Bitcoin Forum

The attacker used the following IPs/email:
37.48.77.227
66.172.27.160
lopaz291@safe-mail.net

so where is our update on Twitter about that "all is fine" ?!
Prove that you are real Theymos ?

gpg: Signature made Mon May 25 10:53:03 2015 EDT using DSA key ID DAB591E7
gpg: Good signature from "Michael Marquardt <michael_m+pgp@mm.st>"
gpg:                 aka "theymos <theymos+pgp@mm.st>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5E6B 3F3B A961 193C 5C9B  4435 C655 5693 DAB5 91E7

so where is our update on Twitter about that "all is fine" ?!
Prove that you are real Theymos ?

NO update on Twitter or Reddit.
We assume that you are fake theymos.
Nice done hacking man !

You got a lot done for only a few days of down time. Have you slept yet?

Seems Tor IP. Did he mail you anything ? If yes, may we get to know the content ?

]I would prefer a GPG signed message over a twitter message for confirmation, however theymos did send out a GPG signed email advising to change your passwords when he last brought the forum online (the signature was good and was signed within minutes of the google timestamp of this thread previously being created). The google cashe of this thread says that theymos had encrypted the DB to prevent a similar attack in the future. Your password should be considered to be compromised regardless.

I would personally avoid doing any kind of business on here until theymos can prove his identity. I would also suggest treating anyone you deal with to be an imposter until you can get either a GPG or bitcoin signed message to confirm their identity.

---

Thanks theymos for all the time/effort you put into this

What was the message of the email, since I can't find any email from Bitcointalk or Theymos.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

You are receiving this message because your email address is associated
with an account on bitcointalk.org. I regret to have to inform you that
some information about your account was obtained by an attacker who
successfully compromised the bitcointalk.org server. The following
information about your account was likely leaked:
 - Email address
 - Password hash
 - Last-used IP address and registration IP address
 - Secret question and a basic (not brute-force-resistant) hash of your
 secret answer
 - Various settings

You should immediately change your forum password and delete or change
your secret question. To do this, log into the forum, click "profile",
and then go to "account related settings".

If you used the same password on bitcointalk.org as on other sites, then
you should also immediately change your password on those other sites.
Also, if you had a secret question set, then you should assume that the
attacker now knows the answer to your secret question.

Your password was salted and hashed using sha256crypt with 7500 rounds.
This will slow down anyone trying to recover your password, but it will
not completely prevent it unless your password was extremely strong.

While nothing can ever be ruled out in these sorts of situations, I do
not believe that the attacker was able to collect any forum personal
messages.

I apologize for the inconvenience and for any trouble that this may cause.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlVhiGIACgkQxlVWk9q1keeUmgEAhGi8pTghxISo1feeXkUMhW3a
uKxLeOOkTQR5Zh7aGKoBAMEvYsGEBGt3hzInIh+k43XJjGYywSiPAal1KI7Arfs0
=bvuI
-----END PGP SIGNATURE-----

Why can't 1.5 million USD donated in bitcoin protect this forum from attack?
Is there any proof that the entire 1.5 million went into this forum & not into theymos' Carribean Island retirement pot?
Wallet transactions etc?

What are you talking about? Neither IP address shows up as a tor exit node (https://check.torproject.org/exit-addresses).

https://twitter.com/bitcointalk/status/602421967291985920 ???  :-\

@bitcointalk Non-authoritative answer:
Name: http://bitcointalk.org
Address: 186.2.165.183 : this means attackers use DNS Poisoning ...

To reduce downtime and avoid temporarily-broken features, I was originally going to stay in NFOrce's data center. However, some things made me suspicious and I moved everything elsewhere. That's where the extra day+ of downtime came from after a short period of uptime. No additional data was leaked.

The tweet for those who didn't follow the link:
According to the OP, Theymos changed from his previous host NForce to another host because of suspicious activity. This would explain the IP change.

Edit: Found the quote:

Why can't 1.5 million USD donated in bitcoin protect this forum from attack?
Is there any proof that the entire 1.5 million went into this forum & not into theymos' Carribean Island retirement pot?
Wallet transactions etc?

@Theymos , thanks for your hard work .. a question tho ... if we don't change password and that password isn't the same as our email adresses then we should be good right ? just curious i will change my pass anyway

Thank you for keeping this site safe  :)
Maybe you could invest in some kind better security in the future? just in case something like this happening again
and im still trying to figure out what's the motive of the attacker to attack this site  :-\

Would not 2fa protected this from occurring?

He might not want 2fa because it lowers conversion rate. Less people would use the forum and the forum's only strength is its community. BUT the forum would be still big enough after 2fa. It's a classic in the scene, so ppl will continue to use it. I would use it with 2fa :D

He might not want 2fa because it lowers conversion rate. Less people would use the forum and the forum's only strength is its community. BUT the forum would be still big enough after 2fa. It's a classic in the scene, so ppl will continue to use it. I would use it with 2fa :D

Received my first spam email last night.   :-[

theymos, thank you for you hard work. Let's hope we will not have to deal this in the future.

