Blockchain Security

Episode Highlights & Discussion

A Lengthy History of Cyber Security Experience (00:40)

Michael: I started the cyber security about 20 years ago in the Israeli cyber command, basically the corresponding unit to the American NSA. About nine years ago, I started my previous company…doing mobile security for enterprise customers. Basically, protecting their mobile devices from being hacked; malware attacks over WIFI, phishing and so on. We had folks like Intel, Samsung, and Geico as part of our customer base.

About three years ago I sort of stepped into the Bitcoin & blockchain space – we actually were investigating a fairly big hack that happened South Korea. That was sort of the first time that I stepped into this asset class and then realized that there is work to be done here to increase the security.

Fireblocks Aims To Solve An Age-Old Cyber Security Issue (03:30)

Michael: A lot of trading related activities and setups were being established from hedge funds to exchanges, to proprietary trading groups, to a lot of different brokers, OTCs, lending providers – generally speaking they need a very different infrastructure. You clearly have a lot of both external cybersecurity risks, but also internal cyber security risks inside the institutional environments. Our average transaction size is north of $100,000 – you have zero room to make a mistake because the nature of public blockchains is that there is no recourse.

Because there were so many mistakes or hacks…most organizations had a lot of operational constraints in terms of how they were actually sending the transactions: they will do all the tests transfers, they will have multiple people approve and sign those transactions to make sure that there are no errors…you are only able to do those transactions incidents during certain windows during the day…A lot of different constraints, anxiety, and operational deficiency. It’s not a good return on capital.

You are still susceptible to the human factor. You actually need to do 100 transactions per day, and you have three, four people in your operations team. At some point they will make an error, right? That’s just a numbers game over there.

Basically, what we’ve created is a solution that solves all those issues. First, we provide our customers with a high secure, high SLA storage that is institutional grade. Second, is basically what we call the Fireblocks Network is essentially an authentication network for settlements between counter parties. We currently have integration to about 30 exchanges. We have over 60 market participants on our platform. Overall, 90 organizations that are on our platform, transferring coins between them with a click of a button without actually being susceptible to making a human error or susceptible to any of those hacks.

Three Critical Attack Vectors Exploited by Hackers to Steal Digital Assets (Text From Fireblocks WhitePaper; Discussion @ 12:25)

Wallet Compromise
Access to your wallet is powered by private keys which control your funds stored on the blockchain. This means that as soon as a malicious actor acquires your private key they too have control and can transfer the funds from the wallet. The most common methods for compromising private keys are:
• Infecting a server with malware that steals the private key.
• Stealing the HSM authentication token and forcing the HSM to sign a withdraw transaction.
• An authorized internal employee steals the private key.
Deposit Address Spoofing
Derived from the public key, deposit addresses are long strings of alphanumeric values that designate the public address of a wallet to which funds are sent. In order for two parties to facilitate a transaction, they need to exchange the deposit address. However, as there is no current end-to-end security protocol for the address exchange, hackers can target the procedure at any number of points along the way. Such methods include:
• Spoofing the address while copy and pasting between the web browser and the wallet’s app.
• Hijacking javascript(s) on the exchange’s website and spoofing the address at the origin.
• Malicious chrome plugins that hijack the web browser (man-in-the-browser).
• Malware that hijacks the wallet interface or driver.
Credentials and API Keys
Currently, each exchange and liquidity provider requires a set of credentials (username and password) in order to gain access. In addition, API-keys can be generated for automated access to the platforms. These credentials are particularly vulnerable to many traditional forms of malware such as keylogging and phishing. API-keys stored in trading software can be harvested if the server or code repository is compromised. Once a hacker obtains elevated credentials or API-keys they could:
• Instruct unauthorized withdrawal of funds from an exchange.
• Manipulate the market using pre-funded assets on a compromised account.