Bitcoinica MtGox account compromised

[sadpandatech]

That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?

http://pastebin.com/htzdAJGF

Its a new hack?? the code was stolen from github, not from the cloned machines ....
Maybe github user:info@bitcoinica.com/ passwd 123

How does one decrypt that file?
Some research is due.

According to the pastbin announcement they were going to make the sourcecode public on the 9th by releasing the instructions to decrypt it on freenode. anyone got a log of freenode #bitcoin at around 1900 on the 9th of July 2012?

[1714200706]

1714200706

[1714200706]

1714200706

[1714200706]

1714200706

[1714200706]

1714200706

[nomnomnom]

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this afterall a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-

That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?

http://pastebin.com/htzdAJGF

Its a new hack?? the code was stolen from github, not from the cloned machines ....
Maybe github user:info@bitcoinica.com/ passwd 123

How does one decrypt that file?
Some research is due.

It was posted on reddit a few days ago:
http://www.reddit.com/r/Bitcoin/comments/w6xen/bitcoinica_press_release/

[tbcoin]

That still doesn't explain how the attacker knew that specific password should be tried at all.

We are talking about the password needed to convince LastPass to hand over your encrypted passwords right, not the passphrases needed to actually decrypt those passwords once having gotten a copy of them from LastPass?

-MarkM-

What's to say they "knew" at all? If the source was public and there were obviously duff security practices all round, wouldn't it be pretty straightforward to bruteforce LastPass with grepped strings from source and public e-mails?

Doesn't explain why the passwords were the same though. I guess laziness and hubris.

How can you brute-force a secure download protocol? If you fail to provide an initial response that proves you possess the correct decrypt password you don't get the file. Is all of this afterall a total comically silly fail on LastPass's part of delivering the crypted passwords to random anonymous hackers to have them brute-forced at leisure?

-MarkM-

That's right, you can't sync LastPass without the master password.

I still can't find any evidence of the bitcoinica source code leak, all google results are pointing back to genjix's original post in this thread. Does anyone know where it was first leaked?

http://pastebin.com/htzdAJGF

Its a new hack?? the code was stolen from github, not from the cloned machines ....
Maybe github user:info@bitcoinica.com/ passwd 123

How does one decrypt that file?
Some research is due.

It was posted on reddit a few days ago:
http://www.reddit.com/r/Bitcoin/comments/w6xen/bitcoinica_press_release/

"
genjix 1 punto 5 días atrás
This is legit. Run "git log" to see the development history.
"
if you already knew, did not occur to review the code filtering, if there was something sensible?

[Raoul Duke]

So, the encoded file has the exact same thing on the /bitcoinica_legacy/.git/logs/HEAD file

Code:

0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200	clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting

And look at who packed it... surprise surprise

Code:

drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

[Bitcoin Oz]

So basically they just open sourced all their passwords

 

[tbcoin]

So, the encoded file has the exact same thing on the /bitcoinica_legacy/.git/log/HEAD file

Code:

0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200	clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting

And look at who packed it... surprise surprise
drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

+ pastebin > BY: A GUEST ON JUL 7TH, 2012  

And again, please genjix can you explain this? Everything is falsifiable but ...

[Raoul Duke]

So, the encoded file has the exact same thing on the /bitcoinica_legacy/.git/log/HEAD file

Code:

0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200	clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting

And look at who packed it... surprise surprise

Code:

drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

And again, please genjix you explain this? Everything is falsifiable but ...

He won't explain shit. If he wanted to explain he would've done it by now.

[Mt.Gox Support]

I use lastpass but man the passwords i use now for mtgox and all other websites I have been changing to 40 character plus passwords.

My YUBIKEY CAN NOT ARRIVE FAST ENOUGH!

Wish a regular YUBIKEY would work with MtGox though

Hey TUX! Any chance of getting a MtGox Yubikey free or at least allowing us to use our own?

Please use Google Auth for the moment, we will see with Mark what can be done regarding people that already own a Yubikey.

[markm]

So basically they just open sourced all their passwords

 

Not quite. How many attempts does LastPass allow before locking an account?

Someone had to have some reason to "waste" one attempt on that particular string of characters from the source code.

So, who tipped them off that if they wanted to spend those limited number of attempts, this particular string of characters might be a darn good guess to spend one of their attempts on...

-MarkM-

[bitcoinBull]

So, the encoded file has the exact same thing on the /bitcoinica_legacy/.git/logs/HEAD file

Code:

0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200	clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting

And look at who packed it... surprise surprise

Code:

drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

That's not the encoded file. You're still looking at genjix's re-pack.

[Bitcoin Oz]

So basically they just open sourced all their passwords

 

Not quite. How many attempts does LastPass allow before locking an account?

Someone had to have some reason to "waste" one attempt on that particular string of characters from the source code.

So, who tipped them off that if they wanted to spend those limited number of attempts, this particular string of characters might be a darn good guess to spend one of their attempts on...

-MarkM-

 One would still have to know that particular string relates to lastpass ....Im not sure how many attempts they allow.

[tbcoin]

So, the encoded file has the exact same thing on the /bitcoinica_legacy/.git/logs/HEAD file

Code:

0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200	clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting

And look at who packed it... surprise surprise

Code:

drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

That's not the encoded file. You're still looking at genjix's re-pack.

Pastebin
"
Monday 9th July, the Bitcoinica sourcecode will be made public.
 
