The HBGary Federal Hack
In February 2011, the loosely knit collective of hacktivists known as Anonymous successfully compromised the corporate network of HBGary Federal (HBG Fed), a company that provided information security services to the federal government of the United States. This attack brought down the HBG Fed website, compromised the Twitter and LinkedIn accounts of HBG Fed CEO Aaron Barr, and resulted in the public release of thousands of internal documents and emails.
Storm brewing – the prelude to the attack
The internal documents disseminated to the public by Anonymous reveal much about the nature of HBG Fed’s business operations before “the incident”. HBG Fed was engaged in several anti-hacker projects that were aimed at disrupting and discouraging Anonymous-style hacktivism. Based on their own internal files, here is a breakdown of HBG Fed’s efforts at fighting Anonymous, similarly motivated Internet activists, and individuals deemed to be antagonistic to their clients.
Cyber-stalking. Curiously for a chief executive officer, much of Aaron Barr’s time seems to have revolved around cyber-stalking individuals whom he targeted. Barr seems to have reveled in collecting personal information about them, creating fake online profiles, and impersonating hackers. Examples of this behavior are provided in an Ars Technica article which describes Barr’s efforts as “creepy” and sensibly asks: “How did Barr, a man with long experience in security and intelligence, come to spend his days as a CEO e-stalking clients and their wives on Facebook?”
Malware development. Software coders with HBGary (sister company of HBG Fed) had developed malware designed to exploit the Windows operating system, Adobe Flash, Java, and other programs. This malware took the form of rootkits, key loggers, and other nasties and were intended to be marketed to government agencies for spying and propaganda purposes. One rootkit, code named Magenta, was touted by HBGary as “almost impossible to remove”. Additionally it was revealed that HBG Fed had been contracted by the Air Force to create a swarm of fake social media ‘friends’ (bots) to promote government- and military-friendly propaganda.
Wikileaks. A proposal entitled “The Wikileaks Threat” contained tactics for disrupting and discrediting Wikileaks. The proposal suggested a smear campaign to destroy Wikileaks’ public image and marginalize its supporters. Shortly after the Anonymous incident, the proposal’s co-author, Palantir, cut off its dealings with HBG Fed.
Anonymous taunting. Barr’s claims that he would unmask and extinguish Anonymous proved to be the proverbial last straw on the camel’s back. In a Financial Times article dated Feb. 5, 2011, Barr claimed that had penetrated Anonymous and that he had “collected information on the core leaders, including many of their real names”.
The hammer falls
On February 6, 2011 (Super Bowl XLV Sunday), the HBG Fed website was wiped out and replaced with a message from Anonymous (screenshot).
Next, Barr’s Twitter and LinkedIn accounts were taken over and used to disseminate messages that were derogatory against him, and which also included his cell phone number, his home address, and his Social Security number. Not surprisingly, Barr began receiving threats and prank calls.
As if these breaches weren’t enough, a treasure trove of HBG Fed’s internal emails - over 60,000 of them – was released for public download. In fact, the very document that HBG Fed had been planning to sell to the FBI as some sort of intelligence report was also made available and criticized by Anonymous for being inaccurate. Additionally, Anonymous hackers acquired data backups and deleted HBG Fed’s copies.
How Anonymous did it
For website management, HBG Fed used a custom content management system (CMS) which was susceptible to SQL injection attacks, and these injections led to the breach in their database. Using rainbow tables, passwords were extracted from MD5 hashes which had not been salted.
The SQL injection vulnerability was especially egregious on HBG Fed’s part since such injections have been rated #1 in the OWASP’s top ten web application security risks for a while. Their CMS generated URLs such as http://hbgary.com/pages.php?pageNav=2&page=27 and failed to properly perform parameter checking. Commands were therefore passed on to the SQL database on the back end.
With HBGary CEO Hoglund’s email account compromised, a hacker obtained the server root password via social engineering. At this point, it was all over.
In December 2011, Network World quoted HBGary CEO Greg Hoglund as claiming that the Anonymous attack on HBG Fed did not achieve the effect of bringing down all of HBGary. Instead, HBGary actually saw its earnings increase in 2011. Hoglund further clarified that while HBG Fed was severely damaged by Anonymous, HBGary itself was not threatened in any similar manner. His outlook on Federal’s take-down had improved from the days after the attack in Feb. 2011 when he stated, “They are causing me a great deal of pain right now [because of the timing of the RSA conference in San Francisco]. What they’re doing right now is not hacktivism, it’s terrorism. They’ve really crossed a line here. I’ve worked so many years on HBGary, and I don’t deserve this. I never did anything to those people. They completely overreacted to [the Financial Times article]. Why did they need to do that?”
There are more than a few lessons to be learned from the Anonymous blitzkrieg against HBG Fed.
Tim Greene at Network World shares seven tactics for avoiding malicious, Anonymous-style intrusions. Among Green’s recommendations are regularly updating CMS software, hardening password hashes, using strong passwords and not reusing them for multiple accounts, and increasing awareness of social engineering tricks among employees.
I would like to add that not engaging in the conduct described in the ‘Prelude to the attack’ section above is an effective means to highly reduce the likelihood of being tagged with the hackers’ bull’s-eye. In other words, do not rile up the bee hive if you do not want to be stung.
Tony Bradley at PCWorld describes how other organizations can study the HBG Fed example to further lock down their own information systems. Bradley remarks that the hacking of a firm that actually specialized in anti-hacking measures is a sobering testament to the challenging complexity of effectively securing electronic data. He goes on to warn security practitioners not to underestimate the skills and determination of hackers, whether they qualify as mere script kiddies or as expert vulnerability analysts. Lastly, Bradley notes that often there is a thin line between hacktivists like those from Anonymous and “ethical hackers”, as Barr and others at HBG Fed surely fashioned themselves. This point merits some pondering. After all was said and done, could Barr himself be called anything other than a gray hat hacker? Perhaps we should reflect on this difference between Anonymous-style hacktivists and some of their “security professional” adversaries: while Anonymousers do what they do for recreation and/or idealistic political activism, Barr and his associates at HBG Fed were ultimately motivated by money and career advancement. Which side, then, is more respectable and praiseworthy?
One year after the Anonymous onslaught, browser requests for ‘www.hbgaryfederal.com’ remained unanswered.
Two years after the hack, the domain name appeared to have been purchased by…umm…definitely not HB Gary:
If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book or two using the links below. Thanks!