HACKMOAR: Hindering Attackers Coming and Kidnapping My Outrageously Armored Resources

in steem •  8 years ago 

As someone with a background in computer systems, networks, and computer security, I am not at all surprised by the recent attacks on the platform.

There are those who curl into the fetal position and cry about bad people wanting to destroy the community are missing the bigger picture.

It reminds me of how at some point in the evolution of the internet, even a simple port scan became an activity of unclear legality.

The people who come up with this sort of nonsense legislation don't understand much about the technology, of course.

How do you think we IT security guys became good at what we do? Maybe it took breaking into some systems.

Today, that would be a crime. Cybercrime! So cyber, very digital, wow.

Anyway - see the recent attacks for what they are - necessary growing pains, which are improving the security of the platform.

Some perspective

I always considered myself an ethical kind of attacker. I broke in not to steal, but to see what was possible, to outdo the security someone else set up. So that I could learn to set my own stuff to a higher standard.

Not to tell myself how much better than them I was, but to understand, really understand what was happening.. and how it was possible to tear it down, so that it could be rebuilt stronger.

Also.. hmm. It was fun sometimes!

Not everyone is like this, however. Some attack and penetrate to benefit themselves and to steal from others, with little care about the ensuing chaos that usually follows (rings a bell?).

And you can be sure this kind of person will be attracted to places like steemit.

It's unavoidable!

Keep calm and .. keep calm

If the attacks were done right, there will be little to no trace left.

This should not mean that the platform "evolves" into banning anonymity tools like Tor and VPNs. Such a measure will hurt the users who need such tools the most - political activists who may 'disappear' for voicing their opinions, groups of people who are uncomfortable with speaking out if it can be traced back to them.

And more importantly - do you really think that will stop a dedicated attacker?

It's this simple

If he wants to get in, he rents a server, proxies to the server, and attacks steemit.com from the server. Then he shuts it down after collecting the money.

It was all paid for using stolen credit cards with a fake name. He'll never be found, if he played the game right.

Or he'll hack someone else's computer, again using proxies (which obfuscate where the attacker is located physically), and then use this innocent person's computer to launch the attack.. guess who gets the SWAT team at home!

Or drive to another city, find a quiet cafe without cameras, change his mac address and begin the hostilities.

I could go on. There are literally hundreds of ways!

You get the point.

Back to basics

If you have not read it yet, pause everything you are doing (except breathing) and go read this.

After that, glue the following to the wall behind your screen:

I WILL NOT USE MY OWNER OR ACTIVE KEY IN DAY TO DAY USE.

I WILL NOT USE MY OWNER OR ACTIVE KEY IN DAY TO DAY USE.

I WILL NOT USE MY OWNER OR ACTIVE KEY IN DAY TO DAY USE.

I WILL NOT USE MY OWNER OR ACTIVE KEY IN DAY TO DAY USE.

I WILL NOT USE MY OWNER OR ACTIVE KEY IN DAY TO DAY USE.

I WILL NOT USE MY OWNER OR ACTIVE KEY IN DAY TO DAY USE.

Great! That's it, you think! Back to writing and drinking coffee 10 hours a day!

Not so fast!

If you have been following the reasoning, then you will have asked yourself by now.. "but when I DO use the owner/active key, how do I KNOW it was not captured?"

Well, you don't.

That's the problem. The model is F-U-N-D-A-M-E-N-T-A-L-L-Y broken.

For as long as you EVER have to type in your owner/active key on steemit.com, you will NEVER be sure that your machine has not just shipped your password somewhere else.

Understand this

The wallet code which underpins the whole security of your account is sent to you by the server(s) belonging to steemit.

If the server has been compromised, an attacker can modify the code said server is sending to your browser.

Guess what happens next?

This is but one way, there are a few others.

For other stuff like email, facebook, etc, depending exactly on what it is you use it for, the problem may be tough but it is usually solvable.

On the blockchain (remember, the underlying technology that makes steemit very different from other social media platforms), not so much.

Things tend to be permanent, unless they are rolled back with consensus.
But every time that happens, trust in the platform decreases.

Right now, paradoxically, you see the opposite, as users who were separated from their funds through no fault of their own are reimbursed by steemit. I believe it was the right thing to do - at this point in the game.

Understand that it was only by subverting the core rules of the game that the people who were hacked were able to get their funds back. This should not be a common occurrence.

Steemit is in beta. Bugs are expected.

They do not want people to leave because they lost to the tune of $10000+.

Fair enough - understandable, and I can even agree with it.

But it cannot be the way forward over the longer term.

A proposed solution

Introduction

It's all good being your own bank, having your funds secured by/on the blockchain.

But also understand this: It is the weakest link in the chain that will get attacked.

In this context, that would be .. your machine!.

If you are not a security-conscious technical person, this should make you worry - just a little bit.

I do not want to go in depth about other ways to defend yourself in this post, but do let me know in the comments if this is something the wider community is interested in learning more about..

Standalone management app

I wrote a small post as a reply to address this initially, but then realized it would not reach enough people that way, hence the longer post before your eyes.

To sum it up: I believe the way forward to be an out-of-band account management app for the steemit blockchain.

