
MAJOR SECURITY FLAW in Metamask... Discovered By 'Good Hackers', Fixed Before Bad Ones Could Use It!

Metamask security hole

The world's most popular crypto wallet, Metamask, announced it has patched a security hole that could have been a DISASTER.

Thankfully, it was first discovered by 'good hackers', who immediately informed Metamask of the flaw and told them how to fix it. Going by the name 'The United Global Whitehat Security Team' (UGWST), the organization was able to claim a $120,000 reward for finding the vulnerability.

Metamask tells us that no users were affected by this vulnerability. UGWST seems to be the first and only party to discover it, and they shared their findings only with Metamask.

The technique, known as clickjacking, camouflages a malicious element on a site so that the user clicks on it without realizing it. For example, by clicking "Play" on a video you could actually be granting access to the funds in your wallet.

Metamask developers immediately fixed it...

Only users of the browser extension were ever at risk, but this is the most popular way of accessing Metamask wallets. The hackers demonstrated loading Metamask in an iframe (that is, a website within another website) and setting it to 0% opacity, in other words a completely transparent window the user would have no idea existed. Then it's a matter of tricking the user into clicking specific locations on their screen, unaware they're actually pressing an invisible button that confirms a transaction.

It could look like a pop-up ad, but the 'X' to close it is actually, for example, the button that confirms sending all your Ethereum to someone.
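The defence against the transparent-iframe trick described above is to refuse to be framed at all. The following is an added illustration, not MetaMask's own code: a header audit that reports whether a page showing confirmation buttons can be loaded inside a third-party iframe (via Content-Security-Policy frame-ancestors or X-Frame-Options), plus an in-page guard that only renders the confirmation control when the document is the top-level window. The sample responses, window-like objects and function names are constructed for the example.

```javascript
// Added example (not MetaMask's own code): two defender-side checks against the
// transparent-iframe clickjacking described above. Header names, the sample
// responses and the window-like objects below are constructed for illustration.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map((s) => s.toLowerCase());
  }
  return directives;
}

// Audit the response headers of a page that renders transaction-confirmation UI.
// Returns { frameable, reason }, where `frameable` means an arbitrary third-party
// origin could load the page inside its own iframe.
function framingPolicy(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) lower[name.toLowerCase()] = value;

  // Browsers honour CSP frame-ancestors over X-Frame-Options when both are present.
  const csp = lower['content-security-policy'];
  if (csp) {
    const ancestors = parseCsp(csp)['frame-ancestors'];
    if (ancestors) {
      if (ancestors.includes("'none'")) return { frameable: false, reason: "frame-ancestors 'none'" };
      if (ancestors.includes('*')) return { frameable: true, reason: 'frame-ancestors allows any origin' };
      return { frameable: false, reason: `frame-ancestors limited to ${ancestors.join(' ')}` };
    }
  }
  const xfo = lower['x-frame-options'];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY' || value === 'SAMEORIGIN') return { frameable: false, reason: `X-Frame-Options ${value}` };
    // ALLOW-FROM is obsolete and ignored by current browsers, so it protects nothing.
    return { frameable: true, reason: `unsupported X-Frame-Options value "${xfo}"` };
  }
  return { frameable: true, reason: 'no anti-framing header at all' };
}

// Guard for the page itself: render the "Confirm" control only when this document
// is the top-level browsing context. `win` is passed in so the check can run
// outside a browser against a constructed window-like object.
function renderConfirmUi(win) {
  if (win.top !== win.self) {
    return { rendered: false, message: 'confirmation UI refused to load inside a frame' };
  }
  return { rendered: true, message: 'confirmation UI rendered' };
}

// Constructed sample responses, as an audit tool would see them.
const sampleResponses = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'Content-Type': 'text/html', 'X-Frame-Options': 'DENY' },
  cspNone: { 'Content-Type': 'text/html', 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspAny: { 'Content-Type': 'text/html', 'Content-Security-Policy': 'frame-ancestors *' },
};

for (const [name, headers] of Object.entries(sampleResponses)) {
  const result = framingPolicy(headers);
  console.log(`${name}: ${result.frameable ? 'FRAMEABLE' : 'protected'} (${result.reason})`);
}
```

The header check is the one to put in a release pipeline: an extension or wallet page that renders "confirm" without `frame-ancestors 'none'` (or at least `'self'`) is exactly the page that can be hidden at 0% opacity. The in-page guard is a second layer for browsers that ignore the header or for pages served without it.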

Make Sure You're Up To Date...

By default Metamask updates automatically, but double-check yours to be safe. Open Metamask, go to 'settings', then 'about', and make sure you have version 10.14.6 or above.

If any of those numbers are lower, you need to update. 

Hacking for good can be a profitable venture...

Metamask awarding the bug finders $120,000 is common practice: virtually all major players in tech offer a 'bug bounty', giving hackers an alternative, completely legal way to turn their discoveries into profit.

UGWST, the organization that discovered this, has also helped Apple, Reddit and Microsoft, and has performed security audits for Crypto.com and OpenSea.

---------------
Author: Oliver Redding
Seattle Newsdesk  / Breaking Crypto News / Dimefi Review

$25 Million In Crypto HACKED, Stolen... And RETURNED!? Inside The Recovery Operation...

Crypto Loan Site Lendf.me Hacked

Decentralized cryptocurrency loan platform 'Lendf.Me' suffered a security breach on April 18th, in which around $25 million worth of cryptocurrency was stolen.

The attacker exploited the platform's DeFi smart contracts: the ERC777 token callback mechanism let them re-enter the withdrawal function repeatedly, draining the account before the contract updated the balance, so the theft did not show until it was too late.
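The mechanism above comes down to the order of two operations inside a withdrawal: reducing the caller's recorded balance, and sending the tokens (which, for ERC777, hands control to the recipient's code). As an added illustration, not Lendf.Me's contract code, here is a plain-JavaScript model of that callback with the vulnerable ordering beside the checks-effects-interactions fix. The Token, VulnerableVault and SafeVault classes, the addresses and the amounts are constructed for the example.

```javascript
// Added example, not Lendf.Me's contract code: a plain-JavaScript model of the
// ERC777-callback reentrancy described above. The Token, VulnerableVault and
// SafeVault classes, the addresses and the amounts are constructed for the
// illustration; the point is the order of "update balance" and "send tokens".

class Token {
  constructor() { this.balances = new Map(); this.hooks = new Map(); }
  mint(addr, amount) { this.balances.set(addr, this.balanceOf(addr) + amount); }
  balanceOf(addr) { return this.balances.get(addr) || 0; }
  // ERC777-style: a recipient may register a tokensReceived hook, which the token
  // calls during every transfer to that recipient, before send() returns to the caller.
  registerHook(addr, fn) { this.hooks.set(addr, fn); }
  send(from, to, amount) {
    if (this.balanceOf(from) < amount) throw new Error('insufficient token balance');
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
    const hook = this.hooks.get(to);
    if (hook) hook(from, amount);   // control passes to the recipient's code here
  }
}

class BaseVault {
  constructor(token, addr) { this.token = token; this.addr = addr; this.deposits = new Map(); }
  depositOf(user) { return this.deposits.get(user) || 0; }
  deposit(user, amount) {
    this.token.send(user, this.addr, amount);
    this.deposits.set(user, this.depositOf(user) + amount);
  }
}

// Vulnerable ordering: the external call (token.send, which runs the recipient's
// hook) happens BEFORE the deposit record is reduced, so a re-entrant withdraw
// still passes the balance check against the old, unreduced figure.
class VulnerableVault extends BaseVault {
  withdraw(user, amount) {
    if (this.depositOf(user) < amount) throw new Error('insufficient deposit');
    this.token.send(this.addr, user, amount);          // hook fires inside this call
    this.deposits.set(user, this.depositOf(user) - amount);
  }
}

// Hardened: checks, then effects, then interactions, plus a reentrancy lock.
class SafeVault extends BaseVault {
  constructor(token, addr) { super(token, addr); this.locked = false; }
  withdraw(user, amount) {
    if (this.locked) throw new Error('reentrant call rejected');
    this.locked = true;
    try {
      if (this.depositOf(user) < amount) throw new Error('insufficient deposit');
      this.deposits.set(user, this.depositOf(user) - amount);   // effect first
      this.token.send(this.addr, user, amount);                 // interaction last
    } finally {
      this.locked = false;
    }
  }
}

// Run one scenario: an honest user deposits 90, a malicious recipient deposits 10
// and registers a hook that re-enters withdraw whenever the vault still has
// tokens. Returns the final token balances so the two vaults can be compared.
function runScenario(VaultClass) {
  const token = new Token();
  const vault = new VaultClass(token, 'vault');
  token.mint('honest', 90);
  token.mint('reentrant', 10);
  vault.deposit('honest', 90);
  vault.deposit('reentrant', 10);

  token.registerHook('reentrant', (from, amount) => {
    if (from !== 'vault' || token.balanceOf('vault') < amount) return;
    try { vault.withdraw('reentrant', amount); } catch (e) { /* re-entry refused */ }
  });

  vault.withdraw('reentrant', 10);
  return { recipientTokens: token.balanceOf('reentrant'), vaultTokens: token.balanceOf('vault') };
}

console.log('vulnerable:', runScenario(VulnerableVault));  // vault drained
console.log('hardened:  ', runScenario(SafeVault));        // only the 10 deposited comes out
```

With the vulnerable vault the recipient's own 10-token deposit is enough to pull out the honest user's 90 as well, because every nested check sees the original deposit figure. With the hardened vault the deposit record hits zero before the token ever moves, and the lock rejects the nested call outright; the recipient gets back exactly what it put in. The real fix on-chain is the same two-part change (effects before interactions, plus a guard), which is why audits flag any external call that precedes a state update.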

Upon discovering this, things couldn't have looked any worse, as the CEO made this depressing public statement while sharing the news:

"This attack not only harmed our users, our partners, and my co-founders, but also me personally. My assets were stolen in this attack, too.

This attack was my failure. While I did not execute it, I should have anticipated it and taken actions to prevent it. My heart goes out to everyone harmed, and I will do everything in my power to make this right. I sincerely apologize to our users, to our new investors, and to my team for letting them down."

While it sounded like the company was down and out, possibly forever, this was just the beginning of the story.

The site's CEO Mindao Yang wanted to try negotiating, so he had his team leave a note for the hackers on the blockchain, saying "Contact us. For your better future" along with their direct contact information.

An Aggressive Counterattack...

Here's where they got it right: their team instantly sprang into action, bringing in security firm SlowMist, which specializes in blockchain-based cybersecurity, along with the Singapore Police.

They then announced on their social media that the process of tracking down the hackers had begun.

While we don't know what clues (if any) were left behind that could lead to the hackers, the company began a campaign to put them in a state of paranoia, stating on its site that there were 'traces left by the hackers before and after the attack' allowing them to 'cross-check with the resources of various parties at home and abroad to obtain breakthrough clues, getting closer to the hacker'.

At the same time, they began contacting other exchanges, making them aware of the hack and getting them to blacklist and freeze any wallets receiving the stolen coins.

The Hackers Couldn't Handle The Heat...

The stress was too much, and the hackers began to crack: the combination of a security firm in the process of tracking them down, and the coins becoming hard to spend as more exchanges blacklisted them, led the hackers to decide it just wasn't worth it anymore.

They began returning some of the stolen crypto, then something must have really spooked them: the following day they sent back everything they had left.

Amazingly, Nearly All Of the $25 Million Was Recovered...

While the company stated 'all' the assets had been recovered, we were only able to verify $24 million of the original $25 million as being returned. But we won't bother getting hung up on a tiny $1 million lost; this was still a job well done!

Any users whose funds were stolen have been promised 100% will be returned.

The company is now bringing in third-party experts to analyze both what went wrong here and what needs to be done to fortify their security in the future.

It's safe to assume this was part of the deal with the hackers: the company has withdrawn its request to press charges with the Singapore Police.

-------
Author: Ross Davis
E-Mail: Ross@GlobalCryptoPress.com Twitter:@RossFM

San Francisco News Desk




Crypto Thief Arrested in US After Stealing $1M+ From 75 Victims in 20 States...

While mainstream media reports make this kid sound like a mastermind, the truth is that this trick takes virtually no skill whatsoever.

That's why it's so disturbing.

19-year-old Yousef Selassie was arrested and charged with first-degree grand larceny and identity theft when authorities traced 75 victims back to him as he began to spend his earnings.

“He sought them out based on the industries they were involved in,” said Brooklyn Assistant DA James Vinocur, explaining how Yousef targeted people in tech, believing they were more likely to own large amounts of cryptocurrency.

A search of his residence found 9 phones, 3 flash drives, and 2 laptops, all containing evidence against him. He pleaded not guilty.

Shockingly simple...

Authorities say he used a "SIM swap" to pull it off, and when you hear how easily this is done, it will shock you.
  • Get a blank SIM card (available on Ebay and hundreds of other sites) 
  • Put it into a cellphone.
  • Call the target's cellphone provider.
  • Pretending to be the target or someone close to them, say you recently lost your phone, you ordered a new one, and need it activated.
  • They will ask for the SIM card's ID number.
  • If everything went correctly, your phone is now on the victim's account, you control their phone number, you receive their calls and texts.
  • Using the 'I lost my password' feature everything from crypto exchanges to online banking has, have them text a code to reset it.
  • Since the text messages now go to you, you're now able to reset the passwords to whatever you wish.
  • That's it, you have full access to everything. 
Some tricks used to get the customer service rep from the cell phone company to comply include pretending to be someone's personal assistant, which would explain why you may not be able to answer every question they ask you.

Or, pretend to be elderly, make every step take way longer than usual, make the customer service rep frustrated and by the time they figure out what you need them to do, they'll rush to get you off the line.

Who's to blame?
Absolutely, it's the cellphone providers. In almost every case a rep from the company doesn't go through the process of verifying they are talking to the true account owner, or, as mentioned above, when they believe they're speaking with someone's personal assistant, they will forgive not knowing things like the mother's maiden name.

The solution? This can be tough, because sometimes we forget what we chose as our passwords or pins. I've never had to do this process myself, and I have no idea what answers I gave to the security questions when I signed up... 8 years ago now.

But frankly, if I forgot, it's my fault.  So perhaps a foolproof system where the customer service reps cannot change SIM information without first entering information given by the customer is the way to go. 

If they forgot, a verification code will have to be mailed to the customer's home address. It could be sent overnight (for a fee) and people will have to accept this is being done in the name of protecting their data.

These days, so much of our lives are on our phones.  It's a change that happened without much thought behind it, but most people don't feel like losing their phone is the same as losing their wallet with their credit cards in it.  But really, it's exactly like that.

Could someone call a bank and get someone else's login information by saying they are their personal assistant? Would the bank reps forgive not knowing a few pieces of personal information? Hell no.

Now keep in mind, through someone's cellphone you can access that same account! That's why cellphone providers need to operate with the same security standards as the bank.

-------
Author: Ross Davis
E-Mail: Ross@GlobalCryptoPress.com Twitter:@RossFM

San Francisco News Desk




Facebook's Libra Cryptocurrency HACKED - Major Security Flaw Discovered in Early Version of Libra Code...

A security hole was discovered in Facebook's soon-to-launch cryptocurrency, the 'Libra'.

The vulnerability was discovered by OpenZeppelin, a firm that has conducted security audits for many of the major players in the cryptocurrency industry including Coinbase, the Ethereum Foundation, Brave, Bitgo, Shapeshift and more.

The exploit allowed text that appeared to be harmless inline comments to be executed as code. The firm provided some examples of how a bad actor could use this vulnerability, including:

  • A faucet that mints assets (Libra Coins or any other asset on the Libra network) in exchange for a fee can deploy a malicious module that takes a fee but never actually provides the possibility of minting such asset to the user.
  • A wallet that claims to keep deposits frozen and release them after a period of time may actually never release such funds.
  • A payment splitter module that appears to divide some asset and forward it to multiple parties may actually never send the corresponding part to some of them.
  • A module that takes sensitive data and applies some kind of cryptographic operation to obscure it (e.g. hashing or encrypting operations) may actually never apply such operation.

But this is hardly a complete list; when discussing a security hole that allows someone to execute code, the possibilities are endless: it all depends on how creative, or malicious, the person writing that code is.

What's normal here, and what isn't...

Discovery of security holes while a project is in the development phase is beyond common; it's standard.

The only thing we found surprising was the large gap of time between when OpenZeppelin said they informed Facebook, Aug 6th, and the date Facebook finally fixed the code, Sept 4th.

Even odder, changes were made to this section of code during this time, but those changes left the security hole open for another 3 weeks.

Facebook says security is a top priority...

Speaking to one of my contacts inside Facebook, they said Libra "has and will continue to go through some of the most intense security auditing/testing imaginable" adding "we're letting a lot of hackers take a stab at Libra, and it won't be launched without consensus among the developers that it's fully secure, and ready for the masses".

In all fairness, while I can't say I'm convinced Facebook entering the crypto space is a good thing, it is good they're letting outsiders put Libra's security through rigorous testing.

Nothing is more dangerous than a group of developers so sure their code is flawless that they don't see the need to test that claim before releasing it to the public. That's how insecure software ends up opening security holes on thousands, or millions, of computers.

-------
Author: Ross Davis
E-Mail: Ross@GlobalCryptoPress.com Twitter:@RossFM

San Francisco News Desk