Bitcoin Forum

Other => Beginners & Help => Topic started by: mjoz on June 19, 2011, 11:49:21 PM



Title: MTGOX learns a lesson on cyber security, so should you
Post by: mjoz on June 19, 2011, 11:49:21 PM
Rumor mill says it was an SQL injection attack that allowed the hacker to steal the user database. Protecting against an SQL injection attack on a website is fairly trivial, which makes me doubt the ability and "security sense" of whoever developed that site.

To my knowledge they have not said if the database compromise led to the hacked account. It seems very likely though; with access to the password hash, weak passwords can be easily dictionary-attacked or brute-forced. Why anyone with 500k bitcoins would have a weak password leaves me guessing though. This is a lesson everyone can learn from: if your password is not long, random, and mixed with letters, symbols and numbers, you're at risk.

What is even more scary is that it appears the e-mail accounts on the list are now being attacked. If someone compromises your e-mail box you're generally screwed, as they can then reset passwords on other websites with lax security like MTGOX.
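The injection the post is talking about, as an added example that is not code from the original thread and not MtGox's code (nobody in the thread has seen that; the rumor is all the page carries). It uses a constructed in-memory SQLite table with two made-up users, a login query built by string formatting next to the same query with bound parameters, and two classic username-field payloads: one that comments out the password check, and one that appends a UNION to read every username and hash out of the table, which is the "steal the user database" outcome. The `pw_hash` helper is a placeholder for whatever the site stores; the injection does not depend on it.

```python
import hashlib
import sqlite3


def pw_hash(password: str) -> str:
    # Stand-in for whatever the site stores in the password column. The payloads
    # below land in the username field, so the hashing scheme is irrelevant to them.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for an exchange's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", pw_hash("hunter2")), ("bob", pw_hash("correct horse"))],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """Query built by string formatting: the user's input becomes part of the SQL text."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, pw_hash(password))
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """Same query with bound parameters: the input is passed as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, pw_hash(password))))


# Constructed payloads for the username field.
# BYPASS turns the WHERE clause into  username = 'x' OR 1=1  and comments out the
# password check, so every row matches. DUMP appends a UNION that returns
# "username:hash" for every user, i.e. the whole credential table.
BYPASS = "x' OR 1=1 --"
DUMP = "x' UNION SELECT username || ':' || password_hash FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass :", login_vulnerable(db, BYPASS, "anything"))
    print("vulnerable, dump   :", login_vulnerable(db, DUMP, "anything"))
    print("safe, bypass       :", login_safe(db, BYPASS, "anything"))
    print("safe, real creds   :", login_safe(db, "alice", "hunter2"))
```

The fix is the one-line change from `%` formatting to a placeholder tuple: with parameters bound, the same payloads are just usernames that match no row. Escaping quotes by hand is not a substitute; the parameterized form is what makes the check "fairly trivial".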


Title: Re: MTGOX learns a lesson on cyber security, so should you
Post by: hiipii on June 20, 2011, 12:17:35 AM
It really is aggravating seeing such a security-sensitive site being compromised with an SQL injection. This stuff was covered when I took an introductory web class.


Title: Re: MTGOX learns a lesson on cyber security, so should you
Post by: fascistmuffin on June 20, 2011, 12:21:54 AM
"' RIGHT JOIN TABLE USERS; --

Dammit, didn't work.


Title: Re: MTGOX learns a lesson on cyber security, so should you
Post by: Bittie on June 20, 2011, 12:55:53 AM
I used a Windows install to see what infections I could pick up. Registered with bit faucet. 1/2 hr later attacks from various IPs, mainly 91.213.175.240 + 8.15.246.44


Title: Re: MTGOX learns a lesson on cyber security, so should you
Post by: mmavipc on June 20, 2011, 01:07:06 AM
I used a Windows install to see what infections I could pick up. Registered with bit faucet. 1/2 hr later attacks from various IPs, mainly 91.213.175.240 + 8.15.246.44

are you talking about this http://freebitcoins.appspot.com/recent_sends ?


Title: Re: MTGOX learns a lesson on cyber security, so should you
Post by: agedet on June 20, 2011, 01:08:58 AM
MtGox sucks, gonna see if Tradehill is any better.  Used code TH-R15720 when signing up to get reduced fees.


Title: Re: MTGOX learns a lesson on cyber security, so should you
Post by: Bittie on June 20, 2011, 01:16:14 AM
I used a Windows install to see what infections I could pick up. Registered with bit faucet. 1/2 hr later attacks from various IPs, mainly 91.213.175.240 + 8.15.246.44

are you talking about this http://freebitcoins.appspot.com/recent_sends ?

Yes... See how they list all the IPs?
Perfect for port attacks + sniffing, as you know the IP will have a coin client + wallet... :o


Title: Re: MTGOX learns a lesson on cyber security, so should you
Post by: rcsheets on June 20, 2011, 02:37:48 AM
In their defense, they didn't start up with a million dollar budget and man years of development time. It was a hobby project that got out of hand quickly.
You don't need a million dollars to store passwords properly. See http://codahale.com/how-to-safely-store-a-password/ for example. The software libraries for doing this correctly are free.
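Both points above, that hashes leak weak passwords to a dictionary attack (mjoz's first post) and that storing passwords properly is free (this reply), in one added example; this is not code from the thread, from the codahale article or from MtGox. The wordlist, the three users and their passwords are constructed for the demo. The article linked above recommends bcrypt; that is not in the Python standard library, so this example uses `hashlib.pbkdf2_hmac`, the stdlib's salted, iterated alternative, and the cracking loop is written against it. The iteration count is deliberately low so the demo finishes in a second or two; production code wants a much higher work factor (or bcrypt/scrypt/Argon2).

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "bitcoin", "mtgox"]

# Demo work factor only. Real deployments use far more iterations (hundreds of
# thousands for PBKDF2-SHA256); the point is that every single guess pays it.
ITERATIONS = 100_000


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(hashes: dict, wordlist) -> dict:
    """Unsalted fast hash: hash the wordlist once, then recover every user by lookup.
    Cost is len(wordlist) hashes no matter how many users are in the dump."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash. Stored as pbkdf2_sha256$<iters>$<salt hex>$<dk hex>."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def crack_salted(records: dict, wordlist) -> dict:
    """With per-user salts there is no shared lookup table: every (user, guess)
    pair costs a full derivation, so cost scales with users x words x iterations."""
    found = {}
    for user, stored in records.items():
        for word in wordlist:
            if verify_password(word, stored):
                found[user] = word
                break
    return found


def demo():
    # Constructed users: two weak passwords that are in the wordlist, one that is not.
    users = {"alice": "123456", "bob": "bitcoin", "carol": "gB7#vQ2!mX9pL4wz"}
    md5_db = {u: md5_hex(p) for u, p in users.items()}
    pbkdf2_db = {u: hash_password(p) for u, p in users.items()}

    t0 = time.perf_counter()
    weak = crack_unsalted_md5(md5_db, WORDLIST)
    t_md5 = time.perf_counter() - t0

    t0 = time.perf_counter()
    slow = crack_salted(pbkdf2_db, WORDLIST)
    t_pbkdf2 = time.perf_counter() - t0
    return weak, slow, t_md5, t_pbkdf2


if __name__ == "__main__":
    weak, slow, t_md5, t_pbkdf2 = demo()
    print(f"unsalted MD5 : cracked {weak} in {t_md5:.4f}s")
    print(f"salted PBKDF2: cracked {slow} in {t_pbkdf2:.2f}s")
```

Run it and the two cracked sets are the same: alice and bob fall either way, because a password that is in the dictionary is lost no matter how it is hashed, which is mjoz's point. What changes is the bill: the MD5 dump is cracked with six hash computations for any number of users, while the salted, iterated store charges a full derivation per user per guess, which is what buys users time to change passwords after a dump and is the reason the linked article exists.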


Title: Re: MTGOX learns a lesson on cyber security, so should you
Post by: tnkflx on June 21, 2011, 10:11:26 AM
Rumor mill says it was an SQL injection attack that allowed the hacker to steal the user database.  Protecting against an SQL injection attack on a website is fairly trivial which makes me doubt the ability and "security sense" of whomever developed that site. 

You are probably referring to this:
http://seclists.org/fulldisclosure/2011/Jun/417 and http://seclists.org/fulldisclosure/2011/Jun/418?


Title: Re: MTGOX learns a lesson on cyber security, so should you
Post by: TerraHertz on June 21, 2011, 11:03:08 AM
Bitcoin. Bringing hackers, naive users and serious money together, since 2011

What could possibly go wrong?


Title: Re: MTGOX learns a lesson on cyber security, so should you
Post by: Sannyasi on June 21, 2011, 11:14:36 AM
ignorance......

Yay, I have another post to get out of the newb section... then I can waste my time on topics that I give a shit about.

LET THE TROLLS FEED ON EACH OTHER!