Cronicles of a successful hack attempt by Anonymous

[Icy]

Good read, both fun (specially for computer literates) and will make you think about your own company security.

Anonymous speaks: the inside story of the HBGary hack

[RainMaker]

It's a good read. I saw this a few days back.

[Ronnie Dobbs2]

What amazes me is how many sequential bits of incompetence were needed for that to work.

For the tl;dr crowd:

Quote:

So what do we have in total? A Web application with SQL injection flaws and insecure passwords. Passwords that were badly chosen. Passwords that were reused. Servers that allowed password-based authentication. Systems that weren't patched. And an astonishing willingness to hand out credentials over e-mail, even when the person being asked for them should have realized something was up.

[chesapeake]

With the cherry-on-the-top being that HBGary is in the business of IT security. I passed the story onto the resident nerds in the office. And basking in the righteous glow of my secure, unique and recently changed password.

[PackerFanatic]

Quote:

Originally Posted by Ronnie Dobbs2

What amazes me is how many sequential bits of incompetence were needed for that to work.

No doubt - especially from a seemingly competent security organization. Yowza.

[k0ruptr]

oh if only I still was in the scene

[jeff061]

Quote:

What amazes me is how many sequential bits of incompetence were needed for that to work.

I'd say the vast majority of companies out there have similar problems, though that shitty custom CMS system was a killer. Most places won't have that problem, but not because they are any smarter, they are just going to use some widely used standardized app.

However, as mentioned, they are a god damned security firm. Which makes everything special.

[Glengoyne]

I did appreciate the HBGary fellow that spoke to NPR. liberally paraphrased~ "The Illegality of what they've done shouldn't be ignored, and I'll ....(sic)... not be taking any lessons in transparency from an organization with 'Anonymous' in their name."

[Icy]

To me the most shocking thing is the emails exchange and how the system admin gave them all the info, user, pass, open ports, etc.

[jeff061]

Lot of sys admins out there aren't going to say no to the owner. Easier said than done.

[Glengoyne]

Quote:

Originally Posted by jeff061

Lot of sys admins out there aren't going to say no to the owner. Easier said than done.

I'd like to think that simple dilligence toward important security policies would over ride this compliance with authority. If credentials are only supposed to be delivered verbally over the phone, You'd hope that more techs would stand up to an exec. Did you really just send our root password in plain text in an email? or I've reset your credentials, let me call you with the password.

I don't think many companies would fare much better, which is pretty scary. More alarming to me, is that it would be next to trivial to crack my passwords on a number of sites. They are generally different, but not sufficiently complex...apparently.

At one company I worked for, a VP would always call saying he'd forgotten his password. I'd have a tech change it, then call him back and tell him the new password, that he'd have to log in with and then be forced to immediatley change. I started with DipWad01 and incremented all of the way to DipWad14.

[jeff061]

There is no incentive to stand up to the exec. What we read in this article is a rarity and it's much more likely you are going to do nothing but piss the exec off. Not worth it. Not saying it's right, but that's what a scrub sys admin is going to think.

That said, a company like this should be held to a much higher standard .

The main issue was having a externally facing, custom built(thus shittily supported) application with an unpatched SQL injection exploit. Horrible. I'd say they should be hiring auditors to detect that stuff, but they are the auditors. Still probably should get an outside set of eyes on things.

[johnnyshaka]

Quote:

Originally Posted by jeff061

Lot of sys admins out there aren't going to say no to the owner. Easier said than done.

I'll concur as I've been with my current place of employment for 10 years and know several "higher ups" who haven't changed a password since I've been there. They've been told to do so by us (the IT Dept.) and by auditors but simply refuse to do it. Is locking them out of the network worth risking my job? Uhm, no.

If they want to risk the integrity of "their" network...go right ahead...I've signed all the appropriate paperwork to make sure my butt is covered if the fit were ever to hit the shan.

[MizzouRah]

We have so many systems and passwords at work, I think people get to a point where for memory sake, they make them all the same or very similar.

Even being in IT, I keep a password protected spreadsheet with all my passwords.. I always one day what would happen if I forgot it.

[Drake]

Quote:

Originally Posted by MizzouRah

We have so many systems and passwords at work, I think people get to a point where for memory sake, they make them all the same or very similar.

Even being in IT, I keep a password protected spreadsheet with all my passwords.. I always one day what would happen if I forgot it.

Heh. I've got one of these, too.

Of course, I've also got post-its with passwords stuck to my monitors, too. The good news is that I don't indicate what accounts they go to, so they're not even useful to me.

[MizzouRah]

Quote:

Originally Posted by Drake

Heh. I've got one of these, too.

Of course, I've also got post-its with passwords stuck to my monitors, too. The good news is that I don't indicate what accounts they go to, so they're not even useful to me.

