Feed for tag: security
Introducing the Ledger Donjon
Ledger, the manufacturer of the popular hardware wallet Ledger Nano S, has been working to improve the security of its products. This time, it is introducing not a device but a group of security experts known as the Donjon. It is a small group of 8 experts from the smartcard and security industry. Their primary function is to improve the security of Ledger products by assessing vulnerabilities, testing, and putting measures in place to check security leakage.
Getting around to fixing the timewarp attack

A timewarp attack on Bitcoin allows malicious miners to game the timestamp system so that they can increase the rate of block generation beyond what the blockchain is meant to allow. This attack has been possible since 2012 and was demonstrated on the testnet.

This was dismissed as an unimportant issue for the past few years, as it requires the majority of the hashrate and is easily blocked once someone starts using it.

Lumi Wallet: Insecure or Scam?

Another cryptocurrency wallet boasting next-generation security has been released. The proprietary Lumi Wallet has been identified as either a scam or simply an insecure application. In a blog post, wallet developer Daniel Staudigel examined the security flaws of Lumi Wallet. According to Staudigel:

I know something is off — “truly private” and “web wallet” and “extremely secure” are impossible to have for the same product. If something is a web wallet, it’s definitely not extremely secure (see recent DNS attacks for MyEtherWallet), and it’s highly unlikely to be “truly private” due to technical limitations of the web.

Mitigations for Loop Attacks
The Lightning Network is the up-and-coming standard for sending payments throughout the Bitcoin network; it makes tiny-fee, fast payments a reality that Bitcoin’s current network cannot promise. But Lightning introduces new attack vectors, the most important of which is called the Loop Attack. The basic idea is that a sender and receiver collude to create a long circuit and refuse to settle or fail the HTLC at the end until the last possible moment.
Ledger Blue Firmware and Availability Updates

The hardware wallet maker Ledger published news regarding the next firmware update for the Ledger Blue, their premium hardware wallet released after the Nano S, which has received only one firmware update since its launch:

Despite being a premium hardware wallet – the Blue received just one firmware update, as the Nano S received three. Rightly, many members of our community have been wondering about the future of the Ledger Blue, and asking us when we will build out new features through firmware updates. We’re sorry we kept you waiting so long

Trezor Test Your Seed Backup

Trezor released a new feature that allows users to test their seed backup through the Trezor Wallet user interface. The seed is the 12 or 24 unique words that you need to store safely and that are used to deterministically generate all private keys in HD wallets. Quote:

Starting today, you can rest easy, without necessarily needing to wipe and launch the setup process all over again. In the TREZOR Wallet user interface, just go to device settings by clicking on your device name, and then select Advanced > Check recovery seed. Follow the instructions and, in the end, the device will tell you the status of your recovery seed. Then, you can be confident that your seed is correct, or you will know for sure you need to generate a new one.


A Lesson in Sharing Private Keys
The cryptocurrency exchange ironically named CoinSecure was forced to halt its operations when it was discovered that over 430 BTC had been stolen. CoinSecure is a company located in Delhi, India, where the price of Bitcoin relative to the average wage is exponentially greater than in the typical first-world nation. We should consider the magnitude of that difference when evaluating the extent to which this company has failed its customers and shareholders.
Vulnerabilities in Numerous JavaScript Cryptographic Libraries

Some concerns were raised on bitcoin-dev regarding potential vulnerabilities in some JavaScript-based crypto applications, more precisely in their use of the SecureRandom() function, which collects entropy and includes a PRNG (pseudorandom number generator).

TL;DR

The conclusion seems to be that at least all wallets generated by js tools inside browsers since bitcoin exists until 2011 are impacted by the Math.random weakness if applicable to the related implementations, the Math.random or RC4 (Chrome) weakness between 2011 and 2013, and RC4 weakness for Chrome users until end of 2015

ElectrumPro Scam
The official Electrum website is electrum.org. There is an electrum.com that appears to be a scam, which calls its software Electrum Pro. Do not download or run any executables from this site - its binaries have not been verified. The original Electrum software is written entirely in Python, meaning it should never be compiled to create binary files.