An attack by Anonymous on security firm HBGary used a combination of software vulnerabilities and social engineering to pull off a highly sophisticated hack, it has emerged. A SQL injection weakness in a third-party content management product used to post content on HBGary's website allowed a cadre of hackers from Anonymous to …
''HBGary said the leaked documents might have been altered prior to publication.''
Is that the best defence they got?
This is what I will tell our sysop to prepare for and be able to weather during the next coffee & croissants meeting.
HBGary sez the EDITED those emails...?!
Uh huh, yeah... they edited and falsified over 70,000 emails in under a week. Nice try, HBGary.
Re: HBGary sez the EDITED those emails...?!
"Uh huh, yeah... they edited and falsified over 70,000 emails in under a week. Nice try, HBGary."
Did HBGary claim that all 70,000 emails were edited, or only a few? I haven't seen the source material so I can't say.
I read about this elsewhere
It's quite amusing, they got Penny (CEO) to go and speak to the Anonymous IRC and there's a log of the whole conversation - http://pastebin.com/x69Akp5L
I think more than anything this proves that corporations and organisations are just a bunch of people, and each and every one of them has their own opinions, they lie, they slander, but they're also truthful, witty & endearing. Every now and then there's a fuckwit who seems to value themselves over others though.
I pity Penny of HBGary, but the anonymous people have made fair points (albeit in a flippant and sonetimes surreal manner)
Aaron Barr seems in this case to be the fuckwit, claiming to have infiltrated anonymous, seems a bit like someone saying I've invaded Midgaard (all you mudders out there know what I'm talking about)
Re: I read about this elsewhere
"Aaron Barr seems in this case to be the fuckwit, claiming to have infiltrated anonymous, seems a bit like someone saying I've invaded Midgaard (all you mudders out there know what I'm talking about)"
That is a tad extreme, don't you think? After all, 'anonymous' is comprised of genuine corporeal beings. There's no question of Cartesian fairies at the bottom of the garden here; bodies can always be traced, unless of course we're talking 2600 style hacking, in which case the Feebs will have to stretch that extra mile to trace them.
While this Penny character may be endearing
It would seem that a total lack of technical knowledge is not the best standpoint from which to run any kind of IT company.
Maybe she was good at all of the other "boss" type things, who knows (who cares at this point), but if any of the more 'technical' employees and suppliers could simply bullshit her into believing that they're doing a good job... then something like this was going to happen sooner or later.
As it turns out her staff were riding the special bus in every day and she didn't even know it. Reminds me a lot of... every other company I've worked for actually.
It's a simile
It's an IRC channel.
The point of a loose collective is that it expands and contracts, leadership is transient and generally irrelevant. That's what anonymous is.
Trace a bunch of people logged on, a bunch of others log in, take them down another channel opens.
There will always be more to rage against the machine.
Can you understand the simile now?
@2600 style hacking
In old DIKU muds and most of their derivitives, Midgard was the city you started in, and re-popped in when you died. It has little to do with Faries. The allusion being made is that "Infiltrating" anonymous, is hardly a complex task. (In the same way as getting back inside Midgard could be done a number of ways, all trivial)
Sadly spend far too much time in my youth playing MUDS. Especially when i should have been doing collage work, even ported Merc 2.2 to my Amiga. (I had to re-write the sockets layer to use Amiga PORTS, as i couldnt afford a TCP/IP library)
Re: It's a simile
"It's an IRC channel.
The point of a loose collective is that it expands and contracts, leadership is transient and generally irrelevant. That's what anonymous is."
Contacts between real people can always be traced back, like following skeins of mixed up material. Similes are irrelevant. The physical world holds in principle no possibility of anonymity, and the LoIC sacrificial sheep are just the first round in gathering them all in, self deception notwithstanding. Everyone leaves a trace, unless they use 2600 methods but, even then, there are ways of tracking people down. Do you understand my points now?
