Bitcoin Forum
Author Topic: Are these attacks preventable?  (Read 1319 times)
Xiaoxiao (OP)
May 26, 2015, 02:00:45 AM
 #1

Bitcointalk is pretty important to the crypto community.  Were these attacks preventable?
Vod
May 26, 2015, 02:06:03 AM
 #2

Bitcointalk is pretty important to the crypto community.  Were these attacks preventable?

It's hard if not impossible to protect against social engineering.

🏰 TradeFortress 🏰
May 26, 2015, 02:08:19 AM
 #3

Bitcointalk is pretty important to the crypto community.  Were these attacks preventable?

It's hard if not impossible to protect against social engineering.

Not _that_ hard.

"Please do not perform any actions on my account without a signed PGP message".
Quickseller
May 26, 2015, 02:15:03 AM
 #4

Pretty much all attacks are preventable. The real question is was the recent attack reasonably able to be anticipated? Until theymos can figure out what exactly happened that allowed who was potentially TF access to the KVM then it will be difficult to know if the attack could reasonably be anticipated.
Vod
May 26, 2015, 02:18:44 AM
 #5

Bitcointalk is pretty important to the crypto community.  Were these attacks preventable?

It's hard if not impossible to protect against social engineering.

Not _that_ hard.

"Please do not perform any actions on my account without a signed PGP message".

Didn't you claim to be the victim of a hack yourself, before disappearing with thousands of coins?   Roll Eyes

It's impossible to prevent against social engineering.  A sympathetic moron will always do the wrong thing.

gmaxwell
Staff
May 26, 2015, 06:28:43 AM
 #6

"Please do not perform any actions on my account without a signed PGP message".
These instructions are routinely ignored, seen it myself many times.  They either don't see it at all and just follow the ordinary procedure or are easily convinced by things like "but that key is _on_ that server and my other backup was erased, that's why I need in!" Of course, actual users do things like this-- which is part of why the social engineering works so well.  Even if it doesn't fail that way, they'll likely use the age old xkcd method for verifying the signature.

Of course, maybe if someone can't even pull off sounding like a competent adult on the phone; then perhaps they'll have a harder time convincing a facilities operator to do the wrong thing.  I understand in this case the attacker(s) came off as barely literate. (but again, since plenty of legitimate customers are barely literate...)

Pretty much all attacks are preventable. The real question is was the recent attack reasonably able to be anticipated?
And at what cost. Without anyone knowing the details we can probably guess that having the equipment in its own, isolated, security facility, behind armed guards and no remote administrative access would likely have prevented this issue (and many others-- since the site would probably be down most of the time ... Smiley ) but that kind of cost is hardly justified for the forum.
notlist3d
May 26, 2015, 07:53:58 AM
 #7

Bitcointalk is pretty important to the crypto community.  Were these attacks preventable?

It's hard if not impossible to protect against social engineering.

Not _that_ hard.

"Please do not perform any actions on my account without a signed PGP message".

Didn't you claim to be the victim of a hack yourself, before disappearing with thousands of coins?   Roll Eyes

It's impossible to prevent against social engineering.  A sympathetic moron will always do the wrong thing.

It should be preventable but as long as a human is involved I agree it is always possible sadly.  I mean we really don't know if there was an inside man, an idiot worker, etc.

Whoever on data center side who helped should be fired.  I did user provisioning for a while as part of a job I had.  If you could not be verified 100 percent I did not give access.   It was not fun telling anyone but especially someone they would have to wait... but I did it.

It was a massive company not a data center though.  So security on accounts, with there being company secrets, private info, internal figures, etc., was treated very seriously.
XinXan
May 26, 2015, 08:07:13 AM
 #8

Obviously it is not, it's impossible. I'm sure you know a lot of cases of way bigger companies getting hacked, and when I say way bigger I mean the biggest; for fuck's sake, even NASA got hacked by a kid. It's plain impossible to prevent such a thing if someone skilled enough is willing to attack the forum.
Gervais
May 26, 2015, 08:33:18 AM
 #9

It's impossible to protect yourself 100% and there are always weaknesses and vulnerabilities and things that can be cleverly bypassed. Even 2-factor isn't foolproof. A hacker could call your mobile phone provider if he got enough details and convince them that your phone was stolen or whatnot and to block the phone and send a new SIM to his address or something. Similar things have happened before. You can also reset things like Google Auth, so nothing is ever watertight; it's just about minimizing risk and keeping yourself protected as much as you can.
Beefcake
May 26, 2015, 08:37:53 AM
 #10

The intelligence and creativity of the best hackers astounds me.  I hate to say it but as soon as one hole is plugged another will be opened.  One way or another any website with a target on its back will be hacked.  I don't think it's possible to prevent it 100% of the time.

I am not saying that this is a particularly creative or intelligent attack, as I do not really know the details.
2112
May 26, 2015, 09:24:49 AM
 #11

Easily preventable on two levels:

1) collocate your own equipment in a remote data center. The customer service staff will simply have no access to it besides being able to press buttons on the box.

2) use non-commodity hardware like Oracle SPARC or IBM POWER or HP Integrity/Itanium.  Then even if they manage to steal it they most likely will not be able to get the data off of it without specialized assistance.

Edit: Also, don't run Linux on those machines, but their native OS: Solaris, AIX, HP/UX respectively.

Xialla
May 26, 2015, 11:09:09 AM
 #12

It's hard if not impossible to protect against social engineering.

uhh? all depends, how much money you want to spend to train personnel and invest in security..
Xialla
May 26, 2015, 12:37:40 PM
 #13

^^ this.

"ponzi" section is somehow ok, because at least all of this shit is concentrated on one subsection and they are not even trying to infect other sections.

but I really dunno why it is officially enabled here to sell and buy accounts, even hero/legendary with years of history and green trust.
hilariousandco
Global Moderator
May 26, 2015, 12:41:28 PM
 #14

Ponzis are ok but selling accounts isn't? Selling accounts is allowed because banning their sale wouldn't stop it from going on, but this has been discussed to death and just goes round and round. Just do a search for the many other threads.

Quickseller
May 26, 2015, 12:55:56 PM
 #15


Pretty much all attacks are preventable. The real question is was the recent attack reasonably able to be anticipated?
And at what cost. Without anyone knowing the details we can probably guess that having the equipment in its own, isolated, security facility, behind armed guards and no remote administrative access would likely have prevented this issue (and many others-- since the site would probably be down most of the time ... Smiley ) but that kind of cost is hardly justified for the forum.
I believe that in the post that theymos made prior to moving the forum to a new data center that the server that hosts the DB is now using FDE that would have prevented this attack, although the Google cache of the thread has since been overwritten so I can't see what exactly he wrote.

Sure, you can spend exorbitant amounts of money on security to prevent *all* possible attacks; however, doing so would probably be defending against attacks that will never materialize. If you can reasonably anticipate what an attacker is going to try then you can make your security budget more reasonable.

One thing that could have prevented the attack would be the data center refusing to reset the password for say 24 hours after receiving a request to do so (and to send out a notification of a password reset request in the meantime). This would have allowed theymos to become aware of the situation prior to the attacker gaining access to the server although it could mean that we would have 24 hours of downtime in the event that theymos ever loses his password.
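
The delayed-reset idea from the post above, sketched as an added example (not part of the original thread and not any data center's actual procedure). The class names, field names and the in-memory outbox are hypothetical; times are plain seconds so the logic can be exercised offline.

```python
from dataclasses import dataclass, field

HOLD_SECONDS = 24 * 60 * 60  # the 24-hour hold suggested in the post


@dataclass
class ResetRequest:
    requested_at: float
    channel: str            # how the request arrived: phone, ticket, ...
    cancelled: bool = False


@dataclass
class ResetDesk:
    """Hypothetical support-desk queue: no reset is executed on the spot."""
    contacts: dict                                # account -> contact on file
    pending: dict = field(default_factory=dict)   # account -> ResetRequest
    outbox: list = field(default_factory=list)    # stand-in for e-mail/SMS

    def request_reset(self, account, channel, now):
        """Queue a reset, notify the owner, return the earliest execution time."""
        contact = self.contacts[account]          # KeyError for unknown accounts
        req = self.pending.get(account)
        if req is None or req.cancelled:
            req = self.pending[account] = ResetRequest(now, channel)
        # else: a repeated request neither restarts nor shortens the hold
        # Notify the address on file, never one supplied by the caller.
        self.outbox.append((contact, f"Password reset requested via {channel}; "
                            f"it runs in {HOLD_SECONDS // 3600}h unless you cancel."))
        return req.requested_at + HOLD_SECONDS

    def cancel(self, account):
        """Called when the real owner reacts to the notification."""
        req = self.pending.get(account)
        if req is None:
            return False
        req.cancelled = True
        return True

    def try_execute(self, account, now):
        """True only once the hold has elapsed without a cancellation."""
        req = self.pending.get(account)
        if req is None or req.cancelled:
            return False
        if now - req.requested_at < HOLD_SECONDS:
            return False                          # no override for "urgent" callers
        del self.pending[account]
        return True
```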
Beefcake
May 27, 2015, 02:05:21 PM
 #16

because banning their sale wouldn't stop it from going on

That's like saying: We don't ban child porn, because there will always be pedophiles.

You can't prevent anything completely, but you can reduce the bad impact and stop it from happening on your forum.

This is true, but how much time would it take to really monitor all account sales?  You would need at least one full time position to do this.  Maybe the forum staff feel that their time is better spent elsewhere?
redsn0w
May 27, 2015, 06:03:28 PM
 #17

because banning their sale wouldn't stop it from going on

That's like saying: We don't ban child porn, because there will always be pedophiles.

You can't prevent anything completely, but you can reduce the bad impact and stop it from happening on your forum.

Woow, really nice point of view... now I think the things should change here in the forum (only for a question of security, nothing else).


...
This is true, but how much time would it take to really monitor all account sales?  You would need at least one full time position to do this.  Maybe the forum staff feel that their time is better spent elsewhere?

Maybe with a single forum rule you can discourage the forum account buying/selling (but a lot of censorship is not really a good thing, but if the forum is always attacked ... the things *must* change).
dogie
May 27, 2015, 07:31:32 PM
 #18

Maybe with a single forum rule you can discourage the forum account buying/selling (but a lot of censorship is not really a good thing, but if the forum is always attacked ... the things *must* change).

The forum *is* under constant attack, but the only attacks you hear about are the ones you get through. Then Theymos gets blamed, not praised for the 500 he thwarted passively.

IDKwhatimdoing
May 27, 2015, 07:54:24 PM
 #19

Preventable? maybe not.... epically diverted by theymos? apparently yes Grin Grin Grin

serious tho... social engineering is screwed up Cheesy it always seems to work and people don't have any real security measures for it...... everyone thinks everyone is trustable

iopq
May 27, 2015, 11:17:23 PM
 #20

2) use non-commodity hardware like Oracle SPARC or IBM POWER or HP Integrity/Itanium.  Then even if they manage to steal it they most likely will not be able to get the data off of it without specialized assistance.

Edit: Also, don't run Linux on those machines, but their native OS: Solaris, AIX, HP/UX respectively.


This is called security by obscurity. It works until it doesn't, and the guy happens to know how to work that system. Does it make you safer? Maybe. Is it worth your time doing this compared to other measures? Probably not.

It's probably safer to know how to secure Linux than to use a system you are not familiar with.