Bitcoin Forum

Other => Meta => Topic started by: Xiaoxiao on May 26, 2015, 02:00:45 AM



Title: Are these attacks preventable?
Post by: Xiaoxiao on May 26, 2015, 02:00:45 AM
Bitcointalk is pretty important to the crypto community.  Were these attacks preventable?


Title: Re: Are these attacks preventable?
Post by: Vod on May 26, 2015, 02:06:03 AM
Bitcointalk is pretty important to the crypto community.  Were these attacks preventable?

It's hard if not impossible to protect against social engineering.


Title: Re: Are these attacks preventable?
Post by: 🏰 TradeFortress 🏰 on May 26, 2015, 02:08:19 AM
Bitcointalk is pretty important to the crypto community.  Were these attacks preventable?

It's hard if not impossible to protect against social engineering.

Not _that_ hard.

"Please do not perform any actions on my account without a signed PGP message".


Title: Re: Are these attacks preventable?
Post by: Quickseller on May 26, 2015, 02:15:03 AM
Pretty much all attacks are preventable. The real question is was the recent attack reasonably able to be anticipated? Until theymos can figure out what exactly happened that allowed who was potentially TF access to the KVM then it will be difficult to know if the attack could reasonably be anticipated.


Title: Re: Are these attacks preventable?
Post by: Vod on May 26, 2015, 02:18:44 AM
Bitcointalk is pretty important to the crypto community.  Were these attacks preventable?

It's hard if not impossible to protect against social engineering.

Not _that_ hard.

"Please do not perform any actions on my account without a signed PGP message".

Didn't you claim to be the victim of a hack yourself, before disappearing with thousands of coins?   ::)

It's impossible to prevent against social engineering.  A sympathetic moron will always do the wrong thing.


Title: Re: Are these attacks preventable?
Post by: gmaxwell on May 26, 2015, 06:28:43 AM
"Please do not perform any actions on my account without a signed PGP message".
These instructions are routinely ignored, seen it myself many times.  They either don't see it at all and just follow the ordinary procedure or are easily convinced by things like "but that key is _on_ that server and my other backup was erased, that's why I need in!" Of course, actual users do things like this-- which is part of why the social engineering works so well.  Even if it doesn't fail that way, they'll likely use the age old xkcd (https://xkcd.com/1181/) method for verifying the signature.

Of course, maybe if someone can't even pull off sounding like a competent adult on the phone; then perhaps they'll have a harder time convincing a facilities operator to do the wrong thing.  I understand in this case the attacker(s) came off as barely literate. (but again, since plenty of legitimate customers are barely literate...)

Pretty much all attacks are preventable. The real question is was the recent attack reasonably able to be anticipated?
And at what cost. Without anyone knowing the details we can probably guess that having the equipment in its own, isolated, security facility, behind armed guards and no remote administrative access would likely have prevented this issue (and many others-- since the site would probably be down most of the time ... :) ) but that kind of cost is hardly justified for the forum.


Title: Re: Are these attacks preventable?
Post by: notlist3d on May 26, 2015, 07:53:58 AM
Bitcointalk is pretty important to the crypto community.  Were these attacks preventable?

It's hard if not impossible to protect against social engineering.

Not _that_ hard.

"Please do not perform any actions on my account without a signed PGP message".

Didn't you claim to be the victim of a hack yourself, before disappearing with thousands of coins?   ::)

It's impossible to prevent against social engineering.  A sympathetic moron will always do the wrong thing.

It should be preventable but as long as a human is involved I agree it is always possible sadly.  I mean we really don't know if there was an inside man, an idiot worker, etc.

Whoever on data center side who helped should be fired.  I did user provisioning for a while as part of a job I had.  If you could not be verified 100 percent I did not give access.   It was not fun telling anyone but especially someone they would have to wait... but I did it. 

It was a massive company not a data center though.  So security for on accounts with there being company secrets, private info, internal figures, etc was treated very seriously.


Title: Re: Are these attacks preventable?
Post by: XinXan on May 26, 2015, 08:07:13 AM
Obviously it is not, it's impossible. I'm sure you know a lot of cases of way bigger companies getting hacked and when I say way bigger I mean the biggest, for fuck sake even NASA got hacked by a kid. It's plain impossible to prevent such a thing if someone skilled enough is willing to attack the forum.


Title: Re: Are these attacks preventable?
Post by: Gervais on May 26, 2015, 08:33:18 AM
It's impossible to protect yourself 100% and there's always weaknesses and vulnerabilities and things that can be cleverly bypassed. Even 2-factor isn't foolproof. A hacker could call your mobile phone provider if he got enough details and convince them that your phone was stolen or whatnot and to block the phone and send a new sim to his address or something. Similar things have happened before. You can also reset things like google auth so nothing is ever watertight, it's just about minimizing risk and keeping yourself protected as much as you can.


Title: Re: Are these attacks preventable?
Post by: Beefcake on May 26, 2015, 08:37:53 AM
The intelligence and creativity of the best hackers astounds me.  I hate to say it but as soon as one hole is plugged another will be opened.  One way or another any website with a target on its back will be hacked.  I don't think it's possible to prevent it 100% of the time.

I am not saying that this is a particularly creative or intelligent attack, as I do not really know the details.


Title: Re: Are these attacks preventable?
Post by: 2112 on May 26, 2015, 09:24:49 AM
Easily preventable on two levels:

1) collocate your own equipment in a remote data center. The customer service staff will simply have no access to it besides being able to press buttons on the box.

2) use non-commodity hardware like Oracle SPARC or IBM POWER or HP Integrity/Itanium.  Then even if they manage to steal it they most likely will not be able to get the data off of it without specialized assistance.

Edit: Also, don't run Linux on those machines, but their native OS: Solaris, AIX, HP/UX respectively.


Title: Re: Are these attacks preventable?
Post by: Xialla on May 26, 2015, 11:09:09 AM
It's hard if not impossible to protect against social engineering.

uhh? all depends, how much money you want to spend to train personnel and invest in security..


Title: Re: Are these attacks preventable?
Post by: Xialla on May 26, 2015, 12:37:40 PM
^^ this.

"ponzi" section is somehow ok, because at least all of this shit is concentrated on one subsection and they are not even trying to infect other sections.

but I really dunno, why is officially enabled here to sell and buy accounts, even hero/legendary with years of history and green trust.


Title: Re: Are these attacks preventable?
Post by: hilariousandco on May 26, 2015, 12:41:28 PM
Ponzis are ok but selling accounts isn't? Selling accounts is allowed because banning their sale wouldn't stop it from going on, but this has been discussed to death and just goes round and round. Just do a search for the many other threads.


Title: Re: Are these attacks preventable?
Post by: Quickseller on May 26, 2015, 12:55:56 PM

Pretty much all attacks are preventable. The real question is was the recent attack reasonably able to be anticipated?
And at what cost. Without anyone knowing the details we can probably guess that having the equipment in its own, isolated, security facility, behind armed guards and no remote administrative access would likely have prevented this issue (and many others-- since the site would probably be down most of the time ... :) ) but that kind of cost is hardly justified for the forum.
I believe that in the post that theymos made prior to moving the forum to a new data center that the server that hosts the DB is now using FDE that would have prevented this attack, although the Google cache of the thread has since been overwritten so I can't see what exactly he wrote.

Sure, you can spend exorbitant amounts of money on security to prevent *all* possible attacks however doing so would probably be defending against attacks that will never materialize. If you can reasonably anticipate what an attacker is going to try then you can make your security budget more reasonable.

One thing that could have prevented the attack would be the data center refusing to reset the password for say 24 hours after receiving a request to do so (and to send out a notification of a password reset request in the meantime). This would have allowed theymos to become aware of the situation prior to the attacker gaining access to the server although it could mean that we would have 24 hours of downtime in the event that theymos ever loses his password.
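
[Added example, not part of Quickseller's post and not any data center's actual procedure: a sketch of the delayed-reset control described above, where the notice goes to the contact already on file and the operator cannot run the reset before the hold expires. The `ResetDesk` class, account name, address and timestamps are hypothetical and constructed for illustration.]

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOLD = timedelta(hours=24)  # the waiting period suggested in the post


@dataclass
class ResetDesk:
    contacts: dict                                # account -> contact registered in advance
    pending: dict = field(default_factory=dict)   # account -> time of first request
    outbox: list = field(default_factory=list)    # (recipient, message) notices sent

    def request(self, account, now):
        """Record a reset request and notify the contact on file."""
        if account not in self.contacts:
            return "rejected: unknown account"
        # Repeat requests keep the first timestamp but still trigger a notice.
        first = self.pending.setdefault(account, now)
        # The notice goes to the pre-registered contact, never to an
        # address or phone number supplied by the person asking.
        self.outbox.append((
            self.contacts[account],
            f"Password reset requested for {account} at {now:%Y-%m-%d %H:%M}; "
            f"it runs after {first + HOLD:%Y-%m-%d %H:%M} unless cancelled.",
        ))
        return "pending"

    def cancel(self, account):
        """Owner, alerted by the notice, withdraws the request."""
        return self.pending.pop(account, None) is not None

    def execute(self, account, now):
        """Perform the reset only for a live request whose hold has elapsed."""
        first = self.pending.get(account)
        if first is None:
            return "refused: no pending request"
        if now - first < HOLD:
            return "refused: hold period not over"
        del self.pending[account]
        return "reset performed"


def demo():
    desk = ResetDesk(contacts={"forum-db": "owner@example.org"})
    t0 = datetime(2015, 1, 1, 9, 0)  # constructed timestamp
    results = [
        desk.request("forum-db", t0),
        desk.execute("forum-db", t0 + timedelta(hours=1)),   # caller pushes for speed
        desk.cancel("forum-db"),                              # owner saw the notice
        desk.execute("forum-db", t0 + timedelta(hours=25)),  # nothing left to run
    ]
    return results, desk.outbox
```

The trade-off named in the post shows up directly: a legitimate owner who has lost the password also waits the full `HOLD` before `execute` succeeds.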


Title: Re: Are these attacks preventable?
Post by: Beefcake on May 27, 2015, 02:05:21 PM
because banning their sale wouldn't stop it from going on

That's like saying: We don't ban child porn, because there will always be pedophiles.

You can't prevent anything completely, but you can reduce the bad impact and stop it from happening on your forum.

This is true, but how much time would it take to really monitor all account sales?  You would need at least one full time position to do this.  Maybe the forum staff feel that their time is better spent elsewhere?


Title: Re: Are these attacks preventable?
Post by: redsn0w on May 27, 2015, 06:03:28 PM
because banning their sale wouldn't stop it from going on

That's like saying: We don't ban child porn, because there will always be pedophiles.

You can't prevent anything completely, but you can reduce the bad impact and stop it from happening on your forum.

Woow, really nice point of view... now I think the things should change here in the forum (only for a question of security, nothing else).


...
This is true, but how much time would it take to really monitor all account sales?  You would need at least one full time position to do this.  Maybe the forum staff feel that their time is better spent elsewhere?

Maybe with a single forum rule you can discourage the forum account buying/selling (but a lot of censorship is not really a good thing, but if the forum is always attacked ... the things *must* change).


Title: Re: Are these attacks preventable?
Post by: dogie on May 27, 2015, 07:31:32 PM
Maybe with a single forum rule you can discourage the forum account buying/selling (but a lot of censorship is not really a good thing, but if the forum is always attacked ... the things *must* change).

The forum *is* under constant attack, but the only attacks you hear about are the ones you get through. Then Theymos gets blamed, not praised for the 500 he thwarted passively.


Title: Re: Are these attacks preventable?
Post by: IDKwhatimdoing on May 27, 2015, 07:54:24 PM
Preventable? maybe not.... epically diverted by theymos? apparently yes ;D ;D ;D

serious tho... social engineering is screwed up :D it always seems to work and people don't have any real security measures for it...... everyone thinks everyone is trustable


Title: Re: Are these attacks preventable?
Post by: iopq on May 27, 2015, 11:17:23 PM
2) use non-commodity hardware like Oracle SPARC or IBM POWER or HP Integrity/Itanium.  Then even if they manage to steal it they most likely will not be able to get the data off of it without specialized assistance.

Edit: Also, don't run Linux on those machines, but their native OS: Solaris, AIX, HP/UX respectively.


This is called security by obscurity. It works until it doesn't, and the guy happens to know how to work that system. Does it make you safer? Maybe. Is it worth your time doing this compared to other measures? Probably not.

It's probably safer to know how to secure Linux than to use a system you are not familiar with.


Title: Re: Are these attacks preventable?
Post by: 2112 on May 27, 2015, 11:32:37 PM
This is called security by obscurity. It works until it doesn't, and the guy happens to know how to work that system. Does it make you safer? Maybe. Is it worth your time doing this compared to other measures? Probably not.

It's probably safer to know how to secure Linux than to use a system you are not familiar with.
You are actually completely wrong. Those systems are significantly safer for two reasons:

1) they are (AIX & Solaris) or support (HP/UX with their PA/RISC emulation) big-endian binaries which for some strange but reproducible reasons seem to confound the vast majority of hackers/crackers and other mediocre programmers.

2) they are targeted for psychologically mature customers with stable requirements and not beholden to chasing most recent advance, change, regression, marketing trick of Microsoft, Google, and many others.

Definitely there's a component of obscurity in their safety, but it is a good obscurity, not a marketing euphemism for weak secrecy.

The true, large scale, hacking statistics are hard to come by. I believe the F5 Networks has the best statistics gathered through their application delivery appliances. But they keep it secret besides disclosing a little in their configuration examples how to remap the HTTP server names & fingerprints to trip up automated & scripted hacking tools.