Bitcoinica MtGox account compromised - page 23.

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Quote from: bitcoinBull on July 13, 2012, 07:59:15 PM

But how did you get this to claim that he packed it:

Code:

drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

You are implying that genjix intentionally leaked the code. I can't confirm that.

This

Code:

$ tar -jtvf bit.tar.bz2 | head -n1

gives this

Code:

drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

which means that the bitcoinica_legacy folder that was packed to the encrypted file had the owner genjix from group genjix and was last modified at 2012-07-07 20:18

If I unpack the file to my system it will have owner "me" from group "me". If I pack it again and run the above command it will give me a similar line but with my name and the date on which the folder was created/modified on my system when I unpacked it.

I posted all you needed to do to. Not sure why you're asking lol

sadpandatech

hero member

Activity: 504

Merit: 500

Quote from: Bitcoin Oz on July 13, 2012, 08:00:58 PM

How did the hacker also get access to genjix account on github ?

that is what I am wondering, with following that part of the thread..

Bitcoin Oz

hero member

Activity: 686

Merit: 500

Wat

How did the hacker also get access to genjix account on github ?

bitcoinBull

legendary

Activity: 826

Merit: 1001

rippleFanatic

Quote from: Raoul Duke on July 13, 2012, 07:17:52 PM

Quote from: bitcoinBull on July 13, 2012, 07:12:35 PM

Quote from: Raoul Duke on July 13, 2012, 07:00:54 PM

So, the encoded file has the exact same thing on the /bitcoinica_legacy/.git/logs/HEAD file

Code:

0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix  1338505438 +0200	clone: from [email protected]:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting Wink

And look at who packed it... surprise surprise

Code:

drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

That's not the encoded file. You're still looking at genjix's re-pack.

[...]

After, I opened the bit.tar.bz2 file with Ubuntu file manager and navigated to /bitcoinica_legacy/.git/logs/ and opened the HEAD file with gedit.

Try it yourself.

You're right, my mistake.

This line is in the original encoded file.

Code:

0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix  1338505438 +0200	clone: from [email protected]:bitcoinica/bitcoinica_legacy.git

This shows that somebody accessed genjix's copy of the bitcoinica source code (maybe it was on that VPS which also had the SSH key which was re-used on the consultancy's e-mail server for the prior breach).

But how did you get this to claim that he packed it:

Code:

drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

You are implying that genjix intentionally leaked the code. I can't confirm that.

Mt.Gox Support

vip

Activity: 308

Merit: 250

Quote from: Aseras on July 13, 2012, 07:31:44 PM

Which is BS since you can be a level 47 verified and you all will sit on a wire transfer for weeks. Especially a larger transfer.

No BS here. As I said before and as Mark explained, we cannot discuss these details here, however I strongly advise you to read the 20 (pages) of this thread.

PS. We are on your side not against you.

bpd

member

Activity: 114

Merit: 10

Quote from: Bitcoin Oz on July 13, 2012, 07:38:43 PM

Quote from: markm on July 13, 2012, 07:32:35 PM

Quote from: Bitcoin Oz on July 13, 2012, 07:29:39 PM

I think the probability is about the same as finding a sha-256 collision in bitcoin

So its probably silly to imagine it happened. Compare the chance of an inside job (someone told the thief where to look or told them the actual password) or a keylogger (etc) type attack was used to discover it, in such cases the fact one can find it in the source code is merely a red herring, whether deliberately dyed red or merely accidentally happening to be red.

-MarkM-

I didnt see a "lastpass master pasword " label on that string.

This.

Was ANYONE here even aware that the bitcoinica source code had been leaked, prior to genjix's OP on this thread?

Plugging the file URL into Google gives only a handful of results, with this thread being the earliest incidence of it, as far as I can tell.

That, plus the fact that the tar file appears to have been packed by username genjix.

Additionally, there's the fact that the lastpass password was supposedly the MtGOX KEY (username) and not the SECRET. A bizarre thing to do, which smells more like it's a fuck-up in an attempt to make up a plausible hack story.

The whole story is just too cute for me.

Mt.Gox Support

vip

Activity: 308

Merit: 250

Mt.Gox Support

vip

Activity: 308

Merit: 250

Quote from: kokjo on July 13, 2012, 01:02:48 PM

Quote from: Mt.Gox Support on July 13, 2012, 07:55:25 AM

As far as Mt.Gox is concerned and as Genjix explained, we did not suffer any breach or any hack, all other account are safe and the thief only targeted Bitconica's account. Mark (MagicalTux) has been in contact with many Bitcoin players since this announcement and offered any help we can give, but unfortunately all funds (USD & BTC) are no longer within our reach.

Once again, someone with a US IP succeed to get Bitcoinica's account credential which did not trigger any alarms since they were fully identified. Since Bitconica's account was a verified account the owner of this account asked (This happened when Zhou was still controlling Bitconica) to have his limits lifted to the maximum possible, giving the possibility to the thief to move Bitcoinica's assets to another external account (External to MtGox).

