RSAC 2011: Inside the talk that started a war with Anonymous


Last weekend, Aaron Barr, the CEO of HBGary Federal, gave an interview to the Financial Times that eventually led to a war with Anonymous. The interview centered on a talk he was giving during the B-Sides security conference this week. He has since canceled his talk, but here is a breakdown of what he was expected to discuss.

Details of the HBGary and HBGary Federal attacks by Anonymous are here.

A war started:

“I have been researching the Anonymous group over the last few weeks in preparation for a social media talk I will be giving at the B-Sides conference in San Francisco on Feb. 14th. My focus is to show the power of social media analytics to derive intelligence and for potential exploitation,” an email from Barr, dated January 29 and viewed by The Tech Herald reads.

“In the talk I will be focusing how effective it is to penetrate three organizations, one military (INSCOM), one Critical Infrastructure (Nuclear PowerPlant in PA), and the Anonymous Group.”

Additionally, Barr said in the email that he was surprised at the level of success he was having on the Anonymous group.

“I am able to tie IRC Alias to Facebook account to real people. I have laid out the organizations communications and operational structure. Determined the leadership of the organization…I have to believe this data would be valuable to someone in government, and if so I would like to get this data in front of those that are interested prior to my talk.”

Barr’s claims to the press that he had discovered the identities of key members in Anonymous were the spark; the notion that he would sell or give this information to the government was the fuel that led Anonymous to explode and respond. Part of their response was to leak HBGary’s internal communications to the public.

Barr knew that such claims would make HBGary and HBGary Federal targets; he said so in a January 22 email to the other senior executives. The problem was that HBGary expected Anonymous to respond with the normal Denial of Service attack.

HBGary CEO, Greg Hoglund, asked, “I don't really want to get DDOS'd, so assuming we do get DDOS'd then what? How do we make lemonade from that?”

As it turns out, it was so much more. Anonymous responded by leaking emails, taking down both HBGary and HBGary Federal domains, hijacking Twitter and LinkedIn accounts maintained by company officials, and they compromised a separate domain co-founded by Hoglund,

So what was this information on Anonymous? Was it legitimate? Barr maintains that it was, but Anonymous disagreed and released it to the public. You can view the Anonymous PDF report created by Barr here.

If the information researched by Barr on Anonymous is incorrect, what about his actual presentation? Was that flawed as well? As mentioned, he pulled his talk at B-Sides, so no one will know for sure.

However, we can get some clue as to how the talk might have developed by examining the emails released by Anonymous.

As a side note for those who don’t know, B-Sides is a conference within a conference. If you are heading to RSA Conference (RSAC) 2011 this week, B-Sides will be held on Monday and Tuesday. If you can make it, the talks presented are highly interesting. The informal atmosphere of B-Sides makes it a great place to learn from and network with security experts.


A talk developed:

Barr has been working on social media research since 2010. A PowerPoint presentation created in August of that year focuses on “Social Media: Targeting, Reconnaissance, and Exploitation”. On January 13 of this year, a second social media presentation was created titled, “Social Media: A New Age in Information Exploitation”.

These presentations, as well as one other, borrow heavily from each other. In some cases, Barr uses the same slides and data. He pitched these presentations to various government and private sector organizations, with the hope of drumming up business for his side of the HBGary partnership.

Based on emails viewed by The Tech Herald, the FBI, the Office of the Secretary of Defense, and the Office of the Director of National Intelligence were all told of the data collected by Barr for his presentation. Meetings and conversations were planned, and a few of them were held, but nothing in the leaked data suggests that Barr was able to make actual sales.

Five days after the January draft was created, Barr’s talk at B-Sides, “Who needs the NSA when we have Social Media”, was accepted by the conference. So it is from this final social media presentation that we’ll piece together his talk.

A talk defined:

Barr’s social media slides start with some figures. They are designed to show how the various social platforms have changed over the years, and just how connected we all are. For example, the presentation notes that 150 networks control 50 percent of all Internet traffic. Of those, thirty companies control 30 percent of the Web’s traffic, including 7 percent to Facebook and 6 percent to Google.

“Social Media is the single most effective resource when developing targeted attacks,” one slide on the vulnerabilities of social media explains. “[There is] little no capability to monitor and protect against in service content and the aggregation [Personally Identifiable Information].”

The slides go on to talk about Link Analysis, an HBGary Federal tool that helps connect the dots on social media. Presumably, Barr used this tool and others to perform a good deal of his research.

Social media services such as LinkedIn, Facebook, MySpace, and Twitter can be leveraged for business intelligence and targeted information gathering. However, there is a risk that this information is false or misleading, so it appears that HBGary Federal’s Link Analysis tool is designed to help separate the signal from the noise.

