Video Game Addiction and Death

When Mr. Hsieh died in a crowded room, nobody took any notice. For hours, he sat there slumped over and face-down on a table. Even when his dead body was carried out of the room, few paid much attention. Why? Because he died in an internet café in Taiwan. The other gamers were simply too involved in their gaming to pay attention to what was going on around them. Death was caused by cardiac arrest probably brought on by sleep deprivation.

But was the ultimate cause of Hsieh’s death video game addiction? It certainly must be considered a major contributing factor. If an alcoholic passes out on a cold night and freezes to death, the cause of death may be listed as hypothermia. However, few would deny that the underlying cause may be the alcoholism that caused him to pass out in the first place.

Hseih was known to disappear for days to play games at his local internet café. He had all the symptoms associated with video game addiction. The World Health Organization (WHO) has recently classified gaming addiction as a mental health disorder. The condition becomes a mental disorder when a persistent pattern of gaming behavior develops that “takes precedence over other life interests.” The organization points out that “for gaming disorder to be diagnosed, the behavior pattern must be of sufficient severity to result in significant impairment in personal, family, social, educational, occupational or other important areas of functioning and would normally have been evident for at least 12 months.” In short, gaming addicts put gaming above all other aspects of life, even when they know that relationships and health are being harmed as a consequence.

video game lives

Gaming addiction often leads to a lack of sleep which, in turn, leads to heart failure. Dr. Daniel Kuetting and his colleagues at the Department of Diagnostic and Interventional Radiology at the University of Bonn studied the effects of sleep deprivation on people who worked 24 hour shifts. They found that, “short-term sleep deprivation in the context of 24-hour shifts can lead to a significant increase in cardiac contractility, blood pressure and heart rate.” It is safe to assume that the condition worsens if one stretches the time of being awake even further. Many of the gamers who have died of their addiction had, like Mr. Hseih, been playing for up to three days straight. Most died of heart failure. Though most such gamers would survive a three-day gaming marathon, those in poor physical condition or with pre-existing heart problems would be at a much greater risk.

Just as not all those who drink alcohol become alcoholics, not all game players become gaming addicts. Studies vary in the number of gamers who become addicts but it’s generally agreed that around 8-10% are either addicted or have problems related to gaming. According to the most recent statistics, 6.2% of adults have Alcohol Use Disorder (what we used to call, alcoholism), and we can assume that the percent of adults with some kind of drinking problem is much higher. A big difference between the two addictions is that around 88,000 people a year die alcohol-related deaths. These include driving accidents, fires, suicides, homicides, health problems, and falls. Even including deaths like that of Daniel Petric’s shooting of his parents for taking away his Halo 3 game, video gaming deaths are nowhere near as many as those related to alcohol addiction or even gambling, but it doesn’t mean that gaming addiction doesn’t ruin lives. For example, 15% of women filing for divorce listed excessive gaming as a contributing factor. To put this in perspective, here is a reminiscence of self-described gaming addict, Mike Fahey.

“The woman I had once told was the love of my life was sitting undressed in my bed not a foot away from my computer desk, begging me to join her, and I kept putting it off. I was so close to level 40 I could taste it. I was in the Dreadlands, kiting large enemies back and forth, killing them slowly with my Bard songs. I still remember the urgency I felt, along with the annoyance that this woman was trying to keep me from reaching my goal. Couldn’t she understand how important this was to me?”

So what games are most addicting and, potentially, most life-threatening or life-destroying? There are a number of lists that claim certain games are more addictive than others. Of course, games are made for different platforms but the following names come up a lot. They are in no particular order. It should be noted that men are 7.5 times more likely to become addicts than women so games that appeal to men are, in all probability, the ones that will cause the most problems.

World of Warcraft

Minecraft

Call of Duty

Candy Crush Saga

Everquest

The Sims

League of Legends

Dota 2

If you expanded this to the most addictive games ever, you’d have to include games like Tetris, Super Mario, Pac Man, and Age of Empires. Remember that everyone has their own poison. I’ve known Tetris addicts, Asteroids addicts, Wolfenstein, and Duke Nukem addicts.

But, according to experts, the most dangerously addicting games are multiplayer online games aka. massively multiplayer online role-playing games (MMORPGs). These are the ones parents should pay most attention to if they feel their child is losing contact with the real world or is having social, behavioral, or academic problems.

Among these potentially problematic games are the following. (the asterisks indicate free online games).

