Why your personal security sometimes just isn't good enough.

in steem •  8 years ago  (edited)

Why passwords or 2FA have little to no sense at all on a large scale attack.

Image

Just upvoted post #7251 about making a strong password for your Steemit account? Let me give you some lessons in cyber security first.

Security is only as strong as the weakest link in the chain. What most people seem to forget is that often the weakest link is the platform, aka the server where the services are being hosted.

I'll be using some analogy to make it more readable to everyone.

Passwords are like your frontdoor key; It will prevent thiefs from entering trough the door, but won't stop them from having a look if your windows or backdoor are properly closed.

Did you closed and locked all doors and windows using the keylock (password) and an additional alarm system (2FA security) ? Well bravo to you! But still, your vault inside your home isn't safe yet.

You see, most large scaled attacks happen trough the roof of your house (the server). One could reinforce it's entire house (computer), but the roof will always remain a sensitive spot since it exists only of some rooftiles that could be lifted off and plywood underneath. If you've lost me in my analogy, i'm talking about the server your favorite services are hosted on.

So unless there's a really easy way of exploiting single users, like the XSS attack this platform has sufferd (and still posing a threat today, read this post), evil burglars will most likely prefer to just attack the servers once the value of whatever they're looking for is worth the trouble.

Hacking a server? Sounds like a tough specialist job!

Well, it depends. Sometimes it can be, but i've known and investigated hacks that any kid could've done at school.

A well known Bitcoin exchange lost it's servers root access to a teenager who called the exchange's hosting provider claiming he lost access. While he did the effort of gathering as much data possible on the legitimate owner of the server, he's efforts payed off and the hosting provider resetted the passwords. Even tough the attack didn't lasted longer than 40 minutes before being detected, harm was done and over 3000 BTC was stolen.

Then there was this mining pool who ran a mirror pool for developing and maintenance. Little did they know some 17 year old russian kid would fuzz the servers and discover the /admin/ hidden folder. I know for a fact, when testing an enviroment, it's hard and difficult to always login with a super secret password. So was the case here. A default login of "admin/admin" led him to the configuration files holding the plaintext passwords to the wallets and the servers. Guess what happened.

Many heists and hacks are similar; hiding in plain sight. To small to see or notice until it's to late. All developers are only human, and it's human nature to focus on bigger things than what we can see.

I see... So with server access, my passwords and 2FA are useless?

Yes and no. If your passwords are well hashed and encrypted, it should be relatively safe not to be readable. Your 2FA key itself is always plaintext stored in a database, so it's more like a false sense of security on server level.

But why would anyone care about your password or 2FA secret when they have access to the server itself?

The things a burglar would do when the cops are already on their way is just take what they can and leave. Anyone accessing a remote server knows those actions are logged and most likely will trigger an alarm. So they just go straight for the configuration files, grab the passwords, and empty the main wallet. One way or another, the passwords and IP servers to the wallets will be written somewhere.

If you've studied your target, it should not take more than just 15 minutes to complete this cycle.

Ok i'm scared now. What would you advice me to protect my vault and money?

Digital assets or coins should be treated like the money you carry in your pockets.

Will you take a walk trough a dark, creepy park in the middle of a criminal hood with thousands of people in this park looking like they want to rob you?

No. You simply won't. So why are you doing this with your digital assets then? Use the same principle as you would do in the real world. Deposit most of your cash money in the bank! Our secured banks are paper wallets, or local wallets.

But why would you leave your money just sitting here, blaming everyone but yourself if this beta version (it's beta for god's sake!) should have some errors resulting in an empty wallet?

Paper wallet generator by @xeroc can be found here

If however your account got hacked, it's most likely that you didn't obey by the rules of online security. Did you find yourself clicking blindly on any of the URL's i've posted?

Touché. I just told you this platform is still vulnerable to XSS exploits.

Even a small, innocent URL may hide evil things. Try clicking on this page

https://steemit.com/ / http://www.google.com
and see where it leads you. Get my point? Before clicking any URL hover on it to see it's real destination.

TL;DR Can you sum this down please? It's to much to read!

Sure. Never blindly trust your platform provider. Anyone could make a mistake, it's just a matter of time before someone exploits it.

Keep your money secured offline or on your local computer, not online at a third party. Steemit for example is not your local bank account, your local or paper wallet is.

No matter how strong your password is, it won't protect you against server based attacks.

Keep on Steeming in a secure enviroment! Remember, thiefs will follow the money and STEEM is becoming popular! Expect scams and hacks to pop up by the dozens soon enough.

Thank you all for reading my article and a BIG, HUGE, MASSIVE thanks to everyone who upvoted my previous story that you can read here!

Keep on Steeming!

PS: Did you clicked that last URL blindly again?
PS2: This post is intended for awareness. I'm not looking to make hundreds of dollars on it :)

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

see other posts on steve-walschot's blog

Trying to fool people heh :)

Steve, this info is priceless, but since can cause a bit of hysteria, it will probably not be whale voted. Sorry ;(
Here we try our best to build this wonderful utopian society, where everyone gives their best to help others, no matter what will happen.
It is great we have an expert like you here, you are one of our most precious citizens!

P.s.: We wait for part 3, just continue to be yourself!
Thank you!

Thank you!

Interesting post and Good advice. I like your style. You use daily examples to explain some technical concepts.

Thanks, that's what i intend :)

Thanks for the article.

Just curious what plan of action can we take in regards to Steemit.com? As far as I know we can't make a paper wallet as there is only one set of keys involved with our account and we can't put Steem related currency in cold storage (most of all SP). Using a posting key for signing on and changing our password is effective but I'm not quite sure what extra steps can be taken to secure a steemit.com account?

Thanks for your advices!

Paranoid people are my favorite people. Keep writing!