Re: @2600 style hacking
It's not so much the frequency as the anonymity it appears to afford. It can be done from a public phone box in the middle of nowhere, or in a relatively busy area. Pop up, do a brief job, disappear, reappear somewhere else. The problems come when people start to work out the time period online from a specified phone and look for other correlated clues, and modern technology is alarmingly sophisticated when it comes to this. In addition identification of techniques that are peculiar to one individual, as happened in WWII with signalling. Just one identifying clue is all that is needed to begin the process of unravelling the skeins, of making a pattern, and then the whole house of cards falls. Positions of phone boxes/phones would be a start. There are geo location tricks for finding most offenders.
Anyhow, old fashioned hacking techniques or modern, governments have spent vast amounts on precisely this sort of elint. People can kid themselves that they are indetectable, and the odds are that one or two will hold out for a year or two, but they will slowly and inevitably be reeled in.
Suddenly it is not so funny, especially when the door caves in.
Remember how people used to assume how big and bad the CIA was and how it could do anything? Funny how they can't even kill or locate a 6'5" Saudi goat farmer looking dude who only threatens the entire west. Yes US signal intel is second to none but when a Jordanian doctor can blow up our top 5 experts on the baddies with one bomb you know our people based intel sucks. Morale of story to stay anon avoid creating any electronic signals and live in a cave (or cabin in Montana and get your damn brother to shut up) I guess.
"It has little to do with Faries."
My point exactly, although the irony seems to have zinged over you.
The point is that, wherease corporeal bodies do not interact with some immaterial soul, leaving no energy trace (see Helmholtz' principle of the conservation of energy for more on that story), *always* leaving evidence of their activities, the same applies to people online. There is always an entry point to trace back to, and of course there is always chat. (If the fool from HBGary had kept his mouth shut and had good security we'd probably be responding to a completely different story.). It is impossible for a corporeal *not* to leave some form of trace of their activities behind them. Only fairies at the bottom of the garden can do such a thing. They leave so little trace that, when prompted to produce replicable hard evidence the proponents fail every time. It's a bit like the homeopathy debate. You do not get something for nothing in the world of physics unless you are not a corporeal entity but, once again, no evidence has been adduced to support such claims.
Re: funny that
"Remember how people used to assume how big and bad the CIA was and how it could do anything? Funny how they can't even kill or locate a 6'5" Saudi goat farmer looking dude who only threatens the entire west."
AIUI the American special forces followed bin Laden's mobile phone signal, but he'd given it to an assistant and that was all they got. You see bin Laden didn't hang around.
Elint is good, but imagination is priceless. Isn't it? Look at the Russian example; they homed in on Dudayev's (it'll be on Wikipedia if you're too young to remember) sat phone signal and dropped two laser guided bombs on him. A contrast in methodology; the Russians did not for one second assume that he could be apprehended, nor did they assume that he had yuman rights. They just killed him, and that is what Clinton could have done in his time, but refused to authorise a Cruise missile attack on bin Laden.
However, the lessons do appear to have been learned. Old counter insurgency and Elint methodologies are being wheeled out, because people have woken up to the fact that truths are not fashionable, relative, they just are, and good practise is unavoidable.
The irony of the situation? Dudayev, a former Russian general, was the Russian's best hope at the time, someone with whom the like of General Lebed could have done business, whereas bin Laden is another kettle of philosophical fish altogether. He is unreasonable.
Your point, Scorchio, would seem to be that people on the internet can be tracked. I do not dispute that.
My point is that Aaron Barr and yourself seem to have the (in my opinion misguided) impression that the Anonymous collective is a hierarchy and that in determining who the leaders of this hierarchy are is to have infiltrated Anonymous.
I don't think Anonymous works that way and that if ultimately you removed what you consider to be "the head" that the body would not die, it would just grow another head.
If the fool had kept his mouth shut...
We wouldn't be hearing about any story at all, because either a) the FBI would have had their real professionals look over his research and shown him the door, or b) he would have wowed some suits well enough to apply buy it and waste millions of dollars and thousands of man hours figuring out it was a waste of time.
