Bitcoin Forum
December 17, 2017, 04:29:06 AM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 [20]  All
  Print  
Author Topic: BTC-E.COM NICE RECOVERY FROM THE HACK! =)  (Read 50585 times)
runeks
Legendary
*
Offline Offline

Activity: 952



View Profile WWW
August 02, 2012, 03:02:57 PM
 #381

^ Good info. I read the Flickr vulnerabilty paper and it also appears than an attacker needs to know the length of the original message M, in order to perform a length-extension attack. Because the length of the original message is added to the end of the data that is hashed.

I presumed that performing a pre-image attack on such a construction (a secret with known information added to the end) would not require 2^n attempts, on average, for a n-bit entropy hash function. But I think that may be wrong, since a full iteration of the compression function for SHA-256 hasn't been broken yet. And as was proved by Merkle and Damgård, if a full iteration of the compression function is secure, then doing them sequentially is also secure, as I understand it.

if indeed they dont use any scheme to integrity protect their messages, someone that is sitting ANYWHERE between lr and btc-e can modify/inject anything they want into the messages...this could give the person essentially free reign to do whatever it wanted actually.
Well they would need to circumvent the HTTPS encryption first. If they didn't use HTTPS then yes, they were very poorly protected against MITM attacks.
1513484946
Hero Member
*
Offline Offline

Posts: 1513484946

View Profile Personal Message (Offline)

Ignore
1513484946
Reply with quote  #2

1513484946
Report to moderator
1513484946
Hero Member
*
Offline Offline

Posts: 1513484946

View Profile Personal Message (Offline)

Ignore
1513484946
Reply with quote  #2

1513484946
Report to moderator
1513484946
Hero Member
*
Offline Offline

Posts: 1513484946

View Profile Personal Message (Offline)

Ignore
1513484946
Reply with quote  #2

1513484946
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1513484946
Hero Member
*
Offline Offline

Posts: 1513484946

View Profile Personal Message (Offline)

Ignore
1513484946
Reply with quote  #2

1513484946
Report to moderator
1513484946
Hero Member
*
Offline Offline

Posts: 1513484946

View Profile Personal Message (Offline)

Ignore
1513484946
Reply with quote  #2

1513484946
Report to moderator
1513484946
Hero Member
*
Offline Offline

Posts: 1513484946

View Profile Personal Message (Offline)

Ignore
1513484946
Reply with quote  #2

1513484946
Report to moderator
ErebusBat
Hero Member
*****
Offline Offline

Activity: 560

I am the one who knocks


View Profile
August 02, 2012, 06:15:53 PM
 #382

It seems more like a Man-in-the-Middle attack, there would have been sniffing involved in uncovering the secret keys. It is also possible that a simple XSS "Cross-Site-Scripting" vulnerability been involved in revealing the secrets "it could be the account number field Wink".
Except this API key shouldn't be doing anything that would be overly vulnerable to XSS.  MiM is possible, but if LR isn't using HTTPS, or they were not verifying the certificate chain (entirely possible) then someone is an idiot.
I often hear man-in-the-middle attacks mentioned, but how do they work exactly? I mean, I know the attacker is able to position himself between the target and whatever server the target is trying to reach, but how on earth does he do this? By poisoning the DNS cache of the target? Or through some other means? I mean, I find it pretty hard to understand how I can connect to a site, and someone can somehow inject himself into the path between me and the site.
However the above scenario is HIGHLY unlikely, to the point I have a better chance of answering my door to find mila kunis there ready to be my sex slave AND my wife being ok with it.
What if Mila Kunis is your wife?
CHRISTMAS!

░▒▓█ Coinroll.it - 1% House Edge Dice Game █▓▒░ • Coinroll Thread • *FREE* 100 BTC Raffle

Signup for CEX.io BitFury exchange and get GHS Instantly!  Don't wait for shipping, mine NOW!
Matthew N. Wright
Untrustworthy
Hero Member
*****
Offline Offline

Activity: 588


Hero VIP ultra official trusted super staff puppet


View Profile
August 02, 2012, 07:32:13 PM
 #383

It seems more like a Man-in-the-Middle attack, there would have been sniffing involved in uncovering the secret keys. It is also possible that a simple XSS "Cross-Site-Scripting" vulnerability been involved in revealing the secrets "it could be the account number field Wink".
Except this API key shouldn't be doing anything that would be overly vulnerable to XSS.  MiM is possible, but if LR isn't using HTTPS, or they were not verifying the certificate chain (entirely possible) then someone is an idiot.
I often hear man-in-the-middle attacks mentioned, but how do they work exactly? I mean, I know the attacker is able to position himself between the target and whatever server the target is trying to reach, but how on earth does he do this? By poisoning the DNS cache of the target? Or through some other means? I mean, I find it pretty hard to understand how I can connect to a site, and someone can somehow inject himself into the path between me and the site.
However the above scenario is HIGHLY unlikely, to the point I have a better chance of answering my door to find mila kunis there ready to be my sex slave AND my wife being ok with it.
What if Mila Kunis is your wife?

I for one would never get on the forums again.

Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 [20]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!