If you follow security news, then you’ve surely heard about the recent drama between “Anonymous” and the HBGary security firm (more on who Anonymous is below), which took place over the past few weeks. While I’ve personally followed this fiasco with great interest, I’ve avoided commenting about it here, since most of our customers and readers are network administrators who are more concerned with practical business solutions than melodramatic cyber-quarrels. However, recently I read a fantastic article sharing the technical details of the HBGary breach, which I believe is a must-read for any computer security practitioner.
I’ll come back to that article in a minute, but first let me summarize the Anonymous/HBGary saga for those that may not have heard about it (if you have heard about it, feel free to skip to “Learning from Others’ Mistakes”).
I assume most of you are aware of the Wikileaks Cablegate story, since it’s made worldwide news. You know, that incident where Wikileaks — a non-profit organization that shares private or classified information with the press — publicly released some embarrassing U.S. diplomatic cables and royally peeved off the U.S. government. I don’t really want to recap the whole Wikileaks incident. I only bring it up to remind you that some camps oppose Wikileaks’ mission of “outing” sensitive information, while others camps fully endorse it.
Enter the mysterious Internet entity called “Anonymous.”
Who are Anonymous?
If you follow technology news, you’ve probably heard the “Anonymous” name in headlines before. They’re a group attributed for a wide-range of Internet incidents; from attacking Scientology to YouTube porn day (and many in between). However, in my talks with peers, I’ve found that many IT folks don’t really know who or what “Anonymous” is. Some may imagine “Anonymous” as a specific group of attackers, but that’s not really the case. In a nutshell, Anonymous is a random group of users tied strongly with popular image forums, like 4chan.
Occasionally, this group of random anonymous users decides to take on some fight, and loosely organizes what is essentially a virtual flash mob. For example, someone might post that they dislike Scientology, and ask other users to start figuring out ways to mess with Scientology, online. From there, chaos ensues. This means, the “Anonymous” group is not a specific group of people; rather it is a random group of users that happens to rally behind one cause or another; in other words, “hacktivists.”
Over the last few weeks, Wikileaks was one of those causes. I won’t pretend to speak for Anonymous, but I think it’s pretty safe to say that most 4chan users are pro-Wikileaks. Once the U.S. government started going after Wikileaks and its founder, an “Anonymous” group formed to start “fighting back” in Operation Avenge Assange. Using some very basic attack tools (Low Orbit Ion Canon), Anonymous began launching fairly successful Distributed Denial of Service (DDoS) attacks against various high-profile targets like Visa and MasterCard.
What’s this have to do with HBGary?
That’s the background story, but you might now be wondering where HBGary comes into the situation. HBGary is a security company that provides various security services to customers. It also has an offshoot company called HBGary Federal, which provides those services to the government.
Early on in the Wikileaks battle, HBGary threw its gauntlet into the fight, going after Wikileaks donors. Furthermore, the COO of HBGary Federal, Aaron Barr, thought it would be interesting to infiltrate the Anonymous group and try to find who its leaders were (assuming it has any). He seems to have attempted this by lurking on forums and IRC. Eventually, Barr started sharing his findings with the press, and intended to present them at a security conference. This, of course, set Anonymous off. They had a new target and cause… take out HBGary.
And that they did! Not to mince words, but Anonymous pretty much decimated HBGary’s defenses one brick at a time. By leveraging some very basic security issues in a number of systems, Anonymous was able to deface HBGary’s web site, delete 1 TB of backups, and steal tens of thousands of critical and sensitive emails (including some very embarrassing ones). I’ll get into more detail on how Anonymous did this below, but suffice to say a company, especially one focused on security, couldn’t suffer a more embarrassing public breach. In fact, HBGary was so affected by this attack that they even pulled out of the RSA conference.
So now you’re up-to-date with HBGary internet soap-opera, but why should you care? Well, this incident leads to a fairly obvious question. How did a respected security firm get hacked so quickly and easily?
Learning from Others’ Mistakes
That’s brings us full circle, to the article I mentioned at the beginning of this post. Last week, Ars Technica published an article detailing exactly how Anonymous broke into HBGary’s network (which they learned by talking to those who participated in the attack). This real world incident is a perfect example of how seemingly small chinks in different parts of your defenses can add up to gaping holes that totally compromise your system. Furthermore, it illustrates how not following some of the most basic best practices could land you in a heap of trouble. If you haven’t read the article, I highly recommend you go do so now. I’ll wait…
Ok, you’re back?
As you read, HBGary surprisingly fell victim to some of the most basic security mistakes one could make. To accomplish all of the mayhem I mentioned earlier, Anonymous’ attack included the following components:
- A SQL injection on a badly coded custom CMS
- A cracking attack (using rainbow tables) on badly encrypted passwords
- The discovery of some embarrassingly weak passwords used by high value targets
- The discovery of rampant password reuse (again, by high value targets)
- An elevation of privilege attack due to an very unpatched system
- …and some basic social engineering
None of those attacks are new, nor particularly extraordinary or complex. In fact, some are as old as hacking itself. All security professionals know basic security best practices to safeguard against them. That’s why this incident should wave a big red flag in the security community. How could such a well-respected security firm, who knows the right things to do, fall victim to such basic attacks? In his article, Peter Bright offers a potential answer to that question. He suggests that, “the standard advice isn’t good enough.”
I don’t think Bright means that the industry’s best practices are wrong; especially considering he also says standard advice would have protected HBGary. Rather, I believe Bright means that if our standard advice is too hard or time consuming for normal people to follow, they will ignore it. I agree with this sentiment. Few will follow technically sound best practices if they are impractical.
Let’s take the whole password reuse issue. Every security practitioner knows you should not reuse the same password at multiple sites. If you do reuse your password and an attacker gains access to it via one insecure site, then the attacker has the keys to your entire kingdom. Obviously, you should use different passwords everywhere, which is the industry best practice. However, following this best practice isn’t easy. At the very least, it takes extra time and thought. Most normal users don’t know about the password vault or keychain software that might help them manage multiple passwords, Even when they do, users don’t always use them because they adds extra steps, or roadblocks to their daily processes. As a result, many people reuse passwords.
This is the crux of the problem; the industry’s technically correct advice may not be “good enough” if normal people find it impractical. Security experts, in their white towers, often forget that security is not the core mission of most businesses. Many administrators consider security a necessary chore; something they have to do, but don’t really want to spend time on. The average user cares even less. No one like roadblocks that make doing their job harder, and users often see security controls as roadblocks.
Unfortunately, there is no easy answer to this dilemma. In order to secure things, you have to put access controls in front of them. However, I see Bright’s comment as a call to arms for the security industry. The best security mechanism in the world won’t do a thing if your users turn it off. So we need to design our security controls with ease of use in mind, which is something WatchGuard is focused on. We need to protect networks, while still facilitating business.
My second takeaway seems obvious in its simplicity, yet many people don’t really do it. That is, “Do what you know.” Over the last few years, my cohorts and I have ended many of our security presentations sharing a statistic we learned from a study done by the Verizon RISK team. Over the years, the RISK team has researched real world security breaches to study why the breach happened, and how it could have been prevented. They found that in almost 90% of the cases, the victim organization had the proper policies and technologies to have prevented the breach; they just didn’t follow their own policies, or configure their technology properly. This is what happened with HBGary. They obviously know how to prevent the simple attacks that succeeded against them; they just didn’t.
I’m not pointing fingers at HBGary. As the Verizon RISK team found, it seems like most organizations don’t follow through with best security practice. However, if we want to avoid security incidents, this is something we need to improve. When I was a kid, I remember fondly watching the G.I. Joe cartoon that always ended by saying, “and knowing is half the battle.” We need to remember that doing what you know is the other, arguably more important, half of that battle.
Learn from HBGary, and do what you know.
February 24, 2011 
WatchGuard Security Center 