The blockchain is not secure, we should deal with that...
Tarek KUZBARI
In 2009, a white paper written by an unknown author (or authors) using the pseudonym Satoshi Nakamoto started a tsunami-like phenomenon by launching the concept of the digital “cryptocurrency”. This was the first conceptualization of a Blockchain, building on the first theory for creating a secured chain of blocks, developed in 1991 by Stuart Haber and W. Scott Stornetta. This technology has the potential to transform the world we know.
At its core, the Blockchain is a technology that permanently records transactions in a way that cannot later be erased but can only be sequentially updated, in essence keeping a never-ending historical trail. Frankly, it’s the second significant overlay on top of the internet. This new layer is mostly about trust, which is why Blockchains are secure by design and exemplify a distributed computing system with high Byzantine fault tolerance.
As a result, the commonly held view of Blockchain is that it's inherently secure. While Blockchain has some trappings of security, it’s far from complete and ironclad. Security is a blend of confidentiality, availability, and integrity, or "C-I-A". Blockchain offers lots of "A" and "C" (though the confidentiality is fragile). But its integrity comes with fine print. Once committed to the Blockchain, transactions are indeed immutable, but the veracity of each entry rests on who controls the private key of each account. That’s why bad actors have already targeted many Blockchain implementations using tools such as social engineering, malware, and exploits, resulting in stolen funds or the shutdown of the product.
In January 2018, Coincheck, the leading Japanese exchange, suffered a loss of US $532 Million in NEM coins that affected over 260,000 investors. In February 2018, over US $187 Million was lost by BitGrail, an Italian cryptocurrency exchange platform, when cyber criminals managed to steal the private key of the hot wallet. To learn more about cases of cyber criminal attacks, I would recommend visiting Blockchain Graveyard, which lists over 57 different cases.
The human factor is still the weakest element in the security chain, and the consumers of Blockchain technology are the easiest to target. Due to a widespread start-up mentality, in which security often takes a backseat to growth, cryptocurrency companies often fall into this category. This category includes those in the business of large, well-adopted Blockchain implementations such as Bitcoin and Ethereum. Attackers have adopted several well-established techniques to target consumers and businesses, and different attack vectors are used against the ecosystem. These include the following vectors:
1) Phishing:
Phishing scams are the most familiar Blockchain attacks due to their prevalence and success rate. They involve emails or other communications sent by someone disguised as a company in order to gain access to victims' personal information. Over US $115 Million was lost to ICO phishing scams during H1 2017. This represents over 56% of the money lost in ICO scams.
Consider the Iota cryptocurrency. Victims lost $4 million in a phishing scam that lasted several months. The attacker registered iotaseed[.]io, providing a working seed generator for an Iota wallet. The service worked as advertised and enabled victims to successfully create and use their wallets as expected, providing a false sense of security and trust. The attacker then waited, patiently taking advantage of the building trust. For six months, the attacker collected logs, which included secret seeds, and then began the attack. In January, using the information previously stolen, the attacker transferred all funds from the victims’ wallets.
2) Malware:
Cyber criminals have used different mechanisms to target the Blockchain ecosystem with malicious applications. Here is some information about a sample of them:
Cryptojacking: the method of hijacking a browser to mine cryptocurrency, which has surprisingly shown a resurgence. It's proving increasingly lucrative for cyber criminals. The Smominru botnet is an example of that. Other cryptojacking bots are available on the dark web for as little as US $30.
Ransomware: a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. Most cybercriminal groups use cryptocurrencies as the payment method, sharing the encryption key with victims who pay to get their data back. An example is XiaoBa: it infects a PC, encrypts its files, and holds those files hostage until the victim delivers a payment to the hackers.
Crypto miner malware: cyber criminals infect a victim's computer or smartphone with malware that uses the CPU power of the device to mine currency, with the profits being directed back into the wallet of the attacker. An example is ADB.Miner, which infected Android phones in China to mine Monero coin.
3) Exploits:
An exploit takes advantage of a vulnerability in a system to gain information. As with any crypto implementation, the cryptographic algorithm is almost always far more sound than the program that implements it. In general, Blockchain suffers from any vulnerability or weakness that you might ascribe to any cryptographic solution. These vulnerabilities can be a result of the technology used (you can find a list of them here) or a result of bad programming.
That’s why it's very important to continuously check smart contracts for known vulnerabilities and to scan contracts using specialized tools such as Oyente. However, it's not only the code that needs review, but also the software and infrastructure used. That's why it's important to keep your software up to date, perform secure code auditing, and keep following the news to know what techniques cyber criminals are using.
4) Hash Rate:
One of the primary assumptions for a Blockchain is that the contribution to the network, the “hash rate” for Bitcoin, is distributed. Specifically, no one entity or collaborative group processes more than 50% of the network at any time. A majority attack occurs when an actor owns more than 50% of the network. If they exceed 50%, they essentially can process blocks faster than everyone else—creating their own chains at will. This ability leads to or simplifies other attacks, such as double spending, in which the same coin can be spent multiple times and leave one receiver empty-handed.
A majority attack has never been implemented successfully against Bitcoin due to its large base, but it has been successfully implemented against Verge and other coins. Much smaller coins are acutely at risk. Soon after Krypton was proven susceptible to such an attack, the group 51 Crew targeted other small coins and held them for ransom. This risk also applies to internally developed Blockchains. Many organizations are examining Blockchain technologies to manage inventory, data, and other assets. If the contributing base, or hash rate, of these custom networks is not large enough, an attacker could use cloud technology, botnets, or pools to attack the system.
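To quantify the hash-rate risk above, the following added example (not part of the original article) implements the catch-up calculation from section 11 of the Bitcoin white paper: the probability that an attacker with hash-rate share q ever overtakes the honest chain from z blocks behind, and the confirmation depth a receiver needs for a chosen risk level. The function names and the 0.1% default threshold are choices made for this illustration.

```python
import math

def attacker_success_probability(q, z):
    """P(attacker with hash-rate share q ever catches up from z blocks behind)."""
    if not 0.0 < q < 1.0 or z < 0:
        raise ValueError("q must be in (0, 1) and z must be >= 0")
    p = 1.0 - q                      # honest share of the hash rate
    if q >= p or z == 0:
        return 1.0                   # majority attacker, or nothing to catch up
    lam = z * (q / p)                # expected attacker blocks while honest finds z
    total = 0.0
    for k in range(z + 1):
        # Poisson(k; lam) evaluated in log space to avoid overflow for large z
        log_poisson = -lam + k * math.log(lam) - math.lgamma(k + 1)
        total += math.exp(log_poisson) * (1.0 - (q / p) ** (z - k))
    return 1.0 - total

def min_confirmations(q, risk=0.001, z_max=10_000):
    """Smallest z whose double-spend probability is below `risk`, else None."""
    if q >= 0.5:
        return None                  # no depth is safe against a majority
    for z in range(z_max + 1):
        if attacker_success_probability(q, z) < risk:
            return z
    return None

if __name__ == "__main__":
    # Small networks matter here: a modest rented hash rate can be a large q.
    for share in (0.10, 0.20, 0.30, 0.40, 0.45, 0.51):
        print(f"q={share:.2f}  confirmations for <0.1% risk: {min_confirmations(share)}")
```

The required depth grows sharply as q approaches 50%, which is why a private or low-hash-rate chain cannot rely on the confirmation counts customary for Bitcoin.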
5) The old way:
Cyber criminals are going back to their old playbook to achieve results. The dictionary attack is one of the attacks they are using: cyber criminals attempt to break a victim’s password or other authentication mechanism to access their wallets, accounts, admin rights, etc.
Replacing the wallet address is also a very common method cyber criminals use once they get access to the domain or webpage of a company. Enigma lost over US $500,000 as a result of that. Cyber criminals carried out a simple password attack that gave them access to the Enigma website, then replaced the wallet address with the group's own wallet address.
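One way to detect the address replacement described above, shown as an added example that is not from the original article: compare every wallet address found on the published page against an allow-list kept outside the web server. The addresses and HTML are constructed sample data, and the function name is hypothetical.

```python
import re

# Ethereum-style address: "0x" followed by exactly 40 hex characters.
# The word boundaries keep 64-hex transaction hashes from matching.
ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

def audit_published_addresses(page_html, pinned_addresses):
    """Diff the addresses on a published page against an out-of-band allow-list.

    "unexpected" = addresses on the page that nobody approved (possible swap);
    "missing"    = approved addresses that no longer appear on the page.
    """
    found = {a.lower() for a in ADDRESS_RE.findall(page_html)}
    pinned = {a.lower() for a in pinned_addresses}
    return {
        "unexpected": sorted(found - pinned),
        "missing": sorted(pinned - found),
    }

# Constructed sample data: the approved address and two page snapshots.
PINNED = {"0x" + "1a" * 20}
CLEAN_PAGE = "<p>Send contributions to <code>0x" + "1A" * 20 + "</code></p>"
TAMPERED_PAGE = CLEAN_PAGE.replace("1A" * 20, "9f" * 20)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        result = audit_published_addresses(page, PINNED)
        status = "ALERT" if result["unexpected"] or result["missing"] else "ok"
        print(name, status, result)
```

The allow-list must live somewhere the web server's credentials cannot modify; otherwise the same password compromise that changes the page can change the list.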
6) The Team:
An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat can be intentional or unintentional. An example of an unintentional threat would be weak passwords.
Not to mention the traditional bribe that criminals use to recruit an insider in order to gain access to an organization during its Blockchain project. That’s why each stage of the project is at high risk of cyber attacks.
7) Ponzi Schemes
Ponzi schemes are financial frauds in which users enter the scheme by investing some money and, in order to redeem their investment, new users have to enter the scheme. Another form is launching a fake ICO to trick investors into investing in unreliable and fake projects. We have seen such cases; although they are very small in size, they exist. Cyber criminals tend to focus on more lucrative transactions and quick wins.
In this article I have tried to explain some of the common myths around Blockchain. Lots of people believe Blockchain is Bitcoin, but Bitcoin is just one cryptocurrency application of it, and Blockchain technology can be used and configured for many other applications. The same goes for the myth that Blockchain is 100% secure: as explained here, Blockchain can be tampered with, and the security of the system depends on the adjacent applications attached to it, which have been breached.
As industries research and implement their own blockchains, we can expect cybercriminals to deploy a combination of known and yet-unknown techniques to compromise them. Without a clear understanding of where the risks are you may place undue trust in your blockchain implementations. As we’ve seen, mistakes are easy to make. Users are even harder to control and can negatively contribute to the risk. We need to learn from recent events to make better decisions for securing our technologies for tomorrow.