Nicehash Hacked To Tune of $66 Million Worth Of Bitcoin

Subject: General Tech | December 6, 2017 - 09:59 PM |
Tagged: nicehash, mining, hack, Cyber Security, bitcoin

In a recent press release cryptocurreny mining market Nicehash revealed that its payment service was hacked and its BTC payment wallet was emptied. While the company did not reveal the exact amount lost, users on Reddit spent the better part of today worried as the service was initially "under maintenance" for 12 hours amidst suspicious transactions on the blockchain that saw 4,736.42 BTC taken from Nicehash and their Nicehash internal wallets reporting zero balances. The company is currently investigating the precise amount stolen, though estimates around the web put it north of $66 million USD worth of the popular cryptocurrency (at time of writing 1 BTC = ~$13970.50).

fdecomlte on flickr.png

Image courtesy fdecomite via Flickr.

Users that mined to an external wallet for an additional fee are out unpaid balances less than 0.01 BTC, but sadly users that mined to an internal wallet have potentially losts hundreds or thousands of mined bitcoin. Also, purchasers of the Nicehash mining service may have lost the BTC that they paid into the service for alt coin hashing power.

"We are fully committed to restoring the NiceHash service with the highest security measures at the earliest opportunity.

We would not exist without our devoted buyers and miners all around the globe. We understand that you will have a lot of questions, and we ask for patience and understanding while we investigate the causes and find the appropriate solutions for the future of the service. We will endeavour to update you at regular intervals."

Nicehash is further recommending that users of its internal wallets change all of their online passwords (especially any that were similar to the one they used on the site) as a precaution.

The full press release is available here.

In all, it is a devastating hack that is another in a series of high profile crypto currency heists that have traditionally left users out money and the company destroyed. Nicehash has indicated that they have reached out to and are cooperating with the relevant authorities, but unless they are able to find the individual(s) responsible and recover the massive amount of bitcoin it is not looking good.

I hope that the bitcoin is able to be recovered or at least that Nicehash is able to do the right think and compensate its users from its own funds.

This high-profile attack further illustrates the need to use safe bitcoin storage practices and to always hold your own private key in an offline wallet (hardware or paper or at least encrypted software wallet you control at a minimum) for long term storage of funds. Your crypto currency is only truly yours when you alone control the private key(s) and you should only transfer and keep coins on other servers (e.g. exchanges) for as long as it takes to transfer them to your bank or as short a time as possible when trading.

What are your thoughts on this? Did you have money in a Nicehash wallet or unpaid mining balance? Do you plan to venture forth and mine on your own?

Source: Nicehash

Protection against Pineapple penetration is important

Subject: General Tech | November 22, 2017 - 12:49 PM |
Tagged: security, wifi, hack, pineapple

Today Slashdot linked to an article about the popular Wi-Fi Pineapple as well as how to defend yourself against what it does.  Depending on what you are using it for, the Wi-Fi Pineapple is either a great tool for penetration testing networks you want to ensure are secure, or a way of gaining access to networks that haven't been fully secured.  It has been around for almost a decade and the hardware is quite simple, the only real difference between it and the wireless router you use is that the Pineapple has multiple radios so it can interface with hundreds of devices simultaneously.  Thanks to the software written for the device, even someone with very little understanding of network security can use it to conduct man in the middle attacks.  Thankfully there are ways to protect yourself from it and other attacks which you can read about by following the links in the Slashdot post.

tactical2_2aef24e4-d7d2-4e25-be13-a696da2b57bc_1024x1024.jpg

"The Wi-Fi Pineapple is a cheap modified wireless router enables anyone to execute sophisticated exploits on Wi-Fi networks with little to no networking expertise. A report in Motherboard explains how it can be used to run a Wall of Sheep and execute a man-in-the-middle attack, as well as how you can protect yourself from Pineapple exploits when you're connected to public Wi-Fi."

