A moment of silence, prayer for the dead (Terrorist attack on the streets attack near U.K. Parliament 22nd Mar 2017)
A moment of silence, prayer for the dead Tragedy in Russia - Explosion in the St. Petersburg metro 3rd Apr 2017
Part 2: Blockchain technology situation – Malware join to bitcoin mining
We continuous the discussion topic on blockchain technology situation. Part 1:Blockchain technology situation – A Tales of Two Cities The discussion on part 2 mainly focus on malware threats to bitcoin industry. We understand that Bitcoin was designed to be uncensorable digital cash that could operate outside the existing financial system. As mentioned last time, it looks that the blockchain technology contained weakness on end point device (bitcoin owner workstation or mobile phone). Even though you deploy a proprietary wallet, the overall setup will become weakness once malware compromise your end point device. Below picture diagram bring an idea to reader of bitcoin wallet architecture, see whether you have different idea in this regard?
Bitfinex incident wakes up concern on endpoint security
More than US$60m worth of bitcoin was stolen from one of the world’s largest digital currency exchanges (Bitfinex) on 2nd Aug 2017. Nearly 120,000 units of digital currency bitcoin worth about US$72 million was stolen from the exchange platform Bitfinex in Hong Kong, said Reuters Technology News. Director of Community & Product Development for Bitfinex stated that the bitcoin was stolen from users’ segregated wallets. The investigation has found no evidence of a breach to any BitGo servers, said the representative of BitGo.
Since no evidence proof that security breach happened in that place but what is the possible cause?
An announcement posted by official group (Bitfinex), the company informed that there are going to secure the environment and bring down the web site and the maintenance page will be left up. From technical point of view, if API and signing keys reside on servers. Hacker might have access with legitemate credential once a bitcoin wallet user workstation compromised.As a matter of fact if the webservice is hacked, bitcoin owner will lost the money (see above bitcoin wallet architecture comparison diagram for reference).
The weakness of Node.J.S trading API Framework.
The java script contain security weakness. It benefits hacker to understand the operation path. For instance
Client send his payload, his key, and the hmac of his payload with his secret key. Server retrieve user with his pk, recompute the hmac with the retrieved sk and then check if the computed hmac is equal to the retrieved hmac. (see below program syntax for reference).
From technical point of view, malware which contains steal private key or digital certificate function, they have capability transform to bitcoin malware. As usual, the infection technique relies on Spear phishing. The emails contained a malicious attachment with the file which contained a zero-day exploit. The exploit attacked multimedia software platform used for production of animations especially Adobe Flash to install a malware onto the victim’s computer.
Then malware obtained bitfinex private key and one of the following item.
i) bitgo’s private key
ii) bitfinex bitgo’s username and password and authy’s credentials (that allows the hacker to create new api access tokens and remove daily limits)
iii) bitfinex bitgo’s api access token
Or apply new keys gave to bitgo as new 2-3 internal bitfinex address. signed tx with bfx key, and “new key” that was just given. Meanwhile bypassing bitgo’s security checks.
Above information detail is one of the example. It looks that quote a real incident can increase the visibility of the understanding. Apart from that, discussion looks never ending. I believed that part 3 will be coming soon.