Pages:
Author

Topic: Are these attacks preventable? (Read 1368 times)

legendary
Activity: 2128
Merit: 1073
May 27, 2015, 06:32:37 PM
#21
This is called security by obscurity. It works until it doesn't, and the guy happens to know how to work that system. Does it make you safer? Maybe. Is it worth your time doing this compared to other measures? Probably not.

It's probably safer to know how to secure Linux than to use a system you are not familiar with.
You are actually completely wrong. Those systems are significantly safer for two reasons:

1) they are (AIX & Solaris) or support (HP/UX with their PA/RISC emulation) big-endian binaries which for some strange but reproducible reasons seem to confound the vast majority of hackers/crackers and other mediocre programmers.

2) they are targeted for psychologically mature customers with stable requirements and not beholden to chasing most recent advance, change, regression, marketing trick of Microsoft, Google, and many others.

Definitely there's a component of obscurity in their safety, but it is a good obscurity, not a marketing euphemism for weak secrecy.

The true, large scale, hacking statistics are hard to come by. I believe the F5 Networks has the best statistics gathered through their application delivery appliances. But their keep it secret besides disclosing a little in their configuration examples how to remap the HTTP server names & fingerprints to trip up automated & scripted hacking tools.
hero member
Activity: 658
Merit: 500
May 27, 2015, 06:17:23 PM
#20
2) use non-commodity hardware like Oracle SPARC or IBM POWER or HP Integrity/Itanium.  Then even if they manage to steal it they most likely will not be able to get the data off of it without specialized assistance.

Edit: Also, don't run Linux on those machines, but their native OS: Solaris, AIX, HP/UX respectively.


This is called security by obscurity. It works until it doesn't, and the guy happens to know how to work that system. Does it make you safer? Maybe. Is it worth your time doing this compared to other measures? Probably not.

It's probably safer to know how to secure Linux than to use a system you are not familiar with.
full member
Activity: 138
Merit: 100
May 27, 2015, 02:54:24 PM
#19
Preventable? maybe not.... epicly diverted by theymos? apparettly yes Grin Grin Grin

serious tho... social engineering is screwd up Cheesy it always seems to work and people don't have any real security measures for it...... everyone thinks everyone is trustable
legendary
Activity: 1666
Merit: 1185
dogiecoin.com
May 27, 2015, 02:31:32 PM
#18
Maybe with a single forum rules you can discourage the forum account buying/selling (but a lot of censorship is not really a good thing, but if the forum is always attacked ... the things *must* change).

The forum *is* under constant attack, but the only attacks you hear about are the ones you get through. Then Theymos gets blamed, not praised for the 500 he thwarted passively.
legendary
Activity: 1778
Merit: 1043
#Free market
May 27, 2015, 01:03:28 PM
#17
because banning their sale wouldn't stop it from going on

That's like saying: We don't ban child porn, because there will always be pedophiles.

You can't prevent anything completely , but you can reduce the bad impact and stop it from happening on your forum.

Woow, really nice point of view... now I think the things should change here in the forum (only for a question of security, nothing else).


...
This is true, but how much time would it take to really monitor all account sales?  You would need at least one full time position to do this.  Maybe the forum staff feel that their time is better spent elsewhere?

Maybe with a single forum rules you can discourage the forum account buying/selling (but a lot of censorship is not really a good thing, but if the forum is always attacked ... the things *must* change).
full member
Activity: 279
Merit: 132
Beefcake!!!
May 27, 2015, 09:05:21 AM
#16
because banning their sale wouldn't stop it from going on

That's like saying: We don't ban child porn, because there will always be pedophiles.

You can't prevent anything completely , but you can reduce the bad impact and stop it from happening on your forum.

This is true, but how much time would it take to really monitor all account sales?  You would need at least one full time position to do this.  Maybe the forum staff feel that their time is better spent elsewhere?
copper member
Activity: 2996
Merit: 2374
May 26, 2015, 07:55:56 AM
#15

Pretty much all attacks are preventable. The real question is was the recent attack reasonably able to be anticipated?
And at what cost. Without anyone knowing the details we can probably guess that having the equipment in its own, isolated, security facility, behind armed guards and no remote administrative access would likely have prevented this issue (and many others-- since the site would probably be down most of the time ... Smiley ) but that kind of cost is hardly justified for the forum.
I believe that in the post that theymos made prior to moving the forum to a new data center that the server that hosts the DB is now using FDE that would have prevented this attack, although the Google cash of the thread has since been overwritten so I can't see what exactly he wrote.

Sure, you can spend exorbitant amounts of money on security to prevent *all* possible attacks however doing so would probably be defending against attacks that will never materialize. If you can reasonably anticipate what an attacker is going to try then you can make your security budget more reasonable.

One thing that could have prevented the attack would be the data center refusing to reset the password for say 24 hours after receiving a request to do so (and to send out a notification of a password reset request in the meantime). This would have allowed theymos to become aware of the situation prior to the attacker gaining access to the server although it could mean that we would have 24 hours of downtime in the event that theymos ever looses his password.
global moderator
Activity: 4018
Merit: 2728
Join the world-leading crypto sportsbook NOW!
May 26, 2015, 07:41:28 AM
#14
Ponzis are ok but selling accounts isn't? Selling accounts is allowed because banning their sale wouldn't stop it from going on, but this has been discussed to death and just goes round and round. Just do a search for the many other threads.
legendary
Activity: 1036
Merit: 1001
/dev/null
May 26, 2015, 07:37:40 AM
#13
^^ this.

"ponzi" section is somehow ok, because at least all of this shit is concentrated on one subsection and they are not even trying to infect other sections.

but I really dunno, why is officially enabled here to sell and buy accounts, even hero/legendary with years of history and green trust.
legendary
Activity: 1036
Merit: 1001
/dev/null
May 26, 2015, 06:09:09 AM
#12
It's hard if not impossible to protect against social engineering.

uhh? all depends, how much money you want to spend to train personal and invest to security..
legendary
Activity: 2128
Merit: 1073
May 26, 2015, 04:24:49 AM
#11
Easily preventable on two levels:

1) collocate your own equipment in a remote data center. The customer service staff will simply have no access to it besides being able to press buttons on the box.

2) use non-commodity hardware like Oracle SPARC or IBM POWER or HP Integrity/Itanium.  Then even if they manage to steal it they most likely will not be able to get the data off of it without specialized assistance.

Edit: Also, don't run Linux on those machines, but their native OS: Solaris, AIX, HP/UX respectively.
full member
Activity: 279
Merit: 132
Beefcake!!!
May 26, 2015, 03:37:53 AM
#10
The intelligence and creativity of the best hackers astounds me.  I hate to say it but as soon as one hole is plugged another will be opened.  One way or another any website with a target on its back will be hacked.  I don't think its possible to prevent it 100% of the time.

I am not saying that this is a particularly creative or intelligent attack, as I do not really know the details.
sr. member
Activity: 366
Merit: 250
May 26, 2015, 03:33:18 AM
#9
It's impossible to protect yourself 100% and there's always weaknesses and vulnerabilities and things that can be cleverly bypassed. Even 2-factor isn't foolproof. A hacker could call your mobile phone provider if he got enough details and convince them that your phone was stolen or whatnot and to block the phone and send a new sim to his address or something. Similar things have happened before. You can also reset things like google auth so nothing is ever watertight its just about minimizing risk and keeping yourself protected as much as you can.
hero member
Activity: 1064
Merit: 505
May 26, 2015, 03:07:13 AM
#8
Obviously is not, its impossible. Im sure you know a lot of cases of way bigger companies getting hacked and when i say way bigger i mean the biggest, for fuck sake even NASA got hacked by a kid. Its plain impossible to prevent such thing if someone skilled enough is willing to do attack the forum.
legendary
Activity: 1456
Merit: 1000
May 26, 2015, 02:53:58 AM
#7
Bitcointalk is pretty important to the crypto community.  Were these attacks preventable?

It's hard if not impossible to protect against social engineering.

Not _that_ hard.

"Please do not perform any actions on my account without a signed PGP message".

Didn't you claim to be the victim of a hack yourself, before disappearing with thousands of coins?   Roll Eyes

It's impossible to prevent against social engineering.  A sympathetic moron will always do the wrong thing.

It should be preventable but as long as a human is involved i agree it is always possible sadly.  I mean we really don't know if there was a inside man, a idiot worker, etc.

Whoever on data center side who helped should be fired.  I did user provisioning for a while as part of a job I had.  If you could not be verified 100 percent I did not give access.   It was not fun telling anyone but especially someone they would have to wait... but I did it. 

It was a massive company not a data center though.  So security for on accounts with there being company secrets, private info, internal figures, etc was treated very serious.
staff
Activity: 4284
Merit: 8808
May 26, 2015, 01:28:43 AM
#6
"Please do not perform any actions on my account without a signed PGP message".
These instructions are routinely ignored, seen it myself many times.  They either don't see it at all and just follow the ordinary procedure or are easily convinced by things like "but that key is _on_ that server and by other backup was erased, thats why I need in!" Of course, actual users do things like this-- which is part of why the social engineering works so well.  Even if it doesn't fail that way, they'll likely use the age old xkcdmethod for verifying the signature.

Of course, maybe if someone can't even pull off sounding like a competent adult on the phone; then perhaps they'll have a harder time convincing a facilities operator to do the wrong thing.  I understand in this case the attacker(s) came off as barely literate. (but again, since plenty of legitimate customers are barely literate...)

Pretty much all attacks are preventable. The real question is was the recent attack reasonably able to be anticipated?
And at what cost. Without anyone knowing the details we can probably guess that having the equipment in its own, isolated, security facility, behind armed guards and no remote administrative access would likely have prevented this issue (and many others-- since the site would probably be down most of the time ... Smiley ) but that kind of cost is hardly justified for the forum.
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
May 25, 2015, 09:18:44 PM
#5
Bitcointalk is pretty important to the crypto community.  Were these attacks preventable?

It's hard if not impossible to protect against social engineering.

Not _that_ hard.

"Please do not perform any actions on my account without a signed PGP message".

Didn't you claim to be the victim of a hack yourself, before disappearing with thousands of coins?   Roll Eyes

It's impossible to prevent against social engineering.  A sympathetic moron will always do the wrong thing.
copper member
Activity: 2996
Merit: 2374
May 25, 2015, 09:15:03 PM
#4
Pretty much all attacks are preventable. The real question is was the recent attack reasonably able to be anticipated? Until theymos can figure out what exactly happened that allowed who was potently TF access to the KVM then it will be difficult to know if the attack could reasonably be anticipated. 
vip
Activity: 1316
Merit: 1043
👻
May 25, 2015, 09:08:19 PM
#3
Bitcointalk is pretty important to the crypto community.  Were these attacks preventable?

It's hard if not impossible to protect against social engineering.

Not _that_ hard.

"Please do not perform any actions on my account without a signed PGP message".
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
May 25, 2015, 09:06:03 PM
#2
Bitcointalk is pretty important to the crypto community.  Were these attacks preventable?

It's hard if not impossible to protect against social engineering.
Pages:
Jump to: