Q&A Securing a computer in an ultra secure situation?

ncage

Level 2
May 20, 2017
90
Hi Everyone. I want to get everyone's opinion. Say you have an ultra secure type of situation where you want to store very sensitive information. I will use crypto as a perfect example.

So if everyone is not aware there has been bitcoin exchanges compromised in the past (mt gox). With the way bitcoin works if it's stolen from an exchange there is no FDIC insurance. Honestly i haven’t read up on it that much but i’m not sure if they are sure if it was an inside job or not but anyways best practice is to take it off the exchange ASAP (especially if it's a significant amount).

So say you want to secure $2,000,000 of crypto on your own system. Probably best practice dictates you don’t do it on the computer you use everyday. Realize with crypto if they get your keys they don’t need to have access to any of your computers. Its all in the blockchain and everything you have would be lost in seconds.

So unless you have the money to buy a separate computer for it a good idea might be to setup a VM.

Best practices would dictate you install the least amount of software on this vm as possible. Say made the decision to use Windows 10. What security software would you use? I think the least # of vendors you have to trust the better. While Kaspersky, Bitdefender, Eset, ect are IMO better than Windows Defender all it takes is one rogue employee at one of these organizations to compromise your keys and steal all your money for any place in the world. If it did happen it's pretty unlikely that you would ever be able to track it down. So if you think you would load up this computer with different security software then you better trust every single vendor and they systems in place for tracking every employee. So what would you do? You might even thinking about turning the screws up on windows defender with something like configuredefender. While i agree Andy is a great guy and probably would never do anything nefarious but we are talking about $2,000,000. You probably should never trust that much to anyone over the internet (or in person). So would you rather just trust Microsoft at this point have to trust other companies.

Then you have to choose where to store these golden keys. There are local only password managers like keypass or cloud based ones like 1password, bitwarden, lastpass, roboform, dashlane, ect.. I’m a big proponent of open source but everyone thinks they are safe if they use open source. There has been big vulnerabilities in open source software that wasn’t found for more than 10 years (openssl). The pro for open source is that everyone can review the code the con is everyone can review the code :). If someone finds a vulnerability they might disclose it responsibly, keep it for their own malicious purpose, or sell it. Also how comfortable are you with the binaries that you are downloading? Who built them and how sure are you they didn’t add something a little something extra extra :)? Unless you download the source and build them manually and you're smart enough to review the source yourself.

Some of you might be saying I would never store this info in the cloud but i see major issues with using the (local only) solution. If you use something like keypass (local only) you would have to have it backed up somehow. Are you going to stick it on a file server? Well you can no longer DMZ the vm and if you are then you might be opening Pandora’s box for anything on your network. If they can grab the file then they could do an offline brute force attack. Even if you are going to store it on a file server how are you going to back it up? Then what attack service does that open (cloud or software based).

Some of you might say why not linux? While I agree that linux is much more secure for general computing we generally do run secure software (how many AV vendors run on linux other than crappy ones like clamav)? There has been back doors in linux because someone stuck something extra in (AUR in Arch for example).

I wanted to get your guys thoughts on this? I think this is a very hard security problem.
 

Minimalist

Level 4
Oct 2, 2020
193
I would go with separate HW, connected to internet through separate mobile access and would not connect that machine to my network.
I would only use that computer to perform transactions and similar - no other activity.
Update that system and browsers and don't install anything else. If you don't trust AV vendors don't install AV and even disable WD if you feel more safe.
Install Sandboxie and run your browser in it. Close Sandboxie and purge all data after each session.
Store password in Keepass, but not exact password - switch first two or last two characters or do something else to it, so that only you know what is correct password even if it gets exposed.
Backup important data to encrypted USB.

That's my few ideas.

EDIT: and try not to lock yourself out of your money, which can sometimes happen if you try to be "too secure".
 

SpiderWeb

Level 4
Aug 21, 2020
170
Air gap everything. Didn't you watch Star Wars? lol

I would be paranoid if I had $2 million worth of crypto. I would probably convert it into real money asap and spread it to multiple accounts.
 

TairikuOkami

Level 30
Verified
Content Creator
May 13, 2017
1,935
I would use Live OS and I would encrypt and store info on an encrypted USB (waterproof, etc) and maybe online, but additionally encrypted and separated into parts and each part stored using a different provider. Maybe I would tattoo a password hint on my skin, since loosing an access would mean loosing everything.
I would be paranoid if I had $2 million worth of crypto. I would probably convert it into real money asap and spread it to multiple accounts.
Great reset is coming. Anyway a bank or a government can lock your accounts, unless you create private ones in Swiss or elsewhere, but it is not as easy as it sounds.
 

SecurityNightmares

Level 33
Verified
Jan 9, 2020
2,241
For crypto you can/ should use hardware token(s).
Also combine that with a Windows Secured Core PC or Chromebook - or if that doesn't matter: switch to mobile phones which even more secure.
a Pixel 3+ with GrapheneOS or currently iPhone is best choice as both provide real verified boot, strong hardware isolation, Titan M/ Secure Enclave chip and more.

I wouldn't trust in Linux nor a a simple VM.
 

Spawn

Administrator
Verified
Staff member
Jan 8, 2011
20,832
Hi Everyone. I want to get everyone's opinion. Say you have an ultra secure type of situation where you want to store very sensitive information. I will use crypto as a perfect example.

So if everyone is not aware there has been bitcoin exchanges compromised in the past (mt gox). With the way bitcoin works if it's stolen from an exchange there is no FDIC insurance.

So say you want to secure $2,000,000 of crypto on your own system. Probably best practice dictates you don’t do it on the computer you use everyday. Realize with crypto if they get your keys they don’t need to have access to any of your computers. Its all in the blockchain and everything you have would be lost in seconds.

So unless you have the money to buy a separate computer for it a good idea might be to setup a VM.

So what would you do? You might even thinking about turning the screws up on windows defender with something like configuredefender. While i agree Andy is a great guy and probably would never do anything nefarious but we are talking about $2,000,000. You probably should never trust that much to anyone over the internet (or in person). So would you rather just trust Microsoft at this point have to trust other companies.

Then you have to choose where to store these golden keys. There are local only password managers like keypass or cloud based ones like 1password, bitwarden, lastpass, roboform, dashlane, ect..

Some of you might be saying I would never store this info in the cloud but i see major issues with using the (local only) solution. If you use something like keypass (local only) you would have to have it backed up somehow.

I wanted to get your guys thoughts on this? I think this is a very hard security problem.
There's a ton of guides out there, don't over-complicate a simple situation.

There's a saying that goes something like this: "not your keys – not your coins".

Informative guides on securing crypto-assets:

Hardware Wallet (recommended for high value assets).
Edit: removed Ledger due improper storage and breach of personal data. Read more - Why Ledger Kept All That Customer Data in the First Place - CoinDesk

Install Sandboxie and run your browser in it. Close Sandboxie and purge all data after each session.
SBIE is BS protection. It does not provide any advantages over using a normal browser. All it does, it erases the written content. Better off using Incognito mode.
 
Last edited:

pablozi

Level 26
Verified
Trusted
Jun 14, 2011
1,581
Storing large value of crypto's on the hardware wallet (like Trezor model T) is the only sensible solution.
 
  • Like
Reactions: venustus
Top