Phokus
Lifer
- Nov 20, 1999
- 22,994
- 779
- 126
Why? Anonymous has been a thorn at the side of the Church of Scientology and now they're supporting wikileaks. Yeah, they do 'black hat' hacking, but they do it for a good cause.
Why? Anonymous has been a thorn at the side of the Church of Scientology and now they're supporting wikileaks. Yeah, they do 'black hat' hacking, but they do it for a good cause.
can any amount of security and preparation really guard against simple human error, though, like giving out an unencrypted password over email (and especially without making sure the person on the other end is who they say they are)
Homerboy
Lifer
- Mar 1, 2000
- 30,890
- 5,001
- 126
Step #1 is firing the admin that opened the port in the exchanged emails. He should be gone and never find security employment again.
lxskllr
No Lifer
- Nov 30, 2004
- 60,083
- 10,559
- 126
Homerboy
Lifer
- Mar 1, 2000
- 30,890
- 5,001
- 126
Exactly. It probably started off as a joke "Just email and ask them to change the password"... "That's not going to work, who'd be dumb enough!??"... "Just try!"...."DERP!!!!!!!!!!!!!!!!!"
Though, any security training, instruction etc that you get, they ALWAYS point out that the weakest link is the operator. That through even a little "social networking" or whatever you want to call it, any security can be breeched.
I work for a hosting company... I'm trying to think of what we'd do if a client submitted a ticket asking us to reset his server's password and open a port on his firewall, and I can't say that we wouldn't not do it. (of course, I don't work in either department that would handle that, so they may/probably have security measures that I'm unaware of)
obviously they'd need the password for their account portal to generate the ticket and we'd send the server password to them in an encrypted form, but if they hacked into the account's primary email address, they could go through the old "I forgot my password" password reset thing that every single website everywhere has.
ViviTheMage
Lifer
We could go on and on all day about security, but if all anonymous needed was the root password ... they were definitely not prepared.
Hackers like this had to start somewhere, and I can guarantee you they don't, just do hacking for a 'good' cause.
Phokus
Lifer
- Nov 20, 1999
- 22,994
- 779
- 126
Why wouldn't you do something like have secret questions to recover the PW, like most websites do?
"What was the make of your first car?"
"Ford"
I mean, ok you probably want a more secure question as it might be possible to find something out like that through public records, but still...
Phokus
Lifer
- Nov 20, 1999
- 22,994
- 779
- 126
There are hackers that hack just for the sake of hacking, but Anonymous seems to be more about social activism. And yes, i think their causes are generally good.
Homerboy
Lifer
- Mar 1, 2000
- 30,890
- 5,001
- 126
ViviTheMage
Lifer
What about a system that pipes in emails, as long as they look like they come FROM the client? Every system i've worked with does this...another loophole
.I am all for ethical hacking, but we got burned a few months ago, so I am still bitter against them all.
we may. I don't have a client login and my personal password can only be reset by an admin, so I've never actually seen what happens if a client has to go through the forgotten password bit.
Phokus
Lifer
- Nov 20, 1999
- 22,994
- 779
- 126
What about a system that pipes in emails, as long as they look like they come FROM the client? Every system i've worked with does this...another loophole
I am all for ethical hacking, but we got burned a few months ago, so I am still bitter against them all.
How did you get burned? Anyway, ethical hacking means you hack based on the consent of the person/organization you're hacking. Anonymous does black hat hacking, but usually for good causes.
SpatiallyAware
Lifer
- Sep 7, 2009
- 12,960
- 3
- 0
They way they got that root pw is insane. That admin needs fired on the spot.
Even a small company should never reset a pw based simply on an email.
Even a small company should never reset a pw based simply on an email.
AnonymouseUser
Diamond Member
- May 14, 2003
- 9,943
- 107
- 106
preslove
Lifer
- Sep 10, 2003
- 16,754
- 64
- 91
ViviTheMage
Lifer
We had to block all of South America for a few days ... we had some open holes apparently.
The hacker was demanding we give him free servers (he was emailing us), or he'd continue his malicious activities ... we eventually blocked him entirely...but he was very persistent.
My cisco guy actually traced down his home IP, and got him kicked off his local ISP in brazil, I was fucking surprised that they did that for us. :thumbsup:
tidbits from it :
- He was using @london.com - informed me he took over their mail server and was using it for his maliciousness
- He was also using MIT, Yale, Harvard, high end school servers for his maliciousness (ip sources he was coming from trailed through all of these school servers...all *nix servers)...also had some local brazil government servers.
- He was using our cisco switches to get in, and actually got in through our VPN router at one point
I could go into a lot more detail, but that's the run down.
Phokus
Lifer
- Nov 20, 1999
- 22,994
- 779
- 126
Holy pwnage this is what anonymous claimed to have done... how the hell did they wipe his ipad?
http://www.guardian.co.uk/technology/2011/feb/07/anonymous-attacks-us-security-company-hbgary
http://www.guardian.co.uk/technology/2011/feb/07/anonymous-attacks-us-security-company-hbgary
http://www.guardian.co.uk/technology/2011/feb/07/anonymous-attacks-us-security-company-hbgary
http://www.guardian.co.uk/technology/2011/feb/07/anonymous-attacks-us-security-company-hbgary
So let me get this straight.
1. Douchebag claims he has inside info on hacking group. Possibly threatens to give/sell info to FBI.
2. Hacking group hacks his company email, twitter account, etc.
3. Hacking group finds that douchebag's company has NOTHING that can threaten said group.
4. Hacking group "retaliates" against "NOTHING" by posting personal private information, and company emails.
IMO, they should have just left it at hacking into the website and posting a message. Everything else was juvenile and criminal. They could easily have proven their claim to hacking the company emails by posting a just a select few.
This activity was not even debatably for the public good. It was just plain malicious and is a smack in the face to the "ethical" hackers.
1. Douchebag claims he has inside info on hacking group. Possibly threatens to give/sell info to FBI.
2. Hacking group hacks his company email, twitter account, etc.
3. Hacking group finds that douchebag's company has NOTHING that can threaten said group.
4. Hacking group "retaliates" against "NOTHING" by posting personal private information, and company emails.
IMO, they should have just left it at hacking into the website and posting a message. Everything else was juvenile and criminal. They could easily have proven their claim to hacking the company emails by posting a just a select few.
This activity was not even debatably for the public good. It was just plain malicious and is a smack in the face to the "ethical" hackers.
The way I see it, Anonymous is trying to defame and ruin the reputation of a "security" company. It's a much higher profile compromise if personal data is stolen and released than if the website was 'hacked'.
HBGary is very, very stupid for having ANY security holes and then antagonizing a hacker group. That's like stealing honeycomb and then just standing next to the hive. The bees are going to sting you.
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 25K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes + WCL Discussion Threads
- Started by Tigerick
- Replies: 23K
-
Discussion Intel current and future Lakes & Rapids thread- Started by TheF34RChannel
- Replies: 23K
-
-
News NVIDIA and Intel to Develop AI Infrastructure and Personal Computing Products- Started by poke01
- Replies: 411
Facebook
Twitter