Bitcoin Ops & Security Primer

This is a primer for people who are running apps using bitcoin: what are the common things that get attacked, and how do you understand your risk? Originally presented at ...


Bitcoin Ops & Security Primer Presentation Transcript

  • rainforest @rainforestqa Bitcoin + Ops Primer: Understand your risk; Manage attacks
  • Rainforest: Human powered QA SaaS; Designed for ‘Continuous QA’; Built for PMs and Developers
  • Us: Team of 6 in SoMa; All developers; YC S12
  • Understanding risk
  • Understand the trade off: More secure generally means more effort
  • Risk vs Exposure
  • High Risks: Hot wallets / key storage; Outgoing payments; Physically shipped items; Reversible payments (e.g. chargebacks)
  • …more risks: Shared hosting / VPS / “physical” security; Staff
  • Limiting Exposure: Storing keys; Hot wallets -> Cold wallets, where poss; Principle of least privilege
  • What risks?
  • Internet connected = hackable (Though, the NSA can spy on you, even if you're not connected to the Internet)
  • Top 5 >1k BTC hacks: 46k / Linode (Bitcoinica): exploit in admin area / staff —> hotwallet; 11k / Bitcoin7: “hacked”; 4.5k / BTC-E: Insecure external API key; 4k / Kronos: self hack / backdoor; 2.6k / Gox 2011: exploit in admin area
  • Top 3 reasons:
  • Badly configured servers / services
  • Poorly written software
  • Exploits
  • Attack vectors: Your service; Your customers; You & your team
  • Your service: Domain; Email; Servers (app, db, etc); Network; External services; Backups
  • Domain: DNS hijacking; MITM attacks; Doppelganger domains / Typo-squatting; Renewals
  • HSTS Pinning / force-ssl; Cloudflare, imho; Firewall + IDS
  • Email: DKIM / SPF; Account state; Clear email policies; Lockout policy
  • Servers: Shared / VPS / AWS; Dedicated; Co-lo >
  • OS + software updates; Automate provisioning; Hire pen-testing; Have a security program
  • Transactions & locking (see Flexcoin / Poloniex)
  • Network: IDS / IDPS / HIDS; Firewall (both ways); -complex-
  • External services: Verify SSL certs; Limit IPs; Work out what + who you can trust
  • Backups: Major security issue; Encrypt them; Test them
  • Your customers: Understand their behavior; (Progressive) Account limits; Policies; KYC
  • Primer
  • Educate yourself
  • Pick secure by default tech
  • 2FA
  • Avoid shared servers
  • Honey pots
  • Automate deployment
  • Use SSH keys, rotate them
  • Use a Firewall
  • Use an IDS
  • Encrypt (and take!) backups
  • Subscribe to security lists
  • Do as little as possible
  • Staff opsec
  • Principle of least privilege
  • Split your servers
  • Or consider LXC / KVM
  • Split your app
  • Server: partitions + noexec + nosuid; split running users; disable root; remove packages; SELinux
  • Starting points: Figure out your risk + exposure; Implement low hanging fruit; Reduce surface; Plan the rest
  • Conclusions: Simpler = better; Understand your exposure and limit it
  • Further reading Hacks: Flexcoin: flexcoin/ Docker: security CVE:
  • Questions? @rainforestqa @rhs
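
The "Transactions & locking" slide is about balance updates that must not interleave. This added example (not from the original deck) shows a check-then-act withdrawal beside a locked, single-statement debit; the SQLite store and the `accounts` / `payouts` tables are assumptions made for the illustration.

```python
import sqlite3

def new_ledger(balance=100):
    """Constructed sample data: one account (id 1) in an in-memory SQLite ledger."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit; BEGIN is explicit
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    db.execute("CREATE TABLE payouts (acct INTEGER NOT NULL, amount INTEGER NOT NULL)")
    db.execute("INSERT INTO accounts VALUES (1, ?)", (balance,))
    return db

def racy_withdraw(db, acct, amount):
    """Weak form: read the balance now, decide and write later (check-then-act).
    Returns the second half as a callable so two requests can be interleaved."""
    (seen,) = db.execute("SELECT balance FROM accounts WHERE id = ?", (acct,)).fetchone()
    def finish():
        if seen < amount:  # decision is made on a possibly stale read
            return False
        db.execute("UPDATE accounts SET balance = ? WHERE id = ?", (seen - amount, acct))
        db.execute("INSERT INTO payouts VALUES (?, ?)", (acct, amount))
        return True
    return finish

def atomic_withdraw(db, acct, amount):
    """Hardened form: take the write lock first, debit only if funds suffice in one
    statement, and record the payout inside the same transaction."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    db.execute("BEGIN IMMEDIATE")
    try:
        cur = db.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
            (amount, acct, amount))
        ok = cur.rowcount == 1  # zero rows changed means insufficient funds
        if ok:
            db.execute("INSERT INTO payouts VALUES (?, ?)", (acct, amount))
        db.execute("COMMIT")
        return ok
    except Exception:
        db.execute("ROLLBACK")
        raise

def paid_out(db):
    """Total recorded as paid out across all accounts."""
    return db.execute("SELECT COALESCE(SUM(amount), 0) FROM payouts").fetchone()[0]

def balance(db, acct=1):
    return db.execute("SELECT balance FROM accounts WHERE id = ?", (acct,)).fetchone()[0]
```

A reconciliation check that compares total payouts against total debits catches the weak form after the fact; the conditional `UPDATE` prevents it.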