When blockchain technology was first brought to the public’s attention, it was lauded on many fronts as “unhackable.” While there are many benefits to blockchain worth noting already, we probably still haven’t seen what its ultimate potential will be. One thing is certain though: It is not unhackable. That reality has been illustrated with increasing clarity to the tune of around $2 billion in cryptocurrency stolen by hackers since 2017.
Recent attacks have seen a shift in focus from public networks, such as the Bitcoin and Ethereum blockchains, to private networks built for the use of large corporations. In theory, the latter should be a more difficult target for a hacker due to their nature as smaller ecosystems where everyone knows one another and intruders have a harder time hiding.
The reality has been a different matter. As more private enterprise blockchain networks come online, cybercriminals have focused intently on proving that the technology is, in fact, quite hackable. Here’s what they’re doing and how to keep them from getting into yours.
Before we dive into the particulars of recent attacks on private blockchain networks, let’s make sure our terminology is straight. A blockchain is a decentralized, append-only database in which records are grouped into blocks, each block committing to the cryptographic hash of the one before it, replicated across computers called nodes. Each full node keeps its own up-to-date copy of the entire database and independently checks every transaction and block against the network’s rules before accepting it; a transaction becomes part of the shared history once the network’s consensus process has confirmed the block containing it, not because every node individually signed off.
Thanks to a design based on cryptography, economics and game theory, node owners have a financial incentive, paid out through a process called mining, to play a straight game rather than try to subvert the system. A correctly designed blockchain is cheap to verify and to append to, but rewriting a block that is already in the chain means redoing its proof of work and that of every block after it, which is hard and, more importantly, expensive in computing resources.
Companies engaged in a variety of activities such as cross-border transactions, digital record storage, and tracking goods and information have had their eye on blockchain for a while now. Blockchain application-building has been a high priority project for some truly massive operations, such as Fidelity Investments and the New York Stock Exchange to name a couple.
What sometimes goes overlooked in the rush to take advantage of the allure of blockchain security and ease of use is that they are essentially trying to tame a Wild West technology and make it play nice in the most corporate of environments.
Easing into the real world
While it is true that one would be hard pressed to recall a single private blockchain network hack that resulted in a real loss, there are reasons for this, and these reasons are in the process of changing. First of all, enterprise-level blockchain apps have been under feverish development the past few years, and only now are a few starting to be rolled out for public use.
In some cases, blockchain has allowed developers to put a new twist on an old idea. The Ethereum-backed security app called Orchid is in the process of taking the traditional idea of a virtual private network, throwing it on top of a blockchain and presto, you’re looking at the next generation of privacy technology.
Expect to see an increasing pace of familiar products and services receiving a similar blockchain boost.
To the average hacker, there was previously nothing on these networks worth stealing, but that is changing. New apps are moving from the research and development stage into production, which means there is now a profit motive. Like detestable flies, hackers are attracted to this new prey. They see it as both a challenge to their skills and an opportunity for easy money.
As time has passed, a few strategies have arisen for penetrating the supposedly unhackable blockchain protocol.
Control 51% and you control the game
The 51% problem is an inherent drawback of most proof-of-work blockchain networks. In proof of work, the chain that honest nodes accept is the one carrying the most accumulated work, and the share of new blocks a miner produces is proportional to its share of the network’s hashing power, not to the number of nodes it runs. If a single entity, in this case one with a propensity toward fraud, could somehow summon enough computing resources to control more than half of that hashing power, the attack is simply a matter of sending payments on the public chain, waiting for the recipients to act on them, and meanwhile mining a private alternate version of the chain in which the payments never happened.
This type of divergence is called a “fork” in blockchain terminology. Continuing with our assumption that a single attacker controls a majority of the hashing power, their private fork will, on average, grow faster than the honest chain; once it is longer, the attacker publishes it, every honest node switches to it under the longest-chain rule, and the original payments drop out of history while the attacker still holds the coins, ready to spend the same cryptocurrency again and again. Collecting together the computing power needed to take over a major currency such as Bitcoin (BTC) or Ether (ETH) works out to a cost of thousands of dollars per hour, according to the site Crypto51.
However, if a hacker decides to go after a smaller, more lightly mined coin, the cost to take over the network drops considerably, and the hashing power needed can often be rented by the hour rather than bought outright.
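As an added illustration (example code written for this edit, not code from the article or from any project it mentions), the toy proof-of-work chain below puts together the two mechanisms described above: the hash linking from the terminology section, which makes an edited block detectable, and the longest-chain rule from the 51% section, which lets a miner with a majority of the hashing power replace confirmed history with a private fork. The difficulty, the hash-power shares, the transaction strings and the random seed are all assumed demo values; because difficulty is held constant, block count stands in for accumulated work. The catch-up probability is the gambler’s-ruin formula from the Bitcoin white paper.

```python
"""Toy proof-of-work chain: tamper detection and a majority-hash-power reorg.
Added example, not code from the article. DIFFICULTY, the hash-power shares,
the transaction strings and the random seed are made-up demo values."""
import hashlib
import json
import random
from dataclasses import dataclass

DIFFICULTY = 3  # required leading hex zeros in a block hash (toy value)


@dataclass
class Block:
    index: int
    prev_hash: str  # hash of the previous block: the "chain" link
    txs: list       # transactions as plain strings, e.g. "alice->bob:10"
    nonce: int = 0

    def hash(self) -> str:
        payload = json.dumps([self.index, self.prev_hash, self.txs, self.nonce])
        return hashlib.sha256(payload.encode()).hexdigest()


def meets_target(block: Block) -> bool:
    return block.hash().startswith("0" * DIFFICULTY)


def mine(index: int, prev_hash: str, txs: list) -> Block:
    """Proof of work: brute-force a nonce until the block hash meets the target."""
    block = Block(index, prev_hash, txs)
    while not meets_target(block):
        block.nonce += 1
    return block


def new_chain() -> list:
    return [mine(0, "0" * 64, ["genesis"])]


def extend(chain: list, txs: list) -> list:
    """Return a new chain with one more mined block on top (input not mutated)."""
    return chain + [mine(len(chain), chain[-1].hash(), txs)]


def chain_valid(chain: list) -> bool:
    """Every block must meet the target and commit to its predecessor's hash."""
    for i, block in enumerate(chain):
        if not meets_target(block):
            return False
        if i > 0 and block.prev_hash != chain[i - 1].hash():
            return False
    return True


def tamper_is_detected() -> bool:
    """Editing a committed block in place invalidates its own proof of work and
    breaks the prev_hash link of every later block, so validation rejects it."""
    chain = extend(extend(new_chain(), ["alice->bob:10"]), ["bob->carol:5"])
    assert chain_valid(chain)
    chain[1].txs = ["alice->mallory:10"]  # rewrite history without re-mining
    return not chain_valid(chain)


def select_chain(*chains: list) -> list:
    """Longest valid chain wins (constant difficulty, so length == work);
    ties keep the chain seen first."""
    return max((c for c in chains if chain_valid(c)), key=len)


def catch_up_probability(attacker_share: float, confirmations: int) -> float:
    """Gambler's-ruin bound from the Bitcoin white paper: probability that an
    attacker with this hash-power share ever overtakes a chain that is
    `confirmations` blocks ahead. At or above 50% it is 1.0: the 51% rule."""
    q, p = attacker_share, 1.0 - attacker_share
    return 1.0 if q >= p else (q / p) ** confirmations


def simulate_double_spend(attacker_share: float, confirmations: int = 2,
                          seed: int = 7, max_rounds: int = 500) -> tuple:
    """Race the public chain (attacker's payment plus `confirmations` honest
    blocks) against a private fork that spends the same coins elsewhere. Each
    round one block is found, by the attacker with probability attacker_share.
    Returns (attacker_fork_won, original_payment_still_in_canonical_chain)."""
    rng = random.Random(seed)
    public = extend(new_chain(), ["attacker->exchange:100"])
    for _ in range(confirmations):  # the exchange waits for confirmations
        public = extend(public, ["honest block"])
    private = extend(new_chain(), ["attacker->attacker_alt:100"])  # same coins
    for _ in range(max_rounds):
        if len(private) > len(public):  # fork is ahead: publish it
            break
        if rng.random() < attacker_share:
            private = extend(private, ["attacker block"])
        else:
            public = extend(public, ["honest block"])
    canonical = select_chain(public, private)
    payment_survives = any("attacker->exchange:100" in b.txs for b in canonical)
    return canonical is private, payment_survives


if __name__ == "__main__":
    print("tamper detected:", tamper_is_detected())
    print("P(30% attacker overtakes 2 confirmations):",
          round(catch_up_probability(0.3, 2), 3))
    print("70% attacker (fork won, payment survives):", simulate_double_spend(0.7))
```

Running the file shows that the in-place edit is rejected by validation, that a 30% attacker has only about an 18% chance of ever overtaking two confirmations, and that a 70% attacker’s fork wins the race and the exchange payment disappears from the canonical chain; with attacker_share below 0.5 the race usually ends with the honest chain still ahead when max_rounds runs out. A real network compares accumulated difficulty rather than block count and the attacker must keep the fork secret until it is ahead, but the selection rule honest nodes apply is the same, which is why the defence is the cost of the hashing power, not the node count.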
Corporate insider attacks
When it comes to private networks of the kind currently being deployed by major corporations, the most severe danger comes from those already within the system. Because every participating node typically holds a full copy of the ledger, employees, vendors or others who have been invited onto the network immediately have access to all the confidential data stored there, unless the design deliberately partitions or encrypts it. This is one design weakness relative to public networks that needs to change.
On the public side, such as with Bitcoin, the design assumes that any participant may be hostile: developers deploy zero-trust and other security tools to keep sensitive data from falling into the wrong hands, and often keep it off the chain entirely. As with traditional private networks, too many companies delving into their first blockchain project think that the main threat is from the outside. Their energy and focus go toward keeping outsiders out, forgetting that insiders can be a threat too.
Philosophical action tip for blockchain design: Trust no one, especially those on the inside. A disgruntled ex-employee with an ax to grind and knowledge of where the nodes are could sell your network out to the highest dark web bidder; with only a handful of known nodes, one denial-of-service attack can take the whole network offline. Design for safety from the outside and the inside.
Perhaps the biggest danger posed to private blockchain networks is the fact that they don’t have a dedicated community full of members from all over the world that spend their days and nights testing, tweaking and improving the network. By its very nature of being smaller and private, there is no equivalent process in place for vigorous testing. There’s no easy solution here. It’s hard for a single company to generate the same kind of enthusiasm and support as a massively popular cryptocurrency such as Bitcoin.
One current approach is to take advantage of a company such as Kaspersky, which has developed a process for conducting blockchain security audits. Since Kaspersky is Russian-owned, some companies are understandably cautious about letting it take a look behind the curtain, but the idea is still sound. As time goes on and more corporate blockchains come online, expect the auditing and support industry to become more robust.
The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Sam Bocetta is a freelance journalist specializing in United States diplomacy and national security, with an emphasis on technology trends in cyber warfare, cyber defense and cryptography. Previously, Sam was a contractor for the U.S. Department of Defense, working in partnership with architects and developers to mitigate vulnerabilities identified across applications.
Congress Fears US Is Losing Battle to Malware and Darkweb Cyberweapons
In a May 28 virtual roundtable before the congressional Subcommittee on National Security, International Development and Monetary Policy, witnesses and congresspeople alike feared that they are not keeping up with criminals hacking the financial system.
Criminals have better resumes than government agents
One witness, Guillermo Christensen, a partner at law firm Ice Miller, admired the cyber talent operating illegally:
“We are always playing catch up with the criminals. […] It’s very hard to find people who are as qualified as some of these criminal hackers, frankly, to take apart their schemes and trace them.”
Another issue is the overclassification of government information, which presents a barrier to private-sector security efforts. “The information sharing between the private sector and the public sector is very valuable but it could be better,” said Naftali Harris, co-founder and CEO of SentiLink, an anti-fraud software company.
Fintech’s vulnerability during the pandemic
In response to a question from subcommittee chairman Emanuel Cleaver (D-MO) as to the vulnerability of fintech to hacking, cybersecurity strategist Tom Kellermann warned that the current system is vulnerable to new developments and increasingly remote workflows:
“Financial institutions have the best security in the world, but because of telework and because of the customized malware or weaponry that are being developed in the darkweb, primarily the Russian-speaking darkweb. […] They’ve learned ways around the perimeter defense of the network security espoused by the standards of regulators around the world.”
Kellermann went on to explain that telework gives hackers easy access to well-defended financial networks via the less well-defended home systems of executives. He further called out APIs as adding another element of risk:
“The greatest vulnerability of fintech is they build out these APIs that allow them to connect to other financial institutions as well as other fintech vendors. Those APIs themselves are being exploited left and right.”
During the hearing, Chairman Cleaver commented that “It seems that we are losing this battle.” His closing remarks were no more optimistic. “Your comments were very informative but also very scary,” the chairman said.
JPMorgan Chase Settles Crypto Credit Card Lawsuit for $2.5M
Banking giant JPMorgan Chase recently settled a 2018 lawsuit with a $2.5 million total payout — the result of unclear fees charged when customers used credit cards for crypto purchases.
A May 26 court document detailed:
“The Court notes that Defendant JPMorgan Chase Bank, N.A., f/k/a Chase Bank USA, N.A. (“Chase” or “Defendant”) has agreed to provide a Cash Settlement Amount of an aggregate of $2,500,000 in cash.”
The lawsuit stemmed from a lack of clarity
The legal action took flight later in 2018, when Brady Tucker, Ryan Hilton and Stanton Smith filed suit against the bank.
Reuters said in a May 27, 2020 brief:
“In a motion filed Tuesday in Manhattan federal court, plaintiffs said the settlement would result in class members getting about 95% of the fees they said they were unlawfully charged.”
March news settled in May
The plaintiffs’ legal action requested compensation for the deceptively-charged fees, as well as $1 million for damages, with a 75-day window for settlement detail submission, as of Cointelegraph’s March 2020 article.
The motion was unopposed, according to the May 26 court document.
“JPMorgan is not admitting wrongdoing as part of the deal, according to the motion,” Reuters noted in the brief.
Emin Gün Sirer’s AVA Labs to Distribute 2M Tokens Ahead of Full Launch
AVA Labs, a blockchain protocol founded by Cornell’s Emin Gün Sirer, is planning to distribute 2 million tokens in its final testnet before the project’s full launch in summer.
The so-called “Denali Testnet” will serve as the final stage of AVA network testing before AVA’s mainnet launch. The new testnet will allow each validator to earn up to 2,000 of the AVA network’s native tokens, AVA Labs announced on May 29.
AVA Labs tokens are not yet listed on any cryptocurrency exchange and are not available for public purchase, a spokesperson at AVA Labs told Cointelegraph.
The testnet to run from June 1 to June 15
While testnet registration starts immediately on May 29, the first phase of the testnet launch will start on June 1. At that time, participants are expected to set up live nodes, an AVA Labs representative explained. The Denali testnet consists of three core challenges, which run until June 15. While AVA Labs expects to move to its mainnet in summer 2020, there is no specific date for the full launch of the project, an AVA Labs spokesperson said.
The Denali testnet follows AVA’s first successful testnet known as “Cascade.” Launched in mid-April 2020, AVA’s Cascade testnet amassed 300 developers setting up and running validator nodes.
AVA network is purportedly going to be the “Internet of blockchains” once launched
Initiated by Sirer in 2019, AVA Labs is an open-source platform and a layer 1 protocol for launching decentralized finance, or DeFi, applications and enterprise blockchain solutions. The platform is designed to unify DeFi applications and blockchain deployments in one scalable and interoperable ecosystem. According to AVA co-founder, Kevin Sekniqi, the best way to describe the new protocol is the “Internet of blockchains.”
In late April 2020, AVA Labs’ Sirer said that as much as 95% of all existing cryptocurrencies do not represent any tech advancement and should be regarded as nothing but scams.
AVA network’s token is not to be confused with Travala.com’s proprietary token, AVA. Backed by the world’s largest cryptocurrency exchange, Binance, Travala.com is a blockchain-based travel booking platform that features payments and loyalty rewards in its native crypto, AVA token.