That's when you remind him that your boss needs to get this role filled by the end of the week so if you don't get a response by tomorrow you'll have no choice but to offer the job to another candidate.
This sounds way too sophisticated for them to risk it with a "Offer.pdf.exe". Especially if it was state-backed. If the victim notices it, and the bar isn't high, you'd basically spook him away and alert the entire company.
You can easily embed arbitrary javascript into any PDF, and you can obfuscate it pretty well enough to get past most endpoint security tools on the market.
Is there a good no-nonsense way to clean PDFs of possible threats? Hunting around I see mentions of converting PDF->Postscript->PDF to remove junk, but I also see mentions that Postscript is its own security mess.
You’d be best suited making sure your pdf viewer is locked down and doesn’t allow for any js. You could parse your pdf pretty easily and read the sections before you open it, it’s mostly in plaintext
Unfortunately, there is a scourge of PDFs that download the content after you open them, and have interactive features that should be on websites rather than PDFs.
The BSA efiling system has mandatory forms for every bank to fill out, and if they say they say the browser's pdf viewer is no-go and you must configure adobe, that is what you will do. Now every bank in the USA has a hard dependency on adobe reader and a gpo that disables the web browser's built-in pdf reader. Thanks for that, fincen.
I'm not sure it was even an exploit. It could very well be an intentionally-malformed PDF that pretends it has to be opened in a special "viewer" software, maybe even Adobe- or DocuSign-branded.
1. LinkedIn is an absolute godsend for bad guys, allowing easy targeting of everyone in the company with spear phishing emails and texts. I know many security professionals no longer use their real name, and don't list the real name of their company, because they know it's such a great hacking vector. Not sure what/whether LinkedIn can do anything about this.
2. I wish there were more information about what the vulnerability was in the PDF in the first place. I think a lot of people would be wary of downloading a PDF from a stranger, but not from someone who you had multiple interview rounds with and who offered you a job.
How usable is LinkedIn with a pseudonym? Is that a security industry only practice or could a regular dev get away with that too? I've always been shy about having a profile with my actual name but id consider one with a thin veil of anonymity.
Same, although my perception is that LinkedIn has moved past its peak usefulness, and it would be better to spend time on other platforms than creating a LI account. All I hear about LinkedIn these days is spam.
There's a lot of platforms that do sort of related things, so it's a hard thing to answer. For "finding a job" I've been looking at HN, remoteok, and a bunch of others. For professional networking I use various tools run by former coworkers (mostly Slack and Google Groups). For "blogs" I use HN and Reddit. etc. I don't think LinkedIn does any of those better (my perception, I'm not a current user).
Personally, I'm probably not interested in a LI clone for many of the reasons I stopped using LI. I deleted my LI account maybe 8 years ago, after getting too much spam (and I think some security issue?)
LinkedIn sceptic here -- I would assume that in 2022, the closer you are to real, legal Microsoft-ecosystem roles, the more useful it is.. meanwhile, the independent people in tech get splashed with mud. No comment in this discussion has indicated to me that LinkedIn is not useful for certain swathes of established professions, even now.
I really wish I could just dump LI and delete my account; it's just spam and another service for those who love to self promote themselves. I won't do it because I'm not sure how it will impact by ability to get a job.
How many of you have gotten jobs with no LI account? YEO?
As an engineer I never found LinkedIn useful. But during college I made sure to connect with everybody, even if I barely knew them. The only jobs I’ve had I got through other means, in some cases even “connections,” in the traditional sense of the word, which incidentally exist on the LinkedIn graph, but that’s just a mirror of real life and it’s not like the coordination occurs over LinkedIn messages anyway.
As a startup founder, it’s effective in some contexts, like as a contact point or promotional tool. We never felt the need to use it for recruiting. At least in the software industry, GitHub is a much more effective marketplace of talent. But LinkedIn can have some benefits for a startup outside of recruiting. Posting content about your product is a good way to stay in front of investors you’ve connected with who doomscroll their LinkedIn feed like a dev does HN. :) (it’s also something I need to automate because I block LinkedIn on /etc/hosts for productivity purposes..)
I’m not sure I’ve ever _sourced_ an opportunity from LinkedIn. I also never accept connections without at least one prior interaction. For me it’s a tool for following up and keeping in touch, not introductions. It might also be useful in some rare sales contexts, for some specific archetype of audience especially susceptible to the psychological tactics commonly deployed to the LinkedIn newsfeed. Developers are definitely not that audience (well, not on LinkedIn at least…)
Personally I don't update my LinkedIn until I start looking for a new job. There is absolutely no need for anyone to know where I work (or at least for me to share that far and wide publically) and I'm not interested in cold emails/cold linkedin messages.
My decision was cemented in 2020 when someone who didn't like a tweet of mine retweeted it to my old company's twitter account trying to get me fired/reprimanded (The tweet in question called out my local PD for a dubious tweet they made, the person who tried to get me in trouble lived in a different state 12+ hours away). Thankfully my current company wouldn't have cared but there is no need to give people ammo.
> Personally I don't update my LinkedIn until I start looking for a new job.
Perhaps semi-off topic, but note there are companies that sell software (spyware?) to HR departments that specifically trolls LinkedIn looking for when employees update their LinkedIn profiles as a sign they're looking for a new job. This may or may not be a good thing depending on your position, perspective, or company, but just be aware it exists.
Yeah, though I'd get dinged by that either way since I normally update my bio to include recent projects/tech I've worked with. This way I can hide behind plausible deniability "Oh, I just got around to adding X company to my LinkedIn" if I need to, whereas updating an existing entry is harder to justify (without giving away you are looking). Though I also try not to work for companies that I would need to worry about that.
> whereas updating an existing entry is harder to justify (without giving away you are looking)
I don't think it is at all. Indeed, if you're updating it regularly (every 3-4 months, perhaps?) with new project/task stuff, it's simply keeping things fresh in your mind, vs having to try to trawl back 3 years to think about project FOO.
If you only update it once every 2 years, then people can draw more nefarious conclusions.
I doubt they'd actually ask you about it (and thus give you a chance to "explain" yourself), HR would just note you down and you'd be more likely to be laid off, less likely to get promotions approved, etc.
I know this is off topic but I'm always confused by the attitude you've mentioned where companies don't actively work to retain staff.
I wonder if there are any courses for managers to train them to think logically about this and not switch into bad decisions based on emotion.
Companies waste so much money on hiring and then deciding to react very slowly to changes in market conditions.
If businesses treated their staff like they treat their clients...
This is not how companies work (at least the ones worth working for). Retention risk is a reflection on their current role, compensation, manager, etc.
We have absolutely promoted high performing employees and/or given them raises even though we knew they were looking at other opportunities.
Last time my RSU cliff came around, I logged into LinkedIn, updated my profile and accepted the backlog of connection requests (and read the flurry of "congratulations on your 4 year anniversary" messages). I almost immediately got Slack messages saying "are you leaving?" But I wanted them to notice; that was the point.
Which is why I simply don't use my real name (well, not a full name) for my Twitter account. I have the right to keep my professional and private persona separate, and if someone really wanted to, they could find out where I work anyway. (I'm not tweeting anything extreme in my own view, but there's always someone who will regard it as such, and as you say, what's good about giving people such option to begin with).
Meanwhile, my company actively gives us hints on how to spruce up our resumes with marketing bullshit that impresses nobody but middle managers who think that keyword searches with word soups like "Innovator. Thought-Haver. Bringer of Boys To the Yard." are their paths to big league success.
It’s a shame too. In my experience LinkedIn has been great for job hunting, indeed et al. were worthless time sinks for me. I want to keep it just for the ability to job hunt and get results but as you said…it’s a risk too.
That's the only thing it's good for, but that thing actually works. My last three job offers were from LinkedIn (I ultimately rejected one because my employer at the time gave me a counteroffer when I handed my notice, but I did accept the other two).
The "content" on LI (feelhgood / motivational BS) is do ridiculous that I sort of contempt-read it ("hateread" would be to strong a word) for the heck of it, but I can't wrap my head around WHY people would participate in this nonsense for real.
When I first signed up for LI I honestly couldn't tell the difference between the actual feed and a what I imagined a parody site would look like. The posts that proclaim themselves to hold controversial ideas, followed by the most banal cliches possible, crack me up.
Once in a while I check the feed for kicks and it's always 100% spam, cliches, humble brags, and not-so-humble brags.
It introduces the idea of "transitive trust" where person A might not know person B but if the two have a bunch of contacts in common, the odds of A trusting B goes up. When there's a profile with tens or hundreds of shared connections, it looks real by all accounts.
On (1), I have seen employees get spear-phishing texts (Welcome X! This is the CEO of Y. I need you to do a small favor…) within hours of updating their LinkedIn. I assume there are robots crawling it constantly looking for fresh candidates for account takeovers or other scams.
I am listed as the Principal on a couple of companies, and get constant approaches that are obviously fake (like an attractive young "stewardess" from Dubai, who just happened to like my picture (which is actually my logo)).
I've given up reporting them, as LI always responds with "This is not in violation..."
Yup. I'm gonna remove my cynical comment (although I still totally believe it). It's just not helpful. I think people can figure it out, for themselves.
Also, people use LI as a way to aggregate information, then send emails that appear to be from LI, but are not. I got one of those, yesterday, and reported it to LI, saying "These guys obviously used your service to construct this honker."
And LI's reply was ... envelope, please ... "Not our problem. Go away, kid. Yer bodderin' me." but stated a bit more politely.
I deliberately stay fairly open. I mentioned that, some time ago. It comes with some problems, like a determined bad actor can build up a fairly good profile.
But I have had years of experience, rubbing elbows with professional con artists, so I am maybe a little tougher to fool than many (but some approaches have come close -these folks are good). I would never be so arrogant to say that I can't be phished or whaled, but it's almost certainly not worth the effort.
I recently had some try the CEO/boss needs something right away for a customer ruse via text. I know LI was the source, because it referenced my previous job and LI still had the incorrect information. I played along that I was ready to purchase with my corporate card. Then after wasting more of their time, I sprung that they were fishing with old bait. Good times
I think one shouldn't discount the attack vector that is just working in the Crypto industry, especially when you're someone who works with startups rather than the big guys.
In the "Web2 Sector", it would be very easy IMO to snuff out a fictitious company. I've gotten a handful of "offers" in the past and you can see straight through them, because the company doesn't exist in real life and you can't find any info on it, huge red flag.
