Blockchain Can Suffer from the Same Vulnerabilities as Any Other Application

August 13, 2018


Earlier this year, The Hacker News reported on a wicked vulnerability within the EOS Blockchain Platform. While the vulnerability is considered critical, and the method of exploitation fairly basic (a maliciously crafted file), the ramifications are truly astounding. After the vulnerable parser reads the file, it forces an exploit on the node, which could then be leveraged against the supernode on the EOS platform. The supernode is responsible for collecting transaction information and packing it into blocks. Once the threat actor owns the supernode, they can modify or create malicious blocks that would control the entire EOS network. This includes everything the EOS Blockchain Platform has been implemented to perform – from cryptocurrency and supply chain management to identity storage – whatever the platform has been deployed to support.

The uncrackable Blockchain (as it is advertised) can be owned through the fundamental technology designed to protect it: WASM files (smart contracts) and a simple file upload.

My point in this blog, however, is not to beat up the EOS Blockchain Platform, but rather to point out that every technology is vulnerable. Blockchain has been advertised as an ultra-secure database ledger technology, but the operating system, web service, and other components needed to make it a viable platform can suffer from the same risks as any other application or technology. People make coding mistakes and technology has flaws, so every system is potentially vulnerable in some way. Blockchain is no different, and if you implement it for something like cryptocurrency, a critical flaw could jeopardize all the data in the ledger; in this case, all the money being stored and processed via transactions.

Let that sink in for a minute. This one risk could have left all the cryptocurrency in the system vulnerable to theft. This perfectly “secure” technology is not perfectly secure after all. That alone should be a reminder to everyone that we cannot forgo cybersecurity basics just for the hype of a new technology.

So, what are cybersecurity basics?

  • Asset Inventory – The identification and lifecycle of all software, code, applications, nodes, and operating systems used in the Blockchain.
  • Change Control – Changes to the operating system, application, and resources are documented and go through a formal change control process.
  • Configuration Management – The hardening of the operating system, application, and network, including the removal of default settings that are a liability.
  • Vulnerability Management – The operating system, application, web application, and source code are reviewed for vulnerabilities, and risks are prioritized accordingly.
  • Log Management – The centralized management and parsing of log files from all resources in the environment, including transaction logs.
  • Patch Management – The systematic and predictable methodology for deploying maintenance and security patches to all systems in the environment – from firmware to web applications and everything in between.
  • Identity and Access Management – The predictable workflow management of identities, roles, and entitlements for all users that have access to the resources of the system.
  • Privileged Access Management – The management of all privileged access into the Blockchain environment – from operating system to web applications, including password management, least privilege access, session management, keystroke logging, and application to application key and password management.

Theoretically, if the EOS Platform followed these cybersecurity basics correctly, even for an open source project and deployed solution, the file upload vulnerability may have been identified (I say “may” because there is always a chance commercial and open source tools could have missed it too). My point is that no system is perfect. All technologies – regardless of the hype, especially when they are new – need extra scrutiny before deployment. Blockchain technology is no different.

For more information on how BeyondTrust can help with cybersecurity basics, contact us today.

Morey J. Haber

Chief Technology Officer and Chief Information Security Officer at BeyondTrust

Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
