Possible false alarm: MtGox break in

[julz]

I notified MagicTux through his support email, and he sent back a useless form letter as a reply.

Recently there has been a large increase in the number of “phishing” attacks that have been made against the users of Mt.Gox.
...
We sincerely apologize for the inconvenience our users have suffered at the hands of phishers, and are doing all that we can to prevent further attacks in the future.

Thanks,

MtGox.com Team

I consider this a smoking gun.

What about browsing other sites whilst you are logged into mtgox?  
Due to CSRF attacks - this is something you shouldn't do when you are logged in to an important account.

You can argue that the site should be fully protected against CSRF, especially as this has come up before regarding mtgox - but it's possible there is a regression in this area or even that your specific browser version is contributing to this risk.

 

[1713937799]

1713937799

[1713937799]

1713937799

[1713937799]

1713937799

[1713937799]

1713937799

[fcmatt]

Man in the middle attacks are hard because actually being the in the middle is hard.
Most packets now days go not go through a linux/bsd box or something else with enough of an OS to do such
attacks. Unless you want to portray hackers having enough skills to take over cisco/juniper/extreme/foundry/etc..
switches and routers to actually get in the middle and subvert them enough to do the attack...

CSRF sounds much more plausible especially when this entire forum was abused recently.

[geek-trader]

-a third party is engaging in a cyberwar against bitcoin using man in the middle attacks.

After a lengthy conversation with MagicTux, unless it does turn up that mtgox has been hacked, neither of us can figure out what happened. Its obviously not me and I didn't fall for a phishing expedition, and Im pretty sure its not on his end. His description of security on the new post-hack mtgox is pretty decent. Its not perfect, but he has gone to great lengths to prevent a repeat.

Even if they dumped the password database, the passwords are sufficiently salted and hashed that it is extremely unlikely they grabbed my password first.

I also do not think it is likely the recent DigiNotar or Globalsign break ins have produced SSL certs to attack mtgox with (which WOULD explain this) because mtgox uses EV certs and as far as I know none of the fake certs were for EV, but DigiNotar and Globalsign both DO issue EV certs. Although I am not ruling this out.

DigiNotar knew about the break in for months, and I obviously have logged in since then.

Tux has replaced the missing BTC.

i'm sure at his own expense too.  you should at least say thank you.

i'm sick and tired of ppl blaming mtgox and MagTux as some sort of lying crook.  if he were would he have done this?  as well as bailing out Bitomat and donating many btc to charity and btc businesses?

This.

MtGox makes a shit-ton of money every day.  They know if they lose people's trust this money fountain they have will dry up.  Do you REALLY think they are going to cheat people?

NO.  In fact, it is the exact opposite.  They pay out people out of their pocket to keep our trust.

Everyone always says "follow the money".  In the case of MtGox, it is their best interest to be safe, to be honest, to stay the #1 exchange, AND grow Bitcoin as well.

To think they would skim or cheat for some short term gain when the long term gain is so HUGE for them, is just stupid.

[fastandfurious]

-a third party is engaging in a cyberwar against bitcoin using man in the middle attacks.

After a lengthy conversation with MagicTux, unless it does turn up that mtgox has been hacked, neither of us can figure out what happened. Its obviously not me and I didn't fall for a phishing expedition, and Im pretty sure its not on his end. His description of security on the new post-hack mtgox is pretty decent. Its not perfect, but he has gone to great lengths to prevent a repeat.

Even if they dumped the password database, the passwords are sufficiently salted and hashed that it is extremely unlikely they grabbed my password first.

I also do not think it is likely the recent DigiNotar or Globalsign break ins have produced SSL certs to attack mtgox with (which WOULD explain this) because mtgox uses EV certs and as far as I know none of the fake certs were for EV, but DigiNotar and Globalsign both DO issue EV certs. Although I am not ruling this out.

DigiNotar knew about the break in for months, and I obviously have logged in since then.

Tux has replaced the missing BTC.

Asking once again. Do you use a Yubikey on Mt.Gox?

As Ive said in the past, I do not believe that they improve security.

You are much smarter than "15,000 customers and over a million users in 90 countries" (from the Yubico homepage), becuase you know that a two-factor authentication is just bull shit. Banks use it just for fun. Or maybe you don't know what you are talking about.

[Valhalla1]

Tux has replaced the missing BTC.

oh wow.  How many BTC are we talking about here?  So can I now log in to my own account from some foreign VPN or Tor, withdraw my own bitcoins and claim I was hacked and get free BTC?  Or do I have to have one of those "staff" labels to qualify?  

