MyEtherWallet Hacked Via BGP Hijacking

rgMekanic

[H]ard|News
Joined
May 13, 2013
Messages
6,943
At midnight, users visiting MyEtherWallet.com found a warning for an unsigned SSL certificate. Those that chose to ignore the warning, got their wallets emptied. The Verge is reporting that hackers attacked the infrastructure of the internet, by hijacking a Border Gateway Protocol router in the vicinity of an internet exchange in Chicago, and directed traffic from MyEtherWallet to a server in Russia. So far at least $13,000 was stolen.

Based on what security researcher Kevin Beaumont has to say about the attack in the quote below, it is possible that more domains were affected during the attack. It is also worth noting that the attackers already had more than $17 million in Ethereum in it before the attack today.

The security vulnerabilities in BGP and DNS are well known, and have been attacked before. This is the largest scale attack I have seen which combines both, and it underscores the fragility of internet security.
 
It's all in the risk of using convenience websites.

I find it weird to call it a vulnerability in BGP and DNS since it requires access to a trusted node. Sure, my wallet is insecure because it can be picked from my pocket, but that's on me, not the wallet.
 
upload_2018-4-24_17-46-54.png
 
Your cryptocurrency is not secure. The defenses against theft that you believe your cryptocurrency has are all immutable and can be analyzed and then broken. The only thing that makes Bitcoin mildly secure is that if they steal too much it becomes worthless.

Ask China about the Great Wall.


P.S. I am going to make a new currency based on my butt hair. You can buy strands of my butt hair for dollars, and then use my butt hair to buy other things. If you don't want to handle my butt hair, I will allow you to invest in unharvested butt hair, allowing it to grow and increase in value. Let them try to hack my ass.

When this idea takes off I will be a semoleonaire.
 
Last edited:
Your cryptocurrency is not secure. The defense that you believe your cryptocurrency has is immutable and can be analyzed and then broken. The only thing that makes Bitcoin mildly secure is that if they steal too much it becomes worthless.

Ask China about the Great Wall.


P.S. I am going to make a new currency based on my butt hair. You can buy strands of my butt hair for dollars, and then use my butt hair to buy other things. If you don't want to handle my butt hair, I will allow you to invest in unharvested butt hair, allowing it to grow and increase in value. Let them try to hack my ass.

When this idea takes off I will be a semoleonaire.

This is going to revolutionize banking once we fork your butt hair to add support for smart contracts. Why bother with traditional banking or notary when we can just store all our important info in between your strands of butt hair.
 
Getting closer to movie level realism of taking money where you can download money from one account.
 
Given how people tend to ignore such warnings (often out of ignorance not everyone can be a techie) maybe the default in browsers should be to prevent people going to such sites (maybe with a feature that periodically checks and lets you know when the certificate is valid again).
 
This is going to revolutionize banking once we fork your butt hair to add support for smart contracts. Why bother with traditional banking or notary when we can just store all our important info in between your strands of butt hair.

My butt hair reeks of potential. I'm working on a prospective and business case right now. I really want investors to see the size and scope of my ass.
 
Meanwhile, in other news, crypto rally almost doubles in market cap within 2 weeks.

But hey, I don't see THOSE news anywhere. All I read about is exit scams, hacks, etc. Only negatives news but no tech news or updates.
Stop being so fucking one sided and biased, blockchain is new tech just like your fucking video cards and potentially far more important for the world.

Newsposters here sound like a bunch of butthurt amateurs.
 
Not really a specific problem with crypto. They could do this to a banking website, if you ignore the certificate warnings it could happen to anything.

Yes and no. Yes you can carry out a man-in-the-middle attack against any kind of site, if you can find a way to interdict the traffic. However no it isn't quite the same. Thing with bank transactions is they are all tracked and centrally controlled, which means they are often reversible. Someone gets in your account and siphons money out without your permission, there is the possibility they can reverse it. That aside there are regulations on banks such that even if they can't get the money back, they often have to cover it from their own funds. Those "zero fraud liability guarantees" they advertise aren't out of the goodness of their heart but because they have to offer it, so they use it as a marketing point.

It really IS a problem with crypto, in that the distributed, anonymous, "no taksies backsies" nature of crypto means an attack like this can work and there's basically fuck-all you can do. Crypto works like cash in that regard that it is a bearer note: Whoever possess it is able to use it.

Plus many banks have better security these days. To transfer money or to add a pay-to account on my bank, you have to 2-factor auth. So even if someone gets in, they have to then get the code sent to my cellphone. Not iron-clad security but a significant barrier to getting money out of a hijacked account.
 
Given how people tend to ignore such warnings (often out of ignorance not everyone can be a techie) maybe the default in browsers should be to prevent people going to such sites (maybe with a feature that periodically checks and lets you know when the certificate is valid again).

my android does that already.

