Mischief-making hacking group LulzSec hacked into the systems of an FBI-affiliated public-private partnership organisation, defacing its website and leaking its email database in the process. Website defacements included mooching messages such as "LET IT FLOW YOU STUPID FBI BATTLESHIPS" and a video clip. Part of the message …
What a to do
"They're only having a laugh, leave 'em alone!", was more or less the attitude in the comments that I remember from the last story on Reg about this bunch, especially when anyone tried to condemn them for their actions. I'm all in favour of penetration testing but this sort of baptism of fire only favours security firms offering protection consultants at vastly inflated hourly rates. I'm sure some people think this will wake some companies up to deal with their security, but it won't. Companies won't spend money and as usual the management will come up with something like, "We bought this firewall/IDS appliance then plugged it in, we're secure!".
This lot are the internet equivalent of "RatBoys", bust into somewhere, dump on the floor, grab anything they can that might be interesting and finally they can boast to their mates about what they did.
You know, man...
"That carpet really held the room together."
"this sort of baptism of fire only favours security firms offering protection consultants at vastly inflated hourly rates"
Correct me if I'm wrong, but isn't this guy one of the vastly inflated hourly rate consultants?
Note: If running a security consultancy, and getting hacked, keep head down, patch holes. Don't start shooting your mouth off and having a public bitch fight! Aka, when you hit rock bottom, don't continue digging!
So the passwords were stored without any form of hashing? Apparently the FBI does not screen the companies they work with so well.
re: passwords exposed
The passwords were hash browns but they had no salt. Doesn't make for a tasty password.
Is that a bit of "egg on their face"?
Exposed passwords, big fail. I would hate to be in their shoes right about now!
re: passwords exposed
I know this is a serious breach, but I appreciated your comment! A little humor plus I'm hungry for hash browns now!
Wrong way to do things....
But Unveillance is pretty much a scam outfit.
Everything about them, and everything about Karim Hijazi screams con artist. "He" has, in the past, generated a website that was nothing more than a scrape of Bruce Schneier's blog and seems pretty prolific at selling snake oil security.
I can't bring myself to feel sorry for him. At all.
The worrying thing about this hack and the HBGary one before is that they are showing these "whitehats" to be anything but. Even worse is that governments are using and paying these shady cnuts.
The problem is...
Military and TFOLAO don't tend to get on with people who think "out of the box" as they call lateral thinking, and vastly prefer team players.
Herding techies makes herding cats look trivial, so these companies spring up that promote the Hollywood vision of benevolent hackers - You know the ones, bit smelly, but with the heart of a patriot and a surprising facility with automatic weapons when the chips are down - in order to cash in.
They certainly aren't the only IT "consultancies" who large up their skills and abilities. :(
re: The problem is...
Maybe these days, yes.
Back in the good old days (i.e. WWII), Churchill actually encouraged oddball thinkers in the intelligence agencies. The Germans were thought to think in straight lines, so he wanted people who could think in curves.
Cue some very crazy ideas from some very imaginative people.
One such person was a chap called Ian Fleming (you may have heard of him). He came up with a plan called operation mincemeat - best not to look that one up if you've just had lunch.
More to the point however...
While the "good guy" techies are only barely tolerated by military, FBI, et al, those who hack into FBI websites - at least as far as the FBI is concerned - fall squarely into "terrorist." And it only takes one mistake before someone is pointing a gun at you and saying, "Resist, I dare you."
"Hackers" was a fun movie, but it had nothing to do with real life.
re: The problem is..
Herding cats is simple. You just have to make sure that they *want* to go where you want to herd them.
Of course, implementation is slightly more complex..
RE: The problem is...
"Military and TFOLAO don't tend to get on with people who think "out of the box"....." I call male-bovine-manure on that one! There are quite a number of "unconventional" people I know working in the industry, simply because they could show they could do the job as well as be unconventional. You seem to have swallowed the bilge put out by so many that can't do the job - "I only didn't get that job because I'm too off the wall, man!" There's a difference between being capable of working outside the box and being lazy and unskilled.
Yes, there are a large number of fakers in the security market, just like any market that promises lots of money, but just like with cowboy builders, they soon get found out and lose their customers.
If most of this group are American and the administration has said any hack is an act of war, does this mean America is at civil war?
You have to use unique, strong passwords! Here's how I...
"users' re-use of the same passwords"!
I'll keep saying it: use the same password and you hand over the keys to any other sites or services you use. Follow the easy techniques for creating complex and unique passwords you can remember, listed near the end of this article http://wp.me/p1rE6R-4O, and I use LastPass, reviewed here http://wp.me/p1rE6R-dO
or, to put it another way....
"In particular it claims to have targeted Karim Hijazi, who used his Infragard password for his Gmail account and a corporate account with a white-hat hacking group he runs, called Unveillance"
Monumental FAIL Mr Hijazi.
I think you need to go and read a timeless old book, "The Hacker's Handbook" by Hugo Cornwall - it was first published in the mid-1980s, so you can probably find a plain .txt copy by googling if it makes your life easier (not that I'd recommend that as it's still in copyright), and it makes several points in it that are still valid today.
The Hacker's Handbook, by Hugo Cornwall (1985)
Available thru Project Gutenberg:
Not sure what the differences are. Didn't download for myself. Unveillance is a fraud.
Time to stamp on the hacker networks....
"To clarify, we were never going to extort anything from you. We were simply going to pressure you into a position where you could be willing to give us money for our silence, and then expose you publicly."
You're right, that's not extortion!! It's extortion (you still would have intimidated someone into giving you money, whether you were going to burn the money or give it to starving Haitian orphans afterwards is immaterial), plus conspiracy, plus a few civil charges around defamation of character, restraint of trade and unauthorized disclosure of IP!!
We really need to stop any romanticising of these hacker networks like Anonymous or LulzSec. These guys are already going down the slippery slope from "freedom fighters" into thugs and terrorists. Kind of like a cyber Irish Republican Army!!
Eventually, the FBI will make "LulzSecurity" their little bitch.
Oh, and by the way.
Not wanting to exclusively lay into the LulzSec perps--has the "security consultant" in question ever heard of hashing passwords?? I have, and I am just a lowly, barely-technical marketing guy!!
Maybe I should open up a cyber-security consultancy to do business with the FBI!!
Remember to add salt to hash
The number of sites which forget this little point are Legion.
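An added illustration of the point in this comment (example code, not from the article or any commenter): with an unsalted digest, two accounts that share a password end up with the same stored hash, so one precomputed lookup or one cracked hash exposes all of them, whereas a per-user random salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256 here) removes that property. The account names and passwords below are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two different users who happened to pick the same password.
USERS = {
    "alice@example.invalid": "Summer2011!",
    "bob@example.invalid": "Summer2011!",
}


def unsalted_hash(password: str) -> str:
    """The weak scheme the thread complains about: a bare digest of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_salted_record(password: str, iterations: int = 200_000) -> dict:
    """Hardened form: fresh random salt per user and a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def unsalted_digests_collide(users: dict) -> bool:
    """True when any two users with the same password get identical stored hashes."""
    digests = [unsalted_hash(pw) for pw in users.values()]
    return len(set(digests)) < len(digests)


def salted_records_collide(users: dict) -> bool:
    """Same check for the salted scheme; the random salt makes each record unique."""
    hashes = [make_salted_record(pw)["hash"] for pw in users.values()]
    return len(set(hashes)) < len(hashes)


if __name__ == "__main__":
    print("unsalted hashes collide:", unsalted_digests_collide(USERS))
    print("salted hashes collide:", salted_records_collide(USERS))
    rec = make_salted_record("Summer2011!")
    print("verify correct:", verify(rec, "Summer2011!"))
    print("verify wrong:", verify(rec, "Winter2011!"))
```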
Go for it
You'd be hard pressed to be any worse than Unveillance, Infraguard, or HBGary.
Who is pulling the strings?
Look for the one who benefits from this....
nice way to cut the contracts without lengthy procedures?....maybe....
shift attention from RSA data breach in preparation for a new Stuxnet?....who knows...
Says it all.
Imagine if this were 1942-44 and such slack security standards applied.
Imagine if this were 1942-44 and such slack security standards applied. Abwehr--German WWII intelligence--would have gained such a foothold on US wartime secrets that they may as well have been broadcast direct to Berlin by NBC or CBS.
How is such incompetence possible? Right, 'tis a rhetorical question, as we're almost certainly the answers.
As with the other current security story--the Google/China hacks--by now you'd think that two-level authentication/certificated/encrypted 'passwording' schemes would be commonplace when the stakes are high.
...But perhaps I'm wrong, maybe the stakes just aren't high enough for anyone to bother.