|
As far as i am concerned, malicious actor were able to obtain API keys, 2FA codes, etc.. from the victims, correct ?
Why does binance even cover those losses which obviously happened due to people who have no idea how to secure sensitive information ?
There was no security breach at all (correct me if i'm wrong). What has binance to do with this ? Why reimbursing the customer for something which is not their fault ?
It is not like the developer of core now reimburse anyone who gets his funds stolen because he publicly posts his private keys.
Or shall ThomasV now reimburse everyone who publicly posts his seed which results in funds getting stolen ? I don't think so.
So.. i see 3 possibilities:
1) Binance indeed head a security breach and feels responsible
2) This is some sort of 'hackers stole money' - tax fraud from binance
3) Binance is just plain stupid for covering the losses caused by the victims
|
|
|
|
I only keep my private key in a usd flash drive and only put it on my trusted computer.
Does this mean.. your only backup is a file on your usb flash drive ? That's not recommendable. Flash memory chips can break, bits can flip (corrupting your data) or they can simply die due to environmental influences. You shouldn't rely on electronic devices only. You just need to make sure that your flash drive or computer is safe from any virus.
And how can you guarantee that? |
|
|
|
Ok then how is it possible for hackers or law enforcement to gain access to your coins on the nano s if that is the case? I did hear stories hackers getting access to coins on ledger nano s hardware and regular upcoming firmware updates means old version is not secure and can be hacked. I never heard stories about law enforcement "hacking" their way into a Ledger device. If that was possible the devices would be worthless. Maybe law enforcement got court orders and received the necessary access details from the device owners. 'Hacking' into the nano s is indeed not possible without some high level 0-day exploits. What i can think of, is that law enforcement agencies had a warrant, and were able to seize all necessary things (e.g. nano s + pin somewhere written o paper or mnemonic code). I can't imagine them technically hacking into the nano s to gain access to the BTC. |
|
|
|
Yeah its about some upper/lower case letter something like this - TodayIsTuesday2019 so I'm missing upper case letter or variation - IsItTuesdayToday2019...
Which app you are recommending for brute force? And is it possible to brute force second password on MultiBit/Blockchain.info with that app?
Thanks.
In this case, btcrecover should find the correct passphrase in a very short amount of time. For x letter in your password, it needs to check 2 x variations. With 10 letter, there are 1024 possibilities (which is a really low number for bruteforcing). This would probably run through in less than 5 seconds. You just need to properly configure the token file. If you need further help in configuring it, feel free to ask for assistance. Also.. please do not talk to 'helpful newbies'. Most of them (if not all) are scammer: Let me know if you need guidance
Koch44
|
|
|
|
1. Pretty much money were stolen due to such hacks. Does any one got any compensation from the side of devs that allowed such things to happen? I know that the question is naive and everyone probably got nothing but anyway...
It depends on the point of view. There were no hacks. There was a (low severity) vulnerability which allowed malicious server to show a message. Nothing more. Multiple people have fallen for this (very bad) phishing attempt and downloaded malware. This happens quite often (less often through a message from the electrum server, more often from some phishing sites). The devs have nothing to do with it. If you visit any phishing site which has electrum in its name and download malware.. shall they compensate you for this mistake too ? It is the users responsibility to use their common sense and to not fall for phishing attempts. 2. Is it safe to use old versions of Electrum? Considering that some errors, asking to update wallet might be a malware is it safe just to stick to one wallet?
I'd always try to stay up-to-date. While a specific version might be safe today, there could be some dangerous vulnerabilities or bugs found tomorrow. You should always aim for an up-to-date system. You just need to make sure to download electrum from the original site ( https://electrum.org/#home) and from nowhere else. Then you are safe. |
|
|
|
Ok I was thinking of taking the ledger nano s to a friend computer with windows 10 however I don't know how secure is computer is so my only option on my friends windows 10 computer is safe mode with networking?
It doesn’t matter if his PC is secure. That’s the beauty of a hardware wallel.
