This tutorial will guide you through reproducing the exploit for CVE-2018-20587 to help test and ensure that you have updated your configuration for future prevention.
Feed for tag: security
Ledger, the manufacturer of the popular hardware wallet Ledger Nano S has been working to improve the security of their products. This time, they are introducing not a device, but a group of security experts known as the Donjon. It is a small group of 8 experts in the smartcard and security industry. Their primary function is to work on improving the security of Ledger products by assessing vulnerabilities, testing and putting in place measures to check the security leakages.
A timewarp attack on Bitcoin allows malicious miners to game the timestamp system to allow them to increase the rate of block generation beyond what the blockchain meant it to be. This attack has been possible since 2012 and was demonstrated on the testnet.
This was dismissed as an unimportant issue for the past few years as it requires the majority of hashrate and is easily blocked once someone starts using it.
Another Cryptocurrency wallet, boasting next generation security has been released. The proprietary, Lumi Wallet has been identified as either a scam or simply an insecure application. In a blog post by wallet developer Daniel Staudigel the security flaws of Lumi Wallet were examined. According to Staudigel:
I know something is off — “truly private” and “web wallet” and “extremely secure” are impossible to have for the same product. If something is a web wallet, it’s definitely not extremely secure (see recent DNS attacks for MyEtherWallet), and it’s highly unlikely to be “truly private” due to technical limitations of the web.
Lightning network is the up and coming standard for sending payments throughout
the Bitcoin network, it makes tiny fee and fast payments a reality that
Bitcoin’s current network can not promise. But Lightning introduces new attack
vectors, most important of which is called the Loop
Attack.
The basic idea is that a sender and receiver collude to create a long circuit
and refuse to settle or fail the HTLC1 at the end until the last possible moment.
The hardware wallet maker Ledger published news regarding the next firmware update for the ledger blue, their premium hardware wallet released after the Nano S, which recieved only one firmware update since it’s launch :
Despite being a premium hardware wallet – the Blue received just one firmware update, as the Nano S received three. Rightly, many members of our community have been wondering about the future of the Ledger Blue, and asking us when we will build out new features through firmware updates. We’re sorry we kept you waiting so long
Trezor released a new feature that allows users to test the seed backup through the trezor wallet user interface. The seed is the 12 or 24 unique words you need to safely store and which are used to deterministically generate all private keys in HD Wallets. Quote:
Starting today, you can rest easy, without necessarily needing to wipe and launch the setup process all over again. In the TREZOR Wallet user interface, just go to device settings by clicking on your device name, and then select Advanced > Check recovery seed. Follow the instructions and, in the end, the device will tell you the status of your recovery seed. Then, you can be confident that your seed is correct, or you will know for sure you need to generate a new one.
The cryptocurrency exchange, ironically named
CoinSecure was forced to halt their operations when
it was discovered over 430 BTC had been stolen. CoinSecure is a company located
in Delphi, India, where the price of Bitcoin relative to the average wage is
exponentially greater than the common first world nation. We should consider
the magnitude of that difference when evaluating the extent to which this
company has failed its customers and shareholders.
Some concerns were raised on
bitcoin-dev
regarding potential vulnerabilities with some Javascript based crypto
applications, more precisely the use of SecureRandom() function which
collects entropy and includes a PRNG (Pseudo Random Number
Generator).
TL;DR
The conclusion seems to be that at least all wallets generated by js tools inside browsers since bitcoin exists until 2011 are impacted by the Math.random weakness if applicable to the related implementations, the Math.random or RC4 (Chrome) weakness between 2011 and 2013, and RC4 weakness for Chrome users until end of 2015
The official Electrum website is electrum.org. There is an electrum.com that appears to be a scam, which calls its software Electrum Pro. Do not download or run any executables from this site - its binaries have not been verified. The original Electrum software is written entirely in Python, meaning it should never be compiled to create binary files.