

Is Cybercrime Getting Out of Control?

Stating that cybercrime is on the rise is rather like saying the world is round. Identifying this well-known fact is no longer any great discovery. But understanding the magnitude of the problem and how it affects us as we use the internet is an important starting point.

Earlier this week, the FBI’s Internet Crime Complaint Center (IC3) released their 2017 Internet Crime Report. More than 300,000 consumers reported that they were victims of malware and cyber-fraud attacks last year (with registered losses of over $1.4 billion combined).

The most common types of crimes were non-payment and non-delivery, phishing scams, and data breaches. The crimes that cost the most in terms of financial loss were compromised email accounts, investment scams, and non-payment/non-delivery. In all, the IC3 received over four million complaints between 2000 and 2017.

The Web of Profit

Advanced malware protection specialists from Bromium, together with Dr. Mike McGuire, Senior Lecturer in Criminology at the University of Surrey, released a report entitled “Web of Profit” last month. The report digs into the dynamics of cybercrime and looks at how new ‘criminality’ platforms are bringing about a booming cybercrime economy, generating at least $1.5 trillion in illicit profits. That’s equal to the GDP of Russia.

In fact, according to their findings, if cybercrime were a country, it would have the 13th highest GDP in the world, comprising illegal online markets, data trading, identity theft, and ransomware.

The CEO of Bromium, Gregory Webb, says, “The platform criminality model is productizing malware and making cybercrime as easy as shopping online… We can’t solve this problem using old thinking or outmoded technology. New approaches to cybersecurity will be required.”

Blockchain and AI

There are many blockchain and AI startups springing up to eBits using these new technologies. Blockchain, especially at the application layer, is certainly moving in the right direction by removing eBits. And if AI can be used to help us predict and prevent cybercrime before it happens, that could be the perfect combination.

Scott Schober, author of Hacked Again and President/CEO of BVS, says, “You’re accomplishing things much quicker when you apply machine learning to cybersecurity. You can anticipate and build up your defenses because we don’t have enough manpower to do it. Using AI and machine learning can do everything much, much quicker.”

But while we can contemplate the uses of new technologies like blockchain and AI to fight cybercrime, when it boils down to it, almost all attacks have a common element: human error.

Schober continues, “I think blockchain applied in the right area is definitely going to help secure things, but you can spend billions of dollars in security, you can implement the latest and greatest blockchain to secure things, but blockchain is fundamentally a layer underneath allowing things to happen; it’s not a magic silver bullet to stop hackers in their tracks.”

The Human Element

Clearly, there are a lot of people making money by preying on unsuspecting internet users. And we all know by now the importance of being careful when we go online. We don’t open links from strangers, we don’t download suspicious attachments, and we don’t respond to messages on Skype asking for our bank details.

Yet most of us have been victims of cybercrime at some point in our lives. It’s not surprising that criminals pick the easiest targets (people over 60, according to the IC3 report). But even the highly technically minded among us can be affected too. Just look at the continued Binance eBits that have duped more than one exchange user.

And let’s not even get started on ICOs.

“The biggest problem in cybersecurity today is people,” Schober says. “We continually fall back to choosing convenience over security… We were lazy with creating passwords, and guess what? It really hasn’t changed much today. We don’t take the time to carefully vet what we’re putting out on the internet and then it’s used against us. People are too trusting; we give out information too easily.”

So, it seems that unless we fundamentally change our habits and improve what Schober calls our “cyber hygiene,” all the blockchains in the world won’t be enough to keep our account funds or our identities intact.

Cybercrime is reaching a critical point. Don’t make it any easier for the hackers. 



MIT Review Acclaims zk-SNARKs, but zk-STARKs May Steal the Show

As much as we love the convenience of the internet, our privacy is at great risk whenever we go on social media, check our credit reports, grab a ride, or simply log into a fitness app. Our need to protect our information encompasses much more than financial transactions with a few cryptocurrencies.

In the United States alone, the staggering number of data breaches shows the need for a better privacy solution, and zk-SNARKs or zk-STARKs are poised to fill that need. This year, the Cambridge Analytica data mining scandal affected more than 87 million Facebook users, and the WSJ predicts its repercussions will be huge. Last year, the Equifax data breach exposed the social security numbers and dates of birth for more than half the nation. Meanwhile, an Uber hack exposed data from 57 million customers and drivers, and the MyFitnessPal app leaked usernames and passwords of more than 150 million users.

zk-SNARKs and zk-STARKs are two cryptographic protocols that could help prevent personal information from being vulnerable to these types of database breaches in the first place.

The Promise of Privacy: zk-SNARKs

This month, zk-SNARKs were included on an MIT Tech Review list of the 10 Breakthrough Technologies of 2018 among AI developments, 3D metal printing, and a smart city that Alphabet is building from the ground up.

zk-SNARKs protect your privacy, allowing you to prove who you are without having to give away specific details relating to your identity. Some of the potential uses cited in MIT’s article were verifying you’re over 18 without having to share your date of birth, and proving you have enough money in your bank account as collateral without having to give away account details like your exact balance.

Implementation of zk-SNARKs

zk-SNARKs are already running on cryptocurrency Zcash and JP Morgan Chase’s blockchain-based payment system. Both protocols have also grabbed the attention of Vitalik Buterin and the Ethereum foundation, including this exploration of zk-STARKs last year by Buterin. zk-SNARKs have been in the works since the 1980s, but it wasn’t until these recent cryptocurrency applications that interest in them really peaked.

Adding zk-SNARKs brings a layer of privacy previously inaccessible with most cryptocurrencies, traditional passwords, and even two-factor authentication. zk-SNARKs stands for zero-knowledge succinct non-interactive argument of knowledge, while zk-STARKs represents zero-knowledge succinct transparent argument of knowledge.

Potential Problems with zk-SNARKs

If zk-SNARKs sounds too good to be true, you’re onto something. While the world needs a privacy measure to address hacks, privacy breaches, and identity theft, zk-SNARKs need to overcome major hurdles to be a practical privacy solution.

Setting up zk-SNARKs requires a trusted setup that creates a very uncomfortable situation. Take Zcash’s launch as an example: a team of six developers around the world followed a set of instructions on a DVD to add the zk-SNARKs protocol to its blockchain. Essentially, each member generated one shard, or section, of the password to control Zcash. Gaining this control over all six shards would allow a bad actor to create additional tokens or steal funds.

Once the developers had run the code to generate their respective pieces of the password, each supposedly destroyed their portion of the key, some going as far as to drill holes into their hard drives. In this setup, at least one member must destroy their shard, so no one can find the entire key. This means, in theory, that even if the other five developers colluded to share their shards, they still wouldn’t have access, and it would be difficult to figure out the missing piece.  

Later, Zcash performed a larger trusted setup ceremony called “Powers of Tau”, with somewhere between 100 and 1,000 people running the protocol and destroying their shards of the key, some ceremoniously destroying their hardware in the process.
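The "at least one participant must destroy their shard" property described above can be seen in a toy model. This is an added illustration, not Zcash's ceremony code: it assumes a powers-of-tau style multiplicative update, and the modulus, generator and function names are all chosen here for the example.

```python
import secrets
from functools import reduce

# Toy group (assumed for illustration): integers modulo the Mersenne prime 2^127 - 1.
# Real ceremonies work over pairing-friendly elliptic curves instead.
P = 2**127 - 1
G = 3
ORDER = P - 1      # by Fermat's little theorem, exponents can be reduced mod P - 1
DEGREE = 4         # the public parameters hold g^(tau^0) ... g^(tau^DEGREE)


def new_secret():
    """One participant's private contribution (their 'shard')."""
    return secrets.randbelow(ORDER - 2) + 2


def initial_params():
    """Starting parameters for tau = 1: every entry is g^(1^k) = g."""
    return [G] * (DEGREE + 1)


def contribute(params, secret):
    """Fold one secret into the public parameters.

    Entry k holds g^(tau^k); raising it to secret^k yields g^((tau*secret)^k),
    so the hidden tau is multiplied by the secret without ever being revealed.
    """
    return [pow(elem, pow(secret, k, ORDER), P) for k, elem in enumerate(params)]


def run_ceremony(shards):
    """Each participant in turn updates the parameters with their own shard."""
    params = initial_params()
    for s in shards:
        params = contribute(params, s)
    return params


def params_from_tau(tau):
    """What someone who knows tau itself could compute directly."""
    return [pow(G, pow(tau, k, ORDER), P) for k in range(DEGREE + 1)]


def combine(shards):
    """Multiply retained shards together; only the full set gives the real tau."""
    return reduce(lambda a, b: a * b % ORDER, shards, 1)


def demo():
    shards = [new_secret() for _ in range(6)]   # six participants, as in the launch setup
    public = run_ceremony(shards)
    all_six = params_from_tau(combine(shards)) == public
    five_colluders = params_from_tau(combine(shards[:5])) == public
    return all_six, five_colluders


if __name__ == "__main__":
    all_six, five = demo()
    print("all six shards reconstruct the trapdoor:", all_six)
    print("five colluding shards reconstruct it:  ", five)
```

With one shard gone, the colluders hold only a factor of the hidden value, and recovering the rest from the public parameters means solving a discrete logarithm, which is why a single honest deletion is enough.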

Though this higher number of participants could make things safer, there’s no true way to know it worked, and there’s no way to ensure a fake Zcash isn’t valued as the real Zcash. If Ethereum were to implement zk-SNARKs, it could take thousands of participants to run this kind of scenario unless there were a way around it.

zk-SNARKs are also slow and fairly expensive to implement right now, but this may not always be the case. One implementation, Secure Remote Password protocol (SRP), uses zk-SNARKs so you can log into your account by answering some true or false questions rather than by providing your password. This go-around proves you have the information without ever putting it on a server where a third-party could use it to access your account.

Zk-STARKs: A Better Privacy Breakthrough?

zk-STARKs, on the other hand, are being touted as a less costly and faster alternative to zk-SNARKs. Their biggest advantage is that no trusted setup is required.

Zcash’s founding scientist and zk-SNARKs researcher Professor Eli Ben-Sasson shed light on how the two proofs vary. Ben-Sasson is also part of a new launch, recently cofounding StarkWare Industries for commercial use.

He explains, “zk-SNARKs use public key (asymmetric) cryptography to establish security. zk-STARKs instead requires a leaner symmetric cryptography, namely, collision resistant hash functions, and thus removes the need for a trusted setup. These same techniques also eliminate the number-theoretic assumptions of zk-SNARKs (and BulletProofs) that are computationally expensive and prone to attack by quantum computers. This makes zk-STARKs both faster to generate and post-quantum secure.” We’re about to jump into some of the technical reasons as to why zk-STARKs work differently from zk-SNARKs. 

The zk-STARKs white paper states, “No ZK system realized thus far in code (including that used by cryptocurrencies like Zcash) has achieved both transparency and exponential verification speedup, simultaneously, for general computations.”

Ben-Sasson elaborates on this exponential verification method, saying, “If T represents the number of machine cycles of a computation, then the time to verify a zk-STARK for that computation, as a function of T, is log(T), which is exponentially smaller than T. In contrast, for a computation used only once, zk-SNARK verification … takes exponentially more time than a zk-STARK verification, [and] most of this added computation time is due to the trusted setup.”

When asked how zk-STARKs could help alleviate the number of privacy breaches over time, Ben-Sasson conjectures, “Permissionless blockchains will be the early adopters, followed by conventional businesses. Businesses will be pressured to adapt to the higher standards of transparency and accountability offered by zk-STARKs. As a result, citizens will enjoy a higher level of security and privacy from businesses and organizations who collect and store their personal data.”

To put it simply, zk-SNARKs are like building a top-secret blanket fort with your friends. You each have to assemble all the blankets in just the right way and celebratorily hide the evidence of your fort from your nosey older sister. You also have to put in a lot of effort to keep the sofa cushion walls up, and it will take you more time overall. zk-STARKs, on the other hand, are like a foldable tent you can pull right out of the box. It may not require all the effort and secrecy, but it means you’ll have more time to play flashlight games and tell ghost stories.

A Push for Privacy

Leaders in cryptographic research (i.e., the pioneers of many of the biggest existing and upcoming cryptocurrency projects) are looking into both zk-SNARKs and zk-STARKs. If one were added as an option to the Ethereum platform, you could choose a privacy option to keep your transactions hidden.

There’s a big misconception that transactions on blockchains like Bitcoin, Litecoin, and Ethereum are untrackable. While transactions may appear anonymous because they use long address codes, it is possible to piece together someone’s identity and account balances by tracking the addresses on their public ledgers and elsewhere, especially when someone always uses the same address.

Advances in Privacy Tech

As both zero-knowledge protocols undergo testing on blockchains, the cryptocurrency community is actively testing zk-SNARKs and is likely to test zk-STARKs soon as well. There are also other privacy coins like Monero tackling privacy, at least when it comes to spending.

Monero works by hiding a sender’s identity in a couple of ways, using stealth addresses with one-time destination public keys. It obscures a sender’s IP address and uses a ring signature, which combines a sender’s output address with a group of other possible sender addresses chosen randomly from the Monero blockchain, making it impossible to tell which transaction went where. Ring signatures make it look like a transaction could have been initiated by anyone in a group, kind of like someone with very illegible handwriting signing a check from a group checking account.

In contrast, zk-SNARKs and zk-STARKs fundamentally change how data is shared instead of creating a smoke trail around who sent what. Both are much-needed developments towards protecting our privacy. As Ethereum, banks, and others seek privacy measures in the wake of the increasing number of data breaches of our sensitive information, zk-SNARKs and zk-STARKs will both be put to the test. Whether it’s either of these or something new, may the best proof win – it’s vitally needed.


Security for the Blockchain: Exclusive Interview with Trail of Bits Founder and CEO Dan Guido

Too often, we’ve made incorrect assumptions about our security. Fraudulent charges are covered by our credit card protections, while the FDIC protects our bank accounts. When the entire financial system collapsed mostly due to the subprime mortgage lending industry, we assumed we’d be okay again, and the government bailed out the banks.

We should never take our security for granted, and this is especially true when it comes to blockchain technology. Blockchain projects remain in the early stages, so it’s important to verify that the coding behind crypto wallets, exchanges, and projects is secure. No industry leader understands this better than Trail of Bits founder and CEO Dan Guido.

Guido’s firm specializes in security testing, as if they were hacking their own clients to find their vulnerabilities. Dan Guido’s exclusive interview with The Merkle is an opportunity for the crypto community to proactively address our assumptions about security and safety.

The Merkle: Can you give us a brief history of Trail of Bits and the scope of its projects?

Dan Guido: Trail of Bits has been around for almost seven years. I founded the company with my partner Alex Sotirov. We are both security researchers, and we’ve been doing this since we were fifteen years old. We don’t have any venture funding; we built the company from the ground up.

We work across many industries including tech, finance, and defense. We audit high-assurance financial applications code, low-level code, and cryptographic systems. We work on airplanes for Lockheed Martin, security operations software for Facebook, and security research for DARPA. Since blockchain emerged as a new technology, we have been able to apply all that experience to this new field.

The Merkle: What makes Trail of Bits particularly qualified to do security engineering and assessments on blockchain technology?

Guido: We’re a software security company, and that means we’re constantly working on compilers, binary analysis, programming languages, and trying to find software security flaws, sometimes without even looking at source code. We know what tools to write and what processes to construct. We can tell what good and bad code looks like because we’ve seen it all before; it’s stuff we’ve spent our whole lives on.

About two years ago, we focused on porting the tools we built [to test software and code in other industries] to blockchain technology, particularly the Ethereum Virtual Machine (EVM). Now we primarily offer three services to clients in this space: smart contract audits, design guidance for asset custody, and blockchain design.

For smart contract audits, we’re given a DApp – typically written in Solidity – and apply our unique set of tools and knowledge to help uncover hidden risks. We write new software test cases and provide guidance to help projects stay secure, even after our engagement is finished.

We also look at custody systems, as they are designed for exchanges like Gemini, ICOs, and organizations like the Web3 Foundation. For these projects, we’re designing and reviewing systems that access and store funds.

Finally, we also help with blockchain design. In one notable case, we worked with the RSK blockchain, which puts smart contracts into Bitcoin, and helped review their contract runtime environment. We have both theoretical and applied cryptographers who can do real assessments of blockchain design choices that many other companies cannot.

The Merkle: What are some of the blockchain projects you’re working on?

Guido: Specific to blockchain companies, Trail of Bits has worked with LivePeer, Golem, MakerDAO, and many others we’re not able to disclose. Code auditing isn’t new, but the rapid growth of smart contracts has created an immediate need for testing. From infamous hacks to failed exchanges to enterprising hackers stealing cryptocurrency, it’s clear this industry requires rigorous testing to prove applications work as promised and remain secure.

We started with only one engineer focused on blockchains, working on it out of interest. Today we have ten. Even with all those security engineers, Trail of Bits still has to be selective about new clients, and there are a lot of people we unfortunately turn away. We choose clients who build foundational technologies, take on risks, or who present us with interesting intellectual challenges.

The Merkle: Tell us about your work on Ethereum with fuzzing, particularly your EVM Smart Fuzzer, Echidna, released in early March. On your blog you said, “It’s the first-ever fuzzer to target smart contracts, and has powerful features like abstract state-machine modelling and automatic minimal test case generation.” What are the implications?

Guido: A fuzzer tries to violate assumptions about how code will act. In this case, we’re generating sample inputs to find unexpected problems in Ethereum smart contracts. Echidna is smart about what tricky inputs look like and can generate millions of test cases at a very high throughput to stress test smart contracts.

The potential inputs to a program could be vast, so a good fuzzer must be both really fast and really smart at finding which potential inputs are more effective at breaking the program than others. Echidna does both of these things.

If you’re working with typical compiled code like C++, then you’re looking for a crash. However, in Solidity or EVM bytecode, you don’t know exactly what a bad thing looks like. It could be a wallet drained or accessing someone else’s data. Echidna has an expressive language that lets you customize what properties it’s looking for in these cases.

The Merkle: So, essentially, it tries to make things that must always be true become false?

Guido: Yes, and Echidna tracks the amount of the code it has tested while it works. When it’s tested close to 100%, then it has tried almost anything someone could do to a program. It flails around like crazy trying to find ways to do things you don’t want, testing to see if it can make your application work incorrectly.

This kind of testing gives high assurance your program won’t do something unexpected, like lose all your ether. Echidna is best to use after you add a new feature. Write test cases for it and Echidna will do its best to break the code.

An Echidna test showing problems with Solidity coding.

The Merkle: When someone like Golem goes to you for a smart contract audit, what do you do?

Guido: As a starting point, we ask about the use, architecture, implementation, and testing of the product. Then, we ask about their nightmare scenarios. We’ll use that foundation to search for scenarios where they might become true. We meet with the engineers weekly to review what we’ve found, discuss potential fixes, and make sure we’re reviewing for the right issues.

This process typically takes two to eight weeks. At the conclusion, we write an audit report that lists all our high-level concerns in addition to the specific flaws we found. For example, are there systemic issues with how they write code or parts of the code base that should be checked later? What matters most is that they fix the code identified. In the final debrief, we want them to have the tools and knowledge to fully address all the issues.

The Merkle: Why are these audits so important?

Guido: The risk and consequences of failure when using this technology are high. Blockchain technology is very unforgiving. Transactions are irreversible and participants are pseudo-anonymous, which makes it easy for hackers to steal cryptocurrency with impunity.

Each new application has its own set of business risks too. For example, if you’re depending on a stablecoin not changing value, yet someone can manipulate its price ratio on demand, then that is a security flaw that could let someone make millions. We have to deeply understand each project we work with to find these application-specific flaws.

The Merkle: Yes, the recent phishing attack on MyEtherWallet is yet another reminder of hackers’ ability to steal funds in this space. What steps do you recommend for securely developing smart contracts?

Guido: Many developers rush into writing Solidity because it looks like JavaScript and that makes it easy and familiar. Before you begin, I recommend closely reading the Solidity language documentation and our “Not So Smart Contracts” reference to learn from others’ mistakes. The language, and this whole field, is a work in progress, so it pays to understand its foundation. As you’re writing code, use the best tools available to ensure that each line is correct: use the latest Solidity compiler and review the warnings, write high-coverage unit tests, fuzz the code with Echidna, and symbolically execute it with another of our tools, Manticore, to verify it works correctly.

If you’re truly writing high-risk code, you should talk to an expert. Even if you’ve run through all the right steps, you need a professional, considering what is at risk. These are still the early days, and most of the development tools are not refined. We invest so much in tools to help make this easier for everyone to get right.

Bugs present in Solidity eliminated from other modern programming languages, from a controversial Trail of Bits presentation titled “Black Hat Ethereum”.

The Merkle: It sounds like, despite its popularity, there are some serious problems around coding in Solidity. Can you explain them?

Guido: Solidity has reintroduced bug classes we’ve mostly ironed out from other programming languages. There’s dozens of problems even languages like C, C++, Go, Rust, and Swift have eliminated, where Solidity is reintroducing them all over again. There’s also a financial cost to everyone when bad Solidity code is run in the EVM; it costs real money (in gas) to run inefficient code on smart contracts. I’m really anticipating a move to WASM (Web Assembly Stacked Virtual Machine).

If WASM replaces the EVM, it would let the community build tooling on LLVM (Low Level Virtual Machine). This would be a huge benefit since LLVM is a vastly more mature compiler toolchain, with support for many languages, optimizations, and analyses that Ethereum could use as well.

Regarding the longevity of the Solidity language itself, I think there was a clear benefit in the early stages of Ethereum to [using] a language built for easy adoption like Solidity. However, now that we’ve seen what’s possible, it’s time to consider a safer, more efficient, and more secure method to build smart contracts.



How Can Blockchain Be Used to Aid Cybersecurity?

With the rapid advancement of internet-based technologies, cybersecurity is a constant cloud looming on the horizon. As the technology evolves, so too do the cybercriminals. Their constant efforts to steal valuable data and disrupt business through DDoS attacks are increasingly sophisticated.

Holding companies hostage and monetizing data through ransomware techniques is sadly par for the course. In fact, it’s estimated that cybersecurity alone costs the global economy some $450 billion a year. With IT professionals scrambling to stay one step ahead of the hackers, how can blockchain be used to aid cybersecurity?

No Single Point of Failure

The decentralized nature of eBits means that there is no single point of failure, nor one central database waiting to be hacked. Information is stored over several databases, and each block is linked to the next in the chain, making no “hackable” entrance. This provides infinitely greater security than our current, centralized structures.

Removing Human Error

The weakest link in our current system is simple logins that are vulnerable to being cracked. Blockchain can remove human error in cybersecurity, as businesses can authenticate devices without the need for a password system. Each device is provided with a specific SSL certificate, rather than a password. This keeps human intervention from becoming a potential attack vector.

Bitcoin advocate, adjunct professor at NYU Law School and practicing attorney, Andrew Hinkes, explains, “Using a public blockchain with proof of work consensus can remove the foibles of human mistake or manipulation.”

Detecting Tampering in Real Time

The blockchain can uncover and reject suspicious behavior in the system in real time. Say, for example, that a hacker tried to interfere with the information in a block. The entire system would be alerted and examine all data blocks to locate the one that stood out from the rest. It would then be recognized as false and excluded from the system.
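A sketch of the detection described above, added here as an illustration and not taken from any particular blockchain: the block layout, node names and sample records are constructed for the example. It also shows a caveat: an edited copy whose hashes have been recomputed passes its own link check, so the outlier is only found by comparing copies held by different nodes.

```python
import copy
import hashlib
import json
from collections import Counter

GENESIS_PREV = "0" * 64


def block_hash(index, data, prev_hash):
    """Hash of a block's contents together with the hash of the block before it."""
    payload = json.dumps([index, data, prev_hash]).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(records):
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(records):
        h = block_hash(i, data, prev)
        chain.append({"index": i, "data": data, "prev": prev, "hash": h})
        prev = h
    return chain


def first_broken_link(chain):
    """Index of the first block whose hash or back-link is inconsistent, else None."""
    prev = GENESIS_PREV
    for block in chain:
        expected = block_hash(block["index"], block["data"], block["prev"])
        if block["prev"] != prev or block["hash"] != expected:
            return block["index"]
        prev = block["hash"]
    return None


def relink(chain, start):
    """Recompute hashes from `start` on, as someone with write access to one copy could."""
    prev = chain[start - 1]["hash"] if start else GENESIS_PREV
    for block in chain[start:]:
        block["prev"] = prev
        block["hash"] = block_hash(block["index"], block["data"], prev)
        prev = block["hash"]


def outlier_replicas(replicas):
    """Nodes whose copy fails the link check or whose head hash differs from the majority."""
    heads = {name: chain[-1]["hash"] for name, chain in replicas.items()}
    majority_head = Counter(heads.values()).most_common(1)[0][0]
    return sorted(name for name, chain in replicas.items()
                  if first_broken_link(chain) is not None or heads[name] != majority_head)


def first_divergence(chain, reference):
    """Index of the first block where a copy stops agreeing with a reference copy."""
    for mine, theirs in zip(chain, reference):
        if mine["hash"] != theirs["hash"]:
            return mine["index"]
    return None


def demo():
    # Constructed sample records, replicated on three nodes.
    records = ["alice->bob 5", "bob->carol 2", "carol->dave 1", "dave->alice 3"]
    replicas = {name: build_chain(records) for name in ("node-a", "node-b", "node-c")}

    # Case 1: a block is edited in place; the chain's own links expose it.
    naive = copy.deepcopy(replicas["node-a"])
    naive[1]["data"] = "bob->mallory 2"
    naive_hit = first_broken_link(naive)

    # Case 2: the edit is followed by re-hashing, so the copy is internally
    # consistent and only comparison with the other nodes reveals it.
    replicas["node-c"][1]["data"] = "bob->mallory 2"
    relink(replicas["node-c"], 1)
    internal_hit = first_broken_link(replicas["node-c"])
    outliers = outlier_replicas(replicas)
    where = first_divergence(replicas["node-c"], replicas["node-a"])
    return naive_hit, internal_hit, outliers, where


if __name__ == "__main__":
    print(demo())
```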

Improving IoT Security

With the rise in IoT devices come inherent security risks. We’ve already seen problems occur when trying to disable compromised devices that become part of botnets. According to Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, the blockchain can put an end to that:

“The blockchain, with its solid cryptographic foundation offering a decentralized solution can aid against data tampering, thus offering greater assurances for the legitimacy of the data.” This would mean that potentially billions of IoT devices could connect and communicate in a secure ecosystem.


All transactions on the blockchain are highly traceable, using a timestamp and digital signature. Companies can easily go back to the root of each and every transaction to a given date and locate the corresponding party. Since all transactions are cryptographically associated to a user, the perpetrator can be easily found.

Says Hinkes, “Blockchains create an audit trail of all activity by its participants, which simplifies access control and monitoring.” This offers companies a level of security and transparency on every iteration.

The Takeaway

Currently, the impending threat of DDoS attacks comes from our existing Domain Name System. Blockchain technology would disrupt this completely by decentralizing the DNS and distributing the content to a greater number of nodes. This would make it virtually impossible for cybercriminals to hack, and would create a secure environment to host the world’s data.
