I wanted to take a little time to quickly analyze the compromise of HBGary Federal that was all over the news in February and March. It is somewhat infuriating to see these same types of basic errors from companies that specialize in security.
From all the reports online, the initial entry was SQL injection on the HBGary Federal website, which gave the initial foothold. Rather than being limited to the webserver's own privileges, the attackers were able to go further because privilege escalation vulnerabilities on the server powering the HBGary Federal website had not been patched for over a year. What’s more, this led to access to the Google Apps account, as employees re-used the same passwords, and that in turn led to the email spool dump.
After the emails were accessed, a simple bit of social engineering (although probably the most impressive part of the entire drama) was used to gain access to the servers for rootkit.com. The entire rootkit.com database was then published online; there is also a website at http://dazzlepod.com/rootkit/ which contains large portions of the database's passwords in plain text.
Now there are lots of aspects that could be covered on this, but I do not particularly want to give this much attention and only had a few things to say on the matter. There is a series of basic errors that are frankly unacceptable from any company, let alone a company specializing in security: re-using passwords, using simple passwords, not patching servers, relying on password authentication, and SQL injection in their web application, just to name a few.
The very fact that Aaron Barr, and others, re-used passwords is simply unforgivable and they should not be allowed in the security industry. These are the very people that have the nerve to preach security to others. Given the type of media whore Aaron Barr is, and wanted to become, one has to wonder just how many articles, whitepapers and talks he has given to others on password security. I find this to be stupidity of the highest order, and while I do not wish to see anyone's career ruined, frankly in this instance it was deserved.
Obviously it’s not possible to audit every single last line of every single last piece of software that is utilized across the entire stack (from the application itself, the interpreter, the webserver, the OS and all modules etc. in between), so had undisclosed vulnerabilities been used and a bit of effort been needed to get past the defenses, then fair enough, give kudos to whomever carried it out. That's the real thing that grates on me: the ease with which it was possible to jump from A->B->C when basic defenses would have made this much more difficult to achieve and kept each step more isolated.
The last paragraph was the entire purpose of this entry: the most basic of errors allowing these situations to happen. Companies specializing in security should know all about segregation, patching, passwords and heck – auditing (where in amongst all of this did they audit their own systems... it’s frankly pathetic).
In summary, while the HBGary Federal compromise was basically allowed to occur in the same manner as ones like Gawker, it has to be treated in a league of its own for the fact that they provide security services to governments and others. The sheer stupidity of not auditing your own systems, not having basic policies and allowing this incident to occur is mind blowing. The only thing worse is clients and governments that continue to use HBGary/HBGary Federal after this.