CyberSecurity Pulse 2016-09-22

“If you’re going to try, go all the way. Otherwise, don’t even start.”
Charles Bukowski

Analyst Insight

Knowing How Ethereum Dapps Work Is Not Accessible to All

On September 18, just a few hours before the beginning of the DevCon 2 conference held by the Ethereum Foundation in Shanghai, a security alert about a denial-of-service attack was published on the Ethereum blog. The alert concerned a vulnerability discovered in the Ethereum blockchain, specifically at block 2,283,416, and was soon labelled a high-severity issue. Ethereum's most important feature compared with other cryptocurrencies is its support for programming distributed applications, also called dapps. Transactions are recorded by every network node to provide greater transparency, but any programming failure can result, as it did in this case, in memory errors on the Go Ethereum client 1.4.11, also known as Geth, causing it to stop mining further blocks.

The truth is that this is not the first time something similar has happened. In July 2016, The DAO, a new cryptocurrency built entirely on Ethereum, suffered an incident in which up to 50 million dollars were stolen after a programming glitch in the withdrawRewardFor function was exploited. To address this incident, the Swiss foundation that manages and promotes Ethereum announced a fork that led to two blockchains: Ethereum Classic, which follows the original blockchain unmodified, and Ethereum, which incorporates the changes proposed by the Ethereum Foundation after the incident. The implicit risk of using these dapps is that understanding the effects of the implementation details of the logic coded in many Ethereum contracts is something that, doubtless, is not easy to explain to everybody.

Top Stories

US to Vote on Cyber Bill for Small Businesses

The House of Representatives is slated to vote on a bill that would extend cybersecurity help to small businesses. The Small Business Administration would be in charge of expanding cybersecurity programs at small-business centers in accordance with a small-business security strategy to be developed with the Department of Homeland Security. The bill would not only address the expertise gap for small businesses, but also respond to the complaints raised within the small-business community that recent cybersecurity laws have mainly helped large businesses.

» More information at The Hill

iPhone Passcode Bypassed With NAND Mirroring Attack

A researcher at the University of Cambridge has published a study on how to bypass the passcode of an iPhone 5c, something the FBI was unable to do in March 2016. The technique, known as NAND mirroring, consists of cloning the contents of the device's flash chip as many times as necessary (after the 10 allowed attempts are used up, the chip must be rewritten from the copy) so that the passcode can be recovered by brute force. According to the author, a four-digit passcode would need at least 20 hours and more than 1600 copies to be recovered.

» More information at Cornell University

Rest of the Week's News

NSA Hacking Tools Used Against Cisco Customers

On Friday Cisco published an advisory stating that NSA-grade hacking tools are now being used against its customers. The authors wrote that the "Cisco Product Security Incident Response Team (PSIRT) is aware of exploitation of the vulnerability for some Cisco customers who are running the affected platforms". Cisco has not yet identified which customers have fallen prey to the exploit.

» More information at Cisco

Signal Fixes a Vulnerability that Would Allow Corrupt Attachments

The Signal messaging application, developed by the cryptography and communications company Open Whisper Systems, has fixed two vulnerabilities in its Android version that would allow large attachments to be modified by appending pseudorandom data. Although an attacker could exploit the lack of full verification of files, Moxie Marlinspike, founder of the company, has commented that they consider the impact of the vulnerability low because of the volume of data required to exploit it.

» More information at Ars Technica UK

Mozilla Plans Firefox Fix for the Same Vulnerability as Tor

The vulnerability allows an attacker who holds a man-in-the-middle position and is able to obtain a forged certificate to impersonate Mozilla's servers, Tor officials warned in an advisory. From there, the attacker could deliver a malicious update for NoScript or many other Firefox extensions installed on a targeted computer. The fraudulent certificate would have to be issued by any one of the several hundred certificate authorities (CAs) trusted by Firefox.

» More information at Ars Technica UK

Further Reading

Facebook Gives $16,000 to Researcher Who Found a Way to Hijack Business Pages

» More information at Softpedia

Hackers Crack Tesla CAN Bus

» More information at SC Magazine UK

A Mistake Allowed Us a Peek Into North Korea Internet Infrastructure

» More information at Security Affairs