Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Nefario on June 02, 2012, 11:45:30 AM



Title: I suspect GPUMax was compromised and passwords stolen
Post by: Nefario on June 02, 2012, 11:45:30 AM
In the last 24 hours there have been two GLBSE accounts (that I know of) that have been cleared out.

The common theme between them is that both users had GPUMax accounts, with passwords that were either the same (as the GLBSE accounts password) or similar.

I emailed the GPUMax website yesterday (the email in their whois records as there isn't anything on the site) to inform them of this.

Since I've not seen any notice regarding GPUMax I feel that it is my responsibility to bring this to public attention.

If you have a GPUMax account it is highly likely that its password has somehow been compromised.

If you use the same or a similar password elsewhere (GLBSE, MtGox, Email whatever) please change them now.

If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.

Nefario.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: imsaguy on June 02, 2012, 12:30:16 PM
In the last 24 hours there have been two GLBSE accounts (that I know of) that have been cleared out.

The common theme between them is that both users had GPUMax accounts, with passwords that were either the same (as the GLBSE accounts password) or similar.

I emailed the GPUMax website yesterday (the email in their whois records as there isn't anything on the site) to inform them of this.

Since I've not seen any notice regarding GPUMax I feel that it is my responsibility to bring this to public attention.

If you have a GPUMax account it is highly likely that its password has somehow been compromised.

If you use the same or a similar password elsewhere (GLBSE, MtGox, Email whatever) please change them now.

If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.

Nefario.

If the people used the same or similar password on 2 sites, isn't it reasonable to expect that they used it on other sites as well?


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: cunicula on June 02, 2012, 12:37:35 PM
Perhaps nothing is compromised, but it is just the operator exploiting his password haul?


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: pirateat40 on June 02, 2012, 12:50:20 PM
We have a lot of users and I guess since your users have a GPUMAX account with the "same" password it must have been us that leaked them.  If users are using the same password on GLBSE and GPUMAX, you can be pretty sure they're using the same password for other sites as well.

Our users' information is hashed and salted using the latest cryptography methods available.  I can assure you, we didn't leak anything.

On a side note, considering you know who runs GPUMAX, you could have easily sent me PM before spreading more FUD in the market.

Edit:  Our whois lists support@gpumax.com which shows nothing from you or anything related to security. Found it hiding in the spam trap.

-pirate


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: cunicula on June 02, 2012, 01:23:00 PM
In the last 24 hours there have been two GLBSE accounts (that I know of) that have been cleared out.

The common theme between them is that both users had GPUMax accounts, with passwords that were either the same (as the GLBSE accounts password) or similar.

I emailed the GPUMax website yesterday (the email in their whois records as there isn't anything on the site) to inform them of this.

Since I've not seen any notice regarding GPUMax I feel that it is my responsibility to bring this to public attention.

If you have a GPUMax account it is highly likely that its password has somehow been compromised.

If you use the same or a similar password elsewhere (GLBSE, MtGox, Email whatever) please change them now.

If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.

Nefario.

If the people used the same or similar password on 2 sites, isn't it reasonable to expect that they used it on other sites as well?

The question should be what percentage of GBLSE users also use GPUmax? If this percentage is very low, then Nefario is probably right.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: Nefario on June 02, 2012, 01:31:01 PM
We have a lot of users and I guess since your users have a GPUMAX account with the "same" password it must have been us that leaked them.  If users are using the same password on GLBSE and GPUMAX, you can be pretty sure they're using the same password for other sites as well.

Our users' information is hashed and salted using the latest cryptography methods available.  I can assure you, we didn't leak anything.

On a side note, considering you know who runs GPUMAX, you could have easily sent me PM before spreading more FUD in the market.

Edit:  Our whois lists support@gpumax.com which shows nothing from you or anything related to security.

-pirate

Quote
Message-ID: <4FC78BDE.7080708@gmail.com>
Date: Thu, 31 May 2012 16:18:54 +0100
From: Doctor Nefario <doctor.nefario@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0
MIME-Version: 1.0
To: support@gpumax.com
Subject: your site may have been compromised
X-Enigmail-Version: 1.3.4
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

There is a high chance that gpumax.com, or the database with users
passwords have been compromised.

A GLBSE user has had their account logged into and cleared out, they were
using the same login details they use for GPUMax.

Thought you should know.

Nefario


I was not aware GPUMax was run by you, I've had no interest use or need of the service and still don't, I'm only reporting the information I have available.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: terrytibbs on June 02, 2012, 01:35:00 PM
I'll give Dr. Nefario the win for this round.

Round two... fight!


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: rjk on June 02, 2012, 01:35:13 PM
What kind of anti-bot protections does GPUMAX have to prevent automated password retries, if any?


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: pirateat40 on June 02, 2012, 02:05:40 PM
Confirmed, found your email in spam.  Don't know how you got there but I'm sorry about jumping the gun.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: Raoul Duke on June 02, 2012, 02:11:50 PM
Confirmed, found your email in spam.  Don't know how you got there but I'm sorry about jumping the gun.

Spam filters have the terrible habit of sending to spam any email that mentions the word "password" in them.
And the subject line being "your site may have been compromised" also helped lol


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: Nefario on June 02, 2012, 02:33:15 PM
Also regarding hashing and salting passwords, the only secure method is to use BCrypt with a sufficient number of rounds.

MD5, SHA256 (or whatever) hashed hundreds of times simply isn't enough (all these hashing algorithms were meant to be fast); it also depends on what code you are using for this.

Is it a tried and tested library you're using or did you write your own crypto code?

If it's not BCrypt and a well-used library you're using then it's certainly not secure; the latest crypto methods are not the best, the ones that are tried and tested are (think AES, RSA, and in this case BCrypt).


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: BTCurious on June 02, 2012, 02:57:25 PM
For the record, did you suspend withdrawals or is it just the hot wallet that's empty? I did a withdrawal (legit, 2-factor'd) but it's not on the blockchain or in my history. It's deducted from my account though. I sent an email to support before I knew about the stolen password issue.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: terrytibbs on June 02, 2012, 02:58:15 PM
For the record, did you suspend withdrawals or is it just the hot wallet that's empty? I did a withdrawal (legit, 2-factor'd) but it's not on the blockchain or in my history. It's deducted from my account though. I sent an email to support before I knew about the stolen password issue.
It usually takes a while.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: DeathAndTaxes on June 02, 2012, 03:03:21 PM
Also regarding hashing and salting passwords, the only secure method is to use BCrypt with a sufficient number of rounds.

Yeah I am getting tired of this never ending stream of Bitcoin sites claiming they stored passwords properly yet users should change their passwords because their password db was stolen.

If you properly protect your password db and set realistic min password lengths then it shouldn't matter if you are compromised.  The salted passwords are worthless.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: Endgameuser on June 02, 2012, 03:08:33 PM
In the last 24 hours there have been two GLBSE accounts (that I know of) that have been cleared out.

The common theme between them is that both users had GPUMax accounts, with passwords that were either the same (as the GLBSE accounts password) or similar.

I emailed the GPUMax website yesterday (the email in their whois records as there isn't anything on the site) to inform them of this.

Since I've not seen any notice regarding GPUMax I feel that it is my responsibility to bring this to public attention.

If you have a GPUMax account it is highly likely that its password has somehow been compromised.

If you use the same or a similar password elsewhere (GLBSE, MtGox, Email whatever) please change them now.

If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.

Nefario.
How do you know it wasn't the GLBSE database that was compromised? Or some third party website? No offence Nefario but you're really jumping to conclusions here


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: DeathAndTaxes on June 02, 2012, 03:08:45 PM
You really think bcrypt makes a difference when users use the same password all over the place?
And no, bcrypt is not "the only secure method."  There is no secure method.  That kind of thinking leads to compromised applications and systems.

Of course it does.  If every site properly protected their password list it would have no value.
As far as bcrypt is not secure please explain to me how you would brute force an 8 digit bcrypt (work=12) password?

Pretty simple to keep passwords secure.
a) use bcrypt (period, unless you have a degree in cryptography any scheme you can "think" of likely has a couple dozen flaws which are already solved by bcrypt)*
b) require 8 digit password
c) check passwords against "common password list"
d) periodically update the worklevel of bcrypt to keep up with Moore's law


* alternatives to bcrypt are PBKDF2 (Password-Based Key Derivation Function) and scrypt.  Unless you have a pressing reason I would still recommend bcrypt.  scrypt is relatively untested and PBKDF2 uses at its heart SHA-2 which we all know is massively parallelizable.
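The four points above, together with Nefario's earlier post about using a tried-and-tested KDF library rather than home-grown hashing, as an added example that is not GPUMax's, GLBSE's or either poster's code. It uses hashlib.scrypt from Python's standard library as a stand-in for bcrypt (bcrypt is not in the standard library); the record layout, the stored cost parameter, the policy checks and the rehash-on-login are the point, not the choice of KDF. The user names, passwords and common-password list are constructed for the example.

```python
"""Password storage with a stored cost parameter, minimum length, common-password
check and rehash-on-login when the cost is raised.  Added example; not the code
of any site in this thread.  hashlib.scrypt stands in for bcrypt here."""
import hashlib
import hmac
import os

MIN_LENGTH = 8
# Constructed stand-in for a real common-password list (assumption, not a real list).
COMMON_PASSWORDS = {"password", "12345678", "qwertyui", "letmein1", "bitcoin1"}
# scrypt with cost 2**15 and r=8 needs 32 MiB; allow headroom so raising the cost works.
MAXMEM = 64 * 1024 * 1024


def check_policy(password: str) -> None:
    """Reject passwords a dictionary attack finds in seconds no matter how slow the hash."""
    if len(password) < MIN_LENGTH:
        raise ValueError("password must be at least %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        raise ValueError("password is on the common-password list")


def hash_password(password: str, log2_cost: int) -> str:
    """Return a self-describing record 'scrypt$<log2 N>$<salt hex>$<hash hex>'.
    A fresh 16-byte salt per user means equal passwords give different records
    and one precomputed table cannot cover the whole database."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=1 << log2_cost, r=8, p=1, maxmem=MAXMEM, dklen=32)
    return "scrypt$%d$%s$%s" % (log2_cost, salt.hex(), digest.hex())


def record_cost(record: str) -> int:
    """The cost the record was produced with, so old records can be found and upgraded."""
    return int(record.split("$")[1])


def verify_password(password: str, record: str) -> bool:
    algo, log2_cost, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=1 << int(log2_cost), r=8, p=1, maxmem=MAXMEM, dklen=32)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class UserStore:
    """Minimal in-memory user table; raise current_cost over time (point d)."""

    def __init__(self, current_cost: int = 14):
        self.current_cost = current_cost
        self.records = {}

    def register(self, username: str, password: str) -> None:
        check_policy(password)
        self.records[username] = hash_password(password, self.current_cost)

    def login(self, username: str, password: str) -> bool:
        record = self.records.get(username)
        if record is None:
            # Hash anyway so an unknown user name takes as long as a known one.
            hash_password(password, self.current_cost)
            return False
        if not verify_password(password, record):
            return False
        # Login is the only moment the plaintext is available: upgrade stale records here.
        if record_cost(record) < self.current_cost:
            self.records[username] = hash_password(password, self.current_cost)
        return True


if __name__ == "__main__":
    store = UserStore(current_cost=14)
    store.register("alice", "correct horse battery")
    print(store.login("alice", "correct horse battery"))
    store.current_cost = 15
    store.login("alice", "correct horse battery")
    print(record_cost(store.records["alice"]))
```

Storing the cost inside each record is what makes point d workable: nothing in the table has to be rewritten when the cost goes up, and each user's record is upgraded the next time that user logs in. With a real bcrypt library the same design applies, since bcrypt's modular-crypt string already carries its work factor.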


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: rjk on June 02, 2012, 03:44:37 PM
Question: when is someone going to invent a be-all, end-all service that is totally full of awesome and win, and then decide to force all users to use a proper 2-factor authentication system? It needs to happen, and the day it does happen is the day many people realize that it really isn't as hard as they thought, and increase their security awareness accordingly. People are stupid, so they need to be forced to make the right choices, and not conditioned to believe that what happens now is "good enough".


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: Sukrim on June 02, 2012, 04:42:37 PM
The killer service that everyone wants and that highly recommends/nearly requires 2 factor auth is for example World of Warcraft + Diablo III.

Even my web banking account doesn't force me to do 2 factor auth... People are just too lazy/stupid for that. Facebook, Google - you name it, they offer 2FA! I have yet to actually see anyone reaching for their mobile phone though when going on FB or gmail.

Back to topic:
What leads to GPUMax just from a handful of GLBSE accounts being emptied? What about other potential big account pools like deepbit?


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: Daily Anarchist on June 02, 2012, 05:36:59 PM
I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: bitlane on June 02, 2012, 05:44:44 PM
The common theme between them is that both users had GPUMax accounts, with passwords that were either the same (as the GLBSE accounts password) or similar.

That is some fine deductive reasoning....completely obvious if you ask me, ALTHOUGH, before pointing your finger, couldn't you have put another 2 minutes of detective work into formulating your conclusion for all of this?

Perhaps in common, they also had BTC-E accounts ? BitcoinTalk.org accounts ? Common Email providers ? .....used a wallet address as a password ?


If you have a GPUMax account it is highly likely that its password has somehow been compromised.
Obviously....

If you use the same or a similar password elsewhere (GLBSE, MtGox, Email whatever) please change them now.
This smells too much like a weakness on YOUR end and an attempt to cover tracks by asking people to change passwords.


If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.
Over 3 ? .....as in, 4 accounts ?

This entire thread is horse shit.

Considering the growing pains that the GLBSE has gone through, you should be the last one to point fingers at anyone else.



PS. WTF does this have to do with 'Project Development'?


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: molecular on June 02, 2012, 05:46:50 PM
If you are a GLBSE user I would encourage you to use two-factor authentication, there have already been over 3 accounts which have been protected by this.

nefario. this is great, so your effort already paid off. congrats!


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: REF on June 02, 2012, 05:51:19 PM
I'm sure he also asked if they had other accounts besides GPUmax. From what I see he did nothing wrong. He even tried contacting pirate, when he got no response he gave a warning to the community.

I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.

I don't remember where I saw the link but recently nefario posted a link to google auth desktop version.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: bitlane on June 02, 2012, 05:58:54 PM
I'm sure he also asked if they had other accounts besides GPUmax. From what I see he did nothing wrong. He even tried contacting pirate, when he got no response he gave a warning to the community.

I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.

I don't remember where I saw the link but recently nefario posted a link to google auth desktop version.

No, the right thing would have been to tell people to check their passwords and not blindly tell them (as I quoted above) that GPUMAX was to blame for this.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: rjk on June 02, 2012, 06:12:21 PM
I'd love to use two factor auth, but I don't even have a cell phone. Are there other ways to do two factor auth? And are there any plans to implement them soon? I hope so.
Several ways. Yubikey is my personal favorite, but here is a bunch of links:

http://yubico.com/ <-- The makers of the Yubikey
http://www.symantec.com/verisign/vip-authentication-service <-- paid service that PayPal and many others use for authentication. Yubico makes a credential that is compatible with this service as well.
http://onlinenoram.gemalto.com/ <-- TOTP token that AWS uses for authentication, made by Gemalto. This is a dedicated device that can do the same thing as Google Auth, without the phone.
http://motp.sourceforge.net/#7 <-- links to lots of tokens and related software.
https://lastpass.com/ <-- password storage software that works on almost any platform and almost any browser, and that can use 2-factor auth for logging in.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: imsaguy on June 02, 2012, 06:23:22 PM
How many of those users had bitcoinica accounts?


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: bitlane on June 02, 2012, 06:48:08 PM
How many of those users had bitcoinica accounts?

Please stay on topic. This is clearly GPUMAX's fault (as stated in the first post).
It couldn't possibly have anything to do with another service  ::)

...I mean, just look at GPUMAX's (and Pirate's....in general) track record when it comes to security and loss.

Please re-apply tunnel vision and/or add blinders to continue this conversation ;)


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: Stephen Gornick on June 02, 2012, 07:14:49 PM
Probably unrelated, but just wanted to bring it up in case it is relevant:

"My mtgox account got compromised, what can I do?" [June 1, 2012]
 - http://bitcointalk.org/index.php?topic=84585.0


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: FreeMoney on June 02, 2012, 07:44:58 PM
How many of those users had bitcoinica accounts?


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: TT on June 02, 2012, 07:51:12 PM
I've been proposing the following:

Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.

https://bitcointalk.org/index.php?topic=84585.msg937236#msg937236

Please, exchanges, implement this SOON. You cannot implement it soon enough.
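The three-step design above in working form, as an added example that is not TT's code or any exchange's: withdrawal-to-address is a right of its own, withdrawals may only go to a whitelisted address, and changing the whitelist needs a fresh 2FA code. The TOTP code is the RFC 6238 HMAC-SHA1, 30-second, 6-digit variant that Google Authenticator produces; the account, API keys, addresses and balance are constructed, and the TOTP secret is the RFC 6238 test-vector key so the code can be checked. A web session is modelled the same way as an API key: a principal carrying a set of rights.

```python
"""Separate withdraw-to-address right, address whitelist, 2FA-gated whitelist edits.
Added example; not the code of any exchange in this thread."""
import base64
import hashlib
import hmac
import struct

RIGHT_TRADE = "trade"
RIGHT_WITHDRAW_FIAT = "withdraw_fiat"
RIGHT_WITHDRAW_BTC = "withdraw_btc"   # step 1: its own right, granted separately

# RFC 6238 test-vector secret ("12345678901234567890" in base32); constructed for the example.
DEMO_TOTP_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


class AuthError(Exception):
    pass


def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time counter with HMAC-SHA1 and dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock drift."""
    return any(hmac.compare_digest(code, totp(secret_b32, now + k * 30))
               for k in range(-window, window + 1))


class Account:
    def __init__(self, totp_secret_b32: str, balance_btc: float):
        self.totp_secret = totp_secret_b32
        self.balance = balance_btc
        self.whitelist = set()   # step 2: the only addresses a withdrawal may go to
        self.api_keys = {}       # key id (or web session id) -> set of rights

    def issue_api_key(self, key_id: str, rights) -> None:
        self.api_keys[key_id] = set(rights)

    # Step 3: whitelist edits need a fresh 2FA code, never just a password, session or key.
    def add_whitelist_address(self, address: str, code: str, now: int) -> None:
        if not verify_totp(self.totp_secret, code, now):
            raise AuthError("valid 2FA code required to change the withdrawal whitelist")
        self.whitelist.add(address)

    def remove_whitelist_address(self, address: str, code: str, now: int) -> None:
        if not verify_totp(self.totp_secret, code, now):
            raise AuthError("valid 2FA code required to change the withdrawal whitelist")
        self.whitelist.discard(address)

    def withdraw_btc(self, key_id: str, address: str, amount: float) -> float:
        """Send coins to `address` on behalf of `key_id`; returns the remaining balance."""
        rights = self.api_keys.get(key_id)
        if rights is None or RIGHT_WITHDRAW_BTC not in rights:
            raise AuthError("%r lacks the %s right" % (key_id, RIGHT_WITHDRAW_BTC))
        if address not in self.whitelist:
            raise AuthError("address is not on the withdrawal whitelist")
        if amount <= 0 or amount > self.balance:
            raise ValueError("invalid amount")
        self.balance -= amount
        return self.balance


def run_scenario(now: int) -> list:
    """The attack the post describes: the attacker has the dashboard login and API
    keys but not the authenticator.  Returns one outcome string per step."""
    acct = Account(DEMO_TOTP_SECRET, balance_btc=5.0)
    acct.issue_api_key("trade-bot", [RIGHT_TRADE])
    acct.issue_api_key("payout", [RIGHT_WITHDRAW_BTC])
    thief_addr = "1ThiefAddressConstructedForExample"
    owner_addr = "1OwnerAddressConstructedForExample"
    out = []
    for key in ("trade-bot", "payout"):
        try:
            acct.withdraw_btc(key, thief_addr, 5.0)
            out.append("%s: stolen" % key)
        except AuthError as exc:
            out.append("%s: denied (%s)" % (key, exc))
    try:
        acct.add_whitelist_address(thief_addr, "000000", now)   # guessed code
        out.append("whitelist: attacker added address")
    except AuthError:
        out.append("whitelist: attacker denied")
    # The owner, with the authenticator in hand, whitelists an address and withdraws.
    acct.add_whitelist_address(owner_addr, totp(acct.totp_secret, now), now)
    out.append("balance after owner withdrawal: %.1f" % acct.withdraw_btc("payout", owner_addr, 1.0))
    return out


if __name__ == "__main__":
    for line in run_scenario(59):
        print(line)
```

The key with only the trade right fails the first check, and the key that does carry the withdraw right still fails the whitelist check, so a stolen password or API key on its own moves nothing. The one action that would change that, editing the whitelist, is the one gated on the second factor.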


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: smickles on June 02, 2012, 10:09:18 PM
http://yourlogicalfallacyis.com/false-cause


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: rjk on June 02, 2012, 10:14:08 PM
http://yourlogicalfallacyis.com/false-cause
"cum hoc ergo propter hoc"

<3 latin


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: Phinnaeus Gage on June 03, 2012, 01:35:02 AM
http://yourlogicalfallacyis.com/false-cause

They always blame the pirate, don't they?

http://bp2.blogger.com/_88oeleTBYyo/Rr_Eqlyr3NI/AAAAAAAABIM/-UTzZvfIj_4/s400/Blog-Pirate-1_8-12-07.jpg


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: Math Man on June 03, 2012, 01:54:43 AM
I think this thread belongs in the "speculation" sub-category.  Better yet, create a "wild speculation" sub-category.  It would fit better there.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: FreeMoney on June 03, 2012, 04:39:56 AM
The title needs to be changed imo.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: dave3 on June 03, 2012, 06:40:30 AM
Several ways. Yubikey is my personal favorite, but here is a bunch of links:

http://yubico.com/ <-- The makers of the Yubikey
http://www.symantec.com/verisign/vip-authentication-service <-- paid service that PayPal and many others use for authentication. Yubico makes a credential that is compatible with this service as well.
http://onlinenoram.gemalto.com/ <-- TOTP token that AWS uses for authentication, made by Gemalto. This is a dedicated device that can do the same thing as Google Auth, without the phone.
http://motp.sourceforge.net/#7 <-- links to lots of tokens and related software.
https://lastpass.com/ <-- password storage software that works on almost any platform and almost any browser, and that can use 2-factor auth for logging in.

Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: Stephen Gornick on June 03, 2012, 06:44:55 AM
Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?


The Yubikey from Mt. Gox can only be used with Mt. Gox (and BlockChain.info wallet, apparently, which I'm guessing has permission to auth through Mt. Gox API or something)

It doesn't work on other services where a Yubikey is used.

The Yubikey from Yubico works at Mt. Gox and [Edit: see rjk's correction below] elsewhere where Yubikeys are supported.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: rjk on June 03, 2012, 11:03:55 AM
Do you know if you can use the same yubikey for several different services, or do you need to get a separate one for each account?


The Yubikey from Mt. Gox can only be used with Mt. Gox (and BlockChain.info wallet, apparently, which I'm guessing has permission to auth through Mt. Gox API or something)

It doesn't work on other services where a Yubikey is used.

The Yubikey from Yubico works at Mt. Gox and elsewhere where Yubikeys are supported.
Slight correction - only keys programmed by MtGox can be used with MtGox - you can't use one that you got direct from Yubico. The reason is that MtGox runs their own authentication server with their own keypairs, instead of using Yubico's free cloud authentication system.

However, any website that uses the free service provided by Yubico for authentication will support a generic device ordered from Yubico.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: molecular on June 03, 2012, 12:04:31 PM
How many of those users had bitcoinica accounts?

+3 funny, FreeMoney


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: Aseras on June 03, 2012, 06:43:07 PM
There is no perfect way. As soon as you make one someone else will find a way to break it or work around it. If it's accessible in any form, someone can break in.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: FreeMoney on June 03, 2012, 09:34:51 PM
There is no perfect way. As soon as you make one someone else will find a way to break it or work around it. If it's accessible in any form, someone can break in.

Give up human!


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: BlackBison on June 06, 2012, 09:01:23 AM
I've been proposing the following:

Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.

https://bitcointalk.org/index.php?topic=84585.msg937236#msg937236

Please, exchanges, implement this SOON. You cannot implement it soon enough.

+1. Nefario it would be great if you could get this put on glbse.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: molecular on June 06, 2012, 02:51:54 PM
I've been proposing the following:

Withdrawal to bitcoin address is the exchange function/API call that is most prone to theft.
Other withdrawal methods have at least some level of traceability and/or reversibility.

Therefore, I propose the following solution:
1) create a completely separate right for both the web and the API for withdrawal to bitcoin address, separate from all the other withdrawal methods.
2) allow the owner of the account to have a whitelist of bitcoin addresses to which it is allowed to withdraw from both the web AND the API.
3) require two-factor authentication for adding or removing addresses to and from the whitelist.

This simple feature means that even in the event of an attacker gaining access to the user's web dashboard or the user's API keys,
the attacker will not be able to withdraw bitcoins to addresses of his choice.

Simple fix to a significant security risk.

https://bitcointalk.org/index.php?topic=84585.msg937236#msg937236

Please, exchanges, implement this SOON. You cannot implement it soon enough.

+1. Nefario it would be great if you could get this put on glbse.

you can already activate 2-factor withdrawal on glbse... oh, via API, hmm, didn't check that. Is it possible to withdraw without 2-factor-auth using the api even if it's activated for withdrawals?


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: Nefario on June 06, 2012, 10:04:12 PM
You cannot withdraw using the API.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: molecular on June 08, 2012, 12:58:40 PM
You cannot withdraw using the API.

thanks for clarifying.


Title: Re: I suspect GPUMax was compromised and passwords stolen
Post by: MPOE-PR on October 02, 2012, 01:08:09 PM
Question: when is someone going to invent a be-all, end-all service that is totally full of awesome and win, and then decide to force all users to use a proper 2-factor authentication system?

This has happened, except it forces users to use gpg not worthless 2fa. And the users complain about the ease-of-use, customer service, and personality of exchange manager.