SCF Advanced Search

banner

banner

Members
Stats
  • Total Posts: 38414
  • Total Topics: 12987
  • Online Today: 1045
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)









banner

Author Topic: The Blockchainer tool for hunt down wallets from poorly secured transactions...  (Read 1629 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7526
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum


The engineer behind the Heartbleed checker has created a tool to hunt down wallets from poorly secured transactions that leak private keys.

Filippo Valsorda released the Blockchainer tool to Github following a presentation at the Hack in the Box conference in Malaysia today: https://github.com/FiloSottile/blockchainr

The CloudFlare engineer demonstrated how known flaws in some implementations of the Elliptic Curve Digital Signature Algorithm (ECDSA) have allowed thieves to steal Bitcoins due to factors such as insecure clients or flaws in unpatched browsers.

"I applied a known attack to the real world and showed how you could use ECDSA in a safe way that doesn't need random numbers so that it would not fail scanning the blockchain," Valsorda told Vulture South via Skype.

"I found two really big events where someone probably made an error while writing their client that generated hundreds and hundreds of vulnerable transactions.

"I was able to identify one attacker who stole something like 59 Bitcoins ... targeted the users' browsers that were likely not providing the right random numbers."

That attack happened in August 2013 and was wrongly pinned on Google, he said. Valsorda found some indications that other attackers were scanning and raiding wallets judging by transactions, but could not be conclusive.

"In the research I went over the blockchain to look for mistakes, but the moral was that we should make decisions that by default protect [transactions] when something else fails," he said, adding that the random number should be secret and unique but not necessarily random.

Bitcoin clients Multibit and Electrum received five stars for the correct use of ECDSA, while blockchain.info did not – since it relied on the browser's random number generator.

He stressed this was not a vulnerability in blockchain.info, but rather in the reliance on what could be an unpatched and outdated browser.

Valsorda's tool would scrape for vulnerable Bitcoin transactions and to that end would be helpful to the research community. The researcher found no remaining wallets for raiding and pointed out that attackers could already target those exposed without his script.

"Whoever is developing software has responsibility to users who do not know enough to protect themselves," he said.

His slide deck can be perused here (PDF): http://conference.hitb.org/hitbsecconf2014kul/materials/D1T1%20-%20Filippo%20Valsorda%20-%20Exploiting%20ECDSA%20Failures%20in%20the%20Bitcoin%20Blockchain.pdf

(ElReg)

Samker's Computer Forum - SCforum.info


 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising