Now that you've built some bags of crypto, you don't want them just out here in these streets vulnerable to getting jacked, so let's secure your coins! Some of these suggestions are taking security to the extreme, so if you aren't planning on having significant amounts of crypto, some of these measures might be unnecessary, but at least you'll know how far you can take this! If you’re doing heavy crypto investing/development, you probably want to get a computer that you use solely for that purpose and not use your personal computer.
Hardware
Yubikey
- For 2FA on Google, Github, Facebook, Twitter, more: https://www.yubico.com/products/yubikey-hardware/
USB Drives
- For backing up keys, information so it is NOT on your computer
- If you are good at not losing / breaking things.
- If you are bad at not losing / breaking things.
Printer
- Will be used for printing backups of wallets, really important keys, Google Authenticator backup codes, etc. (later sections assume a printer that is not on Wi-Fi)
- Cable (if you don’t have one)
- Paper (if you don’t have paper)
Ledger Nano S or TREZOR
These are the most popular hardware wallets in the industry (we discussed these in Lesson 1). Links below where you can learn more about each and buy:
Best Practices
If you have a clipboard manager, get rid of it
- And never, ever install one again.
- Rationale: recording and saving everything you copy and paste, intentional or unintentional, is stupid.
- See https://coinjournal.net/pc-malware-steals-funds-modifying-ethereum-addresses/
If you have an auto-upload screenshot app (e.g. Cloud App), get rid of it
- And never, ever install one again.
- Rationale: uploading every screenshot you take, intentional or unintentional, to the web is stupid and makes your security depend on the security of a random, insecure screenshot app.
If you have a remote viewer (e.g. TeamViewer), get rid of it
- And never, ever install one again.
- Rationale: opening a door into your entire, unlocked computer is stupid and puts at risk everything you store, access, decrypt, encrypt, or otherwise have, even temporarily.
Install a password manager (e.g. 1Password, LastPass)
- Do NOT use your browser’s built-in password manager to manage passwords, credit card details, or other information
- Set it up properly on all devices.
- Protect your password manager itself with 2FA via Yubikey or Google Authenticator.
- Do NOT store MFA codes in your password manager.
- Do NOT store crypto private keys in your password manager.
- Do NOT store super high security things in your password manager. (e.g. SSH keys, hosting/registrar accounts, etc.)
Audit your Chrome Extensions
- Remove extensions you don’t use, don’t need, don’t trust
- Frequently disable ones you don’t actively use on a daily basis.
- Don’t install new ones willy-nilly
- Turn off automatic updates
- Use incognito mode more often than not (especially when accessing super-secure things like hosting/registrar/banking/crypto)
- Don’t ever enter secrets into websites using a browser you use daily / that has extensions
Audit your Software
- If you have an old computer that you’ve used for a while, do a brand-new install, or think about getting a new computer
- Audit the software that starts on launch. Disable applications that start on launch that you don’t absolutely need.
- Remove unnecessary software completely.
Be especially mindful about installing little “helper” tools and avoid them like the plague. These include apps like…
- Clipboard managers.
- Auto-upload screenshot apps.
- Apps that control system-level things.
- Remote desktop apps like TeamViewer.
- Applets that show you the cryptocurrency price in your toolbar.
- Fun little shit to modify your desktop / icons.
- Stuff from untrusted developers.
Do not install software gratuitously.
- Only install what you need and keep it up to date with patches.
- Don’t torrent or even think about downloading an application from a non-legit site.
- Don’t install any application via a link in an email or deep in Google; instead use the App Store or the product’s official website.
Audit your Cloud Storage Software (Dropbox, iCloud, OneDrive)
What is uploading automatically?
- Disable features like “auto upload all screenshots”
- Disable automatic snapshots/backups of your entire system. Opt for an offline external hard drive instead.
- Disable syncing of high-level system folders that you may inadvertently place secret information in at some point without realizing it.
- Be mindful where you EVER put secret information when using your computer if folders are sync’d.
- Don’t sync your downloads or desktop or home directory; it’s too easy to accidentally have secret stuff sync’d there.
What is already saved there?
- Remove anything sensitive. Realize that things that have been uploaded once are there for life, even if you “delete” it.
