Tag Archives: Ethereum

Friday News Bites – June 15, 2018

Details Emerge on TicketFly Hack

More details are coming out about the TicketFly attack. First, the web site was based on WordPress. While WordPress is a very popular platform for individuals and small businesses, using it for something as complex as a concert ticketing site is likely a mistake. Hackers were able to get data on 27 million customers, but the good news is that no passwords or credit card data were accessed; only names, addresses, phones, emails, etc. were compromised. This is likely due to security-minded design decisions made early in the development of the site. The site was down for almost a week, a disaster in the online ticketing business, and they are likely going to have to pay the venues that use them significant compensation to keep them from jumping ship. That is in addition to the megabucks spent in recovery and probably more megabucks in rebuilding the site using something other than WordPress. (Source: Variety)

FBI Arrests 74; recoups $14 Million

Business email compromise is a $5 billion industry according to the FBI (see article here). The FBI says that they disrupted a business email compromise scheme, recovered $2.4 million and halted $14 million in bogus wire transfers. This represents 0.3 percent (about one third of one percent) of the reputed losses. While any arrests are a good thing, no one should think that this problem is handled, because, if anything, it is getting worse. (Source: Ars Technica)

Apple Continues to Poke the Tiger in the Eye

Apple seems to be committed to doing battle with the feds while the rest of us enjoy popcorn. When Apple refused to unlock an iPhone after the San Bernardino shooting (in part because the FBI did not follow Apple’s instructions), the FBI paid a third party to hack it. Now Apple is saying that, in the next software release, they are going to disable data transfer from locked iPhones via the charging port after a phone has been locked for an hour. Why that should have ever been open is not clear. This will likely break some of the hacking software that the police are using. (Source: NY Times)

Another Day, Another Intel Speculative Execution Bug

I am beginning to feel sorry for Intel. In addition to the original Spectre and Meltdown bugs, some of which will never be fixed and others of which are hard to exploit, there recently were 8 more flaws announced with differing degrees of difficulty and impact. This week brings Lazy State, an exploit that allows a process to infer the contents of the floating point arithmetic registers of another process due to a time optimization called lazy floating point state restore. Some operating systems have already turned this optimization off (Red Hat Enterprise Linux), and any Linux variant running version 4.9 of the kernel or newer is also safe. Others have patched the flaw recently (OpenBSD, FreeBSD). I am assuming that Microsoft and Apple will fix it this month, since turning off this optimization does not require a microcode update. Still, collectively, all of these fixes will reduce performance. (Source: ZDNet)

Another Crypto-currency Breach

We continue to see attacks against crypto-currencies. Why? Because hackers think it is easy to do and the odds of getting caught are low. This week it is Ethereum and they lost about $20 million. One more time, this is not an attack on the math, but rather on the implementation. Users left ports open on their client computers, which allowed the attackers to steal the users’ wallets. (Source: The Hacker News)

 

Fourth Cryptocurrency Heist in a Month – SEC May Step In

An undisclosed attack vector allowed a hacker to steal $8.4 million in Ethereum, a competitor to Bitcoin, during its “initial coin offering”. This is the fourth time this month Ethereum alone was attacked, not counting attacks on other cryptocurrencies (Bitcoin and Ethereum are two popular cryptocurrencies, that is, so-called currencies based on cryptography).

For the most part currencies, at least recognized ones such as the dollar or the euro, are regulated, controlled and guaranteed by governments.  None of that is true for cryptocurrencies.

The other hacks include a $7 million hack of Coindash, a $32 million hack of Parity and a $1 million hack of Bithumb.

Prior to panicking, remember: where there is money, there are bandits.

People rob banks and we don’t stop using them (at least most people still use them).

People hack credit cards and we definitely still use them.

Hacking financial institutions has gone on for a long, long time.

Since cryptocurrencies are not regulated or guaranteed by any government, you are on your own when it comes to recouping losses. That fact notwithstanding, Bitcoin, one of the most popular cryptocurrencies, has gone from a value of $1.00 in early 2011 to $2,674 today. People love to speculate, and as long as you are not doing that with the rent money and understand the risk, that is fine. People take risks all the time.

Since most cryptocurrency solutions are startups, many, likely, don’t even have insurance.

In some cases the people who lost their money get paid back; sometimes they don’t. The issue with blockchains, which are behind most if not all cryptocurrencies, is that they are supposed to be unchangeable, so to reverse a transaction violates “the prime directive”. In at least one case that I am familiar with, that is exactly what happened. They got their eraser out and deleted a transaction.

Not surprisingly, governments are watching what is going on with distinct interest and Reuters is reporting that the U.S. Securities and Exchange Commission is looking at regulating “Initial Coin Offerings” or ICOs.  While ICOs are not securities in the sense of an investor owning shares in a company, they are certainly an investment and as the SEC is responsible for protecting investors, it would make sense that they would be looking at this.  One reason that companies are issuing ICOs instead of IPOs is that they are not regulated, there is limited paperwork required and they don’t have to disclose investor risks at the same level that they would if they were doing an IPO.  Stay tuned to see if the SEC does in fact take action.  One question is whether or not ICOs are even in their regulatory authority or whether Congress would need to pass a law to allow them to do that.

All this means is that the cryptocurrency market is young and turbulent and investors should assume some degree of hiccups and loss.

One thing that makes Bitcoin, for example, different than the dollar, is that Bitcoin exists totally in the world of software and software always has bugs.  Hackers love to find bugs.  And exploit them.  As long as investors understand the risk, the market will evolve.

Information for this post came from The Hacker News and Reuters.