I was just reading an article on Ars Technica from Sean Gallagher called, “Hackers politely deface security firm website, suggest fixes.”  If you haven’t seen it, it’s interesting – and a little discomforting.

It seems some hackers (known as “MalSec”) are going around to security companies, defacing their web sites, and leaving “polite warnings” that they’d better get their act together or they face the risk of being hacked in a more malicious fashion.

The defacement itself was unusual, in that it pointed out some of the deficiencies they found in the process of owning the site: “Whilst no harm was done to the original site we urge you to secure your site before claiming to be ‘the best of the best’ in any kind of security. We were not first—traces of previous security breaches were found.”

In addition to the defacement, the hacker group not only called attention to their deed but also provided evidence of their success. Quoting from the Ars Technica article,

In a Twitter post attributed to MalSec, the group pointed to the defacement, and wrote “We aren’t just madhakkars with no souls! That’s for the gingerhackers. We see a hole we fix it. unless urlame.” After claiming responsibility for a hack of a server belonging to the Nigerian Senate, the group posted a file alleged to include the hashed passwords of senators and cracked passwords of the lawyers that work with them.

So the big question: Is this a good thing or a bad thing? Are these “helpful” hacks really helpful or not? I think that if they had only been trying to be helpful, the presentation of evidence would not have been so visible.

My conclusion?  This is yet another example of why organizations need to get back to the basics of security.  More secure configurations, baselines of “known good” system states, and continuous monitoring for unauthorized change & access to our resources.  The note from MalSec that “We were not first—traces of previous security breaches were found.” is probably true for a lot of organizations – it’s happening under our noses, and we aren’t paying attention to the right things for us to notice.
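The “baseline of known-good state plus monitoring for unauthorized change” the post calls for, reduced to its simplest form as an added example (this is not code from the original post): hash every file under a web root, store that baseline somewhere the web server cannot write, and periodically diff the live tree against it so a defacement shows up as a modified, added or removed file rather than being noticed by visitors first. The `demo()` function builds a constructed web root and then simulates exactly that kind of change.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents; content hashes catch changes that mtime checks miss."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each file under root (path relative to root) to its digest."""
    root_path = Path(root)
    return {str(p.relative_to(root_path)): hash_file(p)
            for p in sorted(root_path.rglob("*")) if p.is_file()}


def compare_to_baseline(root: str, baseline: dict) -> dict:
    """Diff the live tree against a stored baseline; any non-empty list is unauthorized change."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a tiny web root, then deface it and re-check."""
    with tempfile.TemporaryDirectory() as d:
        web = Path(d)
        (web / "index.html").write_text("<h1>Best of the best</h1>")
        (web / "css").mkdir()
        (web / "css" / "site.css").write_text("body { margin: 0 }")
        baseline = build_baseline(d)  # in practice: save this off-host or sign it
        # Simulated unauthorized change: page overwritten, a note dropped, a file deleted.
        (web / "index.html").write_text("<h1>defaced</h1>")
        (web / "note.txt").write_text("we were not first")
        (web / "css" / "site.css").unlink()
        return compare_to_baseline(d, baseline)


if __name__ == "__main__":
    print(demo())
```

Running the check on a schedule (and re-baselining only after an approved deployment) is what turns a one-off snapshot into the continuous monitoring the post describes.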

What do you think?


  • Urathonline

    What do I think? You mean besides the fact that it's criminal trespassing and illegal?

    • http://twitter.com/ThatDwayne Dwayne Melancon

      Agreed.  And if they can be caught they should be prosecuted.

      What I intended to ask with my question (guess I should've been clearer about that) is:  Does this kind of activity drive the right response from site owners – both in the company that was defaced, as well as other orgs that see it?  Or is it just criminal graffiti that degrades the neighborhood for everyone? In the end, does it all just blend into the noise, whereby people just keep on with their lax security practices? And, if so, how do we bring the right attention to good security practices?

Dwayne Melancon

Dwayne Melancon has contributed 141 posts to The State of Security.
