Front Office Football Central  

Go Back   Front Office Football Central > Main Forums > Off Topic
Register FAQ Members List Calendar Mark Forums Read Statistics

Reply
 
Thread Tools
Old 02-17-2011, 01:17 PM   #1
Icy
Pro Starter
 
Join Date: Sep 2003
Location: Toledo - Spain
Cronicles of a successful hack attempt by Anonymous

Good read, both fun (specially for computer literates) and will make you think about your own company security.

Anonymous speaks: the inside story of the HBGary hack
__________________


Icy is offline   Reply With Quote
Old 02-17-2011, 01:32 PM   #2
RainMaker
Hall Of Famer
 
Join Date: Jun 2006
Location: Chicago, IL
It's a good read. I saw this a few days back.
RainMaker is offline   Reply With Quote
Old 02-17-2011, 01:36 PM   #3
Ronnie Dobbs2
Pro Rookie
 
Join Date: Jun 2012
Location: Bahston Mass
What amazes me is how many sequential bits of incompetence were needed for that to work.

For the tl;dr crowd:

Quote:
So what do we have in total? A Web application with SQL injection flaws and insecure passwords. Passwords that were badly chosen. Passwords that were reused. Servers that allowed password-based authentication. Systems that weren't patched. And an astonishing willingness to hand out credentials over e-mail, even when the person being asked for them should have realized something was up.
__________________
There's no I in Teamocil, at least not where you'd think

Last edited by Ronnie Dobbs2 : 02-17-2011 at 01:38 PM.
Ronnie Dobbs2 is offline   Reply With Quote
Old 02-17-2011, 02:00 PM   #4
chesapeake
College Starter
 
Join Date: Apr 2007
Location: Arlington, VA
With the cherry-on-the-top being that HBGary is in the business of IT security. I passed the story onto the resident nerds in the office. And basking in the righteous glow of my secure, unique and recently changed password.
chesapeake is offline   Reply With Quote
Old 02-17-2011, 02:22 PM   #5
PackerFanatic
Pro Starter
 
Join Date: Jul 2005
Location: Appleton, WI
Quote:
Originally Posted by Ronnie Dobbs2 View Post
What amazes me is how many sequential bits of incompetence were needed for that to work.

No doubt - especially from a seemingly competent security organization. Yowza.
PackerFanatic is offline   Reply With Quote
Old 02-17-2011, 04:42 PM   #6
k0ruptr
Pro Starter
 
Join Date: Apr 2003
Location: Las Vegas
oh if only I still was in the scene
__________________
Xbox Live Gamertag: k0ruptr
My Favorite Teams : Chicago White Sox - Carolina Panthers - Orlando Magic - Phoenix Suns - Anaheim Ducks - Hawaii Warriors - Oregon Ducks
k0ruptr is offline   Reply With Quote
Old 02-17-2011, 05:49 PM   #7
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
Quote:
What amazes me is how many sequential bits of incompetence were needed for that to work.

I'd say the vast majority of companies out there have similar problems, though that shitty custom CMS system was a killer. Most places won't have that problem, but not because they are any smarter, they are just going to use some widely used standardized app.

However, as mentioned, they are a god damned security firm. Which makes everything special.
__________________

jeff061 is offline   Reply With Quote
Old 02-17-2011, 05:55 PM   #8
Glengoyne
Grizzled Veteran
 
Join Date: Sep 2003
Location: Fresno, CA
I did appreciate the HBGary fellow that spoke to NPR. liberally paraphrased~ "The Illegality of what they've done shouldn't be ignored, and I'll ....(sic)... not be taking any lessons in transparency from an organization with 'Anonymous' in their name."
Glengoyne is offline   Reply With Quote
Old 02-17-2011, 05:57 PM   #9
Icy
Pro Starter
 
Join Date: Sep 2003
Location: Toledo - Spain
To me the most shocking thing is the emails exchange and how the system admin gave them all the info, user, pass, open ports, etc.
__________________

Icy is offline   Reply With Quote
Old 02-17-2011, 06:02 PM   #10
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
Lot of sys admins out there aren't going to say no to the owner. Easier said than done.
__________________

jeff061 is offline   Reply With Quote
Old 02-17-2011, 07:22 PM   #11
Glengoyne
Grizzled Veteran
 
Join Date: Sep 2003
Location: Fresno, CA
Quote:
Originally Posted by jeff061 View Post
Lot of sys admins out there aren't going to say no to the owner. Easier said than done.

I'd like to think that simple dilligence toward important security policies would over ride this compliance with authority. If credentials are only supposed to be delivered verbally over the phone, You'd hope that more techs would stand up to an exec. Did you really just send our root password in plain text in an email? or I've reset your credentials, let me call you with the password.

I don't think many companies would fare much better, which is pretty scary. More alarming to me, is that it would be next to trivial to crack my passwords on a number of sites. They are generally different, but not sufficiently complex...apparently.

At one company I worked for, a VP would always call saying he'd forgotten his password. I'd have a tech change it, then call him back and tell him the new password, that he'd have to log in with and then be forced to immediatley change. I started with DipWad01 and incremented all of the way to DipWad14.
Glengoyne is offline   Reply With Quote
Old 02-17-2011, 07:42 PM   #12
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
There is no incentive to stand up to the exec. What we read in this article is a rarity and it's much more likely you are going to do nothing but piss the exec off. Not worth it. Not saying it's right, but that's what a scrub sys admin is going to think.

That said, a company like this should be held to a much higher standard .

The main issue was having a externally facing, custom built(thus shittily supported) application with an unpatched SQL injection exploit. Horrible. I'd say they should be hiring auditors to detect that stuff, but they are the auditors. Still probably should get an outside set of eyes on things.
__________________

jeff061 is offline   Reply With Quote
Old 02-17-2011, 08:32 PM   #13
johnnyshaka
College Benchwarmer
 
Join Date: Oct 2002
Location: Edmonton, AB
Quote:
Originally Posted by jeff061 View Post
Lot of sys admins out there aren't going to say no to the owner. Easier said than done.

I'll concur as I've been with my current place of employment for 10 years and know several "higher ups" who haven't changed a password since I've been there. They've been told to do so by us (the IT Dept.) and by auditors but simply refuse to do it. Is locking them out of the network worth risking my job? Uhm, no.

If they want to risk the integrity of "their" network...go right ahead...I've signed all the appropriate paperwork to make sure my butt is covered if the fit were ever to hit the shan.
johnnyshaka is offline   Reply With Quote
Old 02-17-2011, 09:42 PM   #14
MizzouRah
Hall Of Famer
 
Join Date: Sep 2002
Location: Troy, Mo
We have so many systems and passwords at work, I think people get to a point where for memory sake, they make them all the same or very similar.

Even being in IT, I keep a password protected spreadsheet with all my passwords.. I always one day what would happen if I forgot it.
MizzouRah is offline   Reply With Quote
Old 02-17-2011, 10:20 PM   #15
Drake
assmaster
 
Join Date: Feb 2001
Location: Bloomington, IN
Quote:
Originally Posted by MizzouRah View Post
We have so many systems and passwords at work, I think people get to a point where for memory sake, they make them all the same or very similar.

Even being in IT, I keep a password protected spreadsheet with all my passwords.. I always one day what would happen if I forgot it.

Heh. I've got one of these, too.

Of course, I've also got post-its with passwords stuck to my monitors, too. The good news is that I don't indicate what accounts they go to, so they're not even useful to me.
Drake is offline   Reply With Quote
Old 02-17-2011, 11:12 PM   #16
MizzouRah
Hall Of Famer
 
Join Date: Sep 2002
Location: Troy, Mo
Quote:
Originally Posted by Drake View Post
Heh. I've got one of these, too.

Of course, I've also got post-its with passwords stuck to my monitors, too. The good news is that I don't indicate what accounts they go to, so they're not even useful to me.