Overwatch

Battlefield

Grand Theft Auto

Destiny

Call of Duty

League of Legends/Dota 2*

Star Wars Battlefront

FIFA

Resident Evil

Diablo 3

Fornite* (also the fastest growing online game)

Smite*

Eve Online*

According to psychologists who treat gaming addiction, the games that are mentioned most are,

World of Warcraft

Call of Duty

Second Life

Everquest

Eve Online,

although my gamer son claims this list is out of date.

But what precisely is it that makes these games the most addicting among the thousands on the market? Experts on gaming addiction give the following reasons why some games are more addictive than others.

Addictive games will be,

1. Online Multiplayer Games: MMORGs.

2. Games that allow players to create their own characters, teams, and worlds. This social element creates an alternative world and an escape from reality.

3. Games that have no predefined end or goal, which means they can continue to be played forever.

4. Games that have levels or rewards for playing more or for acquiring more skills. Games that are difficult to advance in tend to create a ‘give up factor’ which would kill potential addiction. Rewards stimulate addiction.

5. Games that have frequent upgrades to keep the game fresh and interesting.

6. Games that generate emotions. These are not always positive emotions, such as a feeling of accomplishment. Negative emotions, such as anger or a need for revenge, can also lead to more gaming.

Taking all of the above into consideration, I would suggest that the crystal meth of online games would have all of these elements and, in addition, be free and available on multiple platforms. With all of the above factors in mind, I sorted through a list of the best multiplayer games and came up with the following which should be considered among the current games with the most potential to cause addiction.

Warhammer 40,000, Fortnite, Heroes of the Storm, Dota 2, Smite, League of Legends, and Paladins.

Others that need to be watched are Terraria, Trackmania Turbo, PlanetSide 2, and Pixel Worlds.

Video game addiction is a physical addiction. Robert Lustig, a professor of pediatrics and endocrinology, recently reported his research on how gaming “can overrelease dopamine, overexcite and kill neurons, leading to addiction.” He further states that “when the brain gets used to a higher level of dopamine, it wants us to keep seeking out the addictive substance or habit.” Teens and young adults are particularly susceptible to dopamine addiction. Add to this the fact that video game developers actually try to make gaming as addicting as possible and you have the dopamine trap known as gaming addiction.

The free online game model works because addicted gamers will pay real money for in-game content. Thus, the more gaming addicts companies can create, the more money they can extract from gamers. And the sad truth is that gamers seek games that are addicting. In the end, it’s a perfect example of a codependent relationship. Mental health experts say that “people with codependency often form or maintain relationships that are one-sided, emotionally destructive and/or abusive.” That about sums it up.

you are dead

Posted in Uncategorized | Tagged , , | Leave a comment

Social Security Scams on the Rise, and It’s Not Just the Elderly Who Have to Worry

It was just a matter of time. With Boomers retiring in droves, more and more criminals have been targeting them to cash in on their retirement benefits. And if you think you’re safe because you’re not retiring yet, think again. One of the most recent scams will actually register you for retirement long before you’ve ever considered doing so. This means that when you do retire, your money may end up going to someone else. In fact, in some cases, these criminals may have preemptively withdrawn all of your retirement benefits before you even registered for retirement. This attack vector was increasingly used in 2017 and led cybersecurity expert, Brian Krebs, to encourage people to register on the Social Security Administration website as soon as possible.

In order to register on the SSA website, you will need to give them some basic information. This will include a name, address, telephone number, email, and, of course, your Social Security Number. If someone has these, they can register as you. But wait, the SSA uses something called an “Identity Services Provider” to “help us verify the identity of our online customers and to prevent fraudulent access to our customers’ sensitive personal information.” And who is this trusted authenticator? Equifax, a company that was hacked last year and lost its database of 145 million Americans; a database which included all of the above personal information and more. So, yes, your Social Security future may be impacted. To find out if your information was lost in this breach, go here. If you are outside of the US, you’ll have to use a VPN that can redirect you through a US server.

Update: On February 9th, the Wall Street Journal reported that Equifax lost more information than they previously disclosed. This included “tax identification numbers, which are used when someone doesn’t have a social security number, as well as e-mail addresses, credit card information, and some additional drivers license information.”

It has been reported that the data from the Equifax hack was dumped and put up for sale. Whether this is true or not doesn’t really matter. Social Security information is readily available for sale on the deep web. For example, I found this information on one deep web site. I removed sensitive information but it would otherwise be there for all to see.

ssn deep web

Some of the information seems to check out.

ssn valid

So, if you have not registered at the SSA website, someone else could certainly do it for you. They could change your address, email, and bank account number to their own and you would be none the wiser.

