I'm back, 1 Week without Steemit, The hack, Social engineering gone wrong and where to next..

in #steem, 8 years ago

I'm back :) - it's been tough.

So I have been absent from the Steemit party for the last week because my posting key was compromised! Sad story but true. It has been a tough week watching all the new users coming to the platform and great posts coming in thick and fast; there were also some very sad moments when users such as @katecloud put a huge amount of effort into creating a great post regarding her hiking trip and then watched it be defaced by the attacker :( .. Don't worry, Kate has recovered her keys and is back in action!

I'm sure you were all aware that some JavaScript was hidden inside an HTML IMG tag that leaked the keys from your browser; thankfully I had some good practices in place and the only effect of the stolen key was that the hacker could post or comment with my account; seemed like he was too busy to even bother; he was busy trying to drive a truckload of STEEM and SBD out the Steemit gate and off to freedom.

Social engineering gone wrong; the hack was discovered

I first noticed something suspicious when Ned left me a comment under the compromised post saying "Dan was having issues transferring between Steem and Steem dollars, are you having this issue?"... sus!!

Little did I know at the time, my posting key was already compromised and this was just a ploy to have me log in with my active/owner key so that the hacker could hijack them. Sneaky bugger! Luckily enough Ned was on Slack; I questioned his comment as it seemed out of character and his response was "what comment?"; to which I provided a copy and paste of the comment and pointed him to the post in which it was left... Ned went silent; dead silent....
At that stage I knew something was wrong; really wrong; I got that impression from his first response given the comment had only just been made, but his silence said more than enough. It was 2am in my local time and I had gotten out of bed to question Ned regarding this comment; I was freezing but could not take my eyes off the screen. After 10 minutes of nothing I went to bed knowing that something was amiss but comforted by the fact that Ned was aware and if needs be the full development team would be on board and working till all hours of the night to get it fixed.

The Recovery process


Sure enough, the next day I started as I do every morning (with Steemit + cup of coffee) and found red 'Security Warning' banners plastered all over Steemit. I finished my coffee and booted up my PC to change my posting key and found that my account had been locked!! Damn! This was due to the great work by the Steemit team having the issue diagnosed and damage contained sometime while I was sleeping. I contacted support as instructed by the warning message and began pressing F5 like a madman; what would I do without Steemit!


I gave Ned and the team some space as I could see from the security update that they had their hands full minimising damage, contacting exchanges, creating restore plans and tracking down the attacker. At 5pm my time, Ned was surprisingly still on Slack; this is very unusual. I sent him a quick message and he responded within minutes regarding plans for restoring my account going forward. I checked his profile when he mentioned he needed to get some rest and start fresh tomorrow.... IT WAS 5AM!! That's why he is never online; the sun would have been starting to rise and he had been up all night; no doubt with the rest of the Steemit team resolving the issue..
His account went dark, then a few hours later he was back online and the team was hard at work; I can only imagine the hours that the team has put in over the last week. That is dedication for you!!

Going forward


So with the recovery system in place we now have some recourse if this sort of occurrence should happen in the future, but the effects could still be devastating if your active or owner keys are compromised; even your posting key could be used to tarnish your account and its reputation if the hacker was to deface your posts or act in an unsociable way towards the community.

I have decided going forward I will be using the following security practices (the first three I am already practising):

  • Log in at all times with the posting key unless active authority is required - this is paramount!!
  • Log in using the keys for each role (username/posting, username/active and owner) and not the master password
  • When using my active key, I will not be using the 'keep me logged in' checkbox. I will log in, do the action, then log out.
  • I will have a separate browser (completely separate installation - not a new window) for use when logging in with Active or Owner keys; this browser will not be used for any other purpose whatsoever; it will also not browse posts or click links.
  • The second web browser will be configured in privacy mode and not retain any temporary files once closed.
  • I will be using a script blocker such as the ScriptSafe browser extension for Chrome or NoScript for Firefox, configured to block scripts in my active/owner browser. Note: Steemit requires scripts to function so I have Steemit allowed. Given this browser will not browse any other content or even Steemit posts, this step is not required but will make me feel better.

I am very excited to be back in the Steemaction!!


Log in using the keys for each role (username/posting, username/active and owner) and not the master password

Will this be possible in the new interface? I have a feeling the interface has been over-simplified and does not allow you any more to set a separate password for the active/owner key.

This is a great question, and one that I have actually asked the dev team as well (only a few hours ago); before being locked out I had a different password on every role; to my surprise today when I logged in that did not seem possible from the WebUI. For the time being I am using the private keys of each role as the 'password', which allows me to log in without using my master password.

I'm sure the method we know and love is available within the CLI wallet, as you would just need to use a password to derive a set of keys and set the public key to the particular role; but hoping this feature will come back into the WebUI.
For the time being I am using the following format for my username: username/role
along with the private key which is available from within the permissions tab.

free secrets sell?)

Welcome back steempower! You survived the hack, and have come out stronger, I'm sure. Loved your posts about Steem and cryptocurrencies. Look forward to seeing more great content from you. :)

And I'm going to follow your security advice right away. Thanks!

it did take a while to fix everything and was frustrating, know how you feel

okay all looks good, welcome back @steempower !!!
say something to the team steemit

WELL, stick me in a box and call me a sandwich!
WELCOME BACK!

Damn the OG steempower back in action. Welcome back you beautiful bastard!

Welcome Back and thank you for sharing your experiences. I'm going to improve my security over here as well. You are a great teacher. I just made a post talking about how people are going to make millions teaching other people about Steemit. https://steemit.com/steem/@brianphobos/millionaires-will-be-minted-by-just-teaching-steemit-to-new-users-proof-inside-and-discussion-on-the-problems-of-teaching
