HBGary

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

HBGary

Can't believe there's not a thread on this...

HBGary Federal has pretty much instantly become the textbook example for how not to run a security firm.

http://blogs.forbes.com/andygreenber...dal-escalates/

Last week, the hacker group Anonymous released more than 40,000 of HBGary Federal’s emails, followed by another 27,000 from its sister company, HBGary, over the weekend. Those files, stolen in retaliation for an attempt by HBGary Federal CEO Aaron Barr to penetrate Anonymous and identify its members, revealed a long list of borderline illegal tactics. Ars Technica has posted a well-constructed narrative of the firm’s bad behavior. The short version: It proposed services to clients like a law firm working with Bank of America and the U.S. Chamber of Commerce that included cyberattacks and misinformation campaigns, phishing emails and fake social networking profiles, pressuring journalists and intimidating the financial donors to clients’ enemies including WikiLeaks, unions and non-profits that opposed the Chamber.

My general perception has been that infosec companies pay considerable attention to honing their offensive capabilities and too little attention to how vulnerable their own information is... HBGary is perhaps a textbook example of this, and obviously a big group of fucktards.

I've seen this sort of thing at Defcon before though... StillSecure comes to mind.

I'm sure lots of people have opinions about HBGary, but some immediate discussion topics might be people's opinions of HBGary, their practices (or perhaps more specifically "how much they fail"), whether the reciprocity from Anonymous is actually deserved, and the relationship between offense and defense when you're running a security firm.

45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
[ redacted ]

#2
Re: HBGary

Ars had a pretty in-depth story today about how HBGary was hacked:

http://arstechnica.com/tech-policy/n...gary-hack.ars/

In short, they had a crappy custom CMS for their web site which was vulnerable to SQL injection. After retrieving a hashed password and running that through some rainbow tables, they tried that password against their Google Apps account. Surprise! It's the same.

Google has recently launched 2-factor authentication for your Google Account. This is a great example of why you should probably enable that.

45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
[ redacted ]
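The post above describes two separate defects in the chain: a CMS that spliced user input into SQL text, and password hashes weak enough for rainbow tables to recover. The following is an added example, not code from the thread or from HBGary's CMS, written to show each defect next to its fix. The user table, the wordlist and the "precomputed table" are constructed sample data; the function names are this example's own. The vulnerable lookup is shown failing on an ordinary apostrophe in a name (the input reaches the SQL parser, which is the opening injection needs), while the parameterized lookup treats the same input as plain data; the hashing half shows a precomputed table recovering an unsalted MD5 password and then failing against a per-user salted PBKDF2 hash.

```python
import hashlib
import os
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample data (not from the thread): two CMS users whose passwords
# were stored as unsalted MD5, the storage style that makes rainbow tables work.
SAMPLE_USERS = [
    ("admin", "correct horse"),
    ("editor", "letmein"),
]


def unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the CMS database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(name, unsalted_md5(pw)) for name, pw in SAMPLE_USERS],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The defect described in the post: user input spliced into the SQL text.
    Any quote character in `name` is parsed as SQL, not as data."""
    sql = f"SELECT name, pw_hash FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Fix: bind the input as a parameter so it can only ever be data."""
    return conn.execute(
        "SELECT name, pw_hash FROM users WHERE name = ?", (name,)
    ).fetchall()


def input_reaches_parser(conn: sqlite3.Connection, name: str) -> bool:
    """True if the vulnerable lookup lets `name` alter the SQL statement
    (sqlite3 reports the resulting syntax error as OperationalError)."""
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


# Rainbow-table side: a precomputed hash -> password map over a small
# constructed wordlist. Against unsalted MD5, one table serves every site.
WORDLIST = ["password", "letmein", "correct horse", "hunter2"]
PRECOMPUTED = {unsalted_md5(w): w for w in WORDLIST}


def crack_unsalted(pw_hash: str) -> Optional[str]:
    """Table lookup: succeeds only when the hash is unsalted and in the table."""
    return PRECOMPUTED.get(pw_hash)


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Per-user random salt plus a slow KDF: the same password yields a
    different hash on every account, so a precomputed table is useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, expected_hex: str) -> bool:
    return hash_salted(password, salt)[1] == expected_hex


if __name__ == "__main__":
    conn = make_db()
    print(input_reaches_parser(conn, "O'Brien"))  # True: the quote breaks the query
    print(lookup_safe(conn, "O'Brien"))            # []: same input handled as data
    stored = lookup_safe(conn, "editor")[0][1]
    print(crack_unsalted(stored))                  # letmein: unsalted MD5 falls to a table
    salt, h = hash_salted("letmein")
    print(crack_unsalted(h), verify_salted("letmein", salt, h))  # None True
```

The parameterized query is the whole fix for the first defect; escaping quotes by hand is not. Salting on its own only forces an attacker to build one table per account; the slow KDF is what makes building that table expensive. Neither fix helps when the same password is reused on the Google Apps account, which is the point of the 2-factor recommendation in the post.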



#3
Re: HBGary

There was a social engineering element to the break-ins also, where they had fooled the sysadmin into giving up passwords and account names.



#4
Re: HBGary

Wow, what kind of people do they hire there that the sysadmin will just give you the info without some kind of ID? What a fail :P

What's this "any" key I'm supposed to press?



#5
Re: HBGary

Forbes is claiming that HBGary was hacked by a 16-year-old girl:

http://blogs.forbes.com/parmyolson/2...hacked-hbgary/

Although they give this caveat: "Kayla flits around the web with so covert an identity that I cannot fully verify her age or gender."

45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
[ redacted ]
