operations security - sf bitcoin hackday march 2015
TRANSCRIPT
OPSEC - operations security
Mikko Ohtamaa SF Bitcoin Devs HackDay / March 2015
opensourcehacker.com
moo9000
Agenda
Lessons learnt presentation Discussion and hacking Updating OPSEC Gitbook
Team security
Encrypt devices: computers AND phones !
Two-factor authentication on inbox and site admin !
Google 2FA account incidents: https://ello.co/gb/post/knOWk-qeTqfSpJ6f8-arCQ
http://opensourcehacker.com/2012/10/24/ssh-key-and-passwordless-login-basics-for-developers/
http://opensourcehacker.com/2012/10/24/ssh-key-and-passwordless-login-basics-for-developers/
Password manager (KeePassX) SSH keys, tied to your computer login
User security
Passwords are dead
Password stealing attacks by keylogging and cache reading malware
Strong passwords give only limited additional protection
Login attempt throttling
Threshold logins per IP: script kiddie
Threshold per username: spearhead brute force
Threshold all logins per minute: botnet attack
recaptcha.net
http://opensourcehacker.com/2014/07/09/rolling-time-window-counters-with-redis-and-mitigating-botnet-driven-login-attacks/
Two-factor authentication for your users
Time-Based One-Time Password Algorithm
TOTP a.k.a Google Authenticator, RFC 6238 Does not require Google account.!OSS apps available
Tic toc keycodes generated by a mobile app
HMAC-Based One-Time Password Algorithm
HOTP, RFC 4226 a.k.a. paper codes, one time pad
Common in EU banking, unheard in some countries
SMS Yubikey
As a service: authy.org
For Django: https://github.com/miohtama/
django-twofactor
Third factor
Users accidentally give out their credentials
Recycled passwords (blackmarket) Phishing (Google Adwords first link stealing) !
Phishers may get two-factor codes too
Third factor parameters
Identify web browser (permacookie)
Identify the country of IP address
The reputation of IP address (botnet, Tor, VPS)
IP address whitelist
!
Mad general problem
“If your local computer is compromised by malware or anything else, it is just like a mad general”
http://www.reddit.com/r/Bitcoin/comments/2573rw/bitcoin_is_secure_because_it_solves_the_byzantine/
"Tinfoil never too tight" attacks
Trojan kits with Bitcoin sites "autosteal"
Browser add-ons modifying payment data in-fly
Android and iOS malware
SMS capture attacks
Malicious Tor exit nodes
!http://thedroidguy.com/2014/06/popular-chinese-android-smartphone-malware-pre-installed-93764
http://www.reddit.com/r/Bitcoin/comments/2573rw/bitcoin_is_secure_because_it_solves_the_byzantine/
Infrastructure security
fail2banDaemon blocking IPs by continuous log file analysis
(e.g. Apache, SSH, custom application logs)
Attack mitigation as a service proxies: cloudflare.net Whitehat bounty programs: crowdcurity.com Known bad IPs: projecthoneypot.org !
Flood attacksFlood actions and anonymous forms: password reset email, invite email, user messaging
Mostly harmless / reputation hit
Have throttling and banning per IP
Throttle email actions with a custom log file and fail2ban
https://shubh.am/full-disclosure-coinbase-security/
Hosting provider and physical attacks
Store databases and logs on encrypted partition (LUKS)
Backups as encrypted only: duplicity, GPG
Server-to-server connections: SSH, VPN
Virtual machines are always unsafe
http://blog.bitly.com/#85169217199
Server security monitoring
Log server, FSS (forward secure sealed) logs Intrusion detection (OSSEC)
Firewalling !
http://louwrentius.com/systemd-forward-secure-sealing-of-system-logs-makes-little-sense.html
THANK YOU
opensourcehacker.com Open Source Hacker
linkedin.com/in/ohtis