Pages:
Author

Topic: I suspect GPUMax was compromised and passwords stolen - page 2. (Read 6407 times)

vip
Activity: 574
Merit: 500
Don't send me a pm unless you gpg encrypt it.
How many of those users had bitcoinica accounts?
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.
Several ways. Yubikey is my personal favorite, but here is a bunch of links:

http://yubico.com/ <-- The makers of the Yubikey
http://www.symantec.com/verisign/vip-authentication-service <-- paid service that PayPal and many others use for authentication. Yubico makes a credential that is compatible with this service as well.
http://onlinenoram.gemalto.com/ <-- TOTP token that AWS uses for authentication, made by Gemalto. This is a dedicated device that can do the same thing as Google Auth, without the phone.
http://motp.sourceforge.net/#7 <-- links to lots of tokens and related software.
https://lastpass.com/ <-- password storage software that works on almost any platform and almost any browser, and that can use 2-factor auth for logging in.
sr. member
Activity: 462
Merit: 250
I heart thebaron
Im sure he also asked if they had other accounts besides GPUmax. From what I see he did nothing wrong. He even tried contacting pirate, when he got no response he gave a warning to the community.

I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.

I dont remember where I saw the link but recently nefario posted a link to google auth desktop version.

No, the right thing would have been to tell people to check their passwords and not blindly tell them (as I quoted above) that GPUMAX was to blame for this.
REF
hero member
Activity: 529
Merit: 500
Im sure he also asked if they had other accounts besides GPUmax. From what I see he did nothing wrong. He even tried contacting pirate, when he got no response he gave a warning to the community.

I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.

I dont remember where I saw the link but recently nefario posted a link to google auth desktop version.
donator
Activity: 2772
Merit: 1019
If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.

nefario. this is great, so your effort already payed off. congrats!
sr. member
Activity: 462
Merit: 250
I heart thebaron
The common theme between them is that both users had GPUMax accounts, with passwords that were either the same (as the GLBSE accounts password) or similar.

That is some fine deductive reasoning....completely obvious if you ask me, ALTHOUGH, before pointing your finger, couldn't you have put another 2 minutes of Detective work into formulating your conclusion for all of this ?

Perhaps in common, they also had BTC-E accounts ? BitcoinTalk.org accounts ? Common Email providers ? .....used a wallet address as a password ?


If you have a GPUMax account it is highly likely that it's password has somehow been compromised.
Obviously....

If you use the same or a similar password elsewhere (GLBSE, MtGox, Email whatever) please change them now.
This smells too much like a weakness on YOUR end and an attempt to cover tracks by asking people to change passwords.


If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.
Over 3 ? .....as in, 4 accounts ?

This entire thread is horse shit.

Considering the growing pains that the GLBSE has gone through, you should be the last one to point fingers at anyone else.



PS. WTF does this have to do with 'Project Development' ?
hero member
Activity: 614
Merit: 500
I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.
legendary
Activity: 2618
Merit: 1007
The killer service that everyone wants and that highly recommends/nearly requires 2 factor auth is for example World of Warcraft + Diablo III.

Even my web banking account doesn't force me to do 2 factor auth... People are just too lazy/stupid for that. Facebook, Google - you name it, they offer 2FA! I have yet to actually see anyone reaching for their mobile phone though when going on FB or gmail.

Back to topic:
What leads to GPUMax just from a handful of GLBSE accounts being emptied? What about other potential big account pools like deepbit?
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Question: when is someone going to invent a be-all, end-all service that is totally full of awesome and win, and then decide to force all users to use a proper 2-factor authentication system? It needs to happen, and the day it does happen is the day many people realize that it really isn't as hard as they thought, and increase their security awareness accordingly. People are stupid, so they need to be forced to make the right choices, and not conditioned to believe that what happens now is "good enough".
donator
Activity: 1218
Merit: 1079
Gerald Davis
You really think bcrypt makes a difference when users use the same password all over the place?
And no, bcrypt is not "the only secure method."  There is no secure method.  That kind of thinking leads to compromised applications and systems.

Of course it does.  If ever site properly protected their password list it would have no value.
As far as bcrypt is not secure please explain to me how you would brute force an 8 digit bcrypt (work=12) password?

