Author: Cointelegraph, by Lior Lamesh

CBDCs require governments to put a special focus on security

Today’s financial world is becoming increasingly digitized, and naturally, central banks want to adapt to the changing environment. The use of cash is rapidly declining. Globally, the rise of digital payment apps and COVID-19 have only accelerated the decline in cash usage, fueling interest in digital currencies and demand for easier payment solutions.

As crypto adoption continues to expand, the idea of central bank digital currencies (CBDCs) has also gained momentum. Governments across the world have been flirting with, and examining, the idea of issuing their own CBDCs, with a handful already launching. It isn’t clear when CBDCs will become normalized. Don’t expect CBDCs to resemble Bitcoin’s (BTC) decentralized characteristics because, by definition, a central bank is a centralized entity. That being said, they can provide some of the same benefits, such as reducing payment verification times and providing proof of transaction. There are, however, still quite a few challenges to overcome.

Related: Built to fall? As the CBDC sun rises, stablecoins may catch a shadow

Among these challenges are the operational risks of the “cyber sphere.” While banks are accustomed to investing resources in safeguarding their “fiat” reserves, safeguarding digital currencies requires a different mindset. Blockchain technology has some inherent vulnerabilities — including anonymity and irreversibility — that can be exploited by clever scammers, although it is not yet clear whether CBDCs will use blockchain technology at all. Could CBDCs potentially expose central banks to new types of cyber threats? And how would these potential threats or vulnerabilities manifest themselves?

Cybersecurity isn’t easy

Hackers have become increasingly sophisticated and brazen in their attacks over the last few years. Both traditional finance and blockchain protocols find themselves victims of malicious intent. In fact, Denmark’s central bank was hacked as part of the SolarWinds operation in late 2020.

This should sound alarm bells for governments everywhere. Imagine a group of dedicated hackers finds and penetrates a backdoor that gives them control of the central bank’s private key. Private keys are the most important elements of a blockchain system, as any transaction signed with the private key is accepted by the system as valid. At this point, the bulk — or a significant chunk — of the country’s treasury could effectively be held hostage by a criminal organization. The hacker could mint or burn digital currency at will.

An influx or reduction in a digital currency could affect the value of the genuine currency, have an impact on consumers through inflation, and lead to monetary losses for companies. A breach of this extent could be catastrophic and potentially lead to the devastation of the nation’s entire economy. Of course, an attack of this scale would be far too advanced for even some of the most talented criminal masterminds, but the threat cannot be dismissed. Such an attack would be unprecedented, so predicting the aftermath is anyone’s guess. But it wouldn’t be pretty: The world’s economic and political order and stability would, undoubtedly, be tested.

Clearly, any government would spend top dollar on cyber defenses to protect its newly established digital infrastructure. But simply investing an abundance of resources isn’t a guarantee against hacks. Naturally, any central bank launching a digital currency would be an attractive target. So how can a country that is determined to launch its own CBDC protect its treasury from criminals trying to steal it?

Securing the national treasury

Disincentivizing malicious cyber attackers is no easy task — they are always on the lookout for new and rewarding targets while exploiting the slightest vulnerabilities. Crypto hackers are adept at identifying attack surfaces, exploiting them, injecting malicious code, and taking control of individuals’ and organizations’ private keys.

Banks invest millions, if not billions, each year to defend their databases and IT infrastructure. Various security layers are employed to protect against hackers, inside jobs or unintentional leakage of sensitive information. While banks are familiar with information security, safeguarding digital assets requires a vastly different approach than traditional assets. If they decide to leverage blockchain, central banks must consider how existing banking frameworks can be adapted to blockchain’s distributed architecture, with extra attention paid to the system architecture, governance and consensus mechanisms. When it comes to safeguarding a nation’s treasury, there is no such thing as “too secure.”

In the case of CBDCs, banks must take great measures to protect and defend their private keys. Today’s custody solutions have come a long way, and yet, almost all of them suffer from the same deficit. Due to the anatomy of a blockchain transaction, all transactions must be conducted while connected to the internet at some point.

Related: US central bank digital currency commenters divided on benefits, unified in confusion

This connectivity is their single point of failure and the reason they cannot be 100% secure. It is suggested that governments find a “never internet-connected” solution to store and manage the private keys while issuing the CBDCs, providing custody and conducting on-chain settlements.

Most central banks are rightfully taking their time and conducting all the necessary due diligence to weigh the risks and rewards of CBDCs properly. Some may actually decide to push off their involvement, especially given the crypto market’s volatility. But any nation implementing a CBDC in the near future must make sure it’s ready to defend its digital assets and, most importantly, its private keys. When it comes to blockchain, central banks should completely rethink everything they know about IT security needs. Only then can they launch their digital currencies with enough peace of mind.

Lior Lamesh is the co-founder and CEO of GK8, a blockchain cybersecurity company that offers a custodial solution for financial institutions. Having honed his skills in Israel’s elite cyber team reporting directly to the prime minister’s office, Lior led the company from its inception to a successful acquisition for $115 million in November 2021. In 2022, Forbes put Lior and his business partner Shahar Shamai on its 30 Under 30 List.


Is there a secure future for cross-chain bridges?

The plane touches down and comes to a halt. Heading to passport control, one of the passengers stops at a vending machine to buy a bottle of soda — but the device is absolutely indifferent to all of their credit cards, cash, coins and everything else. All of that is part of a foreign economy as far as the machine is concerned, and as such, they can’t buy even a droplet of Coke.

In the real world, the machine would have been quite happy with a Mastercard or a Visa. And the cash exchange desk at the airport would have been just as happy to come to the rescue (with a hefty markup, of course). In the blockchain world, though, the above scenario hits the spot with some commentators, as long as we swap traveling abroad for moving assets from one chain to another.

While blockchains as decentralized ledgers are pretty good at tracking transfers of value, each layer-1 network is an entity in itself, unaware of any non-intrinsic events. Since such chains are, by extension, separate entities vis-à-vis one another, they aren’t inherently interoperable. This means you cannot use your Bitcoin (BTC) to access a decentralized finance (DeFi) protocol from the Ethereum ecosystem unless the two blockchains can communicate.

Powering this communication is a so-called bridge — a protocol enabling users to transfer their tokens from one network to another. Bridges can be centralized — i.e., operated by a single entity, like the Binance Bridge — or built to varying degrees of decentralization. Either way, their core task is to enable the user to move their assets between different chains, which means more utility and, thus, value.

As handy as the concept sounds, it is not the most popular one with many in the community right now. On one hand, Vitalik Buterin recently voiced skepticism about the concept, warning that cross-chain bridges can enable cross-chain 51% attacks. On the other hand, spoofing-based cyberattacks on cross-chain bridges exploiting vulnerabilities in their smart contract code, as was the case with Wormhole and Qubit, prompted critics to ponder whether cross-chain bridges can be anything other than a security liability in purely technological terms. So, is it time to give up on the idea of an internet of blockchains held together by bridges? Not necessarily.

Related: Crypto, like railways, is among the world’s top innovations of the millennium

When contracts get too smart

While details depend on the specific project, a cross-chain bridge linking two chains with smart contract support normally functions like this. A user sends their tokens (let’s call them Catcoins; felines are cool, too) on Chain 1 to the bridge’s wallet or smart contract there. This smart contract has to pass the data to the bridge’s smart contract on Chain 2, but since it’s incapable of reaching out to it directly, a third-party entity — either a centralized or a (to a certain extent) decentralized intermediary — has to carry the message across. Chain 2’s contract then mints synthetic tokens to the user-provided wallet. There we go — the user now has their wrapped Catcoins on Chain 2. It’s a lot like swapping fiat for chips at a casino.

To get their Catcoins back on Chain 1, the user would first have to send the synthetic tokens to the bridge’s contract or wallet on Chain 2. Then, a similar process plays out, as the intermediary pings the bridge’s contract on Chain 1 to release the appropriate amount of Catcoins to a given target wallet. On Chain 2, depending on the bridge’s exact design and business model, the synthetic tokens that a user turns in are either burned or held in custody.

Bear in mind that each step of the process is actually broken down into a linear sequence of smaller actions; even the initial transfer is made in steps. The network must first check if the user indeed has enough Catcoins, subtract them from their wallet, then add the appropriate amount to that of the smart contract. These steps make up the overall logic that handles the value being moved between chains.

In the case of both the Wormhole and Qubit bridges, the attackers were able to exploit flaws in the smart contract logic to feed the bridges spoofed data. The idea was to get the synthetic tokens on Chain 2 without actually depositing anything onto the bridge on Chain 1. And truthfully, both hacks come down to what happens in most attacks on DeFi services: exploiting or manipulating the logic powering a specific process for financial gain. A cross-chain bridge links two layer-1 networks, but things play out in a similar way between layer-2 protocols, too.

As an example, when you stake a non-native token into a yield farm, the process involves an interaction between two smart contracts — the ones powering the token and the farm. If any underlying sequences have a logical flaw a hacker can exploit, the criminal will do so, and that’s exactly how GrimFinance lost some $30 million in December. So, if we are ready to bid farewell to cross-chain bridges due to several flawed implementations, we might as well silo smart contracts, bringing crypto back to its own stone age.

Related: DeFi attacks are on the rise — Will the industry be able to stem the tide?

A steep learning curve to master

There is a bigger point to be made here: Don’t blame a concept for a flawed implementation. Hackers always follow the money, and the more people use cross-chain bridges, the bigger their incentive to attack such protocols. The same logic applies to anything that holds value and is connected to the internet. Banks get hacked, too, and yet, we’re in no rush to shutter all of them because they are a crucial piece of the larger economy.
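The lock-and-mint and burn-and-release round trip described above, as an added simulation that is not part of the original article or of any real bridge: a Python model of both chains in which the receiving contract accepts a mint or release only for a message attested by the intermediary and not processed before, so a spoofed deposit claim and a replayed one are both refused. The relayer key, user names and balances are constructed, and HMAC-SHA256 stands in for the relayer’s signature.

```python
# Added simulation of the Catcoin bridge flow (not the article's or any real bridge's code).
# HMAC-SHA256 stands in for the relayer's signature; key, names and balances are constructed.
import hashlib
import hmac
import json

RELAYER_KEY = b"constructed-relayer-key"   # stand-in for the relayer's signing key


def sign(msg: dict) -> str:
    """Relayer attestation over canonical message bytes (stand-in for a signature)."""
    return hmac.new(RELAYER_KEY, json.dumps(msg, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


def verify(msg: dict, sig: str, kind: str, used_ids: set) -> None:
    """Checks both sides must make: attested, of the expected kind, and not replayed."""
    if not hmac.compare_digest(sign(msg), sig) or msg.get("kind") != kind:
        raise PermissionError("message not attested by relayer")
    if msg["id"] in used_ids:
        raise PermissionError("message already processed")
    used_ids.add(msg["id"])


class Chain1:
    """Home chain: real Catcoins, with the bridge contract acting as custodian."""
    def __init__(self, balances):
        self.balances, self.locked, self.nonce, self.used_ids = dict(balances), 0, 0, set()

    def deposit(self, user, amount):
        # The "smaller actions": check funds, debit the user, credit the bridge, emit event.
        if self.balances.get(user, 0) < amount:
            raise ValueError("insufficient Catcoins")
        self.balances[user] -= amount
        self.locked += amount
        self.nonce += 1
        return {"kind": "deposit", "id": self.nonce, "user": user, "amount": amount}

    def release(self, msg, sig):
        verify(msg, sig, "burn", self.used_ids)
        if msg["amount"] > self.locked:
            raise PermissionError("release exceeds locked reserve")
        self.locked -= msg["amount"]
        self.balances[msg["user"]] = self.balances.get(msg["user"], 0) + msg["amount"]


class Chain2:
    """Destination chain: wrapped Catcoins exist only against attested deposits."""
    def __init__(self):
        self.balances, self.nonce, self.used_ids = {}, 0, set()

    def mint(self, msg, sig):
        verify(msg, sig, "deposit", self.used_ids)
        self.balances[msg["user"]] = self.balances.get(msg["user"], 0) + msg["amount"]

    def burn(self, user, amount):
        if self.balances.get(user, 0) < amount:
            raise ValueError("insufficient wrapped Catcoins")
        self.balances[user] -= amount
        self.nonce += 1
        return {"kind": "burn", "id": self.nonce, "user": user, "amount": amount}


def run_demo():
    """Round trip for alice, plus two bogus mint attempts the contract must refuse."""
    c1, c2 = Chain1({"alice": 100}), Chain2()
    ev = c1.deposit("alice", 40)
    c2.mint(ev, sign(ev))                      # honest relayer carries the event across
    rejected = []
    forged = {"kind": "deposit", "id": 99, "user": "mallory", "amount": 1000}
    for msg, sig in [(forged, "00" * 32), (ev, sign(ev))]:   # spoofed, then replayed
        try:
            c2.mint(msg, sig)
        except PermissionError as exc:
            rejected.append(str(exc))
    burn = c2.burn("alice", 40)
    c1.release(burn, sign(burn))
    return c1.balances["alice"], c2.balances["alice"], c1.locked, rejected
```

A real bridge verifies a validator or guardian signature set rather than a shared secret, but the same three questions apply: is the message attested, is it the kind this contract expects, and has it been seen before.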
In the decentralized space, cross-chain bridges have a major role, too, so it would make sense to hold back our fury. Blockchain is still a relatively new technology, and the community around it, as vast and bright as it is, is only figuring out the best security practices. This is even more true for cross-chain bridges, which work to connect protocols with different underlying rules. Right now, they are a nascent solution opening the door to moving value and data across networks that make up something bigger than the sum of its components. There is a learning curve, and it’s worth mastering.

While Buterin’s argument, for its part, goes beyond implementation, it’s still not without caveats. Yes, a malicious actor in control of 51% of a small blockchain’s hash rate or staked tokens could try to steal Ether (ETH) locked on the bridge on the other end. The attack’s volume would hardly go beyond the blockchain’s market capitalization, as that’s the maximum hypothetical limit on how much the attacker can deposit into the bridge. Smaller chains have smaller market caps, so the resulting damage to Ethereum would be minimal, and the return on investment for the attacker would be questionable.

While most of today’s cross-chain bridges are not without their flaws, it is too early to dismiss their underlying concept. Besides regular tokens, such bridges can also move other assets, from nonfungible tokens to zero-knowledge identification proofs, making them immensely valuable for the entire blockchain ecosystem. A technology that adds value to every project by bringing it to more audiences should not be seen in purely zero-sum terms, and its promise of connectivity is worth taking risks for.

This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision.

The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Lior Lamesh is the co-founder and CEO of GK8, a blockchain cybersecurity company that offers a custodial solution for financial institutions. Having honed his cyber skills in Israel’s elite cyber team reporting directly to the Prime Minister’s Office, Lior led the company from its inception to a successful acquisition for $115 million in November 2021. In 2022, Forbes put Lior and his business partner Shahar Shamai on its 30 Under 30 list.


Want to weed out ransomware? Regulate crypto exchanges

Just between July 2020 and June 2021, ransomware activity soared by a whopping 1,070%, according to a recent Fortinet report, with other researchers confirming the proliferation of this mode of extortion. Mimicking the prevalent business model of the legitimate tech world, ransomware-as-a-service portals popped up in the darker corners of the web, institutionalizing the shadow industry and slashing the skill ceiling for wannabe criminals.

The trend should be ringing a warning bell through the crypto ecosystem, particularly since ransomware attackers do have a knack for payments in crypto. That said, the industry that was once a Wild Wild West is now assuming a more orderly setting. Slowly but surely infiltrating the mainstream, it is now at the point where some of the largest centralized exchanges (CEXs) are hiring top-notch financial crime investigators to oversee their efforts against money laundering.

The problem is that not all exchanges are made equal. A centralized exchange works in many of the same ways a traditional business entity does, but this is not to say that all of them are now lining up to get their Anti-Money Laundering (AML) right. Things get even trickier with decentralized exchanges (DEXs), which, let’s face it, are not as decentralized as the name implies, but like to claim otherwise. In most cases, DEXs have little, if anything, in terms of Know Your Customer (KYC) measures, helping users hop between coins and blockchains at their leisure while leaving few traces. While some of them may utilize various analysis services to do background checks on wallets, hackers can try making their way around those by using mixers and other tools.

Related: DAOs are meant to be completely autonomous and decentralized, but are they?

As far as ransomware cash flows go, both DEXs and CEXs are very much on the radar — but criminals use them for different purposes. Criminals use DEXs, along with mixing services, to launder the ransom paid by victims, moving it from address to address and from currency to currency, according to a recent report by the U.S. Financial Crimes Enforcement Network. CEXs, for their part, mostly work as the exit point for criminals, allowing them to cash out coins into fiat.

Related: Crypto in the crosshairs: US regulators eye the cryptocurrency sector

Having stolen money moved through your network is not a good look for anybody, and sometimes, it comes with consequences. Just this September, the U.S. Treasury slapped sanctions on OTC broker Suex for effectively working to facilitate ransomware money laundering. The exchange was nested on Binance, though the company said it had de-platformed Suex long before the Treasury’s designation based on its own “internal safeguards.”

The development should be a wake-up call for both CEXs and DEXs everywhere, as it applies the domino effect of U.S. sanctions to the crypto ecosystem. A sanctioned entity may be sitting comfortably in its home jurisdiction, but in the current interconnected world, U.S. sanctions further hamper any operations involving foreign clients it may wish to undertake. It does not have to involve only Binance — it could include any legitimate business with a U.S. presence and interests, and the same goes for hosting providers, payment processors or anyone enabling the day-to-day business operations of the target company. Hypothetically, sanctions could even indirectly affect decentralized entities in a myriad of ways. Decentralized projects still normally have core dev teams associated with them, which invokes the prospect of individual responsibility. In the future, and with enough regulatory rigor, they could one day even see their incoming and outbound traffic throttled or outright blocked by ISPs unless users utilize extra obfuscation tools like VPNs.

Related: From NFTs to CBDCs, crypto must tackle compliance before regulators do

Attrition war on ransomware

The Suex OTC incident and its far-reaching implications point toward what could be a larger strategy for smothering ransomware groups. We know they are dependent on multiple nodes inside the crypto ecosystem, but DEXs and CEXs hold special value in their eyes by enabling them to hide their tracks and put hard cash in their pockets. And that’s the end goal, in most cases.

It is naive to expect every player in this field to be equally diligent with their internal safeguards. Enforcing standards for KYC and AML across exchanges will, at the very least, make it harder for criminals to move crypto around and cash out. Such measures would amp up their losses, making the entire operation less profitable and, thus, less lucrative. In the long run, ideally, it could deny them vital areas of the vast infrastructure they use to haul the money around, making the cookie jar effectively inaccessible. And why pursue money you can’t put in your pocket?

With advances in machine learning and digital identification, DEXs can be as apt at KYC as their centralized kin, using AI to process the same documents that banks would for their KYC efforts. It’s a procedure that can be automated, giving their legitimate customers more peace of mind and, potentially, drawing in more cash flows thanks to their regulated status. The crypto community could tread even further by implementing extra checks on transactions involving exchanges and services known to have a heavy proportion of illicit activity. Even though measures like blacklisting wallets are unlikely to gain much popularity (although blacklists are not unheard of in the crypto space — as an example, NFT platforms recently froze trading for stolen NFTs), even their limited adoption can make a difference, bringing more legitimate traffic to exchanges that go the extra mile.

Related: Major crypto exchanges eye Asian market amid growing regulatory clarity

In military terms, this is like waging a war of attrition against ransomware groups — wearing the enemy down as opposed to causing direct immediate damage. A sophisticated ransomware attack requires a hefty investment of time and money. This is true both for teams developing a tailored solution aimed at a specific high-profile target and for operators of a ransomware-as-a-service platform. Being unable to cash in on the ransom means most of that time, effort and investment just went into the trash bin.

Critics may argue that such measures wouldn’t work, simply because the hackers can always move to another financial mechanism for claiming their cash, such as gift cards. To an extent, this is true; where there’s a will, there’s a way. But consider this: Colonial Pipeline had to pay a ransom of $5 million in crypto to suspected Russian hackers. How easy would it have been for the attackers to cash in the same amount in Walmart gift cards? Would the risk-reward ratio still justify the attack? I doubt it. It makes sense to invest millions to steal billions, but moving these billions in anything but crypto without setting off a bunch of red flags is a whole different story.

Related: Are cryptocurrency ransom payments tax-deductible?

There is a better counter-argument here: Ransom is not always the motivation. A state-backed group striking as part of a larger adversarial campaign would appreciate the extra cash, but it’s just as interested in keeping its handlers happy. This is the pinch of salt that goes well with the pro-regulation argument, and yet, even denying ransom to financially motivated hackers would already make a dent or two in the proliferation of ransomware.

All in all, ransomware is a complex problem, hard to solve with a single silver-bullet decision. It will require a more nuanced approach, and most likely, more international cooperation on the matter. There is nevertheless a strong case for making exchange regulation a major part of such efforts in a bid to deny attackers the ability to reap the fruits of their attacks — and thus go after the financial core of their operations.

This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision.

The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Lior Lamesh is the co-founder and CEO of GK8, a cybersecurity company that offers a self-managed end-to-end custodial platform with true cold vault and hot MPC capabilities for banks and financial institutions. Having honed his cyber skills in Israel’s elite cyber team reporting directly to the Prime Minister’s office, Lior oversees the development of GK8’s on-premises hardware and software.
