Bitcoin Forum
December 11, 2017, 12:23:02 AM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2] 3 »  All
  Print  
Author Topic: BTC-E hacked - still unfolding  (Read 21927 times)
dishwara
Legendary
*
Offline Offline

Activity: 1568



View Profile
July 31, 2012, 07:12:24 AM
 #21

I think this may be the root cause of hack or theft or whatever today happened/happening on btc-e

https://bitcointalk.org/index.php?topic=94573.0


btc-e dev said its not supa.
I apologize to supa & edited my post to reflect change.
sorry supa.

BitSend ◢◤Clients | Source
www.bitsend.info
█▄
█████▄
████████▄
███████████▄
██████████████
███████████▀
████████▀
█████▀
█▀












Your Digital Network | 10MB Blocks
Algo: XEVAN | DK3 | Masternodes
Bitcore - BTX/BTC -Project












BSD -USDT | Bittrex | C.Gather | S.Exchange
Cryptopia | NovaExchange | Livecoin
CoinPayments | Faucet | Bitsend Airdrop













████
 ████
  ████
   ████
    ████
     ████
      ████
       ████
        ████
       ████
      ████
     ████
    ████
   ████
  ████
 ████
████

████
 ████
  ████
   ████
    ████
     ████
      ████
       ████
        ████
       ████
      ████
     ████
    ████
   ████
  ████
 ████
████
1512951782
Hero Member
*
Offline Offline

Posts: 1512951782

View Profile Personal Message (Offline)

Ignore
1512951782
Reply with quote  #2

1512951782
Report to moderator
1512951782
Hero Member
*
Offline Offline

Posts: 1512951782

View Profile Personal Message (Offline)

Ignore
1512951782
Reply with quote  #2

1512951782
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
check_status
Full Member
***
Offline Offline

Activity: 196


Web Dev, Db Admin, Computer Technician


View Profile
July 31, 2012, 10:20:15 AM
 #22

How do you "fake" USD or LR on an exchange?
Can any outsider created nonexistent currency and deposit onto an exchange?

For Bitcoin to be a true global currency the value of BTC needs always to rise.
If BTC became the global currency & money supply = 100 Trillion then ⊅1.00 BTC = $4,761,904.76.
P2Pool Server List | How To's and Guides Mega List |  1EndfedSryGUZK9sPrdvxHntYzv2EBexGA
BkkCoins
Hero Member
*****
Offline Offline

Activity: 784


firstbits:1MinerQ


View Profile WWW
July 31, 2012, 10:40:25 AM
 #23

How do you "fake" USD or LR on an exchange?
Can any outsider created nonexistent currency and deposit onto an exchange?
There's probably at least a few ways. No one is supposed to be able to but if the programming has defects then it's possible. Hackers specialize in finding programming defects.

If you study how LR communicates account info with it's customers then you can mimic that. If the site programming does not completely authenticate any info from LR then it may take fake info at face value and credit accounts with what it believes to be real deposits. Crediting an account on BTC-E is the same as having the money, ie. fake money, that you can spend to buy BTC.

So a relatively simple act of intercepting data flow and replaying it may lead to funds to play with. This is only one way. SQL Injection into poorly designed API/site code could lead to being able to adjust account balances without proper auditing or verification. All these things result from poorly thought out and tested code but they allow altering database records that say how much money a user has.

bg002h
Donator
Legendary
*
Offline Offline

Activity: 1358


I outlived my lifetime membership:)


View Profile WWW
July 31, 2012, 11:11:04 AM
 #24

It's a little unwise to permit instantaneous irreversible withdrawals...anyone running the exchange who was watching events unfold would have known to halt trading...but once the funds are gone, you can't just roll it all back.

If you won't program your computer to halt trading when ludicrous events occur, perhaps one should build a time delay in before withdrawals are permitted to allow time for human review.

I feel bad for everyone who lost their funds.

Hardfork aren't that hard.
1GCDzqmX2Cf513E8NeThNHxiYEivU1Chhe
R-
Full Member
***
Offline Offline

Activity: 238

Pasta


View Profile WWW
July 31, 2012, 11:28:47 AM
 #25

Has the admin of BTC-E signed on yet? My condolences go out to him, as well as the victims, because the hack doesn't appear to be an inside job.

*also equilibrium in the orderbook has been reached*
ElectricMucus
Legendary
*
Offline Offline

Activity: 1596


God of the code.


View Profile WWW
July 31, 2012, 11:44:20 AM
 #26

The track records of these "hacks" points to "we have been hacked your money is gone, make your claim here".

If this was a genuine hack not a "hack" I would be positively surprised.
Just sain'  Undecided
bitcoinism
Newbie
*
Offline Offline

Activity: 15


View Profile
July 31, 2012, 12:06:43 PM
 #27

The track records of these "hacks" points to "we have been hacked your money is gone, make your claim here".

If this was a genuine hack not a "hack" I would be positively surprised.
Just sain'  Undecided

I'd say it's highly unlikely it was an inside job... after the hack started there was plenty of time for people to withdraw what they could until the hot wallets were depleted.
ElectricMucus
Legendary
*
Offline Offline

Activity: 1596


God of the code.


View Profile WWW
July 31, 2012, 12:09:22 PM
 #28

The track records of these "hacks" points to "we have been hacked your money is gone, make your claim here".

If this was a genuine hack not a "hack" I would be positively surprised.
Just sain'  Undecided

I'd say it's highly unlikely it was an inside job... after the hack started there was plenty of time for people to withdraw what they could until the hot wallets were depleted.

People said exactly the same kind of thing last time.
Vorksholk
Legendary
*
Offline Offline

Activity: 1624



View Profile WWW
July 31, 2012, 12:45:22 PM
 #29

From https://btc-e.com/news/81:

Quote
Dear users of the Exchange Btc-e.com

The exchange is not going to close. We will refund all losses from our reserves.

Neither the servers nor the database were compromised. There were no SQL injections.

At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.

Using the key the hacker imitated LR deposits from many accounts and bought up Bitcoins, Namecoins and Litecoins.

We lost our daily volume, approx. 4500 BTC. The attacker couldn't withdraw more
as most BTC were distributed over several offline wallets.

At 10:30 we restored the database to the state it was at 04:00, right before the attack. All trades after 4:00 are reverted.

People who attempted withdrawals before 04:00 MSK will get their funds withdrawn later today.

For people who deposited BTC, LTC and NMC after 04:00 MSK the funds will be put to their balances before market opens.
We are working on the scripts for this.

If you deposited USD after 04:00 MSK you should send us your login, amount and payment system used by email or PM.

Our plan:

1. The trade will be disabled until we restore the balances to the point before market crash.

2. After that, the trade and deposit/withdrawal will be back on, approx. within 1-2 days.

Icq - 610112128
Skype - btc-e.support
E-mail - support@btc-e.com

Fold Proteins, earn cryptos! CureCoin.
https://bitcointalk.org/index.php?topic=603757.0
cryptoanarchist
Legendary
*
Offline Offline

Activity: 1106



View Profile
July 31, 2012, 12:56:59 PM
 #30


If you won't program your computer to halt trading when ludicrous events occur, perhaps one should build a time delay in before withdrawals are permitted to allow time for human review.


This is the simplest thing. All exchanges need to do to prevent this is write some code that will halt withdrawals (not trading) when something suspicious occurs.

Anywho, BTCe sent me all my coins and I got back the BTC I sold after the hack.  Smiley

People are bitchin on here, but I think they've done right and made a good name for themselves out of this. At least they didn't keep 18,000+ coins in their hot wallet like some other people we know.
dishwara
Legendary
*
Offline Offline

Activity: 1568



View Profile
July 31, 2012, 01:01:21 PM
 #31


If you won't program your computer to halt trading when ludicrous events occur, perhaps one should build a time delay in before withdrawals are permitted to allow time for human review.


This is the simplest thing. All exchanges need to do to prevent this is write some code that will halt withdrawals (not trading) when something suspicious occurs.

Anywho, BTCe sent me all my coins and I got back the BTC I sold after the hack.  Smiley
You also got back USD for which u sold btc?

BitSend ◢◤Clients | Source
www.bitsend.info
█▄
█████▄
████████▄
███████████▄
██████████████
███████████▀
████████▀
█████▀
█▀












Your Digital Network | 10MB Blocks
Algo: XEVAN | DK3 | Masternodes
Bitcore - BTX/BTC -Project












BSD -USDT | Bittrex | C.Gather | S.Exchange
Cryptopia | NovaExchange | Livecoin
CoinPayments | Faucet | Bitsend Airdrop













████
 ████
  ████
   ████
    ████
     ████
      ████
       ████
        ████
       ████
      ████
     ████
    ████
   ████
  ████
 ████
████

████
 ████
  ████
   ████
    ████
     ████
      ████
       ████
        ████
       ████
      ████
     ████
    ████
   ████
  ████
 ████
████
cryptoanarchist
Legendary
*
Offline Offline

Activity: 1106



View Profile
July 31, 2012, 01:03:13 PM
 #32


If you won't program your computer to halt trading when ludicrous events occur, perhaps one should build a time delay in before withdrawals are permitted to allow time for human review.


This is the simplest thing. All exchanges need to do to prevent this is write some code that will halt withdrawals (not trading) when something suspicious occurs.

Anywho, BTCe sent me all my coins and I got back the BTC I sold after the hack.  Smiley
You also got back USD for which u sold btc?

They reversed the trade so I got back the BTC I sold. Since those coins should have been stolen by the hacker, that means they came out of BTCe's reserves. Very kind of them.
Gabi
Legendary
*
Offline Offline

Activity: 1092


If you want to walk on water, get out of the boat


View Profile
July 31, 2012, 01:09:36 PM
 #33

Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.
ElectricMucus
Legendary
*
Offline Offline

Activity: 1596


God of the code.


View Profile WWW
July 31, 2012, 01:12:33 PM
 #34

Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.
Lets hope it stays that way.
defxor
Hero Member
*****
Offline Offline

Activity: 530


View Profile
July 31, 2012, 02:24:08 PM
 #35

From https://btc-e.com/news/81:

Quote
At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.

Really? That would make it the longest known brute forced key I've heard of.

caveat: I haven't studied the actual implementation in LR, maybe there are shortcuts. I would've just assumed to end up in the right ballpark with an estimation along these lines:

GPU brute forcing speed - let's go with 3Mhash/s (SHA-1) based on http://golubev.com/gpuest.htm

Time-to-find 16 char l/U/# at 3Mhash/s estimation using http://lastbit.com/pswcalc.asp

Result: 510892508003511 years

(Feel free to halve for each added GPU and a final halving for 50% time instead of 100% - assume a lucky hacker)

Vorksholk
Legendary
*
Offline Offline

Activity: 1624



View Profile WWW
July 31, 2012, 02:39:58 PM
 #36

From https://btc-e.com/news/81:

Quote
At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase, lowercase letters and digits. They may have bruteforced it for long.

Really? That would make it the longest known brute forced key I've heard of.

caveat: I haven't studied the actual implementation in LR, maybe there are shortcuts. I would've just assumed to end up in the right ballpark with an estimation along these lines:

GPU brute forcing speed - let's go with 3Mhash/s (SHA-1) based on http://golubev.com/gpuest.htm

Time-to-find 16 char l/U/# at 3Mhash/s estimation using http://lastbit.com/pswcalc.asp

Result: 510892508003511 years

(Feel free to halve for each added GPU and a final halving for 50% time instead of 100% - assume a lucky hacker)



Any idea how LibertyReserve stores passwords?

Fold Proteins, earn cryptos! CureCoin.
https://bitcointalk.org/index.php?topic=603757.0
proudhon
Legendary
*
Offline Offline

Activity: 1260



View Profile
July 31, 2012, 02:41:37 PM
 #37

Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.

I know.  For all the crap BTC-E gets around here, it seems like this has been handled very well and they were following a lot of the standards that have emerged around here.  Keep it up BTC-E.  BTW, my balances were restored.  I didn't lose anything, as far as I can tell.
kiba
Legendary
*
Offline Offline

Activity: 980


View Profile
July 31, 2012, 02:42:28 PM
 #38

Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.

I know.  For all the crap BTC-E gets around here, it seems like this has been handled very well and they were following a lot of the standards that have emerged around here.  Keep it up BTC-E.  BTW, my balances were restored.  I didn't lose anything, as far as I can tell.


We have standard?

unclescrooge
aka Raphy
Hero Member
*****
Offline Offline

Activity: 868


View Profile
July 31, 2012, 02:55:25 PM
 #39

Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.

+1

It actually gives me a lot of confidence.

Yankee (BitInstant)
Legendary
*
Offline Offline

Activity: 1078


Charlie 'Van Bitcoin' Shrem


View Profile WWW
July 31, 2012, 03:04:42 PM
 #40

Trading has resumed: https://bitcointalk.org/index.php?topic=96912.0;topicseen

Bitcoin pioneer. An apostle of Satoshi Nakamoto. A crusader for a new, better, tech-driven society. A dreamer.

More about me: http://CharlieShrem.com
Pages: « 1 [2] 3 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!