The hacker group Anonymous has been in the news recently for a variety of reasons, including WikiLeaks, the HBGary breach, and other things. One recent item was a relatively high-profile defection from the organization, the departure of SparkyBlaze for a variety of reasons, including being “fed up with anon putting people’s data online and then claiming to be the big heroes.”
I run the @CiscoSecurity Twitter feed, so I spend a lot of time on Twitter, and saw that @SparkyBlaze was an active user, so I pinged him with a DM in an effort to get his side of the story. I also wanted to get a glimpse into things on the other side – it is probably in the best interest of everyone in the security industry to have a better understanding of Anonymous and others in the underground hacker community. While the human factors were of some interest, I was also really curious about his take on the state of corporate security and wanted to see what he had in the way of concrete recommendations for organizations wanting to prevent breaches and break-ins.
Some might ask, are we giving an illegal hacker a platform? I would say, no. Sparky himself says it very clearly: “Stay away from black hat hacking. White hat hacking is a lot more fun, you get paid for it, it is legal. A conviction for hacking and leaking a database will affect you for the rest of your life.”
Beyond the handle @SparkyBlaze and a Hushmail address, we know little about him, and beyond what we have below, he wasn’t talking. That said, here’s the interview:
JL: Can you tell us a little bit about your background?
SparkyBlaze: Well, I am from Manchester. I went through school not caring… my teachers always said I knew the stuff but I couldn’t be bothered to do anything. They were right, as nothing interested me. I am only hard-working if I am passionate about something, like computers. I went through my childhood bored as hell till I found computers. I love things like Defcon and hacker conferences and talking to other hackers. I love managing servers (and making sure they are secure).
I am white, in my 20’s and planning on moving to America to study computing and ethical hacking (I think it is best if they don’t know about me and anon ;D). I plan to live there as I have always wanted to. I love guns also, but it is mostly illegal in Britain and there are no ranges to shoot on.
JL: How did you get into computers and security?
SparkyBlaze: I got into computers as I grew up around them. I like physical security and just applied my interest to computers. Then I started to learn about firewalls and exploits… things like that.
JL: And how did you get hooked up with Anonymous?
SparkyBlaze: Well I got into Anonymous like most people there. I love hacking and I believe in things such as free speech. I came across a page on Anonymous and was interested in them so I just started hanging out in IRC with them and it went from there.
JL: What are your thoughts on hacktivism?
SparkyBlaze: Hacktivism is an interesting subject. I love hacking and I believe in free speech and anti-censorship, so putting both together was easy for me. I feel that it is ok if you are attacking the governments. Getting files and giving them to WikiLeaks, that sort of thing, that does hurt governments. But putting user names and passwords on a pastebin doesn’t [impact governments], and posting the info of the people you fight for is just wrong.
JL: How do you think the rest of the world views hackers?
SparkyBlaze: Hackers and computer savvy people are just frowned upon. Hackers are the big, bad wolf and computer savvy people need to “get out of there basement.” Most people don’t know what hacking is, they use the same passwords everywhere and don’t use antivirus/firewalls. For them it’s an “out of the box” Windows install with IE7. This is the issue with people nowadays; they don’t understand the importance of computers and computer security.
JL: What is your take on the current status of the security industry?
SparkyBlaze: Information security is a mess, like I have just mentioned. Companies don’t want to spend the time/money on computer security because they don’t think it matters. They don’t encrypt the data nor do they get the right software, hardware and people required to stay secure. They don’t train their staff not to open attachments from people they don’t know. The problem isn’t the software/hardware being used… it is the people using it. You need to teach these companies why they need a good information security policy.
JL: What are some of the biggest challenges you see out there?
SparkyBlaze: In my mind social engineering is the biggest issue today. We have the software/hardware to defend buffer overflows, malware, DDoS and code execution. But what good is that if you can get someone to give you their password or turn off the firewall because you say you are Greg from computer maintenance just doing testing. It all comes down to lies, everyone does it and some people get good at it.
JL: So what sort of advice would you give enterprises and other organizations out there as they grapple with security-related issues?
SparkyBlaze: Here’s the advice I would give to companies:
- Deploy defense-in-depth
- Use a strict information security policy
- Have regular audits of your security by an outside firm
- Use IDS or IPS
- Teach your staff about information security
- Teach your staff about social engineering
- Keep your software and hardware up to date
- Watch security sites for news on computer security and learn what the new attacks are
- Let your sysadmins go to defcon ;D
- Get good sysadmins who understand security
- Encrypt your data (something like AES-256)
- Use spam filters
- Keep an eye on what information you are letting out into the public domain
- Use good physical security. What good is all the [security] software if someone could just walk in and take [your “secure” systems]?
JL: What kind of advice would you have for young folks who are interested in working in security?
SparkyBlaze: Stay away from black hat hacking. White hat hacking is a lot more fun, you get paid for it, it is legal. A conviction for hacking and leaking a database will affect you for the rest of your life.
For example: You go for a job and it is down to you and someone else. You both have the same qualifications and are good at what you do. They do a background check on both of you… his is clean, yours says you hacked a server and put all the data online… Who will they give the job? It won’t be you.