Bitcoin Forum
Author Topic: Instawallet/Bitcoin-Central Security Breach  (Read 84341 times)
ninjaboon
April 05, 2013, 11:02:18 PM
#321

I think Vircurex is down....lol
this is surreal!

Vircurex has some tweets, they are moving to a bigger server due to DDOS.

psilos
April 05, 2013, 11:49:31 PM
#322

There is an update from Bitcoin-Central on their site
hous
April 06, 2013, 12:10:03 AM
#323

Where is this claim form then???
Injust
April 06, 2013, 12:42:50 AM
#324

Read:
Quote
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Make sense? Or do I need to increase the font size and italicize it too?
tvbcof
April 06, 2013, 01:02:22 AM
#325

Read:
Quote
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Make sense? Or do I need to increase the font size and italicize it too?

Also stated is that the first claim gets priority.

This bothers me because an attacker who has the entire database, and possibly the server log records showing IP addresses as well if they were being retained, will probably be paying pretty close attention to the availability of the claims form.  He and likely an army of friends will swoop in to claim the high value accounts.

Hopefully ~davout/~bousac will have anticipated this.  I'll be curious to find out how users will be able to 'cryptographically prove' ownership or whatever.


coinuser4000
April 06, 2013, 01:13:49 AM
#326

Read:
Quote
In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Make sense? Or do I need to increase the font size and italicize it too?

Also stated are that the first claim gets priority.

This bothers me because an attacker who has the entire database, and possibly the server log records showing IP addresses as well if they were being retained, will probably be paying pretty close attention to the availability of the claims form.  He and likely an army of friends will swoop in to claim the high value accounts.

Hopefully ~davout/~bousac will have anticipated this.  I'll be curious to find out how users will be able to 'cryptographically prove' ownership or whatever.



I've been wondering this exact thing for the last few days.

And how can those people who use Tor to access wallets prove ownership outside of having the url? What if someone gets there before the real owner and claims the coins? How do you dispute that?
moni3z
April 06, 2013, 02:22:57 AM
#327

Hopefully ~davout/~bousac will have anticipated this.  I'll be curious to find out how users will be able to 'cryptographically prove' ownership or whatever.

I don't ever remember instawallet handing out private keys either, just URLs. It wasn't strongcoin or blockchain.info
Glad I only had 0.015 BTC lost there

tvbcof
April 06, 2013, 02:52:40 AM
#328

Hopefully ~davout/~bousac will have anticipated this.  I'll be curious to find out how users will be able to 'cryptographically prove' ownership or whatever.

I don't ever remember instawallet handing out private keys either, just URLs. It wasn't strongcoin or blockchain.info
Glad I only had 0.015 BTC lost there


In my opinion, a straight URL like this is not much different than a username/password scheme.  Possibly better in some ways as one is unlikely to type it in and get hit with a keystroke logger, use crappy passwords, re-use passwords and get nicked that way, etc, etc.

Of course if one's browser/computer/smartphone is spying on them (i.e., Carrier-IQ and God knows what is in Windows) then all bets are off.  For a lot of things and not just URL-secured access.

On the back end it should be handled with the same sensitivity as a password.  Off hand I would say inserted into a database as an encrypted blob with the encryption/decryption/hashing done by a daemon process or some such.  That way loss of the database would not compromise the sensitive data as easily.  Dunno if this is how the Frenchmen had Instawallet working or not.

One very nice feature of Instawallet was the low overhead, and I am sure that it did a lot to help introduce people to Bitcoin.  I'd rather face a dental drill than yet another site to retain a username/password for, and I am sure that a lot of new-to-Bitcoin-and-vaguely-interested people feel the same way.

A private key for a user who had their act together enough to keep a hold of it for situations like the one we are now facing would be kind of a good idea.  20/20 hindsight I guess.  Maybe for the next go-around.  And I would go right back to using something like Instawallet-II if Paytunia or some other trustworthy entity brings it up...and goes into a little detail about the precautions they took in implementation.

edit: spelling

Phinnaeus Gage
April 06, 2013, 03:39:11 AM
#329

Each time I moved my second largest wallet of 123.xxxx (or was it 132.xxxx (seriously)), the wallet would always show that I had 0 bitcoins on BlockChain. When I first encountered this, I paid it no mind for the URL page always showed that I still had the coins in the wallet and was able to transfer them, saving only the URL and not the Bitcoin address.

But a couple weeks or so ago, something else happened I couldn't explain, nor now remember what the heck it was, and soon thereafter I happened upon the concerned thread discussing IW to which I added my concerns. I tried to be as tough as possible with my line of questioning, not wanting to come across as an ass, for I truly liked IW, coupled with having every coin I owned in their control.

The responses made enough sense to me, so I put my worries to the side and moved on. I hadn't a clue that they were down for good until a couple days into this mess.
Joost
April 06, 2013, 07:07:00 AM
#330

Of course if one's browser/computer/smartphone is spying on them (i.e., Carrier-IQ and God knows what is in Windows) then all bets are off.  For a lot of things and not just URL-secured access.
Or, you know, Google Chrome.


On the back end it should be handled with the same sensitivity as a password.  Off hand I would say inserted into a database as an encrypted blob with the encryption/decryption/hashing done by a daemon process or some such.  That way loss of the database would not compromise the sensitive data as easily.  Dunno if this is how the Frenchmen had Instawallet working or not.

I agree with you on this point - assuming the hacker was not able to actually access the source code of the process running Instawallet (and I'd assume they'd use compiled source for decrypting), encrypting the URLs would have helped. From what we've read so far, it seems as though a single database table just listed all the URLs.

One very nice feature of Instawallet was the low overhead, and I am sure that it did a lot to help introduce people to Bitcoin.  I'd rather face a dental drill than yet another site to retain a username/password for, and I am sure that a lot of new-to-Bitcoin-and-vaguely-interested people feel the same way.

Generally the bitcoin community has had a certain level of technical skill - this would mean you'd expect everyone to have figured out a secure way to deal with the password problem (i.e. remembering a new password on every site) by now. Either a password manager or a cryptographic solution, or even something mnemonic-based.
tvbcof
April 06, 2013, 07:40:01 AM
#331

...
On the back end it should be handled with the same sensitivity as a password.  Off hand I would say inserted into a database as an encrypted blob with the encryption/decryption/hashing done by a daemon process or some such.  That way loss of the database would not compromise the sensitive data as easily.  Dunno if this is how the Frenchmen had Instawallet working or not.

I agree with you on this point - assuming the hacker was not able to actually access the source code of the process running Instawallet (and I'd assume they'd use compiled source for decrypting), encrypting the URLs would have helped. From what we've read so far, it seems as though a single database table just listed all the URLs.

I'd probably implement it as something that an operator typed in when the process was instantiated (only on server re-boot.)  And disable core dumps.  I think that I would also have an off-wire method ready to go such that I could quickly re-construct the database with a different key if I felt there was a loss of custody of the original, and it would probably be part of a backup regime which stored the database cold in decrypted format.  That's just the off-the-top-of-my-head thoughts on how to deal with the issues.  There are probably database implementations which have support for this kind of thing natively I would suspect.

One very nice feature of Instawallet was the low overhead, and I am sure that it did a lot to help introduce people to Bitcoin.  I'd rather face a dental drill than yet another site to retain a username/password for, and I am sure that a lot of new-to-Bitcoin-and-vaguely-interested people feel the same way.

Generally the bitcoin community has had a certain level of technical skill - this would mean you'd expect everyone to have figured out a secure way to deal with the password problem (i.e. remembering a new password on every site) by now. Either a password manager or a cryptographic solution, or even something mnemonic-based.

I've introduced people to Bitcoin who were far from technically skilled and usually start out by showing them Instawallet, giving them a few coins, and having them e-mail the URL to themselves.  Also a stern warning about it being a solution only for chump-change and that more secure ones exist and work like x and y.

It is also the case that almost everyone I know (including myself) has lost track of usernames and passwords, and generally hates having to keep track of them and type them in and such.  Since I need to keep track of scores of them (literally) I have my own techniques which vary depending on the sensitivity.  But it's always a pain in the ass.  It's really easy to search my mail for my instawallet link and click on it to get to the thing, and it works on any of my zillion computers.
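tvbcof's back-end suggestion in #328 and #331, as an added example and not Instawallet's or Paytunia's code: the URL secret is handled like a password, the server holds a key only in memory (typed in at start-up), the table stores keyed hashes rather than URLs, and core dumps are disabled. `WalletStore`, `demo` and the in-memory "table" are constructed for illustration.

```python
import hashlib
import hmac
import secrets

try:  # POSIX only; see disable_core_dumps()
    import resource
except ImportError:
    resource = None


def disable_core_dumps() -> bool:
    """Forbid core files for this process (POSIX only) so the in-memory key
    cannot land in a crash dump; returns True if the limit was applied."""
    if resource is None:
        return False
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    return True


class WalletStore:
    """Wallets addressed only by a URL secret; the table stores keyed hashes."""

    def __init__(self, server_key: bytes, rows=None):
        self._key = server_key                     # typed in at start-up, memory only
        self._rows = {} if rows is None else rows  # constructed in-memory "table"

    def _row_id(self, url_secret: str) -> str:
        # Row id = HMAC(server_key, secret): the table never holds the secret.
        return hmac.new(self._key, url_secret.encode(), hashlib.sha256).hexdigest()

    def create_wallet(self, balance_btc: float = 0.0) -> str:
        url_secret = secrets.token_urlsafe(32)     # the user's only credential
        self._rows[self._row_id(url_secret)] = {"balance_btc": balance_btc}
        return url_secret

    def find_wallet(self, url_secret: str):
        return self._rows.get(self._row_id(url_secret))

    def dump_table(self) -> dict:
        """What a database theft yields: opaque row ids and balances, no URLs."""
        return dict(self._rows)


def demo() -> dict:
    store = WalletStore(secrets.token_bytes(32))
    url_secret = store.create_wallet(0.015)
    dump = store.dump_table()
    other = WalletStore(secrets.token_bytes(32), dump)  # same rows, wrong key
    return {"owner": store.find_wallet(url_secret),
            "guess": store.find_wallet("not-the-secret"),
            "secret_in_dump": url_secret in str(dump),
            "wrong_key": other.find_wallet(url_secret)}
```

Re-keying after a suspected loss of key custody means issuing fresh URLs, since the old secrets are not recoverable from the table; that irrecoverability is the point.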


Joost
April 06, 2013, 08:02:14 AM
#332

Generally the bitcoin community has had a certain level of technical skill - this would mean you'd expect everyone to have figured out a secure way to deal with the password problem (i.e. remembering a new password on every site) by now. Either a password manager or a cryptographic solution, or even something mnemonic-based.

I've introduced people to Bitcoin who were far from technically skilled and usually start out by showing them Instawallet, giving them a few coins, and having them e-mail the URL to themselves.  Also a stern warning about it being a solution only for chump-change and that more secure ones exist and work like x and y.

As long as they're aware of the fact that it's rather unsafe, I guess you're right and it provides for a very convenient way of accessing your funds. Judging by the accounts with over 50 BTC on them, though, this awareness wasn't as widespread.

It is also the case that almost everyone I know (including myself) have lost track of usernames and passwords, and generally hate having to keep track of them and type them in and such.  Since I need to keep track of scores of them (literally) I have my own techniques which vary depending on the sensitivity.  But it's always a pain in the ass.  It's really easy to search my mail for my instawallet link and click on it to get to the thing, and it works on any of my zillion computers.

At the risk of venturing off-topic: a while ago I was pointed to PwdHash, and have liked it ever since. It creates unique passwords per site by hashing your master password with the website's domain as a salt. Especially convenient for services you only access on your own machine(s), so that you can use the Firefox addon - I do still have a few unique passphrases I use for stuff like my e-mail, since it's convenient to be able to access that from other systems.
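The per-site derivation Joost describes, as an added illustration rather than PwdHash's actual algorithm (which the thread does not give): a master password hashed with the site's domain as the salt, so nothing is stored and a look-alike domain yields a different password. The `site_key` and `derive_site_password` names, the simplified domain rule and the PBKDF2 choice are assumptions of this example.

```python
import base64
import hashlib
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the domain used as the salt.

    Simplified rule (not PwdHash's): lowercase the host, drop the port and a
    leading "www.", and keep the last two labels, so
    https://www.Example.com:8443/login and http://example.com/ both salt with
    "example.com". A look-alike domain produces a different salt, so a
    password typed into a phishing page is not the one used on the real site.
    """
    host = (urlsplit(url).hostname or url).lower()
    if host.startswith("www."):
        host = host[4:]
    return ".".join(host.split(".")[-2:])


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """Per-site password from the master password and the site's domain.

    Nothing is stored: the result is recomputed from what the user types.
    PBKDF2 (100k rounds) slows offline guessing of the master password if one
    site's derived password leaks; a single unsalted hash would not.
    """
    digest = hashlib.pbkdf2_hmac("sha256", master.encode(),
                                 site_key(url).encode(), 100_000)
    body = base64.b64encode(digest).decode().rstrip("=")[:length]
    # Digit and symbol are taken from the digest so the result stays deterministic
    return body + str(digest[0] % 10) + "!#$%&*+-"[digest[1] % 8]
```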
moni3z
April 06, 2013, 09:19:27 AM
#333

I don't trust any browser-kept passwords; browsers are not, nor have they ever been, remotely secure. They are gigantic blobs of code that leak data everywhere and are a 0day exploit factory. I like the hash idea but it's a browser addon, thus only secure for minor sites; anything else should be 2FA.

http://www.schneier.com/passsafe.html by Bruce Schneier is good, plus works with Yubikeys
Joost
April 06, 2013, 10:25:39 AM
#334

I like the hash idea but it's a browser addon thus only secure for minor sites, anything else should be 2FA

I don't see how the fact that it's a browser addon reduces its security. It does not store your 'seed' password, you type that in each time. What makes it insecure?
psilos
April 08, 2013, 09:20:41 AM
#335

What's wrong again with bitcoin-central?

The platform was running for a while but now it's down again for maintenance.
HATA28
April 08, 2013, 09:33:31 AM
#336

What's wrong again with bitcoin-central?

The platform was running for a while but now it's down again for maintenance.
Actually, it's online and you can trade again.
addi
April 08, 2013, 10:21:04 AM
#337

What's wrong again with bitcoin-central?

The platform was running for a while but now it's down again for maintenance.
Actually, it's online and you can trade again.

Incorrect, no trades are going through atm

Raoul Duke
April 08, 2013, 11:54:09 AM
#338

No trades and no withdrawals.
I have SEPA transfers and BTC withdrawals pending, the SEPA transfers are still from before it going down.
Davout likes to shout that Mtgox works fractional reserve style on their euro accounts, but bitcoin-central doesn't look much better to me.

nurbili
April 08, 2013, 01:00:16 PM
#339

I also have an incoming SEPA transfer from 25.03.2013 pending... no reaction on tickets and PMs.
1PFYcabWEwZFm2Ez5LGTx3ftz
April 08, 2013, 04:09:34 PM
#340

"BTC withdraws will be processed manually for the next couple of days until we switch back to immediate automatic withdraws.
This temporary restriction is meant to allow careful monitoring of our operations in the initial phase of the recovery."


This looks way too much like Cyprus situation. Oh, the irony.

Why oh why on Earth would you do this? Why open the website for trade, but not allow people to withdraw? Even if you are sincere about "is meant to allow careful monitoring of our operations", don't you see how messed up this looks to your users?

I didn't lose my trust when you were hacked, I didn't lose my trust when you were offline for a week, I didn't lose my trust when the deadline for re-opening the website was extended several times, but NOW I lost any trust I had in you. I am withdrawing everything I have (assuming that will be possible at all; my bitcoin withdrawal is "pending" for ~36 hours now), and never using your website again.