Part 4 (2/2)
Now, with the appearance of the note in their RSA booth, the team felt not just electronically exposed; they felt physically threatened and stalked. "They decided to follow us to a public place where we were to do business and make a public mockery of our company," Butterworth said. "Our position was that we respected RSA and our fellow vendors too much to allow this spectacle to occur."
Instead, HBGary Inc. pulled out of the conference. ZDNet journalist Ryan Naraine snapped a photo from the show floor.

The attacks continue

On Sunday, February 6, the electronic assault had begun in earnest. As America sat down to watch the Super Bowl kickoff, five "members" of Anonymous infiltrated the website of security firm HBGary Federal. They had been probing HBGary Federal and related firm HBGary Inc. since Saturday, but on Sunday they struck gold with an SQL injection attack on HBGary Federal's content management system.
They quickly grabbed and decrypted user passwords from the website, which they used to move into HBGary Federal's hosted Google e-mail. By the time the attack was through, the hackers had compromised HBGary Federal's website, deleted its backup data, taken over Greg Hoglund's rootkit.com site, and locked both companies out of their e-mail accounts by changing the passwords.
While HBGary Federal was truly "hacked," HBGary Inc. was not; attackers simply used existing usernames and passwords to access key systems. HBGary had in fact hardened its Web defenses, fully patching them on the Thursday before the attack began in anticipation of some unpleasantness. Butterworth told Ars that the company was able to bring down its compromised offsite Web servers within 42 minutes of the attack's beginning. (He also confirmed the accuracy of our earlier exclusive report on how Anonymous penetrated the two companies.)

Over the last week, this part of the story became well known. What was not visible outside the hallways of HBGary's Sacramento offices, however, was just how long the attacks continued. Indeed, although the electronic assault stopped soon after it began, the harassment has yet to end.
Butterworth sounded tired as he recounted the days for us; when we spoke, 17 days had passed since the initial attack. Since then, HBGary has been flooded with phone calls and voicemails of the "you should be ashamed of yourself" type and worse; the fax machines have been overwhelmed with Anonymous outpourings; people have been "directly threatening our employees with extortion"; threats have been made. Then came RSA.
Butterworth, with a long career in military signals intelligence and private security firms, is no stranger to the dark world of cyberattacks, but he's used to adversaries who retreat after an electronic strike.
Instead, he believes that Anonymous has "decided to continue their antics. They're in it for the laughs... this is a real funny game for them." Not content with the damage they have inflicted, they "harass a company that's trying to get back to work." Each time a new story about the company appears in the press, Butterworth said, these attacks spike again.
"Millions in damages"
The fallout from the whole debacle endures. In the wake of the attack, HBGary's Penny Leavy and Greg Hoglund (they are married) entered the Anonymous IRC channel #ophbgary to plead in vain for Greg's e-mails to stay private. (Several less relevant remarks have been removed from the transcript for easier reading.)

<+greg> so you got my email spool too then
<&sabu> yes greg.
<@'k> greg we got everything
<+agamemnon> Greg, I'm curious to know if you understand what we are about? Do you understand why we do what we do?
<+greg> you realize that releasing my email spool will cause millions in damages to HBGary?
<@'k> yes
<+c0s> greg: another reason its not out yet.
<+agamemnon> yes we do greg
<@'k> greg is will be end of you :) and your company

Asked if HBGary has in fact seen a financial impact from the Anonymous attack, Butterworth would only say, "Time will tell." He did admit that the hack had an impact on the company, "the tainting of a brand name, a company that has a very good product," and that "we've received indications that folks are having second thoughts" about working with the firm.
The company also had to devote nearly a week of its time to performing client notification, a job that must have been anything but pleasant. And Butterworth has been tasked with overseeing HBGary's internal forensic investigation into the attack. He hopes to compile enough information to eventually prosecute those responsible.
"A lot of federal crime has been committed," he said.
Despite the fact that the attackers hid themselves behind Tor software and proxy servers, he believes the company stands a "very good chance" of catching the perpetrators.
But what has the attack meant for Anonymous, HBGary Federal's Aaron Barr, and the security companies linked with Barr's ideas?
Anonymous

For Anonymous, the most obvious result of the hack was publicity, glorious publicity. The attack has been covered in every outlet from Ars to the BBC and back again, though the group was unbelievably lucky to stumble on a cache of e-mails involving dirty tricks against WikiLeaks and using intelligence assets against pro-union websites. Without those revelations, the hack and e-mail release might have looked far more self-interested: Anonymous protecting its mask.
Why have the attacks on HBGary Inc. continued? We spoke to people with knowledge of the initial Anonymous hack. All have denied the existence of continuing operations against HBGary and note that the IRC channel used for coordination, #ophbgary, has been shuttered; most expressed disbelief that these attacks are even happening.
We asked HBGary for a copy of some of the faxes received at its offices, but were told that the fax machines had been turned over to the authorities as part of the investigation. HBGary did pass along a representative e-mail that an employee received last week (all header information has been removed):

Subject: Security Problem

loooooooooooooooooool owned by anonymous. niiiice.
hope your strategy won't work and ppl of this planet will become free without being suppressed or monitored.
shame on you for your "business" - it is ppl like you who try to stop human revelation all in the name of almighty america.
nice to see you failing hard and getting exposed yourself. how does it feel, suckers?
i am looking forward to see your next fail.
greets one of your monitored sheep that actually don't like to be monitored.
ps: please do us (the human race that is not trying to be nazis like you) a favor and get aids and die slow and painful, thanks in advance.
The real impact of the attacks on Anonymous may not be felt for months, or even years. HBGary says it is working with the authorities on the case, and one presumes that the FBI is interested in busting those responsible. The FBI has previously arrested those associated with mere denial of service attacks, and it recently executed 40 search warrants in connection with Anonymous' Operation Payback.
In a press release regarding the search warrants, the FBI reminded Anonymous that "facilitating or conducting a DDoS [distributed denial of service] attack is illegal, punishable by up to 10 years in prison, as well as exposing participants to significant civil liability."
Butterworth, who touted his own (lengthy) list of advanced security credentials during our call, told us that based on his investigation so far, the Anonymous "operational security was not that good... they're pretty dirty."
If he's right, the Anonymous attack, so far free of consequences, might end with some serious ones indeed.
Palantir

Those consequences have already been felt at the link analysis firm Palantir, based in Silicon Valley. The company was part of "Team Themis," a group made up of Palantir, Berico, and HBGary Federal, which got involved with the DC law firm Hunton & Williams. Hunton & Williams was looking for ways to help the US Chamber of Commerce, and later a major US bank, deal with troublesome opponents (pro-union websites and WikiLeaks, respectively). As a member of Team Themis, Palantir became part of Aaron Barr's plans to go after WikiLeaks, put pressure on commentators like Salon.com's Glenn Greenwald, and set up a surveillance cell for the Chamber of Commerce. No one in the e-mails that we saw objected to any of the proposed ideas.
When news of the proposals came out, Palantir said it was horrified. Dr. Alex Karp, the company's CEO, issued a statement: "We make data integration software that is as useful for fighting food-borne illness as it is to fighting fraud and terrorism. Palantir does not make software that has the capability to carry out the offensive tactics proposed by HBGary. Palantir never has and never will condone the sort of activities recommended by HBGary. As we have previously stated, Palantir has severed all ties with HBGary going forward."
As we noted in our initial report on the situation, several of the key ideas had come from Aaron Barr, but they were quickly adopted by other team members, including Palantir. I asked the company for more information on why Barr's ideas had shown up in Palantir-branded material. The company's general counsel, Matt Long, supplied the following answer:

