In this Diary:
HBGary Federal hacked and exposed by Anonymous by Chester Wisniewski (2/7/11)
HBGary Federal had been working on unmasking their identities in cooperation with an FBI investigation into the attacks against companies who were cutting off WikiLeaks access and financing.
Unlike the DDoS attacks for which Anonymous has made headlines in recent months, this incident involved true hacking skills. Anonymous compromised the HBGary website and replaced it with an image explaining their motivation. In addition to the defacement, they downloaded over 60,000 emails from the company and posted them on The Pirate Bay.
Data intelligence firms proposed a systematic attack against WikiLeaks By Steve Ragan (2/9/11)
Some of the things mentioned as potential proactive tactics include feeding the fuel between the feuding groups, disinformation, creating messages around actions to sabotage or discredit the opposing organization, and submitting fake documents to WikiLeaks and then calling out the error.
“Create concern over the security of the infrastructure. Create exposure stories. If the process is believed to not be secure they are done. Cyber attacks against the infrastructure to get data on document submitters. This would kill the project. Since the servers are now in Sweden and France putting a team together to get access is more straightforward.”
According to one document prepared by Team Themis, the campaign included an entrapment project. The proposal called for first creating a “false document, perhaps highlighting periodical financial information,” to give to a progressive group opposing the Chamber, and then to subsequently expose the document as a fake to undermine the credibility of the Chamber’s opponents. In addition, the group proposed creating a “fake insider persona” to “generate communications” with Change to Win. View a screenshot below:
The security firms hoped to obtain $200,000 for initial background research, then charge up to $2 million for a larger disinformation campaign against progressives. We don’t know if the proposal was accepted after Phase 1 was completed.
The e-mails ThinkProgress acquired are available widely on the web. They were posted by members of “Anonymous,” the hactivist community responsible for taking down websites for oppressive regimes in Tunisia, Egypt, and American corporations that have censored WikiLeaks.
ChamberLeaks Timeline by Brad Johnson (2/16/11)
The HBGary Scandal: Using Counterterrorism Tactics on Citizen Activism by Marcy Wheeler (2/14/11)
I will get into what we know of Barr’s past intelligence work in future posts, but for the moment I wanted to look just at his reference to analysis he did on FARC. Barr’s HBGary coder, who sounds like the smartest cookie of the bunch was balking at his analysis of Anonymous for several reasons–some of them ethical, some of them cautionary, and some of them technical. In the middle of an argument over whether what Barr was doing had any technical validity (the coder said it did not), Barr explained.The math is already working out. Based on analysis I did on the FARC I was able to determine that Tanja (the dutch girl that converted to the FARC is likely managing a host of propoganda profiles for top leaders. I was able to associate key supporters technically to the FARC propoganda effort.
He’s referring to Tanja Anamary Nijmeijer, a Dutch woman who has been an active FARC member for a number of years. And while it’s not proof that Barr did his analysis on Nijmeijer for the government, she was indicted in the kidnapping of some American contractors last December and the primary overt act the indictment alleged her to have committed was in a propaganda function.On or about July 25, 2003, JOSE IGNACIO GONZALEZ PERDOMO, LUIS ALBERTO JIMENEZ MARTINEZ, and TANJA ANAMARY NIJMEIJER, and other conspirators, participated in making a proof of life video of the three American hostages. On the video, the FARC announced that the “three North American prisoners” will only be released by the FARC once the Colombian government agrees to release all FARC guerrillas in Colombian jails in a “prisoner exchange” to take place “in a large demilitarized area.” The proof of life video was then disseminated to media outlets in the United States.
In any case, Barr is referring to an ongoing investigation conducted by the Miami and Counterterrorism Section of DOJ, with assistance from the DNI.
