Building Enterprise-Grade Security Solutions For Web3

In this AMA we hosted the team at Interlock. Interlock is a company that provides quality security solutions for web3 users. In the biggest AMA we've ever done, Interlock dives into how to protect your  web3 assets.

Hi, @channel, please join me in welcoming the team from Interlock.... Rick, Andrew Ciaccia John Mercouris

Backed by some of the biggest names in web3, Interlock are pioneers in web3 security, empowering defi users through security.

You can ask the team anything about:

1.The top security problems for crypto and web3 users?
2. Social engineering and how it relates to crypto and web3 users?

3. DeFi users (degens) are some of the prime targets. What are some of the ways in which they’re particularly vulnerable?

4.What are some rules of thumb for how they can protect themselves?

5.What are some other security problems for crypto and web3 users that you wouldn’t expect to hear about or are new to web3-native audiences?

7.What technologies can be used to help prevent this or minimize the effect of these social engineering practices?

8.How can you distinguish between a genuine threat and an innocent visual flaw or unconventional design?
Could an AI make these distinctions?

9.The possibilities that are uniquely enabled by web3 in terms of crowdsourcing intelligence?

10.The advantages and disadvantages of using blockchain technology to fight threats?

11. What’s the reason behind launching enterprise-grade security as a browser extension?

12. What’s it like to use ThreatSlayer? Can users expect a similar experience to using other security extensions?

13. How are ThreatSlayer users making the internet safer with Grey-area staking?

14. Why is blockchain technology critical for ThreatSlayer and the overall project?

Hi Rick and Andrew Ciaccia; great to have you with us today. Can you first start by explaining what interlock is!

Thanks for having us Jack Boreham - of course, happy to share what Interlock is 🙂

How do you protect web3 users from scams and attacks?

we identify malicious websites

Interlock is a blockchain based cybersecurity company that is building community-driven security products that crowdsource threat intelligence and promote collaboration between consumers and enterprises to make the web safer.

and then we warn the users that those sites are malicious

We protect Web3 users from scams and attacks via our products - currently, our browser extension, ThreatSlayer and our Discord bot Bouncer. ThreatSlayer blocks attacks you come across in your browser by detecting whether the site you're visiting is malicious, including metadata it detects as well. Bouncer blocks malicious links in Discord the same way but for the entire community it's deployed to.

we use a number of dimensions that assess whether a site is trying to impersonate another site to steal your credentials

this is commonly known as "phishing"

Interesting, so what would you say are the top security problems for defi folks, and how can they protect themselves on a day to day basis

The biggest problems people face are really still around phishing and social engineering. Getting the person to click a link that is urging them to sign a smart contract, or enter their password, or passphrase, immediately!

Or download a file, as well.

What is social engineering and how does this relate? Rick John Mercouris

Hello,Rick, Andrew Ciaccia John Mercouris
We are so glad to have you here!
Thank you Jack Boreham for outlining these amazing questions.

Rick Does AI play a huge role in Cybersecurity?
If yes, how does it play an important role?

Those sort of attacks are best thwarted by using security products like ours -- but if you need to take it into your own hands, you can just be sure to pay attention to every URL and every message you see. NEVER click without thinking and confirming

Social engineering is the idea of manipulating individuals on the basis of common social behaviors to bypass a security system. For example, you might think of the simplest type of social engineering as pleading to someone: "come on, it's not a big deal, just give me the password". However, typically, social engineering is used to mean manipulation/deception!

Social engineering is tangentially related in that a individual carrying out a social engineering attack may use Phishing as one of their weapons. You can imagine a scenario in which a fake website is used to convince somebody of something to further your attack into a security system.

I’d add that there are three main components to any social engineering attack: authority, urgency, and a call to action

so it’s not just “give me your password,” but “I’m an administrator and you need to give me your password now for a system reset”

I know this all sounds very vague, so let me sum it up: I can use a phishing website as part of a social engineering attack. So our product may help defend against some social engineering attacks that employ phishing sites as part of their strategy.

John Mercouris what kind of tech goes into threatslayer?

