Does running Bitcoin QT make you a target for hackers?

[go1111111]

I don't fully understand the Bitcoin network, but wouldn't running QT leave you vulnerable to the below scenario?

Step 1: I decide to become an evil hacker, so I learn how to hack.
Step 2: I run a modified version of the QT client, which prints out a list of all the other nodes on the bitcoin network that are visible to me.
Step 3: I take my big list of IP addresses, and using my logical skills I deduce that a lot of those IPs correspond to machines with bitcoin wallets on them.
Step 4: I try to penetrate as many of the machines with those IPs as possible, install keyloggers on any that I can break into, and grab any wallets that I can find.
Step 5: Profit?

What's the flaw in my plan? Is step 4 just extremely hard?

 

[Elwar]

Logging into bitcointalk and allowing images to be viewed makes you a target for hackers.

[go1111111]

Logging into bitcointalk and allowing images to be viewed makes you a target for hackers.

Ah, good point.

Anyone know a good resource to get answers to the following questions then? (maybe a more security-focused forum)

Assume you're given an IP,

(1) the IP belongs to a windows 8 machine, the admin password is very simple, and remote desktop is enabled. How easy is it to break in? I assume it's just a matter of guessing passwords as fast as you can. Anyone know the practical limit to how many remote desktop password attempts a win8 machine will allow per unit of time?
(2) If remote desktop is disabled, then it's very unlikely that even a dedicated hacker could get into your machine even if your admin password is super simple, right? I assume this is the kind of vulnerability that would make a huge news splash if found.

[adamstgBit]

Logging into bitcointalk and allowing images to be viewed makes you a target for hackers.

Ah, good point.

Anyone know a good resource to get answers to the following questions then? (maybe a more security-focused forum)

Assume you're given an IP,

(1) the IP belongs to a windows 8 machine, the admin password is very simple, and remote desktop is enabled. How easy is it to break in? I assume it's just a matter of guessing passwords as fast as you can. Anyone know the practical limit to how many remote desktop password attempts a win8 machine will allow per unit of time?
(2) If remote desktop is disabled, then it's very unlikely that even a dedicated hacker could get into your machine even if your admin password is super simple, right? I assume this is the kind of vulnerability that would make a huge news splash if found.

i'm not a hacker but i don't think guessing passwords is the way to go.

best to make users install your trojan which gives you a back door to their computer. the trojan can read the wallet.dat file and report its contents, which can do a lot of damage if you did not encrypted your wallet with a strong password.


if you just don't install shit off the web,
disable java!
and encrypted your wallet

I would imagine hackers won't be able to get to you.

[Ecurb123]

I think your logic is generally correct. That's why a lot of people will suggest keeping larger value wallets off-line.

I don't fully understand the Bitcoin network, but wouldn't running QT leave you vulnerable to the below scenario?

Step 1: I decide to become an evil hacker, so I learn how to hack.
Step 2: I run a modified version of the QT client, which prints out a list of all the other nodes on the bitcoin network that are visible to me.
Step 3: I take my big list of IP addresses, and using my logical skills I deduce that a lot of those IPs correspond to machines with bitcoin wallets on them.
Step 4: I try to penetrate as many of the machines with those IPs as possible, install keyloggers on any that I can break into, and grab any wallets that I can find.
Step 5: Profit?

What's the flaw in my plan? Is step 4 just extremely hard?

 

[Rannasha]

Logging into bitcointalk and allowing images to be viewed makes you a target for hackers.

Ah, good point.

Anyone know a good resource to get answers to the following questions then? (maybe a more security-focused forum)

Assume you're given an IP,

(1) the IP belongs to a windows 8 machine, the admin password is very simple, and remote desktop is enabled. How easy is it to break in? I assume it's just a matter of guessing passwords as fast as you can. Anyone know the practical limit to how many remote desktop password attempts a win8 machine will allow per unit of time?
(2) If remote desktop is disabled, then it's very unlikely that even a dedicated hacker could get into your machine even if your admin password is super simple, right? I assume this is the kind of vulnerability that would make a huge news splash if found.

Almost all consumer internet modems/routers use NAT and don't directly expose the connected computer(s) to the internet. The IP address that you obtain will lead you to a router, not a computer, and unless said router has some really glaring security holes, there won't be an easy way to get to the actual computer(s) behind the router.

While in principle there is a potential security risk in having your IP address connected to bitcoin-related acitivities, in practice this risk is negligible compared to keyloggers, weak passwords, phishing, etc...

[Buffer Overflow]

Logging into bitcointalk and allowing images to be viewed makes you a target for hackers.

Someone could place an image in an PM, when you open the message your IP would be revealed to be sender.

[go1111111]

Judging by your logic, visiting random site could make you a target for hackers..sigh.

Not quite. A hacker would rather gain access to the computer of someone who uses bitcoin than just a random Internet user.


Rannasha: thanks for the description.

[DodoB]

Probably yes. the best solution is not to keep large amounts of bitcoin in a single computer.

[ArticMine]

i'm not a hacker but i don't think guessing passwords is the way to go.

best to make users install your trojan which gives you a back door to their computer. the trojan can read the wallet.dat file and report its contents, which can do a lot of damage if you did not encrypted your wallet with a strong password.


if you just don't install shit off the web,
disable java!
and encrypted your wallet

I would imagine hackers won't be able to get to you.

The best anti hacker advice here, which is excellent by the way, is in the poster's avatar. Say no to Microsoft Windows and yes to GNU/Linux

[mb300sd]

Its pretty easy to notice someone guessing passwords at your remote desktop, set an account lockout after 3-10 incorrect attempts... depending on how often you try to log in drunk