Interpreting the HBGary Federal security breach

In February, security firm HBGary Federal was hacked by Anonymous. HBGary Federal is a security firm that offers services such as rootkit detection, incident response, malware reverse engineering, and computer forensics. They have also given presentations at conferences such as Black Hat Briefings and the RSA Conference.

Anonymous hacked HBGary Federal quickly and catastrophically. Anonymous released ~60,000 internal emails, released an easily cracked database full of hashed passwords, and severely hurt business (several companies are considering buying out HBGary Federal). Even worse, the hacks were performed using well-known security flaws. Some of the vulnerabilities that were exploited include badly-hashed passwords (no salting or multiple hashing used), easily cracked passwords (simple to guess), a SQL injection flaw, and social engineering (passwords were emailed around, among other things).

All of this activity is illegal; HBGary Federal was (at the time) a respected security company, employed by governments and companies around the world. Yet Anonymous did not hack HBGary Federal without provocation: CEO Aaron Barr was investigating the collective, and preparing to release names, online IDs, and addresses of members. Aaron Barr _told_ an anonymous ringleader about the forthcoming dump of information.

That alone is food for thought; an anonymous collective was able to carry out a form of vigilante justice. It brings to mind the famous letter by John Perry Barlow entitled “A Declaration of the Independence of Cyberspace”. “[…]you weary giants of flesh and steel[…]”.

But it gets weirder. In the email dump, it was revealed that HBGary Federal was itself selling rootkit software ($60,000) and 0-day security exploits, pursuing a plan to sniff cell phones to collect personal data, and was being paid to investigate Wikileaks by Bank of America.

This serves to show that security is not a black-and-white affair. A respected company was itself performing a variety of sketchy services, and the collective that unmasked it looks innocent by comparison. It’s an odd reversal of roles.
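The password-storage flaw named above (no salting, no repeated hashing) is easy to show next to its fix. This is an added example, not code from the original post or from HBGary Federal: SHA-256 stands in for the unnamed algorithm, and the function names, iteration count and storage format are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

// Weak scheme of the kind the post describes: a single pass and no salt.
// SHA-256 is a stand-in here; the post does not name the algorithm used.
function weakHash(password) {
  return crypto.createHash('sha256').update(password, 'utf8').digest('hex');
}

// Hardened scheme: random per-account salt plus many iterations (PBKDF2).
// The iteration count and the storage format are choices made for this example.
const ITERATIONS = 600000;

function hashPassword(password, salt = crypto.randomBytes(16)) {
  const key = crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
  return ['pbkdf2-sha256', ITERATIONS, salt.toString('hex'), key.toString('hex')].join('$');
}

function verifyPassword(password, stored) {
  const [scheme, iter, saltHex, keyHex] = String(stored).split('$');
  const iterations = Number(iter);
  if (scheme !== 'pbkdf2-sha256' || !Number.isInteger(iterations) || iterations < 1) return false;
  const expected = Buffer.from(keyHex || '', 'hex');
  if (expected.length === 0) return false;
  const salt = Buffer.from(saltHex || '', 'hex');
  const actual = crypto.pbkdf2Sync(password, salt, iterations, expected.length, 'sha256');
  // Constant-time comparison of the derived key with the stored one.
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample: two accounts that chose the same password.
function sameStoredValue(hashFn, password) {
  return hashFn(password) === hashFn(password);
}

console.log('unsalted hashes match:', sameStoredValue(weakHash, 'letmein'));
console.log('salted hashes match:  ', sameStoredValue(hashPassword, 'letmein'));
```

With the unsalted scheme, identical passwords produce identical database entries, so one precomputed table covers every account; the salt removes that shortcut and the iteration count raises the cost of each guess.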

NOTES:

https://projects.eff.org/~barlow/Declaration-Final.html

http://www.pcworld.com/businesscenter/article/221504/8_security_tips_from_the_hbgary_hack.html

http://www.h-online.com/security/features/Anonymous-makes-a-laughing-stock-of-HBGary-1198176.html

http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgary-wrote-backdoors-and-rootkits-for-the-government.ars/3

http://www.lightbluetouchpaper.org/2011/02/09/measuring-password-re-use-empirically/

http://en.wikipedia.org/wiki/HBGary

The Internet Is In Danger!

GO HERE, READ THIS: http://americancensorship.org/

Time is running out, ladies and gentlemen. You need to ACT NOW, TODAY, to prevent censorship of the internet in America. The Great China Firewall has already demonstrated how devastating to free speech this policy would be, and if we do nothing the United States will pass 2 bills that bring us much closer to a China-style internet. So WHAT CAN YOU DO?

Paste this code into your website, preferably in the <head></head> section:

<script type="text/javascript" src="http://americancensorship.org/js"></script>

Write to your congressman, tell everyone you know (even your enemies) to go to americancensorship.org and let the government know what you think about censorship!

Facebook Porn Attack!

Recently Facebook had an attack happen to them; this attack involved violent and pornographic images being uploaded to Facebook. Facebook claimed that the vulnerability was not on their shoulders but in the browser the user was using. Facebook did not say which browser it was, but blamed the attack on “self-XSS”: a user-executed script that relies on social engineering to trick the user into copying something and then posting to Facebook.

http://www.informationweek.com/news/security/attacks/231903115

Clickjacking

Clickjacking seems to be going on a lot lately; you may have heard of it with the whole Facebook attack going on right now. Many people are victims of clickjacking attacks, and it’s a hard attack to detect. Many times it happens in the background without the user ever knowing. So what is clickjacking? Well, just check Wikipedia; it’s a good enough description: http://en.wikipedia.org/wiki/Clickjacking

As wired.com simply puts it:

Clickjacking, put simply, is when a button, image, video, or some form of embedded content on a website is overlaid by an invisible layer that sits on top of the site underneath it.

Wired.com also had a fairly good example explanation:

For instance, you may see a page with a movie embedded on it. You want to watch the movie, so you click on the play button. You don’t think twice about it — you’ve done it a million times. Meanwhile, a hacker has superimposed an invisible web page over the movie. It just so happens that a button allowing access to your camera and microphone has been placed over the movie’s play button. Now, when you think you’re playing the movie, you’re actually permitting the hacker to access your video camera and microphone.

So your click on something that isn’t what it seems to be causes bad things to happen, usually without you knowing. So how do you prevent it?

Keeping your browser and Flash Player up to date is the first step. Instead of repeating the rest of the information that’s already on the internet, here’s a link that will give you some tips:
http://howto.wired.com/wiki/Prevent_Clickjacking_Attacks#Upgrade_Flash_Player

Hopefully this information will help people who haven’t heard about clickjacking yet. For those who have, hopefully all of you, this is just a reminder to make sure you’re secure.
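The tips above cover the visitor’s side. On the site’s side, the overlay only works if the target page can be loaded inside a frame, which the `X-Frame-Options` and CSP `frame-ancestors` response headers control. As an added example that goes beyond the post’s advice (not code from the post or from Wired), this audits one response’s headers for that protection; the function name, return shape and sample headers are assumptions made for the illustration.

```javascript
// Audit one response's headers for anti-framing (clickjacking) protection.
// `headers` uses lower-case names, as Node's http module presents them.
function auditFraming(headers) {
  const notes = [];
  let protectedBy = null;
  let sawFrameAncestors = false;

  // Repeated CSP headers arrive comma-joined; each part is a separate policy,
  // and one restrictive policy is enough because all of them must allow.
  // Content-Security-Policy-Report-Only is not read: it enforces nothing.
  const csp = String(headers['content-security-policy'] || '');
  for (const policy of csp.split(',')) {
    for (const directive of policy.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() !== 'frame-ancestors') continue;
      sawFrameAncestors = true;
      // '*' or a bare scheme lets any site embed the page.
      if (sources.some((s) => s === '*' || /^https?:$/i.test(s))) {
        notes.push('frame-ancestors allows any origin: ' + sources.join(' '));
      } else {
        protectedBy = 'csp'; // 'none', 'self', or an explicit host list
      }
    }
  }

  const xfo = String(headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo && sawFrameAncestors) {
    // Browsers that enforce frame-ancestors ignore X-Frame-Options entirely.
    notes.push('X-Frame-Options is ignored because frame-ancestors is set');
  } else if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    protectedBy = 'x-frame-options';
  } else if (xfo.startsWith('ALLOW-FROM')) {
    notes.push('ALLOW-FROM is obsolete and ignored by current browsers');
  } else if (xfo) {
    notes.push('unrecognised X-Frame-Options value: ' + xfo);
  }

  if (protectedBy === null && notes.length === 0) {
    notes.push('no anti-framing header present');
  }
  return { framable: protectedBy === null, protectedBy, notes };
}

// Constructed sample (not captured from any real site): a CSP without
// frame-ancestors does not stop framing, because default-src is no fallback.
console.log(auditFraming({ 'content-security-policy': "default-src 'self'" }));
```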

Android Updates taking too long?

Through some searching online and reading multiple articles, I found that many users are not on the latest Android version. This can obviously be seen as a security problem. As with much other software, updates often include important security fixes. I doubt Android is any different. Although phones are shipped with a fairly recent version of the Android OS, the problem seems to be with how long it takes before the user even gets an update to the latest version. It can be a long process before the provider offers the update to its users. An article on Computerworld explained it better:

Google releases code that is in turn adapted by hardware manufacturers, and that in turn is adapted by various service providers. The software release latency from Google to device is long in the best of situations, and insurmountably long in many others.

With smartphones becoming some of the more popular devices to target for attacks, I feel this long process for updates could soon become a big issue. That is, if it’s not already.

http://www.computerworld.com/s/article/9221844/Kenneth_Van_Wyk_The_security_implications_of_being_stuck_with_an_old_Android_OS