I have not done a Friday Summary in a couple weeks, which is a blog post we have rarely missed over the last 6 years, so bad on me for being a flake. Sorry about that, but that does not mean I don’t have a few things I to talk about before years end.

Noise. Lots of Bitcoin noise in the press, but little substance. Blogs like Forbes are speculating on Bitcoin investment potential, currency manipulation, and hoarding, tying in a celebrity whenever possible. Governments around the globe leverage the Gattaca extension of Godwin’s Law, when they say “YOU ARE EITHER WITH US OR IN FAVOR OF ILLEGAL DRUGS AND CHILD PORNOGRAPHY” – basing their arguments on unreasoning fear. This was the card played by the FBI and DHS this week, when they painted Bitcoin as a haven for money-launderers and child pornographers. But new and disruptive technologies always cause problems – in this case it is fundamentally disruptive for governments and fiat currencies. Governments want to tax it, track it, control exchange rates, and lots of other stuff in their own interest. And unless they can do that they will label it evil. But lost in the noise are the simple questions like “What is Bitcoin?” and “How does it work?” These are very important, and Bitcoin is the first virtual currency with a real shot at being a legitimate platform, so I want to delve into them today.

Bitcoin is a virtual currency system, as you probably already knew. The key challenges of digital currency systems are not assigning uniqueness in the digital domain – where we can create an infinite number of digital copies – nor assignment of ownership of digital property, but instead stopping fraud and counterfeiting. This is conceptually no different than traditional currency systems, but the implementation is of course totally different. When I started writing this post a couple weeks ago, I ran across a blog from Michael Nielsen that did a better job of explaining how the Bitcoin system works than my own, so I will just point you there. Michael covers the basic components of any digital currency system, which are simple applications of public-key cryptography and digital signatures/hashes, along with the validation processes that deter fraud and keep the system working. Don’t be scared off by the word ‘cryptography’ – Michael uses understandable prose – so grab yourself a cup of coffee and give yourself a half hour to run through it. It’s worth your time to understand how the system is set up because you may be using it – or a variant of it – at some point in the future.

But ultimately what I find most unique about Bitcoin is that the community validates transactions, unlike most other systems which use a central bank or designated escrow authorities to approve money transfers. This avoids a single government or entity taking control. And personally having built a system for virtual currency way back when, before the market was ready for such things, I always root for projects like Bitcoin. Independent and anonymous currency systems are a wonderful thing for the average person; in this day and age where we use virtual environments – think video games and social media – virtual currency systems provide application developers an easy abstraction for money. And that’s a big deal when you’re not ready to tackle money or exchanges or ownership when building an application. When you build a virtual system it should be the game or the social interaction that count. Being able to buy and trade in the context of an application, without having a Visa logo in your face or dealing with someone trying to regulate – or even tax – the hours spent playing, is a genuine consumer benefit. And it allows any arbitrary currency to be created, which can be tuned to the digital experience you are trying to create.

More reading if you are interested: Bitcoin, not NFC, is the future of payments, and Mastercoin (Thanks Roy!).

Ironically, this Tuesday I wrote an Incite on the idiocy of PoS security and the lack of Point to Point encryption, just before the breach at Target stores which Brian Krebs blogged about. If merchants don’t use P2P encryption, from card swipe to payment clearing, they must rely on ‘endpoint’ security of the Point of Sale terminals. Actually, in a woulda/coulda/shoulda sense, there are many strategies Target could have adopted. For the sake of argument let’s assume a merchant wants to secure their existing PoS and card swipe systems – which is a bit harder than securing desktop computers in an enterprise, and that is already a losing battle. The good news is that both the merchant and the card brands know exactly which cards have been used – this means both that they know the scope of their risk and that they can ratchet up fraud analytics on these specific cards. Or even better, cancel and reissue. But that’s where the bad news comes in: No way will the card brands cancel credit cards during the holiday season – it would be a PR nightmare if holiday shoppers couldn’t buy stuff for friends and families. Besides, the card brands don’t want pissed-off customers because a merchant got hacked – this should be the merchant’s problem, not theirs. I think this is David Rice’s point in Geekonomics: that people won’t act against their own short term best-interests, even if that hurts them in the long run. Of course the attackers know this, which is exactly why they do this during the holiday season: many transactions that don’t fit normal card usage profiles make fraud harder to detect, and their stolen cards are less likely to be canceled en masse.