Scott Horton Interviews Marcy Wheeler (2/15/11)
The HBGary Federal Scandal by Ryan Chittum (2/14/11)
The day after the Tech Herald scoop, ThinkProgress reported that the same group of firms had also pitched Hunton & Williams on attacking unions and other opponents of the U.S. Chamber of Commerce with similar dirty tricks. These included what might be called a, ahem, Dan Rather/Mary Mapes-inspired screw job:“false document, perhaps highlighting periodical financial information… Afterward, present explicit evidence proving that such transactions never occurred. Also, create a fake insider persona and generate communications with (Change to Win labor coalition). Afterward, release the actual documents at a specified time and explain the activity as a CtW contrived operation. Both instances will prove that US Chamber Watch cannot be trusted with information and or tell the truth.
The leaked campaign to attack WikiLeaks and its supporters by Glenn Greenwald (2/11/11)
One section of the leaked report focused on attacking WikiLeaks' supporters and it featured a discussion of me. A graph purporting to be an "organizational chart" identified several other targets, including former New York Times reporter Jennifer 8 Lee, Guardian reporter James Ball, and Manning supporter David House. The report claimed I was "critical" to WikiLeaks' public support after its website was removed by Amazon and that "it is this level of support that needs to be disrupted"; absurdly speculated that "without the support of people like Glenn, WikiLeaks would fold"; and darkly suggested that "these are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause." As The Tech Herald noted, "earlier drafts of the proposal and an email from Aaron Barr used the word 'attacked' over 'disrupted' when discussing the level of support."
Themis Applies JSOC Techniques to Citizens “Extorting” from Corporate Clients by Marcy Wheeler (2/16/11)
This particular installment comes from an early presentation and accompanying proposal Themis prepared for Hunton & Williams. These documents were attached to an email dated November 2, 2010 sent out by Berico Technologies’ Deputy Director. He explains that the presentation and proposal would be briefed to H&W the following day.
The Powerpoint includes a slide describing the purpose of Themis’ pitch to H&W.
Purpose: Develop a corporate information reconnaissance service to aid legal investigations through the open source collection of information on target groups and individuals that appear organized to extort specific concessions through online slander campaigns.
Now, this is in the period when H&W was only beginning to discuss the Chamber of Commerce project with Themis, long before the BoA pitch. That is, this is the period when they were discussing generalized opposition to Chamber of Commerce.
And of that they got “extortion”? “slander”?
Late Updates on the U.S. Chamber of Commerce Plot to Target, Discredit, Defraud Political Enemies by Brad Friedman (2/14/11)
The Chamber Knew: I also noted the utter failure and complete absurdity of the U.S. Chamber's two, laughable non-denial denials (here and here) issued in the wake of this mess, claiming it was they who were the victims of "baseless attacks" and "smears", when in reality, they had simply no idea what those dastardly folks at Team Themis were up to! I noted the HBGary emails published by Anonymous showed that, in fact, the Chamber certainly knew what was going on, and how it was ridiculous on its face to presume their own law firm was acting without their direction. Today, Scott Keyes at ThinkProgress highlights a number of those emails demonstrating that the Chamber was in the loop throughout as their law firm H&W and Team Themis honed their conspiracies to defraud and defame.
From the ChamberPot: Number Two by Marcy Wheeler (2/12/11)
But their more interesting tack in this re-nondenial-denial is in how they characterize HBGary (and Palantir and Berico’s) plot to spy on Chamber’s enemies. As with their last nondenial denial, they emphasize the proposal written on October 29 for Hunton & Williams rather than discussing the plot itself.HBGary’s proposal, which has been written about by ThinkProgress, was not requested by the Chamber, it was not delivered to the Chamber, and it was never discussed with anyone at the Chamber.
Emails show the discussions with the Chamber itself happened weeks after this proposal.
Finally, like Palantir and Berico did in their apologies, the Chamber blamed it all on HBGary.The leaked e-mails appear to show that HBGary was willing to propose questionable actions in an attempt to drum up business, but the Chamber was not aware of these proposals until HBGary’s e-mails leaked.
Note how vague this is? Note how it portrays the spying HBGary (and others) planned as “willing to propose,” rather than, as the emails show, “did propose?”