Received my first spam email last night.   :-[

Have you not changed the email you linked to this site mate? I have & I've deleted the other account.

uhh already received spam also + many unsuccessful attempts to mail login:(

anyway, thanks for bring the forum up.

Thanks theymos for the hardwork. I changed my password but not my email ID as I'm not sure if I should do it as the pwd used on this forum wasn't used anywhere else fortunately. I've not received any phishing email except this one yesterday:


You are receiving this message because your email address is associated
with an account on bitcointalk.org.

-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlVhiGI..........................

I hope the above message is genuine.

What is theymos's GPG key? Is it published somewhere official? I received the signed email but I can't find a verified source with the key.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Confirming Badbear is Badbear, and not Goodbear or other variations of bears. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJVY0O5AAoJEKAjO3S1eXxPH40H/jvkkJhKUVxKB6a1whLFE08p
jIJi3qw1WkZPFkM9QWwNXNq+8p8bZxiC+0mIskITUiZBwLqgHgyogFf5FjWNnhSy
lhhmLLh6L+LxXtXg+6kITn2nEPiP+wiZRXkRWwzqRd5mh8c3I1hMMfnYa9DarQG3
hC+TjJXwHKvdYXL5FjcGv4HXGX0QMhXUzwodF05SWXJmH6v8uG3vn6QFej4XRVPd
kWWHh61GlzUAZix0EOxd/cvElgJW6Y8sWl/gH5qBnqhnHDTVnS4/cnQVLjgScyGF
QXVoLZG71Mjkgq+PFX8GRqatKIt/vzMvhBYz7DKKDM8NNzbLRRVexlb2MnpeTx8=
=QK2I
-----END PGP SIGNATURE-----

What spam did you get? Has anyone else had attempts to compromise their email?

wtf you are talking about? mail addresses are already leaked, so even you will change the mail here, you will get spam..

What spam did you get? Has anyone else had attempts to compromise their email?

Can they do anything with our IP addresses?

something like "buy iphone with btc" or "some viagra with btc" and similar..

I dunno, if it is related, but I had this acc for years and I never received similar mails until yesterday. coming from some non-sense yahoo addresses.

Can they do anything with our IP addresses?

It is possible the attacker is selling the stolen email address database to spammers to make quick bucks.

It is possible the attacker is selling the stolen email address database to spammers to make quick bucks.

Yeah, DDOS you out of digital existence.

ahh, I really don't wanna start any drama. maybe it was just spam in "wrong time" and it is not related at all. just reporting..:)

On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:
- Email address
- Password hash (see below)
- Last-used IP address and registration IP address
- Secret question and a basic (not brute-force-resistant) hash of your secret answer
- Various settings

As such, you should change your password here and anywhere else you used that same password. You should disable your secret question and assume that the attacker now knows your answer to your secret question. You should prepare to receive phishing emails at your forum email address.

While nothing can ever be ruled out in these sorts of situations, I do not believe that the attacker was able to collect any personal messages or other sensitive data beyond what I listed above.

Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

I will now go into detail about how well you can expect your password to fare against a determined attacker. However, regardless of how strong your password is, the only prudent course of action is for you to immediately change your password here and everywhere else you used it or a similar password.

The following table shows how long it will take on average for a rather powerful attacker to recover RANDOM passwords using current technology, depending on the password's alphabet and length. If your password is not completely random (ie. generated with the help of dice or a computer random number generator), then you should assume that your password is already broken.

It is not especially helpful to turn words into leetspeak or put stuff between words. If you have a password like "w0rd71Voc4b", then you should count that as just 2 words to be safe. In reality, your extra stuff will slow an attacker down, but the effect is probably much less than you'd think. Again, the times listed in the table only apply if the words were chosen at random from a word list. If the words are significant in any way, and especially if they form a grammatical sentence or are a quote from a book/webpage/article/etc., then you should consider your password to be broken.


Each password has its own 12-byte random salt, so it isn't possible to attack more than one password with the same work. If it takes someone 5 days to recover your password, that time will all have to be spent on your password. Therefore, it's likely that only weak passwords will be recovered en masse -- more complicated passwords will be recovered only in targeted attacks against certain people.

If your account is compromised due to this, email acctcomp15@theymos.e4ward.com from the email that was previously associated with your account.

For security reasons, I deleted all drafts. If you need a deleted draft, contact me soon and I can probably give it to you.

A few people might have broken avatars now. Just upload your avatar again to fix it.

Unproxyban fee processing isn't working right now. If you want to register and you can't, get someone to post in Meta for you and you'll be whitelisted.

Searching is temporarily disabled, though it won't be disabled for as long as last time because I improved the reindexing code.

If you changed your password in the short time when the forum was online a little over a day ago, the change didn't stick. You'll have to change it again.

How the compromise happened:

The attacker was able to acquire KVM access credentials for the server. The investigation into how this was possible is still ongoing, so I don't know everything, and I don't yet want to publish everything that I do know, but it seems almost certain that it was a problem on the ISP's end.

