How one man tracked down Anonymous—and paid a heavy price
http://arstechnica.com/tech-policy/news/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price.ars/
Quote
Aaron Barr believed he had penetrated Anonymous. The loose hacker collective had been responsible for everything from anti-Scientology protests to pro-Wikileaks attacks on MasterCard and Visa, and the FBI was now after them. But matching their online identities to real-world names and locations proved daunting. Barr found a way to crack the code.
In a private e-mail to a colleague at his security firm HBGary Federal, which sells digital tools to the US government, the CEO bragged about his research project.
"They think I have nothing but a heirarchy based on IRC [Internet Relay Chat] aliases!" he wrote. "As 1337 as these guys are suppsed to be they don't get it. I have pwned them! :)"
But had he?
"We are kind of pissed at him right now" (http://arstechnica.com/tech-policy/news/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price.ars/)
I read about this in relation to Glenn Greenwald.
It looks like a major private security firm, working in alliance with a group linked to the Chamber of Commerce, was paid by the Bank of America to come up with a plan to neutralize both Anonymous and major supporters of Wikileaks in the media, such as Greenwald, to further the delegitimization of Wikileaks as a whole.
This is a major fucking scoop.
That article put a smile on my face. :)
I like how it never once entered this dude's mind that it was probably a really bad idea, as his coder told him repeatedly.
Wow this was a really interesting story. :)
Quote from: Doktor Blight on February 12, 2011, 05:07:04 PM
I like how it never once entered this dude's mind that it was probably a really bad idea, as his coder told him repeatedly.
His picture suggests he's a smug little fucker who thinks he can get away from these kinds of things.
To fuck around with 4chan is truly an act of hubris. Ever thus to media moguls.
so I did finally dig into this and I have to say.. what a fucking dumbass. I applaud everything that's happened to him.
he made his bed.
I really like the IRC logs, where he comes in to, once again, let Anonymous know that they've broken the law... still failing to understand his position there.
Also, this is the social engineering they pulled to get root on rootkit.com:
http://dazzlepod.com/site_media/txt/rootkit.com.txt
Classic textbook social engineering.
Quote from: Triple Zero on February 14, 2011, 04:28:41 PM
Also, this is the social engineering they pulled to get root on rootkit.com:
http://dazzlepod.com/site_media/txt/rootkit.com.txt
Classic textbook social engineering.
That was disturbingly easy.
They don't allow remote root but root superuser works? WTF?
Also the complete and utter lack of wetware control is kinda scary, no way in hell would I reset a password to what they requested unless they were standing in front of me (and I knew them personally). Password resets are random and go over encrypted emails ffs.
Quote from: LMNO, PhD on February 14, 2011, 04:32:09 PM
Quote from: Triple Zero on February 14, 2011, 04:28:41 PM
Also, this is the social engineering they pulled to get root on rootkit.com:
http://dazzlepod.com/site_media/txt/rootkit.com.txt
Classic textbook social engineering.
That was disturbingly easy.
Keep in mind that the hacker already managed to send email from greg@hbgary.com, which helps on the credibility part.
HOWEVER, doing that is really easy and requires no "real hacking" whatsoever. The email protocol specifies you can write whatever you like in the "From:" field in an email header. Sometimes your ISP will block emails with a different host domain in the header, but I've found just as often they don't.
It is relatively easy to detect though. Most email clients have a "view source" or "display all headers" option, if you do that, and know what you're looking at, it'll be obvious something's not right.
But then, if the recipient has no reason to suspect foul play, he's never going to know.
So in this case, I don't know if the hacker has already read other bits of Greg Hoglund's writing, since he's transmitting a very distinct tone of voice and writing style (lowercase "im", "or something vague", etc), also mentioning those two other root passwords ("jabberwocky" in l33t, really?).
Or maybe he's just assuming that this Jussi never really talked to Greg before and is bluffing really, really hard. But in that case, a bell would ring for any sysadmin worth their salt and they'd check a few things.
Which is why the hacker used the "I'm in a rush" gambit.
If you like these sorts of things, check out the classic "Art of Deception" by Kevin Mitnick and another book called "Low Tech Hacking" (or Lo-Tech, I forget--I believe it was in one of the large book collections posted many years ago, both of them possibly, but you can find AoD simply by Googling a bit, even though it's copyrighted, loads of hacker websites have it up as text format)
Oh and of course it could also be that the hacker had indeed already hacked Greg's email account and is not just faking the header.
Either way, these mistakes should definitely NOT be made by companies that are pretty much in the business of educating other companies how NOT to make these mistakes (which is probably the No.1 task of most security consulting agencies).
So yeah, if this hack really did cost HBGary millions of dollars (releasing 60k emails and a corporate database full of sensitive non-disclosure-agreement data can do that), Anonymous definitely did a public service, because the US gov was wasting loads of tax dollars on these schmucks, and their future non-government clients are better off for not going into business with these charlatans.
Only thing that I personally consider unethical about it (not talking about legality here) is that the leaks contain NDA data from other companies. They didn't do anything wrong, and any damage there is collateral. Not very nice of Anonymous, but it spells the end for HBGary since NDA is nothing to fuck with, and it was their responsibility to keep that data safe (come on, a security company getting owned like this, I still can't believe it) and the NDA contracts probably don't have an "unless you get 0wned by Anonymous" clause.
Quote from: Requia ☣ on February 14, 2011, 05:16:56 PM
Also the complete and utter lack of wetware control is kinda scary, no way in hell would I reset a password to what they requested unless they were standing in front of me (and I knew them personally). Password resets are random and go over encrypted emails ffs.
You seem to gloss over the social engineering aspects a little bit.
While I agree with LMNO that it seemed disturbingly easy, after reading Cialdini's Influence, I'm very hesitant to say things like "no way in hell [I would fall for that]". The book quotes some interesting statistics about people saying "no way I would fall for that" about the typical psychological influence tricks. When faced with such a situation a bit later on, unexpectedly and in a (set up) real life scenario, they are still very likely to fall for it. Admittedly, less so than people that did not boast their resilience, but it was more like they fell for it 90% and the sure-of-themselves crowd still a fat 75%. More than enough for me to stop thinking "Ha! I'd never do something that dumb".
See, what you're forgetting is that this is his BOSS emailing him, and he is in a HURRY. Apparently that was enough for this guy to drop protocol (if there was any). And before you say you'd never drop protocol no matter what somebody would say, re-read the above paragraph :)
If you're just counting on your natural resilience against social engineering, you're going to fall into the 75% category. The only way to do better than that is training. Real simple, just some basic exercises where somebody asks for the password and you say "no" :) Best if they're obviously not real, not your actual boss's name, not even the same company, because that way they won't get mixed up for the real thing (remember all the movie plots where *whatever* got exploited or broken into because of a faked training exercise or fire drill? yeah). You just need to take your mind through the movements a few times, so it etches out the pattern.
Anybody who worked in a call-center probably has done similar exercises (training). Often even with hired actors.
Really, really good security consultancy firms provide this sort of training. But it's hard to sell, so not many of them do. The bullshit spouted by Aaron Barr sells a lot better.
I have been in that same situation, so no, I'm not speculating.
Also, you don't need proper training for this; what you need is a password reset policy for the employee to hide behind. Hell, with proper policy that SE attack isn't even possible: the guy would have switched over to encrypted emails and locked the attacker out of the conversation.
IT GETS BETTER!
http://blogs.computerworld.com/17827/hbgary_federal_quits_rsa_over_anonymous_wikileaks_email
Boys and Girls, this is just further proof that the internet is no longer for lulz. Your mild-mannered fap page is now a battleground.
I applaud.
Couple Comments:
1. Password Rules!!! FFS!!! A password that is alphanumeric is no longer acceptable. A password that is less than 10 characters and is only alphanumeric AND is only hashed with straight MD5 (no salt?!?!?!) is absurd.
2. Password Reset via Social Engineering = Oldest trick in the book. I was rooting companies with that trick last century. For a security firm not to have controls in place for that is nothing more than complete negligence.
3. HOW FAR BEHIND ARE YOU ON PATCHING?!?!?!?!
4. A SQL injection attack? Really, a SQL Injection attack on an external facing server...
:facepalm:
This isn't even "Ooohhh, look at Anonymous' 31337 5ki11Z!!!!" this is textbook, first year hacker level stuff. All I can say is that HB Gary is gonna have a hard time recovering their reputation after this!!
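An added example for point 1 above, not code from HBGary, rootkit.com or the leaked database, showing what "straight MD5, no salt" costs in practice: the attacker builds the hash-to-password table once and reuses it against every hash in every dump, while a per-user salt plus a slow, iterated hash makes that table worthless and forces the work to be redone per user, per guess. The search space (4 lowercase characters), the user names and the passwords are constructed so the whole space enumerates in a couple of seconds in pure Python; real spaces are far larger and real attackers use GPUs, so the point is cost per guess, not whether the demo finishes. PBKDF2-HMAC-SHA256 is used because it is in the standard library; bcrypt, scrypt or Argon2 are the usual production choices.

```python
"""Unsalted MD5 versus a salted, iterated password hash, standard library only.

Added example for this thread; not code from HBGary, rootkit.com or the
leaked database. The password space, users and passwords are constructed.
"""
import hashlib
import hmac
import itertools
import os
import string

# Constructed search space: 26^4 = 456,976 candidates, small enough for pure
# Python. Real attackers enumerate far larger spaces on GPUs.
ALPHABET = string.ascii_lowercase
LENGTH = 4


def unsalted_md5(password: str) -> str:
    """The scheme the post objects to: md5(password), no salt, no iteration."""
    return hashlib.md5(password.encode()).hexdigest()


def build_md5_table(alphabet: str = ALPHABET, length: int = LENGTH) -> dict:
    """Precompute md5(candidate) -> candidate for the whole space.

    Built once, then reused against every unsalted MD5 hash from any dump,
    which is exactly the work a rainbow table amortises.
    """
    table = {}
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        table[hashlib.md5(candidate.encode()).hexdigest()] = candidate
    return table


def crack_unsalted(table: dict, md5_hex: str):
    """One dictionary lookup recovers the password, or None if out of space."""
    return table.get(md5_hex.lower())


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt_hex$dk_hex'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_dump(table: dict, dump: dict) -> dict:
    """Apply the precomputed table to a whole {user: hash} dump at once."""
    return {user: crack_unsalted(table, h) for user, h in dump.items()}


def demo() -> dict:
    # Constructed 'leaked' user table, hashed the way the post complains about.
    users = {"alice": "zcat", "bob": "root", "carol": "zcat"}
    unsalted_dump = {u: unsalted_md5(p) for u, p in users.items()}
    table = build_md5_table()
    recovered = crack_dump(table, unsalted_dump)

    # Same users, same passwords, salted and iterated: alice and carol no
    # longer share a hash, and nothing in the MD5 table matches.
    salted_dump = {u: hash_password(p) for u, p in users.items()}
    table_hits = {u: crack_unsalted(table, s.split("$")[2]) for u, s in salted_dump.items()}
    return {
        "recovered": recovered,
        "shared_unsalted": unsalted_dump["alice"] == unsalted_dump["carol"],
        "shared_salted": salted_dump["alice"] == salted_dump["carol"],
        "table_hits": table_hits,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and every unsalted password comes back from a single lookup, two users with the same password are visibly identical in the unsalted dump, and the same table recovers nothing from the salted one. The 200,000 iterations are the other half of the fix: the table is gone, and each remaining guess now costs a few hundred thousand HMAC operations instead of one MD5.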
Quote from: Ratatosk on February 17, 2011, 07:19:14 PM
This isn't even "Ooohhh, look at Anonymous' 31337 5ki11Z!!!!" this is textbook, first year hacker level stuff. All I can say is that HB Gary is gonna have a hard time recovering their reputation after this!!
Most of Anonymous (the ones in the IRC channels that get stuff done) are social engineers with a few skiddies sprinkled in. Of course that doesn't mean they won't use this opportunity to bolster their own egos (lol we h4xX0red a security company look at how 1337 we r)
Quote from: Lord Glittersnatch on February 17, 2011, 08:39:30 PM
Quote from: Ratatosk on February 17, 2011, 07:19:14 PM
This isn't even "Ooohhh, look at Anonymous' 31337 5ki11Z!!!!" this is textbook, first year hacker level stuff. All I can say is that HB Gary is gonna have a hard time recovering their reputation after this!!
Most of Anonymous (the ones in the IRC channels that get stuff done) are social engineers with a few skiddies sprinkled in. Of course that doesn't mean they won't use this opportunity to bolster their own egos (lol we h4xX0red a security company look at how 1337 we r)
True, but honestly, 9 times out of 10, a successful attack on a target looks a lot like what happened here. It's often about configuration, social engineering and old 'shouldabeen patched' vulnerabilities.
w00t!
I just had to write a position paper on this attack for the company. Apparently I'm also going to be in a meeting to "Explain this Anonymous thing to Executives".
:lulz: :lulz: :lulz: :lulz:
Start with "Wise Beard Man Is Wise", and work backwards from there.
Quote from: LMNO, PhD on February 18, 2011, 03:46:09 PM
Start with "Wise Beard Man Is Wise", and work backwards from there.
First Draft just went out...
First response from CISO:
"So how many of these 'Stand Alone Complex' groups are out there now... and do we need to be concerned?"
:lulz:
Quote from: Ratatosk on February 18, 2011, 04:35:09 PM
Quote from: LMNO, PhD on February 18, 2011, 03:46:09 PM
Start with "Wise Beard Man Is Wise", and work backwards from there.
First Draft just went out...
First response from CISO:
"So how many of these 'Stand Alone Complex' groups are out there now... and do we need to be concerned?"
:lulz:
Answer. "Lots. And, Not as long as we don't piss any of them off. And we will. So... Yes."
Quote from: Ratatosk on February 18, 2011, 04:35:09 PM
Quote from: LMNO, PhD on February 18, 2011, 03:46:09 PM
Start with "Wise Beard Man Is Wise", and work backwards from there.
First Draft just went out...
First response from CISO:
"So how many of these 'Stand Alone Complex' groups are out there now... and do we need to be concerned?"
:lulz:
Tell them there are thousands, more than they could ever imagine.
For anyone thinking Anonymous went too far, also Wired does WOMP:
http://www.wired.com/threatlevel/2011/02/spy/all/1
Seriously, that Aaron is one fucked up fucker. Scary calls to his family? Well, he did at least as bad. Sure, his family had nothing to do with it, but in the same sense as somebody married to an organised crime member doesn't really deserve it when work is brought home. Okay, that's a bit harsh, I don't really believe that. But it does clear some of Anonymous's actions a little bit IMO.
Also, Glenn Greenwald wrote yet another summary with some new insights, especially on the subject of hypocrisy, how it's perfectly okay to do this when it's in line with Gov./Inc. and abhorrent when you're not.
http://www.salon.com/news/opinion/glenn_greenwald/2011/02/11/campaigns/index.html
Quote from: Ratatosk on February 18, 2011, 04:35:09 PM
Quote from: LMNO, PhD on February 18, 2011, 03:46:09 PM
Start with "Wise Beard Man Is Wise", and work backwards from there.
First Draft just went out...
First response from CISO:
"So how many of these 'Stand Alone Complex' groups are out there now... and do we need to be concerned?"
:lulz:
Warn him about HIMEOBS.
Oh yes. Please, yes.
Quote from: LMNO, PhD on February 18, 2011, 05:58:36 PM
Oh yes. Please, yes.
The beauty of this is that HIMEOBS has an ED entry, etc, so he can make up any ridiculous shit he likes, with no chance of getting in trouble.
"Nobody is sure what HIMEOBS stands for. One rumor is "His Imperial Majesty's Elite Orbital Bombing Squadron", while others say it means "Hate Is Making Every One Better Soldiers". Regardless, they are a distinct cyber threat, as they conduct all manner of attacks without claiming credit, and solely for the chaos created by the attack...Ergo, they cannot be bought off or placated, since they have no actual agenda other than mayhem for its own sake."
Quote from: The Good Reverend Roger on February 18, 2011, 06:03:54 PM
Quote from: LMNO, PhD on February 18, 2011, 05:58:36 PM
Oh yes. Please, yes.
The beauty of this is that HIMEOBS has an ED entry, etc, so he can make up any ridiculous shit he likes, with no chance of getting in trouble.
"Nobody is sure what HIMEOBS stands for. One rumor is "His Imperial Majesty's Elite Orbital Bombing Squadron", while others say it means "Hate Is Making Every One Better Soldiers". Regardless, they are a distinct cyber threat, as they conduct all manner of attacks without claiming credit, and solely for the chaos created by the attack...Ergo, they cannot be bought off or placated, since they have no actual agenda other than mayhem for its own sake."
Hide HIMEOBS propaganda around the office for maximum power.
Quote from: Triple Zero on February 18, 2011, 05:50:33 PM
Also, Glenn Greenwald wrote yet another summary with some new insights, especially on the subject of hypocrisy, how it's perfectly okay to do this when it's in line with Gov./Inc. and abhorrent when you're not.
http://www.salon.com/news/opinion/glenn_greenwald/2011/02/11/campaigns/index.html
ZOW - that was a really powerful article
Quote from: The Good Reverend Roger on February 18, 2011, 06:03:54 PM
Quote from: LMNO, PhD on February 18, 2011, 05:58:36 PM
Oh yes. Please, yes.
The beauty of this is that HIMEOBS has an ED entry, etc, so he can make up any ridiculous shit he likes, with no chance of getting in trouble.
"Nobody is sure what HIMEOBS stands for. One rumor is "His Imperial Majesty's Elite Orbital Bombing Squadron", while others say it means "Hate Is Making Every One Better Soldiers". Regardless, they are a distinct cyber threat, as they conduct all manner of attacks without claiming credit, and solely for the chaos created by the attack...Ergo, they cannot be bought off or placated, since they have no actual agenda other than mayhem for its own sake."
Oh, we totally need to start claiming that Mayhem is one of ours that we hired out to Allstate Insurance.
http://www.funnycommercialsworld.com/mayhem-is-coming-tv-campaing-from-allstate-insurance-4227.html
Quote from: Telarus on February 18, 2011, 10:15:30 PM
Quote from: The Good Reverend Roger on February 18, 2011, 06:03:54 PM
Quote from: LMNO, PhD on February 18, 2011, 05:58:36 PM
Oh yes. Please, yes.
The beauty of this is that HIMEOBS has an ED entry, etc, so he can make up any ridiculous shit he likes, with no chance of getting in trouble.
"Nobody is sure what HIMEOBS stands for. One rumor is "His Imperial Majesty's Elite Orbital Bombing Squadron", while others say it means "Hate Is Making Every One Better Soldiers". Regardless, they are a distinct cyber threat, as they conduct all manner of attacks without claiming credit, and solely for the chaos created by the attack...Ergo, they cannot be bought off or placated, since they have no actual agenda other than mayhem for its own sake."
Oh, we totally need to start claiming that Mayhem is one of ours that we hired out to Allstate Insurance.
http://www.funnycommercialsworld.com/mayhem-is-coming-tv-campaing-from-allstate-insurance-4227.html
That gives me an idea. What if we claimed that we had all sorts of sleeper cells EVERYWHERE. In every facet of the company, as well as rival companies.
Would that not scare the shit out of them?
http://crowdleaks.org/hbgary-wanted-to-suppress-stuxnet-research/