This is clever:
How the attack works:
- Attacker added tens of malicious servers to the Electrum wallet network.
- Users of legitimate Electrum wallets initiate a Bitcoin transaction.
- If the transaction reaches one of the malicious servers, these servers reply with an error message that urges users to download a wallet app update from a malicious website (GitHub repo).
- User clicks the link and downloads the malicious update.
- When the user opens the malicious Electrum wallet, the app asks the user for a two-factor authentication (2FA) code. This is a red flag, as these 2FA codes are only requested before sending funds, and not at wallet startup.
- The malicious Electrum wallet uses the 2FA code to steal the user’s funds and transfer them to the attacker’s Bitcoin addresses.
The problem here is that Electrum servers are allowed to trigger popups with custom text inside users’ wallets.
Posted on January 7, 2019 at 6:13 AM •
This is well-worth reading (non-paywalled version). Here’s the opening:
Cryptocurrencies, although a seemingly interesting idea, are simply not fit for purpose. They do not work as currencies, they are grossly inefficient, and they are not meaningfully distributed in terms of trust. Risks involving cryptocurrencies occur in four major areas: technical risks to participants, economic risks to participants, systemic risks to the cryptocurrency ecosystem, and societal risks.
I haven’t written much about cryptocurrencies, but I share Weaver’s skepticism.
EDITED TO ADD (8/2): Paul Krugman on cryptocurrencies.
Posted on July 24, 2018 at 6:29 AM •
Ross Anderson has a new paper on cryptocurrency exchanges. From his blog:
Bitcoin Redux explains what’s going wrong in the world of cryptocurrencies. The bitcoin exchanges are developing into a shadow banking system, which do not give their customers actual bitcoin but rather display a “balance” and allow them to transact with others. However if Alice sends Bob a bitcoin, and they’re both customers of the same exchange, it just adjusts their balances rather than doing anything on the blockchain. This is an e-money service, according to European law, but is the law enforced? Not where it matters. We’ve been looking at the details.
Posted on June 5, 2018 at 6:32 AM •
Researchers have exploited a flaw in the cryptocurrency Monero to break the anonymity of transactions.
Research paper. BoingBoing post.
EDITED TO ADD (4/13): Brad Tempelton wrote about this years ago.
Posted on March 28, 2018 at 2:25 PM •
Interesting paper “A first look at browser-based cryptojacking“:
Posted on March 21, 2018 at 6:27 AM •
A water utility in Europe has been infected by cryptocurrency mining software. This is a relatively new attack: hackers compromise computers and force them to mine cryptocurrency for them. This is the first time I’ve seen it infect SCADA systems, though.
It seems that this mining software is benign, and doesn’t affect the performance of the hacked computer. (A smart virus doesn’t kill its host.) But that’s not going to always be the case.
Posted on February 8, 2018 at 11:55 AM •
This is a clever attack.
After gaining control of the coin-mining software, the malware replaces the wallet address the computer owner uses to collect newly minted currency with an address controlled by the attacker. From then on, the attacker receives all coins generated, and owners are none the wiser unless they take time to manually inspect their software configuration.
So far it hasn’t been very profitable, but it—or some later version—eventually will be.
Posted on January 23, 2018 at 6:41 AM •
I agree with Lorenzo Franceschi-Bicchierai, “Cryptocurrencies aren’t ‘crypto’“:
Lately on the internet, people in the world of Bitcoin and other digital currencies are starting to use the word “crypto” as a catch-all term for the lightly regulated and burgeoning world of digital currencies in general, or for the word “cryptocurrency”—which probably shouldn’t even be called “currency,” by the way.
To be clear, I’m not the only one who is mad about this. Bitcoin and other technologies indeed do use cryptography: all cryptocurrency transactions are secured by a “public key” known to all and a “private key” known only to one party—this is the basis for a swath of cryptographic approaches (known as public key, or asymmetric cryptography) like PGP. But cryptographers say that’s not really their defining trait.
“Most cryptocurrency barely has anything to do with serious cryptography,” Matthew Green, a renowned computer scientist who studies cryptography, told me via email. “Aside from the trivial use of digital signatures and hash functions, it’s a stupid name.”
It is a stupid name.
Posted on December 4, 2017 at 9:14 AM •
The press is reporting a $32M theft of the cryptocurrency Ethereum. Like all such thefts, they’re not a result of a cryptographic failure in the currencies, but instead a software vulnerability in the software surrounding the currency—in this case, digital wallets.
This is the second Ethereum hack this week. The first tricked people in sending their Ethereum to another address.
This is my concern about digital cash. The cryptography can be bulletproof, but the computer security will always be an issue.
Posted on July 20, 2017 at 9:12 AM •
Sidebar photo of Bruce Schneier by Joe MacInnis.