Yesterday I took a trip to UNO to listen to a presentation from one of our bioinformatics professors on immunology. We’re working on some research proposals to develop network defense techniques based on biological immune systems – why reinvent the wheel if nature already has some cool ideas, eh? After the presentation we got to talking about HB Gary’s recent run-in with Anonymous, and I thought I’d make some commentary which likely no one will read.
First, let me point to a couple posts I made in 2009 about social engineering and users being the weakest link:
Wikipedia has as good a definition of social engineering as any:
Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.
This is a term of art which has been popularized in security parlance; the first link to the <>< post has a YouTube clip from the movie Hackers which illustrates the concept quite poignantly.
Anonymous is an ‘anonymous’ group of individuals who entered common cognizance with their exploits against Scientology. They’ve made recent headlines for Distributed Denial of Service attacks against companies and organizations which have acted against Wikileaks. Their tool of choice is actually an open-source project, and it allows anyone to join in or to voluntarily turn control over to someone else in directing an attack. The merits and flaws of their political statements, the legality of their actions, and the technical analysis of the tool itself are beyond my scope here. It suffices to understand that Anonymous is a group of individuals who have been conducting DDoS attacks against third parties as retaliation for those parties being perceived as attacking Wikileaks in some manner.
HB Gary and HB Gary Federal are security companies: the former dealt with reverse engineering tools for virus and malware analysis, and the latter did consulting work for the federal government. As I understand it the former owned a stake in the latter, and they were not a single company. In any event, HB Gary allegedly was attempting to de-anonymize Anonymous by linking IRC handles back to social networking user names (Facebook, Twitter, etc.) and was going to convey this information to the FBI (there is confusion about whether they were going to sell it or give it away). I have not personally seen the report, but if HB Gary would like to send me a copy I’d love to evaluate it myself. Some bloggers have been critical about the merits of this approach (and by “critical” I am being nice about their viewpoint), but without seeing the data itself I can’t say for certain. I can say that methods similar to this have borne fruit in the past, as people often use the same handles in different settings – you know, like everyone. Now, in this case Anonymous members are trying to stay anonymous, so one would expect they would use something new, but who knows.
So what happened?
A lot of news sites are lean on details, but I did find one which had a quote:
“They broke into one of HBGary’s servers that was used for tech support, and they got emails through compromising an insecure Web server at HBGary Federal,” Hoglund said. “They used that to get the credentials for Aaron, who happened to be an administrator on our email system, which is how they got into everything else. So it’s a case where the hackers break in on a non-important system, which is very common in hacking situations, and leveraged lateral movement to get onto systems of interest over time.”
This jibes with what was discussed yesterday in the lab. My understanding is that the first server was compromised with an SQL injection, which got them into the internal network. The link above has a screenshot of an email exchange. In it the email account firstname.lastname@example.org sent an email to a Gmail account for what I presume to be the administrator. This likely indicates the exchange occurred after the tech support web server (likely a ticketing system of some sort) and the email server had been compromised (which I assume because they must have been intercepting Greg’s email by that point to get the replies – elementary, I know, but it needed to be stated as what I am assuming). The initial request lists two passwords and asks the admin which is still valid. Likely, then, these passwords were culled from one of the other servers as a root password and the attacker was attempting to determine if the password was used globally. I would say it is likely those passwords were valid, as the admin did not question them; I know if I had a similar request and the company owner said “is the root password still purplejam123” I would be very curious and cautious if I had never used such a password.
The reply from the admin asking if Greg had a public IP or if he should just drop the ‘fw’ (firewall) is telling. This means remote SSH access was likely restricted to specific known IP addresses: if Greg had a public IP then the admin could have added it to the allow list, whereas the alternative, dropping the firewall, would allow anyone to connect via remote SSH (provided they had the login and password, of course). The admin, after being given the excuse that Greg was in a rush and about to go into a meeting, reset the password to the one the attacker requested and provided them with the port the SSH daemon was running on (common practice is to run certain services on alternate ports to avoid port scans for common open ports via nmap and the like).
After that, I can’t say. I assume they obtained root access (Greg was likely able to sudo?), and with root, SSH access, and no firewall, their network effectively had a big open wound into which Anonymous flowed, destroying data, deleting backups, compromising Twitter accounts, etc.
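As an added example from the defender’s side (not code from the original post or from HB Gary), here is a small log check that would flag the sequence described above: a password change for an account followed shortly by an SSH login for that account from an address outside the firewall allow-list. The allow-list, hostnames and log lines are constructed samples.

```python
"""Flag SSH logins that follow a password change and/or arrive from outside
the firewall allow-list. Log lines and allow-list are constructed samples."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed allow-list: the only sources the firewall should permit SSH from.
ALLOWED_SSH_SOURCES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.7/32")]

PASSWD_RE = re.compile(r"^(\S+) \S+ passwd\[\d+\]: password changed for (\S+)")
SSH_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port \d+")


def find_suspicious_logins(lines, window=timedelta(hours=1)):
    """Return SSH logins that are outside the allow-list and/or happen
    within `window` after a password change for the same account."""
    last_change = {}  # user -> time of the most recent password change
    findings = []
    for line in lines:
        m = PASSWD_RE.match(line)
        if m:
            last_change[m.group(2)] = datetime.fromisoformat(m.group(1))
            continue
        m = SSH_RE.match(line)
        if not m:
            continue
        ts, user, src = datetime.fromisoformat(m.group(1)), m.group(2), ip_address(m.group(3))
        reasons = []
        if not any(src in net for net in ALLOWED_SSH_SOURCES):
            reasons.append("source outside SSH allow-list")
        changed = last_change.get(user)
        if changed is not None and timedelta(0) <= ts - changed <= window:
            reasons.append("login within %s of password change" % window)
        if reasons:
            findings.append({"time": ts, "user": user, "source": str(src), "reasons": reasons})
    return findings


# Constructed sample log: one benign login, then a password reset for "greg"
# followed minutes later by a login from an address not on the allow-list.
SAMPLE_LOG = """\
2011-02-05T09:12:03 mailsrv sshd[1800]: Accepted password for ops from 192.0.2.14 port 40212 ssh2
2011-02-05T14:03:11 mailsrv passwd[2211]: password changed for greg
2011-02-05T14:09:40 mailsrv sshd[2290]: Accepted password for greg from 203.0.113.45 port 51022 ssh2
2011-02-05T16:40:00 mailsrv sshd[2350]: Accepted password for greg from 198.51.100.7 port 40300 ssh2
""".splitlines()

if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_LOG):
        print(finding)
```

Only the 14:09 login is reported, with both reasons; the later login from an allowed address and outside the one-hour window is not.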
Anonymous’ statement ended with “It would appear security experts are not expertly secure.” This wasn’t really a security issue; this was an individual’s blunder, and that is a conundrum too, which was brought up in the lab. How many sysadmins can say no to a direction from the CEO? I have done exactly that over the same kind of issue: no, I will not give you an admin password over the phone, I will not do it in the rain, on a train, yada yada. But I was lucky enough to be in a position where I had job security, and the CEO trusted my judgment and had long made peace with the fact that I can be goofy paranoid when it comes to security. Still, even the most adept security expert isn’t perfect, and the number of people looking for any weakness versus the finite effort an expert can put in to plug those holes is a losing game. The best we can hope for is to mitigate, repair, and restore.