
Bitstamp Incident Report 2-20-15 - edward
http://www.scribd.com/doc/270137312/Bitstamp-Incident-Report-2-20-15
======
edward
"The sender was offering Mr. Kodric the opportunity to join Upsilon Pi Epsilon
(UPE), the International Honour Society for the Computing and Information
Disciplines. The UPE site is hosted within the acm.org domain. On 11 December,
as part of this offer, the attacker sent a number of attachments. One of
these, UPE_application_form.doc, contained obfuscated malicious VBA script.
When opened, this script ran automatically and pulled down a malicious file
from IP address 185.31.209.145, thereby compromising the machine."
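The attachment described above carried its payload as a VBA project inside a .doc file. As an added example (not code from the report or from anyone in this thread), here is a Python mail-gateway check that flags Office attachments containing a VBA project, for both the legacy OLE2 container and the OOXML zip format, regardless of the file extension; the OLE2 branch is a byte-scan heuristic rather than a full container parser, and every sample input below is constructed.

```python
# Added example (not code from the Bitstamp report): a mail-gateway check that
# flags Office attachments carrying a VBA project, whatever their extension.
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
# Storage names that exist only when a VBA project is embedded; the OLE
# directory stores them as UTF-16LE, so a raw byte scan is a cheap heuristic.
VBA_DIR_NAMES = [n.encode("utf-16-le") for n in ("Macros", "_VBA_PROJECT")]


def has_vba_project(data: bytes):
    """Return a short reason if the bytes look like an Office file with macros, else None."""
    if data.startswith(OLE_MAGIC):
        for name in VBA_DIR_NAMES:
            if name in data:
                return "ole2 storage %r" % name.decode("utf-16-le")
        return None
    if data[:2] == b"PK":                          # OOXML (.docm/.docx/.xlsm) is a zip
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                parts = [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
        except zipfile.BadZipFile:
            return None
        if parts:
            return "ooxml part " + ", ".join(parts)
    return None


def classify_attachment(filename: str, data: bytes) -> str:
    """Policy: quarantine macro-bearing Office attachments, allow everything else."""
    reason = has_vba_project(data)
    return "allow" if reason is None else f"quarantine {filename}: {reason}"


def make_docm(with_macros: bool) -> bytes:
    """Constructed sample OOXML document (no real macro code inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


# Constructed sample of a legacy .doc that contains a VBA project: only the
# container header and one directory entry name are mimicked, nothing executable.
FAKE_OLE_DOC = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64
```

The OLE2 byte scan can misfire on a document whose own text contains those names; a tool that walks the OLE directory properly (such as oletools' olevba) avoids that.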

~~~
billyhoffman
It's 2015 and Visual Basic for Applications scripts embedded in Word docs are
still a viable channel for attacking people.

That makes me pretty sad. Who needs bare-metal/firmware rootkits or
virtualization escape exploits when a DOC file + some VBS lets you rob some
cryptocurrency?

~~~
TodPunk
Social engineering will ALWAYS be the most effective means of compromising a
system. If you can get the user to run a thing, you have got them to run
anything you want forever. This is not a problem with VBA, VBA is merely
providing functionality (and useful functionality in many respects). There is
no way to prevent this in VBA or any other technology. The only vector of
mitigation is educating the user.

~~~
makmanalp
Social engineering will be always effective, but that's not the point. This
/is/ a problem with VBA - as a person viewing a document, it doesn't seem like
you're running anything, but really you're running arbitrary unsigned code
that has full r/w access to everything on your system. To make it worse, this
has been a major attack vector for over a decade yet it's still completely
unsandboxed.

~~~
gnaritas
That's not really true, it doesn't run by default, the user is prompted and
warned about possible malicious scripts AND they run them anyway. All you have
to do is put instructions/picture in the doc telling the user to click that
button to see the content, and they usually will. Users are simply ignorant of
the dangers, that's the problem and it's always been the problem and that's
unlikely to change.

~~~
makmanalp
I know it doesn't run by default - a warning about malicious scripts is a cop
out and everyone knows it. Yes, if we trained everyone to be programmers, then
maybe no one would click it.

However, the point is, how do I know what will happen when I click this
button? Will it run a helpful macro to format my data or will it delete all my
files? Why is a macro language allowed to do that? Why do those two things
have the same security level assigned to them?

You should run executables only from trusted sources - that's what we're told,
right? Now - do you trust an email appearing to genuinely be from a very
prestigious honor society from the world's largest CS authority? Why not? Why
was the person not able to cryptographically verify that, yes, that is indeed
where this file came from? What is that - you say that since they didn't know
the sender personally, they shouldn't have trusted the file anyway? A
different example: What if, say, someone used windowsupdate or apt-get as an
attack vector? I bet you're trusting those strangers already, as we speak, and
you have pretty much no say in the matter.

"Oh, we'll put in a warning dialog" is the most crappy duct-tape
there-I-fixed-it style solution to this extremely nuanced problem, and blaming
the user does nothing to secure real world systems.

~~~
gnaritas
> You should run executables only from trusted sources - that's what we're
> told, right?

No, that's what computer savvy people know, normal users don't think twice
about running an executable from any source, that's the whole point. Nothing
you suggested will stop what people simply do continually, open anything from
anyone without caring who the sender is. Sandboxes don't just protect things,
they forbid necessary and useful things so you can't simply sandbox everything
because users will simply refuse to use your crippled software and opt for the
less secure but more functional version. Users don't care about security,
that's the problem; it's a social problem, not a technical one.

------
jessaustin
_Moreover, we need to be very careful not to educate other criminal hackers
about how we "safeguard" our assets and information. Accordingly, no part of
this report may be made public or given to a third party without the prior
express written permission of Bitstamp Ltd._

If this is public now, presumably they've finally airgapped wallet.dat? It
sounds like Kodric is getting the blame for this, with his boneheaded doc
opening, but with the architecture they had this might have been just a matter
of time. After all, the CTO had previously opened another doc, but the embedded
VBA didn't run for unspecified reasons.

------
chinathrow
Are there some stats on how effective spear phishing is these days? Need to
train my co-founder live, but some facts would sure help.

~~~
at-fates-hands
Here you go:

[http://www.symantec.com/content/en/us/enterprise/other_resou...](http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf)

_While the total number of emails used per campaign has decreased and the
number of those targeted has also decreased, the number of spear-phishing
campaigns themselves saw a dramatic 91 percent rise in 2013._

and

[http://blog.wombatsecurity.com/spear-phishing-everything-eve...](http://blog.wombatsecurity.com/spear-phishing-everything-ever-needed-know/)

91% of cyber attacks begin with a spear phishing email.

94% of targeted spear phishing emails have attachments

Here is the referenced report in the above article:

Spear-Phishing Email: Most Favored APT Attack Bait

[http://www.trendmicro.com/cloud-content/us/pdfs/security-int...](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-spear-phishing-email-most-favored-apt-attack-bait.pdf)

------
adricnet
Ah, the document at that link is

a) labelled confidential and

b) scanned and OCR'd with some problems visible on the first page.

If this is officially public I would like to read it, please provide a legible
copy. If this is a leaked document then I can't use it and don't particularly
want to read it.

Motive: I write this sort of thing from time to time and I would not enjoy
seeing it leaked and discussed.

~~~
driverdan
> If this is a leaked document then I can't use it and don't particularly want
> to read it.

Why?

~~~
placeybordeaux
Probably due to his morals or ethics.

------
tedunangst
"This content was removed at the request of Bitstamp Ltd."

:(

~~~
ikeboy
I downloaded it before. See
[https://drive.google.com/file/d/0BwzdZTHqha9tYjVEaklxODc5emc...](https://drive.google.com/file/d/0BwzdZTHqha9tYjVEaklxODc5emc/view)

------
escapologybb
That was fascinating, does anyone know where I can read more reports like
this?

~~~
joshstrange
I doubt there is a central repository of things like this as most (this one
included) are eyes-only and normally, in an effort to present the raw facts
and point out the failures, are not something that makes the company it's about
look good (lax security or bad practices, I'm not saying that was the case
here one way or the other, just that normally that's what they are going to
cover). I think the most telling line (in regards to your comment) is:

> ...we need to be very careful not to educate other criminal hackers about
> how we safeguard our assets and information. Accordingly, no part of this
> report may be made public or given to a third party without the prior
> express written permission of Bitstamp Ltd

Well I was going to quote it but it's been taken down already, wish I still
had it open in a tab. The line was something to the effect of "This document
should not ever be made public as it outlines our weaknesses and we don't want
to give future attackers any more tools to attack us"

Edit: I've updated the above with the quote, I found it after all

Edit 2: All of that said I too would love to read more in-depth post-mortems
on hacks/breaches/thefts. I knew phishing like this was possible but I would
have fallen prey to some of that probably. Now I don't use a Windows computer
so I might have been marginally safer but there is nothing to say that the
attacker didn't have linux/osx tricks up his/her sleeve. The graphic that
shows the different avenues of attack and the one that finally succeeded was a
really cool way to visualize the attack as well.

------
microcolonel
This is so unbelievably pathetic.

How is anyone supposed to trust nincompoops who open word documents from
unsolicited emails on Windows while connected to a sensitive VPN? Furthermore:
with your money.

~~~
cjbprime
System administrators who do so, no less.

~~~
jessaustin
Pretty much everyone opened the docs, including the CTO. If you're more
comfortable on Windows, that's fine, use Windows, but _remember_ that you're
using Windows.

~~~
lcswi
I wouldn't blame windows, surely libreoffice could be exploited similarly?

~~~
jessaustin
Perhaps? I don't use either package. If someone sends me a .doc and I _really_
want to read it then I upload to GDrive. If I'm sending something that can't
be text then it's a pdf. I'm not saying I can't be phished, but I certainly
won't be running any VBA without knowing it.

~~~
aw3c2
[http://www.cvedetails.com/vulnerability-list/vendor_id-53/pr...](http://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html)

~~~
jessaustin
I haven't used acrobat in years. Is it even available on linux or chromeos?

------
westoque
I think the chance for remote execution would be far less if they used unix
based systems.

Also when dealing with sensitive stuff like this, I expect them to have better
monitoring of their services, like notifications on access, etc.

~~~
some1else
> I think the chance for remote execution would be far less if they used unix
> based systems.

OSX is a *nix based system and has had far worse security than Windows for
ages (lagging with basic things like address space randomization). Just
because Unix is not considered a primary attack surface area for viruses and
the like, it does not make it inherently more secure. That kind of attitude is
indeed even more dangerous than having a well secured Windows computer.

(Disclaimer, Mac user myself)

~~~
xorcist
Security isn't necessarily better or worse, but different. Remember that
Windows (used to?) run code on _every_ attached USB Mass Storage. The bundled
web browser executed native code embedded on web pages (but don't worry as it's
all signed, right?) and great efforts were made to build enterprise software
on top of it. That has nothing to do with unix-ness or lack thereof. It's also
nothing you can fix by layering more technology over it.

Both systems have unpatched root exploits if you have access to the display
subsystem. Both were initially developed for trusted local environments, then
adapted for public network use some ten or fifteen years later and whatever
security issues that brought were patched as they were found. I'm just not sure
how to argue more or less security in that environment. Users still get owned
by running Flash (so no ASLR for you) and Outlook.

------
benmmurphy
So if you are an insider and you wanted to steal a hot wallet a good way to do
it is to stage a phishing attack against yourself. (I think Mr Kodric is a
victim here)

------
jessedhillon
Can we stop using and supporting scribd yet? They don't let you get past page
3 on mobile devices without installing their app. Most phones have PDF viewing
capabilities, what is the need to host PDFs on scribd?

~~~
geographomics
Agreed, it's a most frustrating website to use on mobile and tablet. If it
helps, here are mirrors of the content:

[pdf]
[https://bitstampincidentreport.files.wordpress.com/2015/07/2...](https://bitstampincidentreport.files.wordpress.com/2015/07/270137312-bitstamp-incident-report-2-20-15.pdf)

[docx]
[https://bitstampincidentreport.files.wordpress.com/2015/07/2...](https://bitstampincidentreport.files.wordpress.com/2015/07/270137312-bitstamp-incident-report-2-20-15.docx)

~~~
chinathrow
Did anyone scan the docx for unknown/known vulns? :)

~~~
jessaustin
It would be pretty hilarious to read an incident report six months from now
that cited that link as a successful phish.

