The peer-to-peer currency BitCoin (BTC) recently entered the mainstream media after news of the Silk Road, LulzSec, and the flash crash grabbed second-rate headlines. There was even news that an Australian IT guy had misused company hardware to mine BTC. Oddly enough, these things have become synonymous with BitCoin in the news spotlight, but BitCoin is not aligned with any of them. Think of BitCoin as an online medium of exchange.
BitCoin is a digital currency. We could attach the same sensationalist media stories to currency that we can hold in our hands, like a Euro or a US Dollar. Along the same lines we could see the headline “Cash used as an anonymous way to buy crack cocaine; $20 bill remains bill of choice for dealers.” I could buy drugs in the real world with reasonable anonymity using cash, and I could make an anonymous donation to a hacker group with cash, so we’ll dismiss those as tabloid headlines. What draws real interest to the economy of BitCoin is the MtGox flash crash and the wallet.dat theft. Let’s take a look at the flash crash first.
The flash crash happened over approximately ten minutes. In that time, the MtGox exchange was flooded with BTC held in a compromised account. The mass sell-off intentionally drove the price from around 16.50 USD down to a penny.
The sell-off was carried out by placing a series of sell offers together with a series of ever-lower buy offers, in effect inflating the currency at an unprecedented rate. The reason was that MtGox had a withdrawal limit of 1000 USD per day, or the equivalent of 1000 USD worth of BTC. The intent seems to have been to withdraw BTC, not money, since money would immediately be linked to other accounts in order to convert it into a more familiar currency. With BitCoin’s built-in pseudo-anonymity, the attacker could send the BTC to a new address without revealing any other information in the transaction.
With that limit, the compromised account, and a BTC price of around 16.50 USD, the most that could have been stolen from the account was 60.6 BTC. Knowing this, the attacker initiated the huge sell-off, eventually filling every offer to buy down to .01 USD. At .01 USD, the same 1000 USD limit allowed 100,000 BTC to be withdrawn.
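As an added illustration (not code from the original post), the toy model below shows why a withdrawal cap denominated in USD and converted at the live price is a weak control: a market sell that walks down a constructed order book lowers the last trade price, and with it raises the BTC the cap permits. The order book sizes, the 1000 USD limit and the reference-price mitigation are assumptions for the example.

```python
from decimal import Decimal

# Constructed resting bids (price_usd, size_btc), best price first.
# Sizes are made up for illustration, not MtGox's actual book.
BIDS = [
    (Decimal("16.50"), Decimal("40")),
    (Decimal("16.00"), Decimal("150")),
    (Decimal("10.00"), Decimal("300")),
    (Decimal("1.00"), Decimal("500")),
    (Decimal("0.01"), Decimal("200000")),
]
DAILY_LIMIT_USD = Decimal("1000")  # the per-day cap described in the post


def market_sell(bids, qty_btc):
    """Fill a market sell against the bids; return (usd_received, last_fill_price)."""
    remaining, usd, last_price = qty_btc, Decimal("0"), None
    for price, size in bids:
        if remaining <= 0:
            break
        fill = min(size, remaining)
        usd += fill * price
        remaining -= fill
        last_price = price
    return usd, last_price


def cap_at_live_price(price_usd, limit_usd=DAILY_LIMIT_USD):
    """Weak control: the USD cap converted at whatever the last trade printed."""
    return limit_usd / price_usd


def cap_at_reference_price(live_price_usd, reference_price_usd, limit_usd=DAILY_LIMIT_USD):
    """Assumed mitigation: convert at the higher of the live price and a reference
    price (e.g. a trailing daily average) that one account cannot move, so a crash
    in the live price cannot inflate the amount of BTC the cap allows out."""
    return limit_usd / max(live_price_usd, reference_price_usd)


def btc_needed_to_reach(bids, target_price):
    """How much BTC must be sold to walk the book down to `target_price`."""
    return sum(size for price, size in bids if price > target_price)
```

With the constructed book, selling 2000 BTC prints a last trade of 0.01 USD and the live-price cap jumps from 60.6 BTC to 100,000 BTC, while the reference-price cap stays at 60.6 BTC.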
The MtGox flash crash happened over about twenty minutes. While I sat watching the price drop, I pulled my BTC out under the assumption that the site had been compromised. After several days of waiting, the official explanation of the crash involved a spear attack in which a pen tester’s computer was hacked. The computer apparently had a list of unused accounts and hashed passwords.
After the mass sell-off, an undisclosed amount of BTC was withdrawn from the hacked account at MtGox. When all was said and done, the exchange was frozen for seven days in order to re-examine its security and roll back what it deemed to be fraudulent transactions. MtGox was forced to bite the bullet and replace the BTC that had been withdrawn prior to the freeze.
MtGox also stated that the exchange, which had started as a hobby project, had exponentially outgrown its security. It was also known in the BitCoin community that the site was vulnerable to cross-site scripting attacks. Even the BitCoin wiki had best-practice recommendations for more secure browsing when dealing with BitCoin.
So, as the value of BitCoin kept rising and security stayed the same, it was only a matter of time before exploits were found. In question was that unpatched or poorly configured computer with an admin-privileged account.
Tracing the exact route of the attack involves details which are not public knowledge. The sensitive information which has come to light consists of files that were posted for sale to the highest bidder on PasteBin (http://pastebin.com/). PasteBin is a message board of sorts for pirates, hackers, pr0n lovers and harmless John Does alike, where it is easy to communicate with relative anonymity using Tor. The first database contained inactive accounts. MtGox claimed this information came from a hacked computer.
Also originally posted was a for-sale offer for MtGox’s user database, over 60,000 accounts in all. About a week later that accounts database was posted as a comma-separated file. The contents of that file proved worthless, as MtGox was frozen, but it did show that the site had been successfully exploited. SQL injection was described as the method of obtaining the active account data, which included the user name, optional e-mail, and hashed password of each account.
Shortly after the accounts file came to light, all of the accounts with simple passwords were cracked and posted on PasteBin as well. One interesting thing to note is that the hardware currently used for mining also has the Accelerated Parallel Processing (APP) power to be applied to hash cracking. BitCoin mining computers use APP with AMD graphics cards to hash solutions for the blockchain in the first place, as the AMD chipset can perform the calculations with a fraction of the instructions that an Nvidia card would require. A mining rig equipped with four ATI Radeon 5970s running whitepixel could approach 33 billion brute-force password hashes per second. Check out whitepixel at http://whitepixel.zorinaq.com/ for an example of hash auditing software.
The purpose of a block is to verify all the timestamped transactions in order to prevent double-spending. The block itself contains a ledger of all recent transactions. “The timestamp proves that the data must have existed at that time, obviously, in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.”
BitCoin mining uses a proof-of-work chain in order to verify and incorporate new transactions into each block. The solution to a block is found by “[...] scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits.” The number of zero bits required varies with the difficulty, which tracks the hashing power of the network so that BitCoins are not over-issued. Currently, 50 BTC (an amount which will decrease over time at a fixed rate) is awarded to the finder of the solution to compensate for the computational power used to verify the transactions. The difficulty is adjusted so that a block is solved approximately every ten minutes.
Once the solution to a block is found, the client which found it sends the block to all of its connected peers. Each of those peers verifies the solution and in turn sends the block on to its own connected peers, in a ‘best-effort’ manner.
Each and every block must mature in the blockchain, and each block generated afterwards incorporates the hash of the previous block, forming the longest proof-of-work chain. Any attempt to alter the transactions in a block would require rehashing the entire blockchain, or successively solving blocks faster than the entire network and basing the subsequent blocks’ hashes on the altered one. The amount of computing power required to do this would not likely be available, and even Amazon’s cloud services couldn’t scale to alter a block. The website Block Explorer (http://blockexplorer.com/) makes examining the transactions and other data in the blockchain easier, and I recommend everyone take a look.
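As an added example (not code from the original post or from the BitCoin client), the toy chain below implements the proof-of-work scan and previous-hash linking described above at a much smaller difficulty, and shows that rewriting one transaction in an old block breaks every block after it unless all of the later work is redone. The sample transactions and the 12-bit target are constructed for the example.

```python
import hashlib
import json

DIFFICULTY_BITS = 12  # toy target; BitCoin's difficulty demands far more zero bits

# Constructed sample transactions, one list per block.
SAMPLE_TXS = [["alice->bob 5"], ["bob->carol 2"], ["carol->dave 1"]]

def block_hash(prev_hash, txs, nonce):
    """SHA-256 of the block body (BitCoin double-hashes a binary header; JSON keeps this readable)."""
    body = json.dumps({"prev": prev_hash, "tx": txs, "nonce": nonce}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def meets_target(h, bits=DIFFICULTY_BITS):
    """Proof of work: the 256-bit hash must begin with `bits` zero bits."""
    return int(h, 16) >> (256 - bits) == 0

def mine(prev_hash, txs, bits=DIFFICULTY_BITS):
    """Scan nonces until the hash meets the target; returns the solved block."""
    nonce, h = 0, block_hash(prev_hash, txs, 0)
    while not meets_target(h, bits):
        nonce += 1
        h = block_hash(prev_hash, txs, nonce)
    return {"prev": prev_hash, "tx": txs, "nonce": nonce, "hash": h}

def build_chain(tx_lists, bits=DIFFICULTY_BITS):
    """Each block commits to the hash of the one before it."""
    chain, prev = [], "0" * 64
    for txs in tx_lists:
        chain.append(mine(prev, txs, bits))
        prev = chain[-1]["hash"]
    return chain

def verify_chain(chain, bits=DIFFICULTY_BITS):
    """What a peer does before relaying: recheck linkage, hash and work of every block."""
    prev = "0" * 64
    for b in chain:
        h = block_hash(b["prev"], b["tx"], b["nonce"])
        if b["prev"] != prev or h != b["hash"] or not meets_target(h, bits):
            return False
        prev = h
    return True

def tamper(chain, index, new_txs, bits=DIFFICULTY_BITS):
    """Rewrite one old block and re-mine only it; later blocks still point at the original hash."""
    forged = list(chain)
    forged[index] = mine(forged[index]["prev"], new_txs, bits)
    return forged
```

Re-mining the altered block alone leaves a chain that fails verification at the next block; only rebuilding every subsequent block (the work the whole network has already done) yields a chain that verifies again.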
Occasionally, more than one client will produce a solution to the same block at the same time. In that case, whichever block is used to generate the next block becomes the valid solution. The other block is considered an orphan and disregarded, except that any of its transactions not included in the winning block are returned to the queue to be included in a future block.