[HN Gopher] Someone is hacking the hackers
___________________________________________________________________
Someone is hacking the hackers
Author : fortran77
Score : 217 points
Date : 2021-03-07 15:14 UTC (7 hours ago)
(HTM) web link (gizmodo.com)
(TXT) w3m dump (gizmodo.com)
| tyingq wrote:
| I'm curious what forum software Maza, Verified, and Exploit use.
| If they all use the same one, that might explain the quick
| succession.
| wyxuan wrote:
| I'm guessing xenforo? Most forums use it - even the illicit
| ones. The issue probably stems from an insecure plugin - this
| was how OGUsers was hacked.
| ryanlol wrote:
| None of these hacks were related to the forum software. Maza
| and VF run ancient vb, but nobody has found vulns in that for
| ages. Exploit frontend proxy was compromised by someone, most
| likely the hoster. The forum software doesn't run on the
| frontend proxy.
|
| VF was hacked with a MITM attack that intercepted admin
| credentials, you can check CT logs to verify this.
| tyingq wrote:
| I'm surprised even ancient vbulletin doesn't have new
| vulnerabilities arise. Last I looked at it, it was a horrible
| kluge. For example a fair amount of the actual PHP that runs
| was in database tables.
| jart wrote:
| That makes it unpleasant which does not necessarily mean
| insecure. In fact, having an unpleasant codebase can be an
| advantage from a security standpoint. If the code is so
| ugly and complicated that no one wants to add new features,
| then that means less churn, and less churn means fewer
| weaknesses. Imagine if the Sudo codebase, which has had
| over 9,000 changes, had been written that way. I think
| Donald Knuth got it right with his marvelous tex.web
| monstrosity that some software should arch towards
| immutability. https://mirrors.concertpass.com/tex-archive/systems/knuth/di...
| tyingq wrote:
| It's another surface to inject code, puts "eval" type
| functionality in the main code, and makes cleaning up
| after you've been compromised more difficult.
| tyingq wrote:
| This article says VF was hacked via their DNS registrar.
| Though I guess proxying the real site might be a
| straightforward MITM if you control the DNS.
| https://securityboulevard.com/2021/03/three-top-russian-cybe...
| ryanlol wrote:
| Yes, you can verify this using passivedns. The DNS was
| briefly switched over to cloudflare right before the hack
| happened.
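| The two checks ryanlol points to, CT logs for a certificate from an
| issuer the site never used and passive DNS for a nameserver switch
| just before the incident, are the kind of thing a defender can
| automate. The script below is an added example, not code from the
| thread or from any of the forums discussed; the CT entries, the
| passive-DNS observations, the domain forum.example, the nameserver
| names and the incident timestamp are all constructed to mimic the
| shape of crt.sh / passive-DNS API output, and nothing is fetched over
| the network.

```python
"""Correlate CT-log and passive-DNS records around an incident.

Added example, not from the HN thread. All records below are
constructed samples in the shape of crt.sh / passive-DNS output.
"""
from datetime import datetime, timedelta

# Constructed CT entries for a hypothetical domain (forum.example).
CT_ENTRIES = [
    {"issuer": "Let's Encrypt R3", "not_before": "2020-12-20T09:00:00",
     "name": "forum.example"},
    {"issuer": "Let's Encrypt R3", "not_before": "2021-02-18T09:00:00",
     "name": "forum.example"},
    # An issuer the site never used, shortly before the incident.
    {"issuer": "CDN Proxy ECC CA (constructed)", "not_before": "2021-03-01T14:30:00",
     "name": "forum.example"},
]

# Constructed passive-DNS NS observations; first_seen/last_seen are ISO dates.
PDNS_ENTRIES = [
    {"rrname": "forum.example", "rrtype": "NS", "rdata": "ns1.hoster.example",
     "first_seen": "2019-05-01", "last_seen": "2021-02-28"},
    {"rrname": "forum.example", "rrtype": "NS", "rdata": "ns-a.cdn-proxy.example",
     "first_seen": "2021-03-01", "last_seen": "2021-03-02"},
    {"rrname": "forum.example", "rrtype": "NS", "rdata": "ns1.hoster.example",
     "first_seen": "2021-03-03", "last_seen": "2021-03-07"},
]

INCIDENT = datetime(2021, 3, 2, 0, 0, 0)  # constructed incident time


def unexpected_certs(entries, expected_issuers, incident, lookback_days=14):
    """Certificates from an issuer not in the allow-list, issued in the
    lookback window before the incident. Such a cert lets a proxy in front
    of the real site terminate TLS without any warning to users."""
    start = incident - timedelta(days=lookback_days)
    return [e for e in entries
            if e["issuer"] not in expected_issuers
            and start <= datetime.fromisoformat(e["not_before"]) <= incident]


def ns_transitions(entries):
    """Ordered (first_seen, old_ns_set, new_ns_set) tuples, one per change
    of the observed NS set. Records sharing a first_seen date are grouped,
    since real zones usually publish several NS records at once."""
    by_date = {}
    for e in entries:
        if e["rrtype"] == "NS":
            by_date.setdefault(e["first_seen"], set()).add(e["rdata"])
    changes, current = [], None
    for when in sorted(by_date):
        new = frozenset(by_date[when])
        if new != current:
            changes.append((when, current, new))
            current = new
    return changes


def hijack_indicators(ct, pdns, expected_issuers, incident, lookback_days=14):
    """Human-readable findings that, taken together, are consistent with a
    DNS-level takeover used to intercept traffic and credentials."""
    findings = []
    for c in unexpected_certs(ct, expected_issuers, incident, lookback_days):
        findings.append(
            f"unexpected issuer {c['issuer']!r} for {c['name']} at {c['not_before']}")
    start = (incident - timedelta(days=lookback_days)).date().isoformat()
    for when, old, new in ns_transitions(pdns):
        if old is not None and start <= when <= incident.date().isoformat():
            findings.append(f"NS changed {sorted(old)} -> {sorted(new)} on {when}")
    return findings


if __name__ == "__main__":
    for line in hijack_indicators(CT_ENTRIES, PDNS_ENTRIES, {"Let's Encrypt R3"}, INCIDENT):
        print(line)
```

| Neither signal is conclusive on its own: a legitimate CDN migration
| produces exactly the same cert and NS pattern, so the output is a
| lead for the operator to confirm against their own change records,
| not proof of compromise.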
| fuoqi wrote:
| I do not know much about this whole story, but does it
| mean that Cloudflare has helped to perform those hacks?
| Since Firefox now uses it by default for its DoH, I think
| it warrants some serious questions about the choice.
| tyingq wrote:
| I don't imagine Cloudflare did anything other than
| provide a proxy platform that's nice for MITM because of
| features like ssl termination, edge workers, page rules,
| etc.
| bmsleight_ wrote:
| dang - can we change the source to https://krebsonsecurity.com/2021/03/three-top-russian-cybercrime-forums-hacked/ please ?
| tacker2000 wrote:
| Yes please, Gizmodo is cancer. What's with that sticky video
| container??
| [deleted]
| goatinaboat wrote:
| _I just love the arrogance of these fuckers. "No one but state
| level law enforcement could take us down!" What a crock of shit.
| More likely just an ex member with an axe to grind._
|
| Yep, everyone always says they were the victim of a sophisticated
| hack by advanced state-sponsored level hackers, whereas maybe
| their password was <company name>123.
| mannykannot wrote:
| Indeed; it seems unlikely that a state-level actor would
| announce to the targets that they have been compromised.
| chiefalchemist wrote:
| > This hack comes shortly after similar attacks on two other
| Russian cybercrime forums,
|
| I don't understand so I have to ask:
|
| What allows these sites to be designated as Russian? Is it simply
| the location of the server(s)? Is it a geographic designation, or
| more of a political one? Or both?
| theMuckPot wrote:
| According to this article:
| https://krebsonsecurity.com/2019/11/why-were-the-russians-so...
|
| _Since their inception in the mid-aughts, both of these forums
| (Mazafaka and DirectConnection) have been among the most
| difficult to join -- admitting only native Russian speakers and
| requiring each applicant to furnish a non-refundable cash
| deposit and "vouches" or guarantees from at least three
| existing members._
|
| In addition, their administration is exclusively Russian
| nationals, and all forum posts and communications are done in
| Russian.
| luplex wrote:
| I don't know the sites in question, but maybe the language?
| mrkramer wrote:
| "Criminal hackers have been known to hack each other, but is that
| what is happening here?"
|
| After years of researching computer security and cybercrime I
| think this is most likely the case with this one.
|
| "KrebsOnSecurity reports that the intruder subsequently dumped
| the stolen data on the dark web."
|
| If law enforcement people were after them they wouldn't do this;
| they would simply seize the website and put a notification on the
| website's front page, so it seems like a rival group hacked them, or
| simply white-hat hackers.
|
| Some of these cybercrime forums have been running for more than a
| decade, so no wonder they have attention and problems with the law and
| cyber criminals alike.
| hollander wrote:
| It could very well be law enforcement doing this, just to
| incite a war between different groups. Didn't they do this with
| drug gangs in Colombia?
| [deleted]
| mrkramer wrote:
| They don't do it when they prosecute cyber criminals. You
| don't dump data and information you seize in investigation
| because you can use it in further operations or because you
| will need to use it in court.
| newsclues wrote:
| If LEO gets data/evidence illegally and they are unable to use
| it for prosecution, leaking it is the modern anonymous phone
| call equivalent.
| mrkramer wrote:
| > If LEO gets data/evidence illegally and they are unable to
| use it for prosecution
|
| Law Enforcement Agencies work in cooperation with DOJ and
| they obtain evidence with the use of warrant[1] which is
| issued by court.
|
| Speaking of obtaining illegal evidence, you can search for
| numerous court cases where judges turned a blind eye to
| questionable methods of obtaining evidence using hacking
| techniques. Some of those cases were seizures of Dark Web
| websites and their servers. Courts will always protect
| government agencies because they want to be cohesive and in
| synergy.
|
| [1] https://en.wikipedia.org/wiki/Warrant_(law)
| sigmaprimus wrote:
| I'm surprised there was no mention of Joker's Stash; it seems
| reasonable to me that after it shut down it left a power vacuum
| of sorts with several actors looking for new places to ply their
| trade. Not to mention the real possibility that some "peepls"
| have an axe to grind because they got burned when J$ closed up
| shop.
| ryanlol wrote:
| Nobody got burned when joker quit, everyone got paid.
| sigmaprimus wrote:
| I didn't say they didn't get paid. There are plenty of other
| ways to lose out from having the rug pulled out
| suddenly...but now that you made the argument, unless I
| missed it, the only evidence that everyone got paid was the
| promise made within the announcement, which is no evidence at
| all.
| ryanlol wrote:
| There's lots of evidence if you read VF and similar forums.
| Joker manually processed withdrawals for those who
| requested them, even small amounts. All the sellers got
| paid.
| YarickR2 wrote:
| Brain drain, infosec edition. Pandemic struck, and suddenly
| relocation is all the rage. I know a few infosec guys moving from
| Russia to various places outside of reach of local law
| enforcement (and "law enforcement") agencies. Next steps are
| usually easy to guess - infosec guys are doing what they were
| doing before, but for new management, and with new targets
| (ex-allies) in sight. Just a wild guess, of course.
| cosmodisk wrote:
| The problem with infosec, even during good times, is that it's a
| low paid job. I don't mean it's $10/h or something, however
| taking into consideration what's at risk and usually the
| knowledge required, the majority get paid peanuts. No surprise more
| lucrative deals of a questionable sort pop up and attract the more
| talented ones.
| derefr wrote:
| Is it just me, or has the number of large hacks on "things you'd
| expect to be at least somewhat secure" picked up since the
| pandemic started? It seems like every week now there's a source-
| code leak for some high-profile project.
|
| My own assumption so far is that credentials that were previously
| being passed along through (essentially) in-person key-exchange
| parties, have now been forced to be passed along over channels
| like email/Slack/etc., making the ability to spin "mail/chat
| server admin creds" into "general system-level elevated creds" a
| lot more frequent.
| TheRealPomax wrote:
| Sort of: since 2017 the number of CVEs has basically gone up a
| steady 8% per year [1], but the fact that you only noticed it
| this year also suggests that this alone is not why you noticed.
|
| The more likely reason you're noticing is that thanks to covid,
| and the accelerated death of real news services, combined with
| the echo chamber effect where we're all reminding each other of
| how bad things are, you're getting more exposure to
| sensationalism, because that echoes the best. And hacks
| certainly qualify as sensational, especially on slow news days,
| where news services desperately need clicks, and "X got hacked"
| gets those (even if it's a report on a hack that isn't actually
| one, like when someone walked into a data container with tens
| of servers, one of which happened to be rented by a password
| manager).
|
| The real wtf is what happened in 2017, though.
|
| [1]:
| https://nvd.nist.gov/vuln/search/statistics?form_type=Basic&...
| SavantIdiot wrote:
| I don't think major hacker sites getting hacked, or the MSE
| exploit from a few months ago qualifies as "sensationalism".
| These, especially the latter, are a Pretty Big Deal (tm).
|
| What do you consider a big news item that isn't
| "sensationalism"? (Your link timed-out)
| [deleted]
| kilroy123 wrote:
| I think people just have a ton of free time these days. I know
| I have.
| fortyrod wrote:
| Occam called, he wants his razor back :)
| the8472 wrote:
| This shouldn't be necessary.
|
| Getting the SSH pubkeys of other developers is easy. Grab them
| from github or from a shared server or ask them once. Then use
| age/rage to asymmetrically encrypt the secret you want to
| share. No password has to travel in cleartext anywhere.
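| The workflow the8472 describes is, at the command line, a recipient's
| SSH public key passed to age (for instance with its -R option pointing
| at the .pub file) so that only the holder of the matching private key
| can decrypt. The block below is an added example, not age's code or
| file format and not from the thread: it implements the same core
| primitive age relies on, X25519 key agreement (RFC 7748) between an
| ephemeral sender key and the recipient's long-term public key, and
| then seals the secret under the derived key. The symmetric layer here
| is a deliberately simple HMAC-SHA256 keystream plus HMAC tag standing
| in for age's ChaCha20-Poly1305, and the keys are native X25519 keys
| rather than converted SSH keys; both are assumptions for the sake of a
| dependency-free illustration.

```python
"""Encrypt a secret to a recipient's public key, age-style (added example).

X25519 per RFC 7748 in pure Python; the symmetric layer is a toy
HMAC-SHA256 keystream + tag standing in for ChaCha20-Poly1305.
Illustration only, not age's format and not a production cipher.
"""
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    """RFC 7748 scalar clamping."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication on Curve25519 (RFC 7748 5)."""
    k = _clamp(scalar)
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_keypair():
    """Recipient's long-term key: (private scalar, public point)."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def _derive_key(shared: bytes, eph_pub: bytes, recipient_pub: bytes) -> bytes:
    # Bind the key to both public values so it is unique per message.
    return hashlib.sha256(b"toy-recipient-v1" + shared + eph_pub + recipient_pub).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256 (stand-in for ChaCha20).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_for(recipient_pub: bytes, plaintext: bytes) -> bytes:
    """Sender side: fresh ephemeral key, ECDH with the recipient, seal."""
    eph_priv = os.urandom(32)
    eph_pub = x25519(eph_priv, BASEPOINT)
    key = _derive_key(x25519(eph_priv, recipient_pub), eph_pub, recipient_pub)
    nonce = os.urandom(12)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, eph_pub + nonce + ct, hashlib.sha256).digest()
    return eph_pub + nonce + ct + tag  # nothing secret travels in clear


def decrypt_with(recipient_priv: bytes, blob: bytes) -> bytes:
    """Recipient side: recompute the shared key, verify the tag, then open."""
    eph_pub, nonce, ct, tag = blob[:32], blob[32:44], blob[44:-32], blob[-32:]
    recipient_pub = x25519(recipient_priv, BASEPOINT)
    key = _derive_key(x25519(recipient_priv, eph_pub), eph_pub, recipient_pub)
    expected = hmac.new(key, eph_pub + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


if __name__ == "__main__":
    priv, pub = generate_keypair()           # the colleague publishes pub
    sealed = encrypt_for(pub, b"db-password: correct horse")  # constructed secret
    print(decrypt_with(priv, sealed))
```

| The point the comment makes survives the simplification: the sender
| needs only the recipient's public key, which can be fetched from
| anywhere, and the ciphertext can cross email or Slack because a
| different private key, or a single flipped byte, fails authentication
| rather than yielding anything.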
| aboringusername wrote:
| I think the pandemic has a role to play in this for sure. I
| imagine many were required to use computers/tech as they've not
| done before. Often times those who are uneducated have to be
| accounted for so concessions are made.
|
| For example, Sam needs to use a corporate network, doesn't
| really understand "apps" or what a "TOTP" is, so they optimize
| (weaken security) to allow them in.
| lpriv wrote:
| Cocks are tasty
| luckman212 wrote:
| Can we change this to "dumber than average" Sue? I guarantee
| when I'm 60 I'll still be able to safely operate a computer
| and understand what an "app" is, FFS. Ageism is really out of
| control these days.
| ldng wrote:
| You have a point about ageism, but you also make quite a
| condescending mistake of your own. You could have said "less
| tech savvy" rather than "dumber than average". It is not because
| you don't master something that you did not use before that
| you are dumb.
| aboringusername wrote:
| I edited the comment, you make a good point. My bias is
| that in my experience the elderly tend to struggle the
| most as it wasn't common in their day, but point duly
| noted.
| cosmodisk wrote:
| Absolutely agree on this. I've seen the entire spectrum by
| now: kids, who literally grew up with computers in their
| hands, not being able to operate simple software, and people
| way past retirement age doing complex 'magic' on their PCs.
| ethbr0 wrote:
| I'm not impressed by the digital native, current
| generations.
|
| I think a better descriptor would be "app-native" -- i.e.
| "I don't understand or care how anything computing works
| under the hood, and it'd better be tied off with a pretty
| bow and UI."
| cosmodisk wrote:
| This is a topic we discussed with a colleague earlier
| this week: everyone's smart enough to click some buttons on an
| app, which even a monkey with some basic training could
| do, but anything outside their comfort zone is a foreign
| language to them. Just a few days ago I got asked what's
| the url to login to Office 365. There doesn't seem to be
| any willingness to think.
| gmfawcett wrote:
| I don't understand your example. There is such a URL
| (https://www.office.com/). Or are you just suggesting
| that the colleague could have looked it up themselves?
| boomboomsubban wrote:
| As someone who hasn't touched Microsoft Office in a
| decade, what's the URL for Office 365 seems like a fair
| question. Isn't it competing with Google? I assume they
| offer an in-browser client.
|
| So yes, I have no idea how things I don't use work. This
| isn't that I'm unwilling to think, things are more open
| ended.
| cosmodisk wrote:
| It's not the part about whether one knows or doesn't know the
| url that fascinates me: it's a professional setting, where
| people are quite used to solving problems much more complex
| than figuring out what the url is. For me it's the thought
| process: What's the url? I don't know.. error... error..
| error. The equivalent of this is if I'd say to someone
| I've read a great article on the Financial Times website, and
| they'd reply with: sorry, I can't read it, I don't know
| the url..
| klingon79 wrote:
| How about Pat? That's ambiguous enough.
| fortyrod wrote:
| Or pretend you're in the southeastern US, where "Sam" and
| "Sue" are both non-gendered, and probably ageless,
| according to Mr. Cash, at least. You could also go with
| Courtney, Tracy, Billie, Casey, Drew...
| jstanley wrote:
| Sure, but when you're 60 you might not be so hot on
| technology that you first encountered in your 50s.
|
| I'm sure today's 60-year-olds are still perfectly good at
| the kind of things they've been doing since they were 20.
| blackrock wrote:
| 25 years ago, the hot technology was dial-up modems. And
| PCMCIA cards to connect to WiFi.
|
| Haven't had much use of that lately.
| ineedasername wrote:
| The implication that someone couldn't keep up with
| relatively new things -- in your vague example,
| something they even encountered a few years earlier -- is
| pretty much the definition of ageism. Anyone who decides
| to keep their professional skills current will do just
| fine whether they're 5 years out of school or 40 years
| out of school. If someone doesn't keep current & is 5
| years out of date on their skills, there's not a lot of
| difference between a 30 year old and a 60 year old that
| are equally 5 years out of date. Though the 60 year old
| might have decades more of experience working in their
| advantage, so maybe the two aren't equal.
| lefstathiou wrote:
| It's not uncommon to test the resolve of a new administration
| soon after a changing of the guard.
| Barrin92 wrote:
| >things you'd expect to be at least somewhat secure
|
| I feel like with a lot of security or cyber-crime stuff there's
| a "physician who smokes" dynamic to it where the people who you
| expect to have great security actually often don't take a lot
| of precautions. How many hackers end up being exposed because
| of fairly trivial or random accidents is actually surprising.
| theMuckPot wrote:
| I've heard it said that first day beginners on a wood saw
| will almost never hurt themselves. Their fear of it, combined
| with their known ignorance of it, makes them extra cautious.
|
| Veterans of many years are the ones who get too comfortable,
| and too complacent. I guess the confidence of many years
| leads them to work a little too closely to the blade.
|
| This might be a universal human trait, across any industry.
| guerrilla wrote:
| That reminds me that Qualys was just hacked.
| Godel_unicode wrote:
| I wasn't surprised, I've used their product...
| mrkramer wrote:
| The pandemic has nothing to do with the frequency of cyber security
| incidents, at least not on a large scale. Every time
| something global is happening spammers jump on the bandwagon
| and try to lure people into opening their email spam and buying
| something or downloading attachments filled with malware.
|
| This global situation is specific because a lot of people are
| working remotely, so they are easier to target and compromise than
| before.
|
| In the last decade or so a lot of businesses moved their
| presence and other ops online and lots of them practice poor
| cyber security; that's why you see a lot of hacks happening.
|
| Speaking of big companies, they are always targets of state
| sponsored attacks and industrial espionage.
| threeseed wrote:
| There was a US election.
|
| And one in which many countries i.e. Russia, Israel, China,
| Saudi Arabia, North Korea did not want Biden to win and who
| have a record of state-sponsored hacking.
|
| Solarwinds and the Microsoft compromises for example are
| clearly at a scale beyond your regular criminal hacker.
| dEnigma wrote:
| It wouldn't surprise me if the pandemic had an influence on
| some of these hacks. E.g. at our company there are some PCs
| still running Windows 7. For that reason they had no direct
| internet access, only to the internal network. But since about
| half the workforce, or at times more, had to work from home,
| and the licenses of our ERP software are bound to hardware, IT
| had to connect those PCs to the internet again, so the office
| workers could access them from home.
|
| Of course the whole situation was less than ideal to begin
| with, but now it's even worse.
| lostlogin wrote:
| > there are some PCs still running Windows 7.
|
| A humble brag!
|
| There are some very elderly machines out there.
| dboreham wrote:
| Just to point out this makes no sense: you can have
| connectivity between host A and host B without also enabling
| transitive connectivity to the world of hacker-controlled host
| N.
| dEnigma wrote:
| I should also mention that it isn't in-house IT, but a
| separate company, and the whole thing was set up in a
| rushed effort late on a Friday afternoon the week before
| the whole working from home business would start (our
| management slept on it until the last minute), with a lot
| of other companies requesting the same support from the IT
| company at the same time. Not that it completely excuses
| everything, and as you can tell from the Windows 7 PCs it
| was never the most secure setup, but simply to explain some
| of the reasons behind the mess.
| Kalium wrote:
| This has all the hallmarks of an organization that views
| IT as a cost center rather than an enabler. Such an
| organization will tend to resent any spending on IT, so
| it's unfortunately not a surprise that it has likely
| scrimped and saved its way into ineffectual IT.
| ethbr0 wrote:
| I believe this is assuming companies have segmented
| networks and jump hosts.
|
| In my experience, most... don't.
|
| Enterprise IT at non-tech companies is an absolute #&@_
| show. The only rationale I've been able to come up with is: if
| some portion of your company isn't developing / keeping up
| with tech trends, your IT shop isn't going to be pressured
| to either.
| Godel_unicode wrote:
| It's also the case that the perception of non-technical
| companies having garbage IT means they get overlooked by
| more savvy admins in their job-hunt. Very few people want
| to drag a manufacturer kicking and screaming into modern
| IT, when it's way easier to get a job with a company that
| gets it.
|
| This year is going to be huge for Google cloud and m365.
| Kalium wrote:
| It's also been my experience that non-technical companies
| sometimes strongly undervalue IT or programming
| expertise. Few who have a choice want to take a job at a
| rate well under market using outdated technologies with
| an employer who will not value them.
|
| I had one of those jobs for a while. It was awful. The
| worst part was the ridiculous demands (example: all bugs
| should be fixable in 30 minutes or less) on top of the
| embarrassingly low pay.
| buran77 wrote:
| > non-technical companies sometimes strongly undervalue
| IT or programming expertise
|
| Half of this is actually the right way to do it. On one
| hand undervaluing IT in almost any company these days is
| a major problem waiting to blow up. IT isn't just an end,
| it's the means to do everything else. Using computers but
| ignoring any good IT practice under the excuse that it's
| not an IT company is like working from an office with
| asbestos, lead paint, and black mold because you're not a
| construction company.
|
| But on the other hand non-technical companies, meaning
| ones without a strong IT culture and focus, _should_
| undervalue programming expertise. One of the worst things
| a non-tech company should do is deploy all kinds of
| custom IT solutions developed internally by their
| "programmers with expertise". Invariably (and I mean this
| in the most literal sense possible) they will end up with
| a patchwork of systems that nobody understands or
| maintains properly but which underpins all the core
| services the company needs or delivers.
| danaris wrote:
| "Undervaluing", by definition, means "valuing something
| _under_ its actual value to you. " It doesn't just mean
| "value the thing less than you do now," or "value the
| thing less than the average."
|
| So...no, undervaluing programming expertise is never a
| good thing, whether your particular needs are for a lot
| of programming or only a little. Either you need exactly
| _zero_ programming--in which case undervaluing it is
| impossible--or you need _some_ --in which case you need
| to value it _the right amount_.
| buran77 wrote:
| Well you're technically correct but I was hoping my point
| was clear beyond the vocabulary nit-picking. This being
| said I also suggested "the right amount" of value such
| companies should put on those skills is none, because it
| suggests they have wrong priorities and/or unrealistic
| expectations of what they can achieve. You can't
| undervalue 0. Nit-picking works both ways but just lowers
| the quality of the conversation.
|
| In general precision is important but in this case it
| doesn't make that much of a difference besides a
| linguistic discussion. Let's try to look beyond it and
| more at the point I was trying to make: In the companies
| referenced above, as I understand them, valuing
| "programming expertise" at all is setting yourself up for
| disaster. You'll be tempted to use it but pretty much by
| definition in those companies you have no ability to
| support the outcome long term. Even tech focused
| companies have a hard time keeping up with the custom
| solutions they develop and are struggling with technical
| debt.
|
| If you worked in these companies you know how this goes
| and have seen the story countless times. IT manager of
| small IT dept has a "great idea", hires some people to
| implement it, and they get it sort of done with the
| limited resources. Pretty soon both the techies and the
| manager move on to greener pastures, leaving the
| solutions in the hands of someone with little to no
| interest in it but who has another "great idea". The best
| solutions are manageable ones and custom stuff is hard to
| manage in the best of cases. Programming expertise is
| like a live grenade, only useful in capable hands (which
| "non-tech" companies are almost without exception not).
| Kalium wrote:
| I think your first scenario is a good illustration of
| undervaluing IT, with attendant eventual disaster.
|
| Perhaps your second is IT being _over_ valued? You've
| described a situation where technologies are being
| deployed inappropriately by an organization ill-equipped
| to handle the ongoing effort required. This is the sort
| of silver bullet thinking I would expect from leadership
| that does not understand IT beyond that it is powerful.
| buran77 wrote:
| > You've described a situation where technologies are
| being deployed inappropriately by an organization
| ill-equipped to handle the ongoing effort required.
|
| I took the archetypal "non-technical companies" you gave
| as an example earlier. If I understood your meaning
| correctly, in the vast majority of those cases
| undervaluing "programming expertise" is probably the best
| thing to do. And by "undervaluing" I mean such
| companies should not consider this as a skill they should
| rely on to build their IT around.
|
| It's not that the skill is not useful in itself, just
| that it doesn't serve that type of company well, and
| valuing it suggests the companies are considering heading
| in waters that they're unlikely to successfully navigate.
|
| Most of those companies will do things inappropriately
| _because_ they are ill-equipped to handle this. For all
| intents and purposes "programming expertise" in such a
| company is like driving drunk. Sure you can get home safe
| anyway but that's not a reason to be proud of. Or you can
| crash but the real issue isn't that you couldn't cut it
| while driving drunk. You shouldn't be doing it to begin
| with.
| ethbr0 wrote:
| I think there are two different kinds of IT value.
|
| The first: I am a competent employee, who can do what
| needs to be done (in whatever technology).
|
| The second: I am a forward-thinking planner, who surveys
| and keeps abreast of options and can identify, test, and
| deploy appropriate ones.
|
| In my experience, it's the second that's lacking. Aka the
| "we can only deploy if Microsoft holds our hands through
| it" shops. Usually 1/2 because of lacking talent and 1/2
| because of lacking / incorrect policies.
|
| I've seen, but haven't seen too many, instances of
| "insert crazy state-of-the-art technology." Usually it's
| just institutional paralysis that prevents _anything_
| from getting done.
| HappyDreamer wrote:
| > non-technical companies sometimes strongly undervalue
| IT or programming expertise
|
| They might also be unable to know if a job applicant is
| good at IT or not? And listen mostly to how he/she
| describes him/herself, and how confident he/she sounds?
|
| Meaning, the company in effect hires IT people a bit
| randomly, and then mostly finds people who aren't that
| good at their job.
|
| And if the company started paying more, then, more
| competent people, but also lots of more so-so competent
| people, would apply for the job? And I wonder if the
| company then still ends up with a random mediocre IT
| people who are unable to really secure the network? Just
| that the salaries are higher?
|
| I wonder if the underlying problem is that 99% of the
| population is unable to know if someone is good at
| software or not
| jlg23 wrote:
| +1. Even when being told (for money!) to do the right
| thing most pay the consultant fee but don't act.
|
| True story: A friend was pentesting a large company
| network in Germany, wrote his report and got paid. Years
| later, when being hired as head of IT security, he pulled
| out his old report and simply tried the default/easily
| crackable passwords he had discovered in the core
| infrastructure: They all still worked.
|
| If his section about "use jump hosts" was ever useful for
| the company, it was because someone had that page open by
| accident, needed a place to put down his mug of coffee -
| et voila: His report even made a difference!
| dredmorbius wrote:
| This goes back well over a decade, but a talented Linux
| admin at a tech shop had to spin up a fresh Windows VM
| instance to use some MSIE-dependent intranet app. By
| the time they'd completed the task ten minutes later, the
| instance had been pwned, on the office LAN.
|
| It's a sh*tshow _everywhere_.
| sbarre wrote:
| Most non-tech companies don't have an IT department, they
| outsource.
|
| Which means they rely on those companies to do the right
| thing, while not really prioritizing the work (i.e. not
| giving it much budget), or being able to critically
| evaluate the quality of the work being done.
|
| So none of this is surprising.
| bobbob1921 wrote:
| Great point. + most of mgmt doesn't see the real value in
| security until _after_ the first (major) incident has
| occurred. (Has been my experience at least for < 50
| employee orgs.)
| [deleted]
| ddalex wrote:
| VPNs ?
| Kalium wrote:
| You're absolutely correct. You can do that!
|
| There may be some room to question the general technical
| expertise and competence of a shop that runs a bunch of
| Windows 7 systems, though. IT running beyond the limit of
| their competency may not be capable of doing what you so
| wisely and rightly point to.
| reaperducer wrote:
| _There may be some room to question the general technical
| expertise and competence of a shop that runs a bunch of
| Windows 7 systems, though_
|
| Or they may simply not have a choice.
|
| My company has a particular automated machine that I have
| to work with once or twice a month. It is controlled by a
| computer that runs Windows XP. It can only run Windows XP
| because the company that made the software went out of
| business years ago.
|
| Because of that, the control computer is not permitted on
| the public internet. When I interface with it, it's using
| a dedicated laptop through a VPN to a remote session
| which then accesses the control machine on a dialup
| connection. It's slow as heck, but since I only have to
| do it once or twice a month, I deal.
|
| Just before the pandemic, we looked into replacing the
| circa 1995 automated machine with a new one. Because of
| the nature of the machine, and the local government
| regulations about replacing it, the cost would have been
| little over one million dollars. Not going to happen.
|
| Everyone hates it. But that's why my company's IT
| department, which tries hard to keep up with the times,
| has a single Windows XP computer in its stable.
| marshmallow_12 wrote:
| which regs tell you what computers you can buy?
| reaperducer wrote:
| _which regs tell you what computers you can buy?_
|
| Not all machines are computers.
| Kalium wrote:
| Sometimes medical devices and similar come with a
| computer as part of a whole certified system. The
| regulatory framework does not tell you which computer you
| can buy, precisely, but it does tell you what
| certifications your system must have to be used for a
| given purpose.
|
| Changing out the part for an unapproved one, obviously,
| voids the certification.
| dhosek wrote:
| Some? I've never seen anything newer than Windows 7 on a
| corporate PC. I'm sure they're out there somewhere but none
| of the companies that I've worked at in the last 9 years has
| ever had Windows 8 or newer.
| jcrites wrote:
| Amazon was on Windows 10 in 2020 (and probably earlier; I
| don't remember when I upgraded while I was there).
| inglor_cz wrote:
| The last Windows 7 I saw in production was on Wednesday. An
| attorney with a lot of secrets to protect had them on his
| notebook.
|
| He isn't entirely oblivious about security, has his hard
| drive encrypted and encrypts some of his calls, but the
| non-updated system is a disaster waiting to happen.
| cloudking wrote:
| Generally the only people I've seen transfer credentials
| securely are IT and software engineers. You can count on every
| other department to send passwords over plaintext channels.
| naebother wrote:
| > Whoever hacked Maza netted thousands of data points about the
| site's users, including usernames, email addresses, and hashed
| passwords, a new report from intelligence firm Flashpoint shows.
| Two warning messages were then scrawled across the forum's home
| page: "Your data has been leaked" and "This forum has been
| hacked."
|
| Oh no. Not my username, email address and hashed password. I'm
| shaking right now. But then again there's always some idiot who
| doesn't try to anonymize.
| lstamour wrote:
| All it takes is one hit traced to a misconfigured VPN or
| browser, for example, to learn an IP address and thus real
| user, at least from a law enforcement perspective... though I
| suppose the same is true for any honeypot links. Same goes for
| checking your "anonymous" email, unless the provider is only
| accessible to check email on Tor, for example. Anonymity, like
| security, is hard to do 24/7 if someone is actively interested
| in you...
| imwillofficial wrote:
| What is the route somebody takes to join forums like this? I've
| always found it fascinating. Even when I was a teenager.
| imhoguy wrote:
| word of mouth or challenges like Cicada 3301
| https://en.m.wikipedia.org/wiki/Cicada_3301
| cheeze wrote:
| I've read that the biggest thing is referrals. Gotta be in the
| know or 'trusted' by someone else in the scene
| thrownaway69 wrote:
| What do the elders of HN recommend if you find a serious bug in
| a security company's system?
|
| They don't have a security.txt or bug bounty. First time I've had
| to go thru data I've obtained and email multiple times to get the
| thing patched. They were ass about it.
|
| p.s. The company is affiliated with three letter agencies and
| basically offer them device decryption.
| varjag wrote:
| No honor among thieves.
| praptak wrote:
| It would be out of character for a government agency to act like
| that.
|
| Shutdown and a threatening message? Maybe. Dumping the data on
| darknet? I'm not even sure if they can legally do that. Besides,
| which agency wouldn't use that to gain even more possibly useful
| information?
| temp485850 wrote:
| You've clearly never heard of intelligence laundering before.
| libraryatnight wrote:
| Am I the only person, when thinking of governments, that has
| removed "legality" as a barrier to any potential action?
| srswtf123 wrote:
| You most certainly are not the only person.
|
| At this point, I _presume_ governments are breaking every law
| on the books. Who is going to stop them?
| juanani wrote:
| The government, in a time of war, will pull all sorts of nasty
| shenanigans. Thankfully, we've been at war for a while so..
| don't be traitors now.
| cosmodisk wrote:
| Nowadays you just call it the fight against terrorism and
| greenlight whatever you want.
| osipov wrote:
| It would not be out of character for a government contractor...
| sunstone wrote:
| Traditionally the message on the hacked homepage should be: All
| your base are belong to us.
| 1f60c wrote:
| What you say!!
| RedShift1 wrote:
| You have no chance to survive make your time!
| smoldesu wrote:
| Yeah, today's hackers lack class. The Cyberpunk codebase hack
| would be pretty funny if someone awk'd the subtitle files to
| say "Can I haz cheeseburger?", but I guess today's crowd is
| more interested in editing HTML and CSS.
| majkinetor wrote:
| Damn be those hacker hackers for breaking such a great
| tradition.
| killjoywashere wrote:
| In addition to law enforcement, keep in mind intel, counter-
| intel, and private-yet-national (e.g. Mandiant, Kaspersky,
| Sophos, et al)
| marshmallow_12 wrote:
| hmm. seems the US government hasn't been twiddling their thumbs
| doing nothing about Russian Hackers after all...
| joe_the_user wrote:
| Everyone's excuse is "state actors" now and maybe they're right;
|
| _Only intelligence services or people who know where the servers
| are located can pull off things like that," mused one mainstay of
| Exploit. "Three forums in one month is just weird. I don't think
| those were regular hackers. Someone is purposefully ruining
| forums._
|
| The thing with the state actor stuff is; once a state actor
| creates some tooling and methodologies, what could possibly
| prevent this from getting into private hands? (I mean, serious
| question) States have huge computing power for cracking passwords
| or whatever, states have "patience" but still, computing power can
| be stolen (via botnets or however), any process can be automated,
| etc.
| lpriv wrote:
| I suck cocks.
| ivanech wrote:
| [deleted]
| [deleted]
| dang wrote:
| " _Please don't complain about website formatting, back-button
| breakage, and similar annoyances. They're too common to be
| interesting. Exception: when the author is present. Then
| friendly feedback might be helpful._"
|
| https://news.ycombinator.com/newsguidelines.html
| ivanech wrote:
| Whoops, sorry!
| dang wrote:
| Appreciated! These things genuinely are super annoying,
| which is why we need the rule. It's about foregoing a local
| optimum (justified but repetitive criticism of flaws in web
| pages and software) for a global one (more interesting,
| less predictable conversation).
| lpriv wrote:
| Hjj
| lpriv wrote:
| Gjj
| gigatexal wrote:
| The data that was harvested was leaked to other "dark web"
| locations. The gangster move to take out your hacker competitors
| is to "out" these hackers on something more social like a github
| dump or to pastebin.
| zelon88 wrote:
| Unless you want to run extortion or blackmail against them.
| ivrrimum wrote:
| Yeah... like any serious hacker would use his real
| email/identity when registering into a cybercriminal forum.
|
| Clickbait..
| beny23 wrote:
| Was it due to an intern?
| Strongylodon wrote:
| People still post about crime on the internet?
|
| A LOT of anti social people seem to act badly thinking no one is
| going to even look at what logs exist due to existing policy, let
| alone illegal sources of info that are used in parallel
| construction.
|
| https://www.npr.org/2021/03/04/973696073/a-former-police-chi...
| cyberlab wrote:
| > spurring fears among criminals that their identities might be
| exposed
|
| I imagine there is very little to gain from the leaked
| credentials. I mean we are talking about cyber-criminals, who
| always like to mess with their real IP with Tor or VPNs. And who
| would be stupid enough to use their legal name on a darkweb
| carding forum?
| tgsovlerkhgsel wrote:
| People make mistakes.
| klingon79 wrote:
| Or people just make it look like they've made mistakes.
|
| Maybe this was an elaborate honeytrap set by the hackers for
| the hacker hackers.
|
| Possibly an AI independently hacked the hackers.
|
| A hacker may have convinced an AI to hack the hackers while
| posing as the hacker hackers. The AI then hacked the hackers'
| honeytrap which exposed one single piece of data included by
| mistake. Only the AI knows why, since the hacker was
| brainwashed by a secret society of vegans.
|
| News at 11.
| alksjdalkj wrote:
| You'd be surprised, after 10+ years worth of accounts and
| online presence it's easy to trip up - reuse an account name
| from years earlier, use their real email to register for a
| domain, etc. Krebsonsecurity.com has a few articles where he
| tracks down an attacker's real identity - e.g.
| https://krebsonsecurity.com/2020/07/twitter-hacking-for-prof...
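The pivot alksjdalkj describes (a handle reused from years earlier, a real email used to register a domain) is mechanical once you have a few dumps side by side. The following is an added example, not code from the article or from anyone in this thread: it links records by exact email match and by normalised handle match, then walks outward from one leaked account. Every handle, address, domain and name in it is constructed, and the generic-handle filter and minimum handle length are assumptions, there to cut down on false links from names like "admin" that thousands of unrelated people use.

```python
"""Pivot from a leaked forum account to other records via reused identifiers."""
import re
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

Node = Tuple[str, str]  # (kind, value), e.g. ("email", "x@y")

# Constructed records: every handle, address, domain and name is invented.
FORUM_DUMP = [  # (source, handle, email) from the freshly leaked forum
    ("forum-2021", "ghost_x", "ghostx.ops@example.invalid"),
    ("forum-2021", "carder77", "throwaway99@example.invalid"),
    ("forum-2021", "admin", "root@example.invalid"),
]
OLD_BREACH = [  # same shape, from an older unrelated site's dump
    ("gamesite-2012", "Ghost_X", "ghostx.ops@example.invalid"),
    ("gamesite-2012", "Carder77", "j.doe.real@example.invalid"),
    ("gamesite-2012", "admin", "someone.else@example.invalid"),
]
WHOIS_HISTORY = [  # (domain, registrant email, registrant name)
    ("ghostx-shop.example", "ghostx.ops@example.invalid", "G. Host"),
    ("unrelated.example", "bob@example.invalid", "Bob Builder"),
]

# Assumed heuristics: handles this short or this common link too many strangers.
GENERIC_HANDLES = {"admin", "root", "test", "user", "guest", "info"}
MIN_HANDLE_LEN = 5


def norm_handle(handle: str) -> str:
    """Case-fold and drop separators so 'Ghost_X' and 'ghost-x' collide on purpose."""
    return re.sub(r"[^a-z0-9]", "", handle.lower())


def build_graph() -> Dict[Node, Set[Tuple[Node, str]]]:
    """Undirected graph; each edge remembers which dataset produced it."""
    graph: Dict[Node, Set[Tuple[Node, str]]] = defaultdict(set)

    def link(a: Node, b: Node, why: str) -> None:
        graph[a].add((b, why))
        graph[b].add((a, why))

    for source, handle, email in FORUM_DUMP + OLD_BREACH:
        h = norm_handle(handle)
        if len(h) >= MIN_HANDLE_LEN and h not in GENERIC_HANDLES:
            link(("handle", h), ("email", email.lower()), source)
    for domain, email, name in WHOIS_HISTORY:
        link(("domain", domain), ("email", email.lower()), "whois")
        link(("email", email.lower()), ("name", name), "whois")
    return graph


def pivot(start: Node, max_hops: int = 4) -> Dict[Node, List[str]]:
    """Breadth-first walk from `start`; maps each reachable node to the chain of sources that led to it."""
    kind, value = start
    start = (kind, norm_handle(value) if kind == "handle" else value.lower())
    graph = build_graph()
    found: Dict[Node, List[str]] = {}
    queue = deque([(start, [], 0)])
    seen = {start}
    while queue:
        node, path, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for neighbour, why in graph.get(node, ()):
            if neighbour in seen:
                continue
            seen.add(neighbour)
            found[neighbour] = path + [why]
            queue.append((neighbour, path + [why], depth + 1))
    return found


if __name__ == "__main__":
    for node, chain in pivot(("handle", "ghost_x")).items():
        print(node, "via", " -> ".join(chain))
```

Starting from the forum handle "ghost_x", the walk reaches the old-breach record through the shared email, the domain through the WHOIS registrant email, and finally a registrant name; "carder77" links to a second, non-throwaway address only because the handle was reused on the older site. Each link is a hypothesis to be checked by hand, not proof: the generic-handle filter is the minimum you need to avoid joining every "admin" on the internet into one person.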
| ryanlol wrote:
| People have lost hundreds of thousands because they reused
| their forum logins on jabber... Lots (most?) of the people on
| these forums aren't hackers, but banking experts moving tens of
| millions of stolen money around the world.
| tgsovlerkhgsel wrote:
| How did they lose the money, impersonation? Are they running
| some informal banking/laundering system via jabber chats?
| ryanlol wrote:
| Hey, here's my new bitcoin address for payments:
|
| Hey, here's the new bank account info to send stolen money
| to:
|
| Hey bro, can you borrow me 100k for a few days?
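Two comments above make related points: naebother's, that a dump of usernames, emails and hashed passwords sounds harmless, and ryanlol's, that forum logins get reused on Jabber. The block below is an added example, not code from the article or from anyone in this thread, showing how little work sits between the two. It assumes the classic vBulletin 3/4 scheme, md5(md5(password) + salt), since the forums are said elsewhere in the thread to run old vB; the leaked rows, the wordlist and the second service's sha256 store are all constructed here so the run is reproducible.

```python
"""Offline cracking of a leaked salted-md5 forum dump, then a reuse check."""
import hashlib
from typing import Dict, Iterable, List, Tuple


def vb_hash(password: str, salt: str) -> str:
    """Assumed scheme: classic vBulletin 3/4, md5(md5(password) + salt)."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


# Constructed leak: plaintexts are chosen here only so the rows can be built.
_PLAINTEXTS = [
    ("carder77", "c77@example.invalid", "Qz3", "Winter2019!"),
    ("dropguy", "drop@example.invalid", "k9L", "letmein"),
    ("ghost_x", "gx@example.invalid", "aa1", "correct horse battery staple"),
]
LEAK: List[Tuple[str, str, str, str]] = [
    (user, email, salt, vb_hash(pw, salt)) for user, email, salt, pw in _PLAINTEXTS
]

# A tiny stand-in for the multi-gigabyte wordlists crackers actually use.
WORDLIST = ["123456", "password", "letmein", "winter2019", "qwerty", "summer2020"]

# Constructed second service (a Jabber server, say) storing sha256(password).
JABBER = {
    "carder77@jabber.example": sha256_hex("Winter2019!"),
    "dropguy@jabber.example": sha256_hex("Different-Pass-42"),
}


def mangle(word: str) -> Iterable[str]:
    """A few cheap rules of the kind every cracker applies: case and suffixes."""
    for base in (word, word.lower(), word.capitalize()):
        yield base
        for suffix in ("1", "!", "123"):
            yield base + suffix


def crack(rows: List[Tuple[str, str, str, str]], wordlist: List[str]) -> Dict[str, str]:
    """Return {username: plaintext} for every row a mangled wordlist entry matches."""
    cracked: Dict[str, str] = {}
    for user, _email, salt, digest in rows:
        # The inner md5 does not depend on the salt, so a real cracker computes
        # it once per word; only the outer md5 is per-user. Two md5s per guess
        # is why a 10-character password falls in minutes on a single GPU.
        for word in wordlist:
            hit = next((g for g in mangle(word) if vb_hash(g, salt) == digest), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


def reused_accounts(cracked: Dict[str, str], jabber_store: Dict[str, str]) -> List[str]:
    """Which cracked forum passwords also open the same handle's Jabber account."""
    hits = []
    for user, password in cracked.items():
        jid = f"{user}@jabber.example"  # assumed mapping: same handle on both services
        if jabber_store.get(jid) == sha256_hex(password):
            hits.append(jid)
    return hits


if __name__ == "__main__":
    found = crack(LEAK, WORDLIST)
    print("cracked:", found)
    print("reused on jabber:", reused_accounts(found, JABBER))
```

Of the three constructed users, the two with wordlist-derived passwords fall immediately; the long passphrase survives. The one whose forum password is also his Jabber password is exactly the account an attacker would then use to send a "here's my new bitcoin address" message to his contacts, which is the loss ryanlol is describing.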
| doniphon wrote:
| Strike Back - XXI season teaser
| williesleg wrote:
| About fucking time those commie chinese bastards get their shit
| stolen. Hopefully now I won't get those shit calls about my car
| warranty. Assholes.
| ChuckMcM wrote:
| Personally I would expect to see more of this than we have. After
| all, with crypto cash exploding in value it seems like there are
| assets to be seized. But the cynic in me suspects that it's really
| just an escalation of the world wide cyber war that has been
| going on for years now and is getting more resources as it hits
| more sensitive spots.
| 0xbadcafebee wrote:
| I'll bet money this is a private corporation that sells 0days
| taking out their competition.
|
| State-sponsored entities and research groups don't take down
| forums, for the same reason you don't arrest all the low-level
| perps on the street. You need to watch them to trail them to the
| bigger crimes. And blackhats don't take out forums of other
| blackhats.
___________________________________________________________________
(page generated 2021-03-07 23:00 UTC)