Year: 2021

Ethereum Smart Contract SelfDestruct, Destroys Your Contract

Author wefightforsecurityPosted on August 28, 2021August 28, 2021Categories web securityTags , , , 2 Comments on Ethereum Smart Contract SelfDestruct, Destroys Your Contract

Ethereum logo used to discuss Self Destruct.
Ethereum Logo from Wikipedia

Ethereum Solidity code is used for writing smart contracts in Ethereum and a feature is called SelfDestruct. This is basically a function, that has existed in the Ethereum protocol since 2013. We are diving into Self Destruct and the problems with it.

What does Self Destruct do?

Self Destruct is written as SelfDestruct in the Solidity code. SelfDestruct can be used to dynamically update code, or delete code. A problem with SelfDestruct is no permission is needed for someone else to use it to update your code or delete code from an external contract. You also don’t have to use SelfDestruct within your code, as there are at least two other functions that can be used in an external contract for you to run it. Those functions are DelegateCall and CallCode, which are used a lot. No authentication or form of consent is needed for external contracts to modify your contract.

Someone can write a separate Ethereum Smart Contract written in Solidity that can interact with your Smart Contract. The other Smart contact can steal eth, delete the contract, updating the contract, or alter it. We wrote about stopping Ethereum contracts from being able to interact with your contract in our OnlyOwner article.

Some contracts need to interact with other contracts, which introduces a re-entrancy attack, unless it is secured. Securing against re-entrancy attack can be simple or complex, depending on how your code is written. These are just a few things that you want your smart contract secured against.

SelfDestruct is not the only function that can be used to modify another smart contract, but it is the one we are focusing on today. The creator of Ethereum looking back, wouldn’t have added SelfDestruct and they’re looking at a way to remove it, or make it not as much of a threat as it is now.

Smart Contracts can be written as secure as humanly possible, though based on what we discussed above, it is clear that the Ethereum blockchain is not in any form an immutable blockchain.

If you are writing a smart contract and need help, you can hire us, or contact us. You can also tweet us.

Ethereum Smart Contract Preventing Other Solidity Contracts From Hacking You

Author wefightforsecurityPosted on August 25, 2021August 25, 2021Categories web securityTags , 4 Comments on Ethereum Smart Contract Preventing Other Solidity Contracts From Hacking You

An Ethereum Smart Contract is written in Solidity, and has many built in-security features. In this article we are discussing a security feature, which is a specific Ethereum modifier that stops people from writing another smart contract that can interact with yours.

What is an Ethereum modifier?

It is in layman terms, built-in functions you can use in your own contract. While some smart contracts need to allow other Smart contracts to communicate with them, others it poses a great security risk to them. The Ethereum Modifier in Ethereum Smart Contracts called OnlyOwner is a great security feature. The name is very straightforward, There is Only the Owner of the Contract should be able to make changes.

modifier onlyOwner { require(msg.sender == owner); _; }

Great, now you have the modifier available to use, if you put this in your contract, but now you need to actually use it, not just have it there. If you’re writing a solidity file called Owned, then you should have the line that says 

function transferOwnership(address newOwner) public onlyOwner {

        owner = newOwner;
}

and in Congress.sol, you should put 

contract Congress is owned, tokenRecipient {
/// your stuff here }

This works great, if you are following the Solidity Style guide, which is where the code snippets are from. Always follow the Solidity Styles whenever possible.


Hopefully this quick review of the Ethereum Smart contract modifier OnlyOwner has been helpful for you when writing your contract in Solidity. We understand this isn’t always an option, which is why we have a lot more articles coming soon for you.

Recovering Hacked Facebook & Defeating Porn Ransom

Author wefightforsecurityPosted on July 13, 2021July 13, 2021Categories web security14 Comments on Recovering Hacked Facebook & Defeating Porn Ransom
Cyber crime
Dealing with active cyber crime

Hacked Facebook and picture being held ransom cybercrime

Intent and motive are two important parts of solving any crime, the same goes for cyber-crime.

This is a real case we had with the names anonymized for privacy purposes. Someone woke up Saturday morning to two rude surprises. We dealt with a compromised Facebook while also dealing with ransom of a picture from a compromised email address.

Many experts say pay the ransom, but the ransom had already been paid two weeks ago. This was before they reached out to us.

This has two moving parts, a hacked facebook and a ransom of a personal porn picture that no one wanted released. We are going to cover how we dealt with the hacked Facebook first.

How to identify who hacked your Facebook

Make sure all tabs are closed and no applications are running in the background on your desktop. This is so you can see what IP addresses are inbound with as much accuracy as possible.

