Author Topic: Bitcoin Rise  (Read 2467 times)
ChrisKoss
June 05, 2012, 11:02:31 PM
 #21

my.gox could have world leading security, but it wouldn't matter because people will still get key logged because THEY DON'T TAKE PERSONAL RESPONSIBILITY FOR THEIR OWN SECURITY.

8 characters is too few for a password in my opinion.


use clean systems to access my.gox. easy as booting a live session of Ubuntu.

 buy a yubi key (same thing as a blizzard authenticator)

use a more secure password.

change your passwords regularly.

don't whine and moan when your own negligence rob's you of your money. you are basically handing the hackers your bitcoins .

Edit: Oh, and your gox account is only as secure as your email. keep that in mind.

Google Authenticator is a free yubi-key-like application which you can download for free on any Android phone.  Anything you really want secure should be two factor auth-ed, or you are completely vulnerable to someone keylogging you.

I am a consultant providing services to CoinLab, Inc.
deepceleron
June 05, 2012, 11:16:08 PM
 #22

my.gox could have world leading security, but it wouldn't matter because people will still get key logged because THEY DON'T TAKE PERSONAL RESPONSIBILITY FOR THEIR OWN SECURITY.

8 characters is too few for a password in my opinion.


use clean systems to access my.gox. easy as booting a live session of Ubuntu.

 buy a yubi key (same thing as a blizzard authenticator)

use a more secure password.

change your passwords regularly.

don't whine and moan when your own negligence rob's you of your money. you are basically handing the hackers your bitcoins .

Edit: Oh, and your gox account is only as secure as your email. keep that in mind.

Google authenticator is a free yubi-key-like application which you can download for free on any android phone.  Anything you really want secure should be two factor auth-ed, or you are completely vulnerable to someone to keylogging you.  

<L_CLK:84,332><APPOPEN:C:\Program Files\Mozilla Firefox\firefox.exe>
<L_CLK:642,66>mtgox.com<ENTER><L_CLK:888,124>deepceleron<L_CLK:918,127><CTRL+>v<L_CLK:959,123>

Here's some help for you if your keylogger didn't work, I deleted 1 character:

RqQsxaHGWDzP7fweKDsx0wj4gyLPHRrPrJMurBMPq2MRltwEgQ6rcCTN2i7qjPKOmbu4IgHFdjFu9pQ 9v1vrjzYT3tjP9Pa1CncuR7epkiC3PvCuBJ5pNasvMziwktQTQMYLscyqZDj20cOvxZ5WmF8HcIqPOE n0MR96CSMTvMME4tB37lsEmPA5GSON1lST3ZuxN16m
Hexadecibel
June 06, 2012, 02:32:02 AM
 #23

keyloggers also record the clipboard I believe, if that's what you are getting at...
my.gox could have world leading security, but it wouldn't matter because people will still get key logged because THEY DON'T TAKE PERSONAL RESPONSIBILITY FOR THEIR OWN SECURITY.

8 characters is too few for a password in my opinion.


use clean systems to access my.gox. easy as booting a live session of Ubuntu.

 buy a yubi key (same thing as a blizzard authenticator)

use a more secure password.

change your passwords regularly.

don't whine and moan when your own negligence rob's you of your money. you are basically handing the hackers your bitcoins .

Edit: Oh, and your gox account is only as secure as your email. keep that in mind.

Google authenticator is a free yubi-key-like application which you can download for free on any android phone.  Anything you really want secure should be two factor auth-ed, or you are completely vulnerable to someone to keylogging you.  

<L_CLK:84,332><APPOPEN:C:\Program Files\Mozilla Firefox\firefox.exe>
<L_CLK:642,66>mtgox.com<ENTER><L_CLK:888,124>deepceleron<L_CLK:918,127><CTRL+>v<L_CLK:959,123>

Here's some help for you if your keylogger didn't work, I deleted 1 character:

RqQsxaHGWDzP7fweKDsx0wj4gyLPHRrPrJMurBMPq2MRltwEgQ6rcCTN2i7qjPKOmbu4IgHFdjFu9pQ 9v1vrjzYT3tjP9Pa1CncuR7epkiC3PvCuBJ5pNasvMziwktQTQMYLscyqZDj20cOvxZ5WmF8HcIqPOE n0MR96CSMTvMME4tB37lsEmPA5GSON1lST3ZuxN16m


I'm 99% certain keyloggers also record your clipboard, if that's what you are getting at...

I was unaware that Google had an authenticator that's free to use... I'll look into that.
Doesn't mt.gox require a yubi key explicitly? Will the Google Authenticator work on mt.gox?...
Bitcoin Oz
June 06, 2012, 02:44:36 AM
 #24

I wonder if the bitcoin client will ever have 2 factor auth  Smiley

Hexadecibel
June 06, 2012, 02:47:33 AM
 #25

I wonder if the bitcoin client will ever have 2 factor auth  Smiley

I think it's called multi-sig. I don't think it's fully implemented yet, but www.blockchain.info can pair your online wallet with your desktop/smartphone wallet for 2 factor auth.
Dabs
June 06, 2012, 06:31:41 AM
 #26

I think what he's saying is that his password is RqQsxaHGWDzP7fweKDsx0wj4gyLPHRrPrJMurBMPq2MRltwEgQ6rcCTN2i7qjPKOmbu4IgHFdjFu9pQ 9v1vrjzYT3tjP9Pa1CncuR7epkiC3PvCuBJ5pNasvMziwktQTQMYLscyqZDj20cOvxZ5WmF8HcIqPOE n0MR96CSMTvMME4tB37lsEmPA5GSON1lST3ZuxN16m

But that he deleted 1 character from this long string. Which character is that? What position? Also, it's highly likely that this string is nowhere close to what his actual password is, so he is merely suggesting that his password is

1. very long (200 characters)
2. alphanumeric
3. case sensitive (uppercase and lowercase)

Incidentally, how long can a Mt. Gox password be? And for those of you curious, my username or userid to log into Mt. Gox looks like a password more than a username. (Really, I just generated a 16 character username, so essentially it's like a password with a password.)

Unacceptable
June 06, 2012, 06:42:53 AM
 #27

my.gox could have world leading security, but it wouldn't matter because people will still get key logged because THEY DON'T TAKE PERSONAL RESPONSIBILITY FOR THEIR OWN SECURITY.

8 characters is too few for a password in my opinion.


use clean systems to access my.gox. easy as booting a live session of Ubuntu.

 buy a yubi key (same thing as a blizzard authenticator)

use a more secure password.

change your passwords regularly.

don't whine and moan when your own negligence rob's you of your money. you are basically handing the hackers your bitcoins .

Edit: Oh, and your gox account is only as secure as your email. keep that in mind.

I don't believe my PC was ever compromised, I've checked it with several AVs & have a network pro coming over soon to dig deeper.

My email is untouched, PW was never changed, nothing altered. So, before you assume I'm an idiot, check yourself  Angry

Notice I'm not alone in getting my account hacked recently, so all of us are whiners & piss & moaners, gee thanks for your support. What a caring community Roll Eyes

If BTC is ever to get to the general public, where there are people dumber than even me, security needs to be more automated, more checks & balances so to speak on the exchanges & for general transactions.

Otherwise money launderers, drug dealers & hackers will be the majority using BTC, as it is now.

Again, thanks for caring.........................................

"If you run into an asshole in the morning, you ran into an asshole. If you run into assholes all day long, you are the asshole."  -Raylan Givens
Got GOXXED ?? https://www.youtube.com/watch?v=9KiqRpPiJAU&feature=youtu.be
"An ASIC being late is perfectly normal, predictable, and legal..."Hashfast & BFL slogan Smiley
Hexadecibel
June 06, 2012, 07:02:33 AM
 #28

my.gox could have world leading security, but it wouldn't matter because people will still get key logged because THEY DON'T TAKE PERSONAL RESPONSIBILITY FOR THEIR OWN SECURITY.

8 characters is too few for a password in my opinion.


use clean systems to access my.gox. easy as booting a live session of Ubuntu.

 buy a yubi key (same thing as a blizzard authenticator)

use a more secure password.

change your passwords regularly.

don't whine and moan when your own negligence rob's you of your money. you are basically handing the hackers your bitcoins .

Edit: Oh, and your gox account is only as secure as your email. keep that in mind.

I don't believe my PC was ever compromised,I've checked it with several AV's & have a network pro coming over soon to dig deeper.

My email is untouched,PW was never changed,nothing altered.So,before you assume I'm an idiot,check yourself  Angry

Notice I'm not alone in getting my account hacked recently,so all of us are whiners & piss & moaners,gee thanks for your support.What a caring community Roll Eyes

If BTC is ever to get to the general public,where there are people dumber than even me,security needs to be more automated,more checks & balances so to speak on the exchange's & for general transactions.

Otherwise money launderers,drug dealers & hackers will be the majority using BTC,as it is now.

Again,thanks for caring.........................................

You would never know if you were key logged. AV is not 100% effective and any IT specialist will tell you it's easier to re-install a system than remove a root-kit.

edit: Bottom line is, you need to take ownership of your own security and your own mistakes rather than trying to pass it off on mt.gox.
Of course you're not alone, lots of people make dumb mistakes, and this is how you learn. Just like I did when my WoW account was hacked via key-logger.

I had anti-virus too  Wink

Mt.gox by the way are now offering free authenticator service via google authenticator. So I imagine they're trying a wee bit harder than you to protect your account.

John (John K.)
June 06, 2012, 07:07:42 AM
 #29

my.gox could have world leading security, but it wouldn't matter because people will still get key logged because THEY DON'T TAKE PERSONAL RESPONSIBILITY FOR THEIR OWN SECURITY.

8 characters is too few for a password in my opinion.


use clean systems to access my.gox. easy as booting a live session of Ubuntu.

 buy a yubi key (same thing as a blizzard authenticator)

use a more secure password.

change your passwords regularly.

don't whine and moan when your own negligence rob's you of your money. you are basically handing the hackers your bitcoins .

Edit: Oh, and your gox account is only as secure as your email. keep that in mind.

I don't believe my PC was ever compromised,I've checked it with several AV's & have a network pro coming over soon to dig deeper.

My email is untouched,PW was never changed,nothing altered.So,before you assume I'm an idiot,check yourself  Angry

Notice I'm not alone in getting my account hacked recently,so all of us are whiners & piss & moaners,gee thanks for your support.What a caring community Roll Eyes

If BTC is ever to get to the general public,where there are people dumber than even me,security needs to be more automated,more checks & balances so to speak on the exchange's & for general transactions.

Otherwise money launderers,drug dealers & hackers will be the majority using BTC,as it is now.

Again,thanks for caring.........................................

You would never know if you were key logged. AV is not 100% effective and any IT specialist will tell you its easier to re-install a system than remove a root-kit.

Heck, just run the keylogger through some obfuscation software and most AVs won't throw a hint. Use only 2 factor auth and/or Linux for any financially related activities, and check your keyboard's connector for a hardware keylogger before even typing in your userid.
vssa
June 06, 2012, 11:44:01 AM
 #30

Here is technical analysis of BTC chart long term:

http://www.btcwallet.org/wp-content/uploads/2012/05/bitcoinb30.png

for more technical analysis charts you can visit my website at: BTCwallet.org
smyl
June 06, 2012, 05:26:42 PM
 #31


 buy a yubi key (same thing as a blizzard authenticator)


Do you know if you could use a Blizzard authenticator?
(or the other way around...)
jbcmine
June 06, 2012, 06:30:32 PM
 #32

my.gox could have world leading security, but it wouldn't matter because people will still get key logged because THEY DON'T TAKE PERSONAL RESPONSIBILITY FOR THEIR OWN SECURITY.

8 characters is too few for a password in my opinion.


use clean systems to access my.gox. easy as booting a live session of Ubuntu.

 buy a yubi key (same thing as a blizzard authenticator)

use a more secure password.

change your passwords regularly.

don't whine and moan when your own negligence rob's you of your money. you are basically handing the hackers your bitcoins .

Edit: Oh, and your gox account is only as secure as your email. keep that in mind.

I don't believe my PC was ever compromised,I've checked it with several AV's & have a network pro coming over soon to dig deeper.

My email is untouched,PW was never changed,nothing altered.So,before you assume I'm an idiot,check yourself  Angry

Notice I'm not alone in getting my account hacked recently,so all of us are whiners & piss & moaners,gee thanks for your support.What a caring community Roll Eyes

If BTC is ever to get to the general public,where there are people dumber than even me,security needs to be more automated,more checks & balances so to speak on the exchange's & for general transactions.

Otherwise money launderers,drug dealers & hackers will be the majority using BTC,as it is now.

Again,thanks for caring.........................................

As a malware analyst, I can tell you it is entirely possible to get in, get out and leave no signs. Take a keylogger for example. Anti-virus applications are based primarily on signatures & heuristics.

For the signature, executable packers known as "crypters" are available which basically use a form of encryption RC4, XOR, etc. and attach those to a "Stub". The stub loads the encrypted "payload" into memory, which is able to sneak past the antivirus as it can't decrypt the payload and an attempt would cost too many CPU cycles, rendering their product slow, etc. etc.  Once the encrypted data is in memory, the stub decrypts it, and resumes the "frozen" process. This effectively bypasses AV.

For defeating heuristics, simple time puzzles or pointless API calls or any process that eats CPU can effectively "time out" the AV engine, causing it to abort analyzing the file.

If the payload is created correctly, it is possible to steal wallet.dat, or ONLY start the "server" process when bitcoind.exe is running. After either recording your passphrase or uploading your wallet.dat file, the file "melts" and leaves no evidence behind.



Hexadecibel
June 06, 2012, 08:05:22 PM
 #33


 buy a yubi key (same thing as a blizzard authenticator)


Do you know if you could use a bizzard authenticator?
(or the other way around...)

No, you cannot. You need to buy a yubi key or use Google Authenticator. Google Authenticator is free.
Hexadecibel
June 06, 2012, 09:11:24 PM
 #34

Quote
As a malware analyst , I can tell you it is entirely possible to get in, get out and leave no signs. Take a keylogger for example. Anti-virus applications are based primarily on signatures & heuristics.

For the signature , executable packers known as "crypters" are available which basically use a form of encryption RC4, XOR, etc. and attach those to a "Stub" . The stub loads the encrypted "payload" into memory , which is able to sneak past the antivirus as it can't decrypt the payload and an attempt would cost too many CPU cycles, rendering their product slow, etc. etc.  Once the encrypted data is in memory , the stub decrypts it , and resumes the "frozen" process. This effectively bypasses AV.

For defeating heuristics simple time puzzles or pointless API calls or any process that eats CPU can effectively "time out" the AV engine causing it to abort analyzing the file.

If the payload is created correctly, it is possible to steal wallet.dat , or ONLY start the "server" process when bitcoind.exe is running. After either recording your passphrase or uploading your wallet.dat file, the file "melts" and leaves no evidence behind

That's really interesting, thanks for your insight.

It just goes to show how important it is to practice safe browsing and really be aware of what the threats are out there.

Seeing as how dealing with malware is your profession, can you offer any tips that may benefit newbies and the rest of us? Maybe make a new thread if it's in-depth.

I believe knowing what exactly the threats are and how they work makes them seem more real and makes newcomers to bitcoin take security more seriously.
jbcmine
June 06, 2012, 10:03:18 PM
Last edit: June 06, 2012, 10:15:22 PM by jbcmine
 #35

Quote
As a malware analyst , I can tell you it is entirely possible to get in, get out and leave no signs. Take a keylogger for example. Anti-virus applications are based primarily on signatures & heuristics.

For the signature , executable packers known as "crypters" are available which basically use a form of encryption RC4, XOR, etc. and attach those to a "Stub" . The stub loads the encrypted "payload" into memory , which is able to sneak past the antivirus as it can't decrypt the payload and an attempt would cost too many CPU cycles, rendering their product slow, etc. etc.  Once the encrypted data is in memory , the stub decrypts it , and resumes the "frozen" process. This effectively bypasses AV.

For defeating heuristics simple time puzzles or pointless API calls or any process that eats CPU can effectively "time out" the AV engine causing it to abort analyzing the file.

If the payload is created correctly, it is possible to steal wallet.dat , or ONLY start the "server" process when bitcoind.exe is running. After either recording your passphrase or uploading your wallet.dat file, the file "melts" and leaves no evidence behind

thats really interesting, thanks for your insight.

it just goes to show how important it  is to practice safe browsing and really be aware of what the threats are out there.

Seeing as how dealing with malware is your profession can you offer any tips that may benefit newbies and the rest of us? Maybe make a new thread if its indepth.

I believe knowing what exactly the threats are and how they work make them seem more real and make newcomers to bitcoin take security more seriously

Analyzing malware is a hobby of mine, my day-to-day job is as a software engineer. A great tip would be to download Sandboxie and do all your browsing and run all downloaded applications (if you must download them from not-well-known sites) inside a sandboxed environment. This way if you do happen to download malware it will have little chance at actually infecting your system.

The fact is, 0-day exploits exist as well. Take a look at MS08-067:

http://technet.microsoft.com/en-us/security/bulletin/ms08-067

This was a well-known exploit that went unprotected for quite a while and even today in "lab" tests one can find machines still vulnerable. It allowed for hackers to upload their infected payloads without any user interaction. Things you hear over and over again like "install the latest updates" are repeated for a reason.

A second tip would be to "Know Thy Enemy". Do research on commonly used malware such as "DarkComet RAT", "CyberGate RAT", and "BlackShades". Fact is, there are plenty of custom-made backdoor programs that can go undetected for years.

Using a firewall one can set a Deny All rule for all incoming & outgoing connections and allow on a case-by-case basis.

MD5 and SHA-1 hashes are extremely helpful in verifying the validity of downloaded software. If you are an extremely paranoid person like myself, I'd suggest downloading a Live CD of Ubuntu or your preferred Linux distro, verifying the MD5 signature, and booting from that CD. Create a new wallet and transfer all your funds to that wallet. Encrypt it, and then copy to USB which has been formatted (even better, zeroed out w/ Eraser or equivalent. Your USB device could have been previously infected to where it autoruns malware from a hidden area.)

Lastly, make sure your wireless network is using WPA/WPA2 with a unique password of at least 12+ alphanumeric characters with a few special symbols as well.

Tools like Ettercap, Arpspoof , and SSLStrip can be run on a cracked WEP network and regardless of how safe you are with your local machine, everything transmitted over your wireless can be intercepted. Use wired connections where possible.

To simplify and be more practical: don't download software from unknown sources, stay up-to-date on patches and antivirus definitions, and use a different password or 2-factor authentication for sites which hold sensitive information.
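
The download check recommended in the post above (hash the Live CD image and compare it with the published checksum), as an added example that is not part of the original post. It assumes a coreutils-style checksum list (`<hex>  name` or `<hex> *name`); the file name `live-cd.iso` and its contents are constructed stand-ins.

```python
import hashlib
import hmac
import os
import string
import tempfile

# Hex digest length -> (hashlib name, collision-resistant today?)
ALGOS = {32: ("md5", False), 40: ("sha1", False), 64: ("sha256", True)}


def parse_checksum_file(text):
    """Parse coreutils-style lines: '<hex>  name' (text) or '<hex> *name' (binary)."""
    entries = {}
    for line in text.splitlines():
        digest, sep, rest = line.strip().partition(" ")
        if not sep or len(rest) < 2 or len(digest) not in ALGOS:
            continue  # blank line, comment, or unknown digest length
        if not all(c in string.hexdigits for c in digest):
            continue
        entries[rest[1:]] = digest.lower()  # rest[0] is the mode flag ' ' or '*'
    return entries


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so a multi-gigabyte image never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify(path, checksum_text):
    """Return (status, algo); status is 'ok', 'ok-weak-hash', 'mismatch' or 'unlisted'."""
    expected = parse_checksum_file(checksum_text).get(os.path.basename(path))
    if expected is None:
        return ("unlisted", None)
    algo, strong = ALGOS[len(expected)]
    if not hmac.compare_digest(file_digest(path, algo), expected):
        return ("mismatch", algo)
    # MD5 and SHA-1 still catch corruption, but collisions can be crafted for
    # both, so prefer a SHA-256 list when the publisher offers one.
    return ("ok" if strong else "ok-weak-hash", algo)


def demo():
    """Constructed sample: hash a stand-in image, then flip one byte and re-check."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "live-cd.iso")
        with open(path, "wb") as f:
            f.write(b"constructed stand-in for an ISO image\n" * 1000)
        sha_list = "%s *live-cd.iso\n" % file_digest(path, "sha256")
        md5_list = "%s  live-cd.iso\n" % file_digest(path, "md5")
        results = {
            "clean": verify(path, sha_list),
            "md5_listed": verify(path, md5_list),
        }
        with open(path, "r+b") as f:  # simulate a tampered or corrupted download
            f.seek(100)
            f.write(b"X")
        results["tampered"] = verify(path, sha_list)
        return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

A matching hash only proves the file matches the list, so the list itself has to come from a source the attacker does not control; Ubuntu publishes a GPG-signed `SHA256SUMS` next to its images for that reason.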



mash
June 08, 2012, 01:01:08 PM
 #36

See the piercing bars? Breakout from the sideways range? This will be at 30 USD again in no time.

j/k

Yes I agree Cheesy