Here is some more Tech News from around the web:

Tech Talk

Source: Slashdot

Want another reason to dump that HDD? It can be used as a microphone

Subject: General Tech | October 13, 2017 - 01:01 PM |
Tagged: security, paranoia, microphone, hdd, hack

Some of you may remember the days when it was inadvisable to yell at a HDD array, the latency issue has been mostly overcome with the advances in technology over the last decade.  That does not mean it is completely gone, as the read head in a HDD cannot read from a disk that is oscillating due to external input such as sound, and those tiny delays are how this researcher was able to use the HDD as a low quality microphone.  He also found a tone which created even more latency than in that video; enough to have a system drop the disk as bad.  There are links to the research over at Slashdot, including the new improved way to verbally abuse your storage devices.

index.jpg

"It's not accurate yet to pick up conversations," Ortega told Bleeping Computer in a private conversation. "However, there is research that can recover voice data from very low-quality signals using pattern recognition. I didn't have time to replicate the pattern-recognition portion of that research into mine. However, it's certainly applicable."

Here is some more Tech News from around the web:

Tech Talk

Source: Slashdot

DOOM Guy gets hot and bothered

Subject: General Tech | May 24, 2017 - 02:24 PM |
Tagged: doom, gaming, hack, mod

It's the May Two-Four so you have probably turned down your furnace* and your thermostat has very little to do, so why not play a game of DOOM on it?  Over at Hack a Day you can get a port of Chocolate DOOM which you can set up and run on a Honeywell Prestige thermostat.  The colour may be better than the original but for now you will have to play it without sound, still it is impressive how far hardware has come, even in simple appliances.

doomstat-feat.png

*offer may not be valid in Wyoming

"In his video, [cz7asm] shows us the game running quite nicely on the 480 x 272 LCD with an NES controller plugged into the USB port originally intended for software updates. The thermostat runs on a STM32F429 which is an ARM9 processor that has the juice to pull it off."

Here is some more Tech News from around the web:

Gaming

 

Source: Hack a Day

The winners of the first stage of The HackaDay Prize

Subject: General Tech | May 8, 2017 - 12:19 PM |
Tagged: hack, DIY, nifty

The first of the five rounds of The Hackaday Prize has completed and the winners announced.  This stage is the Design Your Concept stage, often the most important factor in determining the success of the build project you intend to sit out on.  The winners are an eclectic bunch, from heart monitoring devices to printing bones on a 3D printer to a hand portable braille printing press.  It is worth taking a look at these, even if the project does not strike your fancy you can learn a lot on how the create an effective design of a concept for your own projects.  There are still four more rounds to go so expect even more interesting designs over the coming weeks,

designfinalists.png

"Today we’re excited to announce the winners of the Design Your Concept phase of The Hackaday Prize. These projects just won $1000 USD, and will move on to the final round this fall."

Here is some more Tech News from around the web:

Tech Talk

Source: Hack a Day

Hack your NES Classic ... carefully

Subject: General Tech | January 10, 2017 - 12:34 PM |
Tagged: Nintendo, NES Classic, hack

The newly released Nintendo NES Classic shipped with 30 classic old games baked into its retrotacular ROMs.  It has now been hacked to be able to play any old game ROM you happen to be able to get your hands on, though of course you will have to make space as the storage capacity of this console is quite limited.  There are several caveats to this of course, ROMs are called read only for a reason and rooting around in them can lead to unintended and possibly permanent consequences.  There is also the source of your ROM to be considered, they tend to come from sources which could be considered slightly less than legitimate.  If you are still interested take a peek over at The Inquirer.

ZsZPuyZ.jpg

"It was Russian retro gaming community GBX and a modder called Madmonkey that cracked the rebooted console, and it was Reddit users that seized on the opportunity, to give the hack a go."

Here is some more Tech News from around the web:

Tech Talk

Source: The Inquirer

Friends don't let friends perform unattended updates ... or Bitlocker be broken

Subject: General Tech | November 30, 2016 - 02:10 PM |
Tagged: bitlocker, microsoft, windows 10, security, hack

Is Bitlocker cramping your voyeuristic cravings and preventing you from snooping on your loved ones or strangers?  Assuming you do not instead seek medical help for your problem, all you need to do is wait for Windows to perform a version update and for the user to get bored and walk away.  Hop onto their machine and press SHIFT+F10 to get a command prompt which will be running at root privileges and take advantage of the fact that Windows disables Bitlocker while installing an updated version of Windows.  This will not work for all updates, it needs to be a major OS update such as the move to Anniversary Edition which changes the version of Windows installed on the machine.

