Bitcoin Forum
Author Topic: [Emergency ANN] Bitcoinica site is taken offline for security investigation  (Read 133568 times)
Clipse (SCAMMER) | Hero Member | Activity: 504
May 17, 2012, 11:25:27 PM  #921

Posted in the apology thread: https://claims.bitcoinica.com/

...In the land of the stale, the man with one share is king... >> Clipse

We pay miners at 130% PPS | Signup here : Bonus PPS Pool (Please read OP to understand the current process)
muyuu | Donator, Hero Member | Activity: 770
May 17, 2012, 11:35:30 PM  #922

Quote from: Clipse
Posted in the apology thread: https://claims.bitcoinica.com/

That totally looks like it needed 5 solid days of team work  Grin

 Wink Sorry... just on the wind up a bit before going to sleep.

GPG ID: 7294199D - OTC ID: muyuu (470F97EB7294199D)
forum tea fund BTC 1Epv7KHbNjYzqYVhTCgXWYhGSkv7BuKGEU DOGE DF1eTJ2vsxjHpmmbKu9jpqsrg5uyQLWksM CAP F1MzvmmHwP2UhFq82NQT7qDU9NQ8oQbtkQ
coinft | Full Member | Activity: 174
May 17, 2012, 11:44:15 PM  #923

Quote from: Clipse
Posted in the apology thread: https://claims.bitcoinica.com/

How can we be sure this page is legit? No official post here, and not even a link to it on www.bitcoinica.com. I don't feel good giving this information to anyone who might be able to divert a DNS record.

-coinft
DeathAndTaxes | Donator, Hero Member | Activity: 966
May 17, 2012, 11:50:12 PM  #924

Quote from: coinft
How can we be sure this page is legit? No official post here, and not even a link to it on www.bitcoinica.com. I don't feel good giving this information to anyone who might be able to divert a DNS record.

If they could divert a DNS record .... wouldn't that mean they could also spoof the www.bitcoinica.com page only? Smiley

Gerald Davis  CEO, Tangible Cryptography Inc.
BitSimple. A simpler way to buy and sell bitcoins
zhoutong | VIP, Hero Member | Activity: 490
May 17, 2012, 11:55:50 PM  #925

Quote from: DeathAndTaxes
If they could divert a DNS record .... wouldn't that mean they could also spoof the www.bitcoinica.com page only? Smiley

They didn't divert a DNS record. The hacker manipulated our load balancer (which acts like a reverse proxy) to some site that I'm not supposed to access.

Founder of NameTerrific (https://www.nameterrific.com/). Co-founder of CoinJar (https://coinjar.io/)

Donations for my future Bitcoin projects: 19Uk3tiD5XkBcmHyQYhJxp9QHoub7RosVb
coinft | Full Member | Activity: 174
May 18, 2012, 12:16:50 AM  #926

Quote from: zhoutong
They didn't divert a DNS record. The hacker manipulated our load balancer (which acts like a reverse proxy) to some site that I'm not supposed to access.

What? Is this site safe to submit a claim or not? Because after your post in the apology thread I already did.

@DnT: www points to a blogspot google IP.

-coinft.
zhoutong | VIP, Hero Member | Activity: 490
May 18, 2012, 12:28:05 AM  #927

Quote from: coinft
What? Is this site safe to submit a claim or not? Because after your post in the apology thread I already did.

@DnT: www points to a blogspot google IP.

-coinft.

This is safe now because we no longer point to the load balancer.

The domain is being controlled by a single reliable team member. Just make sure that it's https. (There's no way to get a SSL certificate without proving the domain ownership. Please do not trust any SSL certificate for bitcoinica.com issued before May 10, 2012.)
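The advice in the post above (use https, and distrust any certificate for the domain issued before May 10, 2012) can be enforced on the client side as an extra check on top of the normal chain validation the TLS library already does. The following is an added example, not Bitcoinica's code: it takes the dict that Python's ssl.SSLSocket.getpeercert() returns (the sample below is constructed, with made-up dates) and rejects a certificate whose notBefore predates the cutoff. Exact hostname matching is assumed; wildcard names are not handled.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape that ssl.SSLSocket.getpeercert() returns.
# Names and dates are made up for this example; this is not the site's real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "claims.bitcoinica.com"),),),
    "subjectAltName": (("DNS", "claims.bitcoinica.com"), ("DNS", "www.bitcoinica.com")),
    "notBefore": "May 12 00:00:00 2012 GMT",
    "notAfter": "May 12 23:59:59 2013 GMT",
}

# Certificates issued before this date could have been obtained while the attacker
# controlled the hosting; the thread gives May 10, 2012 as the cutoff.
CUTOFF = datetime(2012, 5, 10, tzinfo=timezone.utc)


def cert_hostnames(cert):
    """DNS names the certificate is valid for: SAN entries first, then the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def _utc(cert_time):
    """Parse an OpenSSL-style time string ('May 12 00:00:00 2012 GMT') to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def check_cert(cert, hostname, cutoff=CUTOFF, now=None):
    """Return (ok, reason). Rejects a name mismatch, a certificate outside its validity
    window, and anything issued before the cutoff. `now` may be a datetime, a
    certificate-style time string, or None for the current time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _utc(now)
    if hostname not in cert_hostnames(cert):
        return False, "hostname not in certificate"
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    if not not_before <= now <= not_after:
        return False, "certificate not valid at this time"
    if not_before < cutoff:
        return False, "issued before the compromise cutoff"
    return True, "ok"
```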
Phinnaeus Gage | Hero Member | Activity: 1050
May 18, 2012, 12:30:15 AM  #928

Explaining the details of your operations might not be a wise thing to do in public.

Might make some sense if one has the time, interest, and skill to run an effective honeypot.  But I cannot see that laying out the welcome mat here and in this way is likely to pull in more than a handful of ankle-biter class victims.

Quote
Actually the app server is in my office, but I do realize not every company can afford a dedicated pipe inbound. We do have a couple of encrypted KVM VMs for "non paying" servers (mail, etc) at some dedicated servers out there.

Or a guy that just breaks into the office. Not much skill required.

Edit: Come to think of it. That would be a novel excuse these days: Hey, someone stole my server, I mean physically stole it !  Smiley

I can see it now!

What the hell does 01000011 01101111 01101100 01100100 00100000 01010111 01100001 01101100 01101100 01100101 01110100 mean?
btcgoldsilver | Jr. Member | Activity: 38
May 18, 2012, 01:22:33 AM  #929

Where's the claims page?
All I'm getting is this ....

Unable to connect

Firefox can't establish a connection to the server at bitcoinica.com.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

 Huh

16ZodW6mxFkmxrCy5MSii7PLJ6VdfNknue
rdponticelli | Sr. Member | Activity: 326
May 18, 2012, 01:29:16 AM  #930

Quote from: btcgoldsilver
Where's the claims page?
All I'm getting is this ....

Unable to connect

Firefox can't establish a connection to the server at bitcoinica.com.

Quote from: Clipse
Posted in the apology thread: https://claims.bitcoinica.com/
rjk | Sr. Member | Activity: 420
May 18, 2012, 01:37:41 AM  #931

The weird thing is that Firefox won't connect, but Internet Explorer will.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
Phinnaeus Gage | Hero Member | Activity: 1050
May 18, 2012, 01:49:50 AM  #932

Quote from: rjk
The weird thing is that Firefox won't connect, but Internet Explorer will.

Or Chrome.

Quote
The server at claims.bitcoinica.com can't be found, because the DNS lookup failed. DNS is the network service that translates a website's name to its Internet address. This error is most often caused by having no connection to the Internet or a misconfigured network. It can also be caused by an unresponsive DNS server or a firewall preventing Google Chrome from accessing the network.
rjk | Sr. Member | Activity: 420
May 18, 2012, 02:02:02 AM  #933

Quote from: Phinnaeus Gage
Or Chrome.

Quote
The server at claims.bitcoinica.com can't be found, because the DNS lookup failed. DNS is the network service that translates a website's name to its Internet address. This error is most often caused by having no connection to the Internet or a misconfigured network. It can also be caused by an unresponsive DNS server or a firewall preventing Google Chrome from accessing the network.

I was able to connect to the claims.bitcoinica.com site once in firefox, but have never been able to connect to www.bitcoinica.com. Now, I can't access it either. I'd guess the DNS is either being DDoSed, or it has a major problem with its round-robin setup.
Serge | Hero Member | Activity: 854
May 18, 2012, 02:04:07 AM  #934

claims works fine on my chrome, www doesn't resolve ever since the incident
BCB | CTG, VIP, Hero Member | Activity: 728
May 18, 2012, 02:09:21 AM  #935

Quote from: Serge
claims works fine on my chrome, www doesn't resolve ever since the incident

this works for me.

https://173.45.224.244/
rdponticelli | Sr. Member | Activity: 326
May 18, 2012, 02:17:29 AM  #936

Cached dns may be causing all the troubles. They will surely work when the cached entries timeout.
rjk | Sr. Member | Activity: 420
May 18, 2012, 02:26:17 AM  #937

Quote from: rdponticelli
Cached dns may be causing all the troubles. They will surely work when the cached entries timeout.

It's a bit worse than that, the nameservers are acting really weird. http://www.intodns.com/bitcoinica.com
I did a bit of nslookup'ing, and the DNS servers don't respond when asked for SOA, NS or A records. OpenDNS has cached copies of the A records, but not all of them, and no cached copies of NS records.
marcus_of_augustus | Hero Member | Activity: 1134
May 18, 2012, 05:38:15 AM  #938

I luv these geeked out security discussions after the fact .... and in the end when everything is plain sailing they go back to hiding the key under the doormat.

Monetary Freedom - a basic human right
"Disarming money as a tool for tyranny."
"Disintermediating the State."
jixapori | Jr. Member | Activity: 46
May 18, 2012, 06:44:41 AM  #939

Quote from: marcus_of_augustus
I luv these geeked out security discussions after the fact .... and in the end when everything is plain sailing they go back to hiding the key under the doormat.

Possibly people just do not have the resources or experience to set things up properly? For instance you clearly cannot rely on even physical security of any one machine, so at a minimum we are talking about multiple machines distributed across multiple physical locations for your site. Also don't forget your custom bitcoin client. None of this is cheap, least of all people to work on it who know what they are doing. Maybe it is not worth it to spend that much just to secure a few tens of thousands of bitcoins.
realnowhereman | Hero Member | Activity: 490
May 18, 2012, 09:03:07 AM  #940

What's wrong with the claims page:

  • It's not asking for the account password.  Anyone who knows the usernames (and we can assume the attacker has a copy of the database) can submit a fake claim, and at the very least delay the real claim.
  • If the attacker had access to the database, how does any of the information asked for demonstrate my real identity?
  • It asks for real name and phone number.  I never gave bitcoinica that information in the first place (that bit of paranoia has paid off).  No advice is on the page for people in that position.
  • EXACT balances are requested, but if you supply exact balances it rejects the request saying "give only two decimal places".  It's not EXACT any more then, is it?
  • Rejecting EXACT balances of more than two decimal places is pretty bad; but no advice is given as to whether the two decimal places you supply should be rounded up or down from your exact balance.  If I have 10.009 BTC is that "EXACT"ly 10.01 or 10.00?
  • Given that there was a complete database compromise -- exactly what is it that you're achieving with all this nonsense?  Assuming you kept the passwords hashed, then the only bit of information that can be used to verify the owner that is possibly not compromised is the real owner's knowledge of the unhashed password.
  • All you are actually verifying with this circus show is that the owner of the email is the one making the claim.  However...
  • You send out a verification email, which has no information on it other than a URL to click.  You have to click the link to see what the verification details were; but the verification page has no "approve" or "cancel" button.  So if an attacker does submit a fake form, then they simply hope that the actual owner clicks the link.  Given the dearth of information about the process from bitcoinica, and the lack of advice in the verification email (i.e. "don't click this link if you haven't started a claim") the user will assume that this email is the start of a claims process and will click the link; giving legitimacy to the fake claim.
  • My email was verified when I registered the account -- what possible purpose is there in verifying it again?
  • As continued evidence that you still haven't learned your lesson... you are relying on unencrypted email (FOR THE THIRD TIME: EMAIL IS A POSTCARD) to deliver information that you specifically say "should remain confidential".  The claim ID should have been listed on the original claim page after confirmation and only half of it should have been sent in the email.
  • In short, this entire process is security theatre; not actual security.

In a situation that requires ambiguities be kept to an absolute minimum (one assumes the claims system will ideally be done automatically for the bulk of the work) you've added ambiguities where there need not have been any.  "Two decimal places" especially... what, are you short of bytes?

Seriously, what exactly do you think this "claims process" is achieving or protecting?  In what way is this a security measure?  Are you simply trying to verify if the database has been tampered with?  If so, SAY THAT.  Don't doll it up as if it's some kind of security measure for our benefit.  If the database has been tampered with you can't trust it anyway, so verifying emails is pointless.

1AAZ4xBHbiCr96nsZJ8jtPkSzsg1CqhwDa
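The post above lists what a claims flow should have done differently: require the account password (the one secret a dumped database does not give away, assuming hashes were stored), keep balances exact, show half of the claim ID on the confirmation page and mail only the other half, and make the verification page an explicit approve/cancel step so that clicking a link alone legitimises nothing. The following is an added example, not Bitcoinica's code, that sketches such a flow in a single class; the salt, user and balance values are constructed, and an in-memory outbox stands in for real email.

```python
import hashlib
import secrets
from decimal import Decimal


def hash_password(password, salt):
    """PBKDF2 stand-in for however the site stored password hashes before the breach."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ClaimsService:
    """Claims flow built around the points raised in the post above (constructed example)."""

    def __init__(self, password_hashes):
        self.password_hashes = password_hashes  # username -> (salt, hash) as stored pre-breach
        self.claims = {}                        # full claim id -> claim record
        self.outbox = []                        # (email, email_half) pairs instead of real mail

    def submit(self, username, password, email, balance_btc):
        """Accept a claim only with the account password; return the on-page half of the id."""
        entry = self.password_hashes.get(username)
        if entry is None:
            return None
        salt, stored = entry
        if not secrets.compare_digest(stored, hash_password(password, salt)):
            return None  # the password is the one thing a copied database does not reveal
        claim_id = secrets.token_hex(16)  # 32 hex characters; each half is 16
        self.claims[claim_id] = {
            "user": username,
            "balance": Decimal(balance_btc),  # exact; no forced two-decimal rounding
            "state": "pending",
        }
        self.outbox.append((email, claim_id[:16]))  # the mail carries only half of the id
        return claim_id[16:]                        # the other half is shown once on the page

    def decide(self, email_half, page_half, action):
        """Explicit approve/cancel; following the emailed link on its own changes nothing."""
        claim = self.claims.get(email_half + page_half)
        if claim is None or claim["state"] != "pending":
            return False
        claim["state"] = "approved" if action == "approve" else "cancelled"
        return claim["state"] == "approved"
```

Whoever holds only the leaked database can neither pass submit() nor complete decide(), because each step needs something the dump does not contain.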