Bitcoin Forum
December 09, 2016, 05:51:52 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
Author Topic: Camp BX Hacker / Security Audit: Results  (Read 14760 times)
Keyur @ Camp BX (Sr. Member)
June 29, 2011, 01:39:08 AM  #1

Hi everyone,
      The results are in!  https://campbx.com/testnet/main.php

We were tested for >1,000 known vulnerabilities specific to our platform and services by McAfee Secure (formerly McAfee Hacker-Safe), who are ranked #1 in the security industry for threat detection.  This is the same auditing service used by well-known brands like Costco, Petco, and Roush Racing for their e-commerce websites.


Here is an executive summary of our results:

OWASP top-10 web vulnerabilities:
    A1: Injection - Pass
    A2: Cross-Site Scripting (XSS) - Pass
    A3: Broken Authentication and Session Management - Pass
    A4: Insecure Direct Object References - Pass
    A5: Cross-Site Request Forgery (CSRF) - Pass
    A6: Security Misconfiguration - Pass
    A7: Insecure Cryptographic Storage - Pass
    A8: Failure to Restrict URL Access - Pass
    A9: Insufficient Transport Layer Protection - Pass
    A10: Unvalidated Redirects and Forwards - Pass

Distributed Denial-of-Service attack: Pass with no noticeable slowdown in response time

All vulnerabilities are classified on a scale of 1-to-5, with 5 being Urgent and 1 being informational.  Camp BX's final scorecard is:
Sev 5: zero
Sev 4: zero
Sev 3: zero
Sev 2: zero
Sev 1: 29
(Sev 1 includes information like "DNS Server detected", "NTP Server detected", "SSL Certificate mismatch on Testnet.CampBX.com"...)


This makes Camp BX the first Bitcoin platform certified for compliance with 7 information and data security standards!

We have also achieved all requirements for the McAfee Secure Trustmark, and on our livenet launch Camp BX platform will proudly wear this badge.  A HUGE thank you to Alex and Yuriy for burning the midnight oil to fix all issues identified, and ensuring that we are able to achieve this crucial certification prior to our launch.


Going forward, Camp BX will be re-tested daily for all known vulnerabilities.  We realize that security is a process, and we have put alerts and escalation procedures in place to ensure that anything higher than Sev 1 is fixed within 72 hours.


Thank you and good night,
      Keyur


Please stay tuned to our news and announcements feeds at:
Twitter: https://twitter.com/CampBX
Facebook: https://facebook.com/CampBX

BTC Economist (Member)
June 29, 2011, 01:58:16 AM  #2

I wonder how Mt Gox would do.


mouse (Jr. Member)
June 29, 2011, 02:00:35 AM  #3

Hopefully this encourages other exchanges to add similar security value in order to remain competitive. Overall this should help lift the image of bitcoin trading.

Well done! (and best of luck)


Alex Thornton (Jr. Member)
June 29, 2011, 02:12:43 AM  #4

> Hopefully this encourages other exchanges to add similar security value in order to remain competitive. Overall this should help lift the image of bitcoin trading.
>
> Well done! (and best of luck)

I agree. More openness at the exchanges would be a huge boost to confidence in bitcoin. Competing exchanges should force greater security and transparency.

billyjoeallen (Legendary)
June 29, 2011, 02:16:50 AM  #5

I signed up. Looking forward to your site going live.


charliesheen (Member)
June 29, 2011, 02:18:08 AM  #6

All this really means is that the hackers will need to be a little more clever.


Shinobi (Full Member)
June 29, 2011, 02:35:50 AM  #7

The benefit of this effort on the part of Camp BX is that it highlights just how non-transparent and less sophisticated Magical Tux and Co. are in both PR and security implementation. I have more faith in Camp BX from this posting alone than anything MT. Gox has done. You'd think they'd do something similar. But I guess that as long as people patronize them and don't force their hand, they don't have to bother - the zealots will come to their defense no matter what people point out.

These BX folks clearly understand how to market themselves, if nothing else. I'm impressed, though I'd think the BTC community could use you as a direct exchange as opposed to a brokerage.


wumpus (Hero Member)
June 29, 2011, 02:39:44 AM  #8

Sounds good; too bad this will be a US-only exchange.


DamienBlack (Jr. Member)
June 29, 2011, 02:51:34 AM  #9

I think I'm looking forward to this exchange. The mt gox "delay" is getting annoying. And I've always wanted the ability to put in a fill-or-kill order.


MeSarah (Full Member)
June 29, 2011, 03:00:41 AM  #10

Congratz. I think it's apparent who the new king of the mountain is going to be. Keyur, CampBX will restore faith and confidence for many people. Best of luck to CBX.


wujh (Jr. Member)
June 29, 2011, 03:05:20 AM  #11

good for you


Serge (Legendary)
June 29, 2011, 03:05:44 AM  #12

Very professional approach

Hopefully you will be able to do international bitcoin trading


What are your fees going to be like for the service?

Horkabork (Full Member)
June 29, 2011, 03:19:53 AM  #13

That's awesome. May I suggest something else as well?

Put up some security bug bounties in BTC (Or maybe just offer no fees a while as the bounty?)

They wouldn't have to be massive. As places like google and mozilla have found, they'll never be able to beat what a person could get for selling an exploit package, so the rewards are kind of just token.


billyjoeallen (Legendary)
June 29, 2011, 03:24:29 AM  #14

> I think I'm looking forward to this exchange. The mt gox "delay" is getting annoying. And I've always wanted the ability to put in a fill-or-kill order.

I'd like to see call options.


ius (Jr. Member)
June 29, 2011, 03:27:11 AM  #15

> We were tested for >1,000 known vulnerabilities specific to our platform and services by McAfee Secure (formerly McAfee Hacker-Safe), who are ranked #1 in the security industry for threat detection.  This is the same auditing service used by well-known brands like Costco, Petco, and Roush Racing for their e-commerce websites.

Congratulations, you fell for the same ploy as Costco, Petco & friends - you're paying for a useless logo.

Correct me if I'm wrong, but iirc. McAfee only performs an automated remote scan - nothing you couldn't do yourself with Nessus or some other equivalent.

Get a proper audit done - a white/grey box pentest and a source audit. They didn't do that, did they?


datguywhowanders (Member)
June 29, 2011, 03:31:15 AM  #16

Keyur,

Now that you have completed your audit successfully, congratulations btw, does CBX have a tentative launch date?

I find myself very anxious to try out your service live.

Awesome work, keep it up!


datafish (Donator, Full Member)
June 29, 2011, 04:01:01 AM  #17

> Now that you have completed your audit successfully, congratulations btw, does CBX have a tentative launch date?

Go to campbx.com and see the countdown timer for yourself.

ananas5 (Newbie)
June 29, 2011, 04:18:48 AM  #18

> (quoting Keyur @ Camp BX's post #1 above in full)


I was looking forward to using your site, but now I just figured out that it's US only. If I may ask, what's the reason for it?


NO_SLAVE (Jr. Member)
June 29, 2011, 04:21:15 AM  #19

GOX are you watching? Learning?

modrobert (Member)
June 29, 2011, 05:00:34 AM  #20

From campbx.com...

"Tested according to U.S. Government requirements"

I seriously doubt anyone will be impressed by that, it's more like a seal of certainty that lulzsec will breeze through the security measures in five minutes.

Fancy logos and certifications aside, any site can be hacked, what is more important is how hack attempts are dealt with from the user point of view (are losses covered?).

BTW:

Site running PHP/MySQL - Pass
