#cryptofail — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #cryptofail, aggregated by home.social.
-
“Just” a few rogue contractors.
“Just” some sensitive data stolen.
“Just” a $20M ransom.
But don’t worry: no private keys were touched.
↘️
#Coinbase: Fort Knox of Web3… with a revolving door.
#Bitcoin: your ticket to freedom…yes, until you lose your seed phrase and customer support shrugs.
But hey, the YouTube guru called it “inevitable”.🔗 https://www.tomshardware.com/tech-industry/cryptocurrency/crypto-giant-coinbase-falls-prey-to-an-inside-job-expects-up-to-usd400-million-in-losses
#web3 #crypto #bitcoin #blockchain #infosec #techsarcasm #digitalfreedom #cryptofail -
“Just” a few rogue contractors.
“Just” some sensitive data stolen.
“Just” a $20M ransom.
But don’t worry: no private keys were touched.
↘️
#Coinbase: Fort Knox of Web3… with a revolving door.
#Bitcoin: your ticket to freedom…yes, until you lose your seed phrase and customer support shrugs.
But hey, the YouTube guru called it “inevitable”.🔗 https://www.tomshardware.com/tech-industry/cryptocurrency/crypto-giant-coinbase-falls-prey-to-an-inside-job-expects-up-to-usd400-million-in-losses
#web3 #crypto #bitcoin #blockchain #infosec #techsarcasm #digitalfreedom #cryptofail -
“Just” a few rogue contractors.
“Just” some sensitive data stolen.
“Just” a $20M ransom.
But don’t worry: no private keys were touched.
↘️
#Coinbase: Fort Knox of Web3… with a revolving door.
#Bitcoin: your ticket to freedom…yes, until you lose your seed phrase and customer support shrugs.
But hey, the YouTube guru called it “inevitable”.🔗 https://www.tomshardware.com/tech-industry/cryptocurrency/crypto-giant-coinbase-falls-prey-to-an-inside-job-expects-up-to-usd400-million-in-losses
#web3 #crypto #bitcoin #blockchain #infosec #techsarcasm #digitalfreedom #cryptofail -
“Just” a few rogue contractors.
“Just” some sensitive data stolen.
“Just” a $20M ransom.
But don’t worry: no private keys were touched.
↘️
#Coinbase: Fort Knox of Web3… with a revolving door.
#Bitcoin: your ticket to freedom…yes, until you lose your seed phrase and customer support shrugs.
But hey, the YouTube guru called it “inevitable”.🔗 https://www.tomshardware.com/tech-industry/cryptocurrency/crypto-giant-coinbase-falls-prey-to-an-inside-job-expects-up-to-usd400-million-in-losses
#web3 #crypto #bitcoin #blockchain #infosec #techsarcasm #digitalfreedom #cryptofail -
“Just” a few rogue contractors.
“Just” some sensitive data stolen.
“Just” a $20M ransom.
But don’t worry: no private keys were touched.
↘️
#Coinbase: Fort Knox of Web3… with a revolving door.
#Bitcoin: your ticket to freedom…yes, until you lose your seed phrase and customer support shrugs.
But hey, the YouTube guru called it “inevitable”.🔗 https://www.tomshardware.com/tech-industry/cryptocurrency/crypto-giant-coinbase-falls-prey-to-an-inside-job-expects-up-to-usd400-million-in-losses
#web3 #crypto #bitcoin #blockchain #infosec #techsarcasm #digitalfreedom #cryptofail -
#ReverseEngineering of the #SamsungNX social media uploads right from the camera reveals a huge surprise: camera engineers are bad at encryption and #security 🤦🤷
-
#Cryptofail can happen for larger organizations, too: #Microsoft #Office365 email message #encryption (#OME) uses AES cipher in Electronic Code Book (#ECB) mode of operation for protecting the OME encrypted messages.
The ECB mode encrypts plaintext blocks independently, without randomization; therefore, the inspection of any two ciphertext blocks reveals whether or not the corresponding plaintext blocks are equal. What this means is that repeating parts of the message get encrypted to identical values revealing structure of the messages. It also will allow creating “fingerprints” of messages, where the relationship of repeating patterns can be used to infer similarity of different messages.
To make matters worse, in addition of keeping the encrypted message in the email server itself, OME by default also sends the encrypted message as an attachment to the recipient. While email typically does best-effort TLS encryption, in practice email transmission cannot really be considered secure. In practice this means that the poorly encrypted messages can be analyzed by anyone who ever managed to intercept the email message or happens to run into any of the OME encrypted messages at a later date. This allows actors who either have large collection of email traffic or who can access the email messages to analyze messages after the fact.
When I approached Microsoft about this flaw, they awarded me $5000 bug #bounty and then proceeded to do nothing. As far as I know the flaw is still present in Office 365 today. I have no clue why Microsoft refuses to fix this flaw, but I presume the reason is that it would break backwards compatibility.
The included sample images and the corresponding “encrypted” version of it were procured by sending an OME protected message with Outlook and then extracting the image from the RPMSG attachment.
-
@icing I bet.
"Not Invented Here" is extremely dangerous with #cryptography. More often than not it leads to some fatal flaw that totally breaks the intended protection. This is also very dangerous as laymen have no way of understanding if the solution is good or not. They will happily accept the #snakeoil since they have no way of verifying the claims.
Another classic #cryptofail I've seen was using a textbook #RSA to secure 4 digit PIN. That obviously was really stupid as it allowed creating a list of 10000 cipher texts matching the corresponding clear text PIN codes.
-
About a year ago I ran into a #mobile application that claimed to implement a secure message delivery over #SMS. The demonstration video of the application was "interesting": The message was #encrypted and then sent over SMS (notably the message was encrypted first and the recipient was selected only after this). The recipient would then paste the ciphertext to the app on their end to decrypt it. This immediately rang some major alarm bells: They wouldn't just use some fixed encryption key would they?
I wasn't surprised to learn that it was AES in CTR mode with key "12345678901234561234567890123456" and IV "1234567890123456" 🤦 #cryptofail #mistakesweremade #epicfail
-
Note to myself: #Encrypted #backups really suck when you forget your passphrase. I do have a #backup though.
-
Was pleasantly surprised today by https://bugzil.la/524403 being resolved. Only to see it immediately followed up by: "Script error. Ignore." So #Firefox still won't properly protect the database of locally stored passwords, and no plans change this it seems. #cryptofail
-
So somebody built an "unhackable" USB stick that would only unlock with the right iris scan and password. And then a particular USB command makes the device produce the credentials needed to unlock it, as clear text? Fascinating... #cryptofail
-
Dear @acebit, using AES-ECB is 𝘯𝘰𝘵 "Best possible encryption" - it's pretty broken encryption actually. Maybe you should change the way you describe #PasswordDepot? For reference: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_Codebook_(ECB) 1/5
-
He didn't check how they derive the encryption key from your password, so I took a quick look. Apparently, #7zip uses PBKDF2-HMAC-SHA1 with 1000 iterations (hardcoded). In other words, even with the rest of it all implemented flawlessly you better choose a damn strong password if file encryption should be of any use.
-
Michal Stanek over at Twitter did a quick look at the crypto behind #7zip file encryption. Not entirely surprisingly, what he found wasn't pleasant: