
[ISN] Feds need to start thinking like hackers



http://www.nextgov.com/nextgov/ng_20120130_9449.php

By Aliya Sternstein
Nextgov
01/30/2012

Most government employees do not consider their usernames and passwords to be hot commodities, but that attitude began to change with a network attack on security contractor HBGary Federal. In early 2011, members of the hacker activist group Anonymous leaked an executive's email exchanges with FBI, Homeland Security Department and other government officials that contained their contact information.

"When you expose somebody's personal email messages, you're not just exposing their email but the email of everyone who interacted with them," says Mark D. Rasch, a former Justice Department computer crime investigator. "This is a question of national security and national integrity."

Increasingly, this scenario is playing out at government agencies worldwide. Federal protective details pack guns, government buildings have security guards, but online, public officials are more exposed. The motives for pilfering private data vary: The intruders do it for government secrets, social justice, street cred--even rent money. For some hacktivists "it's kind of extortion," says Chris K. Ridder, a San Francisco-based privacy and Internet law attorney. "They'll issue a list of demands, and if those demands aren't met they'll release embarrassing information."

Gregg Housh, a computer engineer affiliated with Anonymous, argues the HBGary dumping revealed corruption within the company and improper contracting practices. As for the innocent federal employees caught in the crossfire, "exposing the data is only showing you that your data is already out there" insecurely, he says. If Anons can exfiltrate emails, so can the professional bad guys who do this for a living, Housh adds.

[...]


_____________________________________________________
Did a friend send you this article? Make it your
New Year's Resolution to subscribe to InfoSec News!
http://www.infosecnews.org/mailman/listinfo/isn