Bitcoin Forum
July 07, 2022, 01:00:04 AM *
News: Latest Bitcoin Core release: 23.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 4 »  All
  Print  
Author Topic: Camp BX Hacker / Security Audit: Results  (Read 15847 times)
Keyur @ Camp BX
Sr. Member
****
Offline Offline

Activity: 299
Merit: 250



View Profile WWW
June 29, 2011, 01:39:08 AM
 #1

Hi everyone,
      The results are in!  https://campbx.com/testnet/main.php

We were tested for >1,000 known vulnerabilities specific to our platform and services by McAfee Secure (formerly McAfee Hacker-Safe), who are ranked #1 in security industry for threat detection.  This is the same auditing service used by well-known brands like Costco, Petco, and Roush Racing for their e-commerce websites.


Here is an executive summary of our results:

OWASP top-10 web vulnerabilities:
    A1: Injection - Pass
    A2: Cross-Site Scripting (XSS) - Pass
    A3: Broken Authentication and Session Management - Pass
    A4: Insecure Direct Object References - Pass
    A5: Cross-Site Request Forgery (CSRF) - Pass
    A6: Security Misconfiguration - Pass
    A7: Insecure Cryptographic Storage - Pass
    A8: Failure to Restrict URL Access - Pass
    A9: Insufficient Transport Layer Protection - Pass
    A10: Unvalidated Redirects and Forwards - Pass

Distributed Denial-of-Service attack: Pass with no noticeable slowdown in response time

All vulnerabilities are classified on a scale of 1-to-5, with 5 being Urgent and 1 being informational.  Camp BX final scorecard is:
Sev 5: zero
Sev 4: zero
Sev 3: zero
Sev 2: zero
Sev 1: 29
(Sev 1 includes information like "DNS Server detected", "NTP Server detected", "SSL Certificate mismatch on Testnet.CampBX.com"...)


This makes Camp BX is  the first Bitcoin platform certified for compliance with 7 information and data security standards!  

We have also achieved all requirements for the McAfee Secure Trustmark, and on our livenet launch Camp BX platform will proudly wear this badge.  A HUGE thank you to Alex and Yuriy for burning the midnight oil to fix all issues identified, and ensuring that we are able to achieve this crucial certification prior to our launch.


Going forward Camp BX will be re-tested daily for all known vulnerabilities.  We realize that security is a process, and we have put together alerts and escalation procedures in place to ensure that anything higher than Sev 1 is fixed within 72 hours.


Thank you and good night,
      Keyur


Please stay tuned to our news and announcements feeds at:
Twitter: https://twitter.com/CampBX
Facebook: https://facebook.com/CampBX
1657155604
Hero Member
*
Offline Offline

Posts: 1657155604

View Profile Personal Message (Offline)

Ignore
1657155604
Reply with quote  #2

1657155604
Report to moderator
1657155604
Hero Member
*
Offline Offline

Posts: 1657155604

View Profile Personal Message (Offline)

Ignore
1657155604
Reply with quote  #2

1657155604
Report to moderator
1657155604
Hero Member
*
Offline Offline

Posts: 1657155604

View Profile Personal Message (Offline)

Ignore
1657155604
Reply with quote  #2

1657155604
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1657155604
Hero Member
*
Offline Offline

Posts: 1657155604

View Profile Personal Message (Offline)

Ignore
1657155604
Reply with quote  #2

1657155604
Report to moderator
1657155604
Hero Member
*
Offline Offline

Posts: 1657155604

View Profile Personal Message (Offline)

Ignore
1657155604
Reply with quote  #2

1657155604
Report to moderator
BTC Economist
Member
**
Offline Offline

Activity: 112
Merit: 10


View Profile
June 29, 2011, 01:58:16 AM
 #2

I wonder how Mt Gox would do.

When BTC soars, you need to be READY!  PM me to learn more about my new e-book, How to Create and Profit from the Second Bitcoin Bubble available exclusively to BTC forum members!

17JzkreEBYNHQM9tMTiUKCHANofwzHRLhP
mouse
Newbie
*
Offline Offline

Activity: 56
Merit: 0



View Profile
June 29, 2011, 02:00:35 AM
 #3

Hopefully this encourages other exchanges to add similar security value in order to remain competative. Overall this should help lift the image of bitcoin trading.

Well done! (and best of luck)
Alex Thornton
Newbie
*
Offline Offline

Activity: 46
Merit: 0


View Profile
June 29, 2011, 02:12:43 AM
 #4

Hopefully this encourages other exchanges to add similar security value in order to remain competative. Overall this should help lift the image of bitcoin trading.

Well done! (and best of luck)
I agree. More openess at the exchanges would be a huge boost to confidence in bitcoin. Competing exchanges should force greater security and transparity.
billyjoeallen
Legendary
*
Offline Offline

Activity: 1106
Merit: 1006


Hide your women


View Profile WWW
June 29, 2011, 02:16:50 AM
 #5

I signed up. Looking forward to your site going live.

insert coin here:
Dash XfXZL8WL18zzNhaAqWqEziX2bUvyJbrC8s



1Ctd7Na8qE7btyueEshAJF5C7ZqFWH11Wc
charliesheen
Member
**
Offline Offline

Activity: 98
Merit: 10


View Profile WWW
June 29, 2011, 02:18:08 AM
 #6

all this really means is that the hackers will need to be a little more clever

Shinobi
Full Member
***
Offline Offline

Activity: 196
Merit: 100


View Profile
June 29, 2011, 02:35:50 AM
 #7

The benefit of this effort on the part of Camp BX is that it highlights just how non-transparent and less sophisticated Magical Tux and Co. are in both PR and security implementation. I have more faith in Camp BX from this posting alone than anything MT. Gox has done. You'd think they'd do something similar. But I guess that as long as people patronize them and don't force their hand, they don't have to bother - the zealots will come to their defense no matter what people point out.

These BX folks clearly understand how to market themselves, if nothing else. I'm impressed, though I'd think the BTC community could use you as a direct exchange as opposed to a brokerage.

_______
Thinking of using a cheap, yet reliable VPN? Go with PrivateInternetAccess. Not a referral link. Just a satisfied customer!
wumpus
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1014

No Maps for These Territories


View Profile
June 29, 2011, 02:39:44 AM
 #8

Sounds good, too bad this will be an US exchange only.

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
DamienBlack
Jr. Member
*
Offline Offline

Activity: 56
Merit: 1


View Profile
June 29, 2011, 02:51:34 AM
 #9

I think I'm looking forward to this exchange. The mt gox "delay" is getting annoying. And I've always wanted the ability to put in a fill-or-kill order.
MeSarah
Full Member
***
Offline Offline

Activity: 154
Merit: 100


View Profile
June 29, 2011, 03:00:41 AM
 #10

Congratz. I think its apparent who the new king of the mountain is going to be. Keyur, CampBX will restore faith and confidence for many people. Best of luck to CBX.

