Despite high-profile hacks, companies still aren’t behaving securely: ex-LulzSec hacker

A CEO’s poor password hygiene enabled an escalating series of attacks that preceded a 50-day hacking spree which sent several members of the hacking group LulzSec to jail and caused significant financial and reputational damage to companies including US broadcasters Fox News and PBS, and Sony’s PlayStation Network.

Those and other companies, the members argued, shouldn’t have been so easy to compromise – and in many cases, the group tried with varying degrees of success to point out the flaws to the victim companies’ security administrators. But that didn’t help them plead their case after an online row with security consultancy HBGary escalated in early 2011.

Lessons learned, but not by the victims

HBGary was targeted for its complicity with US government efforts to crack down on hackers using technology spruiked by HBGary Federal CEO Aaron Barr. After a SQL injection attack on the company’s website content management system, the Anonymous members who would go on to form LulzSec were able to download the usernames and hashed passwords of everyone with a CMS account – including Barr, whose eight-character password (six lowercase letters and two digits) was stored in the database as an unsalted hash using the now-deprecated MD5 algorithm.

Because the hashes were unsalted, an MD5 cracking tool working from precomputed lookup tables soon revealed the password – which, the hackers discovered, Barr was also reusing for his company email, World of Warcraft, PayPal, and even SSH remote access to company servers. By SSHing into those servers, the hackers found the company was running an unpatched version of Linux with a known local privilege escalation vulnerability – which gave them root, exposed other employees’ email, and kicked off a series of events that led to a massive attack on HBGary and an eventual US Congressional hearing into the matter.
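As an added example, not code from the article or anything HBGary ran, the following Python reproduces the mechanism described above on constructed data: a leaked CMS table of unsalted MD5 digests is cracked with a small wordlist plus exhaustive search over short lowercase strings, and the same table is then stored the way it should have been, with a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 is my choice here; the article names no remedy). The leaked rows, the wordlist and the passwords are all constructed for the demo and are not Barr’s real credentials.

```python
"""Added example: why an unsalted MD5 password table falls quickly, and a
hardened alternative. All data here is constructed for the demo; nothing
is HBGary's code, and the digests below are not Barr's real password."""
import hashlib
import hmac
import itertools
import os
import string

# Constructed "dump" of a CMS user table storing unsalted MD5 digests,
# the pattern the article describes. These are md5("abc") and md5("password").
LEAKED_CMS_ROWS = {
    "ceo":   "900150983cd24fb0d6963f7d28e17f72",
    "admin": "5f4dcc3b5aa765d61d8327deb882cf99",
}

# Small constructed wordlist; a real attacker uses millions of entries
# or precomputed (rainbow) tables, which work precisely because no salt is used.
WORDLIST = ["letmein", "password", "welcome1", "monkey"]


def crack_unsalted_md5(target_hex, wordlist=WORDLIST, max_len=4,
                       alphabet=string.ascii_lowercase):
    """Recover a password from an unsalted MD5 digest.

    Tries the wordlist first, then exhaustive search over lowercase strings
    up to max_len. Without a salt, one digest per guess can be compared
    against every row of the table, so the cost is paid once for all users.
    """
    target = target_hex.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            if hashlib.md5(guess.encode()).hexdigest() == target:
                return guess
    return None


def crack_table(rows):
    """Crack every row of a leaked table; returns {user: password or None}."""
    return {user: crack_unsalted_md5(digest) for user, digest in rows.items()}


# ---- Hardened storage: per-user random salt + slow KDF -------------------
PBKDF2_ITERATIONS = 600_000  # assumption: current OWASP-scale work factor


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iter$salt_hex$dk_hex'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password, record):
    """Constant-time comparison of a password against a stored record."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def salts_differ(password, iterations=PBKDF2_ITERATIONS):
    """Same password for two users must yield two different records, so a
    crack of one account reveals nothing about the other; both still verify."""
    a = hash_password(password, iterations)
    b = hash_password(password, iterations)
    return (a != b and verify_password(password, a)
            and verify_password(password, b))


if __name__ == "__main__":
    print("cracked from unsalted MD5:", crack_table(LEAKED_CMS_ROWS))
    record = hash_password("abc")
    print("hardened record:", record)
    print("verify correct:", verify_password("abc", record),
          "verify wrong:", verify_password("abd", record))
    print("two users, same password, distinct records:", salts_differ("abc"))
```

The brute-force loop recovers a three-letter password in well under a second; the hardened path makes every single guess cost 600,000 HMAC evaluations and ties it to one user’s salt, which is what turns a table dump from “everyone’s password by morning” into an expensive per-account effort. Password reuse defeats even this, of course: once any service leaks the plaintext, the salt on the others is irrelevant.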

Authorities pounced on the group in mid-2011, and just two of the hackers escaped prison: one of them, a New York programmer who went by the handle Sabu, avoided a custodial sentence by becoming an FBI informant.