Tackling The Latest Cyber Security Headlines
Crypto-boss dies with only password, bug bounties, government shutdown recovery and more
The cyber security headlines of late have been hard to ignore. That’s why CSO of BitGo, Inc. Tom Pageler joined Monday night’s episode (#71) of Task Force 7 Radio, with host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies. Pageler and Rettas dove right in to the most popular news stories that have been catching our attention, starting with the crypto boss who died with the only passwords needed to unlock around $190 million in cryptocurrency.
According to Fox News, the customers of a Canadian cryptocurrency exchange are reportedly unable to access $190 million of funds after the company’s founder died with the passwords needed to access the money. Gerald Cotten, the 30-year-old founder of QuadrigaCX, died due to complications with Crohn’s disease, according to Sky News, citing Cotten’s wife, Jennifer Robertson. The executive reportedly passed away in December while traveling in India to open an orphanage.
To further complicate the situation, the money is said to be in “cold storage” with the digital key held only by Cotten, and while officials have access to his laptop, even a security expert has been unable to get past the device’s encryption. Understandably, QuadrigaCX customers have taken to social media to voice their frustration and without any answers from the company so far, there are now conspiracy theories of an exit scam.
Coincidently, QuadrigaCX is a customer of BitGo, so Pageler had a lot to say about this story. BitGo provides institutional cryptocurrency financial services, offering its clients security, compliance and custodial solutions. Pageler explained that in this case, Cotten held what is considered a ‘hot wallet,’ meaning he used this cryptocurrency for online trading. As such, BitGo holds onto one password for its clients, and suggests clients to store two more passwords: they sign up for an account with one password, and tell them to store a third key (as backup). So, in this case, the individual who passed away did not give the passwords to anyone.
While there is plenty of speculation all over the news because no one can access the cryptocurrency, Pageler said it’s important to focus why this situation came about in the first place: QuadrigaCX clearly was not following the best practices that were recommended, and its customers should be asking why.
For example, organizations like this should look into custodian cold storage solutions as a best practice. In the case of BitGo for instance, there are state regulators come in and make sure BitGo has the appropriate keys so it doesn’t allow for single point of failure.
“If you’re working with an exchange or anyone who has your assets … Ask about qualified custodian solutions. There’s a lot of money here and there’s too much stuff that can go wrong. You want to be able to recover those funds,” said Pageler. “I think this is why crypto is offering qualified custodians, so this situation doesn’t happen. You don’t run a company off a single laptop. There are so many best practices out there. I don’t even want to talk about speculation – whatever happened; the point is there was poor set up from the beginning.”
Rettas added that although he doesn’t want to speculate, “the swirl is out of control out there.” He noted that frustrated investors “took to social media and went nuts. There are lawsuits swirling around.” Rettas also brought up the notion that the exec “didn’t even trust his wife, lawyers or legal team. Does the CEO of Coca-Cola give the secret recipe to his wife? No, but why didn’t he give his keys to lawyers?” Rettas asked before adding that this is why “we’re skeptical and suspicious of everybody.”
As coverage of this story surely will continue, it’s important to look at what we can learn as outlined by Pageler:
- Large amounts of money should be in a custodial solution with a company that can store those assets securely – it takes longer to get your money out, but that’s why you set up a hot wallet, so you can trade immediately. At the end of the day, you can still get the funds. In this case, no one knows what really happened and now it’s a big mess. “It was poor practices from the beginning. It was a disaster waiting to happen.”
- Make sure there’s an independent (or multiple) custodial entities. According to the court report from EY (who was hired to figure out this case), it was facing an “extraordinary set of case facts.” What does it this do to the cryptocurrency market? “It’s going to shed light on what you want to look for. Why you should question things,” said Pageler.
- Be sure to have a third-party in there handling checks and balances. Now that there’s a major investigation underway and the government is involved, some healthy rules should come into play so this doesn’t happen again.
Bug Bounties And Scare Tactics
Rettas switched gears to Switzerland where they are essentially “putting down the virtual gantlet,” by asking the public to hack its e-voting system. According to an article in itnews.com, Switzerland’s federal government has put into a place a PIT – public intrusion test, which offers large cash awards for anyone who finds vulnerabilities in its e-voting system. There’s up to 50,000 Swiss francs to be swept up in bug bounties. Rettas asked Pageler his thoughts on this and whether or not e-voting and bug bounties are becoming more mainstream in America.
According to Pageler, e-voting is already here. They do allow online voting in 25 states right now. However, we have had problems here with the voting system said Rettas. “Americans don’t trust it right now.”
Although there are trust issues here, Pageler said that this open source approach in Switzerland is interesting. It offers anyone to really look at the online voting process and make some money off of it without going to the black market. “There’s incentive for people to dig in and find holes,” he said adding that it’s a great approach to get more eyes on security and start to figure out the bugs.
And while Rettas noted that they’re probably going to find a bunch of issues and probably have to pay out more money, the amount still won’t add up to hiring 1 to 2 programmers to do it. With the open source approach, the government can have more full-time people on it and looking at it constantly.
Rettas asked “What kind of story do you think this will tell if hackers just pick this system apart?”
