Topic: Ask TF thread - page 5. (Read 21608 times)

legendary
Activity: 826
Merit: 1004
January 15, 2015, 10:52:02 AM
Yeah, there is definitely some sort of connection between TradeFortress and Hashie and I'd like to hear his explanation too.
newbie
Activity: 54
Merit: 0
January 14, 2015, 08:30:45 PM
Do you have any idea who the hacker could have been?

At this point I don't have much to go on. The only thing that stands out is that this email had to deal with the inputs.io hack. There are chat logs that are pretty much one-sided, in that they all seem to be from TradeFortress. In the chat logs there is a person called crypt0queen, which would probably fit the whole Frozen thing. It boils down to two things: 1. we either believe that inputs.io was breached and that TradeFortress didn't hack it himself, or 2. that he was the victim of social engineering and had all of his shit compromised. The log is found here: http://btcfaucet.com/logs/TradeFortress_inputsio.txt

09:10 < TradeFortress> hi
09:12 < TradeFortress> I take full responsibility for leaving that much in the hot wallet.
09:13 < TradeFortress> The hacker tried resetting passwords for my email addresses, and was able to reset one which was created 6 years earlier, without phone / recovery email and gmail happily allowed resetting.
09:14 < TradeFortress> That compromised email account was the recovery for another hotmail email, which was also compromised.
09:15 < TradeFortress> BigBitz|wrk, read please.
09:15 < TradeFortress> I didn't use the old email account without MFA
09:15 < TradeFortress> That old email acc was the recovery email of another account
09:15 < TradeFortress> @gmail > @hotmail > @gmail (2, recv'd forwarding from [email protected])
09:16 < TradeFortress> BigBitz|wrk: yes
09:16 < TradeFortress> linode 2FA was bypassed
09:16 < TradeFortress> they seem to be aware of it and don't bother to fix it.
09:16 < TradeFortress> BigBitz|wrk: yes
09:17 < TradeFortress> the attacker also used a (compromised?) server close to my geographical location
09:17 < TradeFortress> I think that helped massively with email recovery
09:18 < TradeFortress> pbase: no. I want to be open and communicative about what has happened.
09:19 < TradeFortress> BigBitz|wrk: I took significant efforts in protecting Inputs' server, but I've never thought about old abandoned emails.
09:20 < TradeFortress> BCB: What do you want me to do then? Invent a magic wand?
09:20 < TradeFortress> I'm refunding as much as I can from all the BTC I have, and the assets I or CL owns.
09:21 < TradeFortress> 9536feebe3a50b94f85ca27d56e669a7209bd4188385d55c5b97227c95cf7f74
09:21 < TradeFortress> BTC was sent here, it's still unspent. https://blockchain.info/address/1EMztWbGCBBrUAHquVeNjWpJKcB8gBzAFx
09:24 < TradeFortress> Quite simply, I wasn't sure what to do, if I could acquire 4K btc so users are not at a loss, and as well as investigating the scope of the hack.
09:25 < TradeFortress> *sign*
09:26 < TradeFortress> BigBitz|wrk: the txid was the first inputs hack
09:26 < TradeFortress> the API was the second, done by the same attacker who dumped the user DB, and then used the API
09:27 < TradeFortress> TheButterZone, I can't see how that'd hurt.
09:28 < TradeFortress> bitsav3: 2x gmail, 1x hotmail
09:30 < TradeFortress> bitnumus, if you check the txid lots of deposits are recent
09:32 < TradeFortress> bitnumus: yes, there's cold storage, but there was more in the hot pocket than cold storage
09:34 < TradeFortress> viboracecata?
09:35 < TradeFortress> theboos, I'm very interested in what security vulns viboracecata claims to have on Inputs.
09:35 < TradeFortress> so has he followed up with the claim? and how long ago?
09:36 < TradeFortress> I'm not aware of any unsolved security vulnerabilities relating to Inputs' code and environment, other than the DB has been compromised. The attack was done through email resets and bypassing security features on Linode's side.
09:37 < TradeFortress> 2FA
09:38 < TradeFortress> BCB: no.
09:38 < TradeFortress> web server was bought from Linode, bitcoind server was on macminicolo
09:38 < TradeFortress> (I own the metal to the macminicolo)
09:39 < TradeFortress> crypt0queen: that's what was used
09:39 < TradeFortress> it wasn't compromised through a server vuln
09:40 < TradeFortress> Linode's position is that my account was not compromised. The attacker simply reset my Linode password through an email request, and then ssh'd into Linode's lish, and got console access to my Linode through lish with my linode account password.
09:40 < TradeFortress> linode lets you reset root passwords..
09:42 < TradeFortress> the attacker copied certain files via FTP using mc, to another (I believe compromised) server, and accessed the bitcoind server by pretending to make withdrawal requests for an account with an inflated balance
09:42 < TradeFortress> BigBitz: NO
09:42 < TradeFortress> FTP WAS NOT ENABLED
09:42 < TradeFortress> yes
09:43 < TradeFortress> I have obtained the logs
09:43 < TradeFortress> (through Linode)
09:43 < TradeFortress> attacker installed mc
09:43 < TradeFortress> transferred files to 10;[email protected]:[email protected]
09:43 < TradeFortress> BigBitz|wrk: yes, internal ones
09:45 < TradeFortress> BigBitz|wrk, multiple files that relates to internal functions of Inputs, ie the controller.
09:46 < TradeFortress> I have no evidence of the bitcoind mac mini getting compromised. it didn't bark. I suspect the attacker also made one account have -4000 BTC
09:46 < TradeFortress> which allowed it to pass sanity checks
09:46 < TradeFortress> as the total balance as reported by the db matched.
09:46 < TradeFortress> BigBitz|wrk: I have the logs of what they did to the server.
09:47 < TradeFortress> on the server, via lish, I should say.
09:47 < TradeFortress> theboos: did it directly through the DB
09:47 < TradeFortress> wasn't logged.
09:47 < TradeFortress> as it copied DB access creds
09:48 < TradeFortress> BigBitz|wrk: not on the database
09:48 < TradeFortress> bitsav3, I think they're compromised hosts
09:48 < TradeFortress> like http://mastersearching.com/
09:48 < TradeFortress> theboos, of course I've audited the db
09:49 < TradeFortress> the DB doesn't log every single change
09:50 < TradeFortress> general_log wasn't enabled
09:50 < TradeFortress> nor binary logs
09:51 < TradeFortress> +infinity
09:53 < TradeFortress> BCB: it's not enabled.
09:54 < TradeFortress> I didn't disable them, I'm pretty sure they're not enabled by default.
09:55 < TradeFortress> yup BCB
09:55 < TradeFortress> coingenuity, yes, macmini bitcoind iplocked to the web linode
09:55 < TradeFortress> that's a surprise to me
09:56 < TradeFortress> pbase: no, I have saved disk images as soon as I detected the compromise
09:56 < TradeFortress> yep
09:56 < TradeFortress> BigBitz|wrk: installed the env myself.
09:57 < TradeFortress> pbase: definitely not publicly. I'd expect there to be quite a lot of sensitive information in RAM, such as cached mysql data.
09:58 < TradeFortress> actually, no, I didn't do a ram dump.
09:58 < TradeFortress> but the disk image includes db data
09:59 < TradeFortress> I am not aware of if it was forensically sound. I estimate not.
09:59 < TradeFortress> The disk image was dumped via cloning using linode manager.
09:59 < TradeFortress> took like half an hour too
10:01 < TradeFortress> no, not booted
10:01 < TradeFortress> it was cloned to another linode that has not been booted
10:01 < TradeFortress> another as in brand new.
10:02 < TradeFortress> first of all, I'll have to figure out how to transfer the disk image
10:03 < TradeFortress> then I'll have to boot the disk image and remove the db files?
10:04 < TradeFortress> user DB is sorta sensitive. while passwords are hashed w/ bcrypt, PINs are exposed, and there's emails
10:05 < TradeFortress> theboos, that sounds like a good idea
10:05 < TradeFortress> BCB: password reset for my emails, linode, yes.
10:06 < TradeFortress> bitsav3, I will
10:06 < TradeFortress> BCB: they're like typical resets, what do you want to see?
10:07 < TradeFortress> http://i.imgur.com/sQnXsx0.png
10:07 < TradeFortress> the second time the attacker tried to get in
10:08 < TradeFortress> apisnetworks (my shared host, attacker thought there was something useful in here)
10:09 < TradeFortress> pastebin?
10:09 < TradeFortress> http://pastebin.com/J7S9xWyT
10:10 < TradeFortress> BigBitz|wrk: yep, there was one from Oct 23 that I can't now find for some reason.
10:10 < TradeFortress> BigBitz|wrk: hence 'the second time'.
10:10 < TradeFortress> right
10:11 < TradeFortress> BigBitz|wrk: where did you get the impression that I 'didn't do anything'?
10:11 < TradeFortress> I didn't just disregard the password reset email, especially since I couldn't login to linode again
10:11 < TradeFortress> second reset was mine, to regain access
10:12 < TradeFortress> BCB: no
10:12 < TradeFortress> BigBitz|wrk: what?
10:12 < TradeFortress> look at the screenshot
10:12 < TradeFortress> look at the screenshot
10:12 < TradeFortress> how many emails do you see
10:12 < TradeFortress> 2
10:12 < TradeFortress> 1st one: second time attacker tried to get access
10:12 < TradeFortress> 2nd one: me regaining access
10:15 < TradeFortress> glados.cc is powered by google apps
10:15 < TradeFortress> btcfaucet, tried pass resets
10:16 < TradeFortress> btcfaucet, I do not know what they performed, I do not remember the answer to security questions myself.
10:16 < TradeFortress> BigBitz|wrk: when you have shell access you can easily disable that.
10:16 < TradeFortress> BCB: k
10:16 < TradeFortress> duh
10:17 < TradeFortress> with gmail account, I recovered access simply by entering my old (changed) password
10:17 < TradeFortress> probably due to that I usually sign in from that device
10:17 < TradeFortress> BCB: http://pastebin.com/MhKTa5zN
10:19 < TradeFortress> BCB: show original > I see this.
10:19 < TradeFortress> bitcoind was dedi, I own the metal to it.
10:19 < TradeFortress> web was xen
10:20 < TradeFortress> BCB: tell me how.
10:20 < TradeFortress> just like the apisnetworks?
10:20 < TradeFortress> I'm accessing it the same way
10:20 < TradeFortress> 'Show Original'
10:21 < TradeFortress> BCB: I copied the entirety
10:21 < TradeFortress> understatement :p
10:23 < TradeFortress> http://i.imgur.com/H0NEeI7.png
10:24 < TradeFortress> for the linode
10:25 < TradeFortress> balances were signed because it's POSSIBLE that someone would have a negative balance on inputs
10:25 < TradeFortress> but in normal operation it shouldn't
10:25 < TradeFortress> btcfaucet, that won't work because the mini does some sanity checking, such as SUM(balance)
10:26 < TradeFortress> stqism: no
10:26 < TradeFortress> whitelisted
10:28 < TradeFortress> BCB: they are.
10:28 < TradeFortress> you asked for the second email
10:28 < TradeFortress> I sent you the original (as exposed by mail.google.com) and pastebinned & screenshotted it.
10:29 < TradeFortress> stqism: I thought tcp packets with a faked source won't be accepted.
10:30 < TradeFortress> BCB: haven't I already told this twice
10:30 < TradeFortress> the email, on the top, was the attacker's 2nd reset
10:30 < TradeFortress> then I was unable to login, so I had to reset it again
10:30 < TradeFortress> you asked for the SECOND
10:30 < TradeFortress> so I sent you the SECOND
10:30 < TradeFortress> ie the one at the bottom
10:31 < TradeFortress> you want the one on the top? ask for the FIRST then.
10:31 < TradeFortress> go look at the screenshots
10:31 < TradeFortress> BCB: of?
10:31 < TradeFortress> have you looked at the screenshot
10:31 < TradeFortress> look at the SECOND email because you asked for the 2nd's original.
10:32 < TradeFortress> check the scrollback
10:32 < TradeFortress> it's this, http://i.imgur.com/sQnXsx0.png, correct?
10:35 < TradeFortress> BigBitz|wrk: not after this.
10:35 < TradeFortress> BigBitz|wrk: to?
10:36 < TradeFortress> BigBitz|wrk: I exercise my right to reject it.
10:36 < TradeFortress> BCB: then why don't you ask.
10:38 < TradeFortress> http://i.imgur.com/pCtanaU.png
10:38 < TradeFortress> ever realize I might be screenshotting and uploading?
10:38 < TradeFortress> coingenuity, yep
10:39 < TradeFortress> BigBitz|wrk: gmail uses local time zones
10:39 < TradeFortress> BCB: did I? that's the full email.
10:41 < TradeFortress> kk, I've spent 1.5 hours or so here now.
10:42 < TradeFortress> I have another hundred emails to handle for Inputs.io
10:42 < TradeFortress> email me at [email protected] if you want to contact me, I'll try and pop in tomorrow.
10:43 < TradeFortress> what is wrong with you BCB
10:43 < TradeFortress> do you need glasses
10:43 < TradeFortress> they are different emails
10:44 < TradeFortress> BCB: post them, show where it was the same timestamp
10:48 < TradeFortress> BCB: nothing useful on apisnetworks
10:48 < TradeFortress> most you could do is change the index.html on http://glados.cc/!
19:35 <@gribble> TradeFortress was last seen in #bitcoin-otc 8 hours, 46 minutes, and 30 seconds ago: most you could do is change the index.html on http://glados.cc/!

*update looks like hashie had control of email since it was started https://code.google.com/p/chromium/issues/detail?id=429395

Security: Window.opener bypasses same origin policy
Status:     WontFix
Owner:    ----
Closed:     Nov 2
Type-Bug-Security


Reported by [email protected], Oct 31, 2014

VULNERABILITY DETAILS
Opened windows (through normal hrefs with target="_blank") can modify window.opener.location and replace the parent webpage with something else, even on a different origin (bypassing same origin policy).

While this doesn't allow script execution, it does allow phishing attacks that silently replace the parent tab (which a user already mentally trusts).

window.opener.location should not be modifiable if on a different origin.

VERSION
Chrome Version: 37.0.2062.94 + stable
Operating System: Ubuntu

REPRODUCTION CASE

https://hashie.co/chrome/demo.html

That could have been someone completely different just using that as their username there. It's not though. It is TradeFortress as the same user made an earlier post here:

Quote
Oct 16, 2013
#2 [email protected]

I am also experiencing this bug on my website, https://coinchat.org .

So, there's now a definite link between TradeFortress and hashie. Interesting.
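
The sanity check TradeFortress describes in the log above (the bitcoind host accepting withdrawals as long as SUM(balance) in the web database still added up) is worth modelling, because it shows exactly why one row set to -4000 BTC lets an inflated account through. The following is an added example written for this page, not inputs.io code: the table and column names, the account ids and the seed deposits are constructed, and amounts are integers in satoshi. It runs the aggregate-only check and a per-account reconciliation before and after the two UPDATEs an attacker holding the copied DB credentials could issue:

```python
"""Added example: an aggregate-only balance check versus per-account reconciliation.

Models the check described in the IRC log (the bitcoind host only verified that
SUM(balance) in the web database still matched) and the tampering that defeats it.
Not inputs.io code: table names, columns and account ids are assumptions, and the
seed data is constructed. Amounts are integers in satoshi.
"""
import sqlite3

SAT = 100_000_000  # satoshi per BTC

SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL);
CREATE TABLE ledger  (account_id INTEGER NOT NULL, delta INTEGER NOT NULL);
"""

# Constructed seed: three funded users and one empty account (the attacker's).
SEED_DEPOSITS = [(1, 100 * SAT), (2, 50 * SAT), (3, 20 * SAT), (4, 0)]


def new_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for acct, amount in SEED_DEPOSITS:
        con.execute("INSERT INTO accounts (id, balance) VALUES (?, ?)", (acct, amount))
        if amount:
            con.execute("INSERT INTO ledger (account_id, delta) VALUES (?, ?)", (acct, amount))
    con.commit()
    return con


def total_balance(con):
    return con.execute("SELECT COALESCE(SUM(balance), 0) FROM accounts").fetchone()[0]


def aggregate_check(con, hot_wallet_balance):
    """The check from the log: pass as long as the aggregate still adds up."""
    return total_balance(con) == hot_wallet_balance


def reconciled_check(con, hot_wallet_balance):
    """Aggregate check plus two invariants the tampering breaks."""
    if total_balance(con) != hot_wallet_balance:
        return False, "aggregate does not match hot wallet"
    negative = [r[0] for r in con.execute("SELECT id FROM accounts WHERE balance < 0")]
    if negative:
        return False, f"negative balance on account(s) {negative}"
    drift = [r[0] for r in con.execute("""
        SELECT a.id
        FROM accounts a
        LEFT JOIN (SELECT account_id, SUM(delta) AS total FROM ledger GROUP BY account_id) l
               ON l.account_id = a.id
        WHERE a.balance != COALESCE(l.total, 0)
    """)]
    if drift:
        return False, f"balance disagrees with ledger on account(s) {drift}"
    return True, "ok"


def tamper(con, victim, attacker, amount):
    """What someone holding the copied DB credentials can do directly: two UPDATEs,
    no application code path, nothing in the application log, aggregate unchanged."""
    con.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, attacker))
    con.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, victim))
    con.commit()


def demo():
    """Returns ((aggregate, reconciled) before tampering, (aggregate, reconciled) after)."""
    con = new_db()
    hot_wallet = total_balance(con)  # what bitcoind actually holds: 170 BTC
    before = (aggregate_check(con, hot_wallet), reconciled_check(con, hot_wallet)[0])
    tamper(con, victim=3, attacker=4, amount=4000 * SAT)  # the -4000 BTC row from the log
    after = (aggregate_check(con, hot_wallet), reconciled_check(con, hot_wallet)[0])
    return before, after


if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False))
```

The caveat is in the log itself: the attacker had the DB credentials, so a reconciliation against a ledger table only helps if that ledger lives somewhere the web host cannot rewrite (on the bitcoind side, or in an append-only store) and if the signing host refuses any withdrawal that would take a single account negative. Against an attacker who can write two rows, an aggregate-only check is no check at all.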

newbie
Activity: 3
Merit: 0
January 14, 2015, 07:40:30 PM
Do you have any idea who the hacker could have been?
newbie
Activity: 54
Merit: 0
January 14, 2015, 07:21:21 PM
Got any new projects which might gain some of your reputation back?

apparently hashie
https://code.google.com/p/chromium/issues/detail?id=429395

Security: Window.opener bypasses same origin policy    
Status:     WontFix
Owner:    ----
Closed:     Nov 2
Type-Bug-Security


Reported by [email protected], Oct 31, 2014

VULNERABILITY DETAILS
Opened windows (through normal hrefs with target="_blank") can modify window.opener.location and replace the parent webpage with something else, even on a different origin (bypassing same origin policy).

While this doesn't allow script execution, it does allow phishing attacks that silently replace the parent tab (which a user already mentally trusts).

window.opener.location should not be modifiable if on a different origin.

VERSION
Chrome Version: 37.0.2062.94 + stable
Operating System: Ubuntu

REPRODUCTION CASE

https://hashie.co/chrome/demo.html

Oct 31, 2014
#1 [email protected]

Thanks for the report, but the repro doesn't seem to be working on Chrome 38 on Linux. Could you try reproducing with a more recent version?

Oct 31, 2014
#2 [email protected]

Unfortunately the latest version of Chromium in my PPA is 37.

I've been able to reproduce this on Chrome 38.0.2125.114 for Android.

Oct 31, 2014
#3 [email protected]

To clarify, the actual POC is in the link on the page. The https://hashie.co/chrome/demo.html page will be replaced with example.org by pix4bit.com

Nov 1, 2014
#4 [email protected]

The demo page doesn't work for me on M37 on Mac either. When I switch back to example.com tab I see a very brief flash of https://hashie.co/chrome/demo.html but otherwise the actual example.com page is displayed in page contents. I haven't tested on Android yet though.

Nov 2, 2014
#5 [email protected]

The user decides to trust a particular tab by inspecting the URL and determining the origin.  In all cases here both tabs area always showing the correct origin for the content being shown.

On android, when entering any data into a form, the origin is always shown, even if it's previously been elided by scrolling down.  The user can then make a trust decision based on this visible origin.

Given this, I don't see any risk to users more than the users just clicking on a link and visiting a new page, so I am closing with WontFix.
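
The behaviour in the bug report above is usually called reverse tabnabbing: a page opened through a target="_blank" link keeps a live window.opener and can assign window.opener.location, so the tab the user left behind is swapped for a look-alike page. Chromium closed it WontFix, which leaves the fix on the linking page: rel="noopener" severs the reference (noreferrer does the same in browsers that predate noopener). The following is an added example, not code from the report or from hashie.co; the HTML it scans is constructed for the demonstration. It audits a document for target="_blank" anchors without noopener and rewrites them:

```python
"""Added example: audit and repair target="_blank" links that leave window.opener live.

A page opened from such a link can run  window.opener.location = "https://phish.example/"
and replace the tab the user came from (the behaviour the Chromium report describes).
rel="noopener" severs the reference; noreferrer is added for browsers that predate it.
Not code from the report or from hashie.co; the sample HTML below is constructed.
"""
from html import escape
from html.parser import HTMLParser

ADD_REL = ("noopener", "noreferrer")


class BlankTargetAuditor(HTMLParser):
    """Collects (raw_tag, fixed_tag, href) for every <a target="_blank"> lacking noopener."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr_map = dict(attrs)  # attribute names are already lower-cased by HTMLParser
        if (attr_map.get("target") or "").lower() != "_blank":
            return
        rel = (attr_map.get("rel") or "").lower().split()
        if "noopener" in rel:
            return
        fixed_rel = " ".join(rel + [t for t in ADD_REL if t not in rel])
        new_attrs, had_rel = [], False
        for name, value in attrs:
            if name == "rel":
                value, had_rel = fixed_rel, True
            new_attrs.append((name, value))
        if not had_rel:
            new_attrs.append(("rel", fixed_rel))
        fixed = "<a " + " ".join(
            f'{n}="{escape(v or "", quote=True)}"' for n, v in new_attrs) + ">"
        self.findings.append((self.get_starttag_text(), fixed, attr_map.get("href")))


def audit(document):
    """Return the offending anchors as (raw_tag, fixed_tag, href) tuples."""
    parser = BlankTargetAuditor()
    parser.feed(document)
    parser.close()
    return parser.findings


def harden(document):
    """Rewrite every offending anchor in place; identical tags are all fixed."""
    for raw, fixed, _ in audit(document):
        document = document.replace(raw, fixed)
    return document


# Constructed sample page: two unsafe anchors, one already safe, one same-tab link.
SAMPLE = (
    '<p><a href="https://example.org/" target="_blank">unsafe</a> '
    '<a href="https://example.org/" target="_blank" rel="noopener">safe</a> '
    '<a href="/local" target="_blank" rel="nofollow">unsafe too</a> '
    '<a href="https://example.org/">same tab</a></p>'
)

if __name__ == "__main__":
    for raw, fixed, href in audit(SAMPLE):
        print(f"{href}: {raw} -> {fixed}")
    print(harden(SAMPLE))
```

The same audit belongs in a template linter or a CI step. It does not cover windows opened from script; those need window.open(url, "_blank", "noopener") or an explicit `opened.opener = null`, and a page that wants a belt-and-braces defence can also refuse to be navigated by checking `window.opener` on load.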
newbie
Activity: 4
Merit: 0
January 14, 2015, 06:53:07 PM
Got any new projects which might gain some of your reputation back?
legendary
Activity: 1456
Merit: 1081
I may write code in exchange for bitcoins.
January 13, 2015, 11:58:11 PM
TradeFortress has come out and said he was one of the owners of hashie.co, a cloudmining service that also had its hot wallet "hacked" with 97% of the BTC in it:

I might not be checking this thread or [email protected] much in the future, but if you need to contact me for any reason feel free to email me at [email protected] Smiley

Bye everyone!

-Queen Elsa

That's pretty funny, anyway.
newbie
Activity: 54
Merit: 0
January 13, 2015, 04:45:08 AM
TradeFortress has come out and said he was one of the owners of hashie.co, a cloudmining service that also had its hot wallet "hacked" with 97% of the BTC in it:

I might not be checking this thread or [email protected] much in the future, but if you need to contact me for any reason feel free to email me at [email protected] Smiley

Bye everyone!

-Queen Elsa

LOL and why do you think that was him?

I'm not saying it was, all I'm asking is: does he still have control of that email? Wondering if the hashie scam is somehow related to the inputs.io hack, and wondering who he has talked with on btc-otc, as I think someone from there has vendettas against other members.
With this logic...

Quote from: Vortex20000
Hi, I won't be checking this account anymore, please email [email protected].

Am I theymos? Pshaww...

I understand it could be some dude just posting an email. The whole way the scam took place is weird. All I know is the dude dropped an email that has a past. inputs.io had social engineering tactics and someone has gone around impersonating TradeFortress. From what I have found, people believe that TradeFortress was another member called milkshake. The domain name for the email that was used was registered to yan wang and now shows mark russells. https://bitcointalksearch.org/topic/do-we-have-a-potential-fraudster-among-us-211169
hero member
Activity: 504
Merit: 500
sucker got hacked and screwed --Toad
January 13, 2015, 04:18:33 AM
TradeFortress has come out and said he was one of the owners of hashie.co, a cloudmining service that also had its hot wallet "hacked" with 97% of the BTC in it:

I might not be checking this thread or [email protected] much in the future, but if you need to contact me for any reason feel free to email me at [email protected] Smiley

Bye everyone!

-Queen Elsa

LOL and why do you think that was him?

I'm not saying it was, all I'm asking is: does he still have control of that email? Wondering if the hashie scam is somehow related to the inputs.io hack, and wondering who he has talked with on btc-otc, as I think someone from there has vendettas against other members.
With this logic...

Quote from: Vortex20000
Hi, I won't be checking this account anymore, please email [email protected].

Am I theymos? Pshaww...
newbie
Activity: 54
Merit: 0
January 12, 2015, 08:27:12 PM
TradeFortress has come out and said he was one of the owners of hashie.co, a cloudmining service that also had its hot wallet "hacked" with 97% of the BTC in it:

I might not be checking this thread or [email protected] much in the future, but if you need to contact me for any reason feel free to email me at [email protected] Smiley

Bye everyone!

-Queen Elsa

LOL and why do you think that was him?

I'm not saying it was, all I'm asking is: does he still have control of that email? Wondering if the hashie scam is somehow related to the inputs.io hack, and wondering who he has talked with on btc-otc, as I think someone from there has vendettas against other members.
b!z
legendary
Activity: 1582
Merit: 1010
January 12, 2015, 06:51:55 PM
TradeFortress has come out and said he was one of the owners of hashie.co, a cloudmining service that also had its hot wallet "hacked" with 97% of the BTC in it:

I might not be checking this thread or [email protected] much in the future, but if you need to contact me for any reason feel free to email me at [email protected] Smiley

Bye everyone!

-Queen Elsa

LOL and why do you think that was him?
legendary
Activity: 2087
Merit: 1015
January 12, 2015, 10:20:26 AM
TradeFortress has come out and said he was one of the owners of hashie.co, a cloudmining service that also had its hot wallet "hacked" with 97% of the BTC in it:

I might not be checking this thread or [email protected] much in the future, but if you need to contact me for any reason feel free to email me at [email protected] Smiley

Bye everyone!

-Queen Elsa
That doesn't look like TF coming out as hashie; that looks like hashie trying to pass the blame. TF, can you confirm: are you hashie?
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
January 12, 2015, 04:08:12 AM
I'm sorry for how CL/Inputs ended.

You weren't happy with your take?
full member
Activity: 209
Merit: 100
January 12, 2015, 12:52:36 AM
Another question:

(sorry for the multiple posts and sorry if this has been answered already).

I know that inputs/CL lost 4,100+ bitcoin from the attack (the headline number), however how much was "lost" after you account for the money that was repaid to investors from Huh funds? In other words what was the net amount lost by investors?

In regards to the money that was paid back, where did this money come from? was it from cold storage? from your personal funds?

What you do think the overall chances of your investors being able to recoup additional recoveries from inputs/CL are? Is it close to zero or do you think there is a fighting chance they could get repaid?
full member
Activity: 209
Merit: 100
January 12, 2015, 12:46:55 AM
Certainly if you think that all of that is OK, you will show yourself at some conference or give out your personal details so people can talk with you face to face, because you don't think you did anything wrong, why would others?
Charlie Hebdo thought they did nothing wrong but someone did, and now 12 are dead. http://m.bbc.com/news/world-europe-30710883

If you were TF right now would you reveal your identity?

Even when he was highly trusted TF wished to remain anonymous, why would he reveal himself when there is so much bad blood towards him?
So I take it that his RL identity is not known by anyone in the community?
vip
Activity: 1316
Merit: 1043
👻
January 12, 2015, 12:46:32 AM
Do you feel any responsibility or remorse for those people that got screwed because of you?  Still feeling the pinch because part of my wedding budget was in coinlenders, as well as my fiancée's tuition money, and as far as I knew you were going to reimburse people from your own personal stash if anything went wrong (those were the terms I agreed to and was never asked to agree to something different), so I felt like they were pretty safe and obviously wasn't my whole amount.  Do you think it's fair to sit on a couple hundred shares of AsicMiner, as well as other securities and bitcoin, and leave those you damaged as if nothing happened?  Certainly if you think that all of that is OK, you will show yourself at some conference or give out your personal details so people can talk with you face to face, because you don't think you did anything wrong, why would others?
I'm sorry for how CL/Inputs ended.

legendary
Activity: 2800
Merit: 1012
Get Paid Crypto To Walk or Drive
January 12, 2015, 12:46:05 AM
Certainly if you think that all of that is OK, you will show yourself at some conference or give out your personal details so people can talk with you face to face, because you don't think you did anything wrong, why would others?
Charlie Hebdo thought they did nothing wrong but someone did, and now 12 are dead. http://m.bbc.com/news/world-europe-30710883

If you were TF right now would you reveal your identity?

Even when he was highly trusted TF wished to remain anonymous, why would he reveal himself when there is so much bad blood towards him?

Exactly my point: it proves that people hold him responsible and that he still owes the community.
legendary
Activity: 2087
Merit: 1015
January 12, 2015, 12:44:09 AM
Certainly if you think that all of that is OK, you will show yourself at some conference or give out your personal details so people can talk with you face to face, because you don't think you did anything wrong, why would others?
Charlie Hebdo thought they did nothing wrong but someone did, and now 12 are dead. http://m.bbc.com/news/world-europe-30710883

If you were TF right now would you reveal your identity?

Even when he was highly trusted TF wished to remain anonymous, why would he reveal himself when there is so much bad blood towards him?
full member
Activity: 209
Merit: 100
January 12, 2015, 12:41:22 AM
You were once one of the most trusted members of bitcointalk. Now many of the threads you post in and the posts you make, and the threads you make are trolled with people saying how much of a thief (they think) you are.

Do you think you will ever be able to rebuild your reputation on bitcointalk and throughout the bitcoin community?


Does anyone have your dox or know your RL identity?
legendary
Activity: 2800
Merit: 1012
Get Paid Crypto To Walk or Drive
January 12, 2015, 12:28:08 AM
Inputs had been penetration tested regularly, and on security-critical projects I regularly spend upwards of $5000 on a thorough pentest by professional security forums firms.
made a typo.

This is the sticking point with me. TF was smart enough to know that you can't fully secure anything, and even if you make it so hard it isn't worth it, there's always social engineering. Leaving that much sitting around was foolish, and I don't think he's a fool. Maybe I'm giving him too much credit, I don't know.
Yeah, I don't have any explanation other than (i) laziness (the system wasn't set up to make sending to cold storage easy, and it had to be performed manually), (ii) wanting to keep sufficient amounts on the server so nobody worries/panics, and (iii) about 1500 BTC was deposited within 48 hrs of the hack.

The later systems I've built do make sending to cold storage easier, but for the most recent site it was still a manual process. I intend to do automatic cold storage transfers (hourly cronjob) for my future projects.

Do you feel any responsibility or remorse for those people that got screwed because of you?  Still feeling the pinch because part of my wedding budget was in coinlenders, as well as my fiancée's tuition money, and as far as I knew you were going to reimburse people from your own personal stash if anything went wrong (those were the terms I agreed to and was never asked to agree to something different), so I felt like they were pretty safe and obviously wasn't my whole amount.  Do you think it's fair to sit on a couple hundred shares of AsicMiner, as well as other securities and bitcoin, and leave those you damaged as if nothing happened?  Certainly if you think that all of that is OK, you will show yourself at some conference or give out your personal details so people can talk with you face to face, because you don't think you did anything wrong, why would others?
vip
Activity: 1316
Merit: 1043
👻
January 11, 2015, 10:46:42 PM
Inputs had been penetration tested regularly, and on security-critical projects I regularly spend upwards of $5000 on a thorough pentest by professional security forums firms.
made a typo.

This is the sticking point with me. TF was smart enough to know that you can't fully secure anything, and even if you make it so hard it isn't worth it, there's always social engineering. Leaving that much sitting around was foolish, and I don't think he's a fool. Maybe I'm giving him too much credit, I don't know.
Yeah, I don't have any explanation other than (i) laziness (the system wasn't set up to make sending to cold storage easy, and it had to be performed manually), (ii) wanting to keep sufficient amounts on the server so nobody worries/panics, and (iii) about 1500 BTC was deposited within 48 hrs of the hack.

The later systems I've built do make sending to cold storage easier, but for the most recent site it was still a manual process. I intend to do automatic cold storage transfers (hourly cronjob) for my future projects.
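
The remedy TradeFortress names above, an hourly cron job sweeping the hot wallet to cold storage, is worth putting numbers on, since the whole loss came from what was sitting in the hot wallet. The following is an added example and not his code: a sweep policy with a cap, a floor kept back to service withdrawals and a minimum sweep size, plus a simulation over a constructed five-hour window of deposits and withdrawals. The policy values, the event list and the hour-boundary scheduling are all assumptions; the real transfer would be a bitcoind sendtoaddress to a cold address, which is not performed here.

```python
"""Added example: a hot-wallet sweep policy and a simulation of its effect on exposure.

Not TradeFortress's code. The cap/floor/min_sweep values, the event list and the
hour-boundary scheduling are assumptions; the real transfer would be a bitcoind
sendtoaddress call to a cold-storage address, which is not performed here.
Amounts are integers in satoshi.
"""
from dataclasses import dataclass

SAT = 100_000_000  # satoshi per BTC


@dataclass(frozen=True)
class SweepPolicy:
    cap: int        # sweep once the hot balance exceeds this
    floor: int      # leave this much behind to keep serving withdrawals
    min_sweep: int  # skip dust-sized sweeps (each one costs a fee and a UTXO)

    def amount_to_sweep(self, hot_balance):
        if hot_balance <= self.cap:
            return 0
        amount = hot_balance - self.floor
        return amount if amount >= self.min_sweep else 0


def simulate(events, policy, sweep_every=60):
    """events: (minute, delta) pairs, deposits positive and withdrawals negative.
    A sweep runs at every multiple of `sweep_every` minutes, like an hourly cron job.
    Returns (peak hot balance with sweeping, peak without sweeping, total swept)."""
    hot = unswept = peak_hot = peak_unswept = swept_total = 0
    last_minute = 0
    for minute, delta in sorted(events):
        # run every sweep tick that falls after the previous event and at or before this one
        for _ in range(last_minute // sweep_every + 1, minute // sweep_every + 1):
            amount = policy.amount_to_sweep(hot)
            hot -= amount
            swept_total += amount
        last_minute = minute
        hot += delta
        unswept += delta
        peak_hot = max(peak_hot, hot)
        peak_unswept = max(peak_unswept, unswept)
    return peak_hot, peak_unswept, swept_total


# Constructed window: 500 BTC arriving every hour, 50 BTC withdrawn in between.
SAMPLE_EVENTS = (
    [(m, 500 * SAT) for m in (10, 70, 130, 190, 250, 310)]
    + [(m, -50 * SAT) for m in (40, 100, 160, 220, 280)]
)
POLICY = SweepPolicy(cap=200 * SAT, floor=100 * SAT, min_sweep=10 * SAT)


def run_demo():
    return simulate(SAMPLE_EVENTS, POLICY)


if __name__ == "__main__":
    peak_hot, peak_unswept, swept = run_demo()
    print(f"peak exposure swept hourly: {peak_hot / SAT:.0f} BTC; "
          f"never swept: {peak_unswept / SAT:.0f} BTC; swept to cold: {swept / SAT:.0f} BTC")
    # crontab entry for the real job (hypothetical path):
    #   0 * * * * /usr/local/bin/sweep_hot_wallet
```

With the constructed events the peak hot-wallet exposure drops from 2750 BTC (never swept) to 600 BTC, which is the floor plus one hour of deposits: what an attacker can take is bounded by what arrives between two sweeps, not by the whole float. The bound is only as good as the separation behind it; if the same host holds the cold keys, or whoever gets console access can edit the cron job, the sweep buys nothing.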