The Blockchain Revolution
Page 17
Nobody broke the silence that followed, so eventually Frank did. “What struck me most was that although the pre-reads do a good job of laying out the landscape, they don’t suggest any particular way to go about devising a strategy for undermining the Russ. Was that on purpose?”
“Exactly,” Colonel Dix said. “Our goal in setting up this group was to give you a clean slate rather than bias your thinking with anything that’s already gone on inside CYBERCOM. What we’re looking for is the maximum amount of creativity and ingenuity from you all.” The colonel turned to Petrie, who was still clattering away at his keyboard. “I assume you’re taking notes, Doogie?”
“Sorry,” Petrie said, folding his arms as he pushed back from the table. “Just something I had to finish up.”
Colonel Dix glared at him until Petrie reluctantly closed his laptop. Dix turned back to Frank. “Did anything occur to you as a promising place to start?”
“Nothing concrete,” Frank said. “I tend to think from the top down. So, my usual approach is to start by categorizing things.”
“I’m not sure I follow you,” Colonel Dix said. “Can you elaborate?”
“Well, I started with the assumption that two types of attack were worth considering. The first is to attack the viability of the Russ as a cryptocurrency. So, for example, we could launch constant dedicated denial of service attacks against the Russ exchanges to make it difficult to do business. Or we could steal so many Russ that no one would want to risk owning it – rather like what happened recently with the big attack against cryptocurrencies. They all suffered for a while.”
“Yes, but then they all came back again,” Joel said. “There have been lots of thefts, none of them with lasting consequences.”
“Agreed,” Frank said, “And that led me to the second approach, which would be trying to come up with a cyberattack capable of disabling, destroying, or scrambling the Russ platform.”
“Difficult,” Dirk said. “That is the beauty of the blockchain. Once created and put into operation, it is very hard to change.”
“Yes,” Frank said, “But that conformity can also be a weakness. If we can find a way to monkey with the Russ software, it may take a long time for the Russians to redesign their system so we can’t do the same thing again. And if we come up with several strategies, every time they get it up and running, we’ll pull it back down again.”
“Indeed,” Dirk said. “But first we must find a flaw to exploit. And if they have done their job well, that is not so easy.”
* * *
As he’d hoped, Frank took a lot away from his meeting of the Russ Task Force. He had a whole floor of engineers at the bank to discuss BankCoin security with, but they were all down in the weeds, looking for flaws a criminal could exploit. They were good at that – probably better than he was. To the extent he could be useful, it would be at the big picture level.
So, it was great to be working with a group of hotshots who were all focused on how to massively disrupt or take down a blockchain-based cryptocurrency. What more could he – or the bank, for that matter – have hoped for? Too bad he couldn’t let First Manhattan know.
What he could do while the task force discussion was fresh in his mind was consider how an enemy might conduct a target analysis of BankCoin. The result was an outline that began like this:
Target could be:
– individual bank or banks
– banks in an individual country
– banks within an allied group of countries (e.g., European Union, NATO, etc.)
Goals might vary based on type of target, but could be to:
– make a political or other point
– undermine credibility of the BankCoin network
– disrupt financial operations
– stop financial transactions entirely
Attack types could include:
– traditional attacks to harm or punish specific banks temporarily (e.g., dedicated denial of service exploits, or hacking into a single bank’s systems to do damage)
– multi-bank attacks, exploiting a common vulnerability in the BankCoin software itself
That looked good as far as it went. It also helped him decide what to think about and what not. There was nothing he could do to influence how well a bank other than First Manhattan managed its own security, for example, so he’d concern himself only with the BankCoin platform itself and not how any individual bank could protect its unique hardware/software systems.
Where to next? Ah – attack vectors. That is, what means could the bad guys use to get access to the global BankCoin network? Back to his outline:
Attack methods affecting entire system could include:
– Attacker plants malware on a new version of BankCoin
– Attacker penetrates participating bank as a first step in penetrating BankCoin
He stared at the words. The first approach would be the cleanest. If the bad guys could install malware in a new release of the BankCoin software, it would end up at every bank when the new version was distributed. How about the other route? He started typing again:
Attacker penetrates participating bank and then:
– distributes the malware via phishing attacks launched from that bank
– plants the malware in a block that bank helps validate
How workable were those alternatives? Well, the phishing attack scenario was certainly plausible, at least in theory. People blithely clicked on links and files from criminals pretending to be coworkers all the time. Here, the message might come from an email account the hacker set up on a participating bank’s system. And the web page the black hat wanted the email recipient to visit might exist on the sending bank’s site, too – just hidden from the view of the site’s administrator.
