Anonymous rapes "security" firm investigating them for WikiLeaks related DDoSing

Dr. Zaus

Lifer
Oct 16, 2008
11,764
347
126
The way I see it, Anonymous is trying to defame and ruin the reputation of a "security" company. It's a much higher profile compromise if personal data is stolen and released than if the website was 'hacked'.

HBGary is very, very stupid for having ANY security holes and then antagonizing a hacker group. That's like stealing honeycomb and then just standing next to the hive. The bees are going to sting you.
Hubris.

You can be as technically proficient as you want, but when you call in pretending to be the big-boss (or his daughter) you can get all sorts of things done :).
 

Vette73

Lifer
Jul 5, 2000
21,503
9
0
The way they got that root pw is insane. That admin needs to be fired on the spot.


Even a small company should never reset a pw based simply on an email.


Really, then how so? You want a phone call?

If sites set up some super tricky way to get a password reset, there'd be a lot of wasted time and pissed off former customers.
 

apac

Diamond Member
Apr 12, 2003
6,212
0
71
Hubris.

You can be as technically proficient as you want, but when you call in pretending to be the big-boss (or his daughter) you can get all sorts of things done :).

2 root causes to this problem:

1. Compromised email server. Anything external needs to be locked down. This is basic, basic network security.
2. Really terrible admin. An email like that should be highly suspect.

Would you want to hire a company that had both of these internal problems? I understand that they are probably still a decent company, but bad press is bad press.

I think Anon proved their point quite well.
 

bignateyk

Lifer
Apr 22, 2002
11,288
7
0
Really, then how so? You want a phone call?

If sites set up some super tricky way to get a password reset, there'd be a lot of wasted time and pissed off former customers.

Usually you at least have to answer a security question before having a password reset.
 

Vette73

Lifer
Jul 5, 2000
21,503
9
0
Usually you at least have to answer a security question before having a password reset.


Yeah, but as pointed out, let alone the S. Palin reset, most questions are easy to get.

Fav car, mother's name, pet, high school, etc....

I use basic questions but give fake answers. One was "where were you born"; I had Russia as the answer. Another was mom's name; I put Timmy. But most use REAL answers that are easy to find.
 

Phokus

Lifer
Nov 20, 1999
22,994
779
126
The way I see it, Anonymous is trying to defame and ruin the reputation of a "security" company. It's a much higher profile compromise if personal data is stolen and released than if the website was 'hacked'.

HBGary is very, very stupid for having ANY security holes and then antagonizing a hacker group. That's like stealing honeycomb and then just standing next to the hive. The bees are going to sting you.

It just blows me away that anyone would try to fuck with anonymous. You would think that a security firm, of all organizations, would know not to do this. I mean, even if you do get a few members arrested, all that happens is another 10 take their place. It's a total decentralized 'organization'.
 

Dr. Zaus

Lifer
Oct 16, 2008
11,764
347
126
2 root causes to this problem:

1. Compromised email server. Anything external needs to be locked down. This is basic, basic network security.
2. Really terrible admin. An email like that should be highly suspect.

Would you want to hire a company that had both of these internal problems? I understand that they are probably still a decent company, but bad press is bad press.

I think Anon proved their point quite well.

The point being "don't f with Anon", which makes sense... because I am as much Anon as anyone else.
 

IceBergSLiM

Lifer
Jul 11, 2000
29,932
3
81
IMO, they should have just left it at hacking into the website and posting a message. Everything else was juvenile and criminal. They could easily have proven their claim to hacking the company emails by posting just a select few.

This activity was not even debatably for the public good. It was just plain malicious and is a smack in the face to the "ethical" hackers.

u mad? :sneaky:
 

iGas

Diamond Member
Feb 7, 2009
6,240
1
0
Really, then how so? You want a phone call?

If sites set up some super tricky way to get a password reset, there'd be a lot of wasted time and pissed off former customers.

I worked in security a decade ago, and our policy was to change all admin PWs monthly as well as the root password (the root password could only be changed at the server terminal in the server room).

All client PW requests are to be handled by phone, and it is on the call back.

1. The client emails us for a PW change request.
2. We email back to confirm and set up a time for the call back.
3. We call them using the name & phone number on our contact list.
4. Give the PW verbally to the admin that we talked to.

And we lay low, because staying anonymous is an additional layer of defense.
 

iGas

Diamond Member
Feb 7, 2009
6,240
1
0
u mad? :sneaky:
What Anon did was not ethical, but IMHO Anon did a great service to society & the security community by letting everyone know where the weakest link is, and saving the taxpayer some money while they were at it.
 

Kadarin

Lifer
Nov 23, 2001
44,296
16
81
So let me get this straight.

1. Douchebag claims he has inside info on hacking group. Possibly threatens to give/sell info to FBI.
2. Hacking group hacks his company email, twitter account, etc.
3. Hacking group finds that douchebag's company has NOTHING that can threaten said group.
4. Hacking group "retaliates" against "NOTHING" by posting personal private information, and company emails.

IMO, they should have just left it at hacking into the website and posting a message. Everything else was juvenile and criminal. They could easily have proven their claim to hacking the company emails by posting just a select few.

This activity was not even debatably for the public good. It was just plain malicious and is a smack in the face to the "ethical" hackers.

You are wrong. Anonymous accomplished real good here by exposing a "security" company that we now know is pretty much worthless.
 

Vette73

Lifer
Jul 5, 2000
21,503
9
0
I worked in security a decade ago, and our policy was to change all admin PWs monthly as well as the root password (the root password could only be changed at the server terminal in the server room).

All client PW requests are to be handled by phone, and it is on the call back.

1. The client emails us for a PW change request.
2. We email back to confirm and set up a time for the call back.
3. We call them using the name & phone number on our contact list.
4. Give the PW verbally to the admin that we talked to.

And we lay low, because staying anonymous is an additional layer of defense.


Oh hi, I moved and did not update my contact, my new number is... so when can I get my PW? ;)

There is ALWAYS the human part that fails. I can't remember his name, a very famous hacker, who got the original cell phone plans just by asking over the phone.

I work for the Fed Gov and they did a test where they called people and said "this is IT, give me your login and password, we have problems..." and it worked quite a bit.
 

Matthiasa

Diamond Member
May 4, 2009
5,755
23
81
Yeah, but as pointed out, let alone the S. Palin reset, most questions are easy to get.

Fav car, mother's name, pet, high school, etc....

I use basic questions but give fake answers. One was "where were you born"; I had Russia as the answer. Another was mom's name; I put Timmy. But most use REAL answers that are easy to find.

The security question's answer should be at least as long as the real password, or you just rendered even the most complex password useless...

It's like, yeah, sure, you got a 20+ char long password, but the security question's answer is only 5-8... yeah, not an issue with that or anything. :eek:
 

BudAshes

Lifer
Jul 20, 2003
13,990
3,346
146
All hackers/malicious fucks should burn in a raging fire in hell.

Pretty stupid of the guy from HBGary Federal to go public against Anonymous though, when they CLEARLY were not prepared for it.

There's a chance they wanted them to do stuff like this so that they could bring up bigger and better charges.
 

iGas

Diamond Member
Feb 7, 2009
6,240
1
0
Oh hi, I moved and did not update my contact, my new number is... so when can I get my PW? ;)

There is ALWAYS the human part that fails. I can't remember his name, a very famous hacker, who got the original cell phone plans just by asking over the phone.

I work for the Fed Gov and they did a test where they called people and said "this is IT, give me your login and password, we have problems..." and it worked quite a bit.

Doesn't work, we only accept known work phone numbers. The policy is that we must speak to a person that we have met or have been introduced to verbally in the past before the PW is handed over.

It is still not a bulletproof method, hence the stress on staying anonymous as an additional level of defense.
 
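The call-back policy iGas describes (email request, confirmation, then a call placed only to the number already on the contact list) and the "I moved, my new number is..." exchange that follows it are both about the same control: the verification channel has to come from records the desk already holds, never from the request itself. The sketch below is an added example, not code from anyone in this thread or from HBGary; `ResetDesk`, `Contact`, `ResetRequest`, the state names and the contact-list entries are all constructed for illustration, and the phone numbers and addresses are made up.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    REQUESTED = auto()  # email request received
    CONFIRMED = auto()  # confirmation sent, call back scheduled
    RELEASED = auto()   # PW given verbally on a call the desk placed
    REJECTED = auto()


@dataclass(frozen=True)
class Contact:
    """Entry on the pre-registered contact list (constructed sample data)."""
    email: str
    name: str
    phone: str


@dataclass
class ResetRequest:
    requester_email: str
    # Anything the requester volunteers ("my new number is...") is kept for the
    # audit trail only; it is never used as a verification channel.
    volunteered_phone: str | None = None
    state: State = State.REQUESTED
    audit: list[str] = field(default_factory=list)


class ResetDesk:
    def __init__(self, contacts: list[Contact]):
        self._by_email = {c.email.lower(): c for c in contacts}

    def confirm(self, req: ResetRequest) -> State:
        """Step 2: reply to the request and schedule the call back.
        Only addresses already on the contact list get a confirmation."""
        contact = self._by_email.get(req.requester_email.lower())
        if req.state is not State.REQUESTED or contact is None:
            req.state = State.REJECTED
            req.audit.append("rejected: requester not on contact list")
            return req.state
        req.state = State.CONFIRMED
        req.audit.append(f"confirmation sent to {contact.email}")
        return req.state

    def call_back(self, req: ResetRequest, dialed_number: str, spoke_to: str) -> State:
        """Steps 3-4: the desk dials the number on file and releases the PW only if
        the person reached is the registered contact. Steering the call to any
        other number is refused, whatever the story behind it."""
        if req.state is not State.CONFIRMED:
            req.state = State.REJECTED
            req.audit.append("rejected: call back without a confirmed request")
            return req.state
        contact = self._by_email[req.requester_email.lower()]
        if dialed_number != contact.phone:
            req.state = State.REJECTED
            req.audit.append(f"rejected: dialed {dialed_number}, not the number on file")
            return req.state
        if spoke_to.strip().lower() != contact.name.lower():
            req.state = State.REJECTED
            req.audit.append(f"rejected: reached {spoke_to!r}, not {contact.name!r}")
            return req.state
        req.state = State.RELEASED
        req.audit.append(f"PW released verbally to {contact.name} at {contact.phone}")
        return req.state


def run_scenarios() -> dict[str, State]:
    """Constructed scenarios: a legitimate reset, the 'I moved' attempt, and a
    request from an address that is not on the list."""
    desk = ResetDesk([Contact("admin@example.test", "Pat Admin", "+1-555-0100")])

    legit = ResetRequest("admin@example.test")
    desk.confirm(legit)
    desk.call_back(legit, dialed_number="+1-555-0100", spoke_to="Pat Admin")

    moved = ResetRequest("admin@example.test", volunteered_phone="+1-555-0199")
    desk.confirm(moved)
    # An operator who follows the caller's instructions instead of the list
    # is exactly the failure the policy is meant to catch.
    desk.call_back(moved, dialed_number=moved.volunteered_phone, spoke_to="Pat Admin")

    unknown = ResetRequest("stranger@example.test")
    desk.confirm(unknown)

    return {"legit": legit.state, "moved": moved.state, "unknown": unknown.state}


if __name__ == "__main__":
    for name, state in run_scenarios().items():
        print(f"{name}: {state.name}")
```

The audit list on each request is what a reviewer would look at afterwards: it records the volunteered number and the refusal, so a pattern of "moved, new number" requests against the same account stands out even though none of them succeeded.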

OOBradm

Golden Member
May 21, 2001
1,730
1
76
Oh hi, I moved and did not update my contact, my new number is... so when can I get my PW? ;)

There is ALWAYS the human part that fails. I can't remember his name, a very famous hacker, who got the original cell phone plans just by asking over the phone.

I work for the Fed Gov and they did a test where they called people and said "this is IT, give me your login and password, we have problems..." and it worked quite a bit.

I think you're talking about Kevin Mitnick.

I highly recommend the book "The Art of Deception" if this sort of thing is interesting to you.

http://www.amazon.com/Art-Deception-...7192120&sr=8-1
 

Gooberlx2

Lifer
May 4, 2001
15,381
6
91
How the hell did they wipe his iPad?

Well, they hacked his email, twitter, etc. right? He probably uses the same pw for his mobileme account, and you can remote wipe from there. It's not a big deal if he regularly backs it up on his computer anyway.
 

shortylickens

No Lifer
Jul 15, 2003
80,287
17,081
136
All this will lead to is another round of FBI investigations and arrests, even bigger criminal charges, then more retaliation by Anonymous, and the cycle then repeats yet again. Is this really accomplishing anything useful?

Well I just spent the past 5 minutes laughing my balls off, so yes. There is one good outcome. My balls.
