Bitcoin Forum
November 23, 2017, 10:05:31 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  

Warning: Moderators do not remove likely scams. You must use your own brain: caveat emptor. Watch out for Ponzi schemes. Do not invest more than you can afford to lose.

Pages: [1]
  Print  
Author Topic: MPEx Security Breach  (Read 2006 times)
timewaster
Jr. Member
*
Offline Offline

Activity: 42


View Profile
September 26, 2013, 01:32:51 AM
 #1

From http://trilema.com/2013/mpex-security-breach/:
Quote
Today in the interval 2 pm - 7 pm GMT MPEx suffered a layered attack which eventually resulted in unexecuted trades being relayed through to the market data feeds, brokers et al. We will go here into the details of what happened, why, how and what measures have been taken as a result.

First off, all funds are safe. No sum of BTC was obtained by the attacker as a result of his efforts. Second off, market data is also safe, in the sense that there exists no ambiguity as to what orders are in fact legitimate and what orders were illegitimately conveyed.

Unfortunately this also means a number of trades that appeared to be made in the respective interval will be rolled back. Third parties can trivially verify which is which, because while the legitimate orders contain tracking information, the illegitimate orders do not. Affected are a few dozen trades in the S.MPOE and S.BBET symbols.

In order to understand what happened, we will have to refer to the earlier tech stuff article. The particular architecture MPEx employs leaves it vulnerable to a situation very similar to what is known in Bitcoin as a 50% attack. That is to say, in some circumstances the proxies caching content from MPEx may find themselves in the situation of incorrectly identifying data as valid.

Such circumstances occur rarely under very heavy load. The first occurrence was on April 12, 2013. At that time one user had a trade erroneously reported as executed when in fact his counterparty had already cancelled his order, resulting in a pretty ruffled user and a sustained effort to refine and improve the proxy synchronisation mechanics so as to avoid such occurrences in the future.

MPEx has been sustaining significant floods since September the 22nd, peaking at around 3.2 Mbi. Nevertheless, outside of transient page timeouts trade was not significantly impaired, and proxy desynchronisation was not an issue at that time.

Today however the attacker also approached the admin of one proxy machine, and managed to convincingly impersonate me. This resulted in him acquiring login privileges, which he spent about three hours trying to use to effect trades without success. Eventually his lucky star and an overloaded router severed the proxy graph in such a manner that he was able to seemingly push trades through. It is my estimate that his window had maybe one hour left, and I would guess the odds of the various events required occuring in any given day to be under 1%. Nevertheless, it is factually correct to say that MPEx didn’t have enough safeguards in place for the case of hostile proxy on deck.ii

The attacker may have obtained partial, obfuscated copies of the MPEx databases. While I won’t go into details with regards to said obfuscation, it is a fact that breaching one proxy is not, as far as I can see, sufficient to obtain complete trade history. As directed in the FAQ, users are expected to take steps within their own control and at their own convenience to ensure their anonimity, and further,

    Internet-facing machines do hold copies of the database. They are reasonably secured, which probably means they are more secure than most any other bitcoin-based application at this time. However, their absolute security is not considered a strategic priority and no extraordinary measures are undertaken to ensure it.

Moving to measures taken, we have reported the attempt with the involved datacenter’s FBI contact as a matter of course.iii I do not expect this to yield any particular results or be any kind of silver bullet. We have taken steps to significantly strengthen the protocol used for communication with the proxy sysadmins. This will come at a cost of convenience and perhaps in time may delay efforts to recover from other types of problems, but nevertheless, I judge it prudent at this juncture. We are also making a number of code modifications, and the entire proxy farm will be moved on updated software as a matter of paranoia. This will result in a service interruption of about four to six hours, starting just as soon as we have everything together. I will also be taking this opportunity to create a new, stronger MPEx key, which was something that I had been wanting to do ever since the recent NSA debacle but have been hesitant to actually implement on account of the process requiring everything being taken offline.