The problem with the "Web3 Sector" IMO is you have a bunch of upcomming players in the space that no one has heard of. Just like investors in Cryto, if you're a developer in the space, no doubt you are jockeying to join a project that might land you a 7-10 figure windfall at the end.
So if an unheard of company approached me, I would tell them to kick rocks. If a similar company approached someone in the "Web3 Sector", they might take it thinking it's an emerging opportunity. I'm sure this still happens with Startups but my gut says it's really bad in the Web3 space.
That's possible, and addressed by your first sentence above. You wrote the second sentence to address a different possibility. In that case, a process with access to the whole device could read e.g. auth tokens contained in a VM.
I think one other thing that bears mentioning is that LinkedIn's reporting doesn't easily let you explain how someone is performing a scam. If you're diligent you can find the link somewhere where you can actually explain it but when you just "report" someone or a job the response from LinkedIn is usually "We didn't find anything indicating this is a scam" or similar.
PostScript is a Turing Complete language (always has been), and an over-simplified description of PDF is that it "just" wraps PostScript in a single Virtual Machine to target (versus PostScript has a lot of subtly different physical machines it was built for/targeted).
That "PDF VM" has had many 0-day RCE bugs over the years. Thankfully though the VM is standardized with the format it does have multiple implementations still in different applications and many exploits are application-specific implementation bugs.
I'm not sure this is Linkedin's problem to solve. They are just a directory.
I suppose they could add a phishing warning for messages sent on LinkedIn, but really it's an education problem, teaching people to identify what phishing emails look like and how to avoid them. This is a problem I've been working on since at least 2003, when we realized that the best way to prevent eBay account takeovers was teaching people what phishing is. We also identified that education is the hardest solution to achieve.
It's ironic that the security professionals are the ones hiding their identity, given that they are the best prepared to identify and avoid phishing emails.
> I'm not sure this is Linkedin's problem to solve. They are just a directory.
If the issue reduces user metrics, then they will want to fix it. Ultimate responsibility seems irrelevant.
> It's ironic that the security professionals are the ones hiding their identity, given that they are the best prepared to identify and avoid phishing emails.
I might have demolitions training, but I’d still rather walk around the minefield.
Yep. Bad opsec at the org level. Either the eng was doing work stuff on a personal laptop or personal stuff on a work laptop. This is easily preventable and should be table stakes when handling money, phi, etc
I still can't believe that they opened the PDF on the company computer. I always use my home computer and the poor hacker would get bored of seeing all of my Raspberry Pi projects that I haven't done.
It might be hard to believe that the particular person in a particular company did that, but given a lot of attempts, dedication and lucky / unlucky circumstances eventually somewhere someone will trust a malicious person and will get socially engineered into opening a pdf on a working computer.
Also wonder if the PDF exploit works for only local/native PDF readers (e.g. Adobe Readers) or also web-based. If someone occasionally checks their personal email from a work laptop, chances are they'd only use the Gmail preview to open the PDF. It seems like most engineers wouldn't get all the way to downloading a job offer PDF to their work laptop and opening it up there.
I really wish we had details here too, but someone made a good point:
"Hey, you need a PDF viewer with scripts enabled for the digital signing.. can you install Adobe XXX?" would be a good line to get the mark to use a less-than-secure PDF viewer.
But also, since it was the North Korea hacking group, I'm not ruling out a 0-day... hopefully more details will come at some point.
Huh? I've used my company laptops for my personal life for the last 15 years. Why would I want to carry two laptops everywhere? I travel. I barely remember what a personal laptop is.
I guess its fine as long as your computer doesn't have the credentials to the company slush fund.
Friend of mine I traveled with carried 3 macbooks with her: school issued, work issued, and personal. They had different software licenses tied to the machine, whadyagonnado?
I get MDM profile updates from IT on my work machine. One time they auto-installed a cloud backup service and sent out a company-wide email after they already did it. Something like: “Now nobody has to deal with lost data. You’re welcome!”
Huge backlash from employees on that move. But I get both perspectives. These are work machines, and a mundane accident with the equipment shouldn’t incur significant losses to the business.
But apart from the potential loss of personal privacy, it feels wrong. Especially so, when you’re looking for other jobs.
I think you are joking to bait us. At least use a VM running a VPN within it. It won't protect you from screen captures or keyloggers your employer put on your machine, but it will segregate files and network activity.
I regularly use my work laptop for unrelated purposes. Working from home has encouraged this behavior.
I know they monitor some things because they are upfront about it: Chrome says it's company managed, and there is an antivirus and some VPN software that must be always one.
But why do I care? They don't crack down on us, and know everyone plays games or visits non-work-related sites, watches YouTube, or even do homework on these laptops.
I'm not going to work for the competition using the company's laptop, so why worry?
It is not that weird. For several jobs now I got a laptop from work and it was agreed upon beforehand that I could install Linux on it. I trust a machine that I installed myself.
Nope, not joking. I use a separate chrome profile for my personal life, and I keep my personal files in google drive. Even if your employer is monitoring you (which I doubt), what are you doing that you think will be so interesting to them?
No, it's not satire! I use a separate chrome profile for my personal life, and I keep my personal files in google drive. I'm not sure what the fuss is about?
I suppose that sending it during business hours and, who knows, maybe the final offer would be in the PDF and the poor guy couldn't wait to open it. The rest is history.
If you're looking for work, you have to interview during the day, which you're probably in office (things are very different now). I know I'm guilty of having my personal emailed signed into my work computer (albeit with a separate browser). I've also done virtual interviews in the office meeting/phone room.
You've done interviews in the office of your (then) current employer??? Gutsy. I wouldn't dream of using employer's equipment, time or space while negotiating for a new employment.
I open all sorts of PDFs, all the time, regardless of which computer I'm using.
Is PDF as an attack vector such a widespread threat? I never payed much attention to them, assuming it's a document format that is relatively harmless even if it can include javascript.
PDFs are "harmless" on their own, but they are user-generated documents that conform to a complex specification. Viewing them requires software that parses them. These parsers are often written in unsafe low level languages.
The (in)security of unsafe parsers reading user-generated input is a tale as old as time itself.
Most people view pdfs now in web browsers built-in viewers. Especially if the job offer comes from a linkedin message, I would imagine most people would default to the browser viewer.
While browsers are sure not without security vulnerabilities, I sure trust the PDF viewer within to be way more sandboxed than most standalone desktop PDF viewer applications.
If the vulnerability (which I assume was RCE) was in a web browser, then it's a major bug.
As I mentioned in another comment (and I think others have mentioned this as well), browser PDF viewers implement a subset of PDF features, and notably they won't support things like forms (I think?) or signatures. So I can imagine that attacker tricked the user into opening the PDF with separate software by saying something along the lines of "you need Adobe Reader to sign this document" (and I don't think DocuSign is ubiquitous enough that users will second guess that).
I think both Firefox and Chrome support forms now, although I know that there are other interactive features that they don't support. But yeah, I can see the attacker convincing the victim to use Adobe regardless.
> PDFs are "harmless" on their own, but they are user-generated documents that conform to a complex specification. Viewing them requires software that parses them. These parsers are often written in unsafe low level languages.
Yes, I understand this, keep in mind I'm a software engineer.
Let me re-phrase. It's understood that, in general, document formats are more or less harmless unless they execute macros/code, and even then, this code must be able to exploit the platform's vulnerabilities to be able to do harm.
What is different about PDF than, say, JPEGs? I don't know of anyone who would hesitate to open an image file on their work computer, yet they are also complex formats requiring readers (viewers) which are often written in unsafe low-level languages. Yet I have never ever head of someone recommending "be careful before opening a JPEG (or PNG, or whatever) file".
I'm assuming we are not talking about ye olde "PDF.exe" or "JPEG.exe" trick here, but actual vulnerabilities in document files (not just renamed executables).
I understand what you're getting at now; I had thought you were asking the "more obvious" question. I'm unwilling to claim to be a subject matter expert, but I have some thoughts on this based on intuition as someone who's also a software engineer and has some security background.
Both JPEG (or any other ubiquitous image format) and PDFs are nontrivial formats. And both have their fair share of CVEs (the list of JPEG vulnerabilities is also pretty long, based on that CVE database).
Something that sticks out to me is that JPEG (and most other image formats) is basically a header followed by a large blob of compressed image data, whereas PDF is a mixed-media format combining images and other multimedia, fonts, and a PostScript. And of course, we know that PDFs have all sorts of other crazy fancy features like forms and embedded JavaScript and digital signatures. Based on these facts alone, PDF features is a superset of image formats, and certainly by quite a wide margin. And more features means much bigger attack surface.
There's also another practical consideration of how users generally interact with these formats. Users interact with images primarily through browsers (or Electron-based software), which are sandboxed and have very well-funded security teams behind them. User-uploaded images to image hosts are often re-encoded (and sanitized as a side effect). Notable exceptions I can think of are loading images from a camera (generally a trusted source; and certainly there must be plenty of vulnerabilities in RAW parsers, but people almost never share RAWs) and iMessage (...which is a thing). It's very unusual for a user to be forced the view the image outside of a browser.
PDFs are a different situation: while browsers have well-sandboxed PDF viewers these days, they intentionally implement a subset of PDF features (I think forms is a big one left out, and signatures). You can imagine how easy it is to convince a user that need to download the PDF to disk and open it with Adobe Reader so that they can digitally sign a job offer. I'm aware that DocuSign exists, but I don't think it's ubiquitous enough that every user will wonder "hmm why am I being asked to sign with Adobe Reader instead of using DocuSign".
> The main problem was using a machine that had access to half a billion dollars
Going up a level, the main problem was that the company had a system where a single person could irreversibly transfer half a billion dollars away from the company.
The article actually covers that it required 5 out of 9 people to sign off. They got 4 via PDF attacks and 1 via legacy access that was never properly terminated.
My understanding of the article was that only 1 person was compromised and that the exploit installed on their computer was then used to access the validator nodes themselves. FWIW, I have no idea what a validator node is but I'm assuming that by compromising one employee's workstation they somehow got access to multiple other machines (which if true is itself a bit of a f* up).
> I'm assuming that by compromising one employee's workstation they somehow got access to multiple other machines (which if true is itself a bit of a f* up)
Q: If you assume the bad guys have already compromised your workstation, how sure are you that they won't be able to compromise other machines you connect to?
because the workstation was compromised by opening a corrupted pdf, but that vector wouldn't compromise the other machines unless users on them could be induced to open the same pdf.
not to say it can't be done, but it was unexplained
It doesn't have to be the same pdf, it could have been an attachments from compromised machine via email/slack. "Hey, can you help me figure this unusual log/transaction summary". How many wouldn't open such an attachment from a "colleague"?
