Bitcoin and Security: An Interview with Bitcomsec

 

2013 was a very successful year for Bitcoin in terms of price and adoption. As has been said, though, as far as we have come, the road ahead is still tremendously long and there is still lots to do. The upside of Bitcoin is enormous.

2013 was also a year that saw some damaging hacks and heists. I was personally involved in Coinlenders/Inputs.io which had its hot wallet hacked at the end of October. After several weeks of watching, wrangling, and worrying, I was one of the ones who got a partial refund of my investment, but there are many more who haven’t gotten anything back. Bitcoin is an at-your-own-risk venture. There is tremendous opportunity, but not all of the kinks have been worked out yet either, and there are plenty of people out there who are willing to take advantage of that.

Coinlenders is an instructive case: it was an innovative investment company with a workable business model run by a guy known for exposing scammers. The site had lots of security, including 2 factor authentication. The site also claimed that a ‘small’ amount of bitcoins were kept in a hot wallet so that investors trying to withdraw large amounts might need to wait until funds were transferred.

The hackers were able to use an old administrator email account and a weakness in the server to breach the site and access the hot wallet. Unfortunately for investors, contrary to what the website said about the hot wallet holding a ‘small’ amount of bitcoins, it actually held most of them. In the aftermath it was pointed out that the site’s owner had left a large open door for the hackers to walk in.

In 2014, security, as much as price or adoption, are going to be Bitcoin’s big issues. As more people become aware of Bitcoin, set up wallets on their home computers or on the net, they are also going to become targets. News stories of exchanges and business getting hacked, or of a retiree losing his retirement fund, will work against Bitcoin just as much as any government action.

**Get started with Bitcoin at Coinbase.**

I was lucky enough to be in touch with Mike at bitcomsec to talk about Bitcoin and security.

What is your background in cyber security?

My name is Mike and I’ve been doing security research well over 12 years. I began by researching firewall issues and malware then gradually moved onto CGI (perl) security issues. This got me interested in web application security and then I got involved with forensic, proactive security measures, preemptive security, network security, IDS evasion, network infiltration, and source code auditing. Pretty much, I am interested in anything related to security. It’s something I love doing.

What got you interested in Bitcoin?

I first became interested in Bitcoin several years ago but didn’t have the time to get involved as a security guy, a miner, or even as a user. The past few months I’ve had the time and motivation to get involved with Bitcoin and so far so good.

I think that Bitcoin is a powerful idea and has the potential to change history. No longer do we have to compartmentalize the way we thing about money. We are so often abused by banks that, until now, had complete control over our finances. They charge outrageous fees and get away with it because the next bank is no better. With Bitcoin, we are the bank. The banks will have to come to us and deal with our outrageous fees, if that’s what we decide to do. In reality, Bitcoin is a way for us to take the power back.

You had a project to create a security auditing business up on BitcoinStarter.com. It seems that it didn’t get funded. What are your plans now?

Firstly, I think that BitcoinStarter is a great and wonderful tool. I hope people will use it as much ask Kickstarter because there are a lot great ideas out there that need funding to get started. Even though bitcomsec didn’t reach its funding goals, my team and I were able to do research and auditing for clients and earned rewards in bitcoins to fund ourselves. So, in the end, even without the funding, BitcoinStarter gave us a chance to market our idea and spread it.

There have been a lot of hacks of some prominent operations in the last year. It seems that a month doesn’t go by without a major theft or hack. Of course the recent hack of Target shows that this isn’t limited to Bitcoin, but it does make people skittish. If Bitcoin is going to be successful, it’s going to need to feel safe to people who don’t fully understand it. Do you see any developments with Bitcoin that may get it to a point where my grandmother can use it?

Honestly, Bitcoin will have to go through the same phase of security issues as banks did in the 1800s and early to mid 1900s in America. In those days there were a lot of bank robberies and heists in much the same way as Bitcoin is experiencing now. Banks eventually stepped up their game and learned how to protect their money with vaults and security guards, cameras, etc. With Bitcoin, people are going to have to get better with cold storage, or better storage systems will have to be developed. Also, security auditors, security researchers, and internal security departments will have to be used by companies to ensure the safety of their clients’ funds.

There has been a lot of talk about taint analysis as a means of tracking where stolen bitcoins go. What do you think is the reality of being able to track people who commit these big thefts down? Do you know of any cases where this has been successfully done?

As far as I know, there hasn’t been anyone specifically who has been tracked down due to taint analysis, but it is possible. It all depends on how far the thief is willing to go and how long they’re willing to sit. If a thief is lazy, he’ll be caught. In order to do this successfully, it will require the help of exchanges which would have to look at large sums of incoming Bitcoins and go backwards in time to figure out where they came from – and the way things are going now, I don’t think any exchanges would go this far… yet.

There is lots of advice about there about how to protect your bitcoins. What do you think is the real risk to the average user? What do you think is the riskiest behavior average users can engage in that will make them a target for theft?

Unfortunately most of the big heists have to do with security issues on the wallet/exchange/merchant side. There isn’t much users can do in these cases.

Users are at risk from client side attacks, which is where a hacker can attack a user directly using weakness in applications on the users’ computer, like the browser. Users can protect themselves by keeping their wallets by taking a few precautions:

  • If possible, keep your wallet separate from the computer you use for browsing.
  • Have updated antivirus, antispyware, and antimalware programs running or run regular checks.
  • If you can’t keep your wallet on a separate computer, at least make sure that it is updated, secure, and clean. Many software updates include patches or fixes to weaknesses that can be exploited by hackers.
  • Make sure your browser is updated.
  • Don’t install software you don’t trust – including wallets for new altcoins!
  • Make sure you don’t click on suspicious looking websites.
  • Watch out for phishing sites – they are made to look like sites you trust, but are really there to steal your user information and password. When you visit websites that require your user information and password, pay attention to the address bar. If it doesn’t say exactly what is it’s supposed to say, find the site’s main page and report the other page. (One tip is that sites that require security will often have an ‘s’ after the initial ‘http.’ Does the site you’re logging into have ‘https://”? If it does and you’re still suspicious, click the little lock about who owns the certificate for that site. This can be faked too, but attackers are often lazy and leave obvious clues.)
  • Also, consider disabling JavaScript by using NoScript and only allow sites you trust to use Java.
  • Disable flash and Java plugins.

What are your favorite altcoins and why?

I am a security guy, so naturally I fell in love with Namecoin which hosts domains in the blockchain and Datacoin which hosts files through the blockchain and can be used for torrents, encrypted files, etc. I also like Primecoin because it’s working on a goal – to discover prime numbers for the scientific community.

I want to thank Mike of bitcomsec for taking the time talk with me and for advising me about how to make my site more secure. You can visit the bitcomsec website here.