Despite high-profile hacks, companies still aren’t behaving securely: ex-LulzSec hacker
- 14 June, 2019 11:58
A CEO’s poor password hygiene enabled an escalating series of attacks that capped off a 50-day hacking spree that sent several members of hacking group LulzSec to jail and caused significant financial and reputational damage for companies like Fox News, US broadcasters Fox News and PBS, and Sony’s PlayStation Network.
Those and other companies, the members argued, shouldn’t have been so easy to compromise – and in many cases, the group tried with varying degrees of success to point out the flaws to the victim companies’ security administrators. But that didn’t help them plead their case after an online row with security consultancy HBGary escalated in early 2011.
Lessons learned, but not by the victims
HBGary was targeted for its complicity with US government efforts to crack down on hackers using technology spruiked by CEO Aaron Barr. After launching a SQL injection attack on the company’s Web site content management system, Anonymous spinoff LulzSec was able to download the usernames and hashed passwords of everyone using the CMS – including Barr, whose 7-character password was obfuscated in the database using the now-deprecated MD5 hash.
A MD5 brute-force cracking tool soon revealed the password – which, LulzSec discovered, Barr was also using for his company email, World of Warcraft, PayPal, and even SSH remote access to company servers. By SSHing into those servers, the hackers found out the company was running an outdated version of Linux with a known privilege escalation vulnerability – which allowed them to access other employee emails and kick off a series of events that led to a massive attack on HBGary and an eventual US Congressional hearing into the matter.
Authorities pounced on the group in July 2011, and just two of the hackers escaped jail time: one, a New York programmer who went by the handle Sabu, secured immunity by flipping for the FBI.
The other, a British high-school student known online as Tflow, was just 16 at the time of his arrest – a fact that helped him avoid a custodial sentence despite earning a two-year complete ban on using Internet-connected devices that, he admits, made it tricky to complete his final exams.
The arrest – initially on 80 counts that were later consolidated into just two – marked the end of a months-long hacking spree for Tflow, who joined Anonymous on the back of that group’s 2010 assault on anti-piracy firm AiPlex Software.
“Back in 2010 it was seen as a virtual sit-in,” Tflow – whose real name is Mustafa Al-Bassam – told CSO Australia during a visit to Melbourne to deliver the keynote address at this month’s SecurIT conference.
“It did raise some awareness, and it probably did help some companies take security a little more seriously,” Al-Bassam said. “Whether it improved security in the long term, is hard to say.”
Learning the hard way – or not at all
Six years after his sentence was completed, Al-Bassam has moved on from the world of hacking and is currently researching cryptography and applications of blockchain technology as a PhD student at University College London.
Yet his role in the early days of organised, large-scale hacktivism remains pivotal – and, he said, many of the vulnerabilities that his group exploited so many years ago are still creating pain for companies today.
Antivirus software these days “is mostly snake oil”, he said. “It’s something that gives you a false sense of confidence but doesn’t actually do much.”
Many companies “hope there’s this thing they can install and make their security problems go away,” he added, “but that’s not really the case.”
Apart from improving cyber hygiene overall, simple practices such as the use of 2-factor authentication (2FA) offer the most protection against the types of attacks that helped LulzSec enjoy such strong success.
“People will always try to reuse passwords because it’s easy,” Al-Bassam said. “I think the solution is to design a system that is easy to use, in a secure way. 2FA definitely puts a stop to the barrage of password reuse, but the problem is that most people still aren’t using it.”
Given the commonness of these vulnerabilities, companies should be able to proactively identify and fix these problems through regular penetration testing and remediation. However, many were relying on occasional reviews by external companies that had little real-world effect.
“I have friends working in pen testing who complain that the companies they work for just never learn,” Al-Bassam explained, arguing that the pen-testing industry “is not sustainable in the long term”.
“It’s just not sustainable to have one group of people building systems and another group of people just trying to break them,” he said.
“It’s very important to pen-test your systems, but the people building the systems should be pen-testers themselves. You should be trying to train your developers and admins in a security-conscious manner.”
Instead, Al-Bassam said, many companies still take a mercenary approach to data protection that pits uses cost-benefit analyses to justify ineffectual security practices.
A significant part of these analyses is the fines attached to poorly managed data breaches, which are still managed by many companies as a form of financial exposure rather than something where the privacy breach impacts customers.
When LulzSec was hacking a flood of companies, “companies usually saw security as an overhead cost and only started to pay attention to the security issues we pointed out when they became a PR issue,” he explained. “That’s when customers start to think twice about using their service, and public perception changes.”
Emerging data breach reporting rules were “definitely a good thing”,” he added. “We should change the culture around that. If we recognise that every company that gets breached, we should see it as a good thing when a company notifies about that. It’s not something to be ashamed of.”
Yet many companies were still wearing breaches as a form of shame – and that meant the cause of transparency still has a way to go.
“If it’s not a PR issue and the vulnerability is in their systems,” he said, “and someone compromises that vulnerability and manages to get customer information, the customer isn’t really being hurt; the customers are being hurt.”
Two steps forward, one step back
Improvements in the design of development toolkits had helped eradicate common vulnerabilities like SQL injection – with modern environments like Python and Ruby on Rails, he said, providing “idiot-proof” libraries that protect developers from inadvertent SQL injection vulnerabilities.
However, new and increasingly sophisticated forms of attack were continuing to work around companies’ defences, targeting vulnerabilities in software or simply tricking ever-fallible humans into installing malware by clicking on email attachments.
“Hacking has always been a political fight,” Al-Bassam said, “but now nation-states are playing a much bigger role in it than in the past.”
Anonymous played a role in the discovery of early nation-state activity, in fact, when it hacked HBGary and published the user database of HBGary-owned rootkit.com – helping other researchers cross-correlate activity that pointed to APTs being used by Chinese hackers.
Yet with so many potential attack vectors, companies should focus on the basics and remember that hackers have a broad range of motivations.
Most “are not going to target you unless you are valuable to them in a specific way,” Al-Bassam said. “The trick isn’t necessarily to make it impossible for you to be hacked; the trick is to just make it slightly more expensive, and make it require slightly more resources to hack you, than anyone else.”