A Closer Look at the Lapsus$ Data Extortion Group (krebsonsecurity.com)
180 points by picture on March 23, 2022 | hide | past | favorite | 78 comments


Recent and related:

Okta’s Investigation of the January 2022 Compromise - https://news.ycombinator.com/item?id=30775180 - March 2022 (112 comments)

New Updated Okta Statement on Lapsus$ - https://news.ycombinator.com/item?id=30774193 - March 2022 (24 comments)

Updated Okta Statement on Lapsus$ - https://news.ycombinator.com/item?id=30769537 - March 2022 (220 comments)

Also:

DEV-0537 (LAPSUS$) Criminal actor targeting organizations - https://news.ycombinator.com/item?id=30774406 - March 2022 (0 comments)

Lapsus$ hackers leak 37GB of Microsoft's alleged source code - https://news.ycombinator.com/item?id=30763623 - March 2022 (117 comments)


> At an address listed in the leaked materials as the teen’s home near Oxford, a woman who identified herself as the boy’s mother talked with a Bloomberg reporter for about 10 minutes through a doorbell intercom system. The home is a modest terraced house on a quiet side street about five miles from Oxford University.

> The woman said she was unaware of the allegations against her son or the leaked materials. She said she was disturbed that videos and pictures of her home and the teen’s father’s home were included. The mother said the teenager lives at that address and had been harassed by others, but many of the other leaked details couldn’t be confirmed.

> She declined to discuss her son in any way or make him available for an interview, and said the issue was a matter for law enforcement and that she was contacting the police.

https://www.bloomberg.com/news/articles/2022-03-23/teen-susp...


> The teen is so skilled at hacking -- and so fast -- that researchers initially thought the activity they were observing was automated, another person involved in the research said.

That's when you know you are in the zone! I love the zone.


The press is slowly starting to realise that harassing a teenager might make them the baddies.


Unsurprised it's teenager(s) - a lot of their escalation and traversal attempts as well as their bragging made it seem as though they had not worked in industry.

It's scary to think what someone with actual knowledge of common practice could do with the same kind of approaches.


Microsoft, NVidia, Okta, EA all hacked by someone that’s not state sponsored and sophisticated.

Tells quite a bit about the snake oil that is the current cybersecurity industry and its counterparts, sloppy software development and the lazy pointy-haired boss.


A system is as strong as the weakest component.

Many companies concentrate all the security efforts at the perimeter.


It's all been social engineering. Are you saying the software developers should have programmed all the humans in these organizations better?


miohtama is not blaming one party in their comment, they are blaming three:

- "cybersecurity industry"

- "sloppy software development"

- "lazy pointy haired boss"

Combine the three, and you end up with breaches like these, although I agree that "sloppy software development" is probably the least likely source of these issues. Thinking that security is just checklists that have to be checked (thinking done by party #1 and party #3) probably carries most of the blame here.


> It's all been social engineering. Are you saying the software developers should have programmed all the humans in these organizations better?

They should have used a login mechanism that didn't fail so spectacularly as passwords. Anything that forces the server to prove its identity to the client should be a good start.


According to the Microsoft analysis of LAPSUS$, they are able to breach MFA-protected accounts as well, through various techniques.

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-...


> Multifactor authentication (MFA) is one of the primary lines of defense against DEV-0537. While this group attempts to identify gaps in MFA, it remains a critical pillar in identity security for employees, vendors, and other personnel alike. See the following recommendations to implement MFA more securely

Ah, MFA, because bolting more passwords (things the user knows and, by knowing, is able to prove his identity with) on top of the first one is a great idea. I'm sure no bad actor will try to get this information too.

MFA might or might not authenticate the server. And relying on user action for security is asking for problems. Is the user a security expert, able to choose the appropriate action? Because sometimes even security experts get phished.

I'm thinking about something simple that has minimal user interactivity. Something like WireGuard, but not with random keys in plain text. There are ways to prove identity/exchange keys without directly using private keys.

Something like a TPM/YubiKey.


Low to mid-tier support agents are being targeted directly. Sometimes they get phished (yes people will give you MFA codes and authorize push notifications if asked), sometimes they get social engineered, and sometimes they just solicit and pay them. Not just speaking of LAPSUS$ here.


Maybe Okta should have installed Duo or some other MFA solution :^)


We can quibble about whether any system can be hacked through social engineering (certainly /most/ can), but since that's always a weak link, there's ways to defend around it in depth...


No, but developer education and awareness can go a long way.

It is about building a level of trust and psychological safety between software developers and their managers. This way, blameless postmortems can be done in the event of an incident without finger-pointing.


I had a problem with a very persistent hacker once. Constantly causing havoc to my systems. I would talk to him on IRC as he wanted to boast about his exploits. Made himself out to be a 24-year-old Russian living in London and had plenty of anecdotes which seemed authentic.

One day I was on IRC talking to him while at home in the evening. He said "Watch this." My wife's cellphone rang and someone screamed down the phone at her. That was the breaking point for me. I put a €15,000 bounty out there for someone to ID him. A few weeks later I had leads and tracked him down to Germany.

I had German friends dig into it. They found he was a 15-year-old kid working at a video store. My friends called his boss first and gave him the details. Then they called his dear old mother at home and regaled her with the stories of her son's other life.

Never had any trouble from him again after that.


How did you put a bounty on an internet hacker? I'd love to hear the detective's story.


I ran a very large Internet community of mostly technical people, so I made it known that the money was there and passed on all the details I'd recorded on the guy.


There almost certainly are more competent hackers exploiting the same vulnerabilities, but we don't know about them because they're not stupid enough to brag about it online.


Wow. Typical HN crowd to diminish anything other than their own accomplishments or lack thereof. This thread also managed to give backhanded comments to NVIDIA and Microsoft.


Damn..

> “[He] slowly began making money to further expand his exploit collection,” reads his Doxbin entry. “After a few years his net worth accumulated to well over 300BTC (close to $14 mil).”

> KrebsOnSecurity is not publishing WhiteDoxbin’s alleged real name because he is a minor (currently aged 17)


Not to detract from their achievements..., but we could also simplify it a bit:

> “After a few years his over 300BTC [appreciated] to $14 mil.”


If they're 17 years old, there's no way they bought into BTC recently.

5 years ago, BTC popped up to around $20k, and then fell down to near $3k. It took until December of 2020 to get back up to 20k.

If they were on Tor, they would have known about BTC, and if they were interested in black-hatting, BTC would have probably been the most accessible financial instrument for them to use in that pursuit. I'm 99% sure someone like that would have had a stash kicking around somewhere.

Think anyone paid the group for work? That'd be a good way to fill the coffers.


He bought and sold a doxing site and leaked all the doxers private dox so they super-doxed him in retaliation. After this, he didn't bother to change his username?


Maybe he’s getting framed


I find that more than likely.


The leader of the world's most dangerous hacking syndicate is a minor? How did we get here exactly, in cyberspace security terms?


I don’t think we got here, we’ve always been here: most of us don’t want to go to prison and risk aversion increases with age. Regardless of how (in)secure systems are, the abundance of bad actors will be those with a high risk tolerance.


I think we should expect this kind of thing from teenagers: there's a certain level of out of the box thinking and risk to reward inversion that comes from youth. Brazen solicitation of associates / operatives on public forums is certainly unique, and not a tactic which most other actors would pursue due to the risk involved.

I also think that things aren't as bad as we think security wise. The attacker's lack of industry experience helps with marketing to media who also lack industry experience. Somehow "Lapsus$" are "the world's most dangerous hacking syndicate", but in reality they've fully compromised several Portuguese companies with poor information security to begin with, released a treasure trove of mostly only curiosity-interesting source code from some big names, and posted some screenshots of restricted-access customer support tools. Breathless excitement about each new discovery has whipped the media into a frenzy over disclosures which sound juicy but ultimately aren't altogether that impactful - another accidental benefit of youth, I think.

To me the scariest thing in "cyberspace security terms" probably isn't that a minor has done all this - that seems reasonable to me - but what happens when an adult is inspired to adopt the same approaches? IMO this is the leading edge of something, an innovative approach pioneered by an outsider, less so than it is the trailing edge of "even a teenager could do this."

I think the biggest insight here is the power of chat tools like Slack. These tools need much more robust controls than are currently present at most companies. At most large enterprise software companies I've seen, there is little-to-no role based or level based access control applied to chat, and a vast amount of information is accidentally available in messaging logs, even to employees like contractors or low-trust employee accounts which have been locked out and just "need to Slack someone to get back in." Chat apps need much more access control from both a role and trust level point of view.


> I think we should expect this kind of thing from teenagers: there's a certain level of out of the box thinking and risk to reward inversion that comes from youth. Brazen solicitation of associates / operatives on public forums is certainly unique, and not a tactic which most other actors would pursue due to the risk involved.

Reminds me of: https://en.wikipedia.org/wiki/Ender's_Game

Hoping to earn himself expulsion from the school for his ruthlessness, he sacrifices his entire fleet to fire a Molecular Disruption Device at the planet. The Device completely destroys the planet and the surrounding bugger fleet. He is shocked to hear the I.F. commanders cheering in celebration. Mazer informs Ender that the "simulations" he has been fighting were real battles, directing human spacecraft against Formic fleets via an ansible's instantaneous communication, and that Ender has won the war.


When you're an adult, you lead the syndicates that nobody knows about. I doubt there are many minors in Equation Group


I feel like companies have invested a lot in securing internal services from external actors, and the threat model has moved to compromise these organizations from the inside with underpaid disgruntled employees being promised riches. It should be important not only to punish those insiders involved, but also to have the least possible permissions for developers, support desk workers or anyone really.


> but also to have the least possible permissions for developers, support desk workers or anyone really.

Considering that Okta say they already do "Zero Trust security" and give people the least possible authorization (and also that they were never breached in the first place, still), I don't have a lot of faith in the industry realizing anything from this breach.


A single low paid employee shouldn't have the access rights to do serious damage. For example Okta probably has rate-limits on how many users a CSR can reset the password for.
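The comment above describes the control in one sentence: a support agent's reset action should be scoped, should exclude sensitive targets, and should be rate-limited. The following is an added example, not Okta's code or anything from the article, of what such a guard looks like when written down. The policy numbers (five resets per hour), the role names and the tenant names are constructed for the illustration; every decision is appended to an audit list so a detection rule can later ask how often one agent is being denied.

```python
"""Least-privilege guard around a support-desk password reset.

Constructed example, not Okta's code: before a customer-support agent can
reset a user's password, the service checks scope, target sensitivity and a
per-agent rate limit, and records every decision for detection.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple

# Hypothetical policy values chosen for the example.
MAX_RESETS_PER_WINDOW = 5
WINDOW_SECONDS = 3600
PRIVILEGED_ROLES: Set[str] = {"admin", "super_admin"}


@dataclass
class Agent:
    agent_id: str
    tenants: Set[str]  # customer orgs whose tickets this agent handles


@dataclass
class TargetUser:
    user_id: str
    tenant: str
    role: str


@dataclass
class ResetGuard:
    audit: List[dict] = field(default_factory=list)
    _recent: Dict[str, Deque[float]] = field(default_factory=dict)

    def check(self, agent: Agent, target: TargetUser, now: float) -> Tuple[bool, str]:
        """Return (allowed, reason). Only the reason 'ok' lets the reset proceed."""
        reason = self._evaluate(agent, target, now)
        self.audit.append({"ts": now, "agent": agent.agent_id,
                           "target": target.user_id, "result": reason})
        return reason == "ok", reason

    def _evaluate(self, agent: Agent, target: TargetUser, now: float) -> str:
        if target.tenant not in agent.tenants:
            return "out_of_scope"        # agent has no business with this org
        if target.role in PRIVILEGED_ROLES:
            return "privileged_target"   # admin resets need a stronger process
        window = self._recent.setdefault(agent.agent_id, deque())
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()             # drop resets older than the window
        if len(window) >= MAX_RESETS_PER_WINDOW:
            return "rate_limited"
        window.append(now)
        return "ok"

    def denials(self, agent_id: str) -> Dict[str, int]:
        """Denial counts per reason: a detection signal for a misused account."""
        counts: Dict[str, int] = {}
        for entry in self.audit:
            if entry["agent"] == agent_id and entry["result"] != "ok":
                counts[entry["result"]] = counts.get(entry["result"], 0) + 1
        return counts


def simulate() -> Dict[str, object]:
    """Constructed walk-through: one agent, a burst of resets, then misuse."""
    guard = ResetGuard()
    agent = Agent("agent-42", {"acme"})
    staff = [TargetUser(f"u{i}", "acme", "member") for i in range(7)]
    burst = [guard.check(agent, u, now=float(i))[1] for i, u in enumerate(staff)]
    later = guard.check(agent, staff[0], now=float(WINDOW_SECONDS + 1))[1]
    foreign = guard.check(agent, TargetUser("x1", "globex", "member"), now=10.0)[1]
    admin = guard.check(agent, TargetUser("root", "acme", "admin"), now=11.0)[1]
    return {"burst": burst, "after_window": later, "foreign": foreign,
            "admin": admin, "denials": guard.denials("agent-42")}


if __name__ == "__main__":
    print(simulate())
```

The ordering inside `_evaluate` matters: scope and target checks run before the rate limit so that an out-of-scope attempt never consumes the agent's quota and is always logged under its own reason, which is the signal a SOC would alert on.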


Oh dear, he's never seen Hackers.


Do you mean they are hot as well?


If this group can bribe insiders so easily, imagine what a state-level actor can do.


> imagine what a state-level actor can do

More like, imagine what a state-level actor has done already. Heck they don't even need to carry out hacks of this nature. It would be trivial for a government to embed an agent at any tech company at a way higher level than customer support. Do people really think a top CS graduate recruited to a coveted intelligence role can't pass a FAANG interview?


> Do people really think a top CS graduate recruited to a coveted intelligence role can't pass a FAANG interview?

There are no top CS grads working for any government, other than perhaps academy graduates, and then only temporarily. For a top CS grad, private sector salaries are 5-20x what government will pay, and if they are top CS grads, they'll be smart enough to do the math.


The H1-B program was practically designed to give foreign agents an easy way into our infrastructure.

Think of our top political enemies and consider which direction the Visas go.


Is India an enemy?


I don't think India would weaponize H1-B, but it wouldn't be beyond Russia or China. BTW, having sleeper agents deeply implanted in other countries is an insurance policy.


China and Russia were the two countries I was primarily thinking of when I wrote that post. It's worth pointing out that in the international spy game your friends also spy on you. I feel confident India has agents in the US.


They would be stupid if they didn’t. The US has a tendency to meddle in internal politics of other countries and having sleeper assets in sufficient numbers is a deterrent.

Unfortunately, for these countries, H1Bs are very easy to locate.


The threat of coercion or bribery by a state actor is absolutely real, and has already played out in the past month.

The threat of wilful cooperation by sympathetic employees with loyal ties to their homeland has also been widely covered in several Chinese cases, less so for Russia. This isn’t isolated to those countries either - it’s almost certainly being done by the west too.


You don't see many western nationals embedded in critical Chinese infrastructure. Not a very multicultural society, them.


Have you heard about Snowden? No imagination required.


Is the implication here that Snowden got bought by the Russians? That didn't happen, right? Right?


own all the physical infrastructure, including your cellphone, your computers, your watch, your car, all monitored and owned 24/7?


"Many of LAPSUS$’s recruitment ads are written in both English and Portuguese. According to cyber intelligence firm Flashpoint, the bulk of the group’s victims (15 of them) have been in Latin America and Portugal."

Are they victims or co-conspirators? These people were paid to provide access.


About the language part: I'm a native speaker of Portuguese. Their posts on Reddit[1], requesting paid insiders on some mobile networks, are very clearly machine translated. When they started out, hacking the Ministry of Health here in Brazil, the defacing text had a wrong plural, and was written in a way that a native speaker never would.

[1] https://camas.github.io/reddit-search/#{%22author%22:%22okla...


If I wanted to be hard to detect, I'd run my messages through a couple machine translators so any metrics you may want to collect would be distorted enough it wouldn't be easy to tie them to your own messaging.

And that target is what made me first think of one or more government agents infiltrating and financing the group.


I imagine they meant the corporate victims. That is two separate pieces of evidence that they have some tie to Brazil: the recruits, and the selected corporate victims.


Article didn't mention any Brazilian companies as far as I could see.


It's indirect. Operating in South America, targeting some Portuguese companies, therefore, probably Portuguese speaking.


Phishing-resistant 2FA is the way, I reckon. I think this was included in the Zero Trust Architecture being pushed hard by the US Government post-Colonial Pipeline debacle.
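Two comments in this thread make the same point from different sides: the one asking for a login mechanism where the server proves its identity to the client (and for something like a TPM or YubiKey instead of more typed secrets), and this one naming phishing-resistant 2FA. What makes a FIDO2/WebAuthn key phishing-resistant is origin binding: the authenticator only uses a credential scoped to the relying party, and it signs over the origin the browser actually observed, so a relayed challenge from a look-alike page yields nothing the real site accepts. The block below is an added illustration, not code from any commenter or vendor. It uses an HMAC in place of the public-key signature a real key produces, and the origins, user names and the six-character code scheme are constructed for the example.

```python
"""Why an origin-bound challenge-response resists the phishing that defeats
typed MFA codes.

Constructed example (not the commenter's code, not any vendor's). The
Authenticator stands in for a FIDO2/WebAuthn security key: it holds one key
per relying-party ID and signs over the origin the browser observed, so an
assertion obtained on a look-alike page cannot be replayed to the real site.
An HMAC replaces the public-key signature a real key would make; only the
origin-binding logic matters here.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional


def _host(origin: str) -> str:
    """Relying-party ID derived from the page origin (set by the browser, not the user)."""
    return origin.split("://", 1)[1]


class Authenticator:
    def __init__(self) -> None:
        self._creds: Dict[str, bytes] = {}  # rp_id -> credential key

    def register(self, rp_id: str) -> bytes:
        key = os.urandom(32)
        self._creds[rp_id] = key
        return key  # the relying party stores this to verify later assertions

    def sign(self, origin: str, challenge: bytes) -> Optional[bytes]:
        key = self._creds.get(_host(origin))
        if key is None:
            return None  # no credential scoped to this site: nothing to sign
        client_data = hashlib.sha256(origin.encode() + b"|" + challenge).digest()
        return hmac.new(key, client_data, hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._keys: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def begin_login(self, user: str) -> bytes:
        self._pending[user] = os.urandom(16)  # fresh, single-use challenge
        return self._pending[user]

    def finish_login(self, user: str, origin: str, challenge: bytes, sig: bytes) -> bool:
        expected = self._pending.pop(user, None)
        if expected is None or not hmac.compare_digest(expected, challenge):
            return False  # unknown or already-consumed challenge
        if origin != self.origin:
            return False  # assertion was made for a different page than ours
        client_data = hashlib.sha256(origin.encode() + b"|" + challenge).digest()
        good = hmac.new(self._keys[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(good, sig)


def login_from_page(rp: RelyingParty, user: str, auth: Authenticator, page_origin: str) -> bool:
    """The browser reports the origin the user is really on; the user cannot override it."""
    challenge = rp.begin_login(user)
    sig = auth.sign(page_origin, challenge)
    return sig is not None and rp.finish_login(user, page_origin, challenge, sig)


class TypedCodeRP:
    """Contrast: a typed one-time code carries no notion of where it was typed."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}

    def enroll(self, user: str) -> bytes:
        self._secrets[user] = os.urandom(20)
        return self._secrets[user]

    @staticmethod
    def code(secret: bytes, counter: int) -> str:
        return hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).hexdigest()[:6]

    def verify(self, user: str, counter: int, code: str) -> bool:
        return hmac.compare_digest(self.code(self._secrets[user], counter), code)


def scenario() -> Dict[str, bool]:
    real = RelyingParty("https://login.example.com")  # constructed real origin
    phish = "https://login-example.com.evil.test"      # constructed look-alike
    auth = Authenticator()
    real.enroll("alice", auth.register(_host(real.origin)))

    otp = TypedCodeRP()
    secret = otp.enroll("alice")
    relayed_code = TypedCodeRP.code(secret, 1)  # phisher asks for it, then relays it

    return {
        "bound_real_site": login_from_page(real, "alice", auth, real.origin),
        "bound_phish_page": login_from_page(real, "alice", auth, phish),
        "typed_code_relayed": otp.verify("alice", 1, relayed_code),
    }


if __name__ == "__main__":
    print(scenario())
```

Two independent checks defeat the relay: the authenticator has no credential for the phishing host, so it produces no assertion at all, and even an assertion somehow made under another origin fails the relying party's origin comparison. The typed code has neither property, which is the gap the earlier comment about "bolting more passwords on top" is pointing at.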


I find it hard to swallow this group is not state-sponsored or, at least, wasn't hired by some state agent at some point.


I kinda love it: you take some people working for these big corps doing customer service, who are exploited and paid like shit, and give them money to f*ck their exploiters. That's awesome.


These are very bad people:

> "... prior to launching LAPSUS$, WhiteDoxbin was a founding member of a cybercriminal group... specialized in SIM swapping targets of interest and participating in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address."


I said I like the concept of people paying exploited, unfairly paid people to knee their exploiters; then that was it. Like, just avoid traveling with the brain and go to unexplored lands where I said "oh, I like bomb threats and hostage situations".


To be clear, WhiteDoxBin is bribing individuals to commit crimes, for which they may later go to prison. Also, WhiteDoxBin is a horrible person in other ways. I don't see anything to like or love.


The world is full of horrible people who are worshipped just because they poison society, either by corrupting politicians or by operating in the grey areas of the law. I am by vocation against companies and corporations; whatever people do to make them suffer, I like.

So, that he’s paying some individuals to commit crimes doesn’t make him a horrible person by default. In my opinion, the law is just there to protect the wealthy; it is not something that defines what is just, correct or fair. There is nothing intrinsically noble in respecting the law and there is nothing intrinsically horrible in not respecting it.


...what is your vocation...? That's by default against corporations and companies?


So, you're ok with exploiting already exploited people even more? Just this time for purely criminal endeavors? If you do things like that you are a horrible person, period.


People live such incredibly dark lives. I really can’t even comprehend wanting that. I’d rather kill myself.


I'm not a communist, but this is a modern democratic capitalist disease.

I don't have the answer, but grinding subsections of society into the dust is not the answer.


The "customer service" role itself is an invention for companies to absolve themselves of core responsibilities.

Company screws up, the only option available is "contact customer service." And actually getting in touch with customer service is made as difficult as possible by design.

If you do have the patience and persist, it turns out the customer service agent doesn't have the power to do anything either. In a lot of cases (as it was for the Okta incident) they don't even work for the company in question!


First, let me acknowledge that some companies do truly have terrible customer service. But some have great customer service. Both types of companies exist.

However...

> The "customer service" role itself is an invention for companies to absolve themselves of core responsibilities.

This seems like a pretty extreme take. Are you saying that customer service shouldn't exist?

I could easily reframe this to say "Companies employ customer service departments to fulfill their responsibilities which they otherwise could not scale without a department dedicated to it".

Even if software is perfect and has no bugs, most software that has a customer service department behind it is also sufficiently complex that at some point, support is going to need to get involved. This is especially true in the enterprise software space where Okta plays.

What is the alternative?


I don't mean the job title itself, but the fact that companies employ (or mostly outsource) a team of people whom they treat as second-class citizens and do not give the necessary tools to fulfill these responsibilities you mention. These agents are paid mostly to be a sounding board for customer abuse.


That is a very broad generalization of customer service/support organizations. That is certainly not the case for organizations I've personally worked for, and that includes time I spent as a phone tech early in my career.

> the fact that companies employ ... a team of people who it treats as second class citizens and does not give the necessary tools to fulfill these responsibilities

Again, I acknowledge that there are orgs that do exactly what you describe, and sure, call out the bad where it exists, but it's also not fair to generalize this to "companies".


Most of the customer service I've ever interacted with was not much more than whipping boys for disgruntled customers to unload on.


And while you are at it, you are also f*cking innocent bystanders, like their employees and customers. That's awesome.


The people who provide the funding and the labor which perpetuate the existence of employers who exploit workers aren't innocent -- simply complicit. Or, at best, negligent.


> that are exploited and paid like s__t

I wouldn't say that they are badly paid compared to local wages.

One of the FAANGs' outsourced customer support accounts here starts at $11,000 yearly.

It may not seem that much compared to U.S. wages, but that would easily place you in the highest 10% wages here.


11k puts you in the top 10% of El Salvadoran wages?


Hi! I'm updating my parent post with more accurate data:

* $11K/year would place you in the top 16% wages

* $14K/year would place you in the top 10% wages.

These stats don't include commissions (like the ones sales teams get), people who are self-employed, the informal sector, or business owners that don't receive a wage.


Did you read this bit? "first surfaced....extortion demand on Brazil’s Ministry of Health". If you are still of the same opinion... just saying that providing primary care by getting down there and using your skills to improve the situation would be preferable to simply extorting money because the bureaucracy running the caregivers is flawed.



