Security

Anatomy of the HBGary Hack

PCM2 writes "Recently, Anonymous took down the Web sites of network security firm HBGary. Ars Technica has the scoop on how it happened. Turns out it wasn't any one vulnerability, but a perfect storm of SQL injection, weak passwords, weak encryption, password re-use, unpatched servers, and social engineering. The full story will make you wince — but how many of these mistakes is your company making?"
  • by jesseck ( 942036 ) on Wednesday February 16, 2011 @10:56PM (#35227970)
    I've been following this since I heard of it happening- definitely interesting. I like the idea of a custom CMS to avoid an open one (more security). And the poor admin who gave out root, dropped firewalls, and gave up the correct username all via email- that's a bummer. I bet that will be among his "worst day ever" collection. As for shared passwords, I'm sure a lot of us work at guilty companies. Hell, Active Directory exists partially to address the need for multiple passwords. In all, I enjoyed reading how it was done- quick, efficient work.
  • by nodwick ( 716348 ) on Wednesday February 16, 2011 @11:23PM (#35228102)

    I've been following this since I heard of it happening- definitely interesting. I like the idea of a custom CMS to avoid an open one (more security).

    Sadly the moral of the story is the exact opposite - the custom CMS HBGary commissioned was actually less secure, as it appears not to have been subjected to proper security audits, nor was it being updated to patch discovered bugs. Direct from TFA:

    Rather than using an off-the-shelf CMS (of which there are many, used in the many blogs and news sites that exist on the Web), HBGary—for reasons best known to its staff—decided to commission a custom CMS system from a third-party developer. Unfortunately for HBGary, this third-party CMS was poorly written. In fact, it had what can only be described as a pretty gaping bug in it. A standard, off-the-shelf CMS would be no panacea in this regard—security flaws crop up in all of them from time to time—but it would have the advantage of many thousands of users and regular bugfixes, resulting in a much lesser chance of extant security flaws.

    The very thing you consider a disadvantage in an open software system - the fact that anyone can discover bugs in it - also helps ensure that such bugs are publicized and fixed. With HBGary's custom CMS, the bugs were still there, but the only people looking were the ones specifically trying to break into their system. There can be a case for code obscurity, but if that's all you're relying on to protect yourself, I'd say you're really just burying your head in the sand.

  • Re:Incompetent (Score:5, Interesting)

    by jesseck ( 942036 ) on Wednesday February 16, 2011 @11:58PM (#35228280)
    I also wonder though, how much of that was brought on by the corporate culture. My boss doesn't know what SSH is, so him asking about it would be a red flag to me. But executives at HBGary may have used it all the time. And maybe they required root access frequently. All it takes is one previous time of Jussi refusing to pass that info out and resulting in a "we pay your ass, do it when I tell you to!" reprimand, and Jussi will have been changed by the corporate environment to jump when the COO or CEO says to via email. Poor security practices, definitely. But often corporate culture leads to these poor practices. Everyone tries to start out doing the right thing, but often pushes it aside in favor of "the easy way".
  • by Ihmhi ( 1206036 ) <i_have_mental_health_issues@yahoo.com> on Thursday February 17, 2011 @12:05AM (#35228306)

    What happened to HBGary is like a fire station burning down because the smoke alarms didn't work - you'd think they, of all people, would know better.

  • Re:Morals? (Score:4, Interesting)

    by Chas ( 5144 ) on Thursday February 17, 2011 @04:11AM (#35229642) Homepage Journal

    Who started with the vigilantism here?

    Aaron Barr at HBGary. He's not law enforcement and as far as I know wasn't under contract by any law enforcement agency to root out the members of Anonymous.

    Yet he's threatening to name names. To accuse people of participating in disruptive, possibly criminal activities.

    Not in a court of law. But in public.

    He's going all "Wild West" on people here and threatening to "pull his gun".

    In this case, Anonymous responded in kind and Aaron Barr, shootist, is now lying in the street in a puddle of his own blood.

    Unfortunately, Anonymous brought a gatling gun to a pistol fight. So lots of other people have huge bullet holes blown in them too.

    Now I deplore "hacktivism" as the WORST possible way to convey one's message to people.

    But I'm VERY familiar with the notion of making it painful for people who're harassing you to continue to do so.

    What Anonymous did was wrong. Make no mistake about it.

    But what did these jackholes THINK was going to happen?
