Bitcoin Forum
Author Topic: Today's Man-In-The-Middle  (Read 4511 times)
pascal257
Sr. Member
****
Offline Offline

Activity: 479
Merit: 250


View Profile
December 02, 2013, 01:26:41 AM
 #1

Quote
News: If you used your password to login between 06:00 Dec 1 UTC and 20:00 Dec 2 UTC, then your password may have been captured in a man-in-the-middle attack, and you should change your password here and wherever else you used it. If you were only logged in via the "remember me" feature, then you're OK.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Here's what we think happened:

8-14 hours ago, an attacker used a flaw in the forum's AnonymousSpeech registrar to change the forum's DNS to point to 108.162.197.161 (exact details unknown). Sirius noticed this 8 hours ago and immediately transferred bitcointalk.org to a different registrar. However, such changes take about 24 hours to propagate.

Because the HTTPS protocol is pretty terrible, this alone could have allowed the attacker to intercept and modify encrypted forum transmissions, allowing them to see passwords sent during login, authentication cookies, PMs, etc. Your password only could have been intercepted if you actually entered it while the forum was affected. I invalidated all security codes, so you're not at risk of having your account stolen if you logged in using the "remember me" feature without actually entering your password.

For the next ~20 hours, you should only log into the forum if you're quite sure that you're talking to the correct server. This can be done by adding '109.201.133.195 bitcointalk.org' to your hosts file (remember to remove it later!), or by using some browser plugin to ensure that you're talking to the server with TLS certificate SHA1 fingerprint of:
29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B

Simultaneously, the forum has been the target of a massive DDoS attack. These two events are probably related, though I'm not yet sure why an attacker would do both of these things at once.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlKb2nkACgkQxlVWk9q1kefhTwD+Ni5k7CUrHjvzG29wO3Gx4Am+
MV5tdw8zE1AAWvbstt8BAIrndOXCYmawoXN+VeSZkLXHnCyQbR8IOftQnpl2aXYs
=465T
-----END PGP SIGNATURE-----


I think the end date in the news is wrong, it seems to be in the future. Or is that a precaution regarding DNS propagation?
smeagol
Hero Member
*****
Offline Offline

Activity: 966
Merit: 1000


bitclicker.ga


View Profile WWW
December 02, 2013, 01:57:09 AM
 #2

Yes, the date is tomorrow. That is interesting.

theymos
Administrator
Legendary
*
Offline Offline

Activity: 3626
Merit: 7415


View Profile
December 02, 2013, 02:12:09 AM
 #3

Quote
it seems to be in the future. Or is that a precaution regarding DNS propagation?

Right.

anti-scam
Sr. Member
****
Offline Offline

Activity: 476
Merit: 251


COINECT


View Profile
December 02, 2013, 04:51:29 AM
 #4

Was this attack only a MitM to steal passwords or was malicious content served? I've read reports of suspicious Java applets.

theymos
Administrator
Legendary
*
Offline Offline

Activity: 3626
Merit: 7415


View Profile
December 02, 2013, 04:53:14 AM
 #5

Quote
Was this attack only a MitM to steal passwords or was malicious content served? I've read reports of suspicious Java applets.

There was only one report of that, and I think that he was probably thinking of JavaScript. CloudFlare has an error page that asks you to enable JS so it can more accurately fingerprint you.

anti-scam
Sr. Member
****
Offline Offline

Activity: 476
Merit: 251


COINECT


View Profile
December 02, 2013, 05:07:43 AM
 #6

Quote
Was this attack only a MitM to steal passwords or was malicious content served? I've read reports of suspicious Java applets.

There was only one report of that, and I think that he was probably thinking of JavaScript. CloudFlare has an error page that asks you to enable JS so it can more accurately fingerprint you.

Well, I had a random browser crash after being served an odd page when accessing the site (though I don't have Java or JS enabled), but it must have been a coincidence.

extortion
Full Member
***
Offline Offline

Activity: 141
Merit: 100


View Profile
December 02, 2013, 05:21:43 AM
 #7

Was the Hacker Named Robert DROP TABLES?

justusranvier
Legendary
*
Offline Offline

Activity: 1400
Merit: 1006



View Profile
December 02, 2013, 05:23:23 AM
 #8

maurya78
Hero Member
*****
Offline Offline

Activity: 490
Merit: 500


View Profile
December 02, 2013, 09:54:26 AM
 #9

You are right, I hadn't noticed that the end date is in the future.

Very interesting

Sindelar1938
Hero Member
*****
Offline Offline

Activity: 490
Merit: 500


View Profile
December 02, 2013, 10:28:12 AM
 #10

I just changed my password and other settings
Anything else that I need to do to be safe?
Thanks for any input

wachtwoord
Legendary
*
Offline Offline

Activity: 2100
Merit: 1039


View Profile
December 02, 2013, 11:51:01 AM
 #11

I logged on just now via the IP 109.201.133.195, so everything should be peachy, right?
Kluge
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1011



View Profile
December 02, 2013, 11:54:59 AM
 #12

Quote
I logged on just now via the IP 109.201.133.195, so everything should be peachy, right?

Yeah. You can double-check the SSL certificate if you want. The SHA1 fingerprint should be 29 0e cc 82 2b 3c ce 0a 73 94 35 a0 26 15 ec d3 eb 1f 46 6b
jarhed
Sr. Member
****
Offline Offline

Activity: 532
Merit: 254


BuyAnyLight - Blockchain LED Marketplace


View Profile
December 02, 2013, 12:06:04 PM
 #13

Quote
Yeah. You can double-check the SSL certificate if you want. The SHA1 fingerprint should be 29 0e cc 82 2b 3c ce 0a 73 94 35 a0 26 15 ec d3 eb 1f 46 6b

All letters in my SHA1 fingerprint are in full caps.
29 0E CC 82 2B 3C CE 0A 73 94 35 A0 26 15 EC D3
EB 1F 46 6B

wachtwoord
Legendary
*
Offline Offline

Activity: 2100
Merit: 1039


View Profile
December 02, 2013, 12:12:02 PM
 #14

Quote
I logged on just now via the IP 109.201.133.195, so everything should be peachy, right?

Yeah. You can double-check the SSL certificate if you want. The SHA1 fingerprint should be 29 0e cc 82 2b 3c ce 0a 73 94 35 a0 26 15 ec d3 eb 1f 46 6b

Thanks, it checks out :)
CIYAM
Legendary
*
Offline Offline

Activity: 1890
Merit: 1003


Ian Knowles - CIYAM Lead Developer


View Profile WWW
December 02, 2013, 12:21:09 PM
 #15

Quote
All letters in my SHA1 fingerprint are in full caps.

Case is not relevant to the hash value when it's displayed as hex (i.e. it can be shown using either upper- or lower-case letters but is still the same hash value regardless).

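The check theymos and Kluge describe (reach the pinned IP, then compare the leaf certificate's SHA1 fingerprint against the one posted) and CIYAM's point that hex case does not matter, as an added example that is not code from the thread or from the forum. The fingerprint and IP constants are the December 2013 values quoted above, so a live run today will report a mismatch; the normalisation helpers work offline.

```python
import hashlib
import socket
import ssl

# Fingerprint theymos posted for the genuine bitcointalk.org certificate (Dec 2013).
EXPECTED_SHA1 = "29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B"
PINNED_IP = "109.201.133.195"  # the address from theymos's hosts-file advice


def normalize_fingerprint(fp):
    """Drop colons/spaces and fold case so '29 0e cc ...' and '29:0E:CC:...'
    compare equal: hex digits are case-insensitive, as CIYAM notes."""
    digits = "".join(ch for ch in fp if ch not in ": ")
    if len(digits) != 40 or any(ch not in "0123456789abcdefABCDEF" for ch in digits):
        raise ValueError("not a SHA1 fingerprint: %r" % fp)
    return digits.lower()


def fingerprint_of_der(der_bytes):
    """SHA1 over the DER-encoded certificate, which is what the browser's
    padlock dialog displays as the fingerprint."""
    return hashlib.sha1(der_bytes).hexdigest()


def fingerprints_match(seen, expected):
    return normalize_fingerprint(seen) == normalize_fingerprint(expected)


def fetch_leaf_fingerprint(host, ip=None, port=443, timeout=10):
    """Open a TLS connection and return the leaf certificate's SHA1 fingerprint.
    With ip= set we connect to that address but still send host as SNI and
    check the certificate name against it: the effect of the hosts-file entry
    theymos suggested, without editing system files."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip or host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint_of_der(tls.getpeercert(binary_form=True))


def check_pin(host, expected, ip=None):
    """Return (ok, seen). A mismatch means the server reached is not presenting
    the pinned certificate, which is what a DNS hijack plus MitM looks like."""
    seen = fetch_leaf_fingerprint(host, ip=ip)
    return fingerprints_match(seen, expected), seen


if __name__ == "__main__":
    ok, seen = check_pin("bitcointalk.org", EXPECTED_SHA1, ip=PINNED_IP)
    print("pinned certificate %s (saw %s)" % ("OK" if ok else "MISMATCH", seen))
```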
jarhed
Sr. Member
****
Offline Offline

Activity: 532
Merit: 254


BuyAnyLight - Blockchain LED Marketplace


View Profile
December 02, 2013, 12:38:46 PM
 #16

Quote
All letters in my SHA1 fingerprint are in full caps.

Case is not relevant to the hash value when it's displayed as hex (i.e. it can be shown using either upper- or lower-case letters but is still the same hash value regardless).


Thanks.
Phinnaeus Gage
Legendary
*
Offline Offline

Activity: 1834
Merit: 1107


Bitcoin: An Idea Worth Spending


View Profile WWW
December 03, 2013, 12:09:20 AM
 #17

Quote
Yeah. You can double-check the SSL certificate if you want. The SHA1 fingerprint should be 29 0e cc 82 2b 3c ce 0a 73 94 35 a0 26 15 ec d3 eb 1f 46 6b

All letters in my SHA1 fingerprint are in full caps.
29 0E CC 82 2B 3C CE 0A 73 94 35 A0 26 15 EC D3
EB 1F 46 6B

Let's pretend for a sec that I don't have a clue as to where to look for the above. Remember, we're only pretending, but any help would be appreciated by those who don't know how to pretend.

~TMIBTCITW

jackjack
Legendary
*
Offline Offline

Activity: 1134
Merit: 1028


May Bitcoin be touched by his Noodly Appendage


View Profile
December 03, 2013, 12:10:31 AM
 #18

Click on the padlock, then try to find it

wachtwoord
Legendary
*
Offline Offline

Activity: 2100
Merit: 1039


View Profile
December 03, 2013, 12:16:40 AM
 #19

Quote
Click on the padlock, then try to find it

The little lock in the address bar indicating it uses https (SSL)
jackjack
Legendary
*
Offline Offline

Activity: 1134
Merit: 1028


May Bitcoin be touched by his Noodly Appendage


View Profile
December 03, 2013, 12:18:27 AM
 #20

Quote
Click on the padlock, then try to find it

The little lock in the address bar indicating it uses https (SSL)

Yeah, sorry, I should have clarified that.

devthedev
Legendary
*
Offline Offline

Activity: 1036
Merit: 1000



View Profile
December 03, 2013, 12:53:12 AM
 #21

I wonder which resource on the page is not secure...

Raize
Donator
Legendary
*
Offline Offline

Activity: 1417
Merit: 1008


View Profile
August 26, 2014, 03:51:53 PM
 #22

I have a SHA1 thumbprint for a 7/7/2014 certificate verified by Rapid SSL of the following:
7b:cf:43:ce:3b:6a:9e:78:62:81:76:6f:9a:71:7a:da:e2:7c:37:c6

Is this correct? I see references to a different cert in this thread. Sorry for the necro, I just thought it might be good to reference why I was posting rather than doing a new thread about it.

Kluge
Donator
Legendary
*
Offline Offline

Activity: 1218
Merit: 1011



View Profile
August 27, 2014, 02:29:58 AM
 #23

Quote
I have a SHA1 thumbprint for a 7/7/2014 certificate verified by Rapid SSL of the following:
7b:cf:43:ce:3b:6a:9e:78:62:81:76:6f:9a:71:7a:da:e2:7c:37:c6

Is this correct? I see references to a different cert in this thread. Sorry for the necro, I just thought it might be good to reference why I was posting rather than doing a new thread about it.

Yep, that's what I have. Issued on July 7th. Connecting directly to the server IP address gives the same. Does the thumbprint change if the cert is renewed?
theymos
Administrator
Legendary
*
Offline Offline

Activity: 3626
Merit: 7415


View Profile
August 28, 2014, 11:57:51 PM
 #24

Quote
I have a SHA1 thumbprint for a 7/7/2014 certificate verified by Rapid SSL of the following:
7b:cf:43:ce:3b:6a:9e:78:62:81:76:6f:9a:71:7a:da:e2:7c:37:c6

Is this correct? I see references to a different cert in this thread. Sorry for the necro, I just thought it might be good to reference why I was posting rather than doing a new thread about it.

https://bitcointalk.org/index.php?topic=568146.0

Quote
Does the thumbprint change if the cert is renewed?

No.
