
Linode Compromised; Bitcoins Stolen

Aldryic Member
edited March 2012 in General

And this is why complete anonymity will bite you in the ass :P

Somebody hacked my backup machine with pool data hosted on Linode and stole 3094 BTC ("hot" coins ready for payouts). Cold backup was not affected in any way by this hack.

It looks like the user database has also been compromised. Although passwords are stored in SHA1 with salt, I strongly recommend changing your password on the pool immediately.

Robbery of Bitcoins has no impact on pool users; I'm covering the loss from my own income (although it means that many months of my work are wasted).

Read More || Another Article || WHT Thread

Comments

  • Aldryic Member
    edited March 2012

    This is also a prime example of just how much access your host has over your VMs. Choose your providers carefully, folks.

  • Maounique Member
    edited March 2012

    You never quit, do you? This is what control freaks can't stop anyway:

    http://www.usatoday.com/money/perfi/credit/2009-01-21-visa-mastercard-credit-security-breach_N.htm

    http://blogs.computerworld.com/node/4405

    One from major payment systems, one from an individual, some random search for 2 seconds which yielded some million hits. Good luck using VISA/EUROPAY/PayPal... One day the boogie man will run with your money and pay some child porn site. I hope they are very kind with child molesters in the jail, or at least they will believe your story... Besides, you can be mugged in the street, good luck tracing your 1$ bill series. Or you don't use cash either since it can be used in crime rings? Besides, whoever doesn't keep data in an encrypted container, mounted remotely only, deserves that fate. Also, using encrypted communication, etc. M

    top - 22:32:38 up 906 days, 2:58, 1 user, load average: 3.94, 5.13, 8.38

  • @Maounique said: You never quit, do you?

    No, I'm merely pointing out that had this been PayPal, 1) it would be MUCH easier to trace the offender, and 2) there's a pretty good chance the guy would've gotten his cash back.

    Get off your high horse, kid.

  • "Our investigation has revealed a customer support interface was used to access your account"

    Well that sucks, clearly Linode will have to repay the 12k€ in loss.

    But why wouldn't some support guy in India that gets paid 1€ an hour or so just take the 12k€?

  • @gsrdgrdghd said: But why wouldn't some support guy in India that gets paid 1€ an hour or so just take the 12k€?

    Accountability, I guess. If you hire third-party support (from a reputable company, anyways) you're at least going to have records of who's doing what, unlike an outside compromise.

  • vedran Moderator

    That's why I love small VPS providers: if something like this happens you know whom you have to introduce with your crowbar in a dark alley, you can't do that with unnamed "compromised credentials".

    We appreciate your business and certainly want to keep you as a happy and satisfied customer. If there is anything we can do to make this up to you, certainly let us know.

    You just lost 12k due to our incapability, but hey, we'll give you a free month and it's all good.

  • I'm surprised Linode hasn't made a public statement about this yet...

  • This is pretty recent; they're probably still in the 'oh shit' phase of planning just how to announce it.

  • kalam Member

    I was just looking at purchasing a Linode, maybe I'll hold off for a while longer.

  • Here's my guess... It was an employee (ex-employee) who specifically targeted servers running bitcoind. Linode will make a long blog post, stating they screwed up and will be changing the way the backend works and who has access to it. They will refund this guy for his lost bitcoins (or they will wish they did after the backlash).

  • @Aldryic said: This is also a prime example of ...

    ... why I prefer anonymity - providers are unable to keep my data safe :P

  • Heheh, good point. :P That's why I tend to ridiculously overdo our own security.

  • Damian Member
    edited March 2012

    Well at least they didn't lose any real money. :X

    I am no longer affiliated with IPXcore.
  • I'm curious, is stealing bitcoins really as easy as just getting the private key from the server? That seems like a pretty sloppy way to handle that much money.

  • NanoG6 Member
    edited March 2012

    @Aldryic said: ... why I prefer anonymity - providers are unable to keep my data safe :P

    Ya I love anonymity, but that love has made me rejected by MaxMind :P

  • Spirit Administrator
    edited March 2012

    @vedran said: That's why I love small VPS providers: if something like this happens you know whom you have to introduce with your crowbar in a dark alley, you can't do that with unnamed "compromised credentials".

    With little problem. Ocean between you and them :)

    -

    btw. is 3094 BTC a lot? I am not familiar with virtual/real btc value.

  • Damian Member
    edited March 2012

    3094 BTC = $15314 USD, IF you can figure out how to actually get it as USD.

  • @Damian said: 3094 BTC = $15314 USD, IF you can figure out how to actually get it as USD.

    That sucksssssssssssss.

  • Spirit Administrator

    Damn. I feel sorry for this guy and his work invested into this.

  • @Damian said: 3094 BTC = $15314 USD, IF you can figure out how to actually get it as USD.

    There's brokers for it, that's not a problem.

    'coins are used a lot for drug deals since there's no paper trail anywhere

    BuyVM - OpenVZ & KVM Based / TUN, PPTP, FUSE, SIT & GRE Enabled! / Stallion Control Panel
  • BuzzPoet Member
    edited March 2012

    I actually have a Linode, but I use it to host podcasts, nothing mission critical.

