February 7, 2011

A company that is helping the federal government track down cyberactivists who have been attacking business which refused to support Wikileaks has itself been hacked by the very same activists.

At the center of the storm is a leaderless and anarchic Internet group called Anonymous, which more recently has been coordinating attacks against Egyptian government Web sites. Late last month, authorities in the U.K. and the U.S. moved against at least 45 suspected Anonymous activists. Then, on Saturday, the Financial Times ran a story quoting Aaron Barr, the head of security services firm HBGary Federal, saying he had uncovered the identities of Anonymous’ leaders using social networking sites. Barr said he planned to release his findings at a security conference in San Francisco next week.

Anonymous responded by hacking into HBGary’s networks and posting archives of company executive emails on file-trading networks. The group also hacked the firm’s Web site and replaced it with a message saying it was releasing Barr’s findings on its own because the group was confident Barr’s conclusions were wrong.

“We’ve seen your internal documents, all of them, and do you know what we did? We laughed. Most of the information you’ve ‘extracted’ is publicly available via our IRC networks,” the statement reads. “The personal details of Anonymous ‘members’ you think you’ve acquired are, quite simply, nonsense. So why can’t you sell this information to the FBI like you intended? Because we’re going to give it to them for free.”

I tuned into this conflict late Sunday evening, after HBGary President Penny Leavy had waded into Anonymous’ public chat channel in an attempt to reason with the group. Earlier in the evening, Anonymous sympathizers hijacked several Twitter accounts belonging to HBGary employees, and used them to post offensive comments and personal information about the account holders.

The topic of the IRC channel Leavy joined said it all: “Mission: Aaron Bratt FIRED. His salary donated to Bradley Manning Defense Fund. Simple.” Leavy said the group was planning to publish online the entire email archive belonging to Greg Hoglund, the security researcher in California who co-founded HBGary, which is part owner of HBGary Federal.

A snippet from that conversation:

“[20:06:12] <+Penny> Guys, I can’t fire someone that owns a portion of the company  What i can promise is we will have a meeting to discuss next steps”

In a phone interview late Sunday evening, Hoglund said that unlike the more traditional Web-site attacking activities of Anonymous, the hackers who infiltrated HBGary’s system showed real skills, even social engineering a network administrator into giving them complete control over rootkit.com, a security research site Hoglund has long maintained.

“They broke into one of HBGary’s servers that was used for tech support, and they got emails through compromising an insecure Web server at HBGary Federal,” Hoglund said. “They used that to get the credentials for Aaron, who happened to be an administrator on our email system, which is how they got into everything else. So it’s a case where the hackers break in on a non-important system, which is very common in hacking situations, and leveraged lateral movement to get onto systems of interest over time.”

Hoglund said Anonymous had crossed a line, and that posting the company’s email online would expose internal, proprietary data that would likely cost HBGary millions of dollars. He added that Anonymous activists should be able to see — if they read the email they’ve stolen — that HBGary ultimately decided not to publicly name any of the members it had identified.

“Before this, what these guys were doing was technically illegal, but it was in direct support of a government whistle blower. But now, we have a situation where they’re committing a federal crime, stealing private data and posting it on a torrent,” Hoglund said. “They didn’t just pick on any company, but we try to protect the US government from hackers. They couldn’t have chosen a worse company to pick on.”


164 thoughts on “HBGary Federal Hacked by Anonymous

  1. nogero

    Can you all see the trend for stories about hacked websites? If the hackers don’t like the website than hacking into it is justified. It is also justified to reveal user ID’s and passwords of people who may have visited the website, even if that visitor didn’t know the website owner. It’s a ‘blame the victim’ mentality in here. No one stands up and objects to the scandalous illegal behavior.

    As one commenter said a few posts back, this place has become a cesspool. I am truly shocked so many condone or even support illegal hacking. Someday it may come back and bite you in the ass.

    1. Kamu

      “No one stands up and objects to the scandalous illegal behavior.”

      You mean the behaviour of HBGaryFed?

      1. Seikku

        Yeah, and feds pushing businesses like Visa and PayPal to terminate their agreements with (guilty until proved otherwise) customers (Assange’s accounts).

        Someone really should stand up and object to the scandalous illegal behavior …

    2. anonymous (yes, that anonymous - no, still not THE Anonymous)

      Hear, hear! Just because I sign up for the NAMBLA PickyNIC Newsletter, doesn’t mean I should suffer when they’re hacked.

