View Full Version : from Anonymous on cyberwar



Delirium
1st April 2011, 20:58
Lessons from Anonymous on cyberwar

A cyberwar is brewing, and Anonymous' reprisal attacks on HBGary Federal show how deep the war goes.

Haroon Meer

After Anonymous hacked into HBGary's network and published over 71,000 private emails, signs of a brewing cyberwar were more troubling, hinting that this sort of activity has been going on for some time.

"Cyberwar" is a heavily loaded term, which conjures up Hollywood-inspired images of hackers causing oil refineries to explode.

Some security celebrities came out very strongly against the thought of it, claiming that cyberwar was less science, and more science fiction.

Last year on May 21, the United States Cyber Command (USCYBERCOM) reported reaching initial operational capability, and news stories abound of US soldiers undergoing basic cyber training, which all point to the idea that traditional super powers are starting to explore this arena.

Recent activities with one government contractor and Anonymous, however, show clearly that cyber operations have been going on for a long while, and that the private sector has been only too ready to fill the cyber mercenary role for piles of cash.

Anonymous vs. HBGary

Early in 2011, Aaron Barr submitted a talk to a security conference in which he planned to "focus on outing the major players of the anonymous group".

Barr, the CEO of Washington-based HBGary Federal, had spent time "infiltrating the group" using multiple identities on social networks and Anonymous IRC channels.

He was confident enough of his analysis to publish parts of it through the Financial Times. Barr (and indeed the rest of the company) planned to milk the exposure, lining up a string of meetings to profit from the research, from an interview with 60 Minutes to multiple potential deals with federal agencies.

The CEO of HBGary prepared a post explaining how they had flexed their "muscle today by revealing the identities of all the top management within the group Anonymous."

Anonymous were quick to respond.

Even while Barr was proclaiming victory and threatening to "take the gloves off", Anonymous were burrowing deeper into his network.

By the end of the attack, Barr's iPad was reputedly erased, his LinkedIn and Twitter accounts were hijacked, the HBGary Federal website was defaced, proprietary HBGary source code was stolen and with over 71,000 private emails now published to the internet, HBGary was laid bare.

In this was our first lesson: The asymmetry of cyber warfare.

HBGary, a well-funded, pedigreed security company with strong offensive cyber capabilities was given a beating by a non-funded, loosely organised hacker collective.

The incident holds a string of lessons for those wishing to secure their networks from attack, but what's far more interesting is the leaked emails that give us insight into the murky world of "cyber contractors" and what’s being called "the military digital complex".

HBGary: cyberwar arms dealer

HBGary was formed by security research veteran Greg Hoglund, who has made a name for himself over the years doing research on rootkit technology.

A rootkit is a piece of software installed to ensure that an attacker is able to maintain control of a compromised computer. Rootkits are designed to avoid detection once installed.

Hoglund’s emails claim that his current products were built with "about 2 million in Uncle Sam's money", but this alone is no shocker. Governments fund technology research all the time, and HBGary were also building a commercial product.

What is shocking though, are some of the other details that came out in the wash.

The emails make it clear that HBGary sold rootkits and keyloggers (tools to record and exfiltrate keystrokes surreptitiously) to government contractors for prices between $60,000 and $200,000 each.

These pieces of "malware" would be tailored specifically to the client's needs, which undoubtedly reflected the state of the ultimate targets, e.g.: "..test the tool against McAfee and Norton".

Some rootkits were fairly routine, while others clearly betrayed specific needs: "Runs on MS Windows XP sp2 and Office 2003, finds MS Office files using the XRK technique to exfiltrate files".

Even next generation rootkits were explored - to remain active despite the removal of a hard drive or to persist on a machine through the video card.

Make no mistake, these were offensive cyber tools, made to order.

0day exploits

Rootkits allow you to maintain control of a compromised machine, but one would still need an initial compromise vector.

Once again, the mail archives deliver: HBGary sales personnel can be seen making reference to "Juicy Fruit", their internal name for HBGary-supplied 0day exploits.

0day refers to exploits that are currently unknown to the software vendor, making defence against 0day attacks sometimes impossible.

