Interpreting the HBGary Federal security breach

In February, security firm HBGary Federal was hacked by Anonymous. HBGary Federal is a security firm that offers services such as rootkit detection, incident response, malware reverse engineering, and computer forensics. They have also given presentations at conferences such as Black Hat Briefings and the RSA Conference.

Anonymous hacked HBGary Federal quickly and catastrophically. Anonymous released ~60,000 internal emails, released an easily cracked database full of hashed passwords, and severely hurt the business (several companies are considering buying out HBGary Federal). Even worse, the hacks were performed using well-known security flaws. Some of the vulnerabilities that were exploited include badly-hashed passwords (no salting or multiple hashing used), easily cracked passwords (simple to guess), a SQL injection flaw, and social engineering (passwords were emailed around, among other things).
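Side by side, as an added illustration that is not code from the post or from HBGary: the unsalted, single-round password storage the post describes next to a salted, iterated scheme. MD5 as the weak algorithm, the PBKDF2 parameters, the record format and the sample users are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Weak scheme of the kind the post describes: one round of an unsalted fast
# hash. MD5 is assumed as the weak algorithm; the post does not name it.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def weak_verify(password: str, stored: str) -> bool:
    return weak_hash(password) == stored

# Hardened scheme: a per-user random salt and many iterations of a slow KDF.
# Record format (constructed for this example): "pbkdf2_sha256$<iter>$<salt hex>$<hash hex>"
ITERATIONS = 200_000

def strong_hash(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def strong_verify(password: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)

def demo() -> dict:
    # Constructed sample: two users who happen to share a password.
    users = {"alice": "Password1", "bob": "Password1"}
    weak = {u: weak_hash(p) for u, p in users.items()}
    strong = {u: strong_hash(p) for u, p in users.items()}
    return {
        # Unsalted: identical passwords give identical records, so one
        # precomputed table exposes every account that shares a password.
        "weak_records_collide": weak["alice"] == weak["bob"],
        # Salted: same password, different records; nothing precomputed applies.
        "strong_records_collide": strong["alice"] == strong["bob"],
        "strong_verify_ok": strong_verify("Password1", strong["alice"]),
        "strong_verify_wrong": strong_verify("password1", strong["alice"]),
    }
```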

All of this activity is illegal; HBGary Federal was (at the time) a respected security company, employed by governments and companies around the world. Yet Anonymous did not hack HBGary Federal without provocation: CEO Aaron Barr was investigating the collective, and preparing to release names, online IDs, and addresses of members. Aaron Barr _told_ an Anonymous ringleader about the forthcoming dump of information.

That alone is food for thought; an anonymous collective was able to carry out a form of vigilante justice. It brings to mind the famous letter by John Perry Barlow entitled “A Declaration of the Independence of Cyberspace”: “[…] you weary giants of flesh and steel […]”.

But it gets weirder. In the email dump, it was revealed that HBGary Federal was itself selling rootkit software ($60,000) and 0-day security exploits, pursuing a plan to sniff cell phones to collect personal data, and was being paid to investigate Wikileaks by Bank of America.

This serves to show that security is not a black-and-white affair. A respected company was itself performing a variety of sketchy services, and the collective that unmasked it looks innocent by comparison. It’s an odd reversal of roles.