I cannot speak to specific details as it is like the Google page rank algorithm, we don't want to give ammunition to our adversaries, however I can provide a architectural level overview.

What we do is we look at a website, and we have a bunch of information we collect about that website. That information is then vectorized and fed into a machine learning classifier. That classifier will then provide us with an estimated probability that a website is malicious.

AI has a role in all new technology but in cybersecurity the huge part is plays is to help detect things before they're known. Using AI, Interlock determines the safety of a site even if its never been visited before.

More broadly, other cybersecurity tools and processes use AI to accomplish similar things

Is web3 easier than web2 to hack

No

Simply put, the ease of a hack is a function of the target

I'd say no but the assets are closer to exfiltration

since the targets are all individuals, the level is the same

Couldn't your technology be applied in the web2 space as well?

If so

Yes, it absolutely can, a good point

yep it absolutely applies to Web2, and everyone in Web2 benefits from our tech in the same way

Sorry to overlap 🙂

Sorry that I type faster

#sorrynotsorry

#rekt

to just add a little bit more, Web3 could use more protection than Web2 right now. There is already a lot of support for this kind of protection in Web2, but not much in Web3. We are filling that gap!

and as per Rick before, it’s easier to exfiltrate someone’s assets in web3 aka rip them off

s/exfiltrate/pwn

well, not exactly

to add to that point are there any competitors doing similar in the web2 space?

in web2, if someone gets access to my online bank account, I have other ways to protect my assets, legally and administratively

in web3, I’m screwed

Absolutely right Dan!

Jack Boreham indeed, however, we think our technology is the bestest 😉

our technology protects against so called "0-day" phishing attacks

we can detect novel phishing sites whereas most services rely on reports/lists submitted by people manually

Jack Boreham Guardio creates a web2 browser extension but lacks Web3 rewards and web3 threat protection

Rick With regards to AI, Interlock determines the safety of a site even if it has never been visited before.
How does it do that?

Valentine Enedah we use JIT (just in time) analysis, when a user wishes to know about a site that we haven't yet classified,we'll check it out just then!

hahaha, are you teaming up with anyone in the space to drive industry standards? I guess since web3 is so new it gives you the opportunity to 'pave the way' as some might say.

our algorithm is super fast, so it only takes miliseconds

We are certainly teaming up with people, I'll let our slow typing CEO respond to that

Jack Boreham currently we're in talks with a handful of partners and we'd love to dip into industry standards with them. ATM we're busy building 🙂

Come on, hit us with the hard questions, we're ready!

John Mercouris Recently the The Hermit spyware was discovered.
How does Interlock plan to protect users or fight this spyware?

Indeed, that is a tough one

Well, the first step is don't visit dangerous sites! so we should not be exposed to compromised things

that said, we are not targetting android/ios - YET!

stay tuned 🙂

In the past, we've avoided IOS/android due to browser limitations, but we're coming up with clever methods of applying our tech

as you know, "The Hermit" depended on users visiting unique /dangerous links, if we could warn people on mobile phones, then this kind of attack could be prevented!

Why would you say block chain tech is critical for your applications?

good question! we want to make sure users are involved in the process of improving security and the best way to do that is to incentivize them - so in the immediate term, blockchain provides us a way to grow and reward our community.

Longer-term, blockchain lets us decentralize and make security transparent - something which historically has never been transparent and ALWAYS owned by the security provider.

It's a much bigger piece of #desec as we grow - decentralized security

John Mercouris What is the use of DNS Monitoring?

Marco Sullivan can you please rephrase your question? what do you mean?

Are you asking how DNS monitoring can be used?

John Mercouris Yes, exactly!

What does your roadmap look like?

DNS monitoring is very useful for identifying changes in DNS records, age of domains etc

Why do you want to know that? because usually people change the DNS to do something "phishy"!

they want to impersonate another site, they register a new domain name, etc, they do it quickly, and they have a narrow window to work before they are reported!

does that answer your question?

John Mercouris I see what you did there!😂
How do you differentiate between Symmetric and Asymmetric Encryption?

