Enrico Rubboli


Software Engineer and Entrepreneur
Playing with bitcoin - machine learning - go-lang - ruby - python


Security for cryptocurrency businesses


I’ve spent the last few weeks working very hard but with a thought stuck in my head and it’s about security. Many people compare bitcoin to gold, and that’s true if you think of the scarcity of the currency. But the similarities don’t stop here.

When you think about gold, I’m sure you imagine a vault full of shining ingots.

Vault

This is the weakest point of a bank: its reserve. If it gets robbed, the bank is in huge trouble. When the US left Bretton Woods things slightly changed, but the vault remains the place criminals will try to get into. That’s the reason why they’re protected 24/7 by guards and sophisticated security systems. Vaults are also important for Hollywood film-makers, but that’s another story.

I doubt there will ever be an action movie about a group of gangsters stealing bitcoins. In this case the equivalent of a vault is the so-called cold storage (or, in the case of the Bitfinex hack, the multisig wallet of the users, protected by BitGo). It would make a really boring movie.

What makes Bitcoin similar to a vault full of gold is that once the coins are stolen there’s no way to reverse the transaction and get the money back. While a credit card transaction or a wire transfer is ‘traceable’ and eventually reversible, bitcoins are not. This means that the security measures needed when you run a bitcoin business are the same as for a bank vault, with the difference that you’re not facing a single local threat but multiple online world-wide attacks all the time.

What to do

A bitcoin exchange is constantly under attack, and not just from script kiddies but from criminals and organizations that are often hidden in obscure home grounds. To give a better understanding, imagine you have a bank whose vault is out in the street and can be seen by every criminal in the world. You would have to defend the vault 24/7, and just one failure means that your business is gone. This gives an idea of the security needed in the bitcoin field. It’s like playing a football game just defending: you have no way to win, you can only draw - making sure no balls get over the crossbar.

It’s a hard task but here are 13 security steps you should implement with your bitcoin business:

  1. The first is absolutely about your company staff. They must be educated to use all precautions: good passwords, multi-factor authentication, how to deal with social engineering attacks, how to keep their local machines/data safe, etc.
  2. Infrastructure and authorizations should be engineered in order to minimize the authorizations needed for every aspect of your business. Staff members should follow a strict protocol.
  3. The third point is about your customers, who also need to be educated. Multi-factor authentication should be encouraged, strong enough passwords should be enforced, and they should be aware of phishing attacks and other common dangerous situations.
  4. Your infrastructure should keep logs of every action from any software running. It should be auditable, traceable and with high integrity (see OWASP, Error Handling, Auditing and Logging).
  5. When you design your architecture you should follow CCSS guidelines.
  6. You should audit your software against any well-known kind of attack; for example, adding Brakeman for your Rails application to your Continuous Integration system is a good idea to start with. You should use private keys instead of passwords for SSH, and avoid keeping keys or private tokens anywhere on the servers, etc.
  7. You should keep monitoring 0-days and disclosures for any software you have installed on your machines; automated software that can scan several sources and notify you is a good extra.
  8. You should implement tools like OSSEC and GrSecurity and consider your server’s infrastructure immutable with an automated build system.
  9. Good software engineering practices are also part of the security process, such as pull-request discussion or pair programming, automated tests and continuous integration.
  10. Software quality and security should never be negotiable. Any technical debt should be repaid immediately in order to act quickly when needed.
  11. You should periodically have your business pentested by a security firm.
  12. You should limit the potential losses by keeping as many coins as you can offline and implementing an alarm system in case something wrong is detected.
  13. Consider hardware wallets for your cold storage.
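
Step 12 can be made concrete with a small policy check. This is an added example, not code from the original post: the `HotWalletMonitor` class, the 5% hot-wallet cap, the one-hour window and the payout limit are all assumptions chosen for illustration.

```ruby
# Added example: hot-wallet exposure monitor for step 12.
# Class name, thresholds and balances are assumptions, not from the article.
# Amounts are integers (satoshis) to avoid floating-point rounding.
class HotWalletMonitor
  Alarm = Struct.new(:kind, :at, :detail)
  attr_reader :hot

  # max_hot_percent: largest share of total reserves allowed online.
  # window_secs / max_outflow: payout velocity limit per sliding window.
  def initialize(cold_balance:, hot_balance:, max_hot_percent: 5,
                 window_secs: 3600, max_outflow: 30_000)
    @cold = cold_balance
    @hot = hot_balance
    @max_hot_percent = max_hot_percent
    @window_secs = window_secs
    @max_outflow = max_outflow
    @recent = [] # [timestamp, amount] payouts inside the window
  end

  # Amount to sweep to cold storage to get back under the cap.
  def excess_hot
    cap = (@hot + @cold) * @max_hot_percent / 100
    [@hot - cap, 0].max
  end

  # A deposit lands in the hot wallet; returns the alarms it raises.
  def deposit(at, amount)
    @hot += amount
    excess_hot.positive? ? [Alarm.new(:hot_over_cap, at, excess_hot)] : []
  end

  # Decide on a withdrawal request; returns [allowed, alarms].
  def withdraw(at, amount)
    @recent.reject! { |t, _| t <= at - @window_secs }
    outflow = @recent.sum { |_, a| a } + amount
    if amount > @hot
      return [false, [Alarm.new(:insufficient_hot, at, amount)]]
    elsif outflow > @max_outflow
      # Fail closed: hold the payout for manual review and raise the alarm.
      return [false, [Alarm.new(:velocity_exceeded, at, outflow)]]
    end
    @recent << [at, amount]
    @hot -= amount
    [true, []]
  end
end
```

A refused withdrawal leaves the hot balance untouched, so a burst of payouts stops at the limit instead of draining the wallet while someone investigates.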

All of these precautions mean that starting a business in the bitcoin/cryptocurrency field is expensive. You should think twice if you are a startup and be aware of the involved risks. As far as I know no exchange running today has been safe enough to avoid any loss. Another thing to say is that the Bitcoin protocol itself has proven to be rock solid by protecting 9 billion dollars from thieves for years. The weak points are outside the bitcoin protocol, but we should still monitor any core vulnerability.