Cryptocurrency User Security Tips

in crypto •  7 years ago  (edited)
The following is not financial advice.

Welcome to back The Scoop!

In this post, we're going to switch it up a bit. Everyone knows security is important, but not many people actually use strategies to keep their coins safe from trivial bugs and compromise. Let's talk about not only what you shouldn't do, but how to do it better. It's not about being completely safe, that's not how it works. It's about reducing your risk and being safe from attacks can be easily prevented and then one can build up from there.

I'll keep this as a running post, so check back from time to time for updates!

Note: this guide is for users of wallets, exchanges and platforms. There will be a separate guide for devs and ICOs.

DO NOT RUN WALLETS ON YOUR PERSONAL COMPUTER

At the end of the day, you're downloading and running code from the Internet. You might know who wrote it (legit website) and that it's the right file (hash checking), but you're at the end of the chain and don't have many validation tools at your disposal. Your computer will do what the program tells it to, no matter how much or how little you trust the source.

It's not necessary to take on that risk. Just download visualization software, many free ones exist like VirtualBox or pay for Parallels (Mac) or VMware Workstation (Windows). It's worth the cost to reduce your risk and keep your coins much safer.

Then, try not to run multiple wallets on the same VM, or at least group them like '5 risky wallets on this RISK vm' and '3 big name coin wallet on the NORMAL vm', etc. Read a tutorial if you've never used a VM before, it's not hard. Even register an AWS account if you don't have the extra cycles on your current PC or another PC and do it all in the cloud.

How to install Windows on a virtual machine:
https://www.extremetech.com/computing/198427-how-to-install-windows-10-in-a-virtual-machine

Only install a fresh, new copy of the OS, unmolested by any vendors or malware. Once installed, password (passphrase!) protect the VM login and DO NOT USE A WEB BROWSER ON THE VM. Remove the icon so you don't accidentally click on it. Turn off networking if you want to lock it down further. Pause it or shut it down when you're not using it to save memory.

Also, AWS has a free tier option where you can literally setup a Windows box in the cloud and run it for free:
https://aws.amazon.com/free/

DO NOT RUN A WEB BROWSER ON THE SAME PC AS YOUR WALLETS

Fact: websites, through the web browser, can talk to other programs on your computer. That means wallets too.

Critical bugs like this happen (too) often and don't expect developers to start writing secure code anytime soon:
https://github.com/spesmilo/electrum/issues/3374

It's going to take a while before wallet code meets a minimal baseline for security. All the encryption in the world doesn't save you from getting compromised due to a bug in the authentication or parsing code.

IS IT RISKY TO BROWSE FORUMS?

It is quite risky and only going to get riskier as crypto becomes more popular. No one seems to realize this, but the web browser is one of the most buggy, complicated and therefore vulnerable and exploited applications of all time. Chrome, Firefox, IE/Edge, Safari, it doesn't matter: it's constantly loading and parsing untrusted data from whichever site you intentionally or unintentionally click on.

Just google if you don't (want) to believe it:
https://www.google.com/search?&q=browser+exploit

~9m results, from how to exploit web browsers to frameworks to build exploits to why it's the number one avenue of malware infection. Yeah.

Now think about ransomware. 'Bad guys' are already using malware to lock machines until they get crypto from the owners. But they're just targeting random people, some may have crypto already but most already don't. Some care about unlocking their computer today and some would just assume it's time to throw it away and get an upgrade. Let's say there was a place where one knew FOR SURE just about everyone who gathered there had crypto and probably a lot of it. It makes perfect sense if you're that kind of person to target that place and consequently those people. So how would one do that?

All it takes is one compromise of Bitcointalk, Bitcoingarden, or the other 100 popular coin-specific forums or subreddits to attack anyone who visits there.

Multiple ways to do this:

  • Compromise the web server itself and insert an exploit that silently compromises anyone who visits the site
  • Compromise the web site's code (PHP is especially buggy) and insert malicious code that loads on click
  • Compromise the DNS server and point the website to one they control with malware instead of the real site

All of these attacks are well documented and work.

https://www.exploit-db.com/webapps/
https://en.wikipedia.org/wiki/DNS_spoofing

What are the folks running these sites doing to protect themselves and their users from these attacks? Who knows, they very likely don't have expertise to do it themselves or are concerned enough to hire outside parties to help. That's why it's important to know there's risk here and just reduce it as much as you can on your side.

