5. Encrypt devices: computers AND phones
Two-factor authentication on inbox and site admin
Google 2FA account incidents: https://ello.co/gb/post/knOWk-qeTqfSpJ6f8-arCQ
6. Password manager (KeePassX)
SSH keys, tied to your computer login
http://opensourcehacker.com/2012/10/24/ssh-key-and-passwordless-login-basics-for-developers/
11. Time-Based One-Time Password Algorithm
Tic-toc keycodes generated by a mobile app
TOTP, a.k.a. Google Authenticator, RFC 6238
Does not require a Google account
OSS apps available
12. HMAC-Based One-Time Password Algorithm
HOTP, RFC 4226, a.k.a. paper codes, one-time pad
Common in EU banking, unheard of in some countries
13. SMS
Yubikey
As a service: authy.org
For Django: https://github.com/miohtama/django-twofactor
15. Users accidentally give out their credentials
Recycled passwords (black market)
Phishing (Google AdWords first-link stealing)
Phishers may get two-factor codes too
16. Third factor parameters
Identify web browser (permacookie)
Identify the country of IP address
The reputation of IP address (botnet, Tor, VPS)
IP address whitelist
17. "Tinfoil never too tight" attacks
Trojan kits with Bitcoin sites "autosteal"
Browser add-ons modifying payment data on the fly
Android and iOS malware
SMS capture attacks
Malicious Tor exit nodes
http://thedroidguy.com/2014/06/popular-chinese-android-smartphone-malware-pre-installed-93764
http://www.reddit.com/r/Bitcoin/comments/2573rw/bitcoin_is_secure_because_it_solves_the_byzantine/
20. Attack mitigation as a service proxies: cloudflare.net
Whitehat bounty programs: crowdcurity.com
Known bad IPs: projecthoneypot.org
21. Hosting provider and physical attacks
Store databases and logs on encrypted partition (LUKS)
Backups as encrypted only: duplicity, GPG
Server-to-server connections: SSH, VPN
Virtual machines are always unsafe
http://blog.bitly.com/#85169217199
22. Server security monitoring
Log server, FSS (forward secure sealed) logs
Intrusion detection (OSSEC)
Firewalling
http://louwrentius.com/systemd-forward-secure-sealing-of-system-logs-makes-little-sense.html