Last Saturday, an article in the Financial Times featured Aaron Barr of cybersecurity firm HB Gary Federal, boasting that he had discovered the identities of key members of the hacking collective that calls itself Anonymous.
Any cybersecurity firm worth its salt should realize that this action would result in a reaction, and should create protocols and take precautions to avoid them.
Hmm. Apparently not.
In short order, Anonymous hacked them, printed "Fail" across Barr's photo, wrote him a scathing letter to accompany it, and released a compilation of 40,000+ of the company's files and memos to the public. Some of these concerned a presentation prepared for Bank of America last December on how the bank could protect itself against Wikileaks.
One of HB Gary Federal's bright ideas? Target Salon columnist Glenn Greenwald, who is also a New York Times best-selling author and attorney. Why? On the grounds that because Greenwald wants to make sure Bradley Manning isn't being mistreated and Manning is accused of leaking files to Anonymous, Greenwald therefore must be part of Anonymous.
From: Greg Hoglund | Sun, Feb 6, 2011 at 1:59 PM | To: jussi
im in europe and need to ssh into the server. can you drop open up firewall and allow ssh through port 59022 or something vague? and is our root password still 88j4bb3rw0cky88 or did we change to 88Scr3am3r88 ? thanks
From: jussi jaakonaho | Sun, Feb 6, 2011 at 2:06 PM | To: Greg Hoglund
hi, do you have public ip? or should i just drop fw? and it is w0cky - tho no remote root access allowed
From: Greg Hoglund | Sun, Feb 6, 2011 at 2:08 PM | To: jussi jaakonaho
no i dont have the public ip with me at the moment because im ready for a small meeting and im in a rush. if anything just reset my password to changeme123 and give me public ip and ill ssh in and reset my pw.
From: jussi jaakonaho | Sun, Feb 6, 2011 at 2:10 PM | To: Greg Hoglund
ok, takes couple mins, i will mail you when ready. ...
Anonymous used entry into a less-secure webserver to gain access to Barr's credentials as a sysadmin, and from there they went wherever they wanted.
I have to wonder just what kind of protocols and procedures HB Gary Federal has been using for internal security. That kind of call-in for a lost password wouldn't have been allowed when I worked in county government in a large metropolitan county more than 20 years ago. The computer security people I know these days tend to carry their passwords and other credentials in heavily encrypted files on thumb drives or other miniature media that don't leave their persons when they travel. I can't speak for all of them, but the ones I talked with while putting this together uniformly agreed that any security company employee who was out of town for a demo and was so unlucky as to forget his password would get this reaction if he called in: tough luck.
Quoting the letter Anonymous left for Barr:
Greetings HBGary (a computer "security" company),
Your recent claims of "infiltrating" Anonymous amuse us, and so do your attempts at using Anonymous as a means to garner press attention for yourself. How's this for attention?...
What you seem to have failed to realize is that, just because you have the title and general appearance of a "security" company, you're nothing compared to Anonymous. You have little to no security knowledge. Your business thrives off charging ridiculous prices for simple things like NMAPs, and you don't deserve praise or even recognition as security experts. And now you turn to Anonymous for fame and attention? You're a pathetic gathering of media-whoring money-grabbing sycophants who want to reel in business for your equally pathetic company.
Let us teach you a lesson you'll never forget: you don't mess with Anonymous. You especially don't mess with Anonymous simply because you want to jump on a trend for public attention, which Aaron Barr admitted to in the following email:
"But its not about them...its about our audience having the right impression of our capability and the competency of our research. Anonymous will do whatever they can to discredit that. and they have the mic so to speak because they are on Al Jazeera, ABC, CNN, etc. I am going to keep up the debate because I think it is good business but I will be smart about my public responses."
You've clearly overlooked something very obvious here: we are everyone and we are no one. If you swing a sword of malice into Anonymous' innards, we will simply engulf it. You cannot break us, you cannot harm us, even though you have clearly tried...
