In an e-mail announcing Barr's move, HBGary CEO Greg Hoglund told his company that "these two are A+ players in the DoD contracting space and are able to 'walk the halls' in customer spaces. Some very big players made offers to Ted and Aaron last week, and instead they chose HBGary. This reflects extremely well on our company. 'A' players attract 'A' players."
Barr at first loved the job. In December, he sent an e-mail at 1:30am; it was the "3rd night in a row I have woken up in the middle of the night and can't sleep because my mind is racing. It's nice to be excited about work, but I need some sleep."
Barr had a huge list of contacts, but turning those contacts into contracts for government work with a fledgling company proved challenging. Less than a year into the job, HBGary Federal looked like it might go bust.
On October 3, 2010, HBGary CEO Greg Hoglund told Aaron that "we should have a pow-wow about the future of HBGary Federal. [HBGary President] Penny and I both agree that it hasn't really been a success... You guys are basically out of money and none of the work you had planned has come in."
Aaron agreed. "This has not worked out as any of us have planned to date and we are nearly out of money," he said.
While he worked on government contracts, Barr drummed up a little business doing social media training for corporations using, in one of his slides, a bit of research into one Steven Paul Jobs.
The training sessions, following the old "scare the sh*t out of them" approach, showed people just how simple it was to dredge up personal information by correlating data from Facebook, LinkedIn, Twitter, and more. At $1,000 per person, the training could pull in tens of thousands of dollars a day, but it was sporadic. More was needed; contracts were needed, preferably multi-year ones.
The parent company also had issues. A few weeks after the discussions about closing up HBGary Federal, HBGary President Penny Leavy-Hoglund (Greg's wife) sent an e-mail to her sales team, telling them "to work a quota and to bring in revenue in a timely manner. It's not 'optional' as to when it needs to close, if you haven't met your number, the closing needs to happen now, not later. You need to live, eat, breathe and ensure you meet your number, not kind of hit it, MEET IT... Guys, no one is making their quota."
She concluded darkly, "I have some serious doubts about some people's ability to do their job. There will be changes coming shortly and those decisions will be new people's to make."
And then, unexpectedly, came the hope of salvation.
"Bond, Q, and Monneypenny"
By October 2010, Barr was under considerable stress. His CEO job was under threat, and the e-mails show that the specter of divorce loomed over his personal life.
On October 19, a note arrived. HBGary Federal might be able to provide part of "a complete intelligence solution to a law firm that approached us." That law firm was DC-based powerhouse Hunton & Williams, which boasted 1,000 attorneys and terrific contacts. They had a client who wanted to do a little corporate investigative work, and three small security firms thought they might band together to win the deal.
Palantir would provide its expensive link analysis software running on a hosted server, while Berico would "prime the contract supplying the project management, development resources, and process/methodology development." HBGary Federal would come alongside to provide "digital intelligence collection" and "social media exploitation," Barr's strengths.
The three companies needed a name for their joint operation. One early suggestion: a "Corporate Threat Analysis Cell." Eventually, a sexier name was chosen: Team Themis.
Barr went to work immediately, tracking down all the information he could find on the team's H&W contact. This was the result of a few hours' work:
"A bit of what I have on [redacted]. He was hard to find on Facebook as he has taken some precautions to be found. He isn't even linked with his wife but I found him. I also have a list of his friends and have defined an angle if I was to target him. He has attachment to UVA, a member of multiple associations dealing with IP, e-discovery, and nearly all of his Facebook friends are of people from high school. So I would hit him from one of these three angles. I am tempted to create a person from his highschool and send him a request, but that might be overstepping it. I don't want to embarrass him, so I think I will just talk about it and he can decide for himself if I would have been successful or not."
Team Themis didn't quite understand what H&W wanted them to do, so Barr's example was simply a way to show "expertise." But it soon became clear what this was about: the US Chamber of Commerce wanted to know if certain groups attacking them were "astroturf" groups funded by the large unions.
"They further suspect that most of the actions and coordination take place through online means: forums, blogs, message boards, social networking, and other parts of the 'deep web,'" a team member explained later. "But they want to marry those online, 'cyber' sources with traditional open source data: tax records, fundraising records, donation records, letters of incorporation, etc. I believe they want to trace all the way from board structure down to the individuals carrying out actions."
H&W was putting together a proposal for the Chamber, work that Team Themis hoped to win. (It remains unclear how much the Chamber knew about any of this; it claimed later never to have paid a cent either to Team Themis or to H&W in this matter.) Barr's plan was to dig up data from background checks, LexisNexis, LinkedIn, Facebook, Twitter, blogs, forums, and Web searches and dump it into Palantir for analysis. Hopefully, the tool could shed light on connections between the various anti-Chamber forces.
Once that was done, Team Themis staffers could start churning out intelligence reports for the Chamber. The team wrote up a set of "sample reports" filled with action ideas like:
- Create a false document, perhaps highlighting periodical financial information, and monitor to see if US Chamber Watch acquires it. Afterward, present explicit evidence proving that such transactions never occurred. Also, create a fake insider persona and generate communications with [union-backed Change to Win]. Afterward, release the actual documents at a specified time and explain the activity as a CtW contrived operation.
- If needed, create two fake insider personas, using one as leverage to discredit the other while confirming the legitimacy of the second. Such work is complicated, but a well-thought out approach will give way to a variety of strategies that can sufficiently aid the formation of vetting questions US Chamber Watch will likely ask.
- Create a humor piece about the leaders of CtW.
The whole team had been infected with some kind of spy movie virus, one which led them to think in terms of military intelligence operations and ham-handed attacks. The attitude could be seen in e-mails which exhorted Team Themis to "make [H&W] think that we are Bond, Q, and money penny [sic] all packaged up with a bow."
Two million a month
But what to charge for this cloak-and-dagger work? Some team members worried that the asking price for an initial deployment was too high for H&W; someone else fired back, "Their client is loaded!" Besides, that money would buy access to Palantir, Berico, and "super sleuth Aaron Barr."
As the Team Themis proposal went to one of the top H&W lawyers for potential approval, Barr continued his social media dumpster diving. He dug up information on H&W employees, Chamber opponents, even the H&W partner whose approval was needed to move this proposal forward. That last bit of data collection, which Barr sent on to H&W, led to the e-mail about how it might "freak out" the partner.
If the deal came through, Barr told his HBGary colleagues, it might salvage the HBGary Federal business. "This will put us in a healthy position to chart our direction with a healthy war chest," he wrote.
Indeed it would; Team Themis decided to ask for $2 million per month, for six months, for the first phase of the project, putting $500,000 to $700,000 per month in HBGary Federal's pocket.
But the three companies disagreed about how to split the pie. In the end, Palantir agreed to take less money, but that decision had to go "way up the chain (as you can imagine)," wrote the Palantir contact for Team Themis. "The short of it is that we got approval from Dr. Karp and the Board to go ahead with the modified 40/30/30 breakdown proposed. These were not fun conversations, but we are committed to this team and we can optimize the cost structure in the long term (let's demonstrate success and then take over this market :))."
The leaders at the very top of Palantir were aware of the Team Themis work, though the details of what was being proposed by Barr may well have escaped their notice. Palantir wasn't kidding around with this contract; if selected by H&W and the Chamber, Palantir planned to staff the project with an experienced intelligence operative, a man who "ran the foreign fighter campaign on the Syrian border in 2005 to stop the flow of suicide bombers into Baghdad and helped to ensure a successful Iraqi election. As a commander, [he] ran the entire intelligence cycle: identified high-level terrorists, planned missions to kill or capture them, led the missions personally, then exploited the intelligence and evidence gathered on target to defeat broader enemy networks."
(Update: a reader points to additional emails which suggest that the "foreign fighter campaign" operative would not actually be working on the Team Themis project. Instead, Berico and Palantir would list him and another top person as "key personnel," drawing on their "creds to show our strengths," but might actually staff the project with others.)
"I don't think we can make it any further"
But the cash, which "will seem like money falling from the sky for those of us used to working in the govt sector," was not forthcoming. H&W didn't make a decision in November. Barr began to worry.
"All things we are chasing continue to get pushed to the right or just hang in limbo," he wrote. "I don't think we can make it any further. We are behind in our taxes trying to keep us afloat until a few things came through, but they are not happening fast enough." He noted that Palantir was asking "way too much money" from H&W.
As the weeks dragged on, Team Themis decided to lower its price. It sent an e-mail to H&W, saying that the three companies were "prepared to offer our services as Team Themis at a significantly lower cost (much closer to the original 'Phase I' proposed costs). Does this sound like a more reasonable range in terms of pricing?"
But before H&W made a decision on the Chamber of Commerce plan, it had another urgent request for Team Themis: a major US bank had come to H&W seeking help against WikiLeaks (the bank has been widely assumed to be Bank of America, which has long been rumored to be a future WikiLeaks target). "We want to sell this team as part of what we are talking about," said the team's H&W contact. "I need a favor. I need five to six slides on Wikileaks: who they are, how they operate and how this group may help this bank. Please advise if you can help get me something ASAP. My call is at noon."
"Attack their weak points"
By 11:30pm on the evening of December 2, Barr had cranked out a PowerPoint presentation. It called for "disinformation," "cyber attacks," and a "media campaign" against WikiLeaks.
What could HBGary Federal do?
- Computer Network Attack/Exploitation
- Influence and Deception Operations
- Social Media Collection, Analysis, Exploitation
- Digital Media Forensic Analysis
This attack capability wasn't mere bluster. HBGary had long publicized to clients its cache of 0-day exploits, attacks for which there is no existing patch. A slide from a year earlier showed that HBGary claimed unpublished 0-day exploits in everything from Flash to Java to Windows 2000.
Another slide made clear that the company had expertise in "computer network attack," "custom malware development," and "persistent software implants."
In October 2010, HBGary CEO Greg Hoglund had tossed out a random idea for Barr, one that did not apparently seem unusual: "I suggest we create a large set of unlicensed windows-7 themes for video games and movies appropriate for middle east & asia. These theme packs would contain back doors."
Barr's ideas about WikiLeaks went beyond attacks on their infrastructure. He wrote in a separate document that WikiLeaks was having trouble getting money because its payment sources were being blocked. "Also need to get people to understand that if they support the organization we will come after them," he wrote. "Transaction records are easily identifiable."
As an idea that Barr knew was being prepared for a major US bank, the suggestion is chilling. Barr also reiterated the need to "get to the Swedish document submission server" that allowed people to upload leaked documents.
At 7:30am the next morning, Barr had another great idea: find some way to make WikiLeaks supporters like Glenn Greenwald feel like their jobs might be at stake for supporting the organization.
"One other thing," he wrote in his morning message. "I think we need to highlight people like Glenn Greenwald. Glenn was critical in the Amazon to OVH [data center] transition and helped WikiLeaks provide access to information during the transition. It is this level of support we need to attack. These are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause, such is the mentality of most business professionals. Without the support of people like Glenn WikiLeaks would fold."
This seems an absurd claim on a number of levels, but it also upped the "creep factor" dramatically. Barr was now suggesting that a major US corporation find ways to lean on a civil liberties lawyer who held a particular view of WikiLeaks, pressuring him into silence on the topic. Barr, the former Navy SIGINT officer who had traveled around the world to defend the US right to freedom of speech, had no apparent qualms about his idea.
"Discontinued all ties with HBGary Federal"
The fallout rained down quickly enough. In January, with H&W still not signing off on any big-dollar deals, Barr decided to work on a talk for the BSides security conference in San Francisco. He hoped to build on all of the social media work he was doing to identify the main participants in the Anonymous hacker collective, and by doing so to drum up business.
The decision seems to have stemmed from Barr's work on WikiLeaks. Anonymous defended WikiLeaks on several occasions in 2010, even attacking the websites of Visa and MasterCard when the companies refused to process WikiLeaks donations. But Barr also liked the thrill of chasing a dangerous quarry.
For instance, to make his point about the vulnerabilities of social media, Barr spent some time in 2010 digging into the power company Exelon and its US nuclear plants. "I am going to target the largest nuclear operator in the United States, Exelon, and I am going to do a social media targeted collection, reconnaissance against them," he wrote.
Once Barr had his social media map of connections, he could attack. As he wrote elsewhere:
"Example. If I want to gain access to the Exelon plant up in Pottsdown PA I only have to go as far as LinkedIn to identify Nuclear engineers being employed by Exelon in that location. Jump over to Facebook to start doing link analysis and profiling. Add data from twitter and other social media services. I have enough information to develop a highly targeted exploitation effort.
I can and have gained access to various government and government contractor groups in the social media space using this technique (more detailed but you get the point). Given that people work from home, access home services from work, getting access to the target is just a matter of time and nominal effort."
Knowing about a target's spouse and college and business and friends makes it relatively easy to engage in a "spear phishing" attack against that person, say, a fake e-mail from an old friend, in which the target eventually reveals useful information.
Ironically, when Anonymous later commandeered Greg Hoglund's separate security site rootkit.com, it did so through a spear phishing e-mail attack on Hoglund's site administrator, who promptly turned off the site's defenses and issued a new password ("Changeme123") for a user he believed was Hoglund. Minutes later, the site was compromised.
After the Anonymous attacks and the release of Barr's e-mails, his partners furiously distanced themselves from Barr's work. Palantir CEO Dr. Alex Karp wrote, "We do not provide, nor do we have any plans to develop, offensive cyber capabilities... The right to free speech and the right to privacy are critical to a flourishing democracy. From its inception, Palantir Technologies has supported these ideals and demonstrated a commitment to building software that protects privacy and civil liberties. Furthermore, personally and on behalf of the entire company, I want to publicly apologize to progressive organizations in general, and Mr. Greenwald in particular, for any involvement that we may have had in these matters."
Berico said (PDF) that it "does not condone or support any effort that proactively targets American firms, organizations or individuals. We find such actions reprehensible and are deeply committed to partnering with the best companies in our industry that share our core values. Therefore, we have discontinued all ties with HBGary Federal."
But both of the Team Themis leads at these companies knew exactly what was being proposed (such knowledge may not have run to the top). They saw Barr's e-mails, and they used his work. His ideas on attacking WikiLeaks made it almost verbatim into a Palantir slide about "proactive tactics."
And Palantir had no problem scraping tweets from union supporters and creating linkages from them.
As for targeting American organizations, it was a Berico analyst who sent out the Team Themis "sample reports," the documents suggesting that the US Chamber of Commerce create false documents and false personae in its effort to "discredit the organization" US Chamber Watch.
The US Chamber of Commerce expressed shock when the Team Themis work came to light. "We're incredulous that anyone would attempt to associate such activities with the Chamber as we've seen today from the Center for American Progress," said Tom Collamore on February 10. "The security firm referenced by ThinkProgress was not hired by the Chamber or by anyone else on the Chamber's behalf. We have never seen the document in question nor has it ever been discussed with us."
Indeed, the meeting between H&W and the Chamber on this issue was set to take place today, February 14. On February 11, the Chamber went further, issuing a new statement saying that "it never hired or solicited proposals from HBGary, Palantir or Berico, the security firms being talked about on the Web... The leaked e-mails appear to show that HBGary was willing to propose questionable actions in an attempt to drum up business, but the Chamber was not aware of these proposals until HBGary's e-mails leaked."
"No money, for any purpose, was paid to any of those three private security firms by the Chamber, or by anyone on behalf of the Chamber, including Hunton & Williams."
As for Hunton & Williams, they have yet to comment publicly. On February 7, however, the firm celebrated its top ranking in Computerworld's report on "Best Privacy Advisers."
It has been an embarrassing week for security firm HBGary and its HBGary Federal offshoot. HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.
When Barr told one of those he believed to be an Anonymous ringleader about his forthcoming expose, the Anonymous response was swift and humiliating. HBGary's servers were broken into, its e-mails pillaged and published to the world, its data destroyed, and its website defaced. As an added bonus, a second site owned and operated by Greg Hoglund, owner of HBGary, was taken offline and the user registration database published.
Over the last week, I've talked to some of those who participated in the HBGary hack to learn in detail how they penetrated HBGary's defenses and gave the company such a stunning black eye, and what the HBGary example means for the rest of us mere mortals who use the Internet.
Anonymous: more than kids
HBGary and HBGary Federal position themselves as experts in computer security. The companies offer both software and services to both the public and private sectors. On the software side, HBGary has a range of computer forensics and malware analysis tools to enable the detection, isolation, and analysis of worms, viruses, and trojans. On the services side, it offers expertise in implementing intrusion detection systems and secure networking, and performs vulnerability assessment and penetration testing of systems and software. A variety of three letter agencies, including the NSA, appeared to be in regular contact with the HBGary companies, as did Interpol, and HBGary also worked with well-known security firm McAfee. At one time, even Apple expressed an interest in the company's products or services.
Greg Hoglund's rootkit.com is a respected resource for discussion and analysis of rootkits (software that tampers with operating systems at a low level to evade detection) and related technology; over the years, his site has been targeted by disgruntled hackers aggrieved that their wares have been discussed, dissected, and often disparaged as badly written bits of code.
One might think that such an esteemed organization would prove an insurmountable challenge for a bunch of disaffected kids to hack. World-renowned, government-recognized experts against Anonymous? HBGary should be able to take their efforts in stride.
Unfortunately for HBGary, neither the characterization of Anonymous nor the assumption of competence on the security company's part is accurate, as the story of how HBGary was hacked will make clear.
Anonymous is a diverse bunch: though they tend to be younger rather than older, their age group spans decades. Some may still be in school, but many others are gainfully employed office workers, software developers, or IT support technicians, among other things. With that diversity in age and experience comes a diversity of expertise and ability.
It's true that most of the operations performed under the Anonymous branding have been relatively unsophisticated, albeit effective: the attacks made on MasterCard and others were distributed denial-of-service attacks using a modified version of the Low Orbit Ion Cannon (LOIC) load-testing tool. The modified LOIC enables the creation of large botnets that each user opts into: the software can be configured to take its instructions from connections to Internet relay chat (IRC) chat servers, allowing attack organizers to remotely control hundreds of slave machines and hence control large-scale attacks that can readily knock websites offline.
According to the leaked e-mails, Aaron Barr believed that HBGary's website was itself subject to a denial-of-service attack shortly after he exposed himself to someone he believed to be a top Anonymous leader. But the person I spoke to about this denied any involvement in such an attack. Which is not to say that the attack didn't happen, simply that this person didn't know about or participate in it. In any case, the Anonymous plans were more advanced than a brute force DDoS.
Time for an injection
HBGary Federal's website, hbgaryfederal.com, was powered by a content management system (CMS). CMSes are a common component of content-driven sites; they make it easy to add and update content to the site without having to mess about with HTML and making sure everything gets linked up and so on and so forth. Rather than using an off-the-shelf CMS (of which there are many, used in the many blogs and news sites that exist on the Web), HBGary, for reasons best known to its staff, decided to commission a custom CMS system from a third-party developer.
Unfortunately for HBGary, this third-party CMS was poorly written. In fact, it had what can only be described as a pretty gaping bug in it. A standard, off-the-shelf CMS would be no panacea in this regard (security flaws crop up in all of them from time to time), but it would have the advantage of many thousands of users and regular bugfixes, resulting in a much lesser chance of extant security flaws.
The custom solution on HBGary's site, alas, appeared to lack this kind of support. And if HBGary conducted any kind of vulnerability assessment of the software, which is, after all, one of the services the company offers, then its assessment overlooked a substantial flaw.
The hbgaryfederal.com CMS was susceptible to a kind of attack called SQL injection. In common with other CMSes, the hbgaryfederal.com CMS stores its data in an SQL database, retrieving data from that database with suitable queries. Some queries are fixed, an integral part of the CMS application itself. Others, however, need parameters. For example, a query to retrieve an article from the CMS will generally need a parameter corresponding to the article ID number. These parameters are, in turn, generally passed from the Web front-end to the CMS.
SQL injection is possible when the code that deals with these parameters is faulty. Many applications join the parameters from the Web front-end with hard-coded queries, then pass the whole concatenated lot to the database. Often, they do this without verifying the validity of those parameters. This exposes the systems to SQL injection. Attackers can pass in specially crafted parameters that cause the database to execute queries of the attackers' own choosing.
The exact URL used to break into hbgaryfederal.com was
The URL has two parameters named pageNav and page, set to the values 2 and 27, respectively. One or other or both of these was handled incorrectly by the CMS, allowing the hackers to retrieve data from the database that they shouldn't have been able to get.
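The faulty pattern described above, side by side with its fix, as an added illustration that is not code from the article or from the hbgaryfederal.com CMS: a "page" parameter glued into the query text versus the same lookup done with a bound placeholder and a type check. The table, its rows and the page IDs are constructed for the example; the regression check is the kind a developer would keep in a CMS test suite to make sure a non-numeric parameter can never widen a result set.

```python
import sqlite3

# Constructed sample rows standing in for a CMS "pages" table (not HBGary's schema).
SAMPLE_PAGES = [
    (2, "about", "Public company overview"),
    (27, "press", "Public press release"),
    (31, "admin-notes", "Internal notes not meant for the public"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def get_page_vulnerable(conn, page):
    """The faulty pattern the article describes: the 'page' value taken from the
    URL is concatenated straight into the SQL text, so whatever it contains is
    interpreted as part of the query rather than as a value to compare against."""
    query = "SELECT id, slug FROM pages WHERE id = " + page
    return conn.execute(query).fetchall()


def get_page_safe(conn, page):
    """Hardened form: validate the parameter (an article ID must be an integer),
    then bind it through a placeholder so the driver sends it as data, never as SQL."""
    try:
        page_id = int(page)
    except (TypeError, ValueError):
        return []  # reject anything that is not an integer article ID
    return conn.execute("SELECT id, slug FROM pages WHERE id = ?", (page_id,)).fetchall()


def sqli_regression_check(conn):
    """Regression test for the fix: a parameter that is not a valid article ID
    must return nothing from the safe lookup, while the vulnerable lookup shows
    why the check matters by returning every row in the table."""
    crafted = "27 OR 1=1"  # constructed non-numeric input a request could carry
    return {
        "vulnerable_leaks_all_rows": len(get_page_vulnerable(conn, crafted)) == len(SAMPLE_PAGES),
        "safe_returns_nothing": get_page_safe(conn, crafted) == [],
        "safe_still_serves_valid_id": get_page_safe(conn, "27") == [(27, "press")],
    }


if __name__ == "__main__":
    print(sqli_regression_check(make_db()))
```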
Rainbow tables Specifically, the attackers grabbed the user database from the CMS-the list of usernames, e-mail addresses, and pa.s.sword hashes for the HBGary employees authorized to make changes to the CMS. In spite of the rudimentary SQL injection flaw, the designers of the CMS system were not completely oblivious to security best practices; the user database did not store plain readable pa.s.swords. It stored only hashed pa.s.swords-pa.s.swords that have been mathematically processed with a hash function to yield a number from which the original pa.s.sword can"t be deciphered. to yield a number from which the original pa.s.sword can"t be deciphered.
The key part is that you can"t go backwards-you can"t take the hash value and convert it back into a pa.s.sword.With a hash algorithm, traditionally the only way to figure out the original pa.s.sword was to try every single possible pa.s.sword in turn, and see which one matched the hash value you have. So, one would try "a," then "b," then "c"... then "z," then "aa," "ab," and so on and so forth.
To make this more difficult, hash algorithms are often quite slow (deliberately), and users are encouraged to use long pa.s.swords which mix lower case, upper case, numbers, and symbols, so that these brute force attacks have to try even more potential pa.s.swords until they find the right one. Given the number of pa.s.swords to try, and the slowness of hash algorithms, this normally takes a very long time. Pa.s.sword cracking software to perform this kind of brute force attack has long been available, but its success at cracking complex pa.s.swords is low.
However, a technique first published in 2003 (itself a refinement of a technique described in (itself a refinement of a technique described in 1980) gave pa.s.sword crackers an alternative approach. By pre-computing large sets of data and generating what are known as rainbow tables, the attackers can make a trade-off: they get much faster pa.s.sword cracks in return for using much more s.p.a.ce. The rainbow table lets the pa.s.sword cracker pre-compute and store a large number of hash values and the pa.s.swords that generated them. An attacker can then look up the hash value that they are interested in and see if it"s in the table. If it is, they can then read out the pa.s.sword.
To make cracking harder, good pa.s.sword hash implementations will use a couple of additional techniques. The first is iterative hashing: simply put, the output of the hash function is itself hashed with the hash function, and this process is repeated thousands of times. This makes the hashing process considerably slower, hindering both brute-force attacks and rainbow table generation.
The second technique is salting; a small amount of random data is added to the pa.s.sword before hashing it, greatly expanding the size of rainbow table that would be required to get the pa.s.sword.
In principle, any hash function can be used to generate rainbow tables. However, it takes more time to generate rainbow tables for slow hash functions than it does for fast ones, and hash functions that produce a short hash value require less storage than ones that produce long hash values. So in practice, only a few hash algorithms have widely available rainbow table software available. The best known and most widely supported of these is probably MD5, which is quick to compute and produces an output that is only 128 bits (16 bytes) per hash. These factors together make it particularly vulnerable to rainbow table attacks. A number of software projects exist that allow the generation or downloading of MD5 rainbow tables, and their subsequent use to crack pa.s.swords. exist that allow the generation or downloading of MD5 rainbow tables, and their subsequent use to crack pa.s.swords.
As luck would have it, the hbgaryfederal.com CMS used MD5. What's worse is that it used MD5 badly: there was no iterative hashing and no salting. The result was that the downloaded passwords were highly susceptible to rainbow table-based attacks, performed using a rainbow table-based password cracking website. And so this is precisely what the attackers did; they used a rainbow table cracking tool to crack the hbgaryfederal.com CMS passwords.
Even with the flawed usage of MD5, HBGary could have been safe thanks to a key limitation of rainbow tables: each table only spans a given "pattern" for the password. So for example, some tables may support "passwords of 1-8 characters made of a mix of lower case and numbers," while others can handle only "passwords of 1-12 characters using upper case only."
A password that uses the full range of the standard 95 typeable characters (upper and lower case letters, numbers, and the standard symbols found on a keyboard) and which is unusually long (say, 14 or more characters) is unlikely to be found in a rainbow table, because the rainbow table required for such passwords will be too big and take too long to generate.
Alas, two HBGary Federal employees, CEO Aaron Barr and COO Ted Vera, used passwords that were very simple; each was just six lower case letters and two numbers. Such simple combinations are likely to be found in any respectable rainbow table, and so it was that their passwords were trivially compromised.
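The following is an added example, not code from the article or from HBGary, showing concretely why unsalted single-round MD5 falls to a precomputed table while salting and iteration defeat it, and why the password pattern decides the table size. The table here is a plain hash-to-password dictionary over a deliberately tiny constructed pattern (three lower case letters plus one digit); a real rainbow table covers a far larger pattern and stores only chain endpoints to save space, but a lookup has the same outcome. The function names, the `hbg7` sample password, and the PBKDF2 parameters are the example's own choices.

```python
import hashlib
import hmac
import itertools
import os
import string

# Pattern covered by the precomputed table: 3 lower-case letters + 1 digit.
# Constructed to be tiny (175,760 entries) so the block runs in about a second.
TABLE_PATTERN = (string.ascii_lowercase,) * 3 + (string.digits,)


def keyspace_size(alphabet_sizes):
    """Number of passwords in a pattern, given the alphabet size at each position."""
    n = 1
    for size in alphabet_sizes:
        n *= size
    return n


def build_lookup_table(pattern=TABLE_PATTERN):
    """Precompute unsalted MD5 for every password in the pattern.

    This is the crudest time/memory trade-off: store every (hash, password)
    pair. A rainbow table is much smaller because it keeps only chain
    endpoints and recomputes the rest on lookup, but for any unsalted hash
    of a password inside the pattern the result is the same: instant recovery.
    """
    table = {}
    for chars in itertools.product(*pattern):
        pw = "".join(chars)
        table[hashlib.md5(pw.encode()).hexdigest()] = pw
    return table


def lookup(table, hex_digest):
    """Return the password behind a hash, or None if it is not in the table."""
    return table.get(hex_digest)


def unsalted_md5(password):
    """What the CMS did: one round of MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_md5(password, salt):
    """MD5 with a salt prepended. Still a poor choice (fast, single round), but
    it already shows that a table built in advance cannot cover the input."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=100_000):
    """Salted and iterated (PBKDF2-HMAC-SHA256); returns (salt, digest).

    A random per-user salt defeats precomputation, and the iteration count
    makes every guess roughly `iterations` times slower than one MD5.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, stored_digest, iterations=100_000):
    """Constant-time check of a login attempt against the stored record."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    table = build_lookup_table()
    print("table entries:", len(table))

    # Unsalted MD5 of a password inside the pattern: recovered immediately.
    print("unsalted:", lookup(table, unsalted_md5("hbg7")))

    # The same password with a salt: the precomputed table has no entry.
    print("salted:", lookup(table, salted_md5("hbg7", os.urandom(8))))

    # Proper storage: two users with the same password get different records,
    # and verification still works for the right password only.
    salt_a, digest_a = hash_password("hbg7")
    salt_b, digest_b = hash_password("hbg7")
    print("same password, different records:", digest_a != digest_b)
    print("login checks:", verify_password("hbg7", salt_a, digest_a),
          verify_password("hbg8", salt_a, digest_a))

    # Why the pattern matters: the article's "6 lower case + 2 digits" versus
    # 14 characters drawn from all 95 printable keyboard characters.
    print("6 lower + 2 digits:", keyspace_size([26] * 6 + [10] * 2))
    print("14 of 95 printable:", keyspace_size([95] * 14))
```

The salted MD5 function is kept only to isolate the effect of the salt; the PBKDF2 variant is the form to store, because it combines the salt with the iterative hashing the article describes.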
For a security company to use a CMS that was so flawed is remarkable. Failing to handle passwords properly (no iterative hashing, no salts, and a fast algorithm) and failing to protect against SQL injection attacks are basic errors. Their system did not fall prey to some subtle, complex issue: it was broken into with basic, well-known techniques. And though not all the passwords were retrieved through the rainbow tables, two were, because they were so poorly chosen.
HBGary owner Penny Leavy said in a later IRC chat with Anonymous that the company responsible for implementing the CMS has since been fired.
Password problems
Still, badly chosen passwords aren't such a big deal, are they? They might have allowed someone to deface the hbgaryfederal.com website (admittedly embarrassing), but since everybody knows that you shouldn't reuse passwords across different systems, that should have been the extent of the damage, surely?
Unfortunately for HBGary Federal, it was not. Neither Aaron nor Ted followed best practices. Instead, they used the same password in a whole bunch of different places, including e-mail, Twitter accounts, and LinkedIn. For both men, the passwords allowed retrieval of e-mail. However, that was not all they revealed. Let's start with Ted's password first.
Along with its webserver, HBGary had a Linux machine, support.hbgary.com, on which many HBGary employees had shell accounts with ssh access, each with a password used to authenticate the user. One of these employees was Ted Vera, and his ssh password was identical to the cracked password he used in the CMS. This gave the hackers immediate access to the support machine.
ssh doesn't have to use passwords for authentication. Passwords are certainly common, but they're also susceptible to this kind of problem (among others). To combat this, many organizations and users, particularly those with security concerns, do not use passwords for ssh authentication. Instead, they use public key cryptography: each user has a key made up of a private part and a public part. The public part is associated with their account, and the private part is kept, well, private. ssh then uses these two keys to authenticate the user.
Since these private keys are not as easily compromised as passwords (servers don't store them, and in fact they never leave the client machine) and aren't readily re-used (one set of keys might be used to authenticate with several servers, but they can't be used to log in to a website, say), they are a much more secure option. Had they been used for HBGary's server, it would have been safe. But they weren't, so it wasn't.
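The check a defender wants after reading this is whether their own sshd still accepts passwords at all. The following is an added example, not code from the article or from HBGary: a small audit of an OpenSSH `sshd_config` that applies two of sshd's parsing rules (keywords are case-insensitive, and the first value given for a keyword wins) and reports whether a password-based login is possible. The two configuration texts are constructed samples; `Include` files are not followed, and anything after the first `Match` line is only counted, since it applies conditionally rather than globally.

```python
import re

# sshd's own defaults for the keywords this audit cares about (sshd_config(5));
# an absent keyword means the default applies, which is what makes a stock
# config accept passwords.
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}

# ChallengeResponseAuthentication is the older name for the same setting.
KEYWORD_ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# "Keyword value" or "Keyword=value"; keywords may contain digits (X11Forwarding).
CONFIG_LINE = re.compile(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)")


def parse_sshd_config(text):
    """Return (global_settings, number_of_match_blocks).

    For each keyword the FIRST value seen is kept, as sshd does. Lines after
    the first 'Match' belong to conditional blocks and are not applied
    globally here; they are only counted so the report can flag them.
    """
    settings = {}
    match_blocks = 0
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CONFIG_LINE.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        value = m.group(2).strip().lower()
        if key == "match":
            match_blocks += 1
            in_match = True
            continue
        if in_match:
            continue
        key = KEYWORD_ALIASES.get(key, key)
        settings.setdefault(key, value)
    return settings, match_blocks


def audit_password_auth(text):
    """Report whether sshd, as configured, would accept a password at login."""
    settings, match_blocks = parse_sshd_config(text)
    effective = {**SSHD_DEFAULTS, **settings}
    findings = []
    if effective["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is in effect (the default): a "
                        "cracked or reused password is enough to log in")
    if effective["kbdinteractiveauthentication"] == "yes":
        findings.append("KbdInteractiveAuthentication is in effect: with PAM "
                        "this path can still prompt for the account password")
    if effective["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes: accounts without a password can log in")
    if effective["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: key-based login is not possible")
    return {
        "password_login_possible": effective["passwordauthentication"] == "yes"
        or effective["kbdinteractiveauthentication"] == "yes",
        "findings": findings,
        "match_blocks_skipped": match_blocks,
    }


# Constructed sample: looks tidy, but the commented-out line leaves the
# default (PasswordAuthentication yes) in force.
WEAK_CONFIG = """
Port 22
PubkeyAuthentication yes
#PasswordAuthentication yes
"""

# Constructed sample: key-only logins. The second PasswordAuthentication line
# is ignored because sshd keeps the first value; the Match block is conditional.
HARDENED_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_password_auth(cfg))
```

Run it against a copy of `/etc/ssh/sshd_config` by reading the file into `audit_password_auth`; a non-zero `match_blocks_skipped` is a prompt to read those blocks by hand, since a `Match` block can re-enable passwords for particular users or addresses.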
Although attackers could log on to this machine, the ability to look around and break stuff was curtailed: Ted was only a regular non-superuser. Being restricted to a user account can be enormously confining on a Linux machine. It spoils all your fun; you can't read other users' data, you can't delete files you don't own, you can't cover up the evidence of your own break-in. It's a total downer for hackers.
The only way they can have some fun is to elevate privileges through exploiting a privilege escalation vulnerability. These crop up from time to time and generally exploit flaws in the operating system kernel or its system libraries to trick it into giving the user more access to the system than should be allowed. By a stroke of luck, the HBGary system was vulnerable to just such a flaw. The error was published in October last year, conveniently with a full, working exploit. By November, most distributions had patches available, and there was no good reason to be running the exploitable code in February 2011.
Exploitation of this flaw gave the Anonymous attackers full access to HBGary's system. It was then that they discovered many gigabytes of backups and research data, which they duly purged from the system.