  • Use Chrome (it has a huge security team at Google backing it) and enable site isolation
  • Run Chrome inside a virtual machine
  • Don't click on random links on Slack/Discord/Telegram or via email

No defensive approach can be competent without understanding the offensive side of how these things actually work.

ENCRYPT YOUR WALLETS

This ensures even if the .dat is stolen, no one can access the funds without the (strong) password associated with it.

Then backup your encrypted wallet, ideally to more than one other place. Don't be lazy. Don't lose your wallets. Your coins are on the chain, but your wallet and private key are how to access them.

ENCRYPT YOUR BACKUPS

First, make backups: no one wants to accidentally lose coins if your computer dies. Think about how many times your hard drive has failed and you had to start over. Hard drives didn't suddenly get really good lately, so be prepared.

Then, don't get your backups stolen. Well, at least unencrypted. Stolen hardware sucks, but stolen keys suck much more.

You can easily use Bitlocker to encrypt USB drives on Windows:
http://www.tomsguide.com/faq/id-2318734/encrypt-portable-hard-drive.html

USE CHROME AND TURN ON SITE ISOLATION

Chrome is great both at security and many other areas. What's really set it apart from other browsers lately is this useful new feature called site isolation. It basically hardens the browser to make sure in case one website tries to exploit a bug in Chrome, even if it succeeds, it's hard for them to mess with any of your other open sites or your apps on your computer either.

Easy to reduce your risk by flipping it on:
http://osxdaily.com/2018/01/06/enable-strict-site-isolation-chrome/

If you don't have Chrome, download it from here first and then enable site isolation:
https://www.google.com/chrome/browser/desktop/index.html

LOOK BEFORE YOU CLICK ON LINKS

Phishing is the number one way accounts get compromised today. Always check the address bar before logging it or transferring anything to make sure you are on the right website.

Browsers try to help with this with the lock and "Secure" green or broken lock and red warning, but they aren't perfect.

SANDBOXES, CONTAINERS, VIRTUAL MACHINES?

Yes, sure and please.

They all try to isolate apps from other apps, or machines from other machines as an example for the latter. But they do it in different ways.

  • Sandboxes say "you're only allowed to do these things"
  • Containers say "you can only do stuff in this space"
  • VMs say "i'm a real computer, seriously, you can do whatever you want ;-)" while actually being separate from the host computer

Notice a theme? Restriction. So what's the difference?

Sandboxes and containers are generally a software restriction. Apps with higher privilege telling other apps what they can and cannot do. VMs on the other hand often have hardware support and therefore are able to speak at the bits and bytes level, one of the highest privileges on a computer. So when they speak, apps are more often than not going to have to listen and there's less holes to find and take advantage of at that level.

So which should you use? All if you can, but now you know what's the strongest and why.

BUT CHROME ALREADY HAS A SANDBOX

Sure, it does. And like all other sandboxes, apps telling other apps what to do, it has a history of bugs that let apps bypass it and do what they want.

Just google for it...
https://www.google.com/search?&q=chrome+sandbox+bypass

So use Chrome inside a VM, it's much better.

DON'T KEEP A LOT ON EXCHANGES

Unless you're a day trader, then it's impractical not to. If you're not, don't risk it. Nobody likes paying more, but it's better to just pay the withdrawal fees than lose funds.

DON'T USE EASY PASSWORDS

Easy passwords are 99% the same as no passwords. Trying all the 6-8 characters combinations in the world is cheap these days with modern computing power.

Don't use 'passwords' at all. Use passphrases, like ThisExampleIsOneOfThem!55. It's an easy to remember, 25 character passphrase with basic complexity. That beats the crap out of any 6-10 random stuff you can come up with because not only is it longer, but you can actually remember it.

Reducing your risk in this area is literally a no brainer.

HOW ABOUT PASSWORD MANAGERS

Sure, but use a local one and not a web browser based one. Those have huge attack surface and there's so many examples of trivial compromises...

