“Anonymous” Hacks HBGary

HBGary Federal has been working on unmasking the identities of the “Anonymous” group of WikiLeaks hacktivists in cooperation with an FBI investigation regarding their involvement in the attacks against companies who were impairing WikiLeaks’ access and funding.  HBGary had made claims to have penetrated the group and identified several “key members”.  Anonymous chose to react during the Super Bowl.

Unlike the DDoS attacks that brought the group recent headlines, this incident seems to have involved actual hacking skills.  It appears HBGary was victimized by a combination of social engineering and a shared password between systems.  Anonymous managed to compromise the HBGary website and replace it with an image explaining their motivation.  In addition to the defacement, they downloaded over 60,000 emails from the company and posted those to The Pirate Bay for broad distribution.

The Twitter account of HBGary’s CEO was compromised and used to send out several offensive messages, his home address, social security number and cell phone number. According to Forbes, the LinkedIn accounts of other HBGary executives were compromised “in minutes.”

The resulting tweets put up a set of claims that Anonymous has:

  • “entire control of all emails for the company of hbgary.com”
  • “we have wordpress control of hbgary.com”
  • “all emails will be put up in a torrent”
  • “full access to all their finincials”
  • “their ssns [social security numbers]”
  • “their w2s [US tax reporting statement]”
  • “their 1099s [US tax identification certificate]”
  • “their software products”
  • “their malware data”
  • “their backup server was wiped”
  • “access to their pbx system via 8x8.com”
  • “control of their support server and their clients logins”
  • “root access to rootkit.com, personal website of greg hoglund”
  • “aaron barr’s ipad is now wiped”

WikiLeaks – Twitter Link

The US government has served subpoenas seeking personal details of some Twitter users who are believed to have close ties to WikiLeaks.  The US District Court in Virginia is seeking names, addresses, connection records, phone numbers and payment information.

The court order was issued on December 14, 2010, and WikiLeaks was ordered not to reveal that it had been served or was being investigated, but the court last week removed those restrictions.  Among those named are Julian Assange, US Army Pfc. Bradley Manning and Birgitta Jonsdottir, a member of Iceland’s Parliament who has allegedly worked with Assange.  Assange has called the court order harassment.

BBC US/Canadian News

WikiLeaks – Could It Happen To You?

For enterprise IT managers and security professionals, the ongoing WikiLeaks disclosures underscore the information security gaps that exist even when common security controls are in use by large organizations.  It is not necessarily the controls themselves that are flawed, but more often the supporting processes and procedures that were quickly pulled together under pressure, and seldom if ever revisited or audited at a granular level for optimal performance and completeness.

This entire ordeal also serves to highlight the importance of adopting a “trust, but verify” approach to hiring practices and access control.  This means that you need to be just a little bit more paranoid regarding your practices, without distrusting your employees.  Remember that everyone you hire is human, and that people will make mistakes if mistakes are possible.  They are (hopefully) hired due to their capabilities and experience, but what really separates them from the other candidates that showed up for an interview?  Were you able to validate their claims of reliability and trustworthiness?  Trust that they will exercise good judgement and work towards corporate betterment, but verify that each access to sensitive data or corporate intellectual property is properly justified.  Remove the temptation to go astray, and by all means, let them know that you verify.  Your intentions are to DISCOURAGE criminal or damaging behavior, not ENTRAP those who may err or fall prey to social engineering.

What controls should be in place?  That depends on the type and classification of the information that is at risk.  When it comes to client financial and personal information, it is clear that monitoring, notification and escalation controls are a requirement.  Take a lesson from PCI, even if you don’t adopt it formally.  The PCI DSS is simply basic computer security.  A quick review of the 12 main PCI requirements shows nothing revolutionary, and they offer a solid starting point for virtually any security compliance engagement. 


More Trouble For WikiLeaks

After posting documents that have caused embarrassment for the US Government, wikileaks.org has suffered multiple DDoS attacks.  It was forced to relocate its services to Amazon.com’s cloud services, and now its DNS provider has pulled the plug on its DNS resolution.

Nameserver provider EveryDNS decided to pull the plug on the site this morning. “These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites,” EveryDNS said. According to a statement from the company, Wikileaks was properly notified about this issue a day in advance.

After being cut off, Wikileaks decided to move from the .org to a .ch domain registered by the Pirate Party Switzerland.  An interesting move, but certainly not the ideal solution: this .ch domain uses the very same nameserver provider!

This is not the first time a Pirate Party has helped out Wikileaks either.  Earlier this year the Pirates announced a hosting deal with them “to protect the freedom of the press”.  For now at least, Wikileaks.ch is up and running but it’s unclear how long it will stay that way.  The domain Wikileaks.org has not been seized so it is expected to return once it finds a new nameserver provider.
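The point above, that a fallback domain served by the same nameserver operator adds no independence, is easy to check mechanically. The following is an added example, not code from the original post; it works on NS host names you supply (the sample zones are constructed for illustration, not captured DNS data) and groups zones by nameserver operator using a simple last-two-labels heuristic.

```python
# Added example: nameserver-provider diversity check.
# The NS host names in SAMPLE_ZONES are constructed, not real lookups.
from collections import defaultdict


def provider_of(ns_host: str) -> str:
    """Heuristic: the last two DNS labels of a nameserver host name are
    taken as its operator (no public-suffix list, so a host under
    'co.uk' would be misreported; adequate for the zones checked here)."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def providers(ns_hosts):
    """Set of operators behind a zone's NS records."""
    return {provider_of(h) for h in ns_hosts}


def single_provider_zones(zones):
    """Zones whose every NS record points at one operator: if that operator
    withdraws service, as EveryDNS did, the whole zone goes dark."""
    return sorted(z for z, hosts in zones.items() if len(providers(hosts)) == 1)


def shared_providers(zones):
    """Operators serving more than one of the given zones, i.e. places where a
    'backup' domain shares the primary's single point of failure."""
    by_provider = defaultdict(set)
    for zone, hosts in zones.items():
        for p in providers(hosts):
            by_provider[p].add(zone)
    return {p: sorted(zs) for p, zs in by_provider.items() if len(zs) > 1}


def fallback_is_independent(zones, primary, fallback):
    """True only if the fallback zone shares no nameserver operator with primary."""
    return not (providers(zones[primary]) & providers(zones[fallback]))


# Constructed sample zones (illustrative host names only).
SAMPLE_ZONES = {
    "wikileaks.org": ["ns1.everydns.net.", "ns2.everydns.net.", "ns3.everydns.net."],
    "wikileaks.ch": ["ns1.everydns.net.", "ns4.everydns.net."],
    "example.net": ["ns1.provider-a.example.", "ns1.provider-b.example."],
}

if __name__ == "__main__":
    print("single-provider zones:", single_provider_zones(SAMPLE_ZONES))
    print("shared providers:", shared_providers(SAMPLE_ZONES))
    print("wikileaks.ch independent of .org?",
          fallback_is_independent(SAMPLE_ZONES, "wikileaks.org", "wikileaks.ch"))
```

To run it against live zones, feed the output of `dig NS <domain>` for each domain into the same dictionary shape.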

WikiLeaks To Release US Bank Docs

Reuters has posted that Forbes Magazine reports that the now infamous whistle-blower website, WikiLeaks, plans to release tens of thousands of internal documents from a major US bank early next year.  Describing the release as a “megaleak” involving  a bank that is still doing business, Julian Assange suggests that it will “give a true and representative insight into how banks behave at the executive level in a way that will stimulate investigations and reforms”, comparing the release to the Enron email revelations.

“There will be some flagrant violations, unethical practices that will be revealed, but it will also be all the supporting decision-making structures and the internal executive ethos … and that’s tremendously valuable.  You could call it the ecosystem of corruption, but it’s also all the regular decision making that turns a blind eye to and supports unethical practices: the oversight that’s not done, the priorities of executives, how they think they’re fulfilling their own self-interest,” he said.

Assange also hinted that his group has material on many businesses and governments, including some on pharmaceutical companies, which he did not identify.

Personally, I am of two minds regarding these releases.  I am both skeptical of the quality and reliability of what may or may not be authentic documentation, and concerned about the lack of the affected organizations’ ability to detect and correct the leakage.  The sources of these leaks must be found, but the transparency of all organizations must be increased if there is indeed illegal, illicit or questionably moral activity going on inside.

I find myself suspicious of the intentions of WikiLeaks, and wonder just how it is that it can release damaging information on such high profile businesses and people without seeming to suffer any serious repercussions.  Why hasn’t the owner and all of his critical staff been “disappeared”?  When I can read in the press how Boris, the Russian mobster, can hire North American muscle to intimidate or persuade Security Researchers to go away, and drug cartels can get US and Mexican thugs to take care of their “problems”, how is it that these guys seem so untouchable?

Also, if WikiLeaks could get this information out of a bank, pharmaceutical company or government installation, who’s to say that a competitor or someone with an axe to grind couldn’t do the same?  Own a company?  Work for one that might want to protect its information assets, regardless of the reasons?  Time to Google “Data Leakage Prevention” and start doing your homework.

WikiLeaks info from Bruce Schneier:  http://www.schneier.com/blog/archives/2010/06/wikileaks.html