HBGary Compromise Debriefing

A web application SQL injection vulnerability disclosed accounts and passwords.

Mitigation: Test, sanitize input, use library routines instead of creating your own sanitization routines.

Passwords were encrypted with an MD5 hash and no salt. This enables unencrypted passwords to be determined offline, using rainbow tables.

Mitigation: MD5 is broken. Salt to make the use of precomputed password hashes (rainbow tables) impractical.

The accounts and passwords were used for initial access to a server.

Two-factor authentication would mitigate this.

A local vulnerability on the server enabled root access to the server.

Patch deployment would mitigate this.

The content management system password was the same as the email management service.

Do not reuse passwords.

Control of the email system enabled social engineering access to other vendors. You appear to be their trusted partner.

Comments are closed.