While it’s idiotic to refrain from updating your servers, it is doubly idiotic to refuse to update your servers after they’ve been hacked.
Under the terms of the provisioning service that the servers were provided under, Fleishman-Hillard was responsible for the administration and security of the servers, including operating system updates, software installations and backups, and had set up the servers—but “had chosen not to update their applications,” Brubeck said.
via After first Anon hack, PR firm failed to update other .gov websites.
Ars Technica has a good introduction to the tools of Anonymous, covering LOIC, Slowloris, HOIC, and VPN anonymizing services.
High Orbits and Slowlorises: understanding the Anonymous attack tools.
Anonymous again demonstrates the importance of strong passwords:
Along with the release of these e-mails, Anonymous also exposed the passwords of 78 accounts on the Ministry’s servers. Of the passwords revealed, 31 were “12345” and a number were minor variations on that. Some of the other passwords in the set included:
via Anonymous exposes e-mails of Syrian presidential aides.
So again: Palin’s Yahoo account was hacked because it used publicly-known answers for its password-recovery questions, a report page left outside the protected admin area exposed the members of O’Reilly’s site, and password reuse by those members exposed their other personal accounts.
On September 19, 2008, hackers from the Anonymous collective attacked the website of Fox News host Bill O’Reilly. The hackers found and immediately posted e-mail addresses, passwords, and physical addresses of 205 O’Reilly site members paying $5 a month to hear Bill’s wisdom. The next day, a distributed denial of service (DDoS) attack hit the site with 5,000 packets per second. That night, another attack flooded two O’Reilly servers with 1.5GB/s of data.
The attack itself wasn’t particularly clever, but it was effective. Billoreilly.com’s administrative interface was protected by a servlet that locked down access to all back-end material, but the site administrator made one small mistake: he once created a “New premium member report” showing a list of the most recent subscribers, and he created it in such a way that it bypassed the servlet. As later FBI interview notes show, this was “just an error”—but it made the new member report available outside the secure admin structure to someone who knew the location.
The attackers took the name at the top of the list, an account registered only one hour before, and used it to log into the O’Reilly site as a check of the data’s accuracy. The information was then posted to Wikileaks and discussed on 4chan. Three O’Reilly members who had used the same password on multiple other sites experienced additional fraudulent use of that information.
The article doesn’t say whether the portion of Bill’s site that was hacked contained cardholder data, so I don’t know whether this counts as a breach meriting PCI DSS penalties. But it’d be quite embarrassing for Bill if his site now has to post the “We’ve been hacked!” banner.
via Exclusive: How the FBI investigates the hacktivities of Anonymous.
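The O’Reilly mistake above is an authorization check keyed on URL location: everything under the admin area is gated, so a report created anywhere else is reachable by anyone who knows the path. The following is an added illustration, not code from the article or from billoreilly.com: a toy router in Python with the prefix-based check beside a deny-by-default version in which every route must declare who may call it. Route paths, roles and the subscriber list are constructed for the example.

```python
"""Prefix-based authorization beside a deny-by-default router (added example)."""
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, str]
Handler = Callable[[dict], str]


def new_member_report(_session: dict) -> str:
    # Constructed stand-in for the "New premium member report".
    return "latest subscribers: carol, bob, alice"


def admin_dashboard(_session: dict) -> str:
    return "admin dashboard"


class PrefixProtectedApp:
    """Only paths under /admin/ are checked.

    The report was registered outside that prefix, so the check never runs
    for it: the same class of mistake the FBI notes call "just an error".
    """

    def __init__(self) -> None:
        self.routes: Dict[str, Handler] = {
            "/admin/dashboard": admin_dashboard,
            "/reports/new-members": new_member_report,  # lives outside /admin/
        }

    def handle(self, path: str, session: dict) -> Response:
        if path.startswith("/admin/") and session.get("role") != "admin":
            return 403, "forbidden"
        handler = self.routes.get(path)
        if handler is None:
            return 404, "not found"
        return 200, handler(session)


class DenyByDefaultApp:
    """Every route carries its own required role; None marks a public route.

    Forgetting to register a resource cannot expose it: an unregistered path
    is a 404, and a registered one is checked regardless of where it lives.
    """

    def __init__(self) -> None:
        self.routes: Dict[str, Tuple[Handler, Optional[str]]] = {
            "/admin/dashboard": (admin_dashboard, "admin"),
            "/reports/new-members": (new_member_report, "admin"),
        }

    def handle(self, path: str, session: dict) -> Response:
        entry = self.routes.get(path)
        if entry is None:
            return 404, "not found"
        handler, required_role = entry
        if required_role is not None and session.get("role") != required_role:
            return 403, "forbidden"
        return 200, handler(session)


def probe(app) -> Dict[str, int]:
    """Status codes an anonymous visitor gets from each route."""
    anonymous: dict = {}
    return {path: app.handle(path, anonymous)[0] for path in app.routes}


if __name__ == "__main__":
    print("prefix check   :", probe(PrefixProtectedApp()))
    print("deny by default:", probe(DenyByDefaultApp()))
```

The second class makes the authorization decision part of registering the route, so the reviewer of a new report sees the missing role at the point the route is added rather than discovering it from the server logs.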
Anonymous computer hackers broke into a BART website and revealed personal information on thousands of BART riders Sunday, part of a protest that could include a disruption of train service during the Monday afternoon commute.
Transit officials closed down the myBART website, which is run by an external vendor, and urged anyone who subscribed to the news alert service to change their passwords on other websites if they use the same password they used for myBART.
The information includes names, email addresses, myBART account passwords, and in some cases mailing addresses and phone numbers. BART officials emphasized that no financial information is stored in the affected database.
I wonder if the passwords were even encrypted.
via Computer hackers expose BART riders personal information – San Jose Mercury News.
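Two of the posts above turn on how passwords are stored and chosen: the Syrian ministry dump where 31 of 78 passwords were “12345” or a minor variation, and the BART breach where it is unclear whether the stored passwords were protected at all. The block below is an added example, not code from either article or from the affected sites: it stores passwords with a salted, iterated KDF (PBKDF2-HMAC-SHA256 from the standard library) and then runs the attacker’s first move against the resulting records, a short common-password list with the usual variations. The account names, passwords, wordlist and iteration count are constructed for the example.

```python
"""Salted KDF password storage, and a wordlist attack run against it (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional

ITERATIONS = 100_000  # assumption for the example; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and iteration count."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


# Constructed wordlist: the kind of entries an attacker tries before anything else.
COMMON = ["12345", "123456", "password", "qwerty"]


def expand(base_words: Iterable[str]) -> List[str]:
    """Base words plus the 'minor variations' seen in the ministry dump."""
    out: List[str] = []
    for word in base_words:
        out.append(word)
        out.append(word.capitalize())
        out.extend(word + suffix for suffix in ("1", "!", "123"))
    return list(dict.fromkeys(out))  # de-duplicate, keep order


def crack(record: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that verifies against the record, if any."""
    for candidate in candidates:
        if verify_password(candidate, record):
            return candidate
    return None


# Constructed accounts, not data from either breach.
SAMPLE_PLAINTEXT: Dict[str, str] = {
    "aide1": "12345",
    "aide2": "123451",
    "aide3": "hazel-tundra-47-marlin",
}


def build_store(plaintext: Dict[str, str]) -> Dict[str, str]:
    """What a properly built credential table holds: one record per user."""
    return {user: hash_password(pw) for user, pw in plaintext.items()}


def audit(store: Dict[str, str], candidates: List[str]) -> Dict[str, Optional[str]]:
    """Run the wordlist against every record; None means it survived."""
    return {user: crack(record, candidates) for user, record in store.items()}


if __name__ == "__main__":
    for user, found in audit(build_store(SAMPLE_PLAINTEXT), expand(COMMON)).items():
        print(f"{user}: {'cracked -> ' + found if found else 'survived'}")
```

Salting and iteration only buy time: the two weak accounts fall within the first few guesses, while the passphrase survives this list and every list of its kind. Stored in plaintext, as the BART post worries, all three would have been readable without any guessing at all.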
I’m sure that the HBGary executives were thinking the same thing most of us do: “I’m kind of busy right now, and I’ll change it to something stronger when I have a little more time.” I’ve done that more times than I care to think about, as I noted in December when the Gawker story broke. Since then, I’ve become a little bit better at resisting the temptation to slap a quick and dirty password on an account. But I’m still doing it from time to time, as I realized the last time I ordered a cable from my new favorite vendor for such things.
Long ago, I came up with a system for creating and remembering unique credentials for sites, only to be stymied by sites that refused to allow non-alphanumeric characters in either the password or username field. Even now, there’s a surprising number of sites that refuse to accept the plus sign in a gmail address (ex: email@example.com) which is completely legitimate!
KeePass and similar utilities are a great help in this regard.
via Password Security, How Does It Work? – Security – News & Reviews – eWeek.com.
It’s been very interesting watching the HBGary vs Anonymous event unravel in such a public way, with such well-known hacker methodology used to compromise the systems of security specialists. Anonymous used SQL injection against HBGary’s public CMS to pull out a few usernames and password hashes, cracked them, and with a non-privileged user account was able to compromise an otherwise fairly secure Linux system that was behind on its patches:
The only way they can have some fun is to elevate privileges through exploiting a privilege escalation vulnerability. These crop up from time to time and generally exploit flaws in the operating system kernel or its system libraries to trick it into giving the user more access to the system than should be allowed. By a stroke of luck, the HBGary system was vulnerable to just such a flaw. The error was published in October last year, conveniently with a full, working exploit. By November, most distributions had patches available, and there was no good reason to be running the exploitable code in February 2011.
Exploitation of this flaw gave the Anonymous attackers full access to HBGary’s system. It was then that they discovered many gigabytes of backups and research data, which they duly purged from the system.
Aaron’s password yielded even more fruit. HBGary used Google Apps for its e-mail services, and for both Aaron and Ted, the password cracking provided access to their mail. But Aaron was no mere user of Google Apps: his account was also the administrator of the company’s mail. With his higher access, he could reset the passwords of any mailbox and hence gain access to all the company’s mail—not just his own. It’s this capability that yielded access to Greg Hoglund’s mail.
PCI DSS (Requirement 6.2) requires critical security patches to be installed within one month of release; here the fix had been available since November. In addition, could Google Apps’ two-step verification have blocked that portion of the attack, since a cracked password alone would then not have been enough to log in?
So what do we have in total? A Web application with SQL injection flaws and insecure passwords. Passwords that were badly chosen. Passwords that were reused. Servers that allowed password-based authentication. Systems that weren’t patched. And an astonishing willingness to hand out credentials over e-mail, even when the person asking for them should have realized something was up.
It’s not enough to know security if you don’t actually implement it.
via Anonymous speaks: the inside story of the HBGary hack.
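The HBGary intrusion above started with SQL injection in a public CMS. The block below is an added example, not HBGary’s CMS code or anything from the Ars article: a minimal content lookup and login against an in-memory SQLite database, each in its spliced-string form beside its bound-parameter form, with a UNION payload that turns the article lookup into a credential dump and a comment payload that walks past the login. The table layout, the two accounts and the choice of unsalted MD5 for the stored passwords are assumptions made so the later cracking step has something to work on.

```python
"""SQL injection in a CMS lookup and login, beside the parameterised fix (added example)."""
import hashlib
import sqlite3
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts; unsalted MD5 storage is an assumption for the example.
SAMPLE_USERS: Dict[str, str] = {"alice": "password", "bob": "12345"}


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);"
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [(u, md5_hex(p)) for u, p in SAMPLE_USERS.items()],
    )
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Welcome", "Public article body"), ("News", "Another public article")],
    )
    return conn


# --- vulnerable: attacker-controlled text becomes part of the statement ---

def get_article_vulnerable(conn: sqlite3.Connection, article_id: str) -> List[Tuple[str, str]]:
    sql = "SELECT title, body FROM articles WHERE id = " + article_id
    return conn.execute(sql).fetchall()


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + md5_hex(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# --- hardened: values travel as bound parameters and never alter the statement ---

def get_article_safe(conn: sqlite3.Connection, article_id: str) -> List[Tuple[str, str]]:
    try:
        ident = int(article_id)  # an article id is an integer; reject anything else
    except ValueError:
        return []
    return conn.execute(
        "SELECT title, body FROM articles WHERE id = ?", (ident,)
    ).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, md5_hex(password)),
    ).fetchone()
    return row[0] if row else None


# Payloads: one turns the article lookup into a dump of the users table,
# the other comments out the password clause of the login query.
DUMP_PAYLOAD = "0 UNION ALL SELECT username, password FROM users"
BYPASS_USERNAME = "alice' --"


def demo() -> Dict[str, object]:
    conn = build_db()
    return {
        "leaked": get_article_vulnerable(conn, DUMP_PAYLOAD),
        "leaked_safe": get_article_safe(conn, DUMP_PAYLOAD),
        "bypass": login_vulnerable(conn, BYPASS_USERNAME, "wrong"),
        "bypass_safe": login_safe(conn, BYPASS_USERNAME, "wrong"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The dump payload is what yields a list of usernames and hashes for offline cracking; with bound parameters the same input is just a string that matches no article id. The fix is not validation of the payload text but the separation of statement from data, with the integer check as a second, independent layer.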
This is amusing on so many levels… Remember! The only secure system is powered off and unplugged.
But within a day, Anonymous had managed to infiltrate HBGary Federal’s website and take it down, replacing it with a pro-Anonymous message (“now the Anonymous hand is bitch-slapping you in the face.”) Anonymous got into HBGary Federal’s e-mail server, for which Barr was the admin, and compromised it, extracting over 40,000 e-mails and putting them up on The Pirate Bay, all after watching his communications for 30 hours, undetected. In an after-action IRC chat, Anonymous members bragged about how they had gone even further, deleting 1TB of HBGary backup data.
They even claimed to have wiped Barr’s iPad remotely.
The situation got so bad for the security company that HBGary, the company which partially owns HBGary Federal, sent its president Penny Leavy into the Anonymous IRC chat rooms to swim with the sharks—and to beg them to leave her company alone. (Read the bizarre chat log.) Instead, Anonymous suggested that, to avoid more problems, Leavy should fire Barr and “take your investment in aaron’s company and donate it to BRADLEY MANNINGS DEFENCE FUND.” Barr should cough up a personal contribution, too; say, one month’s salary?
It’s not surprising how over-confident Barr was and that his systems were compromised, but it is amazing how bad his writing is.
via How one man tracked down Anonymous—and paid a heavy price.