From what I understand, HBGary is security firm that seems to specialise in internet security.
Long story short: someone at HBGary said they knew who the "leaders" of anonymous are. 2 hours later anonymous wrecked HBGary's website. Apparently they exposed internal documents and I saw something about porn pictures etc...

Does this mean that anonymous are a bunch of internet geniuses?
Does this mean that HBGary cannot even protect themselves so they cannot advise you on how to protect yourself?
Is it possible that HBGary allowed their security to be penetrated to gain some sort of intelligence against anonymous?

I guess no-one finds this interesting but me.
Just incase there are any security experts willing to answer, bump.

For one thing, without capitalizing Anonymous, it took me a bit to figure out what you were talking about.

For another: Anonymous don't work like that. They wouldn't get any info on the organization, just the individuals who broke the security. The whole point is to keep people from being blamed. AFAIK, there isn't even really a head. It's much more hodgepodge than that.

Plus, Anonymous use botnets, proxies, Wi-fi access points, etc, to keep people from identifying even the individuals. They know pretty much every identity hiding trick in the book, probably some that I'm unaware of.

I think it quite unlikely that HBGary could have done anything on purpose. They just taunted the group, so the group flexed their muscle. If HBGary had anything on Anonymous either before or after the attack, they would be giving it out now. Instead they are just trying to save face.

Finally, Anonymous are powerful enough that several boards forbid talking about them, for fear of an attack. It wouldn't surprise me if some people are afraid to even talk about them. They put new malware writers to shame in how well they can break stuff.

The only way I would ever believe that Anonymous could be taken down is when I see it.

I find it fascinating. There really is a completely different world out there that we created, and this is the first war in it. Security firms never 'allow' anyone to compromise their data, it's too risky. They definitely got a black eye because of some Anonymous upstarts. Personally, I liked the attacks they did on Scientology, and on the RIAA. I think the things they do can be cruel and heartless, but then sometimes they do actual good. Here's more about what happened to HBGary (http://www.readwriteweb.com/archives/anonymous_hacks_security_company_hbgary_dumps_5000.php)(which is a stupid name for a security company, IMO).

Anonymous isn't really some kind of organization. By it's very nature it has no substance. A poor real world analogy would be like the insurgents in the wars the US is fighting. Anonymous can be anyone, the old man on the corner, the 18 year old girl working the fast food counter, the businessman in a $1200 suit. Anyone who frequents the 4chan boards can be a part of it, or not.

Here's a good article on what Anonymous (http://www.yalelawtech.org/anonymity-online-identity/we-are-anonymous-we-are-legion/) is all about.

From what I understand, HBGary is security firm that seems to specialise in internet security.
Long story short: someone at HBGary said they knew who the "leaders" of anonymous are.Idiocy. The whole idea of Anonymous is that there are no actual leaders, no structure, just the end result of medium-to-large-scale mass movement. Like a sit-in at a lunch counter, it only works when large groups join in.

2 hours later anonymous wrecked HBGary's website. Apparently they exposed internal documents and I saw something about porn pictures etc...Mostly, they revealed multiple gigabytes of emails. Internal emails with embarrassing stuff, sure, but I've not heard anything about porn.

Does this mean that anonymous are a bunch of internet geniuses?'Genius' is such a loaded term, and people toss it around so much when someone does anything they can't understand. They just know Fudd's First Law of Opposition (http://everything2.com/title/Fudd%2527s+First+Law+of+Opposition): "If you push something hard enough, it will fall over." A large number of websites aren't coded that well, and will collapse if you push the right things hard enough. Anonymous pushed, and it fell over.

Does this mean that HBGary cannot even protect themselves so they cannot advise you on how to protect yourself?Most likely.

Is it possible that HBGary allowed their security to be penetrated to gain some sort of intelligence against anonymous?Who knows? This sounds like a fairly bizarre plot, but odd things have happened.

What I find amazing is that they can do this to a firm that markets itself as an internet security expert.
So did they manage this because HBGary is not as good as they would like people to believe?
Or is it possible for them to do this to any website?
Does anyone know how they managed it with HBGary?

EDIT: posted before Derleth who anwered most of my questions.

