Wednesday, March 09, 2011

HBGary: Password-Weak

I love irony, not 'arf!

Firstly, you have to know a little about HBGary.

HBGary is a technology security company. Two distinct but affiliated firms carry the name: HBGary Federal, which sells its products to the US Federal Government, and HBGary, Inc. Its other clients include information assurance companies, computer emergency response teams, and computer forensic investigators. Wiki

And perhaps listen to a few brief notes from its own trumpet. I can't offer you more, because for some strange reason everything HBGary seems to be offline.

HBGary Federal - Defeat Tomorrow's Threats Today
12 Oct 2010 ... As a nation we are hemorrhaging; our government, military, corporate, and financial institutions are being robbed of their intellectual ...

HBGary :: Detect. Diagnose. Respond.
HBGary Unveils Razor: Most Powerful Weapon Against Today's Targeted Attacks. HBGary unveils Razor, a stand-alone appliance that automatically detects ...


Then three reports courtesy of The Register, oldest first.





Anonymous security firm hack used every trick in book

SQL injection, weak password security, social engineering - oh my!
17 February 2011

An attack by Anonymous on security firm HBGary used a combination of software vulnerabilities and social engineering to pull off a highly sophisticated hack, it has emerged.

A SQL injection weakness in a third-party content management product used to post content on HBGary's website allowed a cadre of hackers from Anonymous to steal hashed versions of passwords used to update its website.

A brute force dictionary-based attack on these passwords allowed the miscreants to work out the login credentials used by HBGary Federal employees, including chief exec Aaron Barr and COO Ted Vera. Barr and Vera made the mistake of using the same passwords for their Twitter and LinkedIn accounts.

Crucially the same password was also used to administer a corporate email account, a failing seized upon by Anonymous to extract a cache of corporate emails which were subsequently posted as a torrent, exposing confidential emails. The emails, in turn, revealed who had access to the rootkit.com research site maintained by HBGary, and the probable root access password of the machine hosting the site.

Using this information Anonymous was able to hoodwink an associate of HBGary into dropping firewall defences and allowing remote access to the site under the pretext that the message came from Barr, who was supposedly on the road at a security conference at the time. The credentials were handed over, allowing Anonymous to deface the website.

A detailed analysis of the hack by Ars Technica, based on interviews with members of Anonymous and other research, can be found here.

HBGary had intended to reveal its research into the senior members of Anonymous at the BSides San Francisco conference, which runs parallel to this week's RSA Conference. In the wake of the hack (and "numerous threats of violence") HBGary withdrew from the RSA show, replacing their booth with a forlorn sign recorded in a blog post by Sophos here.

The leaked emails detail a supposed business proposal by HBGary to assist Bank of America's law firm, Hunton & Williams, in a dirty tricks campaign aimed at discrediting WikiLeaks in the run-up to the expected publication of confidential bank documents. The leaked documents detail supposed plans to dig up dirt and apply pressure to key WikiLeaks supporters as well as proposals to submit false documents in a bid to discredit the whistle-blowing website.

HBGary said the leaked documents might have been altered prior to publication. "Given that Anonymous has had these emails for days I would be highly suspect [sic] of them," the president of HBGary Penny Leavy told the BBC.
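The chain the Register piece above describes, reduced to something you can run. This is an added example, not code from the article, from Ars Technica or from HBGary: a toy CMS user table in SQLite, a deliberately vulnerable lookup that a tautology payload turns into a dump of every row, a dictionary attack on the dumped hashes, and then the hardened versions (a parameterised query and a per-user salted PBKDF2). The account names, passwords and word list are constructed; unsalted MD5 as the stored hash is an assumption, since the article says only that the passwords were "hashed".

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for this example; none of it is real.
ACCOUNTS = [("editor", "summer07"), ("admin", "raz0r11")]
WORDLIST = ["letmein", "summer07", "qwerty", "raz0r11", "password1"]
INJECTION = "x' OR '1'='1"  # classic tautology payload: matches every row


def md5_hex(pw):
    # Unsalted, fast hash, the way a weak legacy CMS might store it.
    # MD5 is an assumption here; the article only says "hashed".
    return hashlib.md5(pw.encode()).hexdigest()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(n, md5_hex(p)) for n, p in ACCOUNTS])
    return conn


def vulnerable_lookup(conn, name):
    # Deliberately vulnerable: untrusted input concatenated into the SQL.
    query = "SELECT name, pw_hash FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, name):
    # Parameterised: the payload is compared as a literal string, no rows match.
    return conn.execute(
        "SELECT name, pw_hash FROM users WHERE name = ?", (name,)).fetchall()


def crack_unsalted(rows, wordlist):
    # Without salts one hash per candidate word is checked against every
    # user at once; a precomputed table serves all dumps of the same scheme.
    table = {md5_hex(w): w for w in wordlist}
    return {name: table[h] for name, h in rows if h in table}


def hash_salted(pw, salt=None, iterations=200_000):
    # Per-user random salt plus a slow KDF: no shared lookup table, each
    # guess costs `iterations` HMAC calls, equal passwords hash differently.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, dk.hex())


def verify_salted(pw, stored):
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored_by_user, wordlist):
    # With salts the attacker re-runs the slow KDF per user per guess.
    # A password that is in the word list still falls; it just costs more.
    found = {}
    for name, stored in stored_by_user.items():
        for w in wordlist:
            if verify_salted(w, stored):
                found[name] = w
                break
    return found


if __name__ == "__main__":
    conn = make_db()
    rows = vulnerable_lookup(conn, INJECTION)
    print("injection dumped", len(rows), "rows")
    print("parameterised lookup returned", safe_lookup(conn, INJECTION))
    print("cracked from unsalted dump:", crack_unsalted(rows, WORDLIST))
    stored = {n: hash_salted(p) for n, p in ACCOUNTS}
    print("same password, different salted hashes:",
          hash_salted("summer07") != hash_salted("summer07"))
    print("salted, still weak passwords:", crack_salted(stored, WORDLIST))
```

Two things to take from running it. The parameterised query returns nothing for the payload, so the dump never happens; and the salted scheme removes the shared table and slows every guess, but a short dictionary word still comes out, which is why the reuse of one weak password across Twitter, LinkedIn and the corporate mail system was the part of the chain that actually did the damage.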





HBGary 'puppets' FAIL to convince

Leaked doc outlines dumb rep management strategy
20 February 2011

It looks like we should all learn Homer Simpson’s sock-puppet phobia.

If this blog post is accurate, then corporates aren’t just briefing social media teams to “manage” their reputation on services like Twitter. They’re creating armies of software-driven sock-puppets to gang up on bloggers and commenters to swamp negative comment.

The Daily Kos poster is particularly offended that HBGary, the company that embarrassed itself by taking on “hacktivist” group Anonymous and being hacked in return, would be deploying such tactics against its critics.

The technique is based on creating a kind of meta-manager of online personae, to make sure (as the HBGary document puts it) that the person hired to massage their employers’ online reputation doesn’t “accidentally cross-contaminate personas during use”.

“Get over it” is one reasonable response. The only thing revealed by HBGary is that the business of sock-puppet management should be more sophisticated than, perhaps, “real” people might expect. But it should not be surprising: people have been prepared to pay for competitive advantage in the world of “reputation management”, and where there’s money, there will always be someone to provide their own innovations to grab a slice.

So in this iteration of the online arms race that I’m tempted to call “The King’s Shilling” (except I suppose that’s too awful a pun), someone’s realized that instead of a social media team sharing one account so as to keep the flow of up-vibe posts flowing, they can have one social media sow in a stall suckling lots of Facebook and Twitter piglets all at once.

It’s hard to work up a good imitation of surprise at this. It’s also hard to see such a strategy working.

No matter the advances in artificial intelligence over the years, “real” people remain good at identifying fakes. If you watch even a couple of contentious hashtags – in Australia, #nbn (the hashtag Aussies use to discuss the National Broadband Network) will do as an example – the auto-Tweets stand out as if lit by neon.

For a start, telling a machine to throw a couple of links, RSS feeds or pre-canned responses in the direction of any given hashtag results in giveaway howlers: “watch this!” messages turning up with links to American news programming.

“There are a variety of social media tricks we can use to add a level of realness to fictitious personas,” says one of the HBGary documents. It may be so: but I don’t see any evidence that people's Twitter-bots have passed the Turing test yet.

While it looks a little like the corporate threat to democracy and free discussion that the Daily Kos believes it to be, it’s also a completely self-destructive strategy. The personas will invade any and every conversation they’re instructed to, acting like over-indulged toddlers and yelling “want #banana NOW!” across grown-up conversations.

Instead of creating an illusion of consensus, they’ll either be blocked by people who want to talk like adults, or where they can’t be blocked, they’ll drive users away from the medium they seek to dominate.

And they’ll be deploying their bots and “social media experts” into a world in which an army of amateur – but frequently effective – sleuths will be ready to unmask and pounce upon their inept attempts to manage conversations in their direction.





HBGary chief exec resigns over Anon hack

Barr falls on sword
1 March 2011

HBGary Federal chief exec Aaron Barr has resigned in a bid to allow the firm to draw a line under the continuing revelations from the Anonymous hack attack.

Barr was the prime mover in plans to out senior members of Anonymous at the B-Sides security conference last month. But hunter became hunted after the more skilled members of Anonymous hacked into HBGary Federal's computer network before publishing its email database.

The emails included the revelation that Morgan Stanley, an HBGary client, was hit by the Operation Aurora attacks of late 2009, as well as messages that purported to show HBGary was planning a dirty tricks campaign against WikiLeaks.

HBGary, while admitting it was hacked and not denying the authenticity of any particular message, has said that the notorious mischief maker at Anonymous had plenty of opportunity to alter the published emails. Nonetheless the hack itself, to say nothing of the range of circumstances that allowed the breach (insecure web apps, weak passwords and social engineering) would be hugely embarrassing for any firm, much less a small outfit that sells its white hat hacker expertise to government agencies and banks.

Adding insult to injury, HBGary has become the topic of comedy sketches, with comedian Stephen Colbert devoting a segment of the Colbert Report to the hack on 24 January. The sketch mocked both Barr ("master of counter-hacking" and World of Warcraft "level 90 night-elf druid") and "global hacker nerd brigade" Anonymous. According to Colbert: "Anonymous is a hornets' nest and Barr said I'm gonna stick my penis in that thing."

With such unwanted and high-profile media attention, to say nothing of the doubtless awkward private exchanges between HBGary and its client in private, it comes as little surprise that Barr has decided to fall on his sword.

"I need to focus on taking care of my family and rebuilding my reputation," Barr told Threatpost in a phone interview. "It’s been a challenge to do that and run a company. And, given that I’ve been the focus of much of bad press, I hope that, by leaving, HBGary and HBGary Federal can get away from some of that. I’m confident they’ll be able to weather this storm."

HBGary is yet to comment officially on the resignation, which renews questions about its plans to move on from the hugely embarrassing Anonymous hack. We've put in a query to the firm and will update this story as and when we hear more. The Register, links at the bottom of the page.

Lastly, a little on sock-puppets, which, given what I used to blog about, has a certain familiarity about it.

A sockpuppet is an online identity used for purposes of deception within an online community. In its earliest usage, a sockpuppet was a false identity through which a member of an Internet community speaks with or about himself or herself, pretending to be a different person, like a ventriloquist manipulating a hand puppet.

In current usage, the perception of the term has been extended beyond second identities of people who already post in a forum or blog to include other uses of misleading online identities. For example, a New York Times article claims that "sockpuppeting" is defined as "the act of creating a fake online identity to praise, defend or create the illusion of support for one's self, allies or company."

The key difference between a sockpuppet and a regular pseudonym (sometimes termed an "alt" which is short for alternate, as in alternate identity) is the pretense that the puppet is a third party who is not affiliated with the puppeteer or acting under their control for their benefit. Wiki


11 comments:

Anonymous said...

http://twitter.com/#!/anonymousirc

Anonymous said...

bit.ly/L77C8M

Twittering world leaders: #boring

What do they know

Following world bloke: #addictive

Follow the leader

Himself said...

I just checked Hugo out, but as you would expect, all in Spanish.

I guess there are hundreds of interesting people to follow if one only put one's mind to it.

I follow Richard Dawkins, he's fine. Salman Rushdie is a bit boring, but I find it's the common folk who are invariably more interesting than those on the A list.

Still not tempted to get an account?

Anonymous said...

I love my own account. x
(no ism intended)

Himself said...

A bit cryptic lass.

Tell me something, if I had written "Bit cryptic lass" instead, would you have recognised it straight away as meaning the same thing?

Just wondered.

Anonymous said...

Z x

Himself said...

What's bin-a-goin' on 'ere, then? lol bit.ly/QFExur

Firstly, Blogger thinks you're spam.

Secondly, I don't know, who is she?

I followed her back after doing what I do with all followers, I read a few tweets first; she seemed ok.

The face looks familiar though I must say.

Anonymous said...

I don't know who she is, but the twitter page introduction refers to a porn site.

"Her" tweets are ok.

Himself said...

I didn't actually notice that at the time.

Honest.

Tits oot for lads!

Anonymous said...

http://www.wnd.com/2012/11/petraeuss-gmail-account-a-national-security-issue/?cat_orig=us

Himself said...

Tweeted, thanks.