Author Topic: All Bitshares, Protoshares, and DNS stolen from my wallet -- at the same time  (Read 10571 times)

Offline werneo

item: ordinary windows bts wallet vulnerable to attack

It seems to me everyone in this thread (even the victim) seems remarkably calm. I see this event as a major threat to any future marketing effort.

It seems to me that all the appropriate brains of this community should be aimed at discovering all the forensic evidence necessary to identify the profile and source of the attack.

At the very least there should be an investigation and then a recommended course of action for other ordinary windows bts/x wallet users.

This is an extremely serious matter. Where's the emergency response?  :o

Offline educatedwarrior

Re: All Bitshares and Protoshares stolen from my wallet -- at the same time
« Reply #31 on: November 03, 2014, 02:31:07 am »
So.. have you formatted yet?

Nothing else was stolen?

Hi roadkill, thanks for asking. I created new account "codeblooded" to accept donations and nothing else has been stolen. However, I'm still having issues making transfers from one wallet to another... error posted above.
« Last Edit: November 03, 2014, 04:14:14 am by educatedwarrior »
BTSX: codeblooded   |   PTS: PiiQ6ZECCRYawcZFc8ZGbvjuCjCnBVuPjA
BTSX delegate: wallet_approve_delegate codeblooded true

Offline educatedwarrior

item: ordinary windows bts wallet vulnerable to attack

It seems to me everyone in this thread (even the victim) seems remarkably calm. I see this event as a major threat to any future marketing effort.

It seems to me that all the appropriate brains of this community should be aimed at discovering all the forensic evidence necessary to identify the profile and source of the attack.

At the very least there should be an investigation and then a recommended course of action for other ordinary windows bts/x wallet users.

This is an extremely serious matter. Where's the emergency response?  :o

I'm trying my best to remain calm and control emotions to keep my thinking intact; I don't know what else I can do at this point ... I feel so helpless. I do agree if there aren't any processes in place to mitigate issues like this, mainstream adoption is going to be challenging. I was recommending Bitshares to people and offering to get them set up, but now .. looks like I need some education myself before I can be a warrior on the streets to increase adoption. I have to have a good testimony.

Offline roadscape

Re: All Bitshares and Protoshares stolen from my wallet -- at the same time
« Reply #33 on: November 03, 2014, 02:46:34 am »
So.. have you formatted yet?

Nothing else was stolen?

Hi roadkill, thanks for asking. I created new account "delegate.educatedwarrior" to accept donations and nothing else has been stolen. However, I'm still having issues making transfers from one wallet to another... error posted above.

Your other coins are safe? Do you suspect BTS was the sole target?
http://cryptofresh.com  |  witness: roadscape

Offline educatedwarrior

Re: All Bitshares and Protoshares stolen from my wallet -- at the same time
« Reply #34 on: November 03, 2014, 03:21:52 am »
So.. have you formatted yet?

Nothing else was stolen?

Hi roadkill, thanks for asking. I created new account "codeblooded" to accept donations and nothing else has been stolen. However, I'm still having issues making transfers from one wallet to another... error posted above.

Your other coins are safe? Do you suspect BTS was the sole target?

Roadkill, they wiped out my PTS, BTS, and DNS. Probably have control of my AGS now too. These bastards knew what the hell they were doing.

I think a "BTS" Armory software and a hardware wallet would go a long way in the future.
« Last Edit: November 03, 2014, 04:14:48 am by educatedwarrior »

Offline werneo

Re: All Bitshares and Protoshares stolen from my wallet -- at the same time
« Reply #35 on: November 03, 2014, 03:31:17 am »
So.. have you formatted yet?

Nothing else was stolen?

Hi roadkill, thanks for asking. I created new account "delegate.educatedwarrior" to accept donations and nothing else has been stolen. However, I'm still having issues making transfers from one wallet to another... error posted above.

Your other coins are safe? Do you suspect BTS was the sole target?

Roadkill, they wiped out my PTS, BTS, and DNS. Probably have control of my AGS now too. These bastards knew what the hell they were doing.

I think a "BTS" Armory software and a hardware wallet would go a long way in the future.

educatedwarrior: exactly how and when was your desktop computer infected in the first place? I'm not clear that Armory was the attack vector.

Did you use a password manager or did you type in your password each time you loaded the wallet?

Have you identified any sort of keylogging malware that would explain how your pwd was stolen?

You mentioned the funds were extracted to a particular address. Have the funds moved from that address?

Have you made an inventory of your wallet change addresses and compared them with the suspect address?

Has bytemaster or anyone else with technical expertise contacted you to start a forensic investigation?
« Last Edit: November 03, 2014, 03:39:52 am by werneo »

Offline educatedwarrior

werneo, those are some great questions. I'm working on getting those answers to you.

Offline educatedwarrior

Here are a couple of questions I can answer now.

Did you use a password manager or did you type in your password each time you loaded the wallet?   No ... any suggestions?

Have you made an inventory of your wallet change addresses and compared them with the suspect address?   I'm sorry, I'm unfamiliar with what you mean by change addresses. Could you explain?

Has bytemaster or anyone else with technical expertise contacted you to start a forensic investigation?   No

Offline bytemaster

Did you use the password in more than one place?

Did you leave your wallet open?

For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline BitcoinJesus2.O

This could just as easily have happened to btstv because our BitShares client, account, and address are located on a windows computer that visits countless gomorragraphic websites for hours.

Therefore, we pledge to give all excess donations from now until Cyber Monday to:

BTS:codeblooded

By Cyber Monday, all our promotions will be finished, and after we finish paying out the winning contestants, all remaining balance will go towards helping recoup some of educatedwarrior's stolen BTS.

Our heart and BTS go out to you warrior, please accept our humble token of financial support.

We feel for you, because it could just as easily have been us because not only do we not have any adblock or updated antivirus software to speak of, we have brutal day jobs that make computer security learning a low priority to us.

If someone can show us how to remove the titan features, then we can have a public display of who is donating what to our injured brother.
« Last Edit: November 03, 2014, 02:02:19 pm by btstv »

Offline Riverhead

Have you made an inventory of your wallet change addresses and compared them with the suspect address?   I'm sorry, I'm unfamiliar with what you mean by change addresses..   Could you explain?

When you send a partial balance from an address (say 1 PTS from an address that has 2000 PTS) ALL PTS leaves the sending address. 1 PTS goes to whomever you sent it to and 1999 PTS (minus fee) goes to a third address your wallet either has already or creates (it starts with a pool of about 100). The wallet software masks this somewhat as it shows total balance.

So if it is an old copy of your wallet that you're trying to use it's possible it doesn't have the change addresses of the post-backup wallet. As for the BTS it works in a similar way but the money can be found again by regenerating the keys for an account and then rescanning the blockchain.
« Last Edit: November 03, 2014, 02:05:09 pm by Riverhead »

Offline werneo

Here are a couple of questions I can answer now.

Did you use a password manager or did you type in your password each time you loaded the wallet?   No ... any suggestions?

Have you made an inventory of your wallet change addresses and compared them with the suspect address?   I'm sorry, I'm unfamiliar with what you mean by change addresses. Could you explain?

Has bytemaster or anyone else with technical expertise contacted you to start a forensic investigation?   No

Here is a FAQ on the concept of the CHANGE ADDRESS:

http://www1.agsexplorer.com/ags101


In short, a change address is generated automatically in your wallet.

To find the change addresses in your wallet, in debug console of PTS, type:   listaddressgroupings

This will show all the change addresses. Compare these addresses with the suspect address. Is there a match?

And to confirm: I presume the funds are missing from your PTS (not BTSX) wallet. True?

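The two posts above (Riverhead's description of change outputs and werneo's suggestion to compare the wallet's own addresses against the suspect address) can be made concrete. The following is an added example, not code from this thread or from the PTS/BitShares clients: a toy model of a partial spend that shows where the 1999 PTS change ends up, and a small parser for the JSON that a Bitcoin-style `listaddressgroupings` call returns (assumed here to have the same shape as in Bitcoin Core, since PTS is a Bitcoin-derived client), used to decide whether the address the funds went to is one of the wallet's own addresses or an outside one. Every address and balance in it is constructed for illustration.

```python
"""Added example (not code from the thread or from the PTS/BitShares
clients): a toy model of the change-address mechanism described above,
plus a parser for the JSON a Bitcoin-style `listaddressgroupings` RPC
returns, used to test whether a suspect address belongs to the wallet.
All addresses and balances below are constructed."""
import json
from decimal import Decimal


def simulate_partial_spend(utxos, send_to, amount, fee, change_address):
    """Outputs of a transaction paying `amount` to `send_to`.

    `utxos` is a list of (address, value) coins the wallet controls. Coins
    are consumed whole: the selected coin(s) are fully spent, the payee
    gets `amount`, and the remainder minus `fee` goes to `change_address`,
    which is a wallet-owned address, not the payee's. Returns
    (inputs_used, outputs) with all values as Decimal.
    """
    amount, fee = Decimal(str(amount)), Decimal(str(fee))
    selected, total = [], Decimal(0)
    # Largest coins first; stop as soon as amount + fee is covered.
    for addr, value in sorted(utxos, key=lambda u: Decimal(str(u[1])), reverse=True):
        selected.append((addr, Decimal(str(value))))
        total += Decimal(str(value))
        if total >= amount + fee:
            break
    if total < amount + fee:
        raise ValueError("insufficient funds")
    outputs = [(send_to, amount)]
    change = total - amount - fee
    if change > 0:
        outputs.append((change_address, change))
    return selected, outputs


# Constructed sample in the shape `listaddressgroupings` returns on
# Bitcoin-derived clients (assumed to hold for PTS): a list of groups, each
# group a list of [address, balance, optional account label]. The 0-balance
# entry is the original receiving address after a partial spend; the
# 1999 PTS sits on the change address the wallet generated for that spend.
SAMPLE_GROUPINGS = json.dumps([
    [["PExampleReceive0000000000000000001", 0.0, "main"],
     ["PExampleChange00000000000000000002", 1999.0]],
    [["PExampleReceive0000000000000000003", 5.0, "donations"]],
])


def addresses_in_wallet(groupings_json):
    """Flatten `listaddressgroupings` output into {address: balance}."""
    result = {}
    for group in json.loads(groupings_json):
        for entry in group:
            address, balance = entry[0], Decimal(str(entry[1]))
            result[address] = balance
    return result


def classify_address(groupings_json, suspect):
    """'own' if `suspect` is one of this wallet's (receiving or change)
    addresses, else 'external' (the coins really left the wallet)."""
    return "own" if suspect in addresses_in_wallet(groupings_json) else "external"


if __name__ == "__main__":
    coins = [("PExampleReceive0000000000000000001", "2000")]
    inputs, outputs = simulate_partial_spend(
        coins, "PPayee000000000000000000000000000", "1", "0.01",
        "PExampleChange00000000000000000002")
    print("inputs :", inputs)
    print("outputs:", outputs)
    for suspect in ("PExampleChange00000000000000000002",
                    "PAttacker0000000000000000000000000"):
        print(suspect, "->", classify_address(SAMPLE_GROUPINGS, suspect))
```

To use it against a real wallet, replace `SAMPLE_GROUPINGS` with the text the debug console prints for `listaddressgroupings` and pass the address the funds were sent to as `suspect`. An answer of `own` means the coins are still under the wallet's keys (a change output that an old backup does not know about); `external` means they really were moved to an address the wallet does not control.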


Offline educatedwarrior

This could just as easily have happened to btstv because our BitShares client, account, and address are located on a windows computer that visits countless gomorragraphic websites for hours.

Therefore, we pledge to give all excess donations from now until Cyber Monday to:

BTS:codeblooded

By Cyber Monday, all our promotions will be finished, and after we finish paying out the winning contestants, all remaining balance will go towards helping recoup some of educatedwarrior's stolen BTS.

Our heart and BTS go out to you warrior, please accept our humble token of financial support.

We feel for you, because it could just as easily have been us because not only do we not have any adblock or updated antivirus software to speak of, we have brutal day jobs that make computer security learning a low priority to us.

If someone can show us how to remove the titan features, then we can have a public display of who is donating what to our injured brother.

btstv, this would be much appreciated. I don't know how much I can thank you ... and all our other brothers lending support. I hope the entire community can learn from this experience and establish better protocols for the future.

Anyone planning to put together a "best practices" document for securing your bts wallet, or does one already exist? Someone or I can start a thread if you guys think it may be beneficial.
« Last Edit: November 03, 2014, 11:21:57 pm by educatedwarrior »

Offline educatedwarrior

Did you use the password in more than one place?

Did you leave your wallet open?

Bytemaster, are you suggesting if a person uses their password in more than one place ... if a hacker can get their wallet file and password, mission complete for hacking?  Just want to make sure I'm clear what you are suggesting.

Also if a person gets the wallet file, they could do a bruteforce to discover the password, no?


Question 1: Is it possible to derive the private key if a user has the public address and wallet password? (I'm assuming not and thinking the password is only used to encrypt the json contents of the wallet file.)

Question 2: Any way to do an address substitution so I can regain control of my AGS?
« Last Edit: November 03, 2014, 11:41:49 pm by educatedwarrior »