Bitcoin Forum
October 21, 2017, 06:57:59 AM *
News: Latest stable version of Bitcoin Core: 0.15.0.1  [Torrent]. (New!)
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 3 4 5 6 7 8 9 10 11 »  All
  Print  
Author Topic: Bitcoin cold storage - HACKED easily  (Read 12051 times)
mayax
Legendary
*
Offline Offline

Activity: 1008


View Profile
January 16, 2015, 01:20:11 PM
 #1

Your funds are not safe neither in "cold storage". Read:

https://www2.informatik.hu-berlin.de/~verbuech/klepto-ecdsa/klepto-ecdsa.pdf  

or

http://www.coindesk.com/research-hackers-install-backdoor-bitcoin-cold-storage/


many of you said "cold storage is the best". well. it is not. that explains many hacks in Bitcoin which some of the bitcoiners considered to be very safe. Smiley

What's next? Mass withdrawals from Bitcoin. What can you do when you KNOW that your cold storage is exposed to be stolen? You must be stupid to keep your earnings there.

Only few people knew about this exploit. Now, any russian or ukrainian kid will try to hack the cold storages and guess what?! THEY WILL DO IT !    Grin
1508569079
Hero Member
*
Offline Offline

Posts: 1508569079

View Profile Personal Message (Offline)

Ignore
1508569079
Reply with quote  #2

1508569079
Report to moderator
1508569079
Hero Member
*
Offline Offline

Posts: 1508569079

View Profile Personal Message (Offline)

Ignore
1508569079
Reply with quote  #2

1508569079
Report to moderator
1508569079
Hero Member
*
Offline Offline

Posts: 1508569079

View Profile Personal Message (Offline)

Ignore
1508569079
Reply with quote  #2

1508569079
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1508569079
Hero Member
*
Offline Offline

Posts: 1508569079

View Profile Personal Message (Offline)

Ignore
1508569079
Reply with quote  #2

1508569079
Report to moderator
Madness
Hero Member
*****
Offline Offline

Activity: 658


My goal is becaming a billionaire.


View Profile WWW
January 16, 2015, 01:23:43 PM
 #2


Your funds are not safe neither in "cold storage". Read:

https://www2.informatik.hu-berlin.de/~verbuech/klepto-ecdsa/klepto-ecdsa.pdf


many of you said "cold storage is the best". well. it is not. that explains many hacks in Bitcoin which some of the bitcoiners considered to be very safe. Smiley

What's next? Mass withdrawals from Bitcoin. What can you do when you KNOW that your cold storage is exposed to be stolen? You must be stupid to keep your earnings there.

Are you a mind reader or something , haha.
I was just reading the same thing on Coindesk and planning to share it here => http://www.coindesk.com/research-hackers-install-backdoor-bitcoin-cold-storage/
Anyway , to be honest . that's really dosen't make me comfortable , those hackers always find a way to screw things up.

"The attacker only has to watch the blockchain until two [compromised] signatures appear ... the affected signatures are not detectable by anyone other than the attacker."

Blazr
Hero Member
*****
Offline Offline

Activity: 882



View Profile
January 16, 2015, 01:26:39 PM
 #3

Old news. This attack (bugged ECDSA implementation) has been known about for a long long time, before Bitcoin even existed.

Quote
The attacker must first create a compromised version of ECDSA. This is achieved with a kleptographic 'SETUP', or 'Secretly Embedded Trapdoor with Embedded Protection', which was first described in a 1997 paper by Adam Young and Moti Yung.

One of the weaknesses of cold storage is if your cold storage machine is compromised, you're fucked and there is almost nothing you can do to prevent that. There are many many ways an attacker can exfiltrate the private keys from a compromised cold storage machine, including as used in this case a bugged ECDSA implementation.

Busy ATM.
mayax
Legendary
*
Offline Offline

Activity: 1008


View Profile
January 16, 2015, 01:26:55 PM
 #4


Your funds are not safe neither in "cold storage". Read:

https://www2.informatik.hu-berlin.de/~verbuech/klepto-ecdsa/klepto-ecdsa.pdf


many of you said "cold storage is the best". well. it is not. that explains many hacks in Bitcoin which some of the bitcoiners considered to be very safe. Smiley

What's next? Mass withdrawals from Bitcoin. What can you do when you KNOW that your cold storage is exposed to be stolen? You must be stupid to keep your earnings there.

Are you a mind reader or something , haha.
I was just reading the same thing on Coindesk and planning to share it here => http://www.coindesk.com/research-hackers-install-backdoor-bitcoin-cold-storage/
Anyway , to be honest . that's really dosen't make me comfortable , those hackers always find a way to screw things up.

