Topic: Cryptsy was hacked - lost 13,000 BTC & 300,000 LTC (Read 2124 times)

Okay, It's been some time since I had to deal with coding of this tricky nature.  But I just now was able to present that snip to someone who codes extensively/daily for a living, and he confirmed what I said.  "Read and send" (NOT write!!!).  For those more familiar with linux, it's like a remote kind of 'cat' command.  It dumps text files to the screen or output pipe.  Presumably directory structure as well (if readable/owned by same user), as they're files too.  All this exploit would do is put a backdoor into the infected wallet client such that someone knowing the backdoor existed could start looking around on the hard drive of the infected client for files that were set readable by the same user account that was running the infected client.  

So on a multi-user system, this should not have happened as Cryptsy said -- unless cryptsy was doing some incredibly negligent stuff regarding their server allocation and file permissions thereon.  They would have had to have global read permissions set on all their wallet files, either at the system or group level.  OR, they were running all the clients (including the bitcoin client) under the same username/account -- which then gave each and every one of the clients the ability to read the files created by all of them.  Again -- INCREDIBLY irresponsible, and unbelievable.  And it still doesn't explain why they'd be running them on the same physical or virtual machine that had wallet files containing keys protecting access to $6.6+million dollars (price of btc on the date of the alleged hack was ~$582).

This would have been a firing offense for anyone at any modern corporation.  I can assure you.  And anyone who has real-world experience would know better than to have made the mistakes that would have had to have been made if Cryptsy's account is true.

If you had $6.6 million sitting in a wallet.dat file on a computer, would you download strange unknown executables onto that same machine and run them?  Give me a break...

so, we r loss all altcoin in cryptsy.com??

 

Yes, I'd like to take the loss due to your incompetence on me, no problem. Your dishonesty doesn't matter, it's more important that your company will survive and you will make money 

I think you're jumping to conclusions that Cryptsy was run by experts who implemented proper security protocols.  If Cryptsy ignored basic security and ran the daemon as root, then the hardest part of the hack would have been convincing Cryptsy to install the client.  As epinnoia said, if you did nothing else other than run each daemon as a separate unprivileged user, then there would have to be an OS level exploit to access other users' files.  Not only is such an exploit exponentially harder to find, the same exploit would affect anyone running the OS, leaving it unlikely that the bug would not have already been detected and patched ages ago.

This code is generic enough to alllow everything from uploading a webshell, to running a local kernel exploit to elevate privs.

Think about it like this: In Unix/Linux ANYTHING is a file.

https://bitcointalksearch.org/topic/m.10259625


Without more familiarity with the code, my reading of this code is that it would, at most, have allowed the hacker to push the contents of some file (ONLY if said file/directory is set readable by the username executing the irc server and/or infected client program!) back to the person (and others) who put it in place. In short, it would explain how an attacker could pull a wallet.dat file off of an infected machine (which, assuming the wallet was password protected/hashed, would make the brute-force much MUCH easier). But it doesn't explain why the IRC server or wallet client progrm was running on a server which also had the filled wallet.dat files!!!!   And it sure as hell wouldn't explain the stupidity of running an irc server or infected client as root or however else we're expected to believe this happened.

Furthermore, it wouldn't grant more access to the user running the irc server or infected client than he had been given by root. And if the wallets were not owned and not readable at the OS level by the user account running the irc server or infected client, then this little exploit would NOT be able to read the wallet.dat file!!  The OS itself would have blocked it!!  Each and every coin's client, as well as the irc server itself, should have been running under its own separate username account that ONLY had, at most, access to an empty wallet file owned (so far as the OS is concerned) by that same username account.  User Bitcoin (or something appropriate) should have been running the bitcoin client, with another user like user Litecoin running the Litecoin client, etc., etc.  This would have limited the reach of any infected clients.  A separate or virtual machine for each coin would have been even better!

Are we really expected to believe that Cryptsy had a wallet.dat file with pub/priv keys that controlled $4mil or so on the same physical machine as one running an infected Lucky7coin client?  Sorry.  That's gross negligence if true.  And I for one do not believe it for a second.

Looks like someone took the gox script and made very tiny edits to the facts.  We have someone of a privileged position coming in through a hidden back door.  We have coins sitting without being accessed.

Do we also have creditors that needed paid first?  Employees that needed paid?  Credit lines that were extended when there was no competition, which never should have been extended?

How is this NOT a cryptocoin shakedown?  Give us ~$4million, or Cryptsy dies...

We deserve to see Cryptsy's books... Perhaps in a court of law.  Were they operating profitably these past years?  Or were they enriching themselves off of funds that were meant to be deposits?

Put more simply:  How do we know that isn't a little after-prison nest egg put there by someone inside Cryptsy?  I'm not seeing the PROOF of Lucky7coin's involvement.  For all I know, they concocted that proof because they know the creator of Lucky7coin died in a car crash recently.  I'm not saying he did die in a car crash...but only that they may have another reason for choosing him to be the fallguy.  But they'd be in a better position to know his identity than most anyone else.  And just WHY have they not released his name?  Do they REALLY think he'll be more likely to return the coins if they don't reveal his identity?  Or are they just SAYING that?

Has Cryptsy fired anyone over this?  Or was there conveniently no point?  SMH  Not even the idiot who would have had to put the cold storage coins onto the same machine as an IRC server for this to have happened?