After he got KVM access, the attacker convinced the ISP NFOrce that he was me (using his KVM access as part of his evidence) and said that he had locked himself out of the server. So NFOrce reset the server's root password for him, giving him complete access to the server and bypassing most of our carefully-designed security measures. I originally assumed that the attacker gained access entirely via social engineering, but later investigation showed that this was probably only part of the overall attack. As far as I know, NFOrce's overall security practices are no worse than average.

To reduce downtime and avoid temporarily-broken features, I was originally going to stay in NFOrce's data center. However, some things made me suspicious and I moved everything elsewhere. That's where the extra day+ of downtime came from after a short period of uptime. No additional data was leaked.

The forum will pay up to 15 XAU (converted to BTC) for information about the attacker's real-world identity. Exact payment amounts will depend on the quality and usefulness of information as well as what information I've already acquired, but if for example you're the first person to contact me and your info allows me to successfully prosecute this person, then you will get the full 15 XAU. You need to actually convince me that your info is accurate -- just sending me someone's name is useless.

The attacker used the following IPs/email:
37.48.77.227
66.172.27.160
lopaz291@safe-mail.net

I guess the password changes which were done yesterday (when the forum cane online for a few hours) were reverted back, cause I changed my password yesterday but I had to use my previous password to login today. Idk why was it done.

Also, is it just me or the forum looks plain to everyone? Like I am not able to identify what has changed by the layout looks a bit flat.

I guess the password changes which were done yesterday (when the forum cane online for a few hours) were reverted back, cause I changed my password yesterday but I had to use my previous password to login today. Idk why was it done.

If you changed your password in the short time when the forum was online a little over a day ago, the change didn't stick. You'll have to change it again.

Hey guys!

One more thing: DON'T FORGET TO CHECK YOUR WALLET ADDRESS, TOO!!! IN YOUR PROFILE.

This is most important for users already participating in campaigns (FOR AUTOMATED PAID campaigns like bitmixer etc)

Hacker would easily check the participants accounts and just change the payment address to his own, in order to receive the payments.

 ;)

A hacker after small change.  ;D
Good joke. :)

Thanks for the info, but don't you think it is time you really take some of those donations and upgrade this forum software? There are quite a few new styles out there that are really nice. This pretty much static version has been around and looked the same since it was installed. And last year when there was a thread about how you had so much bitcoin worth millions of dollars I think it was, you wanted other user's to hold on to it in case some of it was lost. Why can't you take some of those donations, build a brand new dedicated box, hire one of the best programmers you can find and get this forum software out of the dark ages?

Thanks for the info, but don't you think it is time you really take some of those donations and upgrade this forum software? There are quite a few new styles out there that are really nice. This pretty much static version has been around and looked the same since it was installed. And last year when there was a thread about how you had so much bitcoin worth millions of dollars I think it was, you wanted other user's to hold on to it in case some of it was lost. Why can't you take some of those donations, build a brand new dedicated box, hire one of the best programmers you can find and get this forum software out of the dark ages?

There is actually , here is his wallet as far as I know : https://blockchain.info/address/1M4yNbSCwSMFLF9BaLqzoo2to1WHtZrPke
Source is from here , those are people who are helding the money of the forum (which is not out yet ) : https://bitcointalk.org/index.php?topic=155000.0

@Theymos , thanks for your hard work .. a question tho ... if we don't change password and that password isn't the same as our email adresses then we should be good right ? just curious i will change my pass anyway

Glad that it's back, but as previously said it's fairly unacceptable that a forum with such a security aura can still be compromised by attackers.
When will the new forum be happening? It's been in speculation for at least a year, if not longer now. It cannot take this long to code a forum software.

Do you think that they would bother? Surely to take down as many people as it would be worth here it would take more resources than what the attacker could get back.

A hacker after small change.  ;D
Good joke. :)

This doesn't look like the average email spam hack to me.

If our account still gets compromised, are you still able to revert permissions back with a PGP btc address to confirm user?

15 XAU....how much is that in US Dollars? 

15 XAU....how much is that in US Dollars?  If it isn't enough for me I will not tell what I know about the attack.  Hint -- it came from China.  They are trying to counterfeit and steal everything in the world, and it seems like no one tries to stop them.

My password was a single keyboard character repeated 10 times, maybe I should change it?

And no amount of security in the world will stop this if some dumbass at the data center believes what someone on the phone tells him and resets the access password.

15 XAU....how much is that in US Dollars?  If it isn't enough for me I will not tell what I know about the attack.  Hint -- it came from China.  They are trying to counterfeit and steal everything in the world, and it seems like no one tries to stop them.

My password was a single keyboard character repeated 10 times, maybe I should change it?

And no amount of security in the world will stop this if some dumbass at the data center believes what someone on the phone tells him and resets the access password.

