Anonymous no more: HBGary goes down

Emails released by 'hacktivist' group Anonymous show federal security firm to be dangerously arrogant and hopelessly inept


ITworld's Thank You for Not Sharing blogger Dan Tynan spoke with one of those accused of being not only part of Anonymous, but its alleged kingpin, Commander X. It turns out that Ben de Vries is just an organic gardener in San Francisco who happened to run a Facebook group where alleged Anons liked to gather. Yet that was enough for HBGF's Barr to conclude that de Vries was the mysterious X and to discuss with his boss submitting that info to the FBI.

A handful of commenters weighed in saying that they too had been named by Barr, incorrectly, as members of Anonymous -- so much for Barr's theory that he could penetrate the innards of a supersecret org through the magic of social media and his own innate brilliance.

Ars Technica, which has been all over this story in a way nobody else can touch, has a detailed account of how the Anons managed to pwn this alleged security firm. It used a standard weapon from the hacker arsenal, an SQL Injection, to penetrate HBGF's custom content management system. That in turn allowed access to HBGF's database of user names and passwords, which the Anons quickly cracked. It turns out that the principals at HBGF used simple passwords -- and recycled them for Twitter, Facebook, email, and so on.

That, as they say, was the ballgame. Per Ars:

For a security company to use a CMS that was so flawed is remarkable…. Proper handling of passwords—iterative hashing, using salts and slow algorithms—and protection against SQL injection attacks are basic errors. …And though not all the passwords were retrieved … two were, because they were so poorly chosen.
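The two "basic errors" Ars lists, a string-built CMS query and fast unsalted password hashing, sit beside their corrected forms in the following example. It is added here for illustration and is not code from HBGary's CMS or from Ars; the in-memory SQLite table, the user names and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # work factor; raise it as hardware gets faster

def weak_hash(password):
    # The pattern the Ars quote criticises: one fast, unsalted digest.
    # Equal passwords give equal hashes, so one precomputed table cracks them all.
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password, salt=None, iterations=ITERATIONS):
    # Salted, iterated PBKDF2-HMAC-SHA256: a per-user salt defeats precomputed
    # tables and the iteration count makes every guess expensive.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations

def make_db():
    # Constructed in-memory stand-in for a CMS user table (assumption, not HBGary's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, hash BLOB, iters INTEGER)")
    return conn

def add_user(conn, name, password):
    salt, digest, iters = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (name, salt, digest, iters))

def unsafe_lookup(conn, name):
    # The injectable form: user input is pasted into the SQL text, so a quote
    # in the name alters the statement instead of being treated as data.
    return conn.execute("SELECT name FROM users WHERE name = '%s'" % name).fetchone()

def login(conn, name, password):
    # Parameterised query: the driver binds the name as a value, never as SQL.
    row = conn.execute("SELECT salt, hash, iters FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored, iters = row
    _, candidate, _ = hash_password(password, salt, iters)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, stored)
```

With `login`, a name containing a quote is simply an unknown user, whereas `unsafe_lookup` turns it into a malformed statement; and two users sharing a password get different stored digests, unlike with `weak_hash`.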

Meanwhile, HBGary Federal -- a division of HBGary -- is all but dead. It slunk out of the RSA conference with its tail between its legs. I'll bet that within a year, if parent company HBGary survives this debacle, it decides on a name change. There's no getting the stink off now.

As for Barr, he's a victim of his own hubris. I'd be surprised (and, really, appalled) if he's still employed in any capacity within a month. He thought he could fly with the gods; instead he crashed and burned.

You might call it a classic geek tragedy.

What's your take on HBGF, Anonymous, et al? Post your thoughts below or email me: I'll feature the best and brightest in a future post.

This article, "Anonymous no more: HBGary goes down," was originally published at Track the crazy twists and turns of the tech industry with Robert X. Cringeley's Notes from the Field blog, and subscribe to Cringely's Notes from the Underground newsletter. For the latest business technology news, follow on Twitter.

Copyright © 2011 IDG Communications, Inc.