Maybe Cryptsy felt they weren't getting enough from those they are laundering for?  And this is a way to put the squeeze to them...

A blog without any incriminating time-stamps....  I wonder if they let archive.org hit that blog? (re: http://blog.cryptsy.com/ )

What were they intending to do for this period of time that has passed since they discovered the loss of coins?  I think they said a year and a half.

Were they planning for a year and a half on eating the loss from their future profits?

And now they realize suddenly that they CAN'T?!!!?!!!?

They were letting people pay bitcoin to temp ban others in chat!  THe more you paid, the longer the ban!

That screams they're hemmoraging money!!

``I'd love for them to point to the timestamped github repo for the coin and say lines XXX-YYY is the malicious code, and here's what makes it malicious.``

Not my words, so I will put them in quotes.  If he wants to claim them, he's welcome to.  But I agree.  I want to see this little bot that goes in and drains wallets like they said.  I want to see how they hooked this irc bot into the lucky7coin client, as they claim.  Because what I do find in that blog is remarkably free of what I would consider proof positive.  It's an accusation and a wallet address with a LOT of coins in it.

I have some history of compiling IRC servers and playing around with IRC bots in the early 90s.  And this sounds rather far-fetched to me.  And more importantly, he has to know he has not given us PROOF -- proof that it happened AS HE CLAIMS.  And what one calls a malicious bot, another calls a hole in the irc server.  He seems with that blog post to be insisting that his irc server just couldn't have been to blame...  pffftt...  What version of the IRC server were they running at the time, and how obsolete was it at the time?  If it looks like a smokescreen, it may well be...

And that's another reason why bitcoin is failing.
Just sell now and cut ur losses dude.

The hack was bad and the cover up just makes it worse.  I'm not even sure this is really all there is to it.

I'm starting to worry that alt coin exchanges are only one step away from cloud mining services - they may be legitimate, but no way to tell for sure that they are.

Condolences to everyone who lost coins on this one.

I think I found the stolen LTC tx: (247,501 LTC)
http://explorer.litecoin.net/tx/61e61a63f35c951a16870df9e0a34df462ee473fde819d134da9485d2e7d8f44

Literally 3 minutes after the BTC tx Vern posted...

I also believe this to be Dash/DRK stolen 4 hours later: (456,501 Dash)
https://chainz.cryptoid.info/dash/block.dws?110242.htm

Both addresses were storing coins in 10k, 25k, 50k units, and both were started with a single 1 unit coin:
2014-05-20 05:44:45   + 1.0 LTC
2014-05-25 20:55:13   + 1.0 DASH

oh my god  13,000 and 300,000 LTC
sorry cryptsy i heard it  im only have 0.1 on there

Wrong or exaggerated simplyfied. It does take years of experience and dedication not to take any shortcuts.

Also we are talking (or should be talking) about dozens of systems and services that need to be firewalled, segregated, sandboxed, pentested, updated and monitored. This is a job for experts and should be done internally and externally in regular intervals.

The avenue of attack was not especially sophisticated or unique, and it could have been easily prevented with security precautions commonly employed by all server admins.  While I will never store large amounts of money in an exchange, I find it hard to believe that most exchanges are that vulnerable.  While no server is ever completely immune to hacking, it doesn't take much knowledge to secure a server.

As a normal user, we would't know that. Until now i know nearly all of the exchanages got hacked at different extent.Some cant survive and collapse. We shouldn't trust these exchanges with our money.

Maybe this will explain something or nothing---@ https://github.com/alerj78/lucky7coin/issues/1
You be the JUDGE!!

Looks like as I predicted on November 14, Deathpixie was real.  http://forums.prohashing.com/viewtopic.php?f=11&t=655

That was the same thought I had.  This screams incompetence.  They ignored three basic security protocols in setting up a secure daemon server:

• Sandbox each coin daemon to prevent it from accessing any other files
• Encrypt wallets so that even if the server is compromised, the wallet.dat is useless
• Store the cold wallets on a different machine

I already knew they couldn't maintain a daemon server since they always had about 20 coins in "maintenance" and never fixed any of them, but now this proves that they had no clue even how to secure it.  At the Prohashing mining pool, we run over 150 coin daemons each as a separate user and restrict each one so that they cannot access any files other than their own.  Even if we ever accidentally installed such a trojan, it could not gain access to the wallets of any other coins.  Even if a bug in Debian allowed users to access others' files, the wallets are locked with the keys stored on a separate server.  And they never could access our cold wallet because that is on a flash drive that is never connected to any PC.

We got out in November when we saw the cracks forming.  I wish the best of luck for others to retrieve their funds.  I wish the employees the best in finding new jobs, but at the same time I am glad that I do not have to deal with their customer support any longer.

How the hell did a Trojan steal from their cold wallets??

I just can't believe they did not disclose it as soon as they were aware of the losses.

Do you have any information on "Vern"? Even his personal email or full name would be sufficient. I'd like to see what I can find on this guy and hopefully do something in the case that it actually was an inside job (Most likely was, if you have over 5 million in a wallet then you would obviously pay quite a bit for your site to be fully secured and safe from hacks)
If you do have any information on the guy could you please PM me with it, I'd like to attempt to dox this guy.