Ron Stoner is Head of Security at US-based crypto security specialist Casa.
Operational security, or OPSEC, is the process of managing risk by defining what information you are trying to protect, what is needed to achieve that goal, and then taking the necessary practical steps.
The philosophy behind OPSEC primarily focuses on thinking like your attacker: understanding who the attacker might be and what steps they might take to exploit you.
Good OPSEC is especially necessary for hardware such as cryptocurrency key-signing devices. Hardware wallets are considered “cold wallets” because they have no direct internet functionality and must be linked to another device, such as a smartphone or PC, to connect to the internet and conduct transactions.
These hardware devices and the bridges they connect to are the most critical points of failure when performing cryptocurrency transactions.
With 2022 becoming the worst year on record for cryptocurrency hacks, with $3.8 billion stolen, OPSEC has never been more important. As the digital asset space becomes more mainstream, attackers are finding new ways to exploit users and platforms.
While the stakes and risk profiles will be different for each entity using digital assets, all users should follow best practices to protect their value.
Securing the Signing Environment
Before signing a transaction, check your surroundings to identify anything that can serve as an attack vector.
Assuming you’re in an otherwise private setting, such as your home, this includes things like cameras or microphones, which are present on nearly all modern laptops and mobile devices.
Don’t forget about the various Internet of Things (IoT) products like smart TVs, Alexa, etc. Any of these can potentially be used to spy on you when you transact.
Thus, it is necessary to “clean” your workspace of anything that could potentially be tapped into, disconnecting or completely removing these devices from the area of operation.
While this may sound a bit paranoid, it is an important aspect of protecting you from attackers if a large, significant amount of money is on the line.
Signing transactions from any public place, such as an office, library, or cafe, is generally not recommended, but sometimes you may have no other choice. If so, there are several steps that can be taken to maximize security.
Once again, you’ll want to account for any security cameras in the area. These days, CCTVs, especially HD and 4K resolution cameras, can easily read what is displayed on a computer or mobile phone screen.
Of course – and hopefully, this goes without saying – there shouldn’t be any other people in direct proximity. It’s best to find the most secluded spot possible, for example, an empty workroom.
Update all involved devices
Perhaps most importantly, you’ll want to update all software and firmware on any devices involved in the signing process.
If you are not using a computer or mobile device directly, your hardware wallet will need to be connected to one in order to transmit transactions.
In theory, hardware wallets are designed in such a way that it doesn’t matter whether the device they connect to is compromised or not. All signing takes place on the wallet itself; the PC or smartphone is used only to transmit transactions.
However, some forms of malware can change various aspects of a transaction, including the amount and the recipient’s address. Even the change address – the address where the change from a transaction goes after the chosen amount has been sent to the recipient – can be manipulated, an area that is easy to overlook.
If you’re using a phone or computer, you’ll want to update your operating system with the latest security patches. Your wallet’s firmware must also be regularly updated.
However, unless the update addresses a specific, immediate security threat, it is better to wait a few days after a new release to upgrade. It is common for bugs to be present in the latest patches; they are usually resolved quickly but can cause headaches. For this reason, it’s a good idea to give non-critical updates some time to be tested.
One last thing to remember is to always update all software and firmware only from official sources, such as the vendor’s websites or repositories.
Learn to use tools like GPG to check the signatures of downloaded files against the officially published ones and confirm that all data matches.
Never trust any link, even those that come from within a given software, as there are too many ways it can be used as a means of attack.
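The signature check described above has two halves: verify the vendor's OpenPGP signature on the release manifest (`gpg --verify SHA256SUMS.asc SHA256SUMS`), then confirm the downloaded file's digest matches the entry in that manifest. The following is an added example, not code from the article or from any wallet project; it implements the second half for the `sha256sum` manifest format and shows that a tampered copy served under the same filename, or a file the manifest never listed, is rejected. All file contents and names are constructed so it runs offline.

```python
"""Verify a downloaded wallet release against a signed SHA256SUMS manifest.

Added example, not taken from the article or from any wallet project. The
manifest text is assumed to have already passed `gpg --verify` against the
vendor's published key; only then are its digests trusted. All input below is
constructed so the block runs offline.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# sha256sum output: 64 hex digits, then two spaces (text mode) or space+asterisk
# (binary mode), then the filename.
_MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})(?:  | \*)(.+)$")


def parse_manifest(text: str) -> Dict[str, str]:
    """Map each filename in a sha256sum-style manifest to its expected digest."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def sha256_file(path: Path) -> str:
    """Hash in chunks so a large release archive need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(download: Path, manifest_text: str) -> Tuple[bool, str]:
    """Return (ok, reason). A file the manifest does not list fails as well."""
    expected = parse_manifest(manifest_text)
    if download.name not in expected:
        return False, f"{download.name} is not listed in the manifest"
    actual = sha256_file(download)
    if actual != expected[download.name]:
        return False, f"digest mismatch: expected {expected[download.name]}, got {actual}"
    return True, "digest matches the signed manifest"


def demo() -> Dict[str, bool]:
    """Constructed scenario: the genuine file, a tampered mirror copy, an unlisted file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        genuine = root / "wallet-1.2.3-linux-x86_64.tar.gz"
        genuine.write_bytes(b"constructed release archive contents")
        # The vendor's (signed) manifest lists exactly this digest.
        manifest = f"{sha256_file(genuine)}  {genuine.name}\n"

        mirror = root / "mirror"
        mirror.mkdir()
        tampered = mirror / genuine.name  # same filename, one byte changed
        tampered.write_bytes(b"constructed release archive contentS")

        unlisted = root / "wallet-1.2.3-bonus-plugin.zip"
        unlisted.write_bytes(b"not part of the official release")

        return {
            "genuine": verify_download(genuine, manifest)[0],
            "tampered": verify_download(tampered, manifest)[0],
            "unlisted": verify_download(unlisted, manifest)[0],
        }


if __name__ == "__main__":
    print(demo())
```

The hash comparison only proves the file is the one the manifest describes; without the preceding `gpg --verify` on the manifest, an attacker who can replace the download can replace the manifest too, which is why the two steps belong together.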
For example, the popular Bitcoin wallet Electrum faced an attack in 2020 that allowed malicious actors to deliver a message to all users through the app, claiming an update was needed and providing a link.
As it turned out, the link was a phishing attack that installed a corrupted version of Electrum on the victim’s machine. This gave attackers complete control over the wallets of those who installed the malicious software, resulting in the loss of millions of dollars in user funds.
Easily Overlooked OPSEC Procedures
One of the most obvious attack vectors to address is human error. Even if you think you have good security, humans develop a false sense of security when nothing goes wrong, which leads to complacent behavior.
The worst failure is when you let your guard down. Never rush a signing event; make sure you have enough uninterrupted time.
Rushing or being distracted are easy ways to overlook something like double-checking your transaction data before approving a signature.
While we’ve mentioned several lines of defense, this last one should never be taken lightly. Double- and triple-check the amounts and addresses involved in any transaction, as this can save you from making a big mistake.
Also, be extremely wary of using public charging stations or even unknown, third-party USB cables. Seemingly innocuous USB cables exist with tiny chips inside the connector that can intercept and inject data, hijacking a cryptocurrency transaction and wreaking havoc.
Combined with issues around compatibility and device wear, it’s always best to use the USB cable packaged with any external signing device.
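The malware scenarios described in the update section (altered amount, altered recipient, hijacked change address) and the "double- and triple-check" advice above amount to one check: every output shown on the signing device must be either a payment you decided on beforehand or change to an address your own wallet derived, and the implied fee must be within reason. The block below is an added example, not code from the article or from any wallet vendor, that performs that review over a host-built transaction and exercises it against three kinds of tampering. Address strings are constructed placeholders, not real Bitcoin addresses.

```python
"""Review a host-built transaction against the user's own intent.

Added example, not from the article or any wallet vendor. It models the
'read the device screen' step: each output is either a payment the user
decided on beforehand, or change to an address the user's own wallet derived;
anything else, or a fee above the limit, is a reason to refuse to sign.
The address strings are constructed placeholders, not real Bitcoin addresses.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Output:
    address: str
    sats: int


@dataclass(frozen=True)
class Intent:
    """What the user decided before the computer got involved."""
    payments: FrozenSet[Output]     # recipients with exact amounts
    own_addresses: FrozenSet[str]   # change addresses the wallet itself derived
    max_fee_sats: int


def review_transaction(outputs: List[Output], input_total_sats: int, intent: Intent) -> List[str]:
    """Return the list of problems; an empty list means the transaction matches intent."""
    problems: List[str] = []
    seen_payments = set()
    for out in outputs:
        if out in intent.payments:
            seen_payments.add(out)
        elif out.address in intent.own_addresses:
            continue  # change returning to our own wallet
        else:
            problems.append(f"unexpected output: {out.sats} sats to {out.address}")
    for missing in intent.payments - seen_payments:
        problems.append(f"intended payment altered or missing: {missing.sats} sats to {missing.address}")
    # Whatever is not assigned to an output is paid to miners as the fee.
    fee = input_total_sats - sum(o.sats for o in outputs)
    if fee < 0:
        problems.append("outputs exceed inputs")
    elif fee > intent.max_fee_sats:
        problems.append(f"fee of {fee} sats exceeds limit of {intent.max_fee_sats}")
    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed payment of 0.5 BTC from 0.8 BTC of inputs, under four host behaviours."""
    recipient = "bc1q-recipient-placeholder"
    change = "bc1q-own-change-placeholder"
    attacker = "bc1q-attacker-placeholder"
    intent = Intent(
        payments=frozenset({Output(recipient, 50_000_000)}),
        own_addresses=frozenset({change}),
        max_fee_sats=20_000,
    )
    inputs = 80_000_000
    honest = [Output(recipient, 50_000_000), Output(change, 29_990_000)]
    # Host malware swaps the change output for the attacker's address.
    hijacked_change = [Output(recipient, 50_000_000), Output(attacker, 29_990_000)]
    # Host malware raises the amount so almost everything leaves the wallet.
    altered_amount = [Output(recipient, 79_990_000)]
    # Host malware drops the change output, turning it into an oversized fee.
    fee_drain = [Output(recipient, 50_000_000)]
    return {
        "honest": review_transaction(honest, inputs, intent),
        "hijacked_change": review_transaction(hijacked_change, inputs, intent),
        "altered_amount": review_transaction(altered_amount, inputs, intent),
        "fee_drain": review_transaction(fee_drain, inputs, intent),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "OK")
```

The point of keeping `Intent` separate from the transaction is that it comes from the user, not from the possibly compromised host; a hardware wallet that knows its own derivation paths can fill `own_addresses` itself, which is exactly what lets it flag a change output it did not derive.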
Health checks can provide instant trust in your keys
Finally, some signing tools offer a technique that can be invaluable in increasing security. Known as a “health check,” it provides an easy way to verify that your keys are available to sign transactions.
If you perform a health check on a mobile phone, the check will first confirm that your key is available locally and that the device is working properly. It will also ensure that the same valid key is backed up securely in the cloud.
This can all be automated with a simple click, and the user will be alerted if anything goes wrong.
The same basic steps apply for hardware wallets, but the external device will need to be connected to a computer or mobile phone. Health checks can be performed for multiple keys even on a multi-signature wallet.
Importantly, if these keys are stored on different devices, health checks must be run on each relevant entity.
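To make the preceding steps concrete, the block below is an added example, not code from the article or from Casa's product, of a health check run over every key holder in a multisig setup. For each holder it asks whether the key loads on the device, whether it still answers a fixed challenge the way it did at setup, and whether the backup holds the same key; it then reports whether enough healthy signers remain to reach the quorum. A real device would sign the challenge with its private key; here an HMAC-SHA256 stands in for that signature so the example needs only the standard library. All key bytes are constructed.

```python
"""Key health check across the devices that hold a multisig quorum.

Added example, not from the article or from Casa's product. A real device
would sign a challenge with its private key; an HMAC-SHA256 over a fixed
challenge stands in for that signature so the block runs with the standard
library alone. All key bytes below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Fixed challenge: a sound key must answer it identically every time.
CHALLENGE = b"health-check-challenge-v1"


def fingerprint(key_material: bytes) -> str:
    """Short identifier for comparing copies without exposing the key itself."""
    return hashlib.sha256(key_material).hexdigest()[:16]


def respond(key_material: bytes) -> str:
    """Stand-in for the device signing the challenge (assumption: HMAC, not a real signature)."""
    return hmac.new(key_material, CHALLENGE, hashlib.sha256).hexdigest()


@dataclass
class KeyHolder:
    name: str                          # e.g. "phone", "hardware wallet", "recovery key"
    key_material: Optional[bytes]      # None when the device cannot load the key
    backup_material: Optional[bytes]   # key recovered from the backup, None when absent
    registered_fingerprint: str        # recorded when the key was created
    registered_response: str           # challenge answer recorded at the same time


def check_holder(h: KeyHolder) -> Dict[str, bool]:
    """Three independent answers: key present, key still signs correctly, backup matches."""
    local_ok = h.key_material is not None and fingerprint(h.key_material) == h.registered_fingerprint
    signs_ok = local_ok and hmac.compare_digest(respond(h.key_material), h.registered_response)
    backup_ok = h.backup_material is not None and fingerprint(h.backup_material) == h.registered_fingerprint
    return {"local_ok": local_ok, "signs_ok": signs_ok, "backup_ok": backup_ok}


def health_check(holders: List[KeyHolder], threshold: int) -> Dict[str, object]:
    """Per-holder results plus whether enough healthy signers remain for the quorum."""
    results = {h.name: check_holder(h) for h in holders}
    healthy_signers = sum(1 for r in results.values() if r["local_ok"] and r["signs_ok"])
    issues = [f"{name}: {check} failed" for name, r in results.items() for check, ok in r.items() if not ok]
    return {
        "holders": results,
        "healthy_signers": healthy_signers,
        "quorum_intact": healthy_signers >= threshold,
        "issues": issues,
    }


def demo() -> Dict[str, object]:
    """Constructed 2-of-3 setup: one fully healthy key, one with a stale backup, one lost key."""
    k_phone, k_hw, k_recovery = b"constructed-key-1", b"constructed-key-2", b"constructed-key-3"
    stale_backup = b"constructed-key-2-old-version"  # backup taken before the key was rotated

    def register(key: bytes) -> Dict[str, str]:
        # What the wallet records at key creation, for later comparison.
        return {"registered_fingerprint": fingerprint(key), "registered_response": respond(key)}

    holders = [
        KeyHolder("phone", k_phone, k_phone, **register(k_phone)),
        KeyHolder("hardware wallet", k_hw, stale_backup, **register(k_hw)),
        KeyHolder("recovery key", None, k_recovery, **register(k_recovery)),
    ]
    return health_check(holders, threshold=2)


if __name__ == "__main__":
    report = demo()
    print("quorum intact:", report["quorum_intact"])
    for issue in report["issues"]:
        print("issue:", issue)
```

In the constructed scenario the quorum is still reachable, but two of the three holders report problems; that is the case a periodic check is for, since nothing would be visibly wrong until a second key failed.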
While the world of OPSEC is complex and ever-changing, securing the environment, keeping all tools up to date, and accounting for easily overlooked problems are essential steps to stay ahead of attackers.
By combining these strategies with regular health checks every six months, users can significantly improve the security that protects their cryptocurrency funds.