Looks like the same thing happened to a vendor on one of the many dark markets.
xxxxx Forums
General Category => Security Discussion => Topic started by: xxxxxxxx on November 02, 2014, 07:09:44 PM
Title: WARNING to all Blockchain wallet users!
Post by: xxxxx on November 02, 2014, 07:09:44 PM
We just got robbed of a really huge amount of BTC straight out of our wallet from blockchain.info.
We don't know how they got access to our wallet and the pw is also really hard, so keep your eyes open if you have coins on a blockchain wallet!!!
Title: Re: WARNING to all Blockchain wallet users!
Post by: xxxxxxx on November 02, 2014, 07:24:18 PM
yeah it's a security issue with tor. they can steal your info if they operate a malicious tor exit node. forces you to http instead of https and they get the login and take your coins.
Title: Re: WARNING to all Blockchain wallet users!
Post by: xxxxxx on November 03, 2014, 07:46:40 AM
Quote from: xxxx on November 03, 2014, 01:44:24 AM
Wtf this is crazy how can you protect yourself from this?
Sorry for your coin loss OP, xxxxxx is correct about the method. Tor ships with "HTTPS Everywhere" installed, I don't know how that could be subverted though.
Regardless, the way to avoid it is by only using Blockchain with a normal clearnet browser.
But again, ideally you shouldn't be storing any bitcoins on 3rd-party websites to begin with. You're a vendor. Why use blockchain.info at all? Tumble your coins from xxxxx to a private wallet that you control. Electrum, Armory, MultiBit, whatever. Then either hold them there indefinitely, or cash them out in small chunks. When a website like blockchain has your private key, at the end of the day, you don't own those coins, the website does.
Title: Re: WARNING to all Blockchain wallet users!
Post by: xxxxxx on November 03, 2014, 06:35:34 PM
We have used this wallet for years now without any problem (for sure we changed it every 3-4 weeks to a new one), so we had no clue that it is possible to catch our login data. We are now using electrum, really nice, just bad that we discovered it that late.
So to all other peops who are using this BC wallet, be careful, especially when you have a load of coins on it!
Is there any good and safe way to tumble the coins when sending them out of our electrum wallet? Until now we have done this over the send shared function from BC, but now we are really scared to load up just one penny on the BC site.
Title: Re: WARNING to all Blockchain wallet users!
Post by: xxxxxxxx on November 03, 2014, 07:20:06 PM
Quote from: xxxxx on November 03, 2014, 07:46:40 AM
Quote from: xxxxx on November 03, 2014, 01:44:24 AM
Wtf this is crazy how can you protect yourself from this?
Sorry for your coin loss OP, xxxxx is correct about the method. Tor ships with "HTTPS Everywhere" installed, I don't know how that could be subverted though.
Regardless, the way to avoid it is by only using Blockchain with a normal clearnet browser.
But again, ideally you shouldn't be storing any bitcoins on 3rd-party websites to begin with. You're a vendor. Why use blockchain.info at all? Tumble your coins from xxxxx to a private wallet that you control. Electrum, Armory, MultiBit, whatever. Then either hold them there indefinitely, or cash them out in small chunks. When a website like blockchain has your private key, at the end of the day, you don't own those coins, the website does.
maybe it's a javascript exploit and steals the info like that somehow. I know blockchain.info doesn't work without javascript so that would open him up to all kinds of attacks
Title: Re: WARNING to all Blockchain wallet users!
Post by: xxxxxx on November 05, 2014, 05:05:52 AM
Thanks for that info even though I don't trust them except for maybe a one time throw away wallet rarely. STRANGE that a financial company that deals with the most popular and valuable digital currency....wouldn't re-direct you to the HTTPS site before loading any user data. I believe Firefox has started warning blockchain.info users that the site is trying to permanently store info on your computer...NO THANKS! One of the worst things I've seen that they don't seem to care to fix is you can backup your wallet to Google Drive, Dropbox, or a paper wallet that downloads:
1. Via un-secured connection
2. In .PDF format with wallet recovery phrase and QR code that you can print out and scan for quick and easy exit node stealing...I mean backing up.
What's your preferred wallet? Electrum actually seems good, it only loads a short [recent] history of the blockchain for "current" transactions. I can't imagine having to do a fresh install of the official BTC client with a 30GB blockchain file to download. I think Electrum might be a good BTC client to squeeze into a future [beta?] release of TAILS as long as you always keep your wallet backup in your persistence volume or other storage device.
For those of you who have a significant amount of money on blockchain.info I would HIGHLY recommend that you add an email address as it will send you an authorization link to your email every time you login. Use an email provider that not only forces SSL connections for login info but session data as well since you would be downloading the email via the web. Choose an email provider wisely...It's tricky because you NEED anonymity/privacy AND reliability/security. You don't want a brand new anonymous email service for this type of account management. I believe a lot of tormail.net users lost access to a lot of accounts because their verification emails were going nowhere...or worse data forensics. email company preventing you from accessing your money because you forgot to backup and can't authorize yourself via email. That being said I believe you can also setup 2-factor auth with SMS text messages, Google Authentication, and YubiKey. Alerts when sending and/or receiving or when your transaction has reached X (1-6) confirmations.
They offer the ability to have a second password, both of which are required to login, but this will double the encryption on your wallet. If you were going to be using it with a cheap VPN provider then it would resolve a lot of the security issues because there wouldn't be any TOR exit nodes sniffing any data that might be unknowingly transferred in the clear. After taking a deeper look at blockchain.info's site now I see that the data they want to permanently store in your browser is wallet backups. I can't begin to tell you how much it terrifies me of what goes on in the background processes (especially Windows)...Windows so you can have a fully searchable index of everything on your computer. There is a decent computer that I just use for testing stuff and I like to test beta software to see what's ahead...never any personal info & its even on its own network. Installed Windows 10 beta and one of the first things that I notice is all the logging & indexing services and "features" or should I say inconveniences. Basically a lot of Windows 10's features and services won't work without the file/data logging and indexing that THEN must be uploaded to Microsoft's cloud service. You can disable it which made a few inconveniences but nothing I would really get pissed off over. MS like Apple wants you to stay in their eco-system which is closed source, government cooperation....I don't need to go on...They are all really just data miners now but their reasoning is to provide a better experience across multiple platforms. I could choose to sign into each [online] application/service separate but instead you are required for all this data to be on Microsoft servers.
And now back to blockchain.info's breaking security update...honestly with 2-factor auth working great, and the ability to create an alias blockchain.info/wallet/HackMeIamPoor but you won't be able to add the alias until you have completed registration and manage your account settings.
I have a tendency to say a lot because I have strong opinions, so I'll make the summary short.
Blockchain.info has a good/reliable track record and having an online wallet can have many benefits if you have multiple devices. Since it seems that some data is being sent in the clear I WOULDN'T use them to store/save your bitcoins. While two-factor auth, option to require 2 passwords + have an additional Account Recovery Phrase which can be one word or 255 characters long regardless...we all use TOR and if blockchain doesn't force SSL on everything then they can add every security feature in the world but they'll be the next MT Gox. Never trust Mt Gox myself. The only thing BC's wallet service is IDEAL for is someone who is either connecting directly or connecting via VPN in addition to the additional pass phrases and 2-factor auth. I didn't mention if you were let's say just a bitcoin trader then you could change your BC.info account settings to block any connections from TOR network and you can also block or allow specific IP addresses or IP ranges if you have a dynamic IP address.
I won't go into personal setup details, but keep the majority of your coins on a local machine...on the machine of your choice and back up any time there are any transactions for your addresses. "Offline" wallets are a really good option for the BULK of your coins that you don't plan on spending soon...like a savings account it's your bitcoin vault basically. Then you may use one or two online wallet services that are reputable and reliable, it's easy to just create a whole new account a month or two later and "start over" on another wallet, I don't know many people who keep more than a few coins stored in an online wallet. Its main advantage...SPEED and CONVENIENCE the two biggest pitfalls in security. It's quick and easy to login to the website and make a payment from anywhere on virtually any device.
Wow that was more than I thought I'd have to say, sorry if I wasted time in anyone's life if I repeated myself....I do it sometimes because it must be important.
What online/offline wallets do you use? How do you use them? Of course, leave out any specific or personal info.
This also reminds me that using Microsoft's Bitlocker, Apple's FileVault, and [somewhat surprised] TrueCrypt is not safe for archiving your data anymore. YES USE IT, it's better than nothing, but there are people and organizations that have the resources to get every ***BIT*** of data off any device and create a clone of the storage that has to meet specific legal specifications for the court...now that's scary. Most of us as we learned from SR is that most 90-95% of users here would never be targets or pursued it's the admins, developers?, moderators and LARGE SCALE vendors that past events have shown us.
In that regard the name of the site and not having a bunch of mods/admins/staff etc makes it harder to locate. You don't see much for xxxxx in search engines, as there are too many existing clearnet sites that are about Greece's assemblies and markets that were open freely to anyone. "Open" markets like this may disappear for security reasons or worse being raided. But I've seen that we all learn something each time that has happened, and with an entire customer base with no store to go to it's easy to attract vendors/buyers to your site. But it takes a lot of knowledge and thinking that you at some point won't want to be featured in WIRED magazine or on CNN or even BBC. To me "DPR" made a crucial mistake by having an identity even if it's his nick name, book collection listed in a post then that is SOMETHING that they will try to follow in hopes it will lead to something.
This may seem silly, but I think that each market has to reach a limit considering the limited resources and new technical challenges that have to be solved for growth to continue. I would like to have seen Twitter as an .onion service.....scalability HA. One thought is to have an anonymous/secure communication sent to any of the sites that mention xxxxx as the new SR but bigger to please remove the article or at some point just close down registration. But I am certainly impressed by xxxxx's setup....but at some point as I said before it would be a good idea to let some categories go and focus more on where its best vendors do biz...in this case drugs....duh. I KNOW the armory was a mistake when I read about it, they gained loads of international media attention. Sure they closed the armory way before SR was raided but it didn't help that the site was described to the US Drug Czar as the Amazon or eBay of illegal drugs and illegal weapons. That's when SR could have some serious vulnerabilities with constant downtime media attention, posting on Dice.com that you are looking to hire web developers that know php, can manage large databases, and be familiar enough with Bitcoin (at its early stages) that you can develop a wallet, escrow, and mixing systems and services for a large user base using very limited resources....posted via a local ISP IP address and personal account on Dice, or was it LinkedIn? Anyways I have more than caught up on rambling so I believe I'm just going to respond to a few other topics now and see if anyone would like me to post my referral link in that forum lol.
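Added example, not part of the original thread: a Python check a site operator could run over captured response headers to see whether the downgrade described in the posts above (a hostile exit node forcing HTTP instead of HTTPS) is left open. The host wallet.example, the sample responses and the 180-day threshold are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

MIN_HSTS_AGE = 15552000  # 180 days; threshold assumed for this example

def parse_head(raw):
    """Split a raw HTTP response head into (status, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit(host, http_raw, https_raw):
    """List the gaps that leave a login open to an HTTPS-to-HTTP downgrade."""
    findings = []
    # 1. Plain HTTP must answer with a permanent redirect to the same host.
    status, headers = parse_head(http_raw)
    target = urlsplit(dict(headers).get("location", ""))
    if status not in (301, 308) or target.scheme != "https" or target.hostname != host:
        findings.append("http-not-redirected-to-https")
    # 2. HTTPS must set HSTS so the browser refuses plain HTTP afterwards.
    status, headers = parse_head(https_raw)
    hsts = dict(headers).get("strict-transport-security", "")
    age = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
    if not age:
        findings.append("hsts-missing")
    else:
        if int(age.group(1)) < MIN_HSTS_AGE:
            findings.append("hsts-max-age-too-short")
        if "includesubdomains" not in hsts.lower():
            findings.append("hsts-without-includesubdomains")
    # 3. Session cookies need Secure or they travel over stripped HTTP too.
    for name, value in headers:
        if name == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append("cookie-without-secure:" + value.split("=")[0])
    return findings

# Constructed sample responses for the placeholder host wallet.example.
WEAK_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nSet-Cookie: sid=abc123; HttpOnly\r\n"
GOOD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://wallet.example/login\r\n"
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              "Set-Cookie: sid=abc123; Secure; HttpOnly\r\n")

if __name__ == "__main__":
    print(audit("wallet.example", WEAK_HTTP, WEAK_HTTPS))
    print(audit("wallet.example", GOOD_HTTP, GOOD_HTTPS))
```

A redirect alone does not cover a first visit over a hostile path, since the redirect itself can be stripped; the HSTS header is what makes a returning browser refuse plain HTTP for that host.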
Title: Re: WARNING to all Blockchain wallet users!
Post by: xxxxxx on November 05, 2014, 07:13:20 AM
Quote from: xxxxxx on November 05, 2014, 05:05:52 AM
What's your preferred wallet? Electrum actually seems good, it only loads a short [recent] history of the blockchain for "current" transactions.
I've always used MultiBit, which does the same thing (no full blockchain download). I've never used Electrum, but it's actually probably the better client from what I've read, since you can store wallets deterministically and re-generate them from a 12-word seed. On MultiBit, you have to back up the wallets offline just in case, though I've never had any issues or had to use the backups.
If a vendor is comfortable enough with the protocol behind bitcoin wallets, generate a bunch of paper wallets and steadily send all your xxxxx/DNM coins to them. No bitcoin client required at all. Then, when you want to cash out a little, pick one of the paper wallets, import the private key into Electrum (or MultiBit), send it through a tumbler, and you're done. For paper wallets, I have an unhealthy fascination with VanityGen (to make wallets like 1oooooDsdWofTUAp5bhveefdfdQFHFGiR or the raffle wallet 1xxxxxZAfLdY3csCcyXC7QJxGB1QgwGjDX), but random-letter paper wallets work just the same.
"Blockchain.info" never even comes into it. If using paper wallets, just be wary of the notion of change wallet addresses (http://bitzuma.com/posts/five-ways-to-lose-money-with-bitcoin-change-addresses/).
Title: Re: WARNING to all Blockchain wallet users!
Post by: xxxxxx on November 05, 2014, 09:16:12 AM
Great info guys.
"I would like to have seen Twitter as an .onion service...."
Facebook created a hidden service on our little dark web in the past few days. Details at the Tor blog.
Title: Re: WARNING to all Blockchain wallet users!
Post by: xxxxxx on November 06, 2014, 06:23:22 PM
Quote from: xxxxxx on November 03, 2014, 01:44:24 AM
Wtf this is crazy how can you protect yourself from this?
just check for https?
You must use two factor authentication otherwise a malicious exit node operator can sniff out your password.