Yep, internal security is brittle. The initial pdf vector would be only the start of a long sequence of hacks, including social engineering. e.g. sending email from managers -- or slack messages as you mention.
It does not have to be via the same method; what the attackers discover from the first compromised machine may give them access to other machines. It seems clear this is what happened here:
Employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised... The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.
I think it's worth noting that the people did not sign off, only the keys did.
The system does not require people to sign off, but for the keys to sign off.
I don't think it's worth calling this a hack, the keys are what owned the moneies, and it's the keys that decided what to do with it. People have access to keys, they don't own them
This is a preposterous position. It's clearly a hack. Keys cannot legally own anything. People and organizations own things and in this case the people were hacked and the funds stolen.
What the hell is a system that is 1 out of 9 partial crypto key signers for huge amounts of money doing with even a GUI or a PDF reader on it in the first place. Sounds like people using their personal workstation.
and this is part of why i think cryptocurrencies should have died before large number of people wasted their money on it. for the average user without the time/knowledge/patience to handle cryptos "properly", the choice is between losing money while handling this shit yourself or losing money while trusting someone else to do it right.
Its an entirely free market. Just because one person doesn't understand the tech and loses his money doesn't mean that everyone else shouldn't be allowed to use it either.
Even if you don't buy into the crypto vision (I don't), a digital-only currency that isn't tied to any nation-state does deserve to exist.
It’s fine for a few people to play with such a system. The issue if it’s absolutely clear crypto is incapable of widespread adoption or just about anything else people hype it up as, then it shouldn’t be hyped as if that stuff is a possibility.
I could never tell how much was incompetence vs fraud, but either way without the hype vastly fewer suckers would be holding the bag right now. The crypto ecosystem has been just been terrible for just about everyone and things are far from over.
The people holding the bag right now mostly got in because of the allure of quick profits. And if they didn't sell even after making incredible (paper) returns, they have their own greed to blame.
Bitcoin was $6,000 in March 2020. It hit $63,000 in April 2021. And if you didn't sell that top, it hit $67,000 again in November 2021.
Even now, it has dropped less than Netflix, a supposed bluechip.
I don't know what's the scam in this - you had plenty of entry opportunities and plenty of exit opportunities. The underlying system itself still works exactly as described.
I lost nothing, but I can empathies with people who are screwed.
It’s not that Bitcoin or any alt coin has X paper value right now, it’s nobody can get out without someone else getting stuck holding the bag. The underlying system is predatory because mining isn’t free so it’s a negative sum game where people have already cashed out.
I remember being saddened when it was less than 1/1,000th isn’t current value I realized how many suckers where lining up for the fleecing. I briefly thought the odds are very good it’s going sky high, but I didn’t want to be part of someone losing their retirement when things eventually fell apart.
Wait a minute. You decided not to invest early, despite expecting it to be massively profitable because you were worried about the morality of allowing less competent people to try the same thing in future? Are you sure that's really the truth and you weren't just too hesitant and now you regret missing out so you've gone all salty?
they said odds were good, but maybe they're not much of a gambler. and sounds like they views cryptocurrencies as being something akin to scammy MLM or Ponzi scheme rather than an investment.
i haven't bought any myself. i just enjoy reading tech and economics stories in general so i've been reading about cryptocurrencies since 2013 or so. but i don't intend to buy any unless one fulfills some need i have better than other solutions. and i certainly don't intend to hold onto any if i can help it.
Crypto tokens are absolutely a scammy MLM or ponzi scheme. They're not investments. No profit is derived from the token itself, no one is holding bitcoins to do useful work with them. The value comes entirely from speculation and from miners pumping the price so they can recoup their investment in mining equipment and energy costs. They're also not "currencies", they function incredibly poorly for that purpose.
Almost, I wasn't worried about people trying to time the market. I was worried for the suckers who actually believed the hype.
Look morality is only meaningful when it comes at a cost. I sincerely hope you are discouraged from scamming, robbing, kidnapping etc because you think it’s wrong rather than insufficient gain to be worth the effort.
> nobody can get out without someone else getting stuck holding the bag
That's true for practically every asset class. If you sold your Netflix stock at $600, someone had to buy it at $600 as well. And now they're out of $430.
There's a losing counterparty in every winning trade.
No, this is false. With stocks, the holder can get paid in dividends. With real estate, you gain value from actually using the land. A bond is actually a form of credit. Et cetera. Which other assets are you thinking of?
Edit: You must be conflating it with the funny money private stocks and their buybacks that a lot of startups have. Those are obviously a gamble, they're not really "investments" for most participants. It's no surprise that the same type of companies tried to go deep into ICOs a few years ago which are like the crypto equivalent of a bogus penny stock.
> There's a losing counterparty in every winning trade
the counterparties are equal in every trade; any winning takes place afterward in the future
and if one party is selling a publicly traded security or commodity at a loss, that doesn't mean it wasn't a good investment, it means it was bought at a fair price and conditions changed
> That doesn’t absolve the con artist for running one though
Who are you going to prosecute in this case? The developers of Ethereum who are making a digital peer2peer smart contract system and have no interest in running a ponzi scheme?
Are you going to arrest Bram Cohen for inventing Bittorrent for what happens on it? What about the people behind Tor?
In the case of a literal Ponzi scheme it is pretty obvious who to prosecute. In the blockchain space many players have figured out ways to avoid being prosecuted for their schemes (many of which are little more than outright scams), but that doesn’t make what they’re doing ethical
You missed my point, they're building a decentralised smart contract system, there's nothing in the Ethereum smart contract code that says you must build a ponzi.
> The people holding the bag right now mostly got in because of the allure of quick profits. And if they didn't sell even after making incredible (paper) returns, they have their own greed to blame.
The market adapts to make secure access more convenient. The best solution devised so far is hardware wallets, which mostly insulate someone from hacks emanating from their computing device being compromised.
It wouldn't be one machine. The initial incursion would have been used to leverage other local attacks. Then targeting domain controllers and admin accounts.
Probably also reading email; one possible way of finding it needed to get at 5 of 9 keys to unlock.
Most PDF "attacks" in the real world are very unsophisticated. One of the most common uses of PDFs in a phishing context is just as a way to deliver a link that would likely result in blocking by email security products (many don't inspect inside PDFs, and even for those that do the PDF format is complicated enough that it offers tremendous opportunities for obfuscation). I would wager money that the "PDF attack" involved here was as simple as a link to a malicious executable presented in a PDF to avoid detection by email filtering... in my time as a security analyst this was the #1 source of real compromise incidents, and anecdotally it seems to remain popular today based on the number of such PDFs I receive in my spam email.
The PDF format presents many opportunities for other exploits, either obfuscating a payload or running code, but modern PDF viewers are locking these opportunities down to such a degree that they are not very reliable (most of all because it is difficult to know which PDF viewer your target will use, and many popular PDF viewers today like pdf.js are relatively feature-incomplete which is a significant security advantage in this case). It's possible that something more sophisticated was going on but I would be very surprised if it was anything more complex than using the PDF as an obfuscated transport for a binary packed in it and invoked by the user (e.g. by clicking a link in the PDF with a javascript target). Non-user-interaction PDF vulnerabilities exist but are increasingly hard to come by as there has been more than a decade of work on locking down PDF viewers and the situation has improved dramatically in that time.
Contrary to what people sometimes expect, highly organized groups (such as APTs) tend to stick to very basic, simple methods as much as possible, since they are relatively reliable. The use of recent vulnerabilities in a specific PDF viewer, for example, is high risk due to the likelihood of failure and the opportunities for analysis it presents (you will have to do custom development rather than using off-the-shelf tooling). This is the kind of thing that organized groups try to avoid as much as possible, subject to an ROI analysis. Or in other words, if putting a link to an EXE in a PDF still works, why would you bother with anything else?
If it's just a javascript link to download an EXE, doesn't the target of the hack still need to run the EXE? Or are you saying that a link in a PDF can install and execute code on its own?
Assuming it can't, then the engineer had to click to run some unknown EXE after downloading it... that should hardly be described as a "PDF attack".
There is a whole class of attacks related to “deep linking” and custom URL schemes that the operating system can pass to any application that registers itself to match it. At that point the sanitization is up to the application.
I recently stumbled upon a nice write-up [0] that described this class of attack and surveyed which software was vulnerable to it. Many crypto clients were included.
We had an employee compromised by a similar attack-executable linked in a Pdf.
Basic flow was-phisher asked employee to sign a document relating to customs. The phisher had gathered that this employee works with shipping claims and returns, and surmised that they need to deal with customs documents requiring signature. There was a link to an exe hosted on a European cloud service in the PDF titled "install fake signature certificate company to sign this document". This directed to a download of a basic ransomware executable. This did get past our AV to the point of encrypting the employee's machine, but thankfully was blocked from spreading to the rest of the network.
The employee's machine was toast, but I was able to restore from the prior day's backup and no major harm occurred. I was able to see the phishing attack since we use gsuite email so the ransom ware didn't erase the employee's inbox, but they did lose a half-day work and I updated our training. The attack itself was clever from a social engineering perspective, but the technical exploit was something any script kiddy could have downloaded from the open web, nothing advanced at all. But Gmail doesn't always scan links in PDFs, so a clever ruse was able to bypass Google's scanning as well as our local scanning.
This was a bypass of our security process, ideally they shouldn't be able to. However, since it wasn't downloaded through the browser, our security solution didn't intercept it. That was a whole other issue, and I was not at all pleased with the vendor. Unfortunately, I can't name-and-shame, but we also switched vendors after that issue.
And due to a legacy system, we can't rely on windows UAC to prevent these attacks either, this user needed to have a local admin account. Yes, this is a security issue in itself, but needs must.
When I was at lockheed we had an incident whereby a bunch of folks had attended some defense conference, and after the fact received emails from folks they had 'met' at the conference, something along the lines of
"Hey Bob, we met at the [defense] conference this last week and I wanted to be sure you had my contact info: malware-contact.vcf"
or some other payload.
This installed a very slow sprawling worm which would slowly trickle data out of lockheed to China.
