Rice University logo
Top blue bar image Comp327: Introduction to Computer Security
Blog and homepage for Rice's Comp327

Lessons learned the hard way: HBGary Federal’s Security Short Comings

Security companies are not invincible, and they can fall prey to security attack like any other company or individual. They have humans that work there, and as such, these humans do not always practice good security practices. If you are in this class and you are not following the events that have unfolded with respect to HBGary Federal and Anonymous, you should be. The events that have unfolded brought to light a number of interesting perspectives and details that don’t often show themselves to the public.

One of the interesting items that came out of this event was the anatomy of their attack. The initial attack that got Anonymous into HB Gary Federal’s network is not unusual. In fact, this is a pretty standard MO that I have had to use during the course of a pen-test for organizations in the past. Find one vulnerability, gain access, mine as much pertinent information as possible, dump users and hashes, crack the passwords, and then identify other hosts and assets in the network. Then re-use the information I have on those hosts. In general, it takes only a few short steps to own the network.

The first vulnerability they found was SQL injection in a public facing web application. The silly part is the development of the application was outsourced, and there was no validation into the security of the application. This vulnerability was not the nail in the coffin though. The next major vulnerability were weak passwords and password reuse. Aaron Bar used a weak 6-letter password that was cracked using Rainbow Tables, and the nail in the coffin was his privileged (e.g. administrator) access to the e-mail appliance. This gave them access to the email of all the users on the appliance through password resets. There were some other elements too such as an unpatched server and social engineering, but the over all damage resulted from a poor over sight and security evaluation of outsourced work and then a poor choice of passwords by executives in the company.

I hope that all of you take time to read over and review the following article, because it serves as a very educational episode.

Anonymous speaks: the inside story of the HBGary hack

Comments are closed.