Category Archives: blockchain

Is there a weak link in blockchain security?

Recent research revealed that blockchain is set to become ubiquitous by 2025, entering mainstream business and underpinning supply chains worldwide. This technology is set to provide greater transparency, traceability and immutability, allowing people and organizations to share data without having to be concerned about security. However, blockchain is only as strong as its weakest link. Despite the hails surrounding blockchain’s immutable security, there are still risks surrounding it that organizations must be aware of – … More

The post Is there a weak link in blockchain security? appeared first on Help Net Security.

Tackling The Weaknesses Outside The Blockchain System To Protect Your Cryptocurrency

protect cryptocurrency blockchain

There’s a general consensus in the crypto industry that blockchain cannot be hacked. This is because blockchain transactions listed on the distributed ledgers are immutable meaning they cannot be erased, changed or configured.

The distributed general system also has accountability in place so that all transactions distributed across each node must be the same in order to achieve consensus.

The blockchain so far have proven to be impossible to hack, but organizations are using blockchain in ways that involve elements outside the blockchain itself, such as crypto wallets.   

Because these elements exist outside the scope of the blockchain, they are susceptible to common web vulnerabilities, hackings, and other human errors. Therefore, if a transaction is handled improperly, it can be unintentionally listed as an official transaction.

For example, tokens stored in a wallet or an exchange whose website isn’t secure can lead to hacking episode and ultimately the withdrawal of tokens, which will be recorded on the distributed ledgers as valid transactions when they are not.

So what are companies and users left to do in protecting crypto assets?

While blockchain technology offers interesting security alternatives to cybersecurity in general, that does not mean traditional cybersecurity solutions and other cyber practices are obsolete in protecting against attacks that ultimately target cryptocurrency.

Check out our tips in protecting against some of the most common cyber hacks in the crypto world.

Web Attacks

Wallets don’t actually contain any crypto; instead they hold a private key, which is needed to access, withdraw, or trade it. Wallets are not protected by the same technology that makes blockchain essentially “unhackable.”

The same goes for crypto exchanges which is why we advise users to avoid holding significant amounts of coins on any exchange. Wallets and exchanges are also vulnerable to web attacks such as SQL injection and Cross-Site Scripting (XSS) attacks.

Hackers, for example, can launch SQL attacks to exploit a vulnerability in data input forms by inputting a malicious code into the login pages of a website or web app, thus revealing sensitive data like the private keys of wallets.

XSS attacks can be used by hackers to intercept information including login details between a client and server by executing a malicious code.

While these attacks can easily be thwarted off with a WAF, which monitors web traffic at the web application layer in the background and blocks malicious agents automatically, there are other ways end users can protect themselves.

As an end user, we highly recommend you to utilize “cold” wallets such as a ledger so that your private keys are stored offline unlike “hot” wallets which are always connected to the internet and are prone to hacking.

We also recommend users to write down their private keys in a safe location since anyone that gets hold of your mnemonic phrases can access your wallets.

Malware

Wallet addresses contain a long string of both numbers and letters (up to 21 characters) and are difficult to memorize. When users want to transfer funds to another wallet, most opt to copy and paste wallet addresses, but this shortcut creates an opportunity for certain malware to exploit it.

Though not entirely new in its execution, a trojan has been discovered that monitors over 2.3 million different crypto addresses and works by exploiting the clipboard function. It replaces the intended recipient wallet address with that of the attacker’s.

A similar malicious software called CryptoShuffler follows this trend and is known to also manipulate wallet addresses.

Unfortunately, these actions often go unnoticed by users, which puts them at risk when transferring funds. To protect against such malware, it’s important for users to keep their antivirus software and operating systems up to date, perform regular malware scans, and avoid installing untrusted software.

We also recommend users to always double check the intended recipient address prior to transferring any funds. A good tip is checking the first and last characters to see if they match the rightful wallet address.

Smart contracts

Smart contracts are commonly used to facilitate and conduct credible transactions on the blockchain without intermediaries.

Because they are directly tied to these transactions, they can hold massive amounts of digital currencies, making them a lucrative target for hackers.

Error codes or bugs in the smart contract can result in crypto being frozen or stolen by hackers.

In some rare occasions, hackers can also gain direct access to a smart contract by obtaining the private key to steal funds and then replacing addresses with fraudulent ones.

Utilizing external auditors can help to inspect the code for any vulnerabilities. For organizations, we recommend finding reputable auditors who have a track record in protecting against such attacks or errors.

Fake Apps and Classic Phishing

Phishing takes all kinds of forms in the crypto world. Most phishing scams aim to either steal credentials to access wallets or trick users into sending crypto directly to addresses of scammers or hackers.

The ways in which hackers “phish” for new victims are many.

This includes hackers cloning websites that mimic legitimate exchange sites or malicious crypto apps to steal personal information including wallet credentials.

