Posts


Sep. 10, 2018

Exploit vendor drops Tor Browser zero-day on Twitter

Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network. In a tweet, Zerodium said the vulnerability is a full bypass of the ‘Safest’ security level of the NoScript extension that’s included by default with all Tor Browser distributions. NoScript is a browser extension that uses a whitelist approach to let the user decide from what domains the browser can execute JavaScript, Flash, Java, or Silverlight content.

Sep. 9, 2018

IBM secretly used New York’s CCTV cameras to train its surveillance software

New technology is making surveillance cameras more powerful than ever. Such systems are often developed away from the public eye, as detailed in a new report showing how IBM worked with the NYPD to create software that could search CCTV footage for individuals based on their skin tone. IBM’s software, with features like searching for individuals based on age, gender, and skin tone, was reportedly developed and tested on surveillance cameras run through the Lower Manhattan Security Initiative (pictured).

Sep. 9, 2018

Proof-of-Stake is a Rebranded Version of the Old Financial System

Over the last few years, there have been many projects, both public and private, that are attempting to create a next-generation blockchain or something better than Satoshi’s Bitcoin. A great majority of these projects have condemned proof-of-work (PoW) cryptocurrencies because they think they waste resources, and many of these new blockchains have chosen to use a proof-of-stake (PoS) system. However, PoS has many flaws and introduces a distribution process that advocates an ugly planned economy that’s propagated by ancient thinking and basically the old banking system.

Sep. 5, 2018

Bitcoin Gold delisted from major cryptocurrency exchange after refusing to pay hack damages

Bittrex, one of the largest cryptocurrency exchange platforms, has delisted Bitcoin Gold (BTG) from its trading platform over the weekend after BTG maintainers declined to pay half of the damages Bittrex suffered during a complex multi-stage cyber-attack earlier this year. According to a statement from the BTG team, Bittrex asked the BTG team to pay 12,372 BTG (~$256,000) as reparations for the attacks. BTG maintainers said they did all that was possible on their end to help trading platforms prevent the attacks, but they did not have the legal power to intervene inside a private company like Bittrex.

Sep. 4, 2018

Liberal Radicalism: Breaking down Buterin, Hitzig and Weyl’s paper

Vitalik Buterin, Zoë Hitzig and E. Glen Weyl yesterday released their paper Liberal Radicalism: Formal Rules for a Society Neutral among Communities. As prior readers will know, I tend to break down whitepapers I suspect most of the community won’t have the time or inclination to read. This falls squarely in that bracket given it is self-admittedly ‘strange’ and weighs in at a healthy 41 pages.

Sep. 4, 2018

There’s a Problem With Crypto Funding – And Vitalik Just Might Have a Solution

There are free-riders in the cryptocurrency ecosystem. At least, that’s the contention of a new paper, shared with CoinDesk on Monday, written by ethereum founder Vitalik Buterin, Microsoft researcher Glen Weyl and Harvard economics Ph.D. Zoë Hitzig. And free-riders pose a problem.

As described in the paper, free-riders are people or businesses that profit from the under-provision of public goods. And, on top of that, ‘the more people [these public goods] benefit the more they will be under-provided.’ It’s an issue that plagues development even outside the cryptocurrency space, but the authors are – at least – initially focused on how the idea creates harmful incentives for the funding of blockchain projects.

Sep. 4, 2018

Almost $1B in Bitcoin Moved Around in Silk Road Wallet Addresses

Mysterious movements from the original Silk Road wallet suggest that the US government is cashing out on the Bitcoin gradually. The Silk Road market may be dead—we actually checked just to see if it came back somehow—but its wallet appears to be alive. Over a billion dollars in Bitcoin are being moved from several wallets that are all tied to the supposed original Silk Road cold storage wallet.

Sep. 4, 2018

Ethereum co-founder Vitalik Buterin speaks on ‘collapse of ETH’

The Ethereum community got curious and agitated after Tech Crunch published an article on Ethereum titled ‘collapse of ETH is inevitable’. A number of questions and doubts popped up, and to answer them co-founder Vitalik Buterin wrote a post giving his view of the matter. Surprisingly, he agrees that the ‘collapse of ETH is inevitable’, at least for now.

Cryptocurrency entrepreneur Jeremy Rubin wrote the Tech Crunch article arguing that the price of ETH is bound to plummet. Vitalik Buterin, agreeing with the piece, wrote on Reddit, “In Ethereum as it presently exists, this is absolutely true.” Buterin further added, “[A]nd in fact if Ethereum were not to change, all parts of the author’s argument […] would be correct.”

Aug. 28, 2018

New EOS Bug Steals Resources Directly From Users

A new EOS bug has been discovered that allows users to use malicious code to steal RAM, which is a scarce resource in the EOS blockchain. EOS, the fifth-largest cryptocurrency in terms of capitalization, has made headlines in connection with this new issue, which allows resources to be stolen directly from a user.

The resource in question is RAM, which is valuable in the EOS blockchain due to its scarcity. EOS is working on solving the issue and has provided a temporary fix in the meantime. The EOS blockchain aims to be a decentralized operating system and to allow the running of decentralized applications and smart contracts.

