[HN Gopher] A fake job offer took down Axie Infinity
___________________________________________________________________
A fake job offer took down Axie Infinity
Author : danso
Score  : 355 points
Date   : 2022-07-06 14:43 UTC (8 hours ago)
web link (www.theblock.co)
| trhway wrote:
| One can wonder how much info for the hack was collected during the interviews. "Tell me about the security protection you architected for your validators".
| Apocryphon wrote:
| I've got to say, this is an incredibly cyberpunk article.
|
| > Ronin, the Ethereum-linked sidechain that underpins play-to-earn game Axie Infinity, lost $540 million in crypto to an exploit in March. While the US government later tied the incident to North Korean hacking group Lazarus, full details of how the exploit was carried out have not been disclosed.
|
| It's not in William Gibson's style, sounds more like Bruce Sterling's.
|
| > Axie Infinity was huge. At its peak, workers in Southeast Asia were even able to earn a living through the play-to-earn game. It boasted 2.7 million daily active users and $214 million in weekly trading volume for its in-game NFTs in November last year -- although both numbers have since plummeted.
|
| > Earlier this year, staff at Axie Infinity developer Sky Mavis were approached by people purporting to represent the fake company and encouraged to apply for jobs, according to the people familiar with the matter. One source added that the approaches were made through the professional networking site LinkedIn.
|
| Also gives me Charles Stross vibes.
| pjbeam wrote:
| Cyberpunk is now, just sans the 80s fashion inspirations :)
| munificent wrote:
| _> sans the 80s fashion inspirations :)_
|
| You definitely haven't been paying attention to Gen-Z people then. The 80s are back.
| pjbeam wrote:
| That's a fair assessment of my attention
| hindsightbias wrote:
| "The future is already here.
| It's just not evenly distributed yet" - maybe W. G.
| silentsea90 wrote:
| Who knows, hackers might be using their $ on fashion but alas the profession makes it hard to flaunt.
| outworlder wrote:
| Where are my mantis blades?
| jerf wrote:
| The people in this review seem to think they're alright, but they look very silly to me: https://www.youtube.com/watch?v=tB4DDM8VHVg YMMV. But hey, maybe you can ask them for their design.
| nkrisc wrote:
| > but they look very silly to me
|
| And pretty impractical as well. They look really poorly designed in terms of maximizing leverage. It also looks like they lose a lot of energy in the flexing of the entire mechanism and their arm, compared to a blade held directly in the hand.
| tadfisher wrote:
| More like Cryptonomicon without the Nazi gold backing.
| ineedasername wrote:
| How is Proof of Authority, mentioned in the article, any different than normal social trust and reputational risk associated with that? This seems like a cute way of wrapping up the status quo in crypto lingo.
| dboreham wrote:
| All it means is that the system organizers decided to make a certain set of keys able to vote on transaction validity. Similar for example to how browser vendors decide to make a certain set of keys valid for issuing certs.
| [deleted]
| cemregr wrote:
| Is it just me or does the (x) button on the banner ad on this site not work, and open the ad instead of dismissing it?
| esseti wrote:
| Did he get the job? Because I guess he was fired from the previous one.
| zanethomas wrote:
| ThePowerOfFuet wrote:
| Quarrelsome wrote:
| Kinda disgusting he got fired for this if that was the case. It's a very sophisticated attack and I think its conversion rate would be rather high.
| kube-system wrote:
| The article says they are no longer employed. It is possible that this exploit was only possible because of breaking other security policies.
|
| At least, I hope that any reasonable organization doesn't secure $600+ million dollars by relying on the endpoint security of a device used to access LinkedIn
| uhhyeahdude wrote:
| > reasonable organization
| tedunangst wrote:
| Opening a legit job offer PDF on your work computer could be considered a fireable offense. You should not be using company resources to find your next job.
| cbsks wrote:
| It's also possible that he quit instead. If I interviewed for a new job, accepted an offer, and then everything blew up in my face... I'd probably not want to stick around.
| rideontime wrote:
| Yeah, I wouldn't want to work for a company that designed a system that allowed this sort of thing to happen either.
| labrador wrote:
| Can someone explain to me how a PDF can execute code?
| WorldMaker wrote:
| PostScript, the "graphics language" that PDF was built around, is a Turing Complete language.
| marshray wrote:
| Yes, but PDF doesn't embed the PostScript language (which is basically Forth). Acrobat Reader's Turing completeness comes from weird machines.
|
| https://en.wikipedia.org/wiki/Weird_machine
| Hamuko wrote:
| https://opensource.adobe.com/dc-acrobat-sdk-docs/standards/p...
|
| Page 414 and forwards. And if you're generally interested in PDF feature bloat, go to page 511 to find out how to embed 3D art, including the manipulation of the virtual camera, in your PDF document.
| labrador wrote:
| > _12.6.3 An annotation, page object or... that can trigger the execution of an action_ Page 415
|
| What could go wrong?
| pjc50 wrote:
| Exploits in the PDF viewer.
|
| The Adobe tools in particular have been a bountiful source of exploits for decades, but it's a complicated spec and there are plenty of opportunities for bugs.
| labrador wrote:
| I see, much like Unicode exploits. I use Chrome to view PDFs which I assume to be safe.
| ylyn wrote:
| Chrome's PDF viewer seems to be implemented in native code.
| But it probably benefits from the sandboxing that Chrome does.
|
| I would say Firefox is the safest here, because its built-in PDF viewer is written in JS, although Firefox's sandboxing is not as strong as Chrome's.
| tialaramex wrote:
| Program and data aren't really different, philosophically. On some level this even applies to people. When someone teaches you French, is that program or data? Is it just data? Why can you now understand French then? Or if it's program, how does that work, who taught the teacher how to program you?
|
| So, our best effort is to constrain what certain data can do when we process it, in the hope that this prevents surprising negative consequences like a PDF that steals privileged information and sends it elsewhere.
|
| Notice that, in some sense, a PDF which just contains a photograph of your wife tied to a chair and holding today's newspaper, plus human readable text like, "We have your wife Sarah and all three kids Beth, Jim and Amanda. We are watching. Do not try to call for help. Email the privileged information to crooks@example.com or we will kill your family" is also potentially effective at doing this, but we would not usually consider that an exploit in this context.
|
| One irritation in this space is that programmers love General Purpose Programming Languages. The idea of the general purpose language is that it can do anything. But the problem in this sort of situation is that we don't _want_ programs which can do anything, in fact doing anything is our worst case scenario. We actually want Special Purpose Programming Languages. We want to write our PDF data processing software in a language that _even if we were trying_ can't do the things that should never happen as a result of processing a PDF.
|
| This is the purpose of languages like WUFFS: https://github.com/google/wuffs
|
| You can't write a WUFFS program to, for example, email anything to crooks@example.com even if you desperately needed to, which means you definitely won't _accidentally_ write a program which can email the privileged information to the crooks when fed a PDF. Of course the PDF mentioned earlier with the kidnap note inside it could still work. And also of course making a PDF renderer out of WUFFS would be a really big ask. WUFFS-the-library today can render PNG, GIF, BMP but notably not yet JPEG. But it's clearly _possible_ for something like PDF rendering to happen under these constraints. Nobody ordinarily _viewing_ a PDF wants it to do arbitrary stuff.
| labrador wrote:
| Good idea, but WUFFS is written in C
| tialaramex wrote:
| Well, WUFFS the library is C code, but that's because in practice the language implementation is a Go program which emits C rather than machine code. There's no reason you can't compile WUFFS the language into, say, Rust, or PowerPC assembler, or a long series of letters to Princess Celestia [the FiM++ programming language], except that nobody did all that hard work.
| labrador wrote:
| It's amazing what people come up with when they have time on their hands for leisure activities. That's why I look forward to robots doing all the work while humans subsist on universal basic income.
|
| FiM++ - Esolang
|
| https://esolangs.org/wiki/FiM%2B%2B
| ourmandave wrote:
| _The rate of DeFi hacks has accelerated rapidly this year, topping $2 billion in total funds lost, according to The Block Research data._
|
| Sheesh, you could finance a war with $2B.
| headsoup wrote:
| I'm still not entirely convinced this wasn't an inside job (or entirely made up) and they just put a nice pot of money away somewhere. Wouldn't be without precedent in the wonderful world of crypto...
| kube-system wrote:
| You don't just take some dude's word for it when dealing with a $600+ million dollar heist. There were multiple third party investigators involved in the aftermath.
| dboreham wrote:
| Perhaps they're not taking his word, but waiting for him to move the funds?
| kube-system wrote:
| They already know where the money went:
|
| https://home.treasury.gov/policy-issues/financial-sanctions/...
|
| And it has already been moved:
|
| https://www.blockchain.com/eth/address/0x098B716B8Aaf2151299...
| lern_too_spel wrote:
| From the group that brought you The Interview hack, here is an interview hack.
| jandrese wrote:
| This doesn't mean it wasn't an inside job. Dude could have a nice payday for "oops I got PDF hacked", plus giving away enough information about their internal organization to make the attack feasible.
| kube-system wrote:
| The organizations that were called in to investigate this are very well aware of the likelihood of insider-threat attacks. It is basically financial fraud 101. They haven't released any information beyond what was detailed here, but you can be certain that it was thoroughly covered.
| tehlike wrote:
| Given it's crypto, there might be a game in a game. You never know.
| tartoran wrote:
| Or the dev could be simply set up to take the blame. Everything's possible. Or an ex employee could have surveyed the system and shared data with a larger group to perform the operation.
| Thorrez wrote:
| Google warned of North Korean hackers targeting security workers through LinkedIn in January 2021.
|
| https://blog.google/threat-analysis-group/new-campaign-targe...
| paulpauper wrote:
| I think the media and tech writers overestimate the efficacy of spear phishing attacks. There is tons of research involved in finding suitable targets and then planning out the attack, such as the exploit, fake websites, fake emails, and other ingredients.
| t_mann wrote:
| I think this is instead a good reminder that no matter how complicated / unlikely a specific attack vector seems, if the bounty is large enough you better assume that someone is going to do it.
| larsiusprime wrote:
| It helps when your boss is a state actor and your target chooses to put $625 million in assets behind what amounts to a single point of failure
| rchaud wrote:
| Surely the technology experts at A16z and Binance could have given them some basic cybersecurity tips before cutting a $300 million check?
| hn_throwaway_99 wrote:
| Huh? Don't understand your point. When the potential bounty is $540 million, seems like investment well spent.
|
| Just another reason crypto is a godsend for bad guys (obviously other financial crimes occur, e.g. with convincing folks to send fake wires) but there aren't many better ways to steal half a billion dollars I think. But, yeah yeah, "HN is so mean and hates crypto!!!"
| paulpauper wrote:
| This is a huge outlier though and it's not $500 million of cash but $500 million of crypto that must be processed/laundered slowly into usable cash, which may not even be doable. Given the recent crash it's probably more like 100 million now.
| jacquesm wrote:
| Meanwhile, my kids' school forces them to use Windows, spreads around lots of information that should be on websites as PDFs and asks to install all kinds of software from dubious sources including stuff that can only properly be classified as a rootkit in disguise.
|
| People are conditioned to trust certain verticals, Google, Apple, Microsoft (which owns LinkedIn) and a bunch of others and will lower their guard. Which is why it works so well. In fact I've received email from some of those where I was pretty sure I was being spearphished but they turned out to be real (but not on LinkedIn, which I refuse to join).
| alexfromapex wrote:
| This is so interesting, I just reported someone doing this on LinkedIn to the IC3. They create fake companies and ask for details like your SSN to ostensibly run a background check on you but in actuality it's to steal your identity or use your info to gain access to restricted resources.
| dboreham wrote:
| In my mind there has to have been some insider involvement (at least) in this attack. There are too many things unknowable to outsiders that would need to be known.
| treme wrote:
| It's hilarious that KJU was probably among the biggest benefactors of the crypto boom.
| jspdown wrote:
| They rely on 9 trusted validators, the hacker managed to get access to the private keys of 4 out of the 9 validators.
|
| What's the point of using a Blockchain if you end up centralizing validations like that?
| kwertyoowiyop wrote:
| Don't worry, they're going to have 100 trusted validators, thus solving the problem...FOREVER.
| ltbarcly3 wrote:
| The true answer is that it doesn't make sense but investors don't care because BLOCKCHAIN
| mikevin wrote:
| 'Proof of Authority' sounds an awful lot like the regular banking system.
| anyfactor wrote:
| TLDR
|
| Job offer PDF was downloaded to office computer. PDF had spyware that infiltrated the system.
| CarbonCycles wrote:
| LN has now become a dumping ground for spammers, scammers, and a social network site. It's lost its appeal, and I am getting more scammers all the time.
|
| I'm beginning to contemplate what value LN provides as LN has focused on more aggressive marketing tactics, and it's starting to feel like Instagram with the engagement metrics...
|
| Oh yea, I'm still perplexed on how anyone would ever go into an interview w/out doing any homework on the company...even the smallest of start-ups have a presence on the net. They better damn-well have a pitch deck for new capital and employees.
| Animats wrote:
| This reads like blameshifting.
| Axie Infinity is a Ponzi on the way down. They need someone to blame for their failure.
| schemescape wrote:
| They say that a worker downloading (and presumably viewing) a PDF (fake job offer) allowed spyware in. Which PDF viewer was exploited?
| alexk307 wrote:
| You can easily embed arbitrary JavaScript into any PDF, and you can obfuscate it well enough to get past most endpoint security tools on the market.
| WorldMaker wrote:
| You don't even need JS in a PDF. PostScript remains a Turing Complete language on its own.
| Nextgrid wrote:
| That JS would be sandboxed similar to in browsers, so you'd still need an exploit to break out of that.
| kube-system wrote:
| Not too tough, if you're a state backed group. Just buy one.
|
| The going price for Adobe PDF RCE zero-days is $80,000
| Jwarder wrote:
| Is there a good no-nonsense way to clean PDFs of possible threats? Hunting around I see mentions of converting PDF->PostScript->PDF to remove junk, but I also see mentions that PostScript is its own security mess.
| jabroni_salad wrote:
| Your only option is to disable all of those fancy features. That config only lasts until someone needs to file a form with the government though.
| Nextgrid wrote:
| I'm not sure it was even an exploit. It could very well be an intentionally-malformed PDF that pretends it has to be opened in a special "viewer" software, maybe even Adobe- or DocuSign-branded.
| snickerbockers wrote:
| I'm guessing it was the ol' ".pdf.exe" trick.
| Hamuko wrote:
| This sounds way too sophisticated for them to risk it with an "Offer.pdf.exe". Especially if it was state-backed. If the victim notices it, and the bar isn't high, you'd basically spook him away and alert the entire company.
| j0hnyl wrote:
| You're downvoted, but I'm certain this is exactly what it is.
| hn_throwaway_99 wrote:
| That trick doesn't work anymore for any reasonably modern email client.
| snickerbockers wrote:
| That's when you remind him that your boss needs to get this role filled by the end of the week so if you don't get a response by tomorrow you'll have no choice but to offer the job to another candidate.
| bfgoodrich wrote:
| silverPoodle wrote:
| You can put it into a .zip archive or just send an email containing a link with a fake PDF
| samatman wrote:
| To quote Fight Club: a major one.
| t_mann wrote:
| This is an important social engineering attack vector that all companies should be aware of. These kinds of targeted attacks (often spoofing valid contacts that employees would legitimately exchange documents with) have been common since I can remember the space, but using job applications is particularly disingenuous because employees are naturally going to be a bit secretive about those.
| Ekaros wrote:
| And this is why you should separate work machines from private and anything else. Especially when working with something high value.
| petilon wrote:
| If you care about security, two things you don't want to install on your computer are Adobe Acrobat and Microsoft Office. These products were written in the 1990s in C/C++ and are impossible to secure. Microsoft does not allow installing Office on Secure Admin Workstations (SAW) [1] for a reason!
|
| [1] https://www.microsoft.com/en-us/insidetrack/protecting-high-...
| wly_cdgr wrote:
| How do you go through a whole job interview process and not realize that the company you are applying to is fake and doesn't exist?!
|
| ...Oh wait, this is crypto
| vgel wrote:
| I applied to (and got a job at and worked at for a bit) a stealth-mode startup and it felt like a scam. No web presence, nobody had it listed as their job on LinkedIn, a couple vague references to funding rounds online that mentioned a different business model (turns out they had pivoted), etc. Remote applications are weird.
| a4isms wrote:
| How should we respond if we interview for a non-crypto job, and when we can't get any background on the company, they explain that they're in "stealth mode" to protect the advantage of surprise?
|
| From time to time there are real startups that decide to fly under the radar until they're ready to show the world what they've built. Of course, many such companies turn out to be massive duds... Like Cuil.
|
| https://en.wikipedia.org/wiki/Cuil
| 999900000999 wrote:
| Just interviewed with a crypto company, can confirm. Even "legitimate" companies with a web presence, customers, etc, come off as super sketchy.
|
| That said, for lower income people you'll be absolutely inundated with scams, a good friend of mine just hit me up cuz someone wanted to promise him for $100 or so a week, you'd somehow become a crypto millionaire. I actually think crypto in its entirety is a giant scam, there's just levels of sophistication to it.
|
| Not everyone's going to fall for give me $100 and I'll turn that into $10,000, but a ton of people fell for buy a bunch of crypto coins and hold, time the market and sell.
| jandrese wrote:
| What an incredible story. In fact it is so incredible that it smells a bit funny to me.
|
| Are we sure this heist wasn't an inside job? Axie was collapsing under its own weight and an employee decided to swipe all of the crypto after making up this crazy job offer PDF story to cover their tracks.
| password4321 wrote:
| I'm amazed I had to scroll down this far to find the obvious explanation: a rug pull with a press release so the perpetrator doesn't have to fake their own death.
|
| Edit: I thought the lack of details was fishy but the following would be tough to fake:
|
| _the FBI has attributed North Korea-based Lazarus Group, highly skilled hackers, to the Ronin Validator Security Breach.
| The US Government, specifically the Treasury Department, has sanctioned the address that received the stolen funds_
| xigency wrote:
| So they lost half a billion dollars because they forgot to set up Multi Factor Authentication?
| marshray wrote:
| MFA can't help you if your network admin is willing to open an untrusted file with an Adobe product.
| hn_throwaway_99 wrote:
| Two points to highlight from this article:
|
| 1. LinkedIn is an absolute godsend for bad guys, allowing easy targeting of everyone in the company with spear phishing emails and texts. I know many security professionals no longer use their real name, and don't list the real name of their company, because they know it's such a great hacking vector. Not sure what/whether LinkedIn can do anything about this.
|
| 2. I wish there were more information about what the vulnerability was in the PDF in the first place. I think a lot of people would be wary of downloading a PDF from a stranger, but not from someone who you had multiple interview rounds with and who offered you a job.
| jcrawfordor wrote:
| Most PDF "attacks" in the real world are very unsophisticated. One of the most common uses of PDFs in a phishing context is just as a way to deliver a link that would likely result in blocking by email security products (many don't inspect inside PDFs, and even for those that do the PDF format is complicated enough that it offers tremendous opportunities for obfuscation). I would wager money that the "PDF attack" involved here was as simple as a link to a malicious executable presented in a PDF to avoid detection by email filtering... in my time as a security analyst this was the #1 source of real compromise incidents, and anecdotally it seems to remain popular today based on the number of such PDFs I receive in my spam email.
|
| The PDF format presents many opportunities for other exploits, either obfuscating a payload or running code, but modern PDF viewers are locking these opportunities down to such a degree that they are not very reliable (most of all because it is difficult to know which PDF viewer your target will use, and many popular PDF viewers today like pdf.js are relatively feature-incomplete, which is a significant security advantage in this case). It's possible that something more sophisticated was going on but I would be very surprised if it was anything more complex than using the PDF as an obfuscated transport for a binary packed in it and invoked by the user (e.g. by clicking a link in the PDF with a JavaScript target). Non-user-interaction PDF vulnerabilities exist but are increasingly hard to come by as there has been more than a decade of work on locking down PDF viewers and the situation has improved dramatically in that time.
|
| Contrary to what people sometimes expect, highly organized groups (such as APTs) tend to stick to very basic, simple methods as much as possible, since they are relatively reliable. The use of recent vulnerabilities in a specific PDF viewer, for example, is high risk due to the likelihood of failure and the opportunities for analysis it presents (you will have to do custom development rather than using off-the-shelf tooling). This is the kind of thing that organized groups try to avoid as much as possible, subject to an ROI analysis. Or in other words, if putting a link to an EXE in a PDF still works, why would you bother with anything else?
| noduerme wrote:
| If it's just a JavaScript link to download an EXE, doesn't the target of the hack still need to run the EXE? Or are you saying that a link in a PDF can install _and_ execute code on its own?
|
| Assuming it can't, then the engineer had to click to run some unknown EXE after downloading it...
| that should hardly be described as a "PDF attack".
| TechBro8615 wrote:
| There is a whole class of attacks related to "deep linking" and custom URL schemes that the operating system can pass to any application that registers itself to match it. At that point the sanitization is up to the application.
|
| I recently stumbled upon a nice write-up [0] that described this class of attack and surveyed which software was vulnerable to it. Many crypto clients were included.
|
| [0] https://positive.security/blog/url-open-rce
| joshstrange wrote:
| Personally I don't update my LinkedIn until I start looking for a new job. There is absolutely no need for anyone to know where I work (or at least for me to share that far and wide publicly) and I'm not interested in cold emails/cold LinkedIn messages.
|
| My decision was cemented in 2020 when someone who didn't like a tweet of mine retweeted it to my old company's Twitter account trying to get me fired/reprimanded (The tweet in question called out my local PD for a dubious tweet they made, the person who tried to get me in trouble lived in a different state 12+ hours away). Thankfully my current company wouldn't have cared but there is no need to give people ammo.
| V-2 wrote:
| Which is why I simply don't use my real name (well, not a full name) for my Twitter account. I have the right to keep my professional and private persona separate, and if someone really wanted to, they could find out where I work anyway. (I'm not tweeting anything extreme in my own view, but there's always someone who will regard it as such, and as you say, what's good about giving people such an option to begin with).
| hn_throwaway_99 wrote:
| > Personally I don't update my LinkedIn until I start looking for a new job.
|
| Perhaps semi-off topic, but note there are companies that sell software (spyware?)
| to HR departments that specifically trolls LinkedIn looking for when employees update their LinkedIn profiles as a sign they're looking for a new job. This may or may not be a good thing depending on your position, perspective, or company, but just be aware it exists.
| heleninboodler wrote:
| Last time my RSU cliff came around, I logged into LinkedIn, updated my profile and accepted the backlog of connection requests (and read the flurry of "congratulations on your 4 year anniversary" messages). I almost immediately got Slack messages saying "are you leaving?" But I _wanted_ them to notice; that was the point.
| joshstrange wrote:
| Yeah, though I'd get dinged by that either way since I normally update my bio to include recent projects/tech I've worked with. This way I can hide behind plausible deniability "Oh, I just got around to adding X company to my LinkedIn" if I need to, whereas updating an existing entry is harder to justify (without giving away you are looking). Though I also try not to work for companies that I would need to worry about that.
| mgkimsal wrote:
| > whereas updating an existing entry is harder to justify (without giving away you are looking)
|
| I don't think it is at all. Indeed, if you're updating it regularly (every 3-4 months, perhaps?) with new project/task stuff, it's simply keeping things fresh in your mind, vs having to try to trawl back 3 years to think about project FOO.
|
| If you _only_ update it once every 2 years, then people can draw more nefarious conclusions.
| outworlder wrote:
| You can't really reason with algorithms.
|
| You'll be placed in a list with a score next to your name.
|
| > Though I also try not to work for companies that I would need to worry about that.
|
| How do you figure out what kind of software your company uses internally?
| joshstrange wrote:
| > How do you figure out what kind of software your company uses internally?
|
| I work for smaller companies that are more concerned with building instead of turning their workforce into scores on a list.
| cmeacham98 wrote:
| I doubt they'd actually ask you about it (and thus give you a chance to "explain" yourself), HR would just note you down and you'd be more likely to be laid off, less likely to get promotions approved, etc.
| adaml_623 wrote:
| I know this is off topic but I'm always confused by the attitude you've mentioned where companies don't actively work to retain staff.
|
| I wonder if there are any courses for managers to train them to think logically about this and not switch into bad decisions based on emotion.
|
| Companies waste so much money on hiring and then deciding to react very slowly to changes in market conditions. If businesses treated their staff like they treat their clients...
| kortilla wrote:
| > less likely to get promotions approved
|
| This is not how companies work (at least the ones worth working for). Retention risk is a reflection on their current role, compensation, manager, etc.
|
| We have absolutely promoted high performing employees and/or given them raises even though we knew they were looking at other opportunities.
| cmeacham98 wrote:
| Companies worth working for aren't stalking their employees on LinkedIn.
| joshstrange wrote:
| Fair, though if I'm looking I'm planning on being gone in 1-2 months max and I'm probably leaving in part due to lack of promotion.
| MisterBastahrd wrote:
| Meanwhile, my company actively gives us hints on how to spruce up our resumes with marketing bullshit that impresses nobody but middle managers who think that keyword searches with word soups like "Innovator. Thought-Haver. Bringer of Boys To the Yard." are their paths to big league success.
| BolexNOLA wrote:
| It's a shame too. In my experience LinkedIn has been great for job hunting, Indeed et al. were worthless time sinks for me.
| I want to keep it just for the ability to job hunt and get _results_ but as you said...it's a risk too.
| V-2 wrote:
| That's the only thing it's good for, but that thing actually works. My last three job offers were from LinkedIn (I ultimately rejected one because my employer at the time gave me a counteroffer when I handed in my notice, but I did accept the other two). The "content" on LI (feel-good / motivational BS) is so ridiculous that I sort of contempt-read it ("hateread" would be too strong a word) for the heck of it, but I can't wrap my head around WHY people would participate in this nonsense for real.
| BolexNOLA wrote:
| Yeah I really don't see any appeal beyond jobs (my current job came from it). The content is just SEO/personal branding fodder.
| rurp wrote:
| When I first signed up for LI I honestly couldn't tell the difference between the actual feed and what I imagined a parody site would look like. The posts that proclaim themselves to hold controversial ideas, followed by the most banal cliches possible, crack me up.
|
| Once in a while I check the feed for kicks and it's always 100% spam, cliches, humble brags, and not-so-humble brags.
| ineptech wrote:
| > I wish there were more information about what the vulnerability was in the PDF in the first place.
|
| Agreed, I thought that opening a read-only PDF was GRAS regardless of the application.
| WorldMaker wrote:
| PostScript is a Turing Complete language (always has been), and an over-simplified description of PDF is that it "just" wraps PostScript in a single Virtual Machine to target (versus PostScript has a lot of subtly different physical machines it was built for/targeted).
|
| That "PDF VM" has had many 0-day RCE bugs over the years. Thankfully, though the VM is standardized with the format, it still has multiple implementations in different applications and many exploits are application-specific implementation bugs.
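Several posts in this thread circle the same question (alexk307 on embedding JavaScript, Jwarder asking how to clean PDFs, jcrawfordor on the PDF as an obfuscated transport for a link to an executable, and the PDF VM point just above): which parts of a PDF let it do more than draw a page? The triage script below is an added example, not code from the thread or from any product mentioned in it: it inflates Flate streams, undoes hex-escaped names (so /J#61vaScript is recognised), counts action and script dictionary keys, and extracts /URI targets. Both sample PDFs are constructed for this example, and the list of risky names is a selection, not an exhaustive one.

```python
import re
import zlib

# Dictionary keys that let a PDF do more than draw a page: actions, scripts,
# attachments and links. These are the "fancy features" a locked-down viewer hides.
RISKY_NAMES = {
    "/JavaScript": "JavaScript action",
    "/JS": "JavaScript code string or stream",
    "/OpenAction": "action that fires when the document is opened",
    "/AA": "additional actions bound to page or annotation events",
    "/Launch": "launch action (asks the viewer to run an external program)",
    "/SubmitForm": "form submission to a remote host",
    "/EmbeddedFile": "embedded file attachment",
    "/RichMedia": "rich media (Flash/3D) content",
    "/URI": "URI link action",
}
# Link targets that point at something executable rather than a web page.
EXEC_EXTENSIONS = (".exe", ".scr", ".msi", ".bat", ".cmd", ".hta", ".vbs", ".zip", ".iso")

NAME_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
OBFUSCATED_NAME = re.compile(rb"/[A-Za-z0-9]*#[0-9A-Fa-f]{2}")
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URI_STRING = re.compile(rb"/URI\s*\(([^)]*)\)")


def inflate_streams(data: bytes) -> bytes:
    """Return data plus the inflated body of every Flate-compressed stream,
    so names hidden inside compressed objects are visible to the scan."""
    inflated = []
    for match in STREAM.finditer(data):
        try:
            inflated.append(zlib.decompress(match.group(1)))
        except zlib.error:
            pass  # plain content stream, a different filter, or garbage
    return data + b"\n" + b"\n".join(inflated)


def normalise_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes so /J#61vaScript is seen as /JavaScript."""
    return NAME_HEX.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)


def scan_pdf(data: bytes) -> dict:
    """Static triage of one PDF: count risky names, extract link targets and
    report obfuscation. Nothing is rendered and no script is executed."""
    # Inflate first, then normalise: a '#' inside compressed bytes is not an escape.
    text = normalise_names(inflate_streams(data))
    hits = {}
    for name in RISKY_NAMES:
        # A name token ends at a delimiter, so /JS must not match inside /JSX.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        count = len(re.findall(pattern, text))
        if count:
            hits[name] = count
    uris = [u.decode("latin-1") for u in URI_STRING.findall(text)]
    # Hex-escaped names only count outside stream bodies (binary data has '#' too).
    obfuscated = OBFUSCATED_NAME.search(STREAM.sub(b"", data)) is not None

    findings = [f"{RISKY_NAMES[n]} ({n} x{c})" for n, c in hits.items() if n != "/URI"]
    if obfuscated:
        findings.append("hex-escaped dictionary names (classic obfuscation)")
    for uri in uris:
        if uri.lower().split("?")[0].endswith(EXEC_EXTENSIONS):
            findings.append(f"link to executable content: {uri}")
    return {"hits": hits, "uris": uris, "obfuscated_names": obfuscated,
            "findings": findings, "risky": bool(findings)}


# Constructed samples (not real malware): a plain offer letter, and one that
# carries an OpenAction-triggered script, a hex-escaped name and a link to an .exe.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Length 44 >>\nstream\n"
    b"BT /F1 12 Tf 72 720 Td (Offer letter) Tj ET\n"
    b"endstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_suspicious_pdf() -> bytes:
    script = zlib.compress(b"app.alert('constructed sample script');")
    script_obj = (b"6 0 obj << /Length " + str(len(script)).encode()
                  + b" /Filter /FlateDecode >>\nstream\n" + script + b"\nendstream\nendobj\n")
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [7 0 R] >> endobj\n"
        b"5 0 obj << /S /J#61vaScript /JS 6 0 R >> endobj\n"
        + script_obj +
        b"7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (http://example.invalid/Offer_Letter.pdf.exe) >> >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspicious", build_suspicious_pdf())):
        report = scan_pdf(pdf)
        print(f"{label}: risky={report['risky']}")
        for finding in report["findings"]:
            print("  -", finding)
```

A hit is a reason to open the file only in a sandboxed, feature-stripped viewer (or to hold the attachment for review), not proof of malice, since legitimate forms use several of these keys.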
| LegitShady wrote: | I see people posting things even on HN where it's a link to a | PDF and I don't click on them. I remember PDF being a leaky and | buggy format whose interpreters were full of vulnerabilities. I | don't click on PDFs. | ChrisMarshallNY wrote: | _> LinkedIn is an absolute godsend for bad guys_ | | I am listed as the Principal on a couple of companies, and get | _constant_ approaches that are obviously fake (like an | attractive young "stewardess" from Dubai, who just happened to | like my picture (which is actually my logo)). | | I've given up reporting them, as LI _always_ responds with | "This is not in violation..." | djbusby wrote: | Isn't LI owned by MS? | JohnJamesRambo wrote: | Is there a "Best of" archive for HN comments? | ChrisMarshallNY wrote: | Yup. I'm gonna remove my cynical comment (although I still | totally believe it). It's just not helpful. I think people | can figure it out, for themselves. | | Also, people use LI as a way to aggregate information, then | send emails that appear to be from LI, but are not. I got | one of those, yesterday, and reported it to LI, saying | "These guys obviously used your service to construct this | honker." | | And LI's reply was ... envelope, please ... "Not our | problem. Go away, kid. Yer bodderin' me." but stated a bit | more politely. | | I deliberately stay fairly open. I mentioned that, some | time ago. It comes with some problems, like a determined | bad actor can build up a fairly good profile. | | But I have had _years_ of experience, rubbing elbows with | professional con artists, so I am maybe a little tougher to | fool than many (but some approaches have come close -these | folks are good). I would never be so arrogant to say that I | can't be phished or whaled, but it's almost certainly not | worth the effort. | wombatpm wrote: | I recently had someone try the CEO/boss needs something | right away for a customer ruse via text.
I know LI was | the source, because it referenced my previous job and LI | still had the incorrect information. I played along that | I was ready to purchase with my corporate card. Then | after wasting more of their time, I sprung that they were | fishing with old bait. Good times | PebblesRox wrote: | I'd love to hear more about your experience with con | artists! | ChrisMarshallNY wrote: | It's not the type of story that I really share in the | venue of press, radio and films, if you get my drift. | | I'm happy to chat -a bit- about it, directly. Many of the | stories that I know, are not mine, to tell. | cosmodisk wrote: | Same here. I grew up knowing some very shady people. Some | of the stuff could easily be turned into books or a | script for a movie. | _fat_santa wrote: | I think one shouldn't discount the attack vector that is just | working in the Crypto industry, especially when you're someone | who works with startups rather than the big guys. | | In the "Web2 Sector", it would be very easy IMO to snuff out a | fictitious company. I've gotten a handful of "offers" in the | past and you can see straight through them, because the company | doesn't exist in real life and you can't find any info on it, | huge red flag. | | The problem with the "Web3 Sector" IMO is you have a bunch of | upcoming players in the space that no one has heard of. Just | like investors in Crypto, if you're a developer in the space, no | doubt you are jockeying to join a project that might land you a | 7-10 figure windfall at the end. | | So if an unheard of company approached me, I would tell them to | kick rocks. If a similar company approached someone in the | "Web3 Sector", they might take it thinking it's an emerging | opportunity. I'm sure this still happens with Startups but my | gut says it's really bad in the Web3 space.
| samstave wrote: | Speaking of spear phishing: | | When I was at lockheed we had an incident whereby a bunch of | folks had attended some defense conference, and after the fact | received emails from folks they had 'met' at the conference, | something along the lines of | | "Hey Bob, we met at the [defense] conference this last week and | I wanted to be sure you had my contact info: malware- | contact.vcf" | | or some other payload. | | This installed a very slow sprawling worm which would slowly | trickle data out of lockheed to China. | | It was not discovered for quite a while due to how slowly it | operated, but someone had complained about machine performance | and IT looked at the machine and discovered the worm... after | removing it - this somehow sent a signal to China that they had | been found and all the worms started to firehose as much as | they could until egress was closed. At the time, all of | Lockheed's 150,000 employees had just three egress points to the | internet. They had to shut them all down to kill that worm. | secondcoming wrote: | Also, don't use a company device for personal business. | | If you use your own device then do company work in a VM. | jessaustin wrote: | Opening the pdf wasn't "company work", so maybe everything | should be done in a VM? (Not the _same_ VM!) | secondcoming wrote: | He opened it on a company device I assume | jessaustin wrote: | That's possible, and addressed by your first sentence | above. You wrote the second sentence to address a | different possibility. In that case, a process with | access to the whole device could read e.g. auth tokens | contained in a VM. | jedberg wrote: | I'm not sure this is Linkedin's problem to solve. They are just | a directory. | | I suppose they could add a phishing warning for messages sent | on LinkedIn, but really it's an education problem, teaching | people to identify what phishing emails look like and how to | avoid them.
This is a problem I've been working on since at | least 2003, when we realized that the best way to prevent eBay | account takeovers was teaching people what phishing is. We also | identified that education is the hardest solution to achieve. | | It's ironic that the security professionals are the ones hiding | their identity, given that they are the best prepared to | identify and avoid phishing emails. | hungryforcodes wrote: | You're right -- apparently it's a PDF problem, and I'm still | looking for an explanation of how a simple PDF could be worth | half a billion dollars. | burrows wrote: | > I'm not sure this is Linkedin's problem to solve. They are | just a directory. | | If the issue reduces user metrics, then they will want to fix | it. Ultimate responsibility seems irrelevant. | | > It's ironic that the security professionals are the ones | hiding their identity, given that they are the best prepared | to identify and avoid phishing emails. | | I might have demolitions training, but I'd still rather walk | around the minefield. | aaronharnly wrote: | On (1), I have seen employees get spear-phishing texts (Welcome | X! This is the CEO of Y. I need you to do a small favor...) | within hours of updating their LinkedIn. I assume there are | robots crawling it constantly looking for fresh candidates for | account takeovers or other scams. | alexfromapex wrote: | I think one other thing that bears mentioning is that | LinkedIn's reporting doesn't easily let you explain how someone | is performing a scam. If you're diligent you can find the link | somewhere where you can actually explain it but when you just | "report" someone or a job the response from LinkedIn is usually | "We didn't find anything indicating this is a scam" or similar. | walrus01 wrote: | > I know many security professionals no longer use their real | name, and don't list the real name of their company, because | they know it's such a great hacking vector. 
Not sure | what/whether LinkedIn can do anything about this. | | on the other hand I bet you could collect some interesting | things by creating a few fake people as linkedin honeypots at | FAANGs, and I would be very surprised if their infosec/netsec | teams aren't already doing this. | | or getting real people who opt-in to have their linkedin | profile receive incoming scams, virus, trojans, phish links and | pipeline them into the infosec/netsec team. | bl_valance wrote: | Isn't the issue here that they used their work laptop or were | on their work's internal network(VPN?) to "apply" for this job? | | This is something I see/hear so often, people using work | equipment/network to conduct their personal stuff. This, IMO, | should not be allowed at all. | Dig1t wrote: | I deactivated my LI after my last job search, it hasn't | affected my life at all since then. I don't know why you need | one at all most of the time. Even without one, I think it would | be perfectly easy to get interviews at companies, most | interviews I've done in the past have been the ones I got by | just going to the company's website and applying directly | anyway. | caseysoftware wrote: | Some in the security community demonstrated this with Robin | Sage, circa 2009: https://en.wikipedia.org/wiki/Robin_Sage | | It introduces the idea of "transitive trust" where person A | might not know person B but if the two have a bunch of contacts | in common, the odds of A trusting B go up. When there's a | profile with tens or hundreds of shared connections, it looks | real by all accounts. | | I wrote about this as an intel gathering/attack vector way back | in the day but it's 100x better now because connecting is | second nature and people trust more now: | https://caseysoftware.com/blog/open-source-intelligence-link... | elif wrote: | I'm so confused by #2 as well. | | If pdf is compromised, is it fixed? This seems like the kind of | vulnerability that would ruin pdf's reputation permanently.
It | was the safe alternative to sending someone a .doc particularly | because of its limited functionality. | kornhole wrote: | I only use titles such as 'Employee' 'Worker' 'Carbon Based | Life Form'.. on Linkedin. It also significantly reduces the | amount of spam and cold calls. | rmbyrro wrote: | The main problem was using a machine that had access to half a | billion dollars to also browse the web and do stuff like | applying for jobs. | | If you're gonna have access to such amount of money, it's worth | buying a dedicated machine and using it very, very cautiously. | PragmaticPulp wrote: | > The main problem was using a machine that had access to | half a billion dollars | | Going up a level, the main problem was that the company had a | system where a _single person_ could irreversibly transfer | half a billion dollars away from the company. | handoflixue wrote: | The article actually covers that it required 5 out of 9 | people to sign off. They got 4 via PDF attacks and 1 via | legacy access that was never properly terminated. | 8note wrote: | I think it's worth noting that the people did not sign | off, only the keys did. | | The system does not require people to sign off, but for | the keys to sign off. | | I don't think it's worth calling this a hack, the keys | are what owned the monies, and it's the keys that | decided what to do with it. People have access to keys, | they don't own them | tylersmith wrote: | The compromised employee had access to that 5th factor it | was just not as direct as him having a 5th private | key. | mousetree wrote: | My understanding of the article was that only 1 person | was compromised and that the exploit installed on their | computer was then used to access the validator nodes | themselves. FWIW, I have no idea what a validator node is | but I'm assuming that by compromising one employee's | workstation they somehow got access to multiple other | machines (which if true is itself a bit of a f* up).
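The sub-thread above (5-of-9 validator keys, 4 taken via the compromised workstation plus 1 via legacy access that was never revoked) describes a threshold-authorisation design and the way it failed. The following is an added illustration, not code from the article, from Sky Mavis or from Ronin: a minimal threshold verifier that counts only distinct, currently-authorised signers, side by side with the stale allowlist that lets a decommissioned key still count. Validator names, the demo keys and the withdrawal message are constructed for the example, and HMAC-SHA256 stands in for the real (asymmetric) validator signatures so the block runs with the standard library alone.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# --- stand-in signing primitive (assumption: real validators use asymmetric keys) ---

@dataclass(frozen=True)
class Validator:
    name: str
    key: bytes  # demo HMAC key; a real validator holds a private key, the bridge a public one

def sign(validator: Validator, message: bytes) -> tuple:
    """Return (signer name, tag) the way a validator would attach a signature."""
    return validator.name, hmac.new(validator.key, message, hashlib.sha256).digest()

# --- threshold policy -------------------------------------------------------------

@dataclass
class ThresholdPolicy:
    threshold: int
    validators: dict            # name -> verification key currently on the allowlist
    revoked: set = field(default_factory=set)

    def authorise(self, message: bytes, signatures: list) -> tuple:
        """Return (approved, sorted list of validators whose vote counted).

        Only one vote per validator counts, the key must still be on the
        allowlist and not revoked, and the tag must verify for this message.
        """
        counted = set()
        for name, tag in signatures:
            if name in counted:                  # replaying the same signer is one vote
                continue
            key = self.validators.get(name)
            if key is None or name in self.revoked:
                continue
            expected = hmac.new(key, message, hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                counted.add(name)
        return len(counted) >= self.threshold, sorted(counted)

# --- constructed scenario ------------------------------------------------------------

NINE = [f"validator-{i}" for i in range(1, 10)]            # the 9 current validators
LEGACY = "legacy-validator"                                   # access that ended but was never removed

def make_keys(names):
    # Constructed demo keys, derived deterministically so the example is reproducible.
    return {n: hashlib.sha256(b"demo-key:" + n.encode()).digest() for n in names}

KEYS = make_keys(NINE + [LEGACY])
ATTACKER_HOLDS = NINE[:4] + [LEGACY]                          # 4 stolen keys + the stale one
WITHDRAWAL = b"withdrawal request: move all bridged funds"    # constructed message

def attacker_signatures(message: bytes = WITHDRAWAL) -> list:
    return [sign(Validator(n, KEYS[n]), message) for n in ATTACKER_HOLDS]

def stale_policy() -> ThresholdPolicy:
    # Allowlist never pruned after the legacy arrangement ended: 5 keys still count.
    return ThresholdPolicy(threshold=5, validators=dict(KEYS))

def maintained_policy() -> ThresholdPolicy:
    # Same allowlist, but the legacy entry was revoked when its access ended.
    policy = ThresholdPolicy(threshold=5, validators=dict(KEYS))
    policy.revoked.add(LEGACY)
    return policy

if __name__ == "__main__":
    print("stale allowlist:", stale_policy().authorise(WITHDRAWAL, attacker_signatures()))
    print("maintained   :", maintained_policy().authorise(WITHDRAWAL, attacker_signatures()))
```

With the stale allowlist the four stolen keys plus the forgotten legacy key reach the threshold; with the legacy entry revoked the same five signatures count as four and the withdrawal is refused. Deduplicating signers matters for the same reason: otherwise one compromised key submitted five times would clear a 5-of-9 check on its own.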
| logifail wrote: | > I'm assuming that by compromising one employee's | workstation they somehow got access to multiple other | machines (which if true is itself a bit of a f* up) | | Q: If you assume the bad guys have already compromised | your workstation, how sure are you that they won't be | able to compromise other machines you connect to? | charcircuit wrote: | You can't, which is why one person shouldn't have access | to more than one. | [deleted] | fsckboy wrote: | because the workstation was compromised by opening a | corrupted pdf, but that vector wouldn't compromise the | other machines unless users on them could be induced to | open the same pdf. | | not to say it can't be done, but it was unexplained | sangnoir wrote: | It doesn't have to be the same pdf, it could have been an | attachment from the compromised machine via email/slack. | "Hey, can you help me figure this unusual log/transaction | summary". How many wouldn't open such an attachment from | a "colleague"? | abxytg wrote: | Yep. Bad opsec at the org level. Either the eng was doing | work stuff on a personal laptop or personal stuff on a work | laptop. This is easily preventable and should be table stakes | when handling money, phi, etc | spaceman_2020 wrote: | When I first got into crypto, a few things were pretty much | drilled into my head: | | - Not your keys, not your coins; always self-custody | | - Never use the same machine for trading and for work/surfing | the web | | - Store only funds you want to regularly trade with on a hot | wallet. Everything else on a cold wallet. | empraptor wrote: | and this is part of why i think cryptocurrencies should | have died before large number of people wasted their money | on it. for the average user without the | time/knowledge/patience to handle cryptos "properly", the | choice is between losing money while handling this shit | yourself or losing money while trusting someone else to do | it right.
| spaceman_2020 wrote: | It's an entirely free market. Just because one person | doesn't understand the tech and loses his money doesn't | mean that everyone else shouldn't be allowed to use it | either. | | Even if you don't buy into the crypto vision (I don't), a | digital-only currency that isn't tied to any nation-state | does deserve to exist. | Retric wrote: | It's fine for a few people to play with such a system. | The issue is, if it's absolutely clear crypto is incapable of | widespread adoption or just about anything else people | hype it up as, then it shouldn't be hyped as if that | stuff is a possibility. | | I could never tell how much was incompetence vs fraud, | but either way without the hype vastly fewer suckers | would be holding the bag right now. The crypto ecosystem | has just been terrible for just about everyone and | things are far from over. | spaceman_2020 wrote: | The people holding the bag right now mostly got in | because of the allure of quick profits. And if they | didn't sell even after making incredible (paper) returns, | they have their own greed to blame. | | Bitcoin was $6,000 in March 2020. It hit $63,000 in April | 2021. And if you didn't sell that top, it hit $67,000 | again in November 2021. | | Even now, it has dropped less than Netflix, a supposed | bluechip. | | I don't know what's the scam in this - you had plenty of | entry opportunities and plenty of exit opportunities. The | underlying system itself still works exactly as | described. | 8note wrote: | I'd put an addendum to the first one | | You can't own keys, so you can't own coins. You instead | have access to coins when you have access to keys. | abirch wrote: | I still can't believe that they opened the PDF on the | _company_ computer. I always use my home computer and the | poor hacker would get bored of seeing all of my Raspberry Pi | projects that I haven't done.
| cfn wrote: | I suppose that sending it during business hours and, who | knows, maybe the final offer would be in the PDF and the | poor guy couldn't wait to open it. The rest is history. | kuboble wrote: | It might be hard to believe that the particular person in a | particular company did that, but given a lot of attempts, | dedication and lucky / unlucky circumstances eventually | somewhere someone will trust a malicious person and will | get socially engineered into opening a pdf on a working | computer. | godot wrote: | Also wonder if the PDF exploit works for only | local/native PDF readers (e.g. Adobe Readers) or also | web-based. If someone occasionally checks their personal | email from a work laptop, chances are they'd only use the | Gmail preview to open the PDF. It seems like most | engineers wouldn't get all the way to downloading a job | offer PDF to their work laptop and opening it up there. | turtlebits wrote: | If you're looking for work, you have to interview during | the day, which you're probably in office (things are very | different now). I know I'm guilty of having my personal | email signed into my work computer (albeit with a | separate browser). I've also done virtual interviews in the | office meeting/phone room. | bornfreddy wrote: | You've done interviews in the office of your (then) | current employer??? Gutsy. I wouldn't dream of using | employer's equipment, time or space while negotiating for | a new employment. | CrispinS wrote: | I can't believe a software developer is using an operating | system/pdf viewer that isn't patched for security | vulnerabilities as major as an RCE. | | Unless this was a zero day, but I would have assumed the | article would mention that fact .. | da39a3ee wrote: | Huh? I've used my company laptops for my personal life for | the last 15 years. Why would I want to carry two laptops | everywhere? I travel. I barely remember what a personal | laptop is.
| RajT88 wrote: | I travel with a HP Spectre x360 for personal stuff. It is | barely a weight or bulk addition compared to my work | machine. | | When I was on the road all the time I also had separate | phones to ensure I never got stuck with a dead phone. | logifail wrote: | > I've used my company laptops for my personal life for | the last 15 years. | | Counterpoint: I've been completely and utterly allergic | to opening anything personal from any company system for | longer than that. | jazzyjackson wrote: | lol | | do you at least dual boot? | | have a separate user account? | | I guess it's fine as long as your computer doesn't have | the credentials to the company slush fund. | | Friend of mine I traveled with carried 3 macbooks with | her: school issued, work issued, and personal. They had | different software licenses tied to the machine, | whadyagonnado? | acheron wrote: | I hope this is satire. | kornhole wrote: | I think you are joking to bait us. At least use a VM | running a VPN within it. It won't protect you from screen | captures or keyloggers your employer put on your machine, | but it will segregate files and network activity. | koofdoof wrote: | How usable is LinkedIn with a pseudonym? Is that a security | industry only practice or could a regular dev get away with | that too? I've always been shy about having a profile with my | actual name but I'd consider one with a thin veil of anonymity. | 8organicbits wrote: | Same, although my perception is that LinkedIn has moved past | its peak usefulness, and it would be better to spend time on | other platforms than creating a LI account. All I hear about | LinkedIn these days is spam. | bckr wrote: | which other platform? | 8organicbits wrote: | There's a lot of platforms that do sort of related | things, so it's a hard thing to answer. For "finding a | job" I've been looking at HN, remoteok, and a bunch of | others.
For professional networking I use various tools | run by former coworkers (mostly Slack and Google Groups). | For "blogs" I use HN and Reddit. etc. I don't think | LinkedIn does any of those better (my perception, I'm not | a current user). | | Personally, I'm probably not interested in a LI clone for | many of the reasons I stopped using LI. I deleted my LI | account maybe 8 years ago, after getting too much spam | (and I think some security issue?) | mistrial9 wrote: | LinkedIn sceptic here -- I would assume that in 2022, the | closer you are to real, legal Microsoft-ecosystem roles, | the more useful it is.. meanwhile, the independent people | in tech get splashed with mud. No comment in this | discussion has indicated to me that LinkedIn is not useful | for certain swathes of established professions, even now. | chatmasta wrote: | As an engineer I never found LinkedIn useful. But during | college I made sure to connect with everybody, even if I | barely knew them. The only jobs I've had I got through other | means, in some cases even "connections," in the traditional | sense of the word, which incidentally exist on the LinkedIn | graph, but that's just a mirror of real life and it's not | like the coordination occurs over LinkedIn messages anyway. | | As a startup founder, it's effective in some contexts, like | as a contact point or promotional tool. We never felt the | need to use it for recruiting. At least in the software | industry, GitHub is a much more effective marketplace of | talent. But LinkedIn can have some benefits for a startup | outside of recruiting. Posting content about your product is | a good way to stay in front of investors you've connected | with who doomscroll their LinkedIn feed like a dev does HN. | :) (it's also something I need to automate because I block | LinkedIn on /etc/hosts for productivity purposes..) | | I'm not sure I've ever _sourced_ an opportunity from | LinkedIn. 
I also never accept connections without at least | one prior interaction. For me it's a tool for following up | and keeping in touch, not introductions. It might also be | useful in some rare sales contexts, for some specific | archetype of audience especially susceptible to the | psychological tactics commonly deployed to the LinkedIn | newsfeed. Developers are definitely not that audience (well, | not on LinkedIn at least...) | charlie0 wrote: | I really wish I could just dump LI and delete my account; | it's just spam and another service for those who love to self | promote themselves. I won't do it because I'm not sure how it | will impact my ability to get a job. | | How many of you have gotten jobs with no LI account? YEO? | CodesInChaos wrote: | Did this use a code-execution vulnerability in the PDF reader? or | did they just trick the user into opening an executable? | nemothekid wrote: | I'm assuming it was an exploit in Adobe reader. The target | could have even been persuaded to install Adobe reader to | "e-sign" the document. PDFs don't have the best track record | when it comes to security | silentsea90 wrote: | Why do pdfs even allow executing code outside of the pdf env | ie why isn't there a sandbox/apis that allow very limited | operation? | nemothekid wrote: | >Why do pdfs even allow executing code outside of the pdf | env | | Some PM in 2006 thought it would be a good idea if PDFs | were turing complete. I'm sure the word sandbox wasn't even | thought about. 10 years later PDF (and more notably, Flash) | became huge attack vectors. | | I think a far more interesting hack is when NSO used a PDF | to embed a virtual machine inside an iPhone to develop a | zero click exploit over iMessage: | | https://hothardware.com/news/zero-click-malware-pwns- | iphone-... | darepublic wrote: | During beginning of pandemic I got a job via a fully remote | process.
I felt it was sketchy in some respects and I became | increasingly fearful that it was some kind of phishing scheme. | Luckily turned out to be legit. Job applications are such an open | door for this kind of thing. They collect so much info from | candidates, easily enough to commit identity theft. Also god | forbid the company or recruiters get hacked and the data leaks | anyway | londons_explore wrote: | Chrome/Edge PDF viewers are pretty secure. You can reasonably | safely open anything in them. | | Desktop PDF viewers like acrobat are gaping security holes... | Don't use them! | ahmadmijot wrote: | Is Adobe Acrobat really that bad? We use Acrobat Pro because | it's easy to modify pdf files with it. Other software can't do | that much. Is there other pdf 'editor' that you can recommend? | londons_explore wrote: | Acrobat in a virtual machine that you don't connect to the | network? | | Most malware these days can't function without internet | connectivity. The exploits typically connect to a server to | get the rest of their code because they don't want any pesky | researchers getting their hands on stuff. | TedDoesntTalk wrote: | I use PDF Expert on MacOS for its editing and markup abilities; | built-in browser viewers aren't good for that. What should I | do? | CamelRocketFish wrote: | Don't work for a crypto company. | iamwil wrote: | In this case, there's no need to make it on a blockchain if a | company controls the majority of validators. | UberFly wrote: | I read the first paragraph, the overlay banner popped up and | blocked everything. I don't care what the article says after | that. | elif wrote: | Is this the moment we need for LaTeX to become standard? pdf is | clearly to blame here imo. This guy isn't the only one to trust | it. | | It seems like the entire legal profession, for instance, should | be crippled by this vulnerability disclosure, if true.
| shp0ngle wrote: | hahaha | Barrera wrote: | > Validators fulfill various functions in blockchains, including | the creation of transaction blocks and the updating of data | oracles. Ronin uses a so-called "proof of authority" system for | signing transactions, concentrating power in the hands of nine | trusted actors. | | This paragraph perfectly encapsulates everything wrong with the | way promoters sell Ethereum. Smart contracts can do little of | interest beyond straight monetary transactions without | information about the outside world. That information comes from | "oracles", or what the article calls "validators". | | The security guarantees of this system are far, far weaker than | the Ethereum consensus protocol, as the article demonstrates. And | yet, the system is hyped to the n-th degree by shysters who | ignore this basic fact with ludicrous claims about security and | stability. | | Zooming out, basically Ethereum is hyped as a platform for "smart | contracts." But the minute a smart contract does anything beyond | basic money transfers, it needs an oracle. And with the oracle | comes radically reduced security. | | Eventually, this will be obvious. For now, shenanigans like this | will continue. | whatisweb3 wrote: | Oracles that connect to off-chain data are usually understood | as points of centralization, I don't think Ethereum or its | developers are selling otherwise. | | Most Ethereum developers are advising against relying on | bridges across security zones that would be upheld by multisigs | and oracles, they are vulnerable to attacks. A better model | than a bridge to sidechain would be a rollup - posting proofs | on chain without giving the sequencer the ability to steal or | control user funds. | [deleted] | jedberg wrote: | For those that don't want to read the whole thing, (supposedly) | the attackers reached out on linkedin to a bunch of employees | asking them to apply to a fake company.
One of them did it, went | through a bunch of fake interviews, and then got a fake offer, in | the form of a PDF. | | They opened the PDF and that installed a keylogger on their | system (it doesn't explain how). | | The attackers then used that engineer's credentials to take over | 4 of the 9 validators on the blockchain which they then used for | their heist. | leoqa wrote: | It's honestly impressive. I work in security in fintech and it | can be frustrating to have our work deprioritized against | product features. These examples help underscore why having | robust security controls is existential. | CobrastanJorji wrote: | I'm trying to imagine a setup at any company whose primary | business is controlling extremely valuable digital assets | having a security setup that could be entirely undone with | keyloggers, and it's difficult. No necessary VPNs, keys on | devices, or other non-password authentication? One engineer's | password should not be the keys to the kingdom. | | Sounds like a bad RPG plot. "Because of its danger, we broke | the Obsidian Key into 9 pieces and divided them across the | realm, each protected by a powerful, mystic dungeon. Also, Dave | can access them any time he says the secret word." | SV_BubbleTime wrote: | Agreed. The article doesn't mention keylogger at all. I was | definitely picturing a remote control exploit. | jedberg wrote: | They must have updated it. When I read it it specifically | said keylogger. | phphphphp wrote: | I'm of the view that the completely illogical nature of their | entire business and the absence of any meaningful security | are deeply interwoven. | | Rather than think of their primary business as securing | digital assets, think of their primary business as convincing | people that a perpetual money machine in the shape of a video | game is possible. The valuable digital assets are just a | narrative tool -- and so it follows that they wouldn't have | the expertise in securing digital assets. 
| | Nobody capable of building a secure system for digital assets | would waste their time working for a company like Axie, after | all, the entire premise of their business is flawed so people | with the critical thinking skills necessary to build a secure | system would apply that critical thinking to the viability of | the company -- and, of course, conclude it's destined for | failure and not hitch their wagon to it. | tornato7 wrote: | Axie Infinity exploded in popularity overnight. They likely | built their infrastructure when they were securing $1M in | digital assets and then suddenly found themselves | controlling half a billion before they could upgrade their | security. | | That doesn't excuse their poor security practices. They | shouldn't have built their asset custody system in-house if | they didn't have the expertise. They could have used | Fireblocks or a Gnosis Safe Multisig with hardware wallets | and they would be safe. | dataangel wrote: | I understand your argument but this kind of reasoning | consistently fails to be predictive. If things worked as | you describe, there would be way more consensus amongst | skilled engineers on political topics. In practice people | are very skilled at selectively turning off their brain, | especially when they stand to benefit. | | "It's difficult to get a man to understand something when | his salary depends on not understanding it." -Upton | Sinclair | phphphphp wrote: | I completely agree in principle but the nuance here is | that I'm leaning on the belief that people joining Axie | do not "...stand to benefit..." because the long term | prospects of Axie Infinity are not good (and have never | been good) and so anybody analysing the benefit of | joining them -- who has a broad range of opportunities | available to them -- would immediately see how little | they stand to benefit from getting involved with Axie | Infinity. 
| | I'm under no illusions about the intelligence of software | engineers (of any specialism) -- we are all idiots at | least some of the time -- but I struggle to believe that | a competent engineer with lots of opportunities would | somehow believe that Axie Infinity is the best | opportunity available to them, hence, their system is | built by people who don't have other opportunities and | have produced an insecure house of cards (more insecure | than the average system anyway -- all systems are | insecure in some capacity). | eigenvalue wrote: | Seems like there would be market demand for a super locked down | PDF viewer that basically ignores all the silly | extensions/additions that Adobe has added to the format over the | decades. The vast majority of documents don't need Turing | complete code capabilities or embedded videos or interactive 3D | models. Something that safely (using sandboxing and other | methods) turns the document into totally static pixel data that | still feels nice to read would mitigate this extremely common | attack vector. | tornato7 wrote: | This pretty much already exists, it's called Cloudflare Browser | Isolation. They basically render your browser on a remote | server and pipe you the visual data. | SV_BubbleTime wrote: | FoxIt has out of the box GPO controls that are quite easy to | use. It's probably got a lot of tweaking to really lock it | down, but I think you could get pretty far before having to | stop for lunch. | stefan_ wrote: | I realized some time ago, not wanting to install drivers, that | a lot of office printers now have some janky webinterface that | also allows uploading PDFs to submit as print jobs. This will | turn a malicious PDF into perfectly safe paper! | | Now whatever cursed embedded software on the printer reads the | PDF is probably a lot easier to exploit than an updated PDF | viewer, but that's not what these people are going for. 
| schemescape wrote: | What's the best practice, security-wise, for viewing PDFs? | AustinDev wrote: | I have a script that watches my download folder and runs them | through Ghostscript, which is designed to reduce the file size | of PDFs but it also strips out any linked media or embedded | code from my testing. It does a bunch of other stuff too but | the pdf auto-converter was pretty simple. | pcthrowaway wrote: | Curious if anyone has been able to find technical details of how | this attack works/worked. I'm under the impression most PDF | viewers would prevent this sort of attack (e.g. opening a PDF in | your browser should sandbox it to the browsing context), but | really keen to know what PDF viewer / OS was used by the dev. | layer8 wrote: | On Windows, Acrobat Reader has Protected Mode (sandbox) and | Protected View (most features disabled) features [0], but | people tend to disable it, in particular the Protected View, or | don't enable it for all locations. Or maybe the vulnerability | wasn't on Windows, or was in something like font rendering, or | they used a different reader without sandboxing. | | [0] https://helpx.adobe.com/reader/using/protected-mode-windows.... | butterNaN wrote: | Why is Protected Mode not the default? | wespiser_2018 wrote: | Here's a demonstration of some example attacks using pdf: | executing arbitrary js, and connecting to a samba server: | https://www.sentinelone.com/blog/malicious-pdfs-revealing-te... | | I'm not sure about this attack specifically, though, and in | Ronin's post mortem they aren't really talking about that: | https://roninblockchain.substack.com/p/back-to-building-roni.... | | To some extent, the PDF viewer/OS doesn't matter. A dedicated | and well-resourced attacker like the Lazarus Group will find | holes in all of them. 
The "right" move here would have been for | the employee not to download the compromised pdf, and short of | that, for the IT Security team at Ronin to quickly detect the | weird traffic that resulted and isolate the validators to | prevent a compromise of their critical assets. | Volundr wrote: | The right move here would have been to have separate | work/personal computers so that this PDF never landed on a | system with access to the Ronin network. | | I know I'm pushing a boulder uphill with that one but it | really is the way to go, better for both the individual and | the company. | gowld wrote: | llaolleh wrote: | I'm in this camp. All employees should be sent a laptop, or | work with a remote environment that is isolated from your | personal computer. | rchaud wrote: | what would stop a developer from checking personal email on | a work machine? | Volundr wrote: | Themselves. I'm saying developers (and employees in | general) should not do any personal stuff on work | machines or any work stuff on personal machines. | | This has benefits for the employee, not just the company, | in that it keeps the employee's personal data out of the | hands of the IT department. | pcthrowaway wrote: | It makes it a bit harder to travel with two laptops, | which is one of the nice advantages of working from | home.. but I'm otherwise in support of this. | | This might just result in employees finding ways to | remote access their work computer from their personal | computer from wherever they are, but at least that's an | additional wall for would-be attackers to hurdle. | macintux wrote: | Exactly. I was on a meeting a couple of years ago and the | co-worker who was presenting his desktop received a | personal iMessage that flashed for everyone to see. | ptudan wrote: | yeah but that's solved by disabling notifications before | presenting. | ptudan wrote: | Nahhhhh, I gotta browse the internet to be effective. 
| That requires me logging into random sites with personal | logins. | | I don't install anything personal on my work computer, | but I wouldn't hesitate to open an email or pdf from a | seemingly trusted source. I don't really blame the dev | here. | | What you propose is a reasonable solution, but I feel | like it slams in the face of actual human behavior. Most | people act the way I describe, even most tech | professionals. | pcthrowaway wrote: | Or more to the point, what would stop someone from | sending malicious documents to the employees' work | emails? | | Figure out a company uses <some-saas>, register a phishing | domain (e.g. gith.ub), send them an email with important | info about their account, and a PDF attachment with more | details. | | If it's that easy to compromise a system, all you have to | do is get a few employees to open the PDF, right? | Volundr wrote: | And this is exactly why your IT department sends out | those simulated phishing emails everyone likes to | complain about. | elif wrote: | So then the attackers can only get my bank password? | | I think the clear move here should be to avoid pdf, just | like the move is to avoid doc. | the_gipsy wrote: | I know that document-rendering is much more complex than what | it appears on the surface, but surely in this day and age | there should be document viewers that don't run scripts and | are exploit-free. | gowld wrote: | cmeacham98 wrote: | > To some extent, the PDF viewer/OS doesn't matter. A | dedicated and well-resourced attacker like the Lazarus Group | will find holes in all of them. | | I dispute this: the web browser is one of the most defended | pieces of software of all time, especially relative to its | complexity. I would find it much safer to open a potentially | malicious PDF in my browser's JS-based reader than using a | desktop reader. 
| | > The "right" move here would have been for the employee not | to download the compromised pdf, and short of that, for the | IT Security team at Ronin to quickly detect the weird traffic | that resulted and isolate the validators to prevent a | compromise of their critical assets. | | It also probably would have been helpful if one employee | didn't have access to almost half of the validators, | especially on a system they're accessing email with. | lordnacho wrote: | Does it even need to be terribly complicated? Congrats on your | new job, here's a script for you to generate a new ssh key with | us, just copy/paste it in your terminal and that will sort it | out. | pcthrowaway wrote: | Yet according to the article, the malware was introduced by | the "candidate" opening a PDF; I'd expect most senior | developers to know better than to run a random script from a | company they don't have an ongoing relationship with without | looking at the source first, especially if they have | sensitive credentials on the computer they're using. | | But you never know. | jaywalk wrote: | Probably Acrobat. | kyle-rb wrote: | Likely this was a standalone PDF reader hack (rather than a | browser), since those can have many more features and a much | larger attack surface. | | It says it was an offer letter, so my guess is that opening it | in the browser came up with an error like "to be able to | digitally sign this offer letter, please open it in a desktop | PDF reader with full scripting support enabled :)" | pcthrowaway wrote: | I guess we all need to be opening anything remotely phishy in | VMs to avoid similar issues. | londons_explore wrote: | The other major cause of the failure was that one dev had access | to 5 signing keys. That shouldn't have happened, because then | that one dev could have run off with $540 million... 
| | And remember, it wasn't just that one dev - it was everything | running on his computer - think of the probably tens of thousands | of developers who wrote the code that runs as root on his PC, | much of it unreviewed. | hourago wrote: | > In a post-mortem blog post on the hack, published April 27, | Sky Mavis said: "Employees are under constant advanced | spear-phishing attacks on various social channels and one employee | was compromised. This employee no longer works at Sky Mavis. | The attacker managed to leverage that access to penetrate Sky | Mavis IT infrastructure and gain access to the validator | nodes." | | The company fully blames the employee. I wish software | companies had the same level of professionalism as airlines. | "It's the pilot's fault" does not help to improve security. | Nothing is learned. | giaour wrote: | My takeaway was that Sky Mavis's ops culture is a dumpster | fire, something that might be generalizable to a good chunk | of the Web3 sector. The tech companies where I have worked (a | couple BigTech cos, some smaller orgs, and civil service) | have all taken the blameless postmortem approach very | seriously. | Sebguer wrote: | Airlines would behave the same way if there wasn't an | aggressive government regulatory body forcing them to learn | from failures. | WorldMaker wrote: | Government regulatory body _and_ a pilot's union. | ChadNauseam wrote: | Do countries without a pilot's union have more unsafe air | travel? | xmprt wrote: | I don't think you can generalize Web3 companies to all | software companies. Web3 companies have shown time and time | again that they don't care much about security or good | software development practices. I'm not sure if it's because | the industry is so nascent or because the people joining are | simply incompetent or because they don't care (or a | combination of all three) but it's clear that Web3 companies | have major incidents at higher rates than most other software | companies. 
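Several comments above make the same custody point from different angles: a 5-of-9 validator threshold only protects the bridge if no single person or workstation can produce five of the signatures, and the code that counts approvals must count distinct signers. The script below is an added example written for this thread, not Ronin bridge code: the real bridge verifies on-chain ECDSA signatures from validator nodes, whereas here each validator's signature is stood in for by an HMAC over the withdrawal message under a per-validator secret (constructed key material), which is enough to demonstrate both controls. The validator names, the withdrawal messages and the two custody tables are all constructed for the demo.

```python
"""5-of-9 threshold approval plus a separation-of-duties check (added example)."""
import hashlib
import hmac
import secrets
from collections import Counter

THRESHOLD = 5                                   # 5-of-9, as discussed in the thread
VALIDATORS = [f"validator-{i}" for i in range(9)]

# Constructed key material. In a real deployment each key lives on its own
# node/HSM; an HMAC secret stands in for a validator's signing key here.
_KEYS = {v: secrets.token_bytes(32) for v in VALIDATORS}


def sign(validator: str, message: bytes) -> bytes:
    """Stand-in for a validator signature: HMAC-SHA256 under that validator's key."""
    return hmac.new(_KEYS[validator], message, hashlib.sha256).digest()


def verify(validator: str, message: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(validator, message), sig)


def quorum_reached(message: bytes, sigs: list) -> bool:
    """sigs is a list of (validator, signature) pairs.

    Counts *distinct* valid signers. A naive `len(valid_sigs) >= THRESHOLD`
    accepts one key's signature submitted five times; the set closes that."""
    signers = {v for v, s in sigs if v in _KEYS and verify(v, message, s)}
    return len(signers) >= THRESHOLD


def operators_that_can_act_alone(key_holders: dict) -> list:
    """key_holders maps validator -> operator (person, team or machine) that
    can sign with that key. Returns operators who control a quorum by
    themselves: the condition under which phishing one person is enough."""
    per_operator = Counter(key_holders.values())
    return sorted(op for op, n in per_operator.items() if n >= THRESHOLD)


# ---- constructed scenarios ----
def demo_duplicate_signer() -> tuple:
    """One validator's signature replayed five times.
    Returns (naive_count_accepts, dedup_accepts)."""
    msg = b"withdrawal#1 amount=100 dest=alice"
    one = ("validator-0", sign("validator-0", msg))
    sigs = [one] * THRESHOLD
    naive = sum(verify(v, msg, s) for v, s in sigs) >= THRESHOLD
    return naive, quorum_reached(msg, sigs)


def demo_legit_quorum() -> bool:
    """Five distinct validators sign: approved."""
    msg = b"withdrawal#2 amount=5 dest=bob"
    return quorum_reached(msg, [(v, sign(v, msg)) for v in VALIDATORS[:THRESHOLD]])


def demo_forged_signature() -> bool:
    """Four real signatures plus one forged one: rejected."""
    msg = b"withdrawal#3 amount=5 dest=bob"
    sigs = [(v, sign(v, msg)) for v in VALIDATORS[:THRESHOLD - 1]]
    sigs.append(("validator-8", b"\x00" * 32))
    return quorum_reached(msg, sigs)


# Custody as the thread describes it: one engineer's machine can sign for five keys.
BAD_CUSTODY = {v: ("engineer-A" if i < THRESHOLD else f"partner-{i}")
               for i, v in enumerate(VALIDATORS)}
# No operator holds more than three keys, so no single compromise reaches quorum.
GOOD_CUSTODY = {v: f"operator-{i % 3}" for i, v in enumerate(VALIDATORS)}


if __name__ == "__main__":
    print("replayed signature, naive vs dedup:", demo_duplicate_signer())
    print("legit 5-of-9:", demo_legit_quorum())
    print("forged fifth signature:", demo_forged_signature())
    print("can act alone (bad):", operators_that_can_act_alone(BAD_CUSTODY))
    print("can act alone (good):", operators_that_can_act_alone(GOOD_CUSTODY))
```

The custody check is the one worth automating: run it against whatever inventory says which hosts or people can reach each signing key, and treat a non-empty result as a finding in its own right, independent of whether anyone has been phished yet.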
| ChadNauseam wrote: | > clear that Web3 companies have major incidents at higher | rates than most other software companies | | I won't argue this, but I think that it depends on where | you look. Cryptography audit services are booked out for | months or years because of the demand from cryptocurrency | projects. There's never been a vulnerability in the Bitcoin | or Ethereum networks that allowed an attacker to steal | funds or execute a double-spend. And cryptocurrency | projects have pioneered whole fields of cryptography like | zk-SNARKs for security purposes. | | Cryptocurrency projects often have a fundamentally very | difficult problem to solve, and attackers are also very | sophisticated. There are currently very few people with the | expertise needed to implement a complex cryptocurrency | project securely. | | Disclaimer: I'm a protocol developer for a cryptocurrency | project (not one of the ones mentioned here). | system2 wrote: | It is called dodging. | nipponese wrote: | No one is going to pick up the low-hanging fruit and criticize | _nine nodes_ as not being decentralized? | marshray wrote: | "multiple rounds of fake job interviews" ... "The con culminated | in one senior engineer clicking a PDF supposedly containing the | official offer" | | Wow! These folks were _really_ on the ball if it took that much | social engineering just to get an employee to open a PDF. ___________________________________________________________________ (page generated 2022-07-06 23:00 UTC)