
Thief steals $1 million of Bored Ape Yacht Club NFTs with Instagram hack

A hacker has stolen NFTs worth millions of dollars after compromising the official Instagram account for Bored Ape Yacht Club (BAYC) and using it to post a phishing link that transferred tokens out of users’ crypto wallets.

The hack was disclosed on Twitter by BAYC just before 10AM ET on Monday morning. “There is no mint going on today,” the Tweet read. “It looks like BAYC Instagram was hacked.”

Another tweet from a user unaffiliated with the project claimed to show the image that had been posted from the BAYC account, promoting an “airdrop” — essentially a free token giveaway — for any users who connected their MetaMask wallets.

Unfortunately, BAYC’s warning came too late for a number of holders of the extremely expensive Bored Ape NFTs, along with many other valuable NFTs stolen in the hack. A screenshot posted by one Twitter user showed an OpenSea page for the hacker’s account receiving more than a dozen NFTs from the Bored Ape, Mutant Ape, and Bored Ape Kennel Club projects — all presumably taken from users who connected their wallets after clicking on the phishing link.

The profile page tied to the hacker’s wallet address was no longer visible on OpenSea at time of publication. OpenSea head of communications Allie Mack confirmed to The Verge that the hacker’s account had been banned on the platform, as OpenSea’s terms of service prohibited fraudulently obtaining items or otherwise taking them without authorization.

But given the decentralized nature of NFTs, the contents of the hacker’s wallet can still be viewed on other platforms. Seen through NFT platform Rarible, the wallet contained 134 NFTs, among them four Bored Apes and many other items from projects made by Yuga Labs — the creators of BAYC — such as Mutant Apes and Bored Ape Kennel Club.

Independently, each of the stolen Apes is worth well into six figures based on the most recent sale price. The lowest priced Ape, #7203, last sold four months ago for 47.9 ETH — equivalent to $138,000 at current exchange price. Ape #6778 was last sold for 88.88 ETH ($256,200), while Ape #6178 sold for 90 ETH or $259,400. And Bored Ape #6623 was the most valuable of all, sold three months ago for 123 ETH ($354,500) — meaning that collectively the total value of the four stolen Apes is just over $1 million.

It is not known yet how the hacker was able to compromise the project’s Instagram account. In a statement sent to The Verge by email and also posted on Twitter, Yuga Labs said that two-factor authentication was enabled at the time of the attack and that the security of the Instagram account followed best practices. Yuga Labs also said that the team was actively working to establish contact with affected users.

Though NFTs can be bought and sold for huge sums of money, they are often held in smartphone wallets rather than more secure environments because the popular decentralized crypto wallet application MetaMask only supports NFT display on mobile. It also encourages users to manage NFTs through the smartphone app rather than the browser-based extension. This means that the use of Instagram to deliver a phishing link is an effective way to steal NFTs, as the phishing link is more likely to be interacted with from a mobile wallet.

While security advice in the crypto space suggests NFT holders never connect their wallet to an unknown or untrusted third party, the fact that the phishing link was sent through the official BAYC social media account likely convinced the victims that it was legitimate, raising difficult questions about where exactly the fault lies.

Yuga Labs did not respond to an email from The Verge asking whether victims of the hack would be compensated by the project for their losses.




Hertzbleed vulnerability steals data from AMD and Intel CPUs

Researchers just outlined a new vulnerability that affects processor chips — and it’s called Hertzbleed. If used to conduct a cybersecurity attack, this vulnerability can help the attacker steal secret cryptographic keys.

The scale of the vulnerability is somewhat staggering: According to the researchers, most Intel and AMD CPUs might be impacted. Should we be worried about Hertzbleed?

Hertzbleed

The new vulnerability was first discovered and described by a team of researchers from Intel as part of its internal investigations. Later on, independent researchers from UIUC, UW, and UT Austin also contacted Intel with similar findings. According to their findings, Hertzbleed might affect most CPUs. The two processor giants, Intel and AMD, have both acknowledged the vulnerability, with Intel confirming that it affects all of its CPUs.

Intel has issued a security advisory that provides guidance to cryptographic developers on how to strengthen their software and libraries against Hertzbleed. So far, AMD hasn’t released anything similar.

What exactly is Hertzbleed and what does it do?

Hertzbleed is a chip vulnerability that allows for side-channel attacks. These attacks can then be used to steal data from your computer. This is done through the tracking of the processor’s power and boost mechanisms and observing the power signature of a cryptographic workload, such as cryptographic keys. The term “cryptographic keys” refers to a piece of information, securely stored in a file, which can only be encoded and decoded through a cryptographic algorithm.

In short, Hertzbleed is capable of stealing secure data that normally remains encrypted. Through observing the power information generated by your CPU, the attacker can convert that information to timing data, which opens the door for them to steal crypto keys. What’s perhaps more worrying is that Hertzbleed doesn’t require physical access — it can be exploited remotely.

It’s quite likely that modern processors from other vendors are also exposed to this vulnerability, because as outlined by the researchers, Hertzbleed tracks the power algorithms behind the Dynamic Voltage Frequency Scaling (DVFS) technique. DVFS is used in most modern processors, and thus, other manufacturers such as ARM are likely affected. Although the research team notified them of Hertzbleed, they are yet to confirm whether their chips are exposed.

Putting all of the above together certainly paints a worrying picture, because Hertzbleed affects such a large number of users and so far, there is no quick fix to be safe from it. However, Intel is here to put your mind at ease on this account — it’s highly unlikely that you will be the victim of Hertzbleed, even though you are likely exposed to it.

According to Intel, it takes anywhere from several hours to several days to steal a cryptographic key. Even if someone still wanted to try, they might not be able to, because the attack requires advanced high-resolution power monitoring capabilities that are difficult to replicate outside of a lab environment. Most hackers wouldn’t bother with Hertzbleed when plenty of other vulnerabilities are discovered so frequently.

How to make sure Hertzbleed won’t affect you?

[Figure: Hertzbleed vulnerability mitigation methods depicted in a chart. Credit: Intel]

As mentioned above, you are probably secure even without doing anything in particular. If Hertzbleed gets exploited, it’s unlikely that regular users will be affected. However, if you want to play it extra safe, there are a couple of steps you can take — but they come at a severe performance price.

Intel has detailed a number of mitigation methods to be used against Hertzbleed. The company doesn’t seem to be planning to deploy any firmware updates, and the same can be said about AMD. As per Intel’s guidelines, two ways exist to be fully protected from Hertzbleed, and one of them is super easy to do — you just have to disable Turbo Boost on Intel processors and Precision Boost on AMD CPUs. In both cases, this will require a trip to the BIOS and disabling boost mode. Unfortunately, this is really bad for your processor’s performance.
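One way to confirm from a running Linux system that boost is actually off after the BIOS change, as an added example that is not from the original article or from Intel's guidance. It assumes the Linux sysfs files `intel_pstate/no_turbo` and `cpufreq/boost`; the function name `boost_state` and its root-directory argument are hypothetical.

```shell
#!/bin/sh
# boost_state [SYSFS_ROOT]   (hypothetical helper, not from the article)
# Prints "disabled", "enabled" or "unknown" for CPU frequency boost.
# SYSFS_ROOT defaults to /sys; the parameter exists so the check can be
# exercised against a constructed directory tree.
boost_state() {
    root="${1:-/sys}"
    cpu="$root/devices/system/cpu"

    # intel_pstate driver: no_turbo = 1 means Turbo Boost is off.
    if [ -r "$cpu/intel_pstate/no_turbo" ]; then
        case "$(cat "$cpu/intel_pstate/no_turbo")" in
            1) echo disabled ;;
            0) echo enabled ;;
            *) echo unknown ;;
        esac
        return 0
    fi

    # cpufreq global boost switch (e.g. acpi-cpufreq, common on AMD
    # systems): boost = 0 means boost is off.
    if [ -r "$cpu/cpufreq/boost" ]; then
        case "$(cat "$cpu/cpufreq/boost")" in
            0) echo disabled ;;
            1) echo enabled ;;
            *) echo unknown ;;
        esac
        return 0
    fi

    # Neither file exists (other driver, VM, non-Linux): do not guess.
    echo unknown
}

# Report for the live system when run directly.
echo "CPU boost: $(boost_state)"
```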

The other methods listed by Intel will either only result in partial protection or are very difficult, if not impossible, for regular users to apply. If you don’t want to tweak the BIOS for this and sacrifice your CPU’s performance, you most likely don’t have to. However, keep your eyes open and stay sharp — cybersecurity attacks take place all the time, so it’s always good to be extra careful. If you’re tech-savvy, check out the full paper on Hertzbleed, first spotted by Tom’s Hardware.


Android malware that steals passwords is spreading fast

Google recently boasted about the success of its efforts last year to protect the Google Play Store and Android devices, mostly using advanced machine learning technology. That, however, doesn’t cover apps acquired outside of the Play Store and the phones that install them. Android’s own open nature sometimes works against it because of that, as in the case of the FluBot malware, which is spreading rapidly like a real virus, reaching people in your phone’s address book to steal their passwords.

The way the malware works isn’t exactly that sophisticated and relies on good old-fashioned social engineering. Victims receive a text message claiming to be from a popular courier service, like DHL or Amazon. The message includes a link that it recommends people tap on to track their package.

As most would have probably guessed, that link opens up a web page that instead downloads an Android APK and asks users to install it. By default, Android doesn’t allow installing from unverified, third-party sources but the site is kind enough to provide instructions on how to change that. Once a phone has been infected, it reportedly steals passwords, online bank details, and other sensitive information stored on the phone.

Like the flu, this FluBot malware also looks into your phone’s address book to send the same phishing message to people there, which is how it is spreading quickly to Android phones. Given how locked down iPhones are, owners of Apple’s iOS devices are immune to this trick, but the UK’s National Cyber Security Centre (NCSC) still recommends that iPhone users play it safe and not open those links anyway.

The report does raise the question of how passwords and login credentials, which are often encrypted or protected on Android and most browsers, can get so easily stolen, though that isn’t exactly unheard of. Unfortunately, there is no fix for those already infected other than to factory reset their phone. It might not be so bad for those with backups but users should be careful when restoring backups made after getting infected by the FluBot.


2020 MacBook Air review roundup: The keyboard steals the show, but base performance is just OK

While the new iPad Pro and Magic Keyboard stole most of the spotlight earlier this week, Apple also launched a significant update to the MacBook Air this week, with a new keyboard, faster processors, and more storage. And based on early impressions, those three things make it a must-buy for anyone looking to upgrade to a new Mac notebook.

Dana Wollman of Engadget hasn’t had time to formulate a full review, but her first impressions are strong: “If you can’t tell, I love this keyboard. I won’t be returning to my company-issued MacBook Pro unless I need to use the VPN. Just know that the slight trade-off to this new and improved typing experience is that it’s a tad noisy. It’s not a problem when I’m working alone in my apartment, but if I were in an office or co-working space I might feel a little self-conscious.”

Over at CNBC, Todd Haselton writes that the new MacBook Air has excellent battery life that should be “good enough to get through most of a workday so long as I keep the brightness at about half max.” Like Wollman, he also praises the keyboard, calling the keys “much more pleasant to type on.”

TechCrunch’s Brian Heater has given the MacBook Air a more detailed review, and he concludes that “it’s nice to see Apple keeping the beloved line fresh a dozen years after it was first introduced.” However, he notes that the base Core i3 model might be a little pokey for some users and recommends “adding $100 back onto the system price in order to upgrade to an i5.” He also says the stated 11 hours of battery life “is probably a stretch,” but concedes that “all-day battery life seems like a fair enough description.”

Jason Snell at Six Colors also spent enough time with the MacBook Air to give it a full review, and finds that Apple’s newest laptop is perfect for anyone who has been holding out for a new model: “It’s everything that was great about the 2018 MacBook Air, but it’s cheaper and faster, with more customizable specs and—perhaps most importantly—the same Magic Keyboard as the 16-inch MacBook Pro.”

Dan Ackerman at CNET also took issue with the Core i3 processor but had nothing but nice things to say about the keyboard: “There’s a satisfying heft to typing, and unlike the previous version you’ll never wonder if a keystroke registered. It’s hard to overstate how big a change this is when using the two MacBook Air keyboards side by side.”

Finally, Jacob Krol from CNN says of the new keyboard: “Keys feel punchy with a not too loud clicking and clacking, along with a nice feel when actually pushing the key.” Like the other reviewers, he recommended the step-up model, as “the 10th Generation Intel Core i5 zips along at a steady pace.”
