malevolent
can into space
Legendary
Offline
Activity: 3472
Merit: 1722
March 08, 2013, 03:35:09 PM
We posted full details of the incident here: http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Just curious, since this was 100% the domain registrar's fault, do they compensate you for the loss?

In an ideal world they would, there's a possibility we could hold them liable but I'd not want to comment on that either way without taking legal advice first.

What was the ToS and what is the law in the country the company is based in? Don't repeat Bitcoinica's, Slush's and others' mistakes. IIRC they didn't try to recover the money (almost a quarter of a million $) via legal routes.
Signature space available for rent.
Richy_T
Legendary
Offline
Activity: 2576
Merit: 2267
1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k
March 08, 2013, 03:46:33 PM
I haven't heard the full details but once you have control of a domain name, there's a lot you can do. If you can reset or recover your password with an email and someone gets the domain, they can redirect all email to that domain to their own mail server. Et voila, they're in. If your site doesn't use HTTPS (and possibly even if it does), there are man-in-the-middle attacks.

It's not even terribly hard to take control of a domain name without social engineering. Typically, most registrars just require a copy of your DL on company headed notepaper and some trivial other stuff. I've had to do it for domains that were legitimately our company's several times.
1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k
Gareth Nelson
March 08, 2013, 03:47:00 PM
We posted full details of the incident here: http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Nobody to date has managed to actually break into any of our systems, this was a vulnerability at our domain registrar and sadly there was not a lot we could have done other than choosing another registrar - which is something we will be doing as soon as possible, most likely within the next week we'll start moving.

Just curious, since this was 100% the domain registrar's fault, do they compensate you for the loss?

In an ideal world they would, there's a possibility we could hold them liable but I'd not want to comment on that either way without taking legal advice first.

What was the ToS and what is the law in the country the company is based in? Don't repeat Bitcoinica's, Slush's and others' mistakes. IIRC they didn't try to recover the money (almost a quarter of a million $) via legal routes.

Again, not commenting either way until seeking legal advice, customers aren't affected by this so it's not as high priority as it would be if we'd lost customer funds. Basically, it's BitInstant that takes the hit, not our clients.
Richy_T
Legendary
Offline
Activity: 2576
Merit: 2267
1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k
March 08, 2013, 03:52:33 PM
I haven't heard the full details but once you have control of a domain name, there's a lot you can do. If you can reset or recover your password with an email and someone gets the domain, they can redirect all email to that domain to their own mail server. Et voila, they're in. If your site doesn't use HTTPS (and possibly even if it does), there are man-in-the-middle attacks.

It's not even terribly hard to take control of a domain name without social engineering. Typically, most registrars just require a copy of your DL on company headed notepaper and some trivial other stuff. I've had to do it for domains that were legitimately our company's several times.

Though with that said, security really shouldn't depend on DNS if it's being done properly. I'd be interested to hear what the actual method of attack was just to see if it's one I've heard of.
1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k
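As an added illustration, not code from the thread or from BitInstant, Site5 or VirWox: a small Python monitor that pins a domain's NS and MX records and flags the kind of mail redirection Richy_T describes, so a registrar-level change is noticed before the reset-link email is delivered elsewhere. All domain names and record values are constructed sample data.

```python
"""Diff a domain's NS/MX records against a pinned baseline to catch registrar-level hijacks.
Names and record values below are constructed sample data (an assumption, not from the thread)."""
from dataclasses import dataclass

def normalize(name: str) -> str:
    """Lowercase and strip the trailing dot so 'MX1.Example.com.' equals 'mx1.example.com'."""
    return name.strip().lower().rstrip(".")

@dataclass(frozen=True)
class Finding:
    record: str  # "NS" or "MX"
    kind: str    # "added", "removed" or "priority_changed"
    value: str   # normalized host name

def diff_ns(baseline: set, observed: set) -> list:
    base = {normalize(n) for n in baseline}
    seen = {normalize(n) for n in observed}
    out = [Finding("NS", "added", n) for n in sorted(seen - base)]
    out += [Finding("NS", "removed", n) for n in sorted(base - seen)]
    return out

def diff_mx(baseline: dict, observed: dict) -> list:
    base = {normalize(h): p for h, p in baseline.items()}
    seen = {normalize(h): p for h, p in observed.items()}
    out = [Finding("MX", "added", h) for h in sorted(seen.keys() - base.keys())]
    out += [Finding("MX", "removed", h) for h in sorted(base.keys() - seen.keys())]
    # A changed preference can silently move primary mail delivery to a different host.
    out += [Finding("MX", "priority_changed", h)
            for h in sorted(base.keys() & seen.keys()) if base[h] != seen[h]]
    return out

def check_domain(baseline: dict, observed: dict) -> list:
    """Return every deviation; an empty list means the records still match the baseline."""
    return diff_ns(baseline["ns"], observed["ns"]) + diff_mx(baseline["mx"], observed["mx"])

# Constructed known-good snapshot, taken when the domain was last verified.
BASELINE = {"ns": {"ns1.registrar.example.", "ns2.registrar.example."},
            "mx": {"mx1.mailhost.example.": 10, "mx2.mailhost.example.": 20}}
# Constructed snapshot showing the pattern from the thread: a new, highest-preference MX host
# that would receive password-reset mail before the legitimate servers do.
HIJACKED = {"ns": BASELINE["ns"],
            "mx": {"Mail.Intruder.example.": 5, "mx1.mailhost.example.": 10, "mx2.mailhost.example.": 20}}

if __name__ == "__main__":
    for f in check_domain(BASELINE, HIJACKED):
        print(f"ALERT {f.record} {f.kind}: {f.value}")
```

In practice the observed snapshot would come from queries against several independent resolvers and the check would run on a schedule, with any finding paged to the registrar account owner.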
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
March 08, 2013, 04:11:27 PM
Though with that said, security really shouldn't depend on DNS if it's being done properly. I'd be interested to hear what the actual method of attack was just to see if it's one I've heard of.

Agreed, though it wasn't BitInstant's security which was compromised, it was VirWox. VirWox, WTF are you thinking? It is 2013. Implement 2FA on your exchange or shut down. Period.
malevolent
can into space
Legendary
Offline
Activity: 3472
Merit: 1722
March 08, 2013, 04:12:01 PM
Again, not commenting either way until seeking legal advice, customers aren't affected by this so it's not as high priority as it would be if we'd lost customer funds. Basically, it's BitInstant that takes the hit, not our clients.

Well, if you DO manage to regain the lost money, let us know on the forums and how you did it, it might be useful to some.
Signature space available for rent.
Morblias
March 08, 2013, 04:40:43 PM
Comment from Site5:

Hi everyone, We conducted a full investigation internally and this in no way was due to any slip in our security. The only reason the attacker was able to add an email and take over this account was because they knew the two answers to the security questions on this account. They did not receive that information from us in any way. We take security very seriously and have stringent safeguards in place to prevent social engineering. Here is our public post as well with details: http://www.site5.com/blog/s5/security-and-social-engineering/20130307/

Please let me know if you have any questions, Thanks, Ben, CEO at Site5

I guess it only takes 2 security questions to gain access. Is this typical for site registrars? I would think something as important as a business website would be protected by more than 2 questions.
Tips / Donations accepted: 1Morb18DsDHNEv6TeQXBdba872ZSpiK9fY
Richy_T
Legendary
Offline
Activity: 2576
Merit: 2267
1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k
March 08, 2013, 04:53:22 PM
Comment from Site5:

Hi everyone, We conducted a full investigation internally and this in no way was due to any slip in our security. The only reason the attacker was able to add an email and take over this account was because they knew the two answers to the security questions on this account. They did not receive that information from us in any way. We take security very seriously and have stringent safeguards in place to prevent social engineering. Here is our public post as well with details: http://www.site5.com/blog/s5/security-and-social-engineering/20130307/

Please let me know if you have any questions, Thanks, Ben, CEO at Site5

I guess it only takes 2 security questions to gain access. Is this typical for site registrars? I would think something as important as a business website would be protected by more than 2 questions.

Security questions are about the dumbest kind of "security enhancement" out there. Especially when they are used as a way to get around a password (I can keep a password secret, I can't keep my mother's maiden name secret, and any question which isn't public record is probably easily findable (favorite authors, bands etc) or has been used on a dozen other sites). It's like the people implementing security out there (or at least the people in charge of them) are sheep, only able to consider and adopt the latest fad non-security measure and not able to sit down, read some papers and comprehend and work things from the ground up. DAMMIT THESE ARE SOLVED PROBLEMS, PEOPLE!!! Sorry for the rant.
1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k
Fiyasko
Legendary
Offline
Activity: 1428
Merit: 1001
Okey Dokey Lokey
March 08, 2013, 05:04:27 PM
Goes to show how competent Site5 is. This is seriously not BitInstant's fault.
Gareth Nelson
March 08, 2013, 05:13:51 PM
I haven't heard the full details but once you have control of a domain name, there's a lot you can do. If you can reset or recover your password with an email and someone gets the domain, they can redirect all email to that domain to their own mail server. Et voila, they're in. If your site doesn't use HTTPS (and possibly even if it does), there are man-in-the-middle attacks.

It's not even terribly hard to take control of a domain name without social engineering. Typically, most registrars just require a copy of your DL on company headed notepaper and some trivial other stuff. I've had to do it for domains that were legitimately our company's several times.

Though with that said, security really shouldn't depend on DNS if it's being done properly. I'd be interested to hear what the actual method of attack was just to see if it's one I've heard of.

This was explained in the blog post but essentially they redirected emails to a server under their control and got sent a password reset link.