March 19, 2019 at 19:07 #2132
This document is applicable to anyone running their own network, though the content was built around security testing multiple entities running crypto currency “farming” operations.
Network Security Basics for Crypto Currency Farms and other Connected Networks
Following the meteoric rise of Bitcoin to over $20,000, droves of new players entered the blockchain scene. Joining the crypto adventure required a leap of faith, and the crypto winter turned many of these initiates back to the industries from whence they came. The survivors and HODL’ers have weathered shrinking margins and rising power costs as the community waited on the coming crypto spring. Those who remain come from a diverse set of backgrounds requiring rapid learning and boundless studies to stay competitive and keep the lights on.
We are now a space ripe with knowledge in crypto operations, basic networking and data center build out, airflow and cooling, fluid dynamics, and well versed in the nuances of power delivery and cost. The community voraciously consumes forums, social media, news, and any other information that can impact the price of the currencies they chose to build their operations around. It is a unique group of newly minted niche experts, more than a few with critical gaps in networking and security basics.
Unfortunately, the technical knowledge gaps will leave some miners with significant damages – when their facilities’ networks are compromised, and their hardware cranks through power and sends all the profits to some malicious actor’s wallet, or worse, fails altogether. Prevention does not have to be reactive; appropriate steps can be taken to make your facilities a much harder target for the opposition.
First steps to reduce your risk
I have spent years studying cyber-security, learning to think like the bad guys, and how to harden your systems and facilities against attack. These are some simple first steps I have noted that are often overlooked by an overwhelming number of small businesses, tech companies, and in particular: miners.
Ports, remote access, and services oh my! In every single one of the networks I have surveyed there has been a host of unnecessary, often unknown to the operator, ports on machines inside the network, and on their public facing routers and modems. Many times I’ve asked a facility operator why they need X service running and exposed, and the response ends up as shrugged shoulders. A lot of the services are over plain HTTP, with no security label and no white listing to say only IP XXX.XXX.XXX.XXX can access the port and service. While some of these services offer a great convenience in remote management for someone trying to manage their hardware while globetrotting and attending the myriad crypto conventions – this also is leaving signposts to the adversary on where to start if they want to break into your operation.
Facility IT managers need to know every service running on their network, what they are for, and steps to mitigate damages if something is compromised. Better still is to ask if there is a way to achieve the same result with much greater security and reduction in risk.
Any farm that does not have on site 24/7 IT crews and needs remote management should seriously consider a properly set up and maintained VPN suite. When done correctly, this is a much better option than the standard fare SSH port forwarding that is common in the community. A lot of operations likely have a hardware router sitting at the nexus between their crypto miner network and the wilds of the internet that has the capability to host a VPN. If you absolutely must use SSH forwarding then it is imperative that password logins are disabled and public key authentication is set up appropriately – this includes appropriate set up of your crypto currency miners!
The security of your network is only as strong as the weakest link! A nice inventory of systems along with their current firmware version and last update should be maintained. The best firewall, modem, router, VPN, any hardware can potentially be bypassed entirely if a vulnerability is disclosed that circumvents the protections the device is designed to provide. So if you are using that second rate, low cost foreign hardware that never releases updates to their firmware you may be stuck with an insecure infrastructure until you upgrade critical components. Know your systems and follow news about vulnerabilities, especially ones that correlate with the systems you choose to implement.
What about physical attacks, insider threats, and careless staff members? The best hardware with a top of the line firewall and routine remote penetration testing is all for nothing if you can walk through the office and see a sticky note with a password clinging to the side of a monitor or on the desk next to the keyboard. The same goes for who has access to any hardware anywhere on your network – it is a trivial task for a malicious actor to plug a device into an empty port on a network switch and gain full remote access inside your network. Does your production network allow WiFi access? If it is not absolutely required for your facility then you shouldn’t have it. Is it configured correctly, and is the router properly updated and screened to ensure you are not running unnecessary services? Rogue USB devices, a CD-ROM disk left behind filled with trojans, malicious PDF files and other documents, or a simpler email phishing attack – the opposition studies every day to be better than the best security systems available, if you make little to no effort to protect your systems you may as well hand over the private keys to all your wallets.
A layered defense is the best way to minimize risk, but, how do you know if your defenses have been breached? There are some consumer products that claim to be all in one solutions that serve as a firewall, intrusion detection system (IDS), and alerting service. They are better than doing nothing for your security, but learning and implementing what corporate networks employ to monitor the health and security of their systems will dramatically reduce damages in the event of a breach.
Snort IDS is a great solution, but using it effectively is not for the faint of heart. Installation is not particularly difficult, but creating, implementing, managing, and understanding the rules you configure to make Snort IDS worthwhile is an art and profession unto itself. For those wanting to try their hand with Snort, this is a good place to start: https://blog.rapid7.com/2016/12/09/understanding-and-configuring-snort-rules/
Countless attempts to breach your systems may occur daily, but it only takes one success to open the doors to mischief. Even the best administrators and IT teams can overlook holes.
Independent reviews are a big part of corporate cyber security improvement, employee awareness and training, and identifying your risks. Initial and periodic testing should be a part of every operation.
Bottom line, if your facility lacks the expertise to implement strong security controls – hire someone to help you implement them. Prevention, education, and incident response planning are often far less costly than damages from a breach.
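The “know every service running on your network” point above, as an added example that is not part of the original post: a small audit over `ss -ltnp` style output that flags anything listening beyond loopback and anything the operator has no documented reason for. The `ss` sample and the `DOCUMENTED` inventory are constructed for illustration.

```python
import re

# Constructed sample in `ss -Hltnp` format (not captured from a real farm).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:4028 0.0.0.0:* users:(("cgminer",pid=1201,fd=9))
LISTEN 0 5 0.0.0.0:80 0.0.0.0:* users:(("lighttpd",pid=990,fd=4))
LISTEN 0 128 [::]:8080 [::]:* users:(("python3",pid=1450,fd=5))
LISTEN 0 128 10.0.5.21:3000 0.0.0.0:* users:(("grafana",pid=1333,fd=7))
"""

# Hypothetical inventory: port -> documented purpose. Anything missing here
# is a service the operator cannot explain, which is the first thing to fix.
DOCUMENTED = {22: "sshd, key-only admin access", 4028: "cgminer API, loopback only"}

WILDCARD = {"0.0.0.0", "::", "*"}
LOOPBACK = {"127.0.0.1", "::1"}
PROC_RE = re.compile(r'users:\(\("([^"]+)"')

def parse_ss(text):
    """Return (addr, port, process) tuples from `ss -ltnp` style output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        m = PROC_RE.search(line)
        listeners.append((addr.strip("[]"), int(port), m.group(1) if m else "?"))
    return listeners

def audit(listeners, documented):
    """Flag listeners reachable beyond loopback; undocumented ones sort first."""
    findings = []
    for addr, port, proc in listeners:
        if addr in LOOPBACK:
            continue  # only local processes can reach it
        exposure = "all interfaces" if addr in WILDCARD else addr
        purpose = documented.get(port)
        if purpose is None:
            findings.append((port, proc, f"undocumented service on {exposure}"))
        else:
            findings.append((port, proc, f"{purpose}; bound to {exposure}, restrict or move behind VPN"))
    findings.sort(key=lambda f: f[2].startswith("undocumented"), reverse=True)
    return findings

if __name__ == "__main__":
    for port, proc, why in audit(parse_ss(SAMPLE_SS), DOCUMENTED):
        print(f"port {port:<5} {proc:<9} {why}")
```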
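The SSH advice above (disable password logins, set up public key authentication), as an added example that is not from the original post: a weak `sshd_config` beside a hardened one, and a checker that reads the file the way sshd does, where the first occurrence of a keyword wins and absent keywords fall back to sshd’s defaults. Both config fragments are constructed for the example.

```python
import re
# Constructed sshd_config fragments for this example (not from any real host).
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
# sshd keeps the FIRST value it sees for a keyword, so this line changes nothing:
PasswordAuthentication no
"""
HARDENED_CONFIG = """\
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
"""

# keyword -> (acceptable values, value sshd assumes when the keyword is absent)
POLICY = {
    "passwordauthentication": ({"no"}, "yes"),
    "pubkeyauthentication": ({"yes"}, "yes"),
    "permitrootlogin": ({"no", "prohibit-password"}, "prohibit-password"),
    "challengeresponseauthentication": ({"no"}, "yes"),
    "kbdinteractiveauthentication": ({"no"}, "yes"),
}

def effective_settings(config_text):
    """Global settings as sshd applies them: first occurrence wins, stop at Match."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1) if line else []
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # lines after Match are conditional; audit those blocks separately
        settings.setdefault(key, value)
    return settings

def audit_sshd(config_text):
    """Return findings for settings that still permit password or root logins."""
    settings = effective_settings(config_text)
    findings = []
    for key, (allowed, default) in POLICY.items():
        value = settings.get(key, default)
        if value.lower() not in allowed:
            origin = "set to" if key in settings else "absent, defaults to"
            findings.append(f"{key} {origin} {value!r}; want one of {sorted(allowed)}")
    return findings
```

Run `audit_sshd` on the live `/etc/ssh/sshd_config` after every change; the weak fragment produces four findings and the hardened one none.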
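The breach-detection point above (profits quietly redirected to someone else’s wallet) as an added example, not code from the original post: the same check a Snort content rule on `mining.authorize` would approximate at packet level, here run over constructed connection logs of Stratum messages. The pool allow-list, the wallet placeholders and the log format are all assumptions made for this example.

```python
import json

# Hypothetical allow-list: the pool hosts the farm actually uses and the
# operator's own payout address (placeholder, not a real wallet).
ALLOWED_POOLS = {"pool.example.net"}
OWN_WALLET = "EXAMPLE_OWN_WALLET_ADDRESS"

# Constructed connection log: "<ts> <rig_ip> -> <pool_host>:<port> <stratum json>".
# Line 2 talks to an unlisted host; line 3 authorizes with a foreign wallet.
SAMPLE_LOG = """\
2019-03-19T19:07:01 10.0.5.21 -> pool.example.net:3333 {"id":2,"method":"mining.authorize","params":["EXAMPLE_OWN_WALLET_ADDRESS.rig01","x"]}
2019-03-19T19:07:03 10.0.5.22 -> 203.0.113.45:3333 {"id":2,"method":"mining.authorize","params":["EXAMPLE_OWN_WALLET_ADDRESS.rig02","x"]}
2019-03-19T19:07:04 10.0.5.23 -> pool.example.net:3333 {"id":2,"method":"mining.authorize","params":["EXAMPLE_OTHER_WALLET_ADDRESS.rig03","x"]}
2019-03-19T19:07:05 10.0.5.21 -> pool.example.net:3333 {"id":1,"method":"mining.subscribe","params":["cgminer/4.10"]}
2019-03-19T19:07:06 10.0.5.24 -> pool.example.net:3333 {"id":2,"method":"mining.authorize","params":["EXAMPLE_OWN_WALLET_ADDRESS","x"]}
"""

def parse_line(line):
    """Split a log line into (rig, pool_host, stratum message) or None."""
    try:
        head, payload = line.split(" {", 1)
        ts, rig, _arrow, dest = head.split()
        msg = json.loads("{" + payload)
    except ValueError:  # json.JSONDecodeError is a ValueError
        return None  # malformed line: worth its own alert in production
    return rig, dest.rsplit(":", 1)[0], msg

def check_authorize(rig, pool, msg):
    """Return a reason string if this mining.authorize is not ours, else None."""
    if msg.get("method") != "mining.authorize":
        return None
    params = msg.get("params") or [""]
    wallet = str(params[0]).split(".", 1)[0]  # pools use "<wallet>.<worker>"
    if pool not in ALLOWED_POOLS:
        return f"{rig} authorizing to unlisted pool {pool}"
    if wallet != OWN_WALLET:
        return f"{rig} authorizing with foreign wallet {wallet}"
    return None

def scan(log_text):
    """Run every line through the authorize check and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        why = check_authorize(*parsed) if parsed else None
        if why:
            alerts.append(why)
    return alerts
```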
March 21, 2019 at 10:28 #2220
- This topic was modified 7 months, 3 weeks ago by John.
Very informative article
The article reminds me that the security of our networks starts with ourselves. We should understand all the activities running on the network and differentiate bad from good. I agree with the writer, John, when he points out that layered defense is the best way to minimize the risk. I applied this and it is working well for my company.
October 15, 2019 at 19:27 #5646