Kaspersky and INTERPOL Say Blockchain is Vulnerable

[shorena]

If there is anything it has not yet been disclosed to the core devs their youtube video demo shows nothing that suggests the blockchain itself is vulnerable. From what I can see they merely used it to store data.

see here -> https://bitcointalk.org/index.php?topic=1021143.0

[Beliathon]

they are trying to hard to kill bitcoin price with all those troll news, despite all the 230 mark is still holding strong

they should at least back up their claim, why they don't try to abuse the blockchain then?

This.  Either that, or insiders know something that's why they are selling.

No one is more of an insider than Satoshi Nakamoto, and Satoshi has not sold a single dollar's worth of bitcoin! Everyone here needs to grow a pair and



Or get out of the way and remain irrelevant.

[tokeweed]

they are trying to hard to kill bitcoin price with all those troll news, despite all the 230 mark is still holding strong

they should at least back up their claim, why they don't try to abuse the blockchain then?

This.  Either that, or insiders know something that's why they are selling.

No one is more of an insider than Satoshi Nakamoto, and Satoshi has not sold a single dollar's worth of bitcoin! Everyone here needs to grow a pair and



Or get out of the way and remain irrelevant.

Who are you?

Bit yeah.  This is clearly a start of a FUD campaign.  Looks like 2015 will be another bad year for BTC.  

[R2D221]

You'd need some specially created Bitcoin client that uses something like OP_RETURN data as an executable (and I don't believe there even is such software in existence unless Kaspersky created it just to published this FUD article).

Exploiting a vulnerability before a malicious entity does actually is helpful because you can be prepared and patch it before shit happens. Whether or not what Kaspersky found is a vulnerability to begin with is another question (which I believe is not, like all of you).

[ajareselde]

You'd need some specially created Bitcoin client that uses something like OP_RETURN data as an executable (and I don't believe there even is such software in existence unless Kaspersky created it just to published this FUD article).

Exploiting a vulnerability before a malicious entity does actually is helpful because you can be prepared and patch it before shit happens. Whether or not what Kaspersky found is a vulnerability to begin with is another question (which I believe is not, like all of you).

I am not entirely cartain about the story, but i have read that there were even cases of shild porn pictures stored in blockchain, there is a copy here ;
https://bitcointalk.org/index.php?topic=191039.0 , and that is only a start of blockchain abuse.
I dont see why everyone is attacking kaspersky, they are making a warning before shings get out of hand, atleast what we can do is listen to what they  have to say.

cheers

[tokeweed]

It's not FUD?

[tokeweed]

You'd need some specially created Bitcoin client that uses something like OP_RETURN data as an executable (and I don't believe there even is such software in existence unless Kaspersky created it just to published this FUD article).

Exploiting a vulnerability before a malicious entity does actually is helpful because you can be prepared and patch it before shit happens. Whether or not what Kaspersky found is a vulnerability to begin with is another question (which I believe is not, like all of you).

I am not entirely cartain about the story, but i have read that there were even cases of shild porn pictures stored in blockchain, there is a copy here ;
https://bitcointalk.org/index.php?topic=191039.0 , and that is only a start of blockchain abuse.
I dont see why everyone is attacking kaspersky, they are making a warning before shings get out of hand, atleast what we can do is listen to what they  have to say.

cheers

LOL did you read that thread? Its already known long time ago how is it a vulnerability?

You cant be serious. (about listening to Kaspersky)

Until Kaspersky can make a tool to prove there is a vulnerability, I am not believing anything.

Prove it.

[stevenh512]

Kaspersky Labs and INTERPOL have presented research in which they show how blockchain-based cryptocurrencies can potentially be abused with arbitrary data that can be disseminated through its public decentralized databases.

To me, this makes Kaspersky and INTERPOL sound like a joke. A well-known antivirus/security software company and a large international police force took this long to figure out that you can put arbitrary data in the blockhain? The rest of us have known this all along, a few even use it as their business model. While I could see it being a problem in the future (especially if we don't fork to increase the block size, these spam transactions could eventually make it harder to get a legitimate transaction confirmed), so far it hasn't really hurt anything, it's just made the blockchain take up a little bit more hard drive space than it would have otherwise.