I'm not arguing with the basic notion that real people leave traces coming and going online, but a) if done intelligently, they are faint, and b) even done stupidly, it doesn't matter re: Barr's "research." Just from what is available publicly at this point any qualified statistician can tell you - it was flawed from the ground up. You can't run such a project on gut feelings and guess work, and Barr's own internal staff were telling him that that was all he had. The only things he did get right are so basic that there are already hundreds, if not thousands, of people researching based off of those starting points.
Perhaps if Barr had kept his mouth shut, kept his head down and NOT tried to rush off to the FBI or BoA, and gotten in someone with real CS and statistics background, he would have gotten somewhere. Of course, that's a lot like saying that if someone would just give me billions of dollars, I could start up my own search engine to rival google - just hire all the talent I need. Not particularly relevant, is it?
P.S. - On the other hand, the FBI may have welcomed a tool that they could use to justify getting warrants based on nothing more than the very vaguest of guilt by association (the very core of Barr's "technique"). You get a lot of flotsam in the net, but do they care how many innocents they trample? Does anyone in our government care these days?
Re: If the fool had kept his mouth shut...
"I'm not arguing with the basic notion that real people leave traces coming and going online"
Good, one of the first signs of sense I've read yet. It is impossible to NOT leave a trace unless you are not corporeal but incorporeal actors are an impossibility as modern physics shows. This is not a theological forum, but one founded on technology that came from western physics and philosophy (e.g., Wittgenstein). There are ALWAYS traces. Faint or not they are there. People who deceive themselves into believing otherwise (how can someone deceive themselves I ask rhetorically) are no better than the LoIC sheep, and dream about a spirit world segregated from the reality of physics. Both the US and UK governments have insisted that ISPs and other organisations preserve logs for a long time, and the police don't have to work hard to access the data. These things - plus the extra special measures that will have been worked up in response to recent 'developments' - are likely to ensure a series of very fucking hard punishments, and no end in sight for the process. A special effort will be made to squash this, do not kid yourself otherwise; for each new serious crime an equivalent unit is normally formed, and the laws tend to reflect determination to quash the act. This will happen. People will watch with horror as their friends go down for a long stretch, with restrictions on their release, and they will decide to give the whole thing a body swerve.
Give me braggadocio, ignore or laugh at my words, but this will happen. Anyone who thinks that any government is going to sit there and let this happen without giving those who do these things a good smack on the muzzle has to be numbing their minds with something I don't want to find in my coffee beans tomorrow.
So just wake up is all.
The sad thing is that this abuse will curtail all of our freedoms:
These people have made our lives harder with their stupidity. I would like to seem them in the stocks. That is a gag worthy experience that might make the silly twats think.
Re: Your point
"My point is that Aaron Barr and yourself seem to have the (in my opinion misguided) impression that the Anonymous collective is a hierarchy and that in determining who the leaders of this hierarchy are is to have infiltrated Anonymous."
Never assume anything about someone like me, not least because when you assume you make an ass out of you.
Passive intelligence techniques have a lot of mileage in them. It is possible to leave a movement riddled with pain and angst by using them, and appropriately punishing those who act in the way that we have seen. Believe me it is coming. If you are so naive as to believe otherwise, well have a good one. Don't read something into my words that is not there. Your preconceptions are wasted, worthless, deceive you.
As to heads and bodies, do grow up. I could not GAD what sort of cell structure they are using. Sufficient pain, repeatedly applied for a sufficient duration has a marked effect on the CNS. Just watch, and make sure that you have ordered a LOT of popcorn. Pain's a coming, believe me.
Re: If the fool had kept his mouth shut...
I'm just about to go away for a week and packing. As I did so a passage from your response continually resurfaced in my mind:
"I'm not arguing with the basic notion that real people leave traces coming and going online, but a) if done intelligently, they are faint"
Existence is like pregnancy; you cannot be a "little bit pregnant" or "faintly pregnant", and you cannot faintly exist, either on or off line. In the world of bits and bytes, of zeros and ones, you are either a number or you are not present. There's no such thing as being slightly existent, or a little bit pregnant, and it is this that will cause a lot of agony for any sloppy thinker who nurtures such fond silliness.
