Minimum Viable Security

Mason
12 min read · Aug 15, 2018


The least you can do to frustrate would-be hackers.

2018 is on track to be the busiest year ever for crypto hacks. As of June of this year, losses from crypto attacks were estimated to total around $2.3 billion, and hackers have shown no signs of slowing down. If you hold or use cryptocurrency in any capacity, it’s worth taking extra precautions to protect your funds from would-be thieves.

Taking protective measures does not need to be difficult or stressful — the best way to shield yourself from these attacks is to understand the means by which hackers are entering private systems, understand the entry-points that the hackers may target, and explore simple solutions that can protect against their go-to attack vectors.

Attack Vectors — Types of Attacks

The majority of hacks come in three forms:

Phishing — A social engineering attack where the hacker will masquerade as a known service in order to harvest email credentials or payment.

Example: The Bitpay Phishing Attack

In December 2014, executives of BitPay, a popular payment service for Bitcoin, were tricked into giving away $1.8 million to hackers through a deceptively simple phishing attack. The hack began when the attacker gained unauthorized access to the email account of David Bailey, CEO of BTC Media — a cryptocurrency media company that worked closely with all of the major Bitcoin companies at the time. After gaining access to Bailey’s email, the hacker used it to send an email to the CFO of BitPay, Bryan Krohn, which contained a link to a Google Doc that Krohn clicked.

The image to the left is likely what the CFO saw once he clicked the link — a login page which looks just like the Google Login page but with a different URL not affiliated with Google. Krohn then attempted to log in through the fake login portal, allowing the hacker to capture the CFO’s credentials. The hacker then used those credentials to log in and monitor Krohn’s email, taking time to understand the internal operations of the company — including how its executives interacted, the vendors they worked with, and most importantly, how they moved money.

The hacker then sent an email to Bailey from Krohn’s account, requesting a 3,000 BTC payment to BTC Media. The payment address the hacker provided was his own, and Bailey sent the requested Bitcoin directly to the hacker’s account. The funds were never recovered.

Data Breach — An attack where a hacker manages to penetrate the servers of an enterprise and harvest a list of users’ login credentials.

Example: Enigma MPC Database Breach

When popular services like Facebook, Dropbox, or Adobe have their services breached, hackers typically can — and often do — steal a list of their users’ emails and passwords. Hackers will then attempt to use those logins on other popular services, to try and gain access to the accounts of users who use the same credentials across multiple platforms. In August of 2017, hackers were able to find an email and password belonging to the CEO of Enigma MPC, a popular blockchain platform, in the hacked database of Ashley Madison, a discreet dating website. The hacker took the Ashley Madison credentials and was able to access the CEO’s Github account, Slack channels, and email servers. The hacker was able to use these channels to convince prospective investors, token buyers and others to send funds to his private wallet — making off with about $500,000 in funds.

Phone Porting — A social engineering attack where the hacker will use personal information from the account holder at a cell phone carrier for the purpose of redirecting the calls and messages to a phone number they manage.

Explanation: Phone Porting Hacks

Phone porting attacks are relatively simple, but can be the most compromising. To execute one of these attacks, a hacker typically only needs the last four digits of your social security number and your home address. Acquiring this information is easier than most people realize — both pieces of information are likely readily available in breached databases or are for sale on the dark web. With these two items in hand, the hacker can walk into any major phone carrier and request that all correspondence be directed to a phone number owned by the hacker. The hacker then has the power to take over any account that is associated with the previous phone number, whether it is a Gmail account, Twitter, or Facebook.

With this level of access, the hacker will begin contacting personal and professional contacts. The most common claim is that an accident has occurred that necessitates a cryptocurrency payment. The fabricated accident can range from a close relative going to the hospital to the kidnapping of a child.

Public examples of phone porting hacks are hard to come by, as these attacks tend to target individuals’ personal crypto holdings. However, anecdotally, we have heard of multiple $10 million+ heists as a result of such attacks.

Attack Surface — Points of Entry

Now that we have a sense of what types of attacks we are protecting against, the next step is to consider what services may be targeted or affected by these attacks. Ideally, the safeguards we put in place would protect all of the services you use, but this is not always practical. As a pragmatic first step, we can look at the following:

  • Email service providers: Gmail, Yahoo, Hotmail
  • Cloud data storage: Box, Dropbox
  • Social Media Services: Facebook, Twitter

These are typically the highest value accounts to a hacker. They are looking for any platforms that might contain sensitive data or through which they can reach out to your professional or personal contacts, pretending to be you.

Minimum Viable Security — The Tools You’ll Need

We’ll use three tools to directly defend against the attacks we’ve discussed so far by integrating them with our use of the high-risk services listed above:

Password Manager

A password manager can be used to protect against any attacks that may result from third-party database breaches. While it won’t directly protect against an attack on the platform where the database was compromised — as a hacker will have your login information for that specific service — it will mitigate the potential fallout and ensure that login will not give them access to your other sensitive accounts.

With a password manager, a single password unlocks an application which manages the passwords for all of the services you use on the internet. When properly configured, the password manager should “autofill” your username and password when you go to log in to a service, such that you only need to press enter and (ideally) enter a two-factor authentication code — which I’ll explain further in just a moment.

It is important to remember that if you can memorize your password, it’s not a good password. The password manager can also generate unique, hard-to-crack passwords for all of the services you use, the goal being that if a single service has its database compromised, only your password for that specific service is compromised.

Yubikey

Adopting a Two Factor Authentication mechanism that is not tied to your cell phone carrier is a good next step. Two Factor Authentication, also known as 2FA, requires you to input not only a password and username when logging in, but also something that only the user physically has on their person that can verify their identity. To implement 2FA in your daily life, we recommend using Yubikey, which is a small and portable 2FA hardware device specifically designed to protect against potential phishing attacks. You simply carry the Yubikey with you, and tap it when a service requests your two-factor authentication code.

Google Authenticator is another good 2FA solution that can be easily set up on your phone, but it does not have the same level of phishing safeguards — so for our purposes we would recommend using Yubikey’s platform over Google’s.
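To show why a security key resists the phishing that defeats an authenticator code, here is an added, simplified model written for this post (not Yubico’s or Google’s implementation): `totp_code` is standard RFC 6238 TOTP, while `SecurityKey` stands in for a U2F key, with an HMAC replacing the real per-site ECDSA key pair so the relying party holds the same secret. The function names and the lookalike origin are constructed for this example.

```python
import hashlib
import hmac
import secrets
import struct
import time


def totp_code(secret, t=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1). The code depends only on the shared secret
    and the clock, so a code typed into a fake login page can be replayed to
    the real service within the same 30-second window."""
    counter = int((time.time() if t is None else t) // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class SecurityKey:
    """Stand-in for a U2F/FIDO key. Assumption: HMAC replaces the real
    per-site ECDSA key pair, so the relying party holds the same secret."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, challenge, browser_origin):
        # The browser, not the web page, tells the key which origin it is on;
        # the page cannot lie about this, and the origin is bound into the signature.
        return hmac.new(self.secret, challenge + browser_origin.encode(), hashlib.sha256).digest()


def verify_assertion(key_secret, challenge, rp_origin, assertion):
    """The real service checks the signature against its own origin."""
    expected = hmac.new(key_secret, challenge + rp_origin.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def phishing_relay(key, rp_origin, phish_origin):
    """A lookalike page relays the real challenge to the user, who taps the key.
    Returns whether the real service would accept the resulting assertion."""
    challenge = secrets.token_bytes(32)
    assertion = key.sign(challenge, phish_origin)
    return verify_assertion(key.secret, challenge, rp_origin, assertion)
```

A TOTP code captured on the fake page is still valid at the real site for the rest of the window; the key’s assertion is not, because it was signed for the fake origin.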

Project Fi

Project Fi is a full-service cell phone carrier operated by Google that has no physical stores, offers rates that are highly competitive with the major incumbents, and is compatible with both Apple and Android phones. What makes it ideal for our purposes is the fact that it requires no human interaction to set up and manage a Project Fi account. Since phone porting requires a hacker to do some social engineering — i.e., manipulating the emotions and sympathies of a human staff member to gain access to your phone — Project Fi is the perfect defense against this type of attack.

Implementing Our Tools

Password Manager — Initial Set-Up

  • We recommend using either Lastpass or 1Password, which can be downloaded and installed from their respective websites — here and here. For our purposes, we will be demonstrating how to set up Lastpass Enterprise. If using Lastpass, it’s recommended that you only use the browser plug-in and avoid setting it up on the device itself.
  • First, let’s download the Lastpass Chrome app. In your Google Chrome browser, go to the link found here. Next, click Add to Chrome to install the application.
  • In your Google Chrome browser, go to the Lastpass website here. We’ll be using the enterprise account, because it enables Yubikey integration. On the signup page, you’ll be prompted to provide a bit of generic information as shown below. Once you’ve entered all your information click “Create Enterprise Trial.”
  • Next, click Set Password, and you should be prompted to set your master password. Select a master password — something different from all of your other passwords and at least twelve characters long. If your password is a bit too long, it’s OK to write it down on a piece of paper until you have it memorized.

Two-Factor Authentication — Initial Set Up and Integration with Lastpass

  • Next, we want to integrate Yubikey with your Lastpass account.
  • Open the Lastpass application and select Account Settings, on the left hand side.
  • Under Multifactor Options, scroll to the Yubico row. Click the pencil on the right side of the Yubico row.
  • After the Yubikey options load, select the Value under the Enabled option and set it to Yes.
  • On the YubiKey #1 row, click into the empty box, insert your Yubikey and touch the metal tab on your Yubikey. The empty box should now be populated. Click Update. Your Yubikey and Lastpass are now integrated.
  • Log out and Log in to test your integration.

Yubikey Two-Factor Authentication — Example Integration with Gmail

  • To demonstrate how to use these tools in a real-world application, we are going to set them up to work with our Gmail account.
  • Log into your Gmail account. Then, click on your account picture in the upper right hand corner, and click Google Account.
  • Select Sign-in & Security.
  • Scroll down to the Password & sign-in method section and click 2-Step Verification.
  • Click Get Started and enter your password to continue.
  • You’ll need to set up your phone initially as a two-factor method. This is a requirement by Google; we’ll need to make sure to remove it later. If you don’t see the prompt to enter your phone number, simply continue to the next step. Enter your number, click Next, and enter the code when you receive it on your phone.
  • Scroll down and select Choose another option near the bottom. Select Security Key. Make sure your Yubikey is plugged in and select Next.
  • Touch the metal tab on your Yubikey. Next, enter a name for your Yubikey and select Done.
  • You should see the following once you’ve set up the Yubikey.
  • Next, we’ll need to remove our phone. Scroll to the Voice or text message section, click the pencil on the right.
  • Once the phone settings appear, click Remove Phone.
  • IMPORTANT: If you have a recovery email or phone number for any of your high-profile accounts, it is recommended that you remove them. A recovery phone number opens your account up to phone porting attacks, and a recovery email that has weaker security provisions than your current account will open it up to risk. For your Gmail account, you can ensure your phone is no longer linked by checking that your Account recovery options — below your Sign-in and security page — appear as shown below.

Password Manager — Example Integration with Gmail

  • First, we will want to reset your Gmail password.
  • Go to log into your Gmail account. When you do so, in addition to being asked for your password, you should now be prompted to use your Yubikey as a second step. Enter your password, connect your Yubikey to your computer and touch the metal tab. This should allow you to log in.
  • Then, click on your account picture in the upper right hand corner, and click Google Account.
  • Select Sign-in & Security.
  • Scroll down to the Signing in to Google section and click Password. Enter your current password to continue.
  • At this point, you should have the Lastpass browser plugin installed and be logged into Lastpass. Under New Password, click the lock with the circle around it. This will generate a new, complex and unique password for you to use for your Gmail account.
  • Click More Options and click Copy to copy your new password to your clipboard.
  • Paste your new password into the corresponding New Password boxes on Gmail and click Change Password.
  • You should see a pop-up on the top right hand corner of your browser asking if you’d like to add your Gmail username and password to Lastpass. You may want to hover over and click Edit to confirm that the username and password are correct. Otherwise, just click Add.
  • To test your LastPass integration, log out of your Gmail account. Go to log in again, and you should see your password automatically entered for you, as shown below. This should now occur every time you visit Gmail. If your password manager does not autofill the password box, in this instance or in any other instance going forward, it means you are not on the real Gmail site, and are being phished. This goes for any service or site that you use a password manager for.
  • Click next, and you should still be prompted to connect your Yubikey. Do so, and then tap the metal tab.
  • If successful, your account is now protected by your password manager and Yubikey.
  • Reset the passwords on all of your high-risk accounts following the same general steps.
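As an added illustration written for this post (not LastPass or 1Password code) of the two properties described in the Password Manager section and tested in the last steps above: the toy vault generates a distinct random password per service, fills credentials only when the page’s exact origin matches the one the credential was saved on (so the Bitpay-style fake login page on a different URL gets nothing), and flags passwords reused across services, which is what the Enigma breach exploited. `Vault`, `origin_of` and the sample origins are constructed for this example.

```python
import secrets
import string
from urllib.parse import urlsplit

# Character set for generated passwords; secrets is the CSPRNG for this job.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """Return a random password that is unique to one service."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def origin_of(url):
    """Scheme + host of a URL: the only key autofill is allowed to match on."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}".lower()


class Vault:
    """Toy password-manager vault (constructed model, not a real product)."""

    def __init__(self):
        self.entries = {}  # origin -> (username, password)

    def add(self, url, username, password=None):
        origin = origin_of(url)
        self.entries[origin] = (username, password or generate_password())
        return self.entries[origin]

    def autofill(self, url):
        """Credentials for an exact origin match, else None.
        A lookalike host or a downgrade to http never matches."""
        return self.entries.get(origin_of(url))

    def reused_passwords(self):
        """Groups of origins sharing one password: one breach exposes all."""
        by_password = {}
        for origin, (_, password) in self.entries.items():
            by_password.setdefault(password, []).append(origin)
        return [origins for origins in by_password.values() if len(origins) > 1]
```

If `autofill` returns None on a page that looks like a login you have saved, the page is not the origin you saved it on, which is exactly the phishing signal the test step above describes.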

Project Fi

  • Sign up for service at https://fi.google.com/. Once you get through the sign-up process, Project Fi will ship you a SIM card that you can plug right into your phone to get started.
  • If you prefer Android phones, you can use any of them found on this list with Project Fi https://fi.google.com/about/phones/.
  • If you prefer the iPhone, you can get set up on an unlocked iPhone by following the instructions here.

Keeping Your Protections Up to Date

In order to ensure your protections are always up to date, it is important to regularly review what the latest and most common attack vectors are. When you do come across a new threat you’d like to protect against, you should determine which services could potentially be affected, and then do some online research to determine the best way to update your defenses to protect against it.

If you have any questions about any of the material covered in this post, or any attack vectors or entry points that were not covered or which you come across in the future, please do not hesitate to contact me on Twitter at @masonic_tweets.
