Bitcoin Forum
Author Topic: BTC-E hacked - still unfolding  (Read 22048 times)
proudhon (Legendary, Activity: 2198, Merit: 1311)
July 31, 2012, 04:08:57 PM  #41

Who would have guessed that BTC-E was more secure than Bitcoinica?

Bitcoin Fact: the price of bitcoin will not be greater than $70k for more than 25 consecutive days at any point in the rest of recorded human history.
unclemantis (Member, Activity: 98, Merit: 10)
(:firstbits => "1mantis")
July 31, 2012, 04:12:40 PM  #42

Quote
Who would have guessed that BTC-E was more secure than Bitcoinica?

I am not like most people. I DON'T judge the security of a website based on AWESOME WEB DESIGN.

PHP, Ruby, Rails, ASP, JavaScript, SQL
20+ years experience w/ Internet Technologies
Bitcoin OTC | GPG Public Key | thoughts?
proudhon (Legendary, Activity: 2198, Merit: 1311)
July 31, 2012, 04:18:38 PM  #43

Quote
Who would have guessed that BTC-E was more secure than Bitcoinica?

Quote
I am not like most people. I DON'T judge the security of a website based on AWESOME WEB DESIGN.

Bitcoin Fact: the price of bitcoin will not be greater than $70k for more than 25 consecutive days at any point in the rest of recorded human history.
dree12 (Legendary, Activity: 1246, Merit: 1077)
July 31, 2012, 04:21:22 PM  #44

To be fair, Bitcoinica was never hacked due to a coding error. It seemed to be management and VPS on every occasion.
Gabi (Legendary, Activity: 1148, Merit: 1008)
If you want to walk on water, get out of the boat
July 31, 2012, 04:51:57 PM  #45

Quote
To be fair, Bitcoinica was never hacked due to a coding error. It seemed to be management and VPS on every occasion.

Probably bitcoinica was never hacked altogether, bitcoinica to me looks like a scam (especially after the "no backup" and the last "money that was on mtgox lost" news) Cheesy

cryptoanarchist (Legendary, Activity: 1120, Merit: 1003)
July 31, 2012, 04:55:06 PM  #46

Quote
To be fair, Bitcoinica was never hacked due to a coding error. It seemed to be management and VPS on every occasion.

Quote
Probably bitcoinica was never hacked altogether, bitcoinica to me looks like a scam (especially after the "no backup" and the last "money that was on mtgox lost" news) Cheesy

Yeah, their story is about as fake as the Colorado shooting. Someday, soon hopefully, it will come out that all the Bitcoinica/InterSango guys are establishment cronies (freemasons).

I'm grumpy!!
adamstgBit (Legendary, Activity: 1904, Merit: 1037)
Trusted Bitcoiner
July 31, 2012, 05:28:18 PM  #47

From https://btc-e.com/news/81:

Quote
Dear users of the Exchange Btc-e.com

The exchange is not going to close. We will refund all losses from our reserves.

Neither the servers nor the database were compromised. There were no SQL injections.

At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.

Using the key the hacker imitated LR deposits from many accounts and bought up Bitcoins, Namecoins and Litecoins.

We lost our daily volume, approx. 4500 BTC. The attacker couldn't withdraw more as most BTC were distributed over several offline wallets.

At 10:30 we restored the database to the state it was at 04:00, right before the attack. All trades after 4:00 are reverted.

People who attempted withdrawals before 04:00 MSK will get their funds withdrawn later today.

For people who deposited BTC, LTC and NMC after 04:00 MSK the funds will be put to their balances before market opens.
We are working on the scripts for this.

If you deposited USD after 04:00 MSK you should send us your login, amount and payment system used by email or PM.

Our plan:

1. The trade will be disabled until we restore the balances to the point before market crash.

2. After that, the trade and deposit/withdrawal will be back on, approx. within 1-2 days.

Icq - 610112128
Skype - btc-e.support
E-mail - support@btc-e.com

Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.

+1

It actually gives me a lot of confidence.

this is gr8 news,
Excellent work btc-e!

Ente (Legendary, Activity: 2126, Merit: 1001)
July 31, 2012, 05:32:05 PM  #48

Indeed.
I will watch this closely.
BTC-E just instantly catapulted themselves to #1 of my favorite exchange. After MtGox and Intersango more or less disqualified themselves in the last few days..

Ente
andrewbadr (Full Member, Activity: 174, Merit: 100)
Posts made Jan-March 2017 are not by me
July 31, 2012, 06:21:03 PM  #49

From https://btc-e.com/news/81:

Quote
At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.

Really? That would make it the longest known brute forced key I've heard of.

caveat: I haven't studied the actual implementation in LR, maybe there are shortcuts. I would've just assumed to end up in the right ballpark with an estimation along these lines:

GPU brute forcing speed - let's go with 3Mhash/s (SHA-1) based on http://golubev.com/gpuest.htm

Time-to-find 16 char l/U/# at 3Mhash/s estimation using http://lastbit.com/pswcalc.asp

Result: 510892508003511 years

(Feel free to halve for each added GPU and a final halving for 50% time instead of 100% - assume a lucky hacker)

I'm guessing there's a timing attack on LR's end.
ElectricMucus (Legendary, Activity: 1666, Merit: 1057)
Marketing manager - GO MP
July 31, 2012, 06:23:42 PM  #50

Quote
To be fair, Bitcoinica was never hacked due to a coding error. It seemed to be management and VPS on every occasion.

Quote
Probably bitcoinica was never hacked altogether, bitcoinica to me looks like a scam (especially after the "no backup" and the last "money that was on mtgox lost" news) Cheesy

Quote
Yeah, their story is about as fake as the Colorado shooting. Someday, soon hopefully, it will come out that all the Bitcoinica/InterSango guys are establishment cronies (freemasons).

cryptoanarchist (Legendary, Activity: 1120, Merit: 1003)
July 31, 2012, 06:24:49 PM  #51

Quote
To be fair, Bitcoinica was never hacked due to a coding error. It seemed to be management and VPS on every occasion.

Quote
Probably bitcoinica was never hacked altogether, bitcoinica to me looks like a scam (especially after the "no backup" and the last "money that was on mtgox lost" news) Cheesy

Quote
Yeah, their story is about as fake as the Colorado shooting. Someday, soon hopefully, it will come out that all the Bitcoinica/InterSango guys are establishment cronies (freemasons).

LMAO...

I'm grumpy!!
elux (Legendary, Activity: 1458, Merit: 1006)
July 31, 2012, 06:29:20 PM  #52

Quote
Probably bitcoinica was never hacked altogether, bitcoinica to me looks like a scam (especially after the "no backup" and the last "money that was on mtgox lost" news) Cheesy

Quote
Yeah, their story is about as fake as the Colorado shooting. Someday, soon hopefully, it will come out that all the Bitcoinica/InterSango guys are establishment cronies (freemasons).

defxor (Hero Member, Activity: 530, Merit: 500)
July 31, 2012, 06:38:23 PM  #53

Quote
I'm guessing there's a timing attack on LR's end.

Oh that brings back memories from the old embedded system days. Interesting hypothesis - I wouldn't be surprised to see Internet services not realizing such attacks very well can be performed over Internet-distances if you get enough tries.

Posting additional information for those who plan on making their own password-validation code not having heard about this class of attacks before: http://www.computerworld.com/s/article/9179224/Researchers_Authentication_crack_could_affect_millions

(However, if there is such an information leak on LR's side we would surely see other services accepting LR to be affected as well)

cryptoanarchist (Legendary, Activity: 1120, Merit: 1003)
July 31, 2012, 07:11:24 PM  #54

Quote
I'm guessing there's a timing attack on LR's end.

Quote
Oh that brings back memories from the old embedded system days. Interesting hypothesis - I wouldn't be surprised to see Internet services not realizing such attacks very well can be performed over Internet-distances if you get enough tries.

Posting additional information for those who plan on making their own password-validation code not having heard about this class of attacks before: http://www.computerworld.com/s/article/9179224/Researchers_Authentication_crack_could_affect_millions

(However, if there is such an information leak on LR's side we would surely see other services accepting LR to be affected as well)

Interesting stuff. If that's the case...

Quote
the fix is simple: Program the system to take the same amount of time to return both correct and incorrect passwords. This can be done in about six lines of code, Lawson said.


I'm grumpy!!
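The two technical points raised in this thread can be checked in code. The first is andrewbadr's keyspace estimate (#49): 16 characters drawn from upper/lower case letters and digits, guessed at his assumed 3 Mhash/s. The second is the "take the same amount of time for correct and incorrect" fix quoted in the post above (#54): an early-exit byte comparison does work proportional to the length of the matching prefix, while a constant-time comparison does the same work for every input. The following Python is an added example written for this page; it is not code from BTC-E, Liberty Reserve, or any forum participant. The function names, the 365.25-day year, and the 16-byte sample secrets are constructed for the illustration; the 62-symbol alphabet, 16-character length and 3 Mhash/s rate are the figures from andrewbadr's post.

```python
"""Added example for the BTC-E thread (not code from the thread or from LR).

1. brute_force_years(): the keyspace arithmetic behind andrewbadr's estimate.
2. naive_compare() vs constant_time_compare(): the data-dependent comparison
   that leaks via response time, next to the fixed version, with the number
   of bytes examined returned so the difference is visible without a clock.
3. verify_api_secret(): what a service should actually call in production.
"""
from __future__ import annotations

import hmac

# Constructed assumption: a Julian year; lastbit's calculator may differ slightly.
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_years(alphabet_size: int, length: int, guesses_per_second: float,
                      gpus: int = 1, lucky: bool = False) -> float:
    """Years to exhaust alphabet_size**length guesses at the given rate.

    `gpus` divides the time linearly (andrewbadr's "halve for each added GPU");
    `lucky=True` halves it again to model hitting the key at the 50% mark.
    """
    keyspace = alphabet_size ** length
    seconds = keyspace / (guesses_per_second * gpus)
    if lucky:
        seconds /= 2
    return seconds / SECONDS_PER_YEAR


def naive_compare(stored: bytes, supplied: bytes) -> tuple[bool, int]:
    """Early-exit comparison (the vulnerable pattern).

    Returns (equal, bytes_examined). bytes_examined grows with the length of
    the matching prefix, and so does the time spent; that is the signal the
    thread's "timing attack on LR's end" hypothesis refers to.
    """
    if len(stored) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(stored, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(stored: bytes, supplied: bytes) -> tuple[bool, int]:
    """Examine every byte and OR the differences together.

    The work done no longer depends on where the first mismatch is. The length
    check still short-circuits, which is acceptable here because the length of
    an API secret (16 characters in BTC-E's statement) is public anyway.
    """
    if len(stored) != len(supplied):
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(stored, supplied):
        examined += 1
        diff |= a ^ b
    return diff == 0, examined


def verify_api_secret(stored: bytes, supplied: bytes) -> bool:
    """Production check: hmac.compare_digest is the stdlib constant-time compare."""
    return hmac.compare_digest(stored, supplied)


if __name__ == "__main__":
    years = brute_force_years(62, 16, 3_000_000)
    print(f"62^16 keyspace at 3 Mhash/s: {years:.3e} years")  # ~5.0e14 (andrewbadr: ~5.1e14)
    print(f"two GPUs, lucky attacker: {brute_force_years(62, 16, 3e6, gpus=2, lucky=True):.3e} years")

    secret = b"ABCDEFGHIJKLMNOP"           # constructed 16-byte sample secret
    wrong_first = b"ZBCDEFGHIJKLMNOP"      # differs in byte 0
    wrong_last = b"ABCDEFGHIJKLMNOQ"       # differs only in byte 15
    for label, guess in (("mismatch at byte 0", wrong_first), ("mismatch at byte 15", wrong_last)):
        print(label, "naive:", naive_compare(secret, guess), "constant:", constant_time_compare(secret, guess))
    print("verify_api_secret:", verify_api_secret(secret, secret), verify_api_secret(secret, wrong_last))
```

The naive version examines 1 byte for the first guess and 16 for the second; the constant-time version examines 16 in both cases. That difference in work, not the exact cycle count, is what a well-placed measurement over many requests can recover, which is why the fix is the default in every serious authentication library and why rate limiting and per-key lockout belong alongside it rather than instead of it.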
Xenland (Legendary, Activity: 980, Merit: 1003)
I'm not just any shaman, I'm a Sha256man
July 31, 2012, 07:20:12 PM  #55

I think a web-library should be made to help assist those who want to integrate Bitcoin into their website but don't know what kind of security measures need to be taken.
cryptoanarchist (Legendary, Activity: 1120, Merit: 1003)
July 31, 2012, 07:26:55 PM  #56

Quote
I think a web-library should be made to help assist those who want to integrate Bitcoin into their website but don't know what kind of security measures need to be taken.

Something like that has been brought up before: https://bitcointalk.org/index.php?topic=93115.0

I'm grumpy!!
unclemantis (Member, Activity: 98, Merit: 10)
(:firstbits => "1mantis")
July 31, 2012, 07:45:40 PM  #57

OK people. I think it is about time to create 2 keys to access API shit! If this thing was brute forced then we need to ramp up security.

BTW. If it was brute forced, how did they confirm if it was valid or not without triggering a flag in log reports on either website?

PHP, Ruby, Rails, ASP, JavaScript, SQL
20+ years experience w/ Internet Technologies
Bitcoin OTC | GPG Public Key | thoughts?
proudhon (Legendary, Activity: 2198, Merit: 1311)
July 31, 2012, 07:48:23 PM  #58

Quote
I think a web-library should be made to help assist those who want to integrate Bitcoin into their website but don't know what kind of security measures need to be taken.

Quote
Something like that has been brought up before: https://bitcointalk.org/index.php?topic=93115.0

Yep.  It's been suggested before.  I think Matthew was one of the first to suggest it.  Basically, I think the most successful and secure bitcoin businesses should form a bitcoin security forum, maybe include a security expert/crypto guy or two (and pay them a little bit), and publish best practices.  Even better, but probably much more difficult to implement, and it comes with its own trust issues, would be for something like that to perform audits and companies could get some sort of certification and be included in a list of companies complying with best practices.

Bitcoin Fact: the price of bitcoin will not be greater than $70k for more than 25 consecutive days at any point in the rest of recorded human history.
coretechs (Donator, Sr. Member, Activity: 362, Merit: 250)
July 31, 2012, 10:54:06 PM  #59

Kudos to BTC-e for handling this situation well.  My account issues are all resolved, thanks.

I was cautious of the site prior to this event and kept a minimal balance, but I have a lot more confidence in them after this and will continue to trade BTC & LTC there.  Smiley

https://bitcoindoc.com - The Rise and Rise of Bitcoin | https://blocktap.io - Lightning powered crypto query engine
kiba (Legendary, Activity: 980, Merit: 1014)
July 31, 2012, 11:03:20 PM  #60

I am going to wait until they announce a fix to the vulnerability.
