*MY* Mt Gox Account was Hacked - lost it all today... now what!?

[twolifeinexile]

How much security does Yubi key really add if your PC is compromised?

Im not sure I fully understand this; if the attacker has root access to my PC, he can show me whatever he wants, and send something else to Mt Gox. All he would have to do is wait for me to do whatever transaction that requires the yubi key, provide Mt gox with a different transaction instead, show me the challenge for that fraudulent transaction and make me confirm it.

Im no expert, never used mtgox or yubi key,  but what am I missing?

That is man in the middle attack, which attacker need a full implenmentation to a specific website to mimic the behavior, and at the same time, not only gaining admin right of your computer, install key logger. , but also change your browser in a very specific way ( for spoofing that specific website, they either install fake certificate authority or disable the function at the same time make the browser behave like normal.)

And doing all these without any infected syndrome.
If the attacker have this capability, thy should start their own business rather than stealing money, way more profitable.

[1713254669]

1713254669

[1713254669]

1713254669

[1713254669]

1713254669

[1713254669]

1713254669

[1713254669]

1713254669

[Puppet]

How much security does Yubi key really add if your PC is compromised?

Im not sure I fully understand this; if the attacker has root access to my PC, he can show me whatever he wants, and send something else to Mt Gox. All he would have to do is wait for me to do whatever transaction that requires the yubi key, provide Mt gox with a different transaction instead, show me the challenge for that fraudulent transaction and make me confirm it.

Im no expert, never used mtgox or yubi key,  but what am I missing?

That is man in the middle attack, which attacker need a full implenmentation to a specific website to mimic the behavior, and at the same time, not only gaining admin right of your computer, install key logger. , but also change your browser in a very specific way ( for spoofing that specific website, they either install fake certificate authority or disable the function at the same time make the browser behave like normal.)

And doing all these without any infected syndrome.
If the attacker have this capability, thy should start their own business rather than stealing money, way more profitable.

Really doesnt seem that complicated to me, doesnt require a custom browser or even a key logger. Heck, you can probably pull it off with  something as simple as a greasemonkey script.  And yeah, someone knowledgeable might notice that, but those are the people that dont get infected very often in the first place.

[twolifeinexile]

How much security does Yubi key really add if your PC is compromised?
Im not sure I fully understand this; if the attacker has root access to my PC, he can show me whatever he wants, and send something else to Mt Gox. All he would have to do is wait for me to do whatever transaction that requires the yubi key, provide Mt gox with a different transaction instead, show me the challenge for that fraudulent transaction and make me confirm it.
Im no expert, never used mtgox or yubi key,  but what am I missing?

That is man in the middle attack, which attacker need a full implenmentation to a specific website to mimic the behavior, and at the same time, not only gaining admin right of your computer, install key logger. , but also change your browser in a very specific way ( for spoofing that specific website, they either install fake certificate authority or disable the function at the same time make the browser behave like normal.)
And doing all these without any infected syndrome.
If the attacker have this capability, thy should start their own business rather than stealing money, way more profitable.

Really doesnt seem that complicated to me, doesnt require a custom browser or even a key logger. Heck, you can probably pull it off with  something as simple as a greasemonkey script.  And yeah, someone knowledgeable might notice that, but those are the people that dont get infected very often in the first place.

They also have a very short term window(in case of Google authenticator) to attack. ( I believe in case of MtGox, once you disable your 2 factor , then you are disallowed to withdraw for some period, so by tricking you enter a one time password could not used to disable the whole 2-factor authentication, they need to immediately use your one time password and send a withdraw request).

And they need to change the browser behavior, since you can not just spoof a website without security warning if browser certificate infrastructure is unchanged.

Adding certificate authority should trigger a security warning in most operation systems and ask for admin password on the fly. So the attacker need to disable these features as well.

Seems a lot of job to me. Of course doable,but way more secure than just have your online password stolen and you are f*cked.

[Puppet]

They also have a very short term window(in case of Google authenticator) to attack. ( I believe in case of MtGox, once you disable your 2 factor , then you are disallowed to withdraw for some period, so by tricking you enter a one time password could not used to disable the whole 2-factor authentication, they need to immediately use your one time password and send a withdraw request).

