How I Could Have Prevented My Account From Being Hacked

in #the-hack, 8 years ago (edited)

The Paranoid are Secure

I like to consider myself very security conscious. I mean, c'mon. I'm a mathematician. By definition, that means I am paranoid. So, when this hack occurred, I didn't know if my account was compromised. In fact, there were several mentions of hacks going on in Slack. As such, I began the process of changing my keys when that happened. Alas, I was too late, and the hacker had managed to take over my account.

Mea Culpa, Mea Culpa, Mea Maxima Culpa

Now, first off, I had no one but myself to blame. I should have updated my key authorities ages ago. I did at some point but had some issues with voting (probably user error) after a change, and so I put everything back to one common key. BIG mistake.

If my account had been properly secured, all 5 keys would have been different.

What Went Down

From the best that I could understand, I was logged into steemit using my owner key (which is a very poor operational security choice, since that is your MASTER key and is probably best kept OFFLINE) and stumbled across one of the pages with the XSS exploit. At this point, there was no hope, and my owner key (and active, posting, and memo keys) were compromised.

I had a power down scheduled on Thursday and sure enough the attacker managed to move my powered down Steem.

Who you going to call?

Developer Superheroes

Fortunately, your neighborhood friendly blockchain developers at Steem and the team at Steemit had a solution in place in a relatively short amount of time (some may call it too short and others not short enough). I confirmed to Ned via voice that my account had been hacked (he didn't answer, as he had more important business to attend to, but I left a message), and then sent Steemit an instructional email on transferring my account by giving them the corresponding public keys of some newly generated private keys. The email I sent was signed with my GPG key as a means of identity verification.

Steemit then transferred my account

1 Key to Rule Them All

Each account has 5 keys:

  1. Owner
  2. Active
  3. Posting
  4. Memo
  5. Signing

Now, the first 4 are in a hierarchy with Owner at the top. This means that anything that 4 can do, 3 can do and so on.

Owner

Your main key. Keep this offline. Secure in a vault. Dig a pit. Put it in a time capsule for your kids.

Don't put it in a safety deposit box at a bank though. They may be out of business soon with Steem knocking at their doors.

Active

2nd in the hierarchy of keys. Useful for power users and if your posting key is compromised.

Posting

For most accounts out there, this is the key you are using to post and upvote content. Guard it wisely.

Memo

You can, if you are so inclined, send encrypted messages on the blockchain to another user. Your memo public key and the person whom you are sending a message to are used in a shared secret scheme to encrypt your message.

Signing

This is used for signing blocks if you are a witness or a proof of work miner. If you mine an account, all keys default to this.
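The single-common-key mistake described above can be checked mechanically. The following is an added example, not code from the original post or from Steem: it takes a record shaped like a Steem account object (`owner`, `active` and `posting` authorities with `key_auths`, plus `memo_key`), reports keys reused across roles, and shows which roles fall when one role's key leaks, using the hierarchy as this post describes it. The key strings are constructed placeholders, and `account_auths` and the signing key are ignored as a simplifying assumption.

```python
# Hierarchy as this post describes it: owner > active > posting > memo.
HIERARCHY = ["owner", "active", "posting", "memo"]

def make_account(owner, active, posting, memo):
    """Constructed record shaped like a Steem account object (sample data)."""
    def auth(key):
        return {"weight_threshold": 1, "account_auths": [], "key_auths": [[key, 1]]}
    return {"name": "exampleuser", "owner": auth(owner), "active": auth(active),
            "posting": auth(posting), "memo_key": memo}

def role_keys(account):
    """Map each role to the public keys that can act for it on their own."""
    keys = {}
    for role in HIERARCHY[:3]:
        a = account[role]
        # A key whose weight is below the threshold cannot sign alone.
        keys[role] = {k for k, w in a["key_auths"] if w >= a["weight_threshold"]}
    keys["memo"] = {account["memo_key"]}
    return keys

def shared_keys(account):
    """Return {pubkey: [roles]} for every key accepted by more than one role."""
    seen = {}
    for role, keys in role_keys(account).items():
        for key in sorted(keys):
            seen.setdefault(key, []).append(role)
    return {k: roles for k, roles in seen.items() if len(roles) > 1}

def exposed_roles(account, leaked_role):
    """Roles lost once the key used for leaked_role is stolen."""
    keys = role_keys(account)
    leaked = keys[leaked_role]
    # Highest-ranked role that accepts a leaked key; everything below it follows.
    top = min((i for i, r in enumerate(HIERARCHY) if keys[r] & leaked),
              default=HIERARCHY.index(leaked_role))
    return HIERARCHY[top:]

# Placeholder strings, not real public keys.
ONE_KEY = make_account("STM_PLACEHOLDER_A", "STM_PLACEHOLDER_A",
                       "STM_PLACEHOLDER_A", "STM_PLACEHOLDER_A")
DISTINCT = make_account("STM_PLACEHOLDER_A", "STM_PLACEHOLDER_B",
                        "STM_PLACEHOLDER_C", "STM_PLACEHOLDER_D")

if __name__ == "__main__":
    for label, acct in (("one common key", ONE_KEY), ("distinct keys", DISTINCT)):
        print(label, "| reused:", shared_keys(acct))
        print("  posting key leaked ->", exposed_roles(acct, "posting"))
```

With one common key, a stolen posting key is also the owner key; with distinct keys the same theft stops at posting and memo, and the owner or active key can rotate the posting key back.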

Conclusion

I could have saved myself a lot of headache if I had swapped my keys early on! Here I am, supposedly security conscious, and I failed to do that.

Since the attack, I have exerted complete control over my account. Wazoo.

You can save yourself a lot of trouble with the following cli_wallet command:

update_account YOURACCOUNT "{}" OWNER_PUBKEY ACTIVE_PUBKEY POSTING_PUBKEY MEMO_PUBKEY true

Keep it steemy.


This is great advice for anyone, even if it is just a reminder. The remedy to this situation is a testament to the team, my hat is off to all who worked together in resolving this.

I agree, the response time, transparency, and overall professionalism of the team during this time has been phenomenal!

What are we supposed to do if we registered via facebook? How can I generate these different keys please and obtain my current private keys?

The devs have a solution on the way. The latest version, which has been reviewed and passes all unit tests, allows for account recovery and gives various authorities to either the top witness or to Steemit's main account. You'll see more details from the Steem team soon!

There will be additional UI changes to separate out user posted content and voting from the other roles. These could be separate sites entirely. I would like to see Steemit use separate domains for these two sites.

Sounds like there could be additional security implications in giving more authority to witnesses or Steemit itself. Do you have any thoughts on that?

I think the 30 day rule for making transfers irreversible helps a lot. Also, steemit has an incentive to try to be fair and maintain account security, while doing so in a decentralized manner in the spirit of the blockchain. Not an easy feat.

Thank you for the info, I know the steemit devs will come up with a secure solution. Everyone is going to be happy, especially all of us who have been a part of this so early on.

good question

Can you explain the cli wallet command and how it's used?

You need access to a server to compile the code and run a full node of the Steem blockchain. When connected properly, the cli_wallet is a tool for communicating the commands that you want broadcasted onto the blockchain.

Definitely a tool for power users, but it's possible to learn! There are some good guides by @steemd and many others that exist to help the newbie understand more.

Thanks for this. The hacker has powered down my account so my question is, is there any way for me to stop that? I don't yet have control of my account yet as I was in the second round of hacks. In fact I was in process of securing it when I noticed I was too late!!!!!!! Great info.

You should be safe @stellabelle. All compromised accounts are in the hands of Steemit. In addition, some additional security measures are being put into place with respect towards transfers.

Since power downs take a week, I expect you to have your account in control way before then.

Agree with complexring above, it sounds like any account changes/transfers made in the hands of the attackers are going to be reversed by the devs, so all should be well for you soon!

Thanks. I was rattled bc I've never been hacked ever before.

Sure thing! being hacked is always scary, whether it's your first time or hundredth time :P

A lot of the time you're on your own and the damages are basically gone without any hope. But it seems here the Steemit creators and devs are watching your back like a hawk, which is really lucky in a high-stakes environment like Steemit can be.

Thanks ...I like this one most ;-) "Don't put it in a safety deposit box at a bank though. They may be out of business soon with Steem knocking at their doors."

You learned the hard way - thanks for sharing what you would have done differently. I have no idea about CLI so I'm not sure how to update passwords just yet.

I've been trying to get this done for 8 days now !

If you want to secure your wallet, you may write your password in a secret note and save it! If you forget your password, you can become a stranger to your own wallet!

Thanks for not only the detailed original post but also the follow-ups with all the users here. It's invaluable.

Just doing what I can to help make this an awesome community. There were many before me who paved the way and who did amazing posts on how to do things! Most of the answers people are asking for have been around since the early days. It's just tough to find the info now without a good search mechanism.

I have changed my owner key and my active key. I'm logged in just with posting, but because I signed up with fb am I still at risk?!

For some reason I cannot log into my owner account to change my password. I originally set up a unique strong password for each of my keys. I had not logged in to them since except to test the passwords I have documented. So after the hack everyone is warned to change their password. Today I try to log into my owner account to change my password and it says my password is wrong. Would it be better if I had changed my password while the exploit was actively running? It was an XSS vulnerability so logging into your owner account would have been a bad idea so I refrained from changing my password until today. Is my account hacked?

I have the same issue. Cannot log-in with owner credentials, only posting credentials!

Same here...can only log in with posting key and all my Steem is gone...only thing left in the wallet is 'steem power'.

Yeah that facebook/reddit solution is going to be righteous.

Can we have 2FA ?

As mentioned in at least one of the announcements, it sounds like this is in the works!

so just to confirm, are you saying that we should only log in to our accounts with our posting key and that should help make our accounts safer?

The general idea is that you have 5 different keys. Owner outranks active, active outranks posting, posting outranks memo. If posting is compromised, but you still have owner or active, then you can always change your posting key back under your control.

So, yes, if you only login with your posting key AND your active / owner key is different, you are much safer.

An advisory good post!

Most probably a silly question, but is there a way to change passwords and keys if connected via Facebook?
My account is new and not much can be done with what's on board, but I would like to be sure instead of taking a huge risk in the future...

I can not on this site to find a search, if someone is a problem, unsubscribe

Wait so you're saying that I can recover my account by writing that command somewhere?:

update_account YOURACCOUNT "{}" OWNER_PUBKEY ACTIVE_PUBKEY POSTING_PUBKEY MEMO_PUBKEY true

Where and how exactly? Do I need to be running a node? Thanks!

Good post. Nice tutorial)

This is a great post, hope more and more people get this. I would recommend it to everyone who is afraid of hacking. Let's see how the devs handle it.

In my wallet appears: "Transfers are temporary disabled"

What does this mean?

perhaps this is a temporary thing until the hacking thing is fully resolved.

very useful post for me

Thank you!

Very informative post. Glad to hear the developers are working on a workaround for those that are registered through facebook as well. I just posted about the lack of 2FA on here, and how at least having the ability to secure transfers with 2FA is something that seems to have been grossly overlooked.

Thanks for the explanation and heads up.

Great simple & concise explanation @complexring. I'm sure a lot of users will find value in this as it can be a bit difficult to explain especially to those unfamiliar with crypto.

Can you tell me the best way to get up and running with a local full node? I did some browsing around earlier but all I could find was the github repo. Do I need to build it from source right now?

Thanks for the info. Next time you can put a link to a tutorial for changing the keys. Oh, and I think as we are still using beta steem it, stuff like this could happen again, so there must be a tutorial beside this post. I mean, this could be useful on steampage.

Nigga I just created an account through reddit. What do I have? Shit if I know. I've just been commenting and shit...not really caring. Do I have all 5 accounts or whatever?

I've been wondering about the same problem, and have been worrying about the security. @complexring, can you help us?

Thank you for taking the time to put this together, hopefully the masses will be helped from this info

Useful

The idea is to look up information in the posts of others..very helpful this post

Good story, dude.
Better safe than sorry, but I hope everything went well for you. You have not been hacked??

I was hacked but in the maintenance period that occurred, Steemit took control of (most) of the accounts that were compromised. I verified my identity with them and they transferred control back to me. I have since updated the authority keys I have. All are now unique.

How did you go about verifying your identity?

I sent contact at steemit.com a signed GPG message.

So if I'm seeing an "incorrect password" message when trying to login with my owner key, can I assume I was affected by this? My posting key works luckily, so I can ask these kinds of questions :)

Yes. I am guessing that they disabled logging in with an owner key. Not exactly sure what the Steemit interface is doing.

Thanks a million for all the help on making people like me more aware of such security precautions. Can you please elaborate more to newbies like myself on how to execute the cli_wallet command?

@complexring I've been wondering the same thing, thank you very much for the tutorial :D

Useful article. Thanks

Would really like Google authenticator type 2fa or hardware wallet integration!

Really nice post dude... proud to have a reliable community!

do not worry, I think the team steemit will always keep their communities stay safe from hacker attacks

Good info!

so so complicated ...need more time to learn this math ....good info ! Thanks for your time to teach

Very well written post, thank you!
I think as a whole, we don't take cyber security as seriously as we should. Especially password security, but I cannot stress enough how important they both are. Stay safe and be secure out there fellow Steemy Steemers!!

I also made a post last night about password security in the aftermath of this Steemit attack. Be safe with your accounts Steemers! :)

https://steemit.com/steemit/@decryptson/in-wake-of-steemit-hack-important

Very useful information! Thank you!

I am a newbie ... just signed up today ;-) . I figured we can log in to Steemit using the private keys (public keys for the rest of the world) and perhaps get rights on what you can do depending on what private key one used to log in. Well, this is a new type of security feature ... I guess many of us have no clue ... or am I the only one ;-)

Still wish there was a good tutorial detailing how to set up a new account with the cli wallet.

Thanks for the informative post.