Some public wifi hotspots, like the ones at airports and train stations, couldn't verify SSL certificates of hardOCP, so it gave me a stern warning and I just clicked 'nope, get me out of here'
I could connect and get verified SSL certificates using hotel wifi and over 4G, so I knew it was the public wifi.
 
The average non techie end user is screwed. How are they supposed to tell the difference between a pop up box that says "Your security settings are out of date - Danger!" and a pop up box that says "Your security certificate is misconfigured - Danger!" One they are supposed to ignore to avoid malware installation or worse, the other they are supposed to believe to avoid a security breach or worse.
 
You people do realize the percentage that $13,000 is to the total market cap of $400 billion right? It's 0.00000325%. It's like the change you find in your couch compared to all the money you make in your lifetime.

< Cue Grumpy Cat anti-Crypto "Good" meme for people who don't understand math >
 
You people do realize the percentage that $13,000 is to the total market cap of $400 billion right? It's 0.00000325%.

The amount is irrelevant. The idea that it isn't supposed to happen, but it did happen, means that the percentage is 100%. And I would add, $400 billion dollars of what? $400 billion dollars of a gentlemen's agreement?

P.S. Something bad happened, and by design it cannot be fixed. Bitcoin is fun, but it's still an experiment - an experiment that was set loose without controls. Still fun, but no one has any idea what it might do.

P.P.S. Bitcoin has a real possibility of having it's own 1% crash. I admit it's a veridical paradox to explain that bitcoin has no value when you can buy things with it, but that's what happens when both the buyer and the seller accept the premise.

P.P.P.S. Power-up points for using 'veridical paradox' on a hardware forum! I touch myself! I'm still trying to justify those three years of English Criticism in college before I finally took a huge crap and changed my major to computer science.
 
Last edited:
my android does that already.

Some public wifi hotspots, like the ones at airports and train stations, couldn't verify SSL certificates of hardOCP, so it gave me a stern warning and I just clicked 'nope, get me out of here'
I could connect and get verified SSL certificates using hotel wifi and over 4G, so I knew it was the public wifi.

This is confusing to me. WiFi is just a layer two medium, like Ethernet. What does it have to do with SSL? You do an HTTPS connection to a web site, it gives you a cert, and either your phone has the CA certs in the chain, or downloads them, and verifies the trust. I'm missing how WiFi gets involved.
 
Given how people tend to ignore such warnings (often out of ignorance not everyone can be a techie) maybe the default in browsers should be to prevent people going to such sites (maybe with a feature that periodically checks and lets you know when the certificate is valid again).

Making it never possible to click through the warnings breaks a lot of (reasonably dumb) use cases. Thankfully, there's an http(s) header you can add that says everything is https, and don't let people click throith the warnings, and you can get that added to browsers, so it works on the first visit to the site too. There's two big problems with that though: a) this site found out about that header after the attack was already over, b) the attackers probably could have gotten a domain validated certiticate during the attack (but they didn't because lazy)
 
Who the fuck accepts a certificate error on a site like that? Like, seriously? You'd have to be brain dead level stupid.

isnt that par for the course for the average bitcoin investor? not miner, those guys at least have a basic grasp of what they're doing. but of the ~8 or so people I know who've purchased BTC, not a single one of them could tell me why, or what it does, and none of them owned any equities outside of their company 401k, if that. you can have your beliefs either way on bitcoin, but the vast majority of it's price right now is speculation from people who have no idea what they're doing.
 
Meanwhile, in other news, crypto rally almost doubles in market cap within 2 weeks.

But hey, I don't see THOSE news anywhere. All I read about is exit scams, hacks, etc. Only negatives news but no tech news or updates.
Stop being so fucking one sided and biased, blockchain is new tech just like your fucking video cards and potentially far more important for the world.

Newsposters here sound like a bunch of butthurt amateurs.

Hehe,...just because it is new, does not make it good. Like any new technology, if there is a way to pervert it, it will happen. Question is, is the benefit enough to warrant dealing with the perversions? As far as I am concerned, the current implementations of cryptocrap is quite the perversion of the technology itself and warrants shutting it all down until, at what time, it can be done wihout abusing limited resources.

Until that is fixed, I am going to giggle each, and every time something bad happens in the cryptocrazed sector.

My opinion, your opinion,....hell we all have them.
 
The amount is irrelevant. The idea that it isn't supposed to happen, but it did happen, means that the percentage is 100%. And I would add, $400 billion dollars of what? $400 billion dollars of a gentlemen's agreement?

P.S. Something bad happened, and by design it cannot be fixed. Bitcoin is fun, but it's still an experiment - an experiment that was set loose without controls. Still fun, but no one has any idea what it might do.

P.P.S. Bitcoin has a real possibility of having it's own 1% crash. I admit it's a veridical paradox to explain that bitcoin has no value when you can buy things with it, but that's what happens when both the buyer and the seller accept the premise.

