[HN Gopher] N. Korean hackers breached 10 defense contractors in...
___________________________________________________________________
N. Korean hackers breached 10 defense contractors in South for
months
Author : hassanahmad
Score : 57 points
Date : 2024-04-24 18:37 UTC (4 hours ago)
(HTM) web link (english.hani.co.kr)
| verisimi wrote:
| So simple for police to establish the location of hackers...
| HenryBemis wrote:
| Well, yes, but not really. Also, please elaborate... and
| assuming that the Police of X country has evidence that the
| hackers are in Y country, it's not 'that' easy to get them
| arrested, tried, convicted. Is it?
| Eji1700 wrote:
| I mean...it literally says in the title they're from N.
| Korea. So it's not like we don't know where they are, and we
| all know the US government can do mostly fuck all about that,
| so not sure what point OP was trying to make.
| kube-system wrote:
| These aren't street cops, this is South Korea's national police
| agency, not unlike the FBI. They have the expertise and
| resources to investigate internet crimes, and an 8 billion
| dollar budget. And they also sometimes work with international
| partners.
| HenryBemis wrote:
| > ..outsourcing relationships with them..
|
| One of my latest gigs was on Third-Party Security. For years and
| years companies (especially banks) were giving little to no
| attention to third-party security/privacy. I've happily seen that
| over the past 5 years most (mega-big) banks have taken it "all
| the way up to 11".
|
| Hackers are smart people, why hack company X with 50 people on
| their SOC and not hack a vendor that is lazy and clumsy? (and in
| some cases it's 5 guys with laptops behind a cheap never-hardened
| router in some random country)
| hangonhn wrote:
| Oh and then when they get breached they will send me a letter
| informing me and say it was their vendor's fault.
|
| No, buddy. That's still on you.
| manvillej wrote:
| Third Party Risk is a big deal these days. Especially with the
| rise in supply chain attacks.
| everdrive wrote:
| That's the primary thing a contractor does: get breached. They
| also cost the same as an employee, but are usually less talented
| or at least less integrated within the organization. Somehow, the
| moment you become an executive, contractors become an appealing
| option due to some unknowable black magic.
| Rinzler89 wrote:
| _> due to some unknowable black magic_
|
| That "black magic" is just different budget pools.
|
| Taxpayers and shareholders hate seeing lots of highly paid
| people on the payroll, so instead, you have very few full time
| employees (usually managers) that fit within your limited
| hiring budget dictated from the top to show you're a lean and
| responsible organization that doesn't waste money, and then you
| have a lot of even more expensive external contractors to
| balance your needs that are part of a different budget that's
| less scrutinized because those are not _YOUR_ employees,
| they're just soulless bills in an Excel sheet, like the one for
| catering, cleaning, maintenance, etc. which are rubber stamped
| and nobody looks at.
|
| Blame our capitalist society for hating to see people on the
| payroll, assuming it automatically means inefficiency.
| Eji1700 wrote:
| Yeeeeeup.
|
| And even better, contractors often cost VASTLY MORE than an
| employee because you've got a shit ton of middle man overhead
| to cover (their HR, their benefits, their managers, etc).
|
| It's darkly funny how much of modern business management is
| really just knowing how to get the right numbers in front of
| the right people. I've worked at far too many places that
| have someone who ONLY looks at payroll and wants to make sure
| it doesn't go up too much. "Everything else" isn't their
| concern, so all those projects get bloated with consultants
| that just fall under project budgets.
| KittenInABox wrote:
| Contractors are appealing because they don't have the same
| legal liabilities or expectations as an employee. You don't
| have to worry about PTO, 401k, healthcare, sick days,
| overworking, family leave, mandatory breaks, respecting any
| unionization attempts, etc. You don't have to worry about
| withholding their wages for things like taxes, social security,
| etc.
| HankB99 wrote:
| When the need for their talents is gone, you just cut them
| loose. (Likewise if the company hits a budget crunch as
| well.)
| GartzenDeHaes wrote:
| Use of contractors allows for outsourcing of blame.
| resource_waste wrote:
| "That's the primary thing a contractor does: get breached. They
| also cost the same as an employee, but are usually less
| talented"
|
| Is this exclusive to government work?
|
| In my industry the employees are the people who are less
| talented and basically have to stick around at the same job
| until retirement. They 'don't think they can learn a new job'.
|
| These are engineers too. Mind boggling.
| carabiner wrote:
| "Contractor" here just means a company that does business with
| the government. Google and Microsoft are both contractors for
| the US govt.
| resource_waste wrote:
| I have no idea what to do about tech security. The holes will
| seemingly always exist unless we go back to safety critical code.
|
| It's far easier to be a hacker than a programmer of the same
| economic/political influence. You can take the second or third
| tier of programmers and they will be able to get you into a
| system.
|
| My only thought is to only prevent non-anonymous entry, require
| some real world presence, and have captchas between commands...
| This doesn't scale.
| mamonster wrote:
| The main problem is that most companies are still not spending
| anywhere near enough on cyber. Even the big boys (mostly because
| until they actually get hacked they have no idea how much value
| they have at risk and IMO gov fines for this are nowhere near
| big enough) like systemic banks are way behind where they
| really need to be.
|
| The problem with cybersecurity is that if you have no breaches
| it's a "great" item for some striver manager to cut, and if you
| get breached the budget will go up, but the guy in the
| cybersecurity department will at a minimum get told off and
| held back, and likely fired.
| vondur wrote:
| Serious question, how hard would it be to block all data from
| North Korea, or do they piggy back on other networks?
| manvillej wrote:
| Yes, hackers will use VPNs.
| chankstein38 wrote:
| I was wondering this too! Like could we just turn off North
| Korea's international internet?
| saagarjha wrote:
| North Korean hackers often operate from different countries.
| mamonster wrote:
| If China and Russia were willing to play along then sure.
| protomolecule wrote:
| You, Americans, need to stop having the illusion that you own
| the internet.
| wood_spirit wrote:
| It would be technically straightforward for China to put a stop
| to the current crop of NK hacker groups.
| spxneo wrote:
| Despite being allies, a big reason why Americans do not trust or
| share sensitive information with South Korea: whatever they share
| always ends up in North Korea and China.
|
| But perhaps the biggest enablers of these security lapses aren't
| just the shoddy cybersecurity management but the political
| environment.
|
| Anytime you try to fix or address an issue, the opposition party
| will take a contrarian stance without merit.
|
| No political party in America will disagree with the events of
| 9/11, yet in South Korea a disagreeing/contrarian stance is the
| default because they have a premature understanding of what
| democracy is (ex.
| https://en.wikipedia.org/wiki/ROKS_Cheonan_sinking - imagine if a
| major American political party started refuting the events of
| 9/11 and defending Al Qaeda!)
|
| So it's no wonder that stuff like this will result in no arrests
| and waste valuable tax dollars.
| alephnerd wrote:
| A lot of Korean govt tech is also just protected by defense in
| depth instead of strong principles. It's kinda sad that
| Japanese organizations that by most standards are much more
| behind SK in digitization tend to at least have half decent
| security fundamentals. Hell, a misconfigured key exchange in
| their switch took down the entire government for 4 days because
| they couldn't even find it.
|
| One jarring thing I heard from friends is the hacky MDM the
| ROKA would try to install on phones of conscripts who are
| serving. Instead of undermining the default security measures
| they should just ban all outside interconnected devices or buy
| a half decent MDM instead, but then again the contract wouldn't
| go to some politically connected dev consultancy.
|
| ROKA (and a lot of Korean government institutions) are just
| plain incompetent at long term maintenance tbh (which makes
| sense as most infra in SK is newish - only 30-50 years old at
| most).
|
| They should also just end KATUSA which is clearly being abused
| by the politically connected.
| spxneo wrote:
| Another quality insider info, greatly appreciated alephnerd!
| laborcontract wrote:
| Can you elaborate or provide a link to the KATUSA stuff?
| mamonster wrote:
| >they have premature understanding of what democracy is
|
| SK's problem is that unlike Japan with zaibatsu there was
| basically no movement/attempt to delimitate the powers of
| chaebols. Result: your "average" SK person is quite happy to
| launch into "deep state" related topics and has been ready to
| do so for the last (at least) 20 years. I've spent quite a bit
| of time there and a lot of the people I met have "shady
| oligarchy nudges the country" as their default image of the
| political landscape.
| macintux wrote:
| Don't be too sure about your assessment of American politics.
| We have one major political party who is at least half in the
| bag for Russia during a war of aggression.