Bitcoin Forum
Author Topic: SourceForge mirror hacked. Bitcoin could be next target.  (Read 4432 times)
jimbobway (OP), Legendary (Activity: 1304, Merit: 1014)
September 26, 2012, 05:06:49 PM  #1

Make sure you use PGP to test your download before installing Bitcoin.

http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php

Quote
Summary

One server from the SourceForge.net mirror system was distributing a phpMyAdmin kit containing a backdoor.

Description

One of the SourceForge.net mirrors, namely cdnetworks-kr-1, was being used to distribute a modified archive of phpMyAdmin, which includes a backdoor. This backdoor is located in file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified.

Severity

We consider this vulnerability to be critical.
Blinken, Sr. Member (Activity: 338, Merit: 253)
September 26, 2012, 09:12:49 PM  #2

Obviously the hackers are going to change the hash on the site as well. How do you know you have a good hash? That is the problem.


Bitcoin ♦♦♦ Trust in Mathematics, Not Bankers ♦♦♦
jimbobway (OP), Legendary (Activity: 1304, Merit: 1014)
September 26, 2012, 09:19:23 PM  #3

Quote from: Blinken
Obviously the hackers are going to change the hash on the site as well. How do you know you have a good hash? That is the problem.

Using Gavin's PGP signature you can test the SHA256SUMS.asc file to see if the hash in the file is legit.

EDIT: See this thread https://bitcointalk.org/index.php?topic=69355.0
gusti, Legendary (Activity: 1099, Merit: 1000)
September 26, 2012, 09:36:37 PM  #4

Checking PGP signatures is fine, but I suspect this is not a procedure an average user will be doing.
Is it not possible to set up a dedicated, hardened and fully audited server, only for a bitcoin updates repository?

If you don't own the private keys, you don't own the coins.
jimbobway (OP), Legendary (Activity: 1304, Merit: 1014)
September 26, 2012, 09:39:25 PM  #5

Quote from: gusti
Checking PGP signatures is fine, but I suspect this is not a procedure an average user will be doing.
Is it not possible to set up a dedicated, hardened and fully audited server, only for a bitcoin updates repository?


This was discussed a while back.  Bitcoin devs considered hosting downloads on github which uses SSL and is more secure, but is attackable.

Maximum security is to use PGP.
gusti, Legendary (Activity: 1099, Merit: 1000)
September 26, 2012, 09:50:48 PM  #6

Quote from: gusti
Checking PGP signatures is fine, but I suspect this is not a procedure an average user will be doing.
Is it not possible to set up a dedicated, hardened and fully audited server, only for a bitcoin updates repository?

Quote from: jimbobway
This was discussed a while back.  Bitcoin devs considered hosting downloads on github which uses SSL and is more secure, but is attackable.

Maximum security is to use PGP.

I understand PGP is secure, but it's not convenient for the average Joe. I bet that the great majority of users have never checked a download before. A dedicated server, as opposed to github, can be audited and verified by the dev team at the file level before each download.


jgarzik, Legendary (Activity: 1596, Merit: 1091)
September 26, 2012, 09:51:45 PM  #7

Quote from: gusti
Checking PGP signatures is fine, but I suspect this is not a procedure an average user will be doing.
Is it not possible to set up a dedicated, hardened and fully audited server, only for a bitcoin updates repository?

A single server doesn't help much against DDoS, and bitcoin sites have often been DDoS victims in the past.

Multiple servers + active admin team can do it...  but at that point you've just reinvented SourceForge or CloudFlare.

If you go through a DDoS hardened proxy, you are back to trusting SF/CF/...


Jeff Garzik, Bloq CEO, former bitcoin core dev team; opinions are my own.
Visit bloq.com / metronome.io
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
jimbobway (OP), Legendary (Activity: 1304, Merit: 1014)
September 26, 2012, 09:53:52 PM  #8


Quote from: gusti
I understand PGP is secure, but it's not convenient for the average Joe. I bet that the great majority of users have never checked a download before. A dedicated server, as opposed to github, can be audited and verified by the dev team at the file level before each download.


Gavin would probably say something like, "You want to do it?"
gusti, Legendary (Activity: 1099, Merit: 1000)
September 26, 2012, 10:03:34 PM  #9


Quote from: gusti
I understand PGP is secure, but it's not convenient for the average Joe. I bet that the great majority of users have never checked a download before. A dedicated server, as opposed to github, can be audited and verified by the dev team at the file level before each download.

Quote from: jimbobway
Gavin would probably say something like, "You want to do it?"

Sure, why not, though Jeff is right on the DDoS issues. I'm also thinking of setting up a script which every hour will download and PGP-verify the files, and send an alarm by email if it sees any problem. Do you think that procedure can be helpful?

jgarzik, Legendary (Activity: 1596, Merit: 1091)
September 26, 2012, 10:07:06 PM  #10

Quote from: gusti
I'm also thinking of setting up a script which every hour will download and PGP-verify the files, and send an alarm by email if it sees any problem. Do you think that procedure can be helpful?

Absolutely.  That is a perfect example of decentralized action at work...  we need as many people as possible checking these things.


Gavin Andresen, Legendary, Chief Scientist (Activity: 1652, Merit: 2216)
September 26, 2012, 10:13:49 PM  #11

Quote from: gusti
I'm also thinking of setting up a script which every hour will download and PGP-verify the files, and send an alarm by email if it sees any problem. Do you think that procedure can be helpful?

Quote from: jgarzik
Absolutely.  That is a perfect example of decentralized action at work...  we need as many people as possible checking these things.

I was just about to say the same thing; if there were multiple people all over the world downloading and checking the binaries against the PGP signatures that would be a wonderful thing, and would be much more robust against all the various attacks that might happen (DNS poisoning on some subset of the Internet, compromising one mirror, etc etc etc).

How often do you get the chance to work on a potentially world-changing project?
jimbobway (OP), Legendary (Activity: 1304, Merit: 1014)
September 26, 2012, 10:15:15 PM  #12

This link might be helpful on Sourceforge mirrors:

http://sourceforge.net/apps/trac/sourceforge/wiki/Mirrors
gusti, Legendary (Activity: 1099, Merit: 1000)
September 26, 2012, 11:52:48 PM  #13

Quote from: gusti
I'm also thinking of setting up a script which every hour will download and PGP-verify the files, and send an alarm by email if it sees any problem. Do you think that procedure can be helpful?

Quote from: jgarzik
Absolutely.  That is a perfect example of decentralized action at work...  we need as many people as possible checking these things.

This script will download and verify the bitcoin installer, and send an email if any problem is found. The mailutils package is needed.

Code:

#!/bin/bash

# Working directory that holds the downloaded files (placeholder path).
cd "/path to files/" || exit 1

# Fetch Gavin's public key only if it is not already present.
if [ ! -f gavinandresen.asc ]
then
    wget http://bitcoin.org/gavinandresen.asc
fi

# Remove the previous downloads so stale files are never checked.
rm -f SHA256SUMS.asc
rm -f bitcoin-0.7.0-win32-setup.exe

wget http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.7.0/SHA256SUMS.asc
wget http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.7.0/bitcoin-0.7.0-win32-setup.exe

# Import the key (on every run) and verify the signed sums file; the exit
# status of gpg --verify is not checked by this script.
gpg --import gavinandresen.asc
gpg --verify SHA256SUMS.asc

# Compare the installer's hash line with the matching line in SHA256SUMS.asc.
sha256sum bitcoin-0.7.0-win32-setup.exe > shafile.txt
grep bitcoin-0.7.0-win32-setup.exe SHA256SUMS.asc > shafile2.txt

if diff shafile.txt shafile2.txt >/dev/null ; then
  echo ""
else
   echo "Verify problem !" | mail -s Bla xxx@yyyy.com
fi



jgarzik, Legendary (Activity: 1596, Merit: 1091)
September 26, 2012, 11:57:19 PM  #14

Just import Gavin's key once, rather than once each time you run the script.

gusti, Legendary (Activity: 1099, Merit: 1000)
September 26, 2012, 11:58:49 PM  #15

Quote from: jgarzik
Just import Gavin's key once, rather than once each time you run the script.

Yes, I think it only imports it once, if the file is not present.

dooglus, Legendary (Activity: 2940, Merit: 1330)
September 27, 2012, 04:58:58 AM  #16

The script checks whether the SHA256SUMS.asc file is correctly signed or not, and then ignores the result and continues whether or not the signature is valid.

Draino, Full Member (Activity: 168, Merit: 100)
September 27, 2012, 05:04:38 AM  #17

forgive my ignorance, but uh

what about BitTorrent?
gusti, Legendary (Activity: 1099, Merit: 1000)
September 27, 2012, 11:03:34 AM  #18

Quote from: dooglus
The script checks whether the SHA256SUMS.asc file is correctly signed or not, and then ignores the result and continues whether or not the signature is valid.

Yes, you are right, the script is very basic (I'm not a programmer, really) and does not check signature validity.



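A fail-closed version of the hourly check discussed above, covering both jimbobway's point in #3 (the hash in SHA256SUMS.asc is only trustworthy once Gavin's signature on that file verifies) and dooglus's objection in #16 (the gpg result must actually gate the outcome). This is an added example, not gusti's script or anything published by the Bitcoin project; the work directory and alert address are placeholders, the URLs and file names are taken from the thread, the signing key is assumed to be imported into the keyring once beforehand, and GNU coreutils sha256sum plus mailutils are assumed to be installed.

```shell
#!/bin/bash
# Added example: fail-closed download-and-verify check for the 0.7.0 Windows
# installer. Every step gates the next one; any failure sends one alert mail.
set -u

WORKDIR="${WORKDIR:-/path/to/files}"      # placeholder, adapt to your host
BASEURL="http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.7.0"
SUMS="SHA256SUMS.asc"
INSTALLER="bitcoin-0.7.0-win32-setup.exe"
ALERT_TO="xxx@yyyy.com"                   # placeholder recipient

# Verify the clearsigned sums file against keys already in the keyring
# (import gavinandresen.asc once, by hand, as jgarzik suggested).
# Returns gpg's exit status, so a bad or missing signature fails the run.
verify_signature() {
    gpg --batch --verify "$1" >/dev/null 2>&1
}

# Check the installer against its own line in the sums file. The line is
# selected by exact file name and fed to sha256sum -c, which fails when the
# hash differs or when no line for the file exists at all.
# $1 = sums file, $2 = installer file name (in the current directory)
verify_hash() {
    grep -E "^[0-9a-f]{64}  $2\$" "$1" | sha256sum -c --status -
}

alert() {
    echo "Bitcoin download verification failed: $1" | mail -s "bitcoin verify alert" "$ALERT_TO"
    exit 1
}

main() {
    cd "$WORKDIR" || alert "cannot enter $WORKDIR"
    rm -f "$SUMS" "$INSTALLER"                  # never re-check stale files
    wget -q "$BASEURL/$SUMS" "$BASEURL/$INSTALLER" || alert "download failed"
    verify_signature "$SUMS"         || alert "bad or missing PGP signature on $SUMS"
    verify_hash "$SUMS" "$INSTALLER" || alert "hash mismatch for $INSTALLER"
    echo "OK: $INSTALLER matches signed $SUMS"
}

# From cron: /path/to/this-script.sh run   (no argument defines the functions only)
if [ "${1:-}" = "run" ]; then
    main
fi
```

Unlike the diff-based comparison, an empty grep result (the installer not listed in the sums file at all) is also treated as a failure.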
intel-core-i7, Member (Activity: 86, Merit: 10)
September 28, 2012, 03:09:00 AM  #19

I will post a new script + a PHP version to put on shared hosting - for people who have just that...

When I post - I will be happy for donations

162QsQNozzpF242K3n7nXuzkBAtbjcsbQF


If you like what I do - donate : 1MWoRs6wKyJLLYm7gjrWeTcipCrCTneCRE
 | torchat: g7hzmvlpjygbiage
kokojie, Legendary (Activity: 1792, Merit: 1003)
September 28, 2012, 03:53:08 AM  #20

Can't someone just create a monitoring script, using PHP, and tell us if the current file is valid? Everyone can run this on their own server or host it for others.

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6