Title: Today's Man-In-The-Middle Post by: pascal257 on December 02, 2013, 01:26:41 AM Quote News: If you used your password to login between 06:00 Dec 1 UTC and 20:00 Dec 2 UTC, then your password may have been captured in a man-in-the-middle attack, and you should change your password here and wherever else you used it. If you were only logged in via the "remember me" feature, then you're OK. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Here's what we think happened: 8-14 hours ago, an attacker used a flaw in the forum's AnonymousSpeech registrar to change the forum's DNS to point to 108.162.197.161 (exact details unknown). Sirius noticed this 8 hours ago and immediately transferred bitcointalk.org to a different registrar. However, such changes take about 24 hours to propagate. Because the HTTPS protocol is pretty terrible, this alone could have allowed the attacker to intercept and modify encrypted forum transmissions, allowing them to see passwords sent during login, authentication cookies, PMs, etc. Your password only could have been intercepted if you actually entered it while the forum was affected. I invalidated all security codes, so you're not at risk of having your account stolen if you logged in using the "remember me" feature without actually entering your password. For the next ~20 hours, you should only log into the forum if you're quite sure that you're talking to the correct server. This can be done by adding '109.201.133.195 bitcointalk.org' to your hosts file (remember to remove it later!), or by using some browser plugin to ensure that you're talking to the server with TLS certificate SHA1 fingerprint of: 29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B Simultaniously, the forum has been the target of a massive DDoS attack. These two events are probably related, though I'm not yet sure why an attacker would do both of these things at once. -----BEGIN PGP SIGNATURE----- iF4EAREIAAYFAlKb2nkACgkQxlVWk9q1kefhTwD+Ni5k7CUrHjvzG29wO3Gx4Am+ MV5tdw8zE1AAWvbstt8BAIrndOXCYmawoXN+VeSZkLXHnCyQbR8IOftQnpl2aXYs =465T -----END PGP SIGNATURE----- I think the end date in the news is wrong, it seems to be in the future. Or is that a precaution regarding DNS propagation? Title: Re: Today's Man-In-The-Middle Post by: smeagol on December 02, 2013, 01:57:09 AM yes, the date is tomorrow. that is interesting
Title: Re: Today's Man-In-The-Middle Post by: theymos on December 02, 2013, 02:12:09 AM it seems to be in the future. Or is that a precaution regarding DNS propagation? Right. Title: Re: Today's Man-In-The-Middle Post by: anti-scam on December 02, 2013, 04:51:29 AM Was this attack only a MitM to steal passwords or was malicious content served? I've read reports of suspicious Java applets.
Title: Re: Today's Man-In-The-Middle Post by: theymos on December 02, 2013, 04:53:14 AM Was this attack only a MitM to steal passwords or was malicious content served? I've read reports of suspicious Java applets. There was only one report of that, and I think that he was probably thinking of JavaScript. CloudFlare has an error page that asks you to enable JS so it can more accurately fingerprint you. Title: Re: Today's Man-In-The-Middle Post by: anti-scam on December 02, 2013, 05:07:43 AM Was this attack only a MitM to steal passwords or was malicious content served? I've read reports of suspicious Java applets. There was only one report of that, and I think that he was probably thinking of JavaScript. CloudFlare has an error page that asks you to enable JS so it can more accurately fingerprint you. Well I had a random browser crash after being served an odd page when accessing the site (though I don't have Java or JS enabled) but it must have been a coincidence. Title: Re: Today's Man-In-The-Middle Post by: extortion on December 02, 2013, 05:21:43 AM Was the Hacker Named Robert DROP TABLES?
Title: Re: Today's Man-In-The-Middle Post by: justusranvier on December 02, 2013, 05:23:23 AM Title: Re: Today's Man-In-The-Middle Post by: maurya78 on December 02, 2013, 09:54:26 AM you are right, hadn't noticed that the end date is in the future
Very interesting Title: Re: Today's Man-In-The-Middle Post by: Sindelar1938 on December 02, 2013, 10:28:12 AM I just changed my password and other settings
Anything else that I need to do to be safe? Thanks for any input Title: Re: Today's Man-In-The-Middle Post by: wachtwoord on December 02, 2013, 11:51:01 AM I logged on just now via the ip 109.201.133.195 then everything should be peachy right?
