Pages:
Author

Topic: Kaspersky and INTERPOL Say Blockchain is Vulnerable - page 2. (Read 3188 times)

legendary
Activity: 2097
Merit: 1070
Using op_return data many things are possible. Command and control for a botnet, sure - sounds possible to me.

This will never change, if they didn't use op_return they could use one of various other methods of embedding spurious information into the blockchain.

I have to wonder if there's altcoins out there which we're not aware of which were designed for this specific type of insert only structure.

I'm sure public key servers could be used in a similar way but unlike Bitcoin those records could be tampered with by the operators.

I reckon that this will be an issue at some point but I suspect there's nothing anyone can do about it.

I'll add that there's nothing new here at all, anything that can be done now could be done long ago. It's sabre rattling by Interpol and Kaspersky.
legendary
Activity: 2464
Merit: 1145
However, I don't really know how they spawned a notepad from block chain in the victim's computer. Does anyone know the details?
They didn't, and it didn't say they did.

All this is saying is that they can put data inside OP_RETURNS which other malicious software can act on.  This is one of the problems with having non-trivial side-channels for non-bitcoin data. The complaint is mostly hype.

Perhaps the real news should be "Kaspersky says they believe they know a vulnerability in Bitcoin, but they failed to responsibly disclose it to the developers and instead wrote press articles on it".

probaly the main point for them.
you can store malicious code on the blockchain and only need some small code on victim pc to get the main code executed/downloaded.

but i would agree that this is no blockchain vuneralbility...
staff
Activity: 4284
Merit: 8808
I suggest taking their claims at face value and asking them why they're behaving unethically; make them clarify that what they're doing isn't actually an attack. Smiley
sr. member
Activity: 293
Merit: 251
Director - www.cubeform.io
This is so stupid it's frustrating... The only kind of accurate title for the article would be 'bitcoin may provide new source for command and control of malware' or something... But to suggest the blockchain is 'vulnerable' is such nonsense... By that logic, All versions of Apache and every other web server is 'vulnerable' because it could serve a payload to anyone!
legendary
Activity: 2114
Merit: 1015
However, I don't really know how they spawned a notepad from block chain in the victim's computer. Does anyone know the details?
They didn't, and it didn't say they did.

All this is saying is that they can put data inside OP_RETURNS which other malicious software can act on.  This is one of the problems with having non-trivial side-channels for non-bitcoin data. The complaint is mostly hype.

Perhaps the real news should be "Kaspersky says they believe they know a vulnerability in Bitcoin, but they failed to responsibly disclose it to the developers and instead wrote press articles on it".

This article is just outright lies because it leaves an impression that block chain itself is the root of all evil when actually the botnet could be operated from anywhere on the internet and block chain is just one way to do it.

using an exploit code that opens a notepad --- this wording is a typical shellcode execution wording because often time the PoC exploits open calc.exe or notepad. this is what confused me the most about this post. If it was really possible to make a bitcoin tx that would spawn notepad in all the computers of the bitcoin's network then it would be a humongous vulnerability Cheesy
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
Its pretty simple how they did it. They created a malicous application that fetches data from the blockchain. If you run said malicious application malicious things might happen. Bottom line? Dont run anything from Kaspersky?

their "demo" -> https://www.youtube.com/watch?v=FNsqXHbeMco
staff
Activity: 4284
Merit: 8808
However, I don't really know how they spawned a notepad from block chain in the victim's computer. Does anyone know the details?
They didn't, and it didn't say they did.

All this is saying is that they can put data inside OP_RETURNS which other malicious software can act on.  This is one of the problems with having non-trivial side-channels for non-bitcoin data. The complaint is mostly hype.

Perhaps the real news should be "Kaspersky says they believe they know a vulnerability in Bitcoin, but they failed to responsibly disclose it to the developers and instead wrote press articles on it".
legendary
Activity: 2114
Merit: 1015
"They successfully demonstrated how arbitrary data can be injected into a digital currency decentralized database simply by using an exploit code that opens a notepad enabling corrupted data to be inserted into the Blockchain."

http://bitcoinist.net/kaspersky-labs-interpol-blockchain-vulnerable/

There are just so many things wrong with this claim that I don't know where to start. Exploit code is not needed to save arbitrary data in the block chain. Anyone can save such data and it's perfectly normal and safe. I assume those Kaspersky idiots just wrote a vulnerable application that operates on block chain and then they wrote an exploit for their own vulnerable application. The bottom line is, BLOCK CHAIN IS NOT VULNERABLE. The article is misleading and its authors should be banned from writing any more articles for their high degree of incompetency.

However, I don't really know how they spawned a notepad from block chain in the victim's computer. Does anyone know the details?
Pages:
Jump to: