[Emergency ANN] Bitcoinica site is taken offline for security investigation

[hatshepsut]

LOL good try.

If you are implying that I am guruvan, then you are sorely mistaken.

[1715035726]

1715035726

[1715035726]

1715035726

[1715035726]

1715035726

[muyuu]

LOL good try.

If you are implying that I am guruvan, then you are sorely mistaken.

Not implying that.

No way they are both forfeiting losses and paying off virtual positive positions. They will force liquidate, deal with it.

[dizzy1]

So now http://bitcoinica.com points to a google 404 error page. Maybe they are finally readying some kind of claim page?

[M4v3R]

Ive asked earlier in the thread, is there any way/evidence that shows bitcoinica actually ever traded on any of the available exchanges, or was it all just shuffling funds internally?

They were trading on MtGox as soon as they couldn't balance out the trades internally. They were even displaying a number of BTC they have traded on MtGox (aka. "hedged") on their home page.

For most of the time you wouldn't see this, unless your trade was quite big, sometimes it needed to be over 1000 BTC. Lately, they even raised this internal buffer to ~3000 BTC, and tweaked the engine so it traded 100 BTC at the same time instead of 50, for faster execution. It was really cool, and is a shame that now it's gone.

[tvbcof]

Explaining the details of your operations might not be a wise thing to do in public.

Might make some sense if one has the time, interest, and skill to run an effective honeypot.  But I cannot see that laying out the welcome mat here and in this way is likely to pull in more than an handful of ankle-biter class victims.

[JusticeForYou]

Explaining the details of your operations might not be a wise thing to do in public.

Might make some sense if one has the time, interest, and skill to run an effective honeypot.  But I cannot see that laying out the welcome mat here and in this way is likely to pull in more than an handful of ankle-biter class victims.

Actually the app server is in my office, but I do realize not every company can afford a dedicated pipe inbound. We do have a couple of encrypted KVM VMs for "non paying" servers (mail, etc) at some dedicated servers out there.

Or a guy that just breaks into the office. Not much skill required.



Edit: Come to think of it. That would be a novel excuse these days: Hey, someone stole my server, I mean physically stole it ! 

[rdponticelli]

Explaining the details of your operations might not be a wise thing to do in public.

Might make some sense if one has the time, interest, and skill to run an effective honeypot.  But I cannot see that laying out the welcome mat here and in this way is likely to pull in more than an handful of ankle-biter class victims.

Actually the app server is in my office, but I do realize not every company can afford a dedicated pipe inbound. We do have a couple of encrypted KVM VMs for "non paying" servers (mail, etc) at some dedicated servers out there.

Or a guy that just breaks into the office. Not much skill required.



Edit: Come to think of it. That would be a novel excuse these days: Hey, someone stole my server, I mean physically stole it ! 

Obviously you have any valuable information on a strongly encrypted vm image with a complex password which is not hosted on the machine. And you have arranged really frequent off site rsyncs, so you have several images ready to be launched anytime you need them. If anybody steals your server, he only gets a lot of useless information.

[ashleyconnor]

Or a guy that just breaks into the office. Not much skill required.



Edit: Come to think of it. That would be a novel excuse these days: Hey, someone stole my server, I mean physically stole it ! 

He explained before that he is encrypting his filesystem

The big security let down is the fact that you can reset a VPS root password from the control panel. Great if you are a VPS company as it reduces support issues, but for God's sake if you are running an operation with money at stake then that needs to be disabled.

The mentions of KVM etc are just more options for hackers. In fact remote administration of any sort gives hackers opportunities to compromise the servers.

One of the best methods, which I think somebody mentioned, is 2-factor SSH authentication:

http://www.mnxsolutions.com/security/two-factor-ssh-with-google-authenticator.html

Even if your key is compromised due to a security breach on your local system; attacks will still not be able to access the server.

[JusticeForYou]

Or a guy that just breaks into the office. Not much skill required.



Edit: Come to think of it. That would be a novel excuse these days: Hey, someone stole my server, I mean physically stole it ! 

He explained before that he is encrypting his filesystem

The big security let down is the fact that you can reset a VPS root password from the control panel. Great if you are a VPS company as it reduces support issues, but for God's sake if you are running an operation with money at stake then that needs to be disabled.

