Bitcoin Forum
March 19, 2024, 08:22:12 AM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 »
  Print  
Author Topic: Bitcoinica MtGox account compromised  (Read 155925 times)
genjix (OP)
Legendary
*
Offline Offline

Activity: 1232
Merit: 1071


View Profile
July 13, 2012, 09:00:07 AM
Last edit: July 19, 2012, 04:56:28 PM by genjix
 #1

We regret to inform you that there has been another huge breach of Bitcoinica. While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged. The breach today occured because the password for LastPass was in fact a duplicate password which had been compromised during the hack.

Unbeknownst to us, Tihan was using the mtgox api key as the password for a website called LastPass.

LastPass contains all your passwords. The username was info@bitcoinica.com. After the initial compromise, the sourcecode would have been tainted. But the password for LastPass was not changed.

The operators of Bitcoinica probably did not think to change it because they may have assumed that the LastPass password was not the same password as the MtGox API key. Such a flaw is a huge security breach. The original hacker could have compromised the funds on May 11th or any day thereafter.

Such security practices resulted in the initial theft. By the time we took over the claims process it was under information that the LastPass password was secure. This was infact supposed to be the secure way the new passwords were communicated.

This has resulted in the loss of one third of all the Bitcoinica money which has been stolen from MtGox. (40k BTC and 40K USD - the mtgox daily limits)

While the initial hacker had the ability to cause this breach it is likely that it was not taken advantage of until many users had access to the sourcecode in a recent leak:

Code:
genjix:~/tmp/bitcoinica_legacy/config/initializers$ cat mtgox_credentials.rb
if Rails.env.production?
  MtGox.configure do |config|
    config.key = "c02e1a27-5524-449f-ba65-aff9581ddedc"
    config.secret = '83U1ROG++O3vwBqFrxpcdyLIoChpgnowImy1oMVQwBLalaLevZDmWeCPJFTrYW00OQ7XUgG53LsIL2pBZ2PQgA=='
    end
end
Sourcecode download link: http://depositfiles.com/files/2p6zvadzs

The LastPass password was set to the semi-public api key, this is very similar to using the username for one site as the password on another.

Whoever is responsible for the latest theft used the MtGox API key as a password in LastPass hoping that simple security measures were not followed in the setting up of the LastPass. They gained access to MtGox. They transferred a third of the refund money, presumably to themselves. Bitcoinica has had at least 5 major security breaches since it's start. We had recommended that their codebase be entirely rewritten but were not aware of their security practices.

I'm starting to regret becoming embroiled with such a shoddy and badly secured site as Bitcoinica.

Edit: The API key was changed, but someone had a LastPass account with the same password as that, and was actively updating it with new passwords.

40k USD and 40k BTC were stolen (~350k USD).

For those who doubt we were not the GP, you can run 'git log' in the sourcecode. We had no responsibility to take on payments, but we did (and finalised the formation of Bitcoinica Consultancy to do so).  The payments process was looking good, but now Patrick has walked away and I'm unsure what happens next. The sourcecode illustrates the magnitude of the problems involved with Bitcoinica (passwords all over the source, bad design, flawed code).

We were not privy to all the problems when taking on Bitcoinica. Zhou was being paid $8000 a month for operating Bitcoinica in his part time while Tihan was scrambling to get the site working. During the last month, Zhou was not taking pay, to refund the money stolen by the Linode compromise. Tihan was rushing to get the paperwork finished because Zhou is attending school. We kept sending the paperwork back saying it's incomplete and there's problems, so when the initial compromise happened, the company was not yet fully formed. The initial confusion was over who is responsible as the GP - the part time owner devoting maybe 5 hours a week? The new owners who had no experience operating the site? The middleman who acts on behalf of the owner and has no technical knowledge? That's why payments were initially complicated and delayed.

I will post another update once I know more. I'm guessing that payments will have to take a forced 30% cut. This has cost everyone a lot of money, time and stress dealing with this mess. We are actively losing money from dealing with the payouts.

Update: here's the facts from my point of view:

- Patrick quit.
- Zhou quit.
- Tihan was fired, and no longer acting on behalf of Bitcoinica LP.
- Bitcoinica Consultancy were the new operators coming onboard, and the company was formed after the compromise to facilitate payments out.
- Bitcoinica LP is the owner.

The payments process is at a deadlock. Technically when a company is in debt, and cannot pay off its debtors in full, it hands the process to the government (called receivership). Bitcoinica LP would have to make a police report, and hand over the payments process as the owners.

That's it basically. Just a standstill.

has anyone been paid out after the latest mtgox theft?

