Topic: security concern (Read 2269 times)

preventing viruses is very important and we really have to provide anti-virus security, and for security we can also use 2FA and it will be able to help more.

I think there are more possibility of stealing. So for security purposes. I think the best way to avoid stealing and stay secured is don't be open and sign up to the something authomatically open when you are browsing specially in your wallet or do not comply to the fake email who are asking for your private keys or password because you may be a victim of stealing  like me.

The is no mechanism that is put in place to prevent virus files that steal our personal information which is use by scammers to steal our tokens and other valuable from our system. The only way to prevent fraud from happening is by being careful and always watch out before you install anything on your system.

You know, nothing is bulletproof. I compare strategies to protect yourself against hackers, to the old public telephone hacks back in the day. From coins on a string to magnets and needles... people just found new ways to phone for free and this is also applicable to this scenario. No matter what developers do, hackers will find a way to out smart it. 

The hardware wallets and Paper wallets are not immune to hacks, but they are more secure. In any way, a wallet.dat without a password is worthless. 

Along with the development of technologies hackers improve their arms and tools for attacks. That's why we should apply all security measures accessible to us to protect the crypto funds. In addition to recommended ones, I’d add the encryption of the password and all the vulnerable information. However, there is no way to fully secure the computers from viruses and attacks, but maximize the level of security. 

Security is the main concern in the crypto market and that is why P2P Global Network's top priority is security and the application of P2P Global Network is secured by SHA 512 Algorithm. Your data and privacy are secure with P2P Global Network.
The P2P Global Network also holding a Bounty Program, participate here

It is impossible to fully secure modern computers because they are too complex to fully understand (top-to-bottom) yet are not formally proven correct at each abstraction layer. In fact, since at least 1996, the trend has been to hide implementation details from the end-user. I personally think that the computer industry won't be mature enough to sustain a stable crypto-currency for another 150 years.

There are two competing security concerns when talking about the wallet.dat:

• Security from attackers who want to spend your wallet
• Security from data destruction

Encrypting the wallet.dat by default will help protect against the first security concern, while making the second one worse.

I plan on using full drive encryption, as well as an encrypted back-up. The passphrase would be written down in two locations. The back-up would be stored in a safety-deposit box and never move with the decryption key, though I may store it with the decryption key (in the safety deposit box).

BTW: for secure encryption, the term is passphrase, not password. Passwords are simply not long enough. A passwords made up of random ASCII numbers, letters, and symbols has about 6 bits of entropy per character. I have seen it reported that a 12 character password is "enough." That works out to about 72 bits of entropy. 64 bits of entropy can likely be cracked by a fast computer within a year. 72 bits increases the difficulty by a factor of 256. 128bits is believed to be computationally infeasible to even count during the lifetime of the universe (energy constraints). If your password was ever published at any time during human history, the entropy is probably less than 64 bits (I don't think more than 1.84x10^19 words/phrases have ever been published, even on the Internet).

It is impossible to fully secure anything involving computers. There are just different levels of it.

This would at least raise the bar. Security is all about raising the bar. Don't take an all or nothing approach. Don't wait for the perfect solution before closing the holes. Having the wallet.dat file completely open is asking for trouble. It's an easy way for a critic to ruin the reputation of bitcoins.

The solution to a keylogger is to have the client present an image of the keyboard with the position of the keys jumbled differently each time and let the user enter the keys based on this layout.

+1. It's great for us "in the know" types (although I can talk, typing this from Win 7 but whatever) but bitcoin is exploding in popularity. The easier and safer we can make this for Joe Public, the more people can be brought into the market. They don't necessarily want to discuss the minutiae of the blockchain, or have to worry about security all the time: they just need bitcoin to be a viable, low-fee based currency that is trivial to use.

Do you want BTC to be a currency for geeks or one for the masses?

If you want the latter you have keep in mind that most people like cheese... 

It seems to me that loading a version of bitcoin on a computer, disconnecting it from the net, deleting the first wallet.dat file, then generating a new one which is then encrypted is fairly secure. If you then generate a list of addresses, and securely overwrite the wallet.dat file after making an encrypted copy, you can just mine or accept transactions on one wallet.dat file, then when you build up a decent sum deposit it in your secure address for saving. If you only open it to send payments out it seems reasonably secure to me. If some one was really determined of course they could still get it, but there are ways to mitigate that risk such as storing it on a USB drive, or spreading out your savings to several wallet.dat files.

Yeah then we can make them steal the password to the encryption container and the key instead of the key. Encryption is not enough to solve this problem. It solves it is someone randomly steals your computer physically if the container isn't mounted, but if a worm gains access to your machine or you are targeted for an attack to steal your bitcoins in meatspace (keyloggers etc) putting it in a wallet like that wont help. Need to find a way to add air gaps so that the wallet is not on a machine with internet access, and you can still send coins from it. The only sure way to protect from hackers is to have no internet connection on a machine and nothing that has been on the internet ever going from the machine back to the internet.

That will only help if the virus doesn't include a keylogger.

+1
fully agree

I was also very concerned about this. This is a major security flaw in the bitcoin client. As more non-tech people start using bitcoin, they are not going to know how to secure the wallet.

The bitcoin client should use a password to encrypt the wallet.dat file. This should be done ASAP.

Do not wait for such a virus program to come out before fixing this. Can you imagine what would happen to the reputation of bitcoin if this happened.

I was thinking earlier that it doesn't even have to be a widespread attack.

For example, I have seen threads here about specific users who claim to have a lot of coins. In some cases you can find enough out about a person to design an attack specifically for that person. Be it tricking them into visiting a web page with an exploit that gives you access to their computer, or even just finding out their address and stealing the whole computer.

In the meantime. I am looking forward to seeing what good solutions people come up with for making the wallet less vulnerable to being stolen or lost.

No straightforward mechanism to prevent it.  Crimeware writers are definitely winning the arms race against the AV companies.

Growing opportunities to encourage it:  Zeus trojan source leaked - bitcoin wallet and mtgox pw stealing trojans coming soon

Is there any mechanism currently in place which would prevent someone from writing a worm or virus who's purpose is to seek out and steal your banking password?

Seems like if someone gets that password you're completely fucked...

I got it set up.. it took all of 5 minutes

after you create your truecrypt volume, move your .bitcoin folder into it then make a symlink back to the folder

make sure and back that .bitcoin folder up before doing this incase you screw something up and overwrite the wrong data.

I guess it doesn't protect against hijacking my data when the program is running but at least if someone steals my computer they will not be getting the coins.