General security

A Hacker’s Tips for Running a Security Company

There's always the sting of irony when a cyber security company gets hacked. Not to mention the embarrassment and bottom line impact suffered by the victim.

Just ask DDOS protection firm Staminus, the latest security company penetrated by hackers. Recently it was reported that hackers managed to bring down Staminus' entire network after infiltrating the company's server backbone and resetting routers to factory settings. From there they stole Staminus' databases and dumped the contents online. Everything from credit card records to customer support tickets to server log data to chat logs were made public on Tor.

And to cap it all off the hackers announced the exploit in an ezine, under the sarcastic title of "Tips When Running a Security Company." Their tips include:

• Use one root password for all the boxes
• Expose PDUs to WAN with telnet auth
• Never patch, upgrade or audit the stack
• Disregard PDO as inconvenient
• Hedge entire business on security theatre
• Store full credit card info in plaintext
• Write all code with reckless abandon

There's a lot here, so let's just focus on the first two tips.

Use one root password for all the boxes. The need to secure privileged credentials is a frequent topic on this blog. Countless data breaches have followed a similar pattern. Hackers use zero days, spear phishing exploits, or social engineering to get past an organization's perimeter defenses, capture an administrative credential and use that stolen credential to access all the systems on the network that share the same password.

This attack vector can be mitigated with privileged access management. Such solutions automatically update privileged credentials as frequently as necessary, even every couple of hours. So even if an intruder compromises a credential, it has a limited lifetime and is not shared among multiple systems.

Expose PDUs to WAN with telnet auth. A PDU, or power distribution unit, distributes power in a rack of servers. If the PDUs are connected to the network, as they are in most companies these days (especially where there are private clouds, managed services or just green services), access to one PDU can permit all servers to be improperly shutdown. This immediately causes denial of service, data corruption and data loss. It can even lead to strategic outages whereby specific machines that might otherwise alert about these attacks are taken down – literally by pulling the plug.

As for the second part of the "tip" – telnet. Using telnet is reckless behavior because all traffic sent over the network and all authentication – like usernames and passwords – are sent in clear text. In other words, you can read it just like you're reading this blog post. No special tools required.

You can learn a lot from a hacker. But you shouldn't need to. Just follow standard cyber security best practices and you'll be ahead of most organizations.