We did make a mistake, one of a fast-growing company with lots of decentralized decision-making authority. Initial results of our ongoing internal diagnostic show that a junior engineer allowed offensive material authored by HBGary to end up on a slide deck with Palantir's logo. The stolen emails conclusively show that Aaron Barr from HBGary authored the content which was collated well past midnight for an early morning presentation the next day. This doesn't excuse the incident, but hopefully it brings much needed context to a context-less email dump.
That junior engineer, a 26-year-old, has been put on leave while his actions are being reviewed.
"We should have cut ties with HBGary sooner and raised internal concerns about this sooner," Long told me. "This is a huge mistake for sure; we aren't making excuses. But our company never approved hacking or carrying out dirty tricks on anyone."
As for the engineer's e-mail in which he said that the Team Themis project "got approval from Dr. Karp and the Board" on a new revenue sharing plan, Long said that it was simply "classic salesmanship ('I need to get my manager's permission for that. I really argued hard for you and got you this deal'). In our case we don't have sales people so it is very transparent/obvious coming from a 26-year-old engineer. Dr. Karp and the Board did not know about the specifics of the proposal, including pricing."
Berico

Berico, one of the three companies involved with Team Themis, initially promised a response to our questions about its handling of the situation. The company later changed its mind and declined to comment.
Berico did issue one public statement back on February 11, saying that it "does not condone or support any effort that proactively targets American firms, organizations or individuals. We find such actions reprehensible and are deeply committed to partnering with the best companies in our industry that share our core values. Therefore, we have discontinued all ties with HBGary Federal."
The company added that it was "conducting a thorough internal investigation to better understand the details of how this situation unfolded and we will take the appropriate actions within our company."
Aaron Barr

HBGary Federal was in the process of selling itself after the company couldn't meet revenue projections and had difficulty paying taxes and salaries. On January 19, Penny Leavy (the largest single investor in HBGary Federal) suggested in an e-mail to Aaron Barr that he give the two companies considering a purchase a set of deadlines. Under her projected scenario, the two firms would bid on February 4 and HBGary Federal would make a final decision on February 7. On February 6, Anonymous attacked.
What happened to Barr? Anonymous loudly and angrily demanded that Penny Leavy fire him, since his list of Anonymous names could allegedly have gotten "innocent people" into serious trouble. Leavy made clear that HBGary Federal was a separate company from HBGary, one in which she owned only a 15 percent stake, and that she couldn't simply "fire" the CEO.
Barr, too, had a stake in HBGary Federal. He couldn't just be fired, but he told Ars that he has taken a leave of absence from the company in order to focus on some other things.
When he finally regained control of his Twitter account last week, Barr's first new message since the attack said just about all there was left to say: "My deepest personal apology to all those that were negatively effected [sic] by the release of my e-mail into the public."
Embattled HBGary Federal CEO Aaron Barr quit his job yesterday as the prospect of a Congressional investigation loomed. A dozen Democrats in Congress asked various Republican committee chairs to launch probes of HBGary Federal's idea for a "reconnaissance cell" targeting pro-union organizers.
HBGary Federal was hacked last month by Anonymous after Aaron Barr believed he had unmasked much of the group's leadership, and Barr's entire cache of corporate e-mails was made public. Those messages revealed that Barr had joined up with two other security firms, Palantir and Berico, to pitch the powerhouse DC law firm of Hunton & Williams on an idea to go after union-backed websites who opposed the US Chamber of Commerce. The scheme, if adopted, would have cost the Chamber up to $2 million a month.
The three companies called themselves Team Themis, and instead of providing simple "business intelligence," they had a few other ideas:

- Create a false document, perhaps highlighting periodical financial information, and monitor to see if US Chamber Watch acquires it. Afterward, present explicit evidence proving that such transactions never occurred. Also, create a fake insider persona and generate communications with [union-backed Change to Win]. Afterward, release the actual documents at a specified time and explain the activity as a CtW contrived operation.
- If needed, create two fake insider personas, using one as leverage to discredit the other while confirming the legitimacy of the second. Such work is complicated, but a well-thought out approach will give way to a variety of strategies that can sufficiently aid the formation of vetting questions US Chamber Watch will likely ask.