In a previous post I explained what a botnet is and how criminals use them to attack certain targets on the Internet. In that article, I equated those botnets to the battle droids used in Star Wars Episode I: The Phantom Menace. In this article, I have an even more outlandish story to tell. The main character of this story is Aaron Barr, CEO of Security firm HBGary . He reminds me of the main character Tony Stark in the Iron Man movies. Sometimes you love him, sometimes you hate him, and sometimes you just feel sorry for him. While Tony Stark’s weakness was the shrapnel coursing through his veins, Aaron Barr’s weakness was his simple use of a single password between multiple online systems.
Aaron Barr thought he could track down the identity of hackers using social media. He thought if he did this, it would generate a lot of publicity for his company. In order to generate as much publicity as possible, he went after a hacker group called “Anonymous”. It is believed that this group orchestrated an attack on credit card companies in retaliation for blocking Wikileaks funding channels. The entire story can be read here, but suffice it to say, Aaron befriended some of the members of the group. He followed through with his plan by giving them reason to trust him, but then turned on them and threatened to expose what he believed to be their true identities. Aaron acted as a renegade in his investigation and even people within his own company were sometimes critical of his motives and actions . For instance, the way in which he was identifying the hackers using social media was unproven and undocumented. Aaron was unwilling to share details of how his system worked with anyone. He either didn’t know who to trust, or didn’t have the data to backup his claims.
In late January Aaron Barr started releasing non-specific information about what he found in an attempt to get some publicity. On February 4th the Financial Times wrote an article about what Aaron Barr was doing. Of course, the threat of being identified upset members of the Anonymous group. So the next day HBGary’s corporate network was hit by a distributed denial of service attack, which was presumably orchestrated by the Anonymous group. A day later the company’s network was infiltrated, all of the company’s e-mail was released publicly, its website was defaced, and over 1TB of backup data was deleted. Two weeks after the attack, the website for the Federal division of HBGary is still offline. How could this happen to a company that consults other companies and even the federal government on how to stay secure?
All of the destruction was the result of a poorly designed web application, a few people’s bad habits of using a common password between multiple systems, and some basic social engineering. One article documents the entire attack from beginning to end and reveals, in great detail, the very basic security holes that allowed the attackers to waltz right into the network and take over.
If you haven’t followed any of the links I have posted – follow this one. Then scroll down to the section titled “Password Problems”. Yikes. I don’t know about you, but that hits a little too close to home. After I read that, I went out and changed all of my passwords. But having all of those different passwords is difficult to manage. So I use a password manager to create and store all of my passwords. If you want something simple to use try Roboform. They even have an online version if you have multiple computers you need to sync between. Another good one is 1Password. If you want one a little less user friendly, but open source, then check out Keepass. Although I don’t recommend it, you can even use a paper notebook to keep your passwords in, just as long as you keep them different and you keep that notebook securely locked up.
The big takeaway from all of this is that no matter how invincible someone thinks they are, their most basic mistakes can be their downfall.