Earlier this year, The Hacker News reported on a wicked vulnerability within the EOS Blockchain Platform. While the vulnerability is considered critical, and the method of exploitation fairly basic (a maliciously crafted file), the ramifications are truly astounding. When the vulnerable parser reads the file, the node processing it is compromised, and that foothold could then be leveraged against a supernode on the EOS platform. The supernode is responsible for collecting transaction information and packing it into blocks. Once the threat actor owns the supernode, they can modify or create malicious blocks and thereby control the entire EOS network. That includes everything the EOS Blockchain Platform has been implemented to support as a solution, whether cryptocurrency, supply chain management, or identity storage.
The uncrackable Blockchain (as it is advertised) can be owned through the fundamental technology designed to protect it: WASM files (smart contracts) and a simple file upload.
My point in this blog, however, is not to beat up the EOS Blockchain Platform, but rather to point out that every technology is vulnerable. Blockchain has been advertised as an ultra-secure database ledger technology, but the operating system, web service, and other components needed to make it a viable platform can suffer from the same risks as any other application or technology. People make coding mistakes and technology can have flaws, so every system is potentially vulnerable in some way. Blockchain is no different, and if you implement it for something like cryptocurrency, a critical flaw could jeopardize all the data in the ledger; in this case, all the money being stored and processed via transactions.
Let that sink in for a minute. This one risk could have left all the cryptocurrency in the system vulnerable to theft. This perfectly “secure” technology is not perfectly secure after all. That alone should be a reminder to everyone that we cannot forgo cybersecurity basics just for the hype of a new technology.
So, what are cybersecurity basics?
- Asset Inventory – The identification and lifecycle of all software, code, applications, nodes, and operating systems used in the Blockchain.
- Change Control – Changes to the operating system, application, and resources are documented and go through a formal change control process.
- Configuration Management – Hardening systems and removing default settings that are a liability for the operating system, application, or network.
- Vulnerability Management – The operating system, application, web application, and source code are reviewed for vulnerabilities, and risks are prioritized accordingly.
- Log Management – The centralized management and parsing of log files from all resources in the environment, including transaction logs.
- Patch Management – The systematic and predictable methodology for deploying maintenance and security patches to all systems in the environment – from firmware to web applications and everything in between.
- Identity and Access Management – The predictable workflow management of identities, roles, and entitlements for all users that have access to the resources of the system.
- Privileged Access Management – The management of all privileged access into the Blockchain environment – from operating system to web applications, including password management, least privilege access, session management, keystroke logging, and application to application key and password management.
Theoretically, if the EOS Platform followed these cybersecurity basics correctly, even for an open source project and deployed solution, the file upload vulnerability may have been identified (I say “may” because there is always a chance commercial and open source tools could have missed it too). My point is that no system is perfect. All technologies – regardless of the hype, especially when they are new – need extra scrutiny before deployment. Blockchain technology is no different.
For more information on how BeyondTrust can help with cybersecurity basics, contact us today.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.