The "deadly" vulnerabilities of virtual life: a Bitcoin hack


SUBMITTED BY: Guest

DATE: April 16, 2015, 2:26 a.m.


  1. A man named Partap Davis lost $3,600. He had just gone to sleep at 2 pm at his house in the state of New Mexico, in the United States, after playing World of Tanks.
  3. While he slept, someone worked through every security mechanism Davis had set up online. By the time he woke up, most of his online life had been attacked: 2 email accounts, his phone number, his Twitter account, the service that provided his two-layer security (two-factor authentication) and, most importantly, the money in his Bitcoin wallets.
  4. Davis was very careful about information security. He chose strong passwords and did not click on suspicious links. He used two-layer security for Gmail, so each time he logged in to Gmail from a new computer he had to enter a 6-digit code sent to his phone by text message to confirm that he was really Davis.
  5. He also made money from the rise of the Bitcoin currency, and kept his holdings in 3 separate wallets managed by three different services: Coinbase, Bitstamp and BTC-E. He had enabled two-layer security with Coinbase and BTC-E. Every time he wanted to access those accounts, he had to authenticate through Authy, an application installed on his phone.
  6. Apart from dabbling in Bitcoin, Davis was much like any ordinary web user. He earned a living as a programmer, splitting his time between developing software used in educational videos and other work. On weekends he enjoyed skiing and exploring the surrounding area. This was his 10th year there, and he had passed the age of 40.
  7. After the hack, Davis spent weeks working out how it could have happened, piecing the picture together from access logs and from the customer support representatives of the services he used. He also turned to The Verge for help. They still do not know everything, and they do not know who did it, but Davis and those helping him have learned enough to explain how the hacker attacked his accounts, and to point out the "deadly" weaknesses in the virtual life not only of Davis but of all of us who use the Internet every day.
  9. Mail.com
  10. Everything started with Davis's email. When he first created an email account, Davis found that the username Partap@gmail.com was already taken, so he switched to Mail.com and set up the address Partap@mail.com for his work correspondence. He also set it to forward mail automatically to a Gmail address that was harder to remember.
  11. At about 2 pm on 21/10, that connection was broken. Someone got into Davis's Partap@mail.com account and stopped the forwarding described above, and also linked a new phone number, one in Florida, to the mail.com account. Davis's backup email address was also abruptly changed to swagger@mailinator.com. This is the closest thing to a clue about the suspect that Davis and his colleagues have found, and for simplicity we will call the suspect Eve from now on.
  13. So how could Eve break into Davis's Mail.com account? We cannot be sure, but Eve most likely used a script that exploited a weakness in the Mail.com password reset page. Davis and his colleagues know that such a script exists. For months, users on the forum Hackforum sold a script with this capability, which would reset the password of a designated Mail.com account. The price was very cheap, only $5 per account. It is not clear which security vulnerability the script exploited or whether it has been patched, but it was all Eve needed. Eve could use this script to reset Davis's password and change it to a string of characters that only Eve knew.
  14. AT&T Phone Number
  15. The next step was for Eve to take control of Davis's telephone number. Eve did not have the password to Davis's AT&T account (AT&T is the US carrier that provides Davis's mobile service), but he pretended to have forgotten it and asked ATT.com to send a link to reset it. That link was sent to the Partap@mail.com account, and because Eve had already captured that email account, resetting the AT&T password was no longer complicated.
  16. With the AT&T account in hand, Eve asked the carrier's customer service to forward all calls to Davis's number to his own phone number in Florida. In principle, setting up forwarding should require more security checks, and more than just an email address. But when faced with a customer who is (or seems) angry, customer service staff often give way easily and put the customer's satisfaction ahead of confidentiality.
  17. Once call forwarding was set up, all of Davis's calls went to Eve. Davis still received SMS messages and email as normal, but his calls were diverted to the hacker. Davis did not realize this until 2 days after the attack, when his boss complained that he was not picking up the phone.
  18. Google and Authy
  19. Next, Eve wanted to take over Davis's Google account. Experts often tell us that two-layer security is the most secure defense against attacks. A hacker could have your password and a thief could take your phone, but it is hard to have both at the same time. As long as the phone is a tangible object, the system works well. However, people change phones often, especially those who love technology, and they want their services to move with them.
  21. Davis did not use the Google Authenticator app to generate the codes for the second layer, which is the safer option; instead he received the second-layer code by text message. That is, when Davis wanted to log in to Gmail on a new device, Google would send a confirmation code to his phone. This message was not forwarded to Eve, but Eve had another way.
  22. Google has an option to call the customer's phone number and read the code aloud (in case you are visually impaired, or text messaging on your phone does not work for whatever reason). And because every call was being forwarded to Eve, he could hear the confirmation code for the second security layer. With that, Davis's Gmail account was lost.
  24. Authy was harder to break. It is an application, like Google Authenticator, and it never left Davis's phone. But Eve could simply set Authy up on his own phone using the mail.com account above and a new confirmation code (also delivered by voice call). A few minutes after the clock struck 3 pm, control of the Authy account passed to Eve.
  25. Both Authy and Gmail were fooled by Eve: as long as he could get Davis's email and phone number, the two-layer security system no longer worked. At this point, Eve had more control over Davis's online life than Davis himself did. Apart from SMS, every other channel was now in Eve's hands.
  26. Coinbase
  27. At 3:19 in the morning, Eve reset Davis's Coinbase account using Authy and his mail.com address. By 3:55, he had moved all the Bitcoin in the account to a throwaway account that he owned, Bitcoin worth $3,600 at the time.
  28. From there, Eve made 3 withdrawals: the first about 30 minutes after the throwaway account was opened, the second 20 minutes later, and the last 5 minutes after that. From then on the money was no longer in the throwaway account, and of course a throwaway account revealed nothing about Eve's identity. Less than 90 minutes after Davis's Mail.com account was hacked, a large sum of his money had flown away.
  30. Authy could have known what was happening. The service monitors for suspicious behavior, and although Authy is very quiet about what it tracks, it seems that a midnight account reset from a far-away phone number ought to raise some alarm. However, the number was not in a "scam center" such as Russia or Ukraine (although Eve may really be there). It was perhaps even more suspicious when Eve logged in to Coinbase from an IP address in Canada.
  31. In that situation, could Authy have prevented the attack? Modern security systems, such as Google reCAPTCHA, might do so by analyzing complex data about users and their behavior, but Coinbase and Authy each "see only half the picture", and neither had enough reason to block it.
  32. BTC-E and Bitstamp
  33. When Davis woke up, the first thing he noticed was that his Gmail account had mysteriously been logged out. The password had been changed, and he could not log in again. Once he was back in the account, he realized how big the damage was. There were dozens of emails about account resets, and he understood what had happened to him. When he found a way into his Coinbase account, he found it empty. Eve had escaped with 10 Bitcoin worth about $3,000 at the time. He then spent hours calling the customer service staff of the services, and faxed his driver's license to convince the companies that he was the real Partap Davis.
  34. What about the money in the remaining two Bitcoin wallets? They held $2,500 and had the same security features as Coinbase. However, when Davis checked the two accounts, BTC-E and BitStamp, no money had been lost (though the passwords had been). BTC-E had stopped all dealing on his account for 48 hours after the password was changed, so fortunately he had time to fix the problem. BitStamp had a simple security mechanism: when Eve emailed asking to reset Davis's account, BitStamp staff asked for a photo of Davis's driver's license. That was the one thing Eve did not have, however much he hacked online. As a result, Davis's $2,500 was still safe.
  35. Twitter
  36. Many months have passed since the attack and Davis's situation has now stabilized. The last sign of the intrusion that Davis found was on his Twitter account, which was hacked several weeks later. The name Partap is quite short, so Eve wanted to capture it, replacing the picture and deleting Davis's tweets. A few days later, Eve even posted a picture of an Xfinity account he had hacked into and tagged others. That account did not belong to Davis but to another person. Eve just wanted to use Partap as a temporary account for the next job, like stealing a car for a getaway.
  37. Who was behind this attack? Davis spent several weeks trying to find the hacker but made no significant progress. According to the account login records, Eve's computer used an IP address in Canada, but he could easily have taken on that address from anywhere in the world through services like Tor or a VPN. His phone number was registered to a phone in the state of California, but most likely it was just a stolen phone. Whoever Eve was, he had escaped.
  38. Why did he choose Partap Davis? We can assume that he knew about Davis's Bitcoin wallets. Or perhaps, while going through Davis's Mail.com account, he saw the emails from the Bitcoin services. A list of Coinbase usernames has also leaked on the Internet (though Davis's name is not on it), or the name may have come from a manufacturer or someone else we do not know about.
  39. Davis is now more careful with his Bitcoin wallets, and he no longer uses the Mail.com account. But for most of the rest, nothing has changed. Coinbase has refunded hacked customers before, but this time it refused, saying that this was not the company's fault. Davis also sent a report to the FBI, but there does not seem to be much interest there in a single Bitcoin theft. He cannot give up his phone, nor Twitter or Gmail. In the security world, this is called the "attack surface". The more accounts you have (that is, the wider the "surface"), the harder it is to defend.
  40. More importantly, password resets are still too easy, which is why Eve could go from resetting one account to resetting the next without significant difficulty. For a service to stop him, in theory, the customer would have to wait 48 hours before being issued a new password.
  41. From a technical point of view this is not difficult, but it annoys ordinary customers and it affects their satisfaction with the company. Internet companies must constantly balance user convenience against security. If they make security too strict, no one will use the product, even though keeping things simple leaves users vulnerable to attack. A few people may have their accounts taken over, but millions of others feel more comfortable and happier. It's a tradeoff, and companies often give more priority to usability ...
  42. This story shows that our online life is full of dangers. Even with two-layer security you can still be attacked; what matters is the level of the hacker. For valuable accounts tied to business and money, you have to be all the more careful and should enable as many security options as possible. Do not trade security for usability on important accounts, because once one is lost you will have a hard time regaining control, or may never regain it.
  43. By Duy Luan / Tinhte / The Verge
  44. Tags: hacker, Bitcoin, virtual life
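
Added example (not part of the original article): the chain of resets described above, modeled as a recovery-dependency graph to show which accounts fall once a single mailbox is controlled. The routes are a simplified reading of the article, not the services' documented recovery flows, and the names `RECOVERY_ROUTES`, `HARDENED`, `id_photo` and `phone_device` are made up for illustration.

```python
# Added example: recovery-dependency model of the accounts in this story.
# Each entry lists the routes by which control of it can be obtained; a route
# is the set of things that must already be controlled. The routes are a
# simplified reading of the article (an assumption), not vendor documentation.
RECOVERY_ROUTES = {
    "att_account": [{"mail.com"}],                 # reset link e-mailed to mail.com
    "voice_calls": [{"att_account"}],              # call forwarding on the AT&T account
    "gmail":       [{"mail.com", "voice_calls"}],  # second-layer code read out by phone
    "authy":       [{"mail.com", "voice_calls"}],  # re-registered via e-mail plus call
    "coinbase":    [{"mail.com", "authy"}],
    "bitstamp":    [{"mail.com", "id_photo"}],     # staff ask for a licence photo
}

# Hypothetical variant: second-layer codes come only from an app on the
# physical handset, with no voice-call fallback.
HARDENED = {**RECOVERY_ROUTES,
            "gmail": [{"mail.com", "phone_device"}],
            "authy": [{"mail.com", "phone_device"}]}


def exposed(foothold, routes):
    """Return everything controlled once `foothold` is held (fixed point)."""
    held = set(foothold)
    changed = True
    while changed:
        changed = False
        for account, options in routes.items():
            if account not in held and any(need <= held for need in options):
                held.add(account)
                changed = True
    return held


def single_points_of_failure(routes, targets):
    """Map each item that, held alone, exposes other target accounts."""
    items = set(routes) | {x for opts in routes.values() for need in opts for x in need}
    report = {}
    for item in sorted(items):
        lost = (exposed({item}, routes) - {item}) & set(targets)
        if lost:
            report[item] = sorted(lost)
    return report


if __name__ == "__main__":
    valuables = {"gmail", "coinbase", "bitstamp"}
    print("original:", single_points_of_failure(RECOVERY_ROUTES, valuables))
    print("hardened:", single_points_of_failure(HARDENED, valuables))
```

The model ignores time-based controls such as the 48-hour hold the article attributes to BTC-E; those limit what can be done with an account after it falls rather than whether it falls.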
