14 DAY TRIAL // A recently published detailed account of how the attack on HBGary went down, revealed numerous insecure practices used by both the company and its employees.
According to Ars Technica, which spoke with Anonymous members and has all the details, the original point of entry was an SQL injection vulnerability on the company's website.
SQL injection is a type of attack which results in unauthorized database access and is pretty common on the Web today.
Having an SQL injection in one's website is certainly not a good thing, but not something that can easily be avoided either.
Many security companies have been caught with such vulnerabilities on their websites, but what's important is to limit their impact by using Web application firewalls (WAFs) and other methods, something which HBGary failed to do.
The second mistake made the company was using the MD5 hashing algorithm to store passwords inside the website's database.
MD5 has been proven vulnerable for years, but it has the benefit of being fast, so developers might still feel compelled to use it.
However, if such a decision is taken, then additional methods like salting can be used to make password brute forcing much more difficult. HBGary didn't use any.
The third security error that led to the compromise was the use of weak 6-character single-case alpha-numeric passwords by the company's CEO, Aaron Barr, and COO, Ted Vera.
Furthermore, the two engaged in password reuse, meaning that the cracked website passwords gave attackers access to a whole bunch of other accounts belonging to the two executives.
Ted Vera's password gave Anonymous SSH access to a server housing a lot of company research data and other documents, demonstrating why it's better to use public key cryptography for SSH authentication rather than passwords.
Vera had a limited account, so the attackers were restricted to his home dir. That was until they figured out that the Linux system was not up to date with patches and they could exploit a privilege escalation vulnerability and get root access.
This brings us to another recommendation. Keep your operating system up to date -- always -- regardless of whether it's Windows, Linux, Mac OS X or some other flavor.
Meanwhile, Barr's password gave attackers access to his email account and also the company's Google Apps account, since he was listed as administrator. This shows why it's better to use a completely different account for administrative purposes.
With Google Apps admin rights, Anonymous members had the power to reset the password for any of the company's email accounts, and they choose that of HBGary co-founder Greg Hoglund.
Inside, they found older emails containing passwords for the root account on rootkit.com, a research website Hoglund owns, however, they couldn't connect remotely to the Web server.
Using pieces of information gathered from older emails they socially engineered the rootkit.com administrator to give them the current root password and drop the firewall so they can connect.
There are two lessons to learn from this part of the attack. One is to delete older emails that might contain passwords and other sensitive information.
The other is to be suspicious of all unusual requests received via email, even when they originate from a trusted source. Use a secondary method of verification, such as a phone call to determine the legitimacy of the request.
All in all, the HBGary hack was not very sophisticated. Attackers did not use any advanced techniques or leveraged any zero-day vulnerabilities. The only thing that was exploited is the fact that HBGary and its employees were not practicing what they preach.