Despite Denials, New Emails Suggest US Chamber Was Aware Of Private Security Firms’ Espionage Work by Scott Keyes (2/14/11)
As ThinkProgress laid out last week, the lobbying law firm Hunton & Williams (H&W) served as the go-between for the Chamber and three private security firms — HBGary, Palantir, and Berico Technologies — who were collectively known as “Team Themis.” Emails indicate that three top lawyers at Hunton & Williams — John Woods, Bob Quackenboss, and Richard Wyatt — met on multiple occasions with the Chamber in order to brief them on Team Themis’s proposals.
First, emails clearly indicate that the “client” whom Team Themis was assisting was indeed the U.S. Chamber of Commerce:– December 13: Pat Ryan of Berico Technologies emailed John Woods that the team was excited “to provide the client with a powerful, innovative solution” and were “still working through the details of our Phase I research/analysis support for the Chamber.”
– January 9: Pat Ryan emailed his Team Themis colleagues that he had received a message from H&W lawyer Bob Quackenboss’s secretary “requesting a conference call on Mon at 10am to discuss the way ahead for the Chamber effort.”
Despite the Chamber’s insistence that they were “not aware” of HBGary’s proposals, a November 16 email between Aaron Barr of HBGary and Berico Technologies indicated that members of Team Themis had been communicating about the “sensitive” Chamber project:
Hunton & Williams Left Fingerprints at SEIU by Marcy Wheeler (2/17/11)
Hunton & Williams, the law firm that solicited HBGary and two other security firms to spy on Chamber of Commerce opponents, has remained silent so far about its efforts.
But it hasn’t covered its tracks. The SEIU reports that people from Hunton & Williams spent 20 hours last November–at the time when Themis was pitching H&W to use a JSOC approach to go after Chamber opponents–on the SEIU sites.
More facts emerge about the leaked smear campaigns by Glenn Greenwald (2/15/11)
So apparently, if Palantir's new version is to be believed, a 26-year-old engineer went off on his own and -- without any supervision or direction -- participated in the development of odious smear campaigns intended for two of the nation's deepest-pocket organizations (Bank of America and the Chamber), potential clients which the emails repeatedly emphasize would be very lucrative. I'll leave it to others to decide how credible that version is, but I will note that several facts undermine it:
First, another Palantir employee besides Steckman-- Eli Bingham -- was one of the recipients of Barr's original email proposing this smear campaign. Second, this proposal was being developed immediately before (and for consideration at) a conference call that included Hunton & Williams' Woods, HBGary's Barr, a Berico official, and both Steckman and Bingham on behalf of Palantir (see the bottom email here); was a 26-year-old mid-level engineer the only Palantir official aware of what they were proposing to H&W in order to attract the Bank and the Chamber's business? Third, there's no question -- as this article yesterday from The San Francisco Business Times documents -- that at least three Palantir employees (Steckman, Bingham and Ryan Castle) were all sent emails containing the proposals to smear critics of the Chamber of Commerce, including ThinkProgress. That article notes that these newly released emails "suggest that staff at Palantir Technologies, a high-profile data analysis company co-founded by ex-PayPal CEO Peter Thiel, may have helped prepare a proposal for the U.S. Chamber of Commerce to undermine a pro-labor publication called ThinkProgress with dirty tricks."
Whatever else is true, Palantir's knowledge of and involvement in these proposals is more extensive than it originally claimed, and extends beyond the 26-year-old scapegoat just placed on leave.
HBGary CEO Also Suggested Tracking, Intimidating WikiLeaks’ Donors by Andy Greenberg (2/14/11)
WikiLeaks and its inner circle of supporters may not have been the only targets of a group of security firms that offered to take on the secret-spilling site on behalf of Bank of America. In an email conversation, the head of one of those firms also suggested going after the thousands of individuals who have donated to the group.
A quick search of the company’s WikiLeaks-related conversations shows that Aaron Barr, the HBGary chief executive who first caught the attention of Anonymous by boasting that he’d penetrated the group and identified its leaders, also suggested other tactics against WikiLeaks that weren’t included in that PowerPoint: namely, tracking and intimidating anyone who had given money to WikiLeaks. The security firms “need to get people to understand that if they support the organization we will come after them,” he wrote in an email. “Transaction records are easily identifiable.”
