HBGary Attack Analysis
The original article on Ars Technica.
The Slashdot discussion
Seriously, the article is absolutely fascinating reading. It is a very detailed account of just how badly security can be managed. FTFA: Quote:
|
It's rather painful, isn't it?
|
Painful with a massive dollop of irony. What's worse is that I suspect the way they ran things isn't all that unusual.
|
Quoting from the article:
Quote:
|
Quote:
The good part is we can instill a sense of security and help improve things. |
Someone should nominate Ars Technica for the Pulitzer
The stories (more than one) published by Ars Technica in the past week on the HBGary scandal are among the most important I have ever seen.
I think the scary, scary implications for citizens everywhere in the world go far, far beyond the object lessons in computer insecurity provided by the many blunders of this particular company. But this is probably not the place to discuss that. |
Three thoughts
Can't help asking: am I really the only one to have noticed that Aaron and Julian share some psychological characteristics? I confess I feel sorry for them both right now...
Another thought which occurred to me as I contemplated the HBGary breach: I am soooo glad I am not a professional sysadmin, because I'd feel so awful about taking money for trying to do a job and failing*, because of course people want to simply have a secure system, period, but that goal appears to be receding ever faster into the realm of utopian fantasy. [*I mean, even if I knew enough to try to work as a sysadmin, which I know I do not. I was thinking of Aaron Barr's comments that "we (security experts) are losing the fight".] Another: Aaron Barr was
[*The FBI rejected some HBGary products as--- does this sound familiar?--- all glitz and no actionable information.] |
I am glad to see that I am not the only one who read some of the articles as: "Malware to the highest bidder".
So in essence, we can thank this company for some of the programs that are used against our systems on a daily basis. We can be grateful that even though we watch and monitor our systems with dogged persistence that their company stands ready to ensure that we face an eternal threat to the integrity of data and private information that we have sworn to safeguard and keep confidential. We can take great comfort that in the face of catastrophe and loss that they, HBGary and its employees, are better off financially and sleeping soundly at night having helped to ensure their futures. We can thank them that through their efforts we have continued to grow and adapt to emerging and existing threats. |
Quote:
As for their other activities, yeah it is a bit disturbing, but I also think it is a good warning. The bad guys are almost certainly doing stuff similar to what HBGary was developing. It's been very clear for quite some time that the "malware to the highest bidder" has been the basic business model behind botnets. HBGary is just trying to make a "legitimate" business out of what has been happening in the shadows for a long time. Quote:
|
Some additional points:
Noway, glad to see you understand one of the most important implications of the activities of the eager US advocates of state-sponsored cyberterrorism by the US: sysadmins have looked to US CERT, the FBI, and other such agencies for help in keeping data on your networks confidential (private medical data, personal financial data of ordinary citizens,...), but these very same agencies are deeply involved in "exfiltrating" data from your networks! For example, the HBGary leak shows that someone must have scraped user profiles from Facebook for Palantir's social network analysis, and Aaron Barr was teaching well-attended courses with pupils from FBI, NSA, other spyco contractors on stalking people at Facebook and other social media websites. Most strikingly, he was teaching intell operatives to stalk acquaintances, friends of friends, family members (including minor children) of "targets". He was teaching them to start several steps outside and gradually work their way towards the real target. Implication: everyone who uses social media websites can be a target of professional intell operatives. And not just the US, but those of other countries. |
Quote:
|
And for US servicepersons,
http://www.linuxquestions.org/questi...46#post4267746 is exactly the kind of shindig which US contract intell operatives monitor/infiltrate, so be careful what you do and say in LUGs. Your commander is likely to assume that any soldier who joins a LUG must be a secret anarchist. The introduction of IPv6 and new alphabets which few US sysadmins can even transcribe into roman alphanumerics, unfixed DNS problems, novel classes of malware of unprecedented sophistication... is occurring at the very same time that all the advanced nations are rapidly developing (and practicing) cyberwarfare against networks inside and outside their own territories. A perfect storm of woe. What chance do operators of small networks, much less the average citizen, have of protecting their computers against attack by such capable and well-funded attackers? Aaron Barr was no match for "Anonymous", but clearly the average journalist or human rights blogger is no match for him and his colleagues. And to amplify the points I made above:
I tend to suspect that those who doubt the prognostications of people like Perle will be borne out in the near future are correct as far as that goes, but this misses another crucial point: the development of the surveillance-state is a huge bonanza for some people who stand to make a bundle. That is why they are happy to "collaborate" with the black hats in ensuring that an already severe "threat landscape" becomes much, much worse. Because this ensures that whether they like it or not, governments and corporations will have to hire their firms to try to protect against these new classes of threat which, in many cases, they themselves developed! For the same reason, I think citizens of the "Western democracies" should be very concerned by the standard model (made in the USA) of CT investigations: sting operations in which the intelligence services actually create "managed" threats. That feeds the machine. The secret police imply that the militia movements, ecowarrior groups, anarchist groups cofounded by their operatives are "safe" since "under our control", but the fact remains: secret police operatives have a huge financial incentive to create a credible threat even where one did not previously exist, and they appear to be doing so. The "revolving door" cycle increasingly resembles law enforcement work -> domestic terror threat production and international cybersecurity threat production -> private security work. These guys should make Bernie Madoff proud. The US government is scamming itself, to the tune of 50 billion annually and rapidly growing. |
My post is going a bit off topic here, but your post has been giving me a lot of cause to think over the last few days. The nutshell summary of the conclusion that I am coming to is that groups like Anonymous are examples of the beginnings of more modern forms of Democracy and that the emergence is in response to the natural evolution of the Corporate Nation-State. Below, I will try to spell my reasoning out but first I would like to say that my intent is to maintain an objective, academic view point. I neither want to condemn nor support either side's actions as I don't want to take any sort of stance regarding the legality of either side's actions. This is neither my focus, nor a stance that I wish to put LQ into. So with that, I will begin.
