[Global DDOS attack!] OculusVR hacked again? MITM attack?

geekmaster
Petrif-Eyed
Posts: 2708
Joined: Sat Sep 01, 2012 10:47 pm

[Global DDOS attack!] OculusVR hacked again? MITM attack?

Post by geekmaster »

Maybe not safe to visit https://developer.oculusvr.com until they fix their SERIOUS security flaw!
oculsvr.jpg
Last edited by geekmaster on Tue Apr 22, 2014 8:14 am, edited 3 times in total.
geekmaster
Petrif-Eyed
Posts: 2708
Joined: Sat Sep 01, 2012 10:47 pm

Re: OculusVR hacked again? MITM attack?

Post by geekmaster »

It seems they are aware of the problem. A new screenshot:
oculsvr2.jpg
Popopinsel
Two Eyed Hopeful
Posts: 70
Joined: Thu Jan 24, 2013 7:55 am
Location: Cologne, Germany

Re: OculusVR hacked again? MITM attack?

Post by Popopinsel »

I guess it's because of the recently discovered OpenSSL heartbleed exploit. Nice.

geekmaster
Petrif-Eyed
Posts: 2708
Joined: Sat Sep 01, 2012 10:47 pm

Re: OculusVR hacked again? MITM attack?

Post by geekmaster »

I am dearly missing my external memory stored at the OculusVR forums already.

The main reason I moved most of my new post activity from here to there was the long outage here at MTBS3D. Is it now time to move back?
geekmaster
Petrif-Eyed
Posts: 2708
Joined: Sat Sep 01, 2012 10:47 pm

Re: OculusVR hacked again? MITM attack?

Post by geekmaster »

Popopinsel wrote:I guess it's because of the recently discovered OpenSSL heartbleed exploit. Nice.
I hope MTBS3D has protected themselves from that attack vector! Or are we immune here, not being HTTPS in the forums?

Nice? My literal mind finds that highly illogical. I can only assume that was satire/sarcasm, right? ;)

http://www.youtube.com/watch?v=lbg6xoS3K3U
geekmaster
Petrif-Eyed
Posts: 2708
Joined: Sat Sep 01, 2012 10:47 pm

Re: OculusVR hacked again? MITM attack?

Post by geekmaster »

Hmm... They are back to the "not the site you are looking for" page again... Not good. :(

http://www.youtube.com/watch?v=h7l8rWfLAus
Popopinsel
Two Eyed Hopeful
Posts: 70
Joined: Thu Jan 24, 2013 7:55 am
Location: Cologne, Germany

Re: OculusVR hacked again? MITM attack?

Post by Popopinsel »

geekmaster wrote:that was satire/sarcasm, right? ;)
Yes, Sir. ;) And because those things are part of my job and I (falsely) expected admins to take immediate actions I have to sarcastically say "well done". 8-)
Popopinsel
Two Eyed Hopeful
Posts: 70
Joined: Thu Jan 24, 2013 7:55 am
Location: Cologne, Germany

Re: OculusVR hacked again? MITM attack?

Post by Popopinsel »

geekmaster wrote:Not good. :(
Nope. R.I.P. SSL certificate... ;)

P.S.: http://heartbleed.com/
geekmaster
Petrif-Eyed
Posts: 2708
Joined: Sat Sep 01, 2012 10:47 pm

Re: OculusVR hacked again? MITM attack?

Post by geekmaster »

It did not take long for their "down for maintenance" page to get hacked too. Now you have to agree to a potential MITM to just view that "down for maintenance" page. Awesome hack, but awful results.

Do they need a new security cert now? I do not yet know details of that attack vector.

In the days before the DMCA/Patriot Act/etc., tunneling under paywalls was a fun thing to "read about"...

Popopinsel
Two Eyed Hopeful
Posts: 70
Joined: Thu Jan 24, 2013 7:55 am
Location: Cologne, Germany

Re: OculusVR hacked again? MITM attack?

Post by Popopinsel »

It was not directly a particular website of Oculus which was hacked; the attackers potentially have stolen/corrupted their SSL certificate. Bad thing: a) their certificate gets blocked by CAs and/or b) attackers use their certificate to sign a faked website and/or c) attackers corrupt their certificate so it's not validated anymore (which refers to a) ). We now see the results of either a) or c).
geekmaster
Petrif-Eyed
Posts: 2708
Joined: Sat Sep 01, 2012 10:47 pm

Re: OculusVR hacked again? MITM attack?

Post by geekmaster »

So, their cert is apparently blacklisted by the cert authority, and now they need a new one, eh?

In the case of MTBS3D and Technical Illusions, they use unsecured HTTP, so not a problem.

Why are the FORUMS at oculusvr.com locked in secure HTTPS, causing this mess? Only the oculus STORE should have been HTTPS, it seems...

Funny that secure websites are more vulnerable to hackers, eh?
geekmaster
Petrif-Eyed
Posts: 2708
Joined: Sat Sep 01, 2012 10:47 pm

Re: OculusVR hacked again? MITM attack?

Post by geekmaster »

Why would oculusvr.com be using a cloudfront.net certificate? Or do I have that backwards? Please enlighten me! Thanks!
oculsvr3.jpg
Popopinsel
Two Eyed Hopeful
Posts: 70
Joined: Thu Jan 24, 2013 7:55 am
Location: Cologne, Germany

Re: OculusVR hacked again? MITM attack?

Post by Popopinsel »

It's faked because the attackers stole their private key. That's what I guess. Or would do. Whatever. :D
Popopinsel
Two Eyed Hopeful
Posts: 70
Joined: Thu Jan 24, 2013 7:55 am
Location: Cologne, Germany

Re: OculusVR hacked again? MITM attack?

Post by Popopinsel »

geekmaster wrote:Funny that secure websites are more vulnerable to hackers, eh?
They're not. But they're more attractive. Because you usually protect vulnerable or sensible data ;) P.S.: most login actions, even on presumably unsecured websites, are SSL-secured.
Popopinsel
Two Eyed Hopeful
Posts: 70
Joined: Thu Jan 24, 2013 7:55 am
Location: Cologne, Germany

Re: OculusVR hacked again? MITM attack?

Post by Popopinsel »

cgp44
Binocular Vision CONFIRMED!
Posts: 281
Joined: Tue Oct 29, 2013 10:21 pm
Location: christchurch NZ

Re: OculusVR hacked again? MITM attack?

Post by cgp44 »

When oculusvr.com goes down completely, do the emotional clowns turn their intention to this site next?
geekmaster
Petrif-Eyed
Posts: 2708
Joined: Sat Sep 01, 2012 10:47 pm

Re: OculusVR hacked again? MITM attack?

Post by geekmaster »

The oculusvr website pages changed again. Now they look like this:
oculsvr4.jpg
geekmaster
Petrif-Eyed
Posts: 2708
Joined: Sat Sep 01, 2012 10:47 pm

Re: OculusVR hacked again? MITM attack?

Post by geekmaster »

Popopinsel wrote:
geekmaster wrote:Not good. :(
Nope. R.I.P. SSL certificate... ;)

P.S.: http://heartbleed.com/
Confirmed by Oculus support staff:
Chad (Oculus VR Support)
Apr 08 01:01 PM

Hello <geekmaster>,

I apologize for the delay.

We've taken our site down to address the internet wide Heartbleed issue.

We'll keep everyone updated at http://twitter.com/oculus

Thanks,

Chad
Oculus VR Support
I wish them luck. I am already suffering withdrawal symptoms.

I am hoping (desperately) that they come back before the sweating and shaking begins. :o
Last edited by geekmaster on Tue Apr 08, 2014 2:37 pm, edited 1 time in total.
geekmaster
Petrif-Eyed
Posts: 2708
Joined: Sat Sep 01, 2012 10:47 pm

Re: OculusVR hacked again? MITM attack?

Post by geekmaster »

Here are the latest Tweets:
Oculus ‏@oculus 2h
We've taken down http://oculusvr.com while we apply fixes for the internet-wide Heartbleed issue. Thanks for your patience!
Oculus ‏@oculus 1h
If you're interested in learning more about the Heartbleed vulnerability, we recommend reading http://heartbleed.com/ .
Oculus ‏@oculus 1h
We'll keep everyone posted on status as we bring http://oculusvr.com , Share, and the Developer Center back online.
cybereality
3D Angel Eyes (Moderator)
Posts: 11407
Joined: Sat Apr 12, 2008 8:18 pm

Re: OculusVR hacked again? MITM attack?

Post by cybereality »

The reason the site is down is because of the Heartbleed SSL bug.

We are working on it, and the site should be back up soon.

Thanks.
Popopinsel
Two Eyed Hopeful
Posts: 70
Joined: Thu Jan 24, 2013 7:55 am
Location: Cologne, Germany

Re: OculusVR hacked again? MITM attack?

Post by Popopinsel »

cybereality wrote:[...] be back up soon.

Thanks.
I doubt that. Crossing fingers nevertheless. OculusLover here. Just drunk. Palmer you know I love you. Proposal lover here, period.

Thanks.
cgp44
Binocular Vision CONFIRMED!
Posts: 281
Joined: Tue Oct 29, 2013 10:21 pm
Location: christchurch NZ

Re: OculusVR hacked again? MITM attack?

Post by cgp44 »

how long does it take oculus support to update a dll???
Did they not do that the other night?
Popopinsel
Two Eyed Hopeful
Posts: 70
Joined: Thu Jan 24, 2013 7:55 am
Location: Cologne, Germany

Re: OculusVR hacked again? MITM attack?

Post by Popopinsel »

cgp44 wrote:how long does it take oculus support to update a dll???
Did they not do that the other night?
Not that easy. It's more than just to update a link-library (now). Not to discredit OculusVR people, it's hard to recover after you got affected by an attack like this.
geekmaster
Petrif-Eyed
Posts: 2708
Joined: Sat Sep 01, 2012 10:47 pm

Re: OculusVR hacked again? MITM attack?

Post by geekmaster »

If their SSL cert is blacklisted (as it seems) they will need a new one...
Popopinsel
Two Eyed Hopeful
Posts: 70
Joined: Thu Jan 24, 2013 7:55 am
Location: Cologne, Germany

Re: OculusVR hacked again? MITM attack?

Post by Popopinsel »

openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

Doh! They got our private key! 8-)

P.S.: They will find a solution. Somehow.
cybereality
3D Angel Eyes (Moderator)
Posts: 11407
Joined: Sat Apr 12, 2008 8:18 pm

Re: OculusVR hacked again? MITM attack?

Post by cybereality »

Don't worry. We have all the guys working on this.

It's not as simple as just updating and restarting the server. There are lots of moving parts. We're getting to it, though.
thewolf20
One Eyed Hopeful
Posts: 14
Joined: Fri Apr 19, 2013 6:23 pm

Re: OculusVR hacked again? MITM attack?

Post by thewolf20 »

After I've visited the site and rebooted, my PC is really, really slow. Does this have something to do with the hack?
geekmaster
Petrif-Eyed
Posts: 2708
Joined: Sat Sep 01, 2012 10:47 pm

Re: OculusVR hacked again? MITM attack?

Post by geekmaster »

thewolf20 wrote:After I've visited the site and rebooted, my PC is really, really slow. Does this have something to do with the hack?
I hope your post doesn't infect my 'puter! ;)

Back in the days before Internet access, even before CDs, when apps and data were installed from floppy disks, those disks came with a plastic protection sleeve over them.

We called those plastic sleeves "diskette condoms". Hackers/nerds/geeks/techies in those days said the only way to keep a virus from infecting your computer was to never insert a "floppy disk" into your computer without a diskette condom. Of course that was just a joke...

One of our clients stuck her floppy disks to the side of her metal filing cabinet next to her desk (before the newer high-coercivity media), with refrigerator MAGNETS! She wondered why she kept needing new replacement disks.

And others folded up the old 5.25-inch floppies to fit into the slot in the newer 3.5-inch drives.

And too many folks really thought that new-fangled CD-tray was a coffee cup holder, and were upset when a reboot sucked that tray in, spilling their coffee! And reboots were required quite often in those days, before multitasking, when a program froze. If you did not warn them to remove their coffee cup from the CD tray before a reboot, the spill was all your fault!

And now even toddlers have no problems with modern tablet computers... Amazing!

http://www.youtube.com/watch?v=aXV-yaFmQNk

At least a paper magazine can't catch a computer virus from an infected web server. :o
Last edited by geekmaster on Tue Apr 08, 2014 8:16 pm, edited 1 time in total.
cybereality
3D Angel Eyes (Moderator)
Posts: 11407
Joined: Sat Apr 12, 2008 8:18 pm

Re: OculusVR hacked again? MITM attack?

Post by cybereality »

@thewolf20: I highly doubt your machine became slow just due to visiting the Oculus site. If you feel there is an issue, I'd suggest running a virus/malware scan and seeing if anything comes up.
Drewbdoo
Binocular Vision CONFIRMED!
Posts: 231
Joined: Tue Feb 12, 2013 11:02 pm

Re: OculusVR hacked again? MITM attack?

Post by Drewbdoo »

Wow, geekmaster, that all really took me back. I'm only 30, but have been a techhead all my life. I never actually owned a 5.25in floppy drive, but used a bunch at school. I remember all about the disk condoms and especially the cd rom coffee tray thing when those started showing up. Ah, memories.
cgp44
Binocular Vision CONFIRMED!
Posts: 281
Joined: Tue Oct 29, 2013 10:21 pm
Location: christchurch NZ

Re: OculusVR hacked again? MITM attack?

Post by cgp44 »

Was this an attack that did damage, or is Oculus now paranoid that all the emotionally overwrought folks are out to get them? The heartbeat description said it has a symptomless attack, other than having things copied.

Could someone outline the timeline as to what happened here please?
geekmaster
Petrif-Eyed
Posts: 2708
Joined: Sat Sep 01, 2012 10:47 pm

Re: OculusVR hacked again? MITM attack?

Post by geekmaster »

Drewbdoo wrote:Wow, geekmaster, that all really took me back. I'm only 30, but have been a techhead all my life. I never actually owned a 5.25in floppy drive, but used a bunch at school. I remember all about the disk condoms and especially the cd rom coffee tray thing when those started showing up. Ah, memories.
I am twice your age (and probably twice your weight too, but not for long!)...

And I still have THOUSANDS of 8-inch floppy disks too! And some reels of mag tape with my data on them, and paper tapes, and even punch card decks. The good old days, eh? I did steal the servo motors out of my reel-to-reel digital tape drive though before discarding it, to use in robot or CNC projects.

I left out a phrase (now added in yellow in that post) about the disks stuck to the filing cabinet using fridge magnets!

bobv5
Certif-Eyed!
Posts: 529
Joined: Tue Jan 19, 2010 6:38 pm

Re: OculusVR hacked again? MITM attack?

Post by bobv5 »

Sorry if I am being slow, but it looks like they took the site down as a precaution, not because of a hack?
"If you have a diabolical mind, the first thing that probably came to mind is that it will make an excellent trap: how do you get off a functional omni-directional treadmill?"
geekmaster
Petrif-Eyed
Posts: 2708
Joined: Sat Sep 01, 2012 10:47 pm

Re: OculusVR hacked again? MITM attack?

Post by geekmaster »

bobv5 wrote:Sorry if I am being slow, but it looks like they took the site down as a precaution, not because of a hack?
My web browser shows an SSL certificate problem (see the screenshots previously posted in this thread), which is symptomatic of their private certificate being stolen (a symptom of the hack flooding the internet). Follow the link previously provided for more info.

Even kickstarter was compromised, requiring a password change now. However, I was unsuccessful trying to log into kickstarter, so I will have to deal with that later.

Many more websites will be affected too. The hackers have read-only access to all of RAM, allowing them to copy SSL certs, and user credentials, and more (which is why password changes will be needed). A stolen private cert lets hackers masquerade as OculusVR, perhaps setting up their own store and stealing money from people who buy Oculus stuff from them. And more... Oculus will get a new SSL certificate if necessary, and whatever else is needed to make their site safe, before bringing it back on line, to be sure.

My guess would be no more than a week of downtime, and hopefully a whole lot less. I would LOVE to see them back up tomorrow morning. Only time will tell...
cgp44
Binocular Vision CONFIRMED!
Posts: 281
Joined: Tue Oct 29, 2013 10:21 pm
Location: christchurch NZ

Re: OculusVR hacked again? MITM attack?

Post by cgp44 »

geekmaster wrote: A stolen private cert lets hackers masquerade as OculusVR,
How does this happen? It seems hyperbole to me. We just get a certificate invalid warning.
ExZero16
One Eyed Hopeful
Posts: 8
Joined: Fri Jan 24, 2014 6:25 pm

Re: OculusVR hacked again? MITM attack?

Post by ExZero16 »

The cloud front security warning is an Amazon service. Oculus probably uses Amazon cloud front for website redundancy and I'm assuming that since they completely took their website offline, the forwarding isn't working correctly and you're getting stopped at a cloud front gateway and that's why you get the cert warning (cert is not actually matching the DNS name of the website you're visiting). I could be wrong on this because I don't know the full setup of their website. I doubt it is a man in the middle attack, the reason being you're going to oculusrift.com and something would have to provide you the wrong IP when you do the DNS lookup on oculusrift.com. I'm using Google's DNS and I doubt Google has the wrong IP address for Oculus and that would mean that their name server got hacked too. SSL MITM attacks are usually performed by rogue network devices (access points are big ones), malware that gives you bad DNS responses (bad host entries in your hosts file), and malware on the website side that can respond with false information (website is completely down so I doubt that).

I am very surprised that they don't have external scanning for PCI compliance (external services that test your network for known security flaws). That SSL security flaw has been known for a couple of years and if they had any type of external scanning they would have known a long time ago. They need some good network/security engineers and they should sit down with some of the IT team at Facebook (security officer, DIT, lead architecture engineer) and figure out some best practices.

Just my two cents.

Btw, don't know if their cert is bad/private key stolen but they might as well get a new one. They aren't expensive and better safe than sorry (someone steals credit card info that will be expensive for them).
Last edited by ExZero16 on Tue Apr 08, 2014 10:03 pm, edited 1 time in total.
ExZero16
One Eyed Hopeful
Posts: 8
Joined: Fri Jan 24, 2014 6:25 pm

Re: OculusVR hacked again? MITM attack?

Post by ExZero16 »

I hate auto correct :(
geekmaster
Petrif-Eyed
Posts: 2708
Joined: Sat Sep 01, 2012 10:47 pm

Re: OculusVR hacked again? MITM attack?

Post by geekmaster »

cgp44 wrote:
geekmaster wrote: A stolen private cert lets hackers masquerade as OculusVR,
How does this happen? It seems hyperbole to me. We just get a certificate invalid warning.
The Heartbleed hack lets hackers grab the private key. With that, they can do naughty things to get the certificate blacklisted. One of those naughty things is if they control ANY computer on the traceroute path, allowing them to decode or INJECT traffic into a secure data stream (such as store purchase transactions and credit card information). That *is* a MITM attack.

However, the cloudfront cert we were seeing may well have been provided by an Amazon cloud server hosting the OculusVR "down for maintenance" web page, which did not include a cert belonging to oculusvr.com (a misconfiguration?)...

However, thankfully, they seem to be back online now, so all that is just a moot point. Whatever happened, and whatever COULD have happened, are behind us (unless credit card data was captured while resident in RAM on the hacked server).

Yay! It works again!

EDIT: Why would things you do not understand (such as how I phrase my ideas) sound like "hyperbole"? That does not sound like it comes from an open mind, willing to view things from a different PoV. I do not understand such a limited way of thinking... We are different, with different experiences and different ways of thinking, and we can learn from each other. You probably know far more than I at many things. I do not call your differing thoughts that you share "hyperbole"...
Last edited by geekmaster on Wed Apr 09, 2014 3:00 am, edited 2 times in total.
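The name check behind the warning discussed in ExZero16's and geekmaster's posts above, as an added example that is not part of the thread: a strict hostname comparison against a certificate's DNS names, run on two constructed certificates (their names are assumptions, since the real certificates' contents are not on this page). The check only compares names; it says nothing about revocation or whether a private key was exposed.

```python
"""Added example: strict hostname check against a certificate's DNS names."""

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
# These names are assumed for illustration, not taken from the real certificates.
CDN_DEFAULT_CERT = {
    "subject": ((("commonName", "*.cloudfront.net"),),),
    "subjectAltName": (("DNS", "*.cloudfront.net"), ("DNS", "cloudfront.net")),
}
HYPOTHETICAL_SITE_CERT = {
    "subject": ((("commonName", "*.oculusvr.com"),),),
    "subjectAltName": (("DNS", "*.oculusvr.com"), ("DNS", "oculusvr.com")),
}


def dns_names_from_peercert(cert):
    """Return the DNS names a client should compare the hostname against."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # Legacy fallback: commonName, used only when no SAN dNSName is present.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def _labels(name):
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """True if one certificate name covers hostname (strict wildcard rules)."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    # A wildcard may only be the entire left-most label of the pattern.
    if any("*" in label for label in p[1:]) or any("*" in label for label in h):
        return False
    if p[0] == "*":
        # "*.com" is refused: at least two labels must follow the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcards such as "dev*.example.com"
    return p == h


def check_certificate(hostname, cert):
    """Return ("ok", matched_name) or ("name_mismatch", None)."""
    for name in dns_names_from_peercert(cert):
        if name_matches(name, hostname):
            return ("ok", name)
    return ("name_mismatch", None)


if __name__ == "__main__":
    host = "developer.oculusvr.com"
    for label, cert in (("CDN default cert", CDN_DEFAULT_CERT),
                        ("site cert", HYPOTHETICAL_SITE_CERT)):
        print(label, "->", check_certificate(host, cert))
```
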
geekmaster
Petrif-Eyed
Posts: 2708
Joined: Sat Sep 01, 2012 10:47 pm

Re: [BACK ONLINE] OculusVR hacked again? MITM attack?

Post by geekmaster »

NEW PROBLEM!

When I went to OculusVR, I was automatically logged in, but I could not see options to view unread posts or to view my posts. I cleared my browser cache, and then it wanted me to log in again.

I had changed my password last week, after I got a "Password Expired" message while trying to login, on a computer for which I had cleared my browser cache. It said it would email me instructions to reset my password. I never did get that email, and I could never login again using that computer.

However, my NEW password is giving me ANOTHER "Password Expired" message, on my main computer that just had its browser cache cleared. I wonder if I will get that email this time.

I have had similar problems with Kickstarter (since yesterday), and with Technical Illusions (no activation email received). Luckily, Technical Illusions somehow activated my account without that email.

But at this time, I cannot login to Kickstarter, and much worse, I cannot login to OculusVR (except on a different computer with uncleared browser cache, but the "view" options are not working).

What to do? Hmm...

EDIT: Another complication of clearing my browser cache: Google mail will not let me login to SEE if I got that email from oculus. It wants to verify my account with an SMS message to my phone, but the beep will probably wake my wife. Not good! Even the key beeps to change phone notification sounds may wake her. I need to wait at least TWO hours before that is a good idea. I normally only sleep two or three hours per night, so I need to be quiet the rest of the time before she awakes. Messing with my cellphone is not a good idea... Having to repair damage from a cleared browser cache sucks at this early hour, but the Oculus website repair seems to require that...

EDIT2: I just noticed gmail has a "skip" option on that SMS verification. Choosing that shows the Oculus password reset email. Progress resumes... [But still, having to reset my password twice in two weeks (two hacks?) seems a bit much. I hope ALL required patches and updates have been installed to prevent another password reset in the near future, but the site came back online so fast that it makes me wonder if that could have been done. We will see...]

EDIT3: There are no new Tweets since the ones I posted previously. No news about being online again. It seems to be working fine, and I just replied to a PM sent to me before it went down.
cgp44
Binocular Vision CONFIRMED!
Posts: 281
Joined: Tue Oct 29, 2013 10:21 pm
Location: christchurch NZ

Re: [BACK ONLINE] OculusVR hacked again? MITM attack?

Post by cgp44 »

Sorry for using 'hyperbole'. Would 'amazing' be better?
Lots of people call my ideas crap. We live in complicated technological times with many black boxed things, ideas and assumptions.