NiceHash hacked? - page 10. | Bitcointalksearch.org

dlezama

member

Activity: 140

Merit: 17

Quote from: joblo on December 08, 2017, 12:43:40 PM

Quote from: Sledge0001 on December 08, 2017, 12:11:35 PM

Play nice kiddies... NOTHING IS HACK PROOF. End of story.

Now.... Let's stay on the subject.

The engineer whose credentials were obtained and used on the other hand no doubt is a major person of interest. I did find it intriguing though that they said several credentials were tried which would elude to someone that had an intricate knowledge of their staff.

I belive they said his PC was compromised. That's probably how they obtained his credentials then used those credentials
to launch the attack from the dev's PC with no security red flags. This kind of thing happens all the time and as long as
people are allowed to connect with their PCs, likely Windows, it will always be a threat.

The security failure was the dev had access to all the funds without any control. No single individual should have
that access, and especially not from an insecure PC.

I would expect that from a basement pool operator but not from an organisation like Nicehash.

I also wans't thrilled about them bragging about how many billions they mined, and how users would have to help
them recover. If they were so successful they can eat the cost of reimbursing users without our help.
Only then will trust be restored.

Their incompetence is incredible, I think they actually are a "basement pool operator" that just found itself managing millions of dollars. An immature industry where anyone can make it big and become market leader.
Besides the obvious stupidity of making all the money available to single devs, they didn't need to have all this money in the first place. It is entirely possible to build a service like this minimizing the amount of money held at any given time, after all their business is (was) to connect buyers and sellers, not becoming a bank.

joblo

legendary

Activity: 1470

Merit: 1114

Quote from: Sledge0001 on December 08, 2017, 12:11:35 PM

Play nice kiddies... NOTHING IS HACK PROOF. End of story.

Now.... Let's stay on the subject.

The engineer whose credentials were obtained and used on the other hand no doubt is a major person of interest. I did find it intriguing though that they said several credentials were tried which would elude to someone that had an intricate knowledge of their staff.

I belive they said his PC was compromised. That's probably how they obtained his credentials then used those credentials
to launch the attack from the dev's PC with no security red flags. This kind of thing happens all the time and as long as
people are allowed to connect with their PCs, likely Windows, it will always be a threat.

The security failure was the dev had access to all the funds without any control. No single individual should have
that access, and especially not from an insecure PC.

I would expect that from a basement pool operator but not from an organisation like Nicehash.

I also wans't thrilled about them bragging about how many billions they mined, and how users would have to help
them recover. If they were so successful they can eat the cost of reimbursing users without our help.
Only then will trust be restored.

Sledge0001

full member

Activity: 626

Merit: 159

But if it can be stolen as we all now it can I would say it is not hack proof.

BenRickert

full member

Activity: 420

Merit: 110

Quote from: Sledge0001 on December 08, 2017, 12:11:35 PM

Play nice kiddies... NOTHING IS HACK PROOF. End of story.

Now.... Let's stay on the subject.

I am hopeful that the stolen funds and associated wallet is blacklisted at this point and that NH will recover from this eventually.

The engineer whose credentials were obtained and used on the other hand no doubt is a major person of interest. I did find it intriguing though that they said several credentials were tried which would elude to someone that had an intricate knowledge of their staff.

In any event I am ready for NH to fire up their servers again and get back to business. They can do a pay share until all of the funds are recovered or are covered but lets get back to it!

....accept BTC.

Sledge0001

full member

Activity: 626

Merit: 159

Play nice kiddies... NOTHING IS HACK PROOF. End of story.

Now.... Let's stay on the subject.

I am hopeful that the stolen funds and associated wallet is blacklisted at this point and that NH will recover from this eventually.

The engineer whose credentials were obtained and used on the other hand no doubt is a major person of interest. I did find it intriguing though that they said several credentials were tried which would elude to someone that had an intricate knowledge of their staff.