I should emphasize that "kill website, receive private emails" only works when the person responsible for the website and email storage is a moron: A security firm especially should have had a better-coded website, to begin with, and definitely should have been storing their emails on a different machine that you couldn't access from the machine hosting the website.

made me think of this comic (http://xkcd.com/834/)

I find it fascinating. There really is a completely different world out there that we created, and this is the first war in it.

Nope, not even close. We know the Americans claimed to have done a damn-damn on the Iraqi air defense network with a computer virus. This computer attack (nation on nation) was so conventional (unhip and square) as to be forgotten.

Then we had what seems to have been a war waged by Russia by proxies on Lithuania. (Latvia?) Faceless attack on a nation.

Then of course there is the suspected Israeli attack on the Iranian nuclear refining process. A remarkable attack in that it was backed up by special operations attacks on key people who blew up in downtown traffic. Brains + brawn.

The Chinese are almost certainly waging war against a number of countries, but there is no publiclly-known proof of that. The behavior of some Wall Street systems is spooky as heck.

Anonymous is waging something like a series of vendettas, or perhaps irregular warfare.

In any case, war in the cyber-sphere has been going on for long enough now that we can begin to see patterns and will soon need a first history to be written.

This article (http://www.thetechherald.com/article.php/201106/6785/Report-HBGary-used-as-an-object-lesson-by-Anonymous) has a brief description of how the attack on HBGary was carried out. (Note: they don't cite a source for their information, and I can't find any other sources to confirm their version of events. However, it sounds completely plausible).

The key part is this:

The attack against HBGary is a classic example of leverage. It started with an SQL Injection attack on hbgary.com. From there, Anonymous discovered and cracked the passwords used on the site. As it turns out, many of these passwords were used on GMail. Access to GMail, along with the use of shared passwords, led to the compromise Barr’s Twitter and LinkedIn accounts.

HBGary fired the company responsible for the flawed code that led to the SQL Injection attack.

While this was happening, Anonymous gained access to the email password used by Greg Hoglund, the co-founder of HBGary, and part owner of the Federal subsidiary run by Barr. With his account under their control, they sent an email to the admin of rootkit.com asking for the firewall to be opened and Hoglund’s password reset to “changeme123”.

It sounds like HBGary purchased a web-based application -- or outsourced the development of one -- and installed it on their site. That application was vulnerable to SQL injection (http://en.wikipedia.org/wiki/SQL_injection). The fact that the application was vulnerable to SQL injection was probably not HBGary's fault entirely, but if they're setting themselves up as security experts, they should have tested the application for this and other vulnerabilities before going live. If your whole line of business is security, there's really no excuse for standing up an application that is susceptible to SQL Injection. They should have done better.

Once the attacker(s) exploited the SQL vulnerability, they were able to get some passwords. The article isn't clear on whether the attackers got database passwords, server passwords, or what, but the fact that they were able to harvest passwords at all probably suggests that the installation of the database was not done very well. HBGary was probably letting the database store passwords in clear text (which some databases do by default), or it had set the database's service account to run with system privileges, or something like that. Those are obvious missteps they should have avoided.

Then, apparently, the attackers got into the email account of the co-founder of HBGary, Greg Hoglund. It looks like HBGary had its email hosted by Gmail, so the mail system was available anywhere on the internet. Once the attacker got Hoglund's password from the database server, it was a simple matter to get into his email account -- because he used the same password for his website admin account and his email account. This is another no-no, but one that many many people do. But again, especially if you're setting yourself up as a security company, you should use different passwords for administrative tasks and your day-to-day work. This is the third dumb mistake on HBGary's part.

Anyway, once the bad guy got into Hoglund's email, he was able to impersonate Hoglund and convince the adminsitrator of another HBGary network to reset Hoglund's password. This sounds like they didn't have a good process for resetting passwords. The guy who fell for the "password reset" trick should probably be slapped, but if the company didn't have an established process for verifying people's identities when they request password resets, the network administrator is in a tough spot when he gets an email apparently from the co-founder, asking for a new password.

