Nettime mailing list archives

<nettime> Lessons from Anonymous on cyberwar
Hans Lammerant (Vredesactie) on Fri, 18 Mar 2011 03:25:45 +0100 (CET)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

<nettime> Lessons from Anonymous on cyberwar


this piece on Al Jazeera will probably also interest this mailinglist.


Lessons from Anonymous on cyberwar

A cyberwar is brewing, and Anonymous reprisal attacks on HBGary Federal
shows how deep the war goes.

Haroon Meer

"Cyberwar" is a heavily loaded term, which conjures up Hollywood
inspired images of hackers causing oil refineries to explode.

Some security celebrities came out very strongly against the thought of
it, claiming that cyberwar was less science, and more science fiction.

Last year on May 21, the United States Cyber Command (USCYBERCOM)
reported reaching initial operational capability, and news stories
abound of US soldiers undergoing basic cyber training
which all point to the idea that traditional super powers are starting
to explore this arena.

Recent activities with one government contractor and Anonymous, however,
show clearly that cyber operations have been going on for a long while,
and that the private sector has been only too ready to fill the cyber
mercenary role for piles of cash.

*Anonymous vs. HBGary*

Early in 2011, Aaron Barr submitted a talk to a security conference in
which he planned to "focus on outing the major players of the anonymous

Barr, the CEO of Washington-based HBGary Federal, had spent time
"infiltrating the group" using multiple identities on social networks
and Anonymous IRC channels.

He was confident enough of his analysis to publish parts of it through
the Financial Times
Barr (and indeed the rest of the company) planned to milk the exposure,
lining up a string of meetings to profit from the research, from an
interview with /60 Minutes/ to multiple potential deals with federal

The CEO of HBGary prepared a post explaining
<http://hbgary.anonleaks.ch/aaron_hbgary_com/4518.html> how they had
flexed their "muscle today by revealing the identities of all the top
management within the group Anonymous."

Anonymous were quick to respond.

Even while Barr was proclaiming victory and threatening to "take the
gloves off", Anonymous were burrowing deeper into his network

By the end of the attack, Barr's iPad was reputedly erased, his LinkedIn
and Twitter accounts were hijacked, the HBGary Federal website was
defaced, proprietary HBGary source code was stolen and with over 71,000
private emails now published to the internet, HBGary was laid bare.

In this, was our first lesson: The asymmetry of cyber warfare.

HBGary, a well-funded, pedigreed security company with strong offensive
cyber capabilities was given a beating by a non-funded, loosely
organised hacker collective.

The incident holds a string of lessons for those wishing to secure their
networks from attack, but what's far more interesting is the leaked
emails that give us insight into the murky world of "cyber contractors"
and what???s being called "the military digital complex". 

*HBGary: cyberwar arms dealer*

HBGary was formed by security research veteran Greg Hoglund, who has
made a name for himself over the years doing research on rootkit technology.

A rootkit is a piece of software installed to ensure that an attacker is
able to maintain control of a compromised computer. Rootkits are
designed to avoid detection once installed.

Hoglund???s emails claim that his current products were built with "about
2 million in Uncle Sam's money", but this alone is no shocker.
Governments fund technology research all the time, and HBGary were also
building a commercial product.

What is shocking though, are some of the other details that came out in
the wash.

The emails make it clear that HBGary sold rootkits and keyloggers
<http://hbgary.anonleaks.ch/ted_hbgary_com/7838.html> (tools to record
and exfiltrate keystrokes surreptitiously) to government contractors for
prices between $60,000 and $200,000 each.

These pieces of "malware" would be tailored specifically to the clients
needs, which undoubtedly reflected the state of the ultimate targets
e.g.: "..test the tool against McAfee and Norton".

Some rootkits were fairly routine, while others clearly betrayed
specific needs: "Runs on MS Windows XP sp2 and Office 2003, finds MS
Office files using the XRK technique to exfiltrate files".

Even next generation rootkits were explored - to remain active despite
the removal of a hard drive or to persist on a machine through the video

Make no mistake, these were offensive cyber tools, made to order.

*0day exploits*

Rootkits allow you to maintain control of a compromised machine, but one
would still need an initial compromise vector.

Once again, the mail archives deliver: HBGary sales personnel can be
seen making reference to "Juicy Fruit", their internal name for HBGary
supplied 0day exploits.

0day refers to exploits that are currently unknown to the software
vendor, making defence against 0day attacks sometimes impossible.

