Saturday 49

Black net ops

Filed under: Computers, Security — zundel

Fascinating reading.

Anonymous cracking and publishing the email of Aaron Barr, Greg Hoglund, and HBGary has turned up all sorts of useful information. And Ars has done a very good job analyzing it and reporting.
Nothing unknown or unsuspected, but useful confirmation.

Black ops: how HBGary wrote backdoors for the government

Why you don’t want to use Outlook, ever.

The target user would preview a specially crafted e-mail message in Outlook that took advantage of an Outlook preview pane vulnerability to execute a bit of code in the background. This code would install a kernel driver, one operating at the lowest and most trusted level of the operating system […].

When installed in a target machine, the rootkit could record every keystroke that a user typed, linking it up to a Web browser history. This made it easy to see usernames, passwords, and other data being entered into websites; all of this information could be silently “exfiltrated” right through even the pickiest personal firewall.

“This is ideal because it’s trivial to remotely seed C&C messages into any networked Windows host,” noted Hoglund, “even if the host in question has full Windows firewalling enabled.”

HBGary stockpiled and sold zero-day exploits. Nice people.
Most experts try to help the community fix security vulnerabilities. These guys were finding them and selling them.

These guys were not very good. Anonymous penetrated them easily. And they often seem really juvenile, like they wanted to be James Bond. (Shades of Ollie North.) Yet they sold ready exploits to defense contractors working for the government. Defense procurement is as sophisticated as ever. But also, most systems are easily compromised.

If you need security, don’t use anything these guys mentioned.


Wednesday 46

Supposed experts

Filed under: Computers, Security — zundel

Oh, this is good reading.

Among the many joys of Anonymous taking down Aaron Barr and HBGary (haha, and mainline Schadenfreude) comes the joy of seeing the bullshit artists exposed.

So many in the computer security business (and SEO, and … etc) are just in business. They’re just out to make a buck in what looks like a lucrative field. They know nothing.

Old geeks find the success of this bullshit very annoying. But the worm turns, and we chortle with glee. (Old geeks chortle, you know.) Now, if we could just get businesses to stop buying this bs. But no, they want flash. Think it must be difficult and complicated, arcane and secretive. Not the simple and reliable systems we use. Sigh. It’s an old problem in many fields. What to do about the snake oil salesmen and the too many fools that buy it?

There is no magic diet pill or exercise machine, etc. Get off the couch, etc.

Anonymous speaks: the inside story of the HBGary hack by Peter Bright

For a security company to use a CMS that was so flawed is remarkable. Proper handling of passwords—iterative hashing, using salts and slow algorithms—and protection against SQL injection attacks are basic errors. Their system did not fall prey to some subtle, complex issue: it was broken into with basic, well-known techniques.

Alas, two HBGary Federal employees—CEO Aaron Barr and COO Ted Vera—used passwords that were very simple; each was just six lower case letters and two numbers. [….] and so it was that their passwords were trivially compromised.

Neither Aaron nor Ted followed best practices. Instead, they used the same password in a whole bunch of different places, including e-mail, Twitter accounts, and LinkedIn. For both men, the passwords allowed retrieval of e-mail. However, that was not all they revealed.

By a stroke of luck, the HBGary system was vulnerable to just such a flaw. The error was published in October last year, conveniently with a full, working exploit. By November, most distributions had patches available, and there was no good reason to be running the exploitable code in February 2011.

The thing is, none of this is unusual. Quite the opposite. The Anonymous hack was not exceptional: the hackers used standard, widely known techniques to break into systems, find as much information as possible, and use that information to compromise further systems.

Ars has had some great coverage:

How one man tracked down Anonymous—and paid a heavy price

Spy games: Inside the convoluted plot to bring down WikiLeaks
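The password handling and SQL injection protection named in the Ars excerpt above, as an added example that is not from this blog or from the Ars article. It contrasts a single fast, unsalted hash with a salted, iterated one and uses bound parameters for every query; MD5 as the contrast hash, the table layout, the iteration count and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumed work factor; raise it as far as login latency allows

def weak_hash(password):
    # Contrast case: one round of a fast, unsalted hash (MD5 as an assumed stand-in).
    # Equal passwords always give equal hashes, so precomputed tables apply.
    return hashlib.md5(password.encode()).hexdigest()

def slow_hash(password, salt, iterations=ITERATIONS):
    # Salted and iterated: each guess costs `iterations` HMAC-SHA256 rounds.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, iters INTEGER, hash BLOB)")
    return db

def add_user(db, name, password):
    salt = os.urandom(16)  # fresh random salt per user
    # Bound parameters (?) keep user input out of the SQL text entirely.
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               (name, salt, ITERATIONS, slow_hash(password, salt)))

def stored_hash(db, name):
    return db.execute("SELECT hash FROM users WHERE name = ?", (name,)).fetchone()[0]

def verify(db, name, password):
    row = db.execute("SELECT salt, iters, hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, iters, stored = row
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(stored, slow_hash(password, salt, iters))

if __name__ == "__main__":
    db = open_store()
    add_user(db, "alice", "abcdef12")  # constructed sample credentials
    add_user(db, "bob", "abcdef12")    # same password, different salt
    print("weak hashes equal:", weak_hash("abcdef12") == weak_hash("abcdef12"))
    print("salted hashes differ:", stored_hash(db, "alice") != stored_hash(db, "bob"))
    print("good login:", verify(db, "alice", "abcdef12"))
    print("quote in name is plain data:", verify(db, "alice' --", "abcdef12"))
```

Storing the iteration count per row lets the work factor be raised later without invalidating existing accounts.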

Monday 44

H B Gary’s Zero-Days

Filed under: Computers, Security — zundel

If HBGary advertised that they could attack them, you don’t want to use them.
