Defcon: Anonymous hacking shows typical weakness in corporate security

The continued hacking success of Anonymous simply shows the typically poor standard of enterprise security, according to a panel of experts at the Defcon hacking conference.

Anonymous has run up quite a score against corporations, governments and law enforcement agencies, but for all these warnings corporate executives are turning their heads from the real problem of their network security levels, said members of the panel.

The particularly high-profile attack against security firm HBGary by the hacker collective earlier this year caught the attention of C-level executives for a few weeks, but then they relaxed, said krypt3ia, a panel member, a security blogger and longtime infosec practitioner.

The executives could have redoubled efforts to better defend their networks, but that's not what's happening. Rather than invest in better security, they're looking to hedge the economic impact if they do get hacked, he said.

"It's no coincidence that hack insurance is up," he said.

In doing so, executives have taken their eye off the main goal, which is protecting corporate intellectual property. By and large the Anonymous hacks and attacks have not scored valuable business intelligence, said Josh Corman, director of security research for Akamai, but it's just a matter of time until they do.

"Your executives are distracted by DDoS attacks, a new noisy thing that distracts us from the actual mission," Corman said.

Meanwhile, the panel had a low assessment of Anonymous, in whose name many high-profile defacements, data thefts and postings of stolen information have been carried out.

"Build a better Anonymous," said Jericho, another panel member and security blogger. Stealing documents and posting them all, with few or none of them revealing wrongdoing, doesn't make a point about why the victim was attacked in the first place, he says.

"Releasing 250,000 documents is cool, but it hurts the cause," he says. "It's noise."

Krypt3ia said stealing and posting information from random police agencies, in response to police in the United Kingdom arresting a teenager purported to be a key member of Anonymous spinoff LulzSec, is irresponsible.