
Homeland Security Report Details How Teen Hackers Exploited Security Weaknesses In Some of the World's Biggest Companies (cnn.com)

An anonymous reader quotes a report from CNN: A group of teenage hackers managed to breach some of the world's biggest tech firms last year by exploiting systemic security weaknesses in US telecom carriers and the business supply chain, a US government review of the incidents has found, in what is a cautionary tale for America's critical infrastructure. The Department of Homeland Security-led review of the hacks, which was shared exclusively with CNN, determined US regulators should penalize telecom firms with lax security practices and Congress should consider funding programs to steer American youth away from cybercrime. The investigation of the hacks -- which hit companies like Microsoft and Samsung -- found that, in general, it was far too easy for the cybercriminals to intercept text messages that corporate employees use to log into systems. [...]

"It is highly concerning that a loose band of hackers, including a number of teenagers, was able to consistently break into the best-defended companies in the world," Homeland Security Secretary Alejandro Mayorkas told CNN in an interview, adding: "We are seeing a rise in juvenile cybercrime." After a series of high-profile cyberattacks marked his first four months in office, President Joe Biden established the DHS-led Cyber Safety Review Board in 2021 to study the root causes of major hacking incidents and inform policy on how to prevent the next big cyberattack. Staffed by senior US cybersecurity officials and executives at major technology firms like Google, the board does not have regulatory authority, but its recommendations could shape legislation in Congress and future directives from federal agencies. [...]

The board's first review, released in July 2022, concluded that it could take a decade to eradicate a vulnerability in software used by thousands of corporations and government agencies worldwide. The second review, to be released Thursday, focused on a band of young criminal hackers based in the United Kingdom and Brazil that last year launched a series of attacks on Microsoft, Uber, Samsung and identity management firm Okta, among others. The audacious hacks were often followed by extortion demands and taunts by hackers who seemed to be out for publicity as much as they were for money. The hacking group, known as Lapsus$, alarmed US officials because they were able to embarrass major tech firms with robust security programs. "If richly resourced cybersecurity programs were so easily breached by a loosely organized threat actor group, which included several juveniles, how can organizations expect their programs to perform against well-resourced cybercrime syndicates and nation-state actors?" the Cyber Safety Review Board's new report states.
Lapsus$, as well as other hacking groups, conduct "SIM-swapping" attacks that can take over a victim's phone number by having it transferred to another device, thereby gaining access to 2FA security codes and personal messages. These can then be used to reveal login credentials and access financial information.

"The board wants telecom carriers to report SIM-swapping attacks to US regulatory agencies, and for those agencies to penalize carriers when they don't adequately protect customers from such attacks," reports CNN.
  • You can just pay to clone SIMs. Key people within the companies have the access knowledge, and no checks.

    Putting it under government control would be just as bad, so how do we address this?
    • The cellular carriers have had ample time and every incentive to prevent this at their ends. Despite this, their security record is getting worse and they're taking no action whatsoever. The only possible explanation for them not doing the right thing here is they're taking money from organized crime or they're actively run by organized crime. Follow the money, arrest the ringleaders. As long as they're just picking off the minions without following the chain upwards this will continue.

    • Re:SIM swapping (Score:5, Informative)

      by laughingskeptic ( 1004414 ) on Thursday August 10, 2023 @08:28PM (#63757796)
      There are so many ways to get access to SMS messages I question if SIM cloning is what is really happening in all cases or if they are lumping all cases where text messages wound up in the wrong hands without stealing a phone as being "SIM cloning". For a while you could pay $8 to shady partners of Syniverse to get anyone's texts. I'm sure there are still ways to spoof SS7 in various odd corners of the world to get texts sent to places they shouldn't be sent. Femtocells can also be hacked to make a number appear to be a client and therefore have texts sent in its direction. Text messages are just some extra bytes tagged onto a control packet, they were never designed to be secure or private. They were implemented as "yay free bytes we can shoe-horn onto the existing tech stack".

      The weaknesses of SMS messages were always known, I do not understand how this came to be OK.
      • Free money for carriers === OK

      • A far simpler method exists, and SMS/RCS, Signal, Telegram, WhatsApp, iMessage, Slack and Discord are all vulnerable. Probably not used in this case, but it's very simple. You wait until the victim is in the shower, you get the 2FA sent to their phone and you look at the lock screen and just read it off when the alert comes up.

        Some banks deliberately say things like "This is $bank the multi-factor code you requested is..." so that it doesn't show up on the summaries that phones put on the lock screen, but no

      • There are so many ways to get access to SMS messages..

        I always see this stated/repeated. But, I have no idea how any rando like me can intercept SMS messages. Can you link me to any actual factuals, rather than the esoteric and highly improbable conceptuals?

    • Some attack vectors are quite convenient, especially for remote criminals. Like this video about attacking voicemail systems [media.ccc.de] shows
  • You have to use a hardware key or 2FA app.

    • Software 2FA like Authenticator Apps are secure so long as they really are on a second device.
      • And not based on some "service" owned by someone else, like Google, Microsoft, or Apple which can access/control the stuff.

        FreeOTP. See posting lower down.

        • by MeNeXT ( 200840 )

          OTP is great when you are connecting to only one system but as soon as you start adding systems you need to grow the window otherwise the key ends up too far ahead. As you grow the window the avenue of attack widens.

