Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bitcoin Ops & Security Primer

Avatar for Russell Smith Russell Smith
April 07, 2014
Technology
1
150

Bitcoin Ops & Security Primer

Avatar for Russell Smith

Russell Smith

April 07, 2014
Tweet

More Decks by Russell Smith

See All by Russell Smith
Ops Skills and Tools for Beginners [MongoDB World 2014]
Avatar for Russell Smith ukd1
0
100
3 Infrastructure + workflow lessons from an early stage startup
Avatar for Russell Smith ukd1
0
92
Gearman & Kohana
Avatar for Russell Smith ukd1
2
930
Geo & capped collections with MongoDB
Avatar for Russell Smith ukd1
1
120
Cassandra London UG July 2011 - Riak vs Cassandra
Avatar for Russell Smith ukd1
1
270
MongoDB - Map Reduce
Avatar for Russell Smith ukd1
2
190
MongoDB London UG, April 2011 - MongoDB Introduction
Avatar for Russell Smith ukd1
1
84
MongoDB London 2011 - MongoDB Command Line Tools
Avatar for Russell Smith ukd1
1
160
Seedhack 2011 - Introducing MongoDB
Avatar for Russell Smith ukd1
1
100

Other Decks in Technology

See All in Technology
10ヶ月かけてstyled-components v4からv5にアップデートした話
Avatar for uhyo uhyo
5
460
今日からはじめるプラットフォームエンジニアリング
Avatar for Kazuto Kusama jacopen
8
2k
ペアーズにおける評価ドリブンな AI Agent 開発のご紹介
Avatar for fukubaka0825 fukubaka0825
9
2.3k
AI駆動で進化する開発プロセス ~クラスメソッドでの実践と成功事例~ / aidd-in-classmethod
Avatar for tomoki10 tomoki10
1
940
MCPが変えるAIとの協働
Avatar for 西岡 賢一郎 (Kenichiro Nishioka) knishioka
1
140
LINE 購物幕後推手
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
400
非root化Androidスマホでも動く仮想マシンアプリを試してみた
Avatar for Sora Arakawa arkw
0
110
ガバクラのAWS長期継続割引 ~次の4/1に慌てないために~
Avatar for ひよこインフラエンジニア hamijay_cloud
1
590
コードや知識を組み込む / Incorporating Codes and Knowledge
Avatar for Kenji Saito ks91
PRO
0
170
グループ ポリシー再確認 (2)
Avatar for Murachi Akira murachiakira
0
230
更新系と状態
Avatar for uhyo uhyo
8
2.2k
Microsoft の SSE の現在地
Avatar for skmkzyk skmkzyk
0
300

Featured

See All Featured
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
34
2.2k
The Art of Programming - Codeland 2020
Avatar for Erika Heidi erikaheidi
54
13k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
137
33k
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
329
39k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
7
420
Large-scale JavaScript Application Architecture
Avatar for Addy Osmani addyosmani
512
110k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
34
2.9k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
179
53k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
329
21k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
411
22k
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
31
1.2k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
120
52k

Transcript

  1. rainforest @rainforestqa Bitcoin + Ops Primer:! Understand your risk Manage

    attacks

  2. @rainforestqa rainforest Rainforest Human powered QA SaaS Designed for ‘Continuous

    QA’ Built for PMs and Developers

  3. @rainforestqa rainforest Us Team of 6 in SoMa All developers

    YC S12

  4. @rainforestqa rainforest Understanding risk

  5. rainforest @rainforestqa Understand the trade off More secure generally means

    more effort

  6. @rainforestqa rainforest Risk vs Exposure

  7. @rainforestqa rainforest High Risks Hot wallets / key storage Outgoing

    payments Physically shipped items Reversible payments (e.g. chargebacks)

  8. @rainforestqa rainforest …more risks Shared hosting / VPS / “physical”

    security Staff

  9. @rainforestqa rainforest Limiting Exposure Storing keys Hot wallets -> Cold

    wallets, where poss Principle of least privilege

  10. @rainforestqa rainforest What risks?