Title: Re: Today's Man-In-The-Middle Post by: Kluge on December 02, 2013, 11:54:59 AM I logged on just now via the ip 109.201.133.195 then everything should be peachy right? Yeah. You can double-check the SSL certificate if you want. SHA1 fingerprint should be 29 0e cc 82 2b 3c ce 0a 73 94 35 a0 26 15 ec d3 eb 1f 46 6bTitle: Re: Today's Man-In-The-Middle Post by: jarhed on December 02, 2013, 12:06:04 PM Yeah. You can double-check the SSL certificate if you want. SHA1 fingerprint should be 29 0e cc 82 2b 3c ce 0a 73 94 35 a0 26 15 ec d3 eb 1f 46 6b All letters in my SHA1 fingerprint are full Caps. 29 0E CC 82 2B 3C CE 0A 73 94 35 A0 26 15 EC D3 EB 1F 46 6B Title: Re: Today's Man-In-The-Middle Post by: wachtwoord on December 02, 2013, 12:12:02 PM I logged on just now via the ip 109.201.133.195 then everything should be peachy right? Yeah. You can double-check the SSL certificate if you want. SHA1 fingerprint should be 29 0e cc 82 2b 3c ce 0a 73 94 35 a0 26 15 ec d3 eb 1f 46 6bThanks, it checks out :) Title: Re: Today's Man-In-The-Middle Post by: CIYAM on December 02, 2013, 12:21:09 PM All letters in my SHA1 fingerprint are full Caps. Caps is not relevant for the hash value when it's displayed as hex (i.e. it can be shown using either upper or lower case letters but is still the same hash value regardless). Title: Re: Today's Man-In-The-Middle Post by: jarhed on December 02, 2013, 12:38:46 PM All letters in my SHA1 fingerprint are full Caps. Caps is not relevant for the hash value when it's displayed as hex (i.e. it can be shown using either upper or lower case letters but is still the same hash value regardless). Thanx. Title: Re: Today's Man-In-The-Middle Post by: Phinnaeus Gage on December 03, 2013, 12:09:20 AM Yeah. You can double-check the SSL certificate if you want. SHA1 fingerprint should be 29 0e cc 82 2b 3c ce 0a 73 94 35 a0 26 15 ec d3 eb 1f 46 6b All letters in my SHA1 fingerprint are full Caps. 29 0E CC 82 2B 3C CE 0A 73 94 35 A0 26 15 EC D3 EB 1F 46 6B Let's pretend for a sec that I don't have a clue as to where to look for the above. Remember, we're only pretending, but any help would be appreciated by those who don't know how to pretend. ~TMIBTCITW Title: Re: Today's Man-In-The-Middle Post by: jackjack on December 03, 2013, 12:10:31 AM Click on the padlock, then try to find it
Title: Re: Today's Man-In-The-Middle Post by: wachtwoord on December 03, 2013, 12:16:40 AM Click on the padlock, then try to find it The little lock in the address bar indicating it uses https (SSL) Title: Re: Today's Man-In-The-Middle Post by: jackjack on December 03, 2013, 12:18:27 AM Click on the padlock, then try to find it The little lock in the address bar indicating it uses https (SSL) Title: Re: Today's Man-In-The-Middle Post by: devthedev on December 03, 2013, 12:53:12 AM I wonder which resource on the page is not secure...
Title: Re: Today's Man-In-The-Middle Post by: Raize on August 26, 2014, 03:51:53 PM I have a SHA1 thumbprint for a 7/7/2014 certificate verified by Rapid SSL of the following:
7b:cf:43:ce:3b:6a:9e:78:62:81:76:6f:9a:71:7a:da:e2:7c:37:c6 Is this correct? I see references to a different cert in this thread. Sorry for the necro, I just thought it might be good to reference why I was posting rather than doing a new thread about it. Title: Re: Today's Man-In-The-Middle Post by: Kluge on August 27, 2014, 02:29:58 AM I have a SHA1 thumbprint for a 7/7/2014 certificate verified by Rapid SSL of the following: Yep, that's what I have. Issued on July 7th. Connecting directly to server IP address provides same. Does the thumbprint change if cert is renewed??7b:cf:43:ce:3b:6a:9e:78:62:81:76:6f:9a:71:7a:da:e2:7c:37:c6 Is this correct? I see references to a different cert in this thread. Sorry for the necro, I just thought it might be good to reference why I was posting rather than doing a new thread about it. Title: Re: Today's Man-In-The-Middle Post by: theymos on August 28, 2014, 11:57:51 PM I have a SHA1 thumbprint for a 7/7/2014 certificate verified by Rapid SSL of the following: 7b:cf:43:ce:3b:6a:9e:78:62:81:76:6f:9a:71:7a:da:e2:7c:37:c6 Is this correct? I see references to a different cert in this thread. Sorry for the necro, I just thought it might be good to reference why I was posting rather than doing a new thread about it. https://bitcointalk.org/index.php?topic=568146.0 Does the thumbprint change if cert is renewed?? No. |