In any event I am ready for NH to fire up their servers again and get back to business. They can do a pay share until all of the funds are recovered or are covered but lets get back to it!

armenmerikyan

member

Activity: 244

Merit: 10

BrownieCoins.org The Recognition Cryptocurrency

Quote from: joblo on December 08, 2017, 11:02:33 AM

Quote from: armenmerikyan on December 08, 2017, 10:22:43 AM

Please lookup a product from IBM called Datapower, nobody has been able to hack a Datapower device to this date, nobody even knows what type of operating system it is running, if you actually try to open the box unplugged it has a battery to wipe the os clean. the only way to do hardware replacement on the box is to ship it back to IBM and they replace it for you. typical box costs about 40k and you need 30 to 40 of them for a basic configuration. The energy grid is level 3 security which essentially puts it above credit card systems and health care systems because it is a war time target. Please stop watching TV.

You seem a bit too cocky for a security expert. If you were legit you would never be so confident.
Your praise of security by obsurity also diminishes any security credentials you might have.
But the killer is your failure to recognize that absent of an air gap no network is 100% secure.
There will always be human factors.

I do watch TV but I worked professionally on another critical inftastructure system with "six 9's up time"
including software upgrades. Although I am not a security expert security was always a concern. In the over 20 years
I was there the only security compromises were inside jobs or physical breach.

The biggest computer security threat ever is c/c++ and it's lack of built in array bound checking.
Imagine a world where buffer overflow exploits never existed. I don't have to imagine, I saw it.

Yes I am cocky because I saved the world more energy than fucken Elon Musk. Look up my resume on LinkedIn. Armen Merikyan. I didn't say I was a security expert I design the architecture that was reviewed by multiple security experts and actually taken as a blueprint for other energy companies to follow.

not gonna comment on this topic anymore, you guys watched to much TV and believe to much bullshit, regarding this hack they should of had encrypted laptops for the developers and 2factor authentication setup for the VPN which they probably did neither also you must run background check on anyone that is going to work on the system. With a third party phishing services to test and make sure none of your developers are stupid enough to open random emails. there are people that know how to do a job and then their are armatures yes i said Arm-atures

armenmerikyan

member

Activity: 244

Merit: 10

BrownieCoins.org The Recognition Cryptocurrency

Quote from: n00bsaibot on December 08, 2017, 10:47:10 AM

Quote from: armenmerikyan on December 08, 2017, 10:22:43 AM

Please lookup a product from IBM called Datapower, nobody has been able to hack a Datapower device to this date, nobody even knows what type of operating system it is running, if you actually try to open the box unplugged it has a battery to wipe the os clean. the only way to do hardware replacement on the box is to ship it back to IBM and they replace it for you. typical box costs about 40k and you need 30 to 40 of them for a basic configuration. The energy grid is level 3 security which essentially puts it above credit card systems and health care systems because it is a war time target. Please stop watching TV.

You are a funny guy, they must love you for that at work (since your sec skills are not up to par) Grin

.... hack that would go against US power grid wouldn't come from bored kid in the basement but government sponsored group that (imagine this) can afford to buy and reverse engineering any type of equipment. But that is to SCI-FY and TV for you ...

Quote from: armenmerikyan on December 08, 2017, 10:32:14 AM

Quote from: Mikanoshi on December 08, 2017, 07:24:47 AM

Quote from: armenmerikyan on December 07, 2017, 11:40:46 PM

I secured major power grids in the US

And just like that you've made yourself a target for terrorists Cheesy

Actually I would be of no help to anyone regarding that system, my design is well understood by many security experts and locked down like a mother fuckers, basically you have one Datapower device acting as a security gateway in the DMZ, with another DataPower device acting as a mediation service inside a trusted zone. there is mutual authentication setup between the two devices. All requests must be strongly typed and registered in a product called IBM Webspehre Service Registry and Repository ... it's a bad ass architecture that's all I can tell you and to this day it has not been hacked. Southern California Edison go ahead make my day and try to hack them. They can use some free pen testing.

That is a great network layout there, completely impenetrable Tongue

.... how will your fancy IBM gateway protect you from compromised credential???

