
Topic: Looking for Pentesters and Developers (Read 592 times)

sr. member
Activity: 294
Merit: 250
September 08, 2012, 06:59:22 PM
#5
Naw, you didn't recommend *nix - it was in a post on how to secure your wallet on this subforum.  I didn't read all the responses, but there were tons of them.

I actually thought about perhaps storing the encrypted wallet in KeePass as an attachment, and use its multi-factor authentication (key file+password or AD account+keepass password).  I guess what's daunting is that the more backups you make in alternate locations, the more places you need to worry about security.  Being relatively new to BTC, I thought that BTC wallet backups were a point in time (BTC amount at the time of backup), but they're not AFAIU.

I think the best thing to do is keep your wallet on a removable flash drive that you plug in and remove as necessary, and keep a couple of backups offline on 2 or 3 other removable flash drives which you NEVER touch other than to update your backup (while offline, of course), maybe once a week to once a month depending on how much volume you send and receive...

But again, I am also VERY new to BTC (about 3 days old now, lol) and there may be better methods I am not currently aware of.
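The backup routine described in the post above (wallet kept on one removable drive, copies refreshed on two or three others) is easy to get wrong silently: a half-written copy or a bad flash drive looks like a backup until the day it is needed. The script below is an added example, not code from this thread or from any wallet software; it copies a wallet file to each backup location, verifies every copy's SHA-256 against the source before it replaces the previous backup, and records the hash so the backup can be re-checked later without the original. The wallet file and the three "drives" are constructed temporary directories standing in for mounted flash drives; the paths and the `wallet.dat` name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verified wallet backup to several
# removable drives. The "drives" are constructed temp directories that
# stand in for mounted flash drives; all paths below are assumptions.
set -eu

# backup_wallet SRC DEST... : copy SRC into each DEST directory, verify the
# copy's SHA-256 against the source, and only then replace the old backup.
# Returns non-zero if the source is missing or any copy fails verification.
backup_wallet() {
    src=$1; shift
    [ -f "$src" ] || { echo "source wallet not found: $src" >&2; return 1; }
    want=$(sha256sum "$src" | cut -d' ' -f1)
    rc=0
    for dest in "$@"; do
        mkdir -p "$dest"
        # Copy under a temporary name first so an interrupted or corrupt copy
        # never clobbers the previous good backup on that drive.
        cp "$src" "$dest/wallet.dat.tmp"
        got=$(sha256sum "$dest/wallet.dat.tmp" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            mv "$dest/wallet.dat.tmp" "$dest/wallet.dat"
            # Record the hash beside the backup so it can be re-checked later.
            echo "$want  wallet.dat" > "$dest/wallet.dat.sha256"
            echo "ok   $dest"
        else
            rm -f "$dest/wallet.dat.tmp"
            echo "FAIL $dest (hash mismatch, old backup left untouched)" >&2
            rc=1
        fi
    done
    return $rc
}

# verify_backup DEST : check that the backup on DEST still matches the hash
# recorded when it was written (catches bit rot or tampering on the drive).
verify_backup() {
    ( cd "$1" && sha256sum -c wallet.dat.sha256 >/dev/null 2>&1 )
}

# --- constructed demo: a stand-in wallet file and three stand-in drives ---
demo_dir=$(mktemp -d)
printf 'constructed wallet contents, not a real wallet\n' > "$demo_dir/wallet.dat"
backup_wallet "$demo_dir/wallet.dat" "$demo_dir/usb1" "$demo_dir/usb2" "$demo_dir/usb3"
verify_backup "$demo_dir/usb2" && echo "usb2 backup intact"
```

Running the demo prints one `ok` line per drive and then `usb2 backup intact`; run `verify_backup` against each drive before trusting it after a long time offline, and treat any `FAIL` as a drive to retire rather than a warning to ignore.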
gbx
full member
Activity: 226
Merit: 100
September 08, 2012, 06:11:05 PM
#4
Naw, you didn't recommend *nix - it was in a post on how to secure your wallet on this subforum.  I didn't read all the responses, but there were tons of them.

I actually thought about perhaps storing the encrypted wallet in KeePass as an attachment, and use its multi-factor authentication (key file+password or AD account+keepass password).  I guess what's daunting is that the more backups you make in alternate locations, the more places you need to worry about security.  Being relatively new to BTC, I thought that BTC wallet backups were a point in time (BTC amount at the time of backup), but they're not AFAIU.
sr. member
Activity: 294
Merit: 250
September 08, 2012, 05:58:54 PM
#3
Yeah, it's a good idea!

I've used Nexpose, metasploit, nmap, packet captures, aircrack, and a bunch of other utilities (ala BT5).  What gets me, is that sometimes the most obvious holes in security are ignored and it doesn't take big fancy tools to tell you that.  Just a hex editor and some time...

I'm not an infosec professional by day, and wouldn't feel good about presenting as one.  Part of me wonders why Pool owners and other businesses using bitcoins wouldn't simply hire a reputable security company for an assessment.  10-30k can get you some very good information to get started after interviews and the internal/external pen test.

Ultimately, I think best practices surrounding wallet files is needed for the community.  The idea of recommending *nix as a way to secure the wallet seems inherently flawed.  I say that because I'm not so sure the platform provides the security, but the security practices (e.g. not using a box where you send/receive coins from for any other purpose, and other practices).

Well, consider this: How many reputable security companies accept BTC for payment...? The idea is that we would be the first and we would be doing it for better prices.

Also, I wasn't recommending *nix systems as a way to secure the wallet, but more than 90% of users' boxes are going to be either Windows or *nix based systems, which is why we would be implementing security testing/fixing on those systems. And I'm sure that nearly 100% of mining pool servers WILL be *nix based as well.

I agree, the BEST way to keep your BTC safe is to keep them in offline storage media, but your BTC HAVE to cross the internet to reach you in the first place, which means you WILL at some point in time have to place a box with a wallet online to receive BTC (unless you're storing your BTC somewhere online, which is a REALLY bad idea). I would like to help protect those people as well as pool owners.

If you're interested, let me know and I will send you some info and I guess "interview" you through messaging.
gbx
full member
Activity: 226
Merit: 100
September 08, 2012, 05:44:27 PM
#2
Yeah, it's a good idea!

I've used Nexpose, metasploit, nmap, packet captures, aircrack, and a bunch of other utilities (ala BT5).  What gets me, is that sometimes the most obvious holes in security are ignored and it doesn't take big fancy tools to tell you that.  Just a hex editor and some time...

I'm not an infosec professional by day, and wouldn't feel good about presenting as one.  Part of me wonders why Pool owners and other businesses using bitcoins wouldn't simply hire a reputable security company for an assessment.  10-30k can get you some very good information to get started after interviews and the internal/external pen test.

Ultimately, I think best practices surrounding wallet files is needed for the community.  The idea of recommending *nix as a way to secure the wallet seems inherently flawed.  I say that because I'm not so sure the platform provides the security, but the security practices (e.g. not using a box where you send/receive coins from for any other purpose, and other practices).  And my issue is that *nix seems more difficult to patch and secure for the average end-user.

sr. member
Activity: 294
Merit: 250
September 08, 2012, 05:18:58 PM
#1
So, I just had this idea while responding to another thread (https://bitcointalk.org/index.php?topic=18242.480)

I am looking for pentesters and developers to work with as a bitcoin "security team".

Basically, the idea is that we provide penetration/exploit testing for pool owners and maybe even individual users if they are so inclined and repair any security flaws and/or exploitable code.

If interested, please reply with your area of expertise, what tools you use and rate yourself on how knowledgeable you are in your field on a scale of 1 - 10 where 1 is "little to no experience" and 10 is "I can build a computer from the ground up and write all my own programs in Windows and *nix OS's".

Personally, my area of expertise is in penetration/exploit testing with some programming skill. The tools I use include but are not limited to: nmap, metasploit, wireshark, kismet, ettercap, hydra and MANY others. On a scale of 1 - 10 I rate myself as an 8 in my field.

What about you...?