- If you discover a password or private key in your Dropbox, start by deleting it.
- Then, immediately change the password or move your funds.
Make sure it is secure.
- Change the password now.
- Enable 2FA now.
- If 2FA is already enabled, disable it and re-enable it freshly.
- If you can use a hardware wallet / U2F / Yubikey on the service, set that up.
- Remove your phone number from a 2FA option.
- Generate new backup codes and remove the old ones. Ensure the new backup codes are hand-written or printed via your no-wifi printer and securely removed from your device afterwards.
- Ensure nothing sensitive is ever saved there again.
- Audit yourself and what is stored there frequently.
Audit your Chrome Settings
Visit chrome://settings/content and ensure the following settings:
- [x] Unsandboxed plugin access: Ask when a site wants to use a plugin to access your computer.
- [x] Location: Ask before accessing
- [x] Camera: Ask before accessing
- [x] Microphone: Ask before accessing
- [x] Flash: Block sites from running Flash
- [x] Popups: Blocked
- Clear your cache, settings, history, etc.
- Be mindful when you give a website or extension permission to access things like your camera, location, plugins, etc. in the future.
Encrypt Your Shit
Encrypt your Computer / Laptop
- Click Apple menu, System Preferences, then select Security & Privacy.
- Select the FileVault tab.
- Click the Lock button, it will ask for an administrator name and password.
- Click Turn On FileVault. (this will take a while, so don’t do this when you’re in a hurry)
- FileVault gives you a recovery key. Pretend this is a private key protecting millions of dollars. Do not copy it. Do not save it. Write it down on a piece of paper and keep it somewhere safe.
Encrypt your USB Drives
- Go to Finder
- Select the USB drive under Devices
- Right-click
- Select “Encrypt”
Change your passwords to new, unique, strong passwords
- This is what a good password looks like: 3o*awM#A^9x&r61v.
- Use your password manager’s generate function with upper, lower, symbols.
- Do not use the password above. It is an example.
- Change all your passwords, even those for stupid random forums, Skype, Twitter, Instagram (see below for big list).
- Never reuse passwords.
2FA all the things!
If you are using Authy, stop using Authy
If you must use Authy:
- Make sure “multi-device” is OFF under settings.
- Change it to a new Google Voice number that no one knows.
- Ensure that this Google Voice number is in a Google Account that no one knows.
- Ensure that this Google account is 2FA’d with your Yubikey.
- Ensure that this new Google account doesn’t have your phone number linked to it for 2FA.
- Do not give this number to anyone, ever.
- Do not give this email to anyone, ever.
Enable 2FA on all the things via Google Authenticator
- How to Set Up Google Authenticator
- How to restore access to your accounts if you lose/destroy your device w/ Google Authenticator (2FA): https://support.mycrypto.com/best-of/restoring-access-to-your-accounts-if-lose-device-with-2fa.html
Remove your phone number and email as a backup option
- Print backup codes via no-wifi printer or hand-write them.
- You will not recover via SMS.
- You will not use Authy.
- For any services that do not allow you to remove your phone number, change it to a new Google Voice number that no one knows.
- Ensure that this Google Voice number is in a Google Account that no one knows.
- Ensure that this Google account is 2FA’d with your Yubikey.
- Ensure that this new Google account doesn’t have your phone number linked to it for 2FA.
- Do not give this number to anyone, ever.
- Do not give this email to anyone, ever.
- Check on all your services (Dropbox, Apple, Skype, Amazon, Facebook) and make sure you cannot log in, recover access, reset your password, 2FA, or bypass 2FA with your phone number.
- Seriously, a stupid number of services now allow you to log in with your phone number. Do not do this.
Update passwords & turn on 2FA for every service. Things like…
- Amazon (shopping) — Remove old credit cards, addresses, etc. while you are there.
- Apple
- Asana
- Atlassian
- AWS
- Bitbucket
- Box
- Calendar Apps
- Coinbase, Gemini, Bittrex, Kraken, Polo, all exchanges.
- Dropbox
- Evernote
- Github
- All your Google accounts
- Even your old Google accounts
- And your Yahoo or Hotmail accounts or whatever
- AOL, too?
- Heroku
- Email services
- Support services (Zendesk, Groove)
- HR services (Gusto, Zenefits)
- Banking services (Chase, Bank of America, Amex)
- Investment services (401k, Vanguard, Charles Schwab)
- Hosts / Registrars (GoDaddy, Bluehost, Cloudflare, whatever)
- LastPass / 1Password
- Skype (Install Microsoft’s Authenticator, see below)
- Slack
- Stack Exchange
- Telegram
- Keybase
- Every messaging app ever
- TransferWise
- Paypal
- Venmo
- Random forums
- Shit forums
- That old reddit account
- Gaming accounts
- Websites or applications that you haven’t logged into in ages because you’re already logged in.
- Places you buy stuff. (Best Buy, Wayfair, etc.)
- Places you order food from (Uber, Uber Eats, Grubhub) — remove addresses, cc’s while you are in there.
Audit your Google, Github, Facebook, Skype, Twitter
For all of the above, check for authorized apps, logged in devices, and others.
Authorized apps:
- “Apps” where you use a different service like Google or Twitter to sign into that service, or that are otherwise linked (e.g. the Fantastical calendar app manages your Google Calendar).
- Remove all apps that you don’t recognize, haven’t used in a while, or are unsure about. It’s easy to re-auth later when you need it, so go to town!
- Whenever using this sign in / auth feature in the future, be very careful about what permissions you accept and who you give access to things.
- A throwaway email address is usually a better choice than “Sign in with Twitter”.
- Document somewhere what things sign in with what accounts. This will be needed if an account is ever compromised as it sheds light on what else an attacker may have access to.
- Twitter: https://twitter.com/settings/applications
- Facebook: https://www.facebook.com/settings?tab=security
- See below for more
Log out of all devices:
- Yes it’s annoying.
- Yes, you will have to re-log in on your current phone.
- Don’t be lazy.
Review forwarding and filters that are pushing data externally.
Remove any “Application Specific Passwords” that will bypass auth.
- This feature is especially damaging in an account takeover scenario, because app specific passwords rarely, if ever, are destroyed in a password reset. This leaves simple access behind for an attacker pretty easily if they’ve created one.
Google: Remove your phone number & email as a backup option
For all your Google Accounts!
- Go to https://myaccount.google.com/security
- Scroll down
- Change your password.
- Click “2 Step Verification”
- Set up: Security key (Yubikey), Authenticator app, Backup codes.
- Remove and/or do NOT set up: recovery phone or email, google prompt, voice or text message
- Print or write the backup codes. Do NOT store in password manager. Do NOT store on computer.
- Do not turn on recovery email. If there is a recovery email there, remove it.
- Do not turn on recovery phone. If there is a recovery phone there, remove it.
- Do not turn on “Google Prompt”
- Do not turn on “Voice or Text Message”
- At the very bottom, click “Revoke all” for “Devices you trust”
- Return to https://myaccount.google.com/security
- Under “Recently used devices” remove anything that isn’t your primary phone and computer.
- Return to https://myaccount.google.com/security
- Review “Apps with access to your account”. Remove anything you aren’t actively using.
Github: Audit your auth’d apps, turn on 2FA
- https://github.com/settings/applications
- Installed GitHub Apps => Remove anything you aren’t actively using.
- Authorized GitHub Apps => Remove anything you aren’t actively using.
- Authorized OAuth Apps => Remove anything you aren’t actively using.
- 2FA via hardware device
Facebook
Some of these are best practices related to privacy rather than security.
Must Do! https://www.facebook.com/settings?tab=security
- Turn on “Get alerts about unrecognized logins”
- Change your password if you didn’t do it before
- Turn on 2FA via Yubikey or Google Auth if you didn’t do it before
Must Do! https://www.facebook.com/settings?tab=privacy
- Future posts: Friends
- Review all posts and things you’re tagged in: On
- Limit past posts: Friends
- Who can see your friends list: Friends
- Who can look you up using email / phone number: Friends
- Do you want search engines…: NO!
Must Do! https://www.facebook.com/settings?tab=applications
- Audit list, remove anything out of date or not actively in use.
Must Do! Turn off Profile Picture Login. Holy fucking shit what a security nightmare that “feature” is.
