New Malware Targets Bitcoins To Steal

from the if-your-money-needs-malware-protection dept

It’s been fascinating to watch the back-and-forth discussions about Bitcoin. The big story recently was the supposed “theft” of $500,000 worth of Bitcoins. But perhaps a lot more interesting is the report of new malware specifically targeting Bitcoins. The malware looks for a Bitcoin wallet file, which it then tries to email to a specific server. Among the many concerns people have raised about Bitcoins, this one hadn’t received much attention earlier, but it could potentially scare a lot of people. The lack of traceability is one of the selling points, but it also has a downside in these types of situations.


Comments on “New Malware Targets Bitcoins To Steal”

28 Comments
Josh in CharlotteNC (profile) says:

Just like cash

Your BitCoin wallet holding your BitCoins is no different than a physical wallet stuffed with cash. That’s made abundantly clear if you read the FAQs on the BitCoin website. If you leave either wallet sitting out in the open (physically or digitally), you’re gonna lose it, and recovering cash – good luck with that.

So, if you take precautions with cash, and your online bank account and credit card info, you need to take them with your BitCoins, too. A significant difference between an online bank account and your BitCoins is that you are in 100% control of all the information related to your BitCoins. You don’t have to worry that after buying something from a merchant, that they’ll save or leak your credit card number and it’s out in the wild.

Say you mine BitCoins on a Windows box that’s connected up to the Internet. When you mine one, it goes to the wallet file on that machine. Get a non-networked Linux box for your “real” wallet, and transfer any mined coins from one to the other.

DCX2 says:

Re: Just like cash

That’s pretty much what I do for online banking. I found myself a cheap netbook, wiped it clean, installed ubuntu on it, and the only thing I use that netbook for is online banking. It is otherwise disconnected; even the battery is removed, although not for security reasons…it just helps prolong battery life.

Bengie says:

Re: well,

Win7 was harder to remotely hack than OSX or Linux at all the recent conventions.

If people want to be safe with their coins, make a separate account for BC and put deny access to everyone else on the BC wallet file. Then you can run BC as that user and no malware you randomly decide to install will get your wallet.

If people didn’t randomly install crap on their machines, they would get malware.
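The separate-account advice in the comment above can be checked mechanically. The following is an added example, not part of the original comment thread; it assumes a POSIX system, and the `audit_wallet` and `lock_down` helper names and the temporary `wallet.dat` file are constructed for illustration:

```python
import os
import stat
import tempfile

def audit_wallet(path, expected_uid=None):
    """Return a list of findings for a wallet file; an empty list means it passed."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # A symlink can point the client at a file in a less protected place.
        findings.append("wallet path is a symlink")
        st = os.stat(path)
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid} is not the dedicated uid {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"file mode {mode:04o} grants access to group/other")
    # A directory writable by others lets them rename or replace the wallet file.
    parent = os.path.dirname(os.path.abspath(path))
    if os.stat(parent).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent directory is writable by group/other")
    return findings

def lock_down(path):
    """Restrict the wallet file and its directory to the owning account only."""
    os.chmod(path, 0o600)
    os.chmod(os.path.dirname(os.path.abspath(path)), 0o700)

def demo():
    """Audit a constructed, deliberately loose wallet file before and after lock-down."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o777)                      # constructed weak directory mode
        wallet = os.path.join(d, "wallet.dat")  # constructed placeholder file
        with open(wallet, "wb") as f:
            f.write(b"constructed placeholder, not a real wallet")
        os.chmod(wallet, 0o644)                 # constructed weak file mode
        before = audit_wallet(wallet, os.getuid())
        lock_down(wallet)
        after = audit_wallet(wallet, os.getuid())
        return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

File permissions only separate accounts: anything running as the wallet-owning user, or with administrative rights, can still read the file.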

pixelpusher220 (profile) says:

Re: Traceability

The ‘traceability’ refers to the physical ‘owner’ of the BitCoins, not the BitCoins themselves. As you note, the transactions are public and distributed.

Only if someone validates the BitCoins they are receiving against this list will they be stopped. Just like serial numbers on paper money. Unless you’re looking for it, the ‘cash’ is just ‘cash’.

umccullough (profile) says:

Re: Re: Traceability

That’s my understanding as well – that the bitcoin block is untraceable once it leaves a person’s wallet – but you can track who is sending/receiving them.

That does little good if 25,000 people receive a bitcoin from this thief – it doesn’t mean that those 25,000 people become thieves, just as a store clerk receiving a stolen $20 bill in return for groceries doesn’t make them a thief.

Anonymous Coward says:

(A non-patentable idea)

Bitcoin should require a password after selecting an ‘account number’.

So you have all these bitcoin account numbers and you select one. You shouldn’t just willy nilly be able to select an account number and then suddenly transfer bitcoins from one account to another. A password should be required and that password should be the password required to decrypt the necessary information to transfer bitcoins.

Sure, most people will likely choose easily crackable passwords, and bitcoin should give some advice on recommended password parameters, but at least it slows down the process of malicious bitcoin transfers by third party software, which could give a later alerted user time to transfer his bitcoins to an uncompromised account before the password is cracked.

umccullough (profile) says:

Re: Re:

We’re talking about a file on your hard drive here… it doesn’t matter if you password protect the file – once malware is in place, you just throw a keylogger on to watch everything the user types.

You can always encrypt the wallet file, store it offline, or send your bitcoin to a website that “stores” them for you (mybitcoin.com for example)… but that doesn’t stop the fact that stored bitcoin can be taken from your machine if you don’t protect it somehow.

Anonymous Coward says:

Re: Re: Re:

“We’re talking about a file on your hard drive here… it doesn’t matter if you password protect the file – once malware is in place, you just throw a keylogger on to watch everything the user types.”

Of course, but you assume that all cases of malware intrusion are succeeded by someone typing in all of their bitcoin passwords before discovering the intrusion.

Also, a password can deter someone with physical access to the computer from simply copying the file over and getting easy access to that information. It gives time for users who periodically transfer money from account to account for security reasons to do so or to discover the intrusion and transfer the money before anything gets cracked. More work is needed to gain access to those coins, that extra work will act as a thief deterrent, and people will weigh the work necessary to steal those coins with the work necessary to earn them.

Also, malware creators will need to expend more work creating an appropriate keylogger to work with the data transfer software (or if it’s a general keylogger they have to spend lots of time looking through the logs, especially if they are looking through the logs of hundreds of users, and by then many of those users could discover the intrusion and transfer the money to another safer account).

It’s like a lock on a door. It won’t keep a determined criminal out by any stretch of the imagination, but it’s enough to deter many criminals.

umccullough (profile) says:

Re: Re: Re: Re:

Bah, keyloggers are a dime a dozen these days.

It’s important to note that the bitcoin software is not necessarily a single program – anyone can create their own “secure” bitcoin program if they want (it’s open source)… so this problem is likely to solve itself as people actually care enough to do it.

There’s no central authority involved here, so trying to say what they “should do” is sort of pointless, as no one person, or group of people is necessarily responsible for how bitcoin is stored or managed.

Anonymous Coward says:

Re: Re: Re:2 Re:

“It’s important to note that the bitcoin software is not necessarily a single program – anyone can create their own “secure” bitcoin program if they want (it’s open source)… so this problem is likely to solve itself as people actually care enough to do it.”

I know.

“There’s no central authority involved here, so trying to say what they “should do” is sort of pointless, as no one person, or group of people is necessarily responsible for how bitcoin is stored or managed.”

‘They’ refers to the bitcoin client developers, and there is a point, to point out the need to create such security features. Yes, they will likely be created anyways, but I was just making a suggestion for discussion purposes since such a suggestion is relevant to the OP.

Anonymous Coward says:

Re: Re: Re:2 Re:

“Bah, keyloggers are a dime a dozen these days.”

Yes, but general key logs are a time consuming pain to analyze, especially when you have hundreds of them, such extra needed work acts as a deterrent and gives alerted users time to transfer the money to other accounts before it gets stolen.

Anonymous Coward says:

Re: Re: Re:

“You can always encrypt the wallet file, store it offline, or send your bitcoin to a website that “stores” them for you”

Yeah, but in order to transfer data, at some time that file needs to be decrypted, and a keylogger can monitor the password necessary to decrypt it. So your ‘solution’ suffers the same shortcoming just as well.

umccullough (profile) says:

Re: Re: Re: Re:

If it was me, I’d store large quantities of bitcoin offline in multiple wallets (which the guy with 25,000 of them apparently did not bother to do), and then only as much as I need when I’m certain my machine is clean.

I don’t know about you, but I keep my money in multiple locations – some easy to get to (my actual wallet), some in a safe (locked in my house), and some in my bank account (obviously protected by the institution itself).

That way if someone mugs me in the street, they only get what’s in my wallet at the time. If someone breaks into my house (and somehow figures out my safe combination – perhaps because they somehow saw me use it through a window or something), they still don’t get what’s in my savings account.

Anyone can do the same with bitcoin, they just tend to be lazy because it’s “convenient” to just keep it all in one place, on their trusty, secure computer.

Anonymous Coward says:

Re: Re: Re:2 Re:

“If it was me, I’d store large quantities of bitcoin offline in multiple wallets (which the guy with 25,000 of them apparently did not bother to do), and then only as much as I need when I’m certain my machine is clean.”

Implementing client based password protection and the above aren’t two mutually exclusive possibilities.

Hephaestus (profile) says:

The protocol for the bitcoin system is pretty much unbreakable

The problem lies in the wallet file being clear text, and the client apps being unsecure. What someone needs to do is come up with a client side protocol document like (pdf warning) Satoshi Nakamoto’s paper Bitcoin: A Peer-to-Peer Electronic Cash System. This has caused the price of bitcoins to fall by $3 USD, they were at $19 USD three days ago. (Here is a current price chart)
