Eight security tips from the HBGary Hack

Intimate details of the HBGary hack attack are now available, and they teach many lessons about how to protect your systems.

Thanks to Ars Technica and H-online.com, we now have intimate details of the Anonymous attack against security research company HBGary. There are no surprises in how the attacks were carried out, but we can draw many morals from the story, even if we've heard them time and time again.

Here's an executive summary of how the attack was carried out, and how you can defend against the same things happening to your systems.

1. Use Off-the-Shelf Software

HBGary Federal's Website ran a content management system (CMS) that was created especially for the company. There's a debate to be had as to whether off-the-shelf software is more secure than custom-made solutions.

On the one hand, exploits for off-the-shelf solutions are often published far and wide and, in the case of a zero-day exploit, can leave system administrators rushing to fix their systems as quickly as possible.

Commissioning custom software offers security through obscurity -- there isn't a body of knowledge about how to hack the system, and no source code to search through to find vulnerabilities. However, the system will need to be routinely audited for security -- a costly procedure, but utterly necessary.

Had HBGary Federal gone for an off-the-shelf solution, it's arguable the first stage of the attack -- a simple SQL injection -- wouldn't have been possible. Most commercial CMS solutions are security audited at source, to avoid end-users having to do so, and are regularly patched when problems are found.

2. Patch Your Systems Regularly

Had HBGary Federal been using an off-the-shelf CMS, it might still have been vulnerable if the system wasn't regularly patched. So, assuming you're running an off-the-shelf system, patch your systems regularly -- both software and the underlying OS. If you haven't already, buy a support contract to make life significantly easier.

Patching a system can introduce problems, of course, but that's why you should be creating copies of your servers, where you can test the patches before rolling them out to your customer-facing systems. Virtualization offers a perfect method of doing this (especially if your original server runs in a virtualized instance), and you can even make use of cloud virtualization solutions to avoid the hassle of keeping a copy of your server locally.

Should the patch go wrong, virtualization lets you roll back to a working state. What more could you want?

3. Test For Really Obvious Holes

As mentioned, HBGary Federal's Website was hacked using an SQL injection attack (SQL being the language used to query most databases).

SQL injection involves a hacker crafting a URL so that part of it is executed as a query against the database underlying the Website, giving access to data the site never intended to expose. On most Websites this kind of attack is well-known and URLs are 'scrubbed' -- inputs are validated and kept separate from the SQL itself -- to ensure nothing beyond the official and necessary database access can happen. For whatever reason, HBGary Federal's site neglected to do this, and Anonymous was able to retrieve the username and password database from the site.

Wise up on SQL injection techniques and give them a try on your systems (making sure not to use techniques that might involve data loss, of course). You should also learn all about cross-site scripting (XSS) attacks, if you haven't already.
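To make the 'scrubbing' point concrete, here is an added example (not code from the article or from HBGary's CMS) showing a lookup that splices a URL parameter straight into its SQL beside the same lookup using a bound parameter; the table, rows and crafted input are constructed for illustration.

```python
import sqlite3

# Constructed sample data standing in for a CMS user table (not HBGary's schema).
ROWS = [("aaron", "editor"), ("ted", "editor"), ("greg", "admin")]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return con

def lookup_vulnerable(con, name):
    # Vulnerable: the URL parameter is spliced into the SQL text, so a quote
    # in the input closes the string literal and the remainder is parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return con.execute(sql).fetchall()

def lookup_safe(con, name):
    # Hardened: a bound parameter is always treated as data, never as SQL,
    # however many quotes or keywords the input contains.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()

def demo():
    con = make_db()
    # Constructed tautology input: the sort of URL value that scrubbing must neutralise.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(con, crafted),  # every row leaks
        "safe": lookup_safe(con, crafted),              # no user has that literal name
        "normal": lookup_safe(con, "greg"),             # legitimate lookups still work
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```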

4. Store Passwords Securely

With the username database now in their hands, Anonymous set about cracking it. They could have hit a brick wall but, again, poor security procedures made life easy for them. The HBGary Federal database stored passwords as simple, unsalted MD5 hashes -- a fast hash function that offers little protection for passwords. This allowed Anonymous to use rainbow tables to uncover some passwords. Rainbow tables are 'ready made' databases of prehashed passwords: the stolen hash list is compared against the table until a match is found, revealing the original password.

Hashes can be made stronger by avoiding MD5, which generates short password hashes that are relatively easy to crack and is vulnerable to collision attacks. The government suggests everybody use the SHA-2 family of hashes, such as SHA-256 or SHA-512.

Additionally, or if MD5 just can't be avoided, the password should be iteratively hashed, which is to say the hash is rehashed thousands of times. Known as key stretching or key strengthening, this deliberately slows down hash production, and slows down attackers, who must pay the same cost for every guess, to the point of making brute-force attacks infeasible. Additionally, hashes can be salted, whereby random data is combined with each password before hashing so that identical passwords produce different hashes. This makes rainbow table attacks significantly more difficult, if not impossible.
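An added example (not from the article) contrasting the two storage schemes described above: unsalted MD5, which falls to a precomputed lookup table standing in for a rainbow table, and salted, iterated SHA-256 via PBKDF2. The usernames, passwords and wordlist are constructed for illustration and are not HBGary's real credentials.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users share a weak password on purpose.
USERS = {"aaron": "abcdef12", "ted": "abcdef12", "greg": "Tr0ub4dor&3"}

def md5_store(password):
    # Weak: fast and unsalted, so identical passwords give identical digests
    # and one precomputed table serves against every site that uses it.
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_store(password, iterations=100_000):
    # Stronger: random per-user salt plus iterated SHA-256 (key stretching).
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def pbkdf2_verify(password, stored):
    _, iters, salt_hex, digest_hex = stored.split("$")
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(calc.hex(), digest_hex)

def precomputed_lookup(table, hashes):
    # Stand-in for a rainbow table: a digest -> password dictionary built once.
    return {user: table.get(h) for user, h in hashes.items()}

def demo():
    wordlist = ["password", "abcdef12", "letmein"]      # constructed
    table = {md5_store(w): w for w in wordlist}
    md5_db = {u: md5_store(p) for u, p in USERS.items()}
    pbkdf2_db = {u: pbkdf2_store(p, 1000) for u, p in USERS.items()}
    return {
        "md5_cracked": precomputed_lookup(table, md5_db),     # two of three recovered
        "md5_collide": md5_db["aaron"] == md5_db["ted"],       # same password, same hash
        "pbkdf2_collide": pbkdf2_db["aaron"] == pbkdf2_db["ted"],  # salt breaks that link
        "pbkdf2_verify": pbkdf2_verify("abcdef12", pbkdf2_db["aaron"]),
        "pbkdf2_reject": pbkdf2_verify("wrong", pbkdf2_db["aaron"]),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The iteration count of 1000 keeps the demo quick; in production the `iterations` default (or higher) is the point of the exercise.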

5. Force Users to Create Complex Passwords

Anonymous was able to decode the passwords of two of HBGary's executive staff (Aaron Barr and Ted Vera). The passwords consisted of eight characters -- six lower-case letters and two numbers.

Had HBGary Federal's systems enforced more complicated passwords, it's less likely that Anonymous would have been able to uncover these passwords. Ideally, HBGary Federal's system should have enforced 10- or 12-character passwords, and insisted that lower- and upper-case letters, numbers and symbols appear somewhere in the password.

6. Don't Reuse Passwords

Anonymous now had the username and password details of the executives, and found that the gentlemen concerned had reused the passwords in lots of other places: e-mail accounts, Twitter and a support server, in particular. Thus, Anonymous was able to access their e-mail.

The accounts on the support server were only those of ordinary users, but the system wasn't patched against a vulnerability that allowed standard users to escalate their privileges and illicitly gain superuser powers. The flaw was patched in November, but the hack took place three months later in February this year (see above -- regularly patch your systems!).

It might have been the case that HBGary admins thought they could trust their users. However, if that's the case, they obviously didn't anticipate a hack attack delivering users they couldn't trust in the slightest.

7. Delete Sensitive E-mails

One of the executives was the administrator of the entire e-mail system, so Anonymous now had control of all HBGary e-mail accounts. Using this they gained access to the account of another executive (Greg Hoglund), where they found an e-mail containing the root password for the rootkit.com site.

Delete any sensitive e-mails you receive, especially those containing passwords. Yes, it's nice to have this kind of info lingering around in your inbox in case you forget, but that's exactly the kind of laziness that hackers exploit.

8. Educate Against Social Engineering

Anonymous had a root password, but they couldn't access the rootkit.com server because it didn't allow root access from outside of the firewall -- a wise security move. They needed to be able to log in as a standard user and then switch to root once logged in.

To get this, they used Greg Hoglund's e-mail account to make contact with somebody who had root access to the server. In an entertaining e-mail exchange, Anonymous first suggested they had problems logging in to the server, using their acquired knowledge of the root password to give themselves authority and credibility. Following this, they manipulated the root admin into resetting Greg's password and also revealing his username -- the two pieces of information they needed.

It was a classic example of social engineering. Clearly, the root admin shouldn't have sent the password or login name via e-mail, but "Greg" appeared to have started the trend by revealing the root password in his initial e-mail. This is a typical social engineering trick used to inspire confidence in the victim.

There are many books and articles out there on social engineering, and many consultants who will come in to teach staff all about it. Essentially, unless you're face to face with an individual, there's simply no way of knowing if the person you're speaking to is who they say they are.

Keir Thomas has been making known his opinion about computing matters since the last century, and more recently has written several best-selling books. You can learn more about him at http://keirthomas.com. His Twitter feed is @keirthomas.

Keir Thomas

PC World (US online)