So...bottom line for me... HBGary made a lot of mistakes they should have known to avoid. Especially if you're going to pick a fight with a bunch of people who know what they're doing, you have to have your shit in order. Based on the linked article, nothing that Anonymous did appears to be all that exotic or impressive. They made good use of a range of well-known attack techniques against a target that brought a knife to a gun fight.

To answer Saffer's question, "Or is it possible for them to do this to any website?" I think the short answer is "probably so." I think the great majority of websites, networks, etc., can eventually be breached by a skilled and determined attacker. If someone with enough determination and time wants to get in, they're probably going to get in eventually. If all the technical tricks at their disposal fail, they can always try "social engineering" -- find someone on the inside who will fall for a con trick and let you in. In any organization of more than a few people, social engineering will almost always work.

A big part of information security is the use of delaying strategies. You want your system to be hard enough to break into that the attacker loses interest and moves on to someone else. "You don't want to be the slowest Boy Scout running away from the bear." HBGary looks like a particularly slow Boy Scout who decided to poke his head into a whole heard of bears.

For some random company, this would be a little embarrassing but not particularly surprising (although probably a big economic hit).

For an internet security company faced with what was probably the most predictably timed hack in history? I'm not an expert but I'm not really seeing how people could take them seriously after this.

From other reports it does sound like they were way out of their depth, and possibly lying about the quality of the information they had and their "cooperation" with the FBI. Given that said information was a bunch of names that they were associating with criminal activity I'm not sure that they are going to get much sympathy over that either.

Anyone know anything about the company? I can't find much info about them that isn't related to this story so maybe they were just the naive new start up who picked a really dumb way to try and stir up some press attention.

You want to know how Anonymous works? There's a bunch of people in the world with essentially no connection to each other who all try to attack computers. Whenever one of them succeeds, presto, that was Anonymous. When (as is much more common) one of them (even one who succeeded before) fails, well, nobody hears about that. So Anonymous will never fail, by definition. But they're not only not an organization, they're not even a well-defined entity at all.

You want to know how Anonymous works? There's a bunch of people in the world with essentially no connection to each other who all try to attack computers. Whenever one of them succeeds, presto, that was Anonymous. When (as is much more common) one of them (even one who succeeded before) fails, well, nobody hears about that. So Anonymous will never fail, by definition. But they're not only not an organization, they're not even a well-defined entity at all.

IANAHG


Exactly. They would be connected only by the fact that they share what has worked. So when one succeeded in the SQL penetration, a select group received and spread that information. There were probably then hundreds of people working on various guesses and starting points, trying to spread the damage as far and deep into the system as possible.

Those who succeeded will recive only one reward: The respect of their fellows. Next time, they'll be among the first to get the penetration info.

Many among them have probably been quietly hacking systems and leaving themselves an entry point for years. Whenever the group wants to target a particular company/person/group, they'll put the word out and see who has an "in."

The question is how do they communicate?* If you can draw them out, as in Saffer's final query, it is just possible that you might trace back a little further each time. T'were I chasing these guys, I'd get the cooperation of a few high-profile companies/people to serially taunt them. Then I'd have a loosely organized group of law-enforcement agencies and security firms watching net traffic and attempting traces.

Note that my technical knowledge is quite low, I am thinking purely in terms of strategy. I do know enough about the US enforcement community to say that this is exactly the type of cooperation they fail miserably in every time. Whoever thought inserting Tom Ridge into the picture would fix that was nucking futs.

Re: Genius I think it's safe to say that this is the type of activity which would be very attractive to geniuses in general, and especially geniuses who have come up through the US school system. I also think anyone who was just average but highly dedicated, could build up a store of "in"s and make themselves quite useful at a strategic moment.

I worked with some hacker geniuses way back when, and they were a surprisingly diverse bunch. The only thing they all shared was a dedication to cotton-only clothing.

*I'm guessing they hide like leaves in the woods. Send out a spam to 35,000 people, with the necessary info to find the discussion hidden somewhere in the text.

90% of success is salesmanship, not ability. I have run across quite a few companies, from little 1-man startups all the way up, where the person who started it and calls the shots is nowhere near as tech-savvy as you would expect someone in the business to be. Either their work quality is crap, or more likely, they find employees of variable quality that produce passable results. Especially in the late 1990's, it was easy for a company (or an employee) to coast from contract to contract and by the time the employer figured out they were not getting the expected results, the perp had made their wad of cash and moved on.

