Month: December 2021

Smart Contracts: Mission Possible

In the last article for 2021, I shall touch on one of the most exciting topics in technology of the last decade. For sure, with its novel approach, blockchain technology managed to change and shape our technical landscape during that period. These days crypto is widely adopted, and many people use cryptocurrencies every day. Additionally, we could see the mass adoption of NFTs and how it changed the art industry. We saw many platforms running an ICO as a replacement for an IPO. None of this would be possible without blockchain.

But what is blockchain? Essentially, blockchain is an append-only database system in which every transaction is cryptographically signed. Your digital identity is represented by a pair of public/private keys. The algorithms use these keys to encrypt/decrypt and sign/verify the data going into and coming out of the database. These same keys are used to identify your wallet in the standard cryptocurrency world. However, a traditional key/value database system is not enough for real-world usage, which is why almost all blockchain networks now offer smart contracts.
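To make the "append-only database of signed transactions" concrete, here is a small added example (not code from the article or from any real blockchain): an ed25519 key pair is each party's identity, every record is signed by its sender, and each record carries the SHA-256 hash of the previous one so that rewriting or dropping history breaks verification. The field layout, the hash linking and the `Demo` scenario are my own simplifying assumptions, not a description of any production ledger.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Transaction is one append-only ledger record. The sender's public key is the
// sender's identity; the private key never leaves the sender.
type Transaction struct {
	From      ed25519.PublicKey
	To        ed25519.PublicKey
	Amount    uint64
	PrevHash  [32]byte // hash of the preceding record: this is what makes the log append-only
	Signature []byte
}

// payload is the byte string the sender signs: every field except the signature.
func (t *Transaction) payload() []byte {
	b := append([]byte{}, t.From...)
	b = append(b, t.To...)
	var amt [8]byte
	binary.BigEndian.PutUint64(amt[:], t.Amount)
	b = append(b, amt[:]...)
	b = append(b, t.PrevHash[:]...)
	return b
}

// hash covers payload and signature, so a later record commits to both.
func (t *Transaction) hash() [32]byte {
	return sha256.Sum256(append(t.payload(), t.Signature...))
}

// Ledger is the append-only log itself.
type Ledger struct {
	records []Transaction
}

func (l *Ledger) lastHash() [32]byte {
	if len(l.records) == 0 {
		return [32]byte{} // genesis: nothing to link to
	}
	return l.records[len(l.records)-1].hash()
}

// Append signs a transfer with the sender's private key and links it to the tail.
func (l *Ledger) Append(senderPriv ed25519.PrivateKey, to ed25519.PublicKey, amount uint64) Transaction {
	t := Transaction{
		From:     senderPriv.Public().(ed25519.PublicKey),
		To:       to,
		Amount:   amount,
		PrevHash: l.lastHash(),
	}
	t.Signature = ed25519.Sign(senderPriv, t.payload())
	l.records = append(l.records, t)
	return t
}

// Verify replays the whole log: each signature must validate against the
// sender's public key and each PrevHash must match the record before it.
func (l *Ledger) Verify() error {
	var prev [32]byte
	for i, t := range l.records {
		if t.PrevHash != prev {
			return fmt.Errorf("record %d: chain link does not match previous record", i)
		}
		if !ed25519.Verify(t.From, t.payload(), t.Signature) {
			return fmt.Errorf("record %d: signature does not verify", i)
		}
		prev = t.hash()
	}
	return nil
}

// NewIdentity generates a fresh key pair, i.e. a new wallet identity.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo runs a constructed buyer/seller scenario, then rewrites history and
// reports whether the clean ledger verified and whether the tampering was caught.
func Demo() (cleanOK bool, tamperCaught bool) {
	sellerPub, sellerPriv := NewIdentity()
	buyerPub, buyerPriv := NewIdentity()
	var l Ledger
	l.Append(buyerPriv, sellerPub, 100) // buyer pays the seller
	l.Append(sellerPriv, buyerPub, 5)   // seller refunds part of it
	cleanOK = l.Verify() == nil
	l.records[0].Amount = 1 // someone with database access edits the stored amount
	tamperCaught = l.Verify() != nil
	return cleanOK, tamperCaught
}

func main() {
	clean, caught := Demo()
	fmt.Println("clean ledger verifies:", clean, "| tampering detected:", caught)
	pub, _ := NewIdentity()
	fmt.Println("example wallet identity (public key):", hex.EncodeToString(pub))
}
```

The point for a defender is the `Verify` loop: anyone holding only public keys can re-check the entire history, which is why an operator of the database cannot quietly alter a record after the fact.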

You can see a standard workflow of using a smart contract on the diagram: the seller and buyer provide data to the code deployed in the blockchain, and it is executed to fulfill the contract.

Every smart contract is a programming object whose lifecycle happens in the blockchain network. Additionally, every interaction with it is recorded and cryptographically signed with the same set of public/private keys used for your digital wallet. With such capabilities and a way to send money, blockchain networks offer pretty exciting opportunities:
  • Replacement of standard contracts: In an ideal world, crypto would dominate people’s legal operations. It has all the tools for doing that, and many platforms, including IBM’s Hyperledger, offer such capabilities. Instead of signing on paper, people use digital signatures, and the system’s distributed nature ensures that no malicious modification can happen.
  • E-voting: Many people believe that, with the progress of zero-knowledge proof protocols, we could replace the standard paper-based voting system entirely. Indeed, the technology is promising and could offer genuine authenticity during the voting experience in the future. However, its current state (it does not yet support a real programming-language experience) is hardly helpful for anything other than checking a simple boolean expression.
  • Decentralized Economy: In our current capitalism-based world, the parties issuing the money control the market. With the rise of crypto, that’s no longer true because now everyone can start issuing tokens and dictating how the market operates. And this is extremely helpful for smaller communities, which can detach themselves from the centralized issuing authority.

In conclusion, blockchain is quite an exciting technology, but unfortunately, it is still not mature enough for mass adoption. The main concern is that, despite the nominal anonymity, it is still possible to track the money transfers and identify the real people behind the public/private key pairs. The same is true for smart contracts and e-voting – for sure, no one is going to be happy if people have access to her/his real estate’s notarial act or know for whom he/she voted.

Why so much data?

New Year is coming, and usually, during this period, people assess what they did during the previous year. As a person with skills and experience in the defensive part of cybersecurity, I am always quite sensitive about sharing information, contracts, and legal documents with anyone, including institutions. During the last year, on multiple occasions, I had to present official documents and explanations of why and how I did something. On one of those occasions, I had to deliver around 20, again 20, papers to prove my right. Some of the documents did not relate to the right I wanted to exercise, but the institution tried to enforce their policy on me. The representatives in the office even told me that I should trust the institution and that this was the first time someone had asked for their data retention period, how they would assure that they destroy the documents after that period, and why they need the data at all.

During the last year, all of these experiences triggered the following questions in my mind – Is my data safe in any institution? Will it be safer if I take care of my data instead of an institution? Can an ordinary person achieve a better level of security than an institution?

The diagram shows a standard SSD storage system architecture used in almost all database systems. Because of its unique way of storing information, the standard secure delete procedures do not erase the data securely. Special tools are needed for this action, and we could only hope that the institution’s SysOps department is qualified enough to erase the information properly.

For all of these questions, the answer is usually – it depends on the level of expertise of the defending side. So it largely depends on the professionals the institution hired. To strengthen my statement, I can list several case studies that showed how attackers could penetrate even institutions and leak data:

  • Bank Hack: During a regular penetration testing exercise, a team of white hats managed to penetrate multiple office branches of a substantial French bank. Only in one of the offices did the employees ask the penetration expert to identify himself and ask the headquarters whether they sent anyone.
  • Government Tax Authority Hack: A couple of years ago, a hacker managed to leak multiple gigabytes of data from the Bulgarian Taxes Agency. The security hole had been open for an extended period, reported numerous times, and no one took action to close it.
  • Universities Hack: At the beginning of 2021, multiple US universities, including members of the Ivy League, were hacked, and the personal information and documents of their students, lecturers, and professors were leaked to the public.

In conclusion, I think we could safely assume that taking care of our data is our right and responsibility. I am happy to delegate this responsibility only to legal professionals (lawyers, notaries, and judges). They work with confidential documents every day and know how a data leak can affect people. In any other case, sharing data with third parties must come with at least a declaration of their data retention practices and how they destroy the data (there are security practices for doing that correctly).

Cybersecurity tactics for small teams – Public Image

And this is the last article in the cybersecurity tactics for small teams series. We have already finished the hardware- and computer-based parts, and I shall use this last article to cover the social side of cybersecurity. We shall spend the following paragraphs speaking about your organization’s public image and how it can be affected by your cybersecurity defenses. At the end of the article, we shall present a summarized budget combining all the budgets we created during the last couple of months. So let’s start.

Social media

During the last decades, we witnessed the rapid growth of various social media platforms. These days every organization has to show a stable social presence to improve its marketing. It is fascinating how virtual space, with its data and information, can reflect on real people and places. Having this in mind, we have to treat all the social accounts of a given organization as assets, and, as with any asset, we have to find a strategy to keep them safe and secured.

Imagine what will happen if an attacker takes control of your team accounts. Usually, these accounts are used to have private chats with clients or customers in different social media systems. A data dump of such conversations can sometimes be quite hazardous to your organization.

You can see a Venn chart representing the different social media platforms on the diagram. As you can see, almost all of our digital life is located there, and this data is an asset.

Internal Team Communication

As we discussed in the previous article, teams must communicate. In remote-first groups, this communication must happen in some virtual place, where team members can coordinate and write. By default, every email server, chat server, and video conferencing server records activity in a historical log. It is essential to take into account that these logs are information and company assets.

Sometimes the tone there is inappropriate, and thus dumping them over the Internet can cause significant problems to your organization. It is essential to understand that a cultural change must happen to make your organization understand the effects such an attack can have. 

Personal Space

Unfortunately, with the rise of digitalization, the following tendency started to emerge – your personal digital life can affect and hurt your professional one. It means you have to be aware that simple private communication can be leaked and can cause tremendous problems to your persona and your organization. 

The influencer economy and personal branding changed the Internet during the last decade. Despite its asymmetric nature, personal brands managed to keep pace with the big enterprises. It is more and more common for companies to use their employees’ brands to promote themselves. In short, we can describe this as an asset loan: employees lend their assets to their employer for the period they work together. From a cybersecurity point of view, your organization must understand that you now defend both company infrastructure and personal infrastructure.

Now, after we covered the effects that public image can have on your organization, it is a good idea to cover how you can defend yourself from penetration:

  • Security awareness course: A good security course will cover all these topics and many more. Still, it is good to touch on information security topics, not only cybersecurity ones, during the course. I would advise you to search for vendors providing business-oriented information security courses.
  • 2FA: 2FA is a must, especially for accounts that are not part of your infrastructure, both organizational and personal.
  • Personal Development: Personal development of your team members can help a lot to avoid such attacks. There are multiple use cases and stories on the Internet from which you can take inspiration.

Budget

As we already discussed, the final paragraph of this article will be a combined budget from all the previous articles together with this one. The budget will have two categories – per team and per person. The per-team budget is for your whole team, and the per-person budget is for one team member. The budget will be for two years because this is the service life of most of the hardware equipment. The team will be five people. So let’s do it.

Per team

  • Hardware toolkit (100$)
  • Paper Shredder (50$)
  • Camping Gear (50$)
  • Safe (500$)
  • Office Security System (4000$)
  • SIEM System (0$)
  • Email And Chat Server (85.68$)
  • VPN Server (85.68$)
  • GitLab Server (85.68$)
  • Video Conferencing Server (85.68$)
  • Cloud Storage (222.44$)
  • Security Awareness Course (1000$)

Total per team: 6266$

Per person

  • Router (180$)
  • Switch (150$)
  • Group Policy Server (150$)
  • Pacsafe Backpack (190$)
  • Business Series Laptop (1000$)
  • Laptop Operating System (0$)
  • Smartphone (200$)

Total per team member: 5 x 1870$ = 9350$

With a total budget of around 15616$ for two years, we achieved a pretty good level of security. Still, a determined attacker can penetrate this setup, but it will take him more time and resources. The budget comes to a little under 3300$ per team member, or around 140$ per month.

And this brings our series to an end. I hope you enjoyed our journey, and in case of questions, you can always book a session with me. I shall be more than happy to answer.