
ICO and Cyber security - How to protect from hackers during ICOs


Since January 2017, not a week goes by without a new ICO being launched (more than 200 to date, with $3Mds raised),
nor without an ICO facing attacks of all kinds (the Parity multi-sig wallet bug with $30Mln stolen,
scam Slack/Twitter posts, and phishing attacks using DNS spoofing, phishing links ...).
During this talk we will discuss the security principles of an ICO and see how, and which elements, to protect
in order to secure both the IT aspects (server hardening, web application firewall, multi-factor authentication ...) and
the process aspects (governance, multi-signature procedure, smart-contract ownership, hot / cold key storage, secret management ...).
We will also try to give an overview of how to use and secure smart contracts for token sales and the TGE process.



  1. (no transcribed text)
  2. Agenda: 1. ICO timeline and cyber threats; 2. Best practices for securing token sales during ICO; 3. Q & A
  3. ICO timeline (ICO and Cyber Security - ICOChain 2 - 01.11.17, ©copyright 2017). Hacker follows ICO listings via API; attacks can be automated via a CC dashboard. Figure: ICO timeline, annotated "Attack(s) start here" and "Attack(s) continue ...". Source: http://bitcoinchaser.com/ico-hub/ico-timeline-components
  4. ICO actors and cyber threats: hijack DNS ownership; usurp identity to change the phone operator; social engineering attacks; social media hijack; impersonate the CEO and founding team; targeted phishing email; attacking wallets with malware; steal the mailing list; send phishing emails; scams on Slack and social networks (Telegram, forums ...); fake website redirect. Source: http://bitcoinchaser.com/ico-hub/ico-timeline-components
  5. ICO timeline and cyber threats: posting a fake URL, a fake token sales page or a fake blog; phishing links; registering a fake DNS domain (ABC ...); duplicate website / spider; scamming Slack with slackbots and hacking the Twitter account (even with 2FA set via SMS); direct email messages to investors to divert them to a scam ETH address; hacking passwords and 2FA (don't use SMS); direct attacks on the ICO team (social engineering, malware email attachment, LinkedIn ...). Source: http://bitcoinchaser.com/ico-hub/ico-timeline-components
  6. ICO hack stories (image slide)
  7. ICO hack stories: a hacker was able to change the Ethereum address posted on the ICO's website; a hacker exploited a bug in the Parity wallet and stole 32Mln$; a white-hat hacker group also secured 270Mln$; a Slackbot sent a fake MyEtherWallet URL.
  8. Are you sure you want to use Slack for your ICO? 1. Direct message in Slack; 2. Reminder task sent by a Slack bot; 3. Scam ICO site using false advertising; 4. Duplicate/clone site.
  9. Do you think this is a secure way to receive funds? (figure labels: ETH address, Receive ICO token)
  10. Section 1: Securing your ICO
  11. What is a smart contract? "Smart contracts are computer protocols that facilitate, verify, or enforce the negotiation or performance of a contract, or that make a contractual clause unnecessary. Smart contracts often emulate the logic of contractual clauses." Source: Wikipedia
  12. But smart contracts are difficult to secure. Source: "A Survey of Attacks on Ethereum Smart Contracts", Atzei N. et al., 2017
  13. Securing funds: software wallets / mobile; paper wallet / cold wallet; hardware wallet. Which one do you think is the most secure? https://99bitcoins.com/best-bitcoin-wallet-comparison-review/
  14. Cold / hot storage. https://blog-archive.bitgo.com/bitgo-release-open-source-key-recovery-service/
  15. ICO secured token sales architecture (figure components): Registration, KYC check, Wallet Management, User Management, Peak Traffic Management, MyEthWallet, Bitcoin Wallet, Tokensales.ABC.com, Blockchain (Bitcoin / ETH), ICO smart-contract(s).
  16. Top 10 - ICO Security Check-list:
     • Secure password storage and rotation (SSH, FTP creds, admin accounts, social media ...)
     • 2FA for accessing ALL admin consoles: AWS, Twitter, Mailchimp, Web, Wallet ... and also for your investors!
     • Community management and "Angel" guardian(s) who clean up and delete SCAM posts. Run a bounty program. Don't use Slack.
     • Rate limiting & throttling on the ICO token sales page (use www.peakprotect.com or another queue service)
     • Audit of ALL your smart contracts by specialists (Zeppelin, ValidityLabs, ELCA ...)
     • Hardening and securing your whole token sales system (registration, contract address management, users ...)
     • Move funds across cold storage and use a multi-signature wallet with strong access control and governance
     • Test and validate ALL your smart contracts before usage (avoid mistakes like the Blocktix end date)
     • KYC/AML compliance check in the pre-registration ICO process
  17. (image slide)
  18. Mr Nagib Aouini, Head of Cyber Security, Nagib.aouini@elca.ch, Tel: 021 613 2136. Confidential, do not distribute.
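As an added illustration (not code from the talk or from ELCA) of three check-list points at once, validating the sale window before any ether is accepted, forwarding funds straight to a multi-signature cold wallet, and never leaving a balance at a hot address, here is a minimal Solidity ^0.8 token-sale contract; the IToken interface, the fundsWallet address, the tokens-per-wei rate and the 18-decimal token are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Assumed token contract: any ERC-20-style token exposing transfer().
interface IToken { function transfer(address to, uint256 amount) external returns (bool); }

contract TokenSale {
    address payable public immutable fundsWallet; // assumed multisig cold wallet
    IToken public immutable token;
    uint256 public immutable startTime;
    uint256 public immutable endTime;
    uint256 public immutable hardCapWei;
    uint256 public immutable rate;                // tokens per wei (assumed)
    uint256 public raisedWei;

    event Purchase(address indexed buyer, uint256 weiPaid, uint256 tokens);

    constructor(IToken _token, address payable _fundsWallet, uint256 _start,
                uint256 _end, uint256 _capWei, uint256 _rate) {
        // Validate the sale window at deployment, so a wrong end date (the
        // Blocktix mistake named in the check-list) is caught before launch.
        require(_start >= block.timestamp, "start in the past");
        require(_end > _start, "end not after start");
        require(_fundsWallet != address(0), "no funds wallet");
        require(_capWei > 0 && _rate > 0, "bad cap or rate");
        token = _token; fundsWallet = _fundsWallet;
        startTime = _start; endTime = _end;
        hardCapWei = _capWei; rate = _rate;
    }

    function isOpen() public view returns (bool) {
        return block.timestamp >= startTime && block.timestamp < endTime
            && raisedWei < hardCapWei;
    }

    function buy() external payable {
        require(isOpen(), "sale closed");
        require(msg.value > 0 && raisedWei + msg.value <= hardCapWei, "bad amount");
        raisedWei += msg.value;                   // effects before interactions
        uint256 tokens = msg.value * rate;
        require(token.transfer(msg.sender, tokens), "token transfer failed");
        // Forward at once: the sale contract never holds a drainable balance
        // (check-list: funds go to cold storage behind a multi-signature wallet).
        (bool ok, ) = fundsWallet.call{value: msg.value}("");
        require(ok, "forward failed");
        emit Purchase(msg.sender, msg.value, tokens);
    }

    // Reject bare transfers so ether sent here by mistake is not silently absorbed.
    receive() external payable { revert("use buy()"); }
}
```

The contract must hold enough tokens for transfer() to succeed, and the published sale address should be the contract, not a plain ETH address, so a swapped address on the website can be spotted by checking that the destination has code.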