But no. That kind of attack was technically possible, but it would be terribly difficult to pull off. For starters, participating banks were supposed to firewall BankCoin away from general software, like email and accounting programs. So, a phishing attack might get you inside a bank’s general firewall, but it shouldn’t give the attacker access to that bank’s copy of BankCoin. Even if the bank botched its firewalls, a hacker would still have to find a vulnerability in BankCoin to exploit, and everyone involved was trying as hard as possible to make sure such a vulnerability did not exist. Finally, at least somebody at one of the hundreds of BankCoin banks should recognize the email as part of a phishing attack and then raise the alarm. So not impossible, but close to it, and therefore, not likely to be the route an enemy state or terrorist would choose.
The other possibility, though, looked worrisome. Every bank could create transaction blocks and submit them for validation by other banks, after which those blocks were added on to all copies of BankCoin. So, a viable channel to distribute malware throughout the BankCoin network was built right into the system. Surely, the Foundation, or at least First National, must be scanning each new block to prevent such an attack. This was important enough to check right away.
It only took five minutes for Frank to see that Schwert had covered that concern in a surprisingly simple way. If any single transaction block had more than two hundred lines of information above the average found in the last thousand blocks, the validation software would trigger a virus alert so the anomaly could be investigated before the block was approved.
Not only a simple solution but an elegantly practical one, Frank mused. Elegant, because it was hard to imagine designing a truly dangerous payload using such a small number of lines of code and also because Schwert’s virus scanner could perform a line count almost instantaneously. That was crucial, because BankCoin needed to handle well over a hundred thousand transactions a minute if it was to be usable at all. Lastly, the few lines of code Schwert had written to perform the test were able to self-adjust as the marketplace and the technology evolved.
That ability to autonomously adapt was also elegant, because one of the neat features of BankCoin, like many other blockchains, was the ability to include “smart contracts” in blocks along with their related transactions. These were simple computer programs that could specify, for example, preconditions that must be met before a payment would follow. Because the terms of smart contracts would vary, the number of lines of information in a block would necessarily differ as well. Blocks would therefore not always be the same “size,” from a computing perspective. And because smart contracts were so new, you couldn’t know how complex they might become over time.
That solution appealed to Frank. Most programmers defaulted to complexity. Only the really good ones came up with simple solutions. This guy Schwert just might be as good as Dirk and everyone else seemed to think he was.
He turned next to what would clearly be an attacker’s preferred strategy: tampering with the master version of BankCoin hosted by the BankCoin Foundation with the goal of adding malware to a new release of the software before it was distributed. If the enemy could get away with that, it could compromise every single bank. Clearly, this was where Frank should focus his attention. Then he paused; no, there was one other approach. He added a third possibility to his outline:
– attacker adds the malware to an interim security patch which is then distributed to the network
Frank stared at his screen. Yes, any enemy would certainly decide to use one method or the other to launch its attack through the Foundation itself. As with all the other big open source projects, anybody could commit code if they earned the respect of the rest of the developers. That’s the way the world of open source software development worked, so if you wanted to attract the best programmers, you had to play by the community rules.
All of which Frank knew. But it still amazed him the banks had bought into such a vulnerable practice. He would have expected at least some kind of added vetting – most obviously, background checks. But, to be fair, that ship had already sailed. Just about everything in the world ran on open source software now, from telecommunications to automobiles to cloud computing to the Internet of Things, and all of that software was created through the same open process.
He shook his head. This was just another reflection of a mindset he’d always marveled at: once a risk became familiar, people forgot about it. Like driving on the highway even though you knew tens of thousands died there every year: you ignored the risk not because it was acceptable but because you got used to it.
Okay, back to business. He’d just have to work with the fact that hundreds of BankCoin programmers were spread out across the globe, any of whom might try to plant malware or install a “trap door” in BankCoin they could later use to launch an attack. The challenge would be to ensure the BankCoin Foundation and First Manhattan each had processes in place capable of detecting something evil before it was pushed out into the network.
That was a sobering thought and one he should expand on in his outline. He added the following:
Embedded malware could include:
– a trap door
– ransomware
– spyware
– error-inducing software
– destructive software
There were a lot of disturbing possibilities there. Installing a trap door in each copy of the platform would allow the enemy to cause mischief on a targeted basis, attacking as many or as few banks as it wished.
Ransomware – software that encrypted or wiped a system clean unless a payment was made – wasn’t employed just by criminals. Terrorists and nation states also used it to destroy enemy systems; the payment demand was purely camouflage to cover the attacker’s trail. North Korea had employed that gambit in a massive attack that crippled hundreds of targets including, for some strange reason, many hospitals. Of course, adding collaterally damaged target types could provide cover, too.
Now, how about spyware? Certainly, that was a possibility – maybe even an inevitability – because the entire global banking system ran on BankCoin. But Schwert’s software encrypted all data, so there wouldn’t be much point to that, assuming the encryption was strong enough. And anyway, Frank’s job was to head off a devastating attack, not protect data.
Error-inducing malware was a real concern, though. And so was destructive software. The task force had spent a fair amount of time considering each of those attack approaches. Could he reverse that perspective to spot something malicious before it was triggered? He wasn’t sure about that yet.
