S3 Ep70: Bitcoin, billing blunders, and 0-day after 0-day after 0-day [Podcast + Transcript]

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud.

With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.


READ THE TRANSCRIPT

DOUG. Bitcoin, billing errors, and zero-day after zero-day after zero-day.

All that, and more, on the Naked Security Podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody.

I am Doug; he is Paul; and we’ve got a veritable cornucopia of security stories for you here today.

Some about crocodiles…


DUCK. Technically, there’s only one crocodile.


DOUG. Thank you for clarifying.


DUCK. And it’s not an actual crocodile.

It’s only a metaphorical crocodile.


DOUG. There we go.


DUCK. So if you’re expecting something like a great snapping frenzy, you might be disappointed.

But it is a wacky story in its own right.


DOUG. Yes!


DUCK. So hang in there.


DOUG. Important clarification – thank you.


DUCK. [LAUGHS]

DOUG.We like to start the show with a Fun Fact.

And it’s been a snowy winter here in the US, but not as snowy as 1978, when not one but two major blizzards hit in rapid succession.

The so-called Great Blizzard of 1978 dropped 52″ of snow, or 130cm, in Muskegan, Michigan, in late January, while the Northeastern Blizzard of 1978 dropped 27″, about 70cm, in Boston in early February.

And I do have a way of bringing that fact back into the show when we talk about our This Week in Tech History segment.

So strap in for that.


DUCK. I think I know what this is about…


DOUG. [QUIZZICAL] OK?


DUCK. And I think, Doug, that it is indirectly connected with Wikipedia.


DOUG. Hmmmmm?

OK, we will test that theory… stick around; we will see.

Let’s talk about crocodiles.

Excuse me, *one* crocodile.


DUCK. [LOUD LAUGHTER] Sorry…

One self-proclaimed “crocodilian person”.


DOUG. Yes – it doesn’t really work if you give yourself the nickname.

But this is the self-styled “Crocodile of Wall Street”.


DUCK. Indeed – nicknames don’t work that way, do they?


DOUG. No, they don’t!


DUCK. You can’t give them to yourself.


DOUG. I’ve been trying to get people to call me “Cool Doug” for years, and it has not caught on.

It just doesn’t work that way.

But this lady, the Crocodile of Wall Street, with her husband: they’ve been accused of stealing many, many bitcoins to the tune of many, many dollars.

So, what’s happening here?


DUCK. Well, what’s fascinating about this, Doug, is this apparently goes back to the infamous Bitfinex breach back in 2016, which was one of the early large-scale incidents: “Oh, dear! We’re a cryptocurrency exchange. And we had a bank robber, a virtual bank robbery.”

It’s alleged that these two people, the husband-and-wife team, the woman calling herself…oh, dear [LAUGHS]… the “Crocodile of Wall Street” and her husband… they’re alleged, if not actually to have done the hack that allowed them to wander off with all these customers’ investments at Bitfinex, at least to have come across, or acquired, some or all of the proceeds of that heist.

So, they’re not accused of doing the heist, but of knowingly coming into money that they didn’t get lawfully.

It was at, the time, a whopping $72 million worth of Bitcoin.


DOUG. I am looking at the original article

It is adorable that the teaser text on there says they stole “nearly 120,000 bitcoins worth about $72 million”.


DUCK. Yes. That’s the crunch, isn’t it?

120,000 bitcoins at today’s value is north of $4000 million, or $4 billion!

So I guess they’re being charged with the offences related to the bitcoins, not to the dollar amount.

But a lot of media articles said, “New York couple alleged to have stolen $4.5 billion (in bitcoins)”.

Ironically, at the time, well, it was a mere 72 million, Doug!

The interesting thing about this case, if we take the allegations at face value for a moment: it seems that the real complexity, for the people accused of it, is cashing out the money.

And there are all these machinations that investigators claim they were able to track down, showing them trying to set up accounts, and coming up with all these cover stories.

So, they’re charged with… in plain English: with trying to shift around cryptocurrency that they knew was stolen, whether they stole it themselves or not; and with fraud.

In other words, telling a whole bunch of lies along the way to give the impression, to places where they could cash out the cryptocoins, that they had acquired them legally.

