Hurts so good: Hacked for $30,000 USD

in #cybersecurity, 7 years ago (edited)

This post was written by a community member. ADSactly was not hacked. The post is purely educational in value and to let the crypto community know the importance of their privacy, cyber security and serves as a reminder of how vulnerable we are to nefarious individuals.
100% of this post payout will go to the user who was victim of this hack!

Let's get straight to The Cryptocurrency Carnage

Here is a rundown of the $30,000 (that's right: thirty-thousand dollars) that the hacker relieved me of:

.25 BTC Stolen from my 1Broker account ($1,250 USD)

ouch
was sent to 1Km6Q7BuW6R42XKDJrCyTcqo2wrfh5m3hx

20 BCC Stolen ($1,600 USD)

the agony
was sent to 8GrJvV8pjp6CuqakoosGejHKjQERdGg55D

10,990 Pura Stolen ($5,000 USD)

I can't take it anymore
was sent to PVGA6ZuBM4uGyE59AY5DkMtH21M6TzL2kb

Exodus wallet for 1 BTC, 187 Salt, and 45 LTC (USD 8,000)

I am unable to get into my Windows VPS and take this screenshot. The hacker removed RDP access for the account.

Say Sayonara to 117,000 OKCash (USD 16,000)

Man this hurts
was sent to PTY47KXWfcJisiJwMuacGUSc4pwKPY9sLg
Losing the OKCash was the most painful, because I had been buying OKCash for the last 2 years.

How was I found?

I still recall logging into my Windows VPS and seeing someone moving the mouse around and then I began to move the mouse around as well... imagine that - almost like walking in on a thief who has robbed your home, virtual-style.

I don't know how the hacker did his dirty deed. I can only guess.

The hack occurred a few hours after I sent this message to a Discord channel:

I sent bitcoin from my Exodus wallet 2 hours ago and it still has not arrived at Bittrex. It shows as pending with 0/2 confirmations there... why is it taking so long... here is the transaction - https://blockchain.info/tx/a18f06e5f59b5b3840c208e22c5007a7ecc643ccb58ab865166498a2d8810876
(I'm trying to get into this IOP trade and good ol' bitcoin is taking its jolly sweet time going from point A to point B)

Monosnap?

By default, the screenshot tool Monosnap lists the title of the window. And I have taken plenty of screenshots that advertised the IP of my Windows VPS such as this one and posted them publicly.

Since this hack, I altered the default settings of Monosnap to remove the option of showing the window title.

Exodus? Jaxx?

In preparation for the 2 coming hard forks, and only 1 day before this hack, I downloaded a few desktop wallets. Exodus was kind enough to prompt me to back up my wallet. But oddly enough, it did not prompt me to "encrypt my wallet" - which is a fancy term for requiring a password before making any transactions.

Random port scanning?

While IP addresses are not stored in the blockchain, there are some ways to locate the IP that a transaction originated from. This, and/or random port scanning, was a definite part of the hack, because I had changed the password for my Windows VPS to something very simple about 3 days earlier:

money1

That's right. Once someone had my IP, all they had to do was guess a username of "Administrator" and a password of "money1" and they had access to $30,000 in funds. No, I don't enjoy looking like an idiot in public, but if it will snap even one person out of the delusion that this is all fun-and-games, then I have done my job.
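The attack path described above (a known IP plus a guessed "Administrator"/"money1" pair) leaves a trail on the server itself: every failed logon is written to the Security log as Event ID 4625 before a guess ever succeeds. The following PowerShell script is an added example, not something from the original post, that groups those failures by source address so a guessing run stands out. It assumes an elevated PowerShell session on the Windows server and that logon-failure auditing is enabled (the Windows Server default); the `$Threshold` value is an assumed cut-off.

```powershell
# Added example, not from the original post: summarise failed network/RDP logons
# on a Windows server by source IP, so a password-guessing run against
# "Administrator" is visible before it succeeds. Assumes an elevated PowerShell
# session on the server and logon-failure auditing enabled (the Server default).
param(
    [int] $Hours     = 24,   # how far back to look
    [int] $Threshold = 10    # assumed cut-off for flagging a source; tune for your host
)

$since = (Get-Date).AddHours(-$Hours)

# Event ID 4625 = "An account failed to log on". LogonType 10 is RemoteInteractive
# (an RDP logon screen); LogonType 3 is Network, where NLA pre-auth failures land.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Pull the named fields out of each event's XML rather than relying on property order.
$failures = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']
        SourceIp  = $data['IpAddress']
    }
}

$report = $failures |
    Where-Object { $_.LogonType -in @('3', '10') -and $_.SourceIp -and $_.SourceIp -ne '-' } |
    Group-Object SourceIp |
    Sort-Object Count -Descending |
    ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            SourceIp   = $_.Name
            Failures   = $_.Count
            Usernames  = ($_.Group.User | Sort-Object -Unique) -join ', '
            FirstSeen  = $times[0]
            LastSeen   = $times[-1]
            Suspicious = ($_.Count -ge $Threshold)
        }
    }

$report | Format-Table -AutoSize

# Anything flagged Suspicious is a candidate for a firewall block, and a reason to
# check whether a later 4624 (successful logon) came from the same address.
```

Run it as `.\Failed-Logons.ps1 -Hours 48 -Threshold 20` from an elevated prompt. A source that shows many failures across a handful of usernames ("Administrator", "admin", "user") within minutes is the pattern to look for; a lockout policy on the account stops the guessing, but this report is what tells you it was happening.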

Reflections

Centralized security isn't so bad

I have all the addresses that my coins were sent to. But because crypto can be sent anonymously and there is no central authority, there is no registry connecting identities to addresses.

I guess if you want total freedom and autonomy you better be ready to defend against those who want to misuse it.

Back up your wallet frequently

Apparently when you restore from a wallet file, the wallet needs to replay the blockchain from that point to the present. So, presumably, the more recent your wallet backup, the less time it takes to recover your funds? Please correct me if I'm wrong here.

Suggestions for Security

Diversification

I'm a firm believer in not putting all your eggs in one basket. But I did get caught with quite a few of my funds in one place, in the interest of having all of my desktop wallets in one place... and saving on monthly server costs.

If I had used 4 remote servers and distributed my wallets to those 4 places, then I would be reporting a loss of just 6 or 7 grand instead of this major setback.

ENCRYPT YOUR WALLET

If you take nothing else from this post, remember to encrypt your wallet... don't be intimidated by that term. It simply means that a password is needed before you can access funds or see the transaction overview.

None of these wallets require a passcode to withdraw funds. No bank or ATM on this planet would allow funds to move without verifying the identity of the mover in at least 2 ways.

Don't wait for the crypto-world to upgrade to bank-level security. Do as much as you can TODAY!

Harden your Windows remote server

I had all my funds on a Windows VPS (Virtual Private Server). I am lucky that the server farm that I use has 24/7 customer support. They were very responsive via live chat. That being said, I will never use them for cryptobanking because they don't have an easy way for me to harden my VPS server in the ways I discuss below.

Idle Timeout Screen Lock

Do you want to wake up in the morning to all your funds gone? Me neither. Having to enter your password every time you see an idle screen timeout may be a pain, but I can tell you: waking up to losing $27,000 is way more painful.

2-Factor Authentication is a MUST

2-Factor Authentication, 2FA for short, just means that there are additional layers of security besides just your username and password. Notice how you have to have a debit card AND your PIN before you can withdraw money from an ATM? Just having your debit card is not enough. Unfortunately, my Windows server did not have 2FA enabled.

Once the hacker guessed the username/password combination of Administrator/money1, he (or she!) was in. No need to enter a code from my cell phone, nothing. And this drag-ass security model is what you need to change if you do decide to use a remote Windows server to store your funds. Speaking of drag-ass, why was Windows Server 2012 so adamant that it was time to change my password, yet not so adamant about enforcing some rigor on the difficulty of the password?

While it does seem tortuous to set up 2-Factor Authentication on Windows, certain VPS providers have made it easy. For instance, you can be done with the process in a few easy steps at ServerIntellect. And if I return to using a remote Windows server for cryptobanking, I will require at the very least what ServerIntellect is offering and will never accept anything less as legitimate for cryptobanking.

Restrict IP access

If you are the only one accessing your machine, do not allow any and all IP addresses to access your machine. Restrict remote access to the address(es) you actually connect from.

Change the administrator username

On a daily basis, my WordPress site receives about 5-10 attempts to break in using the admin username.

That's right. A measly WordPress site with a bunch of meaningless posts. So if there is that much interest in wrongdoing for a measly WordPress site, imagine how many more bad guys must be out for my money! Actually they are out for my currency, not my money, but we don't need to get into the differences now.

So yes, change the username from Administrator.
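The hardening steps in this section (enforce password strength, lock idle sessions, restrict which IPs can reach RDP, rename Administrator) can all be applied from one elevated PowerShell session on the server itself, without waiting for a provider to offer a button for them. The script below is an added example and is not from the original post, ServerIntellect, or any VPS provider's tooling. It assumes PowerShell 5.1 on Windows Server 2016 or later (`Rename-LocalUser` needs that; the remaining steps also work on 2012 R2), and every value in the `param` block is an assumed placeholder to replace with your own. It also turns on logon-failure auditing so that guessing attempts leave a record.

```powershell
# Added example, not from the original post or any VPS provider's tooling.
# Applies the post's hardening steps to a stand-alone Windows server from one
# elevated PowerShell 5.1 session (Windows Server 2016+ for Rename-LocalUser;
# the other steps also work on 2012 R2). Every value in the param block is an
# assumed placeholder: replace with your own.
param(
    [Parameter(Mandatory)] [string] $AllowedRdpIp,      # the one public IP you connect from
    [string] $NewAdminName = 'ops-admin-EXAMPLE',       # assumed replacement name for "Administrator"
    [int]    $IdleMinutes  = 10                         # lock / disconnect idle sessions after this
)

$ErrorActionPreference = 'Stop'

# 1. Password policy and lockout. The server forced rotation but never forced
#    strength, which is how "money1" got through. secedit applies the local
#    policy: complexity on, 14-char minimum, lock out after 5 bad guesses for 30 min.
#    (Single-quoted here-string so $CHICAGO$ is not expanded as a variable.)
$inf = @'
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 1
MinimumPasswordLength = 14
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
[Version]
signature="$CHICAGO$"
Revision=1
'@
$infPath = Join-Path $env:TEMP 'hardening.inf'
Set-Content -Path $infPath -Value $inf -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'hardening.sdb') /cfg $infPath /areas SECURITYPOLICY | Out-Null

# 2. Rename the built-in Administrator so the username is no longer a given.
#    The SID is unchanged, so anything that referenced the old name must be updated.
if (Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue) {
    Rename-LocalUser -Name 'Administrator' -NewName $NewAdminName
}

# 3. Restrict RDP to one source address: scope every rule in the built-in
#    "Remote Desktop" firewall group to $AllowedRdpIp; all other sources are dropped.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $AllowedRdpIp

# 4. Require Network Level Authentication, so a client must authenticate before
#    it is ever shown a logon screen.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                 -Name 'UserAuthentication' -Value 1 -Type DWord

# 5. Idle timeouts: disconnect idle RDP sessions (policy value is in milliseconds)
#    and make the current account's screen saver lock its session on timeout.
#    The HKCU values apply to the account running this script, from its next logon.
$ts = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $ts -Force | Out-Null
Set-ItemProperty -Path $ts -Name 'MaxIdleTime' -Value ($IdleMinutes * 60 * 1000) -Type DWord

$desk = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $desk -Name 'ScreenSaveActive'    -Value '1'
Set-ItemProperty -Path $desk -Name 'ScreenSaverIsSecure' -Value '1'
Set-ItemProperty -Path $desk -Name 'ScreenSaveTimeOut'   -Value ([string]($IdleMinutes * 60))

# 6. Record failed logons, so a guessing run shows up in the Security log
#    (Event ID 4625) instead of happening silently.
auditpol /set /subcategory:"Logon" /failure:enable | Out-Null

# 2FA for RDP is not a built-in switch on Windows Server: it needs an MFA agent on
# the host or a provider that wires one in (the post names ServerIntellect as one),
# so it is not configured here.
Write-Host "Hardening applied. RDP is limited to $AllowedRdpIp; reconnect as $NewAdminName."
```

Run it as `.\Harden-Rdp.ps1 -AllowedRdpIp 203.0.113.10` (a documentation-range address used here as a placeholder) from an elevated prompt while you are already connected, and keep that session open until you have confirmed a fresh connection from the allowed address works under the new username; the firewall change takes effect immediately, so a typo in the address locks you out along with everyone else, and the provider's console is then the only way back in.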

Conclusion

  • You are running your own bank. Treat it like one. Seriously. Whenever you log in to your online banking service, take note of the hoops of fire they require you to burn your ass on before you get access to your funds. And then make sure you have just as many hoops of fire on your funds. Either that or you may be the next guest star on "Cryptocurrency Carnage: How Much Money Did The Next Fool Lose and How?!".

  • There are no mistakes in this universe. Everyone gets what they deserve. At least I would like to think so. What do you feel? Do you think this is karmic retribution for something I did in the past? Please share in the comments whether I am a poor innocent victim of a ruthless thief. Or whether I am getting what I deserve for past violations of The Golden Rule.


Sorry to hear about this @adsactly. I think you have a very healthy response and appreciate your efforts to educate others. I hope that your mindset and attitude even in bad situations will help you earn much more than was stolen from you in the long run!

This type of thing is one of the main reasons I think that Steem has really big potential to become a mainstream cryptocurrency. It's the only one I know of that has both a vesting option where you can effectively lock up your tokens and an account recovery system which allows you to regain control of your account if your owner keys are stolen.

These things will be absolutely necessary for mainstream adoption of any cryptocurrency.

damn - that sounds painful...

The last time I "nearly" f*ed up was when I reset my browser cache before realising that this would also clear my BitShares Wallet. Thankfully I had downloaded the backup. But still... mistakes happen..

I was in pain reading this, I am sorry for what this hacker did.

I profoundly appreciate the empathy @abcasper. It does lessen my burden. Thank you for your kind thoughts.

Holy**** That's really bad ... I'm thinking if all this had happened to me man I wouldn't have taken it like you did ... You really have the heart of a lion

The experience you wrote in this blog is very useful for us who just started in that field. so, thanks for sharing and I'm asking permission to reblog your posting

oh yes, RESTEEM to your heart's content and link far and wide!

you are very brave to share it, it is truly very nice of you to do so ! I will definitely make sure to get 2factor authentication. This can happen to just anyone so we should not be naive.

Like you say, if we want to be our own bank than we should also realize that we carry the responsibility ourselves to make sure that our money is safe.

Thanks for sharing and really so sorry to hear that this happened to you !

Thank you @dandesign86 - everything is a part of our evolution as a species. I firmly believe that everything is co-created, including this. Think how boring life would be without cops and robbers, cowboys and indians. The truly aware person is aware that: the world is in them. They are not in the world.

Very nice comment and I understand your point; there has to be this balance, this struggle, in order for further development!

No, I think that the truly true truth is that the world is outside us, and we are physical beings that exist inside reality.

The universe is outside us, and we are made of the universe, and our minds are like a computer.

The computer thinks thoughts inside of its CPU.

We think thoughts inside of our brain.

But outside our brain is true, raw reality. It is beyond our mortal senses often, thus we might think that the world is within us. But it is not.

There is not a matrix reality running inside our head.
We live in the real thing. The true reality is outside us, and we are part of it, but we do not create it.

We are mere animals, evolved chemical-reactions that have become intelligent, but not intelligent enough to truly comprehend the reality of reality.

Wow... so so sorry for your loss @adsactly this is truly eye opening. I'll begin to pay more attention to my own online security because these days, security can easily be breached.. this is quite heartbreaking, I don't even know what I'll do if this happens to me, thank you so much for sharing. All your security advice has been fully noted, take care

Thanks @evelynbelle, it was me, a Grand Founder and Overseer within ADSactly, that got hacked. Not ADSactly itself.

Oh... forgive my misinterpretation, but still it's sad... I hope you're able to completely recover from your loss soon... cheers!

Painful to say the least.
IMO, you should consider setting up a dedicated hardened computer just for that + cold wallet

yeah, $30,000 in crypto... devote $5,000 to a local computer instead of risking 30k out in the wild .. not a bad idea ;)

It's my understanding that you could live for 2 years or more in many parts of the world on that type of money.

30k is certainly a sizeable sum of money, but you can't live comfortably in the USA on that sort of bread for more than 3-6 months in general.

It's my understanding that you could live for 2 years or more in many parts of the world on that type of money.

Yes, you could. $5k would allow somebody to live for 2 years in the Philippines. They would need a room with shared internet though because that wouldn't fit in the budget.

$30k? A family could live for multiple years on that. 2 years? You must be kidding. ;)

Sorry to hear about your loss. It's a big price to pay for a #flearn (fail + learn). But ultimately, it all makes us smarter.

Great article, cybersecurity cannot be taken lightly. I've been doing a much better job recently with storing my coins in hardware wallets. This article is really informative, and definitely should be read by everyone in cryptocurrency.

If you don't mind checking out my article I wrote yesterday, I covered the difference in SMS and App based 2FA:

https://steemit.com/cybersecurity/@investoranalysis/sms-two-factor-authentication-is-very-unsecure

Wow. That is a wake-up call for all of us. I am sorry you lost so much money. That really sucks.

Thank you for sharing this. Hopefully your purpose of sharing your misfortune will help the rest of us avert one.

Thank you @mgood. You made my day by saying that you received a wakeup call. I'm glad my efforts paid off. This is the article that I wish I had seen when I started in cryptocurrency seriously 1 year ago.

In my opinion, sometimes bad things happen, not because we are receiving payback for some undefined evil we did in our past but just so we may learn some valuable lessons that are essential for our further growth and development.

So while I don't think that this is a mistake, I also don't believe the universe is punishing you. I think you should embrace the lessons embedded in this event and see it as an opportunity for growth. All the best!

Too bad. I'm sure it hurts. I have learned a lot from this. Thank you.

Boy did it hurt. I would wake up in the middle of the night thinking about it. However, I was once at the Hare Krishna temple and heard a person say:

you know you are growing spiritually when someone does something wrong to you and you pray for them

Of course the person was right. Spiritually, I'm not there yet. I hope you heal soon.

sorry to hear this i use blockchain.info which sends me email to authenticate, also use lastpass, will be buying trezor cold wallet too

OH!! Man!!!

lol... i can feel the impact! Thanks for the comment :) On the bright side, ADSactly has made a heroic gesture of paying me all the funds for this post. Normally only a certain percentage goes to the writer and the rest to our growth fund.

In light of God's words, there is no karma, there is no golden rule.
In His sovereignty, He said in Deuteronomy 31:6 -"Be strong and courageous. Do not be afraid or terrified because of them, for the Lord your God goes with you; he will never leave you nor forsake you."
His ways are higher than our ways my friend. Learn from your experience and thank you for sharing your life to us.

God bless you always @adsactly!

This is not so good, I do not know if we had any recovery options for the lost assets then it would be better.

yes, centralized security and AML/KYC requirements are not so bad in light of things like this.

I just hope they will realize it is not their right. and will give back to you. Hopefully there will be no further casualties. Because it's a very dirty way done by people who have no ethics, do not want to try hard, just want to live well without having to try hard. be patient my friend.

Hackers are sick savage, however I did hacking before but only pentest and for educational purpose only.

Oh dude that is shitty shitty luck. All I can say is I doff my cap to you for approaching it in a positive way and advising others how to minimise their own mistakes...I wish you good luck in regaining even more wealth as a result, everything happens for a reason. Patronising to hear sometimes but it is true!

Sorry to hear that.
Thanks for the advice.

About the wallet backup, you can't recover your funds. The backup consists of your private key and your password. The backup gives you a way to access your wallet in case you lose your private key or your password. But your funds are already gone to the hacker. The backup helps you in case your hard drive dies, for example. Good luck, and thanks for the post.


You should be wary of any service designed to store your money online. Many exchanges and online wallets suffered from security breaches in the past and such services generally still do not provide enough insurance and security to be used to store money like a bank. Accordingly, you might want to use other types of Bitcoin wallets. Otherwise, you should choose such services very carefully. Additionally, using two-factor authentication is recommended.

In general hot wallets are a bad idea for large amounts of money. Leaving it on a Windows VPS seems like an exceptionally bad idea...

yeah, I got sucked in the the proof-of-stake allure. Notice that 4 of the 5 coins that were taken were POS coins...

and why would the Exodus wallet, with all of its sleekness in reminding us to backup our wallet, be completely mum about reminding us to encrypt our wallet?

But, @yogi, what would you say is a better idea for securing large amounts of money?

Ah didn't realise those were POS coins. I use cold storage for large amounts and multisig hot wallets for small daily transactions...

Daily I learn something new from your posts. Love to read them.

It's unfortunate that this occurred, however the summary of this boils down to what security professionals already know - people are your weakest link. I've been working in cyber security roles for almost a decade now and it amazes me when I read articles like this.

There was serious investment involved, you knew there were threats and vulnerabilities and therefore also knew there was risk. It does not appear that an impact assessment was even considered in this scenario. Risk = Threat * Vulnerability (this is Asset Value * Exposure Factor = SLE or Single Loss Expectancy * ARO or Annual Reoccurrence), these together are the formula for risk and provide the ALE or Annual Loss Expectancy. Things will happen, one must plan in advance for them and there is a cost associated with them, monetary or other means.

With all that in mind, the simple answer here was - you had serious investments. Did you not think to invest anything to protect them?
Did you consider how or what threats might impact you and how you might mitigate them? What about auditing and accounting - not your digital assets but the access to them?

Example, if you accessed information from a VPS (I speculate for a concept of anonymity), you mentioned a form of identification and authentication (a password) but regardless of 2FA, what forms of authorization were in place and what was there to ensure that auditing and accounting could be done so that the confidentiality, integrity and availability were maintained?

Folks, simple answer here - think about what you have that you are attempting to secure, from whom and what can be done to address the risks remaining. It's simple, people do this daily and while I feel the "swans" playing their song in this thread - clearly this individual did not exercise either due care or due diligence - the only fault is their own.