I just got hacked - any help is welcome! (25,000 BTC stolen) - page 16.

CharlieContent

full member

Activity: 210

Merit: 100

Quote from: Maged on June 15, 2011, 02:20:40 PM

Quote from: ribuck on June 15, 2011, 02:09:56 PM

A newbie who can't post in this forum has identified that the address your coins went to is a donation receiving address of LulzSec:

http://forum.bitcoin.org/index.php?topic=17386.msg223015

It wasn't LulzSec. That press release was a fake copy.

Real press release:
http://pastebin.com/i5M0LB58
Fake:
http://pastebin.com/88nGp508

True, that press release is fake, but look at the thief's BlockExplorer record: http://blockexplorer.com/address/1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg

One of the sent transactions from this wallet goes to 176LRX4WRWD5LWDMbhr94ptb2MW9varCZP
And what is this wallet? The GENUINE LulzSec donation wallet.

So we can surmise that the thief is at least sympathetic to LulzSec if not directly linked, which would give weight to this guys claims: http://twitter.com/#!/Anonakomis . He is a guy affiliated with LulzSec. On this twitter account, he boasts about being responsible for the theft, and how he has donated a small amount from it to LulzSec.

Fuck, I feel like Poirot.

synergy543

newbie

Activity: 19

Merit: 0

@Allinvain - Bitcoins are apparently very traceble. Check this out....

This article has some very interesting information.
http://www.forexyard.com/en/news/Bitcoin-exchanges-offer-anti-money-laundering-aid-2011-06-15T220113Z

"Karpeles [MagicalTux] said Bitcoin transactions were in fact traceable. He said that while the system had been built to be anonymous, it was "really easy to track Bitcoins across the network."

"Donald Norman, the co-founder of a London-based consultancy that serves Bitcoin exchanges, said that a data file existed which reflected the complete history of Bitcoin transactions, so that "the ownership of every single coin is completely known and traceable."

ShadowOfHarbringer

legendary

Activity: 1470

Merit: 1006

Bringing Legendary Har® to you since 1952

Quote from: Nescio on June 15, 2011, 01:25:18 PM

none of that helps against a compromised machine.

Actually, it does.
You may fool an attacker into thinking that he hacked all the layers, while he only hacked top 2 of them.
Security by obscurity + surprise element.

Quote from: Nescio on June 15, 2011, 01:25:18 PM

It will still happily grab all of your TrueCrypt passwords, your mouse movements, all the fractal windows you have open etc.

Who needs mouse movements when you can connect to a (virtual) machine using encrypted VNC connection ?
The possibilities are endless. VM is just the beginning of the things you can do.

Quote from: Nescio on June 15, 2011, 01:25:18 PM

there have been exploits for detecting and getting out of a VM (exactly because people expect VMs to be safe).

Not all of the exploits work on all kinds of VM's.
Also, a possible attacker may not be prepared for task of this level of complexity.

Quote from: Nescio on June 15, 2011, 01:25:18 PM

The only way you can be secure is by using a separate, clean, minimal installation on different hardware from the daily use, net connected machine.

This is certainly the best way, but having a hall of mirrors is also useful when you are only using single machine.
As I said, "the possibilities are endless. VM is just the beginning of things you can do".

Generally my thinking is that you can create multiple levels of complexity and every one of the makes it more difficult for the attacker to hack you.

MoonShadow

legendary

Activity: 1708

Merit: 1010

Quote from: allinvain on June 15, 2011, 02:38:03 PM

I'd like to use that system for secure banking also, but hmm...guess that may not be a good idea. It would be nice if there was a portable version of the client that stores the wallet.dat file within it's own directory. This way say you can run the client from an encrypted USB drives like IronKey.

The standard client can do that. That is the only way I run a client on a Windows machine, ever.

allinvain

legendary

Activity: 3080

Merit: 1080

Quote from: jerfelix on June 15, 2011, 12:06:59 PM

Quote from: beyondnotion on June 15, 2011, 12:09:14 AM

I had an idea for this concept a couple of months ago when I was thinking about running my own Bitcoin ATM drive through bank.

Run a computer with some kind of secure linux distro. Tiny core would be a good base to work from since its one of the most lightweight distros.(Only 10 MB or so!)

Run the standard stable bitcoin server with every port blocked except the ports need by the bitcoin server.