XAU-USD 1,206.9400 Price of 1 XAU in USD

If you changed your password in the short time when the forum was online a little over a day ago, the change didn't stick. You'll have to change it again.

I am glad that too much damage wasn't done and that too much personal information wasn't leaked. This is just one more example of the importance of using GPG when sending or receiving any kind of sensitive information.

- Last-used IP address and registration IP address

Actually there is quite some damage. Passwords are irrelevant,as they can be changed.
A lot of people are going to be targeted due to this
There are people who sometimes use a VPN, and some that don't use it at all. We will see what happens in the future.
Hopefully the attacker gets found.

Actually there is quite some damage. Passwords are irrelevant,as they can be changed.
A lot of people are going to be targeted due to this
There are people who sometimes use a VPN, and some that don't use it at all. We will see what happens in the future.
Hopefully the attacker gets found.

9800 Savage Rd
Fort Meade, MD 20755
USA

 ;)

What is this?

What is this?

Welcome Back!

Just out of curiosity, I wander what could be the possible 'gain' for attacker by attacking BCT forum, other then mental satisfaction ?

Yes, a lots of user contact data, related to CryptoCurrency  which can be use for other phishing attack...

Other then above, what could be the 'direct' gain he/she/they (The attacker) had in mind at time of attacking??

Cheers!

Welcome Back!

Just out of curiosity, I wander what could be the possible 'gain' for attacker by attacking BCT forum, other then mental satisfaction ?

Yes, a lots of user contact data, related to CryptoCurrency  which can be use for other phishing attack...

Other then above, what could be the 'direct' gain he/she/they (The attacker) had in mind at time of attacking??

Cheers!

Whoever claims theymos is not doing a great job with this forum should consider this forum is probably one of the most attacked ones because attackers potentially have so much to gain in the financial sense. Consider also that a lot of security expertise lurks around the forum. When you look at it this way, the amount of successful attacks is quite low, TBH. Keep up the good work, theymos.

I was using a moderately strong password which I could remember too. Now I will have to come with another system.

Address of the most loved agency in this world :P

No Such Agency?

LastPass is a good idea for generating passwords you don't need to remember. You'll need to remember one complex password but then it'll store any others you need. [Link] (https://lastpass.com/) | [Link with referral ID which gives both of us 1 free month premium] (https://lastpass.com/f?11992496).

No Secrets Allowed.
Never Say Akbar.

So many good variants.

That's just one donation wallet. It was supposed to be spread around last year when bitcoin was really high. So you may want to at least triple that number. 6 million dollars in donations. Although we will never know the true numbers. He just happen to be at the right place, right time. BAM and people donated like crazy to keep the site up. I'm not complaining, because I donated myself (knowing the forum had millions of dollars) but really thought security and features, and updates would be top priority here. You can have the sweetest forum running on the Internet. I say try out discourse.

What's the limit for passwords? I tried using an unreasonably large string as my password and didn't receive any error messages (despite the load time after I press the login button being huge). Were the last characters of the string cut off for it to fit a certain limit?

No, the last characters are not cut off, at least not at any "reasonable" password length.  My password here is over 60 characters, and it still cares about whether the last character is entered. 

Now I started receiving spam emails from maximeco******@gma and some vayne*****@gmail.com. Any way to report these emails or ban these users' accounts as they seem to be the hackers.

Thanks theymos, I have changed my password yesterday and also today... and I hope to be 'safe' (a big word) now ;).   XAU for his real identity, it is a lot of money.... and I do not think he is stupid (he made a soc. engir. attack... only a few people are able to do it).


PS: however good luck with the search.

Of course they can be reported to your email provider but blocking out the emails doesn't do much good for the forum to be able to do anything about it not that they could anyway as they likely wont be linked to accounts here.

You'd probably be suprised by how easy some people can trick others into giving them sensitive information. I've seen it done on a much smaller scale and all it took was a little bit of confidence. There's also been reports over the years of simple techniques used against big companies and much more sensitive data.

Beside our emails and passwords of course ... how bad it could be when the hackers have this "Last-used IP address and registration IP address" , im not an expert or anything but don't the IP change each time we reboot the modem ? :o Probably not the IP range but well

Yes I am surprised and I know that a 100% security doesn't really exist but c'mon... we are talking about a big service provider and it should not be easy to trick them (in my honest opinion) but everything is possible. The real problem is always the people, you can build the security that you want but you are fuc**ed if an employee will reset the pwd http://techforum.it/styles/default/xenforo/smilies/asd.gif.

Beside our emails and passwords of course ... how bad it could be when the hackers have this "Last-used IP address and registration IP address" , im not an expert or anything but don't the IP change each time we reboot the modem ? :o Probably not the IP range but well

I am not sure why anyone would consider not using a VPN. They are really not very expensive to use and they provide a lot of added privacy.

For most people it doesn't matter if their IP address is now in the hands of the hacker, they will most likely target those with the highest ranks and based on how important that person is in the community.

I used a 2024 character string though. Not the most reasonable password length eh? I was pretty surprised to see that there wasn't any warning or error message and that's why I came here to ask if there's any limit.

