Attacks/Breaches
2/7/2011
04:36 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Anonymous' Hacks Security Company, Researcher

Breach that exposed sensitive email, personal, other information at HBGary Federal and HBGary raises concern over shift in approach by hacker group

The hacktivist Anonymous group best known for taking down high-profile websites with distributed denial-of-service attacks (DDoS) has now targeted a security researcher and his company, dumping the contents of the firm's email messages and other sensitive information online yesterday, as well as commandeering his Twitter account and posting his Social Security number and address.

Security researchers have been in the bull's eye before, but the loosely affiliated hacking group's skilled attack against HBGary Federal and HBGary has raised concerns of the potentially wider damage the group could wreak. It also has served as a chilling reminder of the risks faced by researchers investigating attack groups. The targeted attack on HBGary Federal appears to be a departure from the group's DDoS modus operandi, framed by its DDoS protests against PayPal, MasterCard, and Visa, among other organizations, in support of WikiLeaks and its founder in what the attackers had dubbed Operation Payback.

Anonymous broke into HBGary Federal's servers, as well as that of CEO Aaron Barr's Twitter account, in apparent retaliation for Barr's investigative research into the group and its leaders. It all started when Barr, who is scheduled to discuss his related social networking research at the BSides conference in San Francisco next week, said in a Financial Times article this weekend that he was able to get the names of some of the leaders of Anonymous, as well as some information on their locations -- in California, the U.K., Germany, The Netherlands, Italy, and Australia, he said.

Although Barr said he had no plans to hand over the names of individuals he had unmasked, that didn't dissuade the Anonymous group from striking out at him: "You have blindly charged into the Anonymous hive, a hive from which you've tried to steal honey. Did you think the bees would not defend it? Well here we are. You've angered the hive, and now you are being stung," Anonymous said in an online posting in the attack.

Greg Hoglund, founder and CEO of HBGary, says the attack against HBGary and HBGary Federal constitutes a serious crime, not merely a hactivist statement. "They got our email, one of our tech support machines, and rootkit.com," which is Hoglund's research site, he says. "You could have said they were hactivists before this. But now they've committed federal crimes, stolen intellectual property, and posted it on the Internet. That's a whole different thing -- it's not altruistic. This is a criminal organization, and it borders on cyberterrorism.

"They had a platform before, DDoS ... but that pales in comparison to a data breach and stealing millions of dollars in damages and leaking IP [intellectual property]."

So far it doesn't appear that any of HBGary's technology was accessed or stolen by the group, he says. "They didn't get any source code. That's stored on a separate network," he says. But Hoglund's email spool that was breached includes a lot of sensitive information about customers, strategy, and marketing plans, which is intellectual property, he says.

The breach at HBGary -- which is a separate company from HBGary Federal -- appears to be collateral damage from the HBGary Federal hack, he says. "One of the individuals at HBGary Federal was an admin on our Google email system -- we use Google to host it all. They were able to get access to the entire account," he says.

And Anonymous socially engineered a systems administrator to provide them access to rootkit.com. "It wasn't an exploit," Hoglund says.

Security researchers know that potentially becoming the target of hackers goes with the territory. Researcher Dan Kaminsky was hit by a nasty hack two years ago on his Website, email, and Twitter accounts by a group of black hat hackers who stole passwords, emails, and instant message chats from Kaminsky. Other security figures, such as Kevin Mitnick, and security firms, including Matasano Security, have been targeted in the past. "Any of us could be targets," says Jack Daniel, one of the founders of BSides.

"It's the nature of people willing to do the research and speak on it: Largely, these people aren't going to be silenced," Daniel says. "So many people have been compromised over the past two years in the security community ... Hopefully people are smart enough to limit how much exposure" they have online, he says.

The HBGary hack exposed at least one common security weakness aside from social engineering risks: Hoglund says the attackers appear to have executed a SQL injection attack against HBGary Federal's website. They didn't hack HBGary's main website, but the company has taken its servers offline for clean-up and is investigating the breach.

Hoglund says he first got wind of the attacks yesterday afternoon at about 3 p.m. Pacific time. "But they had been in the systems longer than that, after they had gotten everything they wanted," he says.

Given Anonymous' global presence, it is difficult to catch or stop the attackers. "They've got people who are very skilled at computer hacking. They are a very serious threat," he says. "I just want law enforcement and citizens to take this threat seriously," Hoglund says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.