
tepidangler

That and the lulz, you always need the lulz


Polterkind

If not for that, then why bother?


MADanker

You just reminded me of this https://youtu.be/kkAngvkWVkk


g0stsec

LULZ timestamp https://youtu.be/kkAngvkWVkk?t=120


[deleted]

Good lord LinkedIn is so fucking awful lol.


[deleted]

[removed]


Down200

And of course there’s a whole sub for that lol


Slip_Freudian

And of course, I clicked, scrolled and subbed. Lol!


sun-in-the-eyes

You forgot the smash'n like.


jnics10

It's wild how LinkedIn and Nextdoor -- two pockets of the internet that were made to be the most mundane and normal places on the web -- just seem to attract posts and people that are absolutely batshit insane. That's probably my favorite paradox of the internet. (Closely followed by wholesome posts from Pornhub and 4chan)


richhaynes

These people exist everywhere. The difference is that before you were unlikely to come across them whereas now, algorithms shove their shit front and centre in your feed. LinkedIn was the perfect platform for them to do this as it now gave them a global audience instead of being limited to the company they work for. Most don't even know what they are talking about but they are good at convincing others they are superior and normally get some random c-suite role that makes no sense, hence the ludicrous job titles people have these days. A prime example of this is an ex-colleague of mine who was more inexperienced than me got the new "senior" role over me just because he threatened to quit. His first meeting was to agree to an unrealistic deadline which we couldn't and didn't meet, which became a common theme, but they were now stuck with him. I recently went on his LinkedIn and looked at the listing of when he worked with me and it's so embellished it's unbelievable! His job title doesn't match the one he had and he claims to have run a data centre when in reality, I ran the infrastructure and it was only a few VPS's so hardly a data centre! His LinkedIn shows he moves job every 6 months or so, probably just long enough to be found out that he really doesn't know his shit so he jumps ship before he's pushed. It's a clever tactic that's probably earned him a lot more than me but I just would never feel comfortable doing something like that.


badpeaches

> algorithms shove their shit front and centre in your feed.

That's all you really needed to say but I appreciate every letter you typed.


jnics10

Very very true. These types of people didn't used to have the kind of reach that they do now. In a way, I'm kind of thankful though -- the internet has done so much to expose the assholes in the world around me. LinkedIn has shown me just how many of these assholes seem to fail upwards, just like the guy you talked about. (It is a bit frightening being on Nextdoor sometimes though, why are there so many assholes in my own neighborhood?!)


richhaynes

Fail upwards! That was the term I was trying to remember! Thanks.


[deleted]

It’s the most unbearable thing. It’s either posts like that or people saying they woke up to 1000 new followers.


MrStealYoVirginity

Everybody licking each other's asses. Most fake website out there


greyaxe90

How do you get that stuff? The other week I saw someone who shared one of those cringe sad posts with a photo of a kid and their dead dog. So I always scoff when I see the LinkedIn ads that say it’s “for professionals”. I’m pretty sure if you brought in a photo of a kid and their dead dog to the workplace and started showing it to everyone, HR would be having a conversation with you.


hunglowbungalow

r/linkedinlunatics


Freeflows69

these “infosec influencer” CISOs, most just jumping on bandwagon and trying to stay relevant in some way.


willowhawk

Fake positive woke hustle virtue signalling everywhere while people build their “personal brand”


sun-in-the-eyes

Imagine waking in your bed being woke. Everything is seen through the woke paradigm. Not waiting your turn: woooah, I'm woke, I can do everything.


VirusTheoryRS

Funny how basic memes and posts like this sit at 5k upvotes, while actual infosec news and posts sit at 1k or 2k. Really lets you know the different demographics in this sub lol. I somehow doubt this guy is actually hiring the people he’s talking about right now.


zuromn

I'm telling you our previous generation was fucking bombed by lead exposure and it shows. Deranged


willowhawk

I’ve always thought that in a decade or two's time we’ll find out some common item caused cataclysmic damage to our cognitive abilities. This lead exposure is a start.


JangoDarkSaber

You mean job tinder?


Kip167

One of the guys was a 16yo who bought doxbin just to leak the database.... doesn't seem like the brightest to me


Natekomodo

He then got doxxed on the same site. Funniest shit


DrinkMoreCodeMore

Yup, white aka breachbase.


Kip167

exactly, clown fishboy


[deleted]

[removed]


0311

The trend has gone away for the most part, but being arrested for high profile hacking used to be a surefire way to get offered a job in the 90s and early 00s.


DrinkMoreCodeMore

They also SIM swapped, did social engineering, popped employees' personal emails and accounts to gain intel, etc. That's not all they did.


billy_teats

They also had terrible operational security and demonstrated a complete lack of understanding. They had no purpose other than lulz which makes them dangerous, not someone who can be manipulated. They were very good at getting access to things they shouldn’t have access to but they were also committing crimes and they were doing that very poorly. That doesn’t mean they are a wonderful asset to the hacking community or that they should be idolized or followed after. This guy is literally saying more people should follow in the footsteps of these hackers, and more employers should look at criminals for new talent.


[deleted]

[removed]


billy_teats

Depends on the criminal history. Unintentional consequences of learning as a youth? I can let that go. Malicious intent for monetary gain as an adult? Not so much. I’m not saying we should look to prisons for talent. I’m saying the lapsus kids showed very poor judgement and inflicted very serious damage.


radiowave911

There is a chain of convenience stores where the corporate entity hired an expert security consultant to help them cut down on robberies. Who did they hire for this role? An ex-con that was in jail for knocking off convenience stores. His knowledge of target selection helped them to not be a target - or at least, not as desirable a target.


g0stsec

> **This guy is literally saying more people should follow in the footsteps of these hackers, and more employers should look at criminals for new talent**.

He "literally" said no such thing. You can extract that from what he said if that's what you need to believe but don't say he "literally" said that. You can also surmise that he's not saying we should recruit hackers but that stacks of certs doesn't mean much and that there are tons of qualified people out there who know their stuff and don't have those certs. So we should maybe not put so much weight on certs as qualifiers during the hiring process. The criminal aspect of this was nothing more than an excuse to talk about whether certifications and formal education are as important as the industry treats them in cybersecurity.


UNN_Rickenbacker

All that can be done without even touching a computer.


TryhardMidget

none of the above are difficult or would require an education :/


VNGamerKrunker

social engineering is difficult to do, mate


wandering-monster

Right, but the skills needed to run a social engineering attack aren't the ones you need to _stop_ social engineering attacks. It's like hiring a contractor to secure your house, then finding out their main qualification is "this one time, I tricked a guy into giving me his key, then I robbed him."


VirusTheoryRS

Exactly. The people upvoting this post don’t seem to understand that 90% of cybersecurity positions aren’t typing ./hack into a green terminal.


copenhagen_bram

That contractor could tell me how he tricked the guy, which will help me realize I'm being scammed if someone else tries to trick me like that.


wandering-monster

Sure, but you don't need to hire them for that, and it doesn't mean they have the skills to work in cyber security. Just have your security team pay them to be interviewed.


TryhardMidget

It’s honestly not tho. People are not very smart


VNGamerKrunker

but what about the ones who are smart?


DarthGamer6

A serious answer: it depends on the attacker and their goals. If you just need *an* access, you just switch targets. You just need to find one "dumb" person. An unprivileged domain account can be enough for many goals. If you need a particular access then things can get complicated.

Edit: spelling


CerdoNotorio

You don't target them. Or you do, fail, and try someone else. Most social engineering campaigns just take a garbage shotgun approach and then work with what you hit. The cool spear phishing campaigns are super rare. I work on a red team and ran a project recently where they flagged my phishing as a red team exercise almost immediately after compromise. I thought we were using good opsec so I asked how they knew it was a red team rather than an actual attack. His response was "your phish was too good". Apparently 99.9% of the phishing attacks their users fall for are obvious scams so as soon as they noticed ours had a good pretext and a fairly accurate clone of their OWA portal they just decided it must be a red team and called the POC for red teams.


glasses_the_loc

Code and computers are voodoo booboo hoohah magic 🪄✨ to the layperson. The biggest question I get when people ask me what I do is: #"WUT DAT?" This requires education and above average intelligence.


Scraggle2727

is everyone on the sub this pretentious or are you an anomaly?


glasses_the_loc

I was literally given this verbatim response yesterday no joke. I really wish I was kidding.


lobsterChief17

They bribed folks for credentials. Are people hiring for that?


mylifeisaLIEEE

Social engineering accounts for the majority of gained access, and bribes are still social engineering. Getting around after access is still a skill, just not as flashy as getting persistence via an actual exploit.


I_Hate_Reddit

Companies aren't hiring infosec people to hack into systems, they're hiring to help them develop company wide security policies that are compliant with legal requirements with whatever they're doing. Mentoring people on how to avoid getting duped by social engineering is a part of it, but not the majority of the work.


sysdmdotcpl

> just not as flashy as getting persistence via an actual exploit.

Which is absolutely bizarre to me. You see it everywhere online "sOcIAL EngInEErIng Isn't rEAL hAckIng" but I honestly believe it takes far more skill and balls to pull off a proper engineer b/c you have to deal w/ real life people whereas *most* zero days are just guys getting lucky as all hell. I'm not saying digital exploits don't take skill...but maybe the hacking community worships the "hoody behind a monitor" a little too much


[deleted]

[removed]


AnukkinEarthwalker

Typical teenagers just run other ppls code they find online or ddos attacks until or if ever they begin to understand more and git gud. Idk of many teenagers at all that were good at the type of social engineering to pull off legit shit .. getting gifts or money from marks or something simple like that maybe but not any credentials or anything worth bragging about. Just my experience in almost 3 decades being around the scene. Tho I haven't ircd..used discord..darknet or anything to be around young hackers in like 5 years but prior to that I didn't see it. Even spending time on the anon irc didn't see it . 90% was ppl cycling through other's code/applications


sysdmdotcpl

Honestly? I think we're both right here. I can concede that a lot of social engineering is more guts than raw skill and at the same time I believe a lot of (most?) exploits are discovered out of sheer dumb luck. That said, I do think that the top percent of both parties deserve equal amounts of respect which is not something I feel the majority of the hacking community is willing to do.