    3. T.Anne

      I think you miss the point… now yes – many posts saying that the hackers are in the wrong have been down voted more than those praising the work of the hackers… BUT there are a few important things about the situation really…

      1) HBGary – they didn’t have the appropriate security, and should have been much harder to hack.
      2) HBGary – shouldn’t have been trying to sell the information if their intent was to help and if their information was credible
      3) HBGary – should’ve validated the info before offering to share (NOT SELL) the information
      4) HBGary – shouldn’t have had the press release and addressed the situation the way they did.

      HOWEVER… it’s not all HBGary either…
      5) Anon – shouldn’t have publicly posted private, confidential data… releasing the list to make a point of it’s invalidity is one thing… releasing everything else, quite different.
      6) Anon – did find a flaw that HBGary should have protected against, in that sense – the hack may have been beneficial
      7) Anon – crossed the line into illegal activity with how far they took the retaliation. they reacted more from a personal (you’ve insulted me, now I’ll crush you) mentality, instead of standing by what they supposidly stand for
      8) Anon – since it is no one particular person, and everyone views different actions necessary or unnecessary – the only ones truly in the wrong here (from Anon’s side) are those who participated and allowed it to go as far as it did… the whole of Anon is not responsible for the actions of the few.

      1. T.Anne

        sorry – that should be an 8 ) not an 8)… forgot about the smiley option 🙂

      2. anonymous (yes, that anonymous - no, still not THE Anonymous)

        I’ll skip the inherently foolish “arguments” (“straw man” or “article of faith” resolves to the same).

        There is, however, one claim that could be argued: that publicizing previously un-publicized data was wrong.

        You need to look at the context of the acquisition, and release.

        If we sit down to an evening of social gaming, and I lose based on points, and suffer great emotional distress, then we’re both within “bounds”. If I take some of your points, so you go outside and stab a screwdriver into my tires, then boundaries have been crossed. If you take some of my points, so I take your wallet, then boundaries have been crossed.

        On the other hand, if the game is, in fact, gambling – then trading points for money moves back “in bounds”. But, stabbing tires after losing money is still “out of bounds”.

        So, HBGary duplicated online bits, and sought to distribute allegedly accurate copies of those bits to the detriment of some people. Anonymous (apparently, The Anonymous) duplicated online bits, and sought to distribute allegedly accurate copies of those bits to the detriment of some people. Have boundaries been crossed? Or, did a number of parties “ante up” to the same game, and the worst “hand” now wants a “do over”?

        And, before some of the “local” “defenders of the innocent” begin mewling about the “victims” outside of HBGary – To the best of my knowledge, HBGary never spoofed PayPal, nor even NAMBLA. Everybody whose bits might be publicized by the incident knew who HBGary is (was?). If I invite Uncle Ernie, a known NAMBLA member (yes /that/ NAMBLA, not the other NAMBLA), to take my children camping for the weekend, I can, in fact, regret whatever happens. I can not, however (except absurdly), blame it on Chris Hansen, because he videoed the event. If I invite Uncle Ernie to spend the weekend with me, knowing his proclivities, I can be outraged at Mr. Hansen pounding on my door at 3 A.M. to interview me about my houseguest. I can’t (barring mental disease or defect) express surprise at seeing Hansen and crew across the street, videoing the activity.

        1. T.Anne

          So then I guess the question is whether or not ALL the informaion anon leaked were part of the “online bits” that were being used in this gambling type analogy… I’d argue that they did more of one of the following, “If I take some of your points, so you go outside and stab a screwdriver into my tires, then boundaries have been crossed. If you take some of my points, so I take your wallet, then boundaries have been crossed.” Both of which crossed boundaries. Had the whole thing been over the points that were part of the game – then no, boundaries would have been crossed. But I can gamble and not put all the money I own into the game, can’t I? And unless I put it into the game – it can’t be taken from me simply because I’m in the game – can it?

          Here’s another way to look at it… if I take something that’s supposed to be public knowledge – and you copy that public knowledge back from me and talk about it first AND then go after my confidential data and make that public as well – boundaries are crossed, aren’t they? They’ve now taken something that wasn’t part of the “game”. Yes, sometimes public knowledge + public knowledge can add up to private information… but they didn’t just go after public knowledge and connect the dots to the private information – they went straight for the private information and made it public without consent or authorization from the party who’s private information it was.

          It’s like if I stole something from you – and you stole it back… is that really stealing? It was your’s from the beginning… BUT if you steal it back AND take something from me, haven’t you stolen from me? Or does me stealing from you justify you stealing something of mine in retaliation? It goes back to the old question – do two wrongs make a right?