Microsoft is working on a fix, in the meantime sticking with Windows Long Term Service Branch or slighly modifying how updates are pushed via WSUS or SCCM will ensure this vulnerability cannot be leveraged.  You can also take the simple measure of sticking around when major updates occur.  Pop over to Slashdot for more information.

windows-10-update-stuck-at-32.jpg

"This [update procedure] has a feature for troubleshooting that allows you to press SHIFT + F10 to get a Command Prompt," Laiho writes on his blog. "The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine." Laiho informed Microsoft of the issue and the company is apparently working on a fix."

Here is some more Tech News from around the web:

Tech Talk

Source: Slashdot

Tesla stores your Owner Authentication token in plain text ... which leads to a bad Ashton Kutcher movie

Subject: General Tech | November 25, 2016 - 12:52 PM |
Tagged: Android, Malware, hack, tesla, security

You might expect better from Tesla and Elon Musk but apparently you would be dissappointed as the OAuth token in your cars mobile app is stored in plain text.  The token is used to control your Tesla and is generated when you enter in your username and password.  It is good for 90 days, after which it requires you to log in again so a new token can be created.  Unfortunately, since that token is stored as plain text, someone who gains access to your Android phone can use that token to open your cars doors, start the engine and drive away.  Getting an Android user to install a malicious app which would allow someone to take over their device has proven depressingly easy.  Comments on Slashdot suggest it is unreasonable to blame Tesla for security issues in your devices OS, which is hard to argue; on the other hand it is impossible for Telsa to defend choosing to store your OAuth in plain text.

images.jpg

"By leveraging security flaws in the Tesla Android app, an attacker can steal Tesla cars. The only hard part is tricking Tesla owners into installing an Android app on their phones, which isn't that difficult according to a demo video from Norwegian firm Promon. This malicious app can use many of the freely available Android rooting exploits to take over the user's phone, steal the OAuth token from the Tesla app and the user's login credentials."

Here is some more Tech News from around the web:

Tech Talk

Source: Slashdot

Have tape over your webcam? Might want to fill your headphones with wax as well!

Subject: General Tech | November 24, 2016 - 12:35 PM |
Tagged: security, hack, audio, Realtec

Security researchers have discovered a way to flip an output channel on onboard Realtec audio into an input channel, thus turning your headphones into an unpowered microphone.  The ability of a speaker or headphone to be used as a microphone is not news to anyone who has played around with headphones or input jacks, but it is possible some readers had deprived childhoods and have never tried this.  While you cannot mitigate this vulnerability permanently you could certainly notice it as your headphones would no longer play audio if the port is configured as input. 

Drop by Slashdot a link, and if you have never tried this out before you really should find an old pair of headphones and experiment with ports as well as snipping off one side of a pair of earbuds.  One supposes iPhone 7 users need not worry.

main-qimg-6c2713171e56fb4f0dda88717a6faae7-c.jpg

"In short, the headphones were nearly as good as an unpowered microphone at picking up audio in a room. It essentially "retasks" the RealTek audio codec chip output found in many desktop computers into an input channel. This means you can plug your headphones into a seemingly output-only jack and hackers can still listen in. This isn't a driver fix, either."

Here is some more Tech News from around the web:

Tech Talk

Source: Slashdot

Touchless jackpotting, making ATM's disgorge their contents remotely

Subject: General Tech | November 23, 2016 - 12:50 PM |
Tagged: hack, bank, atm, security, cobalt

Imagine walking down the street, only to notice an ATM spewing money out of its slots and into a bag held by a shady looking character; but not in a video game.  In at least 14 countries including Russia, the UK, the Netherlands and Malaysia, hackers are using a program dubbed Cobalt to conduct remote logical attacks on ATMs.  These attacks cause the ATM to empty itself, into the waiting hands of an accomplice who only needs to show up at the appropriate time.  As the attacks are conducted remotely the mule may have only the slightest connection to the hackers that compromised the banking system which makes them very hard to catch.  The Inquirer has links to more information on Cobalt, unfortunately they do not have any details on fortunate times or locations to be present at.

ATM-hack.jpg

"HACKERS HAVE MANAGED to hack cash machines so that they do what everyone who has ever used one has wanted them to do, which is just spit out cash like it was going out of fashion."

Here is some more Tech News from around the web:

Tech Talk

Source: The Inquirer