Forrester Report Cautions About Web3 Security


The next generation web — Web3 — has been hailed as more secure than the current incarnation of cyberspace, but a report released Tuesday warns that may not be so.

While Web3 may be difficult to subvert on an infrastructure level, there are other points of attack that may offer threat actors more opportunity for mischief than can be found in the legacy web, according to the report from Forrester, a national technology research company.

Web3 applications, including NFTs, aren’t just vulnerable to attack; they often present a broader attack surface than conventional applications due to the distributed nature of blockchains, Forrester reported.

Further, it added, Web3 apps are desirable targets because tokens can be worth substantial sums of money.

The openness of Web3, which is supposed to be one of its chief benefits, can be a detriment, too. “Code that’s running on a public blockchain is easily accessible, by anybody with the required technical skills, from anywhere in the world — no need to penetrate any corporate defenses in getting to it,” observed Forrester Vice President and Principal Analyst Martha Bennett, who is also a co-author of the report.

“Source code is typically also easily available, as running closed source ‘smart contracts’ is frowned upon. The Web3 ethos is, after all, ‘open code’,” she told TechNewsWorld.

Undesirable Complexity

David Rickard, CTO for North America at Cipher, a division of Prosegur, a multinational security company, explained that Web3 is based on the distributed control of data and identity by its users.

“That broadens the attack surface to individuals who may be unwilling or simply unable to handle management of their own data and identity, bringing a technical complexity to an arena that desires ‘easy to use’ above anything else,” he told TechNewsWorld.

“For individuals, going beyond text messaging, email, and scrolling through social media and shopping apps is a real challenge,” he added.

The Web3 idea of making code transparent and publicly available is unlikely to gain real traction, he maintained. “Between capital investors and users of blockchain financial systems and NFTs, there’s too much money at stake,” he said.

Making code transparent and public can also broaden the attack surface in obvious ways, he continued. “Secure coding practices that predict how one may misuse a system for nefarious gains aren’t that commonly practiced,” he explained. “It’s not easy to predict how people may use systems for purposes other than those intended.”

“Most financial losses concerning blockchain and NFT exploit not the immutable object itself but manipulate them by exploiting the applications that can impact them,” he said.

In addition, while legacy systems may be old, they can also be robust. “What is new also tends to be the most insecure,” declared Matt Chiodi, chief trust officer at Cerby, maker of a platform to manage Shadow IT, in San Francisco.

“While time is not always a friend of security, it does allow an application to become battle tested,” he told TechNewsWorld. “Web3 is no different. It’s new and very much untested. Legacy applications have the benefit of time. Web3 does not.”

NFT Becoming Popular Target

Regardless of whether code is visible and accessible, the report noted, attackers will find the weak points. It explained that while it’s tempting to assume that attacks on smart contracts and cryptocurrency wallets are confined to the Wild West of decentralized finance, increasingly, NFT projects have become a favored target.

“Why go for a more difficult hack if there are easier ways of achieving what you want?” asked Bennett. “Like any other venue where value is traded, [NFT] marketplaces and communications tools attract those who want to steal or otherwise subvert the rules.”

“In anything to do with Web3, speed is of the essence, and many of those involved don’t have the required expertise even to assess what might be a potential security issue,” she said. “Sometimes, startups don’t even advertise for a head of security until after something bad happened.”

One of the largest breaches of an NFT marketplace occurred in June at OpenSea, which exposed some 1.8 million email addresses. “That particular case involved an insider threat, but applications handling transactions can be quite vulnerable,” Rickard observed.

“There may be hundreds of thousands of ways these can be misused that coders have to try to account for, yet a hacker need only discover one vector, one time for a breach to occur,” he said.

Hangout for Scammers

Forrester also reported that Discord, the chat platform most token projects use to run their communities, has become a major weak point in NFT and other public blockchain projects. Successful phishing attacks on Discord are at the root of many, if not most, NFT thefts, it continued.

It explained that the attacks are typically targeted at community managers and administrators. Once an administrator account has been successfully taken over, attackers have the opportunity to steal on a grand scale, because users tend to trust messages from community administrators.

Discord was designed primarily to be a communications forum for gamers, not a place to hold and exchange value, Bennett noted, and it does have mechanisms in place to mitigate risk. “But these mechanisms can only help if they’re implemented, and it’s clear that all too often, they’re not,” she said.

“Also,” she added, “being the favored communications mechanism for token projects, Discord attracts a commensurate share of phishing attacks and scam messages.”

Rickard maintained that Discord communities provide a rich source of information for scammers, as well as investors. “Harvesting contact information of participants leads to phishing,” he said. “Hacks into digital wallets are not unusual.”

“Discord bots have been hacked so threat actors can post fake minting offers, resulting in theft of cryptocurrency,” he added.
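The pattern described above (a trusted admin or bot account posting a "surprise mint" link that sends members to an attacker's site) is mechanical enough to screen for. The following is an added example, not code from the Forrester report or from anyone quoted in this article: it scans announcement-channel messages and flags posts from a trusted role that link outside the project's known domains, imitate one of those domains, or lean on urgency cues. The allowlist, role names and sample messages are constructed for illustration; a real deployment would feed it the channel's message export or bot event stream.

```python
"""Heuristic screen for fake-mint phishing posts in a project's Discord.

Added example; ALLOWED_DOMAINS, TRUSTED_ROLES and SAMPLE_MESSAGES are
constructed for illustration and are not from the article or the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Hypothetical project allowlist: the only domains a genuine announcement links to.
ALLOWED_DOMAINS = {"example-nft.io", "opensea.io", "discord.com"}
# Roles whose posts members tend to trust; a takeover of one of these is the high-value case.
TRUSTED_ROLES = {"admin", "moderator", "bot"}
# Phrases that commonly accompany fraudulent "stealth mint" posts.
URGENCY_TERMS = ("stealth mint", "mint now", "live now", "limited", "hurry", "last chance")
URL_RE = re.compile(r"https?://[^\s<>()\"']+", re.IGNORECASE)


@dataclass
class Finding:
    message_id: str
    author: str
    severity: str
    reasons: list[str] = field(default_factory=list)


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Enough for the constructed sample; a production tool
    should use the public-suffix list so hosts like example.co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_of(host: str, allowed: set[str]) -> Optional[str]:
    """Return the allowlisted domain this host imitates, if any: the brand name
    embedded in a foreign domain (example-nft.io.attacker.xyz) or with its
    punctuation swapped (opensea-io.com)."""
    flat_host = re.sub(r"[^a-z0-9]", "", host.lower())
    for good in allowed:
        flat_good = re.sub(r"[^a-z0-9]", "", good.lower())
        if flat_good in flat_host and registrable_domain(host) != good:
            return good
    return None


def analyse_message(msg: dict, allowed: set[str] = ALLOWED_DOMAINS) -> Optional[Finding]:
    """Return a Finding when the message links outside the allowlist, else None.
    Urgency wording alone is not flagged: legitimate marketing uses it too."""
    text = msg["content"]
    reasons: list[str] = []
    trusted = bool({r.lower() for r in msg.get("roles", [])} & TRUSTED_ROLES)
    external_link = False

    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) in allowed:
            continue
        external_link = True
        reasons.append(f"link to non-allowlisted domain {host}")
        mimicked = lookalike_of(host, allowed)
        if mimicked:
            reasons.append(f"{host} imitates allowlisted {mimicked}")

    if not external_link:
        return None

    lowered = text.lower()
    urgency = [t for t in URGENCY_TERMS if t in lowered]
    if urgency:
        reasons.append("urgency cues: " + ", ".join(urgency))

    # A trusted account steering members off-site is exactly the takeover case.
    severity = "high" if trusted else ("medium" if len(reasons) > 1 else "low")
    return Finding(msg["id"], msg["author"], severity, reasons)


def scan_messages(messages: list[dict], allowed: set[str] = ALLOWED_DOMAINS) -> list[Finding]:
    return [f for f in (analyse_message(m, allowed) for m in messages) if f]


# Constructed sample: one benign admin post, one compromised-admin mint lure,
# one benign bot post, one member sharing a typosquatted marketplace link.
SAMPLE_MESSAGES = [
    {"id": "1", "author": "mod_alice", "roles": ["admin"],
     "content": "Reminder: the roadmap AMA is Thursday. Details at https://example-nft.io/ama"},
    {"id": "2", "author": "mod_alice", "roles": ["admin"],
     "content": "@everyone STEALTH MINT LIVE NOW! Limited to 500, hurry: https://example-nft.io.mint-drop.xyz/claim"},
    {"id": "3", "author": "announce-bot", "roles": ["bot"],
     "content": "Floor price update: 0.8 ETH on https://opensea.io/collection/example"},
    {"id": "4", "author": "random_user", "roles": [],
     "content": "anyone else seeing https://opensea-io.com/verify ?"},
]

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(f"[{finding.severity}] msg {finding.message_id} by {finding.author}: "
              + "; ".join(finding.reasons))
```

The check deliberately keys on the combination of a trusted role and an off-allowlist link rather than on wording, since an attacker who has taken over an admin account will phrase the post exactly the way the real team does; the allowlist, not the tone, is what the compromised account cannot fake.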

Better Security Than Legacy Web?

In the fast-moving Web3 world, it’s tempting to ignore security in favor of innovating quickly, but public security issues can easily derail a major launch or slow down the product team by forcing them to analyze and mitigate critical security flaws, Forrester’s report noted.

Firms can identify risks and protect both their Web3 application’s decentralized and centralized components by engaging their security teams — not just in the software development lifecycle — but throughout the product lifecycle, it added.

“Web3 needs to shift its focus to the left, meaning getting security as close to the developers as possible and making prevention the end goal,” Chiodi observed. “Without this focus, Web3 will end up no differently than Web2. That would be a shame given its tremendous potential, especially around decentralized identity.”

“The distributed approach of Web3 provides different types of security capabilities, but the fundamental problems remain the same,” added Mark Bower, vice president for product at Anjuna, a confidential computing company, in Palo Alto, Calif.

“If an attacker gets access to credentials, root-level privilege or keys — particularly private keys that run across the entire ecosystem,” he told TechNewsWorld, “then it’s game over, just as it would be in a centralized platform.”

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.
