Hacker News new | past | comments | ask | show | jobs | submit login
Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins (wired.com)
171 points by muneeb on Aug 7, 2014 | hide | past | web | favorite | 64 comments



I work in InfoSec and it is mind-boggling to see the sophistication levels of some of the Bitcoin heists, like this BGP incident. When was the last time you saw a BGP attack? 99.9% of real-world attacks don't even bother targetting such a core routing service. Another example: in March 2012, internal Linode management infrastructure was compromised to steal 47k BTC: http://blog.zorinaq.com/?e=67 http://www.theregister.co.uk/2012/03/02/linode_bitcoin_heist... This means attackers had effectively root access to any Linode's customers' VM! When was the last time you saw an entire cloud provider environment being compromised?

I like to see it as ISPs and cloud providers increasing their security and patching vulnerabilities thanks to Bitcoin's growing adoption :)


That there is this level of investment is not particularly surprising when the item is fungible for cash (even at a fractional rate to market). There is the added kicker that often the failure/loss will go unreported if the victim has more to lose than the attacker (see early Mt Gox moves at 'covering' the fact that bitcoins were stolen).

It is difficult for me to imagine a better way to incentivize the creation and deployment of malware than Bitcoin today.


Well given how long Target and others sit on massive CC data breaches you'd have to say the same incentives exist for CC attacks and bitcoin.


That is true, but as we've seen in both the Krebsonline posts and elsewhere converting a stolen credit card into cash has more risk than converting bitcoin into cash. Some of the things that make bitcoin useful (its cash like behaviors) also make it a juicier target I think.


Actually, based on the numbers in the article I do find the level of investment surprising.

> Though each redirection lasted just 30 second or so, the thief was able to perform the attack 22 times, each time hijacking and gaining control of the processing power of a group of bitcoin miners

> At its peak, according to the researchers’ measurements, the hacker’s scam was pocketing a flow of bitcoins and other digital currencies including dogecoin and worldcoin worth close to $9,000 a day.

An estimated 22 half-minute episodes of hijacking a flow worth $9000 / day. There are 1440 minutes in a day, so $9000*11/1440 = $68.75 . The means here are much more impressive than the ends.

edit: forget what I said, the article later says that $83,000 of currency was taken.


The half minute window was only required to reprogram mining pools to mine into the attackers pool. The effects of the attack last much longer than the time needed to execute the attack.


People were mining for him for weeks at a time without realising anything was amiss.


It's a fundamental problem with bitcoin in that it hugely incentivizes computer hacking. The more widespread bitcoin and blockchain becomes, the greater the incentive. There will be a lot of collateral damage from all this.


The great thing about this is it that it puts a floor on the bounty on all network bugs. Since we know that lots of national security folks are regularly exploiting various bugs for their own purposes, this means that the internet will be significantly improved. I see it as a bonus.


The unfortunate thing about this is a lot of people are going to lose a lot of money before either 1. Mainstream web security catches up to the cleverness of the bitcoin hackers or 2. People lose faith in bitcoin because the internet is generally not secure enough to support it.


Lots of money has been lost in other security breaches, oftentimes with much worse consequences because the data is centralized. This hasn't stopped people from shopping at Target for instance.

The nice thing is, security breaches in a decentralized network like bitcoin serve to make the entire network anti-fragile. There's a huge incentive for people with bitcoin to secure their own bitcoins against known exploits and hence make that exploit null while inevitably protecting against similar class exploits.


The difference is that with the Target breach, people knew that they would get their credit card $$ back.


But the way this is implemented is "credit card companies will take 3% of every transaction they perform, and then give back a very small portion of that to counteract fraud". The power we give these organizations - basically a 3% tax on every transaction - is mind boggling.


The credit card companies don't actually don't give up part of their 3%. Chargebacks are up to the merchant: http://en.wikipedia.org/wiki/Chargeback_fraud.


Compared to the spread and inconvenience on $ -> bitcoin -> $ transactions, that's quite cheap.

Keeping bitcoin online enough for convenient transactions carries the small but important risk of losing your entire wallet.


True, and there are benefits you get for that 3% (rental car insurance, reduced cost of a mugging, etc. etc.) but I still wonder if cash (not necessarily bitcoin) would be better for the system as a whole for everyday purchases.


Keep in mind that cash has costs too. It has to be counted and secured. You have to hire a security company to pick up deposits and most banks charge for cash deposits over a certain amount.


But then that tax gets selectively reimbursed via dividend to shareholders. Upward redistribution.


