
All right. Hey, good morning everybody. My name is Wilson. I'm going to do a talk about it. So, I mean the main thing we're going to probably get out of this is that I'm I'm a little crazy, right? So, don't take anything uh too seriously. It's just I've got ideas and
>> so I got I got ideas, right? I got ideas about the metaverse and it's really exciting stuff and I wanted to put it together in a talk and you know really really see what other people's opinions are about it as well. So the agenda today talk about what the metaverse is, what augmented reality is, what exactly mixed reality is, just a little bit about that and talk about the issues that we see currently with the metaverse and blockchain as well as possible solutions and then maybe some question and answers. Um, if you do have some questions, please let me know. I'm going to tell you right now. I probably don't have all the answers. So, um I'll
probably write it down and probably get back to you or maybe not. I don't know. But it'll give you time. All right. So, metaverse. Metaverse is all Mark Zuckerberg created. No, it's really not. Um so, metaverse is I don't know. It's like the hottest right now. Everybody's talking about it. Everybody's like, "Oh, the metaverse. Metaverse. Everything came from the metaverse." and everything with NFTs and everything with cryptocurrency. But if you've played online gaming before, you've been in the metaverse already. Um, I'm big into World of Warcraft. Back in the day, I still play Fantasy, although my wife doesn't allow me to all the time, and I'm I'm confessing that to everybody now. Anyways, so you got you got different
kinds of metaverses. We talked about World of Warcraft. talk about um uh Final Fantasy, you have Decentraland, you have Sandbox, you got a few other things going on. I got music. So, why should I care about this? Why should you care about this? As um the metaverse is gaining momentum with companies. We're seeing more and more companies using the metaverse. It's becoming it's going to be more complex and it's going to pose unique challenges for us in the industry. Would you agree? We'll get to it. Uh blockchain technology is happening. We need to learn its impact to our users and organizations and it presents opportunity to think about possibilities for rehashing of old
ones of solutions to a new environment. Sorry, I got to stop this music over here.
Sorry guys.
So, let's talk about what the metaverse is. Um, in futurism and science fiction, the metaverse is a hypothetical iteration of the internet. I'm not going to read it, but this is what the metaverse is. Augmented reality. Who who here has played Pokémon Go? Raise your hand. This is augmented reality, right? It's not real, but you know, you find your Pikachu somewhere, you you're searching around. That's augmented reality. And uh mixed reality, which is actually really cool. Um it's it's a blend of the physical and digital worlds where you're unlocking natural intuitive 3D human computer environmental interactions. Uh, one of the clients that I went to is a medical university and they actually to save money with um, not using
cadavers, they use mixed reality in order to dissect things and people. And it's really interesting because you're able to look at somebody's heart and zoom in, zoom out. You're able to switch things around, look at specific muscles. really interesting stuff. So, let's talk about some of the issues that we see. These are oldies goodies, right? The first one is um identity theft, right? When you're in um the metaverse, augmented reality, well, the metaverse, you you know, you can steal somebody's identity, you know, just username, password, um lost digital assets, your avatar. or somebody stole my my World of Warcraft avatar and then sent all the gold to China. I'm just kidding. It didn't really happen, but it
can't happen. Um, social relationships, history of your digital life. All right. Impersonation attack. You have the rock and this is me, the pebble.
I know I make those myself. Um, so this attack occurs when the attacker pretends to be authorizer. I do not pretend like I'm the wrong at all, but impersonation attack. This is this is what it is. Hackers can also do that. Um, data tampering, pretty self-explanatory. Uh, somebody somebody just changes information. For instance, if somebody had access to a central database with, I don't know, um, social security numbers or credit card information, they could just change it to give a denial of service to whoever um, is trying to make a legitimate transaction. >> And then we got some new stuff which is really interesting to me. Um, now we're now we're learning how to protect uh information in a ternary
world, as they would say, in the physical, digital, and human world. And so I'll just read this one. Ternary, three worlds represent the physical, digital, and human worlds. All three are integrated into the metaverse, allowing an attacker to track users, and determine their positions. In the real world, hackers may also track users through compromised headsets and other wearable devices. The next one I have here is um uncontrolled data collection. It was interesting that as I was talking about what I'm going to talk about today, uh we were talking about the Oculus and how it how when you sign the um the agreement that you basically authorize them to get your uh I don't say biometric data heuristics. So it knows
exactly um you can create a baseline based off of your your avatar and how you use the device itself. So if you look at uncontrolled data collection, can you just imagine like when uh you get facial expressions, hand eye movements, speech, biometric features, it presents a huge opportunity for attackers to just steal your identity. And we're we're going to get into my crazy ideas. >> Uh digital footprint threats to your digital footprints. um your habits, activities, your avatars that reflect the end user in your real world. Um attackers can use these footprints to exploit real world features. Users can also be stuck in without their knowledge thanks to the third person.
