With arrests, HBGary hack saga finally ends


avmad

By Peter Bright | Published about 16 hours ago

A little over a year ago, small security firm HBGary Federal made the news for all the wrong reasons: it had been hacked, its CEO had been made a laughing stock, and its private e-mails were splashed across the Internet. The perpetrators, a group of hackers sympathetic to the Anonymous group, trashed HBGary Federal's servers and name with impunity, confident that Tor and private VPNs would keep their identities secret.

For months, they seemed invincible; most went on to form LulzSec during the summer of 2011, which infiltrated a huge number of corporations and police servers, releasing e-mails, taking credit card numbers, and taunting their pursuers. But the pursuers kept coming, and this week brought down their quarry with a string of indictments and the possibility of lengthy jail terms. With the arrests, the HBGary Federal hack saga is largely concluded.

The HBGary Federal attack

Aaron Barr thought he was on to something big. Something that would make a name for both himself and the company he was CEO of, HBGary Federal.

HBGary sells security software for detecting, categorizing, and analyzing malware. Its HBGary Federal subsidiary was created to cater to the security and classification needs of federal agencies, and hoped to sell HBGary's software to the Department of Defense and the numerous three-letter agencies. Federal was struggling, however, failing to bring in the lucrative government contracts that HBGary had hoped for.

After years of minor trolling and harassment of Scientologists, the Anonymous group had performed a series of high-profile denial-of-service attacks on PayPal, MasterCard, and Visa, after the credit card companies and payment processor halted all donations in support of WikiLeaks.

Though presenting itself as a faceless collective, Anonymous undoubtedly had ring-leaders, people within the group setting the agenda and co-ordinating the attacks. Law enforcement agencies around the world wanted to know who was behind the pro-WikiLeaks attacks—and Aaron Barr thought he knew.

It was the perfect opportunity to get HBGary Federal's name some high-profile press and reinvigorate the business, and on February 5th, 2011, Barr announced his plans to unmask Anonymous' main players.

The reaction from Anonymous was immediate and brutal. HBGary's servers were hacked, and its e-mail system pillaged. A server belonging to its CEO, Greg Hoglund, was also compromised and wiped.

The hackers reveled in their power. In a chat log, they spoke with Barr, who was using the name "CogAnon."

<tflow> CogAnon: I feel sorry for what's about to happen. I really do.

<Sabu> You intended of battling anonymous in the media for media gain and attention

<Sabu> well let me ask you

<Sabu> you got the media attention now

<Sabu> how does it feel

<Sabu> ?

<Topiary> Oh guys, what's coming next is the delicious cake.

<nigg> so who wants all of

<nigg> his emails?

<Sabu> uhm you have his emails????

<Sabu> DAMN!

<nigg> 2.3gb's of gold

<Topiary> sure, I'd enjoy some 68,000 emails

<Topiary> can we please have 68,000 of their emails?

<Topiary> oh wait we totally already have them

<Topiary> trolololol

<CogAnon> lol..ok guys well u got me right. :)

They feasted on the "delicious cake," even doing media interviews—I spoke to the group soon after the hacks took place. They were cautious, speaking only via an intermediary, and hostile to any questions about their identities (except to say that one of their number, "Kayla," was a "16 year old girl") but they were confident and excited, keen for their attacks to be publicised.

The result was considerable embarrassment for HBGary. The hacks revealed basic errors in the configuration and administration of HBGary's systems—embarrassing enough for a company working in the security sphere. Worse still was the leaking of the e-mails, which laid bare the company's efforts to solicit government contracts to discredit WikiLeaks and develop undetectable rootkits for the government.

Where are they now?

When we spoke to the company shortly after the attacks, then-Vice President of Services (now Chief Security Officer) Jim Butterworth told us that there was a "very good chance" that the perpetrators of the hack would be caught. And so it has come to pass.

28 year-old Hector Xavier "Sabu" Monsegur was arrested by federal agents in June last year, and has since been co-operating with the FBI. That co-operation led to the capture of Ryan "Kayla" Ackroyd, 23, Jake "Topiary" Davis, 19, and unnamed teenager "tflow", 16, in the UK for, among other crimes, their participation in the HBGary hack. Darren "pwnsauce" Martyn, 19, in Ireland, has been named and indicted, but not yet arrested.

The HBGary hackers collectively called themselves Internet Feds. They then started working under the name LulzSec, rapidly achieving infamy for a series of high-profile break-ins (victims including PBS, Sony, and Nintendo) and denial-of-service attacks. But by late September 2011, everyone in LulzSec except one member, avunit, had been identified, and every identified member except pwnsauce had been arrested.

Who exactly did what in the HBGary hack remains unclear. The hack had several stages: the initial break-in, the theft of the e-mails, and then the destruction of Hoglund's server. Publicly, the hacking of Hoglund's server was the work of a "16 year-old girl," with Kayla habitually claiming to be a female teenager. In chatlogs leaked by Wesley "Laurelai" Bailey and published by Backtrace Security (the group that successfully named Sabu months before he was arrested), however, Sabu claimed responsibility for the entire attack.

In April, HBGary followed this with an open letter apologizing to customers and dismissing the media as ill-informed.

HBGary, though bruised by the affair, has survived. The early days were rough. A few days after the hack, HBGary withdrew from the RSA security conference, claiming that threats had been made against the company. Companies that the leaked e-mails showed to be working with HBGary Federal on anti-WikiLeaks proposals quickly distanced themselves from the firm, claiming that the co-operation was a mistake or oversight. Jim Butterworth, CSO of HBGary, told us that immediately after the attacks some of its customers and partners were showing "second thoughts" about working with the firm.

A year on, the long-term impact appears less catastrophic than it might have been. In fact, CEO Greg Hoglund told Network World last December that HBGary actually received additional business as a result of the hacks.

Last month, defense contractor ManTech announced that it was purchasing HBGary's assets, with Greg Hoglund saying that "ManTech's government business will be bolstered with a cutting edge set of products to protect mission-critical IT assets"—HBGary software will be sold to government departments, which is precisely what the HBGary management were hoping for when they set up HBGary Federal.

One might expect a prospective buyer to be put off by the very high-profile hack, but ManTech may have been a sympathetic buyer: the company was broken into by Anonymous hackers last July as part of Operation AntiSec's "Fuck FBI Friday" attacks. The AntiSec movement was spawned by LulzSec.

Speaking to Ars this week, Butterworth said that HBGary was pleased at the arrests, and warned "There really is no such thing as anonymity on the Internet."

Though the e-mails indicated otherwise, HBGary management continues to insist that the companies were quite separate, sharing only an e-mail system and a name. The company makes no mention of HBGary Federal and doesn't talk about it.

The lightning rod

Aaron Barr has continued to make a name for himself. As CEO and minority shareholder of HBGary Federal, he could not simply be fired, but he stepped down from the firm a few weeks after the break-ins.

Within a couple of months of his departure from HBGary Federal, Barr had taken a position as "cybersecurity director" at federal contractor Sayres and Associates. During his tenure at the company, he continued to raise eyebrows.

Hoping to capitalize on his own infamy, Barr was scheduled to speak at the DEFCON conference last August. Shortly before the conference was due to take place, however, he withdrew, claiming that he had been threatened with legal action. In October, he dyed his hair blue and visited the Occupy Wall Street protests.

At HBGary Federal, Barr's research into Anonymous had focused on social media. This interest continued at Sayres: in January of this year, he spoke at an FBI-organized security conference about the dangers of social networks.

While the FBI might have been interested in what he had to say, Sayres, it seems, was not. Barr was fired from the company in late January. Company founder John Sayres told the Huffington Post that Barr spent all his time working on social media and Anonymous, rather than doing what he was employed to do—helping to deal with the NSA and national security issues.

Perhaps Aaron Barr should feel some vindication, though. The data he collected depended on cross-referencing information found on IRC, Facebook, Twitter, and elsewhere; he drew correlations between who knew whom, and when people were active. Though other employees at HBGary Federal were dismissive of this work, perhaps they should not have been. (Barr did not return an e-mail this week seeking comment.)

Among the information that Sabu collected for the FBI was information about the online activity of Stratfor hacker Jeremy "anarchaos" Hammond, including notifications of when he came on and offline. The FBI then correlated this with other information it gathered. Barr of course lacked the resources and equipment that the federal agencies have at their disposal—but his approach to information gathering and learning about the relationships between Anonymous members might not have been so crazy after all.

Original article

http://arstechnica.c...ars-its-end.ars