There are externalities to this "you don't have to worry at all about the security of your credit card info" feature.


Barely 0.01% of the world population uses Bitcoin and we already see a technology on the market that is expected to significantly improve security, and this was the result of 1+ year of engineering effort from teams of engineers: hardware wallets like http://www.bitcointrezor.com So security isn't great overall right now, but clearly it is improving way ahead of time with respect to a potential mainstream adoption of Bitcoin.


It seems to be a transitional period where people must trade security for freedom, while the industry figures out the security part.

Much like early immigrants to North America who had leaving the stability and safety of UK/European banks for an emerging market and/or the Wild West.


You should not "invest" in bitcoin if you cannot afford losing it. So I would not shed a single tear.


I agree. I actually leverage this by leaving a couple Bitcoins unencrypted in my 1Password file and have setup an alert to let me know if any of those coins ever move. Which would be a good indication that its time to use a new password manager.

Seems like the right kind of way to do a canary.


At the same time, it hugely incentivizes improvements in computer security. After all, it's "our" fault for still using crappy and buggy Linux, Windows and Mac OSes, written in crappy and error-prone languages such as C and C++. Mind you, this crappy software is responsible for a lot more thefts than just bitcoin (e.g. China hacking and stealing trade secrets), but with bitcoin, you can put a definitive (if volatile) dollar price on the hacking.


Sounds like a problem with computers, not Bitcoin.


Yes. I believe the same sophisticated attack could be used to target banking systems. It would just need a few more sophisticated services to be in place or more inside information.

But why bitcoin is targeted?

Because bitcoin is an open protocol, they could target it's root, mining rigs because that's where the value is generated. In banking systems, to generate money you need to have internal access and secure credits .


Bitcoin is targeted because it's a digital asset, true digital cash. Banks don't have that. You can never really own your bank money in digital form, it always stays in the bank's computers.


No I'm not talking about targeting banks directly. What about targeting consumers or ecomm sites? A consumer need to give card information, websites should make vpos operations.

These can be target vectors too.


The same thing can be said about credit cards. If there is a problem with Bitcoin (and I'm not sure that there is) it is that unlike with credit cards there is no possible recovery of stolen coins.


Converting stolen CC numbers to cash actually turns out to be difficult since government and other authorities can revoke the cards, freeze fraudulent merchant accounts, and seize assets once they've hit your bank accounts. You have to mitigate all of these risks and won't always be successful.

If you manage to steal Bitcoin, you can transfer it all to your personal wallet in one transaction in broad daylight and, by design, no one can stop you or reverse the transaction once it's discovered to be fraudulent. Maybe run it through a darknet tumbler for good measure, but you're basically home free the second you get the private keys.

Stealing $100m worth of Bitcoin would be massively more valuable than stealing CC numbers with access to $500m in credit because you can actually cash out all of it. So much larger R&D budgets and more sophisticated attacks make financial sense.


I think this is really the sticking point that makes consumer Bitcoin adoption pretty much impossible, as the level of computer security required to keep Bitcoin safe and easy to use at the same time is just not something available to your average joe.

If your private key is compromised, the thief takes your entire balance, and there's nothing you can do about it. So you really want to keep it safe.

Lose your private key, lose everything it was protecting. So keeping the key in only one place, and one place where only you can access, is a big problem. There is nobody out there to give access to your money if you pass away. A hardware failure can be catastrophic.

The problem is that everything that makes the private key survive accidents makes it easier to hack. The way we treat something like this in a corporation is with things like shared secrets: Need 3 out of 5 people to use their issued keys so that the real private key protecting everything is revealed. And even with that level of effort, getting the key is still possible with enough effort.


Exactly. Nobody is going to want to manage their own bitcoin holdings, much as I don't keep all of my savings in a safe in my house. So that gets out-sourced and insured, and somebody has to pay for that. I expect it's much less than the credit card's take, but when it's paid for by the consumer it's much different psychologically. Consumers are going to have to get a cut of the savings.


There is good research that indicates that the bottleneck in electronic bank theft is finding the endpoints that are irreversible (think ATMs). Doubling the amount of stolen credit cards wouldn't come anywhere close to doubling the amount of money stolen out of the system.

With Bitcoin, every marginal theft adds 100% to the total Bitcoin thefts.


Could you give a citation for that? Not saying I disbelieve you, it sounds plausible, but I'd be interested to read that research.


