Blockchain Security Series

• Blockchain Security Series 17 - Scott Renna (Senior Solutions Architect @ Halborn)

  Blockchain Security Series 17 -  Scott Renna: Senior Solutions Architect @ HalbornHosted by Pablo Sabbatella - pablito.eth: Web3 OpSec Security Researcher, Opsek founder, SEAL (Security Alliance) memberTopics discussed:- 00:00 - Intro - 01:19 - Early days in computers and cybersecurity - 03:45 - Getting into crypto industry- 05:51 - Web2 and web3 security parallelism - 09:49 - Different challenges in cybersecurity- 16:20 - What have you learned from each industry- 25:58 - Buying leaked information and incentives - 33:39 - Lessons from web2 security to implement on web3- 42:37 - Incident response in web3- 48:09 - Addressing web2 risks in blockchain - 50:38 - Managing third parties risk- 53:31 - XZ backdoor and open source software risk- 55:32 - Using AI for scanning vulnerabilities- 57:22 -  Common attack vectors in smart contracts - 1:00:48 - Phishing attacks - 1:04:50 - Passkeys- 1:10:18 - Anon security researchers- 1:12:54 - Satoshie Nakamoto theories- 1:14:20 - Zero-day exploits and nation state actors- 1:22:17 - Best practices for securing private keys- 1:25:18 - Multi-party computation - 1:27:20 - Quantum computing and AI- 1:30:31 - Advice for security professionalsSummary:In this episode of the Blockchain Security Series, host Pablo Sabbatella interviews Scott Renna, a Senior Solutions Architect at Halborne, discussing his journey into cybersecurity, the evolution of threats, and the importance of security in the blockchain space. This talk explores the connection between blockchain security and traditional web2 security trying to shed light most common attack vectors in the industry. The guest also shares important lessons he learned in the different fields of cybersecurity he had the opportunity to work on.They explore the challenges faced by the industry, the role of human factors in security breaches, and the need for better practices in incident response sharing also insights on the impact of quantum computing and AI on security, as well as advice for new professionals entering the field.Highlights:- 11:35 - “The biggest challenge when you're talking about defending or preventing attacks is as an attacker, you only have to find one way to get in. We call those red teamers. I used to be one, but I became a blue teamer because it was too easy. But so as a blue team or a defender, you have to find all the holes and not just that. ”- 27:47 - “We worked a lot of ransomware cases, the colonial pipeline incident. This was public so I can share it. that was negotiated by Flashpoint. So we didn't make any, you know, suggestions or requests because again, we're in the business of doing business. My personal opinion is yes, you are correct. It incentivizes and drives the behavior, but what's the alternative? What's the solution? The solution is implementing security controls.”- 34:59 - “There seems to be this view in Web3 natives, not all, but a lot that I talk with. They don't understand that Web3 doesn't exist without Web2. You can't get on the chain without traditional infrastructure. And that's one of the reasons I came to Halborn. It's been a year and a half almost now at this point. We have an off-chain practice. We call it off-chain, but it's cloud infrastructure security, mobile app security. So it's not just necessarily, you know, I'm on the chain and this and that, it's the infrastructure that underpins it, right? ”- 1:09:10 - “With what happened with Luna, Luna wasn't hacked, never, they were not hacked. But the coordination calculation and then the move to sell the Luna Foundation Bitcoin, the Bitcoin guard, I think it was orchestrated by nation state actors, maybe not of specific nations, but.. That was a very well-constructed attack that involved a lot of money and resources. And there aren't many individuals that have access to that type of capital to make that happen. So Luna's great, but it's unfortunate with what happened.”Links:https://www.linkedin.com/in/scottrenna/

  --------  

  1:34:43

  --------

  1:34:43
• Blockchain Security Series 16 - Matt Aereal (Co-founder @ The Red Guild)

