The inside story of the HBGary hack

[caissyd]

The Social Engineering part is especially good!  ;D

http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/

[AndyB67]

A brilliant piece of work by Anon and a damming enditment of HBGary!

[alucian]

Uau!

Nicer than an action movie 🙂

[Anonymous]

I find this situation insanely entertaining, is that wrong? It appears the initial vectors of attack were pretty straight forward, the social engineering aspect of it is almost ridiculous. The biggest portion of this attack that is so alarming is how many private companies, government agencies and foreign interests had some involvement with HBGary, and now they are suddenly exposed…….the kinetic damage from the poor security practices by HBGary.

[maxpeck]

Like a guy that runs a Dojo getting his butt kicked by a group of 10 year olds 😉

[timmedin]

There have a number of security companies pwned in the last few years. I’d be shocked if a number of the bigger companies wouldn’t also be pwnable, especially when you count the SE attacks. The SE attacks aren’t a pass/fail, its a question of what percentage of the people will fall for it.

[digitalsecurity4u]

Making yourself the poster child of how not to run a security company, nice. If they ever recovery its going to be a while and no steak is going to remove that black eye. The using of the same password accross domains (company and internet) really kills me.

[timmedin]

@digitalsecurity4u wrote:

Making yourself the poster child of how not to run a security company, nice.

I actually appreciate someone trying to take on Anonymous. Whether you support the cause that Anonymous stands for, what they are doing *is* illegal. And we supporting an “ends justify the means” approach is very dangerous.

If they ever recovery its going to be a while and no steak is going to remove that black eye.

They are dead. My understanding is that they have two employees left.

The using of the same password accross domains (company and internet) really kills me.

Yeah, not a great idea, but I can guarantee they they aren’t the only security company doing it.

[lorddicranius]

@timmedin wrote:

If they ever recovery its going to be a while and no steak is going to remove that black eye.

They are dead. My understanding is that they have two employees left.

Aaron Barr has finally resigned.  When you say only 2 employees left, is that just HBGary Federal, or HBGary?  Reading the chat logs from when Penny Leavy was pleading with Anonymous in their IRC channel, she made it clear that HBGary had only invested money in HBGary Federal, that they were separate companies.  I haven’t heard much about HBGary and was wondering how they were doing compared to HBGary Federal.

[red rail]

It seems as though his compromise for usability vs security met a sad fate.  I assume that he set his websites/accounts up thinking that he had no reason to be excessively secure.  For a security company, this is unacceptable.  Most of us make these common mistakes in the sake of thinking, “Its good enough”…. and it usually is… because were not starting trouble for ourselves with a group known to be successful with disrupting services.  I still fail to see what he was trying to accomplish?  Even if he was completely secure (by theory), he would still be susceptible to DDoS attacks, that they are known to use, that would disrupt the day to day operations of his websites.. there really was no ‘winning’ outcome.  His arrogance caused his downfall.. and he will have that story to tell for the rest of his life.

[yatz]

Not to beat a dead horse, but I got a kick out of this one.  It came across Twitter this morning.

The HBGary saga, depicted as a Spy v. Spy cartoon.

http://www.businessweek.com/magazine/content/11_12/b4220066673859.htm

[caissyd]

Thanks yatz, it is very funny!!! 🙂

[tturner]

You guys see the email about Hbgary trying to out-nmap nmap?

http://seclists.org/nmap-dev/2011/q1/767

This scanner would not take us very long to write, and it would BLOW
THE BALLS OFF OF NMAP.

::)

[lorddicranius]

That cartoon and especially that email regarding nmap, too funny ;D

[dynamik]

Schneier put together a great list of Ars Technica articles that went in-depth and contain some pretty interesting information: http://www.schneier.com/blog/archives/2011/02/anonymous_vs_hb.html

[WCNA]

That out-nmapping-nmap article is pretty funny. Here’s something else I find odd about their proposed traceroute program:
“… we can send all TTL packets in one microsecond, instead of waiting for each one to come back before sending the next.”

Correct me if I’m wrong but doesn’t that presuppose that you know every route from anywhere to anywhere? If I ping some box (anywhere), won’t it most likely do this:
my box>default gw(dgw) >dgw >dgw >bgp (or MPLS)>bgp >routing lookup (rl) >rl >rl >mac lookup >target box

To send “all TTL packets in one microsecond” you would have to know all those addresses listed above beforehand.

So for a standalone, distributable program, it would 1)have to be huge to hold all routes (and probably slow) & 2)update its routes constantly. Anyone that has watched one of the realtime BGP looking glasses would see how often routes change, not to mention redundant connections and load balancing.

[Author]

Posts