But the vast majority of them, some significant percentage – I think around 80% of them – were, as far as I can make out, sitting in cold wallets in the cloud.

So it all hinged, as far as I can make out, on these cold wallets getting cracked.

It turned out that dispersing them and cashing them out was quite a complicated exercise.

And, in fact, if you go to the article on Naked Security and click through to the various law enforcement links, it’s a fascinating article – I think it was by an IRS investigator – about all the bits they had to piece together.

It’s quite fascinating, the machinations that these people are alleged to have gone through, in some cases to cash out as little as $500 at a time to buy gift cards.

It seems, if it’s true, they did manage to live a pretty high life – but the vast majority of these supposedly stolen funds were still sitting there while the alleged perpetrators tried to figure out what to do with them.


DOUG. I’m trying to think of how you would launder or tumble that much.

It’s mind boggling.

You couldn’t do it.

Even if they tried to tumble it all… that would clearly raise some red flags, right?


DUCK. There’s this whole back story they had to create to avoid triggering alarms at exchanges that were trying to do the right thing.

Including, “Let’s do the transactions in smaller amounts so that they don’t necessarily need to be reported.”

It’s quite a fascinating story.

If, in the end, some of the people who had lost their funds at the start get them back in dollars, they’ll probably be fairly happy.

But if they get them back in Bitcoin…


DOUG. [LAUGHS] Oh, boy!


DUCK. …they’ll probably be really, really, *really* interested, because what was $72 million at the time is north of $4000 million dollars worth of bitcoins now!


DOUG. All right, that is an interesting story. It’s: Self-styled “Crocodile of Wall Street” arrested with husband over Bitcoin megaheist on nakedsecurity.sophos.com.

And now, something the reverse of a megaheist: we have what can only be charitably referred to as a “billing error”.

Like when you’re playing Monopoly: Bank error in your favour to the tune of…


DUCK. Oh, yes, I forgot about that card! “Bank error in your favour”… it’s $50, isn’t it?


DOUG. Yes, something like that, yes.


DUCK. This was…


DOUG. [LAUGHING] Slightly larger!


DUCK. …a little bit more dramatic than that, Doug. [LAUGHS]

As far as we can make out, this was due to recent severe storms in the north and northeast of the United Kingdom, and this relates to a power company that operates in northeast England.

So, this chap had a power outage, and because power provision in the UK is privatised, the companies that get the franchises to operate these power companies… there are terms-and-aconditions whereby if you’re without power for a certain time, they have to pay you a predetermined compensation.

So, I imagine he would have been getting a payout, perhaps in the low hundreds of pounds.

But they made a blunder, Doug.


DOUG. Hmmmm…


DUCK. And I don’t know whether it was actually an underlying software flaw that’s still there, or whether this was a special case… because it was a storm bad enough to get a special name (Storm Arwen – it was the first of the season, thus ‘A’).

Maybe this was a special case of, “Send us a CSV file and we’ll just shove it through the system.”

Apparently they took his electricity meter serial number as the amount to refund.

So instead of getting, say, £210, which would be say three days at £70 a day, he got, Doug…

[READING AMOUNT IN FULL] Two trillion, three hundred and twenty-four billion, two hundred and fifty-two million, eighty thousand, one hundred and ten pounds.

How about that? He had a 13 digit payment number.


DOUG. [LAUGHS] That’s a lot of bitcoins….


DUCK. They actually sent him a cheque attached to a signed letter!

I’m using air quotes (obviously a pre-scanned signature), but it wasn’t just an email.

It was actually a letter that came through the mail, with a good old-school cheque, with a QR code, crossed “Account of Payee Only”, pay to “This person’s name Only”, converted into words.

The amount was so long…


DOUG. [LAUGHS] I’ve just seen that – it doesn’t even fit!


DUCK. …it wouldn’t even be a valid cheque, because the words and numbers don’t match – it runs out just before the “one”, where it should say “one hundred and ten pounds and zero pence”, or whatever. But that last bit is missing.

He saw the funny side, and he posted to Twitter saying, “Dear @PowercompanyConcerned, are you sure you have enough money to cover this amount?”


DOUG. [LAUGHS]


DUCK. I looked it up, and it is slightly more than the annual GDP of the economy of the entire United Kingdom of Great Britain and Northern Ireland.


