Bitcoin Forum
December 10, 2016, 07:01:18 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2] 3 4 »  All
  Print  
Author Topic: Hacker got to my MTGOX account, he converted the USD I had......  (Read 12668 times)
Nythain
Jr. Member
*
Offline Offline

Activity: 56



View Profile
June 14, 2011, 09:28:14 AM
 #21

Yes, Linux should be more secure ...
Depends on the security. While windows might technically be more prone to malware and infections due to market share and stupid users, given the broad market of linux as server software on the internet, it contains much much much more known exploits and hacks than Windows.
Also, stupid users are gonna be stupid no matter what OS they run. I'm just sayin.
If you avoid things like installing suspicious software, toolbars, and running every exe you get in the emails, keep up to date with malware scanners and to an extent, antivirus... Windows can in fact be more secure than linux. Or at the very least, just as secure.

1481396478
Hero Member
*
Offline Offline

Posts: 1481396478

View Profile Personal Message (Offline)

Ignore
1481396478
Reply with quote  #2

1481396478
Report to moderator
1481396478
Hero Member
*
Offline Offline

Posts: 1481396478

View Profile Personal Message (Offline)

Ignore
1481396478
Reply with quote  #2

1481396478
Report to moderator
1481396478
Hero Member
*
Offline Offline

Posts: 1481396478

View Profile Personal Message (Offline)

Ignore
1481396478
Reply with quote  #2

1481396478
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481396478
Hero Member
*
Offline Offline

Posts: 1481396478

View Profile Personal Message (Offline)

Ignore
1481396478
Reply with quote  #2

1481396478
Report to moderator
1481396478
Hero Member
*
Offline Offline

Posts: 1481396478

View Profile Personal Message (Offline)

Ignore
1481396478
Reply with quote  #2

1481396478
Report to moderator
1481396478
Hero Member
*
Offline Offline

Posts: 1481396478

View Profile Personal Message (Offline)

Ignore
1481396478
Reply with quote  #2

1481396478
Report to moderator
Nescio
Jr. Member
*
Offline Offline

Activity: 56


View Profile
June 14, 2011, 02:02:23 PM
 #22

Depends on the security. While windows might technically be more prone to malware and infections due to market share and stupid users, given the broad market of linux as server software on the internet, it contains much much much more known exploits and hacks than Windows.

That's a misconception commonly propagated by Microsoft advocates. The fallacy lies in that since Linux has an open development model, bugs and security issues are quickly and widely published on purpose, while Microsoft often sits on these for months if not years, sometimes refusing to acknowledge them altogether (going as far as rolling patches secretly into other updates), i.e. you never hear about the majority. So the perception arises that Windows has few bugs, while Linux has a lot. Also, Linux is strictly speaking the kernel only, you are talking about distros with a lot of auxiliary software.

In reality open source sofware in general has less bugs and higher code quality due to many eyes looking at it and simple availability of the source code (even if you know there are bugs in Windows, you can't fix them and have to wait for MS). Do a search on Coverity and errors per line of code. I'm not talking about usability/UI design, there is some stupid sh*t going on in 'Linux' at any given time there Smiley

Quote from: Nythain
Also, stupid users are gonna be stupid no matter what OS they run. I'm just sayin.

True, but the argument can be made that stupid users are more likely to use Windows than Linux Smiley

Quote from: Nythain
If you avoid things like installing suspicious software, toolbars, and running every exe you get in the emails, keep up to date with malware scanners and to an extent, antivirus... Windows can in fact be more secure than linux. Or at the very least, just as secure.

By that logic, Linux can in fact be more secure than Windows. Or at the very least, just as secure.
Djao
Full Member
***
Offline Offline

Activity: 150


View Profile
June 14, 2011, 02:19:46 PM
 #23

This exact same thing happened to me earlier.
I think my password was brute-forced.

Lesson learned is, use complex alphanumeric+symbols passwords, and change them frequently.

Mt. Gox also really needs to add some sort of secondary verification.

Could you please provide some more details? Like strength of hacked pw, were you using it on other sites too and so on ... thx!
Gregers
Newbie
*
Offline Offline

Activity: 24


View Profile
June 14, 2011, 02:20:51 PM
 #24

If you really want secure, maybe Linux enhanced by the NSA would be the way to go?
rikur
Full Member
***
Offline Offline

Activity: 214


View Profile
June 14, 2011, 02:23:14 PM
 #25

If you really want secure, maybe Linux enhanced by the NSA would be the way to go?

a Linux with backdoors for NSA is the last thing I'd store my bitcoins. Smiley
Nescio
Jr. Member
*
Offline Offline

Activity: 56


View Profile
June 15, 2011, 10:36:09 AM
 #26

SELinux is open source, and has received some scrutiny Smiley Not everything government does is evil, neither is everyone in government evil (see Thomas Drake for example).

