Topic: BTCT.com hacked and lost 107 btc - page 2. (Read 4648 times)

full member
Activity: 168
Merit: 100
September 26, 2014, 07:47:21 AM
#34

I will give you the username and password for the DB right now

Mysql_User = "front-end"
Mysql_Pass = "m1taLu4ayu84vO7eVu27JOw1vIk7mo"
Mysql_Host = "25.15.147.88"


There you go. I already thought of the things you have said. The system is secure enough that I can give a hacker the mysql information and they would be incapable of financially harming me NOR revealing private user information other than email addresses.

The funny thing is you still couldn't get access to the database.

Man, I am not challenging you, nor do I have the time to go hack. We are discussing a topic and this is a pure discussion, maybe to help someone. Also, if you really want to test out your security by disclosing passwords, I suggest you give out your password for your webserver and then see the magic happen. I am sure someone in the forum might be interested.
newbie
Activity: 28
Merit: 0
September 26, 2014, 07:41:36 AM
#33
If I wanted to I could have my computer running a VPS with 13 GB of RAM allotted and close all ports with outbound requests only. I could then use that virtual machine to run the wallets. No ports being forwarded or any direct communications from anything. The servers decide their job based off of the MySQL database they are connected to through a virtual network that is hub and spoke managed.

It's actually a little more complicated because if your webserver has access to the MySQL DB, then I could hypothetically just go and make changes in MySQL and take all your funds. You need to think how to ensure that even if I get access to the MySQL DB connected to the webserver, I shouldn't be able to cause any damage financially.
How could you make changes with a SQL user that has no write access to any of the finance tables nor any direct access to methods manipulating balances? If you were to read the description on the front page it clearly states that the SQL gives no permissions to the front-end except to view user information and to view balance information. It can submit a request to be processed by the back end server that is structured like
create/trade/5/1000/100/5 and is signed and encrypted. Even if you managed to figure out the signing and encryption the backend servers do another check to verify the trade is even allowed to be created.

The servers all are on a closed network with communication enabled ONLY to the SQL database. Each server has its own SQL user with its own permission.



To even prove that you lacked the true effort of reading here is an excerpt from the main page:

Code:
[The webserver must only be capable of reading information and relaying commands without having any
direct access or direct command of the wallets. Any transactions believed to be taking place on the website are
 in fact not taking place on the website. The users input is checked and their balances verified; Then the
system puts forth a structured request that is then processed by the Wallets server.]

Trust me I read, but the fact is that if there is no way to write something in a DB, then how will the user modify data? You cannot expect to provide manual intervention to each and every data entry. Again, if someone hacks the server, the purpose won't be to perform trades but to perform withdrawals. How have you designed your system so that you know for sure that the incoming request is true and is also automated?

Also, for this argument, assume that I have hacked the webserver and I exactly know your DB username and password, and even if the DB server is on an internal network, I can still access it using the webserver's SSH. Moreover, most probably if I have SSH access to the webserver, I will exactly know your DB encryption passwords.


I will give you the username and password for the DB right now

Mysql_User = "front-end"
Mysql_Pass = "m1taLu4ayu84vO7eVu27JOw1vIk7mo"
Mysql_Host = "25.15.147.88"


DNS NAME
luapod-sql.cloudapp.net
HOST NAME
LuaPod-Sql
PUBLIC VIRTUAL IP (VIP) ADDRESS
191.238.226.47

There you go. I already thought of the things you have said. The system is secure enough that I can give a hacker the mysql information and they would be incapable of financially harming me NOR revealing private user information other than email addresses.

The funny thing is you still couldn't get access to the database.


Also, the database isn't encrypted. The signature and hash passwords are entered upon each server boot. You would have to intercept me trying to boot the software. But good luck getting past the Subversion code control with code signing.
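
The arrangement this post describes (a front-end whose SQL user can only read, a signed structured request, and a back-end that re-checks the request before touching funds), as an added example that is not part of the original post or of luapod's code. It is written against sqlite, whose read-only URI mode stands in for a MySQL user granted SELECT only; the HMAC-SHA256 key, the create/<kind>/<user>/<amount>/<nonce> field layout, the users table and the nonce-based replay check are assumptions, not something the page documents.

```python
"""Added example, not luapod's code: the web/wallet split described in the post.
The front-end holds a read-only database handle and a request-signing key; the
back-end holds the read-write handle and re-checks every request itself."""
import hashlib
import hmac
import os
import sqlite3
import tempfile

# Assumed key. In the thread's setup the real secret is typed in at boot.
REQUEST_KEY = b"request-signing-key-entered-at-boot"


def sign(msg: str) -> str:
    """HMAC-SHA256 over the request string (the page does not say which scheme it uses)."""
    return hmac.new(REQUEST_KEY, msg.encode(), hashlib.sha256).hexdigest()


def new_db() -> str:
    """Create a throwaway database with one constructed user row; return its path."""
    path = os.path.join(tempfile.mkdtemp(), "ledger.db")
    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, balance INTEGER);"
        "INSERT INTO users VALUES (5, 'user5@example.invalid', 1500);"
    )
    con.commit()
    con.close()
    return path


class FrontEnd:
    """Web tier: can SELECT and build signed requests, nothing else."""

    def __init__(self, path: str):
        # mode=ro stands in for a MySQL user with SELECT only: every
        # INSERT/UPDATE/DELETE raises sqlite3.OperationalError.
        self.db = sqlite3.connect(f"file:{path}?mode=ro", uri=True)

    def balance(self, user: int) -> int:
        rows = self.db.execute("SELECT balance FROM users WHERE id=?", (user,)).fetchall()
        return rows[0][0] if rows else 0

    def build_request(self, kind: str, user: int, amount: int, nonce: str):
        """Assumed layout create/<kind>/<user>/<amount>/<nonce>, modelled on the
        thread's create/trade/5/1000/100/5. The balance pre-check here is only a
        courtesy to the user; the back-end repeats it and enforces it."""
        if self.balance(user) < amount:
            return None
        msg = f"create/{kind}/{user}/{amount}/{nonce}"
        return msg, sign(msg)

    def try_to_write(self, user: int, amount: int) -> bool:
        """What someone holding only the front-end DB credentials can do to a balance."""
        try:
            self.db.execute("UPDATE users SET balance=? WHERE id=?", (amount, user))
            self.db.commit()
            return True
        except sqlite3.OperationalError:
            self.db.rollback()  # end the implicit transaction so later reads hold no lock
            return False


class BackEnd:
    """Wallet tier: the only holder of a read-write handle."""

    def __init__(self, path: str):
        self.db = sqlite3.connect(path)
        self.seen_nonces = set()

    def process(self, msg: str, sig: str) -> str:
        if not hmac.compare_digest(sign(msg), sig):
            return "rejected: bad signature"
        parts = msg.split("/")
        if len(parts) != 5 or parts[0] != "create" or parts[1] not in ("trade", "withdraw"):
            return "rejected: malformed"
        try:
            user, amount = int(parts[2]), int(parts[3])
        except ValueError:
            return "rejected: malformed"
        if amount <= 0:
            return "rejected: bad amount"
        if parts[4] in self.seen_nonces:
            return "rejected: replay"
        # The check that actually matters: a valid signature only proves the web
        # tier sent this, so the debit is conditional on the balance the back-end sees.
        cur = self.db.execute(
            "UPDATE users SET balance = balance - ? WHERE id=? AND balance >= ?",
            (amount, user, amount),
        )
        self.db.commit()
        if cur.rowcount != 1:
            return "rejected: insufficient balance"
        self.seen_nonces.add(parts[4])
        return "ok"


if __name__ == "__main__":
    path = new_db()
    fe, be = FrontEnd(path), BackEnd(path)
    print("front-end can write balances:", fe.try_to_write(5, 10**6))
    msg, sig = fe.build_request("withdraw", 5, 500, "n1")
    print(be.process(msg, sig), "-> balance", fe.balance(5))
    print(be.process(msg.replace("/500/", "/5000/"), sig))  # altered in transit
    forged = "create/withdraw/5/5000/n2"                     # attacker holds the key
    print(be.process(forged, sign(forged)))
```

Two things are worth noticing. The front-end's balance pre-check is only a courtesy: the conditional UPDATE in the back-end is the enforced check, and it still holds for a request forged by someone who has taken the front-end's signing key, which is the scenario the quoted reply assumes (a compromised webserver). The signature therefore only authenticates the web tier; what limits the damage from a compromised web tier is the read-only role plus the back-end's own rules, so anything a real wallet server should refuse (withdrawal limits, destination allow-lists) belongs behind that second check, not in the web tier.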

full member
Activity: 168
Merit: 100
September 26, 2014, 07:38:43 AM
#32
If I wanted to I could have my computer running a VPS with 13 GB of RAM allotted and close all ports with outbound requests only. I could then use that virtual machine to run the wallets. No ports being forwarded or any direct communications from anything. The servers decide their job based off of the MySQL database they are connected to through a virtual network that is hub and spoke managed.

It's actually a little more complicated because if your webserver has access to the MySQL DB, then I could hypothetically just go and make changes in MySQL and take all your funds. You need to think how to ensure that even if I get access to the MySQL DB connected to the webserver, I shouldn't be able to cause any damage financially.
How could you make changes with a SQL user that has no write access to any of the finance tables nor any direct access to methods manipulating balances? If you were to read the description on the front page it clearly states that the SQL gives no permissions to the front-end except to view user information and to view balance information. It can submit a request to be processed by the back end server that is structured like
create/trade/5/1000/100/5 and is signed and encrypted. Even if you managed to figure out the signing and encryption the backend servers do another check to verify the trade is even allowed to be created.

The servers all are on a closed network with communication enabled ONLY to the SQL database. Each server has its own SQL user with its own permission.



To even prove that you lacked the true effort of reading here is an excerpt from the main page:

Code:
[The webserver must only be capable of reading information and relaying commands without having any
direct access or direct command of the wallets. Any transactions believed to be taking place on the website are
 in fact not taking place on the website. The users input is checked and their balances verified; Then the
system puts forth a structured request that is then processed by the Wallets server.]

Trust me I read, but the fact is that if there is no way to write something in a DB, then how will the user modify data? You cannot expect to provide manual intervention to each and every data entry. Again, if someone hacks the server, the purpose won't be to perform trades but to perform withdrawals. How have you designed your system so that you know for sure that the incoming request is true and is also automated? You don't need to tell everyone but you do need to think.

Also, for this argument, assume that I have hacked the webserver and I exactly know your DB username and password, and even if the DB server is on an internal network, I can still access it using the webserver's SSH. Moreover, most probably if I have SSH access to the webserver, I will exactly know your DB encryption passwords.
sr. member
Activity: 462
Merit: 250
September 26, 2014, 07:36:58 AM
#31
I'll never trust any online service be that a wallet and or an exchange.

All boast 100% secure and what not but this just goes to show again that if there is a will there is a way.



Agreed, how can you achieve "Security and control over your money" when you are trusting somebody else with it (Counter-party risk)?

I store most in my own wallet.
sr. member
Activity: 336
Merit: 251
September 26, 2014, 07:19:27 AM
#30
Somewhere in the near future.....

"The highest paying tech related job according to our latest survey is that of a Bitcoin Security Expert....."
newbie
Activity: 28
Merit: 0
September 26, 2014, 07:13:59 AM
#29
If I wanted to I could have my computer running a VPS with 13 GB of RAM allotted and close all ports with outbound requests only. I could then use that virtual machine to run the wallets. No ports being forwarded or any direct communications from anything. The servers decide their job based off of the MySQL database they are connected to through a virtual network that is hub and spoke managed.

It's actually a little more complicated because if your webserver has access to the MySQL DB, then I could hypothetically just go and make changes in MySQL and take all your funds. You need to think how to ensure that even if I get access to the MySQL DB connected to the webserver, I shouldn't be able to cause any damage financially.
How could you make changes with a SQL user that has no write access to any of the finance tables nor any direct access to methods manipulating balances? If you were to read the description on the front page it clearly states that the SQL gives no permissions to the front-end except to view user information and to view balance information. It can submit a request to be processed by the back end server that is structured like
create/trade/5/1000/100/5 and is signed and encrypted. Even if you managed to figure out the signing and encryption the backend servers do another check to verify the trade is even allowed to be created.

The servers all are on a closed network with communication enabled ONLY to the SQL database. Each server has its own SQL user with its own permission.



To even prove that you lacked the true effort of reading here is an excerpt from the main page:

Code:
[The webserver must only be capable of reading information and relaying commands without having any
direct access or direct command of the wallets. Any transactions believed to be taking place on the website are
 in fact not taking place on the website. The users input is checked and their balances verified; Then the
system puts forth a structured request that is then processed by the Wallets server.]



ANOTHER THING IS you can't just change a balance on this. If you change the balance on any transaction the system comes to a halt (because it detects that there is a discrepancy between the information inside the account balance and the signature for the transaction that has been changed). NOT ONLY does it know that it has been changed, but it knows what it was changed from. So through a type of persistence I can also keep transactions from being deleted.
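
The tamper detection this post describes (a signed transaction record that stops the system when a balance is edited, reports what it was changed from, and resists deletion), as an added example that is not part of the original post or of luapod's code. Each entry here carries a running balance, the hash of the previous entry and an HMAC over its own fields; the key, the field layout and the use of HMAC-SHA256 rather than whatever scheme luapod uses are assumptions.

```python
"""Added example, not luapod's code: a tamper-evident, hash-chained ledger.
An edited balance, a removed entry or a reordered entry shows up on
verification together with the value the chain implies the entry should hold."""
import hashlib
import hmac
import json

LEDGER_KEY = b"ledger-signing-key-entered-at-boot"  # assumed; the real one is typed in at boot
GENESIS = "0" * 64
FIELDS = ("seq", "user", "delta", "balance", "prev")


def canon(entry: dict) -> bytes:
    """Canonical bytes of the committed fields (everything except hash and sig)."""
    return json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True, separators=(",", ":")).encode()


def sign(data: bytes) -> str:
    return hmac.new(LEDGER_KEY, data, hashlib.sha256).hexdigest()


class Ledger:
    def __init__(self):
        self.entries = []
        self._balances = {}

    def append(self, user: int, delta: int) -> dict:
        """Record a signed movement of `delta` for `user`, chained to the previous entry."""
        balance = self._balances.get(user, 0) + delta
        if balance < 0:
            raise ValueError("insufficient balance")
        entry = {"seq": len(self.entries), "user": user, "delta": delta,
                 "balance": balance, "prev": self.head()}
        data = canon(entry)
        entry["hash"] = hashlib.sha256(data).hexdigest()
        entry["sig"] = sign(data)
        self.entries.append(entry)
        self._balances[user] = balance
        return entry

    def head(self) -> str:
        """Hash of the newest entry; the wallet server should keep this outside the DB."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None) -> list:
        """Walk the chain; return [] if intact, else one message per problem.
        Balances are recomputed from the deltas, so a tampered entry is reported
        with the value the chain says it should hold (what it was changed from)."""
        problems, prev, balances = [], GENESIS, {}
        for i, e in enumerate(self.entries):
            data = canon(e)
            h = hashlib.sha256(data).hexdigest()
            if e["seq"] != i or e["prev"] != prev:
                problems.append(f"seq {e['seq']}: chain break (an entry was removed, reordered or rewritten)")
            if h != e["hash"] or not hmac.compare_digest(sign(data), e["sig"]):
                problems.append(f"seq {e['seq']}: signature does not cover the stored fields")
            expected = balances.get(e["user"], 0) + e["delta"]
            if e["balance"] != expected:
                problems.append(f"seq {e['seq']}: balance {e['balance']} recorded but chain implies {expected}")
            balances[e["user"]] = expected
            prev = h  # chain on the recomputed hash so any edit propagates to the next entry
        if expected_head is not None and prev != expected_head:
            problems.append("head hash mismatch: tail entries truncated or rewritten")
        return problems


if __name__ == "__main__":
    led = Ledger()
    led.append(5, 1500)
    led.append(5, -500)
    led.append(7, 200)
    saved_head = led.head()
    led.entries[1]["balance"] = 999999  # attacker edits a balance in place
    for p in led.verify(expected_head=saved_head):
        print(p)
```

The chain by itself cannot tell that the newest entries were cut off, which is why verify() accepts the head hash the wallet server last saw; that value has to live somewhere the front-end's database user cannot write. And because anyone holding the signing key could rewrite the whole chain consistently, the scheme depends on the key staying off the web tier, which is what entering it at boot rather than storing it in the database is meant to achieve.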
newbie
Activity: 22
Merit: 0
September 26, 2014, 06:40:45 AM
#28
Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?

Yeah - they got 'hacked'.

True. It's hard to prove who hacked it and how, and you get all the money. Perfect plan with 100% profit.
full member
Activity: 168
Merit: 100
September 26, 2014, 06:00:02 AM
#27
If I wanted to I could have my computer running a VPS with 13 GB of ram aloted and close all ports with outbound requests only. I could then use that Virtual machine to run the wallets. No ports being forwarded or any direct communications from anything. The servers decide their job based off of the Mysql Database they are connected to through a virtual network that is hub and spoke managed.

Its actually a little more complicated because if your webserver has access to the MYSQL db, then I could hypothetically just go and make changes in Mysql and take all your funds. You need to think how to ensure that even if I get access to the Mysql DB connected to the webserver, I shouldn't be able to cause any damage financially.
newbie
Activity: 28
Merit: 0
September 26, 2014, 05:31:37 AM
#26
When the companies are supposed to store most of their funds in cold wallets, how is it possible that they lose so much in funds? Alternatively, if 107 BTC only accounts for, let's say, 3-5%, which might be kept in the hot wallet, then it shouldn't matter, as the company should be able to pay back their customers, if not instantly, then within some time from their operating income.

The fact however remains that if a webserver has access to the wallets, there is always a possibility of hacking. There is not much any of us can do as the hacks keep evolving, and if you don't know about a vulnerability, then there is not much you can do to prevent it. It's not like the crypto companies are as big as Google that they can be on top of everything. Thus, the only option is to sever the link between the webserver and the wallet server and still make them talk somehow. It's very difficult to do but possible.

YOU ARE EXACTLY RIGHT! The reason exchanges keep getting hacked is because their webservers have some sort of access to the MONEY. Take a look at luapod if this is your type of area. I have already completely separated the handling of users' money from the webserver. The webserver actually has no permission to handle anybody's money. It only builds and signs requests. EVEN though a request is signed that doesn't mean the backend server accepts it as true. The backend does its own check on the information. You can read up a little bit on how it works at the index page: http://luapod-web.cloudapp.net/index.lua



If I wanted to I could have my computer running a VPS with 13 GB of RAM allotted and close all ports with outbound requests only. I could then use that virtual machine to run the wallets. No ports being forwarded or any direct communications from anything. The servers decide their job based off of the MySQL database they are connected to through a virtual network that is hub and spoke managed.
legendary
Activity: 1621
Merit: 1000
news.8btc.com
September 26, 2014, 04:42:37 AM
#25
full member
Activity: 168
Merit: 100
September 26, 2014, 01:16:10 AM
#24

Well, as their website is offline, I can neither confirm nor deny my suspicion.

However, the general notion is that anyone willing to give you bitcoin interest for the privilege of holding onto your bitcoins (i.e. 'interest-bearing accounts') is likely engaging in partial reserve banking. IOW, they don't have all the bitcoins that clients have on deposit.....

I thought it was a service similar to BitPay for China, thus I highly doubt they are offering interest. It's not possible to give out interest unless the bitcoins are invested, which would completely defy the objective of a payment processor. If suddenly all the customers want their money back, the service provider would be screwed.
full member
Activity: 168
Merit: 100
September 26, 2014, 01:12:35 AM
#23
This is sad. But again, bitcoin should be placed offline, with Electrum.

The fact is that offline is not possible for service providers as the customers expect instant transfers which is not possible with offline. Thus a combination of Hot and Cold works.
mkc
hero member
Activity: 517
Merit: 501
September 26, 2014, 01:05:05 AM
#22
This is sad. But again, bitcoin should be placed offline, with Electrum.
legendary
Activity: 1621
Merit: 1000
news.8btc.com
September 25, 2014, 10:27:14 PM
#21
Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?

Yeah - they got 'hacked'.
I would agree with what you are implying. If an exchange is offering interest on bitcoin deposits then they are giving incentives for people to hold bitcoin at their exchange. They do this so when they eventually do run away with customer funds they have more money to run away with
BTCT is not an interest-bearing exchange. It's more like Taobao, allowing merchants to open shops and accept bitcoin as payment.
full member
Activity: 183
Merit: 100
September 25, 2014, 08:44:10 PM
#20
Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?

Yeah - they got 'hacked'.
I would agree with what you are implying. If an exchange is offering interest on bitcoin deposits then they are giving incentives for people to hold bitcoin at their exchange. They do this so when they eventually do run away with customer funds they have more money to run away with
legendary
Activity: 3038
Merit: 1660
lose: unfind ... loose: untight
September 25, 2014, 07:43:08 PM
#19
Any chance the Bash exploit was used here?

Who knows?

What is the more likely explanation?
legendary
Activity: 1862
Merit: 1011
Reverse engineer from time to time
September 25, 2014, 06:23:35 PM
#18
Any chance the Bash exploit was used here?
legendary
Activity: 1288
Merit: 1043
:^)
September 25, 2014, 06:18:19 PM
#17
It seems nothing is 100 % secure online today.

Nothing will ever be 100% secure, online or offline.


...and now their website is offline.

...aaaaand it's gone.



I'm missing Mark and MtGox dramas, sometimes.
legendary
Activity: 3038
Merit: 1660
lose: unfind ... loose: untight
September 25, 2014, 06:03:29 PM
#16
Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?

Yeah - they got 'hacked'.

What do you mean by 'attract deposits via interest-bearing accounts'? And how is that relevant to hacking? Please explain.

Well, as their website is offline, I can neither confirm nor deny my suspicion.

However, the general notion is that anyone willing to give you bitcoin interest for the privilege of holding onto your bitcoins (i.e. 'interest-bearing accounts') is likely engaging in partial reserve banking. IOW, they don't have all the bitcoins that clients have on deposit. They have skimmed - in order to pay the interest at minimum, but also as likely to line their own pockets. Where does that bitcoin-denominated interest come from? Other folks who think their bitcoins are held safely on their behalf.

Such a business, even if it is not lining the pockets of the owners, has a significant liquidity exposure. If anything goes astray, there is no way that such a business can repay each account holder all the bitcoins they think they own. And that's just if the business owners are not dipping into the till for their own personal gain.

But experience hath shewn that owners that operate fast and loose thusly are more often than not even more dishonest, stealing from depositors' funds.

Hence the 'hack' as opposed to the hack. The 'hack' is a time-tested tool in the bitcoin-scammers' toolbox. No _real_ hack, just a claim that the site was hacked. Allows them to run off with all the 'hacked' funds themselves.

It's a common pattern here in bitcoin-land.

It remains to be seen whether or not BTCT.com has stolen the funds or not. Heck, not knowing the details of the business, I may be way off on my suspicion. As I said, with their website drawing a 404...

In the meantime, it might be wise for all to consider the possibility that BTCT has indeed done so, and is using the 'hack' excuse to cover their tracks.

More importantly, it is wise for all to consider the fact that if you do not have sole control of your private keys, those bitcoin you think you own are as good as gone.
full member
Activity: 168
Merit: 100
September 25, 2014, 04:01:58 PM
#15
Crappy PHP website...

When will people learn to not have their wallets and trade engines on the exact same server as the customers' GUI?

Not
(user)----(whole business function server)

but it should be
(user)----(PHP echo/RUBY GUI server)-----(trade engine server)------(wallet server)

By having the important stuff on a separate server, DDoS attacks won't stunt functions of the engine or wallet functions, and you can even mirror the echo/GUI server if a DDoS occurs to keep connections active,
as well as allowing security precautions to be added at each server to triple secure the whole plan so that hackers can be spotted before getting to the wallet server.

Add a separate database server in the chain and it should become a perfect chain, and then add firewalls everywhere with a separate VPN connection to the head office.