

Why are big sites like CBS.com still getting hacked? - JakeFratelli

I'm trying to figure out how the websites of big companies are still getting compromised and defaced. Many of the attacks don't seem that sophisticated... thought this community might be able to help clarify. Thanks
======
EwanToo
In general, you only need to make 1 mistake for your website to be vulnerable
to what looks like a trivial hack.

The mistake could be anything from an insecure form input parser, through to
not updating your web server to the latest update.

Once one hacker finds that vulnerability, it looks like it's an easy thing to
do to take down or modify the site, but the finding of it can be extremely
time consuming.

On the other side, look at who didn't go down in the recent Anonymous attacks
- CBS and Universal Music went down, but Sony, EMI, Warner, etc, remained up.

Anonymous only had to find a couple of major relevant corporations that were
vulnerable to make a big impact; it doesn't matter that the other dozens
(100s?) of suitable targets were more secure.

~~~
JakeFratelli
If it only takes 1 mistake, would having a hot backup or failover be a best
practice, so that if something does happen, you can immediately channel
traffic to a live site?

~~~
EwanToo
Quite often the failover is just a DNS change to a static page saying "Sorry,
we're currently unavailable".

The difficulty of having a hot backup is preventing a hacker repeating their
attack immediately after you fail over.

~~~
JakeFratelli
Thanks EwanToo - that makes perfect sense. A combination of some security
monitoring system that notifies you of the vulnerabilities along with someone
to update your system is needed. But what if the updates have dependencies,
for instance, incompatible Ruby gems or so. At that point, do you have to make
the tradeoff of security risk vs time to update all gems/resolve
incompatibility issues/deal with bugs in latest release?

~~~
EwanToo
Exactly, if you've got a complex environment, you might not even know that one
of your suppliers deployed an insecure Ruby gem (or any other package), but
you'll want to do full testing before upgrading.

All this leaves big windows of opportunity for attacks.
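
The "monitoring system that notifies you of the vulnerabilities" and the "incompatible gems" trade-off from the exchange above, as an added example (this is not code from the thread or from any poster): a small Ruby audit that reads a Gemfile.lock, compares each resolved gem version against a fix version, and reports whether the Gemfile's own pin would even admit the fixed release. The gem names, versions, advisory IDs and the lockfile itself are constructed for this example and do not describe real packages or real advisories.

```ruby
# Added example: audit a Gemfile.lock against a table of fixed-in versions.
# All gem names, versions, advisory ids and the lockfile below are constructed
# for illustration; they are not real packages or real advisories.
require 'rubygems'

# Constructed advisory table: gem name => first version carrying the fix.
ADVISORIES = {
  'formparser'     => { 'id' => 'EXAMPLE-0001', 'fixed_in' => '2.4.1' },
  'multipart_util' => { 'id' => 'EXAMPLE-0002', 'fixed_in' => '1.3.0' },
  'sessionstore'   => { 'id' => 'EXAMPLE-0003', 'fixed_in' => '1.0.0' },
  'tlsclient'      => { 'id' => 'EXAMPLE-0004', 'fixed_in' => '3.0.2' },
}.freeze

# Constructed Gemfile.lock (same layout Bundler writes: 4-space resolved specs,
# 6-space transitive requirements, 2-space entries under DEPENDENCIES).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      formparser (2.3.0)
        multipart_util (>= 1.0)
      multipart_util (1.2.0)
      sessionstore (0.9.0)
      tlsclient (3.1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    formparser (~> 2.3)
    sessionstore (~> 0.9.0)
    tlsclient
LOCK

# Returns { specs: {name => Gem::Version}, constraints: {name => Gem::Requirement} }.
# Only 4-space-indented lines under "specs:" are resolved versions; the 6-space
# lines beneath them are a gem's own requirements and are deliberately skipped.
def parse_lockfile(text)
  specs = {}
  constraints = {}
  section = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    next if line.empty?
    if line =~ /\A\S/                      # top-level heading: GEM, PATH, GIT, PLATFORMS, DEPENDENCIES
      section = line
      in_specs = false
      next
    end
    if line == '  specs:'
      in_specs = true
      next
    end
    if in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      specs[m[1]] = Gem::Version.new(m[2])
    elsif section == 'DEPENDENCIES' && (m = line.match(/\A {2}(\S+?)!?(?: \((.+)\))?\z/))
      # "name (>= 1.0, < 2.0)" or bare "name"; a trailing "!" marks a git/path source
      constraints[m[1]] = Gem::Requirement.new(m[2] ? m[2].split(', ') : ['>= 0'])
    end
  end
  { specs: specs, constraints: constraints }
end

# One finding per resolved gem older than its fix version. :pin_allows_fix is
# true/false for gems pinned directly in the Gemfile (can `bundle update` reach
# the fix without editing the pin?) and :transitive for gems pulled in indirectly.
def audit(lock, advisories = ADVISORIES)
  findings = []
  lock[:specs].each do |name, installed|
    adv = advisories[name]
    next unless adv
    fixed = Gem::Version.new(adv['fixed_in'])
    next unless installed < fixed
    req = lock[:constraints][name]
    findings << {
      gem: name, id: adv['id'],
      installed: installed.to_s, fixed_in: fixed.to_s,
      pin_allows_fix: req ? req.satisfied_by?(fixed) : :transitive,
    }
  end
  findings.sort_by { |f| f[:gem] }
end

if __FILE__ == $0
  audit(parse_lockfile(SAMPLE_LOCK)).each do |f|
    puts "#{f[:gem]} #{f[:installed]} < #{f[:fixed_in]} (#{f[:id]}); " \
         "Gemfile pin allows fix: #{f[:pin_allows_fix]}"
  end
end
```

On the constructed lockfile this reports three gems: formparser, whose `~> 2.3` pin already admits 2.4.1 (a plain `bundle update formparser` and a test run); multipart_util, which is only reachable through formparser's own requirement; and sessionstore, whose `~> 0.9.0` pin excludes 1.0.0, so the Gemfile has to be loosened and whatever breaks on the major bump dealt with. The last case is exactly the window EwanToo describes: the patched release exists, but shipping it costs a compatibility pass.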

------
JakeFratelli
*Point of clarification: I'm not asking why Anon went after them, just how they could be so vulnerable.

------
JuurianChi
CBS and other companies are what we call "old money". And when it comes to
things like websites and social networks, they just don't have the mindset
that they should have when it comes to it. That said, their servers are
greatly under-managed, and the people working in those areas are unable to
keep up because when they first started, they were still writing "the book".
Also, Anon is made up of more than just bored 18-year-olds (as the media
greatly dramatizes), but rather "disgruntled" and "fed up" masters who want to
retaliate in any way possible.

