
cryptocurrencies,

Bitcoin Cash ABC Is Vulnerable To 51% Attacks

It’s been a couple of days since Bitcoin Cash split into two separate blockchains and the results from the controversial hard fork are mostly negative (if you wanna know why hard forks suck click right here). One of them is the BSV (operated by nChain) and the other is BAB, the brainchild of ABC.

As of writing, both networks are struggling with severe technical difficulties. However, yesterday ABC’s vision of Bitcoin Cash rolled out an update that made things even worse. In short, if miners with bad intentions decide to launch a 51% attack they could easily do so.

The update in question amends the way the mainnet verifies pending transactions. Originally, BAB relied on a classic Proof-of-Work algorithm, but with the recent changes “checkpoints” entered the game. Checkpoints make sure miners validate transactions on the original blockchain, and not on a copycat one. The idea is clearly to protect the network from “deep reorganization attacks”. Put simply, deep reorganization attacks happen when a group of highly-coordinated baddies tricks miners into mining a false blockchain. A successful deep reorganization attack could force the blockchain into nasties such as double spending and reversed transactions.

With the latest software update, every 10th block operates as a checkpoint. That being said, blocks which do not match the checked version of the ABC network will be automatically rejected by miners.

I don’t see why this is bad

Some security researchers voiced their concerns that this opens up space for 51% attacks. If someone takes over 51% of the network’s hashrate they could easily add ten artificial blocks by simply restructuring 9 checkpoint blocks. If this happens at exactly the same time when the network mines its 10th block (which it will assume as “honest”), this could result in a malicious and unplanned hard fork.

According to Eric Wall (as cited by Hard Fork) the arising issues are as follows:

“Since not all information gets propagated over the network at the exact same time, some nodes will see a 10-block reorganization, which they will reject, and others will see a [nine] block reorganization, which they’ll accept. […] The network will then have forked into two, and if there are two exchanges on different forks, it’s trivial for the attacker to sell the same cryptocurrency twice, on both these exchanges, and thus be double-spending.”
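A toy model of the split described in the quote above, added here as an illustration (it is not Bitcoin ABC's code). It assumes nodes follow the longest chain but refuse any reorganization that would discard 10 or more of their own blocks, and it uses block count as a stand-in for proof-of-work; `Node`, `consider` and `simulate` are hypothetical names and the block labels are constructed.

```python
# Added illustration: toy model of a "reject deep reorganizations" rule.
# Not Bitcoin ABC code. Block count stands in for accumulated proof-of-work.
from dataclasses import dataclass, field

MAX_REORG_DEPTH = 10  # assumption from the article: 10-deep reorgs are rejected


def common_prefix_len(a, b):
    """Number of leading blocks two chains share (the fork point)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


@dataclass
class Node:
    name: str
    chain: list = field(default_factory=list)

    def consider(self, candidate):
        """Apply longest-chain plus the depth limit. Returns (accepted, depth),
        where depth is how many of this node's own blocks would be discarded."""
        depth = len(self.chain) - common_prefix_len(self.chain, candidate)
        if len(candidate) <= len(self.chain):
            return False, depth          # candidate does not have more work
        if depth >= MAX_REORG_DEPTH:
            return False, depth          # too deep: treated as final history
        self.chain = list(candidate)
        return True, depth


def simulate():
    # Constructed sample chains: 100 shared blocks, then two branches.
    base = [f"g{i}" for i in range(100)]
    honest = base + [f"h{i}" for i in range(100, 109)]      # 9 blocks past the fork
    competing = base + [f"c{i}" for i in range(100, 111)]   # 11 blocks, so longer

    # Both nodes are honest; they differ only in message arrival order.
    early = Node("early", list(honest))            # sees the competing chain first
    late = Node("late", list(honest) + ["h109"])   # saw a 10th honest block first

    early_result = early.consider(competing)   # 9 blocks deep: accepted
    late_result = late.consider(competing)     # 10 blocks deep: rejected

    # Later the honest branch grows well past the competing one...
    late.chain += [f"h{i}" for i in range(110, 120)]
    # ...but switching back would now be an 11-block reorg for the early node.
    heal_attempt = early.consider(late.chain)

    return {
        "early": early_result,
        "late": late_result,
        "heal_attempt": heal_attempt,
        "split": early.chain != late.chain,
        "tips": (early.chain[-1], late.chain[-1]),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The last step is the one to watch: once the two nodes diverge, the same depth limit stops the early node from rejoining the longer branch, so the split does not heal on its own.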

Other crypto geeks such as Bob McElrath also voiced their concerns.

And to make things worse, it turns out that ordinary mining rigs and $27k are just enough to take the ABC network down.

cryptocurrencies,

The Reason Why Japan Is Regulating Crypto Wallets

The never-ending crypto scams are making the Japanese authorities feel uneasy. Despite being one of the crypto-friendliest countries in the world, Japan is not blind to the risks that come with digital assets.

Earlier this year the industry was granted a self-regulatory status but the officials are still concerned that the baddies might go under the radar. This time they are keeping an eye on cryptocurrency wallets. According to reports, wallet regulatory frameworks are underway. The Japanese Financial Services Agency (FSA) is working around the clock to further improve the digital asset ecosystem in the country.

At the moment the industry is self-regulated but it doesn’t mean that businesses are not listed within the FSA. However, this is valid only for companies offering trading services and as you have guessed, wallets are not falling into this category. Put simply, the FSA assumes that as being part of the regulatory gray area, cryptocurrency wallet providers get the chance of doing all the nefarious things we wouldn’t want them to do. On the other hand, cryptocurrency trade indirectly involves the use of wallets. The latter makes the authorities believe that wallets should feel the strong hand of the law as well.

This is the moment where we should note that the upcoming regulations are most likely referring only to custodial wallets. The concerns are that third parties, which are in charge of customers’ funds, might abuse their power. Having that in mind, the officials do have a point here. Supposedly, the new rules aim to level up security to international standards. Obviously, they aim to cut off illicit practices such as terrorist financing and money laundering. Additionally, wallet providers will have to adhere to KYC policies.

However, it is unclear when the new regulations will take place.

security,

Top 5 Cryptocurrency Scams And How To Avoid Them

As we approach the end of the year, it is time to summarize the past 12 months. But as you know we eat and breathe security and our summary is more like a short guide on fraudsters’ favorite tactics and how to avoid them. As if the bear market was not enough, the cryptocurrency community had to withstand the rise of crypto-related scams. Unfortunately, there isn’t a sole thing that can guarantee you 100% protection. But the good news is that by investing a couple of minutes (and some brain cells) a day, you can stay afloat in the swindle ocean.

So without further ado, here’s the list of cryptocurrency scams that rose to prominence in 2018.

Straightforward hacking

There is nothing fancy about it except the fact that the evilest and most powerful hacking entity is Lazarus. In case you’ve missed the news, Lazarus is the brainchild of the North Korean regime. Yeah, that’s right, the commies have their own hacking entity, which is believed to be behind the infamous Coincheck hack.

Kaspersky Labs has been closely following Lazarus over the years and has warned that it is already building a brand new malicious software aimed to take on Linux. The cybersecurity company states:

“It would seem that in the chase after advanced users, software developers from supply chains and some high-profile targets, threat actors are forced to develop Mac OS malware tools. The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.”

Lazarus has become notorious for penetrating Windows and Mac systems, fintech companies, exchanges, and whatever comes to your mind. Since the group is not kidding we believe that the smartest thing to do is to refrain from using online wallets. It would be much better to go for a hardware wallet instead. If you are not sure why, check our cryptocurrency wallet guide.

Bitcoin blackmailing

While blackmailing is a classic move, it wasn’t until that summer that it became a thing in the crypto world. Here is how it goes. You open your email and there is suddenly someone telling you they know your password (which they do) and have photos of you doing your thing while watching those nasty movies (which is most likely a false claim). The bad actors tell you that if you don’t pay a certain amount of Bitcoin, they will send all of your “Oh” photos to your contacts.

But don’t panic. While the baddies might indeed have some of your passwords it doesn’t mean that they know something about you, nor do they have any photos. These are just randomly sent emails, which rely on recipients’ fears. For your own safety, it is better to change passwords and cover your laptop camera. However, you can always check how the culprits got your password using this search engine.

Did I fail to mention not to pay the ransom? Well, don’t! Those fuckers don’t deserve a penny. Do not respond to their email either.

Botnets

These are designed to spread malware all over the internet and infect websites, computers, servers, etc. Once the baddies infect their targets, they can control them directly and pull all sorts of nasty tricks. Luckily, the cybercriminals are often using them for cryptojacking purposes, which you can easily block by using the right browser extensions.

In worst-case scenarios, you might be tricked into downloading malicious files. Despite that, a top-notch antivirus should be able to handle the situation.

Social engineering

Some culprits prefer to do it the old-school way. Unfortunately, social engineering and phishing still work surprisingly well. According to Kaspersky, over 100,000 malicious pages have been used to redirect traffic to authorization pages of renowned exchanges like Bittrex, Binance, and Kraken. Of course, these are just copycats aiming to steal your credentials. And even EtherDelta users ate some phish (pun badly intended) earlier this year.

Kaspersky elaborates:

“Scammers also try to use the speculation around cryptocurrencies to trick people who don’t have a wallet: they lure them to fake crypto wallet sites, promising registration bonuses, including cryptocurrency. In some cases, they harvest personal data and redirect the victim to a legitimate site. In others, they open a real wallet for the victim, which is compromised from the outset.”

Sadly, the only way to protect yourself from phishing and social engineering is to be extra cautious when typing private seeds and passwords. Plus, it is advisable to enable two-factor authentication (a.k.a. 2FA) just in case.

Fake wallets

Google Play and Apple’s AppStore are plagued with copycats of legitimate cryptocurrency wallets. Always pay extra attention to tiny details such as publisher, publishing date, number of downloads, etc. In addition, do your research before installing a mobile wallet and double-check its rating and reviews. And as always, please don’t go for wallets that offer you some free tokens upon registration; you’ll thank me later.

cryptocurrencies,

Ledger Adds IOTA Integration

The non-profit IOTA Foundation announced last week that it has partnered with Ledger, one of the leading cryptocurrency wallet manufacturers. The partnership will see IOTA tokens integrated into Ledger Nano S, the flagship model of the cold wallet giant.

For the uninitiated, Ledger Nano S is by far one of the most secure hardware wallets on the market. Its one and only goal is to protect private keys giving you access to your cryptocurrency funds. Now that Ledger has added support for IOTA, it practically allows IOTA hodlers to store their tokens within Ledger Nano S. What’s even better, Ledger smoothly integrates with IOTA’s native Trinity Wallet and Romeo Wallet. Put simply, IOTA lovers can add yet another layer of security by isolating the keys to their accounts from the internet. The integration between Trinity/Romeo and Ledger means that users can verify IOTA transactions on their Ledger Nano S hardware device.

Eric Larchevêque, the CEO of Ledger, said regarding the partnership:

“Providing the highest level of security and quality is a major focus at both Ledger and IOTA. The collaboration between the teams created an immediate synergy concentrated on developing a compatibility feature allowing users to access, store and manage IOTA tokens on Ledger devices. We are thrilled to welcome IOTA onto the Ledger platform.”

Ledger differs from other cold wallets in many ways. It runs on top of its native BOLOS operating system, which in turn utilizes an EAL5+ certified secure chip. To get an idea of how secure this chip is, we have to tell you that credit/debit card issuers, as well as passport issuers, use the very same type of chips. This secure chip is able to store and manage data and applications in accordance with a pre-established set of rules. In short, hackers will have a very hard time compromising it.

“Hardware wallets are regarded as the safest way to store cryptocurrencies. At IOTA, we made a commitment to delivering the safest and most usable standalone cryptocurrency wallet. The Trinity wallet is well on its way to fulfilling that commitment, and today we are proud to announce the next step on the journey. Ledger has earned a strong reputation for security and reliability, and this made it a natural choice for integration with Trinity. We are proud of how our community, the IOTA developers and the Ledger team have worked together to make this possible,” the co-chair and co-founder of IOTA Foundation, David Sønstebø, elaborated.

security,

Malware Found In CoinTicker App

To say that cryptocurrency trade in 2018 is a stressful activity would be a major understatement. Apart from keeping an eye on the market, one should also pay attention to the security or see their tokens vanish out of thin air.

I guess that many of you rely on cryptocurrency ticker apps to stay up-to-date with the current market situation, and to seamlessly monitor your crypto holdings. Yeah, I know that price fluctuation can be really intimidating sometimes but as I said before, you gotta have balls.

Now straight to the point, one guy sounded the alarm in the Malwarebytes forum, when he revealed some ticker apps installing unknown software on users’ devices. There seems to be something concerning about the macOS CoinTicker app. It looks like it installs two “open-source backdoors: EvilOSX and EggShell.”

As of writing, nobody has uncovered what these two malware pieces do with your (and our) machines. Nevertheless, Malwarebytes suspects that these are backdoors that could be the exit for your tokens. Put simply, security researchers believe that since this malware lies within a cryptocurrency app, its most likely task is to compromise your security and allow the bad actors to steal your fortune.

What makes this app perfect for setting up backdoors? It does not ask for access to root and administration privileges. Since after installation CoinTicker only shows cryptocurrency prices, there is nothing that can make you suspicious that something is wrong.

This is not the first time we see fraudsters come up with innovative ways to con reckless crypto geeks. This is especially true when talking about cryptojacking. There is no evidence that the above-mentioned pieces of malware are crypto mining scripts but do refrain from using CoinTicker at least for now. Of course, it is always better to be cryptojacked than being robbed. Luckily, you can always store your tokens in a cold wallet and give the baddies the finger.

security,

Stay Ahead Of Cryptojackers With This Simple Guide

The regular cryptocurrency trader is rather familiar with the variety of threats that lurk in the space. However, newbies and seasonal traders might be less educated about the industry and this makes them easy targets. The baddies are good at pulling all sorts of nasty tricks and we have to say that getting conned is not that difficult.

Many of the community members pay attention to the market before purchasing or selling their tokens. That’s good, what’s even better is using a hardware wallet. Nevertheless, we somehow seem to neglect cryptojacking as an emerging threat. Click here, to learn more about cryptojacking. In short, cryptojackers steal your computing power to mine cryptocurrencies. Unfortunately, this might make your device completely unusable. If you want to understand whether you have been cryptojacked and how to protect yourself, keep reading.

Is my device cryptojacked?

The easiest way to detect the symptoms of the cryptojacking fever is to check whether your device is running hot and whether there is a strange noise coming from it. Mining cryptocurrencies uses a lot of your CPU power, meaning your device will be much noisier and hotter than usual. Your other options include checking your resource monitor. Open Task Manager on Windows by pressing Ctrl + Shift + Esc, and if you are using a Mac, search for Activity Monitor.

If you believe your CPU shouldn’t be working at full capacity but it is… Well, you’ve been cryptojacked. Alternatively, you can always use Opera’s Cryptojacking Test even if you work with another browser.

Cryptojacking protection

Since cryptojackers are becoming extra creative in recent months, you should always pay attention to the files and updates you download. However, the most common method they rely on is to embed malicious code in websites and Wi-Fi networks. But don’t worry. There is always a way to block the code. Most of the internet browsers already have extensions designed to keep the bad actors away. We guarantee you that minerBlock, NoCoin, Coin-hive Blocker will protect your Chrome. Firefox has its own version of minerBlock and NoMiner.

To level up your security it is advisable to use a prominent antivirus, which protects you against cryptojacking among other nasties. Perhaps the most troublesome scenario is when the culprits infect a router or a network of routers. Unfortunately, it is much harder to identify this type of attack. This is why we advise you to regularly update your router’s firmware.

Exchanges,

Mintpal Hack Took Place Exactly 4 Years Ago

Those of you who have been around in the crypto thing probably remember that exactly four years ago, we witnessed one of the most notorious hacks in the history of digital assets.

Back in 2014, there was an exchange called Mintpal and to say that it had a rough year would be a major understatement. First, it came to life in February and according to statements from its developing team it had two major goals in mind – ultra fast support and the best UX possible. Every month Mintpal added new assets, the most popular among them. These tactics proved to be working pretty well since at one point it was one of the most well-known exchanges offering altcoins.

However, on July 13 someone conducted an attack on a Vericoin wallet and successfully ran away with 8,000,000 Vericoin tokens. Back then that was worth $2 million and the number of tokens stolen was roughly 30% of the circulating supply. What’s the moral of the story? If you keep your tokens in a hot wallet (like Mintpal did) you are an easy target.

The culprits tried to drain Bitcoin and Litecoin wallets as well but this time Mintpal was clever enough to store its Litecoin and Bitcoin supplies in cold wallets. If you are new to cryptocurrency and you are not familiar with the types of cryptocurrency wallets, refer to our Ultimate Guide to Cryptocurrency Wallets.

At around the same time, Alex Green’s Moolah (officially known as Moopay LTD.) acquired Mintpal. The idea was for Mintpal to act as the main altcoin exchange for Green’s then operating platform. Unfortunately, Mintpal was just born with bad luck. In late October, the exchange suffered another attack and as a result, 3,700 Bitcoins vanished out of thin air.

Surprisingly, the community later revealed that it was actually Alex Green, the CEO of Moolah, who staged the whole thing. At that time, the stolen Bitcoins were worth $1,500,000. Thankfully, three years later, in 2017 the authorities launched a criminal investigation, which is still going.

What’s the moral of the story? You cannot trust an exchange but you can trust a cold wallet. In fact, this is more relevant than ever since in 2018 the cybercriminals have stolen $833 million worth of crypto. Get your Trezor, KeepKey, or Ledger now and show them the finger!

 

cryptocurrencies,

Off-Grid Bitcoin Transactions Are Getting Traction

You need to just peep in our blog to realize we take crypto security seriously. We often tend to discuss interesting and intriguing topics such as exchange hacks, wallet hacks, cryptojacking, and virtually all things crypto. Today we are not doing that. Or at least we’ll do our best not to. Today we are going to talk about a guy from New Zealand who managed to conduct a Bitcoin transaction without using the web and without plugging into the grid. Are you getting curious?

So how does the magic happen?

Yeah, you’ve read it right: no internet, no electricity, Bitcoin transaction made possible. An extra creative dude from New Zealand used low-cost equipment to send Bitcoin more than 12km away.

His hardware included four goTennas and a cheap $30 Android phone. GoTennas are tiny devices that the adventurers among you are familiar with. They pair with smartphones via Bluetooth and can send data between each other with the help of the old-school radio waves. The problem is that goTennas work best outdoors, thus limiting off-grid transactions to vast areas or the next Zombie Apocalypse.

Coinsure (that’s the dev) placed the antennas six kilometers in higher ground. He then put Samourai wallet in action to generate and verify his Bitcoin transaction. The goTenna messaging platform successfully recorded it as a message and transferred it to the smartphone of the dev’s girlfriend (sorry girls, that clever dude is not single).

As simple as it sounds, off-grid transactions have the potential to completely transform the way we think about communication and obviously, cryptocurrency. Just imagine that governments fail to properly regulate the industry and decide to ban digital assets worldwide. We can practically migrate to off-chain/grid/web/whatever transactions and run an independent network. As far-fetched as it sounds, we should explore this opportunity and develop an off-grid ecosystem that can handle large-scale transfers.

Sounds exciting, doesn’t it? Though I cannot help but ask “How do you secure goTennas?”.

security,

Cryptojackers Get Super Creative – Infected Updates Are Now Viral

Cryptojackers are here to make fun of legitimate app developers and to make some money along the way. Since everything in technology changes, the cyber culprits are not going for infecting Wi-Fi networks, Amazon Fire TVs, and random websites with Coinhive. These days they are delivering the change by compromising otherwise legitimate Adobe Flash Players.

In fact, it is the old-school Trojan horse tactics but hey, old-school always works. In short, when you download the latest Adobe Flash Player update, you get an XMRig bot, which is here to hijack your computing power and mine some Monero for the bad boys.

[Image: cryptojacking. Source: Palo Alto Networks]

The first to uncover the mining malware was the cybersecurity entity Palo Alto Networks. Indeed the corrupted Flash updater has been circulating the internet since the beginning of August. Apart from getting the “newest” Flash Player, you get the “newest” mining malware installed in the background, silently making profits for someone else. The chances are many users are unaware of the fact that they have been cryptojacked. While they may experience system outages, slow and impaired performance, those who are not familiar with crypto malware may have a hard time figuring out what is wrong with their devices.

The cybersecurity researchers have stumbled upon 113 files dubbed “AdobeFlashPlayer”. But the catch is, none of them are stored on Adobe-owned servers. Palo Alto Networks suggests that the cryptojackers have used bogus URLs to redirect their potential victims. One question remains, however: how and why did users reach these URLs?

While the analysis of the URLs showed no signs of something suspicious, after the installation process the mining bot immediately connects to a Monero mining pool and starts doing its thing.

“Because of the legitimate Flash update, a potential victim may not notice anything out of the ordinary. Meanwhile, an XMRig cryptocurrency miner or other unwanted program is quietly running in the background of the victim’s Windows computer,” reads the post.

security,

Google Restricts Third-party Apps From Using Sensitive Data

Traders from all walks of life know that storing cryptocurrencies in a mobile wallet is bad, bad, bad. There are hundreds of reasons one should refrain from hot wallets in general but mobile wallets are easily the most vulnerable of them all.

It’s not only that there are copycat applications that impersonate legitimate apps. The problem is that even “legitimate” apps sometimes do get compromised. And when that happens, oh boy… You can only hope you are fast enough to relocate your tokens. Indeed, hackers manage to corrupt mobile applications much more often than you think.

This is the reason why Google has revamped their Apps Policy. In a blog post published on Monday, the tech giant clarifies that apart from shutting down its social media Google+ it will also give users more power to decide what data they share with third-party apps. This puts the power back in users’ hands. From now on, when you install an app you can specifically choose what you share with it and what you don’t. This means that you can restrict camera, photos, docs, and calls access.

What does it mean for crypto geeks?

It means that in case you still want to store some tokens in a mobile wallet, they are just a little better protected now. The new app update doesn’t prevent future hacks but it still levels up security. You should be careful how you handle your sensitive data such as passwords, PINs, 2FA, etc. The good news is that even if the bad guys sneak into your phone through a (supposedly compromised) app, they would not be able to access your docs, notes, etc. if you have explicitly restricted the app in question from using them.

Google says:

“Only an app that you’ve selected as your default app for making calls or text messages will be able to make these requests. (There are some exceptions—e.g., voicemail and backup apps.).”

Yeah, not necessarily a problem solver but still better than the previous data policy we would say. You never know when the bandits are coming for you, so you’d better go for a cold wallet instead.