[stsbrad]

Tux has replaced the missing BTC.

oh wow.  How many BTC are we talking about here?  So can I now log in to my own account from some foreign VPN or Tor, withdraw my own bitcoins and claim I was hacked and get free BTC?  Or do I have to have one of those "staff" labels to qualify?  

+1

[fastandfurious]

I can recommend everyone with a larger amount of BTC/fiat on Mt.Gox to start using a Yubikey, I really think it will make a different security-wise. If anyone can give facts that tells me it is the contrary of my thinking, please tell me.

[fcmatt]

Tux has replaced the missing BTC.

oh wow.  How many BTC are we talking about here?  So can I now log in to my own account from some foreign VPN or Tor, withdraw my own bitcoins and claim I was hacked and get free BTC?  Or do I have to have one of those "staff" labels to qualify?  

+1

did the users who got hacked due to the password file being taken on mtgox and whatever else went on during that time frame get
reimbursed? Why random users and the polish exchange but not all the customers of mtgox? Hey.. i felt like piling in.

[fcmatt]

I can recommend everyone with a larger amount of BTC/fiat on Mt.Gox to start using a Yubikey, I really think it will make a different security-wise. If anyone can give facts that tells me it is the contrary of my thinking, please tell me.

It does appear it would stop a lot of the most common attacks that take place around here when it comes to mtgox.
Now if an attacker has control of the mysql db as well as possible write permits to the file system.. I do not think a yubikey
will matter much.

[fastandfurious]

I can recommend everyone with a larger amount of BTC/fiat on Mt.Gox to start using a Yubikey, I really think it will make a different security-wise. If anyone can give facts that tells me it is the contrary of my thinking, please tell me.

It does appear it would stop a lot of the most common attacks that take place around here when it comes to mtgox.
Now if an attacker has control of the mysql db as well as possible write permits to the file system.. I do not think a yubikey
will matter much.

I understand that is not 100 % secure, nothing is. But having said that it will make it much harder if we think Mt.Gox is using a two-factor authentication plus having a secure site that together gives a very high security level. This is the way banks does it, and last I looked they are still in business.

[cypherdoc]

Tux has replaced the missing BTC.

oh wow.  How many BTC are we talking about here?  So can I now log in to my own account from some foreign VPN or Tor, withdraw my own bitcoins and claim I was hacked and get free BTC?  Or do I have to have one of those "staff" labels to qualify?  

he spent 17000 BTC bailing out Bitomat.  he could've just let them and their btc holders die on the vine and he would've been better off than buying a worthless exchange.

[fastandfurious]

I have to say one more thing. It is not right to bail out some (because they are a staff member on Bitcoin forum etc.) ans let others that get hacked for different reasons get nothing. This sounds to me like what the Federal Reserve did and are doing today, they bailed out friends/banks with trillions of dollars of interest free/low interest money and let "Main street" take the hit.

[DiabloD3]

-a third party is engaging in a cyberwar against bitcoin using man in the middle attacks.

After a lengthy conversation with MagicTux, unless it does turn up that mtgox has been hacked, neither of us can figure out what happened. Its obviously not me and I didn't fall for a phishing expedition, and Im pretty sure its not on his end. His description of security on the new post-hack mtgox is pretty decent. Its not perfect, but he has gone to great lengths to prevent a repeat.

Even if they dumped the password database, the passwords are sufficiently salted and hashed that it is extremely unlikely they grabbed my password first.

I also do not think it is likely the recent DigiNotar or Globalsign break ins have produced SSL certs to attack mtgox with (which WOULD explain this) because mtgox uses EV certs and as far as I know none of the fake certs were for EV, but DigiNotar and Globalsign both DO issue EV certs. Although I am not ruling this out.

DigiNotar knew about the break in for months, and I obviously have logged in since then.

Tux has replaced the missing BTC.

I believe that fraudulent EV certificates were issued.

For reasons unrelated to this, I would like to have this citation notated.

[Valhalla1]

Tux has replaced the missing BTC.

oh wow.  How many BTC are we talking about here?  So can I now log in to my own account from some foreign VPN or Tor, withdraw my own bitcoins and claim I was hacked and get free BTC?  Or do I have to have one of those "staff" labels to qualify?  

he spent 17000 BTC bailing out Bitomat.  he could've just let them and their btc holders die on the vine and he would've been better off than buying a worthless exchange.

so is that a 'yes' answer to my question?  Awesome, everybody load up, bitcoin bailouts for all!

