The sixth edition of the ENISA NCSS seminar will take place on September 18th

By | NCSS | No Comments

On September 18th, 2018, the sixth edition of the “ENISA NCSS” seminar on national cybersecurity strategies will take place in Helsinki (Finland).

The event, jointly organized by the Finnish Communications Regulatory Authority (FICORA) and ENISA, will have as its central theme the development, implementation and evaluation of national cybersecurity strategies (NCSS). The creation of national, European and sectoral Information Sharing and Analysis Centres (ISACs) will also be addressed. In addition, there will be several discussion forums in which representatives of the public and private sectors will be able to present their ideas on national cybersecurity strategies and share best practices for the creation of ISACs.

Audience at ENISA NCSS

The seminar is mainly aimed at the actors involved in the development and implementation of national cybersecurity strategies and at the people involved in the creation of ISACs: sector regulators and national supervisory authorities, legislators and national authorities, the private sector and universities.

Activities at ENISA NCSS

Early in the morning, the opening ceremony will be led by the General Secretary of the Finnish Security Committee, Vesa Valtonen. Next, Pentti Olin, member of the Security Committee, will present to the attendees the national security strategy implemented by Finland.

Later on, the first working session will take place, focused on disseminating the updates to the national strategies included in the NIS technical standard. Several countries, including Luxembourg, will take part in this session, which will close with a panel discussion.

In the second session, held in the afternoon, the different national, European and sectoral Information Sharing and Analysis Centres (ISACs) will be analyzed. As in the previous session, a discussion panel will take place at the end of the presentations.

If you wish to take a look at the agenda, please click here.

Practical information on ENISA NCSS

Date: September 18th, 2018

Venue: Dynamicum, Erik Palménin aukio 1, Helsinki (Finland).

If you want more information about the event, click here.


ETSI publishes remote server signing standards draft versions

By | ETSI, European Telecommunications Standards Institute | No Comments

On July 2nd, 2018, the European Telecommunications Standards Institute (ETSI) published new draft versions of the following digital signature creation standards, which mainly focus on developing the new technical environment of remote server signing compliant with eIDAS: ETSI TS 119 431-1, ETSI TS 119 431-2 and ETSI TS 119 432.

ETSI TS 119 431-1: Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service providers; Part 1: TSP service components operating a remote QSCD/SCDev

This part focuses on service components that operate a digital signature creation device in order to create a digital signature value on behalf of a remote signer.

Moreover, it specifies the policy and security requirements generally applicable to trust service providers (TSPs) which implement a service component that operates a signature or seal creation device (as defined in Regulation (EU) No 910/2014), called a remote QSCD/SCDev.

This component contains a server signing application and is called the server signature application service component (SSASC). Beyond the server signing application itself, it contains the service elements and the signature creation device (SCDev).

The requirements of this standard are aligned with the requirements specified in CEN EN 419 241-1.

ETSI TS 119 431-2: Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service providers; Part 2: TSP service components supporting AdES digital signature creation

ETSI TS 119 431-2 provides the policy and security requirements for trust service providers (TSPs) that implement a service component supporting the creation of AdES digital signatures. This component contains a signature creation application and, in short, is called the signature creation application service component (SCASC). However, it is more than just the SCA, since it also contains the service elements through which part of the signature creation application, as defined in EN 319 102-1 [1] and TS 119 101, can be implemented.

This standard is based on the general policy requirements specified in ETSI EN 319 401 [9] and takes into account the related requirements of ETSI TS 119 101.

ETSI TS 119 432: Electronic Signatures and Infrastructures (ESI); Protocols for remote digital signature creation

This standard specifies the protocols and interfaces that apply when the creation of AdES digital signatures (as defined by ETSI EN 319 102-1) and/or of digital signature values, starting from the representation of the data to be signed, is carried out by a distributed solution composed of two or more systems, services or components. Its scope is limited to remote server signing.

If you wish, you can consult the original version of the documents and send your opinions through the contact form by clicking here.

For more information about ETSI, click here.

Security audits for projects with Blockchain and SmartContracts

By | Auditoría, Blockchain, Conformity Assessment | No Comments

According to some estimates, blockchain technology companies can expect business volumes of 6 billion euros by 2020. However, they must first deal with blockchain security vulnerabilities, which, despite their relevance, continue to be underestimated when it comes to so-called “distributed accounting” technology (DLT).

A comment here, to clarify: the widespread term “distributed ledger” (DLT) in my opinion should be renamed “distributed accounting” or, better, “Replicated Journal Technology” (RJT), since it really registers entries in the log as they are produced, rather than reflecting the accounting itself.

Security vulnerabilities in block chains

Some aspects of security have to do with the use of cryptography, and given that cryptography is used intensively in blockchain contexts, there is a widespread belief that blockchain systems are inherently secure.

However, in complex systems different attack vectors appear that must be identified and remedied, so excessive confidence in the technology can be dangerous.

In fact, the technology called DLT is subject to a series of problems that centralized databases do not have.

The security risks of blockchain exist, and they must be recognized and mitigated so that blockchain can fulfill its promise to transform the way data is stored, and so that they do not undermine the projects that use it.

As more government, industrial and commercial sectors adopt the technology, the need to address these problems sooner rather than later becomes paramount.

Blockchain Vulnerabilities

Vulnerabilities of the interface system

One of the most likely vulnerabilities with DLT originates outside of the blockchain itself.

The interface system is the equipment that a user uses to access services based on blockchain.

Credentials are entered on this system, reason enough to attract attackers who exploit its vulnerabilities. In other cases, manipulating the clipboard (the memory area used by the copy and paste functions) can allow an attacker to change the destination account of a transaction.

Malware detection is a desirable feature in tools that aim to minimize attacks on the interface system.

Security of public key cryptography

Those who propose transactions to form part of the chain (for example, value transfers in the case of crypto-assets and cryptocurrencies) sign them with a private key and provide information about their public key. The private key is stored in the wallet or an equivalent mechanism, so protecting the equipment is again essential. But there are certain risks (for example, based on quantum computing) that in the future could allow the private key to be obtained from the public one. To minimize this risk, techniques based on single-use wallets can be adopted.

Key backups should not be kept on the system that is used daily, and even less so unencrypted.

Third party platforms

As cryptocurrencies and applications using related technologies (such as DLT) become popular, the third-party solutions market will grow. Some of the services that third parties may offer are:

  • Blockchain integration platforms
  • Payment processors
  • Wallets
  • Fintech entities
  • Cryptocurrency payment platforms
  • Smart contracts

These platforms use various vulnerable technologies in addition to blockchain-specific ones. They are in effect providers of digital trust services and should comply with the standard EN 319 401 that the eIDAS Regulation imposes on qualified providers.

Control of deployment

When a project starts, or evolves afterwards, exhaustive tests must be carried out to detect vulnerabilities in the code before it passes to the production environment. This is especially relevant for smart contracts. Smart contracts are frequently written in languages such as Solidity, which have “defects” similar to those of JavaScript. A case of special relevance is the need to put wallet addresses in quotes. If not, the addresses are truncated and the amounts sent can end up in an irrecoverable limbo.
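The truncation remark above, taken as the JavaScript-side behaviour (the post does not say which tool it refers to; that is an assumption here): a 160-bit address written as an unquoted hex literal becomes a 64-bit float and silently loses its low bits. This is an added example, not code from the post; the address and the normalizeAddress helper are constructed for the illustration.

```javascript
// Added example (not from the post): why a wallet address must be passed as a quoted
// string in JavaScript tooling. A Number carries 53 bits of precision, so an unquoted
// 160-bit hex literal is rounded before any code gets to see it. The address below is
// constructed for the illustration and does not belong to anyone.
const ADDRESS_TEXT = '0x0123456789abcdef0123456789abcdef01234567';
const ADDRESS_UNQUOTED = 0x0123456789abcdef0123456789abcdef01234567; // careless caller

// True when the unquoted literal no longer denotes the intended address.
// BigInt() converts both without further rounding, so the comparison is exact.
function addressLiteralLosesPrecision() {
  return BigInt(ADDRESS_UNQUOTED) !== BigInt(ADDRESS_TEXT);
}

// Boundary check for anything that will become a transaction recipient: accept only
// a quoted 20-byte hex string and reject Numbers outright, so the loss is caught
// before funds are sent rather than discovered afterwards on the chain.
function normalizeAddress(value) {
  if (typeof value !== 'string') {
    throw new TypeError('address must be a quoted hex string, got ' + typeof value);
  }
  if (!/^0x[0-9a-fA-F]{40}$/.test(value)) {
    throw new RangeError('address must be 0x followed by exactly 40 hex digits');
  }
  return value.toLowerCase();
}
```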

Size of the block chain

Depending on the type of crypto-asset and on how its transaction management system has been designed for recording in the blockchain, it may be necessary to preserve the entire chain of blocks from its origins. Some variants allow the transaction history to be converted into a “snapshot” from which the previous history can be discarded. Be that as it may, the more transactions are made, the more the chain grows, which can create sizing problems in the equipment that manages it.

51% attacks

Some crypto-asset systems with different block confirmation philosophies (PoW, Proof of Work; PoS, Proof of Stake; …) could be attacked by groups that exceed 51% participation in the consensus mechanism. Therefore, it would be advisable to anticipate the need for reversion mechanisms and to assign responsibility for executing them.

There have been real cases of this type of attack on PoW mechanisms (theoretical until recently), which is understandable given that a large number of mining farms are built in countries where electricity is cheap and supervision is scarce.

Lack of maturity of blockchain technology

In all technologies, essential lessons are learned as they are adopted and generalized. Problems are discovered and resolved. Blockchain technology is still in the early stages of development, and not all risks and their effects are understood.

Risks due to insufficient standardization

Many blockchain systems are deployed with a “whitepaper” and with the project's source code available on GitHub. Although this is an exercise in transparency, it often reveals that the promoters of such projects have little interest in knowing the standards or adopting them.

This is particularly striking in the field of electronic signatures, whose main market has matured over the years, giving rise to various laws and technical standards that create legal presumptions for those who adopt the technology and that define the standards facilitating interoperability.

In contrast, the use of electronic signature technology in blockchain projects often seems to come from undergraduate students who have read the basics of electronic signature theory and are unaware of the progress of the standards. They look like academic exercises, instead of responding to market demands that require systems to interoperate and developers to know the laws and standards.

Fortunately, UNE and ISO (among other standardization bodies) are beginning to propose standards for the blockchain world, which should not ignore the advances made in common technologies with a certain level of maturity.

It should be remembered that standardization, contrary to what its critics affirm, does not limit innovation but opens up new possibilities for it, and it leaves behind solved problems that were tackled in the past, minimizing the risk of reinventing the wheel each time.

Subtle vulnerabilities

There are vulnerabilities that are difficult to detect and only become visible after incidents of a certain magnitude. It is advisable to provide reversion mechanisms before deployment in order to manage problems that have not been previously identified.

An example is the case of “The DAO”.

A “DAO” (Decentralized Autonomous Organization) is an organization built on some types of blockchain, with smart contract execution functionality associated with investments in the capital of markedly digital companies. One could say that a DAO is a crowdsourced venture capital fund managed on the basis of smart contracts embedded in a blockchain. There are many DAOs, each created to host and execute smart contracts for specific organizations.

One of those DAOs, known as “The DAO”, was founded in 2016 by members of the Ethereum team. During its creation period, The DAO made history in the field of crowdfunding by raising 150 million dollars. Shortly after, The DAO made history once again by being the first DAO to be hacked.

During the crowdsale, many members of the Ethereum community expressed concern that the DAO code could be attacked. Subsequently, a member of the DAO team found a “recursive call” bug but mistakenly believed that no DAO funds were at risk. A hacker proved him wrong.

The attack occurred when the attacker exploited two weaknesses in the DAO code. The hacker knew that the code was designed to allow both a split and a transfer of tokens between accounts. The hacker also realized that the code did not update account balances fast enough to prevent the same tokens from being transferred more than once.

The hacker executed the split function, creating a “child DAO” account, and made repeated transfer requests from his first account in quick succession. Since the code did not decrease the original account balance after each transfer, there was nothing to prevent the same tokens from being transferred about 40 times each, without the original tokens being consumed.

After transferring $55 million in Ether, the hacker ended the attack, and further events followed, so I invite you to look into this case, from which great lessons can be drawn.
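The defect described above, as an added example (not code from The DAO or from this post): a constructed ledger model in which the balance is zeroed only after the recipient's own code has run during the payout, shown beside the same withdrawal with the balance update applied before the payout (checks, effects, then interactions). The Ledger class, runScenario and the alice and mallory accounts are constructed for the illustration.

```javascript
// Added example, not The DAO's code: a constructed model of the ordering defect.
// withdraw() pays the recipient and only afterwards zeroes its balance, so recipient
// code that re-enters withdraw() during the payout is paid again from the same balance.
// Updating the balance before the payout (effectsFirst = true) closes the window.
class Ledger {
  constructor(balances, effectsFirst) {
    this.balances = new Map(Object.entries(balances));
    this.pool = Object.values(balances).reduce((a, b) => a + b, 0); // funds the contract holds
    this.effectsFirst = effectsFirst; // true = checks-effects-interactions ordering
    this.hooks = new Map();           // recipient -> code that runs when it is paid
  }
  balanceOf(who) { return this.balances.get(who) || 0; }
  onReceive(who, fn) { this.hooks.set(who, fn); }
  withdraw(who) {
    const amount = this.balanceOf(who);                 // check
    if (amount === 0 || amount > this.pool) return;
    if (this.effectsFirst) this.balances.set(who, 0);   // effect, applied before paying
    this.pool -= amount;                                // interaction: funds leave the pool
    const hook = this.hooks.get(who);
    if (hook) hook(this);                               // recipient code runs mid-withdrawal
    if (!this.effectsFirst) this.balances.set(who, 0);  // effect applied too late (DAO pattern)
  }
}

// One withdrawal in which the recipient re-enters withdraw() `reentries` times;
// reports what it was owed against what actually left the pool. Detection hint for
// auditors: paidOut greater than owed is exactly the signature this defect leaves.
function runScenario(effectsFirst, reentries = 3) {
  const ledger = new Ledger({ alice: 100, mallory: 10 }, effectsFirst);
  let depth = 0;
  ledger.onReceive('mallory', (l) => {
    if (depth < reentries) { depth += 1; l.withdraw('mallory'); }
  });
  const owed = ledger.balanceOf('mallory');
  const before = ledger.pool;
  ledger.withdraw('mallory');
  return { owed, paidOut: before - ledger.pool, poolLeft: ledger.pool };
}
```

With the late update, three re-entries turn one withdrawal of 10 into a payout of 40; with the balance zeroed first, every re-entry finds nothing to withdraw and exactly 10 leaves the pool.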

Call us if you need us

When serious blockchain projects are proposed, their promoters invest in technology developments that help define transaction types, identity management models, block confirmation mechanisms, block production rates and transaction limits per block. There are many aspects that make each project different.

One that should begin to be taken into account is the project audit. It may not detect all the problems, but it will uncover the main ones. We must begin to value what is already known and avoid repeating mistakes that have already been made.

Contact the Trust Conformity Assessment Body (TCAB) if you need to audit a blockchain project.

24-28/09: Date with NIS Summer School in Greece

By | Ciberseguridad, Cybersecurity | No Comments

The fifth edition of NIS Summer School on Network and Information Security (NIS’18) will take place from 24th to 28th September in Heraklion (Greece).

NIS Summer School is organized by the European Union Agency for Network and Information Security (ENISA) and the Foundation for Research and Technology – Hellas (FORTH). The meeting will bring together for four days different players in the sector, such as public administrations, private sector companies and non-profit organizations.

This edition’s focus is “The Changing Risk Landscape”. The IT sector is in constant evolution, which poses significant challenges. Because of this, the actors involved must shorten their reaction time and encourage collaboration and information exchange in order to respond adequately and effectively to the challenges that may arise.

With this Summer School, ENISA seeks to promote a culture of cybersecurity in the EU. The aim is to improve the capacity of Member States to respond to cyber-attacks. ENISA follows a risk mitigation strategy by raising awareness and publishing studies and reports on current NIS issues.

Disseminating works on Cybersecurity Threat Intelligence

Non-profit organizations working in Cyber Threat Intelligence will have the opportunity to present their work during the event, which may be related to Horizon 2020 projects, national academic research, development projects and open source communities.

Presentations at NIS Summer School

During NIS Summer School there will be a large number of speakers from the public and private sectors and from academia. The following stand out in particular:

  • Nektarios Tavernarakis (FORTH President)
  • Udo Helmbrecht (ENISA Executive Director)
  • Damien Cauquil (Head of Research & Development Digital Security – Econocom)
  • Piotr Kijewski (Strategic Programmes Manager The Shadowserver Foundation)
  • Prof. Dr. Ir. Bart Preneel (Full Professor Katholieke Universiteit Leuven)

Event details

Date: 24th-28th September, 2018
Place: Galaxy Hotel Iraklio – Leof. Dimokratias 75, Iraklio 713 06, Greece
URL: https://nis-summer-school.enisa.europa.eu/

To see the NIS Summer School 2018 program, click here.