    @Aldryic "This is also a prime example of just how much access your host has over your VMs. Choose your providers carefully, folks."

    Actually, this is a good example of why the only reliable hosting is self-hosting, as Eben Moglen has been pointing out for 2 years now:

    hxxp://www.youtube.com/watch?v=QOEMv0S8AcA

    hxxp://www.youtube.com/watch?v=9bDDUyJSQ9s

    (Edit: I didn't know that would actually embed. Sorry.)

    The "cloud", or "putting your data in someone else's hands", is fundamentally insecure.

    The home is the last place in civilized society that still requires a warrant, so it's the best legally protected place to host data, and potentially the most technically secure and private, given a competent admin (nobody else gets to see your logs).

    The only problem with that is the terrible uplink for high bandwidth sites. In other words, we need fiber to the home.

    (BTW, the Diaspora social network was inspired by the first talk, since the devs were sitting in the audience.)

  • Derek Member

    Man, that is horrible. Really sad to hear.

  • "All activity by the intruder was limited to a total of eight customers, all of which had references to "bitcoin"."

    I called it. Now, do they refund the idiot who thought it was a good idea to keep $12k worth of bitcoins on a $20/month vps or do they deal with the backlash that will follow if they don't?

  • subigo Member
    edited March 2012

    @BuzzPoet said: Actually, this is a good example of why the only reliable hosting is self-hosting

    Exactly. Nobody should be setting up a server with $12k worth of data on a vps, anywhere.

  • So, I don't get it. Linode was the culprit? A worker on Linode? Or just a security bug in their panel?

  • @yomero said: So, I don't get it. Linode was the culprit? A worker on Linode? Or just a security bug in their panel?

    They haven't said, but I would assume it was an employee. And if it was an employee, they should easily be able to track down who did it and repay this guy. If it was not an employee, it will most likely mean the guy is out $12k and Linode's panel has an exploit in the wild.

  • Kairus Member
    edited March 2012

    @subigo said: If it was not an employee, it will most likely mean the guy is out $12k and Linode's panel has an exploit in the wild.

    Or one of their employees didn't have secure enough information? Maybe got a keylogger on his computer, a lot of possibilities.

  • KuJoe Member

    @BuzzPoet said: The "cloud", or "putting your data in someone else's hands", is fundamentally insecure.

    "Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it ;)" - Linus Torvalds

    :D

    -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, TX, and AZ
  • So, dedicated servers FTW?

    And, how does Linode let you run this ultra CPU-abusive Bitcoin stuff?

  • They aren't.

    All of the bitcoin stuff is just the 'banks', so it's just a simple PHP website that stores the hashes.

    Francisco

  • Meh, it was bitcoin... therefore imho it was worthless money, not real money anyway. You don't see any legitimate company accepting BC.

  • NateN34 Member
    edited March 2012

    @ yomero

    I don't see how dedicated servers would be any different.

    You can just hook up a monitor and keyboard... change a few things in the startup lines and change the root password, then get full access to the machine easily.

    @BuzzPoet

    That also has security issues. A "friend" could come over and tamper with it. OR someone could just break into your house and steal the whole darn box.

  • yomero Member
    edited March 2012

    @NateN34 said: You can just hook up a monitor and keyboard... change a few things in the startup lines and change the root password, then get full access to the machine easily.

    Ahm yes, but it is more obvious. The datacenters are secure environments. They have cameras, controlled access, etc. Also, if you cypher your hard disks there is no way to retrieve the info.

    @Francisco said: All of the bitcoin stuff is just the 'banks', so it's just a simple PHP website that stores the hashes.

    So, this bitcoin stuff isn't the same as the bitcoin mining, right?

  • So, a little off-topic... can we use Raspberry Pi to calculate hashes and make bitcoins?

  • debug Member

    @yomero said: So, this bitcoin stuff isn't the same as the bitcoin mining, right?

    From what I read, they're just storing the wallets (which is the cash). They don't do the mining on the servers.

    Hello, World.

  • BTW, the talk at the water cooler is that a Linode employee did it. That's why the status update mentioned "credentials" being revoked. A hacker has no credentials, and certainly none that would apply to 8 independent clients. No technical security in the world can stop an evil admin, which is why, once again, no mission critical data should be left in the hands of someone else.

    If it's that critical, you either host it on your own property, or you buy your own hardware and physically secure it against tampering before you ever ship it to the data center. Putting $15K on a VPS was just dumb. Doesn't matter who the host is.

  • @BuzzPoet said: That's why the status update mentioned "credentials" being revoked. A hacker has no credentials, and certainly none that would apply to 8 independent clients.

    Unless a Linode staffer, or the active account of a former staffer, had a weak/reused password. For instance... let's say you're using the same password here and on some other 3rd party forum. Say the admin of said forum isn't very honest, and is storing passwords in plaintext for the purpose of social mining. He suddenly has your password to both accounts. It could be a similar situation with Linode... especially if their admins can request pass resets. It's no good simply changing a password if someone has access to the email account tied to that admin login, they can just reset and get the new pass.

