In November 2017 Rise.Global rated Michael Terpin as number 59 on the list of 100 most influential people in blockchain. Three months later he had what was likely one of the worst days in his blockchain career. Hackers grabbed 23.4 million dollars out of his crypto accounts.
Using a new hacking technique called SIM swapping, thieves were able to transfer his phone number to a new SIM card. From there they could reset his passwords and access the blockchain.
But the blockchain is still secure. The security risk comes from vulnerabilities in identification and access management.
“In many cases, a good, aggressive hacker can find a way to become your fingerprint,” explained blockchain security expert Vincent Romney. “Hacking the blockchain itself isn’t necessary. The hack happens before getting onto the blockchain.”
Where You’re Vulnerable
As CEO of SK2Tech, Romney has provided blockchain security services to a wide spectrum of companies in industries such as healthcare and finance. The two main areas of cyber security his firm focuses on are identification and access management and data at rest encryption.
“If you’re going to use blockchain, you should realize that IT security is the foundation of blockchain security.” he advised. He’s been doing IT security since 1998, and was trained by the US Air Force as a cyber warfare operator in 2006.
Romney was part of the first cyber warfare cell stood up in the Air National Guard. He saw not only what the defender sees but also the attacker point of view. After retiring from the military in 2013, he was inspired to specialize in blockchain after seeing major hacks like the Mt. Gox exchange which lost 450 million.
“Attackers are not going to attack the blockchain but the onboarding and offboarding processes. These are where your vulnerabilities lie,” he emphasized.
Implementing Blockchain Security Correctly
While assessing a new client’s security, Romney discovered they were passing their encryption keys along with the encrypted data. “Anybody could pull their keys and decrypt everything,” he stated. Since their business was promising to provide secure transmission of their customer’s data, this would’ve put them out of business.
Romney continued, “every one of the hacks I’ve investigated in the blockchain environment has come down to a flaw in basic I.T. security.”
In the above example, he re-architected their security over a two-week period and bulletproofed their encryption. “We took them back to a proper implementation of advanced encryption standard (AES),” he elaborated. But he warns, you must implement blockchain security correctly or you’ll be as exposed as if you didn’t do it at all. Romney offers three tips for assessing your blockchain risk.
1. Use Third-party Evaluation
It’s dangerous to only have the developers of a system do the evaluation. “You should use a qualified third party.” he asserted. This could be a security expert from inside your organization who hasn’t seen the code.
Romney explained that in a true SecDevOps environment you have a Red Team that assumes an adversarial role. He pointed out, “I’ve never been in a company where I haven’t found massive issues if they aren’t using a third party for security evaluation.”
2. Keep Re-evaluating Your System
“Don’t look at it as if you’re going to push an easy button and it’s fixed,” he stressed. This is especially true for established firms with baked in vulnerabilities. He gave the example of an organization he’s been helping for the past 18 months with a variety of issues.
APIs are a common security problem. Many APIs are public and unsecured even though they’re transmitting sensitive data. The most unskilled hacker could access them. By manipulating one of your URLs in a browser they could start stealing your data.
Further, he advised that once you’ve addressed your current security problem you shouldn’t stop there. You must keep reassessing your system because there will always be more flaws introduced.
3. Bring in an Outside Specialist
“It’s wise to bring in an outside specialist because they don’t have a stake,” cautioned Romney. When you contract someone to develop software they’re not motivated to tell you what’s broken. An outside specialist can give you facts about your security you can take back to the software team.
When you hire a security specialist they should at least have a CISSP (Certified Information Systems Security Professional) and an OSCP (Offensive Security Certified Professional) on staff. The first lets you understand security architecture across domains while the other prepares you to hack them.
Romney himself is CISSP certified and one of his team members holds an OSCP. Together they assess their client’s vulnerabilities.
Bulletproof Your Blockchain
Cyber warfare is the new battleground for business. But the front lines aren’t blockchain. It’s your IT security that’s the weak link in the chain. Stay on the cutting edge of blockchain by staying ahead of the hackers. The survival of your business could be at stake.
To ensure your system’s security Vince Romney recommends you get a third-party evaluation for fresh eyes on the code. Keep re-evaluating to find new vulnerabilities because you’re sure to have them. And use an outside expert to get a more reliable assessment of your situation.
To help you understand your risks, SK2Tech offers a free 30-minute preliminary security assessment over the phone.