Bitcoin Forum
Author Topic: [1423GH] ABCPool PPS - Proxy Pool For High & Steady Mining Rewards  (Read 140712 times)
plastic.elastic (Full Member, Activity: 168) | November 04, 2011, 09:36:13 AM | #301

Quote
I had an automatic payment of 25 bitcoins which went to a different address which is not mine.
..
Please advise!
Quote
.. We've immediately halted all payments while we investigate this matter to avoid additional losses. It could very well be that someone has gained unauthorized access to our systems.

I'm investigating the matter now, and will keep you posted as I learn more.

An update on the investigation: The traces left in our logs indicate that the transaction has almost certainly been initiated through the web interface (possibly scripted to guess the PIN numbers). A SQL injection is highly unlikely because it would have left a different pattern of traces. In addition, a code re-review did not reveal any open SQL-injection vectors.

The attacker probably did not have access to all accounts, otherwise he could have just as easily taken a lot more while he remained undetected.

In the meantime, we advise everybody to make sure they are not reusing their passwords for other pools or services at ABCPool; please choose a new & difficult password if that's the case. It's easy to guess usernames based on the MtGox list and the forum accounts, and the Bitcoin community isn't that big.

We'll leave the payout disabled for at least another day until we can introduce additional measures to protect our miners from any unwanted withdrawals. For example, enabling you to permanently lock the payout address will surely help.

Now it's time for me to get some sleep!

Why don't you use browser activation? When a user logs into ABC pool from a non-activated browser, an email will be sent to the user's email address to activate that browser. This will help tremendously, assuming people do have great passwords for their email addresses. Only one browser can be activated at any time. So when a user logs in from another browser, they will have to redo the process.

It's tedious, but it's very effective against remote access hacking.

If the user's computer is hacked then it's already game over.

Tips gladly accepted: 1LPaxHPvpzN3FbaGBaZShov3EFafxJDG42
siggy (Full Member, Activity: 235) | November 04, 2011, 03:03:15 PM | #302

In light of the previously mentioned wrong-address payouts:   Might I suggest removing the 1% contribution requirement for viewing the payout history?  At least for a week or so.  That way everyone can go in and verify their payout history to make sure they weren't affected.

Sigg.

I am Pentium of Borg. Division is futile. You will be approximated.
Eveofwar (Sr. Member, Activity: 406) | November 04, 2011, 04:52:54 PM | #303

Quote from: siggy
In light of the previously mentioned wrong-address payouts: Might I suggest removing the 1% contribution requirement for viewing the payout history? At least for a week or so. That way everyone can go in and verify their payout history to make sure they weren't affected.

Sigg.

I agree...I would like to ensure that my funds that were there, are there.
MintCondition (Sr. Member, Activity: 322) | November 04, 2011, 06:19:22 PM | #304

Quote from: siggy
In light of the previously mentioned wrong-address payouts: Might I suggest removing the 1% contribution requirement for viewing the payout history? At least for a week or so. That way everyone can go in and verify their payout history to make sure they weren't affected.

Sigg.
Quote from: Eveofwar
I agree...I would like to ensure that my funds that were there, are there.
The requirement has been lifted for the next 7 days.

Brian DeLoach (VIP, Full Member, Activity: 158) | November 04, 2011, 06:35:44 PM | #305

Quote from: MintCondition
The requirement has been lifted for the coming week.

When exactly? Starting next week?

Quote from: Matthew N. Wright
I use the blockchain to power my rotating love bed.
MintCondition (Sr. Member, Activity: 322) | November 04, 2011, 06:37:30 PM | #306

Quote from: MintCondition
The requirement has been lifted for the coming week.
Quote from: Brian DeLoach
When exactly? Starting next week?
Right now, for the duration of a week.

Eveofwar (Sr. Member, Activity: 406) | November 04, 2011, 06:41:51 PM | #307

Quote from: siggy
In light of the previously mentioned wrong-address payouts: Might I suggest removing the 1% contribution requirement for viewing the payout history? At least for a week or so. That way everyone can go in and verify their payout history to make sure they weren't affected.

Sigg.
Quote from: Eveofwar
I agree...I would like to ensure that my funds that were there, are there.
Quote from: MintCondition
The requirement has been lifted for the coming week.

Everything is how it should be.

Thanks !
Brian DeLoach (VIP, Full Member, Activity: 158) | November 04, 2011, 06:42:50 PM | #308

account: alphy

Date      Time      Amount (BTC)   Address
11/03/11  10:01 AM   3.66268195    1Cs5ZsNG64RkiLAaWqTHKMxpXsjxAUCUUZ
11/02/11  08:41 AM  10.27910886    1Cs5ZsNG64RkiLAaWqTHKMxpXsjxAUCUUZ
10/29/11  01:56 PM   0.76806254    1Cs5ZsNG64RkiLAaWqTHKMxpXsjxAUCUUZ
10/29/11  07:43 AM   0.72685549    1Cs5ZsNG64RkiLAaWqTHKMxpXsjxAUCUUZ
10/29/11  01:43 AM   8.67988397    1Cs5ZsNG64RkiLAaWqTHKMxpXsjxAUCUUZ

account: squid

Date      Time      Amount (BTC)   Address
11/03/11  10:02 AM   3.64415207    1NZQYkV1chJZPgvmxd6Yr4tWnmPZVn24wJ
11/02/11  08:43 AM  10.28272094    1NZQYkV1chJZPgvmxd6Yr4tWnmPZVn24wJ
10/29/11  01:57 PM   0.77105942    1NZQYkV1chJZPgvmxd6Yr4tWnmPZVn24wJ
10/29/11  07:42 AM   0.74075010    1NZQYkV1chJZPgvmxd6Yr4tWnmPZVn24wJ
10/29/11  01:42 AM  20.80623292    1NZQYkV1chJZPgvmxd6Yr4tWnmPZVn24wJ

 Embarrassed

60.36150826 BTC total for both accounts to an address I don't own. I guess it was bound to happen. I finally lost some bitcoins due to theft. I never used automatic payouts, it has nothing to do with that.

edit: added more info

Quote from: Matthew N. Wright
I use the blockchain to power my rotating love bed.
Mad7Scientist (Member, Activity: 78) | November 04, 2011, 10:24:04 PM | #309

I think the requirement to enter the pin should be removed on the cash out now option. Someone who is sniffing traffic can find out what the pin is that way.

The PIN should only really be needed when changing the payout address or other similar task.
chunglam (Donator, Full Member, Activity: 221) | November 04, 2011, 10:55:37 PM | #310

I highly suggest ABC add HTTP secure mode access. Without HTTPS protecting the traffic, everything is plain text, including your password and PIN. I will not come back to ABC until your pool has added HTTPS mode.
rTech (Sr. Member, Activity: 305, "Trust but confirm!") | November 05, 2011, 12:42:05 AM | #311

How long will it take until we can get our precious bitcoins out again? I really need them before Monday.
MintCondition (Sr. Member, Activity: 322) | November 05, 2011, 01:20:58 AM | #312

Quote from: rTech
How long will it take until we can get our precious bitcoins out again? I really need them before Monday.
UPDATE: Cause found, payouts will continue Sunday evening at the latest.

To all our users, thanks for your continued patience while we were getting to the bottom of this.

Earlier today we verified the exact details of how the theft took place, which was through session spoofing. Multiple accounts were compromised, resulting in unwanted payouts, the bulk of which occurred between October 29 and November 3. We have deployed measures that prevent this type of session spoofing on ABCPool in the future.

What was potentially compromised:
* The attacker did not need your passwords for the intrusion.
* No passwords have been leaked directly, since passwords are only stored as a hash.
* Weak passwords MAY have been guessed by brute-force abuse of the 'change password' function.
* The attacker COULD log in to any account through the ABCPool site and act as though they were that user.
* PINs have been guessed (or brute-forced) in at least several cases.

Steps we have taken to mitigate the issue thus far:
* We have fixed the session handling code.
* We have reset the payment address for all our users, because it might have been set by the attacker to his own address.
* We have expired all current sessions.
* We have introduced additional logging code.

Steps still to be taken:
* Introduce additional security measures.
* Re-activate payouts (this will happen Sunday evening at the latest).
* Come to an agreement with you guys on how to handle the missing BTC.

What will change for you:
* For now, you'll need to (re)enter your payment address. You may take a look at past payouts and copy the address from there, but be sure to verify that it is actually your own address.
* It's always a good security practice to use difficult and unique passwords, and to change them regularly.
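The kind of log review the operator describes (traces of scripted PIN guessing in the web logs, plus the "additional logging code" above) can be automated. This is an added example, not code from ABCPool or this thread; it assumes a constructed log format, since the pool's real format is not shown, and flags accounts with a burst of failed PIN checks, noting whether a successful check followed the burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format; IPs from the documentation ranges)
SAMPLE_LOG = """\
2011-11-02 08:40:01 ip=203.0.113.7 user=alphy action=login result=ok
2011-11-02 08:40:05 ip=203.0.113.7 user=alphy action=pin_check result=fail
2011-11-02 08:40:06 ip=203.0.113.7 user=alphy action=pin_check result=fail
2011-11-02 08:40:07 ip=203.0.113.7 user=alphy action=pin_check result=fail
2011-11-02 08:40:08 ip=203.0.113.7 user=alphy action=pin_check result=fail
2011-11-02 08:40:09 ip=203.0.113.7 user=alphy action=pin_check result=ok
2011-11-02 08:41:00 ip=203.0.113.7 user=alphy action=cashout result=ok
2011-11-02 09:15:00 ip=198.51.100.2 user=squid action=login result=ok
2011-11-02 09:15:20 ip=198.51.100.2 user=squid action=pin_check result=fail
2011-11-02 09:15:40 ip=198.51.100.2 user=squid action=pin_check result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)

def parse(log_text):
    # Yield one dict per well-formed line, with the timestamp as a datetime
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            yield ev

def detect_pin_guessing(log_text, max_failures=3, window=timedelta(minutes=10)):
    """Flag users with more than max_failures failed PIN checks inside `window`;
    'guessed' records whether a successful PIN check followed the burst."""
    recent = defaultdict(deque)   # user -> timestamps of recent PIN failures
    alerts = {}
    for ev in parse(log_text):
        if ev["action"] != "pin_check":
            continue
        q = recent[ev["user"]]
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if ev["result"] == "fail":
            q.append(ev["ts"])
            if len(q) > max_failures:
                alert = alerts.setdefault(ev["user"], {"ip": ev["ip"], "guessed": False})
                alert["failures"] = len(q)
        elif ev["user"] in alerts and q:          # success right after a burst
            alerts[ev["user"]]["guessed"] = True
    return alerts
```

A single failed attempt followed by a success (the squid account in the sample) is normal user behaviour and is not reported.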

Brian DeLoach (VIP, Full Member, Activity: 158) | November 05, 2011, 01:28:38 AM | #313

Quote from: MintCondition
* Come to an agreement with you guys on how to handle the missing BTC.

I know you guys aren't rolling in cash, most pools are in a negative cashflow as it is, so any percentage of the missing bitcoins that are reimbursed is more than I was expecting to get back anyway.

Quote from: Matthew N. Wright
I use the blockchain to power my rotating love bed.
chunglam (Donator, Full Member, Activity: 221) | November 05, 2011, 02:18:16 AM | #314

Quote from: MintCondition
* Come to an agreement with you guys on how to handle the missing BTC.
Quote from: Brian DeLoach
I know you guys aren't rolling in cash, most pools are in a negative cashflow as it is, so any percentage of the missing bitcoins that are reimbursed is more than I was expecting to get back anyway.

Agree. To further support you guys, I will donate whatever amount/percentage you guys decide to give back. I was a long-time ABC miner until this incident. I still keep one worker in ABC and this pool as my third fail-over pool. I will come back after I feel comfortable with the pool's security/protection improvements.
LoupGaroux (Sr. Member, Activity: 420) | November 05, 2011, 02:32:07 AM | #315

I'm bumping my donation percentage up to help with these losses. You guys have been doing a damn fine job running this pool, and I appreciate how smoothly things normally run. It looks like I didn't get burned this time, but a few satoshis to the good might help.

Mad7Scientist (Member, Activity: 78) | November 05, 2011, 03:13:34 AM | #316

Is the purpose of not having a fee to attract users only to increase the hash rate of the pool, thus making a smoother pool for everyone?

I think it's perfectly acceptable to give a small portion to the pool owners. But why can't it be like 1% for everyone? Instead of say, 1/4 of the nice users giving 4% and everybody else giving 0%.


For the pool security my idea is this:
Make the PIN only for changing the payout address, password, or PIN. Immediately log out the account on a failed PIN entry.
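An added example (not ABCPool's code) that puts together the mitigations MintCondition lists in #312 (unguessable session tokens, expiring all sessions at once) with the suggestion above (PIN required only for sensitive changes, immediate logout on a failed PIN) and the permanent payout-address lock the operators mention. All class and function names are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

class SessionStore:  # hypothetical server-side store; names are this example's own
    def __init__(self):
        self._sessions = {}   # token -> {"user": ..., "gen": ...}
        self._gen = 0         # bumped by revoke_all() to expire every session at once

    def create(self, user):
        token = secrets.token_urlsafe(32)   # 256 random bits from the OS CSPRNG
        self._sessions[token] = {"user": user, "gen": self._gen}
        return token

    def user_for(self, token):
        s = self._sessions.get(token)
        if s is None or s["gen"] != self._gen:    # unknown, forged or expired token
            self._sessions.pop(token, None)
            return None
        return s["user"]

    def revoke_all(self):
        self._gen += 1        # "we have expired all current sessions"

    def logout(self, token):
        self._sessions.pop(token, None)

class Account:
    def __init__(self, user, pin, payout_address):
        self.user, self.payout_address = user, payout_address
        self.address_locked = False                 # permanent payout-address lock
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash(pin)            # PIN kept only as a salted hash

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def check_pin(self, pin):
        return hmac.compare_digest(self._pin_hash, self._hash(pin))

def change_payout_address(store, token, account, pin, new_address):
    """Sensitive change: needs a live session for this user, an unlocked address and
    the PIN. A wrong PIN ends the session, so every guess costs a fresh login."""
    if store.user_for(token) != account.user or account.address_locked:
        return False
    if not account.check_pin(pin):
        store.logout(token)
        return False
    account.payout_address = new_address
    return True
```

Routine actions such as viewing stats need only the session; the PIN is never sent for them, so it cannot be picked up from ordinary traffic the way the earlier posts describe.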
mineriapepe (Newbie, Activity: 23) | November 05, 2011, 03:38:19 AM | #317

I'm affected too. Transaction of 4.02765368 BTC to 1KRJK2nAb78PU4b8ro3uG3HXsSH3mWq5Q at 2011-11-02 10:44
Hotdog453 (Full Member, Activity: 120) | November 05, 2011, 05:23:45 PM | #318

You handled the issue well. I utilize you guys as a backup, and might be moving a big chunk, ~15k or so GHs, over here in a few days. Good work.
MintCondition (Sr. Member, Activity: 322) | November 06, 2011, 05:47:11 AM | #319

Brian, Chunglam, LoupGaroux & Hotdog453: Thanks for your kind words and your generous attitude! As you may have guessed ABCPool is a spare-time-and-money project for us. The support from people like you encourages us to keep improving ABCPool despite whatever setbacks we encounter. So thanks!

Reimbursement
We have a pretty good idea of the people and amounts that went missing. To be sure, we'd like to invite those that have lost funds and have not yet responded through the forum, to PM us with the details.

Chlorine & I have been thinking about how to handle reimbursement in a way that everybody will be happy, and I think we may have found a solution that could have your support. I'll come back to that later this week. First I'd like to talk about some updates on the security front!

SECURITY UPDATE: Moments ago we've activated HTTPS access through https://www.abcpool.co, allowing encrypted access to ABCPool. We did not want to spend the resources for a third-party SSL certificate, so it's self-signed for the time being. That means you'll get a warning, which will disappear when you add our CA to your trusted authorities store. For details: http://www.abcpool.co/faq.php#toc4. On Windows the process is real easy; for other systems.. I have no idea. If you figure it out for your device, don't forget to share it with the rest of us.

Another security feature that will be launched shortly is a permanent payout-address lock.

And as promised earlier, payouts will continue this sunday evening/night.

MC

MintCondition (Sr. Member, Activity: 322) | November 06, 2011, 06:10:22 AM | #320

Quote from: Mad7Scientist
Is the purpose of not having a fee to attract users only to increase the hash rate of the pool, thus making a smoother pool for everyone?
Our intentions were to create a stable pool with a respectable size. We want to introduce fees only as soon as we are confident that our miners get value for their money when mining with us. With the recent improvements we feel that moment is not far away now.
Quote from: Mad7Scientist
For the pool security my idea is this:
Make the PIN only for changing the payout address, password, or PIN. Immediately log out the account on a failed PIN entry.
The PIN-mechanism was inherited from SimpleCoin, and we were never completely satisfied with it. It will either receive a makeover like you suggested or be replaced by a better mechanism. Thanks for your suggestions!

MC
