Cryptocurrencies and Security

welcome to my talk about cryptocurrency in security uh my name is Michael Perkin I've been involved in the Bitcoin scene for about four years maybe four and a half years now uh I'm the president of Bitcoin sultants we are a Bitcoin security firm we do thank you uh we do Bitcoin security audits so we take uh classical information security knowledge which I'm sure many of you if not all of you have and we take Bitcoin experience and we sort of merge the two when we uh when we do security audits of Bitcoin exchanges and Bitcoin gambling sites and other Bitcoin companies I'm also director of the Bitcoin Alliance of Canada we are a nonprofit organization that tries to

educate Canadians about Bitcoin uh I've had the the pleasure to speak to our our senate about Bitcoin to help explain cryptocurrencies to them so that they as they craft the new laws which will allow cryptocurrencies in Canada um they are doing that in a well-informed way and I'm the president of C4 which I'll talk to you in about in a second it's been a second so cryptocurrency certification Consortium is C4 and just um can you guys hear me back there I know there's a lot of noise back there I don't know if any of you can hear me you can that's excellent so uh I I'll get into what C4 is about uh later on in the presentation uh but

for today's 20 minutes I'm going to rant a little bit about the state of security in the cryptocurrency space uh that rant will eventually become relevant you'll it'll sort of evolve and then I'll I'll talk to you a little bit about C4 so the cryptocurrency landscape the way the cryptocurrencies work right now is that everything old is New Again people are sort of bringing back the bell bottoms They're bringing back the plaid and the thick Rim glasses it's it's sort of hipster all over again uh we have companies out there that are building invoicing systems with Bitcoin well invoicing systems have existed for a long time we have other companies that are building currency exchange systems

with Bitcoin well again currency exchange systems have been have existed for a long time there are even some companies that are doing uh certifications in the cryptocurrency space but I digress everything old is new again and when you start Reinventing uh things that have been uh existing for a while you can run into some problems uh and I'm sure you guys know what happens when you start to reinvent the cryptographic algorithms you know if you try to make your own hash algorithm if you try to make your own uh cryptography algorithms obviously it's not going to work out that well because you're not a math wiz you're not a you don't necessarily know how to do all these

things but that doesn't stop people when it comes to the cryptocurrency space people are rebuilding the things that they use every day and that has led to a lot of problems how many have heard of the Mt gaau bankruptcy that happened in in February this year I imagine pretty much everybody has their hands up in the air so when Mt gaws went insolvent and they announced to the world that sorry we don't have the money that everybody is has given us to hold for them in in safekeeping a lot of people heralded that as the end of Bitcoin the Bitcoin protocol is now useless because one company went bankrupt and of course that isn't exactly accurate because Bitcoin is just

a protocol it instead of you know let's say you're sending an email that's a letter over IP the SMTP protocol allows you to send letters over the Internet well Bitcoin allows you to send money over the Internet it's just a protocol and because it's a protocol just because one company that dealt with that protocol went under doesn't necessarily mean that the whole protocol is dead uh what's the most recognizable name and email right now Gmail Google that's right well what would happen if Gmail went bankrupt would email suddenly become useless does that make any sense absolutely not email is still useful if I I need to send a letter over IP I'm going to do it regardless of whether

Gmail exists or not and that's the exact same thing that happened with empty GA they just had really really crappy security Now on the on the surface on the front they had so many security features they had uh requirements for passwords you need to have so many characters you need to have so many different character sets they even had these two Factor authentic a tokens you could either use Google Authenticator or one of these fancy Ubbi keys I don't know if you guys have ever seen a yub key before they're they're awesome um these little devices are amazing just a second Factor so on the front door they had all this amazing security with all

these different things they had Cloud flare to to block um uh their server IPs from being found by by people who are trying to hack them all this amazing Security on the front but that didn't stop anybody from get walking around it all and taking all of their money money it doesn't matter how secure your front door is when people are just going to walk around it and take everything as we all know as security researchers security is as strong as as the weakest link in the chain you every single Link in the chain needs to be secure together for the whole chain to be secure because if you have one weak Link Link in the

