Here’s an interesting twist to the story about HBGary Federal, the computer security firm whose computers were hacked into recently. The larger story involves WikiLeaks, Paypal, Amazon, Bank of America and others — you can read more about it here.
The twist is that the techniques that were used to hack into HBGary Federal were run-of-the-mill hacking techniques using well-known exploits and techniques. This is ironic, because HBGary Federal is a computer security firm, and one of the most well known in the business. They work with the NSA and Interpol. They offer products and services to stop exactly the kind of attacks to which their own site was vulnerable.
Initial entrance to their site was through an SQL injection attack, something that was done to this blog site a while ago and which I’ve subsequently protected against. But HBGary’s website was vulnerable to this kind of attack. They also didn’t secure their passwords properly, so their passwords were insecure. Their top corporate officers used passwords that were too short and easy to crack. And the same passwords that were used on their insecure website were also used on their other computers, so once the hackers broke into their web server, they could access any machine they wanted. The hackers also took advantage of a server operating system security flaw that allowed them to gain superuser privileges — even though that flaw was well known and had been fixed last year, but HBGary Federal had not bothered to install the patch yet.
It is awfully embarrassing when one of the top computer security firms has their systems broken into, but even worse when it is revealed that it didn’t even take that much work or sophistication to break into them. Techniques available to any kid with an internet connection worked just fine. HBGary knew all about this kind of problem, but didn’t protect themselves.
The moral of this story has good news and bad news. The good news is that it would not have been that hard for HBGary Federal to have protected themselves from this attack if they had followed their own advice. This gives hope to the rest of us who want to make our systems more secure. The bad news is that they didn’t follow their own advice.
7 Comments
I’m reading “The Broken Window” by Jeferrey Deaver addressing the protection issues on the Internat in a Lincoln Rhyme mystery.
“The hackers also took advantage of a server operating system security flaw that allowed them to gain superuser privileges.”
That’s why I’m a proponent of capability-based operating systems, and why it’s an area of research that I love. They don’t rely on run-time checks of privilege level, making these types of security flaws significantly less likely to occur. Identity-based OS just can’t cut it for real security.
One of the points I was trying to make was that is not technology that makes systems secure. Here is a company with all the technology they needed, but they didn’t use it.
Second, I’ve worked with capability-based operating systems in the past, and they are not exempt from the old truism that the only way to make an information system completely secure is to make it unusable. A corollary is the more security measures you put in place to protect a system, the harder it is to use, so the more workarounds people come up with to get around the inconvenience of the security.
I’ve seen secured rooms that had so much security installed on the entrance that the workers left the door propped open so they could get in and out easier.
I’ll go with our security group’s motto: “If we’re doing our job, you can’t do yours.”
LOL 1032
Also note that the hackers used some social engineering to fool an administrator into bypassing some of their security. No amount of technology can solve human stupidity.
Quite entertaining. People are the weak link to any security system.
“[It] is not technology that makes systems secure.”
I absolutely agree. PEBKAC and all that. I’m actually a proponent of “good enough” security for most things, meaning security that balances the goals of the organization with the incentives of likely attackers. And for general purpose, end-user computing, yeah, capability-based systems are not (at least right now) a consideration because the systems that exist are very challenging (to put it VERY mildly). For back-end and embedded systems, I think capability systems have a lot to offer. They’re not there yet, but I think there’s potential.