Author | 鸽子
Your host from Blockchain Base Camp (本营小姐姐) is officially on duty today.
Don't mind my rambling:
read on,
there's real substance here.
Let's look at three numbers:
Security of the blockchain's own mechanisms: US$1.25 billion in losses;
Ecosystem security: US$1.42 billion;
User security: US$56 million;
Added together, these three numbers amount to US$2.7 billion in economic losses.
That is the sharp pain the blockchain industry has suffered over these years.
These figures come from the just-released 2018 H1 Blockchain Security Report (《2018上半年区块链安全报告》), jointly published by Knownsec (知道创宇) and Tencent Security.
These three numbers are a hard slap in the face of the blockchain industry and of everyone in it.
Broken down, the losses behind these three numbers come from three areas: the blockchain's own mechanisms, ecosystem security, and user security.
Each of the three categories is discussed below. The following is drawn mainly from the report's own analysis.
Three types of security incidents
First, the blockchain's own mechanisms.
When it comes to the mechanisms themselves, Ethereum has to be mentioned. Blockchain smart contracts, with Ethereum as the representative example, have design flaws, and the resulting economic losses have been severe.
For example, in June 2016, The DAO, Ethereum's largest crowdfunding project, was attacked; the attacker obtained more than 3.5 million ETH, which ultimately led to Ethereum forking into ETH and ETC.
At the same time, because a real blockchain network is free and open, an attacker who controls the vast majority of computing resources can rewrite the shared ledger, ultimately carrying out a 51% "double-spend attack".
The consequences of that are extremely serious.
Second, ecosystem security.
The blockchain ecosystem is a mixed bag:
it includes mining farms and mining pools under PoW, staking nodes under PoS, cryptocurrency exchanges, software and hardware wallets, block explorers, DApps, and blockchain gateway systems for future DApps.
Among all of these, exchange-related incidents are the most brutal: exchanges hacked, exchanges phished, insider theft, wallet theft, all kinds of data leakage and tampering, exchange account theft, and so on. Sure enough, where the money is, the danger is.
Overall, attacks on the ecosystem rank first among all incidents, whether measured by amount lost or by number of attack types.
With ecosystem security covered, on to user security. The numbers show that user security accounts for the smallest losses, but they still reach US$56 million.
Third, user security.
Generally speaking, it is not that easy for users to work out how to use tools such as wallets, because it takes some knowledge of computers, some knowledge of cryptography, and a fairly high level of security awareness.
Many people simply don't have that, so they can only blame their luck. Case in point: an imToken user in Dongguan found that more than 100 ETH had been stolen from their account, and it turned out that an acquaintance had done it. They were stunned...
That is everything I could extract from the report's relevant sections: with the soft advertising and boilerplate stripped out, this is what's left, excerpted here for you to study. (With losses that large, not studying is digging your own grave.)
Next, I shamelessly pestered the folks at the security company Knownsec (知道创宇) to share more of the report's deeper material so we could give readers more. Fortunately they were obliging; after a little nagging they shared their report content. Apart from the advertising at the end (e.g. "Knownsec can provide such-and-such services for..."; sorry, that has to go), the rest is well worth learning from.
OK, so here is some more study material, in two parts.
First, let's look in detail at where the risks in the blockchain industry actually come from.
The answer: six areas.
Six major risks
1. Smart contract security risks
A smart contract is "a computerized transaction protocol that executes the terms of a contract". Because public blockchains and smart contracts are open source, once a smart contract is deployed every user on the chain can see it. This also means that every flaw it contains, security vulnerabilities included, is visible, and it may not be possible to fix them quickly.
2. Application platform security risks
Application platforms (exchanges, mining pools) are centralized nodes that provide services to the outside world, and large amounts of cryptocurrency accumulate in them, making them attractive targets for malicious hackers. Through DDoS attacks, CC attacks, vulnerability probing, web application attacks and similar means, attackers target and penetrate the platform's websites, apps and API interfaces, threatening its normal, stable operation and damaging its community and reputation.
Malicious hackers and the underground economy register accounts in bulk through "cat pools" (SIM-bank modem farms) and "code-receiving platforms" (SMS verification relays), then use those accounts to "grab candy" (bounties and airdrops) across the channels of application platforms and project teams, so that the funds these platforms and projects set aside for user acquisition go down the drain.
3. Mining rig and mining farm security risks
Mining rigs and farms "mine" cryptocurrency by accumulating hash power, which lets a farm build up cryptocurrency assets relatively steadily. Malicious hackers can penetrate and take over the administration of rigs or even entire farms, "stealing hash power to mine", which causes significant economic losses to individual miners and farms. Malicious hackers also use backdoors, viruses, trojans and other malicious code to remotely control Internet-exposed servers, hosts and IoT devices, consuming those devices' resources to "mine".
4. Digital wallet security risks
Digital wallets, as the carrier for storing cryptocurrency, are widely accepted by users and organizations; the "hot wallet" and "cold wallet" storage models provide stronger protection while keeping cryptocurrency convenient to use. Hot and cold wallets are also a focus of malicious hackers, who steal users' and institutions' cryptocurrency by tampering with wallet addresses, recovering mnemonic phrases, and stealing "root keys".
5. Social engineering security risks
Malicious hackers try to obtain users' account names and passwords through phishing websites, phishing emails, password brute-forcing and similar means. With the harvested credentials they steal users' digital currency from application platforms, or buy low-value coins with high-value ones within a short window and profit illegally from price differences between trading platforms, or even from digital currency futures. Ordinary users generally find it hard to recognize the threat posed by phishing websites and emails, and once they are taken in by a phishing site, they tend to publicly condemn the legitimate platform, doing huge damage to its reputation.
6. Office environment security risks
Because the blockchain industry is developing so fast, project teams are all racing against the clock to get their public chain, platform or project live in the shortest possible time, and in doing so they neglect employee security awareness training and the security hazards in their internal office environment. According to observations and statistics from Knownsec's threat and sensitive-information-leak monitoring center, large numbers of project teams have leaked core source code, account names and passwords on well-known developer sites and platforms such as GitHub, GitLab and CSDN. Malicious hackers can use these credentials to penetrate the office intranet, deploy malicious code on weakly protected office devices and servers, lie low, and wait for the right moment to deliver a "fatal blow".
With the six major risks covered, let's look at the eight typical major security incidents of recent years that hit you hard in the face.
1. Ethereum "honeypot" smart contracts
During its research, the blockchain security research team at Knownsec's 404 Security Lab discovered Ethereum-based honeypot smart contracts, collected in [Smart-Contract-Honeypots] and [Solidlity-Vulnerable]. Using these two kinds of honeypot contracts, attackers use a variety of deceptions to lure smart contract developers into transferring digital currency to the contract address. Such honeypot contracts are far more targeted than ordinary phishing: where phishing aims at the general public, honeypot contracts aim at "smart contract developers", "smart contract code auditors" or "hackers with some technical background". Because the bar is higher, only someone who can read the smart contract can fall for it, which makes them highly targeted.
The deception techniques found so far in honeypot smart contracts fall into the following categories:
Old-fashioned tricks
"Magical" logic flaws
Novel gambling games
Exploits aimed at hackers
For reasons of space, see the paper in the Seebug vulnerability community for a description of "honeypot smart contracts": https://paper.seebug.org/631/.
2. BeautyChain smart contract vulnerability
On April 25, 2018, Meitu announced that, effective immediately, its overseas product BeautyPlus was terminating its overseas promotion partnership with Beauty Chain (BEC). Back in February 2018, Meitu had publicly stated that BeautyPlus and Beauty Chain (BEC) had an overseas promotion partnership and that Meitu was not involved in any other BEC business. After the termination, Meitu and Beauty Chain (BEC) would have no cooperation of any kind. Meitu also reiterated that it had not issued, and would not issue, any digital currency.
Figure 1 Babbit (8btc) news: Meitu's official statement
Figure 2 BEC official announcement
The trigger: on April 23, 2018, security researchers discovered a vulnerability in BeautyChain's smart contract and used it to obtain an astronomical quantity of BEC tokens: 57,896,044,618,658,100,000,000,000,000,000,000,000,000,000,000,000,000,000,000.792003956564819968. Such a huge token quantity caused panic, massive dumping of BEC on the market, and the price went straight to zero. When the incident happened, the BEC team immediately suspended all trading and transfers and worked with exchanges to roll back all transactions to before the attack in an attempt to recover the losses.
Figure 3 BEC transaction record query
Incident reconstruction:
(1) BEC's smart contract contains a batch transfer function: BatchOverFlow
Figure 4 BEC smart contract batch transfer method
(2) The attacker exploited an integer overflow in this function of the Ethereum ERC-20 smart contract to attack BEC's contract.
(3) For a detailed description of how the vulnerability is exploited, see: https://paper.seebug.org/615/
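The overflow in incident 2, as an added Python model (not code from the report, from BEC's contract or from the Seebug paper): it emulates EVM uint256 wrap-around, runs the batch-transfer accounting once unchecked and once with a SafeMath-style product check, and verifies the supply-conservation invariant a monitor should enforce. The names Token, batch_transfer_unchecked, batch_transfer_checked, display_units and demo are this example's own, and the two receivers with value 2**255 are constructed inputs.

```python
# Added example (not code from the report, from BEC's contract or from the Seebug paper):
# a Python model of EVM uint256 arithmetic showing how the batch-transfer overflow slips past
# the balance check, beside the checked version a SafeMath-style multiplication enforces.

MASK = (1 << 256) - 1          # uint256 holds 0 .. 2**256 - 1


def u256(x: int) -> int:
    """Emulate EVM uint256 wrap-around: the EVM silently keeps only the low 256 bits."""
    return x & MASK


class Token:
    """Minimal ERC-20-style ledger; balances are Python ints in token base units."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def batch_transfer_unchecked(self, sender: str, receivers: list, value: int) -> int:
        """The flawed pattern: amount = cnt * value in wrapping arithmetic, then the
        balance check runs on the wrapped amount rather than the real total."""
        cnt = len(receivers)
        if not (0 < cnt <= 20 and value > 0):
            raise ValueError("revert: bad arguments")
        amount = u256(cnt * value)              # 2 * 2**255 wraps to 0
        if self.balance_of(sender) < amount:
            raise ValueError("revert: insufficient balance")
        self.balances[sender] = u256(self.balance_of(sender) - amount)
        for r in receivers:
            self.balances[r] = u256(self.balance_of(r) + value)
        return amount

    def batch_transfer_checked(self, sender: str, receivers: list, value: int) -> int:
        """Same logic, but the product must fit in uint256 (what SafeMath's mul enforces)."""
        cnt = len(receivers)
        if not (0 < cnt <= 20 and value > 0):
            raise ValueError("revert: bad arguments")
        amount = cnt * value                    # exact Python integer
        if amount > MASK:
            raise ValueError("revert: multiplication overflow")
        if self.balance_of(sender) < amount:
            raise ValueError("revert: insufficient balance")
        self.balances[sender] -= amount
        for r in receivers:
            self.balances[r] = self.balance_of(r) + value
        return amount

    def supply_is_conserved(self) -> bool:
        """Invariant a monitor or test suite should enforce: transfers never mint."""
        return sum(self.balances.values()) == self.total_supply


def display_units(base_units: int, decimals: int = 18) -> str:
    """Render a base-unit quantity the way an explorer shows it: integer.fraction."""
    return f"{base_units // 10**decimals}.{base_units % 10**decimals:0{decimals}d}"


def demo() -> dict:
    """Two receivers, value = 2**255, from a sender holding nothing (constructed inputs)."""
    value = 1 << 255
    out = {}
    t = Token({"sender": 0})
    out["unchecked_amount"] = t.batch_transfer_unchecked("sender", ["r1", "r2"], value)
    out["unchecked_conserved"] = t.supply_is_conserved()
    out["r1_display"] = display_units(t.balance_of("r1"))
    t2 = Token({"sender": 0})
    try:
        t2.batch_transfer_checked("sender", ["r1", "r2"], value)
        out["checked_reverted"] = False
    except ValueError:
        out["checked_reverted"] = True
    out["checked_conserved"] = t2.supply_is_conserved()
    return out


if __name__ == "__main__":
    print(demo())
```

In the unchecked run the wrapped amount is 0, so a sender with no tokens passes the balance check and each receiver is credited 2**255 base units; rendered in 18-decimal units, that balance ends in the same fractional digits as the figure quoted above.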
3. EXMO hit by DDoS attack
On December 28, 2017, the British bitcoin exchange EXMO issued an official announcement saying it was under DDoS attack and expected to resume normal business within half an hour.
Figure 5 EXMO's official Twitter announcement of the DDoS attack
At the same time, EXMO's CEO Pavel Lerner was kidnapped outside the company's office in Kiev. EXMO issued a statement via BBC News: "We will make every effort to find Pavel Lerner, while assuring users that the exchange is operating normally and promising that users' personal data and funds are safe."
Figure 6 EXMO's official spokesperson's statement via BBC News
4. Bithumb hacked
On June 20, 2018, the South Korean cryptocurrency exchange Bithumb said hackers had stolen virtual currency worth 35 billion won (US$31.5 million).
Figure 7 Bithumb's official Twitter announcement
It was the second South Korean exchange attacked since June 2018, exposing the high risk of cryptocurrency trading. According to CoinMarketCap.com, Bithumb is one of Asia's largest cryptocurrency exchanges, managing nearly US$360 million in assets. Bithumb posted a notice on its website saying it had halted all trading after finding that "cryptocurrency worth about 35 billion won was stolen between last night and this morning".
Bithumb said it had moved "all customer assets into a secure cold wallet", whose operating platform is not directly connected to the Internet. According to Coinmarketcap.com, Bithumb is the world's sixth busiest cryptocurrency exchange.
5. Coinsecure "insider" theft
Coinsecure, one of India's three largest bitcoin exchanges, posted a notice on its website stating that on April 9, 2018 it suffered a theft of digital currency: 438 BTC in total, worth about US$3.3 million at that day's price.
The exchange's CEO, Mohit Kalra, named Amitabh Saxena (CSO) as the prime suspect and filed a complaint against him with the New Delhi police. The case became the largest digital currency theft in India. Coinsecure reportedly has more than 200,000 users in India. According to the police report, Amitabh Saxena told the Coinsecure team that the funds had been stolen from the company's bitcoin wallet as a result of an external attack. Coinsecure's CEO did not believe this account; he told police that his partner was "making up a story to divert attention, and very likely took part in the theft".
Figure 8 Coinsecure announcement
6. NiceHash mining pool breached
NiceHash, based in Slovenia and "the world's largest cryptocurrency mining hash-power marketplace", fell into a nightmare, issuing an official announcement on December 6, 2017 that a large quantity of bitcoin had been stolen.
Figure 9 NiceHash's official announcement of the theft
On December 7, 2017, NiceHash used a Facebook livestream to give users an account of the incident and the latest developments.
Figure 10 NiceHash's official Twitter announcement
After the incident, the NiceHash platform was down for more than 14 days; normal business only officially resumed on December 20, 2017.
Figure 11 NiceHash's official Twitter announcement of the resumption of business
In total, 4,000 BTC were stolen from NiceHash in this incident. It was later revealed that an internal employee's computer had been compromised, giving the attackers access to the marketplace's systems and letting them transfer bitcoin out of the company.
On February 5, 2018, NiceHash officially announced the launch of its repayment program; official announcement: https://www.nicehash.com/news/256
Figure 12 NiceHash's official announcement of the repayment program
As of June 29, 2018, the repayment program was more than halfway complete; official announcement: https://www.nicehash.com/news/nicehash-repayment-program-more-than-half-way-through
Figure 13 NiceHash's official announcement of the repayment program's progress
7. Parity wallet theft
A vulnerability was found in Parity Multi-Sig wallet versions 1.5+, allowing attackers to steal more than 150,000 ETH (about US$30 million) from three high-security multi-signature contracts.
Figure 14 Security Alert: Parity Wallet (Multi-Sig Wallet)
The hacker's username was "devops199", their GitHub username "empty", and their Ethereum receiving address "0xae7168Deb525862f4FEe37d987A971b385b96952".
Figure 15 The hacker "devops199" confirms having caused the incident
Incident reconstruction:
(1) All Parity Multisig Wallets use a shared library contract at address "0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4";
(2) The library contract's initialization left a user-permission problem: "anyone could become the owner of this contract and had the permission to self-destruct it." (Library contract was not initialized properly. That allowed anyone to become its owner and self-destruct it.)
(3) devops199 claimed that while calling the "initWallet()" method, they unexpectedly discovered they could change the smart contract's owner;
(4) and then tried executing the "kill()" method, which disabled the library contract; every version of Parity wallet depending on it stopped working, and all cryptocurrency stored in them became unrecoverable.
8. Binance hit by phishing website
In the two minutes from 22:58 to 22:59 on March 7, 2018, the trade risk-control system of the digital currency exchange Binance detected abnormal activity on the "VIA/BTC trading pair", which triggered Binance's risk-control policy and automatically suspended withdrawals. According to the announcement on Binance's official website: "All funds are safe, and no funds have left the platform." Official announcement link: https://support.binance.com/hc/zh-cn/articles/360001547431
Figure 16 Binance official announcement
However, because the hackers used 10,000 BTC on Binance to pump the market value of the niche coin VIA, VIA jumped 100x, from US$0.000225 to US$0.025, and at the same time the hackers made a huge US$1 billion through short positions on digital currencies and tokens placed on exchanges around the world.
Incident reconstruction:
(1) Starting in February 2018, the hackers prepared a phishing website [binanceweb.com] targeting Binance's European and American users, and posted messages on social networks to mislead users into visiting it.
Figure 17 Counterfeit Binance phishing website
(2) When users visited the phishing site and entered their username and password, the hackers gained control of some Binance accounts and requested API keys for "creating automated trades";
(3) In the two minutes from 22:58 to 22:59 on March 7, they placed orders automatically through the API, pumping VIA's market value by nearly 110x;
(4) Although Binance's risk-control mechanism froze the abnormal accounts and no funds were lost, the hackers cashed out by "shorting" on other exchanges.
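The chain of events in incident 7 (items 1 to 4 of the Parity reconstruction above), as an added Python model that is not Parity's code or the report's: one shared library contract with its own storage, proxy wallets that depend on its code, and a comparison between a library left uninitialized (anyone can initialize it, become owner and self-destruct it) and one initialized at deployment and guarded against re-initialization. The names WalletLibrary, ProxyWallet, init_wallet, kill, scenario and the wallet balance are this example's own.

```python
# Added example (not Parity's code or the report's): a Python model of a shared wallet
# library contract and the proxy wallets that depend on it, showing why a library that is
# never initialized and has no re-initialization guard can be claimed and self-destructed
# by anyone, leaving every dependent wallet's funds unreachable.


class Destroyed(Exception):
    """Raised when a call reaches a self-destructed contract (no code at the address)."""


class WalletLibrary:
    """The library's own storage: an owner set and an 'alive' flag (selfdestruct clears code)."""

    def __init__(self, deployer_owners=None):
        self.owners = []
        self.alive = True
        # Hardened deployment: the deployer initializes the library's own storage, so the
        # re-initialization guard below has something to protect. The flawed deployment
        # (deployer_owners=None) leaves the owner set empty, as described in item (2).
        if deployer_owners:
            self.init_wallet("deployer", deployer_owners)

    def init_wallet(self, caller, owners):
        if not self.alive:
            raise Destroyed("no code at library address")
        # Guard against re-initialization: once owners exist, initialization cannot be redone.
        if self.owners:
            raise PermissionError("revert: already initialized")
        self.owners = list(owners)

    def kill(self, caller, refund_to):
        if not self.alive:
            raise Destroyed("no code at library address")
        if caller not in self.owners:
            raise PermissionError("revert: caller is not an owner")
        self.alive = False        # selfdestruct: every delegatecall into it now fails
        return refund_to


class ProxyWallet:
    """A wallet holds its own ether but forwards all logic to the shared library via delegatecall."""

    def __init__(self, lib, owners, balance):
        self.lib = lib
        self.owners = list(owners)
        self.balance = balance

    def withdraw(self, caller, amount):
        if not self.lib.alive:
            raise Destroyed("wallet logic unreachable: library was self-destructed")
        if caller not in self.owners or amount > self.balance:
            raise PermissionError("revert")
        self.balance -= amount
        return amount


def scenario(deployer_owners=None) -> dict:
    """Replay items (2)-(4) against a library deployed with or without proper initialization."""
    lib = WalletLibrary(deployer_owners)
    wallet = ProxyWallet(lib, owners=["alice"], balance=150_000)   # constructed balance
    result = {}
    try:
        lib.init_wallet("stranger", ["stranger"])   # item (3): initWallet on the library itself
        lib.kill("stranger", "stranger")            # item (4): kill() self-destructs it
        result["library_taken_over"] = True
    except PermissionError:
        result["library_taken_over"] = False
    try:
        wallet.withdraw("alice", 1)
        result["wallet_usable"] = True
    except Destroyed:
        result["wallet_usable"] = False
    result["wallet_balance"] = wallet.balance       # funds are still there, just unreachable
    return result


if __name__ == "__main__":
    print("flawed  :", scenario())
    print("hardened:", scenario(deployer_owners=["deployer"]))
```

The point the model makes is that the guard alone is not enough: if deployment never initializes the library's own storage, the first caller to init_wallet becomes its owner, and a self-destruct then strands every wallet whose logic lives at that address.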
Having listed so many risks and so many typical security incidents, it would be unkind not to offer some solutions. With the advertising removed, this is all the substance that's left; please bear with me.
Some solutions
Here we focus on security solutions for application platforms.
An application platform can use a SaaS cloud security defence platform to improve its overall resilience against external risk and keep itself running stably and efficiently.
Secure CDN
By adopting secure CDN technology, an application platform can hide its origin server's IP address and reduce its attack surface, on top of the node acceleration provided to its web systems and apps.
Application-layer DDoS and CC attack protection
Protection against DNS flood, reflection DDoS attacks, SYN flood, UDP flood, CC attacks and various combined DDoS attacks.
Web attack protection
Use a cloud WAF (Web Application Firewall) to provide encryption and deep inspection of web traffic, preventing attacks including SQL injection, XSS (cross-site scripting), CSRF (cross-site request forgery), webshell file upload, malicious scraping, and other attacks that exploit web vulnerabilities.
Web performance monitoring
Use real-time monitoring of web service availability to track the platform's global availability and performance and to detect DNS poisoning attacks.
Secure web access
All web application platform systems are accessed over HTTPS with SSL/TLS encryption, and all access to web-based core systems uses SSH encrypted authentication.
Web page hardening
On top of page code and configuration audits, lock down key web pages to prevent hotlinking or tampering.
OK, that's it on security for today.
Even without actively advertising, we can still share some useful security material.
The following comes from Knownsec's frequently updated blog; if you're interested, take a look: https://paper.seebug.org. You're welcome.
Remember to give me a like before you go. Best wishes to all!