The Sad Saga of HBGary
Yesterday I took a trip to UNO to listen to a presentation from one of our bioinformatics professors on immunology. We’re working on some research proposals to develop network defense techniques based on biological immunity systems – why reinvent the wheel, if nature has some cool ideas eh? After the presentation we got to talking about HB Gary’s recent run in with Anonymous, and I thought I’d make some commentary which likely no one will read.
First, let me point to a couple posts I made in 2009 about social engineering and users being the weakest link:
<>< [Phish / Fish] ing attacks are still viable
Wikipedia has as good a definition of Social Engineering as any
Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.
This is a “Term of Art” which has been popularized in security parlance; the first link to the <>< post has a YouTube clip from the movie Hackers which illustrates this concept quite poignantly.
Anonymous is an ‘anonymous’ group of individuals who entered common cognizance with their exploits against Scientology. They’ve made recent headlines from Distributed Denial of Service attacks against companies and organizations which have attacked Wikileaks. Their tool of choice is actually an open-source project, and it allows anyone to join in or voluntarily turn control over to someone else in directing an attack. The merits and flaws of their political statements, the legality of their actions, and the technical analysis of the tool in particular are beyond my scope here; it suffices to understand that Anonymous is a group of individuals who have been conducting DDoS attacks against third parties as retaliation for those parties being perceived as attacking Wikileaks in some manner.
Wikileaks – NeoNazi Forum Dumps
Wikileaks has data from several Neo Nazi forums. The information includes user lists, private message histories, forum posts, etc. I’ve been poring over the data since yesterday. They seem to be using SMF and phpBB primarily between the sites – some with modified fields. I’m currently looking at the communication patterns for the private messages. When I analyzed the user lists, I found a good number of overlap users between the sites – users who were members of multiple websites. What I’m doing now is cross-referencing the private messages to and from the individuals with multiple memberships. I’m hoping this reveals who the significant actors are, what individuals form subgroups, and how different subgroups are linked between the sites through the multiple-membership users.
This is all very preliminary, but should make for some fascinating observations later. After I am done with the communication patterns, I’m going to take a look at word frequencies in the forum posts. I might make one of those weighted word clouds, those always make for intriguing eye candy.
Respondus LockDown Browser
The Respondus LockDown Browser is an application designed to “lock down” a system for the duration of an exam. It claims to display a full-screen browser that cannot be minimized, prevents task switching, stops “over 400 screen capture, messaging, screen-sharing and network monitoring applications” from running, blocks external links to avoid compromising the “locked testing environment”, and so forth. The application is intended to (1) stop students from accessing external material while taking the exam, (2) stop students from recording the examination questions, and (3) stop students from communicating with others – all in an effort to stop cheating.
I learned about this application over the weekend when an online exam for a class I am taking this semester required its use. I was quite annoyed to learn it did not have a Linux client and relied on Internet Explorer. Using Linux as my primary OS, I naturally loaded it into a VMware copy of Windows XP only to discover it refuses to run in a virtual machine. Not wanting to go all the way to campus to take the exam, I fired up IDA Pro and decided to take a look at the VM detection mechanisms – needless to say I was unimpressed.
HBGary.* part II
More information, or at least a more coherent, complete set of information, is available as of this morning from Ars Technica. They have done a really good job of putting the pieces into a clear picture. What I heard in passing seems to be correct: the initial compromise was a SQL injection and the rest of the timeline goes from there. The hackers in question apparently compromised the mail server for a number of hours before moving further and monitored email communications for over 30 hours undetected.
The HB Gary, Inc. CEO tried to reason with Anonymous to avoid the email disclosures (IRC Log while it remains up). This part was a little painful to read because it is easy to empathize with someone whose company’s value is essentially being destroyed because someone else stirred the hornet’s nest – but once data like that has made it into multiple hands, distributed technology is distributed technology; there really is no going back.
Aaron Barr – the individual from HB Gary Federal whose ‘research’ started this mess – was looking to do primitive data mining and correlation with social networking data to identify individuals from Anonymous as well as the geographic regions they were located in. According to the quotes and excerpts on Ars, his hypothesis was (a) that individuals friended by his targets would be less likely to secure or censor identifying information, (b) that someone’s location could be extrapolated by looking at the general geographic locations of their friends (I assume his idea was that most friends would be local friends), and (c) that by correlating activity times of posts to social networking sites with presence in IRC channels a connection could be drawn from IRC handle to real-life identity. He appears to have had something similar to success, as the chat logs indicate he had identified people connected to Anonymous members, but some of those individuals were innocent (i.e. false positives) – the girlfriend of one of the individuals in the chat logs was identified, for example.