Deep Politics Forum
HBGary - Printable Version



HBGary - Magda Hassan - 11-02-2011

Firm targeting WikiLeaks cuts ties with HBGary - apologizes to reporter

by Steve Ragan - Feb 11 2011, 01:55


Firm targeting WikiLeaks cuts ties with HBGary.
Update 3:

[Note: Due to privacy concerns, Mathew Steckman's name was withheld in the original story. The following statement however was provided to The Tech Herald Monday evening, and is being posted in its entirety due to the nature of the statement. - Steve]
Palantir is a data integration software company based in Silicon Valley. We make data integration software that is as useful for fighting food borne illness as it is to fighting fraud and terrorism. Palantir does not make software that has the capability to carry out the offensive tactics proposed by HBGARY. Palantir never has and never will condone the sort of activities recommended by HBGARY. As we have previously stated, Palantir has severed all ties with HBGARY going forward. To ensure that we are in complete compliance with our company's ethics and standards we have decided to place Matthew Steckman, 26 year old engineer, on leave pending a thorough review of his actions. Palantir was not retained by any party to develop such recommendations and indeed it would be contrary to Palantir's ethics, culture and policies to do so.
Update 2:
Palantir sent us some additional information. The below points were emailed to us on Sunday.
Palantir never has and never will condone the sort of activities that HBGary recommended.
Specifically:
Palantir does not condone the recommendations in HBGary's presentations, proposals and emails. Moreover, the tactics proposed by HBGary were never accepted and never acted upon.
  • Palantir did not participate in the development of the recommendations that Palantir and others find offensive.
  • Palantir was NOT retained by any party to develop such recommendations and indeed it would be contrary to Palantir ethics, culture and policies to do so.
  • As we have previously stated, Palantir has severed all ties with HBGary going forward.
As you have probably already discovered in your research, there are two items we want to make very clear:
  • Palantir did not participate in any activities involving HBGary's proposed tactics.
  • The slide entitled 'Potential Proactive Tactics' was authored solely by HBGary.
  • The Palantir logo on the slide is the result of a collated deck and does not represent Palantir's position.
  • Content can be found verbatim in HBGary's email / powerpoint.
Update:
Berico Technologies has cut ties as well. More information is here.
The original article begins on page two.
Dr. Alex Karp, the Co-Founder and CEO of Palantir Technologies, one of three data intelligence firms who worked to develop a systematic plan of attack against WikiLeaks and their supporters, has severed all ties with HBGary Federal and issued an apology to reporter Glenn Greenwald.

The move comes just twenty-four hours after The Tech Herald reported on the plans, thanks to a tip from Crowdleaks.org.

After the tip from Crowdleaks.org, The Tech Herald learned that Palantir Technologies, HBGary Federal, and Berico Technologies, worked together with law firm Hunton and Williams to develop a proposal for Bank of America in order to deal with the "WikiLeaks Threat."
Hunton and Williams were recommended to Bank of America's general counsel by the Department of Justice, according to the email chain viewed by The Tech Herald. The law firm was using the meeting to pitch Bank of America on retaining them for an internal investigation surrounding WikiLeaks.
"They basically want to sue them to put an injunction on releasing any data," an email between the three data intelligence firms said. "They want to present to the bank a team capable of doing a comprehensive investigation into the data leak."
Hunton and Williams would act as outside counsel on retainer, while Palantir would take care of network and insider threat investigations. For their part, Berico Technologies and HBGary Federal would analyze WikiLeaks.
Some of the things mentioned as potential proactive tactics against WikiLeaks include feeding the fuel between the feuding groups, disinformation, creating messages around actions to sabotage or discredit the opposing organization, and submitting fake documents to WikiLeaks and then calling out the error.
"Create concern over the security of the infrastructure. Create exposure stories. If the process is believed to not be secure they are done. Cyber attacks against the infrastructure to get data on document submitters. This would kill the project. Since the servers are now in Sweden and France putting a team together to get access is more straightforward," the proposal said.
Moreover, reporter Glenn Greenwald, who writes for Salon.com, was singled out in the proposal as a person offering a level of support to WikiLeaks that needed to be disrupted. This disruption would include making Greenwald, and others in similar situations, choose between professional preservation and cause.
Our original coverage on this topic can be viewed here.
On Thursday evening, Dr. Alex Karp sent The Tech Herald a statement on the events and information presented in the story.
"As the Co-Founder and CEO of Palantir Technologies, I have directed the company to sever any and all contacts with HB Gary," the statement starts.
Dr. Karp explains that Palantir Technologies provides a software analytic platform for the analysis of data. They do not provide "nor do we have any plans to develop" offensive cyber capabilities.
In addition, the statement says that Palantir does not build software that is designed to allow private sector entities to obtain non-public information, engage in so-called cyber attacks, or take other offensive measures.
"I have made clear in no uncertain terms that Palantir Technologies will not be involved in such activities. Moreover, we as a company, and I as an individual, always have been deeply involved in supporting progressive values and causes. We plan to continue these efforts in the future," Dr. Karp added.
"The right to free speech and the right to privacy are critical to a flourishing democracy. From its inception, Palantir Technologies has supported these ideals and demonstrated a commitment to building software that protects privacy and civil liberties. Furthermore, personally and on behalf of the entire company, I want to publicly apologize to progressive organizations in general, and Mr. Greenwald in particular, for any involvement that we may have had in these matters."
Palantir Technologies' statement comes at a time when HBGary has refused to talk about the WikiLeaks proposal, or any other topic for that matter, related to the security incident caused by Anonymous after HBGary Federal's Aaron Barr went to the press claiming he had infiltrated the loosely associative group.
The only statement from the company on the incident appeared on their website before it was fully restored.
"HBGary, Inc and HBGary Federal, a separate but related company, have been the victims of an intentional criminal cyberattack. We are taking this crime seriously and are working with federal, state, and local law enforcement authorities and redirecting internal resources to investigate and respond appropriately," the statement said at the time.
"To the extent that any client information may have been affected by this event, we will provide the affected clients with complete and accurate information as soon as it becomes available. Meanwhile, please be aware that any information currently in the public domain is not reliable because the perpetrators of this offense, or people working closely with them, have intentionally falsified certain data."
It is unlikely that Anonymous would forge thousands and thousands of emails or attachments. Yet, the complete severance of ties by Palantir Technologies, and the public apology to Greenwald, leaves little room for doubt that the information seen by The Tech Herald, Crowdleaks.org, and many others is legitimate.
http://www.thetechherald.com/article.php/201106/6804/Firm-targeting-WikiLeaks-cuts-ties-with-HBGary-apologizes-to-reporter


HBGary - Keith Millea - 12-02-2011

Glenn Greenwald has something to say about all this.


Friday, Feb 11, 2011 05:12 ET Glenn Greenwald
The leaked campaign to attack WikiLeaks and its supporters

By Glenn Greenwald

Aaron Barr, a top executive at computer security firm HB Gary.

There's been a very strange episode being written about the past couple of days involving numerous parties, including me, that I now want to comment on. The story, first reported by The Tech Herald, has been written about in numerous places (see Marcy Wheeler, Forbes, The Huffington Post, BoingBoing, Matt Yglesias, Reason, Tech Dirt, and others), so I'll provide just the summary.

Last week, Aaron Barr, a top executive at computer security firm HB Gary, boasted to the Financial Times that his firm had infiltrated and begun to expose Anonymous, the group of pro-WikiLeaks hackers that had launched cyber attacks on companies terminating services to the whistleblowing site (such as Paypal, MasterCard, Visa, Amazon and others). In retaliation, Anonymous hacked into the email accounts of HB Gary, published 50,000 of their emails online, and also hacked Barr's Twitter and other online accounts.


Among the emails that were published was a report prepared by HB Gary -- in conjunction with several other top online security firms, including Palantir Technologies -- on how to destroy WikiLeaks. The emails indicated the report was part of a proposal to be submitted to Bank of America through its outside law firm, Hunton & Williams. News reports have indicated that WikiLeaks is planning to publish highly incriminating documents showing possible corruption and fraud at that bank, and The New York Times detailed last month how seriously top bank officials are taking that threat. The NYT article described that the bank's "counterespionage work" against WikiLeaks entailed constant briefings for top executives on the whistle-blower site, along with the hiring of "several top law firms" and Booz Allen (the long-time firm of former Bush DNI Adm. Michael McConnell and numerous other top intelligence and defense officials). The report prepared by these firms was designed to be part of the Bank of America's highly funded anti-WikiLeaks campaign.

The leaked report suggested numerous ways to destroy WikiLeaks, some of them likely illegal -- including planting fake documents with the group and then attacking them when published; "creat[ing] concern over the security" of the site; "cyber attacks against the infrastructure to get data on document submitters"; and a "media campaign to push the radical and reckless nature of wikileaks activities." Many of those proposals were also featured prongs of a secret 2008 Pentagon plan to destroy WikiLeaks.


One section of the leaked report focused on attacking WikiLeaks' supporters and it featured a discussion of me. A graph purporting to be an "organizational chart" identified several other targets, including former New York Times reporter Jennifer 8 Lee, Guardian reporter James Ball, and Manning supporter David House. The report claimed I was "critical" to WikiLeaks' public support after its website was removed by Amazon and that "it is this level of support that needs to be disrupted"; absurdly speculated that "without the support of people like Glenn, WikiLeaks would fold"; and darkly suggested that "these are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause." As The Tech Herald noted, "earlier drafts of the proposal and an email from Aaron Barr used the word 'attacked' over 'disrupted' when discussing the level of support."

In the wake of the ensuing controversy caused by publication of these documents, the co-founder and CEO of Palantir Tech, Alex Karp, has now issued a statement stating that he "directed the company to sever any and all contacts with HB Gary."

The full statement -- which can be read here -- also includes this sentence: "personally and on behalf of the entire company, I want to publicly apologize to progressive organizations in general, and Mr. Greenwald in particular, for any involvement that we may have had in these matters." Palantir has also contacted me by email to arrange for Dr. Karp to call me to personally convey the apology. My primary interest is in knowing whether Bank of America retained these firms to execute this proposal and if any steps were taken to do so; if Karp's apology is genuine, that information ought to be forthcoming (as I was finishing writing this, Karp called me, seemed sincere enough in his apology, vowed that any Palantir employees involved in this would be dealt with the way they dealt with HB Gary, and commendably committed to telling me by the end of the week whether Bank of America or Hunton & Williams actually retained these firms to carry out this proposal).
* * * * *
My initial reaction to all of this was to scoff at its absurdity. Not being familiar with the private-sector world of internet security, I hadn't heard of these firms before and, based on the quality of the proposal, assumed they were just some self-promoting, fly-by-night entities of little significance. Moreover, for the reasons I detailed in my interview with The Tech Herald -- and for reasons Digby elaborated on here -- the very notion that I could be forced to choose "professional preservation over cause" is ludicrous on multiple levels. Obviously, I wouldn't have spent the last year vehemently supporting WikiLeaks -- to say nothing of aggressively criticizing virtually every large media outlet and many of their leading stars, as well as the most beloved political leaders of both parties -- if I were willing to choose "career preservation over cause."

But after learning a lot more over the last couple of days, I now take this more seriously -- not in terms of my involvement but the broader implications this story highlights. For one thing, it turns out that the firms involved here are large, legitimate and serious, and do substantial amounts of work for both the U.S. Government and the nation's largest private corporations (as but one example, see this email from a Stanford computer science student about Palantir). Moreover, these kinds of smear campaigns are far from unusual; in other leaked HB Gary emails, ThinkProgress discovered that similar proposals were prepared for the Chamber of Commerce to attack progressive groups and other activists (including ThinkProgress). And perhaps most disturbing of all, Hunton & Williams was recommended to Bank of America's General Counsel by the Justice Department -- meaning the U.S. Government is aiding Bank of America in its defense against/attacks on WikiLeaks.

That's why this should be taken seriously, despite how ignorant, trite and laughably shallow is the specific leaked anti-WikiLeaks proposal. As creepy and odious as this is, there's nothing unusual about these kinds of smear campaigns. The only unusual aspect here is that we happened to learn about it this time because of Anonymous' hacking. That a similar scheme was quickly discovered by ThinkProgress demonstrates how common this behavior is. The very idea of trying to threaten the careers of journalists and activists to punish and deter their advocacy is self-evidently pernicious; that it's being so freely and casually proposed to groups as powerful as the Bank of America, the Chamber of Commerce, and the DOJ-recommended Hunton & Williams demonstrates how common this is. These highly experienced firms included such proposals because they assumed those deep-pocket organizations would approve and it would make their hiring more likely.

But the real issue highlighted by this episode is just how lawless and unrestrained is the unified axis of government and corporate power. I've written many times about this issue -- the full-scale merger between public and private spheres -- because it's easily one of the most critical yet under-discussed political topics. Especially (though by no means only) in the worlds of the Surveillance and National Security State, the powers of the state have become largely privatized. There is very little separation between government power and corporate power. Those who wield the latter intrinsically wield the former. The revolving door between the highest levels of government and corporate offices rotates so fast and continuously that it has basically flown off its track and no longer provides even the minimal barrier it once did. It's not merely that corporate power is unrestrained; it's worse than that: corporations actively exploit the power of the state to further entrench and enhance their power.

That's what this anti-WikiLeaks campaign is generally: it's a concerted, unified effort between government and the most powerful entities in the private sector (Bank of America is the largest bank in the nation). The firms the Bank has hired (such as Booz Allen) are suffused with the highest level former defense and intelligence officials, while these other outside firms (including Hunton & Williams and Palantir) are extremely well-connected to the U.S. Government. The U.S. Government's obsession with destroying WikiLeaks has been well-documented. And because the U.S. Government is free to break the law without any constraints, oversight or accountability, so, too, are its "private partners" able to act lawlessly. That was the lesson of the Congressional vesting of full retroactive immunity on lawbreaking telecoms, of the refusal to prosecute any of the important Wall Street criminals who caused the 2008 financial crisis, and of the instinctive efforts of the political class to protect defrauding mortgage banks.

The exemption from the rule of law has been fully transferred from the highest level political elites to their counterparts in the private sector. "Law" is something used to restrain ordinary Americans and especially those who oppose this consortium of government and corporate power, but it manifestly does not apply to restrain these elites. Just consider one amazing example illustrating how this works.
After Anonymous imposed some very minimal cyber disruptions on Paypal, Master Card and Amazon, the DOJ flamboyantly vowed to arrest the culprits, and several individuals were just arrested as part of those attacks. But weeks earlier, a far more damaging and serious cyber-attack was launched at WikiLeaks, knocking them offline. Those attacks were sophisticated and dangerous. Whoever did that was quite likely part of either a government agency or a large private entity acting at its behest. Yet the DOJ has never announced any investigation into those attacks or vowed to apprehend the culprits, and it's impossible to imagine that ever happening.

Why? Because crimes carried out that serve the Government's agenda and target its opponents are permitted and even encouraged; cyber-attacks are "crimes" only when undertaken by those whom the Government dislikes, but are perfectly permissible when the Government itself or those with a sympathetic agenda unleash them. Whoever launched those cyber attacks at WikiLeaks (whether government or private actors) had no more legal right to do so than Anonymous, but only the latter will be prosecuted.

That's the same dynamic that causes the Obama administration to be obsessed with prosecuting WikiLeaks but not The New York Times or Bob Woodward, even though the latter have published far more sensitive government secrets; WikiLeaks is adverse to the government while the NYT and Woodward aren't, and thus "law" applies to punish only the former. The same mindset drives the Government to shield high-level political officials who commit the most serious crimes, while relentlessly pursuing whistle-blowers who expose their wrongdoing. Those with proximity to government power and who serve and/or control it are free from the constraints of law; those who threaten or subvert it have the full weight of law come crashing down upon them.
* * * * *
What is set forth in these proposals for Bank of America quite possibly constitutes serious crimes. Manufacturing and submitting fake documents with the intent they be published likely constitutes forgery and fraud. Threatening the careers of journalists and activists in order to force them to be silent is possibly extortion and, depending on the specific means to be used, constitutes other crimes as well.

Attacking WikiLeaks' computer infrastructure in an attempt to compromise their sources undoubtedly violates numerous cyber laws.

Yet these firms had no compunction about proposing such measures to Bank of America and Hunton & Williams, and even writing them down. What accounts for that brazen disregard of risk? In this world, law does not exist as a constraint. It's impossible to imagine the DOJ ever, ever prosecuting a huge entity like Bank of America for doing something like waging war against WikiLeaks and its supporters. These massive corporations and the firms that serve them have no fear of law or government because they control each. That's why they so freely plot to target those who oppose them in any way. They not only have massive resources to devote to such attacks, but the ability to act without limits. John Cole put it this way:
One thing that even the dim bulbs in the media should understand by now is that there is in fact a class war going on, and it is the rich and powerful who are waging it. Anyone who does anything that empowers the little people or that threatens the wealth and power of the plutocracy must be destroyed. There is a reason for these clowns going after Think Progress and unions, just like there is a reason they are targeting Wikileaks and Glenn Greenwald, Planned Parenthood, and Acorn. . . .
You have to understand the mindset- they are playing for keeps. The vast majority of the wealth isn't enough. They want it all. Anything that gets in their way must be destroyed. . . . And they are well financed, have a strong infrastructure, a sympathetic media, and entire organizations dedicated to running cover for them . . . .
I don't even know why we bother to hold elections any more, to be honest, the game is so rigged. We're a banana republic, and it is just a matter of time before we descend into necklacing and other tribal bullshit.
There are supposed to be institutions which limit what can be done in pursuit of those private-sector goals. They're called "government" and "law." But those institutions are so annexed by the most powerful private-sector elites, and so corrupted by the public officials who run them, that nobody -- least of all those elites -- has any expectation that they will limit anything. To the contrary, the full force of government and law will be unleashed against anyone who undermines Bank of America and Wall Street executives and telecoms and government and the like (such as WikiLeaks and supporters), and will be further exploited to advance the interests of those entities, but will never be used to constrain what they do. These firms vying for Bank of America's anti-WikiLeaks business know all of this full well, which is why they concluded that proposing such pernicious and possibly illegal attacks would be deemed not just acceptable but commendable.

http://www.salon.com/news/wikileaks/index.html?story=/opinion/greenwald/2011/02/11/campaigns


HBGary - Magda Hassan - 13-02-2011

HBGary wanted to suppress Stuxnet research

This article was written by laurelai. It is no secret that in recent days, Anonymous Operatives have released a cache of HBGary Federal internal emails to the public. Crowdleaks has discovered that within these communications, Aaron Barr received a copy of Stuxnet (a computer worm that targets the types of industrial control systems (ICS) that are commonly used in infrastructure supporting facilities) from McAfee on July 28, 2010.
In an effort to confirm this was in fact Stuxnet, Crowdleaks has decompiled some of the source code, which can be found here. Throughout the following emails it is revealed that HBGary Federal may have been planning to use Stuxnet for their own purposes.
In a message sent to all email account holders at HBGary.com, Charles Copeland (Lead Support Engineer at HBGary, Inc.) writes:
from: Charles Copeland
to: all@hbgary.com
date: Sat, Sep 25, 2010 at 9:54 PM
subject: Stuxnet Worm Mailing List
Computerworld Officials in Iran have confirmed that the Stuxnet worm infected at least
30,000 Windows PCs in the country, multiple Iranian news services reported on Saturday.
http://www.computerworld.com/s/article/9188018/Iran_confirms_massive_Stuxnet_infection_of_industrial_systems
I've already got an email asking about stuxnet, this came out late Friday. Does anyone have a dropper? I have been unable to find it.
In another email sent directly to Aaron Barr, David D. Merritt writes:
from: David D. Merritt
to: Aaron Barr
date: Sun, Oct 3, 2010 at 9:35 PM
subject: Re: Hunter Killer Insanity
contacts over at TSA say that everybody has a copy…combine that with US CERTs vulnerability status and their own systems not meeting the spec….
i'm seeing TSA becoming a malware testbed…
Aaron Barr responds:
On Oct 3, 2010, at 10:13 PM, Aaron Barr wrote:
> Dave,
>
> We haven't but I would be interested to talk to you some about the tie. I do have a decent amount of information on Stuxnet and would be interested to hear about the tie. Some of what I know about Stuxnet might be of interest. I think it would be best to discuss in a more closed space though.
>
> In doing a little research:
> http://diocyde.wordpress.com/2010/03/12/ringy-ringy-beacon-callbacks-why-dont-you-just-tell-them-their-pwned/
>
> While this guy can be a bit of a crackpot at times his post has more validity than fiction. Greg and I have brainstormed a bit in the past on how to conduct such an attack that would be very difficult to detect. Autonomous, single purpose malware with no C&C. As we have said the battle is on the edges either source of destination, everything else is or will become somewhat irrelevant or diminished in value.
>
> Aaron Barr
> CEO
> HBGary Federal, LLC
> 719.510.8478
In another message sent to all email account holders at HBGary.com by Greg Hoglund, it's made clear that HBGary wanted to hide their work on Stuxnet.
from: Greg Hoglund
to: all@hbgary.com
date: Sun, Sep 26, 2010 at 10:26 PM
subject: stuxnet mailing list
All,
HBGary has no official position on Stuxnet. Please do not comment to the press on Stuxnet. We know nothing about Stuxnet.
-Greg Hoglund
CEO, HBGary, Inc.
In the most chilling strand of emails, we find that whatever HBGary was working on, it was in conjunction with the NSA.
Aaron Barr writes:
Hi Cheryl,
719.510.8478
Aaron
Sent from my iPad
Aaron Barr writes:
> From: Aaron Barr
> To: Peace, Cheryl D
> Sent: Mon Aug 09 13:54:23 2010
> Subject: Re: Number
>
> Hi Cheryl,
>
> It does. I haven't met him personally. Our sister company does work
> in a few different pockets on the bldg. And i am on the extended NANA
> team. I recently joined to stand up HBGary federal, a related but
> separate company. We manage all the work that requires clearances.
> We exchange some technologies, but we have some separate developments
> as well. Mostly around threat intelligence and CNO/social media.
>
> I think there are some enabling tech to your mission but really need
> that qualified.
>
> Interested to run some of the stuxnet stuff by u as well.
>
> Aaron
>
>
> Sent from my iPhone
Cheryl Peace writes:
On Aug 9, 2010, at 9:27 AM, "Peace, Cheryl D" wrote:
>
>> Aaron
>> Did a little checking and we already do busy with you guys. Does the name
>> Tony Seager ring a bell?
Aaron Barr writes:
>> Original Message
>> From: Aaron Barr [mailto:aaron@hbgary.com]
>> Sent: Friday, August 06, 2010 10:56 AM
>> To: Peace, Cheryl D
>> Subject: Re: Number
>>
>> OK. If interested do you have some time to get together when you get back?
>> either next Friday or early the following week?
>> Aaron
Cheryl Peace writes:
>> On Aug 6, 2010, at 10:44 AM, Peace, Cheryl D wrote:
>>
>>> I am in Europe till mid next week
Aaron Barr writes:
>>> Original Message
>>> From: Aaron Barr [mailto:aaron@hbgary.com]
>>> Sent: Thursday, August 05, 2010 10:57 PM
>>> To: Peace, Cheryl D
>>> Subject: Re: Number
>>>
>>> Hi Cheryl,
>>>
>>> Can I schedule an appointment with you to come by and chat for a few
>>> minutes?
>>>
>>> Aaron
Cheryl Peace writes:
>>> On Jul 30, 2010, at 10:41 PM, Peace, Cheryl D wrote:
>>>
>>>> I am at Rao at the bar if you want to come by for a few. Meeting friends
>>> for a cocktail in a few
>>>>
>>>> Sent using BlackBerry
Aaron Barr writes:
>>>> Original Message
>>>> From: Aaron Barr
>>>> To: Peace, Cheryl D
>>>> Sent: Fri Jul 30 20:02:44 2010
>>>> Subject: Number
>>>>
>>>> Cheryl,
>>>>
>>>> Sorry to bother you but do you have a minute to talk. I don't have
>>>> your number handy. It will only take moment, but I have some
>>>> information for you.
>>>>
>>>> Aaron Barr
>>>> CEO
>>>> HBGary Federal
>>>> 7195108478
In a related internal email sent to Rich Cummings (CTO of HBGary, Inc.) Greg Hoglund writes:
from: Greg Hoglund
to: Rich Cummings
date: Mon, Nov 16, 2009 at 9:30 PM
subject: Govt dropper in this word DOC, zipped up for you
Phil, Rich,
I got this word doc linked off a dangler site for Al Qaeda peeps. I think it has a US govvy payload buried inside. Would be neat to REcon it and see what it's about. DONT open it unless in a VM obviously. password is meatflower. Remove the .txt extension too. DONT let it FONE HOME unless you want black suits landing on your front acre. :-)
-Greg
Crowdleaks.org had a software engineer (whose name has been withheld) look at the Stuxnet binaries inside of a debugger and offer some insight on the worm. She informed us that most of the worm's sources were using code similar to what is already publicly available. She noted that the only remarkable thing about it was the 4 Windows 0-days and the stolen certificates.
She says:
"A hacker did not write this, it appears to be something that would be produced by a team using a process, all of the components were created using code similar to what is already publicly available. That is to say it's unremarkable. This was created by a software development team and while the coders were professional level I am really not impressed with the end product, it looks like a picture a child painted with finger paints."
When asked what type of organization likely wrote it, she stated:
"Probably a corporation by request of a government, it was clearly tested and put together by pros. It really looks like outsourced work."


http://crowdleaks.org/hbgary-wanted-to-suppress-stuxnet-research/




HBGary - Magda Hassan - 13-02-2011

HBGary Federal, provider of classified cybersecurity services to the Department of Defense, Intelligence Community and other US government agencies, has opted over the past months to go to war with the group of WikiLeaks supporters known as Anonymous. The Tech Herald reported today on HBGary Federal and two other data intelligence firms' "strategic plan" for an attack against WikiLeaks.

The company is considered to be "a leading provider of best-in-class threat intelligence solutions for government agencies and Fortune 500 organizations." It provides "enhanced threat intelligence" so "the federal government can better protect our national cyber infrastructure."

Almost a year ago, the company received an extension to their contract with the US Department of Homeland Security to "conduct a series of hands-on memory forensics and malware analysis training events with local, state, and federal law enforcement officials around the country." A company contracted by the government to help out with cybersecurity initiatives for the United States is spending company time and resources and possibly even taxpayer money going after individuals who support WikiLeaks and spend lots of time in a chat room talking about what they can do to defend freedom of expression. The CEO of this cybersecurity service company is targeting a group that poses no threat to the government infrastructures it is supposed to be protecting from real cyber criminals.

Along with Palantir Technologies and Berico Technologies, which both have worked to help the government in some capacity, HBGary developed a proposal called "The WikiLeaks Threat." They requested that the law firm Hunton and Williams meet with Bank of America. The law firm held a meeting on December 3, and they began to plan against WikiLeaks. According to Tech Herald, Hunton and Williams would "act as outside counsel on retainer," Palantir would "take care of network and insider threat investigations" and Berico Technologies and HBGary would "analyze WikiLeaks" to find if "WikiLeaks was hosting data in certain countries and make prosecution easier." CEO Aaron Barr also led an infiltration into Anonymous, hoping to unearth identification information that could unveil who these people are that are operating in support of WikiLeaks.

HBGary and Palantir are partners. Palantir Technologies has been sought by the CIA, DHS and FBI to help government analysts "integrate unstructured open source information with data from various agency databases to analyze them for outstanding correlations and connections in an attempt to mitigate the burden of rummaging around through the immense amount of information available to them." Either Palantir Technologies found the time to stop serving government and work with Hunton and Williams to help Bank of America stop WikiLeaks from releasing documents that might impact Bank of America operations, or, possibly the US government had given tacit approval to Palantir to participate in this operation.

Berico Technologies worked with the National Security Agency (NSA) to invent technology that "made finding roadside-bomb makers easier and helped stanch the number of casualties from improvised explosive." They also decided to participate in this initiative or, again, possibly someone in the US government suggested private corporations begin to go after WikiLeaks.

The three security service companies proposed the following tactics for going after WikiLeaks: "Create concern over the security of the infrastructure. Create exposure stories. If the process is believed to not be secure they are done. Cyber attacks against the infrastructure to get data on document submitters. This would kill the project. Since the servers are now in Sweden and France putting a team together to get access is more straightforward." Part of their plan involves turning Salon's Glenn Greenwald against WikiLeaks.

HBGary counts as an advisor Andy Purdy, who was a member of the White House staff team that helped to draft the U.S. National Strategy to Secure Cyberspace in 2003. He joined the Department of Homeland Security and served on "the tiger team that helped to form the National Cyber Security Division (NCSD) and the U.S. Computer Emergency Readiness Team (US-CERT)." He worked for three and a half years and spent the last two heading the NCSD and US-CERT as a "Cyber Czar." With HBGary he is involved in an Anonymous-style hacktivist attack.
For fiscal year 2011, the federal budget for homeland security will provide "$364 million to the Department of Homeland Security to support the operations of the National Cyber Security Division which protects Federal systems as well as continuing efforts under the Comprehensive National Cybersecurity Initiative to protect our information networks from the threat of attacks or disruptions." Should companies engaged in this kind of conduct be allowed to take government money to fund their company's operations, which are supposed to protect government cyber infrastructure?

HBGary's infiltration led to the company "getting pwned." Anonymous figured out what was going on and seized HBGary's domain, temporarily posting this image, a letter with an opening line that reads "claims of 'infiltrating' Anonymous amuse us, and so do your attempts at using Anonymous as a means to garner press attention for yourself."

Even though Anonymous is known to have hacked into companies like PayPal and Visa, does HBGary or any other cybersecurity service have any business mounting operations to infiltrate or target anyone linked to Anonymous? Unless HBGary is working for the FBI, it does not seem as though they should be allowed to engage in such activity.

The president of HBGary, Penny Leavy, says, "Today's sophisticated cybercriminals require a sophisticated approach to network security." That may be true. But, one might ask Leavy, "Do today's sophisticated cyber activists require amateur cyber snoops?"

Update
Later in the day, WikiLeaks posted a .PDF file titled "The WikiLeaks Threat," which the three data intelligence firms put together to help guide a planned attack on WikiLeaks.

It was already reported that they were going to try to use disinformation, create messages around actions of sabotage, work to discredit opposing organizations, post fake documents and call out the errors, and work to feed a fuel between groups feuding around WikiLeaks operations. What wasn't initially reported on is all the people these firms wanted to ensnare in their scheme to take down WikiLeaks.

One slide shows that these were the people they aimed to involve: James Ball, Theodore Reppe, Jennifer Robinson, Julian Assange, John Shipton, Kristinn Hrafnsson, Jacob Appelbaum, David House, Daniel Mathews, Glenn Greenwald, Jennifer 8. Lee, Daniel Schmitt, Herbert Snorrason, Birgitta Jonsdottir.

Schmitt, Snorrason and Jonsdottir are marked as "disgruntled."

Why Lee is on there is a mystery. She has not done anything at all with WikiLeaks since the "Collateral Murder" video. Also, why didn't Greg Mitchell, who has been regularly blogging WikiLeaks for The Nation, make the cut?

It's clear that those working with the firms to go after WikiLeaks were not only pining for adventure or attention but also have no idea how to even begin to do research.


HBGary - Magda Hassan - 13-02-2011

http://anonleaks.ru/
Only teaser here for the moment. All of them will be released here over the next little while.


HBGary - Magda Hassan - 15-02-2011

HBGary: Don't let this story die, it's big.

by furiousxxgeorge
Please don't let the HBGary story die. The importance of what Anonymous has discovered is not being paid an appropriate amount of media attention. Even here, I know everyone is super excited about world changing events in Egypt, but that situation is in celebration mode for now and we have our own crisis to deal with. Let me try and get you up to date if you have not been following this issue too closely.



Earlier this week the group known as Anonymous brutally hacked a security firm called HBGary in retaliation for an attempt to infiltrate the group and sell information about them to the FBI. It was a nice funny story of arrogance and comeuppance, but at the same time it was a criminal action.
However, the information Anonymous uncovered in the e-mails they stole in their break-in makes it clear their action wasn't a crime against an innocent. HBGary was planning criminal actions that make a simple hacking job look like nothing. This was more like a mob war than anything else.
Anonymous discovered that HBGary was conspiring with a law/lobbying firm known as Hunton and Williams to launch a highly sophisticated campaign to subvert and sabotage the enemies of their clients. In some cases these plans involved illegal actions. The targets were journalists, labor unions, and political opponents.
One client was Bank of America, who hired Hunton and Williams to launch a campaign against Wikileaks. At some point the list of targets was expanded to various other supporters of Wikileaks such as journalist Glenn Greenwald. The other client so far revealed was the Chamber of Commerce, which wished to target labor unions and a shockingly long list of their supporters.
The main tool of attack would be the use of the Palantir technology to analyze the network of support for the targets.
"Palantir offers a Java-based platform for analyzing, integrating, and visualizing data of all kinds, including structured, unstructured, relational, temporal, and geospatial."
This is what the chamber hoped to accomplish, from Mother Jones:
"Early emails sent between the security firms by Pat Ryan of Berico Technologies describe a conversation with the Chamber's law firm about the proposed project: "The problem that they've identified is this: A client of theirs is targeted by some other entity, specifically a labor union, that is trying to extract some kind of concession or favorable outcome. They suspect that this entity is running a public campaign against their client by coordinating the actions of hundreds of seemingly separate entities to create a negative public impression of the client. The ultimate goal would be to extract the concession under duress, essentially extortion in their view.
They haven't told us the name or nature of the client, so I can only guess at what this means, but you can imagine for instance an environmental campaign targeted at an oil company as a notional example.
They seek to understand the true nature of the campaign and its command and control structure in order to expose the fact that the client is dealing with a single entity rather than a true "grassroots" campaign.
They further suspect that most of the actions and coordination take place through online means: forums, blogs, message boards, social networking, and other parts of the "deep web." But they want to marry those online, "cyber" sources with traditional open source data, tax records, fundraising records, donation records, letters of incorporation, etc. I believe they want to trace all the way from board structure down to the individuals carrying out actions."
This is a plan for a full scale frontal attack on all their union enemies and anyone who supports them. It would analyze their online activities, their personal finances...literally everything even down to independent bloggers.
How did Hunton and Williams convince the Chamber that HBGary were the people for the job? The e-mails reveal that an H&W attorney named Robert Quackenboss claimed the Chamber was convinced by the "Iranian Shipping Demo."
- Despite earlier conversations with John Woods (and/or Richard), H&W is unable/unwilling to pay any fees/costs to us for the "Phase I" demo build-out. Bob Q was under the impression we were willing to do this work at risk and then present jointly with H&W to the Chamber. I was very clear in telling him we had a different understanding based on multiple conversations with others at H&W. At the end of the day, though, they are at a point now where they won't commit any funds to this project until we've helped them earn buy-in from their Client (the Chamber).
- Based on this, I said I would talk with you all and get buy-in for the following course of action:
1. Meet with Bob and team early next week (Mon/Tues) to get additional metadata and select focused topic(s) for the demo to the Chamber
2. Work as joint team to build 5-10 min demo (along the lines of the Iranian shipping demo, which is what Bob Q said sold the Chamber in the first place; great work Sam!)
3. Brief demo to the Chamber on 14 Feb (or potentially a few days later…based on confirming schedule for meeting with Chamber)
4. Once approved, begin enduring work at agreed upon rates (approx. $250-300k per month for the entire team, both services and license fees)
Note the date, this was all going to the Chamber this Monday if not for Anonymous. Do we really believe they had no idea what the content of that briefing would be?
Here is the Iranian demo. The demo is about tracking Iranian arms smuggling, this is the type of technology they were going to bring to their campaign against their opponents. They mean business in a deadly serious way.
Quackenboss is an expert on union matters:
"Mr. Quackenboss is a trial lawyer whose practice focuses on complex labor and business disputes. He represents clients in federal and state courts nationwide, before the National Labor Relations Board, and in the tactical and public communications response to union-coordinated attack campaigns. He counsels employers on practical global labor relations strategies, collective bargaining and management of union elections. Mr. Quackenboss also co-chairs the firm's Unfair Competition and Information Protection Task Force, which coordinates the firm's resources on trade secret theft, restrictive covenant and non-competition matters."
The analysis abilities of HBGary and their use of Palantir software was, in the case of their actions against Anonymous, described by one of their own programmers as completely statistically invalid.
"He's on a bad path. He's talking about his analytics and that he can prove things statistically but he hasn't proven anything mathematically nor has he had any of his data vetted for accuracy, yet he keeps briefing people and giving interviews. It's irresponsible to make claims/accusations based off of a guess from his best gut feeling when he has even told me that he believes his gut, but more often than not it's been proven wrong. I feel his arrogance is catching up to him again and that has never ended well...for any of us."
This seems to be supported by the fact that even after Anonymous publicly released the data that had been gathered about them, the group still seems to be in perfect working order, releasing new leaked e-mails every day. In other words, whatever connections HBGary found to make about their labor and Wikileaks targets would likely be nothing more than a tenuous web of guilt by association that would serve only to slime the innocent. The ultimate high tech Glenn Beck chalk board.
In addition to the Palantir program, which is already of questionable legality for this application, H&W was conspiring with HBGary to perform several clearly illegal actions in their campaign. These actions included cyberstalking and cyber-attacks against their targets.
The leaked report suggested numerous ways to destroy WikiLeaks, some of them likely illegal -- including planting fake documents with the group and then attacking them when published; "creat[ing] concern over the security" of the site; "cyber attacks against the infrastructure to get data on document submitters"; and a "media campaign to push the radical and reckless nature of wikileaks activities."
So far, there is no evidence that the Department of Justice will start any sort of investigation into this matter. (Much like they utterly failed to investigate cyber attacks against Wikileaks in the past) In this case the reluctance may be because the Department of Justice itself is the one who recommended Hunton and Williams for the task of taking on Wikileaks. Hunton and Williams are the very definition of the corrupt culture the mixture of corporate and government power creates.
There are supposed to be institutions which limit what can be done in pursuit of those private-sector goals. They're called "government" and "law." But those institutions are so annexed by the most powerful private-sector elites, and so corrupted by the public officials who run them, that nobody -- least of all those elites -- has any expectation that they will limit anything. To the contrary, the full force of government and law will be unleashed against anyone who undermines Bank of America and Wall Street executives and telecoms and government and the like (such as WikiLeaks and supporters), and will be further exploited to advance the interests of those entities, but will never be used to constrain what they do. These firms vying for Bank of America's anti-WikiLeaks business know all of this full well, which is why they concluded that proposing such pernicious and possibly illegal attacks would be deemed not just acceptable but commendable.
The firms which worked alongside HBGary, Palantir and Berico, have already severed their relationship with HBGary. However, there has been zero pressure put on Bank of America or the Chamber of Commerce to distance themselves from the other conspirator in this matter, Hunton and Williams.
There has been no pressure to ask them to explain their relationship with the firm, or the degree of their knowledge about what was being planned. All the Chamber has done is issue a non-denial denial that claims they didn't pay HBGary, but in no way denies they were paying Hunton and Williams to negotiate on their behalf on this matter. The e-mails make it clear Hunton and Williams was aware of what was being planned.
Robert Quackenboss knew, other partners in the firm such as John Woods are mentioned as being involved in discussions as well.
Woods:
Mr. Woods' practice focuses on conducting internal investigations, advising on information security legal issues and representing corporations in government investigations and business crimes. He has a particular focus in advising corporations in the legal response to network security intrusions and data breaches. He regularly counsels clients on the related topics of electronic discovery and electronic surveillance.
What did this partner know?
The e-mails include what appears to be an exchange on Nov. 9, 2010, between Aaron Barr, HBGary Federal's chief executive, and John W. Woods, a Hunton & Williams partner who focuses on corporate investigations. Mr. Barr recounted biographical tidbits about the family of a one-time employee of a union-backed group that had challenged the chamber's opposition to Obama administration initiatives like health care legislation. "They go to a Jewish church in DC," Mr. Barr apparently wrote. "They have 2 kids, son and daughter."
A week later, Mr. Barr submitted a detailed plan to Hunton & Williams for an extensive investigation into U.S. Chamber Watch and other critics of the chamber, including the possible creation of "in-depth target dossiers" and the identification of vulnerabilities in their computer networks that might be exploited.
Obama's Justice Department will, in my opinion, absolutely not get involved in this unless the coverage gets much wider and much more loud. This is a Red Alert crisis for the labor movement. The Chamber declared total war on them using the same tools used to track terrorists and arms suppliers. Kossacks, don't let this story die. Contact Bank of America and demand an explanation. Contact the Chamber of Commerce and demand an explanation. Contact the media and demand they start asking questions.
There may be plausible deniability for the Chamber and the Bank because they used their law firm as a buffer, but there is absolutely none for Hunton and Williams. The evidence in the leaked e-mails makes it clear they were complicit in the conspiracy. Contact the media and demand they hold Hunton and Williams accountable. So far, they have not even issued a statement on these matters.
Contact Palantir technology, who claim to be a progressive company, and ask them if they will use their expertise to investigate right wing targets for us. Maybe using Palantir magic to look at the connection between Republicans and racist militia groups would be a nice start.
Updated by furiousxxgeorge at Sun Feb 13, 2011, 06:17:55 PM

I want to emphasize something. The deal with the Chamber was deep in to negotiations before the Bank of America and Wikileaks thing began. It was Hunton and Williams who put the entire Bank of America chain of events in motion, not HBGary.
On Dec 2, 2010, at 3:55 PM, "Woods, John" wrote:
Richard and I am meeting with senior executives at a large US Bank tomorrow regarding Wikileaks. We want to sell this team as part of what we are talking about. I need a favor. I need five to six slides on Wikileaks - who they are, how they operate and how this group may help this bank. Please advise if you can help get me something ASAP. My call is at noon.
These guys have to go down.
Social networking and cyber security, a CIA presentation given to HBGary in 2009.
Well, I'm certainly glad the CIA was around to give them the skills they would later use to go after organized labor.
Here is the searchable database of e-mails.
Absolute must-read e-mail. Even HBGary knew what they were doing to workers and free speech activists was wrong. Anything for a buck in modern America, I guess.
http://www.dailykos.com/story/2011/02/13/943139/-HBGary:-Dont-let-this-story-die,-its-big-


HBGary - Magda Hassan - 15-02-2011

Spy games: Inside the convoluted plot to bring down WikiLeaks

By Nate Anderson | Last updated February 14, 2011 1:32 PM
[Image: aaron-barr-too-little-intro-thumb-640xauto-19601.jpg]
When Aaron Barr was finalizing a recent computer security presentation for the US Transportation Security Administration, a colleague had a bit of good-natured advice for him: "Scare the sh*t out of them!"
In retrospect, this may not have been the advice Barr needed. As CEO of the government-focused infosec company HBGary Federal, Barr had to bring in big clients, and quickly, as the startup business hemorrhaged cash. To do so, he had no problem with trying to "scare the sh*t out of them." When working with a major DC law firm in late 2010 on a potential deal involving social media, for instance, Barr decided that scraping Facebook to stalk a key partner and his family might be a good idea. When he sent his law firm contact a note filled with personal information about the partner, his wife, her family, and her photography business, the result was immediate.
"Thanks. I am not sure I will share what you sent last night; he might freak out."
This rather creepy behavior became common; Barr used it as a sign of his social media prowess. Another target of his investigations went to "a Jewish Church in DC, the Temple Micah." Someone else "married @ the Inn at Perry Cabin in St. Michaels, MD (non-denominational ceremony)." Barr was even willing to helpfully guesstimate the ages of children in photographs ("they have 2 kids, son and daughter look to be 7 and 4").
[Image: john-info.jpg]
Barr's rundown on his H&W contact


With one potential client, Barr sifted the man's social media data and then noted that "I am tempted to create a person from his highschool and send him a request, but that might be overstepping it."
As the money ran out on HBGary Federal, Barr increasingly had no problem "overstepping it." In November, when a major US bank wanted a strategy for taking down WikiLeaks, Barr immediately drafted a presentation in which he suggested "cyber attacks against the infrastructure to get data on document submitters. This would kill the project. Since the servers are now in Sweden and France, putting a team together to get access is more straightforward."
[Image: HBgary-special-ops.jpg]
HBGary's "special ops," from an early slide


Faking documents seemed like a good idea, too, documents which could later be "called out" so as to make WikiLeaks look unreliable.
And Barr wanted to go further, pushing on people like civil liberties Salon.com columnist Glenn Greenwald, apparently hoping to threaten their livelihoods. "These are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause, such is the mentality of most business professionals," he wrote. "Without the support of people like Glenn WikiLeaks would fold."
When the US Chamber of Commerce wanted to look into some of its opponents, Barr teamed with two other security companies and went nuts, proposing that the Chamber create an absurdly expensive "fusion cell" of the kind "developed and utilized by Joint Special Operations Command (JSOC)" and costing $2 million a month. And if the fusion cell couldn't turn up enough opposition research, the security firms would be happy to create honeypot websites to lure the Chamber's union-loving opponents in order to grab more data from them.
The security companies even began grabbing tweets from liberal activists and mapping the connections between people using advanced link analysis software most often used by the intelligence community. (Some of the Chamber material was unearthed by ThinkProgress and other liberal bloggers, while The Tech Herald and Crowdleaks.org first wrote about the proposed WikiLeaks attacks.)
While waiting to see if his proposals would result in work for HBGary Federal, Barr turned in January to unmask the leadership of the hacker collective Anonymous. This part of the story is well known by now (read our investigative feature): when Barr went public with his findings, Anonymous took down his website, stole his e-mails, deleted the company's backup data, trashed Barr's Twitter account, and remotely wiped his iPad.
In the days since the attack and the publication of Barr's e-mails, his partners at other security firms threw him under the bus. "I have directed the company to sever any and all contacts with HB Gary," said the CEO of Palantir.
Berico Technologies, another private security firm, said that it "does not condone or support any effort that proactively targets American firms, organizations or individuals. We find such actions reprehensible and are deeply committed to partnering with the best companies in our industry that share our core values. Therefore, we have discontinued all ties with HBGary Federal."
Glenn Greenwald unleashed both barrels of his own, claiming that "what is set forth in these proposal... quite possibly constitutes serious crimes. Manufacturing and submitting fake documents with the intent they be published likely constitutes forgery and fraud. Threatening the careers of journalists and activists in order to force them to be silent is possibly extortion and, depending on the specific means to be used, constitutes other crimes as well. Attacking WikiLeaks' computer infrastructure in an attempt to compromise their sources undoubtedly violates numerous cyber laws."
How did Barr, a man with long experience in security and intelligence, come to spend his days as a CEO e-stalking clients and their wives on Facebook? Why did he start performing "reconnaissance" on the largest nuclear power company in the US? Why did he suggest pressuring corporate critics to shut up, even as he privately insisted that corporations "suck the lifeblood out of humanity"? And why did he launch his ill-fated investigation into Anonymous, one which may well have destroyed his company and damaged his career?
Thanks to his leaked e-mails, the downward spiral is easy enough to retrace. Barr was under tremendous pressure to bring in cash, pressure which began on November 23, 2009.
"A" players attract "A" players

That's when Barr started the CEO job at HBGary Federal. Its parent company, the security firm HBGary, wanted a separate firm to handle government work and the clearances that went with it, and Barr was brought in from Northrop Grumman to launch the operation.
In an e-mail announcing Barr's move, HBGary CEO Greg Hoglund told his company that "these two are A+ players in the DoD contracting space and are able to 'walk the halls' in customer spaces. Some very big players made offers to Ted and Aaron last week, and instead they chose HBGary. This reflects extremely well on our company. 'A' players attract 'A' players."
Barr at first loved the job. In December, he sent an e-mail at 1:30am; it was the "3rd night in a row I have woken up in the middle of the night and can't sleep because my mind is racing. It's nice to be excited about work, but I need some sleep."
Barr had a huge list of contacts, but turning those contacts into contracts for government work with a fledgling company proved challenging. Less than a year into the job, HBGary Federal looked like it might go bust.
On October 3, 2010, HBGary CEO Greg Hoglund told Aaron that "we should have a pow-wow about the future of HBGary Federal. [HBGary President] Penny and I both agree that it hasn't really been a success... You guys are basically out of money and none of the work you had planned has come in."
Aaron agreed. "This has not worked out as any of us have planned to date and we are nearly out of money," he said.
While he worked on government contracts, Barr drummed up a little business doing social media training for corporations using, in one of his slides, a bit of research into one Steven Paul Jobs.
[Image: steve-jobs-background-search.jpg]
Steve Jobs is certainly cool with this


The training sessions, following the old "scare the sh*t out of them" approach, showed people just how simple it was to dredge up personal information by correlating data from Facebook, LinkedIn, Twitter, and more. At $1,000 per person, the training could pull in tens of thousands of dollars a day, but it was sporadic. More was needed; contracts were needed, preferably multi-year ones.
[Image: social-media-bill.png]
Social media training bill


The parent company also had issues. A few weeks after the discussions about closing up HBGary Federal, HBGary President Penny Leavy-Hoglund (Greg's wife), sent an e-mail to her sales team, telling them "to work a quota and to bring in revenue in a timely manner. It's not 'optional' as to when it needs to close, if you haven't met your number, the closing needs to happen now, not later. You need to live, eat, breath and ensure you meet your number, not kind of hit it, MEET IT... Guys, no one is making their quota."
She concluded darkly, "I have some serious doubts about some people's ability to do their job. There will be changes coming shortly and those decisions will be new people's to make."
And then, unexpectedly, came the hope of salvation.
"Bond, Q, and Moneypenny"

By October 2010, Barr was under considerable stress. His CEO job was under threat, and the e-mails show that the specter of divorce loomed over his personal life.
On October 19, a note arrived. HBGary Federal might be able to provide part of "a complete intelligence solution to a law firm that approached us." That law firm was DC-based powerhouse Hunton & Williams, which boasted 1,000 attorneys and terrific contacts. They had a client who wanted to do a little corporate investigative work, and three small security firms thought they might band together to win the deal.
Palantir would provide its expensive link analysis software running on a hosted server, while Berico would "prime the contract supplying the project management, development resources, and process/methodology development." HBGary Federal would come alongside to provide "digital intelligence collection" and "social media exploitation," Barr's strengths.
[Image: themis-logo.png]
Team Themis logo


The three companies needed a name for their joint operation. One early suggestion: a "Corporate Threat Analysis Cell." Eventually, a sexier name was chosen: Team Themis.
Barr went to work immediately, tracking down all the information he could find on the team's H&W contact. This was the result of a few hours' work:
A bit of what I have on [redacted]. He was hard to find on Facebook as he has taken some precautions to be found. He isn't even linked with his wife but I found him. I also have a list of his friends and have defined an angle if I was to target him. He has attachment to UVA, a member of multiple associations dealing with IP, e-discovery, and nearly all of his Facebook friends are of people from high school. So I would hit him from one of these three angles. I am tempted to create a person from his highschool and send him a request, but that might be overstepping it. I don't want to embarrass him, so I think I will just talk about it and he can decide for himself if I would have been successful or not.
Team Themis didn't quite understand what H&W wanted them to do, so Barr's example was simply a way to show "expertise." But it soon became clear what this was about: the US Chamber of Commerce wanted to know if certain groups attacking them were "astroturf" groups funded by the large unions.
"They further suspect that most of the actions and coordination take place through online means - forums, blogs, message boards, social networking, and other parts of the 'deep web,'" a team member explained later. "But they want to marry those online, 'cyber' sources with traditional open source data - tax records, fundraising records, donation records, letters of incorporation, etc. I believe they want to trace all the way from board structure down to the individuals carrying out actions."
H&W was putting together a proposal for the Chamber, work that Team Themis hoped to win. (It remains unclear how much the Chamber knew about any of this; it claimed later never to have paid a cent either to Team Themis or to H&W in this matter.)
Barr's plan was to dig up data from background checks, LexisNexis, LinkedIn, Facebook, Twitter, blogs, forums, and Web searches and dump it into Palantir for analysis. Hopefully, the tool could shed light on connections between the various anti-Chamber forces.
[Image: intelligence-cell-purpose.jpg]
An early version of the Team Themis goal


Once that was done, Team Themis staffers could start churning out intelligence reports for the Chamber. The team wrote up a set of "sample reports" filled with action ideas like:
  • Create a false document, perhaps highlighting periodical financial information, and monitor to see if US Chamber Watch acquires it. Afterward, present explicit evidence proving that such transactions never occurred. Also, create a fake insider persona and generate communications with [union-backed Change to Win]. Afterward, release the actual documents at a specified time and explain the activity as a CtW contrived operation.
  • If needed, create two fake insider personas, using one as leverage to discredit the other while confirming the legitimacy of the second. Such work is complicated, but a well-thought out approach will give way to a variety of strategies that can sufficiently aid the formation of vetting questions US Chamber Watch will likely ask.
  • Create a humor piece about the leaders of CtW.
The whole team had been infected with some kind of spy movie virus, one which led them to think in terms of military intelligence operations and ham-handed attacks. The attitude could be seen in e-mails which exhorted Team Themis to "make [H&W] think that we are Bond, Q, and money penny [sic] all packaged up with a bow."
Two million a month

But what to charge for this cloak-and-dagger work? Some team members worried that the asking price for an initial deployment was too high for H&W; someone else fired back, "Their client is loaded!" Besides, that money would buy access to Palantir, Berico, and "super sleuth Aaron Barr."
As the Team Themis proposal went to one of the top H&W lawyers for potential approval, Barr continued his social media dumpster diving. He dug up information on H&W employees, Chamber opponents, even the H&W partner whose approval was needed to move this proposal forward. That last bit of data collection, which Barr sent on to H&W, led to the e-mail about how it might "freak out" the partner.
[Image: richard-wife-info.jpg]
Barr's investigation into an H&W partner


If the deal came through, Barr told his HBGary colleagues, it might salvage the HBGary Federal business. "This will put us in a healthy position to chart our direction with a healthy war chest," he wrote.
Indeed it would; Team Themis decided to ask for $2 million per month, for six months, for the first phase of the project, putting $500,000 to $700,000 per month in HBGary Federal's pocket.
But the three companies disagreed about how to split the pie. In the end, Palantir agreed to take less money, but that decision had to go "way up the chain (as you can imagine)," wrote the Palantir contact for Team Themis. "The short of it is that we got approval from Dr. Karp and the Board to go ahead with the modified 40/30/30 breakdown proposed. These were not fun conversations, but we are committed to this team and we can optimize the cost structure in the long term (let's demonstrate success and then take over this market :))."
The leaders at the very top of Palantir were aware of the Team Themis work, though the details of what was being proposed by Barr may well have escaped their notice. Palantir wasn't kidding around with this contract; if selected by H&W and the Chamber, Palantir planned to staff the project with an experienced intelligence operative, a man who "ran the foreign fighter campaign on the Syrian border in 2005 to stop the flow of suicide bombers into Baghdad and helped to ensure a successful Iraqi election. As a commander, [he] ran the entire intelligence cycle: identified high-level terrorists, planned missions to kill or capture them, led the missions personally, then exploited the intelligence and evidence gathered on target to defeat broader enemy networks."
(Update: a reader points to additional emails which suggest that the "foreign fighter campaign" operative would not actually be working on the Team Themis project. Instead, Berico and Palantir would list him and another top person as "key personnel," drawing on their "creds to show our strengths," but might actually staff the project with others.)
"I don't think we can make it any further"

But the cash, which "will seem like money falling from the sky for those of us used to working in the govt sector," was not forthcoming. H&W didn't make a decision in November. Barr began to worry.
"All things we are chasing continue to get pushed to the right or just hang in limbo," he wrote. "I don't think we can make it any further. We are behind in our taxes trying to keep us afloat until a few things came through, but they are not happening fast enough." He noted that Palantir was asking "way too much money" from H&W.
As the weeks dragged on, Team Themis decided to lower its price. It sent an e-mail to H&W, saying that the three companies were "prepared to offer our services as Team Themis at a significantly lower cost (much closer to the original "Phase I" proposed costs). Does this sound like a more reasonable range in terms of pricing?"
But before H&W made a decision on the Chamber of Commerce plan, it had another urgent request for Team Themis: a major US bank had come to H&W seeking help against WikiLeaks (the bank has been widely assumed to be Bank of America, which has long been rumored to be a future WikiLeaks target).
"We want to sell this team as part of what we are talking about," said the team's H&W contact. "I need a favor. I need five to six slides on Wikileakswho they are, how they operate and how this group may help this bank. Please advise if you can help get me something ASAP. My call is at noon."
"Attack their weak points"

By 11:30pm on the evening of December 2, Barr had cranked out a PowerPoint presentation. It called for "disinformation," "cyber attacks," and a "media campaign" against WikiLeaks.
What could HBGary Federal do?
  • Computer Network Attack/Exploitation
  • Influence and Deception Operations
  • Social Media Collection, Analysis, Exploitation
  • Digital Media Forensic Analysis
This attack capability wasn't mere bluster. HBGary had long publicized to clients its cache of 0-day exploits - attacks for which there is no existing patch. A slide from a year earlier showed that HBGary claimed unpublished 0-day exploits in everything from Flash to Java to Windows 2000.
[Image: o-day-exploits.jpg]
HBGary's 0-day exploits


Another slide made clear that the company had expertise in "computer network attack," "custom malware development," and "persistent software implants."
[Image: hbgary-expertise.jpg]

In October 2010, HBGary CEO Greg Hoglund had tossed out a random idea for Barr, one that did not apparently seem unusual: "I suggest we create a large set of unlicensed windows-7 themes for video games and movies appropriate for middle east & asia. These theme packs would contain back doors."
Barr's ideas about WikiLeaks went beyond attacks on their infrastructure. He wrote in a separate document that WikiLeaks was having trouble getting money because its payment sources were being blocked. "Also need to get people to understand that if they support the organization we will come after them," he wrote. "Transaction records are easily identifiable."
As an idea that Barr knew was being prepared for a major US bank, the suggestion is chilling. Barr also reiterated the need to "get to the Swedish document submission server" that allowed people to upload leaked documents.
[Image: wikileaks-attack-ppt.jpg]
Barr's initial ideas to attack WikiLeaks


At 7:30am the next morning, Barr had another great idea: find some way to make WikiLeaks supporters like Glenn Greenwald feel like their jobs might be at stake for supporting the organization.
"One other thing," he wrote in his morning message. "I think we need to highlight people like Glenn Greenwald. Glenn was critical in the Amazon to OVH [data center] transition and helped WikiLeaks provide access to information during the transition. It is this level of support we need to attack. These are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause, such is the mentality of most business professionals. Without the support of people like Glenn WikiLeaks would fold."
This seems an absurd claim on a number of levels, but it also upped the "creep factor" dramatically. Barr was now suggesting that a major US corporation find ways to lean on a civil liberties lawyer who held a particular view of WikiLeaks, pressuring him into silence on the topic. Barr, the former Navy SIGINT officer who had traveled around the world to defend the US right to freedom of speech, had no apparent qualms about his idea.
"Discontinued all ties with HBGary Federal"

The fallout rained down quickly enough. In January, with H&W still not signing off on any big-dollar deals, Barr decided to work on a talk for the BSides security conference in San Francisco. He hoped to build on all of the social media work he was doing to identify the main participants in the Anonymous hacker collective, and by doing so to drum up business.
The decision seems to have stemmed from Barr's work on WikiLeaks. Anonymous defended WikiLeaks on several occasions in 2010, even attacking the websites of Visa and MasterCard when the companies refused to process WikiLeaks donations. But Barr also liked the thrill of chasing a dangerous quarry.
For instance, to make his point about the vulnerabilities of social media, Barr spent some time in 2010 digging into the power company Exelon and its US nuclear plants. "I am going to target the largest nuclear operator in the United States, Exelon, and I am going to do a social media targeted collection, reconnaissance against them," he wrote.
Once Barr had his social media map of connections, he could attack. As he wrote elsewhere:
Example. If I want to gain access to the Exelon plant up in Pottsdown PA I only have to go as far as LinkedIn to identify Nuclear engineers being employed by Exelon in that location. Jump over to Facebook to start doing link analysis and profiling. Add data from twitter and other social media services. I have enough information to develop a highly targeted exploitation effort.
I can and have gained access to various government and government contractor groups in the social media space using this technique (more detailed but you get the point). Given that people work from home, access home services from work - getting access to the target is just a matter of time and nominal effort.
Knowing about a target's spouse and college and business and friends makes it relatively easy to engage in a "spear phishing" attack against that person - say, a fake e-mail from an old friend, in which the target eventually reveals useful information.
Ironically, when Anonymous later commandeered Greg Hoglund's separate security site rootkit.com, it did so through a spear phishing e-mail attack on Hoglund's site administrator, who promptly turned off the site's defenses and issued a new password ("Changeme123") for a user he believed was Hoglund. Minutes later, the site was compromised.
After the Anonymous attacks and the release of Barr's e-mails, his partners furiously distanced themselves from Barr's work. Palantir CEO Dr. Alex Karp wrote, "We do not provide - nor do we have any plans to develop - offensive cyber capabilities... The right to free speech and the right to privacy are critical to a flourishing democracy. From its inception, Palantir Technologies has supported these ideals and demonstrated a commitment to building software that protects privacy and civil liberties. Furthermore, personally and on behalf of the entire company, I want to publicly apologize to progressive organizations in general, and Mr. Greenwald in particular, for any involvement that we may have had in these matters."
Berico said (PDF) that it "does not condone or support any effort that proactively targets American firms, organizations or individuals. We find such actions reprehensible and are deeply committed to partnering with the best companies in our industry that share our core values. Therefore, we have discontinued all ties with HBGary Federal."
But both of the Team Themis leads at these companies knew exactly what was being proposed (such knowledge may not have run to the top). They saw Barr's e-mails, and they used his work. His ideas on attacking WikiLeaks made it almost verbatim into a Palantir slide about "proactive tactics."
[Image: palantir-wikileaks-attack-slide.jpg]
Palantir used Barr's ideas


And Palantir had no problem scraping tweets from union supporters and creating linkages from them.
[Image: palantirs-tweet-follower.jpg]
The Team Themis Palantir instance with Twitter import module


As for targeting American organizations, it was a Berico analyst who sent out the Team Themis "sample reports," the documents suggesting that the US Chamber of Commerce create false documents and false personae in its effort to "discredit the organization" US Chamber Watch.
The US Chamber of Commerce expressed shock when the Team Themis work came to light. "We're incredulous that anyone would attempt to associate such activities with the Chamber as we've seen today from the Center for American Progress," said Tom Collamore on February 10. "The security firm referenced by ThinkProgress was not hired by the Chamber or by anyone else on the Chamber's behalf. We have never seen the document in question nor has it ever been discussed with us."
Indeed, the meeting between H&W and the Chamber on this issue was set to take place today, February 14. On February 11, the Chamber went further, issuing a new statement saying that "it never hired or solicited proposals from HBGary, Palantir or Berico, the security firms being talked about on the Web... The leaked e-mails appear to show that HBGary was willing to propose questionable actions in an attempt to drum up business, but the Chamber was not aware of these proposals until HBGary's e-mails leaked."
"No money, for any purpose, was paid to any of those three private security firms by the Chamber, or by anyone on behalf of the Chamber, including Hunton & Williams."
As for Hunton & Williams, they have yet to comment publicly. On February 7, however, the firm celebrated its top ranking in Computerworld's report on "Best Privacy Advisers."
http://arstechnica.com/tech-policy/news/2011/02/the-ridiculous-plan-to-attack-wikileaks.ars/3


HBGary - Magda Hassan - 16-02-2011

Anonymous speaks: the inside story of the HBGary hack

By Peter Bright | Last updated February 15, 2011 8:00 PM
[Image: feat-anonymous-fire-list-thumb-640xauto-19615.jpg]
It has been an embarrassing week for security firm HBGary and its HBGary Federal offshoot. HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.
When Barr told one of those he believed to be an Anonymous ringleader about his forthcoming exposé, the Anonymous response was swift and humiliating. HBGary's servers were broken into, its e-mails pillaged and published to the world, its data destroyed, and its website defaced. As an added bonus, a second site owned and operated by Greg Hoglund, owner of HBGary, was taken offline and the user registration database published.
Over the last week, I've talked to some of those who participated in the HBGary hack to learn in detail how they penetrated HBGary's defenses and gave the company such a stunning black eye - and what the HBGary example means for the rest of us mere mortals who use the Internet.
Anonymous: more than kids

HBGary and HBGary Federal position themselves as experts in computer security. The companies offer both software and services to both the public and private sectors. On the software side, HBGary has a range of computer forensics and malware analysis tools to enable the detection, isolation, and analysis of worms, viruses, and trojans. On the services side, it offers expertise in implementing intrusion detection systems and secure networking, and performs vulnerability assessment and penetration testing of systems and software. A variety of three letter agencies, including the NSA, appeared to be in regular contact with the HBGary companies, as did Interpol, and HBGary also worked with well-known security firm McAfee. At one time, even Apple expressed an interest in the company's products or services.
Greg Hoglund's rootkit.com is a respected resource for discussion and analysis of rootkits (software that tampers with operating systems at a low level to evade detection) and related technology; over the years, his site has been targeted by disgruntled hackers aggrieved that their wares have been discussed, dissected, and often disparaged as badly written bits of code.
One might think that such an esteemed organization would prove an insurmountable challenge for a bunch of disaffected kids to hack. World-renowned, government-recognized experts against Anonymous? HBGary should be able to take their efforts in stride.
Unfortunately for HBGary, neither the characterization of Anonymous nor the assumption of competence on the security company's part is accurate, as the story of how HBGary was hacked will make clear.
Anonymous is a diverse bunch: though they tend to be younger rather than older, their age group spans decades. Some may still be in school, but many others are gainfully employed office-workers, software developers, or IT support technicians, among other things. With that diversity in age and experience comes a diversity of expertise and ability.
It's true that most of the operations performed under the Anonymous branding have been relatively unsophisticated, albeit effective: the attacks made on MasterCard and others were distributed denial-of-service attacks using a modified version of the Low Orbit Ion Cannon (LOIC) load-testing tool. The modified LOIC enables the creation of large botnets that each user opts into: the software can be configured to take its instructions from connections to Internet relay chat (IRC) chat servers, allowing attack organizers to remotely control hundreds of slave machines and hence control large-scale attacks that can readily knock websites offline.
According to the leaked e-mails, Aaron Barr believed that HBGary's website was itself subject to a denial-of-service attack shortly after he exposed himself to someone he believed to be a top Anonymous leader. But the person I spoke to about this denied any involvement in such an attack. Which is not to say that the attack didn't happen - simply that this person didn't know about or participate in it. In any case, the Anonymous plans were more advanced than a brute force DDoS.
Time for an injection

HBGary Federal's website, hbgaryfederal.com, was powered by a content management system (CMS). CMSes are a common component of content-driven sites; they make it easy to add and update content to the site without having to mess about with HTML and making sure everything gets linked up and so on and so forth. Rather than using an off-the-shelf CMS (of which there are many, used in the many blogs and news sites that exist on the Web), HBGary - for reasons best known to its staff - decided to commission a custom CMS system from a third-party developer.
Unfortunately for HBGary, this third-party CMS was poorly written. In fact, it had what can only be described as a pretty gaping bug in it. A standard, off-the-shelf CMS would be no panacea in this regard - security flaws crop up in all of them from time to time - but it would have the advantage of many thousands of users and regular bugfixes, resulting in a much lesser chance of extant security flaws.
The custom solution on HBGary's site, alas, appeared to lack this kind of support. And if HBGary conducted any kind of vulnerability assessment of the software - which is, after all, one of the services the company offers - then its assessment overlooked a substantial flaw.
The hbgaryfederal.com CMS was susceptible to a kind of attack called SQL injection. In common with other CMSes, the hbgaryfederal.com CMS stores its data in an SQL database, retrieving data from that database with suitable queries. Some queries are fixed - an integral part of the CMS application itself. Others, however, need parameters. For example, a query to retrieve an article from the CMS will generally need a parameter corresponding to the article ID number. These parameters are, in turn, generally passed from the Web front-end to the CMS.
SQL injection is possible when the code that deals with these parameters is faulty. Many applications join the parameters from the Web front-end with hard-coded queries, then pass the whole concatenated lot to the database. Often, they do this without verifying the validity of those parameters. This exposes the systems to SQL injection. Attackers can pass in specially crafted parameters that cause the database to execute queries of the attackers' own choosing.
The exact URL used to break into hbgaryfederal.com was http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27. The URL has two parameters named pageNav and page, set to the values 2 and 27, respectively. One or other or both of these was handled incorrectly by the CMS, allowing the hackers to retrieve data from the database that they shouldn't have been able to get.


Rainbow tables

Specifically, the attackers grabbed the user database from the CMS - the list of usernames, e-mail addresses, and password hashes for the HBGary employees authorized to make changes to the CMS. In spite of the rudimentary SQL injection flaw, the designers of the CMS system were not completely oblivious to security best practices; the user database did not store plain readable passwords. It stored only hashed passwords - passwords that have been mathematically processed with a hash function to yield a number from which the original password can't be deciphered.
The key part is that you can't go backwards - you can't take the hash value and convert it back into a password. With a hash algorithm, traditionally the only way to figure out the original password was to try every single possible password in turn, and see which one matched the hash value you have. So, one would try "a," then "b," then "c"... then "z," then "aa," "ab," and so on and so forth.
To make this more difficult, hash algorithms are often quite slow (deliberately), and users are encouraged to use long passwords which mix lower case, upper case, numbers, and symbols, so that these brute force attacks have to try even more potential passwords until they find the right one. Given the number of passwords to try, and the slowness of hash algorithms, this normally takes a very long time. Password cracking software to perform this kind of brute force attack has long been available, but its success at cracking complex passwords is low.
However, a technique first published in 2003 (itself a refinement of a technique described in 1980) gave password crackers an alternative approach. By pre-computing large sets of data and generating what are known as rainbow tables, the attackers can make a trade-off: they get much faster password cracks in return for using much more space. The rainbow table lets the password cracker pre-compute and store a large number of hash values and the passwords that generated them. An attacker can then look up the hash value that they are interested in and see if it's in the table. If it is, they can then read out the password.
To make cracking harder, good password hash implementations will use a couple of additional techniques. The first is iterative hashing: simply put, the output of the hash function is itself hashed with the hash function, and this process is repeated thousands of times. This makes the hashing process considerably slower, hindering both brute-force attacks and rainbow table generation.
The second technique is salting; a small amount of random data is added to the password before hashing it, greatly expanding the size of rainbow table that would be required to get the password.
In principle, any hash function can be used to generate rainbow tables. However, it takes more time to generate rainbow tables for slow hash functions than it does for fast ones, and hash functions that produce a short hash value require less storage than ones that produce long hash values. So in practice, only a few hash algorithms have widely available rainbow table software available. The best known and most widely supported of these is probably MD5, which is quick to compute and produces an output that is only 128 bits (16 bytes) per hash. These factors together make it particularly vulnerable to rainbow table attacks. A number of software projects exist that allow the generation or downloading of MD5 rainbow tables, and their subsequent use to crack passwords.
As luck would have it, the hbgaryfederal.com CMS used MD5. What's worse is that it used MD5 badly: there was no iterative hashing and no salting. The result was that the downloaded passwords were highly susceptible to rainbow table-based attacks, performed using a rainbow table-based password cracking website. And so this is precisely what the attackers did; they used a rainbow table cracking tool to crack the hbgaryfederal.com CMS passwords.
Even with the flawed usage of MD5, HBGary could have been safe thanks to a key limitation of rainbow tables: each table only spans a given "pattern" for the password. So for example, some tables may support "passwords of 1-8 characters made of a mix of lower case and numbers," while others can handle only "passwords of 1-12 characters using upper case only."
A password that uses the full range of the standard 95 typeable characters (upper and lower case letters, numbers, and the standard symbols found on a keyboard) and which is unusually long (say, 14 or more characters) is unlikely to be found in a rainbow table, because the rainbow table required for such passwords will be too big and take too long to generate.
Alas, two HBGary Federal employees - CEO Aaron Barr and COO Ted Vera - used passwords that were very simple; each was just six lower case letters and two numbers. Such simple combinations are likely to be found in any respectable rainbow table, and so it was that their passwords were trivially compromised.
[Image: anonymous-shadowfolk1.png]

For a security company to use a CMS that was so flawed is remarkable. Proper handling of passwords - iterative hashing, using salts and slow algorithms - and protection against SQL injection attacks are basic errors. Their system did not fall prey to some subtle, complex issue: it was broken into with basic, well-known techniques. And though not all the passwords were retrieved through the rainbow tables, two were, because they were so poorly chosen.
HBGary owner Penny Leavy said in a later IRC chat with Anonymous that the company responsible for implementing the CMS has since been fired.
Password problems

Still, badly chosen passwords aren't such a big deal, are they? They might have allowed someone to deface the hbgaryfederal.com website - admittedly embarrassing - but since everybody knows that you shouldn't reuse passwords across different systems, that should have been the extent of the damage, surely?
Unfortunately for HBGary Federal, it was not. Neither Aaron nor Ted followed best practices. Instead, they used the same password in a whole bunch of different places, including e-mail, Twitter accounts, and LinkedIn. For both men, the passwords allowed retrieval of e-mail. However, that was not all they revealed. Let's start with Ted's password first.
Along with its webserver, HBGary had a Linux machine, support.hbgary.com, on which many HBGary employees had shell accounts with ssh access, each with a password used to authenticate the user. One of these employees was Ted Vera, and his ssh password was identical to the cracked password he used in the CMS. This gave the hackers immediate access to the support machine.
ssh doesn't have to use passwords for authentication. Passwords are certainly common, but they're also susceptible to this kind of problem (among others). To combat this, many organizations and users, particularly those with security concerns, do not use passwords for ssh authentication. Instead, they use public key cryptography: each user has a key made up of a private part and a public part. The public part is associated with their account, and the private part is kept, well, private. ssh then uses these two keys to authenticate the user.
Since these private keys are not as easily compromised as passwords - servers don't store them, and in fact they never leave the client machine - and aren't readily re-used (one set of keys might be used to authenticate with several servers, but they can't be used to log in to a website, say), they are a much more secure option. Had they been used for HBGary's server, it would have been safe. But they weren't, so it wasn't.
Although attackers could log on to this machine, the ability to look around and break stuff was curtailed: Ted was only a regular non-superuser. Being restricted to a user account can be enormously confining on a Linux machine. It spoils all your fun; you can't read other users' data, you can't delete files you don't own, you can't cover up the evidence of your own break-in. It's a total downer for hackers.
The only way they can have some fun is to elevate privileges through exploiting a privilege escalation vulnerability. These crop up from time to time and generally exploit flaws in the operating system kernel or its system libraries to trick it into giving the user more access to the system than should be allowed. By a stroke of luck, the HBGary system was vulnerable to just such a flaw. The error was published in October last year, conveniently with a full, working exploit. By November, most distributions had patches available, and there was no good reason to be running the exploitable code in February 2011.
Exploitation of this flaw gave the Anonymous attackers full access to HBGary's system. It was then that they discovered many gigabytes of backups and research data, which they duly purged from the system.
Aaron's password yielded even more fruit. HBGary used Google Apps for its e-mail services, and for both Aaron and Ted, the password cracking provided access to their mail. But Aaron was no mere user of Google Apps: his account was also the administrator of the company's mail. With his higher access, he could reset the passwords of any mailbox and hence gain access to all the company's mail - not just his own. It's this capability that yielded access to Greg Hoglund's mail.
And what was done with Greg's mail?
A little bit of social engineering, that's what.


A little help from my friends

Contained within Greg's mail were two bits of useful information. One: the root password to the machine running Greg's rootkit.com site was either "88j4bb3rw0cky88" or "88Scr3am3r88". Two: Jussi Jaakonaho, "Chief Security Specialist" at Nokia, had root access. Vandalizing the website stored on the machine was now within reach.
The attackers just needed a little bit more information: they needed a regular, non-root user account to log in with, because as a standard security procedure, direct ssh access with the root account is disabled. Armed with the two pieces of knowledge above, and with Greg's e-mail account in their control, the social engineers set about their task. The e-mail correspondence tells the whole story:
From: Greg
To: Jussi
Subject: need to ssh into rootkit
im in europe and need to ssh into the server. can you drop open up
firewall and allow ssh through port 59022 or something vague?
and is our root password still 88j4bb3rw0cky88 or did we change to
88Scr3am3r88 ?
thanks
-------------------------------------
From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
hi, do you have public ip? or should i just drop fw?
and it is w0cky - tho no remote root access allowed
-------------------------------------
From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
no i dont have the public ip with me at the moment because im ready
for a small meeting and im in a rush.
if anything just reset my password to changeme123 and give me public
ip and ill ssh in and reset my pw.
-------------------------------------
From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
ok,
it should now accept from anywhere to 47152 as ssh. i am doing
testing so that it works for sure.
your password is changeme123

i am online so just shoot me if you need something.

in europe, but not in finland? :-)

_jussi
-------------------------------------
From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
if i can squeeze out time maybe we can catch up.. ill be in germany
for a little bit.

anyway I can't ssh into rootkit. you sure the ips still
65.74.181.141?

thanks
-------------------------------------
From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
does it work now?
-------------------------------------
From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
yes jussi thanks

did you reset the user greg or?
-------------------------------------
From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
nope. your account is named as hoglund
-------------------------------------
From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
yup im logged in thanks ill email you in a few, im backed up

thanks
Thanks indeed. To be fair to Jussi, the fake Greg appeared to know the root password and, well, the e-mails were coming from Greg's own e-mail address. But over the course of a few e-mails it was clear that "Greg" had forgotten both his username and his password. And Jussi handed them to him on a platter.
Later on, Jussi did appear to notice something was up:
From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
did you open something running on high port?
As with the HBGary machine, this could have been avoided if keys had been used instead of passwords. But they weren't. Rootkit.com was now compromised.
Standard practice

[Image: anonymous-shadowfolk2.png]

Once the username and password were known, defacing the site was easy. Log in as Greg, switch to root, and deface away! The attackers went one better than this, however: they dumped the user database for rootkit.com, listing the e-mail addresses and password hashes for everyone who'd ever registered on the site. And, as with the hbgaryfederal.com CMS system, the passwords were hashed with a single naive use of MD5, meaning that once again they were susceptible to rainbow table-based password cracking. So the crackable passwords were cracked, too.
So what do we have in total? A Web application with SQL injection flaws and insecure passwords. Passwords that were badly chosen. Passwords that were reused. Servers that allowed password-based authentication. Systems that weren't patched. And an astonishing willingness to hand out credentials over e-mail, even when the person being asked for them should have realized something was up.
The thing is, none of this is unusual. Quite the opposite. The Anonymous hack was not exceptional: the hackers used standard, widely known techniques to break into systems, find as much information as possible, and use that information to compromise further systems. They didn't have to, for example, use any non-public vulnerabilities or perform any carefully targeted social engineering. And because of their desire to cause significant public disruption, they did not have to go to any great lengths to hide their activity.
Nonetheless, their attack was highly effective, and it was well-executed. The desire was to cause trouble for HBGary, and that they did. Especially in the social engineering attack against Jussi, they used the right information in the right way to seem credible.
Most frustrating for HBGary must be the knowledge that they know what they did wrong, and they were perfectly aware of best practices; they just didn't actually use them. Everybody knows you don't use easy-to-crack passwords, but some employees did. Everybody knows you don't re-use passwords, but some of them did. Everybody knows that you should patch servers to keep them free of known security flaws, but they didn't.
And HBGary isn't alone. Analysis of the passwords leaked from rootkit.com and Gawker shows that password re-use is extremely widespread, with something like 30 percent of users re-using their passwords. HBGary won't be the last site to suffer from SQL injection, either, and people will continue to use password authentication for secure systems because it's so much more convenient than key-based authentication.
So there are clearly two lessons to be learned here. The first is that the standard advice is good advice. If all best practices had been followed then none of this would have happened. Even if the SQL injection error was still present, it wouldn't have caused the cascade of failures that followed.
The second lesson, however, is that the standard advice isn't good enough. Even recognized security experts who should know better won't follow it. What hope does that leave for the rest of us?
http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/3
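The two password-storage failures the article describes (a single unsalted MD5 over each password, which lets a precomputed rainbow table crack a dump by lookup, and password reuse, which an unsalted hash list exposes directly) can be shown side by side. This is an added example, not code from the Ars Technica article or from HBGary: the user table, e-mail addresses, passwords and wordlist are constructed for the demonstration, and PBKDF2 with a per-user random salt stands in for the remedy (bcrypt, scrypt or Argon2 would serve the same purpose).

```python
import hashlib
import hmac
import os
from collections import defaultdict


def md5_hex(text: str) -> str:
    """A single, unsalted MD5 over the password: what the leaked CMS tables used."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed user table in the shape of a leaked CMS dump (e-mail -> unsalted MD5 hex).
# The accounts and passwords are invented for this example; the hashes are computed here
# so the example runs offline. Two users share a password, as reuse in the real dumps did.
LEAKED_USERS = {
    "alice@example.com": md5_hex("Summer2010"),
    "bob@example.com":   md5_hex("letmein"),
    "carol@example.com": md5_hex("Summer2010"),
    "dave@example.com":  md5_hex("x9$Lq!7vP@wZ-not-in-any-list"),
}

# Constructed candidate list standing in for a rainbow table or wordlist. A real table holds
# billions of entries, but the property that matters is the same: it is computed once and
# then reused, unchanged, against every unsalted dump that ever leaks.
WORDLIST = ["password", "123456", "qwerty", "letmein", "changeme123", "Summer2010"]


def build_lookup_table(wordlist):
    """Precompute hash -> plaintext once. Only possible because there is no per-user salt."""
    return {md5_hex(word): word for word in wordlist}


def crack_unsalted(users, table):
    """Cracking becomes a dictionary lookup per user; no hashing is needed at attack time."""
    return {email: table[h] for email, h in users.items() if h in table}


def find_shared_passwords(users):
    """Identical unsalted hashes expose password reuse before anything is cracked."""
    by_hash = defaultdict(list)
    for email, h in users.items():
        by_hash[h].append(email)
    return [sorted(emails) for emails in by_hash.values() if len(emails) > 1]


# The remedy: a per-user random salt plus a deliberately slow KDF (PBKDF2 here).
# Stored form: "salt_hex$iterations$hash_hex".
def hash_password(password: str, iterations: int = 100_000) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so verification itself does not leak through timing.
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted_with_table(stored, table):
    """The precomputed MD5 table never matches a salted, iterated hash: every guess would
    have to be recomputed per user at the KDF's cost, so a leaked dump is no longer a free win."""
    return {email: table[s] for email, s in stored.items() if s in table}


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("cracked (unsalted MD5):", crack_unsalted(LEAKED_USERS, table))
    print("reuse visible from hashes alone:", find_shared_passwords(LEAKED_USERS))
    salted = {email: hash_password(pw) for email, pw in
              [("alice@example.com", "Summer2010"), ("carol@example.com", "Summer2010")]}
    print("cracked (salted PBKDF2):", crack_salted_with_table(salted, table))
    print("same password, different stored hashes:", len(set(salted.values())) == 2)
```

Three of the four constructed accounts fall to the lookup table, and alice and carol are visibly sharing a password before a single hash is reversed. With a random salt the same two passwords store as different strings, the table matches nothing, and each guess costs 100,000 PBKDF2 iterations per user. Note what salting does not fix: it removes the precomputation shortcut, but a user who reuses a weak password across sites is still exposed wherever that password is tried directly, which is the separate reuse lesson the article draws.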


HBGary - Magda Hassan - 20-02-2011

Black ops: how HBGary wrote backdoors for the government

By Nate Anderson | Last updated February 19, 2011 3:05 PM
[Image: black-ops-12-monkeys-list-thumb-640xauto-19679.jpg]
On November 16, 2009, Greg Hoglund, a cofounder of computer security firm HBGary, sent an e-mail to two colleagues. The message came with an attachment, a Microsoft Word file called AL_QAEDA.doc, which had been further compressed and password protected for safety. Its contents were dangerous.
"I got this word doc linked off a dangler site for Al Qaeda peeps," wrote Hoglund. "I think it has a US govvy payload buried inside. Would be neat to [analyze] it and see what it's about. DONT open it unless in a [virtual machine] obviously… DONT let it FONE HOME unless you want black suits landing on your front acre. :-)"
The attached document, which is in English, begins: "LESSON SIXTEEN: ASSASSINATIONS USING POISONS AND COLD STEEL (UK/BM-154 TRANSLATION)."
It purports to be an Al-Qaeda document on dispatching one's enemies with knives (try "the area directly above the genitals"), with ropes ("Choking… there is no other area besides the neck"), with blunt objects ("Top of the stomach, with the end of the stick."), and with hands ("Poking the fingers into one or both eyes and gouging them.").
But the poison recipes, for ricin and other assorted horrific bioweapons, are the main draw. One, purposefully made from a specific combination of spoiled food, requires "about two spoonfuls of fresh excrement." The document praises the effectiveness of the resulting poison: "During the time of the destroyer, Jamal Abdul Nasser, someone who was being severely tortured in prison (he had no connection with Islam), ate some feces after losing sanity from the severity of the torture. A few hours after he ate the feces, he was found dead."
[Image: Untitled.png]
The purported Al-Qaeda document


According to Hoglund, the recipes came with a side dish, a specially crafted piece of malware meant to infect Al-Qaeda computers. Is the US government in the position of deploying the hacker's darkest tools: rootkits, computer viruses, trojan horses, and the like? Of course it is, and Hoglund was well-positioned to know just how common the practice had become. Indeed, he and his company helped to develop these electronic weapons.
Thanks to a cache of HBGary e-mails leaked by the hacker collective Anonymous, we have at least a small glimpse through a dirty window into the process by which tax dollars enter the military-industrial complex and emerge as malware.
Task B

In 2009, HBGary had partnered with the Advanced Information Systems group of defense contractor General Dynamics to work on a project euphemistically known as "Task B." The team had a simple mission: slip a piece of stealth software onto a target laptop without the owner's knowledge.
[Image: 69NPP.png]
HBGary white paper on exploiting software


They focused on ports (a laptop's interfaces to the world around it), including the familiar USB port, the less-common PCMCIA Type II card slot, the smaller ExpressCard slot, WiFi, and Firewire. No laptop would have all of these, but most recent machines would have at least two.
The HBGary engineering team broke this list down into three categories. First came the "direct access" ports that provided "uninhibited electronic direct memory access." PCMCIA, ExpressCard, and Firewire all allowed external devices (say, a custom piece of hardware delivered by a field operative) to interact directly with the laptop with a minimum amount of fuss. The direct memory access provided by the controllers for these ports means that devices in them can write directly to the computer's memory without intervention from the main CPU and with little restriction from the operating system. If you want to overwrite key parts of the operating system to sneak in a bit of your own code, this is the easiest way to go.
The second and third categories, ports that needed "trust relationships" or relied on "buffer overflows," included USB and wireless networking. These required more work to access, especially if one wanted to do so without alerting a user; Windows in particular is notorious for the number of prompts it throws when USB devices are inserted or removed. A cheerful note about "Searching for device driver for NSA_keylogger_rootkit_tango" had to be avoided.
So HBGary wanted to go the direct access route, characterizing it as the "low hanging fruit" with the lowest risk. General Dynamics wanted HBGary to investigate the USB route as well (the ports are more common, but an attack has to trick the operating system into doing its bidding somehow, commonly through a buffer overflow).
The team had two spy movie scenarios in which its work might be used, scenarios drafted to help the team think through its approach:
1) Man leaves laptop locked while quickly going to the bathroom. A
device can then be inserted and then removed without touching the laptop
itself except at the target port. (i.e. one can't touch the mouse,
keyboard, insert a CD, etc.)
2) Woman shuts down her laptop and goes home. One then can insert a
device into the target port and assume she will not see it when she
returns the next day. One can then remove the device at a later time
after she boots up the machine.
Why would the unnamed client for Task B (which a later e-mail makes clear was for a government agency) want such a tool? Imagine you want access to the computer network used in a foreign government ministry, or in a nuclear lab. Such a facility can be tough to crack over the Internet; indeed, the most secure facilities would have no such external access. And getting an agent inside the facility to work mischief is very risky, if it's even possible at all.
But say a scientist from the facility uses a memory stick to carry data home at night, and that he plugs the memory stick into his laptop on occasion. You can now get a piece of custom spyware into the facility by putting a copy on the memory stick, if you can first get access to the laptop. So you tail the scientist and follow him from his home one day to a local coffee shop. He steps away to order another drink, to go to the bathroom, or to talk on his cell phone, and the tail walks past his table and sticks an all-but-undetectable bit of hardware in his laptop's ExpressCard slot. Suddenly, you have a vector that points all the way from a local coffee shop to the interior of a secure government facility.
The software exploit code actually delivered onto the laptop was not HBGary's concern; it needed only to provide a route through the computer's front door. But it had some constraints. First, the laptop owner should still be able to use the port so as not to draw attention to the inserted hardware. This is quite obviously tricky, but one could imagine a tiny ExpressCard device that slid down into the slot but could in turn accept another ExpressCard device on its exterior-facing side. This sort of parallel plugging might well go unnoticed by a user with no reason to suspect it.
HBGary's computer infiltration code then had to avoid the computer's own electronic defenses. The code should "not be detectable" by virus scanners or operating system port scans, and it should clean up after itself to eliminate all traces of entry.
Greg Hoglund was confident that he could deliver at least two laptop-access techniques in less than a kilobyte of memory each. As the author of books like Exploiting Software: How to Break Code, Rootkits: Subverting the Windows Kernel, and Exploiting Online Games: Cheating Massively Distributed Systems, he knew his way around the deepest recesses of Windows in particular.
Hoglund's special interest was in all-but-undetectable computer "rootkits," programs that provide privileged access to a computer's innermost workings while cloaking themselves even from standard operating system functions. A good rootkit can be almost impossible to remove from a running machine, if you could even find it in the first place.
Just a demo

Some of this work was clearly for demonstration purposes, and much of it was probably never deployed in the field. For instance, HBGary began $50,000 of work for General Dynamics on "Task C" in June 2009, creating a piece of malware that infiltrated Windows machines running Microsoft Outlook.
The target user would preview a specially crafted e-mail message in Outlook that took advantage of an Outlook preview pane vulnerability to execute a bit of code in the background. This code would install a kernel driver, one operating at the lowest and most trusted level of the operating system, that could send traffic over the computer's serial port. (The point of this exercise was never spelled out, though the use of serial ports rather than network ports suggests that cutting-edge desktop PCs were not the target.)
[Image: hbgary-expertise.jpg]
HBGary's expertise


Once installed, the malware could execute external commands, such as sending specific files over the serial port, deleting files on the machine, or causing the infamous Windows "blue screen of death." In addition, the code should be able to pop open the computer's CD tray and blink the lights on its attached keyboards, another reminder that Task C was, at this stage, merely for a demo.
General Dynamics would presumably try to interest customers in the product, but it's not clear from the e-mails at HBGary whether this was ever successful. Even with unique access to the innermost workings of a security firm, much remains opaque; the real conversations took place face-to-face or on secure phone lines, not through e-mail, so the glimpses we have here are fragmentary at best. This care taken to avoid sending sensitive information via unencrypted e-mail stands in stark contrast with the careless approach to security that enabled the hacks in the first place.
But that doesn't mean specific information is hard to come by, such as the fact that rootkits can be purchased for $60,000.
Step right up!

Other tools were in use and were sought out by government agencies. An internal HBGary e-mail from early 2010 asks, "What are the license costs for HBGary rk [rootkit] platform if they want to use it on guardian for afisr [Air Force Intelligence, Surveillance, and Reconnaissance]?"
The reply indicates that HBGary has several tools on offer. "Are you asking about the rootkit for XP (kernel driver that hides in plain sight and is a keylogger that exfiltrates data) or are you asking about 12 Monkeys? We've sold licenses of the 1st one for $60k. We haven't set a price on 12 Monkeys, but can."
The company had been developing rootkits for years. Indeed, it had even developed a private Microsoft Word document outlining its basic rootkit features, features which customers could have (confirming the e-mail listed above) for $60,000.
[Image: rootkit-platform.png]
Description of the basic rootkit platform


That money bought you the rootkit source code, which was undetectable by most rootkit scanners or firewall products when it was tested against them in 2008. Only one product from Trend Micro noticed the rootkit installation, and even that alert was probably not enough to warn a user. As the HBGary rootkit document notes, "This was a low level alert. TrendMicro assaults the user with so many of these alerts in every day use, therefore most users will quickly learn to ignore or even turn off such alerts."
When installed in a target machine, the rootkit could record every keystroke that a user typed, linking it up to a Web browser history. This made it easy to see usernames, passwords, and other data being entered into websites; all of this information could be silently "exfiltrated" right through even the pickiest personal firewall.
But if a target watched its outgoing traffic and noted repeated contacts with, say, a US Air Force server, suspicions might be aroused. The rootkit could therefore connect instead to a "dead drop" (a totally anonymous server with no apparent connection to the agency using the rootkit) where the target's keyboard activity could be retrieved at a later time.
But by 2009, the existing generic HBGary rootkit package was a bit long in the tooth. Hoglund, the rootkit expert, apparently had much bigger plans for a next-gen product called "12 monkeys."
12 Monkeys

The 12 Monkeys rootkit was also a contract paid out by General Dynamics; as one HBGary e-mail noted, the development work could interfere with Task B, but "if we succeed, we stand to make a great deal of profit on this."
On April 14, 2009, Hoglund outlined his plans for the new super-rootkit for Windows XP, which was "unique in that the rootkit is not associated with any identifiable or enumerable object. This rootkit has no file, named data structure, device driver, process, thread, or module associated with it."
How could Hoglund make such a claim? Security tools generally work by scanning a computer for particular objects: pieces of data that the operating system uses to keep track of processes, threads, network connections, and so on. 12 Monkeys simply had nothing to find. "Since no object is associated with the objectless rootkit, detection will be very difficult for a security scanner," he wrote. In addition, the rootkit would encrypt itself to cloak itself further, and hop around in the computer's memory to make it even harder to find.
As for getting the data off a target machine and back to the rootkit's buyer, Hoglund had a clever idea: he disguised the outgoing traffic by sending it only when other outbound Web traffic was being sent. Whenever a user sat down at a compromised machine and started surfing the Web, their machine would slip in some extra outgoing data "disguised as ad-clicks" that would contain a log of all their keystrokes.
While the basic rootkit went for $60,000, HBGary hoped to sell 12 Monkeys for much more: "around $240k."
0-day

The goal of this sort of work is always to create something undetectable, and there's no better way to be undetectable than by taking advantage of a security hole that no one else has ever found. Once vulnerabilities are disclosed, vendors like Microsoft race to patch them, and they increasingly push those patches to customers via the Internet. Among hackers, then, the most prized exploits are "0-day" exploits: exploits for holes for which no patch yet exists.
HBGary kept a stockpile of 0-day exploits. A slide from one of the company's internal presentations showed that the company had 0-day exploits for which no patch yet existed, but these 0-day exploits had not yet even been published. No one knew about them.
The company had exploits "on the shelf" for Windows 2000, Flash, Java, and more; because they were 0-day attacks, any computer around the world running these pieces of software could be infiltrated.
One of the unpublished Windows 2000 exploits, for instance, can deliver a "payload" of any size onto the target machine using a heap exploit. "The payload has virtually no restrictions" on what it can do, a document notes, because the exploit secures SYSTEM level access to the operating system, "the highest user-mode operating system defined level" available.
These exploits were sold to customers. One email, with the subject "Juicy Fruit," contains the following list of software:
VMware ESX and ESXi *
Win2K3 Terminal Services
Win2K3 MSRPC
Solaris 10 RPC
Adobe Flash *
Sun Java *
Win2k Professional & Server
XRK Rootkit and Keylogger *
Fake Facebook friends

[Image: facebook_head.jpg]

In June 2010, the government was expressing real interest in social networks. The Air Force issued a public request for "persona management software," which might sound boring until you realize that the government essentially wanted the ability to have one agent run multiple social media accounts at once. It wanted 50 software licenses, each of which could support 10 personas, "replete with background, history, supporting details, and cyber presences that are technically, culturally and geographically consistent."
The software would allow these 50 cyberwarriors to peer at their monitors all day and manipulate these 10 accounts easily, all "without fear of being discovered by sophisticated adversaries." The personas would appear to come from all over the world, the better to infiltrate jihadist websites and social networks, or perhaps to show up on Facebook groups and influence public opinion in pro-US directions.
As the cyberwarriors worked away controlling their 10 personas, their computers would helpfully provide "real-time local information" so that they could play their roles convincingly.
In addition the Air Force wanted a secure virtual private network that could mask the IP addresses behind all of this persona traffic. Every day, each user would get a random IP address to help hide "the existence of the operation." The network would further mask this persona work by "traffic mixing, blending the user's traffic with traffic from multitudes of users from outside the organization. This traffic blending provides excellent cover and powerful deniability."
This sort of work most interested HBGary Federal's Aaron Barr, who was carving out a niche for himself as a social media expert. Throughout late 2010 and early 2011, he spent large chunks of his time attempting to use Facebook, Twitter, and Internet chat to map the network of Exelon nuclear plant workers in the US and to research the members of Anonymous. As money for his company dried up and government contracts proved hard to come by, Barr turned his social media ideas on pro-union forces, getting involved in a now-controversial project with two other security firms.
But e-mails make clear that he mostly wanted to sell this sort of capability to the government. "We have other customers, mostly on offense, that are interested in Social Media for other things," he wrote in August 2010. "The social media stuff seems like low hanging fruit."
How does one use social media and fake "personas" to do anything of value? An e-mail from Barr on August 22 makes his thinking clear. Barr ponders "the best way to go about establishing a persona to reach an objective (in this case ft. belvoir/INSCOM/1st IO)."
The Army's Fort Belvoir, like any secretive institution, might be more easily penetrated by pretending to be an old friend of a current employee. "Make your profile swim in a large sea," Barr wrote. "Pick a big city, big high school, big company. Work your way up and in. Recreate your history. Start by friending high school people. In my case I am in the army so after you have amassed enough friends from high school, then start friending military folks outside of your location, something that matches the area your in, bootcamp, etc. Lastly start to friend people from the base, but start low and work your way up. So far so good."
Once the persona had this network of friends, "I will start doing things tricky. Try to manipulate conversations, insert communication streams, etc," said Barr. This sort of social media targeting could also be used to send your new "friend" documents or files (such as the Al-Qaeda poison document discussed above) [that] come complete with malware, or by directing them to specially-crafted websites designed to elicit some specific piece of information: directed attacks known as "spear phishing."
But concerns arose about obtaining and using social media data, in part because sites like Facebook restricted the "scraping" of its user data. An employee from the link analysis firm Palantir wrote Barr at the end of August, asking, "Is the idea that we'd want to ingest all of Facebook's data, or just a targeted subset for a few users of interest?"
The more data that was grabbed from Facebook, the more chance a problem could arise. The Palantir employee noted that a researcher had used similar tools to violate Facebook's acceptable use policy on data scraping, "resulting in a lawsuit when he crawled most of Facebook's social graph to build some statistics. I'd be worried about doing the same. (I'd ask him for his Facebook data; he's a fan of Palantir, but he's already deleted it.)"
Still, the potential usefulness of sites like Facebook was just too powerful to ignore, acceptable use policy or not.
Feeling twitchy

While Barr fell increasingly in love with his social media sleuthing, Hoglund still liked researching his rootkits. In September, the two teamed up for a proposal to DARPA, the Defense Advanced Research Projects Agency that had been instrumental in creating the Internet back in the 1960s.
DARPA didn't want incrementalism. It wanted breakthroughs (one of its most recent projects is the "100-Year Starship Study"), and Barr and Hoglund teamed up for a proposal to help the agency on its Cyber Insider Threat (CINDER) program. CINDER was an expensive effort to find new ways to watch employees with access to sensitive information and root out double agents or disgruntled workers who might leak classified information.
So Barr and Hoglund drafted a plan to create something like a lie detector, except that it would look for signs of "paranoia" instead.
"Like a lie detector detects physical changes in the body based on sensitivities to specific questions, we believe there are physical changes in the body that are represented in observable behavioral changes when committing actions someone knows is wrong," said the proposal. "Our solution is to develop a paranoia-meter to measure these observables."
The idea was to take an HBGary rootkit like 12 Monkeys and install it on user machines in such a way that users could not remove it and might not even be aware of its presence. The rootkit would log user keystrokes, of course, but it would also take "as many behavioral measurements as possible" in order to look for suspicious activity that might indicate wrongdoing.
What sort of measurements? The rootkit would monitor "keystrokes, mouse movements, and visual cues through the system camera. We believe that during particularly risky activities we will see more erratic mouse movements and keystrokes as well as physical observations such as surveying surroundings, shifting more frequently, etc."
The rootkit would also keep an eye on what files were being accessed, what e-mails were being written, and what instant messages were being sent. If necessary, the software could record a video of the user's computer screen activity and send all this information to a central monitoring office. There, software would try to pick out employees exhibiting signs of paranoia, who could then be scrutinized more closely.
Huge and obvious challenges presented themselves. As the proposal noted:
Detecting insider threat actions is highly challenging and will require a sophisticated monitoring, baselining, analysis, and alerting capability. Human actions and organizational operations are complex. You might think you can just look for people that are trying to gain access to information outside of their program area of expertise. Yet there are legitimate reasons for accessing this information. In many cases the activity you might call suspicious can also be legitimate. Some people are more or less inquisitive and will have different levels of activity in accessing information outside their specific organization. Some of the behaviors on systems vary widely depending on function. Software developer behavior will be very different than an HR person or senior manager. All of these factors need to be taken into account when developing detection capabilities for suspicious activity. We cannot focus on just [whether] a particular action is potentially suspicious. Instead we must quantify the legitimate reasons for the activity and whether this person has a baseline, position, attributes, and history to support the activity.
DARPA did not apparently choose to fund the plan.
Grey areas

The ideas got ever more grandiose. Analyzing malware, HBGary's main focus, wasn't enough to keep up with the hackers; Hoglund had a plan to get a leg up on the competition by getting even closer to malware authors. He floated an idea to sniff Russian GSM cell phone signals in order to eavesdrop on hackers' voice calls and text messages.
"GSM is easily sniffed," he wrote to Barr. "There is a SHIELD system for this that not only intercepts GSM 5.1 but can also track the exact physical location of a phone. Just to see what's on the market, check [redacted]… these have to be purchased overseas obviously."
The note concluded: "Home alone on Sunday, so I just sit here and sharpen the knife."
Barr, always enthusiastic for these kinds of ideas, loved this one. He wanted to map out everything that would be required for such an operation, including "personas, sink holes, honey nets, soft and hard assets… We would want at least one burn persona. We would want to sketch out a script to meet specific objectives.
And, he noted, "We will likely ride in some grey areas."
Back to basics

In January 2011, Barr had moved on to his research into Anonymous, research that would eventually do his company in. Over at HBGary, Hoglund continued his pursuit of next-gen rootkits. He had hit on a new approach that he called "Magenta."
This would be a "new breed of Windows-based rootkit," said a Magenta planning document, one that HBGary called a "multi-context rootkit."
[Image: assembly2_ars.jpg]
Slava Markeyev


The Magenta software would be written in low-level assembly language, one step up from the ones and zeroes of the binary code with which computers do their calculating. It would inject itself into the Windows kernel, and then inject itself further into an active process; only from there would the main body of the rootkit execute.
Magenta would also inject itself routinely into different processes, jumping around inside the computer's memory to avoid detection. Its command-and-control instructions, telling the rootkit exactly what to do and where to send the information, wouldn't come from some remote Internet server but from the host computer's own memory, where the control instructions had been separately injected.
"This is ideal because it's trivial to remotely seed C&C messages into any networked Windows host," noted Hoglund, "even if the host in question has full Windows firewalling enabled."
Nothing like Magenta existed (not publicly, at least), and Hoglund was sure that he could squeeze the rootkit code into less than 4KB of memory and make it "almost impossible to remove from a live running system." Once running, all of the Magenta files on disk could be deleted. Even the best anti-rootkit tools, those that monitored physical memory for signs of such activity, "would only be of limited use since by the time the responder tried to verify his results Magenta will have already moved to a new location & context."
Hoglund wanted to build Magenta in two parts: first, a prototype for Windows XP with Service Pack 3, an old operating system but still widely installed. Second, if the prototype generated interest, HBGary could port the rootkit "to all current flavors of Microsoft Windows."
Shortly thereafter, Anonymous broke into HBGary Federal's website, cracked Barr's hashed password using rainbow tables, and found themselves in a curious position; Barr was also the administrator for the entire e-mail system, so they were able to grab e-mail from multiple accounts, including Hoglund's.
A world awash in rootkits

The leaked e-mails provide a tantalizing glimpse of life behind the security curtain. HBGary and HBGary Federal were small players in this space; indeed, HBGary appears to have made much of its cash with more traditional projects, like selling anti-malware defense tools to corporations and scanning their networks for signs of infection.
If rootkits, paranoia monitors, cartoons, and fake Facebook personas were being proposed and developed here, one can only imagine the sorts of classified projects underway throughout the entire defense and security industry.
Whether these programs are good or bad depends upon how they are used. Just as Hoglund's rootkit expertise meant that he could both detect them and author them, 0-day exploits and rootkits in government hands can be turned to many uses. The FBI has had malware like CIPAV (the Computer and Internet Protocol Address Verifier) for several years, and it's clear from the HBGary e-mail leak that the military is in wide possession of rootkits and other malware of its own. The Stuxnet virus widely believed to have at least damaged Iranian nuclear centrifuge operations is thought to have originated in the US or Israeli governments, for instance.
But the e-mails also remind us how much of this work is carried out privately and beyond the control of government agencies. We found no evidence that HBGary sold malware to nongovernment entities intent on hacking, though the company did have plans to repurpose its DARPA rootkit idea for corporate surveillance work. ("HBGary plans to transition technology into commercial products," it told DARPA.)
And another document, listing HBGary's work over the last few years, included this entry: "HBGary had multiple contracts with a consumer software company to add stealth capability to their host agent."
The actions of HBGary Federal's Aaron Barr also serve as a good reminder that, when they're searching for work, private security companies are more than happy to switch from military to corporate clients, and they bring some of the same tools to bear.
When asked to investigate pro-union websites and WikiLeaks, Barr turned immediately to his social media toolkit and was ready to deploy personas, Facebook scraping, link analysis, and fake websites; he also suggested computer attacks on WikiLeaks infrastructure and pressure be brought upon journalists like Glenn Greenwald.
His compatriots at Palantir and Berico showed, in their many e-mails, few if any qualms about turning their national security techniques upon private dissenting voices. Barr's ideas showed up in Palantir-branded PowerPoints and Berico-branded "scope of work" documents. "Reconnaissance cells" were proposed, network attacks were acceptable, "target dossiers" on "adversaries" would be compiled, and "complex information campaigns" involving fake personas were on the table.
Critics like Glenn Greenwald contend that this nexus of private and public security power is a dangerous mix. "The real issue highlighted by this episode is just how lawless and unrestrained is the unified axis of government and corporate power," he wrote last week.
Especially (though by no means only) in the worlds of the Surveillance and National Security State, the powers of the state have become largely privatized. There is very little separation between government power and corporate power. Those who wield the latter intrinsically wield the former.
The revolving door between the highest levels of government and corporate offices rotates so fast and continuously that it has basically flown off its track and no longer provides even the minimal barrier it once did. It's not merely that corporate power is unrestrained; it's worse than that: corporations actively exploit the power of the state to further entrench and enhance their power.
Even if you don't share this view, the e-mails provide a fascinating glimpse into the origins of government-controlled malware. Given the number of rootkits apparently being developed for government use, one wonders just how many machines around the globe could respond to orders from the US military. Or the Chinese military. Or the Russian military.
While hackers get most of the attention for their rootkits and botnets and malware, state actors use the same tools to play a different game, the Great Game, and it could be coming soon to a computer near you.
Opening photo illustration contains elements from Shutterstock.
http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgary-wrote-backdoors-and-rootkits-for-the-government.ars/5


Rootkit 2009 *
The e-mail talks only about "tools," not about 0-day exploits, though that appears to be what was at issue; the list of software here matches HBGary's own list of its 0-day exploits. And the asterisk beside some of the names "means the tool has been sold to another customer on a non-exclusive basis and can be sold again."
[Image: o-day-exploits.jpg]
HBGary's 0-day exploits


References to Juicy Fruit abound in the leaked e-mails. My colleague Peter Bright and I have spent days poring through the tens of thousands of messages; we believe that "Juicy Fruit" is a generic name for a usable 0-day exploit, and that interest in this Juicy Fruit was high.
"[Name] is interested in the Juicy Fruit you told him about yesterday," one e-mail reads. "Next step is I need to give [name] a write up describing it." That writeup includes the target software, the level of access gained, the max payload size, and "what does the victim see or experience."
Aaron Barr, who in late 2009 was brought on board to launch the separate company HBGary Federal (and who provoked this entire incident by trying to unmask Anonymous), wrote in one e-mail, "We need to provide info on 12 monkeys and related JF [Juicy Fruit] asap," apparently in reference to exploits that could be used to infect a system with 12 Monkeys.
HBGary also provided some Juicy Fruit to Xetron, a unit of the massive defense contractor Northrop Grumman that specialized in, among other things, "computer assault." Barr wanted to "provide Xetron with some JF code to be used for demonstrations to their end customers," one e-mail noted. "Those demonstrations could lead to JF sales or ongoing services work. There is significant revenue potential doing testing of JF code acquired elsewhere or adding features for mission specific uses."
As the deal was being worked out, HBGary worked up an agreement to "provide object code and source code for this specific Juicy Fruit" to Xetron, though they could not sell the code without paying HBGary. The code included with this agreement was an "Adobe Macromedia Flash Player Remote Access Tool," the "HBGary Rootkit Keylogger Platform," and a "Software Integration Toolkit Module."
The question of who might be interested in these tools largely remains an unknown, though Barr did request information on HBGary's Juicy Fruit just after asking for contacts at SOCOM, the US Special Operations Command.
But HBGary Federal had ideas that went far beyond government rootkits and encompassed all facets of information warfare. Including, naturally, cartoons. And Second Life.
Psyops

In mid-2010, HBGary Federal put together a PSYOP (psychological operations) proposal for SOCOM, which had issued a general call for new tools and techniques. In the document, the new HBGary Federal team talked up their past experience as creators of "multiple products briefed to POTUS [President of the United States], the NSC [National Security Council], and Congressional Intelligence committees, as well as senior intelligence and military leaders."
The document focused on cartoons and the Second Life virtual world. "HBGary personnel have experience creating political cartoons that leverage current events to seize the target audience's attention and propagate the desired messages and themes," said the document, noting that security-cleared cartoonists and 3D modelers had already been lined up to do the work if the government wanted some help.
[Image: puppet-cartoon.png]
Cartoon example of Ahmadinejad with a puppet ayatollah


The cartooning process "starts with gathering customer requirements such as the target audience, high level messages and themes, intended publication mediums… Through brainstorming sessions, we develop concept ideas. Approved concepts are rough sketched in pencil. Approved sketches are developed into a detailed, color end product that is suitable for publishing in a variety of mediums."
A sample cartoon, of Iranian President Ahmadinejad manipulating a puppet Ayatollah, was helpfully included.
The document then went on to explain how the US government could use a virtual world such as Second Life to propagate specific messages. HBGary could localize the Second Life client, translating its menu options and keyboard shortcuts into local dialects, and this localized client could report "valuable usage metrics, enabling detailed measures of effects." If you want to know whether your message is getting out, just look at the statistics of how many people play the game and for how long.
As for the messages themselves, those would appear within the Second Life world. "HBGary can develop an in-world advertising company, securing small plots of virtual land in attractive locations, which can be used to promote themes using billboards, autonomous virtual robots, audio, video, and 3D presentations," said the document.
They could even make a little money while they're at it, by creating "original marketable products to generate self-sustaining revenue within the virtual space as well as promote targeted messaging."
We found no evidence that SOCOM adopted the proposal.
But HBGary Federal's real interest had become social media like Facebook and Twitter, and how they could be used to explore and then penetrate secretive networks. And that was exactly what the Air Force wanted to do.


HBGary - Magda Hassan - 02-03-2011

1 March 2011. Add list of high-risk files found by Norton AV in the HBG-Stuxnet-Raw file.
28 February 2011
Add two messages and Cryptome note of appreciation for HBGary emails as a source of valuable technical information.

HBGary Suspected Trickery

The AV warning below appeared six days after the HBGary Stuxnet Raw Data file was offered and has been added to the Zipped file.
http://cryptome.org/0003/hbg/HBG-Stuxnet-Raw.zip (7.5MB)
Twelve Norton AV quick scans during the period failed to spot the intruder; a full scan on 28 February 2011 found it inside an HBGary Zipped file which was inside a Cryptome Zipped file. None of the other 33 HBGary files posted to Cryptome has been reported by Norton AV as a risk -- so far. Some intruders are designed to remain out of sight until a particular time or circumstance, or never revealed, quietly doing their job like Stuxnet and its kin in malware, copyright policing, cyberspying and cyberwar, all part of HBGary's and its kin's specialization in trickery.
While the warning may be due to the illicit characteristics of Stuxnet, there has been speculation that HBGary salted its files with hidden bait and markers for tracking thieves and invaders. The "Stuxnet" in this file may be bait for a trap or a phony virus-warning generator to scare off transgressors. HBGary researched, designed and deployed bait to test security risks as well as covertly installed security breachers using common deception techniques such as giving files popular names. HBGary emails describe measures taken when examining illicit programs on isolated machines with tools designed to avoid contamination, knowing that invaders themselves often set bait for outsmarting and entrapping researchers.
Unanswered still is what countermeasures the targets of Stuxnet have designed to use the program for counterattack, such as unleashing a modified Stuxnet version with hidden features. This appears to be one of the purposes for HBGary to research the program for McAfee and others. HBGary lying low at the moment may be attributed to its harvesting results of the all-too-easy email hack, or, if it did not facilitate the hack by lowering the security bar for Anonymous social engineering, to take advantage of the credulity and unwariness of its email consumers to well-known security deceptions, such as social engineering and facilitated hacks for covert release of bait, tracers and markers.
Bear in mind that there has been speculation that files submitted to Wikileaks, TOR and others have been used for this purpose. Heeding security wizards such as HBGary, Cryptome regularly warns of its being used for this common ruse. The best security wizards never tell the whole truth, stating there is no such thing, there is only trickery -- that is no doubt adept social engineering of marketing. Good buddy of HBGary, Palantir, is reported today intending to replace Google as the premier Internet spying trickster.
[Image: hbg-stuxnet-raw-1.jpg]


A sends:
When I read your post above, I went to run a quick scan on the zip file only to find that the AV program could not be started. The error message went something like 'try re-installing'. I then noticed there was no AVG icon bottom right. I immediately checked the Windows CP security centre which reported the AV program installed and running OK - but it wasn't.
I ran the repair utility on the AV prog and restarted. All then appeared - and appears OK. Running a scan on the HBG-Stuxnet-Raw.zip file then produced 26 infections in the file - per attached screenshot.
[Image: hbg-stuxnet-raw-2.jpg]
I've moved the file to a virgin thumb drive. A full scan on the original machine says it's clean but I get more paranoid by the month these days.

A2 sends:
Please, tell me you didn't see that coming. Welcome to asymmetrical warfare: and you just thought you were in the middle. I was really scratching my head when I saw the file. Now you really have something to write about.

Appreciating HBGary Emails
Cryptome: After reading several hundred HBGary emails and attachments, many of them not in the news due to the excessive coverage of Aaron Barr and HBGary Federal, the material offers impressive information about the dark side of cyberworld and the technological battles going on worldwide. The emails of Greg Hoglund and his correspondents are chock full of useful information about contending with ever-growing malware and designing defenses against it. Research, details, tests, failures and successes are bountiful. Emails about trying to market products based on years of diligent work to customers less technically capable are highly instructive. The foolishness of Barr and cohorts should not be a reason to avoid learning from and appreciating the skills of the parent firm disclosed in its emails.

High-risk files found by Norton AV in the HBG-Stuxnet-Raw file:
[Image: hbg-stuxnet-bad-files.jpg]