#Blockstack: an introduction
Posted on May 4th, 2016
05/04/2016 @ AWS popup loft, 350 West Broadway, NY
Blockstack offers secure identification based on blockchain encryption and confirmation. Six speakers described the underlying machinery and applications.
- Muneeb Ali – An Overview of Blockstack
- Jude Nelson – The Blockstack Server and CLI
- Josh Jeffryes – OpenBazaar and Blockstack Identity
- Arkadiy Kukarkin – MediaChain
- Ryan Shea – Blockstack Desktop
- Juan Benet – Blockstack Naming with IPFS
As in Bitcoin, Blockstack promises secure identification and transactions without using a central verifying agent.
The BlockStack application stack from the bottom up contains:
- Blockchain – want to use the most secure chain, which is currently bitcoin.
- Naming – intermediate pseudonym
- Identity – establish who you are
- Authentication – use electronic signature
- Storage – put pointers in the block chain, so you need storage for the actual information
- Apps built on top of the stack
- Cryptcurrency blockchain
- Virtual blockchain – gives flexibility to migrate to another cryptocurrency.
- Routing – pointers data location. Initially used a DHT (distributed hash table).
- Data on cloud servers. Could be Dropbox, S3, …
1&2 are the control plane, above that is data plane
The current implementation uses a bitcoin wallet for identity and requires 10 blockchain confirmations to set up a person.
- OpenBazaar (a place to buy and sell without an intermediary) has a long identification string for each buy/sell. Blockstack provides a secure mapping of these ids to a simpler human-readable id
- Mediachain is a data network for information on creative works in which contributed information is validated by the contributor’s identity. All objects are IPFS + IPLD objects with information saved to Merkel trees. They are working on the challenge of private key management: high volumes of registrations and the need to register on behalf of 3rd
- IPFS (interplanetary file system) proposes to
- Create a DNS based on the package content which will allow copies to be located on several locations in the network
- Greater individual control over DNS names independent of any centralized naming body
- There are three levels of naming
- The content defines the address through a hash tag. But if the blog changes, the address changes.
- Key name. a mutable layer of names that is stable even as the content changes
- DNS name. a humanly readable name that is paired with the key name
#PostGresSQL conf 2016: #DataSecurity
Posted on April 18th, 2016
04/18/2016 @ New York Marriott Brooklyn Bridge
Several morning presentations concentrated on data security. Secure data sharing has several conflicting goals including
- Encourage data sharing
- Restricting who can see the data and who can pass on the rights to see the data
- Integrity of the original data including verification of the sender/originator
- Making protection transparent to users
Traditional approaches have concentrated on encryption that cannot be broken by outsiders and schemes so users can validate content and ensure confidential data transmission.
The following additional approaches/ideas were discusses
- Create a system when the data are self-protecting
- Enforce encryption at the object or attribute level?
- No security system will be water tight (except no access), so one needs to understand what are the major threats and what are the best solutions and the tradeoffs. Who can you trust?
- Can control be extended beyond the context of the system?
- Hardware Security Modules may offer more security but the raw key cannot be exported and could be hacked by the OS
- The use of point-to-point security systems so data is only available when needed.
- Point-to-point key management systems offer the possibility of understanding the usage patterns to identify security breaches
The problem is not software, it is the requirements. One wants to trust the user as much as possible and not rely on the service provider. However, in big organization, one needs a recovery key since there is premium on recovering lost data.
#DigitalPayments and #Fintech
Posted on September 29th, 2015
09/29/2015 @ Barclays, 101 Barclay St., NY
A panel of experts and a series of presentations covered the topics of digital payments and fintech initiatives on a wide range of topics including consumer verification to currency exchange.
The panel covered many topics including
- Payments are made in two steps: 1. Account # verification 2. Account owner verification. The use of biometrics and EMV-chip credit cards is changing this landscape.
- Fintech often piggy backs on the current bank infrastructure
- It is challenging to groom the IT talent pool as the speed of innovation has quickened
- Distributed ledger is an opportunity to speed payments and move information quicker
- There is a need to build governance and rules on top of the technology such as block chain
- Customer desires may be contradictory: immediate payment vs. revocability, ease of use vs. fraud is hard
- The bank relationship with customers may change with the proliferation of payment services.
- There is a sense that banks are moving from model in which banks owned the technology to one in which the bank manages the technology – agnostic as to the technology. Focus on business serving the client.
After the panel, there were six 5 minute presentations by Irish companies exploiting technology in finance:
Fexco transaction services – Denis McCarthy – started doing FX transactions in County Kerry,Ireland. Now global retail payments. Challenges 1. Legacy platforms.2. cross-border processing 3. Alternative payments 4. Omni-channel experience (in store, online). sell a white label solution.
Sysnet Global Solutions – Safemaker product to simplify security & compliance. 85% of breaches are stolen credit card information. Most are small businesses. Create a customized program for small businesses to secure their network – maintain compliance.
Trustev – Rurik Bradbury – stop online fraud. Can flag in real-time. Cloud data base –how they behave when come to web site. Are they trying to mask their location, is it a spam bot, look at credit file, social, known email address, …
Continuum Commerce – online customer needs an issuing bank and the retailer needs an acquiring bank. If there is a cross currency transaction the retail bank will apply a 3% fee for FX. Continuum allows the customer to have the option to pay in their native currency as opposed to the default currency of the retailer at a lower fee.
Acquirer Systems –help customers protect their brand value. Automated test and validation services so the retailer can accept a card with confidence. E.g. help retailers in the U.S. update their systems so they can accept EMV (chip-based) systems.
Daon – Conor White – make it easy for consumers to pay and interact online by authenticating humans using a mobile biometrics. Using face, voice recognition. Device is encrypted and by taking a selfie (person needs to blink so the system knows that it is not a picture.) For a demo go to www.daon.com/paymentsdemo to get a link for you to try the system.
#InternetOfThings NY #21 Smart #HomeSecurity / Security of #SmartHome
Posted on July 24th, 2015
IoT meetup NYC #iotNY @lindadrabik
07/23/2015 @ Cardozo Law School room 206, 55 Fifth Ave, NY
The meetup had two speakers and three presentations by IoT hackathon award winners
In the first presentation Andrey Katsman @Canary (a home security system) spoke about the differences between most programming and software development for IoT. The three main differences he highlighted were
- specific to hardware
- better performance
- greater robustness
One of the key differences is the need for precision especially in coordinating the timing of the program to the timing of actions to be performed in the physical world. This is especially important for safety (self-driving vehicles).
Andrey recommended several ways to minimize errors. These include
- unit tests
- statistical analysis, be as scientific as possible
- analyze the math (e.g. roundoff errors)
- collect data and visualize it
- chart how the logic should behave
- study your data sheets,
He next talked about precise timing
- real time means done exactly as expected
- hard real time is the goal
- soft real time means we are close enough to satisfy the task (just good enough)
- goal is deterministic control of all peripherals
and how do we get there
- use lower level language (compilers try to optimize the code & garbage collector can cause problems)
- be mindful of how hardware is called
- delay of a sensor reporting results – problems with blocking & time delay
- memory mapping – compiler needs to know about it
- know the limitations about your processor – e.g. how are threads handled especially on a single core processor
- make sure your processor can handle the network
- plan for firewalls
- plan for encryption.
He then talked about how low level drivers can be tricky – unexpected behavior since it might be trying to optimize specific targets that may or may not be consistent with your assumptions such as how they are initialized,
Next, Sanjay Sarma @ MIT spoke via speaker phone on the ongoing challenges facing IoT.
He noted that historically the most successfully technologies were eventually dominated by a single technology (e.g. packets to create the internet, internal combustion engines, AC current). But IoT has many ways to connect thing (e.g. Zigbee, Wifi,…) and networks such as those in cars are not secure and idiosyncratic. Standardization and protocols will make security better. He proposes creating everything as an avatar in the virtual world. In a world with massively pervasive sensors, anything you buy will also include an avatar in the virtual world.
