Category Archives: Security

The next step in the evolution of Bitcoin exchange security?

Via Luke Parker @ bravenewcoin.com

  • “KeepKey and ShapeShift recently announced a partnership to create the first fully trustless and highly secure process for trading cryptocurrencies. According to KeepKey, beta testing will begin next week”
  • “According to ShapeShift, the integration is the first time users can store and trade digital assets without ever having to expose their private keys to the internet. “This is a HUGE step forward in security for traders,” the exchange wrote”

Read more here.

BITCOIN PAPER WALLETS ARE NOT SAFER THAN HARDWARE WALLETS

Via Bitcoinnewsmagazine.com

[Editor's note: A recent Bitcoin exchange hack has pushed personal Bitcoin security back onto centre stage, and rightly so:

  • If you are new to Bitcoin, make sure you do your research and learn ‘Cold Storage’ techniques for safe long-term storage of Bitcoin (even more so if you are investing a lot of money into Bitcoin).
  • For online hot wallets and accounts, always enable Two-Factor Authentication (2FA) for added security.
  • If you are not actively trading, do not leave Bitcoins on centralised exchanges for extended periods.]

Also note one of the golden rules of paper wallet usage:

  • “When you need to use bitcoin in a paper wallet all the bitcoin should be swept into a wallet like Electrum or blockchain.info from where you can then spend bitcoin. Never try to spend directly from your paper wallet, and after emptying your paper wallet and making your purchases create a new paper wallet for storage”

Bitcoin Paper Wallets Are Not Safer Than Hardware Wallets

What can we learn from the multiple ShapeShift.io hacks

Guest Post By Vitor Jesus (Cyber Security Expert) – 04-09-2016.

Originally posted @ vitorjesusicsnetwcybersec.blogspot.co.uk

Shapeshift.io is a startup revolving around Bitcoin (one of my lateral interests and a movement I follow quite closely). Last week they reported coins having been stolen. More than that, Erik Voorhees wrote a fascinating report of how it happened. It is a story I will be using in many talks.

My first reaction, shared in a reddit post, is that they actually didn’t do anything fundamentally wrong. They’re a startup so getting the business up and running is the goal. This means they have no cybersecurity office and, worst of all, they are all tech people which unfortunately gives a stronger sense of “we don’t need a cybersecurity programme because we have firewalls”.

I have been working with tech startups that have an immensely skilled army of developers and managers, but that show quite an alarming unawareness of many basic concepts of cybersecurity.

As I often say, cybersecurity is 20% about firewalls and 80% about organisational processes. In this case, what failed was the human element:

  • Do not leave computers unlocked
  • Do extensive background checks on new starts

But who has never left a laptop open and logged in? I keep doing it even in public places. And how thorough and reassuring can background checks be?

There are, of course, many tactical improvements possible: secured critical operations, segregation and air gaps of critical assets, much clearer/crisper separation of duties, much much better auditing, much much much better accounting, etc. Beyond making the system harder to exploit, above all they would make it easier and much faster to understand what happened.
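Two of the controls listed above, separation of duties for critical operations and auditing that can be trusted after the fact, can be sketched in code. The following is an added example, not ShapeShift's code and not something the post's author wrote: a hypothetical withdrawal desk in which a high-value withdrawal needs two distinct approvers who are not the requester, and every decision is appended to a hash-chained audit log whose integrity can be checked later. The threshold, the user names and the approver set are constructed sample values.

```python
"""Dual-control withdrawals with a tamper-evident audit log (added example).

Hypothetical model of two controls: separation of duties (no one person
can request and release a high-value withdrawal) and auditing (every
decision is appended to a hash-chained log that can be verified later).
"""
import hashlib
import json
from dataclasses import dataclass, field

HIGH_VALUE_THRESHOLD_BTC = 1.0  # constructed sample threshold, not a real policy value
GENESIS = "0" * 64              # previous-hash value for the first log entry


class PolicyViolation(Exception):
    """Raised when an action would breach separation of duties."""


@dataclass
class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash."""
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any edited, dropped or reordered entry breaks it."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            body = json.dumps(entry["event"], sort_keys=True)
            if hashlib.sha256((prev + body).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


@dataclass
class Withdrawal:
    wid: str
    amount_btc: float
    requested_by: str
    approvals: set = field(default_factory=set)
    released: bool = False


class WithdrawalDesk:
    """Request / approve / release workflow enforcing dual control."""

    def __init__(self, approvers: set, log: AuditLog):
        self.approvers = approvers   # constructed: who may approve at all
        self.log = log
        self.pending = {}

    def required_approvals(self, amount_btc: float) -> int:
        return 2 if amount_btc >= HIGH_VALUE_THRESHOLD_BTC else 1

    def request(self, wid: str, amount_btc: float, user: str) -> Withdrawal:
        w = Withdrawal(wid, amount_btc, user)
        self.pending[wid] = w
        self.log.append({"type": "request", "wid": wid,
                         "amount_btc": amount_btc, "by": user})
        return w

    def approve(self, wid: str, user: str) -> int:
        w = self.pending[wid]
        if user not in self.approvers:
            raise PolicyViolation(f"{user} is not an approver")
        if user == w.requested_by:
            raise PolicyViolation("requester may not approve their own withdrawal")
        if user in w.approvals:
            raise PolicyViolation("duplicate approval by the same person")
        w.approvals.add(user)
        self.log.append({"type": "approve", "wid": wid, "by": user})
        return len(w.approvals)

    def release(self, wid: str) -> bool:
        w = self.pending[wid]
        needed = self.required_approvals(w.amount_btc)
        if len(w.approvals) < needed:
            raise PolicyViolation(f"{needed} approvals required, have {len(w.approvals)}")
        w.released = True
        self.log.append({"type": "release", "wid": wid,
                         "approved_by": sorted(w.approvals)})
        return True


if __name__ == "__main__":
    log = AuditLog()
    desk = WithdrawalDesk({"alice", "bob", "carol"}, log)   # constructed names
    desk.request("w1", 5.0, "alice")
    desk.approve("w1", "bob")
    desk.approve("w1", "carol")
    desk.release("w1")
    print("log intact:", log.verify(), "entries:", len(log.entries))
```

The hash chain only makes tampering detectable, not impossible: whoever can rewrite the whole log can recompute every hash, so in practice the latest hash would be periodically copied somewhere the wallet operators cannot write to. The point the post makes still holds: with a log like this, reconstructing what happened after an incident is a matter of reading and verifying it rather than guessing.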

Sharing the story, with care not to reveal too much, was a good thing to do in my opinion. I do have a few unanswered questions but I also feel it was an honest report. It assured customers: everyone will be hacked at some point and cybersecurity is mostly about minimising damage to the least (reasonable) extent when it happens and not preventing it.

The fact that their source code is on the loose is alarming, though. They should subject it to a thorough analysis (by a 3rd party!) and set up a bug bounty programme. They are a business that relies on exposure to the public internet, and I can only imagine how many people are trying to exploit it.

Finally, in the words of Erik Voorhees, there is also this valuable lesson, so well formulated:

“Though it sounds cliché, (…), do yourself a favor and bring in 3rd party professional help very early. We hadn’t needed it at first, because we were small. But growth creeps up on you, and before you know it you are securing significant assets with sub-standard methods”