
Some folks may remember the HBGary debacle of a short while ago, when HBGary Federal (a wholly-owned subsidiary of HBGary, specializing in government contracts) got themselves cracked by Anonymous after specifically calling them out.  The parent company, HBGary, has published an open letter making certain claims, which Ars Technica has examined.

There’s little surprise in the letter–it’s mostly a reiteration of previous claims about the leaked emails having been ‘altered’ and about how HBGary Federal was a completely separate company with no actual connection to the parent organization other than ownership.  Ars does a good job in dissecting these claims and pointing out which ones hold water and which ones don’t.

Publishing this letter in the first place was likely a bad idea, though.  Anyone who has the least bit of knowledge about Anonymous–which the head of HBGary Federal claimed to have–knows that resurrecting attention to a controversy causes the phenomenon known as “lulz” to occur.  For those unfamiliar with the term, it’s a sort of measurement of attention-worthiness of a particular topic or entity, based on the quality and quantity of reaction to be gained from any interaction with them.  Leaking the HBGary Federal documents produced an extensive amount of this–it gained mainstream media attention and increased the visibility of Anonymous in the public eye.  The Scientology protests were the same–shedding light on the known-bad Scientology organization’s policies and procedures with public protests (and their characteristic purple prose) caused extreme consternation amongst the organization and brought public attention to Anonymous.

Now, HBGary has, essentially, done the same thing that HBGary Federal did–call out Anonymous’ activities, claim to be invulnerable to their attentions, and bring public attention to Anonymous’ interactions with them.  This is the sort of thing that tends to be deemed “lulzy” by Anonymous, and generally tends to bring certain actions.

Westboro Baptist attempted to take advantage of this phenomenon by releasing a fake press release (that claimed to be on behalf of Anonymous) declaring a war against them, followed by a press release under their own aegis calling out Anonymous.  The Anonymous collective rather quickly determined the illegitimacy of the first release–there may be no central organization, but there is a fairly distinct style, which Westboro did not emulate perfectly–and (correctly, as it turned out) concluded that the servers being offered up as targets were likely honeypots, intended to trap anyone who attempted to DDoS or otherwise infiltrate them.  

As it happened, when Westboro pushed the issue, they were rather promptly taken down–just as HBGary is likely to be.  Westboro, like HBGary, made the key mistake of assuming that Anonymous is a coherent organization with limited membership, made up entirely of disaffected teenagers with a modicum of computer skills.  These assumptions miss certain key points–Anonymous is, in essence, a nom de guerre that can be taken on by any person or entity, as is evidenced by th3j3st3r’s participation in the actions against Westboro following his earlier attacks against Wikileaks; while not strictly an Anonymous action (he claimed credit for it personally), the action against Westboro was compatible with Anonymous’ goals and views.

What HBGary fails to realize is that, by seeking to defend themselves against the ‘blog-o-sphere’, they’ve inadvertently invoked the Streisand effect and drawn specific attention to what they want to keep quiet.  Whether this release has produced enough ‘lulz’–that is, attention to the incident as a cause worthy of working on–remains to be seen, but if they do manage to get away with it without significant infiltration and exposure of more embarrassing secrets, they should count themselves lucky.

Anonymous’ actions cannot be predicted specifically, but it’s fairly obvious that calling them out is, as a comedian recently opined, tantamount to inserting one’s genitals into a hornet’s nest–a bad idea, and likely to cause embarrassing, painful problems.

The Examiner reports yet more fallout from the HBGary Federal leak: agencies of the US Government contracted with them to deliver “persona management” software that would enable the creation of, and use of, ten profiles per user with all the associated details required to make them appear to be independent, legitimate users.

Using “sockpuppet” accounts to build the illusion of a greater level of support on a given topic than actually exists is nothing new.  “Alt” accounts are a fine old tradition, refined to an art by generations of trolls, and the techniques discussed by HBGary for ‘legitimizing’ their existence are largely unnecessary and overly complex.  Ultimately, any use of this program, absent some genuine talent for trolling on the part of the operator, is going to be doomed to failure.

First, when attempting to sockpuppet or astroturf a position as several different people, one’s writing style has to be disguised.  Spotting someone’s characteristic ‘fist’ is not easy, and is not an exact science, but there are many cues that will tip off the careful and attentive reader–characteristic typos, for instance, or idiosyncrasies of punctuation.  Few people make their posts in exact accordance with the AP Stylebook–and those posts would themselves be highly characteristic.  Word choice, too, makes a significant difference–the English language vocabulary is large enough and contains enough synonyms for different shadings of words that word choice can often reflect the mental state of the person writing.
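As an added illustration of the cues just listed (this is editorial example code, not anything from the HBGary material or the original post), the following Python sketch fingerprints a post on exactly those features: a small lexicon of characteristic misspellings, punctuation habits (ellipses, a double space after a full stop, an uncapitalised standalone “i”) and sentence length, then ranks the other personas by closeness and lists the misspellings two posts share.  The three posts, the persona names and the typo lexicon are all constructed for the demonstration; a real investigation would use a far richer feature set (character n-grams, function-word frequencies) and many more samples per persona.

```python
import re
from math import sqrt

# Constructed sample posts (editorial example data, not real forum posts).
# persona_a and persona_b are assumed to be run by one operator;
# persona_c is an unrelated poster.
POSTS = {
    "persona_a": (
        "teh new policy is definately a good idea... i dont see why anyone "
        "would object.  alot of people on here just like to complain... "
        "it works fine for me."
    ),
    "persona_b": (
        "definately agree with teh above... i think alot of the complaints are "
        "overblown.  people recieve a benefit and then whine about it... "
        "makes no sense to me."
    ),
    "persona_c": (
        "I have read the policy carefully and I disagree with it. The stated "
        "benefits are not supported by the figures in the appendix; the costs, "
        "however, are quite clear."
    ),
}

# Small lexicon of characteristic misspellings (assumed; extend from real data).
KNOWN_TYPOS = {"teh", "alot", "definately", "recieve", "seperate"}

WORD_RE = re.compile(r"[a-z']+")


def fingerprint(text):
    """Numeric style features: typo rate, punctuation habits, sentence length."""
    words = WORD_RE.findall(text.lower())
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    n_words = max(len(words), 1)
    n_sent = max(len(sentences), 1)
    return {
        "typo_rate": sum(w in KNOWN_TYPOS for w in words) / n_words,
        "ellipsis_rate": text.count("...") / n_sent,
        "double_space_rate": text.count("  ") / n_sent,
        # standalone lower-case "i"; the regex is case-sensitive on purpose
        "lower_i_rate": len(re.findall(r"\bi\b", text)) / n_words,
        # scaled down so it does not swamp the rate features
        "words_per_sentence": len(words) / n_sent / 10.0,
    }


def style_distance(text_a, text_b):
    """Euclidean distance between two fingerprints (smaller = more alike)."""
    fa, fb = fingerprint(text_a), fingerprint(text_b)
    return sqrt(sum((fa[k] - fb[k]) ** 2 for k in fa))


def shared_typos(text_a, text_b):
    """Characteristic misspellings present in both texts: the thread to pull."""
    wa = set(WORD_RE.findall(text_a.lower()))
    wb = set(WORD_RE.findall(text_b.lower()))
    return wa & wb & KNOWN_TYPOS


def rank_suspects(target, posts):
    """Other personas ordered from most to least stylistically similar to target."""
    scored = sorted(
        (style_distance(posts[target], text), name)
        for name, text in posts.items()
        if name != target
    )
    return [name for _, name in scored]


if __name__ == "__main__":
    for name in POSTS:
        print(name, "->", rank_suspects(name, POSTS))
    print("shared typos a/b:", shared_typos(POSTS["persona_a"], POSTS["persona_b"]))
```

The features are deliberately the cheap, eyeball-able ones a moderator notices first; the point is that an operator juggling ten personas has to suppress every one of these habits in every post, while the investigator only needs one to leak through.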

Secondly, using multiple personas will lead to mistakes.  It is inevitable that, when managing multiple personae, slipups will happen–this happens even to the best trolls, and is a significant factor in catching them.  All it takes is for one persona to display knowledge that it would not reasonably have as that persona, and suspicions will arise; pulling the thread will unravel the whole thing as previously unnoticed inconsistencies come to light.

Thirdly, most people are not going to bother researching the “full background” of every person they argue with on the internet.  While the facebook/myspace/etc profiles may be consistent and hang together under casual scrutiny, almost by definition the only time someone will be likely to investigate ‘em is if they’re suspicious already–at which point, various indicators (apparent monomania over a subject, lack of internet presence before a certain date, etc.) will clue in the careful investigator to the sockpuppet nature of the poster.

Fourth, approaching people with personas generated from old classmates is one of the oldest scams in the book, and the method for defeating it is so well-known as to form a trope–the “false memory gambit.”  Asking the so-called classmate, “Hey, do you remember back when such-and-such happened?” where the event described did not, in fact, happen (or, for more subtlety, did happen but they weren’t involved) is a trivially easy means of establishing identity–the “shared secret” forms the basis of many systems of cryptography.  Getting around that requires a true master of social engineering–and given HBGary’s demonstrated failures in that realm, it’s unlikely that they would be able to communicate to the software users any sort of expertise in this field.

Fifth, the IP roulette described is bound to cause difficulties.  Maintaining a static IP per persona is a reasonably good idea, albeit wasteful of IPs and unlikely to make much difference–most users of most fora are unaware of the IPs that any individual users may have; those are usually only available to administrators.  (Administrators, on the other hand, do see them, and ten personas arriving from one address, or hopping between accounts within minutes of each other, is about the most obvious sockpuppet signature there is.)  The “bank of proxy IPs” is more or less equivalent to using a Tor exit node; those addresses will likely all be quickly flagged by administrators as proxies and, accordingly, banned.
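The administrator’s side of that argument, as an added example (editorial code, not from the original post or from any forum software): given ordinary access-log lines of the form time, account, source address, flag addresses shared by several accounts, addresses that switch between accounts within a short window, and accounts posting from ranges on a proxy list.  The log lines, account names and the proxy range are constructed for the demonstration (the addresses are documentation ranges); a real moderator would feed in their forum’s own logs and a maintained list of anonymiser ranges.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (editorial example data): time, account, source IP.
ACCESS_LOG = """\
2011-02-20T10:01:02 jsmith 203.0.113.10
2011-02-20T10:03:41 mkay 203.0.113.10
2011-02-20T10:05:17 dtaylor 203.0.113.10
2011-02-20T11:15:00 regular_joe 198.51.100.77
2011-02-20T11:20:30 pwhite 192.0.2.45
2011-02-20T11:22:09 rgreen 192.0.2.46
2011-02-20T12:00:00 ltran 192.0.2.47
2011-02-20T13:30:00 jsmith 203.0.113.10
"""

# Assumed "known proxy / anonymiser" ranges a moderator might maintain.
PROXY_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip = line.split()
        rows.append((datetime.fromisoformat(ts), account, ipaddress.ip_address(ip)))
    return rows


def shared_ip_clusters(rows, min_accounts=2):
    """Source addresses used by two or more distinct accounts."""
    accounts = defaultdict(set)
    for _, account, ip in rows:
        accounts[ip].add(account)
    return {str(ip): sorted(a) for ip, a in accounts.items() if len(a) >= min_accounts}


def rapid_switches(rows, window_seconds=600):
    """One address hopping between accounts within a short window:
    the signature of a single operator working down a list of alts."""
    by_ip = defaultdict(list)
    for ts, account, ip in rows:
        by_ip[ip].append((ts, account))
    flagged = defaultdict(set)
    for ip, events in by_ip.items():
        events.sort()
        for (t1, a1), (t2, a2) in zip(events, events[1:]):
            if a1 != a2 and (t2 - t1).total_seconds() <= window_seconds:
                flagged[str(ip)].update({a1, a2})
    return {ip: sorted(a) for ip, a in flagged.items()}


def proxy_accounts(rows, ranges=PROXY_RANGES):
    """Accounts that have posted from an address inside a known proxy range."""
    return sorted({account for _, account, ip in rows if any(ip in net for net in ranges)})


if __name__ == "__main__":
    rows = parse_log(ACCESS_LOG)
    print("shared IPs:", shared_ip_clusters(rows))
    print("rapid account switching:", rapid_switches(rows))
    print("posting via proxy ranges:", proxy_accounts(rows))
```

A static address per persona defeats the first two checks only if each persona really does get its own address and the operator never slips; a pool of rented proxies defeats them only until the pool lands on the proxy list, which is the banning the paragraph above predicts.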

Finally, if your propaganda message requires astroturfing and sockpuppeting to get out, there are far more effective ways of doing it (not the least of which is “writing a better propaganda message”) than sitting a bunch of airmen down to try to troll internet fora.  Single strong personalities will get far better results than a lot of shallow sockpuppets–especially given that each user is, according to that plan, responsible for ten alts apiece, the personalities and posting history of each will be, of necessity, very thin.  While this approach may fool the “Sarah Lou” school of users, it’s unlikely to work for any length of time on any messageboards with enough population to sustain such an interruption.

(And then, of course, there are always professional astroturfing agencies that already have the expertise to pull this off properly–once again, HBGary was trying to reinvent the wheel.)

Ars reports that further examination of the leaked HBGary correspondence reveals that one of the focuses of their work was in developing rootkits that would bypass detection from existing antivirus products and would be capable of forwarding keystroke logs past existing firewalls.

Rootkits are a special kind of malware.  Most malware is written to take advantage of various holes in the operating system; some trojans convince users to open such a hole ‘voluntarily’.  Rootkits go further: once they have obtained administrative access, they install themselves into the lowest levels of the system’s running code–in the case of the HBGary ‘products’ this would be the Windows kernel, the ‘supervisor’ program that orchestrates all the other programs.  From there they subvert and redirect portions of the operating system; by hooking certain system functions (file listing, process enumeration, network connections and the like), they both cloak their presence from the user and from any tool running on the same system, and give the interloper elevated or hidden access.

HBGary is not the only ‘legitimate’ firm to have made use of rootkits; a little over five years ago, there was significant outcry when Sony installed a rootkit on users’ computers, via the CD autorun feature, as part of a copy-protection scheme.  This was rather a PR disaster for Sony; as part of the rootkit’s function, any file whose name started with “$sys$” was hidden from the user and from the system’s own tools; this gave other malware authors an easy way to hide their own viruses and the like on the systems Sony had compromised, simply by using the same prefix.

Detecting rootkits is inherently a very difficult task.  Rootkits can usually hide themselves from conventional antivirus products (HBGary’s boasts about evading the standard AV products reveal only very basic malware-writing competency, as this is a required feature for any new malware) by subverting the runtime environment of the system; hence, no program running on the system can be trusted to reveal a new infection.  Detection is most reliably accomplished by booting from a ‘trusted’ operating system on a read-only medium and examining the disk from outside; short of that, the best a live tool can do is compare what the running system reports against an independent view of the same data and look for discrepancies, which works only until the rootkit hooks that second view as well.  
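To make the hiding and the cross-view check concrete, here is an added Python demonstration (editorial example code; it is not HBGary’s or Sony’s software and runs entirely in user mode, not in the kernel).  A stand-in “rootkit” hooks the process’s own os.listdir to drop every name beginning with the “$sys$” prefix the Sony rootkit used; the detector then compares the hooked listing against an independent enumeration via os.scandir.  The temporary directory and file names are constructed for the demo.  The last function shows the failure mode from the paragraph above: once the hook also covers the second view, the in-system check reports nothing, which is why an offline boot is the reliable answer.

```python
import os
import tempfile

# The marker the Sony rootkit hid; reused here purely for the demonstration.
HIDE_PREFIX = "$sys$"

_real_listdir = os.listdir
_real_scandir = os.scandir


def _hooked_listdir(path="."):
    """Stand-in for a rootkit hook: filter the real result before the caller sees it."""
    return [n for n in _real_listdir(path) if not n.startswith(HIDE_PREFIX)]


def _hooked_scandir(path="."):
    """A more thorough hook that also covers the 'independent' enumeration."""
    return [e for e in _real_scandir(path) if not e.name.startswith(HIDE_PREFIX)]


def install_hook(thorough=False):
    os.listdir = _hooked_listdir
    if thorough:
        os.scandir = _hooked_scandir


def remove_hook():
    os.listdir = _real_listdir
    os.scandir = _real_scandir


def cross_view_diff(path):
    """Names present in the raw enumeration but missing from the API view."""
    api_view = set(os.listdir(path))
    raw_view = {e.name for e in os.scandir(path)}
    return sorted(raw_view - api_view)


def _populate(directory):
    for name in ("readme.txt", "$sys$driver.sys", "$sys$config.dat"):
        open(os.path.join(directory, name), "w").close()


def demo(thorough=False):
    """Return (what the hooked listing shows, what the cross-view check finds)."""
    with tempfile.TemporaryDirectory() as d:
        _populate(d)
        install_hook(thorough=thorough)
        try:
            hidden = cross_view_diff(d)
            visible = sorted(os.listdir(d))
        finally:
            remove_hook()  # restore before the directory is cleaned up
    return visible, hidden


if __name__ == "__main__":
    print("partial hook  :", demo())
    print("thorough hook :", demo(thorough=True))
```

With the partial hook the detector recovers both hidden names; with the thorough hook it sees a clean directory, exactly the situation in which only a trusted boot medium gives an honest answer.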

Cleaning up after a rootkit is an onerous task; generally, the safest method to use will be to wipe the system and restore from a known-safe source.  In the case of known rootkits, AV vendors tend to be very quick to update their signatures–once a rootkit is known to be in the wild and has been detected, then the method by which it can be detected and removed will be quickly determined and distributed.  

Needless to say, any use of rootkits is ethically suspicious–the use of malware as a weapon for espionage is a logical one, but given HBGary’s demonstrated lack of competence in other fields, no confidence as to the proper targeting or usage of said malware can be assumed.  Additionally, holding onto a collection of OS security flaws rather than providing them to the vendor for a fix is ethically unsound; Microsoft, especially, is already very lackluster about fixing known security flaws; reporting these holes would likely do little to impact their business, especially as al-Qaeda is hardly likely to be running the latest patches on their systems.

Defending against HBGary’s rootkits would be relatively simple for a competent corporate network security administrator with access to a proper IDS or IPS; the network traffic “disguised as ad clicks” would be readily apparent moving across the network and could be blocked and mitigated at that level.  Home users would find detection and removal to be more difficult, having fewer resources, but little damage would likely be done–especially as any destination server for extracted traffic would be very quickly closed down by interested parties.
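What “readily apparent moving across the network” looks like in practice, as an added example (editorial code, not from the original post and not tied to any real IDS): traffic that is disguised as ad clicks still has to leave on a schedule the implant chooses, and implants keep time far better than people do.  The script below reads constructed proxy-log lines (time, client, host, path, bytes; addresses, hostnames and sizes are all invented), groups requests by client and destination, and flags any pair whose inter-request gaps are too regular, reporting the beacon period and payload-size consistency.  The thresholds are assumptions a practitioner would tune against their own traffic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log lines (editorial example data): time, client, host, path, bytes.
# 10.0.0.5 is the assumed infected host; 10.0.0.9 is a person clicking adverts.
PROXY_LOG = """\
2011-02-20T09:00:00 10.0.0.5 ads.example.net /click?id=4471 612
2011-02-20T09:05:01 10.0.0.5 ads.example.net /click?id=9913 608
2011-02-20T09:09:59 10.0.0.5 ads.example.net /click?id=2210 615
2011-02-20T09:15:00 10.0.0.5 ads.example.net /click?id=7734 611
2011-02-20T09:20:02 10.0.0.5 ads.example.net /click?id=1098 609
2011-02-20T09:24:58 10.0.0.5 ads.example.net /click?id=5561 613
2011-02-20T09:02:13 10.0.0.9 ads.example.net /click?id=3301 74
2011-02-20T09:02:40 10.0.0.9 ads.example.net /click?id=3302 91
2011-02-20T09:31:07 10.0.0.9 ads.example.net /click?id=8120 66
2011-02-20T10:45:55 10.0.0.9 ads.example.net /click?id=0042 88
2011-02-20T11:02:30 10.0.0.9 ads.example.net /click?id=1187 80
"""


def parse_proxy_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), client, host, int(nbytes)))
    return rows


def interval_stats(times):
    """Mean gap between consecutive requests and its coefficient of variation."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return 0.0, float("inf")
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(rows, min_requests=5, max_interval_cv=0.1):
    """(client, host) pairs whose request timing is too regular to be a human."""
    by_pair = defaultdict(list)
    for ts, client, host, nbytes in rows:
        by_pair[(client, host)].append((ts, nbytes))
    found = {}
    for pair, events in by_pair.items():
        if len(events) < min_requests:
            continue
        events.sort()
        m, cv = interval_stats([t for t, _ in events])
        if cv <= max_interval_cv:
            sizes = [n for _, n in events]
            found[pair] = {
                "requests": len(events),
                "mean_interval": m,
                "interval_cv": cv,
                "mean_bytes": mean(sizes),
                "bytes_cv": pstdev(sizes) / mean(sizes),
            }
    return found


if __name__ == "__main__":
    for pair, stats in find_beacons(parse_proxy_log(PROXY_LOG)).items():
        print(pair, stats)
```

The human’s clicks on the same ad host are bursty and never flagged; the implant’s five-minute cadence and near-constant request size stand out even though every URL looks like a legitimate click.  Adding random jitter is the obvious evasion, which is why a real detector also looks at size regularity, destination reputation and whether the “clicks” ever fetch the landing page.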

All in all, rootkits are just another unsavory part of HBGary’s product line; presumably, at least some of these have been leaked along with the emails, so it would be in HBGary’s best interest as a company to either dissolve quickly or report the full contents of their “inventory” to antivirus and OS vendors–otherwise, when, inevitably, their “products” are used for the usual criminal reasons, HBGary will end up being sued–and it is doubtful that they will be able to handle the inevitable suits as well as Sony was able to.

Those in the field of computer security are often scrutinized with suspicion by both media and business.  Antivirus companies, for instance, have sometimes been suggested to create viruses themselves in order to maintain their business–high prices for software updates and ‘professional’ versions of their scanning products may give some people the image of a mafia ‘protection’ racket.  That some companies have, in the past, hired high-profile ‘hackers’ to their company certainly does not help matters; while the so-called ‘hackers’ do tend to be talented, the fact that they have done actual harm causes them to be viewed with suspicion–the leopard cannot change his spots.

On top of the news that HBGary Federal was involved in a conspiracy to discredit reporters, and that it was run by someone completely incompetent with basic security tenets, it has now come out that they were attempting to modify the recently and widely publicized Stuxnet worm for their own purposes.

It is perhaps fitting that someone who thought that data mining social media was a new and different idea would think that repurposing a worm known to have caused millions of dollars’ worth of damage–real-world damage, too, not just lost productivity–was somehow not ethically repugnant.  

There is no ethical reason for a “cybersecurity” company to deploy malware.  Even in the context of “cyberwarfare,” there is no reason why private companies should be involved in developing or deploying malware; warfare is the province of the Department of Defense.  

Further, it wouldn’t work.  Stuxnet has been addressed fully by all AV vendors; its method of propagation is known, the viral signature is known, and the countermeasures to remove it are known.  In fact, it was useless in the western world at the time it was originally released–the payload, the disruption of the industrial control systems, relied on a vulnerability that was patched by Siemens years ago.  The only reason why it had an effect in Iran is due to their lax security and their lack of access to software updates.

Beyond that, there has been extensive analysis of the Stuxnet worm (as befits the celebrity status of being the first notable instance of malware being used specifically to cause targeted damage to a specific system) that has noted the very amateurish techniques behind its construction.  True, the sabotage of the ICS was well carried out–it did its job well–but the viral payload that enabled the infection of the systems was like something out of a “malware for beginners” manual.  Besides the use of multiple zero-day exploits, the polymorphism and rootkit installation are very well-known techniques that AV vendors have been very successful in mitigating.  

Using Stuxnet for any purpose other than that specific ICS sabotage is useless:  that would involve removing the competent part and retaining the incompetent part.  It would be quickly detected and its influence mitigated by AV software, and it would become just one more variant of the same thing out in the wild, clogging up spam filters and unpatched systems–more needless work for the competent, ethical administrators without resulting in any reward for these incompetents.

HBGary Federal is to be condemned for this breach of ethics, and no ethical company or person ought to do business with them–though their utter lack of competency with basic security for a so-called ‘security’ firm ought to have given a warning sign that hiring them for any purpose other than wasting money would be a mistake.

In other, related news, Palantir Technologies, implicated during the last breach as being in collusion with HBGary to smear opponents of BoA, has made statements to distance themselves from HBGary.  While their hands are certainly far from clean in this matter, it appears that HBGary Federal has become the designated scapegoat for this particular incident.

As reported elsewhere, a number of firms (including the subject of Tuesday’s entry, HBGary Federal) are, per the leaked documents from the compromise on Sunday, attempting to control the imminent leaks threatened by Wikileaks.  Hunton and Williams (a law firm associated with BofA) has been in talks with, besides HBGary Federal, the firms of Palantir Technologies (who provides analytics software–software that helps organize and track information–for financial institutions) and Berico Technologies (a DoD IT contractor) to mitigate the leaks in question.

Per the Raw Story articles and various other ones across the web, the objective of these meetings and talks was to find a way to discredit and disrupt the wikileaks release.  

The course being discussed in the article, though, betrays a significant misunderstanding of the realities behind the wikileaks phenomenon and the other organizational processes in the internet communities associated with it.

First, it appears that the firms in question regard Wikileaks as a monolithic organization–that disrupting their operations in the same manner as they would any other company is a viable option.  This is erroneous; while the wikileaks banner is associated with a single organization, the underlying structure has already been forked and duplicated in various ways–“leak” websites are relatively common now, and the opportunity for removing wikileaks as a viable entity and strategy for disseminating previously-covert information is long since past.  Were they successful in removing wikileaks’ ability to do business–highly doubtful, given that their strategy appeared to be to leverage legal pressure on the companies where their servers were located, a strategy already employed by the US Government during the last big leak–then the information would already have been disseminated amongst independent operators and other organizations of a related bent.  Treating them as a monolithic organization is not a viable option, and will mistarget and otherwise waste resources that would be better employed for mitigating the damage of the leaks in other ways.

Secondly, pressuring sympathetic journalists–in this case, Salon’s Glenn Greenwald–is never a good idea.  This tactic was used during each of the large newspaper-released scandals of the last century, and in all cases where the parent news organization was large enough to mount an effective defense (and where the parent news organization was ideologically committed to the principles of Freedom of Speech and of the Press) it was uniformly unsuccessful.  Salon is a relatively large target, and deeply concerned with Freedom of the Press; attacking Mr. Greenwald in any fashion would be a grave mistake.  Further, the notion that his removal would have any actual effect on the Wikileaks organization is laughably naive; other than writing articles in support of the basic principles behind Wikileaks, and praising the actions of those who did the leaking, there’s really no connection between Mr. Greenwald and Wikileaks.  Indeed, even if they were able to pressure him into retracting or reversing his position, these firms would only make him a martyr for the cause, and would end up making their task that much more difficult.  The leaked slide regarding him states that “professional preservation” would be an effective motivator over “cause” even for someone of a “liberal bent”–apparently not a single one of them has read “All the President’s Men” or any other similar record.

The only part of the presentation mentioned that would potentially have any chance of success would be attempts at sowing disinformation–but even then, the impact would be negligible.  Anyone familiar with the usual methods of distribution of such things would easily see that the tactics as proposed are already mitigated as a matter of course–indeed, the wikileaks organization mostly exists to filter out these disinformational attacks against their infrastructure, and the chances are that any media campaign would only end up making a martyr of the organization–just as their actions against Mr. Greenwald would do.

What would work?

At this point, likely nothing–the leak has been announced; the only real effective course of action for BoA would be to ignore these naive and incompetent firms and concentrate wholly on determining what is likely to have been leaked, and make sweeping organizational changes to correct whatever public response is likely to occur.  By pre-empting the outrage, they would effectively neuter it; after a few weeks of stories about how they ‘capitulated’, the story would die down quickly–without fuel for outrage, most of the people who would otherwise complain will look elsewhere for entertainment.

In the future, placing effective controls on who has access to what information, according to the best practices that every security professional should know, would mitigate the risk of a leak.  It would not prevent a leak, but the likelihood of one would significantly decrease, as would its likely scope.  

Also, BoA should definitely not hire any of the companies who made this proposal for anything, either now or in the future; they obviously have no real understanding of the factors involved.

Over Super Bowl Sunday, some interesting news came out–HBGary Federal, a purveyor of “cybersecurity” services for the FBI, got themselves cracked by Anonymous.  Much like the recent Gawker crack, the reason that this was accomplished was entirely due to the hubris of the person in charge.

The adage says that a chain is only as strong as its weakest link–and this is very much true for organizational security.  When the linchpin in the center of the chain–the top administrative accounts–is weakened by improper separation of duties, the whole thing falls apart.

In both the Gawker and the HBGary cases, the leader of the organization made the same key mistakes:  they reused the same password for multiple accounts across different security levels, they had too much access to critical administrative areas, and they deliberately invited the interest of blackhats.  These all point to the same problem at both organizations: leadership that does not take security seriously.

The password reuse is the first critical error.  In both cases, the organization beneath the compromised executive doubtless had knowledge of proper password policy.  In the case of Gawker, the Lifehacker affiliate site had a widely-publicized article providing base guidelines for password use and reuse–giving standards for strength and entropy, and cautioning against reusing a password in multiple places.  Given that HBGary’s whole business is based on security, there’s no excuse for them not to be familiar with these standards; the leaders of both organizations have shown deep and pervasive incompetence in their actions.  
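Why reuse across security levels is fatal, as an added example (editorial code, not from the original post; it assumes, purely for illustration, that the low-value system stored unsalted MD5 hashes and that the high-value system stored passwords properly with PBKDF2 and per-user salts).  The account names, passwords and wordlist are constructed.  The first function recovers passwords from the weak dump with a lookup table; the second replays them against the well-protected system, where the one reused password still succeeds, because salting and stretching protect the stored hash, not a password the attacker already knows.

```python
import hashlib
import hmac
import os

# Constructed wordlist (editorial example data): a cracker's first few guesses.
WORDLIST = ["123456", "password", "letmein", "hunter2", "Spring2011", "qwerty"]


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


# Assumed: the low-value system (a web CMS) stored unsalted MD5 hashes.
# Account names and passwords are invented for the demonstration.
SITE_A_DUMP = {
    "ceo": md5_hex("Spring2011"),
    "webmaster": md5_hex("hunter2"),
    "intern": md5_hex("Tr0ub4dor&3"),
}


def make_record(password, iterations=20_000):
    """Proper storage: per-user random salt plus PBKDF2-HMAC-SHA256 stretching."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_record(password, record):
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


# Assumed: the high-value system (mail server, SSH) stored passwords properly,
# but the executive reused the CMS password there.
SITE_B_RECORDS = {
    "ceo": make_record("Spring2011"),
    "webmaster": make_record("a-long-unrelated-passphrase"),
    "intern": make_record("Tr0ub4dor&3"),
}


def crack_unsalted_md5(dump, wordlist):
    """Unsalted hashes fall to a precomputed lookup table in a single pass."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def replay_credentials(cracked, records):
    """Try each recovered password against the same account on the second system."""
    return sorted(
        user for user, pw in cracked.items()
        if user in records and verify_record(pw, records[user])
    )


if __name__ == "__main__":
    cracked = crack_unsalted_md5(SITE_A_DUMP, WORDLIST)
    print("cracked on site A:", cracked)
    print("reused and valid on site B:", replay_credentials(cracked, SITE_B_RECORDS))
```

Note that the intern’s password survives only because it is not in the wordlist, and the webmaster’s only because it was not reused; nothing about site B’s stronger storage helped the executive.  The same replay is what a defender should run, with consent, against their own directory after any third-party breach dump appears.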

The lack of proper separation of duties is the second error.  While Gawker has some small excuse for this, given that the head of the company was apparently involved in code review and the like, there is absolutely zero excuse for HBGary’s president to have any level of access above the basic user level to the organization’s mailserver.  This cannot be emphasized enough: any executive who demands administrative access to critical administrative areas in a company with an actual IT department is incompetent and dangerous.  If the executive needs to access employee emails, then they can set up a policy to do so as part of the acceptable use policy, and coordinate with the IT department to do so.  If the executive cannot trust his IT department and his lawyers to do this effectively, then he has made a poor choice of employees.  The doctrine of separation of duties exists for a reason: to prevent just this sort of compromise, where a single account can be leveraged to access unrelated resources.  That this form of attack worked in both organizations indicates the same endemic organizational failure:  a micromanaging, hubristic leadership without sufficient checks on their executive powers to prevent abuses.  Neither of these organizations would be suitable for a competent professional’s employment.
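The separation-of-duties point above, and the earlier remark (in the BoA entry) about controlling who has access to what, both come down to a question an auditor can actually compute: if this one account is compromised, what does the attacker reach?  As an added example (editorial code, not from the original post and not modelled on either company’s real directory), the script below takes a constructed access model of groups, grants and memberships, reports each principal’s blast radius, lists principals whose group memberships span more than one duty, and shows which grants an account holds but has never exercised.  All names, groups and resources are invented.

```python
# Constructed access model (editorial example; names and grants invented).
GROUP_GRANTS = {
    "exec": {"sales-forecast", "board-minutes"},
    "mail-admins": {"mailserver-root", "all-mailboxes"},
    "dev": {"source-repo", "build-server"},
    "support": {"support-tickets"},
}

# Which duty each group serves; one principal spanning several is a SoD violation.
DUTY_OF = {
    "exec": "business",
    "mail-admins": "infrastructure",
    "dev": "engineering",
    "support": "business",
}

MEMBERSHIPS = {
    "ceo": {"exec", "mail-admins", "dev"},   # the "give me access to everything" executive
    "mailadmin1": {"mail-admins"},
    "dev1": {"dev"},
    "support1": {"support"},
}

ALL_RESOURCES = set().union(*GROUP_GRANTS.values())


def reachable(principal, memberships=MEMBERSHIPS, grants=GROUP_GRANTS):
    """Every resource the principal can touch through any group membership."""
    return set().union(*(grants[g] for g in memberships.get(principal, ())))


def blast_radius(principal, memberships=MEMBERSHIPS, grants=GROUP_GRANTS):
    """Fraction of all resources exposed if this one account is compromised."""
    return len(reachable(principal, memberships, grants)) / len(ALL_RESOURCES)


def separation_violations(memberships=MEMBERSHIPS, duty_of=DUTY_OF):
    """Principals whose memberships span more than one duty."""
    violations = {}
    for principal, groups in memberships.items():
        duties = sorted({duty_of[g] for g in groups})
        if len(duties) > 1:
            violations[principal] = duties
    return violations


def excess_grants(principal, used, memberships=MEMBERSHIPS, grants=GROUP_GRANTS):
    """Grants held but never exercised: the first candidates for removal."""
    return sorted(reachable(principal, memberships, grants) - set(used))


def riskiest(memberships=MEMBERSHIPS, grants=GROUP_GRANTS):
    return max(memberships, key=lambda p: blast_radius(p, memberships, grants))


if __name__ == "__main__":
    for p in MEMBERSHIPS:
        print(f"{p:12s} blast radius {blast_radius(p):.2f}")
    print("SoD violations:", separation_violations())
    print("ceo never used:", excess_grants("ceo", {"sales-forecast", "board-minutes"}))
```

The executive here reaches six of seven resources from a single login, which is precisely the situation in which one reused password becomes a whole-company compromise; stripping the grants the account never uses brings the blast radius down to the two business documents the role actually needs.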

Third, the absolutely baffling hubris of calling out a specific group to attack them indicates a complete lack of ability in senior leadership.  Granted, the Anonymim who carried out the attacks are, in their own right, committing criminal actions, but when a known hazard from a known vector exists, there is zero excuse to specifically invite action from that hazard.  The most baffling of the various incompetencies listed, the leadership of HBGary and Gawker did not apparently conduct any security audits or ensure that measures were in place to prevent or counter intrusion by outside forces before issuing their declarations–taunting an enemy into attacking is a valid strategy, but only if you have some means of responding to it.  To use a colloquialism, both HBGary Federal and Gawker were asking for it–literally.  

These are just the overt failures that are common to both organizations–and they’re quite enough to label both HBGary Federal and Gawker as completely incompetent.  The most troubling aspect of this whole business is, I think, that HBGary Federal provides services to the United States Government:  I would urge any agency that has contact with this company to seek immediate separation from their services and to perform a full and complete security audit to ensure that none of the compromise of their leadership has led to compromise of the Government resources that they had access to.  

The lessons here are obvious:  Do not reuse passwords.  Enforce password policies.  Do not give senior leadership administrative access to critical systems.  Apply IT security policies to everybody in the organization, including senior leadership–ESPECIALLY senior leadership, given that they are the highest priority targets in any compromise attempt.  Do not invite trouble unless you have specifically prepared for it–one might argue even if you have specifically prepared for it.  

Sadly, neither HBGary nor Gawker are unique; there is a constant stream of anecdotes in the IT world about micromanaging senior leadership that demands access to administrative functions without the competency required to use this access wisely.  The question is not if, but when, this sort of compromise will happen again–and, like as not, it will be obvious who the next target is; they’ll likely announce themselves.