One email lists their 0day arsenal, which included attacks against Adobe
Flash, Windows 2003, Sun Java and a host of other products.

The emails even differentiate between exploits that have been sold to a
customer and those that are still exclusive.

Other emails include discussions on selling back-doored software to
foreign governments and plans to create
<http://hbgary.anonleaks.ch/aaron_hbgary_com/15656.html> "themes for
video games and movies appropriate for Middle East & Asia. These theme
packs would contain back doors."

Clearly cyber attacks against foreign nationals appear to be fair game.

If the ethical line on such matters was slightly blurry, the line was
completely obliterated with plans to combat WikiLeaks by targeting
supporters of the cause:

>From - Tue Feb 08 09:06:48 2011

Subject: Re: first cut
From: Aaron Barr <aaron {AT} hbgary.com <mailto:aaron {AT} hbgary.com>>
Date: Fri, 3 Dec 2010 08:32:12 -0500
Cc: Eli Bingham <ebingham {AT} palantir.com <mailto:ebingham {AT} palantir.com>>,
BERICO-Sam.Kremin <skremin {AT} bericotechnologies.com
<mailto:skremin {AT} bericotechnologies.com>>
To: Matthew Steckman <msteckman {AT} palantir.com
<mailto:msteckman {AT} palantir.com>>

One other thing.  I think we need to highlight people like Glenn
Greenwald.  Glenn was critical in the Amazon to OVH transition and
helped wikileaks provide access to information during the transition.
It is this level of support we need to attack.  These are established
proffessionals that have a liberal bent, but ultimately most of them if
pushed will choose professional preservation over cause, such is the
mentality of most business professionals.  Without the support of people
like Glenn wikileaks would fold.

/(Subsequent emails show that the project to target WikiLeaks was to be
sold for $2 million dollars.)/

*Maybe HBGary was an outlier?*

At this point we could make the jump that HBGary was a single bad apple,
operating on the other side of the ethical line all on its own, but we
would be wrong.

The email above indicates that the project to discredit WikiLeaks (and
their supporters) was a joint operation by HBGary Federal, Palantir and
BericoTechnologies, although the other companies involved were quick to
distance themselves from HBGary after the Anonymous hack.

Endgame Systems, a company with almost no public footprint were also
thrust into the spotlight, when several of their previously well-guarded
reports and company presentations were shared amongst the emails.

In an early email to Aaron Barr
<http://hbgary.anonleaks.ch/aaron_hbgary_com/5686.html>, Endgame Systems
made it clear that they had "been very careful NOT to have public face
on our company". The CEO of Endgame Systems was clear: "Please let
HBgary know we don't ever want to see our name in a press release."

So what exactly do the secretive Endgame Systems do? The company started
by ex ISS and CIA executives promises (in private) "to provide our
customers with the highest quality offensive CNA/CNE (Computer Network
Attack/Computer Network Exploitation) software in the world".

Their overview makes it clear
<http://hbgary.anonleaks.ch/greg_hbgary_com/25501.html> that they serve
"the special requirements of the United States DoD and Intelligence

Their leaked PowerPoint deck advertises subscriptions of $2,500,000 per
year <http://hbgary.anonleaks.ch/greg_hbgary_com/attachments/629.pdf>
for access to 0day exploits, with slightly more affordable "intelligence
feeds" effectively selling information on vulnerable servers by
geographic region.

With a single report (and a big enough chequebook) you can find out all
the servers vulnerable to attack in the Venezuelan government, along
with the software required to exploit them. [Downloadable file

Even just the CV's sent to HBGary for job applications turned out to be
instructive, revealing details that are not often circulated in the
public arena.

One candidate had "managed team of 15 persons, responsible for
coordinating offensive computer network operations for the United States
Department of Defense and other federal agencies."

Clearly offensive cyber operations far predate the 2009 founding of

The email conversations make clear what many have known, that offensive
cyber operations against individuals and nation states have been going
on for a long, long time.

Experts who claim otherwise are misinformed at best, or actively
spreading misinformation at worst. When it comes to cyberwar, the matter
is best handled by William Gibson's famous quote: "The future is already
here - it's just not very evenly distributed."

*/Haroon Meer is the founder of Thinkst <http://thinkst.com>, an applied
research company with a deep focus on information security. He has
contributed to several books on information security and has presented
research at industry and academic conferences around the world./*

#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mail.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime {AT} kein.org