Hackers Stole Over $20 Million From Misconfigured Ethereum Clients (bleepingcomputer.com) 65
Catalin Cimpanu, writing for BleepingComputer: A group of hackers has stolen over $20 million worth of Ethereum from Ethereum-based apps and mining rigs, Chinese cyber-security firm Qihoo 360 Netlab reported today. The cause of these thefts is Ethereum software applications that have been configured to expose an RPC [Remote Procedure Call] interface on port 8545. The purpose of this interface is to provide access to a programmatic API that an approved third-party service or app can query and interact or retrieve data from the original Ethereum-based service -- such as a mineror wallet application that users or companies have set up for mining or managing funds. Because of its role, this RPC interface grants access to some pretty sensitive functions, allowing a third-party app the ability to retrieve private keys, move funds, or retrieve the owner's personal details.
Re: (Score:1)
Re: (Score:2)
The russians just need to give up on that expensive country thing and just become a marketing firm. They were able to completely change the outcome of our elections spending only a couple hundred thousand bucks on some internet ads. Hilary spent quite a bit more and lost. Sounds like the most efficient marketing firm ever to me.
Re: (Score:2)
The Clinton campaign spent FAR more than that on online astroturfing trolls through Media Matters, Correct the Record, etc. Why no outrage over that?
Re: (Score:2)
I just read your link. The vast majority of those ads were in favor of progressive policies and organizations. Nice try tho.
Re: (Score:2)
That's the problem. Facebook doesn't really verify their ads for content. They'll only check after the fact if somebody complains. You can easily put up an ad saying "Vote for Candidate X" and get around any kind of campaign finance laws because nobody is keeping track of the ad content or doing their due diligence into who is paying for the ad. The Russians or anybody else could be pumping a whole lot of money into online advertising and swaying the vote, all while hiding where the advertising revenue was
Re: (Score:2)
You realize that Trump is in office because the Dem's were stupid enough to put Hillary on the ticket... had it been ANYONE else, (except maybe a socialist), the Oval Office would have been handed to the Democratic Party.
Re: (Score:1)
Anyone have the numbers? (Score:2)
Does anyone have the numbers- are you more likely to have money stolen from your wallet or your virtual wallet. For each $1 value in each- which is more vulnerable?
Seems to be a lot of big money heists from virtual wallets, but does that in %wise add up to more thefts per mano?
Re: Sounds like bad design (Score:2)
Not the default. It wasn't a failure to configure proper security, it was a decision people made to intentionally turn off default security.
But Crypto Currency is safe? (Score:3)
Was I lied to ?
Trust was to be decentralized so this cannot happen. The transaction is on the blockchain... so just fix it. :)
And I am sure it is backed by deposit insurance.... oh wait.....
Re: (Score:1)
Crypto is safe. Don't expose private RPC ports (that are disabled by default) to the internet if you don't know what you're doing.
Sorry for your loss. (Score:2, Insightful)
Being your own bank seems to work out well.
Re: Sorry for your loss. (Score:2)
Being your own bank is a bit like being your own armed defense. It's fine if you take the time to understand the role and get proper training.
Re: (Score:2)
Why! Dear God! Why!
I don't know why they're being blamed... but I fully endorse the blame Facebook train!
I'm in this field (Score:2, Informative)
Rpc for native clients has only been only been enabled for localhost. Someone or something has to configure it for remote access. It takes some work to make it happen
Re: (Score:3)
Like a massive router hack?
Re: (Score:2)
Re: (Score:2)
Insecure! (Score:2)
You mean writing apps on the blockchain doesn't make them magically secure? I am shocked!
So, Vitalik, gonna reverse all this? (Score:2)
Or are we still only doing this for the big players only, you fucking fraud?
Stolen? (Score:3)
Stolen seems like a strong word if the victims exposed an API online with calls to transfer away their balances....
Re: (Score:2)
Re: (Score:2)
Re: This sounds like designed for pilfering. (Score:2)
Managing the money in and money out is like the most basic API call for a cryptocurrency. What kinds of APIs would even be useful without those?
Who's fuckup was this? (Score:2)
How can you steal Tulips? (Score:1)
I mean, you say they're worth $200 million, but I say they make a fine bread for cookies.
All of this is due to certain nations permitting Russia and North Korea to hack to their hearts' content.
Percentage of currency (Score:5, Interesting)
The first thing I wondered was what percentage of the currency is that.
According to this site: https://etherscan.io/stat/supp... [etherscan.io]
The total market cap of etherium is $52B so $20M is about .2%. (1/5th of 1% in case the '.' is hard to see) of all etherium in circulation.
There's about $1.6T US dollars in circulation, so as a percentage of total money in circulation that $20M etherium heist is the equivalent of a $6B USD heist.
Admittedly an odd way of looking at it but it's hard to imagine somebody making off with $6B due to something as mundane as an RPC vulnerability.
BlockChain! BlockChain! (Score:2)
Re: (Score:2)
Re: (Score:2)
Blockchain is a complicated solution in search of a problem.
Re: (Score:2)