Reconstructing A Blurry QR Code

QR codes are a type of two-dimensional matrix barcode used for a variety of purposes. They’re one way of turning a long piece of string data into an easily machine-readable format. For this reason, they can be used to store private keys for encryption and cryptocurrency purposes. [Roger Ver] attempted to use a QR code containing a private key to give away some cryptocurrency on TV, but the code was blurred out by the broadcaster. Not ones to give up easily, [Michael] and [Clément] decided to see if they could reconstruct it anyway.

The work begins, as so many cryptographic exploits do, with the collection of as much of the plaintext key as possible. By stepping through the footage frame by frame, small pieces of the unobscured QR code were found, as well as some of the private key itself. By combining this with enhanced images of the blurred code, the team were able to put together less than one third of the QR code. The team had other tricks up their sleeve though – they knew the QR contained a private key of a particular format, and were able to figure out the QR code was 41×41 pixels.

By using this data along with a careful study of the QR code format, the team were able to put together some code in Python to brute force the key. After 838849 trials, the key was found, and the team were able to claim the prize. It’s a great example of cryptographic analysis – and so is this story on hacking your own password.

[Thanks to Esko for the tip!]

Cryptocurrency Mining Post-Bitcoin

While the age of using your own computer to mine Bitcoin during spare CPU cycles has long passed, average folks aren’t entirely shut out of the cryptocurrency game yet. Luckily, Bitcoin isn’t the only game in town anymore, and with GPUs coming down in price it’s possible to build a mining rig for other currencies like Ethereum.

[Chris]’s build starts with some extruded aluminum and a handful of GPUs. He wanted to build something that didn’t take up too much space in the small apartment. Once the main computer was installed, each GPU was installed upwards in the rack, with each set having its own dedicated fan. After installing a fan controller and some plexiglass the rig was up and running, although [Chris] did have to finagle the software a little bit to get all of the GPUs to work properly.

While this build did use some tools that might only be available at a makerspace, like a mill and a 3D printer, the hardware is still within reason for someone with a little cash burning a hole in their pockets. And, if Ethereum keeps going up in value like it has been since the summer, it might pay for itself eventually, provided that your electric utility doesn’t charge too much for power.

And if you missed it, we just ran a feature on Ethereum. Check it out.

Ethereum: GPU Mining Is Back But For How Long?

By now, everyone and their dog has at least heard of Bitcoin. While no government will accept tax payments in Bitcoin just yet, it’s ridiculously close to being real money. We’ve even paid for pizza delivery in Bitcoin. But it’s not the only cryptocurrency in town.

Ethereum, initially launched in 2015, is open source. It has been making headway among the 900 or so Bitcoin clones and is the number two cryptocurrency in the world, with only Bitcoin beating it in value. This year alone, Ether has risen in value by around 4000%, and at time of writing is worth $375 per coin. And while the Bitcoin world is dominated by professional, purpose-built mining rigs, there is still room in the Ethereum ecosystem for the little guy or gal.

Ethereum is for Hackers

There may be many factors behind Ethereum’s popularity, but one reason is that the algorithm is designed to be resistant to ASIC mining. Unlike Bitcoin, anyone with a half-decent graphics card or decent gaming rig can mine Ether, giving them the chance to make some digital currency. This is largely because mining Ethereum coins requires lots of high-speed memory, which ASICs lack. The algorithm also has built-in ASIC detection and will refuse to mine properly on them.

Small-scale Bitcoin miners were stung when the mining technology jumped from GPUs to ASICs. ASIC-based miners simply outperformed the home gamer, and individuals suddenly discovered that their rigs were not worth much, since there was a stampede of people trying to sell off their high-end GPUs all at once. Some would go on to buy or build an ASIC, but the vast majority just stopped mining. They were out of the game: they couldn’t compete with ASICs and be profitable, since mining in itself uses huge amounts of electricity.

Economies of scale like those in Bitcoin mining tend to favor a small number of very large players, which is in tension with the distributed nature of cryptocurrencies, which rely on consensus to validate transactions. It’s much easier to imagine that a small number of large players would collude to manipulate the currency, for instance. Ethereum, on the other hand, hopes to keep its miners GPU-based to avoid huge mining farms and give the average Joe a chance at scoring big and discovering a coin on their own computer.

Ethereum Matters

Ethereum’s rise to popularity has basically undone Bitcoin’s move to ASICs, at least in the gamer and graphics card markets. Suddenly, used high-end graphics cards are worth something again. And there are effects in the new equipment market. For instance, AMD cards seem to outperform other cards at the moment, and AMD is taking advantage of this with its release of mining-specific GPU drivers for its new Vega architecture. Indeed, even though AMD bundled its hottest RX Vega 64 GPU with two games, a motherboard, and a CPU in an attempt to make the package more appealing to gamers than miners, AMD’s Radeon RX Vega 56 sold out in five minutes, with Ethereum miners being blamed.

Besides creating ripples in the market for high-end gaming computers, cryptocurrencies are probably going to be relevant in the broader economy, and Ethereum is number two for now. In a world where even banks are starting to take out patents on blockchain technology in an attempt to get in on the action, cryptocurrencies aren’t as much of a fringe pursuit as they were a few years ago. Ethereum’s ASIC resistance is perhaps its killer feature, preventing centralization of control and keeping the little hacker in the mining game. Only time will tell if it’s going to be a Bitcoin contender, but it’s certainly worth keeping your eye on.

World’s Worst Bitcoin Mining Rig

Even if we don’t quite understand what’s happening in a Bitcoin mine, we all pretty much know what’s needed to set one up. Racks of GPUs and specialized software will eventually find a few of these vanishingly rare virtual treasures, but if you have enough time, even a Xerox Alto from 1973 can be turned into a Bitcoin mine. As for how much time it’ll take [Ken Shirriff]’s rig to find a Bitcoin, let’s just say that his Alto would need to survive the heat death of the universe. About 5000 times. And it would take the electricity generated by a small country to do it.

Even though it’s not exactly a profit center, it gives [Ken] a chance to show off his lovingly restored Alto. The Xerox machine is the granddaddy of all modern PCs, having introduced almost every aspect of the GUI world we live in. But with a processor built from discrete TTL chips and an instruction set that doesn’t even have logical OR or XOR functions, the machine isn’t exactly optimized for SHA-256 hashing. The fact that [Ken] was able to implement a mining algorithm at all is impressive, and his explanation of how Bitcoin mining is done is quite clear and a great primer for cryptocurrency newbies.

[Ken] seems to enjoy sending old computer hardware to the Bitcoin mines — he made an old IBM mainframe perform the trick a while back. But if you don’t have a room-size computer around, perhaps reading up on alternate uses for the block chain would be a good idea.

[via Dangerous Prototypes]

Raspberry Pi Malware Mines BitCoin

According to Russian security site [Dr.Web], there’s a new malware called Linux.MulDrop.14 striking Raspberry Pi computers. In a separate posting, the site examines two different Pi-based trojans including Linux.MulDrop.14. That trojan uses your Pi to mine some form of cryptocurrency. The other trojan sets up a proxy server.

According to the site:

Linux Trojan that is a bash script containing a mining program, which is compressed with gzip and encrypted with base64. Once launched, the script shuts down several processes and installs libraries required for its operation. It also installs zmap and sshpass.

It changes the password of the user “pi” to “$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1”.

In addition, the malware searches for network machines with open port 22 and tries to log in using the default Raspberry Pi credentials to spread itself.

Embedded systems are a particularly inviting target for hackers. Sometimes it is for the value of the physical system they monitor or control. In others, it is just the compute power, which can be used for denial of service attacks on others, spam, or — in this case — BitCoin mining. We wonder how large your Raspberry Pi botnet needs to be to compete in the mining realm?

We hope you haven’t kept the default passwords on your Pi. In fact, we hope you’ve taken our previous advice and set up two factor authentication. You can do other things too, like change the ssh port, run fail2ban, or implement port knocking. Of course, if you use Samba to share Windows files and printers, you ought to read about that vulnerability, as well.
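A quick host check built from the indicators in the Dr.Web description quoted above. This is an added example, not code from Dr.Web or from the original post; the function names and the sample shadow text are constructed for illustration.

```python
import shutil

# Password hash that the Dr.Web description says the trojan sets for "pi".
MULDROP_PI_HASH = "$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1"
DROPPED_TOOLS = ("zmap", "sshpass")  # packages the description says it installs

# Constructed sample in shadow(5) format: a locked root and an infected "pi" entry.
SAMPLE_SHADOW = (
    "root:*:17300:0:99999:7:::\n"
    "pi:" + MULDROP_PI_HASH + ":17300:0:99999:7:::\n"
)


def parse_shadow(text):
    """Return {username: password_field} from shadow(5)-formatted text."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0] and not fields[0].startswith("#"):
            entries[fields[0]] = fields[1]
    return entries


def check_host(shadow_text, which=shutil.which):
    """List the indicators from the description that are present on this host."""
    findings = []
    pi_field = parse_shadow(shadow_text).get("pi")
    if pi_field == MULDROP_PI_HASH:
        findings.append("pi: password hash matches the value set by Linux.MulDrop.14")
    elif pi_field is not None and not pi_field.startswith(("!", "*")):
        # Password login is enabled; the trojan spreads through default credentials.
        findings.append("pi: password login enabled, confirm it is not the default")
    for tool in DROPPED_TOOLS:
        path = which(tool)
        if path:
            findings.append(f"{tool}: installed at {path}")
    return findings


if __name__ == "__main__":
    # On a real Pi, run as root and pass open("/etc/shadow").read() instead.
    for finding in check_host(SAMPLE_SHADOW):
        print(finding)
```

Finding zmap or sshpass alone is weak evidence, since both are legitimate packages; the hash match on the “pi” account is the specific indicator.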

Bitcoin Price Ticker

Are you a Bitcoin miner or trader, but find yourself lacking the compulsive need to check exchange rates like the drug-fuelled daytraders of Wall Street? Fear not – you too can adorn your home or office with a Bitcoin Price Ticker! The post is in Italian but you can read a translated version here.

It’s a straightforward enough build – an Arduino compatible board with an onboard ESP8266 is hooked up with an HD44780-compatible LCD. It’s then a simple matter of scraping the Bitcoin price from the web and displaying it on the LCD. It’s a combination of all the maker staples, tied together with some off-the-shelf libraries – it’s quick, and it works.

[Ed: Oh boo! The images of the LCD were photoshopped. Please ignore the next paragraph.]

What makes the build extra nice is the use of custom characters on the LCD. The HD44780 is a character based display, and this project appears to use a screen with two lines of sixteen characters each. However, a custom character set has been implemented in the display which uses several “characters” on the screen to create a single number. It’s a great way to make the display more legible from a distance, as the numbers are much larger, and the Bitcoin logo has been faithfully recreated as well. It’s small touches like this that can really set a project apart. We’d love to see this expanded to display other financial market information and finished off in a nice case.

If you’re wondering what you can actually do with Bitcoin, check out the exploits of this robotic darknet shopper. Oh, and Microsoft will take them, too.

Global Cyber Attack Halted: Autopsy Time

Friday saw what looked like the most dangerous ransomware infection to date. The infection, known as WannaCry, was closing down vital hospital IT systems across the UK, canceling major operations and putting lives at risk.

Spread Halted?

It spread further around the world and almost became a global pandemic. Although machines are still encrypted and demanding Bitcoin, one security blogger, [MalwareTech], halted the ransomware by accident. As he was analyzing the code, he noticed that the malware kept trying to connect to an unregistered domain name, “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com”. So he decided to register the domain to see if he could get some analytics or any information the worm was trying to send home. Instead, much to his surprise, this halted the spread of the ransomware. Originally he thought this was some kind of kill switch, but after further analysis it became clear that this was a test hard-coded into the malware which was supposed to detect if it was running in a virtual machine. So by registering the domain name, the ransomware has stopped spreading, as it thinks the internet is a giant virtual machine.
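Because the worm looks up that domain before doing anything else, resolver logs show which internal hosts ran it. The following is an added example, not from the original post or from [MalwareTech]: it assumes dnsmasq-style query logging, and the log lines, addresses, and function names are constructed.

```python
import re
from collections import defaultdict

# Domain quoted in the article above.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample in dnsmasq "log-queries" style; hosts and times are made up.
SAMPLE_LOG = """\
May 13 09:14:02 dnsmasq[812]: query[A] www.example.org from 10.0.4.17
May 13 09:14:07 dnsmasq[812]: query[A] iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com from 10.0.4.23
May 13 09:14:07 dnsmasq[812]: forwarded iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com to 192.0.2.53
May 13 09:15:40 dnsmasq[812]: query[A] IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. from 10.0.4.23
May 13 09:16:11 dnsmasq[812]: query[AAAA] iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com from 10.0.7.5
May 13 09:16:30 dnsmasq[812]: query[A] notiuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com from 10.0.9.9
"""

# Only "query[...]" lines name the client; "forwarded" lines are skipped.
QUERY_RE = re.compile(r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def clients_querying(log_text, domain=KILL_SWITCH):
    """Return {client_ip: query_count} for hosts that looked up the domain."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        # Exact match only, so look-alike names are not counted.
        if match and normalize(match.group("name")) == domain:
            hits[match.group("client")] += 1
    return dict(hits)


if __name__ == "__main__":
    for client, count in sorted(clients_querying(SAMPLE_LOG).items()):
        print(f"{client} queried the kill-switch domain {count} time(s)")
```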

Why was the UK’s NHS Hit So Badly?

According to the [BBC], information obtained by software firm Citrix under Freedom of Information laws in December suggests up to 90% of NHS trusts were still using Windows XP; however, NHS Digital says it is a “much smaller number”. Microsoft has rolled out a free security update to Windows XP, Windows 8, and Windows Server 2003 “to protect their customers”. There was much warning about XP no longer receiving updates, and the 2001 operating system just needs to die. However, so many programs, especially on embedded devices, rely upon the fact that the OS running is Windows XP. This is a problem that needs to be sorted sooner rather than later. There are still obvious problems facing the NHS, as all outpatient appointments have been canceled at London’s Barts Health NHS Trust, which happens to be the largest in the country. However, [Amber Rudd], Home Secretary, said 97% of NHS trusts were “working as normal” and there was no evidence patient data was affected. Let’s just hope they update their systems and get back to fixing people as soon as they can.

Where Else Was Hit?

There were quite a few other places hit as well as the UK’s NHS, including the Sunderland Nissan plant, also in the UK, and Spanish telecoms giant Telefonica, along with some gas companies in Spain. In the US, FedEx was affected, and France has seen production in some of its Renault factories halted. Finally, Russia reported that 1000 governmental computer systems had been hit.

So is this the end for ransomware?

No. This infection was stopped by accident; the infected are either still infected or have paid up. Had they not included the sloppy code in the first place, who knows what would have happened. Microsoft had rolled out patches, but some people, organizations, and governments are lazy and don’t bother to apply them. Keep your computers up to date. Good luck, because we think we will be seeing a lot more ransomware in the coming years.

[Update: WannaCry v. 2.0 has been released without the “kill switch”. We wonder what will happen now. Probably not a lot, as the media attention has been quite intense, so it may not be that big an infection. However, there are always a few who live in the land where news doesn’t exist and will go along their day until BAM! Ransomware installed and pockets emptied.]