I believe that the “area of interest” for nation state / well resourced attackers is far larger than most people think.
We’ve seen DPRK pursue a relentless quest for cryptocurrency (bitcoin) in particular. They’ve been quite resourceful.
Who is leading the charge in updating security guides / research / threat modeling? Who is adapting the adage “today’s nation state is tomorrow’s script kiddie”? Let’s be real: we all (for sufficiently large values of all) are the target of a nation state. It’s no longer acceptable to say “this is sufficient unless you’re being hunted by big game”.
During a previous job, some people I had worked alongside looked closely into the DPRK's attacks on cryptocurrency services; we had a daily threat intelligence report and dedicated team on threat intelligence as this was in the finance sector.
The DPRK's attacks on cryptocurrency providers in fact weren't very sophisticated. Many nation state 'threat actors' with the APT designations or funny names are often unprofessional or aren't substantially unique beyond what their motives are, their toolkit and where they come from. There are some exceptions like the FVEY, or elite branches in Russia/China's government security agencies. However, those groups often conduct attacks to target an individual or make a serious attack on people comparable to their level (like with the SolarWinds / U.S. Government breach or the USA making malicious, persistent hard drive firmware for single targets).
Many threat actors in hostile nations are just younger people committing crime for fun or financial gain and being able to do it consistently and persistently because the nation they are from does not hold them accountable or punish them for doing it. You can compare Russian ransomware groups or Iranian politically motivated hacktivism to the teenagers in the USA who hack a company and post the database on warez forums, with the difference being the westerners actually go to jail. North Korea is a bit different considering their political climate (extremely communist, everyone is in the military) but their capabilities are around the same and lack anything unique because they are a stupidly poor country. The North Koreans' most damaging attack involved using a leaked American exploit rather than anything original.
North Korea commits cryptocurrency theft by just attacking cryptocurrency exchange platforms and custodians, because the security in most of them sucks, and badly. Intelligence reported that it was phishing, and so did other forensics firms publicly. If you look at the targets that North Korea attacked and stole funds from, you'll essentially see that they are all random shitcoin companies most 'crypto' people have probably not heard of, done with no announcement of a zero-day exploit or sophisticated attack:
North Korea attacks cryptocurrency companies not just because they can use the funds they steal to fund illicit activities. The security that these 'crypto' or 'blockchain' companies have is horrendous to the point that they are low-hanging fruit for the North Koreans to actually take advantage of. FTX was one of the largest exchanges when it was active, and had no dedicated cybersecurity team. In fact, many still don't have it to this day.
Anyways, to answer this:
"Who is leading the charge in updating security guides / research / threat modeling?"
Users, engineers, researchers, academics and hackers. Companies do little to nothing when it comes to security innovation and it's all down to the people they hire. Companies serve to promote, publicize and make money off of having better security than their competitors only, in my opinion. This doesn't mean to say all the big companies have flawed security though, they don't, since they always get to hire the best people.
Projects like Tor, Whonix, Brave, Samourai, GrapheneOS, or even hardware (e.g. Trezor) and commercial software (e.g. Windows) rely heavily on independent research for the progress of their product. If it were not for the groups of people I mentioned putting them to the test or through scrutiny then they wouldn't be leading anything.
You'll find websites that publish security/privacy advice all the time, but if you can't really trust them to keep them up to date, your best bet is to look at what the developers of big security/privacy projects say. A lot of these people are open to talking about the downsides, shortcomings and what needs to be improved on with their work, because they need that criticism to be public to have someone notice it and make a difference.
reply
"North Korea commits cryptocurrency theft by just attacking cryptocurrency exchange platforms and custodians, because the security in most of them sucks, and badly."
Yes. This is very true. I enjoyed The Lazarus Heist podcast for a deep dive on all that.
I've toyed around with launching a crypto exchange. Riding the rails of our high assurance and compliant infrastructure we are building out anyway as we go through all the hoops to be a prime US Government contractor with facility clearance etc. Once you have your own proper PKI and K8S, it's amazing how "easy" everything becomes and how low your marginal costs drop. :)
"Companies do little to nothing when it comes to security innovation"
Do you mean end user organizations? Customers of vendors? Or are you referring to the vendors? (I know the blame lies with both). Things like the Zero Day Initiative are a great way to help bridge the gap and allow researchers to research "safely" and organizations to get their act together.
I hang out in /r/netsec and other similar forums.
Thank you for the detailed/principled reply. It's appreciated.
reply
"Do you mean end user organizations? Customers of vendors? Or are you referring to the vendors?"
Mainly vendors. They'll often drive towards profit and only do what's required or industry standard for their information security or the security of their products - no need to go above since for them that'll just be more costs and less profit. Think the commercialization of products selling security features with special names and marketing frills like 'military-grade' - no innovation when you are doing the same thing as everyone else.
iPhone sells their phone as the most secure when in practice an Android (Pixel) are both extremely similar in their implementations (default disk encryption, private messaging app, permission controls, a secure element etc.), just an example.
"Things like the Zero Day Initiative are a great way to help bridge the gap and allow researchers to research "safely" and organizations to get their act together."
A lot of the best results come from groups like this I think. It's likely why Apple and Google (Project Zero) have their own dedicated teams for these things too.
reply
what if your threat model does include a nation state?
monero
reply
What is the threat? (asking honestly, I don't understand anything about this, you're talking about north korea being a threat to bitcoin? what are they gonna do, buy so many computers they can take over the currency—thereby destroying its value and making everyone move on to another currency?)
reply
Stealing of bitcoin holdings.
Via any number of methods, ultimately resulting in a keystroke logger or something being planted.
Hardware wallets mitigate the risk to some extent.
reply
Most folks advise to never type your seed phrase anywhere, so that should significantly reduce the impact of keyloggers, no?
reply
I’m guessing most folks record it somewhere on their hard drive?
For example, the post the other day with a GPG encrypted copy of the pass phrase. They entered the alphanumeric password at some point and had the pass phrase (seed phrase I guess?) in a plain text file.
What are the best practices these days? Anyone to follow / read for good security guides (for crypto specifically)?
Mostly this is an academic thought exercise, a “curated gentle troll” meant to get the community thinking and ideating.
As someone who’s taken many security precautions (including an air gapped offline root CA and GPG primary private key, using multiple YubiKeys (one for daily use, one for more sensitive things, one for airgap)), I take security quite seriously.
I’m always interested to discover new resources.
reply
Quite simply I think keeping the seed offline forever is what people do. Physical backups, seed plates, etc. As soon as you put it on a computer, the attack vector increases exponentially. Other folks can weigh in though, I’m just one person.
reply
Consider me flattered and honored!
reply
I know you're being somewhat sarcastic.
My money is on the entire FAANG etc. having their Thales based root CA keys compromised. I’ve been less than impressed with security measures taken around key material and/or network security in general.
Once you start really understanding the full capabilities and vulnerabilities of these commercial CA appliances, you realize how massive the attack surface is.
My current stack is Nitrokey HSM with XCA on an air gapped laptop. Keep it all in a decent safe with cameras and alarm system.
reply