Bitcoin Forum
Author Topic: MPEx Security Breach  (Read 2095 times)
timewaster (OP)
September 26, 2013, 01:32:51 AM
 #1

From http://trilema.com/2013/mpex-security-breach/:
Quote
Today in the interval 2 pm - 7 pm GMT MPEx suffered a layered attack which eventually resulted in unexecuted trades being relayed through to the market data feeds, brokers et al. We will go here into the details of what happened, why, how and what measures have been taken as a result.

First off, all funds are safe. No sum of BTC was obtained by the attacker as a result of his efforts. Second off, market data is also safe, in the sense that there exists no ambiguity as to what orders are in fact legitimate and what orders were illegitimately conveyed.

Unfortunately this also means a number of trades that appeared to be made in the respective interval will be rolled back. Third parties can trivially verify which is which, because while the legitimate orders contain tracking information, the illegitimate orders do not. Affected are a few dozen trades in the S.MPOE and S.BBET symbols.

In order to understand what happened, we will have to refer to the earlier tech stuff article. The particular architecture MPEx employs leaves it vulnerable to a situation very similar to what is known in Bitcoin as a 50% attack. That is to say, in some circumstances the proxies caching content from MPEx may find themselves in the situation of incorrectly identifying data as valid.

Such circumstances occur rarely under very heavy load.[i] The first occurrence was on April 12, 2013. At that time one user had a trade erroneously reported as executed when in fact his counterparty had already cancelled his order, resulting in a pretty ruffled user and a sustained effort to refine and improve the proxy synchronisation mechanics so as to avoid such occurrences in the future.

MPEx has been sustaining significant floods since September the 22nd, peaking at around 3.2 Mbi. Nevertheless, outside of transient page timeouts trade was not significantly impaired, and proxy desynchronisation was not an issue at that time.

Today however the attacker also approached the admin of one proxy machine, and managed to convincingly impersonate me. This resulted in him acquiring login privileges, which he spent about three hours trying to use to effect trades without success. Eventually his lucky star and an overloaded router severed the proxy graph in such a manner that he was able to seemingly push trades through. It is my estimate that his window had maybe one hour left, and I would guess the odds of the various events required occurring in any given day to be under 1%. Nevertheless, it is factually correct to say that MPEx didn’t have enough safeguards in place for the case of hostile proxy on deck.[ii]

The attacker may have obtained partial, obfuscated copies of the MPEx databases. While I won’t go into details with regards to said obfuscation, it is a fact that breaching one proxy is not, as far as I can see, sufficient to obtain complete trade history. As directed in the FAQ, users are expected to take steps within their own control and at their own convenience to ensure their anonymity, and further,

    Internet-facing machines do hold copies of the database. They are reasonably secured, which probably means they are more secure than most any other bitcoin-based application at this time. However, their absolute security is not considered a strategic priority and no extraordinary measures are undertaken to ensure it.

Moving to measures taken, we have reported the attempt with the involved datacenter’s FBI contact as a matter of course.[iii] I do not expect this to yield any particular results or be any kind of silver bullet. We have taken steps to significantly strengthen the protocol used for communication with the proxy sysadmins. This will come at a cost of convenience and perhaps in time may delay efforts to recover from other types of problems, but nevertheless, I judge it prudent at this juncture. We are also making a number of code modifications, and the entire proxy farm will be moved on updated software as a matter of paranoia. This will result in a service interruption of about four to six hours, starting just as soon as we have everything together. I will also be taking this opportunity to create a new, stronger MPEx key, which was something that I had been wanting to do ever since the recent NSA debacle but have been hesitant to actually implement on account of the process requiring everything being taken offline.

I will try my best to answer any questions you may have below (and I would prefer you ask your questions below so they may remain related to their context and easily accessible in the future), nevertheless there are topics which I will not discuss in arbitrary detail for various reasons.
———

    [i] The “very heavy” epithet used in the log will have to be rectified at this time. It wasn’t actually as heavy as it momentarily seemed.
    [ii] I do not however believe the design as it was could be called “bad” or “wrong”. It is a fact that security and convenience are inverse functions, and I am and remain firmly convinced that increases in deployed security should follow actual need rather than imagination.
    [iii] The exact choice of venue is a matter of convenience. Law enforcement shares information in any case.
kingcrimson
September 26, 2013, 01:40:43 AM
 #2

Why would anyone bother? No one uses it or lists there. Glad the 'funds and data' are safe, that part made me laugh.
twentyseventy
September 26, 2013, 01:43:22 AM
 #3

Thanks for the link, mate
🏰 TradeFortress 🏰
September 26, 2013, 02:18:59 AM
 #4

Ah, so another case of social engineering.
bittop100
September 26, 2013, 04:03:55 AM
 #5

Thanks for the link

burnside
September 26, 2013, 06:34:36 AM
 #6

Quote from: TradeFortress
Ah, so another case of social engineering.