Aug. 28, 2018

Debugging an evil Go runtime bug

I’m a big fan of Prometheus and Grafana. As a former SRE at Google I’ve learned to appreciate good monitoring, and this combination has been a winner for me over the past year. I’m using them for monitoring my personal servers (both black-box and white-box monitoring), for the Euskal Encounter external and internal event infra, for work I do professionally for clients, and more.

Aug. 25, 2018

Remote Code Execution on a Facebook server

I regularly search for vulnerabilities on big services that allow it and have a Bug Bounty program. Here is my first paper which covers a vulnerability I discovered on one of Facebook’s servers. While scanning an IP range that belongs to Facebook (199.201.65.0/24), I found a Sentry service hosted on 199.201.65.36, with the hostname sentryagreements.thefacebook.com.

Sentry is a log collection web application, written in Python with the Django framework. While I was looking at the application, some stacktraces regularly popped on the page, for an unknown reason. The application seemed to be unstable regarding the user password reset feature, which occasionally crashed.

Aug. 8, 2018

Florida Man Arrested in SIM Swap Conspiracy

Police in Florida have arrested a 25-year-old man accused of being part of a multi-state cyber fraud ring that hijacked mobile phone numbers in online attacks that siphoned hundreds of thousands of dollars worth of bitcoin and other cryptocurrencies from victims. The following month, Michigan authorities found the same individual accessing personal consumer data via public Wi-Fi at a local library, and seized 45 SIM cards, a laptop and a Trezor wallet — a hardware device designed to store cryptocurrency account data. In April 2018, the mom again called the cops on her son — identified only as confidential source #1 (“CS1”) in the criminal complaint — saying he’d obtained yet another mobile phone.

Aug. 8, 2018

BGP / DNS Hijacks Target Payment Systems

In the past month, we have observed additional BGP hijacks of authoritative DNS servers using a technique similar to what was used in April. This time the targets included US payment processing companies. In April 2018, we detailed a brazen BGP hijack of Amazon’s authoritative DNS service in order to redirect users of a cryptocurrency wallet service to a fraudulent website ready to steal their money.

Jul. 13, 2018

Another hack rocks cryptocurrency trading: Bancor loses $13.5 million

This week, the start-up said that a wallet being used to ‘upgrade’ smart contracts was compromised. This wallet was then used to withdraw $12.5 million in Ethereum (ETH), alongside $1 million in Pundi X (NPXS) and $10 million in Bancor Network Tokens (BNT). Bancor says that once the compromised wallet was identified the company was able to mitigate the damage by freezing the transfer of BNT, bringing the cost down to roughly $13.5 million.

Jul. 13, 2018

Engineer Found Guilty for Stealing Navy Secrets via Dropbox Account

A jury trial found a former engineer at a Navy contractor guilty of stealing trade secrets regarding Navy projects by uploading the files to his personal Dropbox account. The man, Jared Dylan Sparks, 35, of Ardmore, Oklahoma, worked as an electrical engineer for LBI, Inc., a company authorized to build unmanned underwater vehicles (drones) for the US Navy’s Office of Naval Research, and weather data-gathering buoys for the National Oceanic and Atmospheric Administration (NOAA). Sparks worked for LBI from January 2010 to December 2011, when he left for a similar position at Charles Rivers Analytics (CRA), another Navy contractor.

Jul. 13, 2018

Timehop security breach

The following is intended to provide technical details for those with interest in the specifics of the information security incident Timehop has experienced. It is also to be transparent about what has happened, and correct some earlier inaccuracies. There are still some highly specific details we are withholding about an incident that remains the subject of ongoing investigations.

Source: timehop.com

Jul. 13, 2018

Compromised JavaScript Package Caught Stealing npm Credentials

A hacker has gained access to a developer’s npm account and injected malicious code into a popular JavaScript library, code that was designed to steal the npm credentials of users who utilize the poisoned package inside their projects. The JavaScript (npm) package that got compromised is called eslint-scope, a sub-module of the more famous ESLint, a JavaScript code analysis toolkit. The hack took place on the night between July 11 and 12, according to the results of a preliminary investigation posted on GitHub a few hours ago.

Jul. 13, 2018

“Bitcoins for cash in bags” trader gets 12 months in prison

We found the full story in what’s called the Sentencing Position document filed by the United States of America in its federal court case against Theresa Tetley, aka the “Bitcoin Maven”. The Bitcoin Maven (a maven, in case you are wondering, is an expert or connoisseur) had already pleaded guilty to money laundering charges relating to bitcoins; this time she was back in court to be sentenced. Simply put, Tetley did indeed buy bitcoins for hard cash, according to the prosecutors.

Jul. 7, 2018

Attackers could use heat traces left on keyboard to steal passwords

A team of academics from the University of California, Irvine (UCI), has presented a type of attack that could enable a malefactor to retrieve sensitive information you entered via your keyboard – possibly up to a minute after you typed it. The researchers had 30 users enter 10 different passwords, both strong and weak, on four common external keyboards. Using a thermal imaging camera, the researchers then scanned the residual heat left on the recently pressed keys.