Interlock recently held a livestream event centered around demystifying Web3 security. Andrew Ciaccia, co-founder and CMO at Interlock, kicked off the interview. He expressed his excitement about having their Security Advisor, Ethan Johnson, present valuable insights and learning opportunities on Web3 security.
Andrew noted that Ethan brought a uniquely compelling perspective to the discussion. With over a decade of cybersecurity expertise, Ethan has served as a Chief Information Security Officer (CISO) at various companies, thus offering a deep understanding of security threats and defense mechanisms at large institutions. Moreover, Ethan’s specialization in demystifying Web3 security architecture and control design distinguished him further. His experience spanned notable roles at major financial entities, including Citadel Securities, Galaxy Digital, and Bank of New York Mellon.
Die Hard: Connecting Pop Culture to Crypto Security
Andrew was eager to dive into the conversation. He set the stage by presenting a question that intriguingly connected pop culture with technical expertise, asking Ethan how the movie Die Hard related to crypto security.
Ethan explained a concept often overlooked or not immediately connected: bearer assets or instruments. In Die Hard, the antagonists targeted bearer bonds. These bonds lacked any associated name, meaning that possession equated to ownership. This concept drew a strong parallel to the world of cryptocurrency — just as possessing bearer bonds meant controlling them, holding onto one’s crypto keys essentially granted control over those digital assets and their movement.
Current Attack Vectors and Evolving Threats in Crypto Security
Andrew asked Ethan about the latest attack vectors and emerging threats in the crypto space.
Johnson provided an in-depth analysis of the current security landscape. At a high level, the issues making headlines were largely familiar, echoing patterns from recent years. The threats remained diverse, encompassing everything from fake tokens and malicious smart contracts to the exploitation of vulnerabilities. Consequently, while defenses against attacks like MEV attacks and flash loans had improved, the attacks themselves had become increasingly sophisticated.
Moreover, Ethan highlighted the ongoing problem of “pig butchering” scams, where perpetrators trick individuals into crypto schemes rather than stealing directly. This form of scam had unfortunately extended its reach beyond the crypto community, luring people not previously involved with digital assets.
Persistent Threats and Evolving Risks: Insider Threats and Physical Attacks
Furthermore, he observed that traditional issues, such as stolen keys and weak key management practices, persisted. Some high-profile hacks affecting major institutions raised concerns about insufficient attention to insider threats. As asset values increased, the risk of malicious actions from insiders grew, compounded by the trend of remote work and interviews, which had made it easier for entities like North Korea to infiltrate companies.
Physical attacks had also become more prevalent. He recalled a recent tragic incident in Ukraine, where violence over a sum of $170,000 had resulted in a fatality. This event spotlights the dark side of such attacks and the extreme lengths to which some would go, although the perpetrators were swiftly apprehended. Ethan lamented that such violence, driven by the perceived value of targets, illustrated the grim reality of security threats. Significantly, he tied this back to the Die Hard analogy, emphasizing that attacks often stemmed from a perceived value, reinforcing the notion that if something seemed worth attacking, it eventually would be.
Demystifying Web3 Security: Advanced Social Engineering Attacks and the Role of AI
Andrew inquired about some sophisticated social engineering attacks, prompting Ethan to share an intriguing example. He recounted an incident from about six months prior involving an advanced AI-driven attack. In this case, a large multinational company faced a significant breach where tens of millions of dollars were transferred. The funds were not from Web3 but rather from traditional finance.
The attack leveraged AI to convincingly mimic a senior executive’s voice and even generate a video presence, making it appear as though the communication was with high-level company leadership. This deception led employees to authorize the transfer of a substantial sum, illustrating the power of AI in social engineering.
Ethan pointed out that such incidents might not be isolated. Many companies, especially those not publicly traded, may not disclose these attacks, preferring to avoid the negative attention. Consequently, what is reported might only be the tip of the iceberg, leaving a broader range of such incidents unrecognized and unreported.
Sharing a more intriguing and recent example of a social engineering incident, he recounted a notable event involving a company called KnowBe4, which, while not a Fortune 100 firm, was well-known in the InfoSec community for its training and phishing testing services. Remarkably, KnowBe4 inadvertently hired an individual who was later discovered to be affiliated with North Korea. This individual had likely employed AI to impersonate someone else, effectively using a false identity.
Subsequently, the incident became public knowledge because KnowBe4 managed to identify and neutralize the threat within hours of the individual’s arrival. This swift response highlighted the reality of increasingly sophisticated threats. Moreover, Ethan emphasized that the rise of AI had significantly complicated the process of detecting such threats, making what would have been relatively straightforward to identify five or ten years ago much more challenging today.
Social Engineering Tactics and the Risks of Deceptive Links
Andrew reflected on the social engineering challenges faced by even smaller companies like theirs. Despite not being a massive corporation, Interlock frequently encountered attempts from scammers posing as job applicants or event organizers. These attempts often involved invitations to events or requests for collaboration, with links that seemed legitimate but were actually deceptive, such as fake Calendly links.
He also mentioned that such attempts occurred almost weekly, underscoring the importance of vigilance. He advised staying alert and cautious about unsolicited links, as one could never be certain about the intentions of those on the other side.
Adding a crucial point about the risks of clicking on deceptive links, Johnson emphasized that even if a link appeared harmless and everything seemed fine, one should not become complacent. For those not well-versed in cybersecurity, it was essential to remain cautious.
Furthermore, an apparently benign link could still lead to more sophisticated attacks even when no immediate signs of compromise were evident. Many incidents have resulted in financial losses due to such hidden threats, particularly in cases where individuals used single-signature systems for their cryptocurrency. Consequently, Ethan advised against overconfidence and stressed the importance of vigilance even after seemingly minor incidents.
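The "seems legitimate" problem with scheduling links comes down to which part of a URL is the host. The following added example (not from the interview and not Interlock's code) classifies a link before anyone clicks it. It assumes `calendly.com` is the only scheduling domain the team expects; the character-substitution map and every sample link are constructed.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: the one scheduling domain this team expects in invitations.
EXPECTED_DOMAINS = ("calendly.com",)

# Constructed map of ASCII characters often swapped for a similar-looking letter.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l"})


def skeleton(label):
    """Fold a host label so visually similar spellings compare equal."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")  # punycode -> Unicode
        except UnicodeError:
            pass  # leave undecodable labels as they are
    folded = unicodedata.normalize("NFKD", label.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    # Accent stripping does not cover cross-script homoglyphs (e.g. Cyrillic).
    return folded.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def check_link(url):
    """Return (verdict, reason): 'expected', 'lookalike', 'unexpected' or 'invalid'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ("invalid", "URL could not be parsed")
    if parts.scheme != "https" or not host:
        return ("invalid", "not an https link with a host name")
    for domain in EXPECTED_DOMAINS:
        brand = domain.split(".")[0]
        # Only the host decides where the browser connects, never path or userinfo.
        if host == domain or host.endswith("." + domain):
            return ("expected", "host is %s or a subdomain of it" % domain)
        if brand in (parts.username or "").lower():
            return ("lookalike", "brand sits before '@'; real host is " + host)
        for label in host.split("."):
            if brand in label:
                return ("lookalike", "brand name reused in other host " + host)
            if skeleton(label) == skeleton(brand):
                return ("lookalike", "label %r imitates %r" % (label, brand))
    return ("unexpected", "host %s is not an expected domain" % host)


# Constructed sample links; every non-Calendly host uses the reserved .example TLD.
SAMPLES = [
    "https://calendly.com/partner/intro-call",
    "https://calendly.com.invite.example/partner",
    "https://calendly.com@invite.example/partner",
    "https://ca1endly.example/partner",
    "https://calendIy.example/partner",
    "https://invite.example/calendly.com/partner",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", *check_link(link))
```

Only an `expected` verdict means the host matches; as the discussion above stresses, a matching host says nothing about whether the page behind it is safe.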
In demystifying Web3 security, it becomes clear that advanced social engineering attacks and AI-driven threats pose significant risks across both traditional finance and the digital realm. The sophisticated nature of these attacks, such as AI-generated voice and video impersonations, underscores the evolving complexity of cybersecurity. By examining high-profile incidents and the risks associated with deceptive links, it’s evident that vigilance is paramount.
Understanding Advanced Security Measures in Asset Protection
Ethan discussed the concept of proportionality in cybersecurity, emphasizing its importance for effectively safeguarding assets. He explained that as organizations scale, controls must be proportional to the value of their assets and the associated threats.
Specifically, Ethan highlighted that investing a million dollars in controls would be excessive if only protecting ten dollars worth of assets. Conversely, spending just ten dollars on controls when managing millions of dollars in assets could be dangerously insufficient. It is crucial to ensure that security measures match the value of the assets being protected.
Moreover, Ethan pointed out that asset values and threat landscapes are dynamic and can change unexpectedly. Fluctuations in asset value could alter the threat picture, making it essential to regularly reassess and adjust security measures accordingly. By doing so, individuals and organizations could better manage and protect high-value assets in an ever-evolving environment.
Implementing Sophisticated Security Protocols for High-Value Assets
Andrew highlighted an important goal at Interlock: not only encouraging people to share data but also to prioritize security. He noted that, all too often, security becomes an afterthought, only receiving attention after an attack or loss has occurred.
Turning to Ethan, Andrew asked for insights into the advanced security measures employed by companies and funds managing hundreds of millions or even billions of digital assets. Ethan, drawing on his experience developing security programs for such high-stakes environments, provided a glimpse into the sophisticated strategies these organizations used to safeguard their digital assets.
Interlock’s Security Advisor stated that with such significant funds at stake, security protocols should be elevated to a different level. For example, it would be highly unusual to find a scenario where a single individual could move these funds, as this poses a significant risk.
Instead, these organizations implement solutions like Multi-Party Computation (MPC) and multi-signature (multisig) systems to ensure that multiple parties are involved in authorizing transactions. Additionally, they establish rigorous protocols for each signer, including detailed procedures for how individual signers should handle their responsibilities.
Johnson also pointed out that some of these practices are standard best practices that everyone should adopt, while others represent more advanced measures tailored to high-value assets. This includes enhanced security for devices and laptops, as well as the use of hardware signing devices. These comprehensive steps help secure the overall ecosystem, from the initial transaction authorization to the ongoing protection of sensitive equipment.
Demystifying Web3: Essential Security Practices for Retail Investors
Ethan offered detailed advice for retail investors on securing their digital assets. He emphasized that while comprehensive security cannot be condensed into a brief explanation, several key practices could significantly enhance protection.
Firstly, Ethan recommended using hardware wallets to store digital assets. These devices provide a high level of security by keeping private keys offline. Additionally, he stressed the importance of employing strong two-factor authentication (2FA) for most services and considering passwordless authentication methods as a more secure alternative.
Furthermore, Ethan advised keeping devices patched and up to date, avoiding installations from dubious sources, and being cautious with links from unknown origins. Regular backups were also crucial, ensuring that recovery was possible in case of hardware failure.
Ethan also highlighted the importance of understanding the confidentiality, availability, and integrity of one’s assets. He suggested avoiding interactions with unknown tokens and being aware of tactics like dusting, which could compromise security. For those using DeFi exchanges, he recommended maintaining separate wallets for different activities to limit exposure and manage risks more effectively.
Lastly, he pointed out the value of tools such as transaction simulators and educational resources to better understand potential risks and transactions. By implementing these practices, investors could build a more robust defense against potential threats over time.
Evaluating Software and Browser Extension Wallets vs. Hardware Wallets
Ethan shared his perspective on software and browser extension wallets, noting that while they could be acceptable for very small amounts or for testing purposes, they were not ideal for managing significant funds. He pointed out that, despite their convenience, these wallets often fall short in protecting against the most advanced threats. Consequently, Ethan advised the use of more secure methods, such as hardware wallets, to ensure better protection of assets for substantial or meaningful amounts of cryptocurrency.
Ethan explained the concept of dummy wallets as a strategy to protect against physical attacks or coercion, such as a “wrench attack.” He described how having a dummy wallet with a seed phrase for non-essential funds could be a useful tactic.
For instance, if confronted by someone attempting to steal assets, one could provide a dummy wallet instead of the actual one. Some devices even offer the ability to store separate sets of funds within the same device, allowing for additional layers of deception.
Ethan noted that while this approach could be more advanced with features like separate fund areas, even a basic dummy wallet with a fake seed phrase might deter attackers. The goal was to trick the attacker into accepting the dummy assets, thereby protecting the real funds from theft.
Leveraging Social Media for Timely Crypto Security Insights
Offering an unexpected yet practical tip for enhancing individual crypto security, Ethan emphasized staying up-to-date on social media. He pointed out that trends and news often emerge first on platforms like Twitter. For example, he recalled learning about the Ledger vulnerability through social media rather than traditional cybersecurity feeds.
The key was not about having the most sophisticated tools but about being effective and timely in responding to new threats. This approach mirrored the mission of Interlock, which leverages crowd-sourced security capabilities to provide rapid intelligence and updates.
Andrew echoed this sentiment, highlighting that Interlock harnesses the power of crowd-sourced data and user reporting to enhance security. By integrating these timely insights into their products, they aimed to offer a proactive defense system for users.
Interlock’s Edge: Crowdsourced and AI-Driven Security Solutions
Moving along in the AMA, Andrew asked Ethan how he believes Interlock differs from traditional security tools. Johnson said Interlock stands out through its crowdsourced and AI-driven approach: its integration of crowdsourced data and advanced AI technologies differentiates it from conventional solutions. Unlike gimmicky or superficial applications of AI, Interlock uses it effectively to provide valuable insights and enhance security. This approach benefits users and also encourages active participation and engagement with the platform.
He pointed out that many security software products and online services collect data from users without necessarily offering direct rewards in return. This practice extends beyond security tools to various internet services, including ISPs, browsers, and social media platforms. He noted that while this data collection is often outlined in legal terms and privacy policies, it remains a significant part of the digital ecosystem.
Furthermore, Ethan highlighted that while many services, such as free email providers, may offer no-cost access, they typically monetize through data collection and analysis. This model serves as a reminder for users to be mindful of where and how their data is being used, even if the service appears to be free.
Strategies for Detecting and Mitigating Deep Fake Phishing Attacks in Web3
The Demystifying Web3 Security podcast tackled a pressing question from Interlock users, which was highly pertinent to the discussion: How can we effectively detect and mitigate sophisticated phishing attacks that use deep fakes to impersonate trusted individuals or organizations, especially within the Web3 space where social engineering is a significant concern?
To tackle sophisticated phishing attacks that leverage deep fakes for impersonation, Ethan offered one key strategy: avoid relying on a single communication channel. Trusting a person’s word alone is risky, so it’s essential to verify the authenticity of their messages through an independent method. For instance, a car company recently averted a major threat by cross-checking a detail from the supposedly trusted communication. When the response didn’t align with expectations, it revealed an attempt at deception, preventing a significant theft.
Another important aspect is the effective use of multi-factor authentication (MFA). Despite its proven benefits, MFA adoption remains slow, and many organizations still face security issues due to its inadequate implementation. Major breaches, including those involving high-profile entities like government agencies, have spotlighted the problem. Shared accounts, for example, can undermine MFA’s effectiveness, illustrating the need for proper and consistent security measures.
Enhancing Verification and Managing Anonymity in Web3 Security
Noting the parallel between Web2 and Web3 security, Ethan pointed to major transactions and identity verification. It’s crucial to perform thorough checks and verifications to ensure you’re dealing with legitimate parties. Modern tools can enhance this process by requiring individuals to provide identification documents, such as a driver’s license or passport. These tools can scan and verify the document’s details and match the photo to the person.
Despite these advancements, AI attacks are continually improving, creating an ongoing arms race between security measures and malicious tactics. As technology evolves, the challenge of keeping pace with increasingly sophisticated threats remains a critical concern.
Moreover, in the realm of cryptocurrencies, the idea of anonymity is often overstated. Most transactions are pseudonymous rather than completely anonymous. When converting funds from the Web3 world into traditional currencies or depositing them into a bank account, the process typically involves identity verification. This step creates a traceable record that law enforcement can track if needed.
While cryptocurrencies offer a degree of privacy, this is not absolute. Exceptions exist, particularly with certain privacy-focused coins, but these represent a much more complex and nuanced area of discussion.
Securing Interlock: Inside ThreatSlayer’s Multi-Layered Defense
Andrew posed a thought-provoking question, reflecting on the intersection of user experience and security. He highlighted a common issue: many security solutions falter due to excessive friction, leading users to either avoid or disable them. At Interlock, the goal was to streamline security so that it operated seamlessly in the background, only becoming noticeable when necessary. Notably, this approach aimed to integrate protection passively, enhancing user experience without compromising security.
With that context, Andrew asked Ethan a crucial question about safeguarding Interlock itself. Specifically, if Interlock was designed to protect users, who protected Interlock from threats? This inquiry delved into the multi-layered nature of security at Interlock, particularly concerning ThreatSlayer.
Ethan explained that Interlock employed several rigorous measures to ensure its own security. The company had undergone comprehensive audits of its smart contracts and the ThreatSlayer product. On the Web2 side, Interlock had engaged in penetration testing, where former hackers were hired to identify vulnerabilities in the software. Consequently, these findings were addressed promptly to fortify the system. The results of these tests will be published as the launch approaches.
On the operational and human side, Interlock relied on experts like Ethan to bolster its security posture. This included establishing robust security policies, implementing effective backup and recovery procedures, and managing access controls diligently. It was a blend of human oversight and technological solutions that ensured the company’s safety.
Exploring Systemic Risk: Security Challenges with Crypto ETFs and Centralized Assets
In a prior discussion, Ethan and Andrew had touched upon the concept of systemic risk, particularly in the context of exchange-traded funds (ETFs). Andrew invited Ethan to elaborate on the security concerns associated with ETFs, acknowledging that this was a significant topic within the broader discussion of systemic risk.
Ethan began by addressing the financial side of the issue. He noted the growing popularity of crypto ETFs, which had led to a significant influx of assets from traditional finance into the crypto world. However, he pointed out a critical concern: the centralization of these assets. Despite the decentralized ethos of the crypto ecosystem, a substantial portion of the funds was managed by a relatively small number of entities, such as Coinbase. This centralization created a potential single point of failure, posing a significant risk to the entire ecosystem.
Andrew then highlighted a recent example relevant to systemic risk — the situation involving CrowdStrike. Ethan agreed that this case underscored the difficulties and immense investment required to manage such risks effectively. He referenced the Delta Airlines incident, where a large number of devices were compromised, demonstrating the challenge of maintaining operational integrity when IT support is not readily available.
If an asset or service is critical, placing all reliance on a single provider can be perilous. He acknowledged that while CrowdStrike had previously maintained a strong reputation, the recent issues revealed vulnerabilities that might have been overlooked or deprioritized. The incident shows the inherent risk of depending entirely on any single provider, be it a security firm or an operating system vendor like Microsoft.
Demystifying Web3 Security for a Safer Future
In conclusion, Interlock’s recent livestream event brought essential insights into the evolving landscape of Web3 security, anchored by Andrew Ciaccia’s engaging interview with Interlock’s Security Advisor, Ethan Johnson. The discussion illuminated critical aspects of security, from the intricate challenges of crypto ETFs and the impact of centralized assets to the profound implications of sophisticated phishing attacks and systemic risks.
The conversation also highlighted Interlock’s commitment to integrating seamless, behind-the-scenes security measures with its ThreatSlayer product, demonstrating the importance of multi-layered defenses. As the security landscape continues to evolve with emerging threats and advanced social engineering tactics, the principles shared during the event offer a solid foundation for both individual investors and organizations to build resilience.
By demystifying Web3 security, this event has equipped viewers with the knowledge and tools needed to navigate the digital frontier safely. As technology and threats advance, ongoing vigilance and adaptation remain crucial in maintaining a secure and trustworthy digital environment.
*Disclaimer: News content provided by Genfinity is intended solely for informational purposes. While we strive to deliver accurate and up-to-date information, we do not offer financial or legal advice of any kind. Readers are encouraged to conduct their own research and consult with qualified professionals before making any financial or legal decisions. Genfinity disclaims any responsibility for actions taken based on the information presented in our articles. Our commitment is to share knowledge, foster discussion, and contribute to a better understanding of the topics covered in our articles. We advise our readers to exercise caution and diligence when seeking information or making decisions based on the content we provide.