Bitcoin Forum
November 22, 2017, 05:09:56 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
Author Topic: *MY* Mt Gox Account was Hacked - lost it all today... now what!?  (Read 9640 times)
MPOE-PR (Hero Member, Activity: 756), February 03, 2013, 09:21:38 AM, post #81

> The bottom line with Bitcoin is that if one wishes to use a currency whose entire security model is based on software and hardware freedom, it is only prudent to say the least to use an operating system based upon Free Software.

This is an excellent point.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.
hardcore-fs (Full Member, Activity: 196), February 03, 2013, 09:48:53 AM, post #82

> > > java version "1.6.0_24"
> > > OpenJDK Runtime Environment (IcedTea6 1.11.5) (ArchLinux-6.b24_1.11.5-1-x86_64)
> > > OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
> >
> > Congrats, your system is wide open.
> > Oracle Java 7 update 10 and earlier Java 7 versions are affected. OpenJDK 7, and subsequently IcedTea, are also affected.
> > Impact
> > By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system
> > IcedTea   Affected   -   16 Jan 2013
> > OpenJDK   Affected   -   14 Jan 2013
> > http://www.kb.cert.org/vuls/id/625617
> >
> > Please stop thinking just because you use Linux your system is somehow invulnerable. It isn't.
>
> Not unless the user is running as root is the system wide open on GNU/Linux. I will not say that GNU/Linux is invulnerable, it just has a way lower risk than Microsoft Windows by about six orders of magnitude. As for the Java vulnerability, disabling the Java browser plugin addresses the vulnerability as per the link above. The latter link also shows how Microsoft Windows is vulnerable to additional attacks via Microsoft Office.

That is not strictly true....
One example: Oracle under Linux. Oracle runs Java inside the database... actually it does not; what it does is launch a JVM as ROOT!!!!! then links that back into the database and onto the user.
Back in 2006/2007 on 9i I found a number of exploits to leverage an attack via Java in Oracle.... I'm still waiting for Oracle to reply back to me. And that was before the current bollocks of Oracle buying Sun and making things 100x worse........

BTC:1PCTzvkZUFuUF7DA6aMEVjBUUp35wN5JtF
molecular (Donator, Legendary, Activity: 2408), February 03, 2013, 11:16:27 AM, post #83

> > > > java version "1.6.0_24"
> > > > OpenJDK Runtime Environment (IcedTea6 1.11.5) (ArchLinux-6.b24_1.11.5-1-x86_64)
> > > > OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
> > >
> > > Congrats, your system is wide open.
> > > Oracle Java 7 update 10 and earlier Java 7 versions are affected. OpenJDK 7, and subsequently IcedTea, are also affected.
> > > Impact
> > > By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system
> > > IcedTea   Affected   -   16 Jan 2013
> > > OpenJDK   Affected   -   14 Jan 2013
> > > http://www.kb.cert.org/vuls/id/625617
> > >
> > > Please stop thinking just because you use Linux your system is somehow invulnerable. It isn't.
> >
> > Not unless the user is running as root is the system wide open on GNU/Linux. I will not say that GNU/Linux is invulnerable, it just has a way lower risk than Microsoft Windows by about six orders of magnitude. As for the Java vulnerability, disabling the Java browser plugin addresses the vulnerability as per the link above. The latter link also shows how Microsoft Windows is vulnerable to additional attacks via Microsoft Office.
>
> That is not strictly true....
> One example: Oracle under Linux. Oracle runs Java inside the database... actually it does not; what it does is launch a JVM as ROOT!!!!! then links that back into the database and onto the user.
> Back in 2006/2007 on 9i I found a number of exploits to leverage an attack via Java in Oracle.... I'm still waiting for Oracle to reply back to me. And that was before the current bollocks of Oracle buying Sun and making things 100x worse........

You nicely illustrate a point by using for an example a piece of software that is closed-source.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
Puppet (Legendary, Activity: 966), February 03, 2013, 12:02:34 PM, post #84

> > > java version "1.6.0_24"
> > > OpenJDK Runtime Environment (IcedTea6 1.11.5) (ArchLinux-6.b24_1.11.5-1-x86_64)
> > > OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
> >
> > Congrats, your system is wide open.
> > Oracle Java 7 update 10 and earlier Java 7 versions are affected. OpenJDK 7, and subsequently IcedTea, are also affected.
> > Impact
> > By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system
> > IcedTea   Affected   -   16 Jan 2013
> > OpenJDK   Affected   -   14 Jan 2013
> > http://www.kb.cert.org/vuls/id/625617
> >
> > Please stop thinking just because you use Linux your system is somehow invulnerable. It isn't.
>
> Not unless the user is running as root is the system wide open on GNU/Linux.

I already showed that the man-in-the-middle attack doesn't require root. Remember how this discussion started: someone who got his MtGox account emptied, and someone else claiming that couldn't have happened when he used a yubikey and/or Linux. Clearly this is not true; it could have happened with a yubikey and running an up-to-date Linux with nothing but very common OSS software from the official repositories (in this case, OpenJDK).

I am in no way suggesting Linux is less safe than Windows, I'm just arguing against the mindset that a yubikey and Linux is all you need to be safe. That's no less silly than thinking a Windows antivirus program solves all problems.
twolifeinexile (Full Member, Activity: 154), February 04, 2013, 02:14:18 PM, post #85

> > > > java version "1.6.0_24"
> > > > OpenJDK Runtime Environment (IcedTea6 1.11.5) (ArchLinux-6.b24_1.11.5-1-x86_64)
> > > > OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
> > >
> > > Congrats, your system is wide open.
> > > Oracle Java 7 update 10 and earlier Java 7 versions are affected. OpenJDK 7, and subsequently IcedTea, are also affected.
> > > Impact
> > > By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system
> > > IcedTea   Affected   -   16 Jan 2013
> > > OpenJDK   Affected   -   14 Jan 2013
> > > http://www.kb.cert.org/vuls/id/625617
> > >
> > > Please stop thinking just because you use Linux your system is somehow invulnerable. It isn't.
> >
> > Not unless the user is running as root is the system wide open on GNU/Linux.
>
> I already showed that the man-in-the-middle attack doesn't require root. Remember how this discussion started: someone who got his MtGox account emptied, and someone else claiming that couldn't have happened when he used a yubikey and/or Linux. Clearly this is not true; it could have happened with a yubikey and running an up-to-date Linux with nothing but very common OSS software from the official repositories (in this case, OpenJDK).
>
> I am in no way suggesting Linux is less safe than Windows, I'm just arguing against the mindset that a yubikey and Linux is all you need to be safe. That's no less silly than thinking a Windows antivirus program solves all problems.

Everyone would agree no system is attack-proof, but a two-factor model and secured software/behaviour practice do add up to the total difficulty of the attack, which shouldn't be put up as "total security theatre", at least from my understanding.
bitcoinBull (Legendary, Activity: 826, rippleFanatic), February 05, 2013, 05:34:27 PM, post #86

Let this be a reminder that keyloggers / trojans are far more common than most people suspect. Enable 2-factor, better safe than sorry.

How to use 2-factor auth on mtgox, even without a smartphone

College of Bucking Bulls Knowledge
SgtSpike (Legendary, Activity: 1358), February 05, 2013, 05:47:31 PM, post #87

> Even just offering the option to assign one pre-determined bitcoin address would provide an equivalent level of security, even if you did no PGP automation whatsoever.  The pre-determined bitcoin address could either be a) withdrawn to directly, or b) for those who know how to sign messages, it could be used to sign a message that permits withdrawal to some other address.  All of this could be evaluated in any environment already accustomed to working with bitcoin keypairs.
>
> We could easily add the "limit to one bitcoin address" thing, but there is a problem with the bitcoin message signature process that makes it difficult to implement (last time I checked the bitcoin message signature uses a different way of signing compared to transactions to make shorter signatures, but it's been an issue).
>
> Add optional "withdraw to one address only".
>
> Add 48 hour delay before changing the addresses, during which you'd get two emails, and see a giant warning when you log in.

This should really be an option.

In fact, a user should be able to specify their own time limit, in hours, that they want a withdrawal address change to be delayed.  They might set it to 1 hour, or 5 days.  A good default might be 48 hours.

The email should contain a link required to confirm the address change.

A person should be allowed to lock their account indefinitely in the event of it being compromised.  A "Freeze my account - it may be compromised" link.  Perhaps this could be a unique link existing in their original registration email (to prevent just anyone from locking other random people's accounts).  This lock could be undone by the person verifying their identification with MtGox support.

The yubikey is good, but not everyone uses it or has one.  Even with the yubikey, I am still afraid of a keylogger.  The above security procedures would largely mitigate risk even against keyloggers and other malware.
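The controls proposed in this post (a single locked withdrawal address, a user-chosen delay before that address can change, an e-mail confirmation link, a login warning while a change is pending, and a freeze link that only support can undo) fit together as one small state machine. The block below is an added example of that design, not Mt. Gox code and not from any poster; all names, the token format, the placeholder addresses and the stolen-session walk-through are my own constructions. It models time as an integer clock passed in by the caller so it runs offline and deterministically.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

HOUR = 3600


class AccountFrozen(Exception):
    """Any action on an account whose owner pulled the freeze link."""


class WithdrawalRefused(Exception):
    """Destination is not the account's locked withdrawal address."""


@dataclass
class PendingChange:
    new_address: str
    effective_at: int       # unix seconds; cannot apply before this
    confirm_token: str      # carried only by the e-mail link
    confirmed: bool = False


@dataclass
class Account:
    withdraw_address: Optional[str]      # None = address lock not enabled
    delay_hours: int = 48                # user-chosen; 48 h is the post's suggested default
    frozen: bool = False
    freeze_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    pending: Optional[PendingChange] = None
    notices: List[str] = field(default_factory=list)   # stands in for e-mails sent


def request_address_change(acct: Account, new_address: str, now: int) -> str:
    """Start the timed change; returns the token the confirmation e-mail would carry."""
    if acct.frozen:
        raise AccountFrozen()
    token = secrets.token_urlsafe(32)
    acct.pending = PendingChange(new_address, now + acct.delay_hours * HOUR, token)
    acct.notices.append(f"change to {new_address} requested; effective at {acct.pending.effective_at}")
    return token


def confirm_address_change(acct: Account, token: str) -> bool:
    """The e-mail link: without it the pending change never applies."""
    p = acct.pending
    if p is None or not hmac.compare_digest(p.confirm_token, token):
        return False
    p.confirmed = True
    acct.notices.append("change confirmed via e-mail link")
    return True


def login_warning(acct: Account) -> Optional[str]:
    """The giant warning the owner sees on every login while a change is pending."""
    if acct.pending is None:
        return None
    return f"WARNING: withdrawal address changes to {acct.pending.new_address} at {acct.pending.effective_at}"


def cancel_address_change(acct: Account) -> None:
    acct.pending = None


def freeze(acct: Account, token: str) -> bool:
    """'Freeze my account': only the token from the registration e-mail works,
    so nobody can lock arbitrary accounts; undone only after support verifies identity."""
    if not hmac.compare_digest(acct.freeze_token, token):
        return False
    acct.frozen, acct.pending = True, None
    return True


def unfreeze(acct: Account, identity_verified_by_support: bool) -> bool:
    if identity_verified_by_support:
        acct.frozen = False
    return not acct.frozen


def apply_due_change(acct: Account, now: int) -> bool:
    p = acct.pending
    if p is not None and p.confirmed and now >= p.effective_at:
        acct.withdraw_address, acct.pending = p.new_address, None
        return True
    return False


def withdraw(acct: Account, to_address: str, now: int) -> bool:
    if acct.frozen:
        raise AccountFrozen()
    apply_due_change(acct, now)
    if acct.withdraw_address is not None and to_address != acct.withdraw_address:
        raise WithdrawalRefused()
    return True


def scenario_stolen_session() -> dict:
    """Constructed walk-through: a stolen login tries to redirect funds; worst case, the
    confirmation e-mail is reachable too. The delay plus the owner's freeze still hold."""
    owner, other = "1OwnerAddressPLACEHOLDER", "1OtherAddressPLACEHOLDER"
    acct = Account(withdraw_address=owner)
    confirm_address_change(acct, request_address_change(acct, other, now=0))
    try:
        withdraw(acct, other, now=HOUR)      # 47 hours too early
        refused_early = False
    except WithdrawalRefused:
        refused_early = True
    warning = login_warning(acct)           # owner logs in, sees it, pulls the freeze link
    frozen = freeze(acct, acct.freeze_token)
    try:
        withdraw(acct, other, now=49 * HOUR)
        blocked_after_delay = False
    except AccountFrozen:
        blocked_after_delay = True
    return {"refused_early": refused_early, "warning_shown": warning is not None,
            "frozen": frozen, "blocked_after_delay": blocked_after_delay,
            "address_unchanged": acct.withdraw_address == owner}
```

The two tokens deliberately live in different channels: the confirmation token only ever travels in e-mail, and the freeze token was issued at registration, so a session cookie or a keylogged password alone yields neither. Option (b) in the quoted text (signing a message with the key of the locked address to authorise a one-off withdrawal elsewhere) would slot in as a second branch of `withdraw` that verifies the signature before skipping the address check; it is left out here because it needs an ECDSA library rather than the standard library.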