How I Could Have Prevented My Account From Being Hacked

The Paranoid are Secure

I like to consider myself very security conscious. I mean, c'mon. I'm a mathematician. By definition, that means I am paranoid. So, when this hack occurred, I didn't know if my account was compromised. In fact, there were several mentions of hacks going on in Slack. As such, I began the process of changing my keys when that happened. Alas, I was too late, and the hacker had managed to take over my account.

Mea Culpa, Mea Culpa, Mea Maxima Culpa

Now, first off, I had no one but myself to blame. I should have updated my key authorities ages ago. I did at some point but had some issues with voting (probably user error) after a change, and so I put everything back to one common key. BIG mistake.

If my account had been properly secured, all 5 keys would have been different.

What Went Down

From the best that I could understand, I was logged into Steemit using my owner key (which is a very poor operational security choice, since that is your MASTER key and is probably best kept OFFLINE) and stumbled across one of the pages with the XSS exploit. At this point, there was no hope, and my owner key (and active, posting, and memo keys) were compromised.

I had a power down scheduled on Thursday and sure enough the attacker managed to move my powered down Steem.

Who you going to call?

Developer Superheroes

Fortunately, your neighborhood friendly blockchain developers at Steem and the team at Steemit had a solution in place in a relatively short amount of time (some may call it too short and others not short enough). I confirmed to Ned via voice that my account had been hacked (he didn't answer, as he had more important business to attend to, but I left a message), and then sent Steemit an instructional email on transferring my account by giving them the corresponding public keys of some newly generated private keys. The email I sent was signed with my GPG key as a means of identity verification.

Steemit then transferred my account

1 Key to Rule Them All

Each account has 5 keys:

  1. Owner
  2. Active
  3. Posting
  4. Memo
  5. Signing

Now, the first 4 are in a hierarchy with Owner at the top. This means that anything that 4 can do, 3 can do and so on.

Owner

Your main key. Keep this offline. Secure in a vault. Dig a pit. Put it in a time capsule for your kids.

Don't put it in a safety deposit box at a bank though. They may be out of business soon with Steem knocking at their doors.

Active

2nd in the hierarchy of keys. Useful for power users and if your posting key is compromised.

Posting

For most accounts out there, this is the key you are using to post and upvote content. Guard it wisely.

Memo

You can, if you are so inclined, send encrypted messages on the blockchain to another user. Your memo public key and that of the person you are sending a message to are used in a shared secret scheme to encrypt your message.

Signing

This is used for signing blocks if you are a witness or a proof of work miner. If you mine an account, all keys default to this.

Conclusion

I could have saved myself a lot of headache if I had swapped my keys early on! Here I am, supposedly security conscious, and I failed to do that.

Since the attack, I have exerted complete control over my account. Wazoo.

You can save yourself a lot of trouble with the following cli_wallet command:

update_account YOURACCOUNT "{}" OWNER_PUBKEY ACTIVE_PUBKEY POSTING_PUBKEY MEMO_PUBKEY true
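
To confirm afterwards that no two roles still share a key, here is an added example (not from the original post or from the Steem project) that checks an account object for key reuse across the four keys update_account sets. It assumes the account JSON exposes owner, active and posting authorities with a key_auths list plus a memo_key field; the helper names and the sample keys are constructed placeholders.

```python
from collections import defaultdict

ROLES = ["owner", "active", "posting", "memo"]  # the post's hierarchy, top first

def keys_by_role(account):
    """Map each role to the set of public keys that can act in that role."""
    roles = {r: {key for key, _weight in account[r]["key_auths"]}
             for r in ("owner", "active", "posting")}
    roles["memo"] = {account["memo_key"]}
    return roles

def find_shared_keys(account):
    """Return {public_key: [roles]} for every key serving more than one role."""
    usage = defaultdict(list)
    for role, keys in keys_by_role(account).items():
        for key in keys:
            usage[key].append(role)
    return {k: sorted(r, key=ROLES.index) for k, r in usage.items() if len(r) > 1}

def owner_exposed_via(account):
    """Lower roles that share a key with owner; using them online risks the owner key."""
    exposed = set()
    for roles in find_shared_keys(account).values():
        if "owner" in roles:
            exposed.update(r for r in roles if r != "owner")
    return sorted(exposed, key=ROLES.index)

def make_account(owner, active, posting, memo):
    """Build a constructed account object in the assumed JSON layout."""
    auth = lambda key: {"weight_threshold": 1, "account_auths": [], "key_auths": [[key, 1]]}
    return {"owner": auth(owner), "active": auth(active),
            "posting": auth(posting), "memo_key": memo}

# Constructed samples with placeholder key strings, not real keys.
REUSED = make_account("STM_KEY_A", "STM_KEY_A", "STM_KEY_A", "STM_KEY_A")
PARTIAL = make_account("STM_KEY_A", "STM_KEY_B", "STM_KEY_C", "STM_KEY_C")
SEPARATED = make_account("STM_KEY_A", "STM_KEY_B", "STM_KEY_C", "STM_KEY_D")

if __name__ == "__main__":
    for label, acct in [("reused", REUSED), ("partial", PARTIAL), ("separated", SEPARATED)]:
        print(label, find_shared_keys(acct), owner_exposed_via(acct))
```

An empty result from both functions means every role has its own key; any role listed by owner_exposed_via is one where everyday use puts the owner key within reach.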

Keep it steemy.
