Wallet Hack on 4/25 | Bitcointalksearch.org

FatMagic

full member

Activity: 224

Merit: 100

Quote from: scooter on June 05, 2013, 05:32:45 AM

Sort of relevant.
This article at ARS shows how hackers are increasingly able to crack passwords that we would think are strong.
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

I hope in the near future someone comes up with a viable solution for the authentication problems we face.
2 factor authentication is a big help. But, getting services to offer it is a challenge, and then an even bigger challenge to get users to adopt it.

Excellent article, thanks for this.

scooter

member

Activity: 100

Merit: 10

Sort of relevant.
This article at ARS shows how hackers are increasingly able to crack passwords that we would think are strong.
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

I hope in the near future someone comes up with a viable solution for the authentication problems we face.
2 factor authentication is a big help. But, getting services to offer it is a challenge, and then an even bigger challenge to get users to adopt it.

LuaKT

member

Activity: 162

Merit: 10

The World’s First Blockchain Core

Was there any more progress on what caused this? Only noticed today that the small amount I keep on Blockchain was taken.

tolsetty

newbie

Activity: 9

Merit: 0

Quote

Oh -- is this that BTC-e (hope I'm remembering this right -- sorry if I didn't) chatroom javascript hack we saw a week or two ago, anyone? IIRC, it used a keylogger, too.

javascript or java?

bozak

full member

Activity: 120

Merit: 100

Yet again, 2-factor authentication would have saved the day. It really should be standard for on-line wallets forcing users to turn it off instead of requiring them to turn it on.

coastermonger

sr. member

Activity: 367

Merit: 250

Find me at Bitrated

Timeout, strong password or not, wouldn't complete 2 factor authentication have saved him here?

Anenome5

sr. member

Activity: 252

Merit: 250

Quote from: silvereagle on April 28, 2013, 09:30:01 PM

Quote from: Meni Rosenfeld on April 28, 2013, 09:51:17 AM

Update - after speaking some more with my affected customer I am no longer convinced his password was indeed strong enough.

Maybe passwords were brute-forced after all? silvereagle - just how strong was your password?

Will be happy to hear about any progress in figuring this out.

Alias was very short so may have been hackable. Password was 15 characters long but made up of multiple words that may have been found in dictionary. Possible but permutations to put that many words together would still be extremely high.

Still, imagine that they have downloaded every wallet on Blockchain or at least very many. They can run each password against each wallet in turn, which may make for a viable / profitable attack.

glitch003

full member

Activity: 219

Merit: 101

Quote from: Kaiji on April 29, 2013, 10:32:22 AM

For storing large numbers of bitcoins an online bitcoin bank is needed. Unfortunately it will only be a matter of time before it is hacked or the owner of the site absconds with users bitcoins.

Why? If you're really that worried about losing your coins, do a paper wallet and put it in a safe deposit box.

Luckybit

hero member

Activity: 714

Merit: 510

Quote from: elrodvoss on April 25, 2013, 07:08:32 PM

I posted same thing couple topics down.

Second time in two weeks. One coin each time. Changed pw on every account and activated logging.

No log of withdraw.

Now getting freaked little.

Create a new account from a Linux liveCD and consider your computer compromised. Use someone elses computer. Set up two factor authentication. Perhaps consider investing in a Yubikey.

Newar

legendary

Activity: 1358

Merit: 1001

https://gliph.me/hUF

Quote from: Aseras on April 29, 2013, 04:18:57 PM

it would probably help if blockchain's iphone and android app didnt store the main password in plaintext.

There's an update available for Android that fixes this. https://bitcointalksearch.org/topic/m.1966450

shawshankinmate37927

hero member

Activity: 854

Merit: 1000

Bitcoin: The People's Bailout

Quote from: Remember remember the 5th of November on April 29, 2013, 03:46:32 AM

Also having a feature to block other IPs from entering the account would be nice, with the ability to add exceptions(home,work,phone).

Blockchain.info's My Wallet service already offers this ability. It can be found under the Security menu option on the Account Settings page. (Of course, this won't help if a hacker already has copies of your private keys.)

