Bitcoin Forum
December 05, 2016, 08:47:06 AM *
Author Topic: MtGox account compromised  (Read 108215 times)
fabianhjr
February 01, 2011, 05:48:15 PM
 #41

Captcha is better than nothing. Do the ad ones and make a few pennies off the hackers.

Store a column on the table for failed attempts. If the count > 5 then require a captcha with the password. On a successful login, reset the count.

If the count say, gets over 50, lock the account for verification, or run a cron to reset it on a daily basis.

Another flag inside the account when they first login could show these hack attempts, something along the lines of "57 attempts to login to your account were done prior to this login from IP: " etc... TOR IP's of course won't be very helpful.

Last log in from IP can also be helpful if people pay attention to it and normally login from a similar address.

None of that makes it bullet proof, but it certainly makes it easier to quickly spot an issue. Needless to say, your password shouldn't be password for something that stores money in it.

You _never_ lock based on an account. You _lock_ based on the IP address the request came from. (Look into the account lockout denial of service attack.)

ElectricGoat
February 01, 2011, 05:53:56 PM
 #42

You _never_ lock based on an account. You _lock_ based on the IP address the request came from. (Look into the account lockout denial of service attack.)

Locking an IP doesn't protect against distributed attacks. A temporary lock of the account seems preferable to a loss of hundreds of bitcoins. Simply locking an account for one minute makes it horribly slow to try a brute force attack.

Art experiment with bitcoins: http://greta.electricgoat.net
fabianhjr
February 01, 2011, 06:05:13 PM
 #43

What if my goal is just to stop you from participating in the market? If I just want to kick you, I just leave some bruteforcers on forever and you would never be able to enter again. Even if it is just 1 minute, then 0.000001 seconds later you are blocked again and again and again. :/

ribuck
February 01, 2011, 06:13:31 PM
 #44

Simply locking an account for one minute makes it horribly slow to try a brute force attack.
No, that doesn't work. Instead of trying 100,000 passwords on one account, the attacker simply tries one password on 100,000 accounts. Same chance of success.
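The lockout debate above (captcha after a few failures, the lockout denial of service, and one password tried across many accounts) can be reconciled in one throttle that counts per account and per source, expires its counters, and never hard-locks. This is an added example in Python, not code from MtGox or from any poster; the thresholds and the window are assumed values:

```python
import time
from collections import defaultdict, deque

# Assumed thresholds mirroring the thread: captcha after 5 failures on an
# account, capped growing delays per source IP instead of a hard lock (so a
# flood of bad logins cannot lock a victim out), and a spray guard for one
# IP failing against many distinct accounts. All counters expire after WINDOW.
CAPTCHA_AFTER, DELAY_AFTER, SPRAY_ACCOUNTS, WINDOW = 5, 10, 20, 3600


class LoginThrottle:
    def __init__(self, now=time.time):
        self.now = now
        self.acct_fail = defaultdict(deque)  # account -> failure timestamps
        self.ip_fail = defaultdict(deque)    # source IP -> failure timestamps
        self.ip_accts = defaultdict(dict)    # source IP -> {account: last failure}

    def _expire(self, t, account, ip):
        for dq in (self.acct_fail[account], self.ip_fail[ip]):
            while dq and dq[0] <= t - WINDOW:
                dq.popleft()
        seen = self.ip_accts[ip]
        for acct in [a for a, ts in seen.items() if ts <= t - WINDOW]:
            del seen[acct]

    def check(self, account, ip):
        """Policy for this attempt, decided before the password is verified."""
        t = self.now()
        self._expire(t, account, ip)
        n_ip = len(self.ip_fail[ip])
        spray = len(self.ip_accts[ip]) >= SPRAY_ACCOUNTS
        # delay grows with failures from this source but is capped, so it slows
        # guessing without becoming the permanent lock the thread warns about
        delay = min(60, 2 ** (n_ip - DELAY_AFTER)) if n_ip >= DELAY_AFTER else 0
        captcha = spray or len(self.acct_fail[account]) >= CAPTCHA_AFTER
        return {"captcha": captcha, "delay_seconds": delay, "spray_suspected": spray}

    def record(self, account, ip, success):
        """Record the outcome; on success, return the failures since the last good
        login so the user can be shown the attempts made against the account."""
        t = self.now()
        self._expire(t, account, ip)
        if success:
            prior = len(self.acct_fail[account])
            self.acct_fail[account].clear()
            return prior
        self.acct_fail[account].append(t)
        self.ip_fail[ip].append(t)
        self.ip_accts[ip][account] = t
        return len(self.acct_fail[account])
```

The captcha is keyed on the account, so it follows the victim across attacker IPs, while the delay is keyed on the source, so a flood of bad logins slows the source rather than locking the victim.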
DarkMatter
February 01, 2011, 06:21:25 PM
 #45

Hi everyone,
I'm sorry for not introducing myself before, but I guess we have much more important things to talk about right now.
Considering the actual situation (I'm sorry for the user using a common dictionary word as his "bank" account password, and mtgox not having any dictionary attack protection implementation ... ), I just noticed a great drop of the BTC available for free at http://freebitcoins.appspot.com. It dropped about 300BTC in 36hrs. Should we worry?

Feed The Troll!! | 1JKdTyUjxo5VJoaQKjp4oUnXqdSSErC1mp
Hal
February 01, 2011, 06:24:42 PM
 #46

Now I'm paranoid. I just tried to login to mtgox from my iPad and got an invalid certificate error. The issuer is certificates.godaddy.com. Has anyone else gotten this? I suspect it is a misconfiguration of the mtgox server a la http://blog.boxedice.com/2009/05/11/godaddy-ssl-certificates-and-cannot-verify-identity-on-macsafari/.

Hal Finney
LZ
February 01, 2011, 06:46:19 PM
 #47

I cannot find my orders in the Depth Table! Does anybody else?

"Never invest unless you can afford to lose your entire investment." © S3052
kiba
February 01, 2011, 06:50:11 PM
 #48

Code:
01/24/11 00:16 Payment Process united 0 0 0.003 0
It seems that I'll have to change my security practices too.

ElectricGoat
February 01, 2011, 06:51:35 PM
 #49

No, that doesn't work. Instead of trying 100,000 passwords on one account, the attacker simply tries one password on 100,000 accounts. Same chance of success.
Of course, it shouldn't be the only security measure, but that's a very helpful one. Trying a password on 100k accounts is slightly more difficult, because you need 100k user names.

Art experiment with bitcoins: http://greta.electricgoat.net
nelisky
February 01, 2011, 06:58:32 PM
 #50

Code:
01/24/11 00:16 Payment Process united 0 0 0.003 0
It seems that I'll have to change my security practices too.
Code:
01/24/11 00:16 Payment Process united 0 0 -0.002 0.005

Don't we all... funny how the times are sync'd though.
LZ
February 01, 2011, 07:01:47 PM
 #51

Yeah, what is that?
Code:
01/24/11 14:51 Payment Process united
01/24/11 00:16 Payment Process united

"Never invest unless you can afford to lose your entire investment." © S3052
kiba
February 01, 2011, 07:02:25 PM
 #52

Don't we all... funny how the times are sync'd though.

Well, I didn't have a dictionary password. I used numbers, and a symbol. Maybe it wasn't long enough? In any case, this is a terrible thing to happen.

kiba
February 01, 2011, 07:09:12 PM
 #53

Bitcoiners from the IRC channel reported that their passwords are randomly generated but their accounts are still compromised.

DarkMatter
February 01, 2011, 07:11:17 PM
 #54

Bitcoiners from the IRC channel reported that their passwords are randomly generated but their accounts are still compromised.

That's the problem. As you have already stated, this was not a "weak password" hack.
Guess Vladimir is wrong. Could the whole MtGox platform be compromised? Looks so.

[edit]
A brute force/dictionary attack would lead to many "errors" in the platform log.
You are logging failed login attempts, right MtGox?
[/edit]

Feed The Troll!! | 1JKdTyUjxo5VJoaQKjp4oUnXqdSSErC1mp
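DarkMatter's point, that a guessing attack leaves a trail of failed logins, and the earlier observation that randomly generated passwords fell anyway, can both be checked from an authentication log. This is an added example in Python, not MtGox's code, run over a constructed log in an assumed `login OK|FAIL user=... ip=...` format; it separates single-source brute force, distributed brute force, password spraying, and a success on an account with no failed guesses on record:

```python
import re
from collections import Counter, defaultdict

LINE = re.compile(r"^(\S+ \S+) login (OK|FAIL) user=(\S+) ip=(\S+)$")


def sample_log():
    """Constructed lines, not a real MtGox log, covering three patterns."""
    lines = ["2011-01-20 09:00:00 login OK user=bob ip=192.0.2.10"]
    # single-account brute force: 30 failures from one source
    lines += ["2011-01-24 00:%02d:00 login FAIL user=alice ip=198.51.100.7" % i
              for i in range(30)]
    # password spray: one guess each against 25 accounts from one source
    lines += ["2011-01-24 01:00:%02d login FAIL user=user%d ip=203.0.113.9" % (i, i)
              for i in range(25)]
    # quiet takeover: bob logs in from a new IP with no failures beforehand
    lines += ["2011-01-24 14:51:00 login OK user=bob ip=192.0.2.44"]
    return lines


def analyse(lines, brute=20, spray=10, distributed=5):
    acct_fail = defaultdict(Counter)  # account -> Counter of source IPs
    ip_fail = defaultdict(Counter)    # source IP -> Counter of accounts
    known_ips = defaultdict(set)      # account -> IPs it logged in from before
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        _ts, result, user, ip = m.groups()
        if result == "FAIL":
            acct_fail[user][ip] += 1
            ip_fail[ip][user] += 1
            continue
        # a success from a never-seen IP with no failed guesses on record is the
        # case the thread describes: the password was not guessed online
        if known_ips[user] and ip not in known_ips[user] and not acct_fail[user]:
            findings.append(("success_without_prior_failures", user, ip))
        known_ips[user].add(ip)
    for user, ips in acct_fail.items():
        total = sum(ips.values())
        if total >= brute:
            kind = "distributed_brute_force" if len(ips) >= distributed else "brute_force"
            findings.append((kind, user, total))
    for ip, users in ip_fail.items():
        # many accounts, at most a couple of tries each: one password, many names
        if len(users) >= spray and max(users.values()) <= 2:
            findings.append(("password_spray", ip, len(users)))
    return findings
```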
nelisky
February 01, 2011, 07:12:49 PM
 #55

Bitcoiners from the IRC channel reported that their passwords are randomly generated but their accounts are still compromised.

I'm no security expert nor am I knowledgeable of mtgox's code, but as a coder when I see my account being stripped of 0.005 coins, which you can't see on the UI unless you look at history and do some math... well, it sounds like the actual server was compromised and DB's scraped.

Just saying.
kiba
February 01, 2011, 07:15:55 PM
 #56

MtGox said that the event on 1/24 was people merely accessing my account for name.

In other words, it wasn't compromised, maybe?

Even so, I do not feel safe.

DarkMatter
February 01, 2011, 07:17:27 PM
 #57

Have a look at https://mtgox.com/support/tradeAPI
User credentials are passed along in clear text with GET method, not POST method.
That's sad man, anyone able to sniff the server traffic would have all the credentials.


My bad, that's false.
Didn't read the "The following take your Mt Gox username and password as parameters. They must be sent as a POST. " part.

Feed The Troll!! | 1JKdTyUjxo5VJoaQKjp4oUnXqdSSErC1mp
DarkMatter
February 01, 2011, 07:19:33 PM
 #58

Bitcoiners from the IRC channel reported that their passwords are randomly generated but their accounts are still compromised.

That's the problem. As you have already stated, this was not a "weak password" hack.
Guess Vladimir is wrong. Could the whole MtGox platform be compromised? Looks so.

I am not wrong, I might not be very well informed.

Yea, it might be worse. Speculating further, in the presence of virtually no useful information, just knowing the general way web developers do stuff these days, I would guess that this might be a SQL injection attack, where the attacker got to the user auth database and bruteforced the password hashes (probably even using a bunch of 5970s).

Hopefully, mtgox will come up with a statement and stop all these speculations soon.


Sorry man, didn't mean to treat you badly.
MtGox should put the whole stuff offline before more BTC are stolen.
And then investigate further.

Feed The Troll!! | 1JKdTyUjxo5VJoaQKjp4oUnXqdSSErC1mp
kiba
February 01, 2011, 07:22:36 PM
 #59

I am not wrong, I might not be very well informed.

Yea, it might be worse. Speculating further, in the presence of virtually no useful information, just knowing the general way web developers do stuff these days, I would guess that this might be a SQL injection attack, where the attacker got to the user auth database and bruteforced the password hashes (probably even using a bunch of 5970s).

Hopefully, mtgox will come up with a statement and stop all these speculations soon.


Maybe you could start a bitcoin security company in which you certify sites for following security protocols?

theymos
February 01, 2011, 07:35:01 PM
 #60

User credentials are passed along in clear text with GET method, not POST method.
That's sad man, anyone able to sniff the server traffic would have all the credentials.

POST is also easily readable plaintext... GET is just visible in the URL. GET parameters are encrypted when using HTTPS.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD