Bitcoin domino effect and start-up Exchanges
I am not really sure how many Bitcoins have been stolen in the past six months, but the signals are discouraging.
According to a report on The Hacker News on 24th January, another Bitcoin exchange, one of the really big ones, has shut down. Its CEO, Mr. Mark Karpeles, also resigned from his seat on the board of the Bitcoin Foundation. What's all the fuss about? Well, if you add the 2.7M USD of the latest theft from Mt. Gox to the other millions of USD stolen in past months, the numbers get impressive. "Our" money (even though I don't own any Bitcoin at this time).
The Bitcoin ecosystem itself is an interesting phenomenon. It saw wide success and incredible growth in its value. It has been used as a payment method for some ransomware because its transaction path is almost impossible to track (CryptoLocker alone possibly raised around 1 million USD in Bitcoins in a single day). Worms and botnets have been used to "implant" Bitcoin mining routines on infected computers to generate a currency that has no real countervalue in real life. And the stolen money was pretty much real: you could even buy a house or a car with Bitcoin.
Most Bitcoin websites talk only about the implementation of the technology itself, while the security aspects of the entire system are poorly documented or completely missing. Actually, I have seen only one site so far that talks about Bitcoin security, bitcoinsecurityproject.org, whose goal is to deploy a set of general security proofs of concept to defend the system. Hopefully the currency itself will survive, yet Bitcoin exchanges are falling like domino tiles.
I have had an interesting discussion about keeping security "open-source", because many Bitcoin exchanges are start-ups and need to keep investment low. But keeping investment low should not be an excuse to say "we will implement security later"; by then it could already be too late. Likewise, the Bitcoin business should do its own work and focus on that, and open-source security is only as effective as your knowledge of the topic and the technologies involved. Indeed, defending a start-up whose core business is exchanging money (real money) is not optional. Luckily for start-ups, solutions can be deployed even in cloud environments (like the WatchGuard XTMv virtual appliances), and an entry-level system can be pretty affordable. Certainly very affordable when we are talking about 700K Bitcoins.
Security around money is a real concern. It's enough to look at what happened to Target, badly hit by a worm that successfully stole more than 100M credit card numbers directly from the POS systems. And the credit card industry has strong regulations about security, yet they turned out to be void.
The real concern, in my opinion, is the lack of common sense when it comes to critical infrastructure. When I approached my first PCI DSS project and met the auditor, we had more than 2/3 of the checklist done during the first meeting. The rest was just a matter of a couple of days to figure out the changes to be applied, and then to deploy them. The most interesting point was that, internally, security was a human concern rather than a technical one, since I mostly had to deal with people who saw "rules" as a problem rather than a solution. So I can say that the lack of common sense and security effort is a human matter rather than a lack of technology. The funny part is that the customer experienced little or no impact from the rules adopted.
The conclusion of this whole thought is about common sense. When Bitcoin started to fall, I was advised to consider watching an "alternative" digital currency. History will repeat itself if new CEOs do not correctly understand the need for a security strategy and its value. Nowadays security can be designed in a way that allows the business to run more securely, and the value added by security consultants (one implementing and one auditing, never the same for both) results in procedures that enforce the adopted policies. You may be thinking about how to make your business run. Just do it securely.
I have been working as an IT professional since the late 1990s. I had the chance to build a horizontal skill set that allowed me to approach almost any IT-related project. Since 2005 my role has mainly been CTO in different companies, ranging from small ISPs to system integrators. Since 2017 I have been working on a new platform for the protection and management of intellectual property and copyright assets.
Do you have any questions, or is there anything I could help you with? Please feel free to contact me through one of the companies listed below or through one of the social media channels.
Header picture: me at the Blockchain Milan event organised by Rights Chain Ltd. in November 2018.