142 reads
Building Enterprise-Grade Security Solutions For Web3
by Jack BorehamJanuary 20th, 2023
Too Long; Didn't Read
This Slogging thread by Jack Boreham, Rick, goldenwarrior, John Mercouris, Terry Jones, Valentine Enedah, Dan Tennery-Spalding, Jason Green, Marco Sullivan, Limarc Ambalina, Mónica Freitas, Sara Pinto and Andrew Ciaccia occurred in slogging's official #amas channel, and has been edited for readability.People Mentioned
In this AMA we hosted the team at Interlock. Interlock is a company that provides quality security solutions for web3 users. In the biggest AMA we've ever done, Interlock dives into how to protect your web3 assets.
Hi, @channel, please join me in welcoming the team from Interlock.... Rick, Andrew Ciaccia John Mercouris
Backed by some of the biggest names in web3, Interlock are pioneers in web3 security, empowering defi users through security.
You can ask the team anything about:
1.The top security problems for crypto and web3 users?
2. Social engineering and how it relates to crypto and web3 users?
3. DeFi users (degens) are some of the prime targets. What are some of the ways in which they’re particularly vulnerable?
4.What are some rules of thumb for how they can protect themselves?
5.What are some other security problems for crypto and web3 users that you wouldn’t expect to hear about or are new to web3-native audiences?
7.What technologies can be used to help prevent this or minimize the effect of these social engineering practices?
8.How can you distinguish between a genuine threat and an innocent visual flaw or unconventional design?
Could an AI make these distinctions?
9.The possibilities that are uniquely enabled by web3 in terms of crowdsourcing intelligence?
10.The advantages and disadvantages of using blockchain technology to fight threats?
11. What’s the reason behind launching enterprise-grade security as a browser extension?
12. What’s it like to use ThreatSlayer? Can users expect a similar experience to using other security extensions?
13. How are ThreatSlayer users making the internet safer with Grey-area staking?
14. Why is blockchain technology critical for ThreatSlayer and the overall project?
🔥 5
:saluting_face: 3
Hi Rick and Andrew Ciaccia; great to have you with us today. Can you first start by explaining what interlock is!
Rick
Thanks for having us Jack Boreham - of course, happy to share what Interlock is 🙂
goldenwarrior
How do you protect web3 users from scams and attacks?
John Mercouris
we identify malicious websites
Rick
Interlock is a blockchain based cybersecurity company that is building community-driven security products that crowdsource threat intelligence and promote collaboration between consumers and enterprises to make the web safer.
John Mercouris
and then we warn the users that those sites are malicious
Rick
We protect Web3 users from scams and attacks via our products - currently, our browser extension, ThreatSlayer and our Discord bot Bouncer. ThreatSlayer blocks attacks you come across in your browser by detecting whether the site you're visiting is malicious, including metadata it detects as well. Bouncer blocks malicious links in Discord the same way but for the entire community it's deployed to.
John Mercouris
we use a number of dimensions that assess whether a site is trying to impersonate another site to steal your credentials
John Mercouris
this is commonly known as "phishing"
Interesting, so what would you say are the top security problems for defi folks, and how can they protect themselves on a day to day basis
Rick
The biggest problems people face are really still around phishing and social engineering. Getting the person to click a link that is urging them to sign a smart contract, or enter their password, or passphrase, immediately!
Rick
Or download a file, as well.
Terry Jones
What is social engineering and how does this relate? Rick John Mercouris
Hello,Rick, Andrew Ciaccia John Mercouris
We are so glad to have you here!
Thank you Jack Boreham for outlining these amazing questions.
Rick Does AI play a huge role in Cybersecurity?
If yes, how does it play an important role?
❤ 1
Rick
Those sort of attacks are best thwarted by using security products like ours -- but if you need to take it into your own hands, you can just be sure to pay attention to every URL and every message you see. NEVER click without thinking and confirming
John Mercouris
Social engineering is the idea of manipulating individuals on the basis of common social behaviors to bypass a security system. For example, you might think of the simplest type of social engineering as pleading to someone: "come on, it's not a big deal, just give me the password". However, typically, social engineering is used to mean manipulation/deception!
