Homeland Security details how teen hackers breached some of the biggest targets

wackazoa

Ars Scholae Palatinae
1,057
There's a novel idea. Companies that make billions should put thought and effort into protecting themselves and their customers from outside/"inside" threats. Wonder how that's gonna be received.

Oh, who am I kidding. After the article about Wells Fargo the other day, I'm getting more and more cynical about things.

Perhaps, and I'm not saying that I'm a hacker or that I want anything to be hacked, if some "good" hacking group were to grab and offer up the personal data of the executive and board level suits, then companies would care about actually protecting it.



Here is one caveat to my drivel... it is awfully hard to make something bulletproof. If there is a desire for it, people will just make a bigger bullet.

But if you make it hard enough, you make the desire lesser and the odds of catching the attack greater.
 
Upvote
70 (71 / -1)

Bigdoinks

Ars Scholae Palatinae
1,003
Krebs did a write-up on Lapsus going through the indictments when the FBI arrested a bunch of the kids. IIRC, they played tons of people pretty hilariously (disclaimer: Hacking is NOT COOL!) in a way security professionals with master's degrees and decades of experience couldn't prevent, and one tried to bluff the FBI agents interviewing them several times. It really debunks the "(un)motivated attacker" view of security through obscurity preventing script kiddies.
"These aren't script kiddies, they're script teenagers" [suspense noise]
 
Upvote
89 (89 / 0)
Krebs did a write-up on Lapsus going through the indictments when the FBI arrested a bunch of the kids. IIRC, they played tons of people pretty hilariously (disclaimer: Hacking is NOT COOL!) in a way security professionals with master's degrees and decades of experience couldn't prevent, and one tried to bluff the FBI agents interviewing them several times. It really debunks the "(un)motivated attacker" view of security through obscurity preventing script kiddies.
"These aren't script kiddies, they're script teenagers" [suspense noise]
The FBI? All the reporting I've managed to dig up says that it was the City of London Police that made the arrests. Do you have a link to the indictment or Krebs' writeup? I couldn't find it during a quick trawl through the archives.
 
Upvote
36 (36 / 0)

uberist

Wise, Aged Ars Veteran
110
A ragtag bunch of amateur hackers

OK, so not nation state hackers like Russia and North Korea, sounds kind of cute?

Hacking into Brazil’s Ministry of Health and deleting more than 50 terabytes of data stored on the ministry’s servers

OK, actually just as sociopathic and evil as nation state hackers like Russia and North Korea. **** them.
 
Upvote
58 (58 / 0)

Bigdoinks

Ars Scholae Palatinae
1,003
The FBI? All the reporting I've managed to dig up says that it was the City of London Police that made the arrests. Do you have a link to the indictment or Krebs' writeup? I couldn't find it during a quick trawl through the archives.
https://krebsonsecurity.com/2022/04/the-original-apt-advanced-persistent-teenagers/
https://krebsonsecurity.com/2022/04/leaked-chats-show-lapsus-stole-t-mobile-source-code/
https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/
This was several months ago; there was a link to the actual sworn FBI affidavit somewhere on one of these pages.
I tried searching on Google and DDG and the results are being diluted by irrelevant "Trump indictment/affidavit" pages.
 
Upvote
31 (31 / 0)
https://krebsonsecurity.com/2022/04/the-original-apt-advanced-persistent-teenagers/
https://krebsonsecurity.com/2022/04/leaked-chats-show-lapsus-stole-t-mobile-source-code/
https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/
This was several months ago; there was a link to the actual sworn FBI affidavit somewhere on one of these pages.
I tried searching on Google and DDG and the results are being diluted by irrelevant "Trump indictment/affidavit" pages.
Right, I saw and skimmed those articles, but as far as I can see none makes mention of LAPSUS$ members interacting with FBI agents beyond the FBI seizing one of their AWS data dumps. It's entirely possible I'm missing something.
 
Upvote
17 (17 / 0)

LostFate

Ars Scholae Palatinae
974
Reading daily the number of companies who admit to being hacked is worrying. When it is so easy for teenagers to gain access, how much easier for the nation states who have so much more resources?
Sadly, the recommendations are rarely implemented, and if they are implemented, it takes way too long.
To be fair, an immutable law of the universe is that absolutely nothing will stand between a bored teenager and what they want at any particular moment. Things like parental filters and such are overwhelmingly useless and always have been.
 
Upvote
31 (31 / 0)

Bigdoinks

Ars Scholae Palatinae
1,003
Right, I saw and skimmed those articles, but as far as I can see none makes mention of LAPSUS$ members interacting with FBI agents beyond the FBI seizing one of their AWS data dumps. It's entirely possible I'm missing something.
I looked as well, and couldn't find it. It was the FBI special agent's affidavit to extradite "white" from the UK to the US. It might have been a different site too. I think the fact that they were a minor when they committed the crimes is also possibly preventing an easy search by defendant name.
 
Last edited:
Upvote
9 (9 / 0)

Fuzzypiggy

Ars Scholae Palatinae
1,108
When you're young you can think incredibly fast; you're not tied down by years and years of doing the same thing using the same tired ideas. Everything is new and you will do and try things just for the hell of it, even when smarter people tell you it won't work.

To be honest we could all do with a bit more of that teen spirit these guys show, something we all surrender over time as we get older and set in our safe ways.
 
Upvote
67 (69 / -2)

Malvineous

Wise, Aged Ars Veteran
116
The people that downvote this don't get it. The phone calls are the wrench. You can create all the sophisticated security systems in the world, but if you break down the person controlling the machine, it becomes meaningless.
It's not being downvoted because people don't understand it, it's being downvoted because so many of us already read xkcd and posting a link to one is a bit of a tired cliché. If you're going to do it, at least add some sort of commentary or additional information to make it worthwhile (and no, stating "obligatory xkcd" doesn't count...)
 
Upvote
7 (31 / -24)

Fatesrider

Ars Legatus Legionis
25,180
Subscriptor
Hack the planet!
We did, only we hacked the environmental control systems and permanently set them to "bake".

My take about this is that we accept all of the damage that "Dave" will do to infosec systems and design infosec systems to at the very least sound an alarm when, not if, they're breached. The most annoying thing I've found about these hacks is that they're discovered weeks, to years, after they happened.

In addition to beefing up systems to prevent intrusion, it'd be nice if we had more active and reliable intrusion detection. Accepting that no intrusion prevention system is going to keep everyone out, at least have equally (or more) robust systems that warn when an intrusion has happened.
 
Upvote
15 (16 / -1)

Kanten

Ars Scholae Palatinae
863
Remember the breathless brouhaha about FIDO2 and passkeys?

This is what FIDO2 was designed to fight. Specifically, making sure the authentication device is within a few feet of the point of access being authenticated.
I'd feel slightly less gross if the information on new standards had been distributed effectively and not been bogged down in Google PR peppering "death of the password" in every headline to the point it could have been a drinking game.
 
Upvote
27 (27 / 0)

Celery Man

Ars Legatus Legionis
10,060
It's not being downvoted because people don't understand it, it's being downvoted because so many of us already read xkcd and posting a link to one is a bit of a tired cliché. If you're going to do it, at least add some sort of commentary or additional information to make it worthwhile (and no, stating "obligatory xkcd" doesn't count...)
It’s for the people who haven’t read it…
 
Upvote
14 (19 / -5)
Krebs did a write-up on Lapsus going through the indictments when the FBI arrested a bunch of the kids. IIRC, they played tons of people pretty hilariously (disclaimer: Hacking is NOT COOL!) in a way security professionals with master's degrees and decades of experience couldn't prevent, and one tried to bluff the FBI agents interviewing them several times. It really debunks the "(un)motivated attacker" view of security through obscurity preventing script kiddies.
"These aren't script kiddies, they're script teenagers" [suspense noise]
It's all fun and games until a real threat from some totalitarian government hacks these teenagers..
 
Upvote
7 (7 / 0)

cerberusTI

Ars Tribunus Angusticlavius
7,175
Subscriptor++
No amount of 2FA is going to stop this kind of social engineering. The people accessing the system in this case are the people who are allowed to access the system, so they have the FIDO2 keys already. You would need a system where changes require review by multiple people to stop that kind of stuff.
It helps against that particular attack because it keys the device, which not all MFA systems do.

Other ways to do this are issuing an RSA key as is common in SSH connections (at which point they need the key from that computer, not just a password), or storing a cookie in your browser and putting you through enhanced validation if it is not found (which indicates you have not logged in from that device before).
 
Upvote
10 (11 / -1)
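The two posts above (Kanten's "this is what FIDO2 was designed to fight" and cerberusTI's point that a FIDO2 key "keys the device") can be shown concretely. The following is an added example, not code from the thread or from any FIDO2 implementation: it models a relying party, a browser and an authenticator, and runs a legitimate login, a replay, and a lookalike-site relay through them. The assumptions are that the authenticator signs with a per-site HMAC secret that the server also holds (a real key uses an asymmetric key pair and the server stores only the public key; the origin-binding property shown is the same), and that the hostnames `example.com`, `login.example.com` and `login.example-com.net` are constructed for the demo. The contrast function at the end shows why a six-digit code the user reads out does not have this property.

```python
"""Added example: origin-bound assertions versus a phishing relay (standard library only)."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit

RP_ID = "example.com"                            # constructed relying-party ID
REAL_ORIGIN = "https://login.example.com"        # constructed genuine login page
PHISH_ORIGIN = "https://login.example-com.net"   # constructed lookalike page


def _canon(client_data):
    """Stable serialization of the clientData the browser hands to the key."""
    return json.dumps(client_data, sort_keys=True).encode()


class Authenticator:
    """Stands in for a hardware key: one secret per site that never leaves the device.
    Assumption: symmetric HMAC replaces the real key's asymmetric signature."""

    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]          # a real key would hand back a public key

    def sign(self, rp_id, client_data):
        # client_data["origin"] was filled in by the browser, not by the user.
        return hmac.new(self._keys[rp_id], _canon(client_data), hashlib.sha256).digest()


class RelyingParty:
    """The genuine login server."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self._credentials = {}
        self._pending = set()

    def enroll(self, user, credential):
        self._credentials[user] = credential

    def issue_challenge(self):
        challenge = secrets.token_hex(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, user, client_data, signature):
        challenge = client_data.get("challenge")
        if challenge not in self._pending:
            return False                   # unknown, expired or replayed challenge
        self._pending.discard(challenge)   # every challenge is single use
        if client_data.get("origin") != self.origin:
            return False                   # assertion was signed for a different site
        expected = hmac.new(self._credentials[user], _canon(client_data), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def browser_assert(auth, page_origin, challenge, enforce_rp_id=True):
    """What a browser does: refuse if the page is not under RP_ID, otherwise build
    clientData from the origin it is actually on and ask the key to sign it."""
    host = urlsplit(page_origin).hostname or ""
    if enforce_rp_id and not (host == RP_ID or host.endswith("." + RP_ID)):
        return None
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    return client_data, auth.sign(RP_ID, client_data)


def _enrolled_pair():
    auth, rp = Authenticator(), RelyingParty(RP_ID, REAL_ORIGIN)
    rp.enroll("alice", auth.register(RP_ID))
    return auth, rp


def legitimate_login():
    auth, rp = _enrolled_pair()
    client_data, sig = browser_assert(auth, REAL_ORIGIN, rp.issue_challenge())
    return rp.verify("alice", client_data, sig)


def replayed_assertion():
    """A captured assertion presented a second time: the challenge is spent."""
    auth, rp = _enrolled_pair()
    client_data, sig = browser_assert(auth, REAL_ORIGIN, rp.issue_challenge())
    rp.verify("alice", client_data, sig)
    return rp.verify("alice", client_data, sig)


def phished_login():
    """Adversary-in-the-middle: the lookalike page relays the real site's challenge."""
    auth, rp = _enrolled_pair()
    challenge = rp.issue_challenge()       # the proxy fetched this from the real site
    # 1. A conforming browser refuses outright: the page's host is not under RP_ID.
    browser_refused = browser_assert(auth, PHISH_ORIGIN, challenge) is None
    # 2. Even if some client signed anyway, the signed origin is the phishing
    #    page's, so the genuine server rejects the relayed assertion.
    client_data, sig = browser_assert(auth, PHISH_ORIGIN, challenge, enforce_rp_id=False)
    return {"browser_refused": browser_refused, "server_accepted": rp.verify("alice", client_data, sig)}


def otp_relay():
    """Contrast: a code the user reads off a phone names no origin, so the lookalike
    page forwards it and the real server has nothing to compare beyond the digits."""
    code = f"{secrets.randbelow(10**6):06d}"   # what the user's phone shows
    typed_into_phish = code                      # user enters it on the lookalike page
    forwarded_by_proxy = typed_into_phish        # relayed within the validity window
    return hmac.compare_digest(forwarded_by_proxy, code)
```

The point the thread is circling: the key is bound to the page the browser is really on, not to whatever the caller on the phone claims the page is, and the server checks that binding inside the signed data. None of this helps when the legitimate holder of the key is talked into performing the action themselves, which is why cerberusTI's multi-person review for sensitive changes is a separate control.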

iAPX

Ars Scholae Palatinae
1,038
I have been doing online services for four decades; nothing about this is really new.

In fact the CCC (Chaos Computer Club) used social engineering to access accounts, with people dedicated to obtaining public records about targets, which meant going to local administrations to ask for these records and befriending them as much as possible.

As security experts, we have to protect people from themselves while making their work (and their account access!) easy, instead of relying on tiring protocols that they won't follow under pressure and that will make their lives more miserable!

Strongly secured biometrics inside devices, avoiding long passcodes they won't remember (and so write down or reuse everywhere), a password manager inside their computer sessions, and a physical FIDO2 key (both as 2FA for the session and for opening the password manager).
Limit the use of human-generated passwords as much as possible, and use 2FA as much as possible (biometric + FIDO2 key).

Notice that the FIDO2 key can stay connected; when authentication is needed, the user just has to tap it. Fast and easy. Some also integrate fingerprint biometrics for elevated security.
 
Last edited:
Upvote
11 (11 / 0)
To be fair, an immutable law of the universe is that absolutely nothing will stand between a bored teenager and what they want at any particular moment. Things like parental filters and such are overwhelmingly useless and always have been.
Time limits on network access are a pain in the ass. I am fortunate enough to be able to stay mostly ahead of my teen so far. One is frustrated when the "internet doesn't work" when actually TikTok is blocked.

Occasionally workarounds would be found. I enjoyed that because the tit for tat experience helped me dive into the mind of someone who was trying to get somewhere they shouldn't. If only I could social engineer them into thinking they weren't supposed to get their homework done.
 
Upvote
19 (19 / 0)