Thursday, March 10, 2011
Hacker vs. Hacker
The hacking and public humiliation of cyber-security firm HBGary isn't just entertaining geek theater. It's a cautionary tale for businesses everywhere.

Greg Hoglund's nightmare began on Super Bowl Sunday. On Feb. 6 the high-tech entrepreneur was sitting in his home office, trying to get to the bottom of some unusual traffic he was seeing on the Internet. Two days earlier he'd noticed troubling activity hitting the website of HBGary Federal, the Sacramento startup he helped launch in 2009. He suspected some kind of hacker assault and had spent the weekend helping to shore up the company's systems. A few hours before Green Bay kicked off to Pittsburgh, Hoglund logged into his corporate account on Google (GOOG)—and confirmed his fears. He couldn't get in. Someone had changed the password and locked him out of his own e-mail system.

Stolen passwords and hackers are facts of life in the Internet Age. Twitter, Facebook, MasterCard (MA), the Washington Post Co. (WPO), the New York Stock Exchange (NYSE), the U.S. State Dept., and countless other organizations large and small have had to deal with cyber-assaults. More often than not, the security hole is plugged and, if the victims are lucky, the plague abates. Not this time. HBGary Federal is a spinoff of Hoglund's HBGary Inc., a cyber-security firm that offers protection to corporations and governments from cyber-attack. Hoglund built his career on the business of hacker-proofing—getting hacked meant HBGary failed at the very thing it's paid to get right.
Hoglund called Google's corporate technical support to shut down the account, but a representative told him that doing so would take time. It didn't matter. Intruders were already helping themselves to tens of thousands of internal documents and e-mails, some of them personal exchanges between Hoglund and his wife, Penny Leavy, president of HBGary. Then the hackers—who turned out to be members of the anarchic cyber-guerrilla organization that calls itself Anonymous—triumphantly posted their electronic booty on an online file-sharing service for all the world to see. That's when Hoglund's real problems began, and the resulting controversy—involving a high-powered Washington (D.C.) law firm, the Justice Dept., and the whistle-blower site WikiLeaks—hasn't just been entertaining geek theater but a rare look into the esoteric realm of cyber-security. It's a world where only a select few understand the workings of the computers and networks we all use, where publicly antagonizing the wrong people can have disastrous consequences, and where some participants tend toward self-aggrandizement and flexible differentiations between right and wrong.
The HBGary Federal documents—to Hoglund's surprise, he says—revealed unethical and potentially criminal plans to build a digital-espionage-for-hire business. "They really showed how bad things are getting," says Bruce Schneier, a renowned computer security expert. "Blackmail, espionage, data theft. These are things that were proposed as reasonable things to do. And no one said, 'Are you crazy?' " The plans were conceived in part by HBGary Federal's top executive, a former U.S. Navy cryptologist named Aaron Barr. Barr was working in conjunction with two other security companies. In a bit of cloak-and-dagger grandiosity, the firms dubbed their collaboration Team Themis, after a titan of Greek mythology who embodied natural law. (Forsaking Themis brings on Nemesis.) Team Themis proposed to electronically infiltrate grass-roots organizations opposed to the U.S. Chamber of Commerce, the powerful Washington lobbying organization. In a separate and even more legally dubious proposal intended for Bank of America (BAC), the group laid out a plan to infiltrate WikiLeaks and intimidate its supporters.
Team Themis's machinations were exposed before they got past the proposal stage. But the schemes the security firms came up with were Nixonian in scope and Keystone Kops-like in execution. In a 12-page PDF sent to Hunton & Williams, the Washington law firm representing the U.S. Chamber, Team Themis suggested creating dummy documents and online personae, and scouring social networks such as Facebook for intelligence on their prospective client's most vocal critics. In the proposal for Bank of America, the security firms suggested hacking WikiLeaks itself to expose its sources. For Hoglund and his 30-person company, the fallout from the revelations continues to grow. Employees of HBGary and their families have been besieged with hostile phone calls and e-mails, including some death threats, and the company canceled its presentations at the annual RSA cyber-security conference in February. News sites that cover computer security have plumbed the document dump, turning HBGary and Barr into objects of ridicule. Barr resigned on Mar. 1 and declines to speak publicly about the ordeal. All of it makes Greg Hoglund furious. "These individuals are not hacktivists, they are criminals," he tells Bloomberg Businessweek, referring to his Anonymous adversaries. "If you let a gang of cyber-thugs hack into systems with impunity and get away with it, what kind of precedent does that set for cyber-security?"
Hoglund, 38, is widely respected in the computer security world for his expertise with "rootkits," software that facilitates privileged access to a computer while evading detection. The HBGary chief executive officer never went to college and learned his trade on the fly, spending time with other hackers and writing his own security software. He co-founded HBGary in 2004, providing corporations with tools to detect, analyze, and combat sophisticated malware attacks from hostile foreign governments. (The firm's name is derived from Hoglund and his two original partners, Shawn Bracken and Jon Gary.) Among the companies HBGary has worked with are Morgan Stanley (MS), Sony (SNE), and Walt Disney (DIS).
Fifteen months ago, Hoglund decided to branch out into a new market and spun off HBGary Federal to perform classified work for the U.S. government. Employees of the subsidiary would have military experience and top security clearances. To run the operation, Hoglund tapped Barr, then an engineer in the Intelligence Systems Division of military contractor Northrop Grumman (NOC). "Aaron has a very high IQ. He's a very smart individual," says Hoglund. "He also has an incredibly good reputation, or he did at the time." In the year after he was hired, Barr had little success building HBGary Federal's business. The firm initially attempted to break into the "incident response" market, selling its spycraft to government agencies so they could shut down leaks and identify cyber-attackers. That field is competitive, and paying work sparse for startups. By October 2010, in the e-mails that later became public, Hoglund warned Barr that HBGary Federal was "out of money and none of the work you had planned has come in." In his reply, Barr agreed. Barr did have one possible lifeline. On Oct. 19, Palantir Technologies, a Palo Alto (Calif.) cyber-security company whose terrorism analysis software is used by the Pentagon and the CIA, reached out to HBGary Federal and another security firm, Virginia-based Berico Technologies, with a tempting offer. Palantir said it had been approached by Hunton & Williams, a century-old firm with ties to the Republican Party and the defense industry. The firm needed investigative services on behalf of a high-profile, deep-pocketed client.
Barr and representatives from the other companies discussed the project via e-mail and visited Hunton & Williams in November to meet with Richard Wyatt, co-head of the firm's litigation group. A person who was at the meeting says Wyatt wore suspenders, smoked a cigar, and propped up his cowboy boots on his desk—a cartoonish vision of a D.C. power broker. But the security professionals were impressed when they learned the identity of the prospective client: the U.S. Chamber of Commerce, which had just backed a wave of successful conservative candidates for Congress. The Chamber, it seemed, had a public-relations problem: Activist organizations such as U.S. ChamberWatch, Velvet Revolution, and Change to Win were accusing it of financial improprieties and using foreign donations for political purposes. The Chamber believed all these grass-roots organizations were working in concert with the surreptitious backing of major unions. According to the e-mails released by Anonymous, Hunton & Williams was already amassing reams of information, including union rosters, and needed expert help in digesting the data. The security firms' mission, should they choose to accept it: Infiltrate the activist groups and their leadership, compile dossiers, and help the law firm "truly understand and eliminate emerging threats that could cause harm to their clients," according to a Team Themis document.
The team's members spent much of November working up their proposal. They highlighted how they would funnel their gleanings through Palantir Technologies' military-grade terrorist-tracking software. "We need to blow these guys away with descriptions of our capabilities," wrote Matthew Steckman, an engineer at Palantir, in one of the e-mails in the published documents. "Make them think that we are Bond, Q, and money penny [sic] all packaged up with a bow." Then there was the matter of price. Such private online espionage was hardly common practice, and there was no industry-standard pay scale. Team Themis landed on $2 million. For that sum, the client would get a "daily intelligence summary," "link diagrams," and "target impact analysis," among other services. Hunton & Williams, on behalf of the Chamber, balked at the price, so the security companies agreed to do a pilot on spec. (The law firm has not commented on the matter.) Hunton & Williams clearly saw potential in Team Themis. On Dec. 2, in a message with the subject line "Urgent: Opportunity," a partner at the firm asked the group to come up with a new plan, this time to combat WikiLeaks on behalf of a different prospective client—Bank of America, which believed WikiLeaks was about to publish a cache of its documents. (The Justice Dept., the e-mails suggested, had recommended that Bank of America hire Hunton & Williams.)
Barr took the lead in crafting what would become an infamous 24-slide PowerPoint presentation that called for a cyber-campaign of disinformation against WikiLeaks. The document analyzes WikiLeaks' server infrastructure, talks about planting news stories about the exposure of its confidential informants, and proposes online attacks. Some of the language is comical, like a verbal version of an old Spy Vs. Spy cartoon from Mad magazine: "Speed is crucial!" blares one slide. "The threat demands a comprehensive analysis capability now." A person familiar with the creation of the presentation said it was the result of late-night brainstorming, and that the security firms knew Bank of America would likely reject the most aggressive tactics.
As with the Chamber of Commerce scheme, the WikiLeaks proposal never got a final hearing. While HBGary Federal and the other security firms awaited a formal go-ahead from Hunton & Williams and its clients, Barr decided to deploy his new research techniques on Anonymous.
Anonymous has had a busy winter. The group, which appears to be less a formal organization than a loose coalition of tech-savvy radicals, attacked government websites in Egypt and Tunisia. It launched denial-of-service attacks on Amazon.com (AMZN), PayPal, MasterCard, and Visa (V) after those companies declined to do business with WikiLeaks. Barrett Brown, an unofficial spokesman for the group, says its goal is "a perpetual revolution across the world that goes on until governments are basically overwhelmed and results in a freer system." Barr had come to believe that companies would have to defend themselves against this anarchic sensibility using the same tactics as the mischief makers. He also believed he had the skills and experience to join the battle. His principal weapon was a method he developed to associate the real identities found in social networks such as Facebook and LinkedIn with the anonymous profiles of hackers. So while Hunton & Williams weighed Team Themis's proposals, and with the ultimate fate of HBGary Federal hanging in the balance, Barr figured the time was right to demonstrate how social networks could yield an intelligence bonanza.
Barr began by hanging out, under a fake identity, in the chat rooms Anonymous used on Internet Relay Chat (IRC). At the same time, on social networks, he "friended" people thought to be senior members of the Anonymous collective. Barr then compared the times that suspected hackers were logged into IRC chat rooms anonymously with the times they were active on their own identifiable social networking accounts. The exposed HBGary e-mails would later reveal that Barr's own employees thought he was overreaching and that they feared retribution from the vengeful Anonymous. But Barr plunged ahead. He proposed a talk at the RSA conference in San Francisco titled "Who Needs NSA when we have Social Media?" Then he promoted the talk by suggesting he would expose the identities of the primary members of the group. On Feb. 4, a Friday, Barr bragged to the Financial Times about his upcoming talk and claimed he had obtained the identities of the group's de facto leaders. Bad idea. As Stephen Colbert summed it up, lampooning the HBGary affair on his TV show, "Anonymous is a hornet's nest. And Barr said, 'I'm gonna stick my penis in that thing.' "
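The correlation the article describes, as an added example that is not Barr's tool or anything from the HBGary documents: intervals during which a pseudonymous IRC nick was joined to a channel are scored against the public post times of named social-media accounts. Every nick, name and timestamp below is constructed. The control function shows the caveat his own employees raised: someone who simply keeps the same evening hours scores nearly as high as the true match, so this method yields suspects to investigate, not identifications to announce.

```python
"""Time-of-activity correlation between an IRC nick and named accounts.
Added example; all names and timestamps are constructed."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"


def t(s: str) -> datetime:
    return datetime.strptime(s, FMT)


# Constructed: (join, quit) intervals during which the nick "nick_x" was
# seen in the channel.
IRC_SESSIONS = [
    (t("2011-01-10 21:00"), t("2011-01-10 23:30")),
    (t("2011-01-11 20:30"), t("2011-01-11 22:00")),
    (t("2011-01-12 01:00"), t("2011-01-12 02:00")),
    (t("2011-01-13 21:15"), t("2011-01-13 23:00")),
]

# Constructed: public post timestamps for hypothetical real-name accounts.
CANDIDATES = {
    "alice": [t("2011-01-10 21:40"), t("2011-01-11 21:10"),
              t("2011-01-12 01:20"), t("2011-01-13 22:05")],
    "bob":   [t("2011-01-10 22:00"), t("2011-01-11 21:30"),
              t("2011-01-12 09:00"), t("2011-01-13 21:50")],
    "carol": [t("2011-01-10 09:00"), t("2011-01-11 12:00"),
              t("2011-01-14 08:00")],
}


def session_hit_rate(sessions, posts, slack=timedelta(0)) -> float:
    """Fraction of IRC sessions during which the candidate also posted
    (optionally widened by `slack` on both ends of each session)."""
    hits = sum(
        1 for start, end in sessions
        if any(start - slack <= p <= end + slack for p in posts)
    )
    return hits / len(sessions)


def rank_candidates(sessions, candidates) -> list:
    """Score every candidate and return (name, score) pairs, best first."""
    scores = {name: session_hit_rate(sessions, posts)
              for name, posts in candidates.items()}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def baseline_rate(sessions, posts, shift=timedelta(days=1)) -> float:
    """Control: score the same posts against the IRC sessions shifted by
    `shift`. A candidate whose real score is not far above this baseline
    is merely someone who is online at similar hours."""
    shifted = [(s + shift, e + shift) for s, e in sessions]
    return session_hit_rate(shifted, posts)


if __name__ == "__main__":
    for name, score in rank_candidates(IRC_SESSIONS, CANDIDATES):
        base = baseline_rate(IRC_SESSIONS, CANDIDATES[name])
        print(f"{name:6s} score={score:.2f} baseline={base:.2f}")
```

On the constructed data "alice" matches every session and "bob" three of four, while the day-shifted baseline is 0.25 for both; a real investigation would need far more sessions, an account of time zones, and independent evidence before the gap between those numbers means anything.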
When hackers taunt, they often use the term "pwned"—as in, "I so pwned you, newbie." No one seems to agree where the word came from. Google it, and you'll find claims that it's a corruption of "owned," or that it's from a computer game, or maybe it's just a shortened form of the chess term "pawned." Whatever its origins, the term connotes humiliating domination by another person or group. That's roughly what happened next to Barr, Hoglund, and HBGary. Responding to Barr's public claims, the Anonymous hackers exploited a vulnerability in the software that ran HBGary Federal's website, obtained the company's list of user names and hashed passwords, and cracked the hashes to recover the passwords. Barr and some of his colleagues, Anonymous then discovered, had committed computer security's biggest sin: They used the same password on multiple accounts. The hackers commandeered Barr's Twitter and LinkedIn accounts, lacing both with obscenities. One of the passwords also opened the company's corporate Google account. Jackpot. Less than 48 hours after Barr's Financial Times interview appeared, the hackers had the keys to the kingdom. They immediately started downloading HBGary's e-mails. All told, Anonymous got hold of 60,000-plus—about 4.7 gigabytes worth, including attachments—and quickly put them all online in conveniently searchable form. The material details online security holes at HBGary clients and prospects such as Sony, Johnson & Johnson (JNJ), Disney, ConocoPhillips (COP), and dozens of others. The e-mails showed that DuPont (DD) was breached in 2009 (by the same hackers who hit Google) and again in late 2010. DuPont employees on a business trip to China even found that their laptops had been implanted with spyware while the hardware was supposedly locked inside a hotel safe.
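The chain described above, as an added example that is not HBGary's code or data: a leaked table of fast, unsalted password hashes falls to a dictionary attack in one pass, each recovered password is immediately tried against every other service the user has (credential reuse), and the same attack against salted, iterated hashes has to be repeated per user. The example assumes the leaked hashes were unsalted MD5; the users, passwords, wordlist and "other services" are constructed.

```python
"""Cracking an unsalted hash dump, credential reuse, and the hardened
alternative. Added example; every account and password is constructed."""
import hashlib
import hmac
import os


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Constructed "leaked" table: username -> unsalted MD5 of the password.
# Assumed storage format, not HBGary's actual data.
LEAKED = {
    "ceo":   md5_hex("monkey42"),
    "admin": md5_hex("Summer2010"),
    "ops":   md5_hex("correct horse battery staple"),
}

# Constructed wordlist; a real attacker uses millions of entries or
# precomputed tables, which only work because the hashes are unsalted.
WORDLIST = ["password", "123456", "Summer2010", "monkey42", "letmein"]

# Constructed: other services that accept the same usernames/passwords.
OTHER_SERVICES = {
    "mail":    {"ceo": "monkey42", "admin": "Different!Pass"},
    "twitter": {"ceo": "monkey42"},
}

ITERATIONS = 200_000  # PBKDF2 work factor for the hardened scheme


def crack_unsalted(leaked: dict, wordlist: list) -> dict:
    """Hash every wordlist entry once and look up all users against the
    result. Cost is O(len(wordlist)) no matter how many users leaked."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def reused_credentials(cracked: dict, services: dict) -> list:
    """Credential stuffing: try each cracked password on every other
    service and return the (service, user) pairs it opens."""
    hits = []
    for svc, accounts in services.items():
        for user, pw in cracked.items():
            if accounts.get(user) == pw:
                hits.append((svc, user))
    return hits


def store_password(password: str) -> tuple:
    """Hardened storage: random per-user salt plus an iterated KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, record: tuple) -> bool:
    salt, digest = record
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)  # constant-time comparison


def dictionary_attack_cost(n_users: int, n_words: int, salted: bool) -> int:
    """Hash computations an attacker needs. Unsalted: one pass over the
    wordlist serves every user. Salted: the pass must be repeated per user,
    and each computation is ITERATIONS times slower on top of that."""
    return n_words * (n_users if salted else 1)


if __name__ == "__main__":
    cracked = crack_unsalted(LEAKED, WORDLIST)
    print("cracked:", cracked)
    print("reused on:", reused_credentials(cracked, OTHER_SERVICES))
    print("unsalted cost:", dictionary_attack_cost(3, len(WORDLIST), False),
          "salted cost:", dictionary_attack_cost(3, len(WORDLIST), True))
```

Two of the three constructed accounts fall to a five-word list, and the one reused password opens two further services; the passphrase user survives only because the word is absent from the list, which is why the hardened scheme, not password length alone, is the fix on the server side.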
In the ensuing days, Barr and Leavy, HBGary's president, took to IRC channels to plead with Anonymous for mercy. None was forthcoming. Members of the group and their supporters gleefully defaced and posted photos of Barr, published personal details about his family, tweeted his Social Security number, and generally gloated about pwning a professional adversary. They said the "ninja team" that hacked HBGary included a 16-year-old girl named Kayla. (Rumors online suggest that "Kayla" is actually a 26-year-old man living in New Jersey. Who's right? Not even Anonymous may know.) "We have no choice but to defend ourselves and defend WikiLeaks by these means," says Brown, the unofficial Anonymous spokesman. "This has just begun. We're absolutely at war now."
Meanwhile, the other members of Team Themis deny they wanted to push the operations as far as Barr did—despite the volumes of incriminating e-mails. Palantir Technologies CEO Alex Karp blames HBGary for conceiving the plot, decries any attempt to develop "offensive cyber capabilities," and has placed on leave Steckman, the engineer who coordinated with Team Themis. Palantir also issued a public apology to Glenn Greenwald, a Salon.com journalist who was singled out in a Themis proposal as a WikiLeaks defender and thus a possible target. In a statement, Berico Technologies says it "does not condone or support any effort that proactively targets American firms, organizations, or individuals." At the same time, it cut ties with HBGary. The U.S. Chamber of Commerce said in a press release that it's "incredulous that anyone would attempt to associate such activities with the Chamber," adding that it had not seen the incendiary proposals before they were made public. Morgan Stanley dropped HBGary as a security contractor. Barr never delivered his speech, and when he tendered his resignation three weeks after the Anonymous attack, he said he was confident HBGary would be able to "weather this storm." As for Hoglund, even his friends in the security industry wonder how long HBGary can survive amid the onslaught of negative publicity. But the CEO claims his company has undergone a rigorous security review and is back on track. He says the hackers "made a hole-in-one from 200 yards away" and that it will never happen again. "They are nowhere near as sophisticated and scary and large as they would like people to think they are," he says.
And while the lesson of the HBGary saga may be that it's not always easy to tell the black hats from the white hats in the ambiguous game of computer security, Hoglund has no doubt which is which. "It will get worse," he says. "This whole event has only emboldened them. I hope this isn't the way the Internet has to be. Right now it's a domain of lawlessness. This is bigger than HBGary, than my company. Right now, the pendulum has swung way over to the bad guys' side