Last Week In Blockchain and CyberSecurity News - December 7, 2018
Marriott Data Breach Affects 500 Million Guests
Passport numbers, payment details, and names for over 500 million guests were breached and taken from Marriott hotels in the past couples of years. Marriott announced that there had been access to the Starwood guest reservation database since 2014. More specifically “For approximately 327 million of these guests, the information includes some combination of name, mailing address, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.” Using the information obtained from the breach, malicious users have the ability to commit fraud or use phishing attacks to trick individuals in providing sensitive details. This is one of the largest data breaches in history, and further shows how important it is to have regular security checks on sensitive information and overall have secure company cybersecurity.
Read more about the breach here
United States Commodity Futures Trading Commission (CFTC) Releases A Guide On Smart Contracts
The potential of cryptocurrency, blockchain, and smart contracts could possibly be one of the most transformative technological innovations of our time. CFTC released the guide with a “goal is to educate American consumers on how smart contracts work and how they could play a role in the future”. As the CFTC is one of the two major financial regulators in the United States alongside the SEC, this is a big step in the right direction for blockchain and crypto. It is important to educate the public as blockchain technology is starting to play an increasingly crucial role in businesses such as Amazon, and Alibaba. The guide breaks down what a smart contract is, dives into various aspects of blockchain technology, and then concludes on how smart contracts can be used in the future. The CFTC publishing this guide will not only validate what many benefits blockchain technology has, but will also attract a great deal of awareness to it.
Get more information here
Read the 32 page primer here
Kubernetes Flaw Allows Attackers To Take Over Any Vulnerable Node Using A Specially Crafted Request.
A serious vulnerability in Kubernetes can allow an attacker to gain full administrator privileges over the open source container systems’ compute nodes. According to a report by one of the members of Kubernetes security team, Jordan Liggitt, the CVE known as CVE-2018-1002105 allows a malicious user to send a "specially crafted request" through a Kubernetes API server to a backend server, which gets authenticated using the Kubernetes API servers’ own TLS (transport layer security) credentials. With a CVSS score of 9.8, it is marked as highly important. Once the request is established, no check on the ability to send arbitrary requests directly to those backends is looked at due to the requests being automatically authenticated with the Kubernetes API server’s TLS credentials used to set up the initial connection. As Kubernetes is the “de facto” standard in the Linux container organization, this issue becomes particularly concerning as it jeopardizes many sub-services to breaches as well. Data heists, installing malware, espionage, and recon are just some of the activities a malicious user can conduct exploiting this vulnerability.
Read more about the flaw here
Vertcoin Loses Over $100,000 In 51% Attack
A coin that was launched with an aim to discourage miners from forming pools and gaining a monopoly over its network was compromised. The blockchain of Vertcoin is under the 51% attack, resulting in over $100k of double spending on the network. Mark Nesbitt, a Coinbase engineer revealed that unknown cyber attackers rented large amounts of ASIC hashrate to take over the four-year-old cryptocurrency network. In doing this, they got a hold of more than 50 percent of the mining hash rate, thus allowing them to own and govern the Vertcoin public chain. This attack reflects on the weakness in the proof of work model, if any miner or miner pool posses a majority of the hash power, it can create separate blocks from any previous block, creating two versions of the same blockchain. Furthermore, if the miner also holds a large volume of coins, a double spending attack can be launched on the network, resulting in mass-theft. In a world where attacks become more sophisticated every day, it is important to review all aspects of a company, whether you are investing in one, or developing it.
Read more here!
NEO Vulnerability Allows Hackers to Steal Users’ Tokens
Due to the increasing popularity and value cryptocurrencies have, hackers have become more active in finding and exploiting bugs in blockchains to steal coins. Currently, NEO has fallen prey to hackers. NEO is one of the more popular cryptocurrencies, sometimes referred to as the “Chinese Ethereum” due to its similarity with Ethereum which allows developers to create smart contracts and decentralized applications. Tencent Security Lab, a giant Chinese Technology company, recently stated the vulnerability in NEO’s blockchain network allows hackers to remotely steal tokens from customer wallets. According to Tencent, when a customer commences a network node with a default configuration, they are at risk of losing their funds. While there is no bug acknowledgment or official advisory from NEO, updating to the highest version of the NEO-CLI client program, avoiding the use of the remote rpc function, and modifying the BlindAddress in the configuration file to 127.0.0.1 is recommended.
Read more about NEO’s Vulnerability here