Someone is hacking the hackers (gizmodo.com)
295 points by fortran77 on March 7, 2021 | 160 comments



"Criminal hackers have been known to hack each other, but is that what is happening here?"

After years of researching computer security and cybercrime I think this is most likely the case with this one.

"KrebsOnSecurity reports that the intruder subsequently dumped the stolen data on the dark web."

If law enforcement people are after them they wouldn't do this; they would simply seize the website and put a notification on the website's front page, so it seems like a rival group hacked them, or simply whitehat hackers.

Some of these cybercrime forums have been running for more than a decade, so no wonder they have attention and problems with the law and cyber criminals alike.


Law enforcement isn't a cohesive entity; it's made up of thousands of groups with different intentions, and different levels and sources of funding.

In general, most of those organizations want convictions, and will do what you said in regard to seizures and warrants.

Some organizations, or people, might be playing a different game, and might see it advantageous to themselves or their governments if certain criminal entities are disrupted, but not convicted.

And then you have other organizations that have carte blanche to do whatever they want, from smuggling drugs[1] to funding paramilitary groups and terrorism abroad, who might be interfering with criminals simply because they got in their way.

[1] https://en.wikipedia.org/wiki/CIA_involvement_in_Contra_coca...


"who might be interfering with criminals simply because they got in their way."

Or, that some Russian intelligence service is linked to the forum (it would be unlikely for them to not at least use some of the potential) and it was part of a bigger play to disrupt their activity.


If LEO gets data/evidence illegally and they are unable to use it for prosecution, leaking it is the modern anonymous phone call equivalent.


> If LEO gets data/evidence illegally and they are unable to use it for prosecution

Law enforcement agencies work in cooperation with the DOJ and they obtain evidence with the use of a warrant[1], which is issued by a court.

Speaking of obtaining illegal evidence, you can search for numerous court cases where judges turned a blind eye to questionable methods of obtaining evidence using hacking techniques. Some of those cases were the seizure of dark web websites and their servers. Courts will always protect government agencies because they want to be cohesive and in synergy.

[1] https://en.wikipedia.org/wiki/Warrant_(law)


True, there are judges who are massively corrupt who fail to observe the Fruit of the poisonous tree doctrine[0]. But I’ve certainly read accounts of judges doing the right thing and tossing ill-gotten evidence. It’s just so unusual that I can’t find examples in the limited time that I’m willing to search the web. So… that kinda says something.

But the point being that it’s not universal that judges will facilitate such methods.

[0] https://en.wikipedia.org/wiki/Fruit_of_the_poisonous_tree


This gives a weird sort of incentive to "report" stuff anonymously...

"reports on the web say" can often be used to get court ordered investigations - no matter the validity of the anonymous info.

So "illegally obtained info" can spawn "legal" routes to investigate the same...


Right, hack it, leak it, it becomes public, can be used in court. But my guess is this is Biden telling Putin we can do it too.


Hmm, just because it is publicly available doesn’t mean it was legally obtained. Leaks seem like a perfect example here.


Right but it may be that the left hand doesn't know what the right hand is doing. Let's say if the CIA leaked it and then FBI used it. CIA operations are highly classified so we would never know if they leaked it, if they did.


> If Law Enforcement people are after them they wouldn't do this they would simply seize the website and put notification on website's front page so it seems like rival group hacked them or simply whitehat hackers.

False. These forums are hosted in places that US law enforcement have no power to seize.


I know that these forums are hosted in Russia, but there is no way you would dump a cybercrime forum's database; no law enforcement agency would do this. When the US seized the servers of Liberty Reserve, their used its database to further investigate and arrest cyber criminals, hackers and spammers, not, like someone said, to "dump it and incite a war between different groups."

Btw, the most wanted hacker in the world was identified when his Jabber server was hosted in the USA, not in Russia. The US used this opsec mistake and seized the server.

Russian cyber criminals often travel to Europe, to countries like the Czech Republic and Spain, or to neighboring Eastern European countries; that's where they get arrested.


A law enforcement agency may not. A three-letter agency would.

Russia uses black hats for many of its cyber attacks. They turn a blind eye to their blackhat activities in return.

Why would a three letter agency want to attack Russian hacker forums? To strike them where it hurts, where they earn their money.


they used* typo


It could very well be law enforcement doing this, just to incite a war between different groups. Didn't they do this with drug gangs in Colombia?


They don't do it when they prosecute cyber criminals. You don't dump data and information you seize in an investigation, because you can use it in further operations or because you will need to use it in court.


But this wouldn't be a typical law enforcement action. (If it is actually a government that's responsible, here. I think it's unlikely, but we can just assume it for the sake of argument.)

The likely culprits would be FIVEEYES law enforcement and/or intelligence. But the main people of interest on these forums likely all reside in Russia and perhaps some neighboring countries. An indictment against any of them is purely symbolic; these people know never to travel to a Western country and risk arrest.

So, if you're FBI/CIA/NSA or similar, and you want to mitigate and disrupt all this fraud and theft and malware and PII harvesting from semi-organized Eastern European cybercrime, you're going to have to use some unconventional tactics. If I were a US "cyber commander" I think I'd consider trying to breach and expose their infrastructure and account info, and perhaps also plant some false flags so they think a rival was responsible.

All of that helps encourage confusion, infighting, and decreased trade and communication. Keep doing it over and over and soon enough certain types of activities might become less lucrative, since more things have to be pushed even deeper underground and are less able to depend on semi-public advertisements for vending illicit goods and services.

I could also imagine the US government considering it "fair game" from a geopolitical perspective. The current administration probably would be more likely to feel that way compared to the previous one, at least. Especially since there's evidence the Russian security services do sometimes team up with cybercriminals for certain things and turn a blind eye to them as long as they aren't targeting other Russian citizens.


dang - can we change the source to https://krebsonsecurity.com/2021/03/three-top-russian-cybercrime-forums-hacked/ please?


I posted the original two days ago here:

https://news.ycombinator.com/item?id=26362141


Yes please, Gizmodo is cancer. What's with that sticky video container??


Yes, please. This is far better than the linked article.


Brain drain, infosec edition. The pandemic struck, and suddenly relocation is all the rage. I know a few infosec guys moving from Russia to various places outside of reach of local law enforcement (and "law enforcement") agencies. Next steps are usually easy to guess - infosec guys are doing what they were doing before, but for new management, and with new targets (ex-allies) in sight. Just a wild guess, of course.


The problem with infosec, even during good times, is that it's a low paid job. I don't mean it's $10/h or something, however taking into consideration what's at risk and usually the knowledge required, the majority get paid peanuts. No surprise more lucrative deals of a questionable sort pop up and attract the more talented ones.


I just love the arrogance of these fuckers. “No one but state level law enforcement could take us down!” What a crock of shit. More likely just an ex member with an axe to grind.

Yep, everyone always says they were the victim of a sophisticated hack by advanced state-sponsored level hackers, whereas maybe their password was <company name>123.


Indeed; it seems unlikely that a state-level actor would announce to the targets that they have been compromised.


Traditionally the message on the hacked homepage should be: All your base are belong to us.


Damn be those hacker hackers for breaking such a great tradition.


They've lost their passion, they're just doing it for a paycheck :(


What you say!!


You have no chance to survive make your time!


Yeah, today's hackers lack class. The Cyberpunk codebase hack would be pretty funny if someone awk'd the subtitle files to say "Can I haz cheeseburger?", but I guess today's crowd is more interested in editing HTML and CSS.


> spurring fears among criminals that their identities might be exposed

I imagine there is very little to gain from the leaked credentials. I mean we are talking about cyber-criminals, who always like to mess with their real IP with Tor or VPNs. And who would be stupid enough to use their legal name on a darkweb carding forum?


You'd be surprised, after 10+ years worth of accounts and online presence it's easy to trip up - reuse an account name from years earlier, use their real email to register for a domain, etc. Krebsonsecurity.com has a few articles where he tracks down an attacker's real identity - e.g. https://krebsonsecurity.com/2020/07/twitter-hacking-for-prof...


People have lost hundreds of thousands because they reused their forum logins on jabber... Lots (most?) of the people on these forums aren’t hackers, but banking experts moving tens of millions of stolen money around the world.


What's stolen? The user gave consent to us. We are simply acting on that consent.

The US GOV needs to focus more on Tether, not us, because Tether steals billions of dollars directly from the economy. Everybody knows who Merlin is!


How did they lose the money, impersonation? Are they running some informal banking/laundering system via jabber chats?


Hey, here’s my new bitcoin address for payments:

Hey, here’s the new bank account info to send stolen money to:

Hey bro, can you borrow me 100k for a few days?


We simply ask the user to install an app on iOS or Android that gives us two-factor codes. This is done with the user's consent. At least, that's how I do these things.


People make mistakes.


Or people just make it look like they’ve made mistakes.

Maybe this was an elaborate honeytrap set by the hackers for the hacker hackers.

Possibly an AI independently hacked the hackers.

A hacker may have convinced an AI to hack the hackers while posing as the hacker hackers. The AI then hacked the hackers’ honeytrap which exposed one single piece of data included by mistake. Only the AI knows why, since the hacker was brainwashed by a secret society of vegans.

News at 11.


Everyone's excuse is "state actors" now and maybe they're right;

“Only intelligence services or people who know where the servers are located can pull off things like that,” mused one mainstay of Exploit. “Three forums in one month is just weird. I don’t think those were regular hackers. Someone is purposefully ruining forums.”

The thing with the state actor stuff is: once a state actor creates some tooling and methodologies, what could possibly prevent this from getting into private hands? (I mean, serious question.) States have huge computing power for cracking passwords or whatever, states have "patience", but still, computing power can be stolen (via botnets or however), any process can be automated, etc.


The tooling, while sometimes containing extremely valuable weapons (see: ETERNALBLUE and Shadow Brokers), generally isn't as much of a public risk as you might think. With the very important exception of leaked zero-days, the leaks of what are probably a significant portion of NSA's and CIA's secret toolkits weren't really a big deal for anyone besides NSA and CIA.

Zero-days and backdoor access points are like turn-key WMDs and the rest are analogous to small pistols and oddly shaped special-purpose wrenches. As long as the zero-days and backdoors stay private, I think there isn't that much concern.

If they don't stay private, then, yeah, it's a severe risk to the world. But those aren't exactly tools; more like privileged knowledge.

You're unlikely to find some super secret intelligence agency hash cracker or DDoS tool that's 100x better than all existing free and paid tools, or something like that. And I think you're probably not going to find a leak that gives you access to a gargantuan government botnet, as you suggest. Even if they're incompetent enough to somehow have that become exposed and accessible by some random internet person, they'd almost certainly shut it down within minutes. Also, odds are such a person could rent a larger botnet through a number of much simpler means, anyway.


I don't know how you can cite an example of Eternalblue and in the same sentence dismiss the risk.

https://en.wikipedia.org/wiki/EternalBlue "On May 12, 2017, the worldwide WannaCry ransomware used this exploit to attack unpatched computers. On June 27, 2017, the exploit was again used to help carry out the 2017 NotPetya cyberattack on more unpatched computers."


In all of my posts I made it very clear that ETERNALBLUE and other leaked zero-days are an extremely serious risk. In each post, I variously described them as "turn-key WMDs", "magic powers bestowed onto ordinary people", and "huge risks", and included zero-days as an important caveat for everything I was trying to say.

I don't at all mean to downplay the severity of the risk of leaked zero-days in the slightest. It's massive. ETERNALBLUE leaking was an unprecedented fuckup, not unlike a government bioweapons facility accidentally leaking a supervirus that causes a pandemic. (Not trying to say anything about COVID, here; just an apt analogy, I think.)

However, I'd also say that zero-days aren't tools or part of tooling. They're discovered vulnerabilities - privileged knowledge, basically. Intelligence agencies possess a lot of privileged information which could be very damaging if leaked.

If a software tool contains an exploit for a zero-day, thus leaking the zero-day, then, yes, the tools themselves are a huge threat.

But I'm thinking more about the typical hacking and engineering tools you'd see, which generally aren't very weaponizable by the general public and not that interesting besides the purpose of potentially detecting their past usage and discovering things an intelligence agency might have done. That's why I said "as long as the zero-days and backdoors stay private, I think there isn't that much concern".

I interpreted the poster as being concerned about the more ordinary things (they mentioned password cracking and botnets, for example), though I think I misunderstood them.


Ok, I am not familiar with any actual hacker tool. But I do know about software design in general.

So I can imagine that a very well designed, modular hacker weapon by the NSA is something they value and want to keep for themselves.

0-days come and go. This is a separate issue.

But having the whole world know how your tools run? Sounds like a nightmare. Because that allows for detection.

Plus the fact that script kiddies eventually will get their hands on it.


100%. That's what I alluded to with:

>weren't really a big deal for anyone besides NSA and CIA.

It's an absolute nightmare if you're NSA or CIA. You're going to have to remake everything from scratch, pretty much. It'll be very tedious and will probably result in a lot of downtime and delays of other projects.

It's like when that stealth Black Hawk crash-landed on Osama bin Laden's compound. (Though that was probably a lot more annoying and difficult to re-engineer than software.)

I was just thinking about it in terms of a common media scaremonger narrative of them possessing tools that if leaked can in some way bestow magic powers or other unnatural abilities onto ordinary people. And that kind of is the case for major zero-days like ETERNALBLUE, but for general software tools, it's a total red herring.


I don't think this addresses my question, which is whether there's anything that inherently makes "state actors" more effective hackers than criminals or amateurs.


Maybe I misunderstood your original post. I thought you were asking about the risks of regular people being able to gain NSA-like abilities if NSA tools manage to fall into their hands. I think that's not a huge risk, beyond zero-days.

However, yes, a very dedicated, very smart group of blackhat hackers could probably achieve somewhat similar things as an intelligence agency's hacking division. You don't necessarily have to be a government to be an APT.

There are still other advantages, though. For one, at NSA, you can do anything you want with legal impunity, while a blackhat might be imprisoned for doing the exact same thing. Also, you have access to a huge organization and various things they've already embedded themselves into, like backdoors and internet traffic taps.

So, they do have an inherent advantage, even if the people involved aren't necessarily inherently better hackers. (Though they may be, if they're better at hiring than you are at recruiting for your private organization.) Given enough time and effort, a private group could maybe also embed themselves in a lot of places, but they're all at the mercy of their governments and allied governments, and may constantly risk arrest.

In terms of this particular incident, I believe it absolutely could be either a government or a private whitehat/greyhat/blackhat individual or group.


The closest we got to an answer about who perpetrated these hacks was a quote in the article:

> Only intelligence services or people who know where the servers are located can pull off things like that.

I don't really know how the quotee would arrive at that conclusion, but I do agree the seemingly systemic nature of these hacks, e.g. "Let's hit the popular dark web forums." isn't usually how criminals operate, based on my limited understanding.

That said, groups of people do seemingly weird things all the time, so I dunno if it's anything other than a gentle nudge in a direction. Hardly a smoking gun.

Additionally, I've always heard the sophistication levels of hacking groups go (from least to most): activists -> criminals -> state groups. I don't know if that's changed in some recent years, but that's how I learned it.


> "Let's hit the popular dark web forums." isn't usually how criminals operate, based on my limited understanding.

Indeed. Most cybercrime, like most crime in general, is primarily interested in just making money as effectively, efficiently, and safely as possible. No point stirring up a bunch of big hornet's nests when you don't need to.

Whatever it is, it's definitely not ordinary activity. Non-exhaustive list of some possibilities I'd imagine:

- Blackhats who are part of that sphere with a chip on their shoulder

- Blackhats trying to start, promote, or perhaps (false-flag style) direct suspicion towards a competing forum or other platform

- Whitehats / greyhats who just don't like fraudsters and thieves and want to fuck with them and give them a taste of their own medicine

- Intelligence agencies / law enforcement


Is it just me, or has the number of large hacks on “things you’d expect to be at least somewhat secure” picked up since the pandemic started? It seems like every week now there’s a source-code leak for some high-profile project.

My own assumption so far is that credentials that were previously being passed along through (essentially) in-person key-exchange parties, have now been forced to be passed along over channels like email/Slack/etc., making the ability to spin “mail/chat server admin creds” into “general system-level elevated creds” a lot more frequent.


It wouldn't surprise me if the pandemic had an influence on some of these hacks. E.g. at our company there are some PCs still running Windows 7. For that reason they had no direct internet access, only to the internal network. But since about half the workforce, or at times more, had to work from home, and the licenses of our ERP software are bound to hardware, IT had to connect those PCs to the internet again, so the office workers could access them from home.

Of course the whole situation was less than ideal to begin with, but now it's even worse.


Just to point out this makes no sense: you can have connectivity between host A and host B without also enabling transitive connectivity to the world of hacker-controlled host N.


I believe this is assuming companies have segmented networks and jump hosts.

In my experience, most... don't.

Enterprise IT at non-tech companies is an absolute #&@_ show. The only rationale I've been able to come with is: if some portion of your company isn't developing / keeping up with tech trends, your IT shop isn't going to be pressured to either.


+1. Even when being told (for money!) to do the right thing most pay the consultant fee but don't act.

True story: A friend was pentesting a large company network in Germany, wrote his report and got paid. Years later, when being hired as head of IT security, he pulled out his old report and simply tried the default/easily crackable passwords he had discovered in the core infrastructure: They all still worked.

If his section about "use jump hosts" was ever useful for the company, it was because someone had that page open by accident, needed a place to put down his mug of coffee - et voila: His report even made a difference!


It's also the case that the perception of non-technical companies having garbage IT means they get overlooked by more savvy admins in their job hunt. Very few people want to drag a manufacturer kicking and screaming into modern IT when it's way easier to get a job with a company that gets it.

This year is going to be huge for Google cloud and m365.


It's also been my experience that non-technical companies sometimes strongly undervalue IT or programming expertise. Few who have a choice want to take a job at a rate well under market, using outdated technologies, with an employer who will not value them.

I had one of those jobs for a while. It was awful. The worst part was the ridiculous demands (example: all bugs should be fixable in 30 minutes or less) on top of the embarrassingly low pay.


> non-technical companies sometimes strongly undervalue IT or programming expertise

Half of this is actually the right way to do it. On one hand undervaluing IT in almost any company these days is a major problem waiting to blow up. IT isn't just an end, it's the means to do everything else. Using computers but ignoring any good IT practice under the excuse that it's not an IT company is like working from an office with asbestos, lead paint, and black mold because you're not a construction company.

But on the other hand non-technical companies, meaning ones without a strong IT culture and focus, should undervalue programming expertise. One of the worst things a non-tech company can do is deploy all kinds of custom IT solutions developed internally by their "programmers with expertise". Invariably (and I mean this in the most literal sense possible) they will end up with a patchwork of systems that nobody understands or maintains properly but which underpins all the core services the company needs or delivers.


"Undervaluing", by definition, means "valuing something under its actual value to you." It doesn't just mean "value the thing less than you do now," or "value the thing less than the average."

So...no, undervaluing programming expertise is never a good thing, whether your particular needs are for a lot of programming or only a little. Either you need exactly zero programming—in which case undervaluing it is impossible—or you need some—in which case you need to value it the right amount.


Well, you're technically correct, but I was hoping my point was clear beyond the vocabulary nit-picking. This being said, I also suggested "the right amount" of value such companies should put on those skills is none, because it suggests they have wrong priorities and/or unrealistic expectations of what they can achieve. You can't undervalue 0. Nit-picking works both ways but just lowers the quality of the conversation.

In general precision is important but in this case it doesn't make that much of a difference besides a linguistic discussion. Let's try to look beyond it and more at the point I was trying to make: In the companies referenced above, as I understand them, valuing "programming expertise" at all is setting yourself up for disaster. You'll be tempted to use it but pretty much by definition in those companies you have no ability to support the outcome long term. Even tech focused companies have a hard time keeping up with the custom solutions they develop and are struggling with technical debt.

If you worked in these companies you know how this goes and have seen the story countless times. IT manager of small IT dept has a "great idea", hires some people to implement it, and they get it sort of done with the limited resources. Pretty soon both the techies and the manager move on to greener pastures, leaving the solutions in the hands of someone with little to no interest in it but who has another "great idea". The best solutions are manageable ones and custom stuff is hard to manage in the best of cases. Programming expertise is like a live grenade, only useful in capable hands (which "non-tech" companies are almost without exception not).


I think your first scenario is a good illustration of undervaluing IT, with attendant eventual disaster.

Perhaps your second is IT being overvalued? You've described a situation where technologies are being deployed inappropriately by an organization ill-equipped to handle the ongoing effort required. This is the sort of silver bullet thinking I would expect from leadership that does not understand IT beyond that it is powerful.


> You've described a situation where technologies are being deployed inappropriately by an organization ill-equipped to handle the ongoing effort required.

I took the archetypal "non-technical companies" you gave as an example earlier. If I understood your meaning correctly, in the vast majority of those cases undervaluing "programming expertise" is probably the best thing to do. And by "undervaluing" I mean such companies should not consider this a skill they should rely on to build their IT around.

It's not that the skill is not useful in itself, just that it doesn't serve that type of company well, and valuing it suggests the companies are considering heading in waters that they're unlikely to successfully navigate.

Most of those companies will do things inappropriately because they are ill-equipped to handle this. For all intents and purposes "programming expertise" in such a company is like driving drunk. Sure, you can get home safe anyway, but that's not something to be proud of. Or you can crash, but the real issue isn't that you couldn't cut it while driving drunk. You shouldn't be doing it to begin with.


I think there are two different kinds of IT value.

The first: I am a competent employee, who can do what needs to be done (in whatever technology).

The second: I am a forward-thinking planner, who surveys and keeps abreast of options and can identify, test, and deploy appropriate ones.

In my experience, it's the second that's lacking. Aka the "we can only deploy if Microsoft holds our hands through it" shops. Usually 1/2 because of lacking talent and 1/2 because of lacking / incorrect policies.

I've seen, but haven't seen too many, instances of "insert crazy state-of-the-art technology." Usually it's just institutional paralysis that prevents anything from getting done.


> non-technical companies sometimes strongly undervalue IT or programming expertise

They might also be unable to know if a job applicant is good at IT or not? And listen mostly to how he/she describes him/herself, and how confident he/she sounds?

Meaning, the company in effect hires IT people a bit randomly, and then mostly finds people who aren't that good at their job.

And if the company started paying more, then more competent people, but also lots more so-so competent people, would apply for the job? And I wonder if the company then still ends up with random mediocre IT people who are unable to really secure the network? Just that the salaries are higher?

I wonder if the underlying problem is that 99% of the population is unable to know if someone is good at software or not


This goes back well over a decade, but a talented Linux admin at a tech shop had to spin up a fresh Windows VM instance to use some MSIE-dependent intranet app. By the time they'd completed the task ten minutes later, the instance had been pwned, on the office LAN.

It's a sh*tshow everywhere.


Most non-tech companies don't have an IT department, they outsource.

Which means they rely on those companies to do the right thing, while not really prioritizing the work (i.e. not giving it much budget), or being able to critically evaluate the quality of the work being done.

So none of this is surprising.


Great point. + most of mgmt doesn't see the real value in security until after the first (major) incident has occurred. (Has been my experience at least for < 50 employee orgs.)


You're absolutely correct. You can do that!

There may be some room to question the general technical expertise and competence of a shop that runs a bunch of Windows 7 systems, though. IT running beyond the limit of their competency may not be capable of doing what you so wisely and rightly point to.


> There may be some room to question the general technical expertise and competence of a shop that runs a bunch of Windows 7 systems, though

Or they may simply not have a choice.

My company has a particular automated machine that I have to work with once or twice a month. It is controlled by a computer that runs Windows XP. It can only run Windows XP because the company that made the software went out of business years ago.

Because of that, the control computer is not permitted on the public internet. When I interface with it, it's using a dedicated laptop through a VPN to a remote session which then accesses the control machine on a dialup connection. It's slow as heck, but since I only have to do it once or twice a month, I deal.

Just before the pandemic, we looked into replacing the circa 1995 automated machine with a new one. Because of the nature of the machine, and the local government regulations about replacing it, the cost would have been a little over one million dollars. Not going to happen.

Everyone hates it. But that's why my company's IT department, which tries hard to keep up with the times, has a single Windows XP computer in its stable.


Which regs tell you what computers you can buy?


Sometimes medical devices and similar come with a computer as part of a whole certified system. The regulatory framework does not tell you which computer you can buy, precisely, but it does tell you what certifications your system must have to be used for a given purpose.

Changing out the part for an unapproved one, obviously, voids the certification.


> Which regs tell you what computers you can buy?

Not all machines are computers.


I should also mention that it isn't in-house IT, but a separate company, and the whole thing was set up in a rushed effort late on a Friday afternoon the week before the whole working from home business would start (our management slept on it until the last minute), with a lot of other companies requesting the same support from the IT company at the same time. Not that it completely excuses everything, and as you can tell from the Windows 7 PCs it was never the most secure setup, but simply to explain some of the reasons behind the mess.


This has all the hallmarks of an organization that views IT as a cost center rather than an enabler. Such an organization will tend to resent any spending on IT, so it's unfortunately not a surprise that it has likely scrimped and saved its way into ineffectual IT.


VPNs ?


Some? I've never seen anything newer than Windows 7 on a corporate PC. I'm sure they're out there somewhere but none of the companies that I've worked at in the last 9 years has ever had Windows 8 or newer.


Amazon was on Windows 10 in 2020 (and probably earlier; I don't remember when I upgraded while I was there).


The last Windows 7 I saw in production was on Wednesday. An attorney with a lot of secrets to protect had them on his notebook.

He isn't entirely oblivious about security, has his hard drive encrypted and encrypts some of his calls, but the non-updated system is a disaster waiting to happen.


I have to use Windows 7 daily at my current job at a bank (connecting via VDI). I forgot to wish the operating system happy tenth birthday a couple weeks ago.


> there are some PCs still running Windows 7.

A humble brag!

There are some very elderly machines out there.


I think the pandemic has a role to play in this for sure. I imagine many were required to use computers/tech as they've not done before. Often times those who are uneducated have to be accounted for so concessions are made.

For example, Sam needs to use a corporate network, doesn't really understand "apps" or what a "TOTP" is, so they optimize (weaken security) to allow them in.


Can we change this to "dumber than average" Sue? I guarantee when I'm 60 I'll still be able to safely operate a computer and understand what an "app" is, FFS. Ageism is really out of control these days.


Sure, but when you're 60 you might not be so hot on technology that you first encountered in your 50s.

I'm sure today's 60-year-olds are still perfectly good at the kind of things they've been doing since they were 20.


The implication that someone couldn't keep up with a relatively new things-- in your case vague example something they even encountered a few years earlier-- is pretty much the definition of ageism. Anyone who decides to keep their professional skills current will do just fine whether they're 5 years out of school or 40 years out of school. If someone doesn't keep current & is 5 years out of date on their skills, there's not a lot of difference between a 30 year old and a 60 year old that are equally 5 years out of date. Though the 60 year old might have decades more of experience working in their advantage, so maybe the two aren't equal.


25 years ago, the hot technology was dial-up modems. And PCMCIA cards to connect to WiFi.

Haven’t had much use of that lately.


You have a point about ageism, but you also make quite a condescending mistake of your own. You could have said "less tech savvy" rather than "dumber than average". It is not because you don't master something that you did not use before that you are dumb.


Absolutely agree on this. I've seen the entire spectrum by now: kids, who literally grew up with computers in their hands, not being able to operate simple software and people way past retirement age doing complex 'magic' on their PCs.


I'm not impressed by the digital native, current generations.

I think a better descriptor would be "app-native" -- i.e. "I don't understand or care how anything computing works under the hood, and it'd better be tied off with a pretty bow and UI."


This is a topic we discussed with a colleague earlier this week: everyone's smart enough to click some buttons on an app, which even a monkey with some basic training could do, but anything outside their comfort zone is a foreign language to them. Just a few days ago I got asked what's the url to login to Office 365. There doesn't seem to be any willingness to think.


As someone who hasn't touched Microsoft Office in a decade, "what's the URL for Office 365" seems like a fair question. Isn't it competing with Google? I assume they offer an in-browser client.

So yes, I have no idea how things I don't use work. This isn't that I'm unwilling to think, things are more open ended.


It's not the part about whether one knows or doesn't know the url that fascinates me: it's a professional setting, where people are quite used to solving problems much more complex than figuring out what the url is. For me it's the thought process: What's the url? I don't know.. error... error.. error. The equivalent of this is if I'd say to someone I've read a great article on the Financial Times website, and they'd reply with: sorry, I can't read it, I don't know the url..


Isn't it also the kind of thing that large organizations self host? Sure they could have probably found it with a search engine, or some employee reference, but asking someone isn't a huge deal.


I don't understand your example. There is such a URL (https://www.office.com/). Or are you just suggesting that the colleague could have looked it up themselves?


I edited the comment, you make a good point. My bias is that in my experience the elderly tends to struggle the most as it wasn't common in their day, but point duly noted.


How about Pat? That’s ambiguous enough.


Or pretend you're in the southeastern US, where "Sam" and "Sue" are both non-gendered, and probably ageless, according to Mr. Cash, at least. You could also go with Courtney, Tracy, Billie, Casey, Drew...


Sort of: since 2017 the number of CVEs has basically gone up a steady 8% per year [1], but the fact that you only noticed it this year also suggests that this alone is not why you noticed.

The more likely reason you're noticing is that thanks to covid, and the accelerated death of real news services, combined with the echo chamber effect where we're all reminding each other of how bad things are, means you're getting more exposure to sensationalism, because that echoes the best. And hacks certainly qualify as sensational, especially on slow news days, where news services desperately need clicks, and "X got hacked" gets those (even if it's a report on a hack that isn't actually one, like when someone walked into a data container with tens of servers, one of which happened to be rented by a password manager).

The real wtf is what happened in 2017, though.

[1]: https://nvd.nist.gov/vuln/search/statistics?form_type=Basic&...


I don't think major hacker sites getting hacked, or the MSE exploit from a few months ago, qualify as "sensationalism". These, especially the latter, are a Pretty Big Deal (tm).

What do you consider a big news item that isn't "sensationalism"? (Your link timed-out)


Something can be a pretty big deal in terms of security, and get dressed up in sensationalism by news outlets to get more clicks. They're not mutually exclusive categories. But it's the "we can get clicks by reporting more of these" that most folks notice, rather than the reporting being in lockstep with the number of hacks being perpetrated every month/week/day for the last 4 years.


I think people just have a ton of free time these days. I know I have.


Occam called, he wants his razor back :)


Pandemic has nothing to do with frequency of cyber security incidents, at least not on a large scale. Every time something global is happening, spammers jump on the bandwagon and try to lure people into opening their email spam and buying something or downloading attachments filled with malware.

This global situation is specific because a lot of people are working remotely, so they are easier to target and compromise than before.

In the last decade or so a lot of businesses moved their presence and other ops online, and lots of them practice poor cyber security; that's why you see a lot of hacks happening.

Speaking of big companies they are always targets of state sponsored attacks and industrial espionage.


Generally the only people I've seen transfer credentials securely are IT and software engineers. You can count on every other department to send passwords over plaintext channels.


It’s not uncommon to test the resolve of a new administration soon after a changing of the guard.


>things you’d expect to be at least somewhat secure

I feel like with a lot of security or cyber-crime stuff there's a "physician who smokes" dynamic to it where the people who you expect to have great security actually often don't take a lot of precautions. How many hackers end up being exposed because of fairly trivial or random accidents is actually surprising.


I've heard it said that first day beginners on a wood saw will almost never hurt themselves. Their fear of it, combined with their known ignorance of it, makes them extra cautious.

Veterans of many years are the ones who get too comfortable, and too complacent. I guess the confidence of many years leads them to work a little too closely to the blade.

This might be a universal human trait, across any industry.


That reminds me that Qualys was just hacked.


I wasn't surprised, I've used their product...


This shouldn't be necessary.

Getting the SSH pubkeys of other developers is easy. Grab them from github or from a shared server or ask them once. Then use age/rage to asymmetrically encrypt the secret you want to share. No password has to travel in cleartext anywhere.
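The workflow described in this comment, as an added example in Python that is not part of the commenter's post: it builds an age recipients file from SSH public keys in authorized_keys format (the same lines GitHub serves at https://github.com/<user>.keys) and shells out to the real `age` CLI. It assumes `age` and `ssh-keygen` are installed; the secret value is a constructed sample.

```python
"""Share a secret with colleagues using age and their SSH public keys.

Added example (not from the thread): wraps the real `age` CLI via subprocess.
Assumes `age` (https://age-encryption.org) and `ssh-keygen` are on PATH.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path


def tools_available() -> bool:
    """True if both external tools this example relies on are installed."""
    return shutil.which("age") is not None and shutil.which("ssh-keygen") is not None


def share_secret(secret: bytes, recipient_pubkeys: list[str]) -> str:
    """Encrypt `secret` so that only holders of the listed SSH keys can read it.

    `recipient_pubkeys` are authorized_keys-format lines, e.g. copied from
    https://github.com/<user>.keys. age accepts ssh-ed25519 and ssh-rsa keys.
    Returns ASCII-armored ciphertext that is safe to paste into chat or email.
    """
    with tempfile.TemporaryDirectory() as tmp:
        recipients = Path(tmp) / "recipients.txt"
        recipients.write_text("\n".join(recipient_pubkeys) + "\n")
        # -R: recipients file, -a: PEM-style armor; plaintext is passed on stdin
        proc = subprocess.run(
            ["age", "-R", str(recipients), "-a"],
            input=secret, capture_output=True, check=True)
    return proc.stdout.decode()


def read_secret(armored: str, ssh_private_key: Path) -> bytes:
    """Decrypt with the recipient's own SSH private key (-i identity file)."""
    proc = subprocess.run(
        ["age", "-d", "-i", str(ssh_private_key)],
        input=armored.encode(), capture_output=True, check=True)
    return proc.stdout


def demo_roundtrip(secret: bytes = b"db-password: hunter2\n") -> bytes:
    """Generate a throwaway ed25519 key pair, encrypt to it, decrypt, return plaintext."""
    with tempfile.TemporaryDirectory() as tmp:
        key = Path(tmp) / "id_ed25519"
        # Stand-in for a colleague's key; in practice you only ever see their .pub
        subprocess.run(
            ["ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-f", str(key)],
            check=True, capture_output=True)
        pubkey = key.with_suffix(".pub").read_text().strip()
        armored = share_secret(secret, [pubkey])
        assert secret not in armored.encode()  # nothing travels in cleartext
        return read_secret(armored, key)


if __name__ == "__main__":
    print(demo_roundtrip())
```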


There was a US election.

And one in which many countries i.e. Russia, Israel, China, Saudi Arabia, North Korea did not want Biden to win and who have a record of state-sponsored hacking.

Solarwinds and the Microsoft compromises for example are clearly at a scale beyond your regular criminal hacker.


I'm curious what forum software Maza, Verified, and Exploit use. If they all use the same one, that might explain the quick succession.


None of these hacks were related to the forum software. Maza and VF run ancient vb, but nobody has found vulns in that for ages. Exploit frontend proxy was compromised by someone, most likely the hoster. The forum software doesn’t run on the frontend proxy.

VF was hacked with a MITM attack that intercepted admin credentials, you can check CT logs to verify this.


This article says VF was hacked via their DNS registrar. Though I guess proxying the real site might be a straightforward MITM if you control the DNS. https://securityboulevard.com/2021/03/three-top-russian-cybe...


Yes, you can verify this using passivedns. The DNS was briefly switched over to cloudflare right before the hack happened.
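The detection angle behind the last three comments (an NS change in passive DNS followed by a certificate from an unexpected CA in CT logs), as an added example that is not part of any commenter's post: the passive-DNS observations and CT entries are constructed samples for a hypothetical domain, in the shape of typical passive-DNS and crt.sh-style exports.

```python
"""Flag a DNS-takeover MITM from passive DNS plus CT log data.

Added example, not from the thread. All records below are constructed samples;
domain, nameservers, addresses, issuers and timestamps are hypothetical.
"""
from datetime import datetime, timedelta

# Constructed passive-DNS observations for a hypothetical forum domain.
PASSIVE_DNS = [
    {"rrname": "forum.example", "rrtype": "NS", "rdata": "ns1.oldhost.example",
     "time_first": "2021-01-01T00:00:00"},
    {"rrname": "forum.example", "rrtype": "NS", "rdata": "ns2.oldhost.example",
     "time_first": "2021-01-01T00:00:00"},
    {"rrname": "forum.example", "rrtype": "NS", "rdata": "ada.ns.cdn.example",
     "time_first": "2021-03-01T18:20:00"},
    {"rrname": "forum.example", "rrtype": "A", "rdata": "198.51.100.7",
     "time_first": "2021-03-01T18:25:00"},
]

# Constructed CT log entries: issuer and issuance time of certs naming the domain.
CT_ENTRIES = [
    {"common_name": "forum.example", "issuer": "C=US, O=Let's Encrypt, CN=R3",
     "not_before": "2021-01-05T09:00:00"},
    {"common_name": "forum.example", "issuer": "C=US, O=Hypothetical CDN CA, CN=Edge CA",
     "not_before": "2021-03-01T18:31:00"},
]


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def nameserver_changes(records, domain):
    """Return [(when, new_ns)] for NS records first seen after the baseline NS set."""
    ns = sorted((parse(r["time_first"]), r["rdata"]) for r in records
                if r["rrname"] == domain and r["rrtype"] == "NS")
    if not ns:
        return []
    baseline = ns[0][0]  # earliest observation defines the known-good set
    return [(t, host) for t, host in ns if t > baseline]


def unexpected_certs(entries, domain, expected_issuers):
    """CT entries for `domain` whose issuer is not one the site owner uses."""
    return [e for e in entries
            if e["common_name"] == domain and e["issuer"] not in expected_issuers]


def correlate(records, entries, domain, expected_issuers, window=timedelta(hours=24)):
    """Alerts where an unexpected-CA cert appears within `window` of an NS change.

    Either signal alone can be a legitimate migration; the pairing is what makes
    a registrar/DNS takeover followed by a proxied site stand out.
    """
    alerts = []
    for when, new_ns in nameserver_changes(records, domain):
        for cert in unexpected_certs(entries, domain, expected_issuers):
            if abs(parse(cert["not_before"]) - when) <= window:
                alerts.append({"ns_changed_at": when.isoformat(), "new_ns": new_ns,
                               "cert_issued_at": cert["not_before"],
                               "issuer": cert["issuer"]})
    return alerts


if __name__ == "__main__":
    known = {"C=US, O=Let's Encrypt, CN=R3"}
    for alert in correlate(PASSIVE_DNS, CT_ENTRIES, "forum.example", known):
        print("ALERT:", alert)
```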


I do not know much about this whole story, but does it mean that Cloudflare has helped to perform those hacks? Since Firefox now uses it by default for its DoH, I think it warrants some serious questions about the choice.


I don't imagine Cloudflare did anything other than provide a proxy platform that's nice for MITM because of features like ssl termination, edge workers, page rules, etc.


I'm surprised even ancient vbulletin doesn't have new vulnerabilities arise. Last I looked at it, it was a horrible kluge. For example a fair amount of the actual PHP that runs was in database tables.


That makes it unpleasant which does not necessarily mean insecure. In fact, having an unpleasant codebase can be an advantage from a security standpoint. If the code is so ugly and complicated that no one wants to add new features, then that means less churn, and less churn means fewer weaknesses. Imagine if the Sudo codebase, which has had over 9,000 changes, had been written that way. I think Donald Knuth got it right with his marvelous tex.web monstrosity that some software should arch towards immutability. https://mirrors.concertpass.com/tex-archive/systems/knuth/di...


It's another surface to inject code, puts "eval" type functionality in the main code, and makes cleaning up after you've been compromised more difficult.


I'm guessing xenforo? Most forums use it - even the illicit ones. The issue probably stems from an insecure plugin - this was how OGUsers was hacked.


What is the route somebody takes to join forums like this? I’ve always found it fascinating. Even when I was a teenager.


word of mouth or challenges like Cicada 3301 https://en.m.wikipedia.org/wiki/Cicada_3301


The spirit of the cicada challenge is pretty much opposite to the spirit of those forums in question.


Sure, but they recruit in a similar way.


Is this a rumour, or a fact?


You have to pay $2000 (at least in Maza) or have refs from two trusted members. You'll most likely get banned by me or Hennor.


I've read that the biggest thing is referrals. Gotta be in the know or 'trusted' by someone else in the scene.


Like with anything underground/dark.

If there is an open and clear way to it, it is no longer underground/dark web.

I bet they are a very paranoid circle, though.


Word of mouth and sometimes challenges. I remember there used to be a Greek forum, pwnb0x (which appears to have vanished from all search engines), that admitted members with referrals or by solving puzzles.


Was it due to an intern?


I'll bet money this is a private corporation that sells 0days taking out their competition.

State-sponsored entities and research groups don't take down forums, for the same reason you don't arrest all the low-level perps on the street. You need to watch them to trail them to the bigger crimes. And blackhats don't take out forums of other blackhats.


> I'll bet money this is a private corporation that sells 0days taking out their competition

How much? :)


It would be out of character for a government agency to act like that.

Shutdown and a threatening message? Maybe. Dumping the data on darknet? I'm not even sure if they can legally do that. Besides, which agency wouldn't use that to gain even more possibly useful information?


Am I the only person, when thinking of governments, that has removed "legality" as a barrier to any potential action?


You most certainly are not the only person.

At this point, I presume governments are breaking every law on the books. Who is going to stop them?


Nowadays you just call it the fight against terrorism and greenlight whatever you want.


The government, in a time of war, will pull all sorts of nasty shenanigans. Thankfully, we've been at war for a while so... don't be traitors now.


You've clearly never heard of intelligence laundering before.


What do the elders of HN recommend if you find a serious bug in a security company's system?

They don't have security.txt or a bug bounty. First time I've had to go thru data I've obtained and email multiple times to get things patched. They were ass about it.

p.s. The company is affiliated with three letter agencies and basically offers them device decryption.


Personally I would expect to see more of this than we have. After all, with crypto cash exploding in value it seems like there are assets to be seized. But the cynic in me suspects that it's really just an escalation of the world wide cyber war that has been going on for years now and is getting more resources as it hits more sensitive spots.


I'm surprised there was no mention of Joker's Stash; it seems reasonable to me that after it shut down it left a power vacuum of sorts, with several actors looking for new places to ply their trade. Not to mention the real possibility that some "peepls" have an axe to grind because they got burned when J$ closed up shop.


Nobody got burned when joker quit, everyone got paid.


I didn't say they didn't get paid. There are plenty of other ways to lose out from having the rug pulled out suddenly... but now that you made the argument, unless I missed it, the only evidence that everyone got paid was the promise made within the announcement, which is no evidence at all.


There’s lots of evidence if you read VF and similar forums. Joker manually processed withdrawals for those who requested them, even small amounts. All the sellers got paid.


The data that was harvested was leaked to other “dark web” locations. The gangster move to take out your hacker competitors is to “out” these hackers on something more social like a github dump or to pastebin.


Unless you want to run extortion or blackmail against them.


In addition to law enforcement, keep in mind intel, counter-intel, and private-yet-national (e.g. Mandiant, Kaspersky, Sophos, et al.).


People still post about crime on the internet?

A LOT of antisocial people seem to act badly thinking no one is going to even look at what logs exist due to existing policy, let alone illegal sources of info that are used in parallel construction.

https://www.npr.org/2021/03/04/973696073/a-former-police-chi...


Hmm, seems the US government hasn't been twiddling their thumbs doing nothing about Russian Hackers after all...


> This hack comes shortly after similar attacks on two other Russian cybercrime forums,

I don't understand so I have to ask:

What allows these sites to be designated as Russian? Is it simply the location of the server(s)? Is it a geographic designation, or more of a political one? Or both?


According to this article: https://krebsonsecurity.com/2019/11/why-were-the-russians-so...

> Since their inception in the mid-aughts, both of these forums (Mazafaka and DirectConnection) have been among the most difficult to join — admitting only native Russian speakers and requiring each applicant to furnish a non-refundable cash deposit and “vouches” or guarantees from at least three existing members.

> In addition, their administration is exclusively Russian nationals, and all forum posts and communications are done in Russian.


I don't know the sites in question, but maybe the language?


No honor among thieves.


Strike Back - XXI season teaser


[deleted]


"Please don't complain about website formatting, back-button breakage, and similar annoyances. They're too common to be interesting. Exception: when the author is present. Then friendly feedback might be helpful."

https://news.ycombinator.com/newsguidelines.html


Whoops, sorry!


Appreciated! These things genuinely are super annoying, which is why we need the rule. It's about foregoing a local optimum (justified but repetitive criticism of flaws in web pages and software) for a global one (more interesting, less predictable conversation).


> Whoever hacked Maza netted thousands of data points about the site’s users, including usernames, email addresses, and hashed passwords, a new report from intelligence firm Flashpoint shows. Two warning messages were then scrawled across the forum’s home page: “Your data has been leaked” and “This forum has been hacked.”

Oh no. Not my username, email address and hashed password. I'm shaking right now. But then again there's always some idiot who doesn't try to anonymize.


All it takes is one hit traced to a misconfigured VPN or browser, for example, to learn an IP address and thus real user, at least from a law enforcement perspective… though I suppose the same is true for any honeypot links. Same goes for checking your “anonymous” email, unless the provider is only accessible to check email on Tor, for example. Anonymity, like security, is hard to do 24/7 if someone is actively interested in you…

