Anonymous speaks: the inside story of the HBGary hack
The hbgaryfederal.com site used a custom CMS susceptible to SQL injection.
Password hashes, grabbed through the SQL injection, had been created with the MD5 hash algorithm, and MD5 was used badly.
Rainbow tables were used to recover passwords from the hashes.
Two HBGary Federal employees—CEO Aaron Barr and COO Ted Vera—used passwords that were very simple; each was just six lower case letters and two numbers.
These simple passwords were reused in different places, including e-mail, Twitter accounts, and LinkedIn.
One of these two reused his password for ssh on a Linux computer.
The HBGary server accepted password authentication for ssh rather than public key authentication, which is best practice.
There was a flaw on that Linux computer allowing privilege escalation. It was found in October 2010 and fixed in most distributions by November 2010; the HBGary system was still unpatched in February 2011.
HBGary used Google Apps for its email system.
One of the simple passwords (see above) belonged to the administrator of this system, which gave the hackers wide access to the company's email, including owner Greg Hoglund's mail.
In this mail was the root password to the computer running Greg's rootkit.com site.
Social engineering got the hackers another required login and password.
So there you have it. Simple steps through simple, basic doors.
The feeling within the security industry is this breach may well be fatal to HBGary.
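Two of the doors above, badly used MD5 and the six-letters-plus-two-digits passwords, are easy to check for in your own password store. The following Python is an added example, not code from the Ars story or from HBGary: a plain lookup table stands in for the rainbow table, the password shape check follows the pattern described above, and the PBKDF2 storage format is an assumed one of my own.

```python
import hashlib
import hmac
import os
import re

# Constructed sample passwords in the shape described above:
# six lower-case letters followed by two digits.
SAMPLE_PASSWORDS = ["abcdef12", "qwerty99", "hunter01"]


def weak_shape(password: str) -> bool:
    """True when a password is exactly six lower-case letters plus two digits."""
    return re.fullmatch(r"[a-z]{6}[0-9]{2}", password) is not None


def md5_unsalted(password: str) -> str:
    """Storage as the compromised CMS did it: one round of MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: bytes = None, rounds: int = 600_000) -> str:
    """Salted, iterated storage (assumed format: pbkdf2_sha256$rounds$salt$digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def precomputation_applies(hash_fn) -> bool:
    """A scheme is open to a precomputed (rainbow) table when the same password
    always produces the same stored value, whoever the user is."""
    return hash_fn("samepw00") == hash_fn("samepw00")


def audit_unsalted_store(stored_hashes, candidates) -> dict:
    """Audit an unsalted MD5 store: which entries match a small lookup table
    built only from weak-shaped candidates. Returns {hash: password}."""
    table = {md5_unsalted(p): p for p in candidates if weak_shape(p)}
    return {h: table[h] for h in stored_hashes if h in table}
```

With salting, one table no longer serves every account, so the audit function has nothing to match against a PBKDF2 store even when the passwords are the same.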
The final paragraphs of the story:
So there are clearly two lessons to be learned here. The first is that the standard advice is good advice. If all best practices had been followed then none of this would have happened. Even if the SQL injection error was still present, it wouldn't have caused the cascade of failures that followed.
The second lesson, however, is that the standard advice isn't good enough. Even recognized security experts who should know better won't follow it. What hope does that leave for the rest of us?