Passwords exposed
So the passwords were stored without any form of hashing? Apparently the FBI does not screen the companies they work with so well.
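The storage failure the commenter is pointing at, shown as an added example (this is not code from the original thread or from any of the organisations named in it): a constructed plaintext credential table beside the salted, iterated PBKDF2 records it should have held, plus the verification routine that goes with them. The user names, the password and the iteration count are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample rows: this is what a credential table looks like when
# passwords are stored "without any form of hashing". Anyone who dumps it can
# log in as these users here and, where they reuse passwords, elsewhere.
PLAINTEXT_TABLE: Dict[str, str] = {
    "alice": "correct horse battery staple",  # hypothetical user and password
    "bob": "correct horse battery staple",    # same password reused by a second user
}

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    A fresh random salt per record means two users with the same password get
    unrelated hashes, so a dump cannot be matched against another site's dump
    or a precomputed table."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record (e.g. a leftover plaintext value)
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def migrate_plaintext_table(table: Dict[str, str]) -> Dict[str, str]:
    """One-off conversion of a plaintext table into salted records.

    This is only possible while the plaintext is still available; after the
    migration the original column has to be wiped."""
    return {user: hash_password(pw) for user, pw in table.items()}


def records_collide(a: str, b: str) -> bool:
    """Can an attacker tell from the stored values alone that two users share a
    password? True for plaintext (and for unsalted hashes), False with per-record salt."""
    return a == b


if __name__ == "__main__":
    hashed = migrate_plaintext_table(PLAINTEXT_TABLE)
    for user, record in hashed.items():
        print(user, record)
    print("alice/bob collide in plaintext:", records_collide(PLAINTEXT_TABLE["alice"], PLAINTEXT_TABLE["bob"]))
    print("alice/bob collide once hashed:", records_collide(hashed["alice"], hashed["bob"]))
    print("login check:", verify_password("correct horse battery staple", hashed["alice"]))
```

The record format carries its own algorithm and work factor, so the iteration count can be raised later without breaking existing rows: verify against the stored parameters, then rehash with the new ones on a successful login.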
Mischief-making hacking group LulzSec hacked into the systems of an FBI-affiliated public-private partnership organisation, defacing its website and leaking its email database in the process. Website defacements included mooching messages such as "LET IT FLOW YOU STUPID FBI BATTLESHIPS" and a video clip. Part of the message …
"They're only having a laugh, leave 'em alone!", was more or less the attitude in the comments that I remember from the last story on the Reg about this bunch, especially when anyone tried to condemn them for their actions. I'm all in favour of penetration testing, but this sort of baptism of fire only favours security firms offering protection consultants at vastly inflated hourly rates. I'm sure some people think this will wake some companies up to deal with their security, but it won't. Companies won't spend money and, as usual, the management will come up with something like, "We bought this firewall/IDS appliance then plugged it in, we're secure!".
This lot are the internet equivalent of "RatBoys": bust into somewhere, dump on the floor, grab anything they can that might be interesting, and finally boast to their mates about what they did.
"this sort of baptism of fire only favours security firms offering protection consultants at vastly inflated hourly rates"
Correct me if I'm wrong, but isn't this guy one of the vastly inflated hourly rate consultants?
Note: if running a security consultancy and getting hacked, keep your head down and patch the holes. Don't start shooting your mouth off and having a public bitch fight! AKA, when you hit rock bottom, don't continue digging!
But Unveillance is pretty much a scam outfit.
Everything about them, and everything about Karim Hijazi, screams con artist. "He" has, in the past, generated a website that was nothing more than a scrape of Bruce Schneier's blog and seems pretty prolific at selling snake oil security.
I can't bring myself to feel sorry for him. At all.
Military and TFOLAO don't tend to get on with people who think "out of the box" as they call lateral thinking, and vastly prefer team players.
Herding techies makes herding cats look trivial, so these companies spring up that promote the Hollywood vision of benevolent hackers - You know the ones, bit smelly, but with the heart of a patriot and a surprising facility with automatic weapons when the chips are down - in order to cash in.
They certainly aren't the only IT "consultancies" who large up their skills and abilities. :(
Maybe these days, yes.
Back in the good old days (i.e. WWII), Churchill actually encouraged oddball thinkers in the intelligence agencies. The Germans were thought to think in straight lines, so he wanted people who could think in curves.
Cue some very crazy ideas from some very imaginative people.
One such person was a chap called Ian Fleming (you may have heard of him). He came up with a plan called Operation Mincemeat - best not to look that one up if you've just had lunch.
While the "good guy" techies are only barely tolerated by military, FBI, et al, those who hack into FBI websites - at least as far as the FBI is concerned - fall squarely into "terrorist." And it only takes one mistake before someone is pointing a gun at you and saying, "Resist, I dare you."
"Hackers" was a fun movie, but it had nothing to do with real life.
"Military and TFOLAO don't tend to get on with people who think "out of the box"....." I call male-bovine-manure on that one! There are quite a number of "unconventional" people I know working in the industry, simply because they could show they could do the job as well as be unconventional. You seem to have swallowed the bilge put out by so many that can't do the job - "I only didn't get that job because I'm too off the wall, man!" There's a difference between being capable of working outside the box and being lazy and unskilled.
Yes, there are a large number of fakers in the security market, just like any market that promises lots of money, but just like with cowboy builders, they soon get found out and lose their customers.
"users' re-use of the same passwords"!
I'll keep saying it: use the same password and you hand over the keys to every other site or service you use. Follow the easy techniques for creating complex and unique passwords you can remember, listed near the end of this article http://wp.me/p1rE6R-4O, and I use LastPass, reviewed here http://wp.me/p1rE6R-dO
David
"In particular it claims to have targeted Karim Hijazi, who used his Infragard password for his Gmail account and a corporate account with a white-hat hacking group he runs, called Unveillance"
Monumental FAIL, Mr Hijazi.
I think you need to go and read a timeless old book, "The Hacker's Handbook" by Hugo Cornwall. It was first published in the mid 1980s, so you can probably find a plain .txt copy by googling if it makes your life easier (not that I'd recommend that, as it's still in copyright), and it makes several points that are still valid today.
Available through Project Gutenberg:
http://www.textfiles.com/etext/MODERN/hckr_hnd.txt
http://www.textfiles.com/etext/MODERN/hhandbook.txt
http://www.textfiles.com/etext/MODERN/hhbk
Not sure what the differences are. Didn't download them myself. Unveillance is a fraud.
"To clarify, we were never going to extort anything from you. We were simply going to pressure you into a position where you could be willing to give us money for our silence, and then expose you publicly."
You're right, that's not extortion!! It's extortion (you still would have intimidated someone into giving you money; whether you were going to burn the money or give it to starving Haitian orphans afterwards is immaterial), plus conspiracy, plus a few civil charges around defamation of character, restraint of trade and unauthorised disclosure of IP!!
We really need to stop any romanticising of these hacker networks like Anonymous or LulzSec. These guys are already going down the slippery slope from "freedom fighters" into thugs and terrorists. Kind of like a cyber Irish Republican Army!!
Imagine if this were 1942-44 and such slack security standards applied. The Abwehr - German WWII intelligence - would have gained such a foothold on US wartime secrets that they may as well have been broadcast direct to Berlin by NBC or CBS.
How is such incompetence possible? Right, 'tis a rhetorical question, as we're almost certainly the answers.
As with the other current security story--the Google/China hacks--by now you'd think that two-level authentication/certificated/encrypted 'passwording' schemes would be commonplace when the stakes are high.
...But perhaps I'm wrong, maybe the stakes just aren't high enough for anyone to bother.