DOUG. There you go.


DUCK. So it would probably have bounced…


DOUG. I think so!


DUCK. …if he tried to present it.

And although we laugh, you think, “I wonder how that happened?”

To be fair to the power company: they have apologised; they have said they’ll do their best to actually get out cheques that these people can cash, because they are entitled to compensation; and they’re trying to figure out how it happened.

I do hope that they are able to find out, and they do go public with that information, because it will be a fascinating story.

Is it an underlying flaw in the software which obviously needs addressing?

Or was it a special case – “We’ll use a special procedure!” – and maybe the whole process hadn’t been tested or validated the as much as it should.

So, it will be interesting to see how this happened.


DOUG. For all the stories we talk about here that end in “Validate thine inputs”, we now get to say, “Don’t forget to validate thine outputs, too.”

Because this could have gotten caught many times over, whether flagged for such a huge amount, or “requires supervisor signature”, or who knows what else…


DUCK. [LAUGHING] Yes!

“Requires supervisor’s supervisor’s supervisor’s… TOO MANY SUPERVISORS REQUIRED error”.

You’re exactly right, Doug.

In this case, clearly the input wasn’t validated because it’s absurd, but the output should have been caught.

Why not check the output as well?

Because that’s what’s actually going on the cheque.

So, the point is that even though this did come from using the wrong input – the 13-digit electricity meter serial number instead of an amount in pounds and pennies…

…if you’ve missed the chance to catch it on the input, you’ve got a second chance to catch it at the output.

And two checks are always going to be better than one!


DOUG. Exactly.

Check that out – that article is called Power company pays out $3 trillion compensation to astonished customer on nakedsecurity.sophos.com.

It’s time for This Week in Tech History.

Well, we talked about the Great Blizzard of 1978 a little earlier in the show…

And this week, on 16 February 1978, the first public BBS, or bulletin board service, was launched by Chicago’s Ward Christensen and Randy Suess.

The two men began work on the BBS weeks earlier, after being snowed in by the storm.

The CBBS, or “computerised bulletin board system” as they called it, was modelled after the cork bulletin board Christensen’s computer club used to post things for sale, helpful information, and requests for rides.

Christensen provided the hardware for the BBS – an S-100 bus computer and a Hayes modem.

Seuss’s home served as a nice central location in the city of Chicago where the connection to the BBS was a local call for most users.

I had forgotten that… the BBS was a little before my time, but not super-before my time.

I remember, as a very young computer user, connecting to BBSes, and I had forgotten that you couldn’t just connect to whatever you wanted, because sometimes it was a long distance call.

So when I wanted to go get help with the Sierra Online games I was playing, I had to call out to California and it was a long distance call.


DUCK. Outside North America, Doug, certainly in most countries with a British heritage, local calls were metered as well as long distance ones.


DOUG. Oooof!


DUCK. So you had to pay for as long as you wanted to stay on.

But that did have a slight advantage on its flip side: there was an incentive not to stay on for hours and hours and hours once you got access to one of the modems that the BBS operator had in their home.

Because of course, he needed a separate phone line and a separate phone bill and a separate number for each one.

So that was the flip side for us: although you had to pay – it wasn’t dollars a minute, but it was certainly tens of cents a minute – to stay on locally. It did mean that there was an incentive not to hog the line.

It meant that people couldn’t jump on in the morning and then just keep the line open all day long.

[EXCITED] So there is, Doug: a tangential – maybe not even tangential – connection with Wikipedia.

Because, of course, Ward Christensen was the chap who went on to invent the concept of Wikis in 1995…


DOUG. [DELIGHTED] OK!


DUCK. …which gradually took off.

And of course, that Wiki software and the Wiki model was ultimately adopted by Larry Sanger and Jimbo Wales for Wikipedia.


DOUG. Very cool, all thanks to the Great Blizzard of 1978!

We have a blizzard of zero-day stories….


DUCK. [LAUGHS] That’s good, Doug.


DOUG. Thank you.

Thank you very much.


DUCK. That’s a triple-play segue, if you ask me.


DOUG. [LAUGHS] Great – that’s what I’m looking for!


DUCK. I’m happy with that!