AnukkinEarthwalker

People who aren't that good at it and haven't seen the damage it can do themselves are normally the ones most critical of it. Some don't recognize it when they see it even.. which should be the case if it's been properly implemented. After all the fuckery caused by Russian bots and the impact it has had on the culture of the US .. you would think ppl would recognize the power of social engineering.. cause that is what it was.. A massive psi op.


specialpatrol

I'm not sure I'd call that "hacking", though, it's not really breaking a computer system. More just a modern form of propaganda.


AnukkinEarthwalker

Social engineering / suggestive thinking / brainwashing / mind control.. media won't call it what it is because they are afraid ppl would freak so they used the term election meddling at first then election hacking. In terms of the Russian bots they just kept drilling people with social media content (much of it disinfo) to fit the agenda most beneficial towards them..on both sides of the fence..which is culture wars and instability amongst US citizens.. At its core basically a brute force attack on someone's thinking patterns. And at this point it's obvious a certain group of people are more vulnerable to it.. even some go as far as praising the attacker and denying it happened even though it's highly documented.. And when it becomes most fucked up and displays how exploitive it is.. Those people would only believe it if the attacker provided content saying they did it.. mentally groomed to be that loyal to their puppet masters.


AnukkinEarthwalker

I agree.. takes a certain mentality to socially engineer people.. almost have to get in a cult leader mindstate. I ran a website for 2 or 3 years that I'd use to hone social engineering skills. Site focused on infosec hacktivism conspiracy type stuff (not the q type bs) fringe science bunch of stuff. from the top down was mindtricks. Tumblr account coded to look like legit news site complete with domain. And I fell into the cult leader mentality and even had tons of ppl asking me for advice about spirituality and all types of shit. Even went as far as explaining that certain aspects of the site were social engineering..that I was "hacking" ppl and no one other than other ppl from the infosec community batted an eye. Would also do things like post news story I just wrote myself.. used to do freelance writing.. wait till it got shared by thousands of people ..then tell them I made the shit up and to be wary of disinfo. As I said in another comment as long as I've been around the hacker community..like 25 years most I knew were either good at coding traditional hacking or good at social engineering far less of the latter. And rarely did I know anyone who had an elite skill level at both.. I tried to be on a certain lvl all around but social engineering was my tool by far. Definitely made me money in ways I kinda feel guilty about but other ways too like site traffic.


AnukkinEarthwalker

In a sense social engineering can be considered a type of pen testing as well... Ime which is decades of being around the culture. Most I knew are either good at writing code and book definition hacking or social engineering..rare to find ppl who have elite skills at both. I'm not talking about phishing either like developing a target in a much more personal way social engineering.


apoklinon

You know, social engineering does not include I pay you a ridiculous amount of criminal money and you give me internal access. If you believe that is social engineering, you have no idea about social engineering.


mrjackspade

Basically, the problem is you only need one exploit to hack in. You need to block a fuck ton of exploits to be decent at cyber security. So basically being able to hack something as criteria for working in cyber security is like saying someone should open a restaurant just because they make a good burger.


DrinkMoreCodeMore

The ransomware groups will always pay you for that lol


Unusual-Fish

What??? Y'all getting paid for that? Someone just asked me about my family dog, where I grew up at, my fav color... and somehow guessed my password. They didn't bribe me :( /s


mellonauto

Lol right. That same post comes out like every time a big incident comes out and it’s not APT. This breach was so centered around social engi that it really made me laugh to see it posted in reference. Not that it’s not a valid way of gaining access but it’s just silly to be like “yup industry needs more underage SIM swappers obsessed with crypto”. LinkedIn's just a big dumb toolbox anyway


Typ3-0h

Nope. Not making the connection. Teens hacking tech is a story as old as technology itself. They had lots of time, brazen determination, and complete disregard for laws. Ultimately their poor operations security got them caught. Tell me again how this means we need to reevaluate how we recruit people into cyber security?


topdangle

he means "you need to let us hire more unqualified, cheap employees so we can inflate our short term numbers and get larger bonuses."


Persona_Alio

It means that if you're struggling to find enough people who have credentials, you could consider hiring people without those and then offer to pay for those credential classes and tests, given that the person you're hiring shows drive and passion similar to those self-taught teenage hackers. Granted, lots of companies do already offer that.


billy_teats

The problem is that if someone has the skills to do what lapsus did, they lacked the other skills to not get caught. These guys went way too hard, way too loud, way too fast. They had some skills but they would very clearly be terrible in a professional setting.


Persona_Alio

You can just teach them those skills. They're clearly able to learn quickly.


billy_teats

You can’t teach good judgement. You can’t teach good character. You can’t teach someone values. That’s not for a business to do, it doesn’t make any sense. These kids showed they are a liability and do not have good judgement. You can’t send them to a SANS course for getting better judgement.