It sounds like HBGary purchased a web-based application -- or outsourced the development of one -- and installed it on their site. That application was vulnerable to SQL injection (http://en.wikipedia.org/wiki/SQL_injection). The fact that the application was vulnerable to SQL injection was probably not HBGary's fault entirely, but if they're setting themselves up as security experts, they should have tested the application for this and other vulnerabilities before going live. If your whole line of business is security, there's really no excuse for standing up an application that is susceptible to SQL Injection. They should have done better.

Once the attacker(s) exploited the SQL vulnerability, they were able to get some passwords. The article isn't clear on whether the attackers got database passwords, server passwords, or what, but the fact that they were able to harvest passwords at all probably suggests that the installation of the database was not done very well. HBGary was probably letting the database store passwords in clear text (which some databases do by default), or it had set the database's service account to run with system privileges, or something like that. Those are obvious missteps they should have avoided.

Right now their site is Wordpress. You can tell just by looking at the source. I wonder if that's what their hacked site was, or if they just threw this up in the interim. If their original site was Wordpress, then shame on them. I'm sure whoever hacked them simply got ahold of their Wordpress user data, and the head guy's Gmail address was his login, and his password was the same as his Gmail password.

I totally don't trust a custom Wordpress installation on a site (see here (http://boards.straightdope.com/sdmb/showthread.php?t=596342)) and I wouldn't trust those folks with my site's security if this is how they roll.

[B]Bayard[B], you just warmed the cockles of my InfoSec geek heart. Amen to all that you wrote.

SQL injection vulnerabilities (for a security company, especially) are inexcusable, easily tested for, and easily remediated. Hell, SQL isn't exactly a new thing... and we've known about crap like dropping tables for 20+ years.

Sadly... many of my past clients and employers were huge fail whales in this and similar regards.

Thanks, GiantRat. I'm an InfoSec guy by profession too. I love what I do, but sometimes I just want to clout my coworkers over the head.

Quoth TruCelt:
The question is how do they communicate?* What makes you think they do? Oh, the general principles, they share, but there's no need to do that clandestinely: You can look it all up on Google. But no particular coordination is required to do something like the OP is describing.

Plus, Anonymous use botnets, proxies, Wi-fi access points, etc, to keep people from identifying even the individuals. They know pretty much every identity hiding trick in the book, probably some that I'm unaware of.Well, maybe some members of Anonymous can do those things. But they released the LOIC (http://en.wikipedia.org/wiki/LOIC)(Low Orbit Ion Cannon) DDOS tool, which does none of those things. Anyone who used it during the Wikileaks-triggered attacks (Operation Payback) on Visa, Amazon, etc was capable of being identified and a number of people in the UK and US have been arrested and charged. They also rely on co-operative DDOS attacks, but do not have anywhere near the coordinated capacity to hurt a big internet site (you need a coordinated botnet strike with hundreds of thousands of nodes to do any real damage these days).

Si

Great new Wired article about the saga here (http://www.wired.com/threatlevel/2011/02/anonymous/?utm_source=twitterfeed&utm_medium=twitter). Much more details about the CEO guy who decided to stir up the Anon hornets nest in the first place and how he got royally owned.

Great new Wired article about the saga here (http://www.wired.com/threatlevel/2011/02/anonymous/?utm_source=twitterfeed&utm_medium=twitter). Much more details about the CEO guy who decided to stir up the Anon hornets nest in the first place and how he got royally owned.

That is an awesome article. Thanks! And, I love the professionalism of those emails between the HBGary staff. They just seem like a bunch of unserious, ill-prepared bozos.

Yeah, when I stumbled across that article (before seeing this thread), I thought for sure it was some kind of joke, like it was too good to be true. I'd love to know what's the deal with Barr and his personal coder. I can't imagine saying some of the stuff the coder said to even my lowest level manager, let alone to the CEO of the company. Geez.

