Jaeson Schultz has an eye for online hazards. As technical leader for the Cisco Talos Security Intelligence and Research Group, he has spent more than two decades tracking how the IT threat landscape has developed along with the evolution of the Internet.
That evolution is now leading to the emergence of what is being called Web 3.0 or the ‘metaverse.’ This exciting new online realm is not exempt from threats—and in this Q&A, Schultz details what they are and how they might be avoided. You may read a copy of his recent security research on Web 3.0 here.
Q. What do the terms ‘Web 3.0’ and ‘metaverse’ mean, and why should people be taking notice of them?
A. Web 3.0 is a nebulous term. However, most people tend to agree that Web 3.0 is being driven by cryptocurrency, blockchain technology, decentralized applications, and decentralized file storage.
Web 1 was the initial World Wide Web, where people were putting up their first web pages during the 90s, running their software on home computers. That changed with Web 2, where a lot of applications moved into the online space. You ended up with applications like eBay and Facebook.
Web 3 is a new transition, into decentralized applications and decentralized file storage. The metaverse, another new concept, is a virtual reality space where you move away from the flat, two-dimensional web. It’s a much more immersive experience.
Q. What kinds of threats will we see in the metaverse? Are there any that we haven’t seen before?
A. The security threats that I have come across tend to fall into one of two buckets. One of these is existing scams that have been modified for Web 3.0, like phishing. They are basically old attacks that have been updated for the new space. But then you also have attacks that are brand new.
On blockchain, there are malicious smart contracts where people are minting NFTs [non-fungible tokens] under other people’s names and transferring them for sale.
You also have regular malicious smart contracts that are looking to steal tokens or cryptocurrency out of unsuspecting users’ wallets. Without Web 3 technology you wouldn’t have these new attack vectors.
Q. What sort of metaverse users are likely to be most vulnerable to cyber threats, and why?
A. I’ve been working in computer security for a long time, and I remember when PGP [Pretty Good Privacy] came out. I remember spending a significant amount of time leaning about private keys and public keys.
Now along comes cryptocurrency and the security of your wallet is a lot like keeping track of encryption keys. You have a lot of new users who are not necessarily used to having to deal with keeping their keys safe. They are ripe for certain types of scams.
Somebody will post, “Hey, I’m having trouble connecting my wallet to this website,” and then you get a direct message that says, “Oh, hi, I’m from the support team and I’m here to help you. All I need is your crypto wallet pass phrase.”
Somebody who’s new to this space thinks, “Oh great, they saw my message and now they’re here to support me,” when it’s a cybercriminal who is trying to steal your pass phrase.
Q. What additional challenges does the decentralized nature of the metaverse bring from a security point of view?
A. I think one you’re going to see immediately is going to be related to ownership. There was a case where Quentin Tarantino was going to release some NFTs and he was sued by Miramax.
I’ve already seen issues with copycat projects—where somebody takes a Bored Ape that is worth multiple thousands of dollars, mints it on a different blockchain or even the same blockchain under a different smart contract, and then puts it up on a marketplace for sale.
Also, you’ve got speculators who have purchased all kinds of .eth domains that technically should belong to other people. In the domain world, we have a process where we can resolve disputes and transfer domains to the rightful owner. There is no such thing on the blockchain.
Q. Most important of all: how can we stay safe in the metaverse?
A. Obviously, the security of your cryptocurrency wallet is going to be paramount. I encourage people to use a hardware wallet if you’re serious about this—that way you don’t end up with someone who breaks into your computer and steals the keys out of the hot wallet.
Other than that, a lot of it boils down to having an idea of the scams that are out there and just being careful. A lot of these things are just fundamental security.