The Binance hack shows us once again that moving the world to blockchain will not remove the risks in two major areas: users and basic best-practice hygiene. It’s frustrating to me as a 20-year practitioner that we continue to make the same mistakes as 20 years ago, just in a different programming language.
Risk Area 1: End Users
First, systems are only as strong as their users. No matter how good the system is, any loss of information, compromise, virus, misunderstanding, or exploit of an end user or their ‘key’ to your system WILL result in a compromise of their account. Sometimes a backend system will catch an unexpected transaction, but often ‘insurance’ just pays back the user, because most financial institutions still will not accuse their users of being stupid or help make the end user’s computer more secure; it’s better PR to just make them whole. Good on Binance: they just made the users whole. From a prevention standpoint, though, until there are more measures aimed directly at proving the intent and identity of the user, backed by backend detection, AI, behaviour analysis, signal detection and instrumentation, incidents will continue to happen within #blockchain infrastructures just as in any traditional system.
Risk Area 2: Lack of Basic Hygiene
Second, companies have to stop skipping basic cybersecurity hygiene! I’m very happy to read that Binance had back-end systems that noticed something, but I’m guessing that they do not have a fully functional managed security provider, SIEM, behaviour tool, systems instrumentation, etc. I have not talked to Binance specifically, but I have tried reaching out to exchanges to ask about their cybersecurity abilities, and without fail get “We take care of all of that internally.” Unless these exchanges have all built a fully operational staff of cyber experts (haha), these breaches will continue to happen. Please do not believe that your expert developers understand cybersecurity like the actual cyber experts. 90% of a blockchain system carries the same application risks as a traditional data center system. Don’t forget what we have learned from NIST, PCI, HIPAA, etc.
If you run a crypto project or an exchange, I would love the opportunity to have my team run a short cybersecurity assessment on your environment and start to make some headway in improving architecture, monitoring, or response so that we can get your detection and response time to near zero.
This new service could address the lack of security in the applications, processes, and systems associated with blockchain, which itself is mathematically protected.
Kudelski Security, the Kudelski Group’s Cybersecurity division (SIX: KUD.S), is launching its Blockchain Security Center (BSC), which targets the blockchain-based developer community.
While transactions on a blockchain are protected by proven mathematical principles, security is not necessarily integrated into the applications, technologies, processes, and systems around it. That’s where Kudelski Security’s new expert cryptography service, grouped under its Blockchain Security Center launched today, comes into play.
Blockchain technology has the potential to revolutionize business capabilities by creating new opportunities for optimizing efficiencies and improving the performance of technology applications in all industries.
Gartner predicts that the blockchain technology market will account for $3.1 billion in 2030 as blockchain technology expands, bringing new opportunities for optimization in all industries.
Kudelski Security has developed a roadmap for its BSC to build fundamental technologies enabling the integration of security in and around blockchain solutions destined for the public and private sector. What follows is an interview with Kudelski Security Global Chief Technology Officer Andrew Howard and Scott Carlson, Kudelski Security’s new Head of Blockchain.
What are the main security risks related to blockchain? Blockchain is an algorithmic program, created by people who we may assume have a different logic. It only takes a small human error, despite the exceptional level of the mathematics, to cause the collapse of the system. The academic mathematics will hold, but not the layers of technology assembled around blockchain, such as hardware, cloud, associated applications and websites, which are targeted by hackers every second. The risk to companies of losing the trust of their customers is huge.
Intrinsically, is the blockchain not safe? While blockchain transactions are protected by proven mathematical principles, security is often overlooked and not necessarily integrated into applications, processes, systems and associated technologies. That’s where we come in. We help companies active in digital finance, communications, and IoT to secure their products using proven methodologies and common-sense approaches in order to deliver superior performance and instill end-user confidence. We are not just satisfied with looking at the code; we work with all the components present within an ecosystem of manufacturers, end users, companies and code creators.
What do centralized solutions bring to your new Blockchain Security Center (BSC)? The BSC is developing a suite of extended cryptographic solutions, security recommendations for enterprise blockchains, and development tools intended to address the entire blockchain ecosystem. Leaders, investors, engineers and developers of blockchains will be able to confidently design, develop and run secure applications that implement this new technology.
What about the competition? As far as we know, there are no tailor-made products available other than those of giants, such as IBM, Amazon and Oracle, and white-papers, which cover some 85% of process change needs. But nobody is really ready to address the remaining 15% of needs, which are the most pertinent.
Our 30 years’ expertise in the field of cryptography, from chip to software, allows us to warn our customers who are tempted by the adoption of standard, plug & play, fast and cheap technical solutions, which do not address the whole problem. We are concentrating on the remaining 15%, which means that security must be the main focus of our customers’ concerns. What we observe in this intense phase of digitalization of our economy, in all sectors of activity, is that security is often relegated to the background. Hackers spot classic errors at the speed of light, and by exploiting them can cause the collapse of the system in place. Think about a transfer of payment enabled by blockchain technology that contains flaws. It’s like fixing an old problem, but in a new way, avoiding the generation of new vulnerabilities.
What are the early-adopter sectors? Mostly VC-funded start-ups and cryptocurrency companies in their Initial Coin Offering (ICO) project. But we are seeing a major shift in the market in the manufacturing sector (to optimize their value chain), as well as financial services, insurance and health. In Switzerland, the financial services industry and insurance companies are among the “spearheads”.
In Switzerland, the Federal Council adopted a report in December on the legal framework governing blockchain and distributed ledger technology (DLT) in the financial sector. Swiss legislation lends itself well to the use of new technologies, including blockchain.
Original article by Elsa Floret appeared in L’Agefti translated from French to English.
Today, we are announcing the launch of our new Blockchain Security Center, a full-service practice that represents the culmination of decades of experience securing our clients’ businesses. The Center’s goal is to enable our clients to securely transform their enterprises using the power of blockchain and other Digital Ledger Technologies (DLT).
We believe that Kudelski Security is well-positioned to serve enterprises as they venture into the world of blockchain and DLT. Our 30 years of leadership in cryptography, data protection, and secure system design prepare us to partner with clients on their most innovative endeavors.
Why Blockchain? Why Now?
Blockchain is exiting its honeymoon phase. The unprecedented boom of 2017 followed by the Great Crypto Crash of 2018 has shifted much of the mainstream opinion from “miraculous” to “frivolous”. This opinion shift is valid to an extent; blockchain is not the solution to every problem. The bubble surrounding the boom, much like the technology bubble of the early 2000s, was destined to pop at some point. However, not all is lost. While the starry-eyed optimism of technology enthusiasts coupled with the “get rich quick mentality” of the ill-informed got us here, robust and sensible solutions for the enterprise will lead the way on.
Looking beyond cryptocurrency, we believe that enterprises are the future of blockchain. Blockchain and related DLT allow business leaders to disrupt old processes in a way that will impact bottom-line results and shape future markets. We have seen blockchain enable our clients to rethink their businesses far beyond the typical cryptocurrency scenarios, and we are confident that the long-term impact of the technology will be great enough to one day be immortalized in textbooks.
There are plenty of known scenarios where blockchain can enable disruption and thousands yet to be conceived, especially in areas where provability of source, monitoring of transport, or assertion of delivery is essential.
* Blockchain can save lives by bringing much-needed trust and transparency to the pharmaceutical industry. For decades, the industry has been beset by fraud and errors throughout its supply chain. Raw materials flow through a series of unrelated players on their way to becoming consumable remedies. Once completed, these remedies are distributed through yet another series of unrelated parties before making it to patients. Smart contracts supported by closed consortium-based or private permissioned blockchains could serve as a reliable and efficient mechanism for tracking the flow of information, financial capital and materials throughout the entire supply chain. This implementation of the technology could ultimately improve the quality of medications given to patients around the world and slow illegal trafficking.
* Blockchain-based identity verification systems will enable trust, provide transparency and reduce friction across business ecosystems, driving huge resource savings for enterprises. These trust-based mechanisms have the potential to reduce the burden of complying with know-your-client (KYC) and anti-money laundering (AML) regulations, making onboarding new clients cheaper and less time-consuming.
* The fine foods industry is ripe for disruption from blockchain, as counterfeit goods dilute brands, endanger consumers, and ultimately strain profits. Often these fine foods are traded between unrelated parties on a low-trust basis. By the time the products make it to the shelves, consumers are left guessing about the legitimacy of the food they intend to purchase. Tracking the movement of these goods on an immutable ledger allows the entire value chain to justify higher prices by restoring the product’s credibility to the end consumer.
The Blockchain Security Center: Up Close
The Blockchain Security Center will deliver advisory, design, and development services for enterprises internationally, and later in 2019 we anticipate launching a suite of enterprise-focused solutions. Through our experience over the past several years we have noted that the most vulnerable point of most blockchain applications is their periphery. Though the blockchains themselves may be secure, the architecture around them is typically susceptible to intrusion. The secure-by-design mentality of blockchain must extend beyond the ledger itself into the development of the full stack.
For the past two years, we have assisted start-ups and enterprises in their quest to validate their blockchain applications, build ecosystems around their existing blockchains, and craft their business models based on the promise of blockchain. Taking our program forward is Scott J. Carlson, the Head of Blockchain Security. Scott will be leading the new Center, bringing decades of experience in emerging technologies, enterprise architecture, and, most recently, blockchain security for the enterprise.
We look forward to working with you.
Ledgers of transactions have existed for millennia, mostly validated by some centralized authority that vouches for their accuracy. Although centralized authorities have done an excellent job, there are times when it might not be in your best interest to trust any centralized authority to validate the authenticity or accuracy of information or to prove transactional validity. In those cases, Digital Ledger Technology (DLT) can come to the rescue. For a DLT to work, many participants must agree to take part in proving that the information or transactions are accurate. Each of these participants is given a copy of the data, and they all execute specialized computer programs, each proving that the integrity and availability of the information is factually accurate. When enough participants agree, the transaction is confirmed, thus affirming TRUTH without relying on a single third party.
If you are an enterprise level officer reading this article, you are likely to be called upon to increase the trust level or PROVE to your customers, clients, patients, or constituents that you can still be trusted. In 2019, building solutions based on an enterprise DLT are likely to be part of your technology solution to this business ask.
I’m hoping terms like Bitcoin, Ethereum, and Blockchain aren’t crossing your eyes for the first time. These, the technology that backs them, and conversations surrounding them have been the talk of major news publications and the internet-at-large for a year or more now, driven primarily by the price fluctuations of the crypto-currency value. What you may not have realized, is that the technology foundation underneath cryptocurrencies is DLT.
As you probably saw on the news or experienced first-hand, the value of the cryptocurrencies plummeted in the last half of 2018 and many startups in the ecosystem have declared the equivalent of bankruptcy. To some, this is a sign that the world is just not ready AT ALL for digital currency or shows that it was not ready for new types of funding models, as seen with the ICO craze. To others, like me, this is a time to review the ecosystem of products that were (or were not) developed for these cryptocurrencies, see which technologies stuck, and then see which solutions are bordering on becoming enterprise ready so that we can realize the benefits.
As I look into what is coming in 2019, I see that we are ready as an industry to drop the word “blockchain” for enterprise-level conversations and instead focus on DLT.
Although most enterprises do not need a monetary cryptocurrency, some may want a utility token in which to exchange value between corporate entities, or reward employees for good deeds (PayPal Employee Reward Token), but often enterprises just want to prove the truth instead of exchanging value. Enterprises likely will focus on building trust with this technology because there is a large trust gap in the world today.
The area of focus I see in 2019 is Trust Delivery.
Trust is delivered with DLT because you can ensure the data has not been modified. In many cases, you can ensure that the integrity is present, that privacy is preserved, and that the centralized entity has not taken steps to leak the data, access the data, or modify the data to suit their own needs. I believe people in the world want to see transparent proof that enterprises are moving to the next level to protect them. In fact, consumers are likely to move toward a model where they start with distrust and enterprises must build that trust back up. There have been far too many data breaches for consumers to believe otherwise.
In 2019, enterprises will likely focus on a number of use cases, all of which will need services, tools, and foundational infrastructure to deliver them appropriately:
- Proof that data is private, and that privacy is preserved as data is transferred
- Proof that data has been written as intended, preserves its integrity, and can only be updated and accessed by the intended owner
- Proof that no third party has accessed the data
- Proof that entities have monitored all of the above
All of the above need tools, infrastructure, blueprints, and expertise. Enterprises are looking to be fast or slow followers in the area of DLT, which means many of them lack the internal skill to deliver a quick technology solution when asked by their management. I don’t want to dwell on the skills gap in the world of DLT or encryption; I instead want to point out that expertise will need to be externalized in this space. This is one of the few areas in which I would personally recommend going outside your company to build your expertise, initially or permanently.
If I were to give three pieces of advice to start 2019, it’s this:
- Never invent your own cryptography: One of the top sins of information security is inventing your own cryptography, and in the world of DLT, not doing so is the number one rule. Enterprises should bring in trusted builders, libraries, and methods to ensure that the foundation of their trust infrastructure is sound.
- Always get a second opinion if you are delivering a trust solution: There is a reason international standard recommendations like SANS, PCI, NIST, and HIPAA require third-party audits. These are required because no matter how good YOUR experts are, humans are fallible and you’ll always want to bring in one or many external parties to ensure your code is reviewed, tested, audited, pen tested, attacked, monitored, etc. Your level of diligence should match the importance of your application and the data within. Plus, your customers will appreciate it.
- Do not forget the basics: DLT (Blockchain) is simply application code and really strong math. This means that you need all of the common enterprise architecture components WITH IT to deliver a comprehensive solution. Do not forget things like the SANS TOP 20 when you look to build an architecture. People do not first attack the difficult cryptography – they first attack the common easy vectors like password reuse, unpatched infrastructure, or administrative interfaces that you accidentally left exposed to the internet. Please don’t let your DLT solution be compromised because you forgot one of the basics.
As we move quickly into the world of trust in 2019 and your organization looks to speed ahead or just dip their toes into the world of “Enterprise DLT” (aka Blockchain), keep in mind that not only do you have to use trusted and proven math solutions, apply your historic security practices and audit your built product – but you need to have a solid business case to enhance or improve something useful within your company.
To me, in 2019, the number one blockchain business case is Trust building.
Blockchain is full of superlatives. The most verifiable, most immutable, most 21st century way to transfer value.
But one of the most widely used superlatives to describe this technology is “most secure.” The idea that blockchain technology finally has a resolute answer to the age-old challenge of secure transactions has an eager audience.
So, Ryan Spanier’s interview with Eléanor Payró of CNN Money Switzerland is timely as he unpacks some of the issues around blockchain security.
- Blockchain networks are hackable. Beyond standard software vulnerabilities, the trust model of a blockchain network can be attacked through a “51% attack.” The goal of this attack is to control the majority of the resources/stake on a blockchain network. If you control the majority, you can define what truth is on the network. For cryptocurrencies, this can result in double spend attacks. Large blockchain networks, such as Bitcoin, are less vulnerable because they require the co-option of significant resources, which soundly outweigh the rewards earned from mining. Check out crypto51.org to see how expensive it would be to acquire 51% of the top cryptocurrency networks. However, other alt-coin networks could be attacked with less than $1,000.
- Blockchain networks also rely on the security of the users. For example, a user needs to secure their private key themselves. If this key is exposed, then an attacker assumes the identity of the user to e.g. spend money from their wallet.
- Secure smart contracts are extremely complex and difficult to develop.
Pressure to shrink time-to-market, the complexity of technology and the lack of a mature blockchain software development library and SDKs as a reference, all contribute to the introduction of vulnerabilities.
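The 51% attack described in the first bullet above is usually discussed from the attacker's side; the defender's question is how many confirmations an exchange or merchant should wait for before crediting a deposit, given the hash-rate share a single party could plausibly assemble on that network. The following is an added example, not code from Kudelski Security or from the interview: it implements the catch-up probability from section 11 of the Bitcoin whitepaper (attacker progress modelled as a Poisson variable, catch-up from a deficit of d blocks with probability (q/p)^d) and derives a per-network confirmation policy. The function names and the hash-share figures in `deposit_policy` are constructed for illustration, not measured values.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the hash rate
    eventually overtakes the honest chain after a payment has z confirmations.

    Follows the Bitcoin whitepaper calculation: while the honest chain grows
    by z blocks the attacker mines a Poisson(z*q/p) number of blocks, and from
    a deficit of d blocks the attacker catches up with probability (q/p)**d.
    """
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be a hash-rate fraction in [0, 1)")
    if z < 0:
        raise ValueError("z must be a non-negative confirmation count")
    if q >= 0.5:
        return 1.0  # majority attacker: the honest chain is overtaken with certainty
    p = 1.0 - q
    lam = z * (q / p)
    caught_up = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        # attacker mined k blocks so far, hence is z - k behind; add the
        # chance of ever closing that gap (a gap of 0 is already closed)
        caught_up += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - caught_up


def confirmations_needed(q: float, max_risk: float = 0.001, limit: int = 10_000):
    """Smallest z with attacker_success_probability(q, z) < max_risk, or None
    when the attacker holds a majority and no finite depth is safe."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


def deposit_policy(hash_share_estimates: dict, max_risk: float = 0.001) -> dict:
    """Confirmation depth per network, from an estimate (supplied by the caller)
    of the largest hash-rate share one party could assemble on each network."""
    return {name: confirmations_needed(q, max_risk)
            for name, q in hash_share_estimates.items()}


if __name__ == "__main__":
    # Constructed, illustrative hash-share assumptions; not measured figures.
    policy = deposit_policy({"large-network": 0.10,
                             "mid-network": 0.30,
                             "small-network": 0.55})
    for net, depth in policy.items():
        if depth is None:
            print(f"{net}: never safe (majority attacker)")
        else:
            print(f"{net}: wait {depth} confirmations")
```

The numbers reproduce the whitepaper's table (for q = 0.10 the risk drops below 0.1% at 5 confirmations, for q = 0.30 at 24), and the `None` result makes the point of the crypto51.org comparison explicit: on a network where one party can cheaply rent a majority of the hash rate, no confirmation depth protects a deposit, so the policy has to be a cap on exposure rather than a waiting time.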
Find out more about Kudelski Security’s crypto assessment services, algorithm design and implementation, and custom development.
As Black Hat continues to draw closer we wanted to take a moment to highlight some talks that we are excited about. There is a lot of great content, so picking just a few was difficult, but these are the presentations that I and some of my colleagues are looking forward to attending.
AI & ML in Cyber Security – Why Algorithms are Dangerous
By Raffael Marty
The topic of AI disciplines is one I spend quite a bit of time talking about myself. It seems you can’t turn anywhere these days without encountering some product claiming to use a subset of AI in some “advanced” way. A healthy dose of real-world challenges helps cut through the marketing hype and get to core issues. This talk is a much-welcomed reality check.
Blockchain Autopsies – Analyzing Ethereum Smart Contract Deaths
By Jay Little
Blockchain technologies aren’t just for cryptocurrencies. This technology is gaining more and more acceptance in the business world and being used or evaluated to solve a range of business challenges. Blockchain technologies aligned with business challenges, like Ethereum Smart Contracts, have a higher chance of success and longevity. Understanding how these contracts work as well as the various risks they present, is critical.
Applied Self-Driving Car Security
By Charlie Miller, Chris Valasek
Come on, who doesn’t love the thought of hacking self-driving cars? What’s even better is getting this information from the experts on the subject. In the not too distant future, we will share the road with people taking a nap, eating lunch, and texting. Okay, we do that now, but in the future people may not have control of their cars the way they do today. Highlighting these risks now helps us avoid running into them tomorrow. This presentation promises to be informative and entertaining.
Understanding and Exploiting Implanted Medical Devices
By Billy Rios, Jonathan Butts
Self-driving cars are one thing, but IoT gets scarier when it’s inside your body. Increased attack surface from a device inside your body is the stuff of nightmares and Hollywood movies. This presentation promises to shed light on these risks.
WebAssembly: A New World of Native Exploits on the Browser
By Justin Engler, Tyler Lukasiewicz
WebAssembly is a technology supported by all of the major browsers that allows for the compilation of languages like C, C++, and Rust for the web. WebAssembly makes a promise of better performance and increased security, but is it a lot of hot air? This talk highlights this technology and the security risks it introduces.
Squeezing a Key Through a Carry Bit
By Filippo Valsorda
Although this presentation isn’t some destruction-of-the-Internet-style vulnerability, it is a great example of why no small bug should be ignored. In an amazing feat of crypto engineering, by exploiting a single-bit bug, the presenter shows how a cryptographer’s worst nightmare comes true: secret keys can be recovered in about 500 submissions on average. Don’t miss this highly technical talk on the cryptography track that shows a small bug can yield a big result.
Kudelski Security Events
We also have a few events happening while we are out in Vegas.
Join us for our Kudelski Security Bash party Tuesday night from 6-9pm in the Foundation Room at Mandalay Bay.
We are also doing a couple of breakout debriefs from 4:30-6pm on Wednesday, August 8th, and Thursday, August 9th. Wednesday’s session is on IoT and Operational Technology security. Thursday’s session is on Blockchain. Use the following link to RSVP for these sessions.
If you are hanging out for Defcon as well, check out our presentation:
Reaping and Breaking Keys at Scale: When Crypto Meets Big Data
Presented by Yolan Romailler and Nils Amiet.
In this talk, we show how we collected over 300 million public keys leveraging our scanning infrastructure and our open source fingerprinting tool, Scannerl, and tested them for vulnerabilities such as the recent ROCA vulnerability or factorization using batch-GCD. We performed this analysis on a 280 vCPU cluster and are able to test new keys against our dataset in just a few minutes thanks to a novel in-house distributed implementation of the algorithm. As a result of our research, we could have impersonated hundreds of people, mimicked thousands of servers and performed MitM attacks on over 200k websites. Fun stuff.
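The batch-GCD test mentioned in the talk abstract is the standard way to find RSA keys that share a prime with another key in a large collection; any such key is factorable by whoever holds the collection, which is why a defender scans their own certificate and SSH-key inventories for it. The following is an added example, not the authors' Scannerl tool or their distributed implementation: it implements batch GCD with a product tree and a remainder tree (the Bernstein algorithm, which avoids the quadratic pairwise comparison), keeps a naive pairwise version for cross-checking, and reports each affected modulus. The moduli are constructed from small primes so the example runs instantly; the function names are this example's own.

```python
from math import gcd


def product_tree(moduli):
    """Levels of a product tree: level 0 is the input, the last level is [product]."""
    tree = [list(moduli)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([level[i] * (level[i + 1] if i + 1 < len(level) else 1)
                     for i in range(0, len(level), 2)])
    return tree


def batch_gcd(moduli):
    """For each modulus n_i return gcd(n_i, product of all the other moduli)."""
    if len(moduli) < 2:
        return [1] * len(moduli)
    tree = product_tree(moduli)
    remainders = tree.pop()            # root level: [N_1 * N_2 * ... * N_k]
    while tree:
        level = tree.pop()
        # Remainder tree: each node holds the parent's remainder reduced mod node**2
        remainders = [remainders[i // 2] % (x * x) for i, x in enumerate(level)]
    # At the leaves, gcd(R_i // n_i, n_i) equals gcd(n_i, product of the others)
    return [gcd(r // n, n) for r, n in zip(remainders, moduli)]


def naive_batch_gcd(moduli):
    """Quadratic reference implementation used only to cross-check batch_gcd."""
    out = []
    for i, n in enumerate(moduli):
        others = 1
        for j, m in enumerate(moduli):
            if j != i:
                others *= m
        out.append(gcd(n, others))
    return out


def find_shared_factors(moduli):
    """Map index -> finding for every modulus that shares a factor with another."""
    findings = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == 1:
            continue  # no prime in common with any other key in the set
        if g == n:
            # The whole modulus divides the product of the others: a duplicate
            # key, or one whose two primes both appear elsewhere.
            findings[i] = {"issue": "duplicate or fully shared modulus", "factor": None}
        else:
            # One shared prime: the key is factored, and the private key follows.
            findings[i] = {"issue": "shared prime", "factor": g, "cofactor": n // g}
    return findings


# Constructed toy moduli (products of 20-bit primes), not real scanned keys.
P1, P2, P3, P4, P5, P6, P7 = 1000003, 1000033, 1000037, 1000039, 1000081, 1000099, 1000117
SAMPLE_MODULI = [
    P1 * P2,   # key 0 ...
    P2 * P3,   # ... shares the prime P2 with key 1
    P4 * P5,   # independent
    P6 * P7,   # independent
]

if __name__ == "__main__":
    for idx, finding in find_shared_factors(SAMPLE_MODULI).items():
        print(f"key {idx}: {finding}")
```

On a real inventory the moduli are the `n` values parsed from the collected certificates or host keys; the product tree is what makes the method scale, since a single modular reduction per node replaces comparing every key against every other.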
If you see any of us around the week after next, say hello. See you at Black Hat and Defcon!