In association with heise online

15 February 2011, 11:44

Anonymous exposes US security company

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Security company HBGary wanted to help the FBI take action against Anonymous but instead, some of its systems were hacked and company information, including over 50,000 internal emails, was published. The scale of the disaster which has overtaken the company is slowly becoming clear.

HBGary is known largely for the exploits of its former Director of Engineering, James Butler, who rightly earned plaudits for his earlier work on Windows rootkits. These days, the company's key product is HBGary Responder, which can be used to analyse memory on Windows systems. It is often used as a forensic tool by criminal investigation agencies, but can also be used to detect malware.

Now, the details of the company's other areas of business are also slowly being revealed. It turns out that Aaron Barr, CEO of subsidiary HBGary Federal, offered the FBI his services in illuminating the obscurity which surrounds Anonymous, the movement behind Operation Payback, an apparent attempt to support Wikileaks. Barr collected information on the IRC, Facebook and Twitter accounts of alleged activists. But fate intervened before Barr could sell his results to the US authorities. Unknown perpetrators broke into a number of systems and published this dossierPDF, HBGary's email archive and other information.

HBGary Federal, together with two other companies, Palantir and Berico, had produced an analysis of "The Wikileaks Threat", which included recommendations for action. On Glenn Greenwald, who reports on Wikileaks frequently and enthusiastically for, the report states, "It is this level of support that needs to be disrupted," and goes on to explain how it believes this could be achieved. It suggests that, although professionals like Greenwald often have liberal tendencies, given the choice between their career and the cause, most will ultimately choose career.

The stolen emails also contain plenty of explosive material. They record that co-founder and renowned rootkit expert Greg Hoglund offered Farallon Research a completely new type of super-rootkit designed by HBGary and codenamed Magenta. Farallon's stated aim is to "connect advanced commercial technologies and the companies that develop them with the requirements of the U.S. government". HBGary also developed trojans, rootkits and spyware with codenames such as Project CPDF, Task ZPDF, Task M and Task B – the latter with a dollar value in the hundreds of thousands – for defense contractor General Dynamics.

As well as the company's mail server and website,, a security site run as a sideline by Hoglund, was also compromised. Passwords for accessing the discussion forums have also been cracked and published. Registered users of the security forum include many well-known names. Although many forum users appear to have deliberately used simple 'disposable passwords', this can still prove embarrassing if they have also been used on other sites. A quick automated analysis is reported to have found 225 passwords which could also be used to gain Twitter access.

An interesting side point is the means used to gain access to the website. The intruders appear to have used faked emails to persuade an administrator to allow external SSH access. The attackers had previously gained access to the root password, though it is not clear how. However, in view of HBGary's practice of sending even sensitive data in unencrypted plain text emails the fact that passwords found their way into the wrong hands is not particularly surprising.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit