Crowdcurity brings crowdsourced hacker testing to bitcoin

16 October 2013

Bitcoin websites are prime targets for cyber-attacks. Now, a company called Crowdcurity wants to apply the wisdom of crowds to make them more secure. How will it work?

Protecting against attacks isn’t optional if you want to keep your web-based bitcoin app in business. Bitcoin apps can often hold hundreds of coins, so their users face significant financial losses if the apps are compromised. This is particularly true in the case of exchanges.

For example, margin-trading site Bitcoinica was sued for $460,000 in 2012 after being hacked twice. US-based exchange Bitfloor suffered major embarrassment after 24,000 bitcoins were stolen following a hack in September 2012 – a figure that represented almost ten years of transaction fees. That’s a difficult loss to bounce back from. Nor were these the first instances; the problems go back further still: Vicurex saw its wallet compromised in 2011. And these are just examples from a far larger set.

Breaking into a web app

Not all of these bitcoin thefts are explicitly the result of website problems. Some stem from human error, and some are, as yet, unexplained. But one thing is for sure: badly-designed code doesn’t help, and is responsible for at least some of these issues.

How many ways can a person break into a web application? There are tens of them, but the Open Web Application Security Project (OWASP) breaks them down into ten broad categories. It updates the list each year, and 2013’s makes gruesome reading.

At the top of the list? Injection. This happens when someone injects code that shouldn’t be there into a web application, usually through a parameter passed to a URL. It can be used to execute unintended commands, including putting dangerous malware on a web page to infect visiting machines, or dumping customer details, for example.
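The difference between a query that can be injected and one that cannot, as an added example that is not part of the original article. The table, URLs and function names are constructed for illustration; the crafted URL carries a single quote in its `email` parameter, which changes the structure of the first query and returns every customer row, while the parameterized query treats the same value as plain data.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

def make_db():
    # Constructed sample data standing in for a site's customer table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers "
               "(id INTEGER PRIMARY KEY, email TEXT, btc_address TEXT)")
    db.executemany(
        "INSERT INTO customers (email, btc_address) VALUES (?, ?)",
        [("alice@example.com", "addr-alice"),
         ("bob@example.com", "addr-bob"),
         ("carol@example.com", "addr-carol")])
    return db

def email_param(url):
    # Decode the 'email' query parameter the way a web framework would.
    return parse_qs(urlparse(url).query).get("email", [""])[0]

def lookup_vulnerable(db, url):
    # BAD: the parameter is pasted into the SQL text, so a quote
    # character in it can rewrite the WHERE clause.
    sql = ("SELECT email, btc_address FROM customers "
           "WHERE email = '%s'" % email_param(url))
    return db.execute(sql).fetchall()

def lookup_safe(db, url):
    # GOOD: the parameter is bound as data; the SQL text is fixed.
    sql = "SELECT email, btc_address FROM customers WHERE email = ?"
    return db.execute(sql, (email_param(url),)).fetchall()

# Constructed URLs: a normal request, and one whose parameter decodes
# to  x' OR '1'='1
NORMAL = "https://shop.example/account?email=alice%40example.com"
CRAFTED = "https://shop.example/account?email=x%27%20OR%20%271%27%3D%271"

if __name__ == "__main__":
    db = make_db()
    for name, url in (("normal", NORMAL), ("crafted", CRAFTED)):
        print(name, "vulnerable rows:", len(lookup_vulnerable(db, url)),
              "safe rows:", len(lookup_safe(db, url)))
```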

Other potential attacks include exploiting poor security configuration (including configuration of hosting servers), and broken authentication, in which sessions are not properly managed, enabling attackers to hijack accounts. Another old chestnut is the cross-site scripting attack, in which bad data is sent to a browser using JavaScript, causing it to misbehave. The fact that these attacks are still possible years after they were first discovered is a discredit to the software development community.

The problem for a lot of software developers in the bitcoin space and elsewhere is that it is difficult to spot all of the bugs. Several bitcoin sites employ ‘bug bounties’ to solve the problem, offering eagle-eyed members of the community rewards to spot and fix problems.

Coinbase has one, with a minimum payout of 5 BTC, and no maximum payout. At the time of writing, it had awarded bitcoins to 27 people, amounting to at least 135 BTC. Payward, which runs the Kraken margin trading site, is stingier about its bounty program, offering a minimum of a single bitcoin per bug. Another bitcoin trading site, 1Broker, also ran a program.

Enter Crowdcurity

Crowdcurity hopes to standardize the bug bounty concept by outsourcing the process. The online service connects companies that have software to debug with a community of around 250 software testers, which it has found via security forums.

[Figure: How Crowdcurity works]

The firm isn’t solely bitcoin focused, as its process can be applied to any web-based application. Nevertheless, it’s an important market for the firm. “Bitcoin companies are already very focused on security and they know that they need to focus on it,” says Jacob Hansen, founder of Crowdcurity, who is already negotiating with at least one large bitcoin-based business. “Traditional e-businesses don’t always have the same awareness.”


Customers can create a reward program with the site, setting rules and amounts for bug programs. The challenge is then sent to the testing community, which works on reporting vulnerabilities. The customer validates the bugs in conjunction with Crowdcurity, and payouts are awarded based on bug severity.

More than half of the payouts have been made in bitcoins for the single customer that the firm had dealt with as of last week. “Many of these payments may be $25-$50 if the bugs are low criticality, and with bitcoins you have lower fees, and it makes payments faster,” Hansen says.

The site’s testers can target a test site, or an operational site that is already processing live data, Hansen explains. But sites shouldn’t just rely on external testers, he argues.

Crowdcurity is effectively a penetration testing service, in which a crowd of testers tries to hack a website. But what they don’t do is look at a site’s code. In one sense, this is a good thing, because closed source sites won’t want people ogling their intellectual property. In another sense, it leaves the analysis of the code up to the company, which then has to find the skills to do it.

“They should do security reviews of their code internally. Then, there are a lot of automatic tools out there which can look at your code and discover common vulnerabilities.” Crowdcurity uses tools like Brakeman for its own site, which scans for vulnerabilities in Ruby on Rails apps. There are more for other languages – but companies have to have the skills and discipline to use them.

As bitcoin grows up and companies get better funding, software developers will hopefully be in a better position to cover all of their security bases. And maybe we’ll see fewer disaster stories like Bitcoinica or Bitfloor.