It was not discovered for quite a while due to how slowly it operated, but someone had complained about machine performance and IT looked at the machine and discovered the worm... after removing it - this somehow sent a signal to China that they had been found and all the worms started to firehose as much as they could until egress was closed. At the time, all of Lockheeds 150,000 employees had just three egress points to the internet. They had to shut them all down to kill that worm.
I deactivated my LI after my last job search, it hasn't affected my life at all since then. I don't know why you need one at all most of the time. Even without one, I think it would be perfectly easy to get interviews at companies, most interviews I've done in the past have been the ones I got by just going to the company's website and applying directly anyway.
I see people posting things even on HN where its a link to a PDF and I don't click on them. I remember PDF being a leaky and buggy format whose interpreters were full of vulnerabilities. I don't click on PDFs.
If pdf is compromised, is it fixed? This seems like the kind of vulnerability that would ruin pdf's reputation permanently. It was the safe alternative to sending someone a .doc particularly because of it's limited functionality.
PDF can embed lots of things and is quite hard to scan because there's some many ways to do things..
It is used for sending documents because its function is to have a fixed layout for printing (and look the same on every device), not because it's safer than other document formats.
If you really want a safe PDF, there's a function in Qubes OS that basically opens a PDF in a new VM, makes screenshots and then creates a new PDF from those. You'll lose advanced functions (e.g. forms) as the pages simply become pictures but that's a tradeoff you have to make.
> I know many security professionals no longer use their real name, and don't list the real name of their company, because they know it's such a great hacking vector. Not sure what/whether LinkedIn can do anything about this.
on the other hand I bet you could collect some interesting things by creating a few fake people as linkedin honeypots at FAANGs, and I would be very surprised in their infosec/netsec teams aren't already doing this.
or getting real people who opt-in to have their linkedin profile receive incoming scams, virus, trojans, phish links and pipeline them into the infosec/netsec team.
I’ve gotten vague legal threats from competitors who just browsed linked in and searched who they maybe thought could make the change they wanted and emailed me.
They seemed to avoid contacting executives or senior staff… but instead targeted folks capable of maybe making the change they wanted, and maybe jr / low enough on the pole enough to panic and do it.
I’ve seen it happen three times now, pretty scummy IMO.
People on LinkedIn, using a name sufficiently far enough away from their real name so as to not be able to be easily found, listing their security jobs with again, sufficiently far enough away org names.
One thing about LinkedIn that profoundly bothered me when it got popular was the fact that you were expected to share a photo on your profile. Back in the day, in the US, attaching a photo to a resume was a big no-no, but here was a new way of recruiting that circumvented that principle. I found it shocking how readily and eagerly people threw that convention out.
I removed my profile from LinkedIn 2 years ago because it was starting to get crazy; I got calls and emails from obvious scammers every day. The problem is that when I introduce myself, people always get suspicious of me not having a LinkedIn profile. Someone needs to reinvent a professional network.
A few months ago I searched and found a new job without having a Linkedin profile. Was no problem at all, especially as a developer. If someone asks you can tell then that you got fed up with the recruitment spam and they will understand and nod. I did have a personal website though. Doing it without any online presence at all would be harder I guess, as it was a remote job in another country.
I’m assuming it was an exploit in Adobe reader. The target cloud have even been persuaded to install Adobe reader to “e-sign” the document. PDFs don’t have the best track record when it comes to security
>Why do pdfs even allow executing code outside of the pdf env
Some PM in 2006 thought it would be a good idea if PDFs were turing complete. I'm sure the word sandbox wasn't even thought about. 10 years later PDF (and more notably, Flash) became huge attack vectors.
I think a far more interesting hack is when NSO used a PDF to embed a virtual machine inside an iPhone to develop a zero click exploit over iMessage:
Curious if anyone has been able to find technical details of how this attack works/worked. I'm under the impression most PDF viewers would prevent this sort of attack (e.g. opening a PDF in your browser should sandbox it to the browsing context), but really keen to know what PDF viewer / OS was used by the dev.
To some extent, the PDF viewer/OS doesn't matter. A dedicated and well resourced attacker like the Lazarus Group will find holes in all of them. The "right" move here would have been for the employee not to download the compromised pdf, and short of that, for the IT Security team at Ronin to quickly detect the weird traffic that resulted and isolate the validators to prevent a compromise of their critical assets.
I know that document-rendering is much more complex than what it appears on the surface, but surely in this day and age there should be document viewers that don't run scripts and are exploit free.
Every program is potentially exploutable. The only defense is defense in depth, where an intrustion attempt fails at layer 3 of 5, alarms bells ring, and those 3 compromised layers get hardening upgrades.
What usually happens is that layers 1 and 2 of 3 are constantly compromised, no one cares to follow up, and one day layer 3 gets compromised, shock of shocks.
The right move here would have been to have separate work/personal computers so that this PDF never landed on a system with access to the Ronin network.
I know I'm pushing a boulder uphill with that one but it really is the way to go, better for both the individual and the company.
Or more to the point, what would stop someone from sending malicious documents to the employees' work emails?
Figure out a company uses <some-saas> register a phishing domain (e.g. gith.ub) send them an email with important info about their account, and a PDF attachment with more details.
If it's that easy to compromise a system all you have to do is get a few employees to open the PDF right?
Exactly. I was on a meeting a couple of years ago and the co-worker who was presenting his desktop received a personal iMessage that flashed for everyone to see.
True, but that’s just one of several reasons I’m reluctant to share work and personal activity on a single computer. I certainly wouldn’t conduct a job search on a work computer.
It makes it a bit harder to travel with two laptops, which is one of the nice advantages of working from home.. but I'm otherwise in support of this.
This might just result in employees finding ways to remote access their work computer from their personal computer from wherever they are, but at least that's an additional wall for would-be attackers to hurdle.
Nahhhhh, I gotta browse the internet to be effective. That requires me logging into random sites with personal logins.
I don't install anything personal on my work computer, but I wouldn't hesitate to open an email or pdf from a seemingly trusted source. I don't really blame the dev here.
What you propose is a reasonable solution, but I feel like it slams in the face of actual human behavior. Most people act the way I describe, even most tech professionals.
The right move would be to have separate work / production computers, where the production system requires 2FA, and the finanical production system requres 3FA.
> To some extent, the PDF viewer/OS doesn't matter. A dedicated and well resourced attacker like the Lazarus Group will find holes in all of them.
I dispute this: the web browser is one of the most defended pieces of software of all time, especially relative to its complexity. I would find it much safer to open a potentially malicious PDF in my browser's JS-based reader than using a desktop reader.
> The "right" move here would have been for the employee not to download the compromised pdf, and short of that, for the IT Security team at Ronin to quickly detect the weird traffic that resulted and isolate the validators to prevent a compromise of their critical assets.
It also probably would have been helpful if one employee didn't have access to almost half of the validators, especially on a system they're accessing email with.
Does it even need to be terribly complicated? Congrats on your new job, here's a script for you to generate a new ssh key with us, just copy/paste it in your terminal and that will sort it out.
Yet according to the article, the malware was introduced by the "candidate" opening a PDF; I'd expect most senior developers to know better than to run a random script from a company they don't have an ongoing relationship with without looking at the source first, especially if they have sensitive credentials on the computer they're using.
On Windows, Acrobat Reader has Protected Mode (sandbox) and Protected View (most features disabled) features [0], but people tend to disable it, in particular the Protected View, or don’t enable it for all locations. Or maybe the vulnerability wasn’t on Windows, or was in something like font rendering, or they used a different reader without sandboxing.
Likely this was a standalone PDF reader hack (rather than a browser), since those can have many more features and a much larger attack surface.
It says it was an offer letter, so my guess is that opening it in the browser came up with an error like "to be able to digitally sign this offer letter, please open it in a desktop PDF reader with full scripting support enabled :)"
The article says they are no longer employed. It is possible that this exploit was only possible because of breaking other security policies.
At least, I hope that any reasonable organization doesn't secure $600+ million dollars by relying on the endpoint security of a device used to access LinkedIn
Opening a legit job offer PDF on your work computer could be considered a fireable offense. You should not be using company resources to find your next job.
It’s also possible that he quit instead. If I interviewed for a new job, accepted an offer, and then everything blew up in my face… I’d probably not want to stick around.
Does Adobe Acrobat really that bad? We use Acrobat Pro because it easy to modify pdf file with it. Other software can't do that much. Is there other pdf 'editor' that you can recommend?
Acrobat in a virtual machine that you don't connect to the network?
Most malware these days can't function without internet connectivity. The exploits typically connect to a server to get the rest of their code because they don't want any pesky researchers getting their hands on stuff.
The other major cause of the failure was that one dev had access to 5 signing keys. That shouldn't have happened, because than that one dev could have run off with $540 Million...
And remember, it wasn't just that one dev - it was everything running on his computer - think of the probably tens of thousands of developers who wrote the code that runs as root on his PC, much of it unreviewed.
> In a post-mortem blog post on the hack, published April 27, Sky Mavis said: “Employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised. This employee no longer works at Sky Mavis. The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.”
The company fully blames the employee. I wish software companies had the same level of professionalism than airlines. "It's the pilot's fault" does not help to improve security. Nothing is learned.
No idea, but in the context of "why can't airlines scapegoat more pilots rather than deal with root causes?", unions are on the list of labor protections to consider.
I don't think you can generalize Web3 companies to all software companies. Web3 companies have shown time and time again that they don't care much about security or good software development practices. I'm not sure if it's because the industry is so nascent or because the people joining are simply incompetent or because they don't care (or a combination of all three) but it's clear that Web3 companies have major incidents at higher rates than most other software companies.
> clear that Web3 companies have major incidents at higher rates than most other software companies
I won't argue this, but I think that it depends on where you look. Cryptography audit services are books out for months or years because of the demand from cryptocurrency projects. There's never been a vulnerability in the Bitcoin or Ethereum networks that allowed an attacker to steal funds or execute a double-spend. And cryptocurrency projects have pioneered whole fields of cryptography like zksnarks for security purposes.
Cryptocurrency projects often have a fundamentally very difficult problem to solve, and attackers are also very sophisticated. There are currently very few people with the expertise needed to implement a complex cryptocurrency project securely.
Disclaimer: I'm a protocol developer for a cryptocurrency project (not one of the ones mentioned here)
My takeaway was that Sky Mavis's ops culture is a dumpster fire, something that might be generalizable to a good chunk of the Web3 sector. The tech companies where I have worked (a couple BigTech cos, some smaller orgs, and civil service) have all taken the blameless postmortem approach very seriously.
