Did anonymous make that security firm (HBGary) look stupid?

From what I understand, HBGary is a security firm that seems to specialise in internet security.
Long story short: someone at HBGary said they knew who the “leaders” of anonymous are. 2 hours later anonymous wrecked HBGary’s website. Apparently they exposed internal documents and I saw something about porn pictures etc…

Does this mean that anonymous are a bunch of internet geniuses?
Does this mean that HBGary cannot even protect themselves so they cannot advise you on how to protect yourself?
Is it possible that HBGary allowed their security to be penetrated to gain some sort of intelligence against anonymous?

I guess no-one finds this interesting but me.
Just in case there are any security experts willing to answer, bump.

For one thing, without capitalizing Anonymous, it took me a bit to figure out what you were talking about.

For another: Anonymous don’t work like that. They wouldn’t get any info on the organization, just the individuals who broke the security. The whole point is to keep people from being blamed. AFAIK, there isn’t even really a head. It’s much more hodgepodge than that.

Plus, Anonymous use botnets, proxies, Wi-fi access points, etc, to keep people from identifying even the individuals. They know pretty much every identity hiding trick in the book, probably some that I’m unaware of.

I think it quite unlikely that HBGary could have done anything on purpose. They just taunted the group, so the group flexed their muscle. If HBGary had anything on Anonymous either before or after the attack, they would be giving it out now. Instead they are just trying to save face.

Finally, Anonymous are powerful enough that several boards forbid talking about them, for fear of an attack. It wouldn’t surprise me if some people are afraid to even talk about them. They put new malware writers to shame in how well they can break stuff.

The only way I would ever believe that Anonymous could be taken down is when I see it.

I find it fascinating. There really is a completely different world out there that we created, and this is the first war in it. Security firms never ‘allow’ anyone to compromise their data, it’s too risky. They definitely got a black eye because of some Anonymous upstarts. Personally, I liked the attacks they did on Scientology, and on the RIAA. I think the things they do can be cruel and heartless, but then sometimes they do actual good. Here’s more about what happened to HBGary (which is a stupid name for a security company, IMO).

Anonymous isn’t really some kind of organization. By its very nature it has no substance. A poor real world analogy would be like the insurgents in the wars the US is fighting. Anonymous can be anyone, the old man on the corner, the 18 year old girl working the fast food counter, the businessman in a $1200 suit. Anyone who frequents the 4chan boards can be a part of it, or not.

Here’s a good article on what Anonymous is all about.

Idiocy. The whole idea of Anonymous is that there are no actual leaders, no structure, just the end result of medium-to-large-scale mass movement. Like a sit-in at a lunch counter, it only works when large groups join in.

Mostly, they revealed multiple gigabytes of emails. Internal emails with embarrassing stuff, sure, but I’ve not heard anything about porn.

‘Genius’ is such a loaded term, and people toss it around so much when someone does anything they can’t understand. They just know Fudd’s First Law of Opposition: “If you push something hard enough, it will fall over.” A large number of websites aren’t coded that well, and will collapse if you push the right things hard enough. Anonymous pushed, and it fell over.

Most likely.

Who knows? This sounds like a fairly bizarre plot, but odd things have happened.

What I find amazing is that they can do this to a firm that markets itself as an internet security expert.
So did they manage this because HBGary is not as good as they would like people to believe?
Or is it possible for them to do this to any website?
Does anyone know how they managed it with HBGary?

EDIT: posted before Derleth who answered most of my questions.

I should emphasize that “kill website, receive private emails” only works when the person responsible for the website and email storage is a moron: A security firm especially should have had a better-coded website, to begin with, and definitely should have been storing their emails on a different machine that you couldn’t access from the machine hosting the website.

made me think of this comic

Nope, not even close. We know the Americans claimed to have done a damn-damn on the Iraqi air defense network with a computer virus. This computer attack (nation on nation) was so conventional (unhip and square) as to be forgotten.

Then we had what seems to have been a war waged by Russia by proxies on Lithuania. (Latvia?) Faceless attack on a nation.

Then of course there is the suspected Israeli attack on the Iranian nuclear refining process. A remarkable attack in that it was backed up by special operations attacks on key people who blew up in downtown traffic. Brains + brawn.

The Chinese are almost certainly waging war against a number of countries, but there is no publicly-known proof of that. The behavior of some Wall Street systems is spooky as heck.

Anonymous is waging something like a series of vendettas, or perhaps irregular warfare.

In any case, war in the cyber-sphere has been going on for long enough now that we can begin to see patterns and will soon need a first history to be written.

This article has a brief description of how the attack on HBGary was carried out. (Note: they don’t cite a source for their information, and I can’t find any other sources to confirm their version of events. However, it sounds completely plausible).

The key part is this:

It sounds like HBGary purchased a web-based application – or outsourced the development of one – and installed it on their site. That application was vulnerable to SQL injection. The fact that the application was vulnerable to SQL injection was probably not HBGary’s fault entirely, but if they’re setting themselves up as security experts, they should have tested the application for this and other vulnerabilities before going live. If your whole line of business is security, there’s really no excuse for standing up an application that is susceptible to SQL Injection. They should have done better.

Once the attacker(s) exploited the SQL vulnerability, they were able to get some passwords. The article isn’t clear on whether the attackers got database passwords, server passwords, or what, but the fact that they were able to harvest passwords at all probably suggests that the installation of the database was not done very well. HBGary was probably letting the database store passwords in clear text (which some databases do by default), or it had set the database’s service account to run with system privileges, or something like that. Those are obvious missteps they should have avoided.

Then, apparently, the attackers got into the email account of the co-founder of HBGary, Greg Hoglund. It looks like HBGary had its email hosted by Gmail, so the mail system was available anywhere on the internet. Once the attacker got Hoglund’s password from the database server, it was a simple matter to get into his email account – because he used the same password for his website admin account and his email account. This is another no-no, but one that many many people do. But again, especially if you’re setting yourself up as a security company, you should use different passwords for administrative tasks and your day-to-day work. This is the third dumb mistake on HBGary’s part.

Anyway, once the bad guy got into Hoglund’s email, he was able to impersonate Hoglund and convince the administrator of another HBGary network to reset Hoglund’s password. This sounds like they didn’t have a good process for resetting passwords. The guy who fell for the “password reset” trick should probably be slapped, but if the company didn’t have an established process for verifying people’s identities when they request password resets, the network administrator is in a tough spot when he gets an email apparently from the co-founder, asking for a new password.

So…bottom line for me… HBGary made a lot of mistakes they should have known to avoid. Especially if you’re going to pick a fight with a bunch of people who know what they’re doing, you have to have your shit in order. Based on the linked article, nothing that Anonymous did appears to be all that exotic or impressive. They made good use of a range of well-known attack techniques against a target that brought a knife to a gun fight.

To answer Saffer’s question, “Or is it possible for them to do this to any website?” I think the short answer is “probably so.” I think the great majority of websites, networks, etc., can eventually be breached by a skilled and determined attacker. If someone with enough determination and time wants to get in, they’re probably going to get in eventually. If all the technical tricks at their disposal fail, they can always try “social engineering” – find someone on the inside who will fall for a con trick and let you in. In any organization of more than a few people, social engineering will almost always work.

A big part of information security is the use of delaying strategies. You want your system to be hard enough to break into that the attacker loses interest and moves on to someone else. “You don’t want to be the slowest Boy Scout running away from the bear.” HBGary looks like a particularly slow Boy Scout who decided to poke his head into a whole herd of bears.

For some random company, this would be a little embarrassing but not particularly surprising (although probably a big economic hit).

For an internet security company faced with what was probably the most predictably timed hack in history? I’m not an expert but I’m not really seeing how people could take them seriously after this.

From other reports it does sound like they were way out of their depth, and possibly lying about the quality of the information they had and their “cooperation” with the FBI. Given that said information was a bunch of names that they were associating with criminal activity I’m not sure that they are going to get much sympathy over that either.

Anyone know anything about the company? I can’t find much info about them that isn’t related to this story so maybe they were just the naive new start up who picked a really dumb way to try and stir up some press attention.

You want to know how Anonymous works? There’s a bunch of people in the world with essentially no connection to each other who all try to attack computers. Whenever one of them succeeds, presto, that was Anonymous. When (as is much more common) one of them (even one who succeeded before) fails, well, nobody hears about that. So Anonymous will never fail, by definition. But they’re not only not an organization, they’re not even a well-defined entity at all.

IANAHG

Exactly. They would be connected only by the fact that they share what has worked. So when one succeeded in the SQL penetration, a select group received and spread that information. There were probably then hundreds of people working on various guesses and starting points, trying to spread the damage as far and deep into the system as possible.

Those who succeeded will receive only one reward: The respect of their fellows. Next time, they’ll be among the first to get the penetration info.

Many among them have probably been quietly hacking systems and leaving themselves an entry point for years. Whenever the group wants to target a particular company/person/group, they’ll put the word out and see who has an “in.”

The question is how do they communicate?* If you can draw them out, as in Saffer’s final query, it is just possible that you might trace back a little further each time. T’were I chasing these guys, I’d get the cooperation of a few high-profile companies/people to serially taunt them. Then I’d have a loosely organized group of law-enforcement agencies and security firms watching net traffic and attempting traces.

Note that my technical knowledge is quite low, I am thinking purely in terms of strategy. I do know enough about the US enforcement community to say that this is exactly the type of cooperation they fail miserably in every time. Whoever thought inserting Tom Ridge into the picture would fix that was nucking futs.

Re: Genius I think it’s safe to say that this is the type of activity which would be very attractive to geniuses in general, and especially geniuses who have come up through the US school system. I also think anyone who was just average but highly dedicated, could build up a store of "in"s and make themselves quite useful at a strategic moment.

I worked with some hacker geniuses way back when, and they were a surprisingly diverse bunch. The only thing they all shared was a dedication to cotton-only clothing.

*I’m guessing they hide like leaves in the woods. Send out a spam to 35,000 people, with the necessary info to find the discussion hidden somewhere in the text.

90% of success is salesmanship, not ability. I have run across quite a few companies, from little 1-man startups all the way up, where the person who started it and calls the shots is nowhere near as tech-savvy as you would expect someone in the business to be. Either their work quality is crap, or more likely, they find employees of variable quality that produce passable results. Especially in the late 1990’s, it was easy for a company (or an employee) to coast from contract to contract and by the time the employer figured out they were not getting the expected results, the perp had made their wad of cash and moved on.

Right now their site is Wordpress. You can tell just by looking at the source. I wonder if that’s what their hacked site was, or if they just threw this up in the interim. If their original site was Wordpress, then shame on them. I’m sure whoever hacked them simply got ahold of their Wordpress user data, and the head guy’s Gmail address was his login, and his password was the same as his Gmail password.

I totally don’t trust a custom Wordpress installation on a site (see here) and I wouldn’t trust those folks with my site’s security if this is how they roll.

Bayard, you just warmed the cockles of my InfoSec geek heart. Amen to all that you wrote.

SQL injection vulnerabilities (for a security company, especially) are inexcusable, easily tested for, and easily remediated. Hell, SQL isn’t exactly a new thing… and we’ve known about crap like dropping tables for 20+ years.

Sadly… many of my past clients and employers were huge fail whales in this and similar regards.
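The two defects the posts above name (a login query built by pasting user input into SQL, and passwords kept in clear text in the database) beside their fixes: parameter binding and a salted PBKDF2 hash. This is an added example for illustration, not code from the thread or from HBGary’s site; the table layout, user name and password are constructed.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample credential; not HBGary's real schema, user or password.
USER, PASSWORD = "admin", "correct horse"

def setup_vulnerable():
    """Clear-text password column: any database dump hands out reusable passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (USER, PASSWORD))
    return conn

def login_vulnerable(conn, name, password):
    # Input is spliced into the SQL text, so a quote character in the input
    # changes the structure of the query instead of being compared as data.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None

def pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def setup_hardened():
    """Salted slow hash instead of clear text; a dump yields nothing directly reusable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (USER, salt, pbkdf2(PASSWORD, salt)))
    return conn

def login_hardened(conn, name, password):
    # Parameter binding: the driver passes the value separately from the SQL text,
    # so it is never parsed as SQL, whatever characters it contains.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, pbkdf2(password, salt))

# Textbook test input used by scanners: a stray quote plus an always-true clause.
TAUTOLOGY = "' OR '1'='1"

def demo():
    vuln, hard = setup_vulnerable(), setup_hardened()
    return {
        "vuln_real": login_vulnerable(vuln, USER, PASSWORD),          # True
        "vuln_tautology": login_vulnerable(vuln, TAUTOLOGY, TAUTOLOGY),  # True: check bypassed
        "hard_real": login_hardened(hard, USER, PASSWORD),             # True
        "hard_tautology": login_hardened(hard, TAUTOLOGY, TAUTOLOGY),  # False: treated as data
    }
```

Running `demo()` is the kind of quick test GiantRat means: the same input that slips past the concatenated query is just an unknown user name to the bound one.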

Thanks, GiantRat. I’m an InfoSec guy by profession too. I love what I do, but sometimes I just want to clout my coworkers over the head.

Quoth TruCelt:

What makes you think they do? Oh, the general principles, they share, but there’s no need to do that clandestinely: You can look it all up on Google. But no particular coordination is required to do something like the OP is describing.

Well, maybe some members of Anonymous can do those things. But they released the LOIC (Low Orbit Ion Cannon) DDOS tool, which does none of those things. Anyone who used it during the Wikileaks-triggered attacks (Operation Payback) on Visa, Amazon, etc was capable of being identified and a number of people in the UK and US have been arrested and charged. They also rely on co-operative DDOS attacks, but do not have anywhere near the coordinated capacity to hurt a big internet site (you need a coordinated botnet strike with hundreds of thousands of nodes to do any real damage these days).

Si

Great new Wired article about the saga here. Many more details about the CEO guy who decided to stir up the Anon hornets’ nest in the first place and how he got royally owned.