$220M in Bitcoin May Be Encrypted Forever on IronKey

The post $220M in Bitcoin May Be Encrypted Forever on IronKey appeared first on CipherTrace.

Republished by Plato

Stefan Thomas is two failed password attempts away from losing the private keys to $220 million worth of bitcoin forever. This is because Thomas holds the private keys to his bitcoin wallet in an IronKey. “The World’s Most Secure Flash Drive” would rather die than give up its secrets, thanks to a series of built-in protections. IronKey was funded by the US Department of Homeland Security in 2018 and co-founded by Dave Jevans, CEO of CipherTrace. 

Jevans is helping with the investigation to recover Thomas’s private keys, an endeavor made challenging by the highly attack-resistant IronKey that Jevans and his team designed to protect crypto keys. 

On Tuesday, Jevans commented on Thomas’s situation in a Twitter conversation with Alex Stamos, former CISO at Facebook.  

The full thread was found here https://twitter.com/alexstamos/status/1348999178702057476 but is no longer available.

An archive has been transcribed below.


Alex Stamos @alexstamos

6:24 AM · Jan 12, 2021

Um, for $220M in locked-up Bitcoin, you don’t make 10 password guesses but take it to professionals to buy 20 IronKeys and spend six months finding a side-channel or uncapping.

I’ll make it happen for 10%. Call me.

“Stefan Thomas, a German-born programmer living in San Francisco, has two guesses left to figure out a password that is worth, as of this week, about $220 million.

The password will let him unlock a small hard drive, known as an IronKey, which contains the private keys to a digital wallet that holds 7,002 Bitcoin. While the price of Bitcoin dropped sharply on Monday, it is still up more than 50 percent from just a month ago, when it passed its previous all-time high of around $20,000.

The problem is that Mr. Thomas years ago lost the paper where he wrote down the password for his IronKey, which gives users 10 guesses before it seizes up and encrypts its contents forever. He has since tried eight of his most commonly used password formulations — to no avail.

“I would just lay in bed and think about it,” Mr. Thomas said. “Then I would go to the computer with some new strategy, and it wouldn’t work, and I would be desperate again.”


Alex Stamos @alexstamos

Replying to @alexstamos

We’re not talking about some NSA-built crypto processor installed on an SSBN, but an old $50 piece of consumer kit. There is no way it’s hardened against the last ten years of USENIX papers that have never been used in practice.


Dave Jevans @davejevans

Replying to  @alexstamos

I was co-founder and CEO of IronKey.  We had numerous conversations with the NSA during the development of the products.  If the person is using the first generation of IronKey before we sold the company to Imation, it will be very challenging.  /1


Jex @in3dye

What was NSA’s purpose in helping you?


Dave Jevans @davejevans

Replying to  @in3dye and  @alexstamos

 

Once they determined that there were no back doors, they wanted to make it as secure as possible for classified use.  For example, they didn’t just want AES key destruction, they advised on NAND flash wipe techniques that we implemented in hardware.


Dave Jevans @davejevans

Replying to  @alexstamos

 

The password counter and encrypted AES keys are stored on an Atmel AT98 processor.  Uncapping is challenging as there is a randomized protection layer over the chip meaning access to the internal circuitry is likely to kill the chip.  https://dtsheet.com/doc/232348/atmel-at98sc008ct  /2


Dave Jevans @davejevans

Replying to  @alexstamos

IronKey/Atmel security features include voltage, frequency and temperature detectors, illegal code execution prevention, tampering monitors and protection against side channel attacks and probing. The chips can detect tampering attempts and destroy sensitive data on such events /3


Dave Jevans @davejevans

Replying to  @alexstamos

 

We went to Fly Labs and uncapped and looked at our IronKey security chips with a FIB during development.  It will be extremely hard to attack.  If you can turn off the password counter, that is your best bet.  Maybe extract the encrypted AES key.  Both are highly unlikely.  /4


Alex Stamos @alexstamos

I’m sure you guys did a great job (I think iSEC did some validation for you at one point) but it’s not a reasonable threat model to expect consumer hardware to hold up after a decade and against millions of dollars in directed research.


Dave Jevans @davejevans

Replying to  @alexstamos

 

It would be cool to find if anyone has reliably been able to attack the AT98SC family of smart cards without it resetting.  By reliable I mean attacking one device, with a high success chance, rather than being successful 1% of the time.


Garrett Serack @fearthecowboy

Replying to @alexstamos

Wasn’t there a case similar to this a few months back where someone had bitcoin on some piece of crap crypto disk?

IIRC someone came out and found that the firmware that was on it could be downgraded to one that was vulnerable, and went thru and they got it unlocked.


Dave Jevans @davejevans

Replying to  @fearthecowboy and  @alexstamos

 

You cannot downgrade the firmware on the original IronKey devices.  It is checked in hardware and must be signed by physical keys on an HSM at IronKey (now Imation).  This is not a Trezor with software firmware checks.  It’s done in custom hardware. We spent over $10M in chip R&D


Brent Mueller @Patchemup1

Replying to @alexstamos and @hacks4pancakes

I’m betting that counter to 10 at the very least can be reset or severed from the kill switch. At least with the amount of resources that much money could buy.


Dave Jevans @davejevans

 

Yes.  But see my comments on the protective mesh, side channel attack prevention, etc on the key management chip that we used in building IronKey devices.  You have one chance to disable the physical mesh, and it is randomized per device.


iver_Tam @RiverTamYDN

I feel like he could afford to pay Kingston enough money to update the firmware of IronKey to a version that gives him unlimited decrypt attempts


Dave Jevans @davejevans

 

If it is an original version of IronKey, then there is no way to update the firmware on the smart card which holds the encrypted AES key and password counter.  Needs physical attack, which the chip has many protections against.


Josh @JDG_1980

Any chance the IronKey could be decapped and the password deciphered with an electron microscope?


Dave Jevans @davejevans

 

During development at IronKey we did decap the smart card and played with a FIB.  The card has many physical protections against reading memory, including UV detection, randomized hardware mesh, side channel attack detection, etc.  They reset easily.


Dan Kaminsky @dakami

If it’s helpful,  @justmoon, Alex’s offer is absolutely credible.


 Dave Jevans @davejevans

Replying to  @dakami, @lacker  and 2 others

 

As co-founder and former CEO of IronKey I’ll give you what help I can.  You need to crack the Atmel AT98 (assuming this is the IronKey that we developed before Imation bought our company).
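
The mechanism described in the thread above (a wrapped data key and a password counter held together, with the key destroyed when the guesses run out) can be modelled in a few lines. This is an added illustration, not IronKey firmware and not part of the original thread: the class name, the PBKDF2 parameters, charging the attempt before verification and resetting the counter on success are assumptions, and the XOR-plus-HMAC wrap is a stand-in for AES key wrapping.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 10  # the article: ten guesses before the contents are lost


class DeviceWiped(Exception):
    """Raised once the wrapped key has been destroyed."""


class AttemptLimitedKeyStore:
    """Toy model of a chip that holds a wrapped data key and a try counter."""

    def __init__(self, password: str, iterations: int = 100_000):
        self._iterations = iterations
        self._salt = secrets.token_bytes(16)
        self._remaining = MAX_ATTEMPTS
        data_key = secrets.token_bytes(32)  # stands in for the drive's AES key
        kek, mac_key = self._derive(password)
        # Stand-in for AES key wrap: XOR with a password-derived key, plus an
        # HMAC tag that lets the chip recognise the right password.
        self._wrapped = bytes(a ^ b for a, b in zip(data_key, kek))
        self._tag = hmac.new(mac_key, self._wrapped, hashlib.sha256).digest()

    def _derive(self, password: str):
        okm = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt,
                                  self._iterations, dklen=64)
        return okm[:32], okm[32:]

    @property
    def remaining(self) -> int:
        return self._remaining

    @property
    def wiped(self) -> bool:
        return self._wrapped is None

    def unlock(self, password: str):
        """Return the data key, or None on a wrong guess."""
        if self.wiped:
            raise DeviceWiped("key material destroyed; no password can help")
        # Assumption: the attempt is charged before verification, so cutting
        # power mid-check cannot refund a guess.
        self._remaining -= 1
        kek, mac_key = self._derive(password)
        expected = hmac.new(mac_key, self._wrapped, hashlib.sha256).digest()
        if hmac.compare_digest(expected, self._tag):
            self._remaining = MAX_ATTEMPTS  # assumption: success resets it
            return bytes(a ^ b for a, b in zip(self._wrapped, kek))
        if self._remaining == 0:
            # Destroy the wrapped key, not just the counter: after this the
            # bulk ciphertext on flash has no key anywhere on the device.
            self._wrapped = self._tag = self._salt = None
        return None


if __name__ == "__main__":
    store = AttemptLimitedKeyStore("constructed-sample-passphrase")
    for guess in range(8):
        store.unlock(f"wrong-{guess}")
    print("guesses left:", store.remaining)
```

Because the wrapped key and the counter live in the same object, there is no path that reaches one without going through the other, which is the property the thread attributes to keeping both on the tamper-resistant chip.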

Hardware Wallets, IronKeys, and Unbreakable Security

Hardware wallet companies need to elevate their security posture and seek the external certification of their encryption. Unlike hardware wallets, IronKeys continue to be tamper-proof more than a decade after their initial release. The National Institute of Standards and Technology (NIST) issues the Federal Information Protection 140 Series to coordinate the requirements and standards for cryptographic modules which include both hardware and software components for use by departments and agencies of the United States federal government.  

  • FIPS 140-2 Level 1, the lowest, imposes very limited requirements; loosely, all components must be “production-grade” and various egregious kinds of insecurity must be absent. 
  • FIPS 140-2 Level 2 adds requirements for physical tamper-evidence and role-based authentication. 
  • FIPS 140-2 Level 3 adds requirements for physical tamper-resistance. 

In 2011, IronKey was by far the “World’s Most Secure Flash Drive” because it was the only mobile encryption device to be certified at FIPS 140-2 Level 3, tamper-resistance. No hardware wallet vendor has yet certified its software at even FIPS 140-2 Level 1. While some Trezor wallets have chipsets from Super Micro, ST31 and STM32, which are separately EAL validated, the Trezor wallet itself is not certified. 

Implications for Hardware Wallets 

Historically, hardware wallets have never been very secure. In 2018, Ledger hardware wallets were compromised by a 15-year-old researcher, Rashid Saleem, using very small amounts of code. Saleem installed a backdoor on a Ledger Nano S that caused the device to generate pre-determined recovery passwords. An attacker could enter those passwords into a new Ledger hardware wallet to recover the private keys of the backdoored device. Rashid was also able to exploit a Trezor wallet flaw a year prior. https://ciphertrace.com/ledger-bitcoin-wallet-hacked/ 

The Ledger data breach of 2020 exposed the email addresses and other PII of over 270,000 users, resulting in many of Ledger’s customers falling victim to phishing and ransomware attacks that included threats of violence. While the hack didn’t directly threaten any customer funds, Ledger’s reputation within the industry has been compromised, leading many to question the future of hardware wallet security. Perhaps these hardware companies would be wise to revisit IronKey’s contributions to crypto security. In the spirit of decentralization, the onus remains on the user to secure their private keys so that they do not end up in Thomas’s unfortunate situation with hundreds of millions of dollars inaccessible. 

Source: https://ciphertrace.com/220m-in-bitcoin-encrypted-forever-on-ironkey/

Bybit to Cease Services for UK Citizens Following the FCA Ban on Crypto Derivatives Trading

The first consequences from the FCA ban on crypto derivatives trading in the UK are evident for the popular digital asset exchange Bybit. The company announced earlier that it will suspend its services to all customers based in the United Kingdom. 

  • Established in 2018, Bybit is a cryptocurrency exchange headquartered in Singapore with a reported user base of over one million registered clients. However, the firm will cease offering its services to UK-based customers, according to a recent press release.
  • The statement informed that all UK users have to close all of their opened positions and withdraw all account balances by 8 AM UTC, March 31st, 2021. Following that date, UK citizens will be “restricted from accessing or performing any trading activities on Bybit.” 
  • Furthermore, the exchange will immediately restrict all new registrations using UK mobile numbers and/or IP addresses. 
  • Bybit’s decision is a direct consequence of a ban on crypto derivatives trading in the UK instituted by the country’s regulator – the Financial Conduct Authority (FCA). 
  • CryptoPotato reported last year that the watchdog planned to prohibit the sale, marketing, and distribution to all retail customers of crypto derivatives and exchange-traded notes (ETNs).  
  • At the time, the FCA described such products as “ill-suited for retail customers due to the harm they pose.” It also outlined that traders are unable to determine a reliable value because of the extreme volatility in the market and inadequate understanding. 
  • Interestingly, though, even the UK population couldn’t stop the FCA from implementing the ban as a survey compiled by the watchdog suggested that over 97% disagreed with the decision. 
Source: https://cryptopotato.com/bybit-to-cease-services-for-uk-citizens-following-the-fca-ban-on-crypto-derivatives-trading/

PAID Crashes 70% In Minutes as Network Purportedly Exploited

PAID Network, one of the most popular Initial DEX Offerings (IDOs) that took place on Polkastarter’s platform a while ago and brought tremendous returns to private sale investors, is going through what seems to be a massive attack.

  • PAID Network, one of the most popular and heavily promoted IDOs that brought massive returns to private sale investors, seems to have been exploited.
  • Multiple reports on social media point towards the exploit.
  • It appears that over 59 million PAID tokens were minted and sold through Uniswap.
  • This resulted in the price of the token taking a nosedive and decreasing by more than 80% in minutes.
PAID/USD. Source: Dextools
  • At the time of this writing, the team hasn’t come up with an official statement.
  • Many in the cryptocurrency community speculate that this is a rug pull as the owner of the contract had the capability to mint new tokens.
Source: https://cryptopotato.com/paid-crashes-70-in-minutes-as-network-purportedly-exploited/

Bitcoin Losing the $50K Mark, Entering Bearish March: The Weekly Crypto Recap

This week was tough across the board, not just in the cryptocurrency market. It was marked by a serious correlation between Bitcoin and the S&P 500, as well as the entire legacy market, in general.

As CryptoPotato reported, the abovementioned correlation reached a 5-month high. While this seems to be bearish in the short term, given that the stock market slumped following government bond yield that gave the market a jolt, there’s also a bullish argument to be made.

Last weekend, the US House of Representatives passed President Biden’s $1.9 trillion COVID-19 Relief Package, which also got a 51-50 approval vote in the senate. Should the legislation become effective, it could be the case that markets will recover. Given the high correlation, this might also play out positively for Bitcoin and the cryptocurrency market as well.

Nevertheless, the week wasn’t favorable for the market as the primary cryptocurrency, as well as the majority of large-cap altcoins, remained indecisive and failed to regain the momentum they previously had. Presently, Bitcoin is trading at around $49,000. Historically, March has been one of the two most bearish months for Bitcoin, on par only with September. After all, we did see Bitcoin drop by 50% in 2 days last March upon the announcement of the coronavirus pandemic.

Elsewhere, major news took place all over. Binance Smart Chain saw its first major rug pull as Meerkat Finance saw its protocol drained of over $30 million in both Binance Coin and BUSD.

We saw developments in regard to the BitMEX – CFTC fiasco. In a recent filing, it was revealed that the former CEO of the derivatives exchange, Arthur Hayes, could surrender to US authorities in Hawaii this April.

On the more positive and funny side, Mark Cuban’s Dallas Mavericks announced that they would start accepting Dogecoin as a means of payment for tickets and merchandise. The billionaire celebrity gave the most earth-shattering explanation for the move, saying they did it “because we can.”

It’s certainly interesting to see how the global macroeconomic outlook will pan out in the coming days. Will the markets start to recover, or is there more pain ahead? Only time will tell.

Market Data

Market Cap: $1,444B | 24H Vol: 130B | BTC Dominance: 60.7%

BTC: $48,959 (+2.94%) | ETH: $1,531 (+0.38%) | XRP: $0.462 (+3.89%)

Bitcoin Correlation With S&P 500 at 5-Month High: Is This Bearish for BTC? Data reveals that the correlation between the S&P 500 and Bitcoin’s price has hit a 5-month high. This was clearly confirmed over the past week as the cryptocurrency is following the traditional stock market very closely.

US House Passes $1.9 Trillion COVID-19 Relief Package, $1,400 Direct Check Provisions Included. The US House of Representatives has passed President Biden’s $1.9 trillion stimulus bill the past weekend. The Senate also voted 51-50 to proceed with the regulation. If successful, this will see another financial injection into the US economy.

First Major Rug Pull on Binance Smart Chain? Over $30 Million Drained. Meerkat Finance might have been the very first major rug pull on the novel Binance Smart Chain. The protocol saw over $30 million drained from it in what appears to be a rug pull. The community was taken ablaze as many people lost a lot of money.

Former BitMEX CEO Arthur Hayes Could Surrender in Hawaii in April. The former CEO of BitMEX and one of the most influential figures in the cryptocurrency industry, Arthur Hayes, could surrender to US authorities in April in Hawaii. This became clear after new court documents were filed.

Mark Cuban’s Dallas Mavericks to Accept Dogecoin Payments. The Dallas Mavericks, an NBA team owned by famous billionaire and Shark Tank star Mark Cuban, will be accepting Dogecoin payments for tickets and merchandise. This became clear after a recent announcement where Cuban gave an astonishing reason for the move: “Because we can!”

Tim Draper Handpicks Netflix as the Next Company to Purchase Bitcoin. According to one of the most popular venture capitalists in the cryptocurrency field, Tim Draper, the next major company to buy Bitcoin might be the streaming giant Netflix. He believes that the company’s co-CEO is the guy in control, and he thinks he’s an “innovative guy.”

Charts

This week we have a chart analysis of Bitcoin, Ethereum, Ripple, Polkadot, and Cardano – click here for the full price analysis.

Source: https://cryptopotato.com/107410-2/
