HBGary hacked by Anonymous.
Aaron Barr, the CEO of HBGary Federal, told the Financial Times this weekend that he used clues found online to discover the identities of key Anonymous members. Anonymous reacted to the story and Barr’s claims with a massive attack aimed at the security firm, leveraging local root exploits, shared passwords, and social engineering.
In an interview with the Financial Times, Barr said that by using services such as LinkedIn, Classmates.com, Facebook, as well as IRC itself, he was able to connect the dots and identify several high-level Anonymous members, including “Owen” and “Q”, two people mentioned by their IRC names in the actual news report.
Having spent several months on IRC with people who associate under the banner of Anonymous, The Tech Herald can confirm that Q and Owen are actual names used by people on the AnonOps network. However, they are not the leaders they are made out to be by the Financial Times’ story. Anonymous has no leaders. Even hinting at such a thing on IRC will invoke a long lecture on the topic.
Out of all of the people who participate in the various Anonymous operations, only 30 or so are consistently active. Of that group, only ten “are the most senior and co-ordinate and manage most of the decisions,” Barr explained to the Financial Times.
The Tech Herald has seen Barr’s research. [PDF] While there is plenty of information, several operation names and dates are out of order, and many of the names associated with membership are incorrect. When it comes to the ten “most senior people”, they are actually network administrators.
They work to keep the IRC servers online. Their proper titles include Services Root Administrator, Network Administrator, and Operator. AnonOps is an IRC network, Anonymous is something entirely different. Those who manage the IRC servers might be part of Anonymous, but they are not co-founders or leaders. They are highly active people, but that is what is needed to maintain an IRC network such as theirs.
After the Financial Times story broke, including Barr’s claims of infiltration, Anonymous responded. The response was brutal, resulting in full control over hbgary.com and hbgaryfederal.com. They were also able to compromise HBGary’s network, including full access to all their financials, software products, PBX systems, Malware data, and email, which they released to the public in a 4.71 GB Torrent file.
In a statement emailed to The Tech Herald, Anonymous called Barr’s actions media-whoring, and noted that his claims had amused them.
“Let us teach you a lesson you'll never forget: you don't mess with Anonymous. You especially don't mess with Anonymous simply because you want to jump on a trend for public attention,” the statement directed to HBGary and Barr said.
“You have blindly charged into the Anonymous hive, a hive from which you've tried to steal honey. Did you think the bees would not defend it? Well here we are. You've angered the hive, and now you are being stung. It would appear that security experts are not expertly secured.”
The attack against HBGary is a classic example of leverage. It started with an SQL Injection attack on hbgaryfederal.com. From there, Anonymous discovered and cracked the passwords used on the site.
Once on the server, Anonymous leveraged the $ORIGIN expansion vulnerability to gain root control.
While this was happening, Anonymous gained access to the email password used by Greg Hoglund, the co-founder of HBGary, and part owner of the Federal subsidiary run by Barr. With his account under their control, they sent an email to the admin of rootkit.com asking for the firewall to be opened and Hoglund’s password reset to “changeme123”.
The reason for access, the fake request stated, was due to Hoglund being in Europe and unable to SSH into the rootkit.com server. The move was a classic case of Social Engineering. After some exchanges, root SSH access was granted.
In all, they copied data, wiped the backup servers, and released the Torrent with the company email. This email release is the third time Anonymous has exposed internal communications. Previously, they exposed company emails taken from ACSLaw and Acapor.
HBGary said the company responsible for the flawed code that led to the SQL Injection attack was fired.
[Update: 2011-2-10 - Added new link and corrected minor details related to timeline. -Steve]
On IRC Sunday, as the Torrent with HBGary emails started to spread, HBGary President Penny Leavy, as well as Greg Hoglund and Aaron Barr, spoke to Anonymous.
Early on in the conversation with Anonymous, Leavy remarked that she was aware of Barr’s research on social media and the problems associated with it, including “…the ease of pretending to be one of you…” she told them.
However, Barr was never planning on giving his research to the government, she added. “He was never going to release names, just talk about handles.”
The data and information collected by Barr was to show people at RSA next week how easy it is to say they are someone online without actually being the person. However, the reaction from the Anons in the room was that the research and logic for conducting it at all was extremely flawed.
Most of the anger was directed at Barr’s list of names and their alleged connections to Anonymous operations. Several Anons commented that the list includes fake names, reporters, and others who are in no way connected to any role in Anonymous. Its existence means that it “…could have and might still get innocent people in trouble for no reason at all.”
When asked if she had seen Barr’s research, including the infamous list, Leavy said, “…we have not seen the list and we are kind of pissed at him right now.” She didn’t expand on that comment.
There was a distinction made that HBGary only owns 15-percent of HBGary Federal, and that attacking both was wrong, as one had nothing to do with the other. The networks shared many common elements, that they are only moderately related was irrelevant to Anonymous.
