Defcon: The lesson of Anonymous? Corporate security sucks

LAS VEGAS -- Anonymous has run up quite a score against corporations, governments and law enforcement agencies, but for all these warnings corporate executives are turning their heads from the real problem -- their network security is terrible, a panel of experts concluded at Defcon.

The particularly high-profile attack against security firm HBGary by the hacker collective earlier this year caught the attention of C-level executives for a few weeks, but then they relaxed, says krypt3ia, a panel member, a security blogger and longtime infosec practitioner.

The executives could have redoubled efforts to better defend their networks, but that's not what's happening. Rather than invest in better security, they're looking to hedge the economic impact if they do get hacked, he says.

"It's no coincidence that hack insurance is up," he says. He said he'd heard at the conference that a major corporation laid off security staff and bought hack insurance instead. He wouldn't name the corporation.

In doing so, executives have taken their eye off the main goal, which is protecting corporate intellectual property. By and large the Anonymous hacks and attacks have not scored valuable business intelligence, says Josh Corman, director of security research for Akamai, but it's just a matter of time until they do.

"Your executives are distracted by DDoS attacks, a new noisy thing that distracts us from the actual mission," Corman says.

Meanwhile, the panel had a low assessment of Anonymous, in whose name many high-profile defacements, data thefts and postings of stolen information have been carried out.

"Build a better Anonymous," says Jericho, another panel member and security blogger. Stealing documents and posting them all, with few or none of them revealing wrongdoing, doesn't make a point about why the victim was attacked in the first place, he says.

"Releasing 250,000 documents is cool, but it hurts the cause," he says. "It's noise."

Krypt3ia says stealing and posting information from random police agencies in response to police in the United Kingdom arresting a teenager purported to be a key member of Anonymous spinoff LulzSec is irresponsible.

He cited the case of data about Phoenix police being posted in protest of the Arizona immigration laws they enforce. "Cops are bound to carry out the laws," he says. Protests about the laws should be aimed at the legislators who create them, he says, but releasing personal information about police and other law-enforcement workers is reckless. "There could be people in danger now," he says.

Corman says that Anonymous was by design decentralized, but that loose structure has enabled just about anyone to carry out attacks and attribute them to Anonymous. In some cases -- like the assistance groups using the name Anonymous gave to support uprisings in the Middle East -- the actions may coincide with what the group's founders intended.

But a change has occurred and now Anonymous attacks have less clear motivations, Corman says. "It's a franchise. Some people took the name and did Arab Spring and used it locally," he says. "Then it was hijacked by smaller groups and now it's become something of a public nuisance."

Krypt3ia gives them less credit. "I think they just wanted to smash things, and if they get caught, we say, 'We believe this ...'" he says. "You want to out people for doing bad things, do it right. ... Stop taking down stuff that's unimportant."

He says Anonymous should do its homework better and use other methods than network attacks and infiltration. "Learn your target," he says. "Know what they're doing. The only real dirt comes from insiders, people in the know who have access to very dirty things."

Tim Greene

Network World