hbgary lessons from a hack

Lessons learned are always good to pass on, whether by gleaning mistakes others make from disclosure details, or their own words after the fact. Greg Hoglund offered some in the shadow of the recent HBGary Federal incident.

I wouldn’t be entirely surprised if the entire hack really was simply a gleaned password that then led to other accounts, either by account/password reuse or because an email account is the contact target for password resets or something. (Side note: downloading a firm’s entire email spool… yes, it’s *that* big of a deal to keep protected. Don’t forget about it in the chatter of CC, SSN, PII, corporate secrets, bank accounts…)

But in a world where everything is connected, everything is on the Internet all the time, and we demand mobile “stuff,” a stolen credential is the new hack, really. Ten years ago that might get you into a corporate webmail account or VPN connection if you were lucky, but otherwise you still needed to get past the corporate virtual walls. Today, not so much. These credentials are also increasingly easy to snarf, sniff, sidejack, and replay…

Picked up from the infosecnews mailing list.