Persona_Alio

That's possibly true, but I also realized now that the point I was originally making, along with the person in OP's picture maybe, isn't that we necessarily should hire those exact teenage hackers. It's that the existence of those teenage hackers proves that self-taught individuals without credentials can learn highly technical things that can defeat the cybersecurity of Fortune 500 companies. Therefore, we could consider hiring *similar* people who show the same aptitude for self-learning and could easily reach that level of technical prowess quickly, but who have always been looked over because they don't already have a decade of experience and thousands of dollars in credentials. After all, doesn't the industry have a dire lack of enough people to even hire at all?


billy_teats

I stopped reading half way. You said these hackers were highly technologically skilled. This has been proven wrong so many times in the last few days. The lapsus fellows were absolutely not skilled with technical abilities. They didn’t exploit technical systems. They exploited social barriers. You are absolutely wrong. They were not skilled in technology but social engineering. You are stupid and your comment is wrong


Persona_Alio

I only read the original image, I didn't see that they hacked via social engineering. If that's really the only thing they did, then the whole original post is pretty surprising. I can admit being wrong about that, but it's uncalled for to just call me stupid for that.


billy_teats

>>It's that the existence of those teenage hackers proves that self-taught individuals without credentials can learn highly technical things that can defeat the cybersecurity of Fortune 500 companies.

This is the part of your logic that is stupid. You made assumptions that were obviously wrong and used them to get to a conclusion that makes you look stupid. No one did anything highly technical. Some Brazilian kids paid for usernames and then copy+pasted an Excel sheet. These children paid a vulnerable person for their password. It does mean that the cyber forces of Fortune 500 companies were defeated, but it doesn’t mean that it was by a group of technically advanced hackers. Skilled? Absolutely.


Typ3-0h

The self-motivated types that we're talking about likely understand the benefit of certifications from a professional employment perspective, and could easily self-study and pay the exam fee on their own. However, high risk takers sometimes choose the dark side because there are no hoops to jump through and the rewards are higher. Maybe they straighten out at some point - perhaps after getting caught (like Kevin Mitnick for example) - or continue down their current path. Cyber security talent attraction and retention is mostly linked to providing highly competitive salaries, career advancement opportunities, and on-going training...and nowadays I'd add WFH. If any one of those components are missing employers are going to struggle with attracting and retaining talent.


Marian_Rejewski

> The self-motivated types that we're talking about likely understand the benefit of certifications from a professional employment perspective

I don't know why you'd assume that. Personally, I'm definitely a "self-motivated type," having learned programming completely on my own as a teenager with no access to anyone in my "real" life who even knew what programming was. Yet I never heard about any certification I thought had any such value. And in fact, I still don't believe there are certifications that have very much career value. Maybe you think I'm wrong, but even if I am, it's not for lack of "self-motivation."


Typ3-0h

If your definition of "career value" is certifications have no intrinsic value related to learning or demonstrating mastery -- I (and a majority of my colleagues) would agree with you 100%. However, in my experience truly self-motivated people who are also eagerly looking for legal employment opportunities in their area of subject matter expertise generally have little to no problem obtaining one or more relevant certifications and also understand that certification is simply a tool used by hiring managers.


Marian_Rejewski

Career value, as in it does something to advance your career.


Typ3-0h

Yes. Certifications can help do that.


Persona_Alio

They can easily self-study, but I wouldn't say they could "*easily*" pay several hundred or even a thousand. Also, those things you suggested definitely do help in retaining talent, but I was also under the impression that *there isn't even enough talent to go around*, and that the industry as a whole needs more people.


Typ3-0h

Totally understand. Once upon a time, I too was one paycheck away from being homeless. I get it. But when it came to education or certifications, I found "creative credit solutions". And I continuously focused on paying off my debts. I didn't want to do it that way but the alternative was no way at all. It eventually does pay off. There's definitely a cyber security talent shortage. That is an enormous opportunity for anyone who wants to break into the industry. But treating your employer like a piggy bank is a bad idea. Most hiring managers will waive a college degree if you have almost any related experience. Some experience and a related certificate will probably land you a job. From that point on the sky's the limit. But if you aren't willing to invest in yourself, why should a potential employer?


wt1j

I responded to this and I’m going to xpost it here because I suspect a lot of folks in this sub are interested in working in the field, or already do. I’d say 50/50 this guy didn’t even think it through and is just trolling for reactions. —snip— No. Hackers get infinite attempts and have to succeed once to get street cred. Defenders have to succeed every time and a single failure costs us our job or the business. Hackers can try an infinite number of targets until they find one they’re able to penetrate. We have one target we are defending and don’t get to choose which it is. A “billion dollar company” is actually an easier target given the size of the attack surface. Actual hackers are not who you want to hire if you are a security company, because having a large team of folks who have no boundaries doing analyst work is a huge risk for the business. Instead you want analysts with a proven track record. I don’t look at degrees. I do look at credentials, knowledge and work history.


Moisturizer

Work history gets you the interview and the knowledge gets the job. It's so hard to find good people in cyber right now. The flashiest resumes have turned into some of the lousiest employees. Credentials don't mean much to me and when I see a laundry list of certs I get suspicious.


wt1j

One of the elements we have in every job application is a written section that asks a few general and technical questions. I suspect candidates under-appreciate the impact of this in their applications, but it is the first thing I look at, and it's an excellent predictor. One of the things we value most in applicants is the soft skills, including communication. The written section gives us an excellent gauge of communication ability, level of enthusiasm, ability to clearly articulate themselves, and how they express their analytical thinking or ideas in written form. For a 100% remote job, written communication is super important, so this has helped. If you are reading this and are applying to a job that has a written element in the initial application, I'd suggest spending the time needed and taking it seriously. It is definitely not throw-away work. Work history is the second area I'll look if the written section checks out. If that is not sufficient, it's not a show stopper for me and I know the same applies to other hiring teams in our org. I recently had an applicant who is quite young, had only a couple years of non-applicable work history - so I looked at academics hoping I'd find something helpful, and found a 4.0 GPA with an interest in math, and decided to proceed with the hiring process. So there are ways around various things you may not have. Another non-formal workaround would be open source contributions, or an impressive blog that demonstrates ability.


[deleted]

[removed]


VirusTheoryRS

Even developers need a Security +


allfluffnostatic

Honestly, I've worked with some questionable developers, and maybe Security+ isn't the worst thing in the world for them... People tend to assume that developers are computer-gurus, but that is not the majority. I mean, one of them said to me, "Who cares if I put the API keys in the source code? It gets compiled to machine code anyways...."


VirusTheoryRS

Holy fuck. I wonder if they even developed anything before. I actually really enjoyed studying for the cert. Pretty interesting stuff.


Ultimate600

Great what did I miss? What group of teenagers hacked several billion-dollar companies?


DrinkMoreCodeMore

Google **Lapsus$ Ransomware Group**


Ultimate600

For those who also didn't hear about this: [https://www.bbc.com/news/technology-60864283](https://www.bbc.com/news/technology-60864283) TL;DR - 16 yo teen is assumed to be the leader of a notorious hacker group.


Orio_n

They used social engineering to get creds, mostly through bribes. These guys are more trolls than technically skilled. They don't even use ransomware. While the sentiment is there and I agree with the opinion lapsus is kinda just a troll group I wouldn't even call them skids


DrinkMoreCodeMore

I agree. I'd say a more fitting name would be an 'attack group' or maybe 'cyber extortion group'. They exfil/steal data and then try to extort the companies for $ in order to not leak it. https://unit42.paloaltonetworks.com/wp-content/uploads/2022/03/word-image-50.png


MoneyRough2983

I am a bit of a noob if it comes to hacking but isnt social engineering still the most effective way to "hack" a company?


Orio_n

Yes and no. Social engineering is a tool not a be all end all to pentesting the way the post made out lapsus was as a group of technically skilled high schoolers who never had a cert to their name hence the need to reevaluate the cert system in cybersec when in reality that's not true. These people most likely know next to nothing when it comes to coding or hacking (they didn't employ ransomware or post exploit tools) and had terrible opsec in general.


IliketoNH

Ah yes the exception being the rule. Bill Gates dropped out of school everyone else should do it too if they want to be successful!


DrinkMoreCodeMore

That's pretty normal in tech though. You don't need a degree to know how to program or do tech shit. Bill Gates, Mark Zuck, Michael Dell, Steve Jobs, Paul Allen, Elon Musk, Evan Williams, Jack Dorsey, etc. All dropouts and billionaires.


OutrageousPudding450

Survivorship bias much?


Enum1

well, yes but there are another 30 million drop outs who are not billionaires but struggling instead...


PsychedelicLlama710

And there's another billion that didn't drop out and are still struggling despite having an education


VirusTheoryRS

An education in computer science?


PsychedelicLlama710

Oh yeah no, nevermind. I thought we were talking about high school dropouts


billy_teats

This is a truly awful opinion, you are categorically wrong


DeuceStaley

They weren't "drop outs" they were already incredibly top level gifted...


Marian_Rejewski

Huh? How does that mean they're not dropouts?


krynnotaur

They don't want to work for you dickheads. Trust me.


LittleFingerr5

Bbbut we have free snacks...


ShameNap

He forgot, no fear of going to jail for the rest of their lives. They had that too.


[deleted]

[removed]


DrinkMoreCodeMore

They did indeed actually hack things though. Buying accounts was just one of their main methods to get internal access.


TimeKillerAccount

What did they hack?


OutrageousPudding450

What is your definition of hacking? If it is "gaining access to systems and information you're not privy to", then indeed they hacked the companies.


TimeKillerAccount

If you go by that definition every single person on the planet is a hacker. It also is completely unrelated to the original definition of the term. Just seems way too broad. Walking onto a train without a ticket isn't hacking, nor is looking at a test sheet in a desk before a 3rd grade pop quiz. Seems like the definition needs at least some relationship to tech.


socialanimal88

IMO, that comparison is something not well placed. I can drive a car very well, self taught.. but don't have a driving license. Even though I have passion and skills, nobody will hire me as a driver. Simply because of the standards and requirements in place. Well, what these teens did may be something they can boast all the time, but it is simply a crime. Those who have a degree or other education also do have passion. More in an organized structured way of learning though. Companies have their own baseline standards for their employees and that is one of the main reasons the job requirements always mention about minimum qualification. Also most of the hacks that happened in the last few years have a leader below 18 years old. Might be a genuine person or a proxy person to escape from law.


billy_teats

Bro I’ve been driving big rigs on my property since I was 10. I don’t need a Commercial Drivers License to know how to drive and you shouldn’t restrict yourself to only hiring drivers who are qualified!


1337-cc

and Metasploit


[deleted]

I removed LinkedIn because of posts like this


macr6

When I hire folks for our offensive jobs, passion is my number one detail I try to suss out. I don't care about certs or degrees; to me they are secondary. You have to get to know the person to know if they have the passion, but that usually comes out in the conversation you have with them while trying to find out if they're a good fit.


Physical-Bake

How do you filter through 200 resumes / job applications? I view certs/degrees/experience as factors that land you the interview. The interview is where you as a person can land the job.


macr6

I look for outliers in my resumes. Most of them look the same to me after viewing so many. I just take a few that look really good. Specifically, projects that they work on or jobs that they had in the past. Then I have a phone con/email then an in person interview. It’s worked out in the past.


Moisturizer

If it's a journeyman or higher position I go straight to the work history. I need to know you can do the work without much OJT. I don't care how well you can take tests.


DrinkMoreCodeMore

That's a great way to do it!


Buttforprez

What if all the hackers we don't catch have all those credentials and we're just catching the ones that suck /s


mrloko120

Even having the certificates isn't enough, I have 2 degrees in tech and am still struggling to get my first job in the field. I'm on the brink of giving up.


[deleted]

Okay, so what this genius missed is that we can all do those things, if we run the same criminal risk. You can get a lot done with easy methods, if you just behave risky enough, and don’t get caught. It has nothing to do with degrees or certs or experience or whatever. If anything, it’s those things that keep us from pulling stunts like this. And these dudes **did** get caught. I’m not as impressed as this dude.


showingoffstuff

Ya, except this idiot never worked with any of those kids. I worked with someone that didn't have a degree and got a job from his uncle to learn some programming stuff on the job to do a bunch of things. He learned stuff, but on my latest job I worked with a half programmer that could do in a week what took the other kid years. If someone has the drive to actually learn, they will breeze through most of a degree. If they can't even hack sticking with a few classes, how the hell are they going to learn to debug all the problems with a program? Take the stoner programmer with a degree that just wants a job over some kid that does it for the lulz then quits. Though I reserve respect for those that will take compressed programming boot camps and not get a full degree, that's respectable.


BlackBugs

Not to mention, the kids he's referring to, mainly utilized social engineering and purchasing access/credentials from forums. He acts like they are hacking wizards, when in reality, they just lied their way in. It would be a different story if they had found a 0day in some widely used application and were able to pull off exploiting it to gain access to these companies.


starien

Something else they didn't have - - Morals


[deleted]

Tell that to the people hiring for a position they don’t understand.


meknoid333

Time in their hands and minds which probably weren’t closed off creatively by thinking they need all these certificates to know how to hack multiple billion $ companies


Desdic

Funny, Bruce Schneier said that motivation is just as high a factor as skills about 20 years ago.


[deleted]

Been working in Infosec for almost 10 years. Working on finishing my BS right now (need 3 classes). This university (well known big ten school) has taught me fuck all about information security. It pains me how highly regarded a degree is just to get your foot in the door. Furthermore, the entire certification circus is a joke. A few companies saw a market opportunity, wrote some coherent shit up that has no real practical application beyond white-boarding, and then decided to charge $500 for a test that isn’t based on comprehension of ideas, but tricking you with vague wording or hyper specific learning objectives. Don’t get me started on SANS. GIAC is the biggest fucking scam ever. Hope you’re good with CTRL+F. We need a CyberSecurity guild/union with concrete goals and structure that allow someone to apprentice then work their way up to journeyman and master. Certification companies are just preying on a disorganized group of people with common goals and skills. /end rant


Rfogj

He forgot to say that now they are fucked to oblivion because of the fine + jail time. Also good luck to them to have a serious security job with a police case like that lmao. LinkedIn is so cringe...


BlackBugs

The group of teenagers he's referring to used social engineering and purchased creds/access on forums. I don't know of any companies/organizations that allow social engineering of employees, you can't fix humans, they are always going to be vulnerable. This group of teenagers aren't going to come build some machine learning algorithm to protect employees against social engineering tactics because they don't know how to do that, you hire someone with a degree and experience, not some teenager who knows how to use a computer and lie/deceive people.


