The Anonymous attack on HBGary may have amused some who enjoyed the sight of a security firm left embarrassed and exposed, but it should send a shiver down the spine of any IT administrator responsible for securing their own company.
Because can you honestly put your hand on your heart and say a hack like the one against HBGary couldn’t happen at your organisation too?
As Ars Technica explains, a weakness in a third-party CMS product used by HBGary’s website allowed Anonymous hackers to steal passwords that employees used to update the webpages.
Unfortunately, the passwords weren't protected strongly enough and could be cracked with a rainbow-table-based attack. Among those exposed were CEO Aaron Barr and COO Ted Vera.
Worse still, it appears that Aaron Barr and Ted Vera were using the same passwords for their Twitter and LinkedIn accounts, and even for an account which administered the entire company’s email.
By exploiting software vulnerabilities, poor passwords and even some tried-and-trusted social engineering (see below) it was trivial for the hackers to steal the entire company’s email and deface its website.
As Chet explained in an earlier article, an employee not seeking proper verification when a company executive apparently asks for help can result in a corporate disaster.
But more than that, it’s also essential that all staff learn about how to use passwords properly.
For instance, don’t use easy-to-crack or obvious passwords. If you do, you’re asking for trouble.
And it’s critical that different passwords are used for different accounts. That way if your password gets exposed in one place, there won’t be a domino effect as a series of other accounts are unlocked by criminals using the same credentials.
Unconvinced by the scale of the problem? Well, Sophos’s research has found that 33% of people use the same password on every single website.
In the wake of the attack, HBGary withdrew from the RSA Conference taking place in San Francisco this week, and replaced their booth with a sign:
Read the in-depth piece by Ars Technica now, investigating how the HBGary hack occurred, and learn lessons which you can apply inside your own company. After all, you don’t want to be the next firm to have to put up a sign like that.
HBGary sign image credit: Colbinator on TwitPic.
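As an added illustration (not code from the original article), the following Python shows why a weakly hashed password store falls to a precomputed table in one lookup, while a salted, slow hash of the same password does not. The unsalted-MD5 storage and the word list are assumptions made for the demonstration, not details the article gives.

```python
import hashlib
import hmac
import os

# Constructed word list (not from the page): the kind of guesses a precomputed
# table is built from.
WORDLIST = ["password", "letmein", "qwerty", "F1do-R0cks", "hbgary2011"]

def build_table(words, algo="md5"):
    """Precompute digest -> plaintext for every word: a rainbow table is a
    space-optimised version of this; without a per-user salt it covers everyone."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}

def store_unsalted(password):
    """Assumed weak scheme for the demo: unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()

def crack_by_lookup(stored_hex, table):
    """No guessing, one dictionary lookup: returns the plaintext or None."""
    return table.get(stored_hex)

def store_salted(password, iterations=200_000):
    """Defender's form: random 16-byte salt + PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iters": iterations, "digest": digest}

def verify_salted(password, record):
    """Recompute with the stored salt; constant-time compare."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               record["salt"], record["iters"])
    return hmac.compare_digest(cand, record["digest"])

def demo(password="F1do-R0cks"):
    """Same password, both schemes: only the unsalted one falls to the table."""
    table = build_table(WORDLIST)
    salted = store_salted(password)
    return {
        "unsalted_cracked": crack_by_lookup(store_unsalted(password), table),
        # The salt changes the digest, so the precomputed table never matches
        # and the attacker is pushed back to per-user, per-guess slow hashing.
        "salted_cracked": crack_by_lookup(salted["digest"].hex(), table),
        "salted_verifies": verify_salted(password, salted),
        "salts_differ": store_salted(password)["digest"] != salted["digest"],
    }

if __name__ == "__main__":
    print(demo())
```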
There is no question that, by following "best practices" as taught even in Security 101 courses, any attack could have been blunted. From reading the various articles in the press, it would appear that HBGary/HBGary Federal made several fundamental mistakes:
* HBGary/HBGary Federal failed to employ defense-in-depth:
If HBGary had employed encryption on the email and file servers, Anonymous would never have succeeded in gaining any useful information, even if they managed to get access to the files/email, despite all other precautions to their gaining access having failed.
There are commercial, off-the-shelf (COTS) solutions available from a variety of vendors, e.g. PGP, Inc. If cost was an issue, there are even open source, freely available Perl scripts which serve to public-key encrypt incoming email.
It would have been a trivial matter for all staff to have a PGP keypair — all incoming email could be address-scanned to match up with a PGP public key to encrypt to. If that had been done, all incoming email would have been securely stored on the mail server, and all Anonymous would have gotten for their efforts would be 70K encrypted emails, and we would not be having this discussion right now.
Proper use of encryption/digital signing would also have prevented the social-engineering hack perpetrated on the administrator of rootkit.com.
If HBGary had had a procedure in place, whereby the admin was required to challenge any such requests as were received, this could have been avoided. If the admin had asked Mr. Hoglund to PGP-sign his request by way of authentication, Anonymous could not have successfully impersonated him.
Similarly, if the password were sent public-key encrypted to Mr. Hoglund's key, Anonymous would have been successfully thwarted. The emails reveal that several of the principals of the company actually had Gnu Privacy Guard (GPG), the open source equivalent of PGP, on their laptop computers, so this would have been trivial to implement. (GPG is free and open source software, so cost would not even enter into the equation.)
* HBGary suffered from terminal tunnel-vision:
There is an old saw that goes like this: "When all you have is a hammer, everything looks like a nail." HBGary's expertise is in malware detection — I'll grant you that malware is the latest form of threat, but it isn't the only one, and HBGary forgot that simple fact.
Seriously? "it's critical that different passwords are used for different accounts" ?
What ever happened to usability? Real users are human beings, who have enough trouble remembering a single password that changes every couple of months, never mind 20 different passwords.
It's better to:
(a) synchronize passwords
(b) make the single password strong
(c) change the single password often
(d) find and replace applications where the password database might be compromised
The real problem at HBGary (aside from the unpleasant contract they took on) was their use of a vulnerable CMS. Come on guys – that's just dumb. Ever heard of vulnerability management? HIDS? NIDS? *That* is where the domino effect started.
Who said anything about remembering passwords? 🙂 As security blogger Kurt Wismer has remarked on a number of occasions, that's a solution that simply doesn't scale.
I don't know the password that I use to log into Twitter, or into PayPal, or even into the administration panel that we use to run the Naked Security site!
Instead I use a password management solution to both generate hard-to-guess, hard-to-crack passwords and to do the remembering for me. Other computer users would be wise to do something similar in my opinion. Products include KeePass, 1Password and LastPass.
And, yes I agree, there is more to protecting your company than proper password security.
... and in doing so you introduce a new single point of failure: an attack on the password management system. Are you sure this software is encrypting your passwords well? Where is the password DB stored? On your hard disk – or on the Internet? How do you migrate your passwords to another machine? Who has access to your hard drive? Is that USB key you used for transferring data securely erased? And wasn't it still in your pocket when you left the office yesterday, and where is it now?
You see: one problem solved, a dozen new ones pop up.
The most secure storage is still your own brain. Unfortunately, this brain is attached to a human being, and these are known to err occasionally.
Suggest a piece of paper or cardboard kept in your pocket. Seriously. Today the threat usually is not someone spying on your papers, but doing it comfortably via the net. A piece of paper does not have an IP address you can attack…
>> A piece of paper does not have an IP address you can attack…
…yet.
Two thoughts on passwords:
1) A password management system resides on your local device, and while it essentially has "one password to rule them all," this is more secure than using that same password on multiple sites.
Why? Because the attacker has to break into YOUR machine and crack the password, instead of having to break into one of who knows how many target systems that you don't control.
2) That said, it's still less secure than using a unique strong password for each account you have.
This doesn't have to be difficult; I use unique ~21-character passwords for each account I have, and find it trivial to remember them.
How? Well, the base password is a passphrase used across all accounts.
Then, a section of that passphrase is hashed in an easy-to-remember way against something contextual to that account that is somewhat unique. So now, instead of having to remember some random string, I have to remember a base passphrase that is used repeatedly, a hashing method that is used repeatedly, and something contextual. So unless the context changes, "remembering" the password is simple.
It's possible that I have a few password collisions across my accounts, but not very likely — and 21-character passwords, while not quite as strong as a 256-bit hash, are close enough in my books.
So for those of you whose password is some variant on F1do-R0cks, try something stronger, like taking:
My little puppy Fido is the best!
and for a site like this, do something like: Mnya kleidt tsleec upruiptpyy Fido is the best!
or even better: M6y1 8l3i3t2t3l3e7 4p8u5p6py Fido is the best!
(a real hash method like I use is even better, but it takes more time to memorize).
Think this is too inconvenient? If you use it for all your passwords, you'll find it becomes really easy to do very quickly.
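As an added example (not the commenter's code), this Python reproduces the interleaving in the worked example above and generalises it to any passphrase and site string. It assumes the context string "naked security" and the first three words of the passphrase as the interleaved section, since those reproduce the comment's output exactly; the third function shows that, unlike a hash, the transform can be undone by anyone who knows the site name.

```python
def interleave(base, context):
    """Alternate one character of `base` with one of `context`, base first;
    whatever is left of the longer string is appended unchanged."""
    out = []
    for i in range(max(len(base), len(context))):
        if i < len(base):
            out.append(base[i])
        if i < len(context):
            out.append(context[i])
    return "".join(out)

def derive(passphrase, context, n_words=3):
    """Interleave only the first `n_words` words of the passphrase (the
    'section' the commenter mentions) and keep the rest verbatim."""
    words = passphrase.split(" ")
    head, tail = " ".join(words[:n_words]), " ".join(words[n_words:])
    return interleave(head, context) + (" " + tail if tail else "")

def recover_base(derived, context):
    """Undo the transform given the site-specific context: strip the context
    characters from the positions the alternation put them in. The derivation
    is reversible, so one exposed output plus the (public) site name yields
    the shared passphrase; this is the property to weigh against convenience."""
    base_len = len(derived) - len(context)
    base, b, c = [], 0, 0
    for ch in derived:
        # Base character when it is the base's turn, or when context is used up.
        if b < base_len and (c >= len(context) or b <= c):
            base.append(ch)
            b += 1
        else:
            c += 1
    return "".join(base)

# Constructed from the comment's worked example; the context string is an
# assumption chosen because it reproduces the comment's output for this site.
PASSPHRASE = "My little puppy Fido is the best!"
CONTEXT = "naked security"

if __name__ == "__main__":
    pw = derive(PASSPHRASE, CONTEXT)
    print(pw)  # Mnya kleidt tsleec upruiptpyy Fido is the best!
    print(recover_base(pw, CONTEXT) == PASSPHRASE)
```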
I think that the issues above all have merit, and here's the but.
I've worked the last year for a large IT company as a contractor, and every time I've asked someone for a password for their laptop or remote access or admin account etc., whether face to face, by e-mail or by phone,
I always get the same response.
I cannot give you that information because it would be a security breach.
If I challenge them again, saying I'm someone important, their response is:
I definitely cannot give you the information as this could be a security test.
I am then passed on to someone further up the chain and I have to go through a number of processes to get me authenticated and authorised.
The point I'm trying to make is this.
You have to remove the fear from the company staff at all levels and give them a way out without being pressured by senior management.
I could not agree more with Simon. I sat in on the weekly IT Help Desk meetings at a Fortune 500 company, the one where the technicians learn and discuss issues. It was hard to listen to the occasional negative feedback from someone with “position power” who would occasionally ask for, and not receive, exceptions to the password reset rules. Those young, fresh faces around the table are the FRONT LINE in IT security.
The best way to crack a password is to step into someone’s office or sneak a peek at the day planner. If you ask people to change passwords frequently, they have to write them down. Heck, I have clients who call ME for their passwords.
This continues to be a problem and a proper solution seems very tardy to me.