(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Imagine a $50 million diamond heist that isn't investigated by any police body, and more than four days later, the broken vault that made the whole thing possible remains unfixed and suffers follow-on attacks by a group of marauding copycats. In essence, that's what's happening to an elite group of investors holding Bitcoin rival Ethereum, and the events threaten the very survival of the fledgling cryptocurrency.

The ransacked jeweler in this parable is The DAO, a crowdfunded investment fund that relies on highly specialized computer code and Ethereum to automatically execute investment decisions made by its members. On Friday, thieves exploited a software bug that allowed them to transfer more than 3.6 million "ether"—the base unit of the Ethereum currency—out of The DAO's coffers. The digital loot made up more than a third of The DAO's 11.5 million ether endowment. The seized booty is valued at anywhere from $45 million (based on the plummeting value of ether following the attack) to as high as $77 million (based on pre-attack exchange rates).

In the days following the theft, there have been at least a half-dozen copycat attacks (for instance, as documented here and here) that combined have purloined more than 785 ether. While the smaller attacks don't pose the same devastating blow, they underscore a problem that's vexingly hard to fix. As long as the flaw remains active, The DAO and the Ethereum currency are at risk of additional attacks that could further undermine their viability. (Note: as this story was close to going live, there were indications that at least some of the follow-on attacks were being carried out by whitehat hackers who, in essence, are attempting to save Ethereum from itself.)

[ERPSCAN-16-015] SAP NetWeaver Java AS - multiple XSS vulnerabilities
[ERPSCAN-16-016] SAP NetWeaver Java AS WD_CHAT - Information disclosure vulnerability
[slackware-security] pcre (SSA:2016-172-02)
[slackware-security] libarchive (SSA:2016-172-01)
APPLE-SA-2016-06-20-1 AirPort Base Station Firmware Update 7.6.7 and 7.7.7