chain it really doesn't matter now when it comes to cryptocurrencies when it comes to any cryp cryptography for that matter there's really only one way to keep things secure and that's to protect the keepy there's a concept in cryptocurrencies called cold storage and that is when you have what is this say so these are all the uh servers right here that are running a a system they're online they're connected you can see all these lines look at all those lines it's totally connected that's online on the internet but then you have this other machine over here that has no network no Wi-fi it is absolutely disconnected with such a system you cannot hack it remotely there's no way that a Trojan

can somehow land on that system because it is not talking to a network this is how empty gaau was set up they had maybe 95% of all of their users funds all the millions of dollars that everyone from around the world who has given Mt gaau their money they secured 95% of it in an offline system that was not connected to the internet only 5% was actually online and accessible by all their company systems so that they could process withdrawals this is how it is uh this is how most normal people do security but then mty got hacked they lost millions of dollars of all of their customers funds and when they had a press release

the next day to explain what had happened they said the cold storage has been wiped out due to a leak in the hot wallet let that sink in for a second the cold storage has been wiped out due to a leak in the hot wallet what does that even mean you've got your your online systems connected to the internet where you have maybe only 5% of your users funds connected a leak there somehow depleted funds here how what the hell were they doing that that led to this this doesn't make any sense when it comes to any kind of cryptography you need to make sure that all your keys are created securely they need to be stored securely they have to

be used securely hell when you're when you're making an account don't just use one key why don't you use three keys or five keys or seven keys and all the keys need to work together in order to do this when it comes to cryptography you really only have one job you have to keep your keys safe any kind of cryptography is useless when someone else finds out what your key is you really only have one thing to do keep keep your keys safe it's the most basic thing to do why weren't they following standards every industry has some kind of a standard whether you're the payment card industry and you're dealing with credit cards or you're

dealing with the food safety and the your hup certified if you're having really anything there's there's industry standards that govern absolutely everything and why weren't these guys following standards like it doesn't make any sense what the hell were they doing then I realized oh yeah they're they're are no standards in cryptocurrencies cryptocurrencies are so new that everything is so new in the cryptocurrency world that everything old is new again so I looked at this and I said why can't I solve that and why can't my partner solve that why can't we form a group to solve that and that's exactly what we did we created the cryptocurrency security standard it's well it's ccss for short um our

designers still make our logo so please excuse the fact that it has a generic logo but we took this this the the standard things that everybody should be doing with a crypto system and we basically turn that into a standard there's really only three things you need to worry about creating Keys securely storing them securely after they're created and then using them securely once you have them uh and when you're creating a an account that's going to hold all of your funds make sure that you string together multiple keys in an mfn setup and maybe three of five people need to agree that funds have to be spent or five of seven or seven of nine if you like the Borg or

whatever um so for these three things we broke it down even more secure creation what does that mean well when you create a key securely it should be created on an air gap machine this prevents unauthorized access from malware and viruses remote access Trojans and all those other things that can get out your computer when it's plugged into a network you need to make sure that the key is created by the key holder thems this prevents uh copies from being created by authorized Personnel I mean if I work with you we're in the same organization and I'm going to create everybody's keys and here I'll give you this key and I'll give you that key and

I'll give you that key where is the security risk right here each person needs to create their own key and make sure that they're the only person who has ever seen that key and they're the only person who has access to that key and finally create it using a secure prng or a secure trng a pseudo random number generator or a true random number generator this prevents keys from being created in a deterministic way that can allow somebody else to create a duplicate key from what you have now a quick sidebar this actually happened in the Bitcoin World a few times so um some people made an Android wallet it's just a a piece of software you can download

from the Google Play Store install on your Android device and it allows you to create Bitcoin keys so so you can in you can send received Bitcoin the problem was whenever this uh software was creating a brand new wallet it was using the Androids random number generator so Dev random or Dev Ur random from the Android device what they didn't realize and what nobody realized at the time was that Android itself had a vulnerability that every single Android device when you first turn it on uses the exact same seed to start the random number generator this means that millions of people people around the world all launched their Bitcoin program at the same time hit create key at the same