No.

Update 19th July: payments are still stuck at 38%. Considering that those are 50% payouts, that means a good 76% of the claims. That's not 76% of claimants, but 76% of the total funds.

However given that nobody is doing anything, I've been talking with some of the people with large claims. They've proposed helping take over the process with me. I suppose we need to get written consent that Bitcoinica Consultancy doesn't exist or that if it does that the members resign. This allows Bitcoinica LP to take over and hand the payouts process to us. Technically Bitcoinica LP owns the assets.
"In a nutshell, the network works like a distributed timestamp server, stamping the first transaction to spend a coin. It takes advantage of the nature of information being easy to spread but hard to stifle." -- Satoshi
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
Transisto
Donator
Legendary
*
Offline Offline

Activity: 1731
Merit: 1001



View Profile WWW
July 13, 2012, 09:02:54 AM
Last edit: July 13, 2012, 11:19:56 PM by Transisto
 #2

How I read it. "my comments"  (See edit)

...there has been another huge breach of Bitcoinica. ..."WE THOUGHT" the password for LastPass was not compromised and thus we left it unchanged. The password for LastPass was in fact a duplicate password which ..."Was written in the source code, which was recently made publicly available". ...

... Tihan was using the mtgox api key as the password ...

LastPass contains all your "?" passwords. ... After the initial compromise,  the sourcecode would have been tainted."What has sourcecode to do with payout process ?" ...

..."We" assumed that the LastPass password was not the same password as the MtGox API key. The original hacker could have compromised the funds on May 11th or any day thereafter.

Such security practices resulted in the initial theft. "What security ?" By the time we took over the claims process it was under information that the LastPass password was secure "Who told you this ?" . This was infact supposed to be the secure way the new passwords were communicated.

This has resulted in the loss of one third of all the Bitcoinica money which has been stolen from MtGox. (40k BTC / 40K USD - the mtgox daily limits) "So 40k USD have vanished ?"

... it was not taken advantage of until many users had access to the sourcecode in a recent leak:

...

The LastPass password was set to the semi-public api key, this is very similar to using the username for one site as the password on another.

Whoever is responsible for the latest theft used the MtGox API key as a password in LastPass hoping that simple security measures were not followed in the setting up of the LastPass. "This is not weak security measure, it's completely fucked up" ...
We had recommended that their codebase be entirely rewritten but were not aware of their security practices. "again codebase has nothing to do with this" + "Your main duty after the takeover was making sure site was secure, then after the hack you had to make sure funds were secure at all cost."

I'm starting to regret becoming embroiled with such a shoddy and badly secured site as Bitcoinica.
"It stopped being a "site" more than 2 months ago"
IMO Lastpass without a Yubikey or 2nd factor auth is like a safe without a lock.
These thing are ~15$


EDIT :
30% cut ?

How can 40k USD be untraceable
How can 40k BTC be untraceable or easily spendable ?

Why don't we instead agree to give the hacker an honest and untainted 30% of the BTC he moved ?
By honest I mean we know who he is, we know what he did, we're happy with it, and we respect him for both getting into your gox account and returning funds.
This "hacker" is tech-savvy person that achieved something worth being rewarded for.

This is not a home invasion or a physical robbery, as much as some may hate it, if we get anything stolen because of a weak password or weak security policy then we should have no-one but our-self to blame.

I think this concept should be well understood by this community.

Pro tip,
When I was using Bitcoinica :
I was doing it with an uncompromised PC, Firewall, AV(s) ect. (HARD)
I was closing my Bitcoinica browser sessions every-time I was done,
I had two account to spread the risk, both were secured with Google Authenticator, (phone app)
I had ~14 char randomly created passwords,
 different ones,
 all stored into LastPass,
With a safe lastpass password,
With a 2nd factor Yubikey, (my home pc is not considered safe on LastPass, so I have to push the button every time.)
The LastPass recovery email is dedicated to this, the password is paper stored in a safe place.
My HDD is truecrypted,
My firewire port are disabled,
I don't use a Wireless keyboard
I never leave the PC with an open session, (session autolock after ~10 min.)
...I do not have any felling it is all secure. I'm by no mean a security expert.

I had nowhere near the same value to protect and ... were not someone else assets.[/b]

IMO, This is rather basic protection scheme for a regular "geek" PC user...

Whatever your previous story, ;
In over 2 months...
You failed to disable Mt.Gox API,
You failed to protect mt. Gox with a Yubikey,
You failed to change Lastpass password,
You failed to protect Lastpass with one of their many 2nd factor auth. (some free)

Don't be surprised if people don't believe you.

