Bitcoin Forum
Author Topic: The 0.4.0 encrypted wallet has been exploited - for sure  (Read 4101 times)
piotr_n (OP)
April 19, 2012, 06:17:38 PM
 #1

Since I encrypted my wallet with 0.4.0 I have been doing daily backups to my dropbox account, simply by copying wallet.dat to a dropbox folder.

Then after 0.5.0 was released and the security issue was announced:
Quote
The wallet encryption feature introduced in Bitcoin version 0.4.0 did not sufficiently secure the private keys. An attacker who managed to get a copy of your encrypted wallet.dat file might be able to recover some or all of the unencrypted keys and steal the associated coins.
... I did what it said: generated new addresses and moved all my funds there.
Nothing had been stolen.

But today I was withdrawing funds from some service...
As it turned out later, I had an old withdrawal address configured in there (a one generated/encrypted by the 0.4.0).
Since the amount was insignificant I didn't bother to re-check this address - just pressed "withdraw" and went to my bitcoin client to see the unconfirmed transaction.
Imagine how surprised I was seeing not one, but two unconfirmed transactions; first one going to my wallet, the other one going from it... :)

And then I realized what happened:
Obviously someone (either a dropbox hacker or a dropbox employee) got my encrypted wallet.dat which I backed up there (it wasn't hard to find it since I didn't even rename it)
Then he managed to recover the private key from it.
And he obviously also has a software that is monitoring all the transactions to the stolen addresses he has and forwarding each of them immediately to his own wallet.

So be careful - with both; wallets encrypted by 0.4.0 and with Dropbox.

This post is only to warn you - no comments necessary.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.
PGP fingerprint: AB9E A551 E262 A87A 13BB  9059 1BE7 B545 CDF3 FD0E
notme
April 19, 2012, 06:29:26 PM
 #2

Since I encrypted my wallet with 0.4.0 I have been doing daily backups to my dropbox account, simply by copying wallet.dat to a dropbox folder.

Then after 0.5.0 was released and the security issue was announced:
Quote
The wallet encryption feature introduced in Bitcoin version 0.4.0 did not sufficiently secure the private keys. An attacker who managed to get a copy of your encrypted wallet.dat file might be able to recover some or all of the unencrypted keys and steal the associated coins.
... I did what it said: generated new addresses and moved all my funds there.
Nothing had been stolen.

But today I was withdrawing funds from some service...
As it turned out later, I had an old withdrawal address configured in there (a one generated/encrypted by the 0.4.0).
Since the amount was insignificant I didn't bother to re-check this address - just pressed "withdraw" and went to my bitcoin client to see the unconfirmed transaction.
Imagine how surprised I was seeing not one, but two unconfirmed transactions; first one going to my wallet, the other one going from it... :)

And then I realized what happened:
Obviously someone (either a dropbox hacker or a dropbox employee) got my encrypted wallet.dat which I backed up there (it wasn't hard to find it since I didn't even rename it)
Then he managed to recover the private key from it.
And he obviously also has a software that is monitoring all the transactions to the stolen addresses he has and forwarding each of them immediately to his own wallet.

So be careful - with both; wallets encrypted by 0.4.0 and with Dropbox.

This post is only to warn you - no comments necessary.

My dropbox backup is wrapped in a TrueCrypt volume.  I recommend doing the same with any sensitive information you are thinking about uploading anywhere.

https://www.bitcoin.org/bitcoin.pdf
While no idea is perfect, some ideas are useful.
piotr_n (OP)
April 19, 2012, 06:31:30 PM
 #3

My dropbox backup is wrapped in a TrueCrypt volume.  I recommend doing the same with any sensitive information you are thinking about uploading anywhere.
Oh, I don't think I will be using dropbox anymore, for anything.
I don't like people sniffing into my pants - even if they were encrypted :)

I have 2 PCs running 24/7, with 3 different disks at home, plus my phone accessible via ssh - this should be enough for a backup.
Screw dropbox if it screws you! :)

Stephen Gornick
April 19, 2012, 06:34:04 PM
 #4

Obviously someone (either a dropbox hacker or a dropbox employee) got my encrypted wallet.dat which I backed up there (it wasn't hard to find it since I didn't even rename it)

Easy for that to have happened.  Hard to prove though.

But yes, reusing old keys either from before encryption or when the encryption was still flawed is something of a concern and was brought up here:
 - http://bitcoin.stackexchange.com/questions/1243/can-i-force-my-wallet-to-only-have-news-keys-post-encryption

And if you'd rather not have all your funds joined together when transferring to a new wallet, there's this method:
- http://bitcoin.stackexchange.com/questions/1272/how-can-i-transfer-all-funds-to-new-keys


piotr_n (OP)
April 19, 2012, 06:40:16 PM
 #5

Easy for that to have happened.  Hard to prove though
Indeed - I cannot prove it.

But if someone would have hacked into my PC, he would obviously install a trojan there to steal much more. I have Windows XP using Administrator account - wouldn't be too hard.

I was also doing backups to my gmail account, but that file in the email was PGP encrypted with a key stored at dropbox.

So dropbox is pretty much most likely.

notme
April 19, 2012, 06:41:24 PM
 #6

My dropbox backup is wrapped in a TrueCrypt volume.  I recommend doing the same with any sensitive information you are thinking about uploading anywhere.
Oh, I don't think I will be using dropbox anymore, for anything.
I don't like people sniffing into my pants - even if they were encrypted :)

I have 2 PCs running 24/7, with 3 different disks at home, plus my phone accessible via ssh - this should be enough for a backup.
Screw dropbox if it screws you! :)

Meh... I still prefer an offsite backup.  You know, in case of meteor strike.

piotr_n (OP)
April 19, 2012, 06:48:00 PM
 #7

Meh... I still prefer an offsite backup.  You know, in case of meteor strike.
I don't leave my home, without a phone, that often - in such case I'd probably die together with my bitcoins :P

HostFat
April 19, 2012, 08:05:02 PM
 #8

www.wuala.com
It encrypts everything before leaving your computer ;)

I DO NOT PROVIDE PRIVATE SUPPORT - http://hostfatmind.com
zer0
April 19, 2012, 08:20:08 PM
 #9

https://www.cyphertite.com/why-cyphertite.php

they also do free encrypted backup storage and is run by two openbsd developers
still wouldn't trust any cloud backup, just encrypt it yourself in harmless looking container and backup
MysteryMiner
April 19, 2012, 08:22:35 PM
 #10

I was thinking about providing dropbox-like services on my servers. The obvious pros over Dropbox are that I'm the only one who can access your files excluding yourself! And I will never ever cooperate with any 3 letter agency under any circumstances, so your CP collection or plans to attack Pentagon with exploding camels will be kept confidential.

bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
vampire
April 19, 2012, 08:34:47 PM
 #11

I use TrueCrypt with 30 chars password and store the file on Dropbox. Also monthly dumps to a USB key.
piotr_n (OP)
April 19, 2012, 08:35:35 PM
 #12

I agree that encrypting the data stored is the best way.

But I should say that I was never assuming that the wallet I store at dropbox is not going to be looked at.
Maybe I just didn't expect to discover it actually happening so quickly :)
There are probably hundreds of people out there who can look and browse through the actual users data.
Employers, window cleaners, hackers, gov agencies - each of them doing a lazy job, dreaming about doing a profitable private project...
Of course they are going to look into all the wallet.dat files - the first, the better.

What surprises me though is that someone actually finds it profitable enough to invest into a software that:
1) extracts private keys from stolen wallets
2) steals in a real time each transaction going to such a compromised address.
And btw, good job! :)

Inaba
April 19, 2012, 08:38:18 PM
 #13

Use Boxcryptor on top of DropBox.

If you're searching these lines for a point, you've probably missed it.  There was never anything there in the first place.
zer0
April 19, 2012, 08:38:25 PM
 #14

Dropbox has had plenty of problems
http://nakedsecurity.sophos.com/2011/06/21/dropbox-lets-anyone-log-in-as-anyone/
ribuck
April 19, 2012, 08:39:29 PM
 #15

2) steals in a real time each transaction going to such a compromised address.
Why not send a few Satoshis to that address to see whether it really is being emptied out automatically, or whether something else is happening.
conspirosphere.tk
April 19, 2012, 08:47:58 PM
 #16

A point in favor of Wuala, which does automatic encryption on your side, so no one on their side can steal anything from you.
piotr_n (OP)
April 19, 2012, 08:52:50 PM
 #17

2) steals in a real time each transaction going to such a compromised address.
Why not send a few Satoshis to that address to see whether it really is being emptied out automatically, or whether something else is happening.
I'm not spending any more money on it, but feel free to try it.

The address is: 1LQYFx7cHQcrmMHTQo8jwv4K6PE5zc7mFt
And the private key: 5JTxrzfhgNqx7XhMiZz26EyYstQ8dMCHgBDRzFsbFTjMgmDqqvw

Try to beat him by sending some money there and getting it forwarded to your wallet first :)
I'm pretty sure you will see his transaction anyway.
I'd suggest leaving some fee - he was mean, so miners should prefer your transaction. But we never know until someone tries :)

Inaba
April 19, 2012, 08:55:25 PM
 #18

Wuala is a major pain in the ass to use.  I wanted to like it, but it's a) Java based, so it's a piece of shit from the start, b) A resource hog, C) kind of flakey, D) Slow as dirt.

Using Truecrypt or BoxCryptor on top of DropBox is perfectly safe, and if there's one thing Dropbox does better than anyone else, is the convenience factor of their sync software.  Wuala can't match it, SpiderOak can't match it... both are more secure, but far more cumbersome to use.  Anything that forces someone to install a Java VM to run already has a really huge uphill battle to become a useful piece of software.  


piotr_n (OP)
April 19, 2012, 08:58:20 PM
 #19

I read google is coming with some online drive solution soon.
If they want to win the market, the best move would be to encrypt the data on the client side, with a locally stored password.
Like LastPass does.
Also for the company - by this they get rid of any liabilities.
Unless they have an actual interest in looking into the content of this data - then they wouldn't do it :)

Stephen Gornick
April 19, 2012, 09:39:14 PM
 #20

There are probably hundreds of people out there who can look and browse through the actual users data.
Employers, window cleaners, hackers, gov agencies - each of them doing a lazy job, dreaming about doing a profitable private project...
Of course they are going to look into all the wallet.dat files - the first, the better.

Quote
Privacy: Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). However, they may have  a small number of employees who must be able to access user data. Dropbox has strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, they employ a number of physical and electronic security measures to protect user information from unauthorized access. You should also note that Dropbox will cooperate with law enforcement if needed and will release your data in unencrypted form in these cases.

 - http://www.kimpl.com/1297/secure-online-backup-file-sync-service

Discussed here as well:
 - http://bitcointalk.org/index.php?topic=1679.msg29488#msg29488
 - https://www.dropbox.com/help/27

Incidentally, that Kimpl review stated that Spider Oak was more secure than Wuala (2nd place), Dropbox, and SugarSync.
 - http://www.spideroak.com

But that also says "for even better security you should encrypt" using TrueCrypt.

piotr_n (OP)
April 19, 2012, 09:47:35 PM
 #21

There are probably hundreds of people out there who can look and browse through the actual users data.
Employers, window cleaners, hackers, gov agencies - each of them doing a lazy job, dreaming about doing a profitable private project...
Of course they are going to look into all the wallet.dat files - the first, the better.

Quote
Privacy: Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). However, they may have  a small number of employees who must be able to access user data. Dropbox has strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, they employ a number of physical and electronic security measures to protect user information from unauthorized access. You should also note that Dropbox will cooperate with law enforcement if needed and will release your data in unencrypted form in these cases.

 - http://www.kimpl.com/1297/secure-online-backup-file-sync-service

Discussed here as well:
 - http://bitcointalk.org/index.php?topic=1679.msg29488#msg29488
 - https://www.dropbox.com/help/27

Incidentally, that Kimpl review stated that Spider Oak was more secure than Wuala (2nd place), Dropbox, and SugarSync.
 - http://www.spideroak.com

But that also says "for even better security you should encrypt" using TrueCrypt.
all true

though the quote that "employees are prohibited from viewing the content of files" may be a bit misleading.
being prohibited doesn't actually stop people from doing the prohibited things. at least there hasn't been a reliably proven correlation :P

etotheipi
April 20, 2012, 04:23:52 AM
 #22

Not to discourage finding good file-encryption solutions, but this is exactly why I made deterministic wallets with paper backups in Armory

  • Print off a couple copies of your wallet
  • Put one in a safety-deposit box
  • Hide another in a book on your bookshelf
  • Never make another backup again!  (unless you import addresses)
  • Never let your wallet touch anyone else's computer except your own!

I would never scatter my wallet all over the interwebs, encrypted or not.  And now you don't have to.  And if you're really paranoid, use Armory's cold-storage, too.  (P.S -- I was the one that found that 0.4.0 bug and was part of the justification for my wallet file format :) ).  P.S. - Electrum uses deterministic wallets, too, and the Satoshi client will have them implemented in 0.7.0+.

In case anyone is interested: I started an announcement thread reserved only for major releases.   It no longer requires so much RAM, and tons of new features since crowdfunding.
</spam>


Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
localhost
April 20, 2012, 01:20:50 PM
 #23

Wuala is a major pain in the ass to use.  I wanted to like it, but it's a) Java based, so it's a piece of shit from the start, b) A resource hog, C) kind of flakey, D) Slow as dirt.
Definitely agreed for a), but otherwise I find it rather convenient to use. And, notably (and surprisingly) not slow on my below average computer.

EhVedadoOAnonimato
April 20, 2012, 01:58:27 PM
 #24

Those who mentioned Wuala forgot an important advantage of this service: they accept bitcoin. :)

Plus, I don't find it a pain in the ass as somebody said above. I always have a working java VM anyway. I don't find it particularly slow either.

But, just in case, I manually encrypt my wallet before sending it to Wuala... AFAIK, the code that does the encryption in the client side is closed, so it has not been publicly inspected.
deepceleron
April 20, 2012, 02:22:15 PM
 #25

Something to do for fun and luls - add the private key to the mtgox "redeem private key" feature. This is likely what was done to all the unencrypted keys discovered in the wallet by a thief. This might give some kind of error if the address is already being scraped, indicating to you mtgox knows who the hacker is, or if mtgox doesn't check and notify upon duplicates, you may or may not beat the other person that is "redeeming" depending on how mtgox processes their list of private keys. Improperly implemented, MtGox could send two transactions for the same coins, and you might see what looks like a double-spend from two auto-empties when coins are sent to the address.
(edit: looks like the scam scum re-sent the coins in the same block, so he is faster than gox).


If you have a pre-encryption copy of the wallet.dat, the private key for an address can easily be obtained with pywallet in hex form. Get the earliest copy you have uploaded, and use a hex editor to search for the bitcoin address. Look for 6B 65 79 41 04, "KeyA" + 0x04, somewhere before that. The KeyA is an indicator of a leaked unencrypted private key; the 0x04 is the first digit of a 66 digit hex private key. If it is in the uploaded file, that's probably what happened.
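
A check for the condition described in the post above, as an added example that is not part of the original thread: it scans a wallet.dat backup for key records left in the clear and only reports their offsets. It assumes a wallet record layout in which a plaintext entry is tagged `\x03key` and an encrypted one `\x04ckey`, each followed by the length byte 0x41 ("A") and a 65-byte field starting with 0x04; the 33-byte case, the function names and the sample data are assumptions of this example.

```python
import re
import sys

# Assumed wallet.dat record layout (key side of each database entry):
#   \x03 "key"  <len> <field>  -> private key stored in the clear
#   \x04 "ckey" <len> <field>  -> private key stored encrypted
# <len><first byte> is 0x41 0x04 for a 65-byte field, which is the
# "keyA" + 0x04 pattern from the post. 0x21 followed by 0x02/0x03
# (33-byte form) is added here as a generalisation.
# This is a raw byte scan, not a database read: records the database
# library no longer lists can still sit in unused pages of the file.
KEY_HIT = re.compile(rb"key(?:\x41\x04|\x21[\x02\x03])")


def classify_hits(data: bytes) -> dict:
    """Return byte offsets of plaintext, encrypted and unclassified hits.

    A plain search for "keyA"+0x04 also matches inside "ckeyA"+0x04,
    so the bytes in front of every hit decide which record type it is.
    """
    found = {"plaintext": [], "encrypted": [], "other": []}
    for m in KEY_HIT.finditer(data):
        i = m.start()
        if data[max(i - 2, 0):i] == b"\x04c":
            kind = "encrypted"
        elif data[max(i - 1, 0):i] == b"\x03":
            kind = "plaintext"
        else:
            kind = "other"  # pattern present but no valid record tag
        found[kind].append(i)
    return found


def verdict(found: dict) -> str:
    """Summarise a scan result as one of four states."""
    if found["plaintext"] and found["encrypted"]:
        return "leak"         # encrypted wallet that still holds clear keys
    if found["plaintext"]:
        return "unencrypted"  # no encrypted records at all
    if found["encrypted"]:
        return "clean"
    return "no-key-records"


def _record(tag: bytes, first: bytes = b"\x04", size: int = 65) -> bytes:
    """Build a constructed, zero-filled record header (no real key data)."""
    return bytes([len(tag)]) + tag + bytes([size]) + first + bytes(size - 1)


# Constructed sample inputs, not taken from any real wallet.
SAMPLE_LEAKY = (bytes(16) + _record(b"key") + b"junk"
                + _record(b"ckey") + _record(b"ckey", b"\x02", 33))
SAMPLE_CLEAN = _record(b"ckey") + bytes(8) + _record(b"ckey")


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE_LEAKY
    hits = classify_hits(blob)
    print(verdict(hits), {k: len(v) for k, v in hits.items()})
```

A `leak` or `unencrypted` result on any copy that has left your machine means the keys in that copy should be treated as exposed.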

deepceleron
April 20, 2012, 02:45:17 PM
 #26

I wonder if blockchain.info logs transactions in addition to new blocks? With their currently 2841 connected nodes, the first-seen peer broadcasting the tx could easily be the IP address of the thief if he accepts inbounds or doesn't discriminate who he connects to. We could contact Ben to see if he does, and send several payments to the address to see if it will reveal its auto-scraping IP. If not, that's something for the Bitcoin Police to set up - a privacy-busting every-node connecting transaction logging bit monster.
doobadoo
April 24, 2012, 06:09:36 PM
 #27

Has anyone confirmed this?  Try loading a trivial amount on a wallet.dat, then upload it to dropbox.  Dropbox is a pretty big system and if someone inside has processes running it as a honeypot I'm sure Dropbox mgmt would love to know.  Has anyone contacted a sysadmin at DB?

"It is, quite honestly, the biggest challenge to central banking since Andrew Jackson." -evoorhees
deepceleron
April 25, 2012, 02:07:43 PM
 #28

Has anyone confirmed this?  Try loading a trivial amount on a wallet.dat, then upload it to dropbox.  Dropbox is a pretty big system and if someone inside has processes running it as a honeypot I'm sure Dropbox mgmt would love to know.  Has anyone contacted a sysadmin at DB?

A honeypot is a system designed to catch an evildoer, such as http://www.projecthoneypot.org/, where various systems are put up on the web as "hacker bait" with complete IP and access logging, so attack attempts and successful attacks can be documented and reported. Unauthorized access to your files hosted on dropbox by staff with elevated privileges is not this.

You should consider any file you upload to the "cloud" as essentially equivalent as posting it publicly for all to see - because when security fails at the company hosting your data (see: http://technorati.com/technology/article/major-dropbox-security-flaw-let-users/) that is essentially what you have done. These companies don't have to provide you any security or service level whatsoever, their interest is profit, and they have terms of service that disclaims all liability.

Anyone that has access to your computer via trojan or remote exploit has all the information needed to compromise your account (http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/), and even malicious apps on your phone can steal your dropbox credentials (http://www.cultofandroid.com/8177/facebook-dropbox-apps-have-serious-security-flaw-that-puts-your-personal-data-at-risk/). If you have used the same password anywhere else and that gets hacked, there's a good chance that the stolen credentials will be tried against all major cloud services.

Unless you specifically contact dropbox and tell them of suspicious activity and they agree to set up a secretly logged account, if you test this theory by uploading another wallet and the coins get stolen, all you will likely get is denials or non-responses from dropbox. Even the most obvious security feature to discover if you have been hacked - showing you a log of IP addresses that have accessed your account - they have not implemented.
doobadoo
April 26, 2012, 01:27:21 AM
 #29

Has anyone confirmed this?  Try loading a trivial amount on a wallet.dat, then upload it to dropbox.  Dropbox is a pretty big system and if someone inside has processes running it as a honeypot I'm sure Dropbox mgmt would love to know.  Has anyone contacted a sysadmin at DB?

A honeypot is a system designed to catch an evildoer, such as http://www.projecthoneypot.org/, where various systems are put up on the web as "hacker bait" with complete IP and access logging, so attack attempts and successful attacks can be documented and reported. Unauthorized access to your files hosted on dropbox by staff with elevated privileges is not this.

Maybe i used the wrong word.  Black hole exploit or whatever it is.  The OP suggested that he thought the hack happen inside DB, i guess b/c he's technologically adept and knows his box ain't been rooted.

Quote
You should consider any file you upload to the "cloud" as essentially equivalent as posting it publicly for all to see - because when security fails at the company hosting your data (see: http://technorati.com/technology/article/major-dropbox-security-flaw-let-users/) that is essentially what you have done. These companies don't have to provide you any security or service level whatsoever, their interest is profit, and they have terms of service that disclaims all liability.

I already assume these services are in the clear anyhow.  But it really sounds like piss poor business sense to risk the credibility of their company by being so lax about security.  But I guess this whole cloud thing is so new its like the wild west.

"It is, quite honestly, the biggest challenge to central banking since Andrew Jackson." -evoorhees