Homeland Security Report Details How Teen Hackers Exploited Security Weaknesses In Some of the World's Biggest Companies (cnn.com)
An anonymous reader quotes a report from CNN: A group of teenage hackers managed to breach some of the world's biggest tech firms last year by exploiting systemic security weaknesses in US telecom carriers and the business supply chain, a US government review of the incidents has found, in what is a cautionary tale for America's critical infrastructure. The Department of Homeland Security-led review of the hacks, which was shared exclusively with CNN, determined US regulators should penalize telecom firms with lax security practices and Congress should consider funding programs to steer American youth away from cybercrime. The investigation of the hacks -- which hit companies like Microsoft and Samsung -- found that, in general, it was far too easy for the cybercriminals to intercept text messages that corporate employees use to log into systems. [...]
"It is highly concerning that a loose band of hackers, including a number of teenagers, was able to consistently break into the best-defended companies in the world," Homeland Security Secretary Alejandro Mayorkas told CNN in an interview, adding: "We are seeing a rise in juvenile cybercrime." After a series of high-profile cyberattacks marked his first four months in office, President Joe Biden established the DHS-led Cyber Safety Review Board in 2021 to study the root causes of major hacking incidents and inform policy on how to prevent the next big cyberattack. Staffed by senior US cybersecurity officials and executives at major technology firms like Google, the board does not have regulatory authority, but its recommendations could shape legislation in Congress and future directives from federal agencies. [...]
The board's first review, released in July 2022, concluded that it could take a decade to eradicate a vulnerability in software used by thousands of corporations and government agencies worldwide. The second review, to be released Thursday, focused on a band of young criminal hackers based in the United Kingdom and Brazil that last year launched a series of attacks on Microsoft, Uber, Samsung and identity management firm Okta, among others. The audacious hacks were often followed by extortion demands and taunts by hackers who seemed to be out for publicity as much as they were for money. The hacking group, known as Lapsus$, alarmed US officials because they were able to embarrass major tech firms with robust security programs. "If richly resourced cybersecurity programs were so easily breached by a loosely organized threat actor group, which included several juveniles, how can organizations expect their programs to perform against well-resourced cybercrime syndicates and nation-state actors?" the Cyber Safety Review Board's new report states. Lapsus$, as well as other hacking groups, conduct "SIM-swapping" attacks that can take over a victim's phone number by having it transferred to another device, thereby gaining access to 2FA security codes and personal messages. These can then be used to reveal login credentials and access financial information.
"The board wants telecom carriers to report SIM-swapping attacks to US regulatory agencies, and for those agencies to penalize carriers when they don't adequately protect customers from such attacks," reports CNN.
SIM swapping (Score:2)
Putting it under government control would be just as bad, so how do we address this?
Re: (Score:1)
(one of the minions here in evidence ^)
Re: (Score:2)
Re: (Score:1)
The cellular carriers have had ample time and every incentive to prevent this at their ends. Despite this, their security record is getting worse and they're taking no action whatsoever. The only possible explanation for them not doing the right thing here is they're taking money from organized crime or they're actively run by organized crime. Follow the money, arrest the ringleaders. As long as they're just picking off the minions without following the chain upwards this will continue.
Re:SIM swapping (Score:5, Informative)
The weaknesses of SMS messages were always known, I do not understand how this came to be OK.
Re: (Score:1)
Free money for carriers === OK
Re: (Score:2)
A far simpler method exists, and SMS/RCS, Signal, Telegram Whatsapp, iMessage, Slack and Discord are all vulnerable. Probably not used in this case, but it's very simple. You wait until the victim is in the shower, you get the 2FA sent to their phone and you look at the lock screen and just read it off when the alert comes up.
Some banks deliberately say things like "This is $bank the multi-factor code you requested is..." so that it doesn't show up on the summaries that phones put on the lock screen, but no
Re: (Score:2)
There are so many ways to get access to SMS messages..
I always see this stated/repeated. But, I have no idea how any rando like me can intercept SMS messages. Can you link me to any actual factuals, rather than the esoteric and highly improbable conceptuals?
Re: (Score:2)
How about outlawing SMS and phone call based 2FA? (Score:2)
You have to use a hardware key or 2FA app.
