Blockchain Security Series 16 - Matt Aereal (Co-founder @ The Red Guild)

Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, Opsek founder, SEAL member)

Topics discussed:

- 00:00 - Intro

- 01:40 - How you got into cybersecurity

- 09:26 - Artist side: Producing events and photography

- 12:52 - Parallelism between hacking, art and magic

- 16:31 - Ekoparty: Working for The biggest Latam Security Event

- 21:16 - Beginnings in blockchain and web3 security

- 27:07 - The Red Guild

- 40:48 - SEAL: What is the Security Alliance and how are you related

- 55:50 - The challenge of building web3 public goods

- 01:04:01 - Educating consumers vs building more secure systems

- 01:08:30 - OSINT and tools

- 01:12:50 - Cybersecurity state in Argentina

- 01:18:15 - Web2 exploits in web3

- 01:27:23 - Best security tips

- 01:33:53 - Kraken’s lawsuit against Certik

- 01:41:13 - Tooling in web3 research

- 01:44:34 - Read teams work and training

- 01:48:25 - Damn vulnerable DeFi

- 01:51:26 - Final thoughts

Summary:

This is the 16th episode of the Blockchain Security Series Podcast but the first one recorded live!

Pablito engages in an insightful conversation in Buenos Aires with Matt Aereal, co-founder of The Red Guild. Matt, a security generalist with a rich background in hacking and art, shares his journey into cybersecurity, starting from his early interests to his current endeavors in the blockchain and web3 space. Beginning with Matt recounting how he got into cybersecurity, highlighting the influences that shaped his career, the conversation delves into his artistic pursuits, including event production and photography, drawing parallels between hacking, art, and magic.

They touch upon the significance of Ekoparty, a renowned security conference in Latin America, and how it has fostered a community of like-minded professionals. Matt explains the origins and mission of The Red Guild, emphasizing its role in enhancing security within the web3 ecosystem. They will also explore his involvement with SEAL (Security Alliance), discussing how collaboration and shared knowledge are vital for advancing security measures and the importance of educating consumers versus the necessity of creating inherently secure systems.

In this episode you will be provided with a comprehensive exploration of the multifaceted world of cybersecurity, blending technical insights with philosophical reflections. It’s an enlightening listening for anyone interested in the nuances of blockchain security, the role of community in technological advancement, and the creative parallels that enrich the field.

Highlights:

- 29:19 - "We work as a non profit because we think that there’s space to complement the profit schemes that there are currently in the ecosystem and the way that we do so it’s being a group of security researchers with a lot of freedom to do it. So we take things really differently."

- 59:43 - "If you think security is expensive, try with an incident”.

- 01:05:26 - "There is a bigger problem that is that there is a huge gap between people who actually know about technology and people who don’t know about technology and the speed of the development of technology that has surpassed the capacity of some people to cope with it. And if the gap in technology itself is really really wide, then imagine in security."

- 01:07:10 - "Do you know how people have an accountant or a lawyer for themselves? I'am thinking security specialists for individuals"

- 01:44:34 - "At the beginning for people was always easier trying to break, because you know what to break, in comparison to defend, where you don’t have a scope of what to defend."

Takeaways:

- Having met Tincho Abbate they begin the journey of creating The Red Guild: an educational non-profit web3 organization.

• https://x.com/mattaereal
• https://x.com/theredguild
• https://blog.theredguild.org/
• https://www.damnvulnerabledefi.xyz/

Blockchain Security Series 15 - Nikita Varabei (Founder @ ChainPatrol)

Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, Opsek founder, SEAL member)

Topics discussed:

- 00:00 - Intro

- 01:40 - How Nikita got into programming and blockchain security

- 08:05 - How ChainPatrol started

- 10:10 - Scam investigators

- 12:20 - Burn Mywallet

- 15:05 - ChainPatrol early days

- 20:20 - What ChainPatrol does now

- 24:25 - Social engineering

- 28:30 - Post mortems

- 33:04 - Scammers investments and ROI (Return on investment)

