Bitcoin: Outdated software creating invalid cryptocurrency

Jul 05, 2015 | 5 mins

Running outdated software can create invalid bitcoins, and wallets running such software are vulnerable to a double-spending flaw. Oh, and don't use Skype on your box with your bitcoin wallet, as it may open the way to theft.

Running out-of-date software is risky if you value security, but running outdated bitcoin software can actually create invalid currency. Many bitcoin wallets using outdated software are “currently vulnerable to double-spending of confirmed transactions,” a bitcoin warning states. “Almost all software (besides Bitcoin Core 0.9.5 and later) will accept these invalid blocks under certain conditions.” The warning explains that some bitcoin miners are using outdated software which simply assumes blocks are valid instead of checking them. “All software that assumes blocks are valid (because invalid blocks cost miners money) is at risk of showing transactions as confirmed when they really aren’t. This particularly affects lightweight (SPV) wallets and software such as old versions of Bitcoin Core which have been downgraded to SPV-level security by the new BIP66 consensus rules.”

The warning states:

Early morning UTC on 4 July 2015, the 950/1000 (95%) threshold was reached. Shortly thereafter, a small miner (part of the non-upgraded 5%) mined an invalid block, as was an expected occurrence. Unfortunately, it turned out that roughly half the network hash rate was mining without fully validating blocks (called SPV mining), and built new blocks on top of that invalid block.

Note that the roughly 50% of the network that was SPV mining had explicitly indicated that they would enforce the BIP66 rules. By not doing so, several large miners have lost over $50,000 dollars worth of mining income so far.

The “fix” is to get all miners off of Simplified Payment Verification (SPV) mining as “lightweight (SPV) wallets are not safe for less than 30 confirmations until all the major pools switch to full validation.” Additionally, since web wallets run varying infrastructure, “unless you know for sure that they use Bitcoin Core 0.9.5 or later for full validation, you should assume they have the same security as the lightweight wallets.”
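To make the failure mode concrete, here is a small Python model, added here and not taken from the warning or from Bitcoin Core, of why an SPV client and a fully validating node disagree about confirmations once an invalid block is mined and then extended by SPV-mining pools. The chain, the block contents and the boolean that stands in for the BIP66 signature-encoding check are all constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    height: int
    txids: tuple          # transactions this block commits to (constructed)
    rule_ok: bool = True  # False models a block violating the new BIP66 rule


def build_chain(fork_height, tip_height, tx_block, txid):
    """Constructed toy chain: the block at fork_height breaks the new rule and
    SPV-mining pools keep extending it to tip_height; txid sits in tx_block."""
    chain = []
    for h in range(tip_height + 1):
        txs = (txid,) if h == tx_block else (f"coinbase-{h}",)
        chain.append(Block(h, txs, rule_ok=(h != fork_height)))
    return chain


def spv_confirmations(chain, txid):
    """A lightweight (SPV) client counts depth below the longest header chain.
    It never runs the consensus rules, so the invalid block and every block
    mined on top of it are counted as confirmations."""
    for b in chain:
        if txid in b.txids:
            return chain[-1].height - b.height + 1
    return 0


def full_confirmations(chain, txid):
    """A fully validating node (Bitcoin Core 0.9.5+ in the article) checks every
    block; the first rule-breaking block and all of its descendants are rejected."""
    accepted = []
    for b in chain:
        if not b.rule_ok:
            break
        accepted.append(b)
    for b in accepted:
        if txid in b.txids:
            return accepted[-1].height - b.height + 1
    return 0


def spv_safe_to_accept(chain, txid, min_confs=30):
    """The warning's interim rule for SPV wallets: below 30 confirmations a
    payment is not safe while major pools still SPV-mine."""
    return spv_confirmations(chain, txid) >= min_confs


if __name__ == "__main__":
    chain = build_chain(fork_height=6, tip_height=12, tx_block=7, txid="payment-1")
    print("SPV wallet sees", spv_confirmations(chain, "payment-1"), "confirmations")
    print("full node sees", full_confirmations(chain, "payment-1"), "confirmations")
    print("SPV wallet may accept payment:", spv_safe_to_accept(chain, "payment-1"))
```

A payment placed in a block above the invalid one shows six confirmations to the SPV wallet and none to the full node, which is exactly the "confirmed when it really isn't" situation the warning describes.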

Bitcoin – not diamonds – are a Greek’s best friend

Meanwhile in Greece, Greeks are turning to cryptocurrency to transfer their money out of their bank accounts and even the country. Adam Vaziri, a board member of the UK Digital Currency Association, told Reuters, “When people are trying to move money out of the country and the state is stopping that from taking place, bitcoin is the only way to move any value. There aren’t any other options unless you buy diamonds, and that’s very difficult to move.”

Speaking of diamonds, Reddit user hxcast warned against going to hackathons and pitching a bitcoin-based idea as industry folks might steal it, as allegedly happened with his and Edward Harpham’s hackathon-winning blockchain-based idea to combat fraud. The problem stems from an article about startup Everledger and its CEO Leanne Kemp; the company is credited with using the bitcoin blockchain platform to fight insurance fraud, starting with diamonds and then expanding to other high-end luxury goods.

Online bitcoin gambling site offers reward

A bitcoin-savvy gambler exploited the random number generation system at the online bitcoin gambling site Primedice. The gambler “Hufflepuff” was reportedly “the largest bettor Primedice had ever seen; he was often seen betting upwards of $8,000 worth of bitcoin every second for hours on end.” Although Primedice was suspicious, the company couldn’t find any evidence of Hufflepuff cheating the system. The main developer eventually detected the exploit, but the hacker had cashed out winnings which totaled about $1 million.

The winnings allegedly “broke” the bank and Primedice asked the hacker to give the money back. Instead, the hacker created a new account and exploited the improperly patched fix to win over 2,000 more bitcoins. Primedice’s “hot-wallet was drained” so the hacker couldn’t cash out.

The bitcoin-savvy gambler then sent Primedice the following private message:

Your offer is declined. Your demands are laughable. I’m happy to walk away and leave you be, but if you’re going to take this further, then so will I. I don’t think you want this to go further. I actually enjoy this shit. Your move.

Oh, and by the way, there are some pending withdrawals that you need to process.

Shortly thereafter, the hacker doxed a Primedice employee.

Primedice then offered a reward: “Any information that leads to the return of the coins from this incident will be greatly rewarded.”

Bitstamp heist

Do you remember when the bitcoin exchange Bitstamp was hacked back in January and the attackers managed to steal about $5 million worth of bitcoins? Well an “unconfirmed breach report,” which has since poofed from Scribd but has been saved on other sites, reads like a cautionary tale about what could happen if a person were to run Skype and Microsoft Office on the same PC that connects to a server that hosts that person’s bitcoin wallet.

Six Bitstamp employees were targeted in a phishing attack; four employees received malicious attachments, but “all of the phishing messages were highly tailored to the victim, and showed a significant degree of background knowledge on the part of the attacker.”

The attackers targeted Bitstamp system admin Luka Kodric, who had access to Bitstamp’s hot wallet, first sending a phishing email to his Gmail account before social-engineering him via Skype. According to the confidential “Bitstamp incident report,” forensic analysis helped determine that the transfer was initiated through a VPN connection from Kodric’s laptop to the server hosting the bitcoin wallet at Bitstamp’s data center.

In January, “the attacker drained the Bitstamp wallet, as evidenced on the blockchain.” The report added, “5,000 bitcoins were in the wallet when it was exfiltrated on December 29, but over 18,000 bitcoins were stolen in total due to additional deposits made before the theft was noticed.” Those bitcoins were worth over $5 million at the time; Bitstamp was “working closely with the Secret Service, FBI and UK cybercrime investigators to apprehend and prosecute the hacker.”

Finally, last week the DEA agent who stole bitcoin while investigating Silk Road and Ross Ulbricht, aka Dread Pirate Roberts, pleaded guilty to extortion, money laundering and obstruction of justice.

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.