How is Proof of Authority, mentioned in the article, any different than normal social trust and reputational risk associated with that? This seems like a cute way of wrapping up the status quo in crypto lingo.
All it means is that the system organizers decided to make a certain set of keys able to vote on transaction validity. Similar for example to how browser vendors decide to make a certain set of keys valid for issuing certs.
I'm still not entirely convinced this wasn't an inside job (or entirely made up) and they just put a nice pot of money away somewhere. Wouldn't be without precedent in the wonderful world of crypto...
You don't just take some dude's word for it when dealing with a $600+ million dollar heist. There were multiple third party investigators involved in the aftermath.
This doesn’t mean it wasn’t an inside job. Dude could have a nice payday for “oops I got PDF hacked”, plus giving away enough information about their internal organization to make the attack feasible.
The organizations that were called in to investigate this are very well aware of the likelihood of insider-threat attacks. It is basically financial fraud 101. They haven't released any information beyond what was detailed here, but you can be certain that it was thoroughly covered.
Or the dev could be simply setup to take the blame. Everything’s possible. Or an ex employee could have surveyed the system and shared data with a larger group to perform the operation.
I think the media and tech writes overestimate the efficacy of spear phishing attacks. There is tons of research involved in finding suitable targets and then planning out the attack, such as the exploit, fake websites, fake emails, and other ingredients.
Huh? Don't understand your point. When the potential bounty is $540 million, seems like investment well spent.
Just another reason crypto is a godsend for bad guys (obviously other financial crimes occur, e.g. with convincing folks to send fake wires) but there aren't many better ways to steal half a billion dollars I think. But, yeah yeah, "HN is so mean and hates crypto!!!"
This is a huge outlier though and it's not $500 million of cash but $500 million of crypto that must be processed/laundered slowly into usable cash, which may not even be doable. Given the recent crash it's probably more like a 100 hundred million now.
I think this is instead a good reminder that no matter how complicated / unlikely a specific attack vector seems, if the bounty is large enough you better assume that someone is going to do it.
This is an important social engineering attack vector that all companies should be aware of. These kind of targeted attacks (often spoofing valid contacts that employees would legitimately exchange documents with) were common since I can remember the space, but using job applications is particularly disingenuous because employees are naturally going to be a bit secretive about those.
The Adobe tools in particular have been a bountiful source of exploits for decades, but it's a complicated spec and there are plenty of opportunities for bugs.
Program and data aren't really different, philosophically. On some level this even applies to people. When someone teaches you French is that program or data? Is it just data? Why can you now understand French then? Or if it's program, how does that work, who taught the teacher how to program you?
So, our best effort is to constrain what certain data can do when we process it, in the hope that this prevents surprising negative consequences like a PDF that steals privileged information and sends it elsewhere.
Notice that, in some sense, a PDF which just contains a photograph of your wife tied to a chair and holding today's newspaper, plus human readable text like, "We have your wife Sarah and all three kids Beth, Jim and Amanda. We are watching. Do not try to call for help. Email the privileged information to crooks@example.com or we will kill your family" is also potentially effective at doing this, but we would not usually consider that an exploit in this context.
One irritation in this space is that programmers love General Purpose Programming Languages. The idea of the general purpose language is that it can do anything. But the problem in this sort of situation is that we don't want programs which can do anything, in fact doing anything is our worst case scenario. We actually want Special Purpose Programming Languages. We want to write our PDF data processing software in a language that even if we were trying can't do the things that should never happen as a result of processing a PDF.
You can't write a WUFFS program to, for example, email anything to crooks@example.com even if you desperately needed to, which means you definitely won't accidentally write a program which can email the privileged information to the crooks when fed a PDF. Of course the PDF mentioned earlier with the kidnap note inside it could still work. And also of course making a PDF renderer out of WUFFS would be a really big ask. WUFFS-the-library today can render PNG, GIF, BMP but notably not yet JPEG. But it's clearly possible for something like PDF rendering to happen under these constraints. Nobody ordinarily viewing a PDF wants it to do arbitrary stuff.
Well, WUFFS the library is C code, but that's because in practice the language implementation is a Go program which emits C rather than machine code. There's no reason you can't compile WUFFS the language into, say, Rust, or PowerPC assembler, or a long series of letters to Princess Celestia [the FiM++ programming language], except that nobody did all that hard work.
It's amazing what people come up with when they have time on their hands for leisure activities. That's why I look forward to robots doing all the work while human subsist on universal basic income.
Page 414 and forwards. And if you're generally interested in PDF feature bloat, go to page 511 to find out how to embed 3D art, including the manipulation of the virtual camera, in your PDF document.
During beginning of pandemic I got a job via a fully remote process. I felt it was sketchy in some respects and I began to increasingly fearful that it was some kind of phishing scheme. Luckily turned out to be legit. Job applications are such an open door for this kind of thing. They collect so much info from candidates, easily enough to commit identity theft. Also god forbid the company or recruiters get hacked and the data leaks anyway
In my mind there has to have been some insider involvement (at least) in this attack. There are too many things unknowable to outsiders that would need to be known.
How should we respond if we interview for a non-crypto job, and when we can't get any background on the company, they explain that they're in "stealth mode" to protect the advantage of surprise?
From time to time there are real startups that decide to fly under the radar until they're ready to show the world what they've built. Of course, many such companies turn out to be massive duds... Like Cuil.
Just interviewed with a crypto company, can confirm. Even "legitimate" companies with a web presence, customers, etc, come off as super sketchy.
That said, for lower income people you'll be absolutely inundated with scams, a good friend of mine just hit me up cuz someone wanted to promise him for $100 or so a week, you'd somehow become a crypto millionaire. I actually think crypto in its entirety is a giant scam, there's just levels of sophistication to it.
Not everyone's going to fall for give me $100 and I'll turn that into $10,000 , but a ton of people fell for buy a bunch of crypto coins and hold ,time the market and sell.
I applied (and got a job and worked at for a bit) a stealth-mode startup and it felt like a scam. No web presence, nobody had it listed as their job on LinkedIn, a couple vague references to funding rounds online that mentioned a different business model (turns out they had pivoted), etc. Remote applications are weird.
For those that don't want to read the whole thing, (supposedly) the attackers reached out on linkedin to a bunch of employees asking them to apply to a fake company. One of them did it, went through a bunch of fake interviews, and then got a fake offer, in the form of a PDF.
They opened the PDF and that installed a keylogger on their system (it doesn't explain how).
The attackers then used that engineer's credentials to take over 4 of the 9 validators on the blockchain which they then used for their heist.
It’s honestly impressive. I work in security in fintech and it can be frustrating to have our work deprioritized against product features. These examples help underscore why having robust security controls is existential.
I'm trying to imagine a setup at any company whose primary business is controlling extremely valuable digital assets having a security setup that could be entirely undone with keyloggers, and it's difficult. No necessary VPNs, keys on devices, or other non-password authentication? One engineer's password should not be the keys to the kingdom.
Sounds like a bad RPG plot. "Because of its danger, we broke the Obsidian Key into 9 pieces and divided them across the realm, each protected by a powerful, mystic dungeon. Also, Dave can access them any time he says the secret word."
I’m of the view that the completely illogical nature of their entire business and the absence of any meaningful security are deeply interwoven.
Rather than think of their primary business as securing digital assets, think of their primary business as convincing people that a perpetual money machine in the shape of a video game is possible. The valuable digital assets are just a narrative tool — and so it follows that they wouldn’t have the expertise in securing digital assets.
Nobody capable of building a secure system for digital assets would waste their time working for a company like Axie, after all, the entire premise of their business is flawed so people with the critical thinking skills necessary to build a secure system would apply that critical thinking to the viability of the company — and, of course, conclude it’s destined for failure and not hitch their wagon to it.
I understand your argument but this kind of reasoning consistently fails to be predictive. If things worked as you describe, there would be way more consensus amongst skilled engineers on political topics. In practice people are very skilled at selectively turning off their brain, especially when they stand to benefit.
“It's difficult to get a man to understand something when his salary depends on not understanding it." -Upton Sinclair
I completely agree in principle but the nuance here is that I’m leaning on the belief that people joining Axie do not “…stand to benefit…” because the long term prospects of Axie Infinity are not good (and have never been good) and so anybody analysing the benefit of joining them — who has a broad range of opportunities available to them — would immediately see how little they stand to benefit from getting involved with Axie Infinity.
I’m under no illusions about the intelligence of software engineers (of any specialism) — we are all idiots at least some of the time — but I struggle to believe that a competent engineer with lots of opportunities would somehow believe that Axie Infinity is the best opportunity available to them, hence, their system is built by people who don’t have other opportunities and have produced an insecure house of cards (more insecure than the average system anyway — all systems are insecure in some capacity).
I disagree. Competent engineers go where they will be paid, and crypto startups are often one of the few places that can pay our frankly insane compensation requirements.
I had a recruiter contact me just recently for some crypto game that was offering something like $600k/year (which I unfortunately assume was at least partly stock) for one of them, and that would certainly have been enough to attract real security talent.
I think examining the incentives of the managers is far more likely to be informative than looking at IC engineers. The best security engineer in the world probably couldn’t have prevented this hack if management doesn’t listen to what they say.
Axie Infinity exploded in popularity overnight. They likely built their infrastructure when they were securing $1M in digital assets and then suddenly found themselves controlling half a billion before they could upgrade their security.
That doesn’t excuse their poor security practices. They shouldn’t have built their asset custody system in-house if they didn’t have the expertise. They could have used Fireblocks or a Gnosis Safe Multisig with hardware wallets and they would be safe.
I've got to say, this is an incredibly cyberpunk article.
> Ronin, the Ethereum-linked sidechain that underpins play-to-earn game Axie Infinity, lost $540 million in crypto to an exploit in March. While the US government later tied the incident to North Korean hacking group Lazarus, full details of how the exploit was carried out have not been disclosed.
It's not in William Gibson's style, sounds more like Bruce Sterling's.
> Axie Infinity was huge. At its peak, workers in Southeast Asia were even able to earn a living through the play-to-earn game. It boasted 2.7 million daily active users and $214 million in weekly trading volume for its in-game NFTs in November last year — although both numbers have since plummeted.
> Earlier this year, staff at Axie Infinity developer Sky Mavis were approached by people purporting to represent the fake company and encouraged to apply for jobs, according to the people familiar with the matter. One source added that the approaches were made through the professional networking site LinkedIn.