John Mercouris
Social engineering is tangentially related in that a individual carrying out a social engineering attack may use Phishing as one of their weapons. You can imagine a scenario in which a fake website is used to convince somebody of something to further your attack into a security system.
Dan Tennery-Spalding
I’d add that there are three main components to any social engineering attack: authority, urgency, and a call to action
Dan Tennery-Spalding
so it’s not just “give me your password,” but “I’m an administrator and you need to give me your password now for a system reset”
John Mercouris
I know this all sounds very vague, so let me sum it up: I can use a phishing website as part of a social engineering attack. So our product may help defend against some social engineering attacks that employ phishing sites as part of their strategy.
goldenwarrior
John Mercouris what kind of tech goes into threatslayer?
John Mercouris
I cannot speak to specific details as it is like the Google page rank algorithm, we don't want to give ammunition to our adversaries, however I can provide a architectural level overview.
John Mercouris
What we do is we look at a website, and we have a bunch of information we collect about that website. That information is then vectorized and fed into a machine learning classifier. That classifier will then provide us with an estimated probability that a website is malicious.
Rick
AI has a role in all new technology but in cybersecurity the huge part is plays is to help detect things before they're known. Using AI, Interlock determines the safety of a site even if its never been visited before.
Rick
More broadly, other cybersecurity tools and processes use AI to accomplish similar things
Jason Green
Is web3 easier than web2 to hack
John Mercouris
No
John Mercouris
Simply put, the ease of a hack is a function of the target
Rick
I'd say no but the assets are closer to exfiltration
John Mercouris
since the targets are all individuals, the level is the same
Jason Green
Couldn't your technology be applied in the web2 space as well?
Jason Green
If so
John Mercouris
Yes, it absolutely can, a good point
Rick
yep it absolutely applies to Web2, and everyone in Web2 benefits from our tech in the same way
Rick
Sorry to overlap 🙂
John Mercouris
Sorry that I type faster
John Mercouris
#sorrynotsorry
:rolling_on_the_floor_laughing: 2
John Mercouris
#rekt
John Mercouris
to just add a little bit more, Web3 could use more protection than Web2 right now. There is already a lot of support for this kind of protection in Web2, but not much in Web3. We are filling that gap!
Dan Tennery-Spalding
and as per Rick before, it’s easier to exfiltrate someone’s assets in web3 aka rip them off
John Mercouris
s/exfiltrate/pwn
Dan Tennery-Spalding
well, not exactly
to add to that point are there any competitors doing similar in the web2 space?
Dan Tennery-Spalding
in web2, if someone gets access to my online bank account, I have other ways to protect my assets, legally and administratively
Dan Tennery-Spalding
in web3, I’m screwed
John Mercouris
Absolutely right Dan!
🙏 1
John Mercouris
Jack Boreham indeed, however, we think our technology is the bestest 😉
John Mercouris
our technology protects against so called "0-day" phishing attacks
John Mercouris
we can detect novel phishing sites whereas most services rely on reports/lists submitted by people manually
Rick
Jack Boreham Guardio creates a web2 browser extension but lacks Web3 rewards and web3 threat protection
Rick With regards to AI, Interlock determines the safety of a site even if it has never been visited before.
How does it do that?
John Mercouris
Valentine Enedah we use JIT (just in time) analysis, when a user wishes to know about a site that we haven't yet classified,we'll check it out just then!
❤ 1
hahaha, are you teaming up with anyone in the space to drive industry standards? I guess since web3 is so new it gives you the opportunity to 'pave the way' as some might say.
John Mercouris
our algorithm is super fast, so it only takes miliseconds
John Mercouris
We are certainly teaming up with people, I'll let our slow typing CEO respond to that
😂 1
Rick
Jack Boreham currently we're in talks with a handful of partners and we'd love to dip into industry standards with them. ATM we're busy building 🙂
John Mercouris
Come on, hit us with the hard questions, we're ready!
:boxing_glove: 1
😂 1
John Mercouris Recently the The Hermit spyware was discovered.