Thats not a problem. The attack would happen in realtime anyway. Basically all the attacker has to do is send a different bitcoin address to MtGox compared to whats shown on the screen.

And they need to change the browser behavior, since you can not just spoof a website without security warning if browser certificate infrastructure is unchanged.

You dont have to! Im not sure anything would need to be changed on the client side, but if so, greasemonkey will do that for you without any impact on security certificates whatsoever. It basically alters the HTML after its been received. Im not a coder, but it cant take make than a few lines of code to modify one address in to another.

Adding certificate authority should trigger a security warning in most operation systems and ask for admin password on the fly. So the attacker need to disable these features as well.

Again, I dont think so. Ill give it a try by running some greasemonkey script on eg gmail, but Im fairly certain I will still see a green padlock icon and no other warnings. That said, even if you would have to spoof everything, its not rocket science for a decent script kiddy. HTML5 fullscreen FTW.  This seriously sounds easier to me than writing a key logger. As illlustration: http://feross.org/html5-fullscreen-api-attack/

[Puppet]

Allright, I tried it. I installed greasemonkey and then some random greasemonkey script that switches gmail to minimal layout.
To get there, Ive never entered my root password, so root isnt even needed (in contrast to a keylogger!). Gmail address bar shows everything okey dokey, and there is no obvious way to see greasemonkey is even running. There is a greasemonkey button added to the toolbar that I didnt even notice at first, but I can remove it, without needing any root privilege.  Mind you, the attacker wouldnt even have to use greasemonkey as such, just trying to show how "easy" it can be.

[Puppet]

One more comment; with my homebanking, I have a card reader in which I have to insert my ATM card, and enter the challenge presented by my homebanking website. This challenge always includes the amount and some significant digits of the account Im transferring to. If someone were to use a "greasemonkey in the middle" attack on me, at least I might notice the amount/and or account number dont match what Im trying to send. As I understand, Yubi key doesnt have anything like that, you just plug it in, and thats it. I hate to say it, but that sounds like security theatre to me. Having a unique and decently safe password would give the exact same security AFAICT. If your PC is compromised, not even rooted (!), you are SOL with or without yubi.

[twolifeinexile]

They also have a very short term window(in case of Google authenticator) to attack. ( I believe in case of MtGox, once you disable your 2 factor , then you are disallowed to withdraw for some period, so by tricking you enter a one time password could not used to disable the whole 2-factor authentication, they need to immediately use your one time password and send a withdraw request).

Thats not a problem. The attack would happen in realtime anyway. Basically all the attacker has to do is send a different bitcoin address to MtGox compared to whats shown on the screen.

And they need to change the browser behavior, since you can not just spoof a website without security warning if browser certificate infrastructure is unchanged.

You dont have to! Im not sure anything would need to be changed on the client side, but if so, greasemonkey will do that for you without any impact on security certificates whatsoever. It basically alters the HTML after its been received. Im not a coder, but it cant take make than a few lines of code to modify one address in to another.

Adding certificate authority should trigger a security warning in most operation systems and ask for admin password on the fly. So the attacker need to disable these features as well.

Again, I dont think so. Ill give it a try by running some greasemonkey script on eg gmail, but Im fairly certain I will still see a green padlock icon and no other warnings. That said, even if you would have to spoof everything, its not rocket science for a decent script kiddy. HTML5 fullscreen FTW.  This seriously sounds easier to me than writing a key logger. As illlustration: http://feross.org/html5-fullscreen-api-attack/

I checked with your illustration, I definitely agree it is possible to attack this way, but as I said, they need to implement a full browser functionality and specific website functionality to get this working, otherwise, a little savvy will help you quickly realize something is wrong. At least when I press the button, I got two address bars, mine and the fake one. And the "website" is not reactive to normal operations. (Checking certificate, for example, and my address bar did show it is not BOA.)

And this is why when I setup two-factor authentication, I usually not make it default for login, but only for withdraws or change security settings, since this way, they at least need some work to make website specific behavior.


Thanks for pointing this possibility out though.

