Robert Hackett
Good afternoon, Cyber Saturday readers.
In honor of “blockchain week,” which is kicking off in New York City, I’ve been thinking about the security of smart contracts, self-executing computer programs designed to encode business relationships. A smart contract might codify, for example, an agreement like this: If Justify, a racehorse, wins the Kentucky Derby, pay $10 in Bitcoin to some lucky fellow’s digital wallet. The code eliminates the need for a bookie.
Now imagine a future in which such contracts automate tasks once relegated to lawyers, pencil-pushers, and other intermediary parties. Blockchain boosters dream of a day when they can route around middlemen with these sorts of self-driving computer programs, thereby making markets more efficient, so the thinking goes. There’s a snag though: Smart contracts are software applications, and software applications have bugs.
Sometimes, as with The DAO, an ill-fated, decentralized venture capital fund built on Ethereum, a popular cryptocurrency network, those bugs can be ruinous. Hackers stole $50 million in cryptocurrency from the project in 2016 thanks to a simple “reentrancy” flaw. The bug allowed an attacker, or group of attackers, to continually withdraw money from the smart contract-powered organization until its coffers had been thoroughly pilfered.
Similar flubs abound in the field of cryptocurrency. Chris Wysopal, cofounder and chief technologist at Veracode, an application security shop bought by CA Technologies for $614 million in cash last year, gave a keynote talk at Collision conference in New Orleans earlier this month in which he provided an overview of the security challenges posed by smart contracts. “The blockchain is really secure, but the things that have to interact with it, those things aren’t secure,” Wysopal told the audience. “It’s probably one of the toughest problems right now” in security, he said.
Although I did not catch Wysopal’s talk in person (you can watch it here), I chatted with him afterward at B.B. King Blues Club and Grill and in between jazz sets at various bars along Frenchman Street. He said that if he were a thief, smart contracts are where he would focus the majority of his attention and energy today. Target the youngest projects with the worst quality assurance processes, the highest valuations, and the weakest defenses. It’s a recipe for success; in this world, baddies no longer have to worry about monetizing the data they steal. They can steal (virtual) money itself.
If you happen to be in New York for blockchain week, temper your enthusiasm with that alarum. It’s what the smartest folks will do.
Have a great weekend.
Robert Hackett
@rhhackett
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’sdaily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
THREATS
Smacked down. Symantec’s market value collapsed by a third after the antivirus maker disclosed an internal investigation prompted by a whistleblower. “The Company’s financial results and guidance may be subject to change based on the outcome of the Audit Committee investigation,” Symantec said in its statement accompanying its annual earnings report. It’s unclear what the investigation concerns, although the company clarified that it is not related to a security breach.
Equifax…again. Just when you thought the credit bureau had moved on from its data breach, Equifax said in an SEC filing that tens of thousands of more consumers records were compromised in its 2017 data breach. Hackers accessed photos of 38,000 driver’s licenses, 12,000 Social Security or taxpayer ID cards, 3,200 passports, and 3,000 other ID documents, the company said. And so the blast radius continues to widen.
Secret tweets. Twitter is reportedly testing end-to-end encrypted Direct Messages. A computer science student noticed the experimental feature embedded in a package of code for Twitter’s Android application, the sort of place where tech companies tend to drop to-be-released updates early. It remains to be seen whether the company will roll the feature out publicly as rivals, like Facebook, already have.
Mixed signals. Due to an idiosyncrasy in the way Mac operating systems handle app notifications, messages sent via the encrypted chat app Signal appear to be recorded indefinitely in the memory of Apple computers, security researchers have warned. The bug could cause a log of conversations that had supposedly self-destructed or been deleted to persist.
Fool me three times…
Share today’s Data Sheet with a friend:
http://fortune.com/newsletter/datasheet/
Looking for previous Data Sheets? Click here.
