A “Bit” Insecure: IT Security Expert Leonhard Weese Weighs In
Amid cryptocurrency’s rise in prominence, a major threat to its advancement looms: the relentless rate at which security attacks are occurring. In 2016 alone, these breaches appear to be occurring at an unprecedented rate, and many of them are documented here at BTCManager.
Arguably, The DAO attack has been the most high-profile, with subsequent assaults on the Ethereum network continuing unabated. The breach of the global asset exchange Shapeshift earlier this year also generated a great deal of media buzz. And in a lower-profile yet still significant breach, the Krypton attack raised some eyebrows as Krypton founder Stephanie Kent threatened to move away from Ethereum due to suspected code vulnerabilities.
Many of these breaches have been in the form of Distributed Denial of Service (DDoS) attacks, a trend that is on the rise across the world. According to a threat intelligence report released by the cybersecurity firm Imperva, this upsurge is attributed largely to the rise of Dark Web activity.
In measuring threats over the course of a one-year period, Imperva found a 211 percent increase in attacks. These attacks, which are intended to flood servers with fake internet traffic and so interrupt websites and network systems, are having a somewhat chilling effect on the perception and advancement of the cryptocurrency movement.
Then there is ransomware, another malicious type of attack that is wreaking havoc among growing numbers of unsuspecting businesses. In these cases, hackers hold files hostage in return for a ransom. What is most notable here is that bitcoin has now become the go-to payment method, allowing nefarious hackers to send and receive money from anywhere in the world with a significantly reduced risk of detection.
Ransomware attacks are not new, dating back to the late eighties. What is different is the bitcoin-centric method being employed amid recognition of the growing utility of this cryptocurrency. According to the U.S. Department of Justice, ransomware attacks have seen a significant uptick from a year ago, averaging 4,000 cases a day.
Corporations with tepid security protocols and deep profits are often targets. For this reason, ransomware attacks, at least in the short term, are likely to continue with regularity, as they have proven to be a highly profitable form of cybercrime. Case in point: in January 2016, Hollywood Presbyterian Medical Center in California was subjected to a breach by cyber attackers, one with a huge demand: fork over $17,000 in bitcoin within seven days or be subjected to destroyed hospital data systems.
For more on the ongoing vulnerabilities associated with this cybercrime landscape, we here at BTCManager turned to Hong Kong-based IT security expert Leonhard Weese. In addition to his work as a FinTech and Blockchain advisor, Weese is the President of the Bitcoin Association of Hong Kong. Here are a few questions we posed to him along with his responses:
DDoS and other sorts of malicious attacks seem to be on an upward climb in the Cryptocurrency/Blockchain space. What sort of factors are driving this? And how is this impacting the pace of innovation in this space?
The biggest factor is that it has only recently become profitable to take out DDoS attacks. Bitcoin makes demanding ransoms much more attractive, and global, than previous forms of payment such as gift cards, credit cards or cash.
The second factor is that with the increased number of cheap devices online (Internet of Things, cheap routers & computers) along with expanded bandwidth capacity, carrying out an attack has become a lot easier.
There has been a bit of cluelessness in terms of how to react to this. In other words, is it best to identify vulnerable devices and cut them off from the internet? Or would it be best to invest in infrastructure such as those being built by Akamai and Cloudflare, even if it comes at the cost of centralizing the internet? Along this front, the fact that Cloudflare holds the SSL keys to countless Bitcoin services is already a big concern.
Could it be argued that in the case of some startups, their rush to market is a major factor in these security vulnerabilities?
It’s not just the rush to market; it is also a developer culture that does not put security first. Systems are not being designed with adversarial actors in mind. So when these systems grow they remain vulnerable, and therefore often become really difficult to change at a later point.
What sort of security protocols should companies be employing in order to mitigate the potential for breaches?
The most well-known are HSTS, which prompts a site to only connect via a valid TLS connection, password hashing and salting, and a well locked down server infrastructure. I think the most important thing, however, is to gather as little information from users as possible while allowing them control over their information. This makes an infrastructure less valuable to a hacker and therefore less vulnerable. Sadly, startups are very data hungry, particularly well-established companies, which is very problematic.
How can consumers determine which crypto exchanges are the most secure for transactions?
I don’t think consumers should have to put too much thought into this; it shouldn’t be their burden. Consumers should treat online Bitcoin exchanges like they treat brick and mortar currency exchanges. They should pay attention to the features of a website (bugs, https, design) as well as the names of the founders and the business address. Another red flag is if the exchange is in a faraway, obscure jurisdiction, or if the account details change frequently or it is not in the name of the company, without explanation in the terms of service.
Growing numbers of companies have experienced ransomware attacks for bitcoin. What sort of protections need to be in place in order to prevent these?
Software updates are obviously important. This should be limited to necessary software (uninstall Java, Flash, etc.). Also, regular backups need to occur, and the installation of random software on critical infrastructure, including individual laptops, should be avoided. At the end of the day, ransomware is not as sophisticated as we think.
What sort of new security concerns do you believe will emerge in the days ahead as the world of FinTech innovation continues to take shape?
I expect identity theft to become a huge, unmanageable pain. Personal identity is not at all made for a digital age, and as a result we can be easily impersonated online. Some jurisdictions tolerate identity fraud as a necessary side effect of Fintech, recognizing that mitigating it is too costly. Other jurisdictions limit what Fintech can do, for example by forcing companies to open branches and vet people in person. These companies will miss out on the full potential of Fintech.
Solutions will need to be much more radical. Easily revocable and rotating public/private key pairs are an example of this. That may or may not be politically feasible, but if we cannot solve the issue of online identity, Bitcoin (and the like) will overcome most security concerns.