This was really interesting to me because I've never heard this one before, but it's a Sybil attack uses a single node to operate many active fake identities simultaneously with other network. So what in the world does that mean? I had to kind of look this up. Um so if you think about the way that I thought about this was like if we have like a has anybody heard of like a decentralized autonomous organization, you know, like I see yes, I see no. So just think about a group of people that have the same common idea um but they govern themselves and the way that they govern themselves is by voting and the way that you get votes is if you I don't know
invest money or invest time you get more votes right so just imagine Wilson is one user and then I say you know what I'm just going to replicate myself have Wilson one Wilson 2 Wilson 3 Wilson four and then I'm going to create more votes for myself and let's just say I have a $1 million project or the the organization has a $1 million project and um I'm the benefactor of that project. I can vote I could have that organization vote to take on that project. Does that make sense? So this would be an example of a Okay. All right. Here we go. My point of view short term you're going to have identification issues. We're
going to have authentication issues. Um we're going to have to work with people uh for user education with a new technology. As far as the long term is concerned, if we want to um if we want to utilize this new technology to benefit everybody, we're going to have to sacrifice security for the speed of enterprise business adoption. Um, and then as corporations continue to improve and get their technology up to par with uh with all these new technologies, the small businesses are going to lag behind what they're already doing. So, a lot of big companies right now are investing in metaverse uh metaverse digital assets and um a lot of small companies just don't know what
that is. So as we adopt the metaverse, as we adopt augmented reality and mixed reality, um the small businesses need to keep up in order to be competitive. So the way that I look at um well the way that people normally look at communications is we have senders um we have a communication network and then we have recipients. And when we look at the way that businesses work, we have users um and then we have businesses when we talk about ternary worlds where you have the physical world, the digital world and the human world all are symbiotic with each other in order to make progress. So from a business standpoint, it's pretty easy. uh when you look at a
business they can say hey I just want to hang out in Decentraland and I want to hang out in Meta right this is where I'm going to invest my money in order to do business and with that it gets a little bit more complicated when you start thinking about the cryptocurrencies that are currently making transactions within those metaverse but it's still easier for businesses because they can just say I'm just going to hang out with uh Decentraland I'm just going to use and I'm just going to hang out in this metaverse one and two and they use a theory and right but for a user it's much more complicated right if you if you look at
a user you have the digital you have the human you have the physical aspects maybe today they're World of Warcraft they're using credit card essentially you're using they have a crypto crypto wallet They're on um Horizon World with their VR headset because Meta owns Oculus and every kind of transaction you want to do is bank and credit card. And then you have the businesses that only do credit card work, right? So this is present day how it is now. And what I anticipate is later on that well the portra will still exist. You can still use bank credit card. Decentraland and uh Horizon will Horizon Worlds will use uh cryp their crypto wallets. Businesses will
start moving away from banking credit cards and start moving into crypto wallets. And it's going to be really interesting to see how that's all going to work. And I'm really trying to figure out how in the world is this going to work. So, does that make sense? Am I talking crazy? Do I need to slow down because I get really excited about this stuff. All right. So, fundamental challenges that we are facing. Um, users are able to access multiple environments with multiple devices and make transacts. Again, showing that there's identity authentication access issues as well as authorization and permission issues. All right. How do we fix this? Short-term solutions. I hate to say it's security
awareness, right? We need people to understand basic cyber security in the metaverse and augmented reality and mixed reality. We need to tell people, hey, don't click on that. That's probably not going to be good for you. And it seems so simple, but people still screw it up. um understanding the blockchain. It's going to it's it's complicated for a lot of people. We still need to um educate the user base on what blockchain is as well as some uh basic safety um or best practices when handling cryptocurrency such as having a cold hot a cold warm and hot crypto wallet storage.
So these are our crazy rules about securing the new technology reality. Unique identity should be established and attributed for each user. Why? Because in cyber security if we want to know that somebody did something wrong, we have to attribute it to somebody. The uh devices should be registered for each user/identity. Um if we could if we could track the user, we should be able to know what devices that they use at what times. Um identity baseline should be established for each user in identity. Um what we had talked about like with behavioral um uh like eye like retinal scans um behaviors as far as movement, hand eye movement, the way that you walk with and talk virtuality.
You should be able to develop a baseline in order to identify the person that belongs to that baseline as well as the uh registered device that's al together right authentication should be mandatory for user identity user/identity device and entity access should be limited to groups roles assigned to users/identity authorization should be limited to groups/roles assigned to users/identities this crazy talk. It's crazy talk, but what it what it really sounds like to make this point real quick. What it really sounds like is like we need to like make it a corporate network, right? But reality is it's never going to be like that. Yes, ma'am.
So the question was if somebody dies and they have like a digital wallet, what happens to all that money if they didn't pass the uh the 12-word passphrase to whoever? That money is just kind of like an ether. Who gets it? It does belongs to the person that died pass.
Okay. So the solution is to create an omniverse, right? Um Gollum, one rule, one ring to rule them all. One omniverse to rule them all. But reality is not um is is that it's never going to be like that. And the issue is because um privacy, right? You don't want to be able uh if you can identify people like we're going to have issues with um with uh EU with the GDPR like how are we going to make sure that uh people can remove the information that they have given a specific company after a while. um there's just a lot of transaction, a lot of um uh data complexity and that's it's just going to be very difficult.
However, in my world, that doesn't matter. I'm just going to still try to figure out how we can do this. And so, this is my uh this is how we're going to do this, right? So how do we move forward with new technology when we cannot secure it like a corpor corporation would with the data um we have to challenge the system meaning the laws or whatever system is holding us back restraining us from improving ourselves and this is the kind of way that I think so we challenge the system and we propose solutions. So without further ado we create the solutions. All right, first we get decentralized identity management system. How do we ensure that an
individual says who they say they are across multiple environments? And the way that I think about this is the way we look at maybe domains and they trust each other, but we have an identity management solution provider um being able to uh allow user to access Metaverse one, metaverse 2, but also get that user wanted to access Metaverse 3. there's a trust with another identity management solution provider so they can go across all all three metaverses make sense now the issue here that I have is who is who are these are these corporations or are these countries right is this is this Europe is Europe going to control their people's debt I don't I don't know But it would work
right if there was a trust between countries or maybe trust between corporations by just again my crazy idea. two um device device management solutions, right? Like like I said before, if you have a user, it has to be attributed to to sorry, if you have an individual and you have multiple users across multiple metaverses and that user has a specific device that they use or devices, then they should be attributed to that user, right? And those users should be well those devices should be registered to that user through device management. And those device management providers should have trust with another device management provider so to speak but it's not it's not control. Yes. >> How do you manage devices?
>> That's a good question that I don't have to but I'm trying to figure out.
