Sell, sell, sell The hack of Bitcoin 2013 again

Gareth Nelson

hero member

Activity: 721

Merit: 503

Quote from: Richy_T on March 08, 2013, 10:52:33 AM

Quote from: Richy_T on March 08, 2013, 10:46:33 AM

I haven't heard the full details but once you have control of a domain name, there's a lot you can do. If you can reset or recover your password with an email, if someone gets the domain, they can redirect all email to that domain to their own mail server. Et voila, they're in. If your site doesn't use HTTPS (and possibly even if it does), there are man-in-the-middle attacks.

It's even not terribly hard to take control of a domain name even without social engineering. Typically, most registrars just require a copy of your DL on company headed notepaper and some trivial other stuff. I've had to do it for domains that were legitimately our company's several times.

Though with that said, security really shouldn't depend on DNS if it's being done properly. I'd be interested to hear what the actual method of attack was just to see if it's one I've heard of.

This was explained in the blog post but essentially they redirected emails to a server under their control and got sent a password reset link.

Fiyasko

legendary

Activity: 1428

Merit: 1001

Okey Dokey Lokey

Goes to show how competent Site5 is.
This is seriously not BitInstants fault

Richy_T

legendary

Activity: 2674

Merit: 2373

1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k

Quote from: Morblias on March 08, 2013, 11:40:43 AM

Comment from Site5

Quote

Hi everyone,

We conducted a full investigation internally and this in no way was due to any slip in our security. The only reason the attacker was able to add an email and take over this account was because they knew the two answers to the security questions on this account. They did not receive that information from us in anyway. We take security very seriously and have stringent safe guards in place to prevent social engineering.

Here is our public post as well with details:
http://www.site5.com/blog/s5/security-and-social-engineering/20130307/

Please let me know if you have any questions,
Thanks, Ben
CEO at Site5

I guess it only takes 2 security questions to gain access. Is this typical for site registrar's? I would think something as important as a business website would be protected by more then 2 questions.

Security questions are about the dumbest kind of "security enhancement" out there. Especially when they are used as a way to get around a password (I can keep a password secret, I can't keep my mother's maiden name secret and any question which isn't public record is probably easily findable (favorite authors, bands etc) or has been used on a dozen other sites). It's like the people implementing security out there (or at least the people in charge of them) are sheep, only able to consider and adopt the latest fad non-security measure and not able to sit down, read some papers and comprehend and work things from the ground up.

DAMMIT THESE ARE SOLVED PROBLEMS, PEOPLE!!!

Sorry for the rant.

Morblias

hero member

Activity: 576

Merit: 500

Comment from Site5

Quote

Hi everyone,

We conducted a full investigation internally and this in no way was due to any slip in our security. The only reason the attacker was able to add an email and take over this account was because they knew the two answers to the security questions on this account. They did not receive that information from us in anyway. We take security very seriously and have stringent safe guards in place to prevent social engineering.

Here is our public post as well with details:
http://www.site5.com/blog/s5/security-and-social-engineering/20130307/

Please let me know if you have any questions,
Thanks, Ben
CEO at Site5

I guess it only takes 2 security questions to gain access. Is this typical for site registrar's? I would think something as important as a business website would be protected by more then 2 questions.

malevolent

legendary

Activity: 3472

Merit: 1727

Quote from: Gareth Nelson on March 08, 2013, 10:47:00 AM

Again, not commenting either way until seeking legal advice, customers aren't affected by this so it's not as high priority as it would be if we'd lost customer funds. Basically, it's BitInstant that takes the hit, not our clients.

Well, if you DO manage to regain the lost money let us know on the forums and how you did it, it might be useful to some.

DeathAndTaxes

donator

Activity: 1218

Merit: 1080

Gerald Davis

Quote from: Richy_T on March 08, 2013, 10:52:33 AM

Though with that said, security really shouldn't depend on DNS if it's being done properly. I'd be interested to hear what the actual method of attack was just to see if it's one I've heard of.

Agreed though it wasn't BitInstant's security which was compromised it was VirWox.

VirWox WTF are you thinking? It is 2013. Implement 2FA on your exchange or shut down. Period.

Richy_T

legendary

Activity: 2674

Merit: 2373

1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k

Quote from: Richy_T on March 08, 2013, 10:46:33 AM

I haven't heard the full details but once you have control of a domain name, there's a lot you can do. If you can reset or recover your password with an email, if someone gets the domain, they can redirect all email to that domain to their own mail server. Et voila, they're in. If your site doesn't use HTTPS (and possibly even if it does), there are man-in-the-middle attacks.

