Regarding the recent theft of Burst accounts



  • As I am reading this thread I am, on one hand, appalled that within our own programming the words used to generate a random password are right there. All the words are all one case and they are all dictionary words, but with that said it wouldn't matter: they have all the info right there that they need to do what they want. The person, most likely persons, that did this are very smart; this info would be run through several bot computers to figure out passphrases in probably less than a week. So when I was talking earlier about back doors not closed well, here is a huge gaping hole you can drive a truck through. Hell, go to 4chan and start poking around and ask if someone had all the words needed to create random passphrases, how long would it take to get in; they would tell you the same thing. There are people out there for hire that do this stuff for fun. Go to the TOR network; you will be cringing at the amount of info you can get. I'm not trying to say this to be funny, this is all fact. There is money here and a lot of it. The more people look at us, the more unsavory types will too. And while on the subject, this site generates actual money, so I wonder who in their right mind would use Java to base this on. 2K Games is here in Vegas; they make almost all the ESPN sports games and some other very popular games. They won't use Java in any of their primary coding. Why? Because it is not secure. Oh, and let's look at the "rich" list: it has every single Burst account listed, so now you have the person's Burst account. Then if you look through just a few of the asset accounts, some give even more info, like the numeric account ID (I probably spelled numeric wrong), again just a little bit more info.
We are ripe with info. Personally I don't like the fact that peeps can see how much I have; that is like opening my bank account and saying: here, have a look, oh, by the way, here is a snippet of my account number, but don't worry about that, just get your own account, then look here in this file, which is the same for everyone, and with a little effort you can figure out my passphrase and anyone else's. If you really want to put things into reality, here is this tidbit of info: every day, just here in the U.S., every branch of the service, every 3-letter agency, from the Pentagon to every useless celebrity, is getting probed and hacked. First, get rid of the words used; they should not be visible at all. Second, get a real code generator with upper and lower case letters. No, and I can't stress this enough, no dictionary words. There need to be numbers and random (the word escapes me) but stuff like !`~$%^&*()_-+=. I would not be the one to make the generator; you all would be waiting till next Christmas LOL. The faucet is off, so that little hole is plugged. Secure your computers and stop using that K9 whatever it is that figures out captcha for you; again, it is another way in. That company is not going to reimburse you; they have 0 liability if you lose your money.

    Croydan



  • Hi guys. I've just set up a new account. The address is in my signature.

    I strongly doubt I'll ever get my funds back.

    As for the word list: there are 1626 words in that data set, so a dictionary brute-force would yield the following number of guesses to crack:

    • 1 word 1626
    • 2 word 2,643,876
    • 3 word 4,298,942,376
    • 4 word 6,990,080,303,376
    • 5 word 11,365,870,573,289,376
    • 6 word 18,480,905,552,168,525,376
    • 7 word 30,049,952,427,826,022,261,376
    • 8 word 48,861,222,647,645,112,196,997,376
    • 9 word 79,448,348,025,070,952,432,317,733,376
    • 10 word 1.2918301388876536865494863446938e+32


  • @Lexicon will send you some goodies tomorrow


  • admin

    @ZapbuzZ The guys that run my co-location site are Court Data Technologies. Their company provides a database of searchable data on Wisconsin, US, court cases. They have no access to my servers, they just own the public IPs associated with my servers.



  • Above all, how safe are we? After all the stress, sleepless nights and all? Only to lose it all just like that isn't palatable.


  • admin

    @delords Using a 12 word passphrase out of 1600+ possible words would require more time than the universe has existed to crack. Throw in some uppercase letters, numbers, symbols and the task becomes exponentially harder. If you use a secure passphrase you're safe. I had a test account with an unsecure passphrase, and it got hacked - lesson learned. I take the system generated passphrase and tweak it a little - it's basically uncrackable.
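
Added example (not part of any post in this thread, and not Burst wallet code): a sketch that works through the keyspace figures quoted above for a 1626-word list, estimates average search time, and draws a passphrase with the operating system's CSPRNG. The guess rate of 1e12 per second and the placeholder word list are assumptions, and the figures hold only when every word is drawn uniformly at random.

```python
import math
import secrets

WORDLIST_SIZE = 1626           # word count quoted in the thread
GUESSES_PER_SECOND = 1e12      # assumption: attacker's total guess rate
SECONDS_PER_YEAR = 31_557_600

# Constructed stand-in for the wallet's list: 1626 unique placeholder tokens.
PLACEHOLDER_WORDS = [f"word{i:04d}" for i in range(WORDLIST_SIZE)]


def entropy_bits(picks, choices=WORDLIST_SIZE):
    """Entropy of `picks` independent, uniform draws from `choices` options."""
    return picks * math.log2(choices)


def expected_years(picks, choices=WORDLIST_SIZE, rate=GUESSES_PER_SECOND):
    """Average search time: half the keyspace at `rate` guesses per second."""
    return choices ** picks / 2 / rate / SECONDS_PER_YEAR


def words_needed(target_bits, choices=WORDLIST_SIZE):
    """Fewest words whose keyspace reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(choices))


def equivalent_random_chars(picks, alphabet=94, choices=WORDLIST_SIZE):
    """Length of a uniformly random printable-ASCII password of equal strength."""
    return math.ceil(entropy_bits(picks, choices) / math.log2(alphabet))


def generate_passphrase(picks, words=PLACEHOLDER_WORDS):
    """Draw each word with the OS CSPRNG; the list itself may be public."""
    return " ".join(secrets.choice(words) for _ in range(picks))


if __name__ == "__main__":
    for n in (1, 2, 4, 8, 12):
        print(f"{n:2d} words  {entropy_bits(n):6.1f} bits  "
              f"{expected_years(n):.3g} years at 1e12 guesses/s")
    print("words for 128 bits:", words_needed(128))
    print("equal-strength random chars:", equivalent_random_chars(12))
    print("sample:", generate_passphrase(12))
```
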



  • @haitch Is it possible to somehow change the passphrase of an account? Or do I have to make a new one and transfer all the assets and all my burstcoin to a new one?



  • @theoneandonely It's not possible to change your passphrase, because your address is generated from your passphrase. You'd need to create a new account and transfer your Burst and assets to it.



  • Remember that the hacking comes from a system external to Burst, but hey, as we should all know, total security on the internet unfortunately does not exist; still, applying a little common sense will complicate things a lot for these bastards.

    The bad thing is that as humans we make a lot of mistakes, and I say it from my own experience ;)



  • btw. you can also use Keepass2 or similar to store your passwords and generate them! And make them however long you want! (I think!)



  • @haitch Thanks and noted. I will open another account and tweak the phrase asap.



  • @nixxda I use KeePass but it didn't stop me from getting infected by this bad boy.

    Luckily antilogger encrypted all my key-presses, so the majority of the shit they got was nonsense.

    Below is an example of what I saw when I opened the files that were logging all my shit:

    
    :: dclogs (22:36:10)
    
    
    :: @MikeMike - Discord (22:36:13)
    
    
    :: @Focus - Discord (22:36:29)
    
    
    :: Clipboard Change : size = 18 Bytes (22:36:29)
    sadasadasdadasdasd
    
    :: Sign in to your account - Google Chrome (22:37:13)
    
    
    :: Clipboard Change : size = 16 Bytes (22:37:13)
    54d56s4da65s5d
    
    ::  (22:37:27)
    
    
    :: Discord Notifications (22:37:36)
    
    
    :: New Tab - Google Chrome (22:37:52)
     [<-][<-] 
    
    
    :: OTC OldTimer's Clean-It Download - Geeks to Go Forum - Google Chrome (22:39:02)
    
    
    :: Untitled - Google Chrome (22:39:05)
    

    With this virus, it can easily steal your KeePass passwords from your clipboard.
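
Added example (not part of the post above): a small triage parser for a log in the layout shown in that excerpt, listing every record that actually captured data so the owner knows which credentials to rotate first. The record layout is inferred from the excerpt alone, and attributing a clipboard change to the most recently focused window is an assumption.

```python
import re

# Excerpt copied from the post above (blank lines dropped).
SAMPLE_LOG = """\
:: dclogs (22:36:10)
:: @MikeMike - Discord (22:36:13)
:: @Focus - Discord (22:36:29)
:: Clipboard Change : size = 18 Bytes (22:36:29)
sadasadasdadasdasd
:: Sign in to your account - Google Chrome (22:37:13)
:: Clipboard Change : size = 16 Bytes (22:37:13)
54d56s4da65s5d
::  (22:37:27)
:: New Tab - Google Chrome (22:37:52)
 [<-][<-]
:: Untitled - Google Chrome (22:39:05)
"""

# Record header: ":: <window title or clipboard notice> (HH:MM:SS)"
HEADER = re.compile(r"^::\s*(.*?)\s*\((\d{2}:\d{2}:\d{2})\)$")
CLIPBOARD = re.compile(r"^Clipboard Change : size = \d+ Bytes$")


def parse_records(log):
    """Split the log into [time, title, captured_lines] records."""
    records = []
    for raw in log.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            records.append([header.group(2), header.group(1), []])
        elif line and records:
            records[-1][2].append(line)  # data belongs to the preceding header
    return records


def exposure_report(log):
    """List (time, kind, window, data) for each record that captured something."""
    report, window = [], ""
    for time, title, captured in parse_records(log):
        if CLIPBOARD.match(title):
            # Assumption: the copy happened in the last window that had focus.
            report.append((time, "clipboard", window, captured))
            continue
        window = title or window
        if captured:
            report.append((time, "keystrokes", title, captured))
    return report


if __name__ == "__main__":
    for entry in exposure_report(SAMPLE_LOG):
        print(entry)
```
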



  • Now I am freaking out.
    I just created a new wallet with a presumably stronger passphrase.
    Visited a faucet for free activation coin.
    Named it and transferred my burst to it but nothing is showing in my Recent transaction talk less of coins in the new wallet.
    Help me out.


  • admin

    @delords Please tell us your Account IDs to help you.



  • lol
    What a day!? Finally showed up.



  • @Lexicon

    Sorry for your loss.
    Once you get your security back fully let us know so we can send some bits and that goes for others as well.
    Appreciate all the work by you and those who helped you get to the bottom of this, and your further reporting of important facts we all could benefit from.



  • I recently started using KeePass and I love it. I ordered some cheap flash drives from newegg and I will be creating separate Burst accounts to be stored in a KeePass encrypted database, then duplicating those databases onto the flash drives to be stored in multiple safe locations. These passwords will never touch a cloud and all transactions will be handled by my own local wallet.

    In my opinion, the password should be encrypted anywhere and everywhere it can be encrypted - even when doing local wallet transactions, even when storing it in a properties file for the miners. Security is all about taking precautions you don't necessarily HAVE to take and since attacks can come from places you can't think of, I take the philosophy of plug every hole you can even if you don't think you need to.

    For me, it's important to note that both of these successful attacks circumvented the encrypted password by gaining access to the password at a point where it was not encrypted. Neither attack was able to break or compromise the encryption of the Burst network itself in any way.



  • admin

    @Focus The topic here: "Regarding the recent theft of Burst accounts "
    Discussion about "court data technologies" here: https://forums.burst-team.us/topic/3853/court-data-technologies