HBGary, the parent company of HBGary Federal, specializes in analyzing “malware,” computer viruses that are used to maliciously steal data from computers or networks. In other presentations, Barr makes clear that his expertise in “Information Operations” covers forms of hacking like a “computer network attack,” “custom malware development,” and “persistent software implants.” The presentation shows Barr boasting that he had knowledge of using “zero day” attacks to exploit vulnerabilities in Flash, Java, Windows 2000 and other programs to steal data from a target’s computer.
Indeed, malware hacking appears to be a key service sold by HBGary Federal. Describing a “spear phishing” strategy (an illegal form of hacking), Barr advised his colleague Greg Hoglund that “We should have a capability to do this to our adversaries.” In another e-mail chain, HBGary Federal executives discuss using a fake “patriotic video of our soldiers overseas” to induce military officials to open malicious data extraction viruses. In September, HBGary Federal executives again contemplate their success of a dummy “evite” e-mail used to maliciously hack target computers.
Some of the initial e-mails discussing the Chamber deal with Team Themis stress the fact that HBGary Federal would provide “expertise on ‘digital intellgence collection’ and social media exploitation.’”
Barr also sent another document to the Chamber’s attorney describing in greater detail Team Themis’ hacking abilities (download a copy here). In one section, Team Themis claims that “if/when Hunton & Williams LLP needs or desire,” they can use “direct engagement” to “provide valuable information that cannot be acquired through other means.”
Operation Set-the-Record-Straight by Jacob Shiflett (3/4/11)
First, it appears the U.S. government wants to play both sides of the fence, so to speak. U.S. officials feign outrage over “cyber crime” and “terrorism” while simultaneously conspiring with private entities and other nations behind closed doors to commit offenses that they publicly condemn.
Second, cyber security firms and their clients—including U.S. government agencies—do not possess a higher degree of electronic protection than the average citizen. Third, Wikileaks should not be anyone’s central concern for the simple reason that, in the absence of Wikileaks, the leaks will continue through the independent efforts of groups like Anonymous.
Lastly and most importantly, when comparing Wikileaks to significant leaks from the past, such as the Pentagon Papers’ acquitted whistleblower Daniel Ellsberg, it appears that the U.S. wants to reframe social and political norms.
The U.S., empowered by stringent counterterrorism measures in the wake of September 11, 2001, effectively conditioned the populace into believing that electronic acts of civil disobedience, protest, and crimes of conscience are equal to terrorism just because these interactions occur through the new medium of the internet.
Taking all of this into consideration, Secretary of State Hillary Clinton recently said that, “[c]onfidential communication gives our government the opportunity to do work that could not be done otherwise.”
Are the arrangements made between the Department of Justice, Bank of America, and H.B. Gary, et al the type of “confidential communication” so eloquently described by Secretary Clinton?
Law Firm That Worked With HBGary Hit With Bar Complaint by Andy Greenberg (2/25/11)
Kevin Zeese, a lawyer with the NGOs VelvetRevolution.us and StopTheChamber.com, filed a complaint with the Washington, D.C. Bar Association earlier this week against John Woods, Richard Wyatt Jr., and Robert Quackenboss, three members of the law firm Hunton & Williams, seeking their disbarment. The complaint alleges a long list of misbehavior that includes domestic spying, cyber stalking, spear phishing, cyber attacks, and theft.
Earlier this month, a trove of emails hacked from the servers of security firm HBGary Federal by the loose hacker group Anonymous revealed that Hunton & Williams had asked HBGary Federal and two other security firms to put together a proposal to address Bank of America’s fear that WikiLeaks would release leaked documents from the bank sometime early this year. In another collaboration with the Chamber of Commerce, it assembled the same team of security contractors, which aside from HBGary also included Palantir and Berico Technologies, to create a proposal for undermining and discrediting political opponents of the Chamber of Commerce including the groups Change to Win, Chamber Watch and Think Progress, and the Service Employees International Union.
