Towards Web 3, but first: What is it?

I am sorry, but I am confused.

I am reading and hearing about “Web 3”, but I am not sure I understand what it is all about. It is quite possible that I have missed some information.

So, to what I understand:

  1. Web 1 seems to correspond to the first incarnation of the “WWW”, from the first years to the first e-commerce platforms (up to approx. 2004)
  2. Web 2 seems to correspond to what we currently know as the “WWW”, based on dynamic pages and services, or the “Web as a platform”, where most services are centralised (e.g. Cloud) and/or users are also producers of content (social media etc.)
  3. Web 3 is not here yet, but should be arriving soon and should be a “decentralised online ecosystem based on blockchain” (see Wikipedia); it should also incorporate some features envisioned by Tim Berners-Lee in his 1999 proposal of a “Semantic Web” (or Web 3.0, just to add to the confusion), which should be a web of data that can be processed by machines (that is, making Internet data machine-readable).

And 2021 should have been the year of the real beginning of Web 3, with cryptocurrencies, NFTs and a general adoption of decentralised blockchain services. But opinions on this diverge widely: from extremely optimistic to “marketing buzzword”.

I’ve tried to think about it and, from the little I understand, I see at least two points of view: that of individuals and that of companies. For personal use of the WWW I do not think that much will change: there will still be services to use online, apps to install (and update, but no pain please) and companies that will deliver all that (at a price or with other business models). From the company point of view, the only thing that comes to my mind is a parallel with the IT outsourcing / insourcing cycle: technologies and business models change, and approaches follow.

Still it is not really clear to me what Web 3 actually is or should be.

Managing Security “in the Clouds”

The number of Cloud security management platform solution categories (according to Gartner) continues to grow. As far as I know, this is the current list:

  1. Cloud Access Security Broker (CASB)
  2. Cloud Workload Protection Platform (CWPP)
  3. Cloud Security Posture Management (CSPM)
  4. Cloud Infrastructure Entitlement Management (CIEM)
  5. Cloud-Native Application Protection Platform (CNAPP)

(For details on what they are, look for example here.) And the list is growing… This means, on one side, that the market for Cloud security management solutions is growing rapidly, and on the other that Cloud security is really an issue and that we have not yet found a good way to manage it.

Fixing Cryptography is not Always Easy

The latest version of the Zloader banking malware is (also) exploiting a Microsoft Authenticode signature verification bug (CVE-2013-3900) for which a fix has existed since 2013 (see for example here for more details). In this case the security issue is not due to users failing to install mandatory security patches, but to the fact that the fix is optional and has to be enabled manually: the stricter check ships with Windows but is off by default, and is switched on only by setting the EnableCertPaddingCheck registry value under HKLM\Software\Microsoft\Cryptography\Wintrust\Config (and under the corresponding Wow6432Node path on 64-bit Windows).

The problem is that the stricter signature verification implemented by the Microsoft Authenticode patch that fixes this bug carries a high risk of false positives: for example, some legitimately signed installers that store extra, unsigned data in the signature block are then reported as having an invalid signature. So Microsoft decided to let users decide whether the patch would create more problems than it solves.

The Zloader malware uses this “bug” to run modified (and therefore unsigned) libraries: the vulnerability is precisely that bytes appended to the Authenticode signature block of a signed file are not covered by the signature, yet the default verification still reports the file as validly signed. But this requires that the malware is already on the system, so applying this patch does not prevent a system from being infected by this malware in the first place; it only removes one of the tricks the malware uses once it is there.

The issue that this event points out, once again, is how difficult it is to balance strict security, in particular when cryptography is involved, with the usability and availability of systems and services.
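To make the bug concrete, here is an added example (my own illustration, not code from Microsoft, from the Zloader analysis or from this post) that parses the Attribute Certificate Table of a PE file and reports whether the WIN_CERTIFICATE entry carries bytes beyond the PKCS#7 SignedData blob, i.e. data the signature does not cover. The “clean” and “tampered” entries are constructed samples built around a fake DER SEQUENCE standing in for a real signature; the tolerance rule (zero padding up to an 8-byte boundary is fine, anything else is extraneous) is my approximation of the opt-in stricter check, not Microsoft's exact implementation.

```python
import struct

WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def der_tlv_length(buf: bytes, offset: int = 0) -> int:
    """Total size (tag + length octets + content) of the DER element at
    buf[offset]. Authenticode's bCertificate is one PKCS#7 ContentInfo
    SEQUENCE, so this is exactly the part of the entry that is signed."""
    if offset + 2 > len(buf):
        raise ValueError("truncated DER header")
    first = buf[offset + 1]
    if first < 0x80:                      # short form: one length octet
        header, content = 2, first
    else:                                 # long form: 0x8N then N octets
        n = first & 0x7F
        if n == 0 or n > 4 or offset + 2 + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        header = 2 + n
        content = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
    if offset + header + content > len(buf):
        raise ValueError("DER content runs past the end of the buffer")
    return header + content


def check_win_certificate(entry: bytes) -> dict:
    """Inspect the first WIN_CERTIFICATE entry of a certificate table and
    report how many bytes inside dwLength are NOT part of the PKCS#7 blob."""
    if len(entry) < 8:
        raise ValueError("WIN_CERTIFICATE header too short")
    dw_length, revision, cert_type = struct.unpack_from("<IHH", entry, 0)
    if dw_length > len(entry):
        raise ValueError("dwLength exceeds the available data")
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError(f"unexpected wCertificateType 0x{cert_type:04x}")
    body = entry[8:dw_length]
    if not body or body[0] != 0x30:
        raise ValueError("bCertificate does not start with a DER SEQUENCE")
    pkcs7_len = der_tlv_length(body)
    trailing = body[pkcs7_len:]
    # Approximation (assumption) of the stricter opt-in rule: only zero padding
    # up to the next 8-byte boundary is tolerated; anything else is data the
    # signature does not cover.
    padding_only = len(trailing) < 8 and all(b == 0 for b in trailing)
    return {
        "dwLength": dw_length,
        "wRevision": revision,
        "pkcs7_length": pkcs7_len,
        "trailing_bytes": len(trailing),
        "extraneous_data": not padding_only,
        "trailing_preview": bytes(trailing[:16]),
    }


def security_directory(pe: bytes) -> bytes:
    """Return the raw Attribute Certificate Table of a PE file (empty if the
    file is unsigned). For this directory 'VirtualAddress' is a file offset."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    optional = e_lfanew + 4 + 20            # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", pe, optional)[0]
    if magic == 0x10B:                      # PE32: data directories at +96
        directories = optional + 96
    elif magic == 0x20B:                    # PE32+: data directories at +112
        directories = optional + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:04x}")
    offset, size = struct.unpack_from(
        "<II", pe, directories + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return pe[offset:offset + size] if offset and size else b""


def build_win_certificate(pkcs7: bytes, extra: bytes = b"") -> bytes:
    """Assemble a WIN_CERTIFICATE entry the way a signing tool lays it out
    (8-byte aligned), optionally with bytes smuggled after the PKCS#7 data.
    Helper for the constructed samples below; it does not sign anything."""
    body = pkcs7 + extra
    body += b"\x00" * ((-len(body)) % 8)
    return struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


# Constructed stand-in for a PKCS#7 SignedData blob: a DER SEQUENCE holding
# 200 bytes of content (203 bytes in total). A real Authenticode signature is
# thousands of bytes long but has the same outer shape.
FAKE_PKCS7 = b"\x30\x81\xc8" + bytes(range(200))
CLEAN_ENTRY = build_win_certificate(FAKE_PKCS7)
TAMPERED_ENTRY = build_win_certificate(FAKE_PKCS7,
                                       b"data-appended-after-the-signature")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                   # inspect a real signed PE file
        with open(sys.argv[1], "rb") as f:
            table = security_directory(f.read())
        print(check_win_certificate(table) if table else "file is not signed")
    else:
        for name, entry in (("clean", CLEAN_ENTRY), ("tampered", TAMPERED_ENTRY)):
            print(name, check_win_certificate(entry))
```

Run it with the path of a signed executable to see how much of its certificate table lies outside the signed PKCS#7 structure; a non-trivial “trailing_bytes” count is exactly what the default verifier tolerates and what the opt-in EnableCertPaddingCheck rejects. Note that a positive result is not proof of malice: the installers that motivated Microsoft's opt-in decision show the same pattern.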

CISA Catalogue of Known and Exploited Vulnerabilities

The Cybersecurity & Infrastructure Security Agency (CISA) has recently published “Binding Operational Directive 22-01”, whose purpose is to identify known exploited vulnerabilities and require their remediation, so as to reduce the associated risk.

In other words, CISA has identified the riskiest, actively exploited vulnerabilities and created a catalogue (here) that everybody can use to identify the vulnerabilities that must be patched first. Each entry carries a required action and a remediation due date (binding for US federal civilian agencies), and the catalogue is also published as machine-readable JSON and CSV feeds, so it can be joined automatically with scanner output. Indeed, running a vulnerability scanner (or performing a penetration test) too often produces an extremely long list of vulnerabilities, classified by severity typically according to the CVSS v3 standard: but which ones are really important, risky or even scary? A catalogue of vulnerabilities actually exploited by attackers helps to select the ones that really matter and that should be patched as soon as possible.
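As an added example of that join (my own code, not a CISA tool), the script below re-ranks a list of scanner findings so that catalogue entries come first, overdue ones before the others, and CVSS only breaks ties. The catalogue excerpt uses the field names of the real JSON feed, but its dates and descriptions are illustrative rather than copied from the catalogue; the scanner findings are constructed, and CVE-1999-99999 is a placeholder ID, not a real vulnerability.

```python
import json
from datetime import date

# Location of the live feed; not fetched at import time so the example runs
# offline (see fetch_kev() below).
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# Constructed excerpt in the shape of the feed. Field names match the real
# JSON; dates, descriptions and actions are illustrative.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2022.01.14", "dateReleased": "2022-01-14", "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "shortDescription": "JNDI lookup RCE.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2021-12-24", "notes": ""},
    {"cveID": "CVE-2013-3900", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft WinVerifyTrust Signature Validation Vulnerability",
     "dateAdded": "2022-01-10", "shortDescription": "Authenticode padding bypass.",
     "requiredAction": "Apply the opt-in mitigation per vendor instructions.",
     "dueDate": "2022-07-10", "notes": ""}
  ]
}"""

# Constructed scanner output: host, CVE and CVSS v3 base score.
SAMPLE_FINDINGS = [
    {"host": "web-01",  "cve": "CVE-2021-44228", "cvss": 10.0},
    {"host": "db-03",   "cve": "CVE-1999-99999", "cvss": 9.8},   # placeholder ID
    {"host": "file-02", "cve": "CVE-2013-3900",  "cvss": 5.6},
    {"host": "web-01",  "cve": "CVE-2013-3900",  "cvss": 5.6},
]


def index_kev(kev_json: str) -> dict:
    """Index the catalogue by CVE ID. The feed is one JSON object whose
    'vulnerabilities' list holds a record per CVE (cveID, dueDate, ...)."""
    catalog = json.loads(kev_json)
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def prioritize(findings, kev_by_cve, today):
    """Annotate findings with catalogue data and sort: KEV entries first,
    overdue KEV entries before the rest, earliest due date first, and CVSS
    descending only as a tie-breaker (and among non-KEV findings)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for f in findings:
        kev = kev_by_cve.get(f["cve"])
        due = date.fromisoformat(kev["dueDate"]) if kev else None
        rows.append({
            **f,
            "kev": kev is not None,
            "due_date": due,
            "overdue": due is not None and due < today,
            "required_action": kev["requiredAction"] if kev else None,
        })
    rows.sort(key=lambda r: (not r["kev"], not r["overdue"],
                             r["due_date"] or date.max, -r["cvss"]))
    return rows


def rank_sample(today="2022-01-15"):
    """Run the pipeline on the constructed samples."""
    return prioritize(SAMPLE_FINDINGS, index_kev(SAMPLE_KEV_JSON), today)


def fetch_kev(url=KEV_FEED_URL) -> dict:
    """Download and index the live catalogue (network access required)."""
    from urllib.request import urlopen
    with urlopen(url, timeout=30) as resp:
        return index_kev(resp.read().decode("utf-8"))


if __name__ == "__main__":
    for r in rank_sample():
        flag = "KEV, OVERDUE" if r["overdue"] else "KEV" if r["kev"] else "-"
        print(f'{r["host"]:8} {r["cve"]:15} CVSS {r["cvss"]:4}  {flag}')
```

Swap index_kev(SAMPLE_KEV_JSON) for fetch_kev() and feed in real scanner output to get the same ordering against the live catalogue. The point of the sort key is that the CVSS 9.8 placeholder, which a severity-only view would put near the top, drops below a CVSS 5.6 finding that is actually being exploited.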

Again Social Engineering and Fraud

Interesting article by Brian Krebs (here) about a social engineering fraud that obviously exploits the “human as the weakest link”, but also has some aspects of “using security to defeat security” itself.

In very few words, the scammer phones the victim and asks her/him to prove to be the rightful owner of her/his bank account by providing the username and a code that she/he will receive as a second-factor authentication code. What the scammer is actually doing with the username and the 2FA code is resetting the password of the victim’s bank account and then transferring money out of it.

What goes wrong here is, first, that the victim should identify the caller, not vice versa, and second, that the victim should never divulge a 2FA code to another person. Thus, by abusing the human weakest link and a “secure” password reset process, the scammer manages to carry out the fraud.

On the technical side, one should be very careful when evaluating the security risks of a self-service password reset process, including social engineering attacks like this one. In particular, a flow in which a username and a single one-time code are enough to reset the password reduces authentication to one factor that an attacker can obtain simply by talking to the user; at the very least the code message should state what it authorises (a password reset, not a login), so that the victim has a chance to notice the mismatch.


Risks of Cryptography

Cryptography is too often considered the “final” solution for IT security. In reality cryptography is often useful, rarely easy to use, and brings its own risks, including an “all-in or all-out” scenario: either everything it protects is safe, or nothing is.

Indeed, suppose that your long-lived master key is exposed: then all the security provided by cryptography is immediately lost, which seems to be what happened in this case.

Solar Superstorms and IT BC/DR

Very interesting research paper with a scary title: “Solar Superstorms: Planning for an Internet Apocalypse“. It is about a Black Swan event that has actually already happened, in 1859 (the Carrington Event): a major solar Coronal Mass Ejection (CME), which has some chance of happening again in the near future. Without entering into any detail (the research paper is quite readable), the main point is that if a CME of the 1859 magnitude were to hit Earth today, the consequences would be catastrophic. Apart from the impact on the electric grid, and in particular on long-distance power transmission (but power operators should be aware of this threat), the research paper points out that there would be severe damage to satellites, in particular low-orbit ones, with possible total failure of satellite communication, including GPS, television broadcasting and data (Internet) transmission. Equally at risk are long-distance communication cables, most notably submarine optical fibre cables. Actually, the optical fibres themselves would not be affected, but the optical repeaters along the fibres, placed every 50 – 150 km on the ocean floor, could burn out and stop almost all communication between continents.

I remember years ago discussing a similar scenario with some physicist friends and wondering whether it could be a threat or not. It seems that it can be, but is the cost of mitigating this threat worth it? Should we act today?