Bitcoin Forum
December 10, 2016, 01:00:58 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 [4] 5 6 »  All
  Print  
Author Topic: ALL of my bitcoins stolen (Around 60) . What the F*CK.  (Read 15646 times)
Grouver (BtcBalance)
Hero Member
*****
Offline Offline

Activity: 530



View Profile WWW
June 27, 2011, 08:19:52 AM
 #61

http://forum.bitcoin.org/index.php?topic=18238.msg256221#msg256221

+

http://forum.bitcoin.org/index.php?topic=18238.msg259458#msg259458

= Not getting robbed.

Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
mouse
Jr. Member
*
Offline Offline

Activity: 56



View Profile
June 27, 2011, 08:21:18 AM
 #62

I like how one of the others current posts on here is "...secure bitcoin savings account in 14 easy steps".

LOL

I only need 7 steps to unlimited financial wealth: http://7stepstounlimitedwealth.com/


Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius and a lot of courage to move in the opposite direction.
allinvain
Legendary
*
Offline Offline

Activity: 2002



View Profile
June 27, 2011, 08:28:36 AM
 #63

But then the virus would have to just wait longer until you type your password. I favor a "secure keypad" that you input your password via mouse clicks. Next question is how to trick viruses that may take screenshots?

Make the layout of the keyboard different each time, so if the SS it, they cant auto click it in again based on its presumed location.

Hmm, what if the layout changed every 5 seconds or some predetermined time. It would make it a pain in the ass to input your password but hey it's worth it.

None of this can help.  Trojans can take screenshots at every mouse click so it knows what the password is because it knows where you clicked.  This is already a standard feature in bank theft trojans.

Dang. How about if when the bitcoin client boots up for the first time it gives you the option to print out a crypto pad. This is akin to a cheap form of two factor authentication. Each crypto pad is of course different.

bitcoinBull
Legendary
*
Offline Offline

Activity: 826


rippleFanatic


View Profile
June 27, 2011, 08:35:26 AM
 #64

Dang. How about if when the bitcoin client boots up for the first time it gives you the option to print out a crypto pad. This is akin to a cheap form of two factor authentication. Each crypto pad is of course different.

The crypto pad will have to remain in memory so the bitcoin client can use it to decrypt the wallet.  Again, the trojan can get the wallet from memory after decryption by the bitcoin client or it can get the crypto pad from memory and use it decrypt the wallet itself.

Similar strategies to defeat other two-factor authentication methods.  If there's a malicious piece of software on the OS, you've already lost the war. 

Spend the energy keeping trojans from getting in your base in the first place.

College of Bucking Bulls Knowledge
mouse
Jr. Member
*
Offline Offline

Activity: 56



View Profile
June 27, 2011, 08:42:42 AM
 #65

if any secure password or pad 'lives in memory', well thats fail right there.

It should only be stored in memory for the fraction of a second that its needed.

Further, different languages have best practices to store such values, for example in java store this data as a byte[] rather than String so that you can fill it out with rubbish onced used without waiting for the GC, which may never happen.

You can also do alot of other stuff to make memory dumps harder.

The reason why we focus here, as WELL as on protecting your os from trojans, is because its more efficient to put this stuff in the client. E.g., a safer client makes it safer for everyone, while a safer os only makes it safer for one person. everyone > one person. Its more efficient security.

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius and a lot of courage to move in the opposite direction.
qualia8
Full Member
***
Offline Offline

Activity: 140


View Profile
June 27, 2011, 08:47:42 AM
 #66

Hey you should really use this cool new currency, Granny.  All you have to do is buy a new computer -- heck, just throw it together from cheapo parts on newegg, it's not like you're going to be gaming on it -- install linux, along with the bitcoin client, all from a single boot cd -- right, you need to make this first, dont' connect to the internet from your new machine, use the old virus-infected one -- find, encrypt (just use truecrypt, granny) and backup your wallet.dat file to multiple media and, through your regular machine -- not the new one, keep it pristine! -- upload to the cloud, go the blockchain explorer to see you're getting your deposits, and if you ever want to access those funds, just boot your new machine -- don't use it for anything else! -- decrypt and reload your saved wallet file, run the client just long enough to send your other, totally vulnerable, spending account some BTC, and... use that account to make purchases on the interwebs!

See? Bitcoin security is simple and totally convenient.  Money has basically never been so easy.  
doublec
Legendary
*
Offline Offline

Activity: 1078


View Profile
June 27, 2011, 08:52:38 AM
 #67

Regarding the namecoin connection, did either of you who lost coins but also used a namecoin client try any of the 'Namecoin GUI' programs that people posted about in some of the forums? At least one was a trojan of some sort IIRC. Note that these GUI programs weren't namecoin official programs, they were developed and distributed by third party forum members.
GeniuSxBoY
Hero Member
*****
Offline Offline

Activity: 546



View Profile
June 27, 2011, 08:54:13 AM
 #68

From the leaked data that's floating around, I know your email address is d***n_kn*t**n@*****.com and your password is p*nd*ra.