You think you've gathered full names and home addresses of the "higher-ups" of Anonymous? You haven't. You think Anonymous has a founder and various co-founders? False. You believe that you can sell the information you've found to the FBI? False. Now, why is this one false? We've seen your internal documents, all of them, and do you know what we did? We laughed. Most of the information you've "extracted" is publicly available via our IRC networks. The personal details of Anonymous "members" you think you've acquired are, quite simply, nonsense.
So why can't you sell this information to the FBI like you intended? Because we're going to give it to them for free. Your gloriously fallacious work can be a wonder for all to scour, as will all of your private emails (more than 44,000 beauties for the public to enjoy). Now as you're probably aware, Anonymous is quite serious when it comes to things like this, and usually we can elaborate gratuitously on our reasoning behind operations, but we will give you a simple explanation, because you seem like primitive people:
You have blindly charged into the Anonymous hive, a hive from which you've tried to steal honey. Did you think the bees would not defend it? Well here we are. You've angered the hive, and now you are being stung.
It would appear that security experts are not expertly secured....
Barr told the Financial Times that he had discovered the identities of Anonymous members by 'monitoring' IRC channels said to be used by Anonymous and doing research in LinkedIn, Classmates.com, Facebook and other social networking sites.
In some accounts Barr planned to sell the supposed identification of Anonymous members to the FBI. However, he said on Monday that he wasn't going to give it to police "who would face hurdles in using some of the methods he employed, including creating false Facebook profiles."
On Feb 5, 2011, at 10:17 AM, Karen Burke wrote: Thanks — I just saw the tweets and thought they were great. Will you say that you’ve been contacted by FBI (or law enforcement) as result of story?
On Sat, Feb 5, 2011 at 7:15 AM, Aaron Barr wrote: ok Karen. I just tweeted a few posts on research and talk. This is the angle I want to stick with. If anyone asks about using this information for law enforcement I think we should say, well of course if law enforcement wants to discuss with me my research I will, its all open source, thats the thing, its all there. But my intent is not to do this work to put people in jail, my intent is to clearly demonstrate how this can be effectively used to gather significant intelligence and potentially exploit targets of interest (the other customers will read between the lines).
...Mr Barr again said on Monday that he did not intend to publish the names of Anonymous leaders, adding that his research, to be presented later this month at a security conference in San Francisco, was part of a study on how social networking sites make it easier for hackers to penetrate secretive organisations.
In the Anonymous case, he matched Facebook log-in times with the times when group members signed in to Anonymous’s internet relay chat groups. At a nuclear plant and a US military outfit, he used LinkedIn, Classmates and Facebook to assume identities and build trust before inducing targets to click on internet links that could have infected their machines with spy software....
It seems to me that there should be other ways for a former Navy cryptologist to go about this research than lurking on Facebook. But to get back to the story:
HB Gary Federal and two other data security companies -- Palantir Technologies and Berico Technologies -- were contacted to create a strategy for use against Wikileaks by Hunton and Williams, a legal firm that advertises Bank of America as one of its clients. This occurred after a late-night Nov. 30 conference call among Bank of America officials who were nervous about Julian Assange's comment the day before that he would 'take down' a major bank. The three companies, collectively called Team Themis, quickly assembled a presentation that was shown to Bank of America on December 3.
Hunton and Williams were recommended to Bank of America’s general counsel by the Department of Justice, according to the email chain viewed by The Tech Herald. The law firm was using the meeting to pitch Bank of America on retaining them for an internal investigation surrounding WikiLeaks.
“They basically want to sue them to put an injunction on releasing any data,” an email between the three data intelligence firms said. “They want to present to the bank a team capable of doing a comprehensive investigation into the data leak.”
Hunton and Williams would act as outside counsel on retainer, while Palantir would take care of network and insider threat investigations. For their part, Berico Technologies and HBGary Federal would analyze WikiLeaks.
