http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars Very well written article from ARS on how Anonymous was able to destroy HBGary. This should be required reading for any I.T. Geek.
2/16/2011 12:06:55 AM
TL;DR: MD5hit and SQLOL injection
2/16/2011 2:31:41 AM
Don't forget "social engineering." Pretty interesting read. Thanks
2/16/2011 2:59:22 AM
No salting either. I just sent this to my team. I've been handling a lot of security lately, so some of this seems downright retarded (especially for a security company). Here's a good article on rainbow tables... every other place I've seen it explained incorrectly: http://kestas.kuliukas.com/RainbowTables/
2/16/2011 9:39:28 AM
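Added example (not from the thread or the linked articles) of what "MD5 and no salting" means for whoever stores the password table: unsalted MD5 digests can be looked up in a precomputed table and reveal which accounts share a password, while a per-user salt with a slow KDF removes both properties. The word list, account names, iteration count and the choice of PBKDF2-HMAC-SHA256 are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data: a tiny stand-in for a precomputed (rainbow) table.
COMMON = ["password123", "letmein", "qwerty2011"]
PRECOMPUTED = {hashlib.md5(w.encode()).hexdigest(): w for w in COMMON}

def md5_unsalted(password):
    """Weak storage: one fast, unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()

def audit_unsalted(table):
    """Defender-side audit of a {user: md5_hex} table.

    Returns (users whose digest is in the precomputed table,
             groups of users sharing a digest, i.e. sharing a password)."""
    by_digest = defaultdict(list)
    for user, digest in table.items():
        by_digest[digest].append(user)
    exposed = {u: PRECOMPUTED[d] for u, d in table.items() if d in PRECOMPUTED}
    shared = sorted(sorted(us) for us in by_digest.values() if len(us) > 1)
    return exposed, shared

def store_salted(password, iterations=200_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk

def verify_salted(password, record):
    """Recompute with the stored salt; compare in constant time."""
    salt, iterations, expected = record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)

if __name__ == "__main__":
    # Constructed accounts: alice and bob reuse the same weak password.
    users = {"alice": "letmein", "bob": "letmein", "carol": "x9!Tq-unlisted"}
    exposed, shared = audit_unsalted({u: md5_unsalted(p) for u, p in users.items()})
    print("recoverable by lookup:", exposed)
    print("same digest, same password:", shared)
    a, b = store_salted("letmein"), store_salted("letmein")
    print("salted records differ:", a[2] != b[2])
    print("verify ok:", verify_salted("letmein", a))
```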
2/16/2011 9:44:07 AM
I had to brush my shoulders off after reading that. We look like Fort Knox compared to a government security company. Some of this stuff is just plain DUMB. I use the crap out of some MD5, but for nothing security related - it's packed with holes - just to verify file transfer integrity. And keys for SSH? Then sending the root passwords over plain email? Geez.
2/16/2011 9:58:27 AM
Yeah that was probably the most egregious of a laundry list of negligent failures.
2/16/2011 10:19:27 AM
Very interesting article -- thanks for the link.
2/16/2011 10:27:49 AM
As dumb as it was in hindsight, I feel bad for Jussi. If the CEO or president of the company is emailing me from his addy asking for his login credentials, I would have given them to him too.
2/16/2011 11:16:23 AM
^You make a valid point. However, our CEO/President is pretty clueless. If he was asking for that level of credential I'd be monitoring it like a hawk. He wouldn't waste time doing it himself, he'd have me retrieve it and send it to him. Of course I'd never open a hole in a firewall for almost any purpose (well, on anything production.) We've got VPN for a reason. Many, many failures here - just a perfect storm for the hackers.
2/16/2011 12:14:52 PM
Also, I feel like any form of 'jabberwocky' is a pretty common password. I think it was used at some point at my work for something.
2/16/2011 12:40:09 PM
2/16/2011 12:50:22 PM
I wonder how many of those security shortcomings TWW is vulnerable to?
2/16/2011 4:31:38 PM
^ It would take a pretty bored hacker to attack TWW. Besides, I doubt there are any blatant security holes. DISREGARD THAT, I SUCK COCKS.
2/16/2011 4:46:37 PM
Sounds like a well executed hack on a deserving target.
2/17/2011 6:09:02 AM
HACK THE PLANET
2/17/2011 10:36:13 AM
Sounds like a well executed hack on a deserving target. Indeed....seems some media outlets out there are portraying this situation as "EVIL ANONYMOUS hacks poor innocent defenseless little pride of America HBGary". I am glad that company is ruined. And the fact that that arrogant prick Aaron Barr will now be reduced to working the drive through at Wendy's gives me a certain satisfaction.
2/17/2011 5:52:52 PM
It should serve as a reality check, a wake up call.
2/17/2011 6:29:09 PM