          1. anonymous (yes, that anonymous - no, still not THE Anonymous)

            If you take my “stuff”, and I take it back, then, maybe, the universe is, again, in balance.

            But, what if you come in to my yard and molest my schnauzer? How do we “unmolest” her? (cf. the phrase “straw man” above).

            If the purpose of distributing copies of bits is to cause physical harm, even through an intermediary, then it would seem Anonymous’ attempt at “balancing the universe” has scored an epic fail. I haven’t seen the documents, myself, but I haven’t seen any complaints of Anonymous’ duplicated(?) bits listing all the nifty swag HBGary folks have at their various addresses, especially home addresses, in an effort to set them up for armed break-ins, abduction, or just simple killing – as a warning to others who might fail to bow deeply enough in Anonymous’ presence (if you fail to apprehend what that has to do with HBGary, cf. the phrase “article of faith” above).

  2. MadMike

    I laughed, I cried. It was the best.. Being in the security field, I know better than to use the same password for everything. I also know not to put anything on-line that I may later find to bite me in the ass. Security is all about foresight.

    Not only that, but I LOVE to see a cocky self-important ass get their come-uppance. Especially if the rumors about making “less than above board” deals turn out to be true. I also believe (anon are you reading this?…) if the deals were being made with tax-paid officials, their names, titles and the person they report to should all be reported as well.

    Not just reported, but BLARED all over the internet so the only real possible outcome can be investigation.

    AS far as whining about “illegal activities”, I’ll stop my illegal activities when the hungry are fed, the homeless are housed, and the illiterate are educated. Isn’t that where you tell me my tax dollars go? Oh wait, yeah that’s right , you need your Hawaii vacation and limo ride to the airport where you board your tax-paid jet.. Especially since you’re working so hard to protect me from myself.. I sure don’t know what’s right for me.

    1. anonymous (yes, that anonymous - no, still not THE Anonymous)

      Tone’s hard to transcribe in Roman orthography American, so maybe I’m mis-“hearing” you.

      You seem to take umbrage at paying for your betters’ (appropriate) life styles, yet you want them to expend more of your money on “investigations”? Couldn’t you just buy them prepaid World of Warcraft gift cards? They’re obviously busy, and you’ve obviously got too much money to know what to do with, but why make the rest of us play along?

  3. Alan

    Back to square 1. the cats out of the bag. Forget Julian Assange , If it was’nt him it would have eventually have been somebody else who would have received & released leaks. What the hell was the government thinking giving a private in Afghanistan access to all this stuff..? Absolutely unbelievable. Millions spent on security & they left the doors wide open & the night light on. A Lady Gaga CD for chrissake. Have not heard of any government heads rolling yet, there should be a crescendo of them. Hopefully its a wake up call..

  4. Anonymous

    What anonymous did here is so full of epic win a new word has to be invented, “win” is no longer sufficient. I don’t know what that word is, it may not even be pronounceable in the english language but oh my goodness did they wtfpwn this guy so hard his head spun.

  5. Rich Cummings

    Email sent by Rich Cummings to all HBGary staff on the 10th of February 2009 about the
    Kaspersky labs Hack:

    From: rich@hbgary.com
    To: all@hbgary.com
    Subject: Kaspersky labs website hacked
    Date: Tue, 10 Feb 2009 19:51:04 +0000

    Simple Sql injection was the attack vector… Does our new website have a sql backend?

    1. JCitizen

      Figures; like they didn’t have a heads up!?

  6. MadMike

    Wow!! How’s that for an admission of “we know we F**cked Up bigtime. Do you HAVE to tell the world?”

    Asking “where did you get that email” Adimts you know it was there.

    So Doubtful Guest, what life been like at HBGary since the big break-in. I’ll bet it’s been like life in the Nixon administration in it’s final days. “Quick, who can we throw under the bus?” I wonder who’ll be HBGary’s Ollie North? Except one thing. I’ll bet as soon as they’re under the bus, they’ll start singing like an opera star… Ollie North’s dedication to Nixon was beyond belief. And probably still is.. But that’s another story…

    I can hardly wait to see this one unfold.. The anticipation makes my stomach do flips..

  7. MadMike

    Sergio, go back & re-read your history.. Ollie was invovled in the Watergate thingy, as well as the Iran Contra affair (which involved Saddam Hussein as well..) He did time for the Iran Contra, but not for Watergate. .. After being thrown under the bus both times…

    But that’s NOT what this discussion is about… Damn internet nit-pickers… Did I spell everything correctly, and have all my grammar in the right tenses? More important do you still feel superior?

Comments are closed.