Here’s an interesting twist to the story about HBGary Federal, the computer security firm whose computers were hacked into recently. The larger story involves WikiLeaks, Paypal, Amazon, Bank of America and others — you can read more about it here.
The twist is that HBGary Federal was hacked with run-of-the-mill techniques and well-known exploits. This is ironic, because HBGary Federal is a computer security firm, and one of the most well known in the business. They work with the NSA and Interpol. They offer products and services to stop exactly the kind of attacks to which their own site was vulnerable.
Initial entrance to their site was through an SQL injection attack, something that was done to this blog site a while ago and which I’ve subsequently protected against. But HBGary’s website was vulnerable to this kind of attack. They also didn’t secure their passwords properly. Their top corporate officers used passwords that were too short and easy to crack. And the same passwords that were used on their insecure website were also used on their other computers, so once the hackers broke into their web server, they could access any machine they wanted. The hackers also took advantage of a server operating system security flaw that allowed them to gain superuser privileges. That flaw was well known and had been fixed last year, but HBGary Federal had not bothered to install the patch yet.
It is awfully embarrassing when one of the top computer security firms has their systems broken into, but even worse when it is revealed that it didn’t even take that much work or sophistication to break into them. Techniques available to any kid with an internet connection worked just fine. HBGary knew all about this kind of problem, but didn’t protect themselves.
The moral of this story has good news and bad news. The good news is that it would not have been that hard for HBGary Federal to have protected themselves from this attack if they had followed their own advice. This gives hope to the rest of us who want to make our systems more secure. The bad news is that they didn’t follow their own advice.