  Blockchain Security Series 16 - Matt Aereal (Co-founder @ The Red Guild) Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, Opsek founder, SEAL member) Topics discussed: - 00:00 - Intro  - 01:40 - How you got into cybersecurity - 09:26 - Artist side: Producing events and photography - 12:52 - Parallelism between hacking, art and magic  - 16:31 - Ekoparty: Working for The biggest Latam Security Event       - 21:16 - Beginnings in blockchain and web3 security - 27:07 - The Red Guild  - 40:48 - SEAL: What is the Security Alliance and how are you related - 55:50 - The challenge of building web3 public goods - 01:04:01 - Educating consumers vs building more secure systems - 01:08:30 - OSINT and tools - 01:12:50 - Cybersecurity state in Argentina - 01:18:15 - Web2 exploits in web3 - 01:27:23 - Best security tips - 01:33:53 - Kraken’s lawsuit against Certik - 01:41:13 - Tooling in web3 research - 01:44:34 - Read teams work and training - 01:48:25 - Damn vulnerable DeFi - 01:51:26 - Final thoughts Summary: This is the 16th episode of the Blockchain Security Series Podcast but the first one recorded live! Pablito engages in an insightful conversation in Buenos Aires with Matt Aereal, co-founder of The Red Guild. Matt, a security generalist with a rich background in hacking and art, shares his journey into cybersecurity, starting from his early interests to his current endeavors in the blockchain and web3 space. Beginning with Matt recounting how he got into cybersecurity, highlighting the influences that shaped his career, the conversation delves into his artistic pursuits, including event production and photography, drawing parallels between hacking, art, and magic.  They touch upon the significance of Ekoparty, a renowned security conference in Latin America, and how it has fostered a community of like-minded professionals. Matt explains the origins and mission of The Red Guild, emphasizing its role in enhancing security within the web3 ecosystem. They will also explore his involvement with SEAL (Security Alliance), discussing how collaboration and shared knowledge are vital for advancing security measures and the importance of educating consumers versus the necessity of creating inherently secure systems.  In this episode you will be provided with a comprehensive exploration of the multifaceted world of cybersecurity, blending technical insights with philosophical reflections. It’s an enlightening listening for anyone interested in the nuances of blockchain security, the role of community in technological advancement, and the creative parallels that enrich the field. Highlights: - 29:19 - "We work as a non profit because we think that there’s space to complement the profit schemes that there are currently in the ecosystem and the way that we do so it’s being a group of security researchers with a lot of freedom to do it. So we take things really differently." - 59:43 - "If you think security is expensive, try with an incident”. - 01:05:26 - "There is a bigger problem that is that there is a huge gap between people who actually know about technology and people who don’t know about technology and the speed of the development of technology that has surpassed the capacity of some people to cope with it. And if the gap in technology itself is really really wide, then imagine in security." - 01:07:10 - "Do you know how people have an accountant or a lawyer for themselves? I'am thinking security specialists for individuals" - 01:44:34 - "At the beginning for people was always easier trying to break, because you know what to break, in comparison to defend, where you don’t have a scope of what to defend." Takeaways: - Having met Tincho Abbate they begin the journey of creating The Red Guild: an educational non-profit web3 organization. https://x.com/mattaereal https://x.com/theredguild https://blog.theredguild.org/ https://www.damnvulnerabledefi.xyz/

  --------  

  1:53:54

  --------

  1:53:54
• Blockchain Security Series 15 - Nikita Varabei (Founder @ ChainPatrol)

