Anatomy of the HBGary Hack
PCM2 writes "Recently, Anonymous took down the Web sites of network security firm HBGary. Ars Technica has the scoop on how it happened. Turns out it wasn't any one vulnerability, but a perfect storm of SQL injection, weak passwords, weak encryption, password re-use, unpatched servers, and social engineering. The full story will make you wince — but how many of these mistakes is your company making?"
Mistakes (Score:5, Insightful)
But how many of these mistakes is your company making?
Most companies probably make these mistakes, all except the biggest mistake, which was poking a sleeping bear.
The real mistake (Score:5, Insightful)
Well, we're not going after 4chan/anonymous, so we're probably in the clear.
I think the biggest security mistake it's possible to make is antagonizing the largest collection of bored hackers/crackers/script kiddies/associated hangers-on that exists.
Incompetent (Score:5, Insightful)
I'm just amazed at how completely oblivious "Chief Security Specialist" Jussi Jaakonaho was during the email correspondence, AND that he was perfectly fine with sharing root passwords via plaintext email.
How do these people even get security jobs and be negligent in even the simplest security practices?
And What's next? (Score:5, Insightful)
In watching Wikileaks, OpenLeaks, Egypt, the Palestine papers, and now HBGary, I'm thinking that we're at the edge of something monumental. I expect we'll see a lot more formerly secret data become public, and see governments and corporations either clean up their acts, or become increasingly desperate and hostile in trying to keep their inside info secret.
Either way we're in for a wild ride!
Re:Definitely interesting.... (Score:5, Insightful)
I like the idea of a custom CMS to avoid an open one (more security).
It's far easier to audit existing code than it is to build your own code. Even if you write it yourself you have to do the same auditing and testing that you would against an existing product.
They will be famous for a long time (Score:5, Insightful)
Re:Definitely interesting.... (Score:5, Insightful)
A non-custom CMS like WordPress is very often the target of massive automated attacks: a new bug is discovered in WP and a tool is written to seek out vulnerable installations and exploit that bug. If you have the skill or $$ to pore over the code, you can probably find your own bugs before they become publicly known.
On the other hand, if your site is specifically targeted, then your custom CMS is as vulnerable or more than the WordPresses out there. You might have a bit of security through obscurity (in a standard WP install, the attacker might know file names and locations, variable names, classes, etc.) but this will probably do you little good if you weren't able to harden the code.
Lesson: you are screwed if a rich, powerful, or smart attacker singles you out. A standard CMS can land you in hot water if you don't have a knowledgeable person administering it (and who has that?).
How Many Of Those Mistakes is My Company Making? (Score:5, Insightful)