“Apparently if they can show that WikiLeaks is hosting data in certain countries it will make prosecution easier,” the email added.
In less than 24 hours, the three analytical companies created a presentation filled with publicly available information and ideas on how the firms could be “deployed” against WikiLeaks “as a unified and cohesive investigative analysis cell.”
The plan is .... interesting. In many ways it reflects similar thinking to the DoD strategy for disrupting Wikileaks published in 2008. The proposal ranges from cyber-attacks against Wikileaks servers to mounting a campaign against Glenn Greenwald....
But there is something else important to note here as well. Generally, we view security researchers (consultants, etc.) as providing services to help companies secure their systems from exploitation. Hackers try to compromise the system; admins and security professionals exist to keep them out. What we have here is a case where security researchers are actively marketing the service of leveraging security flaws found through their research on behalf of clients interested in *conducting* a cyber attack. It seems pretty difficult to interpret the BoA proposal as anything but an offer to conduct coordinated cyber attacks against Wikileaks.
I can't remember this type of proposal ever being exposed before. IMO, this is the most unsettling part of the whole episode. It probably should not be viewed as a good thing.
(The discussion in comments on Dagblog is worth reading.)
... The proposal starts with an overview of WikiLeaks, including some history and employee statistics. From there it moves into a profile of Julian Assange and an organizational chart. The chart lists several people, including volunteers and actual staff.
One of those listed as a volunteer, Salon.com columnist, Glenn Greenwald, was singled out by the proposal. Greenwald, previously a constitutional law and civil rights litigator in New York, has been a vocal supporter of Bradley Manning, who is alleged to have given diplomatic cables and other government information to WikiLeaks. He has yet to be charged in the matter.
Greenwald became a household name in December when he reported on the “inhumane conditions” of Bradley Manning’s confinement at the Marine brig in Quantico, Virginia. Since that report, Greenwald has reported on WikiLeaks and Manning several times.
“Glenn was critical in the Amazon to OVH transition,” the proposal says, referencing the hosting switch WikiLeaks was forced to make after political pressure caused Amazon to drop their domain.
[Earlier drafts of the proposal and an email from Aaron Barr used the word "attacked" over "disrupted" when discussing the level of support.]
The proposal continues by listing the strengths and weaknesses of WikiLeaks. For the strong points, there is the global WikiLeaks following and volunteers. Outlining the weaknesses, the proposal lists financial pressure - due to the companies refusing to process WikiLeaks’ donations at the time - and discord among some of the WikiLeaks members.
“Despite the publicity, WikiLeaks is NOT in a healthy position right now,” an early draft of the proposal noted. “Their weakness [sic] are causing great stress in the organization which can be capitalized on.”
Some of the things mentioned as potential proactive tactics include feeding the fuel between the feuding groups, disinformation, creating messages around actions to sabotage or discredit the opposing organization, and submitting fake documents to WikiLeaks and then calling out the error.
“Create concern over the security of the infrastructure. Create exposure stories. If the process is believed to not be secure they are done. Cyber attacks against the infrastructure to get data on document submitters. This would kill the project. Since the servers are now in Sweden and France putting a team together to get access is more straightforward.”
Anyone who thinks Glenn Greenwald "became a household name in December" hasn't been paying attention. He's been writing for Salon for years. He's published books listed as New York Times bestsellers. Before all this, he was a constitutional law and civil rights litigator in New York. He did not just emerge from the woodwork in December 2010 by writing about Bradley Manning. He's been reporting on Wikileaks all along.
And if concern about Bradley Manning's treatment at Guantanamo makes one a member of Anonymous, then my name should be on Barr's list, along with Congressman Dennis Kucinich and thousands of other people.
Greenwald's first reaction was published in the Tech Herald article:
The Tech Herald was able to get in touch with Glenn Greenwald for his reaction to being singled out in the WikiLeaks proposal. He called the report creepy and disturbing. Moreover, he commented that the suggestions for dealing with WikiLeaks, along with the assumption that the organization could be undermined, were “hard to take seriously.”
