Slashdot Mirror


HBGary Hack In Depth

Udo Schmitz writes "Heise's UK site has the English translation of an article from the latest issue of their magazine c't about Anonymous's HBGary hack. It shows that there was much more involved than just social engineering to get passwords, and how anonymous evolved following OpTunisia and OpEgypt."

65 comments

  1. Lots of Security Holes by WrongSizeGlass · · Score: 4, Funny

    HBGary's systems were just riddled with security holes. From URL parameters that weren't scrubbed to straight MD5 password hashing to using the same password for several (and possibly many) accounts on different systems (servers, email, Twitter, LinkedIn, etc). I'm sure glad something as important as our government didn't use their security services. Oh, wait ... D'oh!

    1. Re:Lots of Security Holes by Anonymous Coward · · Score: 2, Insightful

      Interestingly, HBGary Federal never won any actual government contracts.

    2. Re:Lots of Security Holes by Anonymous Coward · · Score: 0

      Out of curiosity, who says? I really doubt that if there were any contracts, they would be left unclassified.

    3. Re:Lots of Security Holes by cpscotti · · Score: 3, Insightful

      Out of curiosity, who says? I really doubt that if there were any contracts, they would be left unclassified.



      Duhh..... Well, I think all the data Anonymous "de-"classified would contain a hint of that if that were the case!
      We're not talking about all the things they "left unclassified" here; someone force-declassified everything!
  2. Well that was a load of crap by AmonTheMetalhead · · Score: 5, Insightful

    Check out Ars Technica's coverage, much much better

    1. Re:Well that was a load of crap by RafaelAngel · · Score: 2

      link?

    2. Re:Well that was a load of crap by Anonymous Coward · · Score: 0

      Clearly you're too lazy to look it up, just like he was too lazy to post the link.

    3. Re:Well that was a load of crap by RenHoek · · Score: 4, Informative

      It's here, in the Slashdot story that was already posted about 3 weeks ago:
      http://it.slashdot.org/story/11/02/17/0041208/Anatomy-of-the-HBGary-Hack

    4. Re:Well that was a load of crap by Udo+Schmitz · · Score: 3, Informative

      It's here, in the Slashdot story that was already posted about 3 weeks ago:
      http://it.slashdot.org/story/11/02/17/0041208/Anatomy-of-the-HBGary-Hack

      I missed that. Well ... what would /. be without dupes ...

      Another one:

      http://arstechnica.com/tech-policy/news/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price.ars

    5. Re:Well that was a load of crap by Carewolf · · Score: 3, Insightful

      Isn't this essentially the Ars Technica article translated to German, and then translated back to English?

    6. Re:Well that was a load of crap by AmonTheMetalhead · · Score: 2

      That would explain the odd writing, I guess

    7. Re:Well that was a load of crap by Haedrian · · Score: 1

      http://developers.slashdot.org/story/11/03/06/2142233/Disarm-Internet-Trolls-Gently

      Why did you think that this article was a load of crap? Perhaps there's some good in both stories.

      Meh, this system sucks.

    8. Re:Well that was a load of crap by hitmark · · Score: 1

      I got that same sensation, though it could be because of the same source material. The brief mention of a conversation with two "members" I do not recall showing up in any of the Ars Technica stuff.

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    9. Re:Well that was a load of crap by Samantha+Wright · · Score: 1

      No, no, you're doing it wrong. As the first reply to the first comment on this article said,

      Why do you feel that Python is so bad? What do you find wrong with it?

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    10. Re:Well that was a load of crap by Nogami_Saeko · · Score: 1

      The ArsTechnica article was far superior IMHO. Much more technical detail about how they went about it.

      The interesting thing is that a single solid security measure could've blocked (or at least limited) the scope of the hack, but they managed to chain enough exploits and hacks together to be able to spoof an identity, which resulted in the final hack that allowed them access to the email data.

      --
      "Nothing strengthens authority so much as silence." - Charles de Gaulle
    11. Re:Well that was a load of crap by plover · · Score: 1

      That they were able to chain so many together says loads about their security practices and policies. One SQL injection attack is a mistake. But on a home-grown internet-facing execs-only CMS server? Who architected their setup? Who did security reviews? Who set up their password policies? Hell, there's no evidence at all of a security policy. At a security company.

      It's good for them that Barr stepped down, but they have a lot to fix before the rest of their clients jump ship.

      --
      John
  3. Emergent behavior at its best by snikulin · · Score: 1

    I just wonder if Skynet can be powered by human brain cells.
    Also a lot of other sci-fi stuff comes to mind, including Asimov's Foundation.

    1. Re:Emergent behavior at its best by MareLooke · · Score: 1

      We have an internet provider called Skynet over here (Belgium), and it definitely is not powered by any kind of brain related things, greed on the other hand...

  4. Anonymous by Anonymous Coward · · Score: 0

    They're the sexiest Hydra alive today. .gov can't stand it.

    1. Re:Anonymous by Anonymous Coward · · Score: 5, Insightful

      They're not a Hydra, which is a monolithic monster with no single termination point and self-repair to incremental attacks.

      They're a stand-alone complex, which is not even a single entity to begin with.

      Which makes them even harder to kill, and, to established powers they oppose, even more fearsome. (OTOH, to the extent they can be developed and manipulated to suit one's ends, they're a most powerful weapon. You can bet the shadowier sides of governments have any number of would-be Kazundo Gouda types analyzing the phenomenon.)

    2. Re:Anonymous by Samantha+Wright · · Score: 1

      I was skimming the second half of your post, and "Kazundo Gouda" turned into "Kudzu". Let's go with "kudzu" instead of "hydra". It just fits so well. I mean, they're a pretty invasive species, and in the world of government intelligence operations, a fleet of teenagers in it for the lulz is pretty alien.

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
  5. corepirate nazis transmit fake video to aliens? by Anonymous Coward · · Score: 0, Funny

    ALL happy/pink/chubby/well armed/ordained etc... we are in the clip? no surprise there? are we sleek or what?

  6. New villain by proverbialcow · · Score: 3, Funny

    Why do I get the feeling HBGary is just filling the void left by SCO as Slashdot's "villain to post about in the absence of real news"?

    --
    The only surefire protection against Microsoft infections is abstinence. - The Onion
    1. Re:New villain by AmonTheMetalhead · · Score: 1

      Hey, we got Apple for that!

    2. Re:New villain by Anonymous Coward · · Score: 0

      Apple gets more praise than not on Slashdot. The fanbois have a persecution complex though: even when they do outnumber everybody, they feel as if they're in the extreme minority.

    3. Re:New villain by hilather · · Score: 1

      Why do I get the feeling HBGary is just filling the void left by SCO as Slashdot's "villain to post about in the absence of real news"?

      I was really hoping Oracle with their attack on Android would fill that void... HBGary is just the comic relief.

    4. Re:New villain by Anonymous Coward · · Score: 0

      Well, that's because Steve Jobs does them one at a time, in a dark dungeon. Anybody is bound to feel insecure when he does not know just how many of his likes are out there in the line.

  7. We Can All Be Anonymous by Anonymous Coward · · Score: 3, Interesting

    We can all be anonymous. It helps to really know what you're doing, it helps to have no "skeletons" in the closet, it helps to have some passion about what's happening in the world and to want to do something about it. Who's in control? Does that matter? We all can be anonymous.

    ---Jack O

    1. Re:We Can All Be Anonymous by Anonymous Coward · · Score: 5, Funny

      The first step of being anonymous would be to not sign your name at the end of a post...

    2. Re:We Can All Be Anonymous by Anonymous Coward · · Score: 1

      Ha! you got pwned. My name is really Jim O.

    3. Re:We Can All Be Anonymous by Anonymous Coward · · Score: 0

      And I am Justin Bieber

    4. Re:We Can All Be Anonymous by Anonymous Coward · · Score: 0

      And I am Spartacus.

    5. Re:We Can All Be Anonymous by Anonymous Coward · · Score: 0

      I am Spartacus!

    6. Re:We Can All Be Anonymous by Anonymous Coward · · Score: 0

      And, I've been porking your mom!

    7. Re:We Can All Be Anonymous by Anonymous Coward · · Score: 0

      I'm Brian...and so's my wife!

    8. Re:We Can All Be Anonymous by scubamage · · Score: 1

      I am the walrus. Koo-koo-ka-choo.

    9. Re:We Can All Be Anonymous by Anonymous Coward · · Score: 1

      And my axe.

    10. Re:We Can All Be Anonymous by Anonymous Coward · · Score: 0

      So THAT'S what happened to Cowboy O! (Formerly, Cowboy X)

      Nice to see ya on slashdot! Feel free to stop by the gift shop, while you're at it!

      Might say "hi" to Cowboy Neal, since you're here.

  8. What a waste of time by Anonymous Coward · · Score: 5, Interesting

    Don't bother reading this article, it's horribly written and not particularly correct. They make it sound like HBGary Federal was some giant security company when in reality it was a small-time 4-person company. Oh my god, you broke into a 4-person company's email and the idiot manager's Twitter account!

    So tired of seeing this "hack" replayed on Slashdot.

    1. Re:What a waste of time by Anonymous Coward · · Score: 0

      Oh, hi Penny!

    2. Re:What a waste of time by Anonymous Coward · · Score: 0

      It wasn't well written, although there are a few tidbits here that I haven't read elsewhere. The hack sounds really bush league. SQL injection has been around for a very long time. There are gobs of security countermeasures. One password easily cracked with rainbow tables? Weak password! (and from a security company?). Repeating a password? Bush league!

      Not keeping a system up to date (and don't tell me Linux is hard to keep up to date: the updates come automatically with the update manager, it pops up on its own, and all you have to do is press a button labelled 'update' and enter your (non-root) password. It does all the rest!). Linux updates are also secure: every package is cryptographically signed, and verified immediately after download. If it fails, the file is resent. If that fails, it tries another server. If that fails, it doesn't update that package and sends an error message.

      Aaron Barr clearly doesn't know anything about computers, security, or statistics. How he got the job (apart from being a suit with a winning smile, firm handshake, and a power tie) is a mystery. From the emails and his attempts at data mining, he has skill in neither numeracy nor literacy.
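
      The weaknesses named in the comments above (a URL parameter dropped straight into a SQL query, unsalted MD5 password hashes, and one password reused across systems) shown side by side with their fixes. This is an added example, not code from the article, from HBGary, or from any poster in this thread. The table schema, the URLs, the wordlist and the passwords are all constructed for illustration, and a plain precomputed dictionary stands in for the rainbow table (a rainbow table is a space-time trade-off over the same idea; both are defeated by a per-user salt):

```python
"""Added example: SQL injection via an unscrubbed URL parameter, unsalted MD5
versus a salted iterated hash, and why reuse of one password is fatal.
All data below is constructed (hypothetical schema, users and passwords)."""
import hashlib
import hmac
import os
import sqlite3
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# --- 1. SQL injection through an unscrubbed URL parameter -------------------

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a CMS 'pages' table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER, title TEXT, published INTEGER)")
    db.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                   [(1, "Public page", 1), (2, "Draft: exec memo", 0)])
    return db

def _id_param(url: str) -> str:
    return parse_qs(urlsplit(url).query).get("id", [""])[0]

def page_title_vulnerable(db: sqlite3.Connection, url: str) -> List[str]:
    """The 'id' parameter is pasted into the SQL text, so it can rewrite the
    query: id=2 OR 1=1 -- drops the 'published = 1' filter entirely."""
    sql = f"SELECT title FROM pages WHERE id = {_id_param(url)} AND published = 1"
    return [row[0] for row in db.execute(sql)]

def page_title_fixed(db: sqlite3.Connection, url: str) -> List[str]:
    """Validate the shape of the input, then bind it; the driver never lets
    the value become part of the SQL grammar."""
    page_id = _id_param(url)
    if not page_id.isdigit():
        return []
    sql = "SELECT title FROM pages WHERE id = ? AND published = 1"
    return [row[0] for row in db.execute(sql, (int(page_id),))]

# --- 2. Unsalted MD5 versus a salted, iterated hash -------------------------

def md5_hex(password: str) -> str:
    """'Straight MD5': no salt, one fast round, same output on every site."""
    return hashlib.md5(password.encode()).hexdigest()

WORDLIST = ["password", "letmein", "summer2011", "qwerty"]   # constructed
# One precomputed table cracks every unsalted MD5 hash of a listed password,
# regardless of which system the hash was taken from.
MD5_TABLE = {md5_hex(w): w for w in WORDLIST}

def crack_unsalted(stored_hash: str) -> Optional[str]:
    return MD5_TABLE.get(stored_hash)

def hash_salted(password: str, salt: Optional[bytes] = None,
                rounds: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as salt$digest.
    The salt makes every stored value unique, so a precomputed table is
    useless, and the round count makes each guess expensive."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${digest.hex()}"

def verify_salted(password: str, stored: str, rounds: int = 100_000) -> bool:
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), rounds)
    return hmac.compare_digest(candidate.hex(), digest_hex)   # constant time

# --- 3. Password reuse: one cracked hash opens every system -----------------

def reuse_report(systems: Dict[str, str]) -> Dict[str, Optional[str]]:
    """systems maps a system name to its stored unsalted MD5 hash. Returns the
    recovered password per system; identical hashes mean a reused password."""
    return {name: crack_unsalted(h) for name, h in systems.items()}

if __name__ == "__main__":
    db = make_db()
    hostile = "http://cms.example/pages.php?id=2 OR 1=1 --"
    print("vulnerable:", page_title_vulnerable(db, hostile))
    print("fixed:     ", page_title_fixed(db, hostile))
    print(reuse_report({"cms": md5_hex("letmein"), "mail": md5_hex("letmein")}))
```

      Note that the hostile URL leaks the unpublished draft from the vulnerable handler while the fixed one returns nothing, and that the same weak password yields one identical MD5 on every system but two different salted strings, so cracking one store tells an attacker nothing about the others.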

    3. Re:What a waste of time by Runaway1956 · · Score: 5, Informative

      Actually, you overplay your attempt to downplay HBGary Federal. While they never actually won any government contracts, they did have credibility with the US government, they did have access to a lot of "insider" stuff, and they were in negotiations with other contractors to provide some rather big-time stuff. They enjoyed the backing of their parent company, a major figure in the corporate world.

      Note that I do NOT claim that their credibility was justified, nor do I claim that their wares were anything more than vaporware - but they were much, much more than some upstart company operating on less than a shoestring in someone's garage with only 4 employees.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    4. Re:What a waste of time by Anonymous Coward · · Score: 0

      A 4-person company? I see at least a dozen people with @hbgary.com email addresses.

    5. Re:What a waste of time by Anonymous Coward · · Score: 0

      They enjoyed the backing of their parent company, a major figure in the corporate world.

      Hahahahahaha, "major figure" in the corporate world. So major that nobody on Slashdot had heard of them before this. So major that they have 2 total products? So major that they are headquartered out of... Sacramento? Hahahaha.

    6. Re:What a waste of time by Anonymous Coward · · Score: 0

      HBGary != HBGary Federal. Different companies.

    7. Re:What a waste of time by Anonymous Coward · · Score: 0

      Nah, they are the fake profiles that Aaron Barr set up to game Anonymous and others to gain legitimacy.

    8. Re:What a waste of time by Anonymous Coward · · Score: 2, Interesting

      Greg Hoglund is quite a major figure, after his work on rootkit.com and lectures at Blackhat Briefings.

  9. Old news by Anonymous Coward · · Score: 1

    hbgary was foolish. hbgary got punked.

    we all laughed.

    NEXT!

    1. Re:Old news by Anonymous Coward · · Score: 0

      And yet you come here, day after day.

    2. Re:Old news by scubamage · · Score: 1

      Slashdot, like /b/, was always dying, and will always be dying. Kinda like a hypochondriac with access to a medical encyclopedia and too much spare time.

    3. Re:Old news by michaelok · · Score: 1

      You forget that it's YOU who make or break the site. So if Slashdot still has the interest of some sharp folks out there, with excellent insight and comments, then it's still a viable site. Note the crazy topsy-turvy world of Digg (talk about dupes and poor summaries), now there's Reddit, and others, and I guess Facebook, but as long as Slashdot attracts good readers, they'll do fine.

  10. Re:Coons by Anonymous Coward · · Score: 3, Funny

    "Why do you feel that Python is so bad? What do you find wrong with it?"

  11. Re:Coons by FatdogHaiku · · Score: 0

    "Why do you feel that Python is so bad? What do you find wrong with it?"

    If you had not AC'ed that I would have modded it funny.

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  12. Old news by aztektum · · Score: 1, Offtopic

    Seriously, Taco, just turn the site into an RSS portal with a comments section. The horrid summaries, old news and dupes are not helping.

    Slashdot was ahead of the game 12 years ago, but now it's a dying horse. Time to try something new.

    --
    :: aztek ::
    No sig for you!!
  13. little error in TFA by Anonymous Coward · · Score: 0

    Wrong:
    Hoglund's inbox contained the root password for his rootkit.com security web site

    Correct:
    Hoglund's inbox contained an old root password for his rootkit.com security web site

    So Anonymous also social-engineered the new root password. FTW!

  14. 1337 by SchmeeSquee · · Score: 1

    Doesn't this spark anything in the minds of the local hackers and crackers out there? Security in businesses is low. Why? The fear of being hacked is unfeasible because people who don't know what they are doing trust people who say they know what they are doing but actually are being paid to watch the "ping" and "pong" of packets between two servers in the company. Time to start hacking again... make the government quake at the mention of hackers like what used to happen. My suggestion... packet flood a net of IP addresses in your local area so the "geek squad" is focused on that, then... you're sort of free.

    --
    MMMMM....Linux -_- Trolling is an Art!!