Crime is still Crime! Pt 2

Published: 2011-02-07
Last Updated: 2011-02-07 15:10:08 UTC
by Richard Porter (Version: 1)
3 comment(s)


There is an interesting piece running on several web news outlets and twitter is abuzz with HBGary Federal being hacked by Anonymous. HBGary was in the news less than 3 days ago stating they were tracking down members of Anonymous and aiding the FBI.

Last month we ran a piece, Crime is still Crime, assessing the risks of non-security firms "attacking back."

http://www.isc.sans.org/diary.html?storyid=10300

With today's events and HBGary having an incident, the advice to assess your risk and posture before attacking back is reinforced, especially for those that are not in the information security field. If your revenue driver is making baby bottles, then ask yourself whether this is the right move and whether you have the skill set on staff.

Less than 3 days ago:
http://uk.finance.yahoo.com/news/Cyberactivists-warned-arrest-ftimes-3487898538.html?x=0
Today:
http://nakedsecurity.sophos.com/2011/02/07/hbgary-federal-hacked-and-exposed-by-anonymous/

I have been following these events (and will continue to follow them) from the start, as they cross government lines and could set legal precedent for the future. Let's stay tuned as this takes shape.

And remember a (paraphrased) quote from Cliff Stoll's The Cuckoo's Egg: "Professionals don't make big mistakes, they make little ones!"

Richard Porter

--- ISC Handler on Duty


Comments

I think some sensitive organizations allow HBGary remote access into their networks for incident response and such. Imagine the awkward conversations happening today with those customers. And HBGary essentially publicly taunted Anonymous to start all of this off.
The social engineering apparently used in the attack is definitely thought-provoking. Having reset the password for and gained access to an admin's email account with an external provider, and armed with a history of sent and received emails stored therein, could an attacker persuade one of your co-admins to reset your account password? And could you then sudo into a server's root account using the same?

Is your organisation's own, secure email infrastructure so good that your employees actually do use it? Do you actually sign your email as standard practice, such that unsigned email would immediately appear suspicious? And are there real barriers in place to prevent further escalation of privileges if an account is breached?

The method employed by Anonymous perhaps reflects how HBGary likewise supposedly used social engineering and perhaps even attempted exploits or trojans. This too is worrying. Would law enforcement really have paid for information obtained in this way, and acted upon it? If an analysis is made of the leaked documents and emails it may bring some answers.
(Disclaimer: Not law enforcement, not a lawyer.)
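One way to turn the "unsigned email should immediately appear suspicious" point above into a check is to triage a mailbox export and flag messages that claim an internal sender but carry no S/MIME or PGP/MIME signature. This is an added example, not code from the diary, its commenters or ISC; it assumes a single internal domain (INTERNAL_DOMAIN) and that the organisation signs all internal mail, and the sample messages are constructed. It detects only the presence of a signature structure; validating the signature needs the signer's key and a PGP or S/MIME toolkit.

```python
"""Flag unsigned mail that claims to come from inside the organisation.

Added example, not part of the ISC diary. Assumptions: one internal domain
(INTERNAL_DOMAIN) and a policy that internal mail is always signed.
Presence of a signature is checked, not its validity.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.org"  # assumption: your own mail domain

# MIME types carried in the second part of a multipart/signed message
DETACHED_SIGNATURE_TYPES = {
    "application/pgp-signature",     # PGP/MIME (RFC 3156)
    "application/pkcs7-signature",   # S/MIME detached signature (RFC 8551)
    "application/x-pkcs7-signature",
}


def is_signed(msg):
    """True if the message has a detached (multipart/signed) or opaque S/MIME signature."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        parts = msg.get_payload()
        return isinstance(parts, list) and any(
            p.get_content_type() in DETACHED_SIGNATURE_TYPES for p in parts)
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # opaque S/MIME: signed-data wraps the body rather than sitting beside it
        return msg.get_param("smime-type") == "signed-data"
    return False


def classify(raw):
    """Parse one RFC 822 message and decide how its signing status should be read."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    internal = addr.rpartition("@")[2].lower() == INTERNAL_DOMAIN
    if is_signed(msg):
        verdict = "signed"
    elif internal:
        verdict = "unsigned-internal"   # the case the comment above describes
    else:
        verdict = "unsigned-external"
    return {"from": addr, "subject": msg.get("Subject", ""), "verdict": verdict}


def triage(raw_messages):
    return [classify(r) for r in raw_messages]


def suspicious(findings):
    """Internal-looking mail without a signature deserves a phone call, not a reply."""
    return [f for f in findings if f["verdict"] == "unsigned-internal"]


# Constructed sample messages (placeholders, not real signatures).
SIGNED = """From: admin@example.org
To: ops@example.org
Subject: Maintenance window tonight
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha256; boundary="sigbnd"

--sigbnd
Content-Type: text/plain

Patching the mail gateway at 22:00.
--sigbnd
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
-----END PGP SIGNATURE-----
--sigbnd--
"""

UNSIGNED_INTERNAL = """From: admin@example.org
To: ops@example.org
Subject: Locked out, please reset my password
Content-Type: text/plain

Can you reset my account password? I am travelling and cannot sign this.
"""

UNSIGNED_EXTERNAL = """From: Vendor News <news@vendor.example.com>
To: ops@example.org
Subject: Monthly update
Content-Type: text/plain

Release notes for this month.
"""

OPAQUE_SMIME = """From: ciso@example.org
To: ops@example.org
Subject: Policy reminder
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
"""

SAMPLES = [SIGNED, UNSIGNED_INTERNAL, UNSIGNED_EXTERNAL, OPAQUE_SMIME]

if __name__ == "__main__":
    for f in triage(SAMPLES):
        print(f"{f['verdict']:18} {f['from']:28} {f['subject']}")
```

Run against a real export, the "unsigned-internal" bucket is the one to review: it is exactly where a password-reset request arriving from a hijacked external mailbox would land.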

That's a good question, Steven.

They might treat information gathered using black hat tactics in the same way as information provided by an informant. I don't know if it would be admissible as evidence but it could be used to provide direction or uncover leads that could be followed up using more conventional methods.