He tapped his fingers and reviewed his list. Done? No. He started typing again.
Specific destructive approaches could include:
– disable the ability to create new blocks
– disable the ability to verify new blocks
– erase the blockchain
He stared at the last entry. What a disaster that would be. And it wasn’t out of the realm of possibility. Back in 2012, persons still unknown had wiped the hard drives of thirty-five thousand computers owned by Aramco, the state oil company of Saudi Arabia. The impact was devastating.
Well, that was enough cheerful thinking for the moment. He shut his laptop and went to bed.
* * *
Crypto, meanwhile, was reaching the end of what had been a very good day. The hand on the main countdown clock had passed the six o’clock position – he was half-way there. The fact that the acceleration of the smaller clock’s hand had long since plateaued was also good news, because it confirmed that the entire global banking system had converted to BankCoin more quickly than Crypto had hoped. It was now impossible for any bank, or for any bank customer, public or private, large or small, to do business except in BankCoin. For months now, the hand on the smaller dial had spun swiftly and inexorably, bearing visual witness to the speed with which the apocalypse he had prepared was approaching. It was both soothing and gratifying to stare at the little clock face as its hand spun inexorably onwards.
Day by day, the world was being drawn deeper into his trap, like spiraling matter disappearing into the all-consuming maw of a black hole. Crypto smiled – it was an appropriate comparison. The gravitational force of such a cosmic abyss was so intense that within a certain distance – astrophysicists called it the event horizon – not even light could escape. With the developed world now universally committed to BankCoin, its event horizon was at hand.
Yes! You’re right! The BankCoin event horizon! A Bee cheered.
Not quite yet, Crypto thought, but very soon.
Chapter 22
What’s in a Chain?
Frank was feeling better about his job lately. He’d discovered several flaws in BankCoin now, some of which could have led to significant mischief if a black hat had found them first. They were pretty subtle, too. He figured that must have raised his stature some with the security team.
And the bank events he was expected to attend were turning out to be okay. Being squired around by an attractive and intelligent woman with a talent for putting people at ease – him in particular – rendered the events nowhere near as stressful as he had feared. Just last Friday night, for example, he’d attended a gala fundraiser, wearing a custom-tailored tuxedo that now held pride of place in his wardrobe. The next day, Lola sent him a link to a photo of the two of them from a newspaper story about the event. If he had a Facebook page of his own, he might have been tempted to post that one.
Ted Miller, Lola’s boss, was also pleased. Frank was turning out to be a better cybersecurity front man than Miller could have imagined. At Lola’s urging, Miller had begun promoting Frank as kind of a likable IT innocent abroad in the field of finance. Humanizing the security face of the bank couldn’t hurt, Miller decided. When the inevitable next breech came along, it might provide a modest reservoir of sympathy the bank could draw upon.
So, all in all, it was nice that Frank and Ted were feeling better. Sad
ly, the real world had other plans for their immediate future.
* * *
Gordon Greer settled in behind his Bloomberg terminal, hoping for another quiet day. Yup. Maybe he could catch lunch with some of his Wall Street bros and watch some curling on the TV over the bar.
But first, it was time to buy and sell some oil.
Except no. He squinted at his screen: it looked like nothing was trading. That was odd. Was it a problem with his computer? He moved his mouse around. Nope, his cursor was live, so his system wasn’t frozen. So why were all the price and volume fields filled with zeroes? The exchanges couldn’t all be down. He clicked over to a financial news site.
Wow! They weren’t down – but for some reason, the exchanges couldn’t access any data to trade on. What a mess! If this didn’t get sorted out soon, he could take the rest of the day off.
* * *
At the headquarters of Baher AG in Zurich, Switzerland, the absence of information was causing far more anxiety. As the second largest oil trading company in the world, Baher’s empire of storage facilities, refineries, pipelines, shipping terminals, and tankers spanned five continents and every ocean. Now all those assets were suddenly invisible.
That was bad enough, but Baher was also the manager of the recently activated Global Petro Blockchain Network – or the GPN, for short. And the hundreds of corporate members of that network were jamming Baher’s switchboard with demands to know what the heck was going on.
At the center of the storm sat Jonas Baher, youngest son of the company’s founder and the one in charge of the new network. Uncomfortably for him, he was also the one who had convinced the global commodity trading elite to buy into the GPN. Not that it had been a tough sell. His proposal met with immediate interest because of the complex route a barrel of oil took between the well and the ultimate customer – the type of path industries referred to as a supply chain.
That journey typically included time in pipelines, ships, barges, and trucks with layovers in collection facilities, refineries, port terminals, and distribution centers. Everyone – or at least their chief technology officers – agreed that a blockchain would provide a far better tool for tracking the billions of barrels of oil products that changed hands each year. And a superior tool for handling the financial terms that lubricated that supply chain, too.