Topic: 135 BTC Stolen from my Deepbit account!!!!!!!! - page 4. (Read 29136 times)

hero member
Activity: 742
Merit: 500
E-mail confirmation should be working now.
PM me if your e-mail was non-existent or you can't receive the message.
legendary
Activity: 1400
Merit: 1005
Even though my account appears to be fine, I appreciate you being completely transparent with us Tycho, and taking full responsibility for it.  Much respect.
full member
Activity: 126
Merit: 101

Quote
408,162,404,503,791,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000

Hint: scientific notation.

He's learning. Unfortunately, still wrong conclusions
hero member
Activity: 742
Merit: 500
Last week it was slush's pool that succumbed to an as yet unidentified failure ... and now deepbit gets hacked for a measly 150 BTC.
I'm not sure yet how the attacker got the passwords, but some of his data was not correct.
Maybe he sniffed the mining traffic and tried to log in with the same credentials, maybe he used some other kind of exploit.

I'll look into it after finishing with the confirmation system.
legendary
Activity: 2198
Merit: 1311
My deepbit password is now over 20 characters long with caps and symbols.
That just shortened the time to crack now didn't it?

How so?

Because now you don't have to waste time searching all the combinations between 1 and 20 characters.

Well, sure.  But you've still got to search through at least all the 20 character combinations and the password is longer than that so it's still a pretty big task.  But, yes, you're right, it'll take less time.  Less time to make a realistic difference?  Probably not.

80 bits is considered safe. 20 characters of letters+numbers make it 20*6=120 bits, an overkill (even if the attacker knows how many bits there are exactly).

That's what I thought, but, hey, apparently I'm a dummy for revealing this personal data on a public forum.

You shouldn't take this personally; in fact, you should be gracious. I was reminded to be more aware of accidentally revealing personal info online.

To be clear, the personal info I revealed is that my password is more than 20 characters long.  I just don't see how telling the world that my password is more than 20 characters long compromises me that much.  You've still got to test a huge set of keyboard characters, including capitalization, for 20+ character passwords, and for all anyone knows my password could be 40 characters long.  Just for reference, if my password is exactly 21 characters long, and if it uses upper and lower case alphabet characters plus numbers and common symbols, then there are 408,162,404,503,791,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 possibilities.
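The length debate above, worked through numerically as an added example (not from any poster in the thread): how many bits a fixed-length password over a given alphabet gives, how little an attacker gains from knowing the exact length rather than an upper bound, and what that means in expected cracking time. The guess rate is an assumed figure for illustration.

```python
import math

# Assumed guess rate for the illustration (not a figure from the thread): 1e9 guesses/second
GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def exact_length_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of exactly `length` symbols."""
    return length * math.log2(charset_size)


def up_to_length_bits(charset_size: int, max_length: int) -> float:
    """Bits for the space of all lengths 1..max_length (attacker does not know the length)."""
    return math.log2(sum(charset_size ** k for k in range(1, max_length + 1)))


def length_leak_bits(charset_size: int, length: int) -> float:
    """Bits an attacker saves by knowing the exact length instead of only an upper bound."""
    return up_to_length_bits(charset_size, length) - exact_length_bits(charset_size, length)


def expected_years_to_crack(bits: float) -> float:
    """Expected time to hit a uniformly random password: half the space on average."""
    return (2 ** bits / 2) / GUESSES_PER_SECOND / SECONDS_PER_YEAR


if __name__ == "__main__":
    # 62 = letters+digits (the '20*6=120 bits' estimate above), 94 = all printable ASCII
    for name, charset, length in [("letters+digits", 62, 20), ("printable ASCII", 94, 21)]:
        bits = exact_length_bits(charset, length)
        print(f"{name}, {length} chars: {bits:.1f} bits; "
              f"knowing the length saves {length_leak_bits(charset, length):.3f} bits; "
              f"~{expected_years_to_crack(bits):.2e} years at {GUESSES_PER_SECOND:.0e} guesses/s")
```

Knowing the exact length removes only about log2(c/(c-1)) bits, a few hundredths of a bit for any realistic alphabet, so the poster's concern is negligible next to the 80-bit threshold quoted in the thread.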
hero member
Activity: 742
Merit: 500
Either the email verification is taking a long time - or it's not working.
It's not deployed yet, I'm testing it atm. Wait a bit more please.
hero member
Activity: 481
Merit: 500
Either the email verification is taking a long time - or it's not working.
hero member
Activity: 575
Merit: 500
The North Remembers
+1 Tycho. Most people wouldn't be so nice. Sounds like some of the people attacking mt. gox have been looking for other attack vectors.
vip
Activity: 1052
Merit: 1155
Bitcoin addresses of all users were removed by me in order to implement a new system for enhanced security.
Additional details will be available shortly.

I found that someone changed bitcoin addresses of some users. I'm not sure how the attacker got passwords, but now you'll have to use e-mail confirmation for changing your wallet address.
I'm very sorry that I haven't implemented this feature earlier, so your stolen bitcoins will be reimbursed.
(Please note: I can't guarantee that I can do such reimbursement in the future).

Your money is safe and I'll give instructions on setting your address again. Please wait.

A total of ~150 BTC were stolen: 136 from this user and ~14 BTC from others.

Wow!
That is very generous of you!
Can I ask about how many users had their bitcoin addresses changed?
So this sounds like it means that none of my employees violated my trust.  (I'm still implementing stronger security measures.)
Would you agree?

I have been worried all day about who could be a thief at my company.
I was worried even more about it than the missing bitcoins.

Thank you again, and I will gladly continue mining with deepbit because of your help!  (I'll keep a much lower balance though)
hero member
Activity: 742
Merit: 500
Bitcoin addresses of all users were removed by me in order to implement a new system for enhanced security.
Additional details will be available shortly.

I found that someone changed bitcoin addresses of some users. I'm not sure how the attacker got passwords, but now you'll have to use e-mail confirmation for changing your wallet address.
I'm very sorry that I haven't implemented this feature earlier, so your stolen bitcoins will be reimbursed.
(Please note: I can't guarantee that I can do such reimbursement in the future).

Your money is safe and I'll give instructions on setting your address again. Please wait.

A total of ~150 BTC were stolen: 136 from this user and ~14 BTC from others.
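The e-mail confirmation step described above, as an added example of how such a two-step payout-address change can be built (this is illustrative code, not deepbit's implementation): a web request only records a pending change and mails a random token; the address is applied only when that token is presented back within its lifetime, once. The mail hook, the 15-minute lifetime and the sample user are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a confirmation token is good for 15 minutes


@dataclass
class PendingChange:
    new_address: str
    token: str
    expires_at: float


class PayoutAddressChanger:
    """Two-step address change. Someone holding only the password (sniffed, guessed or read off
    a screen) can create a pending request but cannot finish it without the registered mailbox."""

    def __init__(self, send_email):
        self.addresses = {}           # user -> confirmed payout address
        self.pending = {}             # user -> PendingChange (one outstanding request per user)
        self.send_email = send_email  # hypothetical hook: callable(user, body)

    def request_change(self, user: str, new_address: str, now: float = None) -> None:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self.pending[user] = PendingChange(new_address, token, now + TOKEN_TTL_SECONDS)
        # the token is never shown in the web session; only the registered mailbox receives it
        self.send_email(user, f"Confirm payout address change to {new_address}: {token}")

    def confirm_change(self, user: str, token: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        pend = self.pending.get(user)
        if pend is None:
            return False
        if now > pend.expires_at:
            del self.pending[user]        # expired: discard even if the token would match
            return False
        if not hmac.compare_digest(pend.token, token):
            return False                  # constant-time compare; a wrong token changes nothing
        del self.pending[user]            # single use
        self.addresses[user] = pend.new_address
        return True
```

A production version would also notify the old address or the account owner when a request is created, so a pending change the user did not make is itself a signal of a compromised password.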
hero member
Activity: 588
Merit: 500
Code:
error@underground ~ $ host 94.75.217.249
Host 249.217.75.94.in-addr.arpa. not found: 3(NXDOMAIN)
error@underground ~ $ whois 94.75.217.249
[Querying whois.arin.net]
[Redirected to whois.ripe.net:43]
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '94.75.217.0 - 94.75.217.255'

inetnum:        94.75.217.0 - 94.75.217.255
netname:        LEASEWEB
descr:          LeaseWeb
descr:          P.O. Box 93054
descr:          1090BB AMSTERDAM
descr:          Netherlands
descr:          www.leaseweb.com
remarks:        Please send email to "[email protected]" for complaints
remarks:        regarding portscans, DoS attacks and spam.
remarks:        assignment LEASEWEB 20080723
country:        NL
admin-c:        LSW1-RIPE
tech-c:         LSW1-RIPE
status:         ASSIGNED PA
mnt-by:         LEASEWEB-MNT
source:         RIPE # Filtered

person:         RIP Mean
address:        P.O. Box 93054
address:        1090BB AMSTERDAM
address:        Netherlands
phone:          +31 20 3162880
fax-no:         +31 20 3162890
abuse-mailbox:  [email protected]
nic-hdl:        LSW1-RIPE
mnt-by:         OCOM-MNT
source:         RIPE # Filtered

% Information related to '94.75.192.0/18AS16265'

route:          94.75.192.0/18
descr:          LEASEWEB
origin:         AS16265
remarks:        LeaseWeb
mnt-by:         OCOM-MNT
source:         RIPE # Filtered
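The lookup above is RPSL, the record format the RIPE database returns. As an added example (not code from anyone in the thread), here is a small parser for that format and a helper that pulls out what an abuse report to the hosting provider needs: the assignment, its holder and country, the abuse mailbox and the origin AS. The sample is an abridged copy of the output quoted above with the redacted mailbox replaced by a placeholder.

```python
import re

# Constructed sample: abridged from the RIPE output quoted in the thread; placeholder mailbox
SAMPLE_WHOIS = """\
% Information related to '94.75.217.0 - 94.75.217.255'

inetnum:        94.75.217.0 - 94.75.217.255
netname:        LEASEWEB
descr:          LeaseWeb
country:        NL
source:         RIPE # Filtered

person:         RIP Mean
abuse-mailbox:  abuse@placeholder.invalid

route:          94.75.192.0/18
origin:         AS16265
"""

ATTR = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")


def parse_rpsl(text: str) -> list:
    """Blank-line separated objects; attribute -> list of values, since descr/remarks repeat."""
    objects, current = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last object
        if line.startswith("%"):             # server notices, not object data
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        m = ATTR.match(line)
        if m:                                # '#' starts an end-of-line comment in RPSL
            current.setdefault(m.group(1), []).append(m.group(2).split("#", 1)[0].strip())
    return objects


def abuse_summary(text: str) -> dict:
    """What an abuse report needs: assignment, holder, country, contact, origin AS."""
    first = lambda obj, key: obj.get(key, ["?"])[0]
    summary = {}
    for obj in parse_rpsl(text):
        if "inetnum" in obj:
            summary.update(inetnum=first(obj, "inetnum"), netname=first(obj, "netname"),
                           country=first(obj, "country"))
        if "abuse-mailbox" in obj:
            summary["abuse"] = first(obj, "abuse-mailbox")
        if "route" in obj:
            summary["origin_as"] = first(obj, "origin")
    return summary
```

Note that the country field describes the address holder's assignment, not the person at the keyboard; a hosting-provider netblock is exactly what a proxy or rented box would show.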
member
Activity: 61
Merit: 10
This whole situation brings, to my mind at least, a fair question: What can we do about this sort of thing when BC's entire basis is one of semi-anonymity? Block explorer ( http://blockexplorer.com/ ) provides some tools for tracking transactions.. perhaps a RiSKAPI of some sort for merchants? Flagging accounts with odd behaviors (though how would you define odd?)  I don't know myself, I'm simply tossing the idea out for discussion. As it stands though, even a RiSKAPI would be limited as one wallet.dat / user can contain many many keys.
vip
Activity: 1052
Merit: 1155
The IP address information was provided by the Admin from deepbit.
full member
Activity: 126
Merit: 101
It belongs to http://www.leaseweb.com/en

It's probably a proxy, tor node or a compromised box. I'd be looking for a tech savvy employee

Try writing to the admin
member
Activity: 61
Merit: 10
I just heard that:
The money was taken by someone logged in from:

94.75.217.249
"Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"

It shows up as being in Holland.

Any other ideas on how I could track this down any further?


Holland? Probably a proxy then. I'd really want to take a close look at the employees myself, as that looks like the most obvious route, and usually the most obvious is the most likely.
newbie
Activity: 9
Merit: 0
I just heard that:
The money was taken by someone logged in from:

94.75.217.249
"Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"

It shows up as being in Holland.

Any other ideas on how I could track this down any further?


Is this info from deepbit?
newbie
Activity: 9
Merit: 0
My deepbit password is now over 20 characters long with caps and symbols.
That just shortened the time to crack now didn't it?

How so?

Because now you don't have to waste time searching all the combinations between 1 and 20 characters.

Well, sure.  But you've still got to search through at least all the 20 character combinations and the password is longer than that so it's still a pretty big task.  But, yes, you're right, it'll take less time.  Less time to make a realistic difference?  Probably not.

80 bits is considered safe. 20 characters of letters+numbers make it 20*6=120 bits, an overkill (even if the attacker knows how many bits there are exactly).

That's what I thought, but, hey, apparently I'm a dummy for revealing this personal data on a public forum.

You shouldn't take this personally; in fact, you should be gracious. I was reminded to be more aware of accidentally revealing personal info online.
vip
Activity: 1052
Merit: 1155
I just heard that:
The money was taken by someone logged in from:

94.75.217.249
"Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"

It shows up as being in Holland.

Any other ideas on how I could track this down any further?
staff
Activity: 4284
Merit: 8808
I think you are right about this being my weakest link.

The deepbit screen hides the actual login password, but displays all the passwords for each worker in the client.
Until today,  we used the same password for both.
Multiple people (about ten) in the warehouse could have looked at the screen and noticed the username and password.
I think my only chance is by finding the IP address of the person who logged into my deepbit account.

Every worker is frequently sending their password in clear over the internet; anyone with access to sniff the network between you and the other end at any point can easily get it. Also, deepbit doesn't use https for the management screens either, so a similar (if somewhat reduced) risk exists there.

This is why services which have no accounts are good.


member
Activity: 82
Merit: 10
I don't know, but could this error I receive be related to this somehow?
There is nothing to steal in my account as my daily BTC is ~0.8-1.1, but I started to wonder because I can't access Deepbit :/


https://bitcointalksearch.org/topic/m.120901


And sorry if this is totally OT to this thread.