Re: (Score:3)
Re: (Score:2)
And not based on some "service" owned by someone else, like Google, Microsoft, or Apple which can access/control the stuff.
FreeOTP. See posting lower down.
Re: (Score:2)
OTP is great when you are connecting to only one system but as soon as you start adding systems you need to grow the window otherwise the key ends up too far ahead. As you grow the window the avenue of attack widens.
When you add up your accounts you can end up with over 20. Bank, credit cards, computer, other devices, email, online services, etc... How large a window should you keep? How often do you login at each? How many keys are you willing to carry?
OTP as is, has limited usage cases unless it gets modi
Re: (Score:2)
Not sure what you mean. TOTP is time-based.
You are correct that it can get unruly with lots of accounts. But no worse than same with passwords. At least FreeOTP+ allows you to rename, group, sort, and search accounts. Plus you can export your keys (which are completely under your control) if needed.
The primary benefit of TOTP, other than security, is that it is possible to create secure codes without disclosing more of your identity or personal info to the site. It is infuriating that companies seem to
Re: (Score:2)
I was responding to the comment referencing OTP. TOTP while very similar has additional requirements such as a clock.
There is nothing wrong with email. email contents can be encrypted with less effort than TOTP. PGP/GPG can include the public key in every email.
Re: (Score:1)
Insulting headline (Score:2)
suggests that some kids stumbled across a way in.
is more honest. And the story isn't the kids, it's that companies face no real government penalty.
Right... (Score:3)
able to embarrass major tech firms
Impressive!
far too easy for the cybercriminals to intercept text messages that corporate employees use to log into systems
Oh. SMS. Well, yeah.
robust security programs
...that still included SMS. Oops.
TOTP (Score:5, Informative)
>" conduct "SIM-swapping" attacks that can take over a victim's phone number by having it transferred to another device, thereby gaining access to 2FA security codes and personal messages. These can then be used to reveal login credentials and access financial information."
It is called TOTP and it is nothing new.
https://en.wikipedia.org/wiki/... [wikipedia.org]
* Has nothing to do with SIMs
* Requires no special hardware
* Works on all phones, tablets, computers, operating systems
* Is available for free and without patents or licensing
* Does not require any cloud services or stupid Google/MS/etc account
* Does not require any network connection or phone number to use
* Does not reveal your phone number or other data to service
* Has open-source support and implementations
* Is easy to set up and use and with multiple sites/services
* Gives a code instantly
* Is very secure
https://play.google.com/store/... [google.com]
https://play.google.com/store/... [google.com]
https://apps.apple.com/us/app/... [apple.com]
Juvenile cybercrime? (Score:4, Funny)
"We are seeing a rise in juvenile cybercrime."
"Juvenile cybercrime" is almost a redundancy. Do they have any idea how much cybercrime was perpetrated by juveniles in the 1980s and 1990s?
Re: (Score:1)
"omg, if even the CHILDREN are doing it, imagine how dire our need for INCREASED FUNDING is omgnotlol"
Re: (Score:2)
The big point is, it was exactly this cyber-crime: Well, not the SIM-swapping but definitely the "intercept text messages". After 40 years of teenagers cracking computer systems and scavenging discarded hardware, adults aren't any smarter and again, most refuse to plan for cyber-cracking.
Plus, in the USA, every server collecting profile data means there are millions of targets for cyber-crackers: Of course, the cyber-crackers are going to win. At that scale, cyber-security is the equivalent of putting
Re: Juvenile cybercrime? (Score:2)
Strange conclusion (Score:5, Insightful)
Not interesting. Read Krebs instead. (Score:3, Informative)
The root causes of major hacking incidents (Score:1)
It's A Lie! (Score:4, Interesting)
Loose band of teenagers breaching major corporations? What is this 1997?
Anyone that has watched the news lately knows, beyond a shadow of a doubt, that they were "sophisticated nation state hackers". Teenagers couldn't possibly be so sophisticated as to hack a major company. Incomprehensible.
best-defended companies? (Score:1)
"It is highly concerning that a loose band of hackers, including a number of teenagers, was able to consistently break into the best-defended companies in the world,"
Doesn't this demonstrate that they're not actually the best-defended companies in the world ?