dang · 4 years ago
Recent and related:

Okta’s Investigation of the January 2022 Compromise - https://news.ycombinator.com/item?id=30775180 - March 2022 (112 comments)

New Updated Okta Statement on Lapsus$ - https://news.ycombinator.com/item?id=30774193 - March 2022 (24 comments)

Updated Okta Statement on Lapsus$ - https://news.ycombinator.com/item?id=30769537 - March 2022 (220 comments)

Also:

DEV-0537 (LAPSUS$) Criminal actor targeting organizations - https://news.ycombinator.com/item?id=30774406 - March 2022 (0 comments)

Lapsus$ hackers leak 37GB of Microsoft's alleged source code - https://news.ycombinator.com/item?id=30763623 - March 2022 (117 comments)

sorenjan · 4 years ago
> At an address listed in the leaked materials as the teen’s home near Oxford, a woman who identified herself as the boy’s mother talked with a Bloomberg reporter for about 10 minutes through a doorbell intercom system. The home is a modest terraced house on a quiet side street about five miles from Oxford University.

> The woman said she was unaware of the allegations against her son or the leaked materials. She said she was disturbed that videos and pictures of her home and the teen’s father’s home were included. The mother said the teenager lives at that address and had been harassed by others, but many of the other leaked details couldn’t be confirmed.

> She declined to discuss her son in any way or make him available for an interview, and said the issue was a matter for law enforcement and that she was contacting the police.

https://www.bloomberg.com/news/articles/2022-03-23/teen-susp...

Terry_Roll · 4 years ago
> The teen is so skilled at hacking -- and so fast-- that researchers initially thought the activity they were observing was automated, another person involved in the research said.

That's when you know you are in the zone! I love the zone.

bertil · 4 years ago
The press is slowly starting to realise that harassing a teenager might make them the baddies.
bri3d · 4 years ago
Unsurprised it's teenager(s) - a lot of their escalation and traversal attempts as well as their bragging made it seem as though they had not worked in industry.

It's scary to think what someone with actual knowledge of common practice could do with the same kind of approaches.

miohtama · 4 years ago
Microsoft, NVidia, Okta, EA all hacked by someone that’s not state sponsored and sophisticated.

Tells quite a bit about the snake oil that is the current cybersecurity industry and its counterparts: sloppy software development and lazy pointy-haired bosses.

29athrowaway · 4 years ago
A system is as strong as the weakest component.

Many companies concentrate all the security efforts at the perimeter.

ziml77 · 4 years ago
It's all been social engineering. Are you saying the software developers should have programmed all the humans in these organizations better?
kingcharles · 4 years ago
I had a problem with a very persistent hacker once. Constantly causing havoc to my systems. I would talk to him on IRC as he wanted to boast about his exploits. Made himself out to be a 24-year-old Russian living in London and had plenty of anecdotes which seemed authentic.

One day I was on IRC talking to him while at home in the evening. He said "Watch this." My wife's cellphone rang and someone screamed down the phone at her. That was the breaking point for me. I put a €15,000 bounty out there for someone to ID him. A few weeks later I had leads and tracked him down to Germany.

I had German friends dig into it. They found he was a 15-year-old kid working at a video store. My friends called his boss first and gave him the details. Then they called his dear old mother at home and regaled her with the stories of her son's other life.

Never had any trouble from him again after that.

tsol · 4 years ago
How did you put a bounty on an internet hacker? I'd love to hear the detective's story
thematrixturtle · 4 years ago
There almost certainly are more competent hackers exploiting the same vulnerabilities, but we don't know about them because they're not stupid enough to brag about it online.
iJohnDoe · 4 years ago
Wow. Typical HN crowd to diminish anything other than their own accomplishments or lack thereof. This thread also managed to give backhanded comments to NVIDIA and Microsoft.
amazd · 4 years ago
Damn..

> “[He] slowly began making money to further expand his exploit collection,” reads his Doxbin entry. “After a few years his net worth accumulated to well over 300BTC (close to $14 mil).”

> KrebsOnSecurity is not publishing WhiteDoxbin’s alleged real name because he is a minor (currently aged 17)

bowmessage · 4 years ago
Not to detract from their achievements..., but we could also simplify it a bit:

> “After a few years his over 300BTC [appreciated] to $14 mil.”

gigaflop · 4 years ago
If they're 17 years old, there's no way they bought into BTC recently.

5 years ago, BTC popped up to around $20k, and then fell down to near $3k. It took until December of 2020 to get back up to 20k.

If they were on Tor, they would have known about BTC, and if they were interested in black-hatting, BTC would have probably been the most accessible financial instrument for them to use in that pursuit. I'm 99% sure someone like that would have had a stash kicking around somewhere.

Think anyone paid the group for work? That'd be a good way to fill the coffers.

etcet · 4 years ago
He bought and sold a doxing site and leaked all the doxers' private dox, so they super-doxed him in retaliation. After this, he didn't bother to change his username?
TechBro8615 · 4 years ago
Maybe he’s getting framed
rbanffy · 4 years ago
I find that more than likely.
f38zf5vdt · 4 years ago
The leader of the world's most dangerous hacking syndicate is a minor? How did we get here exactly, in cyberspace security terms?
phphphphp · 4 years ago
I don’t think we got here, we’ve always been here: most of us don’t want to go to prison and risk aversion increases with age. Regardless of how (in)secure systems are, the abundance of bad actors will be those with a high risk tolerance.
bri3d · 4 years ago
I think we should expect this kind of thing from teenagers: there's a certain level of out of the box thinking and risk to reward inversion that comes from youth. Brazen solicitation of associates / operatives on public forums is certainly unique, and not a tactic which most other actors would pursue due to the risk involved.

I also think that things aren't as bad as we think security wise. The attacker's lack of industry experience helps with marketing to media who also lack industry experience. Somehow "Lapsus$" are "the world's most dangerous hacking syndicate", but in reality they've fully compromised several Portuguese companies with poor information security to begin with, released a treasure trove of mostly only curiosity-interesting source code from some big names, and posted some screenshots of restricted-access customer support tools. Breathless excitement about each new discovery has whipped the media into a frenzy over disclosures which sound juicy but ultimately aren't altogether that impactful - another accidental benefit of youth, I think.

To me the scariest thing in "cyberspace security terms" probably isn't that a minor has done all this - that seems reasonable to me - but what happens when an adult is inspired to adopt the same approaches? IMO this is the leading edge of something, an innovative approach pioneered by an outsider, less so than it is the trailing edge of "even a teenager could do this."

I think the biggest insight here is the power of chat tools like Slack. These tools need much more robust controls than are currently present at most companies. At most large enterprise software companies I've seen, there is little-to-no role based or level based access control applied to chat, and a vast amount of information is accidentally available in messaging logs, even to employees like contractors or low-trust employee accounts which have been locked out and just "need to Slack someone to get back in." Chat apps need much more access control from both a role and trust level point of view.

adolph · 4 years ago
> I think we should expect this kind of thing from teenagers: there's a certain level of out of the box thinking and risk to reward inversion that comes from youth. Brazen solicitation of associates / operatives on public forums is certainly unique, and not a tactic which most other actors would pursue due to the risk involved.

Reminds me of: https://en.wikipedia.org/wiki/Ender's_Game

Hoping to earn himself expulsion from the school for his ruthlessness, he sacrifices his entire fleet to fire a Molecular Disruption Device at the planet. The Device completely destroys the planet and the surrounding bugger fleet. He is shocked to hear the I.F. commanders cheering in celebration. Mazer informs Ender that the "simulations" he has been fighting were real battles, directing human spacecraft against Formic fleets via an ansible's instantaneous communication, and that Ender has won the war.

donkarma · 4 years ago
When you're an adult, you lead the syndicates that nobody knows about. I doubt there are many minors in Equation Group
davikr · 4 years ago
I feel like companies have invested a lot in securing internal services from external actors, and the threat model has moved to compromise these organizations from the inside with underpaid disgruntled employees being promised riches. It should be important not only to punish those insiders involved, but also to have the least possible permissions for developers, support desk workers or anyone really.
chockchocschoir · 4 years ago
> but also to have the least possible permissions for developers, support desk workers or anyone really.

Considering that Okta say they already do "Zero Trust security" and give people the least possible authorization (and also that they were never breached in the first place, still), I don't have a lot of faith in the industry realizing anything from this breach.

dboreham · 4 years ago
A single low paid employee shouldn't have the access rights to do serious damage. For example Okta probably has rate-limits on how many users a CSR can reset the password for.
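
A concrete form of the two controls raised in this comment and in davikr's comment above (least privilege for support staff, and a cap on how many resets one agent can perform). This is an added example, not code from the thread or from Okta; the audit-record format, agent names, tiers and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample helpdesk audit records: (agent, timestamp, target user, target tier).
# Hypothetical format for illustration only; not any vendor's real log schema.
SAMPLE_EVENTS = [
    ("agent7", "2022-03-22T09:00:00", "alice@example.com", "standard"),
    ("agent7", "2022-03-22T09:01:00", "bob@example.com", "standard"),
    ("agent7", "2022-03-22T09:02:00", "carol@example.com", "standard"),
    ("agent7", "2022-03-22T09:03:00", "dave@example.com", "standard"),
    ("agent7", "2022-03-22T09:04:00", "root-admin@example.com", "privileged"),
    ("agent9", "2022-03-22T09:05:00", "erin@example.com", "standard"),
]

MAX_RESETS_PER_WINDOW = 3          # assumed per-agent cap
WINDOW = timedelta(minutes=10)     # assumed sliding window
# Least privilege: a tier-1 support agent may only reset "standard" accounts.
ALLOWED_TIERS = {"agent7": {"standard"}, "agent9": {"standard"}}


def evaluate_resets(events):
    """Return (agent, target, decision, reason) for each reset attempt.

    Two independent checks a support-reset endpoint should enforce:
    a tier check on the target account (can this agent touch it at all?)
    and a sliding-window count per agent. Denied attempts are what the
    SOC should alert on, since a bribed or stolen agent account shows up
    here as a burst of resets or a reach for privileged targets."""
    history = defaultdict(deque)   # agent -> timestamps of allowed resets
    decisions = []
    for agent, ts, target, tier in events:
        when = datetime.fromisoformat(ts)
        window = history[agent]
        while window and when - window[0] > WINDOW:   # drop expired entries
            window.popleft()
        if tier not in ALLOWED_TIERS.get(agent, set()):
            decisions.append((agent, target, "deny", "target tier not permitted for agent"))
            continue
        if len(window) >= MAX_RESETS_PER_WINDOW:
            decisions.append((agent, target, "deny", "per-agent reset rate limit exceeded"))
            continue
        window.append(when)
        decisions.append((agent, target, "allow", "ok"))
    return decisions


def denied(decisions):
    """Filter to the attempts that should raise an alert."""
    return [d for d in decisions if d[2] == "deny"]
```

On the sample data, agent7's fourth reset trips the rate limit and the reset of a privileged account is refused by the tier check; agent9 is unaffected.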
distantsounds · 4 years ago
oh dear, he's never seen Hackers
rbanffy · 4 years ago
Do you mean they are hot as well?
swamp_cypress · 4 years ago
If this group can bribe insiders so easily, imagine what a state-level actor can do.
paxys · 4 years ago
> imagine what a state-level actor can do

More like, imagine what a state-level actor has done already. Heck they don't even need to carry out hacks of this nature. It would be trivial for a government to embed an agent at any tech company at a way higher level than customer support. Do people really think a top CS graduate recruited to a coveted intelligence role can't pass a FAANG interview?

Maursault · 4 years ago
> Do people really think a top CS graduate recruited to a coveted intelligence role can't pass a FAANG interview?

There are no top CS grads working for any government, other than perhaps academy graduates, and then only temporarily. For a top CS grad, private sector salaries are 5-20x what government will pay, and if they are top CS grads, they'll be smart enough to do the math.

Consultant32452 · 4 years ago
The H-1B program was practically designed to give foreign agents an easy way into our infrastructure.

Think of our top political enemies and consider which direction the visas go.

greggsy · 4 years ago
The threat of coercion or bribery by a state actor is absolutely real, and has already played out in the past month.

The threat of wilful cooperation by sympathetic employees with loyal ties to their homeland has also been widely covered in several Chinese cases, less so for Russia. This isn’t isolated to those countries either; it’s almost certainly being done by the West too.

hoseja · 4 years ago
You don't see many western nationals embedded in critical Chinese infrastructure. Not a very multicultural society, them.
rudasn · 4 years ago
Have you heard about Snowden? No imagination required.
pelagicAustral · 4 years ago
Is the implication here that Snowden got bought by the Russians? That didn't happen, right? Right?
forum_ghost · 4 years ago
Own all the physical infrastructure, including your cellphone, your computers, your watch, your car, all monitored and owned 24/7?
bagels · 4 years ago
"Many of LAPSUS$’s recruitment ads are written in both English and Portuguese. According to cyber intelligence firm Flashpoint, the bulk of the group’s victims (15 of them) have been in Latin America and Portugal."

Are they victims or co-conspirators? These people were paid to provide access.

spyremeown · 4 years ago
About the language part: I'm a native speaker of Portuguese. Their posts on Reddit[1], requesting paid insiders on some mobile networks, are very clearly machine translated. When they started out, hacking the Ministry of Health here in Brazil, the defacing text had a wrong plural, and was written in a way that a native speaker never would.

https://camas.github.io/reddit-search/#{%22author%22:%22okla...

rbanffy · 4 years ago
If I wanted to be hard to detect, I'd run my messages through a couple machine translators so any metrics you may want to collect would be distorted enough it wouldn't be easy to tie them to your own messaging.

And that target is what made me first think of one or more government agents infiltrating and financing the group.

tyingq · 4 years ago
I imagine they meant the corporate victims. That is two separate pieces of evidence that they have some tie to Brazil: the recruits, and the selected corporate victims.
bagels · 4 years ago
Article didn't mention any Brazilian companies as far as I could see.