Yet another Zcash bug
Zcash is urging it's userbase to immediately upgrade their wallets and node software to apply an "important security fix". A bulletin issued by the developers released no details, but stated:
"Version 2.0.7-3 of Zcashd includes an important security fix in response to an issue that was reported to us on Friday September 13th 2019 by Florian Tramèr, Dan Boneh, and Kenneth G. Paterson. Users should upgrade their nodes to this version immediately and discontinue use of older versions. Please note that the issue does not put funds at risk of theft or counterfeiting. More details of the issue will be released in coordination with the reporters of the issue at a future date."
This latest undisclosed issue is the second reported flaw in Zcash this year alone, the first being a bug that was found that allowed one to print unlimited monies which the developers kept secret for 8 months.
Tags: News, Cryptocurrency, Insecurity, Lulz
Canonical Shithub repositories hacked
Canonical Ltd (Ubuntu) source code repositories on Shithub were reportedly compromised this morning, complete with buttery screenshots. (archived)
No official word from Shithub or Canonical was available at the time of posting.
Tags: News, Insecurity, Lulz
Shinohai's Saturday Shitcoin Selections 4
The lulz in this story begin in a thread for the XJO cryptocuurency on bitcointalk. This guy suggests you can "run an entire 'DNM' on the XJO blockchain" and links to a javascript page (archived) that will happily eat your private keyz and encrypt and decrypt thingz for you!
Why this is incredibly stupid:
- iGolder.com should be all you need to know, but you can also google search it if you wish.
- No mention is made of airgap setups, and the joulecoin.info site is connected to the internet when performing crypto functions.
- No mention made of layering (see above), and why you should be using 4096-bit or higher rsa keys for any comms, period.
- Cost of 51% attacks and other lulz would be near nothing for interested 3-letter agencies.
- Point #1 is honestly enough to end this discussion.
"But it's so luser friendly, everyone can do it!"
There is no scenario that exists, or shall ever exist, where "paste your key here" ever becomes proper handling of cryptographic keys, and certainly not in situations that require proper OPSEC and associated sanitation procedures. This is seriously the most retarded post I've read all year, and tardstalk produces some very brain-damaged threads.
TL;DR OP is an utter moron and you should seek advice elsewhere if you use crypto in any high-risk situations.
Tags: News, Cryptocurrency, Insecurity, Lulz
SKS Keyserver Network Under Attack
via Shithub.
"At present I (speaking only for myself) do not believe the global keyserver network is salvageable. High-risk users should stop using the keyserver network immediately."
etc.
Update: Bonus lulz from phuctor.
Tags: News, Insecurity, Lulz
Official Alpine Linux Docker image found to allow NULL password for root users
Docker woes continue as security researchers discover that all "Official images" of Alpine linux (since v3.3) allow NULL passwords for the root user. This event, along with Docker Hub being hacked serve as a wonderful reminder of only running code from trusted sources and personal libraries.
Tags: News, Insecurity, Lulz, UNIX
McAfee flees U.S. after tax fraud allegations
John McAfee announced earlier this week that the U.S. Internal Revenue Service is allegedly charging him with felony tax evasion for 8 years non-payment of taxes, and that he will be "running his Presidential campaign from exile on a vessel dubbed "The Freedom Boat".
McAfee assured his followers on twitter that he would be releasing videos every day as long as the exile lasts, which leads the author to the conclusion that ample supplies of tinned penis, Xanax, and electronic equipment were provisioned in the freedom boat's hold before casting off. (archived)
Tags: News, Cryptocurrency, Insecurity, Lulz
Anti-Trump messages blamed on twitter hackers
Rudy Giuliani's cybersecurity team fails at the internet. twitter is blamed.
Tags: News, Insecurity, Lulz
Chinese Ethereum vulnerable to ancient bug
The NEO platform (Chinese Ethereum) was discovered to be vulnerable to the same default settings bug that caused mETH tards to have funds liberated from their nodes back in June. Chinese tech company Tencent first reported the bug, and encouraged all users to update their nodes as soon as possible, instead of correctly advising users to simply abandon the platform, and anything else remotely resembling Ethereum. Coinmarket cap lists an imaginary valuation of $532 million USD for this corn riddled steamy pile of Asian shit.
