Syrian Electronic Army’s attack on Reuters makes a mockery of cyber-security (again)

While it took a while for The Onion to understand what had happened, Reuters quickly detected the compromise and had fixed the content within twenty minutes. But in classic form, when The Onion had got on top of the problem, it posted an article whose headline read, Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Death At Hands of Rebels.

These examples illustrate that organizations need to understand that there are new risks within the information age and there are new ways to distribute messages, especially from hackers skillful enough to be able to disrupt traditional forms for dissemination.

The nature of the cause is likely to vary widely. In 2011, for example, Tunisian government Web sites were attacked by dissident group Anonymous because of Wikileaks censorship.

The same year, the Sony Playstation Network was hacked after Sony said it would name and shame the person responsible for hacking its consoles. This showed that just because you are small on the Internet doesn’t mean you cannot have a massive impact. Sony ended up losing billions on its share price and lost a great deal of customer confidence.

HBGary Federal vs Anonymous
The attack on security firm HBGary Federal is perhaps the best one in terms of how organizations need to understand their threat landscape. It started when Aaron Barr, the security firm’s chief executive, announced it would unmask some of the key people involved in Anonymous, and contacted a host of agencies, including the U.S. National Security Agency and Interpol.

Anonymous bounced a message back saying HBGary shouldn’t do this, as it would retaliate. As a leading security organization, HBGary thought it could cope and went ahead with its threat.

Anonymous then searched the HBGary content management system and found it could get access to a complete database of usernames and hashed passwords by inserting a simple PHP embed.

As the passwords were not encrypted, it was an easy task to reverse engineer the hashes back to the original password. Their target, though, was Aaron Barr and his chief operating officer, Ted Vera, each of which used weak passwords of six characters and two numbers, which are easily broken.

Having obtained their login details, Anonymous moved on to other targets. Surely they wouldn’t have used the same password for their other accounts? Sure enough they had, including the likes of Twitter and Gmail, which allowed access to gigabytes of research information. Then the hackers noticed that the system administrator for their Gmail e-mail account was called Aaron. As a result they managed to gain complete control of the company e-mail system, which included the e-mail system for the Dutch police.

Latterly they went after top security expert Greg Hoglund, who owned HBGary. This involved sending him an e-mail from within the Gmail account, from the system administrator, asking for him to confirm a key system password. After Hoglund replied back with it, Anonymous then went on to compromise his accounts.

HBGary Federal ended up being closed down due to the adverse publicity around the hack. Having said that, its partner company, HBGary, has gone from strength to strength. Hoglund is well known for making visionary presentations on computer security around the world. The word in the industry is that HBGary still did pass the Anonymous names to the American authorities, but no one knows for sure.

Conclusions
One lesson from all of this is that a focus of any attempted hack will be a spear phishing e-mail. Tricking users into entering their details may be simple, but it can be very serious. For example the Reuters site integrates more than thirty third-party/advertising network agencies into its content. A breach on any of these could compromise the agency’s whole infrastructure.

I’ll end with a few straightforward pieces of advice that anyone who cares about security ought to follow:

  • Use strong passwords
  • Never re-use passwords
  • Patch systems
  • Watch out for internal e-mails from bogus sources
  • Beware external Web sites that integrate with your organization’s site
  • Get a service level agreement (SLA) from your cloud provider. This should state how quickly the provider will react to requests for a lockdown of sensitive information, along with providing auditing information to trace the compromise
  • Don’t store e-mails in the cloud
  • Test your Web software for scripting attacks

Bill Buchanan is Head, Center for Distributed Computing, Networks and Security at Edinburgh Napier University. This story published courtesy of The Conversation (under Creative Commons-Attribution/No derivatives).