Why’s my computer so slow? Maybe someone is digging for virtual gold.

Posted on : 30-06-2014 | By : richard.gale | In : Cyber Security

Tags: , , , , , , ,


We’ve discussed the rise and fall and rise of virtual currencies in a couple of previous articles (When are Bitcoins going to crash and what’s next?,  The hidden costs of transacting with virtual currencies).

Creating new currency (whether it be Bitcoin, Dogecoin, Litecoin etc) involves using more and more complex logarithms that consume computing power. The reward for this problem solving is a virtual coin and the amount of work required to ‘earn’ a ‘coin’ is constantly rising.  ‘Miners’, as the creators are call are always looking for new and creative ways to build more coins and the cost of processing power sometimes outweighs the worth of the output.

A phenomena that will only rise in frequency and impact is the misuse of other people’s computers to do this.  A few examples are outlined below where organisations were unwittingly hosting unauthorised external mining activities (maybe some terminology from the Californian gold rush would be appropriate – are they virtual “claim jumpers” or “processing poachers”?)

Harvard University research servers have been used to mine dogecoins. A powerful cluster of machines known as ‘Odyssey’ had been hijacked – misused really as the user had legitimate access – and a mining operation was in place for an unknown period of time. The perpetrator has now had their access revoked but is is not known how profitable the operation was.

Another example, the US National Science foundation supercomputers had been taken over for bitcoin mining – the researcher accused of creating the mining operation said he was ‘conducting research’ and it is thought around $8,000 worth of bitcoins were produced.

There are other occurrences of this phenomena including rogue Android applications which have been reported to have taken over peoples’ mobile phones to carry out mining activities (although they would need a large number of phones to make this at all valuable).

We think these examples reflect a wider problem. People  can have legitimate access to huge amounts of computing  power, this especially true in academic, governmental and larger enterprises. How can the need to run large simulations or experiments be differentiated from more sinister misuses of that excess power?

This whole space is a difficult area to analyse. What is ‘normal’ and what is ‘abnormal’? We’ve been thinking about how to differentiate the two and are now working with a really smart new security company that can help with this (and many other security) issues.

The product, Darktrace, has been built by some ex-MI5 and GCHQ scientists and it grew out of the need to protect the UK’s critical network infrastructure (energy & water supplies, communications & transport)  against terrorist or foreign state cyber-attack. The guys at Darktrace quickly realised that the current suite of protection could not prevent most insider attacks (whether intentioned or accidental) so a new model was needed.

Darktrace sits at the centre of your network, listens and learns about the behaviour of users, connected devices and the network itself and then alerts when something abnormal or unusual occurs. It has no preconceptions about the environment when it is installed and it learns (for a period of 2-4 weeks) and then shouts (usually to the security operations team or external team such as the Mandiant response units) when something odd happens. Darktrace views the appliance almost like the immune system of a body, It understands what healthy is and alerts its ‘antibodies’ to investigate and destroy if necessary any potential threat.

The product uses some clever probabilistic algorithms that constantly learn and build on its knowledge of your environment. An example could be the user ‘Fred’. Fred normally logs in to the network after 8:00am, accesses mail, three file servers and then logs out before 7:00pm. If Fred suddenly starts logging in at 02:0am, searchers eight different file servers for documents containing the word ‘Patent’ and then starts exporting them outside the organisation to a site in the Ukraine then it would be marked as ‘unusual’ and alerted. This could potentially be legitimate activity if ‘Fred’s role has changed but probably not. Traditional cyber-technologies may not catch these sort of issues as they are looking for specific patterns or types of behaviour rather than general differences from the norm.

We have been working with Darktrace and can install the appliance on your network to perform the analysis for you. We can do this for a period of 4-8 weeks(to give the system enough time to learn the environment and to sufficient data to work with) and can provide analysis of any unusual behaviour and advice to your security team through that period. In that period of time we would expect to see some unusual activity so should hopefully show the value to your organisation.

If you would like to learn more about this please do contact us.