HBGary Federal Security Fail... Again

Thursday, March 17, 2011

J. Oquendo


After taking the time to read: "HBGary's Hoglund identifies lessons in Anonymous hack" via CSOOnline [1], it occurred to me that even high caliber security professionals still don't get it.

In the article, Greg Hoglund was asked what suggestions he would have for other companies. I say: FAIL. There is still no mention of encryption, which would have saved him and his colleagues (current and former) plenty of headaches.

By using an application such as Pretty Good Privacy or GNU Privacy Guard (its open-source equivalent), HBGary's e-mails, or at least the most secretive and crucial correspondence, would have been downloaded in encrypted form, rendering them useless without the private PGP key required to decrypt them.
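To make the point concrete, here is an added example (not from the post or from HBGary) that uses GnuPG to encrypt one constructed e-mail to a throwaway recipient key and then checks three things: the stored ciphertext does not contain the plaintext, the key holder can still read it, and a copy in the hands of someone with no key cannot be decrypted. It assumes GnuPG 2.1 or later is installed; the identity, message and directories are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: encrypt an archived e-mail with GnuPG so that a downloaded
# copy of the mail store is unreadable without the recipient's private key.
# Assumes gpg (GnuPG 2.1+). The recipient identity and message are constructed.
set -e

demo_pgp_mail() {
    work=$(mktemp -d)

    # Throwaway keyring for the recipient (no passphrase, for the demo only).
    export GNUPGHOME="$work/keyring"
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Recipient <recipient@example.invalid>' \
        default default never 2>/dev/null

    # Constructed sample message standing in for one archived e-mail.
    printf 'Subject: board minutes\n\nThe secret plan is in section 4.\n' \
        > "$work/mail.txt"

    # Encrypt to the recipient's public key; this is what the mail store holds.
    gpg --batch --quiet --yes --trust-model always \
        -r 'recipient@example.invalid' \
        --output "$work/mail.txt.gpg" --encrypt "$work/mail.txt"

    # 1) The stored ciphertext does not expose the plaintext.
    if grep -q 'secret plan' "$work/mail.txt.gpg"; then return 1; fi

    # 2) The holder of the private key can still read the message.
    gpg --batch --quiet --decrypt "$work/mail.txt.gpg" 2>/dev/null \
        | grep -q 'secret plan' || return 1

    # 3) Someone with only the downloaded copy (empty keyring) cannot.
    export GNUPGHOME="$work/nokey"
    mkdir -m 700 "$GNUPGHOME"
    if gpg --batch --quiet --decrypt "$work/mail.txt.gpg" >/dev/null 2>&1; then
        return 1
    fi

    # Clean up the throwaway agents and directories.
    GNUPGHOME="$work/keyring" gpgconf --kill gpg-agent 2>/dev/null || true
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return 0
}

demo_pgp_mail && echo "encrypted mail is unreadable without the private key"
```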

Far too many companies, including heavyweight security companies, forget that there are plenty of options available (many of them free) that can help them keep their data secure.

Further, Greg makes a semi-compelling argument to avoid "the cloud" in his statement: "don't store your entire e-mail archive in the cloud," which makes some sense, yet makes little sense at the same time. By storing e-mails in the cloud, a company has a higher likelihood of avoiding "e-discovery" pitfalls if it cannot immediately pinpoint e-mails locally.


At the same time, there is the other side: if the cloud account or connection is compromised, someone may be able to read those e-mails. Yet ultimately, had anyone in HBGary signed and encrypted those e-mails, the e-mails would be as useful as cobwebs in a basement. They would have been encrypted.

The mention of two-factor authentication is an entirely different ballgame and would likely not have averted the disaster at any point in time, although the SLA argument Greg made may have saved perhaps a portion of his mailbox from hitting the web. That too (the SLA) is rather confusing, as Greg calls this a Software License Agreement.

I am unsure whether he has confused it with a Service Level Agreement. Who knows how a software license agreement would have helped: "Anyone with a cloud-based service needs to have an SLA (software license agreement) in the contract that says there is a priority, security hotline so that when there is a security event you have priority support." I wonder what someone in the Cloud Security Alliance would say to this statement.

Furthermore, IP-based authentication is somewhat helpful but can be hurtful. While an administrator can define who can and cannot visit locations, servers and pages (.htaccess, mod_security), this becomes a cumbersome process when there are road warriors (travelling staff) involved. It also does little against a client-side attack in which an attacker gains access to a trusted machine.

Finally, "It took me forever to get technical staff on the phone on Sunday afternoon, so they could make the necessary changes so that Google would even start talking to me. And meanwhile, they are downloading my e-mail spool."

Such a sad statement, considering that mail servers are rather easy to configure, deploy and maintain. Not to mention that no one else will give you the security levels and comfort you need, so it is often better to maintain your own systems rather than rely on a third party who will never be able to give you security sanity slash peace of mind.

[1] http://www.csoonline.com/article/677340/hbgary-s-hoglund-identifies-lessons-in-anonymous-hack

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.