P.P.P.S. Power-up points for using 'veridical paradox' on a hardware forum! I touch myself! I'm still trying to justify those three years of English Criticism in college before I finally took a huge crap and changed my major to computer science.


Bitcoin wasn't hacked though. It was an "ETH" wallet, nothing to do with BTC... less than $20k were stolen during this window and could happen to any site.
 
Wow lots of dumb 'hur dur, crypto bad. serve them right' replies in this thread, like that is even the issue.

You're missing the point of the attack that was used. Yes, this time they used it to try and drain some crypto wallets. What if next time they started hijacking the DNS requests to say your bank, or your main email (to reset other account passwords), and sending you to a fake site to scrape users credentials. How many computer illiterate people will click right past the SSL warning and get fucked?



So how about we get back to focusing on the actual article/issue posted, instead of just jumping into any threads with the word 'crypto' to tell the world again how much you hate it.
 
Bitcoin wasn't hacked though. It was an "ETH" wallet, nothing to do with BTC.

Yes, that's true, but ... um .. you're a neener-head. Fair point, though.

So how about we get back to focusing on the actual article/issue posted, instead of just jumping into any threads with the word 'crypto' to tell the world again how much you hate it.

I can't help it, it's like watching someone leave the restroom without washing their hands, you just get the urge to call after them and say, "Hey, I don't mean to be a jerk, but your haircut is ugly."
 
seanreisk crypto has its pros/cons like any tech, i wouldn't just hate something because some of it is dumb, if that were the case none of us would be on hardocp.com due to all the dumb technologies major companies release each year.

cryptos that may make it in the long run:
a. have a purpose, and actually work (not theory/white paper)
b. have a business purpose/product and work (not theory/white paper)
c. solve a problem
d. do not burn down the planet with excessive mining
e. are not scams, shils etc

in the short term most of it is speculation, investment etc and there are not many actual products. BTC functions as a currency only because it is the "entry point" on most sites to convert CURRENCY to BTC which is a bit ironic. 99% of the market does not mine to get in, they use USD or their local currency. In the long run faster, cheaper, environmentally products will take off that have product suites of their own .
 
Wow lots of dumb 'hur dur, crypto bad. serve them right' replies in this thread, like that is even the issue.

You're missing the point of the attack that was used. Yes, this time they used it to try and drain some crypto wallets. What if next time they started hijacking the DNS requests to say your bank...
Well those are insured...
 
Making it never possible to click through the warnings breaks a lot of (reasonably dumb) use cases. Thankfully, there's an http(s) header you can add that says everything is https, and don't let people click throith the warnings, and you can get that added to browsers, so it works on the first visit to the site too. There's two big problems with that though: a) this site found out about that header after the attack was already over, b) the attackers probably could have gotten a domain validated certiticate during the attack (but they didn't because lazy)
That's why I said the default should be blocking the site. There can be a setting to over-ride that, but it should not be in the warning, it should be in a settings or security menu. I've gone on to sites ocassionally with outdated certificates because I was reasonably sure they weren't compromised, but for safety this shouldn't be a yes/no one time question. I would not go to my banking site with such a warning...but a lot of people would-- not understanding what they were being told, or even just in the haste of everyday life.
 
Where can I purchase this email insurance you speak of that will help if anyone takes control of my account to use to reset passwords for other accounts?

Ohhhhh,....sounds like a business opportunity to me!

First, hire hackers to do exactly that, then sell insurance to cover that. Accept payment in Bitcoin, then when the price of Bitcoin is stupid high, abscond with the proceeds to the Caymans!!!!

YES! I AM GOING TO BE CRAZY RICH!!! WOOT! NEENER! NEENER!
 
That's why I said the default should be blocking the site. There can be a setting to over-ride that, but it should not be in the warning, it should be in a settings or security menu. I've gone on to sites ocassionally with outdated certificates because I was reasonably sure they weren't compromised, but for safety this shouldn't be a yes/no one time question. I would not go to my banking site with such a warning...but a lot of people would-- not understanding what they were being told, or even just in the haste of everyday life.

Ok, so if the default is blocking the site, the attackers take the 5 minutes to get a certificate issued, which shouldn't be too hard, given they pretty much controlled the DNS ip space. Meanwhile, if you're running something with money, you should probably have gotten on the HSTS preload list. (which reminds me, I need to get some short domains preloaded for work)
 
Ok, so if the default is blocking the site, the attackers take the 5 minutes to get a certificate issued, which shouldn't be too hard, given they pretty much controlled the DNS ip space. Meanwhile, if you're running something with money, you should probably have gotten on the HSTS preload list. (which reminds me, I need to get some short domains preloaded for work)
Then what's the point in having certification in the first place if it's that easy to defeat? But no prophylactic is 100%, I'm only suggesting something to make it harder. More than one approach is often good too.
 
Back
Top