CrowdCurity Co-founder Discusses Crypto-Industry Security Concerns

by Ron Finberg
  • The crypto world has been particularly susceptible to security breaches due to its very nature.
CrowdCurity Co-founder Discusses Crypto-Industry Security Concerns
Photo: Bloomberg
Join our Telegram channel
esben

As much as we’re making advances in security technology, the cryptocurrency industry included, it seems that hackers have had no problem keeping pace. Within the past couple of weeks, there have been major incidents at JPMorgan, Home Depot and the iCloud. Heartbleed still hasn’t been properly addressed in many firms. And judging by recent trends, there’s likely more going on yet to be discovered.

Since its inception, the crypto world has been particularly susceptible due to its very nature: there is no third party supervising transactions, which cannot be reversed.

With a focus on the crypto industry, CrowdCurity aims to give firms that extra confidence by crowd-connecting them to experts and researchers capable of uncovering vulnerabilities they weren’t aware of. Through one of several CrowdCurity’s programs, they are rewarded with bounties offered by the participating firm. Of particular importance are products moving from a public beta to stage to full scale launch.

Participating companies include Vault of Satoshi, ANXBTC and BitGo- one of the industry’s pioneering leaders in enterprise-grade security and multisignature technology.

DC Magnates spoke with CrowdCurity co-founder Esben Friis-Jensen to see what’s trending. The original interview can be read in full by accessing the following link.

1. Did you receive a lot of Heartbleed related activity?

Yes, we saw that around 75% of our clients within 24 hours had patched and updated their SSL certificates. Businesses which did not patch quickly received numerous reports from the security community and patched subsequently within 72 hours – so overall pretty quick response from both businesses and security researchers.

2. What were the core vulnerabilities behind some of the recent major cryptocurrency hackings and thefts (e.g. Nxt on BTER)?

Many businesses do not release information on how a given hack was done. In the BTER case the information disclosed was that the access to a server which was yet to be protected with two-factor auth was bypassed. In general many hacks are done exploiting vulnerabilities which could easily have been patched if proper security testing was done.

What was interesting specifically for this attack was the discussions going on afterwards where Nxt core developers were suddenly involved in whether to do a hard fork and try rolling back the Blockchain . What is fascinating is that these type of responses to hacks are now possible and one can actually “revert the past” / “rewrite history” which puts a new twist on when something has been hacked and raises a 1000 other questions. It would have been a massive move if they had rolled back the blockchain, however in the end developers and Nxt community decided on the right thing (in our view) and did not do it.

3. Can the operation one day evolve to one where the researcher/business interact entirely on a p2p basis, without a middleman? For example, a decentralized platform integrating trust/reputation management and protection against counterparty default, as seen with some emerging Cryptocurrencies .

Yes, this is something very interesting and we are following closely the p2p technologies coming and thinking about how we can integrate those in our offering. In particular we have been looking at both BitMessage and BitAuth. A technology like BitAuth could for example mitigate the impact of servers being hacked and thousands of username and passwords lost, so I think web apps are going to move in this direction. But so far these technologies are still at an early stage so we are monitoring and will implement when the timing is right. OpenBazaar is also an extremely interesting case for a decentralised marketplace.

4. Has CrowdCurity offered any bounties for those checking out its own security?

With the recent ICloud hack, attacks on personal accounts are definitely a hot topic and personal bounties is something which we find interesting. But at the moment we are focusing all our efforts on really killing it on the web app security, and this is going to be our focus in the near future. We want to do one thing very good and that requires focus.

5. It appears the focus is on security. Can the same program be leveraged for general bugs?

Yes and there do exist other sites using the bounty model for other than security issues. One example is bountysource.com, which delivers a bounty based model for fixing bugs and adding features for open source projects. At CrowdCurity we have decided to focus purely on security and the crowd we attract are people who are skilled within this particular space.

