Anatomy of the HBGary Hack 220
PCM2 writes "Recently, Anonymous took down the Web sites of network security firm HBGary. Ars Technica has the scoop on how it happened. Turns out it wasn't any one vulnerability, but a perfect storm of SQL injection, weak passwords, weak encryption, password re-use, unpatched servers, and social engineering. The full story will make you wince — but how many of these mistakes is your company making?"
Definitely interesting.... (Score:4, Interesting)
Re:Definitely interesting.... (Score:4, Interesting)
Sadly the moral of the story is the exact opposite - the custom CMS HBGary commissioned was actually less secure, as it appears not to have been subjected to proper security audits, nor was it being updated to patch discovered bugs. Direct from TFA:
The very thing you consider a disadvantage in an open software system - the fact that anyone can discover bugs in it - also helps ensure that such bugs are publicized and fixed. With HBGary's custom CMS, the bugs were still there, but the only people looking were the ones specifically trying to break into their system. There can be a case for code obscurity, but if that's all you're relying on to protect yourself, I'd say you're really just burying your head in the sand.
Re:Incompetent (Score:5, Interesting)
Re:Definitely interesting.... (Score:4, Interesting)
What happened to HBGary is like a fire station burning down because the smoke alarms didn't work - you'd think they, of all people, would know better.
Re:Morals? (Score:4, Interesting)
Who started with the vigilantism here?
Aaron Barr at HBGary. He's not law enforcement and as far as I know wasn't under contract by any law enforcement agency to root out the members of Anonymous.
Yet he's threatening to name names. To accuse people of participating in disruptive, possibly criminal activities.
Not in a court of law. But in public.
He's going all "Wild West" on people here and threatening to "pull his gun".
In this case, Anonymous responded in kind and Aaron Barr, shootist, is now laying in the street in a puddle of his own blood.
Unfortunately, Anonymous brought a gatling gun to a pistol fight. So lots of other people have huge bullet holes blown in them too.
Now I deplore "hacktivism" as the WORST possible way to convey one's message to people.
But I'm VERY familiar with the notion of making it painful for people who're harassing you to continue to do so.
What Anonymous did was wrong. Make no mistake about it.
But what did these jackholes THINK was going to happen?