A while back I posted an article, in which I mentioned that the next war is likely to have a significant cyber component to it. Yesterday, Mr. Universe touched on something that’s worth examining from this perspective.
Fans of the graphic novel V for Vendetta (or the film adaptation) will recognize in the photo the use of the masks of anonymity associated with Guy Fawkes, who was part of a failed attempt to blow up the British Parliament in 1605. Fawkes made his attempt to overthrow the government under a false persona. Hence the use of the mask is often associated with attempts to overthrow totalitarian regimes through the use of anonymity and solidarity.
The trigger for Anonymous’s attack was a direct, public threat made by HBGary’s CEO, Aaron Barr, to the Anonymous group to expose their constituents. Two weeks ago, Peter Bright published an article on Ars Technica outlining how the attacks took place.
Every year, the Open Web Application Security Project (OWASP) produces a list of the top ten online security vulnerabilities. Any computer security professional worth hiring should be familiar with all ten of them, how they work, and how to defend against them.
HBGary was compromised first via a particular form of code injection (a means of sending commands to the server through data channels), which is #1 on the top ten list. This attack was used to collect usernames and passwords, which were insecurely stored on the server (#7 on the list). The account information was used to log into the server, where a widely-known exploit was used to gain administrative control, because the server was not up to date with the latest security patches (#6 on the list).
Yes, they had three of the top ten vulnerabilities on one, public-facing server. All were easy to find, and easy to prevent. And they had plenty of other issues outside of the list, which are outlined in the Ars Technica article.
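As an added example, not code from the original post or from the Ars Technica write-up, here are the first two weaknesses in the chain above, injection through a data channel (#1) and weak credential storage (#7), each shown in a vulnerable and a hardened form; the table, user and password are constructed, and the salted PBKDF2 storage is one standard fix, not what HBGary ran.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample user table. The unsalted MD5 column stands in for the
# kind of weak storage the article calls out; it is not HBGary's data.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', ?)",
                (hashlib.md5(b"secret").hexdigest(),))
    return con

# Vulnerable (#1): user-controlled data is spliced into the command text,
# so the data channel can carry commands.
def find_user_unsafe(con, name):
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in con.execute(query)]

# Hardened: the value travels as a bound parameter and is never parsed as SQL.
def find_user_safe(con, name):
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in con.execute(query, (name,))]

# Hardened storage (#7): a random per-user salt plus an iterated KDF, so a
# dumped table cannot be reversed with a precomputed hash table.
def hash_password(password, salt=None, iterations=200_000):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    recomputed = hash_password(password, bytes.fromhex(salt_hex)).split("$")[1]
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(recomputed, digest_hex)
```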
The point is, this is a company paid large sums of money by our government to protect all of us from cyberattacks. Yet they didn’t manage even the security fundamentals on their own infrastructure. And our national security was compromised as a result.
Barr resigned this week, but it is hard for me to believe that this is an isolated case. How many more HBGarys are out there selling protection and security that are insufficient to protect us from our enemies? And what can we do about it?