LOL.. yeah I love getting a laptop from a user and when I open it up, it has their logon password on a post it note.
MizzouRah is offline   Reply With Quote
Old 02-18-2011, 11:34 AM   #17
johnnyshaka
College Benchwarmer
 
Join Date: Oct 2002
Location: Edmonton, AB
We're in the midst of a migration from Netware to Windows (ugh) and we've decided to try and play the "there is nothing we can do, Server 2008 requires that you change your password at least every 90 days" card and so far it's been working. We see what happens when we hit the "higher ups" with that line...lol.
johnnyshaka is offline   Reply With Quote
Old 02-18-2011, 11:37 AM   #18
Alf
Pro Starter
 
Join Date: Jan 2001
Location: Rennes, France
Good read. Thanks Icy
__________________
FOFL - GML - IHOF - FranceStats
Alf is offline   Reply With Quote
Old 02-18-2011, 11:50 AM   #19
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
Quote:
Originally Posted by johnnyshaka View Post
We're in the midst of a migration from Netware to Windows (ugh) and we've decided to try and play the "there is nothing we can do, Server 2008 requires that you change your password at least every 90 days" card and so far it's been working. We see what happens when we hit the "higher ups" with that line...lol.

Have you nutted up and implemented 15 minute idle screensaver locks? I've had so many "execs" tell me they are far to busy to have to deal with that.

What do you think, lets go overboard and say you need to unlock your system 50 times a day. Probably takes , what, 5 minutes tops per day? So glad I don't deal with end users.
__________________

jeff061 is offline   Reply With Quote
Old 02-18-2011, 12:36 PM   #20
johnnyshaka
College Benchwarmer
 
Join Date: Oct 2002
Location: Edmonton, AB
Quote:
Originally Posted by jeff061 View Post
Have you nutted up and implemented 15 minute idle screensaver locks? I've had so many "execs" tell me they are far to busy to have to deal with that.

What do you think, lets go overboard and say you need to unlock your system 50 times a day. Probably takes , what, 5 minutes tops per day? So glad I don't deal with end users.

LOL...I rarely deal with end users any more and cringe when I have to head out to do so. While it's great to visit with them it's a painful experience to try and convey just how utterly ridiculous they sound when they hate having to type their password in after their coffee break.

A few years ago we had a particular auditor who thought she was an IT wizard because she, and I quote, "builds PCs in her basement for fun"...GOLD! Anyway, I took this opportunity to sit her down and tell her that we NEEDED certain things to show up in the audit report like a password policy and screensaver locks. Well, she looked at me oddly and said it had been in there already for the past several years...LOL. So I told her to emphasize them somehow.

Well, she certainly did that and it's still talked about by the "higher ups" to this day. She waited until most of the staff was gone for lunch and then she went around to every office and sat down to see if she could get into anything and if so, what kind of trouble she could cause. She didn't have to go far as the first office she tried was my boss' office (not an IT person in the least yet she's our director...awesome) and her laptop was open and logged in with a plethora of stickies all over it containing various websites and passwords. The auditor opened up every site listed on the stickies (did not login to the sites but entered all the info necessary to do so but never clicked OK), opened up budget files, had email marked "confidential" opened up, among a bunch of other things. Awesome.

The best part of the whole situation was that this was a Wednesday and my boss hadn't been in since the previous Friday and wasn't going to be in that week at all. Office door wasn't locked either. That's the DIRECTOR OF IT.

Even better, the next office over is the Secretary Treasurer and the same situation would've gone down had the auditor chose to go to her office first.

When the senior execs got wind of what happened they were livid.........at the auditor. Seriously. My boss still growls when anybody mentions auditors. They still think the auditor operated unprofessionally and oddly enough we've never seen that particular auditor back again. Too bad, too, that was the best audit we've ever had.

Oh, and we still can't get approval to force screensaver locks.
johnnyshaka is offline   Reply With Quote
Old 02-18-2011, 03:28 PM   #21
RainMaker
Hall Of Famer
 
Join Date: Jun 2006
Location: Chicago, IL
Quote:
Originally Posted by jeff061 View Post
Have you nutted up and implemented 15 minute idle screensaver locks? I've had so many "execs" tell me they are far to busy to have to deal with that.

What do you think, lets go overboard and say you need to unlock your system 50 times a day. Probably takes , what, 5 minutes tops per day? So glad I don't deal with end users.
I know it sounds minor, but 5 minutes a day actually translates out to over 20 hours a year. Nearly 3 full days of work. Factor that into all the people working for a company and it could end up in some major numbers.

