The thing about the HBGary Federal hack is that there is no part of it that should have worked. There is a custom CMS with a SQL-injection bug — not WordPress, not Drupal, not anything you can argue was inevitable, but a thing that someone wrote in PHP for the company website and someone else signed off as ready for production. There are unsalted MD5 password hashes in the database, eight-character passwords made of six lowercase letters and two digits, and a password-reuse pattern that runs across the company website, the support Linux box, Aaron Barr's Twitter, his LinkedIn, his Yahoo, and — most damningly — Google Apps administration for the company's email. There is a stale Linux box you can root with a public privilege-escalation exploit for a bug that had been fixed upstream months before the attack and never patched on that machine. There is a sysadmin at the sister site, rootkit.com, who resets the root password and hands it over by email to someone he believes is Greg Hoglund, because the request arrived from Hoglund's compromised Gmail account. By the time you stack the failures up, the question is not how Anonymous broke in. The question is how anything HBGary Federal touched stayed standing as long as it did.
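The first three failures in that list chain into one another, so here is a small Python model of the chain. It is an added illustration, not code from this post, from HBGary Federal's CMS or from the Ars Technica write-up: a page lookup built by string concatenation, the UNION payload that pulls the user table out through it, a one-table crack of the unsalted hashes, and then the parameterised query and salted, iterated hash that close both holes. The table layout, the addresses, the two passwords (chosen to follow the six-letters-two-digits pattern) and the word list are all constructed for the example.

```python
"""
Constructed demonstration, not code from HBGary or from the Ars Technica piece:
a CMS page lookup built by string concatenation, the UNION injection that pulls
the user table out through it, why bare MD5 over "six lowercase letters plus
two digits" passwords falls to a single precomputed table, and the
parameterised query plus salted, iterated hash that close both holes.
Table layout, e-mail addresses, passwords and word list are all invented.
"""
import hashlib
import hmac
import itertools
import os
import sqlite3
import string

DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pwhash TEXT);
INSERT INTO pages VALUES (1, 'Home', 'Welcome'), (2, 'About', 'About us');
""")


def md5_hex(password: str) -> str:
    """Unsalted, single-round MD5: what the compromised CMS stored."""
    return hashlib.md5(password.encode()).hexdigest()


# Invented accounts following the weak pattern described in the text.
for uid, email, pw in [(1, "ceo@example.test", "tomato42"),
                       (2, "coo@example.test", "pickle07")]:
    DB.execute("INSERT INTO users VALUES (?, ?, ?)", (uid, email, md5_hex(pw)))


def page_vulnerable(page_id: str) -> list:
    """page_id comes straight off the query string; the concatenation is the bug."""
    return DB.execute("SELECT title, body FROM pages WHERE id = " + page_id).fetchall()


def page_fixed(page_id: str) -> list:
    """Reject anything that is not an integer, then bind the value as a parameter."""
    if not page_id.isdigit():
        return []
    return DB.execute("SELECT title, body FROM pages WHERE id = ?", (int(page_id),)).fetchall()


# The attacker's payload: a second SELECT glued onto the lookup with UNION.
INJECTION = "2 UNION SELECT email, pwhash FROM users"


def steal_hashes() -> dict:
    """Drive the vulnerable lookup with the payload; user rows come back as 'pages'."""
    return {title: body for title, body in page_vulnerable(INJECTION) if "@" in title}


def keyspace_size(letters: int = 6, digits: int = 2) -> int:
    """Size of the six-lowercase-plus-two-digit space: 26**6 * 10**2."""
    return len(string.ascii_lowercase) ** letters * len(string.digits) ** digits


def crack_unsalted(hashes: set, words: list) -> dict:
    """
    Build one table of md5(word + two digits) and look every stolen hash up in it.
    Without salts the table is computed once and serves every user in the dump.
    The word list here is tiny so the demo is instant; the full 3.1e10 space is
    small enough to exhaust with commodity hardware as well.
    """
    table = {}
    for word in words:
        for d1, d2 in itertools.product(string.digits, repeat=2):
            candidate = word + d1 + d2
            table[md5_hex(candidate)] = candidate
    return {h: table[h] for h in hashes if h in table}


def hash_password(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the salt is stored beside the hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    stolen = steal_hashes()
    print("stolen via injection:", stolen)
    print("cracked:", crack_unsalted(set(stolen.values()), ["orange", "tomato", "pickle", "secret"]))
    print("keyspace:", keyspace_size())
    print("fixed lookup fed the payload:", page_fixed(INJECTION))
    h = hash_password("tomato42")
    print("salted:", h, verify_password("tomato42", h))
```

The point the numbers make: with no salt, one precomputed table cracks every account in the dump, and two users with the same password have the same hash, so one crack is several. With a per-user salt and a deliberately slow derivation, each account costs the attacker a fresh run over the keyspace, and the same password hashes differently for every user.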

Peter Bright's piece at Ars Technica earlier this week ("Anonymous speaks: the inside story of the HBGary hack") is, as far as I can tell, the definitive walk-through. It is also the rare example of journalism on a hacker incident that names the technical errors precisely enough that the operator community can use them in their own work — not as gloating but as a checklist of "things we cannot have happen". I have already cited it in two pen-test reports going out this week.

The proximate cause was Aaron Barr, the chief executive of HBGary Federal, telling Joseph Menn at the Financial Times on the fourth of this month that he had identified the leadership of Anonymous and would be presenting his analysis at B-Sides San Francisco on the fourteenth. The talk did not happen. Anonymous-aligned operators broke in on the night of the fifth, defaced hbgaryfederal.com with a press release of their own, defaced rootkit.com for good measure, and over the following week put seventy thousand of the company's emails on a public mirror. As a side effect, they also took the entire HBGary Federal client and proposal archive.

What was in the emails is the part of this story that will outlast the technical analysis. The largest single thread was Team Themis — a proposal HBGary Federal had been developing jointly with Palantir Technologies and Berico Technologies for the lawyers Hunton & Williams, on behalf of Bank of America. The proposal, which Glenn Greenwald has now written up at length, set out a programme of intelligence activity against WikiLeaks supporters and journalists — including, by name, Greenwald himself — designed to discredit them and apply pressure to their employers. Whether or not Bank of America had given the green light is a question I will defer to the people doing the legal reporting; the existence of the proposal in a polished and circulated form is the thing that should worry anyone who thought HBGary Federal was just a small US government contractor of the standard kind. It was apparently quite happy to do opposition research against journalists for corporate clients with a dispute to win.

I am dwelling on the technical errors because I want to be honest with myself and with the people I work with. The same errors are present in the engagements I run through Hedgehog. Not all of them in any one place, and rarely all five at the worst level, but at least three of: a custom CMS with a SQL-injection vulnerability that has been there for years; password hashes without salt; passwords reused across the corporate site, the SaaS layer, and the personal services of the people with admin rights; a Linux server inside the perimeter that has not been patched in eighteen months; and a culture of administrative credentials being handed around between the people who actually keep things running, on the implicit trust that a request that comes from inside the team is from inside the team. I have seen the third item — the credential-reuse pattern from corporate identity into Google Apps administration — at three engagements in the last twelve months, and at all three the conversation about resolving it was of the form "yes we know, it is on the list". HBGary Federal is the cost of leaving it on the list.

The rootkit.com angle deserves its own note. Jussi Jaakonaho, who reset the root password and opened SSH access on the strength of an email that appeared to come from Hoglund, was not stupid and did not act without thinking. The exchange, which is in the email dump, has him asking what work needed doing, asking for details before he would act, expressing some confusion about why the credentials were being requested in this way, and then, after several rounds of back and forth, providing them. This is the part that maps directly onto the social-engineering work I have been doing more of in pen-test engagements. The defence against this is not "train people to recognise phishing", which is the usual answer, because the people who get caught in the well-resourced versions of this attack are not the people who would fall for a Nigerian-prince mail. The defence is procedural: there should be no path from "compromised email account" to "production credentials handed over in reply" without one or two steps in between that an attacker who has only the email cannot fake, such as a call back to a number already on file or a request raised from an account the attacker does not hold. We talk about this in pen-test reports as "out-of-band verification for high-value administrative requests" and clients hate it because it slows down the work of actually running the company. The HBGary Federal incident is the example I will be using to argue the point in 2011.

The piece I do not yet know how to frame is what the existence of HBGary Federal as a company tells us about the wider sector. There is now a reasonably substantial industry of small US firms doing reputation work, opposition research, social-media manipulation and, in the worse cases, what the Themis proposal was reaching towards. They sell to corporate legal departments. They sell, sometimes, to law-enforcement-adjacent customers. They are largely below the threshold at which the press notices them. Aaron Barr's mistake was to try to step up from that quiet adjacent world into a public profile, against an opponent who was not going to engage on the terms he expected, and the company did not survive the encounter. There will be other Aaron Barrs through 2011. They will probably be a bit quieter about it.

Next post will probably be the Themis material in more detail, depending on what comes out as the email dump gets more thoroughly read. Or Operation Tunisia's successor in Cairo, depending on which moves first.