Consumers get collateral poop-spray from the hacked merchant, so it’s prudent for you to look for and dispute any charges you did not make. And, since the card brands have tried to tie debit and credit cards together, there are risks to bank accounts should the attackers guess you PIN number. It is somewhat specious to throw responsibility at consumers’ feet to monitor “your credit score” – credit scores being an arbitrary yardstick used by and for financial institutions – but you do need to watch both debit and credit transactions for your own protection. I do it every month now, because just about every year at least one of my cards is compromised.

This is the last summary of 2013. We will be back in the second week of 2014. To all our readers: Happy Holidays and stay safe!

Note from Rich:

I’ve been worse than Adrian about getting my end of year writing up. This has been a most interesting year, with some incredible highs and lows. Recently I’ve been in hibernation mode due to nonstop travel and nearly-nonstop minor illnesses inherited from my kids. All is good, although apologies to some clients on late deliveries… I blame the three petri dishes running around my house. 2014 is already shaping up to be an amazing year and I can’t wait to roll some of our new ideas out. I hope everyone else has a great end of year, and I will see ya on the other side.

On to the Summary:

Favorite Securosis Posts

• Adrian Lane: Target falls victim to data compromise. Dave Lewis on the Target breach – less caustic than my take but a good read!
• Mike Rothman: Incite 12/18/2013: Flow. I have learned a lot this year. Some of you may understand what I’m talking about each week. Others may not. Either way, it’s all good.
• Gunnar Peterson: Datacard Acquires Entrust.

Favorite Outside Posts

• Adrian Lane: How to disable webcam light on Windows. Solid analysis w/o hype from Mr. Graham.
• Mike Rothman: Nine Steps to DDoS Yourself. Good post here on the F5 blog about testing your ability to withstand a DDoS attack. Figure it out now, or later. It’s your choice…
• Mike Rothman, take 2: Mark Twain’s Top 9 Tips for Living a Kick-Ass Life. This is awesome. Love Mark Twain. You should too.
• Gal Shpantzer: FBI criminal affidavit for bomb threat kid who didn’t want to take his first semester sophomore finals. Soapbox: It’s sad when overachievers get so wound up in some definition of success that they end up self-destructing, whether through eating disorders, stepping on other people’s necks to get into the next elite school, or, you know, calling in a bomb threat to avoid a bad grade.
• Rich: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis. Gal sent this one. Pulling keys from memory by analyzing the sounds your laptop makes! Insane.

Research Reports and Presentations

• Executive Guide to Pragmatic Network Security Management.
• Security Awareness Training Evolution.
• Firewall Management Essentials.
• A Practical Example of Software Defined Security.
• Continuous Security Monitoring.
• API Gateways: Where Security Enables Innovation.
• Identity and Access Management for Cloud Services.
• Dealing with Database Denial of Service.
• The 2014 Endpoint Security Buyer’s Guide.
• The CISO’s Guide to Advanced Attackers.

Top News and Posts

• Taking out drones with Skyjack.
• Two million stolen passwords. Two weeks old but interesting.
• WikiLeaks releases new documents exposing secret Trans-Pacific Partnership.
• On the X-Frame-Options Security Header.
• Apple releases new versions of Safari to fix critical vulnerabilities.
• I Thought We Were Done With These? No, you wish we were done with these.
• Sins of the coder.
• Vulnerability scanning or fumbling in the dark?.
• Sometimes it feels like somebody’s watching me.
• An acoustic side channel attack to obtain encryption keys.
• Why com.com Should Scare You
• Harvard student tried to dodge exam with bomb hoax, FBI says. Brute force user de-aliasing by FBI – anonymity still suspect on Tor networks.
• The Bitcoin Boom. Journalists seem to enjoy using the word ‘Winklevii’ whenever possible.
• Analysis of PayPal’s Node-vs-Java benchmarks. Not security related, but given political heat on Java, this is an even-handed performance assessment.
• Netflix Open Sources Aegisthus MapReduce program for Cassandra.
• Judge Orders NSA to Stop Collecting Telephone Metadata.
• NSA Coworker Remembers Snowden.
• CBS Airs NSA Propaganda.
• Report accuses BT of supplying backdoors for GCHQ and NSA. The better question is who didn’t?
• Push for Britons to sue Google.
• Security guru Bruce Schneier to leave employer BT.

Blog Comment of the Week

This week’s best comment goes to Anton Chuvakin, in response to Multi-layer DoS Defense FTW.

This paper actually shocked me: PLX people are usually smart and well informed, but this paper is sheer idiocy. DDoS defenses needs MORE multi-tool/multi-vendor approach that much of the rest of info sec.