
Topic: PC hacked, QT robbed, MtGox account hacked on the same time- how? (Read 2029 times)

Ins
full member
Activity: 196
Merit: 100
Your friend didn't turn off his computer when the webcam started, or disconnect it from the internet, because you said "Bitcoin QT asked for a new password".
The trojan just opens a new dialog where it asks for a password. But no password was changed, or it was changed, but sent to the hacker.
Or key-logged, because the webcam starts as you said.
hero member
Activity: 1246
Merit: 501
100x more malware / trojans on Windows systems than Linux, or even OSX for that matter.

Only if you're a moron and go browsing on dodgy sites with shitty or outdated antivirus, or a moron and using IE.


Personally I have a 'working' wallet on my PC, and my 'cold storage' wallet is on a Windows 7 install in a VM, which has its virtual drive on an external hard drive.  No way in hell that's ever being accessed unless I'm there to plug it in, fire it up, sync the wallet and shut it down again.
full member
Activity: 125
Merit: 100
I remembered hearing a really great presentation where the person, I forgot his name but he was very knowledgeable about IT security said that 2fa is useless if you have an infected PC - Man in the Middle attack will login with your 2fa and initiate a withdrawal in the same execution timeframe with the same 2fa key - I think that laymans explanation of what he had stated.  It was basically that, if you're using a malware device on either end, the MITM attack would exploit your key like an elaborate phishing attempt of sorts.

Your QT was emptied because of the new password request, which was obviously a spoof - it could have been tied to the other MITM attack that caused the Mt. Gox withdrawals - if someone else has the correct or a better explanation, I am all ears.

2FA is useless if your computer is compromised, that is if all the 2FA does is provide an ephemeral auth token to 'authorise' an action. Since there's no way to know what it is that you are in fact authenticating - it could be the withdrawal that you're seeing on the screen, or it could be that the attacker is manipulating web page content and doing something else with the token you provide.

For 2FA to be secure (assuming the 2FA device is secure), it needs to sign some data that'll only authorize the very specific withdrawal that you wish to make, so:
- destination address
for convenience this could be just the first 10 characters for example, just enough so that it is impractical to brute force it in a reasonable time frame using vanitygen
- number of coins
in case the attacker is able to both infect your machine AND socially engineer a scenario in which you willingly send money to an address he controls, except he'll adjust the number of coins once the victim authorises the tx and destination address.
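The difference described in the post above can be shown in code: a time-based code proves only that the 2FA device was present during a 30-second window, so a compromised browser can attach it to a different withdrawal, whereas a device that signs the destination-address prefix and the amount produces an authorisation that the server will reject once either field is altered. The following is an added illustration written for this thread, not code from Mt. Gox or any 2FA vendor. The shared secret, addresses and amounts are constructed sample values; the TOTP routine follows RFC 6238 and the transaction-bound scheme is a hypothetical HMAC-SHA256 over the fields the post lists.

```python
import hashlib
import hmac
import struct

# Constructed shared secret between the 2FA device and the server (example only).
DEVICE_SECRET = b"example-shared-secret-not-a-real-key"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_accepts_ephemeral(secret: bytes, presented_code: str, request: dict,
                             unix_time: int) -> bool:
    """Ephemeral-token model: the server checks the code against the clock only.
    'request' is deliberately unused, which is exactly the weakness: the code says
    nothing about which destination or amount the user thought they were approving."""
    return hmac.compare_digest(presented_code, totp(secret, unix_time))


def sign_withdrawal(secret: bytes, dest_address: str, amount_btc: str,
                    unix_time: int, step: int = 30, prefix_len: int = 10) -> str:
    """Transaction-bound model (hypothetical): the device signs the first
    prefix_len characters of the destination, the amount and the time step."""
    msg = f"{dest_address[:prefix_len]}|{amount_btc}|{unix_time // step}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def server_accepts_bound(secret: bytes, presented_sig: str, request: dict,
                         unix_time: int) -> bool:
    """The server recomputes the signature over the request it actually received,
    so any field changed in transit makes the check fail."""
    expected = sign_withdrawal(secret, request["dest"], request["amount"], unix_time)
    return hmac.compare_digest(presented_sig, expected)


def run_scenario(now: int = 1_700_000_000) -> dict:
    """Simulate a user approving one withdrawal while a compromised browser
    substitutes another. Addresses and amounts are constructed sample values."""
    legit = {"dest": "1LegitAddressConstructedForThisExample", "amount": "2.5"}
    swapped = {"dest": "1AttackerAddressConstructedForExample", "amount": "2.5"}
    inflated = {"dest": legit["dest"], "amount": "25.0"}

    # What the user's device produces for the withdrawal shown on screen.
    code = totp(DEVICE_SECRET, now)
    sig = sign_withdrawal(DEVICE_SECRET, legit["dest"], legit["amount"], now)

    return {
        "ephemeral_legit": server_accepts_ephemeral(DEVICE_SECRET, code, legit, now),
        "ephemeral_swapped_dest": server_accepts_ephemeral(DEVICE_SECRET, code, swapped, now),
        "bound_legit": server_accepts_bound(DEVICE_SECRET, sig, legit, now),
        "bound_swapped_dest": server_accepts_bound(DEVICE_SECRET, sig, swapped, now),
        "bound_inflated_amount": server_accepts_bound(DEVICE_SECRET, sig, inflated, now),
    }


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name:24s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

Running it shows the ephemeral code accepted for both the genuine and the substituted request, while the bound signature is accepted only for the request the user actually saw. The same reasoning applies to the "first 10 characters" shortcut: the prefix is part of the signed message, so the attacker must find an address sharing that prefix before the time step expires.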
legendary
Activity: 1456
Merit: 1018
HoneybadgerOfMoney.com Weed4bitcoin.com
I remembered hearing a really great presentation where the person, I forgot his name but he was very knowledgeable about IT security said that 2fa is useless if you have an infected PC - Man in the Middle attack will login with your 2fa and initiate a withdrawal in the same execution timeframe with the same 2fa key - I think that laymans explanation of what he had stated.  It was basically that, if you're using a malware device on either end, the MITM attack would exploit your key like an elaborate phishing attempt of sorts.

Your QT was emptied because of the new password request, which was obviously a spoof - it could have been tied to the other MITM attack that caused the Mt. Gox withdrawals - if someone else has the correct or a better explanation, I am all ears.
hero member
Activity: 518
Merit: 500
This is why it is important to have a dedicated secure PC for your wallet. I personally keep the PC with my wallet offline and do not browse the internet with it, it's too risky.

When I do go online with it, it is a hard wired connection, never wi-fi. Sounds like paranoia but it will safeguard you.

I personally prefer never to use a PC, if by PC you mean Windows. 100x more malware / trojans on Windows systems than Linux, or even OSX for that matter.

Very good point.

Standard issue malware won't steal your bitcoins, and a targeted attack (which seems to be the case here) is just as likely to happen on Windows as it is on Linux.

Besides, nothing can save someone who willingly runs malicious software on his computer, Linux, OSX, Windows or whatnot.

You're saying there isn't more malware / viruses / keyloggers on an average Windows machine than an average OSX or Linux machine? Joking, right???
member
Activity: 112
Merit: 10
This is why it is important to have a dedicated secure PC for your wallet. I personally keep the PC with my wallet offline and do not browse the internet with it, it's too risky.

When I do go online with it, it is a hard wired connection, never wi-fi. Sounds like paranoia but it will safeguard you.

I personally prefer never to use a PC, if by PC you mean Windows. 100x more malware / trojans on Windows systems than Linux, or even OSX for that matter.

Very good point.

Standard issue malware won't steal your bitcoins, and a targeted attack (which seems to be the case here) is just as likely to happen on Windows as it is on Linux.

Besides, nothing can save someone who willingly runs malicious software on his computer, Linux, OSX, Windows or whatnot.
hero member
Activity: 868
Merit: 1000
Almost seems like some sort of RDP or VNC type remote access...Could you ask Mt.Gox support if they can trace IP address matching that particular withdrawal transaction? I just wonder if IP address will match public IP of your friend's router or it's an external IP.

You've obviously not tried Gox support recently ... they don't even spend time doing normal stuff they should do, like processing withdrawals.

USD withdrawal delays are considered normal in mtgox lol
hero member
Activity: 518
Merit: 500
Almost seems like some sort of RDP or VNC type remote access...Could you ask Mt.Gox support if they can trace IP address matching that particular withdrawal transaction? I just wonder if IP address will match public IP of your friend's router or it's an external IP.

You've obviously not tried Gox support recently ... they don't even spend time doing normal stuff they should do, like processing withdrawals.
hero member
Activity: 605
Merit: 500
Almost seems like some sort of RDP or VNC type remote access...Could you ask Mt.Gox support if they can trace IP address matching that particular withdrawal transaction? I just wonder if IP address will match public IP of your friend's router or it's an external IP.
hero member
Activity: 518
Merit: 500
I am not sure about mtgox's security but 2-factor authentication can be bypassed via session hijacking.

PS: withdrawal can be done via API too probably, or it's also possible that OP's friend left his PC open (while being logged in on mtgox) for some time and the hacker took advantage of it.

Yep. Good point. Always log out of accounts after using them. Personally I run sites I know and trust in one browser (Chrome) and anything "new" in Safari. Not sure if it helps against attacks but I feel safer.
newbie
Activity: 62
Merit: 0
This is why it is important to have a dedicated secure PC for your wallet. I personally keep the PC with my wallet offline and do not browse the internet with it, it's too risky.

When I do go online with it, it is a hard wired connection, never wi-fi. Sounds like paranoia but it will safeguard you.

I personally prefer never to use a PC, if by PC you mean Windows. 100x more malware / trojans on Windows systems than Linux, or even OSX for that matter.

Very good point.
legendary
Activity: 1274
Merit: 1004
Not so long ago 2-factor authentication was bypassed by the same session hijacking aka cookie stealing attack. http://iandunn.name/security-reward-for-new-google-authenticator-plugin/
legendary
Activity: 1274
Merit: 1004
I am not sure about mtgox's security but 2-factor authentication can be bypassed via session hijacking.

PS: withdrawal can be done via API too probably, or it's also possible that OP's friend left his PC open (while being logged in on mtgox) for some time and the hacker took advantage of it.
hero member
Activity: 518
Merit: 500
Breaking 2FA is difficult to determine the cause of, and it's pretty rare. Is the phone rooted (assuming you use a phone)? What protects it from unauthorized access? Was it connected to the PC in the past few weeks? Is the phone connected on the same WiFi network as the PC? Is the WiFi connection protected with a strong password?

How long ago did he see the QR code or key for the Gox 2FA? Did he save it anywhere?

ETA: Oh - now that I think about it... Doesn't Gox use Yubikeys exclusively?

Gox had 2FA last time I used Gox - which was when I got all my BTC out in December.
Yubikeys are for 2FA, but a service generally only permits Yubikeys or OAuth (or short SMS codes, but those are a joke anymore). Compared to a phone, a Yubikey is much more secure in most cases, but I don't know for sure if Gox only does Yubikeys or both Yubikeys and OAuth. If only Yubikeys, this is something I've never heard of.

Gox does 2FA via OAuth as well as YubiKeys
donator
Activity: 1218
Merit: 1015
Breaking 2FA is difficult to determine the cause of, and it's pretty rare. Is the phone rooted (assuming you use a phone)? What protects it from unauthorized access? Was it connected to the PC in the past few weeks? Is the phone connected on the same WiFi network as the PC? Is the WiFi connection protected with a strong password?

How long ago did he see the QR code or key for the Gox 2FA? Did he save it anywhere?

ETA: Oh - now that I think about it... Doesn't Gox use Yubikeys exclusively?

Gox had 2FA last time I used Gox - which was when I got all my BTC out in December.
Yubikeys are for 2FA, but a service generally only permits Yubikeys or OAuth (or short SMS codes, but those are a joke anymore). Compared to a phone, a Yubikey is much more secure in most cases, but I don't know for sure if Gox only does Yubikeys or both Yubikeys and OAuth. If only Yubikeys, this is something I've never heard of.
hero member
Activity: 518
Merit: 500
This is why it is important to have a dedicated secure PC for your wallet. I personally keep the PC with my wallet offline and do not browse the internet with it, it's too risky.

When I do go online with it, it is a hard wired connection, never wi-fi. Sounds like paranoia but it will safeguard you.

I personally prefer never to use a PC, if by PC you mean Windows. 100x more malware / trojans on Windows systems than Linux, or even OSX for that matter.
hero member
Activity: 518
Merit: 500
Breaking 2FA is difficult to determine the cause of, and it's pretty rare. Is the phone rooted (assuming you use a phone)? What protects it from unauthorized access? Was it connected to the PC in the past few weeks? Is the phone connected on the same WiFi network as the PC? Is the WiFi connection protected with a strong password?

How long ago did he see the QR code or key for the Gox 2FA? Did he save it anywhere?

ETA: Oh - now that I think about it... Doesn't Gox use Yubikeys exclusively?

Gox had 2FA last time I used Gox - which was when I got all my BTC out in December.
newbie
Activity: 62
Merit: 0
This is why it is important to have a dedicated secure PC for your wallet. I personally keep the PC with my wallet offline and do not browse the internet with it, it's too risky.

When I do go online with it, it is a hard wired connection, never wi-fi. Sounds like paranoia but it will safeguard you.
donator
Activity: 1218
Merit: 1015
Breaking 2FA is difficult to determine the cause of, and it's pretty rare. Is the phone rooted (assuming you use a phone)? What protects it from unauthorized access? Was it connected to the PC in the past few weeks? Is the phone connected on the same WiFi network as the PC? Is the WiFi connection protected with a strong password?

How long ago did he see the QR code or key for the Gox 2FA? Did he save it anywhere?

ETA: Oh - now that I think about it... Doesn't Gox use Yubikeys exclusively?
hero member
Activity: 518
Merit: 500
Sorry to hear that. Check for unknown processes running in the background; your antivirus software should've prompted when a process tried to establish a connection.

Once Windows has been taken over to that extent, you need to start again, right from the beginning, wipe the drive, clean install.