

Bitcoin exchange hacked via WordPress hosted on production machines - mplewis
https://www.allcrypt.com/blog/2015/03/what-happened-and-whats-going-on/?

======
jamez1
I like how they tried to come up with answers to most peoples criticisms.

Why on earth would you have Wordpress hosted in the same network as the one
with access to your critical infrastructure?

That wouldn't fly in any finance shop, and at least they have insurance.

~~~
dscrd
Why would they have a host with PHP installed on the same server where money
is handled?! Totally irresponsible.

I'm being serious. Unless you have Facebook's resources (and probably not even
then) DO NOT USE PHP FOR ANYTHING THAT REQUIRES SECURITY! If you are, start a
migration process today. Whatever you think it'll cost, it'll be worth it.

If you cannot decide from the billions of choices out there, go with Go. It's
hardly perfect, but way better and simple.

~~~
ukigumo
It may come as a surprise to many, but on high security services such as
banks, servers that handle critical data cannot have any build tools installed
or usable.

Having said this, I've found limited proof that a particular language is any
safer than another as it comes down to safe coding policies and risk
mitigation strategies.

~~~
spacemanmatt
Would you say that there is 'limited proof' that C is inherently more
dangerous than Java?

I would estimate PHP is inherently more dangerous than C.

~~~
sanswork
Why would you say that? What does C offer as a language that makes it more
secure in your mind than php?

~~~
tveita
There are no systems to my knowledge where the server will compile and execute
a .c file from a directory when accessed.

Yet that seems to be the default configuration for many PHP installations
unless you specifically guard against it. A common PHP vulnerability is
just the user uploading a php file and then accessing it.

~~~
ukigumo
This is what I mean by knowing what risks your application / framework /
language will bring and mitigating them accordingly.

(edited for clarity)

------
fletom
According to them their marketing guy _clearly_ had to have the ability to
upload arbitrary executable files to their Wordpress site. Which by the way
ran their entire exchange and had direct read/write access to their balances
database.

That's utterly comical. It makes me think there should be a The Onion for
crypto/infosec news because I haven't laughed that hard in a while. I feel bad
for them but thinking they could run a cryptocurrency exchange with a solid
zero on the scale of zero to having a clue about security was pure hubris on
their part.

Also the author's level of denial about their incompetence is incredible:

"Even the most secure systems can be circumvented with enough time and
ingenuity."

"And we were secure and solid for a year..."

"Well, due to some apparent exploit in wordpress, someone, somehow, got into
the server tonight, installed some files, and managed to empty the goddamned
BTC wallet. Best I can tell it was something with that worthless pile of shit
software wordpress." (earlier notice on allcrypt.com)

------
ukigumo
The part that shocks me the most about this attack is the userbalances table.
What a terrible decision to give up on securing the integrity of your most
important data in the name of performance.

------
8557056
As Sterling Archer put it: "Holy shit. [That] security is atrocious.
Seriously, it’s really bad. [...] No way. It can’t be. Jesus Christ, that is
just Baby Town frolics."

