Bitcoin Forum>Economy>Economics>Speculation
Pages:
Author

Topic: Sell, sell, sell The hack of Bitcoin 2013 again (Read 2962 times)

Gareth Nelson
hero member
Activity: 721
Merit: 503
Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 12:13:51 PM
#30
Quote from: Richy_T on March 08, 2013, 10:52:33 AM
Quote from: Richy_T on March 08, 2013, 10:46:33 AM
I haven't heard the full details but once you have control of a domain name, there's a lot you can do. If you can reset or recover your password with an email, if someone gets the domain, they can redirect all email to that domain to their own mail server. Et voila, they're in. If your site doesn't use HTTPS (and possibly even if it does), there are man-in-the-middle attacks.

It's even not terribly hard to take control of a domain name even without social engineering. Typically, most registrars just require a copy of your DL on company headed notepaper and some trivial other stuff. I've had to do it for domains that were legitimately our company's several times.

Though with that said, security really shouldn't depend on DNS if it's being done properly. I'd be interested to hear what the actual method of attack was just to see if it's one I've heard of.

This was explained in the blog post but essentially they redirected emails to a server under their control and got sent a password reset link.
Fiyasko
legendary
Activity: 1428
Merit: 1001
Okey Dokey Lokey
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 12:04:27 PM
#29
Goes to show how competent Site5 is.
This is seriously not BitInstants fault
Richy_T
legendary
Activity: 2576
Merit: 2267
1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 11:53:22 AM
#28
Quote from: Morblias on March 08, 2013, 11:40:43 AM
Comment from Site5

Quote
Hi everyone,

We conducted a full investigation internally and this in no way was due to any slip in our security. The only reason the attacker was able to add an email and take over this account was because they knew the two answers to the security questions on this account. They did not receive that information from us in anyway. We take security very seriously and have stringent safe guards in place to prevent social engineering.

Here is our public post as well with details:
http://www.site5.com/blog/s5/security-and-social-engineering/20130307/

Please let me know if you have any questions,
Thanks, Ben
CEO at Site5

I guess it only takes 2 security questions to gain access. Is this typical for site registrar's? I would think something as important as a business website would be protected by more then 2 questions.

Security questions are about the dumbest kind of "security enhancement" out there. Especially when they are used as a way to get around a password (I can keep a password secret, I can't keep my mother's maiden name secret and any question which isn't public record is probably easily findable (favorite authors, bands etc) or has been used on a dozen other sites). It's like the people implementing security out there (or at least the people in charge of them) are sheep, only able to consider and adopt the latest fad non-security measure and not able to sit down, read some papers and comprehend and work things from the ground up.

DAMMIT THESE ARE SOLVED PROBLEMS, PEOPLE!!!

Sorry for the rant.
Morblias
hero member
Activity: 576
Merit: 500
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 11:40:43 AM
#27
Comment from Site5

Quote
Hi everyone,

We conducted a full investigation internally and this in no way was due to any slip in our security. The only reason the attacker was able to add an email and take over this account was because they knew the two answers to the security questions on this account. They did not receive that information from us in anyway. We take security very seriously and have stringent safe guards in place to prevent social engineering.

Here is our public post as well with details:
http://www.site5.com/blog/s5/security-and-social-engineering/20130307/

Please let me know if you have any questions,
Thanks, Ben
CEO at Site5

I guess it only takes 2 security questions to gain access. Is this typical for site registrar's? I would think something as important as a business website would be protected by more then 2 questions.
malevolent
legendary
Activity: 3472
Merit: 1722
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 11:12:01 AM
#26
Quote from: Gareth Nelson on March 08, 2013, 10:47:00 AM
Again, not commenting either way until seeking legal advice, customers aren't affected by this so it's not as high priority as it would be if we'd lost customer funds. Basically, it's BitInstant that takes the hit, not our clients.

Well, if you DO manage to regain the lost money let us know on the forums and how you did it, it might be useful to some.
DeathAndTaxes
donator
Activity: 1218
Merit: 1079
Gerald Davis
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 11:11:27 AM
#25
Quote from: Richy_T on March 08, 2013, 10:52:33 AM
Though with that said, security really shouldn't depend on DNS if it's being done properly. I'd be interested to hear what the actual method of attack was just to see if it's one I've heard of.

Agreed though it wasn't BitInstant's security which was compromised it was VirWox.

VirWox WTF are you thinking?   It is 2013.   Implement 2FA on your exchange or shut down.  Period.   
Richy_T
legendary
Activity: 2576
Merit: 2267
1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 10:52:33 AM
#24
Quote from: Richy_T on March 08, 2013, 10:46:33 AM
I haven't heard the full details but once you have control of a domain name, there's a lot you can do. If you can reset or recover your password with an email, if someone gets the domain, they can redirect all email to that domain to their own mail server. Et voila, they're in. If your site doesn't use HTTPS (and possibly even if it does), there are man-in-the-middle attacks.

It's even not terribly hard to take control of a domain name even without social engineering. Typically, most registrars just require a copy of your DL on company headed notepaper and some trivial other stuff. I've had to do it for domains that were legitimately our company's several times.

Though with that said, security really shouldn't depend on DNS if it's being done properly. I'd be interested to hear what the actual method of attack was just to see if it's one I've heard of.
Gareth Nelson
hero member
Activity: 721
Merit: 503
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 10:47:00 AM
#23
Quote from: malevolent on March 08, 2013, 10:35:09 AM
Quote from: Gareth Nelson on March 08, 2013, 10:10:26 AM
Quote from: Morblias on March 08, 2013, 09:51:43 AM
Quote from: Gareth Nelson on March 08, 2013, 01:15:06 AM
We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Just curious, since this was 100% the domain registrar's fault, do they compensate you for the loss?

