Bitcoin Forum
  Show Posts
1  Economy / Scam Accusations / Re: How I believe Cryptostocks.com accounts are being hacked on: April 01, 2014, 03:34:52 AM
How do you suppose it was hacked?  Did the criminal just guess your password on Cryptostocks.com?  Did you share an account with someone else?  You did state that you did not have 2FA on the account.

Check out this web site: https://howsecureismypassword.net/   Enter the password you had on the account at the time and see how secure it was or wasn't.

Danny
2  Economy / Scam Accusations / How I believe Cryptostocks.com accounts are being hacked on: March 31, 2014, 01:32:41 AM
I am an investor on Cryptostocks.com.  I do not have a listing there nor do I intend to start one; however, I do have several BTC invested in several stocks. Over the last couple months I have read multiple "ANNOUNCEMENTS" concerning accounts being compromised and prices of stocks manipulated and funds stolen.  

The basic situation is that someone compromises an issuer's email account and then, once they have access to that account, requests a password reset on Cryptostocks.com.  The reset link is sent to the email address, and now the criminal has access to anything and everything related to the fund account.  The claim made by the fund issuer is that there is a serious security flaw in Cryptostocks.com's system.  I beg to differ. While there is a problem with the way Cryptostocks.com sets up accounts, it is easily overcome with some very basic security precautions.

In order for a "hacker" to compromise a system, all they need is a username and password. Unfortunately, the first part is easy to discern for any issuer of stock on the site.  Cryptostocks requires an email address on each listing.  That is a good requirement (for investors to be able to contact the issuer) except that they require the email address to be on the domain of the issuer's web site, which is also required.  If I start ABCMiningCo and want to issue on CS I have to set up ABCMiningCo.com (or org or io or whatever) and then have an address @ABCMiningCo.com.  I've just given a prospective thief a username for my email.

The next step is to use a brute force attack (http://en.wikipedia.org/wiki/Brute-force_attack) on the email account.  This is the weakness in the system. The very same GPUs we use for mining are exceptionally good at this type of hack.  Looking at the domains created by most companies on CS, they are leasing hosting on someone else's server (for example, GoDaddy.com).  The mail feature on most of these domains does not lock out accounts that have multiple failed attempts, so my brute force software can take its sweet time trying every single combination of keys that the software will use (whether a dictionary or simply going through every combination of keys).

The first security issue is the password itself. I believe this is the biggest threat in this system.  The fix is to have longer passwords that include upper and lowercase letters, numbers, and symbols.  If you use all three types you have 255 possible characters for each character in your password.  This makes the chance of guessing each character correctly 1 in 255 for each character.  If you have an 8 character password that's 255^35th power (1.6939723419747636865968422807304e+84), which seems like a lot, but a desktop computer can figure that out in 275 days, and that's if it's not using an R9290 GPU to do the processing; then the time comes down to weeks instead of months.

Check this out... any standard Windows password in 6 hours. http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/  I imagine a professional criminal organization or government that has an interest in stealing or destabilizing a cryptocurrency would have the resources to acquire a device that can hack passwords in short order.

Make your passwords 16 characters.  Use 4 four letter words that together have no meaning (not a sentence).  Use symbols and numbers and upper and lowercase letters.  For example:

L0ngL3g5H()53hot!  (Long Legs Hose Hot!) would take 931 trillion years for a desktop computer to hack. The aforementioned super password hacking computer listed above would still take 83,885,760,000 years to hack this password (the formula is to convert the 931 trillion years to seconds and then divide by the 350 billion guesses per second the hacking computer is capable of doing).  This is far longer than a hacker is going to work on your account before moving on to easier prey.

The second security issue is the lack of a lockout feature on the leased domain's email server.  The fix for this weakness is to have email hosted by a service that will provide this feature (a redirect to the mail server can be configured in the domain setup).

Finally, a couple more things to consider. First, 2-factor authorization on your email account is an added layer of security. Even if the account password is cracked, a second password is now required.  Both Google Authenticator and the Yubico YubiKey offer one time passwords. Second, under no circumstances use the same password for your email account as you use for your financial instruments.  If you do, the thief doesn't even have to request a password reset first!

This is intended for issuers of stock but is also applicable to stock holders, since if the issuer's account gets compromised, the hacker now has your email address and has some idea of how invested in stocks you are.  Protect yourself!

Danny
1Kqn7t29wSsxhwvLyBEnKHRPX6mWPCatvW
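The arithmetic the post above walks through (and the "how secure is my password" check suggested in the reply further up), as an added example that is not part of either post: a small Python calculator for keyspace (alphabet ** length), entropy and expected crack time at a given guess rate, plus the effect of the lockout the post recommends, modelled as a rate limit on online guessing. It assumes printable-ASCII passwords (at most 95 symbols), takes the 350 billion guesses per second figure the post quotes for the GPU cluster, and uses a hypothetical 10 million guesses per second for a single desktop; the sample password hunter22 is constructed, and L0ngL3g5H()53hot! is the post's own example.

```python
"""Keyspace and crack-time estimates for the brute-force scenario in the post.

Added example, not the poster's code. Assumptions: passwords are printable
ASCII (95 symbols at most), the cluster rate is the 350 billion guesses/s
figure quoted in the post, and the desktop rate is a hypothetical 10 million/s.
"""
import math
import string

# Guess rate the post quotes for the 25-GPU cluster.
CLUSTER_GUESSES_PER_SEC = 350e9
# Hypothetical single-desktop rate, used only for comparison.
DESKTOP_GUESSES_PER_SEC = 1e7

# Character classes and their sizes; together they cover the 95 printable
# ASCII characters (32 punctuation marks plus the space).
_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
    ({" "}, 1),
)


def alphabet_size(password: str) -> int:
    """Smallest printable-ASCII alphabet a brute-forcer must cover, judged by
    which character classes actually appear in the password."""
    if not password or not all(32 <= ord(c) < 127 for c in password):
        raise ValueError("password must be non-empty printable ASCII")
    return sum(n for chars, n in _CLASSES if any(c in chars for c in password))


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidates: alphabet ** length (the exponent is the length)."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """Equivalent key strength in bits: length * log2(alphabet)."""
    return length * math.log2(alphabet)


def expected_crack_seconds(space: int, guesses_per_sec: float) -> float:
    """Average time to hit the password: half the keyspace at the given rate."""
    return space / 2 / guesses_per_sec


def online_guess_rate(max_failures: int, window_seconds: float) -> float:
    """Effective guess rate against a login endpoint that locks the account
    after max_failures failures per window; a lockout is just a rate limit."""
    return max_failures / window_seconds


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit, 3 significant digits."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def report(password: str, guesses_per_sec: float) -> dict:
    """Summarise alphabet, length, bits and expected crack time for a password."""
    a, n = alphabet_size(password), len(password)
    space = keyspace(a, n)
    return {
        "alphabet": a,
        "length": n,
        "bits": round(entropy_bits(a, n), 1),
        "expected_time": human(expected_crack_seconds(space, guesses_per_sec)),
    }


if __name__ == "__main__":
    # "hunter22" is a constructed weak sample; the second is the post's example.
    for pw in ("hunter22", "L0ngL3g5H()53hot!"):
        print(pw, "offline vs GPU cluster:", report(pw, CLUSTER_GUESSES_PER_SEC))
        print(pw, "offline vs desktop:    ", report(pw, DESKTOP_GUESSES_PER_SEC))
        # Online guessing against a mail login that locks after 5 failures / 15 min.
        print(pw, "online, 5 tries/15 min:", report(pw, online_guess_rate(5, 900)))
```

Two things the numbers make visible: the alphabet is decided by the character classes actually present in the password (an all-lowercase 8-character password is a 26^8 search, whatever the site allows), and a lockout of 5 failures per 15 minutes turns even that 8-character password into a multi-million-year job online, which is why the post's second fix matters as much as the first.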

3  Economy / Reputation / Re: Feedback on CFBTC - Crypto Fund BTCless - btcless.com acitivty on: March 31, 2014, 12:01:06 AM
I have shown a lack of interest in your stock because nothing in any of your materials either on Cryptostocks.com or your web site or in the email you sent me in response to your request for feedback on Cryptostocks tells potential investors why we want to put any money in your stock.  Before I put any BTC in a project I want to know how that money will be used and how I personally will benefit from it.  As I told you in my email, your materials tell me a lot about how you intend to sell stock, just nothing about what the company is planning on doing with the profits.

Danny
4  Bitcoin / Hardware / Re: PhotonicMining having pretty big claims, 125 TH/s for 10,000 USD on: March 23, 2014, 08:02:06 PM
Reminds me of Steorn. They were shopping for investors for their "Perpetual motion machine" a few years ago. Lots of claims, lots of technical jargon. While reading the IPO on cryptostocks I immediately thought of them.

http://en.wikipedia.org/wiki/Steorn
5  Other / Beginners & Help / Re: Alt-Coins on: September 30, 2013, 02:09:17 AM
Hi everyone! Can anybody tell me how to see the current difficulty of alt-coin through the client or any other way?

On the qt client there is a green check mark in the lower right corner when your wallet is synced to the network. Hover your pointer over it and the current block and difficulty will display.

Grapemon
6  Other / Beginners & Help / Re: Hey Nubies! What is your favorite coin and why!? on: September 29, 2013, 11:04:07 PM
TODAY my favorite is Stable Coin. I mine them to satisfy my inner geek. The difficulty is low enough that I am able to solo mine them. Last week I was mining Digital Coins with a pool and before that I was mining Litecoins.

I also cash out all my mined coins once a month and it doesn't hurt that SBC has tripled in value (SBC/BTC) since I started.  I take my earnings and buy more or better hardware.

Grapemon1611