You shall not (leak your) pass!

in #steem, 7 years ago (edited)

Another account was (almost) hacked and three accounts were vulnerable for weeks. 167 valid private keys are still publicly available.
Why?
Because people are putting weird things into memo fields.

Well... "weird things" are not a problem, but when you put your private active or owner key (or other types of sensitive information) there, you might end up regretting this until the end of the blockchain.
That means: FOREVER.


Have you entered your key in a wrong place?
Be sure to remember that this is when you lose control over your account.

A few seconds later, a malicious user will take your key and replace it with his own.

If that was your owner key or master password, all you can do is start the account recovery process, which can take days or weeks, but **it has to be completed within 30 days** or your account is lost forever.
It might or might not work and you might or might not be eligible to use it.
After all, you have just lost your account, so don’t expect miracles.

If that was your active key, you can still use your owner key or master password to quickly change the leaked key but...

The clock is ticking

  • Within the next three seconds, you will lose all your STEEM and SBD that were not frozen in savings accounts. (Are you that fast?)
  • Three days after your failure, you will lose all the funds you have in your savings accounts too, if you haven’t been able to regain access to your account yet (How about not losing it in the first place?)
  • Also, Power Down was initiated right away, so a week after your failure and every week from then on you will lose 1/13 of your Steem Power until your account becomes an empty shell. (Oh, my mistake, it's not "your account" anymore.)

Scary, isn't it?

Such a thing almost happened to one of the users: @photo-trail
(not to mention three others - more details later on)

Fortunately, while monitoring the blockchain I was alerted in time and I've changed that key myself.
(special thanks to @almost-digital for the useful tools he provided)

I sent a message to the user:

"You have leaked your active private key to the public putting your account at risk. Your key was changed to prevent stealing your funds. Please change your active key using your owner key or master password. Be safe."

What was at stake in that particular account?
$30 worth of liquid assets (almost all in SBD)
and almost 2800 Steem Power
Estimated Account Value: $4,355.64

Extraordinary? No. Not at all.
Not long ago, @noisy & @lukmarcus gained access to 11 accounts with $21,749 on them.
Their post called the attention of users to the issue, earned thousands of dollars, received thousands of upvotes, hundreds of comments and tens of thousands of views. Their story was even featured on a popular Polish site, Niebezpiecznik.

So what? Nothing. It just happened again.

Even though it was much less likely, because many nodes are now checking memos after #1181 was implemented.

"Transfers with the sender's private key information will be rejected with a soft fork. The error message recommends the sender change their keys in such an event. The CLI wallet does a similar check against the sender's keys and the keys in the wallet."
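A client-side version of that memo check, as an added example (not code from the #1181 change, the node, or cli_wallet): it base58check-decodes every WIF-shaped token in a memo and refuses the transfer if one is a well-formed private key. The 'P' + WIF form for Steemit-generated master passwords is an assumption made here, and the sample key is constructed, not anyone's real key.

```python
import hashlib
import re

# Base58 alphabet shared by Bitcoin-style and Steem WIF keys (no 0, O, I, l)
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate token: optional 'P' (Steemit master password form, an assumption here)
# followed by 51 base58 characters starting with '5' (uncompressed WIF)
_TOKEN = re.compile(r"P?5[1-9A-HJ-NP-Za-km-z]{50}")

def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = _B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        if ch not in _B58:
            raise ValueError("not base58")
        n = n * 58 + _B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + raw

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def wif_encode(secret32: bytes) -> str:
    """Encode a 32-byte secret as WIF: 0x80 || secret || 4-byte double-SHA256 checksum."""
    payload = b"\x80" + secret32
    return b58encode(payload + _checksum(payload))

def is_wif_private_key(token: str) -> bool:
    """True only if token base58check-decodes to a 0x80-prefixed 32-byte key."""
    try:
        data = b58decode(token)
    except ValueError:
        return False
    if len(data) != 37 or data[0] != 0x80:  # 1 version + 32 key + 4 checksum
        return False
    return _checksum(data[:-4]) == data[-4:]

def find_key_material(memo: str) -> list:
    """Every token in the memo that is a valid WIF key, with or without the 'P' prefix."""
    hits = []
    for m in _TOKEN.finditer(memo):
        tok = m.group(0)
        if is_wif_private_key(tok[1:] if tok.startswith("P") else tok):
            hits.append(tok)
    return hits

def check_transfer_memo(memo: str) -> bool:
    """Gate to run before signing a transfer: False means refuse to broadcast."""
    return not find_key_material(memo)

# Constructed sample secret (derived from a fixed string, not anyone's real key)
SAMPLE_WIF = wif_encode(hashlib.sha256(b"constructed sample key, not real").digest())

if __name__ == "__main__":
    for memo in ["thanks for the post", "pls credit " + SAMPLE_WIF, "P" + SAMPLE_WIF]:
        print(memo[:20], "allowed" if check_transfer_memo(memo) else "REFUSED")
```

Because the check validates the checksum rather than just the shape, an ordinary memo that happens to contain a 51-character base58 string is not refused unless it really decodes to a key.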

So what about other keys that are available publicly and still valid?
I made a quick scan that revealed another 170 keys.
167 memo private keys. There's no imminent or direct risk, at least not now, but if someone used their memo key in a wrong way, there's a good chance that they are putting their assets at risk by improperly handling their secrets.
Unfortunately, there were also two active keys and one master password.
  • @amrsaeed - the key was leaked 56 days ago during a transfer to poloniex; @noisy has already included this case in his post, and 34 days ago this user was warned by @lukmarcus about the leak
  • @gary911 - the key was leaked 41 days ago during a transfer to poloniex; 34 days ago the user was warned by @lukmarcus about the leak
  • @savagem13 - the master password was leaked 26 days ago during a transfer to bittrex; 5 days ago someone used their password to change account properties to:

"{"profile":{"name":"Savage Money","about":"This Account Has Been Hacked! Please Change Your Password. Your Money is Safe"}}"

(which is not true, because after you have leaked your password/key, your money is not safe)

Surprisingly, none of those keys had been changed yet (until today, of course, by me), but that doesn't guarantee that the keys were not under the control of malicious third parties, or that the actions made after those leaks and before the keys were changed were made by their original owners. Maybe the malicious users were just waiting for a bigger amount of liquid assets to be available on those accounts. You never know.

Estimated Total "Secured" Assets: $12,000

Another case, another lesson.
This time, again, everything ended (relatively) well.
Who was paying attention?
Are we safer now?
Are you?

No.

It will happen again, one way or another.
Please make sure that it will not happen to you.

TL;DR:

You will lose your funds if you disclose your private key.

(Try to guess: Why is it called PRIVATE?)

Do not learn from your own mistakes, learn from the mistakes of other users.

"Keep it secret, keep it safe"



If you believe I can be of value to steem, please vote for me (gtg) as a witness on Steemit's Witnesses List or set (gtg) as a proxy that will vote for witnesses for you.
Your vote does matter!
You can contact me directly on steemit.chat, as Gandalf



Steem On
Be Safe


Glad to see that Gandalf the Grey has a white hat! :)

Thanks for custom stuff staff ;-)

Hi @gtg, I've written an article about you, check it out if you can, thanks.

21 Best Steemians Of The Day To Follow 6th August 2017

https://steemit.com/steemit/@jzeek/21-best-steemians-of-the-day-to-follow-6th-august-2017

Thank you :-)

Exactly on point sir.

(TheGreat)

Was thinking the same :P Thanks for putting some real-world examples out, @gtg. Steemit hackers be like "ain't no rest for the wicked, money don't grow in steem"... ohh wait...

Hi, sorry for the interruption, why can't I vote for a witness? Your name is not available. Thanks!

Why? What does "witness" mean?

This post received a 3.8% upvote from @randowhale thanks to @vysmek! For more information, click here!

Better be safe than sorry.
Very useful post for the Steemit and the entire Crypto community!!!

Thank you dude!

This is a good story. I even went through some of the comments. I wish stories like this would spread all over Steemit to educate and keep on reminding all Steemians how to protect their keys.

It is imperative to continue acquiring knowledge on how to safeguard your valuable assets.
Constant reminders are needed to keep new and old Steemians aware of this beautiful way of keeping the account safe.
I am still learning about Steemit. I am definitely still trying to understand the multiple needs for our account.
The point I want to make: keep learning.
I wish to see more posts about what keys to use, and it could be multiple posts.
It is important.
Thanks guys

Well, it's quite unclear.... I don't understand why anyone's surprised. Why do you need a memo key? Why are you told to keep your private keys safe but not told explicitly which keys you definitely want to immediately note down and never show anyone ever again unless you have to?

OH, and it would really solve so many problems if there was two-factor authorisation. How hard can it be if so many others have it? I think someone needs to remind the devs that it's meant to be a platform for people who are used to Facebook and Reddit, not nerdy crypto complexities that they have to pay attention to.

The thing is that Steemit is how some people are being introduced to cryptocurrency, and I don't think many people know what to do regarding transferring things to exchanges and what the memo field is for.

Private keys are what we should all hold close to us and not let anyone know. It is great that everything on the Steemit blockchain is known and nothing is hidden. A great transparent system, but it also leads to some easy theft of keys from people who don't know what they are doing.

Hopefully this will cause some people to be more cautious and maybe you will be able to help some people save some money @gtg

Thank you for spreading the word! :)

This is kind of the thing that might as well prevent Steemit from being truly mainstream as a social media platform. Even though it tries to be safe, it's a lot easier to make a crucial mistake here than on Instagram or Facebook. A short look at the tag that we both use fairly frequently, #polish, is a good reminder that a big chunk of the Steemit userbase has literally no clue about how it works and how to protect oneself, and they don't mind, they just want to blog a bit.

Nonetheless, great work; glad your username isn't saruman, as things would get dark quickly.

I think that we as a community (especially the Polish part, where English can be a barrier) should do everything to keep Steemit as a blockchain safe, but what's in my opinion equally important is to make it as accessible and simple for users as possible.
I know how confused a new, non-technical user can be at the beginning of his journey - it was quite hard to understand for me, a programmer, so what can a total crypto-newbie say? We should be for him someone he can follow and learn from... Someone like who Gandalf was for Frodo :) - although it was Frodo's own journey, Gandalf helped him to take the first, most important step.

Flip, this made me scared enough to check even more than I already do; I am always too scared to push the OK button before I am 100% sure everything is in order. Thanks for the great post, very informative :) I am learning a lot on Steemit!

This is a great reminder. I think people get so used to copy/pasting they don't realize they might have pasted their password to the public. Be safe and diversify!

This comment has received a 6.67 % upvote from @lovejuice thanks to: @theabsolute. They have officially sprayed their dank amps all over your post rewards. GOOD TIMES! Vote for Aggroed!

Hello Friend! You have an interesting blog, I will follow it and tell my friends! Good luck in your development 👍 I hope you will answer my message and do not miss it) Have a good day

Good luck friend !

Thank you :-)

Hi! I am new here and I do not know very well how this works... I have started to follow you and given you a vote too because I think you are very interesting. I hope I have done it right and I hope you can understand me because my English is not perfect. Thanks.

It is so easy to make a mistake. Make some simple rules for yourself when handling transactions:

  1. Make sure you are awake
  2. Make sure you are not distracted
  3. If you are uncertain what you are doing, don't. Or do a test beforehand to check that it's working.

Resteemed

Just voted for you as a witness, based on a good referral.

Thank you :-)

Hi @gtg, just to let you know, I am following you and voted you as my WITNESS. I am quite new here and I would also appreciate if you could comment on what you think of my last post :)

Thank you :-)

Upvoted and resteemed. It's a hard lesson to learn, and a lot harder for those not used to the crypto asset world and how blockchains function. With Steem attracting so many non-technical users, it's important to educate as much as possible about how this technology actually works behind the scenes.

Honestly, I hope that this post will hit as many vulnerable people and their accounts as possible- maybe it'll give them courage to replace their credentials with secure versions.
You can also add to the story other common mistakes:

  • not remembering passwords and depending on the browser's auto-fill,
  • the legendary 'one note for all passwords',
  • and the most dangerous - one password for all services. I think losing your main e-mail account, bank account, social media and every other at the same time is scarier than losing only a blockchain wallet.

Terrific article, and a special feeling towards this post after watching that scene from LoTR; what a classic it is.

Regards,
Ashton Kutcher

Indeed.
Please note that if you are claiming to be "the guy" (Ashton Kutcher) you need to verify your identity, otherwise it would be treated as identity theft.

Woooooo

Hi, I voted for you as my witness, just wanted to let you know.

Thank you :-)

Thanks for making us aware of the seriousness of hackers on steemit

Steem On
Be Safe

Good slogan for the situation :)

Well said. Better to learn from others' mistakes.

Our world will never be at peace if there are scammers and bad hackers. Why don't they steal more money from banks instead of stealing small amounts from us, dammit? This is very hard to solve; I think the blockchain needs to find a solution to counter this problem.

Stealing is always stealing. If you add relativity to this, you risk being in the wrong set of entities, because from the thief's subjective point of view you might be the one, bigger, that it is ok to steal from.

I know they never care about that as long as they get something. Sometimes this world is unfair for us as victims. For me they are the worst human beings, because they steal from others and make our lives miserable, as I have experienced already; it happened to me.

A few seconds later, a malicious user will take your key and replace it with his own. @naz722

Is that you doing that @gtg? It really does go to show how important it is to keep our keys safe and secured.

Losing one's steemit account is a scary thought and also very real, thanks for the reminder about the security of one's private keys.

I must go and watch The Lord of the Rings now .....

And good info.. Thank you!!

People are so careless about their private keys. Just get it tattooed on your arm so you won't lose it lol

How can I know that my account has been exposed to a security breach?

What do you mean exactly? This is a very broad subject to discuss.

You wrote that you discovered some accounts are exposed, so I ask, how would I know my account is not secure? Just scared!

If you are asking about this particular case, then don't worry, you didn't expose your private keys to the public. I've just checked your wallet; you've made a few transfers to blocktrades and each time you've used the memo key just as you should.

Thanks for looking out for people. To have access and choose to safeguard people's money is extremely commendable.

But this key-in-the-memo thing, was it part of a bug? Or just people who didn't double check what they write where?

Sometimes people are careless and don't check properly.

Not a bug. It was a human error each time.

But I saw on the original post, a fix was proposed, what do they mean by that?

Both cli_wallet and nodes are going to reject transactions that contain private key material in their memo field.
I'm not a big fan of solving it at nodes, because it is already too late. The best solution is to keep an eye on users' memo field (it has to be implemented in every 3rd party application that allows transfers) and refuse to put any key material there.
So it's not a fix that gets rid of some software bug. It is a change that would try to stop users who are willing to hurt themselves.

Oh yeah, okay, like that. It's pretty good that they try to prevent people from hurting themselves.

But why can't they just have an automated system that detects when a key is written in the memo, and the system would give a pop-up message like: 'be careful, your master key is written in the memo field' or something.

Or is this already what they are doing?

That's pretty much like this currently, but of course a pop-up message is application based, while we need to take care of the whole platform (i.e. a variety of applications), so it's on nodes. It might be good as a temporary solution; however, if someone has sent that already, then notifying is already too late.

This is crazy. Good to know a lot of this info for sure.

Great key points... We should all be vigilant in corresponding to safeguard our stuff...

It is a bit surprising.

This is insane. I agree with @ackrai when he states that a lot of steemit users aren't familiar with crypto. I hope there's a way to improve security on Steemit and prevent things like this from happening down the road!

We are doing our best (witnesses, developers, community members, etc) but it's very hard to fight with human errors like this.

better safe than sorry is always great advice

Many hackers are trying to hack. Be aware and keep your password and everything safe; don't expose it anywhere.

This is a very good post, for me this is a post worth posting. This post gives or rescues hundreds or thousands of people from theft of their code or passwords respectively. This alternative is very good to wear and very safe in my opinion. Thank you for sharing with us all that we may still not understand, and we will take good action for the future. Hopefully this news can be spread all over and people will be able to take appropriate action. For @gtg: I and maybe others are very grateful for your valuable information.

Three variants of Steem currency plus the password plus a whole bunch of public keys coupled with their private keys mean there’s a lot of room for error on the part of the less tech-savvy users.

Thanks a lot for the awareness! @extramoney @gtg

@gtg thank you for the firm reminder.

I almost put a private key instead of my post URL where the public memo is for transferring SBD to randowhale but fortunately the system warned me so I stopped in time... Thank God for the warning!

Curious... Is it good practice to change our keys periodically? Do you? And if so, how often?

Depends on how they are used and where they are used.
It is good not to use your master password or owner password at all, keeping them securely stored somewhere offline.
Use your active key only when it is explicitly needed, making sure that you are on a trusted site. For most users that means Steemit and Steemit only.
Your key would not be guessed during your lifetime unless quantum computing becomes a reality. So the only risk is in their usage. If you used a public place (internet cafe or shared PC) then change your key. Being unsure is also quite a good reason to change it, but you have to make sure that you would not lose your new keys.
Nobody can help with password recovery if you lose it.

Wow. Great info here. Thank you. Resteemed.

@gtg I put a question in Steemchat for you under @gandalf.

All is good. I updated you in chat. Thanks a bunch for this post.

Sorry for the lack of a quick reply, it usually takes me some time before I'm able to respond.

🤣 that's no problem! I changed my keys. Curious, am I correct in saying that in Bittrex, their memo field is for a memo now, not for a private memo key? Yikes!

Yes, the memo field is for tagging your transaction to help you remember details of what it was made for, etc.
That's when you are sending your transaction from Bittrex, Poloniex, blocktrades, etc.
You might notice that when you are sending to such exchanges they require you to put some special id there (never your key / secret). It's for the same reason, so they know what they should do with such an incoming transaction (match it to your account / request on that service).

Thank you very much for this important reminder. I hope I have not opened that door by mistake.

Fortunately, you are not among those who leaked their keys through the memo field.

Thank you for sharing that. I try to be careful but one never knows. Upvoted and followed.

Very important information. Also, I stored my keys everywhere, as when you lose them there is also no way of going back!! So save, save, save in sensible places to have at hand (except across your forehead and in the memo, of course!) :D

Thank you for this. I don't know much about cryptocurrency. Please help by posting more articles on this subject matter.

Thanks for the reminder... serious stuff !!

Thank you... I will do my very best to secure my password, and keep myself safe!

I have shared my private posting key with the Steemvoter, that is safe right?

That is a good question.

As long as you trust Steemvoter. That means not only trusting that the authors of such a site are not malicious, but also that their code and deployment procedures are secure enough so it won't be abused by bad actors.

The private posting key has no access to funds on your account, so in the worst case, a malicious user who steals it would be able to make/edit posts and comments, reblog and upvote on your behalf, possibly affecting your reputation, both as a number and the real one.
You can change your posting key at any time using your active key.

OK, that was a good explanation.
I think I trust them, because I see many people using steemvoter.
Thank you so much!

A few seconds later, a malicious user will take your key and replace it with his own.
If that was your owner key or master password, all you can do is start the account recovery process, which can take days or weeks, but it has to be completed within 30 days or your account is lost forever.

It might or might not work and you might or might not be eligible to use it.

After all, you have just lost your account, so don't expect miracles.
If that was your active key, you can still use your owner key or master password to quickly change that leaked key

I fear a lot of the people I am getting to join will not heed my warnings about security and will run into these issues. A lot of people new to blockchain are jumping into Steemit and don't know how important account security is. These will be non-issues in 20 years, but right now we're the pioneers of digital security.

Thank you @gtg for the great reminder to be safe and also for the tale of helpfulness to others
