A company that is helping the federal government track down cyberactivists who have been attacking business which refused to support Wikileaks has itself been hacked by the very same activists.
At the center of the storm is a leaderless and anarchic Internet group called Anonymous, which more recently has been coordinating attacks against Egyptian government Web sites. Late last month, authorities in the U.K. and the U.S. moved against at least 45 suspected Anonymous activists. Then, on Saturday, the Financial Times ran a story quoting Aaron Barr, the head of security services firm HBGary Federal, saying he had uncovered the identities of Anonymous’ leaders using social networking sites. Barr said he planned to release his findings at a security conference in San Francisco next week.
Anonymous responded by hacking into HBGary’s networks and posting archives of company executive emails on file-trading networks. The group also hacked the firm’s Web site and replaced it with a message saying it was releasing Barr’s findings on its own because the group was confident Barr’s conclusions were wrong.
“We’ve seen your internal documents, all of them, and do you know what we did? We laughed. Most of the information you’ve ‘extracted’ is publicly available via our IRC networks,” the statement reads. “The personal details of Anonymous ‘members’ you think you’ve acquired are, quite simply, nonsense. So why can’t you sell this information to the FBI like you intended? Because we’re going to give it to them for free.”
I tuned into this conflict late Sunday evening, after HBGary President Penny Leavy had waded into Anonymous’ public chat channel in an attempt to reason with the group. Earlier in the evening, Anonymous sympathizers hijacked several Twitter accounts belonging to HBGary employees, and used them to post offensive comments and personal information about the account holders.
The topic of the IRC channel Leavy joined said it all: “Mission: Aaron Bratt FIRED. His salary donated to Bradley Manning Defense Fund. Simple.” Leavy said the group was planning to publish online the entire email archive belonging to Greg Hoglund, the security researcher in California who co-founded HBGary, which is part owner of HBGary Federal.
A snippet from that conversation:
“[20:06:12] <+Penny> Guys, I can’t fire someone that owns a portion of the company What i can promise is we will have a meeting to discuss next steps”
In a phone interview late Sunday evening, Hoglund said that unlike the more traditional Web-site attacking activities of Anonymous, the hackers who infiltrated HBGary’s system showed real skills, even social engineering a network administrator into giving them complete control over rootkit.com, a security research site Hoglund has long maintained.
“They broke into one of HBGary’s servers that was used for tech support, and they got emails through compromising an insecure Web server at HBGary Federal,” Hoglund said. “They used that to get the credentials for Aaron, who happened to be an administrator on our email system, which is how they got into everything else. So it’s a case where the hackers break in on a non-important system, which is very common in hacking situations, and leveraged lateral movement to get onto systems of interest over time.”
Hoglund said Anonymous had crossed a line, and that posting the company’s email online would expose internal, proprietary data that would likely cost HBGary millions of dollars. He added that Anonymous activists should be able to see — if they read the email they’ve stolen — that HBGary ultimately decided not to publicly name any of the members it had identified.
“Before this, what these guys were doing was technically illegal, but it was in direct support of a government whistle blower. But now, we have a situation where they’re committing a federal crime, stealing private data and posting it on a torrent,” Hoglund said. “They didn’t just pick on any company, but we try to protect the US government from hackers. They couldn’t have chosen a worse company to pick on.”
And as more internal mails surface…
http://img823.imageshack.us/img823/7462/hbgary.jpg
http://img14.imageshack.us/img14/2475/pwntweet.jpg
To be honest, Hoglund, I’m disappointed – and in the light of all these revelations even more disappointed by the whining and tears in the interview on SC mag… Wow, a new low.
“They are causing me a great deal of pain right now,” he [Hoglund] said. “What they’re doing right now is not hacktivism, it’s terrorism. They’ve really crossed a line here. I’ve worked so many years on HBGary, and I don’t deserve this. I never did anything to those people. They completely overreacted to [the Financial Times article]. Why did they need to do that?”
http://www.scmagazineus.com/anonymous-takes-over-security-firm-in-vengeful-hack/article/195837/
Here we have it again. Somebody is STILL saying “we cannot use that foul, filthy OpenPGP encryption.” If they had been using OpenPGP encryption there would be no story. For those that are using the MOTB, first wait until the second release candidate is vetted:
http://gpg4win.org/
Does this mean that anarchism says it is okay to ddos WikiLeaks and to hack into it? Does it mean it is mandatory that this must be done? Enquiring minds want to know.
I just want to point out that most security guys don’t practice what they preach. The fact that they got hacked means diddle about them as a company. It just means they didn’t eat their own dog food. They should have been encrypting their email using PGP. They should have been scanning their servers and making sure all version of software were up to date. Anything public facing also should be considered to them at some point it will get hacked. They should have had their public email server on a DMZ limiting access and their email store on a back end server that is protected from the internet. They should be using a secure VPN to get into the secondary server to check email. If you notice all these should have’s keep popping up. They just didn’t practice their same security to themselves. It happens a lot, just like that joke that the mechanics car is always the one that’s broken down. If their PR had any sense they would admit to this and let the media know they are not idiots. Crying about the fact that they got hacked will do nothing, and kind of proves they know nothing.
@WilliamB
You’re absolutely correct. I was going to post something like that but I would be called a blood thirsty “weasel”. It’s the old adage, “Doctors make the worst patients,” at work I suspect.
So, you address the issue of weasel behavior here, instead of answering the issue directly. Does your coat moult to white during the winter?
“The fact that they got hacked means diddle about them as a company.”
William, buddy… from the mouth of the president of HBGary… ALL of HBGary was compromised through a simple hole in a web server. In combination with the exploitation of Mr. Barr’s system, these guys have EVERYTHING. Anon, a group from who knows which countries, who knows what contacts, has all their source. So much for HBGary’s “ground breaking security solution”, apparently they can’t secure their own systems and I am supposed to drop a cool million plus on their garbage? Seriously, we actually vet our vendors and these jokers just moved, not to the bottom of the list, but completely off the list. Really, not securing your own assets is up to you, but your financial, customer data, customer financial info and YOUR SOURCE CODE???? why would anyone purchase a product that is days away from compromise itself? Good luck with the fire sale.
Krebs, it’s time for another Adobe Reader/Acrobat security post, more remote exploits:
http://www.securityfocus.com/bid/46199
http://www.securityfocus.com/bid/46201
http://www.securityfocus.com/bid/46208
http://www.securityfocus.com/bid/46209
http://www.securityfocus.com/bid/46210
http://www.securityfocus.com/bid/46211
http://www.securityfocus.com/bid/46213
http://www.securityfocus.com/bid/46219
krebs, see securityfocus dot com, a slew of new remote exploits for Adobe Reader!
Anonymous has stated they are going to release the information that Barr has on the individuals that make up Anonymous. Where is it posted? I haven’t seen that yet.
I got a copy, not great thing. But the link is down for the moment. Google it or search it in the piratebay
Go to the aaronbarr Twitter account and follow the Tweets. There are links to the SQL database, the pretend “dosier” that the stupid wannabe wrote about Anonymous, and some 66,000 emails that were seized from HBGary since the incompetent fake “security company” clowns couldn’t be trusted with their own data. LOL.
It’s like one of those old movies where the main character is the jewel thief defeating the defenses of a museum with a massive diamond on display.
It’s not that you’re in favor of grand larceny, but it’s just entertaining to watch someone doing a job really, really well … as long as it’s not *your* family jewels he’s got hold of.
@John:
“krebs, see securityfocus dot com, a slew of new remote exploits for Adobe Reader!”
No idea why they are voting your post down, the security concerns and suggestion to cover the remote exploits should be taken seriously.
Are Adobe employees or stockholders viewing these messages?
They are voting it down because it is in the wrong place. He/she should have used the contact form for Krebs.
Wow,
I surely had hoped that Brian Kreb’s esteemed audience would have at LEAST one useful comment to say that adds a single ounce of intelligence to this thread. All I have heard is blah blah HBgary pwned, they deserved it, ABars stoopid, we rule, anarchy rules, yada yada.
From a pyschology perspective since I come from the old school of INETS, I kind of respect the roving vigilantism of this amorphus group. The Internet is still the wild wild west. However the group philosophy seems to mirror the rabble rousing unorganized throes of the antiglobalism movement that tends to rile things up but not really have any major impacts. However I would be very wrong in this case.
The REAL story here is that a company (bad/good/incompetent or otherwise) has lost COUNT 66,000 emails of which can be blended a massive social networking picture of how the entire military/LE/Intel/Federal goverment and its military industrial complex, develop, compete, and build complex cyber defense and offensive systems. Right now the goverment is dupliciative, all with their own rice bowls, instead of completely behind the development of National level capabilities to defend the United States and its Western allies future interests from a locuststorm of maraduing, pillaging highly focused cyber intelligence gatherers tasked by the PRC and the PLA.
This type of data leakage sh!tstorm apacolypse will inevitably contribute to the enemys operations in further undermining the advantages that innovation has developed over the last 100 years.
The real issue here is that this release exposes hundreds of cyber industry contacts that will inevitably be targeted in future cyber attacks. The exposure of a plethora of Private/Sensitive/proprietary bid / proposal / competitive information in the development of these key programs will unfortately hurt our nation.
DISCLAIMER: I clearly understand that most members of a self avowed anarchist group could give 2 bits about the US Goverment or its future and they have a highly foreign membership, however not everything is always bad in the US. There is much good. Additionally the REAL threats we face have targeted most every other Western country here, in Europe, exploit south american and africa, and target their neighbors in the PAC rim as well as Pakistan and India. If fact, the motto of China is simply hack and steal as much as the possibly effing can.
Companies like HBgary have potential to focus talent and experitise on the real things that matter, unfortunately they have burned themselves badly, looked like idiots, and now as a consequence, will be wrapped up for the next year in damage control, rebuilding, thats if they survive.
Unfortunately knowing how the FBI is, they will be ALL over this like WHITE on rice. Opening up field investigations all over the place, putting valuable and scarce resources towards investigating these kiddie highjinks were black hats and white hats are sticking their dicks in each other eyes for the fun of it.
The real war is going on behind the scenes. And most of you have no idea, or involvement which is a shame because our goverment (even though it doesnt think so) assymetric irregular cyber forces to wage chaotic and unattributable attacks on its enemys.
Heres my advice to the Feds
-clearly there was a crime here
– triage this and ask your self if its really worth it to use our tax dollars and investigative resources chasing a fart in the wind/ghost in the shell. You might get 5 -10 arrests tops. what range from probation to 5 years maybe for the most egregious of actions.
– In comparsion with WEAK ass sentenceing currently being applied to REAL cyber criminals such as Zeus and others, (see sentences like 8 months, 1 year for the PALIN hacker, ectera the Deterrence impact is clearly not working)
– they will of course ignore this and hunt down after much effort the people behind this. They are smart and will most likely yeild results.
– It certainly didnt help they this group basically didnt just f7ck HBgary but the NSA/DHS/MIL/INTEl and just about 80 percent of the freaking military industrial cyber complex in the process. This i predict will not go well for Anonymous and will no doubt be Reverse LoLz when they are in serious kimchee in jail and with bankrupting fines and the only electronic devices they can use is a broken lightbulb to pick their toes.
– The door usually swings both ways.
For more Strategy and how to do real attribution…..
http://www.conanthedestroyer.net – Diocyde
Maybe rapid catz can be mobilized towards something fun that actually doesnt hurt the US (Whats your Going hourly rates btw… 😉
Well – DIOCYDE – that is certainly calling a spade a spade; at least as far as you measure it. I have no love for Chinese crackers, I’ve been fighting them for three years.
The flipping government could care less; but I haven’t exactly been trying to beat down their doors either. I’m just waiting for the other shoe to drop, and add my guffaws later. With the high incidence of DOD and D.A.R.P.A break-ins, in the news; it is just a matter of time – a very short time.
Commercial interests, with real solutions are wary of doing business with a government that tends to confiscate intellectual property in the name of national security. They don’t really want to come to uncle sugar’s defense. I can’t blame them.
I’m going to have to agree with you there, DIOCYDE. In their PR response, HBGary said that Anonymous couldn’t have picked on a worse company. I don’t think they were framing themselves as vengeful (although I’m sure they are). I think that they were referring to all the other companies and (more pressingly) government agencies that were affected.
Citizens have the right not to incriminate themselves. This means no matter the sentencing, thye have a right to refuse turning over the keys to theirs tools.
I’m sure the weak sentencing came from making a bargain behind the scenes.
I don’t know about all of this, I admit, but from what I read about all of this the anonymous guys aren’t the bad guys here. They aren’t hitting anyone who doesn’t start it, by either attacking or threatening them or some other defender of freedom. I mean WikiLeaks???Anyone who looks beyond the butt hurt rhetoric of the politicians to what they are doing can see what they do helps us all in the long run. So when the anonymous guys defend WikiLeaks, I applaud. If the idiots would realize this and do the right thing in the first place then none of them would be targeted. I do enjoy watching all of this though…Now that football season is over.
That is correct in a number of arenas. The Anonymous Collective are not the bad guys when it comes to acts and efforts like this. They address the hive mind on targets that are richly deserving.
Anonymous has been providing mobile cell towers for the people of Egypt in addition to Tor onion routers, proxy servers, and anonymous remailers and such.
Everything that Anonymous has done has had some benefit to society.
What about the Non-Hacking, non-DDoSing, individuals that he and the other company’s bid to destroy via a misinformation campain?
What about those that were only guilty of exercising their first amendment rights!
I think these companies should be sued for the attempt to destroy live for a paycheck.
These 3 company’s which HBGary was one of were attempting to BID for a contract to LIE and plant false information! Folks the powerpoint proposal they created is on the web!
Where else have HBGary, Palantir et. al. been operating?
Anonymous has 50,000+ emails from this guy. What other crimes is this firm implicated in? What other nations and causes have been subverted at the payment of corporate interests?
Who else are their clients?
And how did BoA find these guys to begin with?
And …how many corporations like this are there? Does the Federal government use these firms? How much of a merry-go-round is there between these “computer and infrastructure security firms” and public jobs in DOJ, FBI, CIA, NSA, CIA, the military defense units, and all the other taxpayer-funded positions?
What does the American public do when it finds out just how fundamentally it’s been played, deceived and robbed over the past thirty years?
Thirty years? Try hundred years.
“If fact, the motto of China is simply hack and steal as much as the possibly effing can.”
Wow, I’m glad you’re around to keep a weather eye on the Yellow Peril.
@John:
“krebs, see securityfocus dot com, a slew of new remote exploits for Adobe Reader!”
No idea why they are voting your post down, the security concerns and suggestion to cover the remote exploits should be taken seriously.
Are Adobe employees or stockholders viewing these messages?
They’re working to bury your message, too… how communist!
I don’t know how many follow the Washington Post (WP), but I sure get a uneasy feeling about federal government incompetence when I read the FUD fed to WP by very large corporations like Booze-Allen, etc. who just hire incompetent former government employees to get themselves in the backdoor. They are not the least bit encouraging. They are great at scaring the congress and readers, spending huge bundles of federal dollars for IT security with huge amounts spun off as profit to fat cats in D.C. milking the cow. All this so the private in the nuclear missile silo has internet access to twitter his hot date for the night and look at porn.
You get it wrong, it is all lulz. And even I am just a lurker this was way better than watching the superball
Is everyone forgetting that this whole thing was started by a bogus inaccurate report which Aaron Barr had reckless put together from taking down names off of Facebook?
He made up fake back stories about who they were, he dug into their profiles and took all their emails and info and then was going to try to sell this fraud to the feds as the “inside scoop on Anonymous”.
What about lives of these innocent people that HBGary seemed to have no issue what so ever in slandering, distorting and destroying with no back up evidence to their claims in this lame report.
These are all people with families and children and homes and jobs too!
While Aaron Barr is living in a million $ home in Northern Virginia, he and his ilk have discarded the rights, privacy and liberties of the people with no care or shame!
They can dish it but the cowards can’t take it when the people are finally standing up and saying “we aren’t going to take this anymore”.
PAY BACKS A BITCH!
But wait there is more. To show the public how bad this firm and others like them are:
Data intelligence firms proposed a systematic attack against WikiLeaks
http://www.thetechherald.com/article.php/201106/6798/Data-intelligence-firms-proposed-a-systematic-attack-against-WikiLeaks
“After a tip from Crowdleaks.org, The Tech Herald has learned that HBGary Federal, as well as two other data intelligence firms, worked to develop a strategic plan of attack against WikiLeaks. The plan included pressing a journalist in order to disrupt his support of the organization, cyber attacks, disinformation, and other potential proactive tactics.