Tiny core runs completely in memory so if some one were to try and compromise the machine and it lost power then everything would be permanently erased. No trace. In order for your wallet to be recoverable, enable a script that periodically encrypts your wallet and sends it a remote databank, like google docs, drop box, ect. Do not use hard drives.

Install SSH but use key based authentication with a password needed to unlock your private key. This would allow you access to your machine from any terminal on your local network. Disable password logins and make sure the ssh port is blocked from outside access.

Connect the headless server to your Ethernet, never use a wifi network!

Also connect the pc to a back up power supply and surge protector.

Hope this helps!

PS: I'm thinking about making a linux distro based off of this called SecuCoin. Using microcore+bitcoind+openssh = ~10 MB for the whole OS!

This OS would not have a gui and would need a gui implementation for access from a external terminal.

Why even connect to the net at all? You can create a "vault" wallet file on a disconnected PC, store the wallet file in a real safe, and send bitcoins from your minimal wallet to your "vault" Bitcoin Address anytime you want.

Years from now, when you need to access your savings, retrieve the wallet file from the safe. Once the whole blockchain is loaded, your coins will be waiting for you.

I'd like to use that system for secure banking also, but hmm...guess that may not be a good idea. It would be nice if there was a portable version of the client that stores the wallet.dat file within it's own directory. This way say you can run the client from an encrypted USB drives like IronKey.

Maged

legendary

Activity: 1204

Merit: 1015

Quote from: ribuck on June 15, 2011, 02:09:56 PM

A newbie who can't post in this forum has identified that the address your coins went to is a donation receiving address of LulzSec:

http://forum.bitcoin.org/index.php?topic=17386.msg223015

It wasn't LulzSec. That press release was a fake copy.

Real press release:
http://pastebin.com/i5M0LB58
Fake:
http://pastebin.com/88nGp508

ribuck

donator

Activity: 826

Merit: 1060

A newbie who can't post in this forum has identified that the address your coins went to is a donation receiving address of LulzSec:

http://forum.bitcoin.org/index.php?topic=17386.msg223015

Nescio

jr. member

Activity: 56

Merit: 1

Quote from: ShadowOfHarbringer on June 15, 2011, 10:33:07 AM

Quote from: gene on June 15, 2011, 10:21:23 AM

This is the dumbest bullshit ever.

Of course it is, because you said so.
How can we ever doubt you, you are such a SMART-ASS !

Quote from: gene on June 15, 2011, 10:21:23 AM

Everybody please ignore this "advice."

Yes, and become easy prey to hackers of all sorts.

He's got a point. You are advocating layering a lot of complexity on top of eachother, but none of that helps against a compromised machine. It will still happily grab all of your TrueCrypt passwords, your mouse movements, all the fractal windows you have open etc.

A VM is only useful for protecting the host from guests, not the other way around. Also, that may not be the case anymore either, as there have been exploits for detecting and getting out of a VM (exactly because people expect VMs to be safe).

The only way you can be secure is by using a separate, clean, minimal installation on different hardware from the daily use, net connected machine.

Waschtel

newbie

Activity: 18

Merit: 0

I just started a poll asking any victims about the miners they have installed on their systems.

I have listed all the miners you had installed on your system, allinvain.

The post can be found here:

http://forum.bitcoin.org/index.php?topic=17432.0

Maybe there will be a pattern.

jerfelix

sr. member

Activity: 266

Merit: 250

Quote from: beyondnotion on June 15, 2011, 12:09:14 AM

I had an idea for this concept a couple of months ago when I was thinking about running my own Bitcoin ATM drive through bank.

Run a computer with some kind of secure linux distro. Tiny core would be a good base to work from since its one of the most lightweight distros.(Only 10 MB or so!)

Run the standard stable bitcoin server with every port blocked except the ports need by the bitcoin server.

Tiny core runs completely in memory so if some one were to try and compromise the machine and it lost power then everything would be permanently erased. No trace. In order for your wallet to be recoverable, enable a script that periodically encrypts your wallet and sends it a remote databank, like google docs, drop box, ect. Do not use hard drives.

Install SSH but use key based authentication with a password needed to unlock your private key. This would allow you access to your machine from any terminal on your local network. Disable password logins and make sure the ssh port is blocked from outside access.