  1. open up Facebook messenger
  2. Open up command prompt on Windows and when the person is writing, where you see those bubbles type netstat -an and hit enter. This will show all outbound and inbound IP addresses, 192.168 is an internal IP for every computer, as is 127.0.0.1. Ignore those addresses as those are from your machine.
  3. Analyze the inbound IP addresses, then use an IP reverse lookup to google maps. This is helpful if the attacker forgets to mask their identity with say, a VPN or Tor.
  4. Check lists of known VPNS and tor relays. This isn’t full proof, but it is helpful, as you will see in a minute.

The compromised Facebook was asking everyone for $500 in BTC or an ebay gift card. They were also portraying themselves as an old lost friend by changing the accounts name. Playing along got us enough of the same IP addresses repeatedly, which is what was needed. When we brought up the town they were in and how it was was they replied “Good”. When they were told there was plenty of evidence against them they deleted the facebook, or so they thought.

The head of Facebook Security is involved and they should restore the account.

Porn Ransom and how to combat it

The second problem, the porn ransom of the picture is where we are now. This took time to solve and when you have a ransom you’re short on time. The demand of money for the ransom continued.

I finally decided to stop focusing on the ransom and the pornography and treat the criminal like a human. What was the motivation behind the crime, why did they need this money? Once asked, they claimed they needed it for something in their house. This was a major breakthrough, because my reply was simple. I offered to teach them how to make that money legally with some apps, if you delete the picture permanently. They agreed to the terms, and I showed them how to make $500 really quickly online.

The picture was allegedly permanently deleted, but with criminals, well take everything with a grain of salt.

Regaining control of a hacked email and securing it after a hack

We regained control of the compromised email, so unless they downloaded the contacts, they had nowhere to post it, since the socials were also tightened down.

Moral of these two cases is pretty straightforward, everyone wants something. In these cases, isolate the two most important things the what they want and why they want it. I was then able to show them a legal way to obtain it.

The hacked Facebook case doesn’t appear to be related, as the tone of the writing, the words chosen, and timestamps of the messages are radically different between the two people. What we were told for free is that the image is somewhere on the deep web with the contact info, so this issue may persist. Time will tell.

We take pride in pro-actively and re-actively fighting threats, which in simple terms means we do both defense and offense security. If you need help, just contact us.

Did John McAfee Die In Prison? Probably Not, here’s why

Author wefightforsecurityPosted on June 23, 2021June 23, 2021Categories Uncategorized18 Comments on Did John McAfee Die In Prison? Probably Not, here’s why

John McAfee, the pioneer of anti-virus software is reported dead by commiting suicide in a Spain prison. Is he dead? Probably not. Based on John’s past adventures, the chance of death by suicide is extremely low.

A quick history recap, McAfee escaped Belize when the police wanted him for questioning about the death of his neighbor. Suspecting the Belize government at the time would most likely murder him, he dissapeared and got out of Belize. He ended up in prison and faked a heart attack. This just is who McAfee is.

The report of John McAfees death lasts substance, namely a picture of the body, which of course can be faked, but is a lot more substantive than the jail saying he killed himself.

If you ever spent much time talking to John, he’s the type who confronts governments and won’t back down, so allegedly committing suicide because he was being extradited doesn’t hold up to his personal character.

So is John McAfee dead or alive? Right now, we really don’t know. At this point he is schrodingers McAfee, both possibly dead and possibly alive simultaneously.

This will be updated as more data comes available.

Krypton, a new encryption — is it worth our time?

Author wefightforsecurityPosted on June 20, 2021June 20, 2021Categories Uncategorized1 Comment on Krypton, a new encryption — is it worth our time?
Krypton Encryption

Do we need a new encryption? Why do we need a new cryptography? Those are the two questions I’ve asked the creator of Krypton-320 a 320 bit Java based symmetrical encryption repeatedly for months.

Creator notaidan, believes that we do need a new cryptography, many of his answers over the months to questions are privacy driven. In the early days of krypton formerly uwucrypt, i asked why not just use AES? Notaidan pointed to that AES is government approved and we need protection from the government. While he didn’t say it nor does he believe he implied it, this argument inherently states that AES must be insecure , which no one knows of for the government to approve it. We whole heartedly disagree here, since anyone can read the code of AES that’s been available for decades.

So why krypton cryptography? Could it be that notaidan is 14 per his github site and just wants to create for the fun of it? No, he believes it is stronger than aes-256 because it is 320 bits. He has rewritten it about ten times. Whenever a bug is found, he doesn’t just patch the bug, he rewrites it entirely.

So is krypton encryption something we should use? That’s where uncertainty lies. With the codebase being rewritten all the time, it’s hard to analyze it and decide okay this is secure or insecure. What was said about Krypton earlier this week, no longer applies, so trying to form an opinion about it, is simply not doable at this time.

Is the Java libraries used safe? It uses secure random, big integer, scanner, and one other. All of these are well known, secure, libraries so yes there is no problem there. The only thing left is for some of the cryptography community to decide if the latest krypton-320 bit encryption is indeed better than AES and more secure as it is being touted. This will be updated as information becomes available.