WHAT?!

OK, OK. Simpler: just another program you install on your computer, and which you use solely for steemit-related account-management operations (send funds, change keys, and so on).

This should be a security-conscious program, encrypting its local storage, clearing keys from memory as soon as they are not needed anymore .. but let's not get too deep into that here.

The key point is that the program code is not served from the outside to you whenever you access it (like the built-in steemit.com wallet).

You download once, verify the program authenticity, and that's that.

But how about 2FA ? Will that not save me?

In my opinion, it will decrease the chances of a compromise, sure, but the fundamental flaw is still there: it just takes triggering it from two different devices now.

I fear it might lull users into a false sense of security.

Imagine: steemit.com servers were compromised, and an attacker modifies the javascript being sent to your browser - you are being served a backdoored wallet now.

As it happens, the stuff you posted yesterday just netted you $10k, and aren't you excited!

So there you go, attempt to withdraw .. and yes, of course, now you need the second device as well.

So you login on the second device, there goes your second key as well..

And not much changed.

It gets worse

In my (possibly incorrect) understanding, the style of 2FA being deployed on steemit is 2-of-2.

That simply means that you need two sets of keys (from different accounts under your control) in order to sign a transfer.

What do you think will happen when the next XSS/javascript attack hits the platform (and it will), and your signing key happens to be stolen?

Correct. You can no longer move any funds, because an attacker now controls one of your keys.

Conclusion

For as long as you need to type an owner or active key on steemit.com, you can never really be sure that your password has not just been shipped away to an external server - this is the nature of javascript, the dark side of what makes it so powerful for programming the web.

Stuff happens in the background, and you have no idea!

.. unless you want to have the browser inspector and wireshark running 24/7.

Did you get that? No? Exactly my point.


I believe 2FA will not be enough to secure accounts, although it is a useful tool in the arsenal.

But it cannot bypass the fundamental issue that is typing owner/active keys in the browser.

To bring steemit security to the next level, then, I propose the creation of the standalone management program.

In this case, it seems to me that the extra overhead is necessary.

You want to be your own bank, you have to take some precautions!.

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Thanks for this great post @karnal. Today we will be providing more details about our solution. While everything you have stated above regarding security of web wallets (in bitcoin space) is accurate, your understanding of the solution we are deploying is off.

I will be providing a more detailed post explaining how we are solving permanent hacking of accounts once and for all while still keeping everything trustless.

Thank YOU for providing the platform, your intellect and energy!

Very interested (and curious!) to read about the new solution.

This is why I believe Steemit/Steem will make it far. Because we are definitely in good hands. https://steemit.com/steemit/@easteagle13/why-is-the-recent-steemit-hack-will-actually-raise-steem-value-and-make-steemit-more-popular. Keep up the good work @dan. /o

Hey welcome here! I'm in contact with www.bitcointrezor.com to add/port/write STEEM on TREZOR. What do you think about hardware wallets? Same like 2FA?

Cool post, man. You write with a fluidity rarely found in IT people a.k.a without treating us like fucking monkey just because we don't code...looking forward to your next posts.

Excellent post, mate. You're very clearly passionate about security.

I'd be interested in hearing some of your crazier war stories from whitehat hacking, if you've got 'em.

damn. this was good. you're my new teacher apparently. is that ok with you?

The new posts are a bit delayed, but in the mean time I have this for you.

Given your recent retreat to wild-horse-island, I think you will know what I am talking about :-)

Glad you liked it!

It is more than ok - if anything, I am honored.

Tomorrow if I have free time I would like to write a bunch about bitshares for steemers again, but if you let me know your main concerns and doubts, I will craft another post mid-week!

my main concern is cyber security. i'm now browsing in incognito mode. what should i be doing to protect myself, my accounts and my computer from hackers?

I am working on something (will be ready in a couple of days).

Trying to make it not too technical, but as surely you can appreciate, it is next to impossible to avoid the subject entirely.

Frankly I think it is counterproductive to do so as well - at some point learning at least a little bit about how to leverage the technology to accomplish goals becomes mandatory.

I am still looking for the right balance (not going too deeply into the technical stuff) and format.

At the moment I am undecided about writing a giant post with all the information, or breaking it down to make it more digestible and hopefully easier to memorize / apply / make sense of.

Which format do you think makes more sense? All this technical stuff is pretty much second nature to me, so it can be hard to put myself in a less-technically-inclined readers' shoes sometimes.

Lastly, would it be inappropriate to ask that you review my latest posts and leave reviews as appropriate? It seems you have been doing this writing thing for far longer than me.

i have some too.

Go on!

What would you like to see addressed?

great stuff!

This post is very nice to remind

I'm also curious how this will be addressed in the future. Although the blockchain is decentralized, the steemit webservers are not and are subject to attacks.

  ·  8 years ago Reveal Comment

good idea for all of us

@ned and @dantheman this is a helpful read. Please take a look at it.

Nice call @stellabelle.

This is one of the best posts ive seen on here yet regarding the issue.

  ·  8 years ago Reveal Comment
  ·  8 years ago Reveal Comment