Thanks theymos, I have changed my password yesterday and also today... and I hope to be 'safe' (a big word) now ;).   XAU for his real identity, it is a lot of money.... and I do not think he is stupid (he made a soc. engir. attack... only a few people are able to do it).
PS: however good luck with the search.

Theymos,

Check your PMs. I sent you some info on something that might get the ball rolling. That said there are obvious suspects which info I already provided to CCN. Some press coverage might get the right wheels greased to get an actual investigation going.

If you believe that the majority of the users here use a VPN you are wrong.

Have others received an email from the forum? I took a quick peek. Just want to verify if isn't something fishy.

Yes. I also have a database snapshot from a little before the attack which I can use to verify people by email if necessary.

I'm sorry, but has theymos actually confirmed his forum identity after the attack yet?  And also, is it just me or is the forum currently loading slower than normal?

I don't think he stated or insinuated that, just that people should consider using them.


Yes, they were sent out by theymos en masse, though that doesn't mean you might not have recieved a phishing mail. I'm sure the hacker will try something with our emails.

After he got KVM access, the attacker convinced the ISP NFOrce that he was me (using his KVM access as part of his evidence) and said that he had locked himself out of the server. So NFOrce reset the server's root password for him, giving him complete access to the server and bypassing most of our carefully-designed security measures. I originally assumed that the attacker gained access entirely via social engineering, but later investigation showed that this was probably only part of the overall attack. As far as I know, NFOrce's overall security practices are no worse than average.

To reduce downtime and avoid temporarily-broken features, I was originally going to stay in NFOrce's data center. However, some things made me suspicious and I moved everything elsewhere. That's where the extra day+ of downtime came from after a short period of uptime. No additional data was leaked.

I'm sorry, but has theymos actually confirmed his forum identity after the attack yet?  And also, is it just me or is the forum currently loading slower than normal?

Was running ok earlier but it's got a bit sluggish now, but that's to be expected as everyone tries logging on and resetting their passwords etc. Wouldn't surprise me if the forum will get ddosed as well.

Personally what I am most curious about is why someone would go to such trouble to hack this forum ?

As most here are going to be way above average in security habits the chance of getting a password to something else is almost nil (and they were not stored in plaintext although I guess the attacker may have hoped they would be) . 

Was it an enemy of bitcoin ??

   

If it happens again I'm going to stop posting on here & find somewhere else.
It's ridiculous that with 1.5 million USD donated they can't stop attacks like this happening.
Imagine if people had wallet back ups in their emails, bank details etc.
I think it's disgraceful.

It wasn't the forum's fault but the hosting. The new forum is being made now but that wouldn't have stopped this either and its being tested to make sure there are no holes or ways to exploit it. And people shouldn't keep their bank details or back ups of their wallets in their emails especially if they can't keep it secure.

If it happens again I'm going to stop posting on here & find somewhere else.
It's ridiculous that with 1.5 million USD donated they can't stop attacks like this happening.
Imagine if people had wallet back ups in their emails, bank details etc.
I think it's disgraceful.

Theymos claims it was the hosting. That's what you meant to say.
He openly states, in this very thread, that before any of the alleged social engineering took place,
"... The attacker was able to acquire KVM access credentials for the server. The investigation into how this was possible is still ongoing, so I don't know everything ..."

Not sure why everyone is acting like lax DC security is the issue,

The NSA hacked the forum to link users' information (nicknames, emails, IP's, passwords) with illegal activity made elsewhere..  ::)

have a strong feeling they inserted a backdoor somewhere or a keylogger.

something that would keep them getting access to the forum and retrieve data

have a strong feeling they inserted a backdoor somewhere or a keylogger.

something that would keep them getting access to the forum and retrieve data

The site has become incredibly slow since the compromise and I'm getting a lot of "502 Bad Gateway" notifications.

The site has become incredibly slow since the compromise and I'm getting a lot of "502 Bad Gateway" notifications.

Not actually see errors here. And the site works fine and fluent, however sometimes when I do actions(PM,Posts) it laggs so much that it usually takes about 30 seconds to post something

The forum was very laggy earlier on but it's been working ok since. I'm sure it'll be up and down every now and again until the forum gets back on its feet.

Just back after a long break and saw this, that explain why I can't access the forum recently.

Also I suddenly receive spam email from somewhere (mostly german or something), anyone got the same problem?

Was the email related to the forum or was it just someone trying to sell you some medicines or electronics?
I just hope the email was not for phishing.

Not sure if I missed it somewhere, but if the "secret question" field is blank, does this mean it is not set? I don't believe I ever set one in the past and want to make sure that is still the case.

ddosbtc is fucking around with his annoying booter.

The hoster denied beeing attacked with SE. It is still not clear how attacker gained access and why.

Where did you see this? People here are still under the impression it was Social Engineering....

