Author

Topic: MTGOX learns a lesson on cyber security, so should you (Read 1149 times)

sr. member
Activity: 454
Merit: 250
ignorance......

yay i have another post to get out of the newb section.... then i can waste my time on topics that i give a shit about

LET THE TROLLS FEED ON EACH OTHER!
newbie
Activity: 16
Merit: 0
Bitcoin. Bringing hackers, naive users and serious money together, since 2011

What could possibly go wrong?
sr. member
Activity: 349
Merit: 250
Rumor mill says it was an SQL injection attack that allowed the hacker to steal the user database.  Protecting against an SQL injection attack on a website is fairly trivial which makes me doubt the ability and "security sense" of whomever developed that site. 

You are probably referring to this:
http://seclists.org/fulldisclosure/2011/Jun/417 and http://seclists.org/fulldisclosure/2011/Jun/418?
newbie
Activity: 9
Merit: 0
In their defense, they didn't start up with a million dollar budget and man years of development time. It was a hobby project that got out of hand quickly.
You don't need a million dollars to store passwords properly. See http://codahale.com/how-to-safely-store-a-password/ for example. The software libraries for doing this correctly are free.
newbie
Activity: 4
Merit: 0
I used a windows install to see what infections I could pick up. Registered with bit faucet. 1/2hr later attacks from various IP's mainly 91.213.175.240 + 8.15.246.44

are you talking about this http://freebitcoins.appspot.com/recent_sends ?

Yes.. See how they list all the IP's?
Perfect for port attacks + sniffing as you know the IP will have a coin client + wallet.. Shocked
newbie
Activity: 2
Merit: 0
MtGox sucks, gonna see if Tradehill is any better.  Used code TH-R15720 when signing up to get reduced fees.
member
Activity: 98
Merit: 10
I used a windows install to see what infections I could pick up. Registered with bit faucet. 1/2hr later attacks from various IP's mainly 91.213.175.240 + 8.15.246.44

are you talking about this http://freebitcoins.appspot.com/recent_sends ?
newbie
Activity: 4
Merit: 0
I used a windows install to see what infections I could pick up. Registered with bit faucet. 1/2hr later attacks from various IP's mainly 91.213.175.240 + 8.15.246.44
newbie
Activity: 56
Merit: 0
"' RIGHT JOIN TABLE USERS; --

Dammit, didn't work.
newbie
Activity: 9
Merit: 0
It really is aggrivating seeing such a security sensitive sight being comprimised with an sql injection. This stuff was covered when I took an introductory web class.
member
Activity: 61
Merit: 10
Rumor mill says it was an SQL injection attack that allowed the hacker to steal the user database.  Protecting against an SQL injection attack on a website is fairly trivial which makes me doubt the ability and "security sense" of whomever developed that site. 

To my knowledge they have not said if the database compromise lead to the hacked account.  It seems very likely though, with access to the password hash weak passwords can be easily dictionary/bruteforced.  Why anyone with 500k bitcoins would have a weak password leaves me guessing though.  This is a lesson everyone can learn from though, if your password is not long, random, and mixed with letters, symbols and numbers you're at risk.

What is even more scary is it appears that the e-mail accounts on the list are now being attacked.  If someone compromises your e-mail box your generally screwed as they can then reset passwords other websites with lax security like MTGOX.
Jump to: