It’s been an amazing week in bitcoin news. We’ve seen continued development and innovation within the BT economy:
We’ve also seen an upswing in security issues:
- A Recent Trojan in the Wild Targeting Bitcoin Wallets
- $500,000 Geek Cyber-Heist
- How To Make 100% Secure Wallet
But the most bombass (bitcoin) news has been the hack, crash, shutdown and leaked database of the largest USD/BT exchange, MtGox:
MtGox is a prime target for espionage, so it’s no surprise they got hit. But what went wrong? How bad is the damage? What do investors and developers need to know? The MSM has responded with the usual uninformed hysteria. We’ve got the full story and analysis. Keep going for the realness…
Recently there have been increased reports of MtGox accounts being hacked. On Saturday MtGox owner, MagicalTux, responded that some accounts were “hacked” via a legitimate username and password and that MtGox would “assume no responsibility should your funds be stolen by someone using your own password.” But that same day various users reported that they had discovered a “massive CSRF vulnerability”. Although CSRF vulnerabilities are somewhat difficult to exploit, they allow for potentially devastating attacks. MtGox quickly fixed the problem, but it remains unclear how long this vulnerability existed and what data may have been compromised.
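For readers who haven't met CSRF: the hole exists whenever a money-moving endpoint trusts nothing but the session cookie, which the browser attaches to every request no matter which page submitted it. Here's an added example (my code, not the post's and not MtGox's) of a hypothetical exchange withdraw endpoint in both shapes: the naive one, and one that demands a per-session token only the site's own forms can carry, plus an Origin/Referer check. The balances, session cookie, `SITE_ORIGIN` and request shape are all constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory "exchange" state for the demo (hypothetical, not MtGox data).
BALANCES = {"alice": 100.0}
SESSIONS = {"cookie-alice": "alice"}     # session cookie -> logged-in user
CSRF_TOKENS = {}                         # session cookie -> per-session secret token
SITE_ORIGIN = "https://exchange.example" # hypothetical origin of the exchange's own pages


def reset():
    """Put the constructed state back to its starting point."""
    BALANCES["alice"] = 100.0
    CSRF_TOKENS.clear()


@dataclass
class Request:
    cookie: str                              # sent automatically by the browser
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def issue_csrf_token(cookie):
    """Mint a random token tied to the session; the site embeds it in its own forms only."""
    token = secrets.token_hex(16)
    CSRF_TOKENS[cookie] = token
    return token


def withdraw_vulnerable(req):
    """Trusts the session cookie alone: a form on any third-party page the victim
    visits is submitted with the victim's cookie and goes through."""
    user = SESSIONS.get(req.cookie)
    if user is None:
        return "not logged in"
    amount = float(req.form["amount"])
    BALANCES[user] -= amount
    return f"sent {amount} BTC to {req.form['address']}"


def withdraw_protected(req):
    """Same endpoint with the two standard defences: the request must come from the
    site's own origin, and it must carry the per-session token (compared in
    constant time)."""
    user = SESSIONS.get(req.cookie)
    if user is None:
        return "not logged in"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return "rejected: cross-site request"
    expected = CSRF_TOKENS.get(req.cookie)
    supplied = req.form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return "rejected: missing or bad CSRF token"
    amount = float(req.form["amount"])
    if amount > BALANCES[user]:
        return "rejected: insufficient funds"
    BALANCES[user] -= amount
    return f"sent {amount} BTC to {req.form['address']}"


if __name__ == "__main__":
    # A request that arrives while Alice is logged in but was submitted by another site.
    reset()
    foreign = Request("cookie-alice", {"amount": "50", "address": "1Foreign"},
                      {"Origin": "https://other.example"})
    print(withdraw_vulnerable(foreign), BALANCES)   # money leaves
    reset()
    print(withdraw_protected(foreign), BALANCES)    # rejected, balance intact
    token = issue_csrf_token("cookie-alice")
    own = Request("cookie-alice", {"amount": "50", "address": "1Mine", "csrf_token": token},
                  {"Origin": SITE_ORIGIN})
    print(withdraw_protected(own), BALANCES)        # legitimate form succeeds
```

The Origin check alone is not enough on browsers that strip the header, and the token alone is not enough if the site has an XSS that can read it, which is why real deployments do both and keep the token out of URLs.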
The next day, Sunday, 20:00 UTC the MtGox market crashed precipitously from around $15 down to $.01 per BT. There was no apparent reason for the selloff, as approximately 400,000BT flooded the market. For a short time “lucky” buyers scooped up bitcoins at amazing prices, while a few panicked sellers dumped their assets. MtGox soon closed down the market and locked customers out of their accounts.
Around the same time as Sunday’s selloff the following message was posted on pastebin:
I have hacked into mtgox database. Got a huge number of logins password combos.
Mtgox has fixed the problem now. Too late, cause I’ve already got the data.
Will sell the database for the right price.
Send your offers to:
Soon after this message was posted, someone publicly dumped the MtGox database and thus published every customer’s username, email and encrypted password. In short, MtGox had an absolutely miserable weekend.
At this time MtGox remains closed as they assess damages and improve security. They plan to reopen customer accounts for withdrawals/deposits on June 25th 15:00 UTC. They will reopen the market an hour later with all transactions rolled back to before the selloff. Customers are required to reset their passwords before they can “reclaim” their account. Click here for MtGox’s official updates.
While MtGox has not addressed concerns about earlier hacks or the CSRF vulnerability, they had no choice but to acknowledge that their database was leaked. So obviously some joker(s), whom we’ll refer to as GFC06, gained at least read-only access to the MtGox database at some point. Database hacks are typical of a SQL Injection on a stupid insecure website (eg. Sony). But MtGox denies reports of SQLI, claiming instead that an auditor’s computer was “compromised”:
It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
This is a subtle but potentially important difference to technology-minded investors who might be willing to forgive a basic human error more than a basic computing error.
But regardless of the causes, a leaked database is a fundamental security breach. MtGox’s explanation of a “compromised computer” only raises more questions. Who is this auditor? Why would they need access to customers’ emails and passwords? How and when was their computer compromised? Was the CSRF vulnerability exploited in this attack? If MtGox is found negligent in securing their accounts and database, then they could be liable for an unknown number of hacked accounts. It’s possible that peeps have been exploiting the CSRF vulnerability for some time on a small enough scale to avoid being discovered. But, once GFC06 obtained a copy of the database, they had easy access to 61,020 MtGox accounts.
Although the passwords in the database are encrypted, stupid passwords are easily decrypted. As “bitsalame” so eloquently explains:
MtGox now requires strong passwords.
MtGox also admits that older passwords, some on accounts holding large BT balances, were insecurely encrypted with the outdated md5 hashing algorithm. But even strong passwords encrypted with modern hashes can be cracked given enough time. Once the database leaked, it was game over for MtGox.
(note: md5 = no longer secure)
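To make the md5 point concrete, here's an added example (my code, not the post's and not anything from the MtGox dump) of why a leaked table of unsalted md5 hashes falls in seconds and what the replacement looks like. The `LEGACY_ROWS` table and the `COMMON` list are constructed for the demo; the audit flags accounts whose hash matches their own username or a handful of common passwords (one md5 per guess, reusable across every row, which is exactly the problem), and the second half stores passwords with a per-user salt and `hashlib.scrypt`, with an on-login migration path from the old rows.

```python
import hashlib
import hmac
import os

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)   # deliberately slow; tune to your hardware


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


# Constructed legacy table: username -> unsalted md5 of the password (demo data only).
LEGACY_ROWS = {
    "alice": md5_hex("alice"),          # username as password
    "bob":   md5_hex("password1"),      # on every short wordlist
    "carol": md5_hex("Xq7!vR2#pL9z"),   # not guessable from a short list
}

# Constructed short list of common passwords for the audit.
COMMON = ["password", "password1", "123456", "bitcoin", "letmein"]


def audit_legacy(rows, common=COMMON):
    """Return {user: reason} for accounts whose unsalted md5 matches their own
    username or a common password. Because there is no salt, each guess is hashed
    once and compared against the whole table, so cost does not grow with users."""
    lookup = {md5_hex(p) for p in common}
    weak = {}
    for user, digest in rows.items():
        if digest == md5_hex(user):
            weak[user] = "username"
        elif digest in lookup:
            weak[user] = "common"
    return weak


def hash_password(password, salt=None):
    """scrypt with a fresh random 16-byte salt; stored as 'salthex$digesthex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def migrate_on_login(user, password, legacy_rows, modern_rows):
    """Check a login against the legacy md5 row once, then replace it with an
    scrypt record so the md5 never has to be consulted again."""
    if legacy_rows.get(user) != md5_hex(password):
        return False
    modern_rows[user] = hash_password(password)
    del legacy_rows[user]
    return True


if __name__ == "__main__":
    print("weak legacy accounts:", audit_legacy(LEGACY_ROWS))
    legacy, modern = dict(LEGACY_ROWS), {}
    print("carol migrated:", migrate_on_login("carol", "Xq7!vR2#pL9z", legacy, modern))
    print("verify:", verify_password("Xq7!vR2#pL9z", modern["carol"]))
```

The per-user salt is what kills the precomputed-lookup trick the audit relies on, and the scrypt cost is what turns "given enough time" into a lot more time per guess per account; the password-strength requirement MtGox added is the other half, since no hash saves a password that is the username.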
The leaked database is obviously a security concern for MtGox customers. Please be aware:
- Your email account is now a target. Make sure it has a good password. Also, be aware of email scams (eg. phishing, spoofing, trojans, etc). Do not download anything suspicious.
- If you have usernames/passwords at multiple sites that are similar to your MtGox un/pw, then you need to change those passwords.
- Click here for some advice on choosing and remembering good passwords.
MtGox claims that only $1000 in BT was stolen in the big selloff:
One account with a lot of coins was compromised and whoever stole it (using a HK based IP to login) first sold all the coins in there, to buy those again just after, and then tried to withdraw the coins. The $1000/day withdraw limit was active for this account and the hacker could only get out with $1000 worth of coins.
But this figure seems to ignore reports that customers who bought (stolen) BT at rock bottom prices were able to withdraw their BT before the shutdown. In addition, if customers’ accounts were previously compromised through CSRF exploits or cracked passwords, then the total amount stolen could be much larger than $1000. The wild boyz in the MSM are pushing the story that $9,000,000 in BT was stolen (eg. here, here and here) but these fools provide no reliable reference for that number. I can only assume they’re approximating the value of the 400,000BT involved in the selloff, but again MtGox claims that a withdrawal limit capped those losses at $1000. It’s probably impossible to accurately assess the total financial damages until MtGox reopens and customers check their accounts.
While MtGox’s security breach is particularly biting to a bitcoin community that values privacy and security, there is nothing exceptional about MtGox getting hacked. We’ve seen the unhackable get hacked (eg. the CIA), databases leaked all over (eg. Sony) and sometimes millions of dollars disappeared (eg. Citibank). Security is perhaps the most difficult aspect of internet development. People fuck up, CSRF is tricky and it’s difficult to keep up with the latest hash techniques. MtGox has been running 24/7/365 for almost a year nonstop. An informal post by jed, the previous owner of MtGox, paints a company overwhelmed by its success, understaffed and led by a frazzled MagicalTux:
Things have been very hectic with mtgox since MagicalTux took over. He has simultaneously been trying to fend off persistent ddos attacks, hire more staff, deal with the huge increase in users, improve the code to support the much larger trade volume, ensure regulatory compliance and deal with various security issues. Obviously things haven’t gone as smoothly as we would like but we can see the light at the end of the tunnel with more people being hired and the backend changes done. MtGox will hopefully be able to regain your trust in the coming weeks.
There have been many vocal critics of MtGox but also many loyal customers. If the financial damages are indeed minimal, then MtGox will probably survive.
Shortly after MtGox closed, their main competitor, Trade Hill, also shut down as a precaution in case customers needed to update their passwords. Trade Hill has already reopened and their volume is unsurprisingly up. Almost immediately after GFC06 exposed MtGox’s email list, each MtGox customer received spam containing the following “helpful” advice:
For a more secure alternative to Mt Gox, the community appears to be moving to TradeHill. So this is no reason to lose faith in Bitcoin itself. It must be seen as a warning that not every website can be trusted with your data however!
Hooray for the free market! (Booooo spam.)
Of course the bitcoin network itself is still secure. The overall bitcoin market has been relatively stable. Domestic and international markets are currently trading around $15 per BT. However, MtGox customers remain anxiously awaiting access to their accounts and, when MtGox finally reopens, nobody knows what will be unleashed.
The MSM has exploited this uncertainty with the usual misinformation and sensationalism designed to denigrate bitcoin and promote the statist agenda. For example, Shawn Drew calls for “regulation” and “a large enough body [that] can create a secure Internet currency with their assurances that they won’t manipulate the price.” But it’s unclear what exactly should be “regulated” in this situation. MtGox discovered a security breach so they shut down to fix it. No regulation required. If Mr. Drew considers this a “crime”, then he should be happy to hear that MagicalTux snitched to the Feds. I was naturally disappointed that state violence would be introduced into a fundamentally peaceful market. However, I understand that not contacting the Feds could bring that violence directly upon MagicalTux. Also, if Mr. Drew wants a “large body” to “secure” his currency with “assurances” of honesty, he should look no further than the USD. The USD is guaranteed by an international banking cartel who assure the world that they’re not manipulating anything, while they finance violence, destroy our economies and enslave the people with debt. Don’t be fooled by shoddy, demagogic journalism. Bitcoin rules. The fed drools.
Despite the hatas, this debacle could ultimately help the bitcoin economy. MtGox will emerge humbled but more secure. Tradehill will see an upswing in users. The market will benefit from competition and decentralization. Hopefully, investors and developers will have learned something.
Since the bitcoin economy is essentially based on information, those with the best information always win. In this case the best information was knowledge of CSRF and the worst was choosing your username as your password. The selloff was a whistleblower alerting MtGox to major issues and waking up sleepy investors. Good Morning! MtGox is about to reopen. Keep that BT close to your heart, homies….
Thanks for reading. Please let me know about any mistakes. What’s the best nation? BT doNation: 17qz8a1YRZmJ19xTjdaKXxSXFNVBgFM4sq