Wednesday, February 23, 2011

Security companies, social media, and hacktivism

On February 4th the Financial Times ran an article claiming that Aaron Barr of HBGary Federal had unmasked key leadership in the hacktivist group "Anonymous". Anonymous had garnered international attention for their attacks on groups opposed to Wikileaks (Mastercard, Visa, Sarah Palin, etc.). As a result of that activity the FBI had been kicking in doors attempting to arrest people, causing some concern within the group. HBGary Federal was also looking at ways to bring down Wikileaks and its support infrastructure. The Financial Times article claiming that Aaron Barr had specifics on their leadership caught the attention of Anonymous, who turned their attention to HBGary Federal and Mr. Barr. HBGary Federal was a sister company of HBGary, a computer security company founded in 2003 by Greg Hoglund and his wife Penny Leavy.

On February 5th Anonymous went after HBGary Federal, starting off with a Distributed Denial of Service attack and escalating from there as Aaron responded aggressively. They got into his Twitter account, LinkedIn account, email account, and web administration accounts. They deleted backup accounts, wiped his iPad, and moved on to compromising HBGary and Rootkit.com (both run by Greg Hoglund, who was also part owner of HBGary Federal).

Because HBGary used a custom, non-standard CMS (Content Management System), it had not been subjected to significant security review. Anonymous used a previously unknown SQL injection in it to dump the user table, where passwords were stored as unsalted MD5 hashes (which is why a precomputed rainbow table worked at all). Using a rainbow table they quickly cracked the simpler passwords, one belonging to Aaron Barr and another to the COO, Ted Vera. Barr had also reused his password on multiple sites, making their life easier. They used Ted Vera's password to SSH into a Linux server that HBGary Federal used, and then exploited a known privilege-escalation vulnerability that had not been patched to gain root.

Because Aaron was the administrator of the company's Google Apps account, they were able to reset Greg Hoglund's password and read his mail, where they found administrative passwords for rootkit.com in plaintext. They then social-engineered the rootkit.com administrator into giving them an account they could log into remotely (direct root login was not permitted). Once this was accomplished they published the entire rootkit.com password hash table and defaced all the sites. Some details of the attacks can be found here.

After pulling off the attack Anonymous was contacted by Penny Leavy, who owns part of HBGary and HBGary Federal, to try to negotiate a truce. Anonymous wasn't particularly interested, and conditioned any truce on Penny firing Aaron and on a number of other steps she was not going to take. Shortly afterwards they began leaking both HBGary Federal and HBGary corporate emails in large quantities on The Pirate Bay and numerous other locations, to the enjoyment of voyeurs, reporters and the curious worldwide. (I've decided not to link to them or analyze the uploaded content and will focus on published stories instead.)

This story has caught the attention of many in the security community (and even more broadly) for a number of reasons: the tie-in to Wikileaks, the sensational nature of the story, the depth of the information available, and the personalities involved. The fallout has been significant as well. The leaked emails contain references to numerous other organizations with sensitivity concerns. Daily Kos points out that Aaron's plan (and an associated published government solicitation) to create and manage an army of virtual personas should cause concern about how a group's opinions are gauged and how easily they can be misrepresented and influenced. Ars Technica has had a number of good stories on the topic; they published this one on HBGary's "black ops" proposals. There are lots of sensational topics (0-days, rootkits, government "back doors", etc.). Although it appears that there were no confirmed connections to any other government organization, a number of government and defense contractor groups are mentioned (like Northrop Grumman (Barr's old employer), Farallon Research, ManTech, GD-AIS, Endgames and many others) and are thus impacted by this situation. As a result, some organizations (like Palantir and Berico) that they were involved with have severed all professional ties with HBGary in an attempt to separate themselves from the situation.

There was a fair amount of interest in their rootkit work, for obvious reasons (Greg runs Rootkit.com). They had proposed an interesting one called Magenta that received some attention.

Andy Greenberg believes that the attack could backfire on Wikileaks, as people conflate hacktivism with Wikileaks and realize that the attack on HBGary and the damage caused could happen to anyone. Personally I think that idea would have had merit if there wasn't so much dirt unearthed on Aaron and the company that captured the attention of the audience. Unfortunately the sensational nature of the story makes it easy (at least currently) to overlook the underlying issues of anonymity, free speech, corporate/organizational ethics, government and corporate relationships, and what protest means in the digital domain.

Given the quantity of information that people are still going through (over 8GB available on various torrents) it appears likely that other stories will be forthcoming. A number of lessons are available. Here are a few of my immediate takeaways:
  1. Criminal allegations, interactions, and investigations should not be taken lightly. Once you start interacting with groups like that your threat/risk profile changes significantly.
  2. Good reminder that multiple techniques (0-day, exploits for known but unpatched vulnerabilities, password cracking, social engineering, etc.) used in conjunction are extremely powerful and can lead to full and complete compromise. No single step here was exotic; the chain was SQL injection, weak password hashing, password reuse, a missing patch, and a convincing email.
  3. Given point (2), perhaps people will finally start encrypting sensitive emails. You never know who could end up reading them. It is also wise to ensure you have robust passwords that are not reused, that stored passwords are salted and hashed with a slow algorithm rather than plain MD5, and that critical systems are always fully patched. You can't reliably stop a 0-day, but you can certainly prevent known vulnerabilities from being exploited!
  4. Important to consider who your partners are. Any behavior on their part could affect you in a blowback situation. Obviously you can't run a background investigation on everyone you interact with, but look at those opaque, back room deals and consider how they would be perceived in the transparency of the Internet.
  5. Good reminder about starting a business... probably best to figure out what you're going to be the best at and focus on doing that... and have a clear plan for how to get there. Front loading your investment/risk and chasing ambiguous, frequently delayed government contracts is a risky position that can lead to sub-optimal situations and decisions made under pressure down the road.
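To make the attack chain described above (SQL injection against the CMS, an unsalted MD5 password table, a rainbow-table lookup, and a reused password) and lessons 2 and 3 concrete, here is an added example in Python. It is not code from the original post or from HBGary: the account names, passwords and wordlist are constructed, an in-memory SQLite table stands in for the CMS database, and PBKDF2 with a per-user salt is the hardened scheme shown alongside the weak one.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (hypothetical names and passwords, not real data).
# "dave" reuses "alice"'s password to show what reuse looks like in a hash dump.
USERS = [
    ("alice", "password1"),
    ("bob", "letmein"),
    ("carol", "xK9#vLq2!pR8wT"),
    ("dave", "password1"),
]

# Stand-in for a rainbow table: MD5 digests precomputed over a wordlist, once,
# before any hashes are stolen. Real tables cover billions of candidates; the
# point is that unsalted MD5 lets that work be shared across every site and dump.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "hbgary"]
MD5_TABLE = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}


def build_db(rows):
    """In-memory users table: (name, pwhash, salt). salt is NULL for unsalted MD5."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwhash TEXT, salt BLOB)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return conn


def lookup_vulnerable(conn, username):
    """String-built query: the username is parsed as SQL, so a crafted value
    such as  x' OR '1'='1  turns a one-row lookup into a full table dump."""
    sql = "SELECT name, pwhash FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the same crafted value is just a string that
    matches no user, because the driver keeps data out of the SQL grammar."""
    return conn.execute(
        "SELECT name, pwhash FROM users WHERE name = ?", (username,)
    ).fetchall()


def md5_rows():
    """How the leaked table looked: unsalted MD5 of the password, nothing else."""
    return [(n, hashlib.md5(p.encode()).hexdigest(), None) for n, p in USERS]


def pbkdf2_rows(iterations=100_000):
    """Hardened storage: per-user random salt plus a deliberately slow KDF."""
    rows = []
    for n, p in USERS:
        salt = os.urandom(16)
        h = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations).hex()
        rows.append((n, h, salt))
    return rows


def crack_with_table(rows):
    """Offline attack on a stolen dump: one dictionary lookup per hash.
    Returns {name: recovered_password_or_None}."""
    return {name: MD5_TABLE.get(h) for name, h, _ in rows}


def verify_pbkdf2(stored_hex, salt, candidate, iterations=100_000):
    """Server-side check; constant-time compare avoids a timing side channel."""
    guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations).hex()
    return hmac.compare_digest(guess, stored_hex)


def crack_pbkdf2_online(rows, iterations=100_000):
    """Against salted slow hashes the precomputed table is useless; every guess
    must be recomputed per user at full KDF cost. Weak passwords still fall,
    just far more slowly, and a strong one never does with this wordlist."""
    found = {}
    for name, h, salt in rows:
        found[name] = next(
            (w for w in WORDLIST if verify_pbkdf2(h, salt, w, iterations)), None
        )
    return found


if __name__ == "__main__":
    db = build_db(md5_rows())
    print("injected dump :", lookup_vulnerable(db, "x' OR '1'='1"))
    print("parameterised :", lookup_safe(db, "x' OR '1'='1"))
    print("md5 cracked   :", crack_with_table(md5_rows()))
    print("pbkdf2 table  :", crack_with_table(pbkdf2_rows()))
    print("pbkdf2 online :", crack_pbkdf2_online(pbkdf2_rows(1_000), 1_000))
```

Running it prints the whole table from the injected query and an empty result from the parameterised one; the MD5 dump gives up both weak passwords plus the reused one (alice and dave have identical hashes, so cracking one cracks both); the salted PBKDF2 table yields nothing by lookup, and guessing against it costs a full KDF run per user per candidate, which is exactly the work that unsalted MD5 let the attackers skip.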
I'll update this post as particularly interesting parts of the story come to light. It will be interesting to see whether the FBI gets any traction bringing members of Anonymous to trial, whether HBGary faces any charges or impact beyond the relational and financial, and how the other stakeholders in this affair are impacted in the short and long term.

Update (March 2nd, 2011): Stephen Colbert did an amusing segment on the Colbert Report about the story. Aaron Barr has resigned. And House Democrats are calling for an investigation, focused on the "reconnaissance cell" that HBGary was discussing to target union members.