It's even not terribly hard to take control of a domain name even without social engineering. Typically, most registrars just require a copy of your DL on company headed notepaper and some trivial other stuff. I've had to do it for domains that were legitimately our company's several times.

Though with that said, security really shouldn't depend on DNS if it's being done properly. I'd be interested to hear what the actual method of attack was just to see if it's one I've heard of.

Gareth Nelson

hero member

Activity: 721

Merit: 503

Quote from: malevolent on March 08, 2013, 10:35:09 AM

Quote from: Gareth Nelson on March 08, 2013, 10:10:26 AM

Quote from: Morblias on March 08, 2013, 09:51:43 AM

Quote from: Gareth Nelson on March 08, 2013, 01:15:06 AM

We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Just curious, since this was 100% the domain registrar's fault, do they compensate you for the loss?

In an ideal world they would, there's a possibility we could hold them liable but i'd not want to comment on that either way without taking legal advice first.

What was the ToS and what is the law in the country the company is based in? Don't repeat Bitcoinica's, Slush's and others' mistakes IIRC they didn't try to recover the money (almost a quarter of a million $) via legal routes.

Again, not commenting either way until seeking legal advice, customers aren't affected by this so it's not as high priority as it would be if we'd lost customer funds. Basically, it's BitInstant that takes the hit, not our clients.

Richy_T

legendary

Activity: 2674

Merit: 2373

1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k

I haven't heard the full details but once you have control of a domain name, there's a lot you can do. If you can reset or recover your password with an email, if someone gets the domain, they can redirect all email to that domain to their own mail server. Et voila, they're in. If your site doesn't use HTTPS (and possibly even if it does), there are man-in-the-middle attacks.

It's even not terribly hard to take control of a domain name even without social engineering. Typically, most registrars just require a copy of your DL on company headed notepaper and some trivial other stuff. I've had to do it for domains that were legitimately our company's several times.

malevolent

legendary

Activity: 3472

Merit: 1727

Quote from: Gareth Nelson on March 08, 2013, 10:10:26 AM

Quote from: Morblias on March 08, 2013, 09:51:43 AM

Quote from: Gareth Nelson on March 08, 2013, 01:15:06 AM

We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Just curious, since this was 100% the domain registrar's fault, do they compensate you for the loss?

In an ideal world they would, there's a possibility we could hold them liable but i'd not want to comment on that either way without taking legal advice first.

What was the ToS and what is the law in the country the company is based in? Don't repeat Bitcoinica's, Slush's and others' mistakes IIRC they didn't try to recover the money (almost a quarter of a million $) via legal routes.

Gareth Nelson

hero member

Activity: 721

Merit: 503

Quote from: Morblias on March 08, 2013, 09:51:43 AM

Quote from: Gareth Nelson on March 08, 2013, 01:15:06 AM

We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Just curious, since this was 100% the domain registrar's fault, do they compensate you for the loss?

In an ideal world they would, there's a possibility we could hold them liable but i'd not want to comment on that either way without taking legal advice first.

Morblias

hero member

Activity: 576

Merit: 500

Quote from: Gareth Nelson on March 08, 2013, 01:15:06 AM

We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Just curious, since this was 100% the domain registrar's fault, do they compensate you for the loss?

bullioner

full member

Activity: 166

Merit: 101

Quote from: Gareth Nelson on March 08, 2013, 01:15:06 AM

We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Roll on the day when we can securely register names via some kind of global proof-of-work-based transaction log, providing a secure basis for every aspect of name registration.

piramida

legendary

Activity: 1176

Merit: 1010

Borsche

Quote from: apetersson on March 08, 2013, 03:51:41 AM

the description of the hack sounded like an awful lot of work and risk for only 333 BTC. Where i live, you earn that easily in three months of honest work as a developer.

Well if it originated in Russia it could be an annual salary; but nevertheless, obviously thiefs were aiming for more, but that's the most they managed to get out in that 12 hours or how long they owned the domain. The hack itself cost hundreds of dollars, so it definitely paid off anyway.

There is a good lesson in all of this. Don't register your domains with cheap shops. Keep your security questions unguessable. No, you don't have to use your actual mother's maiden name.

pinger

legendary

Activity: 1512

Merit: 1001

Bitcoin - Resistance is futile

Quote from: apetersson on March 08, 2013, 03:51:41 AM

the description of the hack sounded like an awful lot of work and risk for only 333 BTC. Where i live, you earn that easily in three months of honest work as a developer.

