Teenage Hackers Must be Stopped: US DHS’s CSRB Report

DHS secretary Alejandro Mayorkas

Lapsus$ social engineers exploited weak two-factor authentication. Something must be done! (Well, this is something.)

The U.S. government report into last year’s Lapsus$ attacks is finally public. The Department of Homeland Security’s Cyber Safety Review Board came to the oh-so-insightful conclusion that people shouldn’t use SMS 2FA and that cell carriers should stop letting scrotes abuse it.

Well, duh. In today’s SB Blogwatch, we wonder why we waited 18 months for this. Your tax dollars at work.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Doctor Which.

TL;DR: 2FA SMS FAIL

What’s the craic? Sean Lyngaas reports—“How teen hackers exploited security weaknesses in some of the world’s biggest companies”:

Wreaked havoc
… by exploiting systemic security weaknesses in US telecom carriers and the business supply chain, a US government review of the incidents has found, in what is a cautionary tale for America’s critical infrastructure. The Department of Homeland Security … determined US regulators should penalize telecom firms with lax security practices.

[It] focused on a band of young criminal hackers based in the United Kingdom and Brazil that last year launched a series of attacks on Microsoft, Uber, Samsung and identity management firm Okta, among others. … It was far too easy for the cybercriminals to intercept text messages that corporate employees use to log into systems [said] Homeland Security Secretary Alejandro Mayorkas.

The hacking group, known as Lapsus$, alarmed US officials because they were able to embarrass major tech firms. [They had a] knack for social engineering – tricking victim organizations to surrender login information by targeting tech support. [And they] wreaked havoc by conducting “SIM-swapping” attacks, which essentially take over a victim’s phone number by having it transferred to another device.

And Adam Janofsky adds—“US should crack down on SIM swapping following Lapsus$ attacks: DHS”:

Lax security practices
In a 59-page report released Thursday, the department’s Cyber Safety Review Board called on the … FCC and … FTC to strengthen their oversight and enforcement activities focused on SIM swapping. … The board also recommended that organizations transition away from widely-used SMS and voice-based multifactor authentication.

SMS-based multifactor authentication … can be undermined by cybercriminals due to lax security practices at telecom firms. Lapsus$ was able to obtain basic information about its victims, such as their name and phone number, and used them to perform fraudulent SIM swaps and intercept text messages that allowed them to sign into accounts or perform account recoveries.
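The attack chain described above (fraudulent SIM swap, then an SMS code used for sign-in or account recovery) is something a defender can look for. The following is an added example, not from the report or any of the quoted articles; it correlates constructed carrier SIM-change notices with constructed identity-provider auth events and flags weak-factor logins that match the pattern. The event field names, the 72-hour window and the sample data are all assumptions for illustration.

```python
"""Flag SMS/voice-OTP logins or recoveries that follow a recent SIM change."""
from datetime import datetime, timedelta

# Constructed sample data (not real customers): carrier SIM-change notices
# and identity-provider authentication events, both with ISO-8601 timestamps.
SIM_CHANGE_EVENTS = [
    {"phone": "+15550100123", "ts": "2022-03-01T10:02:00"},
]
AUTH_EVENTS = [
    {"user": "alice", "phone": "+15550100123", "ts": "2022-03-01T10:41:00",
     "factor": "sms_otp", "action": "account_recovery", "new_device": True},
    {"user": "bob", "phone": "+15550100456", "ts": "2022-03-01T11:00:00",
     "factor": "fido2", "action": "login", "new_device": False},
    {"user": "carol", "phone": "+15550100789", "ts": "2022-03-01T11:05:00",
     "factor": "sms_otp", "action": "login", "new_device": False},
]

# Factors the report says organisations should move away from.
WEAK_FACTORS = {"sms_otp", "voice_otp"}
# Assumed look-back: a SIM change this recent before an OTP use is suspicious.
SIM_SWAP_WINDOW = timedelta(hours=72)


def parse(ts):
    return datetime.fromisoformat(ts)


def sim_changed_recently(phone, when, sim_events, window=SIM_SWAP_WINDOW):
    """True if the carrier reported a SIM change for `phone` within `window` before `when`."""
    for ev in sim_events:
        age = when - parse(ev["ts"])
        if ev["phone"] == phone and timedelta(0) <= age <= window:
            return True
    return False


def flag_events(auth_events, sim_events):
    """Return (user, action, reasons) for weak-factor events worth an analyst's look."""
    findings = []
    for ev in auth_events:
        if ev["factor"] not in WEAK_FACTORS:
            continue  # phishing-resistant or app-based factors are not in scope here
        reasons = []
        if sim_changed_recently(ev["phone"], parse(ev["ts"]), sim_events):
            reasons.append("sim_change_within_72h")
        if ev["action"] == "account_recovery":
            reasons.append("recovery_via_sms")
        if ev["new_device"]:
            reasons.append("new_device")
        if reasons:
            findings.append((ev["user"], ev["action"], reasons))
    return findings
```

The carrier's SIM-change feed is the signal that makes this useful; without it the rule degrades to "SMS recovery from a new device", which is noisier but still worth a ticket.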

Horse’s mouth? DHS PR FTEs—“Cyber Safety Review Board Releases Report on Activities of … Lapsus$”:

The CSRB found that Lapsus$ leveraged simple techniques to evade industry-standard security tools that are a lynchpin of many corporate cybersecurity programs and outlined 10 actionable recommendations for how government, companies, and civil society can better protect against [such] groups. … The Board saw a collective failure across organizations to account for the risks associated with using text messaging and voice calls for multi-factor authentication.

Is it the fault of the mobile carriers? Narcocide alleges an allegation:

The cellular carriers have had ample time and every incentive to prevent this at their ends. Despite this, their security record is getting worse and they’re taking no action whatsoever. The only possible explanation for them not doing the right thing here is they’re taking money from organized crime or they’re actively run by organized crime. Follow the money, arrest the ringleaders. As long as they’re just picking off the minions without following the chain upwards this will continue.

Or should we blame the victims? wackazoa sounds slightly sarcastic:

There’s a novel idea. Companies that make billions, should put thought and effort into protecting themselves and their customers from … threats. Wonder how that’s gonna be received? … Who am I kidding?

Which is it? buddy007 picks a side of the fence:

Multifactor authentication via SMS should be obsolete given how vulnerable cellular infrastructure is. These recommendations should be applied to banking too, where most banks still rely on SMS MFA.

However, milgner thinks that’s a “strange conclusion”:

Why is no one mentioning the elephant in the room? … Modern software quality is a ****show and companies have no incentives to do anything about it. Developers largely lack the qualifications and/or resources … to properly secure their products and companies are getting hacked left and right. If the infrastructure is too easy to hack, focusing on the attackers doesn’t help.

What’s that smell? Fuzzypiggy reaches Nirvana: [You’re fired—Ed.]

We could all do with a bit more of that teen spirit these guys show: Something we all surrender over time as we get older and set in our safe ways.

When you’re young you can think incredibly fast. You’re not tied down by years and years of doing the same thing, using the same tired ideas. Everything is new and you will do and try things just for the hell of it, even when smarter people will tell you it won’t work.

Meanwhile, easyTree translates the report from guvmint into English:

“OMG, if even the CHILDREN are doing it, imagine how dire our need for INCREASED FUNDING is.”

And Finally:

60 years of logotypes

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: U.S. DHS (public domain)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.