The HBGary incident, reviewed and revised
After a more thorough review, the previous writeup I did on this incident had to be redacted. The course of events was incorrect, as it was merely assumptions on my part, based on the data I had read. A mail exchange between me and Jussi Jaakonaho forced a rethink of the whole issue, and hence this rewrite.
It should be noted that very few parties have a full and accurate account of what went on, and this is still just a version of the events.
I will start by making a list of parties and persons involved:
- HBGary – An American security company. Owns approx. 15% of HBGary Federal. CEO: Greg Hoglund; President: Penny Leavy
- HBGary Federal – An American security company, a 2009 spinoff of HBGary, that deals with the federal government. CEO: Aaron Barr
- rootkit.com – A site not directly affiliated with either company, hosting a community that discusses rootkits and security issues. Its connection to HBGary is through Greg Hoglund, who founded the site. It is not an official project of HBGary or HBGary Federal, though HBGary hosts it because of that connection.
- Greg Hoglund – CEO of HBGary, founder of rootkit.com
- Penny Leavy – President of HBGary
- Aaron Barr – Security researcher and CEO of HBGary Federal
- Ted Vera – COO of HBGary Federal
- Jussi Jaakonaho – Administrator at rootkit.com, who was asked (by someone using Hoglund's e-mail account) to reset Hoglund's account and confirm the current root password. Not affiliated with HBGary.
The exact chronology is unclear, but here is a list of events, possibly in rough chronological order:
- Aaron Barr claims he has infiltrated Anonymous and has identified its organizers, leaders and founders. He discusses the research with the Financial Times, which acts as the trigger for Anonymous.
- Anonymous breaks into an HBGary Federal server through SQL injection and gains accounts and e-mails of key figures.
- Either independently or as a consequence of that, an HBGary tech support system is compromised.
- Anonymous uses the account of Aaron Barr, who had administrative privileges on the HBGary e-mail systems, to access further data.
- Anonymous takes control of numerous online presences of key HBGary and HBGary Federal executives and employees: Aaron Barr's Twitter, Ted Vera's LinkedIn (now offline; he was renamed Colossal Faggot).
- At some point, Greg Hoglund's e-mail is also compromised and used to send e-mail to the rootkit.com administrator, Jussi Jaakonaho, asking him to reset Hoglund's account and confirm the root password.
- rootkit.com is compromised; supposed password lists are leaked and the SQL database is dumped.
- At some point, the HBGary Federal site is defaced and taken offline along with HBGary.com. HBGary is later put back online with a short post on the events. HBGary Federal remains offline, as does rootkit.com.
An important difference from my earlier analysis is that rootkit.com was not the starting point of the attack, or at least so it would seem. Before the rootkit.com attack, Greg Hoglund's mail was already compromised, as is evident in this "log", also referenced earlier. Through that account, Anonymous supposedly knew the previous and current root passwords at rootkit.com, and used the account as a platform to have Hoglund's rootkit.com account reset, thereby gaining access, and root on the server. My previous supposition was that accounts found on rootkit.com were used to gain access to other sites (such as other HBGary and HBGary Federal servers). Although it is probable that accounts found on rootkit.com were tried against various other sites, no details of such usage have emerged. rootkit.com was simply a footnote, its only connection being Greg Hoglund.
Anonymous, along with many reports, seems not to understand the connection between HBGary and its spinoff, HBGary Federal. They are separate, though related, companies (as evidenced by the IRC logs, lines 2755 and 629, as well as the HBGary main site). Aaron Barr was working on his own researching Anonymous, though HBGary also knew of his research. Anonymous, acting fast and wide, attacked both companies, as well as rootkit.com.
While rootkit.com is only fleetingly connected, I am mentioning it because of the local connection: the rootkit.com admin who was asked to reset Greg Hoglund's account on the server and to confirm the current root password is, admittedly, from Finland. The "research" done on his current employment status was poorly done and irrelevant, and is therefore best left unmentioned; it was only included as a local curiosity.
I will also address the fact that the member of Anonymous who e-mailed Jussi is claimed to be a 16-year-old girl known under the aliases `k and Kayla. There is, of course, no way of confirming this as fact, and I chose to include it because it is a funny footnote, if true.
As a fellow administrator, I also have to say that it's quite hard to blame Jussi. The e-mail originated from Greg's e-mail account, and I know for a fact that, even though it is bad security practice to discuss passwords in e-mails, this happens on a daily basis in our industry. If the identity of Greg Hoglund could have been confirmed at this point, rootkit.com may have gone unscathed. I don't have to stress the usage and importance of PGP, or SSH keys on servers, or good password policies in general; it's a topic for another post.
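The chain described above turned on a root password being discussed over e-mail and a password login being the only thing between the attacker and the box. As an added example (not anything from the original post, rootkit.com or HBGary), here is a small POSIX shell audit of an sshd_config for the three settings that make a leaked or e-mailed password insufficient on its own: PasswordAuthentication, PermitRootLogin and PubkeyAuthentication. It follows sshd's own rule that the first uncommented occurrence of a keyword wins; the two sample configs are constructed for the example, and which values count as "weak" is my choice.

```shell
#!/bin/sh
# Added example (not from the original post, rootkit.com or HBGary):
# audit an sshd_config for the settings that make an e-mailed or leaked
# password insufficient to log in. The sample configs below are constructed.

# sshd_option FILE KEYWORD -> the effective value of KEYWORD (lower-cased),
# or "" if it is not set. sshd uses the FIRST uncommented occurrence, so a
# hardened line near the top is not undone by a sloppy one further down.
sshd_option() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ { next }                       # skip commented-out lines
    tolower($1) == k && !found { print tolower($2); found = 1 }
  ' "$1"
}

# check_sshd_config FILE -> prints each weak setting, returns 0 only if
# passwords are off, root cannot use a password, and keys are enabled.
# Which values count as "weak" is my choice for this example; the "unset"
# defaults noted are OpenSSH's (older releases defaulted PermitRootLogin
# to yes, newer ones to prohibit-password).
check_sshd_config() {
  rc=0
  pw=$(sshd_option "$1" PasswordAuthentication)
  case "$pw" in
    no) ;;
    *) echo "WEAK: PasswordAuthentication=${pw:-unset (defaults to yes)}"; rc=1 ;;
  esac
  root=$(sshd_option "$1" PermitRootLogin)
  case "$root" in
    no|prohibit-password|without-password) ;;
    *) echo "WEAK: PermitRootLogin=${root:-unset (may default to yes)}"; rc=1 ;;
  esac
  pk=$(sshd_option "$1" PubkeyAuthentication)
  case "$pk" in
    ""|yes) ;;                                # unset defaults to yes
    *) echo "WEAK: PubkeyAuthentication=$pk"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample 1: password logins for everyone, root included.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample 2: keys only; the later duplicate line is ignored by
# sshd because the first value wins, and the commented line is skipped.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
#PasswordAuthentication yes
PasswordAuthentication yes
EOF
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

if check_sshd_config "$WEAK_CFG"; then echo "sample 1: hardened"; else echo "sample 1: NOT hardened"; fi
if check_sshd_config "$HARD_CFG"; then echo "sample 2: hardened"; else echo "sample 2: NOT hardened"; fi
```

Run it against a real /etc/ssh/sshd_config by calling check_sshd_config with that path instead of the samples. It only reads the three keywords; Match blocks and the Key=value spelling are not handled, so treat it as a quick sanity check rather than a substitute for reading the file.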
I still hold to my point that Aaron Barr's demise was well deserved. If you do shoddy research and try to profit from it, you deserve to burn publicly. I also can't say I have a strong sense of empathy towards HBGary or HBGary Federal, as they knew about the research. HBGary Federal has shown it is not to be trusted with federal issues, or taxpayers' money, as the research its CEO produced was nothing short of bullshit. Had this methodology spread to the federal government, the results may have been costly and grossly inaccurate. Granted, there was collateral damage, but in the wide world, money is what talks. When a company such as HBGary or HBGary Federal gets plastered all over the news and loses potentially millions, people tend to listen. This goes for the DDoS attacks on VISA, MasterCard and others last year. Big names, big losses, big headlines.
As an aside, Krebs on Security has a writeup of the events, but I'm left unclear as to how many of HBGary's systems were compromised initially. Krebs quotes Greg Hoglund, who says that a system containing tech support for HBGary was compromised, as well as a web server used by HBGary Federal. The order of those compromises is not immediately clear, so one can only speculate as to whether one led to the other, or whether they were independent compromises.
The sheer misunderstanding of the "structure" of Anonymous is still prevalent in the media. I feel that the structure of Anonymous is grossly overestimated. The arrests made so far have had little to no effect on the actions of Anonymous. The group is perhaps best described as a mob, or a flash mob: an idea that people can stand behind. A form of neo-anarchism that anyone can join without an understanding of the technology, the issues or the ideology. Even the ideology is a curious concept, as it changes as many times as the gasoline price at my local gas station.
Having been a bystander at 4chan and of the Anonymous movement, I'm led to believe that there is very little in the way of organisers, leaders or founders. It just sort of came together. Sure, the IRC channel has ops to keep order and the peace, but they can hardly be concluded to be leaders or organisers of the group, not that there is such a thing. Barr's research contains gross inaccuracies, if it is indeed what Anonymous released in the form of a PDF. Nicknames from the IRC channel (which is completely public and requires no "infiltration") were matched with nicknames used on Facebook, for instance, in many cases implicating completely unrelated people. This was said to be the main concern of Anonymous, as voiced a number of times in the IRC logs referred to earlier. The list was so inaccurate that Anonymous supposedly sent it to the FBI, to prove a point.
Also curious is that many people who do have op and seem to be "running things" on the IRC side were left completely unidentified in the "research". This includes people who have not even made an effort to be anonymous, such as "press guy" Barrett Brown, or joepie91. It also includes clear jokes, such as Guy Fawkes from London.
As a final, final thought, I would like to discuss the importance of research and sourcing, and the difficulty of online "journalism" (though I don't view myself as a journalist). Inaccuracies spread like wildfire. Content put online never comes back down. People and names get mixed up very easily, as online, anyone can be anyone. This applies both to the personalities discussed here and to the personalities discussed in Barr's "research". Sourcing becomes difficult in such sensitive issues, and this has been an important lesson for me as well: to strive to do even better research in the future. The problem is that companies usually want to keep breaches secret, and "attackers" like to add FUD and propaganda to their side of the story. Thus, forming a coherent picture of any event becomes challenging. So, as this has obviously been a lesson for many parties on many issues, including myself, I do hope people actually learn from this. I sure have.