I hope you didn't use the same redundant info for something like dwolla or paypal.

lacedwithkerosene
Member
**
Offline Offline

Activity: 112


View Profile WWW
June 27, 2011, 08:56:40 AM
 #69

Hey you should really use this cool new currency, Granny.  All you have to do is buy a new computer -- heck, just throw it together from cheapo parts on newegg, it's not like you're going to be gaming on it -- install linux, along with the bitcoin client, all from a single boot cd -- right, you need to make this first, dont' connect to the internet from your new machine, use the old virus-infected one -- find, encrypt (just use truecrypt, granny) and backup your wallet.dat file to multiple media and, through your regular machine -- not the new one, keep it pristine! -- upload to the cloud, go the blockchain explorer to see you're getting your deposits, and if you ever want to access those funds, just boot your new machine -- don't use it for anything else! -- decrypt and reload your saved wallet file, run the client just long enough to send your other, totally vulnerable, spending account some BTC, and... use that account to make purchases on the interwebs!

See? Bitcoin security is simple and totally convenient.  Money has basically never been so easy.  

Honestly, this is exactly why I stopped developing a site called Bitcoin For Beginners ... it turns out it really isn't. I wrote a lot until I realized it is basically an impossible task to leverage clarity and completeness needed to understand and use this shit securely with the brevity and simplicity expected in a tutorial to get someone's feet wet. It actually felt like an ethical dilemma so I just opted to stop development entirely.

I found I wanted to just recommend an online wallet only, but that would have to come with a long disclaimer about trusting a third party to A) Not get broken into and pillaged and B) Not be scumbag thieves themselves.

Grouver (BtcBalance)
Hero Member
*****
Offline Offline

Activity: 530



View Profile WWW
June 27, 2011, 09:06:23 AM
 #70

I also want to add to my last post that this is only a way to prevent getting robbed from alot of bitcoins.
If you do not secure your computer by scanning before you send then you will take the risk there will be a trojan on your computer that is gonna compromise your wallet.dat

To send you need to connect to the Bitcoin network, what opens the gate to the internet.
And not always the gatekeeper (anti-virus software) can keep out these trojans.

So right now the only way to prevent getting robbed big time is just by backing up your big wallets and putting them offline.
Just create  a small account with a couple of BTC wich you can use to spend or send.

wareen
Millionaire
Hero Member
*****
Offline Offline

Activity: 742

bitcoin-austria.at


View Profile
June 27, 2011, 09:08:22 AM
 #71

The future of Bitcoin for the masses will be online wallet services like mybitcoin.com IMHO.
Not only because of security, but also because running a bitcoind instance will be a major resource hog once Bitcoin goes mainstream.

I really wouldn't recommend any non-geek to even download the client...
FlipPro
Legendary
*
Offline Offline

Activity: 1372



View Profile WWW
June 27, 2011, 09:08:44 AM
 #72

Does your Windows 7 have the latest updates.

Is it genuine ?

Do you have a strong account password.

What kind of Security are you running?

Please let me know everything in detail.

Tweet For Coins http://uptweet.com
FlipPro
Legendary
*
Offline Offline

Activity: 1372



View Profile WWW
June 27, 2011, 09:11:19 AM
 #73

The future of Bitcoin for the masses will be online wallet services like mybitcoin.com IMHO.
Not only because of security, but also because running a bitcoind instance will be a major resource hog once Bitcoin goes mainstream.

I really wouldn't recommend any non-geek to even download the client...
This site would have to be American ran, and willing to fight a NASTY fight with Paypal. Right now the community is divided. We can't seem to get anything off the ground here  Cry. Who the hells motivated to make new currency solutions when they see informational forums getting hacked, where there's virtually 0 money to be gained. I don't get people.. I really don't SMH.

Tweet For Coins http://uptweet.com
Anonymous
Guest

June 27, 2011, 09:24:19 AM
 #74

Nobody here can create a decent business plan much less organize a decent client, haha.
mouse
Jr. Member
*
Offline Offline

Activity: 56



View Profile
June 27, 2011, 09:39:22 AM
 #75

Nobody here can create a decent business plan much less organize a decent client, haha.

I am very tempted to start work on a user friendly client, merging bitcoinj and open transactions, with a corresponding bitcash bank to issue the open transactions currency. The bitcoins will be presented as the 'savings' account, and the bitcash the 'daily account'. It sounds complicated, but all the complexity will be hidden behind simple metaphors. The UI will be very easy. The client would be open source.

very tempted.

