CyberSecurity Pulse 2016-09-22
“If you’re going to try, go all the way. Otherwise, don’t even start.”
Knowing How Ethereum Dapps Work Is Not Accessible to All
The truth is that this is not the first time something like this has happened. In July 2016, The DAO, a new cryptocurrency fully built on Ethereum, suffered an incident in which up to 50 million dollars were stolen by exploiting a programming glitch in the withdrawRewardFor function. To address the incident, the Swiss foundation that manages and promotes Ethereum announced a fork that led to two blockchains: Ethereum Classic, which follows the original blockchain unmodified, and Ethereum, which carries the changes the Ethereum Foundation proposed after the incident. The implicit risk of using these Dapps is that understanding the effects of the implementation details of the logic coded into many Ethereum contracts is, doubtless, not something that is easy to explain to everybody.
US to Vote on Cyber Bill for Small Businesses
The House of Representatives is slated to vote on a bill that would extend cybersecurity help to small businesses. The Small Business Administration would be in charge of expanding cybersecurity programs at SMBs in accordance with a small-business security strategy to be developed together with the Department of Homeland Security. The bill would not only address the expertise gap for small businesses, but also respond to the several complaints raised within the small-business community that recent cybersecurity laws have mostly helped large businesses.
iPhone Passcode Bypassed With NAND Mirroring Attack
A researcher at the University of Cambridge has published a study on how to bypass the passcode of an iPhone 5c, something the FBI was unable to do in March 2016. The technique, known as NAND mirroring, consists of cloning the contents of the device's flash chip as many times as necessary (after the 10 allowed attempts, the chip must be rewritten from the clone) so that the passcode can be recovered by brute force. According to the author, a four-digit passcode would need at least 20 hours and more than 1600 copies to be cracked.
Rest of the Week's News
NSA Hacking Tools Used Against Cisco Customers
Cisco published an advisory on Friday saying that NSA-grade hacking tools are now being used against its customers. The authors wrote that the “Cisco Product Security Incident Response Team (PSIRT) is aware of exploitation of the vulnerability for some Cisco customers who are running the affected platforms”. Cisco has not yet identified those that have fallen prey to the exploit.
Signal Fixes a Vulnerability that Would Allow Corrupt Attachments
The Signal messaging application, developed by the cryptography and communications company Open Whisper Systems, has fixed two vulnerabilities in its Android version that would have allowed large attachments to be modified by appending pseudorandom data. Although an attacker could effectively exploit the lack of full verification of files, Moxie Marlinspike, founder of the company, commented that they consider the impact of the vulnerability low because of the volume of data required to exploit it.
Mozilla Plans Firefox Fix for the Same Vulnerability as Tor
The vulnerability allows an attacker who holds a man-in-the-middle position and is able to obtain a forged certificate to impersonate Mozilla servers, Tor officials warned in an advisory. From there, the attacker could deliver a malicious update for NoScript or many other Firefox extensions installed on a targeted computer. The fraudulent certificate would have to be issued by any one of the several hundred certificate authorities (CAs) trusted by Firefox.