Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Lewis Maddison

CISA outlines guidance to prevent big tech being hacked again so easily

Hacker

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a new report recommending that businesses make some changes to their security in light of the infamous Lapsus$ attacks. 

Lapsus$ is a threat group that used a range of relatively simple tactics to breach some of the biggest names in tech, including Microsoft, Nvidia, and Samsung. It was also responsible for leaking content from Rockstar Games' upcoming video game Grand Theft Auto VI.

Seven people in connection with Lapsus$, aged between 16 and 21, were arrested last year, but the group has claimed since that it is still active, and CISA warns that it and other similar threat actors are able to use "a playbook of effective techniques" to launch attacks to a "great and wide effect." 

SIM swapping and passwordless

Chief among the Lapsus$ tactics was sim swapping, whereby attackers managed, via social engineering attacks and other methods, to access incoming messages from phones belonging to employees at the target firm, in order to receive valuable info such as two-factor authentication codes delivered via SMS. 

CISA therefore wants the Federal Trade Commission and Federal Communications Commission to "mandate and standardize best practices to combat SIM swapping," as well as imploring cell operators to "better protect their customers by implementing stringent authentication methods."

This could include letting users lock their accounts out of SIM swaps, requiring strong verification procedures to allow them, and letting them see a record of what SIM swaps have occurred.

To further combat the issues, CISA also suggest that companies adopt passwordless solutions, which require no credentials or multi-factor authentication codes that can be intercepted. 

Passkeys are the current favorite, with their FIDO 2 standards set by the FIDO Alliance, a cross-industry association featuring all the names in big tech on the board of members, including Apple, Amazon, Google, and Microsoft. Many of the best password manager options are also starting to support eh use of passkeys, including Dashlane, 1Password and Bitwarden. 

They work by storing a cryptographic key on your device, which is not known to anyone. It is combined automatically with the pubic key of the service the user is trying to access their account for, granting them access. 

All that's needed to authenticate the login is whatever is used to lock the device itself. Typically, in the case of smartphones, this means biometric data, such as a fingerprint or facial recognition. A physical security key can also be used. 

As the known operators within Lapsus$ were so young, CISA also suggests that a Congress-funded prevention programs should be launched to stop juveniles getting involved with cybercrime, as well as redirecting those already involved away from it.   

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.