Then there are the scams. Even if you are registered, criminals can use this information against you. Take a look at a common phishing letter that is making the rounds.

ssa email

Okay, so the bad grammar may be a give away, but would you otherwise recognize it as fake? If you clicked on the link, you may even go to a sign in page that looks like a legitimate SSA site. Yes, you should hover the cursor over the link to see where it goes (check the lower left hand corner of your screen), but sometimes these links are made to look real. The SSA gives this real example of one such link (don’t worry. It goes nowhere):

https://www.socialsecurity.gov.gmx.de/

Notice that it is has legitimate looking elements and even has an ‘https’ header which seems to give it a secure look. But beware of these so-called secure sites. If you must trust any of them, the ‘https’ should be green. Here are two examples. The first is from the legitimate SSA website. Notice that it is not green, and that includes its sign-in page.

ssa https

The second, from Bank of America, shows the highest level of security.

boa

The problem is that any website can get the gray certificate. It can even be acquired for free. Check my post on this for more information.

SSA email scams, like the one mentioned above, are a relatively new phenomenon. Most scams targeting seniors use scam phone callers pretending to be from the SSA. They have the same goal, however, to get your personal information. Why do they use phone scams? Because, sadly enough, older people tend to be more trusting, especially when they hear a friendly voice on the other end of the line. But as seniors become more tech savvy and depend more on email and social media, these are more and more likely to become the main attack vectors. Look for such scams to increase and become more sophisticated in the future.

 

Posted in Uncategorized | Tagged , | Leave a comment

The Cryptocurrency Scam Epidemic

When a businessman friend of mine told me he and his brother were investing in cryptocurrencies, I was, quite frankly, dumbfounded. Here were two technologically challenged businessmen planning to invest considerable money in one of the most technologically challenging concepts in existence. However, I understood the motivation behind their optimism. It was, in short, the belief that this was the road to instant wealth. It was not only the triumph of greed over fear, but the triumph of ignorance over reason. As someone who writes on cybersecurity, my first question to them was whether they had bought a hardware wallet. Their blank stares said more than any words could have.

This interaction made me wonder how many others were like these two businessmen. How many people, hoping for instant wealth, invested large sums in bitcoins or other cryptocurrencies without knowing the first thing about how they operate? I suspected the numbers were high, and, if this were true, there must be hundreds of hungry scammers waiting to feed on them.

Yes, I expected to see a lot of scams, but what I found exceeded all my expectations. There is a rampant feeding frenzy going on among scammers who are glutting themselves on the overabundance of naïve bitcoin and other cryptocurrency buyers. They are taking advantage of these people in a number of ways. Some of the scams are simplistic while others are more complex. Here are some that are currently making the rounds.

The ICO (Initial Coin Offering) Scam

 Initial coin offerings (ICOs) are supposed opportunities to be among the first to invest in a new type of cryptocurrency. As one writer recently put it, “the shear number of ICO’s that have come across my desk makes my head spin.” The writer estimates that 90% of these offers are scams. If you check a site like Bitcoin Jerk, you will find a list of nearly every possible cryptocurrency available. As of this writing, there are almost 1500 of them with some selling for less than one cent. Although bitcoin itself is based on complex code and encryption, some of the currencies listed are based on absolutely nothing. Then how can they even exist? The answer is: by pure speculation.

If I have enough people believing that a green piece of paper with some esoteric markings on it has value, then it has value, at least among the believers. This paper can, then,  be exchanged for goods and services. Remember that bitcoin really got its footing in the deep web where people needed to buy illegal merchandise, often drugs, in an untraceable fashion. As more people believed in its value, its value increased.

New cryptocurrencies need some way to make themselves known. The best way to do this is to pair themselves with a spamming network or botnet. This is what the largely unheard of cryptocurrency, Swisscoin, is doing.

swisscoin

Swisscoin has paired itself with the infamous Necurs botnet to spread spam offers for the coin. Swisscoin spokespeople deny this and ask those who get such emails to report it to them. That said, Swisscoin has been termed a Ponzi scheme by a number of researchers as it relies mainly on persuading investors to interest other people in the coin in order to increase interest (speculation) in it, thus, raising its price in what is termed a pump-and-dump scam. It could be that only one investor used the botnet to encourage more people to invest in the coin. The increased interest would, then, increase the price of the coin and, by extension, the spammer’s own income. The current price of a Swisscoin stands at $0.004. It is no surprise, then, that Swisscoin wants people to buy packages that start at 25 euros. That said, according to those who’ve traced the bitcoin address for the company, Swisscoin has received over $2.5 million in bitcoins alone. Not a bad return for a little known and almost useless cryptocurrency.

