Isolated, Air-Gapped Cypto-Wallets Hacked

By: Kacy Zurkus

He who holds the private keys owns all of the bitcoins. For those who manage their cryptocurrency in offline, or “cold,” wallets under the premise that they cannot be compromised, recent news from researcher Dr. Mordechai Guri from Ben-Gurion University of the Negev, Israel, raises some alarms. Guri demonstrated that cold wallets can be infected with malicious code, allowing an attacker to access the wallet’s private keys.

Because cold wallets are presumably safer than storing their keys in “hot,” or online, wallets, many cryptocurreny owners keep their bitcoin wallets isolated in air-gapped PCs so that they are away from the internet and not connected to any network, Wi-Fi or Bluetooth.

In addition to publishing a white paper, Guri also demonstrated the attack method’s effectiveness using malware called bridgeware, which successfully leaks the bitcoin private key over air gap via ultrasonic signals in only 3 seconds.

The discovery isn’t new, nor is it the first time a hacking technique was used to compromise an isolated machine. Rather, Guri’s experiment showed that private cryptocurrency keys can be stolen using out-of-band communication methods.

Malware can be preinstalled, delivered during the initial installation of the wallet, or pushed through a removable media. Once the malware is installed, there are a variety of exfiltration methods an attacker can use, and Guri evaluated several, including physical, electromagnetic, electric, magnetic, acoustic, optical and thermal.

“This research shows that although cold wallets provide a high degree of isolation, it’s not beyond the capability of motivated attackers to compromise such wallets and steal private keys from them. We demonstrate how a 256-bit private key (e.g., bitcoin’s private keys) can be exfiltrated from an offline, air-gapped wallet … within a matter of seconds,” Guri noted.

The PC and keyboard are removed in the second video to demonstrate an additional exfiltration method – a technique known as a RadIoT attack. In about 15 seconds, Guri successfully transmits private keys from a Raspberry Pi to a nearby smartphone over air gap by way of electromagnetic signals.

MORE: https://www.infosecurity-magazine.com/news/isolated-airgapped-cypto-wallets/

A cryptocurrency exchange had $3.5 million stolen — and thinks its security chief ran off with the money

By: ARJUN KHARPAL

Indian cryptocurrency exchange Coinsecure has lost over $3.5 million and is blaming its head of security.

In a message posted to its website Thursday, the company said that its Chief Security Officer (CSO) Amitabh Saxena was extracting a cryptocurrency known as bitcoin gold in order to distribute it to customers. But Coinsecure claimed the funds were lost in the process.

Director Mohit Kalra has sent a letter to Indian authorities about the incident. In the document posted on the company’s website, Kalra said that 438.318 bitcoin have gone missing. This equates to just over $3.5 million at Friday’s bitcoin price.

Users’ funds were kept in a secure bitcoin wallet and the private keys were kept by Saxena and Kalra. Private keys are essentially required to send cryptocurrency out of a storage wallet. Having the private key allows you to move money.

“As the private keys are kept with Dr Amitabh Saxena, we feel that he is making a false story to divert our attention and he might have a role to play in this entire incident,” the letter written by Kalra said.

“The incident reported by Dr Amitabh Saxena does not seem convincing to us. Dr Amitabh Saxena also has an Indian passport and he might fly out of the country soon. Therefore, his passport should be seized so he cannot fly out of the country.”

MORE: https://www.cnbc.com/2018/04/13/coinsecure-cryptocurrency-exchange-lost-3-million-and-it-thinks-its-security-chief-stole-it.html

SikurPhone With a Secure Cryptocurrency Wallet Unveiled at MWC 2018.

By: Jagmeet Singh

A long time after launching its security-focused GranitePhone, Brazil’s Sikur at Mobile World Congress (MWC) 2018 in Barcelona on Tuesday brought the SikurPhone that helps you protect your cryptocurrency. The new smartphone comes with a pre-installed cryptocurrency wallet and includes cloud integration to securely store various cryptocurrencies under one roof. Pre-orders for 20,000 units for the SikurPhone have already started at a promotional price of $799 (roughly Rs. 52,100), while the units will ship sometime in August this year.

The SikurPhone is touted to be “hack proof”, protecting user data as well as cryptocurrencies from hackers. To test how the phone can protect users, Sikur hired ethical hackers from bug bounty company HackerOne between November and December who were failed to gain access to any information, as per COO Alexandre Vasconcelos. The company deployed a custom Android version on SikurPhone, which it calls SikurOS, that doesn’t allow you to install any of the third-party apps on your own. This doesn’t mean that the smartphone won’t support your favourite apps – you instead need to ask the Sikur team to configure the apps individually.

Vasconcelos, in an interaction with CNET, pointed out that while the SikurPhone is designed to protect user data, it will not give the same tough protection to save criminals. The executive highlighted that the company would disable access to its services if it gets hints of any criminal behaviour of a user. In a separate interview with Mashable, Vasconcelos revealed that the Sikur will not only secure your digital currencies through its cloud-connected wallet but will also remotely wipe the data in case if you lose your phone to protect your money. “If you lose your phone, we can remotely wipe it for you. You can get a new one, log in, and your funds will be safe, as your private keys are stored in our cloud,” he said.

The SikurPhone additionally includes fingerprint authentication, and the preloaded wallet offers up-to-date market information about pricing, cryptocurrency news, and quotes. The wallet also has multisignature (P2SH) and multiple wallet support to give you an extensive cryptocurrency platform.

