Slashdot Mirror
Suspicious Event Hijacks Amazon Traffic For 2 hours, Steals Cryptocurrency (arstechnica.com)
Amazon lost control of some of its widely used cloud services for two hours on Tuesday morning when hackers exploited a known Internet-protocol weakness that allowed them to redirect traffic to rogue destinations, according to media reports. ArsTechnica: The attackers appeared to use one server masquerading as cryptocurrency website MyEtherWallet.com to steal digital coins from unwitting end users. They may have targeted other customers of Amazon's Route 53 service as well. The incident, which started around 6am California time, hijacked roughly 1,300 IP addresses, Oracle-owned Internet Intelligence said on Twitter. The malicious redirection was caused by fraudulent routes that were announced by Columbus, Ohio-based eNet, a large Internet service provider that is referred to as autonomous system 10297. Once in place, the eNet announcement caused some of its peers to send traffic over the same unauthorized routes. [...] Tuesday's event may also have ties to Russia, because MyEtherWallet traffic was redirected to a server in that country, security researcher Kevin Beaumont said in a blog post. The redirection came by rerouting domain name system traffic and using a server hosted by Chicago-based Equinix to perform a man-in-the-middle attack. MyEtherWallet officials said the hijacking was used to send end users to a phishing site. Participants in this cryptocurrency forum appear to discuss the scam site. Further reading: Hacker Hijacks DNS Server of MyEtherWallet to Steal $160,000 (BleepingComputer).
This was not dns hijacking. It’s BGP hijacking. The routing protocol is horribly outdated and has no security at all. No authentication, no validation. We need a new version of BGP that includes some way to authenticate updates and ensure the routes are for addresses the AS number is authoritative for in some way.
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
Try following the "Out" transactions. Eventually (five or six hops) you're going to end up at this wallet, which currently contains over $17 MILLION USD of ETH. Not bad for a couple of hours work...
UNIX? They're not even circumcised! Savages!
It has security. The edge providers have responsibility to not accept announces from customers for IP subtest that do not belong to them. It seems like the guys in Ohio screwed up and allowed receiving and redistributing any announce whatsoever. This is not backbone. Edges should use BGP filters from customers
No authentication, no validation. We need a new version of BGP that includes some way to authenticate updates and ensure the routes are for addresses the AS number is authoritative for in some way
Authentication normally involves some form of authority. (They even use the same root word). How would you authorize routes when no authority exists?
I think there has to be a better way to do this, but I suspect it's not through authentication or authorization.
That's not "security", that's "good intentions".
Socialism: a lie told by totalitarians and believed by fools.
Why the hell would the Russian government steal a few millions of crypto currency? It's the scale equivalent of a millionaire setting up a sophisticated shop and scheme to heist a few pennies, it just makes no sense.
You are confusing two technologies. The DNS systems employed by lets encrypt doo foot server lookups, and it would be difficult to have a coordinated attack hijack all of their authorization servers. The vulnerability here is in BGP, which advertises routes to public IPs. There are no defenses or security against route hijacking, which allows an attack to take place.
From the fine article:
"the phishing site used a fake HTTPS certificate that would have required end users to click through a browser warning."
So: yes it's protected from https... if the user is smart enough to do not accept a fake certificate.
GPP said "real certificate to a fake site". Did you real that carefully? It's one of the proven DNS-related attacks, although one that's a lot harder these days than when it was first exploited. Attacks included:
* Typosquatting name (or common misspelling)
* Names with different punctuation, e.g. "bank-of-america.com" has a certificate, and it looks like "bankofamerica.com", but I wouldn't trust it.
*Lookalike names via UTF8 tricks (I think every current browser protects against this one now)
* long URLs that start with something legit-looking and hide the ".attacker.com" off the irght of the display.
I'm sure you see the pattern. There was even a name like "citibank\0attacker.com" with a null in the registered name at one point, which I though was pretty clever.
Of course, all these required phishing to be useful, but the point is that HTTPS doesn't protect against phishing. Most of the obvious approaches to fake site names have been closed by browser venders or companies waking up to the need to register "nearby" sites to avoid confusion, and not by any improvements to the underlying protocols.
Socialism: a lie told by totalitarians and believed by fools.
I think you mean best practices. You can't just update the routing protocol and expect people to use it properly.
You can't fix incompetence by simply changing standards all the time.
Really, this attack was made possible by a whole lot of incompetence at many layers.
In the end, DNS will likely fix everything...
https://www.rfc-editor.org/rfc...
120 characters ought to be enough for anyone