Dustin Plantholt joined panelists on stage who work in the cybersecurity field, “who have helped keep viruses at bay from destroying everything.”
In this conversation during SiGMA / AGS Dubai, panelists Dr. Jason Gamage, CISO of Goldilock; Robert Grant, president and founder of Crown Sterling; and Simas Simanauskas, director of partnerships at ConnectPay, joined our moderator Dustin Plantholt, founder and CEO of Crypterns, to discuss cybersecurity and hackers. Why have the systems of some of the world’s largest companies been breached?
Grant opened the discussion by saying that this may be multifactorial. He believes one of the reasons is that it has become something the world is now used to: we see it every day, another story of another major gap, and there are many aspects to it. The aspect he tends to focus on is cryptography and encryption. He goes on to explain that even if they breach systems, you should consider getting a great system that doesn’t rely on block ciphering, because in that case, once it is decrypted, all the files are lost.
Grant explains that we need a new type of cryptographic protocol that is not tied to all these files. A visible example to pay attention to is the Equifax data breach, where 400 million people’s records were lost. The moderator, Dustin Plantholt, then jumps to another important question being discussed: whether data is important. He goes on to ask: If they have nothing to hide or have nothing of value, should they worry about it?
Simas Simanauskas, director of partnerships at ConnectPay, believes this is paramount, as data security is as critical to financial institutions as a reputational aspect, which simply cannot be compromised.
It’s a matter of compliance: losing data security is the same as losing compliance, so it’s very important and very critical. That’s why at ConnectPay, according to Simanauskas, they take it very seriously. ConnectPay is ISO 27001 certified and has many processes in place, such as PCI DSS certification as well.
Financial institutions and the FinTech sector are among the most targeted sectors in the world. He goes on to explain that this is a real fight: hackers only have to succeed once, while you have to succeed one hundred percent of the time.
Detailed explanation of the term Blockchain
Plantholt asks Robert Grant to elaborate on the term Blockchain.
Grant goes on to say that it’s curious because if you talk to most people in the outside world and ask them what blockchain is, they think it has encryption. If you do a survey and ask consumers, they may know the word decentralization, but they don’t really know what it means.
Here, people know that it’s a distributed ledger and there’s a whole governance process around it, which is unique and different. There are many other aspects of having a historical record that you can’t change, such as the fact that it’s immutable.
These are all fundamental aspects of how exciting the blockchain industry is. When you get to the consumer side, people still don’t understand it.
I think that’s one of the things we have to overcome. On this security issue, as an entire industry, we’ve gotten used to believing in all the standards bodies that are already out there, but the problem is that the standards bodies can’t keep up with the pace of innovation of that hacker who only has to succeed once.
Consider NIST (the National Institute of Standards and Technology), which has spent the last five years working to solve the quantum computer problem. In the meantime, there have been many new developments.
IBM, later this year and in the first part of next year, is going to release a 1000+ qubit quantum computer, with which we will be able to crack at least 99% of the current cryptographic profiling protocols that are already available on the blockchain and through banking systems.
Before he had this role, Robert was the president of a very large organization, and what he saw there were constant threats all around him. Why does he think he is now in a position to make that change, Dustin asks.
“My historical perspective is this. I was a CEO of large corporations. I was CEO of Bausch + Lomb Surgical, the pharmaceutical eye care company. I was also president of Allergan Medical, and I’ve launched major products like Botox and Juvederm, which then became household names.
“So that’s my kind of marketing promotion. I’ve always been very interested in and always liked mathematics. When I discovered a prime number pattern in 2018 and published it, it made me start to delve into the question of quantum computing, as well as geometric solutions, and I was quite interested to see that just this last week there was an article that came out in Ars Technica about how a geometric approach was used to crack encryptions in nature, which was kind of satisfying because it’s one of the things I’ve been saying for the last few years.
It’s something I’m passionate about.”
Can the Blockchain be hacked?
Simas goes on to say that while he is not a technical expert in blockchain technology, he believes that everything can be hacked, so it is a constant struggle between those who build things and those who destroy them.
Dr. Jason Gamage, Goldilock’s CISO, then joins the conversation. Gamage has been in the security field for 32 years. He goes on to explain that encryption can be broken. Vulnerabilities can creep into the code or be found in the code and cause a breach.
Typical mistakes are made, and the approach of training people who code to do so securely is new. Gamage has spent most of his career with application security teams, developing a security expert within each team so he can be the hero.
“I’ve tried to change the paradigm of how we look at set security. We have sensitive information, similar to blockchain – do we really need to keep it online all the time, does it really need to be on the Internet?” he asks.
The second question is: does it need to be on the Internet all the time? If the answer is no, why put it in the cloud? What people do is focus on access control and being able to encrypt it and put it there. These things can be breached. They can be circumvented. SolarWinds is a great example of how a nation-state can circumvent port control, which allows you to get into air gaps. These air gaps are typically found where there is a manual disconnect from the Internet.
This is something that was and still is used in many industrial control systems, but not typically with sensitive information. Today everything is based on access control and that means bad control. Having bad control means it can be circumvented as in SolarWinds.
One of the ideas put forward by Gamage’s company is to create a solution that disconnects information from the Internet and has a different way of connecting it.
Putting the Blockchain into perspective, Gamage explains that if you have a wallet you probably want to be able to store your fragments in a couple of different places so you can protect them. One of those places should be something like Goldilock.
Being the CISO of Goldilock, he explains that they have a solution where you can put one of the fragments somewhere that can be disconnected from the internet completely, making you the only person able to go back in and unlock it, since you have to make a phone call or send an SMS to activate it.
To access your wallet you need to make that other out-of-band communication, which is not connected to the internet in any way, otherwise it would stay disconnected.
This is an idea that cannot be hacked by quantum computing. It cannot be breached because it is not connected to the internet, because when you finish using it, you disconnect it.
Going back to Plantholt’s question about whether blockchain can be breached, Robert Grant, who did quite a bit of research on the topic, explains that the state transition function has encryption and has two aspects of that encryption. Even people who work in blockchain, don’t always fully understand how encryption works.
The two aspects of encryption in cybersecurity
The two aspects of encryption are the symmetric key and the asymmetric key. Symmetric key can also be referred to as AES or SHA-256 advanced encryption standard and uses a block cipher that is truncated to 256 bits.
On the other hand, there are asymmetric keys that use public key cryptography to send information to another party. This asymmetric key is where the real quantum risk lies, since it is not trivial for a standard computer, or even a supercomputer, to factor a very large number.
If a quantum computer or an attacker intercepts the public key and is able to very quickly find the two factors, or the exponentiation of the elliptic curve, then they could crack it and redirect the funds to themselves.
Quantum computers are supposed to be able to crack ciphers in polynomial time, which is many times faster than exponential time. In an article on this topic, Grant goes on to say that yes, you can intercept messages or get into a wallet that is not quantum encrypted with standard public key cryptography.
This is a public key address that is very simple to use, he explains. It is not resistant to a quantum attack. Gamage said this is quite expensive, but one of the reasons you want to put encryption in is because of the return on investment for the typical hacker. If the investment is too high, the ROI will be too high.
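To make the symmetric/asymmetric distinction concrete, here is an added example written for this page; it is not code from the panel, from Crown Sterling or from Goldilock. The symmetric side uses a SHA-256 counter-mode keystream as a stand-in for AES (an assumption, since the Python standard library has no block cipher), and the asymmetric side is textbook RSA with a deliberately tiny modulus; the prime pair, exponent, key, nonce and sample message are all constructed. It shows where the quantum risk Grant describes actually sits: a symmetric key never leaves the two parties, so the only attack is a search over the key space, which Grover's algorithm merely halves in bits, whereas an RSA public key is just (n, e), and whoever can factor n derives the private key directly, which is the step Shor's algorithm would make polynomial time for a real-sized n.

```python
import hashlib
import math

# ---- Symmetric side: one shared secret key -------------------------------
# Assumption: SHA-256 in counter mode stands in for a block-cipher keystream
# (the standard library has no AES); the shape of the argument is unchanged.

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from a secret key and a per-message nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sym_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; the same call decrypts."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


sym_decrypt = sym_encrypt  # XOR is its own inverse


def effective_key_bits(key_bits: int, quantum: bool) -> int:
    """Work an attacker faces against exhaustive key search, in bits.

    Classically about 2**key_bits trials; Grover's algorithm cuts that to
    about 2**(key_bits // 2), so a 256-bit key still leaves 128 bits of work.
    """
    return key_bits // 2 if quantum else key_bits


# ---- Asymmetric side: toy RSA ----------------------------------------------

def rsa_keygen(p: int, q: int, e: int = 65537):
    """Build an RSA key pair from two primes. Returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public, m: int) -> int:
    n, e = public
    return pow(m, e, n)


def rsa_decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)


def factor(n: int):
    """Trial division: instant for the toy modulus, hopeless for a 2048-bit one.
    Replacing this step with something polynomial time is exactly what Shor's
    algorithm on a large quantum computer would do."""
    for cand in range(2, math.isqrt(n) + 1):
        if n % cand == 0:
            return cand, n // cand
    raise ValueError("no factor found")


def private_key_from_public(public):
    """Given only (n, e): factoring n yields phi(n) and therefore d.
    This is why the quantum risk sits on the asymmetric side."""
    n, e = public
    p, q = factor(n)
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    # Constructed sample values: textbook-sized primes so the run is instant.
    pub, priv = rsa_keygen(61, 53, e=17)
    c = rsa_encrypt(pub, 65)
    print("RSA public", pub, "-> cipher", c, "-> decrypted", rsa_decrypt(priv, c))
    print("private key derived from the public key alone:", private_key_from_public(pub))
    key, nonce = b"\x00" * 32, b"n0"  # constructed, not a real key
    ct = sym_encrypt(key, nonce, b"wallet fragment")
    print("symmetric round trip:", sym_decrypt(key, nonce, ct))
    print("AES-256 effective bits against quantum search:", effective_key_bits(256, True))
```

Run it as a script to see both sides: the RSA private key falls out of the public key after a trial-division factoring that takes microseconds on a 12-bit modulus, while the symmetric key is never exposed at all and its only attack surface is the size of the key space.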
To close the discussion, Gamage said that the future is the future, but tomorrow is also the future. We need to start preparing for the immediate future instead of waiting for the long-term future to catch up with us. Security is the key.
Join us for SiGMA Americas – Toronto:
Toronto is the perfect hub for SiGMA’s growth in North America, making it a nexus of networking and business development in the region with regards to land-based, iGaming, sports betting, and more. Playing host to a massive iGaming industry, Toronto will be the home for the SiGMA Group’s initiative to link the industry pioneers of the continent together for 3 days of networking, workshops, and awards. To learn more about sponsorship and speaking opportunities or to inquire about attending the event, please contact Sophie on [email protected]