Stop poking the tiger
8/Feb 2011
I can’t help but laugh as this has happened so recently after the gawker hacks. For those who don’t follow this kind of thing, the company publicly taunted a group of people who may or may not have ties to some people who may or may not also have ties to some people who may or may not allegedly be hackers. This stupid behavior resulted in the gawker being defaced. The social networking sites of the corporate entity and it’s employees were also popped, scrolling with sensitive personal data and assorted offensive one liners.
The sites main database was compromised which contained hashed passwords, potentially exposing 1.5 million users. As people tend to reuse passwords, one can only image how many other systems were compromised as a result. It’s pretty easy to hammer out a script to attempt to login to a list of sites using the stolen and cracked credentials. I have no doubt the attackers specifically targeted particular accounts from the database to escalate privileges elsewhere. People who do this kind of work are not your normal drive by exploiters.
This incident took place not even two months ago.
As the rest is already written, so i can just put the three relevant links here. A security consulting firm made a press release stating they had tracked down hackers which claim to be associated with anonymous. The result was their website was shredded, along with the social networking accounts of the entity and it’s employees, 66,000 company emails published, and sophos noted that someone else noted their backups allegedly trashed as well.
Point of me rehashing these stories that have been rehashed by everyone else?
STOP POKING THE TIGER.
This is the equivalent of the jackass that climbs over the fence at the zoo and acts surprised when they are mauled. “That is a tiger. It is a 500 pound predator. No, don’t approach it. No, don’t poke it in the eye. No, I’m not sure how to get your torso out of its jaws.”
For some reason corporations don’t understand that this playing field called the internet is not governed by rules, wealth, location, or “morals”. Taunting malicious users is the equivalent of walking into a shady bar, finding the guy that looks like he just got out of prison, and shoving him as hard as you can. It’s not going to end well, and your not going to come out ahead. You don’t gain from such actions.
If your going to do research and try to out someone, who allegedly has the clout to drop small companies such as mastercard for a day, you should be smart enough to assume they potentially have the resources do serious damage to your business and personal life.
Watch the service and ids logs on a server on your network that nobody cares about which is barely exposed to the internet for day. Now think about all the attacks to your web application which are not flagged or logged. Now think about your office and employees, usb thumb drives, your data center, your clients employees, delivery and building personnel, and all the threats in between. Yeah. There are a lot more attackers than there are defenders, and its not the majority you have to worry about. That’s what common practices and tools are for. Its the minority you don’t want around, much less invite.
So what simple policy can help mitigate the sophistication of the attacks? Start by not taunting the attackers. Stop poking the tiger. Enforce policy that discourages and holds employees responsible for making statements which blatantly invite attacks. Most business wouldn’t tolerate publishing intellectual property, much less libel, so why tolerate other internal hostile behavior? Train employees in your enterprise that these actions can result in business, financial, and personal “troubles”.
I should stop beating my head against the wall. I’m not getting anywhere. People just won’t learn.
Please stop poking the tiger. It will mess you up.