Instawallet/Bitcoin-Central Security Breach

[ninjaboon]

I think Vircurex is down....lol
this is surreal!

Vircurex has some tweets, they are moving to a bigger server due to DDOS.

[1714102011]

1714102011

[1714102011]

1714102011

[1714102011]

1714102011

[psilos]

There is an update from Bitcoin-Central on their site

[hous]

Where is this claim form then???

[Injust]

Read:

In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Make sense? Or do I need to increase the font size and italicize it too?

[tvbcof]

Read:

In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Make sense? Or do I need to increase the font size and italicize it too?

Also stated are that the first claim gets priority.

This bothers me because an attacker who has the entire database, and possibly the server log records showing IP addresses as well if they were being retained, will probably be paying pretty close attention to the availability of the claims form.  He and likely an army of friends will swoop in to claim the high value accounts.

Hopefully ~davout/~bousac will have anticipated this.  I'll be curious to fine out how users will be able to 'cryptographically prove' ownership or whatever.

[coinuser4000]

Read:

In the next few days we are going to open the claim process for Instawallet balance holders to claim the funds they had stored before the service interruption.

Make sense? Or do I need to increase the font size and italicize it too?

Also stated are that the first claim gets priority.

This bothers me because an attacker who has the entire database, and possibly the server log records showing IP addresses as well if they were being retained, will probably be paying pretty close attention to the availability of the claims form.  He and likely an army of friends will swoop in to claim the high value accounts.

Hopefully ~davout/~bousac will have anticipated this.  I'll be curious to fine out how users will be able to 'cryptographically prove' ownership or whatever.

I been wondering this exact thing for the last few days.

And how can those people who use Tor to access wallets prove ownership outside of having the url? What if someone gets there before the real owner and claims the coins? How do you dispute that?

[moni3z]

Hopefully ~davout/~bousac will have anticipated this.  I'll be curious to fine out how users will be able to 'cryptographically prove' ownership or whatever.

I don't ever remember instawallet handing out private keys either, just URLs. It wasn't strongcoin or blockchain.info
Glad I only had 0.015 BTC lost there

[tvbcof]

Hopefully ~davout/~bousac will have anticipated this.  I'll be curious to fine out how users will be able to 'cryptographically prove' ownership or whatever.

I don't ever remember instawallet handing out private keys either, just URLs. It wasn't strongcoin or blockchain.info
Glad I only had 0.015 BTC lost there

In my opinion, a straight URL like this not much different than a username/password scheme.  Possibly better in some ways as one is unlikely to type it in and get hit with a keystroke logger, use crappy passwords, re-use passwords and get nicked that way, etc, etc.

Of course if one's browser/computer/smartphone is spying on them (i.e., Carrier-IQ and God knows what is in Windows) then all bets are off.  For a lot of things and not just URL-secured access.

On the back end it should be handled with the same sensitivity as a password.  Off hand I would say inserted into a database as an encrypted blob with the encryption/decryption/hashing done by a daemon process or some such.  That way loss of the database would not compromise the sensitive data as easily.  Dunno if this is how the Frenchmen had Instawallet working or not.

One very nice feature of Instwallet was the low overhead, and I am sure that it did a lot to help introduce people to Bitcoin.  I'd rather face a dental drill than yet another site to retain a username/password for, and I am sure that a lot of new-to-Bitcoin-and-vaguely-interested people feel the same way.

A private key for a user who had their act together enough to keep a hold of it for situations like the one we are now facing would be kind of a good idea.  20/20 hindsight I guess.  Maybe for the next go-around.  And I would go right back to using something like Instawallet-II if Paytunia or some other trustworthy entity brings it up...and goes into a little detail about the precautions they took in implementation.

edit: spelling

[Phinnaeus Gage]

Each time I moved my second largest wallet of 123.xxxx (or was it 132.xxxx (seriously)), the wallet would always show that I had O bitcoins on BlockChain. When I first encountered this, I paid it no mind for the URL page always showed that I still had the coins is the wallet and was able to transfer them, saving only the URL and not the Bitcoin address.

But a couple weeks or so ago, something else happened I couldn't explain, nor now remember what the heck it was, and soon thereafter I happened upon the concerned thread discussing IW of which I added my concerns. I tried to be as tough as possible with my line of questioning, not wanting to come across as an ass, for I truly liked IW, coupled with having every coin I owned in their control.

The responses made enough sense to me, so I put my worries to the side and moved on. I hadn't a clue that they were down for good until a couple days into this mess.

[Joost]

Of course if one's browser/computer/smartphone is spying on them (i.e., Carrier-IQ and God knows what is in Windows) then all bets are off.  For a lot of things and not just URL-secured access.

Or, you know, Google Chrome.

On the back end it should be handled with the same sensitivity as a password.  Off hand I would say inserted into a database as an encrypted blob with the encryption/decryption/hashing done by a daemon process or some such.  That way loss of the database would not compromise the sensitive data as easily.  Dunno if this is how the Frenchmen had Instawallet working or not.

I agree with you on this point - assuming the hacker was not able to actually access the source code of the process running Instawallet (and I'd assume they'd use compiled source for decrypting), encrypting the URL's would have helped. From what we've read so far, it seems as though a single database table just listed all the URL's..

One very nice feature of Instwallet was the low overhead, and I am sure that it did a lot to help introduce people to Bitcoin.  I'd rather face a dental drill than yet another site to retain a username/password for, and I am sure that a lot of new-to-Bitcoin-and-vaguely-interested people feel the same way.

Generally the bitcoin community has had a certain level of technical skill - this would mean you'd expect everyone to have figured out a secure way to deal with the password problem (i.e. remembering a new password on every site) by now. Either a password manager or a cryptographic solution, or even something mnemonic-based.

[tvbcof]

...

