If you want to extend this documentation, pull requests are always welcome.
Your assets' value
- Less than a few $: don't bother
- More than 200$: use a hardware wallet!
- More than 10'000$ and up: continue reading ;-)
- Qubes OS www.qubes-os.org
  - the Qubes OS project strives to provide a "reasonably secure" workstation environment by compartmentalizing your applications into separate, fully isolated VMs
  - with 6% market share it is not a real target, but malware exists
- macOS
  - all applications from the App Store are sandboxed
  - with less than 6% of the desktop market it is not a real target, but malware exists
- Windows 10
  - with 86% market share it is heavily targeted
A shared computer may be (or already is) compromised!
- a family computer used for all tasks
- a computer you use while on the go, e.g. at a friend's place
- Use a hardware wallet
- Use Tails Linux on a USB stick
  - Attention: Tails routes all traffic through Tor, and some providers flag Tor logins as suspicious activity
Install ONLY what you need
- no shareware
- no games
- no Flash
- no standalone PDF viewer (Chrome/Firefox can display PDFs; Adobe Reader is well known for zero-day exploits)
- keep your computer's operating system and software up to date
If your computer gets stolen you don't want anybody to access anything confidential: use full-disk encryption
- Chrome: more resistant to malware thanks to its sandbox and fast automatic updates
- Visit only the services you use
- Check the URL for misspellings and lookalike characters
- Browse only in private/incognito mode (this limits stored history and cookies; it does not stop malware)
- Only use HTTPS so nobody can eavesdrop on your activity
- Always check the URL bar and make sure you're on the website you think you are before you enter any information
- Check the certificate to detect DNS poisoning: a site you were diverted to cannot present a valid certificate for the real domain
  - DNS cache poisoning, also known as DNS spoofing, is a type of attack that exploits vulnerabilities in the domain name system (DNS) to divert Internet traffic away from legitimate servers and towards fake ones.
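The checks above (https only, exact host, no misspelling or lookalike) as a small script you can run on a link before you log in. This is an added example, not code from the original page; `KNOWN_HOSTS` is an assumed allowlist and the test URLs are constructed.

```python
# Added example (not from the original page): a pre-login URL check.
# KNOWN_HOSTS is an assumed allowlist; replace it with the exact hosts you use.
from urllib.parse import urlsplit

KNOWN_HOSTS = {"www.example-exchange.com", "mail.example.com"}  # assumption


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, known_hosts=KNOWN_HOSTS):
    """Return (ok, reason). ok is True only for an https URL whose host is exactly allowlisted."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"not https (scheme={parts.scheme or 'none'})"
    if "@" in parts.netloc:
        # https://www.example-exchange.com@evil.net/ actually connects to evil.net
        return False, "userinfo in URL hides the real host"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host"
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False, "invalid internationalized host"
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        # Non-ASCII letters (e.g. a Cyrillic a) render like the real name but are a different domain
        return False, f"punycode host {ascii_host}: possible homograph"
    if ascii_host in known_hosts:
        return True, "ok"
    for known in known_hosts:
        if ascii_host.startswith(known + "."):
            return False, f"{known} used as a prefix of {ascii_host}"
    for known in known_hosts:
        if edit_distance(ascii_host, known) <= 2:
            return False, f"{ascii_host} looks like {known} but is not"
    return False, f"unknown host {ascii_host}"


if __name__ == "__main__":
    for u in ("https://www.example-exchange.com/login",
              "http://www.example-exchange.com/login",
              "https://www.examp1e-exchange.com/login",
              "https://www.example-exchange.com.evil.net/",
              "https://www.example-exchange.com@evil.net/"):
        print(check_url(u), u)
```

The allowlist is deliberately exact: a subdomain or a two-character edit of a host you use is reported as a lookalike rather than accepted, and any internationalized (`xn--`) host is rejected outright because that is how homograph attacks are built.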
Do NOT:
- install ANY browser extensions: on a dedicated computer you don't need them
  - not even an ad blocker
  - not even Ghostery
- run any exe downloaded from the browser; if it's legitimate, check its PGP signature FIRST
- one username (not an obvious name) per service/exchange
- one password per service, no reuse
- use a password manager
## Security questions: always LIE!
- you may have leaked the real answer somewhere
- hackers may find the real answer via Google
- don't give an obvious answer to an obvious question (favorite town: Paris/New York); use a random answer and store it in your password manager
- gmail.com (preferred)
  - use 2FA
- more powerful
  - use 2FA
  - cannot log off existing sessions across devices!
### Adapt your behavior
Even if you receive a link or an attachment from someone you KNOW, don't click or open it blindly
If you receive a link or an attachment from someone you don't know and aren't expecting, don't click or open it
Use extreme caution when clicking on any links or opening any attachments in emails that you receive
A hacker can build a social attack by:
- identifying your friends
- infecting them or impersonating your friend
- do NOT keep any confidential emails in your mailbox; if it gets compromised, everything in it is exposed
### Use PGP for any confidential email
- FlowCrypt in Chrome
- Mailvelope in Chrome
- TOTP stands for "Time-based One-Time Password": a new code every 30 s (the RFC 6238 default; some providers use 60 s)
- HOTP ("HMAC-based One-Time Password") is counter-based: a code may stay valid for an unknown amount of time (until it is used at your next login)
- Check the 2FA list to see if your providers are supported
- use a dedicated phone
- the Ledger Nano S supports U2F 2FA
- get a YubiKey USB security key, with NFC for mobile
Golden rules: do not re-use passwords
- activate 2FA for login, refuse online services not offering it
- keep master keys / recovery keys on a non-computer medium
Backups
- protect against hardware failure, human mistakes, flood, theft, fire
- in an external location
- on multiple medium types: USB, DVD
- ALWAYS encrypted with a well-known and secure encryption scheme
Test your backups regularly
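One way to make "test your backups regularly" a routine: write a SHA-256 manifest when the backup is made and verify each medium (USB, DVD) against it. This is an added example, not code from the original page; the files it creates are constructed placeholder data and the directory names are assumptions.

```python
# Added example (not from the original page): build a SHA-256 manifest of a backup and verify
# each copy against it, so "test your backups regularly" becomes a command you can run.
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def verify_copy(root: str, manifest: dict) -> list:
    """Return a list of problems (missing or altered files); an empty list means the copy matches."""
    problems = []
    for rel, digest in manifest.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            problems.append(f"missing: {rel}")
        elif sha256_file(full) != digest:
            problems.append(f"modified: {rel}")
    return problems


def demo_roundtrip():
    """Constructed scenario: an original, an intact copy, and a copy with a flipped bit and a lost file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "vault")  # assumed layout, already-encrypted files
        os.makedirs(os.path.join(src, "keys"))
        with open(os.path.join(src, "keys", "recovery.txt.gpg"), "wb") as f:
            f.write(b"\x85\x02\x0c\x03" + b"ciphertext-placeholder" * 50)  # constructed sample
        with open(os.path.join(src, "notes.txt.gpg"), "wb") as f:
            f.write(b"\x8c\x0d\x04\x09" + b"more-ciphertext" * 20)  # constructed sample
        manifest = build_manifest(src)
        with open(os.path.join(tmp, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2, sort_keys=True)  # keep this with the backup

        good = shutil.copytree(src, os.path.join(tmp, "usb-copy"))
        bad = shutil.copytree(src, os.path.join(tmp, "dvd-copy"))
        damaged = os.path.join(bad, "notes.txt.gpg")
        with open(damaged, "rb") as f:
            data = bytearray(f.read())
        data[10] ^= 0x01  # one flipped bit, as a failing medium would produce
        with open(damaged, "wb") as f:
            f.write(data)
        os.remove(os.path.join(bad, "keys", "recovery.txt.gpg"))
        return verify_copy(good, manifest), verify_copy(bad, manifest)


if __name__ == "__main__":
    ok, broken = demo_roundtrip()
    print("usb-copy problems:", ok)
    print("dvd-copy problems:", broken)
```

Matching hashes prove the bytes on the medium are intact; they do not prove you can still decrypt them. A full test also opens one file from the copy with the passphrase and tooling you would use in an emergency.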
Secure documents using an encrypted container
- VeraCrypt https://veracrypt.codeplex.com/
Do not save them unencrypted on any medium
Do not save them in any cloud
- the provider can read them
- and the provider can be hacked too
Do not take any picture of them
- with an iOS/Android camera: apps can read your photos!
Keep them in a hardware wallet
Hardware wallet type
- portable devices designed specifically for storing cryptocurrency
- slower access compared to a hot wallet, so not suited for active trading
- Ledger Nano S
How it works
- you can buy coins anywhere and then transfer them to your hardware wallet's address
- your private keys stay in the device and only you have access to them
- if you lose the device or it gets stolen, nobody can access your private keys without the PIN code
- you can buy a new one and restore your private keys by entering the 24 secret recovery words in the correct order
### Cold storage wallet
A device that is never connected to the Internet, like an old offline laptop or a USB stick
### Software wallet
As secure as the computer they run on...
- light wallet
  - Jaxx, Myetherwallet, Electrum, ...
- full node
  - Mist, Parity, Bitcoin Core, ...
- hot wallet
  - online wallet on an exchange for day-to-day transactions
  - fast access but vulnerable
- paper wallet
  - safe only when kept in a safe or a safe deposit box
  - can be lost or stolen
  - can be split, e.g. requiring X of Y shares to reconstruct (Shamir's secret sharing)
The rule of thumb
- select one exchange that is convenient but also reliable / secure / trusted / reputable
- don't keep online what you're not ready to lose!
- keep online only what you want to trade: no middle/long-term storage
Securing exchange access
- restrict access where possible: whitelist your IP if you use a VPN with a fixed address
- use 2FA
- spread investments among different exchanges
- use a private email address per service, used nowhere else
Avoiding exchange bankruptcy
Keep your eye on them
- read the press for signals
  - CIO/CTO steps down
  - celebrities disengage: read their Twitter
  - listen to rumors
- slow response to user tickets
- frequent technical issues are a warning sign
  - questionable administration policies introduced?
  - crashes during high-volume trading, while your orders still execute at a disadvantageous price
Remember they are not regulated!
- the exchange controls the keys to your wallet
- when exploits are found, we often don't know until it has already happened
- dedicated: a phone number none of your family, friends, relatives, or social networks know you use
  - get a burner phone
  - Google Voice number
- your regular phone
  - bad: it is known everywhere, so it can be targeted for SIM swapping or number porting
DO NOT paint a target on yourself
- do not publish your email on forums that you also use for exchanges
- do not reveal your REAL timezone: hackers like to act while you're sleeping
- do not publicly link your email to a telephone number
- do not disclose WHERE you trade
- do not disclose how much you trade
- do not post a picture of your new sports car in a specialized group
Network
- keep your router up to date; if it has no updates, replace it with a new one!
- use WPA2-Personal with AES (CCMP) for Wi-Fi, never WEP or TKIP
- do not connect from a public unencrypted Wi-Fi hotspot
- use a VPN