Sep. 10, 2018
Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network. In a tweet, Zerodium said the vulnerability is a full bypass of the ‘Safest’ security level of the NoScript extension that’s included by default with all Tor Browser distributions. NoScript is a browser extension that uses a whitelist approach to let the user decide from what domains the browser can execute JavaScript, Flash, Java, or Silverlight content.
Sep. 9, 2018
New technology is making surveillance cameras more powerful than ever. Such systems are often developed away from the public eye, as detailed in a new report showing how IBM worked with the NYPD to create software that could search CCTV footage for individuals based on their skin tone. IBM’s software, with features such as searching for individuals based on age, gender, and skin tone, was reportedly developed and tested on surveillance cameras run through the Lower Manhattan Security Initiative (pictured).
Sep. 9, 2018
Over the last few years, there’s been a lot of projects, both public and private, that are attempting to create a next-generation blockchain or something better than Satoshi’s Bitcoin. A great majority of these projects have condemned proof-of-work (PoW) cryptocurrencies because they think they waste resources, and many of these new blockchains have chosen to use a proof-of-stake (PoS) system. However, PoS has many flaws and introduces a distribution process that advocates an ugly planned economy that’s propagated by ancient thinking and basically the old banking system.
Sep. 5, 2018
Bittrex, one of the largest cryptocurrency exchange platforms, has delisted Bitcoin Gold (BTG) from its trading platform over the weekend after BTG maintainers declined to pay half of the damages Bittrex suffered during a complex multi-stage cyber-attack earlier this year. According to a statement from the BTG team, Bittrex asked the BTG team to pay 12,372 BTG (~$256,000) as reparations for the attacks. BTG maintainers said they did all that was possible on their end to help trading platforms prevent the attacks, but they did not have the legal power to intervene inside a private company like Bittrex.
Sep. 4, 2018
Vitalik Buterin, Zoë Hitzig and E. Glen Weyl yesterday released their paper Liberal Radicalism: Formal Rules for a Society Neutral among Communities. As prior readers will know, I tend to break down whitepapers I suspect most of the community won’t have the time or inclination to do. This falls squarely in that bracket given it is self-admittedly ‘strange’ and weighs in at a healthy 41 pages.
Sep. 4, 2018
There are free-riders in the cryptocurrency ecosystem. At least, that’s the contention of a new paper, shared with CoinDesk on Monday, written by ethereum founder Vitalik Buterin, Microsoft researcher Glen Weyl and Ph.D. of economics at Harvard, Zoë Hitzig. And free-riders pose a problem.
Described in the paper, free-riders are people or businesses that profit from the under-provision of public goods. And, on top of that, ‘the more people [these public goods] benefit the more they will be under-provided.’ It’s an issue that plagues development even outside the cryptocurrency space, but the authors are – at least – initially focused on how the idea creates harmful incentives for the funding of blockchain projects.
Sep. 4, 2018
Mysterious movements from the original Silk Road wallet suggest that the US government is cashing out on the Bitcoin gradually. The Silk Road market may be dead—we actually checked just to see if it came back somehow—but its wallet appears to be alive. Over a billion dollars in Bitcoin are being moved from several wallets that are all tied to the supposed original Silk Road cold storage wallet.
Sep. 4, 2018
The Ethereum community got curious and agitated after Tech Crunch published an article on Ethereum titled ‘collapse of ETH is inevitable’. A number of questions and doubts popped up, and to answer them all co-founder Vitalik Buterin wrote a post giving his view on it. Surprisingly, he agrees that the ‘collapse of ETH is inevitable’, at least for now.
Cryptocurrency entrepreneur Jeremy Rubin wrote the Tech Crunch article arguing that the price of ETH is bound to plummet. Vitalik Buterin, agreeing with the piece, wrote on Reddit, “In Ethereum as it presently exists, this is absolutely true.” Buterin further added, “[A]nd in fact if Ethereum were not to change, all parts of the author’s argument […] would be correct.”
Aug. 28, 2018
A new EOS bug has been discovered that allows users to use malicious code to steal RAM, which is a scarce resource in the EOS blockchain. EOS, the fifth-largest cryptocurrency in terms of capitalization, has made headlines in connection with a new issue: a bug that allows stealing resources directly from a user.
The resource in question is RAM, which is valuable in the EOS blockchain due to its scarcity. EOS is working on solving the issue and has provided a temporary fix in the meantime. The EOS blockchain aims to be a decentralized operating system and to allow the running of decentralized applications and smart contracts.
