Defcon: The lesson of Anonymous? Corporate security sucks

LAS VEGAS -- Anonymous has run up quite a score against corporations, governments and law enforcement agencies, but for all these warnings corporate executives are turning their heads from the real problem -- their network security is terrible, a panel of experts concluded at Defcon.

The particularly high-profile attack against security firm HBGary by the hacker collective earlier this year caught the attention of C-level executives for a few weeks, but then they relaxed, says krypt3ia, a panel member, a security blogger and longtime infosec practitioner.

The executives could have redoubled efforts to better defend their networks, but that's not what's happening. Rather than invest in better security, they're looking to hedge the economic impact if they do get hacked, he says.

"It's no coincidence that hack insurance is up," he says. He said he'd heard at the conference that a major corporation laid off security staff and bought hack insurance instead. He wouldn't name the corporation.

In doing so, executives have taken their eye off the main goal, which is protecting corporate intellectual property. By and large the Anonymous hacks and attacks have not scored valuable business intelligence, says Josh Corman, director of security research for Akamai, but it's just a matter of time until they do.

"Your executives are distracted by DDoS attacks, a new noisy thing that distracts us from the actual mission," Corman says.

Meanwhile, the panel had a low assessment of Anonymous, in whose name many high-profile defacements, data thefts and postings of stolen information have been carried out.

"Build a better Anonymous," says Jericho, another panel member and security blogger. Stealing documents and posting them all, with few or none of them revealing wrongdoing, doesn't make a point about why the victim was attacked in the first place, he says.

"Releasing 250,000 documents is cool, but it hurts the cause," he says. "It's noise."

Krypt3ia says stealing and posting information from random police agencies in response to police in the United Kingdom arresting a teenager purported to be a key member of Anonymous spinoff LulzSec is irresponsible.

He cited the case of data about Phoenix police being posted in protest of the Arizona immigration laws they enforce. "Cops are bound to carry out the laws," he says. Protests about the laws should be aimed at the legislators who create them, he says, but releasing personal information about police and other law-enforcement workers is reckless. "There could be people in danger now," he says.

Corman says that Anonymous was by design decentralized, but that loose structure has enabled just about anyone to carry out attacks and attribute them to Anonymous. In some cases -- like the assistance groups using the name Anonymous gave to support uprisings in the Middle East -- the actions may coincide with what the group's founders intended.

But a change has occurred and now Anonymous attacks have less clear motivations, Corman says. "It's a franchise. Some people took the name and did Arab Spring and used it locally," he says. "Then it was hijacked by smaller groups and now it's become something of a public nuisance."

Krypt3ia gives them less credit. "I think they just wanted to smash things, and if they get caught, we say, 'We believe this ...'" he says. "You want to out people for doing bad things, do it right. ... Stop taking down stuff that's unimportant."

He says Anonymous should do its homework better and use other methods than network attacks and infiltration. "Learn your target," he says. "Know what they're doing. The only real dirt comes from insiders, people in the know who have access to very dirty things."

Tim Greene

Network World
