I’ve never postured to be someone who understands and appreciates high-brow art and culture, so I’m not ashamed to admit that I’ve come to regard the 1984 film classic Revenge of the Nerds as one of the greatest flicks of all time. I put it up there with Animal House, a tour de force for folks like me who appreciate puerile humor, but that film lacked the vision of Revenge of the Nerds, whose prescience I’d liken to Orwell’s. Revenge of the Nerds prepared us for the world in which we are currently living.
For the art house crowd, Revenge of the Nerds was a film about a fraternity of socially challenged computer geeks who used technology to wreak havoc on the jocks who harassed them and the sorority girls who tormented them. The nerds understood technology and how to harness it to further their ends, like installing video cameras in a sorority house. It goes without saying that I’ve developed the maturity to know that behavior was wrong and criminal, but the portrayal of nerds getting the upper hand because of their technology prowess was ahead of its time.
I’ve become fascinated with the world of cybersecurity since reading about Uber’s recent hack, which caused the company to lose control of its internal IT systems. Unlike most of the public, I refuse to adopt a “yeah, whatever” attitude about the global epidemic of corporate and government breaches, which I regard as a major threat to U.S. national security and the personal and financial safety of Americans.
What’s alarming about the hacks is that breaking into corporate IT systems literally might be child’s play. Earlier this year London police arrested seven individuals believed responsible for some of the more egregious corporate hacks, ranging in age from 16 to 21. The youths were said to be part of a cybergang known as Lapsus$ who have successfully attacked other technology companies you’d expect would be on the cutting edge of cybersecurity, including Microsoft, Cisco, Nvidia, Samsung, and Okta, which – are you ready for this? – is a San Francisco-based IT management company specializing in secure user authentications.
Uber said it believes Lapsus$ was behind the company’s latest breach.
The BBC reported in March that London police had identified one of the leaders of the Lapsus$ gang, a 16-year-old who lives with his parents and reportedly has amassed a personal fortune estimated at $14 million. The teenager, who couldn’t be identified because of his age, reportedly is autistic and attends a special needs school in Oxford.
News that the teenager, whose online moniker was “White” or “BreachBase,” was a notorious and wealthy cyber extortion gang leader came as a shock to his father.
“I had never heard about any of this until recently,” the teenager’s father told the BBC. “He’s never talked about any hacking, but he is very good on computers and spends a lot of time on the computer. I always thought he was playing games.”
The BBC said the boy’s mother declined to comment.
London police said they arrested seven individuals related to the Lapsus$ gang but it wasn’t clear if “White” was one of them. The Lapsus$ gang is believed to have a major presence in South America, where some of their most notorious breaches have taken place, including hacking into Brazil’s health ministry’s website and gaining access to the systems storing information about the country’s national immunization program and issuing digital vaccination certificates.
Interestingly, White’s identity became known because there is apparently honor among cyberthieves. As reported by Brian Krebs, a former Washington Post writer with a website called Krebs on Security, White ran afoul of the dark web crowd after purchasing Doxbin, a website where cybercriminals can post personal information about a target or find personal information on hundreds of thousands of people whose identities had been “doxed,” or exposed.
“(White) wasn’t a good administrator, and couldn’t keep the website running properly,” Allison Nixon, chief research officer at Unit 221B, a cybersecurity consultancy based in New York, told Krebs. “The Doxbin community was pretty upset, so they started targeting him and harassing him.”
White got the message and sold Doxbin, supposedly at a considerable loss. In a FU to his harassers, White made public Doxbin’s entire data set.
“Back at you,” the harassers declared, making public White’s identity and videos supposedly shot at night outside his home in the United Kingdom.
That’s supposedly how the London police were able to finger White.
That a 16-year-old could manage a global network of cyber thieves doesn’t ring right to me, and I’m heartened that some of Krebs’ readers agree with me. To hack into systems, White was reportedly openly bribing insiders at technology companies and wireless carriers, offering generous bounties of $20,000 a week to perform “low risk” inside jobs.
“It is difficult for me to believe this whole story,” a reader with the moniker Enestas posted on Krebs’ website. “It reeks of a scapegoat. While I could stomach that there is a super talented mastermind teenager, the real issue comes from having all those funds to pay the employees and their massive success in such a short time.”
Regardless of the age of the Lapsus$ gang, what’s disconcerting is that some in the cybersecurity community aren’t surprised that Uber was hacked because the company allegedly wasn’t following best practices to prevent a breach.
“Uber may not have followed best practices, but many other companies don’t either,” security researcher Bill Demirkapi told the trade publication Dark Reading. “The main point I’d like to drive home is the importance of not only investing into security for your organization, but specifically investing into these best practices as well.”
One would expect that Uber would be a leader in best practices given that its chief information security officer (CISO) is Latha Maripuri, who regularly speaks at cybersecurity conferences, including Bloomberg’s Technology Summit held last June. But let’s not rush to judgment about Maripuri.
I imagine being a CISO is a thankless job, as few people appreciate the importance of the position until there’s a breach. There’s a significant cost to keeping abreast of best practices and then immediately making the necessary investments, which many companies no doubt are reluctant to make. Many CEOs seem to prefer to live dangerously and risk paying significant legal settlements rather than paying to protect their IT at a fraction of the cost.
Hackers aren’t only targeting big corporations. Hospital systems are supposedly a walk in the park to compromise, which explains why healthcare accounts for nearly 79 percent of all reported IT breaches. These breaches put patients at risk.
Last December, Ultimate Kronos Group (UKG) disclosed that it was the victim of an ongoing ransomware attack impacting its Kronos Private Cloud, which hosts the workforce management software most widely used by U.S. corporations, municipalities, and public entities. Millions of workers, including frontline hospital staff, police officers, and firefighters, couldn’t be paid in a timely manner because of the breach.
Then there are the hacks the public never hears about, like the unidentified hotel in Israel whose swimming pool controller was breached, giving the cyber attackers control of its pool chemical concentrations. IT breaches are so pervasive there’s even a YouTube channel reporting on them. Shannon Morse, the channel’s anchor, strikes me as more authentic and representative of her generation than most of the on-air talent at the major networks.
As porous as America’s corporate IT systems are, U.S. government systems are seemingly way worse. The Washington Post on April 21, 2021, posted this story headlined, “Chinese Hackers Compromise Dozens of Government Agencies, Defense Contractors.” It quoted technology expert Charles Carmakal saying the hack was “classic” China-based espionage, involving theft of intellectual property and project data.
“We suspect there was data theft that occurred that we won’t ever know about,” Carmakal said.
That’s how pathetic IT protections really are. The U.S. government suffered major breaches and doesn’t have a clue as to all the data that was compromised. One must be Pollyannish to believe that if a U.S. president ever engages the nuclear codes, the missiles will fire.