  Blockchain Security Series 15 - Nikita Varabei (Founder @ ChainPatrol) Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, Opsek founder, SEAL member) Topics discussed: - 00:00 - Intro - 01:40 - How Nikita got into programming and blockchain security - 08:05 - How ChainPatrol started - 10:10 - Scam investigators - 12:20 - Burn Mywallet - 15:05 - ChainPatrol early days - 20:20 - What ChainPatrol does now - 24:25 - Social engineering - 28:30 - Post mortems - 33:04 - Scammers investments and ROI (Return on investment) - 38:10 - Service providers role: registrars, cloudflare, google ads, twitter, linkedin - 46:00 - Scammers stack: registrars, hosting providers - 51:18 - Mixing on-chain and off-chain data to detect threats - 55:21 - Collaboration between security companies, Threat Intel, SEAL ISAC - 58:56 - Issues with competitors and ChainPatrol openness - 01:02:10 - Web3 vs Web2 security - 01:06:18 - Scammers reporting each other - 01:10:04 - Methods used by scammers to avoid detection. Cloaking techniques, Cloudflare, Captcha. - 01:15:07 - Users and community reporting, incentives, threat hunters. - 01:19:37 - Making scammers lose time - 01:21:06 - Scammers using hacked domains and legitimate companies' domains getting hacked - 01:22:43 - Wordpress hacks and secure domain registrars - 01:25:35 - How to manage legitimate projects domains and accounts being compromised - 01:31:38 - Transaction simulation bypass. Proxy contracts, exploit of contract variables. Bit flip attack.  - 01:37:20 - Challenge to build for more privacy and improving threat detection at the same time. - 01:42:24 - Private information retrieval (PIR) - 01:44:11 - Companies taking more care of their users trend - 01:48:47 - IPFS being used by scammers - 01:49:55 - Best tips for crypto companies - 01:53:39 - Security tips for users - 01:56:41 - Final thoughts Summary: Pablito.eth sits down with Nikita Varabei, co-founder of ChainPatrol, to dive deep into the world of blockchain security, uncovering the tactics scammers use and the innovative ways companies like ChainPatrol are fighting back. From his background in programming and computer science, his love for crypto, and his experience working at Coinbase. He explains the need for dedicated security measures in the crypto space and how ChainPatrol helps protect users from phishing attacks and impersonation. Follow this road into the discussion of various topics related to blockchain security, including the prevalence of scams with social engineering , the challenges of detecting and preventing these attacks and how to frame security from a economical and incentives perspective where attackers make an investment expecting a return. Also they will address the importance of securing accounts and using trusted brand protection providers and why traditional companies are not succeeding in diminishing these scams.  Takeaways - ChainPatrol helps protect users from phishing attacks and impersonation by scanning domains, social media accounts, and replies to detect and block scammers. - Scammers in the crypto space operate like an industry, with developers creating scam kits and others deploying them to steal funds. - Post-mortems are crucial for improving security measures and preventing recurring issues in the crypto space. - Tracking down scammers and taking down their fraudulent accounts requires collaboration with domain registrars, hosting providers, and social media platforms. Scammers often go under the radar of detection systems on social platforms due to the volume of accounts to monitor. - Scammers employ various techniques, such as using Cloudflare and cloaking, to avoid detection. - Incentive mechanisms are needed to encourage users to report scams. Secure all your accounts and use strong authentication methods to prevent unauthorized access. - For individual users, use security extensions and wallets that offer protection against scams. Links: https://chainpatrol.io/

  --------  

  1:58:53

  --------

  1:58:53
• Blockchain Security Series 14 - Frederik Svantes (Security research lead @ Ethereum Foundation)

  Blockchain Security Series 14 - Frederik Svantes (Security research lead @ Ethereum Foundation) Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, SEAL member) Topics discussed: - 00:00 - Intro - 01:13 - How you started with computers and programming - 02:41 - Working in Blizzard Entertainment - 08:12 - Red and blue teams  - 14:19 - Incident response: What should web3 security learn from web2 industry? - 18:57 - Planned and unplanned war rooms  - 22:58 - Communication mistakes during incident response - 29:18 - Operational security - 36:38 - Security awareness - 39:19 - Social Engineering - 42:51 - Role at Ethereum Foundation - 45:38 - EF Bug Bounty Program - 47:18 - Bounties for the execution and the consensus layer - 49:01 - Most common types of vulnerabilities reported. - 51:20 - Vulnerability disclosure process. - 54:04 - Ethereum Protocol Attackathon with Immunefi. - 59:39 - Blockchain monitoring and live threat detection. - 01:01:46 - The future of the security in Ethereum: main challenges - 01:06:29 - Balance between daily work and technical research - 01:08:19 - Programming as a skill to be a blockchain security researcher? - 01:12:16 - Favorite conferences and events - 01:14:19 - Final thoughts Summary: In the 14th episode of the podcast, Fredrik Svantes, Security Research Lead at the Ethereum Foundation, shares his journey from his early days in computers and programming, through his time at Blizzard Entertainment, to his transition into the Ethereum ecosystem. In this discussion, he provides valuable insights into operational security within the blockchain space, emphasizing the crucial role of incident response, preparedness, and the growing need for security awareness and best practices. Fredrik also explores the significance of social engineering in cybersecurity and outlines the key responsibilities of the protocol security team at the Ethereum Foundation. This team is dedicated to protecting the Ethereum network and ensuring effective coordination of security efforts across various client teams. Fredrik discusses the Ethereum bug bounty program, shedding light on the management challenges and highlighting common vulnerabilities reported, such as denial-of-service attacks. He underscores the importance of clear communication and transparency in the vulnerability disclosure process. Looking forward, Fredrik shares his perspective on the future of Ethereum’s security and the challenges the network will face as it continues to evolve. Takeaways: He emphasizes the importance of incident response preparedness and conducting regular exercises to ensure a calm and effective response In the blockchain ecosystem, there is a need for increased focus on operational security, including securing front-ends, infrastructure, and private keys Security awareness and best practices should be tailored to specific roles and responsibilities within a project or organization. Social engineering is a critical aspect of cybersecurity. The protocol security team at the Ethereum Foundation focuses on ensuring the security of the Ethereum network and coordinating security between client teams. The bug bounty program is an essential part of vulnerability disclosure, and it helps identify and fix vulnerabilities in the Ethereum network. Communication in security and public disclosure are crucial in the vulnerability disclosure process, and the Ethereum Foundation follows a phased approach to disclosure. Blockchain monitoring and live threat detection are valuable tools in identifying and responding to security threats in the Ethereum ecosystem. The future of security in Ethereum lies in expanding the number of experts in protocol security and addressing the challenges posed by the evolving roadmap. Programming skills are not necessarily required to be a blockchain security researcher, but having an understanding of programming and the associated risks is important.

