More stories


    A deep dive into the operations of the LockBit ransomware group

    Researchers have provided an in-depth look at how LockBit, one of the newer ransomware groups on the scene, operates.

    Ransomware has become one of the most disruptive forms of cyberattack this year. The global WannaCry outbreak of 2017 showed how severe the disruption could be, and in 2021 nothing seems to have changed for the better. This year alone we have seen the Colonial Pipeline attack cause fuel supply shortages across parts of the US, ongoing problems at Ireland’s national health service, and systematic disruption at meat processing giant JBS, all caused by the malware.

    Ransomware operators deploy malware that encrypts and locks systems, and they may also steal confidential data during an attack. Payment is then demanded in return for a decryption key. Losing money by the second while their systems fail to respond, victim enterprises may then be subject to a second salvo designed to pile on the pressure: the threat of corporate data being leaked or sold through so-called leak sites on the dark web.

    Ransomware attacks are projected to cost $265 billion worldwide by 2031, and payouts now commonly reach millions of dollars, as in the case of JBS. However, there is no guarantee that the decryption keys supplied are fit for purpose, or that paying once means an organization will not be hit again. A Cybereason survey released this week suggested that up to 80% of businesses that fell prey to ransomware and paid up have experienced a second attack, potentially by the same threat actors.

    The threat of ransomware to businesses and critical utilities has become serious enough that the issue was raised during the meeting between US President Joe Biden and Russian President Vladimir Putin at the Geneva summit.

    Each group has a different modus operandi, and ransomware operators are constantly ‘retiring’ or joining the fold, often through a Ransomware-as-a-Service (RaaS) affiliate model. On Friday, the Prodaft Threat Intelligence (PTI) team published a report (.PDF) exploring LockBit and its affiliates.

    According to the research, LockBit, believed to have previously operated under the name ABCD, runs a RaaS structure that gives affiliate groups a central control panel to create new LockBit samples, manage their victims, publish blog posts, and pull up statistics on the success, or failure, of their attack attempts.

    The investigation found that LockBit affiliates most often buy Remote Desktop Protocol (RDP) access to servers as their initial attack vector, although they may also use typical phishing and credential stuffing techniques. “Those kinds of tailored access services can be purchased as low as $5, thus mak[ing] this approach very lucrative for affiliates,” Prodaft notes. Exploits are used too, including against Fortinet VPN vulnerabilities that have not been patched on target machines.

    Forensic investigations of machines attacked by LockBit affiliates show that the threat groups first try to identify “mission-critical” systems, including NAS devices, backup servers, and domain controllers. Data exfiltration then begins, with packages usually uploaded to services including MEGA’s cloud storage platform. A LockBit sample is then deployed manually and files are encrypted with a generated AES key. Backups are deleted and the system wallpaper is changed to a ransom note containing a link to a .onion website where decryption software can be purchased.

    The website also offers a decryption ‘trial,’ in which one file smaller than 256KB can be decrypted for free. This isn’t just to show that decryption is possible: an encrypted file has to be submitted so that the affiliates can generate a decryptor for that particular victim. If victims reach out, attackers can open a chat window in the LockBit panel to talk to them. Conversations will often start with the ransom demand, the payment deadline, the payment method (usually Bitcoin), and instructions on how to purchase cryptocurrency.

    Prodaft was able to obtain access to the LockBit panel, revealing affiliate usernames, the number of victims, registration dates, and contact details. The research team says that clues within the affiliate names and addresses suggest that some may also be signed up with Babuk and REvil, two other RaaS groups; the investigation is ongoing.

    On average, LockBit affiliates request roughly $85,000 from each victim, 10 to 30% of which goes to the RaaS operators, and the ransomware has infected thousands of devices worldwide. Over 20% of victims on the dashboard were in the software and services sector. “Commercial and professional services as well as the transportation sector [are] also highly targeted by the LockBit group,” Prodaft says. “However, it should be noted that the value of the ransom is determined by the affiliate after various checks using online services. This value does not solely depend on the sector of the victim.”

    At the time of writing, LockBit’s leak site was unavailable. After infiltrating LockBit’s systems, the researchers decrypted all of the accessible victims on the platform. Bleeping Computer has previously reported that LockBit was a new entrant to a ransomware cartel overseen by Maze. Prodaft told ZDNet that as they “detected several LockBit affiliates are also working for other ransomware groups, collaboration is very likely.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
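The report says affiliates usually buy RDP access, or fall back on credential stuffing, to get in. What that leaves behind in a Windows Security log is a run of failed RemoteInteractive logons from one source followed by a success from the same source. The following is an added detection example written for this page, not code from Prodaft or the article: it scans parsed logon events for that pattern. Event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values; the events, addresses, usernames and the threshold of five failures in ten minutes are constructed for illustration.

```python
"""Added example for this page (not Prodaft's or ZDNet's code): spot the
"many failed RDP logons, then one success from the same source" pattern that
credential stuffing and bought RDP access tend to leave in Windows logs.

Windows values used: Security event 4625 = failed logon, 4624 = successful
logon, logon type 10 = RemoteInteractive (RDP). Everything else here, the
events, addresses, usernames and thresholds, is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of parsed Security-log events (not real telemetry).
SAMPLE_EVENTS = [
    # One source walks through several accounts, then gets in as svc_backup.
    {"time": "2021-06-18T02:10:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2021-06-18T02:10:14", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2021-06-18T02:10:27", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7"},
    {"time": "2021-06-18T02:10:41", "event_id": 4625, "logon_type": 10, "user": "helpdesk", "src_ip": "203.0.113.7"},
    {"time": "2021-06-18T02:10:55", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "203.0.113.7"},
    {"time": "2021-06-18T02:11:09", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"},
    {"time": "2021-06-18T02:11:30", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"},
    # A user mistypes a password once and then logs in: below threshold.
    {"time": "2021-06-18T09:02:10", "event_id": 4625, "logon_type": 10, "user": "mlee", "src_ip": "198.51.100.20"},
    {"time": "2021-06-18T09:02:31", "event_id": 4624, "logon_type": 10, "user": "mlee", "src_ip": "198.51.100.20"},
    # A network (SMB) logon, type 3: not RDP, so ignored by this rule.
    {"time": "2021-06-18T09:15:00", "event_id": 4624, "logon_type": 3, "user": "mlee", "src_ip": "192.0.2.9"},
    # A lone failure hours later from the first source, with no success: no alert.
    {"time": "2021-06-18T22:40:00", "event_id": 4625, "logon_type": 10, "user": "root", "src_ip": "203.0.113.7"},
]


def detect_rdp_stuffing(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return one alert per successful RDP logon that was preceded, within
    `window`, by at least `fail_threshold` failed RDP logons from the same
    source address. Events may arrive in any order; they are sorted by time."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    recent_failures = defaultdict(list)  # src_ip -> [(time, user), ...]
    alerts = []
    for ev in ordered:
        if ev["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons matter for this rule
        when = datetime.fromisoformat(ev["time"])
        src = ev["src_ip"]
        # Slide the window: drop failures older than `window` before this event.
        recent_failures[src] = [(t, u) for (t, u) in recent_failures[src] if when - t <= window]
        if ev["event_id"] == 4625:
            recent_failures[src].append((when, ev["user"]))
        elif ev["event_id"] == 4624:
            fails = recent_failures[src]
            if len(fails) >= fail_threshold:
                alerts.append({
                    "src_ip": src,
                    "user": ev["user"],
                    "success_time": ev["time"],
                    "failed_attempts": len(fails),
                    # Many distinct accounts from one source is the stuffing/spray
                    # signature; many attempts against one account looks like brute force.
                    "distinct_users": len({u for _, u in fails}),
                })
            recent_failures[src].clear()  # a success resets the counter for that source
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_stuffing(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately ignores logon types other than 10, so SMB or service logons do not inflate the counts, and it resets per source on success so one intrusion produces one alert rather than one per later event. In a real deployment the failure threshold and window would be tuned to the environment, and an alert would be enriched with whether the source address is an expected VPN or jump host.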


    Why improving diversity in cybersecurity is vital for everyone

    Improving diversity in the cybersecurity industry by doing more to hire people from different backgrounds can help improve online defences for everyone, because it will enable information security teams to think about, and defend against, concepts and attack techniques they may not have considered before.

    Figures from an NCSC report on diversity detail how over 85% of professionals working in cybersecurity are white, compared to under 15% from black, Asian or mixed ethnic groups. Two-thirds of the industry identifies as male, compared to 31% identifying as female, while over 84% of those surveyed identify as straight, compared with 10% who identified as LGBT. But diversity is, gradually, increasing.


    “I feel like from a diversity and inclusion standpoint in the cybersecurity industry we’ve honestly come a long way,” Christine Izuakor, founder and CEO of Cyber Pop-up, told ZDNet Security Update. “There’s definitely some work to do, but I’m so happy to see so many initiatives around building diversity in the industry, bringing more women into the industry, more people of colour, people from all these different backgrounds. I think that’s huge.”

    Not only does diversifying the cybersecurity industry help it better reflect the population, it can bring different ways of thinking and different skills to the table, and it could also help cybersecurity teams gain a better idea of how the malicious hacking operations they’re trying to defend networks against actually work.

    “The people who are carrying out these attacks don’t look one kind of way or come from one different background. They come from so many different backgrounds across so many different parts of the world,” Izuakor explained. “You can’t defend against that by having one train of thought. You need those different perspectives, you need the people who are defending against these attacks to look just like the people who are attacking, and that looks like a variety of different people,” she added.

    Improving diversity in cybersecurity teams should, therefore, be a key aim for organisations across the industry, because it can help protect people and businesses from a wider range of cyber threats. “I truly believe that we cannot adequately defend against attacks or develop the solutions and the methods and things that we need if we keep a one-track mind. We have to have diversity in the space, otherwise we will fail,” Izuakor said.

    It’s also important to recognise that people can take different routes into cybersecurity: some might get qualifications from university or information security certifications, others might learn skills via online courses, and some might even teach themselves entirely. “It’s important to acknowledge that people have different learning modes and different paths, and that is OK, as long as the job is getting done right and as long as we’re defending against these attacks and being more secure,” said Izuakor.


    Rust in the Linux kernel just got a big boost from Google

    The recently announced proposal to make the Rust programming language one of two main languages for the Linux kernel is getting a major boost thanks to Google and the Internet Security Research Group (ISRG), the group behind the Let’s Encrypt certificate authority. The main goal of the push to bring Rust to Linux is to wipe out an entire class of memory-related security bugs in the kernel, which is a key part of the internet’s infrastructure, running on everything from servers to edge devices and smartphones. 

    Historically the kernel, including the drivers that make up much of it, has been written in C, which is not memory-safe, whereas Rust is; as Microsoft has highlighted, roughly 70% of the security vulnerabilities it fixes are memory-safety bugs.

    Linux kernel developers are exploring whether to write new parts of the kernel in Rust rather than rewriting the entire Linux kernel, which contains over 30 million lines of code. Google aired its plans to back the project to bring Rust to Linux in April, an initiative that has been led by developer Miguel Ojeda, who has posted a request for comment (RFC) about the proposal. Until now, Ojeda had been working on contract with ISRG’s Prossimo project for memory safety, an early effort funded by Google, but now the group has hired him to work full-time on the project.

    “Google has found time after time that large efforts to eliminate entire classes of security issues are the best investments at scale,” said Dan Lorenc, a software engineer at Google who has helped coordinate the Rust-Linux project and works on the infrastructure behind Google Cloud Platform. “We understand work in something as widely used and critical as the Linux kernel takes time, but we’re thrilled to be able to help the ISRG support Miguel Ojeda’s work dedicated to improving the memory safety of the kernel for everyone.”

    As Lorenc suggests, introducing a second language into the Linux kernel isn’t a light decision. Linux creator Linus Torvalds had a few objections to bringing in Rust after Ojeda’s RFC. But with Google’s backing, there might be room to move. “Adding a second language to the Linux kernel is a decision that needs to be carefully weighed,” said Ojeda in a statement. “Rust brings enough improvements over C to merit such consideration.”

    The Linux kernel is at the heart of the modern internet, from servers to client devices, said ISRG’s executive director, Josh Aas, pointing out that it is on the front line for processing network data and other forms of input. As such, vulnerabilities in the Linux kernel can have a wide-ranging impact, putting security and privacy for people, organizations, and devices at risk. “Since it’s written largely in the C language, which is not memory-safe, memory safety vulnerabilities such as buffer overflows and use-after-frees are a constant concern. By making it possible to write parts of the Linux kernel in Rust, which is memory-safe, we can entirely eliminate memory safety vulnerabilities from certain components, such as drivers.” That guarantee applies to safe Rust; kernel code still needs unsafe blocks to touch hardware and to call into the existing C code, and those blocks have to be reviewed by hand.

    Google is also backing the ISRG project to create a Rust-based module for the Apache HTTP web server. That is another important piece of internet infrastructure, since the module is responsible for the TLS layer that cryptographically secures HTTPS connections to widely used Apache web servers.


    Ransomware: Too many firms are still willing to pay up if attacked

    Over half of organisations would pay the ransom if they fell victim to a ransomware attack, despite repeated warnings that they shouldn’t encourage cyber criminal extortion.

    Research by the Neustar International Security Council (NISC) found that six in ten organisations would pay cyber criminals for the decryption key in the event of a ransomware attack, according to its survey of 300 workers in ‘senior positions’. That’s despite the likes of the White House, the UK Home Office, law enforcement and cybersecurity experts warning that paying the ransom should be avoided, because it signals to ransomware operations that their extortion schemes work.

    High-profile ransomware victims that have paid recently include Colonial Pipeline, which paid over $4 million in Bitcoin to cyber criminals using DarkSide ransomware, and meat processor JBS, which paid $11 million in Bitcoin to criminals who compromised its network with REvil ransomware.

    These incidents have seemingly forced businesses to take notice, with 80 percent of cybersecurity professionals surveyed for the research stating that more emphasis is being placed on protecting against the threat of ransomware. However, a quarter of respondents fear that their current security procedures might not offer full protection against ransomware, describing them as ‘somewhat’ or ‘very’ insufficient.

    When it comes to ransomware, the best thing an organisation can do is prevent it becoming a problem in the first place. Cybersecurity procedures like applying multi-factor authentication across the network, applying security patches for known vulnerabilities in a timely manner, and regularly updating back-ups, storing them offline and verifying that they can actually be restored, can help organisations avoid being disrupted by a ransomware attack. By applying these sorts of protections, organisations make it much less likely that they will feel the need to give in to the extortion demands of cyber criminals.

    “Companies must unite in not paying ransoms. Attackers will continue to increase their demands for ever larger ransom amounts especially if they see that companies are willing to pay. This spiral upwards must be stopped,” said Rodney Joffe, NISC chairman and fellow at Neustar.


    This strange malware stops you from visiting pirate websites

    A strain of malware with odd intentions when it comes to piracy and the moral compass of its victims has been detected in the wild.

    On Thursday, Sophos researchers said they had uncovered a malware campaign that doesn’t follow typical behavioral patterns (infiltrate a system, steal information, conduct banking fraud, and so on); instead, the malware “blocks infected users from being able to visit a large number of websites dedicated to software piracy.”

    The means of distribution varies: some samples were buried in archives disguised as software packages promoted through the Discord chat service, whereas others are distributed directly via torrent. The creator has used the names of numerous software brands, games, productivity tools, and cybersecurity solutions to hide the malware, according to principal researcher Andrew Brandt, and so appears to be targeting everyone from gamers to professionals who might not want to purchase a software license. The malicious packages are named in the formats commonly used when distributing pirated software, such as “Minecraft 1.5.2 Cracked [Full Installer][Online][Server List],” and the files are tagged to appear as uploads from The Pirate Bay.

    “The files that appear to be hosted on Discord’s file-sharing tend to be lone executable files,” Brandt says. “The ones distributed through Bittorrent have been packaged in a way that more closely resembles how pirated software is typically shared using that protocol: added to a compressed file that also contains a text file and other ancillary files, as well as an old fashioned Internet Shortcut file.”

    If the malware’s executable is double-clicked, a pop-up message appears claiming that the victim’s system is missing a crucial .DLL file. In the background, the malware fetches a secondary payload, dubbed ProcessHacker, from an external website. This payload is responsible for modifying the HOSTS file on the target machine.

    The malware’s piracy website blocking process is rudimentary: it simply adds a list of between a few hundred and over 1,000 web domains to the HOSTS file and points them at a localhost address, so name resolution for those domains never leaves the machine. Oddly, some websites on the block list have nothing to do with piracy.

    However, on modern Windows systems administrator privileges are required to modify the HOSTS file, and not every sample triggered a prompt to elevate the malware’s privileges. When that escalation didn’t occur, the HOSTS file modification failed. “Modifying the HOSTS file is a crude but effective method to prevent a computer from being able to reach a web address,” Sophos says. “It’s crude because, while it works, the malware has no persistence mechanism. Anyone can remove the entries after they’ve been added to the HOSTS file.”

    In some of the malware packages, the operator added files bundled with the installer, likely to improve its look of legitimacy as a pirated software package. Most of these files are junk code and garbage images, although a common .nfo file contained racist slurs.

    “On the face of it, the adversary’s targets and tools suggest this could be some kind of crudely-compiled anti-piracy vigilante operation,” Brandt commented. “However, the attacker’s vast potential target audience — from gamers to business professionals — combined with the curious mix of dated and new tools, TTPs, and the bizarre list of websites blocked by the malware, all make the ultimate purpose of this operation a bit murky.”

    While the malware is crude and doesn’t have a major impact on users, unless they are fans of cracked software or pirated content, a modified HOSTS file can be cleaned up, Sophos says, by running Notepad as an administrator, opening C:\Windows\System32\drivers\etc\hosts, and removing the added entries.
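The indicator Sophos describes is easy to check for: a HOSTS file should contain at most a handful of loopback entries for local names, so any run of ordinary domains mapped to 127.0.0.1 or 0.0.0.0 deserves a look. The following is an added example written for this page, not code from Sophos or from the malware, that does that triage offline against a constructed hosts file (the domains and addresses in it are made up, and the .example names are placeholders, not the real block list). It flags such entries and produces a cleaned copy while keeping comments, legitimate mappings and any genuine localhost line, which is the programmatic equivalent of the Notepad-as-administrator cleanup above. Writing the result back to C:\Windows\System32\drivers\etc\hosts still needs an elevated prompt, which the script deliberately does not attempt.

```python
"""Added example for this page (not Sophos's or the malware's code): triage a
Windows HOSTS file for the bulk sinkholing described above and produce a
cleaned copy. The sample hosts content, domains and addresses are constructed;
the .example names are placeholders, not the malware's real block list.
"""
import ipaddress

# Constructed hosts file content. On Windows the real file lives at
# C:\Windows\System32\drivers\etc\hosts and needs an elevated prompt to edit.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1   localhost
10.0.0.5    intranet.corp.example
127.0.0.1   thepiratebay.example
127.0.0.1   example-tracker.net kickass.example localhost
0.0.0.0     cracks.example
"""

# Addresses that make a name resolve to nowhere: loopback and the null route.
SINKHOLE_ADDRS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}
# Names that legitimately point at loopback and must be left alone.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_no, address, [names]) for each active (non-comment) entry."""
    for line_no, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()  # strip trailing/inline comments
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; leave it for a human
        yield line_no, addr, fields[1:]


def find_sinkholed(text):
    """Return [(line_no, name)] for every non-local name mapped to a sinkhole address."""
    hits = []
    for line_no, addr, names in parse_hosts(text):
        if addr in SINKHOLE_ADDRS:
            hits.extend((line_no, n) for n in names if n.lower() not in LOCAL_NAMES)
    return hits


def clean_hosts(text):
    """Return hosts text with sinkholed non-local names removed. Comments, blank
    lines and ordinary mappings are kept verbatim; a sinkhole line that also
    carried a genuine local name is rewritten to keep only that name."""
    rewrite = {}  # line_no -> replacement line, or None to drop the line
    for line_no, addr, names in parse_hosts(text):
        if addr not in SINKHOLE_ADDRS:
            continue
        keep = [n for n in names if n.lower() in LOCAL_NAMES]
        if len(keep) != len(names):
            rewrite[line_no] = f"{addr}\t{' '.join(keep)}" if keep else None
    out = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line_no not in rewrite:
            out.append(line)
        elif rewrite[line_no] is not None:
            out.append(rewrite[line_no])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, name in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is sinkholed")
    print(clean_hosts(SAMPLE_HOSTS))
```

The check is deliberately conservative: it only touches entries whose address is loopback or 0.0.0.0, so an administrator’s own mappings to real addresses survive, and it rewrites rather than drops a line that mixes a real localhost entry with injected names. A practitioner would run the flagging half across a fleet first and only apply the cleanup once the flagged names have been eyeballed, because the same technique is also used legitimately by ad-blocking hosts lists.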


    The top crypto exchanges you need to know

    Cryptocurrency exchanges are a lot like the auction house in World of Warcraft. Like in WoW, you’re buying and selling digital goods, except this time you’re buying and selling, say, Dogecoin instead of Crystalized Dread. Basically, crypto exchanges help traders acquire or divest cryptocurrency holdings. They do this by converting fiat money (actual government-backed currency) into the digital currency of your choice (and vice versa when you sell). Some exchanges only take real money. Some only take digital currency. All charge fees of one sort or another, which is key to how they make a profit.

    It should go without saying, but we’ll say it here: investing in cryptocurrency is risky as all heck. Crypto investing involves transferring hard-earned actual money for some fake bits generated by a purposely obtuse algorithm in the hope that enough other people will believe in the fake bits to make them somehow real. If that raises the hairs on the back of your neck, it should. But some of you will be brave enough, or crazy enough, or wealthy enough that it just doesn’t matter, and put down cold, hard cash in return for fantasy money. Good luck. People out there are making money off this stuff. We’re not, but someone is.

    How we made our selections

    We did a literature review of the findings of six financially-oriented sites (they’re listed below) that ranked the exchanges, and aggregated those findings. By looking at findings from evaluators across the internet, we stand a better chance of creating a more reliable picture of the exchanges, while also being careful to avoid picking winners in a possibly regulated market. Across all the sites, we identified 43 crypto exchanges. Of those 43 exchanges, 29 of them were only reviewed on one site. Because we’re explicitly trying to find how they’re perceived across the internet, we removed all of the one-hit wonders. We also removed another six exchanges that showed up on only two sites. None of them scored near the top of their respective reviewers’ lists, so there was no great loss. That left us with seven providers tested on three or more sites, giving us a good starting point. Of those seven, four exchanges (Coinbase, Gemini, Binance.US, and Kraken) each got three sets of star-ratings. Two sites rated on a 1-5 scale and one (BitDegree) rated on a 1-10 scale. We converted BitDegree’s rating to a 1-5 scale (by dividing the ratings in half), and that allowed us to total up average ratings for the four exchanges where we had enough representative data.

    These are the crypto exchanges that you might consider checking out.

    Coinbase

    Probably the best-known crypto exchange

    Overview
    Review average: 4.63
    Free crypto on signup: $5 worth of free bitcoin
    Number of currencies: 20+
    Wallet: Yes

    Trading fees
    Spread fee: 0.5%
    Fees: $1.49 – $2.99 depending on amount
    Wire transfer fees: $10 incoming, $25 outgoing

    Payment fees when buying crypto
    ACH deposits: 1.49%
    Coinbase wallet: 1.49%
    Debit cards: 3.99%

    Many categories of online services have canonical brands that are nearly synonymous with the category. For online shopping, it’s Amazon. For auctions, it’s eBay. For movie streaming, it’s still Netflix. For cryptocurrency, it’s Bitcoin. And for crypto exchanges, it’s Coinbase. No other crypto exchange has the brand equity of Coinbase. Coinbase was one of only two exchanges rated by all our source reviewers (the other was Gemini).

    Coinbase seems to be a solid platform if you’re just starting out and you want to trade some bitcoin. One benefit of Coinbase is that it’s a US company, which matters if you’re holding more than $10,000 and want to keep your tax paperwork simpler: because the account is not held at a foreign financial institution, US Coinbase customers do not need to file a Report of Foreign Bank and Financial Accounts (FBAR) with the Treasury’s FinCEN for it.

    Coinbase does offer a wallet, so you can treat the exchange as your one-stop shop for basic crypto. There’s also a Coinbase Pro service for those who have more in-depth intentions in this field.

    Pros
    Probably best known crypto exchange
    Clean user interface

    Cons
    Mediocre technical support
    Higher fees than many


    Kraken

    A monster of a crypto exchange

    Overview
    Review average: 4.62
    Free crypto on signup: None
    Number of currencies: 50+
    Wallet: No

    Trading fees
    Fees (maker/taker): 0-0.2%/0.1-0.5% depending on volume
    Additional fees: Leverage buying has margin opening and rollover fees

    Payment fees when buying crypto
    ACH deposits: $0-10 depending on bank option
    Debit/credit cards: 3.75% + $0.25
    Crypto deposit: Percentage of currency being deposited (varies by currency)

    Withdrawal fees
    Cash withdrawal: $0-35 depending on bank option
    Crypto withdrawal: Percentage of currency being withdrawn (varies by currency)

    There’s something unsettling about using a currency exchange whose name immediately brings to mind the phrase “beware the…” But, at least according to the aggregated internet reviews, you probably don’t have to beware this Kraken. It has the second highest review average and quite a lot of positive comments.

    The Miami Herald, for example, says it has the “best customer support of any crypto exchange,” even though the only support provided is via chat or ticket requests. Given that many of the crypto exchanges we’ve looked at tend to elicit “good, but terrible customer support,” that may not be a terribly high bar. But any customer support has to be better than terrible customer support, so there you go.

    The customer support may be needed, because the interface is relatively complex and is reputed to “have bugs that need fixing in the UI,” according to the Herald. Kraken also offers a variety of advanced services including margin trading, futures trading, and staking rewards.

    Pros
    Better customer service than many other exchanges
    Wide range of currencies and services

    Cons
    Complex interface
    Somewhat buggy


    Binance.US

    Lots of currencies, but US restrictions and UI issues

    Overview
    Review average: 4.57
    Free crypto on signup: None
    Number of currencies: 200+
    Wallet: Yes

    Trading fees
    Spot trading fee: 0.1%
    Instant buy/sell fee: 0.5%
    Discount: 25% if you pay fees in BNB (Binance’s own token)

    Deposit fees
    ACH deposits: free
    Wire: $15
    Debit cards: 4.5%

    Withdrawal fees
    ACH withdrawal: 0%
    Wire: $15 domestic, $35 international
    Debit card: not available

    Binance.US is the American version of the Binance trading platform. The US site has a more limited selection of coins and tokens to trade than the international Binance. That’s not necessarily meant to imply that the coins and tokens on the US implementation are any safer, however.

    There are also issues with account access. We’ve seen a number of user reports describing serious difficulties setting up and using multifactor authentication; if you trade here, confirm that your second factor works, and that you have stored the recovery codes somewhere safe, before moving significant funds in.

    If you’re a big-money trader (more than $50,000 in a given month), you may be able to get discounts on trading fees. The company offers a wide range of order types including limit, market, and stop-limit mechanisms. Some of these options may not be available in the US.

    Pros
    Big volume discounts
    Many coin types available

    Cons
    Futures and margin trading not available in US
    Many additional limits for US traders


    Gemini

    Because…the founders are the Winklevoss twins

    Overview
    Review average: 4.23
    Free crypto: $10 worth of Bitcoin after buying/selling $100 BTC
    Number of currencies: 25+
    Wallet: No

    Trading fees
    “Convenience” fee: 0.5% over market rate
    Transaction fees: $0.99-$2.99
    Large transaction ($200+) fee: 1.49% of market value

    Deposit fees
    ACH deposits: free
    Wire transfer fees: $10 incoming, $25 outgoing
    No debit or credit cards

    Transfer fees
    ACH: free
    Wire: free
    Some crypto: free

    So here’s a bit of trivia. Remember Cameron Winklevoss and Tyler Winklevoss, contenders for the title of founders of Facebook? It’s a long story and part of a relatively inaccurate movie with Aaron Sorkin’s unbelievable but spectacularly-written dialog. Both Winklevi (they’re twins) were played by Armie Hammer in the movie.

    Gemini trades in quite a few digital currencies, but that’s not all. The company has begun trading in NFTs. One interesting fact is that Gemini is a US-based company regulated by the New York State Department of Financial Services; its customers’ US dollar balances are held at FDIC-insured banks, though the exchange itself is not a bank and crypto holdings carry no such insurance.

    Gemini appears to generally have a reputation for a good UI. Guru99 says, “It is a simple, elegant, and secure way to build bitcoin and crypto portfolio.” That feeling is echoed by most of the internet evaluations we examined.

    Pros
    Good user interface
    New York State regulated

    Cons
    Challenging and unclear fee structure
    Founders not on Zuckerberg’s Friends list


    Bittrex

    Lots of currencies and flat-fee trading

    Overview
    Review average: not enough ratings
    Free crypto: No
    Number of currencies: 220+
    Wallet: Yes

    Trading fees
    Flat fee for all transactions: 0.25%

    Deposit fees
    No wire transfer fees
    Only US Dollar transfers allowed via wire transfer
    Individual currency transfers may have fees

    According to Tradesanta.com, “Bittrex is probably one of the most advanced crypto exchanges on the market today. It provides users with the fastest transactions available.”

    Bittrex is based up here in the Pacific Northwest, in Seattle. However, despite being a US-based company, Bittrex states “Bittrex is not a regulated exchange under U.S. securities laws.”

    Bittrex was founded by Bill Shihara (a former security engineering manager at Amazon and Blackberry, with a prior 11-year Microsoft tenure), Richie Lai (a former leader in the Amazon information security team, with a prior 12-year Microsoft tenure), and Rami Kawach (a former principal security engineer at Amazon, with time at Qualys and Microsoft). All that certainly explains why they’re based in the Evergreen State.

    Pros
    Free online wallet
    Very few deposit fees
    A metric ton of currencies

    Cons
    No margin trading
    Flat fee could get expensive


    Coinmama

    Accepts credit and debit cards, plus Apple Pay

    Overview
    Review average: not enough ratings
    Free crypto: No
    Number of currencies: 10+
    Wallet: No

    Trading fees
    Spread: XBX + 2%
    Buy order commission fee: Up to 3.9%
    Sell order commission fee: 0.1% to 0.9%

    Payment fees when buying crypto
    Debit/credit cards: Additional 5% “momentum” fee
    SEPA bank transfer fee: £0
    SWIFT bank transfer: £0 over $1,000, £20 under $1,000

    Withdrawal fees
    Withdrawal: $0
    Additional sell fee: 0.1-0.9%

    Coinmama, the exchange with the best name we’ve seen, was founded by Nimrod Gruber (also the best founder name we’ve seen), is registered in Slovakia and operates out of Israel.

    The exchange’s most obvious benefit is the ease of transferring fiat currency (i.e., dollars or euros) into and out of the exchange. The firm accepts not only debit cards, but credit cards and even Apple Pay.

    Coinmama is more of a reseller than an exchange. You can’t use one cryptocurrency to buy another. Instead, if you want to buy a currency, you have to use fiat money. The same is true of selling a currency. So if you want to use your Bitcoin to buy Ethereum, you’ll first need to sell your Bitcoin for dollars or euros, then spend those dollars or euros to buy the Ethereum.

    When you add up the spread fee percentage plus the sell fee percentage, you get a fee basis that’s higher than Coinbase, which has among the highest fees we’ve seen. You can lower those fees a bit by being what Coinmama calls Curious, Enthusiast, or Believer, a loyalty discount based on your trading volume over both a rolling 90-day period and your lifetime on Coinmama.

    Pros
    Best name evar!
    Accepts credit and debit cards, plus Apple Pay

    Cons
    Very few currencies compared to other exchanges
    Combined fees higher than even Coinbase’s


    eToro

    Automatically mimic successful traders (and there’s Alec Baldwin)

    Overview
    Review average: not enough ratings
    Free crypto: Get $50 when you buy $1,000 worth of crypto
    Number of currencies: 14
    Wallet: Yes

    Trading fees
    Trading fee: 0.75% to 2.9% based on the spread between bid and ask
    Conversion (currency to currency) fee: 0.1%

    Payment fees when buying crypto
    Deposit fee: $0
    Additional fees: Extra fee for depositing non-USD currency

    Withdrawal fees
    Withdrawal: $0
    Additional fees: Extra fee for withdrawing in non-USD currency

    One of the most interesting features of eToro is its “practice trading account,” which lets you simulate trades and get used to the process before risking actual money. Another interesting feature is eToro’s CopyTrade option, which allows you to automatically run trades based on the actions of top traders on the platform. Essentially, you can put your trading on autopilot, and as long as the trader you’re mimicking is making smart moves, so will you.

    Be aware that there are some built-in delays getting started with eToro. Every incoming deposit is put on hold for 7 days. Transfers can then take another 3 days, so you’re looking at 10 days before you’re actually in the money, er, crypto. This also applies to wired-in funds, which can also take up to 7 days to hit your account.

    Pros
    Ability to mimic successful traders automatically
    Practice trading account
    The best Baldwin

    Cons
    Comparatively high trading fees
    Credit/debit cards not accepted
    Baked-in delays on top of baked-in delays

    How much does it cost to trade cryptocurrency?

    While exchanges are not banks, they all share one very bankerly philosophy: whether or not you make money, the banker always wins. In this case, the exchanges make money through a wide range of fees attached to just about everything. For example, there’s the spread fee. If you buy cryptocurrency, you’ll pay a bit more than the asking price. If you sell cryptocurrency, you’ll get a bit less than market price. That bit more or bit less is the spread.

    On top of the actual purchase fees are the fees you pay to bring real-world money (called stablecoin in crypto vernacular) into the exchange. These include ACH transfers, wire transfers, use of the exchange’s wallet, and debit and credit card fees (although most exchanges only accept debit cards).

    How secure are crypto exchanges?

    Many of the reviewers we explored during our literature review made claims about the security of the various exchanges. Over the past year, there has been a constant series of hacks of exchanges, accounts, and crypto-related activities. We do not feel that we have anywhere near enough information to declare one exchange more secure than another (and, quite honestly, don’t feel that any reviewer has enough information to make any claims).

    As such, we’re not reporting that one exchange is more secure than another, or that this or that exchange has not been hacked (because they may have been, but not reported it). This is definitely an area where caveat emptor is in full effect. Be careful, young Padawan. Be very, very careful.

    How risky is crypto investment?

    Look, crypto investing isn’t for everyone. Almost everything about the process, once you think about the real money implications, should evoke a sense of caution and care, if not some crystallized dread. Much of the terminology and many of the mechanisms behind crypto trading are complex and arcane, so it’s very possible to lose your shirt.

    That said, the exchanges we’re spotlighting here seem to be some of the best out there, at least according to other outlets that examined them in some detail.

    Personally, most of my digital currency holdings are in World of Warcraft gold, and even that has some market value. If you want 5,000 WoW gold coins, you can buy them for about $400. I didn’t buy my gold. Instead, years ago when I had more time to play video games, I farmed it in game (the WoW equivalent of crypto mining).

    Why do I keep bringing all this back to fake money in a video game? Because, fundamentally, all these cryptocurrencies we’ve been talking about are also fake money in a digital space. The value of crypto exists solely because enough people decided it has value — and that value can vanish the minute people lose faith.

    But isn’t that also true of so-called real money? Most of us have paper in our wallets or a number on a website that represents our cash holdings. Our real money has value because we choose to accept it for goods and services. So, it’s entirely possible that, as time moves on, more and more sellers will accept certain cryptocurrencies in return for their goods and services.

    For now, though, just be careful.

    The sites we used as source material

    These are the sites we used in researching and assembling the data in this article:

    What about you? Have you invested in crypto? Do you plan to in the future? Share your thoughts and experiences (and advice, if you have any) below.

    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


    Open-source security: Google has a new plan to stop software supply chain attacks

    To tackle the growing threat of attacks on the software supply chain, Google has proposed the Supply chain Levels for Software Artifacts framework, or SLSA, which is pronounced “salsa”. Sophisticated attackers have figured out that the software supply chain is the soft underbelly of the software industry. Beyond the game-changing SolarWinds hack, Google points to the recent Codecov supply chain attack, which stung cybersecurity firm Rapid7 via a tainted Bash uploader.


    While supply chain attacks aren’t new, Google notes they’ve escalated in the past year, and that attackers’ focus has shifted away from exploits for known or zero-day software vulnerabilities.

    Google describes SLSA as “an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain.”

    It takes its lead from Google’s internal “Binary Authorization for Borg” (BAB) – a process Google has been using for more than eight years to verify code provenance and implement code identity. The goal of BAB is to reduce insider risk by ensuring that production software deployed at Google is properly reviewed, especially if the code has access to user data, Google notes in a white paper.

    “The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats. With SLSA, consumers can make informed choices about the security posture of the software they consume,” said Kim Lewandowski of Google’s open-source security team and Mark Lodato, from the BAB Team.

    SLSA looks to lock down everything in the software build chain, from the developer to source code, the build platform and CI/CD systems, the package repository, and dependencies. Dependencies are a major weak point for open-source software projects. In February, Google proposed new protocols for critical open-source software development that would require code reviews by two independent parties, and that maintainers use two-factor authentication.

    It reckons the higher SLSA levels would have helped prevent the attack on SolarWinds’ software build system, which was compromised to install an implant that injected a backdoor during each new build. It also argues SLSA would have helped in the Codecov attack because “provenance of the artifact in the GCS bucket would have shown that the artifact was not built in the expected manner from the expected source repo.”

    While the SLSA framework is just a set of guidelines for now, Google envisages that its final form will go beyond best practices via enforceability. “It will support the automatic creation of auditable metadata that can be fed into policy engines to give ‘SLSA certification’ to a particular package or build platform,” Google said. The scheme consists of four levels of SLSA, with four being the ideal state where all software development processes are protected, as pictured below.

    Image: Google
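    The Codecov quote above is the crux of the argument: a consumer who has provenance for an artifact can refuse it when the provenance does not name the expected builder and source repository, or when the artifact's digest no longer matches what the builder attested. The following is an added example, not code from Google, the SLSA project or the article, of what such a policy check looks like. It uses a simplified statement shaped like the in-toto/SLSA provenance format, and an HMAC over the payload stands in for the asymmetric DSSE signature a real builder would produce; the builder id, repository URI, key and artifact bytes are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample values (not from the article). A shared HMAC key stands in
# for the builder's signing key; real SLSA provenance is signed asymmetrically.
BUILDER_KEY = b"constructed-demo-key"
TRUSTED_BUILDER = "https://example.com/builders/ci@v1"      # hypothetical builder id
EXPECTED_REPO = "git+https://example.com/org/uploader"      # hypothetical source repo


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifact: bytes, builder_id: str, source_repo: str) -> dict:
    """Build a simplified SLSA-style provenance statement for one artifact."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": "uploader.sh", "digest": {"sha256": sha256_hex(artifact)}}],
        "predicate": {
            "builder": {"id": builder_id},
            "invocation": {"configSource": {"uri": source_repo}},
        },
    }


def sign_statement(statement: dict, key: bytes) -> dict:
    """Wrap a statement in a minimal signed envelope (HMAC as a DSSE stand-in)."""
    payload = json.dumps(statement, sort_keys=True)
    sig = hmac.new(key, payload.encode(), "sha256").hexdigest()
    return {"payload": payload, "sig": sig}


def verify_artifact(artifact: bytes, envelope: dict, key: bytes,
                    trusted_builder: str, expected_repo: str) -> list:
    """Return the list of policy violations; an empty list means accept."""
    payload = envelope["payload"].encode()
    expected_sig = hmac.new(key, payload, "sha256").hexdigest()
    # Without a valid signature nothing in the statement can be trusted, so stop here.
    if not hmac.compare_digest(expected_sig, envelope["sig"]):
        return ["envelope signature invalid: provenance cannot be trusted"]

    statement = json.loads(payload)
    problems = []

    # 1. The artifact we hold must be the one the builder attested to.
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if sha256_hex(artifact) not in digests:
        problems.append("artifact digest does not match any provenance subject")

    # 2. It must have been produced by the trusted build platform ...
    predicate = statement.get("predicate", {})
    builder = predicate.get("builder", {}).get("id")
    if builder != trusted_builder:
        problems.append(f"untrusted builder: {builder!r}")

    # 3. ... from the expected source repository.
    source = predicate.get("invocation", {}).get("configSource", {}).get("uri")
    if source != expected_repo:
        problems.append(f"unexpected source repo: {source!r}")
    return problems


def demo() -> dict:
    """Run the check over a genuine, a tampered, a rogue-built and a forged case."""
    genuine = b"#!/bin/sh\necho upload\n"                      # constructed artifact
    good_env = sign_statement(make_provenance(genuine, TRUSTED_BUILDER, EXPECTED_REPO), BUILDER_KEY)

    tampered = genuine + b"echo extra\n"                        # bytes changed after the build
    rogue = b"#!/bin/sh\necho rebuilt elsewhere\n"
    rogue_env = sign_statement(
        make_provenance(rogue, "https://example.com/builders/laptop", "git+https://example.com/fork/uploader"),
        BUILDER_KEY)
    forged_env = sign_statement(make_provenance(genuine, TRUSTED_BUILDER, EXPECTED_REPO), b"wrong-key")

    check = lambda a, e: verify_artifact(a, e, BUILDER_KEY, TRUSTED_BUILDER, EXPECTED_REPO)
    return {
        "genuine": check(genuine, good_env),
        "tampered": check(tampered, good_env),
        "rogue_build": check(rogue, rogue_env),
        "forged": check(genuine, forged_env),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'ACCEPT' if not result else result}")
```

    The order of the checks matters: the signature is verified before any field is read, because an unsigned or badly signed statement can claim any builder or repository it likes. The tampered case is the one the Codecov quote describes, where the bytes being served no longer match the digest the builder recorded.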


    Biden and Putin spar over cybersecurity, ransomware at Geneva summit

    Ransomware was a major point of discussion for both US President Joe Biden and Russian President Vladimir Putin during their first in-person summit on Wednesday. After the three-hour meeting in Geneva, Switzerland, both leaders held separate press conferences where they hinted at key points of discussions and potential compromise.

    Putin denied that Russia was harboring ransomware groups and refused to answer questions about other cyberattacks. Biden was also vague about what was agreed upon between the two leaders but confirmed that he pressed Putin specifically on the issue of ransomware.

    “I talked about the proposition that certain critical infrastructure should be off limits to attack. Period. By cyber or any other means. I gave them a list, 16 specific entities. 16 defined as critical infrastructure,” Biden said.

    Tom Kellermann, a member of the US Secret Service’s Cyber Investigations Advisory Board, said the 16 entities Biden was referring to were what CISA has defined as “critical infrastructure sectors.”

    Kellermann added that the 16 sectors are chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, materials and waste, transportation systems, water and waste systems.

    All of these sectors have faced dozens of ransomware attacks over the last three years, and Biden said he pushed Putin to understand what the US was going through. He referenced the ransomware attack on Colonial Pipeline, which left parts of the East Coast scrambling for gas for days.

    “I looked at him and said: ‘How would you feel if ransomware took on the pipelines from your oil fields?’ He said: ‘It would matter.’ I pointed out to him that we have significant cyber capability. And he knows it,” Biden said to reporters.

    He went on to say that there were “reputational” consequences to the cyberattacks being leveraged from Russia that Putin was aware of.

    The meeting follows a stern warning that was sent out by the US and other G7 countries on Monday that specifically called out Russia for either launching their own cyberattacks or harboring ransomware organizations. The G7 said Russia needed to “identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cyber crimes.”

    NATO also sent out a statement after the summit in Brussels reaffirming the idea that “the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack.”

    Kellermann, who is also head of cybersecurity strategy at VMware, said the summit was “a seminal moment for civilizing cyberspace” and praised Biden for highlighting the need to protect critical industries.

    “As a result of this delineation, I believe that significant ransomware attacks against major critical infrastructures will diminish now, but possibly increase against traditional corporations, such as in the retail and financial sectors.”

    Many cybersecurity experts said the summit would have little effect on ransomware groups allowed to operate with impunity in a number of countries. But the idea that cybersecurity had reached a level of concern worthy of mention among two world leaders was a positive sign for some.

    “It was an excellent use of the ‘bully pulpit’ to let the world know that cybersecurity matters to America — and specifically the office of the president. We in the cybersecurity world already have an ‘all-hands-on-deck’ mentality — but it’s healthy to see that our concern is now shared in the prism of leadership, outside of our sector,” said YouAttest CEO Garret Grajek.

    Elena Elkina, a partner at privacy and data protection consulting firm Aleada, noted that Putin does not like demands or being told what to do, and she predicted he would respond to Biden’s forceful talk about cyberattacks in a more understated way. “It will be something more tangible that makes obvious his opinion,” she said.

    Cybersecurity researcher Chloé Messdaghi said the summit was just one manifestation of a deeper cyber Cold War that both countries needed to back down from. While the summit was a good start to addressing the problems between both countries, Messdaghi said formalized pacts around cybersecurity would be hard to come by.

    “The reality is that we may never have absolute and effective treaty-level accords on cyberattacks because so much is done by proxy, but each global superpower must strive to prevent chaos within their borders,” Messdaghi added.