hl5460 (OP)
Legendary
Offline
Activity: 1621
Merit: 1000
news.8btc.com
September 26, 2014, 03:27:14 AM
Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?
Yeah - they got 'hacked'.
I would agree with what you are implying. If an exchange is offering interest on bitcoin deposits then they are giving incentives for people to hold bitcoin at their exchange. They do this so when they eventually do run away with customer funds they have more money to run away with.
BTCT is not an interest-bearing exchange. It's more like Taobao, allowing merchants to open shops and accept bitcoin as payment.
mkc
September 26, 2014, 06:05:05 AM
This is sad. But again, bitcoin should be placed offline, with Electrum.
neha
September 26, 2014, 06:12:35 AM
This is sad. But again, bitcoin should be placed offline, with Electrum.
The fact is that offline is not possible for service providers, as customers expect instant transfers, which is not possible with offline storage. Thus a combination of hot and cold works.
neha
September 26, 2014, 06:16:10 AM
Well, as their website is offline, I can neither confirm nor deny my suspicion.
However, the general notion is that anyone willing to give you bitcoin interest for the privilege of holding onto your bitcoins (i.e. 'interest-bearing accounts') is likely engaging in partial reserve banking. IOW, they don't have all the bitcoins that clients have on deposit.....
I thought it was a service similar to BitPay for China, thus I highly doubt they are offering interest. It's not possible to give out interest unless the bitcoins are invested, which would completely defy the objective of a payment processor. If suddenly all the customers want their money back, the service provider would be screwed.
LuaPod
Newbie
Offline
Activity: 28
Merit: 0
September 26, 2014, 10:31:37 AM (Last edit: September 26, 2014, 10:46:31 AM by LuaPod)
When the companies are supposed to store most of their funds in cold wallets, how is it possible that they lose so much in funds? Alternatively, if 107 BTC only accounts for, let's say, 3-5%, which might be kept in the hot wallet, then it shouldn't matter, as the company should be able to pay back their customers, if not instantly, then within some time from their operating income.
The fact however remains that if a webserver has access to the wallets, there is always a possibility of hacking. There is not much any of us can do as the hacks keep evolving, and if you don't know about a vulnerability, then there is not much you can do to prevent it. It's not like the crypto companies are as big as Google that they can be on top of everything. Thus, the only option is to sever the link between the webserver and the wallet server and still make them talk somehow. It's very difficult to do but possible.
YOU ARE EXACTLY RIGHT! The reason exchanges keep getting hacked is because their webservers have some sort of access to the MONEY. Take a look at LuaPod if this is your type of area. I have already completely separated the handling of users' money from the webserver. The webserver actually has no permission to handle anybody's money. It only builds and signs requests. EVEN though a request is signed, that doesn't mean the backend server accepts it as true. The backend does its own check on the information. You can read up a little bit on how it works at the index page: http://luapod-web.cloudapp.net/index.lua
If I wanted to I could have my computer running a VPS with 13 GB of RAM allotted and close all ports, with outbound requests only. I could then use that virtual machine to run the wallets. No ports being forwarded or any direct communications from anything. The servers decide their job based off of the MySQL database they are connected to through a virtual network that is hub-and-spoke managed.
neha
September 26, 2014, 11:00:02 AM
If I wanted to I could have my computer running a VPS with 13 GB of RAM allotted and close all ports, with outbound requests only. I could then use that virtual machine to run the wallets. No ports being forwarded or any direct communications from anything. The servers decide their job based off of the MySQL database they are connected to through a virtual network that is hub-and-spoke managed.
It's actually a little more complicated, because if your webserver has access to the MySQL DB, then I could hypothetically just go and make changes in MySQL and take all your funds. You need to think how to ensure that even if I get access to the MySQL DB connected to the webserver, I shouldn't be able to cause any damage financially.
newyorker91
Newbie
Offline
Activity: 22
Merit: 0
September 26, 2014, 11:40:45 AM
Let me guess. BTCT is one of those exchanges that tries to attract deposits via interest-bearing accounts?
Yeah - they got 'hacked'.
True. It's hard to prove who hacked and how, and you get all the money. Perfect plan with 100% profit.
LuaPod
Newbie
Offline
Activity: 28
Merit: 0
September 26, 2014, 12:13:59 PM (Last edit: September 26, 2014, 12:39:13 PM by LuaPod)
If I wanted to I could have my computer running a VPS with 13 GB of RAM allotted and close all ports, with outbound requests only. I could then use that virtual machine to run the wallets. No ports being forwarded or any direct communications from anything. The servers decide their job based off of the MySQL database they are connected to through a virtual network that is hub-and-spoke managed.
It's actually a little more complicated, because if your webserver has access to the MySQL DB, then I could hypothetically just go and make changes in MySQL and take all your funds. You need to think how to ensure that even if I get access to the MySQL DB connected to the webserver, I shouldn't be able to cause any damage financially.
How could you make changes with a SQL user that has no write access to any of the finance tables nor any direct access to methods manipulating balances? If you were to read the description on the front page, it clearly states that the SQL gives no permissions to the front-end except to view user information and to view balance information. It can submit a request to be processed by the back end server that is structured like create/trade/5/1000/100/5 and is signed and encrypted. Even if you managed to figure out the signing and encryption, the backend servers do another check to verify the trade is even allowed to be created. The servers are all on a closed network with communication enabled ONLY to the SQL database. Each server has its own SQL user with its own permissions. To even prove that you lacked the true effort of reading, here is an excerpt from the main page: [The webserver must only be capable of reading information and relaying commands without having any direct access or direct command of the wallets. Any transactions believed to be taking place on the website are in fact not taking place on the website. The user's input is checked and their balances verified; then the system puts forth a structured request that is then processed by the Wallets server.] ANOTHER THING IS you can't just change a balance on this. If you change the balance on any transaction, the system comes to a halt (because it detects that there is a discrepancy between the information inside the account balance and the signature for the transaction that has been changed). NOT ONLY does it know that it has been changed, but it knows what it was changed from.
So through a type of persistence I can also keep transactions from being deleted.
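The design LuaPod describes above (a web tier whose DB user can only read, which builds and signs a structured request; a backend that checks the signature and then independently re-checks the balance; stored balances bound to a signature so that a direct edit halts processing) sketched as an added Python example. This is not LuaPod's code, and it assumes HMAC-SHA256 for both the request signature and a per-row ledger MAC, with an in-memory list standing in for the MySQL finance tables. It also illustrates neha's point: a compromised web tier can sign any request it likes, so the backend's own balance check and the chained ledger are what bound the damage.

```python
import hashlib
import hmac

# Constructed keys for this example (not the project's): the request key is shared
# by the web tier and the backend, the ledger key never leaves the backend host.
REQUEST_KEY = b"example-web-tier-request-key"
LEDGER_KEY = b"example-backend-only-ledger-key"

def mac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def sign_request(action, user, amount, key=REQUEST_KEY):
    """Web tier: build a structured request such as 'withdraw/alice/40' and sign it."""
    msg = f"{action}/{user}/{amount}"
    return msg, mac(key, msg)

class Ledger:
    """Append-only balance ledger: each row's MAC covers the previous row's MAC, so
    editing a stored balance or deleting a row breaks the chain and is detected."""
    def __init__(self, key=LEDGER_KEY):
        self.key = key
        self.rows = []  # each row: {"user", "delta", "balance", "mac"}

    def _row_mac(self, prev, user, delta, balance):
        return mac(self.key, f"{prev}|{user}|{delta}|{balance}")

    def verify(self):
        prev = "genesis"
        for i, r in enumerate(self.rows):
            expect = self._row_mac(prev, r["user"], r["delta"], r["balance"])
            if not hmac.compare_digest(r["mac"], expect):
                raise ValueError(f"row {i} does not match its signature")
            prev = r["mac"]

    def balance(self, user):
        # Recomputed from the signed deltas, never read back from the balance column.
        return sum(r["delta"] for r in self.rows if r["user"] == user)

    def append(self, user, delta):
        prev = self.rows[-1]["mac"] if self.rows else "genesis"
        bal = self.balance(user) + delta
        self.rows.append({"user": user, "delta": delta, "balance": bal,
                          "mac": self._row_mac(prev, user, delta, bal)})

def process_withdrawal(ledger, msg, sig):
    """Backend: check the web tier's signature, then re-check the rule itself."""
    if not hmac.compare_digest(sig, mac(REQUEST_KEY, msg)):
        return "rejected: bad signature"
    ledger.verify()  # halt before any money moves if a stored row was altered
    action, user, amount = msg.split("/")
    amount = int(amount)
    if action != "withdraw" or not 0 < amount <= ledger.balance(user):
        return "rejected: not permitted by backend check"
    ledger.append(user, -amount)
    return "ok"
```

The request format here carries no nonce, so a captured signed request could be replayed; a production version would include a sequence number that the backend records and refuses to accept twice.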
RustyNomad
September 26, 2014, 12:19:27 PM
Somewhere in the near future.....
"The highest paying tech related job according to our latest survey is that of a Bitcoin Security Expert....."
OrientA
September 26, 2014, 12:36:58 PM
I'll never trust any online service, be that a wallet and/or an exchange.
All boast 100% secure and whatnot, but this just goes to show again that if there is a will there is a way.
Agreed, how can you achieve "Security and control over your money" when you are trusting somebody else with it (Counter-party risk)? I store most in my own wallet.
neha
September 26, 2014, 12:38:43 PM
If I wanted to I could have my computer running a VPS with 13 GB of RAM allotted and close all ports, with outbound requests only. I could then use that virtual machine to run the wallets. No ports being forwarded or any direct communications from anything. The servers decide their job based off of the MySQL database they are connected to through a virtual network that is hub-and-spoke managed.
It's actually a little more complicated, because if your webserver has access to the MySQL DB, then I could hypothetically just go and make changes in MySQL and take all your funds. You need to think how to ensure that even if I get access to the MySQL DB connected to the webserver, I shouldn't be able to cause any damage financially.
How could you make changes with a SQL user that has no write access to any of the finance tables nor any direct access to methods manipulating balances? If you were to read the description on the front page, it clearly states that the SQL gives no permissions to the front-end except to view user information and to view balance information. It can submit a request to be processed by the back end server that is structured like create/trade/5/1000/100/5 and is signed and encrypted. Even if you managed to figure out the signing and encryption, the backend servers do another check to verify the trade is even allowed to be created. The servers are all on a closed network with communication enabled ONLY to the SQL database. Each server has its own SQL user with its own permissions. To even prove that you lacked the true effort of reading, here is an excerpt from the main page: [The webserver must only be capable of reading information and relaying commands without having any direct access or direct command of the wallets. Any transactions believed to be taking place on the website are in fact not taking place on the website. The user's input is checked and their balances verified; then the system puts forth a structured request that is then processed by the Wallets server.]
Trust me, I read, but the fact is that if there is no way to write something in a DB, then how will the user modify data? You cannot expect to provide manual intervention to each and every data entry. Again, if someone hacks the server, the purpose won't be to perform trades but to perform withdrawals.
How have you designed your system so that you know for sure that the incoming request is true and is also automated? You don't need to tell everyone, but you do need to think. Also, for this argument, assume that I have hacked the webserver and I know exactly your DB username and password, and even if the DB server is on an internal network, I can still access it using the webserver SSH. Moreover, most probably if I have SSH access to the webserver, I will know exactly your DB encryption passwords.
LuaPod
Newbie
Offline
Activity: 28
Merit: 0
September 26, 2014, 12:41:36 PM
If I wanted to I could have my computer running a VPS with 13 GB of RAM allotted and close all ports, with outbound requests only. I could then use that virtual machine to run the wallets. No ports being forwarded or any direct communications from anything. The servers decide their job based off of the MySQL database they are connected to through a virtual network that is hub-and-spoke managed.
It's actually a little more complicated, because if your webserver has access to the MySQL DB, then I could hypothetically just go and make changes in MySQL and take all your funds. You need to think how to ensure that even if I get access to the MySQL DB connected to the webserver, I shouldn't be able to cause any damage financially.
How could you make changes with a SQL user that has no write access to any of the finance tables nor any direct access to methods manipulating balances? If you were to read the description on the front page, it clearly states that the SQL gives no permissions to the front-end except to view user information and to view balance information. It can submit a request to be processed by the back end server that is structured like create/trade/5/1000/100/5 and is signed and encrypted. Even if you managed to figure out the signing and encryption, the backend servers do another check to verify the trade is even allowed to be created. The servers are all on a closed network with communication enabled ONLY to the SQL database. Each server has its own SQL user with its own permissions. To even prove that you lacked the true effort of reading, here is an excerpt from the main page: [The webserver must only be capable of reading information and relaying commands without having any direct access or direct command of the wallets. Any transactions believed to be taking place on the website are in fact not taking place on the website. The user's input is checked and their balances verified; then the system puts forth a structured request that is then processed by the Wallets server.]
Trust me, I read, but the fact is that if there is no way to write something in a DB, then how will the user modify data? You cannot expect to provide manual intervention to each and every data entry. Again, if someone hacks the server, the purpose won't be to perform trades but to perform withdrawals.
How have you designed your system so that you know for sure that the incoming request is true and is also automated? Also, for this argument, assume that I have hacked the webserver and I know exactly your DB username and password, and even if the DB server is on an internal network, I can still access it using the webserver SSH. Moreover, most probably if I have SSH access to the webserver, I will know exactly your DB encryption passwords.
I will give you the username and password for the DB right now:
Mysql_User = "front-end"
Mysql_Pass = "m1taLu4ayu84vO7eVu27JOw1vIk7mo"
Mysql_Host = "25.15.147.88"
DNS NAME luapod-sql.cloudapp.net
HOST NAME LuaPod-Sql
PUBLIC VIRTUAL IP (VIP) ADDRESS 191.238.226.47
There you go. I already thought of the things you have said. The system is secure enough that I can give a hacker the MySQL information and they would be incapable of financially harming me NOR revealing private user information other than email addresses. The funny thing is you still couldn't get access to the database. Also, the database isn't encrypted. The signature and hash passwords are entered upon each server boot. You would have to intercept me trying to boot the software. But good luck getting past the Subversion code control with code signing.
neha
September 26, 2014, 12:47:21 PM
I will give you the username and password for the DB right now
Mysql_User = "front-end" Mysql_Pass = "m1taLu4ayu84vO7eVu27JOw1vIk7mo" Mysql_Host = "25.15.147.88"
There you go. I already thought of the things you have said. The system is secure enough that I can give a hacker the mysql information and they would be incapable of financially harming me NOR revealing private user information other than email addresses.
The funny thing is you still couldn't get access to the database.
Man, I am not challenging you, nor do I have the time to go hack. We are discussing a topic and this is a pure discussion, maybe to help someone. Also, if you really want to test out your security by disclosing passwords, I suggest you give out your password for your webserver and then see the magic happen. I am sure someone in the forum might be interested.
LuaPod
Newbie
Offline
Activity: 28
Merit: 0
September 26, 2014, 12:49:15 PM (Last edit: September 26, 2014, 01:01:02 PM by LuaPod)
I will give you the username and password for the DB right now
Mysql_User = "front-end" Mysql_Pass = "m1taLu4ayu84vO7eVu27JOw1vIk7mo" Mysql_Host = "25.15.147.88"
There you go. I already thought of the things you have said. The system is secure enough that I can give a hacker the mysql information and they would be incapable of financially harming me NOR revealing private user information other than email addresses.
The funny thing is you still couldn't get access to the database.
Man, I am not challenging you, nor do I have the time to go hack. We are discussing a topic and this is a pure discussion, maybe to help someone. Also, if you really want to test out your security by disclosing passwords, I suggest you give out your password for your webserver and then see the magic happen. I am sure someone in the forum might be interested.
Server Login:
justin7674 HACKMEPLEASEorz94358
#Wastingmylifewaitingformagic
I have 1 bitcoin on that server. Almost EVERY btc exchange hack is the stupidity of the creator and programmer.
PASSWORD WILL REMAIN THE PREVIOUS SAID FOR A MONTH
neha
September 26, 2014, 01:05:42 PM
Server Login:
justin7674 HACKMEPLEASEorz94358
#Wastingmylifewaitingformagic
I have 1 bitcoin on that server. Almost EVERY btc exchange hack is the stupidity of the creator and programmer.
PASSWORD WILL REMAIN THE PREVIOUS SAID FOR A MONTH
BOLD !!!
LuaPod
Newbie
Offline
Activity: 28
Merit: 0
September 26, 2014, 01:09:06 PM
Server Login:
justin7674 HACKMEPLEASEorz94358
#Wastingmylifewaitingformagic
I have 1 bitcoin on that server. Almost EVERY btc exchange hack is the stupidity of the creator and programmer.
PASSWORD WILL REMAIN THE PREVIOUS SAID FOR A MONTH
BOLD !!!
I have spent a year racking my brain on this. I have pretty good confidence in its security and stability (except that the webserver currently doesn't have DDoS protection turned on). So much faith that even with the authentication given out, I believe that it is still safe.
cassieheart
September 26, 2014, 01:14:27 PM
https://www.youtube.com/watch?v=lu3VTngm1F0
Server Login:
justin7674 HACKMEPLEASEorz94358
#Wastingmylifewaitingformagic
I have 1 bitcoin on that server. Almost EVERY btc exchange hack is the stupidity of the creator and programmer.
PASSWORD WILL REMAIN THE PREVIOUS SAID FOR A MONTH
BOLD !!!
I have spent a year racking my brain on this. I have pretty good confidence in its security and stability (except that the webserver currently doesn't have DDoS protection turned on). So much faith that even with the authentication given out, I believe that it is still safe.
LuaPod
Newbie
Offline
Activity: 28
Merit: 0
September 26, 2014, 01:18:31 PM
neurotypical
September 26, 2014, 01:34:28 PM
This is getting ridiculous. It would be cool to have some kind of graphics or statistics about stolen coins in similar services. I think I'm going to have everything in Bitcoin-Qt and forget about it. Too much risk.