I've worked both sides of the fence, so I think there needs to be some balance. I remember my first job out of school where we had a guy called the "Nazi IT guy". He was anal with security and the bosses who didn't know better were fine with that. But a lot of the stuff was overdone and wasn't protecting anything of value. Just ended up costing everyone a lot of time,
RainMaker is offline   Reply With Quote
Old 02-18-2011, 03:36 PM   #22
PackerFanatic
Pro Starter
 
Join Date: Jul 2005
Location: Appleton, WI
Quote:
Originally Posted by MizzouRah View Post
We have so many systems and passwords at work, I think people get to a point where for memory sake, they make them all the same or very similar.

Even being in IT, I keep a password protected spreadsheet with all my passwords.. I always one day what would happen if I forgot it.

Ditto
PackerFanatic is offline   Reply With Quote
Old 02-18-2011, 03:41 PM   #23
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
Quote:
Originally Posted by RainMaker View Post
I know it sounds minor, but 5 minutes a day actually translates out to over 20 hours a year. Nearly 3 full days of work. Factor that into all the people working for a company and it could end up in some major numbers.

I've worked both sides of the fence, so I think there needs to be some balance. I remember my first job out of school where we had a guy called the "Nazi IT guy". He was anal with security and the bosses who didn't know better were fine with that. But a lot of the stuff was overdone and wasn't protecting anything of value. Just ended up costing everyone a lot of time,

First off, it was a bit of an exaggeration. No one is unlocking their computer 50 times a day. Second, setting a screen timeout is not being nazi. Anyone who thinks it is I'm just going to ignore whenever they have an IT related "thought".
__________________


Last edited by jeff061 : 02-18-2011 at 03:42 PM.
jeff061 is offline   Reply With Quote
Old 02-18-2011, 03:43 PM   #24
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
Also, most security looks like a waste, until just that single time you regret it.

That's IT in general, a waste of time and money until something bad happens. Which sucks, since if they are doing their job that bad thing won't happen.

In short:

Quote:
he was anal with security and the bosses who didn't know better were fine with that

It's likely it is not the bosses that do not know better.
__________________


Last edited by jeff061 : 02-18-2011 at 03:44 PM.
jeff061 is offline   Reply With Quote
Old 02-18-2011, 03:52 PM   #25
RainMaker
Hall Of Famer
 
Join Date: Jun 2006
Location: Chicago, IL
Quote:
Originally Posted by jeff061 View Post
First off, it was a bit of an exaggeration. No one is unlocking their computer 50 times a day. Second, setting a screen timeout is not being nazi. Anyone who thinks it is I'm just going to ignore whenever they have an IT related "thought".
I'm not talking about that, just some of the over-the-top things I've seen IT guys do. We used to have to get a password for the printer. He'd change it every other week and would have to come to your desk and put it in. Was just a huge waste of time to track the guy down when we needed something to print.

And the other was some web security software that seemed to block out half the sites on the web, including ones we needed to access.

I'm all for security. I run many sites/stores online that puts that at the top of the list. But I do think some guys get way too critical over minor things.
RainMaker is offline   Reply With Quote
Old 02-18-2011, 03:58 PM   #26
jeff061
Grizzled Veteran
 
Join Date: Nov 2003
Location: MA
Well, yeah. I've seen people lock down costly color printers, but there are more efficient ways of doing that than a password for the printer itself .

There's a difference between being over zealous and simply being incompetent.
__________________

jeff061 is offline   Reply With Quote
Old 02-18-2011, 04:15 PM   #27
johnnyshaka
College Benchwarmer
 
Join Date: Oct 2002
Location: Edmonton, AB
I'm in a battle right now to prevent some staff from getting local admin rights on their laptops. My boss is sick of dealing with the calls about wanting to have abc software installed because they can't do it themselves (not that they ever could before) because they don't have the necessary rights. Instead my boss wants to give them free reign on their laptops and have a quick imaging solution for them when they messed them up. Also, having them sign an agreement along the lines that as soon as they install anything on their own (in other words, outside of the scope of applications we install and support) we will no longer support the hardware or software, even the stuff we installed prior to giving them the laptop will quiet the phones so we can actually get some work done.

