Blockchain: Are You Ready?

Mitch Ross, Senior Consultant, Cyber Engineering, Coalfire

By now, most of us have heard of Bitcoin. Few of us really know the specifics about what that is. Fewer still have a workable (or even cursory) knowledge of the underlying technology that makes Bitcoin possible.

Bitcoin is a cryptocurrency, which means that it is a form of digital currency. Bitcoin can be used to make purchases electronically (at over 100,000 merchants currently), and several retail establishments are now accepting Bitcoin transactions through their point-of-sale systems. Using applications called crypto wallets, it is possible for one person to directly transfer bitcoin payments to another person. And it is also possible to exchange dollars and bitcoins in real time as needed using a growing network of Bitcoin ATMs. Although currently the most popular, Bitcoin is only one of several cryptocurrencies that are gaining popularity; this list includes Ethereum, Dash, Litecoin, Monero, Primecoin, and many, many others.

Bitcoin, like all cryptocurrencies, is built upon a technology called blockchain.

So, what is blockchain? It is an open, distributed ledger system that records transactions between parties in a verifiable fashion. Blockchain was first conceptualized and detailed in a whitepaper titled Bitcoin: A Peer-to-Peer Electronic Cash System published in 2008 by a person (or persons) using the name Satoshi Nakamoto. This paper laid out a method for two parties to transact directly with each other without the need for a trusted third party (a bank, for example).

To create a blockchain, many transactions (sell or buy) are first inserted into a block. This block is then inserted into the blockchain, and the blockchain is replicated to a networked community. Each block of the blockchain has two parts: the block header and the block of transactions. The transactions are built into a Merkle Tree, which is a collection of the transactions and hashes of those transactions in a very complex arrangement. The block header contains a SHA-256 hash of the previous block’s header, a pointer to the next block, and the Merkle Root (the hash of all hashes in the Merkle Tree – the “master hash”). Calculating the hash of a block’s header is a very compute-intensive operation. This creates a security feature in a blockchain because, in order to “hijack” a block or a transaction in a blockchain, every subsequent block must be recalculated and reconfirmed by the blockchain networked community. In addition, the computed header hash must be lower than or equal to a preset target in order to be a valid “proof of work.” To make this possible, a cryptographic nonce (incrementing number) is added to the calculation. It takes, on average, 10 minutes to produce the hash value, and the process repeats until a valid proof of work is produced. This process is called “mining” (hence the term bitcoin mining, when using bitcoins). Once the proof of work has been completed, this new block is inserted into the chain and is immediately distributed to all other miners in the networked community. These miners will check the proof of work (this calculation is much easier) and, if valid, will insert the block into their chain (the ledger). In this manner, all transactions are validated by the networked community, all members receive the same transactions, and all ledgers are consistent.

The mining process is designed to be very resource-intensive and difficult to complete, assuring a steady number of blocks produced each day. The miner (or miner group) that completes the proof of work for a block first is rewarded with a certain amount of cryptocurrency. This provides incentive for someone to dedicate the resources necessary to mine cryptocurrency (compute capabilities and electricity) and creates new coins.

As with any new technology, cryptocurrency built on blockchain has suffered some growing pains. Some notable cryptocurrency failures:

Steemit: This blockchain hack was not due to a vulnerability in the cryptocurrency itself but due to a vulnerability in the web browser front end. Around 260 accounts were affected, resulting in a loss of $85,000. A “hard fork” was performed (a correction to the blockchain) and all funds were restored to their rightful owners.

Krypton & Shift: These two cryptocurrencies fell victim to the 51% attack. If a bad actor can amass more hashpower (computing power) than the rest of the networked community’s miners it is possible to exert a certain amount of control over transactions. The loss from this attack was very small. It is difficult to execute this type of attack with established blockchains because it will have a very large decentralized networked community of miners, resulting in massive number-crunching power. For example, the bitcoin networked community of miners has 13,000 times more combined computing power than the world’s 500 largest supercomputers. So, in order to execute a 51% bitcoin attack, a bad actor’s compute power would need to exceed this incredible level!

Bitcoin: Very early in Bitcoin’s history (2010), a bad actor exploited a flaw in Bitcoin’s software that allowed the creation of an excessive number of transactions. This was resolved within five hours, and a “hard fork” was performed (a blockchain correction) that invalidated the bogus transactions. This was the only significant flaw ever discovered and exploited in Bitcoin, and no funds were lost.

The DAO: This was an Ethereum-based venture capital funding project. In a rather complex scenario, investors placed Ethereum cryptocurrency into a decentralized venture capital fund, which was then used to fund projects. A hacker discovered a flaw in this complex venture capital fund software and managed to drain $70 million from the fund before trading was halted in both Ethereum and DAO. To recover the funds, an Ethereum “hard fork” was executed. This caused a split in the Ethereum community, which resulted in the existing blockchain being renamed to Ethereum Classic while the forked blockchain continued on as Ethereum.

Blockchain technology, when executed properly, is a very safe and secure technology. The two main concerns are the 51% attack, which is a small risk only when a blockchain has a small networked community of miners (new blockchains) and flaws in software that is utilizing a blockchain (such as the DAO breach). Well-written and fully tested applications can reduce or eliminate this risk.

Today we see blockchain used in the implementation of many different cryptocurrencies. This is simply the first of many possible uses of blockchain, and the possibilities are numerous. Blockchain technology can potentially improve record keeping and transactional efficiencies in many areas. In stock trading, Nasdaq, the Australian Stock Exchange, the Korea Exchange, and others are experimenting with blockchain technology as a way to reduce stock transaction costs (no need to maintain expensive trading platforms), reduce settlement time, and reduce transaction duplications. Healthcare entities are exploring ways to use blockchain technology to enable data exchange systems while greatly reducing the associated costs. Pharmaceutical companies are considering the benefits of blockchain technology to ensure chain-of-custody, logging and tracking for each step of the drug supply chain to reduce drug counterfeiting. The possibilities are numerous and still emerging.

How can you prepare for blockchain technology and, hopefully, reap the benefits? As a potential consumer of services and capabilities based on blockchain, become aware and informed. Know what blockchain technology is and how it is used in order to establish a level of comfort and confidence in the technology. Blockchain-driven applications are emerging and gaining acceptance, and it is wise to be aware. As a potential application developer, now is the time to begin architecting a new approach to your existing applications. Blockchain technology is a significant departure from current database and centralized control applications, and the learning curve may be steep.

Within cybersecurity, bitcoin has been the currency of choice for some recent, highly publicized ransomware attacks, which has led to bad press (see how Coalfire can help defend against and respond to a ransomware attack). When looking deeper however, one can appreciate what blockchain technology is capable of. The potential rewards of utilizing blockchain technology are real and significant for endless use cases across various industries.

Mitch Ross


Mitch Ross — Senior Consultant, Cyber Engineering, Coalfire

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS