Changing the pace again because SO MUCH IS HAPPENING! It is hard to keep up.
Web3 feels the burn of Web2.
Since our webinar on NFTs and scams, we have been following this area closely. Do you remember the OpenSea security incident from February? It happened right before our webinar on NFTs. Basically, OpenSea was upgrading its security so it asked its users to make a change, which they alerted the users to via email. A criminal sent an intercepting email trying to trick OpenSea users to click on a false link that would give the attacker access to the user’s wallet. It was so targeted that the attackers must have known about OpenSea’s security upgrade to target the phishing email so successfully. When that happened, all I could think about was, how did the criminal know the email addresses of OpenSea’s users? I am not sure I got my answer, but now I have a suspicion. Mailchimp disclosed last week that it had suffered a breach that targeted crypto accounts. The timing doesn’t seem to align and I could not figure out through my usual sleuthing if OpenSea even uses Mailchimp, but I do know that the start of a security incident is hard to pin down.
More on Mailchimp breach.
More on OpenSea phishing incident.
It’s just a stupid questionnaire.
PCI DSS is upgrading to version 4.0, which remains the optional version until March 31, 2024, when it becomes mandatory. I read a blog post about it because of this quote, “Given that PCI security assessments are not conducted under privilege, businesses should be prepared for the assessment papers to be scrutinized in the wake of a security incident.” All those answers without legal privilege means they can and will be used against you in a court of law. Frightening.
More on the new PCI DSS standards.
Teenagers, Am I Right?
My co-founder, George, told me that his wife noticed a kid in her class was trading crypto when he should have been listening. So, that’s what teenagers do for fun these days? Turns out that the pandemic may have had another effect on our youth that we are just starting to uncover. Instead of your sly 14 year old drinking alcohol or smoking pot behind your back, now they are “doxxing” friends online and finding ways to hack major corporations. LAPSUS$, the famous hacker group behind the Okta breach, was run by a group of teenagers. How did law enforcement figure it out? Well, apparently the two best friends behind LAPSUS$ had a falling out so one ratted out the other. I guess the playground changed, but not those tricky high school social constructs.
More on LAPSUS$.
More on the Okta compromise.
Another Day, Another Crypto Hack
It’s a bit old news now, but we talked about the Ronin Network breach during our webinar on cryptocurrencies last month. It seems to me that it is another case of human error leading to a security incident. But they got a bail out! I mean, that is crazy that Binance stepped in here to help the network survive. I have to admit that I am a bit critical. It isn’t nearly enough money to reimburse people, as the article claims that the money is for, but it is definitely enough to ease the pain. I am critical because it feels to me a bit like paying the hackers, which raises tough questions. The toughest question is, if Ronin is responsible for the vulnerability that led to the breach (and it seems like they are) then are they entitled to a bail out?
More on Ronin Network breach.
More on the bail out.
How to Start a DAO
We’ve covered a lot of topics about web3.0 technology and DAOs are no exception. I am fascinated by the governance potential of a DAO. And, yet, I find myself horrified that the mistakes being made by DAOs are usually ones that corporate law figured out decades ago. So, this corporate lawyer decided to start a DAO. I reached out to one of my women’s networks and about 100 women signed up! I will let you know how it goes…
Wrapping up, I was speaking to an individual the other day who asked me where I get my information on web3.0 technology and security. I told him I would send him all the blogs and publishers that I follow. Turns out, I don’t follow any. I just read a lot and do research. But then I found https://web3isgoinggreat.com/. It is a timeline of security issues in web3.0 and it is awesome.
Next webinar is May 24 and we are covering the Metaverse and regulation.
If you like this style of newsletter, let me know! I am thinking of keeping it for a while.
You’re the best,
Caroline
About the author: Caroline McCaffery is a co-founder at ClearOPS, offering third party risk management for both buyers and sellers. She is a frequent blogger and speaker with over 20 years of experience as a lawyer working with tech startups. You can connect with her on Linkedin.
About ClearOPS. ClearOPS is disrupting third party risk management. Nah. Just kidding. We hate the term “disruption.” We are just a simple software company solving some annoying problems, namely responding to assessments and questionnaires and keeping track of your third and fourth parties. Inquiries: info@clearops.io