I am not entirely cartain about the story, but i have read that there were even cases of shild porn pictures stored in blockchain, there is a copy here ;
https://bitcointalk.org/index.php?topic=191039.0 , and that is only a start of blockchain abuse.

How long ago was that, and Kaspersky (along with INTERPOL) is just figuring it out? No wonder people are laughing at this and/or attacking them. BTW, if you had read the entire thread you linked and looked into it, there were not (and as far as I know still are not) child porn pictures in the blockchain. What is there is some data from a TOR service called The Hidden Wiki which includes, among other things, links to TOR hidden services which served as blackmarkets, child porn sites and the like. Odds are, with all the "dark web" busts in recent news, a lot of those services have probably been shut down by now anyway and I'm sure new ones are springing up every day.

[Ron~Popeil]

Elmer Fud again. It is common knowledge that you can put arbitrary data in the blockchain. There is no known way to use it for anything other than marking an occasion or including a read only message with a transaction. Pretty weak attack.

[drawingthesun]

It is based on the idea of establishing a connection to the P2P networks of cryptocurrency enthusiasts, fetching information from transaction records and running it as a code.

So it is complete FUD - no normal Bitcoin client works like this at all.

You'd need some specially created Bitcoin client that uses something like OP_RETURN data as an executable (and I don't believe there even is such software in existence unless Kaspersky created it just to published this FUD article).

CIYAM, I agree that the way we're reading that line makes no sense, as no Bitcoin client will execute the code like this. However there is the chance that a malware or virus could use the Blockchain to store its data and code, it would be more resistant than storing it on some hacked server in Russia.

So the virus attack vector would be the same as always, a dodgy email, a USB drive found on the side of the road.
The difference being, that when the virus turns on, it'll always be able to find it's P2P network, latest instructions, latest patch for the virus, as it'll all be stored on the eternal, distributed, invincible database known as the Bitcoin blockchain.

Of course a couple of issues with this:

1) The cost to store this data would be stupidly high. Much better to used some hacked servers.
2) As I understand it, most Bitcoin clients do not store the 40 (or is it 80) bytes of arbitrary storage available per transaction.
(Meaning that if not enough nodes have the stored data that the virus needs, it'll be useless)

I think this issue might be worse with Ethereum, as the virus can be sure that all nodes are saving all the code on the blockchain.

Remember, we're not talking about getting infected from the blockchain, but once infected, the virus will use it's updates and data from the blockchain to update itself and be commanded.

I think that is the only real threat here, and I am not sure if it's even a practical one.

[majeis]

...and Kaspersky just lost my general recommendation as antivirus software. Time to tell everyone to use virustotal with avira or avast again, I guess.

[drawingthesun]

...and Kaspersky just lost my general recommendation as antivirus software. Time to tell everyone to use virustotal with avira or avast again, I guess.

Why aren't you using Microsoft security essentials? I'm assuming you're on a Windows box.

[R2D221]

...and Kaspersky just lost my general recommendation as antivirus software. Time to tell everyone to use virustotal with avira or avast again, I guess.

Why aren't you using Microsoft security essentials? I'm assuming you're on a Windows box.

If you're in the latest Windows (8.1), there's no Security Essentials anymore. You're looking for Windows Defender.

[drawingthesun]

...and Kaspersky just lost my general recommendation as antivirus software. Time to tell everyone to use virustotal with avira or avast again, I guess.

Why aren't you using Microsoft security essentials? I'm assuming you're on a Windows box.

If you're in the latest Windows (8.1), there's no Security Essentials anymore. You're looking for Windows Defender.

Good point, I'm stuck on Windows 7 for now.

[Lauda]

This,

where is the research? They cannot say "blockchain is vulnerable" without give a full report and various example of that attack.

I trust my cat more than FBI + Interpol .

Well this doesn't surprise me. I'm just disappointed that Kaspersky has joined them. I've had some faith in them.

Until Kaspersky can make a tool to prove there is a vulnerability, I am not believing anything.

Prove it.

Exactly. Let's say that Kaspersky wanted to be the good guy here. They should have gives us information so that it can be fixed.

[LiteCoinGuy]

[poncom]

This,

where is the research? They cannot say "blockchain is vulnerable" without give a full report and various example of that attack.

I trust my cat more than FBI + Interpol .

Well this doesn't surprise me. I'm just disappointed that Kaspersky has joined them. I've had some faith in them.

