Anonymous vs. HBGary
Jared DeMott
Principal Security Researcher
Crucial Security, Inc.
Sample Topology of Computer Crime
A Message to HBGary after Anonymous Hack
Even at the expense of some country laws and possible safety of others?
Anarchy is best?
Mostly DDoS in the Past: Scientology, Censorship, Egypt gov, Big Biz, etc
HBGary Inc.
– Greg Hoglund, Founder and CEO
– Penny Leavy-Hoglund, President
– Products
» Responder – Analyze RAM, pagefiles, VMWare images, sort & display images, network links, etc
» Digital DNA, Active Defense – Detects malware via in-memory analysis
HBGary Federal
– Aaron Barr was the CEO
– Site now says, “hbgaryfederal.com is currently offline. Please try again later”
How did Barr get into this mess? 1.1, 2.1, pwned 12 ? $$ issues!
Technical Details
Time for an Injection
– http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27
Got user database
Rainbow tables
– Non-iterative, unsalted MD5 == fairly easy to crack
Alas, two HBGary Federal employees—CEO Aaron Barr and COO Ted Vera—used passwords that were very simple; each was just six lower case letters and two numbers
– Allowed for hbgaryfederal website defacement
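Why "non-iterative, unsalted MD5" matters, and what the storage should look like instead, as an added example that is not from the presentation: identical passwords give identical unsalted digests, so one precomputed table serves every record, while a per-user salt and an iterated KDF remove that shortcut. The account names, the sample password, the record format and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware

def legacy_md5(password: str) -> str:
    """The scheme the slide describes: one round of MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$iterations$salt$digest'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    """Check a login attempt against either the legacy or the new format."""
    if "$" not in stored:  # legacy unsalted MD5 record
        return hmac.compare_digest(legacy_md5(password), stored)
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login(db: dict, user: str, password: str) -> bool:
    """Verify, then upgrade a legacy record while the plaintext is in hand."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if "$" not in stored:
        db[user] = hash_password(password)
    return True

# Constructed sample: two accounts that happen to share a password.
SAMPLE_PW = "example12"  # placeholder, not a value from the breach
users = {"alice": legacy_md5(SAMPLE_PW), "bob": legacy_md5(SAMPLE_PW)}
```

Upgrading on login only covers accounts that sign in; dormant accounts keep their MD5 records until they are reset or expired.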
Technical Details
Password Reuse
– Ted’s was good on a HBGary Linux box, support.hbgary.com
– Privilege Escalation
» Months old bug, with public exploit available
Stealing of data, and “sharing” with the world
– Makes me wonder what they found, but didn’t share....
Technical Details
Using Google Apps for email
– Aaron’s reused password led to access to his company email, but he was also an admin, FTW
– Reset Greg’s password to get his email too
» Found info about rootkit.com
Social Engineering to pwn rootkit.com
– Knew a couple things (actually just one, lolz)
» The root password to the machine running Greg's rootkit.com site was either "88j4bb3rw0cky88" or "88Scr3am3r88" (so they thought)
» Jussi Jaakonaho, Chief Security Specialist at Nokia, had root access
Social Engineering
“Greg”: Subject: need to ssh into rootkit
im in europe and need to ssh into the server. can you drop open up firewall and allow ssh through port 59022 or something vague? and is our root password still 88j4bb3rw0cky88 or did we change to 88Scr3am3r88 ? thanks
Jussi: hi, do you have public ip? or should i just drop fw? and it is w0cky - tho no remote root access allowed
Social Engineering
“Greg”: no i dont have the public ip with me at the moment because im ready for a small meeting and im in a rush. if anything just reset my password to changeme123 and give me public ip and ill ssh in and reset my pw.
Jussi: k, it should now accept from anywhere to 47152 as ssh. i am doing testing so that it works for sure. your password is changeme123 i am online so just shoot me if you need something. in europe, but not in finland? :-) _jussi
Social Engineering
“Greg”: if i can squeeze out time maybe we can catch up.. ill be in germany for a little bit. anyway I can't ssh into rootkit. you sure the ips still 220.127.116.11?
Jussi: does it work now?
Social Engineering
“Greg”: did you reset the user greg or? yup im logged in thanks ill email you in a few, im backed up thanks
Jussi: nope. your account is named as hoglund (later on…) did you open something running on high port?
Actual Emails http://hbgary.anonleaks.ch/
Actual Documents http://publicintelligence.net/tag/hbgary/
Fallout
March 1, 2011: 17 members of the United States Congress called for a congressional investigation for possible violation of federal law by Hunton & Williams and "Team Themis"
Will Anonymous be held responsible for what they did?
On Oct. 3, 2010, HBGary CEO Greg Hoglund told Aaron that “we should have a pow-wow about the future of HBGary Federal. [HBGary President] Penny and I both agree that it hasn’t really been a success… You guys are basically out of money and none of the work you had planned has come in.”
April 1st, 2011 Defcon CTF Organizers: “HBGary is awarded contract to clean CTF sheep stalls!”
Damage to others?
HBGary
Hunton&Williams?
– Kevin Zeese, a lawyer with the NGOs VelvetRevolution.us and StopTheChamber.com, filed a complaint with the Washington, D.C. Bar Association earlier this week against John Woods, Richard Wyatt Jr., and Robert Quackenboss
Palantir?
– "I have directed the company to sever any and all contacts with HB Gary," said the CEO of Palantir
Berico Technologies?
– "We find such actions reprehensible and are deeply committed to partnering with the best companies in our industry that share our core values. Therefore, we have discontinued all ties with HBGary Federal."
Maybe a bit to other DoD contractors?
– Endgames, SRA, ManTech, GD, BAH, Symantec, QinetiQ, GD …
Technical Lessons Learned
Don’t have SQL injections in your websites
Use strong passwords
– 14 chars with mix of upper, lower, numbers
» “MyTruckisC00l!!”
– Or sentence style passwords for long passwords
» “my super duper extra secretive password”
Public key crypto on ssh
2 factor authentication
– A good option to help with weak or lost passwords
Social Engineering Training
Patch systems very regularly
Email Encryption
– Shorter term storage of email as well
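An added illustration of the first lesson, not code from the presentation or from the HBGary Federal CMS: a page handler that pastes its request parameters into the SQL text, next to one that validates them as integers and binds them as values. Only the parameter names pageNav and page come from the earlier slide; the schema, rows, function names and the tampered value are constructed.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a CMS database (constructed schema and rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages (id INTEGER, nav INTEGER, title TEXT, published INTEGER);
        INSERT INTO pages VALUES (27, 2, 'Services', 1);
        INSERT INTO pages VALUES (28, 2, 'Draft: internal notes', 0);
    """)
    return db

def get_page_vulnerable(db, page_nav: str, page: str):
    """Weak form: request parameters become part of the SQL statement."""
    sql = ("SELECT title FROM pages WHERE published = 1 "
           f"AND nav = {page_nav} AND id = {page}")
    return [row[0] for row in db.execute(sql)]

def get_page_safe(db, page_nav: str, page: str):
    """Hardened form: integer validation first, then bound parameters."""
    try:
        nav_id, page_id = int(page_nav), int(page)
    except ValueError:
        return None  # caller should answer 400 and log the request
    sql = "SELECT title FROM pages WHERE published = 1 AND nav = ? AND id = ?"
    return [row[0] for row in db.execute(sql, (nav_id, page_id))]

# Constructed non-integer value for the page parameter.
TAMPERED = "27 OR 1=1"
```

With the tampered value the weak handler also returns the unpublished row, because the `published = 1` filter is bypassed; the hardened handler rejects the request before any SQL runs.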
Moral Questions
I think work should be more than $$
– I doubt Mr. Barr started with this in mind…
People need the right to free press
– But where is that line when dealing with stolen documents?
Should HBGary competitors study the stolen proposals and other documents?
What about studying the emails … they’re public now?
Do two wrongs make a right?