
BLOCKCHAIN

KNOWN SECURITY CHALLENGES


2
INTRODUCTION #1

07/11/2021
3
How Safe?

• BLOCKCHAIN, the distributed ledger technology underlying cryptocurrencies, may prove to be far more valuable than the currency it supports. But it is only as valuable as it is secure.
• We must make sure that the initial conditions we set up now do not set us up for security issues later on.
• It is important to understand the inherent security risks in BLOCKCHAIN technology and the difference between public and private BLOCKCHAINS.

4
Public BLOCKCHAIN

• A system of recording transactions that allows anyone to read or write transactions. Anyone can aggregate and publish those transactions, provided they can show that a sufficient amount of effort went into doing so, which is demonstrated by solving a difficult cryptographic puzzle. The process by which a network of nodes confirms the record of previously verified transactions, and by which it verifies new transactions, is known as a consensus protocol.
• In the bitcoin system, because no user is implicitly trusted to verify transactions, all users follow an algorithm that verifies transactions by committing software and hardware resources to solving a problem by brute force (i.e., by solving the cryptographic puzzle). The user who reaches the solution first is rewarded, and each new solution, along with the transactions that were used to verify it, forms the basis for the next problem to be solved. This is what is called mining.
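The puzzle-and-chaining mechanism described above, as an added toy example that is not part of the slides or the cited articles: a block is mined by brute-forcing a nonce until its SHA-256 hash falls below a target, each solved hash becomes the input of the next puzzle, and any untrusted node can re-check the whole chain. The difficulty, transaction strings and tampering step are constructed for illustration.

```python
import hashlib
import json

# Constructed toy proof-of-work chain (added example, not from the slides).
# DIFFICULTY_BITS = leading zero bits a block hash must have; 12 keeps mining quick.
DIFFICULTY_BITS = 12
GENESIS_PREV = "0" * 64

def block_hash(prev_hash: str, txs: list, nonce: int) -> str:
    """Hash the block contents: previous block hash, transactions and nonce."""
    payload = json.dumps({"prev": prev_hash, "txs": txs, "nonce": nonce}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def meets_target(h: str, bits: int = DIFFICULTY_BITS) -> bool:
    """The 'cryptographic puzzle': the hash, read as a number, must fall below the target."""
    return int(h, 16) < (1 << (256 - bits))

def mine(prev_hash: str, txs: list, bits: int = DIFFICULTY_BITS) -> dict:
    """Brute-force nonces until the hash meets the target; this is the mining step."""
    nonce = 0
    while True:
        h = block_hash(prev_hash, txs, nonce)
        if meets_target(h, bits):
            return {"prev": prev_hash, "txs": txs, "nonce": nonce, "hash": h}
        nonce += 1

def build_chain(tx_batches: list, bits: int = DIFFICULTY_BITS) -> list:
    """Each solved block's hash becomes the 'prev' input of the next puzzle."""
    chain, prev = [], GENESIS_PREV
    for txs in tx_batches:
        blk = mine(prev, txs, bits)
        chain.append(blk)
        prev = blk["hash"]
    return chain

def verify_chain(chain: list, bits: int = DIFFICULTY_BITS) -> bool:
    """What any untrusted node can check: linkage, stored hash, and puzzle solution."""
    prev = GENESIS_PREV
    for blk in chain:
        h = block_hash(blk["prev"], blk["txs"], blk["nonce"])
        if blk["prev"] != prev or h != blk["hash"] or not meets_target(h, bits):
            return False
        prev = h
    return True

def tamper_demo() -> tuple:
    """Rewriting an old transaction breaks its block's hash and every later 'prev' link."""
    chain = build_chain([["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]])
    intact = verify_chain(chain)
    chain[0]["txs"][0] = "alice->bob:50"   # constructed tampering of history
    return intact, verify_chain(chain)     # (True, False)
```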

5
Unexpected Consequences

• Decentralization and the relative freedom of access in public BLOCKCHAIN systems have led to widespread fraud, black-market trading and illegal transactions.
• Because the consensus protocol is energy-hungry, the majority of miners operate in countries with cheap electricity, or steal computing power by compromising weak computer systems in countries that subsidize electricity. This effort is often combined with social engineering.
• Or they simply hijack computing power through indiscriminate malware infection.

6
Private BLOCKCHAIN

• Private BLOCKCHAINS give their operators control over who can read the ledger of verified transactions, who can submit transactions, and who can verify them.
• Applications include a variety of markets in which multiple parties wish to participate simultaneously but do not fully trust one another. For example, private BLOCKCHAIN systems supporting land and physical asset registries, commodities trading, and private equity distribution are all being tested. In theory they are also promising for digital identity retention and transactions (passports, e-residency, birth and marriage certificates, other IDs such as digital fingerprints) and for securing digital contracts.
• A private BLOCKCHAIN can also be used as a security enhancement for identity theft prevention, critical infrastructure and sensitive data protection.

7
Still has Unexpected Consequences

• As these systems develop and evolve, some of these design decisions will have repercussions for the security of the system and the assets it manages or stores.
• As in software and product development, considering security at an early stage avoids the difficulty of making fundamental changes to a product to address a security flaw later on. Attackers can easily find and exploit such flaws.

8
Network Architecture

• BLOCKCHAINS achieve consensus on their ledger, the list of verified transactions, through communication, which is required to write and approve new transactions. This communication occurs between nodes, each of which maintains a copy of the ledger and informs the other nodes of new information: newly submitted or newly verified transactions.
• Private BLOCKCHAIN operators can control who is allowed to operate a node, as well as how those nodes are connected; a node with more connections will receive information faster. Nodes may be required to maintain a certain number of connections to be considered active. A node that restricts the transmission of information, or transmits incorrect information, must be identifiable and circumventable to maintain the integrity of the system, and operators must ensure the network behaves as expected.

9
Offline Nodes Concern

• Another security concern in the establishment of network architecture is how to treat uncommunicative or intermittently active nodes. Nodes may go offline for innocuous reasons, but the network must be structured to function (to obtain consensus on previously verified transactions and to correctly verify new transactions) without the offline nodes, and it must be able to bring these nodes back up to speed quickly when they return.

10
Downside: Transaction Delay

• The process used to reach consensus (verifying transactions through problem solving) is purposely designed to take time, currently around 10 minutes. Transactions are not considered fully verified for about one to two hours, by which point they are sufficiently “deep” in the ledger that introducing a competing version of the ledger, known as a fork, would be computationally expensive.
• This delay is both a vulnerability of the system, in that a transaction that initially seems to be verified may later lose that status, and a significant obstacle to the use of cryptocurrency-based systems for fast-paced transactions, such as financial trading.

11
Benefit of Private BLOCKCHAIN: Faster!

• In a private BLOCKCHAIN, by contrast, operators can choose to permit only certain nodes to perform the verification process, and these trusted parties are responsible for communicating all newly verified transactions to the rest of the network. So it works FASTER.
• The responsibility for securing access to these nodes, and for determining when and for whom to expand the set of trusted parties, is a critical security decision made by the BLOCKCHAIN system operator.

12
Private Key Thefts

• Each bitcoin transaction includes unique text strings that are associated with the bitcoins being exchanged. Similarly, other BLOCKCHAIN systems record the possession of assets or shares involved in a transaction. Users then keep this information in a virtual wallet account.
• In the bitcoin system, ownership is demonstrated through the use of a private key (a long number generated by an algorithm to provide a random and unique output) that is linked to a payment and a virtual wallet, and like any other data or account credential it can be stolen or lost.
• These thefts are not a failure of the security of bitcoin but of personal security; they are the result of storing a private key insecurely.
• Some estimates put the value of lost bitcoins at $950 million.

13
Transaction Reversal

• In a public BLOCKCHAIN it is impossible to resolve the problem of lost identification credentials: it provides no recourse for those who have lost their private keys, and stolen bitcoins are nearly impossible to recover, because transactions submitted with stolen keys appear to a verifying node to be indistinguishable from legitimate transactions.
• Private BLOCKCHAIN owners (operators) will have to decide whether, and under what circumstances, to reverse a verified transaction, particularly if that transaction can be shown to be a theft. Transaction reversal can undermine confidence in the fairness and impartiality of the system, but a system that permits extensive losses as a result of the exploitation of bugs will lose users and trust.

14
GENERAL ISSUES #2

15
End Point Vulnerabilities

• Endpoints are the spaces where humans and BLOCKCHAINS meet: the computers that individuals and businesses use to access BLOCKCHAIN-based services (financial institutions, industries, or cryptocurrencies).
• The process begins with information being input into a computer and ends with information being output from a computer. It is while the BLOCKCHAIN is being accessed that the data is in its most vulnerable state.
• This includes public and private key security and virtual wallet credentials.
• Prevention still relies on the same well-known identity theft countermeasures: top-rated anti-virus/anti-malware, a regular update and scan policy, and the use of encryption to protect data and communications.

16
Vendors Risk

• With the growth of Distributed Ledger Technology (DLT) adoption, third-party solutions have emerged from service providers or vendors:
  - BLOCKCHAIN integration platforms
  - Payment processors and wallet providers
  - Fintech and BLOCKCHAIN payment platforms
  - Smart contracts (digital notaries etc.)
• Weak security on their own systems, flawed code, and even personnel vulnerabilities can expose their clients’ BLOCKCHAIN credentials and data to unauthorized persons.

17
Full-Scale Threat

• As BLOCKCHAINS grow, we are approaching unknown territory with every gigabyte of expansion. The limited experience of the DLT industry means limited capability to identify and respond to problems. As with every technology, from airplanes to autonomous cars, experience comes at a price. The price of a BLOCKCHAIN security failure has not yet been high enough to require a major change to the system, which is both good and bad.
• BLOCKCHAINS could be susceptible to fraud if a significant number of participants conspire against the rest. Known as a majority attack, or the 51% problem, this theoretical threat could materialize, considering that a large number of mining farms are built in nations where electrical power is cheap and oversight questionable.
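The mechanism behind both the confirmation delay on the Transaction Delay slide and the majority attack above, as an added toy example that is not part of the slides or the cited articles: a node counts how deep a transaction sits, follows whichever branch carries the most cumulative work, and so a rival fork that out-works the honest branch can drop a payment that already looked verified. The Block class, the abstract work units and the 'pay_merchant' transaction are constructed for illustration.

```python
from dataclasses import dataclass

# Added example (not from the slides): a node's-eye view of confirmation depth,
# competing forks, and why a rival branch carrying more total work can undo a
# transaction that looked verified. "work" is an abstract proof-of-work unit.

@dataclass(frozen=True)
class Block:
    height: int
    txs: tuple = ()
    work: int = 1

def cumulative_work(chain: list) -> int:
    return sum(b.work for b in chain)

def confirmations(chain: list, tx: str) -> int:
    """0 if tx is absent; 1 if it sits in the tip block, 2 one block deeper, and so on."""
    for i, blk in enumerate(chain):
        if tx in blk.txs:
            return len(chain) - i
    return 0

def work_to_displace(chain: list, tx: str) -> int:
    """Work a rival fork must exceed to drop tx: the tx's block plus everything above it.
    This is what 'deep enough in the ledger' buys: the cost grows with every confirmation."""
    for i, blk in enumerate(chain):
        if tx in blk.txs:
            return cumulative_work(chain[i:])
    return 0

def choose_chain(local: list, rival: list) -> list:
    """Honest nodes follow the branch with the most cumulative work (ties keep the local one)."""
    return rival if cumulative_work(rival) > cumulative_work(local) else local

def reorg_demo(depth: int) -> tuple:
    """A merchant accepts 'pay_merchant' once it has `depth` confirmations; a rival fork
    that omits the payment then arrives with one more unit of work than the honest branch.
    Returns (confirmations seen before, confirmations after the reorg, work the rival had to beat)."""
    honest = [Block(h) for h in range(7)] + [Block(7, ("pay_merchant",))]
    honest += [Block(h) for h in range(8, 7 + depth)]            # blocks mined on top
    cost = work_to_displace(honest, "pay_merchant")               # == depth
    # Rival diverges at height 7, has depth + 1 blocks, and never includes the payment.
    # A minority of the hash power rarely manages this for large depth; a 51% majority
    # eventually always does, which is the majority attack.
    rival = honest[:7] + [Block(h) for h in range(7, 8 + depth)]
    adopted = choose_chain(honest, rival)
    return confirmations(honest, "pay_merchant"), confirmations(adopted, "pay_merchant"), cost
```

Run reorg_demo(1) against reorg_demo(6): the payment is lost in both cases once the rival has more work, but the work the rival had to beat rises from 1 to 6, which is why waiting for confirmations is a cost-raising defence rather than a guarantee.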

18
Lack of Regulation

• BLOCKCHAIN is the antithesis of governance and compliance. That depends.
• If you are talking about Bitcoin and cryptocurrencies, a valid argument can be made that they should continue to enjoy the anonymity that fueled the very growth of BLOCKCHAIN. While some (government regulators and legacy financial institutions) argue that even cryptocurrencies must be regulated, a sizeable number of participants will staunchly oppose such notions.
• However, the anti-authoritarian approach has no place in most of the sectors where BLOCKCHAIN innovation is greatest.

19
Lack of Standards

• Referring back to Vendor Risks (page 15): how could any of these applications not benefit from some level of standardization, if not regulation?
• The lack of standard protocols means BLOCKCHAIN developers cannot easily learn from the mistakes of others. With each company, each consortium, and each product operating by a different set of rules, the risks that come with nonstandard technology of any sort are present.
• At some point, chains may need to be integrated. Lack of standardization can mean new security risks as diverse technologies are merged.
• The question of standards and regulation is more complex than most of the technical issues. However, these questions will naturally resolve themselves over time, driven by the market or by vendors.

20
Regulation and Standard Resolution

• As with many other technologies, evolution will ultimately bring about the following arrangements:
  - Forced regulation and standards where it makes sense.
  - Self-imposed regulation and standardization among consortiums, vendors or providers, and user groups in areas where innovation is necessary.
  - No regulation or standardization for BLOCKCHAINS built in-house and only used internally within the organization as proprietary solutions.

21
Untested Code

• Despite the nearly 8-year history of Bitcoin, BLOCKCHAINS not dedicated to cryptocurrencies are still heavily experimental. As such, some DLT creators are tempted to deploy insufficiently tested code on live BLOCKCHAINS. One now-infamous example is The DAO attack.
• There are at least two good defences against this type of exploit:
  - Heavy peer review of code before deployment.
  - Smart contract testing performed by independent testing facilities.
• Either of these actions would have identified the flaws that resulted in The DAO hack, and they will prevent similar or worse scenarios for future innovators.

22
Others Attack

• Another popular BLOCKCHAIN exploit aims to infect mobile wallet apps and online exchanges where cryptocurrency is stored.
• Fraudsters have also been known to take over unsuspecting endpoint PCs or mobile devices and use them to mine or create new crypto coins.
• Scams around initial coin offerings, a funding event similar to an initial public offering (IPO) but using new cryptocurrencies that could hold value if the STARTUP gains any traction.
• The Slovenian bitcoin trading marketplace enables customers to mine for cryptocurrencies by leveraging unused CPU cycles.

23
WRAP UP #3

24
Brief Summary

• In the future, in terms of authority, performance, trust and security, private BLOCKCHAINS will be preferable, more predictable and more achievable.
• Key benefits include: faster transaction verification (near real-time) and network communication, the ability to fix errors and reverse transactions, and the ability to restrict access and reduce the likelihood of outsider attacks.
• The weakest link: HUMANS. Security exploitation through social engineering, including well-known scams, phishing, clickjacking and drive-by downloads.
• Above all, POLITICS will still be the GREATEST (SECURITY) CHALLENGE.
• But some standards and regulation will still be needed at some point.

25
References

• Issues With BLOCKCHAIN Security, by Peter Daisyme
• How Safe Are BLOCKCHAINS? It Depends, by Allison Berke
• 5 Blockchain Security Risks and How to Reduce Them, by Aviram Eisenberg
• Security and Privacy in BLOCKCHAIN Environments, by Matteo Cagnazzo and Chris Wojzechowski, researchers at the Institute for Internet Security

26
Thank You!

PERKUMPULAN INTERNET DEVELOPMENT INSTITUTE
JALAN MERPATI RAYA NO. 99 SAWAH LAMA
CIPUTAT, TANGERANG SELATAN 15413
Email: info@institute.id
Website: www.institute.id
