Comp327: Introduction to Computer Security
Blog and homepage for Rice's Comp327

Archive for the ‘Uncategorized’ Category

Lessons learned the hard way: HBGary Federal’s Security Short Comings

Wednesday, February 16th, 2011

Security companies are not invincible, and they can fall prey to security attacks like any other company or individual. They have humans that work there, and as such, these humans do not always follow good security practices. If you are in this class and you are not following the events that have unfolded with respect to HBGary Federal and Anonymous, you should be. The events that have unfolded brought to light a number of interesting perspectives and details that don’t often show themselves to the public.

One of the interesting items that came out of this event was the anatomy of their attack. The initial attack that got Anonymous into HBGary Federal’s network is not unusual. In fact, this is a pretty standard MO that I have had to use during the course of a pen-test for organizations in the past. Find one vulnerability, gain access, mine as much pertinent information as possible, dump users and hashes, crack the passwords, and then identify other hosts and assets in the network. Then re-use the information I have on those hosts. In general, it takes only a few short steps to own the network.

The first vulnerability they found was SQL injection in a public-facing web application. The silly part is that the development of the application was outsourced, and there was no validation of the security of the application. This vulnerability was not the nail in the coffin though. The next major vulnerabilities were weak passwords and password reuse. Aaron Barr used a weak 6-letter password that was cracked using rainbow tables, and the nail in the coffin was his privileged (e.g. administrator) access to the e-mail appliance. This gave them access to the email of all the users on the appliance through password resets. There were some other elements too, such as an unpatched server and social engineering, but the overall damage resulted from poor oversight and security evaluation of outsourced work and then a poor choice of passwords by executives in the company.
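The two defects the post singles out, a query built from unchecked user input and password hashes that a precomputed table can reverse, are easy to show side by side with their fixes. The following is an added example written for this page, not code from the post or from any of the systems involved; the accounts, the wordlist and the table layout are constructed for the demonstration. It uses an in-memory SQLite database to contrast a string-spliced lookup with a parameterized one, then contrasts an unsalted MD5 hash (which a precomputed hash-to-password table recovers with one lookup) with a per-user salted PBKDF2 hash, which the same table cannot touch.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for this example (not data from the incident).
# The table stores unsalted MD5 hashes, the scheme a precomputed
# (rainbow) table attacks directly.
SAMPLE_USERS = [("aaron", "secret"), ("alice", "Tr0ub4dor&3")]

# Constructed toy dictionary standing in for the much larger input space a
# real rainbow table covers.
WORDLIST = ["123456", "password", "secret", "letmein", "qwerty"]


def make_db():
    """Build an in-memory SQLite database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_md5 TEXT)")
    for name, pw in SAMPLE_USERS:
        digest = hashlib.md5(pw.encode()).hexdigest()
        conn.execute("INSERT INTO users VALUES (?, ?)", (name, digest))
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The bug: the caller's string is spliced into the SQL text, so a
    crafted name can rewrite the WHERE clause and return every row
    (the 'dump users and hashes' step in the post)."""
    query = f"SELECT name, pw_md5 FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """The fix: a bound parameter is always data, never SQL."""
    query = "SELECT name, pw_md5 FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def precompute_table(wordlist):
    """hash -> password map: the precomputation a rainbow table amortises
    across every unsalted database it is ever used against."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def crack_unsalted(pw_md5, table):
    """One dictionary lookup recovers an unsalted hash (or None)."""
    return table.get(pw_md5)


def hash_salted(password, salt=None, iterations=200_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256). A table
    would have to be rebuilt for each salt, so precomputation buys nothing."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR 1=1 --"  # constructed input that comments out the rest of the clause
    print("vulnerable:", lookup_vulnerable(conn, probe))   # every row
    print("safe      :", lookup_safe(conn, probe))         # no row
    table = precompute_table(WORDLIST)
    stored = lookup_safe(conn, "aaron")[0][1]
    print("unsalted MD5 recovered:", crack_unsalted(stored, table))
    salt, digest = hash_salted("secret")
    print("salted PBKDF2 recovered:", crack_unsalted(digest.hex(), table))
```

The salted branch only removes the precomputation shortcut; a six-character password still falls to a direct guessing attack with a fast hash, which is why the example pairs the salt with an iterated KDF and why the post's second lesson (password strength and no reuse) still stands.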

I hope that all of you take time to read over and review the following article, because it serves as a very educational episode.

Anonymous speaks: the inside story of the HBGary hack

Hacking the internet. All of it

Monday, February 14th, 2011

Researchers at the University of Minnesota have come up with a botnet attack that could theoretically take down a large portion of the internet. It is a scalable distributed denial of service attack that exploits the way routers send out BGP (Border Gateway Protocol) updates. It basically involves using the botnet to send out a ton of BGP updates saying that a given router is dead, causing the other routers connected to it to have to recalculate the route for packets. As more and more routers are affected, the amount of computation each router has to do would skyrocket, causing each router to have more updates than it could handle. Apparently the attack is unlikely because the malicious people with the technical knowledge to do it would be motivated by profit and have little interest in a DoS attack. Here’s the link to the article: link

Paper Recommendation and ShmooCon Announcement

Thursday, January 27th, 2011

Hey everyone,

If you have not started Lab 2 already you are going to be in a world of pain, so get started. Apart from that, Dan recommended a paper for us (us as in grad students, not you) to read. I am actually enjoying what I am reading, and I think it is pertinent to what we discussed in class today. If you have time and you are interested in current web security research, take a look at this paper:

D. Akhawe, A. Barth, P. E. Lam, J. C. Mitchell, and D. Song. “Towards a Formal Foundation of Web Security.” In Proc. of the 23rd IEEE Computer Security Foundations Symposium (CSF 2010).

Also, the streaming links for ShmooCon are posted. If you are interested, the conference is happening over the weekend, and you can watch from the comfort of your own home.

If you have any questions, feel free to email the TAs. Have a good weekend.

~dso

Homework 1 is Posted

Tuesday, January 18th, 2011

Homework 1 is posted. Due 1/25/2011.

If you have free time, you should listen to Dan Bernstein’s talk about securing the Internet: 27C3 Talk by Dan Bernstein: High-speed high-security cryptography: encrypting and authenticating the whole Internet. The talk was very interesting. He talks about DNSSEC, why it is broken, how to break it, and why it is not feasible. He then goes on to introduce his research and explains how encrypting almost all communication between a server and a client is feasible. I enjoyed the talk. Also, ShmooCon is happening next weekend (Jan 28-30), and they have talks streaming live. There was someone in class who asked who got paid to break stuff. This is a good opportunity to find out who, why, and how. The Shmoo Group has not posted the live video details, but I imagine they will show up here when they are made public: ShmooNews.

Cheers.

Oops… please re-register for the class

Tuesday, January 18th, 2011

I accidentally had the file where the output from the survey form goes marked as read-only. Unsurprisingly, I have no information on any of you. Please fill out the form one more time. Thanks.

Please register for Comp327

Monday, January 10th, 2011

Just fill out this convenient form. Once we have this, we’ll set up your accounts on the blog and the campus Subversion server, which we’ll use for you to submit your work.

Welcome to the Comp327 Blog

Wednesday, January 5th, 2011

Attention Comp327 students: make sure you subscribe to this blog. This is where you’ll find class announcements, assignments, and everything else.