How Someone TRIED To Hack the SMOKE.NETWORK 🔥

smokenetwork (60)in #cannabis • 7 years ago (edited)

This morning we got a surprise knock on the door from the mailman, earlier than we would all like at the Smoke.Network HQ, with a small package. This time from Dollar High Club supplying us with our monthly package of glass, papers and smoking gear. :) Thanks bros!

After packing a few bowls a couple of us started booting up the laptops and reading what the daily crypto news has brought upon us. Our attention was caught by Enigma, the recent high profile ICO, that got hacked for $500k. . .

How can this be...?

The article stated " Enigma said the thieves had carried out the scam after taking over the company's web domain, mailing lists and Slack messaging service account. "

Perhaps this is worth checking out...

A website that plans to host an ICO should only be building static sites using industry standard HTML, CSS and JS. Now I am pretty sure Enigma's site is built like this (We have not checked), there is no excuse for building a website of this nature on anything else or using any server side code. (For those of you that are planning out a project in future.. ) Using PHP for your mailing list? Bad Idea. Wordpress? Even worse Idea. Keep your page simple, using only HTML, CSS and JS. Any SQL is going to be a nightmare and easy access to hackers in this space.

We decided on plain old HTML, CSS, and JS with our only form control (The mailing list) being handled by our static host. This allowed us to build the website with absolutely no server side code, but with all the functionality, of a modern and functional website that displays our product in an easily digestible manner, responsive to any device. This makes sure our landing, contribute, terms and other pages are secure and only deployed via a Github account secured by two factor authentication and can only be done by one of two core Smoke.Network team members.

This created an environment whereby our site is as secure as most Github accounts, the email names and addresses are stored in a encrypted file and the form control is handled far away from any of our servers, leaving SQL attacks such as this one that started on our website 2 days ago, utterly useless and a waste of time for the attacker (He soon gave up after realizing his injections where not doing anything)...

The Take Away: Do not use server side code on your projects ICO websites.

I repeat, DO NOT USE SERVER SIDE CODE ON YOUR PROJECTS ICO WEBSITES!

There are simpler ways to handle form control then slapping some half arsed code in there, or allowing hackers a free pass to your server. If us stoners can do it, you can too! :P

Slack. . .

What more is there to say then stop using it. Slack was designed for organizations of trusted and paid employees that sign contracts before having access. Slack is not meant to be a public discussion board, handling messages from the founders of high value cryptocurrencies. Use Discord, Telegram or another more secure channel. This has been discussed numerous times before and yet some projects still insist on creating official slack channels. If you thinking about it. Just don't.

For everything else, keep it simple stupid!

Make sure you use secure password managers and hardware wallets where you can. Never click dodgy links in emails and get into a habit of double checking addresses with marketing companies and the likes over more than one channel. . . Pretty sure we left out a ton more things that can and will keep your sites safe, such as SSL.. but that is for another day, and another bag of weed later.