Baddies Bash Bountiful Bitcoins

This past week, the value of a Bitcoin crossed the $1,000 threshold — marking a new milestone for the virtual currency.

Bitcoins first emerged in 2009 as a decentralised form of money and,  its value rises, interest from hackers and criminals has also climbed.

There’s gold in them there Bitcoins

One of the most recent Bitcoin-related exploits is malware that installs itself on users’ PCs in order to “mine” new Bitcoins. The virtual currency is created through digital mining that leverages compute power to discover new blocks of Bitcoins. The Bitcoin-mining malware was reported by security firm Malwarebytes and is being installed on victims’ PCs by way of a malicious toolbar application.

Websites in the Bitcoin ecosystem have also been under recent attack. The bitcointalk.org community site was attacked this past week, with attackers gaining access to user names and passwords on the site.

The risk from such an attack is that the attackers can now potentially use those accounts to profit from Bitcoin activities. In a more direct attack, the European Bitcoin exchange BIPS (Bitcoin Internet Payment System) was breached last week, exploiting users of $1 million in Bitcoins.

While attackers are going after Bitcoin-related sites, there is an important distinction between the security of the Bitcoin network and the Bitcoin exchanges, Joe DeMesy, senior security analyst at Bishop Fox, said.

“The Bitcoin network is a network of computers that communicate using the Bitcoin protocol, allowing persons within the network to exchange and mine Bitcoin, whereas a Bitcoin exchange is just a ite that allows users to sell their existing Bitcoin in exchange for other currencies, such as US dollars,” DeMesy told eWEEK.

Bitcoin compromises

No one has ever found a critical vulnerability within the Bitcoin protocol itself that would allow a user within the Bitcoin network to fraudulently create coins or forge transactions, DeMesy said.

That said, there have been compromises of various Bitcoin exchanges throughout the virtual currency’s lifetime, and as the value of a Bitcoin increases, so does the risk in using exchanges.

“The design of these exchanges requires users to transfer their Bitcoins into an exchange, and if an attacker compromises the exchange, they can extract all the Bitcoins stored therein,” DeMesy said.

The other risk for users comes from the security of Bitcoin wallets, which is the technology that actually holds the Bitcoins that users have.

“We have observed several malware packages targeting Bitcoin users’ wallet.dat files,” Adam Meyers, vice president of intelligence at CrowdStrike, told eWEEK. “Losing your wallet.dat file is like losing your actual wallet stuffed with cash—if it’s gone, you likely won’t see that money ever again.”

Bitcoin wallets can be stored locally on a user’s hard drive (and potentially lost if that drive is thrown out), but they can also be stored in the cloud with a service provider, which presents another set of risks.

The fact that Bitcoins could be stored on Web services, associating them with cryptographically generated addresses, exposes them to the common threat vectors in the application layer, Bala Venkat, chief marketing officer at application security company Cenzic, told eWEEK.

“Hackers can easily exploit the vulnerabilities via SQL injection, XSS [cross-site scripting], etc. and retool these vectors to steal Bitcoins from Web services and online wallet services,” Venkat said.

The other risk to users with Bitcoin wallets is that unlike credit card transactions, Bitcoin payments are not reversable by a central authority like a bank or a credit card issuer.

Only the person receiving the funds can refund the Bitcoin transactions, Venkat said. “This means one should take extra care to do business with people and organizations that they trust,” Venkat said.

The fact that there is no central governing body that oversees Bitcoin transactions or sets any security standards regarding how, where or for what the virtual currency is used is seen as a cause for concern by Devin Krugly, vice president of marketing and business development at AccessData.

“Nearly anyone with a minimal set of IT experience can set up a Bitcoin-mining and -transaction site, so novices can easily be hacked,” Krugly told eWEEK.

Ultimately, as is the case with real hard currency, it is the responsibility of Bitcoin users to protect their own Bitcoins.

“If you don’t have a backup plan for your wallet, or if the location of your wallets or your passwords is not known by anyone when you are gone, there is no hope that your funds will ever be recovered,” Krugly said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Originally published on eWeek.