how to write up and split incidents that have multiple causes


Kurt Seifried

Feb 22, 2022, 12:03:21 PM
to GSD Discussion Group
So if you've ever watched an airline investigation documentary you know that airplane crashes rarely have a single fault. In most cases, there are multiple faults/problems that line up, and then something that isn't supposed to happen, like a fuel pipe rupturing due to bad maintenance and the captain pumping more gas into the tanks that are actively losing fuel, and the plane runs out of fuel (https://en.wikipedia.org/wiki/Air_Transat_Flight_236), or even more simply because math is hard (https://en.wikipedia.org/wiki/Gimli_Glider).

Looking at the opensea.io NFT phishing hack from the weekend and we have:

17 people confirmed exploited, lost NFTs worth over a million dollars.

1) The attacker sent out a phishing email; the good news is opensea.io has SPF/DKIM/DMARC properly set up. So the attacker used a similar-looking domain name (I'm assuming, I haven't confirmed this yet). One possible thing opensea.io could have done here was also use BIMI (https://bimigroup.org/), which I have set up for cloudsecurityalliance.org (it costs $1,000-2,000, plus you have to have your DMARC in a mature quarantine, 100%, etc. policy). I would say this is less of a vulnerability and more of a risk/hardening step that high-value email domains should take. E.g. a lack of any SPF/DKIM would be a vulnerability in my opinion because it makes email spoofing far too easy.

2) The attacker set up a fake website that people fell for. Not sure what can be done here. I feel like wallet software should maybe be smarter, so e.g. email -> web browser -> wallet: the wallet checks the URL when being presented a transaction to sign and makes sure it matches what it should be (e.g. opensea.io and not opensea-attacker-legit-yo.com). Again this is more of a hardening step, but in line with what other software such as password managers is already doing.

3) The attacker leveraged a 4-year-old abandoned contract written by opensea.io. Had opensea.io terminated this contract the vulnerability wouldn't have been exploitable. This is definitely 3a) a vulnerability in the old contract and 3b) a vulnerability in having 4-year-old abandoned software floating around.

4) The user wallets don't show what is going on clearly enough, e.g. "YOU'RE SIGNING A 4 YEAR OLD CONTRACT THAT HAS BEEN REPLACED!" and/or "YOU'RE SIGNING A CONTRACT THAT HAS A DANGEROUS CLAUSE". One thought here is opensea.io can publish a list of contracts that are current and valid, and anything else (older) is suspect and shouldn't be interacted with unless extreme caution is taken.

So I'm thinking basically:

GSD-1 for the incident (parent)
GSD-2 4-year-old abandoned contract for the vulnerability (child of GSD-1)
GSD-3 wallet software UI is unsafe and doesn't make it clear what is going on, maybe CWE-451 or CWE-357? This one is squishy and not super actionable, but maybe is a good warning? (child of GSD-1)
GSD-4 lack of BIMI hardening; rationale: high-value email domains should probably do BIMI now (child of GSD-1)

I don't think the fake website warrants a GSD. Or if it does, it's more of a wallet issue.


Kurt Seifried (He/Him)
Chief Blockchain Officer and Director of Special Projects
Cloud Security Alliance
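Added example for item 1 above (not code from the original post, from OpenSea, or from the BIMI group): a small DMARC record parser plus a readiness check that applies the bar the post describes for BIMI, an enforcing policy (p=quarantine or p=reject) at pct=100 with no weaker subdomain policy. The record strings are constructed for the example rather than looked up in DNS; in practice you would fetch `_dmarc.<domain>` TXT and feed it in.

```javascript
// Added example, not from the original post. Parses a DMARC TXT record and
// reports whether the policy is "mature" in the sense the post uses for BIMI:
// enforcing (quarantine/reject), applied to 100% of mail, and not relaxed for
// subdomains via sp=. Input records are constructed strings, not DNS lookups.

function parseDmarc(txt) {
  // DMARC records are ';'-separated tag=value pairs and must start with v=DMARC1.
  const tags = {};
  for (const part of txt.split(';')) {
    const item = part.trim();
    if (!item) continue;
    const eq = item.indexOf('=');
    if (eq < 0) continue;
    tags[item.slice(0, eq).trim().toLowerCase()] = item.slice(eq + 1).trim();
  }
  return tags.v === 'DMARC1' ? tags : null;
}

function bimiReadiness(txt) {
  const tags = parseDmarc(txt);
  if (!tags) return { ready: false, problems: ['no valid DMARC record'] };
  const problems = [];
  const enforcing = (v) => v === 'quarantine' || v === 'reject';

  const p = (tags.p || '').toLowerCase();
  if (!enforcing(p)) problems.push(`p=${p || '(missing)'} is not an enforcing policy`);

  // sp= defaults to p=; an explicit sp=none lets subdomains be spoofed.
  const sp = (tags.sp || p).toLowerCase();
  if (!enforcing(sp)) problems.push(`sp=${sp} leaves subdomains unenforced`);

  // pct= defaults to 100; anything lower means some spoofed mail is not acted on.
  const pct = tags.pct === undefined ? 100 : Number(tags.pct);
  if (pct !== 100) problems.push(`pct=${tags.pct} (must be 100)`);

  return { ready: problems.length === 0, problems };
}
```

The check is deliberately stricter than "has a DMARC record": a p=none record satisfies SPF/DKIM/DMARC deployment checklists but does nothing against a spoofed From: header, which is exactly the gap the post's hardening step is about.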

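Added example for items 2 and 4 above (not code from the original post, from OpenSea, or from any wallet vendor): a wallet-side pre-signing check that applies the two hardening ideas the post raises, the page presenting the transaction must come from the expected site rather than a lookalike, and the contract being called must be on a list the site publishes as current, with replaced contracts flagged explicitly. It also warns on a blanket-approval call (setApprovalForAll), standing in for the post's "dangerous clause". The policy object, the contract addresses and the requests are constructed for the example; a real wallet would fetch the published list and verify its signature rather than hard-code it.

```javascript
// Added example, not from the original post. A pre-signing policy check a
// wallet could run before showing the user a "Sign" button. Everything below
// (policy, addresses, requests) is constructed for illustration.

// ERC-721/ERC-1155 setApprovalForAll(address,bool) function selector.
const SET_APPROVAL_FOR_ALL = '0xa22cb465';

// Constructed policy: for each site, the contracts it currently publishes as
// live and the ones it has replaced. Addresses are placeholders, not real ones.
const EXAMPLE_POLICY = {
  'opensea.io': {
    currentContracts: new Set(['0x00000000000000000000000000000000000000a1']),
    retiredContracts: new Set(['0x00000000000000000000000000000000000000b2']),
  },
};

function hostOf(origin) {
  try {
    return new URL(origin).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// req = { origin, to, data }: the page that asked for the signature, the
// contract address being called, and the calldata (0x-prefixed hex).
function evaluateSigningRequest(req, policy) {
  const warnings = [];
  const host = hostOf(req.origin);
  if (!host) return { allow: false, warnings: ['unparseable origin'] };

  // 1. Origin check: the exact site or one of its subdomains, never a lookalike
  //    such as opensea-attacker-legit-yo.com or opensea.io.evil.example.
  const sites = Object.keys(policy);
  const site = sites.find((d) => host === d || host.endsWith('.' + d));
  if (!site) {
    const lookalike = sites.find((d) => host.includes(d.split('.')[0]));
    warnings.push(lookalike
      ? `origin ${host} is not ${lookalike} but resembles it`
      : `origin ${host} is not a known site`);
    return { allow: false, warnings };
  }

  // 2. Contract check against the site's published list. A retired contract
  //    gets the loud "replaced" warning the post asks for; an unknown one is
  //    merely suspect.
  const to = String(req.to).toLowerCase();
  const entry = policy[site];
  if (entry.retiredContracts.has(to)) {
    warnings.push(`contract ${to} has been replaced by ${site}; do not sign`);
  } else if (!entry.currentContracts.has(to)) {
    warnings.push(`contract ${to} is not on the current list published by ${site}`);
  }

  // 3. Dangerous clause: a blanket operator approval lets the approved address
  //    move every token the user holds in that collection.
  if (String(req.data || '').toLowerCase().startsWith(SET_APPROVAL_FOR_ALL)) {
    warnings.push('transaction grants setApprovalForAll to another address');
  }

  return { allow: warnings.length === 0, warnings };
}
```

The origin match is an exact host or suffix match, not a substring match, so "opensea.io.evil.example" does not pass as a subdomain; the substring test is used only afterwards, to turn a plain rejection into a "this resembles opensea.io" warning the user can act on.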
Kurt Seifried

Feb 22, 2022, 12:11:17 PM
to GSD Discussion Group
Yeah, screenshots from Coinbase Wallet for example (triggered by logging into opensea). I can't even confirm the address without cut and paste and so on.


-Kurt

Kurt Seifried

Feb 22, 2022, 9:16:16 PM
to GSD Discussion Group