
Topic: *MY* Mt Gox Account was Hacked - lost it all today... now what!? (Read 9987 times)

legendary
Activity: 1400
Merit: 1005
Even just offering the option to assign one pre-determined bitcoin address would provide an equivalent level of security, even if you did no PGP automation whatsoever.  The pre-determined bitcoin address could either be a) withdrawn to directly, or b) for those who know how to sign messages, it could be used to sign a message that permits withdrawal to some other address.  All of this could be evaluated in any environment already accustomed to working with bitcoin keypairs.

We could easily add the "limit to one bitcoin address" thing, but there is a problem with the bitcoin message signature process that makes it difficult to implement (last time I checked the bitcoin message signature uses a different way of signing compared to transactions to make shorter signatures, but it's been an issue).

Add optional "withdraw to one address only".

Add 48 hour delay before changing the addresses, during which you'd get two emails, and see a giant warning when you log in.
This should really be an option.

In fact, a user should be able to specify their own time limit, in hours, that they want a withdrawal address change to be delayed.  They might set it to 1 hour, or 5 days.  A good default might be 48 hours.

The email should contain a link required to confirm the address change.

A person should be allowed to lock their account indefinitely in the event of it being compromised.  A "Freeze my account - it may be compromised" link.  Perhaps this could be a unique link existing in their original registration email (to prevent just anyone from locking other random people's accounts).  This lock could be undone by the person verifying their identification with MtGox support.

The yubikey is good, but not everyone uses it or has one.  Even with the yubikey, I am still afraid of a keylogger.  The above security procedures would largely mitigate risk even against keyloggers and other malware.
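The withdrawal-address lock, the user-chosen delay on address changes with an e-mailed confirmation link, and the "freeze my account" link described in the post above, as an added example in Python. It is not code from the thread or from MtGox. Everything in it is assumed for illustration: the class and method names, that the confirmation and freeze tokens are delivered by a mailer not shown here, and that the current time is passed in by the caller so the delay can be exercised without waiting 48 hours.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


class PolicyError(Exception):
    """Raised when the withdrawal policy refuses an action."""


@dataclass
class WithdrawPolicy:
    """Per-account state (assumed design): one locked withdrawal address,
    at most one pending change, and a freeze switch."""
    delay_seconds: int = 48 * 3600          # user-chosen; 48 h is the suggested default
    locked_address: Optional[str] = None    # the only address withdrawals may go to
    pending_address: Optional[str] = None
    pending_ready_at: float = 0.0           # epoch seconds when the change may be confirmed
    pending_token: Optional[str] = None     # secret carried by the e-mailed confirmation link
    frozen: bool = False
    # secret carried by the unique "freeze my account" link in the registration e-mail
    freeze_token: str = field(default_factory=lambda: secrets.token_urlsafe(24))

    def request_address_change(self, new_address: str, now: float) -> Optional[str]:
        """Start a change. Returns the token the mailer must send in the confirmation
        link, or None if no address was locked yet and it was assigned immediately."""
        if self.frozen:
            raise PolicyError("account frozen")
        if self.locked_address is None:
            self.locked_address = new_address
            return None
        self.pending_address = new_address
        self.pending_ready_at = now + self.delay_seconds
        self.pending_token = secrets.token_urlsafe(24)
        return self.pending_token

    def confirm_address_change(self, token: str, now: float) -> str:
        """Commit the pending change: only with the e-mailed token, only after the delay."""
        if self.frozen:
            raise PolicyError("account frozen")
        if self.pending_token is None or not hmac.compare_digest(token, self.pending_token):
            raise PolicyError("bad or missing confirmation token")
        if now < self.pending_ready_at:
            raise PolicyError("delay has not elapsed")
        self.locked_address = self.pending_address
        self.pending_address = self.pending_token = None
        return self.locked_address

    def cancel_pending_change(self) -> None:
        """The owner, warned by the two e-mails and the login banner, aborts the change."""
        self.pending_address = self.pending_token = None

    def authorize_withdrawal(self, destination: str) -> bool:
        """Refuse any destination but the locked address; a pending change does not count."""
        if self.frozen:
            raise PolicyError("account frozen")
        if self.locked_address is not None and destination != self.locked_address:
            raise PolicyError("destination is not the locked withdrawal address")
        return True

    def freeze(self, token: str) -> None:
        """Lock the account via the unique link from the registration e-mail."""
        if not hmac.compare_digest(token, self.freeze_token):
            raise PolicyError("bad freeze token")
        self.frozen = True
        self.cancel_pending_change()

    def unfreeze_after_identity_check(self) -> None:
        """Only support, after verifying the owner's identity, lifts the freeze."""
        self.frozen = False
```

With this in place a stolen password or a keylogged session buys the attacker nothing immediately: the withdrawal goes only to the locked address, and moving it means a token the attacker must fetch from the victim's mailbox plus a wait during which the owner is told twice.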
legendary
Activity: 826
Merit: 1001
rippleFanatic
Let this be a reminder that keyloggers / trojans are far more common than most people suspect. Enable 2-factor, better safe than sorry.

How to use 2-factor auth on mtgox, even without a smartphone
full member
Activity: 154
Merit: 100
java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5) (ArchLinux-6.b24_1.11.5-1-x86_64)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)

Congrats, your system is wide open.
Oracle Java 7 update 10 and earlier Java 7 versions are affected. OpenJDK 7, and subsequently IcedTea, are also affected.
Impact
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system
IcedTea   Affected   -   16 Jan 2013
OpenJDK   Affected   -   14 Jan 2013
http://www.kb.cert.org/vuls/id/625617

Please stop thinking that just because you use Linux your system is somehow invulnerable. It isn't.

The system is not wide open on GNU/Linux unless the user is running as root.

I already showed that the man-in-the-middle attack doesn't require root. Remember how this discussion started: someone got his MtGox account emptied and someone else claimed that couldn't have happened if he had used a Yubikey and/or Linux. Clearly this is not true; it could have happened with a Yubikey and running an up-to-date Linux with nothing but very common OSS software from the official repositories (in this case, OpenJDK).

I am in no way suggesting Linux is less safe than Windows, I'm just arguing against the mindset that a Yubikey and Linux are all you need to be safe. That's no less silly than thinking a Windows antivirus program solves all problems.

Everyone would agree no system is attack-proof, but a two-factor model and secure software/behaviour practices do add to the total difficulty of the attack, which shouldn't be written off as "total security theatre", at least from my understanding.
donator
Activity: 2772
Merit: 1019
The system is not wide open on GNU/Linux unless the user is running as root. I will not say that GNU/Linux is invulnerable, it just has a way lower risk than Microsoft Windows, by about six orders of magnitude. As for the Java vulnerability, disabling the Java browser plugin addresses the vulnerability as per the link above. The latter link also shows how Microsoft Windows is vulnerable to additional attacks via Microsoft Office.

That is not strictly true....
One example: Oracle under Linux. Oracle runs Java inside the database; actually it does not, what it does is launch a JVM as ROOT!!!!! then link that back into the database and onto the user.
Back in 2006/2007 on 9i I found a number of exploits to leverage an attack via Java in Oracle.... I'm still waiting for Oracle to reply back to me, and that was before the current bollocks of Oracle buying Sun and making things 100x worse........

You nicely illustrate a point by using for an example a piece of software that is closed-source.
hero member
Activity: 756
Merit: 522
The bottom line with Bitcoin is that if one wishes to use a currency whose entire security model is based on software and hardware freedom, it is only prudent to say the least to use an operating system based upon Free Software.

This is an excellent point.
legendary
Activity: 2282
Merit: 1050
Monero Core Team
Phishing attacks by their very nature work on any OS, so one could in principle get a GNU/Linux user to provide a root password in order to install malware with the right temptation, such as some good old Microsoft or proprietary software bashing.

As for a man-in-the-middle attack, this involves forging certificates and spoofing the DNS. Again GNU/Linux gives a powerful tool against a DNS spoofing attack, namely running bind9 to set up one's own DNS on one's network. An attack on the ISP's DNS will fail not only on the GNU/Linux machine but also on Microsoft Windows machines that use the DNS on the local GNU/Linux machine.

legendary
Activity: 980
Merit: 1040
I'm not sure about that. For instance, it would help a whole lot if MtGox/Yubi didn't only authenticate the user, but also the transaction. A more intelligent and versatile device (or a smartphone) could show you the transaction and let you authenticate that specific transaction, and nothing else. Hacking that would be orders of magnitude more difficult I think.

I'm sure there are other ways, and perhaps what I describe isn't feasible or can be hacked in other ways, it's just that this Yubikey as is seems to add extremely little extra security (and using Linux doesn't add all that much either).
hero member
Activity: 756
Merit: 522
What nao?

Good for you. A Windows user that doesn't have Java installed isn't vulnerable to this exploit either.

But I think I made my point clear enough; a Yubikey doesn't protect you from much if anything other than easy-to-guess or non-unique/stolen passwords. And running Linux doesn't change anything about that. The vast majority of Linux users, even the ones that also use a Yubikey, will still be vulnerable to these kinds of attacks.

We certainly agree on that score: no "website" style interface is sufficiently secure or can be made sufficiently secure to handle bitcoins. As long as you see a "login" over http it's vulnerable. All the dongles and doohickeys in the world, be they yubikeys or whatever else, all the software solutions in the world, be they https or whatever else can't fix the simple fact that http is not a stateful protocol, and consequently the notion of "logged in" is irretrievably broken.
hero member
Activity: 756
Merit: 522
The HTML5 phishing attack works on any OS, and for the monkey-in-the-middle attack, you wouldn't even have to download malware; just buggy software that opens an attack vector is enough. Vulnerabilities in e.g. Firefox tend to be cross-platform.
If you think you are so secure just because you run linux, tell me the output of
Code:
java -version

Quote
The program 'java' can be found in the following packages:
 * gcj-4.4-jre-headless
 * openjdk-6-jre-headless
 * cacao
 * gij-4.3
 * jamvm
Try: sudo apt-get install

What nao?
legendary
Activity: 2282
Merit: 1050
Monero Core Team
Does the card reader work on GNU/Linux? Or does it require Microsoft Windows?

It's standalone, it doesn't even connect to your PC, so you could be running OS/2 for all I care. It looks like a calculator: you insert your ATM card, enter your PIN, enter the numbers (= challenge) from the website on the "calculator" and you retype the response on your PC. Tedious? Yeah, it is, but at least it does offer more real security than a USB dongle that will sign anything.

What you describe most certainly adds security because it does not require Microsoft Windows; it is actually very similar to what Google Authenticator or a Yubikey would do. I have come across situations where a bank has required the reader to be connected to the PC with a Windows-only driver for the reader. In which case this actually makes the situation far worse by forcing the user to use Microsoft Windows.

Quote
Let me guess: the OP was running Microsoft Windows, the computer was compromised with malware and the MtGox password was captured by the attacker.

Once one accepts the fact that Microsoft Windows is a magnet for all sorts of malware and keyloggers and switches to GNU/Linux well over 99.999% of the risk is eliminated.

Quote
Though I'm a Linux user, I can't agree. If Windows were to be eliminated and replaced by Linux, malware would just follow. If Firefox has some vulnerability that can be exploited, running Linux offers no help. As I demonstrated, for the kind of attack I described, no root access is even needed. Any dodgy user-level software could open one up to such an attack, regardless of whether you run Windows, OS X or Linux. Regardless of whether you use a Yubikey or Google Authenticator.

Quote
For extra security set up the MtGox account with both a YubiKey obtained from MtGox and Google Authenticator. One should use both in case the Yubikey fails or is lost or the Google Authenticator private key becomes unobtainable or is lost.

I guess you read nothing of what I wrote.

I have and while it is theoretically possible to compromise a GNU/Linux system it is way way harder than with Microsoft Windows. One of the reasons is cultural. How do you get the malware software on to the end user system in the first place? With GNU/Linux say Ubuntu the end user is encouraged to use trusted repositories, with the alternative being downloading the source code and compiling the software. The latter deters those users that are not technically savvy, who are precisely the most vulnerable. With Microsoft Windows the vast majority of the software is not obtained from a centralized trusted source. Furthermore many otherwise legitimate vendors prompt for the installation of all sorts of adware and toolbars. This effectively blurs the line between legitimate software and malware. I have seen even very experienced Windows administrators get fooled by Windows malware. I know because I had to clean up the mess.

What you are describing is a malicious Firefox add on that is downloaded from an untrusted source. I suggest that between two users with the same level of expertise one on Microsoft Windows and one on GNU/Linux, the Windows user is far more likely to download malware for the cultural reasons above.
legendary
Activity: 2282
Merit: 1050
Monero Core Team
One more comment; with my home banking, I have a card reader into which I have to insert my ATM card, and enter the challenge presented by my home banking website. This challenge always includes the amount and some significant digits of the account I'm transferring to. If someone were to use a "greasemonkey in the middle" attack on me, at least I might notice the amount and/or account number don't match what I'm trying to send. As I understand it, the Yubikey doesn't have anything like that, you just plug it in, and that's it. I hate to say it, but that sounds like security theatre to me. Having a unique and decently safe password would give the exact same security AFAICT. If your PC is compromised, not even rooted (!), you are SOL with or without the Yubikey.

Does the card reader work on GNU/Linux? Or does it require Microsoft Windows? If it requires Microsoft Windows or some other proprietary OS then I suggest that the setup above is security theatre. Let me guess: the OP was running Microsoft Windows, the computer was compromised with malware and the MtGox password was captured by the attacker.

Once one accepts the fact that Microsoft Windows is a magnet for all sorts of malware and keyloggers and switches to GNU/Linux well over 99.999% of the risk is eliminated. For extra security set up the MtGox account with both a YubiKey obtained from MtGox and Google Authenticator. One should use both in case the Yubikey fails or is lost or the Google Authenticator private key becomes unobtainable or is lost.

By the way, the savings in unnecessary software licensing costs by switching from Microsoft Windows and proprietary applications to GNU/Linux and Free Software may be enough to replace a portion if not all of the OP's loss.
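The two schemes argued about above, a standalone card reader whose challenge carries the amount and part of the destination account versus a press-only OTP that "will sign anything", as an added example in Python. This is not code from the thread, from any bank, or from Yubico. The challenge layout (8-digit amount, last 4 digits of the destination, 2-digit nonce), the HMAC-SHA256 response, the sample card key and PIN, and the IBAN-like account numbers are all constructed for illustration; the point is the data flow, not any real reader's algorithm.

```python
import hashlib
import hmac

# Constructed secrets: a real card key lives only on the card and in the bank's HSM.
CARD_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PIN_HASH = hashlib.sha256(b"1234").digest()   # what the card checks the typed PIN against

INTENDED_ACCOUNT = "NL91ABNA0417164300"   # constructed IBAN-like account numbers
ATTACKER_ACCOUNT = "NL02RABO0123456789"
AMOUNT_CENTS = 10000                      # 100.00


def transaction_challenge(amount_cents: int, dest_account: str, nonce: int) -> str:
    """Bank side. 8-digit amount, last 4 digits of the destination, 2-digit nonce.
    The bank page shows these digits and the user types them into the reader, so
    whatever the reader answers is bound to this amount and this destination."""
    digits = "".join(c for c in dest_account if c.isdigit())
    return f"{amount_cents:08d}{digits[-4:].rjust(4, '0')}{nonce % 100:02d}"


def _code(challenge: str) -> str:
    """8-digit truncation of HMAC-SHA256(card key, challenge)."""
    mac = hmac.new(CARD_KEY, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def reader_response(pin: str, challenge: str) -> str:
    """Offline reader: the PIN unlocks the card, the card MACs the typed challenge."""
    if hashlib.sha256(pin.encode()).digest() != PIN_HASH:
        raise ValueError("wrong PIN")
    return _code(challenge)


def bank_verify(challenge: str, response: str) -> bool:
    """Bank side: recompute for the challenge it issued, compare in constant time."""
    return hmac.compare_digest(_code(challenge), response)


def user_checks_challenge(challenge: str, intended_cents: int, intended_account: str) -> bool:
    """The human step with the calculator in hand: do the digits on the page match
    the amount and account I actually meant to send?"""
    digits = "".join(c for c in intended_account if c.isdigit())
    return (challenge[:8] == f"{intended_cents:08d}"
            and challenge[8:12] == digits[-4:].rjust(4, "0"))


def simulate_transfer(malware_swaps_destination: bool) -> dict:
    """Browser-side malware (a user script, say) rewrites the destination field before
    the form is submitted. The bank only ever sees the swapped form, so its challenge
    carries the attacker's digits, and an attentive user refuses to answer it."""
    submitted = ATTACKER_ACCOUNT if malware_swaps_destination else INTENDED_ACCOUNT
    challenge = transaction_challenge(AMOUNT_CENTS, submitted, nonce=7)
    user_accepts = user_checks_challenge(challenge, AMOUNT_CENTS, INTENDED_ACCOUNT)
    response = reader_response("1234", challenge) if user_accepts else None
    return {"challenge": challenge,
            "user_accepts": user_accepts,
            "bank_accepts": bank_verify(challenge, response) if response else False}


def press_only_otp(counter: int) -> str:
    """Contrast: a press-to-emit code. Only the device key and a press counter go in."""
    return hmac.new(CARD_KEY, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:12]


def bank_verify_otp(counter: int, otp: str, submitted_account: str) -> bool:
    """Bank side for the dongle case. submitted_account is unused on purpose: nothing
    the user pressed was bound to it, so the swapped destination is accepted."""
    return hmac.compare_digest(press_only_otp(counter), otp)


def simulate_otp_transfer(malware_swaps_destination: bool) -> bool:
    """Same swap as above, but with the press-only dongle: the bank accepts either way
    and the user is never shown anything to compare."""
    submitted = ATTACKER_ACCOUNT if malware_swaps_destination else INTENDED_ACCOUNT
    return bank_verify_otp(42, press_only_otp(42), submitted)
```

The difference is not the strength of the MAC, it is what goes into it: the reader's response commits to the digits the user can see and verify, while the press-only code commits to nothing about the transaction, so it authorises whatever the compromised browser submitted.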
legendary
Activity: 980
Merit: 1040
I checked with your illustration, I definitely agree it is possible to attack this way, but as I said, they need to implement a full browser functionality and specific website functionality to get this working

?
Website specific, yeah sure, but the website-specific code would be like a few dozen lines of JavaScript that just changes the bitcoin address. And there is no need to implement a full browser, your victim already has a perfectly capable browser, you only need to enable an add-on with functionality like Greasemonkey and the "10 line" script. That's not harder than copying a few readily available files to your victim's Mozilla folder. No root needed. Greasemonkey is open source, so it would also be trivial to make a few changes so that even the button doesn't appear. Honestly, I think even I could pull this off, and I can't really code.

Quote
, otherwise, a little savvy will help you quickly realize something is wrong. At least when I press the button, I got two address bars, mine and the fake one. And the "website" is not reactive to normal operations. (Checking certificate, for example, and my address bar did show it is not BOA.)

Ah, you mean the HTML5 spoof? Okay. Well, obviously you can spoof the certificate checking just as well (I'm a little surprised the author didn't), because you aren't even looking at a real address bar. And the site is not responsive because the author didn't want to steal your money. It's a proof of concept.

Quote
Doesn't installing add-ons trigger a security response?

None. I'm using Ubuntu, no sudo popup, meaning anyone with user access to my machine could install it. Makes sense since the browser add-ons are stored in the user's home folder, so there is nothing to prompt for root. Feel free to try on Windows, but even if the Windows GUI would pop up some security question, I suspect in Windows it's fundamentally no different, and only user privileges are required if you do it by accessing the file system directly, as any hacker would.
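A check for the scenario in the post above (add-on files dropped into the user's own Firefox profile, with no root prompt to notice), as an added example in Python that is not from the thread. It assumes the profile layout of Firefox and Greasemonkey of that era: add-ons under <profile>/extensions/ as <id>.xpi files or <id>/ directories, and Greasemonkey's installed user scripts under <profile>/gm_scripts/<script name>/. The allowlist, the sample profile it builds in a temporary directory, and the add-on ids ending in example.invalid are all constructed.

```python
import os
import tempfile

# Assumed layout (Firefox/Greasemonkey of the 2013 era): add-ons live under
# <profile>/extensions/ as <id>.xpi files or <id>/ directories, and Greasemonkey
# keeps every installed user script in <profile>/gm_scripts/<script name>/.
# Real profiles sit under ~/.mozilla/firefox/<profile>/ and are user-writable,
# which is why dropping files there never asks for root.


def list_extensions(profile_dir: str) -> list:
    """Add-on ids present in the profile, taken from file and directory names."""
    ext_dir = os.path.join(profile_dir, "extensions")
    if not os.path.isdir(ext_dir):
        return []
    return [entry[:-4] if entry.endswith(".xpi") else entry
            for entry in sorted(os.listdir(ext_dir))]


def list_user_scripts(profile_dir: str) -> list:
    """Names of Greasemonkey user scripts installed in the profile."""
    gm_dir = os.path.join(profile_dir, "gm_scripts")
    if not os.path.isdir(gm_dir):
        return []
    return sorted(d for d in os.listdir(gm_dir)
                  if os.path.isdir(os.path.join(gm_dir, d)))


def scan_profile(profile_dir: str, allowed_ids) -> dict:
    """Report add-ons outside the allowlist and every user script present: a
    script that runs on an exchange's pages is exactly what the post describes."""
    unexpected = [i for i in list_extensions(profile_dir) if i not in allowed_ids]
    return {"unexpected_extensions": unexpected,
            "user_scripts": list_user_scripts(profile_dir)}


def build_sample_profile() -> str:
    """Constructed profile: one expected add-on, one dropped-in add-on, one script."""
    root = tempfile.mkdtemp(prefix="ff-profile-")
    os.makedirs(os.path.join(root, "extensions", "greasemonkey-sample@example.invalid"))
    with open(os.path.join(root, "extensions", "adblock-sample@example.invalid.xpi"), "wb") as f:
        f.write(b"PK")   # only the file name matters for this scan
    os.makedirs(os.path.join(root, "gm_scripts", "swap-withdraw-address"))
    return root


if __name__ == "__main__":
    profile = build_sample_profile()
    print(scan_profile(profile, allowed_ids={"adblock-sample@example.invalid"}))
```

Run against a real profile directory with an allowlist of the add-on ids you actually installed; anything else listed, and any user script you do not remember adding, is worth looking at before typing an exchange password again.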
full member
Activity: 154
Merit: 100
Alright, I tried it. I installed Greasemonkey and then some random Greasemonkey script that switches Gmail to the minimal layout.
To get there, I've never entered my root password, so root isn't even needed (in contrast to a keylogger!). The Gmail address bar shows everything okey dokey, and there is no obvious way to see Greasemonkey is even running. There is a Greasemonkey button added to the toolbar that I didn't even notice at first, but I can remove it, without needing any root privilege. Mind you, the attacker wouldn't even have to use Greasemonkey as such, just trying to show how "easy" it can be.

Doesn't installing add-ons trigger a security response?