Bitcoin Forum
November 21, 2017, 10:02:30 AM *
Author Topic: Bitcoin is a magnet for hackers and crooks  (Read 7632 times)
RSantana
August 01, 2011, 06:43:38 AM
 #1

I know various forms of this topic have been discussed at length, but I thought it would be beneficial to hear another first hand account. After looking through 256 recent SQL injection attempts at my site I thought I'd share my experience thus far as a new bitcoin etailer.

I've been running various online retail websites for over 10 years. As many of you know, I recently started CoinedBits.com. I've been the receiver of more hack attempts in the last month at CoinedBits.com than the previous 10 years on all my other sites.

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.

Thanks for listening.

Check out the first physical bitcoin at http://CoinedBits.com
wumpus
August 01, 2011, 06:47:06 AM
 #2

Everyone, from crappy forums to e-tailer sites, gets SQL injection attempts, SSH scans, portscans, and other exploit testing crap... this has nothing to do with bitcoin.  A lot of it is automated, even.

If you don't protect your site well enough, you're screwed in this day and age. No matter what forms of payment that you accept.

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
RSantana
August 01, 2011, 06:52:52 AM
 #3

Everyone, from crappy forums to e-tailer sites, gets SQL injection attempts, SSH scans, portscans, and other exploit testing crap... this has nothing to do with bitcoin.  A lot of it is automated, even.

If you don't protect your site well enough, you're screwed in this day and age. No matter what forms of payment that you accept.

Yes, good point, it happens to everyone. My point is that the attacks seem to be much more frequent with bitcoin services. Can any other merchants back up my theory?

Check out the first physical bitcoin at http://CoinedBits.com
payb.tc
August 01, 2011, 07:15:40 AM
 #4

My point is that the attacks seem to be much more frequent with bitcoin services.

i would have guessed that to be true simply because bitcoin enthusiasts were already technically-minded (possibly 'hackers') before bitcoin even was invented.

if you invent a new soft fluffy toy and build a new community of soft fluffy toy lovers, you're probably going to get a different type of fan base and a far lower level of SQL injection attempts or other technical hacks perpetrated against merchants
JoelKatz
August 01, 2011, 07:19:32 AM
 #5

What possible difference could the frequency of hack attempts make? Do you investigate every attempt?

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
djex
August 01, 2011, 07:26:37 AM
 #6

I'd say the thing that attracts the attackers to bitcoin sites is that it's easy to get what they're looking for (money). If they were to attack a bank for example they would face all sorts of variables that would cause them more work not to get caught. For example, first finding a hole, then getting in, then making sure you clear logs and are not caught. With many bitcoin sites they are not highly protected due to the fact they are coded by your average programmer that isn't a security specialist. Often many attack vectors are left wide open and it's only a matter of time that they get exploited. Also there is the concept of bitcoin itself. Once the attacker gets in or finds a way to exploit a vulnerability it's easy to send the bitcoins to an anonymous address that is likely not going to be traced. With a bank on the other hand routing money in a way not to get caught isn't so easy.

In short bitcoins are easy to steal because 1. They're 100% digital 2. They're anonymous (to a point to discourage someone from tracing the transfers) 3. Bitcoins are new and the security knowledge of its supporters is just beginning to catch up.

In time it will get better. It's like anything new really, to become stronger and better the weaknesses have to be found and exploited first.

Smiley  : 1LbvSEJwtQZKLSQQVYxQJes8YneQk2yhE3
NothinG
August 01, 2011, 07:32:53 AM
 #7

Because bitcoin is new, there are many reasons why people are trying to exploit it.
I wouldn't go around testing exploits on a site that's been around for ~10-15 years (although PayPal did have a few exploits on the non-US site).

the founder
August 01, 2011, 02:21:52 PM
 #8

Yes, good point, it happens to everyone. My point is that the attacks seem to be much more frequent with bitcoin services. Can any other merchants back up my theory?

I can confirm that...  every bitcoin related site that we have is subjected to a much higher rate of hacking attempts.  

You can tell just from basic discussion on the forum...  it's always in this order as well... 

1 - security
2 - how it works
3 - security
4 - ease of use
5 - security

Everyone is worried about security...    and rightfully so.

look at the nature of bitcoins,  the average truck driver has no idea what they are...   only a small percentage of the average guys on the street know what they are...  only a small percentage of even programmers that work for ecommerce sites, etc know what they are....  but every self taught hacker on earth knows what they are...

 

Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
nmat
August 01, 2011, 02:38:57 PM
 #9

You can tell just from basic discussion on the forum...  it's always in this order as well... 

1 - security
2 - how it works
3 - security
4 - ease of use
5 - security

It's more like:

1 - OpenSource?
     No: Scam/Virus/Trojan. I will never download it.
     Yes: Let me check the code and I will tell you.

2 - Got reputation on the forum?
      No: Nobody will use your service.
      Yes: Let's wait for feedback from someone respectable

3 - How do you save user's passwords? No salt? No HTTPS?! Are you kidding?!
(.....)


People interested in bitcoins are in general computer geeks with a great interest in security. Now tell me, what happens if you take a bunch of security experts and make them run sites to sell stuff to each other?
julz
August 01, 2011, 02:51:08 PM
 #10

People interested in bitcoins are in general computer geeks with a great interest in security. Now tell me, what happens if you take a bunch of security experts and make them run sites to sell stuff to each other?

They'll each complain that the other is doing X wrong and it'd be better if the other guy used exactly what we're using..  and they'd all be afraid to do the slightest pragmatic tweak (which doesn't actually affect security much, but might actually let these systems talk to each other) for fear of being called out as insecure by the others.

I'm guessing their systems would be more secure than their egos so no one would back down to get things to actually work.

Ok - that's the cynical version..

If you can find a bunch of security experts who recognize that all security is a compromise and are able to gauge relative risks well  - maybe they'll even produce something with a user interface that doesn't suck.

(alright.. so it was still a slightly cynical version)


@electricwings   BM-GtyD5exuDJ2kvEbr41XchkC8x9hPxdFd
fennec
August 01, 2011, 02:53:36 PM
 #11

i would have guessed that to be true simply because bitcoin enthusiasts were already technically-minded (possibly 'hackers') before bitcoin even was invented.

I've got to agree with this. A higher proportion of programmers must mean a higher proportion of hackers, all other things being equal.

Also, have you considered the high volume of attacks might be due to an Internet-wide increase in the volume of automated attacks (I have no idea if this is the case; just speculating).

Preev – simple Bitcoin converter with live exchange rates
Tasty Champa
August 01, 2011, 02:56:46 PM
 #12

mine bitcoins, buy bitcoins or steal bitcoins.

we have a place for 2 of the options but this forum is lacking on the third most popular way of obtaining bitcoins.
the founder
August 01, 2011, 03:00:44 PM
 #13

It's more like:

1 - OpenSource?
     No: Scam/Virus/Trojan. I will never download it.
     Yes: Let me check the code and I will tell you.

2 - Got reputation on the forum?
      No: Nobody will use your service.
      Yes: Let's wait for feedback from someone respectable

3 - How do you save user's passwords? No salt? No HTTPS?! Are you kidding?!
(.....)


People interested in bitcoins are in general computer geeks with a great interest in security. Now tell me, what happens if you take a bunch of security experts and make them run sites to sell stuff to each other?


Perhaps the best way to phrase it is that it's 1994 ... and you're opening an eCommerce store...    I don't know how many of you guys were around during the 1990's dot com boom times...  and the early 2000's crash times..   but honestly there were some things that people tend to forget.

At one point Ebay banned Paypal.  

literally a business decision was made to lock paypal out of Ebay,  ebay looked at paypal and realized that at the current growth rate of paypal ebay would not be able to function without it.  So they banned it hoping someone else would show up.   they cited security concerns and that "some company is stealing usernames and passwords"   literally that is what they used as an excuse.

 eventually within a few weeks ebay unbanned paypal then subsequently bought them realizing that they couldn't grow without it.

The point is that yes a security concern is a MAJOR issue,  but at the same time, there's a bunch of reading between the lines going on.   Because from time to time I get these crazy "suggestions"  and in reality I find out the guy works for "bitcoin startup A or bitcoin startup B"  those suggestions may on the face look good.. but in reality aren't.

Example,  I got a PM that stated I needed to make the minimum password length 20 characters for 'security reasons' ...  now I am all for allowing 20 characters.. but minimum length 20?

I find out the suggestion came from a guy that worked at one of the exchanges that is now considering an ewallet ...   hence my suspicion that perhaps it wasn't so sincere.  

20 character minimums would lock grandma out of ever using the system.

Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
payb.tc
August 01, 2011, 03:02:41 PM
 #14

steal bitcoins.

1. set up llc in nevis
2. build community trust for your new wallet service over a period of many months
3. disappear
the founder
August 01, 2011, 03:04:22 PM
 #15

steal bitcoins.

1. set up llc in nevis
2. build community trust for your new wallet service over a period of many months
3. disappear


I honestly want to know what happened to that service.   I can't even ping the domain anymore.   I suspect something bad happened... and instead of owning up to it he just vanished.




Bitcoin RSS App / Bitcoin Android App / Bitcoin Webapp http://www.ounce.me  Say thank you here:  1HByHZQ44LUCxxpnqtXDuJVmrSdrGK6Q2f
foggyb
August 01, 2011, 03:18:59 PM
 #16


I've been the receiver of more hack attempts in the last month at CoinedBits.com than the previous 10 years on all my other sites.

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.



Not to diminish that better security is needed, but I'd like to point out that increased hacker/scammer interest is further affirmation of the bitcoin's high relevance and worth in today's world. In light of this, investors and retail startups should feel confident about moving a lot of funds towards beefing up bitcoin security for merchants and customers alike.
airdata
August 01, 2011, 03:24:49 PM
 #17




Not to diminish that better security is needed, but I'd like to point out that increased hacker/scammer interest is further affirmation of the bitcoin's high relevance and worth in today's world. In light of this, investors and retail startups should feel confident about moving a lot of funds towards beefing up bitcoin security for merchants and customers alike.

Hacking / Scamming has held bitcoin down and stunted its growth.

Scamming bitcoins could be cool and all... but not when your activities drive their prices from 25-30 each to 13-14 each.
elggawf
August 01, 2011, 03:51:49 PM
 #18

I can confirm that...  every bitcoin related site that we have is subjected to a much higher rate of hacking attempts.

It's simply the nature of the beast... the pseudonymous and irreversible nature of Bitcoin simply means that there's a more attractive apple on the other side of the wall. Instead of hacking a site and using it to phish, or robbing bank accounts that can be reversed, or stealing credit card data which you can card physical goods at high risks...

... if you steal BTC, the victim stands almost no chance at getting it back and there's a pretty good chance you'll get away scot free.

Everyone who has half a working brain and was looking at starting up a Bitcoin-related business should realize this going in - the reward is much sweeter so people are going to try harder and therefore security has to be a higher priority.

That said I wouldn't panic at every scan, because that too is just the nature... of being on the internet. This isn't the 90s anymore, you'll go hoarse if you scream on IRC every time someone port-scans you.

^_^
kjj
August 01, 2011, 06:43:15 PM
 #19

My main email address has been out there in the public eye for close to a dozen years now.  It has been posted on forums, websites, mailing lists, and even, God help me, USENET.

The throwaway address that leaked out of mtgox gets VASTLY more spam.


p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
Vladimir
August 01, 2011, 07:29:13 PM
 #20

Quote
Bitcoin is a magnet for hackers and crooks

So is cash. Does it come as a surprise?

-
xcooling
August 01, 2011, 07:59:42 PM
 #21

edit:

Yeah it's easy atm for them, but there is still far more money in stealing credit card numbers and personal identities.

foggyb
August 01, 2011, 09:55:41 PM
 #22


Hacking / Scamming has held bitcoin down and stunted its growth.

Scamming bitcoins could be cool and all... but not when your activities drive their prices from 25-30 each to 13-14 each.

Scamming/hacking did not drive the price to 13$. The free market has decided 13-15$ is a fair price for a bitcoin. Wild speculation drove it to $30.




willphase
August 01, 2011, 10:16:30 PM
 #23


Scamming/hacking did not drive the price to 13$. The free market has decided 13-15$ is a fair price for a bitcoin. Wild speculation drove it to $30.


Greed drove the price to $30.

Will

Indemnified
August 01, 2011, 10:22:10 PM
 #24

My main email address has been out there in the public eye for close to a dozen years now.  It has been posted on forums, websites, mailing lists, and even, God help me, USENET.

The throwaway address that leaked out of mtgox gets VASTLY more spam.



This^
Tasty Champa
August 01, 2011, 11:36:15 PM
 #25

OP, I'm glad you brought this to our attention.
Means we can get free or cheap penetration testing.
Smiley

just post your URL in the forum or your sig,
and state there is a wallet with 0.1BTC in it, if you can get it, it's yours!
I wouldn't lie about it though, they will be sneaky bastards.

could even set up a site directory with bounties in BTC.

It's like an anti-sec dream, super cheap pen testing, thwarting the expensive job seeking vanity driven  hats.

creation and destruction.

May as well make the destroyers skwirm. xD
smoothie
August 02, 2011, 06:00:16 AM
 #26

"Bitcoin is a magnet for hackers and crooks" .... AND BEER AND HOOKERS!!
 Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin Grin

. ★☆ WWW.LEALANA.COM        My PGP fingerprint is A764D833.        SMOOTHIE'S HEALTH AND FITNESS JOURNAL          History of Monero development Visualization ★☆ .
LEALANA  PHYSICAL MONERO COINS 999 FINE SILVER.
 
bitrebel
August 02, 2011, 06:05:36 AM
 #27

The problem boils down to this:

Victim: Officer, I want to report a theft.

Officer: What happened?

Victim: Someone stole my bitcoins!

Officer: Your what?

Victim: My BITCOINS!!!!

Officer: Did you have them in your bank account or in your credit card?

Victim: They are not stored in banks or credit cards.

Officer: Then we don't give a rat's ass. Sorry.

Victim: Why won't you do anything?

Officer: We work for Bankers, not you, Fuck Off common Pleb!

Why does Bitrebel have 65+ Ignores?
Because Bitrebel says things that some people do not want YOU to hear.
bitrebel
August 02, 2011, 06:59:07 AM
 #28

There is also the WAR ON BITCOINS, you are not considering. It's not just greedy hackers, it's people who want to intentionally destroy bitcoin because they work for the bankers. ALL media, politicians, police, and governments are beholden to the central bankers, so bitcoin does not have many friends in the concrete jungle. Bitcoin is popular among people who value freedom and self responsibility and used by those without fear of computers or immediate persecution. Bitcoin is up against enormous odds and powers in the world. It will only succeed if people can endure the early hardships. Even then, we will continue to be fought against by the system. Bitcoins will NEVER be embraced by the real mainstream, paypal, ebay, bank of america, chase, and safeway or walmart. And maybe those are its best features yet. One thing is for sure, bitcoin will probably never be for the masses until things change, and maybe bitcoin is supposed to be a large part of that change.

Why does Bitrebel have 65+ Ignores?
Because Bitrebel says things that some people do not want YOU to hear.
qwk
August 02, 2011, 08:58:39 AM
 #29

Victim: Someone stole my bitcoins!
(...)
Officer: Then we don't give a rat's ass. Sorry.

Just because your regular police officer won't know what a bitcoin is, doesn't mean it's not a criminal offence to steal them and that it can't be prosecuted. You may have a hard time explaining, sure.

Yeah, well... I'm gonna go build my own blockchain, with blackjack and hookers. In fact, forget the blockchain!
brandon@sourcewerks
August 02, 2011, 01:02:09 PM
 #30

Feel like some of the replies in this thread couple programmers with hackers...

Not all programmers need to exploit systems to feel complete.
RSantana
August 09, 2011, 06:09:04 AM
 #31

It will be interesting to see if the hacking attempts slow down at a parallel rate to the value of the bitcoin.

Check out the first physical bitcoin at http://CoinedBits.com
NothinG
August 09, 2011, 06:24:30 AM
 #32

It will be interesting to see if the hacking attempts slow down at a parallel rate to the value of the bitcoin.
or...hackers go further underground and release scripts to the public.

RSantana
November 16, 2011, 07:43:18 AM
 #33

Just wanted to report for documentation sake that I'm still getting hit with hack attempts. The latest attempt was yesterday someone who speaks good English using a server (118.192.35.57) from China tried over 1,500 various methods to hack into my server.

It's hard to stay ahead of these guys, if they are persistent, they will eventually get in (as evident with the other already hacked bitcoin services).

Here are some of the methods he tried:
  • Tried to access boot information
  • Tried to access file system (ie /etc/passwd)
  • Various SQL injection techniques
  • javascript injection
  • Tried executing system commands with buffer over-runs

It's kinda funny that they never tried to find my wallet.dat file :-)

Check out the first physical bitcoin at http://CoinedBits.com
kjj
November 16, 2011, 07:57:06 AM
 #34

Just wanted to report for documentation sake that I'm still getting hit with hack attempts. The latest attempt was yesterday someone who speaks good English using a server (118.192.35.57) from China tried over 1,500 various methods to hack into my server.

It's hard to stay ahead of these guys, if they are persistent, they will eventually get in (as evident with the other already hacked bitcoin services).

Here are some of the methods he tried:
  • Tried to access boot information
  • Tried to access file system (ie /etc/passwd)
  • Various SQL injection techniques
  • javascript injection
  • Tried executing system commands with buffer over-runs

It's kinda funny that they never tried to find my wallet.dat file :-)

What types of attacks were they using?  Just web requests?

I've found that a well configured fail2ban setup has made my logs vastly less annoying to read.

p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
RSantana
November 16, 2011, 08:05:06 AM
 #35

What types of attacks were they using?  Just web requests?
I've found that a well configured fail2ban setup has made my logs vastly less annoying to read.

Yes, all attacks were using HTTP. fail2ban looks pretty good. Thanks.

Check out the first physical bitcoin at http://CoinedBits.com
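
The HTTP log triage discussed in posts #33 to #35 (classify probe requests, count them per source address, and flag addresses that pass a threshold inside a time window, which is the idea behind fail2ban's `maxretry` and `findtime`), as an added example that is not part of the thread. The log lines are constructed, and the signature patterns and threshold values are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed access-log lines ("combined" format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Nov/2011:10:00:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [15/Nov/2011:10:00:02 +0000] "GET /product.php?id=1%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [15/Nov/2011:10:00:03 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 733 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [15/Nov/2011:10:00:04 +0000] "GET /boot.ini HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.20 - - [15/Nov/2011:10:05:00 +0000] "GET /search.php?q=1%27+OR+1%3D1 HTTP/1.1" 200 733 "-" "ExampleBrowser/1.0"
198.51.100.20 - - [15/Nov/2011:11:30:00 +0000] "GET /contact.php?name=%3CSCRIPT%3Ex%3C/SCRIPT%3E HTTP/1.1" 200 640 "-" "ExampleBrowser/1.0"
198.51.100.20 - - [15/Nov/2011:13:00:00 +0000] "GET /view.php?file=/etc/passwd HTTP/1.1" 404 210 "-" "ExampleBrowser/1.0"
192.0.2.44 - - [15/Nov/2011:10:06:00 +0000] "GET /catalog/union-select-coins.html HTTP/1.1" 200 1890 "-" "ExampleBrowser/1.0"
192.0.2.44 - - [15/Nov/2011:10:06:05 +0000] "GET /product.php?id=42 HTTP/1.1" 200 1502 "-" "ExampleBrowser/1.0"
"""

# client, timestamp, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Illustrative signatures for the probe types listed in post #33.
# Assumption: deliberately small, not a complete or evasion-proof rule set.
SIGNATURES = {
    "file_probe": re.compile(r"\.\./|/etc/passwd|boot\.ini"),
    "sql_injection": re.compile(
        r"\bunion\s+(?:all\s+)?select\b|'\s*or\s+\d+\s*=\s*\d+"),
    "script_injection": re.compile(r"<\s*script\b|javascript:"),
}


def classify(target):
    """Return the signature names matched by one request target."""
    # Decode %xx and '+' first, otherwise encoded probes slip past the patterns.
    decoded = unquote_plus(target).lower()
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan(log_text):
    """Map each source IP to its list of (timestamp, category) hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, stamp, _method, target, _status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        for category in classify(target):
            hits[ip].append((when, category))
    return dict(hits)


def offenders(hits, maxretry=3, findtime=timedelta(minutes=10)):
    """IPs with at least `maxretry` hits inside any `findtime` window."""
    flagged = {}
    for ip, events in hits.items():
        times = sorted(t for t, _ in events)
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans <= findtime.
            while t - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                flagged[ip] = sorted({c for _, c in events})
                break
    return flagged


if __name__ == "__main__":
    for ip, categories in offenders(scan(SAMPLE_LOG)).items():
        print(f"ban candidate {ip}: {', '.join(categories)}")
```

The slow source (198.51.100.20) stays under the default window and is only flagged when `findtime` is widened, which is the trade-off to weigh when tuning the threshold.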
RSantana
November 16, 2011, 08:08:25 AM
 #36

One other interesting thing. It looks like he is on a Windows NT machine using IE 6!

I guess he could be spoofing the agent string.

Check out the first physical bitcoin at http://CoinedBits.com
payb.tc
November 16, 2011, 08:32:07 AM
 #37

I guess he could be spoofing the agent string.

i was going to say '118' looks like Australia. which service told you it was China? (other than the IE6 usage Cheesy)
RSantana
November 16, 2011, 08:38:51 AM
 #38

i was going to say '118' looks like Australia. which service told you it was China? (other than the IE6 usage Cheesy)

You gotta use the Asia Pacific Network whois search to lookup the IP address

http://www.apnic.net/apnic-info/whois_search

Check out the first physical bitcoin at http://CoinedBits.com
RSantana
February 24, 2012, 08:08:22 AM
 #39

For anyone who cares or is keeping track. Yesterday I got another 2000 hack attempts. It was mostly injecting harmful scripts into my forms, and random endpoint guessing looking for login pages.

These attempts all came from the Netherlands.

Check out the first physical bitcoin at http://CoinedBits.com
Timo Y
February 24, 2012, 10:45:39 AM
 #40

For anyone who cares or is keeping track. Yesterday I got another 2000 hack attempts. It was mostly injecting harmful scripts into my forms, and random endpoint guessing looking for login pages.

These attempts all came from the Netherlands.


The Netherlands was probably just the last link in a proxy chain.

We shouldn't be surprised by this. Bitcoin wallets are perceived as an easy target, and there is no shortage of desperate people in the world with basic hacking skills.

Have you thought about storing your wallets offline and advertising this fact on your site?

GPG ID: FA868D77   bitcoin-otc:forever-d
organofcorti
February 24, 2012, 11:05:02 AM
 #41

I actually think it's a good thing.

What doesn't kill you makes you stronger.


You mean like cancer? Or schizophrenia? In all the time I heard Nietzsche's phrase "That which does not kill us makes us stronger" parroted about, I've yet to hear of one convincing example. In this case, no, getting hacked will not make RSantana's business any stronger. And for any new merchant who doesn't have RSantana's server skills, getting hacked might put them off altogether.

I know you mean well znort987, but remember we're trying to encourage bitcoin access to the wider community. This means helping them be safe, not waiting until they get wiped out - or even nearly wiped out.

Bitcoin network and pool analysis 12QxPHEuxDrs7mCyGSx1iVSozTwtquDB3r
follow @oocBlog for new post notifications
Kluge
February 24, 2012, 11:06:34 AM
 #42

I know various forms of this topic have been discussed at length, but I thought it would be beneficial to hear another first hand account. After looking through 256 recent SQL injection attempts at my site I thought I'd share my experience thus far as a new bitcoin etailer.

I've been running various online retail websites for over 10 years. As many of you know, I recently started CoinedBits.com. I've been the receiver of more hack attempts in the last month at CoinedBits.com than the previous 10 years on all my other sites.

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.

Thanks for listening.

I actually think it's a good thing.

What doesn't kill you makes you stronger.

I'm thinking along these lines, too, and wondering if there aren't a good few white-hats doing these attacks. Funny OP mentioned the crackers never looked for the wallet.dat file. I had VNC servers compromised a few months ago, not too long after the MtGox attack. What did the invader do? Was very obvious and tried infecting one computer (which did not run the Bitcoin daemon) with adware. - And I was very confused by this at first, but I've since started thinking they were doing a service of pointing out a very obvious security flaw in my setup which I quickly corrected. I immediately disconnected my router, but I regret not trying to communicate with him.

After the Gox attack, security improved (both in Gox and the affected users) and we're better for it. After Bitscalper's security flaw was noted, security improved and... well.... security improved. All of these attacks are bad short-term, but long-term, they make us more alert and wiser, and may be necessary for Bitcoin to continue being used 10 years from now.

Don't mix your coins someone said isn't legal
btc_artist
February 24, 2012, 03:33:06 PM
 #43

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
Increasing barrier and risk? If your site is secured, you have no risk. If your site is not secure, YOU are causing the risk, not people probing your servers.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.
Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

I'll put it simply.  It is the site owner's responsibility to fully secure their site. If they do not, it *will* be compromised sooner or later.  This has nothing to do with Bitcoin and everything to do with website owners being responsible.

BTC: 1CDCLDBHbAzHyYUkk1wYHPYmrtDZNhk8zf
LTC: LMS7SqZJnqzxo76iDSEua33WCyYZdjaQoE
foggyb
Legendary
*
Activity: 1344
February 24, 2012, 03:43:57 PM
 #44

I actually think it's a good thing.

What doesn't kill you makes you stronger.


You mean like cancer? Or schizophrenia?


Those diseases kill and maim. Web servers are immune to diseases, last time I checked.
RSantana
Member
**
Activity: 111

CoinedBits.com
February 24, 2012, 04:59:25 PM
 #45

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
Increasing barrier and risk? If your site is secured, you have no risk. If your site is not secure, YOU are causing the risk, not people probing your servers.

This is more than a bitcoin maturity issue, the security & trust problems are larger than we want to admit. We need evolutionary security & trust changes around bitcoin to make this thing happen.
Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

I'll put it simply.  It is the site owner's responsibility to fully secure their site. If they do not, it *will* be compromised sooner or later.  This has nothing to do with Bitcoin and everything to do with website owners being responsible.
There is no such thing as a secure server.
Trust, is Bitcoin's #1 problem.

Check out the first physical bitcoin at http://CoinedBits.com
caveden
Legendary
*
Activity: 1106
February 24, 2012, 05:17:12 PM
 #46

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
Increasing barrier and risk? If your site is secured, you have no risk. If your site is not secure, YOU are causing the risk, not people probing your servers.

Wait, it's the victim's fault if s/he is attacked?

OP is right, this does create a higher barrier for establishing a bitcoin business. It's like establishing a brick and mortar business in a violent neighborhood: you'll have to invest more in security, and even that might not be enough. Such costs and risks might be prohibitive to some. Even if they're not prohibitive, they'll have to be accounted for in the price of whatever product or service they sell.

Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords, it's stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
Timo Y
Legendary
*
Activity: 938

bitcoin - the aerogel of money
February 24, 2012, 05:35:57 PM
 #47

I'll put it simply.  It is the site owner's responsibility to fully secure their site. If they do not, it *will* be compromised sooner or later.  This has nothing to do with Bitcoin and everything to do with website owners being responsible.

Don't know what you mean by "fully secure". There is no such thing as perfect security.

Anyhow, it does have something to do with Bitcoin because, if you store wallets on servers, the level of security required is so much higher than for a site like Wikipedia, where any damage caused by hackers can easily be reversed.  

Security is fiendishly hard to get right even for experienced web developers.   Hiring a team of 10 security experts should NOT be a requirement for every startup in the Bitcoin economy, otherwise there will be very few startups and this economy will never bootstrap.  

This barrier to entry is a problem at the moment. Multisig alone doesn't solve the problem for any system that is automated. What we need is something like LinuxCoin for web developers - a separate preconfigured server just for handling wallets. This server could then be thoroughly tested by the community, just like the Satoshi client, and individual web developers wouldn't need to reinvent the wheel.  

GPG ID: FA868D77   bitcoin-otc:forever-d
Phinnaeus Gage
Legendary
*
Activity: 1358

Bitcoin: An Idea Worth Spending
February 24, 2012, 08:38:12 PM
 #48

Quote
This barrier to entry is a problem at the moment. Multisig alone doesn't solve the problem for any system that is automated. What we need is something like LinuxCoin for web developers - a separate preconfigured server just for handling wallets. This server could then be thoroughly tested by the community, just like the Satoshi client, and individual web developers wouldn't need to reinvent the wheel.

Let's see if I don't know what I'm talking about--again.

I think we need not one LinuxCoin, but seven--one for each 10 fold increase of Bitcoin, all the way to what is currently known as a satoshi. And don't start developing the next level until it looks like it's going to be needed soon, therefore all the latest security features and fixes can be in place, eliminating as many future patches as possible.

It can be called LinuxCoin, or any other name, but Bitcoin would remain its brand status, to satisfy the purist and not confuse the ongoing adapters.

Work should start on the next level now. Once in place, and Bitcoin reaches a certain level, say trading at $100 USD (but doesn't have to be exact), then the new client would be LC1, therefore whoever had 10 bitcoins prior to the move, now has 100 coins, valued at the same price. But now it resides on the new secure client without all the previous mundane luggage which, by the way, is still made available somewhere, somehow, for obvious reasons.

It's days like this that I wish I was a programmer. You guys are truly smart lads and lassies. But, then again, if I were a programmer, perhaps Atlas would then be the DaBitcoinGuy.

~Bruno~
Coinbuck @ BTCLot
Hero Member
*****
Activity: 540

The future begins today
February 25, 2012, 01:09:29 PM
 #49

For anyone who cares or is keeping track. Yesterday I got another 2000 hack attempts. It was mostly injecting harmful scripts into my forms, and random endpoint guessing looking for login pages.

These attempts all came from the Netherlands.

In here they come from Russia. It's really annoying.

Bitcoin is the future !
k9quaint
Legendary
*
Activity: 1190
February 25, 2012, 08:26:22 PM
 #50

There is no such thing as a secure server.

Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.

Bitcoin is backed by the full faith and credit of YouTube comments.
RSantana
Member
**
Activity: 111

CoinedBits.com
February 25, 2012, 09:30:42 PM
 #51

There is no such thing as a secure server.
Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.
So who do you think is worthy to stay in the Internet business?

Check out the first physical bitcoin at http://CoinedBits.com
ZodiacDragon84
Sr. Member
****
Activity: 266

The king and the pawn go in the same box @ endgame
February 25, 2012, 09:35:37 PM
 #52

OP, I'm glad you brought this to our attention.
Means we can get free or cheap penetration testing.
Smiley

just post your URL in the forum or your sig,
and state there is a wallet with 0.1BTC in it, if you can get it, it's yours!
I wouldn't lie about it though, they will be sneaky bastards.

could even set up a site directory with bounties in BTC.

It's like an anti-sec dream, super cheap pen testing, thwarting the expensive job seeking vanity driven  hats.

creation and destruction.

May as well make the destroyers skwirm. xD

Basically, set up honey pots, and see how many bees you can collect?

Looking for a quick easy mining solution? Check out
www.bitminter.com

See my trader rep at Bitcoinfeedback.com
!
k9quaint
Legendary
*
Activity: 1190
February 25, 2012, 10:23:31 PM
 #53

There is no such thing as a secure server.
Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.
So who do you think is worthy to stay in the Internet business?

People who can.

Bitcoin is backed by the full faith and credit of YouTube comments.
Jan
Legendary
*
Activity: 1043
February 25, 2012, 11:25:37 PM
 #54

If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.
That's why we have Bit-Pay.

Mycelium lets you hold your private keys private.
Liberate
Member
**
Activity: 70

Freedom is Free
February 25, 2012, 11:42:44 PM
 #55

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
If you can't secure your sites then you should not be handling other people's money/bitcoins.

Will code for coins, python c#, php(+html, jss, sql) scripts can also pen testing(not a skid) PM me https://bitcointalk.org/index.php?topic=71889.msg813212#msg813212

BTC: 1X8Uwr6vxtuudvxgPv9SqP2c6omWUC3qn
LTC: LaZ8A9YTHbNiFuhRFdCt7KNRuU2XFPXgfA
payb.tc
Hero Member
*****
Activity: 812
February 25, 2012, 11:44:01 PM
 #56

There is no such thing as a secure server.
Based on this statement, you should exit the internet business.
Too many people punt the security aspect just because it is hard.
So who do you think is worthy to stay in the Internet business?

People who can.

sony?
Jon
Donator
Member
*
Activity: 98

No Gods; No Masters; Only You
February 25, 2012, 11:57:34 PM
 #57

I would be more concerned if Bitcoin only attracted law-abiding citizens and government officials.

The Communists say, equal labour entitles man to equal enjoyment. No, equal labour does not entitle you to it, but equal enjoyment alone entitles you to equal enjoyment. Enjoy, then you are entitled to enjoyment. But, if you have laboured and let the enjoyment be taken from you, then – ‘it serves you right.’ If you take the enjoyment, it is your right.
NASDAQEnema
Full Member
***
Activity: 182
February 26, 2012, 12:30:50 AM
 #58

This is increasing the barrier to entry & risk for new merchants and bitcoin services, and making it harder to gain the trust of users.
Increasing barrier and risk? If your site is secured, you have no risk. If your site is not secure, YOU are causing the risk, not people probing your servers.

Wait, it's the victim's fault if s/he is attacked?

A victim is not expected to be armed or prepared.
A business is.

The audacity of businesses thinking they are victims amazes me. Don't leave the safe open and don't fail to use a time lock.
You are responsible for the safety of your business.

Quote
OP is right, this does create a higher barrier for establishing a bitcoin business. It's like establishing a brick and mortar business in a violent neighborhood: you'll have to invest more in security, and even that might not be enough. Such costs and risks might be prohibitive to some. Even if they're not prohibitive, they'll have to be accounted for in the price of whatever product or service they sell.

The prize in bitcoin land is BTC. The prize in fiat land is Credit Card numbers. Both can be sold for fiat. The barrier to entry is exaggerated.
It's just easier at the moment for large sums of BTC to trade into fiat. There's no secret trading platform where you can invest in credit card haxor teams. Not yet.

Quote
Incorrect.  You cannot base the security of your ecommerce website on "trusting" everyone not to attack it even though it's vulnerable.

Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords, it's stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.

Hashing passwords is standard practice expected. Fix your website. There's plenty of high schoolers out of work who could do it for nearly nothing or even a few BTC.

Stop avoiding responsibility.

If you feel Universe has trolled you exclusively, please donate to Emergency Butthurt Support Fund:
1Jv4wa1w4Le4Ku9MZRxcobnDFzAUF9aotH
Proceeds go to Emergency Butthurt Escape Pod none of you will be allowed to use. If you have read this far, you must pay Emergency Butthurt Internet Tax.
ZodiacDragon84
Sr. Member
****
Activity: 266

The king and the pawn go in the same box @ endgame
February 26, 2012, 08:09:07 PM
 #59

Trust, is Bitcoin's #1 problem.

Time to downgrade back to the good ol' credit cards, checks, and cash; systems where we don't need to trust anyone at all!  Grin



riiiiiiight.

Looking for a quick easy mining solution? Check out
www.bitminter.com

See my trader rep at Bitcoinfeedback.com
!
caveden
Legendary
*
Activity: 1106
February 27, 2012, 09:56:12 AM
 #60

A victim is not expected to be armed or prepared.
A business is.

The audacity of businesses thinking they are victims amazes me. Don't leave the safe open and don't fail to use a time lock.
You are responsible for the safety of your business.

Wait...
So, according to you, being the victim of a crime depends on whether you were engaging in business? If my personal car gets stolen, I'm a victim, but if it's my function car while I'm working, I'm responsible for being robbed? If a woman is raped, she's a victim, unless it was a prostitute during her business, then she's responsible for being raped?

Please. Of course people would better be prudent and protect themselves from criminals, but your notion of ethics is completely twisted if you really believe "business are not victims". Being the victim or the responsible of a crime has absolutely nothing to do with whether you were engaging in business, pleasure or whatever.

Quote
Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords, it's stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.
Hashing passwords is standard practice expected. Fix your website. There's plenty of high schoolers out of work who could do it for nearly nothing or even a few BTC.

Stop avoiding responsibility.

It's not "my website". But it is a good example. Why should they even care about spending money on a high schooler to have a decent site? All they want is to deliver sandwiches and meals. The only reason they've probably done a site at all was because they work in a "geek area", and have many clients that prefer ordering by clicking instead of using the phone.
They don't really care about having a good, secure site, and it's fine enough for them, as long as they keep delivering good meals at an affordable price.
But that's only because they don't accept bitcoin (or any other digital means of payment, for that matter). If they ever consider the possibility, their site will be completely rapped by the crooks OP talks about. So, summarizing, OP has a point. The high level of "cyberviolence" we are submitted to (and also the fact we can't even try to punish these hackers as we may do with meatspace criminals) makes life harder for honest people, unfortunately.

But maybe a better comparison would be to compare the level of security needed to safely maintain a bitcoin wallet in a site, and the level of security needed to safely store credit card numbers. I have no idea which kind of site is more attacked.

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
organofcorti
Donator
Legendary
*
Activity: 2044

Poor impulse control.
February 27, 2012, 10:22:44 AM
 #61

Just going off-topic here and injecting a bit of levity, but did anyone notice that if you spoonerise "hackers and crooks" you get:

"Bitcoin is a magnet for crack and hookers"

I wonder how the security at Silk Road is?

Bitcoin network and pool analysis 12QxPHEuxDrs7mCyGSx1iVSozTwtquDB3r
follow @oocBlog for new post notifications
btc_artist
Full Member
***
Activity: 154

Bitcoin!
February 27, 2012, 02:28:57 PM
 #62

A victim is not expected to be armed or prepared.
A business is.

The audacity of businesses thinking they are victims amazes me. Don't leave the safe open and don't fail to use a time lock.
You are responsible for the safety of your business.

Wait...
So, according to you, being the victim of a crime depends on whether you were engaging in business? If my personal car gets stolen, I'm a victim, but if it's my function car while I'm working, I'm responsible for being robbed? If a woman is raped, she's a victim, unless it was a prostitute during her business, then she's responsible for being raped?

Please. Of course people would better be prudent and protect themselves from criminals, but your notion of ethics is completely twisted if you really believe "business are not victims". Being the victim or the responsible of a crime has absolutely nothing to do with whether you were engaging in business, pleasure or whatever.

Quote
Sometimes you can. The local restaurant website where I often order my meals is quite lame. I know, for ex., that they don't hash passwords, it's stored as clear text. There are probably other security vulnerabilities. Judging by the web design, they probably had a very limited budget for building that site. If they had to have the level of security a site needs to have to exist safely in the bitcoin world, maybe they wouldn't even have a site at all, or their meals would be more expensive just to account for that.
Hashing passwords is standard practice expected. Fix your website. There's plenty of high schoolers out of work who could do it for nearly nothing or even a few BTC.

Stop avoiding responsibility.

It's not "my website". But it is a good example. Why should they even care about spending money on a high schooler to have a decent site? All they want is to deliver sandwiches and meals. The only reason they've probably done a site at all was because they work in a "geek area", and have many clients that prefer ordering by clicking instead of using the phone.
They don't really care about having a good, secure site, and it's fine enough for them, as long as they keep delivering good meals at an affordable price.
But that's only because they don't accept bitcoin (or any other digital means of payment, for that matter). If they ever consider the possibility, their site will be completely rapped by the crooks OP talks about. So, summarizing, OP has a point. The high level of "cyberviolence" we are submitted to (and also the fact we can't even try to punish these hackers as we may do with meatspace criminals) makes life harder for honest people, unfortunately.

But maybe a better comparison would be to compare the level of security needed to safely maintain a bitcoin wallet in a site, and the level of security needed to safely store credit card numbers. I have no idea which kind of site is more attacked.
It goes both ways. Sure, you're still a victim, but on the flip side, you should secure your site.  And that goes for any site, not just a bitcoin-related site.

If you don't want to be a victim, secure your site. Smiley

BTC: 1CDCLDBHbAzHyYUkk1wYHPYmrtDZNhk8zf
LTC: LMS7SqZJnqzxo76iDSEua33WCyYZdjaQoE
zer0
Sr. Member
****
Activity: 350
February 27, 2012, 06:09:29 PM
 #63

'Crooks' are already using existing payment methods to move multi millions in laundered funds; they don't need bitcoin. They need fake ID, social engineering and some socks proxies. There isn't enough bitcoins in the world to satisfy the daily laundering requirements of a typical Mexican cartel or even most Nigerian scams.
payb.tc
Hero Member
*****
Activity: 812
February 27, 2012, 09:28:18 PM
 #64

There isn't enough bitcoins in the world to satisfy the daily laundering requirements of a typical Mexican cartel or even most Nigerian scams

so, how many bitcoins would be enough?
btc_artist
Full Member
***
Activity: 154

Bitcoin!
February 27, 2012, 09:37:02 PM
 #65

There isn't enough bitcoins in the world to satisfy the daily laundering requirements of a typical Mexican cartel or even most Nigerian scams

so, how many bitcoins would be enough?

One bitcoin would be enough. You could probably even do it with a half a bitcoin Wink

BTC: 1CDCLDBHbAzHyYUkk1wYHPYmrtDZNhk8zf
LTC: LMS7SqZJnqzxo76iDSEua33WCyYZdjaQoE
Bitcoin Oz
Hero Member
*****
Activity: 700

Wat
February 28, 2012, 12:01:10 AM
 #66

This is why my advice is if you can't code for shit don't go bringing out bitcoin sites.


kjj
Legendary
*
Activity: 1302
February 28, 2012, 01:28:22 AM
 #67

I've had a couple of ideas for bitcoin sites that I haven't bothered doing because I don't want the hassle.

Of course, I've had similar ideas for non-bitcoin sites too, and I usually don't bother with them either, because of the hassles that come with other payment systems.

p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
dooglus
Legendary
*
Activity: 2338
February 28, 2012, 04:31:00 AM
 #68

Quote from: kjj link=topic=33391.msg620332#msg620332
Here are some of the methods he tried:
- Tried to access boot information
- Tried to access file system (ie /etc/passwd)
- Various SQL injection techniques
- javascript injection
- Tried executing system commands with buffer over-runs

It's kinda funny that they never tried to find my wallet.dat file :-)

He's almost certainly using a program that does all that stuff automatically for him.  I've seen the same pattern of attacks myself.  If you look in the logs closely, you'll see the same word coming up over and over.  Google it - it's the name of the hacking tool he's using.

That's what I found, anyway.  I don't remember the name now though, sorry.

Just-Dice   Play or Invest   1% House Edge
dooglus
Legendary
*
Activity: 2338
February 28, 2012, 05:06:21 AM
 #69

"Pangolin".  That was it.

Just-Dice   Play or Invest   1% House Edge
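The log check dooglus describes in the two posts above (one word recurring across the probes turns out to be the scanner's name) can be automated; the following Python script is an added example, not code from any poster in this thread. The log lines are constructed, `ExampleScan` is a made-up tool name, and the probe regexes and the `analyze` helper are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample in Apache/nginx "combined" format. Addresses are
# documentation ranges and "ExampleScan" is a made-up scanner name.
SAMPLE_LOG = """\
198.51.100.20 - - [24/Feb/2012:03:09:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
198.51.100.20 - - [24/Feb/2012:03:09:44 +0000] "GET /product.php?id=7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
203.0.113.7 - - [24/Feb/2012:03:10:01 +0000] "GET /product.php?id=7%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; ExampleScan 2.1)"
203.0.113.7 - - [24/Feb/2012:03:10:02 +0000] "GET /product.php?id=7%20UNION%20SELECT%20null,null HTTP/1.1" 500 310 "-" "Mozilla/4.0 (compatible; ExampleScan 2.1)"
203.0.113.7 - - [24/Feb/2012:03:10:03 +0000] "GET /page.php?file=../../../../etc/passwd HTTP/1.1" 404 310 "-" "Mozilla/4.0 (compatible; ExampleScan 2.1)"
203.0.113.7 - - [24/Feb/2012:03:10:04 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900 "-" "Mozilla/4.0 (compatible; ExampleScan 2.1)"
203.0.113.7 - - [24/Feb/2012:03:10:05 +0000] "GET /page.php?file=..%5C..%5Cboot.ini HTTP/1.1" 404 310 "-" "Mozilla/4.0 (compatible; ExampleScan 2.1)"
192.0.2.55 - - [24/Feb/2012:03:11:12 +0000] "GET /contact.php HTTP/1.1" 200 1500 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Rough signatures for probe classes named in the thread (assumptions; tune
# them against your own traffic before relying on them).
PROBES = {
    "sql_injection": re.compile(r"(?i)\bunion\s+(?:all\s+)?select\b|'\s*(?:or|and)\s+'?\d"),
    "file_read": re.compile(r"(?i)\.\.[/\\]|/etc/passwd|boot\.ini"),
    "script_injection": re.compile(r"(?i)<script\b|javascript:"),
}
TOKEN_RE = re.compile(r"[a-z][a-z0-9_]{3,}")  # words of four or more characters


def analyze(log_text):
    """Return (probe count per class, probing IPs, ranked candidate marker words)."""
    class_counts = Counter()
    sources = set()
    benign_tokens = set()
    token_classes = defaultdict(set)  # word -> probe classes it appeared in
    token_requests = Counter()        # word -> number of probe requests containing it

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        target = unquote_plus(m["target"])  # decode %xx so signatures can match
        tokens = set(TOKEN_RE.findall(f"{target} {m['agent']}".lower()))
        hits = [name for name, rx in PROBES.items() if rx.search(target)]
        if not hits:
            benign_tokens |= tokens  # words seen in clean traffic are not markers
            continue
        sources.add(m["ip"])
        class_counts.update(hits)
        for tok in tokens:
            token_classes[tok].update(hits)
            token_requests[tok] += 1

    # A scanner's own name shows up in every kind of probe it sends, while
    # payload words ("union", "passwd") stay inside one class. Rank by the
    # number of classes spanned, then by the number of requests.
    ranked = sorted(
        ((tok, len(token_classes[tok]), token_requests[tok])
         for tok in token_classes if tok not in benign_tokens),
        key=lambda row: (-row[1], -row[2], row[0]),
    )
    return dict(class_counts), sources, ranked


if __name__ == "__main__":
    counts, sources, ranked = analyze(SAMPLE_LOG)
    print("probe classes:", counts)
    print("probing sources:", sorted(sources))
    for tok, classes, requests in ranked[:5]:
        print(f"{tok:<14} classes={classes} requests={requests}")
```

A word that ranks first here is only a lead to look up; a scanner that sends a stock browser User-Agent and no marker in its payloads will not surface this way.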
Strophon
Newbie
*
Activity: 21
February 28, 2012, 09:16:55 PM
 #70

RSantana: I don't understand; why are you keeping your wallet on your server? Shouldn't it be kept on a different machine? As a retailer, you only need to collect payment except for the occasional refund (which you can do manually), which means your wallet doesn't have to be on the server at all, right? Or am I missing something here? I thought only exchanges like Mt.Gox that have to pay Bitcoins out in addition to accepting them had to worry that much about security, because they have to actually have a wallet file on a machine connected to the server. I mean, a hacker could still put up a fake BTC address on your site if it got compromised, but that's not the same degree of problem as losing your whole wallet...