Anonymous speaks: the inside story of the HBGary hack by Peter Bright
The hbgaryfederal.com CMS was susceptible to a kind of attack called SQL injection. In common with other CMSes, the hbgaryfederal.com CMS stores its data in an SQL database, retrieving data from that database with suitable queries. Some queries are fixed—an integral part of the CMS application itself. Others, however, need parameters. For example, a query to retrieve an article from the CMS will generally need a parameter corresponding to the article ID number. These parameters are, in turn, generally passed from the Web front-end to the CMS.
SQL injection is possible when the code that deals with these parameters is faulty. Many applications join the parameters from the Web front-end with hard-coded queries, then pass the whole concatenated lot to the database. Often, they do this without verifying the validity of those parameters. This exposes the systems to SQL injection. Attackers can pass in specially crafted parameters that cause the database to execute queries of the attackers' own choosing.
Specifically, the attackers grabbed the user database from the CMS—the list of usernames, e-mail addresses, and password hashes for the HBGary employees authorized to make changes to the CMS. In spite of the rudimentary SQL injection flaw, the designers of the CMS system were not completely oblivious to security best practices; the user database did not store plain readable passwords. It stored only hashed passwords—passwords that have been mathematically processed with a hash function to yield a number from which the original password can't be deciphered.
Is This The Girl That Hacked HBGary? by Parmy Olson (3/16/11)
Still, the girl known on chat forums as ‘k, and who spoke to me by e-mail as “Kayla,” is no figment of the Internet’s imagination: she helped all but destroy a company. When Aaron Barr, the now-former CEO of software security firm HBGary Federal, claimed in a press report that he could identify members of the Anonymous collective through social media, she and four other hackers broke into his company’s servers in revenge, defacing his Web site, purging data and posting more than 50,000 of his emails online for the world to see, all within the space of 24 hours.
Kayla played a crucial role, posing as HBGary CEO Greg Hoglund to an IT administrator (who happened to be Nokia security specialist Jussi Jaakonaho) to gain access to the company’s servers. Read their email correspondence here and here. In the fallout, Barr’s emails revealed HBGary had proposed a dirty tricks campaign against WikiLeaks to a law firm representing Bank of America. Other security firms distanced themselves. Kayla and her buddies had opened a can of worms.
Black ops: how HBGary wrote backdoors for the government by Nate Anderson
Thanks to a cache of HBGary e-mails leaked by the hacker collective Anonymous, we have at least a small glimpse through a dirty window into the process by which tax dollars enter the military-industrial complex and emerge as malware.
In 2009, HBGary had partnered with the Advanced Information Systems group of defense contractor General Dynamics to work on a project euphemistically known as "Task B." The team had a simple mission: slip a piece of stealth software onto a target laptop without the owner's knowledge.
They focused on ports—a laptop's interfaces to the world around it—including the familiar USB port, the less-common PCMCIA Type II card slot, the smaller ExpressCard slot, WiFi, and Firewire. No laptop would have all of these, but most recent machines would have at least two.
The HBGary engineering team broke this list down into three categories. First came the "direct access" ports that provided "uninhibited electronic direct memory access." PCMCIA, ExpressCard, and Firewire all allowed external devices—say a custom piece of hardware delivered by a field operative—to interact directly with the laptop with a minimum amount of fuss. The direct memory access provided by the controllers for these ports mean that devices in them can write directly to the computer's memory without intervention from the main CPU and with little restriction from the operating system. If you want to overwrite key parts of the operating system to sneak in a bit of your own code, this is the easiest way to go.
HBGary Federal’s Aaron Barr Resigns After Anonymous Hack Scandal by Andy Greenberg (2/28/11)
Aaron Barr’s time in the security industry’s spotlight may have finally, mercifully ended. On Monday, the much-tormented chief executive of HBGary Federal announced that he has resigned from his position, three weeks after a hacking scandal that tainted not just his firm, but its partners, clients, and even the U.S. government.
