Previous Newton's Third Law posts are Newton's Third Law, with two updates, written Wednesday and Thursday, posted Friday midday; and Newton's Third Law 3rd update, written and posted Friday. Now that it's Saturday, most of the new articles are roundups of older ones, but I've found (and been sent) some things that didn't surface before -- articles about methods, connections, ethical and legal questions and more. As in previous posts, all typos and bad grammar in original source material have been left unedited. I have also not corrected for variant spellings of HBGary.
Ars Technica: How One Man Tracked Down Anonymous And Paid a Heavy Price. (sent to me by liberal_japonicus). This is a look behind the scenes at Aaron Barr's actions at HBGary:
...Near the end of January, Barr began publicizing his information, though without divulging the names of the Anonymous admins. When the Financial Times picked up the story and ran a piece on it on February 4, it wasn't long before Barr got what he wanted—contacts from the FBI, the Director of National Intelligence, and the US military. The FBI had been after Anonymous for some time, recently kicking in doors while executing 40 search warrants against group members.
Confident in his abilities, Barr told one of the programmers who helped him on the project, "You just need to program as good as I analyze."
But on February 5, one day after the Financial Times article and six days before Barr's sit-down with the FBI, Anonymous did some "pwning" of its own. "Ddos!!! Fckers," Barr sent from his iPhone as a distributed denial of service attack hit his corporate network. He then pledged to "take the gloves off."
When the liberal blog Daily Kos ran a story on Barr's work later that day, some Anonymous users commented on it. Barr sent out an e-mail to colleagues, and he was getting worked up: "They think all I know is their irc names!!!!! I know their real fing names. Karen [HBGary Federal's public relations head] I need u to help moderate me because I am getting angry. I am planning on releasing a few names of folks that were already arrested. This battle between us will help spur publicity anyway."
Indeed, publicity was the plan. Barr hoped his research would "start a verbal braul between us and keep it going because that will bring more media and more attention to a very important topic."...
And then, within a day, Anonymous attacked, as we know. The fallout was intense:
The situation got so bad for the security company that HBGary, the company which partially owns HBGary Federal, sent its president Penny Leavy into the Anonymous IRC chat rooms to swim with the sharks—and to beg them to leave her company alone. (Read the bizarre chat log.) Instead, Anonymous suggested that, to avoid more problems, Leavy should fire Barr and "take your investment in aaron's company and donate it to BRADLEY MANNINGS DEFENCE FUND." Barr should cough off up a personal contribution, too; say, one month's salary?...
Barr's theory and tactics:
Barr had been interested in social media for quite some time, believing that the links it showed between people had enormous value when it came to mapping networks of hackers—and when hackers wanted to target their victims. He presented a talk to a closed Department of Justice conference earlier this year on "specific techniques that can be used to target, collect, and exploit targets with laser focus and with 100 percent success" through social media.
His curiosity about teasing out the webs of connections between people grew. By scraping sites like Facebook or LinkedIn, Barr believed he could draw strong conclusions, such as determining which town someone lived in even if they didn't provide that information. How? By looking at their friends.
"The next step would be ok we have 24 people that list Auburn, NY as their hometown," he wrote to the programmer implementing his directives. "There are 60 other people that list over 5 of those 24 as friends. That immediately tells me that at a minimum those 60 can be tagged as having a hometown as Auburn, NY. The more the data matures the more things we can do with it."
The same went for hackers, whose family and friends might provide information that even the most carefully guarded Anonymous member could not conceal. "Hackers may not list the data, but hackers are people too so they associate with friends and family," Barr said. "Those friends and family can provide key indicators on the hacker without them releasing it…"
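As an added illustration of the friend-list heuristic quoted above (this is not code from HBGary Federal or from Ars Technica), the script below applies the "over 5 of those 24" rule to a constructed set of profiles and then scores the guesses against a constructed ground truth that a scraper would never have; every profile id, friendship and town in it is made up.

```python
"""Hometown inference from friend lists, the heuristic Barr describes above.

Added example; this is not code from HBGary Federal or from Ars Technica.
Every profile, friendship and town below is constructed; the threshold is
the "over 5 of those 24" rule from the quoted e-mail.
"""

MIN_SHARED_FRIENDS = 5  # "over 5": strictly more than five seed friends

# Constructed sample. Each profile: (hometown as listed on the profile, or
# None if the field is blank; set of friend ids as they appear on the page).
SEEDS = {f"seed{i}": ("Auburn, NY", set()) for i in range(1, 9)}
HIDDEN = {
    # lists no hometown, friends with six of the Auburn seeds
    "h1": (None, {"seed1", "seed2", "seed3", "seed4", "seed5", "seed6"}),
    # lists no hometown, only two Auburn friends: below threshold
    "h2": (None, {"seed1", "seed2", "other1"}),
    # lists no hometown, seven Auburn friends but actually lives elsewhere
    "h3": (None, {f"seed{i}" for i in range(1, 8)}),
    # lists no hometown, no Auburn friends at all
    "h4": (None, {"other1", "other2"}),
    # lists a different hometown; the rule only fills blank fields
    "h5": ("Syracuse, NY", {f"seed{i}" for i in range(1, 9)}),
}
PROFILES = {**SEEDS, **HIDDEN}

# Constructed ground truth the scraper never sees, used only to score guesses.
TRUTH = {"h1": "Auburn, NY", "h2": "Auburn, NY", "h3": "Syracuse, NY",
         "h4": "Rochester, NY", "h5": "Syracuse, NY"}


def seeds_for(profiles, town):
    """Profiles that explicitly list `town` as their hometown."""
    return {pid for pid, (home, _) in profiles.items() if home == town}


def infer_hometown(profiles, town, min_shared=MIN_SHARED_FRIENDS):
    """Tag every profile with a blank hometown field whose friend list
    contains more than `min_shared` of the `town` seeds.
    Returns {profile_id: number_of_seed_friends}."""
    seeds = seeds_for(profiles, town)
    tagged = {}
    for pid, (home, friends) in profiles.items():
        if home is not None:
            continue  # only blank fields are guessed at
        shared = len(friends & seeds)
        if shared > min_shared:
            tagged[pid] = shared
    return tagged


def score(tagged, truth, town):
    """(true positives, false positives, misses) against ground truth."""
    tp = sum(1 for pid in tagged if truth[pid] == town)
    fp = len(tagged) - tp
    missed = sum(1 for pid, home in truth.items()
                 if home == town and pid not in tagged)
    return tp, fp, missed


if __name__ == "__main__":
    tagged = infer_hometown(PROFILES, "Auburn, NY")
    print(tagged)                              # {'h1': 6, 'h3': 7}
    print(score(tagged, TRUTH, "Auburn, NY"))  # (1, 1, 1)
```

On this sample the rule tags one correct profile, one wrong one and misses one, which is the kind of unvetted accuracy the programmer complains about later in the article.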
Not everyone at the company liked Barr's ideas:
His programmer had doubts, saying that the scraping and linking work he was doing was of limited value and had no commercial prospects. As he wrote in an e-mail:
Step 1 : Gather all the data
Step 2 : ???
Step 3 : Profit
But Barr was confident. "I will sell it," he wrote.
To further test his ideas and to drum up interest in them, Barr proposed a talk at the BSides security conference in San Francisco, which takes place February 14 and 15. Barr's talk was titled "Who Needs NSA when we have Social Media?" and his plan to draw publicity involved a fateful decision: he would infiltrate and expose Anonymous, which he believed was strongly linked to WikiLeaks.
"I am going to focus on outing the major players of the anonymous group I think," he wrote. "Afterall - no secrets right? :) We will see how far I get. I may focus on NSA a bit to just so I can give all those freespeech nutjobs something… I just called people advocating freespeech, nutjobs - I threw up in my mouth a little."
With that, the game was afoot....
According to the article, Barr had originally admired Anonymous for its work in outing the killing of civilians by US military, but he changed his mind after the leak of the diplomatic cables. And then he set to work:
Barr created multiple aliases and began logging on to Anonymous IRC chat rooms to figure out how the group worked. He worked to link these IRC handles to real people, in part using his social networking expertise, and he created fake Twitter accounts and Facebook profiles. He began communicating with those he believed were leaders.
After weeks of this work, he reported back to his colleagues on how he planned to use his fake personas to drum up interest in his upcoming talk.
I have developed a persona that is well accepted within their groups and want to use this and my real persona against eachother to build up press for the talk.
I am going to tell a few key leaders under my persona, that I have been given information that a so called cyber security expert named Aaron Barr will be briefing the power of social media analysis and as part of the talk with be dissecting the Anonymous group as well as some critical infrastructure and government organizations
I will prepare a press sheet for Karen to give to Darkreading a few days after I tell these folks under persona to legitimize the accusation. This will generate a big discussion in Anonymous chat channels, which are attended by the press. This will then generate press about the talk, hopefully driving more people and more business to us.
Barr then contacted another security company that specializes in botnet research. He suspected that top Anonymous admins like CommanderX had access to serious Internet firepower, and that this probably came through control of bots on compromised computers around the world.
Barr asked if the researchers could "search their database for specific targets (like the one below) during an operational window (date/time span) to see if any botnet(s) are participating in attacks? Below is an attack which is currently ongoing." (The attack in question was part of Anonymous' "Operation Payback" campaign and was targeted at the government of Venezuela.)
The report that came back focused on the Low Orbit Ion Cannon, a tool originally coded by a private security firm in order to test website defenses. The code was open-sourced and then abandoned, but someone later dusted it off and added "hivemind mode" that let LOIC users "opt in" to centralized control of the tool. With hundreds or thousands of machines running the stress-test tool at once, even major sites could be dropped quickly. (The company recorded only 1,200 machines going after MasterCard on December 11, for instance.)
To boost the credibility of his online aliases, Barr then resorted to a ruse. He asked his coder to grab the LOIC source code. "I want to add some code to it," Barr said. "I don't want to distribute that, it will be found and then my persona will be called out. I want to add it, distribute it under a persona to burn and then have my other persona call out the code."
The code to be added was an HTTP beacon that linked to a free website Barr had set up on Blogspot. He wanted a copy of the altered source and a compiled executable. His programmer, fearing Anonymous, balked.
Not everyone likes sock puppet tactics.
On January 20, the coder wrote back, "I'm not compiling that shit on my box!" He even refused to grab a copy of the source code from message boards or other IRC users, because "I ain't touchin' any of that shit as those are already monitored."
"Dude," responded Barr. "Anonymous is a reckless organization. C'mon I know u and I both understand and believe generally in their principles but they are not a focused and considerate group, the[y] attack at will and do not care of their effects. Do u actually like this group?"
The coder said he didn't support all they did, but that Anonymous had its moments. Besides, "I enjoy the LULZ."...
... But when WikiLeaks released its huge cache of US diplomatic cables, Barr came to believe "they are a menace," and that when Anonymous sprang to the defense of WikiLeaks, it wasn't merely out of principle. It was about power.
"When they took down MasterCard do u think they thought alright win one for the small guy!" he asked. "The first thought through most of their malcontented minds was a rush of power. That's not ideals."
He continued in this philosophical vein:
But dude whos evil?
US Gov? Wikileaks? Anonymous?
Its all about power. The Wikileaks and Anonymous guys think they are doing the people justice by without much investigation or education exposing information or targeting organizations? BS. Its about trying to take power from others and give it to themeselves.
I follow one law.
His coder asked Barr how he slept at night, "you military industrial machine capitalist."
"I sleep great," Barr responded. "Of course I do indoor [enjoy?] the money and some sense of purpose. But I canget purpose a lot of places, few of which pay this salary."
The comments are over the top, of course. Elsewhere, Barr gets more serious. "I really dislike corporations," he says. "They suck the lifeblood out of humanity. But they are also necessary and keep us moving, in what direction I don't know.
"Governments and corporations should have a right to protect secrets, senstive information that could be damage to their operations. I think these groups are also saying this should be free game as well and I disagree. Hence the 250,000 cables. WHich was bullshit… Society needs some people in the know and some people not. These folks, these sheep believe that all information should be accessible. BS. And if they truly believe it then they should have no problem with me gathering information for public distribution."
But Anonymous had a bit of a problem with that....
And more on his methodology:
Barr would do things like correlate timestamps; a user in IRC would post something, and then a Twitter post on the same topic might appear a second later. Find a few of these links and you might conclude that the IRC user and the Twitter user were the same person.
Even if the content differed, what if you could correlate the times that someone was on IRC with the times a Facebook user was posting to his wall? "If you friend enough people you might be able to correlate people logging into chat with people logging into Facebook," Barr wrote.
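As an added illustration of the timestamp-correlation idea in the excerpt above (not code from HBGary Federal or Ars Technica), the script below counts, for every IRC nick and Twitter handle, how often a tweet lands within a few seconds of an IRC message. The log lines, nicks, handles and times are all constructed placeholders.

```python
"""Timestamp correlation between IRC messages and tweets, the heuristic in
the Ars Technica excerpt above.

Added example; not code from HBGary Federal or Ars Technica. The IRC log and
tweets below are constructed, and every nick and handle is a placeholder.
"""
import re
from collections import Counter
from datetime import datetime

WINDOW_SECONDS = 5  # a tweet this soon after an IRC message counts as a hit

# Constructed IRC log: "[HH:MM:SS] <nick> message" (same day, same time zone)
IRC_LOG = """\
[21:00:05] <alpha> anyone seen the news?
[21:03:10] <alpha> brb
[21:05:00] <beta> lunch
[21:07:30] <alpha> back
[21:09:15] <beta> ok
[21:12:00] <gamma> lol
"""

# Constructed tweets: "HH:MM:SS @handle text"
TWEETS = """\
21:00:07 @a_user wow, the news today
21:03:12 @a_user stepping out
21:05:03 @b_user lunch time
21:07:34 @a_user and I'm back
21:09:18 @a_user ok then
21:12:40 @c_user haha
"""

IRC_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] <([^>]+)> ")
TWEET_RE = re.compile(r"^(\d\d:\d\d:\d\d) (@\w+) ")


def parse(text, pattern):
    """Return [(time, author)] for each line the pattern matches."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2)))
    return events


def correlate(irc, tweets, window=WINDOW_SECONDS):
    """Count, per (nick, handle) pair, IRC messages that a tweet from the
    handle follows within `window` seconds."""
    hits = Counter()
    for t_irc, nick in irc:
        for t_tw, handle in tweets:
            delta = (t_tw - t_irc).total_seconds()
            if 0 <= delta <= window:
                hits[(nick, handle)] += 1
    return hits


def ranked_pairs(irc_text=IRC_LOG, tweet_text=TWEETS, window=WINDOW_SECONDS):
    """(nick, handle) pairs sorted by hit count, most hits first."""
    hits = correlate(parse(irc_text, IRC_RE), parse(tweet_text, TWEET_RE), window)
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for pair, n in ranked_pairs():
        print(pair, n)
```

Note that "beta" collects one hit each against two different handles from coincidence alone, so a count of hits without a baseline for chance matches is exactly the unvetted statistic the programmer objects to later in the piece.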
The document contained a list of key IRC chatrooms and Twitter accounts. Facebook groups were included, as were websites. But then Barr started naming names. His notes are full of comments on Anonymous members. "Switch" is a "real asshole but knows what he's talking about," while "unbeliever" might be "alexander [last name redacted]."
In the end, Barr determined that three people were most important. A figure called Q was the "founder and runs the IRC. He is indead in California, as are many of the senior leadership of the group." Another person called Owen is "almost a co-founder, lives in NY with family that are also active in the group, including slenaid and rabbit (nicks)." Finally, CommanderX can "manage some significant firepower." Barr believed he had matched real names to each of these three individuals.
After his not-altogether-successful IRC discussion with members of Anonymous, in which his pseudonym was Julian Goodspeak, someone from Anonymous apparently tried to recruit him for a job, though Anonymous later said this was a joke:
Then came an IRC log that Barr sent around, in which a user named Topiary tried to recruit him (under the name CogAnon) for "a new operation in the Washington area" where HBGary Federal has its headquarters. The target is "a security company."
By late afternoon on the 5th, Barr was angry and perhaps a little scared, and he asked his PR person to "help moderate me because I am getting angry. I am planning on releasing a few names of folks that were already arrested." It's not clear that Barr ever did this, however; he admitted in another e-mail that he could get a bit "hot" in private, though he would generally cool down before going public.
Topiary: We're recruiting for a new operation in the Washington area; interested?
CogAnon: potentially depends on what it is...
Topiary: I take it from your host that you're near where our target is. We could use local publicity.
CogAnon: Is it physical or virtual?
CogAnon: ah yeah...I am close...
Topiary: Virtual. Everything is in place.
CogAnon: I can be in the city within a few hours...depending on trafficlol.
CogAnon: oh ok.
CogAnon: ok so what do u need from me?
Topiary: Our target is a security company. We may need local help on information gathering.
CogAnon: ok well just let me know.
CogAnon: not sure how I can help still though?
Hours later, the attack escalated from some odd DDoS traffic to a full-scale break-in of HBGary Federal systems, one that showed tremendous skill. "What amazes me is, for a security company - you had such a basic SQL vulnerability on your website," wrote one Anonymous member later.
Days afterward, the company has still not managed to restore its complete website.
The coder he worked with continued to object to his methods:
Later, when Barr talks about some "advanced analytical techniques" he's been pondering for use on the Anonymous data, the coder replies with apparent frustration, "You keep saying things about statistics and analytics but you haven't given me one algorithm or SQL query statement."
Privately, the coder then went to another company official with a warning. "He's on a bad path. He's talking about his analytics and that he can prove things statistically but he hasn't proven anything mathematically nor has he had any of his data vetted for accuracy, yet he keeps briefing people and giving interviews. It's irresponsible to make claims/accusations based off of a guess from his best gut feeling when he has even told me that he believes his gut, but more often than not it's been proven wrong. I feel his arrogance is catching up to him again and that has never ended well...for any of us."
Others made similar dark warnings. "I don't really want to get DDOS'd, so assuming we do get DDOS'd then what? How do we make lemonade from that?" one executive asked Barr. The public relations exec warned Barr not to start dropping real names: "Take the emotion out of it -> focus on the purpose. I don't see benefit to you or company to tell them you have their real names -- published or not."
Another internal warning ended: "Danger Will Robinson. You could end up accusing a wrong person. Or you could further enrage the group. Or you could be wrong, and it blows up in your face, and HBGary's face, publicly."...
And then it all blew up:
The hack unfolded at the worst possible time for HBGary Federal. The company was trying to sell, hopefully for around $2 million, but the two best potential buyers started to drag their heels. "They want to see delivery on pipeline before paying those prices," [HBGary president Penny] Leavy wrote to Barr. "So initial payout is going to be lower with both companies I am talking with. That said our pipeline continues to drag out as customers are in no hurry to get things done quickly so if we dont sell soon and our customers dont come through soon we are going to have cash flow issues."
And being blasted off the 'Net by Anonymous is practically the last thing a company in such a situation needs. After the attacks, Leavy told the Financial Times that they cost HBGary millions of dollars....
And who were Barr and his company up against in all this? According to Anonymous, a five-member team took down HBGary Federal and rootkit.com, in part through the very sort of social engineering Barr had tried to employ against Anonymous.
One of those five was allegedly a 16-year old girl, who "social engineered your admin jussi and got root to rootkit.com," one Anonymous member explained in IRC...
New York Times: Hackers Reveal Offers to Spy on Corporate Rivals. This is a good rundown of the whole situation; what I find most interesting is the correction appended to the later edition:
HB Gary Federal and HB Gary are two related companies that share some of the same owners and have shared the same offices as their California headquarters. But they are distinct entities. An earlier version of the story was not clear on this distinction.
Hoovers.com, which provides detailed research on companies and their officers for sale or subscription, shows no company named HB Gary or HB Gary Federal. The limited information available for free (company names, addresses, type of company, some corporate officers' names and emails) includes two listings each for HBGary and HBGary Federal; none of the officers listed at any of them have the same names as anyone mentioned in any of the news reports or articles I've seen, online or off. It's possible that Hoovers' website hasn't been updated recently, though research-by-subscription sites tend to do their best to stay on top of all information. I may be wrong, but I'm under the impression that Hoovers is a standard reference used by government purchasing agents in connection with bids or contracts with private industry; that's what it was used for when I used to work in government. Perhaps a different source is considered authoritative now?
Salon.com: A disturbing threat against one of our own.
...But what the authors of the report meant when they plotted how Glenn and the others could be "disrupted" or "pushed" is as unclear as it is ominous -- and has us deeply concerned. The report was exposed by Anonymous, the pro-WikiLeaks hackers who went after the companies that dropped services to the whistle-blowing organization last year. Anonymous was apparently acting in retaliation to HBGary, whose head of security services, Aaron Barr, had earlier claimed to have infiltrated the Anonymous network. HBGary has since responded, claiming that "information currently in the public domain" from the leak "is not reliable because the perpetrators of this offense, or people working closely with them, have intentionally falsified certain data."
But the security firm Palantir wasted little time severing all relations with HBGary, with Palantir CEO Alex Karp issuing a statement saying that "I want to publicly apologize to progressive organizations in general, and Mr. Greenwald in particular, for any involvement that we may have had in these matters." Karp also reached out and apologized directly to Glenn.
We have no reason not to take the report seriously. As a result, I've asked both Hunton and Williams and Bank of America to explain any role they played and address whether HB Gary (or any of the firms) were being paid, or promised payment, for its development. I'll update this post when we hear their responses.
As bumbling as this whole saga sounds -- Internet security firm can't keep its shadowy dirty tricks campaign from being hacked -- what's outlined in these sets of proposals, as Glenn points out, "quite possibly constitutes serious crimes." And as it relates to Glenn and the others, it constitutes an unconscionable attempt to silence journalists doing their jobs. We'll continue to stay on this story until we get some real answers.
At the time I write this, Berico, its CEO Guy Filippelli and COO Nick Hallam have formally severed ties with HBGary and issued a statement (at the Salon link.) Bank of America spokesman Scott Silvestry denied seeing the presentation, denied engaging HBGary Federal, and denied interest in any practices "discussed in recent press reports involving HBGary Federal." Salon editor-in-chief Kerry Lauerman has not at this point received answers to her questions regarding the targeting of Glenn Greenwald.
USA Today: The US Chamber of Commerce has joined Bank of America in denying any ties to disinformation campaigns against Anonymous. This article describes the actual attack by Anonymous:
[Gregg] Housh [described earlier in the article as "a well-known activist and close observer of Anonymous"] emphasized that he does not participate in Anonymous' attacks, nor is he a spokesman for the hacking group, which may be best known for seeking revenge on corporations that attempted to cripple WikiLeaks.
But Housh regularly hangs around public Internet Relay Chat rooms where Anonymous members are known to congregate. He was in such a chat room with about 100 others last weekend when the HBGary hack was hatched. So he had a ring side seat.
Housh says a 16- year-old girl who part of a team of five elite hackers that conducted the hack played a pivotal role. She tricked a systems administrator into giving her access deep inside the company's network by persuading the admin into letting her use a temporary password: changeme123.
The team then swooped in to quickly deface the company's website and destroy data and applications, including wiping out back-up programs. They broke into the company's Google Enterprise cloud-based e-mail service and spent several hours downloading e-mail from Barr and five other senior employees. The entire hack took about eight or nine hours, with most of that time spent downloading emails, estimates Housh.
About 50,000 of Barr's e-mails very quickly got released on the Internet. But roughly 27,000 e-mails from the account of HBGary co-founder Greg Hoglund were held in reserve.
Anonymous group members who did not participate in the hack, along with a handful of reporters, began poring through Barr's email....
And on Thursday, Feb. 10, Lee Fang, a reporter for ThinkProgress.org, published this story tying the U.S. Chamber to preparations for a $2 million dirty-tricks campaign to undermine non-profit and labor groups who oppose the chamber's lobbying missions on behalf of large corporations.
Barr's e-mails contained details of plans to create faked personas to try to infiltrate such groups. One tactic discussed was how to entice opponent groups to go public with the bogus documents smearing the chamber, then exposing the documents as erroneous.
Even more worrisome were plans to harvest and circulate sensitive and unflattering information about spouses and children of progressive group leaders, says ThinkProgress reporter Scott Keyes....
"It's important to note that the smears and disinformation plans only saw the light of day because these e-mails were leaked," says Keyes. "Otherwise all this stuff very likely would have ended up in the mainstream dialogue, without people realizing that this was a smear plot deliberately hatched by the U.S. Chamber of Commerce."
The e-mail revelations may not be over. Housh says Anonymous members late Friday were pushing ahead with plans to begin releasing Hoglund's e-mails -- on a user-friendly web page.
"So now they're working on a searchable, web-based interface that allows anyone to go through and categorize 27,000 more pieces of e-mail," says Housh. "They're saying very clearly that some of this next stuff to come out is worse. We'll see."
Firedoglake: Security Contractor HBGary Tries to Protect US from Anonymous, WikiLeaks. This article considers possible implications of government connections with or consent to Barr's work for HBGary Federal, and asks relevant ethical and legal questions:
...HBGary and Palantir are partners. Palantir Technologies has been sought by the CIA, DHS and FBI to help government analysts “integrate unstructured open source information with data from various agency databases to analyze them for outstanding correlations and connections in an attempt to mitigate the burden of rummaging around through the immense amount of information available to them.” Either Palantir Technologies found the time to stop serving government and work with Hunton and Williams to help Bank of America stop WikiLeaks from releasing documents that might impact Bank of America operations, or, possibly the US government had given tacit approval to Palantir to participate in this operation.
Berico Technologies worked with the National Security Agency (NSA) to invent technology that “made finding roadside-bomb makers easier and helped stanch the number of casualties from improvised explosive.” They also decided to participate in this initiative or, again, possibly someone in the US government suggested private corporations begin to go after WikiLeaks....
HBGary counts as an advisor Andy Purdy, who was a member of the White House staff team that helped to draft the U.S. National Strategy to Secure Cyberspace in 2003. He joined the Department of Homeland Security and served on “the tiger team that helped to form the National Cyber Security Division (NCSD) and the U.S. Computer Emergency Readiness Team (US-CERT).” He worked for three and a half years and spent the last two heading the NCSD and US-CERT as a “Cyber Czar.” With HBGary he is involved in an Anonymous style hacktivist attack.
For fiscal year 2011, the federal budget for homeland security will provide “$364 million to the Department of Homeland Security to support the operations of the National Cyber Security Division which protects Federal systems as well as continuing efforts under the Comprehensive National Cybersecurity Initiative to protect our information networks from the threat of attacks or disruptions.” Should companies engaged in this kind of conduct be allowed to take government money to fund their company’s operations, which are supposed to protect government cyber infrastructure?...
NetworkWorld: The Year Hacking Goes Mainstream. After summarizing the Story Thus Far:
...It seems HBGary was working with Bank of America on a plan to take down WikiLeaks -- and, strangely, CNN and Salon commentator Glenn Greenwald, whom it deemed instrumental to WikiLeaks' continued existence, along with a handful of other prominent journalists.
HBGary was one of five firms allegedly involved in the discussion, along with law firm Hunton & Williams, data-gathering firms Palantir and Berico, and consultants Booz Allen Hamilton. Business Insider published the slides this group prepared for BofA. It's pretty chilling.
...That presentation [for Bank of America] suggests strategies such as sowing dissension within the WikiLeaks org, disinformation (submitting false documents to WikiLeaks in order to discredit it), cyber attacks against WikiLeaks' service providers, a media smear campaign, and "using social media to profile and identify risky behavior of [WikiLeaks] employees."
Does that last one sound like blackmail to you?
HBGary is trying to sell the idea that Anonymous falsified some of the documents, but I doubt anyone's buying it. Palantir has already publicly apologized to Greenwald and severed its ties with HBGary, which suggests the information contained in that leak is accurate.
To recap: A massive U.S. corporation is targeting whistleblowing websites and mainstream American journalists, with the help of several data/security/consulting firms with strong ties to the U.S. government. It sounds like the plot of a Hollywood summer blockbuster. It's not.
So tell me: Who are the white hats and who are the black hats here?
Fasten your seatbelts. It's going to get a lot more bumpy from here on out.
CSO Online: Lessons of the HBGary Hack. This is a guest post by Nick Selby, who is "CEO of a stealth-mode technology start-up. He is a sworn law enforcement officer in Texas, and will speak at BSIdes San Francisco on February 14th about ways in which information security professionals can work with law enforcement.":
...Now, I don't know much about law enforcement, but I do think that, if you're planning, say, to serve a felony warrant, it's a bad idea to phone ahead and let the guy know you'll be by in 15 minutes. If?
A good rule of thumb is that you don't tip your hand about the specifics of your work on any case for any reason. And drumming up business through publicizing your specific public service is as bad a reason as any.
Reasons for this fall into two categories. The first is that fighting crime is, you know, dangerous. Criminals generally engage in criminal enterprises for the money (few people have a driving passion to establish, say, an industry-leading counterfeiting ring for the societal benefit), and those who stand between criminals and their goal risk the ire of the criminals. This is not fair or just, but it is so.
Now, stating in a newspaper that you possess the secret identity of a criminal? This falls squarely into the category of "standing between a criminal and his goal." That's a tip, kids. Write it down. To paraphrase Wendy in A Fish Called Wanda, one only briefs the public on an upcoming law enforcement action if one is congenitally insane or irretrievably stupid....