The embattled CEO of HBGary Federal has resigned his post three weeks after Anonmyous hacked into the company’s network and stole thousands of e-mail messages. The ease Anonymous conducted the attack left the company that provides security services to the federal government red-faced.
CEO Aaron Barr told Threatpost on Feb. 28 that he’s stepping down to help the company regain its reputation and to improve his own.
“[G]iven that I’ve been the focus of much bad press, I hope that, by leaving, HBGary and HBGary Federal can get away from some of that. I’m confident they’ll be able to weather this storm,” Barr told Threatpost.
HBGary Federal declined comment.
At least one member of Anonymous saw it as a victory. “Aaron Barr has quit! Join our party on IRC,” Topiary, an Anonymous “supporter” posted on Twitter. “It seems Aaron’s fate currently lies in a trash can, reminiscing of the times he thought he took down Anon,” Topiarty added, referring to a “Where will Aaron Barr be in 6 months time?” online poll. The comments left on AnonNewsSite were far more gleeful. “At least we destroyed him in anonymous style,” wrote one commenter.
Barr had bragged to the Financial Times on Feb. 4 that the company had identified some “leaders” of the hacktivist group behind several denial-of-service attacks on Visa, MasterCard and PayPal. He’d planned to unmask them at B-Sides Security Conference, a parallel event to the RSA Conference in San Francisco.
Anonmyous retaliated Feb. 7 by exploiting weak passwords and unpatched servers to steal 71,000 e-mails from both HBGary Federal and its sister firm HBGary. Using both a SQL injection attack and social engineering, the hackers gained access to the Web and e-mail servers as well as the Rootkit.com domain, a site launched by HBGary founder Greg Hoaglund for discussion and analysis of rootkits and related technology.
The attackers deleted gigabytes of research and support documentation, defaced Barr’s Twitter account and grabbed a decompiled copy of Stuxnet which the researchers had been analyzing. The e-mails have been posted for public viewing, WikiLeaks-style, at anonleaks.ch and a Github repository was created for the “first public Stuxnet decompile.”
HBGary offers a range of computer forensics products, malware analysis tools and security services such as implementing intrusion prevention systems, performing vulnerability assessment and penetration testing. Anonymous highlighted that even security experts can make basic mistakes when securing their environment, according to the attack details outlined by Ars Technica.
The Ars Technica article listed basic mistakes that contradicted best practices, such as unpatched servers and using easily-compromised hashes to store passwords. Even more tellingly, Barr and Ted Vera, the chief operating officer of HBGary Federal, had been re-using a simple password across multiple systems.
Senior executives should be held to the same level of security as regular employees, Andrew Jaquith, CTO of another security firm, Perimeter E-Security, recently told eWEEK. Executives actually “need to be safer than most,” he said.
In this case, Anonymous had used a SQL injection attack to compromise the custom content management system powering HBGary Federal’s Web site. The attack URL contained two parameters the CMS handled incorrectly, allowing hackers to retrieve the list of usernames, e-mail addresses and MD5 password hashes from the user database. Attackers were able to crack passwords belonging to Barr and Vera because the passwords were too weak with six lower case letters and two numbers, reported Ars Technica.
Gawker Lessons Not Learned
The massive data breach on Gawker in December revealed nearly 30 percent people tended to use the same password across multiple sites, a security no-no. It turned out both Barr and Vera were no better, using the same password for e-mail, Twitter, and other systems. Barr had used the same password for his e-mail account, and as the administrator, had access to all the company’s mail and other users’ mailboxes, giving Anonymous full access to all the e-mails.
Vera had also used the same password on the company’s support server. The attack could have easily stalled there as Vera didn’t have any administrative rights, except the IT team had not patched the privilege escalation vulnerability in the Linux kernel. The flaw had been identified in October, and patches released a month later. With full access on the box, the attackers discovered gigabytes of backups and research data, which they promptly deleted.
The Anonymous hack used standard, widely known techniques to compromise a system, collect information and use the collected data to compromise additional systems. It didn’t matter if most of the employees had complex passwords, because the attackers needed to crack just one password to gain access.
Barr and HBGary Federal was embroiled in another controversy as the contents of its e-mails were publicized, revealing various dirty tricks the company engaged on behalf of clients such as law firms, banks, and the U.S. Chamber of Commerce. Some of the proposals listed borderline illegal tactics aimed at discrediting WikiLeaks, including cyberattacks, forged documentation, and blackmailing WikiLeaks supporter and Salon journalist Glenn Greenwald.
“I need to focus on taking care of my family and rebuilding my reputation,” Barr said. Stephen Colbert had mocked Barr’s World of Warcraft account and referenced some of the more embarrassing e-mails on The Colbert Report last week.