I don't remember where it was. It was one of the crypto news sites. They wrote, they have called NFOrce about the incident and they denied beeing attacked with SE.

of course they would deny it. Social engineering is the worst PR for them, no one would trust them anymore

If they get an email/password combo figured out, they could have passed them self off as a well respected member and done deals where they get money and run. Or, just use the email/password to log into a bank account, or exchange account and withdraw the money. One of the main things is to use a unique password for each site. Lastpass.com is good for that, if anyone hasn't heard of them.

Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

How much does the password need to be changed, whould it be enough to change a letter or two.
Or would it be better to make a brand new long and complicated password.
Reason I ask is that it take some time to memories a long complicated password,
if only added or removing something will the learning time for the new password decrease.

no, make a fresh, and new password.

if you have issues remembering all passwords - check out KeePass 2 - it's a open source password vault. you only need one master password

no, make a fresh, and new password.

if you have issues remembering all passwords - check out KeePass 2 - it's a open source password vault. you only need one master password

Compromise notification email said reset question was less brute-force resistant, so I wanted to remove it. Is blanking QnA form (and save) enough to disable it?

Compromise notification email said reset question was less brute-force resistant, so I wanted to remove it. Is blanking QnA form (and save) enough to disable it?

On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:

Thanks for the explanation theymos.  


Does this mean that only people with the member rank were effected, or all forum members? Changing my password anyways, just curious.

Also, I found this interesting article: https://www.cryptocoinsnews.com/bitcoin-mining-figure-joshua-zipkin-responsible-bitcointalk-hack/

Opinions?

Yes, you are proberly right....... I need a brand new one, adding 8 letters is not good enough.
I look at that KeePass 2, it looks pretty good, just not sure I can trust it.....
But thank you anyways :)

Off to change the password
It's good to know that a Bitcoin miner can't be used to break encryption
Thanks for the hard work theymos

Although the majority of the passwords will still get broken.

Why is this news, "News: Change your password!" only showed on the index page?
I believe that right now this news is the like the most important thing for the forum and should be displayed on all the threads.

Do we have to change our passwords or it is fine to keep before one. Please answer fast.

So, since the forums have been back up, Topic Notifications of new replies have not been getting e-mailed out.

May 28 17:42:22 B184CA91EB5: to=<...>,
relay=mx1.hotmail.com[65.55.37.72]:25, delay=0.55,
delays=0.16/0/0.28/0.1, dsn=5.0.0, status=bounced (host
mx1.hotmail.com[65.55.37.72] said: 550 OU-002 (COL004-MC1F36)
Unfortunately, messages from 198.251.81.170 weren't sent. Please
contact your Internet service provider since part of their network
is on our block list. You can also refer your provider to
http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to
MAIL FROM command))

They are getting mailed out, your mail provider is just rejecting them. Maybe I will get a new IP address in the future to stop this from happening, but IMO this is a problem on hotmail's end.

why reject them ??

Probably due to the fact that the site has sent out thousands of mails within a short period of time, due to the recent compromise.

They are getting mailed out, your mail provider is just rejecting them. Maybe I will get a new IP address in the future to stop this from happening, but IMO this is a problem on hotmail's end.

How do I get hotmail to accept the mail from bitcointalk?

How do I get hotmail to accept the mail from bitcointalk?

Why did you not even send a warning mail to all addresses? Thousands of casual forum users don't even know about this incident and their password hashes stolen.

There was an email on the 24th of May, 2015.

I am not using Hotmail, but are you receiving forum emails in 'Junk' folder or you're not receiving them at all?

If you're receiving them in Junk, it should be very easy to just mark them as 'Not Junk'.
If you're not receiving them altogether, you should find out if Hotmail allows 'white-listing' specific domains or email addresses, like MZ suggested above.

I certainly did not get it, and I asked a few people from whom nobody got it either.

Some service providers block certain IPs the forum uses to send emails so that may be why.

I certainly did not get it, and I asked a few people from whom nobody got it either.

I certainly did not get it, and I asked a few people from whom nobody got it either.

from:	noreply@bitcointalk.org
to:	xxxxxxxxxxxxx
date:	25 May 2015 at 20:41
subject:	Bitcoin Forum: Password change required
mailed-by:	bitcointalk.org


-----BEGIN PGP SIGNED MESSAGE----
Hash: SHA256

You are receiving this message because your email address is associated
with an account on bitcointalk.org. I regret to have to inform you that
some information about your account was obtained by an attacker who
successfully compromised the bitcointalk.org server. The following
information about your account was likely leaked:
 - Email address
 - Password hash
 - Last-used IP address and registration IP address
 - Secret question and a basic (not brute-force-resistant) hash of your
 secret answer
 - Various settings

You should immediately change your forum password and delete or change
your secret question. To do this, log into the forum, click "profile",
and then go to "account related settings".

If you used the same password on bitcointalk.org as on other sites, then
you should also immediately change your password on those other sites.
Also, if you had a secret question set, then you should assume that the
attacker now knows the answer to your secret question.