There are also bots that notify users about issues with their crypto but are actually malicious and used to steal crypto, and not to mention the usage of Telegram to pose as ICO team members and then asking users to invest and send crypo to fraudulent addresses.

Another rising trend among scammers is figuring out how to bypass 2FA by duping telecom companies into sending verification codes to the phone numbers of scammers. This grants them access to authentication on crypto accounts and exchanges.

These types of social engineering tactics are highly prevalent. Taking extra precaution while whether it’s discussing, investing, or transferring crypto is absolutely necessary as anyone can fall victim to classic phishing scams.

Conclusion

Unlike banks which offer standard protections and insurances for customers, the blockchain cannot offer the same luxury to crypto holders.

Elements outside the blockchain make it difficult for companies and users using blockchain to remain entirely protected. Protecting these elements, namely crypto wallets and exchanges, is one of the biggest challenges in blockchain security .

A proper cyber defense strategy will seek to incorporate traditional solutions like using antivirus software and running malware scans, but it’s also equally important to use common sense when dealing with anything crypto.

 


Make sure to follow us on our social media platforms (LinkedInTwitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post Tackling The Weaknesses Outside The Blockchain System To Protect Your Cryptocurrency appeared first on Cloudbric.

Cryptojacking Up 4,000% How You Can Block the Bad Guys

Cryptojacking RisingThink about it: In the course of your everyday activities — like grocery shopping or riding public transportation — the human body comes in contact with an infinite number of germs. In much the same way, as we go about our digital routines — like shopping, browsing, or watching videos — our devices can also pick up countless, undetectable malware or javascript that can infect our devices.

Which is why it’s possible that hackers may be using malware or script to siphon power from your computer — power they desperately need to fuel their cryptocurrency mining business.

What’s Cryptocurrency?

Whoa, let’s back up. What’s cryptocurrency and why would people rip off other people’s computer power to get it? Cryptocurrencies are virtual coins that have a real monetary value attached to them. Each crypto transaction is verified and added to the public ledger (also called a blockchain). The single public ledger can’t be changed without fulfilling certain conditions. These transactions are compiled by cryptocurrency miners who compete with one another by solving the complex mathematical equations attached to the exchange. Their reward for solving the equation is bitcoin, which in the crypto world can equal thousands of dollars.

Power Surge

Cryptojacking RisingHere’s the catch: To solve these complex equations and get to crypto gold, crypto miners need a lot more hardware power than the average user possesses. So, inserting malicious code into websites, apps, and ads — and hoping you click — allows malicious crypto miners to siphon power from other people’s computers without their consent.

While mining cryptocurrency can often be a harmless hobby when malware or site code is attached to drain unsuspecting users CPU power, it’s considered cryptojacking, and it’s becoming more common.

Are you feeling a bit vulnerable? You aren’t alone. According to the most recent McAfee Labs Threats Report, cryptojacking has grown more than 4,000% in the past year.

Have you been hit?

One sign that you’ve been affected is that your computer or smartphone may slow down or have more glitches than normal. Crypto mining code runs quietly in the background while you go about your everyday work or browsing and it can go undetected for a long time.

How to prevent cryptojacking

Be proactive. Your first line of defense against a malware attack is to use a comprehensive security solution on your family computers and to keep that software updated.

Cryptojacking Blocker. This new McAfee product zeroes in on the cryptojacking threat and helps prevent websites from mining for cryptocurrency (see graphic below). Cryptojacking Blocker is included in all McAfee suites that include McAfee WebAdvisor. Users can update their existing WebAdvisor software to get Cryptojacking Blocker or download WebAdvisor for free.

Cryptojacking Rising

Discuss it with your family. Cryptojacking is a wild concept to explain or discuss at the dinner table, but kids need to fully understand the digital landscape and their responsibility in it. Discuss their role in helping to keep the family safe online and the motives of the bad guys who are always lurking in the background.

Smart clicks. One way illicit crypto miners get to your PC is through malicious links sent in legitimate-looking emails. Be aware of this scam (and many others) and think before you click on any links sent via email.

Stick with the legit. If a website, an app, or pop-up looks suspicious, it could contain malware or javascript that instantly starts working (mining power) when you load a compromised web page. Stick with reputable sites and apps and be extra cautious with how you interact with pop-ups.

Install updates immediately. Be sure to keep all your system software up-to-date when alerted to do so. This will help close any security gaps that hackers can exploit.

Strong passwords. These little combinations are critical to your family’s digital safety and can’t be ignored. Create unique passwords for different accounts and be sure to change out those passwords periodically.

To stay on top of the latest consumer and security threats that could impact your family, be sure to listen to our podcast Hackable? And, like us on Facebook.

The post Cryptojacking Up 4,000% How You Can Block the Bad Guys appeared first on McAfee Blogs.