For this and other cryptocurrency spam emails, look for subject lines like the following.

Subject:    Forget about bitcoin, there’s a way better coin you can buy.

Subject:    Let me tell you about one crypto currency that could turn 1000 bucks into 1 million

Subject:    This crypto coin could go up fifty thousand percent this year

Subject:    Could this digital currency actually make you a millionaire?

Cryptocurrency Wallet Hacks

 When you buy your bitcoins, you are really buying a private key that enables you, and only you, to use the coins. This key needs to be protected because, if it falls into someone else’s hands, the coins are as good as theirs. What’s worse is that bitcoin’s built-in privacy will allow the thief to escape all detection. So, to protect the key and your bitcoins, you need what is called, a wallet. Basically, there are three kinds of wallets. One that is often used comes with the coins you buy through some website, like Coinbase. The website protects your private key with its own security. In order for you to access your private key, you need a username and password. However, these ‘cloud’ wallets are vulnerable if someone gets your password. They can get this through normal hacking methods, such as phishing scams, or by infiltrating your email and contacting the bitcoin site to reset the password, thereby taking control of your account.

Cloud services themselves have been hacked and customers’ bitcoins were stolen. This happened to NiceHash when hackers compromised an employee’s computer to steal $64 million. The Mt. Gox hack (billions of dollars in bitcoins stolen) and the recent Coincheck hack ($450 million stolen) are examples of online storage sites that were hacked. Some of these could have been inside jobs.

Software wallets store your bitcoin information on your device or computer and, in so doing, are connected to the internet. Such wallets allow for easy use of your bitcoins but are more accessible to hackers. No serious bitcoin owner will use software to protect their private key. Serious users use hardware wallets, which are independent devices, not connected to the internet. They can be hacked, but not easily. For more information on these hardware wallets, see my recent post.

Fake Recipient Hacks

 “All of my money was just send from MyEtherWallet to this address. It looks like that person has stolen more than 44 million dollars worth of crypto. What now?” So began one post on Reddit. It appears the user signed into a spoofed (look alike) website and gave them the information they needed to steal his bitcoins from the real website. Always check the URL carefully as even a one letter difference can be important. GoogIe.com is not the same as Google.com. (They look the same because of the font used on this website. The capital ‘I’ is indistinguishable from the letter ‘l’, but that’s my point. Spoofing a false link can be difficult to spot.)

It is also possible for a hacker to divert bitcoin payments through a man-in-the-middle attack. Without going into details, the scammer initiates a transaction with both a buyer and a seller and watches it progress. When the time is right, the scammer, pretending to be the seller, gives the buyer his own bitcoin address for the buyer to send the coins to. For more details on this scam, go here.

So, my final observation after studying many of these scams is that those who speculate on cryptocurrencies without knowing how they work are destined to find out how they work after they lose their coins. When greed is the underlying motive for buying cryptocurrency, reason is co-opted and people are more willing to take risks they would not normally take. As for my businessman friend mentioned at the beginning of this post, he ended up losing about 30% of his original investment. For the moment, his greatest fear is not of being hacked, but of having his wife learn about his costly investment.

 

 

 

Posted in Uncategorized | Tagged , , | Leave a comment

Emotion Detection and Manipulation Headsets Are Now on Sale

Here is the latest version of a headset that is capable of detecting and influencing your emotions.

emotion headset

The headset, developed by imec and Holst Centre, is promoted as “breakthrough technology to advance neuro research, e-learning and virtual gaming”.

Before we get too carried away with this idea, and before we delve into the true implications of this technology, keep in mind that we have been using technology to modify our emotions for decades. We are emotionally influenced by movies and music and may choose to alter or augment our moods by matching them to the appropriate media output. Even the simplest video games can influence our emotional states in positive and negative ways. Those who have experienced games in virtual reality know that reason can be bypassed in VR environments. There are still games my gamer son won’t play because they are simply too scary, and even though I logically know I am not on the edge of a high building, I have great difficulty making my mind believe that I can take that first step into the abyss. So how will this headset change anything?

Here is what the company says about the integration of music and emotion detection.

