Pages:
Author

Topic: MyBitcoin Back Up! (with a press release) - page 4. (Read 12357 times)

donator
Activity: 2772
Merit: 1019
August 05, 2011, 05:46:48 AM
#73
Here's a google cached version of an earlier posting on the site "From the desk of Tom Williams", including PGP sig:

http://webcache.googleusercontent.com/search?q=cache:EN0mtcwBftAJ:https://www.mybitcoin.com/downloads/incident-report-2011-06-22.txt+From+the+desk+of+Tom+Williams,+operator+of+MyBitcoin.com&cd=1&hl=en&ct=clnk&gl=de&source=www.google.de

You really have to wonder why the current info is not signed...

I somehow doubt it's Tom Williams talking to us...

EDIT: decided to post the text here, in case google cache forgets:

Quote from: ""
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            From the desk of Tom Williams, operator of MyBitcoin.com

                          For immediate release.

There are a lot of unanswered questions floating around on the Bitcoin
forum and other places about the recent Mtgox password leak, and theft
from the MyBitcoin system.

I will attempt to answer as many of the questions and concerns as best
as I can in order to silence the rumor-mill once and for all.

As many of you already know, Mtgox was hacked and its password file was
leaked. As soon as we heard about the leak we were closely monitoring
the system for abnormal activity, and we didn't see any.

At first glance, we didn't see any hard evidence that a password leak
had even occurred. There was just a lot of speculation to an SQL
injection vulnerability in Mtgox's site. A few clients of ours had
informed us of the forum threads, and we watched them carefully.

The following morning a client of ours sent us the download link to the
leaked Mtgox password file. We prompty downloaded the file, put up a
warning on the main page, and disabled the login.

We attempted to line up usernames from the leak, and we found a lot of
matching ones. We started locking down all of those accounts using a
script that we had to have written at a moment's notice. It was during
this time that we noticed a flurry of spends happening. Yes, even with
the site disabled.

The attacker had active sessions open to the site. We quickly flushed
them and the spends stopped abruptly. We disabled the SCI, all payment
forwarding, and all receipt URL traffic on all of the usernames in the
Mtgox leak.

We proceeded to change the password on every account where the username
matched our system's database. PGP-signed emails went out to all of the
accounts that we changed the password on. If an account didn't have an
email address or had already been compromised we put up a bulletin.
(Email addresses were mandatory when we opened our service initially,
but people complained that it wasn't truly anonymous so we made them
optional. Unfortunately this makes contacting a security-compromised
customer impossible.)

An investigation was conducted at that time, and we determined that the
attacker had opened up a session to each active user/password pair ahead
of time, solved the captcha, and used some sort of bot to maintain a
connection so our system wouldn't timeout on the session. It was likely
his intent to gain access to more accounts than he did, but as soon as
he noticed that we had changed the main page of the site he sprung into
action by sending a flurry of spends.

(Before you ask: no, we don't limit logins per IP address. We can't. We
have a lot of users that come in from Tor and I2P that all appear to
share the same source IP address.)

We've concluded that around 1% of the users on the leaked Mtgox password
file had their Bitcoins stolen on MyBitcoin. It is unfortunate, and a
horrible experience for the Bitcoin community in general.

The IP address that the attacker used was a Tor exit node and the spends
were to an address that is outside of our system.

Now to address the rumors:

No, our database wasn't compromised. We had a 3rd party company audit
our site for SQL injection attacks and we passed. (We did, however, have
one XSS hole in the address book page last month that would allow an
attacker to insert fake entries into a customer's address book. It was
promptly fixed and offending address book entries were purged. Not a
single customer had spent to the fake address book entries.) Every line
of code was audited last month. Literally line by line audited by
professionals, and it was deemed safe.

No, this site isn't being ran by some amateur that just learned how to
program computers. It was created by seasoned programmers that
understand security.

Yes, we use password encryption. We are currently using SHA-256, but
since the recent Mtgox hack we will be upgrading that to something
stronger. It's surprising how many sites still use MD5, even though it
was broken years ago. It is my personal opinion that MD5 be deprecated
from modern operating systems.