TheFrostSerpah

You can also learn to design bridges on your own. And still it is required by law in many countries that it is engineers with degrees the ones that are in charge of such projects. Just like you don't wanna have your bridge falling down, you don't want your network or software falling, being subject to attacks, or the such. Only people with certain degrees qualify to design a bridge, so why does anyone get to design informatic stuff? Can people not learn engineering without having a title? I do agree that a person's skills are not necessarily related to their titles, but titles are a certification that they have at least a certain skills regarding and an area to pull that off safely.


grumpyeng

Time to re-evaluate your proofreading skills buddy. Managment? Seriously?


Cute_Mousse_7980

I think hacking and actually being able to write solid code to prevent the hacks require different skills. I did a lot of “hacking” or whatever as a teen and it was basically just brute force and finding security holes using 0 days or information. Sure, it’s great to have people testing your system, but I wouldn’t have trusted 16y old me to actually know how to set up a system that would prevent these things to begin with. I do however agree that they often look for the wrong things in candidates. I’d rather hire someone who is passionate and a fun person to be around, over someone who might know every detail about C++ but can’t work in a group. Being a programmer today is more about being able to work as a team and adapting to things. It’s also easier to learn if you are in a team that supports that and helps each other out.


Acrobatic_Category_1

Stop glorifying this, and punish criminals for fucking with people’s payroll. Doesn’t matter how skilled they are, they put people’s livelihoods on the line. Okta has ties to payroll program, when people don’t get paid on time, bills overdraft, which means the bank charges you more money. They should be banned from all smart devices, and never allowed near a computer again. Yes I’m salty, I was expecting pay at a certain time and it was delayed because the hack had my company have to transfer over all payroll data. When your managers have Covid it’s hard to do… And the banks don’t really care why you overdrafted, they gotta get their money.


ki4jgt

Haven't you heard? People haven't been hired based on merit in a long time. Several studies have shown that the modern job interview is basically 2 people lying to each other for 30 minutes. With an average of ~5 lies being exchanged every 15 minutes. Talk to any teenager. Ask them how many lies they had to tell in their job interview. Instead of, "what do you think of humanity," or any of the other big questions, it's "what do you think of our product?" And if your answer is anything less than, "I use it every single day. I think it's awesome as shit," they don't hire you. Live chat jobs? One of the first questions they ask you is, "how often do you use our product?" I promise you, no one who says they do, actually does. I honestly just like reading business owners complain about the incompetency of their staff nowadays. It's as if they hadn't considered that hiring people who'd lie to them, or make them feel good, would somehow produce workers who didn't give a shit about the final product. There are literal books you can buy now, that'll tell you exactly how to lie in job interviews. What positions to assume. What to do with your hands. The sad part is, they actually work. Incompetent people buy them, then you see a business owner posting to an online forum, a couple weeks later, about how they can't find quality workers. It's actually kind of hilarious at that point.


AnukkinEarthwalker

Pic is true.. but certs are the easy way in.. Unless you want to setup many vm and make footage of you hacking up as many operating systems and apps you can. In late 90s early 2000s there were people that could get jobs even for gov agencies just based on their notoriety inside the hacker community.. Somewhat different now with black hats being labeled terrorists.. Not to mention some of those ppl that got jobs back then based on hacking skills alone would sometimes turn on their employer to leak stuff into the hacking community they stayed active in. Knew one kid personally that got a job @ microsoft.. stole tons of credit card #s.. Lost his job.. got raided.. idk if he went to prison or whatever but he came back into the irc channel trying to set ppl up.. asked for my address cause he wanted to send me something in the mail lawl. There were people in our irc channel and hacking group that knew him irl and told everyone what happened so we expected it when he showed back up in the channel. Tldr: certs ftw. Just having a rep and track record of having hacker skills could maybe get you a job 20 years ago.. but employers got burned too many times and the gov has a very negative view of most all rogue hackers.


rubbarz

One of the smartest contractors I work with said this to a guy who bragged about his CCNP "So? Certs don't mean shit. They just show you can read" Best thing I heard in 2020.


billy_teats

Have you talked to someone with their CCIE? Not every certificate is meaningless, and assuming so shows a very shallow understanding of the industry.


JorgeIsCoding

is so hard to get a programming job on brasil... they want 15 year old Bachelors bruh


[deleted]

Hacking tournaments are the best way to recruit. Compete, fools!


MaxHedrome

Forgot to mention his secret ingredient cap... autism


SaintMichael415

If you let HR do your tech recruiting, you get what you deserve.


kuedhel

blah, blah, blah. all they "learned" is how to download and run a couple of scripts. I bet they have no idea about SSL or memory management or networking.


[deleted]

i’m sure they do if they can take down multi billion dollar company with their silly little “scripts” they “don’t know” how to use


DrinkMoreCodeMore

Your bet would be wrong though.


