enterprisesecuritymag

Blockchain Possibilities and Pitfalls

By Thomas Gresham, Assistant Director, Information & Communications Technology, County of Santa Barbara


Blockchain technology is a rapidly growing topic of interest. Companies are racing to embrace the trend but should take into account the many pitfalls that could arise.

Blockchain Technology Overview

At its most basic, blockchain is a technology that allows for the creation and sharing of a trusted record of information. When a record is initially created, a digital thumbprint is generated. Think of it as being as unique as a human fingerprint. That digital thumbprint is then shared with trusted nodes across a network. Subsequent changes to that record are then processed using the original thumbprint as an input. Then, with the help of trusted network nodes, a new thumbprint is mathematically generated with the new information added to the record, thus creating a chain of edits, each with its own unique thumbprint. All trusted nodes then have the same copy of all thumbprints for that one record. This is the foundational technology that allows the digital currency, Bitcoin, to operate a trusted system of monetary transactions. All authentic transactions to a record are performed using a single trusted key or thumbprint maintained by the owner.

The Possibilities

Many applications of blockchain technology exist beyond Bitcoin. Financial institutions may use the underlying blockchain technology to track ledgers or accounts more efficiently than with a transactional database. Items requiring signatures, such as deeds, wills, and power of attorney documents, may leverage blockchain to create a verifiable sequence of signatures on a single record. Logistics operations such as freight or parcel service can make use of blockchain technology to trace the movement of goods from the source through checkpoints to the eventual destination. Even the Internet of Things (IoT) can benefit from blockchain by allowing trusted devices to perform automated billing, such as daily tallying of people viewing an advertisement board via a camera, directly depositing funds into a bank account.

The Pitfalls

Blockchain technology guarantees integrity, meaning that if a record is modified by an unauthorized party, the record will then be distrusted by the verifying network nodes. However, the network nodes themselves are not under the direct control of any individual entity. The model for Bitcoin relies on a financial incentive to mathematically create or “mine” new thumbprints. Nodes can be created in any country by anyone. According to a 2018 statement by Ripple’s CEO Brad Garlinghouse, China controls over 50 percent of the Bitcoin nodes used to create new Bitcoin thumbprints. If for any reason China decided to manipulate the integrity of the Bitcoin market, it could, as the majority of nodes, dictate any new thumbprint value on a Bitcoin record. This is commonly known as the “51 percent” attack.
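The thumbprint chain from the overview and the majority-node scenario above, as an added example that is not part of the original article. It assumes SHA-256 as the thumbprint function and a simple majority vote among node copies as a simplified trust model; all function names and sample records are constructed.

```python
import hashlib
from collections import Counter

def thumbprint(prev: str, edit: str) -> str:
    """Thumbprint of one edit; the previous thumbprint is an input."""
    return hashlib.sha256((prev + "|" + edit).encode()).hexdigest()

def build_chain(edits):
    """Return the chain of thumbprints for successive edits to one record."""
    chain, prev = [], ""
    for edit in edits:
        prev = thumbprint(prev, edit)
        chain.append(prev)
    return chain

def first_mismatch(edits, trusted_chain):
    """Index of the first edit that disagrees with a trusted copy, else None."""
    recomputed = build_chain(edits)
    for i, (got, want) in enumerate(zip(recomputed, trusted_chain)):
        if got != want:
            return i
    if len(recomputed) != len(trusted_chain):
        return min(len(recomputed), len(trusted_chain))
    return None

def network_head(node_chains):
    """Latest thumbprint held by a strict majority of nodes, else None.
    Assumption: one node, one vote (a simplification of real consensus)."""
    votes = Counter(chain[-1] for chain in node_chains)
    head, count = votes.most_common(1)[0]
    return head if count * 2 > len(node_chains) else None

# Constructed sample records: an honest history and a forged last edit.
EDITS = ["create deed #1", "signed by seller", "signed by buyer"]
FORGED_EDITS = ["create deed #1", "signed by seller", "signed by someone else"]
HONEST = build_chain(EDITS)
FORGED = build_chain(FORGED_EDITS)

def demo():
    """Integrity holds against a minority, not against a node majority."""
    minority = [HONEST, HONEST, HONEST, HONEST, FORGED]
    majority = [HONEST, HONEST, FORGED, FORGED, FORGED]
    return {
        "forged_edit_index": first_mismatch(FORGED_EDITS, HONEST),
        "minority_case_accepts_honest": network_head(minority) == HONEST[-1],
        "majority_case_accepts_forged": network_head(majority) == FORGED[-1],
    }

if __name__ == "__main__":
    print(demo())
```

The same verification that flags the forged edit at index 2 offers no protection once the forging party holds most of the node copies, which is the trust problem the article raises.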

It is also important to note that while blockchain may guarantee record integrity, it does not protect against unauthorized transactions at the authorized user level. For example, malware has been identified that targets Bitcoin wallets to input the wrong destination account for sending payments. This mistake is easy to make, as destination Bitcoin addresses take the form of a cryptic string such as “z12766de3b8b9532c0cca09a146c8a87e176ef39ec3823f1ea263401c77c465e.” There are several variations of cryptocurrency, which malicious actors will try to copy. Fake software disguised as legitimate digital wallets may be downloaded by unsuspecting users, only to have their bank accounts drained as they try to fund these malicious wallet applications.

Securing the Blockchain

As stated earlier, blockchain relies on a system of distributed trust. Reputable banking institutions could establish an internally trusted set of nodes to process blockchain transactions, relying on the controls limited to the banking sector rather than unknown overseas entities who may not have the best of intentions. Credit card companies could also employ a similar model to validate account transactions if the information on the card itself is secured with an appropriate level of protection.

On the user side, the blockchain private key or private thumbprint can be hijacked by any number of malicious activities. Securing this private key is critical as any compromise would allow an attacker to perform financial transactions under the identity of the owner. To this end, the use of hardware security modules (HSMs) may be leveraged. An HSM is a hardware device that is purpose-built with security elements that resist theft and tampering. The HSM could be a stand-alone device for a credit card transaction or even a security hardware module built into a laptop/workstation for online transactions. These devices are currently marketed as ledger key wallets and are gaining popularity among cryptocurrency users.

Final Thoughts

While the technology behind blockchain offers many opportunities, the implementation of blockchain needs to take into consideration the many looming security issues. Bitcoin is the first successful large-scale application of the technology, and security experts are now pointing out the overlooked risks. Exploits are actively targeting blockchain technology at the user level, and trust at the network node level must be strengthened to move blockchain into a more mature phase that reduces dependence on an uncontrolled distributed infrastructure.