We also use whole-disk level encryption on every single one of our
servers. When you fail a disk in a NOC and a level 1 technician replaces
it does he wipe the disk before the RMA/tossing it in the garbage? Not
usually! We know these mistakes happen, so we take precautions. Any and
all servers with an IP KVM on them are ran in secure console mode. The
root passwords are required even for single user mode. All disk keys are
held off-site and were never generated anywhere near the internet. All
server passwords are unique per server and per user, of course. Only two
technicians have access to the secure servers. This access is over a VPN
and we only use secured workstations running Linux and BSD to access
them.

We use BSD servers with MAC, immutable flags, jails, PAX, SSP,
randomized mmap, secure level, a WAF, a DDoS mitigation and alert system
- -- the works. Like I said earlier. We are not amateurs. In fact,
combined we have over 30 years of experience in the payment
processing (credit card arena) industry.

A large amount of the Bitcoin holding is in cold (offline) storage. We
only have a percentage of the holding available hot. This is done for
obvious reasons.

Going forward we are implementing a 2-factor login system,
user-configurable spend limits, better session token tumbling, and a
bunch of new SCI features.

Wishing the Bitcoin community all the best and a swift recovery, and
sincerely yours,


Tom Williams

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MBC v1.0

iQEcBAEBAgAGBQJOAki5AAoJEJ+5g06lAnqF3tcH/0QNKf7aBEg08vML9MCkwTjF
VCoTAPzVaVsdbZOqiRwE2/6420tcFZrsWTXYZYbjXckEiYrl7/DQ2XsLyhk4W567
T1sOCmpH99Z2/VAvTfAd5obRTEGpMQ0SLIrfznyc8MmG4C1GvtVUr4jM79asPmRY
jsIn7v53o9Ra1sN3QcvMskRUU1JmqfqU6MlJrYwXrtc/P9Tjm7D3AtsjfvJRX12Z
9g5y1N+zRGVpp7OK35VFnfmIKtOOtb3IMgG5EhiUllsoXKfz1eE08v4f4d0aQstL
+HGMi3PktL1HBpIRni2n4MAaIXq/EyzxDSzkSHp6v032H70c1kkUibL//QNxQuM=
=VaXC
-----END PGP SIGNATURE-----
sr. member
Activity: 574
Merit: 250
August 05, 2011, 05:26:52 AM
#72
This still has the feeling to me of a site that was being run by a bitcoin enthusiast who  'got hit by a bus'.    I think if the main operator of the site was not out of commission for whatever reason this type of message would have been posted sooner and with his usual MO of signing it.    The way the site failed with the breakdown of communications the some weeks before it stopped running also leads me to hang onto this idea.   If it was set up as a scam site the shut down could have been  done in a way to get more loot, no need to actually turn off the site so quickly but rather they would still allow money to trickle in for as long as they could.   If it was a discovered breach as the current letter posted says,   there would not have been the break down in communications ahead of time and the change in MO.  I still think something has happened to the operator of the site, and someone has gotten around to finding and invoking some shutdown plan he had made.
hero member
Activity: 504
Merit: 504
PGP OTC WOT: EB7FCE3D
August 05, 2011, 05:02:07 AM
#71
imo there 'll be a haircut when it comes to enabling the service.
(speculation: let's assume he had 3/4 of the bitcoins offsite, 1/4 is gone; he'll not enable withdrawing 1:1 but rather get the offloaded bitcoins from backup online and enables the appropriate share of coins to be returned, with an equal loss to every account)

I wouldn't expect it to be a rapid process either.  The receiver will have to ensure that Bitcoins are being sent to valid depositors and not to false claimants or other wallets owned by the operators.  That's going to take time.

I'd imagine a period for claims, each user should login to prove s/he is the rightfull user of the service (knows the uname/pwd) and could indicate a btc address to receive the leftovers from the original btc holdings with that account. that's what I would to to reimbourse users if I'd be operating similar service. I see an option to keep the funds in the site for users who do not want to migrate away from MBC (just to make the use cases list complete). I'll revisit in a few days to see eventual progress.

it interests me, wether the attacking party moved coins away from the site or just to an internal account. this would interest the folks with tools to analyze blockchain to trace them. and also what ratio of btc holdings left MBC unauthorized (what's the ratio of lost coins to total holdings)

let's see when that press release will be replaced with news or site returning to operation (if ever)
legendary
Activity: 910
Merit: 1001
Revolutionizing Brokerage of Personal Data
August 05, 2011, 04:20:08 AM
#70
Well - this announcement could also just be a reaction from "Tom" realizing that people will eventually track him down. The community did a great job gathering bits and pieces pointing towards the real identity of mybitcoin.com's operator and IMHO we were already pretty close - props all the others from #bitcoin-police!

