Home / Uncategorized / How a cyber-security firm got hacked

How a cyber-security firm got hacked

This is just amazing and something that almost slipped under my radar somehow.

Earlier this year, we were all waiting with bated breath for the leak of secret Bank of America emails via Wikileaks.

It was going to be explosive stuff, but ended up being a damp squib and was sent out via a member of the subversive group Anonymous instead, under the twitter name @OperationLeaks.

Or so many have reported, even though this does not appear to be the case and Julian Assange, Wikileaks founder, still holds the cards.

But who and what is Anonymous?

No-one knows … that’s why they’re anonymous! … but what is known is that it’s a loose affiliation of activists who believe in free internet speech.

And this is the bit that gets really interesting, and is the bit I missed.

Anonymous were the ones who tried to take down PayPal, MasterCard and Visa when these firms closed Wikileaks and Julain Assange’s accounts at the end of last year.

They have also targeted many other firms over the past year or os.

Their attacks are described as basic and crude, and just involve Distributed Denial of Service (DDoS) attacks that any newbie to the net could learn, even an old dog like me!

In a brilliant article by Michael Riley and Brad Stone in this month’s Bloomberg Business Week, there is a really wonderful write-up of all that has happened since then, and how Anonymous work.

I would cut and paste the whole article – but you can read it – so for those who don’t have time, here’s the cut to the chase version.

Basically, HBGary is a cybersecurity firm in the USA founded in 2004. In 2010, they created a special Federal division for government work, headed by Aaron Barr, a form navy cryptologist.

The Division wasn’t working out but had one deal with Palantir Technologies that they were bidding into the US Chamber of Commerce via lawfirm Hunton & Williams.

HBGary Federal were bidding for the business in partnership with Berico Technologies.

So here’s the low-down:

“In a bit of cloak-and-dagger grandiosity, the firms dubbed their collaboration Team Themis, after a titan of Greek mythology who embodied natural law. (Forsaking Themis brings on Nemesis.) Team Themis proposed to electronically infiltrate grass-roots organizations opposed to the U.S. Chamber of Commerce, the powerful Washington lobbying organization. In a separate and even more legally dubious proposal intended for Bank of America, the group laid out a plan to infiltrate WikiLeaks and intimidate its supporters.

“In a 12-page PDF (wanna read it then click here – slow download) sent to Hunton & Williams, the Washington law firm representing the U.S. Chamber, Team Themis suggested creating dummy documents and online personae, and scouring social networks such as Facebook for intelligence on their prospective client's most vocal critics. In the proposal for Bank of America, the security firms suggested hacking WikiLeaks itself to expose its sources …

“Hunton & Williams clearly saw potential in Team Themis. On Dec. 2, in a message with the subject line ‘Urgent: Opportunity’, a partner at the firm asked the group to come up with a new plan, this time to combat WikiLeaks on behalf of a different prospective client—Bank of America, which believed WikiLeaks was about to publish a cache of its documents …

“As with the Chamber of Commerce scheme, the WikiLeaks proposal never got a final hearing. While HBGary Federal and the other security firms awaited a formal go-ahead from Hunton & Williams and its clients, Barr decided to deploy his new research techniques on Anonymous.

“Anonymous has had a busy winter. The group, which appears to be less a formal organization than a loose coalition of tech-savvy radicals, attacked government websites in Egypt and Tunisia. It launched denial-of-service attacks on Amazon.com, PayPal, MasterCard, and Visa, after those companies declined to do business with WikiLeaks. Barrett Brown, an unofficial spokesman for the group, says its goal is ‘a perpetual revolution across the world that goes on until governments are basically overwhelmed and results in a freer system.’

“Barr had come to believe that companies would have to defend themselves against this anarchic sensibility using the same tactics as the mischief makers. He also believed he had the skills and experience to join the battle. His principal weapon was a method he developed to associate the real identities found in social networks such as Facebook and LinkedIn with the anonymous profiles of hackers. So while Hunton & Williams weighed Team Themis's proposals, and with the ultimate fate of HBGary Federal hanging in the balance, Barr figured the time was right to demonstrate how social networks could yield an intelligence bonanza …

“The exposed HBGary e-mails would later reveal that Barr's own employees thought he was overreaching and that they feared retribution from the vengeful Anonymous. But Barr plunged ahead. He proposed a talk at the RSA conference in San Francisco titled ‘Who Needs NSA when we have Social Media?’ Then he promoted the talk by suggesting he would expose the identities of the primary members of the group.

“On Feb. 4, a Friday, Barr bragged to the Financial Times about his upcoming talk and claimed he had obtained the identities of the group's de facto leaders. Bad idea. As Stephen Colbert summed it up, lampooning the HBGary affair on his TV show, ‘Anonymous is a hornet's nest. And Barr said, “I'm gonna stick my penis in that thing”’ …

“Responding to Barr's public claims, the Anonymous hackers exploited a vulnerability in the software that ran HBGary Federal's website, obtained an encrypted list of the company's user names and passwords, and decoded them. Barr and some of his colleagues, Anonymous then discovered, had committed computer security's biggest sin: They used the same password on multiple accounts. The hackers commandeered Barr's Twitter and LinkedIn accounts, lacing both with obscenities. One of the passwords also opened the company's corporate Google account. Jackpot. In less than 48 hours after Barr's Financial Times interview appeared, the hackers had the keys to the kingdom.

“They immediately started downloading HBGary's e-mails. All told, Anonymous got hold of 60,000-plus—about 4.7 gigabytes worth, including attachments—and quickly put them all online in conveniently searchable form. The material details online security holes at HBGary clients and prospects such as Sony, Johnson & Johnson, Disney, ConocoPhillips, and dozens of others. The e-mails showed that DuPont was breached in 2009 (by the same hackers who hit Google) and again in late 2010. DuPont employees on a business trip to China even found that their laptops had been implanted with spyware while the hardware was supposedly locked inside a hotel safe.”

You can see the whole leaked documentation of cybersecurity, anit-hacker firm HBGary at http://hbgary.anonleaks.ch/

 

About Chris M Skinner

Chris M Skinner
Chris Skinner is best known as an independent commentator on the financial markets through his blog, the Finanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal’s Financial News. To learn more click here...

Check Also

track-work-at-embankment-station

Renewing core systems is like renovating the subways

Someone recently equated banks and their systems and structures, to the underground in London.  It’s …

2 comments

  1. SIA Training Birmingham

    Great post! Its becoming more common for companies to get cyber hacked but its worse when its a cyber-security firm who are the victims. Shouldn’t they be prepared against this sort of attack?

  2. Hey, great post. i remember how big of a deal that hack was. did they even found a hacker who did this? Also, it is funny how cyber security program like that gets hacked. I guess no one is protected for those guys.

Click on a tab to select how you'd like to leave your comment

Leave a Reply

Your email address will not be published. Required fields are marked *