  --------  

  1:17:16

  --------

  1:17:16
• Blockchain Security Series 13 - Pashov (Founder @ Pashov Audit Group)

  Blockchain Security Series 13 - Pashov (Founder @ Pashov Audit Group) Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, SEAL member) “There are a lot of hidden gem auditors in the space really. And this is my mission to find them and to work with them” Topics discussed: - 00:00 - Introduction - 01:06 - How did you get started into computers and programming? - 05:22 - Mastering Ethereum, Andreas Antonopoulos - 07:05 - When and why did you decide to switch from developing to security research? - 11:02 - Do you need to know how to code to be a smart contract auditor? - 13:07 - What is your advice for someone that is just getting interested in cybersecurity? - 15:10 - How important do you think it is to be a self-taught person in this industry?  - 16:15 - Reviewing new code step by step. You first understand what the protocol does on a high level or you just jump into de code?  - 19:17 - Income for a security researcher - 24:12 - What things have changed in the security space in the last years and what things still remain the same? - 26:42 - What does the ecosystem need in terms of security? More people, better tooling? - 27:52 - On chain vs off chain audits. How have the incentives mechanisms been evolving and which one is in your opinion the system that works better for auditors? Code Arena, Hats Finance, Cantina, Sherlock, etc. - 29:37 - How to choose the right audit contest? What strategy should one adopt (focusing only on DeFi protocols, bridges, etc)? - 32:14 - Recommendations for developers and companies regarding secure software development? In what part of the development cycle should an auditor be involved?  - 35:49 - What can you share with us about your latest audits from some major protocols like Ethena, 1Inch or Layerzero? - 37:42 - When, why and how did you decide to found a security company? - 41:03 - Web2 security researcher vs Web3 developers - 42:51 - Which would you say are the most important skills having worked with teams but also starting your own company? - 44:03 - Would it have been possible to launch your company without being known in the industry already? - 46:20 - Did you find it difficult to switch from an independent auditor to run a security auditing company?  - 47:34 - What is the hardest part about launching a boutique web3 security company? - 48:49 - What are mistakes that should be avoided when building a brand? - 50:18 - Angel investing. What excites you the most about investing in new companies? Are you planning to focus on other security companies, web3 protocols?- 53:41 - Do you invest in companies after having audited them? - 53:30 - How do you get involved with companies you invest into? - 56:56 - Accepting tokens as payment - 59:04 - How do you keep updated in web3 cybersecurity? Newsletters, conferences and events - 01:01:58 - Final thoughts Summary: In this episode, Pablo Sabbatella sits down with Pashov, the top tier smart contracts auditor and founder of Pashov Audit Group. They will explore Pashov's journey from being a developer to becoming a well known web3 security researcher, and sharing insights into his meticulous code auditing process and offering valuable advice for aspiring blockchain security professionals. Later in this talk they will also cover the evolving landscape of security, the financial realities for researchers, and the strategic decisions behind audit specialization. Pashov also opens up about the challenges of launching a security firm,  the rewards of investing in the crypto space, and the reason has led him to become an angel investor in several firms. Takeaways: - The income for security researchers can vary depending on factors like the type of work (contests, audits), skill level, and market conditions. Working harder during bull markets and focusing on stacking cash can be a good strategy. - Having a long-term security partner is beneficial for companies, as it provides ongoing security support and expertise.

  --------  

  1:03:41

  --------

  1:03:41

More Technology podcasts

Trending Technology podcasts

About Blockchain Security Series