- 38:10 - Service providers role: registrars, cloudflare, google ads, twitter, linkedin

- 46:00 - Scammers stack: registrars, hosting providers

- 51:18 - Mixing on-chain and off-chain data to detect threats

- 55:21 - Collaboration between security companies, Threat Intel, SEAL ISAC

- 58:56 - Issues with competitors and ChainPatrol openness

- 01:02:10 - Web3 vs Web2 security

- 01:06:18 - Scammers reporting each other

- 01:10:04 - Methods used by scammers to avoid detection. Cloaking techniques, Cloudflare, Captcha.

- 01:15:07 - Users and community reporting, incentives, threat hunters.

- 01:19:37 - Making scammers lose time

- 01:21:06 - Scammers using hacked domains and legitimate companies' domains getting hacked

- 01:22:43 - Wordpress hacks and secure domain registrars

- 01:25:35 - How to manage legitimate projects domains and accounts being compromised

- 01:31:38 - Transaction simulation bypass. Proxy contracts, exploit of contract variables. Bit flip attack.

- 01:37:20 - Challenge to build for more privacy and improving threat detection at the same time.

- 01:42:24 - Private information retrieval (PIR)

- 01:44:11 - Companies taking more care of their users trend

- 01:48:47 - IPFS being used by scammers

- 01:49:55 - Best tips for crypto companies

- 01:53:39 - Security tips for users

- 01:56:41 - Final thoughts

Summary:

Pablito.eth sits down with Nikita Varabei, co-founder of ChainPatrol, to dive deep into the world of blockchain security, uncovering the tactics scammers use and the innovative ways companies like ChainPatrol are fighting back.

From his background in programming and computer science, his love for crypto, and his experience working at Coinbase. He explains the need for dedicated security measures in the crypto space and how ChainPatrol helps protect users from phishing attacks and impersonation.

Follow this road into the discussion of various topics related to blockchain security, including the prevalence of scams with social engineering , the challenges of detecting and preventing these attacks and how to frame security from a economical and incentives perspective where attackers make an investment expecting a return. Also they will address the importance of securing accounts and using trusted brand protection providers and why traditional companies are not succeeding in diminishing these scams.

Takeaways

- ChainPatrol helps protect users from phishing attacks and impersonation by scanning domains, social media accounts, and replies to detect and block scammers.

- Scammers in the crypto space operate like an industry, with developers creating scam kits and others deploying them to steal funds.

- Post-mortems are crucial for improving security measures and preventing recurring issues in the crypto space.

- Tracking down scammers and taking down their fraudulent accounts requires collaboration with domain registrars, hosting providers, and social media platforms. Scammers often go under the radar of detection systems on social platforms due to the volume of accounts to monitor.

- Scammers employ various techniques, such as using Cloudflare and cloaking, to avoid detection.

- Incentive mechanisms are needed to encourage users to report scams. Secure all your accounts and use strong authentication methods to prevent unauthorized access.

- For individual users, use security extensions and wallets that offer protection against scams.

Links:

https://chainpatrol.io/

Blockchain Security Series 14 - Frederik Svantes (Security research lead @ Ethereum Foundation)

Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, SEAL member)

Topics discussed:

- 00:00 - Intro

- 01:13 - How you started with computers and programming

- 02:41 - Working in Blizzard Entertainment

- 08:12 - Red and blue teams

- 14:19 - Incident response: What should web3 security learn from web2 industry?

- 18:57 - Planned and unplanned war rooms

- 22:58 - Communication mistakes during incident response

- 29:18 - Operational security

- 36:38 - Security awareness

- 39:19 - Social Engineering

- 42:51 - Role at Ethereum Foundation

- 45:38 - EF Bug Bounty Program

- 47:18 - Bounties for the execution and the consensus layer

- 49:01 - Most common types of vulnerabilities reported.

- 51:20 - Vulnerability disclosure process.

- 54:04 - Ethereum Protocol Attackathon with Immunefi.

- 59:39 - Blockchain monitoring and live threat detection.

- 01:01:46 - The future of the security in Ethereum: main challenges

- 01:06:29 - Balance between daily work and technical research

- 01:08:19 - Programming as a skill to be a blockchain security researcher?

- 01:12:16 - Favorite conferences and events

- 01:14:19 - Final thoughts

Summary:

In the 14th episode of the podcast, Fredrik Svantes, Security Research Lead at the Ethereum Foundation, shares his journey from his early days in computers and programming, through his time at Blizzard Entertainment, to his transition into the Ethereum ecosystem. In this discussion, he provides valuable insights into operational security within the blockchain space, emphasizing the crucial role of incident response, preparedness, and the growing need for security awareness and best practices.

Fredrik also explores the significance of social engineering in cybersecurity and outlines the key responsibilities of the protocol security team at the Ethereum Foundation. This team is dedicated to protecting the Ethereum network and ensuring effective coordination of security efforts across various client teams. Fredrik discusses the Ethereum bug bounty program, shedding light on the management challenges and highlighting common vulnerabilities reported, such as denial-of-service attacks. He underscores the importance of clear communication and transparency in the vulnerability disclosure process. Looking forward, Fredrik shares his perspective on the future of Ethereum’s security and the challenges the network will face as it continues to evolve.

Takeaways:

• He emphasizes the importance of incident response preparedness and conducting regular exercises to ensure a calm and effective response

• In the blockchain ecosystem, there is a need for increased focus on operational security, including securing front-ends, infrastructure, and private keys

• Security awareness and best practices should be tailored to specific roles and responsibilities within a project or organization. Social engineering is a critical aspect of cybersecurity.

• The protocol security team at the Ethereum Foundation focuses on ensuring the security of the Ethereum network and coordinating security between client teams.

• The bug bounty program is an essential part of vulnerability disclosure, and it helps identify and fix vulnerabilities in the Ethereum network.

• Communication in security and public disclosure are crucial in the vulnerability disclosure process, and the Ethereum Foundation follows a phased approach to disclosure.

• Blockchain monitoring and live threat detection are valuable tools in identifying and responding to security threats in the Ethereum ecosystem.

• The future of security in Ethereum lies in expanding the number of experts in protocol security and addressing the challenges posed by the evolving roadmap.

• Programming skills are not necessarily required to be a blockchain security researcher, but having an understanding of programming and the associated risks is important.

Blockchain Security Series 13 - Pashov (Founder @ Pashov Audit Group)

Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, SEAL member)

“There are a lot of hidden gem auditors in the space really. And this is my mission to find them and to work with them”

Topics discussed:

- 00:00 - Introduction

- 01:06 - How did you get started into computers and programming?

- 05:22 - Mastering Ethereum, Andreas Antonopoulos

- 07:05 - When and why did you decide to switch from developing to security research?

- 11:02 - Do you need to know how to code to be a smart contract auditor?

- 13:07 - What is your advice for someone that is just getting interested in cybersecurity?

- 15:10 - How important do you think it is to be a self-taught person in this industry?

- 16:15 - Reviewing new code step by step. You first understand what the protocol does on a high level or you just jump into de code?

- 19:17 - Income for a security researcher

- 24:12 - What things have changed in the security space in the last years and what things still remain the same?

- 26:42 - What does the ecosystem need in terms of security? More people, better tooling?

- 27:52 - On chain vs off chain audits. How have the incentives mechanisms been evolving and which one is in your opinion the system that works better for auditors? Code Arena, Hats Finance, Cantina, Sherlock, etc.

- 29:37 - How to choose the right audit contest? What strategy should one adopt (focusing only on DeFi protocols, bridges, etc)?

- 32:14 - Recommendations for developers and companies regarding secure software development? In what part of the development cycle should an auditor be involved?