How does Interlock plan to protect users or fight this spyware?
John Mercouris
Indeed, that is a tough one
John Mercouris
Well, the first step is don't visit dangerous sites! so we should not be exposed to compromised things
John Mercouris
that said, we are not targetting android/ios - YET!
💚 1
John Mercouris
stay tuned 🙂
Rick
In the past, we've avoided IOS/android due to browser limitations, but we're coming up with clever methods of applying our tech
💚 1
John Mercouris
as you know, "The Hermit" depended on users visiting unique /dangerous links, if we could warn people on mobile phones, then this kind of attack could be prevented!
💚 1
Terry Jones
Why would you say block chain tech is critical for your applications?
Rick
good question! we want to make sure users are involved in the process of improving security and the best way to do that is to incentivize them - so in the immediate term, blockchain provides us a way to grow and reward our community.
Rick
Longer-term, blockchain lets us decentralize and make security transparent - something which historically has never been transparent and ALWAYS owned by the security provider.
Rick
It's a much bigger piece of #desec as we grow - decentralized security
Marco Sullivan
John Mercouris What is the use of DNS Monitoring?
John Mercouris
Marco Sullivan can you please rephrase your question? what do you mean?
John Mercouris
Are you asking how DNS monitoring can be used?
Marco Sullivan
John Mercouris Yes, exactly!
goldenwarrior
What does your roadmap look like?
John Mercouris
DNS monitoring is very useful for identifying changes in DNS records, age of domains etc
John Mercouris
Why do you want to know that? because usually people change the DNS to do something "phishy"!
😅 1
John Mercouris
they want to impersonate another site, they register a new domain name, etc, they do it quickly, and they have a narrow window to work before they are reported!
John Mercouris
does that answer your question?
👍 1
Marco Sullivan
John Mercouris I see what you did there!😂
How do you differentiate between Symmetric and Asymmetric Encryption?
John Mercouris
Ah, yes, very simply. Symmetric encryption sucks, and asymmetric encryption is good 😄
John Mercouris
On a more serious note, I prefer asymmetric encryption, personally
John Mercouris
why do I prefer it? because I can send you encrypted messages and you can send me encrypted messages, and it is clear from whom they are coming from
John Mercouris
if we are using some symmetric encryption it wouldn't exactly be clear who encrypted what
John Mercouris
of course a "man in the middle" type attack is totally possible with asymmetric encryption, but that is another discussion!
Rick Can you explain a Brute Force Attack Along With the Steps To Prevent It?
John Mercouris
Marco Sullivan does that make sense? it's a sort of practical answer, not really explaining the differences between them, but how I differentiate their usage
Marco Sullivan
John Mercouris Yes,I actually understand this perspective.
How about ARP poisoning?
Can you explain it with an example?
Dan Tennery-Spalding
Marco Sullivan from what I know about ARP poisoning, it’s more common to local network attacks, which is not our focus
👍 1
Rick
our roadmap for the next 12+ months looks like the following:
- Get ThreatSlayer to as many users as possible to keep them safe
- Get Bouncer to as many users as possible, for the same reason!
- Release our security API, Autocrat
- Prepare for our token launch and testnet launch with audits
- Launch our token
- Close fundraising round(s)
- Launch our data platform
Rick
not in that order!
Rick What are the possibilities that are uniquely enabled by web3 in terms of crowdsourcing intelligence?
Rick
Valentine Enedah great q - the biggest is that we can reward people for creating security data for us. That data is valuable to us and to enterprises, so it should also have value for our users who help create it. Our token helps us reward, and blockchain tech helps us grow the community and decentralize the way data is made and accessed.
💚 1
Dan Tennery-Spalding
I think of web3 enabling us to create a security ecosystem that everyone in the system benefits from
Dan Tennery-Spalding
in web2, only big companies got the benefits — web3 let’s us share the wealth with all the people who help create it
John Mercouris
Marco Sullivan I could explain ARP poisoning, but that is currently beyond our scope XD
💚 1
John Mercouris
There are a million and one ways the network itself could be compromised. Unfortunately, from the host machine, I don't see how we could see how the network is compromised. I'm sure there is some research on this topic, but I don't know it yet! I am happy to be informed though!
