The biggest story coming out of the RSA show this week has been the public embarrassment suffered by the security firm HBGary Federal. If current reporting is accurate, it’s a sobering story of online dangers and unprofessional behavior on the part of the company.
The hacker group Anonymous penetrated the computers of HBGary Federal on February 6, defacing the web site and releasing over 40,000 internal emails onto the Internet. The email exchanges reveal a running feud between Anonymous and Aaron Barr, the CEO of HBGary Federal. Barr claimed to have discovered the real identities of members of the group, which has conducted pro-WikiLeaks attacks on Visa and Mastercard and is under FBI investigation. Here’s background from Ars Technica.
When Barr threatened to reveal these identities, Anonymous instead took out HBGary Federal. Here are my three takeaways on the mistakes the company made, again based on reporting to date.
- Security firms need to practice what they preach — Basically, HBGary Federal made three security mistakes they most certainly counsel clients not to make. Their site ran on a custom Content Management System (CMS) that was vulnerable to SQL injection, which is how the attackers pulled the user database. The password hashes in that database were stored with a weak, unsalted algorithm (MD5), so the dumped hashes were cracked quickly. And the passwords themselves were short and simple, and were reused across multiple systems, so one cracked password opened other accounts. Very basic, best-practice type stuff. Here’s Ars Technica again with full detail.
- Business is business, not personal — It’s clear CEO Barr took this online contest too personally. If some reports are to be believed, he was doing this to drum up publicity for an upcoming conference address. Even if those reports are incorrect, Barr did not seem to consider how his actions could damage the company he led.
- Compete fiercely, but don’t cross the line — After studying the leaked HBGary Federal documents, the New York Times reported that they suggest HBGary Federal and two other companies offered to target critics of Bank of America and the U.S. Chamber of Commerce. Proposed methods included using online research to dig up embarrassing personal information about opponents, and releasing falsified information.
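To make the first takeaway concrete, here is an added example (written for this post, not code from HBGary Federal’s CMS or from the Ars report) that puts each of the three mistakes next to its fix: a user lookup that splices the username straight into SQL beside a parameterized one, an unsalted MD5 password hash beside a salted, iterated PBKDF2 hash, and a precomputed-table crack run over the dumped rows. The usernames, passwords and wordlist are constructed for the demo, and the PBKDF2 iteration count is kept low so the script runs quickly.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts. The passwords are short dictionary words on
# purpose, to mirror the weakness described in the post.
SAMPLE_USERS = [("admin", "summer11"), ("editor", "password1"), ("webmaster", "letmein")]

# Constructed attacker wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password1", "letmein", "summer11", "qwerty"]

# Demo value only; production PBKDF2-HMAC-SHA256 should use a far higher count
# (OWASP currently recommends 600,000).
PBKDF2_ITERATIONS = 100_000


def make_db(hash_fn):
    """Build an in-memory CMS user table, hashing each password with hash_fn."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [(u, hash_fn(p)) for u, p in SAMPLE_USERS]
    )
    return conn


def lookup_vulnerable(conn, username):
    # Mistake 1: the username is formatted into the statement, so attacker
    # input becomes SQL. A username of  ' OR '1'='1  returns every row.
    sql = f"SELECT username, pw_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Fix: a bound parameter is always treated as data, never as SQL.
    sql = "SELECT username, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def weak_hash(password):
    # Mistake 2: unsalted, single-round fast hash. Identical passwords give
    # identical digests, and a precomputed table cracks them by lookup alone.
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    # Fix: per-user random salt plus an iterated KDF. The salt defeats shared
    # precomputed tables; the iterations make every guess expensive.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password, stored):
    """Recompute the stored hash with its own salt and iteration count."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def precomputed_table(hash_fn, words):
    """Stand-in for a rainbow table: hash -> plaintext for every word."""
    return {hash_fn(w): w for w in words}


def crack_with_table(rows, table):
    """Crack dumped (username, pw_hash) rows with dictionary lookups only."""
    return {user: table[h] for user, h in rows if h in table}


def guess_each_user(rows, words):
    # Mistake 3 persists even with good hashing: a short password that is in
    # the wordlist still falls to per-user guessing, it just costs one full
    # KDF per guess instead of one table lookup.
    found = {}
    for user, stored in rows:
        for w in words:
            if verify_strong(w, stored):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    payload = "' OR '1'='1"
    weak_db = make_db(weak_hash)
    dumped = lookup_vulnerable(weak_db, payload)
    print("vulnerable query returned", len(dumped), "rows; safe query returned",
          len(lookup_safe(weak_db, payload)))
    print("cracked by table:", crack_with_table(dumped, precomputed_table(weak_hash, WORDLIST)))
    strong_db = make_db(strong_hash)
    dumped = lookup_vulnerable(strong_db, payload)
    print("table vs salted:", crack_with_table(dumped, precomputed_table(strong_hash, WORDLIST)))
    print("per-user guessing vs salted:", guess_each_user(dumped, WORDLIST))
```

Running it shows the chain the post describes: the injected username dumps the whole table, the unsalted hashes fall to a single dictionary lookup, and while salting stops the shared table, short passwords drawn from a wordlist are still recovered one user at a time. Parameterized queries, a salted iterated KDF, and long unique passwords each break a different link; none of the three substitutes for the others.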
The Internet is a dangerous place for sure, as I wrote about recently. There’s nothing wrong with being passionate about what you do (you’d better be), or with competing fiercely or even with opposition research, up to a point.
Perhaps more facts will emerge around this story. For now it seems Barr acted irresponsibly, both by not following security best practices and by losing his emotional and moral perspective. Unfortunately, everyone at HBGary Federal is now paying the price.