Encrypted file for download: http://depositfiles.com/files/u8e6gd032
 
Secret key + instructions for decryption will be released on Monday at 19:00 UTC in #bitcoin on Freenode IRC.
"

Until day 9 not public how to decrypt and "re-pack" was genjix day 7, the same as it was published in pastebin


EDIT:
Cold thinking, ok, if possible, the dates remain the original.

EDIT2:

That's not the encoded file. You're still looking at genjix's re-pack.

Dude, I think I know what I did... I decoded the file... And yes, it has the exact same thing as the link genjix posted in the OP. Go look at yours if you wish.

Here's what I did, just so you know and don't call me a liar.
I downloaded bitcoinica.enc from http://depositfiles.com/files/u8e6gd032 to a dir named "b" on my home drive and I did the following

Code:

$ cd b

$ split --bytes=3000000 bitcoinica.enc

$ mv xaa 2

$ cat xab xac > 1

$ cat 1 2 > bit.tar.bz2

$ tar -jtvf bit.tar.bz2 | head -n1

After I opened the bit.tar.bz2 file with Ubuntu file manager and navigated to /bitcoinica_legacy/.git/logs/ and opened the HEAD file with gedit.

[Raoul Duke]

So, the encoded file has the exact same thing on the /bitcoinica_legacy/.git/logs/HEAD file

Code:

0000000000000000000000000000000000000000 939e877106a5bd479f350adc6d9e4170c62df8f3 genjix <genjix@nite.(none)> 1338505438 +0200	clone: from git@github.com:bitcoinica/bitcoinica_legacy.git

Cloned by Genjix from the bitcoinica private github repo on May 31 2012... Interesting

And look at who packed it... surprise surprise

Code:

drwxr-xr-x genjix/genjix     0 2012-07-07 20:18 bitcoinica_legacy/

That's not the encoded file. You're still looking at genjix's re-pack.

Dude, I think I know what I did... I decoded the file... And yes, it has the exact same thing as the link genjix posted in the OP. Go look at yours if you wish.

Here's what I did, just so you know and don't call me a liar.
I downloaded bitcoinica.enc from http://depositfiles.com/files/u8e6gd032 to a dir named "b" on my home drive and I did the following

Code:

$ cd b

$ split --bytes=3000000 bitcoinica.enc

$ mv xaa 2

$ cat xab xac > 1

$ cat 1 2 > bit.tar.bz2

$ tar -jtvf bit.tar.bz2 | head -n1

After, I opened the bit.tar.bz2 file with Ubuntu file manager and navigated to /bitcoinica_legacy/.git/logs/ and opened the HEAD file with gedit.

Try it yourself.

[NothinG]

So basically they just open sourced all their passwords

 

How many attempts does LastPass allow before locking an account?

I think it's 3 attempts.

[markm]

So basically they just open sourced all their passwords

 

How many attempts does LastPass allow before locking an account?

I think it's 3 attempts.

So picking that string out of all possible strings would be hmm, how much more or less likely than a fingerprint or DNA match cockup, I wonder...



-MarkM-

[Mt.Gox Support]

How did someone initiate a $40 000 transfer without AML warning bells going off at Mt Gox since they use this excuse if you usually try it with anything close to $10 000 or in combinations that are close to that ? One doesnt just transfer $40 000 out of Mordor.

AML as nothing to do with warning. AML is just here to make sure you are who you say you are, and then once a person on here in this case a company prove they are who they say they are they become Trusted or Verified. Once you have a Verified Account or a Trusted account your limits are not lifted, you or in this case the representative of the company need to contact us and ask us to lift their account limits.

AML has once again nothing to do with that. Now Mt.Gox offers many withdrawal methods, and the thief use the one(s) that fit his/her/their needs in that matter.

[Clipse]

After I opened the bit.tar.bz2 file with Ubuntu file manager and navigated to /bitcoinica_legacy/.git/logs/ and opened the HEAD file with gedit.

I confirm this. So the hacker had access to git even after 15th... So they didnt change password or this is an inside job.

or intersango/bitcoin consultancy simply think everyone on this forum is a moron.

[Bitcoin Oz]

So basically they just open sourced all their passwords

 

How many attempts does LastPass allow before locking an account?

I think it's 3 attempts.

So picking that string out of all possible strings would be hmm, how much more or less likely than a fingerprint or DNA match cockup, I wonder...



-MarkM-

I think the probability is about the same as finding a sha-256 collision in bitcoin  

[Aseras]

How did someone initiate a $40 000 transfer without AML warning bells going off at Mt Gox since they use this excuse if you usually try it with anything close to $10 000 or in combinations that are close to that ? One doesnt just transfer $40 000 out of Mordor.

AML as nothing to do with warning. AML is just here to make sure you are who you say you are, and then once a person on here in this case a company prove they are who they say they are they become Trusted or Verified. Once you have a Verified Account or a Trusted account your limits are not lifted, you or in this case the representative of the company need to contact us and ask us to lift their account limits.

AML has once again nothing to do with that. Now Mt.Gox offers many withdrawal methods, and the thief use the one(s) that fit his/her/their needs in that matter.

Which is BS since you can be a level 47 verified and you all will sit on a wire transfer for weeks. Especially a larger transfer.

[markm]

I think the probability is about the same as finding a sha-256 collision in bitcoin  

So its probably silly to imagine it happened. Compare the chance of an inside job (someone told the thief where to look or told them the actual password) or a keylogger (etc) type attack was used to discover it, in such cases the fact one can find it in the source code is merely a red herring, whether deliberately dyed red or merely accidentally happening to be red.

-MarkM-