The evening was concluded by three lighting talks
Goodsleep talked about monitoring the humidity, temp, light, accelerometer, sound, VOC in the bedroom to assist in getting a good night’s sleep.
Microexpression talked about using a state machine to map text to Morse code
TeamImpact talked about sensors to save lives and better understand the effects of head trauma. They use accelerometers to measure head impacts which can be compared to historical trends, benchmarked against ones cohort and epidemiologically studied.
Computer #Security Basics – Lessons from a Paranoid
Posted on June 19th, 2015
06/17/2015 @ Yahoo, 229 West 43rd St, 10th floor, NY
With recent high profile system attacks on businesses (such as EMC) and the U.S. government, this talk is very timely. One of the attack methods (XSS) in this presentation was recently revealed to be a vulnerability of a commonly used WordPress plugin.
- Thinking about attacks and responses
- Common web vulnerabilities
- Tool to improve security
- Modern attacks
- Thinking about threats
- Analyze security from the attacker’s perspective
- Map the system
- What are the trust boundaries
- Assets that the attacker might be interested in
- Who interacts with the system
- Trust level – who has what access rights
- Types of attacks: Spoofing – pretend to be someone else, etc.
- Assess the level of risk by each type of attack : e.g. likelihood x impact and the costs, etc.
- Consider range of mitigants : do nothing –vs– transfer risk –vs– mitigate –vs– terminate the server
- Common web vulnerabilities
- Cross Site Scription (XSS) – embed JS in a social message; Mitigant – use frameworks: e.g. convert < into “<” have a content security policy so an HTTP header is only allowed access to some resources: limit use of JS and CSS.
- Cross Site Request Forgery (CSRF) – confused deputy problem; can steal money from banks and more; can be used as a HTTP post as well as an HTTP get (for clickable images); Mitigant – all forms have nonce/token (hidden token sent as part of an input tag from a bank, which is needed to complete a transaction); use frameworks protection; don’t allow GET to change state (need a POST); short cookie expiry time
- SQL Injection – adjust a SQL query so that the query executes not only the response, but any additional code such as a “Where” statement that always tests “true” . NOSQL is also vulnerable; Mitigant – parameterize queries and programmatically extract and insert a string as the password; use stored procedures within DB; escape the user-supplied input to filter out “=” for example; be explicit about allowable types such as forcing a response to be a string.
- Command injection (Stuart considers this potentially to be the most damaging attack). Here, a web page takes the input and executes a command. This means that an attacker can insert additional commands after the required input. Mitigation – use the actual command, not the user inputs; filter and escape all inputs so they are treated as arguments, not commands
- Forced browsing / improper authorization– use DirBuster a tool for brute forcing urls to get to a monitoring panel; Mitigation – proper authorization also non-guessable resource IDs and passwords.
- Exposed Services – Mitigation – scan the network (including printers, cameras) to see if they hold viruses that can jump to the network; set up Jenkins Servers to avoid a backdoor for command injection; password protect everything
- Sensitive Data Exposure – a reset-password email contains a token, but this can make it possible for others to reset the password in the future; Mitigation – use transport encryption; identifiers should not be guessable; encrypt sensitive information (SSN); authenticating information should not be contained in return emails; only keep the logs you need since logs are often not protected, but may contain passwords, etc.;
Tool to improve security
- Static analyzers – look for potential problems
- Vulnerability scanners e.g. Nessus
- Spidering – follow all he links
- Network scanning e.g. Nmap – port scanning
- Fuzzing – feed garbage to a system and see what happens
- Social engineering – best way to protect is by getting everyone to be aware of vulnerabilities
- Finding, selling and exploiting 0day – attacking your browser, office software and phones;
- N-day botnets; take recent attacking methods and replicate them across the net
- Ransomware – “will tell the FBI about ___ unless you send $$$$”
- Advanced Persistent Threats (APTs) – persistent on your network and be quiet.