HBGary

Magda Hassan
02-11-2011, 07:48 AM
Firm targeting WikiLeaks cuts ties with HBGary - apologizes to reporter

by Steve Ragan - Feb 11 2011, 01:55

Firm targeting WikiLeaks cuts ties with HBGary.

Update 3:

[Note: Due to privacy concerns, Matthew Steckman's name was withheld in the original story. The following statement however was provided to The Tech Herald Monday evening, and is being posted in its entirety due to the nature of the statement. - Steve]
Palantir is a data integration software company based in Silicon Valley. We make data integration software that is as useful for fighting food borne illness as it is to fighting fraud and terrorism. Palantir does not make software that has the capability to carry out the offensive tactics proposed by HBGARY. Palantir never has and never will condone the sort of activities recommended by HBGARY. As we have previously stated, Palantir has severed all ties with HBGARY going forward. To ensure that we are in complete compliance with our company’s ethics and standards we have decided to place Matthew Steckman, 26 year old engineer, on leave pending a thorough review of his actions. Palantir was not retained by any party to develop such recommendations and indeed it would be contrary to Palantir’s ethics, culture and policies to do so.
Update 2:
Palantir sent us some additional information. The below points were emailed to us on Sunday.
Palantir never has and never will condone the sort of activities that HBGary recommended.
Palantir does not condone the recommendations in HBGary's presentations, proposals and emails. Moreover, the tactics proposed by HBGary were never accepted and never acted upon.

Palantir did not participate in the development of the recommendations that Palantir and others find offensive.
Palantir was NOT retained by any party to develop such recommendations and indeed it would be contrary to Palantir ethics, culture and policies to do so.
As we have previously stated, Palantir has severed all ties with HBGary going forward.

As you have probably already discovered in your research, there are two items we want to make very clear:

Palantir did not participate in any activities involving HBGary's proposed tactics.
The slide entitled 'Potential Proactive Tactics' was authored solely by HBGary.
The Palantir logo on the slide is the result of a collated deck and does not represent Palantir's position.
Content can be found verbatim in HBGary's email / powerpoint.

Berico Technologies has cut ties as well. More information is here (http://www.thetechherald.com/article.php/201106/6810/Berico-Technologies-severs-ties-with-HBGary-over-WikiLeaks-plot).
Dr. Alex Karp, the Co-Founder and CEO of Palantir Technologies, one of three data intelligence firms who worked to develop a systematic plan of attack against WikiLeaks and their supporters, has severed all ties with HBGary Federal and issued an apology to reporter Glenn Greenwald.

The move comes just twenty-four hours after The Tech Herald reported on the plans, thanks to a tip from Crowdleaks.org.

After the tip from Crowdleaks.org (http://crowdleaks.org/), The Tech Herald learned that Palantir Technologies (http://www.palantir.com/), HBGary Federal (http://hbgary.com/), and Berico Technologies (http://www.bericotechnologies.com/), worked together with law firm Hunton and Williams to develop a proposal for Bank of America in order to deal with the “WikiLeaks Threat.”
Hunton and Williams (http://www.hunton.com/firm/firm.aspx?id=5114) were recommended to Bank of America’s general counsel by the Department of Justice, according to the email chain viewed by The Tech Herald. The law firm was using the meeting to pitch Bank of America on retaining them for an internal investigation surrounding WikiLeaks.
“They basically want to sue them to put an injunction on releasing any data,” an email between the three data intelligence firms said. “They want to present to the bank a team capable of doing a comprehensive investigation into the data leak.”
Hunton and Williams would act as outside counsel on retainer, while Palantir would take care of network and insider threat investigations. For their part, Berico Technologies and HBGary Federal would analyze WikiLeaks.
Some of the things mentioned as potential proactive tactics against WikiLeaks include feeding the fuel between the feuding groups, disinformation, creating messages around actions to sabotage or discredit the opposing organization, and submitting fake documents to WikiLeaks and then calling out the error.
“Create concern over the security of the infrastructure. Create exposure stories. If the process is believed to not be secure they are done. Cyber attacks against the infrastructure to get data on document submitters. This would kill the project. Since the servers are now in Sweden and France putting a team together to get access is more straightforward,” the proposal said.
Moreover, reporter Glenn Greenwald, who writes for Salon.com, was singled out in the proposal as a person offering a level of support to WikiLeaks that needed to be disrupted. This disruption would include making Greenwald, and others in similar situations, choose between professional preservation and cause.
Our original coverage on this topic can be viewed here (http://www.thetechherald.com/article.php/201106/6798/Data-intelligence-firms-proposed-a-systematic-attack-against-WikiLeaks).
On Thursday evening, Dr. Alex Karp sent The Tech Herald a statement on the events and information presented in the story.
“As the Co-Founder and CEO of Palantir Technologies, I have directed the company to sever any and all contacts with HB Gary,” the statement starts.
Dr. Karp explains that Palantir Technologies provides a software analytic platform for the analysis of data. They do not provide – “nor do we have any plans to develop” – offensive cyber capabilities.
In addition, the statement says that Palantir does not build software that is designed to allow private sector entities to obtain non-public information, engage in so-called cyber attacks, or take other offensive measures.
“I have made clear in no uncertain terms that Palantir Technologies will not be involved in such activities. Moreover, we as a company, and I as an individual, always have been deeply involved in supporting progressive values and causes. We plan to continue these efforts in the future,” Dr. Karp added.
“The right to free speech and the right to privacy are critical to a flourishing democracy. From its inception, Palantir Technologies has supported these ideals and demonstrated a commitment to building software that protects privacy and civil liberties. Furthermore, personally and on behalf of the entire company, I want to publicly apologize to progressive organizations in general, and Mr. Greenwald in particular, for any involvement that we may have had in these matters.”
Palantir Technologies’ statement comes at a time when HBGary has refused to talk about the WikiLeaks proposal, or any other topic for that matter, related to the security incident caused by Anonymous after HBGary Federal’s Aaron Barr went to the press claiming he had infiltrated the loosely associative group.
The only statement from the company on the incident appeared on their website before it was fully restored.
“HBGary, Inc and HBGary Federal, a separate but related company, have been the victims of an intentional criminal cyberattack. We are taking this crime seriously and are working with federal, state, and local law enforcement authorities and redirecting internal resources to investigate and respond appropriately,” the statement said at the time.
“To the extent that any client information may have been affected by this event, we will provide the affected clients with complete and accurate information as soon as it becomes available. Meanwhile, please be aware that any information currently in the public domain is not reliable because the perpetrators of this offense, or people working closely with them, have intentionally falsified certain data.”
It is unlikely that Anonymous would forge thousands and thousands of emails or attachments. Yet, the complete severance of ties by Palantir Technologies, and the public apology to Greenwald, leaves little room for doubt that the information seen by The Tech Herald, Crowdleaks.org, and many others is legitimate.

Keith Millea
02-12-2011, 03:40 AM
Glenn Greenwald has something to say about all this.

Friday, Feb 11, 2011 05:12 ET
Glenn Greenwald (http://www.salon.com/news/opinion/glenn_greenwald/index.html)
The leaked campaign to attack WikiLeaks and its supporters

By Glenn Greenwald (http://www.salon.com/author/glenn_greenwald/index.html)

Aaron Barr, a top executive at computer security firm HB Gary.

There's been a very strange episode being written about the past couple of days involving numerous parties, including me, that I now want to comment on. The story, first reported by The Tech Herald (http://www.thetechherald.com/article.php/201106/6798/Data-intelligence-firms-proposed-a-systematic-attack-against-WikiLeaks), has been written about in numerous places (see Marcy Wheeler (http://emptywheel.firedoglake.com/2011/02/09/security-firms-pitching-bank-of-america-proposed-targeting-glenn-greenwald/), Forbes (http://blogs.forbes.com/andygreenberg/2011/02/09/did-security-firms-pitch-bank-of-america-on-sabotaging-wikileaks/), The Huffington Post (http://www.huffingtonpost.com/2011/02/10/wikileaks-glenn-greenwald-bofa-neutralizing_n_821510.html), BoingBoing (http://www.boingboing.net/2011/02/10/disgraced-security-f.html), Matt Yglesias (http://yglesias.thinkprogress.org/2011/02/get-greenwald/), Reason (http://reason.com/blog/2011/02/10/get-glenn-greenwald), Tech Dirt (http://www.techdirt.com/articles/20110209/22340513034/leaked-hbgary-documents-show-plan-to-spread-wikileaks-propaganda-bofa-attack-glenn-greenwald.shtml), and others (http://www.boomantribune.com/story/2011/2/9/155232/4102)), so I'll provide just the summary.

Last week, Aaron Barr, a top executive at computer security firm HB Gary (http://www.hbgary.com/), boasted to the Financial Times (http://www.v3.co.uk/v3/news/2274613/anonymous-hbgary-federal-ft) that his firm had infiltrated and begun to expose Anonymous, the group of pro-WikiLeaks hackers that had launched cyber attacks (http://abcnews.go.com/Technology/wikileaks-anonymous-cyber-attacks/story?id=12355960) on companies terminating services to the whistleblowing site (such as Paypal, MasterCard, Visa, Amazon and others). In retaliation, Anonymous hacked into the email accounts of HB Gary (http://nakedsecurity.sophos.com/2011/02/07/hbgary-federal-hacked-and-exposed-by-anonymous/), published 50,000 of their emails online, and also hacked Barr's Twitter and other online accounts.

Among the emails that were published was a report prepared by HB Gary (http://wikileaks.ch/IMG/pdf/WikiLeaks_Response_v6.pdf) -- in conjunction with several other top online security firms, including Palantir Technologies (http://www.palantirtech.com/) -- on how to destroy WikiLeaks. The emails indicated the report was part of a proposal to be submitted to Bank of America through its outside law firm, Hunton & Williams (http://www.hunton.com/). News reports have indicated that WikiLeaks is planning to publish highly incriminating documents showing possible corruption and fraud at that bank, and The New York Times detailed last month (http://www.nytimes.com/2011/01/03/business/03wikileaks-bank.html?_r=1) how seriously top bank officials are taking that threat. The NYT article described that the bank's "counterespionage work" against WikiLeaks entailed constant briefings for top executives on the whistle-blower site, along with the hiring of "several top law firms" and Booz Allen (the long-time firm of former Bush DNI Adm. Michael McConnell and numerous other top intelligence and defense officials (http://www.salon.com/news/feature/2007/01/08/mcconnell)). The report prepared by these firms was designed to be part of the Bank of America's highly funded anti-WikiLeaks campaign.

The leaked report suggested numerous ways to destroy WikiLeaks, some of them likely illegal -- including planting fake documents with the group and then attacking them when published; "creat concern over the security" of the site; "cyber attacks against the infrastructure to get data on document submitters"; and a "media campaign to push the radical and reckless nature of wikileaks activities." Many of those proposals were also featured prongs of a secret 2008 Pentagon plan (http://www.salon.com/news/opinion/glenn_greenwald/2010/03/27/wikileaks) to destroy WikiLeaks.

One section of the leaked report focused on attacking WikiLeaks' supporters and it featured a discussion of me (http://yglesias.thinkprogress.org/2011/02/get-greenwald/). A graph purporting to be an "organizational chart" identified several other targets, including former New York Times reporter Jennifer 8 Lee, Guardian reporter James Ball, and Manning supporter David House. The report claimed I was "critical" to WikiLeaks' public support after its website was removed by Amazon and that "it is this level of support that needs to be disrupted"; absurdly speculated that "without the support of people like Glenn, WikiLeaks would fold"; and darkly suggested that "these are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause." As The Tech Herald noted, "earlier drafts of the proposal and an email from Aaron Barr used the word 'attacked' over 'disrupted' when discussing the level of support."

In the wake of the ensuing controversy caused by publication of these documents, the co-founder and CEO of Palantir Tech, Alex Karp (http://www.palantirtech.com/about/letter), has now issued a statement (http://www.thetechherald.com/article.php/201106/6804/Firm-targeting-WikiLeaks-cuts-ties-with-HBGary-apologizes-to-reporter) stating that he "directed the company to sever any and all contacts with HB Gary."

The full statement -- which can be read here (http://www.salon.com/news/opinion/glenn_greenwald/2011/02/11/campaigns/Alex_Karp_Statement.pdf) -- also includes this sentence: "personally and on behalf of the entire company, I want to publicly apologize to progressive organizations in general, and Mr. Greenwald in particular, for any involvement that we may have had in these matters." Palantir has also contacted me by email to arrange for Dr. Karp to call me to personally convey the apology. My primary interest is in knowing whether Bank of America retained these firms to execute this proposal and if any steps were taken to do so; if Karp's apology is genuine, that information ought to be forthcoming (as I was finishing writing this, Karp called me, seemed sincere enough in his apology, vowed that any Palantir employees involved in this would be dealt with the way they dealt with HB Gary, and commendably committed to telling me by the end of the week whether Bank of America or Hunton & Williams actually retained these firms to carry out this proposal).
* * * * *
My initial reaction to all of this was to scoff at its absurdity. Not being familiar with the private-sector world of internet security, I hadn't heard of these firms before and, based on the quality of the proposal, assumed they were just some self-promoting, fly-by-night entities of little significance. Moreover, for the reasons I detailed in my interview with The Tech Herald (http://www.thetechherald.com/article.php/201106/6798/Data-intelligence-firms-proposed-a-systematic-attack-against-WikiLeaks) -- and for reasons Digby elaborated on here (http://digbysblog.blogspot.com/2011/02/tit-for-tat-and-hack-for-hack.html) -- the very notion that I could be forced to choose "professional preservation over cause" is ludicrous on multiple levels. Obviously, I wouldn't have spent the last year vehemently supporting WikiLeaks -- to say nothing of aggressively criticizing virtually every large media outlet and many of their leading stars, as well as the most beloved political leaders of both parties -- if I were willing to choose "career preservation over cause."

But after learning a lot more over the last couple of days, I now take this more seriously -- not in terms of my involvement but the broader implications this story highlights. For one thing, it turns out that the firms involved here are large, legitimate and serious, and do substantial amounts of work (http://emptywheel.firedoglake.com/2011/02/10/palantir-tries-to-preserve-their-government-contracts/) for both the U.S. Government and the nation's largest private corporations (as but one example, see this email from a Stanford computer science student (http://utdocuments.blogspot.com/2011/02/email-from-stanford-student-re-palantir.html) about Palantir). Moreover, these kinds of smear campaigns are far from unusual; in other leaked HB Gary emails, ThinkProgress discovered (http://thinkprogress.org/2011/02/10/lobbyists-chamberleaks/) that similar proposals were prepared for the Chamber of Commerce to attack progressive groups and other activists (including ThinkProgress). And perhaps most disturbing of all, Hunton & Williams was recommended to Bank of America's General Counsel by the Justice Department -- meaning the U.S. Government is aiding Bank of America in its defense against/attacks on WikiLeaks.

That's why this should be taken seriously, despite how ignorant, trite and laughably shallow is the specific leaked anti-WikiLeaks proposal. As creepy and odious as this is, there's nothing unusual about these kinds of smear campaigns. The only unusual aspect here is that we happened to learn about it this time because of Anonymous' hacking. That a similar scheme was quickly discovered by ThinkProgress demonstrates how common this behavior is. The very idea of trying to threaten the careers of journalists and activists to punish and deter their advocacy is self-evidently pernicious; that it's being so freely and casually proposed to groups as powerful as the Bank of America, the Chamber of Commerce, and the DOJ-recommended Hunton & Williams demonstrates how common this is. These highly experienced firms included such proposals because they assumed those deep-pocket organizations would approve and it would make their hiring more likely.

But the real issue highlighted by this episode is just how lawless and unrestrained is the unified axis of government and corporate power. I've written many times about this issue -- the full-scale merger between public and private spheres (http://www.salon.com/news/opinion/glenn_greenwald/2010/03/29/mcconnell) -- because it's easily one of the most critical yet under-discussed political topics. Especially (though by no means only) in the worlds of the Surveillance and National Security State (http://projects.washingtonpost.com/top-secret-america/articles/national-security-inc/), the powers of the state have become largely privatized (http://www.salon.com/news/opinion/glenn_greenwald/2007/10/15/amnesty). There is very little separation between government power and corporate power (http://www.salon.com/news/opinion/glenn_greenwald/2010/07/19/secrecy). Those who wield the latter intrinsically wield the former. The revolving door between the highest levels of government and corporate offices rotates so fast and continuously that it has basically flown off its track and no longer provides even the minimal barrier it once did. It's not merely that corporate power is unrestrained; it's worse than that: corporations actively exploit the power of the state to further entrench and enhance their power.

That's what this anti-WikiLeaks campaign is generally: it's a concerted, unified effort between government and the most powerful entities in the private sector (Bank of America is the largest bank in the nation (http://nyjobsource.com/banks.html)). The firms the Bank has hired (such as Booz Allen) are suffused with the highest level former defense and intelligence officials, while these other outside firms (including Hunton & Williams and Palantir) are extremely well-connected to the U.S. Government. The U.S. Government's obsession with destroying WikiLeaks has been well-documented (http://www.nytimes.com/2010/03/18/us/18wiki.html). And because the U.S. Government is free to break the law without any constraints, oversight or accountability, so, too, are its "private partners" able to act lawlessly. That was the lesson of the Congressional vesting of full retroactive immunity on lawbreaking telecoms, of the refusal to prosecute any of the important Wall Street criminals who caused the 2008 financial crisis, and of the instinctive efforts of the political class to protect defrauding mortgage banks (http://www.project-syndicate.org/commentary/stiglitz131/English).

The exemption from the rule of law has been fully transferred from the highest level political elites to their counterparts in the private sector. "Law" is something used to restrain ordinary Americans and especially those who oppose this consortium of government and corporate power, but it manifestly does not apply to restrain these elites. Just consider one amazing example illustrating how this works.
After Anonymous imposed some very minimal cyber disruptions on Paypal, Master Card and Amazon, the DOJ flamboyantly vowed to arrest the culprits (http://www.bloomberg.com/news/2010-12-09/holder-says-u-s-is-looking-into-wikileaks-tied-cyber-attacks.html), and several individuals were just arrested as part of those attacks (http://www.digitaltrends.com/computing/london-police-arrest-five-possible-anonymous-hackers/). But weeks earlier, a far more damaging and serious cyber-attack was launched at WikiLeaks (http://news.yahoo.com/s/ap/20101203/ap_on_hi_te/wikileaks), knocking them offline. Those attacks were sophisticated and dangerous. Whoever did that was quite likely part of either a government agency or a large private entity acting at its behest. Yet the DOJ has never announced any investigation into those attacks or vowed to apprehend the culprits, and it's impossible to imagine that ever happening.

Why? Because crimes carried out that serve the Government's agenda and target its opponents are permitted and even encouraged; cyber-attacks are "crimes" only when undertaken by those whom the Government dislikes, but are perfectly permissible when the Government itself or those with a sympathetic agenda unleash them. Whoever launched those cyber attacks at WikiLeaks (whether government or private actors) had no more legal right to do so than Anonymous, but only the latter will be prosecuted.

That's the same dynamic that causes the Obama administration to be obsessed with prosecuting WikiLeaks but not The New York Times or Bob Woodward, even though the latter have published far more sensitive government secrets; WikiLeaks is adverse to the government while the NYT and Woodward aren't, and thus "law" applies to punish only the former. The same mindset drives the Government to shield high-level political officials who commit the most serious crimes (http://www.nytimes.com/2009/01/12/us/politics/12inquire.html), while relentlessly pursuing whistle-blowers who expose their wrongdoing (http://www.huffingtonpost.com/2010/06/11/obama-whistleblowers_n_609787.html). Those with proximity to government power and who serve and/or control it are free from the constraints of law; those who threaten or subvert it have the full weight of law come crashing down upon them.
* * * * *
What is set forth in these proposals for Bank of America quite possibly constitutes serious crimes. Manufacturing and submitting fake documents with the intent they be published likely constitutes forgery and fraud. Threatening the careers of journalists and activists in order to force them to be silent is possibly extortion and, depending on the specific means to be used, constitutes other crimes as well.

Attacking WikiLeaks' computer infrastructure in an attempt to compromise their sources undoubtedly violates numerous cyber laws.

Yet these firms had no compunction about proposing such measures to Bank of America and Hunton & Williams, and even writing them down. What accounts for that brazen disregard of risk? In this world, law does not exist as a constraint. It's impossible to imagine the DOJ ever, ever prosecuting a huge entity like Bank of America for doing something like waging war against WikiLeaks and its supporters. These massive corporations and the firms that serve them have no fear of law or government because they control each. That's why they so freely plot to target those who oppose them in any way. They not only have massive resources to devote to such attacks, but the ability to act without limits. John Cole put it this way (http://www.balloon-juice.com/2011/02/10/more-fallout-from-anonymous/):

One thing that even the dim bulbs in the media should understand by now is that there is in fact a class war going on, and it is the rich and powerful who are waging it. Anyone who does anything that empowers the little people or that threatens the wealth and power of the plutocracy must be destroyed. There is a reason for these clowns going after Think Progress and unions, just like there is a reason they are targeting Wikileaks and Glenn Greenwald, Planned Parenthood, and Acorn. . . .
You have to understand the mindset- they are playing for keeps. The vast majority of the wealth isn't enough. They want it all. Anything that gets in their way must be destroyed. . . . And they are well financed, have a strong infrastructure, a sympathetic media, and entire organizations dedicated to running cover for them . . . .
I don't even know why we bother to hold elections any more, to be honest, the game is so rigged. We’re a banana republic, and it is just a matter of time before we descend into necklacing and other tribal bullshit.
There are supposed to be institutions which limit what can be done in pursuit of those private-sector goals. They're called "government" and "law." But those institutions are so annexed by the most powerful private-sector elites, and so corrupted by the public officials who run them, that nobody -- least of all those elites -- has any expectation that they will limit anything. To the contrary, the full force of government and law will be unleashed against anyone who undermines Bank of America and Wall Street executives and telecoms and government and the like (such as WikiLeaks and supporters), and will be further exploited to advance the interests of those entities, but will never be used to constrain what they do. These firms vying for Bank of America's anti-WikiLeaks business know all of this full well, which is why they concluded that proposing such pernicious and possibly illegal attacks would be deemed not just acceptable but commendable.


Magda Hassan
02-13-2011, 12:03 PM
HBGary wanted to suppress Stuxnet research

This article was written by laurelai.

It is no secret that in recent days, Anonymous Operatives have released a cache of HBGary Federal internal emails to the public. Crowdleaks has discovered that within these communications, Aaron Barr received a copy of Stuxnet (http://antivirus.about.com/od/virusdescriptions/p/Stuxnet-Worm.htm) (a computer worm that targets the types of industrial control systems (ICS) that are commonly used in infrastructure supporting facilities) from McAfee on July 28, 2010.
In an effort to confirm this was in fact Stuxnet, Crowdleaks has decompiled some of the source code, which can be found here (https://github.com/Laurelai/decompile-dump/tree/master/output). Throughout the following emails it is revealed that HBGary Federal may have been planning to use Stuxnet for their own purposes.
In a message sent to all email account holders at HBGary.com, Charles Copeland (Lead Support Engineer at HBGary, Inc.) writes:

from: Charles Copeland
to: all@hbgary.com
date: Sat, Sep 25, 2010 at 9:54 PM
subject: Stuxnet Worm
Computerworld – Officials in Iran have confirmed that the Stuxnet worm infected at least 30,000 Windows PCs in the country, multiple Iranian news services reported on Saturday.
http://www.computerworld.com/s/article/9188018/Iran_confirms_massive_Stuxnet_infection_of_industrial_systems
I’ve already got an email asking about stuxnet, this came out late Friday. Does anyone have a dropper? I have been unable to find it.
In another email sent directly to Aaron Barr, David D. Merritt writes:

from: David D. Merritt
to: Aaron Barr
date: Sun, Oct 3, 2010 at 9:35 PM
subject: Re: Hunter Killer Insanity
contacts over at TSA say that everybody has a copy…combine that with US CERTs vulnerability status and their own systems not meeting the spec….
i’m seeing TSA becoming a malware testbed…
Aaron Barr responds:

On Oct 3, 2010, at 10:13 PM, Aaron Barr wrote:
> Dave,
> We haven’t but I would be interested to talk to you some about the tie. I do have a decent amount of information on Stuxnet and would be interested to hear about the tie. Some of what I know about Stuxnet might be of interest. I think it would be best to discuss in a more closed space though.
> In doing a little research:
> http://diocyde.wordpress.com/2010/03/12/ringy-ringy-beacon-callbacks-why-dont-you-just-tell-them-their-pwned/
> While this guy can be a bit of a crackpot at times his post has more validity than fiction. Greg and I have brainstormed a bit in the past on how to conduct such an attack that would be very difficult to detect. Autonomous, single purpose malware with no C&C. As we have said the battle is on the edges either source of destination, everything else is or will become somewhat irrelevant or diminished in value.
> Aaron Barr
> HBGary Federal, LLC
> 719.510.8478
In another message sent to all email account holders at HBGary.com by Greg Hoglund, it’s made clear that HBGary wanted to hide their work on Stuxnet.

from: Greg Hoglund
to: all@hbgary.com
date: Sun, Sep 26, 2010 at 10:26 PM
subject: stuxnet
HBGary has no official position on Stuxnet. Please do not comment to the press on Stuxnet. We know nothing about Stuxnet.
-Greg Hoglund
CEO, HBGary, Inc.
In the most chilling strand of emails, we find that whatever HBGary was working on, it was in conjunction with the NSA (http://en.wikipedia.org/wiki/National_Security_Agency).
Aaron Barr writes:


> From: Aaron Barr
> To: Peace, Cheryl D
> Sent: Mon Aug 09 13:54:23 2010
> Subject: Re: Number
> Hi Cheryl,
> It does. I haven’t met him personally. Our sister company does work
> in a few different pockets on the bldg. And i am on the extended NANA
> team. I recently joined to stand up HBGary federal, a related but
> separate company. We manage all the work that requires clearances.
> We exchange some technologies, but we have some separate developments
> as well. Mostly around threat intelligence and CNO/social media.
> I think there are some enabling tech to your mission but really need
> that qualified.
> Interested to run some of the stuxnet stuff by u as well.
> Aaron
> Sent from my iPhone
Cheryl Peace writes:

On Aug 9, 2010, at 9:27 AM, “Peace, Cheryl D” wrote:
>> Aaron
>> Did a little checking and we already do business with you guys. Does the name
>> Tony Seager ring a bell?
Aaron Barr writes:

>> —–Original Message—–
>> From: Aaron Barr [mailto:aaron@hbgary.com]
>> Sent: Friday, August 06, 2010 10:56 AM
>> To: Peace, Cheryl D
>> Subject: Re: Number
>> OK. If interested do you have some time to get together when you get back?
>> either next Friday or early the following week?
>> Aaron
Cheryl Peace writes:

>> On Aug 6, 2010, at 10:44 AM, Peace, Cheryl D wrote:
>>> I am in Europe till mid next week
Aaron Barr writes:

>>> —–Original Message—–
>>> From: Aaron Barr [mailto:aaron@hbgary.com]
>>> Sent: Thursday, August 05, 2010 10:57 PM
>>> To: Peace, Cheryl D
>>> Subject: Re: Number
>>> Hi Cheryl,
>>> Can I schedule an appointment with you to come by and chat for a few
>>> minutes?
>>> Aaron
Cheryl Peace writes:

>>> On Jul 30, 2010, at 10:41 PM, Peace, Cheryl D wrote:
>>>> I am at Rao at the bar if you want to come by for a few. Meeting friends
>>> for a cocktail in a few
>>>> ————————–
>>>> Sent using BlackBerry
Aaron Barr writes:

>>>> —– Original Message —–
>>>> From: Aaron Barr
>>>> To: Peace, Cheryl D
>>>> Sent: Fri Jul 30 20:02:44 2010
>>>> Subject: Number
>>>> Cheryl,
>>>> Sorry to bother you but do you have a minute to talk. I don’t have
>>>> your number handy. It will only take moment, but I have some
>>>> information for you.
>>>> Aaron Barr
>>>> CEO
>>>> HBGary Federal
>>>> 7195108478
In a related internal email sent to Rich Cummings (CTO of HBGary, Inc.) Greg Hoglund writes:

from: Greg Hoglund
to: Rich Cummings
date: Mon, Nov 16, 2009 at 9:30 PM
subject: Govt dropper in this word DOC, zipped up for you
Phil, Rich,
I got this word doc linked off a dangler site for Al Qaeda peeps. I think it has a US govvy payload buried inside. Would be neat to REcon it and see what it’s about. DONT open it unless in a VM obviously. password is meatflower. Remove the .txt extension too. DONT let it FONE HOME unless you want black suits landing on your front acre. :-)

Crowdleaks.org had a software engineer (whose name has been withheld) look at the Stuxnet binaries inside of a debugger and offer some insight on the worm. She informed us that most of the worm's sources were using code similar to what is already publicly available. She noted that the only remarkable thing about it was the four Windows 0-days and the stolen certificates.
She says:

“A hacker did not write this, it appears to be something that would be produced by a team using a process, all of the components were created using code similar to what is already publicly available. That is to say it’s ‘unremarkable’. This was created by a software development team and while the coders were professional level I am really not impressed with the end product, it looks like a picture a child painted with finger paints.”
When asked what type of organization likely wrote it, she stated:

“Probably a corporation by request of a government, it was clearly tested and put together by pros. It really looks like outsourced work.”


Magda Hassan
02-13-2011, 12:32 PM
HBGary Federal, provider of classified cybersecurity services to the Department of Defense, Intelligence Community and other US government agencies, has opted over the past months to go to war with the group of WikiLeaks supporters known as Anonymous. The Tech Herald reported today on HBGary Federal and two other data intelligence firms' “strategic plan” for an attack against WikiLeaks.

The company is considered to be “a leading provider of best-in-class threat intelligence solutions for government agencies and Fortune 500 organizations.” It provides (http://www.dfinews.com/news/enhanced-cyber-based-threat-intelligence) "enhanced threat intelligence" so "the federal government can better protect our national cyber infrastructure."

Almost a year ago, the company received an extension (http://www.darkreading.com/security/news/223100881/hbgary-awarded-contract-extension-by-department-of-homeland-security-for-forensics-training.html) to their contract with the US Department of Homeland Security to “conduct a series of hands-on memory forensics and malware analysis training events with local, state, and federal law enforcement officials around the country.” A company contracted by the government to help out with cybersecurity initiatives for the United States is spending company time and resources and possibly even taxpayer money going after individuals who support WikiLeaks and spend lots of time in a chat room talking about what they can do to defend freedom of expression. The CEO of this cybersecurity service company is targeting a group that poses no threat to the government infrastructures it is supposed to be protecting from real cyber criminals.

Along with Palantir Technologies and Berico Technologies, which both have worked to help the government in some capacity, HBGary developed (http://www.thetechherald.com/article.php/201106/6798/Data-intelligence-firms-proposed-a-systematic-attack-against-WikiLeaks) a proposal called “The WikiLeaks Threat.” They requested that the law firm Hunton and Williams meet with Bank of America. The law firm held a meeting on December 3, and they began to plan against WikiLeaks. According to Tech Herald, Hunton and Williams would “act as outside counsel on retainer,” Palantir would “take care of network and insider threat investigations” and Berico Technologies and HBGary would “analyze WikiLeaks” to find if “WikiLeaks was hosting data in certain countries and make prosecution easier.” CEO Aaron Barr also led an infiltration into Anonymous, hoping to unearth identification information that could unveil who these people are that are operating in support of WikiLeaks.

HBGary and Palantir are partners. Palantir Technologies has been sought by the CIA, DHS and FBI to help government analysts “integrate unstructured open source information with data from various agency databases to analyze them for outstanding correlations and connections in an attempt to mitigate the burden of rummaging around through the immense amount of information available to them.” Either Palantir Technologies found the time to stop serving government (http://csis.org/blog/palantir-private-sector-solution-public-sector-problem) and work with Hunton and Williams to help Bank of America stop WikiLeaks from releasing documents that might impact Bank of America operations, or, possibly the US government had given tacit approval to Palantir to participate in this operation.

Berico Technologies worked (http://jacksonville.com/news/national/2010-07-20/story/top-secret-america-national-security-inc) with the National Security Agency (NSA) to invent technology that “made finding roadside-bomb makers easier and helped stanch the number of casualties from improvised explosive.” They also decided to participate in this initiative or, again, possibly someone in the US government suggested private corporations begin to go after WikiLeaks.

The three security service companies proposed the following tactics for going after WikiLeaks: “Create concern over the security of the infrastructure. Create exposure stories. If the process is believed to not be secure they are done. Cyber attacks against the infrastructure to get data on document submitters. This would kill the project. Since the servers are now in Sweden and France putting a team together to get access is more straightforward.” Part of their plan involves turning Salon's Glenn Greenwald against WikiLeaks.

HBGary counts (http://www.securityinfowatch.com/Newsmakers/andy-purdy-joins-hbgary) as an advisor Andy Purdy, who was a member of the White House staff team that helped to draft the U.S. National Strategy to Secure Cyberspace in 2003. He joined the Department of Homeland Security and served on “the tiger team that helped to form the National Cyber Security Division (NCSD) and the U.S. Computer Emergency Readiness Team (US-CERT).” He worked for three and a half years and spent the last two heading the NCSD and US-CERT as a “Cyber Czar.” With HBGary he is involved in an Anonymous style hacktivist attack.
For fiscal year 2011, the federal budget (http://www.whitehouse.gov/omb/factsheet_key_homeland/) for homeland security will provide “$364 million to the Department of Homeland Security to support the operations of the National Cyber Security Division which protects Federal systems as well as continuing efforts under the Comprehensive National Cybersecurity Initiative to protect our information networks from the threat of attacks or disruptions.” Should companies engaged in this kind of conduct be allowed to take government money to fund their company’s operations, which are supposed to protect government cyber infrastructure?

HBGary's infiltration led to the company "getting pwned." Anonymous figured out what was going on and seized HBGary's domain, temporarily posting this image (http://img838.imageshack.us/img838/2294/internetsanon.jpg)—a letter with an opening line that reads "claims of 'infiltrating' Anonymous amuse us, and so do your attempts at using Anonymous as a means to garner press attention for yourself."

Even though Anonymous is known to have hacked into companies like PayPal and Visa, does HBGary or any other cybersecurity service have any business mounting operations to infiltrate or target anyone linked to Anonymous? Unless HBGary is working for the FBI, it does not seem as though they should be allowed to engage in such activity.

The president of HBGary, Penny Leavy, says, “Today’s sophisticated cybercriminals require a sophisticated approach to network security.” That may be true. But, one might ask Leavy, "Do today’s sophisticated cyber activists require amateur cyber snoops?"

Later in the day, WikiLeaks posted a .PDF file (http://wikileaks.ch/IMG/pdf/WikiLeaks_Response_v6.pdf) titled "The WikiLeaks Threat," which the three data intelligence firms put together to help guide a planned attack on WikiLeaks.

It was already reported that they were going to try to use disinformation, create messages around actions of sabotage, work to discredit opposing organizations, post fake documents and call out the errors, and work to feed a fuel between groups feuding around WikiLeaks operations. What wasn't initially reported on is all the people these firms wanted to ensnare in their scheme to take down WikiLeaks.

One slide shows that these were the people they aimed to involve: James Ball, Theodore Reppe, Jennifer Robinson, Julian Assange, John Shipton, Kristinn Hrafnsson, Jacob Appelbaum, David House, Daniel Mathews, Glenn Greenwald, Jennifer 8. Lee, Daniel Schmitt, Herbert Snorrason, Birgitta Jonsdottir.

Schmitt, Snorrason and Jonsdottir are marked as "disgruntled."

Why Lee is on there is a mystery. She has not done anything at all with WikiLeaks since the "Collateral Murder" video. Also, why didn't Greg Mitchell, who has been regularly blogging WikiLeaks for The Nation make the cut?

It's clear that those working with the firms to go after WikiLeaks were not only pining for adventure or attention but also have no idea how to even begin to do research.

Magda Hassan
02-13-2011, 01:44 PM
Only teaser here for the moment. All of them will be released here over the next little while.

Magda Hassan
02-15-2011, 07:56 AM
HBGary: Don't let this story die, it's big. (http://www.dailykos.com/story/2011/02/13/943139/-HBGary:-Dont-let-this-story-die,-its-big-)

by furiousxxgeorge (http://www.dailykos.com/user/furiousxxgeorge)

Please don't let the HBGary (http://arstechnica.com/tech-policy/news/2011/02/anonymous-to-security-firm-working-with-fbi-youve-angered-the-hive.ars) story die. The importance of what Anonymous has discovered is not being paid an appropriate amount of media attention. Even here, I know everyone is super excited about world changing events in Egypt, but that situation is in celebration mode for now and we have our own crisis to deal with. Let me try and get you up to date if you have not been following this issue too closely.

Earlier this week the group known as Anonymous brutally hacked a security firm called HBGary in retaliation for an attempt to infiltrate (http://uk.finance.yahoo.com/news/Cyberactivists-warned-arrest-ftimes-3487898538.html?x=0) the group and sell information about them to the FBI. It was a nice funny story of arrogance and comeuppance (http://img838.imageshack.us/img838/2294/internetsanon.jpg), but at the same time it was a criminal action.
However, the information Anonymous uncovered in the E-Mails they stole in their break-in make it clear their action wasn't a crime against an innocent. HBGary was planning criminal actions that make a simple hacking job look like nothing. This was more like a mob war than anything else.
Anonymous discovered that HBGary was conspiring with a law/lobbying firm known as Hunton and Williams (http://en.wikipedia.org/wiki/Hunton_%26_Williams) to launch a highly sophisticated campaign to subvert and sabotage the enemies of their clients. In some cases these plans involved illegal actions. The targets were journalists, labor unions, and political opponents.
One client was Bank of America, who hired Hunton and Williams to launch a campaign against Wikileaks (http://www.escapistmagazine.com/news/view/107699-Anonymous-Target-Planned-to-Take-Down-WikiLeaks). At some point the list of targets was expanded to various other supporters of Wikileaks such as journalist Glenn Greenwald. The other client so far revealed was the Chamber of Commerce, which wished to target labor unions (http://emptywheel.firedoglake.com/2011/02/10/will-the-chamber-continue-wits-hbgary-work-now-that-theyve-been-hacked/) and a shockingly long list of their supporters.
The main tool of attack would be the use of the Palantir (http://en.wikipedia.org/wiki/Palantir_Technologies) technology to analyze the network of support for the targets.

“Palantir offers a Java-based platform for analyzing, integrating, and visualizing data of all kinds, including structured, unstructured, relational, temporal, and geospatial.” This is what the chamber hoped to accomplish, from Mother Jones (http://motherjones.com/mojo/2011/02/chamberleaks-strategies-defame-foes-us-chamber-revealed?utm_source=twitterfeed&utm_medium=twitter&utm_campaign=Feed:+Motherjones/mojoblog+%28MotherJones.com+%7C+MoJoBlog%29):

“Early emails sent between the security firms by Pat Ryan of Berico Technologies describe a conversation with the Chamber’s law firm about the proposed project: “The problem that they’ve identified is this: A client of theirs is targeted by some other entity, specifically a labor union, that is trying to extract some kind of concession or favorable outcome. They suspect that this entity is running a public campaign against their client by coordinating the actions of hundreds of seemingly separate entities to create a negative public impression of the client. The ultimate goal would be to extract the concession under duress – essentially extortion in their view.
They haven’t told us the name or nature of the client, so I can only guess at what this means, but you can imagine for instance an environmental campaign targeted at an oil company as a notional example.
They seek to understand the true nature of the campaign and its command and control structure in order to expose the fact that the client is dealing with a single entity rather than a true “grassroots” campaign.
They further suspect that most of the actions and coordination take place through online means – forums, blogs, message boards, social networking, and other parts of the “deep web.” But they want to marry those online, “cyber” sources with traditional open source data, tax records, fundraising records, donation records, letters of incorporation, etc. I believe they want to trace all the way from board structure down to the individuals carrying out actions.”
This is a plan for a full scale frontal attack on all their union enemies and anyone who supports them. It would analyze their online activities, their personal finances...literally everything even down to independent bloggers.
How did Hunton and Williams convince the Chamber that HBGary were the people for the job? The e-mails reveal that a H&W attorney named Robert Quackenboss claimed the Chamber was convinced by the “Iranian Shipping Demo” (http://emptywheel.firedoglake.com/2011/02/10/from-the-chamberpot-a-carefully-worded-nondenial-denial/)

- Despite earlier conversations with John Woods (and/or Richard), H&W is unable/unwilling to pay any fees/costs to us for the “Phase I” demo build-out. Bob Q was under the impression we were willing to do this work at risk and then present jointly with H&W to the Chamber. I was very clear in telling him we had a different understanding based on multiple conversations with others at H&W. At the end of the day, though, they are at a point now where they won’t commit any funds to this project until we’ve helped them earn buy-in from their Client (the Chamber).
- Based on this, I said I would talk with you all and get buy-in for the following course of action:
1. Meet with Bob and team early next week (Mon/Tues) to get additional metadata and select focused topic(s) for the demo to the Chamber
2. Work as joint team to build 5-10 min demo (along the lines of the Iranian shipping demo – which is what Bob Q said sold the Chamber in the first place – great work Sam!)
3. Brief demo to the Chamber on 14 Feb (or potentially a few days later…based on confirming schedule for meeting with Chamber)
4. Once approved, begin enduring work at agreed upon rates (approx. $250-300k per month for the entire team – both services and license fees)
Note the date, this was all going to the Chamber this Monday if not for Anonymous. Do we really believe they had no idea what the content of that briefing would be?
Here is the Iranian demo. (http://www.youtube.com/watch?v=xfWrm0uD2II) The demo is about tracking Iranian arms smuggling, this is the type of technology they were going to bring to their campaign against their opponents. They mean business in a deadly serious way.
Quackenboss is an expert on union matters (http://www.hunton.com/bios/bio.aspx?id=14693):

“Mr. Quackenboss is a trial lawyer whose practice focuses on complex labor and business disputes. He represents clients in federal and state courts nationwide, before the National Labor Relations Board, and in the tactical and public communications response to union-coordinated attack campaigns. He counsels employers on practical global labor relations strategies, collective bargaining and management of union elections. Mr. Quackenboss also co-chairs the firm's Unfair Competition and Information Protection Task Force, which coordinates the firm's resources on trade secret theft, restrictive covenant and non-competition matters.”

The analysis abilities of HBGary and their use of Palantir software were, in the case of their actions against Anonymous, described by one of their own programmers (http://www.net-security.org/secworld.php?id=10572) as completely statistically invalid.

"He's on a bad path. He's talking about his analytics and that he can prove things statistically but he hasn't proven anything mathematically nor has he had any of his data vetted for accuracy, yet he keeps briefing people and giving interviews. It's irresponsible to make claims/accusations based off of a guess from his best gut feeling when he has even told me that he believes his gut, but more often than not it's been proven wrong. I feel his arrogance is catching up to him again and that has never ended well...for any of us."

This seems to be supported by the fact that even after Anonymous publicly released the data that had been gathered about them, the group still seems to be in perfect working order (http://twitter.com/AnonymousLeaks#), releasing new leaked e-mails every day. In other words, whatever connections HBGary found to make about their labor and Wikileaks targets would likely be nothing more than a tenuous web of guilt by association that would serve only to slime the innocent. The ultimate high tech Glenn Beck chalk board.
In addition to the Palantir program, which is already of questionable legality for this application, H&W was conspiring with HBGary to perform several clearly illegal actions (http://www.salon.com/news/opinion/glenn_greenwald/2011/02/11/campaigns) in their campaign. These actions included cyberstalking and cyber-attacks against their targets.

The leaked report suggested numerous ways to destroy WikiLeaks, some of them likely illegal -- including planting fake documents with the group and then attacking them when published; "creat[ing] concern over the security" of the site; "cyber attacks against the infrastructure to get data on document submitters"; and a "media campaign to push the radical and reckless nature of wikileaks activities."

So far, there is no evidence that the Department of Justice will start any sort of investigation into this matter. (Much like they utterly failed to investigate cyber attacks against Wikileaks in the past.) In this case the reluctance may be because the Department of Justice itself is the one who recommended Hunton and Williams (http://www.thetechherald.com/article.php/201106/6798/Data-intelligence-firms-proposed-a-systematic-attack-against-WikiLeaks) for the task of taking on Wikileaks. Hunton and Williams are the very definition of the corrupt culture the mixture of corporate and government power creates (http://www.salon.com/news/opinion/glenn_greenwald/2011/02/11/campaigns).

There are supposed to be institutions which limit what can be done in pursuit of those private-sector goals. They're called "government" and "law." But those institutions are so annexed by the most powerful private-sector elites, and so corrupted by the public officials who run them, that nobody -- least of all those elites -- has any expectation that they will limit anything. To the contrary, the full force of government and law will be unleashed against anyone who undermines Bank of America and Wall Street executives and telecoms and government and the like (such as WikiLeaks and supporters), and will be further exploited to advance the interests of those entities, but will never be used to constrain what they do. These firms vying for Bank of America's anti-WikiLeaks business know all of this full well, which is why they concluded that proposing such pernicious and possibly illegal attacks would be deemed not just acceptable but commendable.

The firms which worked alongside HBGary, Palantir (http://www.bizjournals.com/sanfrancisco/blog/2011/02/palantir-sorry-for-anti-wikileaks-plan.html) and Berico (http://www.thetechherald.com/article.php/201106/6810/Berico-Technologies-severs-ties-with-HBGary-over-WikiLeaks-plot), have already severed their relationship with HBGary. However, there has been zero pressure put on Bank of America or the Chamber of Commerce to distance themselves from the other conspirator in this matter, Hunton and Williams.
There has been no pressure to ask them to explain their relationship with the firm, or the degree of their knowledge about what was being planned. All the Chamber has done is issue a non-denial denial that claims they didn't pay HBGary, but in no way denies they were paying Hunton and Williams to negotiate on their behalf on this matter. The e-mails make it clear Hunton and Williams was aware of what was being planned.
Robert Quackenboss knew; other partners in the firm such as John Woods (http://firedoglake.com/documents/wikileaks-documents-show-chamber-paid-hbgary-to-spy-on-unions/) are mentioned as being involved in discussions as well.
Woods: (http://www.hunton.com/bios/bio.aspx?id=16017&tab=0013)

Mr. Woods' practice focuses on conducting internal investigations, advising on information security legal issues and representing corporations in government investigations and business crimes. He has a particular focus in advising corporations in the legal response to network security intrusions and data breaches. He regularly counsels clients on the related topics of electronic discovery and electronic surveillance.

What did this partner know? (http://www.nytimes.com/2011/02/12/us/politics/12hackers.html)

The e-mails include what appears to be an exchange on Nov. 9, 2010, between Aaron Barr, HBGary Federal’s chief executive, and John W. Woods, a Hunton & Williams partner who focuses on corporate investigations. Mr. Barr recounted biographical tidbits about the family of a one-time employee of a union-backed group that had challenged the chamber’s opposition to Obama administration initiatives like health care legislation. “They go to a Jewish church in DC,” Mr. Barr apparently wrote. “They have 2 kids, son and daughter.”
A week later, Mr. Barr submitted a detailed plan to Hunton & Williams for an extensive investigation into U.S. Chamber Watch and other critics of the chamber, including the possible creation of “in-depth target dossiers” and the identification of vulnerabilities in their computer networks that might be exploited.
Obama's Justice Department will, in my opinion, absolutely not get involved in this unless the coverage gets much wider and much more loud. This is a Red Alert crisis for the labor movement. The Chamber declared total war on them using the same tools used to track terrorists and arms suppliers. Kossacks, don't let this story die. Contact Bank of America and demand an explanation. Contact the Chamber of Commerce and demand an explanation. Contact the media and demand they start asking questions.
There may be plausible deniability for the Chamber and the Bank because they used their law firm as a buffer, but there is absolutely none for Hunton and Williams. The evidence in the leaked e-mails makes it clear they were complicit in the conspiracy. Contact the media and demand they hold Hunton and Williams accountable. So far, they have not even issued a statement on these matters.
Contact Palantir technology, who claim to be a progressive company (http://blogs.forbes.com/andygreenberg/2011/02/11/palantir-apologizes-for-wikileaks-attack-proposal-cuts-ties-with-hbgary/), and ask them if they will use their expertise to investigate right wing targets for us. Maybe using Palantir magic to look at the connection between Republicans and racist militia groups would be a nice start.

Updated by furiousxxgeorge at Sun Feb 13, 2011, 06:17:55 PM

I want to emphasize something. The deal with the Chamber was deep into negotiations before the Bank of America and Wikileaks thing began. It was Hunton and Williams who put the entire Bank of America chain of events in motion, not HBGary (http://hbgary.operationfreedom.ru/aaron_hbgary_com/5844.html).

On Dec 2, 2010, at 3:55 PM, "Woods, John" wrote:

Richard and I am meeting with senior executives at a large US Bank tomorrow
regarding Wikileaks. We want to sell this team as part of what we are
talking about. I need a favor. I need five to six slides on Wikileaks -
who they are, how they operate and how this group may help this bank.
Please advise if you can help get me something ASAP. My call is at noon.

These guys have to go down.
Social networking and cyber security, a CIA presentation given to HBGary in 2009. (http://luxembourg.cryptoanarchy.org/greg_hbgary_com/3416.html)
Well, I'm certainly glad the CIA was around to give them the skills they would later use to go after organized labor.
Here is the searchable database of e-mails. (http://hbgary.crowdleaks.org/)
Absolute must-read e-mail. (http://hbgary.operationfreedom.ru/aaron_hbgary_com/5523.html) Even HBGary knew what they were doing to workers and free speech activists was wrong. Anything for a buck in modern America, I guess.

Magda Hassan
02-15-2011, 08:01 AM
Spy games: Inside the convoluted plot to bring down WikiLeaks

By Nate Anderson (http://arstechnica.com/author/nate-anderson/) | Last updated February 14, 2011 1:32 PM
When Aaron Barr was finalizing a recent computer security presentation for the US Transportation Security Administration, a colleague had a bit of good-natured advice for him: "Scare the sh*t out of them!"
In retrospect, this may not have been the advice Barr needed. As CEO of the government-focused infosec company HBGary Federal, Barr had to bring in big clients—and quickly—as the startup business hemorrhaged cash. To do so, he had no problem with trying to "scare the sh*t out of them." When working with a major DC law firm in late 2010 on a potential deal involving social media, for instance, Barr decided that scraping Facebook to stalk a key partner and his family might be a good idea. When he sent his law firm contact a note filled with personal information about the partner, his wife, her family, and her photography business, the result was immediate.
"Thanks. I am not sure I will share what you sent last night—he might freak out."
This rather creepy behavior became common; Barr used it as a sign of his social media prowess. Another target of his investigations went to "a Jewish Church in DC, the Temple Micah." Someone else "married @ the Inn at Perry Cabin in St. Michaels, MD (non-denominational ceremony)." Barr was even willing to helpfully guesstimate the ages of children in photographs ("they have 2 kids, son and daughter look to be 7 and 4").
Barr's rundown on his H&W contact

With one potential client, Barr sifted the man's social media data and then noted that "I am tempted to create a person from his highschool and send him a request, but that might be overstepping it."
As the money ran out on HBGary Federal, Barr increasingly had no problem "overstepping it." In November, when a major US bank wanted a strategy for taking down WikiLeaks, Barr immediately drafted a presentation in which he suggested "cyber attacks against the infrastructure to get data on document submitters. This would kill the project. Since the servers are now in Sweden and France, putting a team together to get access is more straightforward."
HBGary's "special ops," from an early slide

Faking documents seemed like a good idea, too, documents which could later be "called out" so as to make WikiLeaks look unreliable.
And Barr wanted to go further, pushing on people like civil liberties Salon.com columnist Glenn Greenwald—apparently hoping to threaten their livelihoods. "These are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause, such is the mentality of most business professionals," he wrote. "Without the support of people like Glenn WikiLeaks would fold."
When the US Chamber of Commerce wanted to look into some of its opponents, Barr teamed with two other security companies and went nuts, proposing that the Chamber create an absurdly expensive "fusion cell" of the kind "developed and utilized by Joint Special Operations Command (JSOC)"—and costing $2 million a month. And if the fusion cell couldn't turn up enough opposition research, the security firms would be happy to create honeypot websites to lure the Chamber's union-loving opponents in order to grab more data from them.
The security companies even began grabbing tweets from liberal activists and mapping the connections between people using advanced link analysis software most often used by the intelligence community. (Some of the Chamber material was unearthed by ThinkProgress (http://thinkprogress.org/2011/02/10/lobbyists-chamberleaks/) and other liberal bloggers (http://emptywheel.firedoglake.com/2011/02/10/will-the-chamber-continue-wits-hbgary-work-now-that-theyve-been-hacked/), while The Tech Herald (http://www.thetechherald.com/article.php/201106/6798/Data-intelligence-firms-proposed-a-systematic-attack-against-WikiLeaks) and Crowdleaks.org (http://crowdleaks.org/) first wrote about the proposed WikiLeaks attacks.)
While waiting to see if his proposals would result in work for HBGary Federal, Barr turned in January to unmask the leadership of the hacker collective Anonymous (http://www.ft.com/cms/s/0/87dc140e-3099-11e0-9de3-00144feabdc0.html). This part of the story is well known by now (read our investigative feature (http://arstechnica.com/tech-policy/news/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price.ars)): when Barr went public with his findings, Anonymous took down his website, stole his e-mails, deleted the company's backup data, trashed Barr's Twitter account, and remotely wiped his iPad.
In the days since the attack and the publication of Barr's e-mails, his partners at other security firms threw him under the bus. "I have directed the company to sever any and all contacts with HB Gary," said the CEO of Palantir.
Berico Technologies, another private security firm, said that it "does not condone or support any effort that proactively targets American firms, organizations or individuals. We find such actions reprehensible and are deeply committed to partnering with the best companies in our industry that share our core values. Therefore, we have discontinued all ties with HBGary Federal."
Glenn Greenwald unleashed both barrels (http://www.salon.com/news/opinion/glenn_greenwald/2011/02/11/campaigns/index.html) of his own, claiming that "what is set forth in these proposal... quite possibly constitutes serious crimes. Manufacturing and submitting fake documents with the intent they be published likely constitutes forgery and fraud. Threatening the careers of journalists and activists in order to force them to be silent is possibly extortion and, depending on the specific means to be used, constitutes other crimes as well. Attacking WikiLeaks' computer infrastructure in an attempt to compromise their sources undoubtedly violates numerous cyber laws."
How did Barr, a man with long experience in security and intelligence, come to spend his days as a CEO e-stalking clients and their wives on Facebook? Why did he start performing "reconnaissance" on the largest nuclear power company in the US? Why did he suggest pressuring corporate critics to shut up, even as he privately insisted that corporations "suck the lifeblood out of humanity"? And why did he launch his ill-fated investigation into Anonymous, one which may well have destroyed his company and damaged his career?
Thanks to his leaked e-mails, the downward spiral is easy enough to retrace. Barr was under tremendous pressure to bring in cash, pressure which began on November 23, 2009.
"A" players attract "A" players

That's when Barr started the CEO job at HBGary Federal. Its parent company, the security firm HBGary, wanted a separate firm to handle government work and the clearances that went with it, and Barr was brought in from Northrop Grumman to launch the operation.
In an e-mail announcing Barr's move, HBGary CEO Greg Hoglund told his company that "these two are A+ players in the DoD contracting space and are able to 'walk the halls' in customer spaces. Some very big players made offers to Ted and Aaron last week, and instead they chose HBGary. This reflects extremely well on our company. 'A' players attract 'A' players."
Barr at first loved the job. In December, he sent an e-mail at 1:30am; it was the "3rd night in a row I have woken up in the middle of the night and can't sleep because my mind is racing. It's nice to be excited about work, but I need some sleep."
Barr had a huge list of contacts, but turning those contacts into contracts for government work with a fledgling company proved challenging. Less than a year into the job, HBGary Federal looked like it might go bust.
On October 3, 2010, HBGary CEO Greg Hoglund told Aaron that "we should have a pow-wow about the future of HBGary Federal. [HBGary President] Penny and I both agree that it hasn't really been a success... You guys are basically out of money and none of the work you had planned has come in."
Aaron agreed. "This has not worked out as any of us have planned to date and we are nearly out of money," he said.
While he worked on government contracts, Barr drummed up a little business doing social media training for corporations using, in one of his slides, a bit of research into one Steven Paul Jobs.
Steve Jobs is certainly cool with this

The training sessions, following the old "scare the sh*t out of them" approach, showed people just how simple it was to dredge up personal information by correlating data from Facebook, LinkedIn, Twitter, and more. At $1,000 per person, the training could pull in tens of thousands of dollars a day, but it was sporadic. More was needed; contracts were needed, preferably multi-year ones.
Social media training bill

The parent company also had issues. A few weeks after the discussions about closing up HBGary Federal, HBGary President Penny Leavy-Hoglund (Greg's wife), sent an e-mail to her sales team, telling them "to work a quota and to bring in revenue in a timely manner. It's not 'optional' as to when it needs to close, if you haven't met your number, the closing needs to happen now, not later. You need to live, eat, breath and ensure you meet your number, not kind of hit it, MEET IT... Guys, no one is making their quota."
She concluded darkly, "I have some serious doubts about some people's ability to do their job. There will be changes coming shortly and those decisions will be new people's to make."
And then, unexpectedly, came the hope of salvation.
"Bond, Q, and Monneypenny"

By October 2010, Barr was under considerable stress. His CEO job was under threat, and the e-mails show that the specter of divorce loomed over his personal life.
On October 19, a note arrived. HBGary Federal might be able to provide part of "a complete intelligence solution to a law firm that approached us." That law firm was DC-based powerhouse Hunton & Williams, which boasted 1,000 attorneys and terrific contacts. They had a client who wanted to do a little corporate investigative work, and three small security firms thought they might band together to win the deal.
Palantir would provide its expensive link analysis software running on a hosted server, while Berico would "prime the contract supplying the project management, development resources, and process/methodology development." HBGary Federal would come alongside to provide "digital intelligence collection" and "social media exploitation"—Barr's strengths.
Team Themis logo

The three companies needed a name for their joint operation. One early suggestion: a "Corporate Threat Analysis Cell." Eventually, a sexier name was chosen: Team Themis.
Barr went to work immediately, tracking down all the information he could find on the team's H&W contact. This was the result of a few hours' work:

A bit of what I have on [redacted]. He was hard to find on Facebook as he has taken some precautions to be found. He isn't even linked with his wife but I found him. I also have a list of his friends and have defined an angle if I was to target him. He has attachment to UVA, a member of multiple associations dealing with IP, e-discovery, and nearly all of this facebook friends are of people from high school. So I would hit him from one of these three angles. I am tempted to create a person from his highschool and send him a request, but that might be overstepping it. I don't want to embarrass him, so I think I will just talk about it and he can decide for himself if I would have been successful or not.
Team Themis didn't quite understand what H&W wanted them to do, so Barr's example was simply a way to show "expertise." But it soon became clear what this was about: the US Chamber of Commerce wanted to know if certain groups attacking them were "astroturf" groups funded by the large unions.
"They further suspect that most of the actions and coordination take place through online means—forums, blogs, message boards, social networking, and other parts of the 'deep web,'" a team member explained later. "But they want to marry those online, 'cyber' sources with traditional open source data—tax records, fundraising records, donation records, letters of incorporation, etc. I believe they want to trace all the way from board structure down to the individuals carrying out actions."
H&W was putting together a proposal for the Chamber, work that Team Themis hoped to win. (It remains unclear how much the Chamber knew about any of this; it claimed later never to have paid a cent either to Team Themis or to H&W in this matter.)
Barr's plan was to dig up data from background checks, LexisNexis, LinkedIn, Facebook, Twitter, blogs, forums, and Web searches and dump it into Palantir for analysis. Hopefully, the tool could shed light on connections between the various anti-Chamber forces.
An early version of the Team Themis goal

Once that was done, Team Themis staffers could start churning out intelligence reports for the Chamber. The team wrote up a set of "sample reports" filled with action ideas like:

Create a false document, perhaps highlighting periodical financial information, and monitor to see if US Chamber Watch acquires it. Afterward, present explicit evidence proving that such transactions never occurred. Also, create a fake insider persona and generate communications with [union-backed Change to Win]. Afterward, release the actual documents at a specified time and explain the activity as a CtW contrived operation.
If needed, create two fake insider personas, using one as leverage to discredit the other while confirming the legitimacy of the second. Such work is complicated, but a well-thought out approach will give way to a variety of strategies that can sufficiently aid the formation of vetting questions US Chamber Watch will likely ask.
Create a humor piece about the leaders of CtW.

The whole team had been infected with some kind of spy movie virus, one which led them to think in terms of military intelligence operations and ham-handed attacks. The attitude could be seen in e-mails which exhorted Team Themis to "make [H&W] think that we are Bond, Q, and money penny [sic] all packaged up with a bow."
Two million a month

But what to charge for this cloak-and-dagger work? Some team members worried that the asking price for an initial deployment was too high for H&W; someone else fired back, "Their client is loaded!" Besides, that money would buy access to Palantir, Berico, and "super sleuth Aaron Barr."
As the Team Themis proposal went to one of the top H&W lawyers for potential approval, Barr continued his social media dumpster diving. He dug up information on H&W employees, Chamber opponents, even the H&W partner whose approval was needed to move this proposal forward. That last bit of data collection, which Barr sent on to H&W, led to the e-mail about how it might "freak out" the partner.
Barr's investigation into an H&W partner

If the deal came through, Barr told his HBGary colleagues, it might salvage the HBGary Federal business. "This will put us in a healthy position to chart our direction with a healthy war chest," he wrote.
Indeed it would; Team Themis decided to ask for $2 million per month, for six months, for the first phase of the project, putting $500,000 to $700,000 per month in HBGary Federal's pocket.
But the three companies disagreed about how to split the pie. In the end, Palantir agreed to take less money, but that decision had to go "way up the chain (as you can imagine)," wrote the Palantir contact for Team Themis. "The short of it is that we got approval from Dr. Karp and the Board to go ahead with the modified 40/30/30 breakdown proposed. These were not fun conversations, but we are committed to this team and we can optimize the cost structure in the long term (let's demonstrate success and then take over this market :))."
The leaders at the very top of Palantir were aware of the Team Themis work, though the details of what was being proposed by Barr may well have escaped their notice. Palantir wasn't kidding around with this contract; if selected by H&W and the Chamber, Palantir planned to staff the project with an experienced intelligence operative, a man who "ran the foreign fighter campaign on the Syrian border in 2005 to stop the flow of suicide bombers into Baghdad and helped to ensure a successful Iraqi election. As a commander, [he] ran the entire intelligence cycle: identified high-level terrorists, planned missions to kill or capture them, led the missions personally, then exploited the intelligence and evidence gathered on target to defeat broader enemy networks."
(Update: a reader points to additional emails which suggest that the "foreign fighter campaign" operative would not actually be working on the Team Themis project. Instead, Berico and Palantir would list him and another top person as "key personnel," drawing on their "creds to show our strengths," but might actually staff the project with others.)
"I don't think we can make it any further"

But the cash, which "will seem like money falling from the sky for those of us used to working in the govt sector," was not forthcoming. H&W didn't make a decision in November. Barr began to worry.
"All things we are chasing continue to get pushed to the right or just hang in limbo," he wrote. "I don't think we can make it any further. We are behind in our taxes trying to keep us afloat until a few things came through, but they are not happening fast enough." He noted that Palantir was asking "way too much money" from H&W.
As the weeks dragged on, Team Themis decided to lower its price. It sent an e-mail to H&W, saying that the three companies were "prepared to offer our services as Team Themis at a significantly lower cost (much closer to the original "Phase I" proposed costs). Does this sound like a more reasonable range in terms of pricing?"
But before H&W made a decision on the Chamber of Commerce plan, it had another urgent request for Team Themis: a major US bank had come to H&W seeking help against WikiLeaks (the bank has been widely assumed to be Bank of America, which has long been rumored to be a future WikiLeaks target).
"We want to sell this team as part of what we are talking about," said the team's H&W contact. "I need a favor. I need five to six slides on Wikileaks—who they are, how they operate and how this group may help this bank. Please advise if you can help get me something ASAP. My call is at noon."
"Attack their weak points"

By 11:30pm on the evening of December 2, Barr had cranked out a PowerPoint presentation. It called for "disinformation," "cyber attacks," and a "media campaign" against WikiLeaks.
What could HBGary Federal do?

Computer Network Attack/Exploitation
Influence and Deception Operations
Social Media Collection, Analysis, Exploitation
Digital Media Forensic Analysis

This attack capability wasn't mere bluster. HBGary had long publicized to clients its cache of 0-day exploits—attacks for which there is no existing patch. A slide from a year earlier showed that HBGary claimed unpublished 0-day exploits in everything from Flash to Java to Windows 2000.
HBGary's 0-day exploits

Another slide made clear that the company had expertise in "computer network attack," "custom malware development," and "persistent software implants."

In October 2010, HBGary CEO Greg Hoglund had tossed out a random idea for Barr, one that did not apparently seem unusual: "I suggest we create a large set of unlicensed windows-7 themes for video games and movies appropriate for middle east & asia. These theme packs would contain back doors."
Barr's ideas about WikiLeaks went beyond attacks on their infrastructure. He wrote in a separate document that WikiLeaks was having trouble getting money because its payment sources were being blocked. "Also need to get people to understand that if they support the organization we will come after them," he wrote. "Transaction records are easily identifiable."
As an idea that Barr knew was being prepared for a major US bank, the suggestion is chilling. Barr also reiterated the need to "get to the Swedish document submission server" that allowed people to upload leaked documents.
Barr's initial ideas to attack WikiLeaks

At 7:30am the next morning, Barr had another great idea—find some way to make WikiLeaks supporters like Glenn Greenwald feel like their jobs might be at stake for supporting the organization.
"One other thing," he wrote in his morning message. "I think we need to highlight people like Glenn Greenwald. Glenn was critical in the Amazon to OVH [data center] transition and helped WikiLeaks provide access to information during the transition. It is this level of support we need to attack. These are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause, such is the mentality of most business professionals. Without the support of people like Glenn WikiLeaks would fold."
This seems an absurd claim on a number of levels, but it also upped the "creep factor" dramatically. Barr was now suggesting that a major US corporation find ways to lean on a civil liberties lawyer who held a particular view of WikiLeaks, pressuring him into silence on the topic. Barr, the former Navy SIGINT officer who had traveled around the world to defend the US right to freedom of speech, had no apparent qualms about his idea.
"Discontinued all ties with HBGary Federal"

The fallout rained down quickly enough. In January, with H&W still not signing off on any big-dollar deals, Barr decided to work on a talk for the BSides security conference in San Francisco. He hoped to build on all of the social media work he was doing to identify the main participants in the Anonymous hacker collective—and by doing so to drum up business.
The decision seems to have stemmed from Barr's work on WikiLeaks. Anonymous defended WikiLeaks on several occasions in 2010, even attacking the websites of Visa and MasterCard when the companies refused to process WikiLeaks donations. But Barr also liked the thrill of chasing a dangerous quarry.
For instance, to make his point about the vulnerabilities of social media, Barr spent some time in 2010 digging into the power company Exelon and its US nuclear plants. "I am going to target the largest nuclear operator in the United States, Exelon, and I am going to do a social media targeted collection, reconnaissance against them," he wrote.
Once Barr had his social media map of connections, he could attack. As he wrote elsewhere:

Example. If I want to gain access to the Exelon plant up in Pottsdown PA I only have to go as far as LinkedIn to identify Nuclear engineers being employed by Exelon in that location. Jump over to Facebook to start doing link analysis and profiling. Add data from twitter and other social media services. I have enough information to develop a highly targeted exploitation effort.
I can and have gained access to various government and government contractor groups in the social media space using this technique (more detailed but you get the point). Given that people work from home, access home services from work—getting access to the target is just a matter of time and nominal effort.
Knowing about a target's spouse and college and business and friends makes it relatively easy to engage in a "spear phishing" attack against that person—say, a fake e-mail from an old friend, in which the target eventually reveals useful information.
Ironically, when Anonymous later commandeered Greg Hoglund's separate security site rootkit.com, it did so through a spear phishing e-mail attack on Hoglund's site administrator—who promptly turned off the site's defenses and issued a new password ("Changeme123") for a user he believed was Hoglund. Minutes later, the site was compromised.
After the Anonymous attacks and the release of Barr's e-mails, his partners furiously distanced themselves from Barr's work. Palantir CEO Dr. Alex Karp wrote (http://www.palantirtech.com/statement-from-dr-alex-karp), "We do not provide—nor do we have any plans to develop—offensive cyber capabilities... The right to free speech and the right to privacy are critical to a flourishing democracy. From its inception, Palantir Technologies has supported these ideals and demonstrated a commitment to building software that protects privacy and civil liberties. Furthermore, personally and on behalf of the entire company, I want to publicly apologize to progressive organizations in general, and Mr. Greenwald in particular, for any involvement that we may have had in these matters."
Berico said (http://www.bericotechnologies.com/releases/berico-statement-02-11-2011.pdf) (PDF) that it "does not condone or support any effort that proactively targets American firms, organizations or individuals. We find such actions reprehensible and are deeply committed to partnering with the best companies in our industry that share our core values. Therefore, we have discontinued all ties with HBGary Federal."
But both of the Team Themis leads at these companies knew exactly what was being proposed (such knowledge may not have run to the top). They saw Barr's e-mails, and they used his work. His ideas on attacking WikiLeaks made it almost verbatim into a Palantir slide about "proactive tactics."
Palantir used Barr's ideas

And Palantir had no problem scraping tweets from union supporters and creating linkages from them.
The Team Themis Palantir instance with Twitter import module

As for targeting American organizations, it was a Berico analyst who sent out the Team Themis "sample reports," the documents suggesting that the US Chamber of Commerce create false documents and false personae in its effort to "discredit the organization" US Chamber Watch.
The US Chamber of Commerce expressed shock when the Team Themis work came to light. "We’re incredulous that anyone would attempt to associate such activities with the Chamber as we’ve seen today from the Center for American Progress," said Tom Collamore (http://www.chamberpost.com/2011/02/more-baseless-attacks-on-the-chamber/) on February 10. "The security firm referenced by ThinkProgress was not hired by the Chamber or by anyone else on the Chamber’s behalf. We have never seen the document in question nor has it ever been discussed with us."
Indeed, the meeting between H&W and the Chamber on this issue was set to take place today, February 14. On February 11, the Chamber went further, issuing a new statement (http://www.chamberpost.com/2011/02/another-smear-from-the-center-for-american-progress/) saying that "it never hired or solicited proposals from HBGary, Palantir or Berico, the security firms being talked about on the Web... The leaked e-mails appear to show that HBGary was willing to propose questionable actions in an attempt to drum up business, but the Chamber was not aware of these proposals until HBGary’s e-mails leaked."
"No money, for any purpose, was paid to any of those three private security firms by the Chamber, or by anyone on behalf of the Chamber, including Hunton & Williams."
As for Hunton & Williams, they have yet to comment publicly. On February 7, however, the firm celebrated its top ranking (http://www.hunton.com/news/news.aspx?tab=0003&gen_H4ID=17552) in Computerworld's report on "Best Privacy Advisers."

Magda Hassan
02-16-2011, 01:51 PM
Anonymous speaks: the inside story of the HBGary hack

By Peter Bright (http://arstechnica.com/author/peter-bright/) | Last updated February 15, 2011 8:00 PM
It has been an embarrassing week for security firm HBGary and its HBGary Federal offshoot. HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous (http://arstechnica.com/tech-policy/news/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price.ars) and was preparing to name and shame those responsible for co-ordinating the group's actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.
When Barr told (http://arstechnica.com/tech-policy/news/2011/02/virtually-face-to-face-when-aaron-barr-met-anonymous.ars) one of those he believed to be an Anonymous ringleader about his forthcoming exposé, the Anonymous response was swift and humiliating. HBGary's servers were broken into, its e-mails pillaged and published to the world, its data destroyed, and its website defaced. As an added bonus, a second site owned and operated by Greg Hoglund, owner of HBGary, was taken offline and the user registration database published.
Over the last week, I've talked to some of those who participated in the HBGary hack to learn in detail how they penetrated HBGary's defenses and gave the company such a stunning black eye—and what the HBGary example means for the rest of us mere mortals who use the Internet.
Anonymous: more than kids

HBGary and HBGary Federal position themselves as experts in computer security. The companies offer both software and services to both the public and private sectors. On the software side, HBGary has a range of computer forensics and malware analysis tools to enable the detection, isolation, and analysis of worms, viruses, and trojans. On the services side, it offers expertise in implementing intrusion detection systems and secure networking, and performs vulnerability assessment and penetration testing of systems and software. A variety of three-letter agencies, including the NSA, appeared to be in regular contact with the HBGary companies, as did Interpol, and HBGary also worked with well-known security firm McAfee. At one time, even Apple expressed an interest in the company's products or services.
Greg Hoglund's rootkit.com is a respected resource for discussion and analysis of rootkits (software that tampers with operating systems at a low level to evade detection) and related technology; over the years, his site has been targeted by disgruntled hackers aggrieved that their wares have been discussed, dissected, and often disparaged as badly written bits of code.
One might think that such an esteemed organization would prove an insurmountable challenge for a bunch of disaffected kids to hack. World-renowned, government-recognized experts against Anonymous? HBGary should be able to take their efforts in stride.
Unfortunately for HBGary, neither the characterization of Anonymous nor the assumption of competence on the security company's part are accurate, as the story of how HBGary was hacked will make clear.
Anonymous is a diverse bunch: though they tend to be younger rather than older, their age group spans decades. Some may still be in school, but many others are gainfully employed office-workers, software developers, or IT support technicians, among other things. With that diversity in age and experience comes a diversity of expertise and ability.
It's true that most of the operations performed under the Anonymous branding have been relatively unsophisticated, albeit effective: the attacks made on MasterCard and others were distributed denial-of-service attacks using a modified version of the Low Orbit Ion Cannon (LOIC) load-testing tool. The modified LOIC enables the creation of large botnets that each user opts into: the software can be configured to take its instructions from connections to Internet Relay Chat (IRC) servers, allowing attack organizers to remotely control hundreds of slave machines and hence control large-scale attacks that can readily knock websites offline.
According to the leaked e-mails, Aaron Barr believed that HBGary's website was itself subject to a denial-of-service attack shortly after he exposed himself to someone he believed to be a top Anonymous leader. But the person I spoke to about this denied any involvement in such an attack. Which is not to say that the attack didn't happen—simply that this person didn't know about or participate in it. In any case, the Anonymous plans were more advanced than a brute force DDoS.
Time for an injection

HBGary Federal's website, hbgaryfederal.com, was powered by a content management system (CMS). CMSes are a common component of content-driven sites; they make it easy to add and update content to the site without having to mess about with HTML and making sure everything gets linked up and so on and so forth. Rather than using an off-the-shelf CMS (of which there are many, used in the many blogs and news sites that exist on the Web), HBGary—for reasons best known to its staff—decided to commission a custom CMS system from a third-party developer.
Unfortunately for HBGary, this third-party CMS was poorly written. In fact, it had what can only be described as a pretty gaping bug in it. A standard, off-the-shelf CMS would be no panacea in this regard—security flaws crop up in all of them from time to time—but it would have the advantage of many thousands of users and regular bugfixes, resulting in a much lesser chance of extant security flaws.
The custom solution on HBGary's site, alas, appeared to lack this kind of support. And if HBGary conducted any kind of vulnerability assessment of the software—which is, after all, one of the services the company offers—then its assessment overlooked a substantial flaw.
The hbgaryfederal.com CMS was susceptible to a kind of attack called SQL injection (http://en.wikipedia.org/wiki/SQL_injection). In common with other CMSes, the hbgaryfederal.com CMS stores its data in an SQL database, retrieving data from that database with suitable queries. Some queries are fixed—an integral part of the CMS application itself. Others, however, need parameters. For example, a query to retrieve an article from the CMS will generally need a parameter corresponding to the article ID number. These parameters are, in turn, generally passed from the Web front-end to the CMS.
SQL injection is possible when the code that deals with these parameters is faulty. Many applications join the parameters from the Web front-end with hard-coded queries, then pass the whole concatenated lot to the database. Often, they do this without verifying the validity of those parameters. This exposes the systems to SQL injection. Attackers can pass in specially crafted parameters that cause the database to execute queries of the attackers' own choosing.
The exact URL used to break into hbgaryfederal.com was http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27. The URL has two parameters named pageNav and page, set to the values 2 and 27, respectively. One or other or both of these was handled incorrectly by the CMS, allowing the hackers to retrieve data from the database that they shouldn't have been able to get.

Rainbow tables

Specifically, the attackers grabbed the user database from the CMS—the list of usernames, e-mail addresses, and password hashes for the HBGary employees authorized to make changes to the CMS. In spite of the rudimentary SQL injection flaw, the designers of the CMS system were not completely oblivious to security best practices; the user database did not store plain readable passwords. It stored only hashed passwords—passwords that have been mathematically processed with a hash function (http://en.wikipedia.org/wiki/Hash_function) to yield a number from which the original password can't be deciphered.
The key part is that you can't go backwards—you can't take the hash value and convert it back into a password. With a hash algorithm, traditionally the only way to figure out the original password was to try every single possible password in turn, and see which one matched the hash value you have. So, one would try "a," then "b," then "c"... then "z," then "aa," "ab," and so on and so forth.
To make this more difficult, hash algorithms are often quite slow (deliberately), and users are encouraged to use long passwords which mix lower case, upper case, numbers, and symbols, so that these brute force attacks have to try even more potential passwords until they find the right one. Given the number of passwords to try, and the slowness of hash algorithms, this normally takes a very long time. Password cracking software to perform this kind of brute force attack has long been available (http://www.openwall.com/john/), but its success at cracking complex passwords is low.
However, a technique first published in 2003 (http://lasecwww.epfl.ch/pub/lasec/doc/Oech03.pdf) (itself a refinement of a technique described in 1980 (http://www-ee.stanford.edu/%7Ehellman/publications/36.pdf)) gave password crackers an alternative approach. By pre-computing large sets of data and generating what are known as rainbow tables (http://en.wikipedia.org/wiki/Rainbow_table), the attackers can make a trade-off: they get much faster password cracks in return for using much more space. The rainbow table lets the password cracker pre-compute and store a large number of hash values and the passwords that generated them. An attacker can then look up the hash value that they are interested in and see if it's in the table. If it is, they can then read out the password.
To make cracking harder, good password hash implementations will use a couple of additional techniques. The first is iterative hashing: simply put, the output of the hash function is itself hashed with the hash function, and this process is repeated thousands of times. This makes the hashing process considerably slower, hindering both brute-force attacks and rainbow table generation.
The second technique is salting (http://en.wikipedia.org/wiki/Salt_%28cryptography%29); a small amount of random data is added to the password before hashing it, greatly expanding the size of rainbow table that would be required to get the password.
In principle, any hash function can be used to generate rainbow tables. However, it takes more time to generate rainbow tables for slow hash functions than it does for fast ones, and hash functions that produce a short hash value require less storage than ones that produce long hash values. So in practice, only a few hash algorithms have widely available rainbow table software available. The best known and most widely supported of these is probably MD5 (http://en.wikipedia.org/wiki/MD5), which is quick to compute and produces an output that is only 128 bits (16 bytes) per hash. These factors together make it particularly vulnerable to rainbow table attacks. A number of software projects (http://project-rainbowcrack.com/) exist that allow the generation or downloading of MD5 rainbow tables, and their subsequent use to crack passwords.
As luck would have it, the hbgaryfederal.com CMS used MD5. What's worse is that it used MD5 badly: there was no iterative hashing and no salting. The result was that the downloaded passwords were highly susceptible to rainbow table-based attacks, performed using a rainbow table-based password cracking website. And so this is precisely what the attackers did; they used a rainbow table cracking tool to crack the hbgaryfederal.com CMS passwords.
Even with the flawed usage of MD5, HBGary could have been safe thanks to a key limitation of rainbow tables: each table only spans a given "pattern" for the password. So for example, some tables may support "passwords of 1-8 characters made of a mix of lower case and numbers," while others can handle only "passwords of 1-12 characters using upper case only."
A password that uses the full range of the standard 95 typeable characters (upper and lower case letters, numbers, and the standard symbols found on a keyboard) and which is unusually long (say, 14 or more characters) is unlikely to be found in a rainbow table, because the rainbow table required for such passwords will be too big and take too long to generate.
Alas, two HBGary Federal employees—CEO Aaron Barr and COO Ted Vera—used passwords that were very simple; each was just six lower case letters and two numbers. Such simple combinations are likely to be found in any respectable rainbow table, and so it was that their passwords were trivially compromised.
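To make the difference concrete, here is an added illustration (not code from the article or from the hbgaryfederal.com CMS) of the unsalted single-MD5 scheme described above beside a salted, iterated scheme. The PBKDF2 round count, the sample passwords and the tiny precomputed table are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Scheme the article attributes to the hbgaryfederal.com CMS: a single MD5
# over the password, with no salt and no iteration.
def naive_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Hardened scheme (an added illustration, not the CMS's code): a random
# 16-byte salt per user and thousands of HMAC-SHA256 rounds via PBKDF2.
# The round count is an assumed work factor, not a value from the article.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$rounds$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    try:
        scheme, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# A tiny constructed precomputed table standing in for a rainbow table:
# digests computed once, then reused against every dump of unsalted hashes.
def build_lookup(candidates: Iterable[str]) -> Dict[str, str]:
    return {naive_md5(p): p for p in candidates}


def demo() -> Dict[str, object]:
    """Two users sharing one weak password (constructed, with the shape the
    article describes: six lower-case letters and two digits)."""
    weak = "abcdef12"
    table = build_lookup(["abcdef12", "qwerty99", "zzzzzz00"])  # constructed

    naive_a, naive_b = naive_md5(weak), naive_md5(weak)
    salted_a, salted_b = hash_password(weak), hash_password(weak)

    return {
        # identical inputs give identical MD5 digests, so one table entry
        # exposes every user who picked that password
        "naive_same": naive_a == naive_b,
        "naive_cracked": sum(h in table for h in (naive_a, naive_b)),
        # per-user salts make the stored records differ, so a table built
        # once cannot be reused against them
        "salted_same": salted_a == salted_b,
        "salted_cracked": sum(h in table for h in (salted_a, salted_b)),
        "salted_verifies": verify_password(weak, salted_a)
                           and verify_password(weak, salted_b),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```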

For a security company to use a CMS that was so flawed is remarkable. Failing at the proper handling of passwords—iterative hashing, using salts and slow algorithms—and at protection against SQL injection attacks are basic errors. Their system did not fall prey to some subtle, complex issue: it was broken into with basic, well-known techniques. And though not all the passwords were retrieved through the rainbow tables, two were, because they were so poorly chosen.
HBGary owner Penny Leavy said in a later IRC chat with Anonymous that the company responsible for implementing the CMS has since been fired (http://pastebin.com/x69Akp5L).
Password problems

Still, badly chosen passwords aren't such a big deal, are they? They might have allowed someone to deface the hbgaryfederal.com website—admittedly embarrassing—but since everybody knows that you shouldn't reuse passwords across different systems, that should have been the extent of the damage, surely?
Unfortunately for HBGary Federal, it was not. Neither Aaron nor Ted followed best practices. Instead, they used the same password in a whole bunch of different places, including e-mail, Twitter accounts, and LinkedIn. For both men, the passwords allowed retrieval of e-mail. However, that was not all they revealed. Let's start with Ted's password first.
Along with its webserver, HBGary had a Linux machine, support.hbgary.com, on which many HBGary employees had shell accounts with ssh access, each with a password used to authenticate the user. One of these employees was Ted Vera, and his ssh password was identical to the cracked password he used in the CMS. This gave the hackers immediate access to the support machine.
ssh doesn't have to use passwords for authentication. Passwords are certainly common, but they're also susceptible to this kind of problem (among others). To combat this, many organizations and users, particularly those with security concerns, do not use passwords for ssh authentication. Instead, they use public key cryptography: each user has a key made up of a private part and a public part. The public part is associated with their account, and the private part is kept, well, private. ssh then uses these two keys to authenticate the user.
Since these private keys are not as easily compromised as passwords—servers don't store them, and in fact they never leave the client machine—and aren't readily re-used (one set of keys might be used to authenticate with several servers, but they can't be used to log in to a website, say), they are a much more secure option. Had they been used for HBGary's server, it would have been safe. But they weren't, so it wasn't.
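A small auditor for the sshd settings the article says should have been in place (keys only, no password logins, no direct root login), added here as an example and not taken from the article or from HBGary. The two configuration fragments are constructed, the fallback values are OpenSSH's documented defaults, and everything after the first Match line is skipped as an assumption of this example.

```python
import re
from typing import Dict, List, Set

# Constructed sshd_config fragment mirroring the setup the article describes:
# root login disabled, but passwords still accepted for ordinary users.
WEAK_SSHD_CONFIG = """\
# constructed sample, not a real host's configuration
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication no
"""

# The same host after moving to key-only authentication (also constructed).
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

# Values OpenSSH uses when the keyword is absent. PermitRootLogin defaults to
# prohibit-password in current releases (older ones defaulted to yes, so set
# it explicitly on anything old).
DEFAULTS: Dict[str, str] = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}

# What a key-only host should show for each keyword.
ALLOWED: Dict[str, Set[str]] = {
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "pubkeyauthentication": {"yes"},
}

# keyword and value separated by whitespace, or by an optional "=".
KEYVAL = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global value of each keyword, lower-cased.

    sshd honours the FIRST value it reads for a keyword, so later duplicates
    are ignored. Everything after the first Match line is conditional, so
    this example audits the global section only."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = KEYVAL.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip().lower()
        else:
            key, value = line.lower(), ""
        if key == "match":
            break
        effective.setdefault(key, value)      # first occurrence wins
    return effective


def audit_sshd_config(text: str) -> List[str]:
    """Findings for settings that still permit password-based logins."""
    effective = parse_sshd_config(text)
    findings: List[str] = []
    for key, allowed in ALLOWED.items():
        actual = effective.get(key, DEFAULTS[key])
        if actual not in allowed:
            findings.append(
                f"{key} is '{actual}' (expected one of {sorted(allowed)})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG),
                      ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```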
Although attackers could log on to this machine, the ability to look around and break stuff was curtailed: Ted was only a regular non-superuser. Being restricted to a user account can be enormously confining on a Linux machine. It spoils all your fun; you can't read other users' data, you can't delete files you don't own, you can't cover up the evidence of your own break-in. It's a total downer for hackers.
The only way they can have some fun is to elevate privileges through exploiting a privilege escalation vulnerability. These crop up from time to time and generally exploit flaws in the operating system kernel or its system libraries to trick it into giving the user more access to the system than should be allowed. By a stroke of luck, the HBGary system was vulnerable to just such a flaw. The error was published in October last year (http://seclists.org/fulldisclosure/2010/Oct/257), conveniently with a full, working exploit. By November, most distributions had patches available, and there was no good reason to be running the exploitable code in February 2011.
Exploitation of this flaw gave the Anonymous attackers full access to HBGary's system. It was then that they discovered many gigabytes of backups and research data, which they duly purged from the system.
Aaron's password yielded even more fruit. HBGary used Google Apps for its e-mail services, and for both Aaron and Ted, the password cracking provided access to their mail. But Aaron was no mere user of Google Apps: his account was also the administrator of the company's mail. With his higher access, he could reset the passwords of any mailbox and hence gain access to all the company's mail—not just his own. It's this capability that yielded access to Greg Hoglund's mail.
And what was done with Greg's mail?
A little bit of social engineering, that's what.

A little help from my friends

Contained within Greg's mail were two bits of useful information. One: the root password to the machine running Greg's rootkit.com site was either "88j4bb3rw0cky88" or "88Scr3am3r88". Two: Jussi Jaakonaho, "Chief Security Specialist" at Nokia, had root access. Vandalizing the website stored on the machine was now within reach.
The attackers just needed a little bit more information: they needed a regular, non-root user account to log in with, because as a standard security procedure, direct ssh access with the root account is disabled. Armed with the two pieces of knowledge above, and with Greg's e-mail account in their control, the social engineers set about their task. The e-mail (http://pastebin.com/kN04jpXu) correspondence (http://pastebin.com/tSiQevxe) tells the whole story:

From: Greg
To: Jussi
Subject: need to ssh into rootkit
im in europe and need to ssh into the server. can you drop open up
firewall and allow ssh through port 59022 or something vague?
and is our root password still 88j4bb3rw0cky88 or did we change to
88Scr3am3r88 ?
thanks

-------------------------------------

From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
hi, do you have public ip? or should i just drop fw?
and it is w0cky - tho no remote root access allowed

-------------------------------------

From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
no i dont have the public ip with me at the moment because im ready
for a small meeting and im in a rush.
if anything just reset my password to changeme123 and give me public
ip and ill ssh in and reset my pw.

-------------------------------------

From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
it should now accept from anywhere to 47152 as ssh. i am doing
testing so that it works for sure.
your password is changeme123

i am online so just shoot me if you need something.

in europe, but not in finland? :-)

_jussi

-------------------------------------

From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
if i can squeeze out time maybe we can catch up.. ill be in germany
for a little bit.

anyway I can't ssh into rootkit. you sure the ips still

thanks

-------------------------------------

From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
does it work now?

-------------------------------------

From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
yes jussi thanks

did you reset the user greg or?

-------------------------------------

From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
nope. your account is named as hoglund

-------------------------------------

From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
yup im logged in thanks ill email you in a few, im backed up

thanks

Thanks indeed. To be fair to Jussi, the fake Greg appeared to know the root password and, well, the e-mails were coming from Greg's own e-mail address. But over the course of a few e-mails it was clear that "Greg" had forgotten both his username and his password. And Jussi handed them to him on a platter.
Later on, Jussi did appear to notice something was up:

From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
did you open something running on high port?

As with the HBGary machine, this could have been avoided if keys had been used instead of passwords. But they weren't. Rootkit.com was now compromised.
Standard practice


Once the username and password were known, defacing the site was easy. Log in as Greg, switch to root, and deface away! The attackers went one better than this, however: they dumped the user database for rootkit.com, listing the e-mail addresses and password hashes for everyone who'd ever registered on the site. And, as with the hbgaryfederal.com CMS system, the passwords were hashed with a single naive use of MD5, meaning that once again they were susceptible to rainbow table-based password cracking. So the crackable passwords were cracked, too.
So what do we have in total? A Web application with SQL injection flaws and insecure passwords. Passwords that were badly chosen. Passwords that were reused. Servers that allowed password-based authentication. Systems that weren't patched. And an astonishing willingness to hand out credentials over e-mail, even when the person being asked for them should have realized something was up.
The thing is, none of this is unusual. Quite the opposite. The Anonymous hack was not exceptional: the hackers used standard, widely known techniques to break into systems, find as much information as possible, and use that information to compromise further systems. They didn't have to, for example, use any non-public vulnerabilities or perform any carefully targeted social engineering. And because of their desire to cause significant public disruption, they did not have to go to any great lengths to hide their activity.
Nonetheless, their attack was highly effective, and it was well-executed. The desire was to cause trouble for HBGary, and that they did. Especially in the social engineering attack against Jussi, they used the right information in the right way to seem credible.
Most frustrating for HBGary must be the knowledge that they know what they did wrong, and they were perfectly aware of best practices; they just didn't actually use them. Everybody knows you don't use easy-to-crack passwords, but some employees did. Everybody knows you don't re-use passwords, but some of them did. Everybody knows that you should patch servers to keep them free of known security flaws, but they didn't.
And HBGary isn't alone. Analysis (http://www.lightbluetouchpaper.org/2011/02/09/measuring-password-re-use-empirically/) of the passwords leaked from rootkit.com and Gawker shows that password re-use is extremely widespread, with something like 30 percent of users re-using their passwords. HBGary won't be the last site to suffer from SQL injection, either, and people will continue to use password authentication for secure systems because it's so much more convenient than key-based authentication.
So there are clearly two lessons to be learned here. The first is that the standard advice is good advice. If all best practices had been followed then none of this would have happened. Even if the SQL injection error was still present, it wouldn't have caused the cascade of failures that followed.
The second lesson, however, is that the standard advice isn't good enough. Even recognized security experts who should know better won't follow it. What hope does that leave for the rest of us?

Magda Hassan
02-20-2011, 08:05 AM
Black ops: how HBGary wrote backdoors for the government

By Nate Anderson (http://arstechnica.com/author/nate-anderson/) | Last updated February 19, 2011 3:05 PM
On November 16, 2009, Greg Hoglund, a cofounder of computer security firm HBGary, sent an e-mail to two colleagues. The message came with an attachment, a Microsoft Word file called AL_QAEDA.doc, which had been further compressed and password protected for safety. Its contents were dangerous.
"I got this word doc linked off a dangler site for Al Qaeda peeps," wrote Hoglund. "I think it has a US govvy payload buried inside. Would be neat to [analyze] it and see what it's about. DONT open it unless in a [virtual machine] obviously… DONT let it FONE HOME unless you want black suits landing on your front acre. :-)"
The attached document, which is in English, begins: "LESSON SIXTEEN: ASSASSINATIONS USING POISONS AND COLD STEEL (UK/BM-154 TRANSLATION)."
It purports to be an Al-Qaeda document on dispatching one's enemies with knives (try "the area directly above the genitals"), with ropes ("Choking… there is no other area besides the neck"), with blunt objects ("Top of the stomach, with the end of the stick."), and with hands ("Poking the fingers into one or both eyes and gouging them.").
But the poison recipes, for ricin and other assorted horrific bioweapons, are the main draw. One, purposefully made from a specific combination of spoiled food, requires "about two spoonfuls of fresh excrement." The document praises the effectiveness of the resulting poison: "During the time of the destroyer, Jamal Abdul Nasser, someone who was being severely tortured in prison (he had no connection with Islam), ate some feces after losing sanity from the severity of the torture. A few hours after he ate the feces, he was found dead."
The purported Al-Qaeda document

According to Hoglund, the recipes came with a side dish, a specially crafted piece of malware meant to infect Al-Qaeda computers. Is the US government in the position of deploying the hacker's darkest tools—rootkits, computer viruses, trojan horses, and the like? Of course it is, and Hoglund was well-positioned to know just how common the practice had become. Indeed, he and his company helped to develop these electronic weapons.
Thanks to a cache of HBGary e-mails leaked by the hacker collective Anonymous (http://arstechnica.com/tech-policy/news/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price.ars), we have at least a small glimpse through a dirty window into the process by which tax dollars enter the military-industrial complex and emerge as malware.
Task B

In 2009, HBGary had partnered with the Advanced Information Systems group of defense contractor General Dynamics to work on a project euphemistically known as "Task B." The team had a simple mission: slip a piece of stealth software onto a target laptop without the owner's knowledge.
HBGary white paper on exploiting software

They focused on ports—a laptop's interfaces to the world around it—including the familiar USB port, the less-common PCMCIA Type II card slot, the smaller ExpressCard slot, WiFi, and Firewire. No laptop would have all of these, but most recent machines would have at least two.
The HBGary engineering team broke this list down into three categories. First came the "direct access" ports that provided "uninhibited electronic direct memory access." PCMCIA, ExpressCard, and Firewire all allowed external devices—say a custom piece of hardware delivered by a field operative—to interact directly with the laptop with a minimum amount of fuss. The direct memory access provided by the controllers for these ports means that devices in them can write directly to the computer's memory without intervention from the main CPU and with little restriction from the operating system. If you want to overwrite key parts of the operating system to sneak in a bit of your own code, this is the easiest way to go.
The second and third categories, ports that needed "trust relationships" or relied on "buffer overflows," included USB and wireless networking. These required more work to access, especially if one wanted to do so without alerting a user; Windows in particular is notorious for the number of prompts it throws when USB devices are inserted or removed. A cheerful note about "Searching for device driver for NSA_keylogger_rootkit_tango" had to be avoided.
So HBGary wanted to go the direct access route, characterizing it as the "low hanging fruit" with the lowest risk. General Dynamics wanted HBGary to investigate the USB route as well (the ports are more common, but an attack has to trick the operating system into doing its bidding somehow, commonly through a buffer overflow).
The team had two spy movie scenarios in which its work might be used, scenarios drafted to help the team think through its approach:
1) Man leaves laptop locked while quickly going to the bathroom. A device can then be inserted and then removed without touching the laptop itself except at the target port. (i.e. one can't touch the mouse, keyboard, insert a CD, etc.)

2) Woman shuts down her laptop and goes home. One then can insert a device into the target port and assume she will not see it when she returns the next day. One can then remove the device at a later time after she boots up the machine.
Why would the unnamed client for Task B—which a later e-mail makes clear was for a government agency—want such a tool? Imagine you want access to the computer network used in a foreign government ministry, or in a nuclear lab. Such a facility can be tough to crack over the Internet; indeed, the most secure facilities would have no such external access. And getting an agent inside the facility to work mischief is very risky—if it's even possible at all.
But say a scientist from the facility uses a memory stick to carry data home at night, and that he plugs the memory stick into his laptop on occasion. You can now get a piece of custom spyware into the facility by putting a copy on the memory stick—if you can first get access to the laptop. So you tail the scientist and follow him from his home one day to a local coffee shop. He steps away to order another drink, to go to the bathroom, or to talk on his cell phone, and the tail walks past his table and sticks an all-but-undetectable bit of hardware in his laptop's ExpressCard slot. Suddenly, you have a vector that points all the way from a local coffee shop to the interior of a secure government facility.
The software exploit code actually delivered onto the laptop was not HBGary's concern; it needed only to provide a route through the computer's front door. But it had some constraints. First, the laptop owner should still be able to use the port so as not to draw attention to the inserted hardware. This is quite obviously tricky, but one could imagine a tiny ExpressCard device that slid down into the slot but could in turn accept another ExpressCard device on its exterior-facing side. This sort of parallel plugging might well go unnoticed by a user with no reason to suspect it.
HBGary's computer infiltration code then had to avoid the computer's own electronic defenses. The code should "not be detectable" by virus scanners or operating system port scans, and it should clean up after itself to eliminate all traces of entry.
Greg Hoglund was confident that he could deliver at least two laptop-access techniques in less than a kilobyte of memory each. As the author of books like Exploiting Software: How to Break Code, Rootkits: Subverting the Windows Kernel, and Exploiting Online Games: Cheating Massively Distributed Systems, he knew his way around the deepest recesses of Windows in particular.
Hoglund's special interest was in all-but-undetectable computer "rootkits," programs that provide privileged access to a computer's innermost workings while cloaking themselves even from standard operating system functions. A good rootkit can be almost impossible to remove from a running machine—if you could even find it in the first place.
Just a demo

Some of this work was clearly for demonstration purposes, and much of it was probably never deployed in the field. For instance, HBGary began $50,000 of work for General Dynamics on "Task C" in June 2009, creating a piece of malware that infiltrated Windows machines running Microsoft Outlook.
The target user would preview a specially crafted e-mail message in Outlook that took advantage of an Outlook preview pane vulnerability to execute a bit of code in the background. This code would install a kernel driver, one operating at the lowest and most trusted level of the operating system, that could send traffic over the computer's serial port. (The point of this exercise was never spelled out, though the use of serial ports rather than network ports suggests that cutting-edge desktop PCs were not the target.)
HBGary's expertise

Once installed, the malware could execute external commands, such as sending specific files over the serial port, deleting files on the machine, or causing the infamous Windows "blue screen of death." In addition, the code should be able to pop open the computer's CD tray and blink the lights on its attached keyboards—another reminder that Task C was, at this stage, merely for a demo.
General Dynamics would presumably try to interest customers in the product, but it's not clear from the e-mails at HBGary whether this was ever successful. Even with unique access to the innermost workings of a security firm, much remains opaque; the real conversations took place face-to-face or on secure phone lines, not through e-mail, so the glimpses we have here are fragmentary at best. This care taken to avoid sending sensitive information via unencrypted e-mail stands in stark contrast with the careless approach to security that enabled the hacks (http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars) in the first place.
But that doesn't mean specific information is hard to come by—such as the fact that rootkits can be purchased for $60,000.
Step right up!

Other tools were in use and were sought out by government agencies. An internal HBGary e-mail from early 2010 asks, "What are the license costs for HBGary rk [rootkit] platform if they want to use it on guardian for afisr [Air Force Intelligence, Surveillance, and Reconnaissance]?"
The reply indicates that HBGary has several tools on offer. "Are you asking about the rootkit for XP (kernel driver that hides in plain sight and is a keylogger that exfiltrates data) or are you asking about 12 Monkeys? We've sold licenses of the 1st one for $60k. We haven't set a price on 12 Monkeys, but can."
The company had been developing rootkits for years. Indeed, it had even developed a private Microsoft Word document outlining its basic rootkit features, features which customers could have (confirming the e-mail listed above) for $60,000.
Description of the basic rootkit platform

That money bought you the rootkit source code, which was undetectable by most rootkit scanners or firewall products when it was tested against them in 2008. Only one product from Trend Micro noticed the rootkit installation, and even that alert was probably not enough to warn a user. As the HBGary rootkit document notes, "This was a low level alert. TrendMicro assaults the user with so many of these alerts in every day use, therefore most users will quickly learn to ignore or even turn off such alerts."
When installed in a target machine, the rootkit could record every keystroke that a user typed, linking it up to a Web browser history. This made it easy to see usernames, passwords, and other data being entered into websites; all of this information could be silently "exfiltrated" right through even the pickiest personal firewall.
But if a target watched its outgoing traffic and noted repeated contacts with, say, a US Air Force server, suspicions might be aroused. The rootkit could therefore connect instead to a "dead drop"—a totally anonymous server with no apparent connection to the agency using the rootkit—where the target's keyboard activity could be retrieved at a later time.
But by 2009, the existing generic HBGary rootkit package was a bit long in the tooth. Hoglund, the rootkit expert, apparently had much bigger plans for a next-gen product called "12 monkeys."
12 Monkeys

The 12 Monkeys rootkit was also a contract paid out by General Dynamics; as one HBGary e-mail noted, the development work could interfere with Task B, but "if we succeed, we stand to make a great deal of profit on this."
On April 14, 2009, Hoglund outlined his plans for the new super-rootkit for Windows XP, which was "unique in that the rootkit is not associated with any identifiable or enumerable object. This rootkit has no file, named data structure, device driver, process, thread, or module associated with it."
How could Hoglund make such a claim? Security tools generally work by scanning a computer for particular objects—pieces of data that the operating system uses to keep track of processes, threads, network connections, and so on. 12 Monkeys simply had nothing to find. "Since no object is associated with the objectless rootkit, detection will be very difficult for a security scanner," he wrote. In addition, the rootkit would encrypt itself to cloak itself further, and hop around in the computer's memory to make it even harder to find.
As for getting the data off a target machine and back to the rootkit's buyer, Hoglund had a clever idea: he disguised the outgoing traffic by sending it only when other outbound Web traffic was being sent. Whenever a user sat down at a compromised machine and started surfing the Web, their machine would slip in some extra outgoing data "disguised as ad-clicks" that would contain a log of all their keystrokes.
While the basic rootkit went for $60,000, HBGary hoped to sell 12 Monkeys for much more: "around $240k."

The goal of this sort of work is always to create something undetectable, and there's no better way to be undetectable than by taking advantage of a security hole that no one else has ever found. Once vulnerabilities are disclosed, vendors like Microsoft race to patch them, and they increasingly push those patches to customers via the Internet. Among hackers, then, the most prized exploits are "0-day" exploits—exploits for holes for which no patch yet exists.
HBGary kept a stockpile of 0-day exploits. A slide from one of the company's internal presentations showed that the company had 0-day exploits for which no patch yet existed—but these 0-day exploits had not yet even been published. No one knew about them.
The company had exploits "on the shelf" for Windows 2000, Flash, Java, and more; because they were 0-day attacks, any computer around the world running these pieces of software could be infiltrated.
One of the unpublished Windows 2000 exploits, for instance, can deliver a "payload" of any size onto the target machine using a heap exploit. "The payload has virtually no restrictions" on what it can do, a document notes, because the exploit secures SYSTEM level access to the operating system, "the highest user-mode operating system defined level" available.
These exploits were sold to customers. One email, with the subject "Juicy Fruit," contains the following list of software:
VMware ESX and ESXi *
Win2K3 Terminal Services
Solaris 10 RPC
Adobe Flash *
Sun Java *
Win2k Professional & Server
XRK Rootkit and Keylogger *
Fake Facebook friends


In June 2010, the government was expressing real interest in social networks. The Air Force issued a public request (https://www.fbo.gov/index?s=opportunity&mode=form&id=d88e9d660336be91552fe8c1a51bacb2&tab=core&_cview=1) for "persona management software," which might sound boring until you realize that the government essentially wanted the ability to have one agent run multiple social media accounts at once. It wanted 50 software licenses, each of which could support 10 personas, "replete with background, history, supporting details, and cyber presences that are technically, culturally and geographically consistent."
The software would allow these 50 cyberwarriors to peer at their monitors all day and manipulate these 10 accounts easily, all "without fear of being discovered by sophisticated adversaries." The personas would appear to come from all over the world, the better to infiltrate jihadist websites and social networks, or perhaps to show up on Facebook groups and influence public opinion in pro-US directions.
As the cyberwarriors worked away controlling their 10 personas, their computers would helpfully provide "real-time local information" so that they could play their roles convincingly.
In addition the Air Force wanted a secure virtual private network that could mask the IP addresses behind all of this persona traffic. Every day, each user would get a random IP address to help hide "the existence of the operation." The network would further mask this persona work by "traffic mixing, blending the user's traffic with traffic from multitudes of users from outside the organization. This traffic blending provides excellent cover and powerful deniability."
This sort of work most interested HBGary Federal's Aaron Barr, who was carving out a niche for himself as a social media expert. Throughout late 2010 and early 2011, he spent large chunks of his time attempting to use Facebook, Twitter, and Internet chat to map the network of Exelon nuclear plant workers in the US and to research the members of Anonymous. As money for his company dried up and government contracts proved hard to come by, Barr turned his social media ideas on pro-union forces, getting involved in a now-controversial project with two other security firms.
But e-mails make clear that he mostly wanted to sell this sort of capability to the government. "We have other customers, mostly on offense, that are interested in Social Media for other things," he wrote in August 2010. "The social media stuff seems like low hanging fruit."
How does one use social media and fake "personas" to do anything of value? An e-mail from Barr on August 22 makes his thinking clear. Barr ponders "the best way to go about establishing a persona to reach an objective (in this case ft. belvoir (http://www.belvoir.army.mil/)/INSCOM/1st IO)."
The Army's Fort Belvoir, like any secretive institution, might be more easily penetrated by pretending to be an old friend of a current employee. "Make your profile swim in a large sea," Barr wrote. "Pick a big city, big high school, big company. Work your way up and in. Recreate your history. Start by friending high school people. In my case I am in the army so after you have amassed enough friends from high school, then start friending military folks outside of your location, something that matches the area you're in, bootcamp, etc. Lastly start to friend people from the base, but start low and work your way up. So far so good."
Once the persona had this network of friends, "I will start doing things tricky. Try to manipulate conversations, insert communication streams, etc," said Barr. This sort of social media targeting could also be used to send your new "friend" documents or files (such as the Al-Qaeda poison document discussed above) [that] come complete with malware, or by directing them to specially-crafted websites designed to elicit some specific piece of information: directed attacks known as "spear phishing."
But concerns arose about obtaining and using social media data, in part because sites like Facebook restricted the "scraping" of their user data. An employee from the link analysis firm Palantir (http://www.palantirtech.com/) wrote Barr at the end of August, asking, "Is the idea that we'd want to ingest all of Facebook's data, or just a targeted subset for a few users of interest?"
The more data that was grabbed from Facebook, the more chance a problem could arise. The Palantir employee noted that a researcher had used similar tools to violate Facebook's acceptable use policy on data scraping, "resulting in a lawsuit when he crawled most of Facebook's social graph to build some statistics. I'd be worried about doing the same. (I'd ask him for his Facebook data—he's a fan of Palantir—but he's already deleted it.)"
Still, the potential usefulness of sites like Facebook was just too powerful to ignore, acceptable use policy or not.
Feeling twitchy

While Barr fell increasingly in love with his social media sleuthing, Hoglund still liked researching his rootkits. In September, the two teamed up for a proposal to DARPA (http://www.darpa.mil/), the Defense Advanced Research Projects Agency that had been instrumental in creating the Internet back in the 1960s.
DARPA didn't want incrementalism. It wanted breakthroughs (one of its most recent projects is the "100-Year Starship Study"), and Barr and Hoglund teamed up for a proposal to help the agency on its Cyber Insider Threat (CINDER) program. CINDER was an expensive effort to find new ways to watch employees with access to sensitive information and root out double agents or disgruntled workers who might leak classified information.
So Barr and Hoglund drafted a plan to create something like a lie detector, except that it would look for signs of "paranoia" instead.
"Like a lie detector detects physical changes in the body based on sensitivities to specific questions, we believe there are physical changes in the body that are represented in observable behavioral changes when committing actions someone knows is wrong," said the proposal. "Our solution is to develop a paranoia-meter to measure these observables."
The idea was to take an HBGary rootkit like 12 Monkeys and install it on user machines in such a way that users could not remove it and might not even be aware of its presence. The rootkit would log user keystrokes, of course, but it would also take "as many behavioral measurements as possible" in order to look for suspicious activity that might indicate wrongdoing.
What sort of measurements? The rootkit would monitor "keystrokes, mouse movements, and visual cues through the system camera. We believe that during particularly risky activities we will see more erratic mouse movements and keystrokes as well as physical observations such as surveying surroundings, shifting more frequently, etc."
The rootkit would also keep an eye on what files were being accessed, what e-mails were being written, and what instant messages were being sent. If necessary, the software could record a video of the user's computer screen activity and send all this information to a central monitoring office. There, software would try to pick out employees exhibiting signs of paranoia, who could then be scrutinized more closely.
Huge and obvious challenges presented themselves. As the proposal noted:

Detecting insider threat actions is highly challenging and will require a sophisticated monitoring, baselining, analysis, and alerting capability. Human actions and organizational operations are complex. You might think you can just look for people that are trying to gain access to information outside of their program area of expertise. Yet there are legitimate reasons for accessing this information. In many cases the activity you might call suspicious can also be legitimate. Some people are more or less inquisitive and will have different levels of activity in accessing information outside their specific organization. Some of the behaviors on systems vary widely depending on function. Software developer behavior will be very different than an HR person or senior manager. All of these factors need to be taken into account when developing detection capabilities for suspicious activity. We cannot focus on just [whether] a particular action is potentially suspicious. Instead we must quantify the legitimate reasons for the activity and whether this person has a baseline, position, attributes, and history to support the activity.
DARPA did not apparently choose to fund the plan.
Grey areas

The ideas got ever more grandiose. Analyzing malware, HBGary's main focus, wasn't enough to keep up with the hackers; Hoglund had a plan to get a leg up on the competition by getting even closer to malware authors. He floated an idea to sniff Russian GSM cell phone signals in order to eavesdrop on hackers' voice calls and text messages.
"GSM is easily sniffed," he wrote to Barr. "There is a SHIELD system for this that not only intercepts GSM 5.1 but can also track the exact physical location of a phone. Just to see what's on the market, check [redacted]… these have to be purchased overseas obviously."
The note concluded: "Home alone on Sunday, so I just sit here and sharpen the knife."
Barr, always enthusiastic for these kinds of ideas, loved this one. He wanted to map out everything that would be required for such an operation, including "personas, sink holes, honey nets, soft and hard assets… We would want at least one burn persona. We would want to sketch out a script to meet specific objectives."
And, he noted, "We will likely ride in some grey areas."
Back to basics

In January 2011, Barr had moved on to his research into Anonymous—research that would eventually do his company in. Over at HBGary, Hoglund continued his pursuit of next-gen rootkits. He had hit on a new approach that he called "Magenta."
This would be a "new breed of Windows-based rootkit," said a Magenta planning document, one that HBGary called a "multi-context rootkit."
The Magenta software would be written in low-level assembly language, one step up from the ones and zeroes of the binary code with which computers do their calculating. It would inject itself into the Windows kernel, and then inject itself further into an active process; only from there would the main body of the rootkit execute.
Magenta would also inject itself routinely into different processes, jumping around inside the computer's memory to avoid detection. Its command-and-control instructions, telling the rootkit exactly what to do and where to send the information, wouldn't come from some remote Internet server but from the host computer's own memory—where the control instructions had been separately injected.
"This is ideal because it’s trivial to remotely seed C&C messages into any networked Windows host," noted Hoglund, "even if the host in question has full Windows firewalling enabled."
Nothing like Magenta existed (not publicly, at least), and Hoglund was sure that he could squeeze the rootkit code into less than 4KB of memory and make it "almost impossible to remove from a live running system." Once running, all of the Magenta files on disk could be deleted. Even the best anti-rootkit tools, those that monitored physical memory for signs of such activity, "would only be of limited use since by the time the responder tried to verify his results Magenta will have already moved to a new location & context."
Hoglund wanted to build Magenta in two parts: first, a prototype for Windows XP with Service Pack 3—an old operating system but still widely installed. Second, if the prototype generated interest, HBGary could port the rootkit "to all current flavors of Microsoft Windows."
Shortly thereafter, Anonymous broke into HBGary Federal's website, cracked Barr's hashed password using rainbow tables, and found themselves in a curious position; Barr was also the administrator for the entire e-mail system, so they were able to grab e-mail from multiple accounts, including Hoglund's.
A world awash in rootkits

The leaked e-mails provide a tantalizing glimpse of life behind the security curtain. HBGary and HBGary Federal were small players in this space; indeed, HBGary appears to have made much of its cash with more traditional projects, like selling anti-malware defense tools to corporations and scanning their networks for signs of infection.
If rootkits, paranoia monitors, cartoons, and fake Facebook personas were being proposed and developed here, one can only imagine the sorts of classified projects underway throughout the entire defense and security industry.
Whether these programs are good or bad depends upon how they are used. Just as Hoglund's rootkit expertise meant that he could both detect them and author them, 0-day exploits and rootkits in government hands can be turned to many uses. The FBI has had malware like CIPAV (http://www.wired.com/threatlevel/2007/07/fbi-spyware-how/) (the Computer and Internet Protocol Address Verifier) for several years, and it's clear from the HBGary e-mail leak that the military is in wide possession of rootkits and other malware of its own. The Stuxnet virus, widely believed to have at least damaged (http://arstechnica.com/tech-policy/news/2010/12/report-strengthens-suspicions-that-stuxnet-harmed-irans-nuke-plant.ars) Iranian nuclear centrifuge operations, is thought to have originated with the US or Israeli governments (http://arstechnica.com/tech-policy/news/2011/01/did-a-us-government-lab-help-israel-develop-stuxnet.ars), for instance.
But the e-mails also remind us how much of this work is carried out privately and beyond the control of government agencies. We found no evidence that HBGary sold malware to nongovernment entities intent on hacking, though the company did have plans to repurpose its DARPA rootkit idea for corporate surveillance work. ("HBGary plans to transition technology into commercial products," it told DARPA.)
And another document, listing HBGary's work over the last few years, included this entry: "HBGary had multiple contracts with a consumer software company to add stealth capability to their host agent."
The actions of HBGary Federal's Aaron Barr also serve as a good reminder that, when they're searching for work, private security companies are more than happy to switch from military to corporate clients—and they bring some of the same tools to bear.
When asked to investigate pro-union websites and WikiLeaks, Barr turned immediately to his social media toolkit and was ready to deploy personas, Facebook scraping, link analysis, and fake websites; he also suggested computer attacks on WikiLeaks infrastructure and pressure be brought upon journalists like Glenn Greenwald.
His compatriots at Palantir and Berico (http://www.bericotechnologies.com/) showed, in their many e-mails, few if any qualms about turning their national security techniques upon private dissenting voices. Barr's ideas showed up in Palantir-branded PowerPoints and Berico-branded "scope of work" documents. "Reconnaissance cells" were proposed, network attacks were acceptable, "target dossiers" on "adversaries" would be compiled, and "complex information campaigns" involving fake personas were on the table.
Critics like Glenn Greenwald contend that this nexus of private and public security power is a dangerous mix. "The real issue highlighted by this episode is just how lawless and unrestrained is the unified axis of government and corporate power," he wrote last week (http://www.salon.com/news/opinion/glenn_greenwald/2011/02/11/campaigns/index.html).

Especially (though by no means only) in the worlds of the Surveillance and National Security State, the powers of the state have become largely privatized. There is very little separation between government power and corporate power. Those who wield the latter intrinsically wield the former.
The revolving door between the highest levels of government and corporate offices rotates so fast and continuously that it has basically flown off its track and no longer provides even the minimal barrier it once did. It's not merely that corporate power is unrestrained; it's worse than that: corporations actively exploit the power of the state to further entrench and enhance their power.
Even if you don't share this view, the e-mails provide a fascinating glimpse into the origins of government-controlled malware. Given the number of rootkits apparently being developed for government use, one wonders just how many machines around the globe could respond to orders from the US military. Or the Chinese military. Or the Russian military.
While hackers get most of the attention for their rootkits and botnets and malware, state actors use the same tools to play a different game—the Great Game—and it could be coming soon to a computer near you.

Rootkit 2009 *
The e-mail talks only about "tools," not about 0-day exploits, though that appears to be what was at issue; the list of software here matches HBGary's own list of its 0-day exploits. And the asterisk beside some of the names "means the tool has been sold to another customer on a non-exclusive basis and can be sold again."
HBGary's 0-day exploits

References to Juicy Fruit abound in the leaked e-mails. My colleague Peter Bright and I have spent days poring through the tens of thousands of messages; we believe that "Juicy Fruit" is a generic name for a usable 0-day exploit, and that interest in this Juicy Fruit was high.
"[Name] is interested in the Juicy Fruit you told him about yesterday," one e-mail reads. "Next step is I need to give [name] a write up describing it." That writeup includes the target software, the level of access gained, the max payload size, and "what does the victim see or experience."
Aaron Barr, who in late 2009 was brought on board to launch the separate company HBGary Federal (and who provoked this entire incident by trying to unmask Anonymous), wrote in one e-mail, "We need to provide info on 12 monkeys and related JF [Juicy Fruit] asap," apparently in reference to exploits that could be used to infect a system with 12 Monkeys.
HBGary also provided some Juicy Fruit to Xetron (http://www.es.northropgrumman.com/by_division/landforces/xetron/), a unit of the massive defense contractor Northrop Grumman that specialized in, among other things, "computer assault." Barr wanted to "provide Xetron with some JF code to be used for demonstrations to their end customers," one e-mail noted. "Those demonstrations could lead to JF sales or ongoing services work. There is significant revenue potential doing testing of JF code acquired elsewhere or adding features for mission specific uses."
As the deal was being worked out, HBGary worked up an agreement to "provide object code and source code for this specific Juicy Fruit" to Xetron, though Xetron could not sell the code without paying HBGary. The code included with this agreement was an "Adobe Macromedia Flash Player Remote Access Tool," the "HBGary Rootkit Keylogger Platform," and a "Software Integration Toolkit Module."
The question of who might be interested in these tools largely remains an unknown—though Barr did request information on HBGary's Juicy Fruit just after asking for contacts at SOCOM, the US Special Operations Command.
But HBGary Federal had ideas that went far beyond government rootkits and encompassed all facets of information warfare. Including, naturally, cartoons. And Second Life.

In mid-2010, HBGary Federal put together a PSYOP (psychological operations) proposal for SOCOM, which had issued a general call for new tools and techniques. In the document, the new HBGary Federal team talked up their past experience as creators of "multiple products briefed to POTUS [President of the United States], the NSC [National Security Council], and Congressional Intelligence committees, as well as senior intelligence and military leaders."
The document focused on cartoons and the Second Life virtual world. "HBGary personnel have experience creating political cartoons that leverage current events to seize the target audience's attention and propagate the desired messages and themes," said the document, noting that security-cleared cartoonists and 3D modelers had already been lined up to do the work if the government wanted some help.
Cartoon example of Ahmadinejad with a puppet ayatollah

The cartooning process "starts with gathering customer requirements such as the target audience, high level messages and themes, intended publication mediums… Through brainstorming sessions, we develop concept ideas. Approved concepts are rough sketched in pencil. Approved sketches are developed into a detailed, color end product that is suitable for publishing in a variety of mediums."
A sample cartoon, of Iranian President Ahmadinejad manipulating a puppet Ayatollah, was helpfully included.
The document then went on to explain how the US government could use a virtual world such as Second Life to propagate specific messages. HBGary could localize the Second Life client, translating its menu options and keyboard shortcuts into local dialects, and this localized client could report "valuable usage metrics, enabling detailed measures of effects." If you want to know whether your message is getting out, just look at the statistics of how many people play the game and for how long.
As for the messages themselves, those would appear within the Second Life world. "HBGary can develop an in-world advertising company, securing small plots of virtual land in attractive locations, which can be used to promote themes using billboards, autonomous virtual robots, audio, video, and 3D presentations," said the document.
They could even make a little money while they're at it, by creating "original marketable products to generate self-sustaining revenue within the virtual space as well as promote targeted messaging."
We found no evidence that SOCOM adopted the proposal.
But HBGary Federal's real interest had become social media like Facebook and Twitter—and how they could be used to explore and then penetrate secretive networks. And that was exactly what the Air Force wanted to do.
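The CINDER proposal quoted above makes a detection argument that is worth separating from the rootkit it was attached to: "access outside your program area" is a poor signal on its own, and any alert has to be weighed against the person's own baseline and against what is routine for their position. The following is an illustration of that reasoning added for this page; it is not HBGary's code or anything from the DARPA proposal. The audit records are constructed, and the field layout (user, position, program area, action) and the three scoring tiers are assumptions of the example.

```python
from collections import defaultdict

# Constructed sample audit records (not taken from the HBGary material).
# Fields: user, position, program area touched, action.
BASELINE_LOG = """\
alice developer src/project-a   read
alice developer src/project-a   write
alice developer src/build       read
bob   developer src/project-b   read
bob   developer src/project-a   read
carol hr        hr/payroll      write
carol hr        hr/reviews      read
dave  manager   hr/reviews      read
dave  manager   finance/budget  read
"""

NEW_EVENTS = """\
alice developer src/project-b   read
alice developer hr/payroll      read
carol hr        hr/payroll      read
dave  manager   src/project-a   read
erin  developer src/project-a   read
"""

# Tiers (an assumption of this example): 0 = within the person's own history,
# 1 = new for the person but routine for the position, 2 = supported by
# neither. Only tier 2 deserves an analyst's attention on its own; tier 1
# matters when it clusters for one person.


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, role, area, action = line.split()
        events.append({"user": user, "role": role, "area": area, "action": action})
    return events


def build_baselines(events):
    """Program areas each user, and each position, touched during training."""
    user_areas = defaultdict(set)
    role_areas = defaultdict(set)
    for e in events:
        user_areas[e["user"]].add(e["area"])
        role_areas[e["role"]].add(e["area"])
    return dict(user_areas), dict(role_areas)


def score_event(e, user_areas, role_areas):
    own = user_areas.get(e["user"])
    peers = role_areas.get(e["role"], set())
    if own is None:
        # No history for this person: judge against the position only.
        if e["area"] in peers:
            return 1, "no baseline for user; routine for the %s position" % e["role"]
        return 2, "no baseline for user; outside the %s position" % e["role"]
    if e["area"] in own:
        return 0, "within the user's own baseline"
    if e["area"] in peers:
        return 1, "new for the user, but routine for the %s position" % e["role"]
    return 2, "outside both the user's history and the %s position" % e["role"]


def score_events(baseline_text, new_text):
    """Score each new event against baselines built from the training window."""
    user_areas, role_areas = build_baselines(parse_events(baseline_text))
    results = []
    for e in parse_events(new_text):
        tier, reason = score_event(e, user_areas, role_areas)
        results.append((e["user"], e["area"], tier, reason))
    return results


def users_to_review(results, threshold=2):
    """Users whose summed tiers reach the threshold, worst first."""
    totals = defaultdict(int)
    for user, _area, tier, _reason in results:
        totals[user] += tier
    ranked = sorted(totals.items(), key=lambda kv: -kv[1])
    return [user for user, total in ranked if total >= threshold]


if __name__ == "__main__":
    results = score_events(BASELINE_LOG, NEW_EVENTS)
    for user, area, tier, reason in results:
        print("%-5s %-15s tier %d  %s" % (user, area, tier, reason))
    print("review:", users_to_review(results))
```

Run as a script it prints one line per new event and the users whose tiers add up to the review threshold: alice for reading payroll data that neither her history nor her position supports, and dave for reaching into a source tree no manager touched during training. A developer reading a second project's tree scores low because peers in the same position do it routinely, which is exactly the distinction the proposal says a detector must make before a human is asked to look.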

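The article notes above that Anonymous cracked Barr's hashed password using rainbow tables. The block below is an illustration added for this page, not code from the article or from HBGary; it shows why a precomputed table works against an unsalted fast hash and why it stops working once a per-user salt is added. The password space (4-digit PINs), the use of MD5, the chain length and the chain count are all assumptions of the example. The chains are stored only as endpoint-to-start pairs and regenerated on demand, which is the space/time trade-off the technique rests on.

```python
import hashlib
import hmac
import os
import string

# Constructed toy password space: 4-digit PINs, i.e. 10_000 candidates.
# Real tables target far larger spaces; the mechanics are identical.
ALPHABET = string.digits
PW_LEN = 4
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 50     # hash/reduce steps per chain (assumed)
NUM_CHAINS = 600   # stored (endpoint -> starts) pairs (assumed)


def md5_hex(pw):
    """Unsalted MD5: the kind of fast, salt-free hash a precomputed table targets."""
    return hashlib.md5(pw.encode()).hexdigest()


def index_to_pw(i):
    """Map an integer in [0, SPACE) to a candidate password."""
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[i % len(ALPHABET)])
        i //= len(ALPHABET)
    return "".join(chars)


def reduce_(digest_hex, step):
    """Reduction R_step: digest -> candidate password. Mixing in the chain
    position keeps chains that collide at different steps from merging,
    which is what distinguishes rainbow chains from plain Hellman chains."""
    return index_to_pw((int(digest_hex, 16) + step) % SPACE)


def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN):
    """Precompute start -> H -> R_0 -> H -> R_1 -> ... -> endpoint and keep
    only endpoint -> [starts]; everything between is regenerated at lookup."""
    table = {}
    for n in range(num_chains):
        start = index_to_pw((n * 7919) % SPACE)  # deterministic, spread-out starts
        pw = start
        for step in range(chain_len):
            pw = reduce_(md5_hex(pw), step)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target_hex, chain_len=CHAIN_LEN):
    """Return a preimage of target_hex if it lies on any stored chain, else None."""
    for i in range(chain_len - 1, -1, -1):
        # Hypothesis: the target is the hash at position i of some chain.
        # Walk forward from there to what would be that chain's endpoint.
        pw = reduce_(target_hex, i)
        for j in range(i + 1, chain_len):
            pw = reduce_(md5_hex(pw), j)
        for start in table.get(pw, ()):
            # Endpoint matched: regenerate the chain and test each password
            # (a match can be a false alarm from a merged chain, so verify).
            cand = start
            for step in range(chain_len):
                if md5_hex(cand) == target_hex:
                    return cand
                cand = reduce_(md5_hex(cand), step)
    return None


def coverage_fraction(table, chain_len=CHAIN_LEN):
    """Fraction of the password space reachable from the stored chains."""
    seen = set()
    for starts in table.values():
        for start in starts:
            pw = start
            for step in range(chain_len):
                seen.add(pw)
                pw = reduce_(md5_hex(pw), step)
    return len(seen) / SPACE


def salted_md5_hex(pw, salt):
    """Even a per-user salt on the same fast hash defeats a precomputed table:
    the table would have to be rebuilt for every distinct salt value."""
    return hashlib.md5(salt + pw.encode()).hexdigest()


def hash_password(pw, salt=None):
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


def verify_password(pw, salt, digest):
    return hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000), digest)


if __name__ == "__main__":
    table = build_table()
    print("distinct endpoints stored: %d, space covered: %.0f%%"
          % (len(table), 100 * coverage_fraction(table)))
    print("unsalted md5('0000') ->", lookup(table, md5_hex("0000")))
    print("salted   md5('0000') ->", lookup(table, salted_md5_hex("0000", b"user-salt")))
```

Run as a script it reports how much of the toy space the stored pairs reach, recovers the PIN behind an unsalted MD5 digest, and fails on the same PIN once a salt is prepended: the attacker would have to rebuild the table for every salt value, and with a slow KDF such as the PBKDF2 call at the end even a per-user rebuild becomes expensive. The corrective is a per-user salt next to a deliberately slow hash, not a stronger fast hash.
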
Magda Hassan
03-02-2011, 01:43 AM
1 March 2011. Add list of high-risk (http://cryptome.org/0003/hbg-trickery.htm#high-risk) files found by Norton AV in the HBG-Stuxnet-Raw file.
28 February 2011
Add two messages (http://cryptome.org/0003/hbg-trickery.htm#separate) and Cryptome note of appreciation for HBGary emails as a source of valuable technical information.

HBGary Suspected Trickery

The AV warning below appeared six days after the HBGary Stuxnet Raw Data file was offered and has been added to the Zipped file.
http://cryptome.org/0003/hbg/HBG-Stuxnet-Raw.zip (7.5MB)
Twelve Norton AV quick scans during the period failed to spot the intruder; a full scan on 28 February 2011 found it inside an HBGary Zipped file which was inside a Cryptome Zipped file. None of the other 33 HBGary files posted to Cryptome has been reported by Norton AV as a risk -- so far. Some intruders are designed to remain out of sight until a particular time or circumstance, or never revealed, quietly doing their job like Stuxnet and its kin in malware, copyright policing, cyberspying and cyberwar, all HBGary's and its kin's specialization in trickery.
While the warning may be due to the illicit characteristics of Stuxnet, there has been speculation that HBGary salted its files with hidden bait and markers for tracking thieves and invaders. The "Stuxnet" in this file may be bait for a trap or a phony virus-warning generator to scare off transgressors. HBGary researched, designed and deployed bait to test security risks as well as covertly installed security breachers using common deception techniques such as giving files popular names. HBGary emails describe measures taken when examining illicit programs on isolated machines with tools designed to avoid contamination, knowing that invaders themselves often set bait for outsmarting and entrapping researchers.
Unanswered still is what countermeasures the targets of Stuxnet have designed to use the program for counterattack, such as unleashing a modified Stuxnet version with hidden features. This appears to be one of the purposes for HBGary to research the program for McAfee and others. HBGary lying low at the moment may be attributed to its harvesting results of the all-too-easy email hack, or, if it did not facilitate the hack by lowering the security bar for Anonymous social engineering, to taking advantage of the credulity and unwariness of its email consumers to well-known security deceptions, such as social engineering and facilitated hacks for covert release of bait, tracers and markers.
Bear in mind that there has been speculation that files submitted to Wikileaks, TOR and others have been used for this purpose. Heeding security wizards such as HBGary, Cryptome regularly warns of its being used for this common ruse. The best security wizards never tell the whole truth, stating there is no such thing, there is only trickery -- that is no doubt adept social engineering of marketing. Good buddy of HBGary, Palantir, is reported today to intend to replace Google as the premier Internet spying trickster.

A sends:
When I read your post above, I went to run a quick scan on the zip file only to find that the AV program could not be started. The error message went something like 'try re-installing'. I then noticed there was no AVG icon bottom right. I immediately checked the Windows CP security centre which reported the AV program installed and running OK - but it wasn't.
I ran the repair utility on the AV prog and restarted. All then appeared - and appears OK. Running a scan on the HBG-Stuxnet-Raw.zip file then produced 26 infections in the file - per attached screenshot.
I've moved the file to a virgin thumb drive. A full scan on the original machine says it's clean but I get more paranoid by the month these days.

A2 sends:
Please, tell me you didn't see that coming. Welcome to asymmetrical warfare: and you just thought you were in the middle. I was really scratching my head when I saw the file. Now you really have something to write about.

Appreciating HBGary Emails
Cryptome: After reading several hundreds of HBGary emails and attachments, many of them not in the news due to the excessive coverage of Aaron Barr and HBGary Federal, the material offers impressive information about the dark side of cyberworld and the technological battles going on worldwide. The emails of Greg Hoglund and his correspondents are chock full of useful information about contending with ever-growing malware and designing defenses against it. Research, details, tests, failures and successes are bountiful. Emails about trying to market products based on years of diligent work to customers less technically capable are highly instructive. The foolishness of Barr and cohorts should not be a reason to avoid learning from and appreciating the skills of the parent firm disclosed in its emails.

High-risk files found by Norton AV in the HBG-Stuxnet-Raw file:

Magda Hassan
03-14-2011, 01:04 PM
Pursuant to our ongoing investigation into the various intelligence contractors who worked in conjunction with the Department of Justice and other agencies to commit unethical and possibly illegal acts against Wikileaks, Glenn Greenwald, and Anonymous, I placed a call this morning to William Wansley, senior vice president of Booz Allen Hamilton. I asked Mr. Wansley about his relationship to incompetent federal contractor and former HBGary CEO Aaron Barr, who himself was fundamental to the conspiracy linking his company to Palantir, Hunton Williams, Bank of America, the Chamber of Commerce, Endgame Systems, and other entities, including Booz. He said he had no relationship with HBGary, which is odd insomuch as this e-mail would seem to indicate otherwise (http://hbgary.anonleaks.ch/aaron_hbgary_com/9061.html).
Incidentally, I made the call from a one-party consent wiretapping state - good old Texas - pursuant to an investigation by Anonymous Holdings Company LLC/Anonymous Institute of the Rule of LAWL, which is to say it is entirely legal for me to record such a conversation and, say, upload it to the internet (http://www.mediafire.com/?zzpb7ccu5sdjfeu).

A bit of inside baseball background on Booz Allen Hamilton's interest in Anonymous is provided by way of this other e-mail thread, also taken from HBGary's servers in pursuit of etc etc etc lol:
I forgot to mention. I had a meeting yesterday with Bill Wansley over at Booz. He said Mike McConnell is walking around like the cat that got the canary because there is something to happen or be released soon that is very significant in the cyber arena. Any knowledge? Aaron
Sent from my iPhone
On Jan 29, 2011, at 7:58 AM, Tom Conroy wrote:
> Aaron -
> Here is the note I sent to a senior at USCYBERCOM. I'll let you know if I hear back.
> As you can see, I took off your email address to protect you from immediate attention, though it would be easy to identify you by checking the speakers at the conference you reference. Let's see what they do with our offer.
> BTW, if they do research your identity by going to the online B-Sides agenda, what are they going to think of you when they see the title you've chosen? You have certainly chosen a topic that will generate lots of interest.
> Name: Aaron Barr
> Talk: Who Needs NSA when we have Social Media
> Tom
> -------- Original Message --------
> Subject: Fwd: Ongoing Research
> Date: Sat, 29 Jan 2011 07:48:35 -0500
> From: Tom Conroy
> To: Dave
> Dave -
> This comes to me from someone I trust deeply and who has developed some
> extraordinarily valuable and effective capabilities for our former
> agency. He is fully SCI cleared. When I first heard of Aaron's work I
> figured you, or someone in your organization, would or should be
> extremely interested in learning about his work before he takes it public.
> When Aaron first mentioned his research, he told me that the "Anonymous"
> group has also been directly involved in Cyber attacks on MasterCard,
> and the governments and nations of Venezuela, Tunisia, and Egypt. That,
> it seems to me, would make them of high interest to the State Department
> and FBI as well as your organization. Please let me know if you would
> like to meet him.
> Tom
> P.S. I have also encouraged him to offer his research to ODNI and to
> others. In response to my encouragement he has reached out to Dawn
> Meyerriecks at ODNI as well as others whom I don't know.
> -------- Original Message --------
> Subject: Ongoing Research
> Date: Sat, 29 Jan 2011 01:23:57 -0500
> From: Aaron
> To: Tom Conroy
> Tom,
> I have been researching the Anonymous group over the last few weeks in
> preparation for a social media talk I will be giving at the BSIDES
> conference in San Francisco on Feb. 14th. My focus is to show the power
> of social media analytics to derive intelligence and for potential
> exploitation. In the talk I will be focusing how effective it is to
> penetrate three organizations, one military (INSCOM), one Critical
> Infrastructure (Nuclear Power Plant in PA), and the Anonymous Group.
> All penetrations past social media exploitation are inferred (i.e. I
> am not delivering any payload).
> I am surprised at the level of success I am having on the Anonymous
> group. I am able to tie IRC Alias to Facebook account to real people.
> I have laid out the organizations communications and operational
> structure. Determined the leadership of the organization (mostly - some
> more work here to go).
> I have to believe this data would be valuable to someone in government,
> and if so I would like to get this data in front of those that are
> interested prior to my talk, as I imagine I will get some press around
> the talk and the group will likely change certain TTP's afterwards.
> Thanks for your help.
> Aaron


Magda Hassan
03-18-2011, 10:31 PM
Congress Opens Investigation Into HBGary Federal Scandal


Mar. 17 2011 - 7:38 pm
==UPDATE===: Following a query (http://twitter.com/Shoq/status/48544474435043329) by Twitter user @Shoq, here are the 16 other Congressmen/women who signed Rep. Hank Johnson’s (http://hankjohnson.house.gov/) letter (http://www.scribd.com/doc/49777524/Hunton-Williams-Investigation-letter) seeking an investigation into HBGary Federal and others, via Salon (http://www.salon.com/news/politics/war_room/2011/03/01/hunton_williams_investigation/): Keith Ellison, Luis Gutierrez, Jesse Jackson Jr., Sheila Jackson Lee, Chris Murphy, Edolphus Towns, Betty Sutton, Peter Welch, Raul Grijalva, Bruce Braley, Mike Honda, Barbara Lee, Jim McDermott, Tim Ryan, Pete Stark and Maxine Waters.
The U.S. Congress is stepping into the continuing HBGary Federal scandal (http://blogs.forbes.com/andygreenberg/2011/02/15/hbgary-execs-run-for-cover-as-hacking-scandal-escalates/) after global hacktivist group Anonymous exposed (http://blogs.forbes.com/andygreenberg/2011/02/14/hbgary-ceo-also-suggested-tracking-intimidating-wikileaks-donors/) proposals by the government-contracted software security firm to damage WikiLeaks and other organizations.
The House Armed Services Subcommittee on Emerging Threats and Capabilities (http://armedservices.house.gov/index.cfm/emerging-threats-and-capabilities) on Wednesday asked the Defence Department and National Security Agency (NSA) to hand over all contracts they had signed with HBGary Federal, Palantir Technologies and Berico Technologies, Wired reports (http://www.wired.com/threatlevel/2011/03/congress-and-hbgary/).
It comes after about a dozen members of Congress sent a letter to several subcommittees (http://www.scribd.com/doc/49777524/Hunton-Williams-Investigation-letter) calling for an investigation into HBGary Federal’s proposals, in league with other companies, to law firm Hunton & Williams to probe and discredit WikiLeaks with a “dirty tricks campaign that included possible illegal actions against citizens engaged in free speech.”
Last month a small team of Anonymous supporters hacked into HBGary Federal’s servers, then stole and published (http://blogs.forbes.com/parmyolson/2011/02/06/anonymous-takes-revenge-on-security-firm-for-trying-to-sell-supporters-details-to-fbi/) 71,800 emails from the security firm on the Internet (http://hbgary.anonleaks.ch/). In the fallout, the e-mails revealed that HBGary Federal had proposed, together with Palantir and Berico, cyber attacks against WikiLeaks, a misinformation campaign against the group and intimidation tactics against Salon reporter Glenn Greenwald, who has supported WikiLeaks.
The letter said that the HBGary Federal emails also revealed that the security contractors along with Hunton & Williams had also “planned a campaign to sabotage and discredit critics of the U.S. Chamber of Commerce,” as well as the trade union federation Change to Win, the Center for American Progress and other organizations.
The e-mails showed that one of the contractors’ proposals was to mine social networking sites like Facebook and Twitter for information on Chamber critics, then plant false documentation using “fake insider personas” to discredit the group. They also discussed using malicious software (or malware) to steal private information.
Following press reports into these proposals, Palantir and Berico publicly distanced themselves (http://blogs.forbes.com/andygreenberg/2011/02/11/palantir-apologizes-for-wikileaks-attack-proposal-cuts-ties-with-hbgary/) from HBGary Federal, while HBGary Federal’s CEO Aaron Barr, who was a central character in last month’s hacking incident, resigned (http://blogs.forbes.com/andygreenberg/2011/02/28/hbgary-federals-aaron-barr-resigns-after-anonymous-hack-scandal/).
Via Wired (http://www.wired.com/threatlevel/2011/03/congress-and-hbgary/), here’s a video of the Congressional subcommittee hearing in which Rep. Hank Johnson questions NSA director Keith Alexander and James Miller, deputy under secretary of defence for policy, on the nature of the HBGary Federal contracts.

Ed Jewett
11-27-2011, 07:06 PM
Palantir, the War on Terror's Secret Weapon

A Silicon Valley startup that collates threats has quietly become indispensable to the U.S. intelligence community

By Ashlee Vance (http://www.businessweek.com/bios/ashlee-vance-283.html) and Brad Stone (http://www.businessweek.com/bios/brad-stone-411.html)
In October, a foreign national named Mike Fikri purchased a one-way plane ticket from Cairo to Miami, where he rented a condo. Over the previous few weeks, he’d made a number of large withdrawals from a Russian bank account and placed repeated calls to a few people in Syria. More recently, he rented a truck, drove to Orlando, and visited Walt Disney World by himself. As numerous security videos indicate, he did not frolic at the happiest place on earth. He spent his day taking pictures of crowded plazas and gate areas.
None of Fikri’s individual actions would raise suspicions. Lots of people rent trucks or have relations in Syria, and no doubt there are harmless eccentrics out there fascinated by amusement park infrastructure. Taken together, though, they suggested that Fikri was up to something. And yet, until about four years ago, his pre-attack prep work would have gone unnoticed. A CIA analyst might have flagged the plane ticket purchase; an FBI agent might have seen the bank transfers. But there was nothing to connect the two. Lucky for counterterror agents, not to mention tourists in Orlando, the government now has software made by Palantir Technologies, a Silicon Valley company that’s become the darling of the intelligence and law enforcement communities.
The day Fikri drives to Orlando, he gets a speeding ticket, which triggers an alert in the CIA’s Palantir system. An analyst types Fikri’s name into a search box and up pops a wealth of information pulled from every database at the government’s disposal. There’s fingerprint and DNA evidence for Fikri gathered by a CIA operative in Cairo; video of him going to an ATM in Miami; shots of his rental truck’s license plate at a tollbooth; phone records; and a map pinpointing his movements across the globe. All this information is then displayed on a clearly designed graphical interface that looks like something Tom Cruise would use in a Mission: Impossible movie.
As the CIA analyst starts poking around on Fikri’s file inside of Palantir, a story emerges. A mouse click shows that Fikri has wired money to the people he had been calling in Syria. Another click brings up CIA field reports on the Syrians and reveals they have been under investigation for suspicious behavior and meeting together every day over the past two weeks. Click: The Syrians bought plane tickets to Miami one day after receiving the money from Fikri. To aid even the dullest analyst, the software brings up a map that has a pulsing red light tracing the flow of money from Cairo and Syria to Fikri’s Miami condo. That provides local cops with the last piece of information they need to move in on their prey before he strikes.
Fikri isn’t real—he’s the John Doe example Palantir uses in product demonstrations that lay out such hypothetical examples. The demos let the company show off its technology without revealing the sensitive work of its clients. Since its founding in 2004, the company has quietly developed an indispensable tool employed by the U.S. intelligence community in the war on terrorism. Palantir technology essentially solves the Sept. 11 intelligence problem. The Digital Revolution dumped oceans of data on the law enforcement establishment but provided feeble ways to make sense of it. In the months leading up to the 2001 attacks, the government had all the necessary clues to stop the al Qaeda perpetrators: They were from countries known to harbor terrorists, who entered the U.S. on temporary visas, had trained to fly civilian airliners, and purchased one-way airplane tickets on that terrible day.
An organization like the CIA or FBI can have thousands of different databases, each with its own quirks: financial records, DNA samples, sound samples, video clips, maps, floor plans, human intelligence reports from all over the world. Gluing all that into a coherent whole can take years. Even if that system comes together, it will struggle to handle different types of data—sales records on a spreadsheet, say, plus video surveillance images. What Palantir (pronounced Pal-an-TEER) does, says Avivah Litan, an analyst at Gartner, is “make it really easy to mine these big data sets.” The company’s software pulls off one of the great computer science feats of the era: It combs through all available databases, identifying related pieces of information, and puts everything together in one place.
Depending where you fall on the spectrum between civil liberties absolutism and homeland security lockdown, Palantir’s technology is either creepy or heroic. Judging by the company’s growth, opinion in Washington and elsewhere has veered toward the latter. Palantir has built a customer list that includes the U.S. Defense Dept., CIA, FBI, Army, Marines, Air Force, the police departments of New York and Los Angeles, and a growing number of financial institutions trying to detect bank fraud. These deals have turned the company into one of the quietest success stories in Silicon Valley—it’s on track to hit $250 million in sales this year—and a candidate for an initial public offering. Palantir has been used to find suspects in a case involving the murder of a U.S. Immigration and Customs Enforcement special agent, and to uncover bombing networks in Syria, Afghanistan, and Pakistan. “It’s like plugging into the Matrix,” says a Special Forces member stationed in Afghanistan who requested anonymity out of security concerns. “The first time I saw it, I was like, ‘Holy crap. Holy crap. Holy crap.’ ”

Palantir’s engineers fill the former headquarters of Facebook along University Avenue in the heart of Palo Alto’s main commercial district. Over the past few years, Palantir has expanded to four other nearby buildings as well. Its security people—who wear black gloves and Secret Service-style earpieces—often pop out of the office to grab their lunch, making downtown Palo Alto feel, at times, a bit like Langley.
Inside the offices, sweeping hand-drawn murals fill the walls, depicting tributes to Care Bears and the TV show Futurama. On one floor, a wooden swing hangs from the ceiling by metal chains, while Lord of the Rings knickknacks sit on desks. T-shirts with cutesy cartoon characters are everywhere, since the engineers design one for each new version of their software. Of late, they’ve run out of Care Bears to put on the shirts and moved on to My Little Ponies.
The origins of Palantir go back to PayPal, the online payments pioneer founded in 1998. A hit with consumers and businesses, PayPal also attracted criminals who used the service for money laundering and fraud. By 2000, PayPal looked like “it was just going to go out of business” because of the cost of keeping up with the bad guys, says Peter Thiel, a PayPal co-founder.
The antifraud tools of the time could not keep up with the crooks. PayPal’s engineers would train computers to look out for suspicious transfers—a number of large transactions between U.S. and Russian accounts, for example—and then have human analysts review each flagged deal. But each time PayPal cottoned to a new ploy, the criminals changed tactics. The computers would miss these shifts, and the humans were overwhelmed by the explosion of transactions the company handled.
PayPal’s computer scientists set to work building a software system that would treat each transaction as part of a pattern rather than just an entry in a database. They devised ways to get information about a person’s computer, the other people he did business with, and how all this fit into the history of transactions. These techniques let human analysts see networks of suspicious accounts and pick up on patterns missed by the computers. PayPal could start freezing dodgy payments before they were processed. “It saved hundreds of millions of dollars,” says Bob McGrew, a former PayPal engineer and the current director of engineering at Palantir.
After EBay (EBAY (http://investing.businessweek.com/research/stocks/snapshot/snapshot.asp?ticker=EBAY)) acquired PayPal in 2002, Thiel left to start a hedge fund, Clarium Capital Management. He and Joe Lonsdale, a Clarium executive who’d been a PayPal intern, decided to turn PayPal’s fraud detection into a business by building a data analysis system that married artificial intelligence software with human skills. Washington, they guessed, would be a natural place to begin selling such technology. “We were watching the government spend tens of billions on information systems that were just horrible,” Lonsdale says. “Silicon Valley had gotten to be a lot more advanced than government contractors, because the government doesn’t have access to the best engineers.”
Thiel, Lonsdale, and a couple of former colleagues officially incorporated Palantir in 2004. Thiel originally wanted to hire a chief executive officer from Washington who could navigate the Byzantine halls of the military-industrial complex. His co-founders resisted and eventually asked Alex Karp, an American money manager living in Europe who had been helping raise money for Clarium, to join as temporary CEO.
It was an unlikely match. Before joining Palantir, Karp had spent years studying in Germany under Jürgen Habermas, the most prominent living representative of the Frankfurt School, the group of neo-Marxist philosophers and sociologists. After getting a PhD in philosophy from the University of Frankfurt—he also has a degree from Stanford Law School—Karp drifted from academia and dabbled in stocks. He proved so good at it that, with the backing of a handful of European billionaires, he set up a money management firm called the Caedmon Group. His intellect, and ability to solve a Rubik’s Cube in under a minute, commands an awed reverence around the Palantir offices, where he’s known as Dr. Karp.
In the early days, Palantir struggled to sell its message and budding technology to investors. Big-name venture capital firms such as Kleiner Perkins Caufield & Byers, Sequoia Capital, and Greylock Partners all passed. Lonsdale says one investor, whom he won’t name, actually started laughing on the phone at Karp’s nonbusiness academic credentials. Overlooked by the moneyed institutions on Sand Hill Road, Thiel put up the original funds before enticing In-Q-Tel, the investment arm of the CIA, to invest as well. Karp says the reason VC firms “passed was that enterprise technology was not hot. And the government was, and still is, anti-hot.”
Michael E. Leiter, the former head of the National Counterterrorism Center, recalls being skeptical when Karp arrived to sell Palantir’s system to the NCTC, created by President George W. Bush after the attacks. “There’s Karp with his hair and his outfit—he doesn’t look like me or the other people that work for me,” he says. But Leiter soon discovered that Palantir’s software cost a fraction of competing products and actually worked. Palantir not only made the connections between the data sets but also drew inferences based on the clues and empowered the analysts. Leiter is now a Palantir consultant.

At 44, Karp has a thin, sinewy physique—the result of a strict 1,200-calorie-a-day diet—and an angular face that gives way to curly brown, mad-scientist hair. On a November visit at Palantir’s headquarters, he’s wearing purple pants and a blue and orange athletic shirt. As he does every day, he walked to work. “I never learned to drive because I was busy reading, doing things, and talking to people,” he says. “And I’m coordinated enough to bike, but the problem is that I will start dreaming about the business and run into a tree.”
During the era of social networks, online games, and Web coupons, Karp and his engineers have hit on a grander mission. “Our primary motivation,” Karp says, “is executing against the world’s most important problems in this country and allied countries.” That’s an unusual pitch in Silicon Valley, where companies tend to want as little to do with Washington as possible and many of the best engineers flaunt their counterculture leanings.
Palantir’s name refers to the “seeing stones” in Lord of the Rings that provide a window into other parts of Middle-earth. They’re magical tools created by elves that can serve both good and evil. Bad wizards use them to keep in touch with the overlord in Mordor; good wizards can peer into them to check up on the peaceful, innocent Hobbits of the Shire. As Karp explains with a straight face, his company’s grand, patriotic mission is to “protect the Shire.”
Most of Palantir’s government work remains classified, but information on some cases has trickled out. In April 2010, security researchers in Canada used Palantir’s software to crack a spy operation dubbed Shadow Network that had, among other things, broken into the Indian Defense Ministry and infiltrated the Dalai Lama’s e-mail account. Palantir has also been used to unravel child abuse and abduction cases. Palantir “gives us the ability to do the kind of link-and-pattern analysis we need to build cases, identify perpetrators, and rescue children,” says Ernie Allen, CEO of the National Center for Missing and Exploited Children. The software recently helped NCMEC analysts link an attempted abduction with previous reports of the suspect to the center’s separate cyber-tip line—and plot that activity on a map. “We did it within 30 seconds,” Allen says. “It is absolutely a godsend for us.”
In Afghanistan, U.S. Special Operations Forces use Palantir to plan assaults. They type a village’s name into the system and a map of the village appears, detailing the locations of all reported shooting skirmishes and IED, or improvised explosive device, incidents. Using the timeline function, the soldiers can see where the most recent attacks originated and plot their takeover of the village accordingly. The Marines have spent years gathering fingerprint and DNA evidence from IEDs and tried to match that against a database of similar information collected from villagers. By the time the analysis results came back, the bombers would be long gone. Now field operatives are uploading the samples from villagers into Palantir and turning up matches from past attacks on the spot, says Samuel Reading, a former Marine who works in Afghanistan for NEK Advanced Securities Group, a U.S. military contractor. “It’s the combination of every analytical tool you could ever dream of,” Reading says. “You will know every single bad guy in your area.”
Palantir has found takers for its data mining system closer to home, too. Wall Street has been particularly receptive. Every year, the company holds a conference to promote its technology, and the headcount swelled from about 50 people at past events to 1,000 at the most recent event in October. “I saw bankers there that don’t go to any other conferences,” says Gartner’s Litan. The banks have set Palantir’s technology loose on their transaction databases, looking for fraudsters, trading insights, and even new ways to price mortgages. Guy Chiarello, chief information officer for JPMorgan Chase, says Palantir’s technology turns “data landfills into gold mines.” The bank has a Palantir system for fraud detection and plans to use the technology to better tailor marketing campaigns to consumers. “Google unlocked the Internet with its search engine,” Chiarello says. “I think Palantir is on the way to doing a similar thing inside the walls of corporate data.”
One of the world’s largest banks has used Palantir software to break up a popular scam called BustOut. Criminals will steal or purchase access to thousands of people’s online identities, break into their bank and credit-card accounts, then spend weeks watching. Once they spot a potential victim purchasing a plane ticket or heading out on a holiday, they siphon money out of the accounts as fast as they can while the mark is in transit. The criminals hide their trails by anonymizing their computing activity and disabling alert systems in the bank and credit-card accounts. When the bank picks up on a few compromised accounts, it uses Palantir to uncover the network of thousands of other accounts that have to be tapped.
A Palantir deal can run between $5 million and $100 million. The company asks for 20 percent of that money up front and the rest only if the customer is satisfied at the end of the project. Typically, it’s competing against the likes of Raytheon, Lockheed Martin, Northrop Grumman, and IBM, along with a scattering of less prominent data mining startups. “We can be up and running in a bank in eight weeks,” Karp says. “You will be getting results right away instead of waiting two to three years with our competitors.”

Palantir has been doubling headcount every year to keep up with business. To get a job at the company, an applicant must pass a gauntlet of brain teasers. An example: You have 25 horses and can race them in heats of 5. You know the order the horses finished in, but not their times. How many heats are necessary to find the fastest? First and second? First, second, and third? (Answers: six, seven, and seven.) If candidates are able to prove themselves as what Karp calls “a software artist,” they’re hired. The company gives new arrivals some reading material, including a guide to improvisational acting, a lecture by the entrepreneur Steve Blank on Silicon Valley’s secret history with the military, and the book The Looming Tower: Al-Qaeda and the Road to 9/11. They’re also rewarded with a low wage by Silicon Valley standards: Palantir caps salaries at $127,000.
Instead of traditional salespeople, Palantir has what it calls forward deployed engineers. These are the sometimes awkward computer scientists most companies avoid putting in front of customers. Karp figures that engineers will always tell the truth about the pros and cons of a product, know how to solve problems, and build up a strong reputation with customers over time. “If your life or your economic future is on the line,” he says, “and there is one company where people are maybe kind of suffering from Asperger’s syndrome, but they have always been accurate, you end up trusting them.”
The director of these forward deployed engineers is Shyam Sankar, a Palantir veteran. In his corner office there’s a Shamu stuffed animal, an antique Afghan rifle hanging overhead, and a 150-year-old bed frame decorated with a wild, multicolored comforter. The bed comes in handy during an annual team-building exercise: For one week, employees live in the Palantir offices; the bedless make shantytown houses out of cardboard boxes. Sankar celebrates Palantir’s mix of office frivolity and low salaries. “We will feed you, clothe you, let you have slumber parties, and nourish your soul,” he says. “But this is not a place to come to get cash compensation.”
Like many of the young engineers, Sankar recounts a personal tale that explains his patriotic zeal. When he was young, his parents moved from India to Nigeria, where Sankar’s father ran a pharmaceutical plant. One night, burglars broke into their home, pistol-whipped his dad, and stole some valuables. After that traumatic event, the family moved to Florida and started over, selling T-shirts to theme parks. “To come to a place and not have to worry about such bad things instilled a sense of being grateful to America,” Sankar says. “I know it sounds corny, but the idea here is to save the Shire.”
Karp acknowledges that to outsiders, Palantir’s Middle-earth-meets-National Security Agency culture can seem a bit much. “One of my investors asked me, ‘Is this a company or a cult?’ ” he says. “Well, I don’t seem to be living like a cult leader.” Then he begins a discourse on how Palantir’s unusual ways serve the business. “I tend to think the critiques are true,” Karp says. “To make something work, it cannot be about the money. I would like to believe we have built a culture that is about a higher purpose that takes the form of a company. I think the deep character anomalies of the company are the reasons why the numbers are so strong.”

Using Palantir technology, the FBI can now instantly compile thorough dossiers on U.S. citizens, tying together surveillance video outside a drugstore with credit-card transactions, cell-phone call records, e-mails, airplane travel records, and Web search information. Christopher Soghoian, a graduate fellow at the Center for Applied Cybersecurity in the School of Informatics and Computing at Indiana University, worries that Palantir will make these agencies ever hungrier consumers of every piece of personal data. “I don’t think Palantir the firm is evil,” he says. “I think their clients could be using it for evil things.”
Soghoian points out that Palantir’s senior legal adviser, Bryan Cunningham, authored an amicus brief three years ago supporting the Bush Administration’s position in the infamous warrantless wiretapping case and defended its monitoring domestic communication without search warrants. Another event that got critics exercised: A Palantir engineer, exposed by the hacker collective Anonymous earlier this year for participating in a plot to break into the PCs of WikiLeaks supporters, was quietly rehired by the company after being placed on leave.
Karp stresses that Palantir has developed some of the most sophisticated privacy protection technology on the market. Its software creates audit trails, detailing who has seen certain pieces of information and what they’ve done with it. Palantir also has a permission system to make sure that workers in agencies using its software can access only the data that their clearance levels allow. “In the pre-Palantir days, analysts could go into file cabinets and read whatever they want,” says former NCTC director Leiter. “Nobody had any idea what they had seen.” Soghoian scoffs at the privacy-protecting features Palantir builds into its software. “If you don’t think the NSA can disable the piece of auditing functionality, you have to be kidding me,” he says. “They can do whatever they want, so it’s ridiculous to assume that this audit trail is sufficient.”
Thiel, who sits on the board and is an avowed libertarian, says civil liberties advocates should welcome Palantir. “We cannot afford to have another 9/11 event in the U.S. or anything bigger than that,” he says. “That day opened the doors to all sorts of crazy abuses and draconian policies.” In his view, the best way to avoid such scenarios in the future would be to provide the government the most cutting-edge technology possible and build in policing systems to make sure investigators use it lawfully.
After Washington and Wall Street, Karp says the company may turn its attention to health care, retail, insurance, and biotech. The thinking is that Palantir’s technology can illuminate health insurance scams just as well as it might be able to trace the origin of a virus outbreak. Despite all this opportunity, and revenue that is tripling every year, Karp insists that Palantir will remain grounded. An IPO, while not out of the question, “dilutes nonmonetary motivation,” he says.
One higher purpose in the coming year will be rescuing strapped companies and government bodies from the brink of financial ruin. Karp lists fraud, Internet security issues, Europe’s financial woes, and privacy concerns as possible drivers for Palantir’s business. For anyone in peril, the message is clear: Give us a signal and a forward deployed engineer will be at your doorstep. “There are some people out there that don’t think to pick up the phone and call us,” Karp says. “By next year, many of those people will.”
Vance (avance3@bloomberg.net) is a technology writer for Bloomberg Businessweek. Stone is a senior writer for Bloomberg Businessweek.
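The seed-expansion step the article describes for PayPal’s fraud team and for the BustOut case (a few accounts known to be compromised, then pivot on what they share with other accounts until the ring is mapped), as an added example that is not Palantir’s or any bank’s code. The records, the field names (device fingerprint, source IP, payee), the `max_fanout` threshold and the `expand_from_seeds` function are all constructed for illustration. It also carries the check a practitioner would want: an attribute shared by too many accounts (a NAT gateway address, a popular merchant) is shared infrastructure, not evidence of collusion, and pivoting through it links the entire customer base to the seeds.

```python
"""Seed-expansion link analysis over a constructed set of bank-session records.

Added example, not Palantir's or any bank's code. Records, field names and
thresholds are constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed records: (account, device fingerprint, source IP, payee).
# IP addresses come from the RFC 5737 documentation ranges.
RECORDS = [
    ("acct-001", "dev-A", "198.51.100.7", "mule-1"),
    ("acct-002", "dev-A", "198.51.100.7", "mule-2"),
    ("acct-003", "dev-B", "198.51.100.7", "shop"),
    ("acct-004", "dev-B", "203.0.113.9", "mule-1"),
    ("acct-005", "dev-C", "203.0.113.9", "shop"),
    ("acct-006", "dev-D", "192.0.2.20", "shop"),
    ("acct-007", "dev-E", "192.0.2.20", "shop"),
    ("acct-008", "dev-F", "192.0.2.20", "shop"),
]

ATTRIBUTE_NAMES = ("device", "ip", "payee")


def build_graph(records):
    """Bipartite graph: account nodes on one side, attribute nodes ("device:dev-A") on the other."""
    account_to_attrs = defaultdict(set)
    attr_to_accounts = defaultdict(set)
    for account, *values in records:
        for name, value in zip(ATTRIBUTE_NAMES, values):
            attr = f"{name}:{value}"
            account_to_attrs[account].add(attr)
            attr_to_accounts[attr].add(account)
    return account_to_attrs, attr_to_accounts


def expand_from_seeds(records, seeds, max_fanout=3, max_hops=3):
    """Return ({account: (hops, pivot)}, hubs) for every account reachable from the seeds.

    A pivot is an attribute shared by an already-flagged account and a new one.
    Attributes shared by more than max_fanout accounts (a NAT gateway, a popular
    merchant) are treated as shared infrastructure and never used as pivots;
    otherwise one busy node links the whole customer base to the seeds.
    """
    account_to_attrs, attr_to_accounts = build_graph(records)
    hubs = {a for a, accts in attr_to_accounts.items() if len(accts) > max_fanout}
    reached = {seed: (0, None) for seed in seeds}
    queue = deque(seeds)
    while queue:
        account = queue.popleft()
        hops, _ = reached[account]
        if hops >= max_hops:
            continue
        # Sorted iteration keeps the pivot recorded for each account deterministic.
        for attr in sorted(account_to_attrs[account] - hubs):
            for neighbour in sorted(attr_to_accounts[attr]):
                if neighbour not in reached:
                    reached[neighbour] = (hops + 1, attr)
                    queue.append(neighbour)
    return reached, hubs


if __name__ == "__main__":
    found, hubs = expand_from_seeds(RECORDS, ["acct-001"])
    print("excluded hub attributes:", sorted(hubs))
    for account, (hops, pivot) in sorted(found.items(), key=lambda kv: kv[1][0]):
        print(f"{account}  hops={hops}  via={pivot}")
```

Run as a script, the seed acct-001 pulls in acct-002 (same device), acct-003 (same source IP), acct-004 (same mule payee) and, one pivot further, acct-005; the popular payee is excluded as a hub, so acct-006 through acct-008 stay unflagged. Raise `max_fanout` to 100 and that payee becomes a pivot, and all eight accounts are "linked" to the seed, which is the false-positive mode the threshold exists to prevent.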

Magda Hassan
02-29-2012, 07:55 AM
Feb. 27, 2012, 8:36 p.m. EST
ManTech Enhances Cyber Security Solutions with Acquisition of Business of HBGary
Acquisition expands cyber security solutions offering to commercial market

FAIRFAX, Va., Feb 27, 2012 (BUSINESS WIRE) -- ManTech International Corporation (MANT) has signed a definitive agreement to acquire the business of HBGary, Inc. of Sacramento, Ca. The transaction, structured as an asset purchase and subject to certain closing conditions, is expected to be completed in March.
HBGary provides a comprehensive suite of software products to detect, analyze, and diagnose Advanced Persistent Threats (APT) and targeted malware. The company has an impressive list of commercial customers in the financial services, energy, critical infrastructure and technology sectors. The business will be an integral part of ManTech's broad cyber security offering.
"This acquisition enhances our capabilities in the growing cyber security market," said L. William Varner, president and chief operating officer of ManTech's Mission, Cyber and Technology Solutions group. "Our recent hire of Ken Silva, who will lead this new business unit, was instrumental in enabling ManTech to further develop its cyber security strategy. The HBGary leadership team are recognized thought leaders in this market. The combination of ManTech and HBGary will create a broader cyber security solution capability for both our commercial and government customers."
"ManTech will give HBGary significant and positive growth, expanding our opportunities," said HBGary CEO Greg Hoglund. "HBGary's commercial customers will benefit from the addition of ManTech's world-class incident response services, and ManTech's government business will be bolstered with a cutting edge set of products to protect mission-critical IT assets."
"We're taking steps to expand in new growth markets, just as we have always done," said ManTech Chairman and CEO George J. Pedersen. "ManTech has a history of taking the skills we have gained in our core business and applying it to new customers and new missions. We look forward to adding HBGary into the ManTech family as we apply our combined cyber capabilities to important commercial customers."
About ManTech International Corporation: ManTech is a leading provider of innovative technologies and solutions for mission-critical national security programs for the intelligence community; the departments of Defense, State, Homeland Security, Energy and Justice, including the Federal Bureau of Investigation; the space community; the National Oceanic and Atmospheric Administration; and other U.S. federal government customers. We provide support to critical national security programs through 1,000 current contracts. ManTech's expertise includes command, control, communications, computers, intelligence, surveillance and reconnaissance (C4ISR) lifecycle support, cyber security, global logistics support, intelligence/counter-intelligence support, information technology modernization and sustainment, systems engineering, and test and evaluation. ManTech supports major national missions, such as military readiness, terrorist threat detection, information security and border protection. Additional information on ManTech can be found at www.mantech.com.
Forward-Looking Information
Statements and assumptions made in this press release, which do not address historical facts, constitute "forward-looking" statements that ManTech believes to be within the definition in the Private Securities Litigation Reform Act of 1995 and involve risks and uncertainties, many of which are outside of our control. Words such as "may," "will," "expect", "intend," "anticipate," "believe," "estimate," or "continue," or the negative of these terms or words of similar import are intended to identify forward-looking statements.
These forward-looking statements are inherently subject to risks and uncertainties, and actual results and outcomes may differ materially from the results and outcomes we anticipate. Factors that could cause actual results to differ materially from the results we anticipate, include, but are not limited to, the following: failure to successfully integrate recently acquired companies or businesses into our operations or to realize any accretive or synergistic effects from such acquisitions; failure to identify, execute or effectively integrate future acquisitions; adverse changes in U.S. government spending priorities; failure to retain existing U.S. government contracts, win new contracts or win recompetes; adverse changes in future levels of expenditures for programs we support caused by budgetary pressures facing the federal government and changing mission priorities; failure to obtain option awards, task orders or funding under contracts; failure to maintain strong relationships with other contractors; adverse changes in our mix of contract types; adverse results of U.S. government audits of our government contracts; risk of contract performance, modification or termination; and risks associated with complex U.S. government procurement laws and regulations; and competition. These and other risk factors are more fully discussed in the section entitled "Risks Factors" in ManTech's Annual Report on Form 10-K previously filed with the Securities and Exchange Commission on Feb. 24, 2012, Item 1A of Part II of our Quarterly Reports on Form 10-Q, and, from time to time, in ManTech's other filings with the Securities and Exchange Commission.
The forward-looking statements included herein are only made as of the date of this press release, and ManTech undertakes no obligation to publicly update any of the forward-looking statements made herein, whether as a result of new information, subsequent events or circumstances, changes in expectations or otherwise.
SOURCE: ManTech International Corporation

ManTech International Corporation Lauren Kushin, 703-218-6406 Lauren.kushin@mantech.com ManTech-F

Magda Hassan
03-04-2012, 01:49 AM
Media articles are at the bottom of this pad


Odious corporate spying firms enjoy epic bad publicity day

What's outlined in these sets of proposals, as Glenn points out, "quite possibly constitutes serious crimes." And as it relates to Glenn and the others, it constitutes an unconscionable attempt to silence journalists doing their jobs.

One nice point about the criminality is that (at least in my jurisdiction) the confidential information regimes are an outspring of the law of equity, and one of the core equitable maxims is those who come to equity must do so with clean hands (ie, the law won't recognise your rights where they protect unconscionable conduct)

Aaron Barr vs Barret Brown Phone Conference

Internal Email lulz:

Aaron VS WinMark Emails:

Aaron> Anonymous group and comments on Goverment talks

From Greg - Jamie is a fuck-tard

Bank of the West / Botnet

Citibank have been using falsified documents!!!

It appears penny was in the know about Aaron's bullshit all along

Interesting resume of former U.S. military intel officer who applied for gig with HBGary

Direct deposit information for their bank account. Routing and account number

Can debatably be construed as the advocation of illegal activities

HBGary Patent Info (with doc)

http://search.hbgary.anonleaks.ru/index.php?id=30571 Pull the paystub out, I bet its got his SSN on it

Internal company conflict

Arguments between Aaron and his wife

Here's Greg when he's mad

"Penny Leavy-Hoglund" <3 Greg

Visited the Pentagon in January

Ted H. Vera >President | COO >HBGary Federal >719-237-8623 http://search.hbgary.anonleaks.ru/index.php?id=37018

76-thousand+ cracked username/password combinations in a table called MEMBERS

Aaron>Sooooo...using the google hack string

Checklist for New Facility Security Clearances

Aaron>Ted: pointabout.com. I am partnering with them to go after some work and develop some capabilities. Specifically look at their tech appmakr.com.

Social Media Data Collection and Persona Development

Provisional Industrial Security Approval Sponsorship Program - NSA/CSS

Nmap host scan

There were emails about the NSA PISA program (http://www.nsa.gov/business/programs/pisa.shtml), and getting free certification through Aaron's connections

Others that may be of interest:

I think these guys are going to get arrested, it would be interesting
to leave the soft impression that Aaron is the one that got them, and
that without Aaron the Feds would have never been able to get out of
their own way. So, position Aaron as a hero to the public. At this
point they are going to get arrested anyway. But, Aaron has some
concerns on how that might affect commercial business (although I'm
not clear on why yet)

Dated 1/18/2011
Greetings Aaron,

Congratulations - your talk "Who Needs NSA when we have Social Media?" has
been selected for the B-Sides San Francisco event. Please take a few
minutes to fill out the speaker questionnaire located here: https://spreadsheets.google.com/viewform?formkey=dHhoaWo2TXg2dkgtSWF1d2lpb1pJY1E6MQ

I will also send an invite to the form separately in case you have any

Please let me know if you have any questions.

Thank you,

Amber Wolf
Event Organizer
Security B-Sides

I wanted to give u some information and see if you thought any of your customers might have some interest in the data.
I am not sure if you have been following. There is a group called Anonymous, that started supporting Wikileaks by attacking cyber targets, such as Mastercard and Visa. I am doing research for a talk I am giving in San Francisco next month. The focus of my research is this group, identifying key players, organizational structure. I am doing a pretty good job identifying key people and illuminating how they work. All of this I am doing using social
If you think any of your customers might be interested let me know.


HBGary Federal Flexes Private Intelligence Muscle.

HBGary Federal, the specialized and classified services arm of HBGary,
flexes its muscle today by revealing the identities of all the top
management within the group Anonymous, the group behind the DDOS
attacks associated with Wikileaks. HBGary Federal constructed and
maintained multiple digital identities and penetrated the upper
management of Anonymous, and was subsequently able to learn actual
identities of the primary management team – BUILDING A COMPLETE ORG
CHART. This information was critical for law enforcement, yet all the
intelligence work was done without law enforcement or government
involvement. Only after achieving the mission did Aaron Barr, the CEO
of HBGary Federal, reveal this information to the Feds. This
underscores the need for new blood in the intelligence community and
the abilities of small agile teams that are unhindered by the
bureaucratic machine.
what do you think? too negative on intel community?


From: Greg Hoglund greg@hbgary.com
To: Aaron Barr aaron@hbgary.com

HBGary Federal Pwns Anonymous
This is a proud day. HBGary Federal, led by Aaron Barr, has made public their long-term penetration of the Anonymous group, the DDOS group associated with Wikileaks.
They were able to penetrate the group to the highest level, gaining the trust of the inner circle.

The HBGary Federal team was able to learn the identities of all the key players - approximately 10 people. Now these individuals are being arrested by the FBI. Aaron and his team were also able to learn the identities of approx. 30 lieutenants. The Feds are finally taking down Anonymous, but, it should be noted that HBGary Federal performed this entire operation without law enforcement or government involvement.


So how I would pitch an increased price
1. First HBGary and the other investors will not be participating in the
earn out and we've invested in giving you services work to jump start and
give references.
2. HBGary would have hired three developers to complete the work and we'd
still have that investment
3. HBGary is being courted by large software vendors and they would be
interested in HBGary Federal for the pipeline of business. Since HBGary is
an investor, we'd need to recoup costs we've put out that are around $82K
plus a good return.



Aaron Barr to Mark

But dude whos evil?

US Gov? Wikileaks? Anonymous?

It's all about power. The Wikileaks and Anonymous guys think they are doing the people justice by, without much investigation or education, exposing information or targeting organizations? BS. It's about trying to take power from others and give it to themselves.

I follow one law.


from Mark:
Our entire government was set up on the idea of "trying to take power from others and give it to themselves". The founders stated it implicitly. The idea was for the states to fight the federal gov and to fight amongst themselves so nothing would ever be accomplished except for when it absolutely needed to be. That's why the government is told what it can do, not what it can not. Anything not stated is supposed to be out of the government's hands. Whereas any law to a citizen is supposed to be what you can't do, so that you can do whatever you want without infringing upon the freedoms and liberties of other citizens. A non-transparent government does nothing but keep the citizens uninformed and unable to make an educated vote. Your one law statement makes it sound like you believe you know what's best. That's a slippery slope.

Jefferson was an idealist that lived in a very different time.
And he had slaves...
- Aaron's response


Yeah, how did that work out the first time. You wanted Dan to be your engineer not me. Want me to check that facebook page "I listened to Aaron Barr and now I'm under investigation". Yeah, your gut feelings are awesome! Plus, scientifically proven that gut feelings are wrong by real scientist types. - Mark
(Do we want awesome Mark quotes or just Aaron idiot quotes?) go to town on it
the more the better imo


I'm not doubting that you're doing analysis. I'm doubting that statistically that analysis has any mathematical weight to back it. I put it at less than .1% chance that it's right. You're still working off of the idea that the data is accurate. - Mark


I made some significant progress last night on my understanding of the group. I feel I have nearly every one of the leadership, administrators and operators identified to a real person.

First a clarification.
Q - Founder and runs the IRC. He is indeed in California, as are many of the senior leadership of the group.
Owen - Almost a co-founder, lives in NY with family that are also active in the group, including slenaid and rabbit (nicks).
Most of the people in the IRC channel are zombies to inflate the numbers. At any given time there are probably no more than 20-40 people active, except during heightened points of activity like Egypt and Tunisia where the numbers swell, but mostly by trolls.

Now for a description of roles. The administrators run the show. The operators are there to answer questions, manage tasks, such as the mass faxing and sms spamming efforts during OpEgypt. They also manage the bots. I believe most of their DDOS capability comes from a small subset of people like CommanderX that manage some significant firepower.
Most of the operational leadership is US based, with some measurable support from some of their old 4chan friends in the UK, France, Germany, Netherlands. I have these people identified as well.
The communications outgrowth in FB and twitter is a different structure. The leadership of operations and those that manage the communications talk and share information but act autonomously. Operation Egypt FB page was a significant conduit of information during the operation and has more people that follow that page than any of the official Anonops pages on FB.
Any other questions let me know.


Hmm. Don't know what impact will be there.
Story should go online in a few hours.
Focus is on Anonymous structure, handles of leaders, inroads by law enforcement, and your work.
As long as I leave my specific IRC and FB alias out of the conversation I should be ok.


The conversation was very interesting today. They admit they had no idea this was happening until it hit the streets. They have no idea how to manage things like this in the future. And they agree they are not capable of doing the right activities (like I did) to be better prepared in the future because of authority and policy restrictions.
So I gave them a model that might work. I will do the work based on my understanding of need on my dime... put together a report... and sell them the report.
They liked that. I am working up 5 slides to hopefully brief Glenn next Friday.


karen, aaron,
60 minutes wants to do a segment with Aaron about penetrating anonymous.
- Greg

You are the dark star. Oh, I'm afraid the deflector shield will be
quite operational when your friends arrive....
jesus say it aint so
- Greg


Any group of people with a common goal is reckless. No one knows the effects of an attack or its outcome. May I point your direction to the Middle East since it was Persia and Mesopotamia.
I don't believe the ACLU or PETA or Greenpeace are always focused and considerate groups, but occasionally they do raise some good points.
I enjoy the LULZ
- Mark


When these groups speak of free information, including the open source groups, they mean governments and organizations; people have a right to privacy, governments, organizations, and corporations are not people. The supreme court can keep trying to say they are so that corps can give money to politicians, but they are not people. They can not be harmed in the same manners. Their freedom to exist can not be taken away in the same way.
That's what they mean they just suck at saying it.
- Mark

This group has some good points but is acting very recklessly I think. So if I can help to be a small balance, and get some press and customers in the process...yeah! - Aaron, in response.


Governments and corporations should have a right to protect secrets, sensitive information that could be damaging to their operations. I think these groups are also saying this should be free game as well and I disagree. Hence the 250,000 cables. Which was bullshit. - Aaron


With wikileaks and anonymous they corrupted faster. I believed in what wikileaks did when they released the helicopter video. I now believe they are a menace. Anonymous employees. - Aaronfag


When u figure out how to scrape the people who have liked a particular page or group then tackle this one.
I would like to be able to scrape all the people who have clicked like on a comment or posted a comment to a post.
For example.
Take the Anonops facebook page.
I would like a ranking list of the active participants on this page in ranking order of likes and comments. I would like to collect those comments and post them under the actual UID that posted them.
So then we could go to one page for a person in our system. See what their friends tell about them and what they post and like that tells about them. :)
Am I stretching the boundaries of possibility yet?


I have thought about going to a particular organization, government agency. Here is my one concern. I am still somewhat of an unknown in the social space, a space that I see as increasingly important. I am afraid that if I go to one organization the information will be walled and I will continue to be an unknown and have to claw my way to notoriety. I know that seems incredibly self-serving, but I am a small business. I have the opportunity to ga
- Aaron


I wanted to inform you of my research and content for the talk at Bsides. I have focused some of my research and talk around the Anonymous group, a supposed loose collection of freedom of speech enthusiasts, anarchists, etc. They used to target the RIAA with DDOS attacks; now they have taken up the cause of Wikileaks, Tunisia, Venezuela, Algeria, etc. They have received a decent amount of press about this.
I am enumerating their communications infrastructure and plan to brief this as well as outing many of the major players within the group. This will likely make HBGary Federal, and likely HBGary, a target.
I have developed a persona that is well accepted within their groups and want to use this and my real persona against each other to build up press for the talk. Pre-talk plan.
I am going to tell a few key leaders under my persona that I have been given information that a so called cyber security expert named Aaron Barr will be briefing the power of social media analysis and as part of the talk will be dissecting the Anonymous group as well as some critical infrastructure and government organizations
I will prepare a press sheet for Karen to give to Darkreading a few days after I tell these folks under persona to legitimize the accusation. This will generate a big discussion in Anonymous chat channels, which are attended by the press. This will then generate press about the talk, hopefully driving more people and more business to us.

But it will also make us a target.

reply: Well,
I don't really want to get DDOS'd, so assuming we do get DDOS'd then
what? How do we make lemonade from that?
- Greg


Way cool on anonymous
I am actually a bit nervous.
I am going to make a lot of people angry. Including some US govies that probably would have wished I had brought the material to them first.


One thing of note. I know there are a few task forces looking at this in gov. What I can do is tie IRC alias all the way to real person and have defined the communication and operations infrastructure of the organization. If there are gaps in this data in government I can help, and probably should before my talk, when they will likely tighten things down a bit.
They may have it covered but they may not.


Thank you Tom.
As to the title. I thought about it hard. Unfortunately these conferences like some sensationalism. I have tried the nuts and bolts submission and been declined. And being one that likes to take some risks, I chose a title that would generate more interest. During the talk I will discuss how the resources required to conduct intelligence work have lessened.


"They are completely pwnd. Our sales rep in DC, one of the founders of HBGary, called to reassure us that none of our data or any federal agency or SI's data has been compromised. Only their email, financials and source code. Source Code! I said, and he said it was no big deal. I am seeing the same info on the blogs and in comments on some of the articles I have been reading. Pretty bad stuff, because if they have their source code, then they can develop countermeasures for their products. We are ripping out our HBGary products until everything can be verified; thankfully we only have three small licenses."

- ???


Got to be honest. This response made me angry. This thing has drug out and drug out. I am in the middle of a very big event for us that will keep me very busy until the 14th. No one can expect me to drop what is likely one of the biggest events we will have this year for a "possible". I expect some flexibility given the contribution I have made thus far.
- Aaron


We should post this on the front page, throw out some tweets "HBGary Federal sets a new bar as private intelligence agency". The pun on bar is intentional.


December 13, 2010
Blogtopic/media pitch ideas:
· The Hackers Are Coming, The Hackers Are Coming!: Today there is a flurry of breaking news stories about hacks i.e. Gawker, McDonald’s, etc. Don’t spread FUD, but underscore why companies need to be prepared -> the Importance of Incident Response
· Critical Infrastructure Protection in 2011 and Beyond: What should “critical infrastructure” organizations -- and security vendors – need to be thinking about in the new year


Also, cocks.



EXPOSED: Attacks on Wikileaks (RT Interview): http://www.youtube.com/watch?v=ExL4KQ3noOI

HBGary Anonymous investigation News Article

Hackers Reveal Offers to Spy on Corporate Rivals

Anonymous' Target Planned to "Take Down" WikiLeaks

Palantir Tries to Preserve Their Government Contracts

Berico Technologies severs ties with HBGary
Press statement from Berico: http://bericotech.com/press/

Palantir Apologizes for Wikileaks Attack Proposal, Cuts Ties with HBGary
Press statement from Palantir: http://palantirtech.com/statement-from-dr-alex-karp

HBGary Fees: “Dam It Feels Good to Be a Gangsta"

Hacked Documents Show Chamber Engaged HBGary to Spy on Unions

Anonymous Claims Possession Of Insidious Stuxnet Virus

Magda Hassan
09-28-2013, 07:19 AM
Palantir just raised a massive $196M, filing shows
Palantir investor Peter Thiel speaking to a roomful of interns at the San Francisco Exploratorium.

September 27, 2013 2:03 PM
Christina Farr (http://venturebeat.com/author/christinafarr/)


Shadowy data-mining startup Palantir (http://palantir.com/) closed over $196 million in funding, according to an SEC filing (http://www.sec.gov/Archives/edgar/data/1321655/000132165513000002/xslFormDX01/primary_doc.xml).
The startup is notoriously press-shy, as it mines highly sensitive data for pharmaceutical companies and government agencies. The San Jose Mercury News reported (http://www.mercurynews.com/business/ci_24188550/exclusive-palantir-technologies-latest-funding-round-could-top) that the company would raise a huge chunk of funding, but it was not clear on the specifics.
The Palo Alto, Calif.-based Palantir boasts an unrivaled engineering and data science team. It handles messy swamps of data and turns it into data visualizations and maps. The company has built up a reputation in Silicon Valley for recruiting some of the most talented engineers from nearby Stanford University.
The rumored value of Palantir is at over $8 billion, and its chief executive, Alex Karp, told Forbes that it’s likely to close $1 billion in contracts (http://www.forbes.com/sites/andygreenberg/2013/08/14/agent-of-intelligence-how-a-deviant-philosopher-built-palantir-a-cia-funded-data-mining-juggernaut/) next year.
Its seed investor is Peter Thiel, who is an early investor in Facebook and a cofounder of PayPal. The company was founded by Karp, Joe Lonsdale (also cofounder of fin-tech startup Addepar), Stephen Cohen, and Nathan Gettings.
It also counts the CIA’s venture arm, In-Q-Tel (http://en.wikipedia.org/wiki/In-Q-Tel), among its early investors.
Palantir was recently named by the Telegraph as the “creepiest startup ever,” (http://blogs.telegraph.co.uk/technology/micwright/100010629/is-shadow-the-creepiest-startup-ever-no-cia-investment-palantir-still-owns-that-crown/) as it counts the U.S. Army and an array of intelligence agencies among its customers. It doesn’t hurt that the company was rumored to play a hand in the black ops initiative to kill Osama Bin Laden.
Palantir is one of Silicon Valley’s most well-funded startups. The company has raised over $500 million to date from venture firms like Founders Fund as well as private individuals like Yelp CEO Jeremy Stoppelman and former Square CTO Keith Rabois.
http://venturebeat.com/2013/09/27/palantir-just-raised-a-massive-196m-filing-shows/