Nullary Sources

Awesome Tagline Goes Here

Posts tagged security

1 note

The Little White Box That Can Hack Your Network

Robert McMillan, reporting for Wired:

When Jayson E. Street broke into the branch office of a national bank in May of last year, the branch manager could not have been more helpful. Dressed like a technician, Street walked in and said he was there to measure “power fluctuations on the power circuit.” To do this, he’d need to plug a small white device that looked like a power adapter onto the wall.

The power fluctuation story was total bullshit, of course. Street had been hired by the bank to test out security at 10 of its West Coast branch offices. He was conducting what’s called a penetration test. This is where security experts pretend to be bad guys in order to spot problems.

Security is really cool but also really scary.

20 notes

Hackers Stole 200,000+ Citi Accounts Just By Changing Numbers In The URL

Consumerist:

Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else’s account.

So if the URL was something like citibank.com/user/12345, all you had to do was change it to citibank.com/user/123456 and you had access to all of their account information.

Oh for crying out loud. From the comments:

Well, actually more like when you unlocked your door, every other door on the street unlocked for you too

4 notes

$500,000 in Bitcoins stolen

I’m just going to go ahead and quote the OP in its entirety:

Hi everyone. I am totally devastated today. I just woke up to see a very large chunk of my bitcoin balance gone to the following address:

1KPTdMb6p7H3YCwsyFqrEmKGmsHqe1Q3jg

Transaction date: 6/13/2011 12:52 (EST)

I feel like killing myself now. This get me so f’ing pissed off. If only the wallet file was encrypted on the HD. I do feel like this is my fault somehow for now moving that money to a separate non windows computer. I backed up my wallet.dat file religiously and encrypted it but that does not do me much good when someone or some trojan or something has direct access to my computer somehow.

The transaction sent belongs rightfully to this address: 1J18yk7D353z3gRVcdbS7PV5Q8h5w6oWWG

Block explorer is down so I cannot even see where the funds went.

I tried restoring an earler backup of my wallet but naturally that does not work because the transaction has already been validated.

Needles to say I feel like I have lost faith in bitcoin.

Anyone have any ideas what I can do besides just jump off a bridge?!

Over the course of the thread it emerges that the victim was, allegedly, storing an unencrypted Bitcoin wallet1 on a Windows PC that had a bunch of malware on it, while idling on IRC in Bitcoin related channels. So not only is Bitcoin a tremendously bad idea, it appears that the implementation of it is uh… somewhat irresponsible in its approach to security.

Why would I say something like that? Doesn’t this seem to be his fault? And would an encrypted wallet file — not something supported by the Bitcoin client as far as I can tell — really have helped him? For example, there are a lot of people in the above thread saying that “oh it doesn’t matter if he had it encrypted or not, they could have just gotten his password with a keylogger”.

This all-or-nothing approach to security is an extremely dangerous game to play. When talking about systems security (rather than cryptography or something more abstract), it is an acknowledged fact that there are no perfectly secure systems. Every single computer system ever built has been hacked and exploited. This greatly informs the approach one should take when designing a system with security in mind. Once we discard the idea of security as a binary state, we must instead think of security as a continuum: thus, designing a secure system is a matter of getting to that “secure enough” for for whatever we’re doing with that system. Since Bitcoin is storing what amounts to literal money, that bar is should be pretty high.

With that in mind, let’s examine this situation again:

  • From the thread, it seems likely that the wallet was hacked via either malware running on his PC or via an exploit in the victim’s IRC client.
  • Since the wallet was unencrypted, all the attacker had to was copy the wallet to their machine and the execute the transaction.

It’s unclear exactly how the attacker gained access to the machine as of this writing (just after noon on Tuesday) so we don’t have a much more information than that. If the wallet file itself had been encrypted:

  • The attacker would have tried to copy the wallet and found that it was encrypted.
  • The attacker would then need to key log or screen scrape which may (I’m not a Windows security expert by any means) require more privilege than simply exploiting an IRC client would provide.
  • Furthermore, even if the attacker did, technically, have the privilege to perform key logging or screen scraping to obtain the victim’s password, they may not have had the expertise or time or even motivation to do.

I think it should be clear now that it’s a significant bump up in security just to have the Bitcoin wallet secured with a password. Even better would be to have the secured Bitcoin wallet itself stored somewhere the attacker could not easily access it, like on an encrypted volume. Or storing your Bitcoin wallet on a completely separate machine that has very little connection to the outside internet. There are a whole host of other things this guy could have done differently, but even the simplest steps can make a big, big difference — a $500,000 difference.2


  1. Yes, he says he encrypts it in the OP but it emerges later in the thread that he was storing the wallet unencrypted on the Windows PC. 

  2. Related reading: I recently answered a question on Quora about why you should have a password on your SSH private key file