Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: RSantana on August 01, 2011, 06:43:38 AM



Title: Bitcoin is a magnet for hackers and crooks
Post by: RSantana on August 01, 2011, 06:43:38 AM
I know various forms of this topic have been discussed at length, but I thought it would be beneficial to hear another first hand account. After looking through 256 recent SQL injection attempts at my site I thought I'd share my experience thus far as a new bitcoin etailer.

I've been running various online retail websites for over 10 years. As many of you know, I recently started CoinedBits.com. I've been the receiver of more hack attempts in the last month at CoinedBits.com than the previous 10 years on all my other sites.

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.

Thanks for listening.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: wumpus on August 01, 2011, 06:47:06 AM
Everyone, from crappy forums to e-tailer sites, gets SQL injection attempts, SSH scans, portscans, and other exploit testing crap... this has nothing to do with bitcoin.  A lot of it is automated, even.

If you don't protect your site well enough, you're screwed in this day and age. No matter what forms of payment that you accept.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: RSantana on August 01, 2011, 06:52:52 AM
Everyone, from crappy forums to e-tailer sites, gets SQL injection attempts, SSH scans, portscans, and other exploit testing crap... this has nothing to do with bitcoin.  A lot of it is automated, even.

If you don't protect your site well enough, you're screwed in this day and age. No matter what forms of payment that you accept.

Yes, good point, it happens to everyone. My point is that the attacks seem to be much more frequent with bitcoin services. Can any other merchants back up my theory?


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: payb.tc on August 01, 2011, 07:15:40 AM
My point is that the attacks seem to be much more frequent with bitcoin services.

i would have guessed that to be true simply because bitcoin enthusiasts were already technically-minded (possibly 'hackers') before bitcoin even was invented.

if you invent a new soft fluffy toy and build a new community of soft fluffy toy lovers, you're probably going to get a different type of fan base and a far lower level of SQL injection attempts or other technical hacks perpetrated against merchants


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: JoelKatz on August 01, 2011, 07:19:32 AM
What possible difference could the frequency of hack attempts make? Do you investigate every attempt?


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: djex on August 01, 2011, 07:26:37 AM
I'd say the thing that attracts the attackers to bitcoin sites is that it's easy to get what they're looking for (money). If they were to attack a bank for example they would face all sorts of variables that would cause them more work not to get caught. For example, first finding a hole, then getting in, then making sure you clear logs and are not caught. With many bitcoin sites they are not highly protected due to the fact they are coded by your average programmer that isn't a security specialist. Often many attack vectors are left wide open and it's only a matter of time that they get exploited. Also there is the concept of bitcoin itself. Once the attacker gets in or finds a way to exploit a vulnerability it's easy to send the bitcoins to an anonymous address that is likely not going to be traced. With a bank on the other hand routing money in a way not to get caught isn't so easy.

In short bitcoins are easy to steal because 1. They're 100% digital 2. They're anonymous (to a point to discourage someone from tracing the transfers) 3. Bitcoins are new and the security knowledge of its supporters is just beginning to catch up.

In time it will get better. It's like anything new really, to become stronger and better the weaknesses have to be found and exploited first.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: NothinG on August 01, 2011, 07:32:53 AM
Because bitcoin is new, there are many reasons why people are trying to exploit it.
I wouldn't go around testing exploits on a site that's been around for ~10-15 years (although PayPal did have a few exploits on the non-US site).


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: the founder on August 01, 2011, 02:21:52 PM
Yes, good point, it happens to everyone. My point is that the attacks seem to be much more frequent with bitcoin services. Can any other merchants back up my theory?

I can confirm that...  every bitcoin related site that we have is subjected to a much higher rate of hacking attempts.  

You can tell just from basic discussion on the forum...  it's always in this order as well... 

1 - security
2 - how it works
3 - security
4 - ease of use
5 - security

Everyone is worried about security...    and rightfully so.

look at the nature of bitcoins,  the average truck driver has no idea what they are...   only a small percentage of the average guys on the street know what they are...  only a small percentage of even programmers that work for ecommerce sites, etc know what they are....  but every self taught hacker on earth knows what they are...

 


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: nmat on August 01, 2011, 02:38:57 PM
You can tell just from basic discussion on the forum...  it's always in this order as well... 

1 - security
2 - how it works
3 - security
4 - ease of use
5 - security

It's more like:

1 - OpenSource?
     No: Scam/Vírus/Trojan. I will never download it.
     Yes: Let me check the code and I will tell you.

2 - Got reputation on the forum?
      No: Nobody will use your service.
      Yes: Let's wait for feedback from someone respectable

3 - How do you save user's passwords? No salt? No HTTPS?! Are you kidding?!
(.....)


People interested in bitcoins are in general computer geeks with a great interest in security. Now tell me, what happens if you take a bunch of security experts and make them run sites to sell stuff to each other?


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: julz on August 01, 2011, 02:51:08 PM
People interested in bitcoins are in general computer geeks with a great interest in security. Now tell me, what happens if you take a bunch of security experts and make them run sites to sell stuff to each other?

They'll each complain that the other is doing X wrong and it'd be better if the other guy used exactly what we're using..  and they'd all be afraid to do the slightest pragmatic tweak (which doesn't actually affect security much, but might actually let these systems talk to each other) for fear of being called out as insecure by the others.

I'm guessing their systems would be more secure than their egos so no one would back down to get things to actually work.

Ok - that's the cynical version..

If you can find a bunch of security experts who recognize that all security is a compromise and are able to gauge relative risks well  - maybe they'll even produce something with a user interface that doesn't suck.

(alright.. so it was still a slightly cynical version)



Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: fennec on August 01, 2011, 02:53:36 PM
i would have guessed that to be true simply because bitcoin enthusiasts were already technically-minded (possibly 'hackers') before bitcoin even was invented.

I've got to agree with this. A higher proportion of programmers must mean a higher proportion of hackers, all other things being equal.

Also, have you considered the high volume of attacks might be due to an Internet-wide increase in the volume of automated attacks (I have no idea if this is the case; just speculating).


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: Tasty Champa on August 01, 2011, 02:56:46 PM
mine bitcoins, buy bitcoins or steal bitcoins.

we have a place for 2 of the options but this forum is lacking on the third most popular way of obtaining bitcoins.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: the founder on August 01, 2011, 03:00:44 PM
It's more like:

1 - OpenSource?
     No: Scam/Vírus/Trojan. I will never download it.
     Yes: Let me check the code and I will tell you.

2 - Got reputation on the forum?
      No: Nobody will use your service.
      Yes: Let's wait for feedback from someone respectable

3 - How do you save user's passwords? No salt? No HTTPS?! Are you kidding?!
(.....)


People interested in bitcoins are in general computer geeks with a great interest in security. Now tell me, what happens if you take a bunch of security experts and make them run sites to sell stuff to each other?


Perhaps the best way to phrase it is that it's 1994 ... and you're opening an eCommerce store...    I don't know how many of you guys were around during the 1990's dot com boom times...  and the early 2000's crash times..   but honestly there were some things that people tend to forget.

At one point Ebay banned Paypal.  

literally a business decision was made to lock paypal out of Ebay,  ebay looked at paypal and realized that at the current growth rate of paypal ebay would not be able to function without it.  So they banned it hoping someone else would show up.   they cited security concerns and that "some company is stealing usernames and passwords"   literally that is what they used as an excuse.

 eventually within a few weeks ebay unbanned paypal then subsequently bought them realizing that they couldn't grow without it.

The point is that yes a security concern is a MAJOR issue,  but at the same time, there's a bunch of reading between the lines going on.   Because from time to time I get these crazy "suggestions"  and in reality I find out the guy works for "bitcoin startup A or bitcoin startup B"  those suggestions may on the face look good.. but in reality aren't.

Example,  I got a PM that stated I needed to make the minimum password length 20 characters for 'security reasons' ...  now I am all for allowing 20 characters.. but minimum length 20?

I find out the suggestion came from a guy that worked at one the exchanges that is now considering an ewallet ...   hence my suspicion that perhaps it wasn't so sincere.  

20 character minimums would lock grandma out of ever using the system.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: payb.tc on August 01, 2011, 03:02:41 PM
steal bitcoins.

1. set up llc in nevis
2. build community trust for your new wallet service over a period of many months
3. disappear


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: the founder on August 01, 2011, 03:04:22 PM
steal bitcoins.

1. set up llc in nevis
2. build community trust for your new wallet service over a period of many months
3. disappear


I honestly want to know what happened to that service.   I can't even ping the domain anymore.   I suspect something bad happened... and instead of owning up to it he just vanished.





Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: foggyb on August 01, 2011, 03:18:59 PM

I've been the receiver of more hack attempts in the last month at CoinedBits.com than the previous 10 years on all my other sites.

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.



Not to diminish that better security is needed, but I'd like to point out that increased hacker/scammer interest is further affirmation of the bitcoin's high relevance and worth in today's world. In light of this, investors and retail startups should feel confident about moving a lot of funds towards beefing up bitcoin security for merchants and customers alike.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: airdata on August 01, 2011, 03:24:49 PM



Not to diminish that better security is needed, but I'd like to point out that increased hacker/scammer interest is further affirmation of the bitcoin's high relevance and worth in today's world. In light of this, investors and retail startups should feel confident about moving a lot of funds towards beefing up bitcoin security for merchants and customers alike.

Hacking / Scamming has held bitcoin down and stunted its growth.

Scamming bitcoins could be cool and all... but not when your activities drive their prices from 25-30 each to 13-14 each.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: elggawf on August 01, 2011, 03:51:49 PM
I can confirm that...  every bitcoin related site that we have is subjected to a much higher rate of hacking attempts.

It's simply the nature of the beast... the pseudonymous and irreversible nature of Bitcoin simply means that there's a more attractive apple on the other side of the wall. Instead of hacking a site and using it to phish, or robbing bank accounts that can be reversed, or stealing credit card data which you can card physical goods at high risks...

... if you steal BTC, the victim stands almost no chance at getting it back and there's a pretty good chance you'll get away scot free.

Everyone who has half a working brain and was looking at starting up a Bitcoin-related business should realize this going in - the reward is much sweeter so people are going to try harder and therefore security has to be a higher priority.

That said I wouldn't panic at every scan, because that too is just the nature... of being on the internet. This isn't the 90s anymore, you'll go hoarse if you scream on IRC every time someone port-scans you.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: kjj on August 01, 2011, 06:43:15 PM
My main email address has been out there in the public eye for close to a dozen years now.  It has been posted on forums, websites, mailing lists, and even, God help me, USENET.

The throwaway address that leaked out of mtgox gets VASTLY more spam.



Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: Vladimir on August 01, 2011, 07:29:13 PM
Quote
Bitcoin is a magnet for hackers and crooks

So is cash. Does it come as a surprise?


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: xcooling on August 01, 2011, 07:59:42 PM
edit:

Yeah it's easy atm for them, but there is still far more money in stealing credit card numbers and personal identities.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: foggyb on August 01, 2011, 09:55:41 PM

Hacking / Scamming has held bitcoin down and stunted its growth.

Scamming bitcoins could be cool and all... but not when your activities drive their prices from 25-30 each to 13-14 each.

Scamming/hacking did not drive the price to 13$. The free market has decided 13-15$ is a fair price for a bitcoin. Wild speculation drove it to $30.






Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: willphase on August 01, 2011, 10:16:30 PM

Scamming/hacking did not drive the price to 13$. The free market has decided 13-15$ is a fair price for a bitcoin. Wild speculation drove it to $30.


Greed drove the price to $30.

Will


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: Indemnified on August 01, 2011, 10:22:10 PM
My main email address has been out there in the public eye for close to a dozen years now.  It has been posted on forums, websites, mailing lists, and even, God help me, USENET.

The throwaway address that leaked out of mtgox gets VASTLY more spam.



This^


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: Tasty Champa on August 01, 2011, 11:36:15 PM
OP, I'm glad you brought this to our attention.
Means we can get free or cheap penetration testing.
:)

just post your URL in the forum or your sig,
and state there is a wallet with 0.1BTC in it, if you can get it, it's yours!
I wouldn't lie about it though, they will be sneaky bastards.

could even set up a site directory with bounties in BTC.

It's like an anti-sec dream, super cheap pen testing, thwarting the expensive job seeking vanity driven  hats.

creation and destruction.

May as well make the destroyers skwirm. xD


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: smoothie on August 02, 2011, 06:00:16 AM
"Bitcoin is a magnet for hackers and crooks" .... AND BEER AND HOOKERS!!
 ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: bitrebel on August 02, 2011, 06:05:36 AM
The problem boils down to this:

Victim: Officer, I want to report a theft.

Officer: What happened?

Victim: Someone stole my bitcoins!

Officer: Your what?

Victim: My BITCOINS!!!!

Officer: Did you have them in your bank account or in your credit card?

Victim: They are not stored in banks or credit cards.

Officer: Then we don't give a rat's ass. Sorry.

Victim: Why won't you do anything?

Officer: We work for Bankers, not you, Fuck Off common Pleb!


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: bitrebel on August 02, 2011, 06:59:07 AM
There is also the WAR ON BITCOINS, you are not considering. It's not just greedy hackers, it's people who want to intentionally destroy bitcoin because they work for the bankers. ALL media, politicians, police, and governments are beholden to the central bankers, so bitcoin does not have many friends in the concrete jungle. Bitcoin is popular among people who value freedom and self responsibility and used by those without fear of computers or immediate persecution. Bitcoin is up against enormous odds and powers in the world. It will only succeed if people can endure the early hardships. Even then, we will continue to be fought against by the system. Bitcoins will NEVER be embraced by the real mainstream, paypal, ebay, bank of america, chase, and safeway or walmart. And maybe those are its best features yet. One thing is for sure, bitcoin will probably never be for the masses until things change, and maybe bitcoin is supposed to be a large part of that change.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: qwk on August 02, 2011, 08:58:39 AM
Victim: Someone stole my bitcoins!
(...)
Officer: Then we don't give a rat's ass. Sorry.

Just because your regular police officer won't know what a bitcoin is, doesn't mean it's not a criminal offence to steal them and that it can't be prosecuted. You may have a hard time explaining, sure.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: brandon@sourcewerks on August 02, 2011, 01:02:09 PM
Feel like some of the replies in this thread couple programmers with hackers...

Not all programmers need to exploit systems to feel complete.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: RSantana on August 09, 2011, 06:09:04 AM
It will be interesting to see if the hacking attempts slow down at a parallel rate to the value of the bitcoin.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: NothinG on August 09, 2011, 06:24:30 AM
It will be interesting to see if the hacking attempts slow down at a parallel rate to the value of the bitcoin.
or...hackers go further underground and release scripts to the public.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: RSantana on November 16, 2011, 07:43:18 AM
Just wanted to report for documentation sake that I'm still getting hit with hack attempts. The latest attempt was yesterday someone who speaks good English using a server (118.192.35.57) from China tried over 1,500 various methods to hack into my server.

It's hard to stay ahead of these guys, if they are persistent, they will eventually get in (as evident with the other already hacked bitcoin services).

Here are some of the methods he tried:
  • Tried to access boot information
  • Tried to access file system (ie /etc/passwd)
  • Various SQL injection techniques
  • javascript injection
  • Tried executing system commands with buffer over-runs

It's kinda funny that they never tried to find my wallet.dat file :-)


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: kjj on November 16, 2011, 07:57:06 AM
Just wanted to report for documentation sake that I'm still getting hit with hack attempts. The latest attempt was yesterday someone who speaks good English using a server (118.192.35.57) from China tried over 1,500 various methods to hack into my server.

It's hard to stay ahead of these guys, if they are persistent, they will eventually get in (as evident with the other already hacked bitcoin services).

Here are some of the methods he tried:
  • Tried to access boot information
  • Tried to access file system (ie /etc/passwd)
  • Various SQL injection techniques
  • javascript injection
  • Tried executing system commands with buffer over-runs

It's kinda funny that they never tried to find my wallet.dat file :-)

What types of attacks were they using?  Just web requests?

I've found that a well configured fail2ban setup has made my logs vastly less annoying to read.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: RSantana on November 16, 2011, 08:05:06 AM
What types of attacks were they using?  Just web requests?
I've found that a well configured fail2ban setup has made my logs vastly less annoying to read.

Yes, all attacks were using HTTP. fail2ban looks pretty good. Thanks.
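
The kind of log triage discussed in the posts above, as an added example (not code from any poster and not part of fail2ban): it sorts HTTP requests into the categories RSantana listed and applies a fail2ban-style "maxretry within findtime" rule per source IP. The signature patterns, the `boot.ini` path, the length threshold, the function names and the sample log lines (documentation-range IPs) are all assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Common/combined access-log format: client IP, timestamp, request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+)[^"]*" \d{3}'
)

# Illustrative signatures only (assumed, far from exhaustive). Matching logs
# reduces noise; it does not replace parameterized queries or output encoding.
SIGNATURES = [
    ("file_access", re.compile(r"\.\./|/etc/passwd|boot\.ini", re.I)),
    ("sql_injection", re.compile(
        r"'\s*or\s+'?\d|\bunion\s+(all\s+)?select\b|;\s*drop\s+table", re.I)),
    ("script_injection", re.compile(r"<\s*script|javascript:|onerror\s*=", re.I)),
]
MAX_TARGET_LEN = 2048  # assumed cut-off for "buffer over-run" style requests


def decode(target, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(target):
    """Return the sorted list of suspicious categories a request target matches."""
    hits = set()
    if len(target) > MAX_TARGET_LEN:
        hits.add("oversized_input")
    text = decode(target)
    for name, pattern in SIGNATURES:
        if pattern.search(text):
            hits.add(name)
    return sorted(hits)


def find_offenders(lines, maxretry=3, findtime=600):
    """Flag an IP once it makes `maxretry` suspicious requests within
    `findtime` seconds. Returns {ip: {"categories": Counter, "flagged_at": ts}}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # per-IP timestamps inside the sliding window
    report = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        categories = classify(m.group("target"))
        if not categories:
            continue
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entry = report.setdefault(ip, {"categories": Counter(), "flagged_at": None})
        entry["categories"].update(categories)
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= maxretry and entry["flagged_at"] is None:
            entry["flagged_at"] = ts
    return report


def _line(ip, hhmmss, target, status=200):
    """Build one constructed access-log line for the sample below."""
    return (f'{ip} - - [15/Nov/2011:{hhmmss} +0000] "GET {target} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"')


# Constructed sample: one noisy scanner, one normal shopper, one slow prober.
SAMPLE_LOG = [
    _line("203.0.113.7", "10:00:01", "/index.php?page=../../../../etc/passwd", 404),
    _line("203.0.113.7", "10:00:03", "/item.php?id=1%27%20OR%20%271%27%3D%271"),
    _line("203.0.113.7", "10:00:05", "/search?q=%253Cscript%253Ealert(1)%253C/script%253E"),
    _line("203.0.113.7", "10:00:09", "/cgi-bin/form?name=" + "A" * 3000, 400),
    _line("198.51.100.20", "10:01:00", "/products?id=42"),
    _line("198.51.100.20", "10:02:00", "/search?q=o%27reilly+books"),
    _line("192.0.2.50", "10:00:00", "/view?file=../../etc/passwd", 404),
    _line("192.0.2.50", "10:30:00", "/view?file=../../boot.ini", 404),
    _line("192.0.2.50", "11:00:00", "/login?user=admin%27%20or%201=1"),
]

if __name__ == "__main__":
    for ip, entry in find_offenders(SAMPLE_LOG).items():
        print(ip, dict(entry["categories"]), "flagged at:", entry["flagged_at"])
```

The slow prober in the sample is recorded but never crosses the threshold, which is the usual blind spot of rate-based banning: the per-category counts still need a periodic look.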


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: RSantana on November 16, 2011, 08:08:25 AM
One other interesting thing. It looks like he is on a Windows NT machine using IE 6!

I guess he could be spoofing the agent string.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: payb.tc on November 16, 2011, 08:32:07 AM
I guess he could be spoofing the agent string.

i was going to say '118' looks like Australia. which service told you it was China? (other than the IE6 usage :D)


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: RSantana on November 16, 2011, 08:38:51 AM
i was going to say '118' looks like Australia. which service told you it was China? (other than the IE6 usage :D)

You gotta use the Asia Pacific Network whois search to lookup the IP address

http://www.apnic.net/apnic-info/whois_search


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: RSantana on February 24, 2012, 08:08:22 AM
For anyone who cares or is keeping track. Yesterday I got another 2000 hack attempts. It was mostly injecting harmful scripts into my forms, and random endpoint guessing looking for login pages.

These attempts all came from the Netherlands.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: Timo Y on February 24, 2012, 10:45:39 AM
For anyone who cares or is keeping track. Yesterday I got another 2000 hack attempts. It was mostly injecting harmful scripts into my forms, and random endpoint guessing looking for login pages.

These attempts all came from the Netherlands.


The Netherlands was probably just the last link in a proxy chain.

We shouldn't be surprised by this. Bitcoin wallets are perceived as an easy target, and there is no shortage of desperate people in the world with basic hacking skills.

Have you thought about storing your wallets offline and advertising this fact on your site?


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: organofcorti on February 24, 2012, 11:05:02 AM
I actually think it's a good thing.

What doesn't kill you makes you stronger.


You mean like cancer? Or schizophrenia? In all the time I heard Nietzsche's phrase "That which does not kill us makes us stronger" parroted about, I've yet to hear of one convincing example. In this case, no, getting hacked will not make RSantana's business any stronger. And for any new merchant who doesn't have RSantana's server skills, getting hacked might put them off altogether.

I know you mean well znort987, but remember we're trying to encourage bitcoin access to the wider community. This means helping them be safe, not waiting until they get wiped out - or even nearly wiped out.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: Kluge on February 24, 2012, 11:06:34 AM
I know various forms of this topic and have been discussed at length, but I thought it would be beneficial to hear another first hand account. After looking through 256 recent SQL injection attempts at my site I thought I'd share my experience thus far as a new bitcoin etailer.

I've been running various online retail websites for over 10 years. As many of you know, I recently started CoinedBits.com. I've been the receiver of more hack attempts in the last month at CoinedBits.com than the previous 10 years on all my other sites.

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.

Thanks for listening.

I actually think it's a good thing.

What doesn't kill you makes you stronger.

I'm thinking along these lines, too, and wondering if there aren't a good few white-hats doing these attacks. Funny OP mentioned the crackers never looked for the wallet.dat file. I had VNC servers compromised a few months ago, not too long after the MtGox attack. What did the invader do? Was very obvious and tried infecting one computer (which did not run the Bitcoin daemon) with adware. - And I was very confused by this at first, but I've since started thinking they were doing a service of pointing out a very obvious security flaw in my setup which I quickly corrected. I immediately disconnected my router, but I regret not trying to communicate with him.

After the Gox attack, security improved (both in Gox and the affected users) and we're better for it. After Bitscalper's security flaw was noted, security improved and... well.... security improved. All of these attacks are bad short-term, but long-term, they make us more alert and wiser, and may be necessary for Bitcoin to continue being used 10 years from now.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: btc_artist on February 24, 2012, 03:33:06 PM
This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
Increasing barrier and risk? If your site is secured, you have no risk. If your site is not secure, YOU are causing the risk, not people probing your servers.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.
Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

I'll put it simply.  It is the site owner's responsibility to fully secure their site. If they do not, it *will* be compromised sooner or later.  This has nothing to do with Bitcoin and everything to do with website owners being responsible.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: foggyb on February 24, 2012, 03:43:57 PM
I actually think it's a good thing.

What doesn't kill you makes you stronger.


You mean like cancer? Or schizophrenia?


Those diseases kill and maim. Web servers are immune to diseases, last time i checked.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: RSantana on February 24, 2012, 04:59:25 PM
This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
Increasing barrier and risk? If your site is secured, you have no risk. If your site is not secure, YOU are causing the risk, not people probing your servers.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.
Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

I'll put it simply.  It is the site owner's responsibility to fully secure their site. If they do not, it *will* be compromised sooner or later.  This has nothing to do with Bitcoin and everything to do with website owners being responsible.
There is no such thing as a secure server.
Trust, is Bitcoin's #1 problem.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: caveden on February 24, 2012, 05:17:12 PM
This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
Increasing barrier and risk? If your site is secured, you have no risk. If your site is not secure, YOU are causing the risk, not people probing your servers.

Wait, it's the victims fault if s/he is attacked?

OP is right, this does create a higher barrier for establishing a bitcoin business. It's like establishing a brick and mortar business in a violent neighborhood: you'll have to invest more in security, and even that might not be enough. Such costs and risks might be prohibitive to some. Even if they're not prohibitive, they'll have to be accounted for in the price of whatever product or service they sell.

Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords, it's stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: Timo Y on February 24, 2012, 05:35:57 PM
I'll put it simply.  It is the site owner's responsibility to fully secure their site. If they do not, it *will* be compromised sooner or later.  This has nothing to do with Bitcoin and everything to do with website owners being responsible.

Don't know what you mean by "fully secure". There is no such thing as perfect security.

Anyhow, it does have something to do with Bitcoin because, if you store wallets on servers, the level of security required is so much higher than for a site like Wikipedia, where any damage caused by hackers can easily be reversed.  

Security is fiendishly hard to get right even for experienced web developers.   Hiring a team of 10 security experts should NOT be a requirement for every startup in the Bitcoin economy, otherwise there will be very few startups and this economy will never bootstrap.  

This barrier to entry is a problem at the moment. Multisig alone doesn't solve the problem for any system that is automated. What we need is something like LinuxCoin for web developers - a separate preconfigured server just for handling wallets. This server could then be thoroughly tested by the community, just like the Satoshi client, and individual web developers wouldn't need to reinvent the wheel.  


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: Phinnaeus Gage on February 24, 2012, 08:38:12 PM
Quote
This barrier to entry is a problem at the moment. Multisig alone doesn't solve the problem for any system that is automated. What we need is something like LinuxCoin for web developers - a separate preconfigured server just for handling wallets. This server could then be thoroughly tested by the community, just like the Satoshi client, and individual web developers wouldn't need to reinvent the wheel.

Let's see if I don't know what I'm talking about--again.

I think we need not one LinuxCoin, but seven--one for each 10 fold increase of Bitcoin, all the way to what is currently known as a satoshi. And don't start developing the next level until it looks like it's going to be needed soon, therefore all the latest security features and fixes can be in place, eliminating as many future patches as possible.

It can be called LinuxCoin, or any other name, but Bitcoin would remain its brand status, to satisfy the purist and not confuse the ongoing adapters.

Work should start on the next level now. Once in place, and Bitcoin reaches a certain level, say trading at $100 USD (but doesn't have to be exact), then the new client would be LC1, therefore whoever had 10 bitcoins prior to the move, now has 100 coins, valued at the same price. But now it resides on the new secure client without all the previous mundane luggage which, by the way, is still made available somewhere, somehow, for obvious reasons.

It's days like this that I wish I was a programmer. You guys are truly smart lads and lassies. But, then again, if I were a programmer, perhaps Atlas would then be the DaBitcoinGuy.

~Bruno~


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: Coinbuck @ BTCLot on February 25, 2012, 01:09:29 PM
For anyone who cares or is keeping track. Yesterday I got another 2000 hack attempts. It was mostly injecting harmful scripts into my forms, and random endpoint guessing looking for login pages.

These attempts all came from the Netherlands.

In here they come from Russia. It's really annoying.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: k9quaint on February 25, 2012, 08:26:22 PM
There is no such thing as a secure server.

Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: RSantana on February 25, 2012, 09:30:42 PM
There is no such thing as a secure server.
Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.
So who do you think is worthy to stay in the Internet business?


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: ZodiacDragon84 on February 25, 2012, 09:35:37 PM
OP, I'm glad you brought this to our attention.
Means we can get free or cheap penetration testing.
:)

just post your URL in the forum or your sig,
and state there is a wallet with 0.1BTC in it, if you can get it, it's yours!
I wouldn't lie about it though, they will be sneaky bastards.

could even set up a site directory with bounties in BTC.

It's like an anti-sec dream, super cheap pen testing, thwarting the expensive job seeking vanity driven  hats.

creation and destruction.

May as well make the destroyers skwirm. xD

Basically, set up honey pots, and see how many bees you can collect?


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: k9quaint on February 25, 2012, 10:23:31 PM
There is no such thing as a secure server.
Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.
So who do you think is worthy to stay in the Internet business?

People who can.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: Jan on February 25, 2012, 11:25:37 PM
If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.
That's why we have Bit-Pay.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: Liberate on February 25, 2012, 11:42:44 PM
This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
If you can't secure your sites then you should not be handling other people's money/bitcoins.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: payb.tc on February 25, 2012, 11:44:01 PM
There is no such thing as a secure server.
Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.
So who do you think is worthy to stay in the Internet business?

People who can.

sony?


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: Jon on February 25, 2012, 11:57:34 PM
I would be more concerned if Bitcoin only attracted law-abiding citizens and government officials.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: NASDAQEnema on February 26, 2012, 12:30:50 AM
This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
Increasing barrier and risk? If your site is secured, you have no risk. If your site is not secure, YOU are causing the risk, not people probing your servers.

Wait, it's the victim's fault if s/he is attacked?

A victim is not expected to be armed or prepared.
A business is.

The audacity of businesses thinking they are victims amazes me. Don't leave the safe open and don't fail to use a time lock.
You are responsible for the safety of your business.

Quote
OP is right, this does create a higher barrier for establishing a bitcoin business. It's like establishing a brick and mortar business in a violent neighborhood: you'll have to invest more in security, and even that might not be enough. Such costs and risks might be prohibitive to some. Even if they're not prohibitive, they'll have to be accounted for in the price of whatever product or service they sell.

The prize in bitcoin land is BTC. The prize in fiat land is Credit Card numbers. Both can be sold for fiat. The barrier to entry is exaggerated.
It's just easier at the moment for large sums of BTC to trade into fiat. There's no secret trading platform where you can invest in credit card haxor teams. Not yet.

Quote
Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords, it's stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.

Hashing passwords is standard practice expected. Fix your website. There's plenty of high schoolers out of work who could do it for nearly nothing or even a few BTC.

Stop avoiding responsibility.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: ZodiacDragon84 on February 26, 2012, 08:09:07 PM
Trust, is Bitcoin's #1 problem.

Time to downgrade back to the good ol' credit cards, checks, and cash; systems where we don't need to trust anyone at all!  ;D



riiiiiiight.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: caveden on February 27, 2012, 09:56:12 AM
A victim is not expected to be armed or prepared.
A business is.

The audacity of businesses thinking they are victims amazes me. Don't leave the safe open and don't fail to use a time lock.
You are responsible for the safety of your business.

Wait...
So, according to you, being the victim of a crime depends on whether you were engaging in business? If my personal car gets stolen, I'm a victim, but if it's my function car while I'm working, I'm responsible for being robbed? If a woman is raped, she's a victim, unless it was a prostitute during her business, then she's responsible for being raped?

Please. Of course people would better be prudent and protect themselves from criminals, but your notion of ethics is completely twisted if you really believe "business are not victims". Being the victim or the responsible of a crime has absolutely nothing to do with whether you were engaging in business, pleasure or whatever.

Quote
Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords, it's stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.
Hashing passwords is standard practice expected. Fix your website. There's plenty of high schoolers out of work who could do it for nearly nothing or even a few BTC.

Stop avoiding responsibility.

It's not "my website". But it is a good example. Why should they even care about spending money on a high schooler to have a decent site? All they want is to deliver sandwiches and meals. The only reason they've probably done a site at all was because they work in a "geek area", and have many clients that prefer ordering by clicking instead of using the phone.
They don't really care about having a good, secure site, and it's fine enough for them, as long as they keep delivering good meals at an affordable price.
But that's only because they don't accept bitcoin (or any other digital means of payment, for that matter). If they ever consider the possibility, their site will be completely rapped by the crooks OP talks about. So, summarizing, OP has a point. The high level of "cyberviolence" we are submitted to (and also the fact we can't even try to punish these hackers as we may do with meatspace criminals) makes life harder for honest people, unfortunately.

But maybe a better comparison would be to compare the level of security needed to safely maintain a bitcoin wallet in a site, and the level of security needed to safely store credit card numbers. I have no idea which kind of site is more attacked.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: organofcorti on February 27, 2012, 10:22:44 AM
Just going off-topic here and injecting a bit of levity, but did anyone notice that if you spoonerise "hackers and crooks" you get:

"Bitcoin is a magnet for crack and hookers"

I wonder how the security at Silk Road is?


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: btc_artist on February 27, 2012, 02:28:57 PM
A victim is not expected to be armed or prepared.
A business is.

The audacity of businesses thinking they are victims amazes me. Don't leave the safe open and don't fail to use a time lock.
You are responsible for the safety of your business.

Wait...
So, according to you, being the victim of a crime depends on whether you were engaging in business? If my personal car gets stolen, I'm a victim, but if it's my function car while I'm working, I'm responsible for being robbed? If a woman is raped, she's a victim, unless it was a prostitute during her business, then she's responsible for being raped?

Please. Of course people would better be prudent and protect themselves from criminals, but your notion of ethics is completely twisted if you really believe "business are not victims". Being the victim or the responsible of a crime has absolutely nothing to do with whether you were engaging in business, pleasure or whatever.

Quote
Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords, it's stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.
Hashing passwords is standard practice expected. Fix your website. There's plenty of high schoolers out of work who could do it for nearly nothing or even a few BTC.

Stop avoiding responsibility.

It's not "my website". But it is a good example. Why should they even care about spending money on a high schooler to have a decent site? All they want is to deliver sandwiches and meals. The only reason they've probably done a site at all was because they work in a "geek area", and have many clients that prefer ordering by clicking instead of using the phone.
They don't really care about having a good, secure site, and it's fine enough for them, as long as they keep delivering good meals at an affordable price.
But that's only because they don't accept bitcoin (or any other digital means of payment, for that matter). If they ever consider the possibility, their site will be completely rapped by the crooks OP talks about. So, summarizing, OP has a point. The high level of "cyberviolence" we are submitted to (and also the fact we can't even try to punish these hackers as we may do with meatspace criminals) makes life harder for honest people, unfortunately.

But maybe a better comparison would be to compare the level of security needed to safely maintain a bitcoin wallet in a site, and the level of security needed to safely store credit card numbers. I have no idea which kind of site is more attacked.
It goes both ways. Sure, you're still a victim, but on the flip side, you should secure your site.  And that goes for any site, not just a bitcoin-related site.

If you don't want to be a victim, secure your site. :)


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: zer0 on February 27, 2012, 06:09:29 PM
'Crooks' are already using existing payment methods to move multi millions in laundered funds; they don't need bitcoin. They need fake ID, social engineering and some socks proxies. There aren't enough bitcoins in the world to satisfy the daily laundering requirements of a typical Mexican cartel or even most Nigerian scams.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: payb.tc on February 27, 2012, 09:28:18 PM
There aren't enough bitcoins in the world to satisfy the daily laundering requirements of a typical Mexican cartel or even most Nigerian scams

so, how many bitcoins would be enough?


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: btc_artist on February 27, 2012, 09:37:02 PM
There aren't enough bitcoins in the world to satisfy the daily laundering requirements of a typical Mexican cartel or even most Nigerian scams

so, how many bitcoins would be enough?

One bitcoin would be enough. You could probably even do it with a half a bitcoin ;)


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: Bitcoin Oz on February 28, 2012, 12:01:10 AM
This is why my advice is if you can't code for shit don't go bringing out bitcoin sites.



Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: kjj on February 28, 2012, 01:28:22 AM
I've had a couple of ideas for bitcoin sites that I haven't bothered doing because I don't want the hassle.

Of course, I've had similar ideas for non-bitcoin sites too, and I usually don't bother with them either, because of the hassles that come with other payment systems.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: dooglus on February 28, 2012, 04:31:00 AM
Quote from: kjj
Here are some of the methods he tried:
- Tried to access boot information
- Tried to access file system (ie /etc/passwd)
- Various SQL injection techniques
- javascript injection
- Tried executing system commands with buffer over-runs

It's kinda funny that they never tried to find my wallet.dat file :-)

He's almost certainly using a program that does all that stuff automatically for him.  I've seen the same pattern of attacks myself.  If you look in the logs closely, you'll see the same word coming up over and over.  Google it - it's the name of the hacking tool he's using.

That's what I found, anyway.  I don't remember the name now though, sorry.
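The log check described in the post above, as an added example that is not part of the original thread: it finds words that recur in nearly every request from a client that triggers many errors but never appear in ordinary traffic. The log lines are constructed, "examplescanner" is a made-up tool name, and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Apache/nginx "combined" format. Addresses are from the
# documentation ranges; "examplescanner" is a made-up tool name (assumption).
SAMPLE_LOG = '''\
203.0.113.20 - - [25/Feb/2012:09:58:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
203.0.113.20 - - [25/Feb/2012:09:58:40 +0000] "GET /product.php?id=1 HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
203.0.113.21 - - [25/Feb/2012:09:59:02 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
198.51.100.7 - - [25/Feb/2012:10:00:01 +0000] "GET /product.php?id=1%27 HTTP/1.1" 500 312 "-" "Mozilla/4.0 (compatible; examplescanner)"
198.51.100.7 - - [25/Feb/2012:10:00:01 +0000] "GET /product.php?id=1%27-- HTTP/1.1" 500 312 "-" "Mozilla/4.0 (compatible; examplescanner)"
198.51.100.7 - - [25/Feb/2012:10:00:02 +0000] "GET /../../etc/passwd HTTP/1.1" 400 226 "-" "Mozilla/4.0 (compatible; examplescanner)"
198.51.100.7 - - [25/Feb/2012:10:00:02 +0000] "GET /boot.ini HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; examplescanner)"
198.51.100.7 - - [25/Feb/2012:10:00:03 +0000] "GET /admin/login.php HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; examplescanner)"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
TOKEN_RE = re.compile(r"[a-z]{5,}")

def tokens(rec):
    """Lower-case words of 5+ letters from the URL, referer and user agent."""
    text = " ".join((rec["path"], rec["referer"], rec["agent"])).lower()
    return set(TOKEN_RE.findall(text))

def recurring_tokens(log_text, min_errors=3, min_share=0.8):
    """Map each noisy client IP to the words present in most of its requests."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_ip[m["ip"]].append(m.groupdict())
    # A client is "noisy" once it has caused min_errors 4xx/5xx responses.
    noisy = {ip for ip, recs in by_ip.items()
             if sum(r["status"][0] in "45" for r in recs) >= min_errors}
    # Words seen in ordinary traffic are not interesting as tool markers.
    baseline = set()
    for ip, recs in by_ip.items():
        if ip not in noisy:
            for r in recs:
                baseline |= tokens(r)
    report = {}
    for ip in noisy:
        counts = Counter(t for r in by_ip[ip] for t in tokens(r))
        total = len(by_ip[ip])
        report[ip] = sorted(t for t, n in counts.items()
                            if n / total >= min_share and t not in baseline)
    return report

if __name__ == "__main__":
    for ip, words in recurring_tokens(SAMPLE_LOG).items():
        print(ip, words)
```

A word that survives both filters is a candidate for a block rule or an alert on that user agent or parameter value, though a tool can be configured to hide it.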


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: dooglus on February 28, 2012, 05:06:21 AM
"Pangolin".  That was it.


Title: Re: Bitcoin is a magnet for hackers and crooks
Post by: Strophon on February 28, 2012, 09:16:55 PM
RSantana: I don't understand; why are you keeping your wallet on your server? Shouldn't it be kept on a different machine? As a retailer, you only need to collect payment except for the occasional refund (which you can do manually), which means your wallet doesn't have to be on the server at all, right? Or am I missing something here? I thought only exchanges like Mt.Gox that have to pay Bitcoins out in addition to accepting them had to worry that much about security, because they have to actually have a wallet file on a machine connected to the server. I mean, a hacker could still put up a fake BTC address on your site if it got compromised, but that's not the same degree of problem as losing your whole wallet...