LOL.. yeah I love getting a laptop from a user and when I open it up, it has their logon password on a post it note.

[johnnyshaka]

We're in the midst of a migration from Netware to Windows (ugh) and we've decided to try and play the "there is nothing we can do, Server 2008 requires that you change your password at least every 90 days" card and so far it's been working. We see what happens when we hit the "higher ups" with that line...lol.

[Alf]

Good read. Thanks Icy

[jeff061]

Quote:

Originally Posted by johnnyshaka

We're in the midst of a migration from Netware to Windows (ugh) and we've decided to try and play the "there is nothing we can do, Server 2008 requires that you change your password at least every 90 days" card and so far it's been working. We see what happens when we hit the "higher ups" with that line...lol.

Have you nutted up and implemented 15 minute idle screensaver locks? I've had so many "execs" tell me they are far to busy to have to deal with that.

What do you think, lets go overboard and say you need to unlock your system 50 times a day. Probably takes , what, 5 minutes tops per day? So glad I don't deal with end users.

[johnnyshaka]

Quote:

Originally Posted by jeff061

Have you nutted up and implemented 15 minute idle screensaver locks? I've had so many "execs" tell me they are far to busy to have to deal with that.

What do you think, lets go overboard and say you need to unlock your system 50 times a day. Probably takes , what, 5 minutes tops per day? So glad I don't deal with end users.

LOL...I rarely deal with end users any more and cringe when I have to head out to do so. While it's great to visit with them it's a painful experience to try and convey just how utterly ridiculous they sound when they hate having to type their password in after their coffee break.

A few years ago we had a particular auditor who thought she was an IT wizard because she, and I quote, "builds PCs in her basement for fun"...GOLD! Anyway, I took this opportunity to sit her down and tell her that we NEEDED certain things to show up in the audit report like a password policy and screensaver locks. Well, she looked at me oddly and said it had been in there already for the past several years...LOL. So I told her to emphasize them somehow.

Well, she certainly did that and it's still talked about by the "higher ups" to this day. She waited until most of the staff was gone for lunch and then she went around to every office and sat down to see if she could get into anything and if so, what kind of trouble she could cause. She didn't have to go far as the first office she tried was my boss' office (not an IT person in the least yet she's our director...awesome) and her laptop was open and logged in with a plethora of stickies all over it containing various websites and passwords. The auditor opened up every site listed on the stickies (did not login to the sites but entered all the info necessary to do so but never clicked OK), opened up budget files, had email marked "confidential" opened up, among a bunch of other things. Awesome.

The best part of the whole situation was that this was a Wednesday and my boss hadn't been in since the previous Friday and wasn't going to be in that week at all. Office door wasn't locked either. That's the DIRECTOR OF IT.

Even better, the next office over is the Secretary Treasurer and the same situation would've gone down had the auditor chose to go to her office first.

When the senior execs got wind of what happened they were livid.........at the auditor. Seriously. My boss still growls when anybody mentions auditors. They still think the auditor operated unprofessionally and oddly enough we've never seen that particular auditor back again. Too bad, too, that was the best audit we've ever had.

Oh, and we still can't get approval to force screensaver locks.

[RainMaker]

Quote:

Originally Posted by jeff061

Have you nutted up and implemented 15 minute idle screensaver locks? I've had so many "execs" tell me they are far to busy to have to deal with that.

What do you think, lets go overboard and say you need to unlock your system 50 times a day. Probably takes , what, 5 minutes tops per day? So glad I don't deal with end users.

I know it sounds minor, but 5 minutes a day actually translates out to over 20 hours a year. Nearly 3 full days of work. Factor that into all the people working for a company and it could end up in some major numbers.

I've worked both sides of the fence, so I think there needs to be some balance. I remember my first job out of school where we had a guy called the "Nazi IT guy". He was anal with security and the bosses who didn't know better were fine with that. But a lot of the stuff was overdone and wasn't protecting anything of value. Just ended up costing everyone a lot of time,

[PackerFanatic]

Quote:

Originally Posted by MizzouRah

We have so many systems and passwords at work, I think people get to a point where for memory sake, they make them all the same or very similar.

Even being in IT, I keep a password protected spreadsheet with all my passwords.. I always one day what would happen if I forgot it.

Ditto

[jeff061]

Quote:

Originally Posted by RainMaker

I know it sounds minor, but 5 minutes a day actually translates out to over 20 hours a year. Nearly 3 full days of work. Factor that into all the people working for a company and it could end up in some major numbers.

I've worked both sides of the fence, so I think there needs to be some balance. I remember my first job out of school where we had a guy called the "Nazi IT guy". He was anal with security and the bosses who didn't know better were fine with that. But a lot of the stuff was overdone and wasn't protecting anything of value. Just ended up costing everyone a lot of time,

First off, it was a bit of an exaggeration. No one is unlocking their computer 50 times a day. Second, setting a screen timeout is not being nazi. Anyone who thinks it is I'm just going to ignore whenever they have an IT related "thought".

[jeff061]

Also, most security looks like a waste, until just that single time you regret it.

That's IT in general, a waste of time and money until something bad happens. Which sucks, since if they are doing their job that bad thing won't happen.

In short:

Quote:

he was anal with security and the bosses who didn't know better were fine with that

It's likely it is not the bosses that do not know better.

[RainMaker]

Quote:

Originally Posted by jeff061

First off, it was a bit of an exaggeration. No one is unlocking their computer 50 times a day. Second, setting a screen timeout is not being nazi. Anyone who thinks it is I'm just going to ignore whenever they have an IT related "thought".

I'm not talking about that, just some of the over-the-top things I've seen IT guys do. We used to have to get a password for the printer. He'd change it every other week and would have to come to your desk and put it in. Was just a huge waste of time to track the guy down when we needed something to print.

And the other was some web security software that seemed to block out half the sites on the web, including ones we needed to access.

I'm all for security. I run many sites/stores online that puts that at the top of the list. But I do think some guys get way too critical over minor things.

[jeff061]

Well, yeah. I've seen people lock down costly color printers, but there are more efficient ways of doing that than a password for the printer itself .

There's a difference between being over zealous and simply being incompetent.

[johnnyshaka]

I'm in a battle right now to prevent some staff from getting local admin rights on their laptops. My boss is sick of dealing with the calls about wanting to have abc software installed because they can't do it themselves (not that they ever could before) because they don't have the necessary rights. Instead my boss wants to give them free reign on their laptops and have a quick imaging solution for them when they messed them up. Also, having them sign an agreement along the lines that as soon as they install anything on their own (in other words, outside of the scope of applications we install and support) we will no longer support the hardware or software, even the stuff we installed prior to giving them the laptop will quiet the phones so we can actually get some work done.

I, for one, am not onside with doing something like this, from the perspective of somebody on the IT side of things. Thoughts from other guys on this side of the fence?

How about from the user perspective?

[gstelmack]

Quote:

Originally Posted by johnnyshaka

I'm in a battle right now to prevent some staff from getting local admin rights on their laptops. My boss is sick of dealing with the calls about wanting to have abc software installed because they can't do it themselves (not that they ever could before) because they don't have the necessary rights. Instead my boss wants to give them free reign on their laptops and have a quick imaging solution for them when they messed them up. Also, having them sign an agreement along the lines that as soon as they install anything on their own (in other words, outside of the scope of applications we install and support) we will no longer support the hardware or software, even the stuff we installed prior to giving them the laptop will quiet the phones so we can actually get some work done.

I, for one, am not onside with doing something like this, from the perspective of somebody on the IT side of things. Thoughts from other guys on this side of the fence?

How about from the user perspective?

This depends on what these users are/do. As developers we were set up with separate admin accounts so we could install stuff we needed, but ran as standard users most of the time for security. But developers often need that kind of access for day-to-day work. Typical office staff probably DON'T need that kind of access, and installations should go through IT, but then it is incumbent upon IT to be responsive to requests to install stuff.

[johnnyshaka]

Quote:

Originally Posted by gstelmack

This depends on what these users are/do. As developers we were set up with separate admin accounts so we could install stuff we needed, but ran as standard users most of the time for security. But developers often need that kind of access for day-to-day work. Typical office staff probably DON'T need that kind of access, and installations should go through IT, but then it is incumbent upon IT to be responsive to requests to install stuff.

Sorry, good point, our users could be considered typical office staff where email, internet, and Office would suffice for probably be 90% of their daily workflow. The rest of their day would likely be comprised of using other in-house software.

Obviously there are exceptions here and there but 99% of our users have all the software they need installed and available to them when they get their computers.

There are a few advanced users out there who do need more than what we routinely provide and those cases are usually taken care of quickly enough provided the requests are reasonable...like wanting MS Office 2000 instead of 2010 because they like it better...won't happen.

[DeToxRox]

Hacktivists associated with Anonymous have tangled with Sony, state police, and security firms, but drug cartels? According to a YouTube video posted online, the group is targeting the Zetas drug cartel in Mexico over the kidnapping of one of its members.
The message, which is in Spanish, said Anonymous is "tired of the criminal group the Zetas, which is dedicated to kidnapping, stealing and extortion," according to a translation published by the Guardian.
Hackers apparently have data that would expose the police officers, journalists, taxi drivers, and others who are working with the cartel. "You have made a great mistake by taking one of us. Free him," the video said.

Anonymous Threatens to Expose Drug Cartel | News & Opinion | PCMag.com

[Shkspr]

November 2's headline at PCMag.com: Head and Hands of Anonymous Hostage Delivered to Newspaper Office