On Nov 3rd & 4th the Nairobi Law Institute in conjunction with Icons Security, KCSFA and other partners facilitated Kenya Cyber Crime Conference 2016 with an excellent theme -‘Rethinking Cyber Crime in a Dynamic Economy in achieving vision 2030’. I was privilege to moderate a session on emerging trends on fintech and more so blockchain technology. We have a great conversation with the panel as well as other delegates; it’s interesting to note the country has lots of opportunities in the fintech sector. A week after one of the block chain gurus I know around –Cedric Kiama posted something interesting on security of block chain. He comes from a school of thought that it’s impossible to compromise blockchain technology. ‘Impossible’ is overated in the eyes of a malicious actor.
Block chain is a type of distributed ledger, compromising of digital ledgers (blocks) that can be shared among a distributed network of nodes. Using cryptography to keep exchanges secure, blockchain provides a decentralized database of transactions that everyone on the network can see. Participants in the distributed network must all approve an exchange before it can be verified and recorded.
The application of blockchain technology shows a great promise across a broad range of business applications. For example cash in form of bitcoins can be transferred in minutes and directly to recipient without having to go through a central point of control i.e bank. Its usage can be utilized in other sectors including education – where the Ministry of Education has been fighting to curb exam cheating. The exams can be generated as a block and be distributed amongst stakeholder in the sector. This will cut down incidents of exams leaking as any participants who want to share the exams must get approval from other nodes in the network.
There is a notion/theorem that block chain is very secure and can’t be compromised. Of course the nature of how the blocks are exchanged creates some level of trust. However, trust should never be confused with security.
Absence of evidence is not the evidence of absence
Bitfinex, a Hong Kong-based digital currency exchange lost approximately $65 million in a cyber related attack in August 2016. Not much detail have been released relating to how the breach occurred but what is known is that the adversary gained access to Bitfinex client bitcoin wallets and was able to override the company’s preset withdrawal limits. Blockchain is the backbone that bitcoin rides on and from the breach its clear the technology isn’t tamper proof as we are meant to believe.
Blockchain technology rides on 3 layer :
Blockchain layer/foundation – This is where the rubber meets the road. Every block starts with the foundation layer which establishes the basic ledger and validation system. Digital ledgers (blocks) are generated on this layer and shared on the distributed network to the participating nodes. Just like a members club, participants trust when a ledger is shared it only accessible by the club members only.
Data store layer – At this stage key management becomes very essential. Each ledger is stored securely by the participating nodes and the participants manage storage of keys. For the case of a cryptocurrency exchange storage of the digital wallets is managed by the exchange. In the case of Bitfinex, the client bitcoin wallets were compromised and funds transferred to other entities.
Application Layer – This is the connector into and out of the block chain platform. At this stage device’s (computers, mobile phones, IOT) and software’s (proprietary & open source) leverage on the platform.
Blockchain isn’t the thing. It’s the thing that enables the thing (Bart Suichies)
Blockchain runs on existing infrastructure – internet, computers, servers etc and the platform carries with it weaknesses of those systems. Despite the gospel that blockchain is the answer to security, it still has the bargain on the infrastructure it runs on. An adversary can take advantage of existing vulnerabilities to gain access to the ledgers . Assuming one uses mobile device that has an app installed to access a blockchain platform. The device is then infected with a malware that sniffs for services running on the device it can then harvest the keys and blockchain wallet ID’s stored on the device. Once the ID and the keys are with the malicious actor they can then initiate transactions within the ‘trusted’ network.
There are known knowns and there are known unknowns. But there are also unknown unknowns; things we don’t know that we don’t know.
Blockchain technology is relatively new to both users and developers and security issues will be identified as application of the technology gains foot. Developers are getting their hands on cryto technology infrastructure and architecture and using new programming codes to support the technology. On the flip side, the adversary is spending time doing the same but focusing on vulnerabilities that they can take advantage. As it’s said that the attacker knows your network better than you do so will be the case with blockchain. The attacker will in most cases perfect their knowledge on the technology and compromise before the developers get to even understand the vulnerability that was exploited.
Security of ledgers, keys & digital wallets is still a challenge given that the responsibility is passed down to users. It’s the same user who will replicate their social media simple password onto the blockchain platform. Users will use simple passwords which the malicious actor can easily compromise gaining access to the digital wallets or keys used to authenticate access to the blockchain platform. Despite all security measures and trust created in the block of chains the point of entry is weak and provides an easy entry.
Any new technology will always have a hype created around it. Back in the day when email went commercial there was lots of excitement that the problems of letters getting lost were now a thing of the past. Email security and the wonderful protocols developed guaranteed secure delivery of emails. With time those protocols were breached and the emails intercepted and even manipulated.
Lets embrace blockchain technology given the opportunity but let’s not assume trust translates to security.
‘The first generation of the digital revolution brought us the Internet of information. The second generation — powered by blockchain technology — is bringing us the Internet of value: a new platform to reshape the world of business and transform the old order of human affairs for the better.’ Don Tapscott
2018 © Villbo Group Limited.