[HN Gopher] A fake job offer took down Axie Infinity
       ___________________________________________________________________
        
       A fake job offer took down Axie Infinity
        
       Author : danso
       Score  : 355 points
       Date   : 2022-07-06 14:43 UTC (8 hours ago)
        
 (HTM) web link (www.theblock.co)
 (TXT) w3m dump (www.theblock.co)
        
       | trhway wrote:
       | One can wonder how much info for the hack was collected during
       | the interviews. "Tell me about the security protection you
       | architected for your validators".
        
       | Apocryphon wrote:
       | I've got to say, this is an incredibly cyberpunk article.
       | 
       | > Ronin, the Ethereum-linked sidechain that underpins play-to-
       | earn game Axie Infinity, lost $540 million in crypto to an
       | exploit in March. While the US government later tied the incident
       | to North Korean hacking group Lazarus, full details of how the
       | exploit was carried out have not been disclosed.
       | 
       | It's not in William Gibson's style, sounds more like Bruce
       | Sterling's.
       | 
       | > Axie Infinity was huge. At its peak, workers in Southeast Asia
       | were even able to earn a living through the play-to-earn game. It
       | boasted 2.7 million daily active users and $214 million in weekly
       | trading volume for its in-game NFTs in November last year --
       | although both numbers have since plummeted.
       | 
       | > Earlier this year, staff at Axie Infinity developer Sky Mavis
       | were approached by people purporting to represent the fake
       | company and encouraged to apply for jobs, according to the people
       | familiar with the matter. One source added that the approaches
       | were made through the professional networking site LinkedIn.
       | 
       | Also gives me Charles Stross vibes.
        
         | pjbeam wrote:
         | Cyberpunk is now, just sans the 80s fashion inspirations :)
        
           | munificent wrote:
           | _> sans the 80s fashion inspirations :)_
           | 
           | You definitely haven't been paying attention to Gen-Z people
           | then. The 80s are back.
        
             | pjbeam wrote:
             | That's a fair assessment of my attention
        
           | hindsightbias wrote:
            | "The future is already here. It's just not evenly
            | distributed yet" - maybe W. G.
        
           | silentsea90 wrote:
           | Who knows, hackers might be using their $ on fashion but alas
           | the profession makes it hard to flaunt.
        
           | outworlder wrote:
           | Where are my mantis blades?
        
             | jerf wrote:
             | The people in this review seem to think they're alright,
             | but they look very silly to me:
             | https://www.youtube.com/watch?v=tB4DDM8VHVg YMMV. But hey,
             | maybe you can ask them for their design.
        
               | nkrisc wrote:
               | > but they look very silly to me
               | 
               | And pretty impractical as well. They look really poorly
               | designed in terms of maximizing leverage. It also looks
               | like they lose a lot of energy in the flexing of the
               | entire mechanism and their arm, compared to a blade held
               | directly in the hand.
        
         | tadfisher wrote:
         | More like Cryptonomicon without the Nazi gold backing.
        
       | ineedasername wrote:
       | How is Proof of Authority, mentioned in the article, any
       | different than normal social trust and reputational risk
       | associated with that? This seems like a cute way of wrapping up
       | the status quo in crypto lingo.
        
         | dboreham wrote:
         | All it means is that the system organizers decided to make a
         | certain set of keys able to vote on transaction validity.
         | Similar for example to how browser vendors decide to make a
         | certain set of keys valid for issuing certs.
        
       | [deleted]
        
       | cemregr wrote:
        | Is it just me, or does the (x) button on the banner ad on this
        | site not work, and open the ad instead of dismissing it?
        
       | esseti wrote:
        | Did he get the job? Because I guess he was fired from the
        | previous one.
        
         | zanethomas wrote:
        
           | ThePowerOfFuet wrote:
        
         | Quarrelsome wrote:
          | Kinda disgusting he got fired for this if that was the case.
          | It's a very sophisticated attack and I think its conversion
          | rate would be rather high.
        
           | kube-system wrote:
           | The article says they are no longer employed. It is possible
           | that this exploit was only possible because of breaking other
           | security policies.
           | 
           | At least, I hope that any reasonable organization doesn't
           | secure $600+ million dollars by relying on the endpoint
            | security of a device used to access LinkedIn.
        
             | uhhyeahdude wrote:
             | > reasonable organization
        
           | tedunangst wrote:
           | Opening a legit job offer PDF on your work computer could be
           | considered a fireable offense. You should not be using
           | company resources to find your next job.
        
         | cbsks wrote:
         | It's also possible that he quit instead. If I interviewed for a
         | new job, accepted an offer, and then everything blew up in my
         | face... I'd probably not want to stick around.
        
           | rideontime wrote:
           | Yeah, I wouldn't want to work for a company that designed a
           | system that allowed this sort of thing to happen either.
        
       | labrador wrote:
       | Can someone explain to me how a pdf can execute code?
        
         | WorldMaker wrote:
         | PostScript the "graphics language" that PDF was built around is
         | a Turing Complete language.
        
           | marshray wrote:
           | Yes, but PDF doesn't embed the PostScript language (which is
           | basically Forth). Acrobat Reader's Turing completeness comes
           | from weird machines.
           | 
           | https://en.wikipedia.org/wiki/Weird_machine
        
         | Hamuko wrote:
         | https://opensource.adobe.com/dc-acrobat-sdk-docs/standards/p...
         | 
         | Page 414 and forwards. And if you're generally interested in
         | PDF feature bloat, go to page 511 to find out how to embed 3D
         | art, including the manipulation of the virtual camera, in your
         | PDF document.
        
           | labrador wrote:
           | > _12.6.3 An annotation, page object or... that can trigger
           | the execution of an action_ Page 415
           | 
           | What could go wrong?
        
         | pjc50 wrote:
         | Exploits in the PDF viewer.
         | 
         | The Adobe tools in particular have been a bountiful source of
         | exploits for decades, but it's a complicated spec and there are
         | plenty of opportunities for bugs.
        
           | labrador wrote:
           | I see, much like Unicode exploits. I use Chrome to view PDFs
           | which I assume to be safe.
        
             | ylyn wrote:
             | Chrome's PDF viewer seems to be implemented in native code.
             | But it probably benefits from the sandboxing that Chrome
             | does.
             | 
             | I would say Firefox is the safest here, because its built-
             | in PDF viewer is written in JS, although Firefox's
             | sandboxing is not as strong as Chrome's.
        
             | tialaramex wrote:
             | Program and data aren't really different, philosophically.
             | On some level this even applies to people. When someone
             | teaches you French is that program or data? Is it just
             | data? Why can you now understand French then? Or if it's
             | program, how does that work, who taught the teacher how to
             | program you?
             | 
             | So, our best effort is to constrain what certain data can
             | do when we process it, in the hope that this prevents
             | surprising negative consequences like a PDF that steals
             | privileged information and sends it elsewhere.
             | 
             | Notice that, in some sense, a PDF which just contains a
             | photograph of your wife tied to a chair and holding today's
             | newspaper, plus human readable text like, "We have your
             | wife Sarah and all three kids Beth, Jim and Amanda. We are
             | watching. Do not try to call for help. Email the privileged
             | information to crooks@example.com or we will kill your
             | family" is also potentially effective at doing this, but we
             | would not usually consider that an exploit in this context.
             | 
             | One irritation in this space is that programmers love
             | General Purpose Programming Languages. The idea of the
             | general purpose language is that it can do anything. But
             | the problem in this sort of situation is that we don't
             | _want_ programs which can do anything, in fact doing
             | anything is our worst case scenario. We actually want
             | Special Purpose Programming Languages. We want to write our
             | PDF data processing software in a language that _even if we
              | were trying_ can't do the things that should never happen
             | as a result of processing a PDF.
             | 
             | This is the purpose of languages like WUFFS:
             | https://github.com/google/wuffs
             | 
             | You can't write a WUFFS program to, for example, email
             | anything to crooks@example.com even if you desperately
             | needed to, which means you definitely won't _accidentally_
             | write a program which can email the privileged information
             | to the crooks when fed a PDF. Of course the PDF mentioned
             | earlier with the kidnap note inside it could still work.
             | And also of course making a PDF renderer out of WUFFS would
             | be a really big ask. WUFFS-the-library today can render
              | PNG, GIF, BMP but notably not yet JPEG. But it's clearly
             | _possible_ for something like PDF rendering to happen under
             | these constraints. Nobody ordinarily _viewing_ a PDF wants
             | it to do arbitrary stuff.
        
               | labrador wrote:
               | Good idea, but WUFFS is written in C
        
               | tialaramex wrote:
               | Well, WUFFS the library is C code, but that's because in
               | practice the language implementation is a Go program
               | which emits C rather than machine code. There's no reason
               | you can't compile WUFFS the language into, say, Rust, or
               | PowerPC assembler, or a long series of letters to
               | Princess Celestia [the FiM++ programming language],
               | except that nobody did all that hard work.
        
               | labrador wrote:
               | It's amazing what people come up with when they have time
               | on their hands for leisure activities. That's why I look
                | forward to robots doing all the work while humans subsist
               | on universal basic income.
               | 
               | FiM++ - Esolang
               | 
               | https://esolangs.org/wiki/FiM%2B%2B
        
       | ourmandave wrote:
       | _The rate of DeFi hacks has accelerated rapidly this year,
       | topping $2 billion in total funds lost, according to The Block
       | Research data._
       | 
        | Sheesh, you could finance a war with $2B.
        
       | headsoup wrote:
       | I'm still not entirely convinced this wasn't an inside job (or
       | entirely made up) and they just put a nice pot of money away
       | somewhere. Wouldn't be without precedent in the wonderful world
       | of crypto...
        
         | kube-system wrote:
         | You don't just take some dude's word for it when dealing with a
         | $600+ million dollar heist. There were multiple third party
         | investigators involved in the aftermath.
        
           | dboreham wrote:
            | Perhaps they're not taking his word, but waiting for him to
            | move the funds?
        
             | kube-system wrote:
             | They already know where the money went:
             | 
             | https://home.treasury.gov/policy-issues/financial-
             | sanctions/...
             | 
             | And it has already been moved:
             | 
             | https://www.blockchain.com/eth/address/0x098B716B8Aaf215129
             | 9...
        
               | lern_too_spel wrote:
               | From the group that brought you The Interview hack, here
               | is an interview hack.
        
               | jandrese wrote:
               | This doesn't mean it wasn't an inside job. Dude could
               | have a nice payday for "oops I got PDF hacked", plus
               | giving away enough information about their internal
               | organization to make the attack feasible.
        
               | kube-system wrote:
               | The organizations that were called in to investigate this
               | are very well aware of the likelihood of insider-threat
               | attacks. It is basically financial fraud 101. They
               | haven't released any information beyond what was detailed
               | here, but you can be certain that it was thoroughly
               | covered.
        
               | tehlike wrote:
               | Given it's crypto, there might be game in a game. You
               | never know.
        
               | tartoran wrote:
                | Or the dev could be simply set up to take the blame.
               | Everything's possible. Or an ex employee could have
               | surveyed the system and shared data with a larger group
               | to perform the operation.
        
       | Thorrez wrote:
       | Google warned of North Korean hackers targeting security workers
       | through LinkedIn in January 2021.
       | 
       | https://blog.google/threat-analysis-group/new-campaign-targe...
        
       | paulpauper wrote:
        | I think the media and tech writers overestimate the efficacy of
        | spear phishing attacks. There is tons of research involved in
       | finding suitable targets and then planning out the attack, such
       | as the exploit, fake websites, fake emails, and other
       | ingredients.
        
         | t_mann wrote:
         | I think this is instead a good reminder that no matter how
         | complicated / unlikely a specific attack vector seems, if the
         | bounty is large enough you better assume that someone is going
         | to do it.
        
         | larsiusprime wrote:
         | It helps when your boss is a state actor and your target
         | chooses to put $625 million in assets behind what amounts to a
         | single point of failure
        
           | rchaud wrote:
           | Surely the technology experts at A16z and Binance could have
           | given them some basic cybersecurity tips before cutting a
           | $300 million check?
        
         | hn_throwaway_99 wrote:
         | Huh? Don't understand your point. When the potential bounty is
         | $540 million, seems like investment well spent.
         | 
         | Just another reason crypto is a godsend for bad guys (obviously
         | other financial crimes occur, e.g. with convincing folks to
         | send fake wires) but there aren't many better ways to steal
         | half a billion dollars I think. But, yeah yeah, "HN is so mean
         | and hates crypto!!!"
        
           | paulpauper wrote:
           | This is a huge outlier though and it's not $500 million of
           | cash but $500 million of crypto that must be
           | processed/laundered slowly into usable cash, which may not
            | even be doable. Given the recent crash it's probably more
            | like a hundred million now.
        
       | jacquesm wrote:
       | Meanwhile, my kids' school forces them to use windows, spreads
       | around lots of information that should be on websites as pdfs and
       | asks to install all kinds of software from dubious sources
       | including stuff that can only properly be classified as a rootkit
       | in disguise.
       | 
       | People are conditioned to trust certain verticals, Google, Apple,
       | Microsoft (which owns LinkedIn) and a bunch of others and will
       | lower their guard. Which is why it works so well. In fact I've
       | received email from some of those where I was pretty sure I was
       | being spearphished but they turned out to be real (but not on
       | LinkedIn, which I refuse to join).
        
       | alexfromapex wrote:
       | This is so interesting, I just reported someone doing this on
       | LinkedIn to the IC3. They create fake companies and ask for
       | details like your SSN to ostensibly run a background check on you
       | but in actuality it's to steal your identity or use your info to
       | gain access to restricted resources.
        
       | dboreham wrote:
       | In my mind there has to have been some insider involvement (at
       | least) in this attack. There are too many things unknowable to
       | outsiders that would need to be known.
        
       | treme wrote:
        | It's hilarious that KJU was probably among the biggest
        | benefactors of the crypto boom.
        
       | jspdown wrote:
       | They rely on 9 trusted validators, the hacker managed to get
       | access to the private keys of 4 out of the 9 validators.
       | 
       | What's the point of using a Blockchain if you end up centralizing
       | validations like that?
        
         | kwertyoowiyop wrote:
         | Don't worry, they're going to have 100 trusted validators, thus
         | solving the problem...FOREVER.
        
         | ltbarcly3 wrote:
         | The true answer is that it doesn't make sense but investors
         | don't care because BLOCKCHAIN
        
         | mikevin wrote:
         | 'Proof of Authority' sounds an awful lot like the regular
         | banking system.
        
       | anyfactor wrote:
       | TLDR
       | 
       | Job offer PDF was downloaded to office computer. PDF had spyware
       | that infiltrated the system.
        
       | CarbonCycles wrote:
       | LN has now become a dumping ground for spammers, scammers, and a
       | social network site. It's lost its appeal, and I am getting more
       | scammers all the time.
       | 
       | I'm beginning to contemplate what value LN provides as LN has
       | focused on more aggressive marketing tactics, and it's starting
       | to feel like Instagram with the engagements metrics...
       | 
        | Oh yeah, I'm still perplexed on how anyone would ever go into an
       | interview w/out doing any homework on the company...even the
       | smallest of start-ups have a presence on the net. They better
       | damn-well have a pitch deck for new capital and employees.
        
       | Animats wrote:
       | This reads like blameshifting. Axie Infinity is a Ponzi on the
       | way down. They need someone to blame for their failure.
        
       | schemescape wrote:
       | They say that a worker downloading (and presumably viewing) a PDF
       | (fake job offer) allowed spyware in. Which PDF viewer was
       | exploited?
        
         | alexk307 wrote:
         | You can easily embed arbitrary javascript into any PDF, and you
         | can obfuscate it pretty well enough to get past most endpoint
         | security tools on the market.
        
           | WorldMaker wrote:
           | You don't even need JS in a PDF. PostScript remains a Turing
           | Complete language on its own.
        
           | Nextgrid wrote:
           | That JS would be sandboxed similar to in browsers, so you'd
           | still need an exploit to break out of that.
        
             | kube-system wrote:
             | Not too tough, if you're a state backed group. Just buy
             | one.
             | 
             | The going price for Adobe PDF RCE zero-days is $80,000
        
           | Jwarder wrote:
           | Is there a good no-nonsense way to clean PDFs of possible
           | threats? Hunting around I see mentions of converting
           | PDF->Postscript->PDF to remove junk, but I also see mentions
           | that Postscript is its own security mess.
        
             | jabroni_salad wrote:
             | Your only option is to disable all of those fancy features.
             | That config only lasts until someone needs to file a form
             | with the government though.
        
         | Nextgrid wrote:
         | I'm not sure it was even an exploit. It could very well be an
         | intentionally-malformed PDF that pretends it has to be opened
         | in a special "viewer" software, maybe even Adobe- or DocuSign-
         | branded.
        
         | snickerbockers wrote:
            | I'm guessing it was the ol' ".pdf.exe" trick.
        
           | Hamuko wrote:
            | This sounds way too sophisticated for them to risk it with an
            | "Offer.pdf.exe". Especially if it was state-backed. If the
           | victim notices it, and the bar isn't high, you'd basically
           | spook him away and alert the entire company.
        
           | j0hnyl wrote:
           | You're downvoted, but I'm certain this is exactly what it is.
        
           | hn_throwaway_99 wrote:
           | That trick doesn't work anymore for any reasonably modern
           | email client.
        
             | snickerbockers wrote:
             | That's when you remind him that your boss needs to get this
             | role filled by the end of the week so if you don't get a
             | response by tomorrow you'll have no choice but to offer the
             | job to another candidate.
        
             | bfgoodrich wrote:
        
             | silverPoodle wrote:
             | You can put it into a .zip archive or just send an email
             | containing a link with a fake PDF
        
         | samatman wrote:
         | To quote Fight Club: a major one.
        
       | t_mann wrote:
        | This is an important social engineering attack vector that all
        | companies should be aware of. These kinds of targeted attacks
        | (often spoofing valid contacts that employees would legitimately
        | exchange documents with) have been common for as long as I can
        | remember the space, but using job applications is particularly
        | disingenuous because employees are naturally going to be a bit
        | secretive about those.
        
       | Ekaros wrote:
        | And this is why you should separate work machines from private
        | ones and anything else. Especially when working with something
        | high value.
        
       | petilon wrote:
       | If you care about security, two things you don't want to install
       | on your computer are Adobe Acrobat and Microsoft Office. These
        | products were written in the 1990s in C/C++ and are impossible
        | to secure. Microsoft does not allow installing Office on Secure
       | Admin Workstations (SAW) [1] for a reason!
       | 
       | [1] https://www.microsoft.com/en-us/insidetrack/protecting-
       | high-...
        
       | wly_cdgr wrote:
       | How do you go through a whole job interview process and not
       | realize that the company you are applying to is fake and doesn't
       | exist?!
       | 
       | ...Oh wait, this is crypto
        
         | vgel wrote:
          | I applied to (and got a job at and worked for a bit at) a
          | stealth-mode startup and it felt like a scam. No web presence,
          | nobody had it listed as their job on LinkedIn, a couple vague
         | references to funding rounds online that mentioned a different
         | business model (turns out they had pivoted), etc. Remote
         | applications are weird.
        
         | a4isms wrote:
         | How should we respond if we interview for a non-crypto job, and
         | when we can't get any background on the company, they explain
         | that they're in "stealth mode" to protect the advantage of
         | surprise?
         | 
         | From time to time there are real startups that decide to fly
         | under the radar until they're ready to show the world what
         | they've built. Of course, many such companies turn out to be
         | massive duds... Like Cuil.
         | 
         | https://en.wikipedia.org/wiki/Cuil
        
         | 999900000999 wrote:
         | Just interviewed with a crypto company, can confirm. Even
         | "legitimate" companies with a web presence, customers, etc,
         | come off as super sketchy.
         | 
         | That said, for lower income people you'll be absolutely
         | inundated with scams, a good friend of mine just hit me up cuz
         | someone wanted to promise him for $100 or so a week, you'd
         | somehow become a crypto millionaire. I actually think crypto in
         | its entirety is a giant scam, there's just levels of
         | sophistication to it.
         | 
          | Not everyone's going to fall for "give me $100 and I'll turn
          | that into $10,000", but a ton of people fell for "buy a bunch
          | of crypto coins and hold, time the market and sell".
        
       | jandrese wrote:
       | What an incredible story. In fact it is so incredible that it
       | smells a bit funny to me.
       | 
       | Are we sure this heist wasn't an inside job? Axie was collapsing
       | under its own weight and an employee decided to swipe all of the
       | crypto after making up this crazy job offer PDF story to cover
       | their tracks.
        
         | password4321 wrote:
         | I'm amazed I had to scroll down this far to find the obvious
         | explanation: a rug pull with a press release so the perpetrator
         | doesn't have to fake their own death.
         | 
         | Edit: I thought the lack of details was fishy but the following
         | would be tough to fake:
         | 
         |  _the FBI has attributed North Korea-based Lazarus Group,
         | highly skilled hackers, to the Ronin Validator Security Breach.
         | The US Government, specifically the Treasury Department, has
         | sanctioned the address that received the stolen funds_
        
       | xigency wrote:
       | So they lost half a billion dollars because they forgot to set up
       | Multi Factor Authentication?
        
         | marshray wrote:
         | MFA can't help you if your network admin is willing to open an
         | untrusted file with an Adobe product.
        
       | hn_throwaway_99 wrote:
       | Two points to highlight from this article:
       | 
       | 1. LinkedIn is an absolute godsend for bad guys, allowing easy
       | targeting of everyone in the company with spear phishing emails
       | and texts. I know many security professionals no longer use their
       | real name, and don't list the real name of their company, because
       | they know it's such a great hacking vector. Not sure what/whether
       | LinkedIn can do anything about this.
       | 
       | 2. I wish there were more information about what the
       | vulnerability was in the PDF in the first place. I think a lot of
       | people would be wary of downloading a PDF from a stranger, but
       | not from someone who you had multiple interview rounds with and
       | who offered you a job.
        
         | jcrawfordor wrote:
         | Most PDF "attacks" in the real world are very unsophisticated.
         | One of the most common uses of PDFs in a phishing context is
         | just as a way to deliver a link that would likely result in
         | blocking by email security products (many don't inspect inside
         | PDFs, and even for those that do the PDF format is complicated
         | enough that it offers tremendous opportunities for
         | obfuscation). I would wager money that the "PDF attack"
         | involved here was as simple as a link to a malicious executable
         | presented in a PDF to avoid detection by email filtering... in
         | my time as a security analyst this was the #1 source of real
         | compromise incidents, and anecdotally it seems to remain
         | popular today based on the number of such PDFs I receive in my
         | spam email.
         | 
         | The PDF format presents many opportunities for other exploits,
         | either obfuscating a payload or running code, but modern PDF
         | viewers are locking these opportunities down to such a degree
         | that they are not very reliable (most of all because it is
         | difficult to know which PDF viewer your target will use, and
         | many popular PDF viewers today like pdf.js are relatively
         | feature-incomplete which is a significant security advantage in
         | this case). It's possible that something more sophisticated was
         | going on but I would be very surprised if it was anything more
         | complex than using the PDF as an obfuscated transport for a
         | binary packed in it and invoked by the user (e.g. by clicking a
         | link in the PDF with a javascript target). Non-user-interaction
         | PDF vulnerabilities exist but are increasingly hard to come by
         | as there has been more than a decade of work on locking down
         | PDF viewers and the situation has improved dramatically in that
         | time.
         | 
         | Contrary to what people sometimes expect, highly organized
         | groups (such as APTs) tend to stick to very basic, simple
         | methods as much as possible, since they are relatively
         | reliable. The use of recent vulnerabilities in a specific PDF
         | viewer, for example, is high risk due to the likelihood of
         | failure and the opportunities for analysis it presents (you
         | will have to do custom development rather than using off-the-
         | shelf tooling). This is the kind of thing that organized groups
         | try to avoid as much as possible, subject to an ROI analysis.
         | Or in other words, if putting a link to an EXE in a PDF still
         | works, why would you bother with anything else?
        
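Added example, not code from the thread or from any PDF product it names: a lexical triage script in the spirit of pdfid that covers both cases raised above (Jwarder's question about cleaning PDFs and jcrawfordor's "link to an executable inside a PDF" lure), decoding PDF name escapes before matching so that a hidden /J#61vaScript is still caught and pulling the link targets and script text out of literal and hex strings. The three sample PDFs, the example.invalid host and the Offer.pdf.exe filename are constructed for the demo.

```python
import re

# Added example, not code from the thread or from any PDF product named in it: a
# lexical scan that does not inflate streams, so it is a first-pass filter only.
RISKY_NAMES = {
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/URI",
    "/EmbeddedFile", "/RichMedia", "/SubmitForm", "/ObjStm",
}  # /OpenAction and /AA fire without a click; /ObjStm hides objects from this scan
EXEC_EXT = re.compile(r"\.(exe|scr|msi|bat|cmd|js|vbs|hta|lnk)\b", re.IGNORECASE)
NAME_TOKEN = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
STRING_OBJ = re.compile(rb"\s*(?:\((?P<lit>[^)]*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes in a PDF name (ISO 32000-1, 7.3.5): b'J#61vaScript' -> '/JavaScript'."""
    plain = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)
    return "/" + plain.decode("latin-1")

def extract_strings(data: bytes, target: str) -> list[str]:
    """String operand directly following each `target` name, decoding literal (...)
    and hex <...> forms. Escaped parentheses are not handled; this is triage only."""
    found = []
    for m in NAME_TOKEN.finditer(data):
        if decode_name(m.group(1)) != target:
            continue
        s = STRING_OBJ.match(data, m.end())
        if s is None:
            continue
        if s.group("lit") is not None:
            found.append(s.group("lit").decode("latin-1"))
        else:
            digits = re.sub(rb"\s", b"", s.group("hex"))
            if len(digits) % 2:  # an odd final digit is read as if followed by 0
                digits += b"0"
            found.append(bytes.fromhex(digits.decode("ascii")).decode("latin-1"))
    return found

def triage_pdf(data: bytes) -> dict:
    """Count risky names, pull out link targets and script text, flag #xx-hidden names."""
    counts: dict[str, int] = {}
    obfuscated = False
    for m in NAME_TOKEN.finditer(data):
        name = decode_name(m.group(1))
        if name in RISKY_NAMES:
            counts[name] = counts.get(name, 0) + 1
            obfuscated = obfuscated or b"#" in m.group(1)
    uris = extract_strings(data, "/URI")
    return {
        "risky_names": counts,
        "uris": uris,
        "executable_links": [u for u in uris if EXEC_EXT.search(u)],
        "js_snippets": extract_strings(data, "/JS"),
        "obfuscated_names": obfuscated,
    }

def verdict(report: dict) -> str:
    names = report["risky_names"]
    auto = "/OpenAction" in names or "/AA" in names
    active = any(n in names for n in ("/JavaScript", "/JS", "/Launch"))
    if auto and active:
        return "auto-executing action: block and analyze"
    if report["executable_links"]:
        return "link to executable: likely download lure"
    if names:
        return "active content present: open only in a sandboxed, feature-limited viewer"
    return "no active content found"

# Constructed samples (inert, not real malware); example.invalid and Offer.pdf.exe
# are placeholders. BENIGN carries no active content at all.
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# LURE: a link annotation whose target is an executable, the "link in a PDF" case.
LURE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"   /A << /S /URI /URI (http://example.invalid/Offer.pdf.exe) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# AUTO: /OpenAction runs on open; the action type is spelled /J#61vaScript and the
# script is a hex string; both decode to plain /JavaScript and "app.alert(1);".
AUTO_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS <6170702e616c6572742831293b> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("lure", LURE_PDF), ("auto", AUTO_PDF)):
        print(f"{label:7}{verdict(triage_pdf(doc))}")
```

Real documents keep most objects inside FlateDecode or /ObjStm streams, so a clean result from this scan means only that nothing risky is visible in plain text; inflate the streams first (or run the file through a feature-stripping converter) before trusting it.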
           | noduerme wrote:
           | If it's just a javascript link to download an EXE, doesn't
           | the target of the hack still need to run the EXE? Or are you
           | saying that a link in a PDF can install _and_ execute code on
           | its own?
           | 
           | Assuming it can't, then the engineer had to click to run some
           | unknown EXE after downloading it... that should hardly be
           | described as a "PDF attack".
        
             | TechBro8615 wrote:
             | There is a whole class of attacks related to "deep linking"
             | and custom URL schemes that the operating system can pass
             | to any application that registers itself to match it. At
             | that point the sanitization is up to the application.
             | 
             | I recently stumbled upon a nice write-up [0] that described
             | this class of attack and surveyed which software was
             | vulnerable to it. Many crypto clients were included.
             | 
             | [0] https://positive.security/blog/url-open-rce
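
The class of bug TechBro8615 points at is argument injection through a registered URL scheme: the OS hands the whole link to the application, and if the handler splices it into a shell line or passes it straight through as an argument, whoever crafted the link controls the process's arguments. The code below is an added example written for this thread, not code from the linked write-up or from any of the clients it surveys; the scheme name walletapp, the binary path and the link shape are hypothetical.

```python
import re
import shlex
from typing import List
from urllib.parse import unquote, urlparse

# Hypothetical values for the example: the scheme the app registered with
# the OS and the binary the handler hands the link to.
SCHEME = "walletapp"
VIEWER = "/usr/bin/walletapp"

# The only deep link this handler accepts: walletapp://open/<64 hex chars>
TX_ID_RE = re.compile(r"^/([0-9a-f]{64})$")


def vulnerable_command(url: str) -> str:
    """The anti-pattern: splice the URL the OS handed us into a shell line
    (the kind of thing passed to subprocess.run(..., shell=True))."""
    return f"{VIEWER} --open {url}"


def shell_tokens(url: str) -> List[str]:
    """How /bin/sh would split the vulnerable command into words. Word
    splitting alone is enough to smuggle in extra options; a real shell
    would also expand $(...) and honour ';' and '|'."""
    return shlex.split(vulnerable_command(url))


def hardened_argv(url: str) -> List[str]:
    """Validate the deep link and return an argv list for an exec-style
    call (subprocess.run(argv) with no shell). Raises ValueError on
    anything that is not exactly the link shape this app expects."""
    parts = urlparse(url)
    if parts.scheme != SCHEME:
        raise ValueError(f"unexpected scheme {parts.scheme!r}")
    if parts.netloc != "open":                      # action allow-list
        raise ValueError(f"unknown action {parts.netloc!r}")
    if parts.params or parts.query or parts.fragment:
        raise ValueError("query/fragment not permitted")
    m = TX_ID_RE.match(unquote(parts.path))        # decode once, then validate
    if not m:
        raise ValueError("malformed transaction id")
    tx_id = m.group(1)
    # tx_id is pure hex, so it can never begin with '-' and be parsed as an
    # option; '--' ends option parsing anyway, as defence in depth.
    return [VIEWER, "open", "--", tx_id]


if __name__ == "__main__":
    good = "walletapp://open/" + "ab" * 32
    print("safe argv  :", hardened_argv(good))
    evil = "walletapp://open/x --inspect=9222"
    print("shell words:", shell_tokens(evil))        # extra option appears
    for bad in (evil, "walletapp://open/$(id)", "walletapp://open/--help"):
        try:
            hardened_argv(bad)
        except ValueError as e:
            print("rejected   :", bad, "->", e)
```

The two rules that matter are in hardened_argv: never build a shell string from the link, and allow-list the shape of every component rather than trying to strip "dangerous" characters out of it.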
        
         | joshstrange wrote:
         | Personally I don't update my LinkedIn until I start looking for
         | a new job. There is absolutely no need for anyone to know where
         | I work (or at least for me to share that far and wide
         | publically) and I'm not interested in cold emails/cold linkedin
         | messages.
         | 
         | My decision was cemented in 2020 when someone who didn't like a
         | tweet of mine retweeted it to my old company's twitter account
         | trying to get me fired/reprimanded (The tweet in question
         | called out my local PD for a dubious tweet they made, the
         | person who tried to get me in trouble lived in a different
         | state 12+ hours away). Thankfully my current company wouldn't
         | have cared but there is no need to give people ammo.
        
           | V-2 wrote:
           | Which is why I simply don't use my real name (well, not a
           | full name) for my Twitter account. I have the right to keep
           | my professional and private persona separate, and if someone
           | really wanted to, they could find out where I work anyway.
           | (I'm not tweeting anything extreme in my own view, but
           | there's always someone who will regard it as such, and as you
           | say, what's good about giving people such option to begin
           | with).
        
           | hn_throwaway_99 wrote:
           | > Personally I don't update my LinkedIn until I start looking
           | for a new job.
           | 
           | Perhaps semi-off topic, but note there are companies that
           | sell software (spyware?) to HR departments that specifically
           | trolls LinkedIn looking for when employees update their
           | LinkedIn profiles as a sign they're looking for a new job.
           | This may or may not be a good thing depending on your
           | position, perspective, or company, but just be aware it
           | exists.
        
             | heleninboodler wrote:
             | Last time my RSU cliff came around, I logged into LinkedIn,
             | updated my profile and accepted the backlog of connection
             | requests (and read the flurry of "congratulations on your 4
             | year anniversary" messages). I almost immediately got Slack
             | messages saying "are you leaving?" But I _wanted_ them to
             | notice; that was the point.
        
             | joshstrange wrote:
             | Yeah, though I'd get dinged by that either way since I
             | normally update my bio to include recent projects/tech I've
             | worked with. This way I can hide behind plausible
             | deniability "Oh, I just got around to adding X company to
             | my LinkedIn" if I need to, whereas updating an existing
             | entry is harder to justify (without giving away you are
             | looking). Though I also try not to work for companies that
             | I would need to worry about that.
        
               | mgkimsal wrote:
               | > whereas updating an existing entry is harder to justify
               | (without giving away you are looking)
               | 
               | I don't think it is at all. Indeed, if you're updating it
               | regularly (every 3-4 months, perhaps?) with new
               | project/task stuff, it's simply keeping things fresh in
               | your mind, vs having to try to trawl back 3 years to
               | think about project FOO.
               | 
               | If you _only_ update it once every 2 years, then people
               | can draw more nefarious conclusions.
        
               | outworlder wrote:
               | You can't really reason with algorithms.
               | 
               | You'll be placed in a list with a score next to your
               | name.
               | 
               | > Though I also try not to work for companies that I
               | would need to worry about that.
               | 
               | How do you figure out what kind of software your company
               | uses internally?
        
               | joshstrange wrote:
               | > How do you figure out what kind of software your
               | company uses internally?
               | 
               | I work for smaller companies that are more concerned with
               | building instead of turning their workforce into scores
               | on a list.
        
               | cmeacham98 wrote:
               | I doubt they'd actually ask you about it (and thus give
               | you a chance to "explain" yourself), HR would just note
               | you down and you'd be more likely to be laid off, less
               | likely to get promotions approved, etc.
        
               | adaml_623 wrote:
               | I know this is off topic but I'm always confused by the
               | attitude you've mentioned where companies don't actively
               | work to retain staff.
               | 
               | I wonder if there are any courses for managers to train
               | them to think logically about this and not switch into
               | bad decisions based on emotion.
               | 
               | Companies waste so much money on hiring and then deciding
               | to react very slowly to changes in market conditions. If
               | businesses treated their staff like they treat their
               | clients...
        
               | kortilla wrote:
               | > less likely to get promotions approved
               | 
               | This is not how companies work (at least the ones worth
               | working for). Retention risk is a reflection on their
               | current role, compensation, manager, etc.
               | 
               | We have absolutely promoted high performing employees
               | and/or given them raises even though we knew they were
               | looking at other opportunities.
        
               | cmeacham98 wrote:
               | Companies worth working for aren't talking their
               | employees in LinkedIn.
        
               | joshstrange wrote:
               | Fair, though if I'm looking I'm planning on being gone in
               | 1-2 months max and I'm probably leaving in part due to
               | lack of promotion.
        
           | MisterBastahrd wrote:
           | Meanwhile, my company actively gives us hints on how to
           | spruce up our resumes with marketing bullshit that impresses
           | nobody but middle managers who think that keyword searches
           | with word soups like "Innovator. Thought-Haver. Bringer of
           | Boys To the Yard." are their paths to big league success.
        
         | BolexNOLA wrote:
         | It's a shame too. In my experience LinkedIn has been great for
         | job hunting, indeed et al. were worthless time sinks for me. I
         | want to keep it just for the ability to job hunt and get
         | _results_ but as you said...it's a risk too.
        
           | V-2 wrote:
           | That's the only thing it's good for, but that thing actually
           | works. My last three job offers were from LinkedIn (I
           | ultimately rejected one because my employer at the time gave
           | me a counteroffer when I handed my notice, but I did accept
              | the other two). The "content" on LI (feelgood / motivational
              | BS) is so ridiculous that I sort of contempt-read it
              | ("hateread" would be too strong a word) for the heck of it,
           | but I can't wrap my head around WHY people would participate
           | in this nonsense for real.
        
             | BolexNOLA wrote:
             | Yeah I really don't see any appeal beyond jobs (my current
             | job came from it). The content is just SEO/personal
             | branding fodder.
        
             | rurp wrote:
             | When I first signed up for LI I honestly couldn't tell the
             | difference between the actual feed and a what I imagined a
             | parody site would look like. The posts that proclaim
             | themselves to hold controversial ideas, followed by the
             | most banal cliches possible, crack me up.
             | 
             | Once in a while I check the feed for kicks and it's always
             | 100% spam, cliches, humble brags, and not-so-humble brags.
        
         | ineptech wrote:
         | > I wish there were more information about what the
         | vulnerability was in the PDF in the first place.
         | 
         | Agreed, I thought that opening a read-only PDF was GRAS
         | regardless of the application.
        
           | WorldMaker wrote:
           | PostScript is a Turing Complete language (always has been),
           | and an over-simplified description of PDF is that it "just"
           | wraps PostScript in a single Virtual Machine to target
           | (versus PostScript has a lot of subtly different physical
           | machines it was built for/targeted).
           | 
           | That "PDF VM" has had many 0-day RCE bugs over the years.
           | Thankfully though the VM is standardized with the format it
           | does have multiple implementations still in different
           | applications and many exploits are application-specific
           | implementation bugs.
        
         | LegitShady wrote:
         | I see people posting things even on HN where its a link to a
         | PDF and I don't click on them. I remember PDF being a leaky and
         | buggy format whose interpreters were full of vulnerabilities. I
         | don't click on PDFs.
        
         | ChrisMarshallNY wrote:
         | _> LinkedIn is an absolute godsend for bad guys_
         | 
         | I am listed as the Principal on a couple of companies, and get
         | _constant_ approaches that are obviously fake (like an
          | attractive young "stewardess" from Dubai, who just happened to
         | like my picture (which is actually my logo)).
         | 
         | I've given up reporting them, as LI _always_ responds with
         | "This is not in violation..."
        
           | djbusby wrote:
           | Isn't LI owned by MS?
        
             | JohnJamesRambo wrote:
             | Is there a "Best of" archive for HN comments?
        
             | ChrisMarshallNY wrote:
             | Yup. I'm gonna remove my cynical comment (although I still
             | totally believe it). It's just not helpful. I think people
             | can figure it out, for themselves.
             | 
             | Also, people use LI as a way to aggregate information, then
             | send emails that appear to be from LI, but are not. I got
             | one of those, yesterday, and reported it to LI, saying
             | "These guys obviously used your service to construct this
             | honker."
             | 
             | And LI's reply was ... envelope, please ... "Not our
             | problem. Go away, kid. Yer bodderin' me." but stated a bit
             | more politely.
             | 
             | I deliberately stay fairly open. I mentioned that, some
             | time ago. It comes with some problems, like a determined
             | bad actor can build up a fairly good profile.
             | 
             | But I have had _years_ of experience, rubbing elbows with
             | professional con artists, so I am maybe a little tougher to
             | fool than many (but some approaches have come close -these
             | folks are good). I would never be so arrogant to say that I
                | can't be phished or whaled, but it's almost certainly not
             | worth the effort.
        
               | wombatpm wrote:
                | I recently had someone try the CEO/boss needs something
               | right away for a customer ruse via text. I know LI was
               | the source, because it referenced my previous job and LI
               | still had the incorrect information. I played along that
               | I was ready to purchase with my corporate card. Then
               | after wasting more of their time, I sprung that they were
               | fishing with old bait. Good times
        
               | PebblesRox wrote:
               | I'd love to hear more about your experience with con
               | artists!
        
               | ChrisMarshallNY wrote:
               | It's not the type of story that I really share in the
               | venue of press, radio and films, if you get my drift.
               | 
               | I'm happy to chat -a bit- about it, directly. Many of the
               | stories that I know, are not mine, to tell.
        
               | cosmodisk wrote:
               | Same here. I grew up knowing some very shady people. Some
               | of the stuff could easily be turned into books or a
               | script for a movie.
        
         | _fat_santa wrote:
         | I think one shouldn't discount the attack vector that is just
         | working in the Crypto industry, especially when you're someone
         | who works with startups rather than the big guys.
         | 
         | In the "Web2 Sector", it would be very easy IMO to snuff out a
         | fictitious company. I've gotten a handful of "offers" in the
         | past and you can see straight through them, because the company
         | doesn't exist in real life and you can't find any info on it,
         | huge red flag.
         | 
         | The problem with the "Web3 Sector" IMO is you have a bunch of
          | upcoming players in the space that no one has heard of. Just
          | like investors in Crypto, if you're a developer in the space, no
         | doubt you are jockeying to join a project that might land you a
         | 7-10 figure windfall at the end.
         | 
         | So if an unheard of company approached me, I would tell them to
         | kick rocks. If a similar company approached someone in the
         | "Web3 Sector", they might take it thinking it's an emerging
         | opportunity. I'm sure this still happens with Startups but my
         | gut says it's really bad in the Web3 space.
        
         | samstave wrote:
         | Speaking of spear phishing:
         | 
         | When I was at lockheed we had an incident whereby a bunch of
         | folks had attended some defense conference, and after the fact
         | received emails from folks they had 'met' at the conference,
         | something along the lines of
         | 
         | "Hey Bob, we met at the [defense] conference this last week and
         | I wanted to be sure you had my contact info: malware-
         | contact.vcf"
         | 
         | or some other payload.
         | 
         | This installed a very slow sprawling worm which would slowly
         | trickle data out of lockheed to China.
         | 
         | It was not discovered for quite a while due to how slowly it
         | operated, but someone had complained about machine performance
         | and IT looked at the machine and discovered the worm... after
         | removing it - this somehow sent a signal to China that they had
         | been found and all the worms started to firehose as much as
         | they could until egress was closed. At the time, all of
          | Lockheed's 150,000 employees had just three egress points to the
         | internet. They had to shut them all down to kill that worm.
        
         | secondcoming wrote:
         | Also, don't use a company device for personal business.
         | 
         | If you use your own device then do company work in a VM.
        
           | jessaustin wrote:
           | Opening the pdf wasn't "company work", so maybe everything
           | should be done in a VM? (Not the _same_ VM!)
        
             | secondcoming wrote:
             | He opened it on a company device I assume
        
               | jessaustin wrote:
               | That's possible, and addressed by your first sentence
               | above. You wrote the second sentence to address a
               | different possibility. In that case, a process with
               | access to the whole device could read e.g. auth tokens
               | contained in a VM.
        
         | jedberg wrote:
         | I'm not sure this is Linkedin's problem to solve. They are just
         | a directory.
         | 
         | I suppose they could add a phishing warning for messages sent
         | on LinkedIn, but really it's an education problem, teaching
         | people to identify what phishing emails look like and how to
         | avoid them. This is a problem I've been working on since at
         | least 2003, when we realized that the best way to prevent eBay
         | account takeovers was teaching people what phishing is. We also
         | identified that education is the hardest solution to achieve.
         | 
         | It's ironic that the security professionals are the ones hiding
         | their identity, given that they are the best prepared to
         | identify and avoid phishing emails.
        
           | hungryforcodes wrote:
           | You're right -- apparently it's a PDF problem, and I'm still
           | looking for an explanation of how a simple PDF could be worth
           | half a billion dollars.
        
           | burrows wrote:
           | > I'm not sure this is Linkedin's problem to solve. They are
           | just a directory.
           | 
           | If the issue reduces user metrics, then they will want to fix
           | it. Ultimate responsibility seems irrelevant.
           | 
           | > It's ironic that the security professionals are the ones
           | hiding their identity, given that they are the best prepared
           | to identify and avoid phishing emails.
           | 
           | I might have demolitions training, but I'd still rather walk
           | around the minefield.
        
         | aaronharnly wrote:
         | On (1), I have seen employees get spear-phishing texts (Welcome
         | X! This is the CEO of Y. I need you to do a small favor...)
         | within hours of updating their LinkedIn. I assume there are
         | robots crawling it constantly looking for fresh candidates for
         | account takeovers or other scams.
        
         | alexfromapex wrote:
         | I think one other thing that bears mentioning is that
         | LinkedIn's reporting doesn't easily let you explain how someone
         | is performing a scam. If you're diligent you can find the link
         | somewhere where you can actually explain it but when you just
         | "report" someone or a job the response from LinkedIn is usually
         | "We didn't find anything indicating this is a scam" or similar.
        
         | walrus01 wrote:
         | > I know many security professionals no longer use their real
         | name, and don't list the real name of their company, because
         | they know it's such a great hacking vector. Not sure
         | what/whether LinkedIn can do anything about this.
         | 
         | on the other hand I bet you could collect some interesting
         | things by creating a few fake people as linkedin honeypots at
          | FAANGs, and I would be very surprised if their infosec/netsec
         | teams aren't already doing this.
         | 
         | or getting real people who opt-in to have their linkedin
         | profile receive incoming scams, virus, trojans, phish links and
         | pipeline them into the infosec/netsec team.
        
         | bl_valance wrote:
         | Isn't the issue here that they used their work laptop or were
         | on their work's internal network(VPN?) to "apply" for this job?
         | 
         | This is something I see/hear so often, people using work
         | equipment/network to conduct their personal stuff. This, IMO,
         | should not be allowed at all.
        
         | Dig1t wrote:
         | I deactivated my LI after my last job search, it hasn't
         | affected my life at all since then. I don't know why you need
         | one at all most of the time. Even without one, I think it would
         | be perfectly easy to get interviews at companies, most
         | interviews I've done in the past have been the ones I got by
         | just going to the company's website and applying directly
         | anyway.
        
         | caseysoftware wrote:
         | Some in the security community demonstrated this with Robin
         | Sage, circa 2009: https://en.wikipedia.org/wiki/Robin_Sage
         | 
         | It introduces the idea of "transitive trust" where person A
         | might not know person B but if the two have a bunch of contacts
         | in common, the odds of A trusting B goes up. When there's a
         | profile with tens or hundreds of shared connections, it looks
         | real by all accounts.
         | 
          | I wrote about this as an intel gathering/attack vector way back
         | in the day but it's 100x better now because connecting is
         | second nature and people trust more now:
         | https://caseysoftware.com/blog/open-source-intelligence-link...
        
         | elif wrote:
         | I'm so confused by #2 as well.
         | 
         | If pdf is compromised, is it fixed? This seems like the kind of
         | vulnerability that would ruin pdf's reputation permanently. It
         | was the safe alternative to sending someone a .doc particularly
          | because of its limited functionality.
        
         | kornhole wrote:
         | I only use titles such as 'Employee' 'Worker' 'Carbon Based
         | Life Form'.. on Linkedin. It also significantly reduces the
         | amount of spam and cold calls.
        
         | rmbyrro wrote:
         | The main problem was using a machine that had access to half a
         | billion dollars to also browse the web and do stuff like
         | applying for jobs.
         | 
         | If you're gonna have access to such amount of money, it's worth
         | buying a dedicated machine and using it very, very cautiously.
        
           | PragmaticPulp wrote:
           | > The main problem was using a machine that had access to
           | half a billion dollars
           | 
           | Going up a level, the main problem was that the company had a
           | system where a _single person_ could irreversibly transfer
           | half a billion dollars away from the company.
        
             | handoflixue wrote:
             | The article actually covers that it required 5 out of 9
             | people to sign off. They got 4 via PDF attacks and 1 via
             | legacy access that was never properly terminated.
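
The threshold handoflixue describes is a check on keys, not on people: four stolen signing keys plus one legacy signer whose access was never removed is five valid signatures. The code below is an added example for this thread, not Ronin's bridge or validator code; it uses HMAC-SHA256 as a stand-in for the validators' asymmetric signatures (so the verifier here holds the same keys as the signers, which a real bridge does not), and every key, signer name and message in it is constructed.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Set, Tuple

THRESHOLD = 5  # 5 of 9, as described in the thread


def sign(key: bytes, message: bytes) -> bytes:
    """Stand-in signature (HMAC-SHA256). A real bridge verifies asymmetric
    signatures against validator public keys; the threshold logic below
    does not depend on which scheme is used."""
    return hmac.new(key, message, hashlib.sha256).digest()


def valid_signers(message: bytes,
                  signatures: Iterable[Tuple[str, bytes]],
                  authorized: Dict[str, bytes]) -> Set[str]:
    """Return the set of DISTINCT authorized signers whose signature verifies.

    A signer missing from `authorized` (unknown, or revoked) is ignored
    rather than counted, and repeated signatures from one key collapse to a
    single vote, so one stolen key cannot be replayed to reach the threshold.
    """
    found: Set[str] = set()
    for signer, sig in signatures:
        key = authorized.get(signer)
        if key is None:
            continue
        if hmac.compare_digest(sign(key, message), sig):
            found.add(signer)
    return found


def withdrawal_approved(message: bytes,
                        signatures: Iterable[Tuple[str, bytes]],
                        authorized: Dict[str, bytes],
                        threshold: int = THRESHOLD) -> bool:
    return len(valid_signers(message, signatures, authorized)) >= threshold


def scenario() -> Dict[str, bool]:
    """Constructed scenario mirroring the thread: four validator keys stolen,
    plus one legacy signer whose authorization was never removed."""
    keys = {f"validator-{i}": f"constructed-key-{i}".encode() for i in range(1, 10)}
    keys["legacy-signer"] = b"constructed-key-legacy"
    msg = b"constructed withdrawal request"
    stolen = [(f"validator-{i}", sign(keys[f"validator-{i}"], msg)) for i in range(1, 5)]
    legacy = [("legacy-signer", sign(keys["legacy-signer"], msg))]
    current = {k: v for k, v in keys.items() if k != "legacy-signer"}
    return {
        "four_stolen_keys": withdrawal_approved(msg, stolen, keys),
        "four_stolen_plus_stale_legacy": withdrawal_approved(msg, stolen + legacy, keys),
        "same_after_revocation": withdrawal_approved(msg, stolen + legacy, current),
        "one_key_replayed_five_times": withdrawal_approved(msg, stolen[:1] * 5, keys),
    }


if __name__ == "__main__":
    for name, approved in scenario().items():
        print(f"{name:<32} approved={approved}")
```

The second and third lines of that output are the whole story: the verifier is only as good as the authorized set it is handed, so revoking a signer is a change that has to reach the verifier, not just a line in a policy document.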
        
               | 8note wrote:
               | I think it's worth noting that the people did not sign
               | off, only the keys did.
               | 
               | The system does not require people to sign off, but for
               | the keys to sign off.
               | 
               | I don't think it's worth calling this a hack, the keys
                | are what owned the monies, and it's the keys that
               | decided what to do with it. People have access to keys,
               | they don't own them
        
               | tylersmith wrote:
               | The compromised employee had access to that 5th factor it
                | was just not as direct as him having a 5th private
               | key.
        
               | mousetree wrote:
               | My understanding of the article was that only 1 person
               | was compromised and that the exploit installed on their
               | computer was then used to access the validator nodes
               | themselves. FWIW, I have no idea what a validator node is
               | but I'm assuming that by compromising one employee's
               | workstation they somehow got access to multiple other
               | machines (which if true is itself a bit of a f* up).
        
               | logifail wrote:
               | > I'm assuming that by compromising one employee's
               | workstation they somehow got access to multiple other
               | machines (which if true is itself a bit of a f* up)
               | 
               | Q: If you assume the bad guys have already compromised
               | your workstation, how sure are you that they won't be
               | able to compromise other machines you connect to?
        
               | charcircuit wrote:
               | You can't which is why one person shouldn't have access
               | to more than one.
        
               | [deleted]
        
               | fsckboy wrote:
               | because the workstation was compromised by opening a
               | corrupted pdf, but that vector wouldn't compromise the
               | other machines unless users on them could be induced to
               | open the same pdf.
               | 
               | not to say it can't be done, but it was unexplained
        
               | sangnoir wrote:
               | It doesn't have to be the same pdf, it could have been an
               | attachments from compromised machine via email/slack.
               | "Hey, can you help me figure this unusual log/transaction
               | summary". How many wouldn't open such an attachment from
               | a "colleague"?
        
           | abxytg wrote:
           | Yep. Bad opsec at the org level. Either the eng was doing
           | work stuff on a personal laptop or personal stuff on a work
           | laptop. This is easily preventable and should be table stakes
           | when handling money, phi, etc
        
           | spaceman_2020 wrote:
           | When I first got into crypto, a few things were pretty much
           | drilled into my head:
           | 
           | - Not your keys, not your coins; always self-custody
           | 
           | - Never use the same machine for trading and for work/surfing
           | the web
           | 
           | - Store only funds you want to regularly trade with on a hot
           | wallet. Everything else on a cold wallet.
        
             | empraptor wrote:
             | and this is part of why i think cryptocurrencies should
             | have died before large number of people wasted their money
             | on it. for the average user without the
             | time/knowledge/patience to handle cryptos "properly", the
             | choice is between losing money while handling this shit
             | yourself or losing money while trusting someone else to do
             | it right.
        
               | spaceman_2020 wrote:
                | It's an entirely free market. Just because one person
               | doesn't understand the tech and loses his money doesn't
               | mean that everyone else shouldn't be allowed to use it
               | either.
               | 
               | Even if you don't buy into the crypto vision (I don't), a
               | digital-only currency that isn't tied to any nation-state
               | does deserve to exist.
        
               | Retric wrote:
               | It's fine for a few people to play with such a system.
                | The issue is, if it's absolutely clear crypto is incapable of
               | widespread adoption or just about anything else people
               | hype it up as, then it shouldn't be hyped as if that
               | stuff is a possibility.
               | 
               | I could never tell how much was incompetence vs fraud,
               | but either way without the hype vastly fewer suckers
               | would be holding the bag right now. The crypto ecosystem
                | has just been terrible for just about everyone and
               | things are far from over.
        
               | spaceman_2020 wrote:
               | The people holding the bag right now mostly got in
               | because of the allure of quick profits. And if they
               | didn't sell even after making incredible (paper) returns,
               | they have their own greed to blame.
               | 
               | Bitcoin was $6,000 in March 2020. It hit $63,000 in April
               | 2021. And if you didn't sell that top, it hit $67,000
               | again in November 2021.
               | 
               | Even now, it has dropped less than Netflix, a supposed
               | bluechip.
               | 
               | I don't know what's the scam in this - you had plenty of
               | entry opportunities and plenty of exit opportunities. The
               | underlying system itself still works exactly as
               | described.
        
             | 8note wrote:
             | I'd put an addendum to the first one
             | 
             | You can't own keys, so you can't own coins. You instead
             | have access to coins when you have access to keys.
        
           | abirch wrote:
           | I still can't believe that they opened the PDF on the
           | _company_ computer. I always use my home computer and the
           | poor hacker would get bored of seeing all of my Raspberry Pi
              | projects that I haven't done.
        
             | cfn wrote:
             | I suppose that sending it during business hours and, who
             | knows, maybe the final offer would be in the PDF and the
             | poor guy couldn't wait to open it. The rest is history.
        
             | kuboble wrote:
             | It might be hard to believe that the particular person in a
             | particular company did that, but given a lot of attempts,
             | dedication and lucky / unlucky circumstances eventually
             | somewhere someone will trust a malicious person and will
             | get socially engineered into opening a pdf on a working
             | computer.
        
               | godot wrote:
               | Also wonder if the PDF exploit works for only
               | local/native PDF readers (e.g. Adobe Readers) or also
               | web-based. If someone occasionally checks their personal
               | email from a work laptop, chances are they'd only use the
               | Gmail preview to open the PDF. It seems like most
               | engineers wouldn't get all the way to downloading a job
               | offer PDF to their work laptop and opening it up there.
        
             | turtlebits wrote:
             | If you're looking for work, you have to interview during
             | the day, which you're probably in office (things are very
             | different now). I know I'm guilty of having my personal
              | email signed into my work computer (albeit with a
             | separate browser). I've also done virtual interviews in the
             | office meeting/phone room.
        
               | bornfreddy wrote:
               | You've done interviews in the office of your (then)
               | current employer??? Gutsy. I wouldn't dream of using
               | employer's equipment, time or space while negotiating for
               | a new employment.
        
             | CrispinS wrote:
             | I can't believe a software developer is using an operating
             | system/pdf viewer that isn't patched for security
             | vulnerabilities as major as an RCE.
             | 
             | Unless this was a zero day, but I would have assumed the
             | article would mention that fact ..
        
             | da39a3ee wrote:
             | Huh? I've used my company laptops for my personal life for
             | the last 15 years. Why would I want to carry two laptops
             | everywhere? I travel. I barely remember what a personal
             | laptop is.
        
               | RajT88 wrote:
               | I travel with a HP Spectre x360 for personal stuff. It is
               | barely a weight or bulk addition compared to my work
               | machine.
               | 
               | When I was on the road all the time I also had separate
               | phones to ensure I never got stuck with a dead phone.
        
               | logifail wrote:
               | > I've used my company laptops for my personal life for
               | the last 15 years.
               | 
               | Counterpoint: I've been completely and utterly allergic
               | to opening anything personal from any company system for
               | longer than that.
        
               | jazzyjackson wrote:
               | lol
               | 
               | do you at least dual boot?
               | 
               | have a separate user account?
               | 
               | I guess it's fine as long as your computer doesn't have
               | the credentials to the company slush fund.
               | 
               | Friend of mine I traveled with carried 3 macbooks with
               | her: school issued, work issued, and personal. They had
               | different software licenses tied to the machine,
               | whadyagonnado?
        
               | acheron wrote:
               | I hope this is satire.
        
               | kornhole wrote:
               | I think you are joking to bait us. At least use a VM
               | running a VPN within it. It won't protect you from screen
               | captures or keyloggers your employer put on your machine,
               | but it will segregate files and network activity.
        
         | koofdoof wrote:
         | How usable is LinkedIn with a pseudonym? Is that a security
         | industry only practice or could a regular dev get away with
         | that too? I've always been shy about having a profile with my
         | actual name but I'd consider one with a thin veil of anonymity.
        
           | 8organicbits wrote:
           | Same, although my perception is that LinkedIn has moved past
           | its peak usefulness, and it would be better to spend time on
           | other platforms than creating a LI account. All I hear about
           | LinkedIn these days is spam.
        
             | bckr wrote:
             | which other platform?
        
               | 8organicbits wrote:
               | There's a lot of platforms that do sort of related
               | things, so it's a hard thing to answer. For "finding a
               | job" I've been looking at HN, remoteok, and a bunch of
               | others. For professional networking I use various tools
               | run by former coworkers (mostly Slack and Google Groups).
               | For "blogs" I use HN and Reddit. etc. I don't think
               | LinkedIn does any of those better (my perception, I'm not
               | a current user).
               | 
               | Personally, I'm probably not interested in a LI clone for
               | many of the reasons I stopped using LI. I deleted my LI
               | account maybe 8 years ago, after getting too much spam
               | (and I think some security issue?)
        
             | mistrial9 wrote:
             | LinkedIn sceptic here -- I would assume that in 2022, the
             | closer you are to real, legal Microsoft-ecosystem roles,
             | the more useful it is.. meanwhile, the independent people
             | in tech get splashed with mud. No comment in this
             | discussion has indicated to me that LinkedIn is not useful
             | for certain swathes of established professions, even now.
        
           | chatmasta wrote:
           | As an engineer I never found LinkedIn useful. But during
           | college I made sure to connect with everybody, even if I
           | barely knew them. The only jobs I've had I got through other
           | means, in some cases even "connections," in the traditional
           | sense of the word, which incidentally exist on the LinkedIn
           | graph, but that's just a mirror of real life and it's not
           | like the coordination occurs over LinkedIn messages anyway.
           | 
           | As a startup founder, it's effective in some contexts, like
           | as a contact point or promotional tool. We never felt the
           | need to use it for recruiting. At least in the software
           | industry, GitHub is a much more effective marketplace of
           | talent. But LinkedIn can have some benefits for a startup
           | outside of recruiting. Posting content about your product is
           | a good way to stay in front of investors you've connected
           | with who doomscroll their LinkedIn feed like a dev does HN.
           | :) (it's also something I need to automate because I block
           | LinkedIn on /etc/hosts for productivity purposes..)
           | 
           | I'm not sure I've ever _sourced_ an opportunity from
           | LinkedIn. I also never accept connections without at least
           | one prior interaction. For me it's a tool for following up
           | and keeping in touch, not introductions. It might also be
           | useful in some rare sales contexts, for some specific
           | archetype of audience especially susceptible to the
           | psychological tactics commonly deployed to the LinkedIn
           | newsfeed. Developers are definitely not that audience (well,
           | not on LinkedIn at least...)
        
           | charlie0 wrote:
           | I really wish I could just dump LI and delete my account;
           | it's just spam and another service for those who love to self
           | promote themselves. I won't do it because I'm not sure how it
           | will impact my ability to get a job.
           | 
           | How many of you have gotten jobs with no LI account? YEO?
        
       | CodesInChaos wrote:
       | Did this use a code-execution vulnerability in the PDF reader? or
       | did they just trick the user into opening an executable?
        
         | nemothekid wrote:
         | I'm assuming it was an exploit in Adobe reader. The target
         | could have even been persuaded to install Adobe reader to
         | "e-sign" the document. PDFs don't have the best track record
         | when it comes to security.
        
           | silentsea90 wrote:
           | Why do pdfs even allow executing code outside of the pdf env
           | ie why isn't there a sandbox/apis that allow very limited
           | operation?
        
             | nemothekid wrote:
             | >Why do pdfs even allow executing code outside of the pdf
             | env
             | 
             | Some PM in 2006 thought it would be a good idea if PDFs
             | were Turing complete. I'm sure the word sandbox wasn't even
             | thought about. 10 years later PDF (and more notably, Flash)
             | became huge attack vectors.
             | 
             | I think a far more interesting hack is when NSO used a PDF
             | to embed a virtual machine inside an iPhone to develop a
             | zero click exploit over iMessage:
             | 
             | https://hothardware.com/news/zero-click-malware-pwns-
             | iphone-...
        
       | darepublic wrote:
       | During the beginning of the pandemic I got a job via a fully
       | remote process. I felt it was sketchy in some respects and I
       | became increasingly fearful that it was some kind of phishing
       | scheme. Luckily it turned out to be legit. Job applications are
       | such an open door for this kind of thing. They collect so much
       | info from candidates, easily enough to commit identity theft.
       | Also god forbid the company or recruiters get hacked and the
       | data leaks anyway.
        
       | londons_explore wrote:
       | Chrome/Edge PDF viewers are pretty secure. You can reasonably
       | safely open anything in them.
       | 
       | Desktop PDF viewers like acrobat are gaping security holes...
       | Don't use them!
        
         | ahmadmijot wrote:
         | Is Adobe Acrobat really that bad? We use Acrobat Pro because
         | it's easy to modify pdf files with it. Other software can't do
         | that much. Is there another pdf 'editor' that you can recommend?
        
           | londons_explore wrote:
           | Acrobat in a virtual machine that you don't connect to the
           | network?
           | 
           | Most malware these days can't function without internet
           | connectivity. The exploits typically connect to a server to
           | get the rest of their code because they don't want any pesky
           | researchers getting their hands on stuff.
        
         | TedDoesntTalk wrote:
         | I use PDF Expert on MacOS for its editing and markup abilities;
         | built-in browser viewers aren't good for that. What should I
         | do?
        
           | CamelRocketFish wrote:
           | Don't work for a crypto company.
        
       | iamwil wrote:
       | In this case, there's no need to make it on a blockchain if a
       | company controls the majority of validators.
        
       | UberFly wrote:
       | I read the first paragraph, the overlay banner popped up and
       | blocked everything. I don't care what the article says after
       | that.
        
       | elif wrote:
       | Is this the moment we need for LaTeX to become standard? pdf is
       | clearly to blame here imo. This guy isn't the only one to trust
       | it.
       | 
       | It seems like the entire legal profession, for instance, should
       | be crippled by this vulnerability disclosure, if true.
        
         | shp0ngle wrote:
         | hahaha
        
       | Barrera wrote:
       | > Validators fulfill various functions in blockchains, including
       | the creation of transaction blocks and the updating of data
       | oracles. Ronin uses a so-called "proof of authority" system for
       | signing transactions, concentrating power in the hands of nine
       | trusted actors.
       | 
       | This paragraph perfectly encapsulates everything wrong with the
       | way promoters sell Ethereum. Smart contracts can do little of
       | interest beyond straight monetary transactions without
       | information about the outside world. That information comes from
       | "oracles", or what the article calls "validators".
       | 
       | The security guarantees of this system are far, far weaker than
       | the Ethereum consensus protocol, as the article demonstrates. And
       | yet, the system is hyped to the n-th degree by shysters who
       | ignore this basic fact with ludicrous claims about security and
       | stability.
       | 
       | Zooming out, basically Ethereum is hyped as a platform for "smart
       | contracts." But the minute a smart contract does anything beyond
       | basic money transfers, it needs an oracle. And with the oracle
       | comes radically reduced security.
       | 
       | Eventually, this will be obvious. For now, shenanigans like this
       | will continue.
        
         | whatisweb3 wrote:
         | Oracles that connect to off-chain data are usually understood
         | as points of centralization, I don't think Ethereum or its
         | developers are selling otherwise.
         | 
         | Most Ethereum developers are advising against relying on
         | bridges across security zones that would be upheld by multisigs
         | and oracles, they are vulnerable to attacks. A better model
         | than a bridge to sidechain would be a rollup - posting proofs
         | on chain without giving the sequencer the ability to steal or
         | control user funds.
        
       | [deleted]
        
       | jedberg wrote:
       | For those that don't want to read the whole thing, (supposedly)
       | the attackers reached out on linkedin to a bunch of employees
       | asking them to apply to a fake company. One of them did it, went
       | through a bunch of fake interviews, and then got a fake offer, in
       | the form of a PDF.
       | 
       | They opened the PDF and that installed a keylogger on their
       | system (it doesn't explain how).
       | 
       | The attackers then used that engineer's credentials to take over
       | 4 of the 9 validators on the blockchain which they then used for
       | their heist.
        
         | leoqa wrote:
         | It's honestly impressive. I work in security in fintech and it
         | can be frustrating to have our work deprioritized against
         | product features. These examples help underscore why having
         | robust security controls is existential.
        
         | CobrastanJorji wrote:
         | I'm trying to imagine a setup at any company whose primary
         | business is controlling extremely valuable digital assets
         | having a security setup that could be entirely undone with
         | keyloggers, and it's difficult. No necessary VPNs, keys on
         | devices, or other non-password authentication? One engineer's
         | password should not be the keys to the kingdom.
         | 
         | Sounds like a bad RPG plot. "Because of its danger, we broke
         | the Obsidian Key into 9 pieces and divided them across the
         | realm, each protected by a powerful, mystic dungeon. Also, Dave
         | can access them any time he says the secret word."
        
           | SV_BubbleTime wrote:
           | Agreed. The article doesn't mention keylogger at all. I was
           | definitely picturing a remote control exploit.
        
             | jedberg wrote:
             | They must have updated it. When I read it it specifically
             | said keylogger.
        
           | phphphphp wrote:
           | I'm of the view that the completely illogical nature of their
           | entire business and the absence of any meaningful security
           | are deeply interwoven.
           | 
           | Rather than think of their primary business as securing
           | digital assets, think of their primary business as convincing
           | people that a perpetual money machine in the shape of a video
           | game is possible. The valuable digital assets are just a
           | narrative tool -- and so it follows that they wouldn't have
           | the expertise in securing digital assets.
           | 
           | Nobody capable of building a secure system for digital assets
           | would waste their time working for a company like Axie, after
           | all, the entire premise of their business is flawed so people
           | with the critical thinking skills necessary to build a secure
           | system would apply that critical thinking to the viability of
           | the company -- and, of course, conclude it's destined for
           | failure and not hitch their wagon to it.
        
             | tornato7 wrote:
             | Axie Infinity exploded in popularity overnight. They likely
             | built their infrastructure when they were securing $1M in
             | digital assets and then suddenly found themselves
             | controlling half a billion before they could upgrade their
             | security.
             | 
             | That doesn't excuse their poor security practices. They
             | shouldn't have built their asset custody system in-house if
             | they didn't have the expertise. They could have used
             | Fireblocks or a Gnosis Safe Multisig with hardware wallets
             | and they would be safe.
        
             | dataangel wrote:
             | I understand your argument but this kind of reasoning
             | consistently fails to be predictive. If things worked as
             | you describe, there would be way more consensus amongst
             | skilled engineers on political topics. In practice people
             | are very skilled at selectively turning off their brain,
             | especially when they stand to benefit.
             | 
             | "It's difficult to get a man to understand something when
             | his salary depends on not understanding it." -Upton
             | Sinclair
        
               | phphphphp wrote:
               | I completely agree in principle but the nuance here is
               | that I'm leaning on the belief that people joining Axie
               | do not "...stand to benefit..." because the long term
               | prospects of Axie Infinity are not good (and have never
               | been good) and so anybody analysing the benefit of
               | joining them -- who has a broad range of opportunities
               | available to them -- would immediately see how little
               | they stand to benefit from getting involved with Axie
               | Infinity.
               | 
               | I'm under no illusions about the intelligence of software
               | engineers (of any specialism) -- we are all idiots at
               | least some of the time -- but I struggle to believe that
               | a competent engineer with lots of opportunities would
               | somehow believe that Axie Infinity is the best
               | opportunity available to them, hence, their system is
               | built by people who don't have other opportunities and
               | have produced an insecure house of cards (more insecure
               | than the average system anyway -- all systems are
               | insecure in some capacity).
        
       | eigenvalue wrote:
       | Seems like there would be market demand for a super locked down
       | PDF viewer that basically ignores all the silly
       | extensions/additions that Adobe has added to the format over the
       | decades. The vast majority of documents don't need Turing
       | complete code capabilities or embedded videos or interactive 3D
       | models. Something that safely (using sandboxing and other
       | methods) turns the document into totally static pixel data that
       | still feels nice to read would mitigate this extremely common
       | attack vector.
        
         | tornato7 wrote:
         | This pretty much already exists, it's called Cloudflare Browser
         | Isolation. They basically render your browser on a remote
         | server and pipe you the visual data.
        
         | SV_BubbleTime wrote:
         | Foxit has out of the box GPO controls that are quite easy to
         | use. It's probably got a lot of tweaking to really lock it
         | down, but I think you could get pretty far before having to
         | stop for lunch.
        
         | stefan_ wrote:
         | I realized some time ago, not wanting to install drivers, that
         | a lot of office printers now have some janky web interface that
         | also allows uploading PDFs to submit as print jobs. This will
         | turn a malicious PDF into perfectly safe paper!
         | 
         | Now whatever cursed embedded software on the printer reads the
         | PDF is probably a lot easier to exploit than an updated PDF
         | viewer, but that's not what these people are going for.
        
       | schemescape wrote:
       | What's the best practice, security-wise, for viewing PDFs?
        
         | AustinDev wrote:
         | I have a script that watches my download folder and runs them
         | through Ghostscript, which is designed to reduce the file size
         | of PDFs but also strips out any linked media or embedded
         | code, from my testing. It does a bunch of other stuff too but
         | the pdf auto-converter was pretty simple.
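The download-folder triage described in the comment above, as an added example (not the commenter's script, and not anything from Sky Mavis or Ronin). It does two things a defender would want: a byte-level scan of a PDF for the name objects that introduce scripts, auto-run actions and attachments (the approach popularised by Didier Stevens' pdfid), with `#xx` name escapes resolved so `/J#61vaScript` is not missed; and a wrapper around Ghostscript's `pdfwrite` device for the re-rendering step, whose output is rescanned rather than trusted. The two sample PDFs are constructed here (no real malware; the "script" is the literal `1`), and the `gs` flags assume a stock Ghostscript install.

```python
"""Triage downloaded PDFs for active content before anyone opens them."""
import re
import shutil
import subprocess
from collections import Counter
from pathlib import Path
from typing import Optional

# Name objects that introduce active or external content. Any of these inside
# a "job offer" is a reason to quarantine the file rather than open it.
ACTIVE_CONTENT_NAMES = frozenset({
    "/JavaScript", "/JS",   # document-, page- or form-field-level scripts
    "/OpenAction", "/AA",   # actions that fire automatically (open, page change, focus)
    "/Launch",              # action that starts an external program
    "/EmbeddedFile",        # attachment carried inside the PDF
    "/RichMedia",           # embedded media players
    "/XFA",                 # XML forms, historically a rich source of reader bugs
})

_NAME_RE = re.compile(rb"/[^\s/<>\[\]()%]+")       # one PDF name token, e.g. /J#61vaScript
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")  # #xx escape inside a name


def normalize_name(token: bytes) -> str:
    """Resolve #xx escapes so '/J#61vaScript' compares equal to '/JavaScript'.
    A grep for the literal string misses this trivial obfuscation."""
    raw = _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), token)
    return raw.decode("latin-1")


def scan_pdf_bytes(data: bytes) -> dict:
    """Count active-content indicators and return a verdict. PDF 1.5 object
    streams (/ObjStm) compress whole dictionaries, hiding their names from a
    byte scan, so such a file is 'inspect', never 'clean'."""
    counts: Counter = Counter()
    for match in _NAME_RE.finditer(data):
        name = normalize_name(match.group(0))
        if name in ACTIVE_CONTENT_NAMES:
            counts[name] += 1
    uses_objstm = b"/ObjStm" in data
    verdict = "quarantine" if counts else ("inspect" if uses_objstm else "clean")
    return {"indicators": dict(counts), "uses_object_streams": uses_objstm, "verdict": verdict}


def scan_pdf_file(path: Path) -> dict:
    return scan_pdf_bytes(path.read_bytes())


def flatten_with_ghostscript(src: Path, dst: Path) -> Optional[Path]:
    """Re-render src into dst with Ghostscript's pdfwrite device (the step the
    comment describes). Returns None when gs is not installed. Treat the result
    as a mitigation and rescan dst afterwards."""
    gs = shutil.which("gs")
    if gs is None:
        return None
    subprocess.run([gs, "-dSAFER", "-dBATCH", "-dNOPAUSE", "-sDEVICE=pdfwrite",
                    "-dPDFSETTINGS=/ebook", f"-sOutputFile={dst}", str(src)],
                   check=True, capture_output=True)
    return dst


# Constructed samples (not real malware): a minimal PDF whose catalog has an
# OpenAction pointing at a JavaScript action with a hex-escaped type name,
# and the same document with the action removed.
SAMPLE_HOSTILE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (1) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
SAMPLE_CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for label, blob in (("offer.pdf", SAMPLE_HOSTILE_PDF), ("clean.pdf", SAMPLE_CLEAN_PDF)):
            p = Path(tmp, label)
            p.write_bytes(blob)
            print(label, scan_pdf_file(p))
            flat = flatten_with_ghostscript(p, Path(tmp, "flat-" + label))
            if flat is not None:
                print("  after ghostscript:", scan_pdf_file(flat))
```

To use it as a folder watcher, call `scan_pdf_file` on each new `*.pdf` (inotify, fswatch, or a polling loop) and move anything that is not `clean` out of the download folder; the scan is a triage heuristic, so the "inspect" verdict exists precisely because a clean byte scan of a file with object streams proves nothing.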
        
       | pcthrowaway wrote:
       | Curious if anyone has been able to find technical details of how
       | this attack works/worked. I'm under the impression most PDF
       | viewers would prevent this sort of attack (e.g. opening a PDF in
       | your browser should sandbox it to the browsing context), but
       | really keen to know what PDF viewer / OS was used by the dev.
        
         | layer8 wrote:
         | On Windows, Acrobat Reader has Protected Mode (sandbox) and
         | Protected View (most features disabled) features [0], but
         | people tend to disable it, in particular the Protected View, or
         | don't enable it for all locations. Or maybe the vulnerability
         | wasn't on Windows, or was in something like font rendering, or
         | they used a different reader without sandboxing.
         | 
         | [0] https://helpx.adobe.com/reader/using/protected-mode-
         | windows....
        
           | butterNaN wrote:
           | Why is Protected mode not the default?
        
         | wespiser_2018 wrote:
         | Here's a demonstration of some example attacks using pdf:
         | executing arbitrary js, and connecting to a samba server:
         | https://www.sentinelone.com/blog/malicious-pdfs-revealing-te...
         | 
         | I'm not sure about this attack specifically, though, and in
         | Ronin's post mortem they aren't really talking about that:
         | https://roninblockchain.substack.com/p/back-to-building-
         | roni....
         | 
         | To some extent, the PDF viewer/OS doesn't matter. A dedicated
         | and well resourced attacker like the Lazarus Group will find
         | holes in all of them. The "right" move here would have been for
         | the employee not to download the compromised pdf, and short of
         | that, for the IT Security team at Ronin to quickly detect the
         | weird traffic that resulted and isolate the validators to
         | prevent a compromise of their critical assets.
        
           | Volundr wrote:
           | The right move here would have been to have separate
           | work/personal computers so that this PDF never landed on a
           | system with access to the Ronin network.
           | 
           | I know I'm pushing a boulder uphill with that one but it
           | really is the way to go, better for both the individual and
           | the company.
        
             | gowld wrote:
        
             | llaolleh wrote:
             | I'm in this camp. All employees should be sent a laptop, or
             | work with a remote environment that is isolated from your
             | personal computer.
        
             | rchaud wrote:
             | what would stop a developer from checking personal email on
             | a work machine?
        
               | Volundr wrote:
               | Themselves. I'm saying developers (and employees in
               | general) should not do any personal stuff on work
               | machines or any work stuff on personal machines.
               | 
               | This has benefits for the employee, not just the company,
               | in that it keeps the employees personal data out of the
               | hands of the IT department.
        
               | pcthrowaway wrote:
               | It makes it a bit harder to travel with two laptops,
               | which is one of the nice advantages of working from
               | home.. but I'm otherwise in support of this.
               | 
               | This might just result in employees finding ways to
               | remote access their work computer from their personal
               | computer from wherever they are, but at least that's an
               | additional wall for would-be attackers to hurdle.
        
               | macintux wrote:
               | Exactly. I was on a meeting a couple of years ago and the
               | co-worker who was presenting his desktop received a
               | personal iMessage that flashed for everyone to see.
        
               | ptudan wrote:
               | yeah but that's solved by disabling notifications before
               | presenting.
        
               | ptudan wrote:
               | Nahhhhh, I gotta browse the internet to be effective.
               | That requires me logging into random sites with personal
               | logins.
               | 
               | I don't install anything personal on my work computer,
               | but I wouldn't hesitate to open an email or pdf from a
               | seemingly trusted source. I don't really blame the dev
               | here.
               | 
               | What you propose is a reasonable solution, but I feel
               | like it slams in the face of actual human behavior. Most
               | people act the way I describe, even most tech
               | professionals.
        
               | pcthrowaway wrote:
               | Or more to the point, what would stop someone from
               | sending malicious documents to the employees' work
               | emails?
               | 
               | Figure out a company uses <some-saas>, register a phishing
               | domain (e.g. gith.ub), send them an email with important
               | info about their account, and a PDF attachment with more
               | details.
               | 
               | If it's that easy to compromise a system all you have to
               | do is get a few employees to open the PDF right?
        
               | Volundr wrote:
               | And this is exactly why your IT department sends out
               | those simulated phishing emails everyone likes to
               | complain about.
        
             | elif wrote:
             | So then the attackers can only get my bank password?
             | 
             | I think the clear move here should be to avoid pdf, just
             | like the move is to avoid doc
        
           | the_gipsy wrote:
           | I know that document-rendering is much more complex than what
           | it appears on the surface, but surely in this day and age
           | there should be document viewers that don't run scripts and
           | are exploit free.
        
             | gowld wrote:
        
           | cmeacham98 wrote:
           | > To some extent, the PDF viewer/OS doesn't matter. A
           | dedicated and well resourced attacker like the Lazarus Group
           | will find holes in all of them.
           | 
           | I dispute this: the web browser is one of the most defended
           | pieces of software of all time, especially relative to its
           | complexity. I would find it much safer to open a potentially
           | malicious PDF in my browser's JS-based reader than using a
           | desktop reader.
           | 
           | > The "right" move here would have been for the employee not
           | to download the compromised pdf, and short of that, for the
           | IT Security team at Ronin to quickly detect the weird traffic
           | that resulted and isolate the validators to prevent a
           | compromise of their critical assets.
           | 
           | It also probably would have been helpful if one employee
           | didn't have access to almost half of the validators,
           | especially on a system they're accessing email with.
        
         | lordnacho wrote:
         | Does it even need to be terribly complicated? Congrats on your
         | new job, here's a script for you to generate a new ssh key with
         | us, just copy/paste it in your terminal and that will sort it
         | out.
        
           | pcthrowaway wrote:
           | Yet according to the article, the malware was introduced by
           | the "candidate" opening a PDF; I'd expect most senior
           | developers to know better than to run a random script from a
           | company they don't have an ongoing relationship with without
           | looking at the source first, especially if they have
           | sensitive credentials on the computer they're using.
           | 
           | But you never know.
        
         | jaywalk wrote:
         | Probably Acrobat.
        
         | kyle-rb wrote:
         | Likely this was a standalone PDF reader hack (rather than a
         | browser), since those can have many more features and a much
         | larger attack surface.
         | 
         | It says it was an offer letter, so my guess is that opening it
         | in the browser came up with an error like "to be able to
         | digitally sign this offer letter, please open it in a desktop
         | PDF reader with full scripting support enabled :)"
        
           | pcthrowaway wrote:
           | I guess we all need to be opening anything remotely phishy in
           | VMs to avoid similar issues
        
       | londons_explore wrote:
       | The other major cause of the failure was that one dev had access
       | to 5 signing keys. That shouldn't have happened, because then
       | that one dev could have run off with $540 Million...
       | 
       | And remember, it wasn't just that one dev - it was everything
       | running on his computer - think of the probably tens of thousands
       | of developers who wrote the code that runs as root on his PC,
       | much of it unreviewed.
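The custody problem this comment and the thread above it describe (one engineer's credentials reaching enough validator keys to sign alone), as an added example that is not code from the thread or from Ronin. Key custody is modelled as principal -> set of keys, where a principal is whatever one stolen credential unlocks (an account, a laptop), and the attacker's cheapest path to the signing threshold is found by exhaustive search. The 5-of-9 threshold and both inventories are constructed assumptions; the page only says nine validators, four taken over, and five keys reachable by one dev.

```python
"""How many accounts must an attacker take over before a signing quorum falls?"""
from itertools import combinations
from typing import Optional

Custody = dict[str, set[str]]   # principal -> keys that principal can use


def min_principals_to_reach(threshold: int, custody: Custody) -> Optional[tuple[str, ...]]:
    """Smallest group of principals whose combined keys meet the threshold,
    or None if even everyone together cannot sign. Exhaustive search is fine
    for the dozen or so holders a validator set realistically has."""
    principals = sorted(custody)
    for size in range(1, len(principals) + 1):
        for combo in combinations(principals, size):
            reachable = set().union(*(custody[p] for p in combo))
            if len(reachable) >= threshold:
                return combo
    return None


def assess(threshold: int, custody: Custody) -> dict:
    """Least-privilege review of a key inventory."""
    cheapest = min_principals_to_reach(threshold, custody)
    return {
        "cheapest_path": cheapest,
        # Principals an attacker may fully compromise while still falling short.
        "tolerated_compromises": len(custody) if cheapest is None else len(cheapest) - 1,
        # Anyone who can meet the threshold single-handed is a single point of failure.
        "over_threshold_holders": sorted(p for p, keys in custody.items() if len(keys) >= threshold),
    }


THRESHOLD = 5   # assumption: 5 of 9 signatures needed

# Constructed inventory shaped like the thread: one engineer whose credentials
# reach five of the nine validator keys.
CONCENTRATED: Custody = {
    "engineer-A": {f"validator-{i}" for i in range(1, 6)},
    "engineer-B": {"validator-6", "validator-7"},
    "partner-dao": {"validator-8", "validator-9"},
}

# Same nine keys, one holder each: reaching the quorum now takes five
# independent compromises instead of one phished laptop.
DISTRIBUTED: Custody = {f"holder-{i}": {f"validator-{i}"} for i in range(1, 10)}

if __name__ == "__main__":
    for label, inventory in (("concentrated", CONCENTRATED), ("distributed", DISTRIBUTED)):
        print(label, assess(THRESHOLD, inventory))
```

Run against a real inventory, the useful number is `tolerated_compromises`: it should be at least 1 (no single phished account or workstation can sign), and `over_threshold_holders` should be empty, which is the property hardware-backed keys held by separate people give you and a shared operator credential does not.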
        
         | hourago wrote:
         | > In a post-mortem blog post on the hack, published April 27,
         | Sky Mavis said: "Employees are under constant advanced spear-
         | phishing attacks on various social channels and one employee
         | was compromised. This employee no longer works at Sky Mavis.
         | The attacker managed to leverage that access to penetrate Sky
         | Mavis IT infrastructure and gain access to the validator
         | nodes."
         | 
         | The company fully blames the employee. I wish software
         | companies had the same level of professionalism as airlines.
         | "It's the pilot's fault" does not help to improve security.
         | Nothing is learned.
        
           | giaour wrote:
           | My takeaway was that Sky Mavis's ops culture is a dumpster
           | fire, something that might be generalizable to a good chunk
           | of the Web3 sector. The tech companies where I have worked (a
           | couple BigTech cos, some smaller orgs, and civil service)
           | have all taken the blameless postmortem approach very
           | seriously.
        
           | Sebguer wrote:
           | Airlines would behave the same way if there wasn't an
           | aggressive government regulatory body forcing them to learn
           | from failures.
        
             | WorldMaker wrote:
             | Government regulatory body _and_ a pilot's union.
        
               | ChadNauseam wrote:
               | Do countries without a pilot's union have more unsafe air
               | travel?
        
           | xmprt wrote:
           | I don't think you can generalize Web3 companies to all
           | software companies. Web3 companies have shown time and time
           | again that they don't care much about security or good
           | software development practices. I'm not sure if it's because
           | the industry is so nascent or because the people joining are
           | simply incompetent or because they don't care (or a
           | combination of all three) but it's clear that Web3 companies
           | have major incidents at higher rates than most other software
           | companies.
        
             | ChadNauseam wrote:
             | > clear that Web3 companies have major incidents at higher
             | rates than most other software companies
             | 
             | I won't argue this, but I think that it depends on where
             | you look. Cryptography audit services are booked out for
             | months or years because of the demand from cryptocurrency
             | projects. There's never been a vulnerability in the Bitcoin
             | or Ethereum networks that allowed an attacker to steal
             | funds or execute a double-spend. And cryptocurrency
             | projects have pioneered whole fields of cryptography like
             | zksnarks for security purposes.
             | 
             | Cryptocurrency projects often have a fundamentally very
             | difficult problem to solve, and attackers are also very
             | sophisticated. There are currently very few people with the
             | expertise needed to implement a complex cryptocurrency
             | project securely.
             | 
             | Disclaimer: I'm a protocol developer for a cryptocurrency
             | project (not one of the ones mentioned here)
        
           | system2 wrote:
           | It is called dodging.
        
       | nipponese wrote:
       | No one is going to pick up the low hanging fruit and criticize
       | _nine nodes_ as not being decentralized?
        
       | marshray wrote:
       | "multiple rounds of fake job interviews" ... "The con culminated
       | in one senior engineer clicking a PDF supposedly containing the
       | official offer"
       | 
       | Wow! These folks were _really_ on the ball if it took that much
       | social engineering just to get an employee to open a PDF.
        
       ___________________________________________________________________
       (page generated 2022-07-06 23:00 UTC)