ChrisKoss
|
|
June 05, 2012, 11:02:31 PM |
|
my.gox could have world leading security, but it wouldn't matter because people will still get key logged because THEY DON'T TAKE PERSONAL RESPONSIBILITY FOR THEIR OWN SECURITY.
8 characters is too few for a password in my opinion.
use clean systems to access my.gox. easy as booting a live session of Ubuntu.
buy a yubi key (same thing as a blizzard authenticator)
use a more secure password.
change your passwords regularly.
don't whine and moan when your own negligence robs you of your money. you are basically handing the hackers your bitcoins.
Edit: Oh, and your gox account is only as secure as your email. keep that in mind.
Google authenticator is a free yubi-key-like application which you can download for free on any android phone. Anything you really want secure should be two factor auth-ed, or you are completely vulnerable to someone keylogging you.
|
I am a consultant providing services to CoinLab, Inc.
|
|
|
deepceleron
|
|
June 05, 2012, 11:16:08 PM |
|
> my.gox could have world leading security, but it wouldn't matter because people will still get key logged because THEY DON'T TAKE PERSONAL RESPONSIBILITY FOR THEIR OWN SECURITY.
> 8 characters is too few for a password in my opinion.
> use clean systems to access my.gox. easy as booting a live session of Ubuntu.
> buy a yubi key (same thing as a blizzard authenticator)
> use a more secure password.
> change your passwords regularly.
> don't whine and moan when your own negligence robs you of your money. you are basically handing the hackers your bitcoins.
> Edit: Oh, and your gox account is only as secure as your email. keep that in mind.
> Google authenticator is a free yubi-key-like application which you can download for free on any android phone. Anything you really want secure should be two factor auth-ed, or you are completely vulnerable to someone keylogging you.
<L_CLK:84,332><APPOPEN:C:\Program Files\Mozilla Firefox\firefox.exe> <L_CLK:642,66>mtgox.com<ENTER><L_CLK:888,124>deepceleron<L_CLK:918,127><CTRL+>v<L_CLK:959,123>
Here's some help for you if your keylogger didn't work, I deleted 1 character: RqQsxaHGWDzP7fweKDsx0wj4gyLPHRrPrJMurBMPq2MRltwEgQ6rcCTN2i7qjPKOmbu4IgHFdjFu9pQ 9v1vrjzYT3tjP9Pa1CncuR7epkiC3PvCuBJ5pNasvMziwktQTQMYLscyqZDj20cOvxZ5WmF8HcIqPOE n0MR96CSMTvMME4tB37lsEmPA5GSON1lST3ZuxN16m
|
|
|
|
Hexadecibel
|
|
June 06, 2012, 02:32:02 AM |
|
keyloggers also record the clipboard I believe, if that's what you are getting at...
> > my.gox could have world leading security, but it wouldn't matter because people will still get key logged because THEY DON'T TAKE PERSONAL RESPONSIBILITY FOR THEIR OWN SECURITY.
> > 8 characters is too few for a password in my opinion.
> > use clean systems to access my.gox. easy as booting a live session of Ubuntu.
> > buy a yubi key (same thing as a blizzard authenticator)
> > use a more secure password.
> > change your passwords regularly.
> > don't whine and moan when your own negligence robs you of your money. you are basically handing the hackers your bitcoins.
> > Edit: Oh, and your gox account is only as secure as your email. keep that in mind.
> > Google authenticator is a free yubi-key-like application which you can download for free on any android phone. Anything you really want secure should be two factor auth-ed, or you are completely vulnerable to someone keylogging you.
> <L_CLK:84,332><APPOPEN:C:\Program Files\Mozilla Firefox\firefox.exe> <L_CLK:642,66>mtgox.com<ENTER><L_CLK:888,124>deepceleron<L_CLK:918,127><CTRL+>v<L_CLK:959,123>
> Here's some help for you if your keylogger didn't work, I deleted 1 character: RqQsxaHGWDzP7fweKDsx0wj4gyLPHRrPrJMurBMPq2MRltwEgQ6rcCTN2i7qjPKOmbu4IgHFdjFu9pQ 9v1vrjzYT3tjP9Pa1CncuR7epkiC3PvCuBJ5pNasvMziwktQTQMYLscyqZDj20cOvxZ5WmF8HcIqPOE n0MR96CSMTvMME4tB37lsEmPA5GSON1lST3ZuxN16m
I'm 99% certain keyloggers also record your clipboard, if that's what you are getting at... I was unaware that google had an authenticator that's free to use... I'll look into that. Doesn't mt.gox require a yubi key explicitly? Will the google authenticator work on mt.gox?...
|
|
|
|
Bitcoin Oz
|
|
June 06, 2012, 02:44:36 AM |
|
I wonder if the bitcoin client will ever have 2 factor auth
|
|
|
|
Hexadecibel
|
|
June 06, 2012, 02:47:33 AM |
|
> I wonder if the bitcoin client will ever have 2 factor auth
I think it's called multi-sig. I don't think it's fully implemented yet, but www.blockchain.info can pair your online wallet with your desktop/smartphone wallet for 2 factor auth.
|
|
|
|
Dabs
|
|
June 06, 2012, 06:31:41 AM |
|
I think what he's saying is that his password is RqQsxaHGWDzP7fweKDsx0wj4gyLPHRrPrJMurBMPq2MRltwEgQ6rcCTN2i7qjPKOmbu4IgHFdjFu9pQ 9v1vrjzYT3tjP9Pa1CncuR7epkiC3PvCuBJ5pNasvMziwktQTQMYLscyqZDj20cOvxZ5WmF8HcIqPOE n0MR96CSMTvMME4tB37lsEmPA5GSON1lST3ZuxN16m
But that he deleted 1 character from this long string. Which character is that? What position? Also, it's highly likely that this string is nowhere close to what his actual password is, so he is merely suggesting that his password is
1. very long (200 characters)
2. alphanumeric
3. case sensitive (uppercase and lowercase)
Incidentally, how long can a Mt. Gox password be? And for those of you curious, my username or userid to log into Mt. Gox looks like a password more than a username. (Really, I just generated a 16 character username, so essentially it's like a password with a password.)
|
|
|
|
Unacceptable
|
|
June 06, 2012, 06:42:53 AM |
|
> my.gox could have world leading security, but it wouldn't matter because people will still get key logged because THEY DON'T TAKE PERSONAL RESPONSIBILITY FOR THEIR OWN SECURITY.
> 8 characters is too few for a password in my opinion.
> use clean systems to access my.gox. easy as booting a live session of Ubuntu.
> buy a yubi key (same thing as a blizzard authenticator)
> use a more secure password.
> change your passwords regularly.
> don't whine and moan when your own negligence robs you of your money. you are basically handing the hackers your bitcoins.
> Edit: Oh, and your gox account is only as secure as your email. keep that in mind.
I don't believe my PC was ever compromised, I've checked it with several AVs & have a network pro coming over soon to dig deeper. My email is untouched, PW was never changed, nothing altered. So, before you assume I'm an idiot, check yourself. Notice I'm not alone in getting my account hacked recently, so all of us are whiners & piss & moaners, gee thanks for your support. What a caring community. If BTC is ever to get to the general public, where there are people dumber than even me, security needs to be more automated, more checks & balances so to speak on the exchanges & for general transactions. Otherwise money launderers, drug dealers & hackers will be the majority using BTC, as it is now. Again, thanks for caring.........................................
|
"If you run into an asshole in the morning, you ran into an asshole. If you run into assholes all day long, you are the asshole." -Raylan Givens
Got GOXXED ?? https://www.youtube.com/watch?v=9KiqRpPiJAU&feature=youtu.be
"An ASIC being late is perfectly normal, predictable, and legal..." Hashfast & BFL slogan
|
|
|
Hexadecibel
|
|
June 06, 2012, 07:02:33 AM |
|
> > my.gox could have world leading security, but it wouldn't matter because people will still get key logged because THEY DON'T TAKE PERSONAL RESPONSIBILITY FOR THEIR OWN SECURITY.
> > 8 characters is too few for a password in my opinion.
> > use clean systems to access my.gox. easy as booting a live session of Ubuntu.
> > buy a yubi key (same thing as a blizzard authenticator)
> > use a more secure password.
> > change your passwords regularly.
> > don't whine and moan when your own negligence robs you of your money. you are basically handing the hackers your bitcoins.
> > Edit: Oh, and your gox account is only as secure as your email. keep that in mind.
> I don't believe my PC was ever compromised, I've checked it with several AVs & have a network pro coming over soon to dig deeper. My email is untouched, PW was never changed, nothing altered. So, before you assume I'm an idiot, check yourself. Notice I'm not alone in getting my account hacked recently, so all of us are whiners & piss & moaners, gee thanks for your support. What a caring community. If BTC is ever to get to the general public, where there are people dumber than even me, security needs to be more automated, more checks & balances so to speak on the exchanges & for general transactions. Otherwise money launderers, drug dealers & hackers will be the majority using BTC, as it is now. Again, thanks for caring.........................................
You would never know if you were key logged. AV is not 100% effective and any IT specialist will tell you it's easier to re-install a system than remove a root-kit.
edit: Bottom line is, you need to take ownership of your own security and your own mistakes rather than trying to pass it off on mt.gox. Of course you're not alone, lots of people make dumb mistakes, and this is how you learn. Just like I did when my WoW account was hacked via key-logger. I had anti-virus too. Mt.gox by the way are now offering free authenticator service via google authenticator. So I imagine they're trying a wee bit harder than you to protect your account.
|
|
|
|
John (John K.)
|
|
June 06, 2012, 07:07:42 AM |
|
> > > my.gox could have world leading security, but it wouldn't matter because people will still get key logged because THEY DON'T TAKE PERSONAL RESPONSIBILITY FOR THEIR OWN SECURITY.
> > > 8 characters is too few for a password in my opinion.
> > > use clean systems to access my.gox. easy as booting a live session of Ubuntu.
> > > buy a yubi key (same thing as a blizzard authenticator)
> > > use a more secure password.
> > > change your passwords regularly.
> > > don't whine and moan when your own negligence robs you of your money. you are basically handing the hackers your bitcoins.
> > > Edit: Oh, and your gox account is only as secure as your email. keep that in mind.
> > I don't believe my PC was ever compromised, I've checked it with several AVs & have a network pro coming over soon to dig deeper. My email is untouched, PW was never changed, nothing altered. So, before you assume I'm an idiot, check yourself. Notice I'm not alone in getting my account hacked recently, so all of us are whiners & piss & moaners, gee thanks for your support. What a caring community. If BTC is ever to get to the general public, where there are people dumber than even me, security needs to be more automated, more checks & balances so to speak on the exchanges & for general transactions. Otherwise money launderers, drug dealers & hackers will be the majority using BTC, as it is now. Again, thanks for caring.........................................
> You would never know if you were key logged. AV is not 100% effective and any IT specialist will tell you it's easier to re-install a system than remove a root-kit.
Heck, just run the keylogger through some obfuscation software and most AVs won't throw a hint. Use only 2 factor auth and/or Linux for any financially related activities, and check your keyboard's connector for a hardware keylogger before even typing in your userid.
|
|
|
|
|
smyl
|
|
June 06, 2012, 05:26:42 PM |
|
> buy a yubi key (same thing as a blizzard authenticator)
Do you know if you could use a blizzard authenticator? (or the other way around...)
|
|
|
|
jbcmine
|
|
June 06, 2012, 06:30:32 PM |
|
> > my.gox could have world leading security, but it wouldn't matter because people will still get key logged because THEY DON'T TAKE PERSONAL RESPONSIBILITY FOR THEIR OWN SECURITY.
> > 8 characters is too few for a password in my opinion.
> > use clean systems to access my.gox. easy as booting a live session of Ubuntu.
> > buy a yubi key (same thing as a blizzard authenticator)
> > use a more secure password.
> > change your passwords regularly.
> > don't whine and moan when your own negligence robs you of your money. you are basically handing the hackers your bitcoins.
> > Edit: Oh, and your gox account is only as secure as your email. keep that in mind.
> I don't believe my PC was ever compromised, I've checked it with several AVs & have a network pro coming over soon to dig deeper. My email is untouched, PW was never changed, nothing altered. So, before you assume I'm an idiot, check yourself. Notice I'm not alone in getting my account hacked recently, so all of us are whiners & piss & moaners, gee thanks for your support. What a caring community. If BTC is ever to get to the general public, where there are people dumber than even me, security needs to be more automated, more checks & balances so to speak on the exchanges & for general transactions. Otherwise money launderers, drug dealers & hackers will be the majority using BTC, as it is now. Again, thanks for caring.........................................
As a malware analyst, I can tell you it is entirely possible to get in, get out and leave no signs. Take a keylogger for example. Anti-virus applications are based primarily on signatures & heuristics.
For the signature, executable packers known as "crypters" are available which basically use a form of encryption RC4, XOR, etc. and attach those to a "Stub". The stub loads the encrypted "payload" into memory, which is able to sneak past the antivirus as it can't decrypt the payload and an attempt would cost too many CPU cycles, rendering their product slow, etc. etc. Once the encrypted data is in memory, the stub decrypts it, and resumes the "frozen" process. This effectively bypasses AV.
For defeating heuristics simple time puzzles or pointless API calls or any process that eats CPU can effectively "time out" the AV engine causing it to abort analyzing the file.
If the payload is created correctly, it is possible to steal wallet.dat, or ONLY start the "server" process when bitcoind.exe is running. After either recording your passphrase or uploading your wallet.dat file, the file "melts" and leaves no evidence behind.
|
|
|
|
Hexadecibel
|
|
June 06, 2012, 08:05:22 PM |
|
> > buy a yubi key (same thing as a blizzard authenticator)
> Do you know if you could use a blizzard authenticator? (or the other way around...)
no you can not. you need to buy a yubi key or use google authenticator. google authenticator is free.
|
|
|
|
Hexadecibel
|
|
June 06, 2012, 09:11:24 PM |
|
> As a malware analyst, I can tell you it is entirely possible to get in, get out and leave no signs. Take a keylogger for example. Anti-virus applications are based primarily on signatures & heuristics.
> For the signature, executable packers known as "crypters" are available which basically use a form of encryption RC4, XOR, etc. and attach those to a "Stub". The stub loads the encrypted "payload" into memory, which is able to sneak past the antivirus as it can't decrypt the payload and an attempt would cost too many CPU cycles, rendering their product slow, etc. etc. Once the encrypted data is in memory, the stub decrypts it, and resumes the "frozen" process. This effectively bypasses AV.
> For defeating heuristics simple time puzzles or pointless API calls or any process that eats CPU can effectively "time out" the AV engine causing it to abort analyzing the file.
> If the payload is created correctly, it is possible to steal wallet.dat, or ONLY start the "server" process when bitcoind.exe is running. After either recording your passphrase or uploading your wallet.dat file, the file "melts" and leaves no evidence behind.
that's really interesting, thanks for your insight. it just goes to show how important it is to practice safe browsing and really be aware of what the threats are out there. Seeing as how dealing with malware is your profession can you offer any tips that may benefit newbies and the rest of us? Maybe make a new thread if it's in-depth. I believe knowing what exactly the threats are and how they work make them seem more real and make newcomers to bitcoin take security more seriously
|
|
|
|
jbcmine
|
|
June 06, 2012, 10:03:18 PM Last edit: June 06, 2012, 10:15:22 PM by jbcmine |
|
> > As a malware analyst, I can tell you it is entirely possible to get in, get out and leave no signs. Take a keylogger for example. Anti-virus applications are based primarily on signatures & heuristics.
> > For the signature, executable packers known as "crypters" are available which basically use a form of encryption RC4, XOR, etc. and attach those to a "Stub". The stub loads the encrypted "payload" into memory, which is able to sneak past the antivirus as it can't decrypt the payload and an attempt would cost too many CPU cycles, rendering their product slow, etc. etc. Once the encrypted data is in memory, the stub decrypts it, and resumes the "frozen" process. This effectively bypasses AV.
> > For defeating heuristics simple time puzzles or pointless API calls or any process that eats CPU can effectively "time out" the AV engine causing it to abort analyzing the file.
> > If the payload is created correctly, it is possible to steal wallet.dat, or ONLY start the "server" process when bitcoind.exe is running. After either recording your passphrase or uploading your wallet.dat file, the file "melts" and leaves no evidence behind.
> that's really interesting, thanks for your insight. it just goes to show how important it is to practice safe browsing and really be aware of what the threats are out there. Seeing as how dealing with malware is your profession can you offer any tips that may benefit newbies and the rest of us? Maybe make a new thread if it's in-depth. I believe knowing what exactly the threats are and how they work make them seem more real and make newcomers to bitcoin take security more seriously
Analyzing malware is a hobby of mine, my day-to-day job is as a software engineer. A great tip would be to download Sandboxie and do all your browsing and run all downloaded applications (if you must download them from not-well-known sites) inside a sandboxed environment. This way if you do happen to download malware it will have little chance at actually infecting your system.
The fact is, 0-day exploits exist as well. Take a look at MS08-067: http://technet.microsoft.com/en-us/security/bulletin/ms08-067 This was a well-known exploit that went unprotected for quite a while and even today in "lab" test one can find machines still vulnerable. It allowed for hackers to upload their infected payloads without any user interaction. Things you hear over and over again like "install the latest updates" are repeated for a reason.
A second tip would be to "Know Thy Enemy". Do research on commonly used malware such as "DarkComet RAT", "CyberGate RAT", and "BlackShades". Fact is, there are plenty of custom-made backdoor programs that can go undetected for years. Using a firewall one can set a Deny All rule for all incoming & outgoing connections and allow on a case-by-case basis.
MD5 and SHA-1 hashes are extremely helpful in verifying the validity of downloaded software. If you are an extremely paranoid person like myself, I'd suggest downloading a Live CD of Ubuntu or your preferred Linux distro, verifying the MD5 signature, and booting from that CD. Create a new wallet and transfer all your funds to that wallet. Encrypt it, and then copy to USB which has been formatted (even better, zeroed out w/ Eraser or equivalent. Your USB device could have been previously infected to where it autoruns malware from a hidden area.)
Lastly, make sure your wireless network is using WPA/WPA2 with a unique password of at least 12+ alphanumeric characters with a few special symbols as well. Tools like Ettercap, Arpspoof, and SSLStrip can be run on a cracked WEP network and regardless of how safe you are with your local machine, everything transmitted over your wireless can be intercepted. Use wired connections where possible.
To simplify and be more practical: don't download software from unknown sources, stay up-to-date on patches and antivirus definitions, and use a different password or 2-factor authentication for sites which hold sensitive information.
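
The Live CD check recommended in the post above, as an added example that is not part of the thread: it hashes a downloaded image in chunks and compares the result against a checksum list in the format written by `md5sum` and `sha256sum`. The file names and image contents are constructed for the demonstration, and SHA-256 is an assumed default; the algorithm is a parameter, so the MD5 and SHA-1 lists named in the post work the same way.

```python
# Added example: check a downloaded image against a published checksum list.
import hashlib
import hmac
import os
import string
import tempfile


def file_digest(path, algo="sha256", chunk_size=1 << 20):
    """Hash the file in chunks so a multi-gigabyte ISO never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(text):
    """Parse checksum-list lines: '<hex>  name' or '<hex> *name'."""
    sums = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        name = name.lstrip(" *")
        # Ignore comments, blank lines and anything that is not a hex digest.
        if name and digest and all(c in string.hexdigits for c in digest):
            sums[name] = digest.lower()
    return sums


def verify(path, sums_text, algo="sha256"):
    """Return 'ok', 'mismatch', or 'unlisted' for the file at `path`."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"   # no entry is not the same thing as a pass
    actual = file_digest(path, algo)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for a downloaded image and its checksum list.
        iso = os.path.join(d, "example-live.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed image bytes" * 1000)
        sums = "# constructed list\n%s *example-live.iso\n" % file_digest(iso)
        good = verify(iso, sums)

        # Flip one byte, as corruption or tampering in transit would.
        with open(iso, "r+b") as f:
            f.seek(100)
            f.write(b"X")
        tampered = verify(iso, sums)

        other = os.path.join(d, "other.iso")
        open(other, "wb").close()
        unlisted = verify(other, sums)
    return good, tampered, unlisted


if __name__ == "__main__":
    print(demo())
```

A checksum list fetched from the same mirror as the image only catches corruption; obtain the list over a channel you trust, such as a signed checksum file.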
|
|
|
|
mash
|
|
June 08, 2012, 01:01:08 PM |
|
See the piercing bars? Breakout from the sideways range? This will be at 30 USD again in no time.
j/k
Yes I agree
|
|
|
|
|