DOUG. So, when we talk about zero-days – if a regular person were to ask what a zero-day is – is it fair to say it’s basically some sort of security hole or exploit that is discovered and abused by the Bad Guys before the Good Guys notice it?

In other words, this isn’t a bug that’s caught and fixed.

It’s caught because it’s already been abused.


DUCK. Yes.

In modern parlance, the “zero” is meant to remind you that even if you are the most proactive patcher in the world, even if you have a system for your entire organisation’s network that grabs and pushes out patches minutes after they appear…

…in the case of a zero-day exploit, there are quite literally zero days during which you could have been ahead of the Bad Guys.

But my understanding is that the term was transferred from the early days of game piracy, where the big game-creating software houses would drop a brand new game, and then the gamecrackers would go to work trying to figure out how to play it without buying the box and getting the licence code.

Remember those weird maps you’d get that were printed in funny colors so you couldn’t scan them?


DOUG. Uh huh!


DUCK. And what’s the third word on the 17th page of the manual, all that stuff?


DOUG. [LAUGHS]


DUCK. The crackers would try and remove that part of the program so it would work illegally.

If you could get a crack on the fourth day, that was pretty good; if you could get a three-day crack, that was very good.

And the ultimate crack, of course, would be the zero-day, which meant that you actually cracked it *on the same day it came out*.

So that metaphor was transferred to bugs.

But of course, in the case of the bugs, the crooks could have found them long before.


DOUG. And we’re talking about three large companies that are affected here, Apple, Adobe and Google.

So, three separate stories.

But, as I’m reading all three of these stories, I’m seeing some of the same phrases over and over.

I’m seeing zero-click attacks; I’m seeing arbitrary code execution; I’m seeing use-after-free.

So three separate incidents, but the same means to an end in almost all of them?


DUCK. We don’t know exactly what form the bug took in Apple’s case because they just said, “We’re aware of a report that this CVE may have been actively exploited.”


DOUG. [HEAVY IRONY] That’s odd.

They weren’t forthcoming?

That’s weird.


DUCK. Apple’s bug, of course, was in WebKit.

That’s doesn’t just mean that it’s in Safari – as we spoke about in a previous podcast, it means it’s in the code that sits under Safari.

So, it’s in any app that uses the WebKit rendering engine – for example, for its help system.

And it’s also in any browser on your iPhone, because browsers on the iPhone aren’t allowed to bring their own rendering engines: even though it may not be Safari on top, it has to be WebKit underneath.


DOUG. I’m guessing not a lot of people know that.

If you’re downloading Firefox for iOS, you might think, “Oh, this is the actual Firefox engine underneath this.”

It’s not!


DUCK. Yes!

I think a lot of people, perhaps quite reasonably, like to have a bit of “divide-and-conquer”, don’t they?

So you might decide, “I know what: I’ll use Google as my search engine; having done that, well, I’ll use the Outlook.com for my free email, so it’s a different company; and then I’ll stick to Meta, or Facebook, for my social networking, so that’s another company; and I’ll stick to Firefox for my browser because that’s not associated with any of the others.”

But you’re right that on iOS and iPad OS – so, on iPhones and iPads – all browsers that make it into the App Store have to use WebKit underneath.

So, as you see with IoT devices, you could have three different brands, but actually, if you peel the labels off, it’s all the same product underneath.

And that certainly happens with browsers on Apple’s operating system.

Having said that, you mentioned Adobe, Doug.

And their bug, in some ways, is a bit more dramatic… because it wasn’t a bug on the client side in the browser, it was a bug in Adobe’s e-commerce products…


DOUG. Oh, dear!


DUCK. …on the server side. [LAUGHS]

When the word “e-commerce” comes in, you think, “Oh! No!”

“Insufficient input validation bug”.

Basically, that means an untrusted user… whether it’s Log4Shell style, just fill in a form with garbage or add weird HTTP headers, we don’t know; Adobe isn’t saying exactly how the bug happened.

But it did admit a little bit more than Apple, and it said it was aware that the CVE in that case had been exploited in the wild.

Then they couldn’t resist adding, “In very limited attacks”. [LAUGHS]


DOUG. [IRONIC] Of course.


DUCK. And you’re thinking, “That’s obviously better than if every single customer using Adobe Commerce or Magento (the open source version), got attacked.”

