Senior Director, Technical Cyber Threat Intelligence
Ken Dunham brings more than 27 years of business, technical and leadership experience in cyber security, incident response and cyber threat intelligence to his position as senior director of technical cyber threat intelligence for Optiv. In this role, he is responsible for the strategy and technical leadership to mature Optiv’s data integration and innovation of intelligence-based security solutions.
Will Blockchain Change the World? (Part 2)
In the previous post of this two-part series, we introduced the concept of blockchain and its possible use cases. Blockchain innovation promises streamlined operations, immutable public ledgers and more. It also shows promise in applications where there is a lot of red tape, inefficient operations, and challenges such as transnational currencies and transactions in the financial market. But there are also a variety of threats and risks associated with adoption of blockchain technology.
Human Error & Manipulation
Blockchain is a trusted ledger, but it cannot verify whether something was mistakenly or fraudulently entered by humans. As a simple example, a crate of goods may weigh 2.5 tons but an employee enters 5.2 tons instead. This information is then added to the blockchain. From that point forward, everyone will trust that this event took place as the ledger says. Worse, what if substantial funds are accidentally sent to the wrong wallet? There is little recourse to recover such funds, which will surely result in a new wave of phishing-style attacks prompting or tricking users to send money to a remote anonymous wallet using an anonymous cryptocurrency for payment. Checks and balances must be in place, especially verification before something is added to a blockchain.
Privacy is an ongoing area of concern in this information age. Imagine all your transactions being added to a blockchain: supermarket purchases, liquor store purchases, online purchases, and so on. This information could all be linked to your unique identity rather easily, depending on how blockchain is implemented. From a retail perspective, all this information is an immutable ledger, like a receipt that is always tied to you and proves you purchased item(s) from the retailer. From a privacy perspective, everyone has access to the information in a blockchain and could use it for data mining and reconnaissance on any individual with information in such a system. Even if the blockchain system as designed and implemented is a “private” system just for members, one breach and it becomes public, unless it is a more anonymous system like Monero and Zcash, which use “stealth” addresses for wallets. Immutable ledgers revealing your purchase history could have significant consequences, such as proving purchases on a certain date or time correlated to a crime, or profiling of your personal preferences and choices.
Lost or Stolen Keys
Blockchain, when used with a digital currency like bitcoin, is tied back to your specific “wallet.” This wallet is encrypted because it contains very sensitive information used to authenticate your identity and to transact within the bitcoin blockchain system. If a user loses their private keys or forgets their PIN, they cannot be recovered. Examples of this have already been documented, such as in Wired [5]. This is very different from normal means of financial transactions and verification in real space, where you can provide a fingerprint, get a copy of a birth certificate, or something else physical as a backup for authentication.
As with PGP and other public key cryptosystems, organizations are wise to make use of multi-signature keys, where multiple private keys are used to authorize transactions, to mitigate the risk of a single key being lost or tied to a malicious insider.
If a wallet and private keys are compromised, then funds may be stolen without any hope of recovery. If the funds have been transferred, there is no recourse in this new digital economy, and it’s anonymous: a perfect playground for financial fraudsters. This may change the face of some crimes, leading to more physical threats such as breaking into a home to steal USB drives containing keys, attacking individuals with substantial cryptofunds, and so forth.
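The multi-signature policy described above, as an added example that is not part of the original article: a 2-of-3 rule in which a transaction is authorized only when two distinct registered key holders have validly signed it. Lamport one-time signatures built on SHA-256 stand in here for the ECDSA signatures real wallets use, and the holder names and transaction bytes are constructed.

```python
import hashlib
import secrets

def h(data):
    return hashlib.sha256(data).digest()

def digest_bits(message):
    digest = h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    """Lamport one-time key pair: 2 x 256 random secrets and their hashes."""
    sk = [[secrets.token_bytes(32) for _ in range(256)] for _ in range(2)]
    pk = [[h(s) for s in row] for row in sk]
    return sk, pk

def sign(sk, message):
    # Reveal one secret per digest bit; a Lamport key must sign one message only.
    return [sk[bit][i] for i, bit in enumerate(digest_bits(message))]

def verify(pk, message, sig):
    bits = digest_bits(message)
    return len(sig) == 256 and all(
        h(s) == pk[bit][i] for i, (bit, s) in enumerate(zip(bits, sig)))

def authorize(tx, approvals, key_holders, threshold):
    """True only if `threshold` distinct registered holders validly signed tx.
    Approvals are keyed by holder name, so one holder can never count twice."""
    valid = {name for name, sig in approvals.items()
             if name in key_holders and verify(key_holders[name], tx, sig)}
    return len(valid) >= threshold

# Constructed sample: three hypothetical key holders under a 2-of-3 policy.
KEYS = {name: keygen() for name in ("treasury", "security", "finance")}
PUBLIC = {name: pk for name, (sk, pk) in KEYS.items()}
TX = b"pay 1.5 BTC to wallet-EXAMPLE"  # constructed transaction bytes

def demo():
    one = {"treasury": sign(KEYS["treasury"][0], TX)}
    two = dict(one, security=sign(KEYS["security"][0], TX))
    # One holder's signature presented under another holder's name is rejected.
    replayed = dict(one, finance=one["treasury"])
    return (authorize(TX, one, PUBLIC, 2),
            authorize(TX, two, PUBLIC, 2),
            authorize(TX, replayed, PUBLIC, 2))

if __name__ == "__main__":
    print(demo())
```

A single lost key still leaves two holders able to meet the threshold, and a single stolen key is not enough to move funds.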
The endpoint is where the majority of the action takes place from a breach standpoint. A user clicks on a phishing email which contains an exploit or Trojan, resulting in compromise of the endpoint. If the user has stored their private keys on that computer, instead of on redundant removable drives, the intruder now has access to their identity within systems using that key and/or blockchain solution, such as bitcoin. Now the intruder can perform transactions, such as selling and transferring funds out of bitcoin into money mule accounts to steal funds. Some users don’t fully understand bitcoin, let alone blockchain or the security practices for these emergent solutions, leaving them vulnerable to such attacks.
Old frauds have a new vector in cryptocurrencies. Multiple reports have already emerged of users being tricked into transferring bitcoins to someone who convinced them of an investment opportunity or a way to leverage their funds. Humans can be easily manipulated, immutable ledger or not, with digital assets gone before they can do a thing about it. This type of fraud will likely mature, because it is so easy to perform and so profitable, with enhancements to protect the identity of the fraudsters involved in such schemes.
Research and development (R&D) are always an expensive, challenging component of a business to manage. Companies looking to develop proprietary blockchain solutions may not fully understand the technology and potential pitfalls of implementation. In most R&D cases, this author has seen a significant need to shore up existing people, processes, and technologies before orchestration and automation can take place properly with desired outcomes. Adding blockchain to the mix, especially before core people, processes, and technological solutions are in place related to the blockchain solution set, is risky.
Wild West Regulations
Much like malware at the turn of the century, when regulations and laws to address it were lacking in each country and across borders, blockchain faces similar challenges. During the lag period, while countries attempt to catch up, there will be room for abuse, rapid adoption without oversight, and lack of accountability. Where there is wiggle room for legal abuse, you can be sure to find those who exploit it, especially when the return on investment is very high.
Initial Coin Offering (ICO) Scams
Initial coin offerings (ICOs) are a fundraising mechanism within the cryptocurrency market similar to that of initial public offerings (IPOs) when a company seeks funding by going public in the stock market. Unfortunately, a majority of ICO offerings are scams, pyramid schemes, or pump-n-dump operations according to a “Cryptocurrency and Blockchain” report by the National Cyber-Forensics and Training Alliance, Aug. 15, 2018.
ICOs attract fraudsters for a variety of reasons. There is a lack of regulatory control and accountability, which is now starting to be addressed. The cost of investment for a fraudster is very low, and the return high, for ICO scams. In an emergent market with lots of hype, ICO scams are a natural venue of fraud in 2018.
In early 2018, one source reported that 480 ICOs raised approximately $1.66B in funds. $317M of this was due to fraud, with an estimated 80% of ICOs considered scams according to research published by Bloomberg. Blockchain or not, the desire to get rich quick is powerful, as many seek to cash in on the current bitcoin craze, with many losing all their funds to fraudsters.
With all the hype regarding blockchain, the world will likely see a shortage of experienced, skilled developers to fill the roles. Scale and speed of production will become challenges for organizations, especially smaller organizations that need to outsource such operations. Abuse from fly-by-night developers and those who are not truly qualified to develop such solutions will certainly follow, such as the New Jersey-based Long Blockchain Inc. being delisted by Nasdaq.
Attacks like “double-spend” and “51% Attack” already exist. “Double-spend” involves a fraudster attempting to perform two transactions at the same time but only the second transaction is accepted to the benefit of the attacker. This often uses the same token for multiple different transactions. Bitcoin has already helped to provide mitigation for this type of attack. The “51% Attack” requires significant resources in order to hijack processing power of a cryptocurrency network. But well-funded actors operating in small, less powerful cryptocurrency networks are capable of such attacks. An example of this was seen in 2018 when an estimated $18M was stolen via Bitcoin Gold.
Over time, scale also becomes an issue in larger networks where, if all data is required to be retained, storage becomes very challenging and expensive. There are solutions that involve tracking only more recent blocks or those later in a chain, much like looking only at transactions performed in the past six months or a year instead of all time, to mitigate such performance and cost impact. Large scale operations also consume a large amount of electricity and produce heat emissions.
Loss of Jobs
While the hype for blockchain is large, it will become dampened over time as real-world implementation takes place. Jobs will be lost to blockchain, especially where solutions exist today for burdensome paperwork linked to operations such as shipping and transnational transactions. This is not necessarily a bad thing, as developers will be hired to develop and maintain such solutions, but the lower skill positions of audits, paper trails, and similar solutions will be lost, creating an impact for some organizations and for the individuals who currently hold such positions.
Threats always follow assets. As rapid adoption of blockchain takes place, via cryptocurrencies, transnational financial transactions, improvements in shipping and similar industries, there is room for abuse as introduced in this article. Security is not about an endpoint but about managing the risk of a bouncing ball that is dynamic, constantly moving and changing. Blockchain will be adopted and will have an amazing impact on some applications. In others, it will be ripe for abuse and fraud. We have the responsibility of understanding the technology and managing the risk as we seek to introduce it into production.