Bitcoin Ops & Security Primer

Transcript

1. rainforest @rainforestqa Bitcoin + Ops Primer:! Understand your risk Manage

   attacks

2. @rainforestqa rainforest Rainforest Human powered QA SaaS Designed for ‘Continuous

   QA’ Built for PMs and Developers

3. @rainforestqa rainforest Us Team of 6 in SoMa All developers

   YC S12

4. @rainforestqa rainforest Understanding risk

5. rainforest @rainforestqa Understand the trade off More secure generally means

   more effort

6. @rainforestqa rainforest Risk vs Exposure

7. @rainforestqa rainforest High Risks Hot wallets / key storage Outgoing

   payments Physically shipped items Reversible payments (e.g. chargebacks)

8. @rainforestqa rainforest …more risks Shared hosting / VPS / “physical”

   security Staff

9. @rainforestqa rainforest Limiting Exposure Storing keys Hot wallets -> Cold

   wallets, where poss Principle of least privilege

10. @rainforestqa rainforest What risks?

11. rainforest @rainforestqa Internet connected = hackable (Though, the NSA can

    spy on you, even if you're not connected to the Internet)

12. @rainforestqa rainforest Top 5 >1k BTC hacks 46k / Linode

    (Bitcoinica): exploit in admin area / staff —> hotwallet 11k / Bitcoin7: “hacked” 4.5k / BTC-E: Insecure external API key 4k / Kronos: self hack / backdoor 2.6k / Gox 2011: exploit in admin area

13. @rainforestqa rainforest Top 3 reasons:

14. @rainforestqa rainforest Badly configured servers / services

15. @rainforestqa rainforest Poorly written software

16. @rainforestqa rainforest Exploits

17. @rainforestqa rainforest Attack vectors Your service Your customers You &

    your team

18. @rainforestqa rainforest Your service Domain Email Servers (app, db, etc)

    Network External services Backups

19. @rainforestqa rainforest Domain DNS hijacking MITM attacks Doppelganger domains /

    Typo-squatting Renewals

20. @rainforestqa rainforest HSTS Pinning / force-ssl Cloudflare, imho Firewall +

    IDS

21. @rainforestqa rainforest Email DKIM / SPF Account state Clear email

    policies Lockout policy

22. @rainforestqa rainforest Servers Shared / VPS / AWS Dedicated Co-lo

    >

23. @rainforestqa rainforest OS + software updates Automate provisioning Hire pen-testing

    Have a security program

24. @rainforestqa rainforest Transactions & locking (see Flexcoin / Poloniex)

25. @rainforestqa rainforest Network IDS / IDPS / HIDS Firewall (both

    ways) -complex-

26. @rainforestqa rainforest External services Verify SSL certs Limit IPs Work

    out what + who you can trust

27. @rainforestqa rainforest Backups Major security issue Encrypt them Test them

28. @rainforestqa rainforest Your customers Understand their behavior (Progressive) Account limits

    Policies KYC

29. @rainforestqa rainforest Primer

30. @rainforestqa rainforest Educate yourself

31. @rainforestqa rainforest Pick secure by default tech

32. @rainforestqa rainforest 2FA

33. @rainforestqa rainforest Avoid shared servers

34. @rainforestqa rainforest Honey pots

35. @rainforestqa rainforest Automate deployment

36. @rainforestqa rainforest Use SSH keys, rotate them

37. @rainforestqa rainforest Use a Firewall

38. @rainforestqa rainforest Use an IDS

39. @rainforestqa rainforest Encrypt (and take!) backups

40. @rainforestqa rainforest Subscribe to security lists

41. @rainforestqa rainforest Do as little as possible

42. @rainforestqa rainforest Staff opsec

43. @rainforestqa rainforest Principle of least privilege

44. @rainforestqa rainforest Split your servers

45. @rainforestqa rainforest Or consider LXC / KVM

46. @rainforestqa rainforest Split your app

47. @rainforestqa rainforest Server: partitions + noexec + nosuid split running

    users disable root remove packages SELinux

48. @rainforestqa rainforest Starting points Figure out your risk + exposure

    Implement low hanging fruit Reduce surface Plan the rest

49. @rainforestqa rainforest Conclusions Simpler = better Understand your exposure and

    limit it

50. @rainforestqa rainforest Further reading Hacks: https://bitcointalk.org/index.php?topic=83794.0 Flexcoin: http://hackingdistributed.com/2014/04/06/another-one-bites-the-dust- flexcoin/ Docker:

    http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and- security CVE: http://web.nvd.nist.gov/view/vuln/search?execution=e2s1

51. rainforest @rainforestqa Questions? @rainforestqa @rhs