time a brand new key was created that equaled every single person all around the world everybody created the exact same key people started loading their wallets with funds other people were looking at their phone and saying wow somehow I just got 10 Bitcoin on my wallet I didn't even send that but I'm going to quickly send that away so that I have control of that and people's funds are being stolen all around the world all because because they were not created with a secure random number generator yeah I heard you say that sucks that really does suck especially when Bitcoin was you know $1,200 a pop so so that's secure creation Secure Storage once you've created this key you

need to store it securely you have to store it in a lockable container that will prevent unauthorized access when it is in that lockable container you should store it encrypted that helps so that even if somebody does get access to that lockable container and they do get that key there it's useless to them because they don't know the password to decrypt it uh and of course the encryption key for that don't put it on a Post-It note on the thing keep that stored in some other place uh and finally have key backups for recovery but the key back backups you keep should be at least as secure if not more secure than the primary one that you're using every day

um and that's just Secure Storage the the Third piece was Secure use of course the key should only ever be used by the key holder only there should be no circumstances when somebody gives their key to somebody else to use um when the key is used to sign when it's used to generate a digital signature the random number that's being used inside that digital signature also needs to come from a cryptographically secure random number generator and this is yet another attack that has happened in the uh cryptocurrency space people have scanned all through the blockchain looking at every sing transaction that has ever been sent by anyone around the world and they've identified weak signatures a

weak signature is a signature that has a random number that is deterministic a random number that you know because if you take the private key and a completely random number those with math get scrambled to make a signature that nobody can undo but if you have a signature that has a random number that you do know and a private number that you don't it's just simp simple math to figure out what that private key was along with that random number that you know uh so uh people found private keys and stole a lot of money because of poor signatures or dirty signatures um and finally only use them offline where possible and as you're as

you're signing them if you're using your key and you're signing one of these signatures you should think about it and say do I actually need to send this this prevents a leak in the hot wallet depleting the cold wallet which is what happened at mty gaau so in summary the ccss the cryptocurrency security standard that we've uh drafted it's about 30 pages so far and that's mostly because like any standard that you've ever read it you we have to go through all the minutia of defining every single little term every single little Concept in excruciating detail but this is what we have to do and this draft has already been peer-reviewed by Chief information security officers and chief uh chief

executive officers at various Bitcoin companies by Security Professionals and we're hoping to release this in one or two weeks and one last thing before I I let you guys go um I mentioned C4 so C4 we actually do two things standards is one of them because we're looking at this saying that somebody needs to make a standard and well why can't that be us the other one is Personnel certification and this is because my other company Bitcoin Sant where we do Bitcoin security we were trying to hire Bitcoin professionals Bitcoin Security Professionals people who had your knowledge as Security Professionals and people who had Bitcoin Knowledge from the Bitcoin world and we found we can

only really find people with Bitcoin or with security but we couldn't find that overlap so we we would and and people would be interviewing them and they'd say yeah I know Bitcoin it's that Anonymous untraceable currency isn't it and you're like no Bitcoin is not Anonymous and it definitely isn't untraceable have you ever tried clicking through the blockchain you can trace every single payment that's how we detect counterfeit that's how Bitcoin works so we said well we need a way to differentiate between somebody who actually knows Bitcoin and somebody who doesn't so we created this the Bitcoin the certified Bitcoin professional or a CBP it's just like um the cisp or the cisa uh it's someone who knows how to

use Bitcoin this is for accountants or lawyers or sales professionals um and anyone who needs to prove that they know and understand Bitcoin uh and one more the certified Bitcoin expert this is for developers who code with it every day programmers software Engineers security Auditors Security Consultants people who actually need to know how it works on the wire level so why do I love Bitcoin because everything old is new again uh all the old attacks all the old things need to be recreated for this new economy and they're doing it all in a decentralized way and I love it so if you have any questions come find me thank you