several high-risk security vulnerabilities in EOS's blockchain platform. These vulnerabilities would enable remote attacks on all EOS nodes, Qihoo 360 claimed on Weibo on Tuesday, May 29. Qihoo 360 writes that it reported the vulnerability to the EOS team and that the EOS mainnet will not launch until the security problems are resolved. Local news outlet Jinse, which noted that EOS asked 360 not to report the vulnerability, claimed that the vulnerabilities had been fixed on the same day, by around 2:00 pm China Standard Time. According to 360's Weibo post, the vulnerability would allow an attacker to use a smart contract with malicious code to open a security hole, and then use the supernode to enter the malicious smart contract into a new block, thus putting all network nodes under the attacker's control. Once this has been done, the attacker could then control the digital currency on the EOS network, obtain users' private keys and data, launch a cyber attack, or begin mining other cryptocurrencies. 360 describes these vulnerabilities as a new "series of unprecedented security risks" that could affect other blockchain platforms besides EOS: "360 expressed [hope] that the discovery and disclosure of this loophole will cause the blockchain industry and security peers to pay more attention to the security of such issues and jointly enhance the security of the blockchain network."
EOS, whose mainnet is scheduled to launch on June 2, is currently down 2.76 percent over a 24-hour period, trading at around $11.70 by press time, according to Coinmarketcap data.
When it comes to fixing security vulnerabilities, it should be clear by now that words only count when they're swiftly followed by actions. Ask peripherals maker Logitech, which last week became the latest company to find itself on the receiving end of an embarrassing public flaw disclosure by Google's Project Zero team. In September, Project Zero researcher Tavis Ormandy installed Logitech's Options application for Windows (available separately for Mac), used to customise buttons on the company's keyboards, mice, and touchpads. Pretty quickly, he noticed some problems with the application's design, starting with the fact that it… opens a websocket server on port 10134 that any website can connect to, and has no origin checking at all. Websockets simplify the communication between a client and a server and, unlike HTTP, make it possible for servers to send data to clients without first being asked to, which creates additional security risks. The only "authentication" is that you have to provide a pid [process ID] of a process owned by your user, but you get unlimited guesses so you can bruteforce it in microseconds. Ormandy claimed this might offer attackers a way of executing keystroke injection to take control of a Windows PC running the software. Within days of contacting Logitech, Ormandy says he had a meeting on 18 September to discuss the vulnerability with its engineers, who assured him they understood the problem. A new version of Options appeared on 1 October without a fix, although in fairness to Logitech that was probably too soon for any patch for Ormandy's vulnerability to be included.
As anyone who's followed Google's Project Zero will know, it operates a strict 90-day deadline for a company to fix vulnerabilities disclosed to it, after which they are made public. I would recommend disabling Logitech Options until an update is available. Clearly, the disclosure got things moving – on 13 December, Logitech suddenly updated Options to version 7.00.564 (7.00.554 for Mac). The company also tweeted that the flaws had been fixed, confirmed by Ormandy on the same day. Logitech aren't the first to feel Project Zero's guillotine on their neck. Earlier in 2018, Microsoft ran into a similar issue over a vulnerability found by Project Zero in the Edge browser. Times have changed – vendors have to move from learning about a bug to releasing a fix much more rapidly than they used to.
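The two design problems Ormandy describes above (a local websocket server that accepts connections from any website, and an "authentication" secret that is guessable) both have standard fixes: validate the browser-supplied Origin header against an allowlist during the handshake, and replace the process ID with a high-entropy random token compared in constant time. The following is an added illustration written for this page, not Logitech's code or Ormandy's; the allowed origin `config.example.invalid`, the helper names and the sample handshakes are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# RFC 6455 handshake constant (a real protocol value, not page-specific).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Assumption: only the vendor's own configuration page may talk to the local
# helper; "config.example.invalid" is a constructed placeholder origin.
ALLOWED_ORIGINS = {"https://config.example.invalid"}


def parse_handshake(raw):
    """Split an HTTP/1.1 Upgrade request into a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """True only for an exact scheme://host[:port] match against the allowlist.

    A missing Origin is rejected: browsers always send it on WebSocket
    handshakes, so its absence means the request did not come from a page
    we expect (or the header was stripped in transit).
    """
    if not origin:
        return False
    parts = urlsplit(origin)
    if not parts.scheme or not parts.netloc:
        return False
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    return normalized in {a.lower() for a in allowed}


def accept_key(client_key):
    """Sec-WebSocket-Accept value for a client's Sec-WebSocket-Key (RFC 6455 4.2.2)."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake_response(raw, allowed=ALLOWED_ORIGINS):
    """Return the status line and headers the local server should send back."""
    h = parse_handshake(raw)
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return "HTTP/1.1 400 Bad Request\r\n\r\n"
    if not origin_allowed(h.get("origin"), allowed):
        # Origin is set by the browser, not by page script, so a web page
        # cannot forge it; refusing here keeps arbitrary sites off the socket.
        return "HTTP/1.1 403 Forbidden\r\n\r\n"
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept_key(h['sec-websocket-key'])}\r\n\r\n"
    )


# Replacement for "send us a pid you own": the helper mints a 256-bit secret
# at start-up and stores it where only the local user can read it (assumed
# deployment detail); the client presents it after the handshake. Unlike a
# pid it cannot be enumerated, and the comparison does not leak timing.
def issue_session_token():
    return secrets.token_urlsafe(32)


def token_valid(presented, expected):
    return hmac.compare_digest(presented.encode(), expected.encode())


# Constructed sample handshakes (not captured from the real application).
def sample_request(origin_header):
    return (
        "GET /ws HTTP/1.1\r\n"
        "Host: 127.0.0.1:10134\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
        + (f"Origin: {origin_header}\r\n" if origin_header else "")
        + "\r\n"
    )


if __name__ == "__main__":
    for o in ("https://config.example.invalid", "https://other-site.example.invalid", None):
        print(o, "->", handshake_response(sample_request(o)).split("\r\n")[0])
```

The origin check is exact-match on scheme and host (plus port, if present) rather than a substring or prefix test, so a lookalike host that merely contains the allowed name is refused; binding the listener to 127.0.0.1 is still necessary, but on its own it does nothing against a page loaded in the user's own browser, which is exactly the case Ormandy raised.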
After the publication of an article in Security Affairs called "ClearEnergy ransomware aim to destroy process automation logics in critical infrastructure, SCADA and industrial control systems," security researchers used Twitter to bash the company for what they felt were lies about real-world attacks, the company orchestrating a media stunt, and not releasing any research they could vet. Following this criticism, the company ended up apologizing, saying they forgot to mention it was only a proof-of-concept ransomware, and promised to release more details in the upcoming days. According to a blog post published a day later, CRITIFENCE experts only revealed that they had discovered two issues in the Modicon Modbus protocol used in PLCs (Programmable Logic Controllers), equipment that is often found in industrial facilities all over the world and used to control and automate sensors and motors. In their blog post, CRITIFENCE experts claimed to have developed a proof-of-concept ransomware that can use the two issues (CVE-2017-6032 and CVE-2017-6034) to delete a PLC's ladder logic diagram if a ransom isn't paid in due time, effectively wiping the PLC's software. At the time of writing, CRITIFENCE has not published the technical report they promised. Nevertheless, the two security flaws CRITIFENCE discovered are real and have resulted in a patch from Schneider Electric, the PLC vendor whose products are affected. Earlier this year, researchers from the Georgia Institute of Technology (GIT) created a proof-of-concept ransomware strain named LogicLocker that can alter programmable logic controller (PLC) parameters