Tags: News, Bitcoin, Cryptocurrency, Lulz, Insecurity
Malicious GasToken Minting in mETHereum disclosed
Quoted from the public disclosure by Level K:
This is a public disclosure of a newly discovered vulnerability. Some affected parties have already been notified in a private disclosure that was sent out on November 13th. When ETH is sent to an address, that address is able to perform arbitrary computations paid for by the originator of the transaction. This is a known vector for griefing. However, in some cases, at-risk systems such as exchanges did not put proper protections in place. GasToken, which takes advantage of the refund mechanism on storage in Ethereum, allows users to store gas when the gas price is low and receive a gas refund when the gas price is high. By minting large amounts of GasToken when receiving ETH, the griefing vector mentioned above can now be a profitable attack. Because it was unknown which exchanges did and did not have the protections in place, the private disclosure was made to as many exchanges as possible, many of which were not at risk. To our knowledge, all affected exchanges that received the disclosure have patched the vulnerability. For more information the full disclosure can be found here.
As has been documented on this blog, and formerly on Qntra (Now pretty much the BingoBoingo blog), Ethereum is a flaming tire in a shitpit that should not be used for any purpose.
Tags: News, Cryptocurrency, Insecurity, Lulz
Buffer overflow bug discovered in segshit address scheme.
A buffer overflow vulnerability has been discovered by satoshi labs in the bech32 address scheme, used by Segshit and introduced into Bitcoin by "Core" developer Pieter Wuille. Satoshi labs assures users of their already pwnd Trezor devices that the risk is minimal and can only result in denial of service attacks, but released a firmware update immediately after the bug was confirmed. (archived)
Tags: News, Bitcoin, Insecurity, Lulz
Eliminating malicious TLDs with regex
A discussion on Telegram this morning led to this post, I decided to preserve this handy list of regular expressions for filtering out mostly dumb and malicious TLD's. I am personally using an EdgeRouter Lite with dnsmasq for this purpose, so your mileage may vary - feel free to modify and make these better. Suggestions for changes may be sent to my email listed on the contact page, as usual non-encrypted content will be ignored.
^https?://([A-Za-z0-9.-]*\.)?.gq/ ^https?://([A-Za-z0-9.-]*\.)?.cf/ ^https?://([A-Za-z0-9.-]*\.)?.men/ ^https?://([A-Za-z0-9.-]*\.)?.loan/ ^https?://([A-Za-z0-9.-]*\.)?.ml/ ^https?://([A-Za-z0-9.-]*\.)?.top/ ^https?://([A-Za-z0-9.-]*\.)?.work/ ^https?://([A-Za-z0-9.-]*\.)?.click/ ^https?://([A-Za-z0-9.-]*\.)?.tk/ ^https?://([A-Za-z0-9.-]*\.)?.country/ ^https?://([A-Za-z0-9.-]*\.)?.pw/ ^https?://([A-Za-z0-9.-]*\.)?.party/ ^https?://([A-Za-z0-9.-]*\.)?.trade/ ^https?://([A-Za-z0-9.-]*\.)?.review/ ^https?://([A-Za-z0-9.-]*\.)?.club/ ^https?://([A-Za-z0-9.-]*\.)?.bid/
YARA compatible regular expressions for detecting base64 encoded variable-case http:// and https:// URI prefixes:
HTTP:// ([\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx] [Io][Vd][FH][R][Qw][O]i\x38v[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z] [\x30\x32EGUWkm][h][\x30U][Vd][FH][A]\x36Ly[\x2b\x2f\x38-\x39]|[Sa][FH][R][\x30U] [Uc][D]ovL[\x2b\x2f-\x39w-z]) HTTPS:// ([\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx] [Io][Vd][FH][R][Qw][Uc][z]ovL[\x2b\x2f-\x39w-z]|[\x2b\x2f-\x39A-Za-z] [\x30\x32EGUWkm][h][\x30U][Vd][FH][B][Tz][O]i\x38v[\x2b\x2f-\x39A-Za-z]|[Sa][FH][R][\x30U] [Uc][FH][M]\x36Ly[\x2b\x2f\x38-\x39])
Tags: Insecurity, Webshit
Static address bug discovered in Ledger app
The Ledger hardware wallet team announced a serious "bug" in the Ledger Wallet Ethereum Chrome application, telling lusers to avoid using it as it generates a static address for everyone. But "Engineering is working on it" so they recommend using more Webshit, like MyEtherWallet, in the meantime while the company tries to figure out why webpages generate static addresses and bikeshed a solution.
