Google Bidding for Nortel's Telecom Patents

In the news yesterday we found out that Google has bid US$900 million for a range of 6,000 telecoms patents from Nortel covering wireless, wired and digital communication technologies.

Quoting Google's blog post:

One of a company’s best defenses against this kind of litigation is (ironically) to have a formidable patent portfolio, as this helps maintain your freedom to develop new products and services. Google is a relatively young company, and although we have a growing number of patents, many of our competitors have larger portfolios given their longer histories.

Many of these patents are interesting in that they relate to a broad spectrum of telecoms, and if it is indeed purely for defensive purposes then it certainly seems like a logical acquisition. At this stage, however, they are just a bidder. Let's wait and see if Apple, Oracle, etc. decide to ruin the party.

It is a shame that companies have to resort to such defenses instead of there being meaningful patent reform. It's a huge problem which does need to be seriously addressed. Small companies are at a huge disadvantage against the large corporations, which ultimately is holding back innovation.

 

HBGary Federal Compromise Review

I wanted to take a little time to quickly analyze the compromise of HBGary Federal that was all over the news in February and March. It is somewhat infuriating to see these same types of basic errors from companies that specialize in security.

From all the reports online, the initial entry was SQL injection on the HBGary Federal website, which led to the necessary access. Rather than that access being limited to the webserver, privilege escalation vulnerabilities had gone unpatched for over a year on the server powering the HBGary Federal website. What's more, this led to access to the Google Apps account, as employees re-used the same passwords, and this ultimately led to the email spool dump.

After the emails were accessed, a simple bit of social engineering (although probably the most impressive part of the entire drama) was used to gain access to the servers for rootkit.com. Then the entire rootkit.com database was published online; there is also a website at http://dazzlepod.com/rootkit/ which contains large portions of the database passwords in plain text.

Now there are lots of aspects that could be covered on this, but I do not particularly want to give this much attention and only had a few things to say on the matter. There is a series of basic errors that are frankly unacceptable from any company, let alone a company specializing in security: re-using passwords, utilizing simple passwords, not patching servers, password authentication being used and SQL injection on their web application, just to name a few.

The very fact that Aaron Barr, and others, re-used passwords is simply unforgivable and they should not be allowed in the security industry. These are the very people that have the nerve to preach security to others. Given the type of media whore Aaron Barr is and wanted to become, one has to wonder just how many articles, whitepapers and talks he has given to others on password security. I find this to be stupidity of the highest order, and while I do not wish to see anyone's career ruined, frankly in this instance it was deserved.

Obviously it’s not possible to audit every single last line of every single last piece of software that is utilized across the entire stack (from the application itself, the interpreter, the webserver, the OS and all modules etc. in between), so had undisclosed vulnerabilities been used and a bit of effort been needed to get past defenses, then fair enough, give kudos to whoever carried it out. That’s the real thing that grates on me: the ease with which it was possible to jump from A->B->C, when basic defenses would have made this much more difficult to achieve and kept it more isolated.

The last paragraph was the entire purpose of this entry: the most basic of errors allowing these situations to happen. Companies specializing in security should know all about segregation, patching, passwords and heck – auditing (where in amongst all of this did they audit their own systems... it’s frankly pathetic).

In summary, while the HBGary Federal compromise basically was allowed to occur in the same manner as ones like Gawker, it has to be treated in a league of its own for the fact they provide security services to governments and others. The sheer stupidity of not auditing your own systems, not having basic policies and allowing this incident to occur is mind blowing. The only thing worse is clients and governments that continue to use HBGary/HBGary Federal after this.

New Start

It’s 2011, 7 years after HostGeekZ was created. The old site has not been updated since 2006, so rather than just refresh content we have gone for a complete change. We needed a home for a new blog for our Linux server management company and this seems like the perfect place.

A little bit of history: HostGeekZ was created in 2004 as a source of web hosting news, server management tutorials and documentation. Up until 2006 we did keep this updated regularly with new content, useful and helpful guides and our most popular RoundCube Patch for cPanel (this was before it was available as standard with cPanel).

In 2006, due to demand, we launched a new business offering Linux Server Management, MySQL DBA and Infrastructure Management, which took the focus away from HostGeekZ, and this is ultimately what the last 5 years have been spent on. As the focus on commenting on and analyzing hosting industry news was lost and the site was solely tutorials, combined with the fact they have not been updated since 2006, we have decided to retire the old content and archive it. The useful entries we shall rewrite and update for the blog, but from here on in this will be the blog for our business.

Some topics we will cover:

Backup Management and Maintenance
CDN Implementation,  Benefits and Cost
Cloud Management
Cloud Challenges
Distributed Monitoring
Hosting Industry Acquisitions
Hosting Industry Products
Infrastructure Budgeting
Infrastructure Management
LAMP Scaling
Most Recent IT Related News
MySQL Performance Optimization
New Ideas
NoSQL movement
Outages
Performance Benchmarks
Security Topics

The coming entries will be:

HBGary Compromise Review
We will analyze what we believe happened from what documentation is available, how it could have been prevented and its impacts.

Filtering DDoS with nginx proxy
This shall be a 2 part entry on how to use proxies to filter HTTP floods with nginx using JavaScript cookies.

Filtering iframe DDoS with nginx
Following on from the first entry, we will cover how to adapt this to filter iframe DDoS, which loads a JavaScript engine to get around the previous solution.

OpenStack's Future and Rackspace Support
We will discuss the future for OpenStack and the benefits of the newly announced Rackspace division, “Cloud Builders”.