In a press statement yesterday, MtGox.com acknowledged the security issues and the hack that led to the crash of the bitcoin economy earlier in June. After freezing all of their assets in the wake of the crash, Mt. Gox has undergone a lot of changes and expects further evolution of their service in the near future to address its security and capabilities. As one of the leading providers of bitcoin exchange on the Internet, Mt. Gox holds a role much like a central trust or bank and they think it’s about time they started acting like one.
During the intrusion on June 20th, a user compromised an administrative account and proceeded with a bulk sale of bitcoins. The massive sell-off caused the economy to tank, dropping almost $17 in under thirty minutes. It is now clear that the coins sold did not even represent actual currency, but rather virtual “fake” currency that the attacker had added to an account for sale.
Late last week, Mt. Gox admins discovered a SQL injection (SQLi) vulnerability in their database, the same type of vulnerability used by hacker group LulzSec to gain access to numerous user credentials during their reign of mayhem. The exploit had been used to gain read-only access to their databases, revealing hashed passwords and e-mail addresses of numerous Mt. Gox customers. As a result, they were forced to shut down all operations while they restored user accounts and asked users to change their passwords. Even though the passwords were protected with cryptographic hashes, it is still possible to break weak hashes given enough time.
As a result of these two security-related catastrophes that struck Mt. Gox’s exchange, they have set in motion a plan to resist future intrusions and better mitigate disasters when intrusions do happen.
Nobody is impregnable to intrusion on the Internet. Nobody.
“The new Mt. Gox site features SHA-512 multi-iteration, triple salted hashing,” Mt. Gox says of its expected security measures, “and soon will have an option for users to enable a withdraw password that will be separate from their login passwords. Other security measures such as one-time password keys are planned for release very soon as well.”
SHA-512 is a strong, modern cryptographic hash function, and running it for many iterations makes every password guess more expensive, so it becomes exceedingly difficult to break a stolen hash and recover the password. In fact, iterating a strong hash function is the de facto industry standard for securing stored passwords against cracking. That Mt. Gox intends to go to this length suggests they have accepted that nobody has perfect security and that databases of user secrets are a primary target for theft. Combined with the ability to have a separate password for withdrawal and login, it would increase user security tremendously.
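As an added illustration (not Mt. Gox's code; the statement does not describe their exact construction), the sketch below uses PBKDF2-HMAC-SHA512 from Python's standard library as one standard way to do salted, iterated SHA-512 password hashing. The iteration count, the `iterations$salt$digest` record format and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'iterations$salt_hex$digest_hex' using PBKDF2-HMAC-SHA512."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        iter_s, salt_hex, digest_hex = stored.split("$")
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iter_s))
    except ValueError:
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, target: int = ITERATIONS) -> bool:
    """True when a record was created with a lower work factor than the target."""
    try:
        return int(stored.split("$", 1)[0]) < target
    except ValueError:
        return True


def unsalted_sha512(password: str) -> str:
    """Single unsalted pass, shown only for contrast with the salted form."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()
```

Two users with the same password get identical `unsalted_sha512` values, which lets one cracked hash unlock both accounts; with a per-record salt the stored values differ, and `needs_rehash` lets a site raise the work factor at each user's next successful login.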
With the exchanges growing up, this might also mean that more organizations might climb on board and use bitcoins for products or services. Recently, the EFF stopped taking bitcoins as donations due to legal concerns over the direction of the currency (or just insecurity about its nature).
In spite of the economic crash the exchanges suffered, the coin has returned to a stable high and exchanges like Mt. Gox are still trading. While we cannot expect smooth sailing, we do expect bitcoin to maintain something of a celebrity status for a while to come.