That's not a problem, it's a feature. It's like saying "the problem with gold is that you can't recover it". But that's precisely what gold holders want: Not letting the government "recover" it (ie. seize/steal it).


Nothing fundamental with bitcoin, same thing happens with online banking. In general, people will try to steal anything of value.


It is incredible, the equivalent of the "Oceans" movies but electronic instead. For everyone one of these sophisticated attacks there is a huge number of smash and grabs.

Really interesting stuff. It is only getting better as well (imho). I am honestly not noticing any increase in security aptitude in the average engineer. People are still making the same mistakes.


Maybe I should buy some Bitcoin... Keeping a online wallet may be a great way to test a computer's security.

(Ok, half kidding, it's not secure, whatever computer I could talk about.)


> I like to see it as ISPs and butt providers increasing their security and patching vulnerabilities thanks to Bitcoin's growing adoption :)

They'd have every reason already to increase their security. So I'll take the other approach, and continue to enjoy popcorn when I read about yet another one of these heists.


What are you using to replace "cloud" with "butt" :)



best extension ever


The infamous Cloud2Butt browser extension strikes again.


The finger-pointing at BGP is red herring: the problem is that the stratum protocol has zero authentication. If you can intercept those streams, you can trivially ask anyone to start mining for you instead. This could also have been done using DNS poisoning, ISP-side intercepts, or anything else in the standard bag of tricks. http://blog.kevmod.com/category/bitcoin/


Indeed, for bitcoin it's a solvable problem, however let's not let that distract us from the monumental revelation that BGP hacking is so easy to do that someone motivated by a relatively paltry reward can pull it off.

This is one aspect of bitcoin that I really like, it shows us where the weaknesses are.


You're certainly not looking, because BGP insecurity is very old news.


Here is the link to the original research.

http://www.secureworks.com/cyber-threat-intelligence/threats...


Upvote the parent!


The lack of auth and encryption is only part of the problem with Stratum's implementation. At Toorcamp 2014 I presented about the vulnerabilities discovered when looking into common miners and their impact on the network. More details available in the associated white paper:

http://www.dejavusecurity.com/blog/2014/7/15/bitcoin-researc...


Could this be prevented by adding some TLS to the mining control channels?


Yes.

It's both hilarious and ironic that they didn't.


It's mind boggling to me that this wasn't done a year or two ago.

If bitcoin were genuinely anonymous (it isn't, because it's highly linkable, even if essentially pseudonymous), it would probably be vastly more dangerous in this way -- there would be billions of dollars spent on exploiting security outside bitcoin++ to steal bitcoin++.


> It's mind boggling to me that this wasn't done a year or two ago.

Two years ago, obtaining the same amount of bitcoins as this attack did would net you 1/100th the profit in dollars (bitcoins were around $6 a piece two years ago).

I think it's likely that attackers started considering this scheme around a year ago, when the bitcoin price shot up to $100, and the potential rewards became sizable.


Nobody has pointed it out so far. Since it is an attack on IP routing, it could be prevented by using SSL for the Stratum protocol used by mining pools.


Would it? With this sophistication and latest exposures of CAs security I'm not fully sure that TLS MITM is a remote probability.


I know a number of people who got hit by this type of reconnect attack. I suspect I may have been hit by it for short periods of time. Most of the big altcoin pools were targeted. Soon after most miner software was modified to disable this Stratum feature but there are still plenty of other issues with the Stratum protocol as highlighted by other comments.


Wow. Not sure why they don't name-and-shame the ISP, but that's really ridiculous.


As a Canadian, using a Canadian ISP, I would like to know as well.

Not entirely surprised regarding rogue employee possibility.


There are two things at play here: attacker has to have access to one ISP to inject the route (eg. rogue employee) and there has to be another ISP that accepts such route from BGP (I would say that filtering weirdly specific routes is good and common practice). When you have access to ISP network you don't have to inject things into BGP to attack your own customers.


A /24 is not a 'weirdly specific route'. I agree, that the upstream should have been filtering things, but you can't expect them to just filter out all the /24's.

For example, Google DNS anycast would stop working: http://bgp.he.net/net/8.8.8.0/24 as would basically anyone else doing anycast.


NANOG post from this morning has the AS path:

http://mailman.nanog.org/pipermail/nanog/2014-August/069131....

I'm unsure exactly which was originating the route.


"the CTU research team provided the BGP evidence to the upstream ISP closest to the origin of the malicious activity."

I think this likely means it's a smaller ISP.


Jack Bauer will take good care of this issue


Link is a 404 for me.




Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: