Anonymous vs WBC
Just did a Google and, as I'd have guessed, the main reasons the hack worked were that they were using a version of their CMS with known security holes, crappy encryption for their passwords (they were easily crackable with a rainbow table, so I guess they either had no or predictable salts), and the classic hole that is idiots using the same passwords for everything. The IT staff in the company also handed out the root password for their servers to a randomer who claimed to be an employee, which shows very bad internal security.
Well, I hope that in the future government employees & high level business people ensure better security. America's real enemies could conceivably learn from tactics like this
The real scary thing is that we're not even talking about super-advanced hacking here. The CMS was hacked because of an SQL injection exploit and everything else that followed was a domino effect of that. Plus, they didn't use a popular CMS, they got a custom made one which lacked any technical support or updates, making the likelihood of unnoticed exploits cropping up stupidly high.
For a security firm who invests a lot on high-end security for the systems themselves to prevent them getting infected with malware and such, they sure didn't seem to pay much attention to the basic security required to prevent people from accessing them.
Perhaps the Chinese have been doing it for a long time
Anonymous may have done a favor by exposing this weakness in rather benign ways
Yet, certainly, the wise learn many things from their enemies; for caution preserves all things. From a friend you could not learn this, but your foe immediately obliges you to learn it. For example, the states have learned from enemies, and not from friends, to build lofty walls, and to possess ships of war. And this lesson preserves children, house, and possessions. - Aristophanes, The Birds
_________________
Opportunities multiply as they are seized. -Sun Tzu
Nature creates few men brave, industry and training makes many -Machiavelli
You can safely assume that you've created God in your own image when it turns out that God hates all the same people you do
Anonymous may have done a favor by exposing this weakness in rather benign ways
Yet, certainly, the wise learn many things from their enemies; for caution preserves all things. From a friend you could not learn this, but your foe immediately obliges you to learn it. For example, the states have learned from enemies, and not from friends, to build lofty walls, and to possess ships of war. And this lesson preserves children, house, and possessions. - Aristophanes, The Birds
Certainly, being hacked should teach you important lessons. But it keeps shocking me just how bad the security for all these big corporations is, and since these really are basic flaws that are being exploited, it shouldn't be possible to hack these systems the way they were hacked. The guys running them should have used basic common sense when they put the systems together and checked for injection exploits, hashed the passwords properly, and made sure the admin and staff passwords were secure (and regularly changed) ones. But they didn't bother.
Human laziness is the biggest security hole, it seems. Even if there was a hypothetically perfect system, the organic part in front of the keyboard would still cause problems.
HBGary was probably the most prominent security firm until Anonymous ripped them out. I read an article (can't find it right now) in which an anonymous guy explained how they completely obliterated HBGary:
* SQL injection to find hash (this is a very basic vulnerability in web software that really SHOULDN'T happen).
* Simple md5 bruteforcing to get password from hash - This means that the password was not safe and/or the hash security was very poor.
* Finding out the admin used the same password in both the site and his email. (Which is a no-no for things this important.)
* Finding tons and tons of things in gmail, including information about other sites he administers. And also tons of confidential documents.
* Social engineering to find an unknown password. This was rather sad. The hacker used the stolen gmail to pretend to be the admin, and asked the other guy for a password that the real admin was supposed to know. The other guy sent the password just like that, without further security through email.
_________________
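The two technical failures in the list above (and in the first post) are a string-built SQL lookup that leaks the hash table, and unsalted MD5 that a precomputed table cracks instantly. The following is an added example, not code from the thread or from HBGary's CMS; the table name, column names and the account "admin"/"password1" are constructed, and the hardened form swaps in a parameterised query plus salted PBKDF2 as a stand-in for whatever a proper fix would have used.

```python
import hashlib
import hmac
import os
import sqlite3

def make_db():
    """Constructed in-memory users table: one account, unsalted MD5 hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, md5_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", hashlib.md5(b"password1").hexdigest()))
    return db

def lookup_unsafe(db, name):
    """'Before': the quote in the input closes the string and becomes SQL."""
    sql = "SELECT md5_hash FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, name):
    """'After': bound parameter, so the same input is matched as a literal name."""
    rows = db.execute("SELECT md5_hash FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# Constructed stand-in for a rainbow table: MD5 of a few common passwords,
# computed once and reused against every leaked hash.
COMMON = ["123456", "password", "password1", "letmein"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON}

def crack_unsalted_md5(hex_hash):
    """Unsalted MD5 of a common password is a dictionary lookup, not brute force."""
    return MD5_TABLE.get(hex_hash)

ROUNDS = 200_000  # assumed work factor; tune to the deployment

def hash_password(password, salt=None):
    """Per-user random salt + iterated PBKDF2-HMAC-SHA256, stored as salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    """Recompute with the stored salt; constant-time compare of the digests."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)
```

With a random salt, two users with the same password get different stored values, so a table precomputed over common passwords matches nothing; the per-hash cost of ROUNDS iterations is what then slows a targeted guess.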
* SQL injection to find hash (this is a very basic vulnerability in web software that really SHOULDN'T happen).
* Simple md5 bruteforcing to get password from hash - This means that the password was not safe and/or the hash security was very poor.
* Finding out the admin used the same password in both the site and his email. (Which is a no-no for things this important.)
* Finding tons and tons of things in gmail, including information about other sites he administers. And also tons of confidential documents.
* Social engineering to find an unknown password. This was rather sad. The hacker used the stolen gmail to pretend to be the admin, and asked the other guy for a password that the real admin was supposed to know. The other guy sent the password just like that, without further security through email.
I'm guessing this is the article you speak of, just had a read of it myself.
Basic textbook errors, really. It's ridiculous.
"Man usually avoids attributing cleverness to somebody else unless it is an enemy." - Albert Einstein
The WBC really does get on my nerves.
_________________
Life is real ! Life is earnest!
And the grave is not its goal ;
Dust thou art, to dust returnest,
Was not spoken of the soul.
This is pretty sweet revenge lol. WBC was definitely asking for it. It was probably just a big stunt for media attention, and now they totally embarrassed themselves in front of the whole world LOL. Even as a Christian, I really don't like the way WBC treats other people. Many of my friends are GLBT, but I'm definitely not going to protest their funerals, nor would I ever protest the funeral of any military service member. I wonder if anyone has ever protested a funeral of a WBC member? They would probably go on a media rampage and act like the victim of some kind of heinous crime. It really annoys me when people have that kind of a double standard.
_________________
I'm 24 years old and live in WA State. I was diagnosed with Asperger's at 9. I received a BS in Psychology in 2011 and I intend to help people with Autistic Spectrum Disorders, either through research, application, or both. On the "Pursuit of Aspieness".
If Hell is real, the WBC is going to burn there. Christianity shouldn't be about hate and ignorance, and picketing funerals. Most Baptist organizations, afaik, denounce the WBC.
_________________
Opportunities multiply as they are seized. -Sun Tzu
Nature creates few men brave, industry and training makes many -Machiavelli
You can safely assume that you've created God in your own image when it turns out that God hates all the same people you do
Anonymous? Yeah....they're gonna piss off the wrong person eventually and get slammed hard but you gotta appreciate the good they're doing in the meantime.
_________________
Wherever they burn books they will also, in the end, burn human beings. ~Heinrich Heine, Almansor, 1823
"I wouldn't recommend sex, drugs or insanity for everyone, but they've always worked for me." - Hunter S. Thompson
Anonymous? Yeah....they're gonna piss off the wrong person eventually and get slammed hard but you gotta appreciate the good they're doing in the meantime.
They also already got a bounty on their heads. The HBGary guy thinking he had their heads is just one of many security experts that would love to become the man who beat Anonymous now that anon are receiving so much publicity. Actually, after wikileaks a lot of their infrastructure went down.
_________________