I'll pretend I'm MPOE-PR giving some noob a beatdown.  Here goes.

What kind of moron lets their hosting company have access to their box?

And how many sites have already used their hosting company as a scapegoat when their site is hacked?  Anatomy of a scam!  Inject fake trades, wait for market to react, execute insider trades.

When will people get a clue and do everything like MPEX does?

GPG FTW.  (and stuff)

Failing last.  (and stuff)

So you want to start a bitcoin business?  blah blah.

Heh, all tongue in cheek of course, but I couldn't resist.  Wink
stslimited
September 26, 2013, 11:47:23 AM
 #7

Quote from: burnside

nice to see some comedy (esp from you) in this perpetual clusterfuck
twentyseventy
September 26, 2013, 05:02:08 PM
 #8

Quote from: burnside

Hahaha love to see that from burnside

Also, why aren't any of the former BTC-TC fund managers considering MPEx for their new home? /s  Grin
kakobrekla
September 26, 2013, 05:07:08 PM
 #9

Quote from: burnside

Nefarious.

drawingthesun
September 26, 2013, 05:08:10 PM
 #10

Well this puts an end to all the bragging about MPEx being the only Bitcoin service never to suffer a security breach.
EskimoBob
September 26, 2013, 05:22:09 PM
 #11

LOL. Mircea The Asshole Popescu, the gloating asshole of the BTC world, got his butt handed to him. LOL
How many fkn times has this moron bragged how his shitty 0 stock wunder bazaar cannot be hacked?

Mircea's business is to rip you off. Period. His .us TLDs are registered under fake names and businesses that do not exist. He's made a few pennies spamming and ripping off people. Now he thinks he is a god and the only BTC financier on this planet. LOL!
I mean, WTF do you guys think when you send this idiot your coin? Do you really expect him to take his pills regularly?

I bet some of you recall his fabulous options trading bot, where you guys financed his little game while he took zero risk and "lost" 14K BTC in a month - YOUR MONEY!

Anyone doing business with this asshole or on sites related to this egomaniac is either a scumbag or a total moron.

MPOE-BS (aka Mircea The Asshole), start yapping, crickets are waiting

While reading what I wrote, use the friendliest and most relaxing voice in your head.
BTW, things in BTC bubble universes are getting ugly....
iCEBREAKER
September 26, 2013, 06:14:41 PM
 #12

Quote from: EskimoBob

Learn to read please!

Quote
First off, all funds are safe. No sum of BTC was obtained by the attacker as a result of his efforts. Second off, market data is also safe, in the sense that there exists no ambiguity as to what orders are in fact legitimate and what orders were illegitimately conveyed.


timewaster (OP)
September 26, 2013, 10:16:42 PM
 #13

What part of iCEBREAKER's post is refuted by the quote you provided?

Also, while it is said that market data is safe, this part is concerning with regard to user data:

Quote
The attacker may have obtained partial, obfuscated copies of the MPEx databases. While I won’t go into details with regards to said obfuscation, it is a fact that breaching one proxy is not, as far as I can see, sufficient to obtain complete trade history. As directed in the FAQ, users are expected to take steps within their own control and at their own convenience to ensure their anonymity, and further,

    Internet-facing machines do hold copies of the database. They are reasonably secured, which probably means they are more secure than most any other bitcoin-based application at this time. However, their absolute security is not considered a strategic priority and no extraordinary measures are undertaken to ensure it.
freedomno1
September 27, 2013, 07:27:20 PM
Last edit: September 29, 2013, 05:37:22 AM by freedomno1
 #14

Still down whistle to Tor with you

Rannasha
September 28, 2013, 05:45:28 AM
 #15

well at least we know mpex still has one active user.

are there any sort of securities still listed there anyway?

Trade in shares of the exchange itself makes up something like 80% of the volume.