Hacking Bitcoin and the Blockchain

Turn on the TV or read a tech blog, and you will inevitably be flooded with news about Bitcoin or blockchain. The biggest reason why Bitcoin is so popular is that its price soared 2,000% last year. The doubling of Bitcoin's value has also sparked attention to its supporting technology, blockchain, although blockchain may be a better choice for long-term investment.

Blockchain technology is poised to dramatically impact our world. In early 2017, Harvard Business Review argued that blockchain has the potential to create a new foundation for economic and social systems. A January 2017 World Economic Forum report predicted that by 2025, 10% of global GDP will be stored on blockchain or blockchain-related technologies. If you don’t know enough about the technology that will carry 10% of GDP in a decade, you really should start learning.

[[214573]]

What is blockchain?

Blockchain is a digital log file that uses encryption to protect online transaction data. The idea of ​​blockchain technology was formed in 1991, and Bitcoin was the first application to put a distributed public blockchain into practice. Blockchain is a digital archive of transaction records, and transactions require the consent of blockchain participants to establish transactions. Usually, blocks contain transaction data such as price, action (buy, sell, transfer, etc.), and a timestamp. Each transaction (or series of transactions) creates a block. Each newly added block contains a cryptographic hash of the previous block (today this hash is usually SHA-256). In this way, each transaction block is cryptographically locked to the previous block.

If the blockchain is publicly distributed, as Bitcoin is, then every participant can verify any transaction in the blockchain. You may not be able to see the amount or value of money held by a participant unless that information is included in the transaction record; but you can see the value of a transaction between two participants and verify its validity. Any participant can prove their ownership of a specific blockchain account by presenting a cryptographic proof that is difficult to forge but easy to verify by all participants.

The mechanism of blockchain can be compared to the public/private key cryptography system, in which each participant can use a private key to create signature content, and all other participants can use the associated public key to easily verify the signature content.

Just as cloud computing has public, private, and hybrid cloud, blockchain also has three models: public, private, and hybrid. You can create your own blockchain, use other blockchains provided by a larger group with common interests, or even participate in global public chains such as Bitcoin. Although it is still a relatively new feature, private and public blockchains can still join each other.

From Bitcoin to Blockchain

Most people’s knowledge of blockchain comes from Bitcoin, the popular cryptocurrency created in 2008 by a person/team nicknamed “Satoshi Nakamoto.” Satoshi Nakamoto did not invent the concept of blockchain, but he did introduce the concept of distributed blockchain for decentralized ledgers and verification of digital currency transactions. This concept solves the “duplicate payment” problem inherent in decentralized digital currencies without a trusted third party.

In October 2008, Satoshi Nakamoto published an article titled "Bitcoin: A Peer-to-Peer Electronic Cash System" on the cryptographic mailing list of metzdowd.com. In 2009, he generated the first block of the blockchain and created software that anyone could download to mine bitcoins. Some people who downloaded the software within a few days of the article's release quickly generated 3 bitcoins.

Although Bitcoin’s promise and ultimate value were evident from the beginning, the first “official” transaction was for 10,000 Bitcoins for a $20 pizza. Today, Bitcoin’s value has grown significantly, hitting an all-time high of $17,428.42 on December 12, but the volatility is frequent and large. The huge and rapid price increase has attracted the attention of investors and financial company CEOs, although not necessarily positively. Many investors have compared the rise in Bitcoin’s price to the Dutch tulip bubble in the 17th century—some investors became rich overnight, while skeptics could only watch their friends rise to the wealthy class.

The way Bitcoin, mining software, and distributed networks are built, a series of newly generated Bitcoins make it increasingly difficult to generate the next Bitcoin. As a result, Bitcoins that used to be generated by a single computer in a few hours now require thousands of specialized "miner" computers with specific hardware to form a network, which takes weeks to months to generate. Today, the electricity used to generate Bitcoin is comparable to the total daily electricity consumption of the world.

