Unmasked.
by Ars Technica.
Anonymous got lucky. When five of its hackers attacked security company HBGary Federal on February 6, 2011, they were doing so in order to defend the group's privacy. It wasn't because they hoped to reveal plans to attack WikiLeaks, create surveillance cells targeting pro-union organizations, and sell sophisticated rootkits to the US government for use as offensive cyber weapons-but that's what they found.
In the weeks after the attack, the hackers released tens of thousands of e-mail messages and made headlines around the world. Aaron Barr, the CEO of HBGary Federal, eventually resigned; 12 Congressmen called for an investigation; an ethics complaint was lodged against a major DC law firm involved with some of the more dubious plans.
Looked at from a certain angle, with one's eyes squinted just right, the whole saga could look almost noble, a classic underdog story of rogue hackers taking on corporate and government power. On the flipside, however, the attacks caused big losses to several companies, leaked highly personal information about people's lives, and resulted in a sustained (and fairly juvenile) attack on related security firm HBGary, Inc. And the irony was not lost on those who were attacked: Anonymous demanded transparency while offering none itself.
The many contradictions of the narrative perfectly sum up Anonymous, which claims to have no leaders, no real members, and no fixed ideology. It is whatever anyone wants it to be; start an operation, drum up enough interest from others, and you are operating under the Anonymous banner. Such an approach can lead to chaos, simultaneously providing a fertile breeding ground for ideas and an opening for total anarchy. It can also cause a rift between those who want to be digital Robin Hoods and those who are merely hacking "for the lulz."
Few recent stories can shed so much light on a hacking movement, illuminate classified government contracting, reveal corporate bad behavior, raise doubts about the limits of Internet vigilante behavior, and show just how completely privacy has been obliterated in the digital age as the conflict between Anonymous and the two HBGarys.
That's why Ars Technica poured so much time into researching and writing the complete narrative of the attacks and their aftermath, and it's why we're pleased to bring you the complete series now, packaged together for easy reading.
Internet vigilante group Anonymous turned its sights on security firm HBGary on Sunday evening in an attempt to "teach [HBGary] a lesson you'll never forget." The firm had been working with the Federal Bureau of Investigation (FBI) to unmask members of Anonymous following the group's pro-WikiLeaks attacks on financial services companies, and was prepared to release its findings next week.
HBGary had been collecting information about Anonymous members after the group's DDoS attacks on companies perceived to be anti-WikiLeaks. The firm had targeted a number of senior Anonymous members, including a US-based member going by the name of Owen, as well as another member known as Q. In addition to working with the FBI (for a fee, of course), HBGary's CEO Aaron Barr was preparing to release the findings this month at a security conference in San Francisco.
Anonymous, however, felt that HBGary's findings were "nonsense" and immediately retaliated-but this time with something other than a DDoS attack. Instead, Anonymous compromised the company's website, gained access to the documents that HBGary had collected on its members, and published more than 60,000 of HBGary's e-mails to BitTorrent. They also vandalized Barr's Twitter and LinkedIn accounts with harsh messages and personal data about Barr, such as his social security number and home address.
"We've seen your internal documents, all of them, and do you know what we did? We laughed. Most of the information you've 'extracted' is publicly available via our IRC networks," Anonymous wrote in a statement posted to HBGary's site on Sunday. "So why can't you sell this information to the FBI like you intended? Because we're going to give it to them for free."
HBGary cofounder and security researcher Greg Hoglund confirmed on Sunday evening that the latest attacks were sophisticated compared to the group's past shenanigans. "They broke into one of HBGary's servers that was used for tech support, and they got e-mails through compromising an insecure Web server at HBGary Federal," Hoglund told KrebsonSecurity. "They used that to get the credentials for Aaron, who happened to be an administrator on our e-mail system, which is how they got into everything else. So it's a case where the hackers break in on a non-important system, which is very common in hacking situations, and leveraged lateral movement to get onto systems of interest over time."
As for the 60,000 e-mails that are now available to anyone with a torrent client, Hoglund argued that their publication was irresponsible and would cost HBGary millions of dollars in losses due to the exposure of proprietary information. "Before this, what these guys were doing was technically illegal, but it was in direct support of a government whistle blower. But now, we have a situation where they're committing a federal crime, stealing private data and posting it on a torrent," Hoglund said.
It's unlikely that Anonymous cares about what Hoglund thinks, though. Several of the company's e-mails indicated that Barr was looking for ways to spin its info about Anonymous as a pro-HBGary PR move, which Anonymous took special issue with. The group warned HBGary that it had "charged into the Anonymous hive" and now the company is "being stung."
"It would appear that security experts are not expertly secured," Anonymous wrote.