Limited attacks are better than widespread attacks.

But think of Colonial Pipeline: one company got ransomware, and three days later people were pumping gasoline into plastic bags in Delaware.


DOUG. [LAUGHING] Aaaargh…


DUCK. I may have made up some of the details there…

…but limited attacks can nevertheless not be *that* limited in their side-effect.

And, like you said, this was one of those cases where you don’t get any buses at all, and then three come along at once.


DOUG. [LAUGHS]


DUCK. One just before the weekend; I think Adobe was over the weekend; and Google’s came out yesterday – that’s Valentine’s Day as we are recording – and they reported a zero-day in Chrome, Doug.


DOUG. Oh-oh!


DUCK. I presume that means some, or perhaps all, Chromium-based browsers may be affected, too.

That would include things like Microsoft Edge, which I would say is the second most widely used Chromium-based browser out there.

And, again, Google isn’t saying much.

In fact, you could argue that, for all their Project Zero attitude of “Hey, let’s be open and honest about bugs”, they’ve said the least.

Again: “aware of reports that an exploit exists in the wild.”

Sort of like, “Hey, we haven’t seen it ourselves; it’s just a report.”

[WHISPERS] But it’s an O-day.

And , like you said, it wasn’t the only bug of its class in this bunch of Chrome updates.

It was one of five so called “use-after-free” bugs, which is where a software program mismanages memory in a way that could allow someone to exploit one part of the program to poke a knitting needle into another part of the program.

Because the first part of the program carries on using memory that it shouldn’t use, even after it’s handed it back and it’s been lent out to someone else to do something else with.


DOUG. All right!

So, extra important in all three cases of these to patch.

Especially in this Chrome one.

[DRAMATIC PAUSE] I guess in the Apple one, too.

[DRAMATIC PAUSE] And Adobe.


DUCK. I guess in the e-commerce one, Doug?


DOUG. [LAUGHING] Yes!

OK – as we said, there are three different articles.

We’ve got:

All three of those on nakedsecurity.sophos.com.

It’s time for the Oh! No! of the week.

This week, we’ve got an unfortunate comment from Naked Security reader Richard, who, on the story about the $3 trillion cheque from the power company, writes:

I was sent a demand to pay $0 once and then a few weeks later a penalty of $15 for not paying the bill of $0.

Now *that* sounds about right as far as billing errors go from power companies, in my experience!


DUCK. Yes, and that’s why I think, although there’s a funny side to the $2 trillion error because it’s just so jolly obvious…

…well, that’s a little bit like when we talked about use-after-free.

If someone pokes garbage into a little bit of memory that is part of an image you’re trying to display, then either the image will not display at all or it’ll just have some weird noisy garbage in the middle of it – it’ll be obvious that something went wrong.

But what if, in the case of a drive-by download, it all looks OK… but, in the background, something happened that you didn’t notice?

And that’s the problem here.

He says explicitly, Doug, “I was sent a demand to pay zero DOT zero”, as though they normally only asked for amounts rounded to the nearest pound or dollar or whatever. And then he got a penalty for not paying zero DOT zero.

Why would you print $0.0?

I don’t know any currencies that work with tenths.

Maybe the problem there was that they had incorrectly displayed what was actually going on, which means that it’s entirely impossible for him to troubleshoot it!


DOUG. Well, I do wonder if the total he was supposed to pay was displayed incorrectly…

…or if he was actually current on his bill, and there’s just a boolean in this billing software that says, IF user doesn't make payment THEN charge $15.


DUCK. Ah, you mean that later on it doesn’t actually check how much he didn’t pay?

It just checks “here’s the list of people who haven’t paid”?


DOUG. Yes: “We sent a bill. You didn’t pay it.”


DUCK. It doesn’t matter whether it’s $1000 or $12… charge them $15.


DOUG. Yes!


DUCK. That’s another problem, isn’t it?

Which is why: “Check thine inputs, and check thine outputs.”


DOUG. Very good!

Bringing it all back home… good job, Paul!

If you have am Oh! No! you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com; you can comment on any one of our articles; you can hit us up on social: @NakedSecurity.

That’s our show for today; thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you until next time to…


BOTH. …stay secure!

[MUSICAL MODEM]


go top