Pageler explained that it could happen, but it also “tells a story of people doing the right thing.” And while Pageler does pen testing, code reviews, etc., to always change it up — it’s a good reminder to “review, re-review and check again. You always want to keep checking and I don’t think that’s a bad story.”
As far as overall bug bounty programs, Pageler explained that they emerged from the private industry, but now there’s legitimate government involved (like in Switzerland), which is making it even more legitimate.
Switching topics again, Rettas cited a CNBC article – where Google’s head of internet security said businesses should ignore scare tactics and learn from history. According to Heather Adkins advice, “businesses have more to learn about their own insecurity from the history of cyber security than from frightening headlines or scary pitch decks from vendors.”
Further, she said “the attacks, methods, motivations, tools and even criminals themselves are the same as they've been since the 1980s.”
Pageler agreed that there’s a lot of white noise out there. But it’s a good reminder to use a risk-base approach to pay attention to good cyber security hygiene. However, he noted that one opportunity she missed was in talking about the FIDO Alliance and YubiKeys.
Google helped to develop the whole system which goes beyond the password. It wasn’t a random security vendor that put it together, but “it was a bunch of companies coming together and creating, and agreeing on a standard.” It showed the industry coming together, Pageler said.
And speaking of emerging technologies, Rettas noted that it also makes things easier for criminals as he discussed in a recent TF 7 Radio show. “How much easier is it now for criminals to speak to each other in a secure fashion?” he asked.
Pageler said, “Encryption is great for good guys trying to protect things for example, but now bad guys are using it.” You can’t understand them [because it’s encrypted], and they now also have ransomware. “It’s almost a cat-and-mouse game. Here’s a tool you can use to protect yourself, and now it’s a threat to you,” he added.
“The motivation for the criminal remains the same – the method of attacking weakest link in the chain has remained consistent,” said Rettas. And yet, “we’ve had some huge fails in this space.”
So, Pageler offered this quick risk-base approach:
- Know what kind of data you have.
- Classify that data.
- Put proper governance around that data to secure it.
Aftermath Of The Government Shutdown
Rettas started the next segment by noting that “you [Pageler] and I are both former government employees and know what it’s like.”
After the government shutdown concluded, these furloughed cyber security employees returned to expired software licenses, web-encryption certificates, burnt-out colleagues, and weeks-worth of un-analyzed activity logs. “Can you imagine trying to catch up? Can you image coming back to a mess like this?” Rettas asked.
“I’m actually just appalled that this is not considered a critical job. That’s a horrible message the government sent out. As you know, secret service agents worked through the government shutdown – critical positions do. The fact that we furloughed cyber security experts is just absolutely appalling … we just sent such a horrific message out there that cyber security really doesn’t matter at our government level,” said Pageler.
Rettas added that he was looking at a May report that came out from the White House’s office of management and budget – it cited that 74% of federal agencies are in urgent need of digital defense improvements. “So, more than half don’t have the ability to catalogue the software that runs on their systems.” Plus, only about 25% of agencies are prepared to identify and thoroughly assess signs of data breaches. “We’re behind the eight ball already,” said Rettas, and now these employees are returning to work to see incidents that happened three weeks ago.
Pageler added that if he was in that position, he would be so frustrated that “probably that month I had off; I’d be applying for jobs.” One guarantee of a government job is a paycheck every month. For this timeframe that paycheck never came, so the best cyber security execs are probably going to get better offers.
Rettas added that the military and intelligence were hit too because they have dependencies. Web-encryption certs for websites were expired (including NASA’s rocket testing portal). There were warning signs everywhere that websites weren’t safe. “Do you think the government is going to wake up and notice they have to spend budget on cyber security?”
“At some point, some critical infrastructure will have to come down for them to do anything,” said Pageler.
“It would be nice to get out in front of that before a loss of life event,” said Rettas.
And both Rettas and Pageler agreed that shows like Task Force 7 Radio help get the word out there so people tell their congressmen and senators that “this is not OK.”
Physical Security – Are We Paying Enough Attention?
Rettas and Pageler were both secret service agents dealing with physical and cyber security. However, today’s world focuses on digital. “Everything is online now – even in your home. Just a short time ago, I didn’t even have a cell phone,” said Rettas. And while the online world is “awesome, super-convenient and we can control our life from anywhere in the world, it also comes with more risk.” With the focus on digital, are we falling short by not giving physical security attention?” asked Rettas.
Pageler reinforced, “You have to take some digital assets offline.” He advises that sometimes you have to “go old school.” Figure out what is too sensitive that can be created offline, as you typically don’t need access to those as much.
Again it comes down to data governance. Start with data discovery. Then, classify and put governance around it. Put governance around sensitive assets, for example, like the Coca-Cola recipe, which shouldn’t be online. “That should be stored somewhere safe, offline.” Get a QR reader, shards of a key, etc., and “then have a method to get to it, and a communication channel of when to get to it.”
In Pageler’s case with BitGo, “we have off storage for a reason. If we lose funds, people won’t trust us.” Multiple people have to come together to create a key, passwords, etc., and sometimes it’s slower to get to those funds, but in the end Pageler said, “sometimes slow, but secure is better.”
To get started, Pageler said to, “Understand what data could cause a business to be over. Think about a way to get that offline and secure it. Once you get that right, start working your way down.”
The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub.
To listen to this and past episodes, click here.