Regarding the recent theft of Burst accounts
-
@nixxda I use KeePass but it didn't stop me from getting infected by this bad boy.
Luckily AntiLogger encrypted all my key-presses, so the majority of the shit they got was nonsense.
Below is an example of what I saw when I opened the files that were logging all my shit:
:: dclogs (22:36:10)
:: @MikeMike - Discord (22:36:13)
:: @Focus - Discord (22:36:29)
:: Clipboard Change : size = 18 Bytes (22:36:29)
sadasadasdadasdasd
:: Sign in to your account - Google Chrome (22:37:13)
:: Clipboard Change : size = 16 Bytes (22:37:13)
54d56s4da65s5d
:: (22:37:27)
:: Discord Notifications (22:37:36)
:: New Tab - Google Chrome (22:37:52)
[<-][<-]
:: OTC OldTimer's Clean-It Download - Geeks to Go Forum - Google Chrome (22:39:02)
:: Untitled - Google Chrome (22:39:05)
With this virus it can easily steal your KeePass passwords from your clipboard.
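The log format in the post above (one ":: window title (HH:MM:SS)" header per event, followed by whatever was typed or copied) is simple enough to triage with a short script. The following is an added example written for this thread, not code from the poster: it parses the excerpt, pairs every "Clipboard Change" capture with the window that had focus at that moment, and flags the captures that happened while a login page was open, since those are the ones most likely to contain a password KeePass had just placed on the clipboard. The sample input is the excerpt from the post re-laid out one entry per line, and the list of "sensitive" title words is a heuristic chosen for this example.

```python
import re
from datetime import datetime

# Constructed sample: the keylogger output quoted in the post above, re-laid out as one
# log entry per line (":: <window title> (<HH:MM:SS>)") with captured text on the line after.
SAMPLE_LOG = """\
:: dclogs (22:36:10)
:: @MikeMike - Discord (22:36:13)
:: @Focus - Discord (22:36:29)
:: Clipboard Change : size = 18 Bytes (22:36:29)
sadasadasdadasdasd
:: Sign in to your account - Google Chrome (22:37:13)
:: Clipboard Change : size = 16 Bytes (22:37:13)
54d56s4da65s5d
:: (22:37:27)
:: Discord Notifications (22:37:36)
:: New Tab - Google Chrome (22:37:52)
[<-][<-]
:: OTC OldTimer's Clean-It Download - Geeks to Go Forum - Google Chrome (22:39:02)
:: Untitled - Google Chrome (22:39:05)
"""

HEADER = re.compile(r"^:: (?P<title>.*?)\s*\((?P<time>\d{2}:\d{2}:\d{2})\)\s*$")
CLIPBOARD = re.compile(r"^Clipboard Change : size = (?P<size>\d+) Bytes$")

# Window titles that suggest a credential was being entered when the capture happened.
# Heuristic word list chosen for this example, not taken from the original post.
SENSITIVE_TITLE_WORDS = ("sign in", "log in", "login", "password", "keepass", "wallet")


def parse_log(text):
    """Split the log into events. Each header line starts a new event; any other line
    (typed keys or the clipboard contents) is appended to the preceding event's payload."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            title = m.group("title")
            ev = {"kind": "window", "title": title, "payload": "",
                  "time": datetime.strptime(m.group("time"), "%H:%M:%S")}
            c = CLIPBOARD.match(title)
            if c:
                ev["kind"] = "clipboard"
                ev["size"] = int(c.group("size"))
            events.append(ev)
        elif events:
            events[-1]["payload"] += line
    return events


def clipboard_exposures(events):
    """Pair every clipboard capture with the window that had focus at that moment and
    flag it when that window looks like a login form: those are the captures most likely
    to hold a password that KeePass had just copied to the clipboard."""
    exposures = []
    focused = None
    for ev in events:
        if ev["kind"] == "window":
            focused = ev["title"]
            continue
        title = (focused or "").lower()
        exposures.append({
            "time": ev["time"].strftime("%H:%M:%S"),
            "size": ev["size"],
            "payload": ev["payload"],
            "window": focused,
            "sensitive": any(w in title for w in SENSITIVE_TITLE_WORDS),
        })
    return exposures


def typed_text(events):
    """Everything the logger recorded from the keyboard, outside clipboard captures."""
    return "".join(ev["payload"] for ev in events if ev["kind"] == "window")


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for x in clipboard_exposures(evs):
        flag = "CHECK" if x["sensitive"] else "ok"
        print(f'{x["time"]} {flag:5} {x["size"]:>3}B from "{x["window"]}": {x["payload"]!r}')
    print("typed:", repr(typed_text(evs)))
```

On the excerpt this reports two clipboard captures, and only the second one (taken while "Sign in to your account - Google Chrome" was in focus) is flagged for a closer look. The practical point for a victim is that the clipboard captures, not the keystrokes, are where a password manager's secrets end up, because the manager copies the cleartext password for pasting; KeePass's clipboard auto-clear shortens that window but cannot close it against a logger that fires on every clipboard change.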
-
Now I am freaking out.
I just created a new wallet with a presumably stronger passphrase.
Visited a faucet for free activation coin.
Named it and transferred my Burst to it, but nothing is showing in my recent transactions, let alone coins in the new wallet.
Help me out.
-
@delords Please tell us your Account IDs to help you.
-
lol
What a day!? Finally showed up.
-
Sorry for your loss.
Once you get your security back fully let us know so we can send some bits and that goes for others as well.
Appreciate all the work you and those who helped you get to the bottom of this and your further reporting important facts we all could benefit from.
-
I recently started using KeePass and I love it. I ordered some cheap flash drives from newegg and I will be creating separate Burst accounts to be stored in a KeePass encrypted database, then duplicating those databases onto the flash drives to be stored in multiple safe locations. These passwords will never touch a cloud and all transactions will be handled by my own local wallet.
In my opinion, the password should be encrypted anywhere and everywhere it can be encrypted - even when doing local wallet transactions, even when storing it in a properties file for the miners. Security is all about taking precautions you don't necessarily HAVE to take and since attacks can come from places you can't think of, I take the philosophy of plug every hole you can even if you don't think you need to.
For me, it's important to note that both of these successful attacks circumvented the encrypted password by gaining access to the password at a point where it was not encrypted. Neither attack was able to break or compromise the encryption of the Burst network itself in any way.
-
@Focus The topic here: "Regarding the recent theft of Burst accounts "
Discussion about "court data technologies" here: https://forums.burst-team.us/topic/3853/court-data-technologies
-
@croydan1 I missed this post earlier, but having the dictionary words listed is not a problem.
There are, from memory, 1664 words in the list it uses; the number of permutations of 12 of those words (permutation = ordered list) is 433,086,275,460,543,172,562,465,902,777,223,577,600 (4.3 x 10 ^ 37).
Testing 100,000 pass phrases per second would take on average 6,817,605,276,509,386,098,427,194.3176053 years to find a specific pass phrase.
You'd need to be able to test 100 Quadrillion (10 ^ 15) passphrases/second to get it down to the 6 Billion years range...
Adding numbers, upper case and symbols increases that exponentially as you can no longer test just the 1664 words.
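The arithmetic in this post, worked through as an added example (this is not the poster's code): it takes the post's inputs (a 1664-word list, a 12-word ordered pass phrase, 100,000 guesses per second) and computes the size of the search space, that size in bits, the average time to reach one specific phrase at a given guess rate, and the guess rate needed to finish a search in a given number of years. It also shows the n ** k count that a generator allowing repeated words would give, and shorter phrases from the same list for comparison. The word count and phrase length are taken from the post as assumptions and are not checked against the Burst wallet's actual list.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def phrase_space(word_list_size, phrase_length, allow_repeats=False):
    """Number of distinct ordered pass phrases. Without repeats this is the permutation
    count P(n, k) the post uses; with repeats (a generator that draws every word
    independently) it is n ** k, slightly larger."""
    if allow_repeats:
        return word_list_size ** phrase_length
    return math.perm(word_list_size, phrase_length)


def entropy_bits(space):
    """Security level in bits of a phrase chosen uniformly from `space` candidates."""
    return math.log2(space)


def expected_years(space, guesses_per_second):
    """Average time to reach one specific phrase: half the space at the given rate."""
    return space / 2 / guesses_per_second / SECONDS_PER_YEAR


def rate_for_years(space, target_years):
    """Guess rate (per second) needed to bring the average search down to target_years."""
    return space / 2 / (target_years * SECONDS_PER_YEAR)


if __name__ == "__main__":
    words, length = 1664, 12  # figures assumed from the post above
    space = phrase_space(words, length)
    print(f"P({words},{length}) = {space:,} ({space:.2e}), {entropy_bits(space):.1f} bits")
    print(f"with repeats allowed: {phrase_space(words, length, True):.2e}")
    for rate in (1e5, 1e15):
        print(f"at {rate:.0e} guesses/s: {expected_years(space, rate):.2e} years on average")
    print(f"rate for a 6e9-year search: {rate_for_years(space, 6e9):.2e} guesses/s")
    for n in (4, 6, 8):  # shorter phrases from the same list, for comparison
        print(f"{n} words: {entropy_bits(phrase_space(words, n)):.1f} bits")
```

The useful number to carry away is the bit count: a 12-word ordered phrase from a 1664-word list is a little over 128 bits, which puts an exhaustive search out of reach regardless of whether the attacker knows the word list, so publishing the list costs nothing. The same functions make it easy to see how fast that margin shrinks when a user picks a shorter phrase than the generator recommends, which is the practical risk this thread keeps coming back to.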
-
@haitch and @all, I know that this is correct, but I was very tired, I had a rough day, and the theft just set me off into a poor mood. With that said, yes, I agree that with that many words it makes it almost impossible. I was in some way just trying to get across to take more precaution, and I did not convey that thought in a logical written way, so I do truly apologize. I want all of you to know that I am not here to create or cause panic in any way, shape or form.
Apologies,
Croydan
-
@croydan1 Nothing to apologize for.
-
@Lexicon
I sent a little new silver over to you, to get you back on track again so to speak. :)
-
The auto-generated pass phrase is secure. It's technically not impossible to be brute-force hacked, but the luck factor of a program hitting the right combo of words would be like going out and buying a million lotto tickets and all million of them being winners. No one would ever try to use this method to target a single account, as that is even more difficult by a huge factor. Anyone who would attempt it would only be letting it run in the hopes of hitting the lotto.
For our wallets' security, they are far more at risk from leaving info as Word docs on your computer, open to keyloggers, viruses, or people who you personally know that may see it as a fast buck.
If you do want even more security like I do, follow the guidelines of the auto generator but use words not in the list and give it some complexity with numbers, caps, symbols; just never use a shorter pass phrase than recommended.
-
@Mr_Purple thanks buddy, that's much appreciated. I'm hoping to get back up there again and it might happen eventually.
It might even happen faster than the 5 months it took me previously. And to prevent something like this happening again, I'll probably spread out my portfolio across multiple accounts for damage control.
-
@rds said in Regarding the recent theft of Burst accounts:
Right now, the only way I know how to generate a Burstwallet address is to use the AIO wallet software.
If the algorithm for address generation was public knowledge, then I could write a program to generate that address on an air gapped computer and either store that passphrase on that air gapped machine (hardware wallet) or a piece of paper (paper wallet).
I wrote a 30 line python program to do just that. To generate Bitcoin and Ether paper wallet addresses. I use them exclusively to store the bulk of my BTC and ETH. I use online wallets for small amounts, shopping money etc., but the bulk amounts are stored in addresses that have never touched the internet.
https://github.com/damncourier/burst-address.py
Not exactly 30 lines, but well commented and includes RS address encoding (which is not commented at all). Note that accounts without public keys on the blockchain can be accessed if there is a collision with another key pair.
Transaction signing on an air-gapped machine should be possible using
https://nxtwiki.org/wiki/The_Nxt_API#Sign_Transaction followed by broadcasting on the network with
https://nxtwiki.org/wiki/The_Nxt_API#Broadcast_Transaction. Not an easy solution right now, but it seems the possibility is there.
-
@damncourier yes it is possible :) you would still need at some point to enter your passphrase, so if that system is compromised you're screwed :D