fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Lightning Network Discloses “Concerning” Crypto Vulnerabilities

Lightning Network Discloses “Concerning” Crypto Vulnerabilities

The team behind Lightning Network has released extensive details on the vulnerabilities that were discovered in the cryptocurrency protocol and its software implementations.

Attackers could have exploited these vulnerabilities to cause DoS and to disrupt crypto transactions by intercepting “smart contracts” made between two parties.

Lightning Network is a payment protocol that runs on top of blockchain-based cryptocurrencies like Bitcoin, Ethreum, etc.

Its main selling point is the speed of blockchain transactions. 

Lightning’s website touts the protocol with phrases, “Lightning-fast blockchain payments without worrying about block confirmation times. Payment speed measured in milliseconds to seconds.” 

October’s “partial” disclosure

Earlier this month, Conner Fromknecht, Head of Cryptographic Engineering at Lightning Labs had published a partial disclosure related to the vulnerabilities on Linux Foundation’s mailing list. 

“We are writing to let the Lightning community know about the existence of vulnerabilities that affect lnd versions 0.10.x and below,” said Fromknecht.

This happened on October 9th, when Lightning team’s focus was mainly on prompting the users to upgrade to non-vulnerable versions of the products.

“The circumstances surrounding the discovery resulted in a compressed disclosure timeline compared to our usual timeframes. We will be publishing more details about this in the coming weeks along with a comprehensive bug bounty program,” Fromknecht had further written.

Also Read: How Bank Disclosure Of Customer Information Work For Security

Lightning Network vulnerabilities fully disclosed this week

This week both vulnerabilities impacting the Lightning Network cryptocurrency protocol and its software implementations have been disclosed in full detail.

The vulnerabilities were spotted as early as April 3rd, 2020 by Antoine Riard, a Bitcoin Core and Rust-Lightning contributor at Chaincode Labs.

On discovery, Riard informed both the Lightning Network (LND) team and developers behind its c-lightning and Eclair implementations.

In fact, given Lightning’s growing adoption rate and the fact money was at stake, Riard agreed to wait for six months before publicly disclosing the vulnerabilities discussed below.

Riard further shared with BleepingComputer:

“They are serious [vulnerabilities] because LN nodes channel connections are open, you can freely stake funds with any well-known nodes and thus steal from them.”

“LN nodes are hot wallets.  If it would have been exploited in the wild, the impact would have been direct fund loss for victims (at least for the high-s one [CVE-2020-26895]).”

  1. CVE-2020-26895—”Hodl my Shitsig

    Given blockchain-based protocols deal with money, extensive security measures and failsafe measures are built into them. One such concept is called “transaction standardness.”

    Transaction standardness enforces a set of anti-Denial of Service (DoS) rules on top of the Bitcoin consensus rules a node may already have in place.

    Transaction standardness malleability on the other hand is a form of attack on cryptocurrency protocols that can effectively “invalidate” a transaction – as if it had never happened.

    “This situation is concerning and sound to have been an undersight during Lightning/payment channels protocols design,” wrote Riard. “The transaction standardness surface is quite wide, and any standardness fault, either accidental or malicious triggered, can provoke a loss of funds for a LN node,” he continued.

    Flaws like this one can lead to the security of funds being compromised and open pathways for DoS attacks, according to Riard.
     
  2. CVE-2020-26896—”The (un)covert channel

    The second vulnerability allowed an attacker to intercept and stealthily “steal” the Hashed Timelock Contract (HTLC) signed between two parties.

    HTLC is a “smart contract” used by cryptocurrency protocols that provides ability for the recipient to confirm they have received the payment within a certain time period. Failing to generate an HTLC properly and in time, would void the transaction.

    By exploiting this flaw, an attacker could essentially disrupt an ongoing transaction so that the invoice issuer wouldn’t be paid.

    “If this vulnerability has been exploited, the original sender would have discovered the preimage, according to the pre-agreed invoice but without the issuer effectively being paid,” explained Riard.

    “In case of legal disagreement if the corresponding good/service should be settled, and assuming parties were subject to the same jurisdiction, it could have been an interesting case to
    decide if the invoice/preimage pair is legally binding,” he further advised.

Riard additionally told BleepingComputer, “The codebase is open source and the protocol runs publicly thus patching the vulnerability overtly would have [allowed funds to be stolen] during the deployment. That is the reason patches were covert. Fixes were bundled with other changes.”

Also Read: Data Protection Framework: Practical Guidance For Businesses

Both vulnerabilities were patched in versions 0.11.0 and above of lnd, the open-source implementation of Lightning Network.

“While we have no reason to believe these vulnerabilities have been exploited in the wild, we strongly urge the community to upgrade to lnd 0.11.0 or above ASAP,” the October 9th advisory had stated.

In addition to Riard’s disclosures linked above, the Lighning Network development team has also released separate advisories for CVE-2020-26895 and CVE-2020-26896

Update, 21-Oct-2020: Added quotes provided by Antoine Riard.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us