Being the smart investor that you are and having seen the astonishing rise in both popularity and price of crypto assets, you have diligently acquired some of this newfangled internet money.
Congratulations, you are already ahead of the herd! Now comes the hard part: how do you store and transact with it securely?
Hacks, (spear) phishing, malware and other potentially devastating attacks are a daily occurrence in this sphere, and unlike similar events in the traditional banking industry there is often no avenue for recourse, due to the decentralized nature of the assets involved.
Defining Your Threat Model
The first thing you should do to improve your security posture and to create and deploy an adequate, effective set of countermeasures and mitigations is simple: define a Threat Model on which to base your hardening efforts.
A Threat Model is essentially the set of assumptions under which your entire defensive approach will operate.
Declaring a Threat Model that fits your situation and requirements is not as easy as it seems, because in InfoSec every action you undertake is a balancing act and you often end up compromising between usability and security.
The feasibility of a hack is determined by 3 simple factors:
- Resources/Capabilities at the disposal of the attacker
Be reasonable when declaring your threat model. For example, you are unlikely to be specifically targeted by a nation state / APT (Advanced Persistent Threat), so it is not useful to devote a lot of time and resources to planning for such an event. By covering fringe cases you divert precious time and resources that would be better spent securing yourself against broader, more likely attack vectors.
Different Types of Attacks
There are two main types of attacks and they are substantially different in nature:
- Opportunistic Attacks
- Targeted Attacks
Opportunistic attacks are, as the name suggests, opportunistic in nature and the most prevalent. The attacker is simply casting a net and picking up whichever fish are unlucky enough to be trapped in it.
A typical attack of this type is a mass phishing campaign, a phishing website posing as a widely used service or a compromised website serving malware.
Targeted attacks are rarer but often pose additional risk because they are specifically tailored to compromise a particular victim, be it an organization, a group of users with common interests or a specific person.
An example of this type of attack is a spear phishing campaign or a hack targeting a crypto investor's poorly secured devices and accounts.
Here’s a brief and non-exhaustive list of different attack vectors:
- Compromise due to password reuse
- Watering Hole attacks
- Generic Malware
- Spear Phishing
Introducing an important concept: Defense In Depth
A good defensive strategy should take a layered approach to securing digital property and devices to maximize the cost of mounting a successful attack for an adversary.
By deploying multiple layers of countermeasures you can both significantly enhance your chances of avoiding compromise due to opportunistic attacks and make you a far less attractive target for Targeted Attacks.
Remember, you don’t necessarily have to outrun the predator – often it’s enough to just run faster than the rest of the herd.
Another term that is often used in InfoSec circles is ASR (Attack Surface Reduction). It describes the practice of limiting the exposure of something (be it a service, a device or something else entirely) to the outside world, thereby reducing its exploitability.
To summarize, a well crafted defense plan should make it significantly harder for an attacker to advance and gain a foothold in the resource they want to compromise, be it a network, a device or an account.
Now that you have a grasp on basic security concepts and terminology we can finally get to the meat of things, no more boring theoretical stuff I promise!
In this section I will illustrate some extremely simple tips, countermeasures and best practices to harden your digital footprint.
Some of the tools & techniques illustrated are platform agnostic and some are only applicable to specific OSes or devices.
As the most widely used Operating System, Windows is a prime target for malicious actors but fortunately due to its ubiquitous presence there are a myriad of security solutions we can adopt.
Harden Your Environment
Keep your OS & software up to date!
This simple but often neglected bit of advice is worth repeating as a lot of successful exploits leading to compromise are due to security bugs that have been patched by the vendor but not applied by the end-user.
If the programs you habitually use offer an auto-updater or update reminder feature, take advantage of it!
Never ever use the DNS servers provided by your ISP.
DNS hijacking/poisoning attacks, while not extremely common, are difficult to detect and can cause huge losses.
ISPs generally have poor security practices in place, as offering a DNS service is certainly not their core business; as a result they often run poorly maintained systems with lax security serving a large number of users, a recipe for disaster!
Use recursive DNS services from a competent provider like OpenDNS or, even better, OpenNIC, and always prioritize resolvers offering DNSSEC. This has the added advantage of significantly increasing your privacy, as your ISP can't easily see your lookup requests and therefore which websites you are visiting.
Remember that when using a VPN you are shifting trust from the local network to the remote one under the control of the VPN provider, and that a VPN is NOT a shield against everything. A malicious VPN node you are connected to can potentially do a wide range of nasty things, so be careful whom you trust. I will mention the following two VPN providers purely as a reference for what to look for in a trustworthy VPN provider; keep in mind there are definitely other reputable providers:
Use Windows 10 Build 16299 or later if at all possible!
Microsoft introduced several exploit mitigation features in the Fall Creators Update. You can access them by going to Options → Updates & Security → Windows Defender → Open Windows Defender Security Center → App & Browser Control → Exploit Prevention Settings.
Make sure everything is set to "On".
Both HMP and Zemana are very effective solutions tailored for consumer users; they don't require the user to fiddle with complex settings and mostly "just work" by discovering installed applications, grouping them into categories using pre-defined templates and hooking them into the exploit mitigation engine.
Use complex (longer than 16 characters, containing numbers, lowercase and uppercase letters and symbols) AND unique passwords, created and managed using an offline password manager.
Never reuse a password across different accounts: a database leaked from a compromised service containing your password, even in hashed form, could let an attacker gain access to additional resources protected by the same password.
I recommend using either KeePass or the excellent alternative developed by renowned cryptographer Bruce Schneier, Password Safe. If you are paranoid you can require both a password AND a keyfile to unlock the credentials database in KeePass.
Install the excellent HashTab utility to quickly compute hashes and attest the integrity of files you download. It integrates seamlessly with Windows File Explorer, so no fiddling with the command line is required!
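The same integrity check HashTab performs, written out as an added example (not code from the original article or from the HashTab project): stream the downloaded file through SHA-256 and compare the result, in constant time, against the line a vendor publishes in a `sha256sum`-style checksum file. The file name `wallet-setup.exe` and the file contents are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash large installers in 1 MiB pieces instead of reading them into memory


def file_digest(path: str, algorithm: str = "sha256") -> str:
    """Hex digest of a file, streamed in chunks (the same value HashTab or sha256sum would show)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksum_line(line: str, algorithm: str = "sha256") -> tuple:
    """Parse one line of a vendor's sha256sum-style file: '<hex>  <name>' or '<hex> *<name>'."""
    digest, _, name = line.strip().partition(" ")
    name = name.lstrip(" *")
    expected_len = hashlib.new(algorithm).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError("malformed %s checksum line" % algorithm)
    return digest.lower(), name


def verify_download(path: str, checksum_line: str, algorithm: str = "sha256") -> bool:
    """True only if the file's digest matches the published one; compared in constant time."""
    expected, _name = parse_checksum_line(checksum_line, algorithm)
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def write_sample(content: bytes) -> str:
    """Write constructed file contents to a temp file and return its path (demo helper)."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    # Constructed sample: the SHA-256 of the bytes "abc" is a well-known test vector.
    published = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  wallet-setup.exe"
    good, tampered = write_sample(b"abc"), write_sample(b"abd")
    print("genuine download verifies:", verify_download(good, published))      # True
    print("one-byte change verifies:", verify_download(tampered, published))   # False
```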
Secure your Browser
Use ASR techniques to harden your browser, as it is one of the most common and easily exploited entry points into a system. No browser offers perfect security, but Chrome and Firefox are both strong contenders for the title of most secure. Chrome is generally regarded as the most secure browser, but this is a rapidly changing environment and you should not base your choice of browser solely on this.
Use the following extensions:
- Useful to eliminate virtually all ads from your browsing experience, decreasing both data usage and page rendering time, further reducing your attack surface and removing the possibility of infection by malware delivered through malvertising.
- Extremely useful to take full advantage of SSL-secured websites; it works by forcing page requests and the returned content to be served over an encrypted connection.
- Useful to eliminate tracking scripts and miscellaneous privacy-eroding stuff.
- A basic blacklist to avoid falling victim to scripts that use your system resources to mine cryptocurrencies (usually Monero).
Consider using a firewall to prevent data exfiltration and unwanted connections, both inbound and outbound. I suggest the excellent TinyWall, a minimalist and lightweight firewall GUI built on the default Windows firewall engine. Another good choice, offering comprehensive data reporting and analytics about the status of your network, is GlassWire.
Use proactive security measures specific to crypto to safeguard your funds
Choose carefully which wallets you trust with your funds.
The best software wallets from a security (not privacy!) standpoint are, in my opinion, MyCrypto/MyEtherWallet and MetaMask on a desktop platform, and Trust Wallet and Walleth on iOS and Android respectively. Walleth has the added bonus of being the only wallet on Android that supports a hardware wallet (Trezor) through an OTG cable.
The Bitcoin platform is more mature, and Electrum, Armory and Mycelium stand out as full-featured software wallets with an eye for security, offering several advanced options and support for multisig wallets.
Always enable 2FA where possible.
The vast majority of exchanges support two second-factor authentication methods: TOTP and SMS based.
- SMS-based 2FA suffers from some obvious vulnerabilities, such as the possibility for a skilled attacker to initiate a portability request on your phone number, rerouting the code to a device under their control, or even intercepting the data in transit.
- TOTP authentication is to be preferred when possible, and Google Authenticator is more secure than Authy provided you save the 2FA secret used to derive the TOTP codes, so that you are able to migrate to another device in case of loss or theft of your primary one.
An even better solution is a dedicated hardware 2FA token supporting the newly ratified FIDO U2F standard, such as a YubiKey 4. Unfortunately support for this authentication method is still lacking.
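To make the point about backing up the TOTP secret concrete, here is an added example (not code from the original article, Google Authenticator or Authy) that derives RFC 6238 codes from the base32 secret an exchange embeds in its enrolment QR code, and checks a submitted code the way a server would. The secret used is the RFC 6238 reference key, constructed here for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret from the enrolment QR code; apps accept it unpadded and spaced."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, unix_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(decode_secret(secret_b32), unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift, compared in constant time."""
    return any(hmac.compare_digest(totp(secret_b32, unix_time + d * step, step), submitted)
               for d in range(-window, window + 1))


# Constructed sample: the RFC 6238 reference key (ASCII "12345678901234567890"), base32-encoded the
# way an exchange would embed it in the enrolment QR code or show it as a "manual entry" key.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    # Any device holding this string produces the same codes, so back up the string, not the app.
    print("backup this secret:", DEMO_SECRET_B32)
    print("code at T=59:", totp(DEMO_SECRET_B32, 59))  # 287082 (RFC 6238 Appendix B, 6 digits)
    print("code now:     ", totp(DEMO_SECRET_B32))
```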
Generally speaking Hardware Wallets are a far superior choice compared to software solutions, being designed with security in mind from the ground up and not as an afterthought. By relegating the keys and the signing process to an isolated and trusted environment they are impervious to almost all attack vectors, specifically affording a high degree of protection against remote attacks.
I personally prefer the Ledger Nano S to the Trezor (both the original and the T model) from a security point of view, thanks to Ledger using a Secure Element certified to EAL 5+ to store the keys and handle all cryptographic operations, instead of a generic ARM MCU like the Trezor.
The Ledger Nano S offers a fantastic feature that lets you store funds in a hidden wallet protected by a passphrase you set, which acts like a 25th word in the recovery seed.
This feature is critical if you want to maintain plausible deniability when forced to disclose the contents of your wallet; get familiar with it and practice using it.
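The "25th word" is the BIP39 passphrase: the recovery words and the passphrase are fed together through PBKDF2-HMAC-SHA512 to produce the wallet seed, so each distinct passphrase (including an empty one, a typo or a stray trailing space) opens a different, initially empty wallet. The following is an added example, not code from the article or from Ledger; it uses the first BIP39 reference test vector as a constructed mnemonic and does not validate the word list or checksum.

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.
    The passphrase is never stored on the device or written on the recovery sheet, so an
    attacker holding only the 24 words gets the decoy wallet, and a forgotten passphrase
    cannot be recovered from anything else."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64)


def compare_passphrases(mnemonic: str, passphrases: list) -> dict:
    """Map each passphrase to the first 16 hex chars of the seed it yields, to show that
    even near-identical passphrases land in unrelated wallets."""
    return {p: bip39_seed(mnemonic, p).hex()[:16] for p in passphrases}


# Constructed sample: the first BIP39 reference test vector (all-zero entropy, 12 words).
# A real 24-word hardware-wallet seed is processed exactly the same way.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])

if __name__ == "__main__":
    # Practising the feature means verifying that the passphrase you typed opens the wallet
    # you expect; every variant below is a different wallet.
    for p, tag in compare_passphrases(TEST_MNEMONIC, ["", "TREZOR", "trezor", "TREZOR "]).items():
        print(f"passphrase={p!r:12} seed prefix={tag}")
```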
If you are interested in learning more about the way hardware wallets operate I urge you to read these fairly technical deep-dives:
Use a Cryptosteel to securely store your mnemonic recovery seed, and if you have concerns about someone physically accessing the seed, consider splitting it in half and storing each part in a different location, making it harder for an attacker to gain possession of the whole seed.
Mac OS X
Mac OS is an excellent choice if you are a security-conscious user, but don't believe the "Macs don't get viruses / can't be compromised" myth. Mac OS X offers a straightforward way to properly encrypt your storage in the form of FileVault; take advantage of it! Generally speaking I'm not a big believer in antivirus solutions on a Mac, since most of the available signatures and definitions used to identify and neutralize threats are written for strains of malware targeting Windows.
I do recommend the excellent Little Snitch network inspector/firewall; it is extremely useful for preventing data exfiltration, for example by a piece of malware that has installed itself on the system and is siphoning data (like a private key) back to a Command & Control server under the attacker's control.
If you use Linux for your day-to-day computing you are probably a power user who already feels strongly about privacy and security, and there isn't much advice I can give you other than to use LUKS and apply the browser hardening techniques described in the Windows section of this guide. I won't delve into the security best practices that should be considered and implemented in a Unix/Linux environment, as they are outside the scope of this guide, but I may cover them in a future article.
Mobile: iOS & Android
iOS offers better privacy and security by virtue of the more granular control and vertical integration Apple is able to offer as a result of its walled garden approach to both devices and the surrounding ecosystem. Yay Apple fans!
Always encrypt your iOS device using a complex passphrase rather than a numeric PIN. The next step is to disable iCloud integration, to prevent sensitive data from being stored on Apple's servers (even in encrypted form).
The situation regarding Android is far more complex, as it is a vast and fragmented ecosystem with countless different devices produced by a multitude of OEMs. Bummer.
As a first step you should only buy devices from vendors with an established track record of providing critical security and firmware updates in a timely manner. Currently this restricts your choice to devices manufactured by Google, Samsung (flagships only), LG (flagships only), Nokia and Essential.
Do not fall for the countless AV solutions being pushed on the Play Store; most of them are misleading if not outright adware, and even the ones produced by legitimate InfoSec firms like Sophos, Kaspersky, ESET, Bitdefender etc. are of limited use. What I recommend is to encrypt the phone using a strong passphrase and to verify that it stores the relevant key material in hardware: if it does, under Security & Lock Screen → Credential Storage you should see "Hardware Backed".
The vast majority of consumer-grade networking, routing and wireless equipment is fraught with poorly secured web interfaces and hardcoded credentials, and is prone to security vulnerabilities that, due to non-existent support from the OEMs in the form of security patches and new firmware revisions, often lead to a compromised device, perhaps even one conscripted into a botnet.
Since these devices are for the most part always on, have high uptime and, being embedded systems, are fairly opaque to the user, malware infecting them can go undetected for very long periods and persist. I highly recommend getting a cheap entry-level enterprise-grade router and access point. I usually recommend Ubiquiti, with their EdgeRouter Lite and UniFi Lite being very popular and inexpensive choices.
Another good solution comes from an unlikely source, the mainly storage-focused Synology, in the form of their RT2600AC wireless AP. Either choice will ensure your networking equipment gets the much-needed firmware updates in a timely manner, patching CVEs and responding to the ever-evolving threats identified by the InfoSec community.
Crypto holds enormous potential to disrupt and dis-intermediate several industries and if you are an investor in this space you owe it to yourself to take every possible step to ensure the safety of your assets! Hopefully by the time you have finished reading this article you will have a better grasp on how to effectively protect yourself but remember the following:
This little guide is at the intersection of two exciting, fast moving and ever evolving fields currently attracting some of the brightest minds of our generation, Information Security and Blockchain/Crypto.
Some of the information provided may become obsolete or inaccurate rather quickly. Keep in mind that this is structured as an expository piece for people approaching the subject, and every user needs to evaluate their specific situation to craft a comprehensive, tailored and effective security plan.
Neither the writer nor Globalhalo are affiliated with any of the companies providing the tools and products herein mentioned and have received no monetary compensation.