Cyber Security

HIGHLIGHTS

Black Hat Party Tricks Shouldn't Distract from Real Issues

U.S. Targets Bitcoin Exchange, Alleging It Facilitated Crime

Editor’s News Picks: Staffing For Privacy Shield, WFC Breach Apology, Russian Facebook Espionage, Loan Application Breach, Bitcoin Laundering


Commentary & Analysis

Black Hat Party Tricks Shouldn’t Distract from Real Issues

By Kate Fazzini

It’s probably the biggest, flashiest conference in the cybersecurity world: “Black Hat,” a convergence of hacker demonstrations, roundtables and security wares that is hard to ignore even for those who don’t work in the field.

One reason it’s so hard to ignore? Businesses, particularly technology companies, often get sucked into the event because of live hacker demonstrations that show the weakness of their products or networks. Businesses in and around the conference, held this year in Las Vegas, often shore up their defenses in novel ways for fear of being hacked: nearby restaurants, bars and shops refuse credit cards and go cash-only. Business services companies, like United Parcel Service of America Inc., don’t allow customers to use USB devices to upload printable documents at retail locations around the conference.

This climate of fear and mystery may not be particularly productive or instructive for business leaders, experts said. Instead, they suggest focusing on some unmistakable trends in the industry--trends that reflect current and future threats--and understanding how to incorporate those into their cybersecurity strategies.

“Some of [the conference] may be people just showing off what they can do,” in terms of hacking, said Michael Chertoff, founder of security consulting firm Chertoff Group and former Secretary of the U.S. Department of Homeland Security. “But what I hope board members don’t do is just throw their hands up in the air and say ‘there’s nothing we can do about this,’ and just pray they don’t get caught up in a breach.”

Understanding the Changing Risks

One trend to watch is the use of traditional criminal hacking techniques, such as ransomware, as vehicles for disrupting companies and institutions by nation-states or political entities. This point shouldn’t be lost on executives and board members, said Mr. Chertoff, because it plays into a critical piece of security strategy--taking note of which data is most valuable to hackers today. If nation-state hacking continues to rise, businesses must start paying particular attention not just to data that can be monetized, like credit card numbers, but to data on customers, business deals and transactions involving potentially targeted individuals or enterprises.

“People don’t understand what kinds of assets might be critical to a hacker. In fact, a lot of companies don’t really know the assets they have on their network …especially when there are mergers involved,” Mr. Chertoff said. Companies should continually evaluate “What are the threat actors looking for” and update their strategies accordingly. He said he expects the trend of nations and criminal groups converging and launching new types of attacks on the private sector to continue.

Mr. Chertoff said that, on a positive note for companies, there is growing “strong international interest” in creating norms for cyber warfare, norms that would provide greater clarity on what kinds of corporate and government targets must be avoided. In the private sphere, this is particularly true of financial sector firms and their critical providers, as cybersecurity threats to the global financial system have come into greater focus.

French Caldwell, a senior marketing executive with Palo Alto-based risk and IT advisory firm MetricStream, has attended several past Black Hat conferences, though not this year’s. Mr. Caldwell, who formerly served in cybersecurity roles with the U.S. Naval War College and The George Washington University, said what has changed is just how “digital” companies are now.

Integrating security strategy high-up in the corporate structure has become essential, given recent attacks, Mr. Caldwell said, and companies shouldn’t expect major help or significant regulation in the U.S. near-term. The broader “attack surface” for most companies today is reflected in the huge proliferation in cyber vendors—a market estimated to grow to $170 billion in 2020 from $77 billion in 2015--and their commensurate race to get noticed at conferences like Black Hat.

What hasn’t grown, he said, is the amount of government support offered to companies.

“It’ll take something truly massive, such as a large number of Americans’ having their life savings wiped out, or lives lost, for the government to intervene aggressively. For the foreseeable future, cybersecurity legislation will advance only slowly and incrementally,” he said.

The WannaCry and Petya attacks provide the most important lessons for businesses, when compared to other recent hacking news and one-off demonstrations at shows like Black Hat, said Mr. Caldwell.

“We, as a society, are transforming our businesses in a way so that they’re almost entirely digital,” said Mr. Caldwell. “When your model is totally dependent on IT, IT becomes a critical component of a business model, particularly in regards to delivery of services to customers.”

Companies, therefore, shouldn’t focus too much on the threat of the moment, he said, because new threats can always emerge; the enterprise must be poised to react to tomorrow’s threat instead.

(Kate Fazzini writes about cybersecurity for WSJ Pro. She has held roles in cybersecurity at Promontory Financial Group and JPMorgan Chase, and is an adjunct professor of cybersecurity at the University of Maryland, teaching cybersecurity for business and government. Write to Kate at kate.fazzini@wsj.com.)


More From Dow Jones

U.S. Targets Bitcoin Exchange, Alleging It Facilitated Crime

By Ian Talley in Washington and Samuel Rubenfeld in New York

Photo caption: Alexander Vinnik was arrested this week and fined by the Treasury Department. U.S. officials allege that a bitcoin exchange he owns didn’t have enough internal oversight, making it easy to conduct criminal activity.

U.S. law-enforcement authorities took aim at one of the world’s largest digital-currency exchanges this week in an anti-money-laundering operation that spanned two continents and sent a warning to other virtual-money platforms the U.S. says may be facilitating crime.

The Treasury Department’s Financial Crimes Enforcement Network late Wednesday levied a record $110 million fine against BTC-e and a $12 million penalty against Alexander Vinnik, a Russian national who the U.S. says is the beneficial owner of the Seychelles-based company that manages BTC-e. The fines followed the arrest of Mr. Vinnik in Greece on Tuesday at the request of U.S. authorities under a 21-count indictment brought by the Justice Department in a Northern California district court.

BTC-e, which is based in Bulgaria but regulated under the laws of Cyprus, allowed its users to trade bitcoin with high levels of anonymity. U.S. authorities allege that insufficient internal oversight at the firm facilitated computer hacking, fraud, identity theft, public corruption and drug trafficking in transactions that totaled more than $4 billion.

“We will hold accountable foreign-located money transmitters, including virtual-currency exchangers, that do business in the United States when they willfully violate U.S. anti-money-laundering laws,” said Jamal El-Hindi, FinCEN acting director.

Neither Mr. Vinnik nor BTC-e could immediately be reached for comment. The website for BTC-e said it was offline for unscheduled maintenance and wouldn’t be back in service for five to 10 days.

The joint operation was coordinated with more than a half-dozen U.S. agencies, including the Federal Bureau of Investigation and the Internal Revenue Service.

Mr. Vinnik, whose U.S. warrant was issued under seal in January, was arrested and detained by Greek law enforcement Tuesday on money-laundering charges. Greek police told the Associated Press they seized electronic equipment from his hotel room, and the officers who arrested Mr. Vinnik at a hotel grabbed his mobile phone before he could lock it.

The Justice Department said that while cryptocurrencies such as Bitcoin provide legitimate new financial channels for commerce, the anonymity of the BTC-e digital-currency exchange facilitated money-laundering and illicit finance for a world-wide network of criminal activity. The only requirements to register an account were a username, password and email address.

“Just as new computer technologies continue to change the way we engage each other and experience the world, so too will criminals subvert these new technologies to serve their own nefarious purposes,” said Brian Stretch, U.S. attorney for the Northern District of California.

According to the indictment, which was approved in January and unsealed Wednesday, the company operated as a criminal business venture designed to launder money from a host of illegal enterprises. Among those activities, authorities pointed to the laundering of digital currency from the now-defunct Mt. Gox exchange that once handled most of the world’s bitcoin transactions but shut down after it was hacked in 2014. Authorities say the firm also received a portion of criminal proceeds from CryptoWall, one of the world’s largest ransomware schemes.

The Justice Department said that, unlike several other digital platforms that have anti-money-laundering programs in place to combat illicit finance, BTC-e failed to implement sufficient protocols. BTC-e wasn’t registered as a money-services business with Treasury, as required by law, despite doing substantial business in the U.S., according to the Justice Department. BTC-e users “openly and explicitly discussed conducting criminal activity” through the website’s internal messaging systems, Treasury said.

