Securing your site

Here are the slides for my talk Securing your site at Pycon Sweden 2014. The presentation was not recorded. The slides themselves do not provide much narrative, so they are mostly useful for those who were present at the conference. The talk discussed how to build security for your service, company and users.

The slide text is available as <img> ALT text.

Also read SSH keys basics.

Slides exported from PDF to HTML.

Securing your site Mikko Ohtamaa Pycon Sweden 2014

opensourcehacker.com moo9000

Agenda
- Protecting yourself
- User authentication
- Two-factor authentication
- Third factor
- Protecting the servers

Person-to-person Bitcoin exchange
- Bitcoin users are high value targets
- Few friends and many problem parties: hosting providers, banks, criminals, intelligence agencies

Protect yourself

Physical access
- Encrypt employees' computers
- Encrypt phones
- Two-factor authentication on email inbox
- Two-factor authentication on site admin

User authentication

Passwords are dead
- Most successful attacks are by password-stealing malware
- A strong password gives only limited additional protection

Throttle login attempts
- CAPTCHA threshold for logins per IP (leaked credentials black market)
- CAPTCHA threshold per username (spearhead brute force)
- recaptcha.net

Two-factor authentication

Lack of two-factor
- scenario: US 0.90%
- scenario: Great Britain 0.90%
- scenario: Australia 7.58%
- www.schneier.com/blog/archives/2006/11/fighting_fraudu.html

- TOTP - time-based
- HOTP - one-time pad
- SMS
- USB (YubiKey)
- "Calculators"

Time-Based One-Time Password Algorithm
- TOTP, a.k.a. Google Authenticator, RFC 6238
- Google apps on Android, iOS
- Other platforms and OSS implementations

HMAC-Based One-Time Password Algorithm
- HOTP, RFC 4226, a.k.a. paper codes
- Common in Nordic internet banking, unheard of in many countries

- https://github.com/LocalBitcoins/django-twofactor
- http://django-two-factor-auth.readthedocs.org/
- twofactorauth.org
- authy.com (… you don't want to depend on a service)

Third factor

Users lose their credentials
- Recycled passwords
- Phishing (Google AdWords attack)
- Stolen two-factor codes

Third factor parameters
- Unknown web browser (identified by cookie)
- The country of the IP address
- The reputation of the IP address (botnet, Tor, VPS)
- IP address whitelist
- Confirm by email or by SMS: "is it really you"

Session hijacking
- Tie the session cookie to an IP address
- Protection against cookie-stealing malware
- Pain for the users, especially on mobile

Mad general problem
- "If your local computer is compromised by malware or anything else, it is just like a mad general"
- We have seen: malicious browser add-on modifying Bitcoin sites on the fly, Android and iOS malware, SMS capture attacks
- http://www.reddit.com/r/Bitcoin/comments/2573rw/bitcoin_is_secure_because_it_solves_the_byzantine/

Protecting your server

fail2ban !!!
- Python Helsinki hangout broadcast tomorrow by Yaroslav Halchenko

- Known bad IPs: projecthoneypot.org
- Attack mitigation as a service: cloudflare.net
- Phishing site reporting: google.com/safebrowsing/report_phish/, mywot.com, phishtank.com

Flood attacks
- Mostly harmless / reputation hit
- Have throttling and banning per IP
- Flood actions: password reset email, invite email, anonymous forms, user messaging
- One approach: let fail2ban take care of this with custom files

Encrypted servers
- Encrypt your server content: "mad hosting provider"
- Encrypt backups: GPG, duplicity
- Encrypt server-to-server connections: AutoSSH, VPN
- Virtual machines (VPS) are always unsafe
- http://blog.bitly.com/#85169217199

Django weaknesses
- No POST logout
- CSRF and session token recycling
- Unsafe ImageField uploads
- Password reset email expiration

Thank you very much! (Tack så mycket!)
- opensourcehacker.com
- Open Source Hacker
- mikko@opensourcehacker.com
- moo9000
- ALSO IN IRC!
