#4 – New Tinder Hack, A Crypto Heist, And Bitcoin ‘Creep’

There is a  new Tinder hack! Tinder is potentially leaking lots of information about you; listen to find out more. The biggest cryptocurrency hack ever (no, it’s not Bitcoin). YouTube gets an ad “bug.” And Spectre won’t go away. We have a guest, Ben Rothke, with lots of great tips, and we answer a few listener questions, too.

Do you know what an NEM Coin is? Cryptocurrencies hacked again.LISTEN-NOW-DIY-CYBERGUY

Hair on fire – 5 of 5

Fix -Keep your Digital Wallet OFFLINE when not in use!

Bitcoin were not lost in the hack – NEM Coins were.

More similarities than differences:

Two different crypto currencies, both can be used to buy goods and services (if merchant accepts them) and both can be converted to other currencies based on then-current exchange rates.

Once stolen – gone – as we discussed with Philip Andreae a few weeks back. Unless you digital wallet can cover your losses…?

Coincheck, a Tokyo-based cryptocurrency exchange, has suffered perhaps the largest hack in the history of cryptocurrencies, totaling about $532 million!

Reuters reported:

The theft – one of the world’s biggest cyberheists – highlights the vulnerabilities in trading an asset that policymakers are struggling to regulate, as well as the broader risks for Japan as it aims to leverage the fintech industry to stimulate economic growth.

The Financial Services Agency (FSA) on Monday ordered improvements to operations at Coincheck, which on Friday suspended trading in all cryptocurrencies except bitcoin after hackers stole 58 billion yen ($534 million) of NEM coins, among the most popular digital currencies in the world.

Coincheck said on Sunday it would repay about 90 percent, though it has yet to figure out how or when.

FIX:

Keep you wallet OFFLINE when not in use.

How?

Hardware Crypto Wallets:https://www.google.com/search?q=Hardware+Crypto+Wallets

Paper (not printing money; its printing your keys): https://lifehacker.com/how-to-store-your-bitcoin-as-securely-as-possible-1821051421

Coinhive on YouTube

Hair on Fire 1 of 5

Already fixed – but you should know about this:

YouTube was likely targeted because users are typically on the site for an extended period of time,” independent security researcher Troy Mursch told Ars. “This is a prime target for cryptojacking malware, because the longer the users are mining for cryptocurrency the more money is made.” Mursch said a campaign from September that used the Showtime website to deliver cryptocurrency-mining ads is another example of attackers targeting a video site.

Source: https://arstechnica.com/information-technology/2018/01/now-even-youtube-serves-ads-with-cpu-draining-cryptocurrency-miners/

What is Coinhive?

Open a calculator on your computer. Google “Calculator”

Type 1 + 2, and hit equals. You get 3.

Computer processed that, which took some processing time. That problem was probably 4 or 5 bytes of data.

Imagine you did a computing problem that was 140 GB of data!

That’s how Bitcoin runs – just a math problem that has to be solved to complete.

1+2=3 probably took all of one millisecond to solve. Depending on the power of your computer, it could take days, even weeks to solve the problem.

Bitcoin miners have a financial incentive – if they solve the math first, they get to process a batch of transactions, and earn Bitcoin in return.

So, Miners need lots of computing power to earn money.

One way to get that power if to get your computer to do it for them.

CoinHive has programs that programmers can use to make a simple web advertisement able to make your computer MINE BITCOIN or other Cryptocurrencies!

THE CATCH – you must stay on page.

SO, hackers target video sites.

Last September, Showtime was found with Coinhive software:

https://gizmodo.com/showtimes-websites-may-have-used-your-cpu-to-mine-crypt-1818763497

More recently, YouTube

https://arstechnica.com/information-technology/2018/01/now-even-youtube-serves-ads-with-cpu-draining-cryptocurrency-miners/

Sites completely blocking Coinhive.com

https://blog.malwarebytes.com/security-world/2017/10/why-is-malwarebytes-blocking-coinhive/

HOW TO BLOCK CRYPTO MINERS

Firefox and Chrome:

No-Coin extension. https://chrome.google.com/webstore/detail/no-coin-block-miners-on-t/gojamcfopckidlocpkbelmpjcgmbgjcl?hl=en

Use Quad9:

https://quad9.net/

https://quad9.net/result/?url=coinhive.com

Very easy to set up! 50 second video.

Spectre

More next week – keep running those updates on Apple, and Windows. Google is in good shape (Google Docs, sheets, etc.).  Everything else – stop your updates until further notice. Intel had to backtrack its latest fix!!

TinderDrift

Hair on fire = 5 of 5 if you are using Tinder.

Tinder not using HTTPS!

On Tuesday, researchers at Tel Aviv-based app security firm Checkmarx demonstrated that Tinder still lacks basic HTTPS encryption for photos. Just by being on the same Wi-Fi network as any user of Tinder’s iOS or Android app, the researchers could see any photo the user did, or even inject their own images into his or her photo stream.

https://www.wired.com/story/tinder-lack-of-encryption-lets-strangers-spy-on-swipes/

No fix – just pick another app, or only use on private, secure WiFi.

Published by

David W. Schropfer

David W. Schropfer is the CEO of AnchorID, Incorporated, a cybersecurity company in New York (www.AnchorID.com).  Every day, he and his team of professionals keep the people who use AnchorID safe from some of the most common traps, hacks and attacks that target computer systems of all sizes. David’s previous books, including The Smartphone Wallet and three industry whitepapers, predicted some of the biggest trends in the payments, mobile, and security industries.  Since graduating Boston College, David earned an Executive MBA from the University of Miami.

One thought on “#4 – New Tinder Hack, A Crypto Heist, And Bitcoin ‘Creep’

Comments are closed.