Attacks/Breaches
8/31/2011
11:07 AM
50%
50%

14 Enterprise Security Tips From Anonymous Hacker

Former Anonymous member "SparkyBlaze" advises companies on how to avoid massive data breaches.

Want to avoid large-scale data breaches of the type served up by hacking group Anonymous, and its LulzSec and AntiSec offshoots? Start by paying attention to the security basics, including hiring good people and training employees to be security-savvy.

"Information security is a mess. ... Companies don't want to spend the time/money on computer security because they don't think it matters," said ex-Anonymous hacker "SparkyBlaze," in an exclusive interview with Cisco's Jason Lackey, published on Cisco's website Tuesday.

Accordingly, what's the best way for businesses to improve the effectiveness of their information security efforts? SparkyBlaze offered 14 tips, ranging from using "defense-in-depth" and "a strict information security policy"; regularly contracting with an outside firm to audit corporate security; and hiring system administrators "who understand security." Also encrypt data--"something like AE-256," he said--and "keep an eye on what information you are letting out into the public domain."

Other best practices: use an intrusion prevention system or intrustion detection system to detect unusual network activity. Employ "good physical security" too, he said, to ensure no one routes around your information security measures by simply walking through the front door. Finally, pay attention to employees' security habits and keep them briefed on the threat of social engineering attacks, since all it takes is one person opening a malicious attachment to trigger a data breach of RSA-scale proportions.

While SparkyBlaze's back-to-basics guidance isn't new, it bears repeating given the number of data breaches and releases executed by hacktivist groups in recent months. According to security experts, these attacks aren't necessarily highly sophisticated, and most don't make use of so-called advanced persistent threats. Rather, attackers often exploit common vulnerabilities or misconfigurations in Web applications, just as they've done for years.

SparkyBlaze defected from Anonymous earlier this month, saying via a Pastebin post that he was "fed up with Anon putting people's data online and then claiming to be the big heroes." As that suggests, there's no clear and easy definition of what constitutes "hacktivism." Even so, the "scope creep" in the type of data collected and released by Anonymous and its offshoots is evidently turning some people away from the collective.

"I love hacking and I believe in free speech and anti-censorship, so putting both together was easy for me. I feel that it is ok if you are attacking the governments. Getting files and giving them to WikiLeaks, that sort of thing, that does hurt governments," said SparkyBlaze to Cisco's Lackey.

But in his Pastebin post, SparkyBlaze said that AntiSec and LulzSec had increasingly been operating against the supposed mission statement of Anonymous, which was ostensibly formed to keep governments accountable. "AntiSec has released gig after gig of innocent people's information. For what? What did they do? Does Anon have the right to remove the anonymity of innocent people? They are always talking about people's right to remain anonymous so why are they removing that right?"

On a related note, the raison d'etre of Anonymous--WikiLeaks--appears to have lately suffered its own data breach, or at least loss of data control. On Monday, German weekly news magazine Der Spiegel reported that a file posted by WikiLeaks supporters to the Internet included concealed, password-protected, and unexpurgated versions of the 251,000 U.S. State Department cables that WikiLeaks released--with many sources omitted--in November 2010.

Through a somewhat circuitous sequence of events, possibly involving personnel disagreements inside WikiLeaks, the existence of a 1.73-GB "cables.csv" file, which contains the uncensored cables and which is protected by a password, became publicly known. Furthermore, thanks to an "external contact" of WikiLeaks, according to Der Spiegel, the password was also publicly disclosed, enabling the file to be unlocked.

But in a statement on Twitter, WikiLeaks disputed responsibility for the leak: "There has been no 'leak at WikiLeaks'. The issue relates to a mainstream media partner and a malicious individual." WikiLeaks, however, didn't name either.

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Tell the sysadmin that we have a situation.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.