Bitcoin Forum
Author Topic: From the desk of Tom Williams, operator of MyBitcoin.com  (Read 25372 times)
Oldminer (OP)
Legendary
June 25, 2011, 03:12:31 AM
 #1

Just came across this message on https://www.mybitcoin.com :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            From the desk of Tom Williams, operator of MyBitcoin.com

                          For immediate release.

There are a lot of unanswered questions floating around on the Bitcoin
forum and other places about the recent Mtgox password leak, and theft
from the MyBitcoin system.

I will attempt to answer as many of the questions and concerns as best
as I can in order to silence the rumor-mill once and for all.

As many of you already know, Mtgox was hacked and its password file was
leaked. As soon as we heard about the leak we were closely monitoring
the system for abnormal activity, and we didn't see any.

At first glance, we didn't see any hard evidence that a password leak
had even occurred. There was just a lot of speculation to an SQL
injection vulnerability in Mtgox's site. A few clients of ours had
informed us of the forum threads, and we watched them carefully.

The following morning a client of ours sent us the download link to the
leaked Mtgox password file. We promptly downloaded the file, put up a
warning on the main page, and disabled the login.

We attempted to line up usernames from the leak, and we found a lot of
matching ones. We started locking down all of those accounts using a
script that we had to have written at a moment's notice. It was during
this time that we noticed a flurry of spends happening. Yes, even with
the site disabled.

The attacker had active sessions open to the site. We quickly flushed
them and the spends stopped abruptly. We disabled the SCI, all payment
forwarding, and all receipt URL traffic on all of the usernames in the
Mtgox leak.

We proceeded to change the password on every account where the username
matched our system's database. PGP-signed emails went out to all of the
accounts that we changed the password on. If an account didn't have an
email address or had already been compromised we put up a bulletin.
(Email addresses were mandatory when we opened our service initially,
but people complained that it wasn't truly anonymous so we made them
optional. Unfortunately this makes contacting a security-compromised
customer impossible.)

An investigation was conducted at that time, and we determined that the
attacker had opened up a session to each active user/password pair ahead
of time, solved the captcha, and used some sort of bot to maintain a
connection so our system wouldn't timeout on the session. It was likely
his intent to gain access to more accounts than he did, but as soon as
he noticed that we had changed the main page of the site he sprung into
action by sending a flurry of spends.

(Before you ask: no, we don't limit logins per IP address. We can't. We
have a lot of users that come in from Tor and I2P that all appear to
share the same source IP address.)

We've concluded that around 1% of the users on the leaked Mtgox password
file had their Bitcoins stolen on MyBitcoin. It is unfortunate, and a
horrible experience for the Bitcoin community in general.

The IP address that the attacker used was a Tor exit node and the spends
were to an address that is outside of our system.

Now to address the rumors:

No, our database wasn't compromised. We had a 3rd party company audit
our site for SQL injection attacks and we passed. (We did, however, have
one XSS hole in the address book page last month that would allow an
attacker to insert fake entries into a customer's address book. It was
promptly fixed and offending address book entries were purged. Not a
single customer had spent to the fake address book entries.) Every line
of code was audited last month. Literally line by line audited by
professionals, and it was deemed safe.

No, this site isn't being run by some amateur that just learned how to
program computers. It was created by seasoned programmers that
understand security.

Yes, we use password encryption. We are currently using SHA-256, but
since the recent Mtgox hack we will be upgrading that to something
stronger. It's surprising how many sites still use MD5, even though it
was broken years ago. It is my personal opinion that MD5 be deprecated
from modern operating systems.

We also use whole-disk level encryption on every single one of our
servers. When you fail a disk in a NOC and a level 1 technician replaces
it, does he wipe the disk before the RMA/tossing it in the garbage? Not
usually! We know these mistakes happen, so we take precautions. Any and
all servers with an IP KVM on them are run in secure console mode. The
root passwords are required even for single user mode. All disk keys are
held off-site and were never generated anywhere near the internet. All
server passwords are unique per server and per user, of course. Only two
technicians have access to the secure servers. This access is over a VPN
and we only use secured workstations running Linux and BSD to access
them.

We use BSD servers with MAC, immutable flags, jails, PAX, SSP,
randomized mmap, secure level, a WAF, a DDoS mitigation and alert system
-- the works. Like I said earlier. We are not amateurs. In fact,
combined we have over 30 years of experience in the payment
processing (credit card arena) industry.

A large amount of the Bitcoin holding is in cold (offline) storage. We
only have a percentage of the holding available hot. This is done for
obvious reasons.

Going forward we are implementing a 2-factor login system,
user-configurable spend limits, better session token tumbling, and a
bunch of new SCI features.

Wishing the Bitcoin community all the best and a swift recovery, and
sincerely yours,


Tom Williams

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MBC v1.0

iQEcBAEBAgAGBQJOAki5AAoJEJ+5g06lAnqF3tcH/0QNKf7aBEg08vML9MCkwTjF
VCoTAPzVaVsdbZOqiRwE2/6420tcFZrsWTXYZYbjXckEiYrl7/DQ2XsLyhk4W567
T1sOCmpH99Z2/VAvTfAd5obRTEGpMQ0SLIrfznyc8MmG4C1GvtVUr4jM79asPmRY
jsIn7v53o9Ra1sN3QcvMskRUU1JmqfqU6MlJrYwXrtc/P9Tjm7D3AtsjfvJRX12Z
9g5y1N+zRGVpp7OK35VFnfmIKtOOtb3IMgG5EhiUllsoXKfz1eE08v4f4d0aQstL
+HGMi3PktL1HBpIRni2n4MAaIXq/EyzxDSzkSHp6v032H70c1kkUibL//QNxQuM=
=VaXC
-----END PGP SIGNATURE-----

If you like my post please feel free to give me some positive rep https://bitcointalk.org/index.php?action=trust;u=18639
Tip me BTC: 1FBmoYijXVizfYk25CpiN8Eds9J6YiRDaX
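The report above describes a gap worth modelling: passwords were changed for usernames that matched the leak, but sessions the attacker had already opened stayed valid until they were flushed by hand, and a bot kept them from idling out. The following is an added example, not MyBitcoin's code, of a session store that revokes live sessions as part of locking an account and enforces an absolute session lifetime that activity cannot extend. All names, usernames and the leak list are constructed.

```python
"""Added example (not MyBitcoin's code): lock accounts named in a third-party
credential leak and revoke their live sessions in the same step, with an
absolute session lifetime so keep-alive pings cannot hold a session open
indefinitely.  All data here is constructed."""
import secrets
import time

IDLE_TIMEOUT = 15 * 60         # seconds of inactivity before a session dies
ABSOLUTE_LIFETIME = 12 * 3600  # hard cap; activity cannot push a session past it


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable clock so behaviour is testable
        self.sessions = {}          # token -> {"user", "created", "last_seen"}
        self.locked_users = set()

    def login(self, user):
        """Issue a fresh random session token; locked accounts get none."""
        if user in self.locked_users:
            return None
        now = self.clock()
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def authorize(self, token):
        """Return the owning user for a live session, else None (and drop it)."""
        rec = self.sessions.get(token)
        if rec is None:
            return None
        now = self.clock()
        idle_out = now - rec["last_seen"] > IDLE_TIMEOUT
        too_old = now - rec["created"] > ABSOLUTE_LIFETIME
        if idle_out or too_old or rec["user"] in self.locked_users:
            del self.sessions[token]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def lock_accounts(self, users):
        """Lock the accounts and revoke every session they own, atomically
        from the caller's point of view.  Returns the number revoked."""
        users = set(users)
        self.locked_users |= users
        doomed = [t for t, r in self.sessions.items() if r["user"] in users]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)


def lockdown_from_leak(store, local_accounts, leaked_usernames):
    """Match leaked usernames against local accounts (case-insensitively) and
    lock the overlap.  Returns (matched accounts, sessions revoked)."""
    leaked = {u.lower() for u in leaked_usernames}
    matches = {u for u in local_accounts if u.lower() in leaked}
    return matches, store.lock_accounts(matches)


if __name__ == "__main__":
    # Constructed demo: a session was pre-opened on 'alice' before the lock;
    # the leak list names 'Alice' and an unrelated 'dave'.
    clock = [0.0]
    store = SessionStore(clock=lambda: clock[0])
    pre_opened = store.login("alice")
    matches, revoked = lockdown_from_leak(
        store, ["alice", "bob", "carol"], ["Alice", "dave"])
    print("locked:", sorted(matches), "sessions revoked:", revoked)
    print("pre-opened session still valid:",
          store.authorize(pre_opened) is not None)
```

The two controls are independent: `lock_accounts` closes the window between "password changed" and "sessions flushed", and `ABSOLUTE_LIFETIME` caps how long a session that was opened before anyone noticed the leak can remain usable, whatever the client does to look active.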
EricJ2190
Full Member
June 25, 2011, 03:50:15 AM
 #2

I use the same username and email on MyBitcoin as I did on MtGox, and I was never contacted by MyBitcoin.
beeph
Newbie
June 25, 2011, 03:54:26 AM
 #3

uh uh mybitcoin users prepare to be....

d.james
Sr. Member
June 25, 2011, 03:56:03 AM
 #4

This is the new rickroll!

You can not roll a BitCoin, but you can rollback some.
Roll me back: 1NxMkvbYn8o7kKCWPsnWR4FDvH7L9TJqGG
kseistrup
Hero Member
June 25, 2011, 04:04:02 AM
 #5


Quote from: EricJ2190
I use the same username and email on MyBitcoin as I did on MtGox, and I was never contacted by MyBitcoin.

+1

Klaus Alexander Seistrup
Lynzoi
Jr. Member
June 25, 2011, 04:09:11 AM
 #6

Yeah, I used the same name on mybitcoin and gox, and mybitcoin never contacted me or changed my password. However, I had different passwords for both sites anyway, and after the hack I changed my passwords for everything.

1HX4zSn3yQpVH3v9Sv5TNwMqbfXoBbMuNf
Klestin
Hero Member
June 25, 2011, 05:17:02 AM
 #7

Nvm, failure to read, etc. 1:21 AM = should be asleep.
LittleGnome
Newbie
June 25, 2011, 10:42:35 AM
Last edit: June 26, 2011, 09:19:19 AM by LittleGnome
 #8

Okay, so Mr. Williams is saying he did his security 'due diligence' and for that I suppose he wants a gold star...

Alright, so one gold star for security competency.

The trouble is, Mr. Williams, that you are at this point coming across as -Incompetent- at the other crucial aspect of secure financial services - Providing. Financial. Service.

I'm assuming that I am one of those customers who did not have an email on file, as I don't remember ever being prompted for one, and I know I have not received an email with reset instructions. So it's great that you put up a 'bulletin' stating what you had done. What was lacking there was -any- instructions on how to get in contact with you for those of us for whom the 'bulletin' was intended. There was a PGP key listed, which is great because now I can write you an encoded message, put it in a bottle, flush it down the toilet and hope that it makes its way from the Great Lakes, down the St. Lawrence Sea Way to the Atlantic, where a passing sea turtle can take it to your front door.

There's no other way to contact you on your site, beyond a snail-mail postal box address. I had to look up your email address on Whois (it's [REDACTED], in case any spam bots are reading), and still that hasn't gotten a response. Likewise, setting up a second account so I could post a support request has also gotten no response. I'm sure you've got tens, hundreds of other customers with similar problems, who are only now figuring out how to contact you. I'm sure you're swamped.

So, Mr. Williams, I'm going to refrain from asking you if you are a THIEF for the time being, and ask instead - as I am left speculating wildly, due to a lack of any meaningful public or private response...

Are you an INCOMPETENT KNOB?

Sincerely, LittleGnome, ESQ.

EDIT: I have now received an initial response to my support request sent through my second account. I intend to follow up with them, and if this leads to a solution for me I'll let you know. If it doesn't, I'll let you know that too. As a peace offering, I removed the email link to the address in the Whois database.
billyjoeallen
Legendary
June 25, 2011, 06:42:44 PM
 #9

I have a different username than I do on mtGox and still my password was apparently changed as I cannot log in. I received no email. I'm not sure what recourse I have at this time.

insert coin here:
Dash XfXZL8WL18zzNhaAqWqEziX2bUvyJbrC8s



1Ctd7Na8qE7btyueEshAJF5C7ZqFWH11Wc
fellowtraveler
Sr. Member
June 25, 2011, 08:09:04 PM
 #10

There is no reason why any of these security problems had to happen.

http://forum.bitcoin.org/index.php?topic=20377.msg278729#msg278729


Someday, enough money will be stolen that the Bitcoin community will consider using public key cryptography that was invented back in the 70s.

As long as everyone is still storing passwords on the server, they deserve what they get.

co-founder, Monetas
creator, Open-Transactions
billyjoeallen
Legendary
June 28, 2011, 01:04:13 PM
 #11

Just an update: STILL no reply from MyBitcoin.com
I had a tiny amount of BTC there, so I consider myself lucky. I'm assuming it's gone for good now.

phatsphere
Hero Member
June 28, 2011, 01:23:25 PM
 #12

i tried to verify the signature, but i can't find the public key.

original message seems to be here, too: https://www.mybitcoin.com/downloads/incident-report-2011-06-22.txt
bitplane
Sr. Member
June 28, 2011, 02:13:27 PM
Last edit: June 28, 2011, 04:22:39 PM by bitplane
 #13

I have 1BTC in my MyBitcoin account, and when the MtGox hack happened I hardened all my passwords to ones generated by KeePass.

However, being new to this I lost my first KeePass database and had to manually recover a lot of my accounts, but there is no f*%@ing password recovery on MyBitcoin.
foo
Sr. Member
June 28, 2011, 02:44:58 PM
 #14

Quote from: phatsphere
i tried to verify the signature, but i can't find the public key.
http://pgp.mit.edu:11371/pks/lookup?search=mybitcoin&op=index

I know this because Tyler knows this.
ius
Newbie
June 28, 2011, 03:08:10 PM
Last edit: June 28, 2011, 04:20:58 PM by ius
 #15

Quote from: Tom Williams
Yes, even with the site disabled.

Either it was disabled, or it wasn't.

Quote
Yes, we use password encryption. We are currently using SHA-256, but
since the recent Mtgox hack we will be upgrading that to something
stronger. It's surprising how many sites still use MD5, even though it
was broken years ago. It is my personal opinion that MD5 be deprecated
from modern operating systems.

Every time someone calls a (one-way) hash function 'encryption' the FSM kills a kitten.

Yes, MD5 should be deprecated due to known weaknesses (collision attacks), but using one of the SHA variants isn't going to magically make things unbreakable. MtGox's crypt(md5) is a lot more resistant to attacks than plain SHA-256. The keywords are salting and stretching (or: bcrypt/scrypt) - all general purpose cryptographic hash functions were designed to be fast.
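To make the salting-and-stretching point concrete, here is an added example that is not code from MyBitcoin, MtGox or any poster in this thread. It contrasts the unsalted single-round SHA-256 described in the incident report with a salted, stretched scheme. The reply names bcrypt/scrypt; the example uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in with the same two properties (a per-user random salt and a tunable work factor), and adds a `needs_rehash` check for the kind of upgrade the report says is planned. The sample passwords and the `$pbkdf2-sha256$...` record format are constructed for this example.

```python
"""Added example (not MyBitcoin's or MtGox's code): unsalted SHA-256 versus a
salted, stretched password hash.  PBKDF2-HMAC-SHA256 stands in for the
bcrypt/scrypt named in the thread; sample passwords are constructed."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor; raise it over time as hardware speeds up


def weak_hash(password):
    """What the report describes: plain SHA-256, no salt, one round.
    Identical passwords give identical hashes across every user, so one
    precomputed table or one fast guess loop covers the whole database."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_hash(password, iterations=ITERATIONS, salt=None):
    """Salted and stretched.  Stored record (constructed format):
    $pbkdf2-sha256$<iterations>$<base64 salt>$<base64 derived key>"""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check itself leaks nothing about the record."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "pbkdf2-sha256":
        return False
    _, _, iters, salt_b64, dk_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters), dklen=32)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, target_iterations=ITERATIONS):
    """True when a record predates the current policy: a legacy unsalted
    hash, or a PBKDF2 record with a lower work factor.  Rehash it on the
    user's next successful login, when the plaintext is briefly available."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "pbkdf2-sha256":
        return True
    return int(parts[2]) < target_iterations


if __name__ == "__main__":
    # Constructed demo: two users who happen to share a password.
    print("weak, user 1:  ", weak_hash("correct horse"))
    print("weak, user 2:  ", weak_hash("correct horse"))   # identical
    print("strong, user 1:", strong_hash("correct horse"))
    print("strong, user 2:", strong_hash("correct horse")) # differs: own salt
    print("legacy record needs rehash:", needs_rehash(weak_hash("correct horse")))
```

The salt defeats shared precomputation (two users with the same password get unrelated records), and the iteration count raises the cost of every guess by a constant factor that the defender chooses; neither property comes from picking a longer SHA variant.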
gigitrix
Hero Member
June 28, 2011, 03:11:39 PM
 #16

Say what you want, but these guys seem to know their stuff. As always, the error (if it exists) in this system is human in that the accounts weren't shut down immediately, but let's be honest, the bitcoin community is so full of speculation and rumour and you can't be awake 24/7. I don't use MyBitcoin but it sounds like they've done their jobs here.
LittleGnome
Newbie
June 29, 2011, 01:54:08 AM
 #17

Quote from: gigitrix
Say what you want, but these guys seem to know their stuff. As always, the error (if it exists) in this system is human in that the accounts weren't shut down immediately, but let's be honest, the bitcoin community is so full of speculation and rumour and you can't be awake 24/7. I don't use MyBitcoin but it sounds like they've done their jobs here.

I'm sure they've been doing a fine job of keeping bad people out. I say this because, from first experience, they are doing a fantastic job of keeping legitimate users out.

Still Waiting, Tom.
billyjoeallen
Legendary
June 29, 2011, 01:59:15 AM
 #18

Quote from: LittleGnome
Quote from: gigitrix
Say what you want, but these guys seem to know their stuff. As always, the error (if it exists) in this system is human in that the accounts weren't shut down immediately, but let's be honest, the bitcoin community is so full of speculation and rumour and you can't be awake 24/7. I don't use MyBitcoin but it sounds like they've done their jobs here.

I'm sure they've been doing a fine job of keeping bad people out. I say this because, from first experience, they are doing a fantastic job of keeping legitimate users out.

Still Waiting, Tom.

Me too.

theymos
Administrator
Legendary
June 29, 2011, 03:39:04 AM
 #19

I have a hard time believing any of this without proof.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
LittleGnome
Newbie
June 29, 2011, 07:09:43 AM
 #20

Quote from: theymos
I have a hard time believing any of this without proof.

What kind of proof are you looking for?