Meet ROKKEX Team: Chief Information Security Officer (CISO) Evaldas Usas

in #rokkex6 years ago (edited)

Evaldas Usas is a hacker at heart. His passion for breaking hardware and software systems led him to become a valuable professional in the cybersecurity industry. Beginning his career in the government sector, he later found himself working in one of the largest Scandinavian banks. 

Today, Evaldas has more than 5 years of hands-on experience in both the defensive and offensive sides of cybersecurity. His passion and expertise ensure that he is driven and focused on creating the most secure cryptocurrency exchange in the market — ROKKEX.



We talked with Evaldas about different types of hackers, the importance of security training for employees, what the reasons are for crypto exchanges to be hacked so often, and what measures should be taken beforehand. 


Everyone in the office knows you started breaking various systems from a young age. Do you remember how your first hack happened?

I remember it very well. While being a teenager, I had to go to the hospital for several months. Understanding that I needed to have something to waste my time on, I chose a Sony PSP handheld gaming console. Being a fan of old-school games, I wanted to emulate some NES, SNES roms on that device, so I had to hack the PSP to run emulators.

I had to downgrade my firmware to be able to hack the device. Found a way on the internet to modify the original battery and made a JigKick battery (a.k.a. Pandora battery). That battery initially was designed by Sony to be able to service bricked devices which failed their updates.

I downgraded the PSP, enabled homebrew using a TIFF exploit and enjoyed my time in hospital playing emulated Mario World and other NES and SNES classics. This kickstarted my interest in hacking in general.
After that, I've hacked almost every gaming console. I mostly enjoyed hacks that required some soldering and hardware modifications. The one I'm most proud of is downgrading a dual NAND version of PlayStation 3 console. Everyone who attempted this understands why.

Hackers are usually portrayed negatively. Are all hackers necessarily  bad? What's their main goal? Collateral damage or something else?

It depends on whom do we define as a hacker. There are several types of hackers: white hat hackers (a.k.a. Ethical hackers), black hat hackers, and grey hat hackers. The ones that are definitely bad and can be called computer criminals are the black hat. Compromising systems, they seek for personal gains, often targeting credit card numbers or personal data as this information can be sold very quickly. When a black hat hacker finds a new zero-day vulnerability, he would usually sell it to the highest bidder on the black market.

Then there are grey hat hackers. They do not ask for any permissions to compromise systems, but after compromising, they usually report vulnerabilities to the owner and help them fix it. Grey hat hackers do it for an expected reward. You can say they act like there's a bug bounty even when there is none.

Last, there are white hat hackers. They usually work for some company or freelance as bug hunters. Before acting they always ask for permission, define the scope, and report everything they find to stakeholders, helping to improve the security of the company.

Going back to the original question, definitely, not all hackers are evil. And not all bad guys are motivated by personal gains. Some just seek fame or want to create chaos, carnage, and uncertainty. Some are protesting against some ideologies. Just watch Mr. Robot TV series, you'll understand it better.

Are you doing bug hunting in your free time?

No, I am not doing any bug hunting. Before co-founding ROKKEX, I was into CTF challenges. It was my preferred way to test and improve my skills. Bug hunting never attracted me as I thought I could do some damage to someone's running system.

What was the most exciting CTF (Capture The Flag) challenge you took part in? Why?

I would say it was the one Danske Bank, my previous employer, organized. It was my first CTF, where I worked with the team being in the same room. I was the leader. Since we all had our expertise in somewhat different fields, I was thrilled to see all of us contributing, brainstorming, and getting VERY excited after every point won. We won that CTF by a small margin. Had a great afterparty afterward.

The thing which made this CTF the most memorable was the emotions and working together with your colleagues to reach the common goal.

Being a CISO at ROKKEX, what are your primary responsibilities?

My primary responsibilities are to create a security program here at ROKKEX and make sure we follow it. This includes assessing risks, thinking of possible attack vectors, and creating countermeasures for those.

However, I believe the most important role here for me is to educate our employees. We come from various backgrounds, and everyone must be aware of the threats we are going to face every day. You are as secure as your weakest link, and it became a rule that the weakest link in a company is always people.