The mentions of KVM etc are just more options for hackers. In fact remote administration of any sort gives hackers opportunities to compromise the servers.

One of the best methods, which I think somebody mentioned, is 2-factor SSH authentication:

http://www.mnxsolutions.com/security/two-factor-ssh-with-google-authenticator.html

Even if your key is compromised due to a security breach on your local system; attacks will still not be able to access the server.

Well, I was trying to not be so obvious.

I wouldn't steal the server from his office.  Common guys... Do we have to lay it out, why it is bad to let people where your server resides and has thousands of dollars of money in it.

If so, there is this little device that attaches to the keyboard wire, etc... Or if you are really high tech, there is a device that can read your keystrokes from outside.

[MrTeal]

Well, I was trying to not be so obvious.

I wouldn't steal the server from his office.  Common guys... Do we have to lay it out, why it is bad to let people where your server resides and has thousands of dollars of money in it.

If so, there is this little device that attaches to the keyboard wire, etc... Or if you are really high tech, there is a device that can read your keystrokes from outside.

That still requires breaking into his office and installing the hardware without tripping the alarm or getting caught or them noticing. You'd probably also want to know which box actually holds the server and which room it's in.

Physically breaking into someone's office is an entirely different class of crime than hacking into a system. You'd need someone with both the computer skills to deal with whatever technical issues arise, who also lives near the office or is willing to fly in, and also have experience with physical break and enters. The risk is also much higher; convicting someone of hacking into a system and stealing $10k worth of virtual money is a lot less likely than convicting someone of B&E. Someone who has that skillset could probably do a lot better than all that risk for $10k.

[ashleyconnor]

If so, there is this little device that attaches to the keyboard wire, etc... Or if you are really high tech, there is a device that can read your keystrokes from outside.

No doubt 2-factor-authentication can still be compromised by a man-in-the-middle attack. The Google Authenticator PAM allows you to detect this, so you'd know if your local machine had been compromised.  You then might be able to remotely shut down the server through some administration panel.

However there's no 100% way to do remote administration. Period.

[JusticeForYou]

Well, I was trying to not be so obvious.

I wouldn't steal the server from his office.  Common guys... Do we have to lay it out, why it is bad to let people where your server resides and has thousands of dollars of money in it.

If so, there is this little device that attaches to the keyboard wire, etc... Or if you are really high tech, there is a device that can read your keystrokes from outside.

That still requires breaking into his office and installing the hardware without tripping the alarm or getting caught or them noticing. You'd probably also want to know which box actually holds the server and which room it's in.

Physically breaking into someone's office is an entirely different class of crime than hacking into a system. You'd need someone with both the computer skills to deal with whatever technical issues arise, who also lives near the office or is willing to fly in, and also have experience with physical break and enters. The risk is also much higher; convicting someone of hacking into a system and stealing $10k worth of virtual money is a lot less likely than convicting someone of B&E. Someone who has that skillset could probably do a lot better than all that risk for $10k.

Yes, it does. I just mean to show that people associate the criminals with being 'dumb'. There are 'smart' criminals. Social Engineering has acquired way more results than electronic trickery.

For Example:

Lets presume this was a Bitcoinica server in the 'Office'. One could pay the cleaning lady or maintenance man 10K to do it, because the total theft was 87K. That would leave 77K to the thieves. Once enough keystrokes have been acquired, then you could steal the server if necessary.

Sorry for sounding nefarious: I have had a class that dealt with 'What Ifs'. Actually that class was about more than just circumventing a server, was more about disrupting industries.  Given SOP knowledge, getting information is quite easy. Looking at problems from different perspectives also can reveal things that are not known to be public. i.e. Apple's suppliers were kept 'secret' but the guy on the loading dock didn't think it was a secret.

Most people from High Tech think high tech and forget about low tech.

Granted though, people aren't going to employ these methods over some kids computer with 10 BTC on it. But the reference was from an Exchange of sorts that deals in lots of money.

Telling people where the server resides wasn't a good idea. But meh... it's his money and possibly yours.