Aaron Barr believed he had penetrated Anonymous. The loose hacker collective had been responsible for everything from anti-Scientology protests to pro-Wikileaks attacks on MasterCard and Visa, and the FBI was now after them. But matching their online identities to real-world names and locations proved daunting. Barr found a way to crack the code.
In a private e-mail to a colleague at his security firm HBGary Federal, which sells digital tools to the US government, the CEO bragged about his research project.
"They think I have nothing but a heirarchy based on IRC [Internet Relay Chat] aliases!" he wrote. "As 1337 as these guys are suppsed to be they don't get it. I have pwned them! :)"
But had he?
"We are kind of pissed at him right now"
Barr's "pwning" meant finding out the names and addresses of the top Anonymous leadership. While the group claimed to be headless, Barr believed this to be a lie; indeed, he told others that Anonymous was a tiny group.
"At any given time there are probably no more than 20-40 people active, accept during hightened points of activity like Egypt and Tunisia where the numbers swell but mostly by trolls," he wrote in an internal e-mail.(All e-mails in this investigative report are provided verbatim, typos and all.)"Most of the people in the IRC channel are zombies to inflate the numbers."
The show was run by a couple of admins he identified as "Q," "Owen," and "CommanderX"-and Barr had used social media data and subterfuge to map those names to three real people, two in California and one in New York.
Near the end of January, Barr began publicizing his information, though without divulging the names of the Anonymous admins. When the Financial Times picked up the story and ran a piece on it on February 4, it wasn't long before Barr got what he wanted-contacts from the FBI, the Director of National Intelligence, and the US military. The FBI had been after Anonymous for some time, recently kicking in doors while executing 40 search warrants against group members.
Confident in his abilities, Barr told one of the programmers who helped him on the project, "You just need to program as good as I analyze."
But on February 5, one day after the Financial Times article and six days before Barr's sit-down with the FBI, Anonymous did some "pwning" of its own. "Ddos!!! Fckers," Barr sent from his iPhone as a distributed denial of service attack hit his corporate network. He then pledged to "take the gloves off."
When the liberal blog Daily Kos ran a story on Barr's work later that day, some Anonymous users commented on it. Barr sent out an e-mail to colleagues, and he was getting worked up: "They think all I know is their irc names!!!!! I know their real fing names. Karen [HBGary Federal's public relations head] I need u to help moderate me because I am getting angry. I am planning on releasing a few names of folks that were already arrested. This battle between us will help spur publicity anyway."
Indeed, publicity was the plan. Barr hoped his research would "start a verbal braul between us and keep it going because that will bring more media and more attention to a very important topic."
But within a day, Anonymous had managed to infiltrate HBGary Federal's website and take it down, replacing it with a pro-Anonymous message ("now the Anonymous hand is bitch-slapping you in the face.") Anonymous got into HBGary Federal's e-mail server, for which Barr was the admin, and compromised it, extracting over 40,000 e-mails and putting them up on The Pirate Bay, all after watching his communications for 30 hours, undetected. In an after-action IRC chat, Anonymous members bragged about how they had gone even further, deleting 1TB of HBGary backup data.
They even claimed to have wiped Barr's iPad remotely.
The situation got so bad for the security company that HBGary, the company which partially owns HBGary Federal, sent its president Penny Leavy into the Anonymous IRC chat rooms to swim with the sharks-and to beg them to leave her company alone. (Read the bizarre chat log.) Instead, Anonymous suggested that, to avoid more problems, Leavy should fire Barr and "take your investment in aaron's company and donate it to BRADLEY MANNINGS DEFENCE FUND." Barr should cough up a personal contribution, too; say, one month's salary?
As for Barr's "pwning," Leavy couldn't backtrack from it fast enough. "We have not seen the list [of Anonymous admins] and we are kind of pissed at him right now."
Were Barr's vaunted names even correct? Anonymous insisted repeatedly that they were not. As one admin put it in the IRC chat with Leavy, "Did you also know that aaron was peddling fake/wrong/false information leading to the potential arrest of innocent people?" The group then made that information public, claiming that it was all ridiculous.
Thanks to the leaked e-mails, we now have the full story of how Barr infiltrated Anonymous, used social media to compile his lists, and even resorted to attacks on the codebase of the Low Orbit Ion Cannon-and how others at his own company warned him about the pitfalls of his research.
"I will sell it"
Barr had been interested in social media for quite some time, believing that the links it showed between people had enormous value when it came to mapping networks of hackers-and when hackers wanted to target their victims. He presented a talk to a closed Department of Justice conference earlier this year on "specific techniques that can be used to target, collect, and exploit targets with laser focus and with 100 percent success" through social media.
