A conflict between everyone's favorite hacktivists and an obscure security research company has just gotten interesting. HB Gary Federal is a cyber-security company run by Aaron Barr who has been researching individuals he believes are associated with Anonymous. Specifically he has been trying to link the handles of IRC participants to real people. When he decided to publicize his findings in the Financial Times last Saturday, it touched off a very interesting series of events which are still unfolding.
Some of the best reporting on what came next is provided by The Tech Herald. Using an impressive array of tactics, hackers managed to breach every aspect of the HB Gary Federal infrastructure. All of it. Even the phone system. They also breached the infrastructure of the parent company HB Gary (which holds a minor stake in Federal). The only data released so far has been 50,000+ emails from Barr's account.
After the Financial Times story broke, including Barr’s claims of infiltration, Anonymous responded. The response was brutal, resulting in full control over hbgary.com and hbgaryfederal.com. They were also able to compromise HBGary’s network, including full access to all their financials, software products, PBX systems, Malware data, and email, which they released to the public in a 4.71 GB Torrent file.
Apparently what they found when rifling through the network only made the hackers angrier. This became rather clear in IRC communications between Anon participants and the principals of HB Gary, which included HBGary President Penny Leavy, founder Greg Hoglund, and Aaron Barr, who runs HBG Federal (that this conversation happened at all is worthy of discussion in its own right).
Most of the anger was directed at Barr’s list of names and their alleged connections to Anonymous operations. Several Anons commented that the list includes fake names, reporters, and others who are in no way connected to any role in Anonymous. Its existence means that it “…could have and might still get innocent people in trouble for no reason at all.”
There is some dispute about Barr's intent. He claims that he never intended to actually reveal the names, certainly not to the FBI. Reports at Crowdleaks.org highlight this exchange lifted from Barr's email, which seems to indicate that, at the very least, he wouldn't protect the data:
On Feb 5, 2011, at 10:17 AM, Karen Burke wrote:
Thanks — I just saw the tweets and thought they were great. Will you say that you’ve been contacted by FBI (or law enforcement) as result of story?
On Sat, Feb 5, 2011 at 7:15 AM, Aaron Barr wrote:
ok Karen. I just tweeted a few posts on research and talk. This is the angle I want to stick with. If anyone asks about using this information for law enforcement I think we should say, well of course if law enforcement wants to discuss with me my research I will, it's all open source, that's the thing, it's all there. But my intent is not to do this work to put people in jail, my intent is to clearly demonstrate how this can be effectively used to gather significant intelligence and potentially exploit targets of interest (the other customers will read between the lines).
This in itself makes a pretty good story, and I had intended to link it earlier in the week. But now the next shoe has dropped. Among the 50,000-odd emails released was a presentation crafted for Bank of America regarding how to effectively deal with Wikileaks. The plan is... interesting. In many ways it reflects thinking similar to the DoD strategy for disrupting Wikileaks published in 2008. The proposal ranges from cyber-attacks against Wikileaks servers to mounting a campaign against Glenn Greenwald.
Over at FDL, Marcy Wheeler has been following the story, with proper scorn for the quality of the plan and special focus on the Glenn Greenwald-centric parts of the strategy. I imagine a bit of digital ink might be spilled on the implications of BoA exploring these tactics in the first place.
But there is something else important to note here as well. Generally, we view security researchers (consultants, etc.) as providing services that help companies secure their systems against exploitation. Hackers try to compromise the system; admins and security professionals exist to keep them out. What we have here is a case where security researchers are actively marketing the service of leveraging security flaws found through their research on behalf of clients interested in *conducting* a cyber attack. It seems pretty difficult to interpret the BoA proposal as anything but an offer to conduct coordinated cyber attacks against Wikileaks.
I can't remember this type of proposal ever being exposed before. IMO, this is the most unsettling part of the whole episode. It probably should not be viewed as a good thing.