Ethical hacker Gregory Pickett is the founder of Chicago-founded Hellfire Security and chief information security officer at blockchain company Bitkub Capital Group (Photo: Bitkub and Raphael Quaison)

Hellfire Security founder and ethical hacker Gregory Pickett discusses the security risks of Web3 versus Web2 and the dangers of ignoring them

Cybersecurity expert Gregory Pickett runs his own firm, Chicago-founded Hellfire Security, which specialises in cybersecurity monitoring, a process that enables businesses to see what’s happening in their network and detect security threats before they escalate.

Pickett is what you’d call an “ethical hacker” or white hat, who has hacked the Bangkok Mass Transit System Skytrain ticketing system and EC-Council website. On the side, he has spoken at hacker convention Def Con and computer security conference Black Hat.

Since 2021, he has also been the chief information security officer at Bitkub Capital Group, a Thailand-based blockchain and digital asset company established by Gen.T honouree Jirayut “Topp” Srupsrisopa.

As demand for Web3 is expected to rise the fastest in Asia, we asked him about the potential security risks unique to it compared to Web2, and how founders and content creators can prepare for them.

Define the key differences between Web2 and Web3.

Gregory Pickett (GP): To the user, everything pretty much looks the same. They will see a web server as they always have before. It presents the interface which should be the same for the user. The differences are on the back end or what is behind the web server. 

With Web2, that web server would talk to some kind of application server with that application keeping its data in a database on a database server. 

With Web3, that application server is replaced by the smart contract. The database server is replaced by the blockchain.

What are the security risks of Web2? How are they being tackled or managed?

GP: Flooding is an issue. Flooding is about denying access to a web application or API (application programming interface). Injection is an issue; it is about injecting commands that either end up in the user’s browser or within the application itself. There are a lot of different types and it depends on the type of interfaces that are available as well as the format of the data being sent and received by the application. Essentially, someone is trying to influence an application’s behaviour. They might also be trying to change, add or remove data from the application. There are also attacks against specific features, such as uploads and bypassing permissions to perform unauthorised operations.  

That’s a lot to handle, right, and they typically do it with filtering, lots and lots of filtering. It is a primary line of defence and is done hopefully to give the team time to get to the root cause, so that filtering is not necessary any more (for that particular issue).

How will these risks evolve in Web3?

GP: Direct attacks such as those mentioned earlier were most prevalent under Web2. Under Web3, you see a lot more of what might be called side-channel attacks. Attacks like phishing key personnel and exploiting the servers of node operators. These are attacks from the Web2 era that were rarely used because direct attacks were less expensive to launch, had a higher probability of success and gave better returns on the investment.  

Web3 uses platforms that are less susceptible to direct attacks. That being the case, attackers have had to pivot to these side-channel attacks. I, myself, have used such an attack to compromise an exchange. Attackers are still doing some direct attacks but in a much more limited fashion. 

One example is using injections to target off-chain data (data not on a publicly accessible service). These side-channel attacks are much more resource-intensive and take longer to execute, but the attackers are in luck. Web3 payoffs are much bigger, which means that these types of attacks are now worth their investment.

Anything can become insecure if it is used insecurely

- Gregory Pickett -

What are the new security challenges or risks of Web3? What is fueling them?

GP: With Web2, there is a gatekeeper. In order to get to anything interesting, the attacker had to get past the web server first. 

With Web3, the attacker can bypass the gatekeeper and communicate directly with the application, the smart contract. They can communicate directly with the database, the blockchain. Web3 being much more open means that anyone can communicate with your application and database without anything standing in its way like a web server.  

The implication is that while you don’t have to worry so much about your application code before, now you do. Everyone can see the contract code. Everyone can attack that contract. There is no longer any filtering and little to no recourse should an attack be successful. 

The challenge then will be making sure that there are no vulnerabilities in the contract prior to deploying it, which is a difficult thing to do. 

With the first use cases for Web3 being finance-related, a lot of money is at stake so they have the incentive to make sure that they do that. They have a big incentive to make sure that indeed their contracts are vulnerability free.

How can we prepare for or prevent these new cybersecurity threats when there isn't any precedent set?

GP: First, we have to recommit ourselves to best practices. Threat modelling and code review were often skipped during the Web2 era. Sometimes, they would even skip post-deployment testing. All of that is part of a Secure Software Development Life Cycle (SSDLC). Many organisations considered that optional in the Web2 era. The SSDLC is now a must in the Web3 era. You are not going to get by without it.

Second, you must be very careful when you choose your deployment model. I am referring to both the architecture of your contract and the blockchain that you choose to deploy it onto. 

If you are talking about dealing with the unknown, you need options. Your deployment model is going to determine what your options are in the event of an attack. The more options you have, the better you are going to be able to deal with what may be, for the most part, something you are not expecting or have ever seen before. 

The options should include contracts with the ability to pause and be disabled permanently, better known as a kill switch. Your contract should also be upgradeable so that faulty code can be swapped out for fixed code. Some private blockchains may even have a roll-back feature. Essentially, all the nodes agree to forget. Public blockchains can accomplish the same with a hard fork, [a radical change to the network’s protocol that makes previously valid blocks and transactions invalid or vice-versa], but only if the governance model allows it. 

All of these give you options for dealing with unexpected or unknown threats. There are more.
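A minimal illustration of the pause and kill-switch options Pickett describes, written here as an added Solidity example (not code from Pickett, Hellfire Security or Bitkub); the contract name, functions and events are constructed for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: a vault whose sensitive operations can be paused
// during an incident and, if necessary, disabled permanently (kill switch).
contract PausableVault {
    address public immutable owner;
    bool public paused;
    bool public killed;                       // one-way flag; never unset
    mapping(address => uint256) public balances;

    event Paused(address by);
    event Unpaused(address by);
    event Killed(address by);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier whenNotPaused() {
        require(!paused && !killed, "contract paused or disabled");
        _;
    }

    constructor() { owner = msg.sender; }

    // Normal operation: only possible while the contract is live.
    function deposit() external payable whenNotPaused {
        balances[msg.sender] += msg.value;
    }

    // Deliberately NOT gated by whenNotPaused: users must always be able
    // to exit, even while the operator is investigating an incident.
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;       // update state before the call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function pause() external onlyOwner { paused = true; emit Paused(msg.sender); }

    function unpause() external onlyOwner {
        require(!killed, "permanently disabled");
        paused = false;
        emit Unpaused(msg.sender);
    }

    // Kill switch: after this, deposits are impossible forever; withdrawals still work.
    function kill() external onlyOwner { killed = true; paused = true; emit Killed(msg.sender); }
}
```

Upgradeability, the third option Pickett mentions, is not shown here; it normally needs a separate proxy pattern and its own access controls.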

Are there any risks unique to Asia?

GP: Asia, specifically Southeast Asia, is more heavily invested in Web3 than other parts of the world, so there is more exposure here right now. Many of the solutions that are being developed are being deployed to private blockchains though. Contrary to what some might think, private blockchains don’t reduce the overall risk. They change the risk profile; there are different risks to worry about.  

The primary reason that the risk profile changes is the shift toward centralisation in a private blockchain. An example can be found in a private blockchain that has a Membership Service Provider (MSP). The MSP determines the permissions of all blockchain participants. If that MSP is compromised by an attacker, the attacker now controls the blockchain. 

There is also a significantly higher regulatory risk in Southeast Asia. Blockchains, which are the foundations of Web3, are designed to be self-governing. However, overly regulating these blockchains is going to severely restrict their ability to adapt to changing conditions. It is going to severely limit their ability to provide the benefits that they were deployed to provide in the first place. That risk is not necessarily cybersecurity-related, but it is a risk nonetheless.

What’s your top advice for founders or content creators in Web3?

GP: On hearing the many security benefits of Web3, it is common for both Web3 founders and content creators to assume that they don’t have to worry about security at all or as much as before. That is not true. Anything can become insecure if it is used insecurely. 

That 256-bit encryption can be easily overcome if you are keeping the seed to your private key in your wallet. That, I think, is quite obvious, but not everything is as obvious. If you are building a Web3 solution, find a good cybersecurity partner. You concentrate on the business model and let them handle the security.
