Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/7/2011
04:36 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Anonymous' Hacks Security Company, Researcher

Breach that exposed sensitive email, personal, other information at HBGary Federal and HBGary raises concern over shift in approach by hacker group

The hacktivist Anonymous group best known for taking down high-profile websites with distributed denial-of-service attacks (DDoS) has now targeted a security researcher and his company, dumping the contents of the firm's email messages and other sensitive information online yesterday, as well as commandeering his Twitter account and posting his Social Security number and address.

Security researchers have been in the bull's eye before, but the loosely affiliated hacking group's skilled attack against HBGary Federal and HBGary has raised concerns of the potentially wider damage the group could wreak. It also has served as a chilling reminder of the risks faced by researchers investigating attack groups. The targeted attack on HBGary Federal appears to be a departure from the group's DDoS modus operandi, framed by its DDoS protests against PayPal, MasterCard, and Visa, among other organizations, in support of WikiLeaks and its founder in what the attackers had dubbed Operation Payback.

Anonymous broke into HBGary Federal's servers, as well as that of CEO Aaron Barr's Twitter account, in apparent retaliation for Barr's investigative research into the group and its leaders. It all started when Barr, who is scheduled to discuss his related social networking research at the BSides conference in San Francisco next week, said in a Financial Times article this weekend that he was able to get the names of some of the leaders of Anonymous, as well as some information on their locations -- in California, the U.K., Germany, The Netherlands, Italy, and Australia, he said.

Although Barr said he had no plans to hand over the names of individuals he had unmasked, that didn't dissuade the Anonymous group from striking out at him: "You have blindly charged into the Anonymous hive, a hive from which you've tried to steal honey. Did you think the bees would not defend it? Well here we are. You've angered the hive, and now you are being stung," Anonymous said in an online posting in the attack.

Greg Hoglund, founder and CEO of HBGary, says the attack against HBGary and HBGary Federal constitutes a serious crime, not merely a hactivist statement. "They got our email, one of our tech support machines, and rootkit.com," which is Hoglund's research site, he says. "You could have said they were hactivists before this. But now they've committed federal crimes, stolen intellectual property, and posted it on the Internet. That's a whole different thing -- it's not altruistic. This is a criminal organization, and it borders on cyberterrorism.

"They had a platform before, DDoS ... but that pales in comparison to a data breach and stealing millions of dollars in damages and leaking IP [intellectual property]."

So far it doesn't appear that any of HBGary's technology was accessed or stolen by the group, he says. "They didn't get any source code. That's stored on a separate network," he says. But Hoglund's email spool that was breached includes a lot of sensitive information about customers, strategy, and marketing plans, which is intellectual property, he says.

The breach at HBGary -- which is a separate company from HBGary Federal -- appears to be collateral damage from the HBGary Federal hack, he says. "One of the individuals at HBGary Federal was an admin on our Google email system -- we use Google to host it all. They were able to get access to the entire account," he says.

And Anonymous socially engineered a systems administrator to provide them access to rootkit.com. "It wasn't an exploit," Hoglund says.

Security researchers know that potentially becoming the target of hackers goes with the territory. Researcher Dan Kaminsky was hit by a nasty hack two years ago on his Website, email, and Twitter accounts by a group of black hat hackers who stole passwords, emails, and instant message chats from Kaminsky. Other security figures, such as Kevin Mitnick, and security firms, including Matasano Security, have been targeted in the past. "Any of us could be targets," says Jack Daniel, one of the founders of BSides.

"It's the nature of people willing to do the research and speak on it: Largely, these people aren't going to be silenced," Daniel says. "So many people have been compromised over the past two years in the security community ... Hopefully people are smart enough to limit how much exposure" they have online, he says.

The HBGary hack exposed at least one common security weakness aside from social engineering risks: Hoglund says the attackers appear to have executed a SQL injection attack against HBGary Federal's website. They didn't hack HBGary's main website, but the company has taken its servers offline for clean-up and is investigating the breach.

Hoglund says he first got wind of the attacks yesterday afternoon at about 3 p.m. Pacific time. "But they had been in the systems longer than that, after they had gotten everything they wanted," he says.

Given Anonymous' global presence, it is difficult to catch or stop the attackers. "They've got people who are very skilled at computer hacking. They are a very serious threat," he says. "I just want law enforcement and citizens to take this threat seriously," Hoglund says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3738
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
CVE-2019-3739
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
CVE-2019-3740
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
CVE-2019-3756
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information disclosure vulnerability. Information relating to the backend database gets disclosed to low-privileged RSA Archer users' UI under certain error conditions.
CVE-2019-3758
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P2 (6.6.0.2), contain an improper authentication vulnerability. The vulnerability allows sysadmins to create user accounts with insufficient credentials. Unauthenticated attackers could gain unauthorized access to the system using those accounts.