Topic: Wallet Hack on 4/25 (Read 11267 times)

full member
Activity: 224
Merit: 100
June 05, 2013, 11:27:39 AM
Sort of relevant.
This article at ARS shows how hackers are increasingly able to crack passwords that we would think are strong.
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

I hope in the near future someone comes up with a viable solution for the authentication problems we face.
2 factor authentication is a big help. But, getting services to offer it is a challenge, and then an even bigger challenge to get users to adopt it.



Excellent article, thanks for this.
member
Activity: 100
Merit: 10
June 05, 2013, 04:32:45 AM
Sort of relevant.
This article at ARS shows how hackers are increasingly able to crack passwords that we would think are strong.
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

I hope in the near future someone comes up with a viable solution for the authentication problems we face.
2 factor authentication is a big help. But, getting services to offer it is a challenge, and then an even bigger challenge to get users to adopt it.

member
Activity: 162
Merit: 10
The World’s First Blockchain Core
June 04, 2013, 06:02:29 PM
Was there any more progress on what caused this? Only noticed today that the small amount I keep on Blockchain was taken.
newbie
Activity: 9
Merit: 0
May 03, 2013, 10:04:47 AM
Quote
Oh -- is this that BTC-e (hope I'm remembering this right -- sorry if I didn't) chatroom javascript hack we saw a week or two ago, anyone? IIRC, it used a keylogger, too.

javascript or java?
full member
Activity: 120
Merit: 100
May 02, 2013, 10:38:23 PM
Yet again, 2-factor authentication would have saved the day.  It really should be standard for on-line wallets forcing users to turn it off instead of requiring them to turn it on. 
sr. member
Activity: 367
Merit: 250
Find me at Bitrated
May 02, 2013, 10:01:42 PM
Timeout, strong password or not, wouldn't complete 2 factor authentication have saved him here?
sr. member
Activity: 252
Merit: 250
May 02, 2013, 06:05:56 PM
Update - after speaking some more with my affected customer I am no longer convinced his password was indeed strong enough.

Maybe passwords were brute-forced after all? silvereagle - just how strong was your password?

Will be happy to hear about any progress in figuring this out.

Alias was very short so may have been hackable.  Password was 15 characters long but made up of multiple words that may have been found in a dictionary.  Possible, but the permutations to put that many words together would still be extremely high.
Still, imagine that they have downloaded every wallet on Blockchain, or at least very many. They can run each password against each wallet in turn, which may make for a viable / profitable attack.
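The two points above (a 15-character password built from dictionary words, and an attacker running every candidate password against every downloaded wallet) can be put into numbers. The following is an added example, not code from the thread or from Blockchain.info; the dictionary size, guess rates and iteration counts are assumptions chosen for illustration, and the PBKDF2 usage is a generic salted-KDF demonstration rather than a description of how any particular wallet service stores its data. It generalises the post's scenario by also showing why a unique per-wallet salt forces the attacker to redo the work for each wallet instead of hashing each guess once.

```python
import hashlib
import math

# Assumption: size of a typical cracking wordlist. Real lists vary widely.
DICTIONARY_SIZE = 20_000


def passphrase_entropy_bits(num_words, dictionary_size=DICTIONARY_SIZE):
    """Entropy (bits) of a passphrase made of words drawn uniformly from a
    wordlist, assuming the attacker knows the construction and the list.
    A 15-character password made of three common words is modelled this
    way, not as 15 random characters."""
    return num_words * math.log2(dictionary_size)


def char_entropy_bits(length, alphabet_size):
    """Entropy (bits) of a password of `length` characters chosen uniformly
    from an alphabet of `alphabet_size` symbols (95 = printable ASCII)."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits):
    """On average the attacker finds the password after half the keyspace."""
    return 2 ** (bits - 1)


def crack_time_seconds(bits, guesses_per_second, kdf_iterations=1):
    """Expected time for an offline guessing attack. A slow KDF with
    `kdf_iterations` rounds divides the attacker's effective guess rate."""
    return expected_guesses(bits) * kdf_iterations / guesses_per_second


def total_work(guesses, num_wallets, salted):
    """Hash evaluations needed to try `guesses` candidates against
    `num_wallets` downloaded wallets. With a unique salt per wallet every
    guess must be re-derived for every wallet; without one a guess is
    hashed once and compared against all of them."""
    return guesses * num_wallets if salted else guesses


def derive_wallet_key(password, salt, iterations=100_000):
    """Password-based key derivation with PBKDF2-HMAC-SHA256 (stdlib only).
    Returns a hex string so results can be compared in tests."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    ).hex()


def scenario():
    """Compare the poster's three-word password with a random 15-character
    one, at a constructed guess rate of 1e9 fast hashes per second."""
    rate = 1e9
    words = passphrase_entropy_bits(3)
    chars = char_entropy_bits(15, 95)
    return {
        "three_words_bits": round(words, 1),
        "random_15_chars_bits": round(chars, 1),
        "three_words_seconds_fast_hash": crack_time_seconds(words, rate),
        "three_words_seconds_pbkdf2": crack_time_seconds(words, rate, 100_000),
        "random_15_chars_seconds_fast_hash": crack_time_seconds(chars, rate),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value:,.1f}")
    # Constructed salts: two wallets with the same password still produce
    # different derived keys, so a guess cannot be reused across wallets.
    print(derive_wallet_key("correct horse battery", b"wallet-salt-A")[:16])
    print(derive_wallet_key("correct horse battery", b"wallet-salt-B")[:16])
```

The take-away matches the thread: three dictionary words give roughly 43 bits, which a fast unsalted hash lets an attacker exhaust in under an hour at a billion guesses per second, whereas the same password behind a 100,000-iteration salted KDF costs the attacker about 100,000 times more, and that cost is paid again for every wallet they downloaded.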
full member
Activity: 219
Merit: 101
April 30, 2013, 03:01:13 AM

For storing large numbers of bitcoins an online bitcoin bank is needed. Unfortunately it will only be a matter of time before it is hacked or the owner of the site absconds with users bitcoins.

Why?  If you're really that worried about losing your coins, do a paper wallet and put it in a safe deposit box.
hero member
Activity: 714
Merit: 510
April 29, 2013, 10:07:53 PM
I posted same thing couple topics down.

Second time in two weeks.  One coin each time. Changed pw on every account and activated logging.

No log of withdraw.

Now getting freaked out a little.

Create a new account from a Linux liveCD and consider your computer compromised. Use someone else's computer. Set up two factor authentication. Perhaps consider investing in a Yubikey.
legendary
Activity: 1358
Merit: 1001
https://gliph.me/hUF
April 29, 2013, 09:44:20 PM
#99
it would probably help if blockchain's iphone and android app didn't store the main password in plaintext.
There's an update available for Android that fixes this. https://bitcointalksearch.org/topic/m.1966450
hero member
Activity: 854
Merit: 1000
Bitcoin: The People's Bailout
April 29, 2013, 08:27:02 PM
#98
Also having a feature to block other IPs from entering the account would be nice, with the ability to add exceptions (home, work, phone).

Blockchain.info's My Wallet service already offers this ability.  It can be found under the Security menu option on the Account Settings page.  (Of course, this won't help if a hacker already has copies of your private keys.)
hero member
Activity: 658
Merit: 500
April 29, 2013, 03:18:57 PM
#97
it would probably help if blockchain's iphone and android app didn't store the main password in plaintext.
legendary
Activity: 2632
Merit: 1023
April 29, 2013, 12:49:03 PM
#96
but how would they know which out of 1x10e6 files is my key file, or which combination of 2, 3 or more key files are my key files?

how do they even know i use a key file???

The keylogger trojan or malware is surely going to be capturing your screen. They can know which file is your keyfile. I'm not saying that this is being done now, I am saying this is possible.

Were you a victim of this? Are you providing evidence that this was not brute-force, or simply explaining how to properly choose passwords?

I don't use block chain, so I am not a victim, merely showing how to properly choose good passwords.

No, keyloggers don't usually do screen captures....you would soon notice this as your hard drive would be full or your bandwidth consumed or always slow....
legendary
Activity: 3416
Merit: 1912
The Concierge of Crypto
April 29, 2013, 09:53:21 AM
#95
but how would they know which out of 1x10e6 files is my key file, or which combination of 2, 3 or more key files are my key files?

how do they even know i use a key file???

The keylogger trojan or malware is surely going to be capturing your screen. They can know which file is your keyfile. I'm not saying that this is being done now, I am saying this is possible.

Were you a victim of this? Are you providing evidence that this was not brute-force, or simply explaining how to properly choose passwords?

I don't use block chain, so I am not a victim, merely showing how to properly choose good passwords.
full member
Activity: 140
Merit: 100
Hoist the Colours
April 29, 2013, 09:32:22 AM
#94

For storing large numbers of bitcoins an online bitcoin bank is needed. Unfortunately it will only be a matter of time before it is hacked or the owner of the site absconds with users bitcoins.
legendary
Activity: 3248
Merit: 1070
April 29, 2013, 03:17:37 AM
#93
best user and password is= empty wallet
legendary
Activity: 1862
Merit: 1011
Reverse engineer from time to time
April 29, 2013, 02:46:32 AM
#92
Also having a feature to block other IPs from entering the account would be nice, with the ability to add exceptions (home, work, phone).
hero member
Activity: 767
Merit: 500
April 29, 2013, 02:42:09 AM
#91
Just a friendly PSA that if you ever had a weak password or a weak alias on your blockchain.info account, then someone could be running bruteforce on your wallet as we speak, regardless of whether you later upgraded the security (e.g. added 2FA or added an IP block, or deleted/changed your alias)

So, if you upgrade your security, I recommend you move your bitcoins off the keys that might have been previously compromised.  It's not like changing your password on blockchain.info changes your keys.

If in doubt, generate a new blockchain.info wallet, set up 2FA and secure passwords, IP blocks etc etc, then move your bitcoins from your old potentially compromised wallet to your new one.  I personally would consider any keys stored under an 'insecure blockchain.info wallet' compromised (but not perhaps until some time in the future).

Will
donator
Activity: 2058
Merit: 1054
April 29, 2013, 02:30:50 AM
#90
Here is an example of my logins for banks and Mt. Gox:

Username: kl2uggsyf3yue9g4e2
Password: t#nocq2*l4c*b1yibxf%tazzh0^$)^ft0
Were you a victim of this? Are you providing evidence that this was not brute-force, or simply explaining how to properly choose passwords?
legendary
Activity: 2632
Merit: 1023
April 29, 2013, 02:16:14 AM
#89
Keyfiles stored on your computer would have to be uploaded to their servers for hashing, OR your client side browser will have to perform the hashing offline, and submit your result online.

In either case, MITM or eavesdroppers can intercept the keyfiles. There would have to be some sort of public key or SSL encryption going on for this to work, so no one else can grab your keyfile or the hash of that keyfile.

If your computer is compromised, they can get your keyfile.

but how would they know which out of 1x10e6 files is my key file, or which combination of 2, 3 or more key files are my key files?

how do they even know i use a key file???