19 June 2018

BLOCKCHAIN ALL THE RAGE — BUT, IT COMES WITH NUMEROUS RISKS


The title above is from Kelly Sheridan’s June 13, 2018 article she posted on the security and technology website, DarkReading.com. And, she’s right, as being associated with blockchain has become a cottage industry on Wall Street. “If you haven’t jumped into the blockchain frenzy, chances are – you at least know about it,” Ms.Sheridan begins. “The Internet is flooded with talk about the up-and-coming technology….though little of it mentions security.” Sound familiar? Sounds like the early days of the Internet, when ease of use and access were paramount and security was an after-thought.


“But, as with all new technology, security risks can be found beneath the hype,” Ms. Sheridan wrote. “Indeed, threat actors are finding new targets amid the rise of blockchain, as they serve up social-engineering attacks, malware, and exploits to businesses and consumers,” according to a recently published report by McAfee’s Advanced Threat Research Team (see attachment/link). 

“It’s the [digital] Wild West,” said Raj Samani, Chief Scientist at McAfree. “You’re talking about an industry that’s basically worth hundreds of millions of dollars, being run by organizations, that are quite frankly, small businesses.”

“Crypto-currency is the first, and most prominent [well-known] implementation [use] for blockchain [technology], which was first used for bitcoin in 2009,” Ms. Sheridan explained. “Since then,” she adds, “the technology has skyrocketed, with people across all organizations and industries learning about what it is, and how they can use [and exploit] it.”

“One of the reasons [security] hasn’t been covered, is there’s been a lot of movement around blockchain,” said Steve Povony, Head of Advanced Threat Research at McAfee. “Every major company and industry is buying and implementing some form of blockchain.”

“The problem,” he continues, “is a lack of understanding among users,” Ms. Sheridan wrote. “This, combined with blockchain’s myriad security complications, has created a rapidly growing technology that’s misunderstood from a security perspective. Sure, blockchain is fundamentally secure,” she adds; “but, it’s also a deregulated, decentralized, and unmanaged platform. The power goes to end users, who are responsible for transactions being done right.”

“We’re now seeing new iterations, or something fundamentally different about the way blockchain is being attacked; and, the way it’s being used mzaliciously,” Mr. Povony told DarkReading. “The same problems that plague us with every security issue — are present in the blockchain as well.”


Cyber Criminals & Others, Are Targeting Blockchain – New Threats Emerging

Ms. Sheridan highlights a number of new and emerging threats in the blockchain space, including “brain wallets,” which she notes “were designed to help people manage private keys. Brian wallets have keys generated by a word, or easy-to-remember seed — which makes them susceptible to attacks,” hacks.

McAfee broke blockchain threats into four buckets: 1) Phishing – the most common; 2) Malware; 3) Implementation Exploits; and 4) Technical Vulnerabilities, or Gaps.

“Phishing attacks are the most common threat with respect to blockchain,” Ms. Sheridan wrote, primarily because of their high success rate. Malware attacks were used, at least in-part, to steal crypto-currencies such as Monero, and Dash.

“Malware targeting blockchain takes several forms, one of which is crypto-jacking, in which hackers target a browser to mine currency,” Ms. Sheridan wrote. “Malicious coin mining on the endpoint, had an “explosive resurgence,” in 2017 and early 2018,” McAfee reported, “as new miners appeared, and old miners were reformatted with mining capabilities. While [nefarious] miners mainly target personal computers, they’ve also been known to hit smartphones,” McAfee warned.

“The third attack vector is blockchain implementation and its supporting tools,” McAfee reported. “These threats are more like exploits of traditional software and Web applications,” McAfee researchers explained, “and, attackers are less likely to succeed the closer they get to the blockchain. The threats go back to the root of a common problem: people using blockchain without fully understanding its purpose and how it can be targeted.

“Similar to any complex technology, if a person implementing or using blockchain or crypto-currency, doesn’t fundamentally understand the technology., you have inherent weaknesses there,” Mr. Povony told Dark Reading. “When you don’t think about the details, you end up with a widened attack base,”

“The last class of attacks is on how blockchain operates,” Ms. Sheridan wrote. “Much of the security focus on blockchain, relates to the integrity of the ledger and the technology supporting it. However, it’s on users to adopt secure practices for this to work.” McAfee researchers cite the example of “dictionary attacks, which try to break a victim’s password, or other means of authentication.”

Just as the Internet and Worldwide Web have enriched our lives, blockchain holds tremendous promise across a number of domains: personal/private, academia, government (defense, intelligence, environmental, etc.), entertainment, and so on. But, just as the Internet and Worldwide Web has also brought us a panoply of assorted cyber hackers and digital threats — the same holds true for blockchain. The advance in the technology is moving faster than those concerned about the threat and vulnerabilities — can cope with. Artificial intelligence (AI) and machine learning will most certainly help us deal with those problems; but, AI and machine learning can and will be used by the darker digital angels of our nature to steal money and data, or worse. Alas, there are no digital silver bullets. Implementing and adhering to best cyber hygiene practices can help mitigate or diminish that threat — but, not eliminate it. Remember, the best cyber thieves haven’t been caught yet…….and, it is the second digital mouse that ‘always’ gets the cheese. RCP, fortunascorner.com.

No comments: