As you might have noticed, bitinstant.com was down the entire weekend. It's still down for me as it is (probably DNS issues), but pigeons was kind enough to send their explanatory blogpost as a pastebin. I wish to take the time and comment on this, because it's important enough.
The attacker contacted our domain registrar at Site5 posing as me and using a very similar email address as mine, they did so by proxying through a network owned by a haulage company in the UK whom I suspect are innocent victims the same as ourselves. Armed with knowledge of my place of birth and mother's maiden name alone (both facts easy to locate on the public record) they convinced Site5 staff to add their email address to the account and make it the primary login (this prevented us from deleting it from the account). We immediately realized what was going on, and logged in to change the information back.
They immediately also failed to report this event.
This is important, and Bitcoin businesses (or, more adequately in the case at hand, outfits aspiring to be businesses one day) need to learn to start reporting properly. That means, the good with the bad.
The person you pretend-businesses need to learn from is, again, me. When BitBet fucks up, you learn about it from right here : The anatomy of a disaster. When BitBet's infrastructure fucks up, you learn about it also from right here : Bitcoind : not quite ready for prime time.
This is the correct way to handle communications, as a Bitcoin business, this is the standard, etch it in your brains : you report. The good and the bad. To recap :
- the wrong way to do business communication is like CoinFail does it : brash claims with no basis in fact that end up attracting the negative attention of much smarter, larger and more powerful entities than you'll ever be. [i]
- the right way to do business communication is like MPEx does it : things as they are, no matter who or what gets trampled in the process. [ii]
Moving right along :
After changing this info and locking the attacker out, overnight he was able to revert my changes and point our website somewhere else. Site5 is denying any damages, but we suspect this was partly their fault.
After gaining access, they redirected DNS by pointing the nameservers to hetzner.de in Germany, they used hetzner's nameservers to redirect traffic to a hosting provider in Ukraine. By doing this, he locked out both my login and Gareth's login and they used this to hijack our emails and reset the login for one exchange (VirWox), enabling them to gain access and steal $12,480 USD worth of BTC.
This is another important point : the website-and-account system does not work. The fact that everyone uses it just shows everyone is not intellectually equipped to handle Bitcoin as a business. The actual standard is, again, MPEx. To quote :
The reason DDOS doesn’t work on MPEx is also simple : you don’t have to send your order to any particular website, as long as MPEx eventually hears of it. Take the classical way phishing works : you intend to use paypal.com. Unbeknownst to you, evil phisher is feeding your browser pages from paupa1.com. You type in your password. paupa1.com sends it along to paypal.com, discovers it’s valid, feeds you back the page and now evil phisher has your password, and your account, and all your jools.
On the other hand, imagine you intend to talk to MPEx. Unbeknownst to you, you’re not talking to MPEx, but to ButtPlox. You naively paste your hard-earned PGP code into ButtPlox. Well… ButtPlox doesn’t have MPEx’ private key, and consequently has no idea what your order says. If ButtPlox passes this black box mystery along to MPEx, it will receive a reply, which is of course encrypted with your private key, which ButtPlox also doesn’t have. If it passes it along to you then you decode it and that’s that, transaction successful. If it doesn’t pass it along to you then you know it’s ButtPlox and just move on.
This is the only correct way. If your Bitcoin service uses sessions you are deluding yourself : what you're running there is a Bitcoin disservice. Abandon the pretense, submit to your intellectual leaders and do what you're told already, this can't continue. "Login" works for myspace, it works for tripod, it works for all the other sites nobody cares about. There's no Login for Bitcoin.
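The ButtPlox walk-through above, as an added example that is neither MPEx's code nor from the original post: an RSA plus ed25519 keypair per party stands in for the PGP key (my assumption), `Trade` runs one order and its reply through a relay that can alter but not read the box, and `Open` rejects anything not addressed to us, altered in transit, or not signed by the party it expects.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Party stands in for a long-lived PGP keypair: RSA to receive, ed25519 to sign.
type Party struct {
	enc  *rsa.PrivateKey
	sign ed25519.PrivateKey
}

func NewParty() *Party {
	enc, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, sk, _ := ed25519.GenerateKey(rand.Reader)
	return &Party{enc: enc, sign: sk}
}

// Seal signs msg with from's key and encrypts msg||sig to to's public key (OAEP; msg <= 126 bytes).
func Seal(from, to *Party, msg []byte) ([]byte, error) {
	body := append(append([]byte{}, msg...), ed25519.Sign(from.sign, msg)...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &to.enc.PublicKey, body, nil)
}

// Open decrypts with to's private key and checks from's signature; anything else is rejected.
func Open(to, from *Party, blob []byte) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, to.enc, blob, nil)
	n := len(plain) - ed25519.SignatureSize // n < 0 when decryption failed
	if err != nil || n < 0 || !ed25519.Verify(from.sign.Public().(ed25519.PublicKey), plain[:n], plain[n:]) {
		return nil, errors.New("rejected: not for us, altered, or not from sender")
	}
	return plain[:n], nil
}

// Trade is one round trip through relay (the quote's "ButtPlox", which sees only
// ciphertext); the exchange replies in a box only the user can open.
func Trade(user, mpex *Party, order string, relay func([]byte) []byte) (string, error) {
	blob, _ := Seal(user, mpex, []byte(order))
	got, err := Open(mpex, user, relay(blob))
	if err != nil {
		return "", err
	}
	reply, _ := Seal(mpex, user, append([]byte("FILLED "), got...))
	back, err := Open(user, mpex, relay(reply))
	return string(back), err
}
```

An honest relay yields the filled order; a relay that flips a ciphertext bit, a relay that keeps the box, or an impostor exchange holding the wrong key all end in a rejection rather than a leaked or forged order.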
Moving even further along :
Information about the attacker:
Based on their general MO, the attacker is not highly technically skilled but is sneaky enough to cover their tracks.
This is superfluous nonsense. The last people I'd be interested in asking for a profile of a successful attacker is the ninnies that got raped. I really, really, really don't need to hear about how "he was holding a really big gun".
So, we wanted to provide this update in order to continue our practice of transparency, but also as a lesson to the community - you must be ever-vigilant in making security your top priority.
The problem here, Bitinstant, is that you are not making security your top priority. You are making talking your top priority.
To make security your top priority you have to
- Start reporting properly, as explained above. The good and the bad. You've had a foreign email added to your DNS ? That goes on your blog, right then and there. Let people know. Forget about how "it won't look good", you are making security a top priority, not talking. Not looking good. Security.
- Think about how someone hijacking MPEx's DNS would have exactly zero success whatsoever. Are you still making security your top priority ? Then why aren't you ?
There is indeed a lesson "the community" needs to learn in all of this. You are part of that community, and apparently about as ill-equipped to detach the respective lesson as the average forum bloke. No, "based on past fruitless attempts" is not thinking, seeing how you're apparently unwittingly positing that past failure is equal to present success (and if that's what your business plan looks like I'd be worried). Just so, "more of the crap that failed in the past is going to be our way of making security our top priority" isn't thinking either.
Stop with the pretense. Pretense is a dime a dozen in Bitcoin world. Start making security your top priority rather than talking about it, with a leaky, dilated asshole.
———
[i] You may think that there's value in being brash and putting up an empty show, mostly because idiots like Graham promote this side-channel in lieu of actual competence, as if "wanting to succeed" is a substitute for being able to actually succeed. This is a dead end.
[ii] From Strategic superiority, a saga :
This happens to be exactly what PR is not. PR is not about clogging the channels with meaningless formulaic stupidity and actively attempting to prevent anything from moving either direction. PR is the effort of clearly communicating the position of the company to the market and the position of the market to the company. Clearly communicating means that sometimes the customer will be delivered a large steaming plate of “You’re stupid”. Clearly communicating means that sometimes the company will have to come out with a “We’ve been stupid” dunce hat and eat some crow.