Topic: Bitcoin-Central.net "We have been compromised" - page 2. (Read 9322 times)

sr. member
Activity: 336
Merit: 250
Cuddling, censored, unicorn-shaped troll.
Anyone tried submitting a ticket to ask for an ETA about BTC refunds?
I just did, will let you know if they answer.
legendary
Activity: 1264
Merit: 1008
I'm waiting for my BTC since 26-4-2013 ... Anyone already receive it?

I'm with you Pedro, still waiting with confidence in the bitcoin-central team.  

Edit:  And now they have come through, merci mes amis!

legendary
Activity: 2097
Merit: 1070
What keeps the attacker (with access to the webserver and therefore the webserver signing key) from sending a signed message to the wallet server for a transfer of funds?

Something external to the web server alone would prevent this.

For example a request to process a withdrawal could be tied to a verified two factor login session stored in a database which the wallet processing server has access to and can verify. Something that can't be faked without a verified login. It should also be time sensitive.

This way withdrawals are tied to the login session of a user and would only be processed when they are checked against the individual session/login and not processed blindly based on where the request came from.

Obviously any system like this would require some thinking / planning before it's implemented properly to ensure that it's secure.

I hope this is what they're doing right now.

Just requiring that a Bitcoin withdrawal be processed on an isolated server only when a user is currently logged in would provide a greater degree of isolation but this could be expanded on to make the system very secure.
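A minimal sketch of the session-bound withdrawal check described above, added here as an example and not code from the thread or from Bitcoin-Central; the signing key, the shared session store, the field names and the 300-second window are all assumptions:

```python
import hashlib
import hmac
import json

# Assumed: the web server's signing key, which an attacker who owns the web
# server is presumed to hold as well. Constructed value, not a real key.
WEB_SERVER_KEY = b"constructed-web-server-signing-key"
SESSION_TTL = 300  # seconds a 2FA-verified login stays usable for withdrawals

# Shared session database (a dict here) written by the login flow only after
# the second factor is verified, and readable by the isolated wallet server.
sessions = {}


def record_verified_login(session_id, user, now):
    """Login flow: store the session only once 2FA has been checked."""
    sessions[session_id] = {"user": user, "two_factor_ok": True, "verified_at": now}


def web_server_sign(request):
    """Web tier signs the withdrawal request it forwards to the wallet server."""
    body = json.dumps(request, sort_keys=True).encode()
    return hmac.new(WEB_SERVER_KEY, body, hashlib.sha256).hexdigest()


def wallet_server_authorize(request, signature, now):
    """Wallet server: a valid web-server signature is necessary but not
    sufficient; the request must also match a live, 2FA-verified session
    belonging to the same user, so a stolen signing key alone buys nothing."""
    if not hmac.compare_digest(web_server_sign(request), signature):
        return False, "bad signature"
    session = sessions.get(request["session_id"])
    if session is None:
        return False, "no such session"
    if session["user"] != request["user"] or not session["two_factor_ok"]:
        return False, "session is not a 2FA-verified login of this user"
    if now - session["verified_at"] > SESSION_TTL:
        return False, "session expired"
    return True, "ok"
```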
donator
Activity: 2772
Merit: 1019
They got hacked twice on bitcoin-central.net in April and once on instawallet; it's pretty obvious that now they want to take their time and come back only when they are sure that everything is fine.

translation: after getting hacked for the 2nd time they got so extremely pissed that they just felt the overwhelming urge to throw in the towel.
donator
Activity: 2772
Merit: 1019
OVH CEO confirms that a flaw in their password reset procedure is what led to the compromise of bitcoin-central:
https://news.ycombinator.com/item?id=5632479

I don't see why Bitcoin central had to close down, this seems a very drastic measure to me considering the error which led to this situation was beyond their control and is unlikely to be repeated.

Skimping on hosting by using a budget service like OVH was the big mistake here.

I would make the following suggestions :

Move out of your current hosting ASAP.

Purchase your own dedicated server if you haven't already. Something that nobody else has access to and colocate it somewhere.

Host it somewhere secure. I've been working with a guy at mycyberhosting.net for around the last 10 years or so who uses various datacenters and has many cabinets in them. A private cab will cost around 1000 Euro or more a month depending on where it's located. This might be a bit too much for your needs, however partial cabinets are also available in the various datacenters.

I'm not entirely sure how the wallets are handled within the Bitcoin Central system, but I gave this a little thought for a few minutes, and if I were implementing a service handling Bitcoin like this online I would keep any wallet operations isolated on a physically separate server and merely send verifiable signed messages between the online web server and the physically separated server for any wallet access.

This way the keys are completely isolated from the website system. Even if the whole server got hacked there would be no possibility of keys being leaked.

Wallet isolation is the key, even for the hot wallet. Additional layers of separation are important.

Just my thoughts.


What keeps the attacker (with access to the webserver and therefore the webserver signing key) from sending a signed message to the wallet server for a transfer of funds?
legendary
Activity: 2097
Merit: 1070
I logged in and requested a wire transfer for about 1200 Euros during the time when trading was turned off.

The wire transfer for my withdrawal arrived in my UK account today.

I hope the issues are sorted out quickly, especially as I see this as being the fault of the web hosting service and not Bitcoin Central.

New more professional secured hosting and some changes to where the hot wallet is stored and accessed should fix these issues.
member
Activity: 91
Merit: 10
I'm waiting for my BTC since 26-4-2013 ... Anyone already receive it?
sr. member
Activity: 392
Merit: 250
They got hacked twice on bitcoin-central.net in April and once on instawallet; it's pretty obvious that now they want to take their time and come back only when they are sure that everything is fine.
legendary
Activity: 2097
Merit: 1070
OVH CEO confirms that a flaw in their password reset procedure is what led to the compromise of bitcoin-central:
https://news.ycombinator.com/item?id=5632479

I don't see why Bitcoin central had to close down, this seems a very drastic measure to me considering the error which led to this situation was beyond their control and is unlikely to be repeated.

Skimping on hosting by using a budget service like OVH was the big mistake here.

I would make the following suggestions :

Move out of your current hosting ASAP.

Purchase your own dedicated server if you haven't already. Something that nobody else has access to and colocate it somewhere.

Host it somewhere secure. I've been working with a guy at mycyberhosting.net for around the last 10 years or so who uses various datacenters and has many cabinets in them. A private cab will cost around 1000 Euro or more a month depending on where it's located. This might be a bit too much for your needs, however partial cabinets are also available in the various datacenters.

I'm not entirely sure how the wallets are handled within the Bitcoin Central system, but I gave this a little thought for a few minutes, and if I were implementing a service handling Bitcoin like this online I would keep any wallet operations isolated on a physically separate server and merely send verifiable signed messages between the online web server and the physically separated server for any wallet access.

This way the keys are completely isolated from the website system. Even if the whole server got hacked there would be no possibility of keys being leaked.

Wallet isolation is the key, even for the hot wallet. Additional layers of separation are important.

Just my thoughts.
legendary
Activity: 1001
Merit: 1005
Will B-C resume trading soon?
mrb
legendary
Activity: 1512
Merit: 1028
OVH CEO confirms that a flaw in their password reset procedure is what led to the compromise of bitcoin-central:
https://news.ycombinator.com/item?id=5632479
legendary
Activity: 1001
Merit: 1005
Good news indeed. I guess btc will be refunded soon.
newbie
Activity: 48
Merit: 0
Today I received my funds in my bank account; now I am waiting for my BTC to be sent back.
So they are transferring funds ....!!!!

Well, that's good news. I have just received an email this morning from them that they have completed the first of my two withdrawal requests. I will post here to let you guys know if the money hits my account, fingers crossed!!!!
hero member
Activity: 540
Merit: 500
COINDER
Today I received my funds in my bank account; now I am waiting for my BTC to be sent back.
So they are transferring funds ....!!!!
sr. member
Activity: 336
Merit: 250
Cuddling, censored, unicorn-shaped troll.
I can now see the € SEPA transfer in my pending transactions.
They chose not to cover the transaction fee, so expect to get 0.99€ less than you should have.

Still no BTC refund.
sr. member
Activity: 350
Merit: 259
Only just started using B Central so not a lot in there.
As it seems to be an option I think I might just leave BTC/EUR with them and see if they get set up again soon.
full member
Activity: 225
Merit: 100
[...] does anyone else have any pending withdrawals still pending or confirmed, and has anyone actually received their funds yet?

Requested my BTCs on 04/26/2013 15:55 and it's (still) pending...
newbie
Activity: 48
Merit: 0
Received a mail stating my € withdrawal was processed, too.
Still not showing up in my "pending transactions" on bank account, will update when it does.

And still no BTC either.


Could you tell when you made your withdrawal request? I have one from just before they closed down and it is still pending.

I did it as soon as the failover address went public, on Apr. 26 2013 14:03 CEST.

That's interesting. I have one still pending since 04/23/2013, and I have another one pending from the same time as you. Does anyone else have any pending withdrawals still pending or confirmed, and has anyone actually received their funds yet?
sr. member
Activity: 336
Merit: 250
Cuddling, censored, unicorn-shaped troll.
Received a mail stating my € withdrawal was processed, too.
Still not showing up in my "pending transactions" on bank account, will update when it does.

And still no BTC either.


Could you tell when you made your withdrawal request? I have one from just before they closed down and it is still pending.

I did it as soon as the failover address went public, on Apr. 26 2013 14:03 CEST.
newbie
Activity: 48
Merit: 0
Received a mail stating my € withdrawal was processed, too.
Still not showing up in my "pending transactions" on bank account, will update when it does.

And still no BTC either.


Could you tell when you made your withdrawal request? I have one from just before they closed down and it is still pending.