The listed mitigations, such as disinformation or submitting false documents, have been discussed before. In 2008, the Pentagon had similar ideas, so that aspect of the document was nothing new.
Greenwald, as a journalist, is a prolific writer on media topics. He is a harsh critic of political figures and the mainstream media. The suggestion made by the proposal that he would pick career over cause is “completely against” what he is about, he told us.
“The only reason I do what I do is because I'm free to put cause before career,” he said.
Pointedly, he reminded us that his work includes taking aim at political figures, which could be a source of professional leverage with scoops or favors, as well as news organizations who could offer him gainful employment. None of these actions paints a picture of a man who would pick career over his passion.
Greenwald wrote in Salon today:
In the wake of the ensuing controversy caused by publication of these documents, the co-founder and CEO of Palantir Tech, Alex Karp, has now issued a statement stating that he "directed the company to sever any and all contacts with HB Gary." The full statement -- which can be read here -- also includes this sentence: "personally and on behalf of the entire company, I want to publicly apologize to progressive organizations in general, and Mr. Greenwald in particular, for any involvement that we may have had in these matters." Palantir has also contacted me by email to arrange for Dr. Karp to call me to personally convey the apology. My primary interest is in knowing whether Bank of America retained these firms to execute this proposal and if any steps were taken to do so; if Karp's apology is genuine, that information ought to be forthcoming (as I was finishing writing this, Karp called me, seemed sincere enough in his apology, vowed that any Palantir employees involved in this would be dealt with the way they dealt with HB Gary, and commendably committed to telling me by the end of the week whether Bank of America or Hunton & Williams actually retained these firms to carry out this proposal).
* * * * *
My initial reaction to all of this was to scoff at its absurdity. Not being familiar with the private-sector world of internet security, I hadn't heard of these firms before and, based on the quality of the proposal, assumed they were just some self-promoting, fly-by-night entities of little significance. Moreover, for the reasons I detailed in my interview with The Tech Herald -- and for reasons Digby elaborated on here -- the very notion that I could be forced to choose "professional preservation over cause" is ludicrous on multiple levels. Obviously, I wouldn't have spent the last year vehemently supporting WikiLeaks -- to say nothing of aggressively criticizing virtually every large media outlet and many of their leading stars, as well as the most beloved political leaders of both parties -- if I were willing to choose "career preservation over cause."
But after learning a lot more over the last couple of days, I now take this more seriously -- not in terms of my involvement but the broader implications this story highlights. For one thing, it turns out that the firms involved here are large, legitimate and serious, and do substantial amounts of work for both the U.S. Government and the nation's largest private corporations (as but one example, see this email from a Stanford computer science student about Palantir). Moreover, these kinds of smear campaigns are far from unusual; in other leaked HB Gary emails, ThinkProgress discovered that similar proposals were prepared for the Chamber of Commerce to attack progressive groups and other activists (including ThinkProgress). And perhaps most disturbing of all, Hunton & Williams was recommended to Bank of America's General Counsel by the Justice Department -- meaning the U.S. Government is aiding Bank of America in its defense against/attacks on WikiLeaks.
That's why this should be taken seriously, despite how ignorant, trite and laughably shallow is the specific leaked anti-WikiLeaks proposal. As creepy and odious as this is, there's nothing unusual about these kinds of smear campaigns. The only unusual aspect here is that we happened to learn about it this time because of Anonymous' hacking. That a similar scheme was quickly discovered by ThinkProgress demonstrates how common this behavior is. The very idea of trying to threaten the careers of journalists and activists to punish and deter their advocacy is self-evidently pernicious; that it's being so freely and casually proposed to groups as powerful as the Bank of America, the Chamber of Commerce, and the DOJ-recommended Hunton & Williams demonstrates how common this is. These highly experienced firms included such proposals because they assumed those deep-pocket organizations would approve and it would make their hiring more likely.
