
SoylentNews is people

posted by Fnord666 on Sunday January 07 2018, @04:11PM   Printer-friendly
from the another-reason-for-using-VPNs dept.

Arthur T Knackerbracket has found the following story:

Thanks to the ridiculous valuation of Bitcoin and other cryptocurrencies, cryptomining code has become a common mechanism for converting authorized and stolen computing cycles into potential cash.

Antivirus and ad-blocker makers have responded by trying to halt crafty coin-crafting code from hijacking CPU time, particularly in browsers.

For those interested in violating computer laws – please, don't – and those interested in computer security research projects, a developer named Arnau, based in Spain, has published a proof-of-concept walkthrough for hacking public Wi-Fi networks to inject crypto-mining code in connected browsing sessions.

[...] As Arnau explained, the attack – demonstrated on a VirtualBox setup rather than in the wild – can be automated. The published version doesn't work with requests for HTTPS webpages, though the addition of sslstrip could solve that.

The code, mostly Python, is available on GitHub. ®


  • (Score: 2) by aiwarrior on Sunday January 07 2018, @08:08PM (1 child)

    Totally agree. In NoScript it is so complicated, due to the sheer number of domains I would need to audit, that I just go away. When there are few domains to audit and they seem legit I promptly temporarily white-list them. As far as I go.

  • (Score: 5, Insightful) by Justin Case on Sunday January 07 2018, @08:57PM

    When a site is pulling in code (often not even over https!) from other domains you can bet they probably haven't audited it either*. In other words, they are handing off their -- and your -- data to strangers whose motives are unknown.

    That alone is a large enough mark of incompetence -- or they just don't care, which is close to the same thing -- that I will usually decide to stay away.

    * Yeah, maybe one developer had a look at it before deciding to use the latest cool dancing-fonts library. Do they check every hour to see if the other site posted an update? Do they check if the other site delivers different code to different clients? Most are too dim-bulb to even imagine such issues, much less realize that it would be essentially impossible to defend against them.
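
The comment above raises two checkable properties of a page: which scripts it pulls from other domains, and which of those travel over plain HTTP where an on-path party on a shared network can rewrite them. The following is an added example, not part of the original story or discussion: a small auditor that lists each external script and flags plain-HTTP loads and third-party loads that are not pinned with a Subresource Integrity hash. The host names, the sample page and the `integrity` placeholder value are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptAudit(HTMLParser):
    """Collect every <script src=...> and classify it relative to the page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script: nothing fetched separately
        # Resolve relative and protocol-relative URLs the way a browser would.
        url = urljoin(self.page_url, src)
        parts = urlsplit(url)
        issues = []
        if parts.scheme == "http":
            issues.append("plain-http")      # modifiable in transit
        if parts.hostname != self.page_host:
            issues.append("third-party")     # code the site owner does not host
            if not a.get("integrity"):
                issues.append("no-sri")      # upstream can change it unnoticed
        if issues:
            self.findings.append((url, issues))

def audit(page_url, html):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (hypothetical hosts), served over plain HTTP.
SAMPLE_URL = "http://shop.example/index.html"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.example/fonts.js"></script>
<script src="https://widgets.example/w.js"></script>
<script src="https://pinned.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script>var inline = 1;</script>
</head></html>"""

if __name__ == "__main__":
    for url, issues in audit(SAMPLE_URL, SAMPLE_HTML):
        print(f"{url}: {', '.join(issues)}")
```

A script carrying an `integrity` attribute is refused by the browser if the delivered bytes no longer match the pinned hash, which covers both a silent upstream update and modification in transit.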