“With the integration of music playback, the system can not only measure, but also influence the emotions of the person that is wearing the headset. With the help of Artificial Intelligence our headset can learn the personal musical preferences of the wearer and compose and playback, in real-time, music that fits his preferences and influences his emotions to achieve the wearers’ desired emotional state.”

 Isn’t this what drugs do? If drugs are used to alter our emotional states and change our perceptions of reality, won’t these headsets do more or less the same thing? The somewhat surprising phrase in the quote is that the device will interact with AI to “compose” music to achieve the user’s desired emotional state. This begs the question: Can a nefarious actor use the same technique to alter a person’s personality in order to manipulate them?

The new headset is certainly a breakthrough in terms of comfort and use. In the past, in order to access a person’s emotional states, electrodes had to be ‘glued’ to a person’s skull and placed in precise locations. The new headset uses ‘dry’ detectors and is designed to fit in a way that enables the embedded electrodes to be placed above the precise brain regions that need to be monitored. It would seem but a matter of time before VR headsets, such as the Sony Playstation VR headset, come with similar emotion detecting electrodes.

But why wait? The future is already here. Looxidlabs has already integrated brain sensors with a dual camera VR headset.

loomix headset

loomix headse2t

The system can detect what a user is looking at on a VR screen and simultaneous chart the emotional response to it. The diagram below shows how the device is integrated.

loomix diagram

Currently, the device is being marketed as a research tool. Marketers could get a quick insight into what ads had the most effect on potential customers. Game designers could determine which images created the desired emotional impact. Fashion designers could target market niches more precisely. The list goes on and on. The device will be available for pre-orders on February 1, 2018.

All first, I couldn’t really understand how game developers could use this technology to make any substantial difference to gaming. Would users be able to preset emotional options such as what level of fear they want to tolerate? Possibly, but my guess is that marketers have more financial goals in mind, and I don’t say this without a reason.

Take a look at this leaked screenshot from a marketing company that specializes in marketing within the gaming environment. From information given in the leak, the marketing may be associated with EA games.  Notice how they detect the psychological state of the gamer and use it in microtransactions to gain income.

gamer leak

In short, the marketers determine a gamer’s psychological state by using the gaming device microphone to analyze the gamer’s vocal characteristics. Apparently, a depressed gamer will have a high purchase rate for in-game products (microtransactions) but will then tend to experience buyer’s remorse, which may inhibit future purchases. Thus, if the marketers can manipulate the user into a non-depressed state, they would increase long-term revenues.

The leaked documents also show how the marketers would analyze the sound of a car’s engine that they picked up on a user’s smartphone. Using a combination of algorithms, they were able to determine the brand of car the gamer used and, thus, calculate the social status of the individual, making them easier to target for marketing. Numerous other data gathering tools were mentioned in the leak as well as how the data could be used for specific purposes.

It is interesting to note that EA games initially dropped microtransactions in its Star Wars Battlefront II game when they were criticized by the EU for encouraging gambling within the gaming environment. In any event, it doesn’t take much imagination to see how game developers could use an emotion detection VR headset to further their marketing success and gain income for the company. The development of data mining via the gaming vector should contribute to a marked increase in free online gaming in the years to come.

Of course, there will be positive uses for these emotion detector headsets. An array of psychological problems could be addressed and even cured. Phobias could be overcome. Social relationships could be improved, and learning could be enhanced. However, there is a disturbing undercurrent that comes with this emotion-on-demand technology. Would game developers be able to make games more addicting? Could gaming be used to manipulate an individual’s viewpoints in a manner similar to brainwashing? These are questions yet to be answered, but, disturbingly enough, the questions have now become valid.

Posted in Uncategorized | Tagged , , , | 1 Comment

Bitcoin Hardware Wallets and Their Vulnerabilities

Bitcoins don’t exist. That is, there is no physical coin with a bitcoin logo, even though attempts have been made to create them. Those that do exist, exist as novelty items, like the one in this image.

bitcoin

When you buy a bitcoin, you buy a line of computer code that a group of people believe has monetary value, just like we believe that a piece of paper has a special value if it has the correct identifying features.

dollar

When you buy a bitcoin, you get a private key that allows you and only you to use it. If you do not protect this private key, you are in danger of having it stolen. That’s why you need something called, a ‘bitcoin wallet’. Just as you can protect your money by putting it in a safe or a bank, you can protect your key and bitcoins by putting them in a bitcoin wallet.

