Bitcoin Forum
Author Topic: Bitcoinica MtGox account compromised  (Read 99328 times)
genjix
July 13, 2012, 09:00:07 AM
 #1

We regret to inform you that there has been another huge breach of Bitcoinica. While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged. The breach today occurred because the password for LastPass was in fact a duplicate password which had been compromised during the hack.

Unbeknownst to us, Tihan was using the mtgox api key as the password for a website called LastPass.

LastPass contains all your passwords. The username was info@bitcoinica.com. After the initial compromise, the sourcecode would have been tainted. But the password for LastPass was not changed.

The operators of Bitcoinica probably did not think to change it because they may have assumed that the LastPass password was not the same password as the MtGox API key. Such a flaw is a huge security breach. The original hacker could have compromised the funds on May 11th or any day thereafter.

Such security practices resulted in the initial theft. By the time we took over the claims process it was under information that the LastPass password was secure. This was in fact supposed to be the secure way the new passwords were communicated.

This has resulted in the loss of one third of all the Bitcoinica money which has been stolen from MtGox. (40k BTC and 40K USD - the mtgox daily limits)

While the initial hacker had the ability to cause this breach it is likely that it was not taken advantage of until many users had access to the sourcecode in a recent leak:

Code:
genjix:~/tmp/bitcoinica_legacy/config/initializers$ cat mtgox_credentials.rb
if Rails.env.production?
  MtGox.configure do |config|
    config.key = "c02e1a27-5524-449f-ba65-aff9581ddedc"
    config.secret = '83U1ROG++O3vwBqFrxpcdyLIoChpgnowImy1oMVQwBLalaLevZDmWeCPJFTrYW00OQ7XUgG53LsIL2pBZ2PQgA=='
  end
end
Sourcecode download link: http://depositfiles.com/files/2p6zvadzs

The LastPass password was set to the semi-public api key, this is very similar to using the username for one site as the password on another.

Whoever is responsible for the latest theft used the MtGox API key as a password in LastPass hoping that simple security measures were not followed in the setting up of the LastPass. They gained access to MtGox. They transferred a third of the refund money, presumably to themselves. Bitcoinica has had at least 5 major security breaches since its start. We had recommended that their codebase be entirely rewritten but were not aware of their security practices.

I'm starting to regret becoming embroiled with such a shoddy and badly secured site as Bitcoinica.

Edit: The API key was changed, but someone had a LastPass account with the same password as that, and was actively updating it with new passwords.

40k USD and 40k BTC were stolen (~350k USD).

For those who doubt we were not the GP, you can run 'git log' in the sourcecode. We had no responsibility to take on payments, but we did (and finalised the formation of Bitcoinica Consultancy to do so).  The payments process was looking good, but now Patrick has walked away and I'm unsure what happens next. The sourcecode illustrates the magnitude of the problems involved with Bitcoinica (passwords all over the source, bad design, flawed code).

We were not privy to all the problems when taking on Bitcoinica. Zhou was being paid $8000 a month for operating Bitcoinica in his part time while Tihan was scrambling to get the site working. During the last month, Zhou was not taking pay, to refund the money stolen by the Linode compromise. Tihan was rushing to get the paperwork finished because Zhou is attending school. We kept sending the paperwork back saying it's incomplete and there are problems, so when the initial compromise happened, the company was not yet fully formed. The initial confusion was over who is responsible as the GP - the part time owner devoting maybe 5 hours a week? The new owners who had no experience operating the site? The middleman who acts on behalf of the owner and has no technical knowledge? That's why payments were initially complicated and delayed.

I will post another update once I know more. I'm guessing that payments will have to take a forced 30% cut. This has cost everyone a lot of money, time and stress dealing with this mess. We are actively losing money from dealing with the payouts.

Update: here are the facts from my point of view:

- Patrick quit.
- Zhou quit.
- Tihan was fired, and no longer acting on behalf of Bitcoinica LP.
- Bitcoinica Consultancy were the new operators coming onboard, and the company was formed after the compromise to facilitate payments out.
- Bitcoinica LP is the owner.

The payments process is at a deadlock. Technically when a company is in debt, and cannot pay off its debtors in full, it hands the process to the government (called receivership). Bitcoinica LP would have to make a police report, and hand over the payments process as the owners.

That's it basically. Just a standstill.

has anyone been paid out after the latest mtgox theft?

No.

Update 19th July: payments are still stuck at 38%. Considering that those are 50% payouts, that means a good 76% of the claims. That's not 76% of claimants, but 76% of the total funds.

However given that nobody is doing anything, I've been talking with some of the people with large claims. They've proposed helping take over the process with me. I suppose we need to get written consent that Bitcoinica Consultancy doesn't exist or that if it does that the members resign. This allows Bitcoinica LP to take over and hand the payouts process to us. Technically Bitcoinica LP owns the assets.

Transisto
July 13, 2012, 09:02:54 AM
 #2

How I read it. "my comments"  (See edit)

...there has been another huge breach of Bitcoinica. ..."WE THOUGHT" the password for LastPass was not compromised and thus we left it unchanged. The password for LastPass was in fact a duplicate password which ..."Was written in the source code, which was recently made publicly available". ...

... Tihan was using the mtgox api key as the password ...

LastPass contains all your "?" passwords. ... After the initial compromise,  the sourcecode would have been tainted."What has sourcecode to do with payout process ?" ...

..."We" assumed that the LastPass password was not the same password as the MtGox API key. The original hacker could have compromised the funds on May 11th or any day thereafter.

Such security practices resulted in the initial theft. "What security ?" By the time we took over the claims process it was under information that the LastPass password was secure "Who told you this ?" . This was in fact supposed to be the secure way the new passwords were communicated.

This has resulted in the loss of one third of all the Bitcoinica money which has been stolen from MtGox. (40k BTC / 40K USD - the mtgox daily limits) "So 40k USD have vanished ?"

... it was not taken advantage of until many users had access to the sourcecode in a recent leak:

...

The LastPass password was set to the semi-public api key, this is very similar to using the username for one site as the password on another.

Whoever is responsible for the latest theft used the MtGox API key as a password in LastPass hoping that simple security measures were not followed in the setting up of the LastPass. "This is not weak security measure, it's completely fucked up" ...
We had recommended that their codebase be entirely rewritten but were not aware of their security practices. "again codebase has nothing to do with this" + "Your main duty after the takeover was making sure site was secure, then after the hack you had to make sure funds were secure at all cost."

I'm starting to regret becoming embroiled with such a shoddy and badly secured site as Bitcoinica.
"It stopped being a "site" more than 2 months ago"
IMO Lastpass without a Yubikey or 2nd factor auth is like a safe without a lock.
These things are ~$15


EDIT :
30% cut ?

How can 40k USD be untraceable
How can 40k BTC be untraceable or easily spendable ?

Why don't we instead agree to give the hacker an honest and untainted 30% of the BTC he moved ?
By honest I mean we know who he is, we know what he did, we're happy with it, and we respect him for both getting into your gox account and returning funds.
This "hacker" is tech-savvy person that achieved something worth being rewarded for.

This is not a home invasion or a physical robbery, as much as some may hate it, if we get anything stolen because of a weak password or weak security policy then we should have no-one but ourselves to blame.

I think this concept should be well understood by this community.

Pro tip,
When I was using Bitcoinica :
I was doing it with an uncompromised PC, Firewall, AV(s) etc. (HARD)
I was closing my Bitcoinica browser sessions every time I was done,
I had two accounts to spread the risk, both were secured with Google Authenticator, (phone app)
I had ~14 char randomly created passwords,
 different ones,
 all stored into LastPass,
With a safe lastpass password,
With a 2nd factor Yubikey, (my home pc is not considered safe on LastPass, so I have to push the button every time.)
The LastPass recovery email is dedicated to this, the password is paper stored in a safe place.
My HDD is truecrypted,
My FireWire ports are disabled,
I don't use a Wireless keyboard
I never leave the PC with an open session, (session autolock after ~10 min.)
...I do not have any feeling it is all secure. I'm by no means a security expert.

I had nowhere near the same value to protect and ... were not someone else's assets.

IMO, This is rather basic protection scheme for a regular "geek" PC user...

Whatever your previous story;
In over 2 months...
You failed to disable Mt.Gox API,
You failed to protect mt. Gox with a Yubikey,
You failed to change Lastpass password,
You failed to protect Lastpass with one of their many 2nd factor auth. (some free)

Don't be surprised if people don't believe you.

Edit 2: Found markm analysis informative : https://bitcointalk.org/index.php?topic=93074.msg1027484#msg1027484

rebuilder
July 13, 2012, 09:09:48 AM
 #3

I remained hopeful I'd see the BTC I had on Bitcoinica once more. Now, not so much.
davout
July 13, 2012, 09:11:53 AM
 #4


Stephen Gornick
July 13, 2012, 09:12:00 AM
 #5

This has resulted in the loss of one third of all the Bitcoinica money which has been stolen from MtGox. (40k BTC / 40K USD - the mtgox daily limits)

You had 40K BTC / $40K USD or more in Mt. Gox and weren't using a YubiKey or TOTP/Google Authenticator?  Seriously?

Herodes
July 13, 2012, 09:12:18 AM
 #6

I'm glad I had 0 money on Bitcoinica; those who had substantial funds there, I'm sure, are not that happy.

There's much that could be said about the current Bitcoinica situation, but I'm pretty sure anything that I could say would not cause more harmony in the community, so I keep my mouth shut! Smiley
BlackBison
July 13, 2012, 09:14:40 AM
 #7

Erm wtf?? this script is playing out like some retarded hollywood spy film plot.

Thank god I only had 15btc in this joke of a site...

markm
July 13, 2012, 09:15:21 AM
 #8

Seems like each instance of criminal negligence (or conscious conspiracy with thieves or whatever the exact crime turns out to be) ends up back at this Tihan character then eh?

-MarkM-

davout
July 13, 2012, 09:15:31 AM
 #9

You had 40K BTC or more in Mt. Gox and weren't using a YubiKey or TOTP/Google Authenticator?  Seriously?
The theft was authenticated using an API token that doesn't require a second authentication factor.
That's by design, otherwise APIs wouldn't be able to work in an automated fashion.

On the other you can set specific constraints on what the API can do (if you authenticate with an API token you do not necessarily have the same access rights/limits as the ones you have when authenticating with a username+password+2nd factor)

EDIT : Oh wait, I misread, it indeed went through the username+password authentication. I don't have words to describe the sheer amounts of fail this represents and how easily it could have been prevented.

flower1024
July 13, 2012, 09:21:13 AM
 #10

you shouldn't be trusted with money anymore.

you claim you are security experts and didn't lock all api keys? are you kidding me?

why didn't you just move it to another account?
why didn't you revoke all API access? - i see no need for it as bitcoinica is OFFLINE

btw: i don't really care about that theft.
it's just another story why we should wait for OUR money and why we should be nice to you.

ninjarobot
July 13, 2012, 09:24:02 AM
 #11

Can someone from MtGox support please weigh in and provide more details on what happened, when, how much?

This is just incredulous.
iddo
July 13, 2012, 09:24:06 AM
 #12

This has resulted in the loss of one third of all the Bitcoinica money which has been stolen from MtGox. (40k BTC / 40K USD - the mtgox daily limits)

I'm not sure whether I understand what you meant here: are you saying that 40K USD were also stolen via MtGox ? If so, MtGox knows the identity of the thief who withdrew the USD ? If you meant that 40K BTC were withdrawn but not USD, then please ignore my question.
markm
July 13, 2012, 09:24:12 AM
 #13

EDIT : Oh wait, I misread, it indeed went through the username+password authentication. I don't have words to describe the sheer amounts of fail this represents and how easily it could have been prevented.

Ah so then it does not all point to Tihan, someone else aided and abetted by setting Gox up ready for his "negligence" to work?

-MarkM-

eleuthria
July 13, 2012, 09:24:16 AM
 #14

You have to be joking.  There aren't words to describe how terrible Bitcoinica has been at "losing" money.  Quite frankly I don't see how anybody can believe this isn't an inside job/run with the money scheme anymore.

aq
July 13, 2012, 09:24:32 AM
 #15

Sorry, but whoever handles this whole bitcoinica mess should probably leave bitcoins, or better anything related to computers.
davout
July 13, 2012, 09:24:41 AM
 #16

We regret to inform you that there has been another huge breach of Bitcoinica. While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged. The breach today occurred because the password for LastPass was in fact a duplicate password which had been compromised during the hack.

[...]

While the initial hacker had the ability to cause this breach it is likely that it was not taken advantage of until many users had access to the sourcecode in a recent leak:

Code:
genjix:~/tmp/bitcoinica_legacy/config/initializers$ cat mtgox_credentials.rb
if Rails.env.production?
  MtGox.configure do |config|
    config.key = "c02e1a27-5524-449f-ba65-aff9581ddedc"
    config.secret = '83U1ROG++O3vwBqFrxpcdyLIoChpgnowImy1oMVQwBLalaLevZDmWeCPJFTrYW00OQ7XUgG53LsIL2pBZ2PQgA=='
  end
end
See https://github.com/davout/bitcoin-central to see how you properly store production passwords.

protip : not directly in the fucking source code
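As an added illustration of the point in the post above (example code written for this page, not code from Bitcoinica or from bitcoin-central): an initializer that reads the MtGox key and secret from the environment the deploy tooling supplies, refuses to start on a missing or malformed value, and a repository check that flags the exact pattern of the leaked mtgox_credentials.rb, a string literal assigned to config.key or config.secret. The ENV variable names, the error classes and the sample values are assumptions made for the example.

```ruby
# Added example, not Bitcoinica's or bitcoin-central's code. ENV names, error
# classes and sample values are assumptions made for this illustration.
require 'base64'

MTGOX_KEY_VAR    = 'MTGOX_API_KEY'      # assumed variable names, set by the
MTGOX_SECRET_VAR = 'MTGOX_API_SECRET'   # deploy tooling, never committed

class MissingCredential  < StandardError; end
class RejectedCredential < StandardError; end

def valid_base64?(s)
  Base64.strict_decode64(s)
  true
rescue ArgumentError
  false
end

# Returns { key:, secret: } read from env, or raises so production never boots
# with an empty or placeholder credential. The secret itself is never logged.
def load_mtgox_credentials(env = ENV)
  missing = [MTGOX_KEY_VAR, MTGOX_SECRET_VAR].select { |v| env[v].to_s.strip.empty? }
  raise MissingCredential, "missing #{missing.join(', ')}" unless missing.empty?
  key, secret = env[MTGOX_KEY_VAR], env[MTGOX_SECRET_VAR]
  # Shape checks: the leaked key was a UUID and the secret base64, so a typo,
  # a truncated paste or "CHANGEME" is rejected before any API call is made.
  raise RejectedCredential, 'key is not a UUID' unless key =~ /\A\h{8}(-\h{4}){3}-\h{12}\z/
  raise RejectedCredential, 'secret is not base64' unless valid_base64?(secret)
  { key: key, secret: secret }.freeze
end
# A Rails initializer would then call MtGox.configure with creds[:key] and
# creds[:secret] instead of string literals.

# Repository check: a quoted literal assigned to config.key or config.secret is
# a hard-coded credential. Interpolated strings ("#{...}") are allowed because
# they read the value from somewhere else. Returns [[line_number, setting], ...].
HARDCODED_RE = /\bconfig\.(key|secret)\s*=\s*(["'])(?!#\{)[^"']+\2/

def find_hardcoded_credentials(source)
  hits = []
  source.each_line.with_index(1) do |line, no|
    m = HARDCODED_RE.match(line)
    hits << [no, m[1]] if m
  end
  hits
end

# Constructed samples: the shape of the leaked initializer with placeholder
# values, and the same block reading from the environment instead.
LEAKED_STYLE = <<~RUBY
  MtGox.configure do |config|
    config.key = "00000000-0000-4000-8000-000000000000"
    config.secret = 'cGxhY2Vob2xkZXI='
  end
RUBY

HARDENED_STYLE = <<~RUBY
  MtGox.configure do |config|
    config.key    = ENV.fetch('MTGOX_API_KEY')
    config.secret = ENV.fetch('MTGOX_API_SECRET')
  end
RUBY
```

Running find_hardcoded_credentials over config/initializers in CI before deploy catches the literal before it reaches a repository that may one day leak, which is the failure this thread describes.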

DarkEmi
July 13, 2012, 09:25:40 AM
 #17

I am not sure I understand. You are telling us you lost ANOTHER 40 k ?

If thats the case, I am becoming increasingly depressed.
I will state publicly that I had 5k btc on bitcoinica and that's basically a majority of my wealth, which was accumulated through hard work...
Because I was having that much faith into bitcoins.

I was kinda closing my eyes to the disaster so far hoping for good news but I don't know what to do anymore

Justin00
July 13, 2012, 09:27:03 AM
 #18

who didn't see this coming ?

In fairness I thought it would be a few weeks earlier.

aq
July 13, 2012, 09:29:38 AM
 #19

We regret to inform you that there has been another huge breach of Bitcoinica. While all passwords were changed after the theft which occurred May 11th, the password for LastPass was not compromised and thus left unchanged. The breach today occurred because the password for LastPass was in fact a duplicate password which had been compromised during the hack.

[...]

While the initial hacker had the ability to cause this breach it is likely that it was not taken advantage of until many users had access to the sourcecode in a recent leak:

Code:
genjix:~/tmp/bitcoinica_legacy/config/initializers$ cat mtgox_credentials.rb
if Rails.env.production?
  MtGox.configure do |config|
    config.key = "c02e1a27-5524-449f-ba65-aff9581ddedc"
    config.secret = '83U1ROG++O3vwBqFrxpcdyLIoChpgnowImy1oMVQwBLalaLevZDmWeCPJFTrYW00OQ7XUgG53LsIL2pBZ2PQgA=='
  end
end
See https://github.com/davout/bitcoin-central to see how you properly store production passwords.

protip : not directly in the fucking source code
They got hacked. Site was shut down. So they left the API open for what? Only for the hacker?
markm
July 13, 2012, 09:30:28 AM
 #20

See https://github.com/davout/bitcoin-central to see how you properly store production passwords.

protip : not directly in the fucking source code

Pro tip 2: for months now the whole problem of how to properly store passwords has been holding up Open Transactions development because of the intricacies of how to convince the various different operating systems never ever ever to let it land on disk, including by not allowing the memory it is remembering it in to get swapped to disk. It's stuff like this that has made Open Transactions late to market.

Better to get in fast and out with a fast buck than wait until ready to "do it right" though maybe eh?

-MarkM-