Password Safe was actually designed by a famous security guy named Bruce Schneier:
https://pwsafe.org

TURN ON TWO OR MULTI-FACTOR AUTHENTICATION

It just makes sense. Looking forward to the day when all exchanges require it.

Would you rather...

  • Someone guess or steal your exchange password and have access to all your funds

or

  • Someone must guess or steal your exchange password AND steal your phone OR email account to get access to your funds

Option 2 reduces your risk significantly by simply flipping a switch and spending a few more seconds when you login.

More details here:
https://uit.stanford.edu/service/webauth/twostep/how

WHAT ABOUT HARDWARE WALLETS

Good idea! But eh, their security hasn't even begun to be tested.

Do you think Microsoft, Amazon, Intel, all the major tech companies who spend millions of dollars and have fully staffed security teams, and still get their products (often quietly) compromised all the time, are going to take a backseat to the folks at a start-up who are working hard, but respectively have little security experience or most importantly the resources to design security from the ground up into their product? And have their assumptions checked by third parties (penetration testing) who specialize in the area? And can maintain integrity of the devices in the factories where they are made against those with even more money? Unlikely.

More on security consulting and pen-testing:
https://www.ioactive.com/services/

A hardware wallet is just a mini computer with a minimal OS, which significantly reduces the attack surface at the software level, but there's a whole other area they have to protect against which is hardware attacks.

One example is when the Trezor got trivially glitched last year:
https://medium.com/@Zero404Cool/trezor-security-glitches-reveal-your-private-keys-761eeab03ff8

Sure, Trezor fixed 'that bug'... but how many more bugs haven't been discovered yet?

Not eager to be an early adopter here. Not saying you shouldn't be, but now you have better data to make the decision.

DON'T TELL PEOPLE YOU HAVE CRYPTO

Maintaining minimal opsec is easy if you just don't blabber to people about it. Would you tell someone how much money you have in your bank account? Of course not. Start linking these things in your mind.

If they ask if you're into crypto, you could brush it off but say it looks like a good investment. Do not say which coins you have or especially how many. Take more control over the memories people have of you and your private business. Think 'need to know' basis.

CREATE ALTERNATE CONTACT INFO

You don't need to use the same email address and phone number for crypto stuff as you use for personal or business life. Keep them separate where possible, it reduces the chance of one leading to the compromise of another and it gives you options.

It's easy to create a new gmail or protonmail (encrypted mail) account, and disposable, proxy phone numbers are valuable for keeping telemarketers and other annoyances away as well:
https://www.wikihow.com/Get-a-Google-Voice-Phone-Number

DOES MINING EQUIPMENT HAVE BUGS TOO

Yes. The industry is going to have a lot of lessons to learn about both software and hardware security.

Such fun, many wow.

WHAT'S THE DEAL WITH VPNS

VPNs allow you to encapsulate your traffic and send it over encrypted an network instead of just using the one you're on. They basically "make all the things SSL", but keep in mind you're still at the mercy of the company providing the VPN to not be malicious. If they are bad, or get compromised, someone now has a front row seat to your traffic. They still can't see your HTTPS traffic, for example, unless they try to MITM it and you blatantly click through the "This site is not secure" or "Bad certificate" warnings, which then they can. So don't do that.

The point is VPNs have a purpose, but know the risks with them. Only use a highly trusted VPN company. Be especially careful with the free ones, they are not recommended: if you're not paying for the product, you are the product. A random VPN provider is 99% as good as no VPN as you're taking a coin flip on them messing with your traffic.

But, VPNs are useful and they have their place, especially if you travel and use wifi whenever you can.

Decent mobile device VPN:
https://www.f-secure.com/en_US/web/home_us/freedome

And that's your scoop!

Nobody is perfect. See anything I didn't quite get right, or needs correction? Please let me know!
Remember, absolutely NOTHING you read on this blog, twitter or otherwise content anywhere on the Internet by the authors is financial advice, so DYOR and be responsible!
One more time in case you didn't see the first two: this is NOT financial advice! Also, The Scoop authors may hold coins discussed here which may creates some bias, but we try to be fair.
Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Thank you for posting this-- I wrote a crypto security guide last year and was hoping to update it this year. Your article turned me on to some new techniques and explanations... thank you!

Glad you found it useful, the more info out there the better!

Looking forward to your updated guide as well.