I will try my best to answer any questions you may have below (and I would prefer you ask your questions below so they may remain related to their context and easily accessible in the future), nevertheless there are topics which I will not discuss in arbitrary detail for various reasons.
———

    The “very heavy” epithet used in the log will have to be rectified at this time. It wasn’t actually as heavy as it momentarily seemed. [↩]
    I do not however believe the design as it was could be called “bad” or “wrong”. It is a fact that security and convenience are inverse functions, and I am and remain firmly convinced that increases in deployed security should follow actual need rather than imagination. [↩]
    The exact choice of venue is a matter of convenience. Law enforcement shares information in any case. [↩]
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
kingcrimson
Legendary
*
Offline Offline

Activity: 1024


View Profile
September 26, 2013, 01:40:43 AM
 #2

Why would anyone bother? No one uses it or lists there. Glad the 'funds and data' are safe, that part made me laugh.
twentyseventy
Legendary
*
Offline Offline

Activity: 1386


View Profile
September 26, 2013, 01:43:22 AM
 #3

Thanks for the link, mate
TradeFortress
VIP
Legendary
*
Offline Offline

Activity: 910


View Profile
September 26, 2013, 02:18:59 AM
 #4

Ah, so another case of social engineering.
bittop100
Full Member
***
Offline Offline

Activity: 182


View Profile
September 26, 2013, 04:03:55 AM
 #5

Thanks for the link

burnside
Legendary
*
Offline Offline

Activity: 1008



View Profile WWW
September 26, 2013, 06:34:36 AM
 #6

Ah, so another case of social engineering.

I'll pretend I'm MPOE-PR giving some noob a beatdown.  Here goes.



What kind of moron lets their hosting company have access to their box?

And how many sites have already used their hosting company as a scapegoat when their site is hacked?  Anatomy of a scam!  Inject fake trades, wait for market to react, execute insider trades.

When will people get a clue and do everything like MPEX does?

GPG FTW.  (and stuff)

Failing last.  (and stuff)

So you want to start a bitcoin business?  blah blah.



Heh, all tongue in cheek of course, but I couldn't resist.  Wink

I'm not a Coinbase fan -- I placed a buy order, they took the funds out of my account, then a week later the price went up and they canceled the buy and closed my account.  You've been warned.  Use a different exchange.
stslimited
Hero Member
*****
Offline Offline

Activity: 546


View Profile
September 26, 2013, 11:47:23 AM
 #7

Ah, so another case of social engineering.

I'll pretend I'm MPOE-PR giving some noob a beatdown.  Here goes.



What kind of moron lets their hosting company have access to their box?

And how many sites have already used their hosting company as a scapegoat when their site is hacked?  Anatomy of a scam!  Inject fake trades, wait for market to react, execute insider trades.

When will people get a clue and do everything like MPEX does?

GPG FTW.  (and stuff)

Failing last.  (and stuff)

So you want to start a bitcoin business?  blah blah.



Heh, all tongue in cheek of course, but I couldn't resist.  Wink


nice to see some comedy (esp from you) in this perpetual clusterfuck
twentyseventy
Legendary
*
Offline Offline

Activity: 1386


View Profile
September 26, 2013, 05:02:08 PM
 #8

Ah, so another case of social engineering.

I'll pretend I'm MPOE-PR giving some noob a beatdown.  Here goes.



What kind of moron lets their hosting company have access to their box?

And how many sites have already used their hosting company as a scapegoat when their site is hacked?  Anatomy of a scam!  Inject fake trades, wait for market to react, execute insider trades.

When will people get a clue and do everything like MPEX does?

GPG FTW.  (and stuff)

Failing last.  (and stuff)

So you want to start a bitcoin business?  blah blah.



Heh, all tongue in cheek of course, but I couldn't resist.  Wink


Hahaha love to see that from burnside

Also, why aren't any of the former BTC-TC fund managers considering MPEx for their new home? /s  Grin
kakobrekla
Hero Member
*****
Offline Offline

Activity: 714


Psi laju, karavani prolaze.


View Profile
September 26, 2013, 05:07:08 PM
 #9

Ah, so another case of social engineering.

I'll pretend I'm MPOE-PR giving some noob a beatdown.  Here goes.



What kind of moron lets their hosting company have access to their box?

And how many sites have already used their hosting company as a scapegoat when their site is hacked?  Anatomy of a scam!  Inject fake trades, wait for market to react, execute insider trades.

When will people get a clue and do everything like MPEX does?

GPG FTW.  (and stuff)

Failing last.  (and stuff)

So you want to start a bitcoin business?  blah blah.



Heh, all tongue in cheek of course, but I couldn't resist.  Wink


Nefarious.

drawingthesun
Legendary
*
Offline Offline

Activity: 1078


View Profile
September 26, 2013, 05:08:10 PM
 #10

Well this puts an end to all the bragging about MPEx being the only Bitcoin service never to suffer a security breach.
EskimoBob
Legendary
*
Offline Offline

Activity: 910


Quality Printing Services by Federal Reserve Bank


View Profile
September 26, 2013, 05:22:09 PM
 #11

LOL. Mircea The Asshole Popescu, the gloating asshole of BTC world got his butt handed to him. LOL
 How many fkn times has this moron bragged how his shitty 0 stock wunder bazaar can not be hacked?

