What Recent Supply Chain Attacks On IOTA and Monero Can Teach Us About Blockchain Security

13 de April de 2020 Por

Today’s post is authored by Stefan Beyer, CEO @ Cryptonics, Blockchain Consultant and Smart Contract Auditor. If you are interested in learning about blockchain technology, we recommend you to check the recently created Cryptonics Academy. Please enjoy.

A False Sense of Security

Blockchains are protected by complex mathematical protocols and by decentralization. Cryptographic primitives, such as digital signatures and hashing, are used to verify transaction authenticity and the integrity of the data stored on the blockchain. It is only through these primitives that the concept of digital ownership can be secured. Decentralization makes it incredibly hard for an attacker to gain sufficient control over a blockchain to alter transaction history or apply censorship.

This means that blockchains are quite secure at the protocol level. Although there are confirmed incidents of protocol-level breaches, such as 51% attacks, these are relatively rare and confined to smaller blockchains. Nevertheless, digital assets represented on blockchains are stolen on an alarmingly regular basis, even from large established networks.

In a recent article, we already identified smart contracts as a significant risk vector. In this article, we look at two recent high profile attacks, in order to highlight hidden dangers in the security of support systems that allow attackers to sidestep the sophisticated cryptographic defense mechanisms blockchain protocols provide. This type of attack is typically called a supply chain attack, as it focuses on less secure parts of a project’s supply chain.

[Read more…]

The 5 Most Common Smart Contract Vulnerabilities

10 de March de 2020 Por

Today’s post is authored by Stefan Beyer, CEO @ Cryptonics, Blockchain Consultant and Smart Contract Auditor. Please enjoy.

Smart contracts are hard to get right. Their three main properties, the ability to hold value, transparency, and immutability, are essential for them to work. However, these properties also turn smart contracts into a security risk and a high-interest target for cybercriminals. Even without deliberate attacks, there are plenty of examples of funds getting stuck and companies losing money due to smart contract bugs and vulnerabilities.

Over the last two years, we have audited the smart contracts of more than 40 projects here at Cryptonics. The contracts audited include different types of asset tokenization, insurance policies, decentralized finance platforms, investment funds, and even computer games. We have observed certain trends in the types of vulnerabilities that we usually encounter, and some issues seem more common than others. In this article, we will describe the five most common issues we detect in our daily auditing activities.

[Read more…]

The Importance of Server Hardening – Part 2. Hardening the Server

6 de March de 2020 Por

(Editor’s note: this post was originally published in the Spanish version of Security Art Work on 4th July 2019)

Today we publish the second of three articles courtesy of Jorge Garcia on the importance of server bastioning. You can find the first one here: The importance of server hardening – I

All right, we have the mission of hosting an online commerce web application and offering it to the world on a server that we own. Our goal is to make it as impregnable as possible at all levels. Since it is a web application, it is foreseeable that the main attack entry vector is through vulnerabilities of the application itself. Really, let’s not fool ourselves, all CMS are sure candidates for severe vulnerabilities. The scheme of how the platform will be organized is the usual one in a virtual server:

Therefore, the issue is to choose a CMS with these premises:

  1. That it is actively developed and supported by a large community of developers or by a large company. This ensures that when a vulnerability is published, it is quickly corrected.
  2. That the installed CMS is the last available version of a branch that has support, and that it is expected to continue having it for quite some time. Do not forget that, since we do not have a development environment at home, updates or migrations mean a loss of service which in turn means potential loss of money.
  3. That it is compatible with the operating system of the server that we have. A consideration that is obvious but important.
  4. May the history of critical vulnerabilities be as low as possible. A CMS that is actively developed and has good support but that on average finds a critical vulnerability every week is not viable to maintain or safe to use.

[Read more…]

The fight for privacy

4 de March de 2020 Por

The post, next week.

Own text. Original comic strip by RaphComic. Modified with permission.

The Importance of Server Hardening – Part 1. Introduction and Types of Infrastructure

3 de March de 2020 Por

(Editor’s note: this post was originally published in the Spanish version of Security Art Work on 1st July 2019)

Today we publish the first of three articles courtesy of Jorge García on the importance of server hardening. Jorge introduces himself as follows: “Although I am officially a systems administrator and responsible for security in the company where I work, the truth is that my job is also my hobby. I am a big fan of geek computing, defensive security, deploying my own servers and any DIY process that poses new learning challenges as I fend for myself to solve problems. Evolution is my passion.”

All companies, regardless of the field in which they are developed, have, to a greater or lesser extent, an IT infrastructure of servers that store and process corporate information of vital importance to the business. The question that always assails me is: if this information is so important, why does experience tell us that it is so frequent that companies do not keep their servers, applications and equipment updated and properly hardened?

