This weekend I went to my first Bitcoin Expo here in Raleigh, NC. It was pretty exciting. I got to meet a bunch of local enthusiasts and discovered I had a few friends from other circles that overlapped into Bitcoin. I also got to meet face to face with some of the Mastercoin team and network: Sam Yilmaz, Brian Deery from the NotaryChains.com team, and the entire Merchantcoin team.
One of the reasons I was attending the Cryptolina Bitcoin expo was to present a talk about security. Security is important to me and the entire Mastercoin group. Many of our decisions come from thinking about security early in the requirements and design phase of development. I followed CrowdCurity CEO Jacob Hansen, who also spoke on security. I would like to point out that here at Mastercoin we utilize the services of CrowdCurity to offer ongoing crowd-based security audits on Mastercoin products.
I’d like to offer a condensed version of my security talk for you today:
Security in the Blockchain: Past, Present and Future
One early mistake discovered was the use of a non-random source of entropy to generate key pairs for wallets or to sign transactions. Attackers were able to scan the blockchain looking for collisions of public keys. Details of this heist can be seen here.
Another exploit, as seen on Blockchain.info, was when an XSS was placed into a transaction by running hex on the outputs of the transaction, potentially resulting in code execution in users’ browsers. Details can be read about here.
This next story is a warning to anyone who is thinking about using a brain wallet: Don’t.
When I decided to get back into bitcoin ~8 months ago, I decided I’d buy some bitcoin and transfer it to a wallet. I had read about brain wallets and liked the idea. I used the following string because for some strange reason I still remember it from high school: “IWentToTheWoodsBecauseIWishedToLiveDeliberately”. Within seconds of my transfer into the generated wallet, my coin was transferred out. I was hooked. After researching and testing with a few other transfers, I discovered a huge network of brain-generated addresses that were being monitored. It’s fair to assume that if it’s been written down in any language, ever, it’s not safe to derive a wallet address from.
The most common vulnerability seen in Bitcoin heists these days is the old-fashioned SQL injection attack. Unsanitized inputs result in the ability for bad guys to modify the SQL statements used to display custom information on a page. This type of attack is easily mitigated through testing and crowdsourced security testing.
The ideas of meta layers on top of the Blockchain, self-generated assets and decentralized applications, while not new, are only now becoming technologically possible, experimented with and deeply thought through. Because of the fast movement of the technology and the rate at which new features are developed, security is often forgotten. An issue I have seen is placing some incorrect level of trust in things within the Blockchain. We have to remember that things are in the blockchain because someone asked and ultimately paid a miner to persist them there. That being said, meta coins will most often include things like a description, a name and a URL for more information. This information is delivered to users in their wallets, exchanges and explorers, often as sanitized strings.
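Treating on-chain metadata as untrusted input, which both the Blockchain.info XSS and the meta coin fields above call for, might look like the following. This is an added example, not code from the talk or from Mastercoin; the field names (`name`, `description`, `url`), the hex transport encoding and the 256-character display limit are assumptions.

```python
import html
import unicodedata
from urllib.parse import urlsplit

MAX_LEN = 256                        # assumed display limit, not from any protocol spec
ALLOWED_SCHEMES = {"http", "https"}  # anything else is shown as text, never as a link

def decode_field(raw_hex: str) -> str:
    """Decode a hex-encoded on-chain field into text without trusting it."""
    try:
        data = bytes.fromhex(raw_hex)
    except ValueError:
        return ""
    text = data.decode("utf-8", errors="replace")
    # Drop control and format characters (NUL, newlines, bidi overrides).
    text = "".join(c for c in text if unicodedata.category(c) not in ("Cc", "Cf"))
    return text[:MAX_LEN]

def safe_text(raw_hex: str) -> str:
    """Return the field HTML-escaped for an element body or quoted attribute."""
    return html.escape(decode_field(raw_hex), quote=True)

def safe_link(raw_hex: str) -> str:
    """Render the asset URL as a link only if it is plain http(s)."""
    url = decode_field(raw_hex)
    try:
        parts = urlsplit(url)
    except ValueError:
        parts = None
    label = html.escape(url, quote=True)
    if parts and parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        return f'<a href="{label}" rel="noopener noreferrer nofollow">{label}</a>'
    return label

def render_asset(asset: dict) -> str:
    """Build one explorer table row from hex-encoded asset metadata."""
    return (f"<tr><td>{safe_text(asset['name'])}</td>"
            f"<td>{safe_text(asset['description'])}</td>"
            f"<td>{safe_link(asset['url'])}</td></tr>")

# Constructed sample: metadata as it might arrive from a parsed transaction.
SAMPLE = {
    "name": "<script>alert(1)</script>".encode().hex(),
    "description": 'Gold" onmouseover="x'.encode().hex(),
    "url": "javascript:alert(1)".encode().hex(),
}

if __name__ == "__main__":
    print(render_asset(SAMPLE))
```

Escaping happens at render time, on every field, regardless of what any upstream component claims to have already cleaned.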
A potential attack that I made known to the Bitmain representative at Cryptolina describes how, using a search engine that indexes hardware or “The internet of things”, one can find over 550 AntMiner Bitcoin miners publicly available on the internet. It’s probably the case that some of these devices did not change their default username and password.
Bitcoind instances should always be upgraded. I showed another query that identified over 2000 Bitcoind instances vulnerable to the Heartbleed vulnerability.