Protecting the Web Assets of Cryptocurrency Exchanges
This article was created in partnership with Incapsula. Thank you for supporting the partners who make SitePoint possible.
The rise of bitcoin is grabbing the attention of hackers who could get rich with a single successful raid. If exchanges are not employing a DDoS solution from companies like Incapsula, they are sitting ducks for highly skilled and highly motivated hackers.
Where the Money Is
Willie Sutton, the notorious bank robber, was asked by a reporter why he robbed banks and reportedly replied simply, “Because that’s where the money is.” Sutton died in 1980, and if he were robbing today it wouldn’t be banks, because that’s where the money isn’t.
Today bank branches really only have a few thousand dollars on hand for small transactions. Banks keep their customers’ money centralized in digital form, surrounded by layers of security governed by state and federal regulations and compliance laws.
And even with all this protection, banks are still successfully robbed online. It’s not easy. Hacking a bank typically requires a large syndicate with deep pockets, such as a nation state. Banks don’t publicize successful attacks because it’s bad for business. One well-documented campaign, reported in 2015, was a slow bleed of many institutions in over 30 nations.
Because banks are so well protected, the next logical frontier for hackers going ‘where the money is’ is the coin exchanges, which manage digital currencies, and the businesses running initial coin offerings (ICOs). It doesn’t matter that financial experts like Warren Buffett dismiss cryptocurrencies as Ponzi schemes that will end badly; they are minting millionaires and billionaires. Bitcoin, litecoin, ethereum and dozens of ICO tokens have acquired real value which can be exchanged for real goods and services. When bitcoin shot through the roof in late 2017, the Winklevoss twins became billionaires and rapper 50 Cent reportedly found himself sitting on a fortune.
Early adopters were drawn to bitcoin not to get rich so much as to use it as an online means of exchange with no central authority governing transactions. A secure transaction without a governing authority gave buyers and sellers something close to the anonymity of paying with cash in the real world, where a cash transaction can occur without a government, bank or anyone else’s knowledge. Strictly speaking, bitcoin is pseudonymous rather than anonymous: every transaction is public on the ledger, and only the link between an address and a person is missing. In that sense, cryptocurrency is internet cash.
The late adopters are drawn to bitcoin to get rich, in the same way people try to get rich on pork bellies. Bitcoin futures began trading in December 2017. This speculation has inflated the price to levels never before imagined, gaining the attention of hackers.
The attacks were happening even before the futures launched. Late last year, mining marketplace NiceHash suspended operations while it co-operated with authorities over what it called a ‘professional attack.’ The hack was “a highly professional attack with sophisticated social engineering” that resulted in the theft of approximately 4,700 bitcoin. Mt. Gox, then the largest bitcoin exchange, collapsed in 2014 after roughly 850,000 bitcoin were found to be missing.
Cash is King
Robbing coin exchanges is much easier than robbing online banks because the hackers don’t need to constantly obfuscate their actions to withdraw the cash. Cryptocurrency has pseudonymity built in: hackers only need to break into the exchange’s online (hot) wallets, steal the private keys or sign transactions with them, and move the coins to addresses they control.
The irony is that without a regulatory authority or an escrow, the strength of bitcoin is also its weakness, just as the strength of cash is also its weakness. Transactions are irreversible, so if your wallet is stolen there is no one to call and no means to get it back.
Sitting in comparatively under-protected domains, exchanges are the new targets for hackers because they are as vulnerable as anyone to a DDoS attack. Eli Feldman at Incapsula points out that while blockchain technology itself resists DDoS abuse through its distributed nature, the crypto wallets and ICO web sites around it are still centralized, and therefore vulnerable.
“Even companies with core business on blockchain require web servers,” wrote Feldman. “These servers are not necessarily used for websites that are accessed via browsers. They can be used for business transactions, client–server APIs, mobile apps APIs and other applications.”
Any business attempting an ICO or running services which manage cryptocurrencies is vulnerable to hackers who are well prepared to exploit any weakness. For example, last year CoinDash hosted a Token Generating Event that had two phases. The first phase was private: “whitelisted” users were invited to contribute ETH in exchange for CDT (CoinDash Token). That lasted 30 minutes. The second phase was then opened to the public, where anyone could contribute. But when the public phase started, an attacker who had compromised the CoinDash web site replaced the official contribution address with one he controlled. That went on for seven minutes, during which 43,000 ETH were sent to the attacker’s address.
An attack like that has to start with a way into the web application that serves the address. A web application firewall (WAF) in front of the site is there to block the injection, upload and similar attacks that give an intruder that access, so the switch would have been stopped at the door rather than noticed seven minutes later. A WAF not only protects the service from being attacked through its weak spots but also improves availability for highly distributed services. It secures the service and frees up resources that would otherwise go into hardening every endpoint by hand, which shortens development timelines.
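The CoinDash switch was, at bottom, a change to one string on a web page, and a WAF in front of the site never checks what the page says. Alongside the WAF, a practitioner would want a check that notices the change itself. The following is an added example, not code from the original article, from CoinDash or from Incapsula: a monitor that extracts every Ethereum-style address from a fetched copy of the contribution page and compares it with the address the team published out of band. The sample pages and every address in them are constructed for illustration.

```python
import re
from dataclasses import dataclass

# An Ethereum address as it appears in page text: "0x" plus 40 hex digits.
# The look-arounds stop the pattern from matching inside a longer hex string
# such as a 64-digit transaction hash.
ETH_ADDRESS_RE = re.compile(r"(?<![0-9A-Fa-f])0x[0-9A-Fa-f]{40}(?![0-9A-Fa-f])")


@dataclass(frozen=True)
class AddressCheck:
    expected_present: bool  # the published address is still on the page
    unexpected: tuple       # addresses on the page that nobody approved

    @property
    def ok(self):
        return self.expected_present and not self.unexpected


def find_eth_addresses(text):
    """Every Ethereum-style address in the text, lowercased, in order of first appearance."""
    found = []
    for m in ETH_ADDRESS_RE.finditer(text):
        addr = m.group(0).lower()
        if addr not in found:
            found.append(addr)
    return found


def check_contribution_page(html, expected_address, allowlist=()):
    """Compare the addresses shown on a fetched page with the one published out of band.

    Comparison is case-insensitive because EIP-55 renders the same address with
    mixed-case hex digits as a checksum; a change of case alone is not a new address.
    """
    expected = expected_address.lower()
    allowed = {expected, *(a.lower() for a in allowlist)}
    found = find_eth_addresses(html)
    unexpected = tuple(a for a in found if a not in allowed)
    return AddressCheck(expected_present=expected in found, unexpected=unexpected)


# --- Constructed sample pages (hypothetical addresses, not CoinDash's) -----
EXPECTED_ADDRESS = "0x" + "Aa" * 20            # announced through a separate channel
TOKEN_CONTRACT = "0x" + "c0ffee" * 6 + "c0ff"  # legitimately shown, so allowlisted
ATTACKER_ADDRESS = "0x" + "deadbeef" * 5
SOME_TX_HASH = "0x" + "ab" * 32                # 64 hex digits: must not be matched

GOOD_PAGE = f"""
<p>Send ETH to the contribution address: <code>{EXPECTED_ADDRESS}</code></p>
<p>Token contract: <code>{TOKEN_CONTRACT}</code></p>
<p>Example tx: <code>{SOME_TX_HASH}</code></p>
"""
DEFACED_PAGE = GOOD_PAGE.replace(EXPECTED_ADDRESS, ATTACKER_ADDRESS)

if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("defaced", DEFACED_PAGE)):
        result = check_contribution_page(page, EXPECTED_ADDRESS, allowlist=[TOKEN_CONTRACT])
        print(f"{name}: ok={result.ok} unexpected={result.unexpected}")
```

Run the check from a host outside the hosting environment, on the page as a visitor actually receives it, so that an intruder who controls the web server cannot also silence the monitor; and keep the expected address in the monitor’s configuration, not on the server being watched.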
Without adequate protection, a coin exchange site is also vulnerable to a variety of DDoS attacks: from a conventional volumetric layer 3 attack that knocks the site off the network completely, to a subtler layer 7 attack that sends well-formed HTTP requests and only degrades the service, so the site looks up while real customers cannot trade.
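What a layer 7 flood looks like in the access log, and the first thing a mitigation has to do about it, as an added example that is not the article’s or Incapsula’s code: a sliding-window request counter per client that flags anyone exceeding a threshold. The log lines are constructed, with addresses from the RFC 5737 documentation ranges, and the threshold and window are arbitrary. Every flood request is a well-formed GET that the application answers with 200, which is exactly why a layer 3 filter does not see it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# One line of the combined log format that nginx and Apache write by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def flag_layer7_floods(lines, window_seconds=10, max_requests=50):
    """Sliding-window request counter per client IP.

    Returns {ip: timestamp of the first request that pushed the client over
    max_requests within window_seconds}. Lines are expected in time order,
    which is how a log is written and how a tail follower would feed them.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        cutoff = rec["ts"] - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:
            q.popleft()
        if len(q) > max_requests and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


# --- Constructed sample log (not a real capture) -------------------------
LEGIT_IP = "203.0.113.5"
FLOOD_IP = "198.51.100.7"
BASE = datetime(2017, 12, 4, 10, 0, 0, tzinfo=timezone.utc)


def _render(ip, ts, path):
    # Every request is a valid GET answered with 200: nothing at layer 3 or 4
    # distinguishes the flood from a real customer.
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 1843'


def build_sample_log():
    """Five ordinary requests from one client over ten seconds, interleaved with
    200 requests in five seconds from another, all hitting an order-book endpoint."""
    events = [(BASE + timedelta(seconds=2 * i), LEGIT_IP, "/markets") for i in range(5)]
    events += [(BASE + timedelta(seconds=0.025 * i), FLOOD_IP, "/api/v1/orderbook?pair=BTC-USD")
               for i in range(200)]
    events.sort(key=lambda e: e[0])
    return [_render(ip, ts, path) for ts, ip, path in events]


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, ts in flag_layer7_floods(SAMPLE_LOG).items():
        print(f"{ip} exceeded the limit at {ts.isoformat()}")
```

A per-IP counter is the starting point, not the product: a distributed flood spreads its requests across thousands of source addresses so that no single one crosses the threshold, which is why mitigation services layer client reputation, JavaScript challenges and behavioural scoring on top of plain rate limiting.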
At first blush, a DDoS attack seems counterproductive for an attacker, because if the service is down the hackers can’t exploit it. Still, DDoS mitigation experts are seeing an increasing number of DDoS attacks, for various reasons. One likely reason is to cause a distraction. In a scenario where hackers gained a foothold in the network weeks or months earlier, a DDoS attack ties up an IT team that does not have enough staff to notice or prevent the theft of their digital assets.
For example, late last year cryptocurrency exchange Bitfinex was slammed with two DDoS attacks. In between the attacks was a ‘flash crash’ in which the prices of NEO, OMG and ETP reportedly plummeted by as much as 90 percent, prompting some traders to report severe losses.
Coin exchanges, and any site looking to run an ICO, that do not incorporate a DDoS mitigation strategy in their security profile, like the one provided by Incapsula, are inviting failure. The service will be attacked. It’s just a matter of when.
Willie Sutton would do well as a cyber criminal. Sutton was an early pioneer of social engineering. He would dress as a janitor or delivery man to gain the trust of a jewelry store owner before robbing him. Later, Sutton escaped from a Philadelphia prison by dressing as a guard, getting a ladder and climbing over the prison wall.