Your password was salted and hashed using sha256crypt with 7500 rounds.
This will slow down anyone trying to recover your password, but it will
not completely prevent it unless your password was extremely strong.

While nothing can ever be ruled out in these sorts of situations, I do
not believe that the attacker was able to collect any forum personal
messages.

I apologize for the inconvenience and for any trouble that this may cause.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlVhiGIACgkQxlVWk9q1keeUmgEAhGi8pTghxISo1feeXkUMhW3a
uKxLeOOkTQR5Zh7aGKoBAMEvYsGEBGt3hzInIh+k43XJjGYywSiPAal1KI7Arfs0
=bvuI
-----END PGP SIGNATURE-----

Just saying. Get a decent way to send them, theymos, and send all of them again. You cannot just set up a random server with a random IP address and send mails. It's not the 80's any more. Due to spam epidemic, major mail providers will reject those mails.

Just saying. Get a decent way to send them, theymos, and send all of them again. You cannot just set up a random server with a random IP address and send mails. It's not the 80's any more. Due to spam epidemic, major mail providers will reject those mails.

Wait, you are suggesting because few guys' spam filters blocked the circular mail theymos should spam us all with that mail again?!? That makes no sense. Have you ever, I mean ever, seen same circular mail re-sent to you just in case somebody may miss it? No serious entity does that, so should not Bitcointalk either.

Database error
Please try again. If you come back to this error screen, report the error to an administrator.

Second time I get the error after a post:


But my posts got posted so I don't know if there is really an error or if the message itself is the error

Everyone get a load of this?

https://www.reddit.com/r/Bitcoin/comments/37w9a0/bitcointalk_database_for_sell/

Seem legit?

someone is/has been spamming the goods section with that, but got banned pretty quickly.

For me is just scam. Any kid can make a large file that looks more or less like a database with lots of nonsense then put it for sale in the hope that some moron will buy it

That would make sense it must have triggered some spam filter and ended up on hotmails block list
Guess it might fix itself sooner or later

How many times is this place going to get hacked and beat up? Now on two years saying the forum SW will be updated from the thousands and thousands of dollars in donations. Are we all missing something? Jesus, even try discourse if you have to.

This time was not forum's fault, but ISP's fault. At least is what theymos says.

And thheymos changed ISP, he said, so I guess the odds of another attack of same kind are lowered

So NFOrce reset the server's root password for him, giving him complete access to the server

Is this normal for ISPs to have the sort of access that allows them to reset any server root password??? That is insane!!!

No, it is not. What would happen if theymos actually forgot his password and they couldn't reset it?
You can't prevent social engineering, no matter what you do.

Usually ISPs have contact information, like phone number, home adress, passport scan etc which can easily be used to verify a person. When combined with PGP, whis should be almost 100% safe.

and that's the point. social engineering depends on human error.

...
 
1. Educate yourself.

"Our first mitigation is security through education," Hadnagy said. "If people aren't educated to the types of attacks being used, then they cannot possibly defend against them."
Social-Engineer.org provides a number of information resources on social engineering attacks. The two most commonly used and effective approaches, or "pretexts," used in the contest were posing as an internal employee or posing as someone hired by corporate to perform an audit or take a survey.
"Contestants used the survey pretext a lot," Hadnagy said. "It allowed them to ask questions that are believable in that context."
Hadnagy noted that employees rarely sought to confirm the pretext with another source, like a manager, before giving away information.

 
2. Be aware of the information you're releasing.

This tip encompasses both verbal communication and social media like Facebook or Twitter. Hadnagy noted that serious social engineers, as opposed to someone participating in a contest for fun, would get deep background on their targets before moving.
"You would know where they live," he said. "You would know whether they're happy or unhappy in their jobs."


3. Determine which of your assets are most valuable to criminals.

Even companies that actively seek to protect themselves from social engineering attacks often focus on protecting the wrong things, according to Jim O'Gorman, a security consultant and member of Social-Engineer.org.
"When a lot of companies focus on protecting their assets, they're very focused on that from the perspective of their business," O'Gorman said. "That's not necessarily the way an attacker will look at your company. They'll look for assets that are valuable to them, assets that they can monetize."
"Information perceived as having no value will not be protected," Social-Engineer.org said in the primary findings of its report. "This is the underlying fact that most social engineering efforts rely upon, as value to an attacker is different than value to an organization. Companies need to consider this when evaluating what to protect, considering more than just the importance of value to the delivery of service, product, or intellectual property."
O'Gorman said an independent assessment is the best tool to determine which of your assets criminals are most likely to target.

 
4. Write a policy and back it up with good awareness training.

Once you know which of your assets are most tempting to criminals and the pretexts they're most likely to use to pursue them, write a security policy for protecting your data assets. Then back up that policy with good awareness training.
"A policy is just a written statement," Hadnagy said. "It doesn't mean anything if people don't follow it."
In the primary findings of its report on the contest, Social-Engineer.org noted, "For awareness training to be truly effective it requires complete coverage of all employees. In many instances contestants would contact call centers, which often do not have as complete of awareness training programs. This translated into information leakage that could have been avoided, as well as significant increase of risk to the target organizations. Demonstration of the ineffectiveness of awareness training was apparent by the lack of employee resistance to answering questions."
Social-Engineer.org believes employees need a clear set of guidelines in place to respond well to a given situation. Absent such guidelines, employees will default to actions they perceive as helpful, which often means giving away information they shouldn't.