The fact that social media profiles and public details contain potentially false information is part of what Barr was planning to talk about. His presentation appears to center on two points.

One is that information is too easily available thanks to the social media explosion; the other is that it is entirely possible to create fake social media personas and gather information. Once the information is gathered, it can be leveraged against a person or business in a number of ways, including malware attacks.

The Tech Herald has included some of the slides we viewed for this report below. Please note that we have redacted what we felt was private information. While some of the social profiles redacted may have been false, we were unable to determine which ones were fake, so we redacted all of them.

Overall, the talk itself takes information in the public domain and shows how it can pose significant risk. The problem is that this is research many security experts, including the government agencies pitched on the data, are well aware of. There is nothing earth-shattering.

Yet, the methods used to collect the examples in this report are the same ones used to collect information on alleged members of Anonymous, which brought the loosely associated group down on Barr and HBGary in a way they never imagined.

Not everyone agreed:

While discussing his research methods, Barr had an exchange with another developer in HBGary who disagreed with his conclusions, not only on Anonymous, but on how he was making social media interactions link people.

Barr wanted to check a person’s friends list against the people that have liked or joined a particular group on Facebook, assuming that doing so would, “give me information on how tightly connected that person is to that group or page...”

The developer responded with, “No it won't.”

“It will tell you how mindless their friends are at clicking stupid shit that comes up on a friend’s page, especially when they first join Facebook.”

Later the developer asked Barr if he honestly thought, “some hacker is going to have all his hacker buddies as friends on Facebook”.

“Even if they did,” the developer explained, “they would more than likely have no geographical significant data to tie them together. I'll keep building, because really; you have to sell it, but I just don't see the math working out.”

Essentially, the analysis done by Barr, when used as an investigation tool, assumes guilt by association. This is something that the developer and Barr went back and forth on during the entire project.

“I'm not doubting that you're doing analysis,” the developer wrote to Barr, “I'm doubting that statistically, that analysis has any mathematical weight to back it. I put it at less than .1% chance that it's right. You're still working off of the idea that the data is accurate…Your probability based on frequency right now is a gut feeling. Gut feelings are usually wrong.”

In the end, Barr was preparing a statement on his research and Anonymous in general. As it turns out, it was the final bit of work done to prepare for his B-Sides talk. The statement was partly used as the basis of the story in the Financial Times that triggered the war with Anonymous. We’ve included the entire statement, as Barr originally wrote it, below.

His research has plenty of interesting aspects, but seems to have several flaws as well. He is right when he says social media can be used to target and exploit people and organizations, but wrong when he assumes the spider web links between people are proof positive of anything criminal or malicious.

However, the final part of his presentation contains tips that are valuable to anyone who maintains a social media presence online. They're worth a look and consideration when implementing a social media policy.

A statement by Aaron Barr, the CEO of HBGary Federal

“My job as a security professional and as the CEO of a security services company is to understand the current and future threats that face individuals, organizations, and nations. I believe that social media is our next great vulnerability and I have attempted to get that message heard. When considering my research topic for the B-Sides security conference this month I selected subjects that would clearly demonstrate that message, and I chose three case studies - a critical infrastructure facility, a military installation, and the Anonymous group.

“I want to emphasize I did not choose the Anonymous group out of any malice of intent or aggression, nor as any part of ongoing law enforcement activities. I chose the Anonymous group specifically because they posed a significant challenge as a technically savvy, security conscious group of individuals that strongly desired to remain anonymous; a challenge that if I could meet would surely prove my point that social media creates significant vulnerabilities that are littler understood and difficult to manage.

“It is important to remember I had two other targets and was equally as successful at gaining entry and gathering information in those use cases as I was with Anonymous. I also want to be clear that my research was not limited to only monitoring their IRC channel conversations and developing an organizational chart based on those conversations - that would have taken little effort.

“What I did using some custom developed collection and analytic tools and our developed social media analysis methodology was tie those IRC nicknames to real names and addresses and develop an clearly defined hierarchy within the group. Of the apparent 30 or so administrators and operators that manage the Anonymous group on a day to day basis I have identified to a real name over 80% of them.

“I have identified significantly more regular members but did not focus on them for the purpose of my research. I obtained similar results in all three cases and do not plan on releasing any specific personnel data, but focus on the methodology and high level results. Again I want to emphasize the targets were not chosen with malice of intent or political motivation, it was research to illustrate social media is a significant problem that should worry everyone.

“If I can identify the real names of over 80% of the senior leadership of a semi-clandestine group of very capable hackers and technologists that try very hard to protect their identifies, what does that mean for everyone one else? So to be clear I have no intentions of releasing the actual names of the leadership of the organization at this point. I hope that the Anonymous group will understand my intentions and realize the importance of getting this message our rather and decide to make this personal [sic].”