Pretty simple to keep passwords secure.
a) use bcrypt (period, unless you have a degree in cryptography anything scheme you can "think" of likely has a couple dozen flaws which are already solved by bcrypt)*
b) require 8 digit password
c) check passwords against "common password list"
d) periodically update the worklevel of bcrypt to keep up with Moore's law


* an alternative to bcrypt are PBKDF2 (Password-Based Key Derivation Function) and scrypt.  Unless you have a pressing reason I would still recommend bcrypt.  scrypt is relatively untested and PBKDF2 uses at its heart SHA-2 which we all know is masively parallelizable.
newbie
Activity: 20
Merit: 0
In the last 24 hours there have been two GLBSE accounts (that I know of) that have been cleared out.

The common theme between them is that both users had GPUMax accounts, with passwords that were either the same (as the GLBSE accounts password) or similar.

I emailed the GPUMax website yesterday (the email in their whois records as there isn't anything on the site) to inform them of this.

Since I've not seen any notice regarding GPUMax I feel that it is my responsibility to bring this to public attention.

If you have a GPUMax account it is highly likely that it's password has somehow been compromised.

If you use the same or a similar password elsewhere (GLBSE, MtGox, Email whatever) please change them now.

If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.

Nefario.
How do you know it wasn't the GLBSE database that was compromised? Or some third party website? No offence Nefario but you're really jumping to conclusions here
donator
Activity: 1218
Merit: 1079
Gerald Davis
Also regarding hashing and salting passwords, the only secure method is to use BCrypt with a sufficient number of rounds.

Yeah I am getting tired of this never ending stream of Bitcoin sites claiming they stored passwords properly yet users should change their passwords because their password db was stolen.

If you properly protect your password db and set realistic min password lengths then it shouldn't matter if you are compromised.  The salted passwords are worthless.
hero member
Activity: 560
Merit: 501
For the record, did you suspend withdrawals or is it just the hot wallet that's empty? I did a withdrawal (legit, 2-factor'd) but it's not on the blockchain or in my history. It's deducted from my account though. I sent an email to support before I knew about the stolen password issue.
It usually takes a while.
hero member
Activity: 714
Merit: 504
^SEM img of Si wafer edge, scanned 2012-3-12.
For the record, did you suspend withdrawals or is it just the hot wallet that's empty? I did a withdrawal (legit, 2-factor'd) but it's not on the blockchain or in my history. It's deducted from my account though. I sent an email to support before I knew about the stolen password issue.
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
Also regarding hashing and salting passwords, the only secure method is to use BCrypt with a sufficient number of rounds.

MD5, SHA256 (or whatever) hashed hundreds of times simply isn't enough(all these hashing also's were meant to be fast), it also depends on what code you are using for this.

Is it a tried and tested library you're using or did you write your own crypto code?

If it's not BCrypt and a well used library you're using then it's certainly not secure, the latest crypto-methods are not the best, the ones that are tried and tested are(think AES, RSA, and in this case BCrypt).
legendary
Activity: 1358
Merit: 1002
Confirmed, found your email in spam.  Don't know how you got there but I'm sorry about jumping the gun.

 

Spam filters have the terrible habit of sending to spam any email that mentions the word "password" in them
And the subject line being "your site may have been compromised" also helped lol
sr. member
Activity: 378
Merit: 250
"Yes I am a pirate, 200 years too late."
Confirmed, found your email in spam.  Don't know how you got there but I'm sorry about jumping the gun.

 
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
What kind of anti-bot protections does GPUMAX have to prevent automated password retries, if any?
hero member
Activity: 560
Merit: 501
I'll give Dr. Nefario the win for this round.

Round two... fight!
hero member
Activity: 602
Merit: 513
GLBSE Support [email protected]
We have a lot of users and I guess since your users have a GPUMAX account with the "same" password it must have been us that leaked them.  If users are using the same password on GLBSE and GPUMAX, you can be pretty sure they're using the same password for other sites as well.

Our users information is hashed and salted using the latest cryptography methods available.  I can assure you, we didn't leak anything.  

On a side note, considering you know who runs GPUMAX, you could have easily sent me PM before spreading more FUD in the market.

Edit:  Our whois lists [email protected] which shows nothing from you or anything related to security.

-pirate

Quote
Message-ID: <[email protected]>
Date: Thu, 31 May 2012 16:18:54 +0100
From: Doctor Nefario <[email protected]>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0
MIME-Version: 1.0
To: [email protected]
Subject: your site may have been compromised
X-Enigmail-Version: 1.3.4
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

There is a high chance that gpumax.com, or the database with users
passwords have been compromised.

A GLBSE use has had their account logged into and cleared out, they were
using the same login details they use for GPUMax.

Thought you should know.

Nefario


I was not aware GPUMax was run by you, I've had no interest use or need of the service and still don't, I'm only reporting the information I have available.
Pages:
Jump to: