Taras (OP)
September 06, 2013, 11:09:52 PM
It looks like a player is abusing some sort of exploit on BitVegas, and has successfully logged in as both murderscene, Dinnerbone and myself. EVERYONE's balances in the server have struck 0. Someone needs to shut the server off asap before further damage can be caused. If any of you are reading this, the server staff, take it down now!

maanto
September 06, 2013, 11:24:36 PM
I can confirm that this happened. Somebody was logged into my account, and appeared to log into others' accounts too.

nahtnam
September 06, 2013, 11:54:14 PM
It looks like a player is abusing some sort of exploit on BitVegas, and has successfully logged in as both murderscene, Dinnerbone and myself. EVERYONE's balances in the server have struck 0. Someone needs to shut the server off asap before further damage can be caused. If any of you are reading this, the server staff, take it down now!
Hahahahaha. Good thing I always cashout EVERYTHING when I log out!

UltimateNoob
September 07, 2013, 03:04:48 AM
I know MurderScene has an account on Bitcointalk. It would be nice to have at least an acknowledgement from him regarding the hack.

nahtnam
September 07, 2013, 03:08:49 AM
I know MurderScene has an account on Bitcointalk. It would be nice to have at least an acknowledgement from him regarding the hack.
I have tried looking up murderscene on here, but couldn't find his username... If anyone has his email or username plz let me know!

ingrownpocket
September 07, 2013, 08:54:42 AM

Boelens
September 07, 2013, 10:31:04 AM
What the hell? He deals with real money but hasn't updated craftbukkit/spigot properly? There was a major exploit where anyone could log in without their name being verified, it was spread everywhere fairly quickly and solved, but in cases where there is being dealt with real money you should be so extremely careful like this, or at least protect the admin account with a password? This is really a poor job on protecting the server, and I hope he has backups, or can see the logs to give the balances back.

TheUntitled
September 07, 2013, 11:07:23 AM
Hey there everyone. I'm staff on BitVegas (my username there is The_Untitled1).
As of yet, we're not sure exactly how we're going to handle the situation. All we currently know is that Murderscene's account was hacked, all accounts are drained (mine included, though I only lost about 0.038 mBTC) and Level 6 was screwed up with World Edit.
The reason this most likely happened is the fact that Murder just did not update. We staff have not had contact with him for about 3 weeks (this is the third time this has happened in my time staffing BitVegas), and as such we could not update or release Poker. He's been seemingly ignoring PMs, and is always on Do Not Disturb on Skype. We cannot contact him. This may have led to security issues which enabled the attack, but it's too early to tell.
All I can say is: bear with us. Me and the other staff are going to send a lot of messages to Murderscene and HOPEFULLY we'll be able to reimburse everyone; but once again: it is too early to tell.
Freelance writer at CoinBuzz.com

TheUntitled
September 07, 2013, 11:08:55 AM
I know MurderScene has an account on Bitcointalk. It would be nice to have at least an acknowledgement from him regarding the hack.
I have tried looking up murderscene on here, but couldn't find his username... If anyone has his email or username plz let me know!
Murderscene's username on Bitcointalk is BitVegas.
Freelance writer at CoinBuzz.com

Boelens
September 07, 2013, 11:23:12 AM
Hey there everyone. I'm staff on BitVegas (my username there is The_Untitled1).
As of yet, we're not sure exactly how we're going to handle the situation. All we currently know is that Murderscene's account was hacked, all accounts are drained (mine included, though I only lost about 0.038 mBTC) and Level 6 was screwed up with World Edit.
The reason this most likely happened is the fact that Murder just did not update. We staff have not had contact with him for about 3 weeks (this is the third time this has happened in my time staffing BitVegas), and as such we could not update or release Poker. He's been seemingly ignoring PMs, and is always on Do Not Disturb on Skype. We cannot contact him. This may have led to security issues which enabled the attack, but it's too early to tell.
All I can say is: bear with us. Me and the other staff are going to send a lot of messages to Murderscene and HOPEFULLY we'll be able to reimburse everyone; but once again: it is too early to tell.
Murderscene hasn't been hacked. It's a simple exploit, nowhere near close to hacking. This could have all been prevented so easily. A casino that handles money in a game where you have no control over the updates of, you should at least take proper security measures.

TheUntitled
September 07, 2013, 11:31:41 AM
Hey there everyone. I'm staff on BitVegas (my username there is The_Untitled1).
As of yet, we're not sure exactly how we're going to handle the situation. All we currently know is that Murderscene's account was hacked, all accounts are drained (mine included, though I only lost about 0.038 mBTC) and Level 6 was screwed up with World Edit.
The reason this most likely happened is the fact that Murder just did not update. We staff have not had contact with him for about 3 weeks (this is the third time this has happened in my time staffing BitVegas), and as such we could not update or release Poker. He's been seemingly ignoring PMs, and is always on Do Not Disturb on Skype. We cannot contact him. This may have led to security issues which enabled the attack, but it's too early to tell.
All I can say is: bear with us. Me and the other staff are going to send a lot of messages to Murderscene and HOPEFULLY we'll be able to reimburse everyone; but once again: it is too early to tell.
Murderscene hasn't been hacked. It's a simple exploit, nowhere near close to hacking. This could have all been prevented so easily. A casino that handles money in a game where you have no control over the updates of, you should at least take proper security measures.
Thanks for clarifying. I'm well aware we should take proper security measures, but we as staff only have access to certain things. At the core of BitVegas is Murderscene, whether we like it or not. We have been sending him messages for weeks now begging him to update but he has not responded, which is why this happened. We have wanted to update a long time ago, and had we done so this could have been prevented. I've shut the server down via MCMyAdmin until further notice. We (staff) are all sending Murder messages in every way we know possible, through Skype, Bitcointalk and Reddit. Until he responds, the server remains shut off. Furthermore, if anyone would like to report something to me which might help us figure out the scale of the attack, or just wants to talk to me about the situation, add me on Skype. My username is: The_Untitled1-BitVegas
Freelance writer at CoinBuzz.com

Boelens
September 07, 2013, 11:37:23 AM
Hey there everyone. I'm staff on BitVegas (my username there is The_Untitled1).
As of yet, we're not sure exactly how we're going to handle the situation. All we currently know is that Murderscene's account was hacked, all accounts are drained (mine included, though I only lost about 0.038 mBTC) and Level 6 was screwed up with World Edit.
The reason this most likely happened is the fact that Murder just did not update. We staff have not had contact with him for about 3 weeks (this is the third time this has happened in my time staffing BitVegas), and as such we could not update or release Poker. He's been seemingly ignoring PMs, and is always on Do Not Disturb on Skype. We cannot contact him. This may have led to security issues which enabled the attack, but it's too early to tell.
All I can say is: bear with us. Me and the other staff are going to send a lot of messages to Murderscene and HOPEFULLY we'll be able to reimburse everyone; but once again: it is too early to tell.
Murderscene hasn't been hacked. It's a simple exploit, nowhere near close to hacking. This could have all been prevented so easily. A casino that handles money in a game where you have no control over the updates of, you should at least take proper security measures.
Thanks for clarifying. I'm well aware we should take proper security measures, but we as staff only have access to certain things. At the core of BitVegas is Murderscene, whether we like it or not. We have been sending him messages for weeks now begging him to update but he has not responded, which is why this happened. We have wanted to update a long time ago, and had we done so this could have been prevented. I've shut the server down via MCMyAdmin until further notice. We (staff) are all sending Murder messages in every way we know possible, through Skype, Bitcointalk and Reddit. Until he responds, the server remains shut off. Furthermore, if anyone would like to report something to me which might help us figure out the scale of the attack, or just wants to talk to me about the situation, add me on Skype. My username is: The_Untitled1-BitVegas
I know it's not the staffs' fault. I'm just very disappointed at how poorly Murder protected/secured the server, and the lack of communication is worrisome too.

TheUntitled
September 07, 2013, 11:38:49 AM
Hey there everyone. I'm staff on BitVegas (my username there is The_Untitled1).
As of yet, we're not sure exactly how we're going to handle the situation. All we currently know is that Murderscene's account was hacked, all accounts are drained (mine included, though I only lost about 0.038 mBTC) and Level 6 was screwed up with World Edit.
The reason this most likely happened is the fact that Murder just did not update. We staff have not had contact with him for about 3 weeks (this is the third time this has happened in my time staffing BitVegas), and as such we could not update or release Poker. He's been seemingly ignoring PMs, and is always on Do Not Disturb on Skype. We cannot contact him. This may have led to security issues which enabled the attack, but it's too early to tell.
All I can say is: bear with us. Me and the other staff are going to send a lot of messages to Murderscene and HOPEFULLY we'll be able to reimburse everyone; but once again: it is too early to tell.
Murderscene hasn't been hacked. It's a simple exploit, nowhere near close to hacking. This could have all been prevented so easily. A casino that handles money in a game where you have no control over the updates of, you should at least take proper security measures.
Thanks for clarifying. I'm well aware we should take proper security measures, but we as staff only have access to certain things. At the core of BitVegas is Murderscene, whether we like it or not. We have been sending him messages for weeks now begging him to update but he has not responded, which is why this happened. We have wanted to update a long time ago, and had we done so this could have been prevented. I've shut the server down via MCMyAdmin until further notice. We (staff) are all sending Murder messages in every way we know possible, through Skype, Bitcointalk and Reddit. Until he responds, the server remains shut off. Furthermore, if anyone would like to report something to me which might help us figure out the scale of the attack, or just wants to talk to me about the situation, add me on Skype. My username is: The_Untitled1-BitVegas
I know it's not the staffs' fault. I'm just very disappointed at how poorly Murder protected/secured the server, and the lack of communication is worrisome too.
I hear you. It's been incredibly frustrating for us to not have any contact with him for so long.
Freelance writer at CoinBuzz.com

BitVegas
September 07, 2013, 01:01:45 PM
I am looking into this now!

Vandroiy
September 07, 2013, 01:47:33 PM Last edit: September 07, 2013, 02:03:40 PM by Vandroiy
Sorry, but... the images in the OP are hilarious. Direct management of BTC using Craftbukkit, with no back-end system that has sanity checks or at least a booby trap? And then not reacting to a known fatal security hole? I'll be frank, that's asking for it and should be treated equivalent to the owners stealing the money. (Those cases are indistinguishable anyway since an admin could have pretended to be the hacker.)

Boelens
September 07, 2013, 01:55:32 PM
Sorry, but... the images in the OP are hilarious. Direct management of BTC using Craftbukkit, with no back-end system that has sanity checks or at least a booby trap? And then not reacting to a known fatal security hole? I'll be frank, that's asking for it and should be treated equivalent to the owners stealing the money. (Those cases are indistinguishable anyway since an admin could have pretended to be the hacker.)
Well, there is no money being stolen by the owner right now, from what I've heard, everything will be re-imbursed.

BitVegas
September 07, 2013, 01:57:38 PM
Sorry, but... the images in the OP are hilarious. Direct management of BTC using Craftbukkit, with no back-end system that has sanity checks or at least a booby trap? And then not reacting to a known fatal security hole? I'll be frank, that's asking for it and should be treated equivalent to the owners stealing the money. (Those cases are indistinguishable anyway since an admin could have pretended to be the hacker.)
Yes. All money will be refunded. We have 100% accurate logs of all BTC lost. No players will be affected by this and the casino will take the loss.

Vandroiy
September 07, 2013, 02:06:06 PM Last edit: September 07, 2013, 02:16:47 PM by Vandroiy
Yes. All money will be refunded. We have 100% accurate logs of all BTC lost. No players will be affected by this and the casino will take the loss.
Yep, that's the right step to take. I'd really recommend to at least modify the login or command-giving process of admins to include a booby trap. If admin commands are normally input in a weird manner, a hacker who tries normal methods would trigger the trap. The server would then shut down immediately and wait for an admin with local or SSH access. (This may or may not have prevented this incident depending on when the hacker logged in as an admin, not just as users withdrawing their "own" funds. But at least then he would've been stopped.) Of course, this would still be security by obscurity. The professional solution is a back-end that executes withdrawals from a more secure interface, so that the game engine cannot just dump all user wallets or things like that. But anything that makes a hacker's life harder is a good start.
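
An added example, not part of the thread and not BitVegas code: the withdrawal back-end with sanity checks and a booby trap that Vandroiy describes in this post and his earlier one. All class, function and account names are hypothetical, and the limits (per-account cap, window length, distinct accounts allowed per window) are assumed values chosen for the illustration.

```python
from collections import deque
from decimal import Decimal


class WithdrawalGateway:
    """Owns the balances; the game server can only submit requests to it."""

    def __init__(self, balances, canaries=(), per_account_cap=Decimal("0.5"),
                 window_s=600, max_accounts=3):
        self.balances = dict(balances)    # account -> Decimal BTC
        self.canaries = set(canaries)     # decoy accounts no real player uses
        self.per_account_cap = per_account_cap
        self.window_s = window_s
        self.max_accounts = max_accounts  # distinct payees allowed per window
        self.recent = deque()             # (timestamp, account) of approved payouts
        self.halted = False               # only an operator clears this, out of band
        self.audit = []                   # every decision, for later reimbursement

    def _log(self, now, account, amount, verdict):
        self.audit.append((now, account, amount, verdict))
        return verdict

    def request(self, now, account, amount):
        """Called by the game server; returns 'paid', 'denied' or 'halted'."""
        if self.halted:
            return self._log(now, account, amount, "halted")
        if account in self.canaries:      # booby trap: nobody should touch a decoy
            self.halted = True
            return self._log(now, account, amount, "halted")
        balance = self.balances.get(account)
        if (balance is None or amount <= 0 or amount > balance
                or amount > self.per_account_cap):
            return self._log(now, account, amount, "denied")
        while self.recent and now - self.recent[0][0] > self.window_s:
            self.recent.popleft()         # forget payouts older than the window
        active = {acct for _, acct in self.recent} | {account}
        if len(active) > self.max_accounts:   # too many accounts cashing out at once
            self.halted = True
            return self._log(now, account, amount, "halted")
        self.balances[account] = balance - amount
        self.recent.append((now, account))
        return self._log(now, account, amount, "paid")


def replay_drain():
    """Constructed scenario: every account is cashed out within a few seconds."""
    names = ("alice", "bob", "carol", "dave", "erin")
    gw = WithdrawalGateway({n: Decimal("0.1") for n in names}, canaries={"vault_admin"})
    verdicts = [gw.request(t, n, Decimal("0.1")) for t, n in enumerate(names)]
    return verdicts, sum(gw.balances.values())
```

Because the halt flag lives in the back-end and is only cleared out of band, a compromised game-server account can lose at most what fits inside the limits before the breaker trips.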

Boelens
September 07, 2013, 02:16:19 PM
Yes. All money will be refunded. We have 100% accurate logs of all BTC lost. No players will be affected by this and the casino will take the loss.
Yep, that's the right step to take. I'd really recommend to at least modify the login or command-giving process of admins to include a booby trap. If admin commands are normally input in a weird manner, a hacker who tries normal methods would trigger the trap. The server would then shut down immediately and wait for an admin with local or SSH access. (This may or may not have prevented this incident depending on when the hacker logged in as an admin, not just as users withdrawing their "own" funds. But at least then he would've been stopped.) Of course, this would still be security by obscurity. The professional solution is a back-end that executes withdrawals, so that a game engine cannot just dump all user wallets or things like that. But anything that makes a hacker's life harder is a good start.
I don't think a 'booby trap' is necessary, that seems a bit too much. A simple login system could have prevented this.

Vandroiy
September 07, 2013, 02:35:57 PM
I don't think a 'booby trap' is necessary, that seems a bit too much. A simple login system could have prevented this.
Well, in hindsight preventing any hack is simple. But game engines usually show hundreds or thousands of cases of undesired behavior. IIRC a lot of public Minecraft servers have given up on trying to secure anything but identification -- with varying results -- and fight cheaters using booby traps and manual bans. I admit I don't know how much money clients of BitVegas put in. But if it is to become anything like other gambling places the problem becomes incomparably harder than keeping "normal" Minecraft servers safe. Minecraft servers have been repeatedly hacked and exploited in the most ridiculous manners, with no money involved, just for the lulz. It was clearly not designed with security in mind -- if BitVegas becomes successful, it also becomes the premier target of all future Minecraft hacks. As soon as there's enough money around there will be no warning period, all "zero day" exploits would strike BitVegas first. Oh well, I guess I'm getting a bit off topic here. Anyway, good luck with keeping things safe.