- \n
- Two zero-day vulnerabilities hit dozens of Bitcoin-wallet providers.<\/li>\n
- Researchers developed an acoustic keystroke-reading attack.<\/li>\n
- Researchers hacked access to paid Tesla features.<\/li>\n
- Zoom will begin collecting user data to train AI.<\/li>\n<\/ul>\n<\/div>\n
Two zero-day vulnerabilities hit dozens of Bitcoin-wallet providers<\/strong><\/h2>\n
Fireblocks researchers found in the implementation of widely used cryptographic protocols GG18, GG20 and Lindell17 two zero-day vulnerabilities under the umbrella BitForge. The issue affected more than 15 wallet providers using multi-party computation (MPC), including Coinbase, ZenGo and Binance.<\/p>\n
![\"Opera-Snimok_2023-08-11_212338_twitter.com_\"](\"https:\/\/u1f987.com\/wp-content\/uploads\/Opera-Snimok_2023-08-11_212338_twitter.com_.webp\")
Data: X<\/a>. <\/figcaption><\/figure>\n Both vulnerabilities allow attackers to recover seed phrases and steal assets.<\/p>\n
The first of them<\/a> affects GG18 and GG20 threshold-signature schemes, enabling several parties to generate keys and jointly sign transactions.<\/p>\n
\n
“Depending on the implementation parameters, the attacker can send a specially crafted message and extract key shards as 16-bit fragments, thereby obtaining the seed phrase in 16 repetitions,” Fireblocks explained.<\/p>\n<\/blockquote>\n
The second vulnerability<\/a> in the Lindell17 2PC protocol has a similar nature and allows the full private key to be extracted in roughly 200 signing attempts.<\/p>\n
\n
“The issue manifests in improper handling of interrupts by wallets. This forces them to continue signing operations, which inadvertently exposes bits of the private key,” the experts noted.<\/p>\n<\/blockquote>\n
The vulnerabilities were first discovered in May 2023. By the time of writing, Binance, Coinbase and ZenGo had already fixed the issue.<\/p>\n
Fireblocks researchers created a dedicated tool<\/a> to test other wallet providers for risk due to the problematic MPC implementation.<\/p>\n
Researchers hacked access to Tesla\u2019s paid features<\/strong><\/h2>\n
German researchers from the Technical University of Berlin developed a jailbreak technique for the infotainment systems in the latest Tesla models and unlocked paid features of the car, according to Bleeping Computer<\/a>.<\/p>\n
The attack used voltage fluctuations applied to the AMD processor, which serves as the root of trust for the system.<\/p>\n
The resulting root privileges allowed researchers to extract a unique RSA key that Tesla uses to authenticate the car in the service network. They were also able to enable software-locked features, including seat heating and rapid acceleration.<\/p>\n
The jailbreak authors notified the automaker of their findings. The company is working on remediation.<\/p>\n
Interpol dismantled the Phishing-as-a-Service platform 16shop<\/strong><\/h2>\n
During the operation, Interpol shut down the Phishing-as-a-Service platform 16shop, responsible for breaching more than 70,000 individuals in 43 countries.<\/p>\n
Hackers sold phishing kits for between $60 and $150, targeting Apple, PayPal, American Express, Amazon and Cash App accounts. In these attacks, criminals stole email addresses, passwords, IDs, card data and phone numbers.<\/p>\n
Law enforcement arrested the 21-year-old operator of 16shop and detained two of his accomplices in Japan and Indonesia.<\/p>\n
Researchers developed an acoustic keystroke-reading attack<\/strong><\/h2>\n
A group of British researchers developed a side-channel acoustic attack that can read keystrokes recorded on a phone with up to 95% accuracy.<\/p>\n
To train the classifier, the researchers repeatedly pressed keys on a 2021 MacBook Pro, recording the sound on an iPhone 13 mini, and via Zoom and Skype. As a result they obtained spectrograms of the sound waves, visualising differences for each key.<\/p>\n
![\"keystrokes-recording\"](\"https:\/\/u1f987.com\/wp-content\/uploads\/keystrokes-recording.webp\")
Sampling of keystroke sounds. Data: arxiv.org.<\/figcaption><\/figure>\n The attack could lead to leakage of passwords, messages or other confidential information.<\/p>\n
To protect data, researchers recommended changing typing style, using random passwords and applying software audio filters for keystrokes.<\/p>\n
Zoom to start collecting user data for AI training<\/strong><\/h2>\n
