Photo via Flickr user anatancoins.
Yesterday, news broke that a Canadian Bitcoin exchange, simply known as “Canadian Bitcoins,” was robbed of nearly $100,000 worth of cryptocurrency. Luckily, the business model of Canadian Bitcoins is such that none of the company’s customers lost any of their own money—because Canadian Bitcoins is not a trading platform where customers hold balances with the service, they simply buy bitcoins and go on their way.
Despite the crypto-fortunes of the company’s customers remaining intact, the method that Canada’s newly crowned most successful bitcoin thief used has exposed a massive (but by no means new) gap in computer security: human beings. All this thief did was open up a chat window with the data centre that hosts the Canadian Bitcoins website and pretend to be its CEO, James Grant. Given that at no point did Granite Networks—the company that hosted Canadian Bitcoins—ever speak with the thief, the cyber-burglar could have been a 12-year old girl with an advanced knowledge of server systems and deception (the company has since switched facilities). We just don’t know.
Anyway, over the course of a two hour conversation, during which there was ostensibly little-to-no authentication of James’s identity by the data centre representative, the thief was able to convince the data centre to reboot the Canadian Bitcoins server, enter a physically locked “server pen” where the company’s servers were stored, and give this thief access to the servers itself, which then allowed him to extract 149.94BTC from one of the company’s Bitcoin wallets—a sum that at as of 11:30AM EST this morning, is worth $102,800 CAD.
Comically enough, Rogers, which owns Granite, responded to this facepalm-worthy social engineering heist by releasing the following statement: “Rogers Data Centres provides the highest level of security in the Canadian data centre industry. Its security protocol is operationally certified and in accordance with industry best practices. We have reviewed our security processes and continue to work with our customers to make sure they take advantage of all of our security features.”
Really? The highest grade of security in Canada doesn’t mandate thorough identity verification checks, when someone claiming to be the CEO of said company opens up a chat window and essentially requests full access to the company’s servers? I’m sure that’s providing a ton of reassurance to tech companies across the country that are following this story. To make matters worse, James Grant told the Ottawa Citizen that were he to request the same kind of access in person, he would have had to use “a key card to enter the building” which would then be followed by a retina scan, two sets of locked doors, then another door leading into the server pen that can only be opened by entering a private numeric code.
Social engineering has been one of the primary tools for hacking since hacking was invented. Kevin Mitnick, one of the planet’s most infamous hackers, wrote extensively about social engineering in 2002 in his book The Art of Deception, which outlines various tricks that social engineers can use to get access to “secure” systems. For example: “a person gains access to a company's internal computer system, guarded by a password that changes daily, by waiting for a snowstorm and then calling the network center posing as a snowed-in employee who wants to work from home, tricking the operator into revealing today's password and access through duplicity,” or “a person gains access to a restricted area by approaching the door carrying a large box of books, and relying on people's propensity to hold the door open for others in that situation.”
In a report written by Cameron Winklevoss after the collapse of Mt. Gox, the largest collapse of a Bitcoin exchange to date, Cam Winks theorized that a “janitor attack” could have potentially brought down the company: “whereby a infiltrator posing as cleaning personnel is able to carry out a USB attack to place malware on a development machine and successfully corrupt random number generator MtGox used to generate internal bitcoin accounts…. Yes it might seem extreme, but very possible given how comparatively soft a target Mt.Gox appears to have been. An engineer could, for example, simply apply for an interview. A bank or art gallery heist is arguably much harder to pull off. There is plenty of historical precedent for elaborate multi-million dollar heists in the past.”
To learn more about the ways in which major companies are susceptible to social engineering attacks, I called Robert Masse, co-founder of the internet security firm Swipe Identity, whose personal Twitter bio boasts: “I'm the guy you call when you get hacked or if you want something to get hacked.” Regarding the Canadian Bitcoins heist, Robert told me he was impressed with the balls it would have taken to pull off such a brazen theft. He assumes it must have been an inside job, pulled off by someone who would know the specific weaknesses of Granite Networks.
Even more interesting, however, was Robert’s description of a recent security breach he was hired to execute on an unnamed telecom company that was looking to increase its security, by testing its own weaknesses. Robert gets hired to do speaking gigs, where he gives a talk called “How to Breach a Data Centre for $50.” In his words: “I was hired to break into a data centre. Just to prove the point, I went to RONA/Home Depot and I bought a white construction helmet, then I went to a flea market and paid $10 to make a logo of the phone company [that hired me] and I put it on the side of the construction helmet. Then I kicked the helmet around my garage for five minutes… I was able to walk into the data centre and plant a backdoor into the network.
[The back door] is inside a box the size of cigarette pack. On one side you plug the network cable into the LAN port, and then the other interface is a USB port. In the USB port I plug in a cellular rocket stick, and that dials up an IP connection back to my office. As soon as I plug it in, it calls my office, through cellular modem,” thus giving Robert complete access to the company’s data centre.
Robert even told me he was followed by a security guard during the entire process, and when he was asked what the backdoor device was for, Robert muttered something like: “to test the fiber optics level” to which the security guard replied, “Oh that’s interesting.”
According to Robert, it’s “super simple” for a company to provide the correct “training and awareness” so that someone, with one conversation, isn’t able to contact your data centre and steal $100,000. As Robert explained, Granite Networks had “millions of dollars of infrastructure that were completely taken apart. Was there a procedure? If there was, it wasn’t solid… It’s called people hacking… I don’t need to hack your firewall and infrastructure. I’ll just call someone and get it done. I’ll break one of your procedures.”