Security Weekly 26: Ether Frozen in Wallets, a Million Fake WhatsApps, Useless Protection of Intellectual Property
In the world of blockchain enthusiasts, everything is simple and safe. Of course: the blockchain is so reliable in itself that no regulator, whether the state, banks or other superstructures, is needed to secure financial operations.
We are not going to dispute that the technology is free of many of the flaws and vulnerabilities of the old world. But that does not mean it has no weak spots of its own, ones that were impossible to imagine before. In short, this is the case: because of a vulnerability found in the popular Ethereum wallet Parity, cryptocurrency funds equivalent, by various estimates, to 150-300 million US dollars have been frozen.
How did it happen? The user devops199 reported that the Parity Wallet library could be destroyed, which made all the multi-sig wallets that depended on it inaccessible. From Ethereum's point of view, there is no difference between accounts, libraries and contracts (they are all programs). The Parity library had no owner. devops199 turned it into a wallet, became its owner, and then deleted it. Allegedly by accident (sure, we believe you). After that, all the multi-signature wallets tied to this library became inaccessible.
The most interesting thing is that quite recently, on July 19, a vulnerability was already found in Parity wallets that allowed about $30 million to be stolen. Back then only three wallets were compromised; the company quickly released a new version of the library and seemed to have fixed everything. As you can see, not everything. The current problem does not lead to a loss of funds, but losing control over them is not encouraging either. One of the victims was the startup Polkadot, which held an ICO in mid-October and collected 145 million dollars. 98 million of that is now frozen in a Parity wallet.
The developers of Ethereum reassured everyone that the problem does not concern the network as a whole, only the code of smart contracts written on top of the blockchain. But Ethereum smart contracts cannot be changed once they are deployed. At all. Absolutely. This is a fundamental property of the blockchain. And if so, the bugs they contain cannot be changed either. So, most likely, eliminating the problem will require the effort of the whole Ethereum network.
The problem with a hard fork is that the whole community does not always agree to accept it. As we know, that is how we ended up with Ethereum and Ethereum Classic, and no one is immune from further splits. And, as one reader of the Threatpost article noted, that is why he prefers to use physical wallets, not software ones.
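A simplified model of the incident described above, as an added example that is not Parity's code: the class and method names (`Library`, `init_wallet`, `kill`, `MultiSigWallet`) are hypothetical, and a single-owner withdrawal stands in for the multi-signature logic. It shows why the funds stay in the wallets yet cannot be moved once the shared library is gone, and how initializing the library at deployment closes the gap.

```python
class Library:
    """Shared wallet logic, deployed once and used by every wallet stub."""

    def __init__(self, init_at_deploy=False, deployer="deployer"):
        # Vulnerable variant: nobody owns the library after deployment.
        self.owner = deployer if init_at_deploy else None
        self.alive = True

    def init_wallet(self, caller):
        # Meant for new wallets, but callable on the library itself.
        if self.owner is not None:
            raise PermissionError("already initialized")
        self.owner = caller

    def kill(self, caller):
        if caller != self.owner:
            raise PermissionError("only the owner may destroy the library")
        self.alive = False  # the code is removed and cannot be redeployed


class MultiSigWallet:
    """Thin stub: holds the funds, delegates all logic to the library."""

    def __init__(self, library, owners, balance):
        self.library, self.owners, self.balance = library, set(owners), balance

    def withdraw(self, caller, amount):
        if not self.library.alive:
            return 0  # no code runs, so nothing is transferred
        if caller not in self.owners or amount > self.balance:
            raise PermissionError("not authorized")
        self.balance -= amount
        return amount


def scenario(init_at_deploy):
    """Replay the sequence from the text; return (amount withdrawn, balance left)."""
    lib = Library(init_at_deploy)
    wallet = MultiSigWallet(lib, {"alice"}, balance=100)
    try:
        lib.init_wallet("stranger")  # claim ownership of the unowned library
        lib.kill("stranger")         # then delete it
    except PermissionError:
        pass                         # hardened variant rejects the claim
    return wallet.withdraw("alice", 10), wallet.balance
```

In the vulnerable variant the legitimate owner withdraws nothing while the balance is still recorded in the wallet, which matches the "frozen, not stolen" outcome described in the text.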
A Million Fake Apps, Including WhatsApp
If you put something on Google Play whose design and name echo a popular application, you can safely count on a number of installations by mistake. Sometimes hundreds, sometimes thousands. And if you deftly mimic a real hit, the harvest can be even bigger. So this week the application Update WhatsApp Messenger, which managed to collect a million (!) downloads, was deleted from Google Play.
By itself the application did very little and had minimal permissions (Internet access only), but it downloaded a WhatsApp.apk application from somewhere via a short link. After that, Update WhatsApp Messenger tried to keep a low profile, to the point of having no name and no icon on the home screen.
After Google was warned about the strange application, it was removed from Play, and its developer's account was blocked. But there is another piquant detail: the developer was listed as … “WhatsApp Inc. ”. Did you notice the difference? Yes, exactly: an extra space after the name. The developer used the code C2A0, the so-called non-breaking space, which Google's automatic filters did not identify as such.
In May 2017, the Play Protect system was launched. It regularly scans the applications in the store for malicious behaviour and has a peak performance of 50 billion applications per day. In theory, it should keep “wrappers” that download an APK from somewhere out of Google Play. But, it seems, humans are still more cunning than robots, no matter how expensive the robots are.
It's worth noting that this is not the first time unscrupulous developers have used Unicode characters to deceive Google. Just three weeks ago, a fake AdBlock Plus plug-in was slipped into the store in a similar way and was downloaded 37,000 times before it was detected and removed. There, the name used a Cyrillic character, and it passed through Google's filters like a red-hot knife through butter. At this rate Unicode may end up banned from Play altogether, just to be on the safe side.
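One way a store-side filter could catch both tricks described above, the non-breaking space after the developer name and the Cyrillic letter in the plug-in name (an added example, not Google's filter): the allow-list, the function names and the sample strings are constructed for this illustration, and mixed-script detection is a heuristic that does not cover every confusable character.

```python
import unicodedata

# Constructed allow-list of names to protect (an assumption of this example).
PROTECTED = ("WhatsApp Inc.", "AdBlock Plus")
SUSPECT_CATEGORIES = {"Zs", "Zl", "Zp", "Cf", "Cc"}  # spaces, format, control


def canonical(name):
    """Fold compatibility forms (U+00A0 becomes U+0020), drop format
    characters, collapse runs of whitespace and ignore case."""
    folded = unicodedata.normalize("NFKC", name)
    visible = "".join(c for c in folded if unicodedata.category(c) != "Cf")
    return " ".join(visible.split()).casefold()


def scripts(name):
    """Scripts of the letters in name, read from the Unicode character names."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in name if c.isalpha()}


def check_name(name):
    """Return a list of findings for a submitted publisher or extension name."""
    findings = []
    odd = [f"U+{ord(c):04X}" for c in name
           if c != " " and unicodedata.category(c) in SUSPECT_CATEGORIES]
    if odd:
        findings.append("unusual space or invisible character: " + ", ".join(odd))
    found = scripts(name)
    if len(found) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(found)))
    for protected in PROTECTED:
        if name != protected and canonical(name) == canonical(protected):
            findings.append(f"same as {protected!r} after normalization")
    return findings


# Constructed samples. The first is built from the bytes C2 A0 named in the
# text; the page does not say which Cyrillic letter was used, so U+043E is
# an assumption.
SAMPLES = [
    b"WhatsApp Inc.\xc2\xa0".decode("utf-8"),
    "AdBl\u043eck Plus",
    "WhatsApp Inc.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), check_name(sample))
```

The comparison runs on the canonical form while the report quotes code points, so a reviewer can see exactly which character made two visually identical names differ.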
IEEE P1735 Standard Is Not as Reliable as It Seemed
The US Department of Homeland Security is sounding the alarm. According to academic research, the P1735 standard, developed by the Institute of Electrical and Electronics Engineers to protect copyrights for software and hardware products, is not as reliable as it seemed before.
IEEE P1735 allows different manufacturers to create joint products without revealing to each other all the details of their products and technologies, and thus to protect their own know-how from reverse engineering and theft. Thanks to IEEE P1735, the code of different companies can function together while remaining encrypted.
US-CERT (the United States Computer Emergency Readiness Team) reports that the encryption methods used in the standard are flawed, and that in an unfavorable scenario they create attack vectors that allow access to intellectual property in unencrypted form. Implementations of IEEE P1735 may be vulnerable to cryptographic attacks, which, among other things, open access to intellectual property without the encryption key.
The holes in the defense were first noticed by scientists from the University of Florida. They wrote about this in detail in the article “Standardizing Bad Cryptographic Practices” (PDF). In total, seven vulnerabilities were identified, with CVSS (Common Vulnerability Scoring System) ratings from 5.7 to 6.3 points out of a possible 10. They include:
- Incorrectly specified padding in cipher block chaining (CBC) mode, which allows electronic design automation (CAD) tools to be used as a decryption oracle;
- Incorrectly specified hardware description language (HDL) syntax, which allows CAD tools to be used as a decryption oracle;
- Modification of encrypted intellectual property data to introduce hardware Trojans;
- Replacing a license-deny response with a license-grant response;
- And others (the full list is available at the link).
The IEEE P1735 standard is implemented by the CAD vendor Synopsys in its Synplify Premier development and debugging environment. But the problem may also show up in the products of other vendors, in particular Cadence Design Systems, Mentor Graphics, Xilinx, and Zuken.
Modern software and electronic products are so complex that they often cannot be built alone. Cooperation is necessary, but nobody wants to share secrets even with a trusted partner. The IEEE P1735 standard was considered a panacea, but, as we see, it has gaps. And, according to the researchers, these are systemic gaps that cannot be fixed with simple patches. As the plumber who won the dissident contest said: “It's not the gasket you need to change here, it's the entire system!”