HBGary Federal CEO Aaron Barr Steps Down (In Wake of 'Anonymous' Attack)
Hissyspit (Donating Member, 1000+ posts) Mon Feb-28-11 05:46 PM
Original message
HBGary Federal CEO Aaron Barr Steps Down (In Wake of 'Anonymous' Attack)
Edited on Mon Feb-28-11 05:48 PM by Hissyspit
Source: ThreatPost.com

February 28, 2011, 12:54PM

HBGary Federal CEO Aaron Barr Steps Down

By Paul Roberts

Embattled CEO Aaron Barr says he is stepping down from his post at HBGary Federal to allow the company to move on after an embarrassing data breach.

The announcement comes three weeks after Barr became the target of a coordinated attack by members of the online mischief making group Anonymous, which hacked into HBGary Federal's computer network and published tens of thousands of company e-mail messages on the Internet. HBGary did not respond to telephone and e-mail requests for comments on Barr's resignation.

- snip -

The group conducted a preemptive strike on HBGary after Barr was quoted in a published article saying that he had identified the leadership of the group and planned to disclose their identities at the B-Sides Security Conference in San Francisco.

By combining a SQL injection attack on HBGary's Web site with sophisticated social engineering attacks, the group gained access to the company's Web- and e-mail servers as well as the Rootkit.com Web site, a site also launched by HBGary founder Greg Hoglund. Ultimately, the group defaced HBGary's Web site and disgorged the full contents of e-mail accounts belonging to Barr, Hoglund and other company executives.

Read more: http://threatpost.com/en_us/blogs/hbgary-federal-ceo-aaron-barr-steps-down-022811?utm_source=feedburner&utm_medium=twitter&utm_campaign=Feed:+hackernewsyc+(Hacker+News+YC)

DontTreadOnMe (Donating Member, 1000+ posts) Mon Feb-28-11 05:49 PM
Response to Original message
1. The Most Embarrassing Web Attack... EVER!
And the guy's company PROMOTES Web Security!

one word describes this guy... "PAWNED!"

MrMickeysMom (Donating Member, 1000+ posts) Mon Feb-28-11 11:57 PM
Response to Reply #1
15. How bout a phrase that describes how he "delivered"?
b a d l y...... :dunce:

uncle ray (Donating Member, 1000+ posts) Tue Mar-01-11 04:00 AM
Response to Reply #1
30. PAWNED?
one of us isn't up on our memes.

and i'll be damned if i know which one it is.

rhett o rick (Donating Member, 1000+ posts) Mon Feb-28-11 06:02 PM
Response to Original message
2. Wouldn't it be funny if the authorities found nasty stuff on his hard drive.
Like in "The Girl with the Dragon Tattoo"? Lisbeth is Anonymous.

Mojeoux (Donating Member, 1000+ posts) Mon Feb-28-11 06:05 PM
Response to Original message
3. A Kick for the Anonymous Cojones to Pull This OFF!!!!! NT

Bonhomme Richard (Donating Member, 1000+ posts) Mon Feb-28-11 06:12 PM
Response to Original message
4. Falling on his sword so they can keep their nefarious business. n/t

AndyTiedye (Donating Member, 1000+ posts) Mon Feb-28-11 06:21 PM
Response to Reply #4
8. Who Would Take Them Seriously as Security Consultants Now?
They're finished and they know it.

They pretty much admitted as much when they ran away from the RSA conference with their tail between their legs.

Bonhomme Richard (Donating Member, 1000+ posts) Mon Feb-28-11 06:25 PM
Response to Reply #8
9. They are providing a service their clients want so they....
are not going to change their business model though they may change their name. They will lay low and hope the spotlight goes elsewhere.

Snagglepuss2 (Donating Member, 7 posts) Tue Mar-01-11 02:27 AM
Response to Reply #8
28. If this is what they're saying in public, you have to wonder what they're saying in private
According to ars technica, one of HBGary's Vice Presidents, said:

Asked if HBGary has in fact seen a financial impact from the Anonymous attack, Butterworth would only say, "Time will tell." He did admit that the hack had an impact on the company—"the tainting of a brand name, a company that has a very good product"—and that "we've received indications that folks are having second thoughts" about working with the firm.
Consider... if this is what they're willing to put on the record, you have to wonder just how bad the real state of affairs must be. Robert X. Cringely nailed it when he said:

"I'll bet within a year that if parent company HBGary survives this debacle, it decides on a name change. There's no getting the stink off now."

dixiegrrrrl (Donating Member, 1000+ posts) Mon Feb-28-11 06:15 PM
Response to Original message
5. Woot!!!!!
rec'cing and sharing and etc.

Hissyspit, have ya had a hug today?
You deserve one for this story alone!

:hug:

Hissyspit (Donating Member, 1000+ posts) Mon Feb-28-11 06:21 PM
Response to Reply #5
7. LOL
O.K... :hug:

Kurovski (Donating Member, 1000+ posts) Mon Feb-28-11 06:17 PM
Response to Original message
6. K&R (nt)

annabanana (Donating Member, 1000+ posts) Mon Feb-28-11 07:47 PM
Response to Original message
10. all together now:
Dum, Dum, Dum, Dum,

Another one bites the dust
Another one bites the dust
And another one gone, and another one gone
Another one bites the dust

RoccoR5955 (Donating Member, 1000+ posts) Mon Feb-28-11 08:34 PM
Response to Original message
11. Anonymous 2, HBGary -1 n/t

liberation (Donating Member, 1000+ posts) Mon Feb-28-11 09:58 PM
Response to Original message
12. As the kids of today say: PWNED!
LOL

juxtaposed (Donating Member, 388 posts) Mon Feb-28-11 10:02 PM
Response to Original message
13. once an ass always an ass

AtheistCrusader (Donating Member, 1000+ posts) Mon Feb-28-11 10:34 PM
Response to Original message
14. AAAAAAHAHAHAHAHAHAAAAA
Too awesome for coherent speech.

gristy (Donating Member, 1000+ posts) Mon Feb-28-11 11:58 PM
Response to Original message
16. emails in searchable form are here

Poll_Blind (Donating Member, 1000+ posts) Tue Mar-01-11 12:47 AM
Response to Reply #16
19. (dives into the serial numbers)
Splishy, splashy!

PB

boppers (Donating Member, 1000+ posts) Tue Mar-01-11 01:12 AM
Response to Reply #19
21. Lots of serial numbers in there.
Shareware numbers, spendy enterprise software numbers, and a shit-ton of numbers used by HBGary's clients calling about support for their products....

Also, love letters, breakup threats, office gossip, names and sites of security personnel that "didn't exist".

"SCIF"


Poll_Blind (Donating Member, 1000+ posts) Tue Mar-01-11 01:26 AM
Response to Reply #21
22. Hey how long you been digging through these? Aside from the...
...sparkly things, the real meat of it all could use a lot of analysis. Do you know if anyone's even attempting to break all this down and see what deeper things might be going on? And if so, where can I read or participate in that analysis?

Wondering how many CISSPs broke their oath, if any. You can't throw a rock through that e-mail pile and not hit one, and I would like to help burn one if they did break it.

PB

boppers (Donating Member, 1000+ posts) Tue Mar-01-11 02:00 AM
Response to Reply #22
23. How long? Since the site went up, I think, but it got boring, fast.
Lots of red meat has been rolling out. *LOTS*.

As far as places to read/participate, it's a bit decentralized. For some reason. :eyes:

As far as CISSP, I'm SAGE (http://www.sage.org/), not CISSP, so I'm not familiar with their rules, but these folks were making a mockery of their profession either way.


boppers (Donating Member, 1000+ posts) Tue Mar-01-11 02:05 AM
Response to Reply #22
25. LOL, just found:
https://www.isc2.org/ethics/default.aspx

Yeah, a bunch of people are toast.

Hissyspit (Donating Member, 1000+ posts) Tue Mar-01-11 06:26 AM
Response to Reply #25
31. "Act honorably, honestly, justly, responsibly, and legally."

Hissyspit (Donating Member, 1000+ posts) Tue Mar-01-11 09:57 AM
Response to Reply #22
33. Red Meat:

Hissyspit (Donating Member, 1000+ posts) Tue Mar-01-11 08:54 AM
Response to Reply #19
32. Love that dirty water.
:)

MrMickeysMom (Donating Member, 1000+ posts) Mon Feb-28-11 11:59 PM
Response to Original message
17. Here's a fun idea...
... Have a thread suggesting what their new business venture might be... you know... to help them out with the next vision and mission... :P

Snagglepuss2 (Donating Member, 7 posts) Tue Mar-01-11 02:11 AM
Response to Reply #17
26. How about Penny's Pleasure Palace....
I suggest they move their operations to Nevada. They can always open up a brothel, seeing as they're all too familiar with the concept of screwing-over the customers. Aaron could always serve as the bus-boy/dishwasher...

Snagglepuss2 (Donating Member, 7 posts) Tue Mar-01-11 12:36 AM
Response to Original message
18. Democrats call for an investigation of law firm, 3 tech companies
According to the Washington Post:

Democrats call for an investigation of law firm, 3 tech companies
By Dan Eggen
Monday, February 28, 2011; 10:26 PM

A group of House Democrats is calling on Republican leaders to investigate a prominent Washington law firm and three federal technology contractors, who have been shown in hacked e-mails discussing a "disinformation campaign" against foes of the U.S. Chamber of Commerce.

In a letter to be released Tuesday, Rep. Hank Johnson (D-Ga.) and more than a dozen other lawmakers wrote that the e-mails appear "to reveal a conspiracy to use subversive techniques to target Chamber critics," including "possible illegal actions against citizens engaged in free speech."

The lawmakers say it is "deeply troubling" that "tactics developed for use against terrorists may have been unleashed against American citizens."

Read the entire story at: http://www.washingtonpost.com/wp-dyn/content/article/2011/02/28/AR2011022805810.html

Snagglepuss2

ThomCat (Donating Member, 1000+ posts) Tue Mar-01-11 02:57 PM
Response to Reply #18
35. Why the hell aren't they calling upon our own DoJ to
investigate too! Lawmakers from our own party might be able to put some pressure where it could do some good.

:wtf:

boppers (Donating Member, 1000+ posts) Tue Mar-01-11 12:49 AM
Response to Original message
20. "sophisticated social engineering attacks" my ass.
They got control of an email account.

Using that email account, they found old passwords, and asked another admin if the passwords still worked... the admin answered in the affirmative. Then they changed the password, I kid you not, to:

changeme123
Then even they asked for the account name... and the admin gave it to them.

http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/3

Nothing "sophisticated" about it.

Snagglepuss2 (Donating Member, 7 posts) Tue Mar-01-11 02:03 AM
Response to Reply #20
24. Depends on your point of view....
They got control of an email account.

Using that email account, they found old passwords, and asked another admin if the passwords still worked... the admin answered in the affirmative. Then they changed the password, I kid you not, to: changeme123

Then even they asked for the account name... and the admin gave it to them.
Nothing "sophisticated" about it.
You're absolutely right--there was nothing sophisticated about it. However, that says rather less about Anonymous, and rather more about HBGary. Remember, HBGary is/was a security company, and one that advised sensitive government and military installations about computer security. The mistakes they made are all those warned about in Security 101 courses.

The really funny thing is, that the computer systems belonging to the Westboro Baptist Church (WBC) were more difficult for Anonymous to get into than those of 'security' firm HBGary Federal. According to media reports, the WBC's computers required making use of a 0-day exploit to penetrate.


boppers (Donating Member, 1000+ posts) Tue Mar-01-11 02:18 AM
Response to Reply #24
27. I used to work on 0-day full time. Fun job, but a bit stressful.
There were (on average) 10-15 new 0-day exploits... per day. Every day.

My job was to write POC exploits, based on provided data, and the detection code to monitor it.

While it is amusing that Anonymous got in on a 0-day, I don't view it as all that different from social engineering. It's basic, simple, code work, and any site under threat (be they HBGary or WBC or the CIA) should have (or contract) folks who watch for the exploits that just came out... 20 minutes ago.

Snagglepuss2 (Donating Member, 7 posts) Tue Mar-01-11 03:29 AM
Response to Reply #27
29. Tunnel vision
There were (on average) 10-15 new 0-day exploits... per day. Every day.

My job was to write POC exploits, based on provided data, and the detection code to monitor it.

While it is amusing that Anonymous got in on a 0-day, I don't view it as all that different from social engineering. It's basic, simple, code work, and any site under threat (be they HBGary or WBC or the CIA) should have (or contract) folks who watch for the exploits that just came out... 20 minutes ago.
Fair enough. What you also have to realize here is that HBGary's own documentation states that penetration of one's systems is inevitable -- they even quoted an NSA study to that effect. A fair number of their employees are ex-military -- you would think that defence in depth would be as natural as breathing to them.

Consider this: if Anonymous had succeeded in getting access to the mail server and, once there, found that all the emails were PGP-encrypted, we would not likely be having this exchange right now. Some of HBGary's staff obviously knew about encryption -- a very small number of the emails were PGP-encrypted, and one or more of the parties were using GPG (Gnu Privacy Guard). I'll grant you that some of their staff/principals were not terribly technically-inclined; HBGary President Penny Leavy was still using Outlook as an email client, and she furthermore expressed her admiration for the Geek Squad(!).

To accommodate people like her, PGP, Inc. sells software allowing for server-based automatic email encryption; so does Astaro, which manufactures a gateway appliance for just that purpose. Hell, they could have set up a server and used readily-available Perl scripts to carry out the encryption, if they wanted to do it on the cheap.

If HBGary had had a policy in place (and enforced it) requiring:

1) That all emails stored on the server be PGP-encrypted; and

2) Mandating the use of PGP for authentication/transmission of sensitive materials (i.e. user-IDs/passwords);

then Anonymous would have been prevented from gaining control of rootkit.org, and they could not read the stolen email.

One of these emails that I read was written by Greg Hoglund, and it described how their email could be secured. He was describing the mandatory use of VPNs, and virtual machines, but I don't recall any mention of end-to-end encryption. He was describing a setup that he said would cost about $100,000.

They appear to be suffering from a terminal case of tunnel-vision -- I guess that old saw is correct: "When all you have is a hammer, everything looks like a nail." (HBGary writes malware detection/remediation software.)

HBGary seems to be fixated on malware, almost to the exclusion of everything else. Even in this email wherein he outlines his $100K security solution, he is still obsessed with malware infecting even the virtual machines used to access the company VPN. I'm certainly not denying that malware is a threat, but as experience has shown, it is not the only threat. (Even the Maginot line was by-passed, after all.)

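Policy item 1 above (stored mail encrypted to a key the server does not hold, with only the envelope headers left readable) is the server-side filter the post alludes to. The block below is an added example written for this thread, not HBGary's, the poster's or any vendor's code; it assumes messages arrive as raw RFC 5322 bytes, a gpg binary on PATH, and the recipient's public key already in the server keyring (all names and the sample message are constructed).

```python
"""Server-side at-rest encryption of stored mail as PGP/MIME (RFC 3156).

Added example, not HBGary's or the thread's code. Assumptions: messages arrive
as raw RFC 5322 bytes, gpg is on PATH, and the recipient's public key is
already in the server keyring. Names and any sample message are constructed.
"""
import re
import subprocess
from email import encoders, message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Headers that describe the plaintext body; they move inside the ciphertext so
# whoever steals the mailbox learns only the envelope (From/To/Subject/Date).
BODY_HEADERS = ("Content-Type", "Content-Transfer-Encoding", "Content-Disposition")
_HIDE = {h.lower() for h in BODY_HEADERS} | {"mime-version"}


def gpg_encrypt(plaintext: bytes, recipient: str) -> bytes:
    """Encrypt to the recipient's public key with the system gpg (assumed installed)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--yes", "--armor", "--trust-model", "always",
         "--encrypt", "--recipient", recipient],
        input=plaintext, capture_output=True, check=True)
    return proc.stdout


def wrap_pgp_mime(raw: bytes, recipient: str, encrypt=gpg_encrypt) -> bytes:
    """Re-wrap a clear-text message so only its envelope headers stay readable."""
    original = message_from_bytes(raw, policy=policy.default)
    sep = re.search(rb"\r?\n\r?\n", raw)          # first blank line ends the headers
    body = raw[sep.end():] if sep else b""

    # Inner entity = original body plus its Content-* headers (RFC 3156 section 6.1).
    inner_headers = [f"{h}: {original[h]}" for h in BODY_HEADERS if original[h] is not None]
    inner = "\r\n".join(inner_headers).encode() + b"\r\n\r\n" + body
    ciphertext = encrypt(inner, recipient)

    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    for name, value in original.items():
        if name.lower() not in _HIDE:             # envelope headers stay in clear
            outer[name] = str(value)
    control = MIMEApplication(b"Version: 1\r\n", "pgp-encrypted",
                              _encoder=encoders.encode_7or8bit)
    payload = MIMEApplication(ciphertext, "octet-stream",
                              _encoder=encoders.encode_7or8bit, name="encrypted.asc")
    payload.add_header("Content-Disposition", "inline", filename="encrypted.asc")
    outer.attach(control)
    outer.attach(payload)
    return outer.as_bytes()


def is_pgp_mime(raw: bytes) -> bool:
    """Policy audit: True when a stored message is already PGP/MIME-encrypted."""
    msg = message_from_bytes(raw, policy=policy.default)
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")
```

Run wrap_pgp_mime on each message before it is written to the mailbox; is_pgp_mime is the check an auditor would run over an existing mail store to count what is still held in the clear.
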
boppers (Donating Member, 1000+ posts) Wed Mar-02-11 04:02 AM
Response to Reply #29
37. their Maginot line was.... google apps.
You make some great points, but in the end, these folks were kiddies.

"A fair number of their employees are ex-military -- you would think that defence in depth would be as natural as breathing to them. "

How many soldiers think about setting an arming trigger on each and every round they send downrange? Not many.

Sure, the Q folks think about it, but for the most part, that level of depth isn't considered.

jbeing (Donating Member, 116 posts) Tue Mar-01-11 11:54 AM
Response to Original message
34. Aaron Barr?
Like the traitor?

Or, exactly like the traitor?

Love Bug (Donating Member, 1000+ posts) Tue Mar-01-11 05:36 PM
Response to Reply #34
36. You're thinking of Aaron Burr, but yeah, that's the first thing I thought seeing "Barr"