Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bitcoin Ops & Security Primer

Avatar for Russell Smith Russell Smith
April 07, 2014
Technology
1
160

Bitcoin Ops & Security Primer

Avatar for Russell Smith

Russell Smith

April 07, 2014
Tweet

More Decks by Russell Smith

See All by Russell Smith
Ops Skills and Tools for Beginners [MongoDB World 2014]
Avatar for Russell Smith ukd1
0
120
3 Infrastructure + workflow lessons from an early stage startup
Avatar for Russell Smith ukd1
0
110
Gearman & Kohana
Avatar for Russell Smith ukd1
2
960
Geo & capped collections with MongoDB
Avatar for Russell Smith ukd1
1
140
Cassandra London UG July 2011 - Riak vs Cassandra
Avatar for Russell Smith ukd1
1
290
MongoDB - Map Reduce
Avatar for Russell Smith ukd1
2
210
MongoDB London UG, April 2011 - MongoDB Introduction
Avatar for Russell Smith ukd1
1
99
MongoDB London 2011 - MongoDB Command Line Tools
Avatar for Russell Smith ukd1
1
180
Seedhack 2011 - Introducing MongoDB
Avatar for Russell Smith ukd1
1
120

Other Decks in Technology

See All in Technology
Why Governance Matters: The Key to Reducing Risk Without Slowing Down
Avatar for Sarah Wells sarahjwells
0
110
Trust as Infrastructure
Avatar for Bryan Cantrill bcantrill
0
350
バイブコーディングと継続的デプロイメント
Avatar for nwiizo nwiizo
2
440
Optuna DashboardにおけるPLaMo2連携機能の紹介 / PFN LLM セミナー
Avatar for Preferred Networks pfn
PRO
2
900
Large Vision Language Modelを用いた 文書画像データ化作業自動化の検証、運用 / shibuya_AI
Avatar for Sansan R&D sansan_randd
0
110
ユニットテストに対する考え方の変遷 / Everyone should watch his live coding
Avatar for mdstoy mdstoy
0
130
研究開発部メンバーの働き⽅ / Sansan R&D Profile
Avatar for Sansan, Inc. sansan33
PRO
3
20k
多野優介
Avatar for 多野優介 tanoyusuke
1
460
英語は話せません!それでも海外チームと信頼関係を作るため、対話を重ねた2ヶ月間のまなび
Avatar for ニイオカ niioka_97
0
130
多様な事業ドメインのクリエイターへ 価値を届けるための営みについて
Avatar for massyuu massyuu
1
390
E2Eテスト設計_自動化のリアル___Playwrightでの実践とMCPの試み__AIによるテスト観点作成_.pdf
Avatar for ファインディ株式会社(イベント資料アップ用) findy_eventslides
1
490
組織観点から IAM Identity CenterとIAMの設計を考える
Avatar for NRI Netcom nrinetcom
PRO
1
190

Featured

See All Featured
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
5.8k
The Language of Interfaces
Avatar for Des Traynor destraynor
162
25k
Building an army of robots
Avatar for Kyle Neath kneath
306
46k
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
347
40k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
331
21k
Building Applications with DynamoDB
Avatar for Matt Wood mza
96
6.6k
Designing for humans not robots
Avatar for Tammie Lister tammielis
254
26k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
7
890
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
73
11k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.5k
Fireside Chat
Avatar for paigeccino paigeccino
40
3.7k
Put a Button on it: Removing Barriers to Going Fast.
Avatar for kastner kastner
60
4k

Transcript

  1. rainforest @rainforestqa Bitcoin + Ops Primer:! Understand your risk Manage

    attacks

  2. @rainforestqa rainforest Rainforest Human powered QA SaaS Designed for ‘Continuous

    QA’ Built for PMs and Developers

  3. @rainforestqa rainforest Us Team of 6 in SoMa All developers

    YC S12

  4. @rainforestqa rainforest Understanding risk

  5. rainforest @rainforestqa Understand the trade off More secure generally means

    more effort

  6. @rainforestqa rainforest Risk vs Exposure

  7. @rainforestqa rainforest High Risks Hot wallets / key storage Outgoing

    payments Physically shipped items Reversible payments (e.g. chargebacks)

  8. @rainforestqa rainforest …more risks Shared hosting / VPS / “physical”

    security Staff

  9. @rainforestqa rainforest Limiting Exposure Storing keys Hot wallets -> Cold

    wallets, where poss Principle of least privilege

  10. @rainforestqa rainforest What risks?