  11. rainforest @rainforestqa Internet connected = hackable (Though, the NSA can

    spy on you, even if you're not connected to the Internet)

  12. @rainforestqa rainforest Top 5 >1k BTC hacks 46k / Linode

    (Bitcoinica): exploit in admin area / staff —> hotwallet 11k / Bitcoin7: “hacked” 4.5k / BTC-E: Insecure external API key 4k / Kronos: self hack / backdoor 2.6k / Gox 2011: exploit in admin area

  13. @rainforestqa rainforest Top 3 reasons:

  14. @rainforestqa rainforest Badly configured servers / services

  15. @rainforestqa rainforest Poorly written software

  16. @rainforestqa rainforest Exploits

  17. @rainforestqa rainforest Attack vectors Your service Your customers You &

    your team

  18. @rainforestqa rainforest Your service Domain Email Servers (app, db, etc)

    Network External services Backups

  19. @rainforestqa rainforest Domain DNS hijacking MITM attacks Doppelganger domains /

    Typo-squatting Renewals

  20. @rainforestqa rainforest HSTS Pinning / force-ssl Cloudflare, imho Firewall +

    IDS

  21. @rainforestqa rainforest Email DKIM / SPF Account state Clear email

    policies Lockout policy

  22. @rainforestqa rainforest Servers Shared / VPS / AWS Dedicated Co-lo

    >

  23. @rainforestqa rainforest OS + software updates Automate provisioning Hire pen-testing

    Have a security program

  24. @rainforestqa rainforest Transactions & locking (see Flexcoin / Poloniex)

  25. @rainforestqa rainforest Network IDS / IDPS / HIDS Firewall (both

    ways) -complex-

  26. @rainforestqa rainforest External services Verify SSL certs Limit IPs Work

    out what + who you can trust

  27. @rainforestqa rainforest Backups Major security issue Encrypt them Test them

  28. @rainforestqa rainforest Your customers Understand their behavior (Progressive) Account limits

    Policies KYC

  29. @rainforestqa rainforest Primer

  30. @rainforestqa rainforest Educate yourself

  31. @rainforestqa rainforest Pick secure by default tech

  32. @rainforestqa rainforest 2FA

  33. @rainforestqa rainforest Avoid shared servers

  34. @rainforestqa rainforest Honey pots

  35. @rainforestqa rainforest Automate deployment

  36. @rainforestqa rainforest Use SSH keys, rotate them

  37. @rainforestqa rainforest Use a Firewall

  38. @rainforestqa rainforest Use an IDS

  39. @rainforestqa rainforest Encrypt (and take!) backups

  40. @rainforestqa rainforest Subscribe to security lists

  41. @rainforestqa rainforest Do as little as possible

  42. @rainforestqa rainforest Staff opsec

  43. @rainforestqa rainforest Principle of least privilege

  44. @rainforestqa rainforest Split your servers

  45. @rainforestqa rainforest Or consider LXC / KVM

  46. @rainforestqa rainforest Split your app

  47. @rainforestqa rainforest Server: partitions + noexec + nosuid split running

    users disable root remove packages SELinux

  48. @rainforestqa rainforest Starting points Figure out your risk + exposure

    Implement low hanging fruit Reduce surface Plan the rest

  49. @rainforestqa rainforest Conclusions Simpler = better Understand your exposure and

    limit it

  50. @rainforestqa rainforest Further reading Hacks: https://bitcointalk.org/index.php?topic=83794.0 Flexcoin: http://hackingdistributed.com/2014/04/06/another-one-bites-the-dust- flexcoin/ Docker:

    http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and- security CVE: http://web.nvd.nist.gov/view/vuln/search?execution=e2s1

  51. rainforest @rainforestqa Questions? @rainforestqa @rhs