Bitcoin Forum

Bitcoin => Bitcoin Technical Support => Topic started by: Snowpea on May 09, 2012, 02:00:43 PM



Title: SECURITY ISSUES - anyone interested in a manhunt?
Post by: Snowpea on May 09, 2012, 02:00:43 PM
So I wake up this morning, and shortly after, I start receiving multiple emails from my gmail account about suspicious attempted sign-ins.  Then I start seeing password recovery messages from my GLBSE and MtGox accounts.
My account uses a strong password that I only use in one other place (a pool).  

I'm not going to say where until I'm a bit more clear as to where the security issue is, for the sake of the pool.  

Anyway, gmail tells me that the IP is: 68.230.94.23, based in Tucson, Arizona.  The ISP is Cox Communications.  

Obviously, this attack was aimed at my BTC related accounts.  Does anyone have any ideas how I can track down this person, or perhaps whatever malicious site/software is attacking the BTC community?


Title: Re: SECURITY ISSUES - anyone interested in a manhunt?
Post by: bulanula on May 09, 2012, 02:04:14 PM
Same here.

187.113.24.162 from Brazil ???

WTF !



Title: Re: SECURITY ISSUES - anyone interested in a manhunt?
Post by: bulanula on May 09, 2012, 02:37:22 PM
You probably won't be able to get the attacker from the IP address alone, it's most likely a TOR exit node, public proxy, botnet or a hacked server.

The IP that the biggest scammer on the forums posted is running a mail server that is sending spam, and has tried to dictionary attack something before:
http://www.projecthoneypot.org/ip_187.113.24.162

Yeah. Looks like the Russians are doing it, from looking at that site above and the content of the spam messages:

187.113.24.162.static.host.gvt.net.br

http://webcache.googleusercontent.com/search?q=cache:E9qKWrLYArgJ:kadastr.perm.ru:8080/pflogsumm/current/13-11-2011+&cd=3&hl=en&ct=clnk

BTC-E exchange anything to do with this ???


Title: Re: SECURITY ISSUES - anyone interested in a manhunt?
Post by: Snowpea on May 09, 2012, 02:42:01 PM
A dictionary attack wouldn't be able to guess my strong password; it's 10 characters long with symbols and no dictionary words.


Title: Re: SECURITY ISSUES - anyone interested in a manhunt?
Post by: REF on May 09, 2012, 02:54:09 PM
Your password was definitely phished, caught by spyware, or taken from the database of another site (by the site owner or hackers). Most mail providers have strong captchas and usually stop allowing attempts after 3-5 failed ones.

Try entering your password into Google and see if anything comes up. I once did that when my email address got hacked and found a hacker forum where a hacker had posted a list of email addresses + md5 hashes of passwords that were used to sign up for a site, and people were trying to crack them and posting the passwords they cracked.

Interesting. If that ever happens to me I will be trying that in the future.


Title: Re: SECURITY ISSUES - anyone interested in a manhunt?
Post by: Maged on May 09, 2012, 05:01:48 PM
Passwords at mining pools seem to get leaked on a daily basis. Few of these guys are any good at security.


Title: Re: SECURITY ISSUES - anyone interested in a manhunt?
Post by: Stephen Gornick on May 09, 2012, 08:00:39 PM
So I wake up this morning, and shortly after, I start receiving multiple emails from my gmail account about suspicious attempted sign-ins.  Then I start seeing password recovery messages from my GLBSE and MtGox accounts.

Out of curiosity, was your e-mail address in the list of leaked passwords from the June 2011 hack at Mt. Gox (or a similar list from one of the many breaches since)?

Do you use the same username as is in your e-mail? 
  e.g.  snowpea@gmail.com    and then the same username at Mt. Gox / GLBSE of "snowpea"?


Title: Re: SECURITY ISSUES - anyone interested in a manhunt?
Post by: Andrew Bitcoiner on May 09, 2012, 08:03:23 PM
A dictionary attack wouldn't be able to guess my strong password; it's 10 characters long with symbols and no dictionary words.

10 characters is not enough.  Brute forcing that is easy on today's hardware; you need to be 15 characters or longer.  I know some people who choose 30 characters in length.


Title: Re: SECURITY ISSUES - anyone interested in a manhunt?
Post by: Uncurlhalo on May 09, 2012, 08:04:47 PM
Yeah I had an attempted login from somewhere in Sweden on my gmail.


Title: Re: SECURITY ISSUES - anyone interested in a manhunt?
Post by: EuSouBitcoin on May 09, 2012, 08:15:58 PM
A dictionary attack wouldn't be able to guess my strong password; it's 10 characters long with symbols and no dictionary words.

10 characters is not long enough. According to
https://www.grc.com/haystack.htm
such a password can be cracked in less than 2 hours with a Massive Cracking Array Scenario. Personally, I like Diceware for making long passwords that are easy to remember. See
http://world.std.com/~reinhold/diceware.html
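The search-space arithmetic behind calculators like the haystack page linked above, as an added worked example that is not from any poster in this thread: it counts the candidates an exhaustive search must try for a given length and character set, converts that into worst-case time at three assumed guess rates (the three rate tiers are an assumption chosen to mirror the scenarios the haystack page presents, not numbers taken from the thread), and compares the result with the entropy of a Diceware passphrase. The passphrase generator draws from a small constructed stand-in wordlist so the script runs offline; entropy is computed with the real list size of 7776 words. The example goes beyond the two posts by taking any password, and running it shows why the posts disagree: at the "massive cracking array" rate, a 10-character password drawing on all four character classes takes roughly six days to exhaust, while one using only letters and digits takes under three hours.

```python
import math
import secrets
import string

# Attacker guess rates in guesses per second. The three scenario names and
# magnitudes are an assumption chosen to mirror the tiers the GRC haystack
# calculator presents; they are not figures from the thread.
SCENARIOS = {
    "online (rate-limited login form)": 1_000,
    "offline fast (one cracking rig, stolen hash database)": 100_000_000_000,
    "massive cracking array": 100_000_000_000_000,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The real Diceware list has 6^5 = 7776 words, one per five-dice roll.
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed stand-in wordlist so the generator runs offline; entropy is
# still computed with the real list size above.
SAMPLE_WORDS = ["anvil", "brisk", "cobalt", "drift", "ember", "fjord",
                "gable", "hinge", "ivory", "jumbo", "kelp", "lunar"]


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character set that covers the password.

    Search-space calculators reason this way: a password containing a digit
    and a symbol is treated as drawn from the full printable set, even though
    an attacker who tries the smaller sets first may finish sooner.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return size


def search_space(length: int, alphabet: int) -> int:
    """Candidates an exhaustive search must try to cover every password of
    length 1..length over an alphabet of the given size (geometric sum)."""
    if alphabet < 2:
        raise ValueError("alphabet must contain at least two characters")
    return (alphabet ** (length + 1) - alphabet) // (alphabet - 1)


def entropy_bits(length: int, alphabet: int) -> float:
    """Entropy when every character is chosen uniformly at random."""
    return length * math.log2(alphabet)


def years_to_exhaust(space: int, guesses_per_second: int) -> float:
    """Worst-case years to try every candidate; the average is half of this."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def report(password: str) -> dict:
    """Alphabet, entropy and per-scenario worst-case years for one password."""
    alphabet = alphabet_size(password)
    space = search_space(len(password), alphabet)
    return {
        "alphabet": alphabet,
        "bits": entropy_bits(len(password), alphabet),
        "years": {name: years_to_exhaust(space, rate)
                  for name, rate in SCENARIOS.items()},
    }


def diceware_passphrase(num_words: int, wordlist: list) -> str:
    """Pick words with the OS CSPRNG (secrets), never the random module."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def passphrase_entropy_bits(num_words: int,
                            list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase whose words are chosen uniformly from the list."""
    return num_words * math.log2(list_size)


if __name__ == "__main__":
    # Constructed 10-character samples: all four classes, then letters+digits.
    for pw in ["Xk7#pQ2!vL", "Xk7pQ2vL9a"]:
        r = report(pw)
        print(f"{pw}: alphabet {r['alphabet']}, {r['bits']:.1f} bits")
        for name, yrs in r["years"].items():
            print(f"  {name}: {yrs:.3g} years")
    print(f"6 Diceware words: {passphrase_entropy_bits(6):.1f} bits, e.g. "
          f"'{diceware_passphrase(6, SAMPLE_WORDS)}' (stand-in list)")
```

The calculator's figure is an upper bound on attacker effort, not a guarantee: it assumes the attacker has an offline copy of the hash and must walk the whole space, whereas a password reused at a site that stores it in plaintext or as an unsalted hash is recovered without any brute force at all, which is the scenario the rest of this thread is about.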


Title: Re: SECURITY ISSUES - anyone interested in a manhunt?
Post by: Snowpea on May 10, 2012, 03:09:05 AM
I tested my password, and with the online scenario it's: 1.20 thousand centuries... I really doubt anyone with the ability to do 1 trillion a second would be targeting BTC.


Title: Re: SECURITY ISSUES - anyone interested in a manhunt?
Post by: arby on May 11, 2012, 06:16:40 AM
As the other posters said, it is almost impossible to track down the person. Law enforcement could track it down, but if it was just a proxy used by the attacker, it will be even harder. Anyway, I do not think anyone will bother to track anyone down because of a cracked password or what happened.

About the password, well, it is a bit hard to crack a password that is 10 random characters, including digits, etc. There are a lot of protection mechanisms in place at reputable websites.

The most common way to steal passwords nowadays is using trojans that hook into browser functions.

But also in some cases, the websites that you use the same passwords at, small websites such as this pool, are vulnerable and attackers may phish the passwords from there, so it is better to use a different password for each account, and maybe keep them in an encrypted txt or something on your computer, but that depends on your situation.


Title: Re: SECURITY ISSUES - anyone interested in a manhunt?
Post by: check_status on May 13, 2012, 05:29:00 PM
such a password can be cracked in less than 2 hours with a Massive Cracking Array Scenario.

Do pools count as 'Massive Cracking Arrays'? Maybe blocks aren't being found as often as they could be because some pools are cracking juicy passwords and then statistically attributing the artificial BTC drought to "Luck". ;)

If you only used a duplicate password on Google and the Pool then either you or the pool is suspect. Does your pool keep IP address sign in logs that you can view? If any BTC is missing you can trace it via the blockchain. Someone has done this for a few high profile thefts.
http://anonymity-in-bitcoin.blogspot.com/2011/07/bitcoin-is-not-anonymous.html
Figure 2 shows how the thief used the blockchain for command and control during the theft by monitoring a LulzSec BTC address.


Title: Re: SECURITY ISSUES - anyone interested in a manhunt?
Post by: flaxceed on May 17, 2012, 11:30:12 AM
As the other posters said, it is almost impossible to track down the person, law enforcement could track it down

how?


Title: Re: SECURITY ISSUES - anyone interested in a manhunt?
Post by: Blazr on May 17, 2012, 02:16:45 PM
As the other posters said, it is almost impossible to track down the person, law enforcement could track it down

how?

LE can contact the ISP of the IP where the attack originally came from and get details on that person; however, it'll likely be a TOR exit node or a proxy, and if the owner hasn't kept proper logs it can be very difficult/impossible to trace it back to the actual hacker's IP. Even then, when there are TOR + proxies involved, getting a conviction in court can be quite difficult, as it can be hard to prove that it wasn't just the exit node owner who initiated the attack, or somebody else along the chain.