
Friday, February 9, 2018

Is Google exploring the cybersecurity space? Yes!

Alphabet, the parent company of Google, announced that it would launch its first cybersecurity company, which it is calling Chronicle.
Chronicle will be a standalone subsidiary of Alphabet, sitting beside Google under the same umbrella rather than inside it.
Chronicle will initially offer two services:

1. VirusTotal, the malware intelligence service that Google acquired back in 2012.
2. A cybersecurity intelligence and analytics platform that will help enterprises better manage and understand their own information-security-related data.

As we all know, VirusTotal is an online service you can use to check whether a file or URL is malicious. All you need to do is upload it; VirusTotal runs it through dozens of antivirus engines and reports which of them flag it. Keep in mind that a clean result only means no engine recognised the sample, not that it is safe, and that anything you upload is shared with the participating vendors, so don't upload confidential documents just to be sure. VirusTotal will continue to provide the service as is.

Chronicle's launch announcement frames the problem this way. Security threats are growing faster than security teams and budgets can keep up, and there is already a huge talent shortage. The proliferation of data from the dozens of security products that a typical large organization deploys is paradoxically making it harder, not easier, for teams to detect and investigate threats.

Thousands of potential clues about hacking activity are overlooked or thrown away each day. As a result, it is pretty common for attackers to go undetected for months, or for it to take a team months to fully understand what is going on once they have detected an issue. All this adds up to more data breaches, more damage, and higher security costs.

Chronicle's stated goal is to 10x the speed and impact of security teams' work by making it much easier, faster and more cost-effective for them to capture and analyze security signals that have previously been too difficult and expensive to find.

Hopefully the analytics platform that emerges will let large organizations manage their security data with the same ease that Google Analytics gives them over web traffic.

World-class experts in machine learning and cloud computing are working on the project, so expect it to arrive in good shape.

Monday, January 8, 2018

Layman's understanding of Monero


In Monero, everyone has a public address, an example of which looks like this: 43EH3omZSUYCmJYskCUx2tV5oB5tLVrp58AeMYLrFhcz2umUVQHiHu62nG5CS3mvcfgKHC3fPtq6DHkEbMjqvCAZJW5nw9E

The funds you own will not be associated with your public address, like they would with Bitcoin. This means if you tell someone your public address, they can’t see how rich you are.

When you send funds to someone’s public address, what happens is that you actually send the funds to a randomly created brand new one-time destination address. This means that the public record does not contain any mention that funds were received to the recipient’s public address.

For the same reason, the funds that you are sending were not associated with your own public address either in the public record. Therefore, when you send these funds, the public record will not show that the funds originated from your public address and will not show that the funds were sent to the recipient’s public address.


In Bitcoin, by contrast, everyone has a public address, an example of which looks like this: 1EjqMGa5j6JNQDMNXkrRZq7WSmqLRzn9fU

You receive funds at your own public address, and anyone can see what those funds are. When you want to send funds to someone, they tell you their public address, and you can see what funds they already have stored at that public address.

When you send funds, you announce to the entire Bitcoin network that the funds that you own now belong to the recipient’s public address. Everyone can see, as a matter of public record that the ownership of funds has moved from your public address to their public address. 

In Monero, your public address will never appear in the public record of transactions. Instead, a 'stealth address' is recorded, in a way that only you, the recipient, can recognize the incoming funds.

When the recipient checks for funds, they need to scan the Monero blockchain (the public record of all transactions) to see if any transactions are destined for them. The recipient has a secret view key which is used to check each transaction to see if it was addressed to them. Because the recipient is the only one that knows the secret view key, only the recipient can see that funds have been sent to them.

This is why, if you launch your Monero wallet, you will see it 'scanning' the blockchain. This is done to check whether any transactions have occurred that have you as the recipient. Note that you can give your 'secret view key' to others so that they can also see what funds you have received. They will only be able to view incoming transactions and not make any transactions on your behalf; a view key alone also cannot tell which of those incoming funds you have since spent, because working that out needs the spend key.

So far, we’ve discussed the concept of ‘unlinkability’. This means that received transactions are associated with a one-time address that is not linked to your public address. It also means that two transactions sent to your public address cannot be associated as having the same recipient.

We also don't want the sender of a transaction to notice when the recipient then spends those funds in a new transaction. Monero solves this problem through the use of 'ring signatures'.

Ring signatures enable 'transaction mixing' to occur. Transaction mixing means that when funds are sent, the sender randomly chooses several other users' outputs to also appear in the transaction as possible sources of the funds being sent. The cryptographic nature of the ring signature means that no one can tell which of the outputs was really the source of the transaction, not even the person who gave the funds to the sender in the first place. A system of 'key images' associated with each ring signature ensures that although no one can tell the true source of the funds, it is easily detected if the sender attempts to anonymously spend the same funds twice.

Finally, project Kovri, which is currently in development, will hide your internet traffic so that passive network monitoring cannot reveal that you are using Monero at all. This is achieved by encrypting all of your Monero traffic and routing it through I2P (Invisible Internet Project) nodes. These nodes pass your messages along and have no visibility over what is in them. They also do not know whether the destination they are sending your messages to is the final destination or just a waypoint that will forward your message further. Passive listeners can tell you are using I2P, but cannot tell what you are using it for or which destinations you are interacting with.

Supposedly CryptoNote was first implemented in Java and then soon after migrated to C++.

CryptoNight is the proof-of-work (PoW) hash function that CryptoNote coins, Monero included, use for mining.

Origin of Monero

Back in July 2012, Bytecoin, the first real-life implementation of CryptoNote, was launched. CryptoNote is the application-layer protocol that fuels various decentralized currencies. While it is similar in many aspects to the protocol that runs Bitcoin, there are a lot of areas where the two differ.
While Bytecoin had promise, people noticed that a lot of shady things were going on and that about 80% of the coins had already been mined. So it was decided that the Bytecoin code base would be forked into a new chain, and the coins on that chain would be called Bitmonero, which was eventually renamed Monero, meaning "coin" in Esperanto. In this new blockchain, a block is mined and added every two minutes.

Monero is headed by a group of 7 developers of which 5 have chosen to remain anonymous while two have come out openly in public. They are: David Latapie and Riccardo Spagni aka “Fluffypony”.  The project is open source and crowdfunded.

Features of Monero

So what is it about Monero that makes it so hot and in demand? What are the unique properties that CryptoNote gives it? Let's check them out.
Property #1: Your currency is yours
Property #2: It is Fungible
Property #3: Dynamic Scalability
Property #4: ASIC (Application Specific Integrated Circuit) Resistant

Remember when we said that Monero is based on the CryptoNote system, which makes it distinctly different from Bitcoin? Well, the hashing algorithm used in CryptoNote-based systems is called "CryptoNight", and it is what makes Monero ASIC resistant:

1. CryptoNight requires 2 MB of fast memory to work. This means that parallelizing hashes is limited by how much memory can be crammed into a chip while keeping it cheap enough to be worth it. 2 MB of memory takes a lot more silicon than SHA-256 circuitry does.
2. CryptoNight is built to be CPU and GPU friendly because it is designed to take advantage of the AES-NI instruction set. Basically, some of the work done by CryptoNight is already done in hardware on modern consumer machines.
3. There have been talks of moving Monero from its current proof-of-work algorithm to "Cuckoo Cycle" (a different form of proof of work). If a switch like this does happen, then the work spent on the R&D of Monero-friendly ASICs would be wasted.

Property #5: Multiple keys

One of the more confusing aspects of Monero is its multiple keys. In Bitcoin, Ethereum, etc. you just have one public key and one private key. However, in a system like Monero, it is not quite as simple as that.

View Keys: Monero has a public view key and a private view key.
1. The public view key is used to generate the one-time stealth public address where the funds will be sent to the receiver.
2. The private view key is used by the receiver to scan the blockchain to find the funds sent to them.

Spend Keys: Monero also has a public spend key and a private spend key.
1. The public spend key is the second half of what a sender needs, together with the public view key, to build the one-time stealth address for you.
2. The private spend key is what actually moves funds: it is needed to sign a spending transaction and to compute its key image. A view key cannot do either, which is why handing out your view key does not let anyone spend on your behalf.

The Monero address, by the way, is a 95-character string made up of the public spend key followed by the public view key (with a network byte in front and a checksum at the end), encoded in base58.
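The following toy model ties together the 'scanning' behaviour described earlier and the four-key split above. It is an added example, not code from this post or from the Monero project: it swaps ed25519 and Keccak for a multiplicative group modulo the Mersenne prime 2^127 - 1 and SHA-256 (both assumptions made for readability), so it models the relationships between the keys rather than producing real Monero addresses.

```python
"""Toy model of Monero's stealth addresses and view/spend key split.

Added example: not code from this post or from the Monero project.
Assumptions: the group is the integers modulo the Mersenne prime
2**127 - 1 with generator 3, standing in for ed25519, and the scalar
hash Hs() is SHA-256 instead of Keccak. The key relationships are the
ones the post describes; the numbers are not real Monero keys.
"""
import hashlib

P = (1 << 127) - 1  # toy group modulus (a prime; assumption, replaces ed25519)
Q = P - 1           # scalars (private keys) are reduced modulo the group order
G = 3               # toy generator (assumption)


def hash_to_scalar(*parts: int) -> int:
    """Hs(): hash the inputs to a scalar, like Monero's Hs(rA || output index)."""
    data = b"".join(part.to_bytes(16, "big") for part in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen(view_secret: int, spend_secret: int) -> dict:
    """Wallet keys: private view a, private spend b, public view A = aG, public spend B = bG."""
    a, b = view_secret % Q, spend_secret % Q
    return {"a": a, "b": b, "A": pow(G, a, P), "B": pow(G, b, P)}


def make_output(pub: dict, r: int, index: int = 0) -> tuple:
    """Sender side: turn the recipient's public address (A, B) into a one-time address.

    Uses only A and B, so the sender never learns a or b. Returns the
    transaction public key R (published on chain) and the one-time address P_out.
    """
    R = pow(G, r, P)               # R = rG
    shared = pow(pub["A"], r, P)   # rA: Diffie-Hellman secret with the view key
    hs = hash_to_scalar(shared, index)
    P_out = (pow(G, hs, P) * pub["B"]) % P   # P_out = Hs(rA || i)G + B
    return R, P_out


def scan_output(view: dict, R: int, P_out: int, index: int = 0) -> bool:
    """Recipient side: the check the wallet performs while 'scanning' the chain.

    Needs only the private view key a and the public spend key B, which is
    why a view key can be handed to an auditor without letting them spend.
    """
    shared = pow(R, view["a"], P)  # aR == rA
    hs = hash_to_scalar(shared, index)
    return (pow(G, hs, P) * view["B"]) % P == P_out


def one_time_spend_key(wallet: dict, R: int, index: int = 0) -> int:
    """x = Hs(aR || i) + b, the private key for P_out; needs the private spend key b."""
    shared = pow(R, wallet["a"], P)
    return (hash_to_scalar(shared, index) + wallet["b"]) % Q


def demo() -> dict:
    """Walk through one payment with fixed (constructed) secrets; every value should be True."""
    alice = keygen(view_secret=0x1111_2222_3333, spend_secret=0x4444_5555_6666)
    bob = keygen(view_secret=0x7777_8888_9999, spend_secret=0xAAAA_BBBB_CCCC)
    auditor = {"a": alice["a"], "B": alice["B"]}   # Alice's view key only, no spend key

    R1, out1 = make_output(alice, r=0x0123_4567_89AB)   # two separate payments to Alice
    R2, out2 = make_output(alice, r=0xFEDC_BA98_7654)

    return {
        "alice_sees_payment": scan_output(alice, R1, out1),
        "auditor_sees_payment": scan_output(auditor, R1, out1),
        "bob_cannot_see_it": not scan_output(bob, R1, out1),
        "alice_can_spend": pow(G, one_time_spend_key(alice, R1), P) == out1,
        "outputs_unlinkable": out1 != out2 and R1 != R2,
        "address_never_on_chain": alice["A"] not in (R1, out1) and alice["B"] not in (R1, out1),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:24} {ok}")
```

The point to take from demo() is which key each step needs: make_output uses only the public pair, scan_output only the private view key plus public spend key, and one_time_spend_key is the only function that touches b. Real Monero also commits the output index into Hs() so two outputs in one transaction to the same address still get distinct one-time keys; the index parameter mirrors that.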
To sum up:
Bitcoin (BTC): digital money; every payment is publicly viewable on the ledger.
Monero (XMR): untraceable digital money; sender and recipient are concealed from the public.



Wednesday, December 27, 2017

Under The Hood XMR Crypto Miner

We have seen substantial growth in crypto-currency miners this year.
Crypto-currency mining is not illegal. However, there are groups of people who trick unwitting users into installing mining software on their computers, or exploit software vulnerabilities to do so. The criminals obtain crypto-currency, while the computers of their victims slow down. We have recently detected several large botnets designed to profit from concealed crypto mining. We have also seen growing numbers of attempts to install miners on servers owned by organizations. When these attempts are successful, the business processes of the target organizations suffer because data processing speeds fall substantially.
The main method used to install miners is adware installers spread using social engineering. There are also more sophisticated propagation methods, one of them being the EternalBlue exploit published in April 2017 by the Shadow Brokers group. In this case the cybercriminals tend to target servers, since these give them a more powerful asset.
We recently detected a network made up of an estimated 5,000-plus computers on which Minergate, a legal console miner, had been installed without the knowledge or consent of the victims. The victims had downloaded the installer from a file-hosting service, under the guise of a freeware program or keys to activate licensed products. This installer downloaded the miner's dropper file to their computer, which installed the Minergate software, made sure it loads each time the computer boots, and re-installs it if it is deleted.
Often, crypto-miners come with extra services to maintain their presence on the system, launch automatically every time the computer boots and conceal their operation. Such services could, for example, try to turn off security software, monitor system activity, or ensure that the mining software is always present by restoring it if the files are deleted.
Concealed miners are hard to detect because of their specific nature and operating principles: anyone can choose to install this kind of software and legally use it to mine a crypto-currency, so the binary itself is not malicious. What gives a concealed miner away is the context: where it came from, how it persists, and whose wallet it pays into.
Monero (XMR) and Zcash are the two currencies most often used in concealed mining. Both conceal transaction details, which is clearly very useful for cybercriminals. Even according to conservative estimates, a mining network can generate up to $30,000 per month for its owners.
The miner's configuration data contains a hard-coded wallet address. At the time of writing, 2,289 XMR had been transferred from that wallet, which at the current exchange rate is equivalent to $208,299.

The authors of malware use various techniques to circumvent defensive mechanisms and conceal harmful activity. One of them is the practice of hiding malicious code in the context of a trusted process. Typically, malware that uses concealment techniques injects its code into a system process, e.g. explorer.exe. But some samples employ other interesting methods. We’re going to discuss one such type of malware.

Our eye was caught by various .NET samples that use the trusted application InstallUtil.exe from the Microsoft .NET Framework (information from Microsoft's website: "The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies. This tool works in conjunction with classes in the System.Configuration.Install namespace").

Briefly, the console utility InstallUtil.exe runs a malicious .NET assembly without going through the assembly's entry point; all malicious activity is then hidden in the context of the trusted process.
The spreading of the malicious samples follows a standard pattern: they reach the user in a password-protected archive, and the executable files' icons are in most cases chosen so that the victim perceives the file as an ordinary document or photo. We also encountered executable files masquerading as a key generator for common software. In that case, the malicious payload of the generator was first dropped into the %TEMP% folder and later run in the manner described.

InstallUtil.exe allows execution to start not from the .NET assembly's entry point but from a class that inherits from System.Configuration.Install.Installer. To facilitate manual analysis, this class was renamed InstallUtilEntryClass in the sample under investigation. The code in a static class constructor runs as soon as the class is first used (here, when InstallUtil.exe instantiates it), before any installer method is called, a feature utilized by the authors of this piece of malware.
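As an added example, not code from this post or from the analysis it summarises, here is detection logic that can be run over process-creation telemetry to catch this pattern. Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage), the three records are constructed for the demo, and the log-suppression switches are treated as an extra suspicious signal on the assumption that a legitimate administrator rarely silences InstallUtil's output.

```python
"""Detection logic for the InstallUtil.exe execution-proxy technique.

Added example: not code from this post or from the analysis it summarises.
Records are shaped like Sysmon Event ID 1 (Image, CommandLine, ParentImage)
and are constructed for the demo. The user-writable-path check follows the
post (the payload was dropped in %TEMP%); treating the log-suppression
switches as suspicious is an added heuristic, i.e. an assumption.
"""
import re

# Where the genuine tool lives (the per-version subfolder is not fixed).
FRAMEWORK_DIRS = ("\\windows\\microsoft.net\\framework\\",
                  "\\windows\\microsoft.net\\framework64\\")

# Locations an unprivileged user can write to. An "installer assembly" here is
# far more likely a dropped payload than a service an admin is deploying.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\downloads\\",
                 "\\programdata\\", "\\windows\\temp\\")

# Switches that silence InstallUtil's own output (assumption: rare in admin use).
QUIET_SWITCHES = {"/logfile=", "/logtoconsole=false"}


def split_args(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def assess(event: dict) -> list:
    """Return the reasons an InstallUtil.exe launch looks abusive ([] if benign or not InstallUtil)."""
    image = event["Image"].lower()
    if not image.endswith("\\installutil.exe"):
        return []
    reasons = []
    if not any(d in image for d in FRAMEWORK_DIRS):
        reasons.append("InstallUtil.exe running from outside the .NET Framework directory")
    args = split_args(event["CommandLine"])[1:]   # drop argv[0]
    for arg in args:
        if arg.startswith("/"):
            continue                                # a switch, not the target assembly
        if any(d in arg.lower() for d in USER_WRITABLE):
            reasons.append(f"target assembly in user-writable path: {arg}")
    if QUIET_SWITCHES & {a.lower() for a in args}:
        reasons.append("InstallUtil logging suppressed (/logfile= or /LogToConsole=false)")
    parent = event.get("ParentImage", "").lower()
    if any(d in parent for d in USER_WRITABLE):
        reasons.append(f"launched by a process in a user-writable path: {event['ParentImage']}")
    return reasons


def triage(events: list) -> list:
    """(index, reasons) for every record that assess() flags."""
    hits = []
    for i, event in enumerate(events):
        reasons = assess(event)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {   # routine service install by an administrator: should not fire
        "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe",
        "CommandLine": '"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe" '
                       '"C:\\Program Files\\Contoso\\ContosoService.exe"',
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # the pattern from the post: payload dropped in %TEMP% runs itself via InstallUtil
        "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe",
        "CommandLine": 'InstallUtil.exe /logfile= /LogToConsole=false '
                       '"C:\\Users\\alice\\AppData\\Local\\Temp\\keygen.exe"',
        "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\keygen.exe",
    },
    {   # unrelated process touching %TEMP%: must be ignored
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "notepad.exe C:\\Users\\alice\\AppData\\Local\\Temp\\notes.txt",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
]

if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
        for reason in reasons:
            print("  -", reason)
```

Because the technique runs the payload from the Installer class's static constructor rather than from a recognisable entry point, there is nothing in the assembly's PE header to key on; the command line and the parent process are what give it away, which is why the rule reasons about paths rather than file contents.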