Monday, June 04, 2012

Anonymous Skullduggery

I just love Anonymous skullduggery! For the most part, they are hitting hard exactly the sort of people who need to be hit hard. I would like to aid them myself (except my heavy-handed all-thumbs Web skills would quickly expose the entire collective):
Though its job was to help other companies protect themselves from cyber attacks, HBGary Federal itself was vulnerable to a simple attack method called SQL injection, which targeted databases. Databases were one of the many key technologies powering the Internet. They stored passwords, corporate emails, and a wide variety of other types of data. The use of Structured Query Language (SQL, commonly mispronounced “sequel”) was a popular way to retrieve and manipulate the information in databases. SQL injection worked by “injecting” SQL commands into the server that hosted the site to retrieve information that should be hidden, essentially using the language against itself. As a result, the server would not recognize the typed characters as text, but as commands that should be executed. Sometimes this could be carried out by simply typing out commands in the search bar of a homepage. The key was to find the search bar or text box that represented a weak entry point.

...Now that they were in, the hackers had to root around for the names and passwords of people like Barr and Hoglund, who had control of the site’s servers. Jackpot again. They found a list of usernames and passwords for HBGary employees. But here was a stumbling block. The passwords were encrypted, or “hashed,” using a standard technique called MD5. If all the administrative passwords were lengthy and complicated, it might be impossible to crack them, and the hackers’ fun would have come to an end.

Sabu picked out three hashes, long strings of random numbers corresponding to the passwords of Aaron Barr, Ted Vera, and another executive named Phil Wallisch. He expected them to be exceptionally tough to unlock, and when he passed them to the others on the team, he wasn’t surprised to find that no one could crack them. In a last-ditch attempt, he uploaded them to a Web forum for password cracking that was popular among hackers — Hashkiller.com. Within a couple of hours all three hashes had been cracked by random anonymous volunteers. The result for one of them looked exactly like this: 4036d5fe575fb46f48ffcd5d7aeeb5af:kibafo33

Right there at the end of the string of letters and numbers was Aaron Barr’s password. When they tried using kibafo33 to access his HBGary Federal emails hosted by Google Apps, they got in. The group couldn’t believe their luck. By Friday night they were watching an oblivious Barr exchange happy emails with his colleagues about the Financial Times article.

On a whim, one of them decided to check to see if kibafo33 worked anywhere else besides Barr’s email account. It was worth a try. Unbelievably for a cyber security specialist investigating the highly volatile Anonymous, Barr had used the same easy-to-crack password on almost all his Web accounts, including Twitter, Yahoo!, Flickr, Facebook, even World of Warcraft. This meant there was now the opportunity for pure, unadulterated “lulz.”
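The weakness the excerpt describes, a public search box whose text is spliced straight into a SQL query, shown beside its parameterized fix. This is an added example, not code from the book, the original post, or HBGary's site; the table, its rows and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data (not HBGary's): a content table where only
# published rows should ever be visible through the public search box.
ROWS = [
    ("Company overview", 1),
    ("Press release: FT article", 1),
    ("Internal: client list", 0),
    ("Internal: admin credentials memo", 0),
]

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", ROWS)
    return conn

def search_vulnerable(conn, term: str) -> list[str]:
    # The search term is spliced into the SQL text, so the engine cannot
    # tell where the developer's query ends and the user's text begins.
    sql = f"SELECT title FROM pages WHERE published = 1 AND title LIKE '%{term}%'"
    return [r[0] for r in conn.execute(sql)]

def search_safe(conn, term: str) -> list[str]:
    # A bound parameter is always data: quotes and comment markers inside
    # it are matched literally and can never change the statement.
    sql = "SELECT title FROM pages WHERE published = 1 AND title LIKE ?"
    return [r[0] for r in conn.execute(sql, (f"%{term}%",))]

# A search term that carries SQL syntax: in the vulnerable version the quote
# closes the LIKE pattern, OR 1=1 makes the WHERE clause always true, and
# the trailing '--' comments out the rest of the statement.
HOSTILE_TERM = "' OR 1=1 --"

def demo() -> tuple[list[str], list[str]]:
    conn = make_db()
    return search_vulnerable(conn, HOSTILE_TERM), search_safe(conn, HOSTILE_TERM)

if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)    # all four titles, unpublished ones included
    print("parameterized:", safe)   # [] (no title contains that literal text)
```

The detection angle is the same as the fix: a search parameter containing quotes, `OR`, or `--` is worth logging, but only parameterization removes the bug.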
