Blockchain Security Series
Pablo Sabbatella
17 episodes
1 week ago
Welcome to Blockchain Security Series, the podcast where the future of Web3 security unfolds, presented by pablito.eth. Hello and welcome. I'm Pablo Sabbatella, your guide through the intricate and evolving world of blockchain security. In each episode, we dive deep into the heart of Web3, bringing you face-to-face with the pioneers and key players shaping the blockchain security ecosystem.
All content for Blockchain Security Series is the property of Pablo Sabbatella and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Blockchain Security Series 17 - Scott Renna (Senior Solutions Architect @ Halborn)
Blockchain Security Series
1 hour 34 minutes 43 seconds
11 months ago

Blockchain Security Series 17 -  Scott Renna: Senior Solutions Architect @ Halborn

Hosted by Pablo Sabbatella - pablito.eth: Web3 OpSec Security Researcher, Opsek founder, SEAL (Security Alliance) member


Topics discussed:

- 00:00 - Intro 

- 01:19 - Early days in computers and cybersecurity 

- 03:45 - Getting into crypto industry

- 05:51 - Web2 and web3 security parallelism 

- 09:49 - Different challenges in cybersecurity

- 16:20 - What have you learned from each industry

- 25:58 - Buying leaked information and incentives 

- 33:39 - Lessons from web2 security to implement on web3

- 42:37 - Incident response in web3

- 48:09 - Addressing web2 risks in blockchain 

- 50:38 - Managing third parties risk

- 53:31 - XZ backdoor and open source software risk

- 55:32 - Using AI for scanning vulnerabilities

- 57:22 - Common attack vectors in smart contracts

- 1:00:48 - Phishing attacks 

- 1:04:50 - Passkeys

- 1:10:18 - Anon security researchers

- 1:12:54 - Satoshi Nakamoto theories

- 1:14:20 - Zero-day exploits and nation state actors

- 1:22:17 - Best practices for securing private keys

- 1:25:18 - Multi-party computation 

- 1:27:20 - Quantum computing and AI

- 1:30:31 - Advice for security professionals


Summary:

In this episode of the Blockchain Security Series, host Pablo Sabbatella interviews Scott Renna, a Senior Solutions Architect at Halborn, discussing his journey into cybersecurity, the evolution of threats, and the importance of security in the blockchain space.

This talk explores the connection between blockchain security and traditional web2 security, trying to shed light on the most common attack vectors in the industry. The guest also shares important lessons he learned in the different fields of cybersecurity he had the opportunity to work in.

They explore the challenges faced by the industry, the role of human factors in security breaches, and the need for better practices in incident response, also sharing insights on the impact of quantum computing and AI on security, as well as advice for new professionals entering the field.

Highlights:

- 11:35 - “The biggest challenge when you're talking about defending or preventing attacks is as an attacker, you only have to find one way to get in. We call those red teamers. I used to be one, but I became a blue teamer because it was too easy. 

But so as a blue team or a defender, you have to find all the holes and not just that.”

- 27:47 - “We worked a lot of ransomware cases, the Colonial Pipeline incident. This was public so I can share it. That was negotiated by Flashpoint. So we didn't make any, you know, suggestions or requests because again, we're in the business of doing business. My personal opinion is yes, you are correct. It incentivizes and drives the behavior, but what's the alternative? What's the solution?

The solution is implementing security controls.”

- 34:59 - “There seems to be this view in Web3 natives, not all, but a lot that I talk with. They don't understand that Web3 doesn't exist without Web2. You can't get on the chain without traditional infrastructure. And that's one of the reasons I came to Halborn. It's been a year and a half almost now at this point. We have an off-chain practice. We call it off-chain, but it's cloud infrastructure security, mobile app security. So it's not just necessarily, you know, I'm on the chain and this and that, it's the infrastructure that underpins it, right?”

- 1:09:10 - “With what happened with Luna, Luna wasn't hacked, never, they were not hacked. But the coordination calculation and then the move to sell the Luna Foundation Bitcoin, the Bitcoin guard, I think it was orchestrated by nation state actors, maybe not of specific nations, but.. That was a very well-constructed attack that involved a lot of money and resources. And there aren't many individuals that have access to that type of capital to make that happen. So Luna's great, but it's unfortunate with what happened.”


Links:


  • https://www.linkedin.com/in/scottrenna/