The Blockchain Train: Get On Board—With Caution

The Blockchain Train: Get On Board—With Caution

A giant display of the key word at the Blockchain centre, which aims to boost start-ups, in Lithuania’s capital Vilnius. Credit: PETRAS MALUKAS/

AFP/Getty Images

All aboard the Blockchain train. Just proceed with caution—it’s not yet as safe and secure as it needs to be.

No, we’re not talking Cryptocurrency here. This isn’t about Bitcoin, Ethereum or any of the other 1,500 or so versions of digital currency. This is about enterprise Blockchain—using the distributed ledger technology for just about anything involving transactions, storing records and tracking the flow of goods and information. Which are, of course, among the major things any business does. 

And which is probably why most enterprises are indeed getting aboard the train. According to Deloitte’s 2018 global blockchain survey, 95% of companies across multiple industries planned to invest in Blockchain during 2019—39% said $5 million or more and another 26% said at least $1 million. IDC estimates that investment in enterprise Blockchain platforms in 2019 will be nearly $3 billion.

The government is taking notice as well. The federal Department of Energy (DoE) is putting a $200,000 grant into a trial of the technology to see if it can help protect the national power grid.

Overall, that’s good, according to Stark Riedesel, associate principal at Synopsys. While cryptocurrencies have been demonstrably shown to be a risky playground, Riedesel said when it comes to enterprise uses, “the risk is to the 5% of companies not investigating Blockchain in their industries.” 

“Not to say Blockchain is a silver bullet—it’s not,” he said, “but understanding its strengths and weaknesses prevents you from being blindsided by the ‘disruptors.’ At a minimum, companies should be identifying areas that Blockchain may have an impact on their bottom line and keeping an ear to the ground for potential new applications.”

The attraction to Blockchain technology makes sense, given its superior ability to protect data. Its distributed nature makes it difficult to impossible for attackers to corrupt the data. As has been said numerous times by its advocates, an attacker would have to attack every “node” or system that processes the data, and there would likely be thousands of them. 

Still hackable

Unfortunately, that doesn’t mean Blockchain platforms can’t be hacked, which has been apparent for a long time in the world of Cryptocurrency. The now-defunct Japan-based Mt. Gox, then the biggest bitcoin exchange in the world, went under in 2014 after an attack drained it of about $400 million.

And while that remains the biggest theft, they keep happening. Just this past May, hackers were able to steal about $40 million from the popular exchange Binance.

That doesn’t mean basic Blockchain technology is insecure—its fundamentals are sound, and its cryptography is rigorous. But much of the technology surrounding it involves software code. And code can be hacked.

Travis Biehn, technical strategist at Synopsys, notes that “when proponents say ‘Blockchain is ultra-secure’ they mean the protocols, the platform, the algorithms—those are all secure.”

“Whether an organization’s peripheral infrastructure is secure is another question altogether,” he said.

Beyond that, the “private, permissioned” blockchains used by enterprises are a somewhat different animal from the public blockchains used by Cryptocurrency exchanges. You might think that “private” means more secure than “public.” But you would be wrong, at least so far. 

Riedesel said that while enterprise blockchains deliver much better performance than the crypto exchanges—some of which take minutes to clear transactions while the major enterprise platforms handle hundreds per second—they were not designed to be as secure as the public ones. 

“Public networks are operated entirely by antagonists, so they were built to withstand attacks by design—there is no single point of authority and everyone can see and do anything,” he said. “Private networks can make assumptions about their participants—how many, who they are and what they are allowed to do.”

But that doesn’t make enterprise blockchains digital islands. They are used to link together companies that have different incentives, such as a vendor who wants to charge more, while a customer wants to pay less. Different companies also have different security budgets. “Banks have lots of money for security, but their partners may be on much smaller budgets with higher risk tolerance,” Riedesel said.

Still plenty of security holes

And so far, there are plenty of holes in Blockchain peripherals. The Synopsys Cybersecurity Research Center (CyRC) demonstrated as much when it anonymously coordinated the Chain Heist Blockchain capture-the-flag (CTF) challenge in August at the 2019 DEF CON conference. 

In a blog post about the event, Riedesel noted that the contest, which offered about $2,500 in awards, presented 23 challenges based on real-world vulnerabilities in both public and enterprise Blockchain applications. The participants “claimed 22 of the 23 Chain Heist bounties,” he wrote.

A year earlier, at the 2018 DEF CON, Riedesel and Synopsys colleague Parsia Hakimian, a senior security consultant, demonstrated an open source tool they had helped create called Tineola, designed to attack Hyperledger Fabric, the most popular enterprise Blockchain platform.

“Tineola” is the scientific name of a species of moth that eats clothes, as in fabric—get it? “It’s happily munching away on your Blockchain fabric,” Biehn said.

In their demo, they showed how vulnerabilities in an insurance application could be used to commit insurance fraud. 

“It’s important to note that part of this [responsibility for security] is on the developers using the platform—using it correctly,” Biehn said, “and the other part is on the platform authors to make it defensively designed and easy to write secure code.”

So the advice to organizations is to proceed, but proceed with caution. “Going to production with the PoCs [proof of concepts] we’ve seen today may be too risky,” Riedesel said. “Security teams haven’t been properly trained on these new tech platforms, and Blockchain vendors are overpromising the security benefits.”

Biehn agrees. “A cautious approach here is good,” he said. “Security teams and operations teams need time to gain experience operating the components that make up a Blockchain-dri

Read More

Leave a reply