Wednesday, February 16, 2011

HBGary vs Anonymous

HBGary is a computer security company that does penetration testing, intrusion detection, and worm detection, quarantine, and analysis. They present themselves as experts in the computer security field, but recently they were successfully compromised using basic, well-known techniques.

Aaron Barr was conducting what he called "just research" on information gathering through social media. He would use Facebook, Twitter, LinkedIn, and other social networks to gather data about his target and their family and friends. He claims he could find his target's real name, as well as where they were from, just from publicly available information on social media sites.

He decided that he wanted to go after what he saw as "the leaders" of Anonymous. This did not turn out well for Mr. Barr. He claimed to have found the real names of these so-called leaders of Anonymous and was in talks with the FBI to win a contract between them and HBGary Federal; that's right, Aaron Barr was the CEO of HBGary Federal. HBGary Federal is a branch of HBGary that was to handle all federal contracts, but it was falling short of its goals and running out of money. This made Barr anxious to close a deal by any means necessary.

Barr later claimed that he wasn't going to release the names; he just wanted them for his research and for the talk he planned to give at the BSides security conference in San Francisco. Anonymous responded with a swift attack. They began with a DDoS against the HBGary website, and then moved on to compromise the website using a simple SQL injection exploit.

How could an expert security company that specializes in penetration testing allow such a gaping hole to exist in its own company website?

They used this exploit to gain access to the user database and got all the usernames and passwords for the system. Now, the passwords were stored hashed, so you'd think they were safe, but not the way HBGary had implemented it.

They used a single pass of MD5 without adding any salt (random data appended to the password before hashing to make it harder to crack). Anonymous only had to use a widely available rainbow table generator to crack any weak passwords.
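The difference between the scheme described above and a salted, iterated one, as an added example (not from the original post): a tiny constructed lookup table stands in for a rainbow table, and an audit helper shows how a defender would check an unsalted MD5 store for accounts that fall to it. Candidate passwords and usernames are constructed samples.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for a rainbow table: digests of a few weak passwords.
# Real tables cover billions of candidates, but the lookup principle is identical.
WEAK_CANDIDATES = ["password", "123456", "qwerty", "letmein", "hbgary"]
PRECOMPUTED_MD5 = {hashlib.md5(p.encode()).hexdigest(): p for p in WEAK_CANDIDATES}


def store_unsalted_md5(password: str) -> str:
    """The scheme described in the post: one pass of MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_with_table(stored_hash: str) -> Optional[str]:
    """Without a salt the same password always yields the same digest, so a
    precomputed table turns cracking into a dictionary lookup."""
    return PRECOMPUTED_MD5.get(stored_hash)


def audit_unsalted_store(users: Dict[str, str]) -> Dict[str, str]:
    """Defender's check: which accounts in an unsalted MD5 store are recoverable
    from the table. Returns {username: recovered_password}."""
    found = {}
    for user, digest in users.items():
        recovered = crack_with_table(digest)
        if recovered is not None:
            found[user] = recovered
    return found


def store_salted(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256). Every
    salt needs its own table, so precomputation no longer pays off."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _scheme, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)
```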

Surely these security experts at least have strong passwords that they don't reuse on multiple systems, right? Wrong. None other than Aaron Barr himself was one of the two users with weak passwords that were cracked. And Barr reused this password for Twitter, LinkedIn, SSH access to another server, and his email. It is the SSH access and his email that proved the two fatal blows to HBGary's systems.

First, the SSH access allowed Anonymous members to log into the support.hbgary.com Linux server, and from there they were able to use a known and already patched exploit to elevate their user privileges. It is surprising that Aaron Barr not only reused his weak password on multiple systems, but did so on a system that had been sitting open to exploits with a readily available patch for months.

Once the attackers had elevated access they found backup data and research files, which they then promptly erased from the system. This was a huge blow to the company as a whole, not only because of the loss of time and data, but because it damages their reputation in the security community that they left such basic holes open in their systems.

The second fatal blow came when the attackers gained access to Aaron's Google Apps account with the same weak password. Google Apps is where HBGary hosted their email. Aaron was also the administrator of this mail service and had the power to reset anyone's password. This allowed the attackers not only to download gigabytes' worth of private company emails, but also to use legitimate email addresses to social engineer access to another system.

The attackers sent emails from Greg Hoglund's (founder of HBGary) email address to the system administrator for his website rootkit.com. They talked the admin into giving them remote root access to the web server, and from there they defaced and damaged the server.

All of this because a desperate man wanted a high-value target to prove his research worked. Aaron Barr kicked the hornet's nest and did not relent. I have to say that for now, Anonymous is winning the battle. As for the war, we will have to see how Anonymous they really are.

To read more about these attacks, the story behind Aaron Barr's shady actions, and my sources of information on this topic, see these news reports:

http://www.networkworld.com/news/2011/021611-rsa-hbgary.html
http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
http://arstechnica.com/tech-policy/news/2011/02/the-ridiculous-plan-to-attack-wikileaks.ars
http://arstechnica.com/tech-policy/news/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price.ars

3 comments:

  1. This is really scary. I'll be sure to keep up with tech security news through this blog... the only one I've ever seen dealing exclusively with tech security. Great idea! following/morning coffee-d


Praise me or Flame me, I appreciate the feedback.