Topic: Info about the recent attack - page 5. (Read 52527 times)

donator
Activity: 2772
Merit: 1019
September 13, 2011, 02:38:03 PM
were wallet.dat files uploaded or not?
To answer your question with another question:

Why would they go after your wallet.dat when they could just go after your browser's (unprotected by default) password store?

What are you talking about? How would they gain access to the browser password store?
full member
Activity: 196
Merit: 100
September 13, 2011, 02:30:55 PM
Sure this has been answered. Not trying to be annoying. Just couldn't find it and didn't feel like reading the entire thread, and got an e-mail from one of the pools (or it could be bull spam) saying that attempts were made to upload wallet.dats when you came here during the cosbycoin time.  I did not on a machine that has a bitcoin wallet on it.  This is posted on several pools though, including bitcoinpool, so I was just checking.

Passwords changed, and I don't store any passwords in the browser of any importance anyway.
full member
Activity: 176
Merit: 100
September 13, 2011, 01:01:24 PM
were wallet.dat files uploaded or not?
To answer your question with another question:

Why would they go after your wallet.dat when they could just go after your browser's (unprotected by default) password store?
hero member
Activity: 560
Merit: 501
September 13, 2011, 12:46:48 PM
were wallet.dat files uploaded or not?
My oh my.

EDIT: Did you know the progress bar was brought to you by Mt.Gox?
full member
Activity: 196
Merit: 100
September 13, 2011, 12:44:43 PM
were wallet.dat files uploaded or not?
hero member
Activity: 530
Merit: 500
September 12, 2011, 11:56:26 PM
The principle of this browser extension is that at any site where you are asked to enter a password, the extension will enter a password that is sha256( + domain) (or any other cryptographic hash function). For example, if my chosen password is "masterpassword", the password that would be used to log into gmail.com would be sha256("masterpasswordgmail.com") (=9b2b649d3124c81093f9080a88b9d3723940dfe0707d8524d0403c9641bc99c3).

According to your description you only get entropy matching your password. Unless your password is a complex 12-character password, that means an attacker can still brute-force it. While they do need to know that your passwords are generated this way, they have knowledge of the domain of the site, and the above indeed looks like an obvious hash.

Security by obscurity isn't.
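To make the critique concrete, here is an added example (not code from the extension described in the thread) that implements the scheme as the quoted post describes it, hex SHA-256 over master + domain, and shows why the derived password is no stronger than the master: anyone who knows the scheme and the domain can verify master-password guesses offline against one observed site password. The wordlist is constructed for illustration.

```python
"""Strength of sha256(master + domain) per-site passwords is bounded by the master.
Added example; the WORDLIST is constructed, not taken from any real leak."""
import hashlib
import math

# Constructed sample of weak masters an attacker would try first.
WORDLIST = ["password", "letmein", "qwerty123", "masterpassword", "bitcoin2011"]


def derive(master, domain):
    """The scheme from the thread: hex SHA-256 of master concatenated with the domain."""
    return hashlib.sha256((master + domain).encode("utf-8")).hexdigest()


def output_bits():
    """A 64-hex-character password looks like 256 bits of strength ..."""
    return 256


def master_bits(length, alphabet_size):
    """... but the real keyspace is the master's: alphabet_size ** length guesses."""
    return length * math.log2(alphabet_size)


def recover_master(site_password, domain, candidates):
    """What 'knows the scheme and the domain' buys an attacker who has seen one
    derived password: every candidate master is checkable with a single fast,
    unsalted hash. Returns the matching candidate or None."""
    for cand in candidates:
        if derive(cand, domain) == site_password:
            return cand
    return None


if __name__ == "__main__":
    leaked = derive("masterpassword", "gmail.com")
    print("derived password:", leaked)
    print("apparent bits:", output_bits(), "real bits for an 8-char lowercase master:",
          round(master_bits(8, 26), 1))
    print("master recovered from constructed wordlist:",
          recover_master(leaked, "gmail.com", WORDLIST))
```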


hero member
Activity: 530
Merit: 500
September 12, 2011, 11:53:29 PM
The point is

... that you even after having been told you've completely misunderstood "salt" kept posting your misinformed rants.

"Ignore user" is the best thing that's happened to these forums.

legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
September 12, 2011, 10:32:16 PM

Create 4 random passwords which contains no special characters and are 10 characters long:
Code:
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 4


It struck me as strange that /dev/urandom is being used instead of /dev/random. The latter blocks until the entropy pool is replenished. The reason /dev/urandom is needed is that the above script throws away a lot of information. It is still an interesting little script (using tools installed by default in many distros), but a dedicated tool like pwgen (that another user suggested) is probably better.

I am posting this reply because another user was suggesting using /dev/urandom as a source of entropy based on the above script, possibly not understanding the implications. If you want guaranteed entropy, you use /dev/random. If all you need is "very good pseudorandom," then you would use /dev/urandom.

In the above script, the following happens:
  • High quality pseudorandom bytes are generated.
  • 75% of those are filtered out because they are not one of the 62 allowed characters.
  • The lines are wrapped to the desired width.
  • The first 4 lines (passwords) are displayed. I think the whole chain quits when 'head' exits (+- buffering).

Edit: I totally used the 12 digit, special character version for my updated forum password. The use of 'grep' at the end may actually weaken the passwords by omitting any that do not use special characters.
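The following added example (not the poster's script) reproduces the pipeline's rejection filter in Python and does the entropy accounting the post sketches: how many bytes `tr -dc` discards, how many bits a 10-character alphanumeric password carries, and how much the `grep`-for-a-special-character step in the 12-character variant actually costs. It assumes the special-character alphabet is Python's `string.punctuation` (32 symbols); the original post does not say which set was used.

```python
"""Entropy accounting for the /dev/urandom | tr -dc | fold | head pipeline.
Added example; mirrors the shell filter with os.urandom instead of cat /dev/urandom."""
import math
import os
import string

ALNUM = string.ascii_letters + string.digits   # the 62 characters kept by tr -dc 'a-zA-Z0-9'
SPECIAL = string.punctuation                   # assumed alphabet of the "special character" variant


def generate(length, count, alphabet=ALNUM):
    """Rejection-sample like the shell pipeline: draw random bytes, keep only
    those that are allowed characters, cut the stream into fixed-width lines."""
    allowed, out, buf = set(alphabet), [], ""
    while len(out) < count:
        for b in os.urandom(64):
            ch = chr(b)
            if ch in allowed:
                buf += ch
                if len(buf) == length:
                    out.append(buf)
                    buf = ""
                    if len(out) == count:
                        break
    return out


def discard_fraction(alphabet):
    """Share of random bytes tr -dc throws away: 1 - |alphabet| / 256 (about 75% for 62 chars)."""
    return 1 - len(alphabet) / 256


def entropy_bits(length, alphabet_size):
    """log2 of the number of equiprobable passwords of this length."""
    return length * math.log2(alphabet_size)


def entropy_loss_requiring_special(length, alnum=62, special=len(SPECIAL)):
    """The post's concern: grep keeps only passwords containing a special character,
    dropping the all-alphanumeric ones. Returns (bits before, bits after, bits lost)."""
    total = (alnum + special) ** length
    before = math.log2(total)
    after = math.log2(total - alnum ** length)
    return before, after, before - after


if __name__ == "__main__":
    for pw in generate(10, 4):
        print(pw)
    print("discarded by tr -dc: %.1f%%" % (100 * discard_fraction(ALNUM)))
    print("bits in a 10-char alnum password: %.2f" % entropy_bits(10, 62))
    print("bits lost by requiring a special char (12 chars): %.4f"
          % entropy_loss_requiring_special(12)[2])
```

The grep step removes only the (62/94)^12 share of passwords with no punctuation, so the loss is a few hundredths of a bit; the 12-character, 94-symbol password keeps essentially all of its ~78.7 bits.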
sr. member
Activity: 350
Merit: 251
September 12, 2011, 05:52:27 PM
you are unable to refute therefore you go after the way i write, WTG! i congradz you on your proper spelling and capitalization and grammar and all that, while in reality i also am perfectly able to do so, but it simply takes longer to type the additional punctuation, yet you are perfectly able to understand everything i write out.
I shit you not, it actually takes me longer to backspace and un-capitalize words, and to write improperly. You should practice it... most people don't have to sit there and think about how to spell and use proper grammar. Kinda like using blinkers in a lane change (I'm guessing you're too holier-than-thou to do that, either). It just becomes habit if you ever gave 2 shits enough to think about it.

And really, I already refuted you 2 pages ago. I just didn't have to (nor want to) reply to you, but rather to the other people that actually took the minuscule amount of mental effort to present their ideas in a meaningful and more linguistically-respectable manner.

tldr: Suck it, you're not worth the time nor mental effort I've already expended in trying to reason with you.

edit: But 'gratz on your 666th post.  Roll Eyes

u2
full member
Activity: 176
Merit: 100
September 12, 2011, 05:36:52 PM
you are unable to refute therefore you go after the way i write, WTG! i congradz you on your proper spelling and capitalization and grammar and all that, while in reality i also am perfectly able to do so, but it simply takes longer to type the additional punctuation, yet you are perfectly able to understand everything i write out.
I shit you not, it actually takes me longer to backspace and un-capitalize words, and to write improperly. You should practice it... most people don't have to sit there and think about how to spell and use proper grammar. Kinda like using blinkers in a lane change (I'm guessing you're too holier-than-thou to do that, either). It just becomes habit if you ever gave 2 shits enough to think about it.

And really, I already refuted you 2 pages ago. I just didn't have to (nor want to) reply to you, but rather to the other people that actually took the minuscule amount of mental effort to present their ideas in a meaningful and more linguistically-respectable manner.

tldr: Suck it, you're not worth the time nor mental effort I've already expended in trying to reason with you.

edit: But 'gratz on your 666th post.  Roll Eyes
sr. member
Activity: 350
Merit: 251
September 12, 2011, 05:21:19 PM
what your saying is stupid on all kinds of levels. any and all information should be shared in any and all forms of communications. you trying to hid information that others could use to increase security elsewhere might not make it to where it needs to be, all because you thought you were helping.
I stopped taking you seriously at that "your" part, but continued to read through your self-perpetuated lack of capitalization* just for entertainment value. And for similar entertainment value, I figure I should tell you that it would've been just as effective, and much less damaging, to have just left out the part about "how the passwords are stored" and just cut to the "if your password is this long" part. There was absolutely no benefit to blurting out exactly how the passwords are stored.

* - that is, "what does it matter to me what some idiot forum noob thinks about my spelling" / "i don't need to be in grammer class whenever i go onlien, fukk you" / "i feel like relaying my low mood and chronic depression through the use of nocaps" / "I Swear i could write Proper Grammar when I need too, I don't need some Stupid forum troll telling me what too do!"

Srsly?
So, in short. You belong to the crowd who believe your own non-vetted coding to be vastly superior to the joint work of others, when it comes to writing secure online software, yet you have no idea what salt is or why it's used?
Salting basically changes the original value and the comparison value with a known figure so the hashes can't be referenced to a lookup table, and so they can't be broken without knowing the salt value. Oh wait, we know the salt value now. Haha, that was easy™.

Again, with the big exclamation of, "Everyone lock your doors, they might have gotten a copy of the KEY TO THE KINGDOM! *attachment: high-res picture of key to the kingdom.jpg*"

you are unable to refute therefore you go after the way i write, WTG! i congradz you on your proper spelling and capitalization and grammar and all that, while in reality i also am perfectly able to do so, but it simply takes longer to type the additional punctuation, yet you are perfectly able to understand everything i write out.
hero member
Activity: 560
Merit: 501
September 12, 2011, 03:13:22 PM
Goddammit, theymos.
full member
Activity: 120
Merit: 100
September 12, 2011, 03:11:35 PM
Fortunately for me, for all forum accounts I use one of four usernames, and one of six passwords. So even factoring in preferring a username and a password over the others, the majority of forum accounts I have will be safe. And then for important accounts, obviously use a safe semi-secure password and change it semi-annually.

Hardly the best security policy, but it's better than most.
full member
Activity: 176
Merit: 100
September 12, 2011, 02:30:28 PM
I suppose that is true. With admin access, they just had to press one button to get a full database dump. That is much less work than coding a dump program yourself.

Basically, this is a case where you just have to weigh the risks that the hacker would decide to suddenly start cracking the passwords after you release the details, to the damage that anything less than full disclosure would cause to your reputation. Remember when Mt.Gox was hiding things how pissed everyone was?
Well, wasn't around for that, but I do remember hearing all the uproar about it (in fact, I hopped on the Bitcoin wagon just as things were beginning to crash-and-burn around then - I tend to do that with tech trends *facepalm*). But just to contrast: SMF is "open source", remember? "Anyone could figure out how passwords are hashed", or so the parroting went just a few pages ago Wink I still don't think it was necessary at all to rehash (pun) the details of how SMF hashes passwords. It wouldn't've been hiding anything to have not mentioned it - the notification that passwords may have been compromised is really all that needed to be disclosed.

Of course, since it's my reasoning against a person wearing the title "mod", if this is anything like any other forum, cue the community blindly bashing the guy that doesn't 100% agree with the post Wink
Nobody here really thinks that mods are special. We just happen to read more posts than everyone else, so we were given the power to moderate the forum ourselves instead of having to report everything.
Hey, that works for me (and I also noticed in the subsequent [lack of] replies). Certainly a change of pace from the typical forum behavior I'd grown accustomed to after 10+ years of forums Smiley

FWIW, I haven't had any spam yet, and I do the unique-email thing as well (so I'd know where it came from). Does everyone getting Liberty Reserve emails have an account there? They could be bouncing the addresses off Liberty Reserve to see if they have an account, before sending the phishing mails...
legendary
Activity: 1204
Merit: 1015
September 12, 2011, 02:27:26 PM
I'm getting that spam on my old MtGox address, not my forum address.
legendary
Activity: 1855
Merit: 1016
September 12, 2011, 02:09:51 PM
Well, I'm already getting spam on my unique email address generated for the forum so we might consider that if that leaked, the hashes leaked as well:

+1.

I am also getting spam from libertyreserve.com saying that I got a gift, my account is blocked....
Besides, I got an email in my inbox from libertyreserve saying someone sent me money, 0.01 USD, to my account.
But nothing was in my account.

legendary
Activity: 1112
Merit: 1000
September 12, 2011, 01:58:22 PM

Passwords

It is not known for sure that the attacker copied any password hashes, but it should be assumed that he did.


Well, I'm already getting spam on my unique email address generated for the forum so we might consider that if that leaked, the hashes leaked as well:

Code:
Received: by 10.42.220.135 with SMTP id hy7cs191738icb;
        Mon, 12 Sep 2011 05:57:14 -0700 (PDT)
Received: by 10.14.13.14 with SMTP id a14mr1481921eea.41.1315832233374;
        Mon, 12 Sep 2011 05:57:13 -0700 (PDT)
Return-Path:
Received: from x
        by mx.google.com with ESMTPS id 36si4325308eeh.202.2011.09.12.05.57.12
        (version=TLSv1/SSLv3 cipher=OTHER);
        Mon, 12 Sep 2011 05:57:13 -0700 (PDT)
Received-SPF: fail (google.com: domain of [email protected] does not designate Y as permitted sender) client-ip=Y;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of [email protected] does not designate Y as permitted sender) [email protected]
Received: from yama-bousai-web.bosai.vill.yamato.lg.jp ([61.194.116.165])
by X (8.14.1/8.14.1) with ESMTP id p8CCvAWf028904
for ; Mon, 12 Sep 2011 14:57:11 +0200 (CEST)
Message-Id: <201109121257.p8CCvAWf028904@X>
Received: from User ([66.219.29.150])
          by yama-bousai-web.bosai.vill.yamato.lg.jp
          (Post.Office MTA v4.1.0.4 release 20090417
           ID# 6014-053U50L50S0V41J) with ESMTP id jp;
          Mon, 12 Sep 2011 19:48:48 +0900
From: "[email protected]"
Subject: Liberty Reserve Bonus Winner
Date: Mon, 12 Sep 2011 19:48:28 +0900
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-9"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

[HTML body of the phishing mail, tags stripped; recoverable text only]

20% Bonus Winner

CONGRATULATIONS!

You have won a the chance to WIN 20% Bonus of your Liberty Reserve account balance. One time - Limited BONUS Offer! You can earn 0.5usd (Balance: 10usd) or up to 500usd (Balance: 10.000usd) depending on your account balance. This BONUS Form must be completed in maximum 5 days using the link below or you will not qualify for the 20% Bonus. Please be aware that if your account balance is 10usd your bonus will be 0(zero) and you will not qualify for the instant Free Bonus. You can use one of our authorized exchangers listed on www.libertyreserve.com website and upload money secure in your account.

How can I get my Bonus?

Click "GET BONUS!" text below and complete the Bonus Request Form on our website and find your bonus using your current balance:

GET BONUS!

To increase your bonus you can use one of our autorized exchangers to upload money in your account! Please be aware that this Bonus Offer will expire in 5 bussiness days! Bonus amount will be added to your account balance in maximum 24 hours!

2002 - 2011  Liberty Reserve S.A. All rights reserved.

legendary
Activity: 1204
Merit: 1015
September 12, 2011, 01:30:49 PM
[doc_brown] You're not thinking 4th-dimensionally! [/doc_brown]

Imagine for a moment that they took a snapshot of the database as any good "hello, world!" hack would do. And they didn't take a snapshot just for the sake of cracking passwords, but just part of a routine "let's see what we can get out of it" thing. That enables a 3rd possibility: that they have the database (no need for further hacks/exploits from that point on to get hashes), that they didn't have the intention of snooping passwords, but now they have the motivation to try it (which they didn't, before the information was posted).
I suppose that is true. With admin access, they just had to press one button to get a full database dump. That is much less work than coding a dump program yourself.

Basically, this is a case where you just have to weigh the risks that the hacker would decide to suddenly start cracking the passwords after you release the details, to the damage that anything less than full disclosure would cause to your reputation. Remember when Mt.Gox was hiding things how pissed everyone was?

Of course, since it's my reasoning against a person wearing the title "mod", if this is anything like any other forum, cue the community blindly bashing the guy that doesn't 100% agree with the post Wink
Nobody here really thinks that mods are special. We just happen to read more posts than everyone else, so we were given the power to moderate the forum ourselves instead of having to report everything.
full member
Activity: 176
Merit: 100
September 12, 2011, 12:55:43 PM
[doc_brown] You're not thinking 4th-dimensionally! [/doc_brown]

Imagine for a moment that they took a snapshot of the database as any good "hello, world!" hack would do. And they didn't take a snapshot just for the sake of cracking passwords, but just part of a routine "let's see what we can get out of it" thing. That enables a 3rd possibility: that they have the database (no need for further hacks/exploits from that point on to get hashes), that they didn't have the intention of snooping passwords, but now they have the motivation to try it (which they didn't, before the information was posted).

Of course, since it's my reasoning against a person wearing the title "mod", if this is anything like any other forum, cue the community blindly bashing the guy that doesn't 100% agree with the post Wink
legendary
Activity: 1204
Merit: 1015
September 12, 2011, 12:04:24 PM
Helped? No. Sparked the idea? That's my point. It's a psychological thing, not a technological thing. It's like the candy stands at the checkout... when you go through a grocery store, do you ever actually SEEK OUT the candy? Well, only if you've got candy issues Wink But generally, no. You get to the checkout, and bam: candy. Mm... candy, that would be nice to have! I can afford it, whatever. *grab*

Now, the hack. Mm, I've done all my deeds for the day, Cosbycoin is floating all over the forum, screenshots are taken, lulz are collectively had, it's been a fun day. Ahh, it's offline. Ahh, it's back online. What'd that whiny brat admin say about us? ("checkout" phase) Ooh, what's this? Haha, that's stupid-easy to do. ("candy" phase) Sure enough, it works! Haha, suckers, now we have all their passwords too.

They may or may not have actually investigated the passwords, and even still there's a probability that they hadn't. But the probability pretty much exploded the moment some dingbat thought it would be smart to advertise how the passwords are hashed.
Here's the thing: this information was only revealed AFTER the attack. As such, the hacker no longer has access to the system. If they had the idea of taking the user database and cracking the passwords, they either already did or they didn't. There is literally no way to take the user database without explicitly thinking "I want to crack everyone's password!". If they did take the user database, you can bet that they also downloaded the entire source code of the forum, just in case we made any changes to how the passwords were stored (I don't know that we did, and if we didn't change how the passwords were stored, they could have found this out from the SMF source code any time they wanted to - including well before the attack). Basically, the attacker already would have known all this. There is NO danger in revealing this information after the fact.
© 2020, Bitcointalksearch.org