This applies to using the wallet, not to updating the wallet.
If the firmware updates aren't signed (which i think they aren't, because people already have been able to flash their own firmware onto the nano s), his friend could (if he wanted to be malicious) have a malicious version of ledger live installed on his computer and a malicious firmware update prepared.
OP would then 'update' his nano s with a malicious firmware.
Of course, the next time OP would access the nano s with a non-malicious version of ledger live, he would get a message stating that the firmware is not genuine.
But at the computer of his friend, all would look normal.
I know, that's quite a stretch. And one shouldn't have such friends. But updating a hardware wallet is not always secure. You need a clean / trustworthy computer to do so.Edit: It seems, the nano s does indeed check whether the firmware (to be installed) is signed by ledger. Somehow weird, i thought people were able to flash own firmware onto the nano s... Oh well.. hence, my theoretical attack is not possible. And currently i can't think of why updating the nano s on an compromised computer could pose a risk. |
|
|
|
Bottom line, Always update the browsers you use very often. No app is 100% security proof. Always, the hackers somehow exploit a certain vulnerability. A few days back, we had this too 4-May-2019 FireFox USERS READ THISThere was no security issue or whatsoever in firefox. Mozilla just didn't update their SSL certificate properly in time. Therefore the warning appeared that the add-ons couldn't be verified (because certificate invalid). But there hasn't been any vulnerabilities or anything else security-related. |
|
|
|
[...] disabled every single tracking and telemetry features in the operating system [...] Eight hours later, he found that the idle Windows 10 box had tried over 5,500 connections to 93 different IP addresses, out of which almost 4,000 were made to 51 different IP addresses belonging to Microsoft.
That's insane. Microsoft is slowly on their way being a bigger data kraken than google.. And to achieve that, you really have work for it.. Long story short: Stop using Windows.
+1 for this. The only reliable way. |
|
|
|
So where are your bitcoins now! are they considered burned?
No. He send BCH to a BTC address (owned by coinbase). Coinbase is able to gain access to these BCH, but doesn't want to recover them for OP (which is understandable). or will somebody one day generate a new bitcoin wallet and find your bitcoins there?
Even if the coins would have been sent to a different valid address no one has the keys of, the chances of generating a private-/public key pair which results in given address is close to zero. |
|
|
|
I wanted to ask if we need to check the hardware as well as Ledger has given instructions to do so but I don't want to tamper with the device as it may break. Is it necessary to check the hardware as well?
Well, this depends on how safe you want to be. Since the firmware will be checked once you access your nano s via ledger live, the only option which could pose a risk would be tampering with the hardware. Do you trust the person who gifted you the nano s ? Was it a friend / relative ? Or some stranger ? Does the case of the nano s look untouched ? It requires quite some technical know-how to get and set up the required hardware and build it into the nano s to compromise the device. Usually (if you got it from a friend / relative), are not paranoid and don't want to store a massive amount of BTC on it, it should be fine without checking the hardware (my personal opinion). But if you want to be 100% sure or got it gifted from an unknown / not that trustworthy person, i'd check it. |
|
|
|
There is no need to correct something, this is your opinion and I have my own.
Unfortunately this is not a matter of opinion. Windows 7 is missing quite a few security features, which are present in windows 10. While it might be true that windows 10 has some 'features' which collect data for 'enhancing user experience', all of them can be turned off. Turning off the data collection in windows 10 is way easier than getting win7 to be as secure as win10 is. |
|
|
|
Hi everyone,
im not new in any way i just dumped the Bitcoin Core software today because i found out that bitcoin.org took over the whole Transaction verifying andf Centralized it while stating they want decentralized verifikation.
First for you all as Info:
I was running a Full node for Years now, could pay my costs for the node by the income of the Core software, not much costs at all, but it was capped by the income for transaction ver4ifying ad so on.
since a few weeks my balance in the Core Wallet was first not moving at all, then went negative, then stopped at zero while still Transactions running through my Node, i didnt get a Cent for that anymore, they overtook it silently and without warning.
