ArsTech reveals the technical details of the Anonymous hack on HBGary


shabby

Diamond Member
Oct 9, 1999
5,782
45
91
Anyone who enjoyed the linked article should check out the rest in the series they did. They were even better.

Here are 4 more.
http://arstechnica.com/tech-policy/...-tracked-anonymousand-paid-a-heavy-price.ars/
http://arstechnica.com/tech-policy/news/2011/02/the-ridiculous-plan-to-attack-wikileaks.ars
http://arstechnica.com/tech-policy/...ace-to-face-when-aaron-barr-met-anonymous.ars
http://arstechnica.com/tech-policy/...m-working-with-fbi-youve-angered-the-hive.ars

One of those five was allegedly a 16-year old girl, who "social engineered your admin jussi and got root to rootkit.com," one Anonymous member explained in IRC.

Another, pleased with power, harassed Penny Leavy and her husband, who sat beside her during the chat: "How does it feel to get hacked by a 16yr old girl?" One can almost hear the taunt echoing from some kind of grade school playground.

That's gold, baby!
 

Lifted

Diamond Member
Nov 30, 2004
5,748
2
0
I'm no expert, but I was hoping for a cliffs version half way through the first page, especially since we already knew 80% of this. Here are the main bits of new material, for those that have been following this.

Cliffs:


  1. CMS for hbgaryfederal.com was a custom job, outsourced to some incompetent unnamed company, though the code was never reviewed by HBGary so boohoo for them.
  2. Article provides the SQL injection that was allegedly used to access the db, but doesn't go into enough detail about it.
  3. No salt used with the MD5 hash (article went on and on and on about this and rainbow tables... could have just linked to wikipedia IMO)
  4. CEO and COO passwords consisted of few lowercase letters and some numbers w/ no special characters - GOTO 3 for pwnage.
  5. Article didn't state if same password was used for google-apps email, but it appears CEO did that, and was also the administrator for the company account there.
  6. The sysadmin was not an HBGary employee, but a Nokia employee (Chief Security Specialist) who had root access to the site. A friend or consultant - what's the relationship? Again, no details in the article.
That's the info that was new to me, and I've only read the first synopsis of events that came out of this.

Worst part was reading through some of the Anonymous IRC channel logs to see what the owner of HBGary, Penny Leavy, had said. Picture all the 15 year olds from 4chan gone amok on an IRC channel. Either the channel ops there purposely allowed this to hide their identities, or they are actually 15 year olds from 4chan. There is also the possibility that they are actually intelligent adults who unfortunately resemble "comic book guy" / WOW player stereotype, and thus have no social skills to speak of.
 

mcmilljb

Platinum Member
May 17, 2005
2,144
2
81
Here is the hilarious part to me. My wife has a master's in chemistry and a minor in computer science. A bunch of our friends decided to have a college pick'em league. My wife took the time to write a web app for selecting the games and letting everyone pick the games and keeping score.

What did she do? She protected against SQL injection as it is a common issue. She salted and hashed the passwords using SHA-512. She also required 8 character complex passwords including upper,lower, numbers, and special characters.

This was all for a stupid little web app. Why? Because she knew the risk that if someone hacked this stupid little website, they would have email addresses and if someone reused a password, then that would be really bad. We also didn't want to know that information anyways.

It is sad that my wife took those precautions and these "security" numbnuts didn't practice any of the basic crap.

Dude, that is a keeper! I am jealous ;)

I have some ideas about the SQL injection. You can tell from the URL they were using PHP. When you use PHP, the server is going to take the input from the PHP request, process it through PHP, and then execute the SQL statement. Their CMS probably had most pages go through pages.php, but it did not check the parameters while processing the request. If you want to get a better idea how this works, let's use AT's forum URL as an example.

forums.anandtech.com/forumdisplay.php?f=14 - That takes you to OT
forums.anandtech.com/forumdisplay.php?f=24 - That takes you to P&N

Obviously the f variable tells the server which thread to go to. You could change the value to something else and try sending it to the server and see if it parses it correctly and checks for valid input. Do not actually try that here, but that's essentially what they did to HBGary's website. What does "pages.php?pageNav=2&page=27" mean? I have no clue. However it brought up data that they wanted, and they grabbed it out of the web server's response.
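The password-storage half of the post above (salted hashes, SHA-512, an 8-character complexity rule) contrasted with the unsalted MD5 that Lifted's point 3 describes, as an added Python example; this is not code from the thread or from any HBGary or AnandTech system. The helper names, the iteration count and the sample passwords are constructed for illustration, and the salted SHA-512 is applied through PBKDF2 rather than a single digest, which is the form a practitioner would deploy today.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Optional

# Constructed choice for the example; raise it until a hash takes tens of
# milliseconds on the real server.
ITERATIONS = 200_000


def md5_unsalted(password: str) -> str:
    """The scheme the article says HBGary's CMS used: plain MD5, no salt.

    Two users with the same password get the same digest, and any digest
    can be looked up in a precomputed (rainbow) table.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class StoredPassword:
    """What the user table actually keeps: salt, digest, and the work factor."""
    salt: bytes
    digest: bytes
    iterations: int


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> StoredPassword:
    """Salted SHA-512 through PBKDF2; a fresh 16-byte random salt per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return StoredPassword(salt, digest, iterations)


def verify_password(password: str, stored: StoredPassword) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    stored.salt, stored.iterations)
    return hmac.compare_digest(candidate, stored.digest)


# The complexity rule from the post: 8+ chars with upper, lower, digit, special.
_POLICY = (
    re.compile(r"[A-Z]"),
    re.compile(r"[a-z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^A-Za-z0-9]"),
)


def meets_policy(password: str) -> bool:
    """True only if the password satisfies every class in the rule."""
    return len(password) >= 8 and all(p.search(password) for p in _POLICY)


def demo() -> None:
    # Constructed sample passwords; the second matches the pattern Lifted
    # describes for the CEO and COO (a few lowercase letters and digits).
    weak, strong = "abc123", "Pick'em-2011!"
    print("md5 of two identical weak passwords:",
          md5_unsalted(weak) == md5_unsalted(weak))
    a, b = hash_password(strong), hash_password(strong)
    print("salted digests differ for the same password:", a.digest != b.digest)
    print("verify correct:", verify_password(strong, a))
    print("verify wrong:", verify_password(weak, a))
    print("weak meets policy:", meets_policy(weak))
    print("strong meets policy:", meets_policy(strong))


if __name__ == "__main__":
    demo()
```

With the salted form, an attacker who dumps the table has to run the work factor separately against every user, so a cracked hash for one account says nothing about another; with unsalted MD5 one lookup table covers the whole dump, which is the point the article spent so long on.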
 

Cogman

Lifer
Sep 19, 2000
10,286
147
106
Dude, that is a keeper! I am jealous ;)

I have some ideas about the SQL injection. You can tell from the URL they were using PHP. When you use PHP, the server is going to take the input from the PHP request, process it through PHP, and then execute the SQL statement. Their CMS probably had most pages go through pages.php, but it did not check the parameters while processing the request. If you want to get a better idea how this works, let's use AT's forum URL as an example.

forums.anandtech.com/forumdisplay.php?f=14 - That takes you to OT
forums.anandtech.com/forumdisplay.php?f=24 - That takes you to P&N

Obviously the f variable tells the server which thread to go to. You could change the value to something else and try sending it to the server and see if it parses it correctly and checks for valid input. Do not actually try that here, but that's essentially what they did to HBGary's website. What does "pages.php?pageNav=2&page=27" mean? I have no clue. However it brought up data that they wanted, and they grabbed it out of the web server's response.
It won't work here. And even if it did, the administration would be happy to know about a security hole.
 

mcmilljb

Platinum Member
May 17, 2005
2,144
2
81
It won't work here. And even if it did, the administration would be happy to know about a security hole.

I figured it would not, but I did not want to make it sound like I was encouraging someone to actually try something. I'm sure they have enough bad guys trying things.
 

Gooberlx2

Lifer
May 4, 2001
15,381
6
91
It won't work here. And even if it did, the administration would be happy to know about a security hole.

LOL, that's a little debatable, considering some history here. Who was it that:

1. discovered a security hole in the at forums
2. mod forum something
3. ....
4. went out with a bang
 

silverpig

Lifer
Jul 29, 2001
27,703
12
81
SQL injection, in comic form:

exploits_of_a_mom.png
 

lxskllr

No Lifer
Nov 30, 2004
60,385
10,778
126
I figured it would not, but I did not want to make it sound like I was encouraging someone to actually try something. I'm sure they have enough bad guys trying things.

If you wanted to try to see what happens, Google "hack vbforums 3.8.6". That should bring up potential vulnerabilities, and how to exploit them. The flaws have likely been patched, but if not, I'm sure someone here would like to know that.
 

Aikouka

Lifer
Nov 27, 2001
30,383
912
126
SQL injection hacks are kind of annoying... usually caused when people don't validate data properly. The worst is when you don't validate a field at all (or add escape characters), so all the person has to do is end your current SQL command and start another inside the entry field.
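mcmilljb's walk-through of a `pages.php?page=27` parameter reaching the database unchecked, and Aikouka's point that an unvalidated field lets the request change the query, as an added Python example (not code from the thread, and not the HBGary CMS, which was PHP). The in-memory SQLite table, the URL, and the page ids are constructed; the lookup names are hypothetical. The vulnerable function builds the query by string formatting the way an unchecked CMS would; the hardened one validates the parameter as an integer and binds it, so the request can only ever pick a row, never rewrite the statement.

```python
import sqlite3
from typing import List, Tuple
from urllib.parse import parse_qs, urlparse

Row = Tuple[int, str]


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for a CMS pages table; row 27 is an unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [(1, "Home", 1), (2, "About", 1), (27, "Draft pricing", 0)],
    )
    return conn


def page_param(url: str) -> str:
    """Pull the `page` query parameter out of a request URL, as pages.php would."""
    return parse_qs(urlparse(url).query).get("page", [""])[0]


def lookup_vulnerable(conn: sqlite3.Connection, page: str) -> List[Row]:
    """The unchecked pattern: the raw parameter is pasted into the SQL text.

    Whatever the parameter contains becomes part of the WHERE clause, so the
    `published = 1` guard can be switched off from the query string.
    """
    sql = f"SELECT id, title FROM pages WHERE published = 1 AND id = {page}"
    return conn.execute(sql).fetchall()


def is_valid_page_id(page: str) -> bool:
    """Validation step: a page id is a short string of digits, nothing else."""
    return page.isdigit() and len(page) <= 9


def lookup_safe(conn: sqlite3.Connection, page: str) -> List[Row]:
    """Validate, then bind the value as a parameter so it is data, not SQL."""
    if not is_valid_page_id(page):
        raise ValueError(f"rejected page parameter: {page!r}")
    sql = "SELECT id, title FROM pages WHERE published = 1 AND id = ?"
    return conn.execute(sql, (int(page),)).fetchall()


def demo() -> None:
    conn = build_db()
    normal = page_param("http://cms.example.invalid/pages.php?pageNav=2&page=2")
    # Constructed input that ends the intended condition and appends another.
    hostile = "27 OR 1=1"
    print("vulnerable, normal request:", lookup_vulnerable(conn, normal))
    print("vulnerable, hostile request:", lookup_vulnerable(conn, hostile))
    print("safe, normal request:", lookup_safe(conn, normal))
    try:
        lookup_safe(conn, hostile)
    except ValueError as exc:
        print("safe, hostile request:", exc)


if __name__ == "__main__":
    demo()
```

The hostile request returns every row from the vulnerable lookup, unpublished draft included, because the parameter rewrote the query's logic; the same request never reaches the database in the hardened version, and even a value that passes validation is bound as a literal. Logging the rejection is the cheap detection win: a `page` parameter containing spaces or quotes is never a legitimate click.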