They'll use a number of attacks to find offenders, starting with offline profiling, matching online behaviour with the profile, basic police work (listening carefully in meat space for dissent that matches the target behaviour) and so on. This will probably roll on for years, like Carlos, the Unabomber, and plenty of others, but, and be sure of this, revenge will be unstoppable, harsh and unrelenting. It's coming.
As to caring, don't make the mistake of believing that the things you think matter are the things that really do matter. What we have here, as Bill Thompson correctly identified, is democracy's 'Napster moment' ( http://www.bbc.co.uk/news/technology-12007616 ). Freedom of information, the culture of FOIA which engendered the MP3 and digital book rip off culture, following the collapse of the Soviet Union and a mistaken belief that everything can be peace and love if only we let everything go, these are mistaken and resemble a headlong plunge off the cliff. People working in this way face bloody noses, if only because irresponsible governments do not pay attention to core state functions - security and defence being particularly important - and wake up to find the new international bodies at their heels. You can include billionaire drug dealers with large arsenals, and other individuals with private armies, including bin Laden clones. It also goes without saying that, as each international body succumbs to attacks on it, other regional powers will fill the vacuum left by them. So, Iran is now free to pursue the paths we have seen, and, having spread its commercial and military tentacles throughout the world (Military? Remember Sri Lanka) China will happily fill any space left by other, weakened states.
Arriving at the conclusion that secrecy must be overturned because it's not conducive to peace of mind is a non sequitur. It's taken the violent creature, homo sapiens, far longer than history to arrive here, fully tooled up and aggressive. No amount of wishy washy thinking is going to change that, because it is hard wired. In fact the act of destructive, digital pissing about with other organisations/countries is aggressive, and it will reap pain. I see a failure to apprehend this, and it is at best naive. It will leave a lot of people behind bars for a long time.
They call themselves security professionals?
You know I was going to try and write something insightful here but really there is nothing insightful that can be said about this group of useless slackers. The only white hats they own must taper to a sharp point at the end and sport the capital letter 'D'.
"It could be that the destiny of your company is only to serve as a warning to others."
I wouldn't say they used every trick in the book
What about Rubber hose cryptography?
Anyway, it seems a straightforward (but multi-vectored) hack. Now, if you want a sophisticated attack, have a look at the Stuxnet analysis:
Now *that* really did use every trick in the book, and then some.
Read arstechnica again
Did you read the ars story? Highly sophisticated attack? We are not talking stuxnet here with multiple 0-day exploits...
They got in through SQL injection - the haxors best friend. But hardly difficult given the level of knowledge here. HBGary really should not have been vulnerable especially since they supposedly provide services to test for these vulns!
Rainbow tables to hack MD5 hashed passwords is not hard when they were not encrypted properly. No salting or iterative hashing used to make it difficult.
They used a flaw in linux to get root - should have been patched. Again not that hard if you know how - it was well documented.
They used social engineering... Well they had control of an email account so would look to almost anyone like the actual owner of said email account. Not quite at the level of the best cold-calling social engineering exploits.
So really... Hard for me or anyone not in the hacking fraternity but I doubt it would get max points at any hackfest. The main point of the story is how come HBGary were so easy to get into when they are a bleedin security firm!!
"I doubt it would get max points at any hackfest."
I don't think the Anon's are claiming that it was sophisticated, however results do count, and this was a clean hit.
I recall a colleague who boasted to me and the resident security bod who said he had set up his home system on the end of a VPN and that it was impregnable and actually challenged us to break into it when we laughed at him.
When we got him to log in after his lunch break to look at the little text file we'd put in with root priveledges telling him he owed us a pint he went fucking ballistic. Especially when we didn't tell how we did it for three days, he was already losing his hair but by the end of it he hardly had any left and had bags under his eyes.
