Page 2 of 3

Re: Policy changes coming this weekend

Posted: Fri Oct 27, 2017 2:14 am
by GregoryGHarding
AppleMiner wrote:When I went to the AUTHY site, it seems they only have 2FA for certain websites.
When I typed in prohashing it did not show that it knew what it was.
Perhaps you can add and scan in the code key into that program; if not, I'd just grab the Google Authenticator and use that.
Incorrect, they provide Authy as a 2FA client, and also as a service for websites to integrate 2FA easily.

Re: Policy changes coming this weekend

Posted: Fri Oct 27, 2017 4:42 am
by Ewil
This is an issue for at least two people I know using this pool. For security reasons, they don't use a smart phone - only an old "dino/idiot" phone, as they call it. What is the solution for them?

Also, are people really being that dumb about their login security that there's THAT many violated accounts???

Re: Policy changes coming this weekend

Posted: Fri Oct 27, 2017 9:15 am
by GregoryGHarding
Ewil wrote:This is an issue for at least two people I know using this pool. For security reasons, they don't use a smart phone - only an old "dino/idiot" phone, as they call it. What is the solution for them?

Also, are people really being that dumb about their login security that there's THAT many violated accounts???
There actually were a few waves of compromised accounts, probably before your time as a member here.

Authy has desktop software, although obviously that option isn't as secure. What about a tablet? No internet connection is needed for Authy 2FA codes. Also, it may be an option for the bros to look into adding text-message two-factor auth, but again, this option is less secure.

Re: Policy changes coming this weekend

Posted: Fri Oct 27, 2017 11:30 am
by mycide
If someone uses the same passwords on several services in the crypto world, you can expect to get buttf*cked sooner or later. Keep your email safe, and never have the same password in two places, especially not the same as your email!! Another tip is to use different usernames; it makes it harder to track the same individual down on different platforms.

Well yes, please add SMS verification. I'm not going to download extra software to put on my phone; I do not trust or want third parties involved.

Re: Policy changes coming this weekend

Posted: Fri Oct 27, 2017 1:10 pm
by coldstone
I've got 3 different accounts, as I use a different one for each type of miner (to be able to keep clean statistics on earnings).
Not stating much, but I can imagine people using more than 5 for the same reason... just saying, just to weaken your statement "There doesn't seem to be any legitimate reason why one address would need to log into so many accounts." a bit...

Re: Policy changes coming this weekend

Posted: Fri Oct 27, 2017 6:08 pm
by Steve Sokolowski
Ewil wrote:This is an issue for at least two people I know using this pool. For security reasons, they don't use a smart phone - only an old "dino/idiot" phone, as they call it. What is the solution for them?

Also, are people really being that dumb about their login security that there's THAT many violated accounts???
There were 238,144 invalid password attempts on October 13, from 18,123 attackers. Remember that IP addresses that try too many times are banned for the day - the number of people who received those errors is not counted.

This doesn't even count the number of successful password attempts that are followed by invalid two-factor authentication codes.

I was able to get the problem reduced to just 10,000 invalid attempts yesterday with prevention of Tor access and a reduction in the number of allowed tries to 7 per day. With these policy changes, I think we can probably get it down to 2,000, which is the lowest it can realistically be without inconveniencing customers. Then I can move on to other features.

Re: Policy changes coming this weekend

Posted: Fri Oct 27, 2017 7:07 pm
by Ewil
Steve Sokolowski wrote:
Ewil wrote:This is an issue for at least two people I know using this pool. For security reasons, they don't use a smart phone - only an old "dino/idiot" phone, as they call it. What is the solution for them?

Also, are people really being that dumb about their login security that there's THAT many violated accounts???
There were 238,144 invalid password attempts on October 13, from 18,123 attackers. Remember that IP addresses that try too many times are banned for the day - the number of people who received those errors is not counted.

This doesn't even count the number of successful password attempts that are followed by invalid two-factor authentication codes.

I was able to get the problem reduced to just 10,000 invalid attempts yesterday with prevention of Tor access and a reduction in the number of allowed tries to 7 per day. With these policy changes, I think we can probably get it down to 2,000, which is the lowest it can realistically be without inconveniencing customers. Then I can move on to other features.
Hmm. I had a similar thing I dealt with when I used to host game servers & associated forums. The biggest problem ended up being, people would have their login information the same as their display information - easily 'mined' at that point for brute force attempts.

At one point I ended up having to actually ban all IP access from China, India and Iran - cut the attacker volume by almost 90% (but this was before common VPNs lol).

I guess I shouldn't be surprised. The largest data breach in history showed that something like 12% of their users had "password123" as their password :roll:

Re: Policy changes coming this weekend

Posted: Fri Oct 27, 2017 7:35 pm
by mycide
It's because users have passwords like that in the first place. Require users to make a "hard" password: at least 1 letter, at least 1 number, at least 1 lower case, at least one upper case, and at least one sign like ¤ or &. Make the password 8-12 characters long. Keep the limit per day low, and ban the IP for 24h. Repeated offenders, perma ban.

Re: Policy changes coming this weekend

Posted: Fri Oct 27, 2017 8:25 pm
by Steve Sokolowski
Ewil wrote:
Steve Sokolowski wrote:
Ewil wrote:This is an issue for at least two people I know using this pool. For security reasons, they don't use a smart phone - only an old "dino/idiot" phone, as they call it. What is the solution for them?

Also, are people really being that dumb about their login security that there's THAT many violated accounts???
There were 238,144 invalid password attempts on October 13, from 18,123 attackers. Remember that IP addresses that try too many times are banned for the day - the number of people who received those errors is not counted.

This doesn't even count the number of successful password attempts that are followed by invalid two-factor authentication codes.

I was able to get the problem reduced to just 10,000 invalid attempts yesterday with prevention of Tor access and a reduction in the number of allowed tries to 7 per day. With these policy changes, I think we can probably get it down to 2,000, which is the lowest it can realistically be without inconveniencing customers. Then I can move on to other features.
Hmm. I had a similar thing I dealt with when I used to host game servers & associated forums. The biggest problem ended up being, people would have their login information the same as their display information - easily 'mined' at that point for brute force attempts.

At one point I ended up having to actually ban all IP access from China, India and Iran - cut the attacker volume by almost 90% (but this was before common VPNs lol).

I guess I shouldn't be surprised. The largest data breach in history showed that something like 12% of their users had "password123" as their password :roll:
I just figured it out. A user posted why there have been so many attacks in this thread: viewtopic.php?f=5&t=2369

The number of attacks was about 120,000 on October 19 (probably because the hacking software was finished halfway through the day), 260,000 on October 20, and similar numbers on October 21. On October 22, "prevent Tor access" was enabled and cut the number of attacks.

But on October 18, there were just 327 attacks. The criminals must have bought the database from the thieves, and then rushed to write software to use this database before their Tor access was going to be cut off by the new release.

The reason there were so many people who got money stolen is obviously because they used the same password in their Bitmain accounts as they did here. This is extremely frustrating. I don't know how many times I can repeat that there are no circumstances where you should ever use the same password as you do on another site.

Re: Policy changes coming this weekend

Posted: Sat Oct 28, 2017 2:11 am
by vinylwasp
Steve Sokolowski wrote:There will be a few policy changes coming this weekend, which will affect a large number of customers.

First, attempting to log into more than five accounts with invalid passwords will result in a permanent ban for that IP address. There doesn't seem to be any legitimate reason why one address would need to log into so many accounts. Even if you mistype your username, that would only result in two invalid account logins. The existing limit of 25 login attempts per day for any single account will also remain active.
Steve, as someone with almost 20 years working in Infosec, I'd like to warn you that this sort of approach can be a bad idea if you aren't careful in the way you implement and manage the ban. It depends on the timespan over which you intend to measure the 5 failed logins, but with a large user community behind a NAT you could easily have 5 legitimate account login failures in a few hours, certainly in less than 24.

You can run into problems with universities, corporate networks, hosting environments, cloud services, VPNs and any other reasonably large community that sits behind a NAT address, so if you really need to implement some kind of control, I suggest you keep the 5-login-attempt count window down to 2 minutes or less and implement a rate limiting algorithm (i.e., don't ban it permanently): start with a 5 minute ban, then 10, etc., etc.

If the failed attempts stop for another arbitrary period (say 30 minutes) then have a timeout for the ban, just like an account lockout. You don't want to be forced to have to manually undo the ban when you can automate it.

Using IP addresses to make security decisions comes with some major issues. Plenty of organisations and companies will give or sell you IP blacklists and services, but the value of them is entirely dependent on how they re-validate and age that data. Most don't, and the lists are therefore useless over the long term; they just keep getting bigger and bigger as more IP addresses are added, and less and less accurate at the same time as the older entries are no longer hostile.
[edit]
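The scheme vinylwasp describes above (count failures in a short window, temporary bans that escalate rather than a permanent ban, escalation that resets after a quiet period), written out as an added example; this is not code from the thread or from the pool's software, and the window, ban and reset values are assumptions taken from the post.

```python
"""Escalating, self-expiring per-IP ban for failed logins (added example).

Parameters are assumptions drawn from the post: 5 failures within a
2-minute window trigger a ban; bans run 5 min, then 10, then 15 ...;
after 30 minutes with no failures the escalation resets.
"""
from collections import defaultdict, deque


class FailedLoginLimiter:
    def __init__(self, max_failures=5, window=120, first_ban=300,
                 reset_after=1800):
        self.max_failures = max_failures    # failures tolerated per window
        self.window = window                # seconds: counting window (2 min)
        self.first_ban = first_ban          # seconds: first ban length (5 min)
        self.reset_after = reset_after      # seconds of quiet before strikes reset
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> time the current ban expires
        self.strikes = defaultdict(int)     # ip -> number of bans issued so far
        self.last_failure = {}              # ip -> time of the most recent failure

    def is_banned(self, ip, now):
        """Check a ban before processing a login; expired bans lift themselves."""
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]       # automatic timeout, no manual unban
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed login; return the ban length in seconds, or 0."""
        # A source that has been quiet for reset_after seconds starts over.
        if now - self.last_failure.get(ip, now) >= self.reset_after:
            self.strikes[ip] = 0
        self.last_failure[ip] = now
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # only failures inside the window count
        if len(recent) < self.max_failures:
            return 0                        # a NAT's scattered mistakes never add up
        self.strikes[ip] += 1
        ban = self.first_ban * self.strikes[ip]   # 5 min, 10 min, 15 min, ...
        self.banned_until[ip] = now + ban
        recent.clear()
        return ban
```

Timestamps are passed in rather than read from the clock so the behaviour can be replayed deterministically against a log of failures.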