Don't share credentials between your accounts, especially if security is your business.
I thought it was silly of Gawker Media to taunt world-plus-dog
to test its IT security, only to be caught napping last year when its systems
were compromised. But when your whole business is IT security, it's even more
embarrassing to be caught reenacting the tale of the cobbler's children.
In that story, the cobbler was so busy making shoes for the
village that his own children had to run around barefoot. This is-after being
updated for the 21st century-pretty much what happened to security consultancy
HBGary and its subsidiary HBGary Federal. From what I understand, one or more
of the company's executives thought that it was a good idea to use the same
password for Twitter, LinkedIn and the firm's content-management system. That became
a problem after HBGary Federal's CEO Aaron Barr decided that he was going to
try to infiltrate the hacktivists collectively known as "Anonymous." He was
successful in doing so, but after revealing himself, apparently thought that
his company was immune to retaliation.
But Barr's sloppiness with passwords gave his enemies enough
of a toehold to allow them to break into the consultancy's e-mail server in
early February and capture about 50,000 documents and messages. For the last
few weeks, the two firms have been the butt of jokes, especially after HBGary
posted a "pity me" sign in place of its booth at the RSA Conference in San
Here's the thing that makes this situation even more amusing
than the Gawker debacle: HBGary was soliciting clients by letting them believe that
its team knew better than to reuse passwords among key systems. (I'm sure that
wasn't actually in the pitch, but it was one of those things that you assume is
there in much the same way that one assumes that a LAN uses Ethernet.) On top
of that, HBGary had offered its services to Bank of America as experts in
fighting back against WikiLeaks and in turn, Anonymous. This is the Internet's
equivalent of waving a red cape in front of a bull; do it enough, and you're
likely to be gored.
More likely than not, from some of the e-mail that I've seen
that passed between Barr and one of his top coders, arrogance played a part in
the debacle. The problem with the "can't touch this" attitude is that it's only
valid while the people who want to take you down have better things to do.
I'm sure that the HBGary executives were thinking the same
thing most of us do: "I'm kind of busy right now, and I'll change it to
something stronger when I have a little more time." I've done that more times
than I care to think about, as I noted in December when the Gawker story broke.
Since then, I've become a little bit better at resisting the temptation to slap
a quick and dirty password on an account. But I'm still doing it from time to
time, as I realized the last time I ordered a cable from my new favorite vendor
for such things.
I'm convinced that practicing password security in the
fashion that many security experts say we should is just too much bother for
all but a handful of people. "Easy to remember, hard to forget" only gets one
so far if the password has to be rotated every month or two. Maybe we really
are better off carrying around a piece of paper full of random characters with
a few real passwords embedded in the randomness. This "poor man's
steganography" has to be a better approach to password security than what we
P. J. Connolly began writing for IT publications in 1997 and has a lengthy track record in both news and reviews. Since then, he's built two test labs from scratch and earned a reputation as the nicest skeptic you'll ever meet. Before taking up journalism, P. J. was an IT manager and consultant in San Francisco with a knack for networking the Apple Macintosh, and his love for technology is exceeded only by his contempt for the flavor of the month. Speaking of which, you can follow P. J. on Twitter at pjc415, or drop him an email at email@example.com.