HBGary: Security Firm Investigating ‘Anonymous’ Hacked and Exposed
“Do not meddle in the affairs of hackers, for they are subtle and quick to anger.”
Following last week’s hacking of shamed LIGATT CEO Gregory D Evans, this week it was the turn of security firm HBGary to get exposed. HBGary have been aiding the FBI with their investigations into members of Anonymous. Although Anonymous isn’t a centralised ‘group’, their recent DDoS attacks and hacks of oppressive governments and anti-wikileaks organisations (including PayPal, MasterCard and VISA), have made them a target of the US Federal Government.
HBGary were allegedly preparing to hand over information about certain members of Anonymous to the FBI, who have already made several arrests in the US and UK, and obtained over 40 search warrants in an attempt to shut down Anonymous (probably not possible imo). Angered by CEO Aaron Barr and HBGary’s involvement in FBI investigations, members of Anonymous compromised a number of HBGary servers, defacing their website, gaining access to CEO Aaron Barr’s Twitter account, and obtaining a large number of emails. In what seems to be the popular punishment at the moment, over 50,000 corporate emails were released in a torrent. Anonymous also stated, on one of their many Twitter accounts, that the source code of HBGary’s security products was also obtained – although these don’t appear to have been released (yet?).
“You’ve angered the hive, and now you are being stung.”
Anonymous posted a message to HBGary on their defaced website, where they mock the firm for their lack of security and the unsubstantial ‘public’ information that was going to be handed sold to the FBI.
Hit the jump for Anonymous’ full message.
Ars Technica has a good review of how this all went down, and a step-by-step account of how the hack was possible.
[Update] Aaron Barr steps down as CEO of HBGary Federal
Finding Security Bugs in Gawker Source Code
With the recent high-profile Gawker compromise, their entire source code and user database are available as a torrent. Some people have taken to cracking the (weak) password hashes, whilst others are looking for bugs in the source.
Mike Bailey has started Gawker Bug of the Day (@gawkerbugs), and will be disclosing security vulnerabilities in their source code… presumably for funsies.
GBOTD#1 is a XSS found in the first 3 lines of the first file:
http://gawker.com/at.js.php?country=%3Cimg%20src%3D.%20onerror%3Dalert%28document.cookie%29%20%3E
According to Mike, he’s already found over 30 bugs after just a few hours of hunting.
Gawker Media Hacked and Accounts Compromised
Gawker Media, who run many other sites including Lifehacker, Gizmodo and io9, have had their servers and databases hacked by a group called Gnosis. This results in over 1.3 million user accounts being compromised, across their various websites. Part of the issue is the fact that Gawker were using the outdated DES algorithm to secure passwords in the database, making it trivial for the hackers to crack the hashes. To make matters worse, many Gawker admins have also been using extremely weak passwords for their accounts. A full account from the hackers’ perspective can be found here, and there is clearly some beef between them and Nick Denton (owner of Gawker) who appears to have been baiting 4chan (baad idea).
The 1.3 million user accounts, together with Gawker Media’s source code, have been made available in a torrent posted on The Pirate Bay. You can quickly check whether your account is one of those by checking out this spreadsheet (Google). It’s safe to say that if you have any accounts on websites run by Gawker Media, you’re going to want to change your password. If you happen to reuse passwords a lot, then you’ll want to change your password everywhere… isn’t password reuse a joy?
ProFTPD 1.3.3c Briefly Backdoored by Hackers
Servers of the widely popular FTP server, ProFTPD, were compromised (probably with 0day) on the 28th of November 2010. During the attack, some source code was modified to insert a backdoor. The source files affected were for ProFTPD version 1.3.3c., between the 28/11/2010 and 02/12/2010.
The backdoor introduced by the attackers allows unauthenticated users remote root access to systems which run the maliciously modified version of the ProFTPD daemon.
If you installed or updated ProFTPD from one of the official mirrors during that time, it is recommended that you recompile from a known good version of the code. The source modification was spotted and rectified on 01/12/2010. MD5 sums for the valid source tarballs:
8571bd78874b557e98480ed48e2df1d2 proftpd-1.3.3c.tar.bz2
4f2c554d6273b8145095837913ba9e5d proftpd-1.3.3c.tar.gz
Hit the jump for details on how the backdoor is triggered. A Metasploit module is available to automate the exploit. Read more
JailbreakMe and the PDF Exploit
[Update] JailbreakMe 3.0 for iOS 4.3.3 is out!
JailbreakMe.com by comex (et al.) now provides an easy way of remotely jailbreaking the iPhone, iPad and iPod – including those running iOS up to 4.0.1.
The technique works thanks to a specially-crafted PDF document which exploits a vulnerability in the font engine library (possibly libfreetype) used by Mobile Safari. Another local privilege escalation exploit (possibly in IOKit) is then used to gain root access on the device, allowing for the jailbreak to take place.
Depending on the device used to visit jailbreakme.com, the site will deliver one of its existing payloads, to perform the initial exploit. During the jailbreak it will download an additional 3.7MB bin file.
Although this may seem like a great ‘feature’ to potential jailbreakers, users should be aware that a severe underlying flaw exists which allows this remote jailbreaking to take place. Until Apple patches this, iPhone users should beware of visiting untrusted sites, as this same exploit could potentially be modified to carry out attacks on legitimate non-jailbroken iPhones.
Here’s a video of someone jailbreaking Apple Stores for fun.
[Update 4/8/10] ultrasn0w update brings iPhone 4 carrier unlock.
[Update 11/8/10] iOS 4.0.2/3.2.2 update patches these two vulnerabilities.
[Update 12/8/10] comex has released the source code for the jailbreak exploit.
Loading ...