Tags: News, Cryptocurrency, Insecurity, Lulz, Webshit
Zerodium offering increased rewards for UNIX 0day exploits
Zerodium, a company that brokers exploits to governments and "law enforcement" is now offering rewards of up to one half million USD for zero days in UNIX operating systems. The company's website states that payments can be processed in Bitcoin and other "cryptocurrencies".
ZERODIUM evaluates and verifies all submitted research within one week or less. Payments are made in one or multiple installments by wire transfer or using crypto-currencies e.g. Bitcoin.
Zerodium only accepts submissions encrypted with their GPG KEY and claims to take one's privacy "very seriously", though they require a researchers personal information that they promise not to share with anyone, ever.
Tags: News, Bitcoin, Insecurity, Linux
Enumerating geth nodes for fun and profit
Step 1: Download GETH and build it inside a chroot.
Step 2: Fire up geth and wait for the ethereum database to load.
Step 3: Enumerate peers running misconfigured clients and rpc consoles by running an insecure instance yourself:
dibbuk# ./geth --rpc --rpcaddr 0.0.0.0 --rpcapi, db,eth,net,web3 --dev console
Step 4: Profit. I quickly found 22 nodes listening for the entire world on port 8545, ~60% of these were located on Chinese and other South Asian mining farms. For bonus lulz you can leverage the power of virtual shrimp mining to disrupt the network whilst you pilfer the funds from vulnerable wallets.
At the time of this post, the addresses below are confirmed to have received around $22 million USD in ETH liberated by enterprising crypto pirates, and the figures still climb despite warnings not to do this shit since March:
0x09d6fd506b7eb4102182d8e4d9a3d8f3dbfa499b 0x1234567461d3f8db7496581774bd869c83d51c93 Ox15e4cf195Offa338ce5bc59456b3e579ed1bead3 0x397aa69c17a7cc405a3aeeeb223158109b037d5b 0x3d985fd71a21256c7d2b618ab8a1896f10f64fcd 0x4e0603e2a27a30480e5e3a4fe548e29ef12f64be 0x519475b31653e46d20cd09f9fdcf3b12bdacb4f5 0x6ef57be1168628a2bd6c5788322a41265084408a 0x7097f41f1c1847d52407c629d0e0ae0fdd24fd58 0x72adadb447784dd7ab1f472467750fc485e4cb2d 0x7b09ff6548f03512dfe63a09a2673b9c25476482 0x85545528f1d72912558f9ef72296c404afd4b18d 0x8e4fbe2673e154fe9399166e03e18f87a5754420 0x8f760bc9bd9748fc61c7b60ea8033037f37d44d5 0x957cd4ff9b3894fc78b5134a8dc72b032ffbc464 0x9b11efcaaa1890f6ee52c6bb7cf8153ac5d74139 0x9fe173573b3f3cf4aebce5fd5bef957b9a6686e8 0xafecd96855ec6324d7cde57babb775676e560441 0xc1e42aa688977d386a6ce15de741e3c34ff0c500 Oxd26114cd6ee289accf82350c8d8487fedb8a0c07 0xe386e3372e3d316ae063af50c38704ec6fba5149
Lesson: Trust your finances to garbage written in golang with a javascript console at your peril.
Tags: Bitcoin, Cryptocurrency, Insecurity, Lulz
Women In Tech: Tracey Rosenberger
Are you bored this weekend? Ever wake up at 3 a.m. and think "I'm just not giving the NSA enough personal information" ? Then follow along as women-in-tech(tm) author Tracey Rosenberger shows you how to build your own Amazon Alexa using a Raspberry Pi. Installation of the software is a breeze thanks to the unsigned automated scripts that ensure every packet of your precious data will get routed to improper users just like the real thing!
For those that prefer a more portable auto surveillance device, Ms. Rosenbenger has published an article on how to make Alexa your default assistant on Android.
Tags: News, Insecurity, lulz