Recommended! Make sure “Trusted Contacts” was set up intentionally
- This feature allows you to regain access to your account via trusted friends. Make sure you use this feature very wisely.
Recommended! Make sure “Legacy Contact” was set up intentionally.
- Similarly you can have an account transition to someone else upon memorialization (if Facebook receives proof that you’ve died). Make sure it is set up carefully.
Recommended! https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
- Go to “Your Information” w/ green icon. Toggle all switches OFF
- Go to “Ad settings” w/ blue icon. Select: No, No, No one
- Click X’s in Your Interests & Advertisers until you get bored
Recommended! https://www.facebook.com/settings?tab=timeline
- Who can post on your timeline? Friends
- Who can see what others post on your Timeline? Friends
- Who can see posts you’re tagged in on your timeline? Friends
- When you’re tagged in a post, who do you want to add to the audience? Friends
- Who sees tag suggestions when photos that look like you are uploaded? No One
- Review posts you’re tagged in before the post appears on your timeline? On
- Review tags people add to your posts before they appear on Facebook? On
Dropbox / Cloud Storage
- Turn on 2FA
- Turn off any out-of-date phones or computers
- Audit your https://www.dropbox.com/account/connected_apps
Call your cell-phone provider
- Inform them that you work in an industry that has had a number of phone number hacks in the recent months. You are concerned about their ability to protect you and are thinking about moving to a different carrier due to this risk.
- Ask them what protections they offer.
- Ask them to put a note requiring you to be in-store with your photo-id in order to activate a new device or port your number.
- Ask them to put a PIN on the account.
- If you have the option, remove yourself as an authorized user (e.g. if you are on your parent’s plan).
- If you have the option, insert “DO NOT PORT!” and “DO NOT ACTIVATE NEW DEVICE OVER PHONE!!!” in any fields you have access to (e.g. your “Phone name”, “Company” field, etc.)
- Don’t use that phone number for any 2FA anyway. Use a brand new Google Voice number that no one knows.
Miscellaneous
Move any funds that have been created with an online computer to cold storage.
- Use your hardware wallet or air-gapped computer + paper.
- Do not keep funds on an exchange.
Sign up for https://keybase.io/
- Verify a few profiles. Install the phone app.
- Follow @blackrypto
- It’s not the ultimate source of truth, though, and is not necessarily inherently more trustworthy than a phone call, video chat, message on other platforms, etc. It’s just another method we all can use if the need arises.
Never Use Public Wi-Fi
- Opt for your own personal mobile hotspot instead.
- https://motherboard.vice.com/en_us/article/evabb7/an-argentine-isp-was-hacked-to-inject-cryptocurrency-miner-code-into-starbucks-wi-fi
- If they can inject crypto-miners into your Wi-Fi, they can inject anything
Google Yourself
- Remove personal information, old forum links, etc.
- Remove your Facebook profile indexed by Google in FB settings
- Set up Google search alerts for your names, common usernames, etc.: https://www.google.com/alerts
Look yourself up on haveibeenpwned.com
- For anything that has been pwned, ensure that you are not using the same password
- Change specifically *that* password
- If other data is breached (e.g. address or phone number or security questions), ensure that data doesn’t give anyone else access to an account (e.g. don’t protect your online banking with a security question that was revealed during the Adobe breach.)
- Consider starting a new general email address to disconnect yourself from the past breaches
If you don’t use Chrome, install and use Chrome from now on.
Bookmark your sites.
- Only use these bookmarks. Do not click links. Do not trust email. Do not trust links in emails. Do not trust attachments on emails.
If you ever encounter a malicious crypto site that isn’t blocked, report it immediately to https://etherscamdb.info/
Install an adblocker
Encrypt your laptop because it can be lost or stolen.
Do not leave your laptop, keys, USBs, phones unattended, even for a moment.
Do not travel to crypto-conferences with laptops, keys, USBs, phones that have all your secrets on them.
Do not store super-secret things on the laptop.
Other Resources / Sources
- https://medium.com/starting-up-security/starting-up-security-policy-104261d5438a
- https://magoo.github.io/Blockchain-Graveyard/
- https://medium.com/starting-up-security/securing-local-aws-credentials-9589b56a0957
Have something to add? Find a typo?
Leave us a comment