btcinfo  

Hic inserere motto

Anti-Trump messages blamed on Twitter hackers

December 05, 2018 — shinohai

Rudy Giuliani's cybersecurity team fails at the internet. Twitter is blamed.

Tags: News, Insecurity, Lulz

Chinese Ethereum vulnerable to ancient bug

December 04, 2018 — shinohai

The NEO platform (Chinese Ethereum) was discovered to be vulnerable to the same default settings bug that caused mETH tards to have funds liberated from their nodes back in June. Chinese tech company Tencent first reported the bug, and encouraged all users to update their nodes as soon as possible, instead of correctly advising users to simply abandon the platform, and anything else remotely resembling Ethereum. CoinMarketCap lists an imaginary valuation of $532 million USD for this corn riddled steamy pile of Asian shit.

Tags: News, Bitcoin, Cryptocurrency, Lulz, Insecurity

Malicious GasToken Minting in mETHereum disclosed

November 21, 2018 — shinohai

Quoted from the public disclosure by Level K:

This is a public disclosure of a newly discovered vulnerability. Some affected parties have already been notified in a private disclosure that was sent out on November 13th. When ETH is sent to an address, that address is able to perform arbitrary computations paid for by the originator of the transaction. This is a known vector for griefing. However, in some cases, at-risk systems such as exchanges did not put proper protections in place. GasToken, which takes advantage of the refund mechanism on storage in Ethereum, allows users to store gas when the gas price is low and receive a gas refund when the gas price is high. By minting large amounts of GasToken when receiving ETH, the griefing vector mentioned above can now be a profitable attack. Because it was unknown which exchanges did and did not have the protections in place, the private disclosure was made to as many exchanges as possible, many of which were not at risk. To our knowledge, all affected exchanges that received the disclosure have patched the vulnerability. For more information the full disclosure can be found here.

As has been documented on this blog, and formerly on Qntra (Now pretty much the BingoBoingo blog), Ethereum is a flaming tire in a shitpit that should not be used for any purpose.

Tags: News, Cryptocurrency, Insecurity, Lulz

Buffer overflow bug discovered in segshit address scheme.

October 31, 2018 — shinohai

A buffer overflow vulnerability has been discovered by SatoshiLabs in the bech32 address scheme, used by Segshit and introduced into Bitcoin by "Core" developer Pieter Wuille. SatoshiLabs assures users of their already pwnd Trezor devices that the risk is minimal and can only result in denial of service attacks, but released a firmware update immediately after the bug was confirmed. (archived)

Tags: News, Bitcoin, Insecurity, Lulz

Eliminating malicious TLDs with regex

September 07, 2018 — shinohai

A discussion on Telegram this morning led to this post; I decided to preserve this handy list of regular expressions for filtering out mostly dumb and malicious TLDs. I am personally using an EdgeRouter Lite with dnsmasq for this purpose, so your mileage may vary - feel free to modify and make these better. Suggestions for changes may be sent to my email listed on the contact page; as usual, non-encrypted content will be ignored.

^https?://([A-Za-z0-9-]+\.)+gq/
^https?://([A-Za-z0-9-]+\.)+cf/
^https?://([A-Za-z0-9-]+\.)+men/
^https?://([A-Za-z0-9-]+\.)+loan/
^https?://([A-Za-z0-9-]+\.)+ml/
^https?://([A-Za-z0-9-]+\.)+top/
^https?://([A-Za-z0-9-]+\.)+work/
^https?://([A-Za-z0-9-]+\.)+click/
^https?://([A-Za-z0-9-]+\.)+tk/
^https?://([A-Za-z0-9-]+\.)+country/
^https?://([A-Za-z0-9-]+\.)+pw/
^https?://([A-Za-z0-9-]+\.)+party/
^https?://([A-Za-z0-9-]+\.)+trade/
^https?://([A-Za-z0-9-]+\.)+review/
^https?://([A-Za-z0-9-]+\.)+club/
^https?://([A-Za-z0-9-]+\.)+bid/
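
An added example, not part of the original post: the same TLD list applied as one anchored expression and as a check on the parsed host name, plus the matching dnsmasq entries. The function names, the sample URLs and the choice of `address=/tld/0.0.0.0` lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# TLDs taken from the list above.
TLDS = ("gq", "cf", "men", "loan", "ml", "top", "work", "click", "tk",
        "country", "pw", "party", "trade", "review", "club", "bid")

# One anchored expression for the whole list: the dot before the TLD is
# escaped and the TLD must be the last label of the host name.
URL_RE = re.compile(
    r"^https?://([A-Za-z0-9-]+\.)+(?:%s)/" % "|".join(TLDS), re.IGNORECASE)


def blocked_by_regex(url):
    """True when the URL matches the list-style regular expression."""
    return URL_RE.match(url) is not None


def blocked_by_host(url):
    """True when the parsed host name ends in a listed TLD.

    Parsing first also covers ports, userinfo and a trailing root dot,
    which the plain expression does not see.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    return "." in host and host.rsplit(".", 1)[1] in TLDS


def dnsmasq_lines(tlds=TLDS):
    """dnsmasq address= entries answering 0.0.0.0 for names under each TLD."""
    return ["address=/%s/0.0.0.0" % tld for tld in tlds]


# Constructed URLs; the host names are placeholders.
SAMPLES = [
    "http://login.example.gq/",             # listed TLD
    "HTTPS://CDN.EXAMPLE.TOP/a.js",         # upper-case scheme and host
    "http://example.click:8080/x",          # explicit port
    "http://user@example.tk./",             # userinfo and trailing dot
    "https://top.example.com/",             # "top" is a label, not the TLD
    "https://example.com/?u=http://x.gq/",  # listed TLD only in the query
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(blocked_by_regex(url), blocked_by_host(url), url)
    print("\n".join(dnsmasq_lines()))
```

The third and fourth samples show where URL-level expressions miss a host that a DNS-level block still covers.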

YARA compatible regular expressions for detecting base64 encoded variable-case http:// and https:// URI prefixes:

HTTP:// ([\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx][Io][Vd][FH][R][Qw][O]i\x38v[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x30\x32EGUWkm][h][\x30U][Vd][FH][A]\x36Ly[\x2b\x2f\x38-\x39]|[Sa][FH][R][\x30U][Uc][D]ovL[\x2b\x2f-\x39w-z])

HTTPS:// ([\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx][Io][Vd][FH][R][Qw][Uc][z]ovL[\x2b\x2f-\x39w-z]|[\x2b\x2f-\x39A-Za-z][\x30\x32EGUWkm][h][\x30U][Vd][FH][B][Tz][O]i\x38v[\x2b\x2f-\x39A-Za-z]|[Sa][FH][R][\x30U][Uc][FH][M]\x36Ly[\x2b\x2f\x38-\x39])
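
An added example, not part of the original post: the two expressions above used from Python to find base64 runs in log lines and decode the URL they hide. Each expression has three alternatives because the prefix can fall at byte offset 0, 1 or 2 of a 3-byte base64 group; the helper names and the sample lines are constructed for illustration.

```python
import base64
import re

B64 = r"[\x2b\x2f-\x39A-Za-z]"  # any base64 alphabet character, as on the page
# The page's HTTP:// and HTTPS:// expressions, each joined onto one line.
HTTP = (B64 + B64 + r"[\x31\x35\x39BFJNRVZdhlptx][Io][Vd][FH][R][Qw][O]i\x38v" + B64
        + "|" + B64 + r"[\x30\x32EGUWkm][h][\x30U][Vd][FH][A]\x36Ly[\x2b\x2f\x38-\x39]"
        + r"|[Sa][FH][R][\x30U][Uc][D]ovL[\x2b\x2f-\x39w-z]")
HTTPS = (B64 + B64 + r"[\x31\x35\x39BFJNRVZdhlptx][Io][Vd][FH][R][Qw][Uc][z]ovL[\x2b\x2f-\x39w-z]"
         + "|" + B64 + r"[\x30\x32EGUWkm][h][\x30U][Vd][FH][B][Tz][O]i\x38v" + B64
         + r"|[Sa][FH][R][\x30U][Uc][FH][M]\x36Ly[\x2b\x2f\x38-\x39]")
PREFIX = re.compile("(?:%s)|(?:%s)" % (HTTP, HTTPS))
RUN = re.compile(r"[A-Za-z0-9+/]{8,}")            # candidate base64 runs
URL = re.compile(rb"https?://[\x21-\x7e]+", re.I)  # printable URL in decoded bytes


def find_encoded_urls(text):
    """Decode base64 runs that match the prefix expressions; return the URLs."""
    urls = []
    for run in RUN.finditer(text):
        hit = PREFIX.search(run.group())
        if not hit:
            continue
        # Every alternative starts on a 4-character base64 boundary, so
        # decoding from the start of the match recovers the original bytes.
        chunk = run.group()[hit.start():]
        if len(chunk) % 4 == 1:   # a lone trailing character cannot be decoded
            chunk = chunk[:-1]
        raw = base64.b64decode(chunk + "=" * (-len(chunk) % 4))
        found = URL.search(raw)
        if found:
            urls.append(found.group().decode("ascii"))
    return urls


def constructed_samples():
    """Constructed log lines: the prefix at byte offsets 0, 1 and 2."""
    payloads = [b"hTtp://a.example.invalid/x",
                b"url=HTTPS://b.example.invalid/y",
                b"u=http://c.example.invalid/z"]
    return ["GET /q?d=" + base64.b64encode(p).decode() for p in payloads]


if __name__ == "__main__":
    for line in constructed_samples():
        print(find_encoded_urls(line), line)
```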

Tags: Insecurity, Webshit

Static address bug discovered in Ledger app

August 03, 2018 — shinohai

The Ledger hardware wallet team announced a serious "bug" in the Ledger Wallet Ethereum Chrome application, telling lusers to avoid using it as it generates a static address for everyone. But "Engineering is working on it" so they recommend using more Webshit, like MyEtherWallet, in the meantime while the company tries to figure out why webpages generate static addresses and bikeshed a solution.

Tags: News, Cryptocurrency, Insecurity, Lulz, Webshit

Zerodium offering increased rewards for UNIX 0day exploits

June 29, 2018 — shinohai

Zerodium, a company that brokers exploits to governments and "law enforcement", is now offering rewards of up to one half million USD for zero days in UNIX operating systems. The company's website states that payments can be processed in Bitcoin and other "cryptocurrencies".

ZERODIUM evaluates and verifies all submitted research within one week or less. Payments are made in one or multiple installments by wire transfer or using crypto-currencies e.g. Bitcoin.

Zerodium only accepts submissions encrypted with their GPG key and claims to take one's privacy "very seriously", though they require a researcher's personal information that they promise not to share with anyone, ever.

Tags: News, Bitcoin, Insecurity, Linux

Enumerating geth nodes for fun and profit

June 13, 2018 — shinohai

Step 1: Download GETH and build it inside a chroot.

Step 2: Fire up geth and wait for the ethereum database to load.

Step 3: Enumerate peers running misconfigured clients and rpc consoles by running an insecure instance yourself:

dibbuk# ./geth --rpc --rpcaddr 0.0.0.0 --rpcapi db,eth,net,web3 --dev console

Step 4: Profit. I quickly found 22 nodes listening for the entire world on port 8545; ~60% of these were located on Chinese and other South Asian mining farms. For bonus lulz you can leverage the power of virtual shrimp mining to disrupt the network whilst you pilfer the funds from vulnerable wallets.

At the time of this post, the addresses below are confirmed to have received around $22 million USD in ETH liberated by enterprising crypto pirates, and the figures still climb despite warnings not to do this shit since March:


Lesson: Trust your finances to garbage written in golang with a javascript console at your peril.
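
An added example, not part of the original post: a check an operator can run over their own geth command lines to see whether the RPC listener from Step 3 is bound beyond loopback. It uses only the flags shown in the post plus `--rpcport`; the function names, the sample command lines and the localhost:8545 fallback are assumptions.

```python
import ipaddress
import shlex

VALUE_FLAGS = {"rpcaddr", "rpcport", "rpcapi"}  # flags that take a value


def parse_flags(cmdline):
    """Collect --flag, --flag value and --flag=value options."""
    args, opts, i = shlex.split(cmdline), {}, 0
    while i < len(args):
        if args[i].startswith("--"):
            name, eq, value = args[i][2:].partition("=")
            if not eq and name in VALUE_FLAGS and i + 1 < len(args):
                i += 1
                value = args[i]
            opts[name] = value
        i += 1
    return opts


def is_loopback(addr):
    """True for localhost and loopback IP addresses."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # a host name we cannot classify: treat as reachable


def audit_geth(cmdline):
    """Return None when RPC is off, else the bind address, APIs and exposure."""
    opts = parse_flags(cmdline)
    if "rpc" not in opts:
        return None
    # Assumption: without --rpcaddr/--rpcport the listener is localhost:8545.
    addr = opts.get("rpcaddr", "localhost")
    port = opts.get("rpcport", "8545")
    apis = [a for a in opts.get("rpcapi", "").split(",") if a]
    return {"bind": "%s:%s" % (addr, port), "apis": apis,
            "exposed": not is_loopback(addr)}


# Constructed command lines; the first is based on the Step 3 command.
SAMPLES = [
    "./geth --rpc --rpcaddr 0.0.0.0 --rpcapi db,eth,net,web3 --dev console",
    "geth --rpc --rpcaddr=127.0.0.1 --rpcport 8600 --rpcapi eth,net",
    "geth --rpc",
    "geth console",
]
```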

Tags: Bitcoin, Cryptocurrency, Insecurity, Lulz

Women In Tech: Tracey Rosenberger

June 02, 2018 — shinohai

Are you bored this weekend? Ever wake up at 3 a.m. and think "I'm just not giving the NSA enough personal information"? Then follow along as women-in-tech(tm) author Tracey Rosenberger shows you how to build your own Amazon Alexa using a Raspberry Pi. Installation of the software is a breeze thanks to the unsigned automated scripts that ensure every packet of your precious data will get routed to improper users just like the real thing!

For those that prefer a more portable auto surveillance device, Ms. Rosenberger has published an article on how to make Alexa your default assistant on Android.

Tags: News, Insecurity, lulz