The HBGary incident, reviewed and revised

After a more thorough review, the previous writeup I did on this incident had to be redacted. The course of events was incorrect, as it was merely assumptions on my part, based on the data I had read. A mail exchange between me and Jussi Jaakonaho forced a rethink of the whole issue, and hence this rewrite.

It should be noted that very few parties have a full and accurate account of what went on, and this is still just a version of the events.

I will start by making a list of parties and persons involved:

  • HBGary – An American security company. Owns approx. 15% of HBGary Federal. CEO – Greg Hoglund, President – Penny Leavy
  • HBGary Federal – An American security company (a 2009 spinoff of HBGary) that deals with the federal government. CEO – Aaron Barr
  • rootkit.com – A site not directly affiliated with HBGary, hosting a community of people discussing rootkits and security issues. The connection to HBGary is through CEO Greg Hoglund, who is also affiliated with rootkit.com. The site is not an official project of HBGary or HBGary Federal, though Greg is the founder of the site, and it is hosted by HBGary for that reason.
  • Greg Hoglund – CEO at HBGary, affiliated with rootkit.com
  • Penny Leavy – President at HBGary
  • Aaron Barr – Security researcher and CEO of HBGary Federal
  • Ted Vera – COO at HBGary Federal
  • Jussi Jaakonaho – affiliated with rootkit.com; was used to reset Hoglund's account and confirm the current root password. Not affiliated with HBGary.

The chronology is unclear, but here is a list of events, possibly in rough chronological order:

  1. Aaron Barr claims he has infiltrated Anonymous and has the identities of organizers, leaders and founders. He discusses the research with the Financial Times, which acts as a trigger for Anonymous.
  2. Anonymous breaks into an HBGary Federal server through SQL injection and gains the accounts and emails of key figures.
  3. Either separately or as a consequence of this, an HBGary tech support system is compromised.
  4. Anonymous uses the account of Aaron Barr, who had administrative privileges on HBGary e-mail systems, to access further data.
  5. Anonymous takes control of numerous online presences of key HBGary and HBGary Federal executives and employees: Aaron Barr’s Twitter, Ted Vera’s LinkedIn (now offline; he was renamed Colossal Faggot).
  6. At some point, Greg Hoglund's e-mail is also compromised and used to send e-mail to the rootkit.com administrator, Jussi Jaakonaho, to reset Hoglund's account and confirm the root password. Link
  7. rootkit.com is compromised, supposed password lists are leaked, and the SQL database is dumped.
  8. At some point, the HBGary Federal site is defaced and taken offline along with HBGary.com. HBGary.com is later put back online with a short post on the events. HBGary Federal remains offline, as does rootkit.com.

An important difference from my earlier analysis is that rootkit.com was not, it would at least seem, the starting point of the attack. This is because before the rootkit.com attack, Greg Hoglund's mail was already compromised, as is evident in this “log”, also referenced earlier. Through this account, Anonymous supposedly had knowledge of the previous and current root passwords at rootkit.com, and used the account as a platform to reset Hoglund's account at rootkit.com, thereby gaining access, and root on the server. My previous supposition was that accounts found on rootkit.com were used to gain access to other sites (such as other HBGary and HBGary Federal servers). Although it is probable that accounts found on rootkit.com were tried on various other sites, no details have emerged of such usage. rootkit.com was simply a footnote, with the simple connection of Greg Hoglund.

Anonymous, along with many reports, seem not to understand the connection between HBGary and the spinoff, HBGary Federal. They are separate, though related (as evidenced by the IRC logs, see lines 2755 and 629, as well as the HBGary main site), companies. Aaron Barr was working on his own researching Anonymous, though knowledge of his research existed within HBGary as well. Anonymous, acting fast and wide, attacked both companies, as well as rootkit.com.

While rootkit.com is only fleetingly connected, I am mentioning it because of the local connection. The admin at rootkit.com, who was used to reset the account of Greg Hoglund on the server and to confirm the current root password, is, admittedly, from Finland. The “research” done on his current employment status was poorly done, irrelevant, and therefore best left unmentioned, and was also included only as a local curiosity.

