
posted by Fnord666 on Monday April 30 2018, @06:26AM   Printer-friendly
from the the-internet-was-broken dept.

Kevin Beaumont reports that, by compromising a router at Equinix in Chicago, attackers were able to forge DNS responses for myetherwallet.com, with users "redirected to a server hosted in Russia, which served the website using a fake certificate." Victims' online wallets were drained of cryptocurrency.

Also at The Verge and Ars Technica, which said:

Amazon lost control of a small number of its cloud services IP addresses for two hours on [April 24] when hackers exploited a known Internet-protocol weakness that let them redirect traffic to rogue destinations. By subverting Amazon's domain-resolution service, the attackers masqueraded as cryptocurrency website MyEtherWallet.com and stole about $150,000 in digital coins from unwitting end users. They may have targeted other Amazon customers as well.

Wikipedia on BGP
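The incident above hinged on a BGP announcement that drew traffic for Amazon's DNS prefixes to the wrong network. The following is an added illustration, not code from the story or from any of the outlets cited, of the kind of route-monitoring check a prefix owner runs to catch that: compare observed announcements against an expected-origin table and flag both foreign-origin announcements and more-specific prefixes, which win longest-prefix match. The prefixes, AS numbers and routes are constructed sample data (RFC 5737 documentation ranges and private ASNs).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One observed BGP announcement: the prefix and the AS that originated it."""
    prefix: str
    origin_as: int


# Constructed sample data (assumption): which AS should originate each monitored prefix.
# In practice this table would come from the operator's own records or RPKI ROAs.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64500,
}

# Constructed sample announcements as a route collector might report them.
SAMPLE_ROUTES = [
    Route("203.0.113.0/24", 64500),   # legitimate announcement
    Route("203.0.113.0/25", 64511),   # more-specific from a foreign AS: steals traffic
    Route("198.51.100.0/24", 64511),  # same prefix, wrong origin
    Route("192.0.2.0/24", 64499),     # not one of ours; ignored
]


def find_hijacks(routes, expected_origins):
    """Return (prefix, seen_origin, expected_origin, kind) for every announcement that
    falls inside a monitored prefix but is originated by an AS other than the expected one.
    kind is "more-specific" when the announced prefix is longer than the monitored one,
    otherwise "origin"."""
    monitored = {ipaddress.ip_network(p): asn for p, asn in expected_origins.items()}
    alerts = []
    for route in routes:
        net = ipaddress.ip_network(route.prefix)
        for mon_net, mon_asn in monitored.items():
            if net.version != mon_net.version or not net.subnet_of(mon_net):
                continue
            if route.origin_as != mon_asn:
                kind = "more-specific" if net.prefixlen > mon_net.prefixlen else "origin"
                alerts.append((route.prefix, route.origin_as, mon_asn, kind))
    return alerts


def run_example():
    return find_hijacks(SAMPLE_ROUTES, EXPECTED_ORIGINS)


if __name__ == "__main__":
    for prefix, seen, expected, kind in run_example():
        print(f"ALERT {kind}: {prefix} originated by AS{seen}, expected AS{expected}")
```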



 
  • (Score: 5, Interesting) by bradley13 on Monday April 30 2018, @07:54AM (8 children)

    by bradley13 (3053) on Monday April 30 2018, @07:54AM (#673631) Homepage Journal

    "Amazon lost control of a small number of its cloud services IP addresses"

    No they didn't. The hack was pure MITM: someone intercepted and redirected traffic before it ever got to Amazon. The fact that the website is hosted on AWS is completely irrelevant. This is such bad reporting that I wonder if Amazon shouldn't demand compensation for damage to their reputation.

    Also: stupid users. The certificate will have almost certainly been invalid (unless a root CA was compromised). While the exact appearance varies from browser to browser, all of them make it blindingly obvious that there is a certificate problem. So users, logging into their accounts, had to click past a fat, red warning and authorize a security exception. These are users who consider themselves technically competent enough to trade in digital currencies. It's theft, but there's still an element of that old saying: "a fool and his money are soon parted".

    --
    Everyone is somebody else's weirdo.
  • (Score: 5, Interesting) by maxwell demon on Monday April 30 2018, @08:20AM (4 children)

    by maxwell demon (1608) on Monday April 30 2018, @08:20AM (#673639) Journal

    unless a root CA was compromised

    or did not properly do its job of verifying the applicant.

    I wonder if redirection attacks could be used to get "legitimate" certificates from Let's Encrypt, using this simple recipe:

    1. Put up rogue web server, and get it ready for the LE certificate.
    2. Use this attack on whatever DNS the LE servers use, to redirect LE traffic for the target domain to the rogue server.
    3. Request a certificate from LE.
    4. The LE server tries to connect to the domain, and thanks to the redirection attack contacts the rogue server.
    5. The rogue server responds to LE as required, "convincing" the LE algorithm that it legitimately owns the domain.
    6. The certificate for the domain gets granted by LE.
    7. Now having a "legitimate" certificate, put up redirection attack on the actual target.
    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 1, Interesting) by Anonymous Coward on Monday April 30 2018, @01:20PM

      by Anonymous Coward on Monday April 30 2018, @01:20PM (#673707)

      > I wonder if redirection attacks could be used to get "legitimate" certificates from Let's Encrypt

      Yes, absolutely. It doesn't need to be from Let's Encrypt either, since other CAs will issue certs using different proof mechanisms (email, DNS TXT entry, and so on) which, if you control the machine serving the IP, you may have control over (email) or may not (DNS TXT entry if the NS is on a different IP).

      Getting this cert does force an initial delay, where you can only serve unsigned while the cert is acquired.

    • (Score: 0) by Anonymous Coward on Monday April 30 2018, @01:22PM (2 children)

      by Anonymous Coward on Monday April 30 2018, @01:22PM (#673709)

      Are you using Let's Encrypt as an example, or are you saying there's something especially lax about Let's Encrypt? Other CAs offer certificates that are verified by showing control of a hostname by putting a special file on a website, or by receiving an e-mail. Reportedly, that didn't happen in this attack: the Verge says visitors to the malicious site were getting warned by their browsers because of problems with the certificate.

      • (Score: 2) by maxwell demon on Monday April 30 2018, @01:50PM (1 child)

        by maxwell demon (1608) on Monday April 30 2018, @01:50PM (#673720) Journal

        Are you using Let's Encrypt as an example, or are you saying there's something especially lax about Let's Encrypt?

        I used LE specifically because I knew that LE uses such a mechanism, but I didn't know that other CAs use similar mechanisms. Of course as far as other CAs use similar mechanisms, similar strategies should work for them as well.

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 0) by Anonymous Coward on Tuesday May 01 2018, @01:48PM

          by Anonymous Coward on Tuesday May 01 2018, @01:48PM (#674129)

          > I didn't know that other CAs use similar mechanisms

          Think about it. There has to be a way to transfer domains to new, legitimate owners. There has to be a way to verify ownership in the first place. Maybe the WHOIS data has a working phone number - but what are the odds that goes to the person making the request, in a large org?

          Point being: it's not write-once. IP control is over-relied upon as identity proof.

  • (Score: 0) by Anonymous Coward on Monday April 30 2018, @08:23AM

    by Anonymous Coward on Monday April 30 2018, @08:23AM (#673641)

    And, crappy Bradley?

    Also: stupid users. The certificate will have almost certainly been invalid (unless a root CA was compromised).

    Let me get this straight, "almost certainly", which is to say, "not certainly", and root CA compromised? Is there any other kind? So, yeah, stupid users, not scammer Ponzi scheme DeVoss level of evilness. Of Course.

    Old song from the '30's:
    "Once I built a blockchain, now it's borked, brother can you spare an Uber."

  • (Score: 2) by JoeMerchant on Monday April 30 2018, @12:10PM

    by JoeMerchant (3937) on Monday April 30 2018, @12:10PM (#673687)

    blindingly obvious

    Yes, yes they do, every few seconds whenever you visit one of the millions of sites without a valid cert. Blinding is right.

    --
    🌻🌻 [google.com]
  • (Score: 0) by Anonymous Coward on Monday April 30 2018, @12:52PM

    by Anonymous Coward on Monday April 30 2018, @12:52PM (#673696)

    Well yeah, stupid users.

    1. They use kryptokurrency.

    2. See 1.