OPSEC - operations security
Mikko Ohtamaa, SyPy / Sydney / Dec 2014
opensourcehacker.com
moo9000
Jul 09, 2015
Agenda
Background
Team security
User security
Infrastructure security
Person-to-person Bitcoin exchange
Bitcoin users are high value targets
Team security
Encrypt devices: computers AND phones
Two-factor authentication on inbox and site admin
Google 2FA account incidents: https://ello.co/gb/post/knOWk-qeTqfSpJ6f8-arCQ
http://opensourcehacker.com/2012/10/24/ssh-key-and-passwordless-login-basics-for-developers/
Password manager (KeePassX)
SSH keys, tied to your computer login
User security
Passwords are dead
Password stealing attacks by keylogging and cache-reading malware
Strong passwords give only limited additional protection against these
Login attempt throttling
Threshold on logins per IP: script kiddie hammering from one address
Threshold per username: spearhead brute force against one account
Threshold on all logins per minute: botnet attack spread over many IPs and accounts
recaptcha.net
http://opensourcehacker.com/2014/07/09/rolling-time-window-counters-with-redis-and-mitigating-botnet-driven-login-attacks/
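The three thresholds above, implemented as rolling time-window counters in the style of the linked article. This is an added example, not the author's code from that post or from any project on this slide: the window sizes and limits are assumed values, and the `FakeRedisZSets` class is a constructed offline stand-in for the three Redis sorted-set commands the technique needs (ZADD, ZREMRANGEBYSCORE, ZCARD), so a redis-py client can be dropped in with the same method names.

```python
import itertools
import time
from collections import defaultdict


class FakeRedisZSets:
    """Constructed offline stand-in for the Redis sorted-set commands used below.

    redis-py exposes zadd / zremrangebyscore / zcard with the same shapes.
    """

    def __init__(self):
        self._sets = defaultdict(dict)  # key -> {member: score}

    def zadd(self, key, mapping):
        self._sets[key].update(mapping)

    def zremrangebyscore(self, key, min_score, max_score):
        zset = self._sets[key]
        for member in [m for m, s in zset.items() if min_score <= s <= max_score]:
            del zset[member]

    def zcard(self, key):
        return len(self._sets[key])


class LoginThrottle:
    """Rolling time-window failure counters on three dimensions of a login attempt."""

    # (window in seconds, failures allowed inside that window): assumed values
    LIMITS = {
        "ip": (60, 10),        # one address hammering the form: script kiddie
        "username": (600, 5),  # one account from anywhere: spearhead brute force
        "global": (60, 200),   # everyone at once: botnet
    }

    def __init__(self, store, now=time.time):
        self.store = store
        self.now = now
        self._seq = itertools.count()  # makes every sorted-set member unique

    @staticmethod
    def _keys(ip, username):
        return {"ip": f"login:ip:{ip}",
                "username": f"login:user:{username}",
                "global": "login:all"}

    def record_failure(self, ip, username):
        """Call after a failed password check; the score is the event timestamp."""
        ts = self.now()
        for key in self._keys(ip, username).values():
            self.store.zadd(key, {f"{ts}:{next(self._seq)}": ts})

    def check(self, ip, username):
        """Return the dimensions whose limit is exhausted; empty means proceed.

        A non-empty result is where the site would demand a captcha or
        reject the attempt outright.
        """
        ts = self.now()
        tripped = []
        for dim, key in self._keys(ip, username).items():
            window, limit = self.LIMITS[dim]
            # drop events that fell out of the window, then count what is left
            self.store.zremrangebyscore(key, 0, ts - window)
            if self.store.zcard(key) >= limit:
                tripped.append(dim)
        return tripped
```

Only failures are recorded, so a legitimate user who types the right password is never counted against their own account; the global counter is what catches a slow botnet that stays under the per-IP and per-username limits.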
Two-factor authentication for your users
Time-Based One-Time Password Algorithm
TOTP, a.k.a. Google Authenticator, RFC 6238
Does not require a Google account; open source apps available
Time-ticking keycodes generated by a mobile app
HMAC-Based One-Time Password Algorithm
HOTP, RFC 4226, a.k.a. paper codes: counter-based one-time codes that can be printed as a list (single-use, but not a one-time pad in the cryptographic sense)
Common in EU banking, unheard of in some countries
SMS
Yubikey
As a service: authy.org
For Django: https://github.com/miohtama/django-twofactor
Third factor
Users accidentally give out their credentials
Recycled passwords (black market)
Phishing (Google AdWords first-link stealing)
Phishers may get two-factor codes too, by relaying them in real time
Third factor parameters
Identify web browser (permacookie)
Identify the country of IP address
The reputation of IP address (botnet, Tor, VPS)
IP address whitelist
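A way to combine the four parameters above into a step-up decision taken after password and two-factor checks have already passed. This is an added example for this page, not the site's or the author's logic: the GeoIP table and the bad-reputation ranges are constructed lookups standing in for a real database and feed, the thresholds are assumed, and the permacookie format (user id, random device id, HMAC over both) is one design choice among several.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass

# Constructed lookup tables standing in for a GeoIP database and an IP
# reputation feed (Tor exits, botnet members, cheap VPS ranges).
COUNTRY_BY_NET = {
    ipaddress.ip_network("203.0.113.0/24"): "AU",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}
BAD_NETS = [ipaddress.ip_network("198.51.100.0/25")]


@dataclass
class UserProfile:
    user_id: str              # assumed to contain no ':' (cookie delimiter)
    home_country: str
    ip_whitelist: tuple = ()  # empty = user has not enabled the whitelist


def issue_device_cookie(server_key: bytes, user_id: str) -> str:
    """Permacookie: random device id bound to the user with an HMAC.

    Stored in the browser; a copy stolen from another user's browser is
    useless because the user id is part of the MAC input.
    """
    device_id = secrets.token_hex(16)
    mac = hmac.new(server_key, f"{user_id}:{device_id}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{user_id}:{device_id}:{mac}"


def known_device(server_key: bytes, cookie, user_id: str) -> bool:
    if not cookie:
        return False
    parts = cookie.split(":")
    if len(parts) != 3 or parts[0] != user_id:
        return False
    expected = hmac.new(server_key, f"{parts[0]}:{parts[1]}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, parts[2])


def country_of(addr) -> str:
    for net, country in COUNTRY_BY_NET.items():
        if addr in net:
            return country
    return "??"


def assess_login(server_key: bytes, profile: UserProfile, ip: str, cookie):
    """Return (decision, reasons); called only after password + 2FA succeeded."""
    addr = ipaddress.ip_address(ip)
    # An enabled whitelist is a hard gate: nothing else can override a miss.
    if profile.ip_whitelist and not any(
            addr in ipaddress.ip_network(n) for n in profile.ip_whitelist):
        return "deny", ["ip-not-whitelisted"]
    reasons = []
    if any(addr in net for net in BAD_NETS):
        reasons.append("bad-ip-reputation")
    if country_of(addr) != profile.home_country:
        reasons.append("unusual-country")
    if not known_device(server_key, cookie, profile.user_id):
        reasons.append("unknown-device")
    return ("step_up", reasons) if reasons else ("allow", [])
```

"step_up" is where the site asks for something a phisher relaying codes in real time is unlikely to have: an e-mail confirmation link, a phone call, or a delay before the withdrawal goes through. Keep the reasons list in the audit log; it is what you will read after the fact.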
"Tinfoil never too tight" attacks
Trojan kits with "autosteal" modules targeting Bitcoin sites
Browser add-ons modifying payment data on the fly
Android and iOS malware
SMS capture attacks
Malicious Tor exit nodes
http://thedroidguy.com/2014/06/popular-chinese-android-smartphone-malware-pre-installed-93764
http://www.reddit.com/r/Bitcoin/comments/2573rw/bitcoin_is_secure_because_it_solves_the_byzantine/
Infrastructure security
fail2ban: daemon blocking IPs by continuous log file analysis
(e.g. Apache, SSH, custom application logs)
Attack mitigation as a service proxies: cloudflare.net
Whitehat bounty programs: crowdcurity.com
Known bad IPs: projecthoneypot.org
Hosting provider and physical attacks
Store databases and logs on encrypted partition (LUKS)
Backups as encrypted only: duplicity, GPG
Server-to-server connections: SSH, VPN
Virtual machines are never safe from the hosting provider: whoever controls the host controls your disk and memory
http://blog.bitly.com/#85169217199
Server security monitoring
Log server, FSS (forward secure sealed) logs
Intrusion detection (OSSEC)
Firewalling
http://louwrentius.com/systemd-forward-secure-sealing-of-system-logs-makes-little-sense.html
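What "forward secure sealing" buys you, and where it stops, in a form small enough to run. This is an added illustration for this page, not systemd's implementation (which uses a different, tree-based key evolution scheme) and not code from the slides: the log is sealed with an HMAC under a key that is ratcheted one way after every entry and then discarded, so the only key an intruder can steal from the host is the current one. The verifier holds the initial key off the host. The ratchet label and the sample log lines are constructed.

```python
import hashlib
import hmac


def _ratchet(key: bytes) -> bytes:
    """One-way step: the next key can be derived, the previous one cannot."""
    return hashlib.sha256(b"fss-ratchet" + key).digest()


def _seal(key: bytes, index: int, message: bytes) -> bytes:
    # the index is part of the MAC input so entries cannot be reordered
    return hmac.new(key, index.to_bytes(8, "big") + message, hashlib.sha256).digest()


class SealedLog:
    """Append-only log: each entry is MACed with the current key, which is
    then ratcheted forward and forgotten (constructed example)."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key   # only the *current* key ever lives on the host
        self.entries = []         # (index, message, seal)

    def append(self, message: bytes):
        idx = len(self.entries)
        self.entries.append((idx, message, _seal(self._key, idx, message)))
        self._key = _ratchet(self._key)

    def current_key(self) -> bytes:
        """What an intruder obtains by reading the host's memory or disk."""
        return self._key


def verify(initial_key: bytes, entries) -> bool:
    """Offline verification by whoever kept the initial key off the host.

    Caveat: dropping entries from the tail is not detected unless the
    verifier also knows how many entries to expect.
    """
    key = initial_key
    for expected_index, (index, message, seal) in enumerate(entries):
        if index != expected_index:
            return False
        if not hmac.compare_digest(_seal(key, index, message), seal):
            return False
        key = _ratchet(key)
    return True


def forge(entries, stolen_key: bytes, index: int, new_message: bytes):
    """Intruder rewrites entry `index` using the key stolen at compromise time."""
    forged = list(entries)
    forged[index] = (index, new_message, _seal(stolen_key, index, new_message))
    return forged
```

The test below shows both sides of the property: entries written before the compromise cannot be rewritten with the stolen key, but anything appended after it verifies fine, because forward security says nothing about the future. That boundary is worth keeping in mind when weighing the linked critique against a remote log server, which moves the evidence off the box entirely.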
THANK YOU
opensourcehacker.com Open Source Hacker
linkedin.com/in/ohtis