Author

Topic: How can we prevent this attack from recurring? (Read 1246 times)

-ck
legendary
Activity: 4088
Merit: 1631
Ruu \o/
August 15, 2014, 06:13:30 AM
#5
TLS requirement is overkill. Simply preventing redirection to a URL from a different domain is enough to avoid it and has been successful at doing so for a while now. The report is for ancient versions of software that have long since provided protection against it. Mining is changing so rapidly that any news you read outside of these forums is long since ancient and irrelevant by the time it's published.
staff
Activity: 4284
Merit: 8808
BFGminer supports TLS and can do cert validation.

Or better, just run P2Pool. This sort of thing isn't a threat when you're not blindly selling your hashrate to third parties.
member
Activity: 96
Merit: 10
esotericnonsense
Pretty much any boring auth method would work.

You don't need a CA or WoT even to gain a huge improvement on the current status quo.

See SSH 'known hosts'. After first connection, halt work and sound a bell / send e-mail to hardware owner if the key changes.
legendary
Activity: 3472
Merit: 4801
http://www.secureworks.com/cyber-threat-intelligence/threats/bgp-hijacking-for-cryptocurrency-profit/

1) Get access to a switch at an ISP (or, really, anywhere in the network fabric)
2) Divert mining getwork requests to the cracker's own pool server
3) Run a mining pool that none of the participants know they're in
4) Don't pay the participants.
5) Profit!

Have miners sign the getwork reply?
legendary
Activity: 924
Merit: 1132
http://www.secureworks.com/cyber-threat-intelligence/threats/bgp-hijacking-for-cryptocurrency-profit/

1) Get access to a switch at an ISP (or, really, anywhere in the network fabric)
2) Divert mining getwork requests to the cracker's own pool server
3) Run a mining pool that none of the participants know they're in
4) Don't pay the participants.
5) Profit!

Jump to: