LinuxQuestions.org


Hangdog42 02-17-2011 07:24 AM

HBGary Attack Analysis
 
The original article on Ars Technica.

The Slashdot discussion


Seriously, the article is absolutely fascinating reading. It is a very detailed account of just how badly security can be managed.

FTFA:

Quote:

So what do we have in total? A Web application with SQL injection flaws and insecure passwords. Passwords that were badly chosen. Passwords that were reused. Servers that allowed password-based authentication. Systems that weren't patched. And an astonishing willingness to hand out credentials over e-mail, even when the person being asked for them should have realized something was up.

unSpawn 02-17-2011 11:08 AM

It's rather painful, isn't it?

Hangdog42 02-17-2011 11:33 AM

Painful with a massive dollop of irony. What's worse is that I suspect the way they ran things isn't all that unusual.

Noway2 02-17-2011 11:57 AM

Quoting from the article:
Quote:

So what do we have in total? A Web application with SQL injection flaws and insecure passwords. Passwords that were badly chosen. Passwords that were reused. Servers that allowed password-based authentication. Systems that weren't patched. And an astonishing willingness to hand out credentials over e-mail, even when the person being asked for them should have realized something was up.
There is one other ingredient missing from this recipe: the company's top executives' USER accounts were extremely privileged accounts that were capable of doing a great deal of damage. The very first, and only logical reason that comes to mind is pure hubris, but ... but ... but they are the CEO! Pathetic.

unSpawn 02-17-2011 01:08 PM

Quote:

Originally Posted by Hangdog42 (Post 4261759)
What's worse is that I suspect the way they ran things isn't all that unusual.

No need to voice suspicions: you know it is.

The good part is we can instill a sense of security and help improve things.

Peufelon 02-22-2011 11:26 AM

Someone should nominate Ars Technica for the Pulitzer
 
The stories (more than one) published by Ars Technica in the past week on the HBGary scandal are among the most important I have ever seen.

I think the scary, scary implications for citizens everywhere in the world go far, far beyond the object lessons in computer insecurity provided by the many blunders of this particular company. But this is probably not the place to discuss that.

Peufelon 02-23-2011 06:48 PM

Three thoughts
 
Can't help asking: am I really the only one to have noticed that Aaron and Julian share some psychological characteristics? I confess I feel sorry for them both right now...

Another thought which occurred to me as I contemplated the HBGary breach: I am soooo glad I am not a professional sysadmin, because I'd feel so awful about taking money for trying to do a job and failing*, because of course people want to simply have a secure system, period, but that goal appears to be receding ever faster into the realm of utopian fantasy.

[*I mean, even if I knew enough to try to work as a sysadmin, which I know I do not. I was thinking of Aaron Barr's comments that "we (security experts) are losing the fight".]

Another: Aaron Barr was
  • struggling to contribute to a searchable malware catalog (sounds good for everyone everywhere, except that the US apparently didn't intend to share it with the world)
  • trying to help reverse engineer Aurora and stuxnet (good, except that the US apparently had no intention of sharing any countermeasures with the world)
  • trying to use the insights gained to develop his own rootkits (very very bad, reading somewhat into his frequent comments that like it or not, every citizen is involved in the new age of digital warlordism)
As the US economy worsens, doesn't this imply that struggling American security firms will start selling any of their malware which is rejected as substandard by the US government[*] to... Belarus? Libya? Malaysia? The mafia? Where does it end? And how can anyone trust his national CERT, if they are busy creating and unleashing malware?

[*The FBI rejected some HBGary products as--- does this sound familiar?--- all glitz and no actionable information.]

Noway2 02-24-2011 03:44 AM

I am glad to see that I am not the only one who read some of the articles as: "Malware to the highest bidder".

So in essence, we can thank this company for some of the programs that are used against our systems on a daily basis. We can be grateful that even though we watch and monitor our systems with dogged persistence that their company stands ready to ensure that we face an eternal threat to the integrity of data and private information that we have sworn to safeguard and keep confidential. We can take great comfort that in the face of catastrophe and loss that they, HBGary and its employees, are better off financially and sleeping soundly at night having helped to ensure their futures. We can thank them that through their efforts we have continued to grow and adapt to emerging and existing threats.

Hangdog42 02-24-2011 07:23 AM

Quote:

Originally Posted by Peufelon
Another thought which occurred to me as I contemplated the HBGary breach: I am soooo glad I am not a professional sysadmin, because I'd feel so awful about taking money for trying to do a job and failing*, because of course people want to simply have a secure system, period, but that goal appears to be receding ever faster into the realm of utopian fantasy.

I think you're overstating this just a tad. The sad/funny/disturbing thing about HBGary is that a group of people who billed themselves as security experts (and probably do know a bit about security) got completely pwned because they couldn't be bothered to even do the basics. Everything Anonymous did to them could have been prevented by simply following a Security for Dummies book.

As for their other activities, yeah it is a bit disturbing, but I also think it is a good warning. The bad guys are almost certainly doing stuff similar to what HBGary was developing. It's been very clear for quite some time that the "malware to the highest bidder" has been the basic business model behind botnets. HBGary is just trying to make a "legitimate" business out of what has been happening in the shadows for a long time.

Quote:

Originally Posted by Noway2
We can be grateful that even though we watch and monitor our systems with dogged persistence that their company stands ready to ensure that we face an eternal threat to the integrity of data and private information that we have sworn to safeguard and keep confidential.

I know you're joking a bit here but one may ask why this sort of an attitude is needed only post-HBGary as opposed to being SOP. Certainly the bad guys are making enough money off of botnets that threats like what HBGary is developing are going to exist whether HBGary develops them or not.

Peufelon 02-24-2011 08:28 AM

Some additional points:
  • Unfortunately, as other leaked documents attest, HBGary is by no means an exceptional "rogue organization" inside the surveillance state; dozens of similar firms are doing similar malware development for active cyberwarfare by the US, to mention just one country which is devoting a huge sum of money annually to developing cyberware (in practice, not just in theory),
  • nor are its security failures exceptional (as already noted above)
  • the stuff causing problems TODAY for the average sysadmin probably does indeed originate with OC gangs who have indeed for years sold malware to the highest bidder--- the problem for TOMORROW is
    • far more sophisticated classes of malware
    • state-sponsored crackers will be trying to compromise everyone's network (what one happy proponent calls digital warlordism)
    • when "bottom feeder" spycos struggle financially, the temptation to sell their products to an ever wider circle of "clients" will become irresistible
  • the HBGary material (more than 12 GB) is best studied together with other leaks published at Cryptome, old Wikileaks, and other sites
  • the US intelligence state is the model for similar activities in other countries; to a considerable extent, the operatives of other countries (including many everyone would agree are repressive regimes) are trained in the same courses, use the same hardware/software, made by same vendors, as the US spyco contractors; fortunately for human rights activists, the US surveillance-industrial complex has proven to be fairly leaky, so material like the HBGary leak provides a glimpse into what other countries are doing to their own political dissidents, NGOs, journalists/bloggers.

Noway, glad to see you understand one of the most important implications of the activities of the eager US advocates of state-sponsored cyberterrorism by the US: sysadmins have looked to US CERT, the FBI, and other such agencies for help in keeping data on your networks confidential (private medical data, personal financial data of ordinary citizens,...), but these very same agencies are deeply involved in "exfiltrating" data from your networks! For example, the HBGary leak shows that someone must have scraped user profiles from Facebook for Palantir's social network analysis, and Aaron Barr was teaching well-attended courses with pupils from FBI, NSA, other spyco contractors on stalking people at Facebook and other social media websites. Most strikingly, he was teaching intell operatives to stalk acquaintances, friends of friends, family members (including minor children) of "targets". He was teaching them to start several steps outside and gradually work their way towards the real target. Implication: everyone who uses social media websites can be a target of professional intell operatives. And not just the US, but those of other countries.

Noway2 02-24-2011 08:58 AM

Quote:

Originally Posted by Hangdog42 (Post 4269605)
I know you're joking a bit here but one may ask why this sort of an attitude is needed only post-HBGary as opposed to being SOP. Certainly the bad guys are making enough money off of botnets that threats like what HBGary is developing are going to exist whether HBGary develops them or not.

I agree that it should be SOP. For me personally, the HBGary incident has brought a new level of awareness to the situation. Much the same way that the realization that Stuxnet was undoubtedly state sponsored did. The problem I have with a company like HBGary developing and selling professional malware is a matter of degree. A large-cap company, especially one that is nation-state sponsored can potentially bring a lot more resources to bear on a task than people operating in the shadows. The problem with computer 'viruses' is the same as with the biological kind. Chiefly, how do you contain it?

Peufelon 02-24-2011 09:03 AM

And for US servicepersons,
http://www.linuxquestions.org/questi...46#post4267746
is exactly the kind of shindig which US contract intell operatives monitor/infiltrate, so be careful what you do and say in LUGs. Your commander is likely to assume that any soldier who joins a LUG must be a secret anarchist.

The introduction of IPv6 and new alphabets which few US sysadmins can even transcribe into roman alphanumerics, unfixed DNS problems, novel classes of malware of unprecedented sophistication... is occurring at the very same time that all the advanced nations are rapidly developing (and practicing) cyberwarfare against networks inside and outside their own territories. A perfect storm of woe.

What chance do operators of small networks, much less the average citizen, have of protecting their computers against attack by such capable and well-funded attackers? Aaron Barr was no match for "Anonymous", but clearly the average journalist or human rights blogger is no match for him and his colleagues.

And to amplify the points I made above:
  • HBGary leaked a great deal of malware code, including MAGENTA, which is now available for, say, Chinese state-sponsored crackers to further "improve". From a human rights perspective, I am glad that the leak occurred because as I said it provides another invaluable glimpse into what countries everywhere are doing to us all, but it also shows that secret services often wind up helping their adversaries,
  • Just one more reason why the very idea of trying to keep a malware database a state secret is a stupid idea,
  • the HBGary leaks (in conjunction with several previous leaks) clearly show that the US cyber-intelligence machine (and similarly for other countries whose citizens have democratic ambitions) is finding it impossible to find a sufficient number of coders who are politically committed to the kind of paternalistic government ("don't look at us or question what we do, just let us keep you safe from what we consider to be dangers to the state, dangers which you citizens are too stupid and ignorant to appreciate") which is exemplified by the US TSA.

I tend to suspect that those who doubt the prognostications of people like Perle will be borne out in the near future are correct as far as that goes, but this misses another crucial point: the development of the surveillance-state is a huge bonanza for some people who stand to make a bundle. That is why they are happy to "collaborate" with the black hats in ensuring that an already severe "threat landscape" becomes much, much worse. Because this ensures that whether they like it or not, governments and corporations will have to hire their firms to try to protect against these new classes of threat which, in many cases, they themselves developed!

For the same reason, I think citizens of the "Western democracies" should be very concerned by the standard model (made in the USA) of CT investigations: sting operations in which the intelligence services actually create "managed" threats. That feeds the machine. The secret police imply that the militia movements, ecowarrior groups, anarchist groups cofounded by their operatives are "safe" since "under our control", but the fact remains: secret police operatives have a huge financial incentive to create a credible threat even where one did not previously exist, and they appear to be doing so. The "revolving door" cycle increasingly resembles law enforcement work -> domestic terror threat production and international cybersecurity threat production -> private security work. These guys should make Bernie Madoff proud. The US government is scamming itself, to the tune of 50 billion annually and rapidly growing.