[DiabloD3]

I have to say one more thing. It is not right to bail out some (because they are a staff member on Bitcoin forum etc.) ans let others that get hacked for different reasons get nothing. This sounds to me like what the Federal Reserve did and are doing today, they bailed out friends/banks with trillions of dollars of interest free/low interest money and let "Main street" take the hit.

As a supporter of Ron Paul, that is the most slanderous and insulting thing I've seen said on this message board in awhile.

As it stands, there are no other people reporting account problems. I still believe I was targeted because I'm a well known face for the Bitcoin community and a developer of software that is used in conjunction with Bitcoin frequently.

[cypherdoc]

I have to say one more thing. It is not right to bail out some (because they are a staff member on Bitcoin forum etc.) ans let others that get hacked for different reasons get nothing. This sounds to me like what the Federal Reserve did and are doing today, they bailed out friends/banks with trillions of dollars of interest free/low interest money and let "Main street" take the hit.

except that the Fed uses USD it prints up out of thin air at taxpayer expense via devaluation of the USD.  MagTux used his own BTC. 

[DiabloD3]

Tux has replaced the missing BTC.

oh wow.  How many BTC are we talking about here?  So can I now log in to my own account from some foreign VPN or Tor, withdraw my own bitcoins and claim I was hacked and get free BTC?  Or do I have to have one of those "staff" labels to qualify?  

he spent 17000 BTC bailing out Bitomat.  he could've just let them and their btc holders die on the vine and he would've been better off than buying a worthless exchange.

$60 USD worth. It was a trivial amount, I was more worried about a large scale attack, which doesn't seem to be underway. Its better to warn everyone instead of sit on the information. I'm glad I was the only one hit so far.

[tvbcof]

This was yesterday in the MtGox IRC channel:

17:31 < kinlo> there is something wrong, how can it have gone above 10 when my sell order at 8 didn't occur?
17:31 < molecular> it didnt reall go above 10, I assume
17:31 < Ymgve> kinlo: bugs, the orders didn't happen or there was something wrong in the matching algorithm
17:32 < kinlo> MagicalTux: ?
17:32 < molecular> likely has to do with the "new currency markets"
17:32 <@MagicalTux> no
17:32 <@MagicalTux> has to do with hackers trying their best to do stuff normal people wouldn't by dropping large amounts of stolen funds/coins

...

17:35 < molecular> flushing bad orders? How do I make a "bad sell order" at 30 USD? ^^
17:35 < xelister> molecular: =)
17:35 <@MagicalTux> molecular, I blocked ~2000 accounts created most likely for the purpose of killing bitcoin on 9/11
17:35 <@MagicalTux> their trades do remain however
17:35 < molecular> MagicalTux, holy moly!
17:35 <@MagicalTux> but they cannot execute, causing weird results

I must say, it would take balls of steel to fuck with people who have stolen a large amount of money and wish to capitalize.  If one does not have a pretty good sense of their dispositions and means at least.  That would be a much bigger commitment to Bitcoin than I could ever muster.

[fastandfurious]

I have to say one more thing. It is not right to bail out some (because they are a staff member on Bitcoin forum etc.) ans let others that get hacked for different reasons get nothing. This sounds to me like what the Federal Reserve did and are doing today, they bailed out friends/banks with trillions of dollars of interest free/low interest money and let "Main street" take the hit.

except that the Fed uses USD it prints up out of thin air at taxpayer expense via devaluation of the USD.  MagTux used his own BTC. 

The principle is the same. If he just bails out some people, the others have to pay for that through higher trading fees, trading fees that in theory could have been lower because bailing out is a cost that in the end has to be taking from somewhere.

[DiabloD3]

I can recommend everyone with a larger amount of BTC/fiat on Mt.Gox to start using a Yubikey, I really think it will make a different security-wise. If anyone can give facts that tells me it is the contrary of my thinking, please tell me.

It does appear it would stop a lot of the most common attacks that take place around here when it comes to mtgox.
Now if an attacker has control of the mysql db as well as possible write permits to the file system.. I do not think a yubikey
will matter much.

I will expand on this. If someone gains control of mtgox, the attacker can just alter logs and dbs to make it appear that users are doing it themselves with little to no evidence that the machine was broken into.

Magic hardware oracles only make it harder for attackers to attack from the perspective of the user. They are also not perfect due to lack of public third party auditing. The one RSA produces and is used by secure government and corporate facilities and was recently defeated.

tl;dr: It prevents attacks like keylogging, it doesn't prevent attacking mtgox itself.