Connect the headless server to your Ethernet, never use a wifi network!

Also connect the pc to a back up power supply and surge protector.

Hope this helps!

PS: I'm thinking about making a linux distro based off of this called SecuCoin. Using microcore+bitcoind+openssh = ~10 MB for the whole OS!

This OS would not have a gui and would need a gui implementation for access from a external terminal.

Why even connect to the net at all? You can create a "vault" wallet file on a disconnected PC, store the wallet file in a real safe, and send bitcoins from your minimal wallet to your "vault" Bitcoin Address anytime you want.

Years from now, when you need to access your savings, retrieve the wallet file from the safe. Once the whole blockchain is loaded, your coins will be waiting for you.

jerfelix

sr. member

Activity: 266

Merit: 250

Quote from: Dude65535 on June 14, 2011, 07:34:41 PM

On the positive side, if you can sufficiently document the loss you have one hell of a tax deduction.

Not quite, unless he declared the Bitcoin gain, in which case, it's a wash.

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: allinvain on June 15, 2011, 10:26:43 AM

Quote from: casascius on June 15, 2011, 10:05:46 AM

A lingering question I have is, why were only 25,000 coins taken? It sounds like you had more coins than that. And what have you done to secure the remainder of your coins?

Yep I had a bit more than that..not much more..the thief took 25,000.61 BTC.

My only theory is that he had an earlier copy of my wallet? But still that does not make sense as I used the same payout address for all the funds I mined as for the very first address the client generated...soo technically he should've been able to get those funds as well. Maybe this was his way of showing me the middle finger..sort of like "here you go you stupid fuck..I left you something so you can buy yourself something.."

I don't know, I am merely speculating and speculation does me no good.

It's possible that he didn't have the entire blockchain downloaded when he thought he did, so it didn't show the entire balance.

ShadowOfHarbringer

legendary

Activity: 1470

Merit: 1006

Bringing Legendary Har® to you since 1952

Quote from: gene on June 15, 2011, 10:21:23 AM

This is the dumbest bullshit ever.

Of course it is, because you said so.
How can we ever doubt you, you are such a SMART-ASS !

Quote from: gene on June 15, 2011, 10:21:23 AM

Everybody please ignore this "advice."

Yes, and become easy prey to hackers of all sorts.

allinvain

legendary

Activity: 3080

Merit: 1080

Quote from: casascius on June 15, 2011, 10:05:46 AM

A lingering question I have is, why were only 25,000 coins taken? It sounds like you had more coins than that. And what have you done to secure the remainder of your coins?

Yep I had a bit more than that..not much more..the thief took 25,000.61 BTC.

My only theory is that he had an earlier copy of my wallet? But still that does not make sense as I used the same payout address for all the funds I mined as for the very first address the client generated...soo technically he should've been able to get those funds as well. Maybe this was his way of showing me the middle finger..sort of like "here you go you stupid fuck..I left you something so you can buy yourself something.."

I don't know, I am merely speculating and speculation does me no good.

gene

sr. member

Activity: 252

Merit: 250

Quote from: ShadowOfHarbringer on June 15, 2011, 10:01:00 AM

Quote from: allinvain on June 15, 2011, 09:32:16 AM

So what you're saying though is to encrypt the entire linux HD with trucrypt? right? not just create a truecrypt image on the VM's HD.

I am saying about a following scheme:

1. Create encrypted TrueCrypt hard drive.
2. Put a VirtualBox disk with VirtualBox Linux machine on it.
3. Install TrueCrypt within the Virtual Machine
4. Create encrypted TrueCrypt hard drive within the VM.
================== (LAYER 2) ==================
5. Create a VirtualBox disk with VirtualBox Linux machine on the VM.
6. Install TrueCrypt within the Virtual Machine in Virtual Machine
7. Create encrypted TrueCrypt hard drive within the VM in VM.
================== (LAYER 3) ==================
(...)
================== (LAYER 4) ==================
(...)

And so on...

This is the dumbest bullshit ever.