“I need to focus on taking care of my family and rebuilding my reputation,” Barr told Threatpost. “It’s been a challenge to do that and run a company. And, given that I’ve been the focus of much of bad press, I hope that, by leaving, HBGary and HBGary Federal can get away from some of that. I’m confident they’ll be able to weather this storm.”
House Democrats Call For ChamberLeaks Investigation by Scott Keyes (3/1/11)
Now that the severity of the plot has come into focus, Congress may soon get involved. Today, 20 House Democrats, led by Rep. Hank Johnson (D-GA), called for an investigation into the ChamberLeaks scandal, noting that Hunton & Williams appear to have orchestrated “a ‘dirty-tricks’ campaign that included possible illegal actions against citizens engaged in free speech.” Johnson wants to examine whether these “subversive techniques” which were discussed in the leaked emails were “developed at U.S. government expense to target terrorists and other security threats.”
Indeed, ThinkProgress’ report detailed how the tactics revealed in this plot are “typically reserved for use against terrorist groups.” After all, Johnson notes, “it is deeply troubling to think that tactics developed for use against terrorists may have been unleashed against American citizens.”
The letter, which is being sent to the chairmen of four relevant House Committees – Oversight and Government Reform, Judiciary, Armed Services, and the Permanent Select Committee on Intelligence – notes that beyond the political ramifications of the Chamber’s lobbying firm targeting opponents, federal crimes may have been committed as well:Given evidence of their proposal to infiltrate computer systems, discredit and disrupt the operations of U.S. advocacy groups, Team Themis and Hunton and Williams may have conspired to carry out or previously carried out actions in violation of federal law, including:
• Forgery under 10 USC §923
• Mail and Wire Fraud under 18 USC §1341 and 18 USC §1343
• Fraud and Related Activity in Connection with Computers 18 USC §1030
The letter concludes by stating that the leaked emails and documents “provide a window into a deeply concerning set of circumstances, but not all of the facts are known. We believe it is therefore incumbent upon the Committee to investigate this matter thoroughly and with the utmost urgency.”
During an Armed Services Committee hearing on Wednesday, Rep. Hank Johnson (D-GA) asked Gen. Keith Alexander, director of the NSA and commander of the U.S. Cyber Command, and Dr. James Miller Jr., deputy under secretary of defense for policy, to provide contract information related to the government’s business with the firms involved in the Chamber proposal. Watch it:
Attorney Consulted HB Gary About Spiking Defamatory Content “By Any Means Necessary” by Kai Falkenberg (3/14/11)
New York IP lawyer Sean Kane is one of many other attorneys whose e-mails were compromised in this scandal. In the e-mail (available here), Kane tells HB Gary founder Greg Hoglund that a client of his wants to have defamatory content removed from a website “by any means necessary”. Kane writes that he advised his client of his legal options but the client wants to pursue more “aggressive” means. He adds that he told his client that ”there are consultants that do this type of work” but that he does not have contact with them and that not everything they do “is on the up and up” so he could not retain them. Kane says he “assumes this is not something that” HB Gary does but asks if they have some information about where Kane’s client can turn. The Anonymous database does not appear to include any e-mail response from HB Gary execs to Sean Kane. Kane did not respond to multiple requests for comment.
Richard Clarke Says U.S. Chamber May Have Committed A Felony With Hacking Plot by Lee Fang (3/24/11)
CLARKE: I think it’s a violation of 10USC. I think it’s a felony, and I think they should go to jail. You call them a large trade association, I call them a large political action group that took foreign money in the last election. But be that as it may, if you in the United States, if any American citizen anywhere in the world, because this is an extraterritorial law, so don’t think you can go to Bermuda and do it, if any American citizen anywhere in the world engages in unauthorized penetration, or identity theft, accessing a number through identity theft purposes, that’s a felony and if the Chamber of Commerce wants to try that, that’s fine with me because the FBI will be on their doorstep in a matter of hours.