Jason Lackey runs the @CiscoSecurity Twitter feed and managed to get an interview with @SparkyBlaze, or else someone who has access to his/her Twitter account, for his latest blog post. Sparky used to be a member of the hacking group Anonymous, which has been responsible for break-ins at a variety of sites, most recently ones run by the Syrian government and the BART transit agency.
Sparky left Anonymous, saying that the group wasn’t doing much more than just “getting kids arrested.” S/he is in the process of moving to the States, perhaps to take some formal CS classes. S/he cautions any would-be hacker to stay away from black-hat hacking. “You go for a job and it is down to you and someone else. You both have the same qualifications and are good at what you do. They do a background check on both of you… his is clean, yours says you hacked a server and put all the data online… Who will they give the job? It won’t be you.”
Sparky has a great list of preventative measures that corporations should take to beef up their security, including:
- Deploy defense-in-depth
- Use a strict information security policy
- Have regular audits of your security by an outside firm
- Use IDS or IPS
- Teach your staff about information security
- Teach your staff about social engineering
- Keep your software and hardware up to date
- Watch security sites for news on computer security and learn what the new attacks are
- Let your sysadmins go to defcon ;D
- Get good sysadmins who understand security
- Encrypt your data (something like AES-256)
- Use spam filters
- Keep an eye on what information you are letting out into the public domain
- Use good physical security. What good is all the [security] software if someone could just walk in and take [your “secure” systems]?
It is worth reading the entire post, although it offers no great insights into the hacking mystique. What is interesting is how much social engineering – misrepresenting yourself as a trusted employee – can still deliver the goods.