Hacked Documents Show Chamber Engaged HBGary to Spy on Unions
(photo: Timothy Valentine; Edited: Lance Page / t r u t h o u t)
[Ed: Read the documents about the US Chamber’s plan to spy on unions.]
I noted yesterday how mind-numbingly ignorant analysis of Glenn Greenwald’s motivation as a careerist hack that was provided by HBGary. And if the allegations in the excerpts of former WikiLeaks volunteer Daniel Domscheit-Berg’s book are accurate, HBGary’s analysis about WikiLeaks itself is even more ignorant.
Add in the fact that this “security” company got hacked in rather embarrassing fashion.
Which, I’m guessing, is going to cause the Chamber of Commerce to rethink the spying work with HBGary it apparently has been considering.
Let me start with this caveat: what follows is based on emails available by Torrent. The parties in this affair are making claims and counterclaims about the accuracy of what is in there.
But it appears that back in November the same parties involved in the pitch to Bank of America–Palantir, HBGary Federal, and Berico Technologies working through Hunton and Williams–started preparing a pitch to the Chamber of Commerce. At that point, HBGary started researching anti-Chamber groups StoptheChamber.com and USChamberWatch. At one point, HBGary maps the connections between SEIU, Change to Win, and USChamberWatch as if he’s found gold.
By the end of November, Barr starts working on a presentation outlining the difference between StoptheChamber and USChamberWatch, as well as “a link chart of key people in the distribution of information, background information on each individual and ways to counteract their effect on group.”
On January 13, HBGary believed they had signed a contract.
This afternoon an H&W courier is bringing over a CD with the data from H&W from phase 1. We are assuming that this means that phase 1 is a go (We’ll let you know once we confirm this) and I’m wondering how we will integrate that data. Should we bring the CD over to Tyson’s Corner?
On February 3, law firm H&W came back to the three security firms and told them they’d be doing their Phase I work on spec, until the Chamber had bought into the full project. At that point, the firms put together a plan including a proposed February 14 briefing.
In response, Aaron Barr boasted (as is his wont) that his upcoming presentation at BSides security conference on Anonymous should be proof enough.
Let them read about my talk in two weeks on my analysis of the anonymous group.
Should be proof enough. But willing to discuss.
Which gets us just about to the point where Barr blabs his mouth, this security firm is badly hacked, and the Chamber of Commerce’s efforts to use intelligence firms to investigate activists exposing the Chambers own work is revealed.
I’m guessing HBGary just lost that contract, how about you?
Update: TP has a related take on this, describing more about what the proposal is:
According to one document prepared by Team Themis, the campaign included an entrapment project. The proposal called for first creating a “false document, perhaps highlighting periodical financial information,” to give to a progressive group opposing the Chamber, and then to subsequently expose the document as a fake to undermine the credibility of the Chamber’s opponents. In addition, the group proposed creating a “fake insider persona” to “generate communications” with Change to Win.
I’m afraid I wouldn’t bet on it. All parties involved are so clueless they may deny all publicly and continue with Phase 2 secretly. They’re buffoons, but they’re dangerous if they can avoid tripping over their own feet.
http://hbgary.com/
Kettle. Pot. Black.
Boxturtle (And somebody should tell them they’re whining)
!!!
Let’s see, should we trust HBGary’s claim that someone “intentionally falsified” data found among the hacked documents? Of course not. The company is in the intelligence business; lying is just one of the things it will do.
True, but the fact that many of Aaron’s emails (other than the ones composed on his iPad) are digitally-signed, is proof-positive that they were not tampered-with.
Snagglepuss
Too complex for me. I don’t understand a word of it.
I’m thinking that they not only lost this contract, but a lot more. Their system has been demonstrated insecure, their information has been shown to be worthless, and they’ve been publically outed as willing to suggest illegal means to an end.
Any legit company will now part ways with them. Any questionable company will move their business to someplace less exposed.
Boxturtle (And I’m sure somebody will get a sternly worded letter out of this)
Indeed. It is interesting, in light of HBGary’s protests that Anonymous has falsified or tampered with some of the email, that there has been little or no mention of the fact that a good percentage of Mr. Barr’s emails are digitally-signed. In April of 2010, Mr. Barr purchased a Class 1 VeriSign email certificate, as follows:
Message Security
Message is Signed
This message includes a valid digital signature. The message has not been altered since it was sent.
