Anonymous makes a laughing stock of HBGary
by Jürgen Schmidt
Trying to explain Anonymous is a hopeless undertaking – as a first approximation you can view them as a group of anonymous internet activists. Anonymous has recently come to the public's attention through its support for WikiLeaks, which resulted in it overloading and bringing down the main web sites of PayPal, MasterCard and Swiss bank PostFinance.
Operation Payback involved thousands of sympathisers turning their computers into remotely controlled bots by running a modified version of the load-testing tool Low Orbit Ion Cannon (LOIC), which then flooded particular web sites with requests on command. LOIC had previously been used in Anonymous' campaigns against Scientology.
In early February, the head of US security firm HBGary Federal told the Financial Times that, as part of a project to research the risks posed by social networks, he had infiltrated Anonymous and uncovered the identity of leading figures within the organisation. "As 1337 as these guys are supposed to be they don't get it. I have pwned them! :)," boasted Aaron Barr in an email to a member of the company's PR department.
He did not publish the names of the alleged Anonymous activists at this point – he had assembled a dossier of online IDs, names and in some cases addresses and was saving these for a planned meeting with the FBI. A blog entry and press release had even been prepared, which boasted, "HBGary Federal […] flexes its muscle today by revealing the identities of all the top management within the group Anonymous."
This was a press release Barr never got to send. One day after the Financial Times interview, Anonymous ran its own exposé of the security company and what it revealed was more than just a little embarrassing.
Unknown assailants were able to rapidly penetrate the security company's computer systems, from where they were able to access around 60,000 emails. Access was gained via HBGary Federal's public web site. The web site was managed using a proprietary content management system specially developed for the company and only the company's most senior employees had access to this CMS.
The CMS generated URLs such as /pages.php?pageNav=2&page=27. But – mistake number one – it neither validated nor escaped these parameters before building its database query, so crafted values for pageNav and page were passed straight through and interpreted as SQL. This SQL injection attack allowed the attackers to read the CMS user table, including the password hashes stored in the database.
The hashes were generated using the MD5 cryptographic hash function with no additional protection. In particular, the standard password-strengthening techniques, adding a random per-user salt and iterating the hash function many times to make each guess expensive, were not used. MD5 is also very fast to compute. This second mistake made it easy to work back to the plain text passwords using rainbow tables or plain lookup tables of precomputed hashes.
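Why the second mistake matters, as an added example that is not part of the original article: a dictionary of precomputed MD5 hashes (a stand-in for a rainbow table, which trades table size for some recomputation but has the same effect) recovers an unsalted hash instantly, fails against the same password once a random salt is prepended, and a PBKDF2 construction with a per-user salt and a high iteration count makes every guess cost as much as the defender chooses. The word list, passwords and salt sizes are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed candidate list, standing in for the space a rainbow table covers.
WORDLIST = ["password", "letmein", "hunter2", "summer2010", "qwerty"]


def md5_unsalted(password):
    # What the article describes: one bare MD5 per password, identical for
    # every user who picked the same password.
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    # hash -> password. Built once, it cracks every unsalted hash of any
    # password it covers, on any site that stores MD5 this way.
    return {md5_unsalted(w): w for w in words}


def crack_with_table(table, stored_hash):
    return table.get(stored_hash)


def md5_salted(password, salt):
    # Even a salt alone defeats the precomputed table: the attacker would
    # need a fresh table per salt value.
    return hashlib.md5(salt + password.encode()).hexdigest()


def pbkdf2_hash(password, salt=None, iterations=100_000):
    # Hardened form: random 16-byte salt plus iterated HMAC-SHA256 (PBKDF2).
    # The salt and iteration count are stored with the digest so they can be
    # raised later without breaking verification of old records.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def pbkdf2_verify(password, stored):
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo():
    table = build_lookup_table(WORDLIST)
    unsalted = md5_unsalted("hunter2")
    salted = md5_salted("hunter2", os.urandom(8))
    record = pbkdf2_hash("hunter2")
    return {
        "unsalted_cracked": crack_with_table(table, unsalted),
        "salted_cracked": crack_with_table(table, salted),
        "pbkdf2_ok": pbkdf2_verify("hunter2", record),
        "pbkdf2_wrong": pbkdf2_verify("hunter3", record),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A salt only stops precomputation; it does not slow down an online brute-force attempt against one hash, which is what the iteration count (or a memory-hard function such as scrypt or Argon2) is for.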
The third mistake was the re-use of the same password for the CMS as for many other accounts – including email, Twitter and LinkedIn. This gave attackers access to several email accounts, including those of Barr and his Chief Operations Officer, Ted Vera.
Vera also had an account on support.hbgary.com which was accessible via SSH, and which Anonymous was able to log into using the same password. It ran a Linux system which – mistake number four – still contained an unpatched privilege-escalation vulnerability in the GNU C library's dynamic loader (ld.so), first disclosed back in October 2010. This turned the uninvited guests' ordinary user account into root, giving them access to many gigabytes of backups and research data.
Because Barr was also an administrator on HBGary's Google Apps account, he had the rights to reset other employees' email passwords. This gave Anonymous access to Greg Hoglund's inbox. Hoglund is a well-known rootkit expert and co-founder of parent company HBGary. Mistake number five was that Hoglund's inbox contained the root password for his rootkit.com security web site. With the help of this password, Anonymous was able to persuade another administrator by email to open a tunnel through the firewall and to change Hoglund's supposedly forgotten user password. This was mistake number five and a half (only half a mistake, as the emails came from Hoglund's genuine address and the sender evidently already knew the root password). Using this SSH access, Anonymous was able to take over the server and dump the forum's user database, where once again unsalted and therefore rapidly crackable MD5 hashes were used.
All in all, for a security firm the level of security was shockingly low. Easy-to-avoid errors, such as an obvious SQL injection vulnerability on the web site, unsalted password hashes, one password shared across a number of different services and unpatched servers, shine a harsh light on a company which earns its money selling security software and consultancy. But it gets worse.
Following a failed attempt at mediation on IRC, Anonymous published both the alleged identities of its leading figures and HBGary's entire email archive online. And whilst the allegedly explosive data on Anonymous proved to be almost entirely without substance, the email archive painted a very detailed picture of the US security company's leading figures and their business dealings. Whilst it's worth bearing in mind that these emails could have been 'interfered with', plausibility checks offer no indication that this is the case.