Maybe it was just an attention touch.

apetersson

hero member

Activity: 668

Merit: 501

the description of the hack sounded like an awful lot of work and risk for only 333 BTC. Where i live, you earn that easily in three months of honest work as a developer.

pinger

legendary

Activity: 1512

Merit: 1001

Bitcoin - Resistance is futile

Quote from: Gareth Nelson on March 08, 2013, 01:15:06 AM

We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Thanks for the link Gareth

creativex

sr. member

Activity: 434

Merit: 250

I've tried to use bitinstant several times in the last couple days, but there's always an error. Huh

Gareth Nelson

hero member

Activity: 721

Merit: 503

We posted full details of the incident here:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

twolifeinexile

full member

Activity: 154

Merit: 100

Quote from: Morblias on March 06, 2013, 10:04:39 AM

Quote

However, says the post, various security measures, such as multi-factor authentication and auto lockdowns prevented any more theft and no personal or transactional information from users has been leaked.

+1 for BitInstant

unfornately to BitInstant, but it seems their security practice prevented a much bigger disaster.

Morblias

hero member

Activity: 576

Merit: 500

Quote

However, says the post, various security measures, such as multi-factor authentication and auto lockdowns prevented any more theft and no personal or transactional information from users has been leaked.

+1 for BitInstant

Blazr

hero member

Activity: 882

Merit: 1006

It wasn't the hosting company it was the domain registrar, they used Site5 to register the domain and the hacker convinced them to hand over control of the domain name to him/her. IMO it isn't such a good idea to use Site5 to register domains seeing as it isn't actually an accredited registrar but a reseller for eNom.

I've seen similar happen before, I don't know the exact details of this attack, but the problem of using a reseller like Site5 is that eNom, the actual registrar, don't have the customers details on file, and a hacker can contact eNom directly claiming to own the domain and they would have no idea if its true or not.

Herodes

hero member

Activity: 868

Merit: 1000

Quote from: bullioner on March 06, 2013, 08:07:01 AM

In which case, why are Bitinstant using virtual servers hosted by someone else?

A good question - perhaps Bitinstant can answer it ?

bullioner

full member

Activity: 166

Merit: 101

The article doesn't explain the vector from getting access to domain registration administration via the domain registrar, to how the Bitcoins were stolen. It isn't obvious what this vector would be, and must depend on the specifics of Bitinstant's setup. Does anyone have more details on this? Was it actually that they got access to a virtual server? In which case, why are Bitinstant using virtual servers hosted by someone else?

Herodes

hero member

Activity: 868

Merit: 1000

Quote from: proudhon on March 06, 2013, 07:55:40 AM

Hosting companies and the like have become fruitful attack vectors. A lot of them clearly don't take security seriously enough if you can call up or write in with a close enough looking email address and get elevated rights.

Well - for the average customer - security is good enough - bitcoin businesses on the other hand has a lot higher demands for security.

proudhon

legendary

Activity: 2198

Merit: 1311

Hosting companies and the like have become fruitful attack vectors. A lot of them clearly don't take security seriously enough if you can call up or write in with a close enough looking email address and get elevated rights.

Herodes

hero member

Activity: 868

Merit: 1000

12K USD was an unfortunate loss, but I do think that this also showed that BitInstant had security measures in place, it could've been worse. This sounds like basically one of the worst things that can happen.

But now that this vector of attach has been revealed, it's time to learn and secure it even more.

Digikeys

member

Activity: 115

Merit: 10

Quote from: piramida on March 06, 2013, 07:12:35 AM

12 000 dollars, really? my grandma gets regularly hacked for more money.

+2 for piramida.. I lol'd at this and the 'religion permits you from using google'

Well played sir.

piramida

legendary

Activity: 1176

Merit: 1010

Borsche

12 000 dollars, really? my grandma gets regularly hacked for more money.

pinger

legendary

Activity: 1512

Merit: 1001

Bitcoin - Resistance is futile

Well, is not like that, But it looks that Bitinstant was hacked.

http://www.finextra.com/News/FullStory.aspx?newsitemid=24607

So sell your BTC now, so I can buy more.

Topic: Sell, sell, sell The hack of Bitcoin 2013 again (Read 2984 times)