"The attacker only has to watch the blockchain until two [compromised] signatures appear ... the affected signatures are not detectable by anyone other than the attacker."

Sorry, I was faster. It happens to me so often(I am modest too)   haha

Well, of course it is not comfortable to know that your funds can disappear any time. You wanna bet that some people will say:

"neah, it cannot happen to me"  EVEN so there are many hacking reports daily.
qwk
Donator
Legendary
*
Offline Offline

Activity: 1568


Bitcoin Foundation Member


View Profile WWW
January 16, 2015, 01:27:31 PM
 #5

TL;DR of the news:
if you're able to install software on someone else's computer or modify the code he compiles, you can steal his coins.
Duh.


You should read the news before you post something like:
Your funds are not safe neither in "cold storage". Read:

Yeah, well... I'm gonna go build my own blockchain, with blackjack and hookers. In fact, forget the blockchain!
Kazimir
Legendary
*
Offline Offline

Activity: 1134



View Profile
January 16, 2015, 01:30:07 PM
 #6

many of you said "cold storage is the best". well. it is not. that explains many hacks in Bitcoin which some of the bitcoiners considered to be very safe. Smiley
Complete nonsense. This requires a backdoor being built into the software you're using to sign your transactions. I.e. using a compromised wallet.

Well duh, if I'm using compromised wallet software, then obviously my coins aren't safe to begin with.

FUD.

In theory, there's no difference between theory and practice. In practice, there is.
Insert coin(s): 1KazimirL9MNcnFnoosGrEkmMsbYLxPPob
ChuckBuck
Hero Member
*****
Offline Offline

Activity: 560



View Profile
January 16, 2015, 01:30:54 PM
 #7

Read the article just now also.  This is in theory only, and hasn't actually been executed on any wallets.

The attacker would have to install the backdoor software on your PC or offline wallet device to extract the private keys.

Basically, if you don't take the proper precautions on your PC or network, then yes you can get hacked.

According to article, this attack is unable to be performed at scale, so only one wallet at a time could be targeted.

██
█║█
║║║
║║║
█║█
██

                    ▄██▄
                  ▄██████▄
                ▄██████████
              ▄██████████▀   ▄▄
            ▄██████████▀   ▄████▄
          ▄██████████▀    ████████▄
         ██████████▀      ▀████████
         ▀███████▀   ▄███▄  ▀████▀   ▄█▄
    ▄███▄  ▀███▀   ▄███████▄  ▀▀   ▄█████▄
  ▄███████▄      ▄██████████     ▄█████████
  █████████    ▄██████████▀    ▄██████████▀
   ▀█████▀   ▄██████████▀    ▄██████████▀
     ▀▀▀   ▄██████████▀    ▄██████████▀
          ██████████▀    ▄██████████▀
          ▀███████▀      █████████▀
            ▀███▀   ▄██▄  ▀█████▀
                  ▄██████▄  ▀▀▀
                  █████████
                   ▀█████▀
                     ▀▀▀
e i d o o
██


                    ▄██▄
                  ▄██████▄
                ▄██████████
              ▄██████████▀   ▄▄
            ▄██████████▀   ▄████▄
          ▄██████████▀    ████████▄
         ██████████▀      ▀████████
         ▀███████▀   ▄███▄  ▀████▀   ▄█▄
    ▄███▄  ▀███▀   ▄███████▄  ▀▀   ▄█████▄
  ▄███████▄      ▄██████████     ▄█████████
  █████████    ▄██████████▀    ▄██████████▀
   ▀█████▀   ▄██████████▀    ▄██████████▀
     ▀▀▀   ▄██████████▀    ▄██████████▀
          ██████████▀    ▄██████████▀
          ▀███████▀      █████████▀
            ▀███▀   ▄██▄  ▀█████▀
                  ▄██████▄  ▀▀▀
                  █████████
                   ▀█████▀
                     ▀▀▀
██
█║█
║║║
║║║
█║█
██
Madness
Hero Member
*****
Offline Offline

Activity: 658


My goal is becaming a billionaire.


View Profile WWW
January 16, 2015, 01:32:26 PM
 #8


Your funds are not safe neither in "cold storage". Read:

https://www2.informatik.hu-berlin.de/~verbuech/klepto-ecdsa/klepto-ecdsa.pdf


many of you said "cold storage is the best". well. it is not. that explains many hacks in Bitcoin which some of the bitcoiners considered to be very safe. Smiley

What's next? Mass withdrawals from Bitcoin. What can you do when you KNOW that your cold storage is exposed to be stolen? You must be stupid to keep your earnings there.