I will also address the fact that the Anonymous member who emailed Jussi is claimed to be a 16 year old girl known under the aliases `k and kayla. There is, of course, no way of confirming this as fact, and I chose to include it because it is a funny footnote, if true.

As a fellow administrator, I also have to say that it’s quite hard to blame Jussi. The e-mail originated from Greg's e-mail, and I know for a fact that, even though it is bad security practice to discuss passwords in emails, this happens on a daily basis in our industry. If the identity of Greg Hoglund could have been confirmed at this point, rootkit.com may have gone unscathed. I don’t have to stress the usage and importance of PGP, or SSH keys on servers, or good password policies in general; that’s a topic for another post.

Final thoughts

I still hold to my point that Aaron Barr’s demise was well deserved. If you do shoddy research and try to profit from that, you deserve to burn publicly. I also can’t say I have a strong sense of empathy towards HBGary or HBGary Federal, as they knew about the research. HBGary Federal has shown it is not to be trusted with federal issues, or taxpayers' money, as the research its CEO produced was nothing short of bullshit. Had this methodology spread to the federal government, the results may have been costly, and grossly inaccurate. Granted, there was collateral damage, but in the wide world, money is what talks. When a company such as HBGary or HBGary Federal gets plastered all over the news, and loses potentially millions, people tend to listen. This goes for the DDoS attacks on VISA, Mastercard and others last year. Big names, big losses, big headlines.

As an aside, Krebs on Security has a writeup of the events, but I’m left unclear as to how many of HBGary’s systems were compromised initially. Krebs quotes Greg Hoglund, who says that a system containing tech support for HBGary was compromised, as well as a web server used by HBGary Federal. The order of those compromises is not immediately clear, so one can only speculate as to whether one led to the other, or whether they were independent compromises.

The sheer misunderstanding of the “structure” of Anonymous is still prevalent in the media. I feel that the structure of Anonymous is grossly overestimated. The arrests made so far have shown little to no effect on the actions of Anonymous. The group is perhaps best described as a mob, or a flash mob. An idea that people can stand behind. A form of neo-anarchism that anyone can join without an understanding of the technology, the issues or the ideology. Even the ideology is a curious concept, as it changes as many times as the gasoline price at my local gas station.

Having been a bystander at 4chan and of the Anonymous movement, I’m led to believe that there is very little in the way of organisers, leaders or founders. It just sort of came together. Sure, the IRC channel has Ops to keep the order and the peace, but they can hardly be concluded to be leaders or organisers of the group, not that there is such a thing. Barr's research contains gross inaccuracies, if it is indeed what Anonymous released in the form of a PDF. Nicknames from the IRC channel (which is completely public and requires no “infiltration”) were matched with nicknames used on Facebook, for instance, in many cases implicating completely unrelated people. This was said to be the main concern of Anonymous, as voiced a number of times in the IRC logs referred to earlier. The list was so inaccurate that Anonymous supposedly sent it in to the FBI, to prove a point.

Also curious is that many people who do have Op and seem to be “running things” on the IRC side of things were left completely unidentified in the “research”. This includes people who have not even made an effort to be anonymous, such as “press guy” Barrett Brown, or joepie91. It also includes clear jokes, such as Guy Fawkes from London.

As a final, final thought, I would like to discuss the importance of research and sourcing, and the difficulty of online “journalism” (though I don’t view myself as such). Inaccuracies spread like wildfire. Content put online never comes back down. People and names get mixed up very easily, as online, anyone can be anyone. This applies both to the personalities discussed here, and to the personalities discussed in Barr’s “research”. Sourcing becomes a difficult thing in such sensitive issues, and this has been an important lesson for me as well: to strive to do even better research in the future. The problem is that companies usually want to keep breaches a secret, and “attackers” like to add FUD and propaganda to their side of the story. Thus, forming a coherent picture of any event becomes challenging. So, as this has obviously been a lesson for many parties and on many issues, myself included, I do hope people actually learn from this. I sure have.

