A "community of active intruders" often drains virtual wallets within a few minutes of their activation
Photo: NoHoDamon

Hackers have pulled about $103 thousand out of Bitcoin accounts protected by alternative security measures. That is the figure given by researchers who have tracked transactions on the Bitcoin network for several years, and it is only a small fraction: the part that was actually recorded. The problem concerns accounts protected by easy-to-remember passwords instead of the long cryptographic keys that are normally used. These are the so-called "brain wallets": the user comes up with a passphrase, runs it through a hash function, and gets a cryptographic key as the output. You then only need to remember your secret phrase, not the key itself. Convenient? Yes. Safe? It turns out not.
Approximately 900 accounts whose owners used “brain passwords” to create the private keys needed to withdraw funds have been drained by digital burglars. In many cases the vulnerable accounts were emptied within minutes or even seconds after being activated and going online. Meanwhile, for years Bitcoin users have preferred to memorize passwords rather than keep crypto keys, considering this method safe and convenient. Experts warned that this was a mistake, but the warnings did little good.
Cracking an account protected by a “brain wallet” is no problem for an attacker. Not long ago at Defcon, a technique for hacking such wallets was demonstrated that clearly showed how unreliable passwords are. Accounts without salt, but with memorized passwords, were cracked in a split second, and the attackers hacked whole groups of accounts at once. It should also be remembered that the blockchain records the data derived from these hashed passwords, which hands hackers the information they need to check their guesses.
The problem with this method of protection is its predictability. The researchers report frequent use of phrases such as “say hello to my little friend”, “to be or not to be”, “Walk Into This Room”, “party like it's 1999”, “yohohoandabottleofrum” and the perfectly simple phrase “Arnold Schwarzenegger”.
Over the six-year observation period, network security researchers identified 884 successful attacks in which intruders diverted 1806 bitcoins. The total value of the coins at the exchange rate at the time of the theft was $103,000. Most of that amount was stolen from the 10 richest wallets. The experts published a detailed analysis of the situation in their paper on the Bitcoin Brain Wallets.
To detect brain wallets and crack them, the researchers tested around 300 billion passwords taken from 20 sources, including Urban Dictionary, the English-language Wikipedia, the passwords leaked from the gaming site RockYou, and others.
All these passwords were run through the hash function (SHA-256) to obtain a list of candidate keys, which was then tested against real wallets. Elliptic-curve cryptography was used to find the public key corresponding to each private key. Since the blockchain contains information about every wallet in the network, the specialists were able to determine when a candidate password had actually been used by a real user of the system.
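The derivation described in the two paragraphs above, as an added example written for this page (it is not code from the article or from the researchers' paper): the passphrase is hashed with SHA-256 to give the private key, and scalar multiplication on secp256k1 gives the matching public key. The curve constants are the public secp256k1 parameters; `random_private_key` and `salted_private_key` (PBKDF2 with an assumed iteration count) are added for contrast and are not part of the scheme the article discusses; the sample phrase is constructed.

```python
import hashlib
import secrets

# secp256k1 domain parameters (the curve Bitcoin uses; public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
G = (GX, GY)


def on_curve(point):
    """True if (x, y) satisfies y^2 = x^3 + 7 over GF(P)."""
    x, y = point
    return (y * y - (x * x * x + 7)) % P == 0


def _add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p1 == -p2
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def _mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def brain_wallet_private_key(passphrase):
    """The scheme in the article: the unsalted SHA-256 digest of the phrase *is* the key.
    Deterministic and unsalted, so anyone who guesses the phrase gets the same key."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def public_key(private_key):
    """Compressed SEC1 public key (33 bytes) for a 32-byte private key."""
    d = int.from_bytes(private_key, "big")
    if not 1 <= d < N:
        raise ValueError("private key outside [1, N-1]")
    x, y = _mul(d, G)
    prefix = b"\x02" if y % 2 == 0 else b"\x03"
    return prefix + x.to_bytes(32, "big")


def random_private_key():
    """What an ordinary wallet does: 256 bits from the OS CSPRNG, no human-chosen input."""
    while True:
        k = secrets.token_bytes(32)
        if 1 <= int.from_bytes(k, "big") < N:
            return k


def salted_private_key(passphrase, salt, iterations=200_000):
    """A salted, iterated derivation (PBKDF2-HMAC-SHA256; iteration count is an assumption).
    The salt makes one precomputed list useless across users and the iterations slow
    each guess down, but a short phrase still carries far too little entropy."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=32)


if __name__ == "__main__":
    phrase = "to be or not to be"   # constructed sample, one of the phrases the article names
    priv = brain_wallet_private_key(phrase)
    print("brain wallet key :", priv.hex())
    print("public key       :", public_key(priv).hex())
    print("random key       :", random_private_key().hex())
```

The point to take from running it: the only secret input to `brain_wallet_private_key` is the phrase, so the key is exactly as strong as the phrase is hard to guess, and the same phrase yields the same key for everyone. `random_private_key` draws from the full 256-bit space and has no such shortcut, and `salted_private_key` shows what the "accounts with salt" mentioned above gain: a per-user salt and slow iteration, which raises the cost of each guess without fixing the entropy problem.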
Interestingly, some of the burglars returned the stolen funds: Reddit users Robin Hood and Little John gave the money back to people who could prove that the hacked wallet belonged to them.
The conclusion? A person cannot come up with a sufficiently strong password, so a “brain wallet” is a vulnerable way to protect a Bitcoin account. Some information security experts had warned of this vulnerability before, and more than once, but it led to nothing. Perhaps now the situation will change for the better.