Aseras

hero member

Activity: 658

Merit: 500

it would probably help if blockchain's iphone and android app didnt store the main password in plaintext.

jubalix

legendary

Activity: 2618

Merit: 1022

Quote from: Dabs on April 29, 2013, 10:53:21 AM

Quote from: jubalix on April 29, 2013, 03:16:14 AM

but how would they know which out of 1x10e6 files is my key file, or which combination of 2, 3 or more key files is are my key files?

how do they even know i use a key file???

The keylogger trojan or malware is surely going to be capturing your screen. They can know which file is your keyfile. I'm not saying that this is being done now, I am saying this is possible.

Quote from: Meni Rosenfeld on April 29, 2013, 03:30:50 AM

Were you a victim of this? Are you providing evidence that this was not brute-force, or simply explaining how to properly choose passwords?

I don't use block chain, so I am not a victim, merely showing how to properly choose good passwords.

no key loggers don't usually do screen captures....you would soon notice this as your hard-rive would be full or your bandwidth consumed or always slow....

Dabs

legendary

Activity: 3416

Merit: 1912

The Concierge of Crypto

Quote from: jubalix on April 29, 2013, 03:16:14 AM

but how would they know which out of 1x10e6 files is my key file, or which combination of 2, 3 or more key files is are my key files?

how do they even know i use a key file???

The keylogger trojan or malware is surely going to be capturing your screen. They can know which file is your keyfile. I'm not saying that this is being done now, I am saying this is possible.

Quote from: Meni Rosenfeld on April 29, 2013, 03:30:50 AM

Were you a victim of this? Are you providing evidence that this was not brute-force, or simply explaining how to properly choose passwords?

I don't use block chain, so I am not a victim, merely showing how to properly choose good passwords.

Kaiji

full member

Activity: 140

Merit: 100

Hoist the Colours

For storing large numbers of bitcoins an online bitcoin bank is needed. Unfortunately it will only be a matter of time before it is hacked or the owner of the site absconds with users bitcoins.

Amph

legendary

Activity: 3206

Merit: 1069

best user and password is= empty wallet

Remember remember the 5th of November

legendary

Activity: 1862

Merit: 1011

Reverse engineer from time to time

Also having a feature to block other IPs from entering the account would be nice, with the ability to add exceptions(home,work,phone).

willphase

hero member

Activity: 767

Merit: 500

Just a friendly PSA that if you ever had a weak password or a weak alias on your blockchain.info account, then someone could be running bruteforce on your wallet as we speak, regardless of whether you later upgraded the security (e.g. added 2FA or added an IP block, or deleted/changed your alias)

So, if you upgrade your security, I recommend you move your bitcoins off the keys that might have been previously compromised. It's not like changing your password on blockchain.info changes your keys.

If in doubt, generate a new blockchain.info wallet, set up 2FA and secure passwords, IP blocks etc etc, then move your bitcoins from your old potentially compromised wallet to your new one. I personally would consider any keys stored under an 'insecure blockchain.info wallet' compromised (but not perhaps until some time in the future).

Will

Meni Rosenfeld

donator

Activity: 2058

Merit: 1054

Quote from: Dabs on April 28, 2013, 10:09:19 PM

Here is an example of my logins for banks and Mt. Gox:

Username: kl2uggsyf3yue9g4e2
Password: t#nocq2*l4c*b1yibxf%tazzh0^$)^ft0

Were you a victim of this? Are you providing evidence that this was not brute-force, or simply explaining how to properly choose passwords?

jubalix

legendary

Activity: 2618

Merit: 1022

Quote from: Dabs on April 29, 2013, 02:11:08 AM

Keyfiles stored on your computer would have to be uploaded to their servers for hashing, OR your client side browser will have to perform the hashing offline, and submit your result online.

In either case, MITM or eavesdroppers can intercept the keyfiles. There would have to be some sort of public key or SSL encryption going on for this to work, so no one else can grab your keyfile or the hash of that keyfile.

If your computer is compromised, they can get your keyfile.

but how would they know which out of 1x10e6 files is my key file, or which combination of 2, 3 or more key files is are my key files?

how do they even know i use a key file???

Topic: Wallet Hack on 4/25 (Read 11212 times)