
Security Incident – DNS Breach - ponytech
https://coinhive.com/blog/dns-breach
======
graystevens
A great example of folks either re-using passwords, or simply not being aware
that their credentials have been included in a previous leak/breach.

For an idea of a timeline, and a useful reminder to check your own personal
accounts (and those dreaded shared accounts internally):

- Feb 15 2014 - Kickstarter breach occurred
- Oct 08 2017 - HaveIBeenPwned import the dump, suggesting it is publicly available, or at least being shared around.
- Oct 24 2017 - Coinhive suffer their DNS breach.

Services such as Troy's HaveIBeenPwned are an excellent resource, and I can
wholeheartedly recommend signing up for the 'Notify Me' function:
[https://haveibeenpwned.com](https://haveibeenpwned.com)

I recently released something similar for corporate environments, allowing
businesses to produce pseudo-users to insert into their user base. These
'canaries' are unique to them & come with real email addresses and phone
numbers, so should they ever be contacted you can be pretty sure you've
suffered a breach of some kind. We of course also check the usual suspects
(Pastebin, Tor) for any similar evidence of a breach. You can see some more
details here: [https://breachinsider.com](https://breachinsider.com)

------
Artemis2
Cloudflare will not let you have individual users without the (unspecified)
“Enterprise” pricing plan. Even on the Business plan, we get to copy/paste one
password around the team. Great for security.

Every other service (especially that critical!) we use gives it away with the
actual service. I really dislike this about Cloudflare.

~~~
thebiglebrewski
Have you thought of using a group password manager like 1Password, Dashlane,
etc so you're not copy and pasting a password around the team? Just a
suggestion :)

~~~
Artemis2
We do use Dashlane and GPG for sharing secrets. In this article’s case I would
bet that nobody changed the account’s password because (i) it’s no one’s
responsibility (ii) they do not want to disrupt someone else’s workflow.

~~~
thebiglebrewski
Nice. Didn't mean to insinuate that you weren't. Yeah it's definitely not the
best thing but some people really do copy and paste passwords around!

------
dumbfounder
Anyone that hosts javascript for 3rd parties is a target for this type of
breach. That Coinhive miner script could easily be embedded into any other
javascript file.

~~~
wolco
Why did everyone stop hosting js files locally? Why not pull content from the
same server that is sending html? The speed improvement by using a cdn should
be low with the size of libraries these days.

~~~
dumbfounder
I wouldn't underestimate the value of the CDN. And updates.

------
0x0
Can you imagine the damage done to a CDN if the attacker would supply
extremely long Expire/Caching/key-pinning headers? All clients visiting the
malicious server would be cache poisoned for a loooong time.

~~~
AgentME
For extra fun, the attacker could send HTTP 301 redirects from the
(temporarily) stolen domain to a different domain. Browsers don't forget
those.

~~~
esnard
Clearing the cache actually clears cached redirections.

~~~
AgentME
Good luck to any victim site instructing the entirety of their userbase to do
that. Especially when the users can't access the site to begin with.
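Added example (not code from the thread or from Coinhive): a small audit of the response headers a temporarily hijacked origin served, flagging the three things described above that let a short hijack outlive itself: long freshness lifetimes, key-pin max-age, and permanent redirects that browsers keep reusing. The sample responses, the third-party.invalid host and the FIXED_NOW date are constructed for the example.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

FIXED_NOW = datetime(2017, 10, 24, tzinfo=timezone.utc)  # constructed: day of the breach
LONG = 7 * 24 * 3600  # anything cached longer than a week outlives most clean-ups

def parse_directives(value):
    """Turn 'public, max-age=600' or 'pin-sha256="x"; max-age=5' into a dict."""
    out = {}
    for part in re.split(r"[;,]", value or ""):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip().strip('"') or None
    return out

def freshness_lifetime(h, now=FIXED_NOW):
    """Seconds a cache may reuse a response whose headers (lowercase keys) are h."""
    cc = parse_directives(h.get("cache-control"))
    if "no-store" in cc or "no-cache" in cc:
        return 0
    for key in ("s-maxage", "max-age"):  # RFC 7234 precedence: s-maxage, max-age, Expires
        if (cc.get(key) or "").isdigit():
            return int(cc[key])
    try:  # a missing or malformed Expires counts as already stale
        return max(0, int((parsedate_to_datetime(h["expires"]) - now).total_seconds()))
    except (KeyError, TypeError, ValueError):
        return 0

def findings(status, headers, now=FIXED_NOW):
    """Ways one response could let a temporary hijack outlive the hijack itself."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_directives(h.get("cache-control"))
    pins = parse_directives(h.get("public-key-pins"))
    life = freshness_lifetime(h, now)
    out = []
    if status in (301, 308) and "no-store" not in cc:  # browsers reuse these without revalidating
        out.append("permanent redirect retained by browsers")
    if life >= LONG:
        out.append(f"cacheable for {life}s")
    if (pins.get("max-age") or "").isdigit() and int(pins["max-age"]) > 0:
        out.append(f"key pins enforced for {pins['max-age']}s")
    return out

SAMPLE = [  # constructed responses, as a hijacked origin for coinhive.min.js might have sent them
    (200, {"Cache-Control": "public, max-age=31536000", "Content-Type": "application/javascript"}),
    (301, {"Location": "https://third-party.invalid/coinhive.min.js"}),
    (200, {"Expires": "Wed, 24 Oct 2018 00:00:00 GMT", "Public-Key-Pins": 'pin-sha256="AAAA"; max-age=5184000'}),
    (200, {"Cache-Control": "no-store"}),
]
```

Running `findings` over each entry of SAMPLE flags the first three responses and passes the `no-store` one; the same check run over a proxy or CDN log of what was served during the hijack window tells you which clients need a cache purge rather than just a DNS fix.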

------
joshstrange
> This third party server hosted a modified version of the JavaScript file
> with a hardcoded site key.

A site key for a user on coinhive or pointed at a different website
altogether? If it's just a site key it should be dead-simple to close that
account:

    <script src="https://coinhive.com/lib/coinhive.min.js"></script>
    <script>
        var miner = new CoinHive.User('<site-key>', 'john-doe');
        miner.start();
    </script>

~~~
esnard
CoinHive has automatic payouts. They could easily close the account, but they
can't get Moneros back.

~~~
joshstrange
That's fair, I just expected there to be enough of a delay they would be
caught first but maybe not.

------
avitzurel
We use Okta internally.

As much as I hated it at first, we don't choose any provider that doesn't
support single sign on and multiple users.

You can choose a password policy that is different (stricter) than the
downstream services.

One more good thing about it is that you have all of your services in one
place and you know when you need to change password on one of them or all of
them. You can do it with a nice dashboard.

This made managing access a much nicer experience for us and I can imagine
will minimize things like that from happening.

~~~
dopamean
I used okta at my last job and IIRC there was a breach with HipChat that
necessitated us resetting our okta passwords as well. It turned out that using
okta for HipChat meant that okta just set your HipChat password to whatever
your okta password was. It did not leave me feeling very secure.

~~~
avitzurel
Yeah.

For us, we have a review process internally for every 3rd party we use. We
figure out the auth process and how secure it is etc...

------
ceejayoz
I'd say the internet was better off for a bit, but it looks like the hack just
temporarily made Coinhive's malware make money for a separate set of bad
actors for a while.

_edit:_ For the downvoters, if you've noticed your CPU fans running while
visiting a variety of sites lately, chances are Coinhive's the reason.
Non-consensual altcoin mining as a service!

~~~
taternuts
I hate the idea of that just as much as you do, but you can always add the
coinhive domain to your blocklist and be fine (just as you do with ad
providers). Also, I'd be willing to bet bad Ads are still way more of a cause
of CPU spikes/usage than coinhive.

~~~
wolco
coinhive promotes the option of hosting the files locally on the site domain
so a simple block may not work for all.

------
user5994461
"uBlock Origin has prevented the following page from loading: coinhive.com"

I can't read what it's about but it looks like it's already blocked.

Would anyone mind giving a summary?

~~~
ceejayoz
Click the "Disable strict blocking for coinhive.com temporarily" button.

~~~
user5994461
No thanks. I've seen enough zero days to learn not to do that, especially when
the only hint so far indicates the site was breached.

~~~
joshstrange
_sigh_ uBlock is blocking the site so your computer isn't used to mine coins.
It just blocks the whole domain, this is just a blog post.

------
fortythirteen
How is blowing out your visitor's CPU for profit, without an opt-in
notification, not malware itself?

Thieves stealing from thieves, IMHO.

Edit: from the downvotes to any comment that's critical of Coinhive I see the
Coinhivemind is not fond of simple ethical quandaries.

~~~
taternuts
Well, Coinhive has nothing to do with how certain people implement their lib,
they just provide it. It's really up to the site owner to ask for permission
to run it instead of forcing it (like ads).

~~~
ceejayoz
Coinhive could require sites to notify or ask permission, or even build it
into the script itself.

~~~
TimWolla
They support that using AuthedMine [1].

[1]
[https://coinhive.com/blog/authedmine](https://coinhive.com/blog/authedmine)

~~~
ceejayoz
Opt-in, "previous solutions will continue to work exactly as they did", and
only because they got blackholed by all the ad blockers in like 24h.

