Friday, December 20, 2019

Security is the next concern for Crypto exchanges

As those who follow Crediblock know, we’ve been monitoring Crypto for some time.  But 2019 was the year of the hack, so we are thinking that 2020 will be the year of security.  Here are just a few examples of big hacks that happened.  And then there’s the huge example of Upbit, which left investors fed up:

Cryptocurrency exchange UPbit announced today that it lost almost US$50 million worth of ether (ETH) in an apparent security breach.  According to this statement by Lee Seok-woo, the CEO of the exchange’s operator Dunamu, around 342,000 ETH were moved from the platform’s ‘hot wallet’ to this unrecognized wallet today shortly after 1 p.m. local time. Client funds were not affected, said the South Korea-based cryptocurrency exchange.

So we know that security is going to be a big issue if not THE issue in 2020, but what firms are doing something about it?  As we’ve referenced before, there are security companies offering full-stack solutions, like Blackwatch Digital.  But what exchanges are implementing them?  What are the exchanges to watch in 2020?

One notable exchange is ECXX, which has a three-step security protocol that blows 2FA out of the water.  Multiple departments must authorize a withdrawal, similar to military protocols for nuclear missiles (in the US, the President can’t unilaterally start a nuclear war; it takes two other top-ranking generals to agree).  They also use a solid user ID verification system with a proven track record.
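An added example, not code from ECXX or from the original post, of the kind of multi-department withdrawal authorization described above, written in Python. The department names, the destination allowlist and the sample requests are constructed; the check also rejects a destination that is not a registered wallet, the failure mode in the Upbit incident quoted earlier.

```python
# Separation-of-duties gate for hot-wallet withdrawals (constructed example).
# A withdrawal is released only when a distinct approver from each required
# department has signed off, nobody approves their own request, and the
# destination is an address the exchange has previously registered.
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed policy (constructed): three departments must each sign off.
REQUIRED_DEPARTMENTS = frozenset({"treasury", "compliance", "security"})

# Constructed allowlist of destination addresses the exchange has registered.
KNOWN_DESTINATIONS = frozenset({"0xCOLD_STORAGE_01", "0xMARKET_MAKER_07"})


@dataclass(frozen=True)
class Approval:
    approver: str
    department: str


@dataclass
class WithdrawalRequest:
    request_id: str
    requester: str
    amount_eth: float
    destination: str
    approvals: List[Approval] = field(default_factory=list)


def add_approval(req: WithdrawalRequest, approval: Approval) -> None:
    """Record a sign-off, rejecting self-approval and double-counting."""
    if approval.approver == req.requester:
        raise ValueError("requester cannot approve their own withdrawal")
    if approval.department not in REQUIRED_DEPARTMENTS:
        raise ValueError(f"{approval.department!r} is not an approving department")
    if any(a.department == approval.department for a in req.approvals):
        raise ValueError(f"{approval.department} has already approved {req.request_id}")
    if any(a.approver == approval.approver for a in req.approvals):
        raise ValueError(f"{approval.approver} has already approved {req.request_id}")
    req.approvals.append(approval)


def authorize(req: WithdrawalRequest) -> Tuple[bool, List[str]]:
    """Return (released, reasons). Every failing control is reported, not just the first."""
    reasons: List[str] = []
    if req.amount_eth <= 0:
        reasons.append("amount must be positive")
    if req.destination not in KNOWN_DESTINATIONS:
        reasons.append(f"destination {req.destination} is not a registered wallet")
    missing = REQUIRED_DEPARTMENTS - {a.department for a in req.approvals}
    if missing:
        reasons.append("missing approval from: " + ", ".join(sorted(missing)))
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed request: large transfer to an unregistered wallet with one sign-off.
    req = WithdrawalRequest("W-1", "alice", 342000.0, "0xUNKNOWN_WALLET")
    add_approval(req, Approval("bob", "treasury"))
    print(authorize(req))  # blocked: unknown destination and two departments missing
```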

Based in Singapore, ECXX is one to watch out for in 2020.  Binance was hacked recently and has been buying up the Crypto industry (a strategy similar to large cap technology companies).

So it’s only reasonable that ECXX would be snapped up next. 

It seems like security is going to be the big concern for the Crypto community in 2020, and perhaps for the coming years as well.  But the biggest issue that companies face isn’t implementing a good security protocol; it’s finding trustworthy employees, which will be hard in Asia.  It has been known for years that the majority of hacks come from an inside threat, and although this number keeps falling, it is still quite large.


The majority (70%) of organizations are seeing insider attacks more frequently, with 60% experiencing at least one attack within the past 12 months, according to the Nucleus Cyber 2019 Insider Threat Report, conducted with Cybersecurity Insiders, released on Thursday. 
The report surveyed 400,000 members of the Cybersecurity Insiders community to determine how prevalent email attacks are in the cyber threat landscape. Some 68% of respondents reported feeling "extremely to moderately" vulnerable to them, and 85% said it's difficult to fully see the damage caused from each attack. 
One mistake that many Crypto exchanges have made is assuming that Crypto is somehow different from I.T. – or in other words, that traditional threats do not apply.  Exchanges have firewalls, Windows machines, networks, routers, and employees.  Exchanges do not live inside their own world – they are part of the world that you and I are part of.  This systemic (Cybernetics) thinking has not ‘trickled down’ to most of the exchanges, which is why we are seeing the hacks.  Basic I.T. and security hygiene would have prevented 90% of these Crypto attacks.

In other words, it’s not the Blockchain being hacked – that’s possible but very complex.  Hackers are using the tried and true methods of phishing, brute force attacks, and other methods that have been used since the 90s. 

Various security companies have sprung up proposing a ‘Blockchain’ solution to security, when having secure protocols, as pioneered by ECXX, is sufficient.

So we’ll be watching ECXX closely in 2020, and look forward to seeing more security developments in a space plagued with fraud and hacks.

Thursday, December 19, 2019

Traders Got Head Start on Bank of England News Conferences

The Bank of England shut down an audio feed of market-sensitive information after it was used to offer some traders a competitive time advantage.
The feed supplies investors and central-bank watchers with audio from the news conferences by Gov. Mark Carney in the minutes after interest-rate decisions are published. Small changes in language from bank officials on the future path of interest rates can often move the pound or U.K. government bonds.
The audio feed, meant to be a backup to the main audio and video feed provided by Bloomberg LP, has been “misused by a third-party supplier to the Bank since earlier this year to supply services to other external clients,” the central bank said in a statement, without identifying the supplier.
Traders have long sought to gain access to market-sensitive information as quickly as possible, and the rise of electronic and algorithmic trading has made such information even more valuable.
The bank, which also didn’t identify the clients who received the information from the backup-audio supplier, said it was in the dark about the alleged misuse. “This wholly unacceptable use of the audio feed was without the Bank’s knowledge or consent,” the central bank said.
Statisma News and Data Ltd., an audio-delivery technology company, says on its website that it has covered public events in the U.K. since 2010 including Bank of England news conferences. It said in a statement published on its website Thursday, “We DO NOT carry embargoed information and we DO NOT release information without it first being made available to the public.” A Statisma spokesman couldn’t be reached for further comment.
On April 29, a tweet from an account linked to Statisma’s website enticed customers to watch government news conferences through its feed. “Hear the news first…up to 10 seconds faster than watching them live on TV,” the tweet said. The tweet appears to have been taken down Thursday.
A screenshot of an April tweet from an account linked to Statisma's website that appears to have been taken down Thursday.
Another tweet, posted Nov. 7, the same day that Mr. Carney was set to speak, said, “Sign up for a free trial at statisma.com to hear him first.”
A YouTube account that purported to be from Statisma News posted videos of Bank of England press conferences along with links to charts showing how the pound moved when Mr. Carney was speaking. This included a news conference on August 2, 2018, the day the bank raised interest rates for only the second time in a decade.
Statisma’s website said it is a unit of Encoded Media Ltd. Encoded Media describes itself as a media streaming company, founded in 2003, with the original aim of serving the finance industry. The companies share common directors according to U.K. corporate filings. Encoded executives couldn’t be reached for comment.
The Bank of England declined to comment on Statisma’s statement or on the social media posts from the @StatismaComms Twitter account. The monetary authority said Thursday it had referred the case to the Financial Conduct Authority, the U.K.’s market watchdog. Any misuse of the feed would likely fall foul of market abuse regulations, a person familiar with the FCA’s oversight role said.
The European Central Bank appears to have run into a similar issue. In September it started providing a low-latency or ultrafast audio feed of its press conferences, after the bank discovered that some companies were trying to sell access to a faster feed than the official video webcast, which has a delay of about 30 seconds. Audio-only feeds tend to be faster than video.
The new ECB audio feed has a delay of about three seconds, to help ensure a level playing field for listeners, an ECB spokesman said.
The Bank of England holds its news conferences at its fortresslike headquarters in the City of London. Reporters given access to rate decisions ahead of time are held in a “lock in” in the basement without internet access. After the decision is released, reporters move upstairs to an auditorium where the press conference takes place.
The press briefings often offer more detail and nuance than the official statements published on the central bank’s website. There are also question-and-answer sessions where policy makers at the BOE, including Mr. Carney, give more spontaneous responses which have the potential to move markets.
“Having information a few seconds early—where fractions of a second make a difference—could be hugely advantageous,” said Ben Watford, partner and head of hedge funds at global law firm Eversheds Sutherland.
In 2017, the U.K. government restricted how it distributed economic data to markets after The Wall Street Journal documented how the information was leaking to traders before publication.
Central banks, including the U.S. Federal Reserve, have also come under criticism in recent years for giving preferential access to big investors, who can glean future policy decisions from the meetings.
The Fed said Thursday that it “aims to make its press conferences available as widely as possible by streaming them live directly to the public and through accredited news organizations,” according to a spokesman. “We only use systems that are open for broad distribution,” he said.
The Fed has a pool arrangement with three news organizations. One of them at a time is allowed to attend a press conference and broadcast live, sharing the footage with the others for distribution.
The Fed doesn’t have a separate audio-only feed.
Information leaks at central banks don’t occur often but are potentially consequential when they do.
Several years ago, the Federal Reserve mistakenly emailed market-sensitive minutes of a monetary-policy meeting to a group of people, including investors, a full day before the document was scheduled to be released to the public.
In 2017, Federal Reserve Bank of Richmond President Jeffrey Lacker resigned after revealing his involvement in a 2012 leak of confidential information about Fed policy deliberations.
The alleged breach comes at a sensitive time for the Bank of England. Mr. Carney is set to step down at the end of January after serving in the job since 2013. While generally respected for his handling of monetary policy, he has also drawn sharp criticism from investors and politicians for what some say have been overly pessimistic predictions about the effects of Brexit on the economy.
Boris Johnson’s incoming government, fresh off last week’s election victory, has yet to name a successor.
Write to Anna Isaac at anna.isaac@wsj.com

Wednesday, December 18, 2019

Bank Of England "Hijacked" Audio Feed Was Used To Secretly Leak Confidential Information To Hedge Funds

Over the past few years there had been numerous allegations in both the trading community and among the media that critical UK data releases were being mysteriously leaked ahead of time. Back in 2017, Reuters reported that "unusual sterling moves often precede UK data releases", explaining that "on eight occasions over the past 12 months, the pound has moved against the dollar in the minutes before the release of the retail sales numbers, correctly anticipating the direction the currency took once the figures were published" adding that "this has been true even when the retail sales data have gone against the Reuters poll market consensus, leading to speculation among traders about the possibility of leaks of the information before its official publication."
One such example took place on Feb. 17, 2017 when sterling fell by around 20 ticks to $1.2440 in the space of around 15 seconds, around three minutes before the release of the numbers for January. When the figures were published by the ONS, they showed sales had been much weaker than economists had expected, sending sterling down further.
A similar pattern was found to have occurred in seven of the other 12 months for which Reuters analyzed trading data. The moves in sterling were most notable in January, November, October, July and April as well as in February. In five of those months, the official figures were significantly weaker or stronger than forecasts by economists.
Foreign exchange traders posted messages on Twitter saying they believed that the data had been leaked ahead of time, a regular refrain after the monthly retail sales figures.
David Woolcock, chair of the committee of professionalism at the Association Cambiste Internationale Financial Markets Association, a body representing foreign exchange dealers, said his review of the analysis suggested either that some investors were very good at predicting what the data would show, or that it was being leaked.
“Looking at the charts shown to me by Thomson Reuters it seems evident that either a very close correlation in private/public data has been discovered that is allowing traders to pre-position ahead of publication or a leak of the numbers is occurring,” he said.
A separate analysis by the Wall Street Journal of 207 releases of British inflation, industrial production and labor market data, showed that on 59.5% of occasions British government bond futures moved ahead of the data in what proved to be the right direction, confirming that someone was indeed leaking - and trading on - market-moving information ahead of its scheduled release time.  Alexander Kurov, an associate professor of finance at West Virginia University who conducted the analysis for the Wall Street Journal, told the newspaper it was “very unlikely that we are looking at a random pattern.”
But where was the leak taking place? As the WSJ noted, the ONS provides a preview of the retail sales figures before their publication to 41 people at the Bank of England, the business ministry, Cabinet Office, Downing Street and the Treasury. Those people had access to the data 24 hours ahead of publication.
Meanwhile, as part of the now infamous reporter "lock up", around a dozen journalists from news agencies including Reuters have access to the data around 40 minutes ahead of publication to help them prepare articles ready to go when the data hits the feed. However, they are only given the information in a locked room without Internet or phone access and under the supervision of ONS staff.
It now appears that we know who the culprit was.
In a press release issued late on Wednesday, the Bank of England said that following concerns raised with the Bank, "we have recently identified that an audio feed of certain of the Bank press conferences - installed only to act as a back-up in case the video feed failed - has been misused by a third party supplier to the Bank since earlier this year to supply services to other external clients."
"This wholly unacceptable use of the audio feed was without the Bank’s knowledge or consent, and is being investigated further", the central bank said.
The BOE's shocking admission was in response to a report earlier in the day by the Times, according to which hedge funds had been eavesdropping on the Bank of England’s press conferences before they are officially broadcast after its internal systems were "hijacked."
As the BOE has since confirmed, the Times report alleged that the central bank has discovered that one of its suppliers has been sending "an audio feed of its press conferences to high-speed traders who hope to profit by acting on the governor’s comments before the rest of the world."
While the company that was behind the audio feed hijacking was not named, "the third-party supplier is understood to be connected to a market news service that promises clients will gain an edge over rival traders in a field where getting information microseconds before others can generate huge profits." While the Bank’s official video feed of press conferences is managed by Bloomberg, the Bank employed contractors to install a separate back-up audio feed several years ago in case the video feed went down. It was never intended to be used by an outsider unless the video failed, and yet for an unknown number of HFTs, it became the primary source of information, and countless profits.
While the BoE said that the gross insider trading started "earlier this year", according to the Times the supplier had been hijacking the audio feed since "at least the start of this year", which means the leaks could have been going on for years, and the feed was meant to provide the service to one of its other companies. That service is then sold on to high-speed companies, giving client traders an invaluable edge over everyone when it comes to the most market-moving of events. According to the Times, since audio is easier to compress than video, hijacking the backup feed gave paying clients a five to eight-second head start on the rest of the market; in other words, a license to print money in violation of every insider trading rule known to man.
The Bank said that it had “disabled the third-party supplier’s access”. A spokesman added: “This wholly unacceptable use of the audio feed was without the Bank’s knowledge or consent, and is being investigated further”.
Since UK data leaks had been known for almost three years, it's about time the BOE finally realized that it itself was the source of the leaks. As for the company intermediating all of this, we are confident that they have already moved their money to a non-extradition jurisdiction. The unnamed market news service selling these feeds charged between £2,500 and £5,000 per press conference for each client, in addition to a subscription fee.
The revelation that the Bank of England’s systems were abused to give HFT traders an advantage over everyone else will be a huge embarrassment because one of the bank's roles is to support fair and efficient markets. BOE head Mark Carney is due to leave the Bank on January 31 and will become the United Nations special envoy for climate action and finance on a token $1 a year for the part-time role. His successor could be announced as soon as tomorrow.
While the news may explain why there were no allegations of any information leaks ahead of the latest BOE report, it also explains why there have been recurring instances of clients trading on what appears to be inside information, and it now appears the BOE itself was the culprit.
And while the BOE may finally be cracking down on insider trading, after an unknown set of clients has already made millions if not billions in illicit profits, consider that high-speed audio services are also offered for press conferences at the ECB, the Fed and the Bank of Canada. Just how much money was made by hedge funds who had found a way to hijack backup feeds at all these central banks? We doubt we will ever find out, especially if the central bankers in question plan on ending up as employees of said hedge funds after their tenure is completed. It almost makes one wonder what "quid pro quo" helped propel former Fed chair Ben Bernanke to the role of senior advisor at the world's foremost HFT operation, Ken Griffin's Citadel.

Tuesday, December 17, 2019

Google has fired another worker-activist

Google has fired another worker-activist: Kathryn Spiers. Spiers, who worked on the platform security team, was generally tasked with writing code for browser notifications to automatically notify employees of guidelines and company policies while surfing the web.
According to Spiers, Google fired her because she created a browser notification to educate her colleagues about their labor rights. What prompted Spiers to create the tool was the news of Google working with a union-busting firm, as well as Google’s alleged retaliation against employees for organizing.
The notification read, “Googlers have the right to participate in protected concerted activities.”
“Over my time at Google, I saw people go from full trust in Google — always giving them the benefit of the doubt — to [Google] using blanket excuses to target workers,” Spiers told TechCrunch. “The company has lost that sentiment from workers, and have repeatedly taken actions to reduce trust in Google, and as I said in my blog, ‘A less transparent Google is a less trustworthy Google.’ ”
In response to Spiers’ browser tool, Google allegedly suspended Spiers without warning. This happened the same day Google fired the Thanksgiving Four, who say Google fired them for organizing. Spiers says Google interrogated her three separate times about organizing activities and if she had any intention to disrupt the workplace.
“The interrogations were extremely aggressive and illegal,” she wrote on Medium. “They wouldn’t let me consult with anyone, including a lawyer, and relentlessly pressured me to incriminate myself and any coworkers I had talked to about exercising my rights at work.”
Fast forward to Friday, December 13, and Google terminated her for violating the company’s security policies.
“We dismissed an employee who abused privileged access to modify an internal security tool,” a Google spokesperson told TechCrunch. “This was a serious violation.”
Now, Spiers is working with a lawyer to file an unfair labor practice claim. In the claim filed with the National Labor Relations Board, her lawyers state that Google’s interrogation and termination of her “was done to attempt to quell Spiers and other employees from asserting their right to engage in concerted protected activities.”
As she outlined on Medium, other Google employees have modified code to make their jobs easier, and to share hobbies or interests. She also pointed to how, during the walkouts last year, someone changed the default desktop wallpaper to the Linux penguin holding a protest sign.
“The company has never reacted aggressively in response to a notification such as this in the past,” Spiers wrote. “It’s always been a celebrated part of the culture.”
Kathryn Spiers

This all comes after the Thanksgiving Four filed a complaint with the National Labor Relations Board, arguing Google fired them for organizing, which is a protected activity. In November, Google put Rebecca Rivers and Laurence Berland on leave for allegedly violating company policies. At the time, Google said one had searched for and shared confidential documents that were not pertinent to their job, and one had looked at the individual calendars of some staffers. Following a protest in support of the two, Rivers and Berland, along with two other employees, were fired.
The Thanksgiving Four all organized around a variety of topics, including Google’s treatment of its temporary, vendor and contractor workers, Google’s alleged retaliation against employees who organized, the company’s work with Customs and Border Protection and more.
Spiers similarly organized around a variety of issues. In her first week at Google, she signed the letter demanding Google not renew its military drone contract. She has also organized around Google’s relationship with CBP.
“Google should not be helping CBP enforce racist and xenophobic immigration policy,” Spiers said. “I posted some comments internal to Google about its relationship with CBP, which were removed by the community moderation team.”
Since the walkout last year, a number of employees have reported retaliation from Google in light of organizing. Meredith Whittaker and Claire Stapleton, two key organizers of the walkouts, reported retaliation. Both Whittaker and Stapleton have since left Google on their own terms.