On the back end it should be handled with the same sensitivity as a password.  Off hand I would say inserted into a database as an encrypted blob with the encryption/decryption/hashing done by a daemon process or some such.  That way loss of the database would not compromise the sensitive data as easily.  Dunno if this is how the Frenchmen had Instawallet working or not.

I agree with you on this point - assuming the hacker was not able to actually access the source code of the process running Instawallet (and I'd assume they'd use compiled source for decrypting), encrypting the URL's would have helped. From what we've read so far, it seems as though a single database table just listed all the URL's..

I'd probably implement it as something that an operator typed in when the process was instantiated (only on server re-boot.)  And disable core dumps.  I think that I would also have an off-wire method ready to go such that I could quickly re-construct the database with a different key if I felt there was a loss of custody of the original, and it would probably be part of a backup regime which stored the database cold in decrypted format.  That's just the off-the-top-of-my-head thoughts on how to deal with the issues.  There are probably database implementations which have support for this kind of thing natively I would suspect.

One very nice feature of Instwallet was the low overhead, and I am sure that it did a lot to help introduce people to Bitcoin.  I'd rather face a dental drill than yet another site to retain a username/password for, and I am sure that a lot of new-to-Bitcoin-and-vaguely-interested people feel the same way.

Generally the bitcoin community has had a certain level of technical skill - this would mean you'd expect everyone to have figured out a secure way to deal with the password problem (i.e. remembering a new password on every site) by now. Either a password manager or a cryptographic solution, or even something mnemonic-based.

I've introduced people to Bitcoin who were far from technically skilled and usually start out by showing them Instawallet, giving them a few coins, and having them e-mail the URL to themselves.  Also a stern warning about it being a solution only for chump-change and that more secure ones exist and work like x and y.

It is also the case that almost everyone I know (including myself) have lost track of usernames and passwords, and generally hate having to keep track of them and type them in and such.  Since I need to keep track of scores of them (literally) I have my own techniques which vary depending on the sensitivity.  But it's always a pain in the ass.  It's really easy to search my mail for my instawallet link and click on it to get to the thing, and it works on any of my zillion computers.

[Joost]

Generally the bitcoin community has had a certain level of technical skill - this would mean you'd expect everyone to have figured out a secure way to deal with the password problem (i.e. remembering a new password on every site) by now. Either a password manager or a cryptographic solution, or even something mnemonic-based.

I've introduced people to Bitcoin who were far from technically skilled and usually start out by showing them Instawallet, giving them a few coins, and having them e-mail the URL to themselves.  Also a stern warning about it being a solution only for chump-change and that more secure ones exist and work like x and y.

As long as they're aware of the fact that it's rather unsafe, I guess you're right and it provides for a very convenient way of accessing your funds. Judging by the accounts with over 50 BTC on them, though, this awareness wasn't as widespread.

It is also the case that almost everyone I know (including myself) have lost track of usernames and passwords, and generally hate having to keep track of them and type them in and such.  Since I need to keep track of scores of them (literally) I have my own techniques which vary depending on the sensitivity.  But it's always a pain in the ass.  It's really easy to search my mail for my instawallet link and click on it to get to the thing, and it works on any of my zillion computers.

At the risk of venturing off-topic: a while ago I was pointed to PwdHash, and have liked it ever since. It creates unique passwords per site by hashing your master password with the website's domain as a salt Especially convenient for services you only access on your own machine(s), so that you can use the Firefox addon - I do still have a few unique passphrases I use for stuff like my e-mail, since it's convenient to be able to access that from other systems.

[moni3z]

I don't trust any browser kept passwords, browsers are not nor have they ever been remotely secure. They are gigantic blobs of code to leak data everywhere and are a 0day exploit factory. I like the hash idea but it's a browser addon thus only secure for minor sites, anything else should be 2FA

http://www.schneier.com/passsafe.html by Bruce Schneier is good, plus works with Yubikeys

[Joost]

I like the hash idea but it's a browser addon thus only secure for minor sites, anything else should be 2FA

I don't see how the fact that it's a browser addon reduces its security. It does not store your 'seed' password, you type that in each time. What makes it insecure?

[psilos]

What `s wrong again with bitcoin-central 

The platform was running for a while but now it s again down for maintance.

[HATA28]

What `s wrong again with bitcoin-central 

The platform was running for a while but now it s again down for maintance.

Actually, its online and you can trade again

[addi]

What `s wrong again with bitcoin-central 

The platform was running for a while but now it s again down for maintance.

Actually, its online and you can trade again

Incorrect, no trades are going through atm

[Raoul Duke]

No trades and no withdrawals.
I have SEPA transfers and BTC withdrawals pending, the SEPA transfers are still from before it going down.
Davout likes to shout that Mtgox works fractional reserve style on their euro accounts but bitcoin-central doesn't look much better to me.

[nurbili]

I also have incoming SEPA transfer from 25.03.2013 pending... no reaction on tickets and PMs.

[1PFYcabWEwZFm2Ez5LGTx3ftz]

"BTC withdraws will be processed manually for the next couple of days until we switch back to immediate automatic withdraws.
This temporary restriction is meant to allow careful monitoring of our operations in the initial phase of the recovery."

This looks way too much like Cyprus situation. Oh, the irony.

Why oh why on Earth would you do this? Why open the website for trade, but not allow people to withdraw? Even if you are sincere about "is meant to allow careful monitoring of our operations", don't you see how messed up this looks to your users?

I didn't lose my trust when you were hacked, I didn't lose my trust when you were offline for a week, I didn't lose my trust when the deadline for re-opening the website was extended several times, but NOW I lost any trust I had in you. I am withdrawing everything I have (assuming that will be possible at all; my bitcoin withdrawal is "pending" for ~36 hours now), and never using your website again.