Bitcoin Forum
Author Topic: Bitcointalk and Security  (Read 1208 times)
chrisvl (OP)
May 27, 2015, 12:21:02 PM
#1

Bitcointalk is the largest community of bitcoin users, and this will always be a hacker target.

What will the hacker win if they hack Bitcointalk?

Most believe that if they manage to hack the Bitcointalk database and steal the users' information, they will be able to access, for example, users' exchange accounts to steal bitcoins, or private messages (e.g. from bitcoin developers), or even learn who the famous Satoshi Nakamoto is.
For that matter, the hackers are not wrong: most if not all users use the same email and passwords, e.g. the same email and password on Bitcointalk and the same email on BTC-e. That is what the hackers are betting on.

Safety does not exist naturally

Security generally does not exist; every day new vulnerabilities / 0-day exploits are discovered.
If one wants to make a secure website that cannot be attacked by hackers, no developer can guarantee that, because it is impossible.

I believe that each year a hacking challenge should be organized, which security researchers, hackers and penetration testers could join, aiming to find vulnerabilities in the Bitcointalk forum; as a reward they would get bitcoins...




Blazr
May 27, 2015, 12:29:55 PM
Last edit: May 27, 2015, 12:59:57 PM by Blazr
#2

The forum already has security bounties that pay almost the same as Google/Facebook do for their security bounties:

https://bitcointalk.org/index.php?topic=309785.0

One problem is that web application vulnerabilities aren't the only way we can be hacked. In this case the hacker used social engineering; there were no security vulnerabilities in the forum software. In fact the hacker likely had little technical skill at all: they just needed to convince the hosting company they were theymos, and the hosting company let them in. There really isn't a whole lot we can do about attacks like that. There are thousands of ways to execute social engineering attacks against the forum. It is of course a good idea to check what information your host requires to let you reset your account, and it would also be a good idea to inform the host that there may be social engineering attacks, but I mean I can think of a million other ways this could be done and I can't think of many ways to prevent them. What we really need is a more layered approach; for example, if we had javascript-side PM encryption then we could store the PMs fully encrypted on the server and protect against even a root attacker grabbing them. The forum already stores passwords in a secure manner. Honestly the only things we need to protect are PMs, email addresses and passwords/security questions.

Additionally I would highly recommend the account recovery feature be changed. I think that it should require both a recovery email and the answer to the security question; currently it only requires one of those. I would think this would greatly reduce the number of hacked accounts.

Lauda
May 27, 2015, 01:09:44 PM
#3

I'm not sure why people are complaining that much in regards to the security of the forum. You should all be thanking theymos that this isn't happening much more often.
Seriously, do you think that there have been only a handful of hacking attempts since the last hack (not this one)?

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
chrisvl (OP)
May 27, 2015, 01:35:31 PM
#4

Sure, theymos is doing their best; it's people, not machines.

Grand_Voyageur
May 27, 2015, 02:13:15 PM
#5

=snip=
In this case the hacker used social engineering; there were no security vulnerabilities in the forum software. In fact the hacker likely had little technical skill at all: they just needed to convince the hosting company they were theymos, and the hosting company let them in. There really isn't a whole lot we can do about attacks like that. There are thousands of ways to execute social engineering attacks against the forum. It is of course a good idea to check what information your host requires to let you reset your account, and it would also be a good idea to inform the host that there may be social engineering attacks, but I mean I can think of a million other ways this could be done and I can't think of many ways to prevent them. What we really need is a more layered approach; for example, if we had javascript-side PM encryption then we could store the PMs fully encrypted on the server and protect against even a root attacker grabbing them. The forum already stores passwords in a secure manner. Honestly the only things we need to protect are PMs, email addresses and passwords/security questions.
=snip=

The man in the loop is always a security flaw; however, you cannot remove him from the process. So the best response to such events will be recovery preparedness, since you'll always need to recover from unavoidable hacks, while trying to mitigate the frequency of such attacks by educating parties, e.g. the host, to use best practices like safer off-line authentication, etc.

=snip=
Additionally I would highly recommend the account recovery feature be changed. I think that it should require both a recovery email and the answer to the security question; currently it only requires one of those. I would think this would greatly reduce the number of hacked accounts.

+1.

spud21
May 27, 2015, 03:30:04 PM
#6

I'm not sure why people are complaining that much in regards to the security of the forum. You should all be thanking theymos that this isn't happening much more often.
Seriously, do you think that there have been only a handful of hacking attempts since the last hack (not this one)?

This forum must be constantly under attack all day every day. It's a credit to theymos that more attacks aren't successful. The social engineering attack was not successful because of any deficiency in theymos's administrative skills, it was successful because social engineering is the weak link in the chain.
2112
May 27, 2015, 03:50:22 PM
#7

There really isn't a whole lot we can do about attacks like that,
I see the time-share salesmen are spewing their bullshit in another thread.

I'll repost here what I posted nearby:

https://bitcointalk.org/index.php?topic=1068157.0

Easily preventable on two levels:

1) colocate your own equipment in a remote data center. The customer service staff will simply have no access to it besides being able to press buttons on the box.

2) use non-commodity hardware like Oracle SPARC or IBM POWER or HP Integrity/Itanium.  Then even if they manage to steal it they most likely will not be able to get the data off of it without specialized assistance.

Also, don't run Linux on those machines, but their native OS: Solaris, AIX, HP/UX respectively.


Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
The Bad Guy
May 27, 2015, 03:54:05 PM
#8

We just should be thankful; probably the forum is getting attacked each day, or at least more often than we see, but theymos is able to stop them. People who hack simply sell users' information on the darknet maybe, or just re-sell the accounts here, which is a good amount of money.
Now we should simply wait for the new forum, which should be much, much more secure. (Let's hope.)