The tip from Crowdleaks.org is directly related to the highly public attack on HBGary, after Anonymous responded to research performed by HBGary Federal COO, Aaron Barr. Part of Anonymous’ response included releasing more than 50,000 internal emails to the public. For more information, the initial coverage is here.
What was pointed out by Crowdleaks is a proposal titled “The WikiLeaks Threat” and an email chain between three data intelligence firms. The proposal was quickly developed by Palantir Technologies, HBGary Federal, and Berico Technologies, after a request from Hunton and Williams, a law firm that currently counts Bank of America as a client.”
HBGary Federal = assholes
in this war, you’re traitors
wish you bankruptcy
HBGary opened their firewall,
HBGary took a great cyberfall,
All Aaron’s resources and all of his men,
Couldn’t put HBGary together again.
What I found exemplary about this thread has nothing to do with technology, but a parable that reflects my dotage:
A knight rides into town in a suit of shiny armor, swinging a sword, and smashing about. There are all sorts of responses that all sorts of townsfolk may make. But, let’s look at a simple square: Some may run over to the knight with a refreshing cup of water. Some may vainly throw stones at him. Some may hunker down, and hope for the best for they, and theirs. And some may grab what they can and run away (run away).
But, why the outrage (honest or feigned), by those proffering cups of water when struck by their neighbors’ stones? Why the regret for the slaughter of the cupbearer’s family while trying to assist his stoned self, when the arrows of the knight’s enemies rain down on them, all?
How on earth can anyone support HBGary for listing a bunch of first amendment supporters that never ddosed or hacked? The list was soooo bad it listed people that have never downloaded loic much less hacked anything. I know this for a fact because the list was so pathetic that I MADE THE LIST! Wow. I am so flattered! I have exercised 1st amendment rights and attended an anonymous rally in support of Assange and Bradley Manning. He should be sued. Personally, I think he’s not worth bother but some are talking about getting lawyers.
Whoa Marian, sucks to be you. Sorry to hear it.
Our favorite wannabe narc’s been quiet lately. Guess he’s hoping the world will forget him. Not surprising considering the investigative & security skills down at HBGary turned out to be on par with those of Koko the sign language proficient gorilla.
A SNAFU of this magnitude – false accusations, bare-faced lying, peddling gratuitously false data to the Feds, AND the toe-curling shame of the security meltdown and pending corporate implosion we all laughed about – confirms that these aren’t exactly the top players in the industry.
The shame is so great for Barr and Hoglund that they may literally have to swap coasts, get plastic surgery, and start life all over again under aliases.
Mind you, these folks are shameless, so who knows? We might get to see them at the RSA conference in five days. Can’t wait.
Indeed, Marian
Just yesterday I read this AP story
http://news.yahoo.com/s/ap/20110209/ap_on_go_ot/us_cia_accountability#mwpphu-container
about a guy who was abducted from a bus, based on faulty inteligence, tortured for 5 months in a secret prison and then silently released when overwhelming evidence he was the wrong guy, could not be suppressed anymore. It seems to me HBGary was preparing to do just the same, ruin lives of many innocent individuals based on a list they produced with “professionalism”. There are two consequences emerging from here, one scary and one bad. The scary one is that any of us could find ourselves on such a list (an subsequently on who knows what no-fly list) added by some incompetent and recourse to this is hard, you might not even know what’s going on, not have access to a lawyer, etc. The bad consequence is that, unlike Marian, many of us will freak out and not sign any list of support, attend any support rally, etc being afraid this can get you on one of those dreaded lists. This is an effective way to kill democracy, you don’t have to deport or kill 100.000 people like they did in Cambodia, is more effective to deport 100 and somehow create the impression that any statement you make in support of something or someone might add your name to the list that will follow the first 100 – depending on which incompetent contractor or employee concocted the list. Hats off Marian, I hope this event did not silence you and next time you decide to support a cause not to hold off because of fear you might “make again to the list”.
Thank you George for your kind words. I am still fighting. Just fought my city council this week and it ended in a very productive agreement to try to strengthen relations between local cops and artists. But this is a serious threat and people need to react to it. My husband was a crypto-ranger during Viet-nam and he thinks if guys like Palanrir are making such presentations to get Government contracts to create disinformation, then there HAS to be a market for it. What do we do? We can’t let this happen! America will be wrecked if the Government starts hiring people to tell lies for a living.
Marion- lawyer up and get’m for slander!
