White Hat Hacker Saved Uber From Login Bypass Exploit

As it turns out, no company is safe from exploits or vulnerabilities. Not even Uber, which paid a researcher US$10,000 to not reveal his login bypass exploit. Such a vulnerability could effectively cripple the service if the information got into the wrong hands.

Uber Was Vulnerable To Dangerous Exploit

The security vulnerability would have had some nasty effects on the Uber network. Bypassing the login form would let attackers access specific “.uber.com” websites, which could affect the company’s internal network. Nipping potential flaws in the bud at an early stage is always the best strategy for a company.

Luckily for Uber, a white hat security researcher disclosed the bug to the company. If it had been a black hat hacker, the vulnerability would not have been reported, and there is no telling as to what would have happened. The researcher was paid a US$10,000 bounty for discovering this bug, which is the highest bounty Uber has ever paid out since launching the program earlier this year.

Specifically, the vulnerability lets attackers bypass the system used for Uber employee authentication. Additionally, it would have been possible to compromise the company’s internal network, which is hosted on Atlassian’s Confluence software. Bypassing this login would allow an attacker to access the Uber Newsroom, which is running on WordPress.

OneLogin is the company responsible for authenticating users on the WordPress backend. However, it is possible to enter any username or desired role, as the plugin will create a new user if the username does not exist yet. If an attacker can guess the right role name – such as “Administrator” – it is possible to create a new account and wreak all kinds of havoc.

Compromising Uber’s internal network is a more serious concern, though. Attackers would have been able to achieve remote code execution, as they could inject JavaScript from the Newsroom directly. Luckily, the company fixed all issues within 36 hours of finding out what was going on.
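The auto-provisioning behaviour described above, modelled as an added example (not code from the OneLogin plugin, Uber or the original article): a sign-on handler that creates a user with whatever role it is handed, beside a version that rejects unauthenticated claims and maps roles through an allowlist. The HMAC key standing in for the identity provider's signature, the role names and all function names are assumptions of this example.

```python
import hashlib
import hmac
import json

# Assumption: a shared key stands in for the identity provider's signing key.
IDP_KEY = b"constructed-demo-key"

# Roles that single sign-on is allowed to grant to a newly created account.
ROLE_ALLOWLIST = {"subscriber", "author", "editor"}
DEFAULT_ROLE = "subscriber"


def _mac(attrs: dict, key: bytes) -> str:
    """MAC over a canonical encoding of the identity attributes."""
    body = json.dumps(attrs, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sign_assertion(attrs: dict, key: bytes = IDP_KEY) -> dict:
    """Build a constructed sign-on assertion as the identity provider would."""
    return {"attrs": attrs, "sig": _mac(attrs, key)}


def provision_naive(users: dict, assertion: dict) -> str:
    """Weak form: username and role are trusted exactly as received."""
    attrs = assertion["attrs"]
    name = attrs["username"]
    if name not in users:
        # Any caller-chosen role, including an administrative one, is stored.
        users[name] = attrs.get("role", DEFAULT_ROLE)
    return users[name]


def provision_hardened(users: dict, assertion: dict, key: bytes = IDP_KEY) -> str:
    """Hardened form: authenticate the claims, then constrain the role."""
    attrs = assertion.get("attrs", {})
    supplied = str(assertion.get("sig", ""))
    if not hmac.compare_digest(_mac(attrs, key), supplied):
        raise PermissionError("assertion is not signed by the identity provider")
    name = attrs["username"]
    if name in users:
        # Existing accounts keep the role assigned locally by an administrator.
        return users[name]
    requested = str(attrs.get("role", "")).lower()
    # Unknown or privileged role names fall back to the least-privileged role.
    users[name] = requested if requested in ROLE_ALLOWLIST else DEFAULT_ROLE
    return users[name]


if __name__ == "__main__":
    # Constructed input: claims that never passed through the identity provider.
    unsigned = {"attrs": {"username": "newuser", "role": "administrator"}, "sig": ""}
    print("naive:", provision_naive({}, unsigned))
    try:
        provision_hardened({}, unsigned)
    except PermissionError as exc:
        print("hardened:", exc)
    signed = sign_assertion({"username": "alice", "role": "Administrator"})
    print("hardened, signed but privileged role:", provision_hardened({}, signed))
```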

Source: Threatpost


Is Cybercrime Getting Out of Control?

Stating that cybercrime is on the rise is rather like saying the world is round. Identifying this well-known fact is no longer any great discovery. But understanding the magnitude of the problem and how it affects us as we use the internet is an important starting point.

Earlier this week, the FBI’s Internet Crime Complaint Center (IC3) released their 2017 Internet Crime Report. More than 300,000 consumers reported that they were victims of malware and cyber-fraud attacks last year (with registered losses of over $1.4 billion combined).

The most common types of crimes were non-payment and non-delivery, phishing scams, and data breaches. The crimes that cost the most in terms of financial loss were compromised email accounts, investment scams, and non-payment/non-delivery. In all, the IC3 received over four million complaints between 2000 and 2017.

The Web of Profit

Advanced malware protection specialists from Bromium, together with Dr. Mike McGuire, Senior Lecturer in Criminology at the University of Surrey, released a report entitled “Web of Profit” last month. The report digs into the dynamics of cybercrime and looks at how new ‘criminality’ platforms are bringing about a booming cybercrime economy, generating at least $1.5 trillion in illicit profits. That’s equal to the GDP of Russia.

In fact, according to their findings, if cybercrime were a country, it would have the 13th highest GDP in the world, comprising illegal online markets, data trading, identity theft, and ransomware.

The CEO of Bromium, Gregory Webb, says, “The platform criminality model is productizing malware and making cybercrime as easy as shopping online… We can’t solve this problem using old thinking or outmoded technology. New approaches to cybersecurity will be required.”

Blockchain and AI

There are many blockchain and AI startups springing up to eBits using these new technologies. Blockchain, especially at the application layer, is certainly moving in the right direction by removing eBits. And if AI can be used to help us predict and prevent cybercrime before it happens, that could be the perfect combination.

Scott Schober, author of Hacked Again and President/CEO of BVS, says, “You’re accomplishing things much quicker when you apply machine learning to cybersecurity. You can anticipate and build up your defenses because we don’t have enough manpower to do it. Using AI and machine learning can do everything much, much quicker.”

But while we can contemplate the uses of new technologies like blockchain and AI to fight cybercrime, when it boils down to it, almost all attacks have a common element: human error.

Schober continues, “I think blockchain applied in the right area is definitely going to help secure things, but you can spend billions of dollars in security, you can implement the latest and greatest blockchain to secure things, but blockchain is fundamentally a layer underneath allowing things to happen; it’s not a magic silver bullet to stop hackers in their tracks.”

The Human Element

Clearly, there are a lot of people making money by preying on unsuspecting internet users. And we all know by now the importance of being careful when we go online. We don’t open links from strangers, we don’t download suspicious attachments, and we don’t respond to messages on Skype asking for our bank details.

Yet most of us have been victims of cybercrime at some point in our lives. It’s not surprising that criminals pick the easiest targets (people over 60, according to the IC3 report). But even the highly technically minded among us can be affected too. Just look at the continued Binance eBits that have duped more than one exchange user.

And let’s not even get started on ICOs.

“The biggest problem in cybersecurity today is people,” Schober says. “We continually fall back to choosing convenience over security… We were lazy with creating passwords, and guess what? It really hasn’t changed much today. We don’t take the time to carefully vet what we’re putting out on the internet and then it’s used against us. People are too trusting; we give out information too easily.”

So, it seems that unless we fundamentally change our habits and improve what Schober calls our “cyber hygiene,” all the blockchains in the world won’t be enough to keep our account funds or our identities intact.

Cybercrime is reaching a critical point. Don’t make it any easier for the hackers. 


MIT Review Acclaims zk-SNARKs, but zk-STARKs May Steal the Show

As much as we love the convenience of the internet, our privacy is at great risk whenever we go on social media, check our credit reports, grab a ride, or simply log into a fitness app. Our need to protect our information encompasses much more than financial transactions with a few cryptocurrencies.

In the United States alone, the staggering number of data breaches shows the need for a better privacy solution, and zk-SNARKs or zk-STARKs are poised to fill that need. This year, the Cambridge Analytica data mining scandal affected more than 87 million Facebook users, and the WSJ predicts its repercussions will be huge. Last year, the Equifax data breach shared the social security numbers and dates of birth for more than half the nation. Meanwhile, an Uber hack exposed data from 57 million customers and drivers, and the MyFitnessPal app leaked usernames and passwords of more than 150 million users.

zk-SNARKs and zk-STARKs are two cryptographic protocols that could help prevent personal information from being vulnerable to these types of database breaches in the first place.

The Promise of Privacy: zk-SNARKs

This month, zk-SNARKs were included on an MIT Tech Review list of the 10 Breakthrough Technologies of 2018 among AI developments, 3D metal printing, and a smart city that Alphabet is building from the ground up.

zk-SNARKs protect your privacy, allowing you to prove who you are without having to give away specific details relating to your identity. Some of the potential uses cited in MIT’s article were verifying you’re over 18 without having to share your date of birth, and proving you have enough money in your bank account as collateral without having to give away account details like your exact balance.

Implementation of zk-SNARKs

zk-SNARKs are already running on cryptocurrency Zcash and JP Morgan Chase’s blockchain-based payment system. Both protocols have also grabbed the attention of Vitalik Buterin and the Ethereum foundation, including this exploration of zk-STARKs last year by Buterin. zk-SNARKs have been in the works since the 1980s, but it wasn’t until these recent cryptocurrency applications that interest in them really peaked.

Adding zk-SNARKs brings a layer of privacy previously inaccessible with most cryptocurrencies, traditional passwords, and even two-factor authentication. zk-SNARKs stands for zero-knowledge succinct non-interactive argument of knowledge, while zk-STARKs represents zero-knowledge succinct transparent argument of knowledge.

Potential Problems with zk-SNARKs

If zk-SNARKs sounds too good to be true, you’re onto something. While the world needs a privacy measure to address hacks, privacy breaches, and identity theft, zk-SNARKs need to overcome major hurdles to be a practical privacy solution.

Setting up zk-SNARKs requires a trusted setup that creates a very uncomfortable situation. Take Zcash’s launch as an example: a team of six developers around the world followed a set of instructions on a DVD to add the zk-SNARKs protocol to its blockchain. Essentially, each member generated one shard, or section, of the password to control Zcash. Gaining this control over all six shards would allow a bad actor to create additional tokens or steal funds.

Once the developers had run the code to generate their respective pieces of the password, each supposedly destroyed their portion of the key, some going as far as to drill holes into their hard drives. In this setup, at least one member must destroy their shard, so no one can find the entire key. This means, in theory, that even if the other five developers colluded to share their shards, they still wouldn’t have access, and it would be difficult to figure out the missing piece.  

Later, Zcash performed a larger trusted setup ceremony called “Powers of Tau”, with somewhere between 100 and 1,000 people running the protocol and destroying their shards of the key, some ceremoniously destroying their hardware in the process.
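A simplified model of the multi-party setup described above, added here as an illustration and not taken from Zcash's ceremony code: each participant folds a secret shard into the public parameters, and the combined secret is the product of all shards, so it stays unknown as long as one shard is destroyed. The toy group (p = 2039), the function names and the sample shards are assumptions; a real ceremony uses elliptic-curve groups and proofs that each contribution was formed correctly.

```python
import secrets

# Toy group (assumption for illustration): P = 2Q + 1 with P, Q prime,
# and G = 4 generating the subgroup of prime order Q. Far too small for real use.
P, Q, G = 2039, 1019, 4


def new_shard() -> int:
    """Each participant's private contribution, drawn from 1..Q-1."""
    return secrets.randbelow(Q - 1) + 1


def contribute(params: list, shard: int) -> list:
    """Fold one shard into the public parameters.

    params[k] holds G^(tau^k). Raising it to shard^k turns tau into tau * shard
    without the participant learning tau or anyone else's shard.
    """
    return [pow(elem, pow(shard, k, Q), P) for k, elem in enumerate(params)]


def run_ceremony(shards: list, degree: int = 4) -> list:
    """Start from tau = 1 and let every participant contribute in turn."""
    params = [G] * (degree + 1)
    for shard in shards:
        params = contribute(params, shard)
    return params


def combined_secret(shards: list) -> int:
    """The value nobody should ever hold: the product of all shards mod Q."""
    tau = 1
    for shard in shards:
        tau = tau * shard % Q
    return tau


def params_from_secret(tau: int, degree: int = 4) -> list:
    """What a party who knew the whole secret could compute directly."""
    return [pow(G, pow(tau, k, Q), P) for k in range(degree + 1)]


if __name__ == "__main__":
    shards = [new_shard() for _ in range(6)]  # six participants, as in the text
    public = run_ceremony(shards)

    # The ceremony output matches the parameters derived from the full secret.
    print("matches full secret:", public == params_from_secret(combined_secret(shards)))

    # Five colluding participants hold a value that differs from the real
    # secret by the sixth, destroyed shard.
    partial = combined_secret(shards[:5])
    print("five shards reproduce parameters:", params_from_secret(partial) == public)
```

In the toy group the missing shard could be recovered by trying all 1,018 values; the scheme's security rests on the group being large enough that this search is infeasible.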

Though this higher number of participants could make things safer, there’s no true way to know it worked, and there’s no way to ensure a fake Zcash isn’t valued as the real Zcash. If Ethereum were to implement zk-SNARKs, it could take thousands of participants to run this kind of scenario unless there were a way around it.

zk-SNARKs are also slow and fairly expensive to implement right now, but this may not always be the case. One implementation, Secure Remote Password protocol (SRP), uses zk-SNARKs so you can log into your account by answering some true or false questions rather than by providing your password. This go-around proves you have the information without ever putting it on a server where a third-party could use it to access your account.

Zk-STARKs: A Better Privacy Breakthrough?

zk-STARKs, on the other hand, are being touted as a less costly and faster alternative to zk-SNARKs. Their biggest advantage is that no trusted setup is required.

Zcash’s founding scientist and zk-SNARKs researcher Professor Eli Ben-Sasson shed light on how the two proofs vary. Ben-Sasson is also part of a new launch, recently cofounding StarkWare Industries for commercial use.

He explains, “zk-SNARKs use public key (asymmetric) cryptography to establish security. zk-STARKs instead require a leaner symmetric cryptography, namely, collision resistant hash functions, and thus remove the need for a trusted setup. These same techniques also eliminate the number-theoretic assumptions of zk-SNARKs (and BulletProofs) that are computationally expensive and prone to attack by quantum computers. This makes zk-STARKs both faster to generate and post-quantum secure.” We’re about to jump into some of the technical reasons as to why zk-STARKs work differently from zk-SNARKs.

The zk-STARKs white paper states, “No ZK system realized thus far in code (including that used by cryptocurrencies like Zcash) has achieved both transparency and exponential verification speedup, simultaneously, for general computations.”

Ben-Sasson elaborates on this exponential verification method, saying, “If T represents the number of machine cycles of a computation, then the time to verify a zk-STARK for that computation, as a function of T, is log(T), which is exponentially smaller than T. In contrast, for a computation used only once, zk-SNARK verification … takes exponentially more time than a zk-STARK verification, [and] most of this added computation time is due to the trusted setup.”

When asked how zk-STARKs could help alleviate the number of privacy breaches over time, Ben-Sasson conjectures, “Permissionless blockchains will be the early adopters, followed by conventional businesses. Businesses will be pressured to adapt to the higher standards of transparency and accountability offered by zk-STARKs. As a result, citizens will enjoy a higher level of security and privacy from businesses and organizations who collect and store their personal data.”

To put it simply, zk-SNARKs are like building a top-secret blanket fort with your friends. You each have to assemble all the blankets in just the right way and celebratorily hide the evidence of your fort from your nosey older sister. You also have to put in a lot of effort to keep the sofa cushion walls up, and it will take you more time overall. zk-STARKs, on the other hand, are like a foldable tent you can pull right out of the box. It may not require all the effort and secrecy, but it means you’ll have more time to play flashlight games and tell ghost stories.

A Push for Privacy

Leaders in cryptographic research (i.e., the pioneers of many of the biggest existing and upcoming cryptocurrency projects) are looking into both zk-SNARKs and zk-STARKs. If one were added as an option to the Ethereum platform, you could choose a privacy option to keep your transactions hidden.

There’s a big misconception that transactions on blockchains like Bitcoin, Litecoin, and Ethereum are untrackable. While transactions may appear anonymous because they use long address codes, it is possible to piece together someone’s identity and account balances by tracking the addresses on their public ledgers and elsewhere, especially when someone always uses the same address.

Advances in Privacy Tech

As both zero-knowledge protocols undergo testing on blockchains, the cryptocurrency community is actively testing zk-SNARKs and is likely to test zk-STARKs soon as well. There are also other privacy coins like Monero tackling privacy, at least when it comes to spending.

Monero works by hiding a sender’s identity in a couple of ways, using stealth addresses with one-time destination public keys. It obscures a sender’s IP address and uses a ring signature, which combines a sender’s output address with a group of other possible sender addresses chosen randomly from the Monero blockchain, making it impossible to tell which transaction went where. Ring signatures make it look like a transaction could have been initiated by anyone in a group, kind of like someone with very illegible handwriting signing a check from a group checking account.

In contrast, zk-SNARKs and zk-STARKs fundamentally change how data is shared instead of creating a smoke trail around who sent what. Both are much-needed developments towards protecting our privacy. As Ethereum, banks, and others seek privacy measures in the wake of the increasing amount of data breaches of our sensitive information, zk-SNARKs and zk-STARKs will both be put to the test. Whether it’s either of these or something new, may the best proof win – it’s vitally needed.


Security for the Blockchain: Exclusive Interview with Trail of Bits Founder and CEO Dan Guido

Too often, we’ve made incorrect assumptions about our security. Fraudulent charges are covered by our credit card protections, while the FDIC protects our bank accounts. When the entire financial system collapsed mostly due to the subprime mortgage lending industry, we assumed we’d be okay again, and the government bailed out the banks.

We should never take our security for granted, and this is especially true when it comes to blockchain technology. Blockchain projects remain in the early stages, so it’s important to verify that the coding behind crypto wallets, exchanges, and projects are secure. No industry leader understands this better than Trail of Bits founder and CEO Dan Guido.

Guido’s firm specializes in security testing, as if they were hacking their own clients to find their vulnerabilities. Dan Guido’s exclusive interview with The Merkle is an opportunity for the crypto community to proactively address our assumptions about security and safety.

The Merkle: Can you give us a brief history of Trail of Bits and the scope of its projects?

Dan Guido: Trail of Bits has been around for almost seven years. I founded the company with my partner Alex Sotirov. We are both security researchers, and we’ve been doing this since we were fifteen years old. We don’t have any venture funding; we built the company from the ground up.

We work across many industries including tech, finance, and defense. We audit high-assurance financial applications code, low-level code, and cryptographic systems. We work on airplanes for Lockheed Martin, security operations software for Facebook, and security research for DARPA. Since blockchain emerged as a new technology, we have been able to apply all that experience to this new field.

The Merkle: What makes Trail of Bits particularly qualified to do security engineering and assessments on blockchain technology?

Guido: We’re a software security company, and that means we’re constantly working on compilers, binary analysis, programming languages, and trying to find software security flaws, sometimes without even looking at source code. We know what tools to write and what processes to construct. We can tell what good and bad code looks like because we’ve seen it all before; it’s stuff we’ve spent our whole lives on.

About two years ago, we focused on porting the tools we built [to test software and code in other industries] to blockchain technology, particularly the Ethereum Virtual Machine (EVM). Now we primarily offer three services to clients in this space: smart contract audits, design guidance for asset custody, and blockchain design.

For smart contract audits, we’re given a DApp – typically written in Solidity – and apply our unique set of tools and knowledge to help uncover hidden risks. We write new software test cases and provide guidance to help projects stay secure, even after our engagement is finished.

We also look at custody systems, as they are designed for exchanges like Gemini, ICOs, and organizations like the Web3 Foundation. For these projects, we’re designing and reviewing systems that access and store funds.

Finally, we also help with blockchain design. In one notable case, we worked with the RSK blockchain, which puts smart contracts into Bitcoin, and helped review their contract runtime environment. We have both theoretical and applied cryptographers who can do real assessments of blockchain design choices that many other companies cannot.

The Merkle: What are some of the blockchain projects you’re working on?

Guido: Specific to blockchain companies, Trail of Bits has worked with LivePeer, Golem, MakerDAO, and many others we’re not able to disclose. Code auditing isn’t new, but the rapid growth of smart contracts has created an immediate need for testing. From infamous hacks to failed exchanges to enterprising hackers stealing cryptocurrency, it’s clear this industry requires rigorous testing to prove applications work as promised and remain secure.

We started with only one engineer focused on blockchains, working on it out of interest. Today we have ten. Even with all those security engineers, Trail of Bits still has to be selective about new clients, and there are a lot of people we unfortunately turn away. We choose clients who build foundational technologies, take on risks, or who present us with interesting intellectual challenges.

The Merkle: Tell us about your work on Ethereum with fuzzing, particularly your EVM Smart Fuzzer, Echidna, released in early March. On your blog you said, “It’s the first-ever fuzzer to target smart contracts, and has powerful features like abstract state-machine modelling and automatic minimal test case generation.” What are the implications?

Guido: A fuzzer tries to violate assumptions about how code will act. In this case, we’re generating sample inputs to find unexpected problems in Ethereum smart contracts. Echidna is smart about what tricky inputs look like and can generate millions of test cases at a very high throughput to stress test smart contracts.

The potential inputs to a program could be vast, so a good fuzzer must be both really fast and really smart at finding which potential inputs are more effective at breaking the program than others. Echidna does both of these things.

If you’re working with typical compiled code like C++, then you’re looking for a crash. However, in Solidity or EVM bytecode, you don’t know exactly what a bad thing looks like. It could be a wallet drained or accessing someone else’s data. Echidna has an expressive language that lets you customize what properties it’s looking for in these cases.

The Merkle: So, essentially, it tries to make things that must always be true become false?

Guido: Yes, and Echidna tracks the amount of the code it has tested while it works. When it’s tested close to 100%, then it has tried almost anything someone could do to a program. It flails around like crazy trying to find ways to do things you don’t want, testing to see if it can make your application work incorrectly.

This kind of testing gives high assurance your program won’t do something unexpected, like lose all your ether. Echidna is best to use after you add a new feature. Write test cases for it and Echidna will do its best to break the code.

An Echidna test showing problems with Solidity coding.

The Merkle: When someone like Golem goes to you for a smart contract audit, what do you do?

Guido: As a starting point, we ask about the use, architecture, implementation, and testing of the product. Then, we ask about their nightmare scenarios. We’ll use that foundation to search for scenarios where they might become true. We meet with the engineers weekly to review what we’ve found, discuss potential fixes, and make sure we’re reviewing for the right issues.

This process typically takes two to eight weeks. At the conclusion, we write an audit report that lists all our high-level concerns in addition to the specific flaws we found. For example, are there systemic issues with how they write code or parts of the code base that should be checked later? What matters most is that they fix the code identified. In the final debrief, we want them to have the tools and knowledge to fully address all the issues.

The Merkle: Why are these audits so important?

Guido: The risk and consequences of failure when using this technology is high. Blockchain technology is very unforgiving. Transactions are irreversible and participants are pseudo-anonymous, which makes it easy for hackers to steal cryptocurrency with impunity.

Each new application has its own set of business risks too. For example, if you’re depending on a stablecoin not changing value, yet someone can manipulate its price ratio on demand, then that is a security flaw that could let someone make millions. We have to deeply understand each project we work with to find these application-specific flaws.

The Merkle: Yes, the recent phishing attack on MyEtherWallet is yet another reminder of hackers’ ability to steal funds in this space. What steps do you recommend for securely developing smart contracts?

Guido: Many developers rush into writing Solidity because it looks like JavaScript and that makes it easy and familiar. Before you begin, I recommend closely reading the Solidity language documentation and our “Not So Smart Contracts” reference to learn from others’ mistakes. The language, and this whole field, is a work in progress, so it pays to understand its foundation. As you’re writing code, use the best tools available to ensure that each line is correct: use the latest Solidity compiler and review the warnings, write high-coverage unit tests, fuzz the code with Echidna, and symbolically execute it with another of our tools, Manticore, to verify it works correctly.

If you’re truly writing high-risk code, you should talk to an expert. Even if you’ve run through all the right steps, you need a professional, considering what is at risk. These are still the early days, and most of the development tools are not refined. We invest so much in tools to help make this easier for everyone to get right.

Bugs present in Solidity eliminated from other modern programming languages, from a controversial Trail of Bits presentation titled “Black Hat Ethereum”.

The Merkle: It sounds like, despite its popularity, there are some serious problems around coding in Solidity. Can you explain them?

Guido: Solidity has reintroduced bug classes we’ve mostly ironed out from other programming languages. There’s dozens of problems even languages like C, C++, Go, Rust, and Swift have eliminated, where Solidity is reintroducing them all over again. There’s also a financial cost to everyone when bad Solidity code is run in the EVM; it costs real money (in gas) to run inefficient code on smart contracts. I’m really anticipating a move to WASM (Web Assembly Stacked Virtual Machine).

If WASM replaces the EVM, it would let the community build tooling on LLVM (Low Level Virtual Machine). This would be a huge benefit since LLVM is a vastly more mature compiler toolchain, with support for many languages, optimizations, and analyses that Ethereum could use as well.

Regarding the longevity of the Solidity language itself, I think there was a clear benefit in the early stages of Ethereum to [using] a language built for easy adoption like Solidity. However, now that we’ve seen what’s possible, it’s time to consider a safer, more efficient, and more secure method to build smart contracts.
