Last Monday, BitInstant announced the results of having suffered a successful social engineering hack that ended with them losing approximately $12,480 USD worth of BTC (believed to be ฿999 BTC). The attacker, who used socially engineered information in order to take control of the DNS registrar and redirect connections away from BitInstant’s servers and gain access to e-mail addresses to reset passwords.

In many cases of hacks, social engineering is the weakest link in any security structure and this time it was a very convoluted one. According to the blog post documenting the heist,

The attacker contacted our domain registrar at Site5 posing as me and using a very similar email address as mine, they did so by proxying through a network owned by a haulage company in the UK whom I suspect are innocent victims the same as ourselves. Armed with knowledge of my place of birth and mother’s maiden name alone (both facts easy to locate on the public record) they convinced Site5 staff to add their email address to the account and make it the primary login (this prevented us from deleting it from the account).

[…]

After gaining access, they redirected DNS by pointing the nameservers to hetzner.de in germany, they used hetzner’s nameservers to redirect traffic to a hosting provider in ukraine. By doing this, he locked out both my login and Gareths’s login and they used this to hijack our emails and reset the login for one exchange (VirWox), enabling them to gain access and steal $12,480 USD worth of BTC. No other exchanges were affected due to either Multi Factor Authentication, OTP, Yubikey’s and auto lockdowns.

In this instance, BitInstant learned the ever-present Lesson of the Kobayashi Maru, cybersecurity for valuable targets is an ever-changing space where attackers will take advantage of cultural weaknesses and exploit them.

The attacker also managed to download many archived internal e-mails from BitInstant; but according to the blog post, they have a mandatory PGP use for sensitive communication. The use of cryptography to secure individual communication adds a layer of protection that helped limit the total exposure and damage the attacker inflicted.

This is the not the first time that a Bitcoin exchange has been hit by a hacker intent on stealing BTC. Early on in MtGox’s growing-up-period led to the site thinking more seriously about security; in May 2012, Bitcoinica lost more than ฿18,000 BTC, which then led to a heist totalling ฿40,000 BTC in July of the same year. In March, Linode suffered a hack that opened up Bitcoinica (yet again) and others to a loss totalling ฿46,000 BTC. Hackers are most definitely out to get at Bitcoin holding exchanges.

Social engineering, hackers, and so-called “security questions”

One of the most interesting things to come out of this issue is the exchange between CEO of Site5, Ben Welch-Bolen, and Gareth Nelson CTO and co-founder of BitInstant. Site5 is the domain registrar where the DNS records were hijacked from; the attacker managed to gain access to the DNS via using two answers to “security questions.” Likelihood is the answers were socially engineered.

The CEO of Site5 mentions a method now suggested widely by many security pundits when it comes to “security questions” and that’s to use custom answers. That is, answers that in no way shape or form match the question (or are even potentially gibberish). As a result, an attacker cannot Kobayashi Maru the answers by interrogating family and friends for things such as “What is the name of your first pet?” or “What street did your family first live on?”

“You should always put in a custom answer,” wrote Welch-Bolen,  “for example I might use the question mother’s maiden name and then the answer is ‘L@J-289098=a9jaosdjf’ which I keep in an encrypted text doc or ecrypted note in 1Password.”

An excellent point–especially perhaps for people attempting to secure something so highly targeted as a Bitcoin exchange (regarding if they cannot turn off the security questions altogether.) What happened to BitInstant involved a determined attacker who used this one vulnerable point to profound effect and it’s further an object lesson when it comes to the use of security questions by any individual (especially those in highly targeted venues.)