Anatomy of the HBGary Hack
PCM2 writes "Recently, Anonymous took down the Web sites of network security firm HBGary. Ars Technica has the scoop on how it happened. Turns out it wasn't any one vulnerability, but a perfect storm of SQL injection, weak passwords, weak encryption, password re-use, unpatched servers, and social engineering. The full story will make you wince — but how many of these mistakes is your company making?"
The story of their being hacked and how it was done has probably done more for systems security than they as a company ever have...
I've been following this since I heard of it happening - definitely interesting. I like the idea of a custom CMS to avoid an open one (more security). And the poor admin who gave out root, dropped firewalls, and gave up the correct username all via email - that's a bummer. I bet that will be among his "worst day ever" collection. As for shared passwords, I'm sure a lot of us work at guilty companies. Hell, Active Directory exists partially to address the need for multiple passwords. In all, I enjoyed reading how it was done - quick, efficient work.
But how many of these mistakes is your company making?
Most companies probably make these mistakes, all except the biggest mistake which was poking a sleeping bear.
Got Code?
Well, we're not going after 4chan/anonymous, so we're probably in the clear.
I think the biggest security mistake it's possible to make is antagonizing the largest collection of bored hackers/crackers/script kiddies/associated hangers on that exists.
As it turns out, Anonymous isn't a bunch of 16 year old Swedish kids in their moms' basements running the LOIC. No, my friends, Anonymous knows what they are doing, and God spare your soul if you provoke them.
Looks like they got taken out by Little Bobby Tables...
http://xkcd.com/327
http://www.object404.com
I'm just amazed at how completely oblivious "Chief Security Specialist" Jussi Jaakonaho was during the email correspondence, AND that he was perfectly fine with sharing root passwords via plaintext email.
How do these people even get security jobs and yet be negligent about even the simplest security practices?
Gotta say, the linked article was a great education for me, one who's interested but never had time to dig into some of the arcana of stuff like SQL injection.
In watching Wikileaks, OpenLeaks, Egypt, the Palestine papers, and now HB Gary, I'm thinking that we're at the edge of something monumental. I expect we'll see a lot more formerly secret data become public, and see governments and corporations either clean up their acts, or become increasingly desperate and hostile in trying to keep their inside info secret.
Either way we're in for a wild ride!
Three Squirrels
The exact URL used to break into hbgaryfederal.com was http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27. The URL has two parameters named pageNav and page, set to the values 2 and 27, respectively. One or other or both of these was handled incorrectly by the CMS...
They are the Tacoma Narrows bridge of the IT security world now. They will be the textbook case example for generations of students, with the entire repertoire of what not to do every step of the way, especially the one about not pissing off a malevolent, anonymous mass.
... and look at this as a layman.
OK, they chose a closed/custom CMS in hopes of security through obscurity, fair enough.
Ok, the guy thought he was talking to the boss and gave away the credentials, fair enough.
But how the HELL did they think that such weak passwords, an out-of-date system and no SSH keys were fine?
Granted, all of their mistakes look unforgivable to me since I'm in the business, but I simply can't wrap my head around the ones I mentioned.
Strong passwords aren't an inconvenience, damn, let your browser remember them; why not keep an updated system in the first place? And passwordless SSH logins are more secure and more convenient.
And an SQL injection? Even an automated scan would have found that! (No offence to scanner developers, I'm one myself)
This is amateurish to say the least....
http://bobby-tables.com/
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
There's an example in the XKCD linked to near the top of the thread.
http://lmgtfy.com/?q=SQL+injection
The start of the problem was Barr mouthing off to the Anonymous contact about what he was going to do. Clearly, his ego is to blame for the trouble it caused his company.
If user input is not cleaned up before being used in a query, an attacker can possibly execute some arbitrary SQL on your db. For example, userName is passed in from the login form. The script uses it in a query:
SELECT * FROM customers WHERE name = '{$userName}'
Say you pass in this as your username: '; DROP TABLE customers; The query becomes:
SELECT * FROM customers WHERE name = ''; DROP TABLE customers;
or passing in ' OR 1=1; will find a match when there isn't one, etc.
Negative moral value of force outweighs the positive value of good intentions.
You're missing something.
http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27
Obviously the 2 and the 27 are not being validated before being appended into part of a larger SQL query, so construct your own URL substituting 2 (or 27) with something like 2';show tables; --
Find the one that looks like it contains user login information and then substitute again with 2';select * from user_table; --
Hey presto, you can now read all the user accounts and hashed passwords.
Really. +1.
If you mod me down, I shall become more powerful than you could possibly imagine.
somebody should add these to Anonymous' amazon wishlist: http://www.amazon.com/George-Hayduke/e/B001IYTP9E
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Put simply, when I submit this post it will go into a database.
There are characters such as ' or whatever that need to be escaped if, for instance, the SQL is built up, say, by concatenating strings:
SQL = "INSERT INTO Post_Table (text,username) VALUES ('" + PostData + "', '" + username + "')";
In this case single quotes represent the start and end of string data in the SQL statement.
So if I put a single quote in some data I post, and it's not escaped in the SQL statement, then I can craft a post that would allow me to execute another SQL statement afterwards, say if the DBMS uses ; as a statement terminator.
So say I post the data
foobar', 'he he a pretend username'); DROP DATABASE;
Well, you get the idea.
There's more to it and more ways than that, stored procedures etc.... but that's the general idea: if the data being posted isn't sent to or worked on in the DBMS properly, it's possible to add your own custom SQL statements that can do pretty much anything you like to the DBMS, and even get out onto the local network and then mess around with that, yada yada....
I could for instance put
foobar' + (SELECT blah FROM blip) + 'rab
and then when my post gets returned back to me it would contain whatever the select statement returned as well as the post.
thank God the internet isn't a human right.
They are giving you the original URL where the injection was used, not a link to the actual injection.
They probably replaced some of those parameters with the injection code.
page is probably how many results per page they want, and pageNav is what page they want, so probably page landed straight into a LIMIT in a sql query, without any kind of treatment. Most likely, just passing that crap through mysql_real_escape_string() would have been enough.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
ok, actually.
websites take input from users. like when i log in to slashdot, it asks me for input.
it will run the input through a program, which will talk to a database.
how does it talk to the database? it runs an SQL command, like 'SELECT * FROM users WHERE name=$username'
$username for me is 'decora' because that's what i type into my little login box.
but let's say i, uhm, type into the 'username' box something like 'decora OR name=cmdrtaco'.
now, instead of just getting my info, it might spit back all of cmdrtaco's info too! maybe even his hashed password.
to protect against this, most programs will take measures like:
0. validate input (does the username have spaces in it? reject if so)
1. check the SQL query to make sure it's 'safe' and contains no parsable SQL commands.
2. don't write stuff like 'SELECT * FROM', only read the stuff you need.
3. validate data returned from the SQL query before printing it to an html page.
i.e. if you're supposed to get 5 datums back per user and instead you get 10, something's wrong.
then again all that takes time and money and effort to do.
why bother, if nobody will ever care? the company that made the CMS for HBGary probably contracted out the programming to some other company that hired people off a website (i have no evidence of course).
Watson: What is "http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27" Alex
Obviously, unless you expect someone to spend as much time and effort as has been spent already on writing a wikipedia page and numerous step by step example explanations when writing a slashdot comment. In which case I suspect you are going to be disappointed.
I think the big one is my CEO ain't talking shit about a bunch of hackers who are better at it than him.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
And you go to your professor or tutor without even looking at the basics first?
I'm glad you were never one of my students. Well, I hope you were never one of my students; there were a couple like that.
You can be a selfish jerk who thinks that other people should give them a personalized tutorial on everything instead of looking at the existing stuff first, that's fine. You'll find you learn stuff slower and burn all the people who might have helped you later when you get to the more difficult stuff though.
You seemed to get an answer you sort of liked so I guess it is working out for you. Mind you it took an hour after you posted as opposed to 5 seconds for the google search, and its example is incorrect as opposed to the numerous correct ones on the first result of the google search.
An SQL query is a plain-text template; the parameter is pasted verbatim into the proper place and then the query is executed.
Let's say you've got the condition
where a='$param'
What happens when you enter "whatever'; some other stuff" as $param? The legit query ends in the middle of the $param value (at the '; part) and the rest is treated as a separate command to execute, and you can put *anything* there. That's why it's important to strip/escape any parse-related character that has no business being there.
You can't mention SQL injection without reading this awesome thread on TDWTF.
The basic idea is that SQL instructions are processed on the back end by an interpreter that accepts whatever plaintext requests it gets. The SQL interpreter has no real security, other than the fact that it is usually set up only to talk to the web front end. The frontend (Java, PHP, whatever) that runs the website takes user inputs and processes that input, then creates the plaintext command to send to the SQL interpreter. When creating those plaintext commands, the frontend software is sometimes made without any smarts, so that if an attacker knows the correct language for the SQL interpreter being used, and the frontend software doesn't prevent it, you could put in your own plaintext commands instead of whatever you were supposed to put in. The result is that the frontend will simply pass what you gave it directly to the SQL interpreter unmodified, which effectively allows the end user to send commands directly to the SQL interpreter when all they were supposed to be able to do was put in their user name. The most commonly referenced command is "DROP TABLE", which tells the database to delete stuff; hence the xkcd comic about Bobby Tables.
A simple and slightly flawed analogy is a function call into a jump table that is supposed to allow you to call functions 1 through 5, but the function call doesn't check to see what number you gave it so you can actually tell it to call any function in the table just by putting in a different number. A properly written frontend would do the checking to see that all you gave it was a number between 1 and 5. A poorly written front end will just take whatever number you gave it and call that function from the table...
-=Geoskd
I wish I had a good sig, but all the good ones are copyrighted
But on the other, will we have no discussion of whether a vigilante retaliation is appropriate? Logging in, maybe some embarrassing modifications to the web site, sure. Publishing all the employees' e-mails and deleting backups, too? (If someone had come and broken Barr's legs in an alley, would we be so ready to gobble up the technical details of how it'd been done?)
I'll take that one... I think it is reasonably proactive of Anonymous to have taken up this path. HBGary claims to know who at least some influential members of Anonymous are. HBGary also claims to be a security specialist. By demonstrating that HBGary is not competent as a security specialist, Anonymous have also, by extension, cast doubt onto HBGary's claims to know who Anonymous are. This throws any conclusions HBGary may have made public into doubt, and establishes reasonable doubt. This will muddy the waters if anything ever makes it to court.
As long as we're on the topic, whatever made you think that a government should have any right or authority that an individual does not have? Why should an individual not be allowed to act in the capacity of judge? Our world has demonstrated repeatedly that those that have been selected by governments to perform as judges are often woefully inadequate to the task, and we would often be better off letting the mob make the decisions, because the judges are outright corrupt. Why is it that when a government retaliates it is called justice, and when an individual retaliates it is called revenge? I call that a monumental violation of common sense, and a most egregious violation of human rights. There should be no power that a government wields that the constituents of that government are prevented from wielding.
-=Geoskd
I wish I had a good sig, but all the good ones are copyrighted
Revenge is almost never the right thing to do. It is a thing to do, and it's an unfortunate human trait that the overwhelming majority of us feel when we have been wronged or perceive that a wrong has been committed against us. I've posted in a previous thread about my thoughts related to this, but I can essentially sum it up by stating that I think it was wrong what Anonymous did, primarily because they may have hurt many more people than just Barr. Though I do admit that I can't think of a more deserving target than Barr, given his arrogance that could have led to hurting innocent people with his own hands. And I think that's one of the more frightening underpinnings of this story that isn't getting due press--what happens if a (rogue) researcher is so confident he's identified a dangerous group of hackers that he's willing to do whatever it takes, even if his assumptions were completely wrong? What if they're so hungry for clients or press that they don't care if innocent people get slammed?
The other thing that surprises me about Barr is that he must have been greatly ignorant of basic childhood rhymes. There's plenty of sayings that come to mind that I'm sure he's heard before: play with fire, and you're going to get burned; don't poke the bear; let sleeping giants lie; and the list goes on and on.
Back to the discussion: sure, it's surprising that a security/consultancy firm like HBGary was hit so hard by something as simple as the attacks outlined in TFA, but I think it is far more surprising to me that Mr. Barr did not see this coming. From the previous articles I read on Ars Technica, it seems to me that the only level-headed person in the whole ordeal was Barr's programmer--a man who warned Barr numerous times not just about possible retaliation but that the names Barr had accumulated were almost certainly innocent people. But Barr was certain that they were the right names. Can you imagine the damage he would have done if he released them publicly or to the FBI (assuming that the FBI would take him seriously--I'd like to believe they wouldn't, but given the recent DHS fiasco with FreeDNS I have my doubts)? The potential for some poor innocent bystander who happened to friend the wrong person on Facebook may have found their doors knocked down at 6AM for something they didn't do. All that because of Barr's certainty he was right.
I guess it just surprises me that a security company whose job it is to analyze malware and is almost certainly well aware of the personality profile of the typical attacker didn't see this out of control freight train. I know that doesn't justify thoroughly destroying a company, but I don't think they're particularly deserving of much sympathy either. Barr's programmer warned company executives in the e-mails as reported by Ars, and I seem to recall at least one exchange where one of the higher ups told Barr to back off. He didn't, and he cost all of them dearly.
It's not unlike having a family reunion at the zoo where one of the overly curious bull-headed adolescents decides it would be funny to open the bear cage and poke it with a stick or throw rocks at it. He is then surprised when he and his entire family are mauled.
Family member: "Aaron, what are you doing?"
Aaron: "I'm going to poke the bears."
Family member: "Don't do that. They'll get angry."
Aaron: "I just want to open the cage."
Family member: "Are you serious? That's got to be the stupidest thing I've ever heard."
*bear cage opens, bear gets poked*
*assorted growls and screams*
Weeks later, in recovery; Aaron: "I don't know why it was so angry..."
Regardless, I'm with a couple of the previous posters. This is going to go into college books for the next 30-50 years as an example not unlike Enron. Further, as someone else also pointed out, Barr probably did more to further educate the technology-minded masses on exploits in a single week by screwing himself over than he has in decades.
On the plus side, I doubt he'll be poking the bear cage any time soon.
He who has no
It's on par with what Sterling wrote in The Hacker Crackdown.
.. a perfect storm of SQL injection, weak passwords, weak encryption, password re-use, unpatched servers, and social engineering.
Not the people I would go to for security advice
"but how many of these mistakes is your company making?"
Looks like I got lax in cracking the whip. I just went from 3 errors to 33 errors.
Time to crack the whip, again.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
It's midnight PST here, and 4chan is having MASSIVE issues in posting anything. I've tried multiple (unsecured) connections besides my own, and it's the same result, even from VPN halfway across the country.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Who started with the vigilantism here?
Aaron Barr at HBGary. He's not law enforcement and as far as I know wasn't under contract by any law enforcement agency to root out the members of Anonymous.
Yet he's threatening to name names. To accuse people of participating in disruptive, possibly criminal activities.
Not in a court of law. But in public.
He's going all "Wild West" on people here and threatening to "pull his gun".
In this case, Anonymous responded in kind and Aaron Barr, shootist, is now lying in the street in a puddle of his own blood.
Unfortunately, Anonymous brought a gatling gun to a pistol fight. So lots of other people have huge bullet holes blown in them too.
Now I deplore "hacktivism" as the WORST possible way to convey one's message to people.
But I'm VERY familiar with the notion of making it painful for people who're harassing you to continue to do so.
What Anonymous did was wrong. Make no mistake about it.
But what did these jackholes THINK was going to happen?
Chas - The one, the only.
THANK GOD!!!
Forgive my lack of terminology; I know next to nothing of databases anymore. MSAccess was forced on me at college, and I know nothing to speak of about SQL.
One of those passed parameters was passed directly to an SQL query, with no validation or sanitation whatsoever. Turning "...&page=27" into '...&page="; DROP TABLE (FOO);' or somesuch would result in the whole query being executed.
Look for the XKCD on "Bobby Tables" for a better example. Again, I know next to nothing of the exact methods involved. It's just how I understand SQL injection to work.
Finally had enough. Come see us over at https://soylentnews.org/
Is this revenge or pragmatism? When someone says they're going to attack you, a preemptive strike is often the most intelligent move you can make. This is not like a drive-by shooting on a crowded street; any "bystander" hurt by an attack on HBGary is a tool who is funding their nefarious behavior, they are part of the problem, and they deserve what happens to them.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
or if you're expecting a number run it through something like parseInt() first. How hard is that?!
If you don't risk failure you don't risk success.
No, it is from a different cartoon.
The name of the company is not HBGary. It is HBGary Federal.
Nuff said. No further comment necessary.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
They are giving you the original URL where the injection was used, not a link to the actual injection.
They probably replaced some of those parameters with the injection code.
page is probably how many results per page they want, and pageNav is what page they want, so probably page landed straight into a LIMIT in a sql query, without any kind of treatment. Most likely, just passing that crap through mysql_real_escape_string() would have been enough.
In this case both of those parameters should be restricted to being numeric only. This should be done as soon as the page reads the values from the query string. On top of this they could use PDO or some other kind of prepared statements to provide a further level of security.
Let's not restart the argument with Jamie about prepared statements being the only way of doing things :)
I don't read
Yeah, I mentioned proper escaping and input validation because a rewrite of that app to use PDO would take time and be expensive. Adding input validation and escaping all strings is trivial and can be done in an afternoon.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Exactly my argument. If you use some ancient code and it doesn't use PDO or $PREPARED_STATEMENT_SYSTEM, you don't have to rewrite it. Just use basic input validation and escape all strings, and you should be relatively safe.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
HBGary and HBGary Federal are 2 different companies, that are related. HBGary was the one hacked.
That's correct. What comes before a fall is "Oh $#!&, I'm about to fall."
But on the other, will we have no discussion of whether a vigilante retaliation is appropriate?
What would you have them do? Work through the legal channels? When the law is so heavily stacked against justice, you can't blame people for taking vigilante action. It's the corrupt justice system that is at fault.
Give me Classic Slashdot or give me death!
this is the accepted way for a lot of places to transfer credentials. I'm really surprised a place like HBGary did the same. It was a long time coming if this is SOP for them.
http://dazzlepod.com/site_media/txt/rootkit.com.txt
boycott slashdot February 10th - 17th check out: altSlashdot.org
Would you be willing to share some details? In particular, what would be the needed complexity of the Master Password to make it just as worthwhile to brute-force the Firefox password vault as to guess the Master Password? How many bits? (Or, alternatively, how long would a lower-case-letters-only password have to be to have the correct complexity?)
If you say 8 letters lower-case, I'm going to delete all my passwords from Firefox...
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
...
What Anonymous did was wrong. Make no mistake about it.
...
That is your opinion.
I think what they did was right. HBGary talked the talk, but couldn't walk the walk. Who better but anonymous to show us what's up?
anonymous is the public. It's mobs. Mob justice. It's the reminder that you might not be all that and a bag of chips if you're doing something people might not like.
If you have nothing to hide, you shouldn't be worried.
Be seeing you...
The problem with SQL injection is that the programmer uses direct input from the user as part of a query for his database. Consider this SQL query:
select * from articles where topic='cars';
Now imagine that the user has some way to select the topic he wants to see articles of. Maybe there's a select box where you can select between 'cars', 'women' and 'beer'. So the programmer builds his query like this:
"select * from articles where topic='" + params.topic + "';"
He blindly assumes that params.topic can only be 'cars', 'women' or 'beer', because those are all the options that he wrote in the client side. The problem is that the client side (the HTML + javascript) runs on the user's machine, and is automatically compromised. Instead of asking for the web page brokensite.com/articles?topic=cars, he can also call:
brokensite.com/articles?topic='; select * from tables; --
And that turns the SQL query into:
select * from articles where topic=''; select * from tables; --';
So suddenly you've got two queries. (Everything after the -- is comment; it's ignored.) Exactly what happens now probably depends a bit on the web framework used, but with a bit of luck you'll get an error page that includes everything that these queries returned. Including the names of all the tables in the database. Figure out which table looks like it contains user information, and then you go to:
brokensite.com/articles?topic='; select * from users; --
Basically the brokensite.com/articles?topic='; part is now a prefix with which you can access their entire database from your browser. You can retrieve information, change it, destroy it, anything.
Of course the big mistake the programmer made is using user input as part of the query. You should never ever do that. The query should be a constant string, and user input should be added as parameters to that query. How you do that exactly depends on your language and framework, but in Ruby I believe it's something like:
["select * from articles where topic=?", params.topic]
This way, nobody can sneak a different query into your database.
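As an added illustration, not code from any poster in this thread, of the two points made above (the concatenated query beside its parameterised form) and of the earlier advice to restrict pageNav and page to numeric values before they reach a LIMIT clause. The SQLite schema, rows, hash strings and function names are all constructed for this example; the stand-in query builder mirrors the pattern described, not the actual CMS.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the CMS database;
    table names, rows and hash strings are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, topic TEXT, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);
        INSERT INTO articles (topic, title) VALUES
            ('cars', 'Ten fast cars'), ('beer', 'Best lagers'), ('cars', 'Old roadsters');
        INSERT INTO users (name, pw_hash) VALUES
            ('alice', 'constructed-hash-1'), ('bob', 'constructed-hash-2');
    """)
    return conn


def articles_by_topic_vulnerable(conn, topic):
    """The pattern the thread warns about: user input pasted into the query text.
    A topic of  ' OR '1'='1  turns the WHERE clause into a tautology, so every
    article comes back instead of the one topic the select box offered."""
    sql = "SELECT title FROM articles WHERE topic='" + topic + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def articles_by_topic_safe(conn, topic):
    """Constant query string; the input is bound as a parameter, so quote
    characters inside it are data, never SQL syntax."""
    rows = conn.execute(
        "SELECT title FROM articles WHERE topic=? ORDER BY id", (topic,))
    return [row[0] for row in rows]


# Paging parameters may only be short unsigned integers.
NUMERIC = re.compile(r"^[0-9]{1,6}$")


def parse_page_params(query_string):
    """Validate pageNav and page as soon as they are read from the query string,
    before anything touches the database. Raises ValueError for anything that
    is not a plain positive integer (e.g. the  2';show tables; --  variant)."""
    params = {}
    for pair in query_string.split("&"):
        key, _, value = pair.partition("=")
        params[key] = value
    out = {}
    for key in ("pageNav", "page"):
        value = params.get(key, "")
        if not NUMERIC.match(value) or int(value) == 0:
            raise ValueError(f"{key} must be a positive integer, got {value!r}")
        out[key] = int(value)
    return out


def fetch_page(conn, query_string):
    """Page through articles. 'page' is treated as rows per page and 'pageNav'
    as the page number (the guess made in the thread); both reach the
    LIMIT / OFFSET clause only as bound integers."""
    p = parse_page_params(query_string)
    per_page, page_no = p["page"], p["pageNav"]
    rows = conn.execute(
        "SELECT title FROM articles ORDER BY id LIMIT ? OFFSET ?",
        (per_page, (page_no - 1) * per_page))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(articles_by_topic_vulnerable(db, "' OR '1'='1"))  # all three titles leak
    print(articles_by_topic_safe(db, "' OR '1'='1"))        # []
    print(fetch_page(db, "pageNav=2&page=2"))               # second page of two
    try:
        fetch_page(db, "pageNav=2';show tables; --&page=27")
    except ValueError as exc:
        print("rejected:", exc)
```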
Go ahead and hire a private tutor to shovel knowledge into your brain, then.
Until you can afford that, show some gratitude to people who point you in the right direction.
There is no fairness. There are only lulz. :D
Everyone is taking this all too seriously. It is sad when people become mired in their own self-importance. Then we need someone who plays the music. If you want to argue that the firm lost millions due to the hack, then it is a sign that you are taking this too seriously. Because money is not the end of itself but the means to make life more interesting. Consider this the sacrifice for the world which was greatly entertained by this. :D
...
What Anonymous did was wrong. Make no mistake about it.
...
That is your opinion.
I think what they did was right.
No, that is YOUR opinion. Breaking into systems not owned by you, destroying data, and other forms of vandalism is wrong. Regardless of the motives.
HBGary talked the talk, but couldn't walk the walk. Who better but anonymous to show us what's up?
anonymous is the public. It's mobs. Mob justice. It's the reminder that you might not be all that and a bag of chips if you're doing something people might not like.
If you have nothing to hide, you shouldn't be worried.
Talk about mob justice to all the victims of lynchings in the American south and southwest. A mob is a mob. Justice is not the first thing on its mind.
Chas - The one, the only.
THANK GOD!!!
You're right, and that's also another side of the coin. Thanks, drinky.
Of course, I don't really lean either way. Part of me wishes to play devil's advocate, but I certainly do believe that HBGary was more or less asking for what happened to them. Plus, Anonymous knew Mr. Barr was planning on meeting with the FBI so they had no idea whether he was going to release names (or not). He claimed he wouldn't, but given his continued deception (attempted, anyway) toward members of Anonymous, you're absolutely right--it's easy to see how they would have believed an attack was imminent.
Regardless of whether you see the attacks as preemptive or retaliatory, I believe you would agree that they are the result of the arrogance of one man blowing up in his own face. Mr. Barr's problem (well, one of many) was that he honestly believed himself to be smarter than everyone else. While I'm not so sure recent events will change his inflated self-opinion, I suspect he'll have a hard time being hired for analyst work in the future.
Or maybe not. The corporate world often dooms itself by picking up well known people regardless of their performance history.
He who has no
The following Google query returns some fantastic results (thousands of them):
inurl:select inurl:where inurl:%20
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Exactly. They used SQL injection to get a list of users and hashed passwords from the database, used rainbow tables to find users with easy (short) passwords, and then tried whether any of those passwords would also work on other accounts that didn't even have anything to do with this database. Like linux accounts, gmail accounts, etc.
So it's the accumulation of 3 big errors that made this possible. Had they prevented SQL injection, it wouldn't have worked. Had they used very long passwords, it wouldn't have worked. Had they not reused the passwords in this database for other accounts, then maybe the database and apps relying on it would have been completely compromised, but their servers and email accounts would still have been safe.
SQL injection = some prat didn't use a decent data abstraction layer, or there was one really fucked up stored procedure.
unfortunately, that's about 90% of the IT people I've worked with.
thank God the internet isn't a human right.
A plain English analogy.
Let's say you hand the bus driver some change for a ticket.
Now most bus drivers have a policy of not turning their back on you whilst you're there, as you may be able to nick their wallet from their pocket whilst their back is turned.
One stupid company thought it was friendly and open if, after taking your money, they got their drivers to glance away for a second.
Someone noticed this, and with sleight of hand nicked the bus driver's wallet.
Except it's SQL and data not money.
thank God the internet isn't a human right.
That would take _roughly_ 35 mins on an average workstation/multiple PC's working together. Include numerals and special characters to magnify the possible permutations, and you push it up to _about_ 2 years.
Give or take depending on processing power, implementation, and such other many things you can imagine and Google.
see here for interesting values, if that helps? http://www.lockdown.co.uk/?pg=combi