Blockchains, Cryptocurrency, and Infosec

May 16, 2018

Blockchain has become the technology industry buzzword of 2017-2018. Mention of it is widespread, but understanding and knowledge of it is limited. “Blockchain” is defined in Wikipedia as:

“a continuously growing list of records, called blocks, which are linked and secured using cryptography. Each block typically contains a cryptographic hash of the previous block, a timestamp and transaction data. By design, a blockchain is inherently resistant to modification of the data. It is an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way.”

The target of this article is to provide a cryptocurrency/blockchain primer for Information Security professionals.

Background

Blockchains are the foundational technology which makes cryptocurrency possible. Originally created in 2009, Bitcoin was the first project which implemented a successful cryptocurrency on a blockchain. However, the blockchain concept itself existed as early as 1991.

Bitcoin is not the only cryptocurrency, but it is the most well known one. Over a thousand others exist, each with its own value proposition to draw investors.

Addresses and Wallets

Cryptocurrency is stored in a ‘wallet’. A wallet is made up of a public/private keypair which identifies a balance recorded on a blockchain. Below is the public address (top) and private key (bottom) of a wallet on the Ethereum blockchain.

0x7E5F4552091A69125d5DfCb7b8C2659029395Bdf
0000000000000000000000000000000000000000000000000000000000000001

This wallet can hold Ether (the Ethereum blockchain’s component currency) and Ethereum’s ERC20 tokens. The owner of this wallet, or any individual with the private key, is able to transfer funds.

One of the most popular websites traders use to view the contents of their Ethereum wallets and send currency is MyEtherWallet (sometimes called MEW). By inputting a private key, a user is able to manipulate the contents of the wallet. Because of this, it’s no surprise that MyEtherWallet, and sites like it, have been attacked multiple times.

Ethereum

Ethereum is a project which uses a blockchain to implement smart contracts. Smart contracts are small programs stored on the blockchain which allow it to execute logic automatically. This can be useful for things like automatic escrow of funds. Initial Coin Offerings (ICOs) have previously used smart contracts to automatically send tokens to individuals who contribute funds in Ether.

Ethereum is the second largest cryptocurrency, in terms of market cap and popularity, as of May 2018. Bitcoin is the first.

The DNA of cryptocurrency and blockchains is based around decentralization, so many projects proudly proclaim their ability to function without a central authority. However, some, like Ripple (XRP), are meant for centralized use by financial institutions.

Ethereum is a smart-contract enabled blockchain which currently serves as the basis for dApps (Decentralized Applications), which are essentially applications that run on top of the Ethereum blockchain. They leverage its ability to execute contract code automatically in order to perform services. The following are a few popular dApps:

Basic Attention Token (BAT) – A token which can be passed between advertisers and users as a way to access services
Golem (GNT) – Distributed processing system which allows users to rent time on each other’s computers
Augur (REP) – A market prediction platform

Each of these dApps also contains component units which comply with the Ethereum Request for Comments 20 (ERC20) standard. These units (also called ‘tokens’ or ‘coins’) are typically what individuals buy and trade on cryptocurrency exchanges. Each project uses these tokens for different purposes, including fundraising during their Initial Coin Offering.

Initial Coin Offerings

New projects are often added to the Ethereum blockchain via an Initial Coin Offering (ICO), much as new companies enter the stock market via an Initial Public Offering (IPO). Groups setting up an ICO for a project will define a few parameters governing how their specific token will operate. One of these is the total number of tokens available for sale. This number is arbitrary and can be set to anything.

Bitcoin currently has 16,933,375 bitcoins in its ‘Circulating Supply’, but there is a hard cap of 21 million bitcoins. As bitcoin is mined, the number of coins in its Circulating Supply will increase until it reaches 21 million.

An individual can own as little as 0.00000001 of a bitcoin, however. These tiny units are referred to as ‘sats’, or ‘satoshis’, after the creator of bitcoin, Satoshi Nakamoto. Individuals are not required to own a whole Bitcoin, but some blockchains, like Neo, do not divide into smaller units.

An ICO, depending on the group behind it, may allow for a token pre-sale. Typically, these pre-sales allow individuals to send cryptocurrency to a specific wallet, and they will in turn be provided with tokens at a certain exchange rate on a set date. For example, an ICO pre-sale may state that for every 0.05 ETH (Ether) received from a wallet, the organizers will send back 100 tokens.

Mining

“Miners” perform cryptographic calculations to determine the next block in a blockchain, in a process called “mining.” For the Ethereum blockchain, miners are rewarded with a certain amount of Ether for their efforts, called Gas. When a user transfers funds, they must pay Gas as a way to compensate these miners for adding their transaction to the Ethereum blockchain.

Miners are just computers running a specific type of software. Much of this software is able to leverage Graphics Processing Units (GPUs) to perform the hashing calculations needed to find more blocks, faster. The speed is referred to as ‘hashrate’. Higher hashrates mean more calculations, which means a greater likelihood of locating the next block in the blockchain. Miners which successfully find a block are compensated in Ether.

Users may opt to join Mining Pools. Mining pools allow individuals to share resources to get a payout more often, instead of receiving a payment only when their personal miner finds a block. Typically, these payouts are much smaller as a result. Mining pools will typically have webpages that show different miners and will graph their hash rate.

Several mining programs exist:

Name        OS                     Domain
Minergate   MacOS/Windows/Linux    Minergate.com
Ethminer    MacOS/Windows/Linux    https://github.com/ethereum-mining/ethminer
WinEth      Windows                Wineth.net
Claymore    Windows/Linux          https://github.com/nanopool/Claymore-Dual-Miner/releases

Minergate

Available for MacOS, Windows, and Linux, Minergate is a popular miner for a group of well-known cryptocurrencies, including Ethereum, Monero, and Dashcoin.

It typically connects to *.minergate.com, as this is where the mining pools reside.

Installation directory: C:\Program Files\MinerGate\

Data directory: C:\Users\[username]\AppData\Local\minergate

When Minergate is installed, it prompts for an email address. It doesn’t validate the address, but it writes it to a series of on-disk locations, including an .achievements file. The address also lives in the miners.ini file.

The .lock file contains an identifier which includes the hostname of the machine the miner is running on.

The Minergate process runs as minergate.exe regardless of whether or not it’s mining.

If uninstalled, the Data directory still exists, and is untouched.

Claymore

Claymore’s Dual Ethereum AMD GPU Miner is a GitHub project which leverages GPUs to mine multiple cryptocurrencies. The software can be configured to contribute to a specific mining pool.

By default, Claymore uses pools at nanopool.org, configured to communicate over port 15555.

The default name of the Claymore folder is “Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v”, followed by a version number. There is no real installation process, so the miner runs from wherever the downloaded ZIP archive is decompressed. The below screenshot is a segment of the Claymore directory:
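Turning the Minergate and Claymore host and network artifacts from the two sections above into triage rules, as an added example that is not code from the article or from either project. The telemetry and its field names (type, image, host, dport, path) are constructed for illustration and do not follow any particular EDR schema.

```python
# Added example (not the article's code): the Minergate and Claymore artifacts listed
# above as simple triage rules, run over constructed telemetry. The event field
# names (type, image, host, dport, path) are assumptions, not a real EDR schema.
import re
from typing import Dict, List

MINER_PROCESSES = {"minergate.exe"}                      # runs whether or not it is mining
MINER_POOL_DOMAINS = re.compile(r"(^|\.)(minergate\.com|nanopool\.org)$", re.I)
MINER_POOL_PORTS = {15555}                               # Claymore's default nanopool port
MINER_PATHS = re.compile(                                # install/data dirs and the unzipped Claymore folder
    r"\\MinerGate\\|\\AppData\\Local\\minergate\\|"
    r"Claymore\.s\.Dual\.Ethereum\.Decred_Siacoin_Lbry_Pascal\.AMD\.NVIDIA\.GPU\.Miner\.v", re.I)
MINER_FILES = {".achievements", ".lock", "miners.ini"}  # only meaningful inside a miner path

def match_indicators(event: Dict) -> List[str]:
    """Return the names of every rule the event trips; an empty list means no match."""
    hits = []
    kind = event.get("type")
    if kind == "process" and event.get("image", "").lower() in MINER_PROCESSES:
        hits.append("miner_process")
    if kind in ("dns", "netconn") and MINER_POOL_DOMAINS.search(event.get("host", "")):
        hits.append("miner_pool_domain")
    if kind == "netconn" and event.get("dport") in MINER_POOL_PORTS:
        hits.append("miner_pool_port")
    if kind == "file" and MINER_PATHS.search(event.get("path", "")):
        hits.append("miner_path")
        # a bare .lock or .ini elsewhere on disk is far too generic to alert on
        if event["path"].rsplit("\\", 1)[-1].lower() in MINER_FILES:
            hits.append("miner_config_file")
    return hits

def triage(events: List[Dict]) -> List[Dict]:
    """Keep only the events that tripped a rule, annotated with the rule names."""
    return [dict(e, rules=r) for e in events if (r := match_indicators(e))]

# Constructed sample telemetry (hostnames, user and version suffix are made up for the example).
SAMPLE_EVENTS = [
    {"type": "process", "image": "minergate.exe", "pid": 4120},
    {"type": "dns", "host": "eth.minergate.com"},
    {"type": "netconn", "host": "pool.nanopool.org", "dport": 15555},
    {"type": "file", "path": r"C:\Users\jdoe\AppData\Local\minergate\miners.ini"},
    {"type": "file", "path": r"D:\tools\Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal"
                             r".AMD.NVIDIA.GPU.Miner.v0\run_miner.bat"},
    {"type": "process", "image": "explorer.exe", "pid": 900},
    {"type": "netconn", "host": "www.example.com", "dport": 443},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["rules"], hit)
```

The data directory survives an uninstall, so the file rule still fires on a host where the process and pool traffic have already disappeared.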

Forensics

Forensically, we care about Cryptocurrency for a few reasons:

1. The illicit transfer of funds from one location to another (e.g., ransomware, money laundering)
2. Cryptocurrency mining as a result of a malware infection on either endpoints or network infrastructure
3. Rogue employees actively misappropriating endpoints or network infrastructure to mine cryptocurrency
4. Rogue employees misappropriating budgets and funds to purchase and transfer cryptocurrency

Illicit Funds Transfer

The cryptocurrency project Monero exists because of a desire for additional privacy and anonymity in trades and transfers. Monero is often used to launder funds, either to evade taxation in a trader’s home country or to clean stolen funds.

Cryptocurrency-Related Malware

Drive-by malware infections leveraging the Cryptonight Monero-mining algorithm are a commonplace security incident. This class of malware is sometimes written in the nascent WebAssembly language, and sometimes in JavaScript. This type of miner can be executed in the browser without a user’s knowledge when the user visits a website. Because of the nature of browser-based languages, these miners can run on any device and operating system.

Many individuals are now familiar with the threat presented by Ransomware. Ransomware, after infecting a device, encrypts a user’s files, and asks that the user provide a certain amount of Cryptocurrency, typically Bitcoin, to decrypt their files.

Transaction tracing

When a transaction involving Ether itself, or an ERC20 token, is created on the Ethereum blockchain, a transaction ID is generated. A transaction ID looks like the following:

0xc82109e6c60dfaa845356354af730b6a7764dd32a18f6998312f19be19764919

Because Ethereum’s transaction data is public, anyone can pick a transaction ID and examine it using a site like EtherScan.io. Etherscan allows you to view the details of any transaction, and the contents of any wallet.

In this illustration, we observe a Transaction ID (here called TxHash), along with a success code (TxReceipt Status). The Block Height shows which mined Ethereum block contains this specific transaction. We can observe the date that the transaction was added to the Ethereum blockchain, along with the addresses the funds are coming from and going to.

This specific transaction is going to etherdelta_2, which is an alias for the address of a smart contract for the EtherDelta Cryptocurrency exchange. This is a user attempting to transfer funds for trading. However, this specific transaction has failed.

The above illustration is a description of what’s inside of an Ethereum wallet. The ETH Balance is the total Ether held inside of this wallet. Below that is the total USD value of the Ether within the wallet (this does not include any ERC20 tokens). The Token Tracker dropdown menu contains a listing of all of the ERC20 tokens in this wallet, along with the USD value of each type. This specific wallet holds 28 ERC20 tokens, or component units of projects based on the Ethereum blockchain.

The bottom half of the screen has a series of four tabs. “Transactions” lists all of the movements of Ether into and out of this wallet. “Token Transfers” shows any transfers of ERC20 tokens into and out of this wallet. Comments can be left on a specific wallet by anyone via the Comments tab. These comments are an Etherscan feature, and aren’t added to the Ethereum blockchain.

The Transactions tab shows us where the Ether is coming from, where it’s going to, when the transaction took place, and how much was sent. Also included here is the TxFee, which is how much Gas was paid to the Ethereum miners for processing the transaction.

Summary

Cryptocurrency is creating an environment where individuals can transfer wealth without centralized institutions taking center stage. However, the details of these transactions and accounts are more public and searchable than ever before. Regardless of the total value of the market due to its fluctuations, individuals are free to use the technology today.
