Hellfire Security founder and ethical hacker Gregory Pickett discusses the security risks of Web3 versus Web2 and the dangers of ignoring them
Cybersecurity expert Gregory Pickett runs his own firm, Chicago-founded Hellfire Security, which specialises in cybersecurity monitoring, a process that enables businesses to see what’s happening in their network and detect security threats before they escalate.
Pickett is what you’d call an “ethical hacker” or white hat, who has hacked the Bangkok Mass Transit System Skytrain ticketing system and the EC-Council website. On the side, he has spoken at the hacker convention Def Con and the computer security conference Black Hat.
Since 2021, he has also been the chief information security officer at Bitkub Capital Group, a Thailand-based blockchain and digital asset company established by Gen.T honouree Jirayut “Topp” Srupsrisopa.
As demand for Web3 is expected to rise the fastest in Asia, we asked him about the potential security risks unique to it compared to Web2, and how founders and content creators can prepare for them.
Define the key differences between Web2 and Web3.
Gregory Pickett (GP): To the user, everything pretty much looks the same. They will see a web server as they always have before. It presents the interface which should be the same for the user. The differences are on the back end or what is behind the web server.
With Web2, that web server would talk to some kind of application server with that application keeping its data in a database on a database server.
With Web3, that application server is replaced by the smart contract. The database server is replaced by the blockchain.
What are the security risks of Web2? How are they being tackled or managed?
GP: Flooding is an issue. Flooding is about denying access to a web application or API (application programming interface). Injection is an issue; it is about injecting commands that either end up in the user’s browser or within the application itself. There are a lot of different types and it depends on the type of interfaces that are available as well as the format of the data being sent and received by the application. Essentially, someone is trying to influence an application’s behaviour. They might also be trying to change, add or remove data from the application. There are also attacks against specific features, such as uploads and bypassing permissions to perform unauthorised operations.
That’s a lot to handle, right, and they typically do it with filtering, lots and lots of filtering. It is a primary line of defence and is done hopefully to give the team time to get to the root cause, so that filtering is not necessary any more (for that particular issue).
How will these risks evolve in Web3?
GP: Direct attacks such as those mentioned earlier were most prevalent under Web2. Under Web3, you see a lot more of what might be called side-channel attacks. Attacks like phishing key personnel and exploiting the servers of node operators. These are attacks from the Web2 era that were rarely used because direct attacks were less expensive to launch, had a higher probability of success and gave better returns on the investment.
Web3 uses platforms that are less susceptible to direct attacks. That being the case, attackers have had to pivot to these side-channel attacks. I, myself, have used such an attack to compromise an exchange. Attackers are still doing some direct attacks but in a much more limited fashion.
One example is using injections to target off-chain data (data not on a publicly accessible service). These side-channel attacks are much more resource-intensive and take longer to execute, but the attackers are in luck. Web3 payoffs are much bigger, which means that these types of attacks are now worth their investment.