What are some of the recent security-related headlines in the news for blockchain companies? Here’s a roundup of some of the latest developments:
Project Everest releases ‘hack-proof’ cryptographic code
An ambitious research project that aims to improve the security of the internet’s Hypertext Transfer Protocol Secure (HTTPS) protocol recently released new cryptographic tools it says could make online software much harder to hack. EverCrypt was developed as part of Project Everest, an effort launched in 2016 with researchers from Microsoft, Inria, Carnegie Mellon University and the University of Edinburgh. “Wouldn’t it be great if a message you sent to your bank over the internet was guaranteed to be safe from tampering and readable only by your financial institution?” Microsoft asked in a 14 January blog post. “Project Everest is building software that provides such a guarantee as a theorem about the code that implements a secure communication protocol deployed in web browsers and servers everywhere.” EverCrypt, writes Quanta Magazine’s Eric Nyquist, was developed by researchers who have “specified exactly what their code is supposed to do and then proved it does that and only that, ruling out the possibility that the code could deviate in unexpected ways under unusual circumstances. The general strategy is called ‘formal verification.’” In an announcement on 2 April, researchers Jonathan Protzenko and Bryan Parno note that they so far have one verified client written in EverCrypt's F* programming language: “a Merkle tree library usable for blockchains”. They added: “As tools improve and the scope of verification expands, we hope that EverCrypt will not only show that large-scale verified libraries are attainable but also that there now exist viable alternatives to legacy libraries. With EverCrypt, developers no longer have to compromise performance for security, and it is our aspiration that many more software projects start using EverCrypt for greater assurance.”
Researchers seek to develop ‘electronic fingerprints’ for blockchain
Researchers at Northern Arizona University recently received a $125,000 grant from the US Air Force Research Laboratory to support their efforts to use ternary computing to improve the security of blockchain systems. The research is aimed at developing “electronic fingerprints” that could reduce blockchain’s appeal to criminals, terrorists and other users who seek to remain anonymous. Ternary computing is based on logic that uses three possible values instead of the two usually employed in binary computing. “This one-year project represents a preliminary phase to provide proof of concept of our long-term vision to secure blockchain with NAU technologies for the protection of strategic functions such as financial institutions, smart manufacturing, supply chain and inventory management,” NAU professor of practice Bertrand Cambou said in a university press release.
Quantstamp’s approach to smart contract security wins Dubai challenge
Quantstamp, a blockchain security company backed by Y Combinator incubator funding, recently won first place at the Smart Dubai Global Blockchain Challenge 2019. A Silicon Valley startup founded in 2017, Quantstamp is working to develop automated security tools and auditing services that can ensure the security of smart contracts throughout their lifecycle. During the company’s presentation in Dubai, Quantstamp head of business Don Ho noted that more than $350m worth of cryptocurrencies have been lost or stolen in the past two years due to current vulnerabilities in smart contracts. “If blockchain security is not addressed,” the company said in an announcement on 9 April, “economies will be unable to realise the potential growth enabled by blockchain technology.” In the wake of winning the Dubai challenge, Quantstamp expects to work with city leaders to help them achieve their goal of becoming “the first blockchain-powered city by 2020”.
WEF: For blockchain security, ‘challenge conventional wisdom’
What are the three things leaders need to know about blockchain security? According to a recent article from the World Economic Forum, they are “1. Security is not just a technical problem, it is a leadership problem”, “2. Exploitation is not just a result of attacker capabilities, but also of developer errors”, and “3. While attackers do compromise a blockchain itself, they more commonly exploit the configuration of the technology leveraging a blockchain”. “Leaders today must challenge conventional wisdom and think differently, in order to achieve the highest possible security in the context of blockchain,” writes Ted Harrington, executive partner of the consulting firm Independent Security Evaluators. “Effective security leadership may be difficult, but it is achievable. As a leader, if you can break down the security challenge into its core components, you can then build out an action plan to address the root issues. Blockchain technologies are revolutionary in many ways, but the simple fact that blockchain is different need not require a wholly new security paradigm.”
Hong Kong eyes blockchain as solution to property vote tampering
Blockchain could help prevent property owners from manipulating polling systems and rigging bids for major projects, the South China Morning Post recently reported. In an article published on 6 April, the newspaper said that startups in Hong Kong are looking to develop blockchain-based voting systems that could stop such tampering. “Hong Kong people have really negative views of owners’ corporations because of all the bid-rigging cases and a lack of transparency in some,” Leo Lo Ming-yan, founder of a blockchain startup called Fonto, told the Post. “We hope to use the technology to solve the issue of trust.” The paper went on to note: “Almost half of 40,000 private buildings or housing estates in Hong Kong have an owners’ corporation, each with dozens to thousands of members. Such groups are formed by owners to jointly manage and maintain buildings, and are required to organise meetings and polls on major expenses. This is where a blockchain system comes in. Lo said property owners would need to pass several security questions using their personal information to obtain a key to vote.”