I sometimes shy away from the obvious big news that everyone is already talking about, but finally I read a decent enough article about the recent HBGray Federal drama, over at ars technica, of all places. That and the Krebs piece (whom I’ll just unofficially credit as breaking the news, when I saw his comments on Twitter as the Super Bowl was starting…) are all you really need.
Anonymous got into HBGary Federal’s e-mail server, for which Barr was the admin, and compromised it, extracting over 40,000 e-mails and putting them up on The Pirate Bay, all after watching his communications for 30 hours, undetected. In an after-action IRC chat, Anonymous members bragged about how they had gone even further, deleting 1TB of HBGary backup data.
I’ll be the first to say that *everyone* is weak somewhere, even security firms, and it is difficult to always find attacks (through automated or manual means). Nonetheless, you need to be better at your damn security. Yes, a dedicated group of attackers can give anyone hell over x period of time, but you shouldn’t fall within days, not be able to detect it for 30 hours, and so on. And you surely as hell shouldn’t be so arrogent to expose such ignorance. The entire organization should have known that this guy was about to prick a group that would, in and of itself, be a major risk agent/threat, and have acted appropriately.
On the other hand, one of my favorite quotes: “A smooth sea never made a skillful mariner,” can be equated to an IT mantra, “we learn the most when we’re troubleshooting critical issues.” While one or a few of the major players, and maybe even this branch of the company, may end up flaming out because of this, hopefully the other bit players and techs and businesspersons will learn a valuable lesson and take some extra experience away from this.
As far as the major players go, it’s hard to feel sorry for either Aaron Barr or another recent “victim” Mr. Evans, when they’re essentially un-empathizable. It’s like the dumbass in the bar who keeps daring you to hit him and keeps barking loudly and making a scene all night, then starts crying when you do hit him and break his jaw. Rather than take moral sides in these situations, I’d just like say, “Welcome to 2011.”