
Topic: ** BITVEGAS HACKED ** (Read 2669 times)

full member
Activity: 238
Merit: 100
KUPO!
September 08, 2013, 06:20:08 PM
#23

pretty funny stuff :P

maybe it's time to start listening to your staff? and updating a little sooner ;)
sr. member
Activity: 252
Merit: 250
hero member
Activity: 672
Merit: 500
September 07, 2013, 09:40:09 AM
#21
I don't think a 'booby trap' is necessary, that seems a bit too much. A simple login system could have prevented this.

Well, in hindsight preventing any hack is simple. But game engines usually show hundreds or thousands of cases of undesired behavior. IIRC a lot of public Minecraft servers have given up on trying to secure anything but identification -- with varying results -- and fight cheaters using booby traps and manual bans.

I admit I don't know how much money clients of BitVegas put in. But if it is to become anything like other gambling places the problem becomes incomparably harder than keeping "normal" Minecraft servers safe.

Minecraft servers have been repeatedly hacked and exploited in the most ridiculous manners, with no money involved, just for the lulz. It was clearly not designed with security in mind -- if BitVegas becomes successful, it also becomes the premier target of all future Minecraft hacks. As soon as there's enough money around there will be no warning period, all "zero day" exploits would strike BitVegas first.

Oh well, I guess I'm getting a bit off topic here. Anyway, good luck with keeping things safe.

Yes, this is quite worrisome. I have a small server myself which stores BTC, and the problem is with hosting it on Minecraft, you have no control over the updates, and possible bugs or exploits that come with it. But if secured well I assume it wouldn't happen again. Bitvegas wouldn't be the same if it was a website, what makes it unique is that it is a casino in Minecraft.
legendary
Activity: 1036
Merit: 1002
September 07, 2013, 09:35:57 AM
#20
I don't think a 'booby trap' is necessary, that seems a bit too much. A simple login system could have prevented this.

Well, in hindsight preventing any hack is simple. But game engines usually show hundreds or thousands of cases of undesired behavior. IIRC a lot of public Minecraft servers have given up on trying to secure anything but identification -- with varying results -- and fight cheaters using booby traps and manual bans.

I admit I don't know how much money clients of BitVegas put in. But if it is to become anything like other gambling places the problem becomes incomparably harder than keeping "normal" Minecraft servers safe.

Minecraft servers have been repeatedly hacked and exploited in the most ridiculous manners, with no money involved, just for the lulz. It was clearly not designed with security in mind -- if BitVegas becomes successful, it also becomes the premier target of all future Minecraft hacks. As soon as there's enough money around there will be no warning period, all "zero day" exploits would strike BitVegas first.

Oh well, I guess I'm getting a bit off topic here. Anyway, good luck with keeping things safe.
hero member
Activity: 672
Merit: 500
September 07, 2013, 09:16:19 AM
#19
Yes. All money will be refunded. We have 100% accurate logs of all BTC lost. No players will be affected by this and the casino will take the loss.

Yep, that's the right step to take.

I'd really recommend to at least modify the login or command-giving process of admins to include a booby trap. If admin commands are normally input in a weird manner, a hacker who tries normal methods would trigger the trap. The server would then shut down immediately and wait for an admin with local or SSH access. (This may or may not have prevented this incident depending on when the hacker logged in as an admin, not just as users withdrawing their "own" funds. But at least then he would've been stopped.)

Of course, this would still be security by obscurity. The professional solution is a back-end that executes withdrawals, so that a game engine cannot just dump all user wallets or things like that. But anything that makes a hacker's life harder is a good start.

I don't think a 'booby trap' is necessary, that seems a bit too much. A simple login system could have prevented this.
legendary
Activity: 1036
Merit: 1002
September 07, 2013, 09:06:06 AM
#18
Yes. All money will be refunded. We have 100% accurate logs of all BTC lost. No players will be affected by this and the casino will take the loss.

Yep, that's the right step to take.

I'd really recommend to at least modify the login or command-giving process of admins to include a booby trap. If admin commands are normally input in a weird manner, a hacker who tries normal methods would trigger the trap. The server would then shut down immediately and wait for an admin with local or SSH access. (This may or may not have prevented this incident depending on when the hacker logged in as an admin, not just as users withdrawing their "own" funds. But at least then he would've been stopped.)

Of course, this would still be security by obscurity. The professional solution is a back-end that executes withdrawals from a more secure interface, so that the game engine cannot just dump all user wallets or things like that. But anything that makes a hacker's life harder is a good start.
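
The back-end with sanity checks and a trip wire that the posts above call for, as an added example that is not part of the original thread or BitVegas's own code; the class name, the limits and the sample accounts are assumptions made for illustration.

```python
from dataclasses import dataclass, field

BTC = 100_000_000  # satoshis per BTC; integer amounts avoid float rounding


@dataclass
class WithdrawalBackend:
    """Hypothetical back-end: owns the ledger and the payout queue.
    The game server may only call request(); it never sees keys or wallets."""
    balances: dict                       # player -> satoshis
    per_request_cap: int = BTC // 10     # assumed policy value
    window_cap: int = BTC // 4           # assumed max total outflow per window
    window_seconds: int = 3600
    halted: bool = False
    recent: list = field(default_factory=list)   # (timestamp, amount) paid out
    queue: list = field(default_factory=list)    # approved payouts for the signer

    def request(self, player, amount, now):
        if self.halted:
            return "halted"
        # Sanity checks on the single request.
        if amount <= 0 or amount > self.balances.get(player, 0):
            return "rejected: balance"
        if amount > self.per_request_cap:
            return "rejected: cap"
        # Trip wire on aggregate outflow: a drain looks like many valid requests.
        self.recent = [(t, a) for t, a in self.recent if now - t < self.window_seconds]
        if sum(a for _, a in self.recent) + amount > self.window_cap:
            self.halted = True           # stays down until an operator resets it
            return "halted"
        self.balances[player] -= amount
        self.recent.append((now, amount))
        self.queue.append((player, amount))
        return "queued"


def simulate_drain():
    """Constructed scenario: the game server is compromised and asks to
    withdraw every account, first in full, then in cap-sized pieces."""
    players = ["alice", "bob", "carol", "dave"]   # constructed sample accounts
    backend = WithdrawalBackend({p: 3 * BTC // 10 for p in players})
    full = [backend.request(p, 3 * BTC // 10, now=0) for p in players]
    pieces = [backend.request(p, BTC // 10, now=i + 1) for i, p in enumerate(players)]
    paid = sum(a for _, a in backend.queue)
    return full, pieces, paid, backend


if __name__ == "__main__":
    full, pieces, paid, backend = simulate_drain()
    print(full, pieces, paid / BTC, backend.halted)
```

With these limits the simulated drain pays out 0.2 BTC of the 1.2 BTC held before the back-end halts, and the halt persists until an operator clears it outside the game server.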
sr. member
Activity: 252
Merit: 250
September 07, 2013, 08:57:38 AM
#17
Sorry, but... the images in the OP are hilarious. ;D

Direct management of BTC using Craftbukkit, with no back-end system that has sanity checks or at least a booby trap? And then not reacting to a known fatal security hole?

I'll be frank, that's asking for it and should be treated equivalent to the owners stealing the money. (Those cases are indistinguishable anyway since an admin could have pretended to be the hacker.)

Yes. All money will be refunded. We have 100% accurate logs of all BTC lost. No players will be affected by this and the casino will take the loss.
hero member
Activity: 672
Merit: 500
September 07, 2013, 08:55:32 AM
#16
Sorry, but... the images in the OP are hilarious. ;D

Direct management of BTC using Craftbukkit, with no back-end system that has sanity checks or at least a booby trap? And then not reacting to a known fatal security hole?

I'll be frank, that's asking for it and should be treated equivalent to the owners stealing the money. (Those cases are indistinguishable anyway since an admin could have pretended to be the hacker.)

Well, there is no money being stolen by the owner right now, from what I've heard, everything will be reimbursed.
legendary
Activity: 1036
Merit: 1002
September 07, 2013, 08:47:33 AM
#15
Sorry, but... the images in the OP are hilarious. ;D

Direct management of BTC using Craftbukkit, with no back-end system that has sanity checks or at least a booby trap? And then not reacting to a known fatal security hole?

I'll be frank, that's asking for it and should be treated equivalent to the owners stealing the money. (Those cases are indistinguishable anyway since an admin could have pretended to be the hacker.)
sr. member
Activity: 252
Merit: 250
September 07, 2013, 08:01:45 AM
#14
I am looking into this now!
full member
Activity: 141
Merit: 100
September 07, 2013, 06:38:49 AM
#13
Hey there everyone. I'm staff on BitVegas (my username there is The_Untitled1).

As of yet, we're not sure exactly how we're going to handle the situation. All we currently know is that Murderscene's account was hacked, all accounts are drained (mine included, though I only lost about 0.038 mBTC) and Level 6 was screwed up with World Edit.

The reason this most likely happened is the fact that Murder just did not update. We staff have not had contact with him for about 3 weeks (this is the third time this has happened in my time staffing BitVegas), and as such we could not update or release Poker. He's been seemingly ignoring PMs, and is always on Do Not Disturb on Skype. We cannot contact him. This may have led to security issues which enabled the attack, but it's too early to tell.

All I can say is: bear with us. Me and the other staff are going to send a lot of messages to Murderscene and HOPEFULLY we'll be able to reimburse everyone; but once again: it is too early to tell.

Murderscene hasn't been hacked. It's a simple exploit, nowhere near close to hacking. This could have all been prevented so easily. A casino that handles money in a game where you have no control over the updates of, you should at least take proper security measures.

Thanks for clarifying.

I'm well aware we should take proper security measures, but we as staff only have access to certain things. At the core of BitVegas is Murderscene, whether we like it or not.

We have been sending him messages for weeks now begging him to update but he has not responded, which is why this happened. We have wanted to update a long time ago, and had we done so this could have been prevented.

I've shut the server down via MCMyAdmin until further notice. We (staff) are all sending Murder messages in every way we know possible, through Skype, Bitcointalk and Reddit. Until he responds, the server remains shut off.

Furthermore, if anyone would like to report something to me which might help us figure out the scale of the attack, or just wants to talk to me about the situation, add me on Skype. My username is: The_Untitled1-BitVegas

I know it's not the staffs' vault. I'm just very disappointed at how poorly Murder protected/secured the server, and the lack of communication is worrisome too.

I hear you. It's been incredibly frustrating for us to not have any contact with him for so long.
hero member
Activity: 672
Merit: 500
September 07, 2013, 06:37:23 AM
#12
Hey there everyone. I'm staff on BitVegas (my username there is The_Untitled1).

As of yet, we're not sure exactly how we're going to handle the situation. All we currently know is that Murderscene's account was hacked, all accounts are drained (mine included, though I only lost about 0.038 mBTC) and Level 6 was screwed up with World Edit.

The reason this most likely happened is the fact that Murder just did not update. We staff have not had contact with him for about 3 weeks (this is the third time this has happened in my time staffing BitVegas), and as such we could not update or release Poker. He's been seemingly ignoring PMs, and is always on Do Not Disturb on Skype. We cannot contact him. This may have led to security issues which enabled the attack, but it's too early to tell.

All I can say is: bear with us. Me and the other staff are going to send a lot of messages to Murderscene and HOPEFULLY we'll be able to reimburse everyone; but once again: it is too early to tell.

Murderscene hasn't been hacked. It's a simple exploit, nowhere near close to hacking. This could have all been prevented so easily. A casino that handles money in a game where you have no control over the updates of, you should at least take proper security measures.

Thanks for clarifying.

I'm well aware we should take proper security measures, but we as staff only have access to certain things. At the core of BitVegas is Murderscene, whether we like it or not.

We have been sending him messages for weeks now begging him to update but he has not responded, which is why this happened. We have wanted to update a long time ago, and had we done so this could have been prevented.

I've shut the server down via MCMyAdmin until further notice. We (staff) are all sending Murder messages in every way we know possible, through Skype, Bitcointalk and Reddit. Until he responds, the server remains shut off.

Furthermore, if anyone would like to report something to me which might help us figure out the scale of the attack, or just wants to talk to me about the situation, add me on Skype. My username is: The_Untitled1-BitVegas

I know it's not the staffs' fault. I'm just very disappointed at how poorly Murder protected/secured the server, and the lack of communication is worrisome too.
full member
Activity: 141
Merit: 100
September 07, 2013, 06:31:41 AM
#11
Hey there everyone. I'm staff on BitVegas (my username there is The_Untitled1).

As of yet, we're not sure exactly how we're going to handle the situation. All we currently know is that Murderscene's account was hacked, all accounts are drained (mine included, though I only lost about 0.038 mBTC) and Level 6 was screwed up with World Edit.

The reason this most likely happened is the fact that Murder just did not update. We staff have not had contact with him for about 3 weeks (this is the third time this has happened in my time staffing BitVegas), and as such we could not update or release Poker. He's been seemingly ignoring PMs, and is always on Do Not Disturb on Skype. We cannot contact him. This may have led to security issues which enabled the attack, but it's too early to tell.

All I can say is: bear with us. Me and the other staff are going to send a lot of messages to Murderscene and HOPEFULLY we'll be able to reimburse everyone; but once again: it is too early to tell.

Murderscene hasn't been hacked. It's a simple exploit, nowhere near close to hacking. This could have all been prevented so easily. A casino that handles money in a game where you have no control over the updates of, you should at least take proper security measures.

Thanks for clarifying.

I'm well aware we should take proper security measures, but we as staff only have access to certain things. At the core of BitVegas is Murderscene, whether we like it or not.

We have been sending him messages for weeks now begging him to update but he has not responded, which is why this happened. We have wanted to update a long time ago, and had we done so this could have been prevented.

I've shut the server down via MCMyAdmin until further notice. We (staff) are all sending Murder messages in every way we know possible, through Skype, Bitcointalk and Reddit. Until he responds, the server remains shut off.

Furthermore, if anyone would like to report something to me which might help us figure out the scale of the attack, or just wants to talk to me about the situation, add me on Skype. My username is: The_Untitled1-BitVegas
hero member
Activity: 672
Merit: 500
September 07, 2013, 06:23:12 AM
#10
Hey there everyone. I'm staff on BitVegas (my username there is The_Untitled1).

As of yet, we're not sure exactly how we're going to handle the situation. All we currently know is that Murderscene's account was hacked, all accounts are drained (mine included, though I only lost about 0.038 mBTC) and Level 6 was screwed up with World Edit.

The reason this most likely happened is the fact that Murder just did not update. We staff have not had contact with him for about 3 weeks (this is the third time this has happened in my time staffing BitVegas), and as such we could not update or release Poker. He's been seemingly ignoring PMs, and is always on Do Not Disturb on Skype. We cannot contact him. This may have led to security issues which enabled the attack, but it's too early to tell.

All I can say is: bear with us. Me and the other staff are going to send a lot of messages to Murderscene and HOPEFULLY we'll be able to reimburse everyone; but once again: it is too early to tell.

Murderscene hasn't been hacked. It's a simple exploit, nowhere near close to hacking. This could have all been prevented so easily. A casino that handles money in a game where you have no control over the updates of, you should at least take proper security measures.
full member
Activity: 141
Merit: 100
September 07, 2013, 06:08:55 AM
#9
I know MurderScene has an account on Bitcointalk. It would be nice to have at least an acknowledgement from him regarding the hack.

I have tried looking up murderscene on here, but couldn't find his username... If anyone has his email or username plz let me know!

Murderscene's username on Bitcointalk is BitVegas.
full member
Activity: 141
Merit: 100
September 07, 2013, 06:07:23 AM
#8
Hey there everyone. I'm staff on BitVegas (my username there is The_Untitled1).

As of yet, we're not sure exactly how we're going to handle the situation. All we currently know is that Murderscene's account was hacked, all accounts are drained (mine included, though I only lost about 0.038 mBTC) and Level 6 was screwed up with World Edit.

The reason this most likely happened is the fact that Murder just did not update. We staff have not had contact with him for about 3 weeks (this is the third time this has happened in my time staffing BitVegas), and as such we could not update or release Poker. He's been seemingly ignoring PMs, and is always on Do Not Disturb on Skype. We cannot contact him. This may have led to security issues which enabled the attack, but it's too early to tell.

All I can say is: bear with us. Me and the other staff are going to send a lot of messages to Murderscene and HOPEFULLY we'll be able to reimburse everyone; but once again: it is too early to tell.
hero member
Activity: 672
Merit: 500
September 07, 2013, 05:31:04 AM
#7
What the hell? He deals with real money but hasn't updated craftbukkit/spigot properly? There was a major exploit where anyone could log in without their name being verified, it was spread everywhere fairly quickly and solved, but in cases where real money is being dealt with you should be so extremely careful like this, or at least protect the admin account with a password? This is really a poor job on protecting the server, and I hope he has backups, or can see the logs to give the balances back.
legendary
Activity: 1092
Merit: 1000
nahtnam.com
September 06, 2013, 10:08:49 PM
#5
I know MurderScene has an account on Bitcointalk. It would be nice to have at least an acknowledgement from him regarding the hack.

I have tried looking up murderscene on here, but couldn't find his username... If anyone has his email or username plz let me know!
newbie
Activity: 8
Merit: 0
September 06, 2013, 10:04:48 PM
#4
I know MurderScene has an account on Bitcointalk. It would be nice to have at least an acknowledgement from him regarding the hack.