In an ideal world they would, there's a possibility we could hold them liable but i'd not want to comment on that either way without taking legal advice first.

What was the ToS and what is the law in the country the company is based in? Don't repeat Bitcoinica's, Slush's and others' mistakes IIRC they didn't try to recover the money (almost a quarter of a million $) via legal routes.

Again, not commenting either way until seeking legal advice, customers aren't affected by this so it's not as high priority as it would be if we'd lost customer funds. Basically, it's BitInstant that takes the hit, not our clients.
Richy_T
legendary
Activity: 2576
Merit: 2267
1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 10:46:33 AM
#22
I haven't heard the full details but once you have control of a domain name, there's a lot you can do. If you can reset or recover your password with an email, if someone gets the domain, they can redirect all email to that domain to their own mail server. Et voila, they're in. If your site doesn't use HTTPS (and possibly even if it does), there are man-in-the-middle attacks.

It's even not terribly hard to take control of a domain name even without social engineering. Typically, most registrars just require a copy of your DL on company headed notepaper and some trivial other stuff. I've had to do it for domains that were legitimately our company's several times.
malevolent
legendary
Activity: 3472
Merit: 1722
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 10:35:09 AM
#21
Quote from: Gareth Nelson on March 08, 2013, 10:10:26 AM
Quote from: Morblias on March 08, 2013, 09:51:43 AM
Quote from: Gareth Nelson on March 08, 2013, 01:15:06 AM
We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Just curious, since this was 100% the domain registrar's fault, do they compensate you for the loss?

In an ideal world they would, there's a possibility we could hold them liable but i'd not want to comment on that either way without taking legal advice first.

What was the ToS and what is the law in the country the company is based in? Don't repeat Bitcoinica's, Slush's and others' mistakes IIRC they didn't try to recover the money (almost a quarter of a million $) via legal routes.
Gareth Nelson
hero member
Activity: 721
Merit: 503
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 10:10:26 AM
#20
Quote from: Morblias on March 08, 2013, 09:51:43 AM
Quote from: Gareth Nelson on March 08, 2013, 01:15:06 AM
We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Just curious, since this was 100% the domain registrar's fault, do they compensate you for the loss?

In an ideal world they would, there's a possibility we could hold them liable but i'd not want to comment on that either way without taking legal advice first.
Morblias
hero member
Activity: 576
Merit: 500
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 09:51:43 AM
#19
Quote from: Gareth Nelson on March 08, 2013, 01:15:06 AM
We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Just curious, since this was 100% the domain registrar's fault, do they compensate you for the loss?
bullioner
full member
Activity: 166
Merit: 101
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 04:57:57 AM
#18
Quote from: Gareth Nelson on March 08, 2013, 01:15:06 AM
We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Roll on the day when we can securely register names via some kind of global proof-of-work-based transaction log, providing a secure basis for every aspect of name registration.
piramida
legendary
Activity: 1176
Merit: 1010
Borsche
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 04:34:57 AM
#17
Quote from: apetersson on March 08, 2013, 03:51:41 AM
the description of the hack sounded like an awful lot of work and risk for only 333 BTC. Where i live, you earn that easily in three months of honest work as a developer.

Well if it originated in Russia it could be an annual salary; but nevertheless, obviously thiefs were aiming for more, but that's the most they managed to get out in that 12 hours or how long they owned the domain. The hack itself cost hundreds of dollars, so it definitely paid off anyway.

There is a good lesson in all of this. Don't register your domains with cheap shops. Keep your security questions unguessable. No, you don't have to use your actual mother's maiden name.
pinger
legendary
Activity: 1512
Merit: 1001
Bitcoin - Resistance is futile
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 03:56:45 AM
#16
Quote from: apetersson on March 08, 2013, 03:51:41 AM
the description of the hack sounded like an awful lot of work and risk for only 333 BTC. Where i live, you earn that easily in three months of honest work as a developer.

Maybe it was just an attention touch.
apetersson
hero member
Activity: 668
Merit: 501
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 03:51:41 AM
#15
the description of the hack sounded like an awful lot of work and risk for only 333 BTC. Where i live, you earn that easily in three months of honest work as a developer.
pinger
legendary
Activity: 1512
Merit: 1001
Bitcoin - Resistance is futile
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 02:48:28 AM
#14
Quote from: Gareth Nelson on March 08, 2013, 01:15:06 AM
We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Thanks for the link Gareth
creativex
sr. member
Activity: 434
Merit: 250
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 01:38:03 AM
#13
I've tried to use bitinstant several times in the last couple days, but there's always an error. Huh
Gareth Nelson
hero member
Activity: 721
Merit: 503
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 08, 2013, 01:15:06 AM
#12
We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.
twolifeinexile
full member
Activity: 154
Merit: 100
Re: Sell, sell, sell The hack of Bitcoin 2013 again
March 06, 2013, 10:54:55 AM
#11
Quote from: Morblias on March 06, 2013, 10:04:39 AM
Quote
However, says the post, various security measures, such as multi-factor authentication and auto lockdowns prevented any more theft and no personal or transactional information from users has been leaked.

+1 for BitInstant

unfornately to BitInstant, but it seems their security practice prevented a much bigger disaster.
Pages:
Bitcoin Forum>Economy>Economics>Speculation
Jump to: