
> the story says hbgary hired an outside company to make this cms for them, which may explain the crappy security on that particular system.

Doesn't that make them look even more amateurish and incompetent? They chose an insecure content management system and, most importantly, they didn't isolate it enough. So penetrating that resulted in a complete penetration of their site.

If they were selling hand-made baskets, nobody would blame them, but they sell "security" and charge big bucks for it, so they deserve the ridicule.

It is an interesting perspective I guess on selling "security", both as a service and a product. One can charge lots of money, but unless there is a serious attack and penetration, it is hard to know what the quality of their security product is. Of course once the penetration happened, there is at best pity and at worst ridicule and blame.




Not really, they should've tested the site themselves and there's evidence that this actually happened on the main site but not federal. Normally a company contracts an external company to do the work for them and either asks the external company to independently check the security of the output or organises it themselves. In the case of federal it may have been the case that neither happened.

> If they were selling hand-made baskets, nobody would blame them, but they sell "security" and charge big bucks for it, so they deserve the ridicule.

I disagree. Anonymous were a highly motivated persistent attacker. It doesn't matter whether or not there was SQL injection involved, they'd just keep on going until they get in regardless. If there wasn't a SQL injection bug there'd be something else. Tptacek's company has been hacked into, our website got hacked into years ago (through having shared hosting - someone else had a SQL injection bug on the same box and the hackers defaced every site on the box. The difference is that we did a risk analysis beforehand and decided never to store sensitive data there nor use the same credentials for that account anywhere else). Given a long enough timeline, everyone gets hacked. While the SQL injection bug was the way in, the real schoolboy error was Aaron Barr using a weak shared password for Google Apps admin.


> the real schoolboy error was Aaron Barr using a weak shared password for Google Apps admin.

I've been reading through some of this HBGary stuff, and I have come to the conclusion that Aaron Barr is kinda a dipshit.

Read the email analysis at http://www.wired.com/threatlevel/2011/02/spy/ and it's filled with Aaron Barr "hacking" into people's Facebook accounts and then posting pictures of their kids as if he made some awesome discovery.


> someone else had a SQL injection bug on the same box and the hackers defaced every site on the box. The difference is that we did a risk analysis beforehand and decided to never to store sensitive data there nor use the same credentials for that account anywhere else

And that's precisely the difference everyone should look for when hiring a security company.


> Doesn't that make them look even more amateurish and incompetent? They chose an insecure content management system and, most importantly, they didn't isolate it enough.

No more than Google choosing a Linux kernel with a privilege escalation bug for Android, anyone using OS X in 2009 while a remote JDK bug sat open for 6 months, anyone using Windows+IE in Dec '10 or Jan '11.

Unless you can explain how to only buy software that will never have any vulnerabilities.


I understand the saying "the cobbler's children go barefoot;" if a security consulting company spent the man-hours to make sure their own systems were perfectly secure, they'd never have the spare time to bill any to their clients. Still, when making a trade-off between practicality and security, a security company should keep in mind the possible PR consequences.

This wasn't quite like Google choosing a linux kernel with a priv escalation bug or Apple leaving the JDK unpatched for 6 months. This was more like Google missing a great acquisition opportunity because they couldn't find the relevant documents on their internal fileserver, or Apple's website only rendering correctly in IE 5 because that's what they were using to test it.


Umm, if you're supposed to be a security guy, you shouldn't use IE+Windows, especially if there are publicly known vulnerabilities. You should also reconsider the use of OS X, and at least be able to follow instructions on how to disable the JDK. Etc.


Just means they've never had experience being attacked before. Always offense, never defense. In their minds, they never considered someone would have a reason to go after THEM.

They specialize in thinking up new ways to attack OTHERS, using OTHER peoples' tools. It's a huge problem in DC. A bunch of people telling other people what to do, with little idea or experience how to do it themselves.



