Hacker News

Not really, they should've tested the site themselves, and there's evidence that this actually happened on the main site but not Federal. Normally a company contracts an external company to do the work for them and either asks the external company to independently check the security of the output or organises it themselves. In the case of Federal it may have been the case that neither happened.

> If they were selling hand-made baskets, nobody would blame them, but they sell "security" and charge big bucks for it, so they deserve the ridicule.

I disagree. Anonymous were a highly motivated, persistent attacker. It doesn't matter whether or not there was SQL injection involved; they'd just keep on going until they got in regardless. If there wasn't a SQL injection bug there'd be something else. Tptacek's company has been hacked into. Our website got hacked into years ago (through having shared hosting: someone else had a SQL injection bug on the same box and the hackers defaced every site on the box. The difference is that we did a risk analysis beforehand and decided never to store sensitive data there nor use the same credentials for that account anywhere else). Given a long enough timeline, everyone gets hacked. While the SQL injection bug was the way in, the real schoolboy error was Aaron Barr using a weak shared password for Google Apps admin.
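Since the thread keeps coming back to "the SQL injection bug was the way in", here is an added example (not code from the thread, HBGary, or any real site) showing the difference between a login query built by string formatting and the same query with bound parameters. The table, the two accounts and the payloads are constructed for the demonstration; the vulnerable function is deliberately written the way the bug is usually introduced.

```python
import sqlite3

# Constructed sample accounts, not from any real system.
USERS = [("admin", "correct-horse-battery-staple"), ("alice", "hunter2")]


def make_db():
    """Build an in-memory SQLite database with a toy users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Attacker-controlled text is spliced into the SQL string.

    A username such as  admin' --  turns the rest of the WHERE clause
    into a comment, so the password check never runs.
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters.

    The driver sends the SQL text and the values separately, so quotes
    and comment markers in the input are just characters to compare.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both login functions against a legitimate and an injected input."""
    conn = make_db()
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "hunter2"),
        # comment out the password check: logs in as admin with any password
        "vuln_injected": login_vulnerable(conn, "admin' -- ", "x"),
        # tautology in the password field: matches every row
        "vuln_tautology": login_vulnerable(conn, "", "' OR '1'='1"),
        "safe_legit": login_safe(conn, "alice", "hunter2"),
        "safe_injected": login_safe(conn, "admin' -- ", "x"),
        "safe_tautology": login_safe(conn, "", "' OR '1'='1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-15s -> %r" % (name, result))
```

Note that fixing the query only closes the way in. It does nothing about the second failure the comment describes: if the same password also unlocks the mail admin console, any other foothold (a neighbour on shared hosting, a phished credential) leads to the same outcome, which is why the risk analysis about what to store and which credentials to reuse matters more than any single bug.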



> the real schoolboy error was Aaron Barr using a weak shared password for Google Apps admin.

I've been reading through some of this HBGary stuff, and I have come to the conclusion that Aaron Barr is kinda a dipshit.

Read the email analysis at http://www.wired.com/threatlevel/2011/02/spy/ and it's filled with Aaron Barr "hacking" into people's Facebook accounts and then posting pictures of their kids as if he made some awesome discovery.


> someone else had a SQL injection bug on the same box and the hackers defaced every site on the box. The difference is that we did a risk analysis beforehand and decided never to store sensitive data there nor use the same credentials for that account anywhere else

And that's precisely the difference everyone should look for when hiring a security company.