Not only does it take a lot of computing power to create Bitcoin, but the computational work required to create and verify Bitcoin transactions is also significant, although not in the same field. Moreover, each transaction increases the size of the blockchain - which continues to grow over time (Bitcoin's blockchain is over 100GB) and must be generated and distributed to all participants to remain valid. Ultimately, by 2140, a maximum of 21 million Bitcoins will be mined. This self-induced cryptographic scarcity is one of the driving forces behind Bitcoin's skyrocketing price.

Bitcoin may be a bubble, but blockchain is not

Investors and financial experts debate the value of Bitcoin, but no one questions the value and legitimacy of blockchain. Some of the world's largest companies have created teams, sometimes even entire departments, to study blockchain. You can create and use blockchain in the cloud or in your private business.

Companies that promote blockchain see a future where almost every financial transaction is supported by blockchain. Blockchain can enable very complex financial transactions to be resolved in seconds. One of the leaders of multinational bank blockchain said that it takes an average of one month for financing and merger transactions to be financially clear. With blockchain, it can be done in seconds. Regulatory reviewers should really consider the huge driving force of blockchain to improve the efficiency of complex transactions, freeing up personnel and capital to invest in more productive and constructive matters.

Almost every industry that is intensive in financial transactions is eager to find ways to implement blockchain in their respective companies and industries. Blockchain is a hot topic in any industry. Computer industry cloud giants, such as Microsoft and Amazon, have now launched numerous blockchain services.

If you search for blockchain on the Internet, you will be shocked by the tens of millions of information links and services that have emerged since 2016. Bitcoin may be a bubble, but blockchain is emerging and will continue to develop.

Hacking Bitcoin and the Blockchain

In the early days, many Bitcoin and blockchain enthusiasts wondered if the inherent encryption of the two was enough to resist the constant hacking attacks. It didn't take long for the answer to emerge. Like everything valuable that relies on computers, Bitcoin and other cryptocurrencies, as well as blockchains, have been under frequent attacks. Hundreds of millions of dollars have been stolen, people have been scammed, and blockchains have been looted. Here are a few examples of Bitcoin and blockchain hacks.

1. Bitcoin Mining Malware

Every bitcoin that is mined makes future bitcoins harder to create. A lot of electricity is needed to run and cool the specialized "miner" computers. Electricity is the number one operating cost for Bitcoin miners. As a result, many Bitcoin miners "borrow" resources to mine Bitcoin, either within their employer's properties or by spreading Bitcoin mining malware. Today, many of the largest malware botnets are used to mine Bitcoin. While the intentions aren't particularly bad, it's still unauthorized use of a computer or device (often hijacking online cameras and routers) and costs the victim money. These malware also slow down the hijacked computer. Bitcoin mining programs should be stopped like any other malware program.

2. Stolen Store of Value

Cryptocurrencies usually store their value in files called wallets. Wallets can be hacked, tampered with, stolen, and moved, just like any other store of value on a computer. Worse, people often forget their protective password/PIN or lose the hard drive that holds the store of value, which often means that the store of value can never be recovered. Ransomware can cause this problem. If it's a normal bank account, you can still access your online banking from another computer, and the money in it will remain intact. But a cryptocurrency wallet? You're overthinking it. If it's lost, it's lost. If it can't be opened, it can't be opened. No one can help you recover it.

Most experts recommend keeping your cryptocurrency in an offline wallet to prevent it from being accessed by malware or hackers. But this also makes it difficult to use the value. The offline nature can make it take days longer to use and update the value. If you use an online wallet, protect it with multi-factor authentication if possible.

3. Money transfer Trojan

Cryptocurrency Trojans monitor your computer, waiting for something that looks like a cryptocurrency account number. Once it finds a target, the Trojan replaces the account number you're about to pass the value to with its own. Unless you're particularly sensitive to this switch, the moment you press the "Send" button, everything is over.

