Bitcoin Forum
Author Topic: MTGOX learns a lesson on cyber security, so should you  (Read 941 times)
mjoz (Member, Activity: 61)
June 19, 2011, 11:49:21 PM  #1

Rumor mill says it was an SQL injection attack that allowed the hacker to steal the user database.  Protecting against an SQL injection attack on a website is fairly trivial which makes me doubt the ability and "security sense" of whomever developed that site. 

To my knowledge they have not said if the database compromise led to the hacked account.  It seems very likely though; with access to the password hash, weak passwords can easily be dictionary/brute-forced.  Why anyone with 500k bitcoins would have a weak password leaves me guessing though.  This is a lesson everyone can learn from though: if your password is not long, random, and mixed with letters, symbols and numbers, you're at risk.

What is even more scary is that it appears the e-mail accounts on the list are now being attacked.  If someone compromises your e-mail box you're generally screwed, as they can then reset passwords on other websites with lax security like MTGOX.
hiipii (Newbie, Activity: 9)
June 20, 2011, 12:17:35 AM  #2

It really is aggravating seeing such a security-sensitive site being compromised with an SQL injection. This stuff was covered when I took an introductory web class.
fascistmuffin (Jr. Member, Activity: 56)
June 20, 2011, 12:21:54 AM  #3

"' RIGHT JOIN TABLE USERS; --

Dammit, didn't work.
Bittie (Newbie, Activity: 4)
June 20, 2011, 12:55:53 AM  #4

I used a Windows install to see what infections I could pick up. Registered with bit faucet. 1/2 hr later, attacks from various IPs, mainly 91.213.175.240 + 8.15.246.44

My rig runs @300khash/s.. Now that's power!
mmavipc (Member, Activity: 98)
June 20, 2011, 01:07:06 AM  #5

I used a windows install to see what infections I could pick up. Registered with bit faucet. 1/2hr later attacks from various IP's mainly 91.213.175.240 + 8.15.246.44

are you talking about this http://freebitcoins.appspot.com/recent_sends ?

agedet (Newbie, Activity: 2)
June 20, 2011, 01:08:58 AM  #6

MtGox sucks, gonna see if Tradehill is any better.  Used code TH-R15720 when signing up to get reduced fees.
Bittie (Newbie, Activity: 4)
June 20, 2011, 01:16:14 AM  #7

I used a windows install to see what infections I could pick up. Registered with bit faucet. 1/2hr later attacks from various IP's mainly 91.213.175.240 + 8.15.246.44

are you talking about this http://freebitcoins.appspot.com/recent_sends ?

Yes.. See how they list all the IPs?
Perfect for port attacks + sniffing, as you know the IP will have a coin client + wallet.. Shocked

My rig runs @300khash/s.. Now that's power!
Patrón (Newbie, Activity: 27)
June 20, 2011, 01:22:39 AM  #8

In their defense, they didn't start up with a million dollar budget and man years of development time. It was a hobby project that got out of hand quickly. Mainstream attention for the exchange has risen so fast. You can't expect the impossible.

I wouldn't exactly assume that the smaller exchanges are doing a better job. They have even less resources, and their software has received much less testing. Unfortunately, I am positive that these sites will suffer similar attacks, and some of these attacks will be successful.

If Mt. Gox overcomes this crisis and the resulting bank run (does anyone know if they reinvest their USD accounts?), they might well become the most secure Btc exchange available.

Paypal doesn't get SQL injected everyday, nor does Gmail or Facebook.

Just because your site is 'hobbyist' level in regards to user numbers, it doesn't mean you can settle for hobbyist security, especially when money is involved.

rcsheets (Newbie, Activity: 9)
June 20, 2011, 02:37:48 AM  #9

In their defense, they didn't start up with a million dollar budget and man years of development time. It was a hobby project that got out of hand quickly.
You don't need a million dollars to store passwords properly. See http://codahale.com/how-to-safely-store-a-password/ for example. The software libraries for doing this correctly are free.
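The two defensive points raised in this thread, the "fairly trivial" protection against SQL injection from post #1 and the properly stored password hashes rcsheets links to in post #9, as an added example that is not from any poster and not MtGox's code. It assumes only Python's standard library: an in-memory SQLite table stands in for the user database, PBKDF2 is used in place of the bcrypt the linked article recommends, and the schema, user names and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 200_000  # assumed cost; tune so one hash takes ~100 ms on your hardware

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted, iterated hash: a leaked table cannot be attacked with precomputed
    tables, and every dictionary guess costs the attacker a full PBKDF2 run."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison avoids leaking how many bytes matched."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def open_db() -> sqlite3.Connection:
    # Constructed in-memory schema for the example: no plaintext or fast-hash column.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB NOT NULL, digest BLOB NOT NULL)")
    return db

def register(db: sqlite3.Connection, name: str, password: str) -> None:
    salt, digest = hash_password(password)
    db.execute("INSERT INTO users (name, salt, digest) VALUES (?, ?, ?)", (name, salt, digest))

def lookup_unsafe(db: sqlite3.Connection, name: str):
    # The injectable pattern: the name is spliced into the SQL text, so a quote in
    # the input alters the statement (here it simply breaks on a name like o'brien).
    return db.execute(f"SELECT salt, digest FROM users WHERE name = '{name}'").fetchone()

def lookup(db: sqlite3.Connection, name: str):
    # Parameterised form: the driver passes the value separately from the statement,
    # so quotes in the name are data, never SQL.
    return db.execute("SELECT salt, digest FROM users WHERE name = ?", (name,)).fetchone()

def login(db: sqlite3.Connection, name: str, password: str) -> bool:
    row = lookup(db, name)
    if row is None:
        return False  # unknown user; keep the response identical to a wrong password
    salt, digest = row
    return verify_password(password, salt, digest)

if __name__ == "__main__":
    db = open_db()
    register(db, "alice", "correct horse battery staple")
    print(login(db, "alice", "correct horse battery staple"), login(db, "alice", "password"))
```

With a salted slow hash, a stolen row still has to be attacked one guess at a time at the server's chosen cost, which is what turns a "weak password" into a cracked account only for genuinely weak choices.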
tnkflx (Sr. Member, Activity: 346)
June 21, 2011, 10:11:26 AM  #10

Rumor mill says it was an SQL injection attack that allowed the hacker to steal the user database.  Protecting against an SQL injection attack on a website is fairly trivial which makes me doubt the ability and "security sense" of whomever developed that site. 

You are probably referring to this:
http://seclists.org/fulldisclosure/2011/Jun/417 and http://seclists.org/fulldisclosure/2011/Jun/418?

| Operating electrum.be & us.electrum.be |
TerraHertz (Newbie, Activity: 18)
June 21, 2011, 11:03:08 AM  #11

Bitcoin. Bringing hackers, naive users and serious money together, since 2011

What could possibly go wrong?

"The price good people pay for their indifference to public affairs is to be ruled by evil men." -- Plato
Sannyasi (Sr. Member, Activity: 455)
June 21, 2011, 11:14:36 AM  #12

ignorance......

yay i have another post to get out of the newb section.... then i can waste my time on topics that i give a shit about

LET THE TROLLS FEED ON EACH OTHER!
