This Week In Blockchain and CyberSecurity News - February 8, 2019
Google Launches Password Checkup Extension To Alert Users Of Data Breaches
This past week Google launched a new Chrome extension that warns you if your login credentials for any website have been exposed in a data dump or breach. The extension, called “Password Checkup,” compares your username and password against over 4 billion credentials Google knows to have been compromised in previous data breach events. Google has pointed out that Password Checkup was built in collaboration with “cryptography experts” from Stanford University, and that “Google never learns your username or password, and that any breach data stays safe from wider exposure,” according to their blog post. Password Checkup is currently available in the Chrome Web Store as an extension for Chrome; more information on how to use it can be found in "Protect accounts that have unsafe passwords".
Get more information about Password Checkup here
Zcash Cryptocurrency Fixes Infinite Counterfeiting Vulnerability
Zcash has been described as a total-anonymity version of the Bitcoin cryptocurrency. In a very secretive sequence of events, the developer team behind Zcash fixed a severe vulnerability that would have allowed an attacker to generate new Zcash funds from scratch without any upper limit. The Zcash team disclosed details about the vulnerability last week, almost three months after the patch’s release. Reportedly, only four people knew about the vulnerability before a patch was released at the end of October 2018. The flaw could have allowed attackers to flood the Zcash ecosystem with new funds, which could have ruined the reputation of the coin. “The counterfeiting vulnerability affected a variant of zk-SNARKs, the implementation of zero-knowledge cryptography Zcash used to encrypt and protect the transactions. zk-SNARKs was also implemented in other different projects.” The Zcash development team confirmed that the flaw had existed in the cryptocurrency scheme for years. There has been no evidence that any counterfeiting has occurred.
Read more about the Zcash flaw here
Backdoored Cryptocurrency Software Found Serving AZORult Malware
Malicious users compromised the GitHub account of the Denarius cryptocurrency project lead and uploaded a backdoored version of the Windows client. The backdoored Windows client was bundled with a version of the AZORult malware. Once the client's .bat installer starts, it launches other binaries in sequence as well, the smaller one being AZORult. Once installed on a user's computer, the malware can steal various pieces of information. AZORult can steal data such as “browser passwords, browser cookies, passwords for FTP clients, chat histories, and most importantly, wallet database files from popular cryptocurrency clients” (ZDNet). The stolen information is then sent to a command-and-control center for the attacker to view. According to Misterch0c, the control center IP address was also linked to other malware samples, all of which appeared to be backdoored cryptocurrency software, and all of which communicated with this same domain. One of the cryptocurrencies in Misterch0c’s list is New York Coin (NYC), which was hit with a 51% attack last week, most likely caused by malware that slipped into its wallet before the attack. One of the top developers behind the Denarius cryptocurrency stated that the incident occurred because he used an older password to secure his account.
Read more about the backdoored client here
MacOS Zero-Day Exposes Apple Keychain Passwords
Security researcher Linus Henze demoed a zero-day macOS exploit this week, demonstrating a vulnerability in the Keychain password management system. The password management system can store passwords for websites, applications, servers, and bank information. The vulnerability allows a malicious app running on the macOS system to get access to passwords stored inside the Keychain. The issue allows a potential hacker to steal Keychain passwords from any local user account on the Mac, without the need for admin privileges or a master password. As long as the keychain is unlocked, you may be vulnerable to this exploit. The exploit impacts all macOS versions up to the latest one, 10.14.3 Mojave, and extracts the password without any prompts or notifications to the user. Linus declines to share more details with Apple or the community, stating that he would like a bug bounty program to be set in place.
Watch the proof-of-concept here
Read more about the exploit here
2.2 billion unique accounts compromised after ‘Collections #2-5’
A second major data dump was discovered last week, comprising 2.2 billion unique usernames and passwords. The data dump, dubbed Collection #2-5, contains 845GB of data and over 25 billion total unique records. Collection #2-5 now holds the record for the largest data breach collection. Researchers who have analyzed the data have stated that much of the stolen information stems from prior breaches of Yahoo, LinkedIn, and Dropbox. However, the size of this collection gives hackers a better opportunity to use automated tools to log into different websites in the hope that people have reused passwords (credential stuffing). Data dumps like these highlight the importance of good password practices. Having reused, weak, or compromised passwords can amplify the chances of having your account or data stolen. You can check the Hasso-Plattner Institute’s tool to see if you are impacted by the data breach.
Read more about the data dump here