Sunday, March 20, 2011

Haroon Meer: Lessons from Anonymous on cyberwar -- A cyberwar is brewing, and Anonymous reprisal attacks on HBGary Federal shows how deep the war goes

Haroon Meer
Al Jazeera

"Cyberwar" is a heavily loaded term, which conjures up Hollywood-inspired images of hackers causing oil refineries to explode.

Some security celebrities came out very strongly against the thought of it, claiming that cyberwar was less science, and more science fiction.

Last year on May 21, the United States Cyber Command (USCYBERCOM) reported reaching initial operational capability, and news stories abound of US soldiers undergoing basic cyber training, which all point to the idea that traditional superpowers are starting to explore this arena.

Recent activities with one government contractor and Anonymous, however, show clearly that cyber operations have been going on for a long while, and that the private sector has been only too ready to fill the cyber mercenary role for piles of cash.

Anonymous vs. HBGary

Early in 2011, Aaron Barr submitted a talk to a security conference in which he planned to "focus on outing the major players of the anonymous group".

Barr, the CEO of Washington-based HBGary Federal, had spent time "infiltrating the group" using multiple identities on social networks and Anonymous IRC channels.

He was confident enough of his analysis to publish parts of it through the Financial Times. Barr (and indeed the rest of the company) planned to milk the exposure, lining up a string of meetings to profit from the research, from an interview with 60 Minutes to multiple potential deals with federal agencies.

The CEO of HBGary prepared a post explaining how they had flexed their "muscle today by revealing the identities of all the top management within the group Anonymous."

Anonymous were quick to respond.

Even while Barr was proclaiming victory and threatening to "take the gloves off", Anonymous were burrowing deeper into his network.

By the end of the attack, Barr's iPad was reputedly erased, his LinkedIn and Twitter accounts were hijacked, the HBGary Federal website was defaced, proprietary HBGary source code was stolen, and with over 71,000 private emails now published to the internet, HBGary was laid bare.

In this was our first lesson: the asymmetry of cyber warfare.

HBGary, a well-funded, pedigreed security company with strong offensive cyber capabilities, was given a beating by a non-funded, loosely organised hacker collective.

The incident holds a string of lessons for those wishing to secure their networks from attack, but what's far more interesting is the leaked emails that give us insight into the murky world of "cyber contractors" and what’s being called "the military digital complex".

HBGary: cyberwar arms dealer

HBGary was formed by security research veteran Greg Hoglund, who has made a name for himself over the years doing research on rootkit technology.

A rootkit is a piece of software installed to ensure that an attacker is able to maintain control of a compromised computer. Rootkits are designed to avoid detection once installed.

Hoglund’s emails claim that his current products were built with "about 2 million in Uncle Sam's money", but this alone is no shocker. Governments fund technology research all the time, and HBGary were also building a commercial product.

What is shocking, though, are some of the other details that came out in the wash.

The emails make it clear that HBGary sold rootkits and keyloggers (tools to record and exfiltrate keystrokes surreptitiously) to government contractors for prices between $60,000 and $200,000 each.

These pieces of "malware" would be tailored specifically to the client's needs, which undoubtedly reflected the state of the ultimate targets, e.g.: "..test the tool against McAfee and Norton".

Some rootkits were fairly routine, while others clearly betrayed specific needs: "Runs on MS Windows XP sp2 and Office 2003, finds MS Office files using the XRK technique to exfiltrate files".

Even next-generation rootkits were explored - to remain active despite the removal of a hard drive or to persist on a machine through the video card.

Make no mistake, these were offensive cyber tools, made to order.
