I'm back, 1 Week without Steemit, The hack, Social engineering gone wrong and where to next..

I'm back :) - its been tough.

So i have been absent from the steemit party for the last week because my posting key was compromised!; sad story but true.. it has been a tough week watching all the new users coming to the platform and great posts coming in thick and fast; there was also some very sad moments when users such as @katecloud put a huge amount of effort creating a great post regarding her hiking trip and then watching it be defaced by the attacker :( .. Don't worry Kate has recovered her keys and is back in action!

I'm sure you were all aware that some JavaScript was hidden inside a HTML IMG tag that leaked the keys from your browser; thankfully i had some good practices in place and the only effect of the stolen key was the hack could post or comment with my account; seemed like he was too busy to even bother; he was busy trying to drive a truck load of STEEM and SBD out the steemit gate and off to freedom.

Social engineering gone wrong; the hack was discovered

I first noticed something suspicious when Ned left me a comment under the compromised post saying "Dan was having issues transferring between Steem and Steem dollars, are you having this issue?"... sus!!

Little did i know at the time, my posting key was already compromised and this was just a ploy to have me login with my active/owner key so that the hacker could hijack them. sneaky bugger!. Lucky enough Ned was on slack; i questioned his comment as it seemed out a character and his response was "what comment?"; to which i provide a copy and paste of the comment and pointed him to the post in which it was left... Ned went silent; dead silent....
At that stage i knew something was wrong; really wrong; i got that impression from his first response given the comment had only just been made..but his silence said more than enough. it was 2am in my local time and i had gotten out of bed to question Ned regarding this comment; i was freezing but could not take my eyes off the screen. after 10 minutes of nothing i went to bed knowing that something was a miss but comforted by the fact that Ned was aware and if needs be the full development team would be on board and working till all hours of the night to get it fixed.

The Recovery process

Sure enough the next day i started as i do every morning (with Steemit + Cup of coffee) and found red 'Security Warning' banners plastered all over Steemit. i finished my coffee and booted up my pc to change my posting key and found that my account had been locked!! Damn!; This was due to the great work by the Steemit team having the issue diagnosed and damage contained sometime while i was sleeping. I contacted support as instructed by the warning message and began pressing F5 like a mad man; what would i do without Steemit!.

I gave Ned and the team some space as i could see from the security update that they had their hands full minimising damage, contacting exchanges, creating restore plans and tracking down the attacker. At 5pm my time, Ned was surprisingly still on slack; this is very unusual. i sent him a quick message and he responded within minutes; in regards plans of restoring my account going forward. i checked his profile when he mentioned he need to get some rest and start fresh tomorrow.... IT WAS 5AM!! that's why he is never online; the sun would have been starting to rise and he has been up all night; no doubt with the rest of the Steemit team resolving the issue..
His account went dark, then a few hours later he was back online and the team was hard at work; i can only imagine the hours that the team has put in over the last week. That is dedication for you!!

Going forward

So with the recovery system in place we now have some recourse if this sort of occurrence should happen in the future but the effect's could still be devastating if your active or owner keys are compromised; even your posting key could be used to tarnish your account and it's reputation if the hacker was to deface your posts; or act in an unsociable way towards the community.

I have decided going forward i will be using the following security practises (first three i am already practising):

• Login at all times with posting key unless active authority is required - this is paramount!!
• Login using the keys for each roles (username/posting, username/active and owner) and not the master password
• When using my active key, i will not be using the 'keep me logged in' checkbox. i will login, do action, then log out.
• I will have a separate browser (completely separate installation - not a new windows) for use when logging in with Active or Owner keys; this browser will not be used for any other purpose what so ever; it will also not browse posts or clicks links.
• Second web browser will be configured in privacy mode and not retain any temporary files once closed.
• i will be using a script blocker such as ScriptSafe browser extension for chrome or noscript for firefox; configured to block scripts in my active/owner browser. note -Steemit requires scripts to function so i have Steemit allowed. Given this browser will not browse any other content of even Steemit posts this step is not be required but will make me feel better.

I am very excited to be back in the Steemaction!!