Mirceas business is to rip you off. Period. His .us TLD are registered under fake names and businesses that do not exist. Hes made few pennies spamming and ripping off people. Now he thinks now he is a god and only BTC financier on this planet. LOL!
I mean, WTF do you guys think, when you send this idiot your coin? Do you really expect him to take his pills regularly?

I bets some of you recall his fabulous options trading bot, where you guys financed his little game, while he took zero risk and "lost" 14K BTC in a month - YOUR MONEY!

Anyone doing business with this asshole or on sites related to this egomaniac, is either a scumbag or total moron.

MPOE-BS (aka Mircea The Asshole) , start yapping, crickets are waiting

While reading what I wrote, use the most friendliest and relaxing voice in your head.
BTW, Things in BTC bubble universes are getting ugly....
iCEBREAKER
Legendary
*
Offline Offline

Activity: 1848


[LOL2X]


View Profile WWW
September 26, 2013, 06:14:41 PM
 #12

LOL. Mircea The Asshole Popescu, the gloating asshole of BTC world got his butt handed to him. LOL
 How many fkn times has this moron bragged how his shitty 0 stock wunder bazaar can not be hacked?

Mirceas business is to rip you off. Period. His .us TLD are registered under fake names and businesses that do not exist. Hes made few pennies spamming and ripping off people. Now he thinks now he is a god and only BTC financier on this planet. LOL!
I mean, WTF do you guys think, when you send this idiot your coin? Do you really expect him to take his pills regularly?

I bets some of you recall his fabulous options trading bot, where you guys financed his little game, while he took zero risk and "lost" 14K BTC in a month - YOUR MONEY!

Anyone doing business with this asshole or on sites related to this egomaniac, is either a scumbag or total moron.

MPOE-BS (aka Mircea The Asshole) , start yapping, crickets are waiting

Learn to read please!

Quote
First off, all funds are safe. No sum of BTC was obtained by the attacker as a result of his efforts. Second off, market data is also safe, in the sense that there exists no ambiguity as to what orders are in fact legitimate and what orders were illegitimately conveyed.


██████████
█████████████████
██████████████████████
█████████████████████████
████████████████████████████
████
████████████████████████
█████
███████████████████████████
█████
███████████████████████████
██████
████████████████████████████
██████
████████████████████████████
██████
████████████████████████████
██████
███████████████████████████
██████
██████████████████████████
█████
███████████████████████████
█████████████
██████████████
████████████████████████████
█████████████████████████
██████████████████████
█████████████████
██████████

Monero
"The difference between bad and well-developed digital cash will determine
whether we have a dictatorship or a real democracy." 
David Chaum 1996
"Fungibility provides privacy as a side effect."  Adam Back 2014
Buy and sell XMR near you
P2P Exchange Network
Buy XMR with fiat
timewaster
Jr. Member
*
Offline Offline

Activity: 42


View Profile
September 26, 2013, 10:16:42 PM
 #13

What part of iCEBREAKERs post is refuted by the quote you provided?

Also, while it is said market data is safe. This part makes things concerning regarding user data:

Quote
The attacker may have obtained partial, obfuscated copies of the MPEx databases. While I won’t go into details with regards to said obfuscation, it is a fact that breaching one proxy is not, as far as I can see, sufficient to obtain complete trade history. As directed in the FAQ, users are expected to take steps within their own control and at their own convenience to ensure their anonimity, and further,

    Internet-facing machines do hold copies of the database. They are reasonably secured, which probably means they are more secure than most any other bitcoin-based application at this time. However, their absolute security is not considered a strategic priority and no extraordinary measures are undertaken to ensure it.
freedomno1
Legendary
*
Offline Offline

Activity: 1372


Activity: 9001 == OP


View Profile WWW
September 27, 2013, 07:27:20 PM
 #14

Still down whistle to Tor with you
Rannasha
Hero Member
*****
Offline Offline

Activity: 728


View Profile
September 28, 2013, 05:45:28 AM
 #15

well at least we know mpex still has one active user.

are there any sort of securities still listed there anyway?



Trade in shares of the exchange itself make up something like 80% of the volume.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!