The Sad Saga of HBGary
Yesterday I took a trip to UNO to listen to a presentation from one of our bioinformatics professors on immunology. We're working on some research proposals to develop network defense techniques based on biological immune systems; why reinvent the wheel if nature has some cool ideas, eh? After the presentation we got to talking about HB Gary's recent run-in with Anonymous, and I thought I'd make some commentary which likely no one will read.
First, let me point to a couple of posts I made in 2009 about social engineering and users being the weakest link:
<>< [Phish / Fish] ing attacks are still viable
Wikipedia has as good a definition of social engineering as any:
Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques.[1] While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.
This is a term of art that has been popularized in security parlance; the first <>< post linked above has a YouTube clip from the movie Hackers that illustrates the concept quite well.
Anonymous is an 'anonymous' group of individuals who came to public attention with their campaign against Scientology. They have made recent headlines with distributed denial of service (DDoS) attacks against companies and organizations perceived as having attacked Wikileaks. Their tool of choice is an open source project that lets anyone join in, or voluntarily hand control of their machine to someone else directing the attack. The merits and flaws of their political statements, the legality of their actions, and a technical analysis of the tool itself are beyond my scope here; it suffices to understand that Anonymous is a group of individuals who have been conducting DDoS attacks against third parties in retaliation for those parties being perceived as attacking Wikileaks in some manner.
Homeland Security & Technology’s Role
UNO was given a few tickets to tomorrow's homeland security event from the Louisiana Technology Council, and I managed to obtain one. The event schedule looks like it has some interesting topics:
HBGary.* part II
More information, or at least a more coherent and complete set of information, is available as of this morning from Ars Technica. They have done a really good job of putting the pieces into a clear picture. What I heard in passing seems to be correct: the initial compromise was a SQL injection, and the rest of the timeline goes from there. The hackers in question apparently held the mail server for a number of hours before moving further, and monitored email communications for over 30 hours undetected.
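Since the initial vector was a SQL injection, the pattern is worth seeing in code. The following is an added, generic illustration and not HBGary's CMS code (which the page does not show): the same page lookup written once with the request value pasted into the SQL text, and once with it bound as a parameter. The table, rows and injection payload are constructed for the example.

```python
import sqlite3

# Constructed sample table (an assumption for illustration; not HBGary's CMS or data).
PAGES = [
    (1, "home", "public"),
    (2, "about", "public"),
    (3, "roadmap", "private"),
]


def make_db():
    """In-memory SQLite database holding the constructed PAGES rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, slug TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", PAGES)
    return conn


def public_slug_vulnerable(conn, page_id):
    """Injectable: the request value becomes part of the SQL text, so a crafted
    value can rewrite the query and comment out the visibility filter."""
    sql = "SELECT slug FROM pages WHERE id = %s AND visibility = 'public' ORDER BY id" % page_id
    return [row[0] for row in conn.execute(sql)]


def public_slug_parameterized(conn, page_id):
    """Hardened: the value is bound as a parameter and is never parsed as SQL,
    so the same payload simply fails to match any id."""
    sql = "SELECT slug FROM pages WHERE id = ? AND visibility = 'public' ORDER BY id"
    return [row[0] for row in conn.execute(sql, (page_id,))]


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1 --"  # constructed attacker input for the page id parameter
    print("vulnerable   :", public_slug_vulnerable(db, payload))     # every row, private included
    print("parameterized:", public_slug_parameterized(db, payload))  # nothing matches
```

The `--` in the payload turns the rest of the statement into a comment, which is why the private row leaks in the first variant; with a bound parameter the whole string is compared against the integer column and matches nothing. Binding is the fix; escaping or "sanitizing" the value is a weaker substitute.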
The HB Gary, Inc. CEO tried to reason with Anonymous to avoid the email disclosures (IRC log, while it remains up). This part was a little painful to read because it is easy to empathize with someone whose company's value is essentially being destroyed because someone else stirred the hornets' nest. But once data like that has made it into multiple hands, distributed technology is distributed technology; there really is no going back.
Aaron Barr, the individual from HB Gary Federal whose 'research' started this mess, was looking to do primitive data mining and correlation of social networking data to identify individuals from Anonymous as well as the geographic regions they were located in. According to the quotes and excerpts on Ars, his hypothesis was (a) that individuals friended by his targets would be less likely to secure or censor identifying information, (b) that someone's location could be extrapolated from the general geographic locations of their friends (I assume his idea was that most friends would be local), and (c) that by correlating the times of posts to social networking sites with presence in IRC channels, a connection could be drawn from IRC handle to real-life identity. He appears to have had something resembling success, as the chat logs indicate he had identified people connected to Anonymous members, but some of those individuals were innocent (i.e. false positives): the girlfriend of one of the individuals in the chat logs was identified, for example.
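Hypotheses (b) and (c) can be sketched as a small script, which also makes the false positive concrete. The following is an added example, not Barr's tooling or any code from the Ars article; the IRC handles, timestamps, social accounts, friend lists and cities are all constructed here and assumed to be in one time zone. It scores each social account against an IRC handle by the overlap of the hours in which both were active (hypothesis c), guesses a home city as the most common city among an account's friends (hypothesis b), and shows that an account kept on the same schedule as the target (here, a partner in the same household) clears the same threshold as the target.

```python
from collections import Counter

# Constructed sample data for illustration only (assumption; not logs from the incident).
# IRC activity: handle -> ISO-8601 timestamps when that handle spoke in the channel.
IRC_ACTIVITY = {
    "handle_a": ["2011-02-05T22:05", "2011-02-05T23:40", "2011-02-06T22:15", "2011-02-07T23:02"],
    "handle_b": ["2011-02-05T03:10", "2011-02-06T02:50", "2011-02-07T03:30"],
}

# Public social-network posts: account -> ISO-8601 timestamps of posts.
SOCIAL_POSTS = {
    "alice":    ["2011-02-05T22:30", "2011-02-05T23:10", "2011-02-07T23:20"],
    "alice_gf": ["2011-02-05T22:40", "2011-02-06T22:00", "2011-02-07T22:30", "2011-02-07T23:15"],
    "bob":      ["2011-02-05T03:00", "2011-02-06T03:05", "2011-02-07T12:00"],
}

# Friend lists with self-declared home cities: account -> {friend: city}.
FRIEND_CITIES = {
    "alice": {"carol": "Omaha", "dave": "Omaha", "erin": "London", "frank": "Omaha"},
}


def hour_buckets(stamps):
    """Collapse timestamps to (date, hour) buckets, e.g. '2011-02-05T22'."""
    return {s[:13] for s in stamps}


def jaccard(a, b):
    """Overlap of two sets of hour buckets; 0.0 when both are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def link_candidates(handle, threshold=0.5):
    """Hypothesis (c): rank social accounts by how many active hours they share
    with an IRC handle. Returns [(account, score), ...] above the threshold,
    best first. Anyone on the same daily schedule scores high, which is the
    innocent-bystander false positive."""
    irc = hour_buckets(IRC_ACTIVITY[handle])
    scored = []
    for account, posts in SOCIAL_POSTS.items():
        score = jaccard(irc, hour_buckets(posts))
        if score >= threshold:
            scored.append((account, round(score, 2)))
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def infer_location(account):
    """Hypothesis (b): guess a home city as the modal city among the account's
    friends. Returns (city, fraction of friends in that city)."""
    cities = Counter(FRIEND_CITIES[account].values())
    city, count = cities.most_common(1)[0]
    return city, count / sum(cities.values())


if __name__ == "__main__":
    for handle in IRC_ACTIVITY:
        print(handle, "->", link_candidates(handle))
    print("alice lives near:", infer_location("alice"))
```

With the constructed data `handle_a` links to both `alice` (0.75) and `alice_gf` (0.6): the partner's posts fall in the same evening hours, so the timing signal alone cannot tell them apart. That is structural, not a data-quality problem; any cohabitant, colleague or friend on the same schedule will rank alongside the real target, and the method needs an independent signal before a name is attached to a handle. `handle_b` produces no candidate at all because its few timestamps barely overlap anyone's posts, so sparse data gives silence rather than a wrong answer only if the threshold is kept honest.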