Slashdot Mirror


Anatomy of the HBGary Hack

PCM2 writes "Recently, Anonymous took down the Web sites of network security firm HBGary. Ars Technica has the scoop on how it happened. Turns out it wasn't any one vulnerability, but a perfect storm of SQL injection, weak passwords, weak encryption, password re-use, unpatched servers, and social engineering. The full story will make you wince — but how many of these mistakes is your company making?"

19 of 220 comments

  1. Awesome by cs668 · · Score: 5, Funny

    The story of their being hacked and how it was done has probably done more for systems security than they as a company ever have......

    1. Re:Awesome by hairyfeet · · Score: 4, Insightful

      Don't you just love it? Whether you are for the Anon guys or not, you just gotta love a bunch that advises others on security and falls for every single bad practice in the book. They had a badly coded CMS that didn't sanitize squat, no real rules when it came to passwords, passwords badly hashed, reuse of passwords, just on and on. It is like a comedy of fail!

      I have to agree with you that this should be a valuable life lesson for those that haven't paid attention before. Of course I figured that by the time SQL injection tricks had gotten so common that XKCD was doing the "Bobby Drop Tables" bit, surely everyone had learned to sanitize? Apparently not, and how sad but funny that it was a security group that was such a king of fail. It's like having the town drunk lecture you on responsible drinking while killing his second bottle of Jack! It's just too funny!

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Definitely interesting.... by jesseck · · Score: 3, Interesting

    I've been following this since I heard of it happening - definitely interesting. I like the idea of a custom CMS to avoid an open one (more security). And the poor admin who gave out root, dropped firewalls, and gave up the correct username all via email - that's a bummer. I bet that will be among his "worse day ever" collection. As for shared passwords, I'm sure a lot of us work at guilty companies. Hell, Active Directory exists partially to address the need for multiple passwords. In all, I enjoyed reading how it was done - quick, efficient work.

    1. Re:Definitely interesting.... by NevarMore · · Score: 4, Insightful

      I like the idea of a custom CMS to avoid an open one (more security).

      It's far easier to audit existing code than it is to build your own code. Even if you write it yourself, you have to do the same auditing and testing that you would against an existing product.

    2. Re:Definitely interesting.... by nodwick · · Score: 3, Interesting

      I've been following this since I heard of it happening- definitely interesting. I like the idea of a custom CMS to avoid an open one (more security).

      Sadly the moral of the story is the exact opposite - the custom CMS HBGary commissioned was actually less secure, as it appears not to have been subjected to proper security audits, nor was it being updated to patch discovered bugs. Direct from TFA:

      Rather than using an off-the-shelf CMS (of which there are many, used in the many blogs and news sites that exist on the Web), HBGary—for reasons best known to its staff—decided to commission a custom CMS system from a third-party developer. Unfortunately for HBGary, this third-party CMS was poorly written. In fact, it had what can only be described as a pretty gaping bug in it. A standard, off-the-shelf CMS would be no panacea in this regard—security flaws crop up in all of them from time to time—but it would have the advantage of many thousands of users and regular bugfixes, resulting in a much lesser chance of extant security flaws.

      The very thing you consider a disadvantage in an open software system - the fact that anyone can discover bugs in it - also helps ensure that such bugs are publicized and fixed. With HBGary's custom CMS, the bugs were still there, but the only people looking were the ones specifically trying to break into their system. There can be a case for code obscurity, but if that's all you're relying on to protect yourself, I'd say you're really just burying your head in the sand.

    3. Re:Definitely interesting.... by jamienk · · Score: 4, Insightful

      A non-custom CMS like WordPress is very often the target of massive automated attacks: a new bug is discovered in WP and a tool is written to seek out vulnerable installations and exploit that bug. If you have the skill or $$ to pore over the code, you can probably find your own bugs before they become publicly known.

      On the other hand, if your site is specifically targeted, then your custom CMS is as vulnerable or more than the WordPresses out there. You might have a bit of security through obscurity (in a standard WP install, the attacker might know file names and locations, variable names, classes, etc.) but this will probably do you little good if you weren't able to harden the code.

      Lesson: you are screwed if a rich, powerful, or smart attacker singles you out. A standard CMS can land you in hot water if you don't have a knowledgeable person administering it (and who has that?).

    4. Re:Definitely interesting.... by Ihmhi · · Score: 3, Interesting

      What happened to HBGary is like a fire station burning down because the smoke alarms didn't work - you'd think they, of all people, would know better.

    5. Re:Definitely interesting.... by benjamindees · · Score: 5, Funny

      It's more like a fire station burning down because the fire chief was being paid by the mayor to make molotov cocktails and throw them at local teenagers and one day they decided to throw one back and instead of putting the fire out the firemen screamed and ran around in circles and poured gasoline on it and the fire station exploded. But, yeah.

      --
      "I assumed blithely that there were no elves out there in the darkness"
  3. Mistakes by codepunk · · Score: 5, Insightful

    But how many of these mistakes is your company making?

    Most companies probably make these mistakes, all except the biggest mistake which was poking a sleeping bear.

    --
    Got Code?
  4. The real mistake by Fex303 · · Score: 5, Insightful

    The full story will make you wince — but how many of these mistakes is your company making?

    Well, we're not going after 4chan/anonymous, so we're probably in the clear.

    I think the biggest security mistake it's possible to make is antagonizing the largest collection of bored hackers/crackers/script kiddies/associated hangers on that exists.

  5. Re: SQL injection by naz404 · · Score: 4, Funny

    Looks like they got taken out by Little Bobby Tables...

    http://xkcd.com/327

  6. Incompetent by Anonymous Coward · · Score: 5, Insightful

    I'm just amazed at how completely oblivious "Chief Security Specialist" Jussi Jaakonaho was during the email correspondence, AND that he was perfectly fine with sharing root passwords via plaintext email.

    How do these people even get security jobs and be negligent in even the simplest security practices?

    1. Re:Incompetent by jesseck · · Score: 4, Interesting

      I also wonder though, how much of that was brought on by the corporate culture. My boss doesn't know what SSH is, so him asking about it would be a red flag to me. But executives at HBGary may have used it all the time. And maybe the required root access frequently. All it takes is one previous time of Jussi refusing to pass that info out and resulting in a "we pay your ass, do it when I tell you to!" reprimand, and Jussi will have been changed by the corporate environment to jump when the COO or CEO says to via email. Poor security practices, definitely. But often corporate culture leads to these poor practices. Everyone tries to start out doing the right thing, but often push it aside in favor of "the easy way".

  7. And What's next? by rueger · · Score: 4, Insightful

    Gotta say, the linked article was a great education for me, one who's interested but never had time to dig into some of the arcana of stuff like SQL injection.

    In watching Wikileaks, OpenLeaks, Egypt, the Palestine papers, and now HBGary, I'm thinking that we're at the edge of something monumental. I expect we'll see a lot more formerly secret data become public, and see governments and corporations either clean up their acts, or become increasingly desperate and hostile in trying to keep their inside info secret.

    Either way we're in for a wild ride!

  8. Attack Summary by Anonymous Coward · · Score: 4, Informative
    1. SQL Injection

      The exact URL used to break into hbgaryfederal.com was http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27. The URL has two parameters named pageNav and page, set to the values 2 and 27, respectively. One or other or both of these was handled incorrectly by the CMS...

    2. Password Hashes didn't use salts etc.
    3. Password hashing was done using MD5.
    4. Password complexity policy was crap anyway.
    5. Password recovery policy was vulnerable to social engineering (insider attack).
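The first three items of that summary chained together, as an added example that is not code from the article or from HBGary's CMS: a constructed in-memory SQLite stand-in for a `pages.php`-style lookup shows the injectable query beside its parameterized form, then why an unsalted, unstretched MD5 dump falls to a small wordlist, beside a salted PBKDF2 hash. The table and column names, the users, their passwords, the wordlist and the `UNION` payload are all made up for this example; only the bug classes are the ones the summary names.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for this example; not HBGary's schema, users or passwords.
USERS = [("aaron", "hunter2"), ("ted", "password1"), ("greg", "Tr0ub4dor&3!")]
PAGES = [(27, "About Us"), (28, "Services")]
# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "hunter2", "password1", "qwerty"]


def unsalted_md5(password):
    """What the summary describes: MD5 of the password, no salt, one round."""
    return hashlib.md5(password.encode()).hexdigest()


def build_db():
    """In-memory SQLite stand-in for the CMS database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (id INTEGER, title TEXT)")
    con.execute("CREATE TABLE users (username TEXT, pwhash TEXT)")
    con.executemany("INSERT INTO pages VALUES (?, ?)", PAGES)
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(u, unsalted_md5(p)) for u, p in USERS])
    con.commit()
    return con


def get_page_vulnerable(con, page):
    """The bug class: the 'page' request parameter is pasted into the SQL text."""
    sql = "SELECT id, title FROM pages WHERE id = " + page
    return con.execute(sql).fetchall()


def get_page_safe(con, page):
    """Hardened form: the driver binds the value, so it can never become SQL syntax.
    A non-numeric value simply matches no row."""
    return con.execute("SELECT id, title FROM pages WHERE id = ?", (page,)).fetchall()


def harvest_hashes(rows):
    """From an injected UNION result, keep the rows that came from the users table
    (text username, 32-hex MD5) and drop the genuine page rows."""
    return {u: h for u, h in rows if isinstance(u, str) and len(h) == 32}


def crack_unsalted(hashes):
    """Without salts, one MD5 per wordlist entry tests it against every user at once;
    a precomputed (rainbow) table does the same with no hashing at attack time."""
    lookup = {unsalted_md5(w): w for w in WORDLIST}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def hash_password(password, salt=None, rounds=100_000):
    """Per-user random salt plus a slow KDF: the same password hashes differently
    for every user, and each guess costs the attacker 'rounds' HMAC operations."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; constant-time compare."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed payload in place of the numeric page id: valid page, then a UNION
# that appends every username and hash to the result set.
PAYLOAD = "27 UNION SELECT username, pwhash FROM users"


def run_chain():
    """Injection -> hash dump -> offline crack, then the same users under salted hashes."""
    con = build_db()
    injected = get_page_vulnerable(con, PAYLOAD)
    cracked = crack_unsalted(harvest_hashes(injected))
    salted = {u: hash_password(p) for u, p in USERS}
    return {"injected": injected, "safe": get_page_safe(con, PAYLOAD),
            "cracked": cracked, "salted": salted}


if __name__ == "__main__":
    result = run_chain()
    print("rows leaked by injection:", result["injected"])
    print("same payload with a bound parameter:", result["safe"])
    print("cracked from the unsalted MD5 dump:", result["cracked"])
```

The third user's password survives the wordlist only because it is not in it, not because MD5 protected it; with the salted hashes, a wordlist has to be rerun per user and each guess is a hundred thousand times slower. Real deployments should prefer bcrypt, scrypt or Argon2 over PBKDF2, but the two properties shown here (salt and work factor) are what the summary says was missing.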
  9. They will be famous for a long time by RelaxedTension · · Score: 4, Insightful

    They are the Tacoma Narrows bridge of the IT security world now. They will be the textbook case example for generations of students, with the entire repertoire of what not to do every step of the way, especially the one about not pissing off a malevolent, anonymous mass.

  10. Re: SQL injection (I'm confused) by Sulphur · · Score: 3, Funny

    Watson: What is "http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27", Alex?

  11. How Many Of Those Mistakes is My Company Making? by Greyfox · · Score: 4, Insightful

    I think the big one is my CEO ain't talking shit about a bunch of hackers who are better at it than him.

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  12. Re:Morals? by Chas · · Score: 3, Interesting

    Who started with the vigilantism here?

    Aaron Barr at HBGary. He's not law enforcement and as far as I know wasn't under contract by any law enforcement agency to root out the members of Anonymous.

    Yet he's threatening to name names. To accuse people of participating in disruptive, possibly criminal activities.

    Not in a court of law. But in public.

    He's going all "Wild West" on people here and threatening to "pull his gun".

    In this case, Anonymous responded in kind and Aaron Barr, shootist, is now lying in the street in a puddle of his own blood.

    Unfortunately, Anonymous brought a gatling gun to a pistol fight. So lots of other people have huge bullet holes blown in them too.

    Now I deplore "hacktivism" as the WORST possible way to convey one's message to people.

    But I'm VERY familiar with the notion of making it painful for people who're harassing you to continue to do so.

    What Anonymous did was wrong. Make no mistake about it.

    But what did these jackholes THINK was going to happen?

    --
    Chas - The one, the only.
    THANK GOD!!!