The videoconferencing service Zoom added to its terms of service a clause stating its intent to collect call content to train AI models, with no option to opt out of updates, Stack Diary reports.<\/p>\n
![\"Opera-Snimok_2023-08-11_214522_twitter.com_\"](\"https:\/\/u1f987.com\/wp-content\/uploads\/Opera-Snimok_2023-08-11_214522_twitter.com_.webp\")
Data: X<\/a>.<\/figcaption><\/figure>\n However, the service assured users that they will be able to decide for themselves whether to enable AI features and share content during video conferences to improve the product.<\/p>\n
According to the company, the data generated in the course of using the service will remain exclusively in Zoom\u2019s possession.<\/p>\n
Telegram blocked in Iraq<\/strong><\/h2>\n
Iraq\u2019s Ministry of Communications blocked the Telegram messenger “on national security grounds,” Reuters reports.<\/p>\n
Previously the agency had repeatedly, but unsuccessfully, urged the app\u2019s developers to shut down “platforms that leak data from official government agencies and citizens\u2019 personal data.”<\/p>\n
Representatives of Telegram did not comment on the blockage.<\/p>\n
LitRes data breach<\/strong><\/h2>\n
On August 5, an unknown hacker published LitRes e-book service user data, according to the Telegram channel “Information Leaks.”<\/p>\n
More than 3 million rows containing first and last names, 590,000 unique email addresses and hashed passwords were publicly accessible.<\/p>\n
![\"2023-08-11-16.31.28\"](\"https:\/\/u1f987.com\/wp-content\/uploads\/2023-08-11-16.31.28-1024x162.jpg\")
Data: Telegram channel “Information Leaks”.<\/figcaption><\/figure>\n The source claims the full dump contains 97 million rows.<\/p>\n
Earlier, the same hacker leaked information for SberLogistics, the GeekBrains educational portal, and Delivery Club.<\/p>\n
LitRes representatives confirmed the leak, saying that user payment information was not affected. The service began an audit and tightened data storage controls.<\/p>\n
Also on ForkLog:<\/p>\n
- \n
- Sam Bankman-Fried jailed<\/a> before trial, Bloomberg reported a possible guilty plea<\/a> by the former FTX CEO, and Sino Global filed a lawsuit<\/a> against the exchange for $67 million.<\/li>\n
- The XRP price on Gemini surged to $50. The community acknowledged a glitch<\/a>.<\/li>\n
- Argentina opened an investigation<\/a> into Worldcoin, and at the company\u2019s warehouses in Kenya, raids<\/a> took place.<\/li>\n
- Hackers stole over $900,000 through a vulnerability in the wallet-utility<\/a> for Bitcoin wallets.<\/li>\n
- Experts disputed Chainalysis’s evidence<\/a> in the Bitcoin Fog case.<\/li>\n
- The hacker sent part of the bounty to the Ukrainian Armed Forces.<\/li>\n
- In South Korea, the head of the Bitsonic Bitcoin exchange was arrested<\/a>.<\/li>\n
- DEX Cypher lost $1m<\/a> in a hack.<\/li>\n
- The total value of stolen NFTs fell 31%<\/a> in July.<\/li>\n
- The Curve hacker returned part of the stolen assets<\/a>, and the project team offered a $1.85 million reward<\/a> for information about the hacker.<\/li>\n<\/ul>\n
What to read this weekend?<\/strong><\/h2>\n
In a special feature we outline the most common vulnerabilities in cryptocurrency wallets.<\/p>\n","protected":false},"excerpt":{"rendered":"
Here are the week\u2019s most important cybersecurity news.<\/p>\n","protected":false},"author":1,"featured_media":82962,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-82961","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"19","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/82961","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=82961"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/82961\/revisions"}],"predecessor-version":[{"id":82963,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/82961\/revisions\/82963"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/82962"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=82961"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=82961"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=82961"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- The XRP price on Gemini surged to $50. The community acknowledged a glitch<\/a>.<\/li>\n
- Sam Bankman-Fried jailed<\/a> before trial, Bloomberg reported a possible guilty plea<\/a> by the former FTX CEO, and Sino Global filed a lawsuit<\/a> against the exchange for $67 million.<\/li>\n