6. What are the biggest security threats trending now- for Bitcoin and elsewhere?

There are both technical threats and threats exploiting the human factor. From a technical standpoint many sites still lack protection against the typical XSS, CSRF, SQL injection and Denial of Service attacks. On the human side you have the issues of social engineering due to lack of proper security training e.g. phishing is an example of this. For Bitcoin in particular one of the biggest issues is improper storage of private keys. Which is both a problem for exchanges/wallets and individuals.

esben

As much as we’re making advances in security technology, the cryptocurrency industry included, it seems that hackers have had no problem keeping pace. Within the past couple of weeks, there have been major incidents at JPMorgan, Home Depot and the iCloud. Heartbleed still hasn’t been properly addressed in many firms. And judging by recent trends, there’s likely more going on yet to be discovered.

Since its inception, the crypto world has been particularly susceptible due to its very nature: there is no third party supervising transactions, which cannot be reversed.

With a focus on the crypto industry, CrowdCurity aims to give firms that extra confidence by crowd-connecting them to experts and researchers capable of uncovering vulnerabilities they weren’t aware of. Through one of several CrowdCurity’s programs, they are rewarded with bounties offered by the participating firm. Of particular importance are products moving from a public beta to stage to full scale launch.

Participating companies include Vault of Satoshi, ANXBTC and BitGo- one of the industry’s pioneering leaders in enterprise-grade security and multisignature technology.

DC Magnates spoke with CrowdCurity co-founder Esben Friis-Jensen to see what’s trending. The original interview can be read in full by accessing the following link.

1. Did you receive a lot of Heartbleed related activity?

Yes, we saw that around 75% of our clients within 24 hours had patched and updated their SSL certificates. Businesses which did not patch quickly received numerous reports from the security community and patched subsequently within 72 hours – so overall pretty quick response from both businesses and security researchers.

2. What were the core vulnerabilities behind some of the recent major cryptocurrency hackings and thefts (e.g. Nxt on BTER)?

Many businesses do not release information on how a given hack was done. In the BTER case the information disclosed was that the access to a server which was yet to be protected with two-factor auth was bypassed. In general many hacks are done exploiting vulnerabilities which could easily have been patched if proper security testing was done.

What was interesting specifically for this attack was the discussions going on afterwards where Nxt core developers were suddenly involved in whether to do a hard fork and try rolling back the Blockchain . What is fascinating is that these type of responses to hacks are now possible and one can actually “revert the past” / “rewrite history” which puts a new twist on when something has been hacked and raises a 1000 other questions. It would have been a massive move if they had rolled back the blockchain, however in the end developers and Nxt community decided on the right thing (in our view) and did not do it.

3. Can the operation one day evolve to one where the researcher/business interact entirely on a p2p basis, without a middleman? For example, a decentralized platform integrating trust/reputation management and protection against counterparty default, as seen with some emerging Cryptocurrencies .

Yes, this is something very interesting and we are following closely the p2p technologies coming and thinking about how we can integrate those in our offering. In particular we have been looking at both BitMessage and BitAuth. A technology like BitAuth could for example mitigate the impact of servers being hacked and thousands of username and passwords lost, so I think web apps are going to move in this direction. But so far these technologies are still at an early stage so we are monitoring and will implement when the timing is right. OpenBazaar is also an extremely interesting case for a decentralised marketplace.

4. Has CrowdCurity offered any bounties for those checking out its own security?

With the recent ICloud hack, attacks on personal accounts are definitely a hot topic and personal bounties is something which we find interesting. But at the moment we are focusing all our efforts on really killing it on the web app security, and this is going to be our focus in the near future. We want to do one thing very good and that requires focus.

5. It appears the focus is on security. Can the same program be leveraged for general bugs?

Yes and there do exist other sites using the bounty model for other than security issues. One example is bountysource.com, which delivers a bounty based model for fixing bugs and adding features for open source projects. At CrowdCurity we have decided to focus purely on security and the crowd we attract are people who are skilled within this particular space.

6. What are the biggest security threats trending now- for Bitcoin and elsewhere?

There are both technical threats and threats exploiting the human factor. From a technical standpoint many sites still lack protection against the typical XSS, CSRF, SQL injection and Denial of Service attacks. On the human side you have the issues of social engineering due to lack of proper security training e.g. phishing is an example of this. For Bitcoin in particular one of the biggest issues is improper storage of private keys. Which is both a problem for exchanges/wallets and individuals.

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}