Edit 2: Found markm analysis informative : https://bitcointalk.org/index.php?topic=93074.msg1027484#msg1027484
rebuilder
Legendary
*
Offline Offline

Activity: 1615
Merit: 1000



View Profile
July 13, 2012, 09:09:48 AM
 #3

I remained hopeful I'd see the BTC I had on Bitcoinica once more. Now, not so much.

Selling out to advertisers shows you respect neither yourself nor the rest of us.
---------------------------------------------------------------
Too many low-quality posts? Mods not keeping things clean enough? Self-moderated threads let you keep signature spammers and trolls out!
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1007


1davout


View Profile WWW
July 13, 2012, 09:11:53 AM
 #4


Stephen Gornick
Legendary
*
Offline Offline

Activity: 2506
Merit: 1010


View Profile
July 13, 2012, 09:12:00 AM
 #5

This has resulted in the loss of one third of all the Bitcoinica money which has been stolen from MtGox. (40k BTC / 40K USD - the mtgox daily limits)

You had 40K BTC / $40K USD or more in Mt. Gox and weren't using a YubiKey or TOPT/Google Authenticator?  Seriously?

Unichange.me

            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █
            █


Herodes
Hero Member
*****
Offline Offline

Activity: 868
Merit: 1000


View Profile
July 13, 2012, 09:12:18 AM
 #6

I'm glad I had 0 money on Bitcoinica, those who had substantional funds there, I'm sure is not that happy.

There's much that could be said about the current Bitcoinica situation, but I'm pretty sure anything that I could say would not cause more harmony in the community, so I keep my mouth shut! Smiley
BlackBison
Sr. Member
****
Offline Offline

Activity: 250
Merit: 250



View Profile
July 13, 2012, 09:14:40 AM
 #7

Erm wtf?? this script is playing out like some retarded hollywood spy film plot.

Thank god I only had 15btc in this joke of a site...

markm
Legendary
*
Offline Offline

Activity: 2940
Merit: 1090



View Profile WWW
July 13, 2012, 09:15:21 AM
 #8

Seems like each instance of criminal negligence (or conscious conspiracy with thieves or whatever the exact crime turns out to be) ends up back at this Tihan character then eh?

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1007


1davout


View Profile WWW
July 13, 2012, 09:15:31 AM
 #9

You had 40K BTC or more in Mt. Gox and weren't using a YubiKey or TOPT/Google Authenticator?  Seriously?
The theft was authenticated using an API token that doesn't require a second authentication factor.
That's by design, otherwise APIs wouldn't be able to work in an automated fashion.

On the other you can set specific constraints on what the API can do (if you authenticate with an API token you do not necessarily have the same access rights/limits as the ones you have when authenticating with a username+password+2nd factor)

EDIT : Oh wait, I misread, it indeed went through the username+password authentication. I don't have words to describe the sheer amounts of fail this represents and how easily it could have been prevented.

flower1024
Legendary
*
Offline Offline

Activity: 1428
Merit: 1000


View Profile
July 13, 2012, 09:21:13 AM
 #10

you shouldn't be trusted with money anymore.

you claim you are security experts and didn't lock all api keys? are you kidding me?

why didnt you just move it to another account?
why didnt you revoked all api access? - i see no need for it as bitcoinica is OFFLINE

btw: i dont really care about that theft.
its just another story why we should wait for OUR money and why we should be nice to you.
ninjarobot
Hero Member
*****
Offline Offline

Activity: 761
Merit: 500


Mine Silent, Mine Deep


View Profile
July 13, 2012, 09:24:02 AM
 #11

Can someone from MtGox support please weigh in and provide more details on what happened, when, how much?

This is just incredulous.
iddo
Sr. Member
****
Offline Offline

Activity: 360
Merit: 251


View Profile
July 13, 2012, 09:24:06 AM
Last edit: July 13, 2012, 09:45:39 AM by iddo
 #12

This has resulted in the loss of one third of all the Bitcoinica money which has been stolen from MtGox. (40k BTC / 40K USD - the mtgox daily limits)

I'm not sure whether I understand what you meant here: are you saying that 40K USD were also stolen via MtGox ? If so, MtGox knows the identity of the thief who withdrew the USD ? If you meant that 40K BTC were withdrawn but not USD, then please ignore my question.
markm
Legendary
*
Offline Offline

Activity: 2940
Merit: 1090



View Profile WWW
July 13, 2012, 09:24:12 AM
 #13

EDIT : Oh wait, I misread, it indeed went through the username+password authentication. I don't have words to describe the sheer amounts of fail this represents and how easily it could have been prevented.