60 GH/s BFL Single SC - Pre-Order Yours Today!
`````` Only $1299.99 - butterflylabs.com ``````
wujh
Newbie
*
Offline Offline

Activity: 49
Merit: 0


View Profile
June 29, 2011, 03:05:20 AM
 #11

good for you
Serge
Legendary
*
Offline Offline

Activity: 1050
Merit: 1000


View Profile
June 29, 2011, 03:05:44 AM
 #12

Very professional approach

Hopefully you will be able to do international bitcoin trading


What are your fees going to be like for the service?
Horkabork
Full Member
***
Offline Offline

Activity: 140
Merit: 100



View Profile
June 29, 2011, 03:19:53 AM
 #13

That's awesome. May I suggest something else as well?

Put up some security bug bounties in BTC (Or maybe just offer no fees a while as the bounty?)

They wouldn't have to be massive. As places like google and mozilla have found, they'll never be able to beat what a person could get for selling an exploit package, so the rewards are kind of just token.

Me: 15gbWvpLPfbLJZBsL2u5gkBdL3BUXDbTuF
A goat: http://i52.tinypic.com/34pj4v6.jpg
billyjoeallen
Legendary
*
Offline Offline

Activity: 1106
Merit: 1006


Hide your women


View Profile WWW
June 29, 2011, 03:24:29 AM
 #14

I think I'm looking forward to this exchange. The mt gox "delay" is getting annoying. And I've always wanted the ability to put in a fill-or-kill order.

I'd like to see call options.

insert coin here:
Dash XfXZL8WL18zzNhaAqWqEziX2bUvyJbrC8s



1Ctd7Na8qE7btyueEshAJF5C7ZqFWH11Wc
ius
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile
June 29, 2011, 03:27:11 AM
 #15

We were tested for >1,000 known vulnerabilities specific to our platform and services by McAfee Secure (formerly McAfee Hacker-Safe), who are ranked #1 in security industry for threat detection.  This is the same auditing service used by well-known brands like Costco, Petco, and Roush Racing for their e-commerce websites.

Congratulations, you fell for the same ploy as Costco, Petco & friends - you're paying for a useless logo.

Correct me if I'm wrong, but iirc. McAfee only performs an automated remote scan - nothing you couldn't do yourself with Nessus or some other equivalent.

Get a proper audit done - a white/grey box pentest and a source audit. They didn't do that, did they?
datguywhowanders
Member
**
Offline Offline

Activity: 112
Merit: 10



View Profile
June 29, 2011, 03:31:15 AM
 #16

Keyur,

Now that you have completed your audit successfully, congratulations btw, does CBX have a tentative launch date?

I find myself very anxious to try out your service live.

Awesome work, keep it up!

Donations Welcome: 163id7T8KZ6MevqT86DjrBF2kfCPrQsfZE
datafish
Donator
Full Member
*
Offline Offline

Activity: 129
Merit: 100


Swimming in a sea of data


View Profile
June 29, 2011, 04:01:01 AM
 #17

Now that you have completed your audit successfully, congratulations btw, does CBX have a tentative launch date?

Go to campbx.com and see the countdown timer for yourself.
ananas5
Newbie
*
Offline Offline

Activity: 28
Merit: 0


View Profile
June 29, 2011, 04:18:48 AM
 #18

Hi everyone,
      The results are in!  https://campbx.com/testnet/main.php

We were tested for >1,000 known vulnerabilities specific to our platform and services by McAfee Secure (formerly McAfee Hacker-Safe), who are ranked #1 in security industry for threat detection.  This is the same auditing service used by well-known brands like Costco, Petco, and Roush Racing for their e-commerce websites.


Here is an executive summary of our results:

OWASP top-10 web vulnerabilities:
    A1: Injection - Pass
    A2: Cross-Site Scripting (XSS) - Pass
    A3: Broken Authentication and Session Management - Pass
    A4: Insecure Direct Object References - Pass
    A5: Cross-Site Request Forgery (CSRF) - Pass
    A6: Security Misconfiguration - Pass
    A7: Insecure Cryptographic Storage - Pass
    A8: Failure to Restrict URL Access - Pass
    A9: Insufficient Transport Layer Protection - Pass
    A10: Unvalidated Redirects and Forwards - Pass

Distributed Denial-of-Service attack: Pass with no noticeable slowdown in response time

All vulnerabilities are classified on a scale of 1-to-5, with 5 being Urgent and 1 being informational.  Camp BX final scorecard is:
Sev 5: zero
Sev 4: zero
Sev 3: zero
Sev 2: zero
Sev 1: 29
(Sev 1 includes information like "DNS Server detected", "NTP Server detected", "SSL Certificate mismatch on Testnet.CampBX.com"...)


This makes Camp BX is  the first Bitcoin platform certified for compliance with 7 information and data security standards!  

We have also achieved all requirements for the McAfee Secure Trustmark, and on our livenet launch Camp BX platform will proudly wear this badge.  A HUGE thank you to Alex and Yuriy for burning the midnight oil to fix all issues identified, and ensuring that we are able to achieve this crucial certification prior to our launch.


Going forward Camp BX will be re-tested daily for all known vulnerabilities.  We realize that security is a process, and we have put together alerts and escalation procedures in place to ensure that anything higher than Sev 1 is fixed within 72 hours.


Thank you and good night,
      Keyur


I was looking forward to use your site but now I just figured out that it's US only. If I may ask, what's the reason for it?
NO_SLAVE
Newbie
*
Offline Offline

Activity: 56
Merit: 0



View Profile
June 29, 2011, 04:21:15 AM
 #19

GOX are you watching? Learning?
modrobert
Full Member
***
Offline Offline

Activity: 345
Merit: 230


-"When the going gets weird, the weird turn pro."


View Profile WWW
June 29, 2011, 05:00:34 AM
 #20

From campbx.com...

"Tested according to U.S. Government requirements"

I seriously doubt anyone will be impressed by that, it's more like a seal of certainty that lulzsec will breeze through the security measures in five minutes.

Fancy logos and certifications aside, any site can be hacked, what is more important is how hack attempts are dealt with from the user point of view (are losses covered?).

BTW:

Site running PHP/MySQL - Pass
Pages: [1] 2 3 4 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!