RSAC 2011: Inside the talk that started a war with Anonymous

Last weekend, Aaron Barr, the CEO of HBGary Federal, gave an interview to the Financial Times that eventually led to a war with Anonymous. The interview centered on a talk he was giving during the B-Sides security conference this week. He has since canceled his talk, but here is a breakdown of what he was expected to discuss.

Details of the HBGary and HBGary Federal attacks by Anonymous are here.

A war started:

“I have been researching the Anonymous group over the last few weeks in preparation for a social media talk I will be giving at the B-Sides conference in San Francisco on Feb. 14th. My focus is to show the power of social media analytics to derive intelligence and for potential exploitation,” an email from Barr, dated January 29 and viewed by The Tech Herald reads.

“In the talk I will be focusing how effective it is to penetrate three organizations, one military (INSCOM), one Critical Infrastructure (Nuclear PowerPlant in PA), and the Anonymous Group.”

Additionally, Barr said in the email that he was surprised at the level of success he was having on the Anonymous group.

“I am able to tie IRC Alias to Facebook account to real people. I have laid out the organizations communications and operational structure. Determined the leadership of the organization…I have to believe this data would be valuable to someone in government, and if so I would like to get this data in front of those that are interested prior to my talk.”

Barr’s claims to the press that he had discovered the identities of key members in Anonymous were the spark; the notion that he would sell or give this information to the government was the fuel that led Anonymous to explode and respond. Part of their response was to leak HBGary’s internal communications to the public.

Barr knew that such claims would make HBGary and HBGary Federal targets; he said so in a January 22 email to the other senior executives. The problem was that HBGary expected Anonymous to respond with the normal Denial of Service attack.

HBGary CEO, Greg Hoglund, asked, “I don't really want to get DDOS'd, so assuming we do get DDOS'd then what? How do we make lemonade from that?”

As it turns out, it was so much more. Anonymous responded by leaking emails, taking down both HBGary and HBGary Federal domains, hijacking Twitter and LinkedIn accounts maintained by company officials, and they compromised a separate domain co-founded by Hoglund,

So what was this information on Anonymous? Was it legitimate? Barr maintains that it was, but Anonymous disagreed and released it to the public. You can view the Anonymous PDF report created by Barr here.

If the information researched by Barr on Anonymous is incorrect, what about his actual presentation? Was that flawed as well? As mentioned, he pulled his talk at B-Sides, so no one will know for sure.

However, we can get some clue as to how the talk might have developed by examining the emails released by Anonymous.

As a side note for those who don’t know, B-Sides is a conference within a conference. If you are heading to RSA Conference (RSAC) 2011 this week, B-Sides will be held on Monday and Tuesday. If you can make it, the talks presented are highly interesting. The informal atmosphere of B-Sides makes it a great place to learn from and network with security experts.

More information on Barr’s talk starts on page two.

A talk developed:

Barr has been working on social media research since 2010. A PowerPoint presentation created in August of that year focuses on “Social Media: Targeting, Reconnaissance, and Exploitation”. On January 13 of this year, a second social media presentation was created titled, “Social Media: A New Age in Information Exploitation”.

These presentations, as well as one other, borrow heavily from each other. In some cases, Barr uses the same slides and data. He pitched these presentations to various government and private sector organizations, with the hope of drumming up business for his side of the HBGary partnership.

Based on emails viewed by The Tech Herald, the FBI, the Office of the Secretary of Defense, and the Office of the Director of National Intelligence, all were told of the data collected by Barr for his presentation. Meetings and conversations were planned, a few of them were held, but there is nothing in the leaked data that suggests that Barr was able to make actual sales.

Five days after the January draft was created, Barr’s talk at B-Sides, “Who needs the NSA when we have Social Media” was accepted by the conference. So it is from this final social media presentation that we’ll piece together his talk.

A talk defined:

Barr’s social media slides start with some figures. They are designed to show how the various social platforms have changed over the years, and just how connected we all are. For example, the presentation makes note that 150 networks control 50-percent of all Internet traffic. Of those, thirty companies control 30-percent of the Web’s traffic, including 7-percent to Facebook and 6-percent to Google.

“Social Media is the single most effective resource when developing targeted attacks,” one slide explaining the vulnerabilities of social media explains. “[There is] little no capability to monitor and protect against in service content and the aggregation [Personally Identifiable Information].”

The slides go on to talk about Link Analysis, an HBGary Federal tool, that helps connect the dots on social media. Presumably, Barr used this tool and others to perform a good deal of his research.

Social media services such as LinkedIn, Facebook, MySpace, and Twitter can be leveraged for business intelligence and targeted information gathering. However, there is a risk this information is false or misleading, so it appears that HBGary Federal’s Link Analysis tool is designed to help filter the signal to noise ratio.

The fact that social media profiles and public details contain potentially false information is part of what Barr was planning to talk about. His presentation appears to center on two points.

One is that information is too easily available thanks to the social media explosion, and that it is entirely possible to create fake social media personas and gather information. Once the information is gathered, it can be leveraged against a person or business in a number of ways, including Malware attacks.

The Tech Herald has included some of the slides we viewed for this report below. Please note that we have redacted what we felt was private information. While some of the social profiles redacted may have been false, we were unable to determine which ones were fake, so we redacted all of them.

Overall, the talk itself takes information in the public domain and shows how it can pose significant risk. The problem is that this is research many security experts, including the government agencies pitched on the data, are well aware of. There is nothing earth shattering.

Yet, the methods used to collect the examples in this report are the same ones used to collect information on alleged members of Anonymous, which brought the loosely associative group down on Barr and HBGary in a way they never imagined.

Not everyone agreed:

While discussing his research methods, Barr had an exchange with another developer in HBGary who disagreed with his conclusions, not only on Anonymous, but on how he was making social media interactions link people.

Barr wanted to check a person’s friends list against the people that have liked or joined a particular group on Facebook, assuming that doing so would, “give me information on how tightly connected that person is to that group or page...”

The developer responded with, “No it won't.”

“It will tell you how mindless their friends are at clicking stupid shit that comes up on a friend’s page, especially when they first join Facebook.”

Later the developer asked Barr if he honestly thought, “some hacker is going to have all his hacker buddies as friends on Facebook”.

“Even if they did,” the developer explained, “they would more than likely have no geographical significant data to tie them together. I'll keep building, because really; you have to sell it, but I just don't see the math working out.”

Essentially, the analysis done by Barr, when used as an investigation tool, assumes guilt by association. This is something that the developer and Barr went back and forth on during the entire project

“I'm not doubting that you're doing analysis,” the developer wrote to Barr, “I'm doubting that statistically, that analysis has any mathematical weight to back it. I put it at less than .1% chance that it's right. You're still working off of the idea that the data is accurate…Your probability based on frequency right now is a gut feeling. Gut feelings are usually wrong.”

In the end, Barr was preparing a statement on his research and Anonymous in general. As it turns out, it was the final bit of work done to prepare for his B-Sides talk. The statement was partly used as the basis of the story in the Financial Times that triggered the war with Anonymous. We’ve included the entire statement, as Barr originally wrote it, on page four.

His research has plenty of interesting aspects, but seems to have several flaws as well. He is right when he says social media can be used to target and exploit people and organizations, but wrong when he assumes the spider web links between people are proof positive of anything criminal or malicious.

However, the final part of his presentation contains tips that are valuable to anyone who maintains a social media presence online. They're worth a look and consideration when implementing a social media policy.

A statement by Aaron Barr, the CEO HBGary Federal

“My job as a security professional and as the CEO of a security services company is to understand the current and future threats that face individuals, organizations, and nations. I believe that social media is our next great vulnerability and I have attempted to get that message heard. When considering my research topic for the B-Sides security conference this month I selected subjects that would clearly demonstrate that message, and I chose three case studies - a critical infrastructure facility, a military installation, and the Anonymous group.

“I want to emphasize I did not choose the Anonymous group out of any malice of intent or aggression, nor as any part of ongoing law enforcement activities. I chose the Anonymous group specifically because they posed a significant challenge as a technically savvy, security conscious group of individuals that strongly desired to remain anonymous; a challenge that if I could meet would surely prove my point that social media creates significant vulnerabilities that are littler understood and difficult to manage.

“It is important to remember I had two other targets and was equally as successful at gaining entry and gathering information in those use cases as I was with Anonymous. I also want to be clear that my research was not limited to only monitoring their IRC channel conversations and developing an organizational chart based on those conversations - that would have taken little effort.

“What I did using some custom developed collection and analytic tools and our developed social media analysis methodology was tie those IRC nicknames to real names and addresses and develop an clearly defined hierarchy within the group. Of the apparent 30 or so administrators and operators that manage the Anonymous group on a day to day basis I have identified to a real name over 80% of them.

“I have identified significantly more regular members but did not focus on them for the purpose of my research. I obtained similar results in all three cases and do not plan on releasing any specific personnel data, but focus on the methodology and high level results. Again I want to emphasize the targets were not chosen with malice of intent or political motivation, it was research to illustrate social media is a significant problem that should worry everyone.

“If I can identify the real names of over 80% of the senior leadership of a semi-clandestine group of very capable hackers and technologists that try very hard to protect their identifies, what does that mean for everyone one else? So to be clear I have no intentions of releasing the actual names of the leadership of the organization at this point. I hope that the Anonymous group will understand my intentions and realize the importance of getting this message our rather and decide to make this personal [sic].”

Like this article? Please share on Facebook and give The Tech Herald a Like too!