In case you have not yet read about the HBGary hack and email leak, I strongly suggest reading one of the many articles or blog posts published on the subject since the incident in early February. It serves as a strong cautionary tale about what can transpire when security firms fail to secure their own networks appropriately. Even if your company does not deal in security matters, there is certainly a great deal to be learned about how you can properly protect a website as well as a network from similar malicious hacks. Let’s go through the critical points of failure from this example step by step.
Do not slack on website security
The initial target for the hacker group was the HBGary Federal corporate site, where they were able to make use of a basic SQL injection to gain access to the website database. This gave them access to usernames, emails and “hashed” passwords (passwords run through a one-way hash function so that the originals are not stored directly). This might have been prevented either by employing a solid, up-to-date commercial content management system or by checking the custom CMS for SQL injection holes. This sort of exploit is frequently used in the hacker community and takes barely any talent to implement; as a result, each and every security expert needs to be aware of it.
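An added example, not code from the original post or from HBGary's site, of what a reviewer checking a custom CMS for SQL injection holes is looking for: a user lookup that splices input into the SQL text, beside the parameterized form that binds it as data. The table, column names and sample rows are constructed for the demo.

```python
import sqlite3


def build_db():
    # Constructed sample data: an in-memory users table standing in for the CMS
    # database, with one account and a placeholder password hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('editor', 'placeholder_hash')")
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    # Vulnerable pattern: the caller-supplied value is formatted straight into
    # the SQL string, so a quote character in the input changes the structure
    # of the query instead of being compared as a plain value. Flag any query
    # built with %, + or f-strings from request data during a code review.
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn, username):
    # Hardened pattern: a parameterized query. The SQL text is fixed and the
    # driver binds the value separately, so the input can only ever be matched
    # as a literal username, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = build_db()
    # A legitimate lookup behaves the same either way.
    print(lookup_user_vulnerable(db, "editor"), lookup_user_safe(db, "editor"))
    # Input containing a quote: the vulnerable query leaks the account, the
    # parameterized one simply finds no user with that literal name.
    probe = "nobody' OR '1'='1"
    print(lookup_user_vulnerable(db, probe), lookup_user_safe(db, probe))
```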
Create complicated passwords
Although all of the passwords had been hashed in the database, there are common tools available to help hackers work out the actual passwords from the hashed data. These tools pre-compute the hashes of thousands upon thousands of prospective passwords and store them so that a given hash can be looked up directly. There are, of course, limitations to what these tools can do. For practical reasons they can only store information for a limited subset of possible passwords, for instance just passwords of one to eight characters made up of lower case letters and numbers, or just passwords of one to twelve characters in caps lock. Two people at HBGary (the CEO and COO) chose passwords that were only eight characters long, with six lower case letters and two numbers, making them vulnerable to this particular attack. Using complex passwords with a combination of upper and lower case letters, numbers, and characters such as & and % more or less removes the danger of these kinds of tools being used to figure out a password.
Choose unique passwords
Obtaining user passwords for editing a corporate site is undesirable, but not life-ending for a security business. Unfortunately for HBGary, both of those uncovered passwords were reused in several places, such as social networking sites and email administration. It can be awfully tempting to reuse passwords – especially difficult ones – but the fact is that password reuse has turned out to be one of the most commonplace security issues today. If you use the same password for your email as for a low-profile news site, and that site’s database is compromised, it could be possible for people to use that password to gain access to your email and possibly much more.
Keep computer software up-to-date
A lot of the security issues with these websites could have been solved with appropriate security updates. Whenever security holes are found in programs, developers work to close them and then send out updates to deal with the issue. Users who apply these patches as they are released are significantly less likely to have their systems broken into, simply because would-be attackers have a much shorter window of opportunity to act on a vulnerability.
Odds are fairly good that if you have ever studied effective security procedures, you already knew most of this. When even security corporations fail to adhere to this elementary advice, though, it may be worth double-checking your own security for potential flaws.
I work at an IT support company helping small businesses with their IT outsourcing. I love keeping up with the latest news and sharing what I know with my clients to keep their networks safe.