
www.pisa.org.hk

Professional Information Security Association MAR-2018

PISA Journal

Issue 27

Smart Contract != Secure Contract

Security in using Cryptocurrency and Blockchain

InfoSec Workshops for Kids


Special Topics

05 Smart Contract != Secure Contract

12 Security in using Cryptocurrency and Blockchain

22 Infosec Workshops for Kids


Editor: [email protected]

Copyright 2018

Professional Information Security Association


Intranet

04 Message from the Chairperson

21 The Editorial Board

28 Event Snapshot

38 Joining PISA


Message from the Chairperson

May 26, 2018 is an important day to information security professionals. It is the date set for PISA Jam 2018, and also marks the commencement of the General Data Protection Regulation (GDPR) of the European Union, the toughest regulation on data protection and privacy.

Like the U.S. Foreign Corrupt Practices Act (FCPA), the impact of GDPR reaches beyond the European Union countries. There are explicit compliance requirements for organizations in non-EU jurisdictions. Companies with businesses dealing with EU organizations or processing personal data of EU citizens are expected to adhere to the GDPR requirements.

What does this mean to PISA members or information security professionals? Recall the PISA vision statement, “to be the prominent body of professional information security practitioners, and utilize our expertise and knowledge to help bring prosperity to the society in the Information Age.” We, as information security practitioners, are obliged to assist the industry to cope with the challenges of GDPR.

The challenge brings about new opportunities to information security professionals. We can see more job openings being created to help organizations handle GDPR compliance. Let us stay on top of and surf on the new GDPR waves!

Ando Ho


Smart Contract != Secure Contract

Sam Ng CISSP CISA

Sam Ng is an experienced software security expert. He researches and develops new defense mechanisms using runtime analysis techniques.

He has contributed to PISA Journal on buffer overflow, SQL injection, and the software development life-cycle.


As of this writing, the total market capital for Bitcoin is $180B USD (compared to HSBC, which is about $140B USD). The second biggest cryptocurrency is Ethereum, which some people call Crypto 2.0, with a total market capital of around $77B USD. And in case you don’t know, most of the ICO assets are built on top of Ethereum (see Fig. 1).

If the most important technology breakthrough by Bitcoin is Blockchain, then the most important technology breakthrough by Ethereum must be Smart Contract.

Fig. 1 Image credit: https://techcrunch.com/2017/06/08/how-ethereum-became-the-platform-of-choice-for-icod-digital-assets/


What is Smart Contract?

You can say Smart Contract in cryptocurrency is like JavaScript in web browsers. It brings “scripting” capability to Blockchain. Don’t mix up, a Smart Contract is not a legal contract, it is program code that is executed on the Blockchain, and I mean it is executed by all the nodes on the Blockchain, when triggered. And because the code is published to the immutable Blockchain, everybody can inspect the code but no one can modify it after creation. It is 100% guaranteed the Blockchain will execute the code as it is written.

In Ethereum, the most widely used language for writing a Smart Contract is Solidity (with syntax somewhat similar to JavaScript). You need to compile the Solidity source file into binary bytecode, sign the code and then send it to the Ethereum Blockchain (a bit like sending crypto-coins to another user), and then it will be executed in Ethereum Virtual Machines (a.k.a. EVM, a sub-module inside the Ethereum node client). See Fig. 2 for a sample Smart Contract written in Solidity.

Fig. 2 Image credit: http://solidity.readthedocs.io/en/v0.4.20/introduction-to-smart-contracts.html

For example, I can create a Smart Contract with initially zero balance, and if someone deposits some amount of ETH into the contract (i.e. to the contract address), I will keep track of each individual account balance within the contract. The contract code can be written in such a way that you and only you will be able to withdraw your own fund, or you can transfer this fund to another user if you want to. Now if I call the balance within the contract a “Token”, does this sound like an ICO contract to you?

Security Problems in Smart Contract

As a security professional, I bet when you heard me saying “Smart Contract is like JavaScript”, you immediately thought of many different security problems. And yes, there are many different security problems in Smart Contract. To give you an idea, a team from NUS did a study back in 2016 and flagged 8,833 out of 19,366 Ethereum contracts as vulnerable [1].

Reentrancy Vulnerability

One of the deadliest yet most common security vulnerabilities in Smart Contract is called Reentrancy Vulnerability. Refer to Fig. 3: when VictimContract.get() is executed, it will transfer the Ether back to the caller (i.e. it is supposed to let you get your own money back).

Fig. 3A: a typical contract vulnerable to Reentrancy attack. Fig. 3B: a typical contract for Reentrancy attack.


However, the caller can be a contract by itself!!! And if the attack contract calls the victim contract again in the middle of VictimContract.get(), then because the code clears the balance after msg.sender.call and not before it, the AttackContract can withdraw the same amount multiple times (basically getting other people’s money).
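The ordering problem described above, as an added illustration that is not the article's own code and not the contract in Fig. 3: a small Python model (not Solidity) in which TokenContract stands in for VictimContract, ReentrantCaller for AttackContract, and `_send()` for the `msg.sender.call` that hands control to the recipient. The only difference between the two scenarios is whether the balance is cleared before or after the transfer; all account names and amounts are constructed for the example.

```python
"""Toy model of the reentrancy bug: send-then-clear versus clear-then-send.

Constructed for this article in plain Python; it is not Solidity and not the
contract shown in Fig. 3. TokenContract plays VictimContract, ReentrantCaller
plays AttackContract, and _send() plays msg.sender.call, which runs the
recipient's code *before* get() resumes.
"""
from typing import Callable, Dict, Optional, Tuple


class TokenContract:
    """Holds ETH for depositors; get() pays a depositor's balance back."""

    def __init__(self, clear_before_send: bool) -> None:
        # True  = clear the balance before sending (checks-effects-interactions)
        # False = send first, clear afterwards (the ordering the text warns about)
        self.clear_before_send = clear_before_send
        self.balances: Dict[str, int] = {}   # per-account "token" balance
        self.ether = 0                       # ETH actually held by the contract
        self.paid: Dict[str, int] = {}       # ETH paid out, per recipient

    def deposit(self, sender: str, amount: int) -> None:
        self.balances[sender] = self.balances.get(sender, 0) + amount
        self.ether += amount

    def get(self, sender: str, on_receive: Optional[Callable[[], None]] = None) -> None:
        amount = self.balances.get(sender, 0)
        if amount == 0:
            return
        if self.clear_before_send:
            self.balances[sender] = 0               # effect first: a re-entrant get() sees 0
            self._send(sender, amount, on_receive)
        else:
            self._send(sender, amount, on_receive)  # interaction first: balance still intact,
            self.balances[sender] = 0               # so every re-entrant get() is paid again

    def _send(self, to: str, amount: int,
              on_receive: Optional[Callable[[], None]]) -> None:
        if amount > self.ether:
            raise RuntimeError("contract cannot pay")  # on chain this call would fail
        self.ether -= amount
        self.paid[to] = self.paid.get(to, 0) + amount
        if on_receive is not None:
            on_receive()   # recipient's fallback code runs inside get()


class ReentrantCaller:
    """A caller whose receive hook calls get() again while the contract can still pay."""

    def __init__(self, name: str, target: TokenContract) -> None:
        self.name = name
        self.target = target
        self.reentries = 0

    def withdraw(self) -> None:
        self.target.get(self.name, self.on_receive)

    def on_receive(self) -> None:
        owed = self.target.balances.get(self.name, 0)   # still non-zero if not yet cleared
        if owed and self.target.ether >= owed:
            self.reentries += 1
            self.target.get(self.name, self.on_receive)


def run_scenario(clear_before_send: bool) -> Tuple[int, int, int]:
    """Returns (ETH paid to the re-entrant caller, ETH left in contract, re-entries).

    Constructed ledger: alice 2 ETH, bob 1 ETH, mallory 1 ETH. Mallory is owed 1.
    """
    contract = TokenContract(clear_before_send)
    contract.deposit("alice", 2)
    contract.deposit("bob", 1)
    contract.deposit("mallory", 1)
    mallory = ReentrantCaller("mallory", contract)
    mallory.withdraw()
    return contract.paid.get("mallory", 0), contract.ether, mallory.reentries


if __name__ == "__main__":
    # send-then-clear: mallory is paid 4 ETH (all of it) after 3 re-entries -> (4, 0, 3)
    print("send-then-clear :", run_scenario(clear_before_send=False))
    # clear-then-send: mallory is paid exactly her 1 ETH, 3 ETH stay safe -> (1, 3, 0)
    print("clear-then-send :", run_scenario(clear_before_send=True))
```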

Integer Overflow Vulnerability

Another common vulnerability in Smart Contract is Integer Overflow. Integers in Ethereum Smart Contract are, by default, 256 bits wide, which is extremely large. But no matter how large it is, it is still susceptible to integer overflow. A very large number plus another very large number can cause an overflow to happen (i.e. the high bits being truncated) and become a very small number. While not related to Smart Contract, just a few weeks ago the high-profile Japan-based crypto-exchange Zaif experienced exactly this particular problem, which “… allowed customers to temporarily ‘buy’ trillions of dollars worth of bitcoin for free” according to thebitcoinnews.com [2].
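The truncation described above, as an added example that is not the article's own code: a Python model (not Solidity) of the EVM's wrapping 256-bit ADD and SUB next to the SafeMath-style checks that turn a silent wrap into a rejected operation. It goes slightly beyond the text by also covering subtraction, since a balance going below zero wraps to a huge number in the same way; the ledger values are constructed.

```python
"""uint256 arithmetic: EVM-style wrapping versus SafeMath-style checking.

Constructed for this article in plain Python; it is not Solidity. evm_add/evm_sub
mimic the EVM's 256-bit ADD/SUB opcodes (high bits truncated), safe_add/safe_sub
mimic the require() checks a SafeMath-style library adds before the result is used.
"""
from typing import Optional

UINT256_MAX = 2**256 - 1


def evm_add(a: int, b: int) -> int:
    """ADD as the EVM executes it: the sum is truncated to 256 bits."""
    return (a + b) & UINT256_MAX


def evm_sub(a: int, b: int) -> int:
    """SUB as the EVM executes it: going below zero wraps to a huge value."""
    return (a - b) & UINT256_MAX


def safe_add(a: int, b: int) -> int:
    """SafeMath-style add: compute the wrapped sum, reject it if it shrank."""
    c = evm_add(a, b)
    if c < a:                                   # require(c >= a) in Solidity
        raise OverflowError("uint256 addition overflow")
    return c


def safe_sub(a: int, b: int) -> int:
    """SafeMath-style sub: reject before the wrap can happen."""
    if b > a:                                   # require(b <= a) in Solidity
        raise OverflowError("uint256 subtraction underflow")
    return a - b


def apply_credit(balance: int, amount: int, checked: bool) -> Optional[int]:
    """Credit a token balance; None means the checked version rejected it."""
    try:
        return safe_add(balance, amount) if checked else evm_add(balance, amount)
    except OverflowError:
        return None


def apply_debit(balance: int, amount: int, checked: bool) -> Optional[int]:
    """Debit a token balance; None means the checked version rejected it."""
    try:
        return safe_sub(balance, amount) if checked else evm_sub(balance, amount)
    except OverflowError:
        return None


if __name__ == "__main__":
    # Constructed ledger: an account holding 10 tokens is credited (2**256 - 6).
    huge = UINT256_MAX - 5
    print("unchecked credit:", apply_credit(10, huge, checked=False))   # 4, a "very small number"
    print("checked credit  :", apply_credit(10, huge, checked=True))    # None (rejected)
    # Spending 5 tokens from a balance of 3: unchecked wraps to almost 2**256.
    print("unchecked debit :", apply_debit(3, 5, checked=False) == UINT256_MAX - 1)  # True
    print("checked debit   :", apply_debit(3, 5, checked=True))         # None (rejected)
```

Solidity 0.8.0 and later applies equivalent checks to every arithmetic operation by default; in the 0.4.x era the article is written against, they had to come from a library such as OpenZeppelin's SafeMath.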

Fig. 4 Image credit: https://unwire.hk/2018/02/18/zaifbug/fun-tech/


What should we do?

The Short Answer is — Secure SDLC.

Luckily, there are already best practices we can follow [3,4]. The tool used by the NUS team I talked about, called Oyente, is open source, and there are some other tools listed in [3] that we can use to analyze our Smart Contract before production. Likewise, there are already some companies providing Smart Contract auditing services -- Zeppelin, IOSiro, Experfy, to name a few.

Besides code analysis, there are also frameworks that allow Smart Contract developers to write less (and hence fewer bugs) and to do unit tests more easily and faster (and hence find more bugs) -- Truffle (from ConsenSys) and OpenZeppelin (from Zeppelin) are two of those. I would say these frameworks are almost a must for professional Smart Contract development.


Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA

Reference

[1] Making Smart Contracts Smarter. Loi Luu, Duc-Hiep Chu, Hrishi Olickel, Prateek Saxena, Aquinas Hobor. http://www.comp.nus.edu.sg/~loiluu/papers/oyente.pdf

[2] A glitch in Japan's Zaif exchange gives out Free Bitcoins. https://article.wn.com/view/2018/02/23/A_glitch_in_Japans_Zaif_exchange_gives_out_Free_Bitcoins/ (new link)

[3] Ethereum Smart Contract Security Best Practices. https://consensys.github.io/smart-contract-best-practices/

[4] Security Considerations. http://solidity.readthedocs.io/en/v0.4.20/security-considerations.html

TL;DR

Smart Contract is awesome, but writing a bug-free contract is very difficult (and you have to do it right the first time because there is no way to upgrade your contract). Luckily, the techniques we have learned from Secure SDLC are mostly applicable to Secure Smart Contract Development as well.

Finally, if I have to speculate, I would expect to see more research around applying formal verification to Smart Contracts. Smart Contract code is usually relatively short and it is usually about money. These two characteristics make Smart Contract a good candidate for applying the very rarely used formal verification to the SDLC. Let’s wait and see.

■ Sam Ng


Security in using Cryptocurrency and Blockchain

Wallace Wong CISM, CISSP, CISA

Wallace Wong has had varied IT exposure in the private and public sectors. He is currently working in the Government on security, audit and project management.


Introduction

Most people associate “Bitcoins” with WannaCry ransomware or extortion hacking attacks, as to them the main application of Bitcoin was for the victim to pay a ransom in order to recover data encrypted by ransomware, or for hackers to transfer money anonymously in the underground world without fear of being tracked.

Fig. 1: WannaCry ransomware Screens (Newsweek., May 2017)


What are the changes?

Around September 2017, China announced a stop to the initial coin offering (ICO) of cryptocurrencies. This move made the price of Bitcoin drop around 40 percent, from USD$5000 to $3000, in two weeks. However, this policy seemed to spread the trend of purchasing cryptocurrencies from China to other areas, much as the purchasing of residential properties and land had spread before.

Fig. 2: China Ban ICOs (Forbes, Sep 2017)

Fig. 3: Bitcoin Price (Coin desk, Sep 2017)


Moreover, the Hong Kong Monetary Authority (HKMA) has established a Fintech Facilitation Office (FFO) to facilitate the healthy development of the fintech ecosystem in Hong Kong. The first whitepaper on Distributed Ledger Technology (DLT), or Blockchain, was released in 2016 with the Applied Science and Technology Research Institute (ASTRI). The second one, released in 2017, involved more professionals, such as consultancy firms and law professors, for compliance, governance and legal considerations.

Since the usage of DLT or blockchain has been promoted as FinTech globally, more and more companies, organizations and people are beginning to study this technology. For example, our Professional Information Security Association (PISA) has also arranged two related seminars as follows:

Fig. 4a, b and c: Whitepapers on Distributed Ledger Technology (HKMA., Dec 2016 & Oct 2017)


Fig. 5a and b: Seminars related to Blockchain technology (PISA., Sep 2017 & Jan 2018)

What are the risks?

In fact, the most attractive part behind the Blockchain is the financial value built or assumed on it. The most famous cryptocurrency is still Bitcoin; even the financial institutions have launched futures for indirectly buying or selling Bitcoin.

Fig. 6: First US Bitcoin Futures (CBOE, Dec 2017)

Fig. 7: Futures (CME Group, Dec 2017)

However, people have to face new security risks if they are using these cryptocurrencies or blockchains, as follows:

Fig. 8: Hackers stole $530M (CNN, Jan 2018)

Fig. 9: Trojan Modifies Address (Jim., Jan 2018)


Measures to Secure Cryptocurrencies and Blockchain

Since cryptocurrencies and blockchain are decentralized in nature, people need to take extra care to secure them. Some security measures, refined from one of the TV programmes, are listed as follows:

1. Set up unique email(s) and different passwords to sign up for cryptocurrency exchanges, cloud mining and digital wallets, so that one compromise does not expose all your assets.

2. Put maximum protection on your mobile device, personal computer, wireless controller and internet gateway with the latest firmware or software updates before the transactions.

3. Do not use text messages for two-factor authentication (2FA). Use a software authenticator like Google Authenticator or even a hardware authenticator like Universal 2nd Factor (U2F).

4. Diversify. Buy cryptocurrencies across multiple exchanges. Of course, the amounts should also be evenly distributed to avoid putting all your eggs in one basket.

5. Keep your cryptocurrencies offline. A software wallet, e.g. a blockchain app, is quick and easy to spend from for micro-payments but weak in security due to its centralized nature. Use a hardware wallet, e.g. Trezor or Ledger, to store or hold your crypto assets yourself, and be responsible for them yourself. More importantly, do not take a photo or make a softcopy of the recovery / private key of your hardware wallet.

6. Never trust anyone on Blockchain, which does not require you to build on trust. It is not uncommon for websites or posts about cryptocurrencies, cloud mining and initial coin offerings (ICO) to be scam, spam or fraud. You have to study in depth and counter-check with different sources against their past records before testing and then proceeding further.

The last advice

I would like to use the reminder from Vitalik Buterin, co-founder of Ethereum blockchain and Ether cryptocurrency, in February 2018, as the conclusion:

“Cryptocurrencies are still a new and hyper-volatile asset class, and could drop to near-zero at any time. Don't put in more money than you can af-ford to lose. If you're trying to figure out where to store your life savings, traditional assets are still your safest bet.”

■ Wallace Wong


Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA

Reference (in chronological order)

HKMA (2016). “Whitepaper on Distributed Ledger Technology”, 7 Dec 2016. Available: http://www.hkma.gov.hk/media/eng/doc/key-functions/finanical-infrastructure/Whitepaper_On_Distributed_Ledger_Technology.pdf

Anthony, C. (Newsweek, 2017). “Ransomware Attacks Rise 250 Percent In 2017, Hitting U.S. Hardest”, 23 May 2017. Available: http://www.newsweek.com/ransomware-attacks-rise-250-2017-us-wannacry-614034

Kenneth, R. (Forbes, 2017). “China's ICO Ban Doesn't Mean It's Giving Up On Crypto-Currencies”, 6 Sep 2017. Available: https://www.forbes.com/sites/kenrapoza/2017/09/06/chinas-ico-ban-doesnt-mean-its-giving-up-on-crypto-currencies/#796e69697aeb

Coin desk (2017). “Bitcoin (USD) Price”, 30 Sep 2017. Available: https://www.coindesk.com/price/

HKMA (2017). “Whitepaper 2.0 on Distributed Ledger Technology”, 25 Oct 2017. Available:

● http://www.hkma.gov.hk/media/eng/doc/key-functions/finanical-infrastructure/infrastructure/20171025e1.pdf

● http://www.hkma.gov.hk/media/eng/doc/key-functions/finanical-infrastructure/infrastructure/20171025e1a1.pdf

CBOE (2017). “The First U.S. Bitcoin Futures”, Dec 2017. Available: http://cfe.cboe.com/cfe-products/xbt-cboe-bitcoin-futures

CME Group (2017). “Trading in our Bitcoin futures begins tomorrow. Follow, trade & learn more here: ……”, 16 Dec 2017. Available: https://twitter.com/CMEGroup

PISA (2018). “The Era of BlockChain and Smart Contract Development”, 20 Jan 2018. Available: https://www.pisa.org.hk/past-events/518-isc-2-hk-chapter-agm-cum-feature-talk-the-era-of-blockchain-and-smart-contract-development-20-jan-2018

Daniel, S. (CNN, 2018). “$530 million cryptocurrency heist may be biggest ever”, 29 Jan 2018. Available: http://money.cnn.com/2018/01/29/technology/coincheck-cryptocurrency-exchange-hack-


The Editorial Board

PISA Journal

Joyce Fan CISSP CRISC CISA

SC Leung CISSP CCSP CISA CBCP

Ian Christofis CISSP

Alan Ho CISSP CISA CISM CGEIT

You can contribute to PISA Journal by:

● Joining the Editorial Board

● Submitting articles to the Journal

SC Leung, Chief Editor [email protected]

Next Issue: Issue 28 (Sep-2018)


Infosec Workshops for KIDS

Peter Cheung

Honeynet HK Chapter Members


Background

In 2015 the Taiwan Honeynet Chapter held an information security winter camp specially for children, with the theme “Let's create a different kind of holiday life for children”. The goal was to let children experience the importance of Internet security through a variety of hands-on activities, in the hope that they would apply what they learned to daily life and protect themselves online.

Our Honeynet SIG felt that running a camp was too big a challenge, and that a workshop would be more feasible. I put the idea to the PISA committee, who supported it and introduced me to the teacher Mr. Andy Li. After several discussions with him, we settled on the format and content of the workshop. And so the first workshop began.


The First Workshop

The first workshop (June 2017) was run by three members (Eric, Roland and me) for two classes of Primary 5 students. What was special this time was that the students came from a boys' school, and we expected their interest and responses to be more enthusiastic than in a co-educational school. The first game was about an ancient cipher: the scytale. Each group of students received a pencil and a strip of paper with a hidden secret message, and they raced to find the message. They showed great creativity along the way, for example flipping the strip over, turning it upside down, crossing out some letters, and so on. Suddenly one student shouted, “I found it!” The answer was to wrap the strip around the pencil; the secret was the line of text running horizontally across it. He told me he had once seen this method in a cartoon, which is how he thought of it. The teacher had to admit that watching a suitable amount of television can also teach other knowledge. After that, they were warmed up and ready to tackle the remaining puzzles. Some of the games were about the concepts of ciphers, such as the Caesar cipher and transposition ciphers. We would first introduce how the cipher works, and then the students would apply the method to decrypt the ciphertext.

The Second Workshop

The second workshop (June 2017) was run by another three members (Kelvin, Ting and me). This time the students came from a co-educational school, and we expected the girls to be less engaged than the boys, but the result was the opposite. The girls not only took part actively, but their results were by no means worse than the boys'.

One of the games was to find a password hidden in a web page. At first they tried different approaches, including resizing the browser window, zooming the text in and out, and even looking at the screen from different angles, trying almost every feature, but still had no clue. So I gave a hint: “source code”, and within a minute someone had found the answer. That student found it by going through the source code line by line. He explained that he had not thought of looking in the source code at first, because he did not know programming or code. The next game was also to find a password hidden in a web page, but the password was obfuscated with JavaScript, so just viewing the source code would not reveal the answer. A few minutes later a student shouted, “I found it!” It turned out he had used the developer tools to inspect the obfuscated JavaScript and got the answer. Afterwards he admitted it was luck, because he actually did not know what developer tools were. This shows that daring to try is an important attitude for learning.


Next Steps

We will work with the Association of I.T. Leaders in Education (AiTLE, 資訊科技教育領袖協會) in the hope of developing a set of teaching materials for teachers to use in workshops. We may also hold workshops for teachers, so that they first understand the content of the materials and the basic theory.

Finally, on behalf of the team I would like to thank Mr. Andy Li for his advice and sharing, and to thank Salesian School (慈幼學校) and Po Leung Kuk Dr. Jimmy Wong Chi-Ho (Tin Sum Valley) Primary School (保良局王賜豪(田心谷)小學) for their support, which made it possible to trial these two workshops.

■ Peter Cheung


Event Snapshot: We Share. We Progress.

Cyber Security Professionals Awards (CSPA) 2017 (23 October 2017)

Congratulations!! Seven PISA members received the Awards in 2017.

(from left) Frank Chow, Martin Chan, Mike Lo, Frankie Leung, Eric Moy and Eric Fan. Ricci Ieong (on the right hand side).


Event Snapshot: We Contribute. We Achieve.

Sharing Session with (ISC)2 Safe and Secure Online (SSO) UK Lead Volunteer (12 January 2018)

Tim Wilson, (ISC)2 Safe and Secure Online (SSO) UK Lead Volunteer, visited Hong Kong and met PISA and (ISC)2 Hong Kong Chapter Executive Committee members, and SSO trainers. He shared much valuable experience in promoting online security to children.


Event Snapshot: We Share. We Progress.

Safe Wi-Fi War Driving 2017 (17 December 2017)

PISA joined the Hong Kong Wireless Technology Industry Association (WTIA) to conduct Safe Wi-Fi War Driving 2017. We took a tram from Kennedy Town to Shau Kei Wan, and then returned to Kennedy Town. Many wireless network signals were captured for analysis.

Before getting on the tram, we took a group photo first. We were ready to go!!!

Our mobile devices with war driving tools were capturing wireless network signals.

We sat at the back of the tram for signal capture.


Event Snapshot: We Contribute. We Achieve.

Seminar: Understanding What is New in China Cybersecurity Law and What We Cannot Do (26 April 2018)

The China Cybersecurity Law has been in effect since 1 June 2017. PISA was happy to invite two legal professionals to share with our members some key requirements, including safeguards for national cyberspace sovereignty, protection of critical information infrastructure and data, and protection of individual privacy. The Law also

100+ registrations were received. Various questions were raised and discussed in the Q&A session.


Event Snapshot: We Share. We Progress.

(ISC)2 HK Chapter AGM 2017 cum Feature Talk: The Era of BlockChain and Smart Contract Development (20 January 2018)

(ISC)2 HK Chapter, one of the PISA Special Interest Groups (SIGs), held its AGM at PolyU with many members actively participating.

After a competitive election, the (ISC)2 Hong Kong Chapter Executive Committee (EXCO) 2018 was formed. Welcome Ricci Ieong and Vincent Ip to join us. Thank you Eric Moy, Karson Chan, and Martin Chan for your time and support.

This is a group photo of the 2017 and 2018 (ISC)2 Hong Kong Chapter Executive Committee Members.

Dr. Daniel Luo (left) and Dr. Allen Au (right) shared with us the latest blockchain and smart contract developments. Our Chairperson presented gifts to thank them for their sharing and continued support to PISA.


Event Snapshot: We Contribute. We Achieve.

PISA Spring Dinner 2018 (26 March 2018)

We had a great evening with our members. Besides social networking among PISA members and having a nice dinner, Chester Soong, our Honorary Advisor, shared with us his recent status. The PISA Chairman and Executive Committee shared updates and coming events.


Event Snapshot: We Share. We Progress.

Seminar: Tackling System Security from the Perspective of Non-digital Components (9

Dr. Kehuan Zhang delivered an interesting security topic to us.

Seminar: The Integration of "Human + Machine" - The biggest security challenges in

Mr. Dixon Ho shared with us the future trend of enterprise security services, the biggest security challenges for the integration of “human + machine”, and security measures.


Event Snapshot: We Contribute. We Achieve.

PISA Speakers in the local community.

Frankie Leung spoke at the Office of the Communications Authority public seminar on 8 November 2017.

Eric Moy spoke at the Office of the Communications Authority public seminar on 13 December 2017.

Frankie Wong spoke at the Office of the Communications Authority public seminar on 27 October 2017.


Event Snapshot: We Share. We Progress.

Various talks to schools under the (ISC)2 Safe and Secure Online Program


Professional Information Security Association

Membership Information

Vision

To be the prominent body of professional information security practitioners, and utilize expertise and knowledge to help bring prosperity to the society in the Information Age.

Many Ways You Can Benefit

Be up-to-date and be more competitive in the info-sec community – line up yourself with the resources you need to expand your technical competency and move forward towards a more successful career.

Successful Career Networking

Enjoy networking and collaboration opportunities with other in-the-field security professionals and exchange technical information and ideas for keeping your knowledge up to date.

Professional Recognition

Benefit from the immediate access to professional recognition by using post-nominal designation. Check out job listings information provided by members. Get information on continuing education and professional certification.

Continued Education

Enjoy the discounted or free admissions to association activities - including seminars, discussions, open forums, IT related seminars and conferences organized or supported by the Association.

Sharing of Information

Find out the solution to your technical problems from our email groups and connections with our experienced members and advisors.

Realize Your Potential

Develop your potentials and capabilities in proposing and running project groups such as Education Sector Security, Mobile Security, Cloud Security, Honeynet, Public Policy Committee and others, and enjoy the sense of achievement and recognition of your potentials.

Membership Requirements

• Relevant computing experience (post-qualifications) will be counted, and the recognition of professional examinations / membership is subject to the review of the Membership Committee.

• All members must commit to the Code of Ethics of the Association, pay the required fees and abide by the Constitution and Bylaws of the Association.

Enquiry email: [email protected]

Membership Application Form: http://www.pisa.org.hk/membership/member.htm

Code of Ethics: http://www.pisa.org.hk/ethics/ethics.htm