Crypto industry & currency brutal facts

The digital era produces more data every day, and the means of communicating information grow more varied and sophisticated. On the security side, the more advanced the protection methods become, the more complex the attack tools that fraudsters and cybercriminals use to evade or break them.

It is not easy to stay safe and sound in the modern information world, let alone in the crypto industry.

The fact is that all the data that is supposed to remain confidential (personal information, assets, and account details) is at stake. Cybercrime is happening more and more often, and the forecast is not positive, as the industry only seems to become more lucrative over time.

The latest research from RiskIQ highlights the unpleasant things that are still present.

Things can really get out of user control

No matter how much effort one puts into protecting customers’ data, things can always slip out of your control, just as with the MyEtherWallet phishing attack.

With the emergence of social engineering, fraudsters have become more innovative and creative. Nowadays they can even impersonate your company through a website, email, or social media page, all in an effort to trick customers and employees into giving away vital information and installing malware on their hardware.

RiskIQ states that in Q1 2018 alone it identified more than 25,000 phishing domains posing as almost 300 brands; moreover, 40% of them were established in the financial services industry. So, what is the best way to fight phishing? Raise the level of knowledge of your customers and employees, and stay alert, so that you can take the necessary actions to get impostor sites taken down as soon as possible.
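Staying alert for impostor sites can be partly automated by scoring newly observed domains against your own brand name. The sketch below is an added example, not part of the original post or of RiskIQ's tooling; the substitution table, the edit-distance threshold, the official-domain set and the sample domains are all assumptions constructed for illustration.

```python
import re
from typing import Optional, Set

# Illustrative (incomplete) table of visual substitutions, folded to the
# character they imitate. Applied to brand and candidate alike.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def skeleton(label: str) -> str:
    """Lower-case a label, drop separators, fold look-alike characters."""
    s = re.sub(r"[-_.]", "", label.lower())
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, brand: str, official: Set[str],
             max_edits: int = 2) -> Optional[str]:
    """Return why `domain` resembles `brand`, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain in official:
        return None
    target = skeleton(brand)
    for label in domain.split(".")[:-1]:          # every label except the TLD
        folded = skeleton(label)
        if folded == target:
            plain = label.replace("-", "").replace("_", "")
            return "exact-label" if plain == target else "homoglyph"
        if target in folded:
            return "brand-embedded"
        # max_edits=2 suits long brand names; lower it for short ones.
        if edit_distance(folded, target) <= max_edits:
            return "typo"
    return None

if __name__ == "__main__":
    # Constructed sample of newly observed domains (reserved .example TLD).
    seen = ["myetherwallet.com", "myetherwa11et.example", "rnyetherwallet.example",
            "myetherwallet-login.example", "myetherwalet.example", "etherscan.example"]
    for d in seen:
        print(f"{d:32} {classify(d, 'myetherwallet', {'myetherwallet.com'})}")
```

Anything the function flags is a candidate for manual review and a takedown request, not proof of phishing.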

The mass attack goes wide

RiskIQ goes on to state that it analyzes over two billion HTTP requests every day. It also deploys web crawling infrastructure that checks terabytes of passive DNS data and millions of SSL certificates, and monitors mobile apps, to see how broad the scope of an attack surface really is, or, simply put, how much opportunity there is for hackers to break in.

The company analyzed over three million new domains and 77 million hosts that could all be potential targets for a hacker over a two-week period. Since many modern websites share the same frameworks, plugins, and third-party apps, the hacker’s job is even easier. Just as we can create websites faster and easier, so can hackers come up with malicious code to infiltrate them all.

The fact is that one of the most significant vectors is content management systems (CMS), particularly those tied to WordPress: RiskIQ found over 13,000 WordPress plugins among Alexa’s most-visited sites.

Moreover, some 3,390 of them showed critical vulnerabilities, running at least one weak web component.

The scale of mobile attack surface is substantial

Most users think of the Google Play Store and Apple’s App Store as the only mobile app stores available globally. However, there are plenty more: a host of affiliate stores serve the Android market, and they can present a wealth of opportunities for bad actors to replace legitimate apps with fake ones.

Other data from RiskIQ shows an unprecedented 21,948 blacklisted mobile apps, equating to roughly 1.5 percent of all new apps. Almost all of these apps claimed the READ_SMS permission, allowing them to intercept messages, which could circumvent 2FA.

The best tip is that users should always download apps from the primary app stores and be extremely careful when researching the apps they download: if an app doesn’t look legitimate and asks for too much information, it is probably best avoided.

Cryptocurrency Miners are set loose

Mining programs and cryptojacking are constantly in the news as more and more computers get infected with mining software and lose GPU power as a result. For example, more than 50,000 websites are known to have run Coinhive over the last twelve months, knowingly or otherwise.

There is also now an average of 495 new hosts running cryptocurrency miners every week. Even worse, many of the crypto mining scripts found have been active for over 160 days already, meaning companies have failed to detect them.
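A site owner can look for such scripts in periodic crawls of their own pages and measure how long one has gone unnoticed. The following is an added example, not code from the original post or from RiskIQ; the signature list, host names and snapshots are assumptions constructed for illustration.

```python
import re
from datetime import date
from html.parser import HTMLParser

# Illustrative signatures for the Coinhive in-browser miner (an assumed list,
# not from the original post): its library file name and API constructors.
SIGNATURES = [re.compile(p, re.I) for p in
              (r"coinhive(\.min)?\.js", r"\bCoinHive\.(Anonymous|User|Token)\b")]

class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.chunks, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.chunks.append(dict(attrs).get("src") or "")
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.chunks.append(data)

def has_miner(html: str) -> bool:
    collector = ScriptCollector()
    collector.feed(html)
    return any(sig.search(c) for sig in SIGNATURES for c in collector.chunks)

def dwell_days(snapshots):
    """Map each host whose latest snapshot has a miner to its days of exposure."""
    report = {}
    for host, history in snapshots.items():
        history = sorted(history, key=lambda s: s[0])
        first = None
        for day, html in history:
            # Keep the start of the current unbroken run of infected snapshots.
            first = (first or day) if has_miner(html) else None
        if first:
            report[host] = (history[-1][0] - first).days
    return report

# Constructed crawl snapshots for two hypothetical hosts.
MINER = '<script src="https://cdn.example/lib/coinhive.min.js"></script>'
CLEAN = "<p>An article that mentions CoinHive.Anonymous in its text only.</p>"
SAMPLE = {
    "shop.example": [(date(2018, 1, 10), CLEAN), (date(2018, 2, 1), MINER),
                     (date(2018, 7, 12), MINER)],
    "blog.example": [(date(2018, 3, 1), MINER), (date(2018, 7, 12), CLEAN)],
}
if __name__ == "__main__": print(dwell_days(SAMPLE))
```

Only script sources and inline script bodies are inspected, so a page that merely mentions the miner in its text is not flagged.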

Hackers may know much more than you expect

RiskIQ research also found that at least 30 percent of companies have more internet assets than they thought. The causes include shadow IT, M&As, or a simple lack of organization.

For example, shadow IT occurs when an IT department outsources for a time and fails to include all internet assets in the company security program. If this happens over a period of time, it becomes an easy vector for a hacker, since these assets remain unpatched and don’t pass security frameworks.

What is the main reason? Mergers with other companies often lead to this, as the list of assets is frequently incomplete and sometimes chaotic. Internet assets include elements such as domain names, certificates, hosts, and apps.

Still, the modern security strategy for most companies has shifted to a defense-in-depth approach, starting at the perimeter and layering back to the assets that should be protected.

Happy end

In today’s world of digital engagement, users sit outside the perimeter along with an increasing number of exposed corporate digital assets—and the majority of the malicious actors. As such, companies need to adopt security strategies that encompass this change.

The chaotic world of the crypto industry sees many dangers, not least ICO start-ups, which have numerous vulnerabilities for investors and for their creators alike. One should invest as much as possible in security, as this remains a specific danger even today. Existing defensive methods need to be developed and continuously updated. Things can get out of hand and turn harsh pretty fast if organizations do not pay proper attention to protecting their assets.

ICO Smart-contracts vulnerability

Initial Coin Offering models of fundraising still have a lot of loopholes, which makes fraud and theft of money frequent and large-scale.

According to the latest security research, carried out last year by Positive and reported by Bleeping Computer, the average number of vulnerabilities per ICO stands at 5.

The results showed very negative trends and outcomes. According to the researchers, only one initial coin offering project did not contain bugs.

The study found that 71% of the projects contained vulnerabilities in smart contracts. Among the common problems, analysts pointed to non-compliance with the ERC-20 standard, incorrect generation of random numbers, and other significant shortcomings.

Experts said that such vulnerabilities appear due to programmers’ lack of proper qualifications and insufficient testing of the source code.

Analysts found most of the security flaws in the mobile applications of ICO projects. The common vulnerabilities named were unsafe data transmission, unreliable storage of user data in phone backups, and disclosure of the session identifier.

Some vulnerabilities in web applications enabled attacks on investor funds. For example, because of a lack of proper security, hackers could register a domain similar to the ICO’s and create phishing sites, thereby deceiving investors.

According to the research, every third project contained vulnerabilities that allowed hackers to access the data and savings of the organizing companies. Analysts also noted that many ICO initiators did not use two-factor authentication for important accounts.

https://www.bleepingcomputer.com/news/security/researchers-last-year-s-icos-had-five-security-vulnerabilities-on-average/

Speaking of the background to this research and earlier vulnerability issues in the industry, other things should also be remembered.

Currently, there are hundreds of thousands of smart contracts in the Ethereum blockchain that manage wallets, tokens, and applications, or are used to store funds. A group of British researchers alone was able to identify 34,200 vulnerable smart contracts, according to Motherboard.

Ilya Sergey, an assistant professor at University College London, and his colleagues conducted a large-scale study to detect all possible vulnerabilities of smart contracts on the Ethereum blockchain. To do this, they downloaded the Ethereum blockchain, in effect creating a fork of it for personal use, and began running a variety of scenarios, trying to achieve undesirable consequences. When these consequences occurred, they marked the smart contract “with a tracked vulnerability.”

Having analyzed about a million smart contracts in this way, the researchers found that 34,200 of them contained critical vulnerabilities. They tested their assumptions on 3,000 smart contracts, and in 89% of cases they caused the most undesirable consequences. In theory, this could have allowed them to steal $6 million in Ethereum.

According to experts, early detection of vulnerabilities prevents possible negative consequences. For example, in November 2017, a user under the pseudonym DevOps19 found a vulnerability in the code of the Ethereum library Parity and accidentally blocked $150 million.

“We are working with applications that have two very unpleasant features: they are used to manage your money and cannot be fixed,” Ilya explained.

Attempts to find the creators of the vulnerable smart contracts were in vain. However, since the researchers do not say which vulnerabilities were found in the smart contracts, they can be considered safe.

“If someone wants to take advantage of our idea, he, at least, will have to do as much work as we did,” the researcher summed up.

Recall that in January, a Cisco unit detected many vulnerabilities in the Ethereum client Parity. First of all, they concerned the creation of operating code whose incorrect operation could lead to a large-scale DoS attack on the nodes supporting it. Moreover, some “loopholes” in the wallet software allowed access to private information.

A few days later, representatives of Parity Technologies said that the vulnerabilities had been corrected in new versions of the Ethereum client software.

As we see, ICOs suffer from numerous vulnerabilities, and as the market develops further, new points of hacker intrusion also appear.

Read similar material about how to ensure safety from DDoS attacks on our official blog:

https://blog.merklion.com/all/how-to-ensure-security-from-ddos-attacks/