Topic: [EDU] What to do if you've been hacked (Read 1148 times)

hero member
Activity: 616
Merit: 500
1BkEzspSxp2zzHiZTtUZJ6TjEb1hERFdRr
January 21, 2015, 03:00:39 AM
#4
Thank you mate for this guide. One of the biggest bitcoin problems is hackers, and this will surely improve the safety of regular users. I am not some tech geek, so readings like this are of great help for users like me.
legendary
Activity: 1022
Merit: 1008
Delusional crypto obsessionist
January 20, 2015, 05:00:11 PM
#3
Step 8: Reformat and do a full reinstall on any device which is compromised

Download your operating system for the device, preferably open source. During the partitioning stage, be sure to delete the entire partition table, so that you are sure both your MBR and boot partition are going to be overwritten.

If your device is a phone/tablet/console, do a factory reset and check online to see if it's possible to reflash the device. If so, reflash the device with new firmware that you download from a trustworthy source.

Step 9: Improve your security

Do not install any software that is developed by or downloaded from a non-trustworthy source, but preferably from an open source one. Always check that the installer is digitally signed by a trusted key.


Nice guide, I added some things.
My opinion is that open source software greatly increases security. Although it is not perfect, I think it is always better than closed source since you have to trust that single source.
sr. member
Activity: 353
Merit: 250
Zichain
January 19, 2015, 02:38:22 PM
#2
Pretty nice & simple to understand Educational Guide mate.
Good job, thank you :D You may wanna ask the Moderators to stick this thread :)
hero member
Activity: 882
Merit: 1006
January 19, 2015, 02:32:55 PM
#1
If you have strong suspicions that one of your accounts or wallets has been hacked, then you'll need to follow the guide below. This guide will help you mitigate the damage of the hack and help ensure that you will not be the victim of another hack, so if you suspect you've been hacked, follow it step-by-step.

Step 1: Figure out what devices may be compromised and turn them off

First thing you should do is figure out which devices (such as your phone, tablet, laptop, gaming console) you used to log in to those accounts or which ones had access to those wallets. For the time being, you will have to assume that those devices are entirely compromised until you figure out how the hack occurred.

Shut them down or pull the plug on them immediately. If they have been hacked or infected with sophisticated malware you cannot trust any output from them. Any application you use on the device could be manipulated and everything you do could be monitored or changed by the attacker; therefore you cannot use those devices until you are entirely sure they are 100% safe. Treat this like a crime scene and do not turn them on, in order to preserve evidence.

Step 2: Get to a secure machine and attempt to secure all accounts/wallets that have been hacked

Next you'll need to find another device to use that you trust is not compromised. If you have an old spare computer, I would recommend using that. It would be advisable to download a Live OS, such as Ubuntu and run it on the device.
Do not use or download the Live OS on a device which you think might be compromised.

If your wallet has been hacked:
Generate a new wallet and move any remaining funds to it using a backup of your compromised wallet.
Do not use any of the old Bitcoin addresses ever again. If you are expecting a payment to one of them in the future, be sure to give the sender a new Bitcoin address.

If an account has been hacked:
Change the password to a secure unique password that you have never used before. It may be a good idea to write down the passwords for the time being so that you do not forget them.
Check for any other ways to recover your account, such as recovery questions, and make sure to change those too. It may be a good idea to create a new account and abandon the old one after you have recovered it, since it is possible the hacker has left a "backdoor", such as a hidden recovery question, in order to re-access the account in the future.

Step 3: Find out how your accounts/wallets were accessed

Next you'll need to figure out exactly how you were hacked.

If an account was hacked:
Try and figure out if the hacker logged in via password, or reset it via email/recovery questions.
If the hacker logged in via password, that password is compromised.
If the hacker reset your password via email, your email account was compromised.

If there is no record of the hacker logging in, but you still suspect the account was hacked (for example, the last login to your PayPal account was you but there was an unauthorized withdrawal), or if the hacker logged into your account from your IP, then one of your suspected devices is compromised.

Step 4: Secure any other accounts that used those login credentials

If a password was compromised:
If you used that password for another account or wallet, you'll need to change your password on every account that you used it on. Follow the advice in step 2.

If an email account was compromised:
Email accounts are the "key" to your online identity as most websites will let you reset your password using your email address. It is possible that the hacker will have attempted to place a "backdoor" in your email account so that they can regain access to it at a later date, so never use the compromised email address ever again if possible.
1. Try to regain access to the email account and change the password/recovery procedures ASAP.
2. Create a new email address with an email provider that you trust.
3. Change the email address on every account that is linked to the old email address to your new one.
4. Set up your old email address to forward any emails to your new email address.

Step 5: Try and find out how your wallet/login credentials were compromised

Once you are at this step you'll have mitigated the possible damage the hacker can cause as much as you can. Next you'll need to figure out how your login credentials were compromised in the first place.
This is the step most people skip, but it is arguably the most important step because if you do not figure out how they were compromised then it will happen to you again.

First of all, you'll need to ask yourself some questions and do some heavy thinking.

If your password was compromised, how did that happen?
-Did you reuse your password on any other website?
-If so, which ones?
-Is it possible one of those websites was hacked, or is it possible one of the websites is owned by a malicious entity?
-When did you last enter that password? How long have you been using it for?
-It may be a good idea to do a Google search for your old password once you have stopped using it for everything. Place quotes " " around your password to do an exact search. It is possible that your password ended up in a password leak from a hacked website.

If your email account was compromised:
-Follow the advice in step 3 to figure out how it was accessed.
-If a password was compromised, follow the advice above.

If your wallet was compromised:
-Where did you store the wallet?
-What devices are able to access it?
-Was the wallet encrypted?
-Where did you store the wallet backups? Were they encrypted?

If the wallet and backups were only stored locally on your devices, and not on a remote service, then you can be sure that one of the devices that stored the wallet is compromised.

Did you run any software on a device that was not created by and downloaded from a trusted source? If so, what was it? Did you install anything recently on a device? Do some research online and see if you can find out if you have installed any trojan viruses.

Step 6: Try and find out if/how the device was compromised

If one of the devices you suspect is a computer or has a removable hard drive, I would recommend removing the hard drive and connecting it up as a secondary drive to your secure PC.

DO NOT RUN ANY EXECUTABLE FILE ON THIS HARD DRIVE

If you cannot remove the hard drive, turn on the device but make sure it cannot connect to the internet: unplug ethernet cables and WiFi adapters, or if you can't unplug them, unplug your WiFi modem. Boot the device from a Live OS if possible, or boot the device in Safe Mode.

Check the browser history on the device. Did you recently visit a phishing website? If so, that is likely how your password was compromised and your device is likely safe.

Do some research online of all installed software on the computer. Is any of it known to contain malware? If so, then the device is compromised. Never install that piece of software again.

Download a trustworthy anti-virus program and scan the device. If you find anything, then the device is compromised.

Step 7: Secure any other accounts or wallets that were accessible by a compromised device

You will need to figure out every account/wallet you've accessed on a compromised device and repeat step 2 on those accounts/wallets. You can use the browser history to aid you with this part.

If you are unsure if a particular device is compromised, I would recommend getting help from a computer security forum such as BleepingComputer or even BitcoinTalk. If you are still unsure if a device is compromised you should err on the side of caution and assume it is.

Step 8: Reformat and do a full reinstall on any device which is compromised

Download your operating system for the device. During the partitioning stage, be sure to delete the entire partition table, so that you are sure both your MBR and boot partition are going to be overwritten.

If your device is a phone/tablet/console, do a factory reset and check online to see if it's possible to reflash the device. If so, reflash the device with new firmware that you download from a trustworthy source.

Step 9: Improve your security

Do not install any software that is developed by or downloaded from a non-trustworthy source. Always check that the installer is digitally signed by a trusted key.

Use an anti-virus program, but do not rely on it. Virus writers constantly scan their viruses with anti-virus scanners; when they are detected they stop distributing that version of the virus and keep making small changes to it until the anti-virus program is unable to detect it, and then start distributing this new undetected version. Anti-virus products only provide a small amount of protection. You should use common sense first: just because a virus scanner says a file isn't a known virus, that does not mean it is safe.

Use a password manager, such as LastPass.

Use 2FA on your accounts whenever available. Note that 2FA will not protect you from sophisticated malware that can hijack your session, so don't rely on 2FA too much.

Keep all of your software up-to-date. Enable automatic updates wherever available.

Note: this guide is unfinished, I'll be adding more to it soon. Feel free to leave suggestions below. Donations are much appreciated: 16EJ8oEeFpGU6TcQKHMBedZTbVGRwHCWaZ
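As an added example that is not part of this thread, a safer way to do the password-leak check from step 5 than typing the password into a search engine: only the first five hex characters of the password's SHA-1 are sent to a breach lookup service and the rest is matched locally, so the password itself never leaves your machine. The range response below is a constructed sample; `online_fetch` uses the real Pwned Passwords range endpoint but is not called by default.

```python
import hashlib
import urllib.request

# Constructed sample of a k-anonymity range response for the SHA-1 prefix
# "5BAA6": each line is "<35-hex-char suffix>:<times seen in breaches>".
# The third entry is the real suffix of SHA-1("password"); the counts and
# the other suffixes are made up so the example runs offline.
SAMPLE_RANGES = {
    "5BAA6": (
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:7\n"
    ),
}


def hash_prefix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the lookup service and the 35-char suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network lookup; only knows the constructed prefix."""
    return SAMPLE_RANGES.get(prefix, "")


def online_fetch(prefix: str) -> str:
    """Real lookup against the Pwned Passwords range API (needs network)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=offline_fetch) -> int:
    """Return how many times the password appears in the range list, or 0.
    Only the prefix leaves the machine; the suffix match is done locally."""
    prefix, suffix = hash_prefix(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


if __name__ == "__main__":
    for pw in ("password", "some-long-unique-passphrase-42"):
        print(pw, "->", breach_count(pw))
```

Pass `fetch=online_fetch` to `breach_count` to query the live service; a non-zero count means the password has appeared in a public breach and should never be reused.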