Thursday, March 3, 2011

The Whole HBGary v Anonymous Scenario

So it's a bit old news now, but it just doesn't seem to quit, and it's all rather interesting. And that is, of course, HBGary Federal (and HBGary's Greg Hoglund) being thoroughly smacked around by hacker group Anonymous. Ars Technica has some very in-depth coverage of the whole situation, with looks at what led up to it as well as the aftermath.

Obviously there's a whole slew of questions about how a security company could have such seemingly glaring lapses in best practices, all the way around the board. But then too, it's easy to play armchair quarterback in hindsight. While I scratch my head about it, that's not why I'm posting.

From what Ars Technica has posted, there would also seem to be a lot of questions about ethical/moral considerations for other HBGary Federal activities. These things, when seen from the outside (again) and not knowing the whole facts/truth, would seem to be likely to lead to investigations into HBGary Federal by law enforcement as well as into Anonymous' activities. However, that's also not the reason for my post.

I'm posting because of the way the attacks got pulled off. Nothing fancy, cutting edge, or unique. Just a good old-fashioned SQL injection made possible by a lack of whitelisting. Password hashes extracted, cracked, and found to have multiple uses. Greg Hoglund's email being compromised and used to gain remote root access through social engineering. Classic stuff, and (seemingly) fairly well executed - at least based on the results. Ars Technica published the email exchange between an Anonymous member posing as Hoglund and Jussi Jaakonaho, wherein Jaakonaho was played in order to give Anonymous root access over ssh to take over the server.

To me, that last social engineering bit is the "sweet" piece. No, I'm not supporting Anonymous' actions, I'm just looking in through a window and thinking that from a technical standpoint, they did a good job. Once they got a foot in the door, they quickly went through a series of steps gaining more and more control over their target environment. Looking back at it, from the outside, it would appear that there were several opportunities for Jaakonaho to get suspicious and try to confirm through some other channel, but he didn't. All the other aspects - gaining access to the CMS, email, data storage, defacing websites, and so on, are all simply technical skills if you will.

The social engineering bit, though, stands out (to me). It was (virtually) face to face. They had to pretend to be Hoglund and communicate with someone who knew him, then try to get that person to do something that would seem to be against the very nature of a security-focused person. I mean, getting Jaakonaho to take down the firewall to open up ports for ssh access, reset passwords, hand out user names and public IP address - wow! To me, even trying to pull that off takes some serious guts. But the fact is, it worked, and quite nicely.

I don't condone what they did at all, but I guess I would have to say that I admire - at least that one piece, at least to an extent - *how* they did it.

In case anyone hasn't read about it and wants to, here are some of the Ars Technica links:

The Inside Story
The Aftermath
The Meet
The Email Revelation

One last little thought on the matter. A part of me can't help but wonder, is it possible that Aaron Barr/HBGary (Federal or otherwise) could have faked out Anonymous, and given them a carefully orchestrated scenario? You know, a really seriously elaborate honeypot? Surely not. But I do wonder...

