Tuesday, October 18, 2016

Blockchain.info incident - very good incident response

Amongst others, Blockchain.info provides online bitcoin wallets which makes it an atractive target. Last week, something happened, fairly outside its reach, but that had an exemplary response even if it was taking down the whole service for a day. Cannot blame blockchain.info and I applaud

News say the registrar (whois results here) was breached and blockchain.info can only accept the risk.

Attackers somehow managed to change the DNS records of the domain. The trick, I presume, is to redirect users to a specially crafted website with the same design and trick the users into typing in credentials.
 
Interestingly, a user on reddit posted an alert just 1h or so after it happened. I asked how he found out and he told me that he spotted it by accident when his application (that pulls data from blockchain.info) was reporting errors. Most likely, the errors and warnings were due to the self-signed certificates the attacker was using. Firefox and Chrome will be very zelous about this and request a multi-click authorisation from the user.

Practical highlights:
  • even if your budget is low, monitor your security. There is a lot one can do with off-the-shelf tools or open-srouce or - even - with good ol'scripting.
  • have an incident response plan, document and distribute to everyone. If resources are lacking just do what blockchain.info did: pull the plug as soon something happens that looks minimally serious. Then investigate, document and use it to add more controls, technical or process, to your cybersec framework..
  • once more, it shows that HTTPS helps in more than one way. Buy certificates from a well-known CA and use it generously. The main browsers will cooperate - and often stop it there by alerting the user - and are intensely pushing a https-only web.
  • if possible, making sense and being practical, insist that your users adopt 2FA. In this case, it would have stopped breaches if combined, for example, with a single-active-session policy on blockchain.info's servers. 
  • interestingly, if you have software-based service on which others rely, take advantage of your users as all have the incentive. Leverage this crowd-sourced tool and implement an action in a new guideline. This user on reddit seems to have caught really fast and probably faster than a SIEM could have caught especially if you do not monitor that side of your infrastructure.










No comments:

Post a Comment