His programmer had doubts, saying that the scraping and linking work he was doing was of limited value and had no commercial prospects. As he wrote in an e-mail:
Step 1 : Gather all the data
Step 2 : ???
Step 3 : Profit
But Barr was confident. “I will sell it,” he wrote.


I loved that too. I wish I trusted my employees to be that honest with me.

made me think of this comic (http://xkcd.com/834/)

Heh. In reading above comments about fighting it, I thought of this (http://xkcd.com/591/)one.

Hell, SQL isn't exactly a new thing... and we've known about crap like dropping tables for 20+ years.
...and then there's Little Bobby Tables (http://xkcd.com/327/).

Great new Wired article about the saga here (http://www.wired.com/threatlevel/2011/02/anonymous/?utm_source=twitterfeed&utm_medium=twitter). Much more details about the CEO guy who decided to stir up the Anon hornets nest in the first place and how he got royally owned.
After reading that article, I am reminded of a quote from that famous American Philosopher Harry Callahan (http://www.imdb.com/title/tt0070355/) A mans got to know his limitations!

For anyone who's still interested, this article (http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/) goes into much more detail on how the attack was carried out, step by step. The writer makes the same point that a couple of us in this thread made -- namely, that HBGary made stupid mistakes and should have known better.

The long and the short of it is that they didn't use some kind of super-duper whizz-kid code hacks. They pretty much just exploited the laziness and/or stupidity of HBGary employees who didn't bother to follow proper security protocols.

That "Wired" article is really an Ars Technica article (they're both Conde Nast, so the distinction is a bit muddled, but they've been on the story with more depth). Here's yet another piece (http://arstechnica.com/tech-policy/news/2011/02/virtually-face-to-face-when-aaron-barr-met-anonymous.ars)(older) that gets into the chat log details.

For some reason I keep imagining this guy as Fisher Stevens.

The more I read about this Aaron Barr (the above Wired/ars technica article, also this (http://www.wired.com/threatlevel/2011/02/spy/all/1) one from Wired), the happier I am that he got pwned. After reading the linked Wired article, it seems his big idea was to charge companies $2 million per month to stalk their potential enemies on Facebook. He clearly thought of himself as some kind of super cyber-sleuth, when in reality he was basically using the same tactics used by 16-year-olds to get info on/pictures of their current crush. A favorite tactic of his was to FB-stalk CEOs of potential clients, then shock them with the info he was able to gather. One example in the linked article includes the person's name, where they went to school, that they ran in a particular 5K race, and has a picture of his kids. But it didn't take some $2 million per month super sleuthing outfit working around the clock to get that data; about 20 seconds with Google would probably be plenty.

As others have explained more lengthily, HBGary used a web platform that was easily hackable, and Anonymous was able to hack other stuff involving the same people because they didn't bother using different passwords for other accounts.

I don't think Anonymous is as guerilla and faceless as others suggest though. HBGary claims to have figured out the identities of some of the major players. And personally, I don't doubt that as much. Anonymous is largely based in 4chan, and it's not unreasonable to think that while the mass of A is more or less random, the initiative for projects are on the whole started by a limited subset of that mass.

On top of the fact that, if HBGary hadn't struck a real nerve, why would Anonymous bother with such a retaliation?

For the lulz.

On top of the fact that, if HBGary hadn't struck a real nerve, why would Anonymous bother with such a retaliation?
If HBGary actually had identified the major players behind Anonymous, do you really think they'd fuck with them and take the risk of being exposed?

That "Wired" article is really an Ars Technica article (they're both Conde Nast, so the distinction is a bit muddled, but they've been on the story with more depth). Here's yet another piece (http://arstechnica.com/tech-policy/news/2011/02/virtually-face-to-face-when-aaron-barr-met-anonymous.ars)(older) that gets into the chat log details.

For some reason I keep imagining this guy as Fisher Stevens.

Wow, you want to talk about a dumbass move. Granted the news was already out, via the Financial Times, that Barr was investigating them. But for him to go on to their chat sites, to try to reason with and basically plead for them not to "get too aggressive" was only going to inflame them further and I'm stunned he didn't realize that. I'm not saying the guy deserved to have his privacy invaded, but I can't say feel too sorry for him.