Signed by: Aaron Barr
Email address: [email protected]
Certificate issued by: VeriSign Class 1 Individual Subscriber CA – G2
[View Signature Certificate] (button)
Message Not Encrypted
This message was not encrypted before it was sent, information sent over the Internet without encryption can be seen by other people while in transit.
If you click on the [View Signature Certificate] button you can see the following:
This certificate has been verified for the following uses:
Email Signer Certificate
Email Recipient Certificate
Issued To
Common Name (CN): Aaron Barr
Organization (O): VeriSign, Inc.
Organizational Unit (OU): VeriSign Trust Network
Issued By
Common Name (CN): VeriSign Class 1 Individual Subscriber CA – G2
Organization (O): VeriSign, Inc.
Organizational Unit (OU): VeriSign Trust Network
Validity
Issued On: 4/28/2010
Expires On: 4/28/2011
Fingerprints
SHA1 Fingerprint 32:54:31:25:F6:4D:8C:E4:9E:90:2E:A7:E4:51:CF:A5:F2:7E:C3:11
MD5 Fingerprint E3:63:31:3B:AE:20:61:59:C5:0F:A8:54:F1:5D:66:38
The interesting point about these signatures are twofold:
1) They confirm that the emails are authentic, and not tampered with; and
2) They are non-repudiable. Neither Mr. Barr nor HBGary can credibly claim that the signed messages are either forged or tampered-with.
If I am not mistaken, these signatures will even stand up in a court of law. If I recall correctly, President Clinton was the first to use a digital signature to sign a bill into law.
Snagglepuss
The Chamber has just opened the door to being seriously hacked itself. Lie down with dogs, come up with fleas and all that.
I’m amused that a “Security” firm could be hacked in this manner.
It would be interesting to map the connections between these and other firms…
Don’t hold that too much against them. Anybody running a Micro$loth product with a live internet connection or an open usb port is at risk.
The only totally secure network is totally isolated.
Boxturtle (Still, it IS amusing)
I agree about secure=isolated, but isolated!=communication.
Defeats the objective.
I wonder how the Iranians feel about Microsoft (especially when spinning centrifuges), and isolated networks.
Isolated networks with open USB ports are not secure.
If I were Iran, I’d be converting to Linux. Quickly. Actually, if I were ANYBODY running Windows, I’d be running to Linux.
Boxturtle (And on my network, if you ain’t an admin, your USB port is full of superglue)
Good luck converting all your centrifuge spinning code to Linux. Siemens support for programming PLCs with Linux is fairly limited. In fact, I would guess that the U.S. and Israel would be quite happy if that were Iran’s response.
Not defending Iran or Microsoft here, just pointing out that it’s a lot easier to say that than to do it in an on-going concern.
Oh, I don’t underestimate the size of the task. And I admit that my experience with PLC is limited.
But I have seen chunks of that virus, and a reconstituted design. It might be easier to convert to linux then to clean those machines. And once the code gets into the PLC’s, linux/windows doesn’t matter. I think they’ll have to replace those PLC’s as well.
HBgary might want to take note of what a truly evil virus can do and stop provoking people capable of building one. At least until they clean up their network a bit.
Boxturtle (And Iran has an even bigger problem: Preventing reinfection even if they get things clean)
If reports are to be believed, Anonymous is said to possess a valid copy of Stuxnet, as part of the 27,000 email haul from rootkit.com. According to the Forbes.com blog, Anonymous plans to release these emails as well. If so, you may get a chance to look at the Real McCoy.
What raised my eyebrows was the alleged email query pertaining to renting a botnet?! One has to wonder… what use would a security firm have for renting a botnet? If true, I have to wonder if this was to use against Wikileaks.
Snagglepuss
William:
I’m not familiar w/what Iran is doing w/PLCs & centrifuges, seems to be common knowledge in this thread they are running M$. Is it also known they are running Sieman’s products? And what are they… are these hardware or software barriers to running Linux?
Could u give me brief catchup, or links?
I would think most PLC hardware could connect to Linux just fine, I don’t understand these barriers.
Thanks in advance.
Start here:
http://www.controlglobal.com/articles/2011/IndustrialControllers1101.html?page=full
Siemens provides a Windows app called WinCC that Stuxnet infected to put code on the PLCs. Read the comments on Marcy’s previous Stuxnet posts. I am working on more complete analysis.
Thanks so much William.