It is certainly easier for him to state that he was hacked (maybe even fake some convincing evidence on his servers) than to just disappear with the money and hoping to get away with it.

I'm pretty sure that's what dawned upon him during this week and that's why it took him so long to come up with this announcement. A simple "we've been hacked - please hold on while we're investigating" page soon after the incident would have been the most logical step if he did not plan on just running away.

Anyway - it doesn't matter much if he stole the money or someone else did. Finding the somewhat anonymous operator of a website is easy compared to proving that someone owns stolen Bitcoins unfortunately Sad
member
Activity: 84
Merit: 10
I yam what I yam. - Popeye
August 05, 2011, 04:16:16 AM
#69
Hope this isn't true.
Then the Tom Williams impostor can create a claim page installing loads of shit on your computer.

One more reason to wait and see whether there's any statement forthcoming naming a receiver.

IMHO the only way to get real movement on this is for someone to plant his butt on Nevis and retain one of the top lawyers there. Money talks on a small island.
hero member
Activity: 868
Merit: 1000
August 05, 2011, 04:13:14 AM
#68
Hope this isn't true.
Then the Tom Williams impostor can create a claim page installing loads of shit on your computer.

One more reason to wait and see whether there's any statement forthcoming naming a receiver.
hero member
Activity: 686
Merit: 564
August 05, 2011, 04:12:34 AM
#67
I called it. This is basically exactly what I've been theorizing happened. After MtGox got a lot of criticism for explaining before they knew the facts, it only makes sense that MyBitcoin (or anyone else exploited) would keep silent until they had a good idea what was going on.
That's not why MtGox got criticism. MtGox released specific statements that not just turned out to be premature and wrong, but that they had to have known were false at the time; for example, there's no way they could honestly have claimed both that it was just a single account that was compromised and that they had enough Bitcoin funds to cover their deposits because even from the outside it was easy to see they didn't have enough Bitcoins to cover the amount in that single account, let alone everyone else's deposits.
hero member
Activity: 530
Merit: 500
August 05, 2011, 04:08:32 AM
#66
it's an index page on the domain name mybitcoin.com ...  that means whoever wrote that has full access to his server...   It's him.

uhm, how does that follow? server might be owned.

Hope this isn't true.
Then the Tom Williams impostor can create a claim page installing loads of shit on your computer.
legendary
Activity: 1092
Merit: 1001
August 05, 2011, 03:55:02 AM
#65
it's an index page on the domain name mybitcoin.com ...  that means whoever wrote that has full access to his server...   It's him.

uhm, how does that follow? server might be owned.

In that case - we can't even trust that any messages signed with his private key are from him any more.
Tom seemed to use the same key to sign his personal correspondence as that which was used for mybitcoin's automatic payment notifications.

This suggests the corresponding private key was stored on the server and the mybitcoin software had access to the passphrase.

Of course if an imposter 'Tom Williams 2' was posting.. one would hope that 'Tom Williams 1' would pipe up somehow and warn us that the key was compromised.
(but if he completely lost access to his private key - he'd probably know he'd be assumed to just be a troll.... so maybe we'd hear nothing)

That's the double edged sword of anonymity.
In some cases Mr anonymous 1's digital world can be usurped by Mr anonymous 2 with no recourse.
Anonymous identities vulnerable to identity theft.. how about that.

That he shared his key with an automated system, and didn't properly participate in a web of trust is an indication that really.. his signing of messages was little more than a marketing ploy to make us think he took security seriously.












hero member
Activity: 767
Merit: 500
August 05, 2011, 03:54:33 AM
#64
This post is not being seen because it's stickied... I didn't see it until someone linked it and I've seen many posts since this was written still asking about mybitcoin... Most people just skip over the stickies...

Will
hero member
Activity: 868
Merit: 1000
August 05, 2011, 03:16:17 AM
#63
I see a lot of similarities with the MtGox hack, they got out of it stronger. This should be possible for MyBitcoin as well.

