Chinese cyber-security firm Qihoo 360 Netlab reported last week that a group of hackers had stolen more than USD 20 million worth of Ethereum from Ethereum-based apps and mining rigs.
Even if you were not directly affected, it’s wise to know what happened and what you can do to protect yourself from such attacks.
First, what caused the theft in the first place? The answer is an exposed vulnerability. Ethereum software applications have been configured to enable a Remote Procedure Call (RPC) interface that provides access to the programmatic API (application programming interface). In principle, only approved third-party services or apps should be able to query, interact with, or retrieve data from the Ethereum-based service. However, the RPC interface also opens up access to sensitive functions, such as those handling private keys and personal information. Logic would dictate that the RPC interface should be disabled at all times. While this is mostly the case (the interface comes disabled by default in most apps, with a stern warning not to enable it without sufficient protective measures), it’s not foolproof. The Achilles’ heel appears to be that it’s relatively easy to hack Ethereum apps that expose an RPC interface to the whole internet rather than restricting it to purely local requests.
So what can you do? First, do not configure your Ethereum client unless you know what you’re doing. Familiarize yourself with the warning notices (and their implications). If you do want to tinker with the app, educate yourself. Don’t automatically pick the first solution you come across. Do your due diligence and IF you must enable the RPC interface, secure it using an Access Control List (ACL), firewall, or some other authentication system.
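As an added example (not from the article or any client project), here is a small audit of a node's command line that flags the two things described above: an RPC interface bound to every network interface rather than to local requests, and sensitive API namespaces switched on. It assumes a go-ethereum (geth) style client and its `--http`/`--http.addr`/`--http.api` flags (older spellings `--rpc`/`--rpcaddr`/`--rpcapi`); the sample command lines are constructed.

```python
"""Audit a geth-style command line for an exposed JSON-RPC interface.

Assumption (not from the article): the client is go-ethereum, whose HTTP
JSON-RPC flags are --http, --http.addr and --http.api (older releases used
--rpc, --rpcaddr and --rpcapi). Sample command lines in tests are constructed.
"""
import ipaddress
import shlex

# Namespaces that touch key material, account unlocking or node control.
SENSITIVE_APIS = {"personal", "admin", "miner", "debug"}
ENABLE_FLAGS = {"--http", "--rpc"}
ADDR_FLAGS = {"--http.addr", "--rpcaddr"}
API_FLAGS = {"--http.api", "--rpcapi"}


def parse_flags(cmdline):
    """Return {flag: value} for --flag value / --flag=value; bare flags map to True."""
    tokens = shlex.split(cmdline)
    flags = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, value = tok.split("=", 1)
                flags[key] = value
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                flags[tok] = tokens[i + 1]
                i += 1
            else:
                flags[tok] = True
        i += 1
    return flags


def audit_rpc(cmdline):
    """Return a list of findings; an empty list means the RPC exposure is acceptable."""
    flags = parse_flags(cmdline)
    findings = []
    if not ENABLE_FLAGS & flags.keys():
        return findings  # RPC disabled: the default, and the safe state
    addr = next((flags[f] for f in ADDR_FLAGS if f in flags), "127.0.0.1")
    try:
        reachable_from_network = not ipaddress.ip_address(addr).is_loopback
    except ValueError:  # a hostname such as "localhost"
        reachable_from_network = addr != "localhost"
    if reachable_from_network:
        findings.append(f"RPC bound to {addr}: reachable from the network, not just this host")
    apis = next((flags[f] for f in API_FLAGS if f in flags), "")
    exposed = SENSITIVE_APIS & {a.strip() for a in apis.split(",") if a.strip()}
    if exposed:
        findings.append(f"sensitive namespaces enabled: {', '.join(sorted(exposed))}")
    return findings
```

A clean result still only covers the bind address and namespaces; the firewall or ACL in front of the port, as the article recommends, has to be checked separately.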
Staying one step ahead of hackers is hard, but the point of these safeguards is to make attacks difficult and unprofitable. Don’t be the low-hanging fruit. Protect yourself with knowledge, and by applying it.