Aug. 28, 2018
I’m a big fan of Prometheus and Grafana. As a former SRE at Google I’ve learned to appreciate good monitoring, and this combination has been a winner for me over the past year. I’m using them for monitoring my personal servers (both black-box and white-box monitoring), for the Euskal Encounter external and internal event infra, for work I do professionally for clients, and more.
Aug. 25, 2018
I regularly search for vulnerabilities on big services that allow it and have a Bug Bounty program. Here is my first paper which covers a vulnerability I discovered on one of Facebook’s servers. While scanning an IP range that belongs to Facebook (199.201.65.0/24), I found a Sentry service hosted on 199.201.65.36, with the hostname sentryagreements.thefacebook.com.
Sentry is a log collection web application, written in Python with the Django framework. While I was looking at the application, some stacktraces regularly popped up on the page, for an unknown reason. The application seemed to be unstable regarding the user password reset feature, which occasionally crashed.
Aug. 8, 2018
Police in Florida have arrested a 25-year-old man accused of being part of a multi-state cyber fraud ring that hijacked mobile phone numbers in online attacks that siphoned hundreds of thousands of dollars worth of bitcoin and other cryptocurrencies from victims. The following month, Michigan authorities found the same individual accessing personal consumer data via public Wi-Fi at a local library, and seized 45 SIM cards, a laptop and a Trezor wallet — a hardware device designed to store cryptocurrency account data. In April 2018, the mom again called the cops on her son — identified only as confidential source #1 (“CS1”) in the criminal complaint — saying he’d obtained yet another mobile phone.
Aug. 8, 2018
In the past month, we have observed additional BGP hijacks of authoritative DNS servers with a technique similar to what was used in April. This time the targets included US payment processing companies. In April 2018, we detailed a brazen BGP hijack of Amazon’s authoritative DNS service in order to redirect users of a crypto currency wallet service to a fraudulent website ready to steal their money.
Jul. 13, 2018
This week, the start-up said that a wallet being used to ‘upgrade’ smart contracts was compromised. This wallet was then used to withdraw $12.5 million in Ethereum (ETH), alongside $1 million in Pundi X (NPXS) and $10 million in Bancor Network Tokens (BNT). Bancor says that once the compromised wallet was identified the company was able to mitigate the damage by freezing the transfer of BNT, bringing the cost down to roughly $13.5 million.
Jul. 13, 2018
A jury trial found a former engineer at a Navy contractor guilty of stealing trade secrets regarding Navy projects by uploading the files to his personal Dropbox account. The man, Jared Dylan Sparks, 35, of Ardmore, Oklahoma, worked as an electrical engineer for LBI, Inc., a company authorized to build unmanned underwater vehicles (drones) for the US Navy’s Office of Naval Research, and weather data-gathering buoys for the National Oceanic and Atmospheric Administration (NOAA). Sparks worked for LBI from January 2010 to December 2011, when he left for a similar position at Charles Rivers Analytics (CRA), another Navy contractor.
Jul. 13, 2018
The following is intended to provide technical details for those with interest in the specifics of the information security incident Timehop has experienced. It is also to be transparent about what has happened, and correct some earlier inaccuracies. There are still some highly specific details we are withholding about an incident that remains the subject of ongoing investigations.
Source: timehop.com
Jul. 13, 2018
A hacker has gained access to a developer’s npm account and injected malicious code into a popular JavaScript library, code that was designed to steal the npm credentials of users who utilize the poisoned package inside their projects. The JavaScript (npm) package that got compromised is called eslint-scope, a sub-module of the more famous ESLint, a JavaScript code analysis toolkit. The hack took place on the night between July 11 and 12, according to the results of a preliminary investigation posted on GitHub a few hours ago.
Jul. 13, 2018
We found the full story in what’s called the Sentencing Position document filed by the United States of America in its federal court case against Theresa Tetley, aka the “Bitcoin Maven”. The Bitcoin Maven (a maven, in case you are wondering, is an expert or connoisseur) had already pleaded guilty to money laundering charges relating to bitcoins; this time she was back in court to be sentenced. Simply put, Tetley did indeed buy bitcoins for hard cash, according to the prosecutors.
Jul. 7, 2018
A team of academics from the University of California, Irvine (UCI), have presented a type of attack that could enable a malefactor to retrieve sensitive information you entered via your keyboard – possibly up to a minute after you typed it. The researchers had 30 users enter 10 different passwords, both strong and weak, on four common external keyboards. Using a thermal imaging camera, the researchers then scanned the residual heat left on the recently-pressed keys.