Learn a few lessons from a high profile hack

If you haven’t already, you should take a moment to read the story of how the group named Anonymous was able to hack, compromise, and deface computer security firm HBGary.  A must read for…well, just about anyone.

The techniques used by Anonymous were not new. In fact, it is alarming that the simple approach used to gain access would be so successful against a security and defense company.

Many of the exploits used for the intrusion were well known. Information gathered from one attack was reused in later attacks or in spoofed requests to gain further information. The success of the social engineering tactics resulted from a general lack of security best practices.

The steps taken are typical of hackers trying to gain access to a system: seek, exploit, gain control, repeat. The Anonymous attack in a nutshell (read the Ars Technica story for the full details):

1. SQL Injection on Web CMS to gain user information

First, an attack against the CMS tool used as the web front end gave access to the usernames, emails, and passwords stored in the database. Fortunately, the passwords were stored as MD5 hashes rather than in plaintext. Unfortunately, the hashes were neither salted nor iterated, so they could be broken.

Lesson: SQL injection! Test your software – don’t take someone’s word that it has been tested or is secure. Try to break it and gain access.
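As an added illustration (not code from the post, nor from the CMS involved), here is the injectable lookup pattern beside its parameterized form, plus the "try to break it" check the lesson asks for, run against a constructed in-memory SQLite table:

```python
import hashlib
import sqlite3

# Constructed sample rows for the demo; not HBGary's real schema or users.
SAMPLE_USERS = [
    ("alice", "alice@example.com", hashlib.md5(b"password").hexdigest()),
    ("bob", "bob@example.com", hashlib.md5(b"123456").hexdigest()),
]


def make_db():
    """In-memory SQLite database standing in for the CMS user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation: the classic injectable pattern."""
    sql = ("SELECT username, email, password_hash FROM users "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same query with a bound parameter; user input can never alter the SQL."""
    sql = "SELECT username, email, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def injection_test(lookup):
    """The check the lesson asks for: a username containing SQL syntax must not
    widen the result set. Returns how many rows a non-existent user yields;
    anything above zero means the query was altered by its input."""
    conn = make_db()
    probe = "nobody' OR '1'='1"  # no such user, so a correct lookup returns nothing
    return len(lookup(conn, probe))


if __name__ == "__main__":
    print("vulnerable lookup leaks", injection_test(lookup_vulnerable), "rows")  # 2
    print("parameterized lookup leaks", injection_test(lookup_safe), "rows")     # 0
```

The same probe belongs in the application's automated tests, so a regression back to string-built SQL fails the build rather than an audit.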

2. Weak Passwords Broken using Rainbow Tables

The recovered password data still needed to be cracked. To do this, Anonymous used rainbow tables: precomputed lookup tables that map hashes back to the passwords that produced them. This method works best on weak or unsalted password hashes. Two high-profile employees (the CEO and COO) had weak passwords that could be cracked this way. Now Anonymous had usernames, emails, and passwords.

Lesson:  Enforce a strong password policy. Don’t salt your friends, but salt your passwords.

3. Re-use of passwords on personal and business accounts

Ouch – this is where it starts to really hurt.

With the usernames, emails, and passwords of two high profile users, Anonymous exploited the fact that many people re-use credentials on multiple systems. To make matters worse, it is also common for people to use the same credentials on personal accounts and business accounts.

Anonymous was able to gain access to servers and to the personal email accounts of both the CEO and the COO, and began spoofing messages to gain more information and access rights.

Lesson:  Don’t get lazy – Use separate usernames and passwords for personal and business accounts. Use different usernames and passwords for different systems.

4. Accessing an Unpatched Server – Root privileges

Anonymous then did some recon and found a Linux server used for support services. They were able to log in using the recovered credentials. Once logged in, Anonymous used a known, unpatched vulnerability that allowed an ordinary user to run arbitrary code as root on the machine. From this compromised machine Anonymous was able to access research data and customer data.

Lesson: Stay up-to-date with patches on servers with business critical information.

5. Social Engineering – Spoofing

In addition to servers, Anonymous was also able to access the personal email accounts of high-level executives using the recovered credentials. From those accounts, emails were sent requesting further passwords and access. Since the emails came from VIPs, others were quick to hand over information and grant access to the resources requested.

Beyond spoofing, Anonymous was also able to read emails, including emails that contained additional usernames and passwords for other systems. One of those systems was a website, which was quickly defaced.

Lesson: Organizations need a policy or process that is followed whenever sensitive information is requested via email…even when the request comes from a VIP.

20/20 Hindsight

In the end, this hack is more of a reminder than a case study. The hack reminds us why we have security best practices and policies. The hack reminds us we should not get comfortable or lazy. This hack reminds us it can happen to anyone.

More

Read Full Story on Ars Technica

Results of hacked HBGary Site (image)

4 Reviews


  2. HDR says:

    Interesting coverage of the now infamous Anonymous. Explains and links to past operations such as Chanology, Payback, and Sony (which Anonymous denies).
    http://www.guardian.co.uk/technology/2011/may/11/anonymous-behind-the-mask


  3. sqlinjection says:

    SQL injection is still a huge problem. Most recently, an SQL injection attack compromised 4 million websites.
    It still happens way more than it should.