Xialla
May 27, 2015, 04:08:35 PM
#9

Also, don't run Linux on those machines, but their native OS: Solaris, AIX, HP/UX respectively.

Uhh... what is the advantage of running System P with AIX over System X with RHEL in terms of security? I really don't get this.

Safety does not exist naturally

lol? We are in 2015, my friend; security is just about the amount of money (human effort) which you want to invest: HW tokens, DMZ clusters, reverse proxies, a T4 DC with all security measures, locked cabinets... omfg. Just money.
Athertle
May 27, 2015, 04:12:59 PM
#10

I don't think you guys really appreciate the security levels. It's the Internet; it's practically impossible for anything to be completely hack-proof. I wouldn't be surprised if the forum had over 5 hack attempts per day. The staff members are doing everything they can and all you guys can do is whine about a single break-in that was dealt with pretty quickly.

2112
May 27, 2015, 04:20:23 PM
#11

Uhh... what is the advantage of running System P with AIX over System X with RHEL in terms of security? I really don't get this.
1) System P is big-endian. Apparently big-endian-ness completely confuses weakly-skilled programmers to the point that their brains go "tilt".

2) Practice shows that the unfamiliar environment of AIX greatly confuses the attackers, again to the point that they just do some damage and leave instead of stealing the data or wreaking some skillful havoc.

I have years of practice in this field. Originally, when young, I thought that it shouldn't be the case either: any person who is intelligent enough to program should understand how to number bytes in a multi-byte integer. But the practice shows otherwise. For confirmation of this fact, go look up the various discussions of endian-ness on this forum and the source code for "getwork" in Satoshi's client.

2112
May 27, 2015, 04:22:31 PM
#12

It's the Internet; it's practically impossible for anything to be completely hack-proof.
Yeah, go hack OpenVMS, there are several freely accessible installations under the "enthusiast" license now offered by HP.

Athertle
May 27, 2015, 04:26:08 PM
#13

It's the Internet; it's practically impossible for anything to be completely hack-proof.
Yeah, go hack OpenVMS, there are several freely accessible installations under the "enthusiast" license now offered by HP.


I'm sure that one of the bigger hack groups like Anonymous would be able to hack that.

2112
May 27, 2015, 04:29:18 PM
#14

I'm sure that one of the bigger hack groups like Anonymous would be able to hack that.
How "sure" are you? Wanna bet? They'll just DDoS them out of anger and claim success.

Xialla
May 27, 2015, 04:30:39 PM
#15

I'm sure that one of the bigger hack groups like Anonymous would be able to hack that.

Please read at least something about OpenVMS before posting shit like this... your "sure" just makes me smile.

 Roll Eyes Roll Eyes Roll Eyes
The Bad Guy
May 27, 2015, 04:32:29 PM
#16

I'm sure that one of the bigger hack groups like Anonymous would be able to hack that.

Please read at least something about OpenVMS before posting shit like this... your "sure" just makes me smile.

 Roll Eyes Roll Eyes Roll Eyes

I'm not an expert on those things, to be honest, and I don't even know what OpenVMS is, but I don't think it's about the money, because anything is hackable no matter how secure it is. Big government agencies got hacked; NASA, for example, got hacked, and I don't think that they don't have money, right?

Xialla
May 27, 2015, 04:37:01 PM
#17

Big government agencies got hacked; NASA, for example, got hacked, and I don't think that they don't have money, right?

Ahh, you know... from my perspective there is a difference between a "pure technical hack" and some social engineering, insiders, man in the middle, or spreading some nasty code from the internal network... even if the result is the same.
Lauda
May 27, 2015, 04:56:10 PM
Last edit: May 27, 2015, 05:11:23 PM by LaudaM
#18

I'm sure that one of the bigger hack groups like Anonymous would be able to hack that.

Please read at least something about OpenVMS before posting shit like this... your "sure" just makes me smile.

 Roll Eyes Roll Eyes Roll Eyes
He knows nothing and just made a useless post. First of all, Anonymous is not a group. Secondly, their skills are very low; they usually just DDoS. A DDoS can be initiated by anyone who has used their computer for a while.
Since it has been brought up, here's an image:

OpenVMS is considered a highly secure and reliable operating system relied upon by large enterprises around the globe such as Stock Exchanges, Governments and Infrastructure for critical operations.
It is supposedly the most secure system in the world.

Now, why did someone even mention this?

Also, don't run Linux on those machines, but their native OS: Solaris, AIX, HP/UX respectively.
You've got to be kidding. Check the graph.
2112
May 27, 2015, 05:06:08 PM
#19

OpenVMS is considered a highly secure and reliable operating system relied upon by large enterprises around the globe such as Stock Exchanges, Governments and Infrastructure for critical operations.
It is supposedly the most secure system in the world.
As well as many small & medium businesses that continue to run it on HP Integrity/Itanium boxes.
You've got to be kidding. Check the graph.
I'm not kidding. This graph is a classical example of data falsification. Solaris is actually a pair of quite distinct OSes: the classic big-endian SPARC one and the newfangled little-endian one on x86/x64. They have significantly different security profiles.

Lauda
May 27, 2015, 05:11:05 PM
#20

You've got to be kidding. Check the graph.
I'm not kidding. This graph is a classical example of data falsification. Solaris is actually a pair of quite distinct OSes: the classic big-endian SPARC one and the newfangled little-endian one on x86/x64. They have significantly different security profiles.

Are you by any chance trying to say that I falsified data?
I pulled it from a source that should be much more credible than your words. Saying that they have different security profiles doesn't make them secure.

Now, why did someone even mention this?