Later, there was talk about making things right. Not really demands, but more of a list of gestures that HBGary could make, such as donations to various causes, like the EFF or Bradley Manning’s defense fund.
In addition, there were several calls for Barr to be burned by HBGary, but given that he is a partner, that is unlikely. At this stage, HBGary’s response is unknown. At the time this article was written, aside from the conversations on IRC, there has been no official comment.
When asked by the Anons in the room about his alleged plans to sell the data collected, Barr denied it with a flat refusal that he was never going to sell it, and that they had it all wrong.
“Ok I am going to say this one more time,” he told the room. “I did this for research. The FBI called me because of my research. The email you are referring to about selling data was about a model built on this type of research. It was not to sell specifically this data.”
“I was going to use it to describe the process of how social media exploitation works... The most data I was going to show was an org chart of IRCs with icons representing those nicks I thought I knew. Social media provides huge vulnerabilities for everyone...nuclear power plants, military installations, and anonymous... this was about research.”
When questioned about the data in his research document, Barr said that the document circulating online was an old copy, adding that there was a new version. When asked to present it, he refused.
Just before he exited the room, after facing the same set of questions for several minutes, Barr made one final comment. “…guys you hacked our servers, took our data, and posted it to the public...it’s criminal now... it’s out of my hands...”
For his part, Greg Hoglund remained neutral, even complementing Anonymous on the hack. His main concern was the release of emails that are not part of the Torrent circulating online. For now, Anonymous says they have no plans to release them.
As this story develops we will report additional updates.
From our Other Sites
This Japanese guy cooks up some pancakesâ€¦nothing special there right? Well he uses tiny implements to do it and makes perfect little pancakes. Kinda cool and they look tasty!
Well this one has been trending all over the web, just what color is this dress? It all started in Scotland when the mother of a bride-to-be sent a picture to her daughter asking what she thought of the dress. The bride and groom each saw the image differently, this then got posted online and picked up by some viral sites. The lighting in photo is probably causing different people to see it as either white and gold or blue and black. Prof Stephen Westland, chair of color science and technology at a University in the UK told the BBC that it was impossible to see what other people see but that it was most [â€¦]
Some great shots of the forthcoming McLaren 675LT. This coupe will get you to 60mph in less than 2.9 second and go all the way to 205mph.
McLarenâ€™s 675LT will debut at this yearâ€™s Geneva show and promises some eye-popping performance. The coupe only 675LT has a 3.8 liter V8 that will get you from 0-60mph in less than 2.9 seconds and to 124mph in less than 7.9 secondsMore than a third of the parts have been changed compared with its stable mate [â€¦]
Some cool McLaren 675LT Wallpaper. The McLaren 675LT is the latest coupe to come from the supercar maker and has a top speed of 205mph.Click on an image to open a page with multiple sizes that you can download to use as wallpaper for your mobile or desktop.More McLaren Wallpaper.
This crab is minding its own business searching the rock pools for food when suddenly an octopus leaps out of the water and grabs it. The amazing thing is that the octopus does not just jump on the crab it actually pulls it all the way back to the rock pool it came from. If you check the second video you will see it is not unknown for octopus to come out of the water and the one in the second video has a crab with it, though is not hunting one! Octopus Walks on Land at Fitzgerald Marine Reserve The video was taken by Porsche Indrisie in Yallingup, Western [â€¦]
This image by the Curiosity Mars rover is not exactly your typical selfie. It is made up of a bunch of images taken by the rover during January 2015 by the Mars Hand Lens Imager. This (MAHLI) camera is at the end of the robotâ€™s arm. For a sense of scale the roverâ€™s wheels are about 20 inches diameter and 16 inches wide. Check the annotated image below for more information on the surroundings. Also if you really want to see some detail click this very large image, 36mb, at NASA.
This cool video from NASA shows how dust is transferred across the Atlantic to the Amazon rainforest and helps nourish the plants growing there. For the first time scientists have measured the amount of dust and the amount of phosphorus in the dust. The later acts like a fertiliser and helps replenish the phosphorus the rainforest loses each year, around 22,000 tons. Amazing how something we perceive as being desolate like a desert actually has an important role in sustaining somewhere we see as teeming with life. Image and video from NASAâ€™s Goddard Space Flight Center.
This amazing video shows a laser guided bomb bouncing back up after hitting its target. We actually think this is a non-explosive bomb designed to test guidance systems but it is still pretty remarkable and somewhat scary.
This amazing footage taken from the CCTV on a passing bus shows the moment two pedestrians in South Korea fall down a sinkhole in the street! Rescue workers managed to save the pair, who were treated in a nearby hospital for minor injuries. According to reports the city authorities and the Korean Geotechnical Society are looking into the cause.