I just cant decide whether client apps should be abandoned altogether, in favor of a web app. At least for the average user. Perhaps we can integrate both.

Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius and a lot of courage to move in the opposite direction.
khal
Hero Member
*****
Offline Offline

Activity: 538


NamecoinID: id/khal


View Profile WWW
June 27, 2011, 10:27:30 AM
 #76

To the people who had their bitcoin/namecoin stolen, have you looked into the debug.log file to find RPC commands or SelectCoins ?
Search for the first 10 letters of the transaction hashs.

Here is a GUI send :
Code:
SelectCoins() best subset: 1.23 1.06 ... total 22.01
keypool reserve 126
CommitTransaction:
CTransaction(hash=098965f2b9, ver=1, vin.size=25, vout.size=2, nLockTime=0)
    CTxIn(COutPoint(6554c9ecaa, 0), scriptSig=304402203c8f52bf2c25a8ce)
    CTxIn(COutPoint(a0b776cee1, 0), scriptSig=3046022100c4b95389985809)
...
    CTxOut(nValue=0.01000000, scriptPubKey=OP_DUP OP_HASH160 b3a0ff9fa3f2)
    CTxOut(nValue=22.00000000, scriptPubKey=OP_DUP OP_HASH160 4701dd3e06ec)
keypool keep 126
AddToWallet 098965f2b9  new
MainFrameRepaint
AcceptToMemoryPool(): accepted 098965f2b9

Here is a RPC sendtoaddress :
Code:
ThreadRPCServer method=sendtoaddress
keypool added key 128231, size=101
keypool reserve 128131
CommitTransaction:
CTransaction(hash=710438e56f, ver=1, vin.size=1, vout.size=2, nLockTime=0)
    CTxIn(COutPoint(3098238868, 0), scriptSig=304502202acb7a569d9c32f0)
    CTxOut(nValue=4.68010990, scriptPubKey=OP_DUP OP_HASH160 d1ec6c940e5b)
    CTxOut(nValue=0.29989010, scriptPubKey=OP_DUP OP_HASH160 33fe2eae2657)
keypool keep 128131
AddToWallet 710438e56f  new
AcceptToMemoryPool(): accepted 710438e56f

Receiving your own tx or crafted by someone else :
Code:
AddToWallet 710438e56f  update
SetBestChain: new best=000000000000673663b7  height=14910  work=402279768606933255
ProcessBlock: ACCEPTED

There is several ways to steal money :
1. Copying the wallet
Requires a physical access to the wallet. This can be a trojan (or an infected bitcoin/namecoin binary) that sent your wallet.
No trace in logs, except you receive "your" transactions (like any others) that are created on another computer...

2. Using the RPC command : sendtoaddress
Requires a local or remote access with an infected binary (bitcoin/namecoin/trojan/remote flaw/hole/etc)
You should find "method=sendtoaddress" in your logs.

3. Using the internal send functions
Requires a local or remote infected bitcoin/namecoin binary.
You should find a SelectCoins with a tx hash matching.

4. You put a backup of your wallet on dropbox (with the same login/pass as mtgox, or you wallet was stolen during the "no password" bug of dropbox)


We have a first response here :
http://forum.bitcoin.org/index.php?topic=22937.msg288852#msg288852
All my bitcoins to 15Afx45asCysyNd9HE7xeZTkzLgDq2JCEx. Sad Nothing to be done?

My Bitcoin client shows a number of transactions to that address overnight while my computer was asleep and the current balance in the Bitcoin client is now zero.
This prove the full wallet file was stolen. Coins are sent to the same address as yours, so, we can deduce this is the same case...
=> never use that wallet again, because it contains a lot of other pre-generated and currently unused keys.


There is another case, for namecoin :
http://dot-bit.org/forum/viewtopic.php?p=715#p715
Wallet file was stored on a secured linux box, and accessed remotely with a windows.


Edit :
Binary releases on dot-bit are compiled by :
- linux 32/64 : myself (all versions)
- windows : grue (all versions) - http://forum.bitcoin.org/index.php?topic=6017.msg251017#msg251017
- mac osx : lebish (first mac release) - http://forum.bitcoin.org/index.php?topic=6017.msg268981#msg268981

NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9 | NamecoinID: id/khal | Register .bit domain
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T | My bitcoin Identity: send messages to bitcoin users
Free bitcoins: Surf4Bitcoin.com | Charity Ad: Make a good deed without paying a cent
FlipPro
Legendary
*
Offline Offline

Activity: 1372



View Profile WWW
June 27, 2011, 11:13:42 AM
 #77

Nobody here can create a decent business plan much less organize a decent client, haha.
If some of my projects go successful, and there isn't a solid platform in 3 months, me and my team will develop it. Obviously it is alot more than just a technical challenge, it is a trust issue as well. Part of it is we have to prove ourselves to people that we are 100% dead serious about this crypto currency, and that we're not going away no matter how much they keep trolling, the harder they troll, the harder we work.