[twolifeinexile]

Allright, I tried it. I installed greasemonkey and then some random greasemonkey script that switches gmail to minimal layout.
To get there, Ive never entered my root password, so root isnt even needed (in contrast to a keylogger!). Gmail address bar shows everything okey dokey, and there is no obvious way to see greasemonkey is even running. There is a greasemonkey button added to the toolbar that I didnt even notice at first, but I can remove it, without needing any root privilege.  Mind you, the attacker wouldnt even have to use greasemonkey as such, just trying to show how "easy" it can be.

Isn't installing addons trigger a security response?

[Puppet]

I checked with your illustration, I definitely agree it is possible to attack this way, but as I said, they need to implement a full browser functionality and specific website functionality to get this working

?
Website specific, yeah sure, but the website specific code would be like a few dozen lines of javascript that just changes the bitcoin address. And there is no need to implement a full browser, your victim already has a perfectly capable browser, you only need to enable an addon with functionality like greasemonkey and the "10 line" script. Thats not harder than copying a few readily available files to your victims mozilla folder. No root needed. Greasemonkey is opensource, so it would also be trivial to make a few changes that even the button doesnt appear. Honestly, i think even I could even pull this off, and I cant really code.

, otherwise, a little savvy will help you quickly realize something is wrong. At least when I press the button, I got two address bars, mine and the fake one. And the "website" is not reactive to normal operations. (Checking certificate, for example, and my address bar did show it is not BOA.)

Ah, you mean the HTML5 spoof? Okay. Well, obviously you can spoof the certificate checking just as well (Im a little surprised the author didnt), because you arent even looking at a real address bar.  And the site is not responsive because the author didnt want to steal your money. Its a proof of concept.

Isn't installing addons trigger a security response?

None. Im using ubuntu, no sudo popup, meaning anyone with user access to my machine could install it. Makes sense since the browser addons are stored in the user's home folder, so there is nothing to prompt for root. Feel free to try on windows, but even if the windows GUI would popup some security question, I suspect in windows its fundamentally no different, and only user privileges are required if you do it by accessing the file system directly, as any hacker would.

[ArticMine]

One more comment; with my homebanking, I have a card reader in which I have to insert my ATM card, and enter the challenge presented by my homebanking website. This challenge always includes the amount and some significant digits of the account Im transferring to. If someone were to use a "greasemonkey in the middle" attack on me, at least I might notice the amount/and or account number dont match what Im trying to send. As I understand, Yubi key doesnt have anything like that, you just plug it in, and thats it. I hate to say it, but that sounds like security theatre to me. Having a unique and decently safe password would give the exact same security AFAICT. If your PC is compromised, not even rooted (!), you are SOL with or without yubi.

Does the card reader work on GNU/Linux? Or does it require Microsoft Windows? If it requires Microsoft Windows or some other propriety OS then I suggest that the setup above is security theatre. Let me guess the OP was running Microsoft Windows, the computer was compromised with malware and the MTGox password was captured by the attacker.

Once one accepts that fact that Microsoft Windows is a magnet for all sorts of malware and keyloggers and switches to GNU/Linux well over 99.999% of the risk is eliminated. For extra security set up the MtGox account with both a YubiKey obtained from MtGox and Google Authenticator. One should use both in case the Yubikey fails or is lost or the Google Authenticator private key becomes un obtainable or is lost.

By the way the savings in unnecessary software licensing costs by switching form Microsoft Windows and proprietary applications to GNU/Linux and Free Software may be enough to replace a portion if not all of the OP's loss. 

[Puppet]

Does the card reader work on GNU/Linux? Or does it require Microsoft Windows?

Its standalone, it doesnt even connect to your PC, so you could be running OS/2 for all I care. It looks like a calculator, you insert your ATM card, enter your pin, enter the numbers (=challenge) from the website on the "calculator" and you retype the response on your PC. Tedious? Yeah, it is, but at least it does offer more real security then a USB dongle that will sign anything.

Let me guess the OP was running Microsoft Windows, the computer was compromised with malware and the MTGox password was captured by the attacker.

Once one accepts that fact that Microsoft Windows is a magnet for all sorts of malware and keyloggers and switches to GNU/Linux well over 99.999% of the risk is eliminated.