Random & The HBGary Federal stuff – redacted for now

I was recently contacted by Jussi, who stated that I have things backwards. I have redacted the post, and I’m trying to find out the real course of events, if I indeed got things the wrong way.

My goal is not to publish faulty information, and as I stated, this post was an analysis by me of how I thought the events unfolded.


Ah, frack it... Google cache was faster.

Random & The HBGary Federal stuff

Disclaimer – This was an earlier post, with a lot of speculation on my part, in regards to the HBGary hack by Anonymous. After more thorough research, a revised post was released here. Please refer to that if you are looking for a hopefully more accurate account.


So the last few days, weeks, whatever, have been a bit quiet. So I’ll just take this time off and talk about some of the issues I’ve been thinking about.

First of all, I need to get rid of a bunch of hardware, so if you need anything like memory, or servers (without their hard drives), or regular desktop machines, or I suppose I might even have a few smaller LCD screens, hit me up with a comment or an email. I’ll post a better list later, but here’s some of the stuff:

  • Two HP DL380 tower servers; I don’t have the specs on hand, but I think one was dual processor and the other single. RAM included
  • An IBM xSeries tower server, which is actually pretty compact and not too loud, but also not very fast
  • Various desktop towers
  • RAM: DDR1, DDR2 (1GB and smaller sticks), and various DDR1 and DDR2 SO-DIMMs for laptops
  • I may also be selling two 17″ LCD screens
  • Various expansion cards and what-have-you

I’d also be interested in finding a pair of 2GB non-ECC DDR2 for my desktop, since running multiple virtual machines is putting a strain on my current 6GB configuration.

Currently I’m on an Oracle 11g course, which lasts five days. I’m not really going to be a database guy, and frankly I’m not too interested in this either. I do it from a pure career perspective, and because I know that we have a lack of Oracle knowledgeable people where I work.

Also, this morning I realized we live in a world where few clocks ever tell the same time. Waking up, eating breakfast and walking to the train station, I was confronted with at least 8 different versions of what the time currently was. Bewildering.

Anonymous owns HBGary and HBGary Federal

Disclaimer – This was an earlier post, with a lot of speculation on my part, in regards to the HBGary hack by Anonymous. After more thorough research, a revised post was released here. Please refer to that if you are looking for a hopefully more accurate account.

And I don’t mean they bought the fuckers. So here’s the story as I’ve been able to patch it together: HBGary Federal (a separate corporate entity working under the HBGary name, providing infosec research and such for government) CEO and co(?)-owner Aaron Barr decided he was going to blow this whole Anonymous case wide open. Now, as I’ve discussed in multiple posts, this stems from the clear stupidity and thick-headedness of people refusing to understand what Anonymous is and how it works. Barr had the brilliant idea of “infiltrating” the Anonymous networks (err.. I mean the public IRC channels at anonops.ru: #anonops, #anonymous, #reporters etc.) and finding out as much as he could about the leadership of Anonymous. He then compiled data from various social networks, simply taking a person's IRC identity or other available data and connecting it to mostly random people using the same nicknames or such on Facebook, for instance. You should now be able to see how faulty his methodology is to begin with. He then boasted that he has the identities of most of Anonymous’ leadership and organisers. He made up roles and titles for various people, like “co-founder of Anonymous”. Anonymous caught wind of this, and decided to have a look at the list.

Supposedly 16 year old female hacker ‘kayla’, known on the IRC channel as `k, social-engineered an admin at rootkit.com, Jussi Jaakonaho (who is also a chief researcher at Nokia, incidentally), pretending to be Greg Hoglund, CEO at the main company HBGary. Note that HBGary is not directly affiliated with HBGary Federal, though it carries a 15% share of HBGary Federal in the form of investments. Through Jussi, she was able to get root access to the servers at rootkit.com. From there the problems escalated, and while I don’t have the full details, I suspect credentials or data found on rootkit.com were used to compromise Barr’s account at HBGary Federal, and numerous other locations, such as Twitter.

