Seven ways to avoid getting hacked by Anonymous

The hactivist group Anonymous used a series of simple technical and social exploits to crack the network of security-technology firm HBGary Federal, giving the company a schooling that other network security pros can learn from.

The overriding lesson: Meticulously follow the basic best-practices of corporate defense. But there are more detailed takeaways for those who are willing to learn from HBGary Federal's mistakes. (For a detailed account of just how Anonymous cracked HBGary Federal, check out this thorough Ars Technica story.)

THE LATEST SECURITY PICTURES: Hot products from RSA 2011

HBGary Federal ran afoul of Anonymous when CEO Aaron Barr said he planned to name members of the secretive international group that famously came to the defense of WikiLeaks. Anonymous DDoSed businesses that tried to take down WikiLeaks sites that expose U.S. State Department diplomatic cables.

HBGary Federal suffered the public posting of tens of thousands of its e-mails and the defacing of its Web site and Barr's Twitter page, as well as a black eye to its reputation as a security firm.

Here are seven lessons to learn:

1. Don't assume what type of attack you will suffer. Barr thought Anonymous would only launch a DDoS attack against the company's Web site, just as it had against others. That turned out not to be the case.

2. Use a tried and tested content management system that comes with updates, patches and support. HBGary used a custom CMS for its Web site that was susceptible to SQL injection attacks that led to Anonymous accessing data in HBGary's database.

3. Thoroughly hash and rehash passwords stored in databases. HBGary did hash its passwords, but didn't add extra characters that have to be removed to reveal the actual password. Nor did it rehash the hashed passwords to add layers of complexity to brute forcing the passwords out of the hash. The passwords would still have been susceptible to brute-force attacks, but it would have taken a lot longer to succeed.

4. Use strong passwords. Long passwords that use the full range of characters represented on computer keyboards are much harder to break because they rule out the use of rainbow tables -- lists of hashes and the passwords they represent. If passwords are composed of long strings of characters and the characters are drawn from all the characters on the computer keyboard (not just letters and numbers), hashes of the passwords become so complex that it isn't practical to create rainbow tables for them. Two key HBGary Federal executives used simple eight-character passwords -- two numbers and six letters. Rainbow tables worked on them.

5. Don't reuse passwords. Some HBGary executives used the same passwords for access to the company's CRM system as they did for its Google Apps e-mail, as they did for Twitter, as they did for SSH authentication to company storage servers. One of the cracked passwords was for the company's e-mail administrator's Google account, which led to all the company's e-mails being hacked.

6. Keep current with patches. Key HBGary servers had a known privilege-elevation flaws for which patches existed. Anonymous exploited the vulnerabilities.

7. Heighten user awareness of social engineering. Anonymous sent e-mails from the hacked account of HBGary founder Greg Hoglund to a network administrator requesting key information as if Hoglund himself were asking. In response, the admin opened firewall ports and gave up Hoglund's user name and password for root access to the servers supporting the company's rootkit.com Web site.

Read more about wide area network in Network World's Wide Area Network section.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags AnonymousHBGary Federalsecurity

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?