ACCESS GRANTED
Have we learned nothing? Despite fixes being available, thousands of businesses are still downloading vulnerable versions of Apache Struts, the software hackers exploited to loot Equifax. While it’s hard to say whether companies are using this code in production, it is likely that many are. One would think that businesses would have learned from Equifax’s mistake by now. Apparently not.
When the news emerged that Equifax had succumbed to a colossal data breach from mid-May through July of last year, consumers were livid—in part because the ransacking was entirely preventable. Hackers stole 148 million people’s names, Social Security numbers, birthdates, home addresses, and more sensitive information, as of the major credit bureau’s last count in March, and worse yet, it happened two months after software fixes for the vulnerabilities at fault had been made available.
In the year since, thousands of companies have continued to introduce the same security holes into their computer networks.
FORTUNE RECON
How Relying on Oil Makes Us More Vulnerable to Cyberattacks, by Nathan Sproul
How China’s Laser Attacks on the U.S. Military Could Cause a Serious Conflict, by Andrew Shear
Facebook Found 3,000 Russia-Linked Election Ads. Now House Democrats Are Planning to Release Them, by Natasha Bach
Undetectable Commands for Apple’s Siri and Amazon’s Alexa Raise Serious Security Risks, by Chris Morris
The U.S. Navy Revives Second Fleet to Counter Russian Aggression, by David Z. Morris
ONE MORE THING
You can’t handle the truth. A recently published study conducted at Harvard Business School found that online ads were less effective on people who were told they were targeted based on tracking activity on other websites. Advertisers who disclose their privacy-intrusive methods turn off consumers. “If you track people across the internet, as Facebook routinely does, and admit that fact to them, the transparency will poison the resulting ads,” writes The Intercept.
