Google “blockchain” and “greatest invention” and you will discover headlines that suggest that “the blockchain is the most important invention since the Internet.” Of course, you might also observe that proponents of this idea are mainly coming from the crypto community – the people with a vested economic interest in making this so. And with the escalating concerns about privacy and information security on the Internet, there are those who would be happy to infer that the blockchain is secure because of its nature – immutable, tamper-proof and democratic. It achieves this status because it is distributed, uses cryptography and requires consensus as part of the process of recording the information into the blockchain.
Nothing is 100% secure – get over it!
But having such attributes doesn’t necessarily mean the data is secure. Indeed, the fact that information stored on the blockchain is publicly available implies that it is accessible. Maybe you can’t tamper with it with a 100% success rate, but surely if the 79-year history of electronic technology has taught us one thing, it is that nothing is 100% secure – just ask Adam Philpott, director of Cybersecurity at Cisco.
He concedes, however, that security is there to reduce risk.
So is the blockchain secure? John Kirch, chief evangelist, Uppsala Security, doesn’t think so. At the Icon Foundation Annual Summit in 2018, he conceded that while the core of blockchain is secure, distributed applications are not! And this is causing problems.
The hacking of wallets – Mt Gox (Japan, 2014), Bitfinex (2016), Gatecoin (Hong Kong, 2016), Youbit (Russia, 2017), Liqui (Ukraine, 2017) and Coincheck (Japan, 2018) – validates this assertion. Just recently, Singapore’s DragonEx was added to the roster of victims. But wallets and exchanges are not the only ones vulnerable to attacks.
The blockchain network itself can be attacked through distributed denial of service, transaction malleability attacks (altering the transaction ID and causing a transaction to be done more than once), time jacking, routing attacks, and Sybil attacks.
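How a changed transaction ID can lead to a payment being made twice, and how a payer can guard against it, shown as an added example that is not from the article or from any company named in it. It assumes a simplified transaction model in which the ID hashes the signature bytes; the `Tx` class, the helper names and the sample data are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    inputs: tuple    # outpoints being spent (hypothetical labels)
    outputs: tuple   # (address, amount) pairs
    sig: bytes       # signature bytes exactly as serialized

    def txid(self) -> str:
        # Simplified model: the ID covers the signature bytes, so a
        # re-encoded but still valid signature yields a different ID.
        blob = repr((self.inputs, self.outputs, self.sig)).encode()
        return hashlib.sha256(blob).hexdigest()

    def spend_key(self) -> str:
        # Stable identity: what is spent and where the value goes.
        blob = repr((self.inputs, self.outputs)).encode()
        return hashlib.sha256(blob).hexdigest()


def missing_by_txid(sent, chain):
    """Weak reconciliation: a withdrawal counts as paid only if its txid is on chain."""
    seen = {tx.txid() for tx in chain}
    return [tx for tx in sent if tx.txid() not in seen]


def missing_by_spend(sent, chain):
    """Hardened reconciliation: match on spent inputs and outputs, not on txid."""
    seen = {tx.spend_key() for tx in chain}
    return [tx for tx in sent if tx.spend_key() not in seen]


# Constructed sample data: one withdrawal, confirmed with a re-encoded signature.
SENT = Tx(("funding-tx:0",), (("customer-addr", 5),), b"\x30\x44sig")
CONFIRMED = Tx(SENT.inputs, SENT.outputs, b"\x30\x45\x00sig")

if __name__ == "__main__":
    # The txid check reports the withdrawal as unpaid, inviting a second payout.
    print("flagged by txid :", len(missing_by_txid([SENT], [CONFIRMED])))
    # The spend-based check recognizes the payment as already made.
    print("flagged by spend:", len(missing_by_spend([SENT], [CONFIRMED])))
```

A withdrawal flagged only by the txid check should be treated as an alert for investigation, never as grounds for an automatic re-send.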
Smart contracts are also vulnerable to attacks via weaknesses in the code itself – consider the case of the attack on the DAO, or Decentralized Autonomous Organization. A hacker found a loophole in the DAO’s code that allowed him to drain funds from it – just a month after its inception. As a general rule, smart contracts are also subject to DDoS, eclipse, and various low-level attacks.
Finally, virtual machines, as in the case of the Ethereum Virtual Machine, are also at risk from things like bugs in access control, cryptocurrency lost in the transfer, immutable defects, and short-address attack.
Wisdom of the crowd
It is this consensus bit that is the subject of discussion here. Uppsala Foundation, to be renamed Sentinel Protocol, was created on the recognition that security of the blockchain remains underdeveloped. The company utilizes what it refers to as a collective intelligence system to perform threat analysis.
Information is stored in what it calls a Threat Reputation Data (TRDB); security experts and vendors are compensated when they contribute to building the TRDB. It adds on preventive security measures such as machine learning for behavior modeling and cost-effective distributed sandboxing.
Narong Chong, head of operations at Uppsala Security, says the term collective threat intelligence is used because contributors provide intelligence, build a reputation, and are rewarded for contributing to the intelligence.
Chong acknowledges that most of today’s security information is stored in proprietary databases kept by vendors and end users. And while there is some sharing in some communities, what is shared is often a limited subset of the total stored and, more importantly, it is not subject to governance – no audit is conducted to check for validity.
By putting the information on the blockchain, Uppsala is making the information open and accessible to everyone, meaning it is auditable by any third party organization. Chong implies that by making it available to the public, anyone can “make sure that we ourselves are doing the right thing.”
Will it work?
One can only hope. From a business perspective, there is plenty of opportunity for Uppsala: as long as cryptocurrency exchanges operate – and get hacked – there is a market for services similar to Uppsala’s.
In addition, interest in smart contracts and distributed ledger technologies, a.k.a. the blockchain, continues unabated, with financial institutions putting serious money into investigating if and how the technology can support the business – be it to power a new business model or maybe as a way to make processes more secure.
In the meantime, proofs-of-concept, pilots and scaled-down application runs via sandboxes will continue to be the norm until such time as the blockchain technology is sufficiently mature, or financial institutions are confident the risks are manageable.