I was just reading an article on Ars Technica from Sean Gallagher called, “Hackers politely deface security firm website, suggest fixes.” If you haven’t seen it, it’s interesting – and a little discomforting.
It seems some hackers (known as “MalSec”) are going around to security companies, defacing their web sites, and leaving “polite warnings” that they had better get their act together or face being hacked in a more malicious fashion.
The defacement itself was unusual, in that it pointed out some of the deficiencies they found in the process of owning the site: “Whilst no harm was done to the original site we urge you to secure your site before claiming to be ‘the best of the best’ in any kind of security. We were not first—traces of previous security breaches were found.”
In addition to the defacement, the group not only called attention to their deed but also provided evidence of their success. Quoting from the Ars Technica article:
In a Twitter post attributed to MalSec, the group pointed to the defacement, and wrote “We aren’t just madhakkars with no souls! That’s for the gingerhackers. We see a hole we fix it. unless urlame.” After claiming responsibility for a hack of a server belonging to the Nigerian Senate, the group posted a file alleged to include the hashed passwords of senators and cracked passwords of the lawyers that work with them.
So the big question: Is this a good thing or a bad thing? Are these “helpful” hacks really helpful or not? I think if they were only trying to be helpful, the presentation of evidence would not have been so public.
My conclusion? This is yet another example of why organizations need to get back to the basics of security: more secure configurations, baselines of “known good” system states, and continuous monitoring for unauthorized change to, and access to, our resources. The note from MalSec that “We were not first—traces of previous security breaches were found” is probably true for a lot of organizations. It is happening under our noses, and we are not watching the right things closely enough to notice.
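As an added example of the “known good baseline plus change monitoring” point above (this is illustrative code written for this post, not code from the original article, from MalSec, or from any vendor), here is a minimal file-integrity check for a web root: snapshot the hash of every file, store that snapshot as the baseline, then diff the live tree against it so that a rewritten page, a dropped file or a deleted file shows up as a named change. The directory layout and file contents in `demo()` are constructed for the example.

```python
"""Minimal file-integrity baseline for a web root.

Added example (not code from the original post, MalSec, or Ars Technica):
snapshot the SHA-256 of every file under a directory, keep that as the
"known good" baseline, then diff the live tree against it. A defacement
shows up as a modified page; a dropped web shell shows up as an added file.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, streamed so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            # Skip symlinks so a link out of the web root is not hashed.
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def diff_against_baseline(baseline: dict, current: dict) -> tuple:
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return added, removed, modified


def save_baseline(baseline: dict, out: Path) -> None:
    """Persist the baseline; in practice keep this copy off the web host."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> tuple:
    """Constructed scenario: baseline a small web root, then 'deface' it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "css").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Best of the best</h1>\n")
        (root / "css" / "site.css").write_text("body { margin: 0 }\n")
        (root / "robots.txt").write_text("User-agent: *\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated defacement: page rewritten, a file dropped, a file removed.
        (root / "index.html").write_text("<h1>Please secure your site</h1>\n")
        (root / "css" / "x.php").write_text("<?php /* dropped file */ ?>\n")
        (root / "robots.txt").unlink()

        return diff_against_baseline(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added)
    print("removed:", removed)
    print("modified:", modified)
```

The caveat MalSec’s note points at is the one that matters: a baseline is only as good as the state it was taken from. If you snapshot a host that was already compromised, the intruder’s files become “known good.” Take the baseline from a clean build, keep the stored copy (and the checking job) off the host being watched, and compare on a schedule rather than once.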
What do you think?
Categories: IT Security and Data Protection, Cyber Security, Incident Detection, Security Controls, Security Hardening