 
5. Keep your software up to date.

Hackers using social engineering techniques are often seeking to determine whether you are running unpatched, out-of-date software they can exploit.
"A lot of the information given out really would not be damaging if the target keeps his software up to date," Hadnagy said.
Staying on top of patches and keeping your software updated can mitigate a lot of risk.

 
6. Give employees a sense of ownership when it comes to security

"Security programs in this country are failing miserably," Hadnagy said. "The reason is that they're not personal. They don't make security a personal thing. Employees need to feel a sense of ownership when it comes to security."
O'Gorman added, "I think it's important that employees understand that what applies in the workplace also applies at home. Make it personal to that extent. Changing habits, changing culture is extremely difficult."
Both noted that criminals will not respect boundaries between one's work life and one's personal life, and any personal information obtained from a compromised work computer may also compromise one's personal life.

 
7. When asked for information, consider whether the person you're talking to deserves the information they're asking about.

This is where the rubber meets the road. Whenever you are in a conversation with someone you don't know, before you answer a question they ask, make sure they deserve to know the information that they're asking about.
In most cases, the person you're talking to has no need to know what version of an operating system you're running, or who handles trash collection at your company.
As Hadnagy is fond of pointing out, social engineers know that most people instinctively try hard to be helpful to their fellow human beings when asked. Social engineers leverage that instinct to their advantage. Companies certainly want their employees—especially customer-facing employees—to be friendly and helpful, but they must also temper that helpfulness with restraint.
For instance, an employee in sales wants to be as helpful to a potential customer as possible. But that employee should still make sure that the questions the potential customer is asking are relevant before answering.
"From a sales point of view, it's hard to say that," Hadnagy said. "If you're a sales guy, you don't want to lose that potential sale. You have to determine if the information you're giving out really is relevant to the potential sale."

 
8. Watch for questions that don't fit the pretext.

The last tip leads directly into this one. If a person asks a question that does not fit the persona they present, it should set off alarm bells.
"In a business sense, I think you have to be really aware of questions that do no match the person on the phone," Hadnagy said.
 Additionally, a sudden sense of pressure or urgency is often a sign.
"When you're on the phone with someone, or you're talking to someone, and all of a sudden you feel this pressure to make a decision, to take an action, you have to stop and think where is this pressure coming from? They'll try to put pressure on the target so they don't have time to think about their decision," O'Gorman said. "Don't get caught up in the story that's being told to you. A sense of pressure that shouldn't be there, that's a big red flag."

 
9. Stick to your guns.

If you do get a feeling that someone is fishing for information that they shouldn't, stick to your guns.
"If someone asks for information that you don't know if you should release, ask your manager," Hadnagy said. "Many social engineers will break if off if there's a break in the conversation."
Hadnagy pointed to one call during the contest in which the employee who received the call put up some resistance, but ultimately gave in to the social engineer's persistence.
"The employee actually had a pretty good sense," Hadnagy said. "Three times, he said, ‘our corporate policy is that you e-mail these questions, and we answer them together as a team.’ That whole phone call would have failed from a social engineering standpoint if that employee had stuck to his guns."

 

Thor Olavsrud is a contributor to eSecurityPlanet.com and a former senior editor at InternetNews.com. He covers operating systems, standards and security, among other technologies.

not really. social engineering is omnipresent and can happen everywhere. hopefully the new ISP has some stricter quality management and certain processes to prevent it.

No, it is not. What would happen if theymos actually forgot his password and they couldn't reset it?
You can't prevent social engineering, no matter what you do.

No, it is not. What would happen if theymos actually forgot his password and they couldn't reset it?
You can't prevent social engineering, no matter what you do.

LOL! A server admin needs a mommy to reset his password for him? I'm sorry, but if you can't keep your root password safe, you don't deserve to be a server admin. No one ever needs to know the root passwords to my servers. No one. Ever.

So servers should die with their admins?

Ha, ha!  I like it!

But seriously, the normal course of action is to terminate sysadmins who are incapable of producing the proper credentials to the equipment they manage. "Termination" doesn't mean "killing", just "firing from employment 'for cause'".

There was an really interesting case of a network sysadmin for San Francisco municipial government that went insane (schizophrenia/paranoia) and refused to disclose passwords to the Cisco equipment which he was supervising. Sorry, I don't have a link handy.

To be fair, my wife knows the root passwords on all my machines/servers incase I face an untimely death.

What if an admin dies? Should access to the servers die with him?

So servers should die with their admins?

I've worked with DoD facilities. They would never pass root passwords to upstream ISPs.