A while back I posted an article, in which I mentioned that the next war is likely to have a significant cyber component to it. Yesterday, Mr. Universe touched on something that’s worth examining from this perspective.
HBGary, a computer security firm with extensive United States government contracts, was compromised a few weeks ago by the loosely affiliated group called “Anonymous.”
Fans of the graphic novel V for Vendetta (or the film adaptation) will recognize in the photo the use of the masks of anonymity associated with Guy Fawkes, who was part of a failed attempt to blow up the British Parliament in 1605. Fawkes made his attempt to overthrow the government under a false persona. Hence the use of the mask is often associated with attempts to overthrow totalitarian regimes through the use of anonymity and solidarity.
The trigger for Anonymous’s attack was a direct, public threat made by HBGary’s CEO, Aaron Barr, to the Anonymous group to expose their constituents. Two weeks ago, Peter Bright published an article on Ars Technica outlining how the attacks took place.
Every year, the Open Web Application Security Project (OWASP) produces a list of the top ten online security vulnerabilities. Any computer security professional worth hiring should be familiar with all ten of them, how they work, and how to defend against them.
HBGary was compromised first via a particular form of code injection (a means of sending commands to the server through data channels), which is #1 on the top ten list. This attack was used to collect usernames and passwords, which were insecurely stored on the server (#7 on the list). The account information was used to log into the server, where a widely known exploit was used to gain administrative control, because the server was not up to date with the latest security patches (#6 on the list).
Yes, they had three of the top ten vulnerabilities on one public-facing server. All were easy to find, and easy to prevent. And they had plenty of other issues outside of the list, which are outlined in the Ars Technica article.
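As an added example (not code from the blog post or from HBGary) of the two fundamentals above that live in application code, here is a login lookup that splices user input into SQL beside its parameterised form, and unsalted MD5 storage beside salted PBKDF2; the user table, names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3

def weak_hash(password):
    # Unsalted MD5 (insecure storage): equal passwords give identical digests.
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password, salt=None):
    # Random per-user salt plus a slow KDF; the salt is stored beside the digest.
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_password(password, salt, digest):
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def make_db():
    # Constructed in-memory stand-in for a CMS user table (sample data only).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, salt BLOB, digest BLOB)")
    salt, digest = hash_password("correct horse battery staple")
    db.execute("INSERT INTO users VALUES (?, ?, ?)", ("admin", salt, digest))
    return db

def find_user_vulnerable(db, name):
    # Injectable (#1): the input is spliced into the SQL text, so a quote inside
    # the data rewrites the query's logic instead of being compared as a name.
    return db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchone()

def find_user_safe(db, name):
    # Parameterised: the driver passes the value separately from the SQL text,
    # so it can only ever be compared against the name column as a literal.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()

def demo():
    # Contrast the lookups on the textbook tautology probe and the storage
    # schemes on a repeated (constructed) password.
    db = make_db()
    probe = "x' OR '1'='1"
    salt, digest = hash_password("hunter2")
    return {
        "vulnerable_returns_row": find_user_vulnerable(db, probe) is not None,
        "safe_returns_row": find_user_safe(db, probe) is not None,
        "md5_digests_equal": weak_hash("hunter2") == weak_hash("hunter2"),
        "salted_digests_equal": hash_password("hunter2")[1] == digest,
        "verify_ok": verify_password("hunter2", salt, digest),
    }
```

The unpatched-server point (#6) has no code counterpart; it is a patch-management process, not an application fix.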
The point is, this is a company paid large sums of money by our government to protect all of us from cyberattacks. Yet they didn’t manage even the security fundamentals on their own infrastructure. And our national security was compromised as a result.
Barr resigned this week, but it is hard for me to believe that this is an isolated case. How many more HBGarys are out there selling protection and security that are insufficient to protect us from our enemies? And what can we do about it?
I especially loved the way they extracted, via email, from the IT admin, the ability to gain remote ssh access to rootkit.com. Pure comedy of errors.
It would make a fine libretto for a comic opera. (Please remember that I’m a Gilbert and Sullivan fan.)
What we need is an Alexander Hamilton.
All government procurement should be tied to clearly defined benchmarks. If the contractor can meet those benchmarks in the initial application, and then survive periodic reviews, then the contract may continue.
In the instant case, it seems to me it would be a pretty simple matter to require a contractor such as HBGary to meet some minimal standards. The Air Force has a cyber-security Directorate and the students in that Directorate (with their security clearances) could be employed to attempt attacks on the HBGary servers. That would achieve two aims: 1) it would provide needed practice for those responsible for cyber-defense (every cop a criminal, etc.) and 2) it would ensure that contractors are meeting the benchmarks we set.
We shouldn’t need Anonymous to do our hacking for us. We should be demanding that our hackers do the job, a sort of internal security audit.
Makes sense to me, Monotreme.
As if on cue, three senators have introduced legislation to address this issue.
Good for Joe Lieberman, Susan Collins, and Tom Carper. Long overdue.
Why is it that our government is so reactive rather than proactive? It seems like there needs to be a major public crisis before they move on things that should be common sense.
Political Darwinism. If you solve a problem before the public sees that it’s a problem, you get zero credit. Solve it after they see it, and you get the credit for fixing the problem. Therefore, the successful politicians are the ones who realize the proper time to strike is when the iron is hot, just as the public starts to yell “somebody oughta do something about it.”
I suppose that’s an argument in favor of Philosopher Kings instead of democratically elected leaders, eh?
Benevolent philosopher-kings are ALWAYS the best choice. Problem is they don’t exist.
Damn Plato for giving me all these unrealistic ideals!
These folks are calling for new spending for this effort? But we’re broke, according to Boehner, half the GOP caucus in the House, almost all the teaper caucus, most of the GOP governors, etc, etc.
This bill is DOA.
They could take the $$ out of the Defense budget. (CyberChina is skulking in the wings, waiting…..)
That’s right, Tea Party people would never suggest we spend more money.
Like Michele Bachmann introducing a bill in Congress to spend $700 million on building a new bridge over the St Croix River, just to piss off environmentalists. That would never happen.
Three thoughts here.
1. I’m having a hard time figuring out why you would want to go after Anonymous. They’ve done more good than harm, making them one of the more benign things to come out of 4chan. I wouldn’t be particularly surprised if the Church of Scientology had contracted out HBGary – they have more money than Croesus and Anonymous has done serious damage to them recently. If this was US government-driven, the announcement would have come in the form of Anonymous being rolled up by the FBI, and I doubt we would have outsourced the intel work.
2. I somehow doubt compromising a company’s email server constitutes a national security-level breach, beyond revealing that a particular company that has done work for the US government (and who hasn’t?) is unbelievably sloppy with their own security.
3. I’m finding the outrage over the US government wanting sockpuppet-generating software kind of amusing. This kind of thing is a weapon to be used against America’s enemies – it is precisely the same as the US government buying guns and its use would be governed by the same set of laws.
1. He went after Anonymous because of their support of WikiLeaks, near as I can tell. That makes them not-so-benign to some.
2. The compromise of the email server doesn’t constitute a national security breach. But the compromise of government employees’ passwords, many of which are used in common on other sites (nearly everyone does this), is dangerous indeed.
3. It’s a modern-day Hanoi Hannah technique. Not outrageous, per se, but it can be used as a propaganda machine for the US government against its own people. That’s distasteful, much as it was when Bush (or his administration, anyway) hired people to publish propaganda as mainstream press articles.
1. WikiLeaks appeals to a certain kind of internet activist, which Anonymous is almost entirely composed of. Taking the range of activities Anonymous is involved in, most of which are beneficial or neutral to us.gov interests, it’s very hard to see them as a hostile organization. Let alone one which should be persecuted. I think the Scientology angle bears investigating, if only because they’re the only people out there with a serious bone to pick with Anonymous.
2. Beyond maybe getting Anonymous onto AKO I’m not sure how this is helpful. And good luck if you’re trying to get anything useful out of AKO. 😉
3. This basically comes down to how much you trust the US government. Why people are willing to trust the government with single-payer health care but not with weapons to defend them from our enemies abroad is beyond me. Contrary to popular belief the federal government is not actively evil.
I trust any part of the government just as far as I see the willingness of the other parts of the government to fulfill their duties of checks and balances.
I frankly see too little in the way of checks and balances on the military-industrial complex. The Congress, which ought to be reining it in, is instead shoveling more money than it asked for into the coffers. With great power comes great responsibility and a requirement for firm oversight — and the military is not getting the latter, except maybe from Mother Jones.
As for single-payer, well, I don’t see problems for the individuals in Medicare, except that some people are getting more care than they want. That’s a problem I, as an individual, know how to cope with. You just tell the doctors that the patient doesn’t want the procedure with sufficient firmness, and the doctors will back off.
I also see Anonymous and Wikileaks as checks and balances on the power of the federal (and other) governments. As such, I support them.
We’re in agreement for the most part about #1. But I’m a little wary about how well their beliefs line up with mine.
As for the password issue (#2), humans will leak information, regardless of the rules. It’s just what happens. So I don’t think the limited access to AKO matters as much as you do.
As for #3, my issue is about the government using those weapons against their citizens. It’s the same issue as Qadhafi using his air force against Libyans. Distasteful at best.
I think you misread me on AKO. It’s so user-unfriendly that anyone trying to extract information from it would quickly give up in frustration, and nothing on it is classified anyways. 😉
The US military has a very solid legal framework governing its use and extensive internal oversight to ensure relevant laws and regulations are followed. People go to jail over this stuff. So, really, if you’re worried about the government doing information operations against the American people, the best place for those kinds of weapons is at Cyber Command rather than outside of the military.
Congress, by its nature, is not going to exercise effective oversight over anything. Even most military-related GAO reports I’ve seen aren’t exactly blockbusters. The DoD’s internal oversight is, however, very extensive. It helps to remember that the individual services, let alone the DoD as a whole, are not monolithic.
NGOs like Anonymous, Wikileaks or the news media are not checks and balances on governmental power – they are independent players with their own agendas. I suggest you take a hard look at their agenda and ideology before deciding to support them.