Ah, yes, very simply. Symmetric encryption sucks, and asymmetric encryption is good 😄

On a more serious note, I prefer asymmetric encryption, personally

why do I prefer it? because I can send you encrypted messages and you can send me encrypted messages, and it is clear from whom they are coming from

if we are using some symmetric encryption it wouldn't exactly be clear who encrypted what

of course a "man in the middle" type attack is totally possible with asymmetric encryption, but that is another discussion!

Rick Can you explain a Brute Force Attack Along With the Steps To Prevent It?

Marco Sullivan does that make sense? it's a sort of practical answer, not really explaining the differences between them, but how I differentiate their usage

John Mercouris Yes,I actually understand this perspective.
How about ARP poisoning?
Can you explain it with an example?

Marco Sullivan from what I know about ARP poisoning, it’s more common to local network attacks, which is not our focus

our roadmap for the next 12+ months looks like the following:

not in that order!

Rick What are the possibilities that are uniquely enabled by web3 in terms of crowdsourcing intelligence?

Valentine Enedah great q - the biggest is that we can reward people for creating security data for us. That data is valuable to us and to enterprises, so it should also have value for our users who help create it. Our token helps us reward, and blockchain tech helps us grow the community and decentralize the way data is made and accessed.

I think of web3 enabling us to create a security ecosystem that everyone in the system benefits from

in web2, only big companies got the benefits — web3 let’s us share the wealth with all the people who help create it

Marco Sullivan I could explain ARP poisoning, but that is currently beyond our scope XD

There are a million and one ways the network itself could be compromised. Unfortunately, from the host machine, I don't see how we could see how the network is compromised. I'm sure there is some research on this topic, but I don't know it yet! I am happy to be informed though!

Dan Tennery-Spalding Thank you for the amazing responses.
I think this question might be generic.
What are the current challenges, Cybersecurity faces in the Web3 space?

Marco Sullivan The big challenge is the lack of a way to keep up with how new threats are created, to be clear, thats a problem in web2 as well. But now, in web3, it has a deeper impact because users are being targeted for their assets at an alarming rate.

John Mercouris What are the several indicators of compromise(IOC) that organizations should monitor?

Valentine Enedah I think they should be looking at the origin of network traffic first and foremost. It's typically extraterritorial IPs that are conducting cyber attacks. Secondly, they should train a model against their typical network activity, then when the model detects a abnormal/improbable condition it should warn them of this.

Rick This makes a lot of sense.
I need more clarity on how Blockchain technology is critical for Threatslayer and the overall project?

I did some research on the training of finite automata with guards to represent the nominal activity of a system and to warn against this, if you are truly interested I can go quite into depth 😄

John Mercouris Amazing. I would be glad to know more about your research.

Marco Sullivan specifically, blockchain enables our ability to distribute rewards to our users in an efficient, fair, economical manner. In the future, its tech will allow people to host their own Interlock nodes

Rick And what will be the function of these interlock nodes?

Valentine Enedah I shall provide a short little summary here: what we do is we install a whole bunch of sensors on a system. The sensors are collecting data about this system. We sum all of these sensor values into a vector of N dimensions (where N is the amount of points we collect). We look at the way the vectors change over time. We model this change into something called a finite state machine. If we observe a change/pattern in the vectors we've not observed before, we can conclude the system is NOT operating nominally! I hope that helps. Trying to summarize years of research is sometimes challenging 😄

Dan Tennery-Spalding Although,I found some information on the internet that says SSL are more secure that Https. But why do most websites still use Https?

Valentine Enedah they will host their own versions of our detection that John Mercouris has made! And a copy of our data, allowing people to have their own users of Interlock, and helping us decentralize our detection. They will get rewarded for running a node

Marco Sullivan I think there may be some slight confusion, these topics are a bit orthogonal 🙂

HTTPS is the most commonly secure way to access a website

so, if the site has HTTPS, you are A-OK! 🙂

John Mercouris Wow, amazing work! Thank you for throwing more light on that.

