date 2018-04-01
from the the-internet-was-broken dept.
Kevin Beaumont reports that, by compromising a router at Equinix in Chicago, attackers were able to forge DNS responses for myetherwallet.com, with users "redirected to a server hosted in Russia, which served the website using a fake certificate." Victims' online wallets were drained of cryptocurrency.
Also at The Verge and Ars Technica, which said:
Amazon lost control of a small number of its cloud services IP addresses for two hours on [April 24] when hackers exploited a known Internet-protocol weakness that let them redirect traffic to rogue destinations. By subverting Amazon's domain-resolution service, the attackers masqueraded as cryptocurrency website MyEtherWallet.com and stole about $150,000 in digital coins from unwitting end users. They may have targeted other Amazon customers as well.
(Score: 2) by Rosco P. Coltrane on Monday April 30, @07:32AM
150,000 *pretend* dollars were lost.
(Score: 2) by maxwell demon on Monday April 30, @07:45AM (1 child)
So the Ethereum was not in possession of the victims, but of whoever operates myetherwallet.com.
This attack is in no way different than if someone had managed to redirect traffic to your bank onto their server, and present a fake certificate to your browser, and then emptied your account with the credentials you enter on what you think is your bank's web site.
The true message here is: Certificates don't give you the security you might think they do (well, I guess to most users of this site, that's not really news).
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by MichaelDavidCrawford on Monday April 30, @08:09AM
The money is on the blockchain. It never goes anywhere else. When you make a transaction that transaction is recorded in a future block.
Wallets are nothing more than a table of public/private key pairs.
MyEtherWallet wallets are on the user's machine. If the users had used a local application to access their wallets there wouldn't have been a hack.
By using - and trusting - javascript that's downloaded every time they accessed their wallets, their private keys got snarfed by the bad guys.
It's ill-advised to leave significant money in online wallets. Online wallets should only be used for trading; there's no reason to use online wallets just for peer-to-peer payments. Local wallets - on your own box - work just fine for payments.
Even better is "cold storage" - put your wallet on an external storage device then make a couple offsite backups.
"MICHAEL DAVID CRAWFORD IS A LYING MOTHERFUCKER."
-- Anonymous Coward
(Score: 2) by bradley13 on Monday April 30, @07:54AM
"Amazon lost control of a small number of its cloud services IP addresses"
No they didn't. The hack was pure MITM: someone intercepted and redirected traffic before it ever got to Amazon. The fact that the website is hosted on AWS is completely irrelevant. This is such bad reporting that I wonder if Amazon shouldn't demand compensation for damage to their reputation.
Also: stupid users. The certificate will have almost certainly been invalid (unless a root CA was compromised). While the exact appearance varies from browser to browser, all of them make it blindingly obvious that there is a certificate problem. So users, logging into their accounts, had to click past a fat, red warning and authorize a security exception. These are users who consider themselves technically competent enough to trade in digital currencies. It's theft, but there's still an element of that old saying: "a fool and his money are soon parted".
Everyone is somebody else's weirdo.