💚 1
Marco Sullivan
Dan Tennery-Spalding Thank you for the amazing responses.
I think this question might be generic.
What are the current challenges, Cybersecurity faces in the Web3 space?
Rick
Marco Sullivan The big challenge is the lack of a way to keep up with how new threats are created, to be clear, thats a problem in web2 as well. But now, in web3, it has a deeper impact because users are being targeted for their assets at an alarming rate.
💚 1
John Mercouris What are the several indicators of compromise(IOC) that organizations should monitor?
John Mercouris
Valentine Enedah I think they should be looking at the origin of network traffic first and foremost. It's typically extraterritorial IPs that are conducting cyber attacks. Secondly, they should train a model against their typical network activity, then when the model detects a abnormal/improbable condition it should warn them of this.
💚 1
Marco Sullivan
Rick This makes a lot of sense.
I need more clarity on how Blockchain technology is critical for Threatslayer and the overall project?
John Mercouris
I did some research on the training of finite automata with guards to represent the nominal activity of a system and to warn against this, if you are truly interested I can go quite into depth 😄
John Mercouris Amazing. I would be glad to know more about your research.
Rick
Marco Sullivan specifically, blockchain enables our ability to distribute rewards to our users in an efficient, fair, economical manner. In the future, its tech will allow people to host their own Interlock nodes
Rick And what will be the function of these interlock nodes?
John Mercouris
Valentine Enedah I shall provide a short little summary here: what we do is we install a whole bunch of sensors on a system. The sensors are collecting data about this system. We sum all of these sensor values into a vector of N dimensions (where N is the amount of points we collect). We look at the way the vectors change over time. We model this change into something called a finite state machine. If we observe a change/pattern in the vectors we've not observed before, we can conclude the system is NOT operating nominally! I hope that helps. Trying to summarize years of research is sometimes challenging 😄
Marco Sullivan
Dan Tennery-Spalding Although,I found some information on the internet that says SSL are more secure that Https. But why do most websites still use Https?
Rick
Valentine Enedah they will host their own versions of our detection that John Mercouris has made! And a copy of our data, allowing people to have their own users of Interlock, and helping us decentralize our detection. They will get rewarded for running a node
John Mercouris
Marco Sullivan I think there may be some slight confusion, these topics are a bit orthogonal 🙂
💚 1
John Mercouris
HTTPS is the most commonly secure way to access a website
🔥 1
John Mercouris
so, if the site has HTTPS, you are A-OK! 🙂
🔥 1
John Mercouris Wow, amazing work! Thank you for throwing more light on that.
John Mercouris
Thank you Valentine Enedah
John Mercouris
here's what I want to know: can you guys tell me about some experiences you've had with hacking, phishing? cool stuff?
John Mercouris
something you are curious about? perhaps we can discuss it and see how we could help protect against it!
Rick That makes so much sense!
Great perspective.
Where do you see Interlock in the next five years?
John Mercouris
on a private yacht in the bahamas
🔥 1
John Mercouris
no doubt
Rick
Valentine Enedah id like to see it become the defacto for security in web3, creating an entire stack of security products and tools that users, researchers, and companies will use in the web3 sphere. all focused on transparency and efficacy
💚 1
Rick
i get seasick, no boats.
😂 1
John Mercouris
on a private blimp in the bahamas
John Mercouris
no doubt
John Mercouris
fun fact, most of the interlock team actually live on a blimp
:rolling_on_the_floor_laughing: 2
John Mercouris I don't have so much experience with hacking but my facebook account was hacked years ago and I was just curious to know how they got access to the account considering the fact that I didn't use it very often.
John Mercouris
Valentine Enedah most attacks are multi pronged, they don't use a single vector, they use a piece which get's them another piece and so on and so forth
💚 1
John Mercouris
that makes it really hard to trace a exploit to a single point of failure
John Mercouris
potentially it could be something as simple as an old security question that you used somewhere being exposed
John Mercouris
that's the challenge with security, the attack surface can be infinitely large!
