Pages:
Author

Topic: BTC-E hacked - still unfolding (Read 22045 times)

legendary
Activity: 980
Merit: 1020
July 31, 2012, 06:03:20 PM
#60
I am going to wait until they announce a fix to the vulnerability.
donator
Activity: 362
Merit: 250
July 31, 2012, 05:54:06 PM
#59
Kudos to BTC-e for handling this situation well.  My account issues are all resolved, thanks.

I was cautious of the site prior to this event and kept a minimal balance, but I have a lot more confidence in them after this and will continue to trade BTC & LTC there.  Smiley
legendary
Activity: 2198
Merit: 1311
July 31, 2012, 02:48:23 PM
#58
I think a web-library should be made to help assist those who want to integrate Bitcoin into their website but don't know what kind of security measures needed to be taken.

Something like that has been brought up before: https://bitcointalksearch.org/topic/we-need-a-comprehensive-guide-for-making-safe-bitcoin-apps-93115

Yep.  It's been suggested before.  I think Matthew was one of the first to suggest it.  Basically, I think the most successful and secure bitcoin businesses should form a bitcoin security forum, maybe include a security expert/crypto guy or two (and pay them a little bit), and publish best practices.  Even better, but probably much more difficult to implement, and it comes with its own trust issues, would be for something like that to perform audits and companies could get some sort of certification and be included in a list of companies complying with best practices.
member
Activity: 98
Merit: 10
(:firstbits => "1mantis")
July 31, 2012, 02:45:40 PM
#57
OK people. I think it is about time to create 2 keys to access API shit! If this thing was brute forced then we need to ramp up security.

BTW. If it was brute forced, how did they confirm if it was valid or not without triggering a flag in log reports on either website?
legendary
Activity: 1120
Merit: 1003
July 31, 2012, 02:26:55 PM
#56
I think a web-library should be made to help assist those who want to integrate Bitcoin into their website but don't know what kind of security measures needed to be taken.

Something like that has been brought up before: https://bitcointalksearch.org/topic/we-need-a-comprehensive-guide-for-making-safe-bitcoin-apps-93115
legendary
Activity: 980
Merit: 1003
I'm not just any shaman, I'm a Sha256man
July 31, 2012, 02:20:12 PM
#55
I think a web-library should be made to help assist those who want to integrate Bitcoin into their website but don't know what kind of security measures needed to be taken.
legendary
Activity: 1120
Merit: 1003
July 31, 2012, 02:11:24 PM
#54
I'm guessing there's a timing attack on LR's end.

Oh that brings back memories from the old embedded system days. Interesting hypothesis - I wouldn't be surprised to see Internet services not realizing such attacks very well can be performed over Internet-distances if you get enough tries.

Posting additional information for those who plan on making their own password-validation code not having heard about this class of attacks before: http://www.computerworld.com/s/article/9179224/Researchers_Authentication_crack_could_affect_millions

(However, if there is such an information leak on LR's side we would surely see other services accepting LR to be affected as well)



Interesting stuff. If that's the case...

Quote
the fix is simple: Program the system to take the same amount of time to return both correct and incorrect passwords. This can be done in about six lines of code, Lawson said.

hero member
Activity: 530
Merit: 500
July 31, 2012, 01:38:23 PM
#53
I'm guessing there's a timing attack on LR's end.

Oh that brings back memories from the old embedded system days. Interesting hypothesis - I wouldn't be surprised to see Internet services not realizing such attacks very well can be performed over Internet-distances if you get enough tries.

Posting additional information for those who plan on making their own password-validation code not having heard about this class of attacks before: http://www.computerworld.com/s/article/9179224/Researchers_Authentication_crack_could_affect_millions

(However, if there is such an information leak on LR's side we would surely see other services accepting LR to be affected as well)

legendary
Activity: 1458
Merit: 1006
July 31, 2012, 01:29:20 PM
#52
Probably bitcoinica was never hacked altogether, bitcoinica to me looks like a scam (especially after the "no backup" and the last "money that was on mtgox lost" news) Cheesy

Yeah, their story is about as fake as the Colorado shooting. Someday, soon hopefully, it will come out that all the Bitcoinica/InterSango guys are establishment cronies (freemasons).


legendary
Activity: 1120
Merit: 1003
July 31, 2012, 01:24:49 PM
#51
To be fair, Bitcoinica was never hacked due to a coding error. It seemed to be management and VPS on every occasion.
Probably bitcoinica was never hacked altogether, bitcoinica to me looks like a scam (especially after the "no backup" and the last "money that was on mtgox lost" news) Cheesy

Yeah, their story is about as fake as the Colorado shooting. Someday, soon hopefully, it will come out that all the Bitcoinica/InterSango guys are establishment cronies (freemasons).



