Skip to main content

Blockchain Security—Moving Beyond the Hype

By: Morey Haber, Chief Technology Officer, BeyondTrust

I am simply amazed at all the buzz around Bitcoin, Blockchain, and cryptocurrency. However, the truth is that blockchain has a limited place in business and needs to be secured just like any other application; with some twists.

The Why

Blockchains are not a database replacement, nor will future applications that utilize them. They are a multi-node distributed ledger system that secures entries based on volume and verification. Natively, blockchain can only process a limited number of transactions per second and cannot store complex records or blobs—only ledger-style information that has a finite start date, like shipping information.

As such, historical records, pictures, complex indexes, and other large datasets are just not good for blockchain technology. This is one of the problems security teams need to understand. Think of a blockchain implementation like an old school peer to peer network technology from Napster or bearshare. Each node contains a database of all records and any new entries need to propagate to all other nodes for validity. While a peer-to-peer network queries its peers for entries, blockchain actually contains a duplicate of all entries compared to its peers. This means tampering with one node does not invalidate the entire blockchain. As a consequence, every entry has to be properly validated to be accepted as a ledger entry and propagated to other nodes.

This is where security is so critical. Entries into the blockchain ledger need to be validated for fraudulent activity, and more importantly, the hosts containing blockchain implementations need to be secured against vulnerabilities and privileged attacks that could compromise or tamper with blockchain insertions. There is no concept of blockchain ledger modifications—this is key to protect the integrity of the data. Once an entry is accepted, it is permanent. Therefore, if you can attack the server, application, and ledger processes, you can tamper with the blockchain. This is how some of the recent cryptocurrency attacks have been occurring.

To cite a recent example, on Monday, May 28th 2018, The Hacker News reported on a wicked vulnerability within the EOS Blockchain Platform. While the vulnerability is considered critical, and the method of exploitation fairly basic (a maliciously crafted file), the ramifications are truly astounding. After the vulnerable parser reads the file, it forces an exploit on the node which could then be leveraged against the supernode on the EOS platform. The supernode is responsible for collecting transaction information and packing it into blocks. Once the threat actor owns the supernode, he/she can modify or create malicious blocks that would control the entire EOS network. This includes everything the EOS Blockchain Platform has been implemented to perform—from cryptocurrency, supply chain management, to identity storage. Let this sink in—the uncrackable Blockchain (as it is advertised) can be owned by the fundamental technology designed to protect it; WASM files (smart contracts) and a simple file upload.

The How 

So how do we secure blockchain implementations? We first start with cyber security basic hygiene:

Asset Inventory – Identifying and managing the lifecycle of all software, code, applications, nodes, and operating system used in the Blockchain.
Change Control – Ensuring changes to the operating system, application, and resources are documented and go through a formal change control process.
Configuration Management – The hardening and removal of default settings that are a liability for the operating system, application, or network.
Vulnerability Management – Ensuring that the operating system, application, web application, and source code are reviewed for vulnerabilities and risks are prioritized accordingly.
Log Management – Centrally managing and parsing log files from all resources in the environment including transaction logs.
Patch Management – Using a systematic and predictable methodology for deploying maintenance and security patches to all systems in the environment—from firmware to web applications and everything in between.
Identity and Access Management – The predicable workflow management of identities, roles, and entitlements for all users that have access to resources of the system.
Privileged Access Management – The management of all privileged access into the Blockchain environment—from operating system to web applications including password management, least privilege access, session management, keystroke logging, and application to application key and password management.

And now the twist:

New entries into the blockchain should be secured with dynamic privileges and only valid for one-time usage. This can be done with privileged password access solutions and keys or passwords using an API. An insecure insertion path into the blockchain can lead to devastating results.
Reads from the blockchain should be secured in a similar fashion to ensure the retrieval is not tampered with (like a man in the middle attack) before processing by the application.
Since modifications and deletions of blockchain records are not permitted, all entries must be 100% valid or the entire model (ledger) could be compromised. Think of blockchains as just another application for data storage. It has limited data storage capabilities, is not very fast, but is designed to be highly distributed and 100% reliable. If your application or host can be tampered with, so can you blockchain. The goal—securing both during their design and implementation so this can never occur.

- Ends -


Popular posts from this blog

Cloud Computing powering India’s priority of ‘Digital-first country’

By: Sunil Mahale, India MD and VP, Nutanix
Digital transformation has been recognized as being vital to the growth of our nation. This transformation has enjoyed the unanimous approval and contribution from all stake holders including enterprises, MSMEs, government bodies and citizens. But this level of adoption in a country with a population of over a billion people would need a robust technology base that is capable to collecting and distributing vital data seamlessly.
Digital India envisions creating high speed digital highways, that will impact commerce and create a digital footprint for every individual. Technologies based on mobility, analytics, Internet of things and most importantly, cloud technologies are the building blocks for the digital India missionThere is a growing need to manage huge volumes of data, and making them readily available to public through digital cloud services. Cloud has a pivotal role in enabling this change.
While Data centers have become crucial to th…

RevStart launches its RevItUp Incubation Programme

Underlining its vision of creating a nurturing ecosystem for start-ups to grow in, RevStart, a co-working and incubation centre, has announced the launch of its RevItUp Incubation Programme. The 12-week long programme will be held at RevStart Incubation Centre in Noida from July 1, 2018 onwards. As part of the programme, RevStart will select five high potential start-ups from the ed-tech sector, AI, Consumer Internet, Sustainability, as well as for-profit social impact companies to assist them with developing their business, along with connecting them to global mentors across industries and sectors. In addition, start-ups selected for the programme will receive INR 5 lakh to Rs. 25 lakhs worth of cash and benefits, while RevStart will get an equity stake in the ventures.
The RevItUp Incubation Programme has been created to enhance the founding team’s industry, product, and company building knowledge and capabilities through a world-class curriculum. The programme will focus on tailor…

Insurtech startup Kruzr raises $1.3 Million from Saama Capital and Better Capital

InsurTech startup Kruzr has raised 1.3 Million USD (Rs. 9.5 Cr) for its seed round led by Saama Capital with participation from Better Capital. Kruzr is a preventive motor insurance technology which helps insurance companies personalize policy premiums & improve their risk model by delivering an engaging preventative driving assistant to their customers. Kruzr is founded by Pallav Singh, Ayan, and Jasmeet Singh Sethi.

Kruzr blends the power of voice technology and artificial intelligence in its personal driving assistant that helps drivers minimize mobile distractions, drowsy driving, speeding and external risks like weather and accident-prone zones. In pilots with insurers, Kruzr managed to cut down distracted driving by 80%. Kruzr is working with motor insurance companies in Europe, UK and India to bring its technology to their customers to prevent accidents & improve claims.

“Road accidents cause over 1.3 million deaths globally every year, and motor insurance companies los…