[PWNAGE] Anonymous speaks: the inside story of the HBGary hack


Exactly! HBGary. I didn't know who the hell this was either, until I read (almost) the whole article that came in through RSS; it is epic. It is exactly what the old school members of the scene described. Remember? I quote:

The fact is that hackers, mostly on an individual basis, decided to use their passion as a source of income. Whether this is good, bad, or just pragmatic is completely irrelevant. Nearly all the hackers that could get jobs did. For the individuals that decision has been made (for better or worse), and in general there's nothing that will change this. This was a hacker exodus. What really mattered was not the loss of any individuals, but the cumulative effect this had on the underground. The more hackers that left the underground for a corporate life, the fewer that came in. And those who stayed became entrenched, increasingly disconnected.

The fact that the Anonymous people used an SQLi vulnerability in the CMS to pull off that defacement is no excuse for a 'super security expert' working at a company that has contracts with the FBI, NSA, etc. The even more interesting part is when they practice social engineering on one of the employees, who bit the bait and DISABLED THE FIREWALL, allowing SSH ACCESS FROM ANYWHERE. Fail.

From this article:

Anonymous: more than kids

HBGary and HBGary Federal position themselves as experts in computer security. The companies offer both software and services to both the public and private sectors. On the software side, HBGary has a range of computer forensics and malware analysis tools to enable the detection, isolation, and analysis of worms, viruses, and trojans. On the services side, it offers expertise in implementing intrusion detection systems and secure networking, and performs vulnerability assessment and penetration testing of systems and software. A variety of three letter agencies, including the NSA, appeared to be in regular contact with the HBGary companies, as did Interpol, and HBGary also worked with well-known security firm McAfee. At one time, even Apple expressed an interest in the company's products or services.

[...]

Time for an injection

HBGary Federal's website, hbgaryfederal.com, was powered by a content management system (CMS). CMSes are a common component of content-driven sites; they make it easy to add and update content to the site without having to mess about with HTML and making sure everything gets linked up and so on and so forth. Rather than using an off-the-shelf CMS (of which there are many, used in the many blogs and news sites that exist on the Web), HBGary—for reasons best known to its staff—decided to commission a custom CMS system from a third-party developer.

Unfortunately for HBGary, this third-party CMS was poorly written. In fact, it had what can only be described as a pretty gaping bug in it. A standard, off-the-shelf CMS would be no panacea in this regard—security flaws crop up in all of them from time to time—but it would have the advantage of many thousands of users and regular bugfixes, resulting in a much lesser chance of extant security flaws.

The custom solution on HBGary's site, alas, appeared to lack this kind of support. And if HBGary conducted any kind of vulnerability assessment of the software—which is, after all, one of the services the company offers—then its assessment overlooked a substantial flaw.

The hbgaryfederal.com CMS was susceptible to a kind of attack called SQL injection. In common with other CMSes, the hbgaryfederal.com CMS stores its data in an SQL database, retrieving data from that database with suitable queries. Some queries are fixed—an integral part of the CMS application itself. Others, however, need parameters. For example, a query to retrieve an article from the CMS will generally need a parameter corresponding to the article ID number. These parameters are, in turn, generally passed from the Web front-end to the CMS.

SQL injection is possible when the code that deals with these parameters is faulty. Many applications join the parameters from the Web front-end with hard-coded queries, then pass the whole concatenated lot to the database. Often, they do this without verifying the validity of those parameters. This exposes the systems to SQL injection. Attackers can pass in specially crafted parameters that cause the database to execute queries of the attackers' own choosing.

The exact URL used to break into hbgaryfederal.com was [link removed; www.hbgaryfederal.com is offline]. The URL has two parameters named pageNav and page, set to the values 2 and 27, respectively. One or other or both of these was handled incorrectly by the CMS, allowing the hackers to retrieve data from the database that they shouldn't have been able to get.

Source: Full Disclosure: What the f*** is going on? (quite amusing how people of that kind get worked up)

Full article (3 pages): Anonymous speaks: the inside story of the HBGary hack

// Later edit: I forgot to mention that the mega security expert was charging huge sums of money for some simple NMAP scans!
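To make the injection mechanism quoted above concrete, here is an added example (not from the article, not from the post above, and not the hbgaryfederal.com CMS code, which was never published). It models a page lookup driven by two query-string parameters named like the ones in the article, pageNav and page, against a constructed in-memory SQLite database with a hypothetical pages table and a hypothetical users table. The vulnerable function concatenates the parameters into the query exactly as the article describes; the hardened function validates them as integers and binds them as parameters. A UNION payload in the page parameter pulls user credentials out of the vulnerable version and gets nothing out of the safe one.

```python
import sqlite3

# Constructed schema and rows standing in for a small CMS database.
# The real HBGary Federal schema is unknown; every name and value here is hypothetical.
SCHEMA = """
CREATE TABLE pages (id INTEGER PRIMARY KEY, nav INTEGER, title TEXT, body TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
"""
PAGES = [
    (27, 2, "About", "Public page body"),
    (28, 2, "Services", "Another public page"),
]
USERS = [
    (1, "admin", "constructed-hash"),  # placeholder, not a real credential
]


def build_db():
    """Create the constructed in-memory database the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?, ?)", PAGES)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def get_page_vulnerable(conn, page_nav, page):
    """The flaw the article describes: request parameters are concatenated
    straight into the SQL text, so the database parses attacker input as SQL."""
    sql = f"SELECT title, body FROM pages WHERE nav = {page_nav} AND id = {page}"
    return conn.execute(sql).fetchall()


def get_page_safe(conn, page_nav, page):
    """Hardened lookup: reject anything that is not an integer, then bind the
    values as parameters so they can never change the shape of the query."""
    try:
        nav_i, page_i = int(page_nav), int(page)
    except (TypeError, ValueError):
        return []
    sql = "SELECT title, body FROM pages WHERE nav = ? AND id = ?"
    return conn.execute(sql, (nav_i, page_i)).fetchall()


# Classic UNION-based extraction: id = 0 matches no page, so the result set is
# exactly the rows of the UNION'd SELECT. The column count (2) must match the
# original SELECT, which is why username and password_hash are paired up.
PAYLOAD = "0 UNION SELECT username, password_hash FROM users"


def demo():
    """Run the legitimate request and the injected one through both versions."""
    conn = build_db()
    return {
        "legit_vulnerable": get_page_vulnerable(conn, "2", "27"),
        "legit_safe": get_page_safe(conn, "2", "27"),
        "injected_vulnerable": get_page_vulnerable(conn, "2", PAYLOAD),
        "injected_safe": get_page_safe(conn, "2", PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The integer check in get_page_safe is belt-and-braces: the parameter binding alone already stops the injection, but rejecting non-numeric input early also keeps junk out of the query log and gives the application a clean place to return a 400 instead of a 500.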
