Tag Archive for: Ledger

How the Ledger Connect hacker tricked users into making malicious approvals


The ‘Ledger hacker’ who siphoned away at least $484,000 from multiple Web3 apps on Dec. 14 did so by tricking Web3 users into making malicious token approvals, according to the team behind blockchain security platform Cyvers.

According to public statements made by multiple parties involved, the hack occurred on the morning of Dec. 14. The attacker used a phishing exploit to compromise the computer of a former Ledger employee, gaining access to the employee’s node package manager javascript (NPMJS) account.

Once they gained access, they uploaded a malicious update to Ledger Connect’s GitHub repo. Ledger Connect is a commonly used package for Web3 applications.

Some Web3 apps upgraded to the new version, causing their apps to distribute the malicious code to users’ browsers. Web3 apps Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash were infected with the code.

As a result, the attacker was able to siphon away at least $484,000 from users of these apps. Other apps may be affected as well, and experts have warned that the vulnerability may affect the entire Ethereum Virtual Machine (EVM) ecosystem.

How it could have happened

Speaking to Cointelegraph, Cyvers CEO Deddy Lavid, chief technology officer Meir Dolev, and blockchain analyst Hakal Unal shed further light on how the attack may have occurred.

According to them, the attacker likely used malicious code to display confusing transaction data in the user’s wallet, leading the user to approve transactions they didn’t intend to.

When developers create Web3 apps, they use open-source “connect kits” to allow their apps to connect with users’ wallets, Dolev stated. These kits are stock pieces of code that can be installed in multiple apps, allowing them to handle the connection process without needing to spend time writing code. Ledger’s connect kit is one of the options available to handle this task.


ERI’s John Shegerian Describes the Dangers of Hardware Hacking and the “Insecurity of Everything” on Security Ledger Podcast


Press release content from Business Wire. The AP news staff was not involved in its creation.

FRESNO, Calif.–(BUSINESS WIRE)–Sep 23, 2021–

John Shegerian, Chairman/CEO of ERI, the nation’s leading fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company, is a featured guest on the current episode of the “Security Ledger” podcast.

The show, hosted by Paul F. Roberts, the founder and Editor in Chief of The Security Ledger, an independent security news and analysis publication that explores the intersection of cyber security with the Internet of Things, features interviews with leading minds in the area of cyber security, threats and attacks. The Security Ledger is an independent security news website that explores the intersection of cyber security with business, commerce, politics and everyday life. Security Ledger provides well-reported and context-rich news and opinion about computer security topics that matter in our IP-enabled homes, workplaces and daily lives.

In the current episode, Shegerian discusses his latest book, The Insecurity of Everything, and the various aspects of hardware security that are often overlooked in today’s society by consumers and businesses alike.

“It was an honor to talk with Paul and be featured on his excellent and informative podcast, the Security Ledger, sharing information on one of the most critical and pressing issues in the world today – the hardware hacking of private data,” said Shegerian. “Protection of privacy has become a greater issue than ever before. It is important that we share vital best practices for protecting digital privacy and security with the cybersecurity community and beyond.”

ERI is the largest fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company in the United States. ERI is certified at the highest level by all leading environmental and data security oversight organizations to de-manufacture, recycle, and refurbish every type of electronic device in an…


IBM led consortium wins $3.2 million German Digital Health Passport contract – Ledger Insights


Yesterday German press reported that a consortium led by IBM, including blockchain cybersecurity firm Ubirch, won the tender for digital vaccination certificates in Germany. The two firms beat competition from a joint initiative by Deutsche Telekom and SAP. According to the Official EU Journal, the award is €2.7 million ($3.2 million), but IBM will subcontract 51% of the project.

The initiative is to create a digital version of yellow vaccine certificates. 

Frankfurter Allgemeine Zeitung reported that other consortium participants include Bechtle and Govdigital, which is a cooperative of 15 IT providers. In January, Ubirch and Govdigital were involved in a regional project in the Bavarian district of Altötting. It’s unclear whether that solution used IBM’s Digital Health Pass. 

A key feature of the regional trial was to issue a physical card, similar to a credit card but displaying a QR code. Given the first vaccines were provided to older people, the card proved popular. The QR code encodes personal information such as the name, ID and the details of the vaccination, and anyone scanning the code sees the information. The data is not saved elsewhere and the vaccine recipient can store the data on a mobile phone. When the QR code is created, a hash or fingerprint of the data is stored on a blockchain.

A similar solution for Corona test certificates has already been deployed by Ubirch at Frankfurt Airport, Berlin, Hamburg and Düsseldorf. For that, Ubirch partnered with Govdigital and Lufthansa Industry Solutions.

Ubirch positions itself as an IoT cybersecurity firm. It claims it created the world’s first blockchain-on-a-SIM solution together with 1NCE and G+D Mobile Security, a firm known as a currency solution provider to central banks.

Meanwhile, IBM’s Digital Health Pass solution is currently being trialed by the State of New York. It uses a mobile phone app and blockchain for verifiable credentials. 

There are a variety of solutions in the marketplace for COVID-19 health certificates. And airlines, in particular, are keen to adopt them. The solutions include GE Digital’s TrustOne app, IATA’s Travel Pass platform, and the 


Ledger Adds Bitcoin Bounty and New Data Security After Hack


Matt Johnson, Ledger’s new Chief Information Security Officer (CISO), had no choice but to hit the ground not just running but, well, sprinting. His first week of work entailed scrutinizing the fallout from an extensive data dump of customer information, among other areas such as data security and increased attacks that would come as a byproduct of bitcoin pumping. 

In the aftermath of the largest hack in company history, and a little over a week after Johnson started, the hardware wallet company Ledger has announced its first measures to address the data breach and ensure such a hack doesn’t happen again. 

These include working with blockchain analytics firm Chainalysis to hunt the hackers, offering a 10 BTC bounty for information leading to the hacker’s arrest and creating a comprehensive review of what information the company holds onto, where it’s stored and how long it’s retained. 

The Ledger hack

Ledger publicly revealed that customer information had been compromised in July 2020. At the time, the company estimated 9,500 customers had been affected by the hack. In the following months, CoinDesk documented a string of convincing phishing attempts executed by the hackers, including emails that mimicked official Ledger correspondence and text messages. 

Then, in December 2020, a data dump “exposed 1 million email addresses and 272,000 names, mailing addresses and phone numbers belonging to people who had ordered Ledger’s devices, which store the private keys for cryptocurrency wallets,” as CoinDesk reported. The number of people affected was much higher than the original estimate of 9,500.

A rash of SIM swaps were reported in the days following the data dump and some customers started getting extortion emails, including threats of violence. 

Now, Ledger has released new information about the hack, revealing that it was likely due, in part, to rogue actors at Shopify, its e-commerce partner at the time. 

Shopify’s rogue agents

On Dec. 23, 2020, Ledger was notified by Shopify of an incident “involving merchant data in which rogue member(s) of their support team obtained customer transactional records, including Ledger’s. The agent(s) illegally exported…