The result was an onslaught of defacement and lulz from Anonymous, as they downloaded over 50 000 internal e-mails from HBGary and HBGary Federal employees and executives. These were subsequently published as a torrent, which can be found with little to no trouble. To add insult to injury, Anonymous sent the “brilliantly” collected (and false) data that Barr was supposedly going to sell to the FBI (as evidenced by an 11 AM meeting on Monday 7th February found in his e-mails) to the FBI for free. Barr claims he was never going to sell the data, or that he was going to redact the names, but that’s really irrelevant at this point. He also claims it was only for research purposes, but internal emails show he was clearly going to profit in a business sense, either directly through selling the data/research or through the PR he would have gotten for “exposing” the “leaders” of Anonymous. All of which is total and utter bullshit. Most of the people on the list have little or no affiliation with Anonymous, and could have gotten into serious trouble had this data not come out in time.

Barr’s Twitter account was owned, adding “raging homogay” to his about-box, and posting various lewd comments on his feed. His new Twitter avatar is also a variation of a classic 4chan meme, “Forever Alone”, modified to “Forever Barrlone”. You should really check it out; it’s quite funny if you are into this whole meme business. Also read all the tweets from the past few days, as they provide some insight into what went on.

Ted Vera’s (COO / President at HBGary) LinkedIn profile was also defaced to change his name to Colossal Faggot, though I doubt it’s still out there. Google cache might still have it, plus I suppose screenshots exist.

All in all, I can’t say I give a flying fuck about any of these people or their respective companies. If you are in the security business, and particularly in the business of selling research and data to the federal government (thank god it’s not mine), then you need to be competent and know what the hell it is you are doing. If you are an incompetent asswipe, then bad things may happen to you. You don’t deserve your job, your bonuses, your cushy little office and the notion of job security. You deserve to go back to school, admit your failures and start over. Though that might be a bit hard at this point, seeing as I would find it very unlikely that the likes of Barr would ever be hired to do anything with computers ever again.

Anonymous has stated they have in their possession more emails that are as yet unpublished, and they have had negotiations with the owner and CEO of HBGary as to the next steps in this whole debacle. The IRC logs of that are quite... a read. Anonymous demanded that, for the rest of the data to stay secret (this is called extortion), they need to see Aaron Barr stripped of his job, and all future investments to HBGary Federal stopped. They also requested that all such funds instead be diverted to the Bradley Manning defense fund, the EFF and other such causes. HBGary is in the process of thinking about things.

Quite a thing to see the CEO of a multi-million dollar company on IRC, begging these anonymous types not to release more mails, as they would cause millions in damage. “Think about what this will do to your reputation”, HBGary urged. Anonymous replied with “What reputation, and why should we care?”

It has to be rather bewildering for your average corporate type to face an adversary that does not care for the traditional things. Reputation is irrelevant. Possible consequences, irrelevant. Legal threats, irrelevant. Sure, you can catch (and they have caught) a number of people associated with Anonymous, but there are tens, maybe hundreds of thousands of people ready to take their place, if they feel like it will get them the laugh of the day.

I’ll end with another paraphrase from the IRC logs, where one Anonymous member stated, right after saying he knows this will cost HBGary millions and that he doesn’t care, that he will now go play Fallout.

Oh and one more thing…

I have to really hand it to both Greg Hoglund, and especially Penny Leavy, who is president of HBGary. She took time out of a nightmarish day to go on IRC and talk to Anonymous. She tried to talk to these people, and she tried to grasp the concepts. Aaron Barr however, who also appeared on the channel under the alias CogAnon, was less than courteous. He talked trash and left without answering any questions, clinging to the one sentence he thinks will save him: “I did it all for research”. That’s like pissing on an angry mob that has already burned down your house, broken your car and kidnapped your cat.