 I dont want them to verify Transactions remote controlled on my PC, thats a Security issue i can not accept,
? Every node verifies the transaction it receives. There is no remote control going on  My port 8333 was open the whole time, made me vulnerable and i had to add additional Security features on my PC to keep the Roamers away who frequently visited my PC, opened every Textfile for Private Keys or worse. I have proof it hapened.
Opening a port itself does not necessarily create a security risk. If you have remote access on your computer, it is infected with malware. This has nothing to do with core. I'd also love to see the proof. But for the Beginning i would be happy to know they dont connect to my PC again for verifying anything.
Are you talking about incoming connections from the bitcoin network ? That's how the network works. Noone has access to any files or similar on your computer. You are just exchanging block data. That's all. |
|
|
|
This is not possible.
In order to access the system files, you need to have root access. Trying to access the system files without rooting is impossible even you are using ADB you can't access these folders because it still requires the mobile phone to be rooted.
It is possible. It is correct that you need a rooted device to access all information on your mobile or to access information from a different context. But.. as i have mentioned, IF the application allows to be run in debug mode, you can enter the user context of this specific application via adb. Then, you can access all data from its context (meaning all data stored by this particular application). This can be done with the adb command: run-asApplication developer can disable the option to be run in debug-mode. And in fact, security orientated applications should do that, but a lot of those still allow to be run in debug mode. |
|
|
|
But what if you've imported a bunch of keys prior to encrypting? Then each individual key is contained unencrypted in the wallet.dat file, no?
Does importing keys into an already encrypted wallet prevent the unencrypted keys from betting written to the drive?
No, imported keys are also encrypted. There is no unencrypted (sensitive) information anywhere on your harddrive left after encrypting your wallet file. Just make sure to backup your wallet file after encrypting / importing keys. Sensitive information is just accessible unencrypted when your wallet is unlocked (master key stored in RAM). |
|
|
|
I have a wallet.aes.json file backup from blockchain.info (from 2013), I know first password, but I forgot second, I know about which might be but I do not know the exact variation, 12 phrase word is lost too.
If you know how it should look like, but just don't know the exact variation, bruteforcing should be doable in a reasonable amount of time. What exactly are you missing in your variation ? Do you know the amount of character ? Are you just missing a few one ? Is it about upper / lower case letters ? Are you looking for a permutation of your characters ? |
|
|
|
It is still a fully operational and secure very unsecure operating system
I fixed that for you. Honestly, windows 7 is far away from being a secure OS. If you compare it to windows 10, it is basically an open barn door screaming 'i am vulnerable'. Windows 10 has a superior concept with less flaws and more security tools / features (e.g. EMET). Almost every windows 7 computer which is connected to the internet can be compromised with a quite low amount of effort. |
|
|
|
All those were mostly fishing type of attack that has potential to affect exclusively transactions signed by "hot" Electrum while trx signed by "cold" one remain immune.
No attack is targeting 'signed transactions' in any way. That's not a surface for an attack. You either target the key storage or the signing process. But not the transaction itself. If the transaction is signed, there is nothing which can be changed anymore. The transaction has to be manipulated before signing, which can happen either on an online computer or offline computer (e.g. through compromised USB). Another curiosity that is driving me crazy is the secure element that is put into the specialized chips of hardware wallets. What makes the secure element so secure and makes it stand exceptional from others?
A hardware wallet contains a hardened microcontroller with less interfaces than a normal microcontroller and a smaller attack surface. The private keys are stored inside of (and never leave) the secure element. Upon booting, it verifies the firmware (whether it has been tampered with) and only proceeds if the software running on the nano s is genuine. The private keys can not be extracted out of the nano s, the only way to 'access' the private keys is to give it a transaction to be signed (which requires a verification on the device itself). Extracting the private keys itself, is not possible. NOT Kali, this is a VERY UNSAFE distro (runs as root). It is meant for attacks not protection, like a bunch of tools you take to a place for penetration testing on commission, not intended for installs or continued use.
Kali itself is not unsafe. Upon installation it doesn't create a normal user account, but this can be done with an one-liner. The reason kali is not suitable for everyday-use is because it requires quite some configuration if you want to use it as your daily OS. Tails OS comes with Electrum client built into the OS
It does, but it is outdated. You won't be able to connect to an electrum server with the outdated version. So, you'll need to download it anyway, which lets you also choose any other distro. |
|
|
|
[...] because it is a fact that over 63% of viruses are never found.
I know that quite a lot of malware stays undetected.. but where do you got the 63% from ? Do you have any source for this ? This seems to be a very precise number. [...] and almost all malware also comes encrypted through malware encrypters or normal encrypters that are advertised as normal file encrypters but is almost solely used for malware encryption that encrypts the virus [...]
Holy moly.. that's a lot of encryption here  Almost encryptception. How to be secure?
What you want to do is do malware scans with different malware engines to check, because often they are very different and work in a very different way.
You mentioned yourself, that malware can hide itself (i.a. polymorphic, encryption, ..). Therefore relying on AV's too much, won't help (not saying that it's not good to have one!). And since checking all applications accessing some online services is not really an option on windows (for a not that techy user), the best weapon against malware is common sense IMO. You should definitely include common sense in your small guide. |
|
|
|
If it is not air-gapped all the time, you again have the problem with the rootkit scenario.
Rootkit (and any other malware) on online machine has no chance to compromise transaction signed by correct private key on air-gapped one, to be correct it can change but, such compromised trx will not be broadcasted. Once more, read carefully all my previous post and try to comprehend them before arguing. Compromise a transaction ?  Your whole thinking is wrong. If you are using the same machine for signing offline and online stuff, it is not air-gapped. You seem to not understand the scenario at all. I will briefly explain it to you (once. if you don't understand it afterwards.. your problem): - You have your computer which is used to be connected to the internet which you 'air-gap' for signing transactions offline (according to you)
- This computer is infected with a rootkit
- You boot from your live USB, because you want to sign a transaction
- The rootkit gains access to all of your seed / private keys (because there are not protected by a secure element, they are just on your USB and if your live OS can access it, the rootkit can too)
- You sign your transaction
- You shut your PC down completely
- You boot your main OS and go online to broadcast the transaction
- The rootkit already has your private keys, and now with internet access, has the ability to send the private keys to the attacker
- -> You know lose all coins associated with the seed / private keys which are stored on your USB
- -> Your so-called 'mimiced hardware wallet' is proven to be not as secure as a real hardware wallet because it lacks the components which define a hardware wallet.
I hope you do understand this. Maybe read that carefully a few times, if you don't  So, instead of posting wrong information.. try to understand the things you are talking about. For the future: If you want to post something, log off, research for 1 or 2 hours, if still necessary to post -> post. Your misinformation are not needed here. And if you get disabused from a misconception, accept it. not a stupid bootable USB.. that idea is not even close to being as secure as a hardware wallet), but lacks lots of convenience.
u're wrong. that's all I can tell u. Yes.. thats 'all you can tell me'.. simply because you don't know what you are talking about. |
|
|
|
Ok can I download and use Recovery Check App on old firmware 1.3.1 before I update firmware just to make sure?
Unfortunately i don't know whether it works with 1.3.1. But you could simply try it out. Open the ledger manager and browse the available Apps, search for 'recovery check'. If it doesn't work (e.g. because the app is not available for your firmware version), you could download the site https://iancoleman.io/bip39/, then burn a live linux ISO on a bootable USB, boot from the USB and enter your seed into the downloaded site. Then check whether the address produced matches with yours from ledger live. The first option (recovery check app) is obviously easier. But definitely make sure you have the correct backup of your seed before proceeding with updating the firmware. |
|
|
|
|
Show Posts
