[AusNOG] Fwd: LulzSec Leader Arrested in Sydney - One of our own

Shain Singh shain.singh at gmail.com
Thu Apr 25 11:59:31 EST 2013


On 25 April 2013 02:18, Michael Kahl <michael at kahl.id.au> wrote:

> It's interesting that a "commonly known exploit" was used to "hack" a
> government website.
>

Regular patch cycles anyone?


>
> If it was actually exploited remotely and assuming it is a government
> website it's safe to assume it was compliant with all of the various
> security standards, so what does that say for all of the standards and
> certification testing that's required these days?
>
>
Have to disagree, as there are very few "standards" besides PCI-DSS which
is just a money-spinner for security vendors. I would think it's safe to
assume that government websites don't implement the access controls and
RBAC policies typically found in software for defence agencies. All your
security policies boil down to the weakest link - that being the user and
their password. In the age of Single-Sign-On, etc., it's all up to how good
your password policy is and how often that gets changed (which is also a
flawed way of thinking IMHO).


> Businesses spend huge amounts of money complying with those requirements
> just to be allowed to stay in business but when Government sites get hacked
> through "commonly known exploits", and assuming they're the champions of
> those rules seeing as they created them, it has to be questioned the value
> of those rules and certifications in the first place.
>
>
>
Agreed. It doesn't take a genius to read through Full-Disclosure or Bugtraq
and fire off Metasploit. Deploying firewalls/IDS, etc. just means all you're
mitigating is the lowest hanging fruit with brute force type scanners,
etc... If you get someone who is determined to break into your site then
that's where things get real interesting...


-- 
Shaineel Singh
e: shain.singh at gmail.com
p: +61 422 921 951
w: http://buffet.shainsingh.com

--
"Too many have dispensed with generosity to practice charity" - Albert
Camus