Gawker Lessons Not Learned
The massive data breach at Gawker in December revealed that nearly 30 percent of people tended to use the same password across multiple sites, a security no-no. It turned out both Barr and Vera were no better, using the same password for e-mail, Twitter, and other systems. Barr had used the same password for his e-mail account, and as the administrator, had access to all the company's mail and other users' mailboxes, giving Anonymous full access to all the e-mails. Vera had also used the same password on the company's support server. The attack could easily have stalled there, as Vera didn't have any administrative rights, except that the IT team had not patched the privilege escalation vulnerability in the Linux kernel. The flaw had been identified in October, and patches were released a month later. With full access on the box, the attackers discovered gigabytes of backups and research data, which they promptly deleted.

Barr and HBGary Federal were embroiled in another controversy as the contents of the company's e-mails were publicized, revealing various dirty tricks the company engaged in on behalf of clients such as law firms, banks, and the U.S. Chamber of Commerce. Some of the proposals listed borderline illegal tactics aimed at discrediting WikiLeaks, including cyberattacks, forged documentation, and blackmailing WikiLeaks supporter and Salon journalist Glenn Greenwald. "I need to focus on taking care of my family and rebuilding my reputation," Barr said. Stephen Colbert had mocked Barr's World of Warcraft account and referenced some of the more embarrassing e-mails on The Colbert Report last week.
The Anonymous hack used standard, widely known techniques to compromise a system, collect information, and use the collected data to compromise additional systems. It didn't matter that most of the employees had complex passwords, because the attackers needed to crack just one password to gain access.