Those Who Fail to Learn the Lessons of History

Aaron Poffenberger

The GawkerMedia Security Mess in December is looking to be a faint and forgotten memory. A security consulting company by the name of HBGary Federal got into cross hairs of Anonymous. If you haven't heard of Anonymous yet that's not a huge surprise. They're a loose coalition of activists, pranksters and apparently skilled hackers who previous to their involvement protesting the treatment of Wikileaks were mostly known (at least to me) for their protests of Scientology and the Iran elections. (I saw Anonymous protesters here in Houston in front of a local Scientology "church". Love those Guy Fawkes masks!)

Anonymous really came to prominence with "Operation Payback". Operation Payback was a series of distributed denial of service (DDOS) attacks against businesses and organizations who had in one way or another for making anti-Wikileaks moves. E.g., when Amazon dropped Wikileaks from their distributed cloud infrastructure and Mastercard dropped a merchant who was accepting donations on behalf of Wikileaks. While the DDOS against Amazon didn't have a huge affect (Amazon a massive infrastructure) they were effective in their efforts to block access to MasterCard.

The CEO of HBGary Federal, Aaron Barr, had the "brilliant" idea that he could use social media and other sources of information to learn private identities of online personas and decided to test his ideas on Anonymous. In an interview with the Financial Times of London claimed he had identified the leaders of Anonymous using his social-media analysis methods. He claimed that if authorities had the information he had put together they could arrest Anonymous leaders. Anonymous were not amused.

The Saturday before the Super Bowl and the day of, Anonymous figuratively kicked down the door to HBGary Federal's online offices, took copies of files and backups, deleted the originals, gained access to HBGary Federal emails (and for sister company HBGary) and posted all of it on the internet. Not a good day for any company, least of all a company specializing in computer security.

Things are not looking good for HBGary Federal, HBGary or HBGary's founder, Greg Hoglund a well-known security researcher.

Again, don't make yourself or your company a target. Every company server is vulnerable in some way. If you haven't done so recently, now would be a good time to review your security policies including passwords (both rules for and storage of), user privileges, system configurations, backup procedures and off-site storage as a start. And set a policy for how often you