Reaching the desired security maturity level is a long term game. We began introducing various restrictions for our employees right from day one. It's easier this way to get our employees to get used to restrictions and be aware from day one.

We joke here at ROKKEX that I'm the most hated guy in the company. I think I can understand why. :)


What metrics or KPIs do you use to measure security effectiveness?

It's not so easy to measure security effectiveness. Imagine a situation when a company has no monitoring and are sitting blind. In their eyes, they are safe, but in reality, they might already be compromised.

In general, you have to monitor as much infrastructure as possible. Count the alerts and incidents. Measure reaction time. In the end, the only thing that matters is whether you are compromised or not. It's a continuous cat and mouse game. Even if you think you are not compromised, the chances are that you are. That's why monitoring as extensive as possible is critical.

Are you planning any security training for employees? Are there any extra security measures within the company?

We already do security training during employee on-boarding. This is crucial to any company as any unconscious employee error can lead to a hack.

Regarding extra security measures, we pay much attention to keep our sensitive data inside the company. Insider's threat is the one I'm afraid the most so screening, monitoring, and controlling employee data and access to it is one of the biggest priorities.

Let's face the elephant in the room, why do you think many crypto exchanges are hacked? What security measures they lack and what should be done differently?

While doing my analysis, I concluded that often, the reason is some insider's job. Either someone helps from inside or a company just exit scams. Let's be real here; there is a lot of money on those exchanges. Unregulated ones do not risk a lot and just pretend they were hacked.

Of course, there were some serious hacks. There are speculations that most of them were state-sponsored by North Korea.

Talking about the lack of security measures, let's start with the obvious. 

  • You can not be serious about security if you use Microsoft Windows in your infrastructure. That is the beginning. By eliminating Windows, you almost completely eliminate the risk of a phishing attack, which is usually the first step to a successful hack.
  • Not secure wireless networks and IoT devices are also a common factor. Companies get their networks silently owned. The bad actor spends time collecting the data, pivoting deeper to the network, gets access to critical components, and strikes when you least expect it. 
  • Some exchanges forget to set their DMARC records, enabling hackers to send spoofed emails to exchange users, pretending to be legit support email, leading to a fake website, and capturing users credentials. 2FA helps here but not every exchange offers that option.
  • It seems like the most widely abandoned security feature is DNSSEC. DNS hijacking is getting more and more popular. Signing DNS records prevents bad actor to take over the DNS server and lead your user to his/her version of the site. By checking its associated signature, you can verify that a requested DNS record came from its authoritative name server and wasn't altered en-route, opposed to a fake record injected in a man-in-the-middle attack.
  • Some exchanges mismanage asset management. Some of them store all funds in hot wallets which makes it an easy target. Others used vulnerable multisignature cold storage wallets and get hacked. We at ROKKEX chose to go to market leaders, Ledger, for a cold storage solution as to meet our security standards ourselves would take too much time which we currently do not have.
  • We also introduced a lot of user-facing security features. The one I like the most is leaked password checking during user registration. We check and inform if the user’s password has previously been leaked using haveibeenpwned provided API.
  • Every secure platform must have constant penetration tests and a public or private bug bounty. Without 3rd party verification, you can not feel secure, no matter how many security measures you implement.

What will be your first question if a security breach would occur in the future?

Are user funds secure?

You may also Like

How Not to be Tracked: 3 Browser Extensions You Need

PoS, PoW, and 12 Other Blockchain Protocols You Didn’t Know About

At ROKKEX, we take security extremely seriously and our crypto exchange is built on ‘Security First’ principle. We want to share our expertise with the broader public for the world to become happy, safe, and wise :)

If you have any ideas and suggestions, contact us at

Website . LinkedIn . Facebook . Twitter . Telegram . Reddit . Instagram .


Sort:  

Congratulations @rokkex! You have completed the following achievement on the Steem blockchain and have been rewarded with new badge(s) :

You made more than 10 upvotes. Your next target is to reach 50 upvotes.

You can view your badges on your Steem Board and compare to others on the Steem Ranking
If you no longer want to receive notifications, reply to this comment with the word STOP

Vote for @Steemitboard as a witness to get one more award and increased upvotes!