Bitcoin Forum
December 11, 2016, 02:09:10 PM
Author Topic: Possible false alarm: MtGox break in  (Read 14003 times)
mrb (Legendary, Activity: 1120)
September 13, 2011, 07:41:22 AM, #121

Forging an SSL cert only enables the possibility of a man-in-the-middle attack from being transparently obvious when it's no longer signed properly.  However, you still have to accept the change in certificate for the forged-SSL MIM attack to work.  Did you log in to MtGox from strange internet connections in shady places?  Or did MtGox get their DNS forged as well?

No, a forged cert from DigiNotar would allow to transparently execute a MiTM attack against an end-user, without her seeing any security warning whatsoever. Except in 1 scenario, see below...

Quote from: kjj
Is there actually a browser that will remember a certificate and complain if that cert is replaced with a different valid CA-signed cert?

...only 1 browser would warn you: Chrome, because Google hard-coded hashes of the public keys for a small number of high-profile websites' certificate keys. This is called public key pinning.
makomk (Hero Member, Activity: 686)
September 13, 2011, 07:47:20 AM, #122

Tux has replaced the missing BTC.
That's unusual. He didn't even do that for people whose accounts were compromised in circumstances suggesting it was due to the password database being extracted by hackers...

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
DiabloD3 (Legendary, Activity: 1162, "DiabloMiner author")
September 13, 2011, 07:56:49 AM, #123

I also do not think it is likely the recent DigiNotar or Globalsign break-ins have produced SSL certs to attack mtgox with (which WOULD explain this) because mtgox uses EV certs and as far as I know none of the fake certs were for EV, but DigiNotar and Globalsign both DO issue EV certs. Although I am not ruling this out.


Forging an SSL cert only enables the possibility of a man-in-the-middle attack from being transparently obvious when it's no longer signed properly.  However, you still have to accept the change in certificate for the forged-SSL MIM attack to work.  Did you log in to MtGox from strange internet connections in shady places?  Or did MtGox get their DNS forged as well?

The problem is you DON'T need to accept the cert since it's signed by a CA. That's why this was so dangerous. All you need is someone at Tux's ISP juping the traffic and bam, MITM attack and no one is the wiser.

DiabloD3 (Legendary, Activity: 1162, "DiabloMiner author")
September 13, 2011, 08:00:31 AM, #124

Forging an SSL cert only enables the possibility of a man-in-the-middle attack from being transparently obvious when it's no longer signed properly.  However, you still have to accept the change in certificate for the forged-SSL MIM attack to work.  Did you log in to MtGox from strange internet connections in shady places?  Or did MtGox get their DNS forged as well?

No, a forged cert from DigiNotar would allow to transparently execute a MiTM attack against an end-user, without her seeing any security warning whatsoever. Except in 1 scenario, see below...

Quote from: kjj
Is there actually a browser that will remember a certificate and complain if that cert is replaced with a different valid CA-signed cert?

...only 1 browser would warn you: Chrome, because Google hard-coded hashes of the public keys for a small number of high-profile websites' certificate keys. This is called public key pinning.


Mozilla is considering pinning keys on first site access. So the only way to MITM with false certs is during the first access (which makes it the same as ssh's flaw on server fingerprints (aka ~/.ssh/known_hosts)).

DigiNotar is a clusterfuck, regardless.
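Added example (not code from this thread, from Chrome or from Mozilla): a Python sketch of the two pinning models discussed in #121 and #124. A pin is the SHA-256 of the certificate's DER SubjectPublicKeyInfo, so a renewed certificate from a different CA that keeps the same key still matches, while a CA-signed certificate carrying a different key does not. A store with preloaded pins behaves like Chrome's built-in list; an empty store behaves like ~/.ssh/known_hosts and has the same first-contact window. The certificates, the key bytes, the hostname example-exchange.test and the simplified name fields are all constructed here for the demo, and the tiny DER helpers are written for this example rather than taken from a library.

```python
import base64
import hashlib

# Minimal DER helpers written for this example (not a full ASN.1 library).
SEQ, INT, BITSTR, OID, UTF8, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x06, 0x0C, 0x17, 0xA0
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # OID 1.2.840.113549.1.1.11
RSA_ENC = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"      # OID 1.2.840.113549.1.1.1


def der(tag, content):
    """Encode one TLV with a definite short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def der_iter(data):
    """Yield (tag, content) for each top-level TLV in a DER blob."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                      # long form: next N bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


def make_cert(issuer, subject, pubkey, with_version=True):
    """Build a constructed, unsigned, structurally minimal X.509 certificate (RFC 5280 layout).
    Names are simplified to a single UTF8String and the signature is a dummy bit string."""
    alg = der(SEQ, der(OID, SHA256_RSA))
    spki = der(SEQ, der(SEQ, der(OID, RSA_ENC)) + der(BITSTR, b"\x00" + pubkey))
    fields = [der(CTX0, der(INT, b"\x02"))] if with_version else []   # [0] EXPLICIT version v3
    fields += [
        der(INT, b"\x01"),                                          # serialNumber
        alg,                                                        # signature algorithm
        der(SEQ, der(UTF8, issuer.encode())),                       # issuer (simplified)
        der(SEQ, der(UTCTIME, b"110913000000Z") + der(UTCTIME, b"120913000000Z")),  # validity
        der(SEQ, der(UTF8, subject.encode())),                      # subject (simplified)
        spki,                                                       # subjectPublicKeyInfo
    ]
    tbs = der(SEQ, b"".join(fields))
    return der(SEQ, tbs + alg + der(BITSTR, b"\x00dummy-signature"))


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo: 6th field of tbsCertificate after the optional [0] version."""
    (_, cert_content), = der_iter(cert_der)
    _, tbs = next(der_iter(cert_content))
    fields = list(der_iter(tbs))
    if fields[0][0] == CTX0:
        fields = fields[1:]
    return der(SEQ, fields[5][1])


def spki_pin(cert_der):
    """HPKP/Chrome-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


class PinStore:
    """Per-host pin store. Preloaded pins act like a browser's built-in list; unknown hosts are
    pinned on first contact (trust-on-first-use, like ~/.ssh/known_hosts)."""

    def __init__(self, preloaded=None):
        self.pins = {h: set(p) for h, p in (preloaded or {}).items()}

    def check(self, host, cert_der):
        pin = spki_pin(cert_der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = {pin}         # the TOFU window: nothing to compare against yet
            return "TOFU_ACCEPTED"
        return "PIN_MATCH" if pin in known else "PIN_MISMATCH"


# Constructed key material: placeholder bytes standing in for two different public keys.
KEY_SITE = bytes(range(1, 70))
KEY_ATTACKER = bytes(range(70, 140))

CERT_ORIGINAL = make_cert("CN=Original CA", "CN=example-exchange.test", KEY_SITE)
CERT_RENEWED = make_cert("CN=Another CA", "CN=example-exchange.test", KEY_SITE, with_version=False)
CERT_MISISSUED = make_cert("CN=Compromised CA", "CN=example-exchange.test", KEY_ATTACKER)


def tofu_scenario():
    """Empty store: first contact is accepted blind, a key-preserving renewal still matches,
    and a validly CA-signed certificate carrying a different key is flagged."""
    store = PinStore()
    return [store.check("example-exchange.test", c) for c in (CERT_ORIGINAL, CERT_RENEWED, CERT_MISISSUED)]


def preloaded_scenario():
    """Built-in pin: the mis-issued certificate is rejected even on the very first visit."""
    store = PinStore({"example-exchange.test": [spki_pin(CERT_ORIGINAL)]})
    return store.check("example-exchange.test", CERT_MISISSUED)


if __name__ == "__main__":
    print("TOFU:", tofu_scenario())          # ['TOFU_ACCEPTED', 'PIN_MATCH', 'PIN_MISMATCH']
    print("preloaded:", preloaded_scenario())  # PIN_MISMATCH
```

Pinning the SubjectPublicKeyInfo rather than the whole certificate is what lets a site rotate CAs or re-issue without breaking the pin, which is the property a real deployment needs; the trade-off the thread touches on is that a TOFU store cannot tell a legitimate first contact from a first contact that is already being intercepted.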

mrb (Legendary, Activity: 1120)
September 13, 2011, 08:24:45 AM, #125

Mozilla is considering pinning keys on first site access. So the only way to MITM with false certs is during the first access (which makes it the same as ssh's flaw on server fingerprints (aka ~/.ssh/known_hosts)).

I would love it. The only way to provide this sort of pinning with any browser is to delete all trusted CAs before browsing any HTTPS site.
nhodges (Sr. Member, Activity: 308)
September 13, 2011, 08:30:34 AM, #126

It's possible with the recent security lapses at certificate authorities (a la comodohacker) that someone, for some period of time, was able to do a csrf / mitm attack, no?

[Edit: Should have read 3 posts further, I guess I'll leave my original reply, lol.]

DiabloD3 (Legendary, Activity: 1162, "DiabloMiner author")
September 13, 2011, 08:32:15 AM, #127

It's possible with the recent security lapses at certificate authorities (a la comodohacker) that someone, for some period of time, was able to do a csrf / mitm attack, no?

This is what I implied earlier. It is, in fact, possible. Just very unlikely.

hugolp (Hero Member, Activity: 742)
September 13, 2011, 08:35:41 AM, #128

Sorry if this is a bit off-topic, but does anyone have a proper explanation of what happened at MtGox on Sunday with the ghost trades? The technical explanations I've heard until now don't seem to make much sense.
Bitcoin Oz (Hero Member, Activity: 700, "Wat")
September 13, 2011, 09:26:59 AM, #129

http://www.youtube.com/watch?v=MK6TXMsvgQg



Otoh (Donator, Legendary, Activity: 1918)
September 13, 2011, 09:46:40 AM, #130

Sorry if this is a bit off-topic, but does anyone have a proper explanation of what happened at MtGox on Sunday with the ghost trades? The technical explanations I've heard until now don't seem to make much sense.

It seems MtGox blocked about 2,000 accounts so that their trades still showed up but were not actually executed, operating with allegedly stolen funds & Bitcoins with the intent to seriously disrupt the market. Why wasn't there a MtGox warning that their data was going to be completely off? People make trading decisions based on this.

What now happens to the funds & Btc now locked down at MtGox, how much is this worth, if they were stolen from MyBitCoin will they be expropriated & returned for additional refund to clients there

Far too little information comes out of MtGox about these constant shenanigans - I guess that the OP also gets a free MtGox Yubi key as well as his Btc back

Node40.com is a leader in DASH hosting, dedicated exclusively to fully managed masternode hosting. Professional, organized, and responsive. I have many dozens of nodes with them.    
BTC = $c²     BTC = 1otohotohMoQoxHuxLBveQiZcV3Pji3Tc      DASH, Digital Cash = www.dash.org   
   CHARITY | MY REP | DICE
hugolp (Hero Member, Activity: 742)
September 13, 2011, 10:01:15 AM, #131

It seems MtGox blocked about 2,000 accounts so that their trades still showed up but were not actually executed,

Yes, I read MagicalTux's chat explanations. But I think the explanation is lacking. How does a user manage to create an order that does not get executed but still shows in the data? Is this normal at MtGox?

Without more information I'm guessing it might be a bug more than a hack, but the explanation he has given is lacking (as you already said).

Quote
operating with allegedly stolen funds & Bitcoins with the intent to seriously disrupt the market. Why wasn't there a MtGox warning that their data was going to be completely off? People make trading decisions based on this.

What now happens to the funds & Btc now locked down at MtGox, how much is this worth, if they were stolen from MyBitCoin will they be expropriated & returned for additional refund to clients there

Far too little information comes out of MtGox about these constant shenanigans - I guess that the OP also gets a free MtGox Yubi key as well as his Btc back
EhVedadoOAnonimato (Hero Member, Activity: 616)
September 13, 2011, 10:11:30 AM, #132

The problem is you DON'T need to accept the cert since it's signed by a CA. That's why this was so dangerous. All you need is someone at Tux's ISP juping the traffic and bam

It shouldn't be that easy to be in the middle of the traffic like that. Unless you were using Tor or any similar kind of proxy. Were you?
Sukrim (Legendary, Activity: 1848)
September 13, 2011, 11:10:34 AM, #133

repeat with me, mtgox is not bitcoin

Not yet, they are trying to register it as a trademark though - have fun paying them license fees just to use the name!
Proof:
http://esearch.oami.europa.eu/copla/trademark/data/010103646

https://bitfinex.com <-- leveraged trading of BTCUSD, LTCUSD and LTCBTC (long and short) - 10% discount on fees for the first 30 days with this refcode: x5K9YtL3Zb
Mail me at Bitmessage: BM-BbiHiVv5qh858ULsyRDtpRrG9WjXN3xf
kripz (Full Member, Activity: 182)
September 13, 2011, 12:43:04 PM, #134

Probably radiation (Fukushima? Cosmic?) affected the RAM, flipped a bit, and the account ID that was being liquidated happened to be Diablo's (and others in the past since the Fukushima incident).

 Merged mining, free SMS notifications, PayPal payout and much more.
http://btcstats.net/sig/JZCODg2
ElectricMucus (Legendary, Activity: 1540, "Drama Junkie")
September 13, 2011, 12:51:32 PM, #135

Probably radiation (Fukushima? Cosmic?) affected the RAM, flipped a bit, and the account ID that was being liquidated happened to be Diablo's (and others in the past since the Fukushima incident).

Possibly

http://xkcd.com/378/

First they ignore you, then they laugh at you, then they keep laughing, then they start choking on their laughter, and then they go and catch their breath. Then they start laughing even more.
BlockHash (Member, Activity: 84)
September 13, 2011, 12:52:14 PM, #136

repeat with me, mtgox is not bitcoin

Not yet, they are trying to register it as a trademark though - have fun paying them license fees just to use the name!
Proof:
http://esearch.oami.europa.eu/copla/trademark/data/010103646

This is exactly what reputable and forthright companies would do.
Littleshop (Legendary, Activity: 1316)
September 13, 2011, 12:57:19 PM, #137

-a third party is engaging in a cyberwar against bitcoin using man in the middle attacks.

After a lengthy conversation with MagicalTux, unless it does turn up that mtgox has been hacked, neither of us can figure out what happened. It's obviously not me and I didn't fall for a phishing expedition, and I'm pretty sure it's not on his end. His description of security on the new post-hack mtgox is pretty decent. It's not perfect, but he has gone to great lengths to prevent a repeat.

Even if they dumped the password database, the passwords are sufficiently salted and hashed that it is extremely unlikely they grabbed my password first.

I also do not think it is likely the recent DigiNotar or Globalsign break-ins have produced SSL certs to attack mtgox with (which WOULD explain this) because mtgox uses EV certs and as far as I know none of the fake certs were for EV, but DigiNotar and Globalsign both DO issue EV certs. Although I am not ruling this out.

DigiNotar knew about the break in for months, and I obviously have logged in since then.

Tux has replaced the missing BTC.

Asking once again. Do you use a Yubikey on Mt.Gox?

As I've said in the past, I do not believe that they improve security.

They do not prevent every kind of attack but they stop entire categories of attacks.  You are wrong on this one and should think about it a bit more. 

phillipsjk (Legendary, Activity: 1008, "Let the chips fall where they may.")
September 13, 2011, 03:49:48 PM, #138

Is there actually a browser that will remember a certificate and complain if that cert is replaced with a different valid CA-signed cert?

There is a browser plug-in that will do that: Certificate Patrol.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
rotrott (Jr. Member, Activity: 47)
September 13, 2011, 10:48:07 PM, #139

Was this a mtgox session hijack from the forum hack?  Were you logged into mtgox when the forum hack occurred?

tvbcof (Legendary, Activity: 1988)
September 13, 2011, 11:55:18 PM, #140

Asking once again. Do you use a Yubikey on Mt.Gox?

As I've said in the past, I do not believe that they improve security.

They do not prevent every kind of attack but they stop entire categories of attacks.  You are wrong on this one and should think about it a bit more. 

They stop entire categories of attacks which not everyone is especially prone to.  SSO is a nice to have and very worthwhile in a lot of cases, but it introduces yet another layer of expense and complexity.  I don't use one at my exchange but I am quite careful about my username, password, access methods, etc.

Most importantly, I do consider the funds I have at my exchange to be disposable.  I consider the risk from incompetence, dishonesty, and government intervention to put the assets I have at my exchange at risk more than my authentication being compromised.  A good number of people would be well advised to NOT follow suit here.
