Anatomy of the HBGary Hack

PCM2 writes "Recently, Anonymous took down the Web sites of network security firm HBGary. Ars Technica has the scoop on how it happened. Turns out it wasn't any one vulnerability, but a perfect storm of SQL injection, weak passwords, weak encryption, password re-use, unpatched servers, and social engineering. The full story will make you wince — but how many of these mistakes is your company making?"
  • Attack Summary (Score:4, Informative)

    by Anonymous Coward on Wednesday February 16, 2011 @11:14PM (#35228068)
    1. SQL Injection

      The exact URL used to break into hbgaryfederal.com was http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27. The URL has two parameters named pageNav and page, set to the values 2 and 27, respectively. One or other or both of these was handled incorrectly by the CMS...

    2. Password Hashes didn't use salts etc.
    3. Password hashing was done using MD5.
    4. Password complexity policy was crap anyway.
    5. Password recovery policy was vulnerable to social engineering (insider attack).
  • by Anonymous Coward on Thursday February 17, 2011 @12:40AM (#35228452)

    You're missing something.

    http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27

    Obviously the 2 and the 27 are not being validated before being appended into part of a larger SQL query, so construct your own URL substituting 2 (or 27) with something like 2';show tables; --

    Find the one that looks like it contains user login information and then substitute again with 2';select * from user_table; --

    Hey presto, you can now read all the user accounts and hashed passwords.
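Added example, not from the Ars Technica article or either comment above: the defender's side of the flaw the comment describes, in Python with sqlite3. The pages table, its rows and the access-log lines are constructed here; only the parameter names pageNav and page and the shape of the quoted payload come from the page.

```python
import re
import sqlite3

def make_db():
    """Constructed stand-in for the CMS page table (not HBGary's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, nav INTEGER, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                     [(27, 2, "About"), (28, 2, "Contact"), (5, 1, "Home")])
    return conn

def to_int(name, raw):
    # Allow-list check: these parameters are only ever decimal integers.
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError(f"{name!r} must be a decimal integer, got {raw!r}")
    return int(raw)

def fetch_page(conn, page_nav, page):
    """Hardened pages.php lookup: validate first, then bind with placeholders
    so the values travel as data and can never become part of the SQL text."""
    nav, pid = to_int("pageNav", page_nav), to_int("page", page)
    return conn.execute("SELECT id, nav, title FROM pages WHERE nav = ? AND id = ?",
                        (nav, pid)).fetchone()

def rejects(conn, page_nav, page):
    # True if the handler refuses the input before any query is built.
    try:
        fetch_page(conn, page_nav, page)
    except ValueError:
        return True
    return False

PARAM = re.compile(r"[?&](pageNav|page)=([^&\s\"]*)")

def flag_requests(log_lines):
    """Detection side: (line, reason) for log entries whose numeric params are not digits."""
    hits = []
    for line in log_lines:
        for name, value in PARAM.findall(line):
            if not value.isdigit():
                hits.append((line, f"{name}={value}"))
                break
    return hits

# Constructed log lines: a normal request, then the comment's payload shape
# URL-encoded (%27 is the quote, %3B the semicolon).
LOG = [
    '203.0.113.5 - - [16/Feb/2011:22:01:07 +0000] "GET /pages.php?pageNav=2&page=27 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [16/Feb/2011:22:01:09 +0000] "GET /pages.php?pageNav=2%27%3Bshow+tables%3B+--&page=27 HTTP/1.1" 200 812',
]
```

The integer check alone would have stopped the quoted payload at the web tier; the placeholder binding is the second layer for the day the check is forgotten, and the log scan is what tells you someone tried.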
