Kevin Beaumont reports that, by compromising a router at Equinix in Chicago, attackers were able to forge DNS responses for myetherwallet.com, with users "redirected to a server hosted in Russia, which served the website using a fake certificate." Victims' online wallets were drained of cryptocurrency.
Also covered at The Verge and Ars Technica, which said:
Amazon lost control of a small number of its cloud services IP addresses for two hours on [April 24] when hackers exploited a known Internet-protocol weakness that let them redirect traffic to rogue destinations. By subverting Amazon's domain-resolution service, the attackers masqueraded as cryptocurrency website MyEtherWallet.com and stole about $150,000 in digital coins from unwitting end users. They may have targeted other Amazon customers as well.
(Score: 5, Interesting) by bradley13 on Monday April 30 2018, @07:54AM (8 children)
"Amazon lost control of a small number of its cloud services IP addresses"
No they didn't. The hack was pure MITM: someone intercepted and redirected traffic before it ever got to Amazon. The fact that the website is hosted on AWS is completely irrelevant. This is such bad reporting that I wonder if Amazon shouldn't demand compensation for damage to their reputation.
Also: stupid users. The certificate will have almost certainly been invalid (unless a root CA was compromised). While the exact appearance varies from browser to browser, all of them make it blindingly obvious that there is a certificate problem. So users, logging into their accounts, had to click past a fat, red warning and authorize a security exception. These are users who consider themselves technically competent enough to trade in digital currencies. It's theft, but there's still an element of that old saying: "a fool and his money are soon parted".
Everyone is somebody else's weirdo.
(Score: 5, Interesting) by maxwell demon on Monday April 30 2018, @08:20AM (4 children)
or did not properly do its job of verifying the applicant.
I wonder if redirection attacks could be used to get "legitimate" certificates from Let's Encrypt, using this simple recipe:
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1, Interesting) by Anonymous Coward on Monday April 30 2018, @01:20PM
> I wonder if redirection attacks could be used to get "legitimate" certificates from Let's Encrypt
Yes, absolutely. It doesn't need to be from Let's Encrypt either, since other CAs will issue certs using different proof mechanisms (email, DNS TXT entry, and so on) which, if you control the machine serving the IP, you may have control over (email) or may not (DNS TXT entry if the NS is on a different IP).
Getting this cert does force an initial delay during which you can only serve unsigned, while the cert is acquired.
(Score: 0) by Anonymous Coward on Monday April 30 2018, @01:22PM (2 children)
Are you using Let's Encrypt as an example, or are you saying there's something especially lax about Let's Encrypt? Other CAs offer certificates that are verified by showing control of a hostname by putting a special file on a website, or by receiving an e-mail. Reportedly, that didn't happen in this attack: the Verge says visitors to the malicious site were getting warned by their browsers because of problems with the certificate.
(Score: 2) by maxwell demon on Monday April 30 2018, @01:50PM (1 child)
I used LE specifically because I knew that LE uses such a mechanism, but I didn't know that other CAs use similar mechanisms. Of course as far as other CAs use similar mechanisms, similar strategies should work for them as well.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Tuesday May 01 2018, @01:48PM
> I didn't know that other CAs use similar mechanisms
Think about it. There has to be a way to transfer domains to new, legitimate owners. There has to be a way to verify ownership in the first place. Maybe the WHOIS data has a working phone number - but what are the odds that goes to the person making the request, in a large org?
Point being: it's not write-once. IP control is over-relied upon as identity proof.
(Score: 0) by Anonymous Coward on Monday April 30 2018, @08:23AM
And, crappy Bradley?
Let me get this straight, "almost certainly", which is to say, "not certainly", and root CA compromised? Is there any other kind? So, yeah, stupid users, not scammer Ponzi scheme DeVoss level of evilness. Of Course.
Old song from the '30s:
"Once I built a blockchain, now it's borked, brother can you spare an Uber."
(Score: 2) by JoeMerchant on Monday April 30 2018, @12:10PM
Yes, yes they do, every few seconds whenever you visit one of the millions of sites without a valid cert. Blinding is right.
🌻🌻 [google.com]
(Score: 0) by Anonymous Coward on Monday April 30 2018, @12:52PM
Well yeah, stupid users.
1. They use kryptokurrency.
2. See 1.