“Oh, the things you can find, if you don’t stay behind!”
Those words, uttered by Theodor Seuss Geisel, or as we know him, Dr. Seuss, still have the power to change the world, even in cybersecurity and blockchain technology. That’s right, I’ve brought the good ‘ole doctor into the house.
For those technology and blockchain enthusiasts, keep pushing forward, because this space is opening up a whole new world worth exploring. Granted, the path ahead may be blocked with silos, but nevertheless, it’s time to push them aside.
“And will you succeed? Yes, you will indeed! (98 and ¾ percent guaranteed).” —Dr. Seuss
National Cybersecurity Awareness Month
With the 15th annual National Cybersecurity Awareness Month now at an end, our digital hygiene must remain top notch. Initiated by the U.S. Department of Homeland Security, October has for 15 years served as a time for everyone to educate themselves on new cybersecurity tips for the season.
I asked Robert Herjavec, Founder and CEO of Herjavec Group, how he would describe the period:
“Supporters of this great initiative engage in activities to raise awareness around the importance of cybersecurity by educating businesses and consumers on industry trends, cybersecurity threats, and best practices.”
Yet both Herjavec and I agreed that the industry currently reflects a vital need to monitor the strength of our digital infrastructure on a daily basis, not just yearly. But with all of this blockchain talk, how can the technology help to strengthen our infrastructure?
If Dr. Seuss were still around today, the lessons he would teach could help reduce a breach! So, I went to the experts at DLA Piper and spoke with its partners Deborah Meshulam and Mark Radcliffe, the latter also the head of the firm’s new blockchain division. According to both Radcliffe and Meshulam, blockchain technology can help restore integrity to the space.
Unfortunately, as Radcliffe pointed out to me, “the issue of data integrity is rarely discussed, and this new technology can help prevent attacks by detecting and deterring the unauthorized, undetected tampering of data.”
“The Blockchain can provide improved confidence about ‘identity’ of humans, such as Civic and Estonia’s citizen’s registry, as well as provenance of items and information, particularly in the supply chain and high-value assets,” Radcliffe explained.
“This technology has the ability to help reduce the risk of certain cyberattacks, because there is no one central repository to be hacked,” added Meshulam.
“By implementing this technology, we are helping to protect the integrity of data by making alteration very difficult, and by rejecting data that is false or altered, without permission, in real-time.”
Radcliffe identified five real-world incidents where the use of blockchain technology could have significantly reduced their impact, or prevented them from occurring altogether:
- An athlete’s “doping” data that was altered by “Fancy Bears”, and then released;
- Oil rigs drilling in the wrong place because location data was hacked;
- Counterfeit drugs passing as valid prescriptions with doctored tracking data;
- Corporate IT departments installing hacked software; and
- Patches that introduce security holes.
In essence, this technology helps reduce the risk of certain attacks like phishing, theft, and other unauthorized access crimes. With the Blockchain, a hacker’s ability to conduct an efficient attack, according to Meshulam, is “much harder, expensive, and time-consuming to achieve.”
#1 – “One Phish, Two Phish, Red Phish, Run!”
Unlike Dr. Seuss’ “One fish, two fish, red fish, blue fish”, this story does not have a happy ending for its victim.
“Phishing” scams are the most prevalent, and often the most successful, form of cyber-theft in the space, specifically for the crypto-community. Phishing is a cyber-attack that dates back to the early days of America Online (AOL), where a hacker would use a “disguised email” as a weapon to obtain login information. The goal is to trick the email recipient into believing that the message is something they want, need, or have seen before. Examples include an “email” from their “bank”, a “friend/relative”, their “office”, or even a familiar “vendor.”
But instead of going after login information, these hackers go after the crypto-community’s holdings, specifically targeting the keys to cryptocurrency wallets. By replacing a letter in a web address with a similar-looking one (an “i” with an accented “i”, for example), hackers make it seem as if a user or HODLr is arriving at the same destination they would reach by typing the address themselves. And before they know it, the hacker has control over their entire wallet. So, bookmark your site, and only visit it through that bookmarked link.
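One defensive check that follows from the bookmark advice, as an added example (not code from the article or from any product it mentions): reduce a hostname to the ASCII a user perceives, stripping accents and mapping lookalike letters from other scripts to their Latin twins, then compare it against the user’s own bookmark list. It also handles the punycode (“xn--”) form a browser actually resolves; the bookmarked hostnames and the confusable table are constructed assumptions.

```python
import unicodedata

# Constructed allowlist standing in for the reader's own bookmarks;
# these hostnames are placeholders, not services named in the article.
BOOKMARKED = {"wallet.example.com", "exchange.example.net"}

# Illustrative subset of letters from other scripts that look like ASCII
# (constructed; a production table such as Unicode's confusables is far larger).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u0456": "i",  # Cyrillic small i
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
}


def to_unicode(hostname: str) -> str:
    """Turn a punycode ("xn--...") hostname, the form a browser actually
    resolves, back into the Unicode form the user sees in the address bar."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return hostname  # already Unicode, nothing to decode


def skeleton(hostname: str) -> str:
    """Reduce a hostname to the plain ASCII it visually imitates: accents
    are stripped (an accented i becomes i) and lookalike letters mapped."""
    chars = []
    for ch in unicodedata.normalize("NFKD", to_unicode(hostname).lower()):
        if unicodedata.combining(ch):
            continue  # drop the accent, keep the base letter
        chars.append(CONFUSABLES.get(ch, ch))
    return "".join(chars)


def classify(hostname: str) -> str:
    """'trusted' for an exact bookmark match, 'lookalike' when the hostname
    only matches a bookmark after normalisation, otherwise 'unknown'."""
    host = to_unicode(hostname).lower()
    if host in BOOKMARKED:
        return "trusted"
    if skeleton(host) in BOOKMARKED:
        return "lookalike"
    return "unknown"
```

A “lookalike” result is exactly the case the bookmark protects against: the address renders like the trusted one but is a different hostname.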
Another common attack is the 51% attack, which essentially overpowers the validators that run a blockchain network. The Blockchain is difficult to alter because no single miner owns the majority of the network’s validation power, or hashrate.
But in these attacks, once the attacker achieves a majority of the network hashrate (51%), the Blockchain becomes theirs in some respect, allowing them to rewrite data however they see fit. This results in a changed transaction history and transactions re-routed to their own personal wallets.
#2 – “How The Grinch Stole Your Funds”
It may not be Christmas yet, but having your cryptocurrency or wallet compromised by “black-hat” grinches can surely ruin your Christmas holidays.
This year alone, black hat hackers have already absconded with over $1 billion in stolen cryptocurrency funds. For an asset that doesn’t “physically” exist, this seems to be quite the diamond in the rough.
The crypto industry has been hit hard by a persistent number of attacks on centralized exchanges (CEXs), decentralized exchanges (DEXs), and exploits in smart contract vulnerabilities.
Most recently, Bancor, a popular semi-decentralized exchange, was hacked, but was able to implement an incident response measure that allowed the company to freeze some, but not all, of the stolen funds.
According to Bancor, a wallet used to upgrade some smart contracts was compromised and then used to withdraw Ether (ETH) from the BNT smart contract, totaling 24,984 ETH—equivalent to $12.5 million USD.
Due to a built-in protocol functionality in the smart contract, Bancor was able to freeze the $3.2 million worth of BNT, its native token, that was stolen. However, the stolen ETH could not be frozen, so Bancor worked with dozens of exchanges to help identify the stolen funds, making it difficult for the hackers to liquidate them. Additionally, another 230 million NPXS (PundiX) tokens were also stolen in the breach, and ultimately shared the same fate as the stolen ETH.
This hack revealed Bancor’s more centralized nature, leading to controversy throughout the cryptocurrency community.
The infamous DAO exploit led to roughly $150 million in stolen funds and the eventual splitting of Ethereum into “Ethereum” and “Ethereum Classic.” The attack was attributed to a technical problem at the smart contract coding level—a bug that DAO developers had ironically “fixed” prior to the breach.
Mt. Gox Hack
The crypto-breach heard ‘round the world. Back in 2014, the cryptocurrency community was introduced to what was considered the largest hack of an exchange, until the $500 million Coincheck hack, which matched its impact. The hacking of the Mt. Gox exchange resulted in the theft of over 740,000 bitcoins, which translated to over $530 million in lost funds.
These attacks demonstrate that an essential defense mechanism against such threats is often overlooked—particularly real-time monitoring. Currently, many of the security solutions on the market, specifically those pertaining to DEXs, tend not to focus on “on-chain analytics, alert systems, or real-time data feeds” that can quickly identify a potential threat and propagate information about it to the necessary parties.
Largely because of their novel and complicated nature, smart contracts have proven extremely vulnerable and prone to security breaches. These exploits come about primarily because of:
- A lack of technical expertise and resources at smaller exchanges;
- Vulnerabilities in the token contracts of listed assets; and
- An overall inability to identify and prevent fraudulent behavior.
Consequently, these exploits have led to some of the most profound hacking schemes in the industry, as we have witnessed. But rising from the ashes are new programming and auditing solutions such as StellarX and MonitorChain. The recently launched StellarX front-end marketplace takes a unique approach by plugging into the Stellar Blockchain’s universal order book. StellarX addresses tokenization at the protocol level, rather than burying this information deep within the code of a smart contract.
For auditing purposes, Zenchain recently launched its MonitorChain product in an effort to monitor, alert, and protect participating entities from suspicious and fraudulent activity on the Ethereum blockchain. The product is an on-chain “Ethereum Oracle,” serving as a universal monitoring hub for real-time threat detection.
I was able to reach out to Zenchain about its newly released service.
“MonitorChain was built out of necessity,” Seth Hornby, CEO of Zenchain told me.
“We began creating this security platform months ago to protect our own decentralized applications from being the dumping ground of hacked or fraudulent tokens. This allows for the internal warning system and its associated smart contracts, to notify users, so they can block incoming or outgoing transactions from compromised accounts.”
The CEO told me that if the market were to utilize a product similar to MonitorChain, companies like Bancor would have been able to track and identify the suspicious addresses in real-time, as well as notify all the necessary exchanges of the incident.
#3 – “What Pet Should I Get?”
In a recent article of mine, I outlined why it was important for millennial investors, as well as any other investor, to take note of the type of cryptocurrency exchange they are choosing to entrust their funds to, and why.
The differences between centralized (CEXs) and decentralized exchanges (DEXs) are clear, but among DEXs, understanding which factors to look at is equally significant. Next is finding the right crypto-wallet to store your funds in. Knowing the difference between a “hot wallet” and a “cold wallet” can perhaps save you from making a very costly and detrimental mistake.
Having recently read the book, “Blockchain 101: Fundamentals of a New Economy,” I reached out to its author, Monika Proffitt, a serial entrepreneur and blockchain influencer, for more information about some of these crypto-wallet threats.
A “hot wallet,” one that is connected to the internet 24/7, is a major point of susceptibility, which according to Proffitt, combined with the volume of funds they hold, makes exchange wallets a prime target for hackers.
“The safety of funds in a hot wallet is only as good as the security habits of the individual or third party controlling the wallet.” “Cold wallets,” on the other hand, are those not connected to the internet, making them a much more secure alternative. The most common form, according to Proffitt, is a paper wallet—a printed piece of paper that holds the private keys to a certain wallet address, usually in the form of a QR code. Until it’s scanned, the wallet remains completely shut off from all incoming network connections.
While many crypto-holders utilize both hot and cold wallets, knowing how much crypto to allocate to a particular wallet for daily transactions and how much to set aside as “savings” is important.
#4 – “If I Ran The Zoo”
When I asked DLA Piper’s Mark Radcliffe about what he believes to be the biggest threat in the cybersecurity space today, he pointed towards the regulatory agencies:
“One of the biggest threats, in my opinion, is government agencies depending on the Blockchain, but not properly protecting their systems from DDoS, consensus attacks, and losing total control over the ledger. However, these problems must be compared with the existing systems which are subject to fraud and tampering. When you combine blockchain technology with ‘hashes’, or digital fingerprints of data and documents, the company can create a tamper-proof chain-of-custody. Any interested and unauthorized party, can compare the fingerprint of the original data with a fingerprint of the current data, and confirm that they match, otherwise the data is suspect. Because blockchains are immutable, they provide the most secure storage of the ‘seals’ of the data without sharing the data publicly…in a world of increasing distrust, digital integrity is fundamental to doing business.”
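What Radcliffe describes, comparing the fingerprint of the original data with that of the current data and storing only the “seals,” as an added example (not DLA Piper’s or the article’s code): a constructed in-memory stand-in for the ledger that keeps SHA-256 fingerprints, each chained to the previous entry, so that both an altered document and an altered seal are detectable. The CustodyChain class, its labels and the sample documents are assumptions.

```python
import hashlib
import json


def fingerprint(data: bytes) -> str:
    """SHA-256 digest of a document: the 'digital fingerprint' of the quote."""
    return hashlib.sha256(data).hexdigest()


def entry_hash(label: str, fp: str, prev: str) -> str:
    """Hash of one ledger entry. Including `prev` chains the entries, so a
    later edit to an earlier seal changes every hash after it."""
    payload = json.dumps({"label": label, "fingerprint": fp, "prev": prev},
                         sort_keys=True)
    return fingerprint(payload.encode())


class CustodyChain:
    """Constructed stand-in for the ledger: stores seals, never the documents."""

    GENESIS = "0" * 64  # link value for the first entry

    def __init__(self):
        self.entries = []

    def seal(self, label: str, data: bytes) -> str:
        """Record the fingerprint of `data` under `label`; returns the entry hash."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        fp = fingerprint(data)
        entry = {"label": label, "fingerprint": fp, "prev": prev,
                 "hash": entry_hash(label, fp, prev)}
        self.entries.append(entry)
        return entry["hash"]

    def verify_document(self, label: str, data: bytes) -> bool:
        """Compare the current document's fingerprint with the sealed one;
        a mismatch (or no seal at all) means the data is suspect."""
        sealed = [e for e in self.entries if e["label"] == label]
        return bool(sealed) and sealed[-1]["fingerprint"] == fingerprint(data)

    def verify_chain(self) -> bool:
        """Recompute every entry hash and link; any edited seal breaks the chain."""
        prev = self.GENESIS
        for e in self.entries:
            expected = entry_hash(e["label"], e["fingerprint"], e["prev"])
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True
```

On a real blockchain the entry hashes would be anchored in blocks rather than a Python list; the comparison step, fingerprint of the current data against the sealed fingerprint, is the same.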
But how the U.S. Securities and Exchange Commission (SEC) plans to regulate cryptocurrency remains an open question.
Last month, more than a dozen members of the U.S. House of Representatives sent a letter to the SEC Chairman, Jay Clayton, urging him and the agency to provide clear guidance to investors on how it plans to regulate this newly created digital asset class.
But in the eyes of the SEC, the law has been clear ever since the 1946 Howey decision. To this day, the “Howey Test” has been used to clarify whether an asset is considered a “security” versus a “commodity.”
In the U.S., laws have allowed for the birth of ventures like AngelList and its spinoff Republic, as well as Kickstarter and Indiegogo. According to Greg Sparrow, Senior Vice President at CompliancePoint, businesses are taking a closer look at the changing trends within the marketplace, as well as the growing awareness among the public of how their data is being used.
In Europe, there’s DESICO, a recently-launched platform for security token offerings (STO). I was able to reach out to the company on why it believes cooperating with these agencies is vital to the survival of the space.
“Evading SEC regulations is illegal,” Laimonas Noreika, founder and CEO of DESICO, explained. “With no one holding these companies accountable, there are a number of those who have acted irresponsibly with the investors’ money.”
The overall uncertainty concerning the regulatory environment is bound up with a lack of trust in the crypto-ecosystem.
#5 – “Oh, the Places You’ll Go!”
Security concerns in the cryptocurrency space will continue to be a trending topic of debate as the prevalence of hacks reaches an unsustainable level.
Innovations at the coding level, with formal verification and improved programming languages, open a new opportunity to reduce instances of smart contract exploits. By utilizing market-available tools, regulators, investors, and exchanges can help to provide the monitoring and alert structure that has been missing from the crypto ecosystem.
Watching how these projects, and potentially solutions, affect the evolution of our cybersecurity will be a vital factor in the growth and mainstream acceptance of both blockchain technology and cryptocurrency.