Interview With Jacob Hansen, Cofounder Of Crowdcurity, A Bitcoin Application Security Provider


It is hard not to be an alarmist if you are a regular consumer of Bitcoin news. After a brief search on the Internet, the impression one is likely to get is of scams, hacks and exchange blowups, all feeding one's paranoia, justified to some extent, that the space is an unpoliced jungle where beasts lurking in the dark prey on the innocent and gullible.

What you may be unaware of is that while the bad guys are working around the clock on their next exploits, there are good guys out there acting as your guardians.

This week, I talked with Jacob Hansen, a web security expert from Denmark, who cofounded Crowdcurity, a crowdsourced web security platform.

Jacob told me that the inspiration came from the first Mt. Gox hack. On 19 June 2011, a hacker allegedly used credentials from a Mt. Gox auditor's compromised computer and transferred a large number of bitcoins to himself. He subsequently sold the stolen coins on the exchange, causing the nominal price of a bitcoin to drop to one cent.

This led to what Jacob described as a crowdsourced platform that “connects thousands of security researchers with businesses all around the world”. He especially stressed the global magnitude of the security issue that the industry faces. “In order for bitcoin businesses to fight this global threat they need a global defence. By crowdsourcing good security researchers to find the bugs before the bad guys exploit them, we are able to provide this global defence.”

A key proposition of such a business is that it cuts cost for small businesses. “We work with a pay-per-bug model so businesses don’t have to pay for expensive security consultants who are typically paid by the hour and not based on the value created. One of our key focus areas is the security of bitcoin web applications and we have done security testing of the largest bitcoin exchanges and wallets in the industry.”

Crowdcurity is currently working with some of the Chinese exchanges including OkCoin and BTCChina.

Here are some other questions that I asked Jacob:

What are some common types of problems that Crowdcurity has identified?

There are both technical threats and threats exploiting the human factor.

From a technical standpoint many sites lack protection against the typical XSS, CSRF, SQL injection and Denial of Service attacks. If a bitcoin wallet or exchange is not properly secured against, for example, an XSS attack, it can lead to individual users losing bitcoin. This can happen for example if an attacker is able to inject some JavaScript into the application and use that to steal other users' cookies, which he can then use to log in as that user and steal the bitcoin.

On the human side you have the issues of social engineering due to lack of proper security training. For Bitcoin in particular one of the biggest issues is improper storage of private keys (no multisig or cold storage scheme), which is a problem for both exchanges/wallets and individuals.

Can you explain what an XSS attack is?

Sure. XSS, or cross-site scripting, is a common attack in web applications.

If an application is vulnerable to cross-site scripting an attacker can basically inject JavaScript code of their choice into the application. This code will be run when innocent users are visiting the application and can be used to steal everything from bitcoin to user credentials. Therefore in an XSS attack one can say that the attacker is exploiting the trust a user has in a web application, because the user thinks the application is secure - which in reality it isn't.
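The cookie-theft scenario Jacob describes, shown from the defender's side as an added example (not Crowdcurity's code): the same page rendered with and without HTML encoding of an untrusted field, plus the Set-Cookie flags that keep a session id out of reach of injected script. The profile field, session id and function names are constructed for illustration.

```python
import html

# Constructed sample input, standing in for an attacker-controlled profile field.
UNTRUSTED_NAME = "<script>alert(1)</script>Mallory"


def render_profile_vulnerable(display_name: str) -> str:
    """Interpolates user input straight into HTML, so a <script> tag
    in the field is executed by every browser that views the page."""
    return f"<p>Welcome, {display_name}</p>"


def render_profile_hardened(display_name: str) -> str:
    """HTML-encodes the value so the browser displays it as text
    instead of running it; this is the fix for reflected/stored XSS."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie flags that limit what injected script can take:
    HttpOnly keeps the id out of document.cookie, Secure keeps it off
    plaintext connections, SameSite=Lax blunts cross-site requests."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def contains_script_tag(rendered: str) -> bool:
    """Crude check used here only to compare the two renderers."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_profile_vulnerable(UNTRUSTED_NAME))
    print(render_profile_hardened(UNTRUSTED_NAME))
    print(session_cookie_header("constructed-session-id"))
```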

How did you find your researchers?

Big businesses like Google and Facebook have been doing crowdsourced security testing for some time. To acknowledge the security researchers these businesses maintain a Hall-of-Fame where they mention the security testers who have helped them. Thus initially we reached out to these security researchers and had them join our platform where they could leverage their skills and do security testing for many other businesses. Since then we have developed a strong crowd of 2000 skilled researchers who are constantly rated and ranked on their quality.

How secure / technologically advanced are the Chinese exchanges compared with the overseas ones such as Bitstamp and Kraken?

In general we cannot say that Chinese bitcoin exchanges are less or more secure than overseas exchanges. There are exchanges in China, the EU and the US who have better security practices than other exchanges and wallets within the same region. Below are some rules of thumb, which consumers can look for when evaluating bitcoin exchanges and wallets.

What is the process like? You spot a bug and go to an exchange asking them to pay?

No. We would never start testing on a website without the consent of the business. The exchange or wallet basically agrees to letting the security researchers examine the web app for potential security bugs before testing starts. We also do social verification of the identity of the bitcoin exchange or wallet to avoid starting the testing of applications without consent from the site owners first. Below are outlined the overall steps during a test.

Are you allowed to disclose the details of some of the bugs that you spotted?

We cannot disclose specific security bugs without the consent of the business and security tester.

However, one of the web app security bugs we have seen a couple of times, which can lead to account takeover of individual users and site admins, relates to improper implementation of e.g. the password reset function in the web app. Often the web application will generate a password reset token once a user requests a password reset. This token functions as a kind of temporary new password and is often sent to the user via mail.

However, if not implemented correctly an attacker can either guess this token or sniff it from the application if it is sent over an unencrypted network. Once the attacker has the token he can impersonate the targeted user and achieve all the same privileges. This specific attack outlined above can be mitigated by for example requiring two-factor authentication.
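The guessable-token problem above, as an added example rather than any code from the interview: a predictable token construction of the kind that can be reproduced from public data, beside a reset flow where the token comes from the OS CSPRNG, only its hash is stored, it expires, and it can be redeemed once. The in-memory store, TTL and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60
# Assumed in-memory store: user_id -> (sha256(token), expiry timestamp).
_pending_resets: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def weak_reset_token(user_id: str, now: float) -> str:
    """Flawed pattern: token derived from the user id and the clock.
    Anyone who knows the victim's id and roughly when the reset was
    requested can regenerate it, which is the 'guess the token' case."""
    return hashlib.md5(f"{user_id}:{int(now)}".encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create an unguessable, time-limited token; only its hash is stored,
    so a leaked database does not hand out live reset tokens."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending_resets[user_id] = (_digest(token), now + RESET_TTL_SECONDS)
    return token  # delivered to the user out of band, over an encrypted channel


def redeem_reset_token(user_id: str, presented: str, now: Optional[float] = None) -> bool:
    """Accept a token at most once, before expiry, with a constant-time compare."""
    now = time.time() if now is None else now
    entry = _pending_resets.get(user_id)
    if entry is None:
        return False
    stored_digest, expires_at = entry
    if now > expires_at:
        _pending_resets.pop(user_id, None)  # stale token is dropped, not honoured
        return False
    if not hmac.compare_digest(stored_digest, _digest(presented)):
        return False
    _pending_resets.pop(user_id, None)  # single use: burn the token on success
    return True
```

Requiring a second factor before the new password is accepted, as Jacob notes, is a further layer on top of these token controls.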

Where do you draw the line between white hat hacking and more ethically dubious practices such as ransomware?

Bug bounty programs (white hat hacking) are with the consent of the business. Ransomware targets end users without their consent and extorts them to pay fees for their service.

If there is a bug that can potentially lead to users’ loss of funds, but the exchange refuses to pay, will you caution the users even without being paid or just walk away?

In general bitcoin businesses are happy to pay if a bug is found and documented by the researcher. This is even more the case where more serious issues are found: The reason is that it might be very damaging to the business’ reputation if they do not pay a fair bounty to the security researcher.

Furthermore, on our platform we allow both the business and security researcher to provide feedback and ratings on each other. This means that we can quickly find the good researchers in the crowd and also potentially spot if there is a business who consistently receives bad ratings from the researchers. By facilitating this open communication we avoid an escalation of a potential issue.

There will always be a limit to how much you can know from outside. If you time traveled to January this year, would you have been able to tell that Mt. Gox was having serious trouble?

I think there were several red flags about Mt. Gox and their security. Just the fact that their public communication was horrible and they often did not respond publicly to security concerns raised by the community.

However, I agree that there is an information discrepancy between the exchange and the consumers. One way to limit this information asymmetry is to put your money where your mouth is by running a bug bounty program and leveraging the security community.