As of March 2018, there are more than 1,000 cryptocurrencies in circulation, with a total market value of more than US$400 billion, compared with only US$19 billion a year ago. Although the blockchain technology underlying cryptocurrencies is inherently secure in most cases, adoption is growing rapidly, and it has become urgent to understand how cryptocurrencies can be attacked and how the different participants in the ecosystem can protect their investments.
This article will help participants understand the vulnerabilities of cryptocurrencies and improve security, including:
· ICO issuers, whose websites receive the currency that investors send.
· Operators of cryptocurrency exchanges, which usually hold and trade millions of dollars in assets.
· Cryptocurrency owners, who must choose an exchange and protect their cryptocurrency wallets.
Weaknesses in the emerging cryptocurrency industry
The following are some of the key stages in the cryptocurrency life cycle at which security risks arise:
· ICO issuer websites (where the ICO is issued and where investors send their currency) may be attacked, interfering with the issuance of and subsequent support for the cryptocurrency. In one case, the issuing website was attacked by a hacker and the address for sending investments was changed, diverting part of the issued assets. ICO websites have also come under DDoS attack, rendering them unusable and disrupting the ICO.
· Cryptocurrency exchanges hold millions of dollars in assets at any point in time and trade large amounts of assets in real time. These sites may be overwhelmed by transactions or attacked. In some cases, DDoS attacks can make an exchange unavailable for a period of time.
· Cryptocurrency wallets: cryptocurrency owners must choose an exchange and a wallet that protects their holdings. Hackers use stolen credentials, credential stuffing techniques and phishing attacks to steal funds from private and online wallets.
Initial token issuance
Websites or mobile applications that serve cryptocurrencies are just as vulnerable as ordinary websites, and they are a particularly attractive target for attackers. ICO websites have been attacked, issuances have been postponed, and in some cases part of the issued cryptocurrency has been taken. In one case, the attacker used a defacement attack to replace the official contribution address with the attacker's anonymous address. As a result, Ether was redirected to the wrong address for a few minutes.
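One way to catch the address swap described above within seconds rather than minutes, as an added example that is not part of the original article: a monitor that scans the served page for Ethereum-style addresses and compares them with an address pinned outside the web server. The pinned value, the sample pages and the function names are constructed for illustration.

```python
import html
import re

# Assumption: the issuer keeps its real contribution address outside the web
# server (constructed placeholder here, not a real address).
PINNED_ADDRESS = "0x" + "ab12" * 10

# 0x followed by exactly 40 hex digits; longer hex runs (e.g. tx hashes) are skipped.
ETH_ADDRESS = re.compile(r"(?<![0-9A-Za-z])0x[0-9a-fA-F]{40}(?![0-9A-Za-z])")

def find_addresses(page: str) -> set:
    """Every Ethereum-style address in the page source, lower-cased."""
    return {a.lower() for a in ETH_ADDRESS.findall(html.unescape(page))}

def check_page(page: str, pinned: str = PINNED_ADDRESS) -> dict:
    """Compare the addresses a visitor would see with the pinned one."""
    found = find_addresses(page)
    pinned = pinned.lower()
    unexpected = sorted(found - {pinned})
    return {"pinned_present": pinned in found,
            "unexpected": unexpected,
            "ok": pinned in found and not unexpected}

# Constructed sample pages: the published page and a defaced copy.
CLEAN_PAGE = ('<p>Contribute ETH to <code>0x' + "AB12" * 10 + '</code></p>'
              '<a href="/tx/0x' + "9f" * 32 + '">example transaction</a>')
DEFACED_PAGE = CLEAN_PAGE.replace("0x" + "AB12" * 10, "0x" + "cd34" * 10)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("defaced", DEFACED_PAGE)):
        print(name, check_page(page))
```

Run from a host separate from the web server, a check like this alerts on any address the issuer did not publish, including one injected through script or markup the site owner never reviews.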
ICOs are also frequently subject to large-volume network or application layer DDoS attacks.
Due to the huge transaction volume, ICO websites need to take the following measures to provide a high level of protection:
· Authentication: Require strong passwords and two-factor authentication to keep unauthorized visitors out. On failed login attempts, do not disclose more information than necessary, such as which part of the login is incorrect.
· Update software and operating system: Many of the software applications that run a site may have vulnerabilities. Keep all software at the latest version and patch level to close those vulnerabilities.
· Validate input: Validate client input, and validate all input on the server, to prevent the injection of malicious content such as SQL injection and cross-site scripting. For more information about web vulnerabilities, please refer to the OWASP Top 10.
· Encryption: Use HTTPS across the entire website.
· Restrict access to the management page: Allow only selected management users to access the site management URL.
Most importantly, use an enterprise-grade web application firewall to protect the site. A WAF will prevent all web application attacks and control access to sites and applications.
Cryptocurrency exchanges
There are many exchanges for people who want to buy or trade cryptocurrencies. The security measures and availability of an exchange must be considered to ensure that stored assets are protected and that potential transactions are not affected by unexpected delays at the exchange. Such delays can be caused by:
· A DDoS attack that leaves the exchange unable to trade for a period of time.
· The site being unable to handle a large number of legitimate transactions, for example because of database overload or server resource overload, which leads to service degradation.
According to the latest “Global DDoS Threat Report” released by Incapsula, the cryptocurrency websites that use its services rank among the top ten industries most vulnerable to DDoS attacks. Although Incapsula successfully mitigated these attacks, there are also reports of destructive attacks on cryptocurrency exchanges.
In the past few months, both of the above situations have occurred, and as the demand for cryptocurrencies continues to grow, this may continue. In addition, exchanges are a key target of attacks because they act as wallets and may hold hundreds of millions of dollars worth of cryptocurrencies at any point in time. Therefore, select an exchange with a record of availability and security.
APIs are often the weak point of cryptocurrency exchange websites because their payload structure is often proprietary, which makes it difficult to identify malicious rates or payloads. As a result, they often become vectors for DDoS or other attacks.
To provide the expected service level, the exchange must consider the following measures to reduce the risk of service degradation:
· Provide enough bandwidth to meet demand. In a rapidly growing market, increasing bandwidth may be an ongoing challenge. Beyond that challenge, added bandwidth is unlikely to mitigate the large-scale DDoS attacks we are witnessing.
· Monitor traffic and detect when a website is under DDoS attack.
· Identify and filter traffic, such as traffic from known attack addresses, known bot agents, or known major attack sources, to detect and block malicious users.
· Protect accounts against attacks such as credential stuffing, and provide strong website protection as described above for ICO websites.
· Identify and filter excessive requests from a single source or user session, known application signatures, and traffic that does not conform to the known HTTP protocol, in order to detect and block malicious application layer requests.
· Protect your API (usually a weak point in website protection), because it is difficult to check the legitimacy of its payload. API protections may be ineffective because of false positives or, conversely, may leave the API open as an attack vector.
Since it is difficult to implement these measures effectively, an exchange can use services that deliver the required service level and prevent these attacks.
Cryptocurrency wallets
After you purchase cryptocurrency, it is stored in your crypto wallet, from which you can receive and send your chosen cryptocurrency. The wallet stores the private key, which proves ownership of the public key associated with a certain amount of currency on the blockchain. Since the private key cannot be recreated, losing the key is equivalent to losing the cryptocurrency. If someone else obtains the key, they can access the cryptocurrency.
How securely the wallet stores the key is therefore very important, and so is the choice of wallet. Just as you can keep cash in different places, such as a wallet, your pocket, a bank or a safe, there are several types of wallet that store cryptocurrencies:
· Software wallet: A desktop or mobile application that provides access to the cryptocurrency. Since the wallet can only be accessed from the device on which it is installed, a software wallet has a high level of security. However, if there is a problem with the device, you may not be able to retrieve your private key and you will lose your funds.
· Online wallet: An online wallet is stored on a website and, like other data stored in the cloud, can be accessed from any device. However, it may be more vulnerable to attack, depending on the security provided by the third party. Asset theft is often the result of credential stuffing: usernames and passwords stolen from well-known or obscure websites are sold on the “dark web” and then tried by botnets against the login page until a username/password combination works.
· Hardware wallet: A dedicated physical device that stores keys locally with the highest security. To use this wallet, users only need to plug the hardware wallet into a device with Internet access, enter the wallet's PIN, and then make a transaction.
We recommend the following steps to protect your cryptocurrency:
· Keep only small amounts online: Just as you usually don’t carry thousands of dollars in your pocket, try to reduce the amount of cryptocurrency you keep on your computer or mobile device. Keep the amount needed for daily use easily accessible and hold the remaining funds in a more secure environment (such as a hardware wallet).
· Backup: No matter what type of wallet you use, make sure that all backups are safe. Remember, if you lose your wallet's private key, you lose your cryptocurrency. Make multiple backups on different types of media (such as USB and paper) in different safe locations, so that you have several recovery paths.
· Encryption: Encrypt your wallet with a password that you will never forget. Consider keeping a copy of the password in a safe place, such as a vault.
· Add security layers to your environment: Use two-factor authentication for logins and transactions. Protect the environment against malware and use virus protection.
· Use a recommended wallet: If you are using an online wallet, choose carefully and pick one with a reputation for security. Consider using a wallet integrated with your exchange.
· Use a unique password and do not reuse it on other websites. Otherwise, credentials stolen from another site, possibly in an unreported breach, can be used against your wallet.
Incapsula protection
Creating a new currency and establishing an exchange is a complex business. Incapsula website protection and DDoS mitigation can protect your website from the most advanced website attacks, DDoS and account takeover attacks. Incapsula can also provide cloud-based load balancing and failover, and delivery rule solutions, to maximize the availability of your website with easy operation.
Web application firewall
Incapsula’s web application firewall has been rated by Gartner as the leading WAF for four consecutive years. It analyzes all user access to your web applications, protects your applications from cyber attacks, and ensures that specific technologies, such as network sockets, are not broken. It can prevent all web application attacks, including the OWASP top ten threats, and block malicious programs. Incapsula can also filter traffic based on various factors to control which visitors can access your application.
The WAF analyzes all aspects of web applications and detects attacks, for example preventing defacement attacks that rely on cross-site scripting. With this protection, your site can avoid annoying verification requests, such as verification codes, email confirmations, or the two-factor authentication that is popular on many sites.
DDoS protection
To protect cryptocurrency exchanges and basic websites, Incapsula's website DDoS protection automatically detects and mitigates attacks against websites and web applications. Incapsula is the only service that provides an SLA (Service Level Agreement) guarantee to detect and stop attacks within 10 seconds. Our new Behemoth 2 platform blocks a 650 Gbps (gigabits per second) DDoS flood, with traffic exceeding 150 Mpps (million packets per second), with capacity to spare. We expect that as the scale of attacks continues to expand, this capacity will be tested further.
In addition to handling high-volume attacks, Incapsula also provides protection against these types of DDoS attack:
· Sophisticated application layer (layer 7) attacks, which target applications on the web server. These attacks need less volume to take effect, measured in packets per second, but are more difficult to detect. Forrester Wave reports that Imperva is second to none in detecting and mitigating application layer attacks.
· Large-scale attacks composed of a large number of requests sent through the APIs that many sites provide. API traffic is filtered with minimal false positives. Check these practices to protect your API.
CDN service
A content delivery network helps cryptocurrency exchanges cope with exponential growth and expand the scale of their business. In addition to DDoS protection, Incapsula CDN provides the following services to help improve the stability of cryptocurrency exchanges under heavy load.
· The global content delivery network (CDN) uses intelligent caching, high-speed storage and optimization tools to improve the speed and performance of websites. With more than 40 PoPs deployed by Incapsula, page load times improve greatly.
· Incapsula cloud load balancing allows exchanges to scale easily, add servers and failover data centers, and add delivery and forwarding rules from the cloud without downtime.
· Protection against credential stuffing and account takeover: the rule definition feature adds protection to the login page to prevent bots from performing credential stuffing. Account takeover is a major threat in the cryptocurrency domain, where hackers use stolen credentials to commit fraud.
· Traditional security measures against brute force attacks block high-rate requests from a given IP address to the login page. However, some recent attacks have bypassed such filters by sending requests at a very low rate from thousands of bots on infected computers. Even at low rates, Incapsula CDN can prevent these attacks because it can block, or raise the difficulty of, any non-human access to the landing/login page without slowing down page load speed.
· Advanced bot classification, and mitigation using advanced rules.
· API protection with an extremely low false positive rate while maintaining a high level of protection, including against DDoS attacks on the API.
With these services, you can ensure that the site is always available.
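The low-and-slow credential stuffing pattern described above (in the online wallet section and in the brute force bullet) can be shown on login records. This is an added example, not code from the original article or from Incapsula: it runs a classic per-IP rate filter and a site-wide check over the same constructed events. The thresholds, field layout and function names are assumptions.

```python
from collections import Counter, defaultdict

def per_ip_rate_alerts(events, limit_per_min=10):
    """Classic brute-force filter: IPs that exceed a per-minute request limit."""
    buckets = Counter((ip, ts // 60) for ts, ip, _user, _ok in events)
    return sorted({ip for (ip, _minute), n in buckets.items() if n > limit_per_min})

def stuffing_signals(events, window=600, min_failures=100,
                     min_fail_ratio=0.8, min_users_per_failure=0.9):
    """Site-wide view per window: many failures spread over many distinct
    usernames is the credential stuffing shape, whatever the per-IP rate."""
    windows = defaultdict(list)
    for ts, ip, user, ok in events:
        windows[ts // window].append((ip, user, ok))
    alerts = []
    for w, rows in sorted(windows.items()):
        failed = [(ip, user) for ip, user, ok in rows if not ok]
        if len(failed) < min_failures:
            continue
        fail_ratio = len(failed) / len(rows)
        users_per_failure = len({u for _ip, u in failed}) / len(failed)
        if fail_ratio >= min_fail_ratio and users_per_failure >= min_users_per_failure:
            alerts.append({"window_start": w * window,
                           "failures": len(failed),
                           "fail_ratio": round(fail_ratio, 2),
                           "source_ips": len({ip for ip, _u in failed})})
    return alerts

def constructed_events():
    """Constructed sample (timestamp_s, ip, username, success):
    20 normal logins plus 200 bot IPs making 3 attempts each in ten minutes."""
    events = [(i * 30, f"198.51.100.{i}", f"user{i}", True) for i in range(20)]
    for bot in range(200):
        for n in range(3):
            events.append((bot * 3 + n, f"10.0.{bot}.7", f"leaked{bot * 3 + n}", False))
    return events

if __name__ == "__main__":
    sample = constructed_events()
    print("per-IP rate alerts:", per_ip_rate_alerts(sample))
    print("site-wide alerts:  ", stuffing_signals(sample))
```

On the constructed data the per-IP filter reports nothing, because no address sends more than three requests, while the site-wide check flags the window.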
Conclusion
The types and numbers of cryptocurrencies are increasing, and attacks against cryptocurrencies are increasing in scale, complexity, and frequency. Organizations involved must understand the need for dedicated and advanced WAF and DDoS protection services to minimize financial, operational, and reputational risks.
The best practices outlined in this article will help organizations establish sound mitigation strategies. These measures include monitoring application and network traffic, detecting and filtering malicious users, and identifying and blocking malicious requests.