Trezor Just Added Two Outstanding Features

There is a reason why everyone loves Trezor. Apart from being one of the most secure hardware wallets along with Ledger and KeepKey, Trezor never fails with creativity. The guys working for Satoshi Labs do not care about security only. They know that a great wallet is more than just a cold storage. It has to be convenient, user-friendly, and super easy to use. This is why they develop web applications as well.

Trezor Wallet Exchange

Since Monday (October 22) there has been a built-in Exchange feature on the Trezor Wallet site. Put simply, users can seamlessly hop between different digital assets without even having to leave the Wallet website. What’s even better is that the interface allows you to initiate, stop, or monitor the whole exchange process in real time.

However, Trezor notes:

The exchange feature is provided by various third parties; SatoshiLabs bears no responsibility for the process, exchange rates, fees, or functionality. In this initial release, we have decided to cooperate with ShapeShift and Changelly. Trezor Wallet will always operate without KYC, as the Wallet or your Trezor device are not custodial. If the exchange providers decide to enact KYC, registration, and verification will be done by them. Your personal information will not be processed by Trezor Wallet / SatoshiLabs, nor will it ever be requested by the company. Customer support for exchanges will be serviced by the partners.

Obviously, Trezor has partnered with Changelly and ShapeShift, which are two of the most prominent names in the business. Both companies have proven that they are trustworthy.

Trezor Password Manager

Isn’t it fascinating how Satoshi Labs always build their Trezors with something in mind? With the new Trezor Password Manager browser extension you can turn your cold storage into a password manager as well. We know that having a strong password for each and every account may be a challenging task and boy, we are happy that Satoshi Labs have finally approached this problem.

So how does it work? You install the Password Manager app and plug in your hardware device (your Trezor model doesn’t matter). Then you manually type your passwords and their relevant URLs. Your Trezor encrypts this data, generates a unique private seed and puts your data in a cloud such as Google Drive or Dropbox. I know that you are already raising your eyebrows but hey, Trezor has got your back. Only your device can decrypt it using your private seed. Simply put, even if someone sneaks into your Google Account your passwords are as safe as your tokens.

The next time you want to log in to Facebook (or anywhere else) you just have to open the website, plug in your Trezor and press alt+shift+F. Voila! You are ready to go.


How To Protect Your Cryptocurrency In 1 Single Step

If you haven’t noticed so far, we are often bitchin’ about security here. And while there are some things that are out of your control (like hacker attacks), others are up to you. For example, talking about how much Bitcoin you own is a bad idea. Doing this in public is even worse because you can easily draw the attention of any fraudsters nearby. Your bragging is music to their ears as they start to see you as a target.

In case you don’t believe us, consider this – a Google executive who specializes in fighting email fraud recently discussed the matter in a chat with CNBC. Mark Risher explained that people who like to talk about their cryptocurrency fortunes in public often fall victim to email hack attempts.

“It could just be a case of mistaken identity or guilt by association,” he said, adding that cybercriminals can easily find your email. He explained that they often monitor social media accounts and target people who are smart enough to reveal they own some tokens.

“They could be using someone who seems to be low value to pivot toward somebody considered a higher value target, like somebody political in nature. Or maybe they saw that you were discussing Bitcoin on a public message board.”

Another bad idea is to use one and the same email address to both log in to social media and back up your cryptocurrency wallet. It is a piece of cake to check somebody’s email on Facebook and then hack it, reset its password and do some other nasties.

Fraudsters are getting smarter

While you are unlikely to fall for the ancient “Nigerian Prince” scam (we hope so) the bad boys often do their research pretty well before contacting you. They might be impersonating someone you know and trust.

“You might think of this generic ‘Dear Sir or Madam, I am contacting you to ask you for a favor,’ but the truth is many of these attackers have done some serious research on their victims. So you might get what we call ‘social truth’ in your message,” Risher adds.

The point here is, don’t talk about crypto. Neither in public nor on social media. Use several email addresses and take extra care when dealing with those connected to financial services. Level up your passwords and PINs to further enhance your protection.


A Crucial Bug In Monero Could’ve Resulted In Millions Lost

Monero might be one of those cryptocurrencies that care about user anonymity, but it turns out Monero was vulnerable to hacks too. Well, until now, according to its core development team. Today the devs made the news by revealing that a severe security flaw had gone unnoticed.

An excerpt from the bone-chilling blog post reads:

“The bug basically entails the wallet not providing a warning when it receives a burnt output. Therefore, a determined attacker could burn the funds of an organization’s wallet whilst merely losing network transaction fees.” Further adding, “In sum, a bug in the wallet software allowed a determined attacker to cause significant damage to organizations present in the Monero ecosystem with minimal cost. Fortunately, the bug did not affect the protocol and thus the coin supply was not affected.”

How does it happen?

We are not going into details here, but just like the Bitcoin and Ethereum networks, the Monero blockchain can also “burn” its own tokens. When similar or identical stealth addresses settle transactions between each other, the Monero mainnet is programmed to allow only one “correct” transaction. It considers the remaining transactions fake and “burns” them. The burnt XMR tokens become unusable, as they are neither removed nor replaced with new tokens.

However, security researchers recently discovered that a hacker might exploit this to smuggle tokens directly out of external wallets and third-party apps.

The disclosure explains that the bad guys can generate a private key and then adjust it in such a way that it redirects funds to a certain public address (let’s say a wallet on an exchange), which is the same as the stealth address (which they control). The attackers then send a thousand transactions of one XMR each to the exchange wallet.

What happens then? The blog post outlines, “Because the exchange’s wallet does not warn for this particular abnormality (i.e. funds being received on the same stealth address), the exchange will, as usual, credit the attacker with 1000 XMR. The attacker then sells his XMR for BTC and lastly withdraws this BTC. The result of the hacker’s action(s) is that the exchange is left with 999 unspendable/burnt outputs of 1 XMR.”
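The missing warning the Monero post describes, as an added example (not Monero’s own wallet code): a receiving wallet that treats a second output to an already-seen one-time (stealth) address as burnt instead of crediting it. The deposit lists are constructed for the example.

```python
"""Added example (not Monero's own code): the check a receiving wallet should make
so that a second output to an already-seen one-time (stealth) address is reported
as burnt instead of credited. The sample deposits below are constructed."""
from decimal import Decimal


def audit_outputs(outputs):
    """Classify received outputs as spendable or burnt.

    `outputs` is a list of (one_time_address, amount) pairs in scan order.
    Only the first output to a given one-time address is spendable; any later
    output to the same address maps to the same key image and can never be
    redeemed, so it is burnt. Returns (spendable, burnt, warnings).
    """
    seen = set()
    spendable = Decimal(0)
    burnt = Decimal(0)
    warnings = []
    for one_time_address, amount in outputs:
        amount = Decimal(str(amount))
        if one_time_address in seen:
            burnt += amount
            warnings.append(
                f"duplicate one-time address {one_time_address}: "
                f"{amount} XMR received but NOT spendable"
            )
        else:
            seen.add(one_time_address)
            spendable += amount
    return spendable, burnt, warnings


def credit_deposit(outputs):
    """Compare the naive credit (sum of all outputs) with the safe credit."""
    spendable, burnt, warnings = audit_outputs(outputs)
    naive = sum(Decimal(str(amount)) for _, amount in outputs)
    return {
        "naive_credit": naive,      # what the unpatched wallet would credit
        "safe_credit": spendable,   # what the exchange can actually spend
        "burnt": burnt,
        "warnings": warnings,
    }


# Constructed attack: 1000 deposits of 1 XMR that all land on one reused address
ATTACK_DEPOSITS = [("CONSTRUCTED_REUSED_ADDR", 1)] * 1000

# Constructed honest deposits: every output has a fresh one-time address
HONEST_DEPOSITS = [(f"CONSTRUCTED_FRESH_ADDR_{i:04d}", 1) for i in range(3)]


if __name__ == "__main__":
    for label, deposits in (("attack", ATTACK_DEPOSITS), ("honest", HONEST_DEPOSITS)):
        report = credit_deposit(deposits)
        print(label, "naive:", report["naive_credit"], "safe:", report["safe_credit"],
              "burnt:", report["burnt"], "warnings:", len(report["warnings"]))
```

Run stand-alone it prints 1000 naive versus 1 safe for the attack list, which is the 999 unspendable outputs the post counts.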

The Monero developers insist they have contacted major exchanges and offered their help in fixing the problem. In fact, they have released and sent a private patch to exchanges. We must all thank the Monero community members who voiced their concerns about the potential attack on Reddit. It helped the development team investigate and review the code before someone had managed to pull a nasty trick.

In conclusion, the announcement reads, “this event is again an effective reminder that cryptocurrency and the corresponding software are still in its infancy and thus quite prone to (critical) bugs.”



Crypto Thefts In Japan Triple In H1 2018

According to the Japanese media The Asahi Shimbun, the number of cryptocurrency thefts has tripled over the first half of 2018. Japan is one of the leading crypto markets but it looks like it has a hard time keeping cybercriminals away. The National Police Agency (NPA) reports that compared to the same period last year, the number of hacks has grown immensely.

In 2017, the authorities registered fewer than 60 cases, while this year there are 158 and counting. Unsurprisingly, Bitcoin leads the race. The number one cryptocurrency seems to be the most targeted, as it was the prime subject of the attacks 94 times. Bitcoin thefts amount to 860 million yen stolen. Second comes Ripple’s XRP, which was targeted 42 times. The bad guys snatched 1.52 billion yen worth of XRP in the first six months of the year. Surprisingly, Ethereum was the prime target in just 14 cases, which however resulted in 60 million yen in losses.

Of course, tens of altcoins have been compromised as well. NEM (XEM) for example made the news during the infamous Coincheck hack.

“More than 60 percent of all cases, or 102 incidents, involved individuals who used the same ID and password for their e-mail account and other Internet services, such as online shopping, for cryptocurrency dealings,” read the police report.

In total, the Japanese market lost over 60.50 billion yen (roughly $540 million) in the first half of 2018. In contrast, for the same period last year, the cyber thieves had stolen a mere $5.5 million. We should note, however, that since the Coincheck wrongdoing the officials have introduced stricter regulations. The NPA is monitoring whether exchanges comply with KYC and AML policies, while the Financial Services Agency has investigated many of the domestic exchanges.

Though in general, the number of crypto thefts declined after March, the culprits still managed to steal $60 million from Zaif earlier this week.



Fake EOS Tokens Flood A Fake Decentralized Exchange, $60k Stolen

If you think your tokens are safe in an exchange, you are wrong. If you think trading through an exchange is safe, you are wrong again. If an exchange claims it is decentralized, well it doesn’t mean it really is. So why am I bitching about this again? Well, partly because crypto security is an evergreen topic and partly because somebody somehow exploited exchange vulnerabilities once again.

Pssst, kid! Wanna buy some EOS?

It seems like EOS troubles have no end. The startup did raise $4 billion from institutional investors to challenge Ethereum and virtually every couple of days we see hackers chewing off bits of EOS and spitting them in investors’ faces.

The EOS protocol allows everyone to create a token and name it whatever they like. Yes, “EOS” is just the perfect name and it’s free, ya know. Thanks to this smart move from the real EOS engineers, the baddies “developed” an EOS-based token, named it “EOS” and flooded one particular “decentralized” exchange with copycats. One billion fake tokens to be exact. And do you know what’s worse? By the end of the perfectly staged attack, the culprits smuggled some $58,000 from ordinary traders.

Decentralize this!

Probably, this is the most hackless hack in the history of hacks and here’s why. The bad boys never really had to hack the exchange, because it doesn’t utilize smart contracts and it is not even decentralized. They purchased some altcoins with their fake EOS tokens and then exchanged them for the real EOS equivalent, which they siphoned through Bitfinex.

Newdex (the “hacked” marketplace) said in a statement:

“EOS account oo1122334455 issued 1,000,000,000 fake EOS tokens. After testing the feasibility of the attack, the account began to place large [buy orders]. A total of 11,800 fake EOS orders were issued to purchase BLACK, IQ [sic] and ADD.”

Thanks, Captain Obvious! Now, since there is no smart contract to verify the authenticity of the tokens it receives, anyone can send anything and fool the system. In other words, Newdex is not a decentralized exchange. It is just a single account that conducts the transactions, pretending to be an asset exchange. Ha-ha-ha, very smart. It turns out traders were just sending money to a personal EOS account, hoping it would settle their transactions accordingly.

In fact, the crypto community smelled that something wrong was going on days before the attack:

“Unlike a real DEX, they do not have a smart contract that holds funds / handles order matching on-chain. Instead, they match all orders off-chain in a centralized server. […] What’s worse, they deceptively present Scatter as the login and trading interface, so you feel like you’re using a DEX. In reality, you aren’t sending funds to any smart contract, it’s just a regular EOS account they own ‘newdexpocket’, that doesn’t even have a smart contract running on it. […] This means there’s no smart contract or ABI on that account. Essentially all you are doing when you submit an order from their interface is sending your funds to their personal EOS account and hoping they return you the tokens you’re buying/selling.”

Well, I have nothing more to add, this whole fiasco has really blown me away. And remember, stay off of Newdex.


Ledger Wins “Startup of the Year” Award In France

Apart from being one of the most renowned cold wallet manufacturers, Ledger is one of the most praised. The French startup has built a dedicated community of customers, but it’s not only regular users that give kudos to Ledger; global businesses do too.

The international accountancy heavyweight EY awarded Ledger its annual Startup of the Year Award for the Ile-de-France region. EY annually runs a competition in which France’s best performing new companies lead the race. There are three main categories in the Le Prix de l’Entrepreneur de l’Année – best entrepreneur, best social commitment, and best startup.

Surprisingly or not, in a year heavily dominated by cyber attacks, a cryptocurrency business won one of EY’s awards: the accountancy firm gave the Startup of the Year Award for the Ile-de-France region to Ledger.


In the next round, Ledger will face eight other startups from various fields and only one of them will grab the major prize. According to Forbes, in 2017 the French company sold over one million hardware wallets, netting close to $29 million in profit.

Why is Ledger any different?

It’s not that researchers have never found vulnerabilities in Ledger devices. This has happened to virtually everyone in the business. Unlike others, Ledger is always quick to address the issue, communicate, and even work together with its users.

Fortunately, when some security experts pointed to a possible Ledger Nano S hack, it turned out that the case was rather extraordinary (check the linked article for more info). In a real-life situation, when you purchase your Ledger device directly from the company or from pre-approved resellers, you can be sure your coins are safe.



Cryptojacking Attacks Seem To Have No End

One can only imagine the scale of the latest cryptojacking attack. The trend of stealing internet users’ computing power to mine cryptocurrencies shows no signs of slowing down. In fact, it is quite the opposite: cryptojackers are getting smarter and more creative than expected.

A group of cybersecurity researchers has stumbled upon 3,700 routers that silently run cryptocurrency mining scripts. These particular routers had not been infected before, but it looks like the internet cowboys have changed that. This brings the total number of compromised devices to 280,000. What is more concerning is the fact that just three months ago this number was 200,000. Read between the lines, babe: roughly 888 devices are being hacked every day. That makes 37 hacks per hour. Yet some dare to say cryptojacking is unprofitable.

The recent discovery just proves that the attack that took place in Brazil one month ago is not over yet. Back then the culprits performed a “zero-day attack” on MikroTik routers, successfully compromising 200,000 of them. Prior to the attack, no one was aware of the existing vulnerabilities. As always, CoinHive was the software injected into the routers, allowing the hackers to effectively mine Monero.

CoinHive is the most notorious piece of code on planet Earth in recent months. It is super popular among hackers as it is easy to use as well as effective. So far, the online criminals have infected AdSense banners, websites, Wi-Fi networks, and routers. Once a network (or a website) starts running CoinHive, the script hijacks computing power from users’ devices and mines Monero.
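What a defender can look for in pages served through such a router, as an added example (not code from the research cited above): a scanner that flags the CoinHive library include and the miner constructor in HTTP response bodies and groups hits by site key, since one key means one campaign. The HTML samples and the 192.0.2.x addresses (documentation range) are constructed.

```python
"""Added example (not from the cited research): flag CoinHive indicators in
HTTP response bodies and correlate infected hosts by site key. Samples are constructed."""
import re

# CoinHive's public library URL and its in-page miner API, as they appeared in pages.
LIBRARY_RE = re.compile(r"coinhive\.com/lib/coinhive(?:\.min)?\.js", re.I)
MINER_RE = re.compile(
    r"new\s+CoinHive\.(?:Anonymous|User)\s*\(\s*['\"]([^'\"]+)['\"]", re.I
)


def scan_html(body):
    """Return a list of findings (indicator, offset, optional site_key) for one body."""
    findings = []
    for m in LIBRARY_RE.finditer(body):
        findings.append({"indicator": "coinhive library", "offset": m.start()})
    for m in MINER_RE.finditer(body):
        findings.append({"indicator": "miner constructor", "offset": m.start(),
                         "site_key": m.group(1)})
    return findings


def scan_responses(responses):
    """Scan {url: body}; group infected URLs by the site key the miner pays out to,
    so many hosts behind one injecting router show up as a single campaign."""
    report = {"infected": {}, "site_keys": {}}
    for url, body in responses.items():
        findings = scan_html(body)
        if findings:
            report["infected"][url] = findings
        for f in findings:
            if "site_key" in f:
                report["site_keys"].setdefault(f["site_key"], []).append(url)
    return report


# Constructed samples: a clean page and the same page with the miner injected
CLEAN_PAGE = (
    "<html><head><script src='/static/app.js'></script></head>"
    "<body><h1>Router login</h1></body></html>"
)
INJECTED_PAGE = (
    "<html><head>"
    "<script src=\"https://coinhive.com/lib/coinhive.min.js\"></script>"
    "<script>var miner = new CoinHive.Anonymous('CONSTRUCTED_SITE_KEY_0001');"
    "miner.start();</script></head><body><h1>Router login</h1></body></html>"
)
SAMPLE_RESPONSES = {  # constructed: two hosts behind the same injecting router
    "http://192.0.2.10/": INJECTED_PAGE,
    "http://192.0.2.11/": INJECTED_PAGE,
    "http://192.0.2.12/": CLEAN_PAGE,
}

if __name__ == "__main__":
    result = scan_responses(SAMPLE_RESPONSES)
    for key, urls in result["site_keys"].items():
        print(f"site key {key}: {len(urls)} infected host(s)")
```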

One study even suggests that cryptojackers literally earn $250,000 per month. If you want to learn more about cryptojacking, click here.

Unfortunately, cryptojacking is not the only tool the bad guys rely on. We have to fear Android Banker as well. It is a Trojan horse which effectively circumvents two-factor authentication (2FA) and thus steals usernames and passwords. Hackers primarily use it against banking apps and have already compromised 200 applications in 2018 alone.

Never ever download and trust applications from unknown sources. You will thank me later.


Lack Of Regulation Would Kill The Crypto Market

Philipp Maume and Mathias Fromberger from the Technical University of Munich recently published a paper in which they discuss the initial coin offerings market and its regulation. The authors argue that European law should treat tokens launched and promoted via ICOs as securities.

The paper, titled Reconciling US and EU Securities Laws, further implies that EU regulators can simply follow the course set by the US Securities and Exchange Commission. The authors clearly state that there should be a clear regulatory framework regarding cryptocurrencies and ICOs in the European Union.

An excerpt from the paper reads:

“It is our view that investment tokens (including hybrid tokens with some investment functions) are ‘transferable securities’ under Directive 2014/65/EU on Markets in Financial Instruments.”

Maume and Fromberger note that a token running on a blockchain is considered a security if it is “transferable, negotiable, and standardized,” according to the EU. Blockchains do exactly that – by using public and private keys they transfer tokens between senders and receivers.

The EU explicitly gives an answer to the term “negotiable”. In fact, if an exchange lists an investment token it instantly becomes negotiable. Hybrid tokens also fall in this category. The only kind of token that cannot be deemed a security is the one that acts only as a payment method. Having said that, we can easily agree that ICO associated tokens are indeed securities. In addition, we can all agree that developers do use standards when building cryptocurrencies.

Unified crypto regulation

The authors point out that if there isn’t one global regulatory framework, the market is going to die in the near future. The researchers emphasize that we are already “racing to the bottom”. This term is often used to describe a situation where different nations are all trying to be at the forefront of something in particular and are ready to drop taxes and regulation in order to attract businesses. However, this usually impacts the quality of the industry in a negative way.

In fact, we are already witnessing companies hopping from one country to another, regardless of whether we are talking about exchanges, ICOs, fintech startups, wallet providers, or cryptocurrency miners. Not to mention that launching a cryptocurrency token is extremely easy. The paper notes that “less than 100 lines of code seem to be typical in the industry,” implying that via platforms like Ethereum everyone can set up their own token.

Should we note that the cryptocurrency industry is full of shitcoins? Should we say again that we need quality, not quantity?



Bittrex Delists Bitcoin Gold

Hey, are there any Bitcoin Gold hodlers out there? We got some news for you – Bittrex is delisting Bitcoin Gold from its platform. The reason for this unexpected turn of events is that the popular Bitcoin hard fork has been subject to a variety of hacker attacks in recent times.

In fact, the internet bad boys managed to snatch some $20 million worth of BTG. If you remember, the online pirates hijacked enough computing power to control 51% of the total hash power in May. Back then, Bittrex was one of the exchanges that suffered from the attack. During the fiasco, the culprits stole over 388,000 BTG, which at that time was worth roughly $18 million. They ultimately abused exchanges, tricking them into transferring more coins than necessary thanks to a method called “double-spending”.

Though it never became clear how much Bittrex had lost during the attack, according to the Bitcoin Gold developing team, the exchange asked for a 12,000 BTG ($255,000) compensation. It later posted an official statement, an excerpt from which reads:

Bittrex informed us that they make this decision because the BTG team would not “take responsibility for our chain,” and that taking responsibility meant paying Bittrex 12,372 BTG to cover the loss they incurred. They later informed us they would cover part of the loss from their own BTG reserves and requested we pay the remaining ~6,000 BTG ($127,000), and that if we did not, we would be delisted.

Unfortunately, the case only goes to show that blockchain technologies are not as safe as we think they are. The BTG team refuses to take the blame and instead claims that it is the Proof-of-Work algorithm powering Bitcoin Gold that failed.

The Bitcoin Gold team is not responsible for security policy within private entities like Bitrex [sic]; those who earn revenue running a private business must manage the related risks and are ultimately responsible for their own security.

This is not the first time Bitcoin Gold has taken a blow due to a hacker’s attack. Last year, someone developed a fake BTG wallet, successfully stealing $3.3 million worth of BTG. Whether Bittrex’s action will affect the price of Bitcoin Gold or not we cannot tell. But according to CoinMarketCap, its value remains stable despite the bad news.

Of course, none of this would have happened if both exchanges and traders relied more on cold wallets.



What Makes A Strong Password?

In an age where an invasion of our online security might virtually erode our offline well-being, it is extremely important to protect the passwords we use. The last time we talked about PINs and how the majority of them could be cracked within seconds. Unfortunately, when speaking of passwords the statistics ain’t much better.

How weak are weak passwords?

In short, they are as weak as the weakest PIN you can think of. Digging deeper, Keeper Security has discovered that the majority of internet users go for “123456”, “qwerty” and other combinations that are literally “unbreakable”. In fact, 17% of all 10,000,000 passwords scanned were “123456”. More interesting and disturbing facts – the top 25 most common passwords make up 50% of all passwords examined by Keeper Security.

I know this might come as a surprise to you but even more complex patterns like “1q2w3e4r5t6y” fail miserably. Hackers know too damn well that they can easily feed an algorithm with strings of numbers and letters that are commonly used as passwords and brute force accounts. It will take the algorithm just minutes to compromise your account. Remember, hackers can read too, meaning research findings such as those by Keeper Security practically help them develop even better hacking tools.

Why should this not disturb you?

Because you are a human. Unlike machines, you think slower but you have something bots don’t have (at least for now) – imagination. Leveling up your security is just a matter of some creativity. Usually, there is one simple rule – the longer the password, the better. Rule #2 – use a variety of symbols AKA combine letters and numbers.

No, your street number and your dog’s name don’t make a strong pass. A quick check on social media will give the bad actors all the necessary information. However, your options are countless – combine a favorite quote (better choose a less popular one) with the last three digits of your best friend’s phone number.

Draw on your keyboard! Well, not literally. Here’s what I’m talking about – make up a password that will form a triangle, X, octagon, square (you get the idea) on the keyboard. Are you a musician? Great, you can easily use the opening chords (or notes) of the first song you’ve ever learned.
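The two rules above, plus the Keeper finding that list-toppers fall in seconds regardless of length, as an added example (not code from Keeper Security or the original post): a checker that rejects anything on a common-password list first and only then scores length and character variety. The blocklist here is a constructed sample of such entries, and the 10^10 guesses-per-second attacker rate is an assumption.

```python
"""Added example (not from Keeper Security): blocklist first, then the two rules
(length, variety of character classes). The list and the attacker rate are assumed."""
import math
import string

# Constructed sample of list-toppers; a real deployment would load the full dataset.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "1234567", "password", "123123", "987654321", "qwertyuiop", "1q2w3e4r5t6y",
}
GUESSES_PER_SECOND = 1e10  # assumed rate for an offline attacker with GPUs

CLASSES = [
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("symbol", set(string.punctuation), len(string.punctuation)),  # 32
    ("space", {" "}, 1),
]


def classes_used(pw):
    """Names of the character classes that appear in the password."""
    return [name for name, chars, _ in CLASSES if any(c in chars for c in pw)]


def charset_size(pw):
    """Size of the alphabet a brute-force attacker must search for this password."""
    used = set(classes_used(pw))
    return sum(size for name, _, size in CLASSES if name in used)


def brute_force_bits(pw):
    """Work factor (bits) of exhaustive search. Assumes the attacker knows nothing
    about the password, which is exactly why the blocklist check must run first."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def assess(pw):
    """Return a verdict: reject (on a list), weak (breaks a rule) or strong."""
    normalized = pw.lower()
    # "Password1" or "qwerty!" are list entries with a digit or symbol tacked on,
    # which crackers try right after the bare word.
    stripped = normalized.strip(string.digits + string.punctuation)
    if normalized in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        return {"verdict": "reject", "bits": 0.0, "seconds": 0.0,
                "reason": "on the common-password list; guessed in seconds whatever its length"}
    bits = brute_force_bits(pw)
    seconds = 2 ** bits / 2 / GUESSES_PER_SECOND  # expected: half the keyspace
    reasons = []
    if len(pw) < 12:
        reasons.append("rule #1: fewer than 12 characters")
    if len(classes_used(pw)) < 2:
        reasons.append("rule #2: only one character class")
    if bits < 60:
        reasons.append(f"only {bits:.1f} bits of search space")
    return {"verdict": "weak" if reasons else "strong", "bits": round(bits, 1),
            "seconds": seconds, "reason": "; ".join(reasons) or "passes both rules"}


if __name__ == "__main__":
    for candidate in ("123456", "1q2w3e4r5t6y", "Password1", "Tr0ub4dor&3",
                      "aaaaaaaaaaaaaaaa", "Sailing to Byzantium 481"):
        r = assess(candidate)
        print(f"{candidate!r:28} {r['verdict']:7} {r['bits']:6} bits  {r['reason']}")
```

Note that "1q2w3e4r5t6y" would score about 43 bits on length and variety alone; the blocklist is what catches it, which is the point of the paragraph above.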

Your possibilities are endless. Your password should make sense to you. It should be hard to guess but easy to remember. You are human after all, not a machine.