security Archives -
President Trump is getting his third national security adviser in the first 14 months of his presidency, Reuters reports. Current national security adviser Lt. Gen. HR McMaster is resigning, to be replaced by John Bolton on April 9. “I am very thankful for the service of General H.R. McMaster…
National-security concerns surrounding China’s Huawei Technologies—the world’s biggest supplier of wireless equipment and No. 3 vendor of smartphones—are spreading to key allies.
WSJ.com: What’s News Asia
Facebook CEO Mark Zuckerberg breaks silence on data scandal: ‘We don’t deserve to serve you’ without security
March 21, 2018 | dailybusinessnews
Facebook CEO and co-founder Mark Zuckerberg on Thursday broke his silence regarding the social media site’s role in what he called the “Cambridge Analytica situation,” in which the research firm allegedly accessed 50 million Facebook user profiles improperly.
Hardware wallet manufacturer Ledger has published a firmware update to remedy several security flaws. The exploits were independently found by a trio of white hat security researchers, one of whom, Saleem Rashid, is a 15-year-old British boy. The attack vector he discovered is hardware based, and is not limited to Ledger devices, making it difficult to mitigate altogether via software alone.
Ledger at Loggerheads with Security Researcher Who Found Flaw
On March 20, Ledger released an update to its firmware, 1.4.1, accompanied by a blog post that promised “a deep dive into security fixes”. It began: “Following a transparent and responsible disclosure process, we are giving a full detailed assessment of the fixed attack vectors that the Firmware 1.4 patches, which were initially reported by three security researchers. As the publication of these technical details might elevate the threat level of non-patched devices, we strongly encourage our users to update their firmware”.
It is the exploit discovered by Saleem Rashid that’s gathered the most attention, both on account of his tender age, and his publication today of a detailed explainer on how he achieved the feat. “An attacker can exploit this vulnerability to compromise the device before the user receives it, or to steal private keys from the device physically or, in some scenarios, remotely,” Rashid explains. “I have demonstrated this attack on a real Ledger Nano S. Furthermore, I sent the source code to Ledger a few months ago, so they could reproduce it.” He also told a security blog that “[Ledger] make it so easy to open the device that you can take your fingernail and open it up [to tamper with it]”.
White Hat Hacker Forgoes His Bounty
Ledger says the security researchers were asked to sign a Bounty Program Reward Agreement as one of the conditions of being remunerated for their efforts, while noting that this doesn’t prevent the researchers from publishing their own reports. Ledger’s post is worded in such a way as to suggest all three researchers were happy to comply with this agreement, but that’s not entirely true. Rashid actually forwent his bounty reward, explaining:
I have not been paid a bounty by Ledger because their responsible disclosure agreement would have prevented me from publishing this technical report. I chose to publish this report in lieu of receiving a bounty from Ledger, mainly because Eric Larchevêque, Ledger’s CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of this I became concerned that this vulnerability would not be properly explained to customers.
The teen researcher is of the opinion that Ledger were seeking to downplay the seriousness of the exploit he’d uncovered. Publishing a full and frank report of how he broke the Ledger wallet, and giving up his right to a reward, hasn’t done his reputation or his Twitter follower count any harm either. Saleem Rashid is clever beyond his years, and his article on the exploit is lengthy but fascinating for anyone with an interest in such matters.
Your Cryptocurrency Hardware Wallet Is Safe
One matter in danger of getting lost amidst all this is the practical status of Ledger wallets for their users. Cryptographer Matthew Green posted a tweetstorm in response to Rashid’s blog, exploring the difficulty of fully preventing hardware-based attacks of this nature. He finishes, reassuringly: “Nothing in the post or thread above means you should freak out about these vulns, or that you should assume other wallets are better. Just be safe.” Ledger users should update to the latest firmware, but there is no cause for alarm. Attacks such as the one demonstrated by Saleem Rashid show the difficulty of creating a device that is immune from all known forms of attack.
The post 15-Year-Old Security Researcher Shares Ledger Wallet Exploit appeared first on Bitcoin News.
A group of former students defrauded by for-profit colleges is alleging in court that the Education Department illegally obtained and used their Social Security data to limit their student loan relief.
The Education Department announced in December that it will start granting some former students…
Yes, Cambridge Analytica, the data analysis firm that helped Donald Trump win the 2016 election, violated rules when it obtained information from some 50 million Facebook profiles, the social media company acknowledged late Friday. But the data came from someone who didn’t hack the system: a professor…
France’s minister for overseas territories has announced an emergency plan to improve security on the French island of Mayotte following weeks of street protests.
President Donald Trump blocks Broadcom’s $117 billion hostile offer for Qualcomm over national-security concerns, quashing what would have been the biggest-ever tech deal.
WSJ.com: What’s News Asia
President Donald Trump is blocking Singapore-based Broadcom’s takeover of US chipmaker Qualcomm on national security grounds, the AP reports. The White House says Trump is taking the action on the recommendation of the Committee on Foreign Investment in the United States, which reviews foreign purchases of US entities. Broadcom made…
A union representing California law enforcement officers wants security personnel at state hospitals and veterans facilities to be armed following Friday’s slayings at a veterans home in Yountville.