
Anatomy of the HBGary Hack

samzenpus posted more than 3 years ago | from the plan-of-attack dept.

Security 220

PCM2 writes "Recently, Anonymous took down the Web sites of network security firm HBGary. Ars Technica has the scoop on how it happened. Turns out it wasn't any one vulnerability, but a perfect storm of SQL injection, weak passwords, weak encryption, password re-use, unpatched servers, and social engineering. The full story will make you wince — but how many of these mistakes is your company making?"


220 comments

Awesome (5, Funny)

cs668 (89484) | more than 3 years ago | (#35227952)

The story of their being hacked and how it was done has probably done more for systems security than they as a company ever have......

Re: SQL injection (4, Funny)

naz404 (1282810) | more than 3 years ago | (#35227998)

Looks like they got taken out by Little Bobby Tables...

http://xkcd.com/327 [xkcd.com]

Re: SQL injection (I'm confused) (1)

asifyoucare (302582) | more than 3 years ago | (#35228400)

From TFA : The exact URL used to break into hbgaryfederal.com was http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27 [hbgaryfederal.com] . The URL has two parameters named pageNav and page, set to the values 2 and 27, respectively. One or other or both of these was handled incorrectly by the CMS, allowing the hackers to retrieve data from the database that they shouldn't have been able to get.

What I don't get is how that URL is dangerous and how it could be classed as a SQL injection attack. Am I missing something, or is the article missing something?

Re: SQL injection (I'm confused) (0)

Anonymous Coward | more than 3 years ago | (#35228438)

One of the two parameters was changed to something that allowed an SQL injection attack.

Likely something like: pageNav=';SHOW TABLES;

Re: SQL injection (I'm confused) (2, Informative)

Anonymous Coward | more than 3 years ago | (#35228452)

You're missing something.

http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27

Obviously the 2 and the 27 are not being validated before being appended into part of a larger SQL query, so construct your own URL substituting 2 (or 27) with something like 2';show tables; --

Find the one that looks like it contains user login information and then substitute again with 2';select * from user_table; --

Hey presto, you can now read all the user accounts and hashed passwords.

Re: SQL injection (I'm confused) (3, Funny)

Sulphur (1548251) | more than 3 years ago | (#35228904)

Watson: What is "http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27" Alex

Re: SQL injection (I'm confused) (2)

GNUALMAFUERTE (697061) | more than 3 years ago | (#35228500)

They are giving you the original URL where the injection was used, not a link to the actual injection.

They probably replaced some of those parameters with the injection code.

page is probably how many results per page they want, and pageNav is what page they want, so probably page landed straight into a LIMIT in a sql query, without any kind of treatment. Most likely, just passing that crap through mysql_real_escape_string() would have been enough.

Re: SQL injection (I'm confused) (0)

Anonymous Coward | more than 3 years ago | (#35228794)

Yeah, it's not a SQL injection. My reading of this is that the above URL produced an error message leaking useful information about table names, the DB server being used, possibly even the full query being executed etc. This would suggest the vulnerability and form the basis for devising the actual injection against pages.php.

because (0)

Anonymous Coward | more than 3 years ago | (#35227968)

Pride comes before a fall

Re:because (-1)

Anonymous Coward | more than 3 years ago | (#35227990)

No, it doesn't.

Definitely interesting.... (3, Interesting)

jesseck (942036) | more than 3 years ago | (#35227970)

I've been following this since I heard of it happening- definitely interesting. I like the idea of a custom CMS to avoid an open one (more security). And the poor admin who gave out root, dropped firewalls, and gave up the correct username all via email- that's a bummer. I bet that will be among his "worse day ever" collection. As for shared passwords, I'm sure a lot of us work at guilty companies. Hell, active directory exists partially to address the need for multiple passwords. In all, I enjoyed reading how it was done- quick, efficient work.

Re:Definitely interesting.... (4, Insightful)

NevarMore (248971) | more than 3 years ago | (#35228080)

I like the idea of a custom CMS to avoid an open one (more security).

It's far easier to audit existing code than it is to build your own code. Even if you write it yourself you have to do the same auditing and testing that you would against an existing product.

Re:Definitely interesting.... (0)

Anonymous Coward | more than 3 years ago | (#35228472)

I like the idea of a custom CMS to avoid an open one (more security).

It's far easier to audit existing code than it is to build your own code. Even if you write it yourself you have to do the same auditing and testing that you would against an existing product.

To add to your point.

The same vulnerability information that was available to Anonymous was available to the admin (if the admin had cared to look). This is not about open vs. closed source or security through obscurity - it's about taking security seriously.

Re:Definitely interesting.... (0)

Anonymous Coward | more than 3 years ago | (#35228898)

No you don't, even digital security experts don't audit their code.

Re:Definitely interesting.... (3, Interesting)

nodwick (716348) | more than 3 years ago | (#35228102)

I've been following this since I heard of it happening- definitely interesting. I like the idea of a custom CMS to avoid an open one (more security).

Sadly the moral of the story is the exact opposite - the custom CMS HBGary commissioned was actually less secure, as it appears not to have been subjected to proper security audits, nor was it being updated to patch discovered bugs. Direct from TFA:

Rather than using an off-the-shelf CMS (of which there are many, used in the many blogs and news sites that exist on the Web), HBGary—for reasons best known to its staff—decided to commission a custom CMS system from a third-party developer. Unfortunately for HBGary, this third-party CMS was poorly written. In fact, it had what can only be described as a pretty gaping bug in it. A standard, off-the-shelf CMS would be no panacea in this regard—security flaws crop up in all of them from time to time—but it would have the advantage of many thousands of users and regular bugfixes, resulting in a much lesser chance of extant security flaws.

The very thing you consider a disadvantage in an open software system - the fact that anyone can discover bugs in it - also helps ensure that such bugs are publicized and fixed. With HBGary's custom CMS, the bugs were still there, but the only people looking were the ones specifically trying to break into their system. There can be a case for code obscurity, but if that's all you're relying on to protect yourself, I'd say you're really just burying your head in the sand.

Re:Definitely interesting.... (4, Insightful)

jamienk (62492) | more than 3 years ago | (#35228204)

A non-custom CMS like WordPress is very often the target of massive automated attacks: a new bug is discovered in WP and a tool is written to seek out vulnerable installations and exploit that bug. If you have the skill or $$ to pore over the code, you can probably find your own bugs before they become publicly known.

On the other hand, if your site is specifically targeted, then your custom CMS is as vulnerable or more than the WordPresses out there. You might have a bit of security through obscurity (in a standard WP install, the attacker might know file names and locations, variable names, classes, etc.) but this will probably do you little good if you weren't able to harden the code.

Lesson: you are screwed if a rich, powerful, or smart attacker singles you out. A standard CMS can land you in hot water if you don't have a knowledgeable person administering it (and who has that?).

Re:Definitely interesting.... (2)

PitaBred (632671) | more than 3 years ago | (#35228314)

A custom CMS will protect you against most automated attacks against a "generic" CMS. But it will leave you more vulnerable to directed attacks, which is what happened here.

Re:Definitely interesting.... (1)

jamienk (62492) | more than 3 years ago | (#35228430)

But if you are vulnerable to automated attacks, then you most certainly are also vulnerable to directed attacks, no? The attacker can just use a known (or new) attack against WordPress once they see that that is what you are running:

"Aha! From the Meta Tags I can tell they're running WordPress. Looks like it's version X. I'll do a POST to site/wp-admin/tiny-mce/lang/en-us/takefile.php of a PHP script. If they didn't apply the patch that was released yesterday I should be able to upload my PHP script which will allow me write access or at least read access..." If you were not up-to-date in your install (or if you haven't audited any plugins you used), then the entire hack might take just a few minutes, and could be done by someone with only rudimentary skills.

No?

Re:Definitely interesting.... (1)

nedlohs (1335013) | more than 3 years ago | (#35228492)

Sure, but the idea is that you do apply the patch that was released yesterday at some point in the very near future, so you are only vulnerable for a short time period. So most of the time there aren't any known vulnerabilities that make you vulnerable and the direct attacker likely isn't going to find one right now.

Re:Definitely interesting.... (1)

CodeBuster (516420) | more than 3 years ago | (#35228810)

Another benefit of choosing the "generic" CMS solution is that even when a new exploit is discovered, it's highly unlikely that those in possession of such a valuable prize, a zero day vulnerability in a major CMS product, are going to waste it on a small security company like HBGary (high-profile antics of one ridiculously over the top CEO, Aaron Barr, notwithstanding) or some random individual user. No, the exploit will be saved for a high value target or sold to the highest bidder. Writing your own CMS from scratch and then exposing it to the public Internet is like writing your own "killer" encryption algorithm, it just shouldn't be done. It's better to leave such concerns to established projects, both open source and proprietary, that have received ample scrutiny over the years by real experts, not the sort like Aaron Barr, and repeatedly probed for weaknesses in the wild.

Re:Definitely interesting.... (3, Interesting)

Ihmhi (1206036) | more than 3 years ago | (#35228306)

What happened to HBGary is like a fire station burning down because the smoke alarms didn't work - you'd think they, of all people, would know better.

Re:Definitely interesting.... (5, Funny)

benjamindees (441808) | more than 3 years ago | (#35228426)

It's more like a fire station burning down because the fire chief was being paid by the mayor to make molotov cocktails and throw them at local teenagers and one day they decided to throw one back and instead of putting the fire out the firemen screamed and ran around in circles and poured gasoline on it and the fire station exploded. But, yeah.

Re:Definitely interesting.... (1)

Sulphur (1548251) | more than 3 years ago | (#35228616)

It's more like a fire station burning down because the fire chief was being paid by the mayor to make molotov cocktails and throw them at local teenagers and one day they decided to throw one back and instead of putting the fire out the firemen screamed and ran around in circles and poured gasoline on it and the fire station exploded. But, yeah.

In a WWII test of bat delivered incendiaries, the bats set fire to the base's wooden water tower and other locations. Further development was canceled.

Mistakes (5, Insightful)

codepunk (167897) | more than 3 years ago | (#35227974)

But how many of these mistakes is your company making?

Most companies probably make these mistakes, all except the biggest mistake which was poking a sleeping bear.

The real mistake (5, Insightful)

Fex303 (557896) | more than 3 years ago | (#35227986)

The full story will make you wince — but how many of these mistakes is your company making?

Well, we're not going after 4chan/anonymous, so we're probably in the clear.

I think the biggest security mistake it's possible to make is antagonizing the largest collection of bored hackers/crackers/script kiddies/associated hangers on that exists.

Anonymous (1)

Conrthomas (1993390) | more than 3 years ago | (#35227992)

As it turns out, Anonymous isn't a bunch of 16 year old Swedish kids in their moms' basements running the LOIC. No, my friends, Anonymous knows what they are doing, and God spare your soul if you provoke them.

Re:Anonymous (1)

Anonymous Coward | more than 3 years ago | (#35228038)

except if you read the IRC logs when the CEO of hbgary (penny something) went to talk to anon, it was mentioned that the sql portion of the hack was actually done by a 16 year old girl who goes by the handle kayla

Re:Anonymous (1)

HornWumpus (783565) | more than 3 years ago | (#35228194)

And they had dated pictures of her tits to prove that she was an actual girl?

Re:Anonymous (0)

Anonymous Coward | more than 3 years ago | (#35228684)

knowing what /b/ does, they have sharpie pictures too

Re:Anonymous (2)

the linux geek (799780) | more than 3 years ago | (#35228104)

Because social engineering is so totally an Uber Advanced Hacking Technique. Anyone who hands out a root password, enables remote root SSH access, and shuts off a firewall because of an email message is dangerously complacent.

Re:Anonymous (0)

Anonymous Coward | more than 3 years ago | (#35228174)

About as "talented" as Kevin Mitnick then?

Re:Anonymous (0)

Anonymous Coward | more than 3 years ago | (#35228250)

Yeah, he was pretty much a talentless asshole. Conning someone doesn't take any kind of special gifts even if he seems to think so.

Re:Anonymous (2)

CodeBuster (516420) | more than 3 years ago | (#35228940)

It's easy to monday morning quarterback this thing but consider the following two points (from TFA):

1. The social engineering portion of the attack originated from Aaron's company gmail account (HBGary used Google Apps for mail), which anonymous had gained access to through the gmail account of the admin who re-used his password from the hacked CMS. So the email to the Finnish sysadmin came from Aaron's gmail account (i.e. Anonymous was effectively impersonating Aaron using his own credentials).

2. The email exchange, which is repeated in TFA, shows that Anonymous used information from Aaron's old emails, including two previous root passwords, to further reinforce the notion that the email did indeed come from Aaron Barr who was in a jam before meeting clients in Europe and needed root SSH access asap.

So while the method itself may not have been sophisticated, the wording of the spear phishing messages, carefully chosen to create just the right combination of credibility and urgency, really was a master stroke. Obviously Anonymous has a few people who have done this before. Besides, have you ever tried to make credible pretext emails or phone calls to social engineer information? It's harder than it looks.

Re:Anonymous (1)

Zironic (1112127) | more than 3 years ago | (#35228114)

I'm not sure, supposedly the girl that got the root password was 16 years old and it's not like you have to be a hacking genius to exploit an SQL injection in their page URL and crack the MD5 through a free website's rainbow table.

Neither is it hardcore hacking to google "[Linux flavor vulnerability] and run it on an unpatched machine"

Incompetent (5, Insightful)

Anonymous Coward | more than 3 years ago | (#35228002)

I'm just amazed at how completely oblivious "Chief Security Specialist" Jussi Jaakonaho was during the email correspondence, AND that he was perfectly fine with sharing root passwords via plaintext email.

How do these people even get security jobs and be negligent in even the simplest security practices?

Re:Incompetent (0)

Anonymous Coward | more than 3 years ago | (#35228144)

I'm just amazed at how completely oblivious "Chief Security Specialist" Jussi Jaakonaho was during the email correspondence, AND that he was perfectly fine with sharing root passwords via plaintext email.

How do these people even get security jobs and be negligent in even the simplest security practices?

Because they're smarmy yet personable little nothing bastards who can quickly make most people like them by playing the "life of the party" role, talking about themselves a lot, speaking much more loudly than what is necessary to guarantee that you can hear them, never shutting up, and generally being full of themselves. For some reason the more average people eat that shit up, perhaps because that's how they got where they are too and consider it a willingness to play the game, or a form of deference and flattery. Thus they get into the positions they have not because of merit and skill, but because they knew the right people.

People like that quite literally run the world. They love the sense of importance they get from positions of authority, mistaking that role for true inner meaning and purpose. Only enough is never enough when you do that the wrong way. So governments get bigger, corporations become more powerful and gain more political clout. They and the interests they represent so faithfully get to make all of the important decisions. That's why it does not matter for whom you vote, for anyone who gets into office will face the same pressures. Does that explain a few things for you?

This little hubris displayed by self-appointed experts HBGary is just a microcosm of far larger trends. It is only a matter of scale. Anonymous represents the growing numbers of people who are frustrated because there are few "working within the system" options that can address the problem. This kind of informational attack is far more civilized than the kind of terrible, physical rioting that is going on now in Egypt, making it easier for people to risk real jail time to engage in it. At least, I think that's why they are so willing to break the law. I'm not a member of Anonymous, I neither condemn nor condone their actions, I just see a lot of stories lately involving them. The above is my speculation about why they do what they do with such effectiveness and determination.

Re:Incompetent (0)

Anonymous Coward | more than 3 years ago | (#35228362)

Everyone is anonymous.
You simply choose not to recognize it at this time.

We are legion, etc etc.

Re:Incompetent (0)

Anonymous Coward | more than 3 years ago | (#35228688)

I'm Brian and so's my wife!

Re:Incompetent (1)

Flyerman (1728812) | more than 3 years ago | (#35228168)

Technically, his "boss" started it by putting the passwords in email; when he replied, he didn't use the full pass.

Changing his boss's pass and telling him the username was a bit silly, though.

Re:Incompetent (0)

Anonymous Coward | more than 3 years ago | (#35228480)

I don't know about you but we get weird questions like this all the time from upper management and it actually IS upper management. It took almost three days to convince the senior admins that allowing ssh with public key auth was secure. This is the same company that passes around passwords for 1500 servers in an Excel sheet with a three character password.

Re:Incompetent (1)

HornWumpus (783565) | more than 3 years ago | (#35228180)

A quick Google reveals he apparently used to work for Nokia. First as a design engineer then as a 'Chief Security Specialist' (either that or he is a Russian Guitarist).

It has no record of his having moved to a new job. Perhaps this was his first day?

He had reached his level of incompetence. I'm guessing he is now unemployed and very soon unemployable. Google hasn't indexed much of this yet.

Re:Incompetent (4, Interesting)

jesseck (942036) | more than 3 years ago | (#35228280)

I also wonder though, how much of that was brought on by the corporate culture. My boss doesn't know what SSH is, so him asking about it would be a red flag to me. But executives at HBGary may have used it all the time. And maybe they required root access frequently. All it takes is one previous time of Jussi refusing to pass that info out and resulting in a "we pay your ass, do it when I tell you to!" reprimand, and Jussi will have been changed by the corporate environment to jump when the COO or CEO says to via email. Poor security practices, definitely. But often corporate culture leads to these poor practices. Everyone tries to start out doing the right thing, but often push it aside in favor of "the easy way".

Re:Incompetent (1)

Steauengeglase (512315) | more than 3 years ago | (#35228484)

Reading through some of this, I got the impression that the problem has a lot more to do with making those above you happy, than anything else.

While Jussi's mistake was pretty damned boneheaded, how often do you do what your boss says, because they said so? Not from the perspective of "How do I do my job right?", but "Will I get canned if I say no? I'm not going to tell my boss that he is too stupid to remember both his username and his password".

Granted, at that point, I'd probably just tell them, "I'll give you a ring, it'll clear things up quicker".

On the plus side, we now have a modern, real world, textbook case on how not to handle these things.

And What's next? (4, Insightful)

rueger (210566) | more than 3 years ago | (#35228026)

Gotta say, the linked article was a great education for me, one who's interested but never had time to dig into some of the arcana of stuff like SQL injection.

In watching Wikileaks, OpenLeaks, Egypt, the Palestine papers, and now HB Gary, I'm thinking that we're at the edge of something monumental. I expect we'll see a lot more formerly secret data become public, and see governments and corporations either clean up their acts, or become increasingly desperate and hostile in trying to keep their inside info secret.

Either way we're in for a wild ride!

Re:And What's next? (0)

Anonymous Coward | more than 3 years ago | (#35228084)

I for one welcome our cyberpunk future!

Re:And What's next? (0)

Anonymous Coward | more than 3 years ago | (#35228088)

rueger:

I think we're in the middle of the 'increasingly desperate and hostile' stage. HBGary is SO out of the picture that I'd guess the 'increasingly desperate and hostile' behavior is coming from the 'collateral damage' department. The government agencies that condoned HBGary's tactics must just be in a tizzy! Can't put the genie back in the bottle though...

It takes a long time to earn trust... only a second to destroy it.

-t

Re:And What's next? (2)

gman003 (1693318) | more than 3 years ago | (#35228098)

Well, a Wikileak (that's the term for something Wikileaks leaks, right?) was one of the things that started the Tunisian revolution, which led to the revolt in Egypt, and protests in Algeria, Libya, Yemen, and Bahrain, and it seems to be spreading further, as far away as Iran, and Jordan. Add the fact that some pretty major corporations are also being attacked (), and this could be on the scale of 1848. I'm willing to bet that this chain of uprisings won't stop before it reaches Russia and Italy, and I'm hoping it goes all the way to the US.

We all know that America (hell, most of the world) has needed a major change in government for years now. Decades, even. It isn't bad enough that we need to start lining people against a wall, but at the very least, we need some changes that are big enough that the status quo would be upset.

Re:And What's next? (0)

Anonymous Coward | more than 3 years ago | (#35228124)

Wikileaks had nothing to do with the Tunisian revolution. That was due more to the state of the economy and the corruption. When a young man set himself alight that was the tipping point for the Tunisian revolution. Nothing whatsoever to do with Wikileaks.

Re:And What's next? (2)

gman003 (1693318) | more than 3 years ago | (#35228256)

Quoth Wikipedia [wikipedia.org] : "Another cause for the uprising has been attributed to the inability of the Tunisian government from being able to censor information from reaching the Tunisian people, such as information from WikiLeaks describing rampant corruption in the Tunisian government."

Main cause? No. Contributing factor? Yes. At the very least, it seems like it was the spark that brought all the other factors into focus.

Re:And What's next? (1)

Flyerman (1728812) | more than 3 years ago | (#35228198)

Wikileaks is more effective at regime change in the middle east than WBush. News at 11, on the BBC.

Re:And What's next? (0)

Anonymous Coward | more than 3 years ago | (#35228372)

Revolution is much better than war.

This in itself makes wikileaks a force of good.

Re:And What's next? (1)

jrumney (197329) | more than 3 years ago | (#35228510)

...Yemen, and Bahrain, and it seems to be spreading further, as far away as Iran, and Jordan.

Jordan is much closer to Tunisia than Yemen and Bahrain.

Re:And What's next? (2)

LordLucless (582312) | more than 3 years ago | (#35228142)

That's the end goal Assange always envisaged for Wikileaks. He wanted to make governments either become more open, or become so inefficient due to the security needed to hold their secrets, that Darwin would see them replaced with a more open one.

Was talked about in one of the interviews he gave.

Re:And What's next? (1)

Anonymous Coward | more than 3 years ago | (#35228786)

Right. Keep up with the mental masturbation until you see the promised unicorns and rainbows. Wikileaks has caused a stir - little else. OpenLeaks has yet to do anything. Egypt was 30 years in the making. The Palestine papers are a cruel joke. And HB Gary, while becoming a punch line, is little more than a curiosity (and a handy "this is why we can't have nice things" example for IT meetings everywhere). But hey - Anonymous, Assange / Wikileaks... they'll all point out how they're personally leading us to a new dawn. You can even toast to it while drinking the Kool-Aid. Just don't look too closely at what it's made of.

Shorter version. (0)

Anonymous Coward | more than 3 years ago | (#35228030)

Greedy fake security guy tries to troll a large group of random strangers for money.
Large group of strangers punk him hard.

Profit for the news media!

Attack Summary (4, Informative)

Anonymous Coward | more than 3 years ago | (#35228068)

  1. SQL Injection

    The exact URL used to break into hbgaryfederal.com was http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27 [hbgaryfederal.com] . The URL has two parameters named pageNav and page, set to the values 2 and 27, respectively. One or other or both of these was handled incorrectly by the CMS...

  2. Password Hashes didn't use salts etc.
  3. Password hashing was done using MD5.
  4. Password complexity policy was crap anyway.
  5. Password recovery policy was vulnerable to social engineering (insider attack).
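Items 2 and 3 in the list above are what made the dumped hashes cheap to reverse: with no salt, every account that shares a password shares a digest, and one precomputed table answers all of them. The block below is an added example, not code from the Ars article or from HBGary; the accounts, the tiny wordlist standing in for a rainbow table, and the PBKDF2 iteration count are all constructed for the demonstration. It stores the same constructed password under bare MD5 and under salted PBKDF2-HMAC-SHA256 (Python's standard library) and shows that only the unsalted form collides across users and falls to a table lookup.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample accounts: two users sharing a weak password, as the
# thread describes for HBGary staff.
SAMPLE_USERS = {"alice": "sunshine1", "bob": "sunshine1"}

# Constructed stand-in for a precomputed lookup (rainbow) table: MD5 of a tiny
# wordlist keyed by digest. A real table is the same thing at enormous scale.
WORDLIST = ["password", "letmein", "sunshine1", "qwerty"]
MD5_TABLE = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}

ITERATIONS = 100_000  # assumed work factor for the example


def md5_unsalted(password: str) -> str:
    """The scheme in the list above: bare MD5, no salt. Here only for comparison."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_unsalted(digest_hex: str) -> Optional[str]:
    """Recover a plaintext from an unsalted MD5 digest by table lookup."""
    return MD5_TABLE.get(digest_hex)


def pbkdf2_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a deliberately slow KDF. Returns (salt, digest);
    both are stored, and the salt does not need to be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = pbkdf2_salted(password, salt)
    return hmac.compare_digest(digest, stored)


def store_users(users: Dict[str, str]) -> Dict[str, dict]:
    """Hash every account both ways so the two schemes can be compared side by side."""
    return {u: {"md5": md5_unsalted(p), "pbkdf2": pbkdf2_salted(p)}
            for u, p in users.items()}


def hashes_collide(records: Dict[str, dict], scheme: str) -> bool:
    """True when two accounts end up with an identical stored value: without a
    salt, cracking one password cracks every account that shares it."""
    if scheme == "md5":
        values = [r["md5"] for r in records.values()]
    else:
        values = [r["pbkdf2"][1] for r in records.values()]
    return len(values) != len(set(values))


if __name__ == "__main__":
    records = store_users(SAMPLE_USERS)
    print("unsalted MD5 collides across users:", hashes_collide(records, "md5"))
    print("table lookup on alice's MD5:", lookup_unsalted(records["alice"]["md5"]))
    print("salted PBKDF2 collides across users:", hashes_collide(records, "pbkdf2"))
    salt, digest = records["bob"]["pbkdf2"]
    print("bob's password verifies:", verify_salted("sunshine1", salt, digest))
```

PBKDF2 is used here because it ships with Python; bcrypt, scrypt or Argon2 are the usual choices for new systems. The salt defeats the shared table, and the iteration count makes each guess cost real time, which is what a six-character password needs most.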

Re:Attack Summary (2)

Flyerman (1728812) | more than 3 years ago | (#35228190)

You forgot the part where the CEO of HBGFed used the same six letter pass in the CMS, his email, twitter, facebook...

Basically step 4->5 went lousy password to same password used for the email admin to another user's email account to the social engineering.

Re:Attack Summary (2)

dwarfsoft (461760) | more than 3 years ago | (#35228428)

6. After targeting Anonymous they didn't invest in curtains.

7. After targeting Anonymous they didn't invest in a dog.

Surely they saw the FOX11 story on Anonymous when checking out the background of their quarry?

Seriously (1)

drwhite (456200) | more than 3 years ago | (#35228132)

Why would Jussi Jaakonaho share sensitive info over e-mail? MEMO to Jussi the "Security" in Chief Security Specialist means just that. Not Chief Shithead Specialist.

They will be famous for a long time (4, Insightful)

RelaxedTension (914174) | more than 3 years ago | (#35228158)

They are the Tacoma Narrows bridge of the IT security world now. They will be the textbook case example for generations of students, with the entire repertoire of what not to do every step of the way, especially the one about not pissing-off a malevolent, anonymous mass.

Re:They will be famous for a long time (1)

DNS-and-BIND (461968) | more than 3 years ago | (#35228292)

not pissing-off a malevolent, anonymous mass
Yeah, the wrong sort of people pissed off a malevolent, anonymous mass before. [mtsu.edu] In order for vigilantism to win, good people need only do nothing.

Re:They will be famous for a long time (0)

Anonymous Coward | more than 3 years ago | (#35228844)

not pissing-off a malevolent, anonymous mass
  Yeah, the wrong sort of people pissed off a malevolent, anonymous mass before. [mtsu.edu] In order for vigilantism to win, good people need only do nothing.

Strikes me that they actually pissed off an indifferent, anonymous mass, thereby making it subsequently malevolent.

Poking hornet nests has a habit of doing that, you know.

I'll drop my webapp sec researcher hat... (1)

Zapotek (1032314) | more than 3 years ago | (#35228202)

... and look at this as a layman.
OK, they chose a closed/custom CMS in hopes of security through obscurity, fair enough.
Ok, the guy thought he was talking to the boss and gave away the credentials, fair enough.

But how the HELL did they think that such weak passwords, an out-of-date system and no SSH keys were fine?
Granted that all of their mistakes look unforgivable to me since I'm in the business but I simply can't wrap my head around the ones I mentioned.

Strong passwords aren't an inconvenience, damn let your browser remember them; why not keep an updated system in the first place? And passwordless SSH logins are more secure and more convenient.
And an SQL injection? Even an automated scan would have found that! (No offence to scanner developers, I'm one myself)
This is amateurish to say the least....
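The comment above and the earlier ones about the admin enabling remote root SSH over an emailed password point at a small number of sshd_config directives. The block below is an added example, not from the article or HBGary: a minimal sshd_config parser and audit that flags the weak settings beside a hardened version. Both config texts are constructed for the example, and the built-in defaults it falls back on are those documented for OpenSSH 7.0 and later (an assumption about the server version). Match blocks are not modelled.

```python
import re
from typing import Dict, List

# Constructed sshd_config samples. The first is the state the thread describes
# (root login over a password); the second is the hardened form.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Directive -> (acceptable values, why it matters). sshd keywords are
# case-insensitive, so everything is compared in lower case.
EXPECTED = {
    "permitrootlogin": ({"no", "prohibit-password", "without-password"},
                        "root must not be able to log in with a password"),
    "passwordauthentication": ({"no"},
                               "a password shared by email or reused elsewhere grants access; require keys"),
    "pubkeyauthentication": ({"yes"},
                             "key-based login must stay enabled once passwords are off"),
}

# Assumed built-in defaults (OpenSSH 7.0+) used when a directive is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# "Keyword value" or "Keyword=value"; the keyword is the first non-space run.
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Keyword -> value for the global section. The first occurrence of a
    keyword wins, which is how sshd itself resolves duplicates."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        key, value = (m.group(1), m.group(2)) if m else (line, "")
        key = key.lower()
        if key == "match":
            break  # per-user/host overrides are outside this example
        settings.setdefault(key, value.strip().lower())
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """One finding per directive whose effective value (set or default) is
    outside the acceptable set."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (ok_values, why) in EXPECTED.items():
        value = settings.get(key, DEFAULTS[key])
        if value not in ok_values:
            origin = "set" if key in settings else "default"
            findings.append(f"{key}={value} ({origin}): {why}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(label, audit_sshd_config(cfg) or ["no findings"])
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an empty list means the three directives are where they should be. Turning PasswordAuthentication off is what makes an emailed or reused password worthless to whoever reads it, which is exactly the failure this thread is about.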

Re:I'll drop my webapp sec researcher hat... (0)

Anonymous Coward | more than 3 years ago | (#35228566)

You know the tech industry is 50% marketing. Selling to clueless purchasing managers, making false presentations to people who will never use the service, stoking fanboyism and spreading FUD is part of the game. Now imagine how much of a clue local and federal government have in evaluating how well you're securing their system. Aggressive marketing wins the contract, skill can always be subcontracted in later, who'll notice.

Re:I'll drop my webapp sec researcher hat... (1)

AHuxley (892839) | more than 3 years ago | (#35228608)

Classic MS like group think? With the US and UK .gov..edu .com crypto circles they lived in/sold to ... what's to worry about?
A very MS focused team to offer deep MS related solutions?

Help me out here (1)

EW87 (951411) | more than 3 years ago | (#35228270)

I followed the article very well but I still don't quite understand what a SQL injection is...Can someone explain it a bit better?

Re:Help me out here (1)

clarkkent09 (1104833) | more than 3 years ago | (#35228450)

If user input is not cleaned up before being used in a query, an attacker can possibly execute some arbitrary SQL on your db. For example userName is passed in from the login form. The script uses it in a query:

SELECT * FROM customers WHERE name = '{$userName}'

Say if you pass in this as your username: '; DROP TABLE customers; The query becomes:

SELECT * FROM customers WHERE name = ''; DROP TABLE customers;

or passing in ' OR 1=1; will find a match when there isn't one etc

Re:Help me out here (1)

oliverthered (187439) | more than 3 years ago | (#35228482)

Put simply, when I submit this post it will go into a database.

There are characters such as ' or whatever that need to be escaped if for instance, the SQL is built up, say, by concatenating strings.

SQL = "INSERT INTO Post_Table (text,username) VALUES ('" + PostData + "', '" + username + "')";

In this case single quotes represent the start and end of string data in the SQL statement.

So if I put a single quote in some data I post, and it's not escaped in the SQL statement then I can craft a post that would allow me to execute another SQL statement afterwards, say the DBMS uses ; as a statement terminator

So say I post the data

foobar' , 'he he a pretend username'; DROP DATABASE;

well you get the idea.

There's more to it and more ways than that, stored procedures etc.... but that's the general idea, that if the data being posted isn't sent to or worked on in the DBMS properly, it's possible to add your own custom SQL statements that can do pretty much anything you like to the DBMS, and even get out onto the local network and then mess around with that yada yada....

I could for instance put
foobar' + (SELECT blah from blip) + 'rab
and then when my post get returned back to me it would contain whatever the select statement contained as well as the post.

Re:Help me out here (1)

EW87 (951411) | more than 3 years ago | (#35228544)

Ok I'm kind of getting it. I wish I knew more about Databases. I am a hardware/Network systems guy. As I understand it you're adding your own information into a line of SQL. Umm...is it like when I was 13 and used to go through porn sites' free tours and when they ended on "Freepic13.jpg" I changed it to freepic14.jpg and found the hidden images? Or am I missing the point about adding your own text to the SQL?

Re:Help me out here (1)

EW87 (951411) | more than 3 years ago | (#35228676)

I promise I'm not trolling I just don't understand how accessing a file that's published TO BE accessed allows someone into your system.

imagine a conical bath... (2)

decora (1710862) | more than 3 years ago | (#35228526)

ok actually.

websites take input from users. like when i log in to slashdot, it asks me for input.

it will run the input through a program, which will talk to a database.

how does it talk to the database? it runs an SQL command, like 'SELECT * FROM TABLE USERS WHERE NAME=$username'

$username for me is 'decora' because that's what i type into my little login box.

but let's say i uhm, type into the 'username' box something like 'decora OR name=cmdrtaco'.

now, instead of just getting my info, it might spit back all of cmdrtaco's info too! maybe even his hashed password.

to protect against this, most programs will take measures like:

0. validate input (does the username have spaces in it? reject if so)
1. check the SQL query to make sure it's 'safe' and contains no parsable SQL commands.
2. don't write stuff like 'SELECT * FROM', only read stuff you need.
3. validate data returned from the SQL query before printing it to an html page.
  ie. if you're supposed to get 5 datums back per user and instead you get 10, something's wrong.

then again all that takes time and money and effort to do.
why bother, if nobody will ever care? the company that made the CMS for HBGary probably
contracted out the programming to some other company that hired people off a website,
(i have no evidence of course).
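The injection the three replies above describe (clarkkent09's and oliverthered's string concatenation, decora's list of protective measures), worked through as an added example that is not part of any comment in this thread. It uses Python's sqlite3 module and a constructed three-row customers table; the vulnerable lookup pastes the username into the SQL text, the parameterized one binds it as a value, and the hardened one adds decora's input validation and result-count sanity check. The payload uses ' OR 1=1 -- rather than the ' OR 1=1; on the page so that the trailing quote is commented out and the statement parses; sqlite3 refuses to run more than one statement per execute() call, so the DROP TABLE variant is not reproduced here.

```python
import re
import sqlite3

# Constructed sample data (not from the article or the comments): a tiny customers table.
SAMPLE_CUSTOMERS = [("alice", "alice@example.com"),
                    ("bob", "bob@example.com"),
                    ("cmdrtaco", "taco@example.com")]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers (name, email) VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_concatenated(conn, user_name):
    """The vulnerable pattern from the thread: the username is spliced into the SQL text.

    A quote inside user_name ends the string literal, and whatever follows is
    parsed as SQL, so ' OR 1=1 -- turns the WHERE clause into a tautology.
    """
    query = "SELECT name FROM customers WHERE name = '" + user_name + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_parameterized(conn, user_name):
    """Same lookup with a bound parameter.

    The SQL text is fixed; the driver hands the value to the engine separately,
    so quotes in user_name are just characters to compare against, never syntax.
    """
    rows = conn.execute("SELECT name FROM customers WHERE name = ?", (user_name,))
    return sorted(row[0] for row in rows)


# decora's item 0: usernames are a known shape, so reject anything else up front.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(user_name):
    """True only for short alphanumeric/underscore names (no spaces, no quotes)."""
    return USERNAME_RE.fullmatch(user_name) is not None


def lookup_hardened(conn, user_name):
    """Validate the input, bind it as a parameter, and sanity-check the result size.

    A login lookup should match at most one row (decora's item 3); more than one
    means either a data problem or a query that did not mean what it should.
    """
    if not is_valid_username(user_name):
        raise ValueError("rejected username: %r" % user_name)
    rows = lookup_parameterized(conn, user_name)
    if len(rows) > 1:
        raise RuntimeError("expected at most one row, got %d" % len(rows))
    return rows


if __name__ == "__main__":
    conn = make_db()
    evil = "' OR 1=1 --"
    print(lookup_concatenated(conn, "alice"))    # ['alice']
    print(lookup_concatenated(conn, evil))       # ['alice', 'bob', 'cmdrtaco']
    print(lookup_parameterized(conn, evil))      # []
    print(is_valid_username("decora OR name=cmdrtaco"))  # False
```

Running the block shows the whole point in three lines of output: the concatenated query returns every customer for the crafted input, while the parameterized query returns nothing because no customer is literally named `' OR 1=1 --`. The validation regex is an assumption about what a username may look like; tighten or loosen it to match the application's actual rules, but keep parameter binding regardless, since validation alone is easy to get wrong.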

Re:imagine a conical bath... (1)

EW87 (951411) | more than 3 years ago | (#35228718)

OK that makes more sense now. I am sure I am oversimplifying it, but I assumed SQL Databases were like giant spreadsheets that contained columns like "Username" and were populated by forms and radio buttons. This makes me want to learn SQL.

Re:imagine a conical bath... (1)

EW87 (951411) | more than 3 years ago | (#35228838)

You really simplified it with the cmdrtaco example. Thank you.

Re:Help me out here (0)

Anonymous Coward | more than 3 years ago | (#35228748)

i'm 12 years old and what is this

Ego (1)

dark grep (766587) | more than 3 years ago | (#35228446)

The start of the problem was Barr mouthing off to the Anonymous contact about what he was going to do. Clearly, his ego is to blame for the trouble it caused his company.

Morals? (0)

Anonymous Coward | more than 3 years ago | (#35228454)

On the one hand, the more I read the more it sounds like HBGary had it coming (and was sloppy and inept).

But on the other, will we have no discussion of whether a vigilante retaliation is appropriate? Logging in, maybe some embarrassing modifications to the web site, sure. Publishing all the employees' e-mails and deleting backups, too? (If someone had come and broken Barr's legs in an alley, would we be so ready to gobble up the technical details of how it'd been done?)

Or, for a third argument, is it the right response because Anonymous – fighting the battle the government is failing to pick up – has no recourse but itself? I don't know: I'm asking; but I'm asking because I'm surprised not to see it as part of current discussion.

I'll tell you the #1 mistake we aren't making... (0)

Anonymous Coward | more than 3 years ago | (#35228636)

My company isn't pissing off a buncha teenage hackers.

We (0)

Anonymous Coward | more than 3 years ago | (#35228646)

We are Anonymous.

We are legion.

(surprised no one has done this yet) :)
