What started with an email from a colleague’s compromised Gmail account Friday evening has ended up making international news – the InfraGard Atlanta website has been hacked. With user names, email addresses and passwords – including those associated with the FBI – available via a quick web search I knew that this was a pretty serious issue. Although I’ve been disconnected from InfraGard Atlanta for the past ~6 years, I originally served as an officer when the group was getting off the ground back in the early 2000s…I hate seeing something like this happen to my friends and colleagues.
What’s so frustrating in situations like this is the fact that there are so many people associated with InfraGard Atlanta who are well-qualified (and often very willing) to pitch in and help prevent such breaches. It must be human nature, because I’ve offered to do gratis security assessments for various non-profits I’ve been associated with over the past few years and a funny – yet consistent – thing occurs every time… it’s cricket, cricket, then nothing but silence… or “no thanks, we’re good” or “it’s just our website” or “we don’t have anything a hacker would want”… and on and on. You get my drift. Why is it we tend to ignore the elephant in the room and pass on pro bono services where they’re often needed the most? I digress.
So, what can we do about this other than getting people to buy into security, which I suspect isn’t going to happen any time soon? The best thing you can do is to test every single system that’s publicly accessible on your network. It’s the only way you’re going to find the flaws that matter… and man oh man, do we ever have some low-hanging fruit out there for the taking! Still, all the penetration and vulnerability testing you can throw at your systems is not going to uncover every single flaw in your environment. But it’ll get you darn close, and that’s where you want to be.
All of that said, here are the lessons to take from this:
1) Test your websites and your externally-accessible hosts for security flaws… ALL of them, right now! Start today.
2) Test your websites and your externally-accessible hosts for security flaws over and over again, never letting up until the sites/hosts are taken offline [by choice, not denial of service ;)].
3) Fix the flaws you find.
4) Stop making bad password decisions. We’ve all done it and it’s got to stop. Make a conscious choice right now to change that moving forward. Vow to never create an insecure password again and vow to stop sharing passwords across different websites and systems. Also, start going back and changing weak passwords that you know exist out there.
If you find the passwords that were recovered in the InfraGard Atlanta breach you’ll see how “complex” passwords can still be cracked. Sure, some of these password flaws stem from architectural or operational weaknesses, but my point is that if you have a choice, then choose to create long and complex passphrases that are easy to remember yet next to impossible to crack.
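To make the “complex but crackable” point concrete, here is an added example (my own illustration, not code from the post or from InfraGard) that compares the naive brute-force search space of a short “complex” password with a rough estimate of how a dictionary-plus-rules guess order would treat the same password, next to the entropy of a randomly chosen multi-word passphrase. It also shows a simple way to spot password reuse across sites without keeping the plaintext around. The dictionary size, the small word list and the word + digits + symbol pattern model are assumptions chosen for the demo.

```python
import hashlib
import hmac
import math
import re
import secrets

# Printable-ASCII character classes used by the naive brute-force estimate.
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33

# Assumed size of the word list a guess-ordering tool would try first (a modelling
# parameter for this demo, not a figure from the post).
DICTIONARY_SIZE = 20_000

# Constructed word list for the demo; a real generator draws from a published list
# of several thousand words so each word contributes ~12-13 bits.
WORDS = ["anchor", "basil", "copper", "dune", "ember", "fjord", "glacier", "harbor",
         "ivory", "juniper", "kettle", "lantern", "marble", "nectar", "orbit", "pepper"]


def brute_force_bits(password: str) -> float:
    """Search space in bits if every position had to be brute-forced over the
    character classes that appear in the password (the optimistic estimate)."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += LOWER
    if any(c.isupper() for c in password):
        alphabet += UPPER
    if any(c.isdigit() for c in password):
        alphabet += DIGIT
    if any(not c.isalnum() for c in password):
        alphabet += SYMBOL
    return len(password) * math.log2(alphabet) if alphabet else 0.0


# Capitalised dictionary word, optional trailing digits, optional trailing symbols.
_PATTERN = re.compile(r"^([A-Z][a-z]+)(\d*)([^A-Za-z0-9]*)$")


def pattern_bits(password: str):
    """Rough estimate for the common 'Word + digits + symbol' shape, which a
    dictionary with append rules exhausts quickly. Returns None for other shapes."""
    m = _PATTERN.match(password)
    if not m:
        return None
    word, digits, symbols = m.groups()
    bits = math.log2(DICTIONARY_SIZE)            # which dictionary word
    bits += len(digits) * math.log2(DIGIT)       # each appended digit
    bits += len(symbols) * math.log2(SYMBOL)     # each appended symbol
    return bits


def passphrase_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words drawn uniformly at random from list_size words."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_count: int, words=WORDS) -> str:
    """Random passphrase built from the word list with a CSPRNG (secrets module)."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def reuse_report(accounts: dict, key: bytes) -> list:
    """Group sites that share a password. Each password is keyed-hashed (HMAC-SHA256)
    before comparison so the report can be kept without the plaintext values."""
    groups = {}
    for site, password in accounts.items():
        tag = hmac.new(key, password.encode(), hashlib.sha256).hexdigest()
        groups.setdefault(tag, []).append(site)
    return sorted(sites for sites in groups.values() if len(sites) > 1)


if __name__ == "__main__":
    sample = "Password1!"   # constructed example of a "complex" password
    print(f"{sample}: brute force ~{brute_force_bits(sample):.1f} bits, "
          f"dictionary+rules model ~{pattern_bits(sample):.1f} bits")
    print(f"5 random words from a 7776-word list: ~{passphrase_bits(5, 7776):.1f} bits")
    print("example passphrase:", generate_passphrase(5))
    # Constructed account inventory to show reuse detection.
    inventory = {"bank": sample, "forum": sample, "mail": "glacier kettle orbit dune"}
    print("sites sharing a password:", reuse_report(inventory, secrets.token_bytes(32)))
```

The two estimates for the same password differ by roughly 40 bits, which is the gap between “looks complex” and “survives a real cracking run”; the passphrase reaches a comparable search space with no special characters at all. The reuse check is the kind of thing to run over a password manager export once, then fix what it flags.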
The choice is yours… use it wisely.