More background on the US security firm break-in
Ars Technica has documented the background of the break-in at the US security firm that tried to expose Anonymous but ended up being taken apart itself. The report explains that the attackers' point of entry was a proprietary CMS which was custom-designed for HBGary. The CMS reportedly failed to sufficiently check certain input parameters and this enabled the attackers to send SQL commands to the database via specially crafted URLs. This apparently allowed them to retrieve the CMS users' password hashes, which turned out to be simple, unsalted MD5 hashes that presented an easy target for a rainbow table attack.
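As an added illustration, not code from the Ars Technica report or from HBGary's CMS, the two weaknesses above side by side in Python: a lookup that splices a URL parameter into the SQL text next to a parameterized one, and unsalted MD5 storage next to a salted, iterated hash. The user table and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3

def make_db():
    """Constructed in-memory stand-in for a CMS user table (sample data only)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "-"), ("O'Brien", "-")])
    return con

def lookup_unchecked(con, name):
    """The flaw the report describes: a request parameter is pasted into the
    statement, so the database parses user input as SQL. Even a harmless
    name containing a quote breaks the query, which is the tell-tale symptom."""
    return con.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()

def lookup_parameterized(con, name):
    """Fix: bind the value through a placeholder; the driver never treats it as syntax."""
    return con.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def unsalted_md5(password):
    """What the CMS stored: the same password always yields the same hash, so one
    precomputed (rainbow) table covers every account in the database."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_hash(password, salt=None, rounds=200_000):
    """Salted, iterated hash: a fresh per-user salt defeats precomputation and the
    iteration count slows guessing. Stored as hex(salt)$hex(digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex() + "$" + digest.hex()

def verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    db = make_db()
    print(lookup_parameterized(db, "O'Brien"))
    print(unsalted_md5("hunter2") == unsalted_md5("hunter2"))  # True: no salt, same hash
    h = salted_hash("hunter2")
    print(verify("hunter2", h), verify("wrong", h))
```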
The attackers subsequently found that at least HBGary Federal's CEO Aaron Barr and COO Ted Vera used their CMS passwords for various other services, including their email access and Twitter. Vera also had an account at the support.hbgary.com site, where Anonymous managed to log in via SSH using the same password. The site ran a Linux system that was still vulnerable to a security hole in the GNU C loader, disclosed last October. Ars Technica said that the vulnerability presented the uninvited guests with the opportunity to obtain root privileges on the system, which gave them access to several gigabytes of backup and research data they reportedly deleted.
The attackers also found further use for Barr's password. Being the administrator of HBGary's access to Google Apps, Barr had the right to reset other users' email passwords. This capability enabled Anonymous to access Greg Hoglund's mail box. There, the attackers found two potential root passwords for the Rootkit.com security site also operated by Hoglund. With these passwords, Anonymous managed to convince another administrator to open up the firewall and reset the user password. Using the SSH access and root password information, Anonymous then managed to access, for instance, the entire user database, which again used simple, unsalted MD5-hashed passwords.
In summary, it can be said that the level of security at HBGary was not particularly high. The break-in seems to have succeeded because of a series of flaws that could easily have been avoided: SQL injection on the website, unsalted password hashes, passwords reused across multiple services, and unpatched servers. None of this casts a good light on a company that earns its money from security software and consulting. HBGary has since all but disappeared from view; the company's stand reservation and presentations at the current RSA conference have been cancelled.
Meanwhile, there is agitated discussion in the security community about a patent that was awarded to HBGary founder Greg Hoglund and others in 2007 and involves the deliberate injection of faulty parameters for testing a target. The described method is a very basic technique for finding security holes that has been in use for a long time and is, for example, known as fuzzing.