It is well known that a large part of companies do not take computer security seriously. Without going any further this report published three months ago indicates that 7 of the 10 most exploited vulnerabilities during 2018 were between 1 and 6 years old; or this other report that indicates that a large number of companies do not patch their systems quickly. This is because, companies think that they are not targeted by hiding behind the typical “my company is small and has nothing attractive to hackers” thinking, or because they do not have or do not consider it necessary to have staff resources and tools to keep the platform updated. Or at least they don’t do it until it’s too late, and that’s what I’m going to talk about in today’s post. It’s a true story. Let’s go with a little background.

[Read more…]

CNA Tactics: a first proposal

25 de February de 2020 Por

(Editor’s note: this post was originally published in the Spanish version of Security Art Work on 11th November 2019)

Today we have a doctrinal and somewhat metaphysical article… I.e., something dense. Be warned :)

Within CNO (Computer Network Operations) we find three types of capabilities or actions: CND, CNA and CNE (Defense, Attack and Exploitation respectively).

While CND obviously deals with the defense of technological environments against attacks also technological —not against a missile that hits a Datacenter—, CNE operations and capabilities focus on the acquisition and exploitation of information through networks and computers: what we currently call cyberspying. For its part, CNA, Computer Network Attack, refers to what is often identified with purely destructive operations (the famous “4D”: disrupt, deny, degrade and destroy).

Any actor that executes CNO operations develops TTP (Tactics, Techniques and Procedures) to achieve its objectives; without going into the more formal definitions of the US military literature, tactics specify what an actor does, techniques specify how a tactic is implemented and procedures define a particular implementation —depending even on the person who applies them— of that tactic; this approach, from the higher level to a more operational level, models the behaviour of an actor, something similar to what is usually called its modus operandi.

[Read more…]

YaraRET (I): Carving with Radare2 & Yara

2 de September de 2019 Por

During the management of forensic cases, there are times when we find ourselves in a dead end, where after the detection of a critical compromise indicator, we have to approach an analysis with weak evidence.

That is why I decided to develop a carving tool based on Yara rule detection. This tool also had to handle raw files in and be able to carry out a wide variety of options on this data in a flexible way, so I decided to use Radare2.

From this combination was born YaraRET, a file carving tool developed in Go, whose stable version is available in the repository of YaraRules: https://github.com/Yara-Rules/YaraRET

The development version can be found in the following repository: https://github.com/wolfvan/YaraRET

So, during the next article the resolution of a fictitious forensic case with YaraRET will be presented, which is based on the combination of several cases that I have been finding for a few months. [Read more…]

I discovered a crime … and now what?

9 de July de 2019 Por

[Author’s note: The author of this article is a technician, not a lawyer. Although several jurists have been consulted to corroborate that no legal barbarity has been said, it is strongly recommended to consult with a trusted legal professional if necessary].
[Author’s note 2: I would like to thank the ideas and comments offered by the Forensic Computing Telegram group: https://t.me/forense, whose activity has fostered and promoted this article].

Let’s imagine that Mary is a forensic analyst who is working on a case of corporate espionage. While analyzing some compressed files with strange names, she discovers with horror that they are full of images of child pornography.

Imagine that Pete is a pentester whose objective is to take control of a mail server, having to submit as evidence a half dozen high-level emails. Once he has achieved his objective, he extracts several mails at random from the mail accounts, but verifies with indignation that they contain information about a civil servant being bribed for the granting of an important public contract.

Both Mary and Pete have signed a strict confidentiality agreement with the company in which they work, which clearly states that “all the information they have knowledge of during their working activity must be kept in the strictest secrecy.” [Read more…]

The State of VPN Security Today

6 de June de 2019 Por

Today’s post is authored by Christopher Nichols from SurfShark.com, who gives a quick insight of some of the main threats of surfing without protection in today’s Internet, and gives some valuable information on the advantages of, probably, the main countermeasure: Virtual Private Networks. Please enjoy.

No one should log onto the internet without the added protection of a virtual private network (VPN). Personal and financial information transmitted over the web needs protection against snoopers, hackers, and spies. Those snoopers also include the user’s own government as well as the internet services provider, who collects service fees as well as free information from their users. [Read more…]

My5tery solved

21 de May de 2019 Por

Typical autumn day, through the window you can only see a gray sky. It is the typical day in which you believe that nothing strange is going to happen. Suddenly, our surveillance system alerts anomalous connections: a user has tried to connect against IP addresses of unknown origin. These IP addresses are public and, according to the configuration established in the organization, any HTTP connection to the outside must pass through a proxy.

The connections are searched in the proxy logs and are not found, so this user has tried to connect directly, ignoring the configuration of the system. [Read more…]