💚 1
Rick Nice!
What do you think would make Interlock standout from other cybersecurity companies?
John Mercouris
well, firstly, we all live on a blimp
John Mercouris
secondly, we detect NOVEL attacks, things that haven't been seen before!
John Mercouris
thirdly, we are transparent
John Mercouris
our client code is open source, inspectable, verifiable!
💚 1
Rick
yeah what john said. and then on top of that, we make products that bridge the problems of web2 to web3, without leaving either or behind Valentine Enedah
💚 1
Rick
We already ARE standout 🙂
John Mercouris
you heard it here first, the CEO just confirmed we live on a blimp
😂 1
John Mercouris Rick Interlock!🔥
Rick should consider getting an island and naming it "Interlock-Land"
A place you are protected physically and virtually.
John Mercouris
That's a great idea Valentine Enedah,we look forward to welcoming you on our island
🔥 1
John Mercouris
we'll have barbecues and play beach volleyball until the sun sets, it'll be great
🔥 1
John Mercouris
Valentine Enedah Nice GH profile, very creative!
John Mercouris Thank you so much!
How do you promote cyber security in your local community?
John Mercouris
I go door to door
John Mercouris
I knock on people's doors and ask them if they have updated their OS and drivers
😂 2
John Mercouris
no, I'm just kidding
John Mercouris
the answer is, I have no idea how I would engage with my local community about this topic, I typically engage with people on the Internet about it instead
John Mercouris
if you have any suggestions on how we can raise awareness and keep people safe, I am all ears!
John Mercouris I totally understand. Do you share your perspectives on Hackernoon?
Dan Tennery-Spalding
Valentine Enedah how would you suggest we do that? you got a link we should go to?
John Mercouris Dan Tennery-Spalding
Well, a very fast way is by joining communities and speaking to them about Cybersecurity.
HackerNoon has a huge community and we are so glad to have you here!
PS: You can also write on HackerNoon. I guess you know that already.😂
🔥 1
🙏 1
Thanks for being here Rick John Mercouris Andrew Ciaccia and team!
My question is: Do you think that the push for better crypto security and the real changes will only come from government regulation and intervention or do you think it will come from the market?
Rick
Limarc Ambalina thanks! I think it will come from both - but if you look at Web2, most regulation hasnt fixed security. HIPAA and SOC, PCI, etc., never solve security. They just made a new checkbox list and often times opened more vulnerabilities.
Hi Rick Andrew Ciaccia and John Mercouris! Nice to meet you! What the best piece advice have you ever been given that has made a difference in your career? And what have you learn from your experience that you think it's important for new comers to web3 space to know?
Hey everyone! Nice no meet you all. What does the future hold for Interlock? Do you have any projects in mind you'd like to further explore? Rick, Andrew Ciaccia and John Mercouris
Andrew Ciaccia
Sara Pinto Hey Sara! A few cool web3 projects to checkout: Aleph Zero, an up and coming layer 1 that we’re launching our product and token on.
Webacy, doing cool things for web3 security
Ahoy Connect: a community marketing tool, very cool product, and I’m actually headed to NYC now to have lunch with the founder!
Rick
Mónica Freitas Best advice I've gotten was never take yourself too seriously.
As far as important for newcomers, is simply to stay vigilant and try not to ape into new trends without first confirming what you're interacting with is legitimate
Thank you Andrew Ciaccia Rick John Mercouris for answering all our questions in this exciting ama. Any final thoughts you guys want to add to wrap up?
Rick
Thank you for your time!
❤ 1
L O A D I N G
. . . comments & more!
. . . comments & more!
About Author
TOPICS
THIS ARTICLE WAS FEATURED IN...
RELATED STORIES
10 Cutest Pink Pokémon of All Time #pokemon
Jun 18, 2021
104 Stories To Learn About Slack #slack
Nov 26, 2023
10 Games from 2022 to Check Out in 2023 #slogging
Jan 04, 2023
10 Best Slack Apps for Remote Work In 2021 #slack
Feb 12, 2021