[vampire]

Actually the app server is in my office, but I do realize not every company can afford a dedicated pipe inbound. We do have a couple of encrypted KVM VMs for "non paying" servers (mail, etc) at some dedicated servers out there.

Or a guy that just breaks into the office. Not much skill required.



Edit: Come to think of it. That would be a novel excuse these days: Hey, someone stole my server, I mean physically stole it ! 

Now you just need to decrypt the harddrives :-)

[JusticeForYou]

Actually the app server is in my office, but I do realize not every company can afford a dedicated pipe inbound. We do have a couple of encrypted KVM VMs for "non paying" servers (mail, etc) at some dedicated servers out there.

Or a guy that just breaks into the office. Not much skill required.



Edit: Come to think of it. That would be a novel excuse these days: Hey, someone stole my server, I mean physically stole it !  

Now you just need to decrypt the harddrives :-)

Yes as explained it can be done.

However, this is all public knowledge that I can explain.

I believe this guy is a Mac User ( I can explain how I know, if needed). I wonder if he has fixed the debug.log for the vault on his computer. (PS. If you see this, do so.) He might already be compromised and not know it.

Security for Financial Systems especially with lots of money actually residing on the computer, needs to be elevated to absolute paranoia.

[vampire]

Yes as explained it can be done.

However, this is all public knowledge that I can explain.

I believe this guy is a Mac User ( I can explain how I know, if needed). I wonder if he has fixed the debug.log for the vault on his computer. (PS. If you see this, do so.) He might already be compromised and not know it.

Security for Financial Systems especially with lots of money actually residing on the computer, needs to be elevated to absolute paranoia.

Isn't that FV1? How do you exploit that on FV2 with solo user setup?

[SgtSpike]

BTC_Bear, you seem to know a good deal about security.  What are your credentials?  Do you have a related degree?  Related job experience?

Just curious more than anything.

[JusticeForYou]

BTC_Bear, you seem to know a good deal about security.  What are your credentials?  Do you have a related degree?  Related job experience?

Just curious more than anything.

Well that fact you ask that, tells me I have already talked to much.

Do you have a related degree?

I do not hold a degree in IT Security and/or Cybersecurity. Although I have during the course of work, pointed out and have shown flaws in IT systems and many other Risk Management Issues and writing Root Cause Analysis for problems that occur.

Related job experience?

I have had related job experience in the field of security. (And no, not Security Guard)

What are your credentials?

Well, when able to look for jobs when necessary, I carry credentials in a portfolio (more of a long CV with supporting documents than anything else.)


Other than that:

I'm a dumb crazy country bumpkin, pay me no mind. If my arguments make sense, then ponder them. If not, then disregard them. I like letting my hair down here without excessive peer review over every word or idea I spout out.

btw: I give credentials and/or degrees little weight other than the ability to learn. (i.e. If the janitor proves P=NP, I don't argue over who's credentials mean more or less.) I treat each individual as an individual irrespective of documented knowledge.

[SgtSpike]

I'm just thinking you might be a good consultant if/when I ever decide to launch a Bitcoin site that actually handles people's Bitcoins.  Sometimes, you seem to be the only logical thinker in a group full of people discussing proper security methods and techniques.  Lots of people can't seem to think outside the box, and miss important potential threats.

Anyway, thanks for answering my questions.

[tvbcof]

...if/when I ever decide to launch a Bitcoin site that actually handles people's Bitcoins.  ...

If you are handling Bitcoins, they are your bitcoins.  That is one of the things which distinguishes Bitcoin from most other instruments (imho.)  If more people shared my philosophical view of the situation, fewer people would be whining about their Bitcoins having gone missing.

Naturally to run a good business you'll want to be able to give the Bitcoins back to your customers upon demand, and having a good security consultant would go along way toward achieving this goal.

Alternately, with Bitcoin there are creative ways to invalidate my assertions about ownership.  Having both and outstanding security consultant and a skilled scientist/engineer could blaze some trails here.  It seems to be starting though I cannot say that I have followed things closely.

[mb300sd]

All this security discussion is great, but WHERE IS THE CLAIM PAGE? It was supposed to be up monday, then last night, and its still not up...