The Anonymous attack on HBGary Federal may have amused some who enjoyed the sight of a security firm left embarrassed and exposed, but it should send a shiver down the spine of any IT administrator responsible for securing their own company.
Because can you honestly put your hand on your heart and say a hack like the one against HBGary Federal couldn’t happen at your organisation too?
As Ars Technica explains, a weakness in a third-party CMS product used by HBGary’s website allowed Anonymous hackers to steal passwords that employees used to update the webpages.
Unfortunately, they were passwords that weren’t encrypted strongly enough and could be cracked with a rainbow-table-based attack. Amongst those exposed were CEO Aaron Barr and COO Ted Vera.
Worse still, it appears that Aaron Barr and Ted Vera were using the same passwords for their Twitter and LinkedIn accounts, and even for an account which administered the entire company’s email.
By exploiting software vulnerabilities, poor passwords and even some tried-and-trusted social engineering (see below) it was trivial for the hackers to steal the entire company’s email and deface its website.

As Chet explained in an earlier article, an employee not seeking proper verification when a company executive apparently asks for help can result in a corporate disaster.
But more than that, it’s also essential that all staff learn about how to use passwords properly.
For instance, don’t use easy-to-crack or obvious passwords. If you do, you’re asking for trouble.
And it’s critical that different passwords are used for different accounts. That way if your password gets exposed in one place, there won’t be a domino effect as a series of other accounts are unlocked by criminals using the same credentials.
Unconvinced by the scale of the problem? Well, Sophos’s research has found that 33% of people use the same password on every single website.
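As an added illustration (not part of the original post), the Python below contrasts the deterministic, unsalted hashing that makes a precomputed lookup table effective with a per-user salted, slow key derivation: in the weak scheme one password always yields the same digest, so a single table covers every account, while in the hardened scheme two users with the same password get different records and the table does not transfer. The sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample passwords for illustration only (not real credentials).
SAMPLE_PASSWORDS = ["password1", "letmein"]


def unsalted_md5(password: str) -> str:
    """Weak scheme: one deterministic digest per password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def build_precomputed_table(candidates):
    """Tiny stand-in for a rainbow table: digest -> plaintext for known candidates."""
    return {unsalted_md5(p): p for p in candidates}


def lookup(table, digest):
    """Return the plaintext if the digest is in the precomputed table, else None."""
    return table.get(digest)


def salted_pbkdf2(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Hardened scheme: per-user random salt and a slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_password(password: str):
    """Return (salt, derived_key) as a web app would persist them."""
    salt = os.urandom(16)
    return salt, salted_pbkdf2(password, salt)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    return hmac.compare_digest(salted_pbkdf2(password, salt), stored)


def demo():
    table = build_precomputed_table(SAMPLE_PASSWORDS)
    # Weak: same password, same digest, so the precomputed table recovers it directly.
    weak_hit = lookup(table, unsalted_md5("password1"))
    # Hardened: two accounts with the same password get different records.
    salt_a, rec_a = store_password("password1")
    salt_b, rec_b = store_password("password1")
    return {
        "weak_recovered": weak_hit,
        "records_differ": rec_a != rec_b,
        "table_useless": lookup(table, rec_a.hex()) is None,
        "verify_ok": verify_password("password1", salt_a, rec_a),
        "verify_wrong": verify_password("letmein", salt_a, rec_a),
    }
```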
In wake of the attack, HBGary withdrew from the RSA Conference taking place in San Francisco this week, and replaced their booth with a sign:

Read the in-depth piece by Ars Technica now, investigating how the HBGary Federal hack occurred, and learn lessons which you can apply inside your own company. After all, you don’t want to be the next firm to have to put up a sign like that.
HBGary sign image credit: Colbinator on TwitPic.