- 35:49 - What can you share with us about your latest audits from some major protocols like Ethena, 1Inch or Layerzero?

- 37:42 - When, why and how did you decide to found a security company?

- 41:03 - Web2 security researcher vs Web3 developers

- 42:51 - Which would you say are the most important skills having worked with teams but also starting your own company?

- 44:03 - Would it have been possible to launch your company without being known in the industry already?

- 46:20 - Did you find it difficult to switch from an independent auditor to run a security auditing company?

- 47:34 - What is the hardest part about launching a boutique web3 security company?

- 48:49 - What are mistakes that should be avoided when building a brand?

- 50:18 - Angel investing. What excites you the most about investing in new companies? Are you planning to focus on other security companies, web3 protocols?- 53:41 - Do you invest in companies after having audited them?

- 53:30 - How do you get involved with companies you invest into?

- 56:56 - Accepting tokens as payment

- 59:04 - How do you keep updated in web3 cybersecurity? Newsletters, conferences and events

- 01:01:58 - Final thoughts

Summary:

In this episode, Pablo Sabbatella sits down with Pashov, the top tier smart contracts auditor and founder of Pashov Audit Group. They will explore Pashov's journey from being a developer to becoming a well known web3 security researcher, and sharing insights into his meticulous code auditing process and offering valuable advice for aspiring blockchain security professionals. Later in this talk they will also cover the evolving landscape of security, the financial realities for researchers, and the strategic decisions behind audit specialization.

Pashov also opens up about the challenges of launching a security firm, the rewards of investing in the crypto space, and the reason has led him to become an angel investor in several firms.

Takeaways:

- The income for security researchers can vary depending on factors like the type of work (contests, audits), skill level, and market conditions. Working harder during bull markets and focusing on stacking cash can be a good strategy.

- Having a long-term security partner is beneficial for companies, as it provides ongoing security support and expertise.

Blockchain Security Series 12 - Stephen Tong (Co-Founder & CEO @ Zellic)

Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, SEAL member) Topics discussed: - 00:56 - Your story: How did you start getting interested in security? - 04:01 - Perfect blue: A weeb team with a CTF problem. Tell us all about it! - 06:49 - Similarities between web2 and web3 security. CTF skills comparison - 09:55 - Traditional security background for auditors - 11:41 - How did you start Zellic and what’s its focus? - 13:05 - Development cycle and security. - 15:11 - Unit testing - 18:35 - Formal verification: The wETH example - 23:27 - The current state of DeFi security - 26:27 - Hacks and kill switches and recovering funds mechanisms - 30:15 - Monitoring and threat detection - 31:05 - Code is law? - 32:18 - Consumer education & mass adoption - 33:19 - Security Alliance - Whitehat Safe Harbor Agreement - 35:35 - The Nomad hack: Audit diffs - 37:50 - Bridges and OpSec importance - 41:30 - Programming languages. Solidity and it’s origin - 43:15 - Rust & Move programming language - 46:05 - Key features of a blockchain programming language - 46:38 - ERC-4626: Standards for yield bearing assets - 47:40 - MPC from scratch - 50:04 - Zellic Forky - 51:03 - How to store crypto safely - 52:55 - Threat modeling - 55:15 - Favorite conferences

Summary:

In this conversation, Stephen Tong, co-founder and CEO of Zellic, shares his journey into blockchain security and the founding of Perfect Blue. He discusses the similarities and differences between security in web 2 and web 3, the importance of diverse skill sets in the security industry, and the origin and focus of Zellic. The conversation also covers topics such as the correct approach to security in blockchain development, the importance of unit testing and formal verification, and the challenges of ensuring safety in DeFi protocols. The discussion concludes with a reflection on the concept of code is law and the need for balance between being permissionless and protecting users from hacks. Stephen Tong covers the importance of decentralization and how to make the ecosystem more secure. The conversation touches on the initiatives of the Security Alliance (SEAL) and the need for a standardized approach to tokenizing yield-bearing assets. They also discuss the strengths and weaknesses of different blockchain programming languages, such as Solidity, Vyper, and Rust. The conversation concludes with recommendations for safely storing crypto assets and the importance of threat modeling.

Takeaways:

- Stephen's interest in security began with hacking Minecraft and Counterstrike, leading him to become a skilled auditor and co-founder of Perfect Blue.

- The skills required for auditing smart contracts in web 3.0 are similar to those needed for web app pen testing, low-level exploitation, and cryptography.

- The development cycle for secure smart contracts should include early engagement with security professionals, thorough testing, and formal verification.

- Unit testing is crucial for ensuring the security of smart contracts, and projects should aim for 100% line and branch coverage.

- Formal verification involves encoding code into mathematical formulas to prove that it adheres to protocol invariants, but it can be time-consuming and challenging.

- While no system can be 100% secure, it is possible to be reasonably sure about the security of a protocol under a given threat model and set of assumptions.

- Monitoring tools for detecting hacks before they happen are still maturing and often have false positives, but they are a step in the right direction.

- 'code is law' should be balanced with the protection of users from hacks

- Initiatives like the Security Alliance (SEAL) contribute to making the ecosystem more secure.

- Hardware wallets and compartmentalization are recommended for safely storing crypto assets.

- Threat modeling is essential for understanding and mitigating security risks.

Blockchain Security Series 11: Peter Kacherginsky (Lead @ Unit 0x Threat Research Team at Coinbase)

Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, SEAL member)

Topics discussed:

- 01:45 - How Peter get into crypto

- 03:39 - Interest in cybersecurity as teenager

- 08:44 - From web2 security to web3

- 10:29 - Why did you start BlockThreat?

- 11:25 - Generating content to keep learning

- 14:28 - Similarities and differences in security industry from the last 20 years

- 16:45 - Intelligence driven security

- 18:47 - Web2 criminals coming into web3

- 26:45 - Top 10 ways a protocol get hacked insights

- 35:55 - Threat actors profiles

- 39:36 - Insider threats

- 44:59 - Other personality profiles in the community

- 49:01 - Nation states criminals and other hacks

- 52:50 - The role of UX to leverage users security

- 01:01:15 - User’s education about security

- 01:07:15 - Most important things you learn about incident response

- 01:14:03 - Independent security researchers

Summary:

In the 11th episode of Blockchain Security Series we sit down with Peter Kacherginsky. We discuss his journey into the cryptocurrency world and his role in blockchain security. Also he talks about the early days of hacking and the parallels between web 2 security and blockchain security.

Peter shares his experience in creating BlockThreat, a popular newsletter in blockchain security and makes us think about the importance of threat intelligence and the need for mature security programs in the DeFi space. He also explores the top attack vectors in DeFi protocols and the profiles of threat actors. Later in this conversation, Peter Kacherginsky discusses various topics related to blockchain security, including threat actors, incident response practices, and user security. Emphasizing the importance of automation in incident response and the need for a security mindset among all team members he also highlights the significance of building trust in the crypto industry and the need for user-friendly and secure UX design and the potential for decentralized incident response and the role of independent security researchers in protecting protocols.

Takeaways:

- Threat intelligence is crucial in understanding who the adversaries are and how they target DeFi protocols.

- The top attack vectors in DeFi protocols include stolen private keys, function parameter validation, and JavaScript injection.

- Crypto natives, individuals with technical proficiency and questionable ethical beliefs, are responsible for a majority of exploits in the blockchain space.

- Insider threats and stolen private keys are significant risks that DeFi protocols need to address.

- The industry should focus on building mature security programs and adopting industry standards and procedures.

- The complexity of DeFi protocols and the financial incentives make them attractive targets for attackers. Automation is crucial in incident response to detect and respond to exploits quickly.

- All team members should have a security mindset and be involved in security practices.