Noway2 02-26-2011 07:07 AM

My post is going a bit off topic here, but your post has been giving me a lot of cause to think over the last few days. The nutshell summary of the conclusion that I am coming to is that groups like Anonymous are examples of the beginnings of more modern forms of Democracy and that the emergence is in response to the natural evolution of the Corporate Nation-State. Below, I will try to spell my reasoning out but first I would like to say that my intent is to maintain an objective, academic view point. I neither want to condemn nor support either side's actions as I don't want to take any sort of stance regarding the legality of either side's actions. This is neither my focus, nor a stance that I wish to put LQ into. So with that, I will begin.

The United States, which I will use as our example "Western democracy" was formed as a Constitutional Republic. Technically, it is not a Democracy, nor has it ever been. At the time of its founding, in the late 1700's communication was slow, taking several days to weeks to get a simple message to a recipient more than a few miles away. A message across the Ocean would take weeks to months. As a direct consequence, the only real way to have a government that represented the interests of the people was to bring those representatives to a common location: hence a Representative Republic.

About 100 years later (late 1800s to early 1900s), technological and economic advances started putting forward pressures on the society. There was desire and demand for advancement on a scale that goes beyond that of the individual entrepreneur. These forces, as well as others, gave rise to the corporation, where individuals could pool their resources and collectively act as a unit. This enabled the creation of the large companies of the industrial revolution that took place at that time. Examples include the light bulb, telegraph, telephone, railroads, cars, etc. After World War Two, which brought massive breakthroughs in technology, this Corporate-Capitalist-Republic model became a dominant world force and a model of affluence. On the negative side, this also brought us the concept of the Military Industrial Complex and the Cold War, which brings us to our current state.

With the demise of the Soviet Union and a growing acceptance of non "Democratic" forms of governance (e.g. China and the monarchies of the mid east), the Military Industrial Complex - the Corporate-Capitalist-Nation-State needed another target upon which to feed. Note, that two of the driving traits of Corporations are that they are classically psychopathic and paranoid (Google can provide several references to this subject) with a relentless drive towards one goal: the accumulation of monetary wealth. One of the threats facing this drive is limitation and regulation imposed by the Democratic/Republic State which would by default likely be more neutral - representing both the people and the corporations. This brings us two effects: 1 - the turn towards terrorism and cyber-terrorism as threats that must be perpetually defended against, and 2 - the trend of corporations effectively buying the government via the politicians. Consequently, we have a Corporate-Republic-State that is both paranoid and has an insatiable desire for monetary gain. The corporations have continued to adapt and evolve, taking advantage of this fact in many ways. Into this environment rose the Internet, which for the first time in history, makes instantaneous communications on a global scale possible. It is also the reason we are seeing the emergence of what I believe to be more advanced forms of Democracy.

Back to what I was saying at first, that the nation was out of necessity formed as a Constitutional Republic with communications being a limitation. This limitation no longer exists. As a direct result we are seeing corporations becoming multi-national and people all over the globe are communicating, pooling and sharing resources like never before: think Linux as a prime example (which is also a strategic threat to corporations like Microsoft). An effect of this is that we are seeing the traditional identity as a Nation-State breaking down and people are starting to identify themselves in terms of common goals, beliefs, and socio-economic conditions. The founders of the current Western Democracies could not foresee this evolution and could not design for its inception.

At the same time in these Western Democracies, contrary to the rhetoric and the founders' intentions, 'the People' have little voice anymore: it is the Corporations that control what is on the media and make the policies of the politicians. The advance of the Internet is changing that. We are seeing people on a global scale pooling and joining on the basis of common goals and beliefs, pooling their small resources to counter the voice of the large Corporations. In essence, we are seeing the emergence of what I would call a Virtual Democracy. Continuing to set aside the legal implications of groups such as Anonymous and the sale of high-grade malware by companies like HBGary... What we have is a group, Anonymous, where people can opt-in "to vote" and express their opinion in instantaneous time, not the weeks, months, and years associated with traditional political cycles. As the Ars Technica articles pointed out, the leaders emerge based upon the merit and persuasiveness of their arguments, not on the fact that they have been appointed or elected. This gives them a great strength of adaptability and a sense of morality - both of which are traits that are lacking in the Corporate-Republic model.

Peufelon 02-27-2011 04:54 PM

In Search of a Philosophy
 
Noway2, I've been thinking too, and after spending all day yesterday drafting responses, I've given up on trying to express more than a small fraction of my thoughts. So here's a random sample of ideas which have occurred to me, popped off the stack in pseudorandom order:
  • Anyone who has read the Ars Technica coverage must be wondering: What dark demons drove Aaron Barr to taunt "Anonymous" in such a self-destructive way? Had he simply forgotten that the HBGary servers under his untender care had so many unpatched vulnerabilities? That he had stored unencrypted in the file server his own (meticulously filled out) government vetting form? Which exposes deeply personal information about not only himself but his friends and family? The mind boggles. What in the world was the man thinking?
  • Despite all those vaunted software tools, what impresses me above all in Barr's "research" is the crudity and apparent unreliability of his cyberstalking methods and his so-called "analysis" of Wikileaks and "Anonymous". This is what American taxpayers are funding, to the tune of 50 billion per year, and growing? I know Wikipedians who could have done better in a Sunday afternoon, for free. Do Americans really want to be wasting that kind of money at this moment in their history?
  • Some of the most bizarre material in the leaked documents may be partially explicable by the fact that Barr was deeply involved in the NSA's ReBl (Red Team/Blue Team) exercises. But not the febrile hysteria I hear in his boasts to another HBGary employee, Ted Vera, who seems to have been his particular friend inside the company, about his various cyberstalking projects, most of which directly targeted American citizens.
  • Iranian nuclear technicians frustrated by the alleged success of Stuxnet will no doubt experience a frisson of malicious delight at the astonishing spectacle of an American cyberspook describing his plan to cyberstalk and ultimately subvert key employees of Exelon, which he describes as the largest operator of nuclear power plants in the USA. Apparently Barr's intention was to
    • use Facebook pages to identify acquaintances, friends, and family members of reactor technicians, starting on the periphery and working inward,
    • create numerous fake on-line personas, employing software provided by Berico Technologies to simultaneously operate his sockpuppets without confusing any of his multiple false identities,
    • use social engineering and other criminal techniques to compromise on-line accounts and computers used by his targets,
    • gradually burrow deep into the innermost personal lives of his targets,
    • try to uncover compromising personal information,
    • "sting" the targets with demands to sabotage a reactor,
    • write up his exploits and make a bundle extorting money from Exelon.
    I am reading somewhat between the lines here, but not so very much--- if anyone doubts my interpretation, I encourage you to read the original emails and to make of them what you will! If my interpretation is even halfway correct, I believe that Barr's mad ambition can only be characterized as a government sponsored protection racket.
  • I just keep coming back to this: American proponents of clandestine public/private partnerships in pursuing eternal global total cyberwarfare, such as Aaron Barr, insist that whether we like it or not (and I have the impression he likes it very much indeed, or did until the HBGary servers were breached), everyone in the world who uses a computer or smart phone or whatever is on the front lines of a global cyberwar, even a cybercrusade. And if this isn't really true (yet), these people are evidently determined to MAKE it true, by cyberstalking ordinary persons (including ordinary American citizens) who simply happen to be casual acquaintances, friends, or relations of "persons of interest" such as soldiers posted at Fort Belvoir, reactor technicians employed by Exelon, and of course, anyone who "followed" the Facebook pages put up by "organizations" (disorganizations?) like "Anonymous".
  • I keep coming back to the fact that Barr seems to imply that
    • he or an associate had scraped Facebook for user profiles, almost certainly in violation of US law,
    • he was using LOIC, the very same software tool allegedly employed by "Anonymous" to pursue DDOS attacks on Paypal and Mastercard, to attack servers he thought were being used by "Anonymous", maybe even servers used by opposing spycos.
    If so, this begs the question: with "cyberlaw enforcement" like this, who needs cybercrooks?
  • And I keep coming back to the fact that in recent years I have become increasingly reluctant to share disturbing network insecurity discoveries with national CERTs, because of my sense (amply confirmed by the HBGary documents) that the very same agencies tasked with ENFORCING the law are also BREAKING the law, targeting not just suspected "cybercriminals" but ordinary citizens who are simply in the wrong place at the wrong time, somewhere in cyberspace. Or people who know too much, or fear that they might know too much--- who knows what the amerispooks are capable of? But historical precedents such as Operation Northwood belie the myth that Americans enjoy some magical immunity against the temptations to fanatics of the fascistic impulse to engineer an American Kristallnacht.
  • Do I overstep the bounds of credibility? Maybe so, but I shivered when I read Aaron Barr's "jocose" plaint, in one of his Powerpoint presentations, that he does not (yet) know how to provide "missile coordinates" of his "targets". And let us not forget that in recent years the US has very publicly acted repeatedly on the claimed right and duty to commit extrajudicial executions by aerial drone strike, and collateral damage be damned. Not even American citizens are immunized against such actions, with (so far, perhaps) one exception: assassinations of American citizens inside America's borders are apparently still proscribed by presidential proclamation. Is it really such a stretch to be concerned that American spooks may be no less willing than the Putinites to pursue clandestine political assassination of "dissident elements" inside the territory of the "Western democracies"? Given the expense and uncertainty of the presumed alternative, a criminal trial? (Not an option, I presume, in cases such as the editorials of Glenn Greenwald.) There are further precedents. Some decades ago, the US government apparently connived at political assassinations carried out by Latin American agents inside American cities, all in the name of "combating communism". Did that end really justify the means? What might the surveillance state not justify, in secret deliberations behind the triple fence, in the name of "combating terrorism"?
  • Lest it be said that I offer no constructive suggestion: what about a leak site operated by the Ars Technica journalists which encourages the anonymous submission of apparent "zero day" security vulnerabilities?
  • Question: if the NSA and FBI are working closely with rogue spycos like HBGary, how can any American (much less anyone overseas who shares the goal of protecting confidential information from public exposure) possibly trust these agencies? Whose agents access the same databases, enroll in the same courses, read the same white papers, use the same analytical software, even share the same mailservers with the spyco operatives?
  • And I keep coming back to the entrenched paranoia within the American surveillance state. It seems that just because spyco employees are professionally paranoid does not mean that someone is not out to get them. Someone like "Anonymous"? No, someone like their competitors! The HBGary documents certainly seem to contain some very strong suggestions that HBGary employees were applying their vaunted expertise and supposedly sophisticated software to gathering "intelligence" on the exploits of competing companies such as Mandiant, companies which seem to have been spying in turn on HBGary. An edifying spectacle indeed.
  • And the picture which emerges from the HBGary documents, of a "benevolent" police state run amok, is entirely consistent with dozens of previously leaked documents. I keep coming back to the conclusion that the only possible explanation for such bizarre and dramatically self-injurious behavior on the part of the millions of Americans who work inside the surveillance state, is an unexamined failed ideology. It seems that the "outsourcing" of domestic espionage to companies whose activities appear on close examination to be all but indistinguishable from organized crime groups, can be explained only on the basis of free market capitalism taken to an extreme of perfect absurdity.
  • And what of the alternative? I confess that I have never taken anarchism seriously, and even worse, I have never bothered to wonder why. Until now. Despite having used every opportunity to challenge western cyberspooks to explain their political philosophy (responses received consisted of either blank stares or citations of the English philosophers, devoted monarchists all, who argued AGAINST the American revolution), I have not attempted to ask members of "Anonymous" to explain their own ideology. Perhaps their political philosophy has not yet been written down--- although I note that Daniel Domscheit-Berg has cited Proudhon, an author whom I have resolved to seek out and read. Perhaps I have simply not understood what "Anonymous" means by the term "anarchy"? But whether "Anonymous" acts on the basis of a coherent philosophy or not, one thing seems clear: their opposing numbers inside the American surveillance state lack any coherent philosophy of their own.
  • Aaron Barr is clearly a dangerous man, and I don't wish to needlessly offend him or his colleagues. It seems that one inescapable lesson of this affair is that the spycos pose a clear and present danger to ordinary citizens resident on our little blue marble, and the documents certainly suggest that anyone (such as Salon writer Glenn Greenwald) who dares to criticize the US surveillance state is likely to attract some serious retribution from the spyco operatives. But as an amateur historian, I consider myself familiar with precedents from the 20th century which coupled vast warmaking power with a stunning paucity of political thought. I point at both the Japanese militarists and the Nazi regime.
  • I know this will dangerously offend the embittered secret agents of the failing American war machine, but I really think the parallel needs to be drawn. In 1941, the Japanese cabinet said, in effect, "Roosevelt has put us in a situation where we have no choice but to start a war which our admirals tell us we have little chance of winning." At the same time, they insisted that Japan is a great nation with a divinely authorized destiny. But great nations may be recognized as great by never having only one choice, and above all, by never making choices which are tantamount to national suicide.
  • Now read again Barr's admission, in several of his presentations, that the American cyberspooks fear that they are losing the cyberwar (to China, and it seems, to "Anonymous"). And who started that war? Was it not the Americans themselves who fired the first cybersalvo, during the first Gulf War? What will American leaders not justify, on the basis of keeping the gas pumps flowing? Have they not proven themselves capable of destroying America in order to save it? Is cheap gasoline really worth paying even that price?
  • Maybe Corinne Liddy should stop organizing ReBl conferences, and organize a philosophy conference? Because it seems to me that those 13 US intelligence agencies desperately need to figure out in what, if anything, they truly, deeply believe. And whether they can just possibly identify a better choice than systematic destruction, in the name of "security", of the civil liberties upon which their nation was founded by the greatest generation of Americans, those revolutionary deists who dared to trust, not simply in divine providence, but in the collective wisdom of their people.

dirtydog7655 03-10-2011 01:10 PM

Quote:

Originally Posted by Peufelon (Post 4269065)
Can't help asking: am I really the only one to have noticed that Aaron and Julian share some psychological characteristics? I confess I feel sorry for them both right now...

Another thought which occurred to me as I contemplated the HBGary breach: I am soooo glad I am not a professional sysadmin, because I'd feel so awful about taking money for trying to do a job and failing*, because of course people want to simply have a secure system, period, but that goal appears to be receding ever faster into the realm of utopian fantasy.

[*I mean, even if I knew enough to try to work as a sysadmin, which I know I do not. I was thinking of Aaron Barr's comments that "we (security experts) are losing the fight".]

Another: Aaron Barr was
  • struggling to contribute to a searchable malware catalog (sounds good for everyone everywhere, except that the US apparently didn't intend to share it with the world)
  • trying to help reverse engineer Aurora and stuxnet (good, except that the US apparently had no intention of sharing any countermeasures with the world)
  • trying to use the insights gained to develop his own rootkits (very very bad, reading somewhat into his frequent comments that like it or not, every citizen is involved in the new age of digital warlordism)
As the US economy worsens, doesn't this imply that struggling American security firms will start selling any of their malware which is rejected as substandard by the US government[*] to... Belarus? Libya? Malaysia? The mafia? Where does it end? And how can anyone trust his national CERT, if they are busy creating and unleashing malware?

[*The FBI rejected some HBGary products as--- does this sound familiar?--- all glitz and no actionable information.]

So is there an automatic assumption that I am doing wrong with this knowledge?


All times are GMT -5.