Blockchain’s Once-Feared 51% Attack Is Now Becoming Regular among smaller coins

Monacoin, bitcoin gold, zencash, verge and now, litecoin cash.

At least five cryptocurrencies have recently been hit with an attack that used to be more theoretical than actual, all in the last month. In each case, attackers have been able to amass enough computing power to compromise these smaller networks, rearrange their transactions and abscond with millions of dollars in an effort that’s perhaps the crypto equivalent of a bank heist.

More surprising, though, may be that so-called 51% attacks are a well-known and dangerous cryptocurrency attack vector.

While there have been some instances of such attacks working successfully in the past, they haven’t exactly been all that common. They’ve been so rare, some technologists have gone as far as to argue miners on certain larger blockchains would never fall victim to one. The age-old (in crypto time) argument? It’s too costly and they wouldn’t get all that much money out of it.

But that doesn’t seem to be the case anymore.

NYU computer science researcher Joseph Bonneau released research last year featuring estimates of how much money it would cost to execute these attacks on top blockchains by simply renting power, rather than buying all the equipment.

One conclusion he drew? These attacks were likely to increase. And, it turns out he was right.

“Generally, the community thought this was a distant threat. I thought it was much less distant and have been trying to warn of the risk,” he told CoinDesk, adding:

“Even I didn’t think it would start happening this soon.”

Inside the attacks

Stepping back, cryptocurrencies aim to solve a long-standing computer science issue called the “double spend problem.”

Essentially, without creating an incentive for computers to monitor and prevent bad behavior, messaging networks were unable to act as money systems. In short, they couldn’t prevent someone from spending the same piece of data five or even 1,000 times at once (without trusting a third party to do all the dirty work).

That’s the entire reason they work as they do, with miners (a term that denotes the machines necessary to run blockchain software) consuming electricity and making sure no one’s money is getting stolen.

To make money using this attack vector, hackers need a few pieces to be in place. For one, an attacker can’t do anything they want when they’ve racked up a majority of the hashing power. But they are able to double spend transactions under certain conditions.

It wouldn’t make sense to amass all this expensive hashing power to double spend a $3 transaction on a cup of coffee. An attacker will only benefit from this investment if they’re able to steal thousands or even millions of dollars.

As such, hackers have found various clever ways of making sure the conditions are just right to make them extra money. That’s why attackers of monacoin, bitcoin gold, zencash and litecoin cash have all targeted exchanges holding millions in cryptocurrency.

By amassing more than half of the network’s hashing power, the bitcoin gold attacker was able to double spend two very expensive transactions sent to an exchange.

Through three successful attacks on zencash (a lesser-known cryptocurrency that’s a fork of a fork of privacy-minded Zcash), the attacker was able to run off with more than 21,000 zen (the zencash token) worth well over $500,000 at the time of writing.

The attack on verge was a bit different, though, since the attacker exploited insecure rules to confuse the network into giving him or her money. Though it’s clear the attacks targeted verge’s lower protocol layer, researchers are debating whether they technically constitute 51% attacks.

Small coins at risk

But, if these attacks were uncommon for such a long time, why are we suddenly seeing a burst of them?

In conversation with CoinDesk, researchers argued there isn’t a single, clear reason. Rather, there are a number of factors that likely contributed. For example, it’s no coincidence smaller coins are the ones being attacked. Since they have attracted fewer miners, it’s easier to buy (or rent) the computing power needed to build up a majority share of the network.

Further, zencash co-creator Rob Viglione argued the rise of mining marketplaces, where users can effectively rent mining hardware without buying it, setting it up and running it, has made attacks easier, since attackers can use these marketplaces to buy up a ton of mining power all at once, without having to spend the time or money to set up their own miners.

Meanwhile, it’s grown easier to execute attacks as these marketplaces have amassed more hashing power.

“Hackers are now realizing it can be used to attack networks,” he said.

As a data point for this, someone even erected a website, Crypto51, showing how expensive it is to 51% attack various blockchains using a mining marketplace (in this instance, one called NiceHash). Attacking bytecoin, for example, might cost as little as $719 using rented computing power.

“If your savings are in a coin, or anything else, that costs less than $1 million a day to attack, you should reconsider what you are doing,” tweeted Cornell professor Emin Gün Sirer.

On the other hand, larger cryptocurrencies such as bitcoin and ethereum are harder to 51% attack because they’re much larger, requiring more hashing power than NiceHash has available.

“Bitcoin is too big and there isn’t enough spare bitcoin mining capacity sitting around to pull off the attack,” Bonneau told CoinDesk.

Source: Blockchain’s Once-Feared 51% Attack Is Now Becoming Regular – Telegraph

EU Copyright law could put end to net memes

Memes, remixes and other user-generated content could disappear online if the EU’s proposed rules on copyright become law, warn experts.

Digital rights groups are campaigning against the Copyright Directive, which the European Parliament will vote on later this month.

The legislation aims to protect rights-holders in the internet age.

But critics say it misunderstands the way people engage with web content and risks excessive censorship.

The Copyright Directive is an attempt to reshape copyright for the internet, in particular rebalancing the relationship between copyright holders and online platforms.

Article 13 states that platform providers should “take measures to ensure the functioning of agreements concluded with rights-holders for the use of their works”.

