Anonymous vs. HBGary


Presentation Transcript


  1. Anonymous vs. HBGary Jared DeMott, Principal Security Researcher, Crucial Security, Inc.

  2. Sample Topology of Computer Crime

  3. A Message to HBGary after Anonymous Hack

  4. Even at the expense of some country laws and possible safety of others?

  5. Anarchy is best?

  6. Mostly DDoS in the Past • Scientology • Censorship • Egypt gov • Big Biz • etc

  7. HBGary Inc. • Greg Hoglund, Founder and CEO • Penny Leavy-Hoglund, President • Products • Responder • Analyze RAM, pagefiles, VMWare images, sort & display images, network links, etc • Digital DNA, Active Defense • Detects malware via in-memory analysis • HBGary Federal • Aaron Barr was the CEO • Site now says, • “hbgaryfederal.com is currently offline. Please try again later”

  8. The Buildup

  9. How did Barr get into this mess? [diagram: numbered steps 1, 1.1, 2, 2.1 leading from “$$ issues!” to “pwned”]

  10. Technical Details • Time for an Injection • http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27 • Got user database • Rainbow tables • Non-iterative, unsalted MD5 == fairly easy to crack • Alas, two HBGary Federal employees—CEO Aaron Barr and COO Ted Vera—used passwords that were very simple; each was just six lower case letters and two numbers • Allowed for hbgaryfederal website defacement
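Slide 10's injection point, as an added example (Python with sqlite3; this is not code from the talk and not the PHP behind hbgaryfederal.com, which the slides do not show). The page table, its rows and the handling of the `page` parameter are constructed assumptions modelled on the pages.php?page=27 URL above: the vulnerable function pastes the parameter into the query text, so an attacker-controlled value is parsed as SQL and unpublished rows leak; the hardened function validates the value as an integer and binds it as a query parameter, so it can never be interpreted as SQL.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a CMS page table (assumption: the real schema is unknown).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", [
        (27, "About Us", 1),
        (28, "Draft: unpublished roadmap", 0),
    ])
    return conn


def page_title_vulnerable(conn, page):
    # Query text assembled by string formatting: whatever arrives in ?page=... becomes SQL.
    # "AND" binds tighter than "OR", so a value of "27 OR 1=1" makes the published filter moot.
    sql = f"SELECT title FROM pages WHERE published = 1 AND id = {page} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def page_title_safe(conn, page):
    # Input validation first: a page id must be an integer, anything else is rejected outright.
    try:
        page_id = int(page)
    except (TypeError, ValueError):
        return []
    # Parameterised query: the value travels separately from the SQL text and is never parsed.
    rows = conn.execute(
        "SELECT title FROM pages WHERE published = 1 AND id = ? ORDER BY id", (page_id,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(page_title_vulnerable(db, "27"))          # ['About Us']
    print(page_title_vulnerable(db, "27 OR 1=1"))   # leaks the unpublished row too
    print(page_title_safe(db, "27 OR 1=1"))         # [] : rejected before it reaches SQL
```

The same `27 OR 1=1` value is the difference between the two: against the formatted query it returns both rows, against the validated, parameterised query it returns nothing.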

  11. Technical Details • Password Reuse • Ted’s was good on a HBGary Linux box, support.hbgary.com • Privilege Escalation • Months old bug, with public exploit available • Stealing of data, and “sharing” with the world • Makes me wonder what they found, but didn’t share....

  12. Technical Details • Using Google Apps for email • Aaron’s reused password led to access to his company email, but he was also an admin, FTW • Reset Greg’s password to get his email too • Found info about rootkit.com • Social Engineering to pwn rootkit.com • Knew a couple things (actually just one, lolz) • The root password to the machine running Greg's rootkit.com site was either "88j4bb3rw0cky88" or "88Scr3am3r88" (so they thought) • Jussi Jaakonaho, Chief Security Specialist at Nokia, had root access

  13. Social Engineering: “Greg” and Jussi
  “Greg”: Subject: need to ssh into rootkit. imin europe and need to ssh into the server. can you drop open up firewall and allow ssh through port 59022 or something vague? and is our root password still 88j4bb3rw0cky88 or did we change to 88Scr3am3r88 ? thanks
  Jussi: hi, do you have public ip? or should i just drop fw? and it is w0cky - tho no remote root access allowed

  14. Social Engineering: “Greg” and Jussi
  “Greg”: no i dont have the public ip with me at the moment because im ready for a small meeting and im in a rush. if anything just reset my password to changeme123 and give me public ip and ill ssh in and reset my pw.
  Jussi: k, it should now accept from anywhere to 47152 as ssh. i am doing testing so that it works for sure. your password is changeme123 i am online so just shoot me if you need something. in europe, but not in finland? :-) _jussi

  15. Social Engineering: “Greg” and Jussi
  Jussi: does it work now?
  “Greg”: if i can squeeze out time maybe we can catch up.. ill be in germany for a little bit. anyway I can't ssh into rootkit. you sure the ips still 65.74.181.141?

  16. Social Engineering: “Greg” and Jussi
  Jussi: nope. your account is named as hoglund (later on…) did you open something running on high port? did you reset the user greg or?
  “Greg”: yup im logged in thanks ill email you in a few, im backed up thanks

  17. Actual Emails • http://hbgary.anonleaks.ch/

  18. Actual Documents • http://publicintelligence.net/tag/hbgary/

  19. Fallout Will Anonymous be held responsible for what they did? March 1, 2011: 17 members of the United States Congress called for a congressional investigation for possible violation of federal law by Hunton & Williams and "Team Themis"

  20. On Oct. 3, 2010, HBGary CEO Greg Hoglund told Aaron that “we should have a pow-wow about the future of HBGary Federal. [HBGary President] Penny and I both agree that it hasn’t really been a success… You guys are basically out of money and none of the work you had planned has come in.” April 1st, 2011 Defcon CTF Organizers: “HBGary is awarded contract to clean CTF sheep stalls!”

  21. Damage to others? • HBGary • Hunton & Williams? • Kevin Zeese, a lawyer with the NGOs VelvetRevolution.us and StopTheChamber.com, filed a complaint with the Washington, D.C. Bar Association earlier this week against John Woods, Richard Wyatt Jr., and Robert Quackenboss • Palantir? • "I have directed the company to sever any and all contacts with HB Gary," said the CEO of Palantir • Berico Technologies? • "We find such actions reprehensible and are deeply committed to partnering with the best companies in our industry that share our core values. Therefore, we have discontinued all ties with HBGary Federal." • Maybe a bit to other DoD contractors? • Endgames, SRA, ManTech, GD, BAH, Symantec, QinetiQ …

  22. Comedy • http://www.colbertnation.com/the-colbert-report-videos/375428/february-24-2011/corporate-hacker-tries-to-take-down-wikileaks

  23. Technical Lessons Learned • Don’t have SQL injections in your websites • Use strong passwords • 14 chars with a mix of upper, lower, numbers • “MyTruckisC00l!!” • Or sentence-style passwords for long passwords • “my super duper extra secretive password” • Public key crypto on ssh • 2-factor authentication • A good option to help with weak or lost passwords • Social Engineering Training • Patch systems very regularly • Email Encryption • Shorter-term storage of email as well
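Two points from the talk in one added example, not code from the presentation or from HBGary: slide 10's observation that a non-iterative, unsalted MD5 store is fairly easy to crack, and slide 23's advice on password length and character mix. The candidate passwords and the small lookup table are constructed here and are not the real HBGary ones (they only follow the six-lowercase-plus-two-digit shape the talk describes); the storage format string for the salted hash is this example's own convention. An unsalted digest is the same everywhere the same password is used, so one precomputed table answers for every site; a per-user salt and an iterated KDF (PBKDF2-HMAC-SHA256 here, from the standard library) make the table useless and each guess expensive. The keyspace helpers show why the talk's 14-character recommendation matters.

```python
import hashlib
import math
import secrets

# Constructed sample passwords in the six-lowercase-plus-two-digit pattern (not the real ones).
WEAK_CANDIDATES = ["summer11", "monkey42", "hbgary99", "secret01"]

# A tiny precomputed table of unsalted MD5 digests: the same idea as a rainbow table,
# built once and reusable against any site that stores passwords this way.
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in WEAK_CANDIDATES}


def store_unsalted_md5(password):
    # The weak scheme from slide 10: one fast hash, no salt, no iterations.
    return hashlib.md5(password.encode()).hexdigest()


def lookup_unsalted(digest):
    # Works because identical passwords produce identical digests on every system.
    return MD5_TABLE.get(digest)


def store_salted_pbkdf2(password, iterations=600_000):
    # Per-user random salt plus an iterated KDF; the format "alg$iters$salt$dk" is this example's own.
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted_pbkdf2(password, stored):
    # Recompute with the stored salt and iteration count; compare in constant time.
    _alg, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(dk.hex(), dk_hex)


def keyspace_bits(charset_sizes):
    # Entropy in bits of a password drawn uniformly, one alphabet size per position.
    return sum(math.log2(n) for n in charset_sizes)


def pattern_bits_six_lower_two_digits():
    # The pattern slide 10 describes: 26^6 * 10^2 possibilities, about 34.8 bits.
    return keyspace_bits([26] * 6 + [10] * 2)


def pattern_bits_fourteen_mixed():
    # Slide 23's recommendation: 14 characters from upper, lower and digits, about 83.4 bits.
    return keyspace_bits([62] * 14)


if __name__ == "__main__":
    digest = store_unsalted_md5("monkey42")
    print("unsalted MD5 table hit:", lookup_unsalted(digest))
    rec = store_salted_pbkdf2("monkey42")
    print("two stores of the same password differ:", rec != store_salted_pbkdf2("monkey42"))
    print("verify:", verify_salted_pbkdf2("monkey42", rec))
    print(f"6 lower + 2 digits: {pattern_bits_six_lower_two_digits():.1f} bits")
    print(f"14 mixed chars:     {pattern_bits_fourteen_mixed():.1f} bits")
```

The two numbers from the keyspace helpers are the point: the pattern the two executives used is about 35 bits of search, the 14-character mix the talk recommends is about 83 bits, and with salting and iteration in place, that search has to be repeated per user at a cost of hundreds of thousands of hash operations per guess.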

  24. Moral Questions • I think work should be more than $$ • I doubt Mr. Barr started with this in mind… • People need the right to free press • But where is that line when dealing with stolen documents? • Should HBGary competitors study the stolen proposals and other documents? • What about studying the emails … they’re public now? • Do two wrongs make a right?