- Building trust is essential for mass adoption of blockchain technology.

- User-friendly and secure UX design is important for protecting users from scams and phishing attacks.

- Decentralized incident response and the involvement of independent security researchers can enhance the security of protocols.

Sound Bites:

"It's been more than six years now and still enjoying it like it's never a dull moment."

"Not so many people that are today in blockchain security come from web 2 security, right? But some people as you or me do, well, we have all these things in common."

"We can't live in a society where we don't trust anyone."

"We need to build everything within incident response and monitoring to strive towards automation."

"Everyone is a security team. Everyone is an incident responder to the degree that they can"

Blockchain Security Series 10: Adrian Ludwig (CISO @ Tools for Humanity) Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher)

Topics discussed:

- 01:10 - Adrian’s background and journey

- 03:55 - Introduction to Worldcoin

- 06:16 - What changed in the last 25 years in security?

- 08:35 - Security Challenges for you as CISO

- 11:40 - Identity Verification: biometric data privacy

- 15:40 - Zero Knowledge Proofs

- 17:25 - Open-Source and decentralization

- 20:55 - The ZK backdoor and Open-Source challenges

- 24:00 - Decentralization vs. Security

- 26:00 - Incident Response

- 28:58 - War rooms

- 30:45 - Collaboration with the Community regarding security

- 33:50 - Technological innovations

- 36:55 - Self custody challenges

- 39:15 - AI and Fraud Prevention

- 45:10 - User Education

- 50:00 - Typical Day as a CISO

- 53:49 - C levels: soft vs hard skills

- 55:52 - Learning

- 58:05 - Future of Blockchain Security

- 01:01:05 - Controversial Belief about security

Summary:

In this episode, we sit down with Adrian Ludwig, Chief Information Security Officer at Tools for Humanity, to explore his extensive background in cybersecurity and his journey to his current role.

Adrian begins by providing an insightful overview of WorldCoin and its mission to improve trust and expand access to the global economy through blockchain technology. He underscores the significance of open source and community collaboration in bolstering WorldCoin's security framework, delving into the challenges posed by decentralization and the critical role of incident response in managing potential security breaches.

As the discussion deepens, he covers the use of zero-knowledge proofs and other advanced technologies to enhance WorldCoin's security posture, and the importance of secure multi-party computation (SMPC) and self-custody in the blockchain space. Adrian emphasizes the need for decentralization while balancing self-custody with data availability and explains how WorldCoin's World ID system addresses AI-driven fraud and the crucial role of privacy in blockchain transactions.

Later in the conversation, he shares his daily responsibilities as a CISO, offering insights into the blend of technical and soft skills required for leadership positions.

Challenging the notion that security conflicts with other values, Adrian advocates for clean and simple security solutions that uphold all principles.

Takeaways:

- WorldCoin's mission is to improve trust and increase access to the global economy using blockchain technology.

- Open source and community collaboration are important in enhancing WorldCoin's security.

- Decentralization is seen as a way to test the effectiveness of security controls.

- Incident response requires good visibility, communication, and ownership.

- WorldCoin leverages cutting-edge technologies like zero-knowledge proofs to enhance its security posture.

- Decentralization and privacy are key considerations in the design of blockchain systems.

- WorldCoin's World ID system aims to address AI-driven fraud by providing proof of humanity.

- A balance between technical and soft skills is crucial for leadership positions in the security field.

- The future of blockchain security lies in combining transparency and auditability with privacy.

- Good security is clean, simple, and does not compromise other values.

Bites

- "We're trying to provide privacy-enhancing services to enhance protections in the age of AI."

- "A lot of what we have to do as technologists is identify how we can change the underlying infrastructure to acknowledge the limits of humans and acknowledge the limits of our existing technology and build new technology to move past that."

- "Our belief is data about a person is really something that should be held by that person."

- "Dealing with the reality that humans make mistakes and they lose stuff has been a challenge for cryptographic systems forever."