  • @Aldryic said: It's no good simply changing a password if someone has access to the email account tied to that admin login, they can just reset and get the new pass.

    Google authenticator<3.

  • It has now been confirmed that multiple containers were exploited and over $250k in bitcoins were stolen.

    On a side note, people put over $250k worth of ANYTHING on a vps. LMAO.

  • @subigo said: On a side note, people put over $250k worth of ANYTHING on a vps. LMAO.

    Well, not on A VPS, but on MANY VPSs. They add up, but nobody stores 250 k on the same container. It was a big exploit, many customers compromised at Linode, they will have a lot of trouble washing the egg off their face. M


  • @Maounique said: Well, not on A VPS, but on MANY VPSs. They add up, but nobody stores 250 k on the same container.

    Wrong... one of them had almost $200k.

  • fan Member

    I've been mining for a short period and the result was: 1 PTC each 3 to 5 days, not even worth the cost to run a computer fulltime. :-D

    Anyway both sides hold responsibility for this disaster, Linode can fix their system but the PTC's are gone, and not coming back.

  • vedran Moderator

    Damn, $250k. I don't think Linode will pay that back.

    If Linode can screw up this badly, imagine how secure your $1/m VPS is.

  • Maounique Member
    edited March 2012

    @subigo said: @Maounique said: Well, not on A VPS, but on MANY VPSs. They add up, but nobody stores 250 k on the same container.

    Wrong... one of them had almost $200k.

    This sounds like some ppl we know... I say nobody stores 250 k on the same container, and you say, wrong, someone actually has less than 200 k... M


  • My God... please give this forum an ignore user option...

  • Maounique Member
    edited March 2012

    @Aldryic said: @Maounique said: You never quit, do you?

    No, I'm merely pointing out that had this been PayPal, 1) it would be MUCH easier to trace the offender, and 2) there's a pretty good chance the guy would've gotten his cash back.

    Get off your high horse, kid.

    To make the comparison correct, it means the guy stored his PayPal credentials unencrypted in the VPS. 1. Cool, so PayPal would have known how the data was compromised, who the user behind the open anonymous proxies, botnets, VPS/VPNs bought with fake CC/PayPal, open wi-fi or WEP ones, hacked sites, whatever, was. Linode, on the other hand, knows who did it. 2. Sure, PayPal gives the money back to anyone who has his account data compromised, especially when we deal with hundreds of thousands. On the other hand, Linode, which accepted responsibility from what I know, has some chance to do that.

    @vedran said: If Linode can screw up this badly, imagine how secure your $1/m VPS is.

    Well, depends who the host is, some ppl here never make mistakes. They forbid all kinds of services to make sure, except static pages hosted on bullet-proof web servers, such as boa, since apache2 is not exactly known to be flawless. They also inspect the content 24/7 to make sure every data there is legally owned and legal to be displayed so the hardware will never be seized by the cops during some investigation. M


  • @liam said: Also by choosing providers who own their servers, it shows they're committed.

    Yes, but Linode does own their servers, while most LEB ppl don't, including those that brag around here. They still failed and anyone can fail, even VeriSign issued fake Microsoft certificates, there are hundreds of failure cases for the most reputable companies. Nobody can be safe out there, no matter the precautions taken; if we try to be 100% safe we don't host even on home computers. M


  • Maounique Member
    edited March 2012

    And I was merely expanding on that, bottom line is this: 1. No VPS is secure or could ever be; 2. No dedicated server is secure or could ever be; 3. No home hosting is secure or could ever be; 4. Some providers are less risky than others, but if you have really valuable data, encrypt it hard no matter where you hold it. M


  • NickW Member

    $200K stored on a VPS or not, this is not the fault of the customer. Anybody who knows Bitcoins knows that a wallet has to be stored somewhere. Even with cold storage, it would be pretty silly to only have a personal copy at your own address. If the private key data is lost, all associated Bitcoins are permanently and irrecoverably lost. Once Bitcoins have been "spent"/"stolen" (i.e. sent to another Bitcoin address), the transaction is 100% irreversible, unlike all other transfer methods and currencies since there is no central authority. This fundamental way that Bitcoins are "issued" and are transferred is cryptographically very secure and the only way against it is if there's a vulnerability in the hashing algorithms OR a rogue party has access to a monumental amount of processing power. At the moment we're talking significantly more than any government supercomputer, and the system only gets stronger as more people get involved.

    If you're running some kind of application using Bitcoins then at least some of it has to be at some sort of online service. Before today, which VPS company would you trust with critical data more than Linode? Provided you back things up elsewhere, of course.

    Yes, a customer should assume that a breach inside the company they are trusting is possible, but if/when it happens it is beyond the control/fault of the customer. This kind of breach is theoretically possible wherever you host it. Even a rogue employee at a dedicated server host could walk up to your server and pull all of the data off your HDD.