The people in this review seem to think they're alright, but they look very silly to me: https://www.youtube.com/watch?v=tB4DDM8VHVg YMMV. But hey, maybe you can ask them for their design.
And pretty impractical as well. They look really poorly designed in terms of maximizing leverage. It also looks like they lose a lot of energy in the flexing of the entire mechanism and their arm, compared to a blade held directly in the hand.
Axie was always a pyramid scheme, not an actually enjoyable game. Being able to write off $540 million in crypto loss and ALSO keep the coin? Sounds like a pretty neat way to end a scheme.
This is so interesting, I just reported someone doing this on LinkedIn to the IC3. They create fake companies and ask for details like your SSN to ostensibly run a background check on you but in actuality it's to steal your identity or use your info to gain access to restricted resources.
Or rather, it makes perfect sense to slap on the bare minimum amount of blockchain to your scheme, given that it never had any use for blockchain in the first place but you can’t get funding without the right buzzwords
367 comments
[ 2.7 ms ] story [ 299 ms ] threadThe going price for Adobe PDF RCE zero-days is $80,000
The BSA efiling system has mandatory forms for every bank to fill out, and if they say they say the browser's pdf viewer is no-go and you must configure adobe, that is what you will do. Now every bank in the USA has a hard dependency on adobe reader and a gpo that disables the web browser's built-in pdf reader. Thanks for that, fincen.
https://bsaefiling.fincen.treas.gov/docs/BrowserSettingChang... [pdf warning]
1. LinkedIn is an absolute godsend for bad guys, allowing easy targeting of everyone in the company with spear phishing emails and texts. I know many security professionals no longer use their real name, and don't list the real name of their company, because they know it's such a great hacking vector. Not sure what/whether LinkedIn can do anything about this.
2. I wish there were more information about what the vulnerability was in the PDF in the first place. I think a lot of people would be wary of downloading a PDF from a stranger, but not from someone who you had multiple interview rounds with and who offered you a job.
Personally, I'm probably not interested in a LI clone for many of the reasons I stopped using LI. I deleted my LI account maybe 8 years ago, after getting too much spam (and I think some security issue?)
How many of you have gotten jobs with no LI account? YEO?
As a startup founder, it’s effective in some contexts, like as a contact point or promotional tool. We never felt the need to use it for recruiting. At least in the software industry, GitHub is a much more effective marketplace of talent. But LinkedIn can have some benefits for a startup outside of recruiting. Posting content about your product is a good way to stay in front of investors you’ve connected with who doomscroll their LinkedIn feed like a dev does HN. :) (it’s also something I need to automate because I block LinkedIn on /etc/hosts for productivity purposes..)
I’m not sure I’ve ever _sourced_ an opportunity from LinkedIn. I also never accept connections without at least one prior interaction. For me it’s a tool for following up and keeping in touch, not introductions. It might also be useful in some rare sales contexts, for some specific archetype of audience especially susceptible to the psychological tactics commonly deployed to the LinkedIn newsfeed. Developers are definitely not that audience (well, not on LinkedIn at least…)
Just something to keep in mind. This post will have a lot of negative LI reviews simply because it was used as a sort of attack vector.
My decision was cemented in 2020 when someone who didn't like a tweet of mine retweeted it to my old company's twitter account trying to get me fired/reprimanded (The tweet in question called out my local PD for a dubious tweet they made, the person who tried to get me in trouble lived in a different state 12+ hours away). Thankfully my current company wouldn't have cared but there is no need to give people ammo.
Perhaps semi-off topic, but note there are companies that sell software (spyware?) to HR departments that specifically trolls LinkedIn looking for when employees update their LinkedIn profiles as a sign they're looking for a new job. This may or may not be a good thing depending on your position, perspective, or company, but just be aware it exists.
I don't think it is at all. Indeed, if you're updating it regularly (every 3-4 months, perhaps?) with new project/task stuff, it's simply keeping things fresh in your mind, vs having to try to trawl back 3 years to think about project FOO.
If you only update it once every 2 years, then people can draw more nefarious conclusions.
I wonder if there are any courses for managers to train them to think logically about this and not switch into bad decisions based on emotion.
Companies waste so much money on hiring and then deciding to react very slowly to changes in market conditions. If businesses treated their staff like they treat their clients...
This is not how companies work (at least the ones worth working for). Retention risk is a reflection on their current role, compensation, manager, etc.
We have absolutely promoted high performing employees and/or given them raises even though we knew they were looking at other opportunities.
You'll be placed in a list with a score next to your name.
> Though I also try not to work for companies that I would need to worry about that.
How do you figure out what kind of software your company uses internally?
I work for smaller companies that are more concerned with building instead of turning their workforce into scores on a list.
Once in a while I check the feed for kicks and it's always 100% spam, cliches, humble brags, and not-so-humble brags.
It introduces the idea of "transitive trust" where person A might not know person B but if the two have a bunch of contacts in common, the odds of A trusting B goes up. When there's a profile with tens or hundreds of shared connections, it looks real by all accounts.
I wrote about this is an intel gathering/attack vector way back in the day but it's 100x better now because connecting is second nature and people trust more now: https://caseysoftware.com/blog/open-source-intelligence-link...
I am listed as the Principal on a couple of companies, and get constant approaches that are obviously fake (like an attractive young "stewardess" from Dubai, who just happened to like my picture (which is actually my logo)).
I've given up reporting them, as LI always responds with "This is not in violation..."
Also, people use LI as a way to aggregate information, then send emails that appear to be from LI, but are not. I got one of those, yesterday, and reported it to LI, saying "These guys obviously used your service to construct this honker."
And LI's reply was ... envelope, please ... "Not our problem. Go away, kid. Yer bodderin' me." but stated a bit more politely.
I deliberately stay fairly open. I mentioned that, some time ago. It comes with some problems, like a determined bad actor can build up a fairly good profile.
But I have had years of experience, rubbing elbows with professional con artists, so I am maybe a little tougher to fool than many (but some approaches have come close -these folks are good). I would never be so arrogant to say that I can't be phished or whaled, but it's almost certainly not worth the effort.
I'm happy to chat -a bit- about it, directly. Many of the stories that I know, are not mine, to tell.
In the "Web2 Sector", it would be very easy IMO to snuff out a fictitious company. I've gotten a handful of "offers" in the past and you can see straight through them, because the company doesn't exist in real life and you can't find any info on it, huge red flag.
The problem with the "Web3 Sector" IMO is you have a bunch of upcomming players in the space that no one has heard of. Just like investors in Cryto, if you're a developer in the space, no doubt you are jockeying to join a project that might land you a 7-10 figure windfall at the end.
So if an unheard of company approached me, I would tell them to kick rocks. If a similar company approached someone in the "Web3 Sector", they might take it thinking it's an emerging opportunity. I'm sure this still happens with Startups but my gut says it's really bad in the Web3 space.
So you may not find much about the founder or team beyond their public handles.
If you use your own device then do company work in a VM.
This is something I see/hear so often, people using work equipment/network to conduct their personal stuff. This, IMO, should not be allowed at all.
Agreed, I thought that opening a read-only PDF was GRAS regardless of the application.
That "PDF VM" has had many 0-day RCE bugs over the years. Thankfully though the VM is standardized with the format it does have multiple implementations still in different applications and many exploits are application-specific implementation bugs.
I suppose they could add a phishing warning for messages sent on LinkedIn, but really it's an education problem, teaching people to identify what phishing emails look like and how to avoid them. This is a problem I've been working on since at least 2003, when we realized that the best way to prevent eBay account takeovers was teaching people what phishing is. We also identified that education is the hardest solution to achieve.
It's ironic that the security professionals are the ones hiding their identity, given that they are the best prepared to identify and avoid phishing emails.
If the issue reduces user metrics, then they will want to fix it. Ultimate responsibility seems irrelevant.
> It's ironic that the security professionals are the ones hiding their identity, given that they are the best prepared to identify and avoid phishing emails.
I might have demolitions training, but I’d still rather walk around the minefield.
this was the attitude Microsoft had about malware on Windows for a long time and it led to so much misery and ruin across the world.
If you're gonna have access to such amount of money, it's worth buying a dedicated machine and using it very, very cautiously.
What does _phi_ stand for?
pii = personally identifiable information
Unless this was a zero day, but I would have assumed the article would mention that fact ..
"Hey, you need a PDF viewer with scripts enabled for the digital signing.. can you install Adobe XXX?" would be a good line to get the mark to use a less-than-secure PDF viewer.
But also, since it was the North Korea hacking group, I'm not ruling out a 0-day... hopefully more details will come at some point.
do you at least dual boot?
have a separate user account?
I guess its fine as long as your computer doesn't have the credentials to the company slush fund.
Friend of mine I traveled with carried 3 macbooks with her: school issued, work issued, and personal. They had different software licenses tied to the machine, whadyagonnado?
When I was on the road all the time I also had separate phones to ensure I never got stuck with a dead phone.
Counterpoint: I've been completely and utterly allergic to opening anything personal from any company system for longer than that.
I get MDM profile updates from IT on my work machine. One time they auto-installed a cloud backup service and sent out a company-wide email after they already did it. Something like: “Now nobody has to deal with lost data. You’re welcome!”
Huge backlash from employees on that move. But I get both perspectives. These are work machines, and a mundane accident with the equipment shouldn’t incur significant losses to the business.
But apart from the potential loss of personal privacy, it feels wrong. Especially so, when you’re looking for other jobs.
I know they monitor some things because they are upfront about it: Chrome says it's company managed, and there is an antivirus and some VPN software that must be always one.
But why do I care? They don't crack down on us, and know everyone plays games or visits non-work-related sites, watches YouTube, or even do homework on these laptops.
I'm not going to work for the competition using the company's laptop, so why worry?
Is PDF as an attack vector such a widespread threat? I never payed much attention to them, assuming it's a document format that is relatively harmless even if it can include javascript.
This is an honest question, by the way.
PDFs are "harmless" on their own, but they are user-generated documents that conform to a complex specification. Viewing them requires software that parses them. These parsers are often written in unsafe low level languages.
The (in)security of unsafe parsers reading user-generated input is a tale as old as time itself.
While browsers are sure not without security vulnerabilities, I sure trust the PDF viewer within to be way more sandboxed than most standalone desktop PDF viewer applications.
If the vulnerability (which I assume was RCE) was in a web browser, then it's a major bug.
