Topic: [ANN][EXCHANGE] Poloniex - Crypto Exchange with BTC/NXT - page 129. (Read 272544 times)

hero member
Activity: 966
Merit: 501
Poloniex doesn't work for me most of the time recently. Am I alone?
member
Activity: 98
Merit: 10
Yeah, it's an awesome exchange but nobody can run something so big alone man. You need to get a crew on board, a security specialist. Don't let your pride ruin the magic you have created! Smiley

member
Activity: 112
Merit: 10
Ok. How do you access your servers? Console access? That's not locked down via IP then either? So I can log in from anywhere in the world?

Yes, you can't stop bad system admins from making mistakes but you CAN also limit damage in other ways.  In this case maybe not, but without locking things down to known good IPs, you are missing a very basic security feature that can give a huge increase over not doing it.

So please, "Stop spreading garbage" as this was a basic query for information on how it could happen if network level firewall rules are in place, which they should be.

I VPN with both certificates & passwords, in some cases also with RSA. Never locked down to IP, so yes from anywhere in the world.

The culprit was able to fool an incompetent sys admin into allowing him access. Probably via console, yes, or by tearing down the firewall, changing the passphrase, etc. At this point we don't know if it was a dedicated or VPS.

Garbage might have been the wrong word. Please, stop fear mongering.

I was going to stay quiet in this, however seeing that you are trying to censor people who have legitimate concerns, and I happen to have a few BTC worth of coins on your exchange, I think it's time to say something.

#1. It's not "fear mongering" if he is speaking the truth; he is just asking questions/making statements that YOU don't like, therefore it's "FUD".
#2. You are too easily passing the blame on to the sys admin. Your site has already been hacked once and lost money, and you then ILLEGALLY created debt instruments to get back the money that your incompetence lost in the first place.
#3. Chiz is the guy that I talk to when I have a question about security for any of my sites, so if I were you I would be asking him for help or to tell you how he might fix an issue like this so it never happens again, not just calling him a "fear monger".

TL;DR, don't be a douchebag and listen when people ask you questions. You haven't learned from the last hack, so start learning now or shut down your exchange.
full member
Activity: 222
Merit: 101
Novus ordo seclorum
this sucks ass, no friday night trade action  Tongue
member
Activity: 70
Merit: 10
so sick!!!
I'm sure they want to hack XBC! WC and some other coins have been frozen for 2 days too.
fucking hackers! go to hell!
full member
Activity: 182
Merit: 100
Ok. How do you access your servers? Console access? That's not locked down via IP then either? So I can log in from anywhere in the world?

Yes, you can't stop bad system admins from making mistakes but you CAN also limit damage in other ways.  In this case maybe not, but without locking things down to known good IPs, you are missing a very basic security feature that can give a huge increase over not doing it.

So please, "Stop spreading garbage" as this was a basic query for information on how it could happen if network level firewall rules are in place, which they should be.

I VPN with both certificates & passwords, in some cases also with RSA. Never locked down to IP, so yes from anywhere in the world.

The culprit was able to fool an incompetent sys admin into allowing him access. Probably via console, yes, or by tearing down the firewall, changing the passphrase, etc. At this point we don't know if it was a dedicated or VPS.

Garbage might have been the wrong word. Please, stop fear mongering.
hero member
Activity: 574
Merit: 500
Anyways, sounds like maybe the box was brought up on a separate network without the firewall rules or maybe the user was given access to the entire account and not just a single box.


In the end all that matters is that our coins are safe.

But please do the above mentioned questions etc for account recovery and lock down all access to your accounts via associated IPs as well.

The bad guys will always find a way, but it's our job to make them work harder.
member
Activity: 98
Merit: 10
Can't...live...without...polo & trollboxxxx
sr. member
Activity: 446
Merit: 250
when do you expect to be back online?
hero member
Activity: 756
Merit: 500
Is the trollbox really just an irc chan we can join?  I need my fix and I'm pretty sure I'm not alone.

Screw it.. I made my own...  #polotrollbox

Nevermind... everyone seems to be gathering here:  #poloniextraders
full member
Activity: 182
Merit: 100
mugwampbro, I hear you, I really do. I haven't been able to duplicate the log-out issue, and I will change the Captcha. But I need to get the site running again first.

Let me ask you guys this -- is there any defense against incompetent systems administrators? They decided this guy was me. Are they going to say "sorry, you're locked out forever"?

Thank you... I figured you cared because you did at least ask all the trollers. I don't think it is a Firefox issue, because it doesn't happen to me on MP, c-cex or Bittrex.
legendary
Activity: 1386
Merit: 1023
Set up a protocol with your new host so that every time you want to enter recovery mode or anything of that nature, they MUST call you at the phone number you provided upon signup. And that phone number cannot ever be changed unless you provide payment details and the like. And if that phone number is changed, they must call the old one to make sure you changed it.

That would solve it. Well... it would if it was followed 100% of the time.

The only other solution would be on-site servers in your own offices or a locked cage at the datacenter, where there is a physical restriction to the servers. Which is obviously far more expensive.
hero member
Activity: 574
Merit: 500
Nobody else is concerned that this person was able to ssh to the server without firewall rules blocking him?  

Sounds like the only reason anyone even knew what was going on was due to the entire server being down and a bunch of wallets being offline.  

Who said anyone was able to SSH into the server without firewall rules blocking him? Stop spreading garbage.

What happened was an attacker used social engineering to gain root access to a wallet server. This was made possible by absolutely jaw-dropping negligence on the part of the hosting provider.

Ok. How do you access your servers? Console access? That's not locked down via IP then either? So I can log in from anywhere in the world?

Yes, you can't stop bad system admins from making mistakes but you CAN also limit damage in other ways.  In this case maybe not, but without locking things down to known good IPs, you are missing a very basic security feature that can give a huge increase over not doing it.

So please, "Stop spreading garbage" as this was a basic query for information on how it could happen if network level firewall rules are in place, which they should be.
full member
Activity: 182
Merit: 100
Nobody else is concerned that this person was able to ssh to the server without firewall rules blocking him?  

Sounds like the only reason anyone even knew what was going on was due to the entire server being down and a bunch of wallets being offline.  

Who said anyone was able to SSH into the server without firewall rules blocking him? Stop spreading garbage.

What happened was an attacker used social engineering to gain root access to a wallet server. This was made possible by absolutely jaw-dropping negligence on the part of the hosting provider.
sr. member
Activity: 364
Merit: 250
Owner of Poloniex
mugwampbro, I hear you, I really do. I haven't been able to duplicate the log-out issue, and I will change the Captcha. But I need to get the site running again first.

Let me ask you guys this -- is there any defense against incompetent systems administrators? They decided this guy was me. Are they going to say "sorry, you're locked out forever"?
full member
Activity: 182
Merit: 100
Nobody else is concerned that this person was able to ssh to the server without firewall rules blocking him?  

Sounds like the only reason anyone even knew what was going on was due to the entire server being down and a bunch of wallets being offline.  
Unfortunately Busoni will probably not be able to give the exact details, except that he "caught" it and it never went down as the attacker hoped. You cannot show all your cards, as of course hackers read all this that we write.

Usually in a security situation the site owner cannot say anything at all.

Way to skirt the question.  The explanation given does not make any sense if they are really using proper firewall rules for server access.  All I can read from this as a security expert is that the SSH port of the wallet server has been open to the entire world this whole time.

good answer
full member
Activity: 182
Merit: 100
Constantly having to sign in if you leave the page for a minute or two. Oh, and that sign-in Craptcha.

Odd, never usually get logged out. Captcha takes about 5s  Roll Eyes


It would be ok if they at least gave you the option "keep me logged in for ____ mins."

Make a suggestion to one of the mods in trollbox or email it; Busoni is always open to new ideas.

Tried that already... a couple of guys commented about their hate for the captcha. Busoni was on and asked everyone about the log-off problem but no one was interested in answering... coins to talk about, ya know. Then Busoni went back to trolling, so I said fuck it Wink

Support said: we've never had anyone complain about a log-off problem. So I suggested they put up a poll for... log off/captcha problem, and never heard back.
hero member
Activity: 574
Merit: 500
Nobody else is concerned that this person was able to ssh to the server without firewall rules blocking him?  

Sounds like the only reason anyone even knew what was going on was due to the entire server being down and a bunch of wallets being offline.  
The provider, as most providers do, allowed booting into "recovery mode." They did this first via support tickets, then got on the phone to get the password reset. Ordinarily, firewalls are up at all times on all servers.

So you are confirming that there are no network level protections in place?  You are relying solely on the host firewall?  Or did the provider also bring down the network level firewall for this user?
hero member
Activity: 574
Merit: 500
Nobody else is concerned that this person was able to ssh to the server without firewall rules blocking him?  

Sounds like the only reason anyone even knew what was going on was due to the entire server being down and a bunch of wallets being offline.  
That is a good point, the sshd_config should be locked down.

Password authentication should be turned off immediately. Shell keys should be used otherwise _YOU HAVE ZERO SECURITY_.

I love Poloniex and Busoni, Angela, all of them, but seriously guys, a wallet server that you do not own means the host always has root access.

Either you own the server and co-locate, which isn't happening right now, or someone else owns the server and co-locates and you rent it from them, which is what is happening right now.

They will ALWAYS have a backdoor into the server, they have to since they own it. I work for a webhost and this is exactly how we (and all others) have to do it.

So, you need to turn off password authentication in sshd_config, and turn off root login too. Set up an account in the wheel group (su privileges) and create shell keys for that user. Log in as that user with your shell keys and su to root. Your host will have to do the same thing if they log in for tech support.

I hope this helps.

Well that's a good start but seriously, the entire internet shouldn't be able to get that far; that's what firewalls are for. The firewall should have SSH access locked to only the IPs of personnel who should be accessing it.
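The sshd hardening steps in the post above (password authentication off, root login off, key-based login as a wheel-group user) as a check a defender can run against a config file before the box goes live. This is an added example, not code from the thread or from Poloniex; the two sshd_config files are constructed samples, the assumed defaults are those of current OpenSSH, and the AllowGroups and Match lines in the hardened sample are illustrative assumptions rather than anything the post specifies.

```sh
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the three
# settings the post asks for. Only the global section (before any Match
# block) is evaluated, because Match sub-blocks apply conditionally.

# Print the effective value of one directive. sshd takes the FIRST
# occurrence of a keyword, matches keywords case-insensitively, accepts
# "Key value" or "Key=value", and ignores blank and comment lines.
sshd_value() {
    # $1 = config file, $2 = keyword, $3 = assumed default if the keyword is absent
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comment or blank
        { gsub(/=/, " ") }                                 # normalise Key=value
        tolower($1) == "match" { exit }                    # stop at conditional blocks
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# Compare one directive against the required value; print a verdict line
# and return 1 on a mismatch so the caller can count failures.
check_directive() {
    # $1 = config file, $2 = keyword, $3 = assumed default, $4 = required value
    val=$(sshd_value "$1" "$2" "$3")
    if [ "$val" = "$4" ]; then
        echo "OK:   $2 = $val"
        return 0
    fi
    echo "FAIL: $2 = $val (want $4)"
    return 1
}

# Run all checks; the return code is the number of failing directives
# (0 means the file meets every check the post asks for).
audit_sshd_config() {
    fails=0
    check_directive "$1" PasswordAuthentication yes               no  || fails=$((fails + 1))
    check_directive "$1" PermitRootLogin        prohibit-password no  || fails=$((fails + 1))
    check_directive "$1" PubkeyAuthentication   yes               yes || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample configs (written to a temp dir so this runs offline).
TMPD=$(mktemp -d)
WEAK_CONF="$TMPD/sshd_config.weak"
HARD_CONF="$TMPD/sshd_config.hardened"

# Weak: root may log in with a password, and the commented-out line leaves
# PasswordAuthentication at its default of yes.
cat > "$WEAK_CONF" <<'EOF'
Port 22
PermitRootLogin=yes
#PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

# Hardened: keys only, no root, admins come in via the wheel group and su.
# The Match block (an assumption for illustration) re-enables passwords
# for one account only; it must not change the global verdict.
cat > "$HARD_CONF" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups wheel
Match User deploy
    PasswordAuthentication yes
EOF

for cfg in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $cfg"
    if audit_sshd_config "$cfg"; then
        echo "PASS: all checked directives hardened"
    fi
done
```

As the post itself points out, none of this constrains a provider who can boot the machine into recovery mode and reset the password: the audit only narrows what can be done against sshd over the network. The firewall allowlist the reply asks for is a separate, network-level control that a config audit cannot confirm.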
sr. member
Activity: 364
Merit: 250
Owner of Poloniex
Nobody else is concerned that this person was able to ssh to the server without firewall rules blocking him?  

Sounds like the only reason anyone even knew what was going on was due to the entire server being down and a bunch of wallets being offline.  
The provider, as most providers do, allowed booting into "recovery mode." They did this first via support tickets, then got on the phone to get the password reset. Ordinarily, firewalls are up at all times on all servers.