Bitcoin Forum
Pages: « 1 2 [3]  All
Author Topic: BTC-E hacked - still unfolding  (Read 21931 times)
proudhon
July 31, 2012, 04:08:57 PM  #41

Who would have guessed that BTC-E was more secure than Bitcoinica?
unclemantis
July 31, 2012, 04:12:40 PM  #42

Quote from: proudhon
Who would have guessed that BTC-E was more secure than Bitcoinica?

I am not like most people. I DON'T judge the security of a website based on AWESOME WEB DESIGN.

PHP, Ruby, Rails, ASP, JavaScript, SQL
20+ years experience w/ Internet Technologies
Bitcoin OTC | GPG Public Key                                                                               thoughts?
proudhon
July 31, 2012, 04:18:38 PM  #43

Quote from: proudhon
Who would have guessed that BTC-E was more secure than Bitcoinica?

Quote from: unclemantis
I am not like most people. I DON'T judge the security of a website based on AWESOME WEB DESIGN.

dree12
July 31, 2012, 04:21:22 PM  #44

To be fair, Bitcoinica was never hacked due to a coding error. It seemed to be management and VPS on every occasion.
Gabi
July 31, 2012, 04:51:57 PM  #45

Quote from: dree12
To be fair, Bitcoinica was never hacked due to a coding error. It seemed to be management and VPS on every occasion.

Probably Bitcoinica was never hacked at all; Bitcoinica to me looks like a scam (especially after the "no backup" and the latest "money that was on MtGox lost" news).
cryptoanarchist
July 31, 2012, 04:55:06 PM  #46

Quote from: dree12
To be fair, Bitcoinica was never hacked due to a coding error. It seemed to be management and VPS on every occasion.

Quote from: Gabi
Probably Bitcoinica was never hacked at all; Bitcoinica to me looks like a scam (especially after the "no backup" and the latest "money that was on MtGox lost" news).

Yeah, their story is about as fake as the Colorado shooting. Someday, soon hopefully, it will come out that all the Bitcoinica/InterSango guys are establishment cronies (freemasons).
adamstgBit
July 31, 2012, 05:28:18 PM  #47

Quote
From https://btc-e.com/news/81:

Quote
Dear users of the Exchange Btc-e.com

The exchange is not going to close. We will refund all losses from our reserves.

Neither the servers nor the database were compromised. There were no SQL injections.

At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase and lowercase letters and digits. They may have brute-forced it for a long time.

Using the key the hacker imitated LR deposits from many accounts and bought up Bitcoins, Namecoins and Litecoins.

We lost our daily volume, approx. 4500 BTC. The attacker couldn't withdraw more as most BTC were distributed over several offline wallets.

At 10:30 we restored the database to the state it was at 04:00, right before the attack. All trades after 4:00 are reverted.

People who attempted withdrawals before 04:00 MSK will get their funds withdrawn later today.

For people who deposited BTC, LTC and NMC after 04:00 MSK the funds will be put to their balances before market opens.
We are working on the scripts for this.

If you deposited USD after 04:00 MSK you should send us your login, amount and payment system used by email or PM.

Our plan:

1. Trading will be disabled until we restore the balances to the point before the market crash.

2. After that, trading and deposits/withdrawals will be back on, approx. within 1-2 days.

Icq - 610112128
Skype - btc-e.support
E-mail - support@btc-e.com

Well, BTC-E is doing everything in the correct way. They had backups, they reverted the trades and they will pay for everything.

+1

It actually gives me a lot of confidence.

This is great news.
Excellent work btc-e!

Ente
July 31, 2012, 05:32:05 PM  #48

Indeed.
I will watch this closely.
BTC-E just instantly catapulted themselves to #1 on my list of favorite exchanges, after MtGox and Intersango more or less disqualified themselves in the last few days...

Ente
andrewbadr
July 31, 2012, 06:21:03 PM  #49

Quote
From https://btc-e.com/news/81:

Quote
At 04:07 MSK (GMT+4) our LR API Secret Key was compromised. It's 16 uppercase and lowercase letters and digits. They may have brute-forced it for a long time.

Really? That would make it the longest brute-forced key I've ever heard of.

caveat: I haven't studied the actual implementation in LR, maybe there are shortcuts. I would've just assumed to end up in the right ballpark with an estimation along these lines:

GPU brute forcing speed - let's go with 3Mhash/s (SHA-1) based on http://golubev.com/gpuest.htm

Time-to-find 16 char l/U/# at 3Mhash/s estimation using http://lastbit.com/pswcalc.asp

Result: 510892508003511 years

(Feel free to halve for each added GPU and a final halving for 50% time instead of 100% - assume a lucky hacker)

I'm guessing there's a timing attack on LR's end.
ElectricMucus
July 31, 2012, 06:23:42 PM  #50

Quote from: dree12
To be fair, Bitcoinica was never hacked due to a coding error. It seemed to be management and VPS on every occasion.

Quote from: Gabi
Probably Bitcoinica was never hacked at all; Bitcoinica to me looks like a scam (especially after the "no backup" and the latest "money that was on MtGox lost" news).

Quote from: cryptoanarchist
Yeah, their story is about as fake as the Colorado shooting. Someday, soon hopefully, it will come out that all the Bitcoinica/InterSango guys are establishment cronies (freemasons).

cryptoanarchist
July 31, 2012, 06:24:49 PM  #51

Quote from: dree12
To be fair, Bitcoinica was never hacked due to a coding error. It seemed to be management and VPS on every occasion.

Quote from: Gabi
Probably Bitcoinica was never hacked at all; Bitcoinica to me looks like a scam (especially after the "no backup" and the latest "money that was on MtGox lost" news).

Quote from: cryptoanarchist
Yeah, their story is about as fake as the Colorado shooting. Someday, soon hopefully, it will come out that all the Bitcoinica/InterSango guys are establishment cronies (freemasons).



LMAO...
elux
July 31, 2012, 06:29:20 PM  #52

Quote from: Gabi
Probably Bitcoinica was never hacked at all; Bitcoinica to me looks like a scam (especially after the "no backup" and the latest "money that was on MtGox lost" news).

Quote from: cryptoanarchist
Yeah, their story is about as fake as the Colorado shooting. Someday, soon hopefully, it will come out that all the Bitcoinica/InterSango guys are establishment cronies (freemasons).


defxor
July 31, 2012, 06:38:23 PM  #53

Quote from: andrewbadr
I'm guessing there's a timing attack on LR's end.

Oh, that brings back memories from the old embedded-system days. Interesting hypothesis. I wouldn't be surprised to see Internet services not realizing that such attacks can very well be performed over Internet distances if you get enough tries.

Posting additional information for those who plan on writing their own password-validation code and haven't heard about this class of attacks before: http://www.computerworld.com/s/article/9179224/Researchers_Authentication_crack_could_affect_millions

(However, if there is such an information leak on LR's side we would surely see other services accepting LR affected as well.)

cryptoanarchist
July 31, 2012, 07:11:24 PM  #54

Quote from: andrewbadr
I'm guessing there's a timing attack on LR's end.

Quote from: defxor
Oh, that brings back memories from the old embedded-system days. Interesting hypothesis. I wouldn't be surprised to see Internet services not realizing that such attacks can very well be performed over Internet distances if you get enough tries.

Posting additional information for those who plan on writing their own password-validation code and haven't heard about this class of attacks before: http://www.computerworld.com/s/article/9179224/Researchers_Authentication_crack_could_affect_millions

(However, if there is such an information leak on LR's side we would surely see other services accepting LR affected as well.)



Interesting stuff. If that's the case...

Quote
the fix is simple: Program the system to take the same amount of time to return both correct and incorrect passwords. This can be done in about six lines of code, Lawson said.
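
The two hypotheses in this thread, a multi-year blind brute force of the 16-character key (post #49) versus a timing leak in LR's comparison (posts #49, #53, #54), are worked through below in one added example. This is not code from the thread, from BTC-e or from Liberty Reserve; the server-side checks are hypothetical stand-ins. `LeakyVerifier` models a comparison that stops at the first mismatching byte, `ConstantTimeVerifier` the "same time for right and wrong" fix quoted from the Computerworld article, and `timing_attack` uses the number of bytes compared as a stand-in for response time. Against the leaky check the key falls in at most 16 * 62 = 992 requests; against the constant-time check the attack has no signal and gives up after the first 62. `years_to_exhaust(3e6)` reproduces the blind-guess estimate at 3 Mhash/s and comes out around 5.0e14 years, the same ballpark as the figure quoted above.

```python
from __future__ import annotations

import secrets
import string

# The BTC-e notice describes a 16-character key of upper/lower letters and digits.
ALPHABET = string.ascii_letters + string.digits   # 62 symbols
KEY_LEN = 16
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int = KEY_LEN, alphabet: str = ALPHABET) -> int:
    """Number of candidate keys a blind guesser has to cover."""
    return len(alphabet) ** length


def years_to_exhaust(guesses_per_second: float, length: int = KEY_LEN) -> float:
    """Worst-case years to try every key at a given rate (halve for the expected time)."""
    return keyspace(length) / guesses_per_second / SECONDS_PER_YEAR


class LeakyVerifier:
    """Hypothetical server-side check that compares byte by byte and returns at the
    first mismatch. `ops` is the number of bytes compared; on a real server that
    number is what the response time leaks. `queries` counts requests the server
    would see (and could log)."""

    def __init__(self, secret: str) -> None:
        self._secret = secret
        self.queries = 0

    def check(self, guess: str) -> tuple[bool, int]:
        self.queries += 1
        if len(guess) != len(self._secret):
            return False, 0
        ops = 0
        for a, b in zip(guess, self._secret):
            ops += 1
            if a != b:          # early exit: the leak
                return False, ops
        return True, ops


class ConstantTimeVerifier(LeakyVerifier):
    """Same interface, but always walks the whole string and folds every mismatch
    into one accumulator, so `ops` (time) no longer depends on how much of the
    guess was right. In production use hmac.compare_digest rather than this."""

    def check(self, guess: str) -> tuple[bool, int]:
        self.queries += 1
        if len(guess) != len(self._secret):
            return False, 0
        diff = ops = 0
        for a, b in zip(guess, self._secret):
            ops += 1
            diff |= ord(a) ^ ord(b)
        return diff == 0, ops


def timing_attack(verifier: LeakyVerifier, length: int = KEY_LEN,
                  alphabet: str = ALPHABET) -> str | None:
    """Recover the key one position at a time: the single candidate whose comparison
    ran a step longer than all others is correct for that position. Returns None as
    soon as no candidate stands out, which is what a constant-time check produces."""
    known = ""
    for pos in range(length):
        scored = []
        for c in alphabet:
            candidate = known + c + "A" * (length - pos - 1)   # pad to full length
            ok, ops = verifier.check(candidate)
            if ok:
                return candidate
            scored.append((ops, c))
        best = max(ops for ops, _ in scored)
        winners = [c for ops, c in scored if ops == best]
        if len(winners) != 1:
            return None
        known += winners[0]
    return None


def demo(secret: str | None = None) -> dict:
    """Run the attack against both verifiers on one secret (random if none given)."""
    secret = secret or "".join(secrets.choice(ALPHABET) for _ in range(KEY_LEN))
    leaky, safe = LeakyVerifier(secret), ConstantTimeVerifier(secret)
    recovered = timing_attack(leaky)
    blocked = timing_attack(safe)
    return {
        "recovered": recovered == secret,
        "leaky_queries": leaky.queries,        # at most 16 * 62 = 992
        "blocked": blocked is None,
        "safe_queries": safe.queries,          # gives up after the first 62
        "blind_years_at_3M": years_to_exhaust(3e6),
    }


if __name__ == "__main__":
    print(demo())
```

The byte-count oracle is deliberately noise-free; over a real network the same attack needs many repeated measurements per candidate and statistics to pick the winner, which is why defxor's "if you get enough tries" is the operative condition. The fix is the one the article describes: no early exit, and in practice a library routine such as `hmac.compare_digest`.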

Xenland
July 31, 2012, 07:20:12 PM  #55

I think a web library should be made to help assist those who want to integrate Bitcoin into their website but don't know what kind of security measures need to be taken.
cryptoanarchist
July 31, 2012, 07:26:55 PM  #56

Quote from: Xenland
I think a web library should be made to help assist those who want to integrate Bitcoin into their website but don't know what kind of security measures need to be taken.

Something like that has been brought up before: https://bitcointalk.org/index.php?topic=93115.0
unclemantis
July 31, 2012, 07:45:40 PM  #57

OK people. I think it is about time to create 2 keys to access API shit! If this thing was brute-forced then we need to ramp up security.

BTW. If it was brute forced, how did they confirm if it was valid or not without triggering a flag in log reports on either website?

PHP, Ruby, Rails, ASP, JavaScript, SQL
20+ years experience w/ Internet Technologies
Bitcoin OTC | GPG Public Key                                                                               thoughts?
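
As an added example of the two ideas in post #57 (not BTC-e's or LR's code; the key id, secret, log format and thresholds are all constructed for the illustration): a credential split into a public key id and a private secret, where the secret signs each request with HMAC-SHA256 and never crosses the wire, plus a detector that answers the "how did nobody notice" question. Every guess, whether blind or timing-driven, is a failed signature check from some source, so a sliding-window count over the auth log flags it.

```python
from __future__ import annotations

import hashlib
import hmac

# Server-side credential store, constructed for the example: a public key id and a
# private secret (the "2 keys"). Only the id ever appears in a request.
CREDENTIALS = {"k_7f3a": "Zx9Qw2Lp5Rt8Mn1V"}
DUMMY_SECRET = "0" * 16   # used for unknown ids so that path does the same work


def sign_request(key_id: str, secret: str, ts: int, body: str) -> str:
    """Client side: HMAC-SHA256 over key id, timestamp and body."""
    msg = f"{key_id}\n{ts}\n{body}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_request(key_id: str, ts: int, body: str, signature: str,
                   now: int, max_skew: int = 300) -> bool:
    """Server side: recompute the MAC, compare in constant time, and reject stale
    timestamps so a captured request cannot be replayed outside the window."""
    secret = CREDENTIALS.get(key_id, DUMMY_SECRET)
    expected = sign_request(key_id, secret, ts, body)
    fresh = abs(now - ts) <= max_skew
    mac_ok = hmac.compare_digest(expected, signature)
    return fresh and mac_ok and key_id in CREDENTIALS


def make_sample_log() -> str:
    """Constructed auth log, one line per signed request:
    '<epoch> <src_ip> <key_id> <result>'. A legitimate client with one failed
    call, and one source firing guesses at the same key id."""
    lines = [
        "1343700000 203.0.113.5 k_7f3a OK",
        "1343700007 203.0.113.5 k_7f3a FAIL",
        "1343700009 203.0.113.5 k_7f3a OK",
    ]
    lines += [f"{1343700100 + i} 198.51.100.7 k_7f3a FAIL" for i in range(25)]
    return "\n".join(lines)


def flag_brute_force(log_text: str, window: int = 60,
                     threshold: int = 20) -> dict[str, int]:
    """Return {src_ip: peak_failures} for every source that produced at least
    `threshold` failed signature checks inside any `window`-second span."""
    fails: dict[str, list[int]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _key_id, result = line.split()
        if result == "FAIL":
            fails.setdefault(ip, []).append(int(ts))
    flagged: dict[str, int] = {}
    for ip, stamps in fails.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def demo() -> dict:
    """Sign one request, then check the accept/reject cases and run the detector."""
    ts, now = 1343700000, 1343700010
    body = '{"action": "deposit", "amount": "100.00"}'
    sig = sign_request("k_7f3a", CREDENTIALS["k_7f3a"], ts, body)
    return {
        "valid": verify_request("k_7f3a", ts, body, sig, now),
        "tampered": verify_request("k_7f3a", ts, body.replace("100", "999"), sig, now),
        "replayed": verify_request("k_7f3a", ts, body, sig, now + 3600),
        "unknown_id": verify_request("k_zzzz", ts, body, sig, now),
        "flagged": flag_brute_force(make_sample_log()),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the unknown-id path still runs a full HMAC against a dummy secret, so a caller cannot tell valid ids from invalid ones by timing, and the detector keys on the source address because a single key id under attack looks, from the account's own perspective, like its legitimate owner mistyping.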
proudhon
July 31, 2012, 07:48:23 PM  #58

Quote from: Xenland
I think a web library should be made to help assist those who want to integrate Bitcoin into their website but don't know what kind of security measures need to be taken.

Quote from: cryptoanarchist
Something like that has been brought up before: https://bitcointalk.org/index.php?topic=93115.0

Yep.  It's been suggested before.  I think Matthew was one of the first to suggest it.  Basically, I think the most successful and secure bitcoin businesses should form a bitcoin security forum, maybe include a security expert/crypto guy or two (and pay them a little bit), and publish best practices.  Even better, but probably much more difficult to implement, and it comes with its own trust issues, would be for something like that to perform audits and companies could get some sort of certification and be included in a list of companies complying with best practices.
coretechs
July 31, 2012, 10:54:06 PM  #59

Kudos to BTC-e for handling this situation well.  My account issues are all resolved, thanks.

I was cautious of the site prior to this event and kept a minimal balance, but I have a lot more confidence in them after this and will continue to trade BTC & LTC there.

http://bitcoindoc.com - The Rise and Rise of Bitcoin | http://nxtportal.org - Nxt blockchain explorer
kiba
July 31, 2012, 11:03:20 PM  #60

I am going to wait until they announce a fix to the vulnerability.