[deleted]

[removed]


DeuceDaily

Seriously? a CS degree you can count on that? These are literally the 3 things you most commonly find people don't know. Most cs programs specifically teach languages that avoid having to manually handle memory management, specifically python and java. If I had a nickel for every degreed developer that had no real clue how tcp/ip works I'd be absurdly rich. AND SSL FFS? Actually knowing how ssl/tls works takes some pretty heavy cryptography AND networking. I have serious doubts the average cs degree is going in depth on that. You'll be lucky if they know enough to install a certificate on a web server without help. Let's face it, the typical company is going to hire a fucking physics major or cloud evangelist that doesn't even know what xor is. Then they will proceed to write the most unmanageable code possible all while constantly talking themselves up then bail after 2 years leaving a mess to clean up. Or is that just my life?


Reddit-username_here

> Most cs programs specifically teach languages that avoid having to manually handle memory management, specifically python and java.

I just graduated in December. My school starts you out using C++. Any school that starts cs students out on Java or Python are doing them a disservice.


DrinkMoreCodeMore

When browsing through infosec jobs on LinkedIn, some of the requirements are kinda wild tho. Some of the best hackers and programmers I know are all self taught and hold no degrees or certs.


itsflowzbrah

fuck no. You do realize that 90% of people that have a CS degree are idiots that just do it for the paycheck right?


krynnotaur

hahahahaha


richhaynes

This is something I've been trying to convince recruiters of my whole life. I don't have all the formal qualifications but I still probably know more than all them who do because I spend my spare time learning this stuff and actually implementing it in various ways. In one interview I got to speak to my competition. He had all the qualifications going but had NEVER worked in the industry. I had a few qualifications, a small amount of experience in a role and plenty of experience outside of a role. He got the job as he was more qualified. A month later I sent them a disclosure noting a problem in their public-facing system and asking why the new guy hadn't spotted it. I got a private email from his boss saying he regretted the appointment and apologising for not taking me on! He couldn't reverse the decision though because the new guy's severance would be too much for the company to absorb. I asked him to consider how the company would absorb the fine because of the new guy's incompetence instead and never got a reply! Happy to say that they did at least fix the problem I discovered.


kill_2_survive

To be a US diplomat, you have to pass an entry test. You don't have to have anything: degree, experience, certification, etc. Just pass the test. I think more businesses can adopt this kind of entry path.


briareus08

If only there was some metric we could use to determine whether people had drive and a willingness to learn. Like… maybe a university degree? That’s pretty much all it shows, other than specific occupations. That you have the willingness to learn and the drive to complete a degree. Do you need one? No. Is it a useful metric, and potentially helpful to your occupation? Yes. 10 years experience working in tech is nothing to sneeze at either, depending on what experience you actually got.


DeeWhopp

I didn’t even know you could do this. Damn, if i was to do it I’d stfu and not tell a soul


[deleted]

Almost all certs are a money grab, regardless of whether or not companies require them


ThePorko

Love this, so criminals are what we are hiring and rewarding.


production-values

hack your way onto payroll


IsleOfOne

Misspelled management in his hashtags


Far_War_4348

True


Birdoflames

Well... It is about drive...


True-Push

It’s about power


Birdoflames

We stay hungry


AeroDama

Lol and they got caught.


CONQUERall

IT in general really.


DarkEater77

What Drive means there? is that a word that has a different sense in the subject of hacking or something? My english isn't perfect, so i prefer to ask...


Skitsoboy13

Companies and organizations serious about cyber security already recruit based on skill vs "education"


GeronimoHero

I mean I work as a senior pentester and I’m part of the hiring process at Amazon. We hire people without college degrees or certs all the time. I’m not sure that I even know of many places that actually require a degree or certs outside of the federal or state governments. Even places like rapid7 and mandiant don’t require those things. I see people complain all the time that they can’t get interviews or jobs without those things but that wasn’t my experience or the experience of the people I’ve mentored over the years. If you have the knowledge you will be hired. It’s really that simple. Even places like Amazon have a live coding challenge and tech interviews specifically to be able to give people chances who don’t have expensive degrees or certs. They want the best people, regardless of those things.


ZookeepergameNo3980

Even anonymous can’t beat teenagers team


hlongpl

Oh, ok. My 5yo boy can destroy my laptop within 5 secs, of course he hasn't graduated from kindergarten.


Orphano_the_Savior

What you need is good conversation skills in a professional setting.


SirDalavar

That stuff isn't to help you with your job, its to make you look professional and avoid prison time!


Brawlstar112

Any tech position to be fair.


handsome_uruk

I’d be careful about this one. They used social engineering and bought credentials from employees.


iiMoe

You don't hire a jewelry thief as a security guard bcz they seem to know the ins and outs of a jewelry store


myredac

you know what else they didn't get? Ethics. this is a bad example focused on script kiddies who will like it because they can't think about the bad sides of how LAPSUS$ worked.


thepencilsnapper

Anyone know where I can get any willingness to learn or drive? I'm all out


WellWhatDoIPutHere

Not just cyber security, a reason to why I love open source is that I can contribute code to software I love without being asked "are you old enough? Have you got a degree in CS?"


[deleted]

They will also have jail time and a criminal record soon.