Topic: *MY* Mt Gox Account was Hacked - lost it all today... now what!? (Read 9952 times)

This should really be an option.

In fact, a user should be able to specify their own time limit, in hours, that they want a withdrawal address change to be delayed.  They might set it to 1 hour, or 5 days.  A good default might be 48 hours.

The email should contain a link required to confirm the address change.

A person should be allowed to lock their account indefinitely in the event of it being compromised.  A "Freeze my account - it may be compromised" link.  Perhaps this could be a unique link existing in their original registration email (to prevent just anyone from locking other random people's accounts).  This lock could be undone by the person verifying their identification with MtGox support.

The yubikey is good, but not everyone uses it or has one.  Even with the yubikey, I am still afraid of a keylogger.  The above security procedures would largely mitigate risk even against keyloggers and other malware.

Let this be a reminder that keyloggers / trojans are far more common than most people suspect. Enable 2-factor, better safe than sorry.

How to use 2-factor auth on mtgox, even without a smartphone

Everyone would all agree no system is attack proof, but a two factor model and secured software/behavior practice do add up to the total difficulty of the attack, which shouldn't be put up as a "total security thertre", at least from my understanding.

I already showed that the man in the middle attack doesnt require root. Remember how this discussion started, someone who got his MtGox account emptied and someone else claiming that couldnt have happened when he used ubikey and/or linux. Clearly this is not true, it could have happened with yubikey and running an up to date linux with nothing but very common OSS software from the official repositories (in this case, OpenJDK).

I am in no way suggesting Linux is less safe than windows, Im just arguing against the mindset that a yubi key and Linux is all you need to be safe. Thats no less silly than thinking a windows antivirus program solves all problems.

You nicely illustrate a point by using for an example a piece of software that is closed-source.

That is not strictly true....
One example.. Oracle under linux.. oracle runs java inside the database, actually it does not... what it does is launch a JVM as ROOT!!!!! then links that back into the database and onto the user.
Back in 2006/2007 on 9i I found a number of exploits to leverage an attack via java in oracle.... I'm still waiting for oracle to reply back to me. and that was before the current bolox of oracle buying sun and making things 100x worse........

This is an excellent point.

Not unless the user is running as root is the system wide open on GNU/Linux. I will not say that GNU/Linux is invulnerable, it just has a way lower risk than Microsoft Windows by about six orders of magnitude. As for the Java vulnerability disabling the Java browser plugin addresses the vulnerability as per the link above. The latter link also shows how Microsoft Windows is vulnerable to additional attacks via Microsoft Office.

Phishing attacks by their very nature work on any OS, so one could in principle get a GNU/Linux user to provide a root password in order to install malware with the right temptation such as some good old Microsoft or propriety software bashing.

As for a man in the middle attack, this involves forging certificates and spoofing the DNS. Again GNU/Linux gives a powerful tool against a DNS spoofing attack namely running bind9 to set up one's own DNS on ones network. An attack on the ISP's DNS will fail not only on the GNU/Linux machine but also on Microsoft Windows Machines that use the DNS on the local GNU/linux machine.

The bottom line with Bitcoin is that if one wishes to use a currency whose entire security model is based on software and hardware freedom, it is only prudent to say the least to use an operating system based upon Free Software.

Im not sure about that. For instance, it would help a whole lot if MtGox/yubi didnt only authenticate the user, but also the transaction. A more intelligent and versatile device (or a smartphone) could show you the transaction and let you authenticate that specific transaction, and nothing else. Hacking that would be orders of magnitude more difficult I think.

Im sure there are other ways, and perhaps what I describe isnt feasible or can be hacked in other ways, its just that this yubi key as is seems to add extremely little extra security (and using linux doesnt add all that much either).

We certainly agree on that score: no "website" style interface is sufficiently secure or can be made sufficiently secure to handle bitcoins. As long as you see a "login" over http it's vulnerable. All the dongles and doohickeys in the world, be they yubikeys or whatever else, all the software solutions in the world, be they https or whatever else can't fix the simple fact that http is not a stateful protocol, and consequently the notion of "logged in" is irretrievably broken.

Good for you. A windows user that doesnt have java installed isnt vulnerable to this exploit either.

But I think I made my point clear enough ; Yubi key doesnt protect you from much if anything other than easy to guess or non unique/stolen passwords. And running Linux doesnt change anything about that. The vast majority of linux users, even the ones that also use a ubi key will still be vulnerable to these kinds of attacks.

What nao?