Are you a mind reader or something , haha.
I was just reading the same thing on Coindesk and planning to share it here => http://www.coindesk.com/research-hackers-install-backdoor-bitcoin-cold-storage/
Anyway , to be honest . that's really dosen't make me comfortable , those hackers always find a way to screw things up.

"The attacker only has to watch the blockchain until two [compromised] signatures appear ... the affected signatures are not detectable by anyone other than the attacker."

Sorry, I was faster. It happens to me so often(I am modest too)   haha

Well, of course it is not comfortable to know that your funds can disappear any time. You wanna bet that some people will say:

"neah, it cannot happen to me"  EVEN so there are many hacking reports daily.


Rofl Shocked I don't wanna bet because I just said the same thing to my self to be honest . I never got hacked in my life and planning to stay that way  Roll Eyes but Everything have a first  Cry

Puppet
Legendary
*
Offline Offline

Activity: 966


View Profile
January 16, 2015, 01:33:17 PM
 #9

Yeah, title is nonsensical and sensationalist. If you created the cold wallet on a compromised PC, of course its not going to be secure and there are 100x easier ways to steal the coins from such wallet.
mayax
Legendary
*
Offline Offline

Activity: 1008


View Profile
January 16, 2015, 01:33:21 PM
 #10

Read the article just now also.  This is in theory only, and hasn't actually been executed on any wallets.

The attacker would have to install the backdoor software on your PC or offline wallet device to extract the private keys.

Basically, if you don't take the proper precautions on your PC or network, then yes you can get hacked.

According to article, this attack is unable to be performed at scale, so only one wallet at a time could be targeted.

How do you know that it was not hacked?

Hacking reports are daily including with the exchangers.

What the article wants to say is that the cold storage is not safe at all.
ChuckBuck
Hero Member
*****
Offline Offline

Activity: 560



View Profile
January 16, 2015, 01:40:22 PM
 #11

Read the article just now also.  This is in theory only, and hasn't actually been executed on any wallets.

The attacker would have to install the backdoor software on your PC or offline wallet device to extract the private keys.

Basically, if you don't take the proper precautions on your PC or network, then yes you can get hacked.

According to article, this attack is unable to be performed at scale, so only one wallet at a time could be targeted.

How do you know that it was not hacked?

Hacking reports are daily including with the exchangers.

What the article wants to say is that the cold storage is not safe at all.

Only reports of hacks are of the online, hot wallet variety.

Cold storage is perfectly safe if you take the proper precautions.  From the article:

Quote
Conventional wisdom has it that coins in cold storage are safe from attacks because the private keys never come in contact with the Internet or any other network.

In general, this is true. Even if the cold storage device could be compromised by malware, stolen private keys would fail to be transmitted to a thief because it isn't connected to the Internet.

██
█║█
║║║
║║║
█║█
██

                    ▄██▄
                  ▄██████▄
                ▄██████████
              ▄██████████▀   ▄▄
            ▄██████████▀   ▄████▄
          ▄██████████▀    ████████▄
         ██████████▀      ▀████████
         ▀███████▀   ▄███▄  ▀████▀   ▄█▄
    ▄███▄  ▀███▀   ▄███████▄  ▀▀   ▄█████▄
  ▄███████▄      ▄██████████     ▄█████████
  █████████    ▄██████████▀    ▄██████████▀
   ▀█████▀   ▄██████████▀    ▄██████████▀
     ▀▀▀   ▄██████████▀    ▄██████████▀
          ██████████▀    ▄██████████▀
          ▀███████▀      █████████▀
            ▀███▀   ▄██▄  ▀█████▀
                  ▄██████▄  ▀▀▀
                  █████████
                   ▀█████▀
                     ▀▀▀
e i d o o
██


                    ▄██▄
                  ▄██████▄
                ▄██████████
              ▄██████████▀   ▄▄
            ▄██████████▀   ▄████▄
          ▄██████████▀    ████████▄
         ██████████▀      ▀████████
         ▀███████▀   ▄███▄  ▀████▀   ▄█▄
    ▄███▄  ▀███▀   ▄███████▄  ▀▀   ▄█████▄
  ▄███████▄      ▄██████████     ▄█████████
  █████████    ▄██████████▀    ▄██████████▀
   ▀█████▀   ▄██████████▀    ▄██████████▀
     ▀▀▀   ▄██████████▀    ▄██████████▀
          ██████████▀    ▄██████████▀
          ▀███████▀      █████████▀
            ▀███▀   ▄██▄  ▀█████▀
                  ▄██████▄  ▀▀▀
                  █████████
                   ▀█████▀
                     ▀▀▀
██
█║█
║║║
║║║
█║█
██
BaselessBitcoin
Newbie
*
Offline Offline

