In recent months there has been a flood of ICOs. Startups collect millions of dollars through this innovative fundraising mechanism, and they try to do everything they can to run a successful and secure sale. A big hack with stolen funds during what is usually their first major appearance in the community can kill their reputation, if not the business itself.

With growing demand and a growing number of coin offerings, there is also a growing number of attacks. When you think about hacks, you usually think about code breaches, server vulnerabilities, or application flaws. Recent incidents have shown that these are not always the weakest point. The root cause is sometimes something as trivial as a stolen password or a hijacked social media account, and the result is still a huge mess.

I’m not going to focus on securing code or infrastructure here. That’s the part where everybody should either know what they’re doing or at least hire a specialist to do it — it may also be the most difficult part to secure. There are some obvious general guidelines though, so just to name a few:

keep your systems up to date with the most recent security patches

split access and zones (DMZ, frontend, backend, etc.)

use firewalls and VPNs

allow only required services

encrypt communication

grant admin access only where it is really needed

manage your secrets (API keys, private keys, credentials) and keep them out of the code repository

use key-based authentication (for example SSH keys) instead of passwords

use continuous integration and automation to avoid mistakes

create and keep backups — in separate locations

manage access to your hosting provider account (IP allowlisting, 2FA wherever possible)

have your code audited

use proper source code management (access control, reviews)

perform tests, including security tests

and many, many more…

Many teams skip even some of the points on the list above. Shortcuts and rushed implementations can have terrible results.

I have already mentioned social media and communication channels. Over the last few months in the crypto space we’ve seen many attempted, and quite a few successful, phishing attacks through companies’ Slack workspaces, Twitter accounts, and other channels. When preparing for our Neufund ICO as the person responsible for our IT infrastructure, I was initially not focused on social channels at all. Watching what was going on, we looked into ways of protecting ourselves from such risks, and here is what we found.

Slack

Most crypto companies started using Slack as the medium for communicating with their community, and at first it seems like a great idea. Communication-wise it definitely is. Unfortunately, security against outsiders is not Slack’s strong suit. It was designed as an email replacement for teams, where you know the people and can more or less trust everybody, so it is easy to manage in that setting. It’s a completely different situation when you have to manage a workspace with thousands of users, many of whom you don’t know. It can quickly become really complicated.

Who, with at least some experience in crypto, hasn’t seen a message like this:

[Image: phishing attempt on Slack]

Of course, the link doesn’t take you to the real myetherwallet website but to one that looks almost exactly the same (always verify the address in your browser before entering anything, and open such sites from your own bookmarks rather than from links in chat). Recently, this type of attack has become a real plague, so some companies have decided to ditch Slack and move to other platforms such as the messenger app Telegram or the gaming-oriented chat platform Discord.

I also considered those options seriously, but thought it would be simpler to block users from setting Slackbot reminders for others, from sending DMs to other users, and from posting certain types of messages altogether. Unfortunately, after looking into it I found that Slack offers practically none of these controls.

The only options you have on Slack are:

restrict posting in the general channel to admins and workspace owners (that is a good idea during an ICO anyway — I’ve seen channels flooded with fake ETH contribution addresses during a sale while the project’s website was down under a DDoS attack)

make sure that channels can be archived only by admin users

remove Slackbot reminders before they reach end users

require two-factor authentication for all company members, so that nobody can take over a well-known team account and impersonate its owner

remove unnecessary third-party applications

That’s not much, so we too were considering leaving Slack. Then we found that a company called MetaCert was working on a Slack application designed specifically for crypto community channels.

Today we have the latest version of the bot installed, and it is working quite well. It monitors channels for links and reports when something looks wrong. The current version cannot monitor DMs or Slackbot reminders, but that is already implemented in the beta version we are testing. We also created two additional channels: #check-url, where everybody can paste links and check whether they are safe to click, and #report-url, where users can report phishing or spam URLs to MetaCert employees. MetaCert will also help us throughout the ICO by monitoring our Slack and protecting it against possible scammers. Paul Walsh, CEO of MetaCert, is always there to help.
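To make this kind of link check concrete, here is an added example of my own, not MetaCert’s code and not anything Neufund runs. It pulls URLs out of a chat message, normalizes the host (lowercasing, decoding punycode labels, Unicode NFKC), and compares it against an allowlist of official domains, flagging brand names buried in a longer hostname, one-character typosquats, and non-ASCII homoglyph hosts. The allowlist, the sample messages and the verdict labels are constructed for the example, and the registrable-domain logic assumes plain two-label domains rather than consulting the Public Suffix List.

```python
"""Flag phishing lookalike links in chat messages.

Added example (not MetaCert's bot, not Neufund code). The allowlist and
sample messages below are constructed for illustration.
"""
import re
import unicodedata
from urllib.parse import urlparse

# Constructed allowlist: the domains this community treats as official.
OFFICIAL_DOMAINS = {"myetherwallet.com", "neufund.org"}

# Plain URL matcher; trailing punctuation is stripped afterwards.
URL_RE = re.compile(r"https?://[^\s<>|]+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?)\"'"

# Typosquat tolerance on the brand label ("myetherwallet" vs "myetherwalet").
MAX_EDIT_DISTANCE = 1


def extract_urls(text):
    """Return every http(s) URL found in a chat message."""
    return [m.group(0).rstrip(TRAILING_PUNCT) for m in URL_RE.finditer(text)]


def normalize_host(url):
    """Lowercase the host, decode xn-- (punycode) labels, and NFKC-fold it."""
    host = urlparse(url).hostname or ""
    try:
        # idna decoding turns "xn--..." labels back into their Unicode form so
        # a homoglyph hidden behind punycode is visible to the later check.
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # host already contains non-ASCII characters; keep it as-is
    return unicodedata.normalize("NFKC", host).lower().rstrip(".")


def registrable_domain(host):
    """Last two labels of the host. Assumption: no Public Suffix List lookup."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a, b):
    """Classic edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return one of: ok, homoglyph, lookalike, unknown, invalid."""
    host = normalize_host(url)
    if not host:
        return "invalid"
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return "ok"
    if not host.isascii():
        # Cyrillic/Greek letters that render like Latin ones (e.g. U+0430 'a').
        return "homoglyph"
    labels = host.split(".")
    brand_label = labels[-2] if len(labels) >= 2 else labels[0]
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]
        # "myetherwallet.com.login-verify.io": brand used as a subdomain label.
        if brand in labels:
            return "lookalike"
        # "myetherwaIlet.com" (capital I) lowercases to one edit away.
        if levenshtein(brand_label, brand) <= MAX_EDIT_DISTANCE:
            return "lookalike"
    return "unknown"


def check_message(text):
    """Classify every URL in a message; returns [(url, verdict), ...]."""
    return [(url, classify(url)) for url in extract_urls(text)]


# Constructed sample messages modelled on the phishing pattern in the post.
SAMPLE_MESSAGES = [
    "Reminder: visit https://www.myetherwallet.com/ to check your balance",
    "URGENT: confirm your wallet at http://myetherwaIlet.com/wallet or lose access",
    "Sale address changed! verify here https://myetherwallet.com.login-verify.io/",
    "Official post on https://neufund.org/blog and a link to https://example.org/.",
    "Sign in: https://myetherw\u0430llet.com/",  # Cyrillic 'а' in place of 'a'
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, verdict in check_message(msg):
            print(f"{verdict:10s} {url}")
```

Treat “unknown” as a neutral result, not a pass: the point of an allowlist is that anything outside it gets a second look, while “lookalike” and “homoglyph” are the cases worth an automatic warning in the channel. The edit-distance threshold is a tuning knob; raising it catches more typosquats but will start flagging unrelated short domains.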

Facebook

Make sure that only the right people are listed as page admins. Not everybody who posts as your company page needs to be an admin: assign lower-privilege roles (such as editor) where posting rights are enough, and remove everybody who is not needed. Then verify that the users you removed are actually gone from the admin list. In my case, for a few days Facebook kept returning an error and I finally had to submit a ticket to get it fixed. All users with access should also use two-factor authentication on Facebook.

Make sure that the third-party apps you add to your page are not some kind of scam. Know what you add and what permissions it receives.

Moderate posts published by visitors: enable the option that requires your approval before a visitor’s post appears on your page.

Educate employees not to click random links they receive on their personal accounts. It is really easy to receive one of those chain messages or malware links through Facebook Messenger.

[Image: Facebook virus link]

Twitter

First of all, set up a team that can share one account. On Twitter it is not obvious how to share one account among many editors. Log in to TweetDeck with your company account, open Accounts, and use the team feature to add the people who may post under the company profile. This way you don’t have to share the password, and it is much easier to manage when somebody leaves the company.

Remember to enable two-factor authentication for all users. It is one of those things that should be turned on wherever it is available.

And then what?

Above all, educate users: constantly remind them of the available security measures, use password managers, and use a different password for every account. You can organize periodic workshops to discuss the latest observations and different types of attacks (social engineering, for example). Security is a constant process that has to be considered with every new implementation, every new system, and every new medium your company plans to use. Don’t forget about it.

Is it possible to be fully secure? You can never be certain, but you can at least do your best and follow the common rules of security, like the basic ones described above.

Some historical information about security breaches in blockchain-related projects can be found at the blockchain graveyard…