A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
Beau Bullock
Mike Felch
Overview
• Brief background on what cryptocurrencies are
• Various elements of the cryptocurrency ecosystem
• A history of some major hacks
• Some general vulnerabilities
• Some blockchain-specific vulnerabilities
About Us
• Mike Felch - @ustayready
  • Pentest / Red team at BHIS
  • Involved w/ OWASP Orlando and BSides Orlando
• Beau Bullock - @dafthack
  • Pentest / Red team at BHIS
  • Podcaster, blogger, and guitarist
• Tradecraft Security Weekly hosts
• CoinSec Podcast hosts
What Are Cryptocurrencies?
• Digital currencies that typically utilize a blockchain to regulate the generation of the currency and verify the transfer of funds, usually in a decentralized manner.
• There are over 1500 coins/tokens listed on coinmarketcap.com
  • Some of these have unique blockchains
  • Others are tokens built on top of blockchains using smart contracts.
The Cryptocurrency Ecosystem
Ecosystem: Blockchain
• A digitized, decentralized, public ledger of all transactions
• A combination of:
  • Private key cryptography
  • Peer-To-Peer (P2P) Network
  • Protocol governing incentivization
• Records cannot be retroactively altered
• Every node has a copy of the blockchain
Ecosystem: Blockchain
Image source: https://dzone.com/articles/adopting-blockchain-how-a-devops-approach-can-help
Ecosystem: Nodes & Miners
• Full Nodes
  • Download every block and transaction and check them against the protocol’s consensus rules
  • Maintain the decentralized “backup”
• Miners
  • Verify transactions into a block
  • Solve a Proof-of-Work problem
  • Add block to the blockchain
  • Get rewarded
Ecosystem: Wallets
• Wallets hold your private keys
• Anyone that has your private keys can control your wallet
• If you lose your private keys your coins are gone
• Web/Mobile Wallets
  • Third-party hosted wallet using a web-based application for a user interface
  • Might be convenient but you don’t control your private keys
Ecosystem: Wallets
• Desktop Wallets
  • Wallets are local to your computer
  • Full nodes require the full blockchain to be downloaded
  • At risk of hackers compromising your system
• Hardware Wallets
  • Private keys are encrypted on a hardware device usually protected by a PIN
  • The software for interacting with the device can be prone to MiTM attacks
• Paper Wallets
  • Private keys are printed and never stored digitally
  • If destroyed, coins are lost
Ecosystem: Exchanges
• Websites that facilitate the ability to exchange fiat currency for cryptocurrency
  • $, €, £, ¥, etc. → BTC, ETH, LTC, etc.
• …or cryptocurrency for other cryptocurrency
  • BTC, ETH, LTC, etc. → BTC, ETH, LTC, etc.
• Extremely high-value targets for attackers
Ecosystem: Smart Contracts
• Code that sits on the blockchain
• Can be self-executing and self-enforcing
  • Exchange of currency, data, shares, etc.
  • Polls/elections (commit-reveal)
• Removes the third party from deals
• Anyone can see (and execute) unless secured
• Can’t be reversed
• Not for EVERYTHING!
Ecosystem: ICOs
• Initial Coin Offering (ICO)
  • A fundraising mechanism in which projects sell their underlying tokens
  • Ethereum raised $19 million in 2014
  • The DAO raised over $150 million in 2016
• Most of the ICO world is riddled with scams
  • Some are Ponzi schemes, some have no working platform, some take the money then disappear
• Participants are highly targeted by phishers
Ecosystem: ICOs
Ecosystem: Malware
• Ransomware
  • Generally requests payment in Bitcoin to decrypt files held ransom
  • WannaCry – Estimated to have infected more than 200,000 systems
• Mining Malware
  • Coinhive – A JavaScript-based miner embedded in websites
  • WannaMine – Similar to WannaCry – Uses EternalBlue to infect, then mines
Some Major Cryptocurrency Security Events
Some Major Events
• Mt. Gox - Feb. 2014 - 850,000 bitcoins went “missing” ($450 million at the time)
• The DAO Hack - June 2016 - 3.6 million Ethereum stolen ($50 million at the time)
• Parity Hack - Nov 2017 - $155 million of Ethereum “locked” forever
• Coincheck - 2 weeks ago - $533 million of NEM stolen from a hot wallet
• …Oh, and $1.5 million is stolen from ICOs every month
General Vulnerabilities
General AppSec Vulns
• Overstock.com Payment Vulnerability
  • They accept Bitcoin for payments, but users could pay with Bitcoin Cash instead (which is valued far lower)
  • Buy a $78 item for $12
  • Refunds were in Bitcoin
• EtherDelta Cross-Site Scripting
  • XSS injected into a custom contract
  • Tricked users into adding the malicious token
  • Stole private keys
Image source: https://krebsonsecurity.com/2018/01/website-glitch-let-me-overstock-my-coinbase/
Weak or No Encryption
• BitPay/Copay apps wrote a new wallet’s private keys to disk prior to encryption
• Jaxx wallet – 12-word backup phrase stored with a hardcoded encryption key
• Coinomi wallet – Sent data in plaintext to Electrum servers, leaking addresses
• Blockfolio app – Unauthenticated and unencrypted retrieval of crypto holdings
DNS Hijacking
• DNS Hijacking – An attacker compromises a site’s DNS server and redirects user traffic to a malicious site
• Blackwallet Hack
  • Hijacked DNS and injected code to drain accounts with more than 20 Lumens
  • $400,000 worth of Stellar Lumens stolen
• EtherDelta Hack
  • $250,000 worth of Ether stolen
Image Source: http://resources.infosecinstitute.com/attacks-over-dns
Insecure JSON-RPC
• Electrum Wallet
  • For over 2 years the JSON-RPC interface could be reached from JavaScript running in a browser
  • Simply having the wallet open and surfing the web could allow private keys to be stolen
  • Even with a password set, it still allows for potential brute-force attacks
  • Reported on GitHub Nov. 2017, then again by Tavis Ormandy in Jan 2018
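As an added example (not Electrum's own code), these are the admission checks a wallet's loopback JSON-RPC listener would need to close the gap this slide describes: refuse browser-originated requests, pin the Host header to loopback, and require credentials with a lockout against guessing. The class name RpcGate, the port 7777 and the sample credentials are constructed for this example.

```python
import base64
import hmac
import time

LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}


def basic_token(username, password):
    """Base64 token of an HTTP Basic credential pair."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def basic_auth_header(username, password):
    """Full value of an Authorization header for the given credentials."""
    return "Basic " + basic_token(username, password)


def _host_name(host_header):
    """Strip the port from a Host header value; handles bracketed IPv6."""
    host = host_header.strip()
    if host.startswith("["):
        return host[1:host.find("]")]
    return host.split(":")[0]


class RpcGate:
    """Admission check for a loopback JSON-RPC listener (added example).
    Three rules, applied in order:
      1. a request carrying an Origin header came from a browser page, so it
         is refused whatever else it carries (a native RPC client sends none);
      2. the Host header must name the loopback host, which defeats DNS
         rebinding tricks that point a public name at 127.0.0.1;
      3. credentials are required, compared in constant time, and repeated
         failures lock the listener for a while so a script cannot guess them."""

    def __init__(self, username, password, max_failures=5,
                 lockout_seconds=60.0, clock=time.monotonic):
        self._expected = basic_token(username, password).encode()
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock  # injectable so the lockout can be tested
        self._failures = 0
        self._locked_until = 0.0

    def check(self, headers):
        """Return (allowed, reason) for one request's headers (a dict)."""
        h = {k.lower(): v for k, v in headers.items()}
        if "origin" in h:
            return False, "cross-origin request refused"
        if _host_name(h.get("host", "")) not in LOCAL_HOSTS:
            return False, "host not local"
        now = self._clock()
        if now < self._locked_until:
            return False, "locked out"
        scheme, _, token = h.get("authorization", "").partition(" ")
        if scheme.lower() == "basic" and hmac.compare_digest(
                token.strip().encode(), self._expected):
            self._failures = 0
            return True, "ok"
        self._failures += 1
        if self._failures >= self.max_failures:
            self._locked_until = now + self.lockout_seconds
            self._failures = 0
        return False, "bad credentials"


if __name__ == "__main__":
    gate = RpcGate("rpcuser", "rpcpass")
    # Constructed sample requests: a page the user happens to be browsing
    # posting to the wallet, and the wallet's own local client.
    from_browser = {"Host": "127.0.0.1:7777", "Origin": "https://example.test",
                    "Content-Type": "application/json"}
    from_client = {"Host": "127.0.0.1:7777",
                   "Authorization": basic_auth_header("rpcuser", "rpcpass")}
    print("browser page:", gate.check(from_browser))
    print("local client:", gate.check(from_client))
```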
Blockchain Vulnerabilities
A Majority Attack
• Also known as the 51% attack
• Potentially allows the attacker to “double-spend” their own coins
• Can prevent some transactions from gaining confirmations
• Can prevent some or all other miners from mining any valid blocks
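To put numbers on why a majority of the hash rate makes the double-spend on this slide certain, here is the catch-up estimate from section 11 of the Bitcoin whitepaper as an added example (not from the talk): the attacker's success probability for a hash-rate share q and confirmation depth z, and the depth a recipient would have to wait for a given risk. Function names are this example's own.

```python
import math


def attacker_success_probability(q, z):
    """Probability that a miner controlling fraction q of the hash rate ever
    overtakes the honest chain once a transaction is z blocks deep (the
    gambler's-ruin estimate from section 11 of the Bitcoin whitepaper)."""
    if not 0.0 < q < 1.0:
        raise ValueError("q must be strictly between 0 and 1")
    p = 1.0 - q
    if q >= p:
        return 1.0  # majority hash rate: catching up is certain at any depth
    if z == 0:
        return 1.0  # unconfirmed: nothing to catch up with
    lam = z * q / p  # expected attacker progress while honest miners find z blocks
    log_lam = math.log(lam)
    total = 0.0
    for k in range(z + 1):
        # Poisson term computed in log space so large z does not overflow.
        poisson = math.exp(k * log_lam - lam - math.lgamma(k + 1))
        total += poisson * (1.0 - (q / p) ** (z - k))
    return max(0.0, 1.0 - total)


def confirmations_needed(q, risk, max_depth=10_000):
    """Smallest depth z at which the attacker's success probability drops
    below `risk`; None when no depth helps (q >= 0.5) or max_depth is hit."""
    if q >= 0.5:
        return None
    for z in range(max_depth + 1):
        if attacker_success_probability(q, z) < risk:
            return z
    return None


def risk_table(q, depths):
    """(z, probability) pairs for the given hash-rate share."""
    return [(z, attacker_success_probability(q, z)) for z in depths]


if __name__ == "__main__":
    for share in (0.1, 0.3, 0.45, 0.51):
        need = confirmations_needed(share, 0.001)
        print(f"q={share:.2f}: confirmations for <0.1% risk: {need}")
    for z, prob in risk_table(0.3, range(0, 26, 5)):
        print(f"  q=0.30 z={z:2d} P={prob:.7f}")
```

Once q reaches 0.5 the function returns 1.0 for every depth, which is the slide's point: against a majority miner, waiting for more confirmations does not help.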
Implementation Vulns
• Short Addresses
  • In Lisk, addresses are 64-bit numbers, such as: 3040783849904107057L
  • Derived deterministically from a passphrase
  • SEED = SHA-256(passphrase) → ED25519 KEYPAIR = SHA-512(seed) & scalar multiplication → ADDRESS = last 8 bytes of SHA-256(public key)
  • Preimage can be derived in approximately 2^64 evaluations
• No Address-Key Binding
  • In Lisk, addresses aren’t bound to a keypair until it has sent tokens to another address
  • Attacker can derive a preimage and hijack the account
Source: https://research.kudelskisecurity.com/2018/01/16/blockchains-how-to-steal-millions-in-264-operations/
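Worked example of the derivation on this slide, written for this page and not taken from the talk or from Lisk's code base: passphrase to seed to Ed25519 public key to a 64-bit address, plus a toy ledger that models the binding rule from the second bullet. The Ed25519 arithmetic is written out in pure Python so it runs offline; which 8 digest bytes form the address follows the slide's description rather than the Lisk source, and the sample passphrases are constructed.

```python
import hashlib

# Ed25519 parameters (RFC 8032); affine arithmetic, unoptimised but exact.
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)  # square root of -1 mod P


def _inv(x):
    return pow(x, P - 2, P)


def _xrecover(y):
    """Even x coordinate of the curve point with the given y."""
    xx = (y * y - 1) * _inv(D * y * y + 1)
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P != 0:
        x = (x * SQRT_M1) % P
    if x % 2 != 0:
        x = P - x
    return x


_BY = (4 * _inv(5)) % P
_BASE = (_xrecover(_BY), _BY)  # the standard base point B


def _add(p1, p2):
    """Twisted Edwards point addition."""
    x1, y1 = p1
    x2, y2 = p2
    k = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * _inv(1 + k) % P,
            (y1 * y2 + x1 * x2) * _inv(1 - k) % P)


def _scalarmult(pt, e):
    acc = (0, 1)  # neutral element
    while e:
        if e & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        e >>= 1
    return acc


def ed25519_public_key(seed):
    """32-byte public key from a 32-byte seed: SHA-512, clamp, scalar mult."""
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little")
    a &= (1 << 254) - 8  # clamp: clear bits 0-2 and bit 255
    a |= 1 << 254        # set bit 254
    x, y = _scalarmult(_BASE, a)
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def passphrase_public_key(passphrase):
    """SEED = SHA-256(passphrase), then the public half of the Ed25519 key pair."""
    return ed25519_public_key(hashlib.sha256(passphrase.encode()).digest())


def address_from_public_key(pub):
    """Only 8 of the 32 digest bytes survive, so the address space is 64 bits.
    Keeping the last 8 bytes follows the slide's wording (assumption)."""
    digest = hashlib.sha256(pub).digest()
    return str(int.from_bytes(digest[-8:], "big")) + "L"


def lisk_address(passphrase):
    return address_from_public_key(passphrase_public_key(passphrase))


class Ledger:
    """Toy model of the binding rule the slide describes: an address has no
    registered key until its first outgoing transaction, so until then any
    key whose hash truncates to the same 64 bits is accepted as the owner."""

    def __init__(self):
        self.key_for = {}

    def authorize(self, address, pub):
        registered = self.key_for.get(address)
        if registered is None:
            if address_from_public_key(pub) != address:
                return False
            self.key_for[address] = pub  # first use binds this key
            return True
        return registered == pub  # bound: every other key is rejected


if __name__ == "__main__":
    addr = lisk_address("correct horse battery staple")  # constructed sample
    print("address:", addr, "fits in 64 bits:", int(addr[:-1]) < 2**64)
    ledger = Ledger()
    print("unbound account accepts its key:",
          ledger.authorize(addr, passphrase_public_key("correct horse battery staple")))
    print("bound account rejects another key:",
          not ledger.authorize(addr, passphrase_public_key("other passphrase")))
```

Sending one transaction from a fresh account (the binding step in the toy ledger) is the user-side mitigation the slide implies: after that, a second key that merely hashes to the same 64-bit address is no longer accepted.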
Ethereum Smart Contracts
EVM: Virtual Machine
• Run-time environment for smart contracts
• Minimal instruction set (256 bit words)
• Arithmetic, bit, logical, comparisons
• Stack machine (not a register machine)
• Contracts have storage, memory and stack
• Isolated sandbox from network/fs/procs
• Reusable code using delegate calls
• Contracts can be made to self-destruct
• Language, compilers and bytecode *oh my*
Ethereum Smart Contracts
Source: http://www.gjermundbjaanes.com/understanding-ethereum-smart-contracts/
Exploiting Smart Contracts
• Re-entrancy (The DAO Hack)
• PRNG Predictability (Blockchain problem)
• Delegated Fallback Calls (Parity Hack #1)
• Schizophrenic Functions (Parity Hack #2)
• Integer Underflows (The DAO Hack)
• Unpredictable State (GovernMental DoS)
• … more!
Recursion Problems
Securing Smart Contracts
• Truffle: Develop, test, audit and deploy
• Solium: Do code reviews
• Mythril: Vulnerability scan contracts
• OpenZeppelin: Use security libraries
• Manticore: Fuzz, Crash and Taint analysis
• Ethernaut: Hack contracts CTF style
• Ropsten: Deploy to Ethereum test networks
-Pentest all the things-
Conclusion
• Don’t let the negative stigma around “blockchain” stifle your involvement
• “Blockchain” has become a buzzword, but some extremely innovative technologies have already been, and will continue to be, developed
• Many companies are looking to integrate blockchain blindly
• Vulnerabilities are surfacing in all aspects of the ecosystem, including the wallets, exchanges, smart contracts, even blockchains themselves
• New attack surfaces are forming
• There’s much more research to be done around securing the cryptocurrency ecosystem
Resources
• NIST – Guidance on Blockchain - https://csrc.nist.gov/CSRC/media/Publications/nistir/8202/draft/documents/nistir8202-draft.pdf
• DEF CON 25 – Hacking Smart Contracts by Konstantinos Karagiannis - https://www.youtube.com/watch?v=WIEessi3ntk
• OpenZeppelin – https://openzeppelin.org/
• Ethernaut - https://ethernaut.zeppelin.solutions/
• Trail of Bits Blog - https://blog.trailofbits.com/
• Solidity - http://solidity.readthedocs.io/en/develop/
• Whitepaper on attacks - https://eprint.iacr.org/2016/1007.pdf
Questions?
• Black Hills Information Security
• http://www.blackhillsinfosec.com/
• Beau - @dafthack
• Mike - @ustayready
• CoinSec Podcast - @coinsecpodcast
• https://www.coinsecpodcast.com

Weitere ähnliche Inhalte

Was ist angesagt?

20180711 Metamask
20180711 Metamask 20180711 Metamask
20180711 Metamask Hu Kenneth
 
2019 03 18_kenneth_simplebitcoinwebsite
2019 03 18_kenneth_simplebitcoinwebsite 2019 03 18_kenneth_simplebitcoinwebsite
2019 03 18_kenneth_simplebitcoinwebsite Hu Kenneth
 
Assessing a pen tester: Making the right choice when choosing a third party P...
Assessing a pen tester: Making the right choice when choosing a third party P...Assessing a pen tester: Making the right choice when choosing a third party P...
Assessing a pen tester: Making the right choice when choosing a third party P...Jason Broz, CIPP/US
 
Incident response, Hacker Techniques and Countermeasures
Incident response, Hacker Techniques and CountermeasuresIncident response, Hacker Techniques and Countermeasures
Incident response, Hacker Techniques and CountermeasuresJose L. Quiñones-Borrero
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemMartin Vigo
 
What is Cryptojacking and How Can I Protect Myself?
What is Cryptojacking and How Can I Protect Myself?What is Cryptojacking and How Can I Protect Myself?
What is Cryptojacking and How Can I Protect Myself?Global Knowledge Training
 
CryptoJacking and Security: Evolution of a Hack
CryptoJacking and Security: Evolution of a HackCryptoJacking and Security: Evolution of a Hack
CryptoJacking and Security: Evolution of a HackBryan Becker
 
PacNOG 23: Introduction to Crypto Jacking
PacNOG 23: Introduction to Crypto JackingPacNOG 23: Introduction to Crypto Jacking
PacNOG 23: Introduction to Crypto JackingAPNIC
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseAndrew Morris
 
What is a Hacker (part 1): Types, tools and techniques
What is a Hacker (part 1): Types, tools and techniquesWhat is a Hacker (part 1): Types, tools and techniques
What is a Hacker (part 1): Types, tools and techniquesKlaus Drosch
 
Crytomining hacking
Crytomining hackingCrytomining hacking
Crytomining hackingCis siva
 
Ethereum under the Hood, intro for developers as preparation for Blockchain H...
Ethereum under the Hood, intro for developers as preparation for Blockchain H...Ethereum under the Hood, intro for developers as preparation for Blockchain H...
Ethereum under the Hood, intro for developers as preparation for Blockchain H...Pascal Van Hecke
 
RSA 2015 Bitcoin's Future Threats: Expert's Roundtable based on 150 Case Studies
RSA 2015 Bitcoin's Future Threats: Expert's Roundtable based on 150 Case StudiesRSA 2015 Bitcoin's Future Threats: Expert's Roundtable based on 150 Case Studies
RSA 2015 Bitcoin's Future Threats: Expert's Roundtable based on 150 Case StudiesWayne Huang
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 

Was ist angesagt? (20)

20180711 Metamask
20180711 Metamask 20180711 Metamask
20180711 Metamask
 
Cryto Party at CCU
Cryto Party at CCUCryto Party at CCU
Cryto Party at CCU
 
Pa or die
Pa or diePa or die
Pa or die
 
2019 03 18_kenneth_simplebitcoinwebsite
2019 03 18_kenneth_simplebitcoinwebsite 2019 03 18_kenneth_simplebitcoinwebsite
2019 03 18_kenneth_simplebitcoinwebsite
 
Assessing a pen tester: Making the right choice when choosing a third party P...
Assessing a pen tester: Making the right choice when choosing a third party P...Assessing a pen tester: Making the right choice when choosing a third party P...
Assessing a pen tester: Making the right choice when choosing a third party P...
 
Incident response, Hacker Techniques and Countermeasures
Incident response, Hacker Techniques and CountermeasuresIncident response, Hacker Techniques and Countermeasures
Incident response, Hacker Techniques and Countermeasures
 
Block chain
Block chainBlock chain
Block chain
 
Welcome to Ethereum
Welcome to EthereumWelcome to Ethereum
Welcome to Ethereum
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against Them
 
What is Cryptojacking and How Can I Protect Myself?
What is Cryptojacking and How Can I Protect Myself?What is Cryptojacking and How Can I Protect Myself?
What is Cryptojacking and How Can I Protect Myself?
 
CryptoJacking and Security: Evolution of a Hack
CryptoJacking and Security: Evolution of a HackCryptoJacking and Security: Evolution of a Hack
CryptoJacking and Security: Evolution of a Hack
 
Aes jul-upload
Aes jul-uploadAes jul-upload
Aes jul-upload
 
PacNOG 23: Introduction to Crypto Jacking
PacNOG 23: Introduction to Crypto JackingPacNOG 23: Introduction to Crypto Jacking
PacNOG 23: Introduction to Crypto Jacking
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To Noise
 
What is a Hacker (part 1): Types, tools and techniques
What is a Hacker (part 1): Types, tools and techniquesWhat is a Hacker (part 1): Types, tools and techniques
What is a Hacker (part 1): Types, tools and techniques
 
Darknet
DarknetDarknet
Darknet
 
Crytomining hacking
Crytomining hackingCrytomining hacking
Crytomining hacking
 
Ethereum under the Hood, intro for developers as preparation for Blockchain H...
Ethereum under the Hood, intro for developers as preparation for Blockchain H...Ethereum under the Hood, intro for developers as preparation for Blockchain H...
Ethereum under the Hood, intro for developers as preparation for Blockchain H...
 
RSA 2015 Bitcoin's Future Threats: Expert's Roundtable based on 150 Case Studies
RSA 2015 Bitcoin's Future Threats: Expert's Roundtable based on 150 Case StudiesRSA 2015 Bitcoin's Future Threats: Expert's Roundtable based on 150 Case Studies
RSA 2015 Bitcoin's Future Threats: Expert's Roundtable based on 150 Case Studies
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
 

Ähnlich wie A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems

Bitcoin and Ransomware Analysis
Bitcoin and Ransomware AnalysisBitcoin and Ransomware Analysis
Bitcoin and Ransomware AnalysisInderjeet Singh
 
FreeGeek -Cryptocurrency and Blockchain
FreeGeek -Cryptocurrency and BlockchainFreeGeek -Cryptocurrency and Blockchain
FreeGeek -Cryptocurrency and BlockchainJoshua Johnston
 
Getting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingGetting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingBeau Bullock
 
Understanding Blockchain
Understanding BlockchainUnderstanding Blockchain
Understanding BlockchainTony Willenberg
 
Blockchain and Cryptocurrencies
Blockchain and CryptocurrenciesBlockchain and Cryptocurrencies
Blockchain and CryptocurrenciesnimeshQ
 
Introduction to Bitcoin and Crypto-currency
Introduction to Bitcoin and Crypto-currency Introduction to Bitcoin and Crypto-currency
Introduction to Bitcoin and Crypto-currency Justin Denton
 
Resource slides for blockchain related question
Resource slides for blockchain related questionResource slides for blockchain related question
Resource slides for blockchain related questionLin Lin (Wendy)
 
Indjic fintech module 6
Indjic fintech module 6Indjic fintech module 6
Indjic fintech module 6Drago Indjic
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyb coatesworth
 
Bitcoin, Banking and the Blockchain
Bitcoin, Banking and the BlockchainBitcoin, Banking and the Blockchain
Bitcoin, Banking and the Blockchainseancarmody
 
Crypto Miners in the Cloud
Crypto Miners in the CloudCrypto Miners in the Cloud
Crypto Miners in the CloudTeri Radichel
 
Blockchain - Presentacion Betabeers Galicia 10/12/2014
Blockchain - Presentacion Betabeers Galicia 10/12/2014Blockchain - Presentacion Betabeers Galicia 10/12/2014
Blockchain - Presentacion Betabeers Galicia 10/12/2014WeKCo Coworking
 
Blockchain, DLT, Tokens and ICO Introduction Course
Blockchain, DLT, Tokens and ICO Introduction CourseBlockchain, DLT, Tokens and ICO Introduction Course
Blockchain, DLT, Tokens and ICO Introduction CourseJean-Marc Seigneur
 
Real world blockchains
Real world blockchainsReal world blockchains
Real world blockchainsDmitry Meshkov
 
Introduction to Blockchain and Cryptocurrencies
Introduction to Blockchain  and CryptocurrenciesIntroduction to Blockchain  and Cryptocurrencies
Introduction to Blockchain and CryptocurrenciesNikhil D Prince
 

Ähnlich wie A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems (20)

Bitcoin and Ransomware Analysis
Bitcoin and Ransomware AnalysisBitcoin and Ransomware Analysis
Bitcoin and Ransomware Analysis
 
Hacking blockchain
Hacking blockchainHacking blockchain
Hacking blockchain
 
FreeGeek -Cryptocurrency and Blockchain
FreeGeek -Cryptocurrency and BlockchainFreeGeek -Cryptocurrency and Blockchain
FreeGeek -Cryptocurrency and Blockchain
 
Getting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingGetting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract Auditing
 
Understanding Blockchain
Understanding BlockchainUnderstanding Blockchain
Understanding Blockchain
 
Blockchain and Cryptocurrencies
Blockchain and CryptocurrenciesBlockchain and Cryptocurrencies
Blockchain and Cryptocurrencies
 
Introduction to Bitcoin and Crypto-currency
Introduction to Bitcoin and Crypto-currency Introduction to Bitcoin and Crypto-currency
Introduction to Bitcoin and Crypto-currency
 
Resource slides for blockchain related question
Resource slides for blockchain related questionResource slides for blockchain related question
Resource slides for blockchain related question
 
Indjic fintech module 6
Indjic fintech module 6Indjic fintech module 6
Indjic fintech module 6
 
Bitcoin
BitcoinBitcoin
Bitcoin
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spy
 
Bitcoin, Banking and the Blockchain
Bitcoin, Banking and the BlockchainBitcoin, Banking and the Blockchain
Bitcoin, Banking and the Blockchain
 
Crypto Miners in the Cloud
Crypto Miners in the CloudCrypto Miners in the Cloud
Crypto Miners in the Cloud
 
Blockchain - Presentacion Betabeers Galicia 10/12/2014
Blockchain - Presentacion Betabeers Galicia 10/12/2014Blockchain - Presentacion Betabeers Galicia 10/12/2014
Blockchain - Presentacion Betabeers Galicia 10/12/2014
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
 
Blockchain, DLT, Tokens and ICO Introduction Course
Blockchain, DLT, Tokens and ICO Introduction CourseBlockchain, DLT, Tokens and ICO Introduction Course
Blockchain, DLT, Tokens and ICO Introduction Course
 
Real world blockchains
Real world blockchainsReal world blockchains
Real world blockchains
 
Cryptocurrency101
Cryptocurrency101Cryptocurrency101
Cryptocurrency101
 
Introduction to Blockchain and Cryptocurrencies
Introduction to Blockchain  and CryptocurrenciesIntroduction to Blockchain  and Cryptocurrencies
Introduction to Blockchain and Cryptocurrencies
 
Block chain
Block chainBlock chain
Block chain
 

Kürzlich hochgeladen

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Kürzlich hochgeladen (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems

  • 1. A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems Beau Bullock Mike Felch
  • 2. Overview • Brief background on what cryptocurrencies are • Various elements of the cryptocurrency ecosystem • A history of some major hacks • Some general vulnerabilities • Some blockchain-specific vulnerabilities
  • 3. About Us • Mike Felch - @ustayready • Pentest / Red team at BHIS • Involved w/ OWASP Orlando and BSides Orlando • Beau Bullock - @dafthack • Pentest / Red team at BHIS • Podcaster, blogger, and guitarist • Tradecraft Security Weekly hosts • CoinSec Podcast hosts
  • 4. What Are Cryptocurrencies? • Digital currencies that typically utilize a blockchain to regulate the generation of the currency, and verify the transfer of funds, usually in a decentralized manner. • There are over 1500 coins/tokens listed on coinmarketcap.com • Some of these have unique blockchains • Others are tokens built on top of blockchains using smart contracts.
6. Ecosystem: Blockchain
• A digitized, decentralized, public ledger of all transactions
• A combination of:
• Private key cryptography
• Peer-To-Peer (P2P) Network
• Protocol governing incentivization
• Records cannot be retroactively altered
• Every node has a copy of the blockchain

7. Ecosystem: Blockchain
Image source: https://dzone.com/articles/adopting-blockchain-how-a-devops-approach-can-help

8. Ecosystem: Nodes & Miners
• Full Nodes
• Download every block and transaction and check them against the protocol’s consensus rules
• Maintain the decentralized “backup”
• Miners
• Verify transactions into a block
• Solve a Proof-of-Work problem
• Add block to the blockchain
• Get rewarded
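To make the "check them against the consensus rules" and "records cannot be retroactively altered" bullets concrete, here is an added Python toy that is not code from the talk and not any real node software. The difficulty rule (hash must start with a few zero hex digits), the transactions and the genesis block are all constructed for illustration; the miner searches for a nonce, and the full-node check re-verifies every link and every proof of work.

```python
"""Toy hash-chained blocks with proof-of-work and full-node validation (constructed example)."""
import hashlib
import json
from dataclasses import dataclass, asdict

DIFFICULTY = 3  # leading hex zeros required; tiny so the example mines in milliseconds


@dataclass
class Block:
    index: int
    prev_hash: str
    transactions: list
    nonce: int = 0

    def hash(self) -> str:
        # Fixed key order so every node serialises, and therefore hashes, identically.
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


def mine(block: Block) -> Block:
    """Miner's job: find a nonce so the block hash meets the difficulty target."""
    target = "0" * DIFFICULTY
    while not block.hash().startswith(target):
        block.nonce += 1
    return block


def build_chain(tx_batches: list) -> list:
    """Start from a fixed genesis block and mine one block per transaction batch."""
    chain = [mine(Block(0, "0" * 64, ["genesis"]))]
    for txs in tx_batches:
        chain.append(mine(Block(len(chain), chain[-1].hash(), list(txs))))
    return chain


def validate_chain(chain: list) -> bool:
    """Full-node check: each block meets the proof-of-work rule and links to its predecessor."""
    target = "0" * DIFFICULTY
    for i, block in enumerate(chain):
        if block.index != i or not block.hash().startswith(target):
            return False
        if i > 0 and block.prev_hash != chain[i - 1].hash():
            return False
    return True


def tamper_and_check() -> tuple:
    """Rewrite an old transaction and show the chain no longer validates.

    Changing block 1 changes its hash, so block 2's prev_hash no longer matches
    (and block 1 almost certainly no longer meets the difficulty target either);
    the forger would have to re-mine every later block to hide the edit.
    """
    chain = build_chain([["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]])
    before = validate_chain(chain)
    chain[1].transactions[0] = "alice->bob:500"   # retroactive edit of history
    after = validate_chain(chain)
    return before, after
```

Raising DIFFICULTY by one multiplies the expected mining work by 16, which is the lever real networks use to keep block intervals stable as hash rate grows.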
9. Ecosystem: Wallets
• Wallets hold your private keys
• Anyone that has your private keys can control your wallet
• If you lose your private keys your coins are gone
• Web/Mobile Wallets
• Third-party hosted wallet using a web-based application for a user interface
• Might be convenient but you don’t control your private keys

10. Ecosystem: Wallets
• Desktop Wallets
• Wallets are local to your computer
• Full nodes require the full blockchain to be downloaded
• At risk of hackers compromising your system
• Hardware Wallets
• Private keys are encrypted on a hardware device usually protected by a PIN
• The software for interacting with the device can be prone to MiTM attacks
• Paper Wallets
• Private keys are printed and never stored digitally
• If destroyed coins are lost

11. Ecosystem: Exchanges
• Websites that facilitate the ability to exchange fiat currency for cryptocurrency
• $, €, £, ¥, etc. → BTC, ETH, LTC, etc.
• …or cryptocurrency for other cryptocurrency
• BTC, ETH, LTC, etc. → BTC, ETH, LTC, etc.
• Extremely high targets for attackers

12. Ecosystem: Smart Contracts
• Code that sits on the blockchain
• Can be self-executing and self-enforcing
• Exchange of currency, data, shares, etc
• Polls/elections (commit-reveal)
• Removes the third-party from deals
• Anyone can see (and execute) unless secured
• Can’t be reversed
• Not for EVERYTHING!

13. Ecosystem: ICOs
• Initial Coin Offering (ICO)
• A fundraising mechanism in which projects sell their underlying tokens
• Ethereum raised $19 million in 2014
• The DAO raised over $150 million in 2016
• Most of the ICO world is ridden with scams
• Some Ponzi schemes, some have no working platform, some take the money then disappear
• Participants are highly targeted by phishers

15. Ecosystem: Malware
• Ransomware
• Generally requests payment in Bitcoin to decrypt files held ransom
• WannaCry – Estimated to have infected more than 200,000 systems
• Mining Malware
• Coinhive – A JavaScript-based miner embedded in websites
• WannaMine – Similar to WannaCry – Uses EternalBlue to infect, then mines

17. Some Major Events
• Mt. Gox - Feb. 2014 - 850,000 bitcoins went “missing” ($450 million at the time)
• The DAO Hack - June 2016 - 3.6 million Ethereum stolen ($50 million at the time)
• Parity Hack - Nov 2017 - $155 million of Ethereum “locked” forever
• Coincheck - 2 weeks ago - $533 million of NEM stolen from a hot wallet
• …Oh and $1.5 million is stolen from ICO’s every month

19. General AppSec Vulns
• Overstock.com Payment Vulnerability
• They accept Bitcoin for payments but users could pay with Bitcoin Cash instead (which is valued way lower)
• Buy a $78 item for $12
• Refunds were in Bitcoin
• EtherDelta Cross-Site Scripting
• XSS injected into custom contract
• Tricked user into adding the malicious token
• Stole private keys
Image source: https://krebsonsecurity.com/2018/01/website-glitch-let-me-overstock-my-coinbase/

20. Weak or No Encryption
• BitPay/Copay apps wrote new wallet’s private keys to disk prior to encryption
• Jaxx wallet – 12 word backup phrase stored with hardcoded encryption key
• Coinomi wallet – Sent data in plaintext to Electrum servers leaking addresses
• Blockfolio app – Unauthenticated and unencrypted retrieval of crypto holdings

21. DNS Hijacking
• DNS Hijacking – An attacker compromises a site’s DNS server and redirects user traffic to a malicious site
• Blackwallet Hack
• Hijacked DNS and injected code to drain accounts with more than 20 Lumens
• $400,000 worth of Stellar Lumens stolen
• EtherDelta Hack
• $250,000 worth of Ether stolen
Image Source: http://resources.infosecinstitute.com/attacks-over-dns
22. Insecure JSON-RPC
• Electrum Wallet
• For over 2 years the JSON-RPC interface could be communicated with via JavaScript
• Simply having the wallet open and surfing the web could allow for private keys to be stolen
• Even with a password it still allows for potential brute force attacks
• Reported on Github Nov. 2017, then again by Tavis Ormandy in Jan 2018
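The bug class on this slide is a wallet RPC that listens on localhost and forgets that the user's browser is on localhost too, so JavaScript on any page the user visits can POST JSON-RPC to it. The following is an added Python example, not Electrum's code: a minimal JSON-RPC endpoint in its open form next to a hardened form that refuses requests carrying a browser `Origin` header and demands a per-process secret. The method table, the token and the `https://web-page.example` origin are constructed.

```python
"""Localhost JSON-RPC wallet endpoint, open versus hardened (constructed example)."""
import base64
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

RPC_TOKEN = secrets.token_urlsafe(24)   # per-process secret the local wallet client is given
AUTH_HEADER = "Basic " + base64.b64encode(b"rpc:" + RPC_TOKEN.encode()).decode()
METHODS = {"getbalance": lambda params: 42}   # constructed stand-in for wallet methods


class OpenRpcHandler(BaseHTTPRequestHandler):
    """Weak pattern: no credential and no origin check, so a web page's
    fetch()/XHR POST to http://127.0.0.1:<port>/ is served like any other."""
    hardened = False

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.hardened and not self._authorised():
            return
        try:
            req = json.loads(raw)
            fn = METHODS.get(req.get("method"))
            body = {"result": fn(req.get("params"))} if fn else {"error": "method not found"}
        except (ValueError, AttributeError):
            body = {"error": "parse error"}
        self._reply(200, body)

    def _authorised(self) -> bool:
        # Browsers attach an Origin header to page-initiated POSTs; a local wallet
        # client does not. Refusing it blocks the cross-site call before any auth logic.
        if "Origin" in self.headers:
            self._reply(403, {"error": "cross-origin request refused"})
            return False
        # Then require the per-process secret, compared in constant time.
        if not secrets.compare_digest(self.headers.get("Authorization", ""), AUTH_HEADER):
            self._reply(401, {"error": "unauthorized"})
            return False
        return True

    def _reply(self, status: int, obj: dict):
        data = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the example quiet
        pass


class HardenedRpcHandler(OpenRpcHandler):
    hardened = True


def serve(handler) -> HTTPServer:
    """Bind an ephemeral localhost port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def rpc_call(port: int, method: str, headers: dict) -> int:
    """Send one JSON-RPC request and return the HTTP status code."""
    body = json.dumps({"method": method, "params": []}).encode()
    req = request.Request(f"http://127.0.0.1:{port}/", data=body, headers=headers)
    try:
        with request.urlopen(req) as resp:
            return resp.status
    except error.HTTPError as e:
        return e.code


def demo() -> dict:
    """Three callers against each endpoint: a web page, a bare local client, the real client."""
    from_browser = {"Origin": "https://web-page.example"}   # what a page's fetch() carries
    local_client = {"Authorization": AUTH_HEADER}
    results = {}
    for name, handler in (("open", OpenRpcHandler), ("hardened", HardenedRpcHandler)):
        srv = serve(handler)
        port = srv.server_address[1]
        results[name] = (
            rpc_call(port, "getbalance", from_browser),
            rpc_call(port, "getbalance", {}),
            rpc_call(port, "getbalance", local_client),
        )
        srv.shutdown()
    return results
```

The open endpoint answers all three callers with 200; the hardened one returns 403 to the page-initiated request, 401 to an unauthenticated local request, and 200 only to the client holding the secret. Note that the slide's last bullet still applies to the hardened form: a guessable password behind the 401 turns the check into a brute-force target, which is why the token here is random and per-process rather than user-chosen.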
24. A Majority Attack
• Also known as the 51% attack
• Potentially allows the attacker to “double-spend” their own coins
• Can prevent some transactions from gaining confirmations
• Can prevent some or all of other miners from mining any valid blocks
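What "51%" means quantitatively, and why confirmations protect a recipient only below that threshold, is captured by the catch-up probability from the Bitcoin whitepaper. The following is an added Python example (the talk does not carry this formula; it is Satoshi's, with `q` the attacker's share of hash rate, `p = 1 - q` the honest share and `z` the number of confirmations the recipient has waited for). The risk threshold of 0.1% is the one the whitepaper tabulates and is an assumption here.

```python
"""Attacker catch-up probability and confirmations-to-wait (Bitcoin whitepaper formula)."""
import math
from typing import Optional


def attacker_success_probability(q: float, z: int) -> float:
    """P(attacker's private chain ever overtakes the public chain) from z blocks behind.

    The honest chain mines z blocks while the attacker expects lam = z*q/p of
    his own; summing over the Poisson-distributed attacker progress k gives the
    chance of being at most z-k behind and still catching up, (q/p)**(z-k).
    For q >= 0.5 the gambler's-ruin walk always catches up: that is the 51% point.
    """
    if not 0 <= q < 1 or z < 0:
        raise ValueError("q must be in [0, 1) and z >= 0")
    p = 1.0 - q
    if q >= p:
        return 1.0
    lam = z * (q / p)
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_needed(q: float, risk: float = 0.001, limit: int = 1000) -> Optional[int]:
    """Smallest z with success probability below `risk`, or None if no z helps.

    Returning None for q >= 0.5 is the operational meaning of the slide: once
    an attacker controls the majority of hash rate, waiting longer does not
    make a received payment final.
    """
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < risk:
            return z
    return None
```

With 10% of the hash rate an attacker who is 5 blocks behind succeeds about 0.09% of the time, so 5 confirmations keep the risk under 0.1%; at 30% the same bound needs 24 confirmations; at 50% or more the function returns 1.0 for every z.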
25. Implementation Vulns
• Short Addresses
• In Lisk, addresses are 64-bit numbers, such as: 3040783849904107057L
• Derived deterministically from a passphrase
• SEED = SHA-256(passphrase) → ED25519 KEYPAIR = SHA-512(seed) & scalar multiplication → ADDRESS = Last 8 bytes of SHA-256(public key)
• Preimage can be derived in approximately 2^64 evaluations
• No Address-Key Binding
• In Lisk, addresses aren’t bound to a keypair until it has sent tokens to another address
• Attacker can derive preimage and hijack the account
Source: https://research.kudelskisecurity.com/2018/01/16/blockchains-how-to-steal-millions-in-264-operations/
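The two bullets interact: the address is only 64 bits of hash, and an account that has received funds but never signed a transaction is not yet tied to any public key. The following is an added Python model, not Lisk's code: it implements only the last step of the slide's pipeline (last 8 bytes of SHA-256 over the public key, rendered as a decimal with the trailing `L` as on the slide), replaces the Ed25519 step with constructed 32-byte public keys so it runs without a crypto library, and models the binding rule exactly as the slide states it. The `unbound_funded_addresses` check is the defender's view of the window the slide describes.

```python
"""Truncated-hash addresses and late key binding, modelled from the slide (constructed example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

ADDRESS_BYTES = 8   # the slide's "last 8 bytes"


def address_from_public_key(public_key: bytes) -> str:
    """ADDRESS = last 8 bytes of SHA-256(public key), shown as a decimal number plus 'L'."""
    digest = hashlib.sha256(public_key).digest()
    return str(int.from_bytes(digest[-ADDRESS_BYTES:], "big")) + "L"


def preimage_security_bits(n_bytes: int = ADDRESS_BYTES) -> int:
    """A truncated-hash address resists preimage search for about 2**(8*n_bytes)
    evaluations: 64 bits at 8 bytes, against 256 for the untruncated digest."""
    return 8 * n_bytes


@dataclass
class Account:
    balance: int = 0
    public_key: Optional[bytes] = None   # None until the account has signed something


class Ledger:
    """Minimal ledger applying the slide's rule: an address is bound to a key
    only by its first outgoing transaction."""

    def __init__(self):
        self.accounts: Dict[str, Account] = {}

    def credit(self, address: str, amount: int) -> None:
        # Receiving funds creates the account but binds no key to it.
        self.accounts.setdefault(address, Account()).balance += amount

    def send(self, sender_public_key: bytes, to: str, amount: int) -> None:
        sender = address_from_public_key(sender_public_key)
        acct = self.accounts.get(sender)
        if acct is None or acct.balance < amount:
            raise ValueError("insufficient funds")
        if acct.public_key is None:
            acct.public_key = sender_public_key        # first outgoing tx binds the key
        elif acct.public_key != sender_public_key:
            raise ValueError("address already bound to a different key")
        acct.balance -= amount
        self.credit(to, amount)

    def unbound_funded_addresses(self) -> List[str]:
        """Defender's check: funded accounts that any key hashing to the same
        64-bit address could still claim, because nothing is bound yet."""
        return sorted(addr for addr, acct in self.accounts.items()
                      if acct.balance > 0 and acct.public_key is None)


def demo() -> tuple:
    """Fund an address, observe the unbound window, close it with one outgoing tx."""
    my_key = bytes.fromhex("11" * 32)      # constructed stand-in for an Ed25519 public key
    peer_key = bytes.fromhex("22" * 32)    # constructed
    ledger = Ledger()
    ledger.credit(address_from_public_key(my_key), 1000)
    before = ledger.unbound_funded_addresses()
    ledger.send(my_key, address_from_public_key(peer_key), 1)   # any signed spend binds
    after = ledger.unbound_funded_addresses()
    return before, after
```

Before the spend, the funded address is in the unbound list; after it, the sender is bound and drops out, but the recipient address now appears, because it was just funded without ever signing. That is the pattern the slide's second bullet describes, and the model shows why a 64-bit address offers the search bound the first bullet gives rather than the 256 bits of the underlying hash.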
27. EVM: Virtual Machine
• Run-time environment for smart contracts
• Minimal instruction set (256 bit words)
• Arithmetic, bit, logical, comparisons
• Stack machine (not a register machine)
• Contracts have storage, memory and stack
• Isolated sandbox from network/fs/procs
• Reusable code using delegate calls
• Contracts can be made to self-destruct
• Language, compilers and bytecode *oh my*

28. Ethereum Smart Contracts
Source: http://www.gjermundbjaanes.com/understanding-ethereum-smart-contracts/

29. Exploiting Smart Contracts
• Re-entrancy (The DAO Hack)
• PRNG Predictability (Blockchain problem)
• Delegated Fallback Calls (Parity Hack #1)
• Schizophrenic Functions (Parity Hack #2)
• Integer Underflows (The DAO Hack)
• Unpredictable State (GovernMental DoS)
• … more!

31. Securing Smart Contracts
• Truffle: Develop, test, audit and deploy
• Solium: Do code reviews
• Mythril: Vulnerability scan contracts
• OpenZeppelin: Use security libraries
• Manticore: Fuzz, Crash and Taint analysis
• Ethernaut: Hack contracts CTF style
• Ropsten: Deploy to Ethereum test networks
-Pentest all the things-
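Two of the items on the "Exploiting Smart Contracts" slide, re-entrancy and integer underflow, and the ordering discipline that the libraries on the "Securing Smart Contracts" slide encode (checks-effects-interactions, a re-entrancy guard, checked arithmetic) can be shown without an EVM. The following is an added Python model, not the DAO or Parity code and not Solidity: a `Vault` class stands in for a contract holding ether for depositors, an object's `receive` method stands in for a recipient contract's fallback function, and the 256-bit wraparound of the EVM's `SUB` is emulated explicitly. The deposit amounts are constructed.

```python
"""Re-entrancy and unchecked subtraction, modelled in Python (constructed example)."""
UINT256_MAX = 2 ** 256 - 1


def unchecked_sub(a: int, b: int) -> int:
    """EVM SUB semantics: wraps modulo 2**256, so 0 - 1 becomes UINT256_MAX."""
    return (a - b) % 2 ** 256


def checked_sub(a: int, b: int) -> int:
    """SafeMath-style subtraction: reverts instead of wrapping."""
    if b > a:
        raise AssertionError("revert: subtraction underflow")
    return a - b


class Vault:
    """Holds depositors' ether; `safe` selects the hardened withdraw ordering."""

    def __init__(self, safe: bool):
        self.safe = safe
        self.balances = {}
        self.ether = 0           # ether actually held by the contract
        self._locked = False     # re-entrancy guard, honoured only when safe

    def deposit(self, who, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.ether += amount

    def withdraw_all(self, who) -> None:
        if self.safe and self._locked:
            raise AssertionError("revert: re-entrant call")
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        if self.safe:
            # checks-effects-interactions: zero the balance, then send
            self._locked = True
            self.balances[who] = checked_sub(self.balances[who], amount)
            self._send(who, amount)
            self._locked = False
        else:
            # interaction first: the recipient's fallback runs while the balance
            # still reads `amount`, and the later subtraction is unchecked
            self._send(who, amount)
            self.balances[who] = unchecked_sub(self.balances[who], amount)

    def _send(self, who, amount: int) -> None:
        if amount > self.ether:
            raise AssertionError("revert: insufficient contract balance")
        self.ether -= amount
        who.receive(self, amount)   # like msg.sender.call.value(amount)(): runs their code


class Recipient:
    def __init__(self):
        self.received = 0

    def receive(self, vault, amount: int) -> None:
        self.received += amount


class ReenteringRecipient(Recipient):
    """Fallback that calls back into the vault before the first call has finished."""

    def receive(self, vault, amount: int) -> None:
        self.received += amount
        if vault.ether >= amount:
            try:
                vault.withdraw_all(self)
            except AssertionError:
                pass   # the guarded vault reverts the nested call


def run(safe: bool) -> tuple:
    """Returns (ether the re-entering caller got, ether left in the vault, its recorded balance)."""
    vault = Vault(safe)
    vault.deposit(Recipient(), 30)        # another depositor's funds (constructed)
    caller = ReenteringRecipient()
    vault.deposit(caller, 10)
    vault.withdraw_all(caller)
    return caller.received, vault.ether, vault.balances[caller]
```

With `safe=False` the caller, who deposited 10, walks away with all 40 ether in the vault, and the four nested subtractions leave its recorded balance at 2**256 - 30 rather than zero: the re-entrancy and the underflow from the slide in one run. With `safe=True` the nested call reverts on the guard, the caller gets exactly its 10, and 30 ether remain for the other depositor. In Solidity the same ordering is what OpenZeppelin's guard and SafeMath enforce, and a Mythril or Manticore run flags the unsafe ordering as an external call before a state write.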
32. Conclusion
• Don’t let the negative stigma around “blockchain” stifle your involvement
• “Blockchain” has become a buzzword but some extremely innovative technologies have already, and will continue to be developed
• Many companies are looking to integrate blockchain blindly
• Vulnerabilities are surfacing in all aspects of the ecosystem including the wallets, exchanges, smart contracts, even blockchains themselves
• New attack surfaces are forming
• There’s much more research to be done around securing the cryptocurrency ecosystem

33. Resources
• NIST – Guidance on Blockchain - https://csrc.nist.gov/CSRC/media/Publications/nistir/8202/draft/documents/nistir8202-draft.pdf
• DEF CON 25 – Hacking Smart Contracts by Konstantinos Karagiannis - https://www.youtube.com/watch?v=WIEessi3ntk
• OpenZeppelin – https://openzeppelin.org/
• Ethernaut - https://ethernaut.zeppelin.solutions/
• Trail of Bits Blog - https://blog.trailofbits.com/
• Solidity - http://solidity.readthedocs.io/en/develop/
• Whitepaper on attacks - https://eprint.iacr.org/2016/1007.pdf

34. Questions?
• Black Hills Information Security
• http://www.blackhillsinfosec.com/
• Beau - @dafthack
• Mike - @ustayready
• CoinSec Podcast - @coinsecpodcast
• https://www.coinsecpodcast.com