CISA outlines guidance to prevent big tech being hacked again so easily
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a new report recommending that businesses make some changes to their security in light of the infamous Lapsus$ attacks.
Lapsus$ is a threat group that used a range of relatively simple tactics to breach some of the biggest names in tech, including Microsoft, Nvidia, and Samsung. It was also responsible for leaking content from Rockstar Games’ upcoming video game Grand Theft Auto VI.
Seven people in connection with Lapsus$, aged between 16 and 21, were arrested last year, but the group has claimed since that it is still active, and CISA warns that it and other similar threat actors are able to use “a playbook of effective techniques” to launch attacks to a “great and wide effect.”
SIM swapping and passwordless
Chief among the Lapsus$ tactics was sim swapping, whereby attackers managed, via social engineering attacks and other methods, to access incoming messages from phones belonging to employees at the target firm, in order to receive valuable info such as two-factor authentication codes delivered via SMS.
CISA therefore wants the Federal Trade Commission and Federal Communications Commission to “mandate and standardize best practices to combat SIM swapping,” as well as imploring cell operators to “better protect their customers by implementing stringent authentication methods.”
This could include letting users lock their accounts out of SIM swaps, requiring strong verification procedures to allow them, and letting them see a record of what SIM swaps have occurred.
To further combat the issues, CISA also suggest that companies adopt passwordless solutions, which require no credentials or multi-factor authentication codes that can be intercepted.
Passkeys are the current favorite, with their FIDO 2 standards set by the FIDO Alliance, a cross-industry association featuring all the names in big tech on the board of members, including Apple, Amazon, Google, and Microsoft. Many of the best password manager options are also starting to support eh use of passkeys, including Dashlane, 1Password and Bitwarden.
They work by storing a cryptographic key on your device, which is not known to anyone. It is combined automatically with the pubic key of the service the user is trying to access their account for, granting them access.
All that’s needed to authenticate the login is whatever is used to lock the device itself. Typically, in the case of smartphones, this means biometric data, such as a fingerprint or facial recognition. A physical security key can also be used.
As the known operators within Lapsus$ were so young, CISA also suggests that a Congress-funded prevention programs should be launched to stop juveniles getting involved with cybercrime, as well as redirecting those already involved away from it.
