The HBGary Story

Michal Zalewski gives a biting commentary:

…the purported details of the attack on HBGary – a horribly vulnerable, obscure CMS; unpatched internal systems; careless password reuse across corporate systems and Twitter or LinkedIn; and trivial susceptibility to e-mail phishing – are a truly fascinating detail. These tidbits seem to imply either extreme cynicism of their staff… or an unbelievable level of cluelessness. And from a broader perspective, both of these options are pretty scary.

Oh, the ironic part? Despite all the lofty rhetoric, looks like in the end, they have been undone by just a bunch of bored kids.

At least China is still off the hook…for now.

Couldn’t help but notice the breach report’s simplicity: a simple SQL query produced the password hashes, and then an easy brute-force produced the passwords. The passwords were the same on many different sites.

The exact URL used to break into hbgaryfederal.com was

http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27.

[…]

[T]he hbgaryfederal.com CMS used MD5. What’s worse is that it used MD5 badly: there was no iterative hashing and no salting.

[…]

[And they] used passwords that were very simple; each was just six lower case letters and two numbers.

Yeah, oops on several counts.
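To make the "oops" concrete, here is an added example (not code from the original post, from HBGary, or from the breach report) showing why the quoted password scheme fails. The mask 'lllllldd' mirrors the reported shape (six lowercase letters, two digits), which is 26^6 × 10^2 ≈ 3.1 × 10^10 candidates; the sample passwords and salts are constructed, and the 10^9 MD5/s cracking rate used for the time estimate is an assumption for illustration, not a measured figure. The script contrasts unsalted, single-round MD5 (one pass over the mask cracks an entire dump, because every candidate is checked against all hashes at once) with per-user salted, iterated PBKDF2 (the mask must be re-hashed per account, and each guess costs the iteration count).

```python
"""Unsalted, single-round MD5 over a narrow password shape vs. salted, iterated hashing.

Constructed demonstration (not HBGary's code or data): the mask 'lllllldd'
mirrors the shape described in the breach report; all passwords and salts
below are made up for the example.
"""
import hashlib
import itertools
import os
import string

# Mask character classes: 'l' = lowercase letter, 'd' = decimal digit.
CLASSES = {"l": string.ascii_lowercase, "d": string.digits}


def keyspace(mask):
    """Number of candidates a mask describes, e.g. 'lllllldd' -> 26**6 * 10**2."""
    n = 1
    for c in mask:
        n *= len(CLASSES[c])
    return n


def candidates(mask):
    """Enumerate every string matching the mask, in lexicographic order."""
    for chars in itertools.product(*(CLASSES[c] for c in mask)):
        yield "".join(chars)


def estimate_seconds(mask, hashes_per_second):
    """Worst-case time to exhaust the mask at an assumed cracking rate."""
    return keyspace(mask) / hashes_per_second


def md5_unsalted(password):
    """The weak scheme from the report: one round of MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(hashes, mask):
    """Crack a whole dump of unsalted MD5 hashes in ONE pass over the mask.

    With no salt, each candidate hash is compared against every target at once
    (set lookup), so cracking N accounts costs about the same as cracking one.
    Returns (recovered {hash: password}, number of MD5 computations).
    """
    targets = set(hashes)
    recovered = {}
    work = 0
    for cand in candidates(mask):
        work += 1
        h = md5_unsalted(cand)
        if h in targets:
            recovered[h] = cand
            if len(recovered) == len(targets):
                break
    return recovered, work


def pbkdf2_salted(password, salt, iterations):
    """The hardened scheme: per-user random salt plus iterated hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack_salted(records, mask, iterations):
    """Same candidate set against salted, iterated hashes.

    Every record carries its own salt, so the mask must be re-hashed per
    account, and each guess costs `iterations` rounds: total work scales as
    accounts * keyspace * iterations. `records` is a list of (salt, digest_hex).
    Returns (recovered {digest: password}, number of PBKDF2 evaluations).
    """
    recovered = {}
    work = 0
    for salt, digest in records:
        for cand in candidates(mask):
            work += 1
            if pbkdf2_salted(cand, salt, iterations) == digest:
                recovered[digest] = cand
                break
    return recovered, work


if __name__ == "__main__":
    print("candidates for 'lllllldd':", keyspace("lllllldd"))
    # Assumed rate of 1e9 MD5/s (an illustrative assumption, not a measurement).
    print("seconds to exhaust at 1e9 MD5/s:", estimate_seconds("lllllldd", 1e9))

    # Pure Python is far slower than a real cracker, so the runnable demo uses
    # the shorter mask 'lldd' (67,600 candidates) with constructed passwords.
    demo = ["qw12", "ab99"]
    dump = [md5_unsalted(p) for p in demo]
    found, work = crack_unsalted(dump, "lldd")
    print("unsalted MD5: recovered", len(found), "of", len(dump), "using", work, "hashes")

    # Salted, iterated: each account needs its own run through the mask.
    records = [(os.urandom(16), None) for _ in demo]
    records = [(salt, pbkdf2_salted(p[:2], salt, 1000)) for (salt, _), p in zip(records, demo)]
    found, work = crack_salted(records, "ld", 1000)
    print("salted PBKDF2: recovered", len(found), "using", work, "PBKDF2 runs of 1000 rounds")
```

The unsalted run recovers every account in a single sweep, which is exactly why an attacker with a dumped table of MD5 hashes can afford to brute-force all of them; the salted, iterated variant multiplies the attacker's cost by the number of accounts and by the iteration count, which is the point of salting and key stretching.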

Maybe, just maybe, this will help the PCI Council change their position on MD5. It would be great to get some pressure again to fix the ten-year-old security flaws. Compliance regulations are one of the most effective ways to move that dial.

Updated to add: Colbert on HBGary — it was a government subversive plot to undermine journalists and proves they can’t get anything right:
