TRANSCRIPT
Untraceable Currency
Today’s Moderator:
Mark Kadrich
CISO at Martin Luther King, Jr. Hospital
Over 30 years in the security industry
To ask a question: type your question in the Questions area of your screen.
#ISSAWebConf
Speaker Introduction
Today’s Speakers
Jean Pawluk: Executive Consultant, ISSA Distinguished Fellow
Gerry McGreevy: Senior Systems Analyst – Physician Network, MD Anderson Cancer Center
Branden Williams: CTO at Union Bank
Speaker Introduction
Jean Pawluk
• Executive Consultant
• Distinguished Fellow of the Information Systems Security Association (ISSA) and honored in 2015 as a Woman of Influence by SC Magazine
• Developed an interest in security and cryptography while building electronic funds transfer networks for the financial industry; now focused on blockchains, augmented and virtual reality (AR/VR), and the Internet of Things (IoT)
• She is a speaker, lecturer, and consultant on various emerging technologies including information security.
• An initial founding member of the Cloud Security Alliance and currently on the advisory board of several startups
Blockchain and Cryptocurrency
The good and some lessons learned
Jean Pawluk
ISSA presentation
August 22nd, 2017
Why blockchains?
➢ Trust – Through the use of Blockchain, all the parties involved in a transaction only have to trust the technology.
➢ Transparency – Because the ledger is distributed, all peers involved in the transaction network can view it (subject to security rights, of course).
➢ Accountability – Since all parties in the transaction can view the distributed ledger, everyone can agree on how the transaction is progressing while it is ongoing, and how it went once it is complete.
What the Blockchain IS NOT:
➢ Bitcoin or Altcoins
- They use blockchain structures
➢ Blockchain is not fast - looking at the longest chain in bitcoin can take a while
➢ Blockchain is not simple - complexity grows as efforts increase around scalability issues such as sidechains, partial chains, light clients, pruning, cross-chains, etc.
What is it good for?
Vitalik Buterin, Ethereum’s founder, on where blockchains fit:
“The solution that is optimal for a particular industry depends very heavily on what your exact industry is. In some cases, public is clearly better; in others, some degree of private control is simply necessary. As is often the case in the real world, it depends”
Hype vs. Reality
➢ Remember the “year of PKI”? Today it’s “Blockchain Fever”
➢ Most R&D projects end in failure or pivot to new areas of research
- R3 consortium dropped blockchain projects in 2017
➢ Need to identify where investments in blockchain R&D have the most impact based on:
- current technology maturity
- real savings in costs / processes
- evolution of commercial ecosystems
- public’s willingness to embrace a blockchain economy
Peer to Peer distributed ledgers
➢ Blockchain technology uses a peer-to-peer network of parties, who all participate in a given transaction.
➢ Uses a distributed ledger that is visible to all parties involved in the transaction.
➢ Through a consensus network, the ledger is guaranteed to be consistent.
➢ Ledger is distributed so everyone involved can see the “world state” at any point in time, and can monitor the progress of the transaction.
➢ Ledger is encrypted so that only parties allowed to view it may do so.
Smart Contracts
Contract
➢ A written or oral agreement that is intended to be enforceable by law
Smart contract
➢ Code that facilitates, verifies, or enforces the negotiation or execution of a digital contract. Ideal for machine-to-machine business processes
Smart contract code on Blockchain
- Encapsulates business logic as a computer program
- Represents the events which trigger that logic as messages to the program (allowed if pre-set conditions are met)
- Digital signatures are used to prove who sent the message
Example
Car rental agencies could use smart contracts that automatically allow rentals when payment is received and insurance information is confirmed through a blockchain record.
Gartner predicts: Blockchain Will Grow Up
➢ By 2022, a blockchain-based business will be worth $10 billion.
➢ Blockchain technology is established as the next revolution in transaction or event recording. A blockchain ledger provides an immutable, shared view of all transactions between engaging parties in a distributed, decentralized network
➢ While the bitcoin blockchain ledger is itself well understood, blockchain remains an immature technology.
➢ By 2020, new businesses and business models will emerge based on smart contracts and blockchain efficiencies. These smart contracts automate at a level of reliability, customization and speed not achievable with traditional business systems.
Some Blockchain Use Cases
Internet of Things: Device management
Healthcare: Electronic medical records; Doctor-vendor RFP services & contracts; Blockchain health research commons; Blockchain health notaries
Government: Government vendor processes; Voting; Taxes
Industrial: Manufacturing processes
Financial services: Letters of credit; Corporate debts and bonds; Trading platforms; Payment remittance; Foreign exchange
Insurance: Claims processing; Ownership titles; Sales & underwriting
Retail: Loyalty points
Other industries: Gaming; Music
Cross-industry: Identity management; Capital asset management
Blockchain Consortiums
➢ Over 25 Blockchain Consortiums globally
➢ Usually organized by industry verticals
- Research & development questions: how blockchain will affect businesses, governments, consumers
- Current projects: what are my peers doing and who should we partner with
- Cost and value drivers for blockchain
➢ The four largest consortiums are in financial services and tech
Types of Blockchains
Public Blockchain (Permissionless)
Everybody in the world can read, anyone can send transactions and expect to see them included if they are valid, and anyone can participate in the consensus process
Private Blockchains (Permissioned)
➢ Consortium Blockchain: the consensus process is controlled by a preselected set of nodes. Example: a consortium of several banks, each of which operates a node, where some number of banks must sign every block in order for the block to be valid
➢ Private Blockchain: write permissions are kept centralized to one organization. Read permissions may be public or restricted to an arbitrary extent.
DAO / DAC
➢ Decentralized Autonomous Corporations / Organizations
➢ A computer program, with its own code and state, that can programmatically manage flows using smart contracts to automate processes
- The whole behavior of the program is pre-established
Public Blockchain Issues
➢ One of the drawbacks of a public blockchain is the substantial amount of compute power needed to maintain a distributed ledger at a large scale.
➢ To achieve consensus, each node in a network must solve a complex, resource-intensive cryptographic problem called a proof of work, to ensure all blocks in the chain are in sync.
➢ Openness of public blockchain: little to no privacy for transactions
Gartner top 10 blockchain mistakes
1. Misunderstanding or ignoring the purpose of blockchain technology
2. Assuming that current technology is ready for production use
3. Confusing future blockchain technology with the present-day generation
4. Confusing a limited, foundation-level protocol with a complete business solution
5. Viewing blockchain technology purely as a database or storage mechanism
6. Assuming interoperability among platforms that don’t exist yet (blockchain standards do not yet exist)
http://www.gartner.com/smarterwithgartner/top-10-mistakes-in-enterprise-blockchain-projects/
Gartner top 10 mistakes (cont.)
8. Assuming that smart contract technology is a solved problem - smart contracts currently lack scalability, auditability, manageability and verifiability; there is no legal framework currently in existence, locally or globally, for their application.
9. Ignoring funding and governance issues for a peer-to-peer distributed network - multiparty systems require new approaches to governance, security and economics that raise technical as well as political, societal and organizational questions.
10. Failure to incorporate a learning process - enterprises must take a hands-on approach to blockchain projects.
Roadblocks: Fidelity Lessons Learned 1 & 2
Fidelity CEO Abigail Johnson reflects:
1 Technological shortcomings
➢ The first concerns blockchain technology itself; there were "still questions to be answered."
➢ "We understand there are important trade-offs that need to get made as these systems grow," Johnson said. "We care about the trade-off between scalability, privacy, and achieving peer-to-peer settlement."
➢ Of these three, privacy was the most important; she called it "a core customer need" that was an area of investment for Fidelity initiatives.
2 Regulation
➢ Johnson called regulation "the policy challenge," as innovation in the blockchain industry was happening so fast "that it is outpacing the regulator's ability to keep up."
➢ The Securities and Exchange Commission (SEC) ruled against a product that would have led to the first bitcoin-tracking exchange-traded fund (ETF), citing a lack of regulation in the marketplace.
➢ "We need to continue to work with regulators to have an open dialogue about this technology."
Roadblocks: Fidelity Lessons Learned 3 & 4
3 Control
➢ "Networks like bitcoin, by design, have no formalized management structure," Johnson said. "They're open projects, which is great, but companies like Fidelity don't have the clarity on the future path they might take, or how to influence the developer communities."
➢ "The financial services industry will need to work to understand the risks associated with who controls the features of these new systems."
4 "Human Problems"
➢ "The human problem" is Johnson's reference to how bitcoin and blockchain are often seen as "solutions in search of a problem."
➢ Wider consumer acceptance issues
- "The cafeteria in the Fidelity headquarters began to accept payment in bitcoin, doubling the number of places in Boston that did," Johnson joked.
- "We don't just need these systems to be technically better; we need them to be more user friendly."
Initial Coin Offering (ICO)
Unregulated means by which funds are raised by crowdfunding for a new cryptocurrency venture.
➢ A percentage of the cryptocurrency is sold to early backers of the project in exchange for cash or cryptocurrencies (usually Bitcoin)
➢ Bypasses the rigorous and regulated capital-raising process required by the SEC, venture capitalists or banks
➢ Crypto tokens from the venture are not stocks
8/24/2017 (c) Jean Pawluk
Feeding Frenzy
➢ Speculators and scammers are rushing in
➢ People are “investing” in ICOs and cryptocurrencies
- Maxing out credit & debit card purchases
- Draining bank accounts & retirement plans
- Mortgaging homes
➢ Sound familiar? Some may win big, but many will lose most or all
➢ Are you and your customers financially savvy?
- Risks:
- No protection against loss
- Not regulated or registered
- Scarcity and volatility of tokens is not a guarantee of future profits
- No guarantee that the new ICO project will be there tomorrow
Is Bitcoin Anonymous?
➢ Yes, but not untraceable
➢ Bitcoin is pseudonymous: a pseudonym (the bitcoin address) is recorded, but the identity behind it is unknown.
➢ Tumblers / mixers attempt to disguise the source and destination of transactions that would connect to a real identity
➢ So how do you move your ill-gotten gains in public view?
- Send and receive bitcoins to another bitcoin address on the blockchain. Use several addresses and store coins elsewhere in wallets and / or in dark exchanges.
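The slide above says "use several addresses" is how funds are moved in public view. The example below, added here and not part of the presentation, shows why that alone does not break traceability: the common-input-ownership heuristic that chain-analysis services use treats every input of a transaction as belonging to one wallet, so a single KYC'd exchange deposit exposes the whole address cluster. It also shows the caveat, a CoinJoin-style mixing transaction, which the heuristic must skip or it silently merges unrelated owners. All transactions, addresses and the exchange account label are constructed for the demo.

```python
"""Address clustering over constructed transactions (example code, not from the talk).

Common-input-ownership heuristic: every input of a transaction is assumed to be
controlled by the same wallet, since one signer had to authorise all of them.
Linking any one address in a cluster to a person (e.g. via an exchange deposit
that went through KYC) therefore exposes the whole cluster.
"""
from collections import Counter, defaultdict

# Constructed sample transactions (not real chain data). Each input/output is
# (address, amount); address names are hypothetical.
TXS = [
    {"txid": "t1", "inputs": [("A1", 5.0)],
     "outputs": [("B1", 3.0), ("A2", 2.0)]},                  # A1 pays B1, change to A2
    {"txid": "t2", "inputs": [("A2", 2.0), ("A3", 1.5)],
     "outputs": [("EXCH_DEP", 3.4)]},                          # co-spend into an exchange deposit address
    {"txid": "t3", "inputs": [("A3", 0.9), ("A4", 0.7)],
     "outputs": [("C1", 1.5)]},                                # A3 and A4 co-spent: A4 joins the cluster
    {"txid": "t4", "inputs": [("A4", 1.0), ("M1", 1.0), ("M2", 1.0), ("M3", 1.0)],
     "outputs": [("N1", 1.0), ("N2", 1.0), ("N3", 1.0), ("N4", 1.0)]},  # CoinJoin-style mix
    {"txid": "t5", "inputs": [("B1", 3.0)], "outputs": [("B2", 2.9)]},
]

# Hypothetical KYC knowledge: the exchange knows which customer owns this deposit address.
DEPOSITS = {"EXCH_DEP": "Exchange A, account 4711"}


def is_coinjoin_like(tx, min_parties=3):
    """True when >= min_parties inputs fund >= min_parties equal-valued outputs.
    Such a transaction mixes coins of several owners, so the common-input rule must not apply."""
    if len(tx["inputs"]) < min_parties:
        return False
    _, count = Counter(amt for _, amt in tx["outputs"]).most_common(1)[0]
    return count >= min_parties


def cluster_addresses(txs, skip_coinjoin=True):
    """Union-find over input addresses; returns address -> frozenset of co-owned addresses."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    def union(a, b):
        parent[find(a)] = find(b)

    for tx in txs:
        if skip_coinjoin and is_coinjoin_like(tx):
            continue                         # do not merge the mixer's participants
        addrs = [a for a, _ in tx["inputs"]]
        for a in addrs:
            union(addrs[0], a)

    members = defaultdict(set)
    for a in parent:
        members[find(a)].add(a)
    return {a: frozenset(group) for group in members.values() for a in group}


def label_clusters(txs, clusters, deposits):
    """Propagate an identity learned at a KYC'd deposit address to the entire sending cluster."""
    labels = defaultdict(set)
    for tx in txs:
        tags = [deposits[a] for a, _ in tx["outputs"] if a in deposits]
        if not tags:
            continue
        for a, _ in tx["inputs"]:
            if a in clusters:
                labels[clusters[a]].update(tags)
    return dict(labels)


def trace(address, clusters, labels):
    """Everything an analyst learns from one address: its cluster and any identities attached."""
    group = clusters.get(address, frozenset({address}))
    return sorted(group), sorted(labels.get(group, ()))


if __name__ == "__main__":
    clusters = cluster_addresses(TXS)
    labels = label_clusters(TXS, clusters, DEPOSITS)
    print(trace("A4", clusters, labels))              # A4 never touched the exchange, yet is named
    print(sorted(cluster_addresses(TXS, skip_coinjoin=False)["A4"]))  # naive run swallows M1..M3
```

Run with the mixer filter off and the M1..M3 addresses land in the same cluster as A2..A4, which is exactly the false attribution a tumbler is designed to provoke; production tooling applies the filter and additional change-address heuristics, but the basic linkage shown here is what defeats "just use several addresses".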
Speaker Introduction
Gerry McGreevy
• Senior Systems Analyst at Physician Network, MD Anderson Cancer Center in Houston, Texas
• Holds a CISSP certification and a FinTech certification from the Massachusetts Institute of Technology
• Nearly 20 years in the IT industry as a database administrator, data architect, security and compliance analyst and entrepreneur
Birth and Evolution of Blockchain
Early Uses
Recent Developments
Industry Applications
8/22/2017 [email protected] 32
Blockchain: Friend or Foe?
Blockchain as a Target: disrupt transactions, acquire assets and data
Blockchain as a Tool: enhances data integrity, transparency & availability
- External Operations: asset transfers, transaction reconciliation, regulatory reporting
- Internal Operations: monitoring, approvals and permission grants
- Application Developers: permission-aware applications, carry-through privileges
- Infosec Depts: secure registration, logging, and privileges management
Blockchain: Tools for INFOSEC
End User Friendly Tools
Multi-signature required applications
Advanced Secure Wallet technology and features
Chain-long fine grained permissioned access that end user controls
Woes of Blockchain
Scalability: block size, network bandwidth, mining resources, market size
Competing / diverging interests
Infant standards: Ethereum, EU, ISO (no US federal standard, but a few states developing)
Security concerns: wallets and codebase hacked, man-in-the-middle, DNS attacks, 51% attack
Essential Elements of Blockchain
Cryptographic Hashes
Distributed Ledger
Software: open source; major flavors: Bitcoin, Ethereum, Linux Foundation
Network: P2P, software and protocols
Entity participants (roles): miners, reporting nodes, test nodes, access portals, proxies, regulators, users
Blockchain Mining
Goals of Mining
Security: Make Attacks expensive
Economics: Incentivize CPU processing
Mining schemes:
- Proof of Work
- Proof of Stake
- Proof of Activity
- Proof of Burn
- Proof of Capacity
- Proof of Authority
- CASPER
- Proof of Elapsed Time
Cost of energy vs cost of owning coins
Blockchain Evolution
1st Generation - Ledger applications: Evolving Uses
Q: Where to put blockchain? A: Where there is a lack of trust
Asset Tracking / Transference
Information documentation
Proof of process
2nd Generation - Smart Contracts: auto-execute, DAO (Distributed Autonomous Organizations), distributed computing
3rd Generation - Identity Management, Permission Aware Applications
Evolving trend: increasing dependence on validating sources and data
Value of Blockchain Derived from
Cryptographically validated: IMMUTABLE DATA INTEGRITY
Shared transaction journal: DISTRIBUTED
No central authority: DECENTRALIZED, CONSENSUS
IMMUTABLE SHARED TRUTH = TRANSPARENCY > TRUST
High Level Benefits of Blockchain
Enables TRUST within an otherwise TRUSTLESS environment
Efficiently Verifies the Accurate Recording of Information
Assets Transfers
Permission Grants, privileges
Auditable rules & protocols
Major Reductions in costs and time to reconcile
Accelerates payment cycles > Frees up capital for other uses
Protections of Blockchain
Confidentiality: (Optional) - blockchain contents are publicly viewable. For private data: encrypt, hash, or use pointer links (expensive).
Integrity: Yes - hashed data + distributed ledger + consensus
Availability: theoretically yes, but long queues, poor network performance, and DDoS attacks are common
Immutable + Distributed = Transparent Data Integrity
Public vs Private Chain?
Public Blockchain appropriate for:
- Public-facing apps
- Apps that interact with the wider marketplace (incl. publicly exchanged tokens)
- More applicable to trustless environments and interactions with large numbers of participants
- Higher costs to operate
Private Blockchain appropriate for:
- Vetted and verified entry / participation
- Higher level of trust between participants than trustless public
- More appropriate for consortiums, enterprise-level applications, and controlled exchanges
- Lower cost to operate (mining not necessarily necessary)
Systemic Vulnerabilities
Control / influence of mining pools: mining pools are economically advantaged. Large pools are a risk to the blockchain (51% attack)
Concentrated mining: 90% of bitcoin mining occurs in China, subject to political and / or regulatory moods
Network: technical limits on bandwidth. Latency could cause problems. Success of a blockchain depends on specific network performance (can differ per chain)
Storage: password-protected data at rest, password management issues
Systemic Vulnerabilities
Risks Associated with Open Source and Common Code
Common vulnerabilities: Crypto-libraries, Backdoors, Zero-day
Consensus on all Code Changes
Maintenance - timing of updates and patches
Risk of forks
If chain is invalidated, what happens to all assets and info contained within?
Attack Vectors
Code libraries
Storage / data: wallets, key management, online / offline
Network: 51% attack, clock drift, packet sniffing, DNS, ARP spoofing, spamming and DDoS attacks (delay a specific transaction)
Social engineering
Privacy (public ledger): all information recorded WITHIN the blockchain is publicly viewable
Tracking and IP Address
- Transaction history (e.g. donations)
- Trading crypto on a national / regulated exchange (e.g. Coinbase)
- Using a thin client or hosted wallet
- ISP records
- Insider abuse, or public outing
Known Breaches
August 2016 - Bitfinex (Hong Kong): $65M US
June 2016 - Ethereum: $150M US, backdoor to application
June 2017 - Freewallet.org: data wallets
Excellent source of blockchain breaches:
https://magoo.github.io/Blockchain-Graveyard/
Emerging Standards
Mostly Nascent, or non-existent
ISO/TC 307 - Blockchain and distributed ledger technologies
Increasing regulatory oversight (Europe & world: more regulation; US: less regulation)
Linux Foundation
Uses for Infosec
Certificate Transparency: publish public certs into a blockchain
- Reduces reliance on the CA as sole proprietor of truth; no single point of failure
- Eliminates the risk of false key propagation
- CertCoin (MIT): early implementation of blockchain-based PKI
Decentralized DNS-PKI: replace DNS root servers with blockchain mappings to domain names and PKI keys (harder to censor, harder to alter)
- Nebulis, Blockstack
Support for other technologies: cyber-physical systems (confidentiality not a concern)
- Validate the provenance of devices (IoT, network, endpoints, supporting software) and incoming data integrity
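Whether certificates are published into a blockchain, as the slide proposes, or into a conventional Certificate Transparency log, the mechanism a relying party actually checks is a Merkle-tree inclusion proof: the log commits to one root hash, and a short list of sibling hashes proves that a given entry is under it. The same construction serves the "hash it, keep the data off-chain, store a pointer" pattern from the Protections of Blockchain slide: a private record's hash is a leaf, only the root is published, and the holder of the record can later prove it was committed without disclosing anything else. The example below is added here and is not code from the talk or from any of the named projects; the log entries are constructed strings on reserved example domains, the leaf/node prefix bytes follow RFC 6962, and the tree shape is the simpler duplicate-last-node padding (as Bitcoin uses) rather than the RFC 6962 split.

```python
"""Merkle-tree inclusion proofs for a transparency log (example code, not from the talk).

A log publishes only a root hash; anyone holding an entry plus a short proof can
verify that the entry is covered by that root, without seeing the other entries.
"""
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # 0x00 / 0x01 domain separation (as in RFC 6962) keeps an attacker from
    # presenting an interior node as a leaf, or a leaf as an interior node.
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def _pad(level):
    # Odd number of nodes: duplicate the last one (Bitcoin-style padding).
    return level + [level[-1]] if len(level) % 2 else level


def _next_level(level):
    level = _pad(level)
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves) -> bytes:
    if not leaves:
        return _sha256(b"")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def inclusion_proof(leaves, index):
    """Sibling hashes from the leaf up to the root, each tagged with the side it sits on."""
    proof = []
    level = list(leaves)
    i = index
    while len(level) > 1:
        level = _pad(level)
        sibling = i ^ 1
        proof.append((level[sibling], "R" if sibling > i else "L"))
        level = _next_level(level)
        i //= 2
    return proof


def verify_inclusion(leaf: bytes, proof, root: bytes) -> bool:
    """Recompute the path to the root; no other log entry is needed."""
    h = leaf
    for sibling, side in proof:
        h = node_hash(h, sibling) if side == "R" else node_hash(sibling, h)
    return h == root


# Constructed log entries on reserved example domains; not real certificates.
LOG_ENTRIES = [
    b"CN=example.com,serial=01",
    b"CN=example.org,serial=07",
    b"CN=example.net,serial=13",
    b"CN=www.example.com,serial=21",
    b"CN=mail.example.org,serial=34",
]


def build_log(entries):
    """Returns (leaf hashes, root). Only the root needs to be published on-chain or signed by the log."""
    leaves = [leaf_hash(e) for e in entries]
    return leaves, merkle_root(leaves)


def check_entry(entry: bytes, proof, root: bytes) -> bool:
    return verify_inclusion(leaf_hash(entry), proof, root)


if __name__ == "__main__":
    leaves, root = build_log(LOG_ENTRIES)
    proof = inclusion_proof(leaves, 2)                    # 3 sibling hashes for a 5-entry log
    print(check_entry(LOG_ENTRIES[2], proof, root))       # True
    print(check_entry(b"CN=evil.example,serial=99", proof, root))  # False: not in the log
```

Two things the proof does not give you: it says nothing about a certificate's validity, only that the log saw it, and it is only as trustworthy as the root you compare against, which is why CT logs sign their tree heads and why a chain-published root still needs the consensus and fork handling discussed in the Systemic Vulnerabilities slides.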
Successful Blockchain Implementations
Strong Governance
Risk Management Framework
Operational Risks - policies, procedures control
Selected References
Mining Info: https://www.coindesk.com/short-guide-blockchain-consensus-protocols/
Wallet Info: https://blockgeeks.com/guides/cryptocurrency-wallet-guide/
Speaker Introduction
Branden Williams
• CTO at Union Bank
• Regularly assists top global firms with their information security and technology initiatives
• Branden is the author of the Herding Cats feature in the ISSA Journal.
• Holds DBA, CISSP and CISM certificates
Crypto Payments & Privacy
➢ Transactions, or blocks, on the blockchain for popular cryptocurrencies are public.
➢ Future blocks validate past blocks and prevent double spending.
➢ Anonymity on the blockchain: some cryptocurrencies, like Bitcoin, appear anonymous.
- Poor OpSec can link digital wallets to real identities.
- Several companies offer services to attach identities to digital wallets.
➢ Be aware of information stored in the block!
Crypto Payments Integrity
➢ As the blockchain builds, previous transactions are immutable.
➢ Consensus works to ensure only valid transactions are on the blockchain.
➢ In the case of Bitcoin, the most recent block on the chain can be altered by consensus; wait until there are two blocks following (T+2).
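The integrity claims on this slide, and on the earlier Essential Elements, Public Blockchain Issues and Protections of Blockchain slides (hashes, proof of work, "future blocks validate past blocks", waiting for following blocks), come down to one structure. The example below, added here and not code from the talk or from any real client, is a minimal proof-of-work hash chain with a validator. It shows that editing an old block breaks its own header hash, that re-mining that block instead breaks the link from every later block (so the attacker must redo all of that work, which is what confirmation depth buys you), and that a second spend of the same input is rejected. The transactions, payees and the low difficulty are constructed for the demo.

```python
"""A minimal proof-of-work hash chain (example code, not from the talk).

Each block commits to the previous block's hash and to its transactions, and a
valid header must hash below a target. Rewriting an old block therefore means
re-mining it and every block after it.
"""
import copy
import hashlib
import json

DIFFICULTY_BITS = 12        # leading zero bits required; deliberately small so the demo runs quickly
GENESIS_PREV = "0" * 64


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def tx_root(txs) -> str:
    # Commitment to the transaction list; a real chain would use a Merkle root here.
    return hashlib.sha256(json.dumps(txs, sort_keys=True).encode()).hexdigest()


def header_bytes(index, prev_hash, root, nonce) -> bytes:
    return json.dumps({"i": index, "prev": prev_hash, "root": root, "nonce": nonce},
                      sort_keys=True).encode()


def meets_target(h: bytes, bits=DIFFICULTY_BITS) -> bool:
    return int.from_bytes(h, "big") >> (256 - bits) == 0


def mine(index, prev_hash, txs, bits=DIFFICULTY_BITS):
    """Proof of work: grind the nonce until the header hash meets the target."""
    root, nonce = tx_root(txs), 0
    while True:
        h = sha256d(header_bytes(index, prev_hash, root, nonce))
        if meets_target(h, bits):
            return {"index": index, "prev": prev_hash, "txs": txs, "nonce": nonce, "hash": h.hex()}
        nonce += 1


def validate_chain(chain, bits=DIFFICULTY_BITS):
    """What every full node does: recompute each header hash, check linkage, PoW and double spends."""
    spent = set()
    for n, b in enumerate(chain):
        expected_prev = GENESIS_PREV if n == 0 else chain[n - 1]["hash"]
        if b["prev"] != expected_prev:
            return False, f"block {n}: prev hash mismatch"
        h = sha256d(header_bytes(b["index"], b["prev"], tx_root(b["txs"]), b["nonce"]))
        if h.hex() != b["hash"]:
            return False, f"block {n}: header hash mismatch"
        if not meets_target(h, bits):
            return False, f"block {n}: proof of work below target"
        for tx in b["txs"]:
            for inp in tx["inputs"]:
                if inp in spent:
                    return False, f"block {n}: double spend of {inp}"
                spent.add(inp)
    return True, "ok"


def confirmations(chain, block_index) -> int:
    """Blocks mined on top of the given block; each one is more work an attacker must redo."""
    return len(chain) - 1 - block_index


def build_demo_chain(bits=DIFFICULTY_BITS):
    """Constructed chain: inputs are hypothetical 'txid:vout' strings, outputs are [payee, amount]."""
    genesis = mine(0, GENESIS_PREV, [{"inputs": ["coinbase:0"], "outputs": [["alice", 50]]}], bits)
    b1 = mine(1, genesis["hash"], [{"inputs": ["genesis:0"], "outputs": [["bob", 30], ["alice", 20]]}], bits)
    b2 = mine(2, b1["hash"], [{"inputs": ["coinbase:2"], "outputs": [["miner", 50]]}], bits)
    b3 = mine(3, b2["hash"], [{"inputs": ["coinbase:3"], "outputs": [["miner", 50]]}], bits)
    return [genesis, b1, b2, b3]


def tamper_in_place(chain):
    """Edit block 1's payout without re-mining: the stored header hash no longer matches."""
    forged = copy.deepcopy(chain)
    forged[1]["txs"][0]["outputs"][0][1] = 300
    return validate_chain(forged)


def tamper_and_remine(chain, bits=DIFFICULTY_BITS):
    """Re-mine block 1 with the forged payout: block 1 now validates, but block 2's link breaks."""
    forged = copy.deepcopy(chain)
    txs = copy.deepcopy(chain[1]["txs"])
    txs[0]["outputs"][0][1] = 300
    forged[1] = mine(1, chain[0]["hash"], txs, bits)
    return validate_chain(forged)


def double_spend(chain, bits=DIFFICULTY_BITS):
    """A later block that spends 'genesis:0' a second time is rejected by every validating node."""
    b2 = mine(2, chain[1]["hash"], [{"inputs": ["genesis:0"], "outputs": [["mallory", 50]]}], bits)
    return validate_chain(chain[:2] + [b2])


if __name__ == "__main__":
    chain = build_demo_chain()
    print(validate_chain(chain), "confirmations for block 1:", confirmations(chain, 1))
    print(tamper_in_place(chain))       # (False, 'block 1: header hash mismatch')
    print(tamper_and_remine(chain))     # (False, 'block 2: prev hash mismatch')
    print(double_spend(chain))          # (False, 'block 2: double spend of genesis:0')
```

The attacker who re-mined block 1 would have to re-mine blocks 2 and 3 as well, and keep outpacing the honest network while doing it; that is the cost the 51% attack on the Woes and Attack Vectors slides refers to, and the reason the slide advises waiting for following blocks before treating a payment as settled.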
Decentralized Crypto Payments
➢ Over 1,000 different cryptocurrencies as of August 2017.
➢ Decentralization preserves integrity across the currency by:
- Preventing currency manipulation by a government or central bank.
- Preventing a single bad actor from introducing fraudulent or duplicate transactions.
➢ Legal notes: the SEC does not categorize digital currency as a “security”; the CFTC recognizes digital currency as a “commodity”.
Crypto vs. Traditional Payments
Crypto Currency | Traditional Payments
➢ Transaction costs paid to “miners”. | ➢ Transaction costs paid to “networks”.
➢ Low transaction costs. | ➢ High transaction costs.*
➢ Settlement at T+2. | ➢ Settlement going to T-0.
➢ Transact “directly.” | ➢ Transact via intermediaries.
➢ Not regulated.** | ➢ Regulated.
➢ Decentralized. | ➢ Centralized.
➢ AML applied when cryptocurrency is converted to bank currency. | ➢ AML and Bank Secrecy acts in play at all times.
* With the exception of ACH. ** Conversion to actual currency can impact this.
Challenges for Traditional Banks
➢ Bank regulations focus on traditional currencies. Exceptions: Tunisian e-Dinar and Senegal’s Franc; the UK, Russia, Canada, and China are experimenting.
➢ Even these examples are still real currency, not cryptocurrency.
➢ Know Your Customer becomes more challenging with some cryptocurrencies.
➢ Other options for Blockchain: smart contracts, currency for in-game scenarios, voting.
Open Discussion & Q&A
• Mark Kadrich – Moderator
• Jean Pawluk
• Gerry McGreevy
• Branden Williams
To ask a question: type your question in the Questions area of your screen. You may need to click on the double arrows to open this function.
#ISSAWebConf
Next International Web Conference:
Mobile App Security - 2-Hour Live Event: Tuesday, September 26th, 2017
Start Time: 9:00 a.m. US-Pacific / 12:00 noon US-Eastern / 5:00 p.m. London
Overview: Along with the explosion of mobile devices and the crowded marketplace for applications comes a much vaster threat landscape. How can the security world adapt to an environment featuring independent programmers and an increasingly time-critical business model as groups look for the next killer app? Especially when, as usual, security is the last consideration of development.
https://attendee.gotowebinar.com/register/7561103254002094082
Web Conference Survey
A recording of the conference and a link to the survey to get CPE credit for attending the August ISSA International Web Conference will soon be available at https://www.issa.org/page/August2017; check out previous web conferences at https://www.issa.org/?OnDemandWebConf
If you or your company are interested in becoming a sponsor for the monthly ISSA International Web Conferences, please visit: https://www.issa.org/?page=BecomeASponsor