Nefario (OP)
June 20, 2011, 04:19:16 AM (last edit: July 08, 2011, 05:37:27 AM by Nefario)
As a result of the Mt. Gox break-in we're running a security audit, and have moved all our users' bitcoin to secure storage. See here for more information: http://glbse.com/forum/viewtopic.php?f=14&t=62
PGP key id at pgp.mit.edu 0xA68F4B7C To get help and support for GLBSE please email support@glbse.com

bitoption
June 20, 2011, 10:52:24 PM
Thanks Nefario,
Good luck on the audit; I appreciate the approach.

Nefario (OP)
June 21, 2011, 03:17:29 AM
We were certainly ready to bring GLBSE back up again.
However, because of the increasing likelihood that Mt.Gox's server was rooted, and a significant chance that bitcoin was stolen from their wallet, we have to move server.
Prior to now we were using VPSs provided by Kalyhost, which is run by MagicalTux. As Mt.Gox remains down, and the situation is looking worse than we had previously thought, we cannot take the risk of having our customers' bitcoin on servers accessible by Mt.Gox's people.
It's going to add hours (6-12, depending) onto bringing GLBSE back up.
What you can look forward to will be to access GLBSE fully over SSL, using a self-signed certificate, and the knowledge that our system has been hardened against break-in and exploitation.
We take the security of our users' bitcoin seriously.
Nefario.

BioMike
June 21, 2011, 05:05:49 AM
> However, because of the increasing likelihood that Mt.Gox's server was rooted, and a significant chance that bitcoin was stolen from their wallet, we have to move server.
> Prior to now we were using VPSs provided by Kalyhost, which is run by MagicalTux. As Mt.Gox remains down, and the situation is looking worse than we had previously thought, we cannot take the risk of having our customers' bitcoin on servers accessible by Mt.Gox's people.

As far as I know the account data was leaked through an auditor, so servers weren't rooted. Second, I think Kalyhost has many physical servers around the globe, so they don't need to be on the same server as MtGox (I guess the MtGox server was dedicated anyway). Got any link to support those claims?

Nefario (OP)
June 21, 2011, 05:13:15 AM
> However, because of the increasing likelihood that Mt.Gox's server was rooted, and a significant chance that bitcoin was stolen from their wallet, we have to move server.
> Prior to now we were using VPSs provided by Kalyhost, which is run by MagicalTux. As Mt.Gox remains down, and the situation is looking worse than we had previously thought, we cannot take the risk of having our customers' bitcoin on servers accessible by Mt.Gox's people.

> As far as I know the account data was leaked through an auditor, so servers weren't rooted. Second, I think Kalyhost has many physical servers around the globe, so they don't need to be on the same server as MtGox (I guess the MtGox server was dedicated anyway). Got any link to support those claims?

These are not claims that we're making, but risks we perceive from the information we've gathered, risks that I'm not willing to take with other people's money (my users'). We know that we are not on the same server as Mt.Gox for sure, and this is not what we think to be the risk. I'm afraid that I can't say any more.
Nefario.

BioMike
June 21, 2011, 05:27:15 AM
OK, so a better-safe-than-sorry case.

Xenland
June 21, 2011, 08:51:58 AM
> We were certainly ready to bring GLBSE back up again.
> However, because of the increasing likelihood that Mt.Gox's server was rooted, and a significant chance that bitcoin was stolen from their wallet, we have to move server.
> Prior to now we were using VPSs provided by Kalyhost, which is run by MagicalTux. As Mt.Gox remains down, and the situation is looking worse than we had previously thought, we cannot take the risk of having our customers' bitcoin on servers accessible by Mt.Gox's people.
> It's going to add hours (6-12, depending) onto bringing GLBSE back up.
> What you can look forward to will be to access GLBSE fully over SSL, using a self-signed certificate, and the knowledge that our system has been hardened against break-in and exploitation.
> We take the security of our users' bitcoin seriously.
> Nefario.

Sorry to get off topic, but how was your service at Kalyhost? I purchased a VPS server and I received automated messages saying my server was up and giving me the details, but it wasn't up the whole month. I sent letters to their 24/7 support, no replies; the only service I got was at the end of the month, which was an automated message stating my server would be taken down if I didn't pay for the next month.

Nefario (OP)
June 21, 2011, 09:05:49 AM
I did have trouble with the first VPS I'd gotten from them; the install hadn't worked.
But they resolved it quickly enough (in a day or so, I think).
Apart from that I've not had any trouble.

Nefario (OP)
June 23, 2011, 01:09:32 PM (last edit: June 23, 2011, 05:56:29 PM by Nefario)
We're up and open. I've had cuddlefish do some poking and penetration testing on the servers, and so far no obvious holes. Everything is over SSL now; all traffic to glbse.com will be redirected to https. The certificate is self-signed (so on first visiting it will pop up a warning). This now means that you can use the keypair generation on the server (built into the web client) without the worry of it being sniffed. A few of the URLs have changed a little, and once we get our networking issues sorted out we'll update them.

The web client is available at https://glbse.com/client/glbse/

We have also updated the command line client so that it's able to operate over SSL. To be able to use the command line client, please use git to update the files. If you're not on git (Windows user?), please download these two files into the black-market directory:

https://gitorious.org/black-market/black-market-client/blobs/raw/master/server.crt
https://gitorious.org/black-market/black-market-client/blobs/raw/master/bmc.py

From then on everything should be the same, with the exception that everything to the server is encrypted.
Nefario.

TheVirus
June 23, 2011, 02:06:36 PM
> We're almost ready to launch; however, our servers are having some network trouble, and as a result glbse.com is down. I've had cuddlefish do some poking and penetration testing on the servers, and so far no obvious holes. Everything is over SSL now; all traffic to glbse.com will be redirected to https. The certificate is self-signed (so on first visiting it will pop up a warning). This now means that you can use the keypair generation on the server (built into the web client) without the worry of it being sniffed. A few of the URLs have changed a little, and once we get our networking issues sorted out we'll update them.
>
> The web client is available at https://glbse.com/client/glbse/
>
> We have also updated the command line client so that it's able to operate over SSL. To be able to use the command line client, please use git to update the files. If you're not on git (Windows user?), please download these two files into the black-market directory:
>
> https://gitorious.org/black-market/black-market-client/blobs/raw/master/server.crt
> https://gitorious.org/black-market/black-market-client/blobs/raw/master/bmc.py
>
> From then on everything should be the same, with the exception that everything to the server is encrypted.
> Nefario.

You can get a CA-generated SSL cert from many places (www.networksolutions.com, www.godaddy.com) for a few hundred dollars. I highly recommend this, as it will prevent your site from being flagged by Google/Chrome as being malicious. Also, what kind of pen testing did you do? Did you use a Nessus scan or Metasploit stuff? Do you have any IDS/IPS software installed? Do you have a secured wallet stored offline? I think banks are required to keep 10% of their deposits in-house, so it might be wise to follow a similar protocol. Are you running multiple servers, one for DB and one for web? Are you actively monitoring all access logs? Do you have anything in place that will send out alerts should something fishy happen (such as someone selling 500k BTC at once)?
I'd want to make very large trades moderated. Are you tracking IPs to try and check for suspicious activity (much like Gmail does), so if I have an IP that originates from San Fran, CA, and then log in from South Korea, it should deny all write/execute access to the account until it's verified? It'd be nice to see a simplified version of how the data is protected and what security checks are in place (no need to get into the specific software/services used, just what they do).
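The two alerting checks TheVirus asks about above (a login from a location the account could not plausibly have reached since its last login, and a single trade large enough to warrant a human look), as an added example that is not part of this thread or of GLBSE's code. The account names, IP addresses, coordinates, timestamps and the 1000 km/h and 10,000 BTC thresholds are all constructed assumptions; a flagged login puts the account on a hold list that a write path can consult.

```python
"""Added example (not GLBSE code): impossible-travel and large-trade alerts
over a constructed event stream. Every identifier and threshold below is a
made-up assumption for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed policy knobs (not from the thread).
LARGE_TRADE_BTC = 10_000.0   # trades at or above this size are held for review
MAX_PLAUSIBLE_KMH = 1000.0   # faster than an airliner => treat as impossible travel


@dataclass
class Login:
    account: str
    at: datetime
    ip: str
    lat: float   # geolocation of the source IP, degrees
    lon: float


@dataclass
class Trade:
    account: str
    at: datetime
    side: str
    amount_btc: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag a login when reaching it from the same account's previous login
    would need a speed above max_kmh. Returns (account, ip) pairs, in time order."""
    last = {}
    alerts = []
    for lg in sorted(logins, key=lambda l: l.at):
        prev = last.get(lg.account)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, lg.lat, lg.lon)
            hours = (lg.at - prev.at).total_seconds() / 3600.0
            # zero elapsed time with a real distance is instantaneous relocation
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                alerts.append((lg.account, lg.ip))
        last[lg.account] = lg
    return alerts


def large_trades(trades, threshold=LARGE_TRADE_BTC):
    """Trades at or above the review threshold, as (account, amount) pairs."""
    return [(t.account, t.amount_btc) for t in trades if t.amount_btc >= threshold]


def held_accounts(logins, trades):
    """Accounts whose write/execute actions should be denied until verified."""
    held = {acct for acct, _ in impossible_travel(logins)}
    held |= {acct for acct, _ in large_trades(trades)}
    return held


def may_write(account, held):
    """Gate for any state-changing action on an account."""
    return account not in held


# Constructed sample data (not real users or addresses).
T0 = datetime(2011, 6, 23, 12, 0, 0)
SAMPLE_LOGINS = [
    Login("alice", T0, "198.51.100.7", 37.77, -122.42),                      # San Francisco
    Login("alice", T0 + timedelta(hours=2), "203.0.113.9", 37.57, 126.98),   # Seoul, 2 h later
    Login("bob", T0, "192.0.2.10", 51.51, -0.13),                            # London
    Login("bob", T0 + timedelta(hours=8), "192.0.2.11", 48.86, 2.35),        # Paris, 8 h later
]
SAMPLE_TRADES = [
    Trade("alice", T0 + timedelta(hours=2, minutes=5), "sell", 500_000.0),
    Trade("bob", T0 + timedelta(hours=1), "buy", 12.5),
]

if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SAMPLE_LOGINS))
    print("large trades:", large_trades(SAMPLE_TRADES))
    print("held:", held_accounts(SAMPLE_LOGINS, SAMPLE_TRADES))
```

Both checks are deliberately conservative: the speed test only fires when the implied speed is beyond anything a traveller could manage, so the London-to-Paris login eight hours later passes while San Francisco-to-Seoul in two hours does not, and the trade test is a fixed size threshold rather than a per-account baseline.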

Nefario (OP)
June 23, 2011, 03:49:25 PM
Just to let people know, don't use GLBSE just yet; we're running tests at the moment to ensure all is working as it should.

Nefario (OP)
June 23, 2011, 05:51:38 PM
GLBSE is back up and open for business.
In answer to your comments, TheVirus: we will be getting a CA-signed certificate; it's not the top priority ATM (also, using a self-signed cert prevents our traffic being sniffed if a CA is compromised; I wonder how big a worry this is for actual GLBSE users though).
I'm not sure what the testing was actually; this was cuddlefish's doing (cuddlefish, could you fill us in?). No IDS yet. I do keep a secure backup of the wallet offline. The wallet on the system has full funds ATM; this is because we're still using bitcoind's accounts (along with our own) to ensure we've got two sets of books, so we can see where any problems arise when there's a difference.
The DB is on the same server as the webserver; however, the DB has no identifying information or passwords, just a list of public keys. Not even emails. We try to keep the identifying information we keep to an absolute minimum.
Also, the server is chrooted with non-root process permissions.
We have logs (of course) but no active monitoring system (bar myself). We also keep records of IPs, and use denyhosts.
We have no limits on transfer or trading once it's authorised by the user.
To be able to steal from a single user's account (as opposed to breaking into the actual system) would require the attacker to get hold of the user's private key on their home machine. Once they have this, there is no way to prove that they are not indeed the user. The private key is the user's only proof of ownership of the account.
Unless we begin recording identifying information, there is nothing we can do if the private key is compromised.
We do of course also disable root access for SSH, have long and unique passwords for each user on the system, and have a strictish firewall policy.
The security setup is going to change as time goes on, bringing improvements.
On our list of security to-dos: have the DB on a separate machine from the app server; have fractional reserves kept in the system wallet (with the rest stored securely offline); have an intrusion detection system; begin using SELinux; active log monitoring.
Any ideas for improving security are much appreciated (low-hanging fruit preferable).
Nefario.
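The "two sets of books" check Nefario describes above, as an added example that is not taken from GLBSE's code: it compares bitcoind's per-account balances against the exchange's own ledger, reports every account where the two disagree, and computes how much of what is owed to users the on-system wallet actually holds (the figure that is expected to drop below 1 once fractional reserves are kept, with the remainder accounted for offline). The account names and balances are constructed sample values, and the bitcoind-style dict is an assumption about the shape of `listaccounts` output, not a call to a real node.

```python
"""Added example (not GLBSE code): reconcile bitcoind's account balances
against the exchange's own ledger. All balances are constructed samples."""
from collections import defaultdict
from decimal import Decimal

# Constructed: per-account balances as bitcoind's `listaccounts` would report
# them (assumed shape: account name -> balance).
BITCOIND_ACCOUNTS = {
    "alice": Decimal("120.50000000"),
    "bob": Decimal("8.00000000"),
    "carol": Decimal("0.00000000"),
    "": Decimal("0.00000000"),   # bitcoind's default account; should stay empty
}

# Constructed: the exchange's own ledger as (account, signed amount) entries.
LEDGER_ENTRIES = [
    ("alice", Decimal("100.0")), ("alice", Decimal("20.5")),
    ("bob", Decimal("10.0")), ("bob", Decimal("-2.0")),
    ("carol", Decimal("3.0")),   # credited in our books but not in bitcoind's
]


def ledger_balances(entries):
    """Sum the signed ledger entries into a balance per account."""
    bal = defaultdict(Decimal)
    for acct, amt in entries:
        bal[acct] += amt
    return dict(bal)


def reconcile(bitcoind, ledger):
    """One row per account where the two books disagree:
    (account, bitcoind balance, ledger balance, bitcoind minus ledger).
    An account missing from either side is treated as holding zero there."""
    rows = []
    for acct in sorted(set(bitcoind) | set(ledger)):
        a = bitcoind.get(acct, Decimal(0))
        b = ledger.get(acct, Decimal(0))
        if a != b:
            rows.append((acct, a, b, a - b))
    return rows


def hot_wallet_coverage(wallet_balance, ledger):
    """Fraction of what we owe users that the on-system wallet holds.
    1 or more means fully backed; with fractional reserves this is expected
    to be below 1, and the shortfall must match what is stored offline."""
    owed = sum(ledger.values(), Decimal(0))
    return wallet_balance / owed if owed else Decimal(1)


def run_reconciliation(bitcoind, entries, wallet_balance):
    """Convenience wrapper returning both results for one pass."""
    ledger = ledger_balances(entries)
    return reconcile(bitcoind, ledger), hot_wallet_coverage(wallet_balance, ledger)


if __name__ == "__main__":
    mismatches, coverage = run_reconciliation(
        BITCOIND_ACCOUNTS, LEDGER_ENTRIES, Decimal("128.5"))
    for acct, a, b, diff in mismatches:
        print(f"{acct!r}: bitcoind={a} ledger={b} diff={diff}")
    print(f"hot wallet covers {coverage:.4f} of user balances")
```

Running this on the constructed data surfaces the one account the two books disagree on, which is exactly the kind of discrepancy the parallel bookkeeping is meant to catch before it turns into a dispute with a user.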

cuddlefish
June 23, 2011, 06:35:15 PM
> GLBSE is back up and open for business.
> In answer to your comments, TheVirus: we will be getting a CA-signed certificate; it's not the top priority ATM (also, using a self-signed cert prevents our traffic being sniffed if a CA is compromised; I wonder how big a worry this is for actual GLBSE users though).
> I'm not sure what the testing was actually; this was cuddlefish's doing (cuddlefish, could you fill us in?). No IDS yet. I do keep a secure backup of the wallet offline. The wallet on the system has full funds ATM; this is because we're still using bitcoind's accounts (along with our own) to ensure we've got two sets of books, so we can see where any problems arise when there's a difference.
> The DB is on the same server as the webserver; however, the DB has no identifying information or passwords, just a list of public keys. Not even emails. We try to keep the identifying information we keep to an absolute minimum.
> Also, the server is chrooted with non-root process permissions.
> We have logs (of course) but no active monitoring system (bar myself). We also keep records of IPs, and use denyhosts.
> We have no limits on transfer or trading once it's authorised by the user.
> To be able to steal from a single user's account (as opposed to breaking into the actual system) would require the attacker to get hold of the user's private key on their home machine. Once they have this, there is no way to prove that they are not indeed the user. The private key is the user's only proof of ownership of the account.
> Unless we begin recording identifying information, there is nothing we can do if the private key is compromised.
> We do of course also disable root access for SSH, have long and unique passwords for each user on the system, and have a strictish firewall policy.
> The security setup is going to change as time goes on, bringing improvements.
> On our list of security to-dos: have the DB on a separate machine from the app server; have fractional reserves kept in the system wallet (with the rest stored securely offline); have an intrusion detection system; begin using SELinux; active log monitoring.
> Any ideas for improving security are much appreciated (low-hanging fruit preferable).
> Nefario.

I've run a Nessus scan and poked around a bit with Metasploit. The key auth (instead of password) does excellent things for the actual app's security. The only thing I've noticed is a lack of SYN cookies, which if enabled would prevent a certain type of DoS.

marcus_of_augustus
June 23, 2011, 08:29:24 PM
Took a look around GLBSE ... interesting project you are developing there... when will GLBSE be listed on the GLBSE? I could buy some shares of that.

Nefario (OP)
June 23, 2011, 09:00:06 PM
> Took a look around GLBSE ... interesting project you are developing there... when will GLBSE be listed on the GLBSE? I could buy some shares of that.

We're not selling ATM; I guess when we need funding then it will happen then, but we will be putting some other projects up.
Nefario.

sal002
June 24, 2011, 04:33:11 PM
Updated (on the VMware image) and got this error:
Server error: server certificate verification failed. CAfile: server.crt CRLfile: none

Nefario (OP)
July 04, 2011, 05:54:03 PM
Web client has been updated.
Issues caused by the release last week have been fixed.

Sukrim
July 06, 2011, 04:38:45 PM
Some of the chart subpages (Trade History/Market depth) seem to still be broken; also, the database below the charts still doesn't seem to include all transactions since the start of GLBSE. I guess this has low priority, but I still wanted to report it. Keep up the great work!

Nefario (OP)
July 07, 2011, 01:48:34 AM
> Some of the chart subpages (Trade History/Market depth) seem to still be broken; also, the database below the charts still doesn't seem to include all transactions since the start of GLBSE. I guess this has low priority, but I still wanted to report it. Keep up the great work!

The charts had the readings backwards for a week or two, and recorded that information. That's what's being seen.