Re: BlockChain Security - Page 2

Adesoji · ‎05-22-2018

Does anyone have any information or some sort of nugget on BlockChain Security?

Or some BlockChain Security Hygiene.

Adesoji · ‎06-02-2018

Please Chuxing, keep the information coming.

I am enjoying it

rslade · ‎08-16-2018

@Adesoji wrote:
So, the earlier security professionals discovers and understand the weaknesses of blockchain the better in order for us to help protect it

And we'd better do it fast. Blockchain is becoming the "biometric" of our day: the magic cure-all that fixes everything we don't understand ...

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468

Caute_cautim · ‎08-16-2018

Blockchain lacks enterprise security frameworks and associated controls: Rather like the chain of trust, including that of Public Key Infrastructure (PKI) you need to look under the hood and simply ask the questions:

https://securityintelligence.com/why-you-should-do-your-homework-before-investing-in-enterprise-bloc...

Regards

Caute_cautim

Early_Adopter · ‎08-17-2018

To quote Hal Finney:

"Bitcoin seems to be a very promising idea. I like the idea of basing security on the assumption that the CPU power of honest participants outweighs that of the attacker. It is a very modern notion that exploits the power of the long tail.”

There was a lot of game theory going into blockchain(assuming you don't live in sociopath central), and while the philosophy is sound we do have to look at the weakest link.

If you think about it form a classical engineering standpoint joints between materials of different hardness and toughness can be problematic, applying it to new technologies - sixty odd years ago DeHaviland Comets were popping like balloons because(simplifying) - square corners on windows.

https://aerospaceengineeringblog.com/dehavilland-comet-crash/

Blockchain itself isn't the problem, it's how it's used, developed and tested. you assume that your HSM keeps the private key all nice and secure, but then a new attack comes along and maybe you need this:

https://arxiv.org/pdf/1710.01430.pdf

But then what of this:

https://www.bbc.com/news/technology-45194333

Baechle · ‎08-17-2018

@Adesoji wrote:
Does anyone have any information or some sort of nugget on BlockChain Security?
Or some BlockChain Security Hygiene.

Are you talking about implementing a Private, Public, or Hybrid BlockChain?

If it's private, then really you're talking about all the standard protective measures applied to your most critical systems along with proper crypto key management.

If it's public then what we are talking about is trusting a public consensus. There is an assumption in the public blockchain implementations that the participants doing the "mining" or keeping the ledger are all altruistic. However it's theoretically possible to attack the blockchain by overwhelming it with unaffiliated zombies (any group, such as a mining club, that can perform 51% of the transactions causes the chain to fail).

Hybrid Public/Private systems introduce vulnerabilities into the whole system from the vectors present in the respective parts.

Sincerely,

Eric B.

rslade · ‎08-17-2018

The real issue is that, however it started out, blockchain has now become kind of a marketing term: it means whatever the vendor selling it to you thinks it means. (Which is not necessarily what you need it to mean.)

At base, it is an amalgamation of two ideas. Digital signing of transactions, and a distributed database of those transactions and signatures.

Beyond that, we have implementation details. And those, as always, are where the problems arise.

Are you really serious about the signatures? Are you doing confidentiality, or just the authentication? How serious is your signature algorithm? What about key management? Have you got all the bits you need for a full PKI? Are you using a heirarchical model or web of trust?

And these are only the beginning of the questions. On the signature side.

How are you going to distribute the transaction ledger? Is it going to be full everywhere? Is it going to be full anywhere? How can it be accessed and checked? Will a complete examination of the register identify an individual even if a single transaction doesn't?

So, ultimately, the answer to your question is "no." There isn't any nugget. There isn't any cheat sheet. The hygiene depends upon what you build or buy.

And that's why BLOCKCHAIN IS NOT THE ANSWER.

(Blockchain isn't even the question. Even if the answer is "no.")

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468

Caute_cautim · ‎08-19-2018

And one of those is the actual partners themselves.

h_s_shekhawat · ‎08-19-2018

Hi Chuxing,

Nice article, thanks for sharing.

I am not able to find the part 2 of this series, appreciate if you can share the link for that too.

Thanks,

Hemant Shekhawat

rslade · ‎08-21-2018

Cheat sheet on blockchain.

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468

CraginS · ‎08-21-2018

Blockchain Can Save the World!
(Oh, Wait, wasn't that Cloud Last Year?)

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts