Theft-as-a-Service on Ethereum

Predatory trading is a growing threat in both traditional and cryptocurrency exchanges. Some aspects of these behaviors have been popularized in the news, such as in the recent downfall of FTX and its CEO Sam Bankman-Fried. These, however, tell only part of the story of the fraud and theft that regularly occur within the most popular cryptocurrencies. Under less public scrutiny has been the unethical monetary extraction occurring trade-by-trade in cryptocurrencies, and the ad-hoc solutions designed to ameliorate its negative consequences. One such solution, the Flashbots project, was created to address the negative externalities associated with some types of predatory trading in cryptocurrency exchanges, specifically frontrunning on Ethereum. With a market cap of nearly 150 billion USD, Ethereum is the second-most valuable cryptocurrency in the world. In Q3 2022, Ethereum saw over 16 million active users. Anyone can create an Ethereum account for free using a well-known procedure not much more complicated than generating a public key pair.


PHP Version Check - Cold LAMPin' Your IT

Running a LAMP server used to be what the cool kids did. Nowadays, cold lampin’ it ain’t cutting it no more. Setting the Cultural Context: to me, “It Takes a Nation of Millions to Hold Us Back” represents the epitome of rap music that speaks out about the cultural division of US society, which has only polarized in recent years. Why I dare say that I know something about it in practice is the fact that to me, a white, privileged Nordic teenager, living in the periphery of Detroit in 1990 highlighted the black versus white dichotomy in a concrete way: affluent versus poor, country club buffets versus food stamps. More importantly, the lyrics of Carlton Douglas Ridenhour have been the cultural inspiration for the name of this blog, Public Exposure. In a sense, he represents the attitude of speaking out cold truths about the reality in which you live, which in the context of this blog relates to the poor state of cyber security of the Internet as a whole.


How to Identify Attack Surface that Must be Addressed

Some time in January 2022, I promised Lari that I would write up some thoughts on attack surface management. I thought I’d perhaps have material for a single blog post. Now, two posts later, we still have to dig into some of the most difficult problems in the process. If you haven’t read my earlier posts, the first covered asset discovery and the second focused on exposure assessment. Should you have adopted an attack surface identification process such as the one I have outlined in my previous posts, by this point you will have a lot of data. In a larger assignment, I usually end up using a couple of online services, half a dozen open source tools, and numerous ad-hoc scripts. The result is a hot mess of JSON files, tool-specific text files, files with HTTP headers, and HTML content. Some integrated scanning frameworks or third-party services might make things easier for you.
