UPDATE Blackmoon Security MeasuresWe at Blackmoon take all the aspects of our platform’s development seriously. Recently we received a number of requests from our community regarding our security policies.
It is no news, that some blockchain crowdsale projects have faced hackers’ attacks. These attacks resulted in temporary disruption of the fundraisings and sometimes in stolen money. The goal of these attacks was to change the project’s wallet addresses to the those in possession of the intruders. This could be achieved by:
- DNS phishing or ownership transfer. The operation when hacker funnels the users to the website under her control.
- Content phishing. Hacking the project’s server to substitute the website contents.
- DDoS (distributed denial of service). Inability to access target website.
We address these challenges by investing time and money into proper infrastructure because we don’t think that this is the area to cut corners and pinch pennies.
High-end Amazon infrastructureWe use industry-grade high-performance Amazon DNS servers. It is highly unlikely that hackers would be capable to perform a successful DDoS attack on the Amazon infrastructure. The cost for such an attack would be prohibitively high.
All our domains have explicitly switched off transfers what makes it impossible for domain ownership transfer.
The access to the administrative tool is well protected. Firstly only the limited number of users is privileged to have access. To access it, one needs to have a unique URL-address and know the machine-generated user name. On top of we apply two-factor authentication.
In fact, two-factor authentication is mandatory for every team-member at Blackmoon for every application, including email and slack clients.
This functionality is built into your account at Blackmoon Crypto. We encourage you to opt-in two-factor authentication (2FA) as well.
Server securityOur servers are placed to dedicated and isolated VPCs (virtual private cloud) and have no direct access from the Internet. The servers communicate exclusively with trusted nodes and balancers. There is no direct SSH access to the servers. VPC’s service discovery uses private DNS zone, so there is no chance to fake internal endpoint to external networks.
In the case of the penetration attack, i.e. increased failed login attempts on the server, the automated monitoring system will block such clients and shall inform devops. If the attack is confirmed, the access point to the infrastructure will be temporarily terminated and replaced. There will be no impact on the functionality of the running services.
In the normal course of business, we routinely apply autoscale mechanics to boost productivity when the load increases and scale down, when needed.
Every single service is protected by Amazon Shield™ anti-DDoS filter and WAF (web application firewall).
No Blackmoon developer has direct access to production servers. We are using automated deployment system and infrastructure orchestration solutions: CI & IaaC (Continuous Integration and Infrastructure as a Code).
Disaster recoveryWe have a contingency plan for unlikely scenario of such an attack that brings down Amazon security. It would take us about minutes to set up from scratch a new AWS infrastructure and switch to it. Data loss in the worst case scenario will be less than a minute.
Thanks to the distributed ledger of the blockchain, we will download the history of the transactions.
All the necessary backups are stored offline under gpg encryption in three copies.
Security of fundsNo server stores private keys of the wallets in either text, or photo, or any other format. We use Trezor hardware for multi-signature wallets. The backups are securely stored in bank vaults. Yes, sometimes it’s good to be fiat-guys.
As a result, should the wallets be compromised, intruders won’t be able to transfer funds.
Personal security tipsKeep your wallet’s private keys safe, check the “lock sign” in browser address field that means trusted SSL connection and correct SSL-certificate to a website. Check return-addresses in emails (“From” and “Reply-to” fields). Check personality in Telegram or Slack channels conversations. Do not send passwords. Enable 2FA in your account.
This list of actions is not exhaustive, it is always good to have an ace up in your sleeve. Should you have any questions on security measures in place, welcome to our telegram chat.
Source -
https://medium.com/blackmoon-crypto/blackmoon-security-measures-519aa028b0c0