Critics say this will, in effect, require all internet platforms to filter all content put online by users, which many believe would be an excessive restriction on free speech.

There is also concern that the proposals will rely on algorithms that will be programmed to “play safe” and delete anything that creates a risk for the platform.

A campaign against Article 13 – Copyright 4 Creativity – said that the proposals could “destroy the internet as we know it”.

“Should Article 13 of the Copyright Directive be adopted, it will impose widespread censorship of all the content you share online,” it said.

It is urging users to write to their MEP ahead of the vote on 20 June.

Jim Killock, executive director of the UK’s Open Rights Group, told the BBC: “Article 13 will create a ‘Robo-copyright’ regime, where machines zap anything they identify as breaking copyright rules, despite legal bans on laws that require ‘general monitoring’ of users to protect their privacy.

“Unfortunately, while machines can spot duplicate uploads of Beyonce songs, they can’t spot parodies, understand memes that use copyright images, or make any kind of cultural judgement about what creative people are doing. We see this all too often on YouTube already.”

Source: Copyright law could put end to net memes – BBC News

Cisco Removes Backdoor Account, Fourth in the Last Four Months

For the fourth time in as many months, Cisco has removed hardcoded credentials that were left inside one of its products, which an attacker could have exploited to gain access to devices and inherently to customer networks.

This time around, the hardcoded password was found in Cisco’s Wide Area Application Services (WAAS), which is a software package that runs on Cisco hardware that can optimize WAN traffic management.

Hardcoded SNMP community string

This backdoor mechanism (CVE-2018-0329) was in the form of a hardcoded, read-only SNMP community string in the configuration file of the SNMP daemon.

[…]

The string came to light by accident, while security researcher Aaron Blair from RIoT Solutions was researching another WAAS vulnerability (CVE-2018-0352).

This second vulnerability was a privilege escalation in the WAAS disk check tool that allowed Blair to elevate his account’s access level from “admin” to “root.” Normally, Cisco users are permitted only admin access. The root user level grants access to the underlying OS files and is typically reserved only for Cisco engineers.

By using his newly granted root-level access, Blair says he was able to spot the hidden SNMP community string inside the /etc/snmp/snmpd.conf file.

“This string can not be discovered or disabled without access to the root filesystem, which regular administrative users do not have under normal circumstances,” Blair says.

Source: Cisco Removes Backdoor Account, Fourth in the Last Four Months

The first 3D printed houses will be built in the Netherlands this year

The city of Eindhoven soon hopes to boast the world’s first commercially-developed 3D-printed homes, an endeavor known as Project Milestone.

Artist’s rendering of 3D printed home neighborhood. (3dprintedhouse.nl)

Construction on the first home begins this year and five houses will be on the rental market by 2019, project organizers say. Within a week of releasing images of the new homes, 20 families expressed interest in dwelling in these postmodern pods, according to the project website.

“The first aim of the project is to build five great houses that are comfortable to live in and will have happy occupants,” developers say. Beyond that, they hope to promote 3D concrete printing science and technology so that printed housing “will soon be a reality that is widely adopted.”

3D printed concrete. (3dprintedhouses.nl)

The “printer” in this case is a big robotic arm that will shape cement of a light, whipped-cream consistency, based on an architect’s design. The cement is layered for strength.

Source: The first 3D printed houses will be built in the Netherlands this year — Quartz

Facebook gave some companies special access to data on users’ friends

Facebook granted a select group of companies special access to its users’ records even after the point in 2015 that the company has claimed it stopped sharing such data with app developers.

According to the Wall Street Journal, which cited court documents, unnamed Facebook officials and other unnamed sources, Facebook made special agreements with certain companies called “whitelists,” which gave them access to extra information about a user’s friends. This includes data such as phone numbers and “friend links,” which measure the degree of closeness between users and their friends.

These deals were made separately from the company’s data-sharing agreements with device manufacturers such as Huawei, which Facebook disclosed earlier this week after a New York Times report on the arrangement.

Source: Facebook gave some companies special access to data on users’ friends

Ticketfly exposes data on 27m customers in hack

  • Ticketfly was the target of a malicious cyber attack last week.
  • In consultation with third-party forensic cybersecurity experts we can now confirm that credit and debit card information was not accessed.
  • However, information including names, addresses, email addresses and phone numbers connected to approximately 27 million Ticketfly accounts was accessed. It’s important to note that many people purchase tickets with multiple email accounts, so the number of individuals impacted is likely lower.
  • We take privacy and security very seriously and upon first learning about this incident we took swift action to secure the data of our clients and fans.
  • Ticketfly.com, Ticketfly Backstage, and the vast majority of temporary venue/promoter websites are back online.

Source: Ticketfly | Ticketfly Cyber Incident Update

The hits keep coming for Facebook: Web giant made 14m people’s private posts public

About 14 million people were affected by a bug that, for a nine-day span between May 18 and 27, caused profile posts to be set as public by default, allowing any Tom, Dick or Harriet to view the material.

“We recently found a bug that automatically suggested posting publicly when some people were creating their Facebook posts. We have fixed this issue and starting today we are letting everyone affected know and asking them to review any posts they made during that time,” Facebook chief privacy officer Erin Egan said in a statement to The Register.

Source: The hits keep coming for Facebook: Web giant made 14m people’s private posts public • The Register