Hey, if you are analyzing this thing … have you gotten your hands on the breakdown matrix of all nine variants? Apparently, I’m not “formal security professional” enough to be granted access. I’ve only seen four discussed and I’m quite curious what the differences in the others are.
Of course you are correct, the PLCs should attach to anything that throws their language at ’em. But in this case, Iran has purchased integrated Siemens control solutions – and they like windows apparently.
This is left over from the Stuxnet discussion (the munitions-grade virus seemingly targeted at Iran). If you missed it, the thing reprograms (carefully selected) Seimen’s PLCs attached to any PC running the control software. Two of the payload vectors were targeted to changing motor frequencies so the assumption everyone has drawn is that Iran’s centrifuges were the target.
Boxturtle is convinced that all security issues lead back to Microsoft and has been on a big “anyone smart will convert everything to Linux” kick.
However, the reason this particular virus targeted Windows seemingly had nothing to do with the security of the OS. Seimens control software suite is Windows based, hence the munitions were designed to target Windows. Linux also suffers from zero-day exploits and various compromises which require a lot of work to ensure are always patched up to date and secure (just ask HBGary!). So I personally suspect if Seimens had invested in Linux-based control software – we’d have just seen one hell of a Linux virus instead of a Windows one.
In the final analysis … quasi-fanboy war.
HBGary was hacked because there was a weaker machine connected which was 16-yr old chick compatible. Had nothing to do with the OS.
And because that Aaron Barr was both arrogant and incompetent. Those two in combination rarely end well. He deserves everything that comes to him out of creating this mess. He’s going to end up taking a bunch of other people down with him, because their whole operation was corrupt.
Thanks.
Until +/- 5yrs ago I was top of my game security guy: code, hardware, vulnerability assessment etc etc. I worked on initial HIPAA II stuff, power plants in Singapore, and automatic tennis racket stringing machines. :) I’ve seen/used/wrote/designed for a number of different controller applications, never from shrink-wrapped all in one systems.
I’m 3+ yrs removed from the trade, and reading William’s (and now other links) seems I don’t know so much anymore.
I read NYT (AFAIK) initial article on this thing, was aware of Israeli/US (alleged) collaboration on this thing. I was not aware Siemens (apparently) delivered packaged “stuff” to Mullahs for this project, something that really astounds me. Given Israel’s destroyed their projects in the past, driven US policy to do what we did in Iraq, listened to Neocons rattling their swords early in Iraq endeavor clamoring to extend “Operation Iraqi Freedom” to Iran… not to mention very common knowledge of massive Windows vulnerabilities in more ways than I can count along w/MS’ well know cooperation w/US clandestine services.
Just amazed Iran would go w/such a product. I wonder what N. Korea/Pakistan/China used?… or is Siemens the “Spin Doctor” supplier world wide?
I had assumed projects like this would run on any one of many custom designed, lean & mean embedded, custom OS(s), as was most common for highly specialized automation that I encountered. NASA did this for most of their deep space projects, CISCO does it for all kinds of their hardware, we did it on Singapore project and research that went into that was definitive that’s how these things were done.
So anyway, I’m really really amazed Iran would go this route.
(Fascinating thread & articles BTW Marcy, thanks so much).
…
I haven’t seen yet (is it out there?) just how Stuxnet was introduced into Iranian system… maybe downloading a mandatory Windows auto-install update (sarcasm)? :)
Also can’t help wondering if, in response to this, the entire Muslim tech world isn’t incubating similar projects to disable everything that makes Israel tick.
You do realize that Linux is the most hacked OS on the planet, right?
Cute. We all know that people are always hacking on linux, you know adding features like the 200 line hack.
check this out, if you haven’t already:
http://www.wired.com/threatlevel/2011/02/anonymous/all/1
Aaron Barr isn’t the sharpest knife in the drawer (more like a baby spoon, if you ask me).
ah yes, the Lioness drags another fat carcass back to the pride
as it should be
From the link I posted above:
I’m willing to bet that means Anon got in through a SQL injection attack which is just poor programming practice rather than a vulnerability in a particular product, Microsoft or otherwise.
Yeah, I just read that. I retract my “Don’t hold that too much against them” @ 9. That is a standard thing to check for in any realistic code review. Which means they’re not reviewing their code, not even the stuff that goes outside.