It's an extra layer of privilege separation but is unlikely to help significantly against your typical (spear)phishing attack. E.g. it may make it harder for an unprivileged local user or process to access system files, but will not help if the same user has the privilege to become root (e.g. occasional uses of sudo), without further configuration at least.
mewantsbitcoins
Full Member
***
Offline Offline

Activity: 126


View Profile
June 15, 2011, 10:49:09 AM
 #27

This exact same thing happened to me earlier.
I think my password was brute-forced.

Lesson learned is, use complex alphanumeric+symbols passwords, and change them frequently.

Mt. Gox also really needs to add some sort of secondary verification.

This is impossible unless you consider 5 tries a bruteforce attack
Mt.Gox has all the security it needs.

What REALLY needs to happen is stupid people starting to use adequate passwords.
Nythain
Jr. Member
*
Offline Offline

Activity: 56



View Profile
June 15, 2011, 10:57:50 AM
 #28

What REALLY needs to happen is stupid people starting to use adequate passwords.
This ^^

caveden
Legendary
*
Offline Offline

Activity: 1106



View Profile
June 15, 2011, 11:42:25 AM
 #29

Just use a Linux OS when it comes to Bitcoin, gentlemen. Windows is not for finances.

Actually, I think one should avoid using what mostly every body else uses. That's the problem with Windows.

Now, I wonder if the majority of bitcoiners store their wallets on linux or windows machines... it wouldn't surprise me if more than half of us were on linux, making it more vulnerable than windows on that matter.

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
caveden
Legendary
*
Offline Offline

Activity: 1106



View Profile
June 15, 2011, 11:46:06 AM
 #30

I saw mentioned a user dedicating a non networked laptop for anything relating to BTC. Well worth the sacrifice of a laptop turned into a wallet.

This would probably be the ideal solution, a dedicated device which is only used for bitcoin, never to surf the web. The annoyance would be getting addresses from your web-access machine to your bitcoin machine easily. It is so simple to just copy and paste it in the bitcoin client. Smiley

But yeah, I intend to do that with my old laptop, as soon as I buy another computer.

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
Capitan
Member
**
Offline Offline

Activity: 112


View Profile
June 15, 2011, 07:17:28 PM
 #31

I saw mentioned a user dedicating a non networked laptop for anything relating to BTC. Well worth the sacrifice of a laptop turned into a wallet.

This would probably be the ideal solution, a dedicated device which is only used for bitcoin, never to surf the web. The annoyance would be getting addresses from your web-access machine to your bitcoin machine easily. It is so simple to just copy and paste it in the bitcoin client. Smiley

But yeah, I intend to do that with my old laptop, as soon as I buy another computer.

To make that process easier:
You point your phone at the screen of the non-networked wallet machine and it reads the wallet address from the screen. There could be an app or software tool on the secure machine that displays the address full screen to make that process easier. QR code would work too. The phone forwards the address to a networked computer/email address of your choice so you don't have to type it in.

The part i don't understand, mainly because I haven't read about it yet, is how an address "receives" bitcoins. Is there a private key inside wallet.dat that allows the wallet owner to be the only one to unlock/use bitcoins that are transferred to one of his/her addresses?
Dude65535
Full Member
***
Offline Offline

Activity: 126


View Profile
June 15, 2011, 07:25:02 PM
 #32

Yes all the wallet.dat file contains is public/private key pairs for all of your bitcoin addresses.

1DCj8ZwGZXQqQhgv6eUEnWgsxo8BTMj3mT
joepie91
Sr. Member
****
Offline Offline

Activity: 294


View Profile
June 16, 2011, 12:18:35 AM
 #33

I've had the exact same happen to me.

A few days ago I exchanged 10BTC for USD, and when I wanted to withdraw it to my bank account I couldn't reach Mt. Gox anymore (either through Mt. Gox being DDoSed or my own IP getting attacked, not sure). When I was able to reach it again yesterday, I logged on and found that a few hours before that (I'm not sure of Mt. Gox' timezone) someone had converted the USD in my account back into BTC, and transfered it away.

Screenshot below:


My password was a KeePass-generated password of 20 randomly generated alphanumerical characters (mixed case). Needless to say the password has been changed.

I've done a full antivirus scan of my system which found nothing. I've also used various tools such as TCPView, Wireshark, and Security Task Manager (as well as the Windows Task Manager) to see if any suspicious services or processes were running, and it seems my system is clean. I'm not sure what happened here, but it seems unlikely that the issue was on my end.

