We are a generation that is obsessed with cryptocurrencies. We immediately labelled them as the future of money! But wait, has anyone of us thought deeply about the Blockchain Security? Does anyone acknowledge the basic hygiene for cyber security?
Let us explore the Initial Steps:
- Asset Inventory: Identifying and managing the life cycle of all software, code, applications, nodes, and operating system used in the Blockchain.
- Change Control: Ensuring changes to the operating system, application, and resources are documented and go through a formal change control process.
- Configuration Management: The hardening and removal of default settings that are a liability for the operating system, application, or network.
- Vulnerability Management: Ensuring that the operating system, application, web application, and source code are reviewed for vulnerabilities and risks are prioritized accordingly.
- Log Management: Centrally managing and parsing log files from all resources in the environment including transaction logs.
- Patch Management: Using a systematic and predictable methodology for deploying maintenance and security patches to all systems in the environment—from firmware to web applications and everything in between.
- Identity and Access Management: The predicable workflow management of identities, roles, and entitlements for all users that have access to resources of the system.
- Privileged Access Management: The management of all privileged access into the Blockchain environment—from operating system to web applications including password management, least privilege access, session management, keystroke logging, and application to application key and password management.
On Monday, May 28th 2018, The Hacker News reported on a wicked vulnerability within the EOS Blockchain Platform. While the vulnerability is considered critical, and the method of exploitation fairly basic (a maliciously crafted file), the ramifications are truly astounding. After the vulnerable parser reads the file, it forces an exploit on the node which could then be leveraged against the supernode on the EOS platform. The super node is responsible for collecting transaction information and packing it into blocks. Once the threat actor owns the supernode, the cybercriminal can modify or create malicious blocks that would control the entire EOS network.
This includes everything the EOS Blockchain Platform has been implemented to perform from cryptocurrency, supply chain management, to identity storage.
So, the unbreakable Blockchain is a myth since it be owned by the fundamental technology designed to protect it; WASM files and a simple file upload.
In other words, Blockchains are a multi-node distributed ledger system that secures entries based on volume and verification. Natively, blockchain can only process a limited number of transactions per second and cannot store complex records or blobs—only ledger-style information that has a finite start date, for example: shipping information.
Historical records, pictures, complex indexes, and other large data sets are just not good for blockchain technology. This is one of the problems security teams and people need to understand.
Let us think of a blockchain implementation like an old school peer to peer network technology from Napster or bearshare: each node contains a database of all records and any new entries need to propagate to all other nodes for validity. Blockchain actually contains a duplicate of all entries compared to its peers. This means tampering with one node does not invalidate the entire blockchain. As a consequence, every entry has to be properly validated to be accepted as a ledger entry and propagated to other nodes.