I don't think IBM sells products to any old hacker specifically the latest Datapower products, so go fuck yourself, how do you think we secure the nukes you moron. stop talking nonsense you have not even worked on a secured network let alone secure a network.

joblo

legendary

Activity: 1470

Merit: 1114

Quote from: armenmerikyan on December 08, 2017, 10:22:43 AM

Please lookup a product from IBM called Datapower, nobody has been able to hack a Datapower device to this date, nobody even knows what type of operating system it is running, if you actually try to open the box unplugged it has a battery to wipe the os clean. the only way to do hardware replacement on the box is to ship it back to IBM and they replace it for you. typical box costs about 40k and you need 30 to 40 of them for a basic configuration. The energy grid is level 3 security which essentially puts it above credit card systems and health care systems because it is a war time target. Please stop watching TV.

You seem a bit too cocky for a security expert. If you were legit you would never be so confident.
Your praise of security by obsurity also diminishes any security credentials you might have.
But the killer is your failure to recognize that absent of an air gap no network is 100% secure.
There will always be human factors.

I do watch TV but I worked professionally on another critical inftastructure system with "six 9's up time"
including software upgrades. Although I am not a security expert security was always a concern. In the over 20 years
I was there the only security compromises were inside jobs or physical breach.

The biggest computer security threat ever is c/c++ and it's lack of built in array bound checking.
Imagine a world where buffer overflow exploits never existed. I don't have to imagine, I saw it.

BlomBaster

member

Activity: 234

Merit: 10

A very strange story, a large company holds such funds in one wallet. Very strange. I hope all users have lost only small amounts

n00bsaibot

member

Activity: 98

Merit: 10

Quote from: armenmerikyan on December 08, 2017, 10:22:43 AM

Please lookup a product from IBM called Datapower, nobody has been able to hack a Datapower device to this date, nobody even knows what type of operating system it is running, if you actually try to open the box unplugged it has a battery to wipe the os clean. the only way to do hardware replacement on the box is to ship it back to IBM and they replace it for you. typical box costs about 40k and you need 30 to 40 of them for a basic configuration. The energy grid is level 3 security which essentially puts it above credit card systems and health care systems because it is a war time target. Please stop watching TV.

You are a funny guy, they must love you for that at work (since your sec skills are not up to par) Grin

.... hack that would go against US power grid wouldn't come from bored kid in the basement but government sponsored group that (imagine this) can afford to buy and reverse engineering any type of equipment. But that is to SCI-FY and TV for you ...

Quote from: armenmerikyan on December 08, 2017, 10:32:14 AM

Quote from: Mikanoshi on December 08, 2017, 07:24:47 AM

Quote from: armenmerikyan on December 07, 2017, 11:40:46 PM

I secured major power grids in the US

And just like that you've made yourself a target for terrorists Cheesy

Actually I would be of no help to anyone regarding that system, my design is well understood by many security experts and locked down like a mother fuckers, basically you have one Datapower device acting as a security gateway in the DMZ, with another DataPower device acting as a mediation service inside a trusted zone. there is mutual authentication setup between the two devices. All requests must be strongly typed and registered in a product called IBM Webspehre Service Registry and Repository ... it's a bad ass architecture that's all I can tell you and to this day it has not been hacked. Southern California Edison go ahead make my day and try to hack them. They can use some free pen testing.

That is a great network layout there, completely impenetrable Tongue

.... how will your fancy IBM gateway protect you from compromised credential???

Kronos21

sr. member

Activity: 434

Merit: 255

If you really NiceHash was hacked but this is their fault. They save money on security and jeopardized the money of all users. In the beginning I even had no doubt that they were hacked. I thought they wanted to earn money from users. View. Now the price of bitcoin has decreased and maybe they will open up again.

armenmerikyan

member

Activity: 244

Merit: 10

BrownieCoins.org The Recognition Cryptocurrency

Quote from: Mikanoshi on December 08, 2017, 07:24:47 AM

Quote from: armenmerikyan on December 07, 2017, 11:40:46 PM

I secured major power grids in the US

And just like that you've made yourself a target for terrorists Cheesy

Actually I would be of no help to anyone regarding that system, my design is well understood by many security experts and locked down like a mother fuckers, basically you have one Datapower device acting as a security gateway in the DMZ, with another DataPower device acting as a mediation service inside a trusted zone. there is mutual authentication setup between the two devices. All requests must be strongly typed and registered in a product called IBM Webspehre Service Registry and Repository ... it's a bad ass architecture that's all I can tell you and to this day it has not been hacked. Southern California Edison go ahead make my day and try to hack them. They can use some free pen testing.

armenmerikyan

member

Activity: 244

Merit: 10

BrownieCoins.org The Recognition Cryptocurrency

Quote from: n00bsaibot on December 08, 2017, 06:56:16 AM

Quote from: armenmerikyan on December 07, 2017, 11:40:46 PM

........ I don't buy that bullshit story that everything can be hacked, I secured major power grids in the US and it requires expensive equipment and all kinds of other expensive software. Don't get me wrong I really want to see them back because I liked the service and I think people are going to have a service like this in the future to connect their home datacenter for currency trading and whatever social media needs they have. It's just stupid and careless. I don't think it was an inside job, they were just in over their heads.

You must be a poor security expert than Grin

there is not such thing as hack proof system, but there are measures that can be taken to make hack extremely difficult to execute. One of only ways to protect your self is to "unplug the cord" but even then there are ways of penetrating systems ...... hacks do not require expensive equipment but extensive knowledge of equipment in place and its vulnerabilities, possible 0 day knowledge or having someones credentials (which NH team confirmed already was used in this hack). How did "they" obtained credentials, it remains to be seen.

Quote from: Cereberus on December 08, 2017, 03:46:37 AM

I don't want to blame Nicehash although they are the only responsible to be blamed on. I don't want any reimbursement but I only hope they come back with the highest possible security like they claim. I have had enough of Winminer paying me half of what Nicehash used to pay me and honestly mining on pools is a PAITA , lots of converting to do while I love being paid directly in Bitcoin most of the time.

It will be nice to see them recover and pay put peoples balances but there will be a looooooot of trust issues if they re-surface. Why dont you mine singles and leave winminer and other pools alone?

Please lookup a product from IBM called Datapower, nobody has been able to hack a Datapower device to this date, nobody even knows what type of operating system it is running, if you actually try to open the box unplugged it has a battery to wipe the os clean. the only way to do hardware replacement on the box is to ship it back to IBM and they replace it for you. typical box costs about 40k and you need 30 to 40 of them for a basic configuration. The energy grid is level 3 security which essentially puts it above credit card systems and health care systems because it is a war time target. Please stop watching TV.

BenRickert

full member

Activity: 420

Merit: 110

Quote from: armenmerikyan on December 08, 2017, 01:57:28 AM

Quote from: joblo on December 08, 2017, 01:34:59 AM

If they got robbed of 64 Million it's their own stupidity they had that much in a hot wallet.

Regarding legalities it has to do with the laws in their jurisdiction. Contrary to what many
Americans would like to believe, if that jurisdiction is not the US the FBI can do nothing
until the perps step foot in the US, unless they are willing to kidnap them on foreign soil.

I don't think it's that simple. You been watching too much TV

Actually, since they were not transacting in USD, the FBI is going to have a difficult jurisdictional challenge. This is how " Onecoin" ( scam) avoided prosecution in the USA. They always denominated their currency balances in Pound Sterling. As soon as something transacts in USD, boom, US jurisdiction. There is a heavy burden on these two cats to make good on those stolen funds. If like you say, they were out of compliance, (which they almost certainly were) their only hope of avoiding being locked up is to give full restitution to their client base. This thing is FAR from settled. I believe one of their "engineers" started riding dirty and colluded with someone to extract the BTC. Notice they said that 45:00 before the successful penetration using someone's "secure computer", they tried to hack into the system and failed. Sounds like the use of the secure system was a last ditch desperation move to grab the cash. This was FAR from a sophisticated and well planned operation. It was a clusterfuck. If not, that money would be already washed and gone. These idiots didn't even get it out of the wallet it went to. It sure doesn't seem like these two cats were involved knowingly.