Yes, I understand this, keep in mind I'm a software engineer.
Let me re-phrase. It's understood that, in general, document formats are more or less harmless unless they execute macros/code, and even then, this code must be able to exploit the platform's vulnerabilities to be able to do harm.
What is different about PDF than, say, JPEGs? I don't know of anyone who would hesitate to open an image file on their work computer, yet they are also complex formats requiring readers (viewers) which are often written in unsafe low-level languages. Yet I have never ever head of someone recommending "be careful before opening a JPEG (or PNG, or whatever) file".
I'm assuming we are not talking about ye olde "PDF.exe" or "JPEG.exe" trick here, but actual vulnerabilities in document files (not just renamed executables).
Both JPEG (or any other ubiquitous image format) and PDFs are nontrivial formats. And both have their fair share of CVEs (the list of JPEG vulnerabilities is also pretty long, based on that CVE database).
Something that sticks out to me is that JPEG (and most other image formats) is basically a header followed by a large blob of compressed image data, whereas PDF is a mixed-media format combining images and other multimedia, fonts, and a PostScript. And of course, we know that PDFs have all sorts of other crazy fancy features like forms and embedded JavaScript and digital signatures. Based on these facts alone, PDF features is a superset of image formats, and certainly by quite a wide margin. And more features means much bigger attack surface.
There's also another practical consideration of how users generally interact with these formats. Users interact with images primarily through browsers (or Electron-based software), which are sandboxed and have very well-funded security teams behind them. User-uploaded images to image hosts are often re-encoded (and sanitized as a side effect). Notable exceptions I can think of are loading images from a camera (generally a trusted source; and certainly there must be plenty of vulnerabilities in RAW parsers, but people almost never share RAWs) and iMessage (...which is a thing). It's very unusual for a user to be forced the view the image outside of a browser.
PDFs are a different situation: while browsers have well-sandboxed PDF viewers these days, they intentionally implement a subset of PDF features (I think forms is a big one left out, and signatures). You can imagine how easy it is to convince a user that need to download the PDF to disk and open it with Adobe Reader so that they can digitally sign a job offer. I'm aware that DocuSign exists, but I don't think it's ubiquitous enough that every user will wonder "hmm why am I being asked to sign with Adobe Reader instead of using DocuSign".
I hope that better answers your question.
Going up a level, the main problem was that the company had a system where a single person could irreversibly transfer half a billion dollars away from the company.
Q: If you assume the bad guys have already compromised your workstation, how sure are you that they won't be able to compromise other machines you connect to?
not to say it can't be done, but it was unexplained
Of course if you can access the software running the blockchain and get everyone to install an update, that works too
Employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised... The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.
The system does not require people to sign off, but for the keys to sign off.
I don't think it's worth calling this a hack, the keys are what owned the moneies, and it's the keys that decided what to do with it. People have access to keys, they don't own them
But don’t I own my house keys too?
It should be paying your mortgage, by the way.
- Not your keys, not your coins; always self-custody
- Never use the same machine for trading and for work/surfing the web
- Store only funds you want to regularly trade with on a hot wallet. Everything else on a cold wallet.
Even if you don't buy into the crypto vision (I don't), a digital-only currency that isn't tied to any nation-state does deserve to exist.
I could never tell how much was incompetence vs fraud, but either way without the hype vastly fewer suckers would be holding the bag right now. The crypto ecosystem has been just been terrible for just about everyone and things are far from over.
Bitcoin was $6,000 in March 2020. It hit $63,000 in April 2021. And if you didn't sell that top, it hit $67,000 again in November 2021.
Even now, it has dropped less than Netflix, a supposed bluechip.
I don't know what's the scam in this - you had plenty of entry opportunities and plenty of exit opportunities. The underlying system itself still works exactly as described.
It’s not that Bitcoin or any alt coin has X paper value right now, it’s nobody can get out without someone else getting stuck holding the bag. The underlying system is predatory because mining isn’t free so it’s a negative sum game where people have already cashed out.
I remember being saddened when it was less than 1/1,000th isn’t current value I realized how many suckers where lining up for the fleecing. I briefly thought the odds are very good it’s going sky high, but I didn’t want to be part of someone losing their retirement when things eventually fell apart.
i haven't bought any myself. i just enjoy reading tech and economics stories in general so i've been reading about cryptocurrencies since 2013 or so. but i don't intend to buy any unless one fulfills some need i have better than other solutions. and i certainly don't intend to hold onto any if i can help it.
Look morality is only meaningful when it comes at a cost. I sincerely hope you are discouraged from scamming, robbing, kidnapping etc because you think it’s wrong rather than insufficient gain to be worth the effort.
That's true for practically every asset class. If you sold your Netflix stock at $600, someone had to buy it at $600 as well. And now they're out of $430.
There's a losing counterparty in every winning trade.
No, this is false. With stocks, the holder can get paid in dividends. With real estate, you gain value from actually using the land. A bond is actually a form of credit. Et cetera. Which other assets are you thinking of?
Edit: You must be conflating it with the funny money private stocks and their buybacks that a lot of startups have. Those are obviously a gamble, they're not really "investments" for most participants. It's no surprise that the same type of companies tried to go deep into ICOs a few years ago which are like the crypto equivalent of a bogus penny stock.
> There's a losing counterparty in every winning trade
the counterparties are equal in every trade; any winning takes place afterward in the future
and if one party is selling a publicly traded security or commodity at a loss, that doesn't mean it wasn't a good investment, it means it was bought at a fair price and conditions changed
Who are you going to prosecute in this case? The developers of Ethereum who are making a digital peer2peer smart contract system and have no interest in running a ponzi scheme?
Are you going to arrest Bram Cohen for inventing Bittorrent for what happens on it? What about the people behind Tor?
Can you tell me where the Ponzi is on this page: https://compound.finance/
Isn't that how fraudsters justify their tactics?
"Free market" in the Smithian sense is not what we have here.
You can't own keys, so you can't own coins. You instead have access to coins when you have access to keys.
Probably also reading email; one possible way of finding it needed to get at 5 of 9 keys to unlock.
The PDF format presents many opportunities for other exploits, either obfuscating a payload or running code, but modern PDF viewers are locking these opportunities down to such a degree that they are not very reliable (most of all because it is difficult to know which PDF viewer your target will use, and many popular PDF viewers today like pdf.js are relatively feature-incomplete which is a significant security advantage in this case). It's possible that something more sophisticated was going on but I would be very surprised if it was anything more complex than using the PDF as an obfuscated transport for a binary packed in it and invoked by the user (e.g. by clicking a link in the PDF with a javascript target). Non-user-interaction PDF vulnerabilities exist but are increasingly hard to come by as there has been more than a decade of work on locking down PDF viewers and the situation has improved dramatically in that time.
Contrary to what people sometimes expect, highly organized groups (such as APTs) tend to stick to very basic, simple methods as much as possible, since they are relatively reliable. The use of recent vulnerabilities in a specific PDF viewer, for example, is high risk due to the likelihood of failure and the opportunities for analysis it presents (you will have to do custom development rather than using off-the-shelf tooling). This is the kind of thing that organized groups try to avoid as much as possible, subject to an ROI analysis. Or in other words, if putting a link to an EXE in a PDF still works, why would you bother with anything else?
Assuming it can't, then the engineer had to click to run some unknown EXE after downloading it... that should hardly be described as a "PDF attack".
I recently stumbled upon a nice write-up [0] that described this class of attack and surveyed which software was vulnerable to it. Many crypto clients were included.
[0] https://positive.security/blog/url-open-rce
Basic flow was-phisher asked employee to sign a document relating to customs. The phisher had gathered that this employee works with shipping claims and returns, and surmised that they need to deal with customs documents requiring signature. There was a link to an exe hosted on a European cloud service in the PDF titled "install fake signature certificate company to sign this document". This directed to a download of a basic ransomware executable. This did get past our AV to the point of encrypting the employee's machine, but thankfully was blocked from spreading to the rest of the network.
The employee's machine was toast, but I was able to restore from the prior day's backup and no major harm occurred. I was able to see the phishing attack since we use gsuite email so the ransom ware didn't erase the employee's inbox, but they did lose a half-day work and I updated our training. The attack itself was clever from a social engineering perspective, but the technical exploit was something any script kiddy could have downloaded from the open web, nothing advanced at all. But Gmail doesn't always scan links in PDFs, so a clever ruse was able to bypass Google's scanning as well as our local scanning.
What I don't understand: Why do you let your users run downloaded executables, at all?
And due to a legacy system, we can't rely on windows UAC to prevent these attacks either, this user needed to have a local admin account. Yes, this is a security issue in itself, but needs must.
When I was at lockheed we had an incident whereby a bunch of folks had attended some defense conference, and after the fact received emails from folks they had 'met' at the conference, something along the lines of
"Hey Bob, we met at the [defense] conference this last week and I wanted to be sure you had my contact info: malware-contact.vcf"
or some other payload.
This installed a very slow sprawling worm which would slowly trickle data out of lockheed to China.
It was not discovered for quite a while due to how slowly it operated, but someone had complained about machine performance and IT looked at the machine and discovered the worm... after removing it - this somehow sent a signal to China that they had been found and all the worms started to firehose as much as they could until egress was closed. At the time, all of Lockheeds 150,000 employees had just three egress points to the internet. They had to shut them all down to kill that worm.
If pdf is compromised, is it fixed? This seems like the kind of vulnerability that would ruin pdf's reputation permanently. It was the safe alternative to sending someone a .doc particularly because of it's limited functionality.
It is used for sending documents because its function is to have a fixed layout for printing (and look the same on every device), not because it's safer than other document formats.
If you really want a safe PDF, there's a function in Qubes OS that basically opens a PDF in a new VM, makes screenshots and then creates a new PDF from those. You'll lose advanced functions (e.g. forms) as the pages simply become pictures but that's a tradeoff you have to make.
on the other hand I bet you could collect some interesting things by creating a few fake people as linkedin honeypots at FAANGs, and I would be very surprised in their infosec/netsec teams aren't already doing this.
or getting real people who opt-in to have their linkedin profile receive incoming scams, virus, trojans, phish links and pipeline them into the infosec/netsec team.
They seemed to avoid contacting executives or senior staff… but instead targeted folks capable of maybe making the change they wanted, and maybe jr / low enough on the pole enough to panic and do it.
I’ve seen it happen three times now, pretty scummy IMO.
