Slashdot Mirror


Anatomy of the HBGary Hack

PCM2 writes "Recently, Anonymous took down the Web sites of network security firm HBGary. Ars Technica has the scoop on how it happened. Turns out it wasn't any one vulnerability, but a perfect storm of SQL injection, weak passwords, weak encryption, password re-use, unpatched servers, and social engineering. The full story will make you wince — but how many of these mistakes is your company making?"

220 comments

  1. Awesome by cs668 · · Score: 5, Funny

    The story of their being hacked and how it was done has probably done more for systems security than they as a company ever have......

    1. Re:Awesome by b4dc0d3r · · Score: 0

      This is just a test, ignore. Thanks for fixing, geeknet!

    2. Re:Awesome by hairyfeet · · Score: 4, Insightful

      Don't you just love it? Whether you are for the Anon guys or not you just gotta love a bunch that advises others on security that falls for every single bad practice in the book. They had badly coded CMS that didn't sanitize squat, no real rules when it came to passwords, passwords badly hashed, reuse of passwords, just on and on it is like a comedy of fail!

      I have to agree with you that this should be a valuable life lesson for those that haven't paid attention before. Of course I figured that by the time SQL injection tricks had gotten so common XKCD was doing the "Bobby Drop Tables" bit that surely everyone had learned to sanitize? Apparently not and how sad but funny that it was a security group that was such a king of fail. It's like having the town drunk lecture you on responsible drinking while killing his second bottle of Jack! It's just too funny!

      --
      ACs don't waste your time replying, your posts are never seen by me.
    3. Re:Awesome by azalin · · Score: 1

      The SQL injection problem falls into the classic DO NOT TRUST USER INPUT rule. For web applications escape everything (especially POST and GET vars), cast known number inputs to int (or float), cut off input that is longer than the corresponding input field allows, have default values to fall back on, encrypt... It isn't paranoia if they truly are out to get you. And on the net they are. Know that there are people who are better at breaking things than you are at patching the holes, so don't make their lives too easy. Best thing to do is to learn from others' (and your own) failures.

    4. Re:Awesome by b4dc0d3r · · Score: 1

      sorry, not fixed yet. go ahead an mod me off-topic people, I'm demonstrating things for geeknet. Love you too.

    5. Re:Awesome by f1vlad · · Score: 1

      testing

      --
      o_O
  2. because by Anonymous Coward · · Score: 0

    Pride comes before a fall

    1. Re:because by hesiod · · Score: 1

      That's correct. What comes before a fall is "Oh $#!&, I'm about to fall."

  3. Definitely interesting.... by jesseck · · Score: 3, Interesting

    I've been following this since I heard of it happening- definitely interesting. I like the idea of a custom CMS to avoid an open one (more security). And the poor admin who gave out root, dropped firewalls, and gave up the correct username all via email- that's a bummer. I bet that will be among his "worse day ever" collection. As for shared passwords, I'm sure a lot of us work at guilty companies. Hell, active directory exists partially to address the need for multiple passwords. In all, I enjoyed reading how it was done- quick, efficient work.

    1. Re:Definitely interesting.... by NevarMore · · Score: 4, Insightful

      I like the idea of a custom CMS to avoid an open one (more security).

      It's far easier to audit existing code than it is to build your own code. Even if you write it yourself you have to do the same auditing and testing that you would against an existing product.

    2. Re:Definitely interesting.... by nodwick · · Score: 3, Interesting

      I've been following this since I heard of it happening- definitely interesting. I like the idea of a custom CMS to avoid an open one (more security).

      Sadly the moral of the story is the exact opposite - the custom CMS HBGary commissioned was actually less secure, as it appears not to have been subjected to proper security audits, nor was it being updated to patch discovered bugs. Direct from TFA:

      Rather than using an off-the-shelf CMS (of which there are many, used in the many blogs and news sites that exist on the Web), HBGary—for reasons best known to its staff—decided to commission a custom CMS system from a third-party developer. Unfortunately for HBGary, this third-party CMS was poorly written. In fact, it had what can only be described as a pretty gaping bug in it. A standard, off-the-shelf CMS would be no panacea in this regard—security flaws crop up in all of them from time to time—but it would have the advantage of many thousands of users and regular bugfixes, resulting in a much lesser chance of extant security flaws.

      The very thing you consider a disadvantage in an open software system - the fact that anyone can discover bugs in it - also helps ensure that such bugs are publicized and fixed. With HBGary's custom CMS, the bugs were still there, but the only people looking were the ones specifically trying to break into their system. There can be a case for code obscurity, but if that's all you're relying on to protect yourself, I'd say you're really just burying your head in the sand.

    3. Re:Definitely interesting.... by jamienk · · Score: 4, Insightful

      A non-custom CMS like WordPress is very often the target of massive automated attacks: a new bug is discovered in WP and a tool is written to seek out vulnerable installations and exploit that bug. If you have the skill or $$ to pore over the code, you can probably find your own bugs before they become publicly known.

      On the other hand, if your site is specifically targeted, then your custom CMS is as vulnerable or more than the WordPresses out there. You might have a bit of security through obscurity (in a standard WP install, the attacker might know file names and locations, variable names, classes, etc.) but this will probably do you little good if you weren't able to harden the code.

      Lesson: you are screwed if a rich, powerful, or smart attacker singles you out. A standard CMS can land you in hot water if you don't have a knowledgeable person administering it (and who has that?).

    4. Re:Definitely interesting.... by Ihmhi · · Score: 3, Interesting

      What happened to HBGary is like a fire station burning down because the smoke alarms didn't work - you'd think they, of all people, would know better.

    5. Re:Definitely interesting.... by PitaBred · · Score: 2

      A custom CMS will protect you against most automated attacks against a "generic" CMS. But it will leave you more vulnerable to directed attacks, which is what happened here.

    6. Re:Definitely interesting.... by benjamindees · · Score: 5, Funny

      It's more like a fire station burning down because the fire chief was being paid by the mayor to make molotov cocktails and throw them at local teenagers and one day they decided to throw one back and instead of putting the fire out the firemen screamed and ran around in circles and poured gasoline on it and the fire station exploded. But, yeah.

      --
      "I assumed blithely that there were no elves out there in the darkness"
    7. Re:Definitely interesting.... by jamienk · · Score: 1

      But if you are vulnerable to automated attacks, then you most certainly are also vulnerable to directed attacks, no? The attacker can just use a known (or new) attack against WordPress once they see that that is what you are running:

      "Aha! From the Meta Tags I can tell they're running WordPress. Looks like it's version X. I'll do a POST to site/wp-admin/tiny-mce/lang/en-us/takefile.php of a PHP script. If they didn't apply the patch that was released yesterday I should be able to upload my PHP script which will allow me write access or at least read access..." If you were not up-to-date in your install (or if you haven't audited any plugins you used), then the entire hack might take just a few minutes, and could be done by someone with only rudimentary skills.

      No?

    8. Re:Definitely interesting.... by Anonymous Coward · · Score: 0

      I like the idea of a custom CMS to avoid an open one (more security).

      It's far easier to audit existing code than it is to build your own code. Even if you write it yourself you have to do the same auditing and testing that you would against an existing product.

      To add to your point.

      The same vulnerability information that was available to Anonymous was available to the admin (if the admin had cared to look). This is not about open vs. closed source or security through obscurity - it's about taking security seriously.

    9. Re:Definitely interesting.... by nedlohs · · Score: 1

      Sure, but the idea is that you do apply the patch that was released yesterday at some point in the very near future, so you are only vulnerable for a short time period. So most of the time there aren't any known vulnerabilities that make you vulnerable and the direct attacker likely isn't going to find one right now.

    10. Re:Definitely interesting.... by Sulphur · · Score: 1

      It's more like a fire station burning down because the fire chief was being paid by the mayor to make molotov cocktails and throw them at local teenagers and one day they decided to throw one back and instead of putting the fire out the firemen screamed and ran around in circles and poured gasoline on it and the fire station exploded. But, yeah.

      In a WWII test of bat delivered incendiaries, the bats set fire to the base's wooden water tower and other locations. Further development was canceled.

    11. Re:Definitely interesting.... by CodeBuster · · Score: 1

      Another benefit of choosing the "generic" CMS solution is that even when a new exploit is discovered, it's highly unlikely that those in possession of such a valuable prize, a zero day vulnerability in a major CMS product, are going to waste it on a small security company like HBGary (high-profile antics of one ridiculously over the top CEO, Aaron Barr, notwithstanding) or some random individual user. No, the exploit will be saved for a high value target or sold to the highest bidder. Writing your own CMS from scratch and then exposing it to the public Internet is like writing your own "killer" encryption algorithm, it just shouldn't be done. It's better to leave such concerns to established projects, both open source and proprietary, that have received ample scrutiny over the years by real experts, not the sort like Aaron Barr, and repeatedly probed for weaknesses in the wild.

    12. Re:Definitely interesting.... by Anonymous Coward · · Score: 0

      No you don't, even digital security experts don't audit their code.

    13. Re:Definitely interesting.... by SlappyBastard · · Score: 1

      A custom CMS isn't a bad thing if you commit hard to securing it.

      For various reasons, I've built custom CMSes. What I've committed to doing is limiting the accepted inputs. If something only needs an ID, then the inputs should be scrubbed down to only accept integers. If something only needs a name, scrub the inputs down to a regular expression covering letters, spaces and integers.

      Where people get in trouble is not scrubbing their input aggressively.

      --
      I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
    14. Re:Definitely interesting.... by smellotron · · Score: 1

      A non-custom CMS like WordPress is very often the target of massive automated attacks: a new bug is discovered in WP and a tool is written to seek out vulnerable installations and exploit that bug. If you have the skill or $$ to pore over the code, you can probably find your own bugs before they become publicly known

      Wordpress is a particularly bad example. There are a lot of features it supports that a custom CMS may not support that make security more difficult. It's not unreasonable to expect a custom-build solution to be more secure than the generic solution if the generic solution has many more features (and thus more complexity and potential for nuanced bugs).

    15. Re:Definitely interesting.... by Pootie+Tang · · Score: 1

      Yes and no.

      With custom code that audit, should you bother, needs to happen once and then perhaps again when changes are made.

      An open CMS is likely a moving target. Depending on the code quality and the familiarity of the audit team, an audit probably is easier, but how long is that audit really good for? What do you do when you KNOW you are running an insecure version as a hole has been found, but are not in a position to upgrade and re-audit the entire CMS? Do you get paid to keep the software updated to the latest version at all times?

      It sounds very much like HBGary was a target who didn't feel the need to secure their own systems as well as they could have. I don't think an open or closed CMS matters that much compared to their perceived business priorities. How many open CMS products make the same mistakes of using a fast hash function like MD5? Without a salt or multiple iterations?

      These problems are common. It takes more resources to fix them. Is it worth it? For them I can easily see them laughing all the way to the bank had one clueless individual not provoked Anonymous. They fired the vendor, that's probably the fix they intend on as far as their CMS goes. After all, if your admin is going to give out the passwords based on an email, does how you store it protect you?

      For them the ROI of STFU was greater than fixing every best practice ignored. But they screwed that up too. I'm sure they could have screwed it up with an open CMS as well.

    16. Re:Definitely interesting.... by Isaac+Remuant · · Score: 1

      I thought this was common standard for people who worked with these types of web projects. I guess the haste of finishing or implementing something may end up with the creators overlooking vital security procedures?

      I mean, I've heard it from every expert, in every tutorial, from every knowledgeable user.

      --
      "Science can amuse and fascinate us all, but it is engineering that changes the world. " - Asimov.
    17. Re:Definitely interesting.... by LoztInSpace · · Score: 1

      There's no harm in using regex etc to perform some basic up-front validation, but the best and only way to prevent this crap is to use parameterised queries. It's all you need to do. (Oh, and escape your output appropriately to your target environment as well)

    18. Re:Definitely interesting.... by somersault · · Score: 1

      I work for a small business and have made some CMSes that were originally intended for LAN access only (though now are exposed to the web), but even then I looked into half decent password security. I still use MD5, but I salt the passwords to make them less susceptible to rainbow tables, plus the user database is held in a separate database from the rest, so even if someone got a go of a session that is already logged in and found an injection flaw then it would be difficult to find an input that was interacting with the users database. I use SQL parameters and some escaping for user input, though I don't go as far as to check only for integers in integer fields etc. I obviously now run it only over HTTPS so that people can't snoop on session cookies even from inside the building, but it's especially important when people are logging in from out and about. I haven't enforced any password complexity rules, but I have set up the login page so that each user can only make a login attempt every 5 seconds or so.. it adds in a random delay of a few seconds too so that they shouldn't even be able to tell if a username is valid or not by measuring response times etc..

      I can understand some noob writing an insecure CMS for a small time family business or something, but for Security "Experts" to have commissioned and use a system like this is a joke. I wouldn't recommend myself to a banking or security firm as I still consider myself clueless in terms of real systems hardening, but wtf.. on top of this system being written by a clueless or lazy ass, they just treated it as if it was 100% secure, using the same passwords for it as they do for everything else. I sometimes re-use passwords, but since I don't really trust even my own system as 100% secure as I'm sure I don't know about every exploit out there, I use a separate password for it.

      --
      which is totally what she said
    19. Re:Definitely interesting.... by somersault · · Score: 2

      You also need to make sure that the library you're using for parameterised queries implements them properly.. some libraries are apparently lazy and just concatenate stuff together behind the scenes rather than doing it the right way.

      --
      which is totally what she said
    20. Re:Definitely interesting.... by somersault · · Score: 1

      Writing your own CMS from scratch and then exposing it to the public Internet is like writing your own "killer" encryption algorithm, it just shouldn't be done

      Uh oh! Guess I'm going to hell.

      --
      which is totally what she said
    21. Re:Definitely interesting.... by somersault · · Score: 1

      I think it's reasonable to expect the login security of Wordpress to be pretty hardened. The CMS that I wrote won't even do anything unless you've logged in first. I tried running skipfish on it after giving it a login account, and other than filling a few tables with failed attempts at SQL injections, it was fine. That's not to say it's 100% secure, or more secure than something like Wordpress though. I'd trust the system that's very public and likely subject to constant attacks more than my own one, which very few people even know exists. I definitely wouldn't want to post the address of it up somewhere like here or 4chan D: Actually I'd be really interested to see the results and learn some lessons, but not when it would actually damage the company I work for.

      The guys that they got to redesign our public website recently were complete idiots, I bet there are a few security flaws in there... I should maybe have a play about with it..

      --
      which is totally what she said
    22. Re:Definitely interesting.... by Anonymous Coward · · Score: 0

      The OP was being sarcastic. Recalibrate your sensors.

    23. Re:Definitely interesting.... by Ihmhi · · Score: 1

      I dunno, I'd call that a successful test, wouldn't you?

    24. Re:Definitely interesting.... by SlappyBastard · · Score: 2

      Considering the number of hacked major websites I've now heard of storing their passwords in plaintext, my faith in industry standards is shot. When sites the size of Gawker, Reddit and Plenty of Fish fail this really braindead obvious level of security, I think people who implement plain MD5 start to feel like geniuses.

      --
      I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
    25. Re:Definitely interesting.... by DarkOx · · Score: 1

      It's also true that if you are willing to put the time and resources into developing your own CMS you could use those same resources to add whatever features you need and spend the rest of the time auditing and hardening an Open Source solution.

      There is some terrible Open Source software out there; just because it's open does not mean it's secure. But with little effort you could likely compile a list of open CMS products with the features you need, then sort them by best security track record weighted by market share. Take the top result and get to work.

      Audit it, harden it, discreetly report any bugs you discover and fix to the project maintainer. That is what I would have done if I worked at a security company and was given the resources required to build a custom solution.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    26. Re:Definitely interesting.... by mcvos · · Score: 1

      For various reasons, I've built custom CMSes. What I've committed to doing is limiting the accepted inputs. If something only needs an ID, then the inputs should be scrubbed down to only accept integers. If something only needs a name, scrub the inputs down to a regular expression covering letters, spaces and integers.

      Where people get in trouble is not scrubbing their input aggressively.

      Scrubbing your input is the wrong approach. The fix for SQL-injection is really simple: use parametrized queries. If you always, always do that, you can accept any input, and it will never accidentally be interpreted as a query. Explicitly scrubbing your input makes it possible, and therefore likely, to forget something. Parametrized queries is the only way to go. Accept no exceptions.

      Unfortunately my bank seems to use input scrubbing for passwords, and that frightens me. It gives me the impression that they're incompetent about web security. And they probably are.
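      To make the point mcvos, LoztInSpace and azalin are arguing concrete, here is an added example written for this page (it is not code from HBGary's CMS, from the Ars Technica article, or from any poster): the same user lookup written once by pasting the input into the SQL text and once with a bound parameter, run against a constructed in-memory SQLite table. The table, the two user names and the test input are all made up. The third function shows the "cast known number inputs to int" rule from above as a check layered on top of a bound parameter, not as a substitute for one.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database (not real data): two users, no secrets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the input becomes part of the SQL text, so a quote
    character in it changes the structure of the query (the HBGary-style bug)."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value travels separately from the statement and is
    only ever compared as data, whatever characters it contains."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def find_user_by_id(conn: sqlite3.Connection, raw_id: str):
    """Belt and braces for a field that can only ever be an integer: reject
    anything else up front, and still bind the value as a parameter."""
    if not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    row = conn.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None


# Constructed test input: a quote plus a tautology, the textbook injection shape.
PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    conn = make_db()
    return {
        "concat": find_user_concat(conn, PAYLOAD),   # returns every user: the bug
        "param": find_user_param(conn, PAYLOAD),     # returns nothing: no such name
        "by_id": find_user_by_id(conn, "2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

      Running it shows the concatenated query handing back both rows for a name that does not exist, while the parameterised query returns an empty list for exactly the same input. The integer check exists to reject malformed ids early with a clear error; it is the bound parameter that keeps the query's structure fixed.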

    27. Re:Definitely interesting.... by Sulphur · · Score: 1

      I dunno, I'd call that a successful test, wouldn't you?

      Yes, I would. It might have something to do with a poorly designed test and someone's effectiveness rating.

    28. Re:Definitely interesting.... by Anonymous Coward · · Score: 0

      Two problems here though - (1). HBGary are supposed to be security experts, so if they'd simply got caught out by a WordPress bug before it was patched, at least they'd have an excuse; as it is, they look like a bunch of arse-clowns, and (2). While WordPress does have security flaws, they generally aren't as dumb as the flaws in HBGary's system.... so perhaps they should outsource their security audits to the WordPress devs! :D

      Finally, it may not have been viable for HBGary, but it is very simple to set up a CMS purely for content management on a privately accessed server, and push changes onto a public facing server with only static content. As I say, it might not have suited their environment, but it is *REALLY* simple to create something like that and it is pretty solid.

  4. Mistakes by codepunk · · Score: 5, Insightful

    But how many of these mistakes is your company making?

    Most companies probably make these mistakes, all except the biggest mistake which was poking a sleeping bear.

    --
    Got Code?
    1. Re:Mistakes by Anonymous Coward · · Score: 0

      'Anonymous' is not a bear. They're an anthill. Unlikely to be deadly, but it's embarrassing and bad for business when you're picking them out of your clothes at a security conference.

    2. Re:Mistakes by mcvos · · Score: 1

      But how many of these mistakes is your company making?

      That's the important question here. And it wasn't any terribly advanced cracking that brought HBGary down. Apart from the bit where they gave a normal linux user superuser privileges through some exploit, I could have done every step of it myself. And I'm no security expert.

      A couple of really basic lessons here:
      * Always, always use parametrized queries. It makes your code cleaner, and it automatically protects against SQL-injection. There's no reason not to do this.
      * Always salt your hash. Yeah, I don't do it either, but this article makes very clear why it's important.
      * Use long passwords, and don't reuse important passwords. Really, length is by far the most important defense for passwords. Don't go for 8 characters, go for 16. (I'm at 10-12 currently. I think I need to make them longer. Also, I do reuse passwords, which I clearly shouldn't.)
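      As an added example for the two password points above (mcvos's "always salt your hash" and Pootie Tang's "MD5 without a salt or multiple iterations" further up) together with somersault's login throttling and random delay: this is example code written for this page, not anything from HBGary's CMS or from any poster. It contrasts the unsalted MD5 scheme the thread criticises with a per-user salted, iterated PBKDF2 hash, and wraps verification in a login gate that enforces a minimum interval per user and does the same amount of hashing work for unknown names, so response time does not reveal whether a username exists. The iteration count, the interval and the sample user are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional

ITERATIONS = 100_000  # assumption for the demo; raise it for real deployments


def md5_unsalted(password: str) -> str:
    """The scheme the thread criticises: identical passwords give identical
    hashes for every user and every site, so one precomputed table reverses all."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus many iterations of PBKDF2-HMAC-SHA256.
    Stored as a self-describing string so parameters can be raised later."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


class LoginGate:
    """Rate-limited login check.

    - one attempt per user per `min_interval` seconds (somersault's 5-second rule);
    - unknown usernames are checked against a dummy hash so the failure path
      costs the same as a real one and timing does not leak which names exist.
    The clock is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, users: Dict[str, str], min_interval: float = 5.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.users = users
        self.min_interval = min_interval
        self.clock = clock
        self.last_attempt: Dict[str, float] = {}
        self.dummy = hash_password(secrets.token_hex(16))  # random, never matches

    def attempt(self, name: str, password: str) -> str:
        now = self.clock()
        last = self.last_attempt.get(name)
        if last is not None and now - last < self.min_interval:
            return "throttled"
        self.last_attempt[name] = now
        stored = self.users.get(name, self.dummy)
        ok = verify_password(password, stored)          # always does the PBKDF2 work
        return "ok" if ok and name in self.users else "denied"


# Constructed sample account (not a real credential).
USERS = {"alice": hash_password("correct horse battery staple")}

if __name__ == "__main__":
    print("md5 of 'password' is the same everywhere:", md5_unsalted("password"))
    print("two salted hashes of one password differ:",
          hash_password("password") != hash_password("password"))
    gate = LoginGate(USERS)
    print(gate.attempt("alice", "wrong"), gate.attempt("alice", "wrong"))  # denied throttled
```

      The stored format carries its own salt and iteration count, which is what lets a site raise the work factor later without re-hashing everything at once; the per-user throttle is kept in memory here and would live in the user table or a cache in a real service.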

    3. Re:Mistakes by mcvos · · Score: 1

      Forgot another important one: don't neglect to install the security patches for your OS.

    4. Re:Mistakes by Magada · · Score: 1

      And boy, were they poking (http://hbgary.anonleaks.ch/aaron_hbgary_com/9464.html). Trying to distribute a compromised LOIC? That alone could have gotten a lot of people angry.

      --
      Something bad is coming when people are suddenly anxious to tell the truth.
  5. The real mistake by Fex303 · · Score: 5, Insightful

    The full story will make you wince — but how many of these mistakes is your company making?

    Well, we're not going after 4chan/anonymous, so we're probably in the clear.

    I think the biggest security mistake it's possible to make is antagonizing the largest collection of bored hackers/crackers/script kiddies/associated hangers on that exists.

    1. Re:The real mistake by Anonymous Coward · · Score: 1

      Rule 34 of HBGary, I need it.

    2. Re:The real mistake by Anonymous Coward · · Score: 0

      Rule 34 of HBGary, I need it.

      I LOL'ed FWIW

    3. Re:The real mistake by Anonymous Coward · · Score: 0

      moar sauce

    4. Re:The real mistake by dwarfsoft · · Score: 1

      In other words: you have installed curtains and have bought a dog. Anonymous is no longer a threat to you...

      --
      Cheers, Chris
    5. Re:The real mistake by GNUALMAFUERTE · · Score: 1

      needs more desu

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    6. Re:The real mistake by GNUALMAFUERTE · · Score: 1

      That's not going to help, now we have this Anon: http://images.encyclopediadramatica.com/images/b/b0/DogproofAnonymous.jpg

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    7. Re:The real mistake by gosand · · Score: 1

      Well, to be fair - a COMPANY doesn't have to go after Anonymous... all it takes is one person, then the company may be held accountable. Can you control what every person in your company says or does? All it takes is one comment, one "published" opinion to set off vigilantes. Then how do you stop them?

      --
      My beliefs do not require that you agree with them.

    8. Re:The real mistake by Anonymous Coward · · Score: 0

      A shame, this should have been modded funny.

      I don't believe anyone really thinks that the trick to information security is a political answer. Especially the long-tried and failed answer of hoping those who can break in for your information, won't, if you are nice enough to them.

  6. Anonymous by Conrthomas · · Score: 1

    As it turns out, Anonymous isn't a bunch of 16 year old Swedish kids in their moms' basements running the LOIC. No, my friends, Anonymous knows what they are doing, and God spare your soul if you provoke them.

    1. Re:Anonymous by Anonymous Coward · · Score: 1

      except if you read the IRC logs when the CEO of hbgary (penny something) went to talk to anon, it was mentioned that the sql portion of the hack was actually done by a 16 year old girl who goes by the handle kayla

    2. Re:Anonymous by Neuroelectronic · · Score: 0

      Did you read the article? There was nothing special about this hack.

    3. Re:Anonymous by the+linux+geek · · Score: 2

      Because social engineering is so totally an Uber Advanced Hacking Technique. Anyone who hands out a root password, enables remote root SSH access, and shuts off a firewall because of an email message is dangerously complacent.

    4. Re:Anonymous by Zironic · · Score: 1

      I'm not sure, supposedly the girl that got the root password was 16 years old and it's not like you have to be a hacking genius to exploit an SQL injection in their page URL and crack the MD5 through a free website's rainbow table.

      Neither is it hardcore hacking to google "[Linux flavor vulnerability] and run it on an unpatched machine"

    5. Re:Anonymous by Anonymous Coward · · Score: 0

      About as "talented" as Kevin Mitnick then?

    6. Re:Anonymous by HornWumpus · · Score: 1

      And they had dated pictures of her tits to prove that she was an actual girl?

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    7. Re:Anonymous by Anonymous Coward · · Score: 0

      Yeah, he was pretty much a talentless asshole. Conning someone doesn't take any kind of special gifts even if he seems to think so.

    8. Re:Anonymous by JonySuede · · Score: 1

      conning someone requires wit and charisma d20 check

      --
      Jehovah be praised, Oracle was not selected
    9. Re:Anonymous by Anonymous Coward · · Score: 0

      knowing what /b/ does, they have sharpie pictures too

    10. Re:Anonymous by CodeBuster · · Score: 2

      It's easy to monday morning quarterback this thing but consider the following two points (from TFA):

      1. The social engineering portion of the attack originated from Aaron's company gmail account (HBGary used Google Apps for mail), which anonymous had gained access to through the gmail account of the admin who re-used his password from the hacked CMS. So the email to the Finnish sysadmin came from Aaron's gmail account (i.e. Anonymous was effectively impersonating Aaron using his own credentials).

      2. The email exchange, which is repeated in TFA, shows that Anonymous used information from Aaron's old emails, including two previous root passwords, to further reinforce the notion that the email did indeed come from Aaron Burr who was in a jam before meeting clients in Europe and needed root SSH access asap.

      So while the method itself may not have been sophisticated, the wording of the spear phishing messages, carefully chosen to create just the right combination of credibility and urgency, really was a master stroke. Obviously Anonymous has a few people who have done this before. Besides, have you ever tried to make credible pretext emails or phone calls to social engineer information? It's harder than it looks.

    11. Re:Anonymous by Anonymous Coward · · Score: 0

      '16 year old girl' is a meme.

    12. Re:Anonymous by Isaac+Remuant · · Score: 1

      Obviously, you're to take everything you read at face value.

      Specially when it serves to further embarrass the antagonists of the "truth tellers".

      --
      "Science can amuse and fascinate us all, but it is engineering that changes the world. " - Asimov.
    13. Re:Anonymous by Ash+Vince · · Score: 1

      As it turns out, Anonymous isn't a bunch of 16 year old Swedish kids in their moms' basements running the LOIC. No, my friends, Anonymous knows what they are doing, and God spare your soul if you provoke them.

      As with any large group, there will be a mix.

      There will be plenty of the clueless 16 year old variety, and these were probably the ones that Aaron Whats-his-name had "unmasked". We used to call this lot rentamob as they were great for bulking out numbers, being vocal and asking the questions other people wanted answering but did not want to ask themselves. The quiet ones sitting on IRC but hardly ever saying anything apart from asking people to go to a private channel when they say something interesting are probably the ones to look out for, but they probably know how to make sure their communication is both private and fairly anonymous.

      PS - I know I could lookup Aaron's real surname, but he is not worth wasting my time on as my lunch break is precious.

      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
    14. Re:Anonymous by Inda · · Score: 1

      Yeah, but, those emails were almost childish in nature. Do people really format their emails like that in the professional world?

      Were Anon clever enough to mimic his original sloppy writing style?

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    15. Re:Anonymous by Carewolf · · Score: 1

      You can always spoof a from address. That is the easiest trick in the book, and it doesn't matter WHO your email provider is. From addresses are not authenticated. I would say the access to old emails making it possible to use the same language and tone was much more important.

    16. Re:Anonymous by Anonymous Coward · · Score: 0
      1) Actually it was gary hogland's email that was used to get the public IP and root password (and even gary's own username which he had apparently forgotten?? this should have been the biggest clue to Jussi..)

      2) What kind of security company distributes root passwords through plain text emails on fucking Gmail?!?!? They got what was coming to them in my opinion. If it wasn't anonymous, maybe it would have been a competitor eventually..

      The social engineering side of it was not mitnick-esque. I'm really surprised that Jussi fell for it. I'm really surprised that the company KNEW that Aaron was trying to infiltrate Anonymous, but NOBODY in the company was on the lookout for anything fishy? A security company??? But really the whole thing stemmed from running a proprietary badly coded CMS, bad internet facing network/machines. The whole thing is an uber-embarrassment especially to (even a small) federally funded company in my opinion.

  7. Re: SQL injection by naz404 · · Score: 4, Funny

    Looks like they got taken out by Little Bobby Tables...

    http://xkcd.com/327

  8. Incompetent by Anonymous Coward · · Score: 5, Insightful

    I'm just amazed at how completely oblivious "Chief Security Specialist" Jussi Jaakonaho was during the email correspondence, AND that he was perfectly fine with sharing root passwords via plaintext email.

    How do these people even get security jobs and be negligent in even the simplest security practices?

    1. Re:Incompetent by Anonymous Coward · · Score: 0

      I'm just amazed at how completely oblivious "Chief Security Specialist" Jussi Jaakonaho was during the email correspondence, AND that he was perfectly fine with sharing root passwords via plaintext email.

      How do these people even get security jobs and be negligent in even the simplest security practices?

      Because they're smarmy yet personable little nothing bastards who can quickly make most people like them by playing the "life of the party" role, talking about themselves a lot, speaking much more loudly than what is necessary to guarantee that you can hear them, never shutting up, and generally being full of themselves. For some reason the more average people eat that shit up, perhaps because that's how they got where they are too and consider it a willingness to play the game, or a form of deference and flattery. Thus they get into the positions they have not because of merit and skill, but because they knew the right people.

      People like that quite literally run the world. They love the sense of importance they get from positions of authority, mistaking that role for true inner meaning and purpose. Only enough is never enough when you do that the wrong way. So governments get bigger, corporations become more powerful and gain more political clout. They and the interests they represent so faithfully get to make all of the important decisions. That's why it does not matter for whom you vote, for anyone who gets into office will face the same pressures. Does that explain a few things for you?

      This little hubris displayed by self-appointed experts HBGary is just a microcosm of far larger trends. It is only a matter of scale. Anonymous represents the growing numbers of people who are frustrated because there are few "working within the system" options that can address the problem. This kind of informational attack is far more civilized than the kind of terrible, physical rioting that is going on now in Egypt, making it easier for people to risk real jail time to engage in it. At least, I think that's why they are so willing to break the law. I'm not a member of Anonymous, I neither condemn nor condone their actions, I just see a lot of stories lately involving them. The above is my speculation about why they do what they do with such effectiveness and determination.

    2. Re:Incompetent by Flyerman · · Score: 1

      Technically, his "boss" started it by putting the passwords in email, when he replied, he didn't use the full pass.

      Changing his boss's pass and telling him the username was a bit silly, though.

    3. Re:Incompetent by HornWumpus · · Score: 1

      A quick Google reveals he apparently used to work for Nokia. First as a design engineer then as a 'Chief Security Specialist' (either that or he is a Russian Guitarist).

      It has no record of his having moved to a new job. Perhaps this was his first day?

      He had reached his level of incompetence. I'm guessing he is now unemployed and very soon unemployable. Google hasn't indexed much of this yet.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    4. Re:Incompetent by jesseck · · Score: 4, Interesting

      I also wonder though, how much of that was brought on by the corporate culture. My boss doesn't know what SSH is, so him asking about it would be a red flag to me. But executives at HBGary may have used it all the time. And maybe they required root access frequently. All it takes is one previous time of Jussi refusing to pass that info out and resulting in a "we pay your ass, do it when I tell you to!" reprimand, and Jussi will have been changed by the corporate environment to jump when the COO or CEO says to via email. Poor security practices, definitely. But often corporate culture leads to these poor practices. Everyone tries to start out doing the right thing, but often push it aside in favor of "the easy way".

    5. Re:Incompetent by Anonymous Coward · · Score: 0

      Everyone is anonymous.
      You simply choose not to recognize it at this time.

      We are legion, etc etc.

    6. Re:Incompetent by Anonymous Coward · · Score: 0

      I don't know about you but we get weird questions like this all the time from upper management and it actually IS upper management. It took almost three days to convince the senior admins that allowing ssh with public key auth was secure. This is the same company that passes around passwords for 1500 servers in an Excel sheet with a three character password.

    7. Re:Incompetent by Steauengeglase · · Score: 1

      Reading through some of this, I got the impression that the problem has a lot more to do with making those above you happy, than anything else.

      While Jussi's mistake was pretty damned boneheaded, how often do you do what your boss says, because they said so? Not from the perspective of "How do I do my job right?", but "Will I get canned if I say no? I'm not going to tell my boss that he is too stupid to remember both his username and his password".

      Granted, at that point, I'd probably just tell them, "I'll give you a ring, it'll clear things up quicker".

      On the plus side, we now have a modern, real world, textbook case on how not to handle these things.

    8. Re:Incompetent by Anonymous Coward · · Score: 0

      I'm Brian and so's my wife!

    9. Re:Incompetent by Vaphell · · Score: 2

      I'd hire him with no problem and most probably for peanuts. He got so burned that the paranoia will be eating him alive from now on. Yes, you can learn all you want about good practices and whatnot but sometimes you need to get really hurt to actually LEARN.

    10. Re:Incompetent by Caraig · · Score: 1

      Good observation. I went to SUNY Maritime College at about the time they hired Joe Hazlewood as an instructor. The man was probably the most exacting officer on a deck watch. Granted, he was conning a ship full of cadets that had a big-ass 'STUDENT DRIVER' sign on the stern kingpost, but he knew his stuff, and like you said, paranoia will be eating him alive any time he's aboard a ship.

      --
      "I am an Adept of Tantric VAX."
    11. Re:Incompetent by Isaac+Remuant · · Score: 1

      123 ?

      --
      "Science can amuse and fascinate us all, but it is engineering that changes the world. " - Asimov.
    12. Re:Incompetent by gblfxt · · Score: 1

      Well, it was the government who hired them, the government never hires the most competent help, usually the lowest bidder, you know how that goes.

    13. Re:Incompetent by Ginger+Unicorn · · Score: 1

      If people ask me for passwords/credit card numbers/bank details via email, the first thing I do is find their phone number via external means, then phone them to verify their identity, then give them the information over the phone. How fucking hard is that to do, even if it is your boss asking for root access?

      --
      (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
    14. Re:Incompetent by gnasher719 · · Score: 1

      I also wonder though, how much of that was brought on by the corporate culture. My boss doesn't know what SSH is, so him asking about it would be a red flag to me. But executives at HBGary may have used it all the time. And maybe they required root access frequently.

      That is the one thing that was new to me and where I could have gone wrong myself (but then I'm not a security guy): The person imitating the boss _did_ have the root password. And you'd think that anyone who has the root password can be trusted because they have ultimate power over the machine anyway. They can _read_ and _change_ any user password, so you would think that giving them a user password shouldn't hurt. But the root password doesn't allow them access through SSL! A hacker with root password does need an ordinary user password to get into the machine through SSL!

    15. Re:Incompetent by WWWWolf · · Score: 1

      I'm just amazed at how completely oblivious "Chief Security Specialist" Jussi Jaakonaho was during the email correspondence, AND that he was perfectly fine with sharing root passwords via plaintext email.

      Well, he works for Nokia, so this move was done completely in accordance with the new Microsoft security guidelines. </obviousjoke>

    16. Re:Incompetent by JumperCable · · Score: 1

      All it takes is one previous time of Jussi refusing to pass that info out and resulting in a "we pay your ass, do it when I tell you to!" reprimand, and Jussi will have been changed by the corporate environment to jump when the COO or CEO says to via email.

      I haven't received a reprimand like that.

      But think about how you would want to go out? Would you rather be fired for not dishing out a password without verification? Or would you rather be fired for letting hackers into your systems and run amok? One scenario will make you look decent in an interview. The other will ensure no one in town will hire you.

      I've gone to bat about foreign workers sharing login ids. I would flat out refuse to reset their passwords. It happened a lot. But I was backed up on my stance. They got told to get their act together and they stopped sharing their user ids.

      The hard part for Jussi is that he/she got the request from her boss's e-mail account. An account that presumably only the real person would have access to.

    17. Re:Incompetent by Anonymous Coward · · Score: 0

      Not that I'd hire him, but I second your opinion about "you need to get really hurt to actually LEARN".

      I was writing some security software, and my bosses thought it would be a good idea to hire an outside firm to try to break it. I had left some debugging code in, told them it was debugging code and to ignore it. Instead, they targeted just this code that I had told them wouldn't be in the final product and said "Look, we've broken in". This did not make me look good in front of my bosses.

      In the future, if I tell someone not to use a part of the code, I'm going to slip in big bells and whistles if they try to exploit what they shouldn't be wasting their time on anyway.

    18. Re:Incompetent by mcvos · · Score: 1

      While Jussi's mistake was pretty damned boneheaded, how often do you do what your boss says, because they said so? Not from the perspective of "How do I do my job right?", but "Will I get canned if I say no? I'm not going to tell my boss that he is too stupid to remember both his username and his password".

      Remember Terry Childs? Withholding passwords from your boss can land you in jail, apparently.

    19. Re:Incompetent by Anonymous Coward · · Score: 0

      In any instances where I, my coworker, or boss needed a root password communicated to them, it has always been done by phone at that moment. If no one is available, whatever the task, it gets put on hold till someone is reached.

      Password in an email? Rarely ever, certainly not root!
      Unencrypted? Are these people insane?!

      This is just stupefying!

    20. Re:Incompetent by arth1 · · Score: 1

      My boss doesn't know what SSH is, so him asking about it would be a red flag to me. But executives at HBGary may have used it all the time.

      The executive in question here was Greg Hoglund, the guy behind rootkit.com -- any Unix admin here on /. has probably heard the name and most would know that he knows ssh. But that doesn't protect him from being lax, or being impersonated.

    21. Re:Incompetent by squallbsr · · Score: 1

      No, didn't you see hackers, it obviously is 'GOD'.

      --
      Sleep: A completely inadequate substitution for Caffeine.
    22. Re:Incompetent by Dman33 · · Score: 1

      Sure, the "we pay your ass, do it when I tell you to!" card is played all the time in corporate culture, however a skilled and experienced security professional knows how to deal with that. It goes along the lines of "you pay me to do my job to the best of my ability, if you want a yes-man then fire me and hire an intern".

      Corporate culture is not an excuse in infosec, especially for a security company. If corporate culture IS like that, then change the corporate culture. If you cannot or do not know how to change the culture, then don't get a job in a leadership position.

      Why is this so hard??

  9. And What's next? by rueger · · Score: 4, Insightful

    Gotta say, the linked article was a great education for me, one who's interested but never had time to dig into some of the arcana of stuff like SQL injection.

    In watching Wikileaks, OpenLeaks, Egypt, the Palestine papers, and now HB Gary, I'm thinking that we're at the edge of something monumental. I expect we'll see a lot more formerly secret data become public, and see governments and corporations either clean up their acts, or become increasingly desperate and hostile in trying to keep their inside info secret.

    Either way we're in for a wild ride!

    1. Re:And What's next? by Anonymous Coward · · Score: 0

      I for one welcome our cyberpunk future!

    2. Re:And What's next? by Anonymous Coward · · Score: 0

      rueger:

      I think we're in the middle of the 'increasing desperate and hostile' stage. HBGary is SO out of the picture that I'd guess the 'increasing desperate and hostile' behavior is coming from the 'collateral damage' department. The government agencies that condoned HBGary's tactics must just be in a tizzy! Can't put the genie back in the bottle though...

      It takes a long time to earn trust... only a second to destroy it.

      -t

    3. Re:And What's next? by gman003 · · Score: 2

      Well, a Wikileak (that's the term for something Wikileaks leaks, right?) was one of the things that started the Tunisian revolution, which led to the revolt in Egypt, and protests in Algeria, Libya, Yemen, and Bahrain, and it seems to be spreading further, as far away as Iran, and Jordan. Add the fact that some pretty major corporations are also being attacked (), and this could be on the scale of 1848. I'm willing to bet that this chain of uprisings won't stop before it reaches Russia and Italy, and I'm hoping it goes all the way to the US.

      We all know that America (hell, most of the world) has needed a major change in government for years now. Decades, even. It isn't bad enough that we need to start lining people against a wall, but at the very least, we need some changes that are big enough that the status quo would be upset.

    4. Re:And What's next? by Anonymous Coward · · Score: 0

      Wikileaks had nothing to do with the Tunisian revolution. That was due more to the state of the economy and the corruption. When a young man set himself alight that was the tipping point for the Tunisian revolution. Nothing whatsoever to do with Wikileaks.

    5. Re:And What's next? by LordLucless · · Score: 2

      That's the end goal Assange always envisaged for Wikileaks. He wanted to make governments either become more open, or become so inefficient due to the security needed to hold their secrets, that Darwin would see them replaced with a more open one.

      Was talked about in one of the interviews he gave.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    6. Re:And What's next? by Flyerman · · Score: 1

      Wikileaks is more effective at regime change in the middle east than WBush. News at 11, on the BBC.

    7. Re:And What's next? by gman003 · · Score: 2

      Quoth Wikipedia: "Another cause for the uprising has been attributed to the inability of the Tunisian government from being able to censor information from reaching the Tunisian people, such as information from WikiLeaks describing rampant corruption in the Tunisian government."

      Main cause? No. Contributing factor? Yes. At the very least, it seems like it was the spark that brought all the other factors into focus.

    8. Re:And What's next? by Anonymous Coward · · Score: 0

      Revolution is much better than war.

      This in itself makes wikileaks a force of good.

    9. Re:And What's next? by jrumney · · Score: 1

      ...Yemen, and Bahrain, and it seems to be spreading further, as far away as Iran, and Jordan.

      Jordan is much closer to Tunisia than Yemen and Bahrain.

    10. Re:And What's next? by Anonymous Coward · · Score: 1

      Right. Keep up with the mental masturbation until you see the promised unicorns and rainbows. Wikileaks has caused a stir - little else. OpenLeaks has yet to do anything. Egypt was 30 years in the making. The Palestine papers are a cruel joke. And HB Gary, while becoming a punch line, is little more than a curiosity (and a handy "this is why we can't have nice things" example for IT meetings everywhere). But hey - Anonymous, Assange / Wikileaks... they'll all point out how they're personally leading us to a new dawn. You can even toast to it while drinking the Kool-Aid. Just don't look too closely at what it's made of.

    11. Re:And What's next? by seyyah · · Score: 1

      Well look at the last comma. It sort of absolves him of being ignorant about the location of Jordan.

      It is an awkward sentence mind you.

    12. Re:And What's next? by Anonymous Coward · · Score: 0

      ...Yemen, and Bahrain, and it seems to be spreading further, as far away as Iran, and Jordan.

      Jordan is much closer to Tunisia than Yemen and Bahrain.

      In geography, yes; in political makeup, not so much.

    13. Re:And What's next? by WATist · · Score: 1

      Although some of the opinions from the leaked cables that have been blasted may have been rude, crude, and bigoted, there is a problem here: if you start punishing people for honest opinions they will start lying to you.

    14. Re:And What's next? by pinkushun · · Score: 1

      A great meaning for a 'hack', one often under-mentioned in the media, is to investigate, learn, and then use something in a way that it was not intended to be used. This does not even require exploiting the system or changing it in any way. It's the result of lateral thinking and curiosity.

      You may enjoy hacking Google searches, it gives great insight into how their search engine operates, and you end up using these techniques to pinpoint your searches amazingly well sometimes!

      Check it out: http://www.hackersforcharity.org/ghdb/

    15. Re:And What's next? by Anonymous Coward · · Score: 0

      Let's not go crazy over this: everyone in Tunisia and Egypt knew about corruption and whatnot already. These riots are a result of millions of young men* being unemployed and unable to provide food or shelter for their families, nothing more complex than that. The leaks were just the spark -- and possibly not even that, the rising food prices all over the world may have been enough -- they definitely weren't the real reason.

      *) I don't mean to imply that men are somehow especially in problems or important in that sense, I mean that revolutions are traditionally executed by 20-something men -- if that group has jobs to keep them busy then the government in question probably has nothing to worry about.

    16. Re:And What's next? by Thelasko · · Score: 1

      I'm thinking that we're at the edge of something monumental.

      It reminds me of Project Mayhem.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    17. Re:And What's next? by mcvos · · Score: 1

      Gotta say, the linked article was a great education for me, one who's interested but never had time to dig into some of the arcana of stuff like SQL injection.

      SQL injection is not arcana. It's incredibly obvious to anyone who knows SQL. Exploiting OS security vulnerabilities to gain superuser access, that's arcana.

    18. Re:And What's next? by Anonymous Coward · · Score: 0

      Wikileaks had nothing to do with it.

      The only leaked document having to do with Tunisia was the U.S. calling the head honcho a dictator.

      What really set off the middle eastern revolutions was the man Mohamed Bouaziz who set himself on fire to protest the government. To take away credit from him and give it to the internet in an attempt to make it more relevant is disgusting imo

    19. Re:And What's next? by SharpFang · · Score: 1

      Main cause was the rampant corruption in the Tunisian government. It's like: "Another cause for the hospital blowing up has been attributed to the inability of the hospital management from being able to use open fire within range of the fumes from the enormous fuel, ammo, weapons and explosives storage in the hospital basement." No, it's not whoever stored the fuel, ammo and explosives that is at fault, it's the person who lit a match too close to a barrel, and the security guy who didn't stop them from reaching the hospital basement.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  10. Shorter version. by Anonymous Coward · · Score: 0

    Greedy fake security guy tries to troll a large group of random strangers for money.
    Large group of strangers punk him hard.

    Profit for the news media!

  11. Attack Summary by Anonymous Coward · · Score: 4, Informative

      1. SQL Injection

        The exact URL used to break into hbgaryfederal.com was http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27. The URL has two parameters named pageNav and page, set to the values 2 and 27, respectively. One or other or both of these was handled incorrectly by the CMS...

      2. Password hashes didn't use salts etc.
      3. Password hashing was done using MD5.
      4. Password complexity policy was crap anyway.
      5. Password recovery policy was vulnerable to social engineering (insider attack).

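The pageNav/page handling described in item 1, as an added example (not the CMS code from the article): a query assembled by string interpolation beside the hardened version that casts both parameters to integers and binds them, plus a small detection helper for request logs. The table, rows, and function names are constructed for this illustration.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data standing in for the CMS page table (not the real schema).
SAMPLE_PAGES = [
    (27, 2, "About us"),
    (28, 2, "Services"),
    (99, 9, "Unpublished draft"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, nav INTEGER, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_PAGES)
    return conn


def lookup_page_vulnerable(conn: sqlite3.Connection, page_nav: str, page: str) -> list:
    """The failure mode: raw GET values spliced into the SQL text.

    Whatever the client sends becomes part of the query grammar, so a value
    that is not a plain number changes what the statement means.
    """
    sql = f"SELECT id, title FROM pages WHERE nav = {page_nav} AND id = {page}"
    return conn.execute(sql).fetchall()


def lookup_page_safe(conn: sqlite3.Connection, page_nav: str, page: str) -> list:
    """Hardened form: cast to int first, then bind the values as parameters.

    int() rejects anything that is not a number, and the placeholders keep
    the values out of the query text entirely.
    """
    try:
        nav_id, page_id = int(page_nav), int(page)
    except ValueError as exc:
        raise ValueError("pageNav and page must be integers") from exc
    sql = "SELECT id, title FROM pages WHERE nav = ? AND id = ?"
    return conn.execute(sql, (nav_id, page_id)).fetchall()


def suspicious_request(query_string: str) -> bool:
    """Detection helper: flag a logged request whose pageNav/page values are
    not plain integers, which is exactly what the safe lookup would reject."""
    params = parse_qs(query_string, keep_blank_values=True)
    for name in ("pageNav", "page"):
        for value in params.get(name, []):
            if not value.strip().isdigit():
                return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(lookup_page_vulnerable(db, "2", "27"))         # the one expected row
    print(lookup_page_vulnerable(db, "2", "27 OR 1=1"))  # every row: the WHERE clause was rewritten
    print(lookup_page_safe(db, "2", "27"))               # same single row, via bound parameters
    print(suspicious_request("pageNav=2&page=27+OR+1%3D1"))
```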
    1. Re:Attack Summary by Flyerman · · Score: 2

      You forgot the part where the CEO of HBGFed used the same six letter pass in the CMS, his email, twitter, facebook...

      Basically step 4->5 went lousy password to same password used for the email admin to another user's email account to the social engineering.

    2. Re:Attack Summary by dwarfsoft · · Score: 2

      6. After targeting Anonymous they didn't invest in curtains.

      7. After targeting Anonymous they didn't invest in a dog.

      Surely they saw the FOX11 story on Anonymous when checking out the background of their quarry?

      --
      Cheers, Chris
    3. Re:Attack Summary by pinkushun · · Score: 1

      This is especially shocking, as MD5 has had known vulnerabilities since 1996!

      Any person worth their salt should know better! :-D

      Methinks the CMS designers should don their Drainpipe pants, Canvas Shoes and Rubber Bracelets, and catch the next plane to 10 years into the future.

    4. Re:Attack Summary by squallbsr · · Score: 1

      No, collision vulnerabilities are for validating the contents of a file haven't changed using an MD5 hash. The reason you don't use MD5 hashing to store a 1-way hash of a password is that it is an extremely fast algorithm to compute - meaning it takes a lot less time to compute a rainbow table or brute force hashes in order to figure out the password.

      --
      Sleep: A completely inadequate substitution for Caffeine.
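The point squallbsr makes, together with items 2 and 3 of the attack summary above, as an added example (not code from the article or from HBGary): with unsalted MD5 one precomputed table built from a common-password list matches every account at once and shared passwords show up as identical hashes, whereas a per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256 here) removes both properties. Account names, passwords, and the wordlist are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny "common passwords" list and a user table in which two
# accounts share a weak password. None of this is real HBGary data.
WORDLIST = ["password", "letmein", "sunset", "123456", "qwerty"]
ACCOUNTS = {"alice": "sunset", "bob": "sunset", "carol": "stable-Kite-9-glacier"}

PBKDF2_ITERATIONS = 100_000  # cost parameter: every guess costs this many HMAC rounds


# --- the weak scheme the summary describes: unsalted MD5 ----------------------

def md5_unsalted(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_md5(accounts: dict) -> dict:
    return {user: md5_unsalted(pw) for user, pw in accounts.items()}


def recover_from_unsalted(stored: dict, wordlist: list) -> dict:
    """Defender's view of the exposure: a single table (hash -> word) is built once
    and compared against every stored hash. Without salts the same table serves
    all users, and all sites that made the same mistake."""
    table = {md5_unsalted(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


# --- the hardened scheme: per-user random salt + slow PBKDF2-HMAC-SHA256 ------

def hash_salted(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_salted(accounts: dict) -> dict:
    """Each record carries its own salt, so equal passwords give unequal hashes and
    any lookup table would have to be rebuilt per user, at PBKDF2 cost per entry."""
    records = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        records[user] = (salt, PBKDF2_ITERATIONS, hash_salted(pw, salt))
    return records


def verify_salted(records: dict, user: str, candidate: str) -> bool:
    salt, iterations, expected = records[user]
    # Constant-time comparison: no timing leak on how many leading bytes matched.
    return hmac.compare_digest(hash_salted(candidate, salt, iterations), expected)


def hash_computations(user_count: int, wordlist_len: int, salted: bool) -> int:
    """Work needed to check one wordlist against a dump: a single pass covers the
    whole unsalted table; with salts it is one full pass per user."""
    return wordlist_len * (user_count if salted else 1)


if __name__ == "__main__":
    md5_db = store_md5(ACCOUNTS)
    print("alice and bob hashes equal:", md5_db["alice"] == md5_db["bob"])
    print("matched via precomputed table:", recover_from_unsalted(md5_db, WORDLIST))
    salted_db = store_salted(ACCOUNTS)
    print("salted hashes equal:", salted_db["alice"][2] == salted_db["bob"][2])
    print("alice verifies:", verify_salted(salted_db, "alice", "sunset"))
```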
    5. Re:Attack Summary by pinkushun · · Score: 1

      Ah point well made! I had this crazy idea that you could also use a collision value, instead of the real password, if they both compute to the same MD5. But the increase in chances of finding two matching 'passwords' aren't much greater than one.

  12. Seriously by drwhite · · Score: 0

    Why would Jussi Jaakonaho share sensitive info over e-mail? MEMO to Jussi the "Security" in Chief Security Specialist means just that. Not Chief Shithead Specialist.

  13. They will be famous for a long time by RelaxedTension · · Score: 4, Insightful

    They are the Tacoma Narrows bridge of the IT security world now. They will be the textbook case example for generations of students, with the entire repertoire of what not to do every step of the way, especially the one about not pissing-off a malevolent, anonymous mass.

    1. Re:They will be famous for a long time by DNS-and-BIND · · Score: 1

      not pissing-off a malevolent, anonymous mass

      Yeah, the wrong sort of people pissed off a malevolent, anonymous mass before. In order for vigilantism to win, good people need only do nothing.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:They will be famous for a long time by Anonymous Coward · · Score: 0

      not pissing-off a malevolent, anonymous mass

      Yeah, the wrong sort of people pissed off a malevolent, anonymous mass before. In order for vigilantism to win, good people need only do nothing.

      Strikes me, that they actually pissed off an indifferent, anonymous mass, thereby making it subsequently, malevolent.

      Poking hornet nests has a habit of doing that, you know.

    3. Re:They will be famous for a long time by Anonymous Coward · · Score: 0

      [clears throat poignantly]

      I'm almost certain you meant 'benevolent' .. right?

    4. Re:They will be famous for a long time by MimeticLie · · Score: 1

      As much as I love a good Godwining, your analogy sucks. The Jews were being oppressed by the German government and one of them struck out in anger, leading to a backlash. HBGary was trying to find information about Anonymous to sell to the FBI. Fair enough, they're a security company. But then their CEO had the balls to brag about what he was doing to the very people he was trying to fight. That's not an example of "good people" standing up, it's just a self-important braggart grandstanding. He wasn't acting out of desperation because his family was at risk, he was poking a bear with a stick because he could.

    5. Re:They will be famous for a long time by gblfxt · · Score: 1

      most likely not, knowing how the government works, they will probably STILL get the lowest bid.... :)

    6. Re:They will be famous for a long time by drinkypoo · · Score: 1

      In order for vigilantism to win, good people need only do nothing.

      What happens when vigilantism is the only solution remaining? What do the good people do then? Pretty sure "nothing" is not the answer.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:They will be famous for a long time by Anonymous Coward · · Score: 0

      Unfortunately, this is pretty much how it has to be.

      The government uses the lowest bidder because the taxpayers demand it.

      The taxpayers really don't have a good choice but to retain this stance because, since there are no means available to prevent corruption in government, spending extra money on government often doesn't actually result in any measurable gain.

      That's how you get nonsensical policy while everyone is acting reasonably.

  14. I'll drop my webapp sec researcher hat... by Zapotek · · Score: 1

    ... and look at this as a layman.
    OK, they chose a closed/custom CMS in hopes of security through obscurity, fair enough.
    Ok, the guy thought he was talking to the boss and gave away the credentials, fair enough.

    But how the HELL did they think that such weak passwords, an out-of-date system and no SSH keys were fine?
    Granted that all of their mistakes look unforgivable to me since I'm in the business but I simply can't wrap my head around the ones I mentioned.

    Strong passwords aren't an inconvenience, damn, let your browser remember them; why not keep an updated system in the first place? And passwordless SSH logins are more secure and more convenient.
    And an SQL injection? Even an automated scan would have found that! (No offence to scanner developers, I'm one myself)
    This is amateurish to say the least....

    1. Re:I'll drop my webapp sec researcher hat... by wmbetts · · Score: 1

      You shouldn't ever let your browser store passwords.......

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
    2. Re:I'll drop my webapp sec researcher hat... by Anonymous Coward · · Score: 0

      You know the tech industry is 50% marketing. Selling to clueless purchasing managers, making false presentations to people who will never use the service, stoking fanboyism and spreading FUD is part of the game. Now imagine how much of a clue local and federal government have in evaluating how well you're securing their system. Aggressive marketing wins the contract, skill can always be subcontracted in later, who'll notice.

    3. Re:I'll drop my webapp sec researcher hat... by AHuxley · · Score: 1

      Classic MS like group think? With the US and UK .gov .edu .com crypto circles they lived in/sold to ... what's to worry about?
      A very MS focused team to offer deep MS related solutions?

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:I'll drop my webapp sec researcher hat... by ISoldat53 · · Score: 1

      Not all sites let you use browser stored passwords.

    5. Re:I'll drop my webapp sec researcher hat... by VortexCortex · · Score: 1

      You shouldn't ever let your browser store passwords.......

      Why not? I let my computer store my passwords.

      I have to unlock the key-ring with my master password; I drop access rights to the key-ring when I'm done "entering" the stored password; The passwords are encrypted while stored. What's the big deal? Don't all modern operating systems have this feature?

      Is the issue, "Single point of failure"? I have a strong 23 character master password. It's much easier to remember than 30 different variable length passwords, and no less secure than a keyed/salted password hashing algorithm based on the domain name (still a single point of failure).

      Without the saved passwords I would have to weaken the strength of all my online passwords so that I can remember them.

      Please, inform me of my folly.

    6. Re:I'll drop my webapp sec researcher hat... by Tukz · · Score: 1

      Like /.

      I have to click login, then login without credentials, to be taken to the "wrong password" page, where it DOES work.

      --
      - Don't do what I do, it's probably not healthy nor safe. -
    7. Re:I'll drop my webapp sec researcher hat... by L4t3r4lu5 · · Score: 1

As long as your key is backed up, you're good to go. Ignore the naysayers.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    8. Re:I'll drop my webapp sec researcher hat... by pinkushun · · Score: 1

      No folly there.

      The first thing I did, after Google Chrome came out, was go through the source code to see how it encrypts saved passwords.

Before using Firefox's password saving feature, with a master password, I researched what techniques there are to brute force it open, and which password combinations are the most secure. I even bruted my own key file (with no important saved passwords, btw) as a test.

      I then chose a password with a complexity to match my own educated guess.

      From my view, I'm pretty comfortable to let those two browsers save passwords, of course I have other security layers in place, too.

    9. Re:I'll drop my webapp sec researcher hat... by Anonymous Coward · · Score: 0

And passwordless SSH logins are more secure and more convenient.

      They're certainly more convenient for the hacker when you've compromised one account. No need to even have to guess what the password is for the remote systems, ssh will let you in to the remote system without even asking anything; shell histories and the .ssh/known_hosts file will give you a few hints as to where you might be able to go.

      Just imagine if he'd set up passwordless ssh login from support.hbgary.com to rootkit.com. No need to even socially engineer Jussi. No worry if the password on rootkit.com was completely different as it'll let you straight in if you've already got on to the first machine.

      passwordless ssh (between systems with different authentication backends) just compounds the 'weakest link in the chain' problem.

    10. Re:I'll drop my webapp sec researcher hat... by karuna · · Score: 1

>> And passwordless SSH logins are more secure and more convenient.

Yes and no. Imagine Greg has lost his laptop set up to log in? Or rather, a fake message from the boss that he has lost his laptop and needs to change SSH credentials quickly because someone could use the lost key to gain illegal entry?

The proper procedure would be to call the boss on his cell phone, recognize him by voice and verify that it is really him writing these messages.

    11. Re:I'll drop my webapp sec researcher hat... by Anonymous Coward · · Score: 0

Well, not in cleartext, no, but if you use a master password you should be clear. I think that Firefox uses the master password as a symmetric encryption key that it runs against the saved password list. Otherwise you can use something like KeePass or your operating system's built-in keychain to store them in ciphertext.

  15. Real Original Title There PCM2 by eldavojohn · · Score: 0

    Interesting title to select. Sounds a lot like the story I submitted at 9:30 AM ET -- 11 hours prior to PCM2's submission above. Or maybe PCM2 just ripped off my comment earlier today? Figures, this is Slashdot ...

    --
    My work here is dung.
    1. Re:Real Original Title There PCM2 by Dahan · · Score: 0

      u jelly?

  16. Help me out here by EW87 · · Score: 0

    I followed the article very well but I still don't quite understand what a SQL injection is...Can someone explain it a bit better?

    1. Re:Help me out here by Dracos · · Score: 1

      There's an example in the XKCD linked to near the top of the thread.

    2. Re:Help me out here by nedlohs · · Score: 2
    3. Re:Help me out here by clarkkent09 · · Score: 1

If user input is not cleaned up before being used in a query, an attacker can possibly execute some arbitrary SQL on your db. For example, userName is passed in from the login form. The script uses it in a query:

      SELECT * FROM customers WHERE name = '{$userName}'

Say you pass in this as your username: '; DROP TABLE customers; The query becomes:

      SELECT * FROM customers WHERE name = ''; DROP TABLE customers;

or passing in ' OR 1=1; will find a match when there isn't one, etc.

      --
      Negative moral value of force outweighs the positive value of good intentions.
    4. Re:Help me out here by oliverthered · · Score: 1

      put simply, when I submit this post it will go into a database.

      There are characters such as ' or whatever that need to be escaped if for instance, the SQL is built up, say, by concatenating strings.

SQL = "INSERT INTO Post_Table (text, username) VALUES ('" + PostData + "', '" + username + "')";

      In this case single quotes represent the start and end of string data in the SQL statement.

      So if I put a single quote in some data I post, and it's not escaped in the SQL statement then I can craft a post that would allow me to execute another SQL statement afterwards, say the DBMS uses ; as a statement terminator

      So say I post the data

      foobar' , 'he he a pretend username'; DROP DATABASE;

      well you get the idea.

There's more to it and more ways than that, stored procedures etc.... but that's the general idea: if the data being posted isn't sent to or worked on in the DBMS properly, it's possible to add your own custom SQL statements that can do pretty much anything you like to the DBMS, and even get out onto the local network and then mess around with that, yada yada....

      I could for instance put
      foobar' + (SELECT blah from blip) + 'rab
      and then when my post get returned back to me it would contain whatever the select statement contained as well as the post.

      --
      thank God the internet isn't a human right.
    5. Re:Help me out here by EW87 · · Score: 0

Ok, I'm kind of getting it. I wish I knew more about databases. I am a hardware/network systems guy. As I understand it, you're adding your own information into a line of SQL. Umm...is it like when I was 13 and used to go through porn sites' free tours and when they ended on "Freepic13.jpg" I changed it to freepic14.jpg and found the hidden images? Or am I missing the point about adding your own text to the SQL?

    6. Re:Help me out here by EW87 · · Score: 0

      I promise I'm not trolling I just don't understand how accessing a file that's published TO BE accessed allows someone into your system.

    7. Re:Help me out here by Anonymous Coward · · Score: 0

      i'm 12 years old and what is this

    8. Re:Help me out here by EW87 · · Score: 0

      I saw the comic a while back I just don't understand the concept.

    9. Re:Help me out here by EW87 · · Score: 0

      You mean in a room full of IT Professionals the best answer to my question is going to come from Google?

    10. Re:Help me out here by Anonymous Coward · · Score: 0

      Yep, because one of the IT Professionals in this room already wrote the best answer to your question, and does not care to waste his effort repeating himself every time a clueless noob comes along asking.

      So... are you trolling, looking to make a lame point about RTFM attitudes, or just that thick?

    11. Re:Help me out here by nedlohs · · Score: 1

      Obviously, unless you expect someone to spend as much time and effort as has been spent already on writing a wikipedia page and numerous step by step example explanations when writing a slashdot comment. In which case I suspect you are going to be disappointed.

    12. Re:Help me out here by EW87 · · Score: 0

      Having a professor or tutor beats an encyclopedia any day for me. If I have a question for more granular or comprehensive help for aiding my understanding then a person is more appropriate for my request.

    13. Re:Help me out here by nedlohs · · Score: 1

      And you go to your professor or tutor without even looking at the basics first?

I'm glad you were never one of my students. Well, I hope you were never one of my students; there were a couple like that.

      You can be a selfish jerk who thinks that other people should give them a personalized tutorial on everything instead of looking at the existing stuff first, that's fine. You'll find you learn stuff slower and burn all the people who might have helped you later when you get to the more difficult stuff though.

      You seemed to get an answer you sort of liked so I guess it is working out for you. Mind you it took an hour after you posted as opposed to 5 seconds for the google search, and its example is incorrect as opposed to the numerous correct ones on the first result of the google search.

    14. Re:Help me out here by Vaphell · · Score: 1

A SQL query is a plain text template; the parameter is pasted verbatim into the proper place and then the query is called.
let's say you've got the condition
where a='$param'
what happens when you enter "whatever'; some other stuff" as $param? The legit query ends in the middle of the $param value (at the '; part) and the rest is treated as a separate command to execute, and you can put *anything* there. That's why it's important to strip/escape any parse-related character that has no business being there.

    15. Re:Help me out here by EW87 · · Score: 0

      I just need to learn more I guess, I am kind of understanding the concept here. I just need to learn the subject. "Parse" etc

    16. Re:Help me out here by geoskd · · Score: 1

The basic idea is that SQL instructions are processed on the back end by an interpreter that accepts whatever plaintext requests it gets. The SQL interpreter has no real security, other than the fact that it is usually set up only to talk to the web front end. The frontend (Java, PHP, whatever) that runs the website takes user inputs and processes that input, then creates the plaintext command to send to the SQL interpreter. When creating those plaintext commands, the frontend software is sometimes made without any smarts, so that if an attacker knows the correct language for the SQL interpreter being used, and the frontend software doesn't prevent it, you could put in your own plaintext commands instead of whatever you were supposed to put in. The result is that the frontend will simply pass what you gave it directly to the SQL interpreter unmodified, which effectively allows the end user to send commands directly to the SQL interpreter when all they were supposed to be able to do was put in their user name. The most commonly referenced command is "DROP TABLE" which tells the database to delete stuff; hence the xkcd comic about Bobby Tables.

      A simple and slightly flawed analogy is a function call into a jump table that is supposed to allow you to call functions 1 through 5, but the function call doesn't check to see what number you gave it so you can actually tell it to call any function in the table just by putting in a different number. A properly written frontend would do the checking to see that all you gave it was a number between 1 and 5. A poorly written front end will just take whatever number you gave it and call that function from the table...

      -=Geoskd

      --
      I wish I had a good sig, but all the good ones are copyrighted
    17. Re:Help me out here by mcvos · · Score: 1

      The problem with SQL-injection is that the programmer uses direct input from the user as part of a query for his database. Consider this SQL query:

      select * from articles where topic='cars';

      Now imagine that the user has some way to select the topic he wants to see articles of. Maybe there's a select box where you can select between 'cars', 'women' and 'beer'. So the programmer builds his query like this:

      "select * from articles where topic='" + params.topic +"';"

He blindly assumes that params.topic can only be 'cars', 'women' or 'beer', because those are all the options that he wrote on the client side. The problem is that the client side (the HTML + javascript) runs on the user's machine, and is automatically compromised. Instead of asking for the web page brokensite.com/articles?topic=cars , he can also call:

        brokensite.com/articles?topic='; select * from tables; --

      And that turns the SQL query into:

      select * from articles where topic=''; select * from tables; --';

      So suddenly you've got two queries. (Everything after the -- is comment; it's ignored.) Exactly what happens now probably depends a bit on the web framework used, but with a bit of luck you'll get an error page that includes everything that these queries returned. Including the names of all the tables in the database. Figure out which table looks like it contains user information, and then you go to:

        brokensite.com/articles?topic='; select * from users; --

      Basically the brokensite.com/articles?topic='; part is now a prefix with which you can access their entire database from your browser. You can retrieve information, change it, destroy it, anything.

      Of course the big mistake the programmer made is using user input as part of the query. You should never ever do that. The query should be a constant string, and user input should be added as parameters to that query. How you do that exactly depends on your language and framework, but in Ruby I believe it's something like:

      ["select * from articles where topic=?", params.topic]

      This way, nobody can sneak a different query into your database.
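An added example (mine, not mcvos's, clarkkent09's or the article's code) that builds the query above both ways against a constructed in-memory SQLite table: string concatenation lets a crafted topic value widen the WHERE clause, while the `?` placeholder mcvos mentions binds the value as data. The rows and the hostile value are constructed; SQLite's `execute` refuses a second `;`-separated statement, which is why the example uses the `OR` form shown earlier in the thread rather than a stacked query.

```python
import sqlite3

# Constructed sample data (not from the original page or any real site).
# The third topic is never offered in the select box.
ARTICLES = [
    ("Cheap hatchbacks", "cars"),
    ("Lager vs ale", "beer"),
    ("Salary table", "internal"),
]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (title TEXT, topic TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", ARTICLES)
    return conn


def vulnerable_query(conn, topic):
    # The user's value becomes part of the SQL text, so its quotes and
    # keywords are parsed as SQL, exactly as described in the comment above.
    sql = "select * from articles where topic='" + topic + "'"
    return [row[0] for row in conn.execute(sql)]


def parameterized_query(conn, topic):
    # The SQL text is a constant; the driver hands the value to the engine
    # separately, so it is compared as a string and never parsed as SQL.
    sql = "select * from articles where topic=?"
    return [row[0] for row in conn.execute(sql, (topic,))]


def demo():
    conn = setup_db()
    honest = "cars"
    # Constructed hostile value: closes the quote and adds a true condition.
    hostile = "cars' OR '1'='1"
    return {
        "vuln_honest": vulnerable_query(conn, honest),
        "vuln_hostile": vulnerable_query(conn, hostile),
        "safe_honest": parameterized_query(conn, honest),
        "safe_hostile": parameterized_query(conn, hostile),
    }


if __name__ == "__main__":
    for name, titles in demo().items():
        print(name, titles)
```

With the hostile value the concatenated query returns every row, including the topic the select box never offered, while the bound query returns nothing because no topic is literally named `cars' OR '1'='1`.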

    18. Re:Help me out here by mcvos · · Score: 1

      Go ahead and hire a private tutor to shovel knowledge into your brain, then.

      Until you can afford that, show some gratitude to people who point you in the right direction.

    19. Re:Help me out here by EW87 · · Score: 0

      Ok So they didn't actually BREAK IN using the injection, but they got the credentials they needed TO break in, by USING the SQL injection.

    20. Re:Help me out here by mcvos · · Score: 1

Exactly. They used SQL injection to get a list of users and hashed passwords from the database, used rainbow tables to find users with easy (short) passwords, and then tried whether any of those passwords would also work on other accounts that didn't even have anything to do with this database. Like linux accounts, gmail accounts, etc.

      So it's the accumulation of 3 big errors that made this possible. Had they prevented SQL injection, it wouldn't have worked. Had they used very long passwords, it wouldn't have worked. Had they not reused the passwords in this database for other accounts, then maybe the database and apps relying on it would have been completely compromised, but their servers and email accounts would still have been safe.

    21. Re:Help me out here by oliverthered · · Score: 1

      SQL injection = some prat didn't use a decent data abstraction layer, or there was one really fucked up stored procedure.

      unfortunately, that's about 90% of the IT people I've worked with.

      --
      thank God the internet isn't a human right.
    22. Re:Help me out here by oliverthered · · Score: 1

A plain English analogy.
Let's say you hand the bus driver some change for a ticket.
Now most bus drivers have a policy of not turning their back on you while you're there, as you may be able to nick their wallet from their pocket while their back is turned.
One stupid company thought it was friendly and open if, after taking your money, they got their drivers to glance away for a second.
Someone noticed this, and with sleight of hand nicked the bus driver's wallet.

      Except it's SQL and data not money.

      --
      thank God the internet isn't a human right.
  17. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  18. yeah, I can be an ass sometimes by Thud457 · · Score: 2

    --
    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  19. Re: SQL injection (I'm confused) by Anonymous Coward · · Score: 0

    One of the two parameters was changed to something that allowed an SQL injection attack.

    Likely something like: pageNav=';SHOW TABLES;

  20. Ego by dark+grep · · Score: 1

    The start of the problem was Barr mouthing off to the Anonymous contact about what he was going to do. Clearly, his ego is to blame for the trouble it caused his company.

  21. Re: SQL injection (I'm confused) by Anonymous Coward · · Score: 2, Informative

    You're missing something.

    http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27

    Obviously the 2 and the 27 are not being validated before being appended into part of a larger SQL query, so construct your own URL substituting 2 (or 27) with something like 2';show tables; --

    Find the one that looks like it contains user login information and then substitute again with 2';select * from user_table; --

    Hey presto, you can now read all the user accounts and hashed passwords.

  22. Morals? by Anonymous Coward · · Score: 0

    On the one hand, the more I read the more it sounds like HBGary had it coming (and was sloppy and inept).

But on the other, will we have no discussion of whether a vigilante retaliation is appropriate? Logging in, maybe some embarrassing modifications to the web site, sure. Publishing all the employees' e-mails and deleting backups, too? (If someone had come and broken Barr's legs in an alley, would we be so ready to gobble up the technical details of how it'd been done?)

Or, for a third argument, is it the right response because Anonymous – fighting the battle the government is failing to pick up – has no recourse but itself? I don't know: I'm asking; but I'm asking because I'm surprised not to see it as part of the current discussion.

    1. Re:Morals? by Thud457 · · Score: 1

      somebody should add these to Anonymous' amazon wishlist : http://www.amazon.com/George-Hayduke/e/B001IYTP9E

      --

      the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    2. Re:Morals? by geoskd · · Score: 1

But on the other, will we have no discussion of whether a vigilante retaliation is appropriate? Logging in, maybe some embarrassing modifications to the web site, sure. Publishing all the employees' e-mails and deleting backups, too? (If someone had come and broken Barr's legs in an alley, would we be so ready to gobble up the technical details of how it'd been done?)

I'll take that one... I think it is reasonably proactive of Anonymous to have taken up this path. HBGary claims to know who at least some influential members of Anonymous are. HBGary also claims to be a security specialist. By demonstrating that HBGary is not competent as a security specialist, Anonymous have also, by extension, cast doubt onto HBGary's claims to know who Anonymous are. This throws any conclusions HBGary may have made public into doubt, and establishes reasonable doubt. This will muddy the waters if anything ever makes it to court.

As long as we're on the topic, whatever made you think that a government should have any right or authority that an individual does not have? Why should an individual not be allowed to act in the capacity of a judge? Our world has demonstrated repeatedly that those that have been selected by governments to perform as judges are often woefully inadequate to the task, and we would often be better off letting the mob make the decisions, because the judges are outright corrupt. Why is it that when a government retaliates it is called justice, and when an individual retaliates it is called revenge? I call that a monumental violation of common sense, and a most egregious violation of human rights. There should be no power that a government wields that the constituents of that government are prevented from wielding.

      -=Geoskd

      --
      I wish I had a good sig, but all the good ones are copyrighted
    3. Re:Morals? by Zancarius · · Score: 2

Revenge is almost never the right thing to do. It is a thing to do, and it's an unfortunate human trait that the overwhelming majority of us feel when we have been wronged or perceive that a wrong has been committed against us. I've posted in a previous thread about my thoughts related to this, but I can essentially sum it up by stating that I think what Anonymous did was wrong, primarily because they may have hurt many more people than just Barr. Though I do admit that I can't think of a more deserving target than Barr, given his arrogance that could have led to hurting innocent people with his own hands. And I think that's one of the more frightening underpinnings of this story that isn't getting due press--what happens if a (rogue) researcher is so confident he's identified a dangerous group of hackers that he's willing to do whatever it takes, even if his assumptions were completely wrong? What if they're so hungry for clients or press that they don't care if innocent people get slammed?

      The other thing that surprises me about Barr is that he must have been greatly ignorant of basic childhood rhymes. There's plenty of sayings that come to mind that I'm sure he's heard before: play with fire, and you're going to get burned; don't poke the bear; let sleeping giants lie; and the list goes on and on.

      Back to the discussion: sure, it's surprising that a security/consultancy firm like HBGary was hit so hard by something as simple as the attacks outlined in TFA, but I think it is far more surprising to me that Mr. Barr did not see this coming. From the previous articles I read on Ars Technica, it seems to me that the only level-headed person in the whole ordeal was Barr's programmer--a man who warned Barr numerous times not just about possible retaliation but that the names Barr had accumulated were almost certainly innocent people. But Barr was certain that they were the right names. Can you imagine the damage he would have done if he released them publicly or to the FBI (assuming that the FBI would take him seriously--I'd like to believe they wouldn't, but given the recent DHS fiasco with FreeDNS I have my doubts)? The potential for some poor innocent bystander who happened to friend the wrong person on Facebook may have found their doors knocked down at 6AM for something they didn't do. All that because of Barr's certainty he was right.

      I guess it just surprises me that a security company whose job it is to analyze malware and is almost certainly well aware of the personality profile of the typical attacker didn't see this out of control freight train. I know that doesn't justify thoroughly destroying a company, but I don't think they're particularly deserving of much sympathy either. Barr's programmer warned company executives in the e-mails as reported by Ars, and I seem to recall at least one exchange where one of the higher ups told Barr to back off. He didn't, and he cost all of them dearly.

It's not unlike having a family reunion at the zoo where one of the overly curious bull-headed adolescents decides it would be funny to open the bear cage and poke it with a stick or throw rocks at it. He is then surprised when he and his entire family are mauled.

      Family member: "Aaron, what are you doing?"
      Aaron: "I'm going to poke the bears."
      Family member: "Don't do that. They'll get angry."
      Aaron: "I just want to open the cage."
      Family member: "Are you serious? That's got to be the stupidest thing I've ever heard."
      *bear cage opens, bear gets poked*
      *assorted growls and screams*
      Weeks later, in recovery; Aaron: "I don't know why it was so angry..."

      Regardless, I'm with a couple of the previous posters. This is going to go into college books for the next 30-50 years as an example not unlike Enron. Further, as someone else also pointed out, Barr probably did more to further educate the technology-minded masses on exploits in a single week by screwing himself over than he has in decades.

      On the plus side, I doubt he'll be poking the bear cage any time soon.

      --
      He who has no .plan has small finger. ~ Confucius on UNIX
    4. Re:Morals? by Chas · · Score: 3, Interesting

      Who started with the vigilantism here?

      Aaron Barr at HBGary. He's not law enforcement and as far as I know wasn't under contract by any law enforcement agency to root out the members of Anonymous.

      Yet he's threatening to name names. To accuse people of participating in disruptive, possibly criminal activities.

      Not in a court of law. But in public.

      He's going all "Wild West" on people here and threatening to "pull his gun".

In this case, Anonymous responded in kind and Aaron Barr, shootist, is now lying in the street in a puddle of his own blood.

      Unfortunately, Anonymous brought a gatling gun to a pistol fight. So lots of other people have huge bullet holes blown in them too.

      Now I deplore "hacktivism" as the WORST possible way to convey one's message to people.

      But I'm VERY familiar with the notion of making it painful for people who're harassing you to continue to do so.

      What Anonymous did was wrong. Make no mistake about it.

      But what did these jackholes THINK was going to happen?

--
Chas - The one, the only.
THANK GOD!!!
    5. Re:Morals? by drinkypoo · · Score: 1

      Is this revenge or pragmatism? When someone says they're going to attack you, a preemptive strike is often the most intelligent move you can make. This is not like a drive-by shooting on a crowded street; any "bystander" hurt by an attack on HBGary is a tool who is funding their nefarious behavior, they are part of the problem, and they deserve what happens to them.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Morals? by Hatta · · Score: 1

      But on the other, will we have no discussion of whether a vigilante retaliation is appropriate?

      What would you have them do? Work through the legal channels? When the law is so heavily stacked against justice, you can't blame people for taking vigilante action. It's the corrupt justice system that is at fault.

      --
      Give me Classic Slashdot or give me death!
    7. Re:Morals? by Nyder · · Score: 1

      ...

      What Anonymous did was wrong. Make no mistake about it.

      ...

      That is your opinion.

I think what they did was right. HBGary talked the talk, but couldn't walk the walk. Who better but anonymous to show us what's up?

anonymous is the public. It's mobs. Mob justice. It's the reminder that you might not be all that and a bag of chips if you're doing something people might not like.

      If you have nothing to hide, you shouldn't be worried.

      --
      Be seeing you...
    8. Re:Morals? by Chas · · Score: 1

      ...

      What Anonymous did was wrong. Make no mistake about it.

      ...

      That is your opinion.

      I think what they did was right.

      No, that is YOUR opinion. Breaking into systems not owned by you, destroying data, and other forms of vandalism is wrong. Regardless of the motives.

HBGary talked the talk, but couldn't walk the walk. Who better but anonymous to show us what's up?

anonymous is the public. It's mobs. Mob justice. It's the reminder that you might not be all that and a bag of chips if you're doing something people might not like.

If you have nothing to hide, you shouldn't be worried.

Talk about mob justice to all the victims of lynchings in the American south and southwest. A mob is a mob. Justice is not the first thing on its mind.

--
Chas - The one, the only.
THANK GOD!!!
    9. Re:Morals? by Zancarius · · Score: 1

      Is this revenge or pragmatism? When someone says they're going to attack you, a preemptive strike is often the most intelligent move you can make. This is not like a drive-by shooting on a crowded street; any "bystander" hurt by an attack on HBGary is a tool who is funding their nefarious behavior, they are part of the problem, and they deserve what happens to them.

      You're right, and that's also another side of the coin. Thanks, drinky.

      Of course, I don't really lean either way. Part of me wishes to play devil's advocate, but I certainly do believe that HBGary was more or less asking for what happened to them. Plus, Anonymous knew Mr. Barr was planning on meeting with the FBI so they had no idea whether he was going to release names (or not). He claimed he wouldn't, but given his continued deception (attempted, anyway) toward members of Anonymous, you're absolutely right--it's easy to see how they would have believed an attack was imminent.

      Regardless of whether you see the attacks as preemptive or retaliatory, I believe you would agree that they are the result of the arrogance of one man blowing up in his own face. Mr. Barr's problem (well, one of many) was that he honestly believed himself to be smarter than everyone else. While I'm not so sure recent events will change his inflated self-opinion, I suspect he'll have a hard time being hired for analyst work in the future.

      Or maybe not. The corporate world often dooms itself by picking up well known people regardless of their performance history.

      --
      He who has no .plan has small finger. ~ Confucius on UNIX
  23. Really. +1.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  24. Re: SQL injection (I'm confused) by GNUALMAFUERTE · · Score: 2

    They are giving you the original URL where the injection was used, not a link to the actual injection.

    They probably replaced some of those parameters with the injection code.

    page is probably how many results per page they want, and pageNav is what page they want, so probably page landed straight into a LIMIT in a sql query, without any kind of treatment. Most likely, just passing that crap through mysql_real_escape_string() would have been enough.

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  25. imagine a conical bath... by decora · · Score: 2

    ok actually.

    websites take input from users. like when i log in to slashdot, it asks me for input.

    it will run the input through a program, which will talk to a database.

how does it talk to the database? it runs an SQL command, like 'SELECT * FROM USERS WHERE NAME=$username'

$username for me is 'decora' because that's what i type into my little login box.

but let's say i, uhm, type into the 'username' box something like 'decora OR name=cmdrtaco'.

now, instead of just getting my info, it might spit back all of cmdrtaco's info too! maybe even his hashed password.

to protect against this, most programs will take measures like:

0. validate input (does the username have spaces in it? reject if so)
1. check the SQL query to make sure it's 'safe' and contains no parsable SQL commands.
2. don't write stuff like 'SELECT * FROM', only read the stuff you need.
3. validate data returned from the SQL query before printing it to an html page.
  ie. if you're supposed to get 5 datums back per user and instead you get 10, something's wrong.

    then again all that takes time and money and effort to do.
    why bother, if nobody will ever care? the company that made the CMS for HBGary probably
    contracted out the programming to some other company that hired people off a website,
    (i have no evidence of course).
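An added example (mine, not decora's) of measures 0, 2 and 3 from the list above, wrapped around the login lookup he describes, on a constructed SQLite users table: the username is checked against an allowlist pattern before any query is built, only the columns the login check needs are selected, the value is bound as a parameter instead of being spliced into the text (which replaces measure 1), and the number of rows that come back is checked. The usernames and "hashes" are constructed placeholders.

```python
import re
import sqlite3

# Measure 0: only letters, digits and underscore are allowed, so a value such
# as 'decora OR name=cmdrtaco' (spaces, '=') is rejected before it is used.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

# Constructed sample rows; the hash strings are placeholders, not real digests.
USERS = [
    ("decora", "placeholder-hash-1"),
    ("cmdrtaco", "placeholder-hash-2"),
]


class RejectedInput(ValueError):
    """Raised when a value fails validation before any SQL is built."""


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, pw_hash) VALUES (?, ?)", USERS)
    return conn


def validate_username(name):
    if not USERNAME_RE.match(name):
        raise RejectedInput("username contains characters outside the allowed set")
    return name


def fetch_login_row(conn, name):
    name = validate_username(name)
    # Measure 2: name the two columns the login check needs, not SELECT *,
    # so a mistake elsewhere cannot spill email or other columns to the page.
    # The SQL text is constant and the value is bound, so it is compared as a
    # string and never parsed as SQL.
    rows = conn.execute(
        "SELECT name, pw_hash FROM users WHERE name = ?", (name,)
    ).fetchall()
    # Measure 3: a lookup by unique username must return at most one row;
    # anything more means the data or the query is not what we assumed.
    if len(rows) > 1:
        raise RuntimeError("expected at most one row for %r, got %d" % (name, len(rows)))
    return rows[0] if rows else None


def try_lookup(conn, name):
    """Turn the outcome into a (status, row) pair so callers can log rejections."""
    try:
        return ("ok", fetch_login_row(conn, name))
    except RejectedInput:
        return ("rejected", None)


def run_checks():
    # Honest login, the injection attempt from the comment above, an unknown
    # user, and a quote-based attempt: only the first two shapes are accepted.
    conn = setup_db()
    return {
        "honest": try_lookup(conn, "decora"),
        "or_clause": try_lookup(conn, "decora OR name=cmdrtaco"),
        "unknown": try_lookup(conn, "nobody"),
        "quoted": try_lookup(conn, "x' OR '1'='1"),
    }


if __name__ == "__main__":
    for label, outcome in run_checks().items():
        print(label, outcome)
```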

    1. Re:imagine a conical bath... by EW87 · · Score: 0

      OK that makes more sense now. I am sure I am oversimplifying it, but I assumed SQL Databases were like giant spreadsheets that contained columns like "Username" and were populated by forms and radio buttons. This makes me want to learn SQL.

    2. Re:imagine a conical bath... by EW87 · · Score: 0

      You really simplified it with the cmdrtaco example. Thank you.

  26. I'll tell you the #1 mistake we aren't making... by Anonymous Coward · · Score: 0

    My company isn't pissing off a buncha teenage hackers.

  27. We by Anonymous Coward · · Score: 0

    We are Anonymous.

    We are legion.

    (surprised no one has done this yet) :)

  28. Re: SQL injection (I'm confused) by Anonymous Coward · · Score: 0

    Yeah, it's not a SQL injection. My reading of this is that the above URL produced an error message leaking useful information about table names, the DB server being used, possibly even the full query being executed etc. This would suggest the vulnerability and form the basis for devising the actual injection against pages.php.

  29. Re: SQL injection (I'm confused) by Sulphur · · Score: 3, Funny

    Watson: What is "http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27" Alex

  30. Re: SQL injection (I'm confused) by Anonymous Coward · · Score: 0

    Simple, you append the SQL code to one of the parameters:
    Simple:
    http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27;

    and let the server process the request. If there is no parameter validation being done at any point between when the request is made and the SELECT is made on the database, you get SQL injection.

    Presumably they do something along the lines of

    "SELECT * from PAGE where ID = " + pageParam;

    Where pageParam equals "27;SELECT ....." with another SQL statement.

  31. French Military Advice by Anonymous Coward · · Score: 0

    Kill the head, ... the body follows.

    Welcome to your grave Aaron Barr (Saigon Style on the street in front of a restaurant at the corner).

    XXOO

    -308

  32. How Many Of Those Mistakes is My Company Making? by Greyfox · · Score: 4, Insightful

    I think the big one is my CEO ain't talking shit about a bunch of hackers who are better at it than him.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  33. Re: SQL injection by pclminion · · Score: 1

    You can't mention SQL injection without reading this awesome thread on TDWTF.

  34. That was a great article by dave562 · · Score: 2

    It's on par with what Sterling wrote in The Hacker Crackdown.

  35. Not a great advert for a security firm. by Chrisq · · Score: 1

    .. a perfect storm of SQL injection, weak passwords, weak encryption, password re-use, unpatched servers, and social engineering.

    Not the people I would go to for security advice

    1. Re:Not a great advert for a security firm. by Anonymous Coward · · Score: 0

      Doesn't mean they don't give out good advice - just means they don't take good advice.

      Example: lots of doctors smoke.

  36. Hmm, mistakes? by Khyber · · Score: 1

    "but how many of these mistakes is your company making?"

    Looks like I got lax in cracking the whip. I just went from 3 errors to 33 errors.

    Time to crack the whip, again.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  37. 4chan being counter-attacked? by Khyber · · Score: 1

    It's midnight PST here, and 4chan is having MASSIVE issues in posting anything. I've tried multiple (unsecured) connections besides my own, and it's the same result, even from VPN halfway across the country.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:4chan being counter-attacked? by Anonymous Coward · · Score: 0

      meh, sounds like typical 4chan connection. probably m00t uploading his next puddie mod....

  38. Re: SQL injection (I'm confused) by L4t3r4lu5 · · Score: 1

    Forgive my lack of terminology; I know next to nothing of databases anymore. MSAccess was forced on me at college, and I know nothing to speak of about SQL.

    One of those passed parameters was passed directly to an SQL query, with no validation or sanitation whatsoever. Turning "...&page=27" into '...&page="; DROP TABLE (FOO);' or somesuch would result in the whole query being executed.

    Look for the XKCD on "Bobby Tables" for a better example. Again, I know next to nothing of the exact methods involved. It's just just how I understand SQL injection to work.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  39. Re: SQL injection (I'm confused) by cyclomedia · · Score: 1

    or if you're expecting a number run it through something like parseInt() first. How hard is that?!

    --
    If you don't risk failure you don't risk success.
  40. Re: SQL injection by arivanov · · Score: 1

    No, it is from a different cartoon.

    The name of the company is not HBGary. It is HBGary Federal.

    Nuff said. No further comment necessary.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  41. Anonymous living up to the hype of Kevin Mitnick? by Anonymous Coward · · Score: 0

    I remember when Kevin was being hunted and the world was fearful that he could whistle down the phone line and launch a nuclear attack .... Now it appears that Anonymous ARE actually capable of mass effect out in the real world whereas the media fear of Mitnick was all legal propaganda. I just found that interesting.

  42. Re: SQL injection (I'm confused) by Ash+Vince · · Score: 1

    They are giving you the original URL where the injection was used, not a link to the actual injection.

    They probably replaced some of those parameters with the injection code.

    page is probably how many results per page they want, and pageNav is what page they want, so probably page landed straight into a LIMIT in an SQL query, without any kind of treatment. Most likely, just passing that crap through mysql_real_escape_string() would have been enough.

    In the case of this both of those parameters should be restricted to being numeric only. This should be done as soon as the page reads the values from the querystring. On top of this they could use PDO or some other kind of prepared statements to provide a further level of security.

    Lets not restart the argument with Jamie about prepared statements being the only way of doing things :)

    --
    I dont read /. to RTFA, I read /. to offend people in ignorance.
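The pattern decora, the AC in comment 30 and Ash+Vince are all describing, shown as an added example (not code from the thread or from HBGary's CMS): a page id from the query string glued into the SQL text beside the hardened version that casts it to an integer at the edge and binds it as a parameter. The `pages` table and its rows are constructed sample data, and SQLite stands in for whatever database the real site used.

```python
import sqlite3

# Constructed sample data standing in for a CMS "pages" table (hypothetical schema).
PAGES = [
    (1, "Home", "public"),
    (27, "About", "public"),
    (99, "Draft roadmap", "internal"),  # a row the public page should never return
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", PAGES)
    return conn


def lookup_vulnerable(conn, page_param):
    """The pattern the thread describes: the raw query-string value is
    concatenated into the SQL, so the value can change the WHERE clause."""
    sql = "SELECT title FROM pages WHERE id = " + page_param
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, page_param):
    """Two independent defences from the thread: reject anything that is
    not an integer as soon as it is read, then bind the value as a query
    parameter instead of building SQL text from it."""
    try:
        page_id = int(page_param)
    except ValueError:
        raise ValueError("page must be numeric") from None
    rows = conn.execute("SELECT title FROM pages WHERE id = ?", (page_id,))
    return [row[0] for row in rows]


def demo():
    """Return (normal lookup, what the vulnerable lookup leaks, hardened lookup)."""
    conn = make_db()
    normal = lookup_vulnerable(conn, "27")  # ['About']
    # decora's 'decora OR name=cmdrtaco' trick, applied to the numeric id:
    leaked = lookup_vulnerable(conn, "27 OR 1=1")  # every row, internal one included
    safe = lookup_hardened(conn, "27")  # ['About']; the same tampered value raises
    return normal, leaked, safe


if __name__ == "__main__":
    print(demo())
```

Note that the integer cast alone stops this particular input, and the bound parameter alone stops it too; doing both means a bug in either layer does not reopen the hole.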
  43. Re: SQL injection (I'm confused) by GNUALMAFUERTE · · Score: 1

    Yeah, I mentioned proper escaping and input validation because a rewrite of that app to use PDO would take time and be expensive. Adding input validation and escaping all strings is trivial and can be done in an afternoon.

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  44. Re: SQL injection (I'm confused) by GNUALMAFUERTE · · Score: 1

    Exactly my argument. If you use some ancient code and it doesn't use PDO or $PREPARED_STATEMENT_SYSTEM, you don't have to rewrite it. Just use basic input validation and escape all strings, and you should be relatively safe.

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  45. gold star for the day by Anonymous Coward · · Score: 0

    From: rich@hbgary.com
    To: all@hbgary.com
    Date: Tue, 10 Feb 2009 19:51:04 +0000
    Subject: Kaspersky labs website hacked

    Simple Sql injection was the attack vector... Does our new website have a sql backend?
    Sent from my Verizon Wireless BlackBerry

  46. Really? by Anonymous Coward · · Score: 0

    C'mon Anonymous...

    Posting all their client's info, confidential product info, staff personal emails, and personal details of clients too? What did those people do, apart from buy HBGary's products. You've collectively punished them for nothing, when they were innocent by-standers. I didn't realise this was the Anonymous way...

    2.3GB torrent of stuff no less. I admit it made good reading and gave an interesting insight into software development and the security industry.

    However, in terms of revealing their client-base and info, this is like punishing Microsoft users for buying a Microsoft product. (Isn't that punishment enough?).

    Aaron Barr's clumsy attempts to ingratiate himself to Anonymous, were certainly worthy of contempt, and his attempts to identify individuals like some kind of private eye, certainly singled himself out for attention as the idiotic poster boy Security Guy. By all means, flood his home connection off the 'net. But HBGary Federal produces fairly sophisticated products designed to try and stop malware/spyware and root-kits, and you chose to try and wreck their whole business that it took them 3 years or so to build? C'mon, where is the fairness?

    I can't help thinking that Anonymous (due to their 3 of the DDoS), felt threatened by HBGary as they are the "competition", and might have had some success against Botnets in the past.

    I think in this case Anonymous over-stepped the mark, and are operating with their own flawed morality. You've really got to think things through before you just do it. Think of the bigger picture. You just came off as a cruel bunch of f-tards with this stunt.

    I think I'll post this one Anonymously.. :) Pardon the pun...

    1. Re:Really? by karuna · · Score: 1

      There is no fairness. There are only lulz. :D

      Everyone is taking this all too seriously. It is sad when people become mired in their own self-importance. Then we need someone who plays the music. If you want to argue that the firm lost millions due to the hack, then it is a sign that you are taking this too seriously. Because money is not the end of itself but the means to make life more interesting. Consider this the sacrifice for the world which was greatly entertained by this. :D

  47. Re: SQL injection by PawNtheSandman · · Score: 2

    HBGary and HBGary Federal are 2 different companies, that are related. HBGary was the one hacked.

  48. HBGary got cracked because of stupidity by bl8n8r · · Score: 1

    this is the accepted way for a lot of places to transfer credentials.  I'm really surprised a place like HBGary did the same.  It was a long time coming if this is SOP for them.

    http://dazzlepod.com/site_media/txt/rootkit.com.txt

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
  49. How strong is the Firefox/Chrome master password? by KWTm · · Score: 1

    The first thing I did, after Google Chrome came out, was go through the source code to see how it encrypts saved passwords.

    Before using Firefox password saving feature, with a master password, I researched what techniques there are to brute force it open, and which password combinations are the most secure. I even bruted my own key file (with no important saved passwords btw) as a test.

    I then chose a password with a complexity to match my own educated guess.

    Would you be willing to share some details? In particular, what would be the needed complexity of the Master Password to make it just as worthwhile to brute-force the Firefox password vault as to guess the Master Password? How many bits? (Or, alternatively, how long would a lower-case-letters-only password have to be to have the correct complexity?)

    If you say 8 letters lower-case, I'm going to delete all my passwords from Firefox...

    --
    404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
    [GPG key in journal]
  50. an endless source of entertainment... by Thud457 · · Score: 1
    just to spread the gnawlidje, someone on another thread pointed to this, which points out :

    The following Google query returns some fantastic results (thousands of them):

    inurl:select inurl:where inurl:%20

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  51. Vigilantism or Public Service? by Anonymous Coward · · Score: 0

    People have been looking at the anonymous study of HBGaryFederal and the information that has been posted. That got our attention, and helped us gauge that company and its capabilities in the security field.

    What if this is just the low lying fruit, damning evidence easily found?

    If we are lucky, a copy of the email database and backups was sent to Wikileaks. Those people can take the time to do a more thorough analysis. And publish.

    Here's hoping
    --
    If our politicians told us they lied, we still wouldn't believe them.

  52. Re:How strong is the Firefox/Chrome master passwor by pinkushun · · Score: 1

    That would take _roughly_ 35 mins on an average workstation/multiple PCs working together. Include numerals and special characters to magnify the possible permutations, and you push it up to _about_ 2 years.

    Give or take depending on processing power, implementation, and such other many things you can imagine and Google.

    see here for interesting values, if that helps? http://www.lockdown.co.uk/?pg=combi