On the specification side, the Android 7.0 Nougat-based SikurPhone features a 5.5-inch full-HD display with Gorilla Glass protection on top. It is powered by a MediaTek MT6750 SoC, coupled with 4GB of RAM and has 13-megapixel rear camera sensor and a front camera sensor. Also, there is 64GB of onboard storage and a 2800mAh battery.

More: https://gadgets.ndtv.com/mobiles/news/sikurphone-cryptocurrency-wallet-mwc-2018-1818260

If you’ve amassed a cryptocurrency fortune, SikurPhone might be the phone for you.

By: Stan Schroeder

If you’ve amassed a fortune in cryptocurrencies, you probably don’t keep it all (or any of it) on your mobile phone. But a company called Sikur wants you to reconsider that.

On Tuesday, the company has launched a security-oriented smartphone called the SikurPhone. One of its main features is a built-in cryptocurrency wallet which, ideally, would allow you to keep cryptocoins on your phone without having to worry about losing them.

The phone itself is based on a highly customized version of Android 7.0, Sikur’s COO Alexandre Vasconcelos told me at the company’s booth at the Mobile World Congress in Barcelona. It’s not for the common user: It doesn’t have access to Google’s Play Store, it won’t run any apps that haven’t been vetted by Sikur, and its interface is far more spartan and corporate-looking than that of your typical, everyday Android.

The specs won’t wow you either, thought they’re probably good enough for most users: a 5.5-inch Full HD screen, a MediaTek MT6750 processor, 4GB of RAM, 64GB of storage, a 2,800mAh battery and a 13-megapixel rear camera, as well as a 5-megapixel selfie shooter.

But this phone isn’t about playing Android games — in fact, I bet that most users won’t even use it as their main device. “It’s sort of like the Ledger,” said Vasconcelos, referring to a hardware wallet that’s a popular choice for securely storing cryptocurrency. “If you lose your phone, we can remotely wipe it for you. You can get a new one, log in, and your funds will be safe, as your private keys are stored in our cloud.”

There’s a potential problem there: What Vasconcelos is describing is nothing like the Ledger, which keeps the private keys solely on the device itself. Keeping cryptocurrency private keys — which are basically the only thing you need to access your coins — in the cloud has potential drawbacks: The company’s servers could get hacked. It’s not exactly a rare ocurrence; two months into 2018 and we’ve already seen several major exchanges losing hundreds of millions of dollars in crypto due to hackers.

More: https://mashable.com/2018/02/27/sikurphone/#9b6Zq_8ub5qc

IOTA Attacked for Subpar Wallet Security Following $4m Hack

By: sikur

Capturar

by Avi Mizrah

January 22, 2018

The IOTA project is again the target of public anger and criticism. This time the issue is a feature of the technology that apparently allowed scammers to steal around $4 million from many unsuspecting users.

IOTA, the network behind the 11th most valuable cryptocurrency in the world by market cap (MIOTA), is coming under an attack on social media and community forums. The technology behind the project is accused of enabling an apparent exit scam or hack which cost users about $4 million, according to reports.

This is not the first time IOTA has come under attack. Back in December the project received a lot of public scorn for allegedly over hyping a “partnership” with Microsoft.

What Happened?

IOTA Attacked for Terrible Wallet Security Following $4m HackThe IOTA wallet requires users independently generate their own seeds (private keys). Many users have relied on online key generators to do this, such as iotaseed.io.

If someone maliciously hacked into the online generator (or was behind it at the first place) they could just collect all the seeds IOTA users were getting from them and wait for the best time to strike. This apparently happened on Friday night, when a lot of funds started moving using stolen seeds. At the same time, whoever was behind the theft organized a distributed denial of service (DDoS) attack against some of the most popular IOTA full nodes, effectively preventing the victims from recovering their money.

While IOTA supporters explain that this is not a bug in the technology itself, which they say is still perfectly secure, critics aren’t buying it. For them depending on end users to generate the seeds is seen an easy attack vector for trouble makers, just asking to be exploited.

MORE: https://news.bitcoin.com/iota-attacked-for-subpar-wallet-security-following-4m-hack/?utm_source=OneSignal%20Push&&utm_medium=notification&&utm_campaign=Push%20Notifications

Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist

Accenture – Embarrassing data leak business data in a public Amazon S3 bucket

By: sikur

accenture

By Pierluigi Paganini

October 11, 2017

The leading global professional services company Accenture exposed its business data in a public Amazon S3 bucket. Disconcerting!

Another Tech giant has fallen victim of an embarrassing data leak, this time the leading global professional services company Accenture exposed its business data in a public Amazon S3 bucket.

The incident exposed internal Accenture private keys, secret API data, and other information, a gift for attackers that want to target the firm or its clients

The unsecured Amazon S3 bucket was discovered by researchers at UpGuard that privately reported to Accenture on Sept. 17. The company solved the problem in one day.

“The UpGuard Cyber Risk Team can now reveal that Accenture, one of the world’s largest corporate consulting and management firms, left at least four cloud-based storage servers unsecured and publicly downloadable, exposing secret API data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both Accenture and its clients.” states the report published by UpGuard.

MORE: http://securityaffairs.co/wordpress/64150/data-breach/accenture-data-leak.html

Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist Lorep ipsum Lorep ipsum, journalist