Archive for December 31, 2018

Hackers pocketed $878,000 from cryptocurrency bug bounties in 2018

While hardcore cryptocurrency enthusiasts often tout blockchain for its heightened security, the technology is not perfect – and there are often tons of vulnerabilities in the code. Indeed, blockchain companies have received at least 3,000 vulnerability reports in 2018 alone.

According to stats from breach disclosure platform HackerOne, blockchain companies awarded $878,504 in bug bounties to hackers this year. The data was compiled in mid-December. By contrast, the total sum of bug bounties awarded by August was $600,000.

With $534,500 awarded, EOS creator Block.one accounts for more than 60 percent of all bounties handed out in 2018.

Here are the top three programs by all-time bug bounty rewards (note that this includes bounties paid before 2018):

Block.one – $534,500
Coinbase – $290,381
TRON – $76,200

While cryptocurrency exchange desk Coinbase comes in second (with $290,381 in bug bounties), it’s been running a disclosure program since 2014. Block.one launched its disclosure program for EOS at the end of May. Shortly after that, one single hacker claimed $120,000 in bug bounties from Block.one in less than a week.

“Nearly 4 percent of all bounties awarded on HackerOne in 2018 were from blockchain and cryptocurrency companies,” a HackerOne spokesperson told Hard Fork.

Still, it seems blockchain companies remunerate hackers slightly better than other industries on HackerOne.

“The average bounty for all blockchain companies in 2018 was $1490, which is higher than the Q4 platform average of around $900,” the spokesperson added. “One of the top paid crypto hackers earned 7X the median software engineer salary in their country.”

The blockchain bug problem is bigger than it seems.

HackerOne told Hard Fork there are currently 64 blockchain companies on its platform. For context, there are more than 2,000 cryptocurrency companies out there, so the real number of vulnerabilities is likely significantly higher.

Google Wins a Dismissal of a Lawsuit over the Biometric Privacy Act


The world's largest search engine faced a lawsuit filed by its users, alleging that Google had violated their privacy by using facial recognition software to examine their photos without their consent.

U.S. District Judge Edmond E. Chang in Chicago dismissed it, citing an absence of "concrete injuries" to the plaintiffs.

The original suit was filed in March 2016: a user sued Google for allegedly uploading their information to Google Photos, running it through facial recognition software and scanning it to create a template of their face without their permission, in violation of a unique Illinois law.

Google is not the only well-known company to be sued under the law (Snapchat and Facebook have faced lawsuits over the same statute), but it is the first to win a dismissal of a lawsuit over the Biometric Privacy Act.

Google's win comes in the midst of public backlash against the U.S. technology giants over misuse of user information and increased scrutiny of their privacy policies.

‘Ethical Hackers’ warning medical professionals about cyberattacks


According to cybersecurity experts, whenever a medical device is connected to a wider network or to the internet, cybersecurity should be a primary concern. However, many medical professionals are oblivious to the threat that cyber attacks pose to patient safety.

Various medical devices used in patient care, such as insulin pumps, CT scanners, pacemakers and imaging devices, are vulnerable to hacks and can potentially be exploited by attackers.

An example of such an attack appears in the tenth episode of season 2 of the Showtime television show "Homeland", in which the character playing the vice president of the U.S. is murdered through a remote attack on his pacemaker.

That fictional attack was called an "accurate portrayal of what was possible" by former vice president Dick Cheney in a conversation with "60 Minutes".

As Cheney told the CBS news show, in 2007 he had to have his implanted defibrillator replaced. During the replacement operation, fearing that a terrorist could assassinate the vice president, his doctor asked the manufacturer to disable the device's wireless feature so that it was protected against malicious signals.

Putting the risk in perspective, ethical hackers noted that the benefits of pacemakers and other medical devices, which can save thousands of lives, still outweigh the risk of a cyber attack, and said they do not want patients scared to the point where they do not even consider getting a lifesaving device.

That said, patients and doctors should stay alert and take the necessary precautions, as any device with network connectivity is vulnerable to tampering and is therefore a potential target.

Dr. Christian Dameff, a clinical informatics fellow at the University of California San Diego, put it this way: "I come from a generation of doctors that never used paper charts. We are so dependent on the technology," Dameff said.

"We need to make doctors realize how dependent they are on this technology and to have a backup plan if it should fail because what we don't want is for patient care to suffer."

In 2017, reflecting on the vulnerable state of health care, the Health Care Industry Cybersecurity Task Force issued a report addressing the "growing challenge of cyber attacks targeting health care."

"All medical devices face a certain amount of cybersecurity risk. The risk of potential cybersecurity threats increases as more medical devices use software and are connected to the Internet, hospital networks, and other medical devices," reads the report.

A software that can clone anyone’s voice

Using snippets of voices, Baidu's ‘Deep Voice’ can generate new speech, accents, and tones.

With just 3.7 seconds of audio, a new AI algorithm developed by Chinese tech giant Baidu can clone a pretty believable fake voice. Much like the rapid development of machine learning software that democratized the creation of fake videos, this research shows why it's getting harder to believe any piece of media on the internet.

Researchers at the tech giant unveiled their latest advancement in Deep Voice, a system developed for cloning voices. A year ago, the technology needed around 30 minutes of audio to create a new, fake audio clip. Now, it can create even better results with just a few seconds of training material.

Of course, the more training samples it gets, the better the output: One-source results still sound a bit garbled, but it doesn’t sound much worse than a low-quality audio file might.

The system can change a female voice to male, and a British accent to an American one—demonstrating that AI can learn to mimic different styles of speaking, personalizing text-to-speech to a new level. “Voice cloning is expected to have significant applications in the direction of personalization in human-machine interfaces,” the researchers write in a Baidu blog article on the study.

This iteration of Deep Voice marks yet another development in AI-generated voice mimicry in recent years. Adobe demonstrated its VoCo software in 2016, which could generate speech from text after 20 minutes of listening to a voice. Montreal-based AI startup Lyrebird claims it can do text-to-speech using just one minute of audio.

These technologies represent the kind of leaps in the advancement of AI that researchers and theorists raised concerns around when deepfakes democratized machine learning-generated videos. If all that’s needed is a few seconds of someone’s voice and a dataset of their face, it becomes relatively simple to fabricate an entire interview, press conference, or news segment.

Cyber Police of Ukraine destroyed one of the sites in DarkNet for the sale of personal data

As part of an international cooperation effort, the Cyber Police of Ukraine detained a group of hackers who stole the personal information of social network users and sold it on one of the most well-known DarkNet online platforms.

According to published data, over the last five years the hackers had little trouble gaining access to PayPal, Amazon, eBay, Wells Fargo, SunTrust and Bank of America accounts using specially created malicious software.

The hackers sold logins, passwords, users' personal data, phone numbers, bank card details and other information needed to authenticate to the accounts.

The cost of one account averaged $2.50. Accounts that included the password to the victim's mailbox cost twice as much.

Over a year of such activity, the hackers made a profit of more than $22 million. The victims were citizens of Ukraine, Canada, Great Britain, Spain and France.

Cyber Police officers conducted authorized searches in three regions of Ukraine, seizing computer equipment, mobile phones and draft records.

So far, four Ukrainians involved in creating, organizing and administering the DarkNet platform have been detained. As a result, one of the DarkNet sites selling personal data has been taken down.