Thursday, February 1, 2018

Cryptocurrency InfoSec Perspective

So I like Reddit. Some folks on Reddit decided to start their own Cyptocurrency for fun. I've been meaning to learn about how this works for real not just theory in part because I need to have more details to back up telling people blockchain can't fix their problems. What I learned so far was shocking as an InfoSec person. I'm still getting started and learning but I have enough to rant about. This is going to focus on the crazy InfoSec of all of this. Not the details, directions, overclocking the GPU, etc, etc. Go somewhere else if you want to learn to mine. Stay here if you want to learn how dangerous all of this is.


  • Be careful what executable files you download and run, research the coin or software and if it doesn't look 100% legit don't do it.
  • Don't blow off AV warnings because other are
  • Be careful if your private key and know about any software you paste it into, that is all someone needs to empty out your wallet, if you really get into this look into hardware wallets
  • Research all software you are thinking about using. Google it with the word scam after the name. Really dig into anything that seems easy and is GUI based, the scammers appear to be targeting people who shy away from using command line tools. If you can't deal with command line, don't get into mining.

The Story:

The new currency (which is going to the moon) is Garlicoin.

For starters you need a wallet. Doing this what they say here This involves downloading a zip full of executable files and running many of them.  Sketchy, but I've been following this community for a while and I'm sure they are solid people. But people are doing this for 1000's of coins they have no involvement with, that is crazy. But OK moving on.

I need to get a miner. The official sites point me to this one. So yet another random exe from someone I don't know. Tpruvot. But he looks like a nice man from France and googling it looks like tons of people use his software to mine, it is very popular. Technically I can try to look over the code but it is a lot of code and forget it, now I'm mining coins. Probably safe, maybe.

So far I've run 3 executable files but the sources seems pretty trustworthy. Then everyone started to recommend installing a GUI wallet Garlium. So I did. To import the wallet I setup with the command line I have to give it my private key. Now if you don't know, that private key is all you need to steal my hard mined coins. And I need to put it into this software I know nothing about. And btw, AV pops it when you download it. I'm serious. That seems crazy but everyone is doing it and I want to be cool. But I did just give an unknown app that AV pops my private key. If this was full of bitcoin I wouldn't have done it. This is getting to be too much.

But now my hash rates aren't as good as everyone else. Well they are using this version of ccminer instead so I try it and it is far faster, more coins, sweet! But here is the thing. This is a github repo from some Russian I can't find much about or anyone who knows. There is no documentation and I don't know why it is faster or what was changed. Yet I'm running in on the same PC that the wallet is on and has the private key to the wallet. This is clearly a bad idea but no one is thinking twice about it. This is all getting a bit too much so I start to google around. What I found was shocking.

The whole cryptocurrency mining community seems to be built on people simply running compiled code, either GUI apps or command line exe files, from dubious sources. AV popping them is a common problem which everyone ignores. It is common to put your private key in random software, and I saw many people give advice on their website or in directions saying to save it in a text file on your computer. And people are installing these apps and running these programs from coins they know nothing about hoping to get in early in the next bitcoin. If anyone ever decided to be evil in rolling out a new coin they could easily make one decided to empty your wallets of your other coins, or worse. This makes me wonder if hardware wallets are really in wide use, but I don't know. So many people seems to keep tons of their coins on websites that get hacked and use online wallets, I kind of doubt it.

Finally people appear to clearly be making easy to use GUI mining tools for people that are just plan out scams. There are tons of scams, of clearly malicious software people are using to mine.

So this is all crazy. Now that I have some coins I get to figure out how horrible the markets are. More to come. :-)

No comments:

Post a Comment