The document discusses the complexities and vulnerabilities of blockchain technology and cryptocurrencies, highlighting its use as a shared immutable ledger across various industries. It details numerous security breaches and hacks affecting cryptocurrency exchanges, ICOs, and smart contracts, emphasizing the necessity for robust security measures. Additionally, it outlines the activities of local hacker groups focused on infosec, hardware hacking, and community engagement in Puerto Rico.

1. “Hacking” Blockchain
José L. Quiñones, BSEET
MCSA, RHCSA, HIT, CNDP, CCFI, CMSP, C|EH, C|EI, C)PEH, C)M2I

2. ./whois Jose L. Quiñones
• UPR, School of Medicine
• IT Director
• Obsidis Consortia, Inc
• Co-Founder & CEO
• Head Organizer >> Security B Sides Puerto Rico
• Founder & Mentor >> Defcon Group 787
• Engine 4 CWS
• Technical Consultant for the IoT Lab & Smart
City Initiative
• Mentor for Habitants Internship Program
• Private Consultant & Technical Instructor
• Microsoft
• Linux
• Networking
• Cybersecurity

4. If This, Then NOT That
Cryptocurrency is blockchain,
… but blockchain is not just cryptocurrency

5. What is blockchain?
• A blockchain network is the notion of a shared, immutable ledger.
This ledger records all the transactions that take place within a
network and distributes exact copies of that record, cryptographically
protected so they cannot be changed, to all members on the network.
• IBM has hundreds of blockchain projects underway in diverse
industries, including supply chain, food safety, government,
healthcare, travel and transportation, chemicals and petroleum,
insurance and more.

6. Not all cryptocurrencies are created equal
• Bitcoin
• Bitcoin operates within a network of “anonymous” participants
• Etherium
• A.K.A. Blockchain 2.0, is an enterprise-class blockchain is openly governed
and feature permissioning to handle interactions between known parties.
• Zcash
• is the first open, permissionless cryptocurrency that can fully protect the
privacy of transactions using zero-knowledge cryptography.
• Ripple
• Bank backed centrally controlled blockchain

7. Must read!
• Bitcoin White paper
• https://bitcoin.org/bitcoin.pdf
• Ethereum White paper
• https://github.com/ethereum/wiki/wiki/White-Paper

8. Websites and devices gets hacked
• A cryptocurrency exchange or service website it’s still a website.
• Vulnerable to SQLi, DNS hijacking, XSS, etc. using “old fashion” cyber
attacks various cryptocurrency exchanges have been hacked.
• IoT devices and services standout for their lack of security measures.
• Unpatch computers/servers are vulnerable

9. Miner malware
• Many of the biggest malware botnets today exists simply to mine
bitcoin
• Browser based mining are using Chrome Extensions, Firefox Add-ons,
Embedded JavaScript and Webpage Widgets.
• MassMiner— uses exploits for vulnerabilities such as CVE-2017-10271
(Oracle WebLogic), CVE-2017-0143 (Windows SMB), and CVE-2017-
5638 (Apache Struts), also leveraging SQLck, a tool for carrying out
brute-force attacks against Microsoft SQL databases

11. Stolen file stores (wallets)
• Wallets with no passwords or with weak passwords can be access by
malware or an attacker if device is hacked.

12. Attacking the ICO
• Coindash, an Israeli based company, As a result of this hack, more
than half the funds being raised in the ICO were diverted to a rogue
Ether address. The ICO was suspended while the rogue address was
removed.
• Veritaseum completed an ICO, but only one month later it was posted
posted in the Veritaseum Slack group that hackers had stolen 36,000
VERI tokens at the time worth approximately USD$8.7M (USD$32.5M
as at 1 January 2017). The hackers defeated two factor authorization
on two different accounts
• The total value these and other hacks and fails on 1 January 2018
prices is just shy of USD$1 billion, an eye-watering USD$978M.

13. “Smart” contracts
• Smart contracts are meant to be stand-alone agreements,
not subject to interpretation by outside entities or
jurisdictions.
• Immutable, the code itself is meant to be the ultimate
arbiter of "the deal" it represents.
• No updates, no patches, once deployed it “can’t” be pulled
back.

14. The DAO Hack
• What is DAO?
• Decentralize Autonomous Organization
• Like decentralize Kickstarter or Venture Capital movement
• DAO tokens where used to vote for ideas
• What happened?
• The contract checked balance after sending the tokens
• The failure check made recursion possible
• 3.8 millions where stolen with 258 tokens

15. Tools & Methodology
• Review and Compile .sol file (solidity)
• Dissect code flow (Solgraph)
• Check functions (oyente)
• Mannually check for vulns
• Its all about the order of execution

16. Konstantinos Karagiannis
Defcon25 - Hacking Smart Contracts

17. Polluting the chain
… unremovable links
to illegal child
pornography

18. Some ways of polluting the Blockchain
• The coinbase field of a mined block allows for hex data which can
hold approximately 1 tweet worth of data.
• Multiple outputs can be used for a transaction such that each holds
hex data. This would imply dust value outputs (outputs of <5640
satoshis) and would be frowned upon for bloating the Blockchain.
• Hex data from a multi-signature transaction could be used to encode
information
• Sidechains allow for assets to be linked (though more abstractly) to a
time/black in the Blockchain

19. Embedding
• http://proofofexistence.com
• allows for a hash of a document to be embedded in the Blockchain
to prove an instance of an object (document/file) existed at a
certain time.
• Blockchain.info
• allows for messages which are linked to transactions but are not
embedded in the Blockchain.

20. Hacking trust
• Using an 1 of 3 raw multisig output, where 1 of the public keys is real
and the other 2 are just data. There's no way for the network to know
that the public keys given are not real public keys.
• Most cryptocurrencies expose your entire payment history to the
public.

21. DC787 Meets: at Engine 4 Co-Working Space in Bayamon, PR every other Wednesday. .
Location: Bayamon, Puerto Rico
Point of Contact: Jose L. Quinones
POC Email: josequinones@codefidelio.org
Website: pending
Description: The DC787 started as the “Init.d” InfoSec interest group in 2012. It was formed by several local hackers and started
meeting whenever we could and wherever we were welcomed. Jose L. Quiñones, Jose A. Arroyo and Carlos Perez run the meetings
and keep the social media outlets updated. We value community feedback and our activities are designed to fill the community’s
needs.
Interests: We work with Lock picking, Hardware Hacking, IoT, Blue & Red Team Techniques, and many other hacker/technology
related topics.

22. October / November
2018
Follow us: @bsidespr

23. Thanks!
• josequinones@codefidelio.org
• @josequinones
• http://codefidelio.org
• jquinones@obsidisconsortia.org
• @obsidis_NGO
• http://obsidisconsortia.org