LMAO...
legendary
Activity: 1666
Merit: 1057
Marketing manager - GO MP
July 31, 2012, 01:23:42 PM
#50
To be fair, Bitcoinica was never hacked due to a coding error. It seemed to be management and VPS on every occasion.
Probably bitcoinica was never hacked altogether, bitcoinica to me looks like a scam (especially after the "no backup" and the last "money that was on mtgox lost" news) Cheesy

Yeah, their story is about as fake as the Colorado shooting. Someday, soon hopefully, it will come out that all the Bitcoinica/InterSango guys are establishment cronies (freemasons).

full member
Activity: 174
Merit: 100
Posts made Jan-March 2017 are not by me
July 31, 2012, 01:21:03 PM
#49
From https://btc-e.com/news/81:

Quote
At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.

Really? That would make it the longest known brute forced key I've heard of.

caveat: I haven't studied the actual implementation in LR, maybe there are shortcuts. I would've just assumed to end up in the right ballpark with an estimation along these lines:

GPU brute forcing speed - let's go with 3Mhash/s (SHA-1) based on http://golubev.com/gpuest.htm

Time-to-find 16 char l/U/# at 3Mhash/s estimation using http://lastbit.com/pswcalc.asp

Result: 510892508003511 years

(Feel free to halve for each added GPU and a final halving for 50% time instead of 100% - assume a lucky hacker)

I'm guessing there's a timing attack on LR's end.
legendary
Activity: 2126
Merit: 1001
July 31, 2012, 12:32:05 PM
#48
Indeed.
I will watch this closely.
BTC-E just instantly catapulted themselves to #1 of my favorite exchange. After MtGox and Intersango more or less disqualified themselves in the last few days..

Ente
legendary
Activity: 1904
Merit: 1037
Trusted Bitcoiner
July 31, 2012, 12:28:18 PM
#47
From https://btc-e.com/news/81:

Quote
Dear users of the Exchange Btc-e.com

The exchange is not going to close. We will refund all losses from our reserves.

Neither the servers nor the database were compromised. There were no SQL injections.

At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.

Using the key the hacker imitated LR deposits from many accounts and bought up Bitcoins, Namecoins and Litecoins.

We lost our daily volume, approx. 4500 BTC. The attacker couldn't withdraw more
as most BTC were distributed over several offline wallets.

At 10:30 we restored the database to the state it was at 04:00, right before the attack. All trades after 4:00 are reverted.

People who attempted withdrawals before 04:00 MSK will get their funds withdrawn later today.

For people who deposited BTC, LTC and NMC after 04:00 MSK the funds will be put to their balances before market opens.
We are working on the scripts for this.

If you deposited USD after 04:00 MSK you should send us your login, amount and payment system used by email or PM.

Our plan:

1. The trade will be disabled until we restore the balances to the point before market crash.

2. After that, the trade and deposit/withdrawal will be back on, approx. within 1-2 days.

Icq - 610112128
Skype - btc-e.support
E-mail - [email protected]

Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.

+1

It actually gives me a lot of confidence.

this is gr8 news,
Excellent work btc-e!
legendary
Activity: 1120
Merit: 1003
July 31, 2012, 11:55:06 AM
#46
To be fair, Bitcoinica was never hacked due to a coding error. It seemed to be management and VPS on every occasion.
Probably bitcoinica was never hacked altogether, bitcoinica to me looks like a scam (especially after the "no backup" and the last "money that was on mtgox lost" news) Cheesy

Yeah, their story is about as fake as the Colorado shooting. Someday, soon hopefully, it will come out that all the Bitcoinica/InterSango guys are establishment cronies (freemasons).
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
July 31, 2012, 11:51:57 AM
#45
To be fair, Bitcoinica was never hacked due to a coding error. It seemed to be management and VPS on every occasion.
Probably bitcoinica was never hacked altogether, bitcoinica to me looks like a scam (especially after the "no backup" and the last "money that was on mtgox lost" news) Cheesy
legendary
Activity: 1246
Merit: 1077
July 31, 2012, 11:21:22 AM
#44
To be fair, Bitcoinica was never hacked due to a coding error. It seemed to be management and VPS on every occasion.
legendary
Activity: 2198
Merit: 1311
July 31, 2012, 11:18:38 AM
#43
Who would have guessed that BTC-E was more secure than Bitcoinica?

I am not like most people. I DON"T judge the security of a website based on AWESOME WEB DESIGN.

member
Activity: 98
Merit: 10
(:firstbits => "1mantis")
July 31, 2012, 11:12:40 AM
#42
Who would have guessed that BTC-E was more secure than Bitcoinica?

I am not like most people. I DON"T judge the security of a website based on AWESOME WEB DESIGN.
legendary
Activity: 2198
Merit: 1311
July 31, 2012, 11:08:57 AM
#41
Who would have guessed that BTC-E was more secure than Bitcoinica?
Pages:
Jump to: