Bitcoin Forum
November 08, 2024, 06:52:35 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: MTGOX learns a lesson on cyber security, so should you  (Read 1143 times)
mjoz (OP)
Member
**
Offline Offline

Activity: 61
Merit: 10


View Profile
June 19, 2011, 11:49:21 PM
 #1

Rumor mill says it was an SQL injection attack that allowed the hacker to steal the user database.  Protecting against an SQL injection attack on a website is fairly trivial which makes me doubt the ability and "security sense" of whomever developed that site. 

To my knowledge they have not said if the database compromise lead to the hacked account.  It seems very likely though, with access to the password hash weak passwords can be easily dictionary/bruteforced.  Why anyone with 500k bitcoins would have a weak password leaves me guessing though.  This is a lesson everyone can learn from though, if your password is not long, random, and mixed with letters, symbols and numbers you're at risk.

What is even more scary is it appears that the e-mail accounts on the list are now being attacked.  If someone compromises your e-mail box your generally screwed as they can then reset passwords other websites with lax security like MTGOX.
hiipii
Newbie
*
Offline Offline

Activity: 9
Merit: 0


View Profile
June 20, 2011, 12:17:35 AM
 #2

It really is aggrivating seeing such a security sensitive sight being comprimised with an sql injection. This stuff was covered when I took an introductory web class.
fascistmuffin
Newbie
*
Offline Offline

Activity: 56
Merit: 0



View Profile
June 20, 2011, 12:21:54 AM
 #3

"' RIGHT JOIN TABLE USERS; --

Dammit, didn't work.
Bittie
Newbie
*
Offline Offline

Activity: 4
Merit: 0



View Profile
June 20, 2011, 12:55:53 AM
 #4

I used a windows install to see what infections I could pick up. Registered with bit faucet. 1/2hr later attacks from various IP's mainly 91.213.175.240 + 8.15.246.44
mmavipc
Member
**
Offline Offline

Activity: 98
Merit: 10


View Profile
June 20, 2011, 01:07:06 AM
 #5

I used a windows install to see what infections I could pick up. Registered with bit faucet. 1/2hr later attacks from various IP's mainly 91.213.175.240 + 8.15.246.44

are you talking about this http://freebitcoins.appspot.com/recent_sends ?

http://payb.tc/mmavipc

Want to gamble some bitcoins? Click here!
agedet
Newbie
*
Offline Offline

Activity: 2
Merit: 0


View Profile
June 20, 2011, 01:08:58 AM
 #6

MtGox sucks, gonna see if Tradehill is any better.  Used code TH-R15720 when signing up to get reduced fees.
Bittie
Newbie
*
Offline Offline

Activity: 4
Merit: 0



View Profile
June 20, 2011, 01:16:14 AM
 #7

I used a windows install to see what infections I could pick up. Registered with bit faucet. 1/2hr later attacks from various IP's mainly 91.213.175.240 + 8.15.246.44

are you talking about this http://freebitcoins.appspot.com/recent_sends ?

Yes.. See how they list all the IP's?
Perfect for port attacks + sniffing as you know the IP will have a coin client + wallet.. Shocked
rcsheets
Newbie
*
Offline Offline

Activity: 9
Merit: 0


View Profile
June 20, 2011, 02:37:48 AM
 #8

In their defense, they didn't start up with a million dollar budget and man years of development time. It was a hobby project that got out of hand quickly.
You don't need a million dollars to store passwords properly. See http://codahale.com/how-to-safely-store-a-password/ for example. The software libraries for doing this correctly are free.
tnkflx
Sr. Member
****
Offline Offline

Activity: 349
Merit: 250


View Profile
June 21, 2011, 10:11:26 AM
 #9

Rumor mill says it was an SQL injection attack that allowed the hacker to steal the user database.  Protecting against an SQL injection attack on a website is fairly trivial which makes me doubt the ability and "security sense" of whomever developed that site. 

You are probably referring to this:
http://seclists.org/fulldisclosure/2011/Jun/417 and http://seclists.org/fulldisclosure/2011/Jun/418?

| Operating electrum.be & us.electrum.be |
TerraHertz
Newbie
*
Offline Offline

Activity: 16
Merit: 0



View Profile
June 21, 2011, 11:03:08 AM
 #10

Bitcoin. Bringing hackers, naive users and serious money together, since 2011

What could possibly go wrong?
Sannyasi
Sr. Member
****
Offline Offline

Activity: 454
Merit: 250



View Profile WWW
June 21, 2011, 11:14:36 AM
 #11

ignorance......

yay i have another post to get out of the newb section.... then i can waste my time on topics that i give a shit about

LET THE TROLLS FEED ON EACH OTHER!

1DxP5iL6hN5Gd3cwmDz9uFSntW8ALBQaGK

http://gamerkeys.net/common/home.htm <- the best place to get games!

my portfoio: http://windowsofamind.com
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!