Just like banks, some wallets are better than others. Bitcoin wallets can take the form of an app, a software program, a website (cloud), or a removable hardware storage device, like a USB. Wallets that use programs connected to the internet are termed, ‘hot storage’. Those wallets on independent, physically isolated devices are referred to as, ‘cold storage’. It should be quite clear that, especially if you have a considerable investment tied up in bitcoins, a hardware wallet, or cold storage wallet, is preferable, if not mandatory.

Anyone serious about keeping their bitcoins safe will use a hardware wallet. Hardware wallets, being physical devices, must be paid for, unlike some software wallets, which are either free or included in a cloud service. Prices start at just under $100. But, how do you know which hardware wallet is best?

The best hardware wallets will come with their own small screens so that you are even less exposed to malware, like keyloggers, that may be waiting for you to type information on your computer. The image below shows a hardware wallet made by the firm, KeepKey, with its built-in screen.

keepkey

Of  course, there are other ‘wallets’ that you could use. You could use a separate computer that is not connected to the internet to store your bitcoin data. You could use hardware architecture on an Android device, such as that offered by InZero Systems, which separates the hardware at the kernel level, making what amounts to, two separate devices out of one device. Just be sure that the safe side of the device is not connected to the internet. Or you could write down your private key on a piece of paper.

Hardware Wallet Vulnerabilities

  1. You could lose your wallet

Yes, it can happen. Back in 2013, James Howells threw out an old hard drive when he was cleaning up his desk. Later, he realized that he had stored 7,500 bitcoins on it that he had bought, and then forgot about, years before. That’s right. At today’s rates, he had thrown away $120 million. It’s still buried in a landfill in Wales, if you’re interested.

You might not be as unlucky as James Howells, but you could still misplace or accidentally destroy your hardware wallet. Then what? Well, that’s the end of the story. If someone steals your wallet, they cannot open it without a pin. Three pin attempts will delete everything on the wallet so even the owner can lose all the data if they forget the pin. What if your house burns down? What if you drop the device in the toilet? You get the picture. Hardware wallets have physical vulnerabilities.

For all of these reasons, those who have large investments in bitcoins often buy more than one hardware wallet. One can be kept nearby, while another can be kept in a secure and more distant location, like a safety deposit box in a bank. And don’t forget analog storage. That is, you can always write your private key on a piece of paper and store that in a secure place.

  1. The firmware could be tampered with

bitcoin wallet warning

The above warning is given for one particular hardware wallet for a reason. People have been scammed by buying a wallet from a third party like eBay. In one case, the wallet appeared to work and send bitcoins to a recipient. Only later did the owner realize that all of his bitcoins, $34,000 worth, were missing. Apparently, the wallet was programmed by the seller to send bitcoins to his/her address. Most hardware wallets have to have the firmware programmed into the device to work and should not, in general, work right out of the box.

Such attacks are often referred to as ‘supply chain attacks’. Anyone physically handling a device from the time it is manufactured to the time it is delivered could potentially tamper with it to make it perform to their needs.

  1. Firmware updates

 This is a common attack vector for both regular criminals and nation-states. Basically, the attacker forces a firmware update of the hardware wallet. The user may have set their computer to update programs automatically. The update may reprogram the device to send information, such as the private key, back to the attackers. Often, victims have no idea this has even happened until their bitcoins disappear.

  1. Recovery attacks

 Many hardware wallet companies realize that people, being humans, will make mistakes. They may lose, damage, or otherwise lose access to their wallet. That’s why they use a special way for customers to get their wallets back. It’s called, the ‘recovery phrase’. This is a phrase of 12 to 24 related or unrelated words that can be used to recover lost private keys. An example is given below.

bitcoin wallet phrase

If this message shows up on your computer screen, it can be captured with screen capture malware and there go your bitcoins. Others may store their phrase/words in an accessible file on their regular computer or write it down and put it somewhere in their house, which makes them vulnerable to other forms of attack.

KeepKey uses the phrase recovery technique but advises customers to use it only on a new KeepKey wallet. KeepKey encrypts each letter as you type it into your computer before it is sent to the company to retrieve your private key. This, of course, means that some of your data is stored in the KeepKey cloud, which would make it a target for hackers. Indeed, KeepKey was hacked in early 2017. Company CEO, Darin Stanchfield reported that “the attacker was able to temporarily access one of our sales distribution channels, a vendor we use for shipping and logistics, and our email marketing software account. This means he momentarily had access to a portion of our customer data which included addresses, emails and phone numbers.” This is troubling even if the attacker did not gain access to the private keys of customers. A good attacker could use this personal information to engineer an attack which could trick users into revealing their private keys.