Despite our effort on securing Mt.Gox and protecting everyone's asset I would like to remind everyone that it is also your responsibility to secure your account with a very strong password and use either a Yubikey or Google Auth (You can even use both at the same time).

Mt.Gox

-- EDIT --

We would like to stress that Mt.Gox Verified Bitconica as a Company and NOT as an Individual.

to what (bank-)account was the usd sent to? ie. where can we find the guy, and beat him?

We wish things could be so simple, unfortunately they are not! But if you read a little further we explain that we know how and where the money goes and we will give all these details to the appropriate authorities to get this done right. Despite what some want to believe we are at Mt.Gox extremely furious about this situation a lot of good people and very close friends lost a LOT of money. We have of course nothing to do with what happen and will help the community has much as we can on this matter.

Bitcoin Oz

hero member

Activity: 686

Merit: 500

Wat

Quote from: markm on July 13, 2012, 07:32:35 PM

Quote from: Bitcoin Oz on July 13, 2012, 07:29:39 PM

I think the probability is about the same as finding a sha-256 collision in bitcoin

So its probably silly to imagine it happened. Compare the chance of an inside job (someone told the thief where to look or told them the actual password) or a keylogger (etc) type attack was used to discover it, in such cases the fact one can find it in the source code is merely a red herring, whether deliberately dyed red or merely accidentally happening to be red.

-MarkM-

I didnt see a "lastpass master pasword " label on that string.

Bitcoin Oz

hero member

Activity: 686

Merit: 500

Wat

Well I hope they have changed all the intersango passwords and are using 2 factor auth on any exchange accounts. They have done this havent they.........

markm

legendary

Activity: 2940

Merit: 1090

Quote from: Bitcoin Oz on July 13, 2012, 07:29:39 PM

I think the probability is about the same as finding a sha-256 collision in bitcoin

So its probably silly to imagine it happened. Compare the chance of an inside job (someone told the thief where to look or told them the actual password) or a keylogger (etc) type attack was used to discover it, in such cases the fact one can find it in the source code is merely a red herring, whether deliberately dyed red or merely accidentally happening to be red.

-MarkM-

Aseras

hero member

Activity: 658

Merit: 500

Quote from: Mt.Gox Support on July 13, 2012, 07:28:31 PM

Quote from: Bitcoin Oz on July 13, 2012, 05:22:27 PM

How did someone initiate a $40 000 transfer without AML warning bells going off at Mt Gox since they use this excuse if you usually try it with anything close to $10 000 or in combinations that are close to that ? One doesnt just transfer $40 000 out of Mordor.

AML as nothing to do with warning. AML is just here to make sure you are who you say you are, and then once a person on here in this case a company prove they are who they say they are they become Trusted or Verified. Once you have a Verified Account or a Trusted account your limits are not lifted, you or in this case the representative of the company need to contact us and ask us to lift their account limits.

AML has once again nothing to do with that. Now Mt.Gox offers many withdrawal methods, and the thief use the one(s) that fit his/her/their needs in that matter.

Which is BS since you can be a level 47 verified and you all will sit on a wire transfer for weeks. Especially a larger transfer.

Bitcoin Oz

hero member

Activity: 686

Merit: 500

Wat

Quote from: markm on July 13, 2012, 07:26:38 PM

Quote from: NothinG on July 13, 2012, 07:23:58 PM

Quote from: markm on July 13, 2012, 07:08:05 PM

Quote from: Bitcoin Oz on July 13, 2012, 07:04:11 PM

So basically they just open sourced all their passwords

Huh

How many attempts does LastPass allow before locking an account?

I think it's 3 attempts.

So picking that string out of all possible strings would be hmm, how much more or less likely than a fingerprint or DNA match cockup, I wonder...

Cool

-MarkM-

I think the probability is about the same as finding a sha-256 collision in bitcoin

Clipse

hero member

Activity: 504

Merit: 502

Quote from: ?? on ??

Quote from: Raoul Duke on July 13, 2012, 07:17:52 PM

After I opened the bit.tar.bz2 file with Ubuntu file manager and navigated to /bitcoinica_legacy/.git/logs/ and opened the HEAD file with gedit.

I confirm this. So the hacker had access to git even after 15th... So they didnt change password or this is an inside job.

or intersango/bitcoin consultancy simply think everyone on this forum is a moron.

Mt.Gox Support

vip

Activity: 308

Merit: 250

Quote from: Bitcoin Oz on July 13, 2012, 05:22:27 PM

How did someone initiate a $40 000 transfer without AML warning bells going off at Mt Gox since they use this excuse if you usually try it with anything close to $10 000 or in combinations that are close to that ? One doesnt just transfer $40 000 out of Mordor.

AML as nothing to do with warning. AML is just here to make sure you are who you say you are, and then once a person on here in this case a company prove they are who they say they are they become Trusted or Verified. Once you have a Verified Account or a Trusted account your limits are not lifted, you or in this case the representative of the company need to contact us and ask us to lift their account limits.

AML has once again nothing to do with that. Now Mt.Gox offers many withdrawal methods, and the thief use the one(s) that fit his/her/their needs in that matter.

markm

legendary

Activity: 2940

Merit: 1090

Quote from: NothinG on July 13, 2012, 07:23:58 PM

Quote from: markm on July 13, 2012, 07:08:05 PM

Quote from: Bitcoin Oz on July 13, 2012, 07:04:11 PM

So basically they just open sourced all their passwords

Huh

How many attempts does LastPass allow before locking an account?

I think it's 3 attempts.

So picking that string out of all possible strings would be hmm, how much more or less likely than a fingerprint or DNA match cockup, I wonder...

Cool

-MarkM-

NothinG

hero member

Activity: 560

Merit: 500

Quote from: markm on July 13, 2012, 07:08:05 PM

Quote from: Bitcoin Oz on July 13, 2012, 07:04:11 PM

So basically they just open sourced all their passwords

Huh

How many attempts does LastPass allow before locking an account?

I think it's 3 attempts.

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Quote from: bitcoinBull on July 13, 2012, 07:12:35 PM

Quote from: Raoul Duke on July 13, 2012, 07:00:54 PM

So, the encoded file has the exact same thing on the /bitcoinica_legacy/.git/logs/HEAD file

Code:

0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix  1338505438 +0200	clone: from [email protected]:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting Wink

And look at who packed it... surprise surprise

Code:

drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

That's not the encoded file. You're still looking at genjix's re-pack.

Dude, I think I know what I did... I decoded the file... And yes, it has the exact same thing as the link genjix posted in the OP. Go look at yours if you wish.

Here's what I did, just so you know and don't call me a liar.
I downloaded bitcoinica.enc from http://depositfiles.com/files/u8e6gd032 to a dir named "b" on my home drive and I did the following

Code:

$ cd b

$ split --bytes=3000000 bitcoinica.enc

$ mv xaa 2

$ cat xab xac > 1

$ cat 1 2 > bit.tar.bz2

$ tar -jtvf bit.tar.bz2 | head -n1

After, I opened the bit.tar.bz2 file with Ubuntu file manager and navigated to /bitcoinica_legacy/.git/logs/ and opened the HEAD file with gedit.

Try it yourself.

tbcoin

legendary

Activity: 1022

Merit: 1000

Quote from: bitcoinBull on July 13, 2012, 07:12:35 PM

Quote from: Raoul Duke on July 13, 2012, 07:00:54 PM

So, the encoded file has the exact same thing on the /bitcoinica_legacy/.git/logs/HEAD file

Code:

0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix  1338505438 +0200	clone: from [email protected]:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting Wink

And look at who packed it... surprise surprise

Code:

drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

That's not the encoded file. You're still looking at genjix's re-pack.

Pastebin
"
Monday 9th July, the Bitcoinica sourcecode will be made public.

Encrypted file for download: http://depositfiles.com/files/u8e6gd032

Secret key + instructions for decryption will be released on Monday at 19:00 UTC in #bitcoin on Freenode IRC.
"

Until day 9 not public how to decrypt and "re-pack" was genjix day 7, the same as it was published in pastebin

EDIT:
~~Cold thinking, ok, if possible, the dates remain the original.~~

EDIT2:

Quote from: Raoul Duke on July 13, 2012, 07:17:52 PM

Quote

That's not the encoded file. You're still looking at genjix's re-pack.

Dude, I think I know what I did... I decoded the file... And yes, it has the exact same thing as the link genjix posted in the OP. Go look at yours if you wish.

Here's what I did, just so you know and don't call me a liar.
I downloaded bitcoinica.enc from http://depositfiles.com/files/u8e6gd032 to a dir named "b" on my home drive and I did the following

Code:

$ cd b

$ split --bytes=3000000 bitcoinica.enc

$ mv xaa 2

$ cat xab xac > 1

$ cat 1 2 > bit.tar.bz2

$ tar -jtvf bit.tar.bz2 | head -n1

After I opened the bit.tar.bz2 file with Ubuntu file manager and navigated to /bitcoinica_legacy/.git/logs/ and opened the HEAD file with gedit.

Bitcoin Oz

hero member

Activity: 686

Merit: 500

Wat

Quote from: markm on July 13, 2012, 07:08:05 PM

Quote from: Bitcoin Oz on July 13, 2012, 07:04:11 PM

So basically they just open sourced all their passwords

Huh

Not quite. How many attempts does LastPass allow before locking an account?

Someone had to have some reason to "waste" one attempt on that particular string of characters from the source code.

So, who tipped them off that if they wanted to spend those limited number of attempts, this particular string of characters might be a darn good guess to spend one of their attempts on...

-MarkM-

One would still have to know that particular string relates to lastpass ....Im not sure how many attempts they allow.

Topic: Bitcoinica MtGox account compromised - page 23. (Read 156012 times)