Everybody please ignore this "advice." Also, VMs cannot protect data.

allinvain

legendary

Activity: 3080

Merit: 1080

Quote from: Mageant on June 15, 2011, 09:53:22 AM

Quote from: allinvain on June 15, 2011, 08:34:38 AM

Quote from: Waschtel on June 15, 2011, 07:07:11 AM

One obvious question:

Have you installed any alternative bitcoin clients or mining software? I have been seeing many programs pop up lately in the bitcoin eco-system, and nobody is vetting them.
As this is an attack against a bitcoin wallet, it is most likely that the virus/malware is mimicking legit bitcoin software - a generic, automated virus would not be looking for bitcoins.

no alternative bitcoin clients but mining software for sure Sad

...I ran phoenix, guiminer, poclbm, cpu miner, ufasoft sse miner..I also gave namecoin a try on the same machine...

Yes this could be cause whoever stole this sure knows BTC. It seems he's a pro at laundering btc.

The next question is, which client were you using to connect to Slush's pool when your account there got hacked?
That one could be the culprit.

I was using phoenix 1.48 and I still am..(oh oh, should I dump it?) and before that I was using all the previous versions of phoenix, but all my miners are and were running phoenix pretty much for a long time. I also had guiminer running idle in the background for some time too - I would use it to ensure that my gpu's are being detected. I also had plans to maybe switch to it when it supported phoenix with the phatk kernel.

Btw, I've been using the phatk kernel for some time now.

casascius

vip

Activity: 1386

Merit: 1140

The Casascius 1oz 10BTC Silver Round (w/ Gold B)

A lingering question I have is, why were only 25,000 coins taken? It sounds like you had more coins than that. And what have you done to secure the remainder of your coins?

ShadowOfHarbringer

legendary

Activity: 1470

Merit: 1006

Bringing Legendary Har® to you since 1952

Quote from: allinvain on June 15, 2011, 09:32:16 AM

So what you're saying though is to encrypt the entire linux HD with trucrypt? right? not just create a truecrypt image on the VM's HD.

I am saying about a following scheme:

1. Create encrypted TrueCrypt hard drive.
2. Put a VirtualBox disk with VirtualBox Linux machine on it.
3. Install TrueCrypt within the Virtual Machine
4. Create encrypted TrueCrypt hard drive within the VM.
================== (LAYER 2) ==================
5. Create a VirtualBox disk with VirtualBox Linux machine on the VM.
6. Install TrueCrypt within the Virtual Machine in Virtual Machine
7. Create encrypted TrueCrypt hard drive within the VM in VM.
================== (LAYER 3) ==================
(...)
================== (LAYER 4) ==================
(...)

And so on...

Mageant

legendary

Activity: 1145

Merit: 1001

Quote from: allinvain on June 15, 2011, 08:34:38 AM

Quote from: Waschtel on June 15, 2011, 07:07:11 AM

One obvious question:

Have you installed any alternative bitcoin clients or mining software? I have been seeing many programs pop up lately in the bitcoin eco-system, and nobody is vetting them.
As this is an attack against a bitcoin wallet, it is most likely that the virus/malware is mimicking legit bitcoin software - a generic, automated virus would not be looking for bitcoins.

no alternative bitcoin clients but mining software for sure Sad

...I ran phoenix, guiminer, poclbm, cpu miner, ufasoft sse miner..I also gave namecoin a try on the same machine...

Yes this could be cause whoever stole this sure knows BTC. It seems he's a pro at laundering btc.

The next question is, which client were you using to connect to Slush's pool when your account there got hacked?
That one could be the culprit.

Serge

legendary

Activity: 1050

Merit: 1000

Quote from: sonba on June 15, 2011, 07:42:10 AM

ok, so what I learned from this thread is that I shouldn't use IRC any more as it might lead to being attacked. I understand that connecting to IRC via webchat is safe? Is this correct? (Sorry, I'm a bit worried now, too *g*)

After I posted my comment about IRC early in this thread I realized that even webchat interface won't help you much as it takes your host mask/IP and relays it to the rest of IRC network, so even with web chat others in IRC will know your "physical" connection and can probe to penetrate router/firewall security - I've been out of IRC for a long time and can't really say it router/firewall is sufficient in protecting from such probes.

Then, even if you don't go on IRC, a believe there are some channels where all client/miner nodes are, so as we mine and use clients our IPs/hostmasks are visible from the IRC. and as been mentioned before intruder can get full list of all IPs and and go through each one looking for least secure ones.

Topic: I just got hacked - any help is welcome! (25,000 BTC stolen) - page 16. (Read 381810 times)