Robert Hackett May 12, 2018的下午好,网络星期六读者。为庆祝WPAP60300 4QTEBLAMOLD周,WPAP60300 6QTE在纽约开张,IWPA60607QTEVE一直在思考智能合同的安全性,自我执行的计算机程序,用于编码业务关系。一个聪明的合同可能会编纂,例如,这样的协议:如果一个赛马,赢得肯塔基德比,支付10美元的比特币一些幸运FuxWAPP60300 7QTES数字钱包。该代码消除了对Booee的需求。现在设想一个未来,这样的合同一旦被委托给律师、铅笔推销员和其他中介方就自动完成任务。封锁链助推器梦想有一天他们可以绕过中间人,通过这些自我驱动的计算机程序,从而使市场更有效率,所以思考就这样。但是,智能合同是软件应用程序,软件应用程序有漏洞。有时,和道一样,一个不幸的、分散的风险投资基金建立在EthUM上,这是一个流行的密码网络,这些错误可能是毁灭性的。由于一个简单的WPA60304QTELeNETCURWPAP60300 6QTE缺陷,黑客从2016的项目中窃取了5000万美元的密码。该漏洞允许攻击者或一组攻击者继续从智能合同驱动组织撤回资金,直到其财宝被彻底窃取。类似的流质在隐匿性的领域中大量存在。Chris Wysopal,合作者和首席技术专家ValaCod,一个应用安全商店去年由CA技术公司以6亿1400万美元现金购买,在本月早些时候在新奥尔良举行的碰撞会议上发表了主题演讲。聪明的合同。WPA60604QTETs链链是真正安全的,但必须与之互动的东西,这些东西ARPWAP60300 7QTET安全,WPA60606QTE Wysopar告诉观众。WPA60304QTEITWPAP60300 7QTES可能是目前最安全的问题之一WPAP60300 6QTE安全,他说。虽然我没有亲自接听WysopalWPAP60300 7QTES(你可以在这里看),但我后来在B.B. King Blues Club and Grill布鲁斯酒吧和法国人街的各个酒吧之间与爵士聊天。他说,如果他是小偷,聪明的合同是他今天将集中精力和精力的地方。以最差的质量保证过程、最高的估价和最薄弱的防御为目标。ITWPA60607QTES是一个成功的秘诀;在这个世界上,坏人不再需要担心他们偷窃的数据货币化。他们可以偷(虚拟)钱本身。如果你碰巧在纽约参加BigStand周,那就用你的热情锻炼你的热情。ITWPA60607QTES最聪明的人会做什么。周末愉快。Robert Hackett @ RHHACKET.RoB.HKETTTHORY.COM欢迎来到网络星期六版的数据表,FuntWAPP60300 7QTESMENT技术通讯。财富报记者Robert Hackett在这里。您可以通过Twitter、Cryptocat、JabbER(见OTR指纹在我的.me)、PGP加密电子邮件(见我的KiBase.IO)上的公钥、WIKR、信号,或者您(安全地)访问Robert Hackett。欢迎反馈。威胁猛击SyMtTeCWPAP60300 7QTE市场价值下跌了第三,在反病毒制造商披露了一个由告密者提示的内部调查后。“该公司的财务结果和指导可能会根据审计委员会调查的结果而改变,”赛门铁克说。在其年度收益报告的声明中。ITWPA60607QTES不清楚调查涉及什么,尽管该公司澄清它与安全漏洞无关。当你认为信用局已经从数据泄露中走出来时,EICIFAX在一个SEC文件中说,成千上万的消费者记录在2017次数据泄露中遭到破坏。黑客们访问了38000个驾照,12000个社会保险的照片。该公司表示,这是纳税人的身份证、3200张护照和3000份身份证件。爆炸半径继续扩大。秘密鸣叫。据报道,Twitter测试端到端加密的直接消息。一位计算机科学的学生注意到了一个嵌入Twitter WPUP60300 7QTE Android应用程序的代码包中的实验特性,这是技术公司倾向于提前发布更新的地方。这家公司是否会像脸谱网这样的竞争对手公开展示这一特性还需拭目以待。混合信号。由于MAC操作系统处理APP通知的特殊性,通过加密聊天应用程序信号发送的消息似乎会无限期地记录在苹果计算机的内存中,安全研究人员警告。这个bug可能会导致一个原本被自毁或被删除的对话日志。愚弄我三天PAP603015QTE分享今天WPA60607QTES数据表与朋友:HTTP://FUNIT.COM/NeXLTETR/DATSHETET/寻找以前的数据表?点击这里。广告准许访问我们什么也没学到吗?尽管修复是可用的,但成千上万的企业仍在下载易受攻击的Apache Struts版本,这些软件黑客被用来掠夺Edimax。虽然ITWPA60307QTES很难说公司是否在生产中使用这一代码,但很有可能是很多。人们会认为,企业现在已经从ErimaXAWPAP60300 7QTES错误中吸取了教训。显然不是。当消息出现时,Erimax已经从去年5月中旬到去年七月屈服于一个巨大的数据泄露,部分消费者因为被洗劫完全可以预防。黑客窃取了1亿4800万人的姓名、社会保险号码、出生日期、住址和更敏感的信息,就像3月份主要信用局的最后一次统计数字一样,更糟糕的是,这两个月发生在软件错误的漏洞修复之后。在过去的一年中,成千上万的公司继续在他们的计算机网络中引入同样的安全漏洞。财富侦察 如何依赖石油使我们更容易受到网络攻击,由弥敦SpRoul如何中国PAP60300 7QTES激光攻击U美国军方可能会引起严重的冲突,安得烈剪切脸谱网发现了3000个与俄罗斯有关的选举广告。现在众议院民主党人正计划释放他们,因为Natasha Bach对APIE WAPP60607QTES SIRI和AxaMnWAPP60的检测不到命令。Alexa公司提出了严重的安全风险,由克里斯·莫里斯,美国海军恢复第二舰队对抗RU。
SPONSORED FINANCIAL CONTENT
You May Like
赞助财务内容你可能喜欢