  1. Other Vulnerabilities

In the documentary film about Edward Snowden, Citizen Four, Snowden is seen pulling a blanket over his head before typing in his password.

snowden blanket

Apparently, he was worried about hidden security cameras capturing his password when he typed it in. It could conceivably happen with a hardware wallet. Not only a security camera, but malware which controlled your webcam could, at least in theory, capture information from your bitcoin wallet screen. It could also capture your device’s pin.

In addition, new vulnerabilities recently found in a number of processors could be leveraged to take control of bitcoin wallets, although this is yet to be demonstrated.

As long as the price of bitcoins remains high, criminals will do anything to get their hands on them. Once stolen, the same technology that is used to keep bitcoin owners anonymous will keep those stealing them anonymous as well. The cryptocurrency realm is a dangerous terrain to navigate and threats can appear at any turn in the road. For those with little experience in speculating on cryptocurrency, here be monsters.

Posted in Uncategorized | Tagged , , , | Leave a comment

Free Malware Neutralizes Nearly All Android Antivirus Software

One of the most annoying problems for hackers is dealing with those pesky antivirus programs. As much as you may malign them, these software programs still form the main line of defense against common malware attacks. If only hackers had a way to neutralize these programs, their work would be much easier.

Well, relief is here at last. Now, a free toolkit is available to neutralize nearly all Android antivirus software. Look at the list below. If your current antivirus software is listed, you could be the next victim of the AVPass toolkit.

avpass list

This list is from the free malware code. The attacker simply chooses the number associated with the antivirus software they need to neutralize.

According to the developer, “AVPass is meant to make sure whatever malware you’re sending cannot be screened by antivirus.” That’s fine, but how is this done?

Basically, the toolkit uses the fact that all AV programs have set detection rules. Once those rules are understood, they can be manipulated to make malware appear to be harmless. Why is Android targeted? Simply because 86% of the smartphone market is Android.

An Android operating system with its associated files is contained in something called an APK file. If you could tap into this file, you could alter some of its components before you installed it. This can be done with certain tools as is seen in the example for an app called APKtool shown below.

apktool

This tool is included in the AVPass toolkit because it is needed to rebuild files to the hacker’s specifications.

Through what is more or less a trial-and-error approach, AVPass detects the antivirus program being used and then tests its detection capabilities by incrementally altering elements of the selected malware’s code and testing these changes on malware detection sites such as VirusTotal. Eventually, it builds an idea of the AV’s detection rules and how to circumvent them. In the end, the attacker can install the malware package they want and know that it will not be detected.

Since the Android platform dominates all other smartphone platforms, it is the most obvious target for hackers. It is projected that over 3.5 million Android malware samples were detected in 2017, which amounts to almost 8,500 samples a day. That’s a lot of material for attackers to work with.

Antivirus firms aren’t simply going to allow AVPass a free pass. They are now building AVPass detection into their software. The developers of AVPass are researchers from Georgia Tech who actually want to help antivirus firms detect malware that attempts to bypass their algorithms. Some malware detection software has already been built to uncover malicious code trying to hide itself on a device. DeGuard is one example of software built for the “statistical deobfuscation of Android APKs”, although the researchers point out that it is not without its own problems.

deguard

In order for software similar to AVPass to be developed, the researchers have made the code open-sourced and posted it online for anyone to use. Is this a good idea? I’m not sure. The researchers put up a disclaimer saying that the code is only to be used for research, but, let’s face it, malware developers can use it to insert any malware onto any Android device they want.

And it doesn’t stop here. The same researchers are planning to use the same strategy on Google Verify Apps to see if it is possible to get malware infected apps placed in Google Play Store. This would allow attackers to put malware into seemingly valid apps. If this was used with AVPass, the malware would be downloaded and installed without detection; a hacker’s dream.

One more thing, the same researchers plan on developing a version of AVPass for Windows. In short, it looks like all operating systems will soon be vulnerable to such attacks. At the moment, 2018 is shaping up to be the best year for hackers and the worst year for normal users that we have ever seen. Happy New Year.

Posted in Uncategorized | Tagged , , , | Leave a comment

Was Intel Always Aware of Vulnerabilities in Their Processors?

When I first heard the news about a critical flaw in Intel’s chips, I felt that something wasn’t quite right. Intel has been designing chips for decades and they must have some of the world’s best chip designers. How was it possible that they missed what appeared to be a major flaw that would open the door to two possible exploits named, Meltdown and Spectre?

intel icon

There are three possible answers to this dilemma.