Though Im a linux user, I cant agree. If windows were to be eliminated and replaced by linux, malware would just follow. If firefox has some vulnerability that can be exploited, running linux offers no help. As I demonstrated, for the kind of attack I described, no root access is even needed. Any dodgy user level software could open one up to such an attack, regardless if you run windows, os-x or linux. Regardless if you use a ubikey or use google authenticator.

For extra security set up the MtGox account with both a YubiKey obtained from MtGox and Google Authenticator. One should use both in case the Yubikey fails or is lost or the Google Authenticator private key becomes un obtainable or is lost.

I guess you read nothing of what I wrote.

[ArticMine]

Does the card reader work on GNU/Linux? Or does it require Microsoft Windows?

Its standalone, it doesnt even connect to your PC, so you could be running OS/2 for all I care. It looks like a calculator, you insert your ATM card, enter your pin, enter the numbers (=challenge) from the website on the "calculator" and you retype the response on your PC. Tedious? Yeah, it is, but at least it does offer more real security then a USB dongle that will sign anything.

What you describe most certainly adds security because it does not require Microsoft Windows, it is actually very similar to what Google Authenticator or a Yubikey would do. I have come across situations where a bank has required the reader to be connected to the PC with a Windows only driver for the reader. In which case this actually makes the situation far worse by forcing the user to use Microsoft Windows

Let me guess the OP was running Microsoft Windows, the computer was compromised with malware and the MTGox password was captured by the attacker.

Once one accepts that fact that Microsoft Windows is a magnet for all sorts of malware and keyloggers and switches to GNU/Linux well over 99.999% of the risk is eliminated.

Though Im a linux user, I cant agree. If windows were to be eliminated and replaced by linux, malware would just follow. If firefox has some vulnerability that can be exploited, running linux offers no help. As I demonstrated, for the kind of attack I described, no root access is even needed. Any dodgy user level software could open one up to such an attack, regardless if you run windows, os-x or linux. Regardless if you use a ubikey or use google authenticator.

For extra security set up the MtGox account with both a YubiKey obtained from MtGox and Google Authenticator. One should use both in case the Yubikey fails or is lost or the Google Authenticator private key becomes un obtainable or is lost.

I guess you read nothing of what I wrote.

I have and while it is theoretically possible to compromise a GNU/Linux system it is way way harder than with Microsoft Windows. One of the reasons is cultural. How do you get the malware software on to the end user system in the first place? With GNU/Linux say Ubuntu the end user is encouraged to use trusted repositories, with the alternative being downloading the source code and compiling the software. The latter deters those users that are not technically savvy, who are precisely the most vulnerable. With Microsoft Windows the vast majority of the software is not obtained from a centralized trusted source. Furthermore many otherwise legitimate vendors prompt for the installation of all sorts of adware and toolbars. This effectively blurs the line between legitimate software and malware. I have seen even very experienced Windows administrators get fooled by Windows malware. I know because I had to clean up the mess.

What you are describing is a malicious Firefox add on that is downloaded from an untrusted source. I suggest that between two users with the same level of expertise one on Microsoft Windows and one on GNU/Linux, the Windows user is far more likely to download malware for the cultural reasons above.

[Puppet]

The HTML5 phishing attack works on any OS, and for the monkey-in-the-middle attack, you wouldnt even have to download malware, just buggy software that opens an attack vector is enough. Vulnerabilities in eg Firefox tend to be crossplatform.
If you think you are so secure just because you run linux, tell me the output of

Code:

java -version

[notme]

The HTML5 phishing attack works on any OS, and for the monkey-in-the-middle attack, you wouldnt even have to download malware, just buggy software that opens an attack vector is enough. Vulnerabilities in eg Firefox tend to be crossplatform.
If you think you are so secure just because you run linux, tell me the output of

Code:

java -version

java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5) (ArchLinux-6.b24_1.11.5-1-x86_64)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)

[Puppet]

java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5) (ArchLinux-6.b24_1.11.5-1-x86_64)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)

Congrats, your system is wide open.
Oracle Java 7 update 10 and earlier Java 7 versions are affected. OpenJDK 7, and subsequently IcedTea, are also affected.
Impact
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system
IcedTea   Affected   -   16 Jan 2013
OpenJDK   Affected   -   14 Jan 2013
http://www.kb.cert.org/vuls/id/625617

Please stop thinking just because you use linux your system is somehow invulnerable. It isnt.