Activity: 14


View Profile
January 16, 2015, 01:51:25 PM
 #12

Until we see this theorized exploit in action you have no reason to believe cold storage wasn't as safe it was yesterday.
lucasjkr
Hero Member
*****
Offline Offline

Activity: 644


View Profile
January 16, 2015, 02:06:04 PM
 #13

If cold storage is vulnerable, then it would stand to reason that every wallet is vulnerable?

But my reading of the coinbase article leads me to believe that the attacker would need to have installed a compromised version of Bitcoin on the airgapped machine? Or else the upstream version of Bitcoin would need to be compromised? Or Armory, Electrum, etc, whichever wallet software the user is using. Am I wrong?

So, yes, if malicious actors gain commit privileges on the Bitcoin source, then offline wallets are compromisable, as are every other wallet. And if a malicious actor gains access to your airgapped machine in order to replace your binaries, you're also vulnerable. That's my interpretation. Doesn't seem like it's too much a worry, honestly. I mean, if an attacker gains such access, then it's game over regardless of which method of attack they use.

Or am I missing something?
Meuh6879
Legendary
*
Offline Offline

Activity: 1400



View Profile
January 16, 2015, 02:10:26 PM
 #14

Quote
The attacker must first create a compromised version of ECDSA. This is achieved with a kleptographic 'SETUP', or 'Secretly Embedded Trapdoor with Embedded Protection',

are you release what you say ... ?
you ONLY can do that when you install corrupted version of bitcoin core highly modified with this.
even in P2P file sharing client ... this sort of thing don't exist.


or for dumb people : DON'T DOWNLOAD official client from others places than https://bitcoin.org/bin
Guido
Legendary
*
Offline Offline

Activity: 995


FASTCOIN $FST


View Profile WWW
January 16, 2015, 02:12:11 PM
 #15

media do a horrible job on stories so if they get hold of this (when), price will dump

mayax
Legendary
*
Offline Offline

Activity: 1008


View Profile
January 16, 2015, 02:23:56 PM
 #16

what you it seems that you do not understand or you do not want to say is that :

"Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?" Verbücheln said.

in other words: MANY developers worldwide are working in their free time to a project, in this case, Bitcoin. That's why it's called OPEN SOURCE.

These developers can put anything they want INTO  the source code: ".... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition."


So, COLD Storage can be easily hacked. Smiley
R2D221
Hero Member
*****
Offline Offline

Activity: 658



View Profile
January 16, 2015, 02:26:33 PM
 #17

what you it seems that you do not understand or you do not want to say is that :

"Even if the manufacturer (https://bitcoin.org/) claims that it runs open-source code, how do you tell whether it is actually running what you compiled?" Verbücheln said.

with other words: MANY developers worldwide are working in their free time to a project, in this case, Bitcoin. That's why it's called OPEN SOURCE.

These developers can put anything they want INTO  the source code: ".... that some pieces of open-source code are so large and complex that even a dedicated community of developers may not detect a malicious addition."


So, COLD Storage can be easily hacked. Smiley

That is true for any open source project, even the Linux kernel.

An economy based on endless growth is unsustainable.
RadBrad
Newbie
*
Offline Offline

Activity: 2


View Profile
January 16, 2015, 02:27:55 PM
 #18

Misleading title this has always been known....cold storage is safe if you take the correct precautions.
1Referee
Legendary
*
Offline Offline

Activity: 1302

BitKorn!


View Profile
January 16, 2015, 02:28:18 PM
 #19

media do a horrible job on stories so if they get hold of this (when), price will dump

Nothing new...

If people read that article, and I mean READ that article, then it's more funny than being informative.

Average joe might think Bitcoin is hacked, broken, exploded, killed, etc. That's the sort of group of people who do believe these articles.

In a nutshell : Nothing is 100% safe.

RainVein
Newbie
*
Offline Offline

Activity: 4


View Profile
January 16, 2015, 02:29:28 PM
 #20

What if your base os is compromised and you use a livecd whilst being offline to store the coins.....can this make you unsafe?
Pages: [1] 2 3 4 5 6 7 8 9 10 11 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!