Anonymous hacks Senate website

Trained security experts can't see everything in thousands of lines of code

This is relevant to the discussion at hand how?

One of only a couple of things you could reasonably be implying is that large pieces of software have multiple security flaws in their implementation, leading to potential zero-day exploits.

This is simply not the case in a manner which leads to widespread security problems - there are plenty of security solutions which are considered extremely secure, and have been released in a fully publicly available fashion for years, without any exploits being revealed.

As a hacker, why bother investing the time looking for zero-day exploits when you can be assured that there are stupid security departments open to year-old exploits or social engineering attacks instead? Hence why a very small minority of actual security breaches are from zero-day exploits. Take a look at some high-profile security breaches - the vast majority of them are occurring because of shoddy security practices, bordering on negligent for any competent professional.


Or maybe you're trying to imply that custom-built web-facing software is vulnerable, because the code authors can make mistakes with the code?

If so, that is exactly what I'm talking about; that is the fault of the organization for hiring incompetent staff. There is a ton of free open-source software reviewed by thousands of people which meets every security need around, or you can go for proprietary non-free solutions, where someone else takes on the liability for security breaches. If you actually decide you need a custom-built solution, you need to budget enough to hire enough competent staff to do it properly.
 
They did the equivalent of stealing books from a restricted section of the Library of Congress
no, not the restricted section

They attacked the Senate. That's 1/2 of 1 of the 3 branches of the federal government.
I just fail to see how that can in any way be termed an 'attack on the senate'; they attacked the Senate's public website. If you really term this an act of war you're belittling real acts of war...imagine two illegal combatants meet in jail...one has defaced a government website...the other's blown up some army barracks....yep, totally the same crime ;)

And if the information in those books is classified?
if there was anything even remotely classified on that webserver (remember it was a public website) then the IT staff of the senate needs to find a new profession. I work for a government IT department that, among other things, operates some public websites and in our case it would even be illegal to have restricted information stored out there....

Trained security experts can't see everything in thousands of lines of code
They don't need to, since only very few interfaces are relevant to that. Furthermore, why do you need to review thousands of lines of code on a public website? That's about as standard as it comes. As Zelig said, there's plenty of servers/frameworks/tools out there that have been tested and hardened for exactly such a situation.
 
My point is they weren't supposed to get at it hence calling it restricted. I'm terrible with analogies.

Sadly a lot of sites are designed crappily. I was staying at a Starwood hotel and got it to give me free internet via their site, took a couple hours though.
 
I wouldn't be messing with the government. We might not think it serious. But the government likely will and furthermore has the resources to throw at a problem like this. Moreover, if you do get caught, the kind of legislation you would likely be charged under would be designed to deal with terrorists and spies and not doods doing it for lulz. Even if a Federal Judge were to find it funny, itself an unlikely event, he/she will probably have little latitude in how they deal with you.
 
Likely it'd go a bit like Bradley Manning, if they can track down the guilty.
 
I don't see the common ground. Manning has a public interest defence to play around with, these guys have nothing. And when one is dealing with the NSA, I wouldn't be so sure they couldn't be tracked down.
 
Sure, but "difficult enough" in computer security terms can easily be made to be "difficult enough that nobody has time to crack it over the lifespan of the security solution".

Other than 0-day exploits, the vast majority of hacks occur because someone on the security team did something wrong.
(Or alternatively, because the security staff wasn't getting paid enough. You'd see fewer security breaches if security departments were better staffed and funded, rather than treated as a business expense to be minimized.)
I'd wager that this is why a lot of security, computing and networking blogs/sites are drawing attention to LulzSec and painting them in a relatively positive light (i.e. more white hat than black hat). They can do the kind of attacks that give massive exposure and generate a lot of publicity, that mainstream security firms can't -- which increases the awareness among management that security is a major concern for any company or organisation with a public face.
 
I just read this and lol'd hard: http://thenextweb.com/industry/2011...imple-enough-for-your-grandmother-to-exploit/

Citigroup ‘hack’ turns out to be simple enough for your grandmother to exploit

The hackers who recently attacked Citigroup and made off with the details of 200,000 customers used an extremely rudimentary attack that anyone could've pulled off, the Daily Mail reports.

All one needed to access other users’ information was a Citigroup account and a lot of spare time. After logging into the Citigroup credit card customer area of the site, accessing the information of other customers was simply a matter of replacing the account number in the browser’s URL bar with another number.

In short, potential thieves just needed a few lucky guesses to take other customers' money.

This explains why the attack wasn’t spotted until May: it was the equivalent of a “no forced entry” break-in, using horribly lax authentication to access parts of the site without circumventing security measures.

If this is what online banks deem to be a secure system, I think I’ll put my cash under my mattress and sleep with a shotgun. Even with my non-existent aiming abilities, it’ll be safer.

The "a lot of spare time" part is nonsense, too, to anyone with even a vague idea of what a "computer" does...
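As an added illustration of the flaw the quoted article describes (this is not code from the thread, from Citigroup, or from the article): a vulnerable account-view handler next to one that checks ownership, plus a log check for the trace such account-number stepping leaves. The session tokens, account numbers, records and log format are all constructed for the example.

```python
from collections import defaultdict
import re

# Constructed sample records (not real data); a login would populate SESSIONS.
ACCOUNTS = {
    "4000001": {"owner": "alice", "balance": 1200},
    "4000002": {"owner": "bob", "balance": 55},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Forbidden(Exception):
    """Authenticated caller, but not authorised for this record."""


def view_account_vulnerable(session_token, account_id):
    """Flawed pattern: a valid login is taken as permission to read any
    account whose number appears in the URL."""
    if session_token not in SESSIONS:
        raise PermissionError("login required")
    return ACCOUNTS[account_id]  # never checks the account belongs to the caller


def view_account_hardened(session_token, account_id):
    """Hardened: the record must belong to the authenticated user. Missing and
    foreign accounts fail identically, so nothing confirms which numbers exist."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise PermissionError("login required")
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != user:
        raise Forbidden("no such account for this user")
    return record


# Constructed access-log lines: one session stepping through account numbers.
SAMPLE_LOG = """\
session=tok-alice account=4000001
session=tok-bob account=4000002
session=tok-bob account=4000003
session=tok-bob account=4000004
session=tok-bob account=4000005
"""
LOG_RE = re.compile(r"session=(\S+) account=(\d+)")


def sessions_over_limit(log_text, limit=3):
    """Distinct accounts per session; a login touching more than it could own
    is the trace this kind of enumeration leaves even with no forced entry."""
    seen = defaultdict(set)
    for m in LOG_RE.finditer(log_text):
        seen[m.group(1)].add(m.group(2))
    return {s: len(ids) for s, ids in seen.items() if len(ids) > limit}
```

The hardened handler also answers the article's "no forced entry" point: with the ownership check in place, the same request shows up in the logs as a refused access rather than a successful read.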
 
My dad who works in computer networking and security told me about the Citigroup hack. Are their cyber security people stupid, incompetent, lazy, or an unholy combination of the three?
 
It's rather showing one of the basic logical faults in the government's statement.

There is a ton of free open-source software reviewed by thousands of people which meets every security need around

:lol: that's rather a mysticism.

My dad who works in computer networking and security told me about the Citigroup hack. Are their cyber security people stupid, incompetent, lazy, or an unholy combination of the three?

They are not the programmers of the software, that's the problem.
You can only see such flaws if you're in the code. And if not...
And at the beginning, you hack something together just to get it running, a proof of concept. And then you forget about all the insecure, improvised and not well-done code somewhere deeper in the program. Then you have such a mess like here.
 
It's rather showing one of the basic logical faults in the government's statement.

And that logical fault is what, exactly?

If you say "because anyone from another country could perform such an attack so they'd be declaring war on a person," I am going to /facepalm.
 
It's rather showing one of the basic logical faults in the government's statement.

:lol: that's rather a mysticism.

They are not the programmers of the software, that's the problem.
You can only see such flaws if you're in the code. And if not...
And at the beginning, you hack something together just to get it running, a proof of concept. And then you forget about all the insecure, improvised and not well-done code somewhere deeper in the program. Then you have such a mess like here.

Actually they'd then be shoved into the illegal combatants category
 
@The_J: The Citigroup problem though... That was unbelievable. That's completely different than leaving an SQL injection or remote file inclusion open there.
 
And that logical fault is what, exactly?

If you say "because anyone from another country could perform such an attack so they'd be declaring war on a person," I am going to /facepalm.

The fault is the premise, that someone from another country might be attacking you.
And that they might act with command from the government.
Both are highly doubtful in every case.

Actually they'd then be shoved into the illegal combatants category

That might even be valid.

@The_J: The Citigroup problem though... That was unbelievable. That's completely different than leaving an SQL injection or remote file inclusion open there.

Yeah, even simpler.
I don't say that this is not incredibly dumb. I'm just saying that this can happen when a n00b is doing the job. Exactly one of the things which could happen if I programmed that site.
 
They just need to treat hacking secure websites the same as robbing banks and the same punishments to match.

That hasn't been the practice for 10 years. It would be more popular just to enact broad measures which restrict access for everyone just so that it might be more difficult for these hackers to repeat this performance.
 
The_J said:
I don't say that this is not incredibly dumb. I'm just saying that this can happen when a n00b is doing the job. Exactly one of the things which could happen if I programmed that site.

Nah, the website coding would probably have been farmed out to a third party. Most banks have IT doods, but don't maintain that kind of presence. Basic maintenance, design and the interface would have been the bank's job, but changes to the site's code would have been the external party's. This would likely have been a failing of the external party, perhaps more than the bank's, but even so that's what you have in-house security techs, IT doods, external auditors and consultants for! Although, you can never rule out management adopting the ostrich approach to the situation...
 
My dad who works in computer networking and security told me about the Citigroup hack. Are their cyber security people stupid, incompetent, lazy, or an unholy combination of the three?

From my experience most people who work in "internet/computer security" are overworked, incompetent, or both... or they just don't care about patching every single hole. Everything's hackable - sometimes you lack the resources and do the best you can... if you are competent enough to, that is.

Mise said:
The Citigroup problem though... That was unbelievable. That's completely different than leaving an SQL injection or remote file inclusion open there.

I don't even have sites up (at work) that are so easily hackable for stuff that's not really that private or important :lol: I'm not a web security expert by any means, but whoever built that site doesn't know (or doesn't care about) the BASICS. Or hey, I suppose it's possible that the system requirement SPECS didn't outline a need for much security, which doesn't really make much sense to me.. but.. it's possible that the person writing up the system specs was incompetent and this was not the fault of the developers but rather some wanna-be "developer" who knows nothing about client-server architecture or web dev.
 