People on LinkedIn, using a name sufficiently far enough away from their real name so as to not be able to be easily found, listing their security jobs with again, sufficiently far enough away org names.
Turtles all the way down.
Some PM in 2006 thought it would be a good idea if PDFs were turing complete. I'm sure the word sandbox wasn't even thought about. 10 years later PDF (and more notably, Flash) became huge attack vectors.
I think a far more interesting hack is when NSO used a PDF to embed a virtual machine inside an iPhone to develop a zero click exploit over iMessage:
https://hothardware.com/news/zero-click-malware-pwns-iphone-...
I'm not sure about this attack specifically, though, and in Ronin's post mortem they aren't really talking about that: https://roninblockchain.substack.com/p/back-to-building-roni....
To some extent, the PDF viewer/OS doesn't matter. A dedicated and well resourced attacker like the Lazarus Group will find holes in all of them. The "right" move here would have been for the employee not to download the compromised pdf, and short of that, for the IT Security team at Ronin to quickly detect the weird traffic that resulted and isolate the validators to prevent a compromise of their critical assets.
What usually happens is that layers 1 and 2 of 3 are constantly compromised, no one cares to follow up, and one day layer 3 gets compromised, shock of shocks.
I know I'm pushing a boulder uphill with that one but it really is the way to go, better for both the individual and the company.
Figure out a company uses <some-saas> register a phishing domain (e.g. gith.ub) send them an email with important info about their account, and a PDF attachment with more details.
If it's that easy to compromise a system all you have to do is get a few employees to open the PDF right?
This has benefits for the employee, not just the company, in that it keeps the employees personal data out of the hands of the IT department.
This might just result in employees finding ways to remote access their work computer from their personal computer from wherever they are, but at least that's an additional wall for would-be attackers to hurdle.
I don't install anything personal on my work computer, but I wouldn't hesitate to open an email or pdf from a seemingly trusted source. I don't really blame the dev here.
What you propose is a reasonable solution, but I feel like it slams in the face of actual human behavior. Most people act the way I describe, even most tech professionals.
I think the clear move here should be to avoid pdf, just like the move is to avoid doc
I dispute this: the web browser is one of the most defended pieces of software of all time, especially relative to its complexity. I would find it much safer to open a potentially malicious PDF in my browser's JS-based reader than using a desktop reader.
> The "right" move here would have been for the employee not to download the compromised pdf, and short of that, for the IT Security team at Ronin to quickly detect the weird traffic that resulted and isolate the validators to prevent a compromise of their critical assets.
It also probably would have been helpful if one employee didn't have access to almost half of the validators, especially on a system they're accessing email with.
But you never know.
[0] https://helpx.adobe.com/reader/using/protected-mode-windows....
It says it was an offer letter, so my guess is that opening it in the browser came up with an error like "to be able to digitally sign this offer letter, please open it in a desktop PDF reader with full scripting support enabled :)"
At least, I hope that any reasonable organization doesn't secure $600+ million dollars by relying on the endpoint security of a device used to access LinkedIn
Desktop PDF viewers like acrobat are gaping security holes... Don't use them!
Most malware these days can't function without internet connectivity. The exploits typically connect to a server to get the rest of their code because they don't want any pesky researchers getting their hands on stuff.
And remember, it wasn't just that one dev - it was everything running on his computer - think of the probably tens of thousands of developers who wrote the code that runs as root on his PC, much of it unreviewed.
The company fully blames the employee. I wish software companies had the same level of professionalism than airlines. "It's the pilot's fault" does not help to improve security. Nothing is learned.
I won't argue this, but I think that it depends on where you look. Cryptography audit services are books out for months or years because of the demand from cryptocurrency projects. There's never been a vulnerability in the Bitcoin or Ethereum networks that allowed an attacker to steal funds or execute a double-spend. And cryptocurrency projects have pioneered whole fields of cryptography like zksnarks for security purposes.
Cryptocurrency projects often have a fundamentally very difficult problem to solve, and attackers are also very sophisticated. There are currently very few people with the expertise needed to implement a complex cryptocurrency project securely.
Disclaimer: I'm a protocol developer for a cryptocurrency project (not one of the ones mentioned here)
And that's why I don't believe the story. No owner of such business would make this possible.
https://home.treasury.gov/policy-issues/financial-sanctions/...
And it has already been moved:
https://www.blockchain.com/eth/address/0x098B716B8Aaf2151299...
Just another reason crypto is a godsend for bad guys (obviously other financial crimes occur, e.g. with convincing folks to send fake wires) but there aren't many better ways to steal half a billion dollars I think. But, yeah yeah, "HN is so mean and hates crypto!!!"
The Adobe tools in particular have been a bountiful source of exploits for decades, but it's a complicated spec and there are plenty of opportunities for bugs.
I would say Firefox is the safest here, because its built-in PDF viewer is written in JS, although Firefox's sandboxing is not as strong as Chrome's.
So, our best effort is to constrain what certain data can do when we process it, in the hope that this prevents surprising negative consequences like a PDF that steals privileged information and sends it elsewhere.
Notice that, in some sense, a PDF which just contains a photograph of your wife tied to a chair and holding today's newspaper, plus human readable text like, "We have your wife Sarah and all three kids Beth, Jim and Amanda. We are watching. Do not try to call for help. Email the privileged information to crooks@example.com or we will kill your family" is also potentially effective at doing this, but we would not usually consider that an exploit in this context.
One irritation in this space is that programmers love General Purpose Programming Languages. The idea of the general purpose language is that it can do anything. But the problem in this sort of situation is that we don't want programs which can do anything, in fact doing anything is our worst case scenario. We actually want Special Purpose Programming Languages. We want to write our PDF data processing software in a language that even if we were trying can't do the things that should never happen as a result of processing a PDF.
This is the purpose of languages like WUFFS: https://github.com/google/wuffs
You can't write a WUFFS program to, for example, email anything to crooks@example.com even if you desperately needed to, which means you definitely won't accidentally write a program which can email the privileged information to the crooks when fed a PDF. Of course the PDF mentioned earlier with the kidnap note inside it could still work. And also of course making a PDF renderer out of WUFFS would be a really big ask. WUFFS-the-library today can render PNG, GIF, BMP but notably not yet JPEG. But it's clearly possible for something like PDF rendering to happen under these constraints. Nobody ordinarily viewing a PDF wants it to do arbitrary stuff.
FiM++ - Esolang
https://esolangs.org/wiki/FiM%2B%2B
Page 414 and forwards. And if you're generally interested in PDF feature bloat, go to page 511 to find out how to embed 3D art, including the manipulation of the virtual camera, in your PDF document.
What could go wrong?
https://en.wikipedia.org/wiki/Weird_machine
https://blog.google/threat-analysis-group/new-campaign-targe...
Job offer PDF was downloaded to office computer. PDF had spyware that infiltrated the system.
...Oh wait, this is crypto
From time to time there are real startups that decide to fly under the radar until they're ready to show the world what they've built. Of course, many such companies turn out to be massive duds... Like Cuil.
https://en.wikipedia.org/wiki/Cuil
That said, for lower income people you'll be absolutely inundated with scams, a good friend of mine just hit me up cuz someone wanted to promise him for $100 or so a week, you'd somehow become a crypto millionaire. I actually think crypto in its entirety is a giant scam, there's just levels of sophistication to it.
Not everyone's going to fall for give me $100 and I'll turn that into $10,000 , but a ton of people fell for buy a bunch of crypto coins and hold ,time the market and sell.
They opened the PDF and that installed a keylogger on their system (it doesn't explain how).
The attackers then used that engineer's credentials to take over 4 of the 9 validators on the blockchain which they then used for their heist.
Sounds like a bad RPG plot. "Because of its danger, we broke the Obsidian Key into 9 pieces and divided them across the realm, each protected by a powerful, mystic dungeon. Also, Dave can access them any time he says the secret word."
Rather than think of their primary business as securing digital assets, think of their primary business as convincing people that a perpetual money machine in the shape of a video game is possible. The valuable digital assets are just a narrative tool — and so it follows that they wouldn’t have the expertise in securing digital assets.
Nobody capable of building a secure system for digital assets would waste their time working for a company like Axie, after all, the entire premise of their business is flawed so people with the critical thinking skills necessary to build a secure system would apply that critical thinking to the viability of the company — and, of course, conclude it’s destined for failure and not hitch their wagon to it.
“It's difficult to get a man to understand something when his salary depends on not understanding it." -Upton Sinclair
I’m under no illusions about the intelligence of software engineers (of any specialism) — we are all idiots at least some of the time — but I struggle to believe that a competent engineer with lots of opportunities would somehow believe that Axie Infinity is the best opportunity available to them, hence, their system is built by people who don’t have other opportunities and have produced an insecure house of cards (more insecure than the average system anyway — all systems are insecure in some capacity).
I had a recruiter contact me just recently for some crypto game that was offering something like $600k/year (which I unfortunately assume was at least partly stock) for one of them, and that would certainly have been enough to attract real security talent.
That doesn’t excuse their poor security practices. They shouldn’t have built their asset custody system in-house if they didn’t have the expertise. They could have used Fireblocks or a Gnosis Safe Multisig with hardware wallets and they would be safe.
Someone with low ethics interested in a very good paycheck?
> Ronin, the Ethereum-linked sidechain that underpins play-to-earn game Axie Infinity, lost $540 million in crypto to an exploit in March. While the US government later tied the incident to North Korean hacking group Lazarus, full details of how the exploit was carried out have not been disclosed.
It's not in William Gibson's style, sounds more like Bruce Sterling's.
> Axie Infinity was huge. At its peak, workers in Southeast Asia were even able to earn a living through the play-to-earn game. It boasted 2.7 million daily active users and $214 million in weekly trading volume for its in-game NFTs in November last year — although both numbers have since plummeted.
> Earlier this year, staff at Axie Infinity developer Sky Mavis were approached by people purporting to represent the fake company and encouraged to apply for jobs, according to the people familiar with the matter. One source added that the approaches were made through the professional networking site LinkedIn.
Also gives me Charles Stross vibes.
You definitely haven't been paying attention to Gen-Z people then. The 80s are back.
And pretty impractical as well. They look really poorly designed in terms of maximizing leverage. It also looks like they lose a lot of energy in the flexing of the entire mechanism and their arm, compared to a blade held directly in the hand.
http://www.openthefuture.com/wcarchive/2004/10/stephenson_an...
What's the point of using a Blockchain if you end up centralizing validations like that?