Security News

<< Next Post - Previous Post >>

Do what I say not what I do

Below is a very good article describing the recent battle between the Anonymous Hacking group and the HBGary company.

In a nutshell, a security company, “HBGary”, who is also working for the US government was about to release what they think were the identity of a hacking group called “Anonymous” who conducted some high profile hacks against large organisations who were against the wikileaks website. The hacking group response was swift and brutal, they hacked the HBGary websites, defaced them, hacked into the owner’s email account and grabbed lot of user personal information from one of the company’s related website, rootkit.com

It provides a good example of the old adage “do what I say not what I do” but this time in the world of IT Security. Of course you can almost never get IT Security 100% right, but in that case it would seem some of the security weaknesses that were exploited should have never been there or possible in the first place!

To add to what is already disccused in the article below, I think there was also a very basic security control missing in how that company operates/operated, the lack of a sensitive Information management process (email of both userid/password, no challenge response, etc).

Although this could act as a good reminder of “walking the talk” (another cliche!), I think it is unfortunately unlikely to change any company’s security agenda because in a corporate world where budget cuts, work load preassure, fast delivery is on the increase those kind of security practise shortcuts will remain, and so will the potential related attacks.
You could also argue there is a psychological aspect to this issue:
– The desire of doing favours for key people in the organisation, leading you to bypass procedures.
– Being over confident or expert in a field may drive you to neglect or being in deny of some basic issues.
– The need for trust in a working relationship may blind you to some questionable activities.

To get security right, one would need to be able to both take a step back, review and fix existing security issues while also moving forward with new technologies, changing IT landscape and fixing new security issues.

As this hacking incident illustrated, it is a very difficult balance to get right.

ARSTECHNICA Article on Anonymous vs HBGary

Update from the 1st of March:
It has costed HBGary Federal CEO’s role:
https://threatpost.com/en_us/blogs/hbgary-federal-ceo-aaron-barr-steps-down-022811

<< Next Post - Previous Post >>