Untraceable Currency, August 22nd 2017


Untraceable Currency

Today’s Moderator:

Mark Kadrich

CISO at Martin Luther King, Jr. Hospital

Over 30 years in the security industry

To ask a question:

Type in your question in the Questions area of your screen.

#ISSAWebConf

Speaker Introduction

Today’s Speakers

Jean Pawluk, Executive Consultant, ISSA Distinguished Fellow

Gerry McGreevy, Senior Systems Analyst – Physician Network, MD Anderson Cancer Center

Branden Williams, CTO at Union Bank

Speaker Introduction

Jean Pawluk

• Executive Consultant

• Distinguished Fellow of the Information Systems Security Association (ISSA) and honored in 2015 as a Woman of Influence by SC Magazine

• Developed an interest in security and cryptography while building electronic funds transfer networks for the financial industry; now focused on blockchains, augmented and virtual reality (AR/VR), and the Internet of Things (IoT)

• She is a speaker, lecturer, and consultant on various emerging technologies including information security.

• An initial founding member of the Cloud Security Alliance and currently on the advisory board of several startups

Blockchain and Cryptocurrency

The good and some lessons learned

Jean Pawluk

ISSA presentation

August 22nd, 2017

Why blockchains ?

➢ Trust – Through the use of Blockchain, all the parties involved in a transaction only have to trust the technology.

➢ Transparency – Because the ledger is distributed, all peers involved in the transaction network can view it (subject to security rights, of course).

➢ Accountability – Since all parties in the transaction can view the distributed ledger, everyone can agree on how the transaction is progressing while it is ongoing, and how it went once it is complete.

What the Blockchain IS NOT:

➢ Bitcoin or Altcoins

- They use blockchain structures

➢ Blockchain is not fast: looking at the longest chain in bitcoin can take a while

➢ Blockchain is not simple: complexity grows as efforts increase around scalability issues such as sidechains, partial chains, light clients, pruning, cross-chains, etc.

What is it good for ?

Vitalik Buterin, Ethereum’s founder, on the question:

“The solution that is optimal for a particular industry depends very heavily on what your exact industry is. In some cases, public is clearly better; in others, some degree of private control is simply necessary. As is often the case in the real world, it depends.”

Anticipated Blockchain Timeline

Hype vs. Reality

➢ Remember the “year of PKI” ? - Today it’s “Blockchain Fever”

➢ Most R&D projects end in failure or pivot to new areas of research

- R3 consortium dropped blockchain projects in 2017

➢ Need to identify where investments in blockchain R&D have the most impact based on:

- current technology maturity

- real savings in costs / processes

- evolution of commercial ecosystems

- public’s willingness to embrace a blockchain economy

Peer to Peer distributed ledgers

➢ Blockchain technology uses a peer-to-peer network of parties, who all participate in a given transaction.

➢ Uses a distributed ledger that is visible to all parties involved in the transaction.

➢ Through a consensus network, the ledger is guaranteed to be consistent.

➢ Ledger is distributed so everyone involved can see the “world state” at any point in time, and can monitor the progress of the transaction.

➢ Ledger is encrypted so that only parties allowed to view it may do so.

Smart Contracts

Contract

➢ A written or oral agreement that is intended to be enforceable by law

Smart contract

➢ Code that facilitates, verifies, or enforces the negotiation or execution of a digital contract. Ideal for machine-to-machine business processes

Smart contract code on Blockchain

- Encapsulates Business logic as a computer program

- Represents the events which trigger that logic as messages to the program (allowed only if pre-set conditions are met)

- Digital signatures used to prove who sent the message

Example

Car rental agencies could use smart contracts that automatically allow rentals when payment's received and insurance information is confirmed through a blockchain record.

Gartner predicts Blockchain Will Grow Up

➢ By 2022, a blockchain-based business will be worth $10 billion.

➢ Blockchain technology is established as the next revolution in transaction or event recording. A blockchain ledger provides an immutable, shared view of all transactions between engaging parties in a distributed, decentralized network

➢ While the bitcoin blockchain ledger is itself well-understood, blockchain remains an immature technology.

➢ By 2020, new businesses and business models will emerge based on smart contracts and blockchain efficiencies. These smart contracts automate at a level of reliability, customization and speed not achievable with traditional business systems.

Some Blockchain Use Cases

Internet of Things: Device management

Healthcare: Electronic medical records; Doctor-vendor RFP services & contracts; Blockchain health research commons; Blockchain health notaries

Government: Government vendor processes; Voting; Taxes

Industrial: Manufacturing processes

Financial services: Letters of credit; Corporate debts and bonds; Trading platforms; Payment remittance; Foreign exchange

Insurance: Claims processing; Ownership titles; Sales & underwriting

Retail: Loyalty points

Other industries: Gaming; Music

Cross-industry: Identity management; Capital asset management

Blockchain Consortiums

➢ Over 25 Blockchain Consortiums globally

➢ Usually organized by industry verticals

Research & Development questions:

- How blockchain will affect businesses, governments and consumers

- Current projects

- What are my peers doing and who should we partner with

- Cost and value drivers for blockchain

➢ The four largest consortiums are in financial services and technology

Types of Blockchains

Public Blockchain (Permissionless)

Everybody in the world can read it, anyone can send transactions to it and expect to see them included if they are valid, and anyone can participate in the consensus process

Private Blockchains (Permissioned)

➢ Consortium Blockchain: the consensus process is controlled by a preselected set of nodes. An example is a consortium of several banks, each of which operates a node, where some number of the banks must sign every block for it to be valid

➢ Private Blockchain: write permissions are kept centralized to one organization. Read permissions may be public or restricted to an arbitrary extent.

DAO / DAC

➢ Decentralized Autonomous Corporations/Organizations

➢ A computer program, with its own code and state, that can programmatically manage flows, using smart contracts to automate processes

- The whole behavior of the program is pre-established

Public Blockchain Issues

➢ One of the drawbacks of a public blockchain is the substantial amount of compute power needed to maintain a distributed ledger at large scale.

➢ To achieve consensus, each node in the network must solve a complex, resource-intensive cryptographic problem called a proof of work, to ensure all blocks in the chain are in sync.

➢ Openness of a public blockchain: little to no privacy for transactions

Lessons Learned

Gartner top 10 blockchain mistakes

1. Misunderstanding or ignoring the purpose of blockchain technology

2. Assuming that current technology is ready for production use

3. Confusing future blockchain technology with the present-day generation

4. Confusing a limited, foundation-level protocol with a complete business solution

5. Viewing blockchain technology purely as a database or storage mechanism


7. Assuming interoperability among platforms that don’t exist yet (blockchain standards do not yet exist)

http://www.gartner.com/smarterwithgartner/top-10-mistakes-in-enterprise-blockchain-projects/

Gartner top 10 mistakes (cont.)

8. Assuming that smart contract technology is a solved problem: smart contracts currently lack scalability, auditability, manageability and verifiability, and there is no legal framework currently in existence — locally or globally — for their application.

9. Ignoring funding and governance issues for a peer-to-peer distributed network: multiparty systems require new approaches to governance, security and economics that raise technical, as well as political, societal and organizational questions.

10. Failure to incorporate a learning process: enterprises must take a hands-on approach to blockchain projects.


Roadblocks: Fidelity Lessons Learned 1 & 2

Fidelity CEO Abigail Johnson reflects:

1 Technological shortcomings

➢ The first concerns blockchain technology itself; there were "still questions to be answered."

➢ "We understand there are important trade-offs that need to get made as these systems grow," Johnson said. "We care about the trade-off between scalability, privacy, and achieving peer-to-peer settlement."

➢ Of these three, privacy was the most important; Johnson called it "a core customer need" that was an area of investment for Fidelity initiatives.

2 Regulation

➢ Johnson called regulation "the policy challenge," as innovation in the blockchain industry was happening so fast "that it is outpacing the regulator's ability to keep up."

➢ The Securities and Exchange Commission (SEC) ruled against a product that would have led to the first bitcoin-tracking exchange-traded fund* (ETF), citing a lack of regulation in the marketplace.

➢ "We need to continue to work with regulators to have an open dialogue about this technology."

Roadblocks: Fidelity Lessons Learned 3 & 4

3 Control

➢ "Networks like bitcoin, by design, have no formalized management structure," Johnson said.

"They're open projects, which is great, but companies like Fidelity don't have the clarity on the future path they might take, or how to influence the developer communities."

➢ "The financial services industry will need to work to understand the risks associated with who controls the features of these new systems"

4 "Human Problems"

➢ "The human problem," is Johnson's reference to how bitcoin and blockchain are often seen as "solutions in search of a problem."

➢ Wider Consumer Acceptance issues

- "The cafeteria in the Fidelity headquarters began to accept payment in bitcoin, doubling the number of places in Boston that did," Johnson joked.

"We don't just need these systems to be technically better; we need them to be more user friendly"

Perils ?

8/24/2017 24 (c) Jean Pawluk

Initial Coin Offering (ICO)

Unregulated means by which funds are raised by crowd funding for a new cryptocurrency venture.

➢ A percentage of the cryptocurrency is sold to early backers of the project in exchange for cash or cryptocurrencies (usually Bitcoin)

➢ Bypasses the rigorous and regulated capital-raising process required by the SEC, venture capitalists or banks

➢ Crypto tokens from the venture are not stocks

Remember ?

Beanie Babies Bubble 1995 - 2001

2000: $3000 each. Now: $6-$10

Feeding Frenzy

➢ Speculators and scammers are rushing in

➢ People are “investing” in ICOs and cryptocurrencies

- Maxing out credit & debit card purchases

- Draining bank accounts & retirement plans

- Mortgaging homes

➢ Sound familiar ? Some may win big, but many will lose most or all

➢ Are you and your customers financially savvy ?

- Risks:

- No protection against loss

- Not regulated or registered

- Scarcity and volatility of tokens is not a guarantee of future profits

- No guarantee that a new ICO project will be there tomorrow

Is Bitcoin Anonymous ?

➢ Yes, but not untraceable

➢ Bitcoin is pseudo-anonymous: the pseudonym (bitcoin address) is recorded, but the identity is unknown.

➢ Tumblers / mixers attempt to disguise the source and destination of transactions that would connect to a real identity

➢ So how do you move your ill-gotten gains in public view ?

- Send and receive bitcoins to another bitcoin address on the blockchain. Use several addresses and store coins elsewhere in wallets and / or in dark exchanges.

Speaker Introduction

Gerry McGreevy

• Senior Systems Analyst, Physician Network, MD Anderson Cancer Center in Houston, Texas

• Holds a CISSP certification and a FinTech certification from the Massachusetts Institute of Technology

• Nearly 20 years in the IT industry as a database administrator, data architect, security and compliance analyst and entrepreneur

BLOCKCHAIN: Concerns for Infosec

8/22/2017 [email protected] 31

Birth and Evolution of Blockchain

Early Uses

Recent Developments

Industry Applications


New Types of Services Are Flourishing


Blockchain: Friend or Foe?

Blockchain as a Target: disrupt transactions, acquire assets and data

Blockchain as a Tool: enhances data integrity, transparency & availability

External Operations - asset transfers, transaction reconciliation, regulatory reporting

Internal Operations - monitoring, approvals and permission grants

Application Developers - permission-aware applications, carry-through privileges

Infosec Depts - secure registration, logging, and privilege management


Blockchain: Tools for INFOSEC

End User Friendly Tools

Multi-signature required applications

Advanced Secure Wallet technology and features

Chain-long fine grained permissioned access that end user controls


Woes of Blockchain

Scalability: block size, network bandwidth, mining resources, market size

Competing / Diverging Interests

Infant Standards – Ethereum, EU, ISO (no US federal standard, but a few states are developing one)

Security Concerns: wallets and codebase hacked, man-in-the-middle, DNS attacks, 51% attack


Essential Elements of Blockchain

Cryptographic Hashes

Distributed Ledger

Software - open source. Major flavors: Bitcoin, Ethereum, Linux Foundation

Network - P2P, software and protocols

Entity Participants (Roles) - miners, reporting nodes, test nodes, access portals, proxies, regulators, users

Blockchain Mining

Goals of Mining

Security: Make Attacks expensive

Economics: Incentivize CPU processing

Mining Schemes:

- Proof of Work

- Proof of Stake

- Proof of Activity

- Proof of Burn

- Proof of Capacity

- Proof of Authority

- CASPER

- Proof of Elapsed Time

Cost of Energy vs Cost of Owning Coins


Blockchain Evolution

1st Generation - Ledger applications: evolving uses

Q: Where to put blockchain? A: Where there is a lack of trust

Asset tracking / transference

Information documentation

Proof of process

2nd Generation - Smart Contracts: auto-execute, DAO (Distributed Autonomous Organizations), distributed computing

3rd Generation – Identity Management, Permission-Aware Applications

Evolving Trend: Increasing Dependence on Validating Sources and Data


Value of Blockchain Derived from:

Cryptographically validated: IMMUTABLE DATA INTEGRITY

Shared transaction journal: DISTRIBUTED

No central authority: DECENTRALIZED, CONSENSUS

IMMUTABLE SHARED TRUTH = TRANSPARENCY > TRUST


High Level Benefits of Blockchain

Enables TRUST within an otherwise TRUSTLESS environment

Efficiently Verifies the Accurate Recording of Information

Assets Transfers

Permission Grants, privileges

Auditable rules & protocols

Major Reductions in costs and time to reconcile

Accelerates payment cycles > Frees up capital for other uses


Protections of Blockchain

Confidentiality: (Optional) – blockchain contents are publicly viewable. For private data, encrypt, hash, or use pointer links to off-chain data (expensive).

Integrity: Yes - hashed data + distributed ledger + consensus

Availability: theoretically yes, but long queues, poor network performance and DDoS attacks are common

Immutable + Distributed = Transparent Data Integrity


Public vs Private Chain?

Public Blockchain appropriate for:

Public-facing apps

Apps that interact with the wider marketplace (incl. publicly exchanged tokens)

More applicable to a trustless environment and interactions with large numbers of participants

Higher costs to operate

Private Blockchain appropriate for:

Vetted and verified entry / participation

Higher level of trust between participants than in a trustless public chain

More appropriate for consortiums, enterprise-level applications, and controlled exchanges

Lower cost to operate (mining not necessarily required)


Systemic Vulnerabilities

Control / influence of mining pools - mining pools are economically advantaged.

Large pools are a risk to the blockchain (50% attack)

Concentrated mining: 90% of bitcoin mining occurs in China, subject to political and / or regulatory moods.

Network - technical limits on bandwidth. Latency could cause problems. Success of a blockchain depends on specific network performance (can differ per chain).

Storage – password-protected data at rest, password management issues.


Systemic Vulnerabilities

Risks Associated with Open Source and Common Code

Common vulnerabilities: Crypto-libraries, Backdoors, Zero-day

Consensus on all Code Changes

Maintenance - timing of updates and patches

Risk of forks

If chain is invalidated, what happens to all assets and info contained within?


Attack Vectors

Code libraries

Storage / Data - wallets: key management, online/offline

Network - 51% attack, clock drift, packet sniffing, DNS, ARP spoofing, spamming and DDoS attacks (delaying specific transactions)

Social Engineering

Privacy - (public ledger) - All information recorded WITHIN blockchain is publicly viewable


Tracking and IP Address

Transaction history (e.g. donations)

Trading crypto on a national / regulated exchange (e.g. Coinbase).

Using Thin Client or Hosted Wallet

ISP records

Insider Abuse, or Public Outing


Known Breaches

August of 2016 - Bitfinex (Hong Kong) $65 M US

June of 2016 - Ethereum - $150M US - backdoor to application.

June 2017 - Freewallet.org - data wallets

Excellent Source of blockchain breaches

https://magoo.github.io/Blockchain-Graveyard/


Emerging Standards

Mostly Nascent, or non-existent

ISO/TC 307 - Blockchain and distributed ledger technologies

Increasing Regulatory Oversight (Europe & world: more regulation; US: less regulation)

Linux Foundation


Uses for Infosec

Certificate Transparency - publish public certs into a blockchain

Reduces reliance on the CA as sole proprietor of truth; no single point of failure

Eliminates the risk of false key propagation

CertCoin (MIT) - early implementation of blockchain-based PKI

Decentralized DNS-PKI - replace DNS root servers with blockchain mappings to domain names and PKI keys (harder to censor, harder to alter)

Nebulis, Blockstack

Support for other technologies - cyber-physical systems (confidentiality not a concern)

Validate the provenance of devices (IoT, network, endpoints, supporting software) and incoming data integrity


Successful Blockchain Implementations

Strong Governance

Risk Management Framework

Operational Risks - policies, procedures control


Selected References

Mining Info: https://www.coindesk.com/short-guide-blockchain-consensus-protocols/

Wallet Info: https://blockgeeks.com/guides/cryptocurrency-wallet-guide/


Speaker Introduction

Branden Williams

• CTO at Union Bank

• Regularly assists top global firms with their information security and technology initiatives

• Branden is the author of the Herding Cats feature in the ISSA Journal.

• Holds DBA, CISSP and CISM certificates

Crypto Payments & Financial Systems

Branden R. Williams, DBA, CISSP, CISM

Crypto Payments & Privacy

➢ Transactions, or blocks, on the blockchain for popular crypto currencies are public.

➢ Future blocks validate past blocks and prevent double spending.

➢ Anonymity on the blockchain: some cryptocurrencies, like Bitcoin, appear anonymous.

- Poor OpSec can link digital wallets to real identities.

- Several companies offer services to attach identities to digital wallets.

➢ Be aware of information stored in the block!
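The "Is Bitcoin Anonymous?" slide earlier and this one make the same point from two sides: the ledger records pseudonyms, and a single link between one address and a real identity exposes everything connected to it. The following is an added example, not material from the deck or from any of the speakers, showing the simplest linkage rule that chain-analysis and compliance tools apply, the common-input-ownership heuristic: every address spent as an input of one transaction had to be signed by the same key holder, so they are treated as one wallet. The transactions, the addresses and the KYC mapping are constructed placeholders, not real chain data.

```python
from __future__ import annotations

# Constructed sample transactions (not real chain data). Each entry lists the
# addresses spent as inputs and the addresses paid as outputs.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["addrA", "addrB"], "outputs": ["addrX"]},
    {"txid": "tx2", "inputs": ["addrB", "addrC"], "outputs": ["addrY"]},
    {"txid": "tx3", "inputs": ["addrD"],          "outputs": ["addrZ"]},
    {"txid": "tx4", "inputs": ["addrC", "addrE"], "outputs": ["exchange-deposit"]},
]

# Constructed: one address is tied to a real person, e.g. through an exchange's
# KYC records or a public donation page (the OpSec slip the slide warns about).
KNOWN_IDENTITIES = {"addrE": "customer-42"}


class DisjointSet:
    """Union-find over addresses; each set is one presumed wallet."""

    def __init__(self) -> None:
        self.parent: dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        root = x
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[x] != root:          # path compression
            self.parent[x], x = root, self.parent[x]
        return root

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs: list[dict]) -> dict[str, frozenset[str]]:
    """Common-input-ownership heuristic: all inputs of one transaction are merged
    into one cluster. Outputs are deliberately not merged (change-address
    heuristics are omitted), so the result is a conservative lower bound."""
    ds = DisjointSet()
    for tx in txs:
        inputs = tx["inputs"]
        for addr in inputs:
            ds.find(addr)                      # register single-input addresses too
        for other in inputs[1:]:
            ds.union(inputs[0], other)
    members: dict[str, set[str]] = {}
    for addr in list(ds.parent):
        members.setdefault(ds.find(addr), set()).add(addr)
    return {addr: frozenset(group) for group in members.values() for addr in group}


def attribute_addresses(clusters: dict[str, frozenset[str]],
                        identities: dict[str, str]) -> dict[str, str | None]:
    """One identified address labels every address in its cluster."""
    result: dict[str, str | None] = {}
    for addr, group in clusters.items():
        names = sorted(identities[a] for a in group if a in identities)
        result[addr] = names[0] if names else None
    return result


if __name__ == "__main__":
    clusters = cluster_addresses(SAMPLE_TXS)
    for addr, who in sorted(attribute_addresses(clusters, KNOWN_IDENTITIES).items()):
        print(f"{addr}: cluster={sorted(clusters[addr])} identity={who}")
```

On the constructed sample, addrA never appears in a transaction with addrE, yet the chain tx1, tx2, tx4 puts both in the same cluster, so the one KYC record on addrE names all four addresses; addrD, never co-spent with anything, stays unattributed. This input-linkage assumption is exactly what the tumblers and mixers mentioned earlier try to break, and it is why the slides' advice to be aware of what gets recorded in the block matters for anyone handling crypto payments.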

Crypto Payments Integrity

➢As the blockchain builds, previous transactions are immutable.

➢ Consensus works to ensure only valid transactions on the blockchain.

➢ In the case of Bitcoin, the most recent block on the chain can still be altered by consensus; wait until there are two blocks following it (T+2).
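Three slides describe the mechanics in words: proof of work as the "resource-intensive cryptographic problem" each node solves, integrity as "hashed data + distributed ledger + consensus", and the advice above to wait for T+2 before treating a transaction as final. The following is an added example, not code from the deck or from Bitcoin, that puts those together in a toy hash-chained ledger: blocks are linked by the hash of their predecessor, each block must satisfy a proof-of-work target, validation re-derives every link, and the confirmation count is the number of blocks mined on top. The difficulty, block format and transactions are assumptions chosen so it runs in a moment.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

# Assumption: a tiny difficulty so the example mines in well under a second.
# Real chains demand vastly more leading zero bits; that is what makes
# rewriting history expensive.
DIFFICULTY_BITS = 12


@dataclass
class Block:
    index: int
    prev_hash: str            # hash of the previous block's header: the chain link
    transactions: list[str]
    nonce: int = 0

    def header_bytes(self) -> bytes:
        # Canonical serialisation so every node hashes exactly the same bytes.
        return json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash,
             "transactions": self.transactions, "nonce": self.nonce},
            sort_keys=True, separators=(",", ":"),
        ).encode()

    def hash(self) -> str:
        return hashlib.sha256(self.header_bytes()).hexdigest()


def meets_difficulty(digest_hex: str, bits: int = DIFFICULTY_BITS) -> bool:
    """Proof-of-work target: the hash must start with `bits` zero bits."""
    return (int(digest_hex, 16) >> (256 - bits)) == 0


def mine(block: Block) -> Block:
    """Brute-force nonces until the header hash satisfies the target."""
    while not meets_difficulty(block.hash()):
        block.nonce += 1
    return block


def build_chain(tx_batches: list[list[str]]) -> list[Block]:
    """Mine a genesis block, then one block per batch, each linked to its predecessor."""
    chain = [mine(Block(0, "0" * 64, ["genesis"]))]
    for txs in tx_batches:
        chain.append(mine(Block(len(chain), chain[-1].hash(), list(txs))))
    return chain


def validate_chain(chain: list[Block]) -> tuple[bool, str]:
    """What every full node does: re-derive each link and each proof of work."""
    for i, block in enumerate(chain):
        if block.index != i:
            return False, f"block {i}: index mismatch"
        if i > 0 and block.prev_hash != chain[i - 1].hash():
            return False, f"block {i}: prev_hash does not match block {i - 1}"
        if not meets_difficulty(block.hash()):
            return False, f"block {i}: proof of work not satisfied"
    return True, "ok"


def confirmations(chain: list[Block], block_index: int) -> int:
    """Blocks mined on top of the given block; 'T+2' means waiting for two of these."""
    return len(chain) - 1 - block_index


def tamper_demo() -> tuple[bool, str]:
    """Edit an old transaction and even re-mine that block: the next link still breaks."""
    chain = build_chain([["alice->bob 5"], ["bob->carol 2"], ["carol->dave 1"]])
    chain[1].transactions[0] = "alice->bob 500"   # attacker rewrites history
    mine(chain[1])                                 # redo block 1's proof of work
    return validate_chain(chain)                   # fails at block 2


if __name__ == "__main__":
    ledger = build_chain([["alice->bob 5"], ["bob->carol 2"], ["carol->dave 1"]])
    print("honest chain valid:", validate_chain(ledger))
    print("confirmations of block 1:", confirmations(ledger, 1))
    print("after tampering:", tamper_demo())
```

The tamper demo is the whole argument in one place: editing block 1 and re-mining it is cheap, but its new hash no longer matches the prev_hash stored in block 2, so every later block would also have to be re-mined faster than the honest network extends the chain. The confirmation count is exactly the amount of that work a recipient waits for, which is why T+2 is a wait for two more proofs of work rather than a clock interval.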

Decentralized Crypto Payments

➢ Over 1,000 different crypto currencies as of August 2017.

➢ Decentralization preserves integrity across the currency by:

- Preventing currency manipulation by a government or central bank.

- Preventing a single bad actor from introducing fraudulent or duplicate transactions.

➢ Legal notes: the SEC does not categorize digital currency as a “security”; the CFTC recognizes digital currency as a “commodity”

Crypto vs. Traditional Payments

Crypto Currency:

➢ Transaction costs paid to “miners”.

➢ Low transaction costs.

➢ Settlement at T+2.

➢ Transact “directly.”

➢ Not regulated.**

➢ Decentralized.

➢ AML applied when crypto currency is converted to bank currency.

Traditional Payments:

➢ Transaction costs paid to “networks”.

➢ High transaction costs.*

➢ Settlement going to T-0.

➢ Transact via intermediaries.

➢ Regulated.

➢ Centralized.

➢ AML and Bank Secrecy acts in play at all times.

* With the exception of ACH.

** Conversion to actual currency can impact this.

Challenges for Traditional Banks

➢ Bank regulations focus on traditional currencies. Exceptions: Tunisian e-Dinar and Senegal’s Franc; the UK, Russia, Canada, and China are experimenting.

➢ Even these examples are still real currency, not cryptocurrency.

➢ Know Your Customer becomes more challenging with some crypto currencies.

➢ Other options for blockchain: smart contracts, currency for in-game scenarios, voting.


Open Discussion & Q&A

• Mark Kadrich – Moderator

• Jean Pawluk

• Gerry McGreevy

• Branden Williams

To ask a question:

Type in your question in the Questions area of your screen. You may need to click on the double arrows to open this function.

#ISSAWebConf


Mobile App Security: 2-Hour Live Event, Tuesday, September 26th, 2017

Start Time: 9:00 a.m. US-Pacific/ 12:00 noon US-Eastern/ 5:00 p.m. London

Overview: Along with the explosion of mobile devices and the crowded marketplace for applications comes a much more vast threat landscape. How can the security world adapt to an environment featuring independent programmers and an increasingly time-critical business model as groups look for the next killer app? Especially when, as usual, security is the last consideration of development.

Next International Web Conference:

https://attendee.gotowebinar.com/register/7561103254002094082


A recording of the conference and a link to the survey to get CPE credit for attending the August ISSA International Web Conference will soon be available at https://www.issa.org/page/August2017 and check out previous web conferences at https://www.issa.org/?OnDemandWebConf

If you or your company are interested in becoming a sponsor for the monthly ISSA International Web Conferences, please visit: https://www.issa.org/?page=BecomeASponsor

Web Conference Survey

Join ISSA

Webinar attendees can join ISSA at a 20% discount by using the code WEBCON42 during the checkout process

The discount is available for all memberships except Students, and can also be used to renew your membership