I’ve said it before and I’ll say it again. This will be the year of the hacker – or rather, the year hacking goes mainstream.
It’s been brewing for quite some time. According to McAfee, a team of Chinese hackers has been infiltrating computer networks for the world’s largest oil and gas companies. Last week the Wall Street Journal reported that NASDAQ’s network was penetrated last year (though not the NASDAQ market – at least, as far as we know). And the ongoing battle between Anonymous and the folks who are aiming to take it down is really just heating up.
Before you fire up your email program or leap immediately to the comments to correct me: yes, I know, hacker isn’t the right word for this. Hackers are not necessarily criminals or even evildoers. There are white hat, black hat, gray hat, and the occasional houndstooth hatted hackers. The appropriate word for people who attack computer systems for their own nefarious criminal purposes is ‘cracker.’ But to most people, a cracker is either something you spread cheese on or someone you try to avoid talking to at cocktail parties. These days everybody understands “hacker” – at least, the Hollywood version. Sorry, but that’s just the way it is.
And when hackers get tired of eating Doritos for dinner and have actual bills to pay, they grow up to be highly paid security consultants, who are then hired to do battle with their younger doppelgangers.
Case in point: The war between HBGary Federal, a security firm hired by the FBI to suss out who was behind the revenge attacks on assorted “enemies” of WikiLeaks, and Anonymous.
Last weekend, HBGary CEO Aaron Barr made the fatal mistake of bragging to the Financial Times about how his firm had managed to infiltrate the computers of leading members of Anonymous. Per the FT:
‘Of a few hundred participants in operations, only about 30 are steadily active, with 10 people who "are the most senior and co-ordinate and manage most of the decisions", Mr. Barr told the Financial Times. That team works together in private internet relay chat sessions, through e-mail and in Facebook groups. Mr. Barr said he had collected information on the core leaders, including many of their real names, and that they could be arrested if law enforcement had the same data.’
You’d think he’d know better. But no. Sure enough, HBGary’s servers got hacked and Barr’s Twitter account got hijacked by, yes, Anonymous. They posted Barr’s address, phone number, and Social Security Number on his Twitter feed, and sent out numerous taunting tweets on his behalf. They also hacked HBGary’s Web site and replaced it with this message, which reads in part:
“You have blindly charged into the Anonymous hive, a hive from which you’ve tried to steal honey. Did you think the bees would not defend it? Well here we are, You’ve angered the hive, and now you are being stung.”
Writing for CSO online, guest blogger Nick Selby sums up Barr’s boneheadedness:
‘I don’t know much about law enforcement, but I do think that, if you’re planning, say, to serve a felony warrant, it’s a bad idea to phone ahead and let the guy know you’ll be by in 15 minutes…. Criminals generally engage in criminal enterprises for the money (few people have a driving passion to establish, say, an industry-leading counterfeiting ring for the societal benefit), and those who stand between criminals and their goal risk the ire of the criminals. … Now, stating in a newspaper that you possess the secret identity of a criminal? This falls squarely into the category of "standing between a criminal and his goal." That’s a tip, kids. Write it down. To paraphrase Wendy in A Fish Called Wanda, one only briefs the public on an upcoming law enforcement action if one is congenitally insane or irretrievably stupid.’
Anonymous also published somewhere between 44,000 and 60,000 emails between HBGary and its corporate/government customers. And what was inside those emails was an eye opener.
It seems HBGary was working with Bank of America on a plan to take down WikiLeaks – and, strangely, CNN and Salon commentator Glenn Greenwald, whom it deemed instrumental to WikiLeaks’ continued existence, along with a handful of other prominent journalists.
HBGary was one of five firms allegedly involved in the discussion, along with law firm Hunton & Williams, data gathering firms Palantir and Berico, and consultants Booz Allen Hamilton. Business Insider published the slides this group prepared for BofA. It’s pretty chilling. To quote slide 5:
“Glenn was critical in the Amazon to OVH [hosting] transition…It is this level of support that needs to be disrupted. These are established professionals that have a liberal bent, but ultimately if pushed most of them choose professional preservation over cause, such is the mentality of most business professionals. Without the support of people like Glenn wikileaks [sic] would fold.”
What do you suppose they meant by “pushed”? As in, over a cliff?
That presentation suggests strategies such as sowing dissension within the WikiLeaks org, disinformation (i.e., submitting false documents to WikiLeaks in order to discredit it), cyberattacks against WikiLeaks’ service providers, a media smear campaign, and “using social media to profile and identify risky behavior of [WikiLeaks] employees.”
Does that last one sound like blackmail to you?
HBGary is trying to sell the idea that Anonymous falsified some of the documents, but I doubt anyone’s buying it. Palantir has already publicly apologized to Greenwald and severed its ties with HBGary, which suggests the information contained in that leak is accurate.
To recap: A massive US corporation is targeting whistleblowing Web sites and mainstream American journalists, with the help of several data/security/consulting firms with strong ties to the US government. It sounds like the plot of a Hollywood summer blockbuster. It’s not.
So tell me: Who are the white hats and who are the black hats here?
Fasten your seatbelts. It’s going to get a lot more bumpy from here on out.
Does all this corporate hacking hack you off too? Vent your spleen below or email me: firstname.lastname@example.org.
This post originally appeared on InfoWorld.com.