Ah so then it does not all point to Tihan, someone else aided and abetted by setting Gox up ready for his "negligence" to work?

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
eleuthria
Legendary
*
Offline Offline

Activity: 1750
Merit: 1007



View Profile
July 13, 2012, 09:24:16 AM
 #14

You have to be joking.  There aren't words to describe how terrible Bitcoinica has been at "losing" money.  Quite frankly I don't see how anybody can believe this isn't an inside job/run with the money scheme anymore.

RIP BTC Guild, April 2011 - June 2015
aq
Full Member
***
Offline Offline

Activity: 238
Merit: 100


View Profile
July 13, 2012, 09:24:32 AM
 #15

Sorry, but whoever handles this whole bitcoinica mess should probably leave bitcoins, or better anything related to computers.
davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1007


1davout


View Profile WWW
July 13, 2012, 09:24:41 AM
 #16

We regret to inform you that there has been another huge breach of Bitcoinica. While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged. The breach today occured because the password for LastPass was in fact a duplicate password which had been compromised during the hack.

[...]

While the initial hacker had the ability to cause this breach it is likely that it was not taken advantage of until many users had access to the sourcecode in a recent leak:

Code:
genjix:~/tmp/bitcoinica_legacy/config/initializers$ cat mtgox_credentials.rb
if Rails.env.production?
  MtGox.configure do |config|
    config.key = "c02e1a27-5524-449f-ba65-aff9581ddedc"
    config.secret = '83U1ROG++O3vwBqFrxpcdyLIoChpgnowImy1oMVQwBLalaLevZDmWeCPJFTrYW00OQ7XUgG53LsIL2pBZ2PQgA=='
    end
end
See https://github.com/davout/bitcoin-central to see how you properly store production passwords.

protip : not directly in the fucking source code

DarkEmi
Full Member
***
Offline Offline

Activity: 223
Merit: 100



View Profile
July 13, 2012, 09:25:40 AM
 #17

I am not sure I understand. You are telling us you lost ANOTHER 40 k ?

If thats the case, I am becoming increasingly depressed.
I will state publicly that I had 5k btc on bitcoinica and thats basically a majority of my wealth, which was accumulated trough hard work...
Because I was having that much faith into bitcoins.

I was kinda closing my eyes to the disaster so far hoping for a good news but I dont know what to do anymore

ProProfi.com
The first home improvement service cryptocurrency project
ICO | Discuss on Forum
Justin00
Legendary
*
Offline Offline

Activity: 910
Merit: 1000


★YoBit.Net★ 350+ Coins Exchange & Dice


View Profile
July 13, 2012, 09:27:03 AM
 #18

who didn't see this coming ?

In fairness I though it would be a few weeks earlier.


aq
Full Member
***
Offline Offline

Activity: 238
Merit: 100


View Profile
July 13, 2012, 09:29:38 AM
 #19

We regret to inform you that there has been another huge breach of Bitcoinica. While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged. The breach today occured because the password for LastPass was in fact a duplicate password which had been compromised during the hack.

[...]

While the initial hacker had the ability to cause this breach it is likely that it was not taken advantage of until many users had access to the sourcecode in a recent leak:

Code:
genjix:~/tmp/bitcoinica_legacy/config/initializers$ cat mtgox_credentials.rb
if Rails.env.production?
  MtGox.configure do |config|
    config.key = "c02e1a27-5524-449f-ba65-aff9581ddedc"
    config.secret = '83U1ROG++O3vwBqFrxpcdyLIoChpgnowImy1oMVQwBLalaLevZDmWeCPJFTrYW00OQ7XUgG53LsIL2pBZ2PQgA=='
    end
end
See https://github.com/davout/bitcoin-central to see how you properly store production passwords.

protip : not directly in the fucking source code
They got hacked. Site was shut down. So they left the API open for what? Only for the hacker?
markm
Legendary
*
Offline Offline

Activity: 2940
Merit: 1090



View Profile WWW
July 13, 2012, 09:30:28 AM
 #20

See https://github.com/davout/bitcoin-central to see how you properly store production passwords.

protip : not directly in the fucking source code

Pro tip 2: for months now the whole problem of how to properly store passwords has been holding up Open Transactions development because of the intricacies of how to convince the various different operating-systems never ever ever to let it land on disk, including by not allowing the memory it is remembering it in get swapped to disk. Its stuff like this that has made Open Transactions late to market.

Better to get in fast and out with a fast buck than wait until ready to "do it right" though maybe eh?

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
Pages: [1] 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!