rainforest @rainforestqa
Bitcoin + Ops Primer: Understand your risk
Manage attacks
@rainforestqarainforest
Rainforest
Human powered QA SaaS
Designed for ‘Continuous QA’
Built for PMs and Developers
Us
Team of 6 in SoMa
All developers
YC S12
Understanding risk
Understand the trade off
More secure generally means more effort
Risk vs Exposure
High Risks
Hot wallets / key storage
Outgoing payments
Physically shipped items
Reversible payments (e.g. chargebacks)
…more risks
Shared hosting / VPS / “physical” security
Staff
Limiting Exposure
Storing keys
Hot wallets -> cold wallets, where possible
Principle of least privilege
What risks?
Internet connected = hackable
(Though the NSA can spy on you even if you're not connected to the Internet)
Top 5 >1k BTC hacks
46k / Linode (Bitcoinica): exploit in admin area / staff -> hot wallet
11k / Bitcoin7: “hacked”
4.5k / BTC-E: Insecure external API key
4k / Kronos: self hack / backdoor
2.6k / Gox 2011: exploit in admin area
Top 3 reasons:
Badly configured servers / services
Poorly written software
Exploits
Attack vectors
Your service
Your customers
You & your team
Your service
Domain
Email
Servers (app, db, etc)
Network
External services
Backups
Domain
DNS hijacking
MITM attacks
Doppelganger domains / Typo-squatting
Renewals
HSTS
Pinning / force-ssl
Cloudflare, imho
Firewall + IDS
Email
DKIM / SPF
Account state
Clear email policies
Lockout policy
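The DKIM / SPF point above is only worth something if the published SPF record actually fails unauthorized senders. The linter below is an added example, not part of the deck: it takes an SPF TXT record string (the two records here are constructed), checks the v=spf1 prefix, reports what the terminal "all" qualifier permits, and counts the mechanisms that cost a DNS lookup against the limit of 10 that receivers enforce.

```shell
#!/bin/sh
# Added example (not from the deck): a small SPF record linter. The records
# below are constructed; the checks (v=spf1 prefix, the terminal "all"
# qualifier, the 10-lookup limit) are what a defender verifies before
# trusting SPF to stop spoofing of the company domain.
SPF_STRICT='v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all'
SPF_WEAK='v=spf1 a mx include:a.example.net include:b.example.net +all'

# Print one finding per line; return 0 if the record is acceptable.
lint_spf() {
  rec=$1; rc=0; lookups=0; terminal=""
  set -f                        # no pathname expansion while splitting
  set -- $rec
  set +f
  if [ "$1" != "v=spf1" ]; then
    echo "not an SPF record (missing v=spf1)"
    return 1
  fi
  shift
  # Mechanisms and modifiers that cost a DNS lookup versus the terminal
  # "all" term, whose qualifier decides what happens to unknown senders.
  for term in "$@"; do
    case "$term" in
      include:*|a|a:*|mx|mx:*|exists:*|redirect=*|ptr|ptr:*)
        lookups=$((lookups + 1)) ;;
      -all|'~all'|'?all'|+all|all)
        terminal=$term ;;
    esac
  done
  case "$terminal" in
    -all) ;;   # hard fail: the outcome you want
    '~all') echo "softfail (~all): receivers may still deliver spoofed mail" ;;
    +all|all) echo "permits any sender (+all)"; rc=1 ;;
    '?all') echo "neutral (?all): no protection"; rc=1 ;;
    "") echo "no terminal all mechanism"; rc=1 ;;
  esac
  if [ "$lookups" -gt 10 ]; then
    echo "too many DNS lookups ($lookups > 10): receivers return permerror"
    rc=1
  fi
  return $rc
}

# Usage on the constructed records: the strict one is silent, the weak one
# reports that +all lets anyone send as the domain.
lint_spf "$SPF_STRICT" && echo "strict record: ok"
lint_spf "$SPF_WEAK" || echo "weak record: rejected"
```

On a real domain, feed it the TXT record you publish (for example the output of `dig +short TXT example.com`, quotes stripped); the softfail finding is deliberately not a failure, since ~all is a common transition state, but -all is the target.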
Servers
Shared / VPS / AWS
Dedicated
Co-lo
OS + software updates
Automate provisioning
Hire pen-testing
Have a security program
Transactions & locking
(see Flexcoin / Poloniex)
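The Flexcoin loss came from a balance transfer whose check and write were separate steps, so concurrent requests all passed the check. The script below is an added example, not from the deck or from either exchange: a file-backed balance (constructed scratch path) with a race-prone withdrawal beside one that serialises the read-check-write sequence under a mutex, using `mkdir` as a portable atomic lock so it runs with nothing but a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the deck): a file-backed balance with a race-prone
# withdrawal and a locked one. BALANCE_FILE and LOCK_DIR are constructed
# scratch paths; mkdir serves as an atomic mutex (create succeeds for one
# process only).
BALANCE_FILE="${TMPDIR:-/tmp}/demo_balance.$$"
LOCK_DIR="${TMPDIR:-/tmp}/demo_balance.$$.lock"

init_balance() {
  printf '%s\n' "$1" > "$BALANCE_FILE"
  rm -rf "$LOCK_DIR"
}

get_balance() { cat "$BALANCE_FILE"; }

# Vulnerable pattern: read, check, then write as separate steps, so two
# concurrent requests can both pass the check (the Flexcoin-style bug).
withdraw_unsafe() {
  amount=$1
  bal=$(cat "$BALANCE_FILE" 2>/dev/null); : "${bal:=0}"
  if [ "$bal" -ge "$amount" ]; then
    sleep 0.2 2>/dev/null || true        # widen the check-then-write window
    printf '%s\n' $((bal - amount)) > "$BALANCE_FILE"
    return 0
  fi
  return 1
}

# mkdir either creates the directory or fails, atomically, so only one
# process holds the lock; the others retry until it is removed.
acquire_lock() {
  while ! mkdir "$LOCK_DIR" 2>/dev/null; do sleep 0.05 2>/dev/null || true; done
}
release_lock() { rmdir "$LOCK_DIR"; }

# Hardened pattern: the whole read-check-write sequence runs under the lock,
# so the balance cannot go negative however many requests race.
withdraw_safe() {
  amount=$1
  acquire_lock
  bal=$(cat "$BALANCE_FILE"); : "${bal:=0}"
  if [ "$bal" -ge "$amount" ]; then
    printf '%s\n' $((bal - amount)) > "$BALANCE_FILE"
    release_lock
    return 0
  fi
  release_lock
  return 1
}

# Fire N concurrent withdrawals of AMOUNT through withdraw function FN.
run_concurrent() {
  fn=$1; n=$2; amount=$3
  i=0
  while [ "$i" -lt "$n" ]; do
    "$fn" "$amount" &
    i=$((i + 1))
  done
  wait
}

cleanup() { rm -f "$BALANCE_FILE"; rm -rf "$LOCK_DIR"; }

# Usage: 8 racing withdrawals of 30 from 100. Only 3 can legitimately succeed,
# so the locked variant always ends at 10; the unsafe one usually goes negative.
demo() {
  init_balance 100; run_concurrent withdraw_unsafe 8 30
  echo "unsafe: final balance = $(get_balance)"
  init_balance 100; run_concurrent withdraw_safe 8 30
  echo "safe:   final balance = $(get_balance)"
  cleanup
}
demo
```

In a database-backed service the same shape is a row lock (SELECT ... FOR UPDATE) or a conditional UPDATE that only applies when the balance still covers the amount; the point the deck makes is that the check and the debit must be one atomic step.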
Network
IDS / IDPS / HIDS
Firewall (both ways)
-complex-
External services
Verify SSL certs
Limit IPs
Work out what + who you can trust
Backups
Major security issue
Encrypt them
Test them
Your customers
Understand their behavior
(Progressive) Account limits
Policies
KYC
Primer
Educate yourself
Pick secure by default tech
2FA
Avoid shared servers
Honey pots
Automate deployment
Use SSH keys, rotate them
Use a Firewall
Use an IDS
Encrypt (and take!) backups
Subscribe to security lists
Do as little as possible
Staff opsec
Principle of least privilege
Split your servers
Or consider LXC / KVM
Split your app
Server: partitions + noexec + nosuid
split running users
disable root
remove packages
SELinux
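Two of the server items above (noexec/nosuid on writable partitions, root login disabled) are easy to state and easy to drift from. The audit below is an added example, not from the deck: it reads constructed input in /proc/mounts format and a constructed sshd_config fragment and reports every deviation, so the same functions can be pointed at `/proc/mounts` and `/etc/ssh/sshd_config` on a real host. The list of mount points to harden is an assumption chosen for the example.

```shell
#!/bin/sh
# Added example (not from the deck): audits two of the server slide's items
# against constructed inputs. SAMPLE_MOUNTS is in /proc/mounts format and
# SAMPLE_SSHD is an sshd_config fragment; on a real host run
#   audit_mounts "$(cat /proc/mounts)"
#   root_login_disabled "$(cat /etc/ssh/sshd_config)"
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
/dev/sda4 /var ext4 rw,nosuid,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

SAMPLE_SSHD='# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PasswordAuthentication no'

# Assumed baseline: writable, non-system mount points that should neither
# run binaries nor honour setuid bits.
HARDEN_MOUNTS="/tmp /home /var /dev/shm"

# Print "<mountpoint> missing <option>" or "<mountpoint> not a separate mount"
# for each finding; return 1 if there was any finding.
audit_mounts() {
  mounts=$1; rc=0
  for mp in $HARDEN_MOUNTS; do
    # field 2 is the mount point, field 4 the comma-separated options
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4; exit }')
    if [ -z "$opts" ]; then
      echo "$mp not a separate mount"
      rc=1
      continue
    fi
    for want in noexec nosuid; do
      case ",$opts," in
        *,"$want",*) ;;
        *) echo "$mp missing $want"; rc=1 ;;
      esac
    done
  done
  return $rc
}

# Return 0 only when PermitRootLogin is explicitly "no". The first uncommented
# occurrence wins, as in sshd; an absent directive does not count as disabled.
root_login_disabled() {
  val=$(printf '%s\n' "$1" | awk '!/^[[:space:]]*#/ && tolower($1) == "permitrootlogin" { print tolower($2); exit }')
  [ "$val" = "no" ]
}

# Usage on the constructed inputs: /home, /var and /dev/shm are reported,
# /tmp passes, and the sshd fragment still allows root login.
audit_mounts "$SAMPLE_MOUNTS" || echo "mount audit: findings above"
if root_login_disabled "$SAMPLE_SSHD"; then
  echo "sshd: root login disabled"
else
  echo "sshd: root login NOT disabled"
fi
```

Mount options are checked as whole tokens (`,noexec,`), so a substring such as `nosuid` inside another option cannot produce a false pass; the sshd check deliberately treats a commented-out or missing directive as a failure, since the default is not "no".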
Starting points
Figure out your risk + exposure
Implement low hanging fruit
Reduce surface
Plan the rest
Conclusions
Simpler = better
Understand your exposure and limit it
Further reading
Hacks: https://bitcointalk.org/index.php?topic=83794.0
Flexcoin: http://hackingdistributed.com/2014/04/06/another-one-bites-the-dust-flexcoin/
Docker: http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and-security
CVE: http://web.nvd.nist.gov/view/vuln/search?execution=e2s1
Questions? @rainforestqa
@rhs