          When you add up your accounts you can end up with over 20. Bank, credit cards, computer, other devices, email, online services, etc... How large a window should you keep? How often do you login at each? How many keys are you willing to carry?

          OTP as is, has limited usage cases unless it gets modi

          • Not sure what you mean. TOTP is time-based.

            You are correct that it can get unruly with lots of accounts. But no worse than same with passwords. At least FreeOTP+ allows you to rename, group, sort, and search accounts. Plus you can export your keys (which are completely under your control) if needed.

            The primary benefit of TOTP, other than security, is that it is possible to create secure codes without disclosing more of your identity or personal info to the site. It is infuriating that companies seem to

            • by MeNeXT ( 200840 )

              I was responding to the comment referencing OTP. TOTP while very similar has additional requirements such as a clock.

              There is nothing wrong with email. Email contents can be encrypted with less effort than TOTP. PGP/GPG can include the public key in every email.

  • Comment removed based on user account deletion
    • A group of teenage hackers managed to breach some of the world's biggest tech firms last year

      suggests that some kids stumbled across a way in.

      Hackers breached some of the world's biggest tech firms last year

      is more honest. And the story isn't the kids, it's that companies face no real government penalty.

  • by jargonburn ( 1950578 ) on Thursday August 10, 2023 @10:16PM (#63757954)

    able to embarrass major tech firms

    Impressive!

    far too easy for the cybercriminals to intercept text messages that corporate employees use to log into systems

    Oh. SMS. Well, yeah.

    robust security programs

    ...that still included SMS. Oops.

  • TOTP (Score:5, Informative)

    by markdavis ( 642305 ) on Thursday August 10, 2023 @11:03PM (#63758008)

    >" conduct "SIM-swapping" attacks that can take over a victim's phone number by having it transferred to another device, thereby gaining access to 2FA security codes and personal messages. These can then be used to reveal login credentials and access financial information."

    It is called TOTP and it is nothing new.

    https://en.wikipedia.org/wiki/... [wikipedia.org]

    * Has nothing to do with SIMs
    * Requires no special hardware
    * Works on all phones, tablets, computers, operating systems
    * Is available for free and without patents or licensing
    * Does not require any cloud services or stupid Google/MS/etc account
    * Does not require any network connection or phone number to use
    * Does not reveal your phone number or other data to service
    * Has open-source support and implementations
    * Is easy to set up and use and with multiple sites/services
    * Gives a code instantly
    * Is very secure

    https://play.google.com/store/... [google.com]
    https://play.google.com/store/... [google.com]
    https://apps.apple.com/us/app/... [apple.com]

  • by kmoser ( 1469707 ) on Friday August 11, 2023 @12:10AM (#63758080)

    "We are seeing a rise in juvenile cybercrime."

    "Juvenile cybercrime" is almost a redundancy. Do they have any idea how much cybercrime was perpetrated by juveniles in the 1980s and 1990s?

    • "omg, if even the CHILDREN are doing it, imagine how dire our need for INCREASED FUNDING is omgnotlol"

    • ... how much cybercrime ...

      The big point is, it was exactly this cyber-crime: Well, not the SIM-swapping but definitely the "intercept text messages". After 40 years of teenagers cracking computer systems and scavenging discarded hardware, adults aren't any smarter and again, most refuse to plan for cyber-cracking.

      Plus, in the USA, every server collecting profile data means there are millions of targets for cyber-crackers: Of course, the cyber-crackers are going to win. At that scale, cyber-security is the equivalent of putting

    • Any parent with teenagers knows it's a losing battle; they have time and numbers to combat our experience. I remember when I was a teen getting information from friends on BBS systems. Today they have far greater numbers and social networks, and if one of them finds a method that works it's spread quickly.
  • Strange conclusion (Score:5, Insightful)

    by milgner ( 3983081 ) on Friday August 11, 2023 @12:49AM (#63758104)
    So they want to combat the spread of cybercrime? Fine. But why is no one mentioning the elephant in the room which is the fact that modern software quality is a shitshow and companies have no incentives to do anything about it? Developers largely lack the qualifications and/or resources (time to write correct software) to properly secure their products and companies are getting hacked left and right. If the infrastructure is too easy to hack, focusing on the attackers doesn't help.
  • by Togamika ( 10460595 ) on Friday August 11, 2023 @05:51AM (#63758400)
    I read the report. It is not interesting. Better read what Krebs reported in March 2022 (https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/).
  • "The Department of Homeland Security [dhs.gov] (DHS) established a Microsoft Enterprise License Agreement (ELA) Blanket Purchase Agreement (BPA) to provide access to all Microsoft product offerings listed on the Contractor's General Services Administration (GSA) Schedule"
  • It's A Lie! (Score:4, Interesting)

    by SlashbotAgent ( 6477336 ) on Friday August 11, 2023 @08:35AM (#63758728)

    Loose band of teenagers breaching major corporations? What is this 1997?

    Anyone that has watched the news lately knows, beyond a shadow of a doubt, that they were "sophisticated nation state hackers". Teenagers couldn't possibly be so sophisticated as to hack a major company. Incomprehensible.

  • "It is highly concerning that a loose band of hackers, including a number of teenagers, was able to consistently break into the best-defended companies in the world,"

    Doesn't this demonstrate that they're not actually the best-defended companies in the world?
