Bitcoin Ops & Security Primer

Bitcoin Ops & Security Primer

Ab5cdb1357fae38ad51cc03947b377a5?s=128

Russell Smith

April 07, 2014
Tweet

Transcript

  1. rainforest @rainforestqa Bitcoin + Ops Primer:! Understand your risk Manage

    attacks
  2. @rainforestqa rainforest Rainforest Human powered QA SaaS Designed for ‘Continuous

    QA’ Built for PMs and Developers
  3. @rainforestqa rainforest Us Team of 6 in SoMa All developers

    YC S12
  4. @rainforestqa rainforest Understanding risk

  5. rainforest @rainforestqa Understand the trade off More secure generally means

    more effort
  6. @rainforestqa rainforest Risk vs Exposure

  7. @rainforestqa rainforest High Risks Hot wallets / key storage Outgoing

    payments Physically shipped items Reversible payments (e.g. chargebacks)
  8. @rainforestqa rainforest …more risks Shared hosting / VPS / “physical”

    security Staff
  9. @rainforestqa rainforest Limiting Exposure Storing keys Hot wallets -> Cold

    wallets, where poss Principle of least privilege
  10. @rainforestqa rainforest What risks?

  11. rainforest @rainforestqa Internet connected = hackable (Though, the NSA can

    spy on you, even if you're not connected to the Internet)
  12. @rainforestqa rainforest Top 5 >1k BTC hacks 46k / Linode

    (Bitcoinica): exploit in admin area / staff —> hotwallet 11k / Bitcoin7: “hacked” 4.5k / BTC-E: Insecure external API key 4k / Kronos: self hack / backdoor 2.6k / Gox 2011: exploit in admin area
  13. @rainforestqa rainforest Top 3 reasons:

  14. @rainforestqa rainforest Badly configured servers / services

  15. @rainforestqa rainforest Poorly written software

  16. @rainforestqa rainforest Exploits

  17. @rainforestqa rainforest Attack vectors Your service Your customers You &

    your team
  18. @rainforestqa rainforest Your service Domain Email Servers (app, db, etc)

    Network External services Backups
  19. @rainforestqa rainforest Domain DNS hijacking MITM attacks Doppelganger domains /

    Typo-squatting Renewals
  20. @rainforestqa rainforest HSTS Pinning / force-ssl Cloudflare, imho Firewall +

    IDS
  21. @rainforestqa rainforest Email DKIM / SPF Account state Clear email

    policies Lockout policy
  22. @rainforestqa rainforest Servers Shared / VPS / AWS Dedicated Co-lo

    >
  23. @rainforestqa rainforest OS + software updates Automate provisioning Hire pen-testing

    Have a security program
  24. @rainforestqa rainforest Transactions & locking (see Flexcoin / Poloniex)

  25. @rainforestqa rainforest Network IDS / IDPS / HIDS Firewall (both

    ways) -complex-
  26. @rainforestqa rainforest External services Verify SSL certs Limit IPs Work

    out what + who you can trust
  27. @rainforestqa rainforest Backups Major security issue Encrypt them Test them

  28. @rainforestqa rainforest Your customers Understand their behavior (Progressive) Account limits

    Policies KYC
  29. @rainforestqa rainforest Primer

  30. @rainforestqa rainforest Educate yourself

  31. @rainforestqa rainforest Pick secure by default tech

  32. @rainforestqa rainforest 2FA

  33. @rainforestqa rainforest Avoid shared servers

  34. @rainforestqa rainforest Honey pots

  35. @rainforestqa rainforest Automate deployment

  36. @rainforestqa rainforest Use SSH keys, rotate them

  37. @rainforestqa rainforest Use a Firewall

  38. @rainforestqa rainforest Use an IDS

  39. @rainforestqa rainforest Encrypt (and take!) backups

  40. @rainforestqa rainforest Subscribe to security lists

  41. @rainforestqa rainforest Do as little as possible

  42. @rainforestqa rainforest Staff opsec

  43. @rainforestqa rainforest Principle of least privilege

  44. @rainforestqa rainforest Split your servers

  45. @rainforestqa rainforest Or consider LXC / KVM

  46. @rainforestqa rainforest Split your app

  47. @rainforestqa rainforest Server: partitions + noexec + nosuid split running

    users disable root remove packages SELinux
  48. @rainforestqa rainforest Starting points Figure out your risk + exposure

    Implement low hanging fruit Reduce surface Plan the rest
  49. @rainforestqa rainforest Conclusions Simpler = better Understand your exposure and

    limit it
  50. @rainforestqa rainforest Further reading Hacks: https://bitcointalk.org/index.php?topic=83794.0 Flexcoin: http://hackingdistributed.com/2014/04/06/another-one-bites-the-dust- flexcoin/ Docker:

    http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and- security CVE: http://web.nvd.nist.gov/view/vuln/search?execution=e2s1
  51. rainforest @rainforestqa Questions? @rainforestqa @rhs