Thank you Valentine Enedah

here's what I want to know: can you guys tell me about some experiences you've had with hacking, phishing? cool stuff?

something you are curious about? perhaps we can discuss it and see how we could help protect against it!

Rick That makes so much sense!
Great perspective.
Where do you see Interlock in the next five years?

on a private yacht in the bahamas

no doubt

Valentine Enedah id like to see it become the defacto for security in web3, creating an entire stack of security products and tools that users, researchers, and companies will use in the web3 sphere. all focused on transparency and efficacy

i get seasick, no boats.

on a private blimp in the bahamas

no doubt

fun fact, most of the interlock team actually live on a blimp

John Mercouris I don't have so much experience with hacking but my facebook account was hacked years ago and I was just curious to know how they got access to the account considering the fact that I didn't use it very often.

Valentine Enedah most attacks are multi pronged, they don't use a single vector, they use a piece which get's them another piece and so on and so forth

that makes it really hard to trace a exploit to a single point of failure

potentially it could be something as simple as an old security question that you used somewhere being exposed

that's the challenge with security, the attack surface can be infinitely large!

Rick Nice!
What do you think would make Interlock standout from other cybersecurity companies?

well, firstly, we all live on a blimp

secondly, we detect NOVEL attacks, things that haven't been seen before!

thirdly, we are transparent

our client code is open source, inspectable, verifiable!

yeah what john said. and then on top of that, we make products that bridge the problems of web2 to web3, without leaving either or behind Valentine Enedah

We already ARE standout 🙂

you heard it here first, the CEO just confirmed we live on a blimp

John Mercouris Rick Interlock!🔥
Rick should consider getting an island and naming it "Interlock-Land"
A place you are protected physically and virtually.

That's a great idea Valentine Enedah,we look forward to welcoming you on our island

we'll have barbecues and play beach volleyball until the sun sets, it'll be great

Valentine Enedah Nice GH profile, very creative!

John Mercouris Thank you so much!
How do you promote cyber security in your local community?

I go door to door

I knock on people's doors and ask them if they have updated their OS and drivers

no, I'm just kidding

the answer is, I have no idea how I would engage with my local community about this topic, I typically engage with people on the Internet about it instead

if you have any suggestions on how we can raise awareness and keep people safe, I am all ears!

John Mercouris I totally understand. Do you share your perspectives on Hackernoon?

Valentine Enedah how would you suggest we do that? you got a link we should go to?

John Mercouris Dan Tennery-Spalding
Well, a very fast way is by joining communities and speaking to them about Cybersecurity.
HackerNoon has a huge community and we are so glad to have you here!
PS: You can also write on HackerNoon. I guess you know that already.😂

Thanks for being here Rick John Mercouris Andrew Ciaccia and team!

My question is: Do you think that the push for better crypto security and the real changes will only come from government regulation and intervention or do you think it will come from the market?

Limarc Ambalina thanks! I think it will come from both - but if you look at Web2, most regulation hasnt fixed security. HIPAA and SOC, PCI, etc., never solve security. They just made a new checkbox list and often times opened more vulnerabilities.

Hi Rick Andrew Ciaccia and John Mercouris! Nice to meet you! What the best piece advice have you ever been given that has made a difference in your career? And what have you learn from your experience that you think it's important for new comers to web3 space to know?

Hey everyone! Nice no meet you all. What does the future hold for Interlock? Do you have any projects in mind you'd like to further explore? Rick, Andrew Ciaccia and John Mercouris

Sara Pinto Hey Sara! A few cool web3 projects to checkout: Aleph Zero, an up and coming layer 1 that we’re launching our product and token on.

Webacy, doing cool things for web3 security

Ahoy Connect: a community marketing tool, very cool product, and I’m actually headed to NYC now to have lunch with the founder!

Mónica Freitas Best advice I've gotten was never take yourself too seriously.

As far as important for newcomers, is simply to stay vigilant and try not to ape into new trends without first confirming what you're interacting with is legitimate

Thank you Andrew Ciaccia Rick John Mercouris for answering all our questions in this exciting ama. Any final thoughts you guys want to add to wrap up?

Thank you for your time!