Congrats, your system is wide open.
Oracle Java 7 update 10 and earlier Java 7 versions are affected. OpenJDK 7, and subsequently IcedTea, are also affected.
Impact
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system
IcedTea   Affected   -   16 Jan 2013
OpenJDK   Affected   -   14 Jan 2013
http://www.kb.cert.org/vuls/id/625617

Please stop thinking just because you use linux your system is somehow invulnerable. It isnt.

java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5) (ArchLinux-6.b24_1.11.5-1-x86_64)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)

The HTML5 phishing attack works on any OS, and for the monkey-in-the-middle attack, you wouldnt even have to download malware, just buggy software that opens an attack vector is enough. Vulnerabilities in eg Firefox tend to be crossplatform.
If you think you are so secure just because you run linux, tell me the output of

What you describe most certainly adds security because it does not require Microsoft Windows, it is actually very similar to what Google Authenticator or a Yubikey would do. I have come across situations where a bank has required the reader to be connected to the PC with a Windows only driver for the reader. In which case this actually makes the situation far worse by forcing the user to use Microsoft Windows



I have and while it is theoretically possible to compromise a GNU/Linux system it is way way harder than with Microsoft Windows. One of the reasons is cultural. How do you get the malware software on to the end user system in the first place? With GNU/Linux say Ubuntu the end user is encouraged to use trusted repositories, with the alternative being downloading the source code and compiling the software. The latter deters those users that are not technically savvy, who are precisely the most vulnerable. With Microsoft Windows the vast majority of the software is not obtained from a centralized trusted source. Furthermore many otherwise legitimate vendors prompt for the installation of all sorts of adware and toolbars. This effectively blurs the line between legitimate software and malware. I have seen even very experienced Windows administrators get fooled by Windows malware. I know because I had to clean up the mess.

What you are describing is a malicious Firefox add on that is downloaded from an untrusted source. I suggest that between two users with the same level of expertise one on Microsoft Windows and one on GNU/Linux, the Windows user is far more likely to download malware for the cultural reasons above.

Its standalone, it doesnt even connect to your PC, so you could be running OS/2 for all I care. It looks like a calculator, you insert your ATM card, enter your pin, enter the numbers (=challenge) from the website on the "calculator" and you retype the response on your PC. Tedious? Yeah, it is, but at least it does offer more real security then a USB dongle that will sign anything.


Though Im a linux user, I cant agree. If windows were to be eliminated and replaced by linux, malware would just follow. If firefox has some vulnerability that can be exploited, running linux offers no help. As I demonstrated, for the kind of attack I described, no root access is even needed. Any dodgy user level software could open one up to such an attack, regardless if you run windows, os-x or linux. Regardless if you use a ubikey or use google authenticator.


I guess you read nothing of what I wrote.

Does the card reader work on GNU/Linux? Or does it require Microsoft Windows? If it requires Microsoft Windows or some other propriety OS then I suggest that the setup above is security theatre. Let me guess the OP was running Microsoft Windows, the computer was compromised with malware and the MTGox password was captured by the attacker.

Once one accepts that fact that Microsoft Windows is a magnet for all sorts of malware and keyloggers and switches to GNU/Linux well over 99.999% of the risk is eliminated. For extra security set up the MtGox account with both a YubiKey obtained from MtGox and Google Authenticator. One should use both in case the Yubikey fails or is lost or the Google Authenticator private key becomes un obtainable or is lost.

By the way the savings in unnecessary software licensing costs by switching form Microsoft Windows and proprietary applications to GNU/Linux and Free Software may be enough to replace a portion if not all of the OP's loss. 

?
Website specific, yeah sure, but the website specific code would be like a few dozen lines of javascript that just changes the bitcoin address. And there is no need to implement a full browser, your victim already has a perfectly capable browser, you only need to enable an addon with functionality like greasemonkey and the "10 line" script. Thats not harder than copying a few readily available files to your victims mozilla folder. No root needed. Greasemonkey is opensource, so it would also be trivial to make a few changes that even the button doesnt appear. Honestly, i think even I could even pull this off, and I cant really code.


Ah, you mean the HTML5 spoof? Okay. Well, obviously you can spoof the certificate checking just as well (Im a little surprised the author didnt), because you arent even looking at a real address bar.  And the site is not responsive because the author didnt want to steal your money. Its a proof of concept.


None. Im using ubuntu, no sudo popup, meaning anyone with user access to my machine could install it. Makes sense since the browser addons are stored in the user's home folder, so there is nothing to prompt for root. Feel free to try on windows, but even if the windows GUI would popup some security question, I suspect in windows its fundamentally no different, and only user privileges are required if you do it by accessing the file system directly, as any hacker would.

Isn't installing addons trigger a security response?