Lucid Dreaming - Dream Views





    Thread: HBGary

    1. #1
      Rational Spiritualist DrunkenArse's Avatar
      Join Date
      May 2009
      Gender
      Location
      Da Aina
      Posts
      2,941
      Likes
      1092

      HBGary

      So for those of you that haven't been following the story, here's a quick recap.

      • Aaron Barr (CEO of tech security company HBGary Federal) was working on spying on people using social media and decided to find the "leaders" of Anonymous.
      • He goes into their IRC channel and privately makes the claims to one of the people that he thinks is their leader that he's uncovered who they are and that he has a meeting with the FBI.
      • Anonymous breaks into their server [1], defaced the website, deleted a whole bunch of backup data and released all of their internal emails as a torrent.
      • Hilarity ensued. The whole story is here.


      Funny stuff. The emails were Juicy. HBGary Federal and HBGary (partial owner of the former) are/were involved in things like writing rootkits and other malware and selling them to federal agencies. Many details are discussed in the emails. I haven't been bothered to take the 30 seconds to track down the torrent and read them myself but journalists have done that for us.

      They talk about doing things like spying on and discrediting political enemies of the US Chamber of Commerce, taking down Wikileaks by breaking into their servers, etc.

      Full details here and here.

      This is awesome.


      [1] They used a "sql injection" attack (although it doesn't seem like a proper sql injection attack to me. More like a page that should have been password protected wasn't and the attacker was able to exploit that using the usual GET parameters) on the CMS to get the hashed passwords. The hashed passwords were hashed once with MD5 and unsalted, and so vulnerable to a dictionary attack using rainbow tables. Aaron Barr and one other person used the same passwords everywhere allowing access to the servers. Full details here.
      Last edited by PhilosopherStoned; 02-19-2011 at 09:03 AM.
      Previously PhilosopherStoned

    2. #2
      LD's this year: ~7 tommo's Avatar
      Join Date
      Jan 2007
      Gender
      Location
      Melbourne
      Posts
      9,202
      Likes
      4986
      DJ Entries
      7
      This IS awesome.

    3. #3
      Dionysian stormcrow's Avatar
      Join Date
      Jun 2010
      LD Count
      About 1 a week
      Gender
      Location
      Cirith Ungol
      Posts
      895
      Likes
      482
      DJ Entries
      3
      When is Anonymous just gonna take over the world? I heart them.

    4. #4
      Drivel's Advocate Xaqaria's Avatar
      Join Date
      May 2007
      LD Count
      WhoIsJohnGalt?
      Gender
      Location
      Denver, CO Catchphrase: BullCockie!
      Posts
      5,589
      Likes
      930
      DJ Entries
      9
      technically, anonymous doesn't have to take over the world. Anonymous is everyone, and no one.

      I think the major implication of this whole thing is now we know that you basically cannot trust popular opinion online when it is aligned with the government or big business since that popular opinion is probably fabricated by someone using the same techniques that HBGary was caught using.

      The ability to happily respond to any adversity is the divine.
      Art
      Dream Journal Shaman Apprentice Chronicles

    5. #5
      Banned
      Join Date
      Aug 2010
      LD Count
      30some
      Gender
      Location
      Manitoba, Canada
      Posts
      1,062
      Likes
      1107
      DJ Entries
      2
      Did they ever release Gary's emails? Cause I know Penny(Head of marketing) was talking to Anon on IRC about not releasing ALL of the emails.

    6. #6
      Member
      Join Date
      Mar 2010
      Posts
      2,760
      Likes
      1081
      DJ Entries
      222
      Lol Anonymous cracks me up. I just read about this yesterday. It's hard to believe a group of "hacktivists" could expose so much information.... From a security company.

    7. #7
      LD's this year: ~7 tommo's Avatar
      Join Date
      Jan 2007
      Gender
      Location
      Melbourne
      Posts
      9,202
      Likes
      4986
      DJ Entries
      7
      Quote Originally Posted by Zebrah View Post
      Lol Anonymous cracks me up. I just read about this yesterday. It's hard to believe a group of "hacktivists" could expose so much information.... From a security company.
      It is ironic. Ego I guess.

    8. #8
      Rational Spiritualist DrunkenArse's Avatar
      Join Date
      May 2009
      Gender
      Location
      Da Aina
      Posts
      2,941
      Likes
      1092
      The funny thing is that the vulnerability was incredibly naive two times over. First the passwords (even in hashed form) should *never* have been available through an (S)/HTTP request. A hashed password should *never* leave the system. In the article I linked to that gave the details of the breakin, they published URL that gave access to the passwords. It was something like www.example.com?page=21&something_else=2. This means that the CMS was set up to serve the passwords. Bad idea.

      Second, even if the passwords do leave the system (which again, should never happen) they should be hashed multiple times (sha1 please, not md5 which they were) and salted, which means that 'password' becomes something like 'psasswaltord' (here, I've interpolated 'salt' into 'password') before they're hashed. The salt should never leave the system and then the attacker has to try all salts in all positions with each password. They didn't even hash it multiple times let alone salt it. I develop custom content management systems and I would *never* think about doing that.

      So their job was to do stuff like audit code to make sure it's secure. It's funny that they didn't audit their own CMS. And it's extra funny that the CEO used the same password for the server and the CMS. If he hadn't done that, they would have been okay and only had their website trashed. This is too funny.
      Previously PhilosopherStoned
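As an added illustration of the two defects described in post #1 and post #8 (example code, not something posted in the thread), here is the single unsalted MD5 scheme beside a hardened one. The hardened form uses the standard construction of a random per-user salt with an iterated hash (PBKDF2-HMAC-SHA256) rather than the salt-interpolation sketch in the post; the wordlist and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed wordlist standing in for a precomputed (rainbow/dictionary) table.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]


def md5_unsalted(password: str) -> str:
    """The weak scheme from the thread: one unsalted MD5 over the password."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> word once. Because there is no salt, one table
    answers every leaked hash that was built the same way."""
    return {md5_unsalted(w): w for w in words}


def lookup_unsalted(leaked_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Recover a password from a leaked unsalted hash by table lookup, or None."""
    return table.get(leaked_hash)


def register(password: str, iterations: int = 600_000) -> dict:
    """Hardened storage: random per-user salt plus an iterated hash.
    The iteration count is a constructed choice; follow current guidance."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_differs_when_salted(password: str) -> bool:
    """Two users with the same password get different stored hashes, so a
    precomputed table keyed on the password alone cannot cover either."""
    a, b = register(password, 10_000), register(password, 10_000)
    return a["hash"] != b["hash"] and a["salt"] != b["salt"]
```

A leaked salted record still needs the salt and the full iteration count per guess, so the attacker is back to guessing one account at a time instead of reading answers from a table.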

    9. #9
      LD's this year: ~7 tommo's Avatar
      Join Date
      Jan 2007
      Gender
      Location
      Melbourne
      Posts
      9,202
      Likes
      4986
      DJ Entries
      7
      What your post looks like to me:
      Quote Originally Posted by PhilosopherStoned View Post
      *unintelligible computer speak* *(S)/HTTP request. hashed password CMS
      sha1 please, not md5 and salted, hashed. CMS.*

      This is too funny.
      haha

      Nah I think I get it on a basic level, but it just reminded me of Big Bang Theory (the show) lol