Mikanoshi

sr. member

Activity: 798

Merit: 252

Insane In The Blockchain ⚠

Quote from: armenmerikyan on December 07, 2017, 11:40:46 PM

I secured major power grids in the US

And just like that you've made yourself a target for terrorists Cheesy

n00bsaibot

member

Activity: 98

Merit: 10

Quote from: armenmerikyan on December 07, 2017, 11:40:46 PM

........ I don't buy that bullshit story that everything can be hacked, I secured major power grids in the US and it requires expensive equipment and all kinds of other expensive software. Don't get me wrong I really want to see them back because I liked the service and I think people are going to have a service like this in the future to connect their home datacenter for currency trading and whatever social media needs they have. It's just stupid and careless. I don't think it was an inside job, they were just in over their heads.

You must be a poor security expert than Grin

there is not such thing as hack proof system, but there are measures that can be taken to make hack extremely difficult to execute. One of only ways to protect your self is to "unplug the cord" but even then there are ways of penetrating systems ...... hacks do not require expensive equipment but extensive knowledge of equipment in place and its vulnerabilities, possible 0 day knowledge or having someones credentials (which NH team confirmed already was used in this hack). How did "they" obtained credentials, it remains to be seen.

Quote from: Cereberus on December 08, 2017, 03:46:37 AM

I don't want to blame Nicehash although they are the only responsible to be blamed on. I don't want any reimbursement but I only hope they come back with the highest possible security like they claim. I have had enough of Winminer paying me half of what Nicehash used to pay me and honestly mining on pools is a PAITA , lots of converting to do while I love being paid directly in Bitcoin most of the time.

It will be nice to see them recover and pay put peoples balances but there will be a looooooot of trust issues if they re-surface. Why dont you mine singles and leave winminer and other pools alone?

Cereberus

legendary

Activity: 910

Merit: 1000

I don't want to blame Nicehash although they are the only responsible to be blamed on. I don't want any reimbursement but I only hope they come back with the highest possible security like they claim. I have had enough of Winminer paying me half of what Nicehash used to pay me and honestly mining on pools is a PAITA , lots of converting to do while I love being paid directly in Bitcoin most of the time.

armenmerikyan

member

Activity: 244

Merit: 10

BrownieCoins.org The Recognition Cryptocurrency

Quote from: joblo on December 08, 2017, 01:34:59 AM

If they got robbed of 64 Million it's their own stupidity they had that much in a hot wallet.

Regarding legalities it has to do with the laws in their jurisdiction. Contrary to what many
Americans would like to believe, if that jurisdiction is not the US the FBI can do nothing
until the perps step foot in the US, unless they are willing to kidnap them on foreign soil.

I don't think it's that simple. You been watching too much TV

joblo

legendary

Activity: 1470

Merit: 1114

If they got robbed of 64 Million it's their own stupidity they had that much in a hot wallet.

Regarding legalities it has to do with the laws in their jurisdiction. Contrary to what many
Americans would like to believe, if that jurisdiction is not the US the FBI can do nothing
until the perps step foot in the US, unless they are willing to kidnap them on foreign soil.

armenmerikyan

member

Activity: 244

Merit: 10

BrownieCoins.org The Recognition Cryptocurrency

Quote from: MiningDoc on December 08, 2017, 12:47:47 AM

Quote from: joblo on December 08, 2017, 12:05:33 AM

According to Nicehash they got robbed of our coins. If the funds were segregated there is a technical
distinction whose coins were actually stolen. But it doesn't matter, they still have an obligation to
pay users what is due.

The semantics games are getting a little stretched.

What obligation are they bound to that says they have to pay us what is owed when coins are stolen? They are not an insured bank, they are not a Registered Currency Exchange Business and don't have to follow the guide lines/laws of an exchange. They don't have to follow KYC regulations. So I'm curious, other than a "moral" obligation (which would be great to see happen), what makes them have to pay users back? Nothing (if it wasn't them). The only way we get money back would be if they actually catch the person whole stole the coins, then they can return "stolen" property.

stop talking out of your ars, you don't know shit about the company and EU regulations, if they even failed on basic regulatory checks they can go to jail. the question is about negligence and that means jail time buddy. Like I said I really want the service back but authorities don't give a shit they just want to put someone in jail and get their Brownie Coins(plugging Brownie Coins here)

Topic: NiceHash hacked? - page 10. (Read 32068 times)