[MPOE-PR]

The HTML5 phishing attack works on any OS, and for the monkey-in-the-middle attack, you wouldnt even have to download malware, just buggy software that opens an attack vector is enough. Vulnerabilities in eg Firefox tend to be crossplatform.
If you think you are so secure just because you run linux, tell me the output of

Code:

java -version

The program 'java' can be found in the following packages:
 * gcj-4.4-jre-headless
 * openjdk-6-jre-headless
 * cacao
 * gij-4.3
 * jamvm
Try: sudo apt-get install <selected package>

What nao?

[Puppet]

What nao?

Good for you. A windows user that doesnt have java installed isnt vulnerable to this exploit either.

But I think I made my point clear enough ; Yubi key doesnt protect you from much if anything other than easy to guess or non unique/stolen passwords. And running Linux doesnt change anything about that. The vast majority of linux users, even the ones that also use a ubi key will still be vulnerable to these kinds of attacks.

[MPOE-PR]

What nao?

Good for you. A windows user that doesnt have java installed isnt vulnerable to this exploit either.

But I think I made my point clear enough ; Yubi key doesnt protect you from much if anything other than easy to guess or non unique/stolen passwords. And running Linux doesnt change anything about that. The vast majority of linux users, even the ones that also use a ubi key will still be vulnerable to these kinds of attacks.

We certainly agree on that score: no "website" style interface is sufficiently secure or can be made sufficiently secure to handle bitcoins. As long as you see a "login" over http it's vulnerable. All the dongles and doohickeys in the world, be they yubikeys or whatever else, all the software solutions in the world, be they https or whatever else can't fix the simple fact that http is not a stateful protocol, and consequently the notion of "logged in" is irretrievably broken.

[Puppet]

Im not sure about that. For instance, it would help a whole lot if MtGox/yubi didnt only authenticate the user, but also the transaction. A more intelligent and versatile device (or a smartphone) could show you the transaction and let you authenticate that specific transaction, and nothing else. Hacking that would be orders of magnitude more difficult I think.

Im sure there are other ways, and perhaps what I describe isnt feasible or can be hacked in other ways, its just that this yubi key as is seems to add extremely little extra security (and using linux doesnt add all that much either).

[ArticMine]

java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5) (ArchLinux-6.b24_1.11.5-1-x86_64)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)

Congrats, your system is wide open.
Oracle Java 7 update 10 and earlier Java 7 versions are affected. OpenJDK 7, and subsequently IcedTea, are also affected.
Impact
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system
IcedTea   Affected   -   16 Jan 2013
OpenJDK   Affected   -   14 Jan 2013
http://www.kb.cert.org/vuls/id/625617

Please stop thinking just because you use linux your system is somehow invulnerable. It isnt.

Not unless the user is running as root is the system wide open on GNU/Linux. I will not say that GNU/Linux is invulnerable, it just has a way lower risk than Microsoft Windows by about six orders of magnitude. As for the Java vulnerability disabling the Java browser plugin addresses the vulnerability as per the link above. The latter link also shows how Microsoft Windows is vulnerable to additional attacks via Microsoft Office.

Phishing attacks by their very nature work on any OS, so one could in principle get a GNU/Linux user to provide a root password in order to install malware with the right temptation such as some good old Microsoft or propriety software bashing.

As for a man in the middle attack, this involves forging certificates and spoofing the DNS. Again GNU/Linux gives a powerful tool against a DNS spoofing attack namely running bind9 to set up one's own DNS on ones network. An attack on the ISP's DNS will fail not only on the GNU/Linux machine but also on Microsoft Windows Machines that use the DNS on the local GNU/linux machine.

The bottom line with Bitcoin is that if one wishes to use a currency whose entire security model is based on software and hardware freedom, it is only prudent to say the least to use an operating system based upon Free Software.