Until Kaspersky can make a tool to prove there is a vulnerability, I am not believing anything.

Prove it.

Exactly. Let's say that Kaspersky wanted to be the good guy here. They should have gives us information so that it can be fixed.

For viruses I thought it's standard practice to keep quiet about a new vulnerability until the experts develop a fix for it. They tell each other about it but keep quiet about it publicly. Why has Kaspersky publicly blurted out a story about a vulnerability before the experts have had a chance to work on it?

[lucullus]

This,

where is the research? They cannot say "blockchain is vulnerable" without give a full report and various example of that attack.

I trust my cat more than FBI + Interpol .

Well this doesn't surprise me. I'm just disappointed that Kaspersky has joined them. I've had some faith in them.

Until Kaspersky can make a tool to prove there is a vulnerability, I am not believing anything.

Prove it.

Exactly. Let's say that Kaspersky wanted to be the good guy here. They should have gives us information so that it can be fixed.

For viruses I thought it's standard practice to keep quiet about a new vulnerability until the experts develop a fix for it. They tell each other about it but keep quiet about it publicly. Why has Kaspersky publicly blurted out a story about a vulnerability before the experts have had a chance to work on it?

Good question 

[Blazr]

What they are basically saying is that viruses can use the Bitcoin blockchain to communicate with their authors. So for example the virus author could put code into the blockchain and the infected computers would all get that code from the blockchain and run it.

This is a concern to kaspersky because normally the viruses would connect to a server, called a command and control server, to receive new instructions from the virus' author and send back stolen data etc. So all law enforcement would have to do is shut down the command and control server and they can cut the virus authors access to the infected computers. However, if the virus was using a blockchain, there would be no central point of failure and cutting the authors access would be non-trivial.

Other security researchers also had concerns about the website pastebin.com for similar reasons, that it could be used for botnet communication: http://blog.spywareguide.com/2009/06/pastebin-botnets.html

Most people are going to read this article and take it to mean that computers can be infected via the blockchain. This is not true. What they are talking about is using the blockchain as a way for hackers to send instructions to infected computers.

[sana54210]

Kaspersky Labs and INTERPOL have presented research in which they show how blockchain-based cryptocurrencies can potentially be abused with arbitrary data that can be disseminated through its public decentralized databases.

These two entities addressed the issue at the BlackHat Asia conference in Singapore. They successfully demonstrated how arbitrary data can be injected into a digital currency decentralized database simply by using an exploit code that opens a notepad enabling corrupted data to be inserted into the Blockchain.

Not long ago, Kaspersky Lab’s signed an agreement and a memorandum of understanding with INTERPOL and Europol in order to expand cooperation in a joint fight against cyber crime. In addition, the company has also organized a series of training sessions for INTERPOL staff to give them some knowledge about malware analysis, digital forensics, and financial threat research.

A Kaspersky researcher named Vitaly Kamluk explains:


“Blockchainware, short for blockchain-based software, stores some of its executable code in the decentralized databases of cryptocurrency transactions. It is based on the idea of establishing a connection to the P2P networks of cryptocurrency enthusiasts, fetching information from transaction records and running it as a code. Depending on the payload fetched from the network, it can be either benign or malicious.”


Vitaly also stresses that before digital currency can be widely accepted, we need to understand the full potential of the threats it faces. The Bitcoin community seems to agree with Vitaly, as security is a healthy industry seeing remarkable growth in the cryptocurrency ecosystem.

A report from Juniper projects that the number of active Bitcoin users worldwide will reach 4.7 million by the end of 2019, up from just over 1.3 million last year. The company expects usage to continue to be dominated by exchange trading, with retail adoption largely restricted to relatively niche demographics. This is surely good news for the virtual currency industry, and it means that the potential of the technology has already been recognized.

The importance of cryptocurrencies on e-commerce and other online financial activities has been growing at an astonishing rate, and concerns over security are growing. Security issues will likely always be present in the Bitcoin world, and users will have to rely on cybersecurity firms to constantly innovate and provide solutions.

http://insidebitcoins.com/news/kaspersky-and-interpol-say-blockchain-is-vulnerable/31578

Lol without proper proof how can they claim that they can do it. It looks none other than a publicity stunt. Finding a loophole in Blockchain can't be done by these folks in the near future with current technology IMO.