Wednesday 46

Supposed experts

Filed under: Computers, Security — zundel

Oh, this is good reading.

Among the many joys of Anonymous taking down Aaron Barr and HBGary (haha, and mainline Schadenfreude) comes the joy of seeing the bullshit artists exposed.

So many in the computer security business (and SEO, and … etc) are just in business. They’re just out to make a buck in what looks like a lucrative field. They know nothing.

Old geeks find the success of this bullshit very annoying. But the worm turns, and we chortle with glee. (Old geeks chortle, you know.) Now, if we could just get businesses to stop buying this bs. But no, they want flash. Think it must be difficult and complicated, arcane and secretive. Not the simple and reliable systems we use. Sigh. It’s an old problem in many fields. What to do about the snake oil salesmen and the too many fools that buy it?

There is no magic diet pill or exercise machine, etc. Get off the couch, etc.

Anonymous speaks: the inside story of the HBGary hack by Peter Bright

For a security company to use a CMS that was so flawed is remarkable. Proper handling of passwords—iterative hashing, using salts and slow algorithms—and protection against SQL injection attacks are basic errors. Their system did not fall prey to some subtle, complex issue: it was broken into with basic, well-known techniques.

Alas, two HBGary Federal employees—CEO Aaron Barr and COO Ted Vera—used passwords that were very simple; each was just six lower case letters and two numbers. […] and so it was that their passwords were trivially compromised.

Neither Aaron nor Ted followed best practices. Instead, they used the same password in a whole bunch of different places, including e-mail, Twitter accounts, and LinkedIn. For both men, the passwords allowed retrieval of e-mail. However, that was not all they revealed.

By a stroke of luck, the HBGary system was vulnerable to just such a flaw. The error was published in October last year, conveniently with a full, working exploit. By November, most distributions had patches available, and there was no good reason to be running the exploitable code in February 2011.

The thing is, none of this is unusual. Quite the opposite. The Anonymous hack was not exceptional: the hackers used standard, widely known techniques to break into systems, find as much information as possible, and use that information to compromise further systems.

Ars has had some great coverage:

How one man tracked down Anonymous—and paid a heavy price

Spy games: Inside the convoluted plot to bring down WikiLeaks



  1. In a statement emailed to The Tech Herald, Anonymous called Barr’s actions media-whoring, and noted that his claims had amused them.

    “Let us teach you a lesson you’ll never forget: you don’t mess with Anonymous. You especially don’t mess with Anonymous simply because you want to jump on a trend for public attention,” the statement directed to HBGary and Barr said.

    “You have blindly charged into the Anonymous hive, a hive from which you’ve tried to steal honey. Did you think the bees would not defend it? Well here we are. You’ve angered the hive, and now you are being stung. It would appear that security experts are not expertly secured.”

    Too ignorant to know what he messed with. Too arrogant to realize his own vulnerability. Some security expert.

    Comment by zundel — Wednesday 46 @ am



Blog at WordPress.com.