  11. rainforest @rainforestqa Internet connected = hackable (Though, the NSA can

    spy on you, even if you're not connected to the Internet)

  12. @rainforestqa rainforest Top 5 >1k BTC hacks 46k / Linode

    (Bitcoinica): exploit in admin area / staff —> hotwallet 11k / Bitcoin7: “hacked” 4.5k / BTC-E: Insecure external API key 4k / Kronos: self hack / backdoor 2.6k / Gox 2011: exploit in admin area

  13. @rainforestqa rainforest Top 3 reasons:

  14. @rainforestqa rainforest Badly configured servers / services

  15. @rainforestqa rainforest Poorly written software

  16. @rainforestqa rainforest Exploits

  17. @rainforestqa rainforest Attack vectors Your service Your customers You &

    your team

  18. @rainforestqa rainforest Your service Domain Email Servers (app, db, etc)

    Network External services Backups

  19. @rainforestqa rainforest Domain DNS hijacking MITM attacks Doppelganger domains /

    Typo-squatting Renewals

  20. @rainforestqa rainforest HSTS Pinning / force-ssl Cloudflare, imho Firewall +

    IDS

  21. @rainforestqa rainforest Email DKIM / SPF Account state Clear email

    policies Lockout policy

  22. @rainforestqa rainforest Servers Shared / VPS / AWS Dedicated Co-lo

    >

  23. @rainforestqa rainforest OS + software updates Automate provisioning Hire pen-testing

    Have a security program

  24. @rainforestqa rainforest Transactions & locking (see Flexcoin / Poloniex)

  25. @rainforestqa rainforest Network IDS / IDPS / HIDS Firewall (both

    ways) -complex-

  26. @rainforestqa rainforest External services Verify SSL certs Limit IPs Work

    out what + who you can trust

  27. @rainforestqa rainforest Backups Major security issue Encrypt them Test them

  28. @rainforestqa rainforest Your customers Understand their behavior (Progressive) Account limits

    Policies KYC

  29. @rainforestqa rainforest Primer

  30. @rainforestqa rainforest Educate yourself

  31. @rainforestqa rainforest Pick secure by default tech

  32. @rainforestqa rainforest 2FA

  33. @rainforestqa rainforest Avoid shared servers

  34. @rainforestqa rainforest Honey pots

  35. @rainforestqa rainforest Automate deployment

  36. @rainforestqa rainforest Use SSH keys, rotate them

  37. @rainforestqa rainforest Use a Firewall

  38. @rainforestqa rainforest Use an IDS

  39. @rainforestqa rainforest Encrypt (and take!) backups

  40. @rainforestqa rainforest Subscribe to security lists

  41. @rainforestqa rainforest Do as little as possible

  42. @rainforestqa rainforest Staff opsec

  43. @rainforestqa rainforest Principle of least privilege

  44. @rainforestqa rainforest Split your servers

  45. @rainforestqa rainforest Or consider LXC / KVM

  46. @rainforestqa rainforest Split your app

  47. @rainforestqa rainforest Server: partitions + noexec + nosuid split running

    users disable root remove packages SELinux

  48. @rainforestqa rainforest Starting points Figure out your risk + exposure

    Implement low hanging fruit Reduce surface Plan the rest

  49. @rainforestqa rainforest Conclusions Simpler = better Understand your exposure and

    limit it

  50. @rainforestqa rainforest Further reading Hacks: https://bitcointalk.org/index.php?topic=83794.0 Flexcoin: http://hackingdistributed.com/2014/04/06/another-one-bites-the-dust- flexcoin/ Docker:

    http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and- security CVE: http://web.nvd.nist.gov/view/vuln/search?execution=e2s1

  51. rainforest @rainforestqa Questions? @rainforestqa @rhs