February 17, 2011, 1:50 PM — The hacktivist group Anonymous used a series of simple technical and social exploits to crack the network of security-technology firm HBGary Federal, giving the company a schooling that other network security pros can learn from.
The overriding lesson: Meticulously follow the basic best-practices of corporate defense. But there are more detailed takeaways for those who are willing to learn from HBGary Federal's mistakes. (For a detailed account of just how Anonymous cracked HBGary Federal, check out this thorough Ars Technica story.)
HBGary Federal ran afoul of Anonymous when CEO Aaron Barr said he planned to name members of the secretive international group that famously came to the defense of WikiLeaks. Anonymous had DDoSed businesses that tried to take down WikiLeaks sites exposing U.S. State Department diplomatic cables.
Here are seven lessons to learn:
1. Don't assume what type of attack you will suffer. Barr thought Anonymous would only launch a DDoS attack against the company's Web site, just as it had against others. That turned out not to be the case.
2. Use a tried and tested content management system that comes with updates, patches and support. HBGary used a custom CMS for its Web site that was susceptible to SQL injection, which let Anonymous pull data straight out of HBGary's database. A supported product is only safer if those patches are actually applied.
3. Salt and stretch the password hashes stored in databases. HBGary did hash its passwords, but it did not salt them (mix a random per-user value into the input before hashing, so that identical passwords produce different hashes and precomputed tables are useless) and it did not iterate the hash many times to make each guess expensive. Salted, iterated hashes are still susceptible to brute-force attacks, but every guess costs far more and the work cannot be shared across users, so cracking would have taken a lot longer to succeed.
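Lessons 2 and 3 side by side, as an added example that is not part of the article and not HBGary's own code: a string-built query next to its parameterized form, and an unsalted single-pass hash next to a salted, iterated one, with a small cracking routine that counts the work an attacker must do against each. The table layout, function names, sample users, wordlist and the choice of SHA-256 for the weak hash are assumptions (the article does not name the algorithm HBGary used); the iteration count is kept modest so the example runs quickly.

```python
"""Added example (not HBGary's code): SQL injection and password storage,
weak form next to hardened form. Table layout, names and sample data are
constructed for illustration."""
import hashlib
import hmac
import os
import sqlite3

# PBKDF2 iterations. Kept low so the example runs in a second or two;
# production deployments should use a much higher count.
PBKDF2_ITERATIONS = 200_000

# Constructed sample data: users, their plaintext passwords, and the
# attacker's wordlist. Note alice and carol share a password.
SAMPLE_PASSWORDS = {"alice": "password123", "bob": "letmein", "carol": "password123"}
WORDLIST = ["password123", "qwerty", "letmein"]


def init_db():
    """In-memory users table standing in for the CMS database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, username):
    """Lesson 2, the bug: user input is concatenated into the SQL text, so
    a value like  x' OR '1'='1  rewrites the WHERE clause."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Lesson 2, the fix: bound parameter; the input is data, never SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def hash_unsalted(password):
    """Lesson 3, the weakness: one fast hash, no salt (SHA-256 assumed here).
    Equal passwords give equal hashes, and one guess checks every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Lesson 3, the fix: random per-user salt plus many iterations (PBKDF2).
    Stored as  salt_hex$digest_hex  so the salt travels with the hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def crack_unsalted(stored_hashes, wordlist):
    """Attacker's view of an unsalted table: hash each guess once, then match
    it against every user. Returns (found, number of hash operations)."""
    lookup = {hash_unsalted(w): w for w in wordlist}
    found = {user: lookup[h] for user, h in stored_hashes.items() if h in lookup}
    return found, len(wordlist)


def crack_salted(stored_records, wordlist):
    """Same wordlist against salted, stretched hashes: every guess must be
    recomputed for every user, and each costs PBKDF2_ITERATIONS operations.
    Returns (found, number of underlying hash operations)."""
    found, calls = {}, 0
    for user, stored in stored_records.items():
        for word in wordlist:
            calls += 1
            if verify_salted(word, stored):
                found[user] = word
                break
    return found, calls * PBKDF2_ITERATIONS


if __name__ == "__main__":
    db = init_db()
    print("injected, vulnerable:", lookup_vulnerable(db, "x' OR '1'='1"))
    print("injected, safe:      ", lookup_safe(db, "x' OR '1'='1"))
    weak = {u: hash_unsalted(p) for u, p in SAMPLE_PASSWORDS.items()}
    strong = {u: hash_salted(p) for u, p in SAMPLE_PASSWORDS.items()}
    print("unsalted cracked:", crack_unsalted(weak, WORDLIST))
    print("salted cracked:  ", crack_salted(strong, WORDLIST))
```

The injected value returns every row from the string-built query and nothing from the parameterized one. On the hashing side, alice and carol have the same unsalted hash, so a three-word list cracks all three accounts in three hash operations; with per-user salts and stretching the same list still finds the weak passwords, but only after five separate PBKDF2 runs, each costing hundreds of thousands of hash operations, and the work done on one user tells the attacker nothing about another.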