  1. Intel’s chip designers are not as good as they think. Everyone working on and checking the design never saw that the chip was flawed.
  2. Intel knew that the chip had vulnerabilities but overlooked them to increase the performance (speed) of its processor.
  3. Some authority ‘requested’ that Intel ‘design’ the vulnerability into its chip so that it could be exploited if necessary.

I’ve already explained why I think option 1 is unlikely, but I was unsure if Intel would choose the risky performance-over-security alternative that comprises option 2. After all, if this flaw was ever detected by an independent third party, it could have catastrophic financial consequences for the firm.

That being said, option 2 has been pointed to by a number of cybersecurity experts, such as Anders Fogh, a researcher for German cybersecurity firm, GData.  Remarking on his findings concerning the vulnerabilities, WIRED noted that “in their insatiable hunger for faster performance, chipmakers have long designed processors to skip ahead in their execution of code, computing results out of order to save time rather than wait at a certain bottleneck in a process.” Later in the article, WIRED expanded on this idea when they talked about research on the vulnerability conducted by Paul Kocher of Cryptography Research, saying that he wanted “to explore a broad issue he saw in computer security: the increasingly desperate drive to squeeze ever-greater performance out of microchips at all costs—including, perhaps, the cost of their fundamental security.” Undeniably, the issue of speed over security is a leading contender for the existence of the Meltdown/Spectre vulnerabilities.

Actually, the odds of such vulnerabilities never being discovered were in the company’s favor. Only some group with the knowledge to perform something in the order of a Stuxnet attack would be capable of making use of this vulnerability. According to a BBC article, “Meltdown or Spectre will at first probably be limited to those prepared to plan and carry out more complex attacks, rather than everyday cyber-criminals.” The Financial Times adds more details by claiming that “the vulnerability would be most likely to be used by sophisticated nation state hackers for espionage”.

And that brings us to option 3. Was Intel asked to design what could be called a backdoor into its chip? The answer to this is far more complex, but it would not be the first time that Intel has been accused of putting backdoors or other questionable elements in its processors. At the Blackhat Conference in 2012, researcher, Jonathan Brossard, showed how a hardware backdoor he called, Rakshasa, “works on 230 Intel-based motherboards”. This revelation caused one writer to observe that, “it would be very, very easy for the Chinese government to slip a hardware backdoor into the firmware of every iPad, smartphone, PC, and wireless router.” This is because 99% of all chips are produced in China.  Coincidentally, in the same year, researchers at Cambridge University found a hardware backdoor in a military grade chip made in China.

“We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.”

 Then, in 2013, stories began to surface that Intel was working with the NSA to put hardware backdoors on their chips. A leaked NSA slide even joked about this.

nsa slide

In June, 2016, a researcher reported on what amounted to a chip within the main Intel chip called the Intel Management Engine (ME). He claimed that “when these are eventually compromised, they’ll expose all affected systems to nearly unkillable, undetectable rootkit attacks.” In August, 2017, a team from Positive Technologies was working on disabling this ME when they discovered that the NSA had been there before them. Apparently, desiring to protect themselves from anyone manipulating the ME, they had Intel design a way for them to disable it. Most people in the cybersecurity community would not be surprised to learn that the NSA was working with Intel, but the point here is that option 3 above cannot be discounted for several reasons. Certainly China or the NSA could have found ways to have the Meltdown/Spectre vulnerability placed on the chips.

Any device with a computer chip is vulnerable to these attacks. However, it would be unlikely that such a sophisticated attack would be used for normal hacking purposes. It has been reported that no attacks using these vulnerabilities have been discovered. This is a useless claim since anyone exploiting the vulnerabilities would leave no traces anyway.

In any event, Intel and other chip makers are busily working on updates. Since Microsoft products run on Intel chips, they were the first to come out with their updates. The first reports found that the updates conflict with other antivirus programs that users may have been using in conjunction with Windows Defender. You may have to set the registry yourself for the update to be accepted. To see if your antivirus program is affected, follow this link and take a look at the chart. It should be noted that some computers running on AMD processors were reportedly frozen by the update, so be careful.

I received the update without a problem. Some have warned that the fix may slow computers, but I have noticed nothing serious to this point. If it is true that chips manufactured by other chip makers also contain these vulnerabilities, then the problem becomes much more serious, especially if option 3 proves to be true.

 

 

Posted in Uncategorized | Tagged , , , , | Leave a comment