Part 1: HBGary
In the middle of the banking crisis, the Bank of America was trying to change the public's opinion of them. They were trying to deal with their negative image that came out of the crisis. The US government also comes into this story along with companies the Bank was using -- directly and indirectly -- to change the public perception of them.
Recently, two major news stories came together. The first came from the world of business and government, the second from technology and government. The first story was the subprime mortgage crisis. This story featured several banks, including the Bank of America, who took on risky loans with unrealistic terms based on inflated home values. They did this to maximize payments by the homeowners. Because the debts were so optimistic, many people had to default when they lost their jobs. The banks, including Bank of America, ended up with huge losses from missed payments and only overvalued homes as collateral. To protect themselves from any reaction by angry homeowners, the Bank of America destroyed the documents that proved the customers were overpaying.
The US government covered their losses and bonuses were handed out to the executives who carried out this plan.
The second news story came from a website called wikileaks.org. They post secret documents for anyone in the world to see. The documents mostly came from large corporations and governments of small countries and were "leaked" by whistleblowers. WikiLeaks had been doing this for a few years but made big news when they posted US government documents from the Iraq War that gave firsthand accounts of deliberate killing of prisoners, innocent civilians, and even members of their own military.
American officials took fast action to bury the story and erase the documents from public view. They went even further. They said they would retaliate against anyone who even read the leaked documents. The US government completely avoided the topic of the documents themselves. Many were basic informational cables. The government did not at any time try to explain how such documents were damaging to national security. They only seemed to be damaging to their own justification for the war, which was already on shaky ground in the international community.
The government successfully buried the story and focused the public attention onto WikiLeaks as a terrorist organization for revealing government secrets. The public and the press did not ask any officials to explain why the documents had anything to do with terrorism. The whole issue might have vanished under this bad press. But several computer users decided to take action. Under the name "Anonymous" they started to attack websites of corporations that were helping the US government bury the story.
At this point, we should switch over to another story: one about a US company that at first is not connected to either of these topics at all.
In Sacramento, California, a company called HBGary advertised itself as computer security experts. They didn't really have much experience. They had no apparent formal computer training or even much experience. They mostly based their own products and services on public domain security software that anyone could download for free from the internet.
But they were successful salesmen and made enough money to decide to split off a second company called HBGary Federal, which would sell services to the US government. The companies are very closely linked and share executives.
But business was bad. HBGary Federal CEO Aaron Barr decided to entice government clients with something he thought they would like: The real identities of the members of the group Anonymous. So now we have joined the stories. This was the same group that was annoying the government by keeping the WikiLeaks story in the news and the Iraq War casualty documents.
Barr knew that he could get much needed sales for HBGary Federal by offering them the names of their online enemies. So he turned on his computer and visited the website 4chan.org. This site is known for letting people chat online without revealing their real identity. They discuss a variety of topics from frivolous to life-threatening. Over time, they developed online "communities" where members could share information, getting valuable problem-solving help.
Mr. Barr set up his own identity here, then got into discussion with the members of the group Anonymous. He asked them for information and compared it to what he read on their public profiles. Then he traced internet traffic to figure out the actual computers they were using at home. With the knowledge of the Anonymous members' home computer addresses, he tracked social networking websites such as Facebook and Twitter, looking for people connecting from the same computer. When he found matches, he wrote down the names associated with the related account on the other websites.
Aaron Barr was openly excited with his work, bragging to coworkers he had infiltrated Anonymous. He wanted to reveal the names in a talk he would give at the RSA conference of 2011. He hinted that the FBI was interested in buying the list of names. There were rumors that 60 Minutes would do a story on him.
His overconfidence was contagious. Penny Leavy is President of the parent company, HBGary. She was getting ready to put a full public relations blitz on Aaron's conference talk and 60 Minutes story.
But a few employees were worried about revealing the identities of people who took a lot of trouble to keep them secret, and about whether his list was even accurate. Many were definitely worried since the group was known for breaking into computer systems. The address matching technique had many limitations and many ways to generate false information. On top of all that, his system was very subjective. Facebook and Twitter are very popular websites and he could easily confuse multiple people connecting to them from the same computer connection.
But HBGary Federal CTO Greg Hoglund was not worried. He told Aaron Barr to go ahead with revealing the list, guaranteeing him that their network and website were fully protected against any computer attacks from Anonymous. He even drafted a press release announcing that the FBI had confirmed and arrested the members of Anonymous from Barr's list of names. With all this support, Aaron Barr was sure he was headed for unprecedented computer security fame.
But his plan was risky. Computer programmers warned him that his address matching strategy was untested and almost guaranteed to give false matches. For example, one of the people Aaron Barr exposed was not even alive during the process. Real security experts with more experience were certain that HBGary's computers would be in danger. Several employees were obviously worried and tried to convince Mr. Barr not to reveal any real names. Instead, he should focus on the address matching process he was using. It is actually an interesting idea and worth studying using some controlled methodology.
Aaron Barr ignored the warnings, even insisting that there was no point in giving his talk unless he revealed the names. He was confident about his results and urged his company to build up even more hype for his talk the week before the conference.
The hype worked. In fact, it got the attention of Anonymous. They launched an attack on HBGary computers, websites and online accounts. Employees started to notice problems with the website. Then system administrators noticed problems with the system. Then they found that unknown overseas computers were logged into their network remotely. Internal files were being copied and deleted faster than the company could respond.
Now Aaron Barr was starting to worry. He went back to 4chan.org to talk with the group. He chatted with one person who was part of the group but not part of the attacks. The chat transcript clearly shows him lying about the RSA conference talk, saying several times that he would not and never had plans to reveal names of the group members and was only going to talk about his address matching technique. The person he chatted with was neutral, sympathetic, but insisted he couldn't do anything about the attacks.
Later Penny Leavy also went online to chat with the group. Like Mr Barr, she reversed her earlier excitement. She even said that she was unhappy with the plan. This was the very plan that she was busy promoting extensively to media outlets. By the end of the chat she had gotten nowhere trying to convince Anonymous that the whole conference talk debacle was a huge misunderstanding. Her dreams of high profile government contracts and a 60 Minutes segment were long gone.
Meanwhile, Greg Hoglund was also busy changing his own story. Earlier, he boasted about how Anonymous would face defeat and humiliation trying to crack HBGary's network security. After all, he believed his own company's hype. He even quoted from the movie Return of the Jedi to suggest that he could anticipate every move Anonymous would make. In the end, Hoglund's defence system turned out like the film's: inadequate.
Now his talking points focused on the danger of Anonymous, predicting that their cyber attack on HBGary would soon switch over to violent physical attacks on the children of their employees. He obviously put the keywords "family", "children" and "violence" together in his press release for maximum effect and to turn attention away from Aaron Barr's misguided deception. Despite his claim of likely danger, there is no evidence that any person was physically harmed by the group's members. Mr Hoglund must have been thinking of his own memos. Ironically, HBGary's own cyber defense strategy was to target family members of opponents.
So if there was no real threat of violence, what was Mr. Hoglund so worried about? As we found out later, Anonymous copied over 70,000 emails from the HBGary server. These emails described what the company was really doing beyond what was in their public ads.