I, for one, am not onside with doing something like this, from the perspective of somebody on the IT side of things. Thoughts from other guys on this side of the fence?

How about from the user perspective?
johnnyshaka is offline   Reply With Quote
Old 02-18-2011, 04:29 PM   #28
gstelmack
Pro Starter
 
Join Date: Oct 2000
Location: Cary, NC
Quote:
Originally Posted by johnnyshaka View Post
I'm in a battle right now to prevent some staff from getting local admin rights on their laptops. My boss is sick of dealing with the calls about wanting to have abc software installed because they can't do it themselves (not that they ever could before) because they don't have the necessary rights. Instead my boss wants to give them free reign on their laptops and have a quick imaging solution for them when they messed them up. Also, having them sign an agreement along the lines that as soon as they install anything on their own (in other words, outside of the scope of applications we install and support) we will no longer support the hardware or software, even the stuff we installed prior to giving them the laptop will quiet the phones so we can actually get some work done.

I, for one, am not onside with doing something like this, from the perspective of somebody on the IT side of things. Thoughts from other guys on this side of the fence?

How about from the user perspective?

This depends on what these users are/do. As developers we were set up with separate admin accounts so we could install stuff we needed, but ran as standard users most of the time for security. But developers often need that kind of access for day-to-day work. Typical office staff probably DON'T need that kind of access, and installations should go through IT, but then it is incumbent upon IT to be responsive to requests to install stuff.
__________________
-- Greg
-- Author of various FOF utilities
gstelmack is offline   Reply With Quote
Old 02-18-2011, 04:44 PM   #29
johnnyshaka
College Benchwarmer
 
Join Date: Oct 2002
Location: Edmonton, AB
Quote:
Originally Posted by gstelmack View Post
This depends on what these users are/do. As developers we were set up with separate admin accounts so we could install stuff we needed, but ran as standard users most of the time for security. But developers often need that kind of access for day-to-day work. Typical office staff probably DON'T need that kind of access, and installations should go through IT, but then it is incumbent upon IT to be responsive to requests to install stuff.

Sorry, good point, our users could be considered typical office staff where email, internet, and Office would suffice for probably be 90% of their daily workflow. The rest of their day would likely be comprised of using other in-house software.

Obviously there are exceptions here and there but 99% of our users have all the software they need installed and available to them when they get their computers.

There are a few advanced users out there who do need more than what we routinely provide and those cases are usually taken care of quickly enough provided the requests are reasonable...like wanting MS Office 2000 instead of 2010 because they like it better...won't happen.

Last edited by johnnyshaka : 02-18-2011 at 04:46 PM.
johnnyshaka is offline   Reply With Quote
Old 10-31-2011, 04:11 PM   #30
DeToxRox
Head Coach
 
Join Date: Dec 2002
Location: Michigan
Hacktivists associated with Anonymous have tangled with Sony, state police, and security firms, but drug cartels? According to a YouTube video posted online, the group is targeting the Zetas drug cartel in Mexico over the kidnapping of one of its members.
The message, which is in Spanish, said Anonymous is "tired of the criminal group the Zetas, which is dedicated to kidnapping, stealing and extortion," according to a translation published by the Guardian.
Hackers apparently have data that would expose the police officers, journalists, taxi drivers, and others who are working with the cartel. "You have made a great mistake by taking one of us. Free him," the video said.

Anonymous Threatens to Expose Drug Cartel | News & Opinion | PCMag.com
DeToxRox is offline   Reply With Quote
Old 10-31-2011, 06:04 PM   #31
Shkspr
College Benchwarmer
 
Join Date: Nov 2000
Location: Amarillo, TX
November 2's headline at PCMag.com: Head and Hands of Anonymous Hostage Delivered to Newspaper Office
Shkspr is offline   Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is On
Forum Jump


All times are GMT -5. The time now is 01:39 PM.



Powered by vBulletin Version 3.6.0
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.