You are dreaming. MBC is going into receivership. Game. Over.

Receivers do sometimes trade businesses out of trouble rather than liquidate them, but we have no idea of the size of the hole Mybitcoin is in and whether that's a viable option.  The nature of Mybitcoin's business probably isn't going to count in favour of continuing to trade while under administration, though.
newbie
Activity: 58
Merit: 0
August 05, 2011, 03:09:33 AM
#62
I see a lot of similarities with the MtGox hack, they got out of it stronger. This should be possible for MyBitcoin as well.

You are dreaming. MBC is going into receivership. Game. Over.

What is it about BitCoin users that compels them to ask for a proverbial reach around after they've so clearly been raped?
full member
Activity: 168
Merit: 100
August 05, 2011, 02:57:12 AM
#61
I see a lot of similarities with the MtGox hack, they got out of it stronger. This should be possible for MyBitcoin as well.

You are dreaming. MBC is going into receivership. Game. Over.
hero member
Activity: 868
Merit: 1000
August 05, 2011, 02:50:49 AM
#60
It would be best for Tom to distribute all the Bitcoins as best he can, THEN to call in the receivers. Otherwise, I predict that the Receiver's fees will be about equal to the value of the coins, and depositors will get nothing. That's how it tends to work when a small business is wound up.

Because of the look-back period, this would be unwise.  And how could he prove to a receiver that he wasn't sending Bitcoins to himself or his family and friends?  If he's legit, he'll do it by the book and the receiver will be the one who decides who gets what and when.  I doubt that many people would be willing to take Tom's word on what's available for distribution anyway.
donator
Activity: 826
Merit: 1060
August 05, 2011, 02:45:30 AM
#59
It would be best for Tom to distribute all the Bitcoins as best he can, THEN to call in the receivers. Otherwise, I predict that the Receiver's fees will be about equal to the value of the coins, and depositors will get nothing. That's how it tends to work when a small business is wound up.
donator
Activity: 2772
Merit: 1019
August 05, 2011, 02:42:04 AM
#58
www.mybitcoin.com doesn't work for me, What URL are you guys using to view this press release?

Sorry I just have to see it for myself before believing it.

https://www.mybitcoin.com/
donator
Activity: 2772
Merit: 1019
August 05, 2011, 02:34:47 AM
#57
it's an index page on the domain name mybitcoin.com ...  that means whoever wrote that has full access to his server...   It's him.

uhm, how does that follow? server might be owned.
hero member
Activity: 868
Merit: 1000
August 05, 2011, 02:09:52 AM
#56
If MyBitcoin wants to come back online and stay in business, they should prevent a bank run. Which is quite likely to happen and would worsen the situation.

imo there 'll be a haircut when it comes to enabling the service.
(speculation: let's assume he had 3/4 of the bitcoins offsite, 1/4 is gone; he'll not enable withdrawing 1:1 but rather get the offloaded bitcoins from backup online and enables the appropriate share of coins to be returned, with an equal loss to every account)

I wouldn't expect it to be a rapid process either.  The receiver will have to ensure that Bitcoins are being sent to valid depositors and not to false claimants or other wallets owned by the operators.  That's going to take time.
hero member
Activity: 504
Merit: 504
PGP OTC WOT: EB7FCE3D
August 05, 2011, 01:58:28 AM
#55
If MyBitcoin wants to come back online and stay in business, they should prevent a bank run. Which is quite likely to happen and would worsen the situation.

imo there 'll be a haircut when it comes to enabling the service.
(speculation: let's assume he had 3/4 of the bitcoins offsite, 1/4 is gone; he'll not enable withdrawing 1:1 but rather get the offloaded bitcoins from backup online and enables the appropriate share of coins to be returned, with an equal loss to every account)
hero member
Activity: 868
Merit: 1000
August 05, 2011, 01:08:43 AM
#54
If MyBitcoin wants to come back online and stay in business, they should prevent a bank run. Which is quite likely to happen and would worsen the situation.

If they're going into receivership then they can't move any assets at all - everything will be under the control of the receiver and there'll be a look-back period as well.  Assuming that they really do go that route, it's going to be one very interesting and complicated case for the receiver managing it and trying to verify claims.
Pages:
Jump to: