busoni (OP)
Sr. Member
Offline
Activity: 364
Merit: 250
Owner of Poloniex
May 03, 2014, 05:03:12 AM
mugwampbro, I hear you, I really do. I haven't been able to duplicate the log-out issue, and I will change the Captcha. But I need to get the site running again first.
Let me ask you guys this -- is there any defense against incompetent systems administrators? They decided this guy was me. Are they going to say "sorry, you're locked out forever"?
Poloniex.com - Fast crypto exchange with margin trading, advanced charts, and stop-limit orders

getmining.info
May 03, 2014, 05:05:09 AM
Nobody else is concerned that this person was able to ssh to the server without firewall rules blocking him?
Sounds like the only reason anyone even knew what was going on was due to the entire server being down and a bunch of wallets being offline.
Who said anyone was able to SSH into the server without firewall rules blocking him? Stop spreading garbage. What happened was an attacker used social engineering to gain root access to a wallet server. This was made possible by absolutely jaw-dropping negligence on the part of the hosting provider.
All views are my own, except those that I have subconsciously inherited from my parents and those that I have nicked from far cleverer people.

chiznitz
May 03, 2014, 05:09:57 AM
Nobody else is concerned that this person was able to ssh to the server without firewall rules blocking him?
Sounds like the only reason anyone even knew what was going on was due to the entire server being down and a bunch of wallets being offline.
Who said anyone was able to SSH into the server without firewall rules blocking him? Stop spreading garbage. What happened was an attacker used social engineering to gain root access to a wallet server. This was made possible by absolutely jaw-dropping negligence on the part of the hosting provider.
Ok. How do you access your servers? Console access? That's not locked down via ip then either? So I can login from anywhere in the world?
Yes, you can't stop bad system admins from making mistakes but you CAN also limit damage in other ways. In this case maybe not, but without locking things down to known good IPs, you are missing a very basic security feature that can give a huge increase over not doing it.
So please, "Stop spreading garbage" as this was a basic query for information on how it could happen if network level firewall rules are in place, which they should be.

YoyodyneSystems
Legendary
Offline
Activity: 1386
Merit: 1023
May 03, 2014, 05:11:56 AM
Set up a protocol with your new host so that every time you want to enter recovery mode or anything of that nature - they MUST call you at the phone number you provided upon signup. And that phone number cannot ever be changed unless you provide payment details and the like. And if that phone number is changed they must call the old one to make sure you changed it.
That would solve it. Well... it would if it was followed 100% of the time.
The only other solution would be on-site servers in your own offices or a locked cage at the datacenter. Where there is a physical restriction to the servers. Which is obviously far more expensive.

mugwampbro
May 03, 2014, 05:12:43 AM
mugwampbro, I hear you, I really do. I haven't been able to duplicate the log-out issue, and I will change the Captcha. But I need to get the site running again first.
Let me ask you guys this -- is there any defense against incompetent systems administrators? They decided this guy was me. Are they going to say "sorry, you're locked out forever"?
Thank you.. I figured you cared cause you did at least ask all the trollers. I don't think it is a Firefox issue, because it doesn't happen to me on MP, c-cex or Bittrex.

tripppn
May 03, 2014, 05:13:57 AM Last edit: May 03, 2014, 05:24:05 AM by tripppn
Is the trollbox really just an irc chan we can join? I need my fix and I'm pretty sure I'm not alone.
Screw it.. I made my own... #polotrollbox
Nevermind... everyone seems to be gathering here: #poloniextraders
“You can't be a real country unless you have a beer and an airline - it helps if you have some kind of football team, or some nuclear weapons, but in the very least you need a beer.” ― Frank Zappa

Kuttingcorners
May 03, 2014, 05:18:28 AM
when do you expect to be back online?

ibfragalot
Member
Offline
Activity: 98
Merit: 10
May 03, 2014, 05:19:05 AM
Can't...live...without...polo & trollboxxxx

chiznitz
May 03, 2014, 05:19:13 AM
Anyways, sounds like maybe the box was brought up on a separate network without the firewall rules or maybe the user was given access to the entire account and not just a single box.
In the end all that matters is our coins are safe.
But please do the above mentioned questions etc for account recovery and lock down all access to your accounts via associated IPs as well.
The bad guys will always find a way but it's our job to make them work harder.

getmining.info
May 03, 2014, 05:22:32 AM
Ok. How do you access your servers? Console access? That's not locked down via ip then either? So I can login from anywhere in the world?
Yes, you can't stop bad system admins from making mistakes but you CAN also limit damage in other ways. In this case maybe not, but without locking things down to known good IPs, you are missing a very basic security feature that can give a huge increase over not doing it.
So please, "Stop spreading garbage" as this was a basic query for information on how it could happen if network level firewall rules are in place, which they should be.
I VPN with both certificates & passwords, in some cases also with RSA. Never locked down to IP, so yes from anywhere in the world. The culprit was able to fool an incompetent sys admin into allowing him access. Probably via console, yes, or by tearing down the firewall, changing the passphrase, etc. At this point we don't know if it was a dedicated or VPS. Garbage might have been the wrong word. Please, stop fear mongering.
All views are my own, except those that I have subconsciously inherited from my parents and those that I have nicked from far cleverer people.

Faura888
Member
Offline
Activity: 70
Merit: 10
May 03, 2014, 05:23:53 AM
So sick!!! I'm sure they want to hack XBC! wc and some other coins were frozen since 2 days too. fucking hackers! go to hell!

ErnieRox
Full Member
Offline
Activity: 222
Merit: 101
Novus ordo seclorum
May 03, 2014, 05:30:48 AM
this sucks ass, no friday night trade action

Rawdawg-
Member
Offline
Activity: 112
Merit: 10
May 03, 2014, 05:32:29 AM
Ok. How do you access your servers? Console access? That's not locked down via ip then either? So I can login from anywhere in the world?
Yes, you can't stop bad system admins from making mistakes but you CAN also limit damage in other ways. In this case maybe not, but without locking things down to known good IPs, you are missing a very basic security feature that can give a huge increase over not doing it.
So please, "Stop spreading garbage" as this was a basic query for information on how it could happen if network level firewall rules are in place, which they should be.
I VPN with both certificates & passwords, in some cases also with RSA. Never locked down to IP, so yes from anywhere in the world. The culprit was able to fool an incompetent sys admin into allowing him access. Probably via console, yes, or by tearing down the firewall, changing the passphrase, etc. At this point we don't know if it was a dedicated or VPS. Garbage might have been the wrong word. Please, stop fear mongering.
I was going to stay quiet in this, however seeing that you are trying to censor people who have legitimate concerns, and I happen to have a few BTC worth of coins on your exchange, I think it's time to say something.
#1. It's not "fear mongering" if he is speaking the truth, he is just asking questions/making statements that YOU don't like, therefore it's "FUD".
#2. You are too easily passing the blame on to the Sys admin, your site has already been hacked once and lost money that you then ILLEGALLY created debt instruments to get back the money that your incompetence lost in the first place.
#3. Chiz is the guy that I talk to when I have a question about security for any of my sites, so if I were you I would be asking him for help or to tell you how he might fix an issue like this so it never happens again, not just calling him a "fear mongerer".
TLDR, don't be a douchebag and listen when people ask you questions. You haven't learned from the last hack, so start learning now or shut down your exchange.

ibfragalot
Member
Offline
Activity: 98
Merit: 10
May 03, 2014, 05:36:32 AM
Yeah, it's an awesome exchange but nobody can run something so big alone man. You need to get a crew on board, a security specialist. Don't let your pride ruin the magic you have created!

seek4dream
May 03, 2014, 05:40:42 AM
poloniex doesn't work for me most of the time recently. Am I alone?

byteflush
May 03, 2014, 05:54:25 AM
poloniex doesn't work for me most of the time recently. Am I alone?
Yep, it's just you. It works for everyone else.

Hash72
Sr. Member
Offline
Activity: 294
Merit: 250
★YoBit.Net★ 350+ Coins Exchange & Dice
May 03, 2014, 06:28:23 AM
All funds are safe. Poloniex does use cold wallets.
What happened was an attacker used social engineering to gain root access to a wallet server. This was made possible by absolutely jaw-dropping negligence on the part of the hosting provider. Fortunately, I caught the attempt in time and was able to shut down the server before anything was taken. All BTC has been moved into cold storage, and the next step is to set up a new server with a different provider.
Please stop sending BTC to your old BTC deposit addresses. The funds will not be lost, but all new addresses must be generated, as I must assume the old wallet is compromised. It is very unlikely that it was, but "unlikely" is not good enough.
I appreciate everyone's patience while I take proper security measures before bringing the exchange back online.
Thanks for the clarification. Because of the honesty you have, many trust you, and a few will attempt to attack. Good luck... we will wait.

Wolf Rainer
Legendary
Offline
Activity: 1960
Merit: 1022
May 03, 2014, 06:30:02 AM
I need to buy more coins and the trollbox!

Jonesd
Legendary
Offline
Activity: 1876
Merit: 1014
May 03, 2014, 06:38:08 AM
All funds are safe. Poloniex does use cold wallets.
What happened was an attacker used social engineering to gain root access to a wallet server. This was made possible by absolutely jaw-dropping negligence on the part of the hosting provider. Fortunately, I caught the attempt in time and was able to shut down the server before anything was taken. All BTC has been moved into cold storage, and the next step is to set up a new server with a different provider.
Please stop sending BTC to your old BTC deposit addresses. The funds will not be lost, but all new addresses must be generated, as I must assume the old wallet is compromised. It is very unlikely that it was, but "unlikely" is not good enough.
I appreciate everyone's patience while I take proper security measures before bringing the exchange back online.
Thanks for the clarification. Because of the honesty you have, many trust you, and a few will attempt to attack. Good luck... we will wait.
Thanks for the honesty indeed! Good luck!
Co-Founder and Managing Partner of Block Bastards

Sierpazo
Newbie
Offline
Activity: 50
Merit: 0
May 03, 2014, 06:50:21 AM
It's over...