But the real issue highlighted by this episode is just how lawless and unrestrained is the unified axis of government and corporate power. I've written many times about this issue -- the full-scale merger between public and private spheres -- because it's easily one of the most critical yet under-discussed political topics. Especially (though by no means only) in the worlds of the Surveillance and National Security State, the powers of the state have become largely privatized. There is very little separation between government power and corporate power. Those who wield the latter intrinsically wield the former. The revolving door between the highest levels of government and corporate offices rotates so fast and continuously that it has basically flown off its track and no longer provides even the minimal barrier it once did. It's not merely that corporate power is unrestrained; it's worse than that: corporations actively exploit the power of the state to further entrench and enhance their power.
That's what this anti-WikiLeaks campaign is generally: it's a concerted, unified effort between government and the most powerful entities in the private sector (Bank of America is the largest bank in the nation). The firms the Bank has hired (such as Booz Allen) are suffused with the highest level former defense and intelligence officials, while these other outside firms (including Hunton & Williams and Palantir) are extremely well-connected to the U.S. Government. The U.S. Government's obsession with destroying WikiLeaks has been well-documented. And because the U.S. Government is free to break the law without any constraints, oversight or accountability, so, too, are its "private partners" able to act lawlessly. That was the lesson of the Congressional vesting of full retroactive immunity on lawbreaking telecoms, of the refusal to prosecute any of the important Wall Street criminals who caused the 2008 financial crisis, and of the instinctive efforts of the political class to protect defrauding mortgage banks....
Palantir has publicly severed its ties to HB Gary. Aaron Barr has not been fired because he owns part of the company. Penny Leavy, president of HB Gary, has said that she was unaware of the plan to sell the information to the FBI and that to her knowledge this was only supposed to be used in theoretical research.
UPDATE, 5:09 p.m. EDT:
In a USA Today article, Bank of America is denying any connection with HB Gary, the presentation discussed above, or the tactics it discusses.
"We've never seen the presentation, never evaluated it, and have no interest in it," BofA spokesman Scott Silvestri told Technology Live late Thursday.
From the same article:
"It's a soap opera of the highest degree," says Josh Shaul, vice president of product management at database security firm Application Security.
Shaul's daily duties include monitoring the activities of hacking groups and analyzing sensitive material released on WikiLeaks and other websites. Says Shaul:
Aaron Barr put his head into the lion's mouth. He goes to one of the most powerful hacking groups in the world, breaks into their inner circle and then publicly announces it. It's one of the dumbest things I've ever seen a senior security person do. Within 24 hours, Anonymous attacks HBGary Federal, and gets into Aaron Barr's personal e-mail. They pull out documents from HBGary e-mail archives, including all of the go-between about this plan to shut down WikiLeaks. They make HBGary look foolish, which in turn makes Bank of America look bad for going out and trying to use any means necessary to shut down Wikileaks.
HBGary has posted a statement saying it has been the victim of an "intentional criminal cyberattack" and is taking steps to respond.
Karen Burke, HBGary's director of marketing and communication, declined to elaborate. "The investigation is ongoing so it would be premature to comment any further at this time," she told Technology Live on Thursday night...
In a flurry of e-mail exchanges between Dec. 2 and Dec. 3, the three firms refine several drafts of the slide deck, says Steve Ragan, Security Editor at The Tech Herald.
Titled "The WikiLeaks Threat," the 6th and final version of the slide deck [the presentation discussed above] summarizes WikiLeaks' strengths and weaknesses, outlines "proactive tactics" including fueling feuds, spreading disinformation and releasing faked documents through Wikileaks, then calling out errors. Other recommendations include:
Create concern over the security of the infrastructure. Create exposure stories. If the process is believed to not be secure they are done . . . Cyber attacks against the infrastructure to get data on document submitters. This would kill the project . . . Media campaign to push the radical and reckless nature of wikileaks activities . . . Use social media to profile and identify risky behavior of employees
"If Bank of America agreed completely with the presentation it looks as if they were planning on systematically going after WikiLeaks," says Ragan....
