Being a hackerman initiate, do most large hacks happen from social engineering and lazy admins not doing their job, i.e., human error? Seems that way to me. Also, learned path traversal techniques today, kewl.

Attached: DPXgzZWUQAAe8pi.jpg (675x1200, 75K)

Most hacks are social engineering and reused passwords.

This, but in my case it's usually "lol the admin never changed the stock password, what a fucking retard".

In the past password resets were also pretty useful.

>in case you forget your password, please answer the following secret question
>what is your hobby / what is your mother's name

Most vulnerabilities do come from human error, but not really from admins. A lot of it is social engineering and poorly trained employees who don't abide by the rules to protect a customer's privacy. With a name and a phone number, you can call that person's cell phone provider and obtain full access to their account with good acting skills. You can act like the person's spouse and get access by acting all distressed and in a hurry, and the operator on the line will likely not care if you can't answer the security questions or give the person's SSN or anything.

Robocalls and telemarketing will always generate more revenue than trying to brute force into a network system.

A lot of 2-factor verifications are also actually just 1-factor as they allow you to reset your password via SMS. Which must be the stupidest trend ever.

>lazy admins not doing their job
Change control is stronger than laziness.
Software exploits often have to be there because changing something will take weeks of testing before deploying a fix.

You've got social engineers and you've got hackers, along with script kiddies sitting in mom's basement.

All three are a type of genius in their own right. One has a silver tongue, one is a programmer, the other finds programs a programmer wrote to find exploits.

If a hacker wants in, he's going to get in... Invest in IDS like Tripwire if you think you're going to be a target; those guys are into corporate espionage etc.

Social engineers? Incompetent employees.

Script kiddies: make it hard for 'em and they'll move on to another target.

Hey OP, the answer is "it depends". The key definition here is what you mean
by "big hacks."

Today there are a few different players in the "cyber game". Ranked in order
of technical capabilities:

Nation states that can employ vuln research teams, rootkit devs, etc. NSO
Group sells to this level of actor. Access to information is the driving
factor behind these ops.

Lesser tier nation states, like North Korea. "Lazarus Group" is the name the
threat intel people go with for NK. Stealing cryptocurrencies has proven a
fruitful undertaking for Kim.

Private firms that sell capabilities. NSO is the top right now, although they
have gotten a lot of bad press. Hacking Team is mid tier, okay but not great
capabilities. COSEINC is pretty high tier, sells exploits and capabilities
to the highest bidder (China, look up Thomas Lim's Infiltrate keynote). Wolf
Intelligence is a scam with 0 technical talent, but God bless their biz
hustle. Look up "post-Snowden cyber arms hustle".

Skilled crews/individuals. Phineas Fisher is the most well known player because
he took Gamma and Hacking Team's stuff. Read his "Hack Back: A DIY Guide."
Starts off with pretty typical recon whatever, then he finds an 0day in the
middle of the article and uses it to slip in. Really great stuff, did an
interview with Vice as a puppet. Italian police have no leads. I hope he stays free.

Malware authors operating from organized crime groups can be pretty skilled,
along with ransomware devs (sometimes). Mostly it's just stuff stolen and
repackaged to try and make money. People will call malware authors "evil" or
whatever, but they are the reason most infosec people in the USA have a job, so
I'm fine with them. Write some malware to steal
(cont)

>that tatoo
yikes
Old servers get hacked easily, for example there's a nudes page I found the other day which runs RHEL 5 and I'm pretty sure that's out of support. It has to have some security problems

(correction from last post, meant to write that NSO is at the level of good
teams, does not sell to the Fort lol. They mostly sell to the Saudis and the Mexican
government, countries that don't have decent SIGINT. ianbeerBHtalk.amnestyintnational)

Write some malware to steal BTC, make 10K a month without
having to report to an annoying manager. Not a bad gig.

Attention whores/low skill crews. Their capabilities are mostly limited to
defacement via subdomain takeover, pulling public stuff off Exploit-DB and
GitHub. LulzSec was the classic example of this.

If by "large hacks" you are referring to data breaches, the most common
reason is a company left a bunch of data sitting around in an area that was
easily accessed in a way it should not have been. Equifax is the big example
that is in everyone's mind right now. Read the House Oversight whatever
report that just came out for details on the Struts exploit. Every dumbass
"infosec thought leader" on Twitter gave their take on this, but the tl;dr is
Equifax was a business that pursued an aggressive growth strategy and the
leadership didn't put enough resources into making sure the IT infrastructure
could be kept robust. They also should have had better detection capabilities.

Other stuff is more complex. WannaCry happened because someone took a great SMB
exploit and shoved it in some ransomware. Took down Maersk and some hospitals.

Most companies simply do not have great IT. The only companies that can afford
to have a good security team are mega tech firms, F100, and some defense
contractors. If Unit 61398 takes their pick of any US firm tomorrow, they are
going to get their hands on whatever data they need.

Even the top "nation states" use stuff like Word doc macros and stuff ripped
off GitHub because it works. Podesta's emails got taken via phishing. Why
buy 0day if the simple stuff works?

If you're interested in the blockchain side of stuff, look up Magoo's
"Blockchain Graveyard."

Cheers!

Why bother? Seriously, with the way cucks post every bit of what they do on Facebook, all you gotta do is watch what your "victim" posts and you can learn everything about them.

wrong

Whitehats and greyhats are usually into more complicated things. I used to do a bunch of stuff to start up websites that had absolutely NOTHING to do with passwords or accounts.

There is plenty of fun to be had without being le social engineer man

Like 999/1000 hacks are from unpatched software. It's that easy. The day a CVE comes out for something is the day that the software has to be upgraded. Big companies with a lot of shit running don't do that because they are incompetent and because they forget about what they are running. I was in the hospital recently and saw a machine running XP. Discovering zero days yourself is a waste of time. Why would you do that when you can just scan IP ranges and get thousands of machines that aren't patched?
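The "scan ranges for unpatched versions" approach the post describes is, at its core, banner parsing plus version comparison. The following is an added example of that triage step (not the poster's code); the banners, addresses and the `FIXED_IN` table are constructed placeholders, not statements about any real advisory.

```python
import re

# Constructed sample of service banners as a scanner would collect them.
# The hosts and versions are invented for this example.
SAMPLE_BANNERS = {
    "10.0.0.5:22":  "SSH-2.0-OpenSSH_7.4",
    "10.0.0.9:22":  "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "10.0.0.12:80": "Apache/2.4.29 (Ubuntu)",
    "10.0.0.14:80": "Apache/2.4.58 (Debian)",
    "10.0.0.20:80": "nginx",  # version hidden: cannot be judged from the banner
}

# Hypothetical "fixed in" table: the upstream version in which the vendor
# shipped the fix for whatever advisory you are tracking. Placeholder values.
FIXED_IN = {"OpenSSH": (8, 0), "Apache": (2, 4, 50)}

# Product name followed by an optional dotted version; 'p1' style suffixes
# and anything after a space are ignored.
BANNER_RE = re.compile(r"(OpenSSH|Apache|nginx)[_/]?(\d+(?:\.\d+)*)?")


def parse_banner(banner: str):
    """Return (product, version_tuple) or (product, None) if no version shown."""
    m = BANNER_RE.search(banner)
    if not m:
        return None, None
    product, ver = m.group(1), m.group(2)
    return product, (tuple(int(x) for x in ver.split(".")) if ver else None)


def classify(banner: str) -> str:
    """'below_fix' if the advertised version predates the fix, 'at_or_above_fix'
    if it does not, 'unknown' if the banner gives nothing to compare."""
    product, version = parse_banner(banner)
    if product not in FIXED_IN or version is None:
        return "unknown"
    return "below_fix" if version < FIXED_IN[product] else "at_or_above_fix"


def triage(banners: dict) -> dict:
    """Map each address to its classification; tuple comparison handles
    versions with differing numbers of components."""
    return {addr: classify(b) for addr, b in banners.items()}


if __name__ == "__main__":
    for addr, status in triage(SAMPLE_BANNERS).items():
        print(f"{addr:14} {status:16} {SAMPLE_BANNERS[addr]}")
```

The practitioner's caveat: `below_fix` means "needs verification", not "vulnerable". Enterprise distributions such as RHEL and Debian backport security fixes without bumping the upstream version string, so a box advertising `OpenSSH_7.4` can be fully patched; a banner check is a prioritisation tool, and the real answer comes from the package manager or from actually testing the flaw.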

you make mad $$$ where my IDA Pro niggas at

It's a mix. As a blue-teamer at a big Dow Jones company that has been victim to industrial espionage, we are always on the lookout for all of it. I would say these are the biggest threat vectors my company faces, in this order.

1. Employees & contracted workers moving data off the network, whether maliciously or just by accident. DLP is the biggest area of security spend right now.
2. User controls & permissions. Too many people have access to stuff they don't need. We aren't spending a lot here yet but we consider it a huge risk.
3. Technical flaws in our networks and systems. We are individually targeted by 0days, but our systems design helps contain damage. This is the flashiest area of our work, but realistically your prep work for 0days is damage control, which isn't a super fun thought.
4. Social engineering of support staff. We re-engineered all of support a few years ago; you now need to authenticate with a 2FA code (not a phone number!) to use any support service over the phone, and we regularly send 'secret shoppers' through various support channels to test how effective their training is against shit like pretext calling.

>DLP
lmao, is it total garbage? Every bulge bracket in NYC is using some total shit.

Love and support from the NYC crew. You find any PLA implants recently?

Nothing is a match for some exec who has you break protocol because their nephew Timmy needs his rootkitted ipad on the network to play Fortnite and they won't take no for an answer lest you lose your job.

If that's your arm, you're gayer than two boys fucking.

Seriously, what the fuck are we looking at?
How in the FUCK is your forearm bigger than your bicep area?
Do a fucking push up every once in a while, Christ.

Just put it on a separate VLAN and don't be that autistic IT guy freaking out about execs not understanding stuff.

The gay Kali Linux tattoo really sets it off.

Your post is nicely formatted.

We have two products in use right now.
IBM Guardium, which is hot garbage.
Azure Information Protection, which is actually pretty decent as long as employees properly tag their documents.

I think Guardium can be alright if your data is highly numbers based (it works great with financial info and spreadsheets), but we can't get it to match on any of our engineering data aside from just datatypes.

We have a C-level security officer who isn't a total waste of space, so we involve him whenever another exec decides to get uppity. Doesn't last long. We have a 'manager requests security violation' escalation template in ServiceNow that fast tracks it to him.

Wait, were you at Dow when jbone was CISO? Shout out to Muddy Waters/Immunity lmao.

Sorry, to be clear: I work for a manufacturer that is part of Dow's index.

I'm sorry OP but I had to report for underage.

Look at the size of his thighs.

*richard bejtlich screaming chinks in the wire intensifies* #NetworkDefender #NSM #Bro #Snort #infosec

Can't use reverse image search
>the absolute state of /g/

Of the distros you could use on a server, which ones have the more timely security patches in their repositories?

>Kali Linux tattoo
hahahaha aaaaaaaaaaaaaaaahahahahahahhaha

Yep, zoomers are not fucking retarded at all.

Good post.

How is your bicep bigger than your forearm?
When working out my biceps, my forearms always get a nice workout too.

You got cucked by Hollywood-style marketing. Hacking is not cool, and besides, if you're not an experienced programmer you'll never have the foundation to become a halfway decent cracker or "pentester".