Tweet For Coins http://uptweet.com
dukejer
Jr. Member
*
Offline Offline

Activity: 42


View Profile
June 27, 2011, 01:00:43 PM
 #78

Sounds very fishy.

If you had it encrypted, any ideas on how it was stolen?

If you're being honest, I'm terribly sorry for your loss. That stinks.

Yea, it does. I had /backups/ encrypted, I should have been clear. Any virus/trojan/person could have just coppied the wallet file from %appdata%/bitcoin.

Encryption cannot protect wallets in use, because your legitimate client has to decrypt it anyway. Encryption is good for backups only.

This is not true.  If the private keys are encrypted in the wallet and in memory and only unencrypted at the time of sending BTC to a different spot in memory each time and then promptly erased from memory.  This would be a reasonable amount of security and make it difficult for a Virus or Trojan to steal the private keys.  The only problem I see with this method is people losing their password to their private keys but I think that also Bitcoin Clients should mandate the user backing up their keys unencrypted to a removable device or print them out at time of key generation.

-Dukejer
xanatos
Jr. Member
*
Offline Offline

Activity: 41


View Profile
June 27, 2011, 02:44:49 PM
 #79

Quote
This is not true.  If the private keys are encrypted in the wallet and in memory and only unencrypted at the time of sending BTC to a different spot in memory each time and then promptly erased from memory.  This would be a reasonable amount of security and make it difficult for a Virus or Trojan to steal the private keys.  The only problem I see with this method is people losing their password to their private keys but I think that also Bitcoin Clients should mandate the user backing up their keys unencrypted to a removable device or print them out at time of key generation.
This would be a shitty security method that would protect you only from the most noob script kiddie.
Two ways to hack it:
* the simple: wait for the window asking the password to appear and take the password (keyloggers)
* the "a little harder": You know (by looking at the source, the client is open source, you know?) in which function the key is unencrypted, you wait for the exe of the client to be loaded (you are a trojan, you are resident in memory), put a breakpoint there and snoop the memory. Each time a new version of the client is created you lose half an hour to "expand" your library of possible breakpoints. Hackers do more complex things to games that are protected by latest generation protections. You think that an open source software that anyone can compile is more resistant? Encryption will only make the wallet.dat more resistant to "one shot" trojans that enter, steal and exit (or to trojans written by script kiddies that don't know assembly). This would steal one private key at a time, if the program is well written (but then, if you are already putting a bp in the code, you can directly steal the password).

The only "possible" way would be to make the program polymorphic, like the viruses, so it would be more difficult to put a breakpoint in memory, but it's quite complex... And it would protect only against the second method. And in the end the trojan would simply replace your exe with another one that would only ask you the password and send it to the hacker.
elggawf
Sr. Member
****
Offline Offline

Activity: 308



View Profile
June 27, 2011, 03:11:08 PM
 #80

This would be a shitty security method that would protect you only from the most noob script kiddie.
Two ways to hack it:
* the simple: wait for the window asking the password to appear and take the password (keyloggers)
* the "a little harder": You know (by looking at the source, the client is open source, you know?) in which function the key is unencrypted, you wait for the exe of the client to be loaded (you are a trojan, you are resident in memory), put a breakpoint there and snoop the memory. Each time a new version of the client is created you lose half an hour to "expand" your library of possible breakpoints. Hackers do more complex things to games that are protected by latest generation protections. You think that an open source software that anyone can compile is more resistant? Encryption will only make the wallet.dat more resistant to "one shot" trojans that enter, steal and exit (or to trojans written by script kiddies that don't know assembly). This would steal one private key at a time, if the program is well written (but then, if you are already putting a bp in the code, you can directly steal the password).

The only "possible" way would be to make the program polymorphic, like the viruses, so it would be more difficult to put a breakpoint in memory, but it's quite complex... And it would protect only against the second method. And in the end the trojan would simply replace your exe with another one that would only ask you the password and send it to the hacker.

This shit can't be emphasized enough... so many people get pwnt and then scream in anguish to the sky "why? why doesn't the client encrypt the wallet by default?" but the fact is that client sided crypto where you can't really trust the client is terribly hard to get right. If malicious processes can run on your machine, all bets are off... throwing more crypto at the problem just raises the bar for how hard the malicious person has to work to get a payoff.

Sure, right now there is very little work to be done to score a giant payoff - but if you think those people are going to stop trying just because your wallet is encrypted, particularly if the BTC does go to the levels people here seem to think it will, then you're delusional.

^_^
Pages: « 1 2 3 [4] 5 6 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!