Anonymous vs. HBGary: the aftermath (arstechnica.com)
145 points by hardik988 on Feb 25, 2011 | hide | past | favorite | 42 comments


"What happened to Barr? Anonymous loudly and angrily demanded that Penny Leavy fire him, since his list of Anonymous names could allegedly have gotten "innocent people" into serious trouble. Leavy made clear that HBGary Federal was a separate company from HBGary, one in which she owned only a 15 percent stake, and that she couldn't simply "fire" the CEO."

I found the comments on this article interesting: http://threatpost.com/en_us/blogs/rsa-2011-winning-war-losin...

"They claimed that the company was under separate management, and that HBGary, Inc. only had a 15% stake in the company. However, the Operating Agreement for HBGary Federal, LLC, reveals that Greg Hoglund and Penny Leavy were two of the original six Founding Directors of HBGary Federal. Further, Penny Leavy herself signed the incorporation application with the California Secretary of State. This Operating Agreement confirms the 15% stake held by HBGary, Inc. in HBGary Federal, but it also reveals that Penny Leavy herself holds a 48% share in the company. Her 48% share, plus that of HBGary, Inc. (15%) puts their combined ownership stake at 63%. In terms of dollars invested, their investment in HBGary Federal amounts to some 87.5% of the total monies invested.

"This operating agreement can be downloaded from: http://cryptome.org/0003/hbg/HBG-Fed-OA.pdf "

Exhibit B in the Cryptome PDF (page 31) does indeed show Penelope Christine Leavy with 48%, in addition to HB Gary Inc's 15%.


From what I've read elsewhere, in terms of online crimes, the FBI is treating Anonymous second only to child porn (http://www.dailycampus.com/mobile/news/fbi-raids-house-on-n-...). Probably a function of the power and money behind the people they've attacked (the Visa/Mastercard DDoSes in particular).


That, and the fact that their existence is a direct challenge to the FBI's collective ego.


The characterization of Anonymous as some single or unique entity is misleading. The sign at the booth and the fax HBGary received were (likely) not perpetrated by the hackers who did the damage. Anyone in the right mood might have gone through with it, fueled by the success of the original attack. And the point made at the end of the article that Barr's list of supposed identities contained many innocent people was very true.


I would expect hijinks from the guys at Mandiant or any other exhibitor constituting even tangential competition (or anyone from Palantir for that matter) could include something like that sign.

There's something clearly going on that we're not being told - but then again, bear in mind that they're a private company so it's not like there's an obligation to disclose.


..."they struck gold with an SQL injection attack on HBGary Federal's content management system. [...] They quickly grabbed and decrypted user passwords from the website"

A security firm cracked by scriptkiddie tricks? Storing passwords in the database, instead of hashes? Hmmm...


From the information available it appears the passwords were hashed but not salted.


Salts won't give you that much greater security these days. Password-cracking GPGPU hardware is already well into the consumer domain. Using a pair of AMD's HD 5970, you can get cranking to just over 1bn SHA256 hashes/s.


Doesn't salting and iterative hashing pretty much stop rainbow tables? Didn't they find the passwords via a rainbow table?


Yes, they stop rainbow tables, but not GPGPU crunchers like the HD 5970. Moore's law is catching up rather fast at the moment.


You can still maximize the time and expense of an attack with salts and rainbow tables. (and bcrypt)


If that is true, then they must have used some really, really simple passwords for them to be cracked in such a short time.


There's some remarkably complete rainbow tables out there for MD5... Last time I heard any details, every 11-character string and every combination of dictionary words including letter/number substitutions out to 16 characters is now just a lookup away...

Any password small enough to remember is probably vulnerable if stored as an unsalted MD5 hash.
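The salting and rainbow-table discussion above can be seen concretely in code. The following is an added example written for this page, not code from any commenter or from the article: it stores a password the way the thread says HBGary did (bare MD5, no salt), shows that such a hash is recovered by a single lookup in a table precomputed once for everyone, and then stores the same password with a per-user random salt and an iterated KDF (PBKDF2-HMAC-SHA256 from Python's hashlib, used here as a stand-in for bcrypt) so that no precomputed table applies and each guess costs the configured number of iterations. The "common password" list and the iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample data: a tiny precomputed hash -> password table standing in
# for a rainbow table. Real tables cover vastly larger keyspaces, but the
# property that matters is the same: the work is done once and reused.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "hbgary"]


def unsalted_md5(password: str) -> str:
    """Legacy scheme described in the thread: MD5 of the bare password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """Precompute hash -> password. Because nothing user-specific enters the
    hash, one table serves every user of every site using this scheme."""
    return {unsalted_md5(p): p for p in candidates}


def recover_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """An unsalted hash is one dictionary lookup away (None if not in table)."""
    return table.get(stored_hash)


def salted_pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated scheme. The salt binds the hash to this one record;
    the iteration count multiplies the cost of every guess an attacker makes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str, iterations: int = 100_000) -> dict:
    """Create a storage record with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "hash": salted_pbkdf2(password, salt, iterations),
    }


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids leaking
    how many leading bytes matched."""
    candidate = salted_pbkdf2(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def same_password_distinct_hashes(password: str, iterations: int = 1000) -> bool:
    """Two users with the same password get different stored hashes, so a
    table built against one record says nothing about the other."""
    a = store_password(password, iterations)
    b = store_password(password, iterations)
    return a["hash"] != b["hash"] and verify_password(a, password) and verify_password(b, password)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted 'letmein' recovered:", recover_unsalted(unsalted_md5("letmein"), table))
    print("salted: same password, distinct hashes:", same_password_distinct_hashes("letmein"))
```

The unsalted path is a time/memory trade-off paid once by whoever builds the table; the salted, iterated path forces the work to be repeated per record and per guess, which is the property the bcrypt suggestion in the thread is after.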


Ugh. Time for me to go to all 32 character passwords.


Or even better, don't use the same password on every site.


Why would I have plural "passwords" but only use one on every site?


From the available info there were indeed simple passwords and password reuse between systems of different security levels.

  openssl speed md5
  The 'numbers' are in 1000s of bytes per second processed.
  type             16 bytes     64 bytes    256 bytes   1024   bytes   8192 bytes
  md5              23895.04k    85345.30k   231322.03k   412608.40k   546306.56k

If you look at the openssl numbers from my workstation, you'll find I can generate hashes for 1.5 million 16 byte passwords per second. The nice part about rainbow tables is that they are easy to compute in a distributed nature. Take a couple hundred EC2 boxes and you can generate HUGE tables, if you're smart with how you use S3 you can write the tables directly to S3. Cracking unsalted passwords is a very simple time/memory trade off. Given the issues with MD5 with a good math background you might even be able to reverse the password. (e.g. create a known password that computes to the same hash)

If you got creative with some FPGAs or GPUs you could do far better.


What do you mean by '16 byte passwords'? 16 bytes is only one or two characters under most encoding schemes ...


I think you may be thinking bits not bytes. The typical ASCII/UTF-8 char is 8 bits. UTF-16 doesn't really get used outside of Windows, I'm unsure if Windows hashes on char or wchar. I don't think anything uses UTF-32 other than to make string searching simple in regard to texts containing characters outside the BMP.

Please don't downvote the OP, it's a simple mistake.

Regarding what I mean by 16 byte passwords, MD5 requires computation on a fixed block size. If your password is not a multiple of block size it needs to be padded before it can be hashed. IIRC, the usual thing to do for MD5 is a simple zero pad, because you never have to produce the plaintext so you'd never bother writing the algorithm to put number of padded bytes in the pad. IIRC the MD5 block size is 64 bits (8 bytes), so you usually have to do two invocations to compute the hash for a 16 byte password. From a hashing speed perspective 0-16 byte passwords take roughly the same time to hash. It really depends on your cache line size as MD5 doesn't have any branches, and your hashing speed is dominated by memory access. If you look at the performance numbers you can see that as you increase block size your hashing speed increases drastically, but unfortunately passwords are short so you need a mechanism for generating passwords without having to hit the L2 cache. Luckily, this is fairly easy to do so if you used something like John the Ripper to generate/hash passwords you'll see much better performance than openssl.

@com, on a purely technical level UTF-8 gets all of ASCII in one byte, only extended ASCII requires multiple bytes. In practice ASCII is extended ASCII / ISO-8859-1, almost all of extended ascii fits into two bytes, but some require 3.


"UTF-16 doesn't really get used outside of Windows, I'm unsure if Windows hashes on char or wchar. "

Windows's NTLM hash uses MD4 with wchar.


You're absolutely right. Sorry - long day.


Bytes are 8 bits - UTF-8 gets most of ASCII in 1 byte (8 bits) and many (most?) other language glyphs can be encoded in 2 bytes or so (16 bits).

A 16 byte field can hold up to 16 ASCII characters, or perhaps 8 CJK glyphs that might encode a short kanji or hanzi password.


"A 16 byte field can hold up to 16 ASCII characters, or perhaps 8 CJK glyphs that might encode a short kanji or hanzi password."

Assuming that you are using legacy encodings, of course.


Hint: MD5 and Rainbow tables


Not much substance in the article, but: HBG come across as whiny little losers ("oh noes! we are being threatened!!"), and Anon seems to have gotten bored and moved on.


Propaganda.

HBGary have some friends in government - Anon do not (some may, but most of them are kids). HBGary was being extremely naughty and now need to divert attention. It's in the mutual interest of "adults" to step together, sweep everything under the rug and go after the "kids".

They will again make the mistake of assuming that anon is an organized entity, anon (as hive mind) has probably already lost interest in HBG and moved on. The harassment if indeed true is probably coming from fans and sympathizers of anonymous - so the government will probably go after some people who are not but indeed are members of anonymous (this phrase can only make sense in the context of anon's nature).

Or as my dear Machiavelli put it: "Though Men make Mistakes about Things in General, they do not make Mistakes about Particulars". I believe that this quote sums up mob ethos fantastically. The anon might be a goalless, formless group. But their targets tend to be worthy of targeting.

And another observation - the people who are harassing HBG now are IMHO the kind of people that are usually so risk averse that they won't participate in anything that might endanger their comfortable existence. Yet here they throw themselves into action to serve as cannon fodder for the core Anon group :).


I have somewhat mixed feelings about it, but I think I like it how, with modern technology, civilian semi-organized groups can challenge and shame such shady and clearly power obsessed companies. It feels like a kind of balancing force against the most dystopian possible future.


That palantir page was really disturbing to see. I have to be glad that it was leaked.


This case, and the lawsuit with i2 has firmly put Palantir on my list of "sleazy companies" not to do business with or try to go work for.


> Not much substance in the article

That's because it's a followup to half a dozen Ars articles on the spat (see the "The HBGary Saga" insert halfway down the page), 3 of which were 3 pages long and one reached 5 pages ("Black ops: how HBGary wrote backdoors for the government").


The biggest worry here is that HBGary is not being held accountable for their criminal activities. They have been using tools and psy-ops practices developed for the military against U.S. political targets. That is against the law.


From the article:

  "Instead, he believes that Anonymous has "decided to continue their antics. They're in it for the laughs… this is a real funny game for them." Not content with the damage they have inflicted, they "harass a company that's trying to get back to work." Each time a new story about the company appears in the press, Butterworth said that these attacks spike again."

If the press is bad for HBGary why do they participate in it? A no comment would have been sufficient. I think HB Gary is participating in the press to incite attacks so they can present themselves as victims, collect evidence, have someone charged, and declare victory. Seriously, a sheet of paper written in sharpie. They're expecting me to believe that the RSA holds a security conference without badges, without video monitoring and that some anon in a Guy Fawkes mask walks up to the table and places a threatening did it for the LULZ paper on their booth with no one noticing. Maybe, V for Vendetta is a real movie and such a person really exists who can easily pass through intelligence services and evade video monitoring. If I was HB Gary I'd have extensive surveillance on the booth to catch just such a thing. I'll use the Aaron Barr method of finding anons and assume the anon who placed the paper is employed by HB Gary. This from a company whose services are retained for their ability to plant false documents. The sign should read 'We got laughed out of the security conference for using weak passwords, storing them weakly, and reusing passwords in addition to being vulnerable to basic SQL injection.'

In my opinion, officers of HBGary Federal were engaged in stalking people online and selling private information about individuals for commercial purposes, as well as engaged in defaming these individuals with false information to the FBI. Given the demographic of anonymous it's quite likely that some of these individuals were children. I'm not sure if this is illegal in the US, but if they collected and prepared to sell personal information without consent about Canadian citizens they'd likely be in violation of Federal Law. (PIPEDA)

Also, regarding the millions of dollars in damages, these claims would be impossible to verify with a private company. Public companies on the other hand are required to file damages to the company both tangible and intangible. In a lot of hacking cases you'll see millions of dollars claimed, but if you look at the 10-Qs (SEC Required docs) you'll see no such filing. If you want a case to look at in particular for this, look at what happened to Kevin Mitnick. Why is it ok for HBGary to take money to compromise computers, but when Anonymous engaged in expression of speech they are targeted by federal investigators?

This is a company that used intelligence assets against pro-union websites. My personal feelings regarding unions aside, this is attempting to violate the rights of individuals to peaceably assemble. Even if it isn't illegal per se, it's highly unethical.

If HB Gary only engaged in ethical business practices there would be little damage from the disclosure of the emails. The damage results from the conspiracy to commit activities that are likely criminal.

A better question to ask is given the emails why Federal charges have not been laid against HBGary?

http://en.wikipedia.org/wiki/National_Labor_Relations_Act


  Why is it ok for HBGary to take money to compromise computers, but when Anonymous engaged in expression of speech they are targeted by federal investigators?

Or why weren't criminal charges laid against those responsible at Sony BMG after illicitly infecting thousands of computers with malware (http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...), while a pimply faced teenager in Wyoming pulling such a stunt would still be rotting in jail?


I'm pretty sure at any given RSA conference there are multiple folks who might personally/privately identify as members of anonymous, i.e. they wouldn't need to "sneak in" to the conference b/c they are already there as legitimate members of the security community. <pure-speculation> Hell, there could be employees of HB Gary who think of themselves as anonymous. This would support your speculation that HB Gary made the sign, but complicate the motivations. </pure-speculation>

I do agree that HB Gary should be investigated as much as–if not more than–anonymous since there is some evidence of illegal or unethical business practices in the released email. I would like to think that we hold corporate security companies up to a higher standard of practice...


Anyone attending that conference could have decided to be "Anonymous". Isn't that the way the organization works?


Yes, the references to "V for Vendetta" aren't incidental. Many of the ideas in that graphic novel are an important component of the Anonymous ideology.


In addition, they would need to be licensed as private investigators in their home state.


On the first photo, was that "Defeating malware" or "Delivering malware"?


The more I read about this HBGary the more I feel that justice is being served. These fat and lazy morons thought that because they've been doing dirty things for government they are above the law and basic ethical rules ... Of course, they are above the law that is enforced by their government friends, yet there is the Karma law and "we the People".


"These fat and lazy morons..." Can we avoid juvenile attacks like these, please? C'mon, this is HN, not Kindergarten.


The Colbert Report summary: http://ca.gawker.com/5769950/


The power of anonymous is that you can become part of anonymous at any point.



