{"id":7686,"date":"2019-02-19T00:00:00","date_gmt":"2019-02-19T00:00:00","guid":{"rendered":"https:\/\/dev.abes.com.br\/?p=7686"},"modified":"2019-02-19T00:00:00","modified_gmt":"2019-02-19T00:00:00","slug":"seguranca-aprimorada-problemas-novos-causas-classicas","status":"publish","type":"post","link":"https:\/\/dev.abes.com.br\/en\/seguranca-aprimorada-problemas-novos-causas-classicas\/","title":{"rendered":"Enhanced security: new problems, classic causes"},"content":{"rendered":"<div style=\"text-align: center;\">\n\t<img decoding=\"async\" alt=\"\" src=\"\/wp-content\/uploads\/anterior\/Imagens\/Roberto%20Gallo.JPG\" style=\"width: 300px; height: 246px;\" \/><\/div>\n<p><\/p>\n<div>\n\tBy Roberto Gallo, coordinator of the Security and Cyber Risks Committee at ABES<\/div>\n<div style=\"text-align: justify;\">\n\t&nbsp;<\/div>\n<div style=\"text-align: justify;\">\n\tAfter almost 20 years of working in cybersecurity, and especially in cryptography, you notice a few things. The first is that new companies, new processes and new technologies are always fun (at least from the point of view of those who work in security), because they guarantee new problems.<\/div>\n<div style=\"text-align: justify;\">\n\t&nbsp;<\/div>\n<div style=\"text-align: justify;\">\n\tTake as an example the recent case of a Canadian Bitcoin exchange involved in a scandal: the company claims that more than USD 100 million is unavailable after its CEO, the only holder of the password to the company&#039;s cold wallet, died of complications from Crohn&#039;s disease while travelling in India.<\/div>\n<div style=\"text-align: justify;\">\n\t&nbsp;<\/div>\n<div style=\"text-align: justify;\">\n\tIn this specific case a lot of evidence points to fraud, but let us assume, as a hypothesis, that the story released by the company is true: \u201cthe CEO died, only he had the password(s) for the cold wallet(s), which were kept on his personal computer, and he died on a trip to India.
\u201d<\/div>\n<div style=\"text-align: justify;\">\n\t&nbsp;<\/div>\n<div style=\"text-align: justify;\">\n\tIf so, it is a mixture of amateurism and criminal negligence. Below I comment on two points that are absolutely unthinkable for any Bitcoin exchange (and that you, as a user of this type of service, need to know about):<\/div>\n<div style=\"text-align: justify;\">\n\t&nbsp;<\/div>\n<div style=\"text-align: justify;\">\n\t* Control of cold wallets in which the (permanent) unavailability of one person prevents any movement of funds is, at the very least, reckless management (which is a crime). Every manager or business owner has a duty of diligence, that is, to anticipate existential risks to the business itself and to its customers;<\/div>\n<div style=\"text-align: justify;\">\n\t&nbsp;<\/div>\n<div style=\"text-align: justify;\">\n\t* Using a personal laptop to hold the cold wallets is another nonsense. Would you carry around a suitcase containing USD 100 million locked only by a password that the carrier knows? Obviously not: for much less than that, criminals kill and torture. With a personal laptop the problem is even greater, because it can be hacked whether it is online or not (see side-channel attacks, and Stuxnet, which reached air-gapped systems in Iran).<\/div>\n<div style=\"text-align: justify;\">\n\t&nbsp;<\/div>\n<div style=\"text-align: justify;\">\n\tThis specific case has a series of other absurdities, but the two above are enough to illustrate the other observation I referred to at the beginning of this text: the causes of the &quot;new&quot; problems are generally classic. 
Most of the time it is young people making an old mistake.<\/div>\n<div style=\"text-align: justify;\">\n\t&nbsp;<\/div>\n<div style=\"text-align: justify;\">\n\tFor example, the unavailability of the Canadian company&#039;s wallet could easily have been prevented with a classic risk analysis (following ISO 31000, a standard that is already 10 years old).&nbsp;<\/div>\n<div style=\"text-align: justify;\">\n\t&nbsp;<\/div>\n<div style=\"text-align: justify;\">\n\tTechnically, implementing a mathematical \u201csecret sharing\u201d scheme (splitting the key into n shares so that any t of them reconstruct it, while fewer than t reveal nothing) could easily have avoided this problem and, at the same time, increased both the company&#039;s security and its availability. Traditional payment companies have known this for decades.<\/div>\n<div style=\"text-align: justify;\">\n\t&nbsp;<\/div>\n<div style=\"text-align: justify;\">\n\tAs for the \u201csafe\u201d in which the cold Bitcoin wallet is stored, it needs to be a \u201ctamper-proof\u201d system (and never a laptop or a plain x86 server). For this there are vault rooms and HSMs (hardware security modules), used with resounding success in digital certification and, once again, in payments.<\/div>\n<div style=\"text-align: justify;\">\n\t&nbsp;<\/div>\n<div style=\"text-align: justify;\">\n\tHypotheses aside (the Canadian case looks more and more like a large fraud), it will be interesting, and not surprising, if central banks take the cue to regulate the sector more strongly.<\/div>\n<div style=\"text-align: justify;\">\n\t&nbsp;<\/div>\n<div style=\"text-align: justify;\">\n\tAnd that is the final lesson: in security, the market rarely regulates itself. 
It is up to society to ensure that such regulation is well designed and enforced.<\/div>\n<div>\n\t&nbsp;<\/div>\n<p><\/p>","protected":false},"excerpt":{"rendered":"<p>By Roberto Gallo, coordinator of the ABES Cyber Security and Risks Committee After almost 20 years working with cyber security and especially cryptography, we realize a few things. The first is that new companies, new processes, new technologies are always fun (at least from the point of view of those who work [\u2026]<\/p>","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[8,19],"tags":[],"class_list":["post-7686","post","type-post","status-publish","format-standard","hentry","category-artigos","category-ultimas-noticias"],"acf":[],"publishpress_future_action":{"enabled":false,"date":"2026-06-13 
21:45:09","action":"change-status","newStatus":"draft","terms":[],"taxonomy":"category"},"publishpress_future_workflow_manual_trigger":{"enabledWorkflows":[]},"_links":{"self":[{"href":"https:\/\/dev.abes.com.br\/en\/wp-json\/wp\/v2\/posts\/7686","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dev.abes.com.br\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dev.abes.com.br\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dev.abes.com.br\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/dev.abes.com.br\/en\/wp-json\/wp\/v2\/comments?post=7686"}],"version-history":[{"count":0,"href":"https:\/\/dev.abes.com.br\/en\/wp-json\/wp\/v2\/posts\/7686\/revisions"}],"wp:attachment":[{"href":"https:\/\/dev.abes.com.br\/en\/wp-json\/wp\/v2\/media?parent=7686"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dev.abes.com.br\/en\/wp-json\/wp\/v2\/categories?post=7686"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dev.abes.com.br\/en\/wp-json\/wp\/v2\/tags?post=7686"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
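The "secret sharing" scheme the article recommends for the cold-wallet key, worked through as an added example (this is not code from the article, from ABES or from the exchange): a Shamir (t, n) split of a wallet seed over the prime field GF(p), where any t shares reconstruct the seed and any t-1 reveal nothing about it. The prime, the share holders (CEO, CFO, external custodian) and the 32-byte sample seed are assumptions chosen for the illustration.

```python
"""Shamir (t, n) secret sharing for a cold-wallet secret.

Added example, not code from the original article. Splits a wallet secret
(a seed or private key, handled here as bytes) into n shares so that any t
of them reconstruct it and any t-1 reveal nothing about it. Arithmetic is
done in GF(p); the prime, the holders and the sample seed are assumptions.
"""
import secrets

# Assumption: the 521-bit Mersenne prime, large enough for 512-bit seeds.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x, p):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k]*x**k mod p (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, threshold, n_shares, p=PRIME, rand=secrets.randbelow):
    """Return n_shares points (x, f(x)) of a random polynomial of degree
    threshold-1 whose constant term is the secret. rand(p) must return a
    uniform integer in [0, p); it is a parameter only so tests can be deterministic."""
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    if not 0 <= secret < p:
        raise ValueError("secret must be an integer in [0, p)")
    coeffs = [secret] + [rand(p) for _ in range(threshold - 1)]
    # x = 0 is never handed out as a share: f(0) is the secret itself.
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n_shares + 1)]


def recover_secret(shares, p=PRIME):
    """Lagrange-interpolate f(0) from the given (x, y) shares.
    With fewer shares than the threshold this still returns a value, just the
    wrong one: plain Shamir has no integrity check, so the caller must know t."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def split_seed(seed, threshold, n_shares):
    """Share a byte-string secret (e.g. a wallet seed); the length is returned
    alongside the shares so that leading zero bytes survive the round trip."""
    return len(seed), split_secret(int.from_bytes(seed, "big"), threshold, n_shares)


def recover_seed(length, shares):
    return recover_secret(shares).to_bytes(length, "big")


if __name__ == "__main__":
    # Constructed 32-byte seed with leading zero bytes, split 2-of-3 among
    # hypothetical holders: no single person can move funds, and the loss of
    # any one person (the article's scenario) does not lock the funds away.
    seed = bytes.fromhex("00" * 4 + "deadbeef" * 7)
    length, shares = split_seed(seed, threshold=2, n_shares=3)
    holders = dict(zip(["CEO", "CFO", "custodian"], shares))
    without_ceo = recover_seed(length, [holders["CFO"], holders["custodian"]])
    print("recovered without the CEO:", without_ceo == seed)
```

Two practical caveats: the shares are as sensitive as the key and belong in the tamper-resistant storage the article goes on to describe (HSMs or vault rooms), not on laptops; and plain Shamir shares carry no integrity information, so a corrupted or insufficient set of shares reconstructs a wrong key silently, which is why production key-ceremony tooling adds a checksum or a verifiable secret-sharing variant on top.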