In order to sue the incompetent wannabes, one would have to show malice and would also have to show some significant loss, either financial or in reputation.
What the incompetent morons at HBGary did was destroy *their* already shoddy reputation.
Legitimate security companies and people don’t do what HBGary does.
HBGary, with the tagline – Detect. Diagnose. Respond – quite simply weren’t doing their job properly.
@DIOCYDE
From a security perspective you can do what you want to the people who stole the data; the damage is done… and the damage would not have happened if HBGary had been diligent in their work.
My guess is that the execs at HBGary were too busy managing their pay checks provided by US taxpayers to worry about US security.
What matrix/grid/standard should be used to determine who was right and wrong? As the U.S. culture is becoming more relativistic. Anything goes. Morality is private. Obedience to laws (speeding, copywrite) is an option. There is no accountability to God and no virtue seen in obeying the rule of law.
Where there is no accountability to God and no objective standard for truth and morality, then any law can be disobeyed if someone decides it’s wrong or inconvenient. If the law is evil according to God’s revealed standard, it can be disobeyed with a clear conscience. If the law is not good public policy, it should be changed within our political and legal system. Othewise, God expects the laws to be obeyed. And he expects his commandments to be obeyed as well.
Otherwise, life becomes a free-for-all.
So, you’re saying freedom’s just a deicide away?
It’s a good thing that truth isn’t found in a popularity contest. Truth has never been popular. “People love the darkness because their deeds are evil.”
Truth can never be popular, because it doesn’t care what you think of it. However, most “People love the darkness because their dates are ugly.”
@Gary H.
Like it or not, life has always been a free for all- god was invented by those who would have you controlled. And somehow, it’s the oldest remaining shroud over people’s eyes.
Morality is in our genes, not our faith.
Point being, life is and always has been a free-for-all, it’s just up to you to choose whether or not to be like anonymous and stand up for yourself and do what you feel and know is right, or do what god/ government/society deign is acceptable.
This whole clusterfuck isn’t some moral dilemma, it’s what has been happening for years. The government did some shit that people didn’t like- only this time, they can’t quiet the people.
Anonymous won again and they will always win.
th3j3t3r.wordpress
Who needs a rootkit these days with clever social engineering:
Haxor: Please lower your shields. I am not a haxor.
Security ExpErt Admin: OK
LOLOLOL
HBGary Federal, as well as two other data intelligence firms, worked to develop a plan of attack which included pressing a journalist in order to disrupt his support of the wikileaks, cyber attacks, disinformation, and other potential proactive tactics against wikileaks and anonymous. The document, a bid for a government contract to CREATE LIES for Government MONEY.. was all over the web!
Bear in mind that SOME PARTIES listed never committed crimes other that exercising freedom of speech (which I could SWEAR is a crime lately)…
Should these companies be sued for the attempt to ruin the lives of those that DIDN’T hack, DDoS or commit any crimes? Class-action lawsuit?
The more I read about HBGary the more I side with their hackers.
Cleartext rootkit.com passwords published at http://dazzlepod.com/rootkit/.
Many passwords appear to be reused @ twitter, facebook, gmail, etc. Reminder to users to keep password unique to the site where it is used.
Why release all those names and passwords? Those are just users. Why are you trying to harm them? Are you going to tell me you have never used the same password for multiple websites?
You all belong in jail.
I would hope that HBGary has already notified them to start changing those passwords. It’s interesting that a search on “.gov” returns only 45 usernames, many of which are either foreign government email addresses or obvious fake email addresses. HBGary was promoting itself as being really tight with U.S. government agencies?
You hackers are completely full of yourselves. Pathetic, absolutely pathetic.
Possibly, but doesn’t this make for one hell of a show :).
Pooooooor HBGary. You get what you put out. Karma is alive and well. Shape up or continue getting fucked. By the way, I’m not a part of the hacking and whacking. I just like seeing degenerate companies get what they’ve given out to those who are powerless and poor.
Whats very troubling about this is that it appears that HBGary
was trying to sell false un-vetted information to the US Government.
It will be interesting to see if the Government will request a
complete re-fund of any monies paid to HBGary.
BS -//-
Atrocious! Truly atrocious! If you’re going to collect a paycheck to “disappear” and torture people to death, the least you can do is have reliable rumor and innuendo to target them.