Which means that Anonymous likely DOES have them by the short hairs. They had at least 30 hours of undetected access and I doubt they spent that time playing Warcraft on the corporate servers.
Boxturtle (My sympathy to the sysadmins at hbgary, but, well…Dog. Fleas.)
Aaron Barr is an incompetent blowhard – maybe he can be next RNC chief? He surely will have to find another line of work – no company large enough to have a Risk Management program would ever entrust him with semi-confidential data or tasks.
I hope his credit rating is ruined, now that his Social Security number is out there for all to see… :)
Not a problem. He’ll get a contract as a “consultant” to the CIA. And maybe Fox News.
Tagaris tweets
pre emptive facepalm if that is somewhere in EW’s post
No, I hadn’t seen it. Interesting.
Very interesting. Indeed.
S of a B, why is it so many creepy things happen in Sacramento. HBGary headquarters is several miles from my house. So was Lamo’s family home.
Once Glenn Beck hears of this connection….
One last thing before I have to attend to some familial duties. The ThemisPlan document (Themis, really?) produced by Berico is labeled:
UNCLASSIFIED//FOUO//PROPIN
That’s “For Official Use Only/ Proprietary Information” if you aren’t used to USG markings.
Themis = Penis Theme.
I presume you saw that that Chinese hack on some oil companies got industrial control systems?
??? When I was in the Army FOUO was not considered a security classification.
Great report. Thanks.
Cyberwar.
I am so jealous of those ANONYMOUS boys and girls. They are definitely making the neo-con spies angry. But it is Bill Gates fault. He let the NSA write his operating systems. So 16 year olds could be hacking NSA.
Look out! Configuration Drift!.
Shit just got real.
I do hope that the Chamber of Commerce starts bitching about anonymous.
Better yet, Karl Rove’s group that was set up after Citizens United.
The people at the top of these organizations are some of the most clueless when it comes to security. I worked with a guy who did both physical security and IT security. He said that some of the easiest way into a network don’t involve any computer skills but involve understanding how humans think, work and interact. He said he’d rather spend some money on training everyone from Secretaries to CEOs on how they make the network vulnerable than on some zippie new firewall.
His biggest security weakness wasn’t the company’s network it was the company’s employees.
The Keystone Spies.
The “entrapment project” sounds like one of Breitbart’s turds.
(or a blossom thereof)
*yawn* – who really cares?
Can I compliment EW and FDL for having that brains to use something like DocumentCloud that actually works instead of that near useless Scribd?
And why am I not surprised? *g*
Wasn’t me. It was the smart people backstage who make everything work. Will make sure they see the compliment.
And I bitch like a hurricane backstage every time I see something on SCRIBD; I hate that thing, it is totally bogus.
Michael Whitney @48 is a smart man
Thanks, MadDog. We’ve had DocumentCloud access for a while, but this is the first time we’ve been able to really get to its power. It’s a lot of fun, and we’ll be using it extensively for this and other documents from here on out. Thank you again.
Curious. Poulsen was dropped from the byline on that Daniel Domscheit-Berg article from Wired.
Anyone know if he has a “Lamo problem” with Domscheit-Berg? It was definitely filed as written by both Poulsen and Zetter earlier this morning.
One other question. This article refers to “HBGary”, not “HBGary Federal”.
Was this chamber proposal out of HBG or HBGF? Or has studying the information revealed that there isn’t really any separation between the two companies’ operations?
HBGary Federal.
Is it schadenfreude to get a charge out of seeing hubris get its just reward?
Hubris, in this case, is calling this disinformation/spyinghacking scheme ‘Project Themis’. From Wikipedia:
Maybe we should call Anon ‘AnonNemesis’; not only is DOJ (at least marginally) involved in this plan to distort reality (falsify the social/political narrative), but the corporate players appear to have connections to “DOD, Intelligence community,” “CIA, DHS and FBI,” along with NSA, according to an article at wlcentral.org (http://wlcentral.org/node/1250 ). The wlcentral article’s author comments —
So — If WikiLeaks is this generation’s Pentagon Papers, did Anonymous just uncover the Watergate Plumbers?
This whole story is delicious. This Aaron Barr is a complete a$$hole, and that’s exactly where he got it – repeatedly. He’s just exposed the Chamber as being in collusion with the government, and implicated several other organizations right along with them.
I’ll bet he’s having trouble sitting down. Couldn’t happen to a more arrogant, deserving idiot.