So >> the user logs into a device is associated with that user solution possibly. Possibly um yes >> like a physical register. >> Okay. Anybody else have So again crazy talk. Crazy talk here. Everybody seen the movies where like like someone gets um like an alien like loses their weapon and like a guy grabs a weapon. They try to pull the trigger and it doesn't work because it has some biometric signal that needs to connect with the weapon and then they take off the guy's hand or healing's hand and they start pulling the trigger. Crazy talk. Crazy talk. I'm telling you this this could happen, right? It could happen next time. All right. Next. Um, decentralized
biometric heuristic attribute attribution. People say that five times fast. How do we ensure that an individual's physical IG factor and behavior belong to the individual? Ensure that it can well that it can access multiple devices. It's the same concept, right? If you have a registered baseline of how you move, how you walk, how you, how you talk, you should be able to attribute that to your identity. You should also be able to attribute that to the devices that are registered to you, whether it's shared. Make sense? All right. I didn't put the fourth one up there, but how about geographic location? You say who you are. Register device. You move the way that you move, but
you're not in the location that you're supposed to be in. Right? Those be like four factors of authentic or four factors to prove true in order to access what you need. So maybe this is maybe this is the solution. We have all of these solution providers have some kind of trust with multiple metaverses at the same time is that you have these multiple solution providers able to show that you're trusted with using uh by doing transactions both from a crypto wallet concern as well as a bank your bank credit card I don't All right, ready to talk over with? Yes, sir. >> So, that's a good question. Um my thoughts are yeah we would be we
would be relying on specific organizations to handle um I would say decentral I want to say decentralized databases of identities devices and behaviors but that gives I don't know um it doesn't give like a true sense of uh decentralization when you can only attribute it to a specific specific set of providers. So the whole point of like blockchain and and all that is is to have you know decentral um decentralized authority in order to make decisions like when you when I talked about these uh decentralized autonomous organizations. You want to be able to have more votes based on you know what you what you put into an organization. How is that going to work in cyber
security? I have no clue. Right. But from my point of view is that as technology improves, we're going to be facing these kind of problems, right, on multiple levels. And my question to those of you who are in the industry is how we address it. My question to you in uh for all of those students is how are you going to address it because this is is it your own maybe right? Yes. Good talk by the way. But uh f first off um is there has future solution one already been proven out? It seems like uh things like um like Mastodon and stuff like that already have it where you have like your centralized uh initial access
and they trust other groups and they talk to each other. >> Yeah. So the question the question was has the first solution didn't prove it out. I if Mastodon has their own solution that's great but the the first solution also included that you have decentralized identification management solution providers. So does Mastodon have a trust relationship with another organization? I think that's how it works right there. There's like like you sign into yours like I say I'm on like the BSC network and then they decide to trust other ones to allow that content in as well. So then like one of those becomes bad and it's like hey we don't trust that anymore. Yeah, of course. There's definitely need
to be multiple administrators of the of the >> still putting the trust in that one person. >> You are you are definitely. >> But my bigger my bigger question about the metaverse in general is what companies are out there doing it right now? Who's like in the industry? Um let's see. Victoria Secret is one. Um I think Deutsche Bank is starting to put their stuff together as well. Um, I know Citizens Day has an initiative going on right now with the metaverse from the from like an attacker's point of view. What does that open them up to? What are you seeing that open them up to? Is there like social engineering activity going on in that area? Is there
what other type of things? >> Yeah. So, so like what I was saying before is like you have you have the same old like tactics impersonation, social engineering to grab credentials, grab grab information. So you have those kind of things that are that'll that'll still continue to happen in the metaverse. Um what just makes it more interesting is that like right now it's like I don't know you have a username and password >> and you get into somebody's account, right? Or two factor authentication, but the second factor may just be the Oculus headset, >> right? So yeah, it's it's really interesting stuff and it's like how how do we as um information security professionals, how do we how do we
address this? It's kind of weird, but it's kind of cool at the same time. Um what else? Yes. How do you address the box issue? >> The box expansion
by some type of AI application. Um what what is going to determine
um I think that that's where the break comes down the same
as the US does so country environments and become somebody who created I don't know I don't know and you know I'm still researching I'm still trying to figure out you know how we can do this because there's a lot of >> there's there's a lot of things I'll say and it'scomes And if we don't control that now at the beginning of it's going to be >> yeah it's it's it's a really interesting method. So that's why
>> yes so so all these things really seems to come down gentlemen.
Sorry. >> Yes. Security, >> right? Before we try to do anything that's making it more, but inherently you're decreasing you're decreasing. That's why I was saying that's why I was saying is that you you sacrifice security for operation speed which you know what we're always dealing with in information security in general like you're making risk exceptions all day and you want to punch people in the throat all day. Um but it's going to be like that in the metaverse and when we have all these different technologies is that what are we going to sacrifice right and then um to make it more complex is um like for GRC professionals how are we going to ensure
that we're following regulations in order to make sure we don't get sued millions of dollars. >> Cool. just kind of leave you chew on that a little bit. Um, but if you have any questions, let me know. But I appreciate your time. Thank you so much.
I'll be here all day.