Plasma
Posts: 1258
Location:

Full article: http://www.techspot.com/news/42308-anonymous-hacks-security-company-hbgary-for-working-with-fbi.html
CEO's twitter feed of the security company: http://twitter.com/aaronbarr#

#0 06:28pm 08/02/11

MoSFXx
Posts: 273
Location: Gold Coast, Queensland

(also I suck cocks and am a sweaty ballsack of caterpillars) oh s*** not supposed to be in his account still, sorry Aaron *hops off*

rofl I love the humor

#1 06:34pm 08/02/11

DeadlyDav0
Posts: 87
Location: Brisbane, Queensland

I only found out about this issue through AusGamers but it seems the company deserves it if what Anonymous says about them is true. Helping the riots and uprisings over in the Middle East is cool in a 'V for Vendetta' kind of way.

#2 07:40pm 08/02/11

Midda
Posts: 6164
Location: Brisbane, Queensland

Anonymous are awesome.

#3 07:51pm 08/02/11

Dazhel
Posts: 2829
Location: Gold Coast, Queensland

^ and legion

#4 08:17pm 08/02/11

natslovR
Posts: 7149
Location: Sydney, New South Wales

There's a great log of the hack after the email was compromised on a pastie site; amazing how easily the social engineering works.
I deal a lot with people by email in my role and as long as someone wasn't asking for something strange it would be hard to not just respond. Sending me a password in plaintext email WOULD set off alarm bells though. I guess Anonymous just saw through other emails in the account that flicking around passwords was common practice.

#5 08:35pm 08/02/11

`ViPER`
Posts: 3474
Location: Brisbane, Queensland

Yeah sending passwords via email is really bad, but I have to admit that I've done it in the past as well.
Social engineering is WAY easier than doing any actual hacking, you only need a little bit of knowledge, like the name of the IT company they deal with, or their hosting provider's name etc.

#6 08:42pm 08/02/11

Trauma
Posts: 1137
Location: Melbourne, Victoria

The lulz.

#7 08:52pm 08/02/11

thermite
Posts: 7230
Location: Brisbane, Queensland

#8 08:52pm 08/02/11

Whoop
Posts: 17871
Location: Brisbane, Queensland

Yeah sending passwords via email is really bad, but I have to admit that I've done it in the past as well.

I've been getting a s***load of spam from "facebook" in my email lately, what someone would want with my facebook I don't know.

#9 08:58pm 08/02/11

Ivonin
Posts: 342
Location: Brisbane, Queensland

Bahahaha, oh man. Is it bad that every time I read about an anon attack I get overly excited?

#10 09:30pm 08/02/11

`ViPER`
Posts: 3476
Location: Brisbane, Queensland

It's a pretty big f***en failure for a security company to get so easily socially engineered.
I thought it would be more subtle, but they just asked to open up SSH on a port and reset the password. Our security guys wouldn't even allow us to get that sort of access, direct SSH from any public IP, what a f***en idiot. The only way into our network is through an SSL VPN that only connects if your machine passes a host checker, which checks that it's a company machine.

#11 09:38pm 08/02/11

natslovR
Posts: 7151
Location: Sydney, New South Wales

He did know the current and previous root passwords though. Was chatty and typed in fluent English. I can see why it worked, but the password would've given it away to me. Oh, and the fact that someone was asking me to change firewall rules outside of change control and the change cycle, and that someone was asking me to do something... that would've been the real light bulb moment.... you are asking me to stop reading qgl and do something? HACK ATTEMPT!!@!!

#12 09:49pm 08/02/11

BassMan
Posts: 1466
Location: Brisbane, Queensland

Some more details:
The attack against HBGary is a classic example of leverage. It started with an SQL Injection attack on hbgary.com. From there, Anonymous discovered and cracked the passwords used on the site. As it turns out, many of these passwords were used on GMail. Access to GMail, along with the use of shared passwords, led to the compromise of Barr's Twitter and LinkedIn accounts.
Source: http://www.thetechherald.com/article.php/201106/6785/Report-HBGary-used-as-an-object-lesson-by-Anonymous

#13 09:50pm 08/02/11

fade
Posts: 5550
Location: Brisbane, Queensland

ohh snap.

#14 10:25pm 08/02/11

DM
Posts: 2481
Location: Gold Coast, Queensland

You don't f*** with anon. They will ruin your s***.

#15 10:48pm 08/02/11

step
Posts: 2198
Location: Brisbane, Queensland

That's really got to put faith in your security company when it gets hacked.

#16 11:07pm 08/02/11

Pinky
Posts: 8752
Location: Melbourne, Victoria

The attack against HBGary is a classic example of leverage. It started with an SQL Injection attack on hbgary.com. From there, Anonymous discovered and cracked the passwords used on the site.

First problem, plain text passwords in DB. Seriously, who does this anymore?

#17 11:29pm 08/02/11

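The first two links of the chain BassMan's post #13 describes and the point Pinky raises in #17, shown side by side as an added example (this is demo code written for this page, not code from the thread, from HBGary or from the linked article): a login query built by splicing user input into the SQL text next to its parameterised form, and a users table that stores raw passwords next to one that stores salted PBKDF2 hashes. The table layout, the `users`/`secret` column names, the two accounts and their passwords are all assumptions made up for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo; names and passwords are made up.
SAMPLE_USERS = [("aaron", "Passw0rd!"), ("ted", "hunter2")]
PBKDF2_ROUNDS = 100_000


def hash_password(pw: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as '<salt hex>$<digest hex>'.
    A fresh random salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex = stored.split("$", 1)[0]
    candidate = hash_password(pw, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def make_db(plaintext: bool) -> sqlite3.Connection:
    """In-memory users table holding either raw passwords (the weak layout
    the thread complains about) or salted hashes (the corrected one)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, secret TEXT)")
    for name, pw in SAMPLE_USERS:
        con.execute("INSERT INTO users VALUES (?, ?)",
                    (name, pw if plaintext else hash_password(pw)))
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, pw: str) -> list:
    """The injectable pattern: user input spliced straight into the SQL text.
    Returns every row the query yields, so a UNION payload shows up here."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND secret = '{pw}'")
    return [row[0] for row in con.execute(sql)]


def login_safe(con: sqlite3.Connection, name: str, pw: str) -> bool:
    """Bound parameter: the input is data, never SQL. The stored hash is
    fetched and checked outside the database."""
    row = con.execute("SELECT secret FROM users WHERE name = ?",
                      (name,)).fetchone()
    return row is not None and verify_password(pw, row[0])


def demo() -> dict:
    """Run both payloads against both layouts and return what each yields."""
    plain = make_db(plaintext=True)
    hashed = make_db(plaintext=False)
    bypass = "x' OR 1=1 --"                       # comments out the secret check
    dump = "' UNION SELECT secret FROM users --"  # pulls the secret column
    return {
        "bypass": login_vulnerable(plain, bypass, "anything"),
        "dump_plain": login_vulnerable(plain, dump, ""),
        "dump_hashed": login_vulnerable(hashed, dump, ""),
        "safe_bypass": login_safe(hashed, bypass, "anything"),
        "safe_dump": login_safe(hashed, dump, ""),
        "safe_valid": login_safe(hashed, "aaron", "Passw0rd!"),
        "safe_wrong": login_safe(hashed, "aaron", "hunter2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

Against the plaintext table the bypass payload logs in as every account and the UNION payload hands back the password column as-is, which is exactly the position from which reuse on GMail, Twitter and LinkedIn becomes possible. Against the hashed table the same dump only yields salted PBKDF2 strings, so each one still has to be cracked individually and the rainbow-table shortcut is gone; the parameterised login treats both payloads as usernames that simply do not exist. Fixing the query and fixing the storage are independent controls, and the chain in the article needed both to be missing.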
BillyHardball
Posts: 11746
Location: Brisbane, Queensland

Regardless of whether or not you like what the security company was doing, surely you can't justify Anonymous taking matters into their own hands and breaking laws (which I assume they are doing)? Vigilantes are outlawed for a reason, right?

#18 11:29am 09/02/11

hardware
Posts: 8560
Location: Brisbane, Queensland

Whenever I read your posts billy I read them in the voice of a whiny, idealistic 11-year-old. Seems pretty accurate so far.

#19 11:32am 09/02/11

iTOM
Posts: 885
Location: Brisbane, Queensland

billy, anon are the internet police.

#20 11:40am 09/02/11

trog
AGN Admin
Posts: 32954
Location: Brisbane, Queensland

Regardless of whether or not you like what the security company was doing, surely you can't justify Anonymous taking matters into their own hands and breaking laws (which I assume they are doing)? Vigilantes are outlawed for a reason, right?

Correct. Their goals are (usually) pretty good but their methods could do with some refinement. There is some speculation on Slashdot that this was a giant sting operation by this HBGary mob - just giving them more evidence in their investigation into Anonymous. But given the catastro-fail that seems to be how HBGary was run I think that might be giving them too much credit.

#21 12:04pm 09/02/11

Midda
Posts: 6171
Location: Brisbane, Queensland

Anon are the Zorro of the internet.

#22 12:08pm 09/02/11

taggs
Posts: 4793
Location:

There is some speculation on Slashdot that this was a giant sting operation by this HBGary mob - just giving them more evidence in their investigation into Anonymous. But given the catastro-fail that seems to be how HBGary was run I think that might be giving them too much credit.

yeah, that seems pretty unlikely to me given the content of some of the emails anon has leaked. all of the security jargon went well over my head but from those emails these HBGary chaps seem at least somewhat incompetent. go anon!

#23 12:10pm 09/02/11

Pinky
Posts: 8760
Location: Melbourne, Victoria

hardware is turning on everyone. Who's next? I agree with Hardballs in principle, but I still find it pretty amusing. It's a crime yes, but on the scale of petty this kind of thing seems well below B&E, or something like that. You could argue it's cost this guy a lot of money personally through loss of business - but c'mon, his business is electronic security. You could argue that he should have no business based on the outcome of this! Chasing Anon is a joke. It's a decentralised group of internet-connected anarchists - what, you're going to catch them one by one?

#24 12:12pm 09/02/11

taggs
Posts: 4795
Location:

yeah, chasing anon seems like a pretty pointless exercise to me.
even if you got a couple they'd just be martyrs to the rest and more would pop up to take their place.

#25 12:13pm 09/02/11

IVY_MiKe
Posts: 280
Location: Canberra, Australian Capital Territory

billy, anon are the internet police.

yea sorta... they're a little more 'V' from V for Vendetta, a little less law abiding... from what I've noticed they tend to focus on political targets rather than 'Peace and Justice for all'

#26 12:14pm 09/02/11

Pinky
Posts: 8761
Location: Melbourne, Victoria

Yeah, I'll just leave this here... http://www.wired.com/threatlevel/2008/01/anonymous-hac-1/ This is the risk they are taking.

#27 12:19pm 09/02/11

Hogfather
Posts: 8827
Location: Cairns, Queensland

They are certainly no worse than real-world activists whose activity and civil disobedience very often flouts the law. They just do it online.

#28 12:20pm 09/02/11

trog
AGN Admin
Posts: 32955
Location: Brisbane, Queensland

Yeah, I'll just leave this here...

Well, that just shows that vigilante justice is no justice at all. The real risk they are taking is getting caught up in all the arrests that are happening to people that took part in various Anonymous-organised DDOS attempts.

#29 12:22pm 09/02/11

Raven
Posts: 5025
Location: Melbourne, Victoria

bahaha, that's quite a bit of trouble they went to in order to arrange this one. Very amusing.

#30 12:27pm 09/02/11

Hogfather
Posts: 8829
Location: Cairns, Queensland

Well, that just shows that vigilante justice is no justice at all.

One event doesn't equate to a general case.

#31 12:30pm 09/02/11

Pinky
Posts: 8763
Location: Melbourne, Victoria

One event doesn't equate to a general case.

Yes, except the way Anon moves you can see this happening over and over. If I go on /b/ right now and make up some bulls*** story and give them your home address and mobs, what do you think will happen? It's more of a weapon than a justice mechanism.

#32 12:37pm 09/02/11

Strik3r
Posts: 1849
Location: Brisbane, Queensland

agreed.. and how do you define what an acceptable rate of false positives is? I mean sure, there are examples of this in our justice system too, but there are many many many many checks in place to try and minimize it. (appeals, burden of proof).

#33 12:40pm 09/02/11

myWhiteWolf
Posts: 3181
Location: Brisbane, Queensland

surely you can't justify Anonymous taking matters into their own hands and breaking laws (which I assume they are doing)? Vigilantes are outlawed for a reason, right?

you can't justify it, but there is a certain amount of vigilante justice. my take:
1) Aaron Barr compiled a list of 4chan users based off random inaccurate information he found with circumstantial evidence.
2) He was then going to sell this information to the FBI as "these people are senior members of Anon." (which is scary, because who's the judge going to believe? "upstanding security expert that would (if this was successful) have contracts with the government" OR "dirty international anon hacker terrorist who is able to cover his tracks so no evidence other than circumstantial could be used against him." they have a place for those types of people, it starts with Guantanamo and ends in "ouch my butt hurts". evidence is for non-terrorists)
3) he then attempted to use his "elite" security skills in infiltrating anon as an attempt at a PR campaign to profit.
4) got schooled. he is lucky he didn't do this to anyone who would take SERIOUS action against him (like the mafia), he would have been dead instead of embarrassed.

#34 12:42pm 09/02/11

Hogfather
Posts: 8830
Location: Cairns, Queensland

agreed.. and how do you define what an acceptable rate of false positives is? I mean sure, there are examples of this in our justice system too, but there are many many many many checks in place to try and minimize it. (appeals, burden of proof).

Absolutely. There's no doubt that an organisation without accountability like Anon will get it wrong more often. However one example doesn't prove a general case, regardless of whether the general case really is true. It's just a sloppy argument.

#35 12:48pm 09/02/11

myWhiteWolf
Posts: 3182
Location: Brisbane, Queensland

Well, that just shows that vigilante justice is no justice at all. The real risk they are taking is getting caught up in all the arrests that are happening to people that took part in various Anonymous-organised DDOS attempts.

sounds like someone framed the guy. if they attacked the FBI's website instead of 711chan do you think this guy would be any better off? he was harassed until the information was verified, if it was the FBI he would have been jailed till the information was verified.

#36 12:56pm 09/02/11

taggs
Posts: 4796
Location:

If I go on /b/ right now and make up some bulls*** story and give them your home address and mobs, what do you think will happen?

more than likely you would be told a bajillion times that they are not your personal army and your thread would probably be filled with gay porn. i browse /b/ for the lols from time to time and this happens regularly.

#37 01:10pm 09/02/11

trog
AGN Admin
Posts: 32957
Location: Brisbane, Queensland

One event doesn't equate to a general case.

I feel like you're just baiting me by throwing back my "general principles should not be based on exceptional circumstances" quote that I trot out all the time - confirm/deny? If not I think you're weird if you live in a Western society and don't believe in due process as part of justice seeking

#38 01:20pm 09/02/11

Scooter
Posts: 3955
Location: Brisbane, Queensland

If I go on /b/ right now and make up some bulls*** story and give them your home address and mobs, what do you think will happen?

"Not your personal Army!"

#39 01:25pm 09/02/11

Lynx
Posts: 1827
Location: Brisbane, Queensland

Probably slowpoke'd and SAGED as well...
▲ ▲ ▲

#40 02:09pm 09/02/11

Pinky
Posts: 8766
Location: Melbourne, Victoria

Pffft, you guys don't give me enough credit for my story-telling ability! Nary a heartstring will be spared and the angry mob shall rise to my doing.

#41 02:17pm 09/02/11

Hogfather
Posts: 8834
Location: Cairns, Queensland

I feel like you're just baiting me by throwing back my "general principles should not be based on exceptional circumstances" quote that I trot out all the time - confirm/deny?

A little bit.

If not I think you're weird if you live in a Western society and don't believe in due process as part of justice seeking

Of course I believe in this! I'm on record any number of times on here yelling at people for using media beatups as proof of guilt, it's one of my pet hates :) But that one guy who was picked on by Anon is an example or an anecdote, not proof in and of itself. I would just as quickly object to someone using a single wrongful conviction as a demonstration that our justice system is inherently flawed. A question: what's the difference between a DDOS and people picketing a physical store or organisation to protest an issue?

#42 02:32pm 09/02/11

hardware
Posts: 8565
Location: Brisbane, Queensland

i browse /b/ for the loli's from time to time

more correct taggs?

#43 02:32pm 09/02/11

BillyHardball
Posts: 11747
Location: Brisbane, Queensland

For the record, I find the hacked page amusing, but there's certainly nothing that I've read that justifies it.

But that one guy who was picked on by Anon is an example or an anecdote, not proof in and of itself. I would just as quickly object to someone using a single wrongful conviction as a demonstration that our justice system is inherently flawed.

I think there's a huge difference here, as has sorta been pointed out already. We don't just let any random people on the internet run our justice system. I choose to live in a country where we know that there may be problems with the legal system, but it's a work in progress and we're constantly striving to improve it. On the other hand, I have no idea who Anonymous are, and I don't see why I should trust them to self-regulate at all. I don't have a problem with them having an agenda, but who are they responsible to? I don't think you can justify a couple of failures by Anon by saying that they have everyone's best interest at heart and they'll try not to do it again in future... To me that's an unacceptable corollary of a group that shouldn't exist in the first place. Also, just as another anecdote, I recently read #6 on this story: http://www.cracked.com/article_18950_9-major-stories-everyone-got-wrong-this-year.html Not sure how accurately Anon have been portrayed there, but again, if this is the necessary consequence of having this vigilante group (in your analogy, this is the same as failures of the justice system), then it's not justified, and I assume the exact reason we don't tolerate vigilante groups irl.

#44 02:46pm 09/02/11

taggs
Posts: 4799
Location:

i browse /b/ for the loli's from time to time

#45 02:51pm 09/02/11

`ViPER`
Posts: 3478
Location: Brisbane, Queensland

They don't just go after random people because someone posts that they should.
People post stories and the group somehow decides if it's worthy of action, and then somehow it decides the level of action that needs to be taken. The thing is, no one actually decides who gets taken down, and no one actually decides how far they take it, there's no leaders. It's a global unruly mob, made up of different people every time, but undoubtedly some people are in multiple mobs. Anyone who thinks they could stop Anonymous by putting a few people, even 50 people, in jail is kidding themselves.

#46 03:07pm 09/02/11

dazedandconfused
Posts: 143
Location: Sydney, New South Wales

Correct. Their goals are (usually) pretty good but their methods could do with some refinement.

Of course! Real change comes from voting in a black man or a woman and protesting! Only if you protest PC rubbish but. Don't protest any conservative s***, or you're a racist/sexist/homophobe/bigot/redneck/etc.

#47 08:23pm 09/02/11

Pinky
Posts: 8796
Location: Melbourne, Victoria

If anyone is following this still, this blog is doing well with the coverage: http://arstechnica.com/tech-policy/news/2011/02/virtually-face-to-face-when-aaron-barr-met-anonymous.ars Interesting to read. It's like watching a school-ground fight play out.

#48 01:08pm 11/02/11

taggs
Posts: 4812
Location:

haha, those irc transcripts are pretty funny.
still can't get over the fact that this 'security expert' thought it would be good business to take on anon. that was never going to be a winning play.

#49 01:19pm 11/02/11

Pinky
Posts: 8799
Location: Melbourne, Victoria

taggs, it's not even that, it's how he played the game. He is a total fool. Anyone in their right mind looking for security solutions should ignore that guy's presentations and everything, it's garbage; can't not be. If you were serious about doing what he was going to do you'd bunker down and protect your identity properly first. It's just crazy how he went about it.

#50 02:06pm 11/02/11

pARODY
Posts: 856
Location: Brisbane, Queensland

RSA Conference this week had a stall for HBGary set up and they were going to present some talks and training sessions. This is what arrived instead.
http://i.imgur.com/TvWog.jpg

#51 01:25pm 19/02/11

`ViPER`
Posts: 3566
Location: Brisbane, Queensland

huh, do they not realise they are the laughing stock of the conference/IT world, and posting a message about how the computer systems of a computer security company got broken into is pretty bad advertising.
I'd be surprised if this company ever got a job in the industry again.

#52 05:12pm 19/02/11

pARODY
Posts: 857
Location: Brisbane, Queensland

Well since the hack was only last week and the RSAC bookings would have been made months ago it makes sense that they would still have been provided the space as originally allocated.
The company will bounce back from this but will have most likely trimmed the fat that is HBGary Federal and Aaron Barr.

#53 05:26pm 19/02/11

Pinky
Posts: 8973
Location: Melbourne, Victoria

Agree with `ViPER` - someone should have rewritten the notice to highlight their insecure systems. HBGary is a joke.

#54 06:45pm 19/02/11

DM
Posts: 2496
Location: Gold Coast, Queensland

Ahaha that sign is wonderful. "we picked a fight with a stronger kid on the play ground and got beat up and had our lunch money stolen. I told my dad"

#55 07:05pm 19/02/11

BillyHardball
Posts: 11799
Location: Brisbane, Queensland

Aren't HBGary about finding Anonymous? Or are they about providing security so you can't be hacked?

#56 08:23pm 19/02/11

Insom
Posts: 3699
Location: Brisbane, Queensland

Anyone who thinks they could stop anonymous by putting a few people, even 50 people in jail, is kidding themselves.

can't we try it and see how it goes?

#57 08:55pm 19/02/11

Dan
Special Text
Posts: 11127
Location: Brisbane, Queensland

A question: what's the difference between a DDOS and people picketing a physical store or organisation to protest an issue?

The net effect is arguably similar, but the means by which it is achieved is completely different. Correct me if I'm wrong, but aren't all major DDOS attacks orchestrated by utilising hundreds/thousands of zombie computers? These are the property and internet connections of private citizens being exploited by viruses and malware, being used without their knowledge or consent to flood the connectivity of an online service. That's completely unethical no matter how you slice it -- there's no legitimate justification for that s***. If they were performing these DDOSes by mobilising thousands of supporters to all visit the target site or consensually run a packet flooding application directed at the target, it might have some merit as a legitimate protest tactic. But the way it's currently being conducted, there is a massive difference from picketing a physical store.

#58 02:10pm 20/02/11

kr0wb4r
Posts: 782
Location: Brisbane, Queensland

If they were performing these DDOSes by mobilising thousands of supporters to all visit the target site or consensually run a packet flooding application directed at the target, it might have some merit as a legitimate protest tactic

Actually it was a combination of both. Individuals were encouraged to participate in the DDOS attacks by using LOIC, which enabled a single person to contribute to the effort. While I'm sure people with botnets participated, a large number were from individual anons with LOIC.

#59 10:09am 21/02/11

Jim
Posts: 12141
Location: Ireland

A question: what's the difference between a DDOS and people picketing a physical store or organisation to protest an issue?

one's a denial of service and one's generally not
if the picket/protest purposely blocks the doors of the store to prevent their customers being able to get in and cops etc need to come and prevent them from doing it, they'd be fairly similar things

#60 10:21am 21/02/11

Hogfather
Posts: 8918
Location: Cairns, Queensland

if the picket/protest purposely blocks the doors of the store to prevent their customers being able to get in and cops etc need to come and prevent them from doing it, they'd be fairly similar things

Happens all the time in labour disputes - blockades of workplaces etc preventing (or at least trying to) non-striking staff from entering. Protests outside retail stores are often permitted to continue even though they have a disastrous effect on sales (even if it's still possible to enter the store). The stupid protests down the main streets of metro areas are often explicitly designed to 'shut down the city'.

#61 10:31am 21/02/11

Jim
Posts: 12142
Location: Ireland

sure, but a denial of service denies service every time, people picketing a store or organisation to protest an issue don't necessarily do that. I'm not sure what your point was, I didn't really read the thread, just saw that question quoted and replied to it. you might've been thinking specifically of protests that do block a company's day to day business, in which case yeh I agree they're pretty similar if not the same

#62 10:50am 21/02/11