I've submitted a ticket to Mt. Gox but haven't had a response yet.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
Nescio
Jr. Member
*
Offline Offline

Activity: 56


View Profile
June 16, 2011, 04:56:18 AM
 #34

My password was a KeePass-generated password of 20 randomly generated alphanumerical characters (mixed case). Needless to say the password has been changed.

I've done a full antivirus scan of my system which found nothing. I've also used various tools such as TCPView, Wireshark, and Security Task Manager (as well as the Windows Task Manager) to see if any suspicious services or processes were running, and it seems my system is clean. I'm not sure what happened here, but it seems unlikely that the issue was on my end.

You are assuming your system is OK after *something* got compromised? Any password is useless against a keylogger (that includes a future Bitcoin cient offering wallet encryption).

Today crimeware kits are sold with a nice GUI for the thump your head variety criminal who barely knows left from right mouse button. A Bitcoin tailored kit will have some kind of exploit to get in, a module for uploading wallet.dat, keylogger/VNC etc. functionality if needed, a module for cleaning up after itself as if it had never existed and one for hiding itself from the usual suspects (all antiviruses, Spybot S&D, Wireshark, process explorer etc.) until such time that your wallet contains enough coin. Hell, the specialists already own a sizable number of machines and the crimeware might function as a search engine for interesting data on the botnet. They may even fix other vulnerabilities to keep the competition out and keep your system in shape to guarantee uptime (a dead zombie is worthless, heh).

The only way to be sure is to start completely fresh. Including BIOS flashes and viewing old backups as compromised too. And changing Bitcoin addresses, obviously.
bitcoinminer
Sr. Member
****
Offline Offline

Activity: 322



View Profile
June 16, 2011, 04:59:03 AM
 #35

What does KeePass do, is that one of those things that saves your passwords so you don't have to type them in?  Sort of defeats the point, no?

I would say good thing you learned your lesson at 10 BTC instead of 100 BTC or 1000 BTC.

Be fearful when others are greedy, and greedy when others are fearful.

-Warren Buffett
imperi
Full Member
***
Offline Offline

Activity: 196


View Profile
June 16, 2011, 05:42:56 AM
 #36

I keep all my web-browsers behind sandboxie, and got my parents doing this too. Seems to have been working great. Started using this months before I even heard of bitcoin, because I was mad that clicking on the wrong website somehow put a rootkit on my computer. (and I'm FAR from being a computer noob)

Link: http://www.sandboxie.com/

Sandboxie - Sandbox security software for Windows. Install and run programs in a virtual sandbox environment without writing to the hard drive.
wumpus
Hero Member
*****
Offline Offline

Activity: 798

No Maps for These Territories


View Profile
June 16, 2011, 05:48:39 AM
 #37

Mt. Gox also really needs to add some sort of secondary verification.
Yes, a two-factor auth would be nice. Otherwise it suffers from the same problems as storing the wallet simply on your PC; after all,  everyone with a keylogger can get into your account.

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
lemonginger
Full Member
***
Offline Offline

Activity: 210


firstbits: 121vnq


View Profile
June 16, 2011, 06:00:20 AM
 #38

What does KeePass do, is that one of those things that saves your passwords so you don't have to type them in?  Sort of defeats the point, no?

I would say good thing you learned your lesson at 10 BTC instead of 100 BTC or 1000 BTC.

You have no idea how a password safe works I see. It actually makes you less vulnerable to keyloggers and certainly less vulnerable than reusing passwords or using passwords that can be cracked with a dictionary attack. But keep on with that smug attitude.
bitplane
Sr. Member
****
Offline Offline

Activity: 321

Firstbits: 1gyzhw


View Profile WWW
June 16, 2011, 08:51:03 AM
 #39

The only way to be sure is to start completely fresh. Including BIOS flashes and viewing old backups as compromised too. And changing Bitcoin addresses, obviously.

Wow, flashing your BIOS? Are there actual cases of BIOS malware being used in the wild by hackers/fraudsters?
Djao
Full Member
***
Offline Offline

Activity: 150


View Profile
June 16, 2011, 09:34:04 AM
 #40

@joepie91: would be interesting to hear what MtGox has to say about this, please do not forget to post it here, thank you!

So, MtGox seems to be under heavy DDoS fire all the time and also have some security issues, bitcoin7 is an unstable alpha-version at best not to mention CSS-vulnerabilities ... any bad news about TradeHill that I may have missed?
Pages: « 1 [2] 3 4 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!