Also, I just love the picture of Aaron Barr (http://www.switched.com/2011/02/11/aaron-barr-infiltrated-anonymous-how-and-why/) that keeps showing up in news stories about this. The man just screams douchebag.

The details may be different, but the basic tactics and techniques Anonymous used are no different than what was going on 15 years ago. Buffer overruns, re-used passwords, social engineering, DDoS, hash table cracking; there's absolutely nothing new, complicated, or fancy here.

I wouldn't think any less of Bob's Pizza Company or Sue's eBay Store for being taken down by this kind of attack, but an IT security company? That's just flat-out pathetic.

On top of the fact that, if HBGary hadn't struck a real nerve, why would Anonymous bother with such a retaliation?

Nerd rage.

Underestimate it at your peril.

Nerd rage.

Underestimate it at your peril.

QFT just for example, if the dopers took on a combined effort to really screw with a company using the kinds of brainpower, time, access, and resources available to us as a group I would be willing to bet we could give decent sized company a bloody nose in some way shape or form.

Well, maybe some members of Anonymous can do those things. But they released the LOIC (http://en.wikipedia.org/wiki/LOIC)(Low Orbit Ion Cannon) DDOS tool, which does none of those things. Anyone who used it during the Wikileaks-triggered attacks (Operation Payback) on Visa, Amazon, etc was capable of being identified and a number of people in the UK and US have been arrested and charged. They also rely on co-operative DDOS attacks, but do not have anywhere near the coordinated capacity to hurt a big internet site (you need a coordinated botnet strike with hundreds of thousands of nodes to do any real damage these days).

Si

The way Anonymous is set up, if one person knows it, then Anonymous knows it. All it takes to be in Anonymous is to hack something that fits into Anonymous's creed, and then say you are in Anonymous. It's that loosely organized.

Yes, that one guy actually did find an IRC that the founder uses, so there is some sort of communication. But the founder is no more the leader than anyone else. He said in that article (or another one I read) that he specifically wanted Anonymous to get out of his control.

That said, I understand what you are getting at. I was over-sensationalizing it. It's a bad habit I picked up a while back. But, still, the good hackers at least know how to execute everything remotely so they won't get caught. It's the noobs that are usually found.

Just saw an interesting article in business week on this whole affair. Worth a read. (http://www.businessweek.com/magazine/content/11_12/b4220066790741.htm)

Then we had what seems to have been a war waged by Russia by proxies on Lithuania. (Latvia?) Faceless attack on a nation.


Estonia, where the Russian minority is mighty unpopular. If I remember correctly it was over the Estonians tearing down an old Soviet statue commemorating Russian fallen during the Great Patriotic War.

I doubt that the Russian state was behind the attack though, several DDOSNets have their origins in the Russian Federation.

I love how it was the DOJ who recommended that Bank of America should hire the law firm that tapped HBGary to engage in cyber shenanigans against Wikileaks and critics of the Chamber of Commerce.

Nuclear death for Washington, D.C.

I love how it was the DOJ who recommended that Bank of America should hire the law firm that tapped HBGary to engage in cyber shenanigans against Wikileaks and critics of the Chamber of Commerce.

Nuclear death for Washington, D.C.

:eek::confused::eek: A little notice, please?!?

Damn interesting stuff. I gotta root for Anonymous on this one. Barr tried to use them to enrich himself and got burned. I hope he never works in cybersecurity again.

The only guy I really feel bad for here is Greg Hoglund. The only thing he was guilty of was having a laughably insecure database.

The full list of (completely fantastic) articles from Ars Technica about this hack can be found here (http://arstechnica.com/tech-policy/news/2011/03/hbgaryanonymous-special-report.ars). (A few of these have already been linked to.)

I believe Stephen Colbert had the best analogy to describe this situation, but I'm not going to find that clip on YouTube while at work. :)

The social engineering is the most dangerous aspect of this. I've been doing temp jobs for three years. I make minimum wage at most of these jobs or around a dollar more.

Yet I have access to data or have easy access to people who have the data. For all the brilliance of hacking it's still easy to simply offer low level employees $50.00 to give you the info.