One email lists their 0day arsenal, which included attacks against Adobe Flash, Windows 2003, Sun Java and a host of other products.

The emails even differentiate between exploits that have been sold to a customer and those that are still exclusive.

Other emails include discussions on selling back-doored software to foreign governments and plans to create "themes for video games and movies appropriate for Middle East & Asia. These theme packs would contain back doors."

Clearly cyber attacks against foreign nationals appear to be fair game.

If the ethical line on such matters was slightly blurry, the line was completely obliterated with plans to combat WikiLeaks by targeting supporters of the cause:

http://english.aljazeera.net/indepth/opinion/2011/03/20113981026464808.html

Octavian
2nd April 2011, 13:10
I love how the media portrays Anonymous as some kind of organised cyber-terrorist group. As opposed to the reality that it's just a bunch of teenagers DDOSing websites and guessing passwords.

Dimmu
2nd April 2011, 13:32
I love how the media portrays Anonymous as some kind of organised cyber-terrorist group. As opposed to the reality that it's just a bunch of teenagers DDOSing websites and guessing passwords.

Even funnier is when some self-proclaimed "anon" leader gives an interview..

tracher999
2nd April 2011, 14:48
I love Anonymous, they are heroes, math respect to them :cool:

Dr Mindbender
3rd April 2011, 19:35
I love Anonymous, they are heroes, math respect to them :cool:

*yawn*

synthesis
5th April 2011, 05:05
The CEO of HBGary prepared a post explaining how they had flexed their "muscle today by revealing the identities of all the top management within the group Anonymous."

Anonymous were quick to respond.

Even while Barr was proclaiming victory and threatening to "take the gloves off", Anonymous were burrowing deeper into his network.

By the end of the attack, Barr's iPad was reputedly erased, his LinkedIn and Twitter accounts were hijacked, the HBGary Federal website was defaced, proprietary HBGary source code was stolen and with over 71,000 private emails now published to the internet, HBGary was laid bare.

It's tangential to revolutionary leftism, yet I can't help but find this to be awesome.

Tablo
5th April 2011, 05:13
Don't care how you guys feel about anon, this is badass to an extreme degree.

Delirium
6th April 2011, 08:15
This isn't necessarily about anon, this is about rapidly evolving technological infrastructure. New methods of control and resistance are emerging and revolutionaries should be paying attention.

southernmissfan
6th April 2011, 09:07
This isn't necessarily about anon, this is about rapidly evolving technological infrastructure. New methods of control and resistance are emerging and revolutionaries should be paying attention.

I completely agree. It would be a mistake for us to ignore the potential in both spreading our message and fighting our enemies through the use of the internet. The idea that this sort of thing is strictly for "hacker kids", "basement-dwellers" and "/b/tards" is rather short-sighted (even if it has a degree of accuracy).

Take for example the "raids" several years back against a white supremacist radio host, Hal Turner. While no doubt most of the people participating were in it for entertainment value, the end result was devastating for the man and his show. No level of online activism and organizing will ever replace "real life" activism and organizing, but it should not be completely ignored.

IndependentCitizen
6th April 2011, 15:07
At least anon's screwing over big companies! I mean, some Anarchist groups are taking action now, but most wait till a demonstration. :(

Dimmu
7th April 2011, 05:50
The hacker collective Anonymous has made good on its threat to attack Sony, having launched a distributed denial-of-service attack on Wednesday afternoon.
The attack is revenge for the legal action taken against another hacker who modified a PlayStation 3. Sony Computer Entertainment America filed suit against George Hotz, also known as Geohot. Hotz had released a firmware modification that allowed a Sony PlayStation 3 to run other operating systems. Sony had removed that functionality some months before. The suit is still pending.
On Wednesday afternoon the playstation.com site was down for about 20 minutes. In the Anonymous IRC chat room #opsony there were remarks that seem as though Anonymous - a group with no formal leadership - was behind it. Some of the remarks on the chat were:
"i'm launching a botnet with actual satellite links from Moscow to the direct playstation.com..... expect it to be completely timed out in 30 minutes in which I will execute"

http://www.ibtimes.com/articles/131421/20110406/anonymous-launches-ddos-attack-on-sony.htm