I was hacked @MTGOX #bitcoin – 3 reasons I am not worried

I have been violated. It is a sobering experience. Username, email and hashed password available on the Internet in a prime database for script kiddies, Lulzsec et al. I now have some sympathy for RSA. Actually, hang on a sec. No I don't. I actually did what I preached. Read on for three simple strategies that gave me comfort after having my details compromised as part of the MTGOX bitcoin hack.


Aside: why Bitcoin? I will let you Google the arguments for and against. There has certainly been enough coverage lately, even on Techmeme and Hacker News. For me it boils down to:

  • I am an infosec geek and the idea of a non-fiat virtual currency that has built-in inflation controls, is less vulnerable to manipulation by special interests and central governments, and is rooted in good crypto appeals to me
  • I am a disciple of Peter Schiff and Nassim Taleb, so for the same reasons I am long gold and short the US dollar. I was not in a position to exploit Y2K, the dot com boom or the 2008 housing bubble. The potential for a massive return on any of gold, short USD or bitcoin in the next few years is too good an opportunity to miss. Bitcoin could work. It could fail completely. However, for a very limited, capped downside and very little effort there is the potential for a very large gain. I hope that all three provide exposure to positive black swans with a capped loss in case of a blowout.

So what about all the hacking? MTGox, Trojans, individuals having their machines raided for bitcoins. Well, remember why people rob banks: that is where the money is. This is the equivalent of the Ned Kelly (showing my roots) or Jesse James Wild West days. Banks were not very good at protecting themselves back then. After hundreds of years and billions of dollars invested you could argue they still suck. Unfortunately for bitcoin, in the Twitter age you have to secure at lightning speed and any failure is broadcast to the world instantly. But you know what? If you want to take a punt and potentially be the next Rothschild, start a bitcoin bank and/or trading exchange. Put the security in place, hire your sheriffs, and guarantee deposits and holdings.

So the three strategies that gave me peace of mind when my username, email and MTGOX password were exposed:

  • 1. Long complex password. Yes, size does matter. It is simple, but like SQL injection, Cross Site Request Forgery (CSRF) and the rest of the OWASP Top 10 that led to compromises like this, hardly anyone does the simple things well and does them consistently. My strategy is to use a phrase I can remember, which has upper case, lower case, numbers and symbols, about 10 characters long. Then I add a "salt", a unique random value per site / service. This salt is stored in LastPass and 1Password. I do this because even password vaults can be compromised and have security vulnerabilities, and splitting the secret reduces the centralized risk. Practically, for those I use frequently I can remember the salt, so for apps that do not let you switch to a password manager and back on the iPhone or iPad this is particularly handy. Total password length is about 15 characters and complex. Even with a botnet of GPUs this would be a challenge to brute force, rainbow table or dictionary attack. If I ever need to update the password because of silly password expiry rules, I just need to change the random salt.
  • 2. Unique password for each site. With the above system I have a unique password on each site, but by using the common phrase I get less of a usability trade-off. Putting the salt first, so the password manager can auto-fill it, and then typing the phrase makes it work practically. Therefore, even if point 1 above fails and the password is discovered in clear text, the attacker does not automatically gain access to every other site. In situations like this I also do not have the headache of changing hundreds of passwords, or of worrying whether one or more is compromised in the time interval. The recent hacks have demonstrated that even your "do not care" sites should have unique passwords, unless you absolutely do not care if they and other "do not care" sites are compromised. Where the site allows, I also try to register with the additional plus, e.g. rakkhi.s+mtgox@gmail.com. This little trick still gets email delivered to my inbox and allows for easy identification of spam and illegal sale of information. There was an idea on HCanaryN a while back which is also good, if you can live with having one unread email.
  • 3. Two factor authentication. Google in their awesomeness locked my account and informed me there was suspicious activity detected. I also had the peace of mind of knowing that I had two-step verification enabled on Gmail. So again, even if they got my password it is not automatic entry into my email. I use two factor wherever it is offered, e.g. PayPal (both Yubikey and mobile SMS), LastPass (Yubikey), my business banking (RSA for now).
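The three strategies above, worked through in code. This is an added example written for this page, not the author's own tooling nor anything from LastPass, 1Password or Google: the function names (new_site_salt, site_password, residual_entropy_bits, plus_address, leaked_tag, hotp, totp, verify_totp, login) and the 6-character salt length are my assumptions, the phrase and salts in the demo are constructed, and the HOTP/TOTP part is a straight RFC 4226 / RFC 6238 implementation of the kind behind Google's two-step verification codes. The login check compares a plaintext password for brevity; a real service would verify a slow password hash instead.

```python
import hashlib
import hmac
import math
import secrets
import string
import struct
from typing import Optional

# Character set for the per-site random part (the post's "salt").
# Note: this is a per-site secret prefix kept in the password manager,
# not a password-hashing salt; the service never sees it separately.
SALT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def new_site_salt(length: int = 6) -> str:
    """Random per-site prefix, generated once and stored in the manager (assumed length)."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def site_password(salt: str, phrase: str) -> str:
    """Salt first (auto-filled by the manager), memorised phrase typed after it."""
    return salt + phrase


def residual_entropy_bits(salt_length: int, alphabet: str = SALT_ALPHABET) -> float:
    """Guessing work left for site B once site A's password leaks in clear text:
    the shared phrase is then known, so only the per-site part is still secret."""
    return salt_length * math.log2(len(alphabet))


def plus_address(local: str, domain: str, tag: str) -> str:
    """Sub-address in the rakkhi.s+mtgox@gmail.com style for one service."""
    return f"{local}+{tag}@{domain}"


def leaked_tag(address: str) -> Optional[str]:
    """Recover which service an address came from when it turns up in a dump or spam."""
    local, _, _domain = address.partition("@")
    _, plus, tag = local.partition("+")
    return tag if plus else None


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c, len(code)), code)
               for c in range(counter - window, counter + window + 1))


def login(expected_password: str, totp_secret: bytes,
          password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass: a password lifted from a dump is not enough on its own.
    (Plaintext comparison is a simplification; store and verify a slow hash in practice.)"""
    password_ok = hmac.compare_digest(expected_password.encode(), password.encode())
    return password_ok and verify_totp(totp_secret, code, unix_time)


if __name__ == "__main__":
    phrase = "C0rrect!Horse"                      # constructed memorised phrase
    salt_a, salt_b = new_site_salt(), new_site_salt()
    print(site_password(salt_a, phrase), site_password(salt_b, phrase))
    print(f"{residual_entropy_bits(6):.1f} bits left once the phrase is known")
    print(leaked_tag(plus_address("rakkhi.s", "gmail.com", "mtgox")))
    rfc_secret = b"12345678901234567890"          # RFC 4226 / 6238 test secret
    print(totp(rfc_secret, 59), login("x", rfc_secret, "x", totp(rfc_secret, 59), 59))
```

The residual entropy number is the caveat worth knowing: with the phrase exposed by one plaintext leak, a six-character random part is only about 37 bits, which is within reach of a GPU cracker against a fast unsalted hash, so make the per-site part longer than the phrase rather than shorter if you adopt this scheme. The test values used in the demo are the published RFC 4226/6238 vectors (counter 0 gives 755224, time 59 gives 287082).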

Summary:
  • Make a large number of small bets on things that have a capped downside and low effort but an extremely high potential upside
  • Use a long complex password and store all or part of it in a password manager
  • Use unique passwords per site, even the low priority ones
  • Use two factor authentication where possible

Related posts:

Good tool to see if your email account has been exposed in recent events: http://shouldichangemypassword.com/

