How not to protect your computers when you are a computer security company

anonymousby munichnom

Feature: Anonymous speaks: the inside story of the HBGary hack
[Via Ars Technica]

It has been an embarrassing week for security firm HBGary and its HBGary Federal offshoot. HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group’s actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.

When Barr told one of those he believed to be an Anonymous ringleader about his forthcoming exposé, the Anonymous response was swift and humiliating. HBGary’s servers were broken into, its e-mails pillaged and published to the world, its data destroyed, and its website defaced. As an added bonus, a second site owned and operated by Greg Hoglund, owner of HBGary, was taken offline and the user registration database published.

Over the last week, I’ve talked to some of those who participated in the HBGary hack to learn in detail how they penetrated HBGary’s defenses and gave the company such a stunning black eye—and what the HBGary example means for the rest of us mere mortals who use the Internet.

[More]

This is a really interesting story regarding the details of a computer hack. What is surprising, and yet not so surprising, is that even a company devoted to computer security issues can have people who are just human.

HBGary was hacked not by sophisticated or arcane tools but by some of the simplest bolts in the hackers quiver: unpatched servers, poor passwords, reuse of passwords across systems and social engineering.

These allowed Anonymous to gain more and more information until it had the ability to root the servers, gaining access to the website, databases and even company emails.

Even some rudimentary precautions would have prevented much of this. But humans are humans and that is what hackers rely on most.

I imagine that there are a lot of  organizations having security audits done on their systems right now. As with many things, you may not be able to stop a determined thief – I remember reading about someone using a networked fax machine to get into the mainframe and root it, getting complete access – it is possible to slow them down enough to make it not worth their time.

Here, though, a security company that was not very concerned with its own security. Ironic.