
genjix wrote in https://bitcointalk.org/index.php?topic=81045.msg920554#msg9...

  > To the person above, here's what happened: 
  > - Bitcoinica has an internet mailing list called info@bitcoinica.com  
  > - It was the email for the website and all sensitive accounts.  
  > - You could request a password for that email. In a production system, that
  > should never be possible.  
  > - Several people had access to this mailing list (non-admins and business
  > people included).  
  > - Patrick got added.  
  > - His personal email was compromised. Normally this shouldn't be a big deal; I
  > use my personal email at internet cafes and public computers.  
  > - Attacker was able to request a new password and login to rackspace.  
  >   
  > The assumption here was that info@bitcoinica.com did not have access to 
  > critical infrastructure.
  >
  > Lastly, it was my fault Patrick's email server got compromised. I had a VPS
  > for programming and development which many people had access to - randoms from
  > #c++ IRC, people from this forum, beginners I was teaching etc. It's a
  > public VPS for development. The SSH key on there was added to Patrick's server
  > because we were developing the bitcoinconsultancy.com website on there (that's
  > why it's now down). My SSH key was stolen and he ssh'ed into the box.
  > Then had access to his emails.
So there you have it: it was one of those damn "Forgot Password" buttons, combined with mishandling email. The security of a server can't be better than the security of the least-secure computer with administrative access, and it looks like in this case, that was spread a little further than it should've been. This attack might've been prevented by introducing a delay: send an email saying that a password reset was requested, with a cancelable reset after several hours. But as far as I know, no one does that.



It looks to me like the root cause was reusing an SSH key on a secure system and a public system. If the SSH key was compromised, that would lead me to believe that the private key was on the public/insecure system. That is a big security no-no as well.


Amusing. Seems like these guys should be engaging a consultancy for help, not trying to start one.


And the worst thing is, you can even re-use a password reset link for Rackspace Cloud even when it has already been used. Changing passwords won't log out existing sessions either.


Specifically this[1] is the page that is used in this hacking operation.

[1]: https://manage.rackspacecloud.com/pages/Login.jsp
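The two mitigations the thread raises, a cancelable delayed reset (the first comment) and a reset link that works only once and logs out every existing session when the password changes (the later comment), as an added Python example. This is illustration written for this page, not code from the thread or from Rackspace; the in-memory store, token format, the four-hour delay constant and the toy SHA-256 password hashing are assumptions (a production system would use a real password KDF and durable storage).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed policy value (not from the thread): a reset stays cancelable this long
# before the link becomes usable, giving the real owner time to react to the
# "a password reset was requested" notification.
RESET_DELAY_SECONDS = 4 * 3600


def _h(value: str) -> str:
    """Store only hashes of tokens so a leaked table does not yield usable links."""
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class ResetRequest:
    account: str
    requested_at: float
    cancel_hash: str
    cancelled: bool = False
    used: bool = False


class AccountStore:
    """Toy in-memory account store (assumed for the example)."""

    def __init__(self) -> None:
        self.passwords: dict[str, str] = {}        # account -> hashed password (toy hash)
        self.sessions: dict[str, str] = {}         # session id -> account
        self.resets: dict[str, ResetRequest] = {}  # hash(reset token) -> request

    def set_password(self, account: str, password: str) -> None:
        self.passwords[account] = _h(password)
        # Any password change revokes every live session of that account, so an
        # attacker who already held a session does not keep it after the reset.
        self.sessions = {sid: a for sid, a in self.sessions.items() if a != account}

    def create_session(self, account: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = account
        return sid

    def session_valid(self, sid: str) -> bool:
        return sid in self.sessions

    def request_reset(self, account: str, now: float) -> tuple[str, str]:
        """Return (reset_token, cancel_token); both go into the notification e-mail."""
        reset_token = secrets.token_urlsafe(32)
        cancel_token = secrets.token_urlsafe(32)
        self.resets[_h(reset_token)] = ResetRequest(account, now, _h(cancel_token))
        return reset_token, cancel_token

    def cancel_reset(self, cancel_token: str) -> bool:
        """The legitimate owner clicks the cancel link before the delay expires."""
        target = _h(cancel_token)
        for req in self.resets.values():
            if hmac.compare_digest(req.cancel_hash, target) and not req.used:
                req.cancelled = True
                return True
        return False

    def complete_reset(self, reset_token: str, new_password: str, now: float) -> str:
        """Consume a reset link; returns a status string describing why it was refused."""
        req = self.resets.get(_h(reset_token))
        if req is None:
            return "invalid"
        if req.used:
            return "already-used"   # a link must never work a second time
        if req.cancelled:
            return "cancelled"
        if now - req.requested_at < RESET_DELAY_SECONDS:
            return "pending"        # still inside the cancelable window
        req.used = True
        self.set_password(req.account, new_password)  # also logs out every session
        return "ok"
```

The delay is deliberately enforced server-side at completion time rather than by withholding the e-mail, so the owner sees the notification immediately while the link itself stays inert until the window has passed.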