When we finally took pity on him and told him how we'd done it he claimed that we had 'cheated' and not really hacked into his system at all. He didn't like us any more for laughing again though :)
(The silly sod went and left his laptop unlocked when he went to lunch. I installed a keylogger which emailed me all the details. Whilst we were telling him we had broken in, he logged in to verify what we had done. I was IM'ing my mate all the login details and whilst I was talking to him he logged in and left the text file. Simple and fun, but no way to make friends.*
*parenthesis missing to cause mild stress levels in coders.
Ah, the evil maid trick. Autoruns should be disabled, a good HIPS should prevent an unauthorised package from running, a registry protector should prevent alterations to the registry and BIOS password/boot settings should prevent a USB stick from booting, though a BIOS transplant is always a possibility. There are other precautions.
Whoa? He *left the machine unguarded*? The fucking idiot.
@Sir Runcible Spoon
I was asked by a colleague to test the security of his application by trying to break into it.
Only I was logged in (as a privileged user) even before he had finished his smug explanation of how there was no chance of me getting in.
Dude *always* used the same user name and password for his login credentials, so it only took me one guess. He called that 'cheating', I called it 'social engineering'.
Re: @Sir Runcible Spoon
I am amazed even now at the number of people who think that a windows password is sufficient to protect a system (though a BIOS password only lives for as long as the BIOS itself). Booting up with a CD-ROM that has password cracking tools on it is simple. No skills needed. As I say, amazed, and sometimes gratified when I pull someone's arse out of the fire.
@Runcible - I like your VPN hack story...
But you did not get the point of my post - Anon did not claim the hack was hard they made the same point as me, how did they get in so easily to a security companies system? I'm criticizing the article (Not anonymous) as the author obviously did not even bother to read the arstechnica article he ripped off and pick up that salient point.
"I'm criticizing the article (Not anonymous)"
Good point. I wasn't having a digg-1 at your position, just trying to clarify that the people who were claiming they used every trick in the book, or tried to make out it was a sophisticated attack, wasn't the people who performed the attack.
My point was that whether it was sophisticated or not is irrelevant as long as the result was a hit.
So, we are agreeing, I think :)
very james bond.. especially the spoofing an email to get someone to reveal details... I await the (TV) movie
On the positive side, HBGary will probably have lost a great deal of future business; not even competent to manage their own web site (combined with easily identified personal boo boos by senior members of staff). Title says it all......
Re: What losers
"On the positive side, HBGary will probably have lost a great deal of future business; not even competent to manage their own web site (combined with easily identified personal boo boos by senior members of staff). Title says it all......"
The passwords, goddamit, the frigging passwords. Even a kid could do better. It doesn't take much to use a password package, and then perhaps lock it up in an encrypted container and/or drive. If their clients have any sense they will find someone else.
Well they would say that, wouldn't they?
Big Big BIG FAIL
HBGary said the leaked documents might have been altered prior to publication. "Given that Anonymous has had these emails for days I would be highly suspect [sic] of them," the president of HBGary Penny Leavy told the BBC.
He has the emails, either HE KNOWS they changed them or HE KNOWS they didn't.
He practically admits they didn't.
Who to believe?
Even if HBGary have originals which are safe to publish, they've "had these emails for days": which is the fake?
As ars technica points out, Anonymous used nothing but standard, well known techniques. HBGary left the door wide open by making all the stupid security errors in the book:
A Web application with SQL injection flaws and insecure passwords. Passwords that were badly chosen. Passwords that were reused. Servers that allowed password-based authentication. Systems that weren't patched. And an astonishing willingness to hand out credentials over e-mail, even when the person being asked for them should have realized something was up.
Don't give the clowns at HBGary the satisfaction of thinking that the enemy that brought them down was the least bit sophisticated in their attack.
Email transcript @ arstechnica
"Jussi" should be for the high jump IMHO - revealing usernames and passwords like that via email. If it absolutely had to be done ASAP, he should have called him. Even if it was really Greg, having that info sittting in his mailbox is a bad idea.
I am also quite surprised that some of the grammar did not raise eyebrows; "no i dont have the public ip with me at the moment" sounds very suspect. Unless of course Greg normally says things in such odd ways.
Anyway, you reap what you sow fellas !
Unless of course Greg normally says things in such odd ways.
he reused that password on his Twitter account and yeah, let's say he was not exactly el maestro when it comes to TEH GRAMMARZ.
Took about a quarter of an hour to make something that looked like his style. Not difficult.
The best implementation plan is one that involves common sense.
Every trick? hardly
Seriously, HBGary have only got themselves to blame. Re-using the same passwords for Facebook, twitter and corporate emails?? The CEO of a "security" company?
They deserve to be a smoking hole in the ground (in corporate terms) after this. They have proved themselves incompetent at doing exactly what they declared themselves to be the experts at.
Barr proceeded from a set of false assumptions
and got his ass handed to him as a consequence. Ars' coverage of the whole affair has been superb, and should be required reading for anyone who thinks they know anything about Anonymous. Far from the "hackers on steroids" mythology, but nonetheless decentralized and quite happy to sit around taking not just individuals but a whole company to pieces just because they've been prodded with a stick.
Just goes to show that no one is 100% safe, 100% of the time.
Reminds me of Monty Python's "How Not To Be Seen".
Hardly 'every trick in the book', hardly any challenge at all
Strange to say most people seem to think this was an easy hack, mainly because HBGary were so damn lax about security best practice. A simple sequence of basic methods, I'd bet anonymous wasted more time wondering when they were going to hit the real security measures than on the actual job.
3rd party? That's not what Ars techwhatever reported
"a third-party content management product "
What Ars ..... reported is that it was written specifically for them by a 3rd party because the didn't like the ?security? of the original? I don't know, I've been laughing all day.
A firm handshake... Maintain eye contact... Confident...
"Given that Anonymous has had these emails for days I would be highly suspect [sic] of them"
Admit nothing. Deny everything. Make counter-accusations.
Cloaked Crooks r Us percolate through everything and offer Nothing of Value.
"Admit nothing. Deny everything. Make counter-accusations." .... tom 24 Posted Friday 18th February 2011 00:17 GMT ....... Now that is a great meal ticket methodology for dodgy law firms/ambulance chasers/failed businesses/laundering banks.
And in a complicated, open and shut case such as this one .... http://www.bbc.co.uk/news/business-12502786 ...... it appears that the defendant does not control anything, and it is now to be turned into a media circus with lawyers starring, and billing, of course, although where the money is coming from, other than out of thin air, and someone else's pocket, is disappointing familiar and not at all dissimilar to a Ponzi, which is that which one team in the case above is defending as legit, with another team prosecuting as criminal, with Justice the stoolie sat in the middle, dispensing rules and regulations.
"Last month, a US federal judge ruled that Mr Stanford was unfit to stand trial.
District Judge David Hittner ruled that he did not have the mental capacity to assist his lawyers. " .... An odd declaration about someone who once ran a very lucrative business and private bank, but whenever you know too much for you own good and not enough for your own good is it best to the dumb,mad fool and useless tool.
threat of physical harm?
more like threat from dying of embarrassment.
There's Pork and there's Easy Meat and then Government Pork with ITs Special Strings Attached
"HBGary had intended to reveal its research into the senior members of Anonymous at the BSides San Francisco conference..."
Presumably, considering their little difficulty, is that research completely discredited and just part of a federal funding scam if it were to be presented as kosher.
- Geek's Guide to Britain INSIDE GCHQ: Welcome to Cheltenham's cottage industry
- 'Catastrophic failure' of 3D-printed gun in Oz Police test
- Game Theory Is the next-gen console war already One?
- BBC suspends CTO after it wastes £100m on doomed IT system
- Peak Facebook: British users lose their Liking for Zuck's ad empire