Anonymous vs HBGary: A classic geek tragedy

gadkkaadlLast week, in a straight-out-of-Hollywood B-movie plot, we learned that an obscure cyber security company was trying to take out a whistleblowing site on behalf of a Fortune 50 corporation, thanks to a shadowy group of uber geeks whose identities are as yet unknown.

(Quick, get me Matt Damon. He’s not available? Get me someone who looks like Matt Damon. OK, we’ll settle for Shia LeBeouf.)

But the saga of HBGary Federal, WikiLeaks, and Anonymous is still only unfolding, thanks to yet more private emails that have been released by Anonymous into the wild. InfoWorld blogger Woody Leonhard has a nice summary of all that has transpired so far.

Here’s a quick list of the dirty dealings buried in those emails:

* HBGary Fed (HBGF) was one of five companies that were pitching a proposal to take down WikiLeaks on behalf of Bank of America. Palantir and Berico immediately severed all ties with HBGF and apologized. As far as I know, Booz Allen and law firm Hunton & Williams have yet to issue a statement, while BofA claims it never heard of or saw this proposal. (Color me surprised.)

* HGBF was also targeting top journalists, including Salon’s Glenn Greenwald and former New York Times reporter Jennifer 8. Lee.

* HGBF had a copy of Stuxnet, the virus allegedly developed by US and Israeli spy agencies to monkey wrench Iran’s nuclear facilities, and may have been planning to use it for its own nefarious purposes. (Now, of course, Anonymous has that code. Nervous yet?)

* According to Crowdleaks.org, HBGary may have been developing a new Windows rootkit (code name: Magenta) that is undetectable and impossible to kill.

* Fill in the blank. I’m sure more revelations will arise before I’ve finished this blog post.

Want to peek inside those emails? Try this search engine. (I know what you’re wondering; no, I am not in them. Not yet, anyway. Justin Bieber, on the other hand, is mentioned in two of them. Go figure.)

All of this is only known because various members of Anonymous took exception to a story in the Financial Times earlier this month in which HBGF spook-in-chief Aaron Barr bragged about infiltrating Anonymous using fake social network profiles and other publicly available information. He even claimed to know the real identities of the group’s “leaders.”

Except that it turns out he was dead wrong.

ITworld’s Thank You For Not Sharing blogger Dan Tynan spoke with one of those accused of being not only part of Anonymous, but its alleged kingpin, Commander X. It turns out that Ben de Vries is just an organic gardener in San Francisco who happened to run a Facebook group where alleged Anons liked to gather. Yet that was enough for HBGary Fed spook-in-chief Aaron Barr to conclude that he was the mysterious X, and to discuss with his boss submitting that info to the FBI.

A handful of commenters weighed in saying that they too had been named by Barr, incorrectly, as members of Anonymous. So much for Barr’s theory that he could penetrate the innards of a supersecret org through the magic of social media and his own innate brilliance.

Ars Technica, which has been all over this story in a way nobody else can touch, has a detailed account of how the Anons managed to pwn this alleged security firm. It used a standard weapon from the hacker arsenal, an SQL Injection, to penetrate HBGF’s custom content management system. That in turn gave them access to HBGF’s database of user names and passwords, which the Anons quickly cracked. Turns out that the principals at HBGF used simple passwords, and they used the same ones promiscuously for Twitter, Facebook, email, etc.

That, as they say, was the ballgame. Per Ars:

For a security company to use a CMS that was so flawed is remarkable…. Proper handling of passwords—iterative hashing, using salts and slow algorithms—and protection against SQL injection attacks are basic errors. …And though not all the passwords were retrieved … two were, because they were so poorly chosen.

Meanwhile, HBGary Federal – a division of HBGary – is all but dead. It slunked out of the RSA conference with its tail behind its legs. I’ll bet within a year that if parent company HBGary survives this debacle, it decides on a name change. There’s no getting the stink off them now.

As for Barr, he’s a victim of his own hubris. I’d be surprised (and, really, appalled) if he’s still employed in any capacity within a month. He thought he could fly with the Gods; instead he crashed and burned.

You might call it a classic geek tragedy.

What’s your take on HBGF, Anonymous, et al? Post your thoughts below or email me: dan@dantynan.com. I’ll feature the best and brightest in a future post.

This post originally appeared on InfoWorld.

Comments are closed.