Today, crypto companies are beginning to realize that it’s better to spend a sizeable portion of their budget on assessing security than to lose reputation. Nevertheless, the security problem of ICOs and crypto exchanges remains acute. Potential threats to crypto projects and reasons to engage in security testing have become the subject of our conversation with Dmitry Budorin, CEO of Hacken and HackIT 4.0, the annual forum on cybersecurity held in Ukraine.
According to various estimates, up to 90% of crypto-currency applications are experiencing security problems. Why is this happening?
Due to the hype at the end of 2017, when even a project without a single developer, idea and product could make money, most crypto startups, especially from the CIS and Asia, didn’t pay attention to security issues aspiring to launch their products as soon as possible. Now we are witnessing a market decline triggered, among other things, by projects without a real product entering the market. We ended up in crypto Wild West with ignoring the basic things necessary for business development. I’m talking about cyber security as well.
According to Skybox Security report, crypto-miners account for 32% of all cyberattacks in 2018. Are there any protection mechanisms against them?
Stealth mining and malware mining are really big problems. Means of combating them are quite simple: there are plug-ins for disabling scripts on Internet pages. This protects the user from the built-in miners. Don’t install suspicious apps from torrents, which often contain a “payload”.
What other types of attacks, in addition to viruses-miners, are common in crypto?
The most common attacks are directed at the user: gaining access to the user’s PC or malicious software that allows an attack such as man-in-the-browser.
Who should be entrusted with the examination? Hiring experts for audit or checking by yourself?
Of course, to hire specialists! An independent safety assessment is required. It’s necessary at least to run applications and infrastructure pen test and socio-technical assessment of the development team. But ideally, those are going to launch their product have to use the bug bounty and vulnerability reward platform.
What does the evaluation process consist of?
The first stage involves collecting information: obtaining data from the client or other open resources. Then a threat model – a plan for entering the system – is created. Next, the manual and automatic analysis is performed to identify vulnerabilities, after which these ones are exploited to understand how the attackers can use them and whether they are able to damage the system and the company as a whole.
Consequently, a report should appear, where all actions at each stage are documented, as well as recommendations for eliminating the vulnerabilities.
Does the crypto contain mandatory requirements and accepted safety standards?
In case of a decentralized application for receiving funds, the auditor must validate the source code of the contract, confirm that it operates in accordance with the specified public specification, and confirm that there are no errors and “backdoor” for the developer.
The other standards for applications and infrastructure migrate from the industry and are a mix of NIST, PCI DSS and ISO standards.
In your experience, are crypto projects engaged in their security issues? Is it worth to save on security?
We always say: it’s better to spend 15,000 dollars today to assess security and implement compensation measures than to lose reputation, or even business in the future. This view is shared by many crypto projects, dealing with their security in the long term and ordering service packages. Such a project can already be considered as half-valid.
You run HackIT for the fourth year in a row and this year you decided to focus on cybersecurity issues in crypto. Why is there a need for such a topic?
This year, for the first time, we’ll talk about the security of crypto exchanges. Hackers have already stolen millions so we need to change this statistics for the healthy growth of the crypto industry. At HackIT, we’ll hold roundtables with exchanges’ representatives, run a controlled hacking of their systems and talk about safety standards.