Blockchain has become the buzzword of choice across a wide spectrum of industries, such as finance, tech, and information security. However, what blockchain is and what its applications are still seem to be unclear to many. For this article, we spoke to Cesar Cerrudo, CTO of IOActive Labs, for a breakdown of blockchain and why it’s important for information security professionals.
What is blockchain?
To put it simply, a blockchain is a digital ledger that records transactions in chronological order and protects that record with cryptography. Transactions are grouped into ‘blocks’, and each new block carries a cryptographic hash of the block before it, so the ledger grows as a chain of linked blocks, hence the name ‘blockchain.’ Unlike rows in an ordinary database, which can be updated or deleted in place, a transaction that has been confirmed in a block cannot be changed without invalidating every block that follows it. This is why Cerrudo considers blockchain to be “immutable”, one of its defining distinctions.
This ‘immutability’ also depends on the decentralized nature of the blockchain infrastructure. As Cerrudo explained, a blockchain relies on any number of different computers that each hold a copy of the ledger and validate new transactions. A copy that has been altered disagrees with all the others and is rejected, so no single party can edit the history on its own.
Given that context, we can expand the definition: a blockchain is a decentralized, append-only, chronological record of transactions, replicated across multiple computers that each verify the blockchain’s validity.
Why is blockchain useful or important? Some real-world applications
Because a blockchain essentially ‘locks in’ information, it can be used for ownership records, asset management, recording transactions, proving that a document existed at a given time (timestamping), and anchoring signatures that cannot later be altered.
Its decentralized aspect, however, is why it has been such an impactful technology, especially in the financial world. Decentralization removes the need for a third-party verifier (such as a bank), making transactions faster and more efficient.
The use of blockchain is best exemplified by smart contracts: code stored on the chain that represents and executes an agreement between parties and that cannot be altered once deployed. Cerrudo sums it up.
“[Smart contracts are] autonomously enforced - you don’t need a third party to execute the contract. With the blockchain, a smart contract is automatically executed when its qualities are met.”
For any agreement whose terms can be defined and executed upon specific conditions, a smart contract can be cheaper, faster, and, provided the contract code itself is correct, safer.
ICOs (Initial Coin Offerings)
If you’re familiar with ICOs, you’ve already seen smart contracts in play. ICOs are an increasingly common way of raising capital for startups without resorting to traditional funding methods such as VC fundraising or taking out loans. Using smart contracts, companies offer their ‘coins’ (a form of cryptocurrency, covered later in this article) to investors and release them once a set of conditions is met.
However, given some recent news about ICOs, you might find yourself a little wary. When it comes to ICOs, Cesar has some practical advice.
“There are many scammers running ICOs and making easy money, but there are legitimate businesses and honest people running ICOs. If you’re going to invest in ICOs, you have to do research, just like if you were investing in a stock market. Look at the company, the leadership, the company’s background, where you think it’ll be. If you don’t [do your research], you’re at risk of getting hit by scammers.”
A Brief Aside on Bitcoin and Cryptocurrency: Although blockchain and cryptocurrency are often discussed in the same conversations, they aren’t the same thing. Cryptocurrency relies on blockchain infrastructure, but blockchain applications stretch much farther. It’s worth noting, though, that because cryptocurrencies are built on blockchain infrastructure, that infrastructure has allowed a mass proliferation of cryptocurrencies for a wide variety of uses, some legitimate and some not.
Why is the blockchain important to the information security industry?
The underlying principles, features, and functions of blockchain are useful to information security experts and to hackers and malicious actors alike.
Because there’s no need for a third party to verify transactions, hackers can hide better than before while they conduct their business. And because some cryptocurrencies are built for anonymity, criminals can keep their identities hidden while handling cryptocurrency. This is why most ransomware demands payment in cryptocurrency.
The increased speed of transactions facilitated by blockchain also helps hackers. Cryptocurrency is held in digital wallets, and to obscure its movement and minimize the risk of being traced, hackers can shuffle funds across wallets in a fraction of the time previously required. Cesar offers an example.
“[If a hacker] is asking for money and specifies a bank account to receive that money, law enforcement can trace that easily. But for anonymous cryptocurrencies and other blockchain activity, the hacker can receive that money and quickly move it through 5 different digital wallets, making tracing complicated. While all the transactions are transparent because the blockchain is public, you can’t see who’s behind the movements.”
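The tracing Cesar describes is possible precisely because every transfer is recorded on a public ledger. The following is an added example, not code from the article or from IOActive: a forward trace over a constructed, made-up ledger that starts at a ransom address, follows outgoing transfers for a bounded number of hops, and reports where the funds land. The ledger entries, the address names, and the "exchange deposit" label are all invented for illustration; on a real chain the same walk would be made over transaction inputs and outputs fetched from a node or block explorer.

```python
from collections import deque

# Constructed sample ledger (invented for this example, not real transactions).
# Every transfer is public; the only thing missing is who controls each address.
LEDGER = [
    {"txid": "t1", "from": "victim_addr", "to": "ransom_addr",      "amount": 1.00},
    {"txid": "t2", "from": "ransom_addr", "to": "hop1",             "amount": 0.99},
    {"txid": "t3", "from": "hop1",        "to": "hop2",             "amount": 0.98},
    {"txid": "t4", "from": "hop2",        "to": "hop3",             "amount": 0.60},
    {"txid": "t5", "from": "hop2",        "to": "hop3b",            "amount": 0.37},
    {"txid": "t6", "from": "hop3",        "to": "hop4",             "amount": 0.59},
    {"txid": "t7", "from": "hop4",        "to": "exchange_deposit", "amount": 0.58},
    {"txid": "t8", "from": "unrelated",   "to": "hop1",             "amount": 3.00},  # inbound noise, never followed
]

# Assumed labels an investigator already holds (e.g. deposit addresses of a regulated exchange).
KNOWN_LABELS = {"exchange_deposit": "deposit address at an exchange that performs KYC (assumed label)"}

def index_by_sender(ledger):
    """Group transfers by sending address so each hop is a dictionary lookup."""
    by_sender = {}
    for tx in ledger:
        by_sender.setdefault(tx["from"], []).append(tx)
    return by_sender

def trace_outflows(ledger, start, max_hops):
    """Breadth-first forward trace from `start`, following outgoing transfers only.
    Returns {address: (hops_from_start, [txids along the path])} for every address reached.
    max_hops bounds the search so a busy address does not pull in the whole chain."""
    by_sender = index_by_sender(ledger)
    reached = {start: (0, [])}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        hops, path = reached[addr]
        if hops >= max_hops:
            continue
        for tx in by_sender.get(addr, []):
            nxt = tx["to"]
            if nxt not in reached:  # first visit is the shortest path from the start address
                reached[nxt] = (hops + 1, path + [tx["txid"]])
                queue.append(nxt)
    return reached

def labelled_endpoints(reached, labels):
    """Where the trace meets an address whose owner is known, the trail becomes actionable."""
    return {addr: labels[addr] for addr in reached if addr in labels}

def demo():
    reached = trace_outflows(LEDGER, "ransom_addr", max_hops=5)
    return reached["exchange_deposit"], labelled_endpoints(reached, KNOWN_LABELS)

if __name__ == "__main__":
    print(demo())
```

The five wallets the funds pass through do not stop the trace; what stops it in practice is a hop into a mixing service or a privacy coin, where the one-to-one link between sender and recipient is deliberately broken. The hop bound matters for the same reason Cesar gives: a single busy intermediary address can fan out into thousands of transfers.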
For Infosec Professionals
Fortunately, the blockchain isn’t all bad news. Leveraging it in information security efforts can be a significant boon for companies.
Blockchain’s decentralized nature not only makes it difficult for hackers to take down a network or company outright; it also adds a significant amount of resiliency to a company’s network.
In a decentralized system, copies of the ledger exist across a number of devices and computers. “If”, Cesar explains, “your device or network [running on blockchain infrastructure] is hacked, you can easily detect and recover from that.”
Because so many copies exist, you can identify where the hacked copy diverges from the others and restore the system to its uncompromised state from a copy that wasn’t tampered with.
The speed that blockchain facilitates, whether through smart contracts, cryptocurrency, or other uses, also lets security practitioners do their work faster than usual. However, the blockchain isn’t a perfect system.
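As an added example (not code from the article or from IOActive), here is the hash-chained ledger described in the "What is blockchain?" section together with the detect-and-recover step described just above, written in Python. Transactions are grouped into blocks, each block commits to its predecessor's hash, editing a confirmed transaction on one replica breaks verification, and an intact replica is selected for recovery. The sample transactions, the all-zero genesis marker, and the choice of SHA-256 over a canonical JSON encoding are assumptions for illustration, not the design of any particular chain; real networks add consensus rules on top of this linking, which the example does not model.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # assumption: the first block points at an all-zero predecessor

# Constructed sample transactions (made up for this example), already grouped into blocks.
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}, {"from": "alice", "to": "dave", "amount": 1}],
    [{"from": "carol", "to": "alice", "amount": 1}],
]

def block_hash(block):
    """SHA-256 over a canonical encoding of everything in the block except its own hash."""
    payload = {k: v for k, v in block.items() if k != "hash"}
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()

def build_chain(batches):
    """Turn batches of transactions into a chain where each block commits to its predecessor."""
    chain, prev = [], GENESIS_PREV
    for height, txs in enumerate(batches):
        block = {"height": height, "prev_hash": prev, "txs": txs}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain

def verify_chain(chain):
    """(True, None) if every stored hash and every prev_hash link hold; else (False, first bad height)."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev or block_hash(block) != block["hash"]:
            return False, block["height"]
        prev = block["hash"]
    return True, None

def tampered_copy(chain, height, new_amount, rehash=False):
    """Simulate an attacker editing a confirmed transaction on one replica.
    With rehash=True the attacker also recomputes that block's hash; the next block's
    prev_hash then no longer matches, so the break is detected one block later instead."""
    replica = copy.deepcopy(chain)
    replica[height]["txs"][0]["amount"] = new_amount
    if rehash:
        replica[height]["hash"] = block_hash(replica[height])
    return replica

def recover(replicas):
    """Detect-and-recover: discard replicas that fail verification, keep the longest valid one."""
    valid = [c for c in replicas if verify_chain(c)[0]]
    return max(valid, key=len) if valid else None

def demo():
    good = build_chain(SAMPLE_BATCHES)
    edited = tampered_copy(good, 1, 200)                 # caught at block 1: stored hash no longer matches
    edited_rehashed = tampered_copy(good, 1, 200, True)  # caught at block 2: its prev_hash is the old hash
    return verify_chain(edited), verify_chain(edited_rehashed), recover([edited, edited_rehashed, good]) == good

if __name__ == "__main__":
    print(demo())
```

The second tampering case is the one that makes the chaining matter: recomputing one block's hash is trivial, but it forces the attacker to recompute every later block as well, and every other replica still holds the original hashes to compare against.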
Blockchain’s shortcomings - what to know
Cesar mentioned that a common misconception is that ‘blockchain can’t be hacked.’ While blockchain provides resiliency and facilitates recovery, it isn’t invincible. For example, a company’s blockchain network is still vulnerable to DoS (denial of service) attacks, and while recovery is easier and faster, an attacker can still use that short window of downtime to carry out the rest of their attack.
On the other side, blockchain doesn’t offer absolute anonymity either. Cesar points out that “bitcoin isn’t actually anonymous. Everyone has a wallet and you know who that wallet belongs to and can track that.” While a criminal may move quickly to try to stay hidden, every transfer is still recorded on the public ledger and can be followed from wallet to wallet, so don’t consider it a futile effort if you’re hit by a hacker asking for BTC.
Lastly, if smart contracts aren’t written properly, they can be exploited. The DAO, a well-known organization, raised funds through a cryptocurrency-based smart contract and was famously hacked after a vulnerability was discovered in that contract’s withdrawal logic: a reentrancy flaw, where the contract sent funds to the caller before updating the caller’s balance, so the withdrawal could be repeated before the balance changed. The attacker stole millions by exploiting it.
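The DAO pattern in miniature, as an added example that is neither The DAO's Solidity code nor code from the article: a Python model of a contract holding deposits, run once with the vulnerable ordering (external call first, balance update after) and once with the checks-effects-interactions fix (balance zeroed before the call). The recipient's `received` method stands in for a Solidity fallback function, the `max_depth` counter stands in for the gas limit, and the deposit amounts are constructed for the demonstration.

```python
class InsufficientFunds(Exception):
    """Stands in for a Solidity revert."""

class Vault:
    """Toy model (Python, not Solidity) of a contract holding user deposits.
    fixed=False reproduces the call-before-update ordering; fixed=True applies
    the checks-effects-interactions rule."""

    def __init__(self, fixed):
        self.fixed = fixed
        self.balances = {}   # caller object -> credited amount
        self.pool = 0        # funds the contract actually holds

    def deposit(self, caller, amount):
        self.balances[caller] = self.balances.get(caller, 0) + amount
        self.pool += amount

    def withdraw(self, caller):
        amount = self.balances.get(caller, 0)
        if amount == 0 or amount > self.pool:
            raise InsufficientFunds
        if self.fixed:
            self.balances[caller] = 0      # effect first ...
            self._send(caller, amount)     # ... external interaction last
        else:
            self._send(caller, amount)     # external call while the balance is still credited
            self.balances[caller] = 0      # too late: the recipient may already have re-entered

    def _send(self, recipient, amount):
        self.pool -= amount
        recipient.received(self, amount)   # recipient code runs here, like a Solidity fallback

class Honest:
    def __init__(self):
        self.got = 0
    def received(self, vault, amount):
        self.got += amount

class Attacker:
    """Its 'fallback' calls withdraw again before the vault has zeroed its balance."""
    def __init__(self, max_depth):
        self.got, self.depth, self.max_depth = 0, 0, max_depth   # max_depth plays the role of the gas limit
    def received(self, vault, amount):
        self.got += amount
        if self.depth < self.max_depth:
            self.depth += 1
            try:
                vault.withdraw(self)
            except InsufficientFunds:
                pass                      # pool empty, or (in the fixed vault) balance already zero

def run_attack(fixed, honest_deposit=10, attacker_deposit=1, max_depth=20):
    """Return (amount the attacker received, funds left in the vault). Numbers are constructed."""
    vault, honest, attacker = Vault(fixed), Honest(), Attacker(max_depth)
    vault.deposit(honest, honest_deposit)
    vault.deposit(attacker, attacker_deposit)
    vault.withdraw(attacker)
    return attacker.got, vault.pool

if __name__ == "__main__":
    print("vulnerable:", run_attack(fixed=False))   # attacker drains the honest deposit too
    print("fixed:     ", run_attack(fixed=True))    # attacker gets back exactly what it deposited
```

In the vulnerable run the attacker deposited 1 and walks away with the honest user's 10 as well, because each re-entered `withdraw` still sees the original credited balance. Reordering the two statements is the whole fix; a reentrancy guard (a mutex flag set for the duration of the call) is the belt-and-braces addition used in practice.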
Ultimately, knowledge is half the battle when it comes to blockchain. By understanding what it is and knowing how it can be utilized by both halves of the information security/hacker dynamic, you’re able to make better, more informed decisions for your organization.