“The takedown of this large virtual-currency exchange should send a strong message to cybercriminals and other unregulated exchanges across the globe,” said Don Fort, chief of the IRS’s Criminal Investigation team.

The BTC-e effort follows the shutdown of AlphaBay, an online marketplace that sold illegal goods anonymously on the so-called Dark Web.

U.S. officials forced the shuttering of another digital-currency platform, Liberty Reserve, in 2013 after charging its founders with laundering more than $6 billion in ill-gotten gains.

Bitcoin experts say the latest action shows the U.S. can reach beyond its borders.

“If you are doing something illegal, even if you are outside the U.S., if you have customers in the U.S., then regulators can go after you,” said Nick Tomaino, a venture investor at Runa Capital and a cryptocurrency blogger.

The Justice Department noted in its indictment that BTC-e was using servers in the U.S. for many of its transactions.

Many bitcoin experts had wondered how the company had operated for so long given long-running and public concerns about the alleged criminal aspect of BTC-e. But the sealed indictment and Mr. Vinnik’s detainment in Greece indicate that U.S. authorities were waiting to snare the BTC-e executive when he visited a country ready to cooperate with the U.S.

Bitcoin prices showed little reaction to the fines and arrest of Mr. Vinnik. Experts say that is because of the growing legitimacy of digital currency and acknowledgment by authorities that there are both lawful and illegal uses of the virtual coin.

“BTC-e was a relic of the first age of these bitcoin companies,” Mr. Tomaino said. Several other exchanges have well-respected founders who have relationships with regulators and have established accountability programs meant to root out illicit finance, he added.

Write to Ian Talley at ian.talley@wsj.com and Samuel Rubenfeld at samuel.rubenfeld@wsj.com


Editor's News Picks

Staffing For Privacy Shield: The Trump administration is preparing to make nominations to the Privacy and Civil Liberties Oversight Board, the independent agency tasked with protecting civil liberties and a key component in U.S. compliance with the Privacy Shield agreement. Of five seats on the board, four have been vacant since the beginning of the administration, causing consternation in Europe over whether the U.S. intends to live up to the Privacy Shield framework for transferring data from the European Union to American companies. As the sole remaining board member told U.S. News and World Report, “Reports of our demise have been greatly exaggerated.”

WFC Breach Apology: Wells Fargo may soon be apologizing to approximately 50,000 customers after the bank’s general counsel mistakenly shared data belonging to many of its wealthiest customers as part of the e-discovery process, the New York Times reports. Those 50,000 clients had tens of billions of dollars invested with the bank, and their names, Social Security numbers, and financial details like their investment portfolios and banking fees were handed over without any protections as part of a defamation lawsuit.

Russian Facebook Espionage: Russian spies created at least two dozen Facebook accounts and attempted to cozy up to French officials in person, as part of a campaign to collect intelligence on now-French President Emmanuel Macron’s campaign, Reuters reported Thursday. The number of Facebook accounts suspended in France for promoting propaganda or spam rose to 70,000 from the 30,000 the company disclosed in April, Reuters reported. Emails belonging to Macron campaign officials were also stolen and dumped online as part of the interference campaign, though Mr. Macron won the election in a landslide in May.

Loan Application Breach: UniCredit said the personal data of more than 400,000 loan applicants was exposed in a data breach that the Italian bank didn’t detect for ten months, according to a statement this week. The breach, apparently the fault of a third party, was discovered less than a year before the General Data Protection Regulation will force organizations to vet third-party partners for security lapses. “Whilst the fact [UniCredit] knows this shows they are doing a better job than most,” one expert told The Register, “the delay in revealing this goes to show that any business with large amounts of data must have a full understanding of where, how and who manages it.”

Bitcoin Laundering: An American grand jury indicted a Russian man this week on charges he worked as the operator of BTC-e, a bitcoin exchange that prosecutors say was used to launder more than $4 billion for other suspects involved in computer hacking and digital drug sales. The U.S. Department of Justice alleged the man did a large chunk of his business in the U.S., and that he was involved in the collapse of Mt. Gox, the bitcoin exchange that was hacked in 2014 leading to the theft of 630,000 bitcoin.
