Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Bitcoin Ops & Security Primer
Search
Russell Smith
April 07, 2014
Technology
1
130
Bitcoin Ops & Security Primer
Russell Smith
April 07, 2014
Tweet
Share
More Decks by Russell Smith
See All by Russell Smith
Ops Skills and Tools for Beginners [MongoDB World 2014]
ukd1
0
92
3 Infrastructure + workflow lessons from an early stage startup
ukd1
0
77
Gearman & Kohana
ukd1
2
860
Geo & capped collections with MongoDB
ukd1
1
97
Cassandra London UG July 2011 - Riak vs Cassandra
ukd1
1
230
MongoDB - Map Reduce
ukd1
2
170
MongoDB London UG, April 2011 - MongoDB Introduction
ukd1
1
66
MongoDB London 2011 - MongoDB Command Line Tools
ukd1
1
140
Seedhack 2011 - Introducing MongoDB
ukd1
1
85
Other Decks in Technology
See All in Technology
楽しくGoを学び合う、LayerXの勉強会文化 / LayerX's study culture of having fun and learning Go together
ar_tama
2
350
ACRiルーム最新情報とAMD GPUサーバーのご紹介
anjn
0
150
Azure AI ことはじめ
tsubakimoto_s
0
130
ゆめみのアクセシビリティの現在地と今後
ryokatsuse
3
290
エンジニア向け会社紹介資料
caddi_eng
14
220k
さらに高品質・高速化を目指すAI時代のテスト設計支援と、めざす先 / AI Test Lab vol.1
shift_evolve
0
190
エンジニアの生存戦略 〜クラウド潮流の経験から紐解く技術トレンドのメカニズムと乗りこなし方〜
shimy
9
1.9k
コミュニティサービスに「あなたへ」フィードを リリースするまでの試行錯誤
takapy
1
140
dxd2024-生成AIに振り回された3か月間の成功と失敗/dxd2024-link-and-motivation
lmi
2
260
スタートアップにおける組織設計とスクラムの長期戦略 / Scrum Fest Kanazawa 2024
yoshikiiida
13
3.6k
AWSで”最小権限の原則”を実現するための考え方 /20240722-ssmjp-aws-least-privilege
opelab
10
4.3k
ペパボのオブザーバビリティ研修2024 説明資料
kesompochy
0
1.1k
Featured
See All Featured
Git: the NoSQL Database
bkeepers
PRO
423
64k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
90
47k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
18
1.2k
Large-scale JavaScript Application Architecture
addyosmani
506
110k
Bash Introduction
62gerente
607
210k
Scaling GitHub
holman
458
140k
Atom: Resistance is Futile
akmur
261
25k
Build The Right Thing And Hit Your Dates
maggiecrowley
28
2.2k
Product Roadmaps are Hard
iamctodd
PRO
48
10k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
26
2.1k
4 Signs Your Business is Dying
shpigford
178
21k
The Brand Is Dead. Long Live the Brand.
mthomps
52
36k
Transcript
rainforest @rainforestqa Bitcoin + Ops Primer:! Understand your risk Manage
attacks
@rainforestqa rainforest Rainforest Human powered QA SaaS Designed for ‘Continuous
QA’ Built for PMs and Developers
@rainforestqa rainforest Us Team of 6 in SoMa All developers
YC S12
@rainforestqa rainforest Understanding risk
rainforest @rainforestqa Understand the trade off More secure generally means
more effort
@rainforestqa rainforest Risk vs Exposure
@rainforestqa rainforest High Risks Hot wallets / key storage Outgoing
payments Physically shipped items Reversible payments (e.g. chargebacks)
@rainforestqa rainforest …more risks Shared hosting / VPS / “physical”
security Staff
@rainforestqa rainforest Limiting Exposure Storing keys Hot wallets -> Cold
wallets, where poss Principle of least privilege
@rainforestqa rainforest What risks?
rainforest @rainforestqa Internet connected = hackable (Though, the NSA can
spy on you, even if you're not connected to the Internet)
@rainforestqa rainforest Top 5 >1k BTC hacks 46k / Linode
(Bitcoinica): exploit in admin area / staff —> hotwallet 11k / Bitcoin7: “hacked” 4.5k / BTC-E: Insecure external API key 4k / Kronos: self hack / backdoor 2.6k / Gox 2011: exploit in admin area
@rainforestqa rainforest Top 3 reasons:
@rainforestqa rainforest Badly configured servers / services
@rainforestqa rainforest Poorly written software
@rainforestqa rainforest Exploits
@rainforestqa rainforest Attack vectors Your service Your customers You &
your team
@rainforestqa rainforest Your service Domain Email Servers (app, db, etc)
Network External services Backups
@rainforestqa rainforest Domain DNS hijacking MITM attacks Doppelganger domains /
Typo-squatting Renewals
@rainforestqa rainforest HSTS Pinning / force-ssl Cloudflare, imho Firewall +
IDS
@rainforestqa rainforest Email DKIM / SPF Account state Clear email
policies Lockout policy
@rainforestqa rainforest Servers Shared / VPS / AWS Dedicated Co-lo
>
@rainforestqa rainforest OS + software updates Automate provisioning Hire pen-testing
Have a security program
@rainforestqa rainforest Transactions & locking (see Flexcoin / Poloniex)
@rainforestqa rainforest Network IDS / IDPS / HIDS Firewall (both
ways) -complex-
@rainforestqa rainforest External services Verify SSL certs Limit IPs Work
out what + who you can trust
@rainforestqa rainforest Backups Major security issue Encrypt them Test them
@rainforestqa rainforest Your customers Understand their behavior (Progressive) Account limits
Policies KYC
@rainforestqa rainforest Primer
@rainforestqa rainforest Educate yourself
@rainforestqa rainforest Pick secure by default tech
@rainforestqa rainforest 2FA
@rainforestqa rainforest Avoid shared servers
@rainforestqa rainforest Honey pots
@rainforestqa rainforest Automate deployment
@rainforestqa rainforest Use SSH keys, rotate them
@rainforestqa rainforest Use a Firewall
@rainforestqa rainforest Use an IDS
@rainforestqa rainforest Encrypt (and take!) backups
@rainforestqa rainforest Subscribe to security lists
@rainforestqa rainforest Do as little as possible
@rainforestqa rainforest Staff opsec
@rainforestqa rainforest Principle of least privilege
@rainforestqa rainforest Split your servers
@rainforestqa rainforest Or consider LXC / KVM
@rainforestqa rainforest Split your app
@rainforestqa rainforest Server: partitions + noexec + nosuid split running
users disable root remove packages SELinux
@rainforestqa rainforest Starting points Figure out your risk + exposure
Implement low hanging fruit Reduce surface Plan the rest
@rainforestqa rainforest Conclusions Simpler = better Understand your exposure and
limit it
@rainforestqa rainforest Further reading Hacks: https://bitcointalk.org/index.php?topic=83794.0 Flexcoin: http://hackingdistributed.com/2014/04/06/another-one-bites-the-dust- flexcoin/ Docker:
http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and- security CVE: http://web.nvd.nist.gov/view/vuln/search?execution=e2s1
rainforest @rainforestqa Questions? @rainforestqa @rhs