Today's Man-In-The-Middle

[pascal257]

News: If you used your password to login between 06:00 Dec 1 UTC and 20:00 Dec 2 UTC, then your password may have been captured in a man-in-the-middle attack, and you should change your password here and wherever else you used it. If you were only logged in via the "remember me" feature, then you're OK.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Here's what we think happened:

8-14 hours ago, an attacker used a flaw in the forum's AnonymousSpeech registrar to change the forum's DNS to point to 108.162.197.161 (exact details unknown). Sirius noticed this 8 hours ago and immediately transferred bitcointalk.org to a different registrar. However, such changes take about 24 hours to propagate.

Because the HTTPS protocol is pretty terrible, this alone could have allowed the attacker to intercept and modify encrypted forum transmissions, allowing them to see passwords sent during login, authentication cookies, PMs, etc. Your password only could have been intercepted if you actually entered it while the forum was affected. I invalidated all security codes, so you're not at risk of having your account stolen if you logged in using the "remember me" feature without actually entering your password.

For the next ~20 hours, you should only log into the forum if you're quite sure that you're talking to the correct server. This can be done by adding '109.201.133.195 bitcointalk.org' to your hosts file (remember to remove it later!), or by using some browser plugin to ensure that you're talking to the server with TLS certificate SHA1 fingerprint of:
29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B

Simultaniously, the forum has been the target of a massive DDoS attack. These two events are probably related, though I'm not yet sure why an attacker would do both of these things at once.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlKb2nkACgkQxlVWk9q1kefhTwD+Ni5k7CUrHjvzG29wO3Gx4Am+
MV5tdw8zE1AAWvbstt8BAIrndOXCYmawoXN+VeSZkLXHnCyQbR8IOftQnpl2aXYs
=465T
-----END PGP SIGNATURE-----

I think the end date in the news is wrong, it seems to be in the future. Or is that a precaution regarding DNS propagation?

[1715139555]

1715139555

[1715139555]

1715139555

[1715139555]

1715139555

[smeagol]

yes, the date is tomorrow.  that is interesting

[theymos]

it seems to be in the future. Or is that a precaution regarding DNS propagation?

Right.

[anti-scam]

Was this attack only a MitM to steal passwords or was malicious content served? I've read reports of suspicious Java applets.

[theymos]

Was this attack only a MitM to steal passwords or was malicious content served? I've read reports of suspicious Java applets.

There was only one report of that, and I think that he was probably thinking of JavaScript. CloudFlare has an error page that asks you to enable JS so it can more accurately fingerprint you.

[anti-scam]

Was this attack only a MitM to steal passwords or was malicious content served? I've read reports of suspicious Java applets.

There was only one report of that, and I think that he was probably thinking of JavaScript. CloudFlare has an error page that asks you to enable JS so it can more accurately fingerprint you.

Well I had a random browser crash after being served an odd page when accessing the site (though I don't have Java or JS enabled) but it must have been a coincidence.

[extortion]

Was the Hacker Named Robert DROP TABLES?

[justusranvier]

[maurya78]

you are right, hadn't noticed that the end date is in the future

Very interesting

[Sindelar1938]

I just changed my password and other settings
Anything else that I need to do to be safe?
Thanks for any input

[wachtwoord]

I logged on just now via the ip 109.201.133.195 then everything should be peachy right?

[Kluge]

I logged on just now via the ip 109.201.133.195 then everything should be peachy right?

Yeah. You can double-check the SSL certificate if you want. SHA1 fingerprint should be 29 0e cc 82 2b 3c ce 0a 73 94 35 a0 26 15 ec d3 eb 1f 46 6b

[jarhed]

Yeah. You can double-check the SSL certificate if you want. SHA1 fingerprint should be 29 0e cc 82 2b 3c ce 0a 73 94 35 a0 26 15 ec d3 eb 1f 46 6b

All letters in my SHA1 fingerprint are full Caps.
29 0E CC 82 2B 3C CE 0A 73 94 35 A0 26 15 EC D3
EB 1F 46 6B

[wachtwoord]

I logged on just now via the ip 109.201.133.195 then everything should be peachy right?

Yeah. You can double-check the SSL certificate if you want. SHA1 fingerprint should be 29 0e cc 82 2b 3c ce 0a 73 94 35 a0 26 15 ec d3 eb 1f 46 6b

Thanks, it checks out

[CIYAM]

All letters in my SHA1 fingerprint are full Caps.

Caps is not relevant for the hash value when it's displayed as hex (i.e. it can be shown using either upper or lower case letters but is still the same hash value regardless).

[jarhed]

All letters in my SHA1 fingerprint are full Caps.

Caps is not relevant for the hash value when it's displayed as hex (i.e. it can be shown using either upper or lower case letters but is still the same hash value regardless).

Thanx.

[Phinnaeus Gage]

Yeah. You can double-check the SSL certificate if you want. SHA1 fingerprint should be 29 0e cc 82 2b 3c ce 0a 73 94 35 a0 26 15 ec d3 eb 1f 46 6b

All letters in my SHA1 fingerprint are full Caps.
29 0E CC 82 2B 3C CE 0A 73 94 35 A0 26 15 EC D3
EB 1F 46 6B

Let's pretend for a sec that I don't have a clue as to where to look for the above. Remember, we're only pretending, but any help would be appreciated by those who don't know how to pretend.

~TMIBTCITW

[jackjack]

Click on the padlock, then try to find it

[wachtwoord]

Click on the padlock, then try to find it

The little lock in the address bar indicating it uses https (SSL)

[jackjack]

Click on the padlock, then try to find it

The little lock in the address bar indicating it uses https (SSL)

Yeah sorry I should have clarified that