4. Implementation flaws

"In theory, there is no difference between theory and practice. In practice, there is a difference." No one knows who first said this, but it was first published in a book, Pascal: The Art and Science of Programming, published by Walter J. Savage in 1986.

As with any cryptographic implementation, the algorithm is always much more sane than the program that implements it. Basically, blockchains come with the same vulnerabilities or flaws that any cryptographic solution would have. Programming vulnerabilities or lack of good private key security (or Bitcoin wallets) can bring down the entire implementation. While it may not be immediately obvious, before using cryptocurrency or participating in a blockchain project, make sure the software developer has applied a Security Development Lifecycle (SDL) process to minimize vulnerabilities.

It’s not uncommon for hackers to tamper with cryptocurrency software to steal value. In a recent case, the hackers made a programming error that not only prevented them from stealing any value, but also destroyed everyone’s wallets, making it impossible to recover. A classic case of harming others while not benefiting yourself.

5. Known Plaintext Capture Attack

Good encryption makes ciphertext look like random gibberish. In theory, a crypto attacker should not be able to parse out the original plaintext. However, in blockchain technology, the block format is well known or easily parseable. Specific letters, characters, or numbers always exist in fixed positions in each block. This makes it easy for a crypto attacker to "grab" a portion of the plaintext representation from each encrypted block. In addition, each block is linked to the previous block. As a result, the overall protection of the underlying encryption code is weakened. If the code is not weak, this is not a huge problem, but it does give the attacker a certain advantage.

6. Weak SHA-256?

Many security experts have wondered if SHA-256, the Secure Hash Algorithm that shares the same mathematical weaknesses as its shorter predecessor, SHA-1, is a concern for Bitcoin and blockchains (both of which typically use SHA-256). The answer is: not yet. SHA-256 is robust enough for the foreseeable future. What’s more, given that most of the world’s financial transactions and HTTPS transactions are secured by SHA-256, if someone were to break the algorithm, we’d have far more to worry about than just Bitcoin and blockchains. Even so, if you’re planning on getting into cryptocurrency or blockchain, start planning for “crypto-agility” — the ability to keep the supporting code and just replace the passwords.

7. Hacked Websites

The most common hack around Bitcoin, and one that can be applied to any blockchain project, is the hacking of the central website that controls Bitcoin or the blockchain. This is so common that it happened last week, allowing hackers to make $70 million worth of Bitcoin. Too many sites that manage hundreds of millions of dollars in cryptocurrency have been successfully hacked. Once the control website is hacked, the value of the Bitcoin created by people is often dissipated on the Internet. Keeping a backup of the value offline is a good precaution.

Some of the biggest hacks have involved unscrupulous hackers getting away with millions of ill-gotten gains. If you do business with a cryptocurrency site, make sure it is secure and trustworthy. The FDIC won’t pay for your money to disappear, at least not yet.

8. Large public blockchains are more secure

A conceptual concept to understand blockchain security is that public distributed blockchains are more secure than private blockchains. To hack a blockchain, an attacker must control more than 50% of the participants or blocks, and this action must be faster than the creation of new blocks.

Therefore, large public blockchains are inherently more secure than small private blockchains. It is faster and easier to take control of a small blockchain, especially if all the relevant "secrets" are stored in one place or company. In fact, many security experts are questioning the need for a single corporate blockchain. They believe that the benefits of blockchain only appear when it is distributed across a single security boundary. However, you will still see a lot of private small blockchains because of the potential of blockchain to settle complex financial transactions in seconds, and because small blockchains have the potential to become components of large hybrid/public blockchains.

Every security professional should understand blockchain and what it means for their current and future careers. Even if blockchain is built on very secure cryptography, it can be hacked like anything else.

[This article is an original article by 51CTO columnist "Li Shaopeng". Please obtain authorization through Anquanniu (WeChat public account id: gooann-sectv) for reprinting]

Click here to read more articles by this author