Topic: [ATTN] Clarification of Mt Gox Compromised Accounts and Major Bitcoin Sell-Off - page 4. (Read 18489 times)

legendary
Activity: 1204
Merit: 1015
Has anybody checked whether jed's password was one that's been publicly leaked yet? I'm interested in how strong it was...
legendary
Activity: 3066
Merit: 1147
The revolution will be monetized!
Some degree of withholding information is to be expected when you are compromised. Gox may have been concerned that immediately releasing all they knew could aid the people who did this.
ius
newbie
Activity: 56
Merit: 0
Aha, the long-awaited clarification. Turns out the majority of speculations were correct after all.

Still, existence of the SQL injection vulnerability should've been disclosed two weeks ago(!), instead of dodging all speculations.
jr. member
Activity: 56
Merit: 1
Hmm.. interesting. I'm surprised to hear that they did have an SQL vulnerability. I thought that the "admin" account is what leaked the database.

And to everyone insisting on no rollback, I hope you can see now that it was necessary. I always assumed it was.
member
Activity: 64
Merit: 10
hero member
Activity: 1148
Merit: 501
Being forthcoming does help. I may be a little less critical of MtGox now but they still have a long way to go to regain my trust. But this is a step in the right direction. Thanks OP for posting the MtGox statement.

Yep.  Good stuff.
full member
Activity: 154
Merit: 100
Being forthcoming does help. I may be a little less critical of MtGox now but they still have a long way to go to regain my trust. But this is a step in the right direction. Thanks OP for posting the MtGox statement.
member
Activity: 84
Merit: 10
Now to get everything back in working order like it was before all this mess.
newbie
Activity: 13
Merit: 0
This is more or less what I've figured all along (although it's interesting to hear that the admin account could just grant himself arbitrary bitcoins; I reckoned instead that somebody had used an admin account to collect bitcoins together from other accounts).

Many thanks to the person, obviously a native English speaker, that actually crafted the press release.

Can we move on now please?
sr. member
Activity: 504
Merit: 250
What they really need is layered security:
 - a distinct authentication machine that is accessible via a narrow API; no "select * from users" !
 - a distinct trading machine that takes in trading requests, responsible for making the market and tracks the BTC/$ ownership of every user in the system; narrow API: enter buy and sell orders, receive callbacks when they are completed
 - distinct withdrawal machines that make actual bank and bitcoin transactions
 - a front-end machine that runs the PHP interface and is responsible for the user interface

Each interface is logged and monitored, and does not allow someone who attacks the front-end machine to access the rest of the system. The backend machines are firewalled and not accessible by other means than the narrowly defined interface.

As long as they are using a single system running a home-brewed PHP + MySQL application, parametrized queries will not prevent the next break-in.
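An added illustration of two of the points above (the "no select * from users" narrow API and parametrized queries), not code from the poster or from Mt. Gox. It uses an in-memory SQLite table whose layout, sample accounts and function names are assumptions made for the example; the string-built lookup is the pattern being warned against, shown beside a narrow parameterized one, with a cheap check that tells them apart.

```python
"""Narrow authentication query vs. string-built query (added example).

Constructed in-memory SQLite database; the table layout, column names and
the helper functions are assumptions for illustration, not Mt. Gox code.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory users table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "hash-placeholder-1", 0), ("O'Brien", "hash-placeholder-2", 1)],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str):
    """The pattern the post warns against: the whole row via string building.

    Any quote character in `username` becomes part of the SQL text, so the
    statement's meaning depends on user input. A legitimate name such as
    O'Brien already breaks it with a syntax error, which is the cheapest
    sign that the input reaches the SQL parser unescaped.
    """
    query = "SELECT * FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str):
    """Narrow, parameterized lookup: returns only the user id, or None.

    The placeholder keeps `username` as data; the driver never splices it
    into the SQL text. The projection is also minimal: callers get an id,
    not password hashes or admin flags.
    """
    row = conn.execute(
        "SELECT id FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def quote_handling_check(conn: sqlite3.Connection, lookup) -> str:
    """Regression check: feed a quoted name and classify the behaviour.

    Returns 'ok' when the lookup treats the name as data and
    'syntax-error' when the quote reached the SQL parser.
    """
    try:
        lookup(conn, "O'Brien")
        return "ok"
    except sqlite3.OperationalError:
        return "syntax-error"


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", quote_handling_check(db, lookup_concatenated))
    print("parameterized:", quote_handling_check(db, lookup_parameterized))
    print("O'Brien id:", lookup_parameterized(db, "O'Brien"))
```

The check is deliberately a plain quoted surname rather than anything crafted: if a real user's name cannot pass through the lookup, the query text is being assembled from input, and that is the defect to fix regardless of what else could be sent through it.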
newbie
Activity: 28
Merit: 0
THIS is what I've wanted to hear from them. Nutting up and taking responsibility is a big step. Good job, guys, and I can honestly say that I wish you well.
legendary
Activity: 1260
Merit: 1031
Rational Exuberance
I'm glad they posted this. I trust them a lot more after seeing this. The only thing missing is the exact number of coins stolen and the address they were sent to. I can't imagine why they didn't make that public.
legendary
Activity: 1615
Merit: 1000
So the mystery auditor was Jed...
hero member
Activity: 630
Merit: 500
Posts: 69
https://mtgox.com/press_release_20110630.html

Quote
CLARIFICATION OF MT. GOX COMPROMISED ACCOUNTS AND MAJOR BITCOIN SELL-OFF

Dear members of the press and Bitcoin community,


I. Background

March, 2011 – MtGox.com (Mt. Gox), now the world’s leading Bitcoin exchange, was purchased by Tibanne Co. Ltd. As part of the purchase agreement, for a period of time, Tibanne Co. Ltd was required to pay the previous owner a percentage of commissions. In order to audit and verify this percentage, the previous owner retained an admin level user account. This account was compromised. So far we have not been able to determine how this account’s credentials were obtained.

II. Bitcoin Sell-Off

On June 20th at approximately 3:00am JST (Japan Time), an unknown person logged in to the compromised admin account, and with the permissions of that account was able to arbitrarily assign himself a large number of Bitcoins, which he subsequently sold on the exchange, driving the price from $17.50 to $0.01 within the span of 30 minutes. With the price low, the thief was able to make a larger withdrawal (approximately 2000 BTC) before our security measures stopped further action.

We would like to note that the Bitcoins sold were not taken from other users’ accounts—they were simply numbers with no wallet backing. For a brief period, the number of Bitcoins in the Mt. Gox exchange vastly outnumbered the Bitcoins in our wallet. Normally, this should be impossible. Unfortunately, the 2000 BTC withdrawn did have real wallet backing and they will be replaced at Mt. Gox’s expense. Again, apart from the compromised admin account, no individual user’s account was manipulated in any way. All BTC and cash balances remain intact.

Given the relatively small amount of damage considering what was potentially possible, we have to question what the true motives of the attacker were. Perhaps the attack simply was not well-orchestrated but the possibility exists that the attacker was more interested in making a statement, hurting Mt. Gox’s reputation, or hurting the public image of Bitcoins in general than he was in any monetary gain.

III. Database Breach

Late last week we discovered a SQL injection vulnerability in the mtgox.com code that we suspect is responsible for allowing an attacker to gain read-only access to the Mt. Gox user database. The information retrieved from that database included plain text email addresses and usernames, unsalted MD5 passwords on accounts that had not logged in since prior to the Mt. Gox ownership transfer, and salted MD5 passwords on those accounts created or logged in to post-ownership transfer. We speculate that the credentials of the compromised admin account responsible for the market crash were obtained from this database. The password would have been hashed but it may not have been strong enough to prevent cracking.

Regrettably, we can confirm that our list of emails, usernames and hashed passwords has been released on the Internet. Our users and the public should know that these hashed passwords can be cracked, and many of our users’ more simple passwords have been cracked. This event highlights the importance of having a strong password, which we will now be enforcing. We strongly encourage all our users to immediately change the passwords of any other accounts that now or previously shared a password with their Mt. Gox account, if they have not done so already.

IV. Present Steps

We have been working tirelessly with other service providers in order to mitigate the potential damage to our users caused by the security breach. We’ve been informing our users to be especially cautious of Bitcoin-related phishing attempts at the email addresses associated with their Mt. Gox accounts. Users should continue to be especially observant of indicators of account compromise with other services—especially email and financial services.

We would like to give a special thanks to the Google team who were extremely proactive about flagging and temporarily locking customer accounts that appeared in our stolen user list. Their quick response no doubt significantly reduced unauthorized account access to Gmail addresses associated with Mt. Gox user accounts.

We’ve been actively researching the origin of the attack that led to the compromise of Mt. Gox’s previous owner’s admin account; however, our priority has been getting the Mt. Gox service back online and getting people access to their funds. We were finally able to simultaneously relaunch the service and launch our new site, with greatly improved security and back end, on June 26th, 2011.

V. Future Steps

The new Mt. Gox site features SHA-512 multi-iteration, triple salted hashing and soon will have an option for users to enable a withdraw password that will be separate from their login passwords. Other security measures such as one-time password keys are planned for release very soon as well.

The recent successful attacks on huge institutions like Sony and Citibank remind us that nobody is impenetrable. We are now operating under the presumption that another security breach will happen at some point in the future and we are implementing layers of fail-safe mechanisms to greatly limit the amount of damage possible. Of course, we’re doing our best to make sure those fail-safe mechanisms are never necessary.

While we are making great strides with the advancement of our security, we should remind our users that they too play an important role in securing their accounts. Please use a long password—the standard is not whether a person could guess it but rather whether a computer could guess it—and computers can guess pretty fast. Please do not share passwords across services—where passwords are shared, a compromise at one service means a compromise at all services. Help us help you.

VI. Apology

The truth is that Mt. Gox was unprepared for Bitcoin’s explosive growth. Our dated system was built as a hobby when Bitcoins were worth pennies a piece. It was not built to be a Fort Knox capable of securely handling millions of dollars in transactions each day.

We can attempt to blame the owner of the compromised account for the recent events but at the end of the day the responsibility to secure the site and protect our users rests with us. The admin account responsible had more permissions than necessary, and our security triggers were not as tight as they could have been.

Since the change of ownership, we have actively been patching holes while at the same time building a new Bitcoin exchange from the ground up. Going forward, we are certain that the launch of the new site will exceed the rightful expectations our users have of the service. We only hope that we can once again earn the trust of the Bitcoin community. In the meantime, we sincerely appreciate the patience all our users have shown.

We’ve got a backlog of emails we’re catching up on now but if you have any questions or comments about the recent security breaches and events, Mt. Gox in general, its founder or Bitcoin, please do not hesitate to contact us. We’re reading every message and we’ll get back to you as soon as we can.


Mark Karpeles - CEO
Tibanne Co. Ltd.

https://mtgox.com/press_release_20110630.html
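An added example, not part of the quoted press release and not Mt. Gox code, contrasting the unsalted MD5 storage described in section III with a salted, iterated SHA-512 scheme of the kind section V announces. PBKDF2-HMAC-SHA512 is used here as a standard way to combine a per-user salt with many iterations; the exact construction Mt. Gox deployed is not given by the release and is not claimed here. The iteration count, minimum password length, usernames and passwords are constructed sample values.

```python
"""Password storage contrast (added example, not Mt. Gox code).

Unsalted MD5 as described in section III of the release, beside a salted,
iterated SHA-512 scheme (PBKDF2-HMAC-SHA512, an assumed standard
construction, not the scheme Mt. Gox actually deployed).
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; tune to your hardware
SALT_BYTES = 16       # assumed salt length


def md5_unsalted(password: str) -> str:
    """Legacy storage: one deterministic digest per password, no per-user input."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS, salt=None) -> dict:
    """Salted, iterated record. A fresh random salt per user is the default."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, iterations
    )
    return {
        "alg": "pbkdf2-sha512",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha512",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_password_visible(store: dict) -> bool:
    """Audit helper over a {username: stored_hash} mapping.

    With unsalted hashes, two users who chose the same password store the
    same value, so recovering one password exposes every account using it
    and precomputed tables apply to the whole dump. Returns True when any
    two stored values are equal.
    """
    values = list(store.values())
    return len(values) != len(set(values))


def password_policy_ok(password: str, min_length: int = 12) -> bool:
    """Minimal length check of the kind the release says it will enforce (threshold assumed)."""
    return len(password) >= min_length


if __name__ == "__main__":
    # Constructed sample accounts; two of them share a password.
    legacy = {
        "alice": md5_unsalted("sunshine1"),
        "bob": md5_unsalted("sunshine1"),
        "carol": md5_unsalted("other-pass"),
    }
    print("legacy store leaks shared passwords:", shared_password_visible(legacy))
    salted = {u: make_record("sunshine1")["hash"] for u in ("alice", "bob")}
    print("salted store leaks shared passwords:", shared_password_visible(salted))
    rec = make_record("sunshine1")
    print("verify correct:", verify(rec, "sunshine1"), "wrong:", verify(rec, "sunshine2"))
```

Two properties matter here. The salt makes equal passwords produce different stored values, so a leaked table cannot be attacked with one precomputed lookup for all users at once; the iteration count makes every guess cost as much as the site's own verification does, which is what "multi-iteration" buys. Neither protects a password that is itself short or shared across services, which is the point the release's section V makes to users.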