Wednesday, 23 February 2011
C'est La Vie, You Never Can Tell: Lessons Learned from the HBGary Hack

Last week, while at the RSA show, I made a point of seeking out the HBGary booth;  I had previously been aware of their good technical reputation through webinars.  Booth #556 was there, but HBGary was not.  Searching online, I then learned that they had pulled out after being hacked by Anonymous.  This event was possibly the most significant at the entire show.  After all, the company states that its Razor product is the "Most Powerful Weapon Against Today's Targeted Attacks".  At first glance it might seem strange that a security technology company gets hacked.  But, then again, this is just confirmation that technology does not secure data.  People and process secure data, along with partners where needed.  Technology automation can help.


The best review of the HBGary attack I have seen is at Ars Technica.  What lessons can be learned from this?


1.  Test your applications.  The HBGary hack originated via a SQL injection attack.  Guess what the #1 OWASP vulnerability is:  SQL injection.  Go back to 2005 when the FTC filed suit against computer forensics company Guidance Software.  The complaint:  loss of confidential information through a SQL injection attack.  Maybe coincidence, but three HBGary executives came from Guidance.  Again:  test your applications.

2.  Use complex passwords;  use different passwords for each application.  The next steps in the HBGary exploit included guessing passwords retrieved through the injection attack, and then using those to access other systems incorporating the same passwords.  Since the 8-character passwords used by some HBGary executives included only lowercase letters and numbers, it was relatively easy for the Anonymous group to guess those passwords using pre-computed rainbow tables.  Depending on the information being accessed, we need to make it easy for users to employ complex passwords using all 95 characters on the keyboard.  Even worse, HBGary executives used the same 8-character password for other sensitive systems, thus exposing company emails and other sensitive data.  While some people argue for short simple passwords...claiming that users will just write complex passwords on Post-it notes...the HBGary hack shows clearly the risks of using passwords that can be guessed.  It also shows that security rules need to apply to executives as well as to the rest of the firm's employees.

3.  Patch systems in a timely way.  Another critical step in the hack was moving from user to administrator on a Linux support server.  This was accomplished through a published vulnerability that had not been patched.   Maybe this step in the hack was an exception.  According to the 2010 Verizon Data Breach Report, none of the intrusions they investigated resulted from a patchable vulnerability.

4.  Monitor Intrusion Detection systems.  Although there is no mention of this in the Ars Technica analysis, we have to ask the question, who was monitoring the web server, email server and other platforms that were hacked?  Each layer of HBGary's defenses had vulnerabilities.  The only way to keep intruders out in this situation will be via monitoring and rapid reporting of incidents.  This may be a difficult lesson to learn, since we all tend to treat technical defenses as impermeable.

5.  Train and retrain users about social engineering.  One of the most fascinating parts of the hack was the email exchange between the Anonymous hacker and an HBGary user requesting Greg Hoglund's user ID AND password.  This was willingly sent over the Internet.  The moral here is:  never send this information without speaking directly to the recipient.

6.  Carefully monitor your business partners.  This incident spilled over to other firms, in particular the law firm Hunton & Williams.  A number of the emails hacked at HBGary were to and from Hunton & Williams discussing the use of HBGary Federal security services.  These were from H&W partners and never intended to be aired to the public.  Ironically, H&W advertises itself on its website to "have an internationally known, superb team of privacy professionals at the firm who understand the maze of privacy and data security issues facing global companies."  A lesson learned from this is:  know who your business partners are, what data they have access to and work through risks to that data with them face to face.
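Lesson 2 above in code, as an added example that is not part of the post:  keyspace() shows how much larger the guessing space becomes when a password uses all 95 keyboard characters instead of only lowercase letters and digits, policy_violations() flags the weaknesses the post describes, and hash_password() stores passwords with a random per-user salt and an iterated hash, which is the standard defense against pre-computed rainbow tables.  The 12-character minimum and the 200,000 iteration count are assumed policy values, not figures from the post.

```python
import hashlib
import hmac
import os
import string

LOWER_DIGITS = set(string.ascii_lowercase + string.digits)
KEYBOARD_CHARS = 95          # printable ASCII characters, as in the post
MIN_LENGTH = 12              # assumed policy minimum, not a figure from the post
ITERATIONS = 200_000         # assumed PBKDF2 work factor

def keyspace(password):
    """Number of candidates a guessing attack must cover for a password of
    this length drawn from its character class: lowercase+digits only
    (36 symbols) or the full keyboard (95 symbols)."""
    symbols = 36 if set(password) <= LOWER_DIGITS else KEYBOARD_CHARS
    return symbols ** len(password)

def policy_violations(password):
    """Flags the two weaknesses the post describes in the HBGary passwords."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if set(password) <= LOWER_DIGITS:
        problems.append("uses only lowercase letters and digits")
    return problems

def hash_password(password, salt=None):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256).  A random per-user salt
    means no pre-computed table covers the stored value, and the iteration
    count slows down every guess an attacker makes."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Constant-time comparison against the stored salt and digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    weak, strong = "abcd1234", "G7#kPq!2wZ$m4R"
    print(keyspace(weak), keyspace(strong))      # 36**8 vs 95**14
    print(policy_violations(weak))               # two findings
    s1, d1 = hash_password(weak)
    s2, d2 = hash_password(weak)
    print(d1 != d2)                              # True: same password, different salts
    print(verify_password(weak, s1, d1))         # True
```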


In summary, good security is not about technical controls or architecture.  It is about execution and monitoring of execution.

As Emmy Lou Harris sang:  "C'est La Vie, You Never Can Tell"

Posted on 02/23/2011 10:38 AM by Frederick Scholl
Thursday, 10 February 2011
DDOS Tutorial

A very good tutorial on DDOS attacks, much in the news in the past few months, was posted by the Berkman Center at Harvard University in December.  The research is entitled:  "Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites", December 2010.  The first part of this report outlines DDOS attacks in general, while the last half presents research on attacks against human rights sites around the globe. 

DDOS statistics in the report, quoted from Arbor Networks, include:  1300+ DDOS attacks per day in the global Internet, 49Gbps maximum aggregate attack traffic;  botnets with up to 1 million nodes.  According to Arbor's February 1st report, DDOS attacks have now exceeded 100Gbps.  Mid-sized firms, connected through Tier 3 ISPs, are the most vulnerable.  Those connected to Tier 1 or Tier 2 providers can take advantage of those providers' expertise in mitigating DDOS attacks.

I believe we will have more of this type of attack against commercial businesses.  As more enterprises move into the cloud, are they more at risk from DDOS attacks against a fellow tenant in that cloud?  Or will the superior skills of the cloud provider be able to mitigate that risk?

Posted on 02/10/2011 12:39 PM by Frederick Scholl
Thursday, 3 February 2011
The future of information technology

We live in a time when information technology is turning everything inside out.  This presents challenges and opportunities for information security professionals.  I had the pleasure this week of listening to a presentation by Michael Rogers at LegalTech in NYC.  The subject of his talk was information technology in 2020.  Mr. Rogers designates himself as a "practical futurist".  Here are my security-related takeaways from his comments:


1.  Everything will be more mobile.  Although the size of smart phones and portable computers might be seen as a limitation, new input and output devices will be included to facilitate the concept of work anywhere.  These include picoprojectors to project screens on the wall and heads-up goggles.  These devices will continue to make securing the enterprise and home more difficult.

2.  More and more relationships and business will be done virtually.  While traditional business has been done through face to face handshakes, the millennial generation and succeeding generations are now more comfortable with the virtual relationship.  We need to come up with something to facilitate online trust.  Can we create a federal standard for a secure legal identity?

3.  Mr. Rogers talks about the "Internet of things", where everything has an IP address.  More IP addresses means more entry points for hackers, whether it be through Internet connected cars or even Internet connected dumpsters.  The Internet connected car could facilitate pay as you go insurance, but could also be a target for fraudsters.  I'm not sure about risks associated with Internet connected dumpsters!


The convergence of social media, mobility and cloud is going to challenge security professionals in these areas and many others!




Posted on 02/03/2011 10:48 AM by Frederick Scholl