
Unsurprised it's teenager(s) - a lot of their escalation and traversal attempts as well as their bragging made it seem as though they had not worked in industry.

It's scary to think what someone with actual knowledge of common practice could do with the same kind of approaches.



Microsoft, NVidia, Okta, EA all hacked by someone that’s not state sponsored and sophisticated.

Tells quite a bit about the snake oil that is the current cybersecurity industry and its counterparts, sloppy software development and the lazy pointy-haired boss.


A system is only as strong as its weakest component.

Many companies concentrate all the security efforts at the perimeter.


It's all been social engineering. Are you saying the software developers should have programmed all the humans in these organizations better?


miohtama is not blaming one party in their comment, they are blaming three:

- "cybersecurity industry"

- "sloppy software development"

- "lazy pointy haired boss"

Combine the three, and you end up with breaches like these, although I agree that "sloppy software development" is probably the least likely source of these issues. Thinking that security is just checklists that have to be checked (thinking done by party #1 and party #3) probably carries most of the blame here.


> It's all been social engineering. Are you saying the software developers should have programmed all the humans in these organizations better?

They should have used a login mechanism that didn't fail as spectacularly as passwords. Anything that forces the server to prove its identity to the client should be a good start.


According to the Microsoft analysis of LAPSUS$, they are able to breach MFA-protected accounts as well, through various techniques.

https://www.microsoft.com/security/blog/2022/03/22/dev-0537-...


>Multifactor authentication (MFA) is one of the primary lines of defense against DEV-0537. While this group attempts to identify gaps in MFA, it remains a critical pillar in identity security for employees, vendors, and other personnel alike. See the following recommendations to implement MFA more securely

Ah, MFA, because bolting more passwords (things the user knows and, by knowing, is able to prove his identity with) on top of the first one is a great idea. I'm sure no bad actor will try to get this information too.

MFA might or might not authenticate the server. And relying on user action for security is asking for problems. Is the user a security expert, able to choose the appropriate action? Because sometimes even security experts get phished.

I'm thinking about something simple that has minimal user interactivity. Something like WireGuard, but without random keys in plain text. There are ways to prove identity/exchange keys without directly using private keys.

Something like a TPM/YubiKey.
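The distinction the comment above is reaching for, as an added example that is not part of the thread or of any vendor's code: a one-time code is something the user knows and can be typed into any page, so a phishing proxy that relays it in real time gets in. An origin-bound challenge/response (the property FIDO2/WebAuthn hardware keys have) fails under the same proxy, because the browser, not the page, supplies the origin the user is actually on, and that origin is bound into both the key selected and the message signed. The TOTP below is RFC 6238 over the standard library; the "hardware key" is a deliberately simplified symmetric stand-in for a FIDO authenticator (real ones use asymmetric signatures, and a browser will not even offer a credential for a different RP ID). All origins, seeds and secrets are constructed for the example.

```python
"""Relayed OTP versus origin-bound challenge/response under a phishing proxy.

Simplified model, not a FIDO implementation: HMAC stands in for the
authenticator's signature, but origin binding works the same way.
"""
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://login.example.com"    # assumed legitimate site
PHISH_ORIGIN = "https://login-example.com"   # assumed look-alike proxy domain
TOTP_SEED = b"constructed-seed-not-a-real-secret"
DEVICE_SECRET = b"constructed-device-secret"
FIXED_NOW = 1_700_000_000  # fixed clock so the run is reproducible


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class Authenticator:
    """Per-origin keys; the browser, not page JavaScript, supplies the origin."""

    def __init__(self, device_secret: bytes) -> None:
        self._secret = device_secret

    def key_for(self, origin: str) -> bytes:
        # One credential per origin, as a FIDO credential is scoped to an RP ID.
        return hmac.new(self._secret, origin.encode(), hashlib.sha256).digest()

    def sign(self, origin: str, challenge: bytes) -> tuple[str, bytes]:
        # The signed message carries the origin the user is really on
        # (the role of clientDataJSON.origin in WebAuthn).
        msg = origin.encode() + b"|" + challenge
        return origin, hmac.new(self.key_for(origin), msg, hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, origin: str, totp_seed: bytes, credential_key: bytes) -> None:
        self.origin = origin
        self.totp_seed = totp_seed
        self.credential_key = credential_key  # registered once from the real origin

    def verify_totp(self, code: str, now: int) -> bool:
        # Nothing ties the code to where the user typed it.
        return hmac.compare_digest(code, totp(self.totp_seed, now))

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify_assertion(self, challenge: bytes, reported_origin: str, sig: bytes) -> bool:
        if reported_origin != self.origin:
            return False
        msg = reported_origin.encode() + b"|" + challenge
        expected = hmac.new(self.credential_key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def build() -> tuple[Authenticator, RelyingParty]:
    auth = Authenticator(DEVICE_SECRET)
    rp = RelyingParty(REAL_ORIGIN, TOTP_SEED, auth.key_for(REAL_ORIGIN))
    return auth, rp


def legit_login(now: int = FIXED_NOW) -> tuple[bool, bool]:
    """User is on the real origin: both factors verify."""
    auth, rp = build()
    challenge = rp.new_challenge()
    origin, sig = auth.sign(REAL_ORIGIN, challenge)
    return rp.verify_totp(totp(TOTP_SEED, now), now), rp.verify_assertion(challenge, origin, sig)


def phished_login(now: int = FIXED_NOW) -> tuple[bool, bool, bool]:
    """User is on PHISH_ORIGIN; the proxy relays everything to the real RP in real time."""
    auth, rp = build()
    # 1. OTP: victim reads the code off their app and types it into the fake page.
    otp_relayed = rp.verify_totp(totp(TOTP_SEED, now), now)
    # 2. Origin-bound: proxy forwards the real challenge, but the browser signs for PHISH_ORIGIN.
    challenge = rp.new_challenge()
    origin, sig = auth.sign(PHISH_ORIGIN, challenge)
    fido_relayed = rp.verify_assertion(challenge, origin, sig)
    # 3. Proxy rewrites the reported origin; the MAC was still made with the
    #    phishing origin's key over the phishing origin, so it still fails.
    fido_tampered = rp.verify_assertion(challenge, REAL_ORIGIN, sig)
    return otp_relayed, fido_relayed, fido_tampered


if __name__ == "__main__":
    print("legitimate (totp, fido):", legit_login())
    print("phished (totp, fido, fido with rewritten origin):", phished_login())
```

The point to take from the run is not that the OTP is weak cryptographically (it is a correct HMAC), but that nothing in it names the site, so the user cannot tell a relay from the real thing and the server cannot either. The origin-bound flow moves that decision out of the user's hands, which is what "minimal user interactivity" buys.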


Low to mid-tier support agents are being targeted directly. Sometimes they get phished (yes people will give you MFA codes and authorize push notifications if asked), sometimes they get social engineered, and sometimes they just solicit and pay them. Not just speaking of LAPSUS$ here.


Maybe Okta should have installed Duo or some other MFA solution :^)


We can quibble about whether any system can be hacked through social engineering (certainly /most/ can), but since that's always a weak link, there are ways to defend around it in depth...


No, but developer education and awareness can go a long way.

It is about building a level of trust and psychological safety between software developers and their managers. This way, blameless postmortems can be done in the event of an incident without finger-pointing.


I had a problem with a very persistent hacker once. Constantly causing havoc to my systems. I would talk to him on IRC as he wanted to boast about his exploits. Made himself out to be a 24-year-old Russian living in London and had plenty of anecdotes which seemed authentic.

One day I was on IRC talking to him while at home in the evening. He said "Watch this." My wife's cellphone rang and someone screamed down the phone at her. That was the breaking point for me. I put a €15,000 bounty out there for someone to ID him. A few weeks later I had leads and tracked him down to Germany.

I had German friends dig into it. They found he was a 15-year-old kid working at a video store. My friends called his boss first and gave him the details. Then they called his dear old mother at home and regaled her with the stories of her son's other life.

Never had any trouble from him again after that.


How did you put a bounty on an internet hacker? I'd love to hear the detective story.


I ran a very large Internet community of mostly technical people, so I made it known that the money was there and passed on all the details I'd recorded on the guy.


There almost certainly are more competent hackers exploiting the same vulnerabilities, but we don't know about them because they're not stupid enough to brag about it online.


Wow. Typical HN crowd to diminish anything other than their own accomplishments or lack thereof. This thread also managed to give backhanded comments to NVIDIA and Microsoft.



