> In that sense I think the scary bit isn't that he accessed the 8 accounts, it is the fact that he identified them in the first place.

This isn't all that surprising. There are basically two reasons why you would have a Bitcoin wallet on a server: if you are mining using the CPU power of that machine, or if you need to send Bitcoins from an online application. For example, one of the people who mentioned having coins stolen was from a mining pool; you need some automated system to pay out the earnings to the people who have been doing mining, and so the wallet for that automated system was on the server, and was stolen. I suppose one further reason might be as a backup, but in that case, I dearly hope that it's an encrypted backup without the encryption keys in the server.

Given these reasons for having your wallet on the server, it's not surprising that people found them. These require network-facing services that are easy to trace back to the server in question. The mining pool is a public service; anyone can join, and find the address of the server. Furthermore, when you make payments, you announce them to the full Bitcoin network. Someone sniffing transactions can watch where transactions originate, and target that. If they already had a compromised customer service account on Linode, they probably watched the Bitcoin network for a while, made note of transactions originating from IP addresses in the Linode range, and then targeted those accounts.

One way to protect yourself from this would be to proxy your Bitcoin transactions through a host other than the one that has the wallet, obfuscating where the transactions are actually coming from. You could even go so far as to make all of your transactions via Tor, which would probably make it fairly difficult to find where your Bitcoin wallet actually lives.

> Perhaps a better approach is to keep a BitCoin wallet encrypted, since that's pretty simple to do in day-to-day life.

This is something that you can't do with your wallet -- you cannot turn your wallet into a steel vault with two-foot-thick walls. The problem is, if you need to make payouts from your wallet, then the machine that does that needs to be able to decrypt the wallet. That machine can then be compromised to be able to steal your keys. Encryption doesn't buy you all that much, unless you are just doing a backup and don't need the machine to be able to do online transactions at all.

Perhaps another solution would be to encrypt each key in your wallet separately using a k-out-of-n encryption scheme (where you produce n keys, any k of which can decrypt the wallet). You can then distribute those keys to independent hosts, which hopefully should not all be subject to the same vulnerabilities. Then any time you do a transaction, k of those hosts will need to produce their key to decrypt the key in your wallet and perform the transaction. That way you would have to compromise several different, independent hosts in order to steal the wallet. Of course, this would drastically increase the cost and complexity of the system; and you would need to ensure that whatever system authorized payments was likewise distributed, which if you had, say, a web-facing service would be difficult.

The easiest thing to do to reduce the risk is to only leave enough value in the wallets that are on the servers for a couple days' worth of transactions. Then you transfer Bitcoins from a more secure location once a day to keep the coffers full. This is not much different than a physical store; yes, you are at risk of being robbed, but if you only have one day's worth of cash there, with the rest somewhere more secure, you reduce how much risk you have.
Your more general solutions would protect from an attack that rooted a live system rather than just resetting the root password while the machine was offline.