Just read this article: “Anonymous speaks: the inside story of the HBGary hack”
What’s scary is that the foundations of this amazing security disaster can be easily transported to the 53rd century (55th, if you are playing Classic Traveller):
The thing is, none of this is unusual. Quite the opposite. The Anonymous hack was not exceptional: the hackers used standard, widely known techniques to break into systems, find as much information as possible, and use that information to compromise further systems. They didn’t have to, for example, use any non-public vulnerabilities or perform any carefully targeted social engineering. And because of their desire to cause significant public disruption, they did not have to go to any great lengths to hide their activity.
Nonetheless, their attack was highly effective, and it was well-executed. The desire was to cause trouble for HBGary, and that they did. Especially in the social engineering attack against Jussi, they used the right information in the right way to seem credible.
Most frustrating for HBGary must be the knowledge that they know what they did wrong, and they were perfectly aware of best practices; they just didn’t actually use them. Everybody knows you don’t use easy-to-crack passwords, but some employees did. Everybody knows you don’t re-use passwords, but some of them did. Everybody knows that you should patch servers to keep them free of known security flaws, but they didn’t.
And HBGary isn’t alone. Analysis of the passwords leaked from rootkit.com and Gawker shows that password re-use is extremely widespread, with something like 30 percent of users re-using their passwords. HBGary won’t be the last site to suffer from SQL injection, either, and people will continue to use password authentication for secure systems because it’s so much more convenient than key-based authentication.
So there are clearly two lessons to be learned here. The first is that the standard advice is good advice. If all best practices had been followed then none of this would have happened. Even if the SQL injection error was still present, it wouldn’t have caused the cascade of failures that followed.
The second lesson, however, is that the standard advice isn’t good enough. Even recognized security experts who should know better won’t follow it. What hope does that leave for the rest of us?
For a number of reasons, this kind of thing won’t work on a military-secured system. (Let’s ignore that Chinese gentleman at the back, waving his arms…)
But the killer sentence is this: “Most frustrating for HBGary must be the knowledge that they know what they did wrong, and they were perfectly aware of best practices; they just didn’t actually use them.”
The CEO of HBGary – you know, the man who used the same simple password for both home and work – started out in Navy intelligence, and was an infosec chief for a decade. The man knows better!
If he could trip up, so could you.
Yes, use the story as a great Traveller adventure. But make sure that the players learn from the experience, and at least change their email, work, and money passwords. Use those funky keys, and use wildly misspelled sentences that you’ll remember.
If you work in computer security, you know what to do. If some spacy amateur sci-fi writer knows this, then the real bad guys know it for sure!
In My Traveller Universe: The Vilani have an absolutely hard reputation for secure systems. Not just because of their better math & pattern recognition skills (although that helps).
No: the real reason is because THEY FOLLOW PROCEDURE!
They don’t reuse passwords
They regularly update their firewalls with patches
They flag suspicious ‘social engineering’ conversations
None of this makes them invulnerable: a mildly creative, well-thought-out attack will make mincemeat of the standard-format, vanilla-flavour, mass-produced Vilani database. But against a Vilani, the attacker has to at least lift their game to B-grade level.
If you’re a Solomani, don’t feel too bad: you should see how Vargr ‘databases’ are ‘organized’ and ‘secured’.
If you’re a Vilani, don’t get arrogant: cracking a Hiver database is one of those once-in-a-lifetime events that gets passed around those off-the-Net waterholes no proper Vilani has ever visited.
PS: A quick note on the importance of physical security.
(Old-fashioned muscle still has a place in the Far Future…)