Asked specifically about the slide deck, BofA spokesman Silvestri said: "Neither Bank of America, nor any of its vendors, have engaged HBGary Federal in this matter. We have not engaged in, nor do we have any plans to, the practices discussed in recent press reports involving HBGary Federal."
Ars Technica: How Aaron Barr revealed himself to Anonymous -- by talking with someone he'd been surveilling without using a pseudonym:
...The encounter began on February 5. Barr had managed to get his work written up in a Financial Times story the day before, and now strange traffic was pouring in to HBGary Federal. With his research done and his story in print, Barr needed only to work up some conference slides and prepare for a meeting with the FBI, which had been tracking Anonymous for some time. So Barr ditched the covert identities he had been using to watch the group, and on February 5 he approached a person on Facebook whom he believed was the powerful CommanderX.
Barr's apparent motives were multiple: to mitigate any revenge upon his company, but also to meet as equals with his hacker subjects. No harm, no foul, right? Anonymous didn't agree. (Quotes in this article are provided verbatim, typos and all.)
Barr: CommanderX. This is my research… I am not going to release names I am merely doing security research to prove the vulnerability of social media so please tell [redacted] and [redacted] or whoever else is hitting our site to stop.
CommanderX: Uhhh…. not my doing! Just as a thought… wouldn't that be valuable data to your research?
Barr: I am done with my research…doing my slides…I am not out to gut u guys. My focus is on social media vulnerabilities only. So please tell the folks there that I am not out to get you guys… I knew you guys were a risky target but nothing risked nothing gained. People can show their bravado thats fine I can deal with that. Just want the 'leadership' to know what my intent is…that will filter as it needs to I am sure.
CommanderX: 'Leadership' lmao [laughing my ass off] it has grown beyond my control, just as I intended.
Barr: … I will talk about aliases. I won't talk about names. But please don't play me a chump any more than you have to to protect anons cred. I know more than IRC aliases…. u have a lot of firepower and know how in some dark corners…hell some of them may even know Greg Hoglund the CEO of our other company. So if it is some of your guys just want to make sure they don't get too aggressive.
CommanderX: Which website?
CommanderX: … I warn you that your vulnerabilities are far more material. One look at your website locates all of your facilities. You might want to do something about that. Just being friendly. I hope you are being paid well....
Barr then entered an Anonymous IRC chat room, where his "CogAnon" profile had already been exposed. When he showed up, this is what greeted him. (Anonymous handles have been altered in this non-public section of chat.)
guys I'll tell you...it was only research...it has now become a criminal matter...
our website was hacked...twitter account... email.... ok...guys if thats the way u want to play it.
CogAnon: come at us bro
CogAnon: nice screencap earlier by the way, did Ted and [HBGary CEO] Penny enjoy it, faggot?
not sure why u had to make it personal...I had 2 other usecases...
but ok... I figured this might happen...I am not upset... it just takes a differnt path...
ok see you guys later...not even close to end of career... :) need to finish my talk.
maybe CogAnon will enjoy what's uploading right now
[00:18] * CogAnon is now known as AaronBarr
The material "uploading right now" was apparently Barr's private e-mails; Anonymous had infiltrated his company e-mail server, where Barr was the admin, and had taken more than 40,000 messages from three top execs. They were then uploaded to The Pirate Bay....
Anonymous has also released the archives of all HB Gary's conversations with the FBI, CIA, NSA, House, Senate and Army, at this link.
UPDATE #2, 5:30 p.m. EDT:
ThinkProgress: Aaron Barr complains about losing his privacy; Hunton & Williams, the go-betweens for HB Gary and Bank of America, are named the 'top firm for privacy' by Computerworld Magazine; and Berico Technologies distances itself from HB Gary. Here's Berico's press release (pdf).