The United States, which I will use as our example "Western democracy", was formed as a Constitutional Republic. Technically, it is not a Democracy, nor has it ever been. At the time of its founding, in the late 1700s, communication was slow, taking several days to weeks to get a simple message to a recipient more than a few miles away. A message across the Ocean would take weeks to months. As a direct consequence, the only real way to have a government that represented the interests of the people was to bring those representatives to a common location: hence a Representative Republic. About 100 years later (late 1800s to early 1900s), technological and economic advances started putting forward pressures on the society. There was desire and demand for advancement on a scale that goes beyond that of the individual entrepreneur. These forces, as well as others, gave rise to the corporation, where individuals could pool their resources and collectively act as a unit. This enabled the creation of the large companies of the industrial revolution that took place at that time. Examples include the light bulb, telegraph, telephone, railroads, cars, etc. After World War Two, which brought massive breakthroughs in technology, this Corporate-Capitalist-Republic model became a dominant world force and a model of affluence. On the negative side, this also brought us the concept of the Military Industrial Complex and the Cold War, which brings us to our current state. With the demise of the Soviet Union and a growing acceptance of non "Democratic" forms of governance (e.g. China and the monarchies of the mid east), the Military Industrial Complex - the Corporate-Capitalist-Nation-State needed another target upon which to feed. Note that two of the driving traits of Corporations are that they are classically psychopathic and paranoid (Google can provide several references to this subject) with a relentless drive towards one goal: the accumulation of monetary wealth.
One of the threats facing this drive is limitation and regulation imposed by the Democratic/Republic State which would by default likely be more neutral - representing both the people and the corporations. This brings us two effects: 1 - the turn towards terrorism and cyber-terrorism as threats that must be perpetually defended against, and 2 - the trend of corporations effectively buying the government via the politicians. Consequently, we have a Corporate-Republic-State that is both paranoid and has an insatiable desire for monetary gain. The corporations have continued to adapt and evolve, taking advantage of this fact in many ways. Into this environment rose the Internet, which for the first time in history, makes instantaneous communications on a global scale possible. It is also the reason we are seeing the emergence of what I believe to be more advanced forms of Democracy. Back to what I was saying at first, that the nation was out of necessity formed as a Constitutional Republic with communications being a limitation. This limitation no longer exists. As a direct result we are seeing corporations becoming multi-national and people all over the globe are communicating, pooling and sharing resources like never before: think Linux as a prime example (which is also a strategic threat to corporations like Microsoft). An effect of this is that we are seeing the traditional identity as a Nation-State breaking down and people are starting to identify themselves in terms of common goals, beliefs, and socio-economic conditions. The founders of the current Western Democracies could not foresee this evolution and could not design for its inception. At the same time in these Western Democracies, contrary to the rhetoric and the founders' intentions, 'the People' have little voice anymore: it is the Corporations that control what is on the media and make the policies of the politicians. The advance of the Internet is changing that.
We are seeing people on a global scale pooling and joining on the basis of common goals and beliefs, pooling their small resources to counter the voice of the large Corporations. In essence, we are seeing the emergence of what I would call a Virtual Democracy. Continuing to set aside the legal implications of groups such as Anonymous and the sale of high-grade malware by companies like HBGary... What we have is a group, Anonymous, where people can opt-in "to vote" and express their opinion in instantaneous time, not the weeks, months, and years associated with traditional political cycles. As the Ars Technica articles pointed out, the leaders emerge based upon the merit and persuasiveness of their arguments, not on the fact that they have been appointed or elected. This gives them a great strength of adaptability and a sense of morality - both of which are traits that are lacking in the Corporate-Republic model. |
In Search of a Philosophy
Noway2, I've been thinking too, and after spending all day yesterday drafting responses, I've given up on trying to express more than a small fraction of my thoughts. So here's a random sample of ideas which have occurred to me, popped off the stack in pseudorandom order:
|
Quote:
|