His curiosity about teasing out the webs of connections between people grew. By scraping sites like Facebook or LinkedIn, Barr believed he could draw strong conclusions, such as determining which town someone lived in even if they didn't provide that information. How? By looking at their friends.
"The next step would be ok we have 24 people that list Auburn, NY as their hometown," he wrote to the programmer implementing his directives. "There are 60 other people that list over 5 of those 24 as friends. That immediately tells me that at a minimum those 60 can be tagged as having a hometown as Auburn, NY. The more the data matures the more things we can do with it."
The same went for hackers, whose family and friends might provide information that even the most carefully guarded Anonymous member could not conceal. "Hackers may not list the data, but hackers are people too so they associate with friends and family," Barr said. "Those friends and family can provide key indicators on the hacker without them releasing it..."
His programmer had doubts, saying that the scraping and linking work he was doing was of limited value and had no commercial prospects. As he wrote in an e-mail:
Step 1 : Gather all the data
Step 2 : ???
Step 3 : Profit
But Barr was confident. "I will sell it," he wrote.
To further test his ideas and to drum up interest in them, Barr proposed a talk at the BSides security conference in San Francisco, which takes place February 14 and 15. Barr's talk was titled "Who Needs NSA when we have Social Media?" and his plan to draw publicity involved a fateful decision: he would infiltrate and expose Anonymous, which he believed was strongly linked to WikiLeaks.
"I am going to focus on outing the major players of the anonymous group I think," he wrote. "Afterall - no secrets right? :) We will see how far I get. I may focus on NSA a bit to just so I can give all those freespeech nutjobs something... I just called people advocating freespeech, nutjobs - I threw up in my mouth a little."
With that, the game was afoot.
"I enjoy the LULZ"
Barr created multiple aliases and began logging on to Anonymous IRC chat rooms to figure out how the group worked. He worked to link these IRC handles to real people, in part using his social networking expertise, and he created fake Twitter accounts and Facebook profiles. He began communicating with those he believed were leaders.
After weeks of this work, he reported back to his colleagues on how he planned to use his fake personas to drum up interest in his upcoming talk.
I have developed a persona that is well accepted within their groups and want to use this and my real persona against eachother to build up press for the talk. Pre-talk plan.
I am going to tell a few key leaders under my persona, that I have been given information that a so called cyber security expert named Aaron Barr will be briefing the power of social media analysis and as part of the talk with be dissecting the Anonymous group as well as some critical infrastructure and government organizations I will prepare a press sheet for Karen to give to Darkreading a few days after I tell these folks under persona to legitimize the accusation. This will generate a big discussion in Anonymous chat channels, which are attended by the press. This will then generate press about the talk, hopefully driving more people and more business to us.
Barr then contacted another security company that specializes in botnet research. He suspected that top Anonymous admins like CommanderX had access to serious Internet firepower, and that this probably came through control of bots on compromised computers around the world.
Barr asked if the researchers could "search their database for specific targets (like the one below) during an operational window (date/time span) to see if any botnet(s) are participating in attacks? Below is an attack which is currently ongoing." (The attack in question was part of Anonymous' "Operation Payback" campaign and was targeted at the government of Venezuela.)
The report that came back focused on the Low Orbit Ion Cannon, a tool originally coded by a private security firm in order to test website defenses. The code was open-sourced and then abandoned, but someone later dusted it off and added "hivemind mode" that let LOIC users "opt in" to centralized control of the tool. With hundreds or thousands of machines running the stress-test tool at once, even major sites could be dropped quickly. (The company recorded only 1,200 machines going after MasterCard on December 11, for instance.)
To boost the credibility of his online aliases, Barr then resorted to a ruse. He asked his coder to grab the LOIC source code. "I want to add some code to it," Barr said. "I don't want to distribute that, it will be found and then my persona will be called out. I want to add it, distribute it under a persona to burn and then have my other persona call out the code."
The code to be added was an HTTP beacon that linked to a free website Barr had set up on Blogspot. He wanted a copy of the altered source and a compiled executable. His programmer, fearing Anonymous, balked.
On January 20, the coder wrote back, "I'm not compiling that shit on my box!" He even refused to grab a copy of the source code from message boards or other IRC users, because "I ain't touchin' any of that shit as those are already monitored."
"Dude," responded Barr. "Anonymous is a reckless organization. C'mon I know u and I both understand and believe generally in their principles but they are not a focused and considerate group, the[y] attack at will and do not care of their effects. Do u actually like this group?"
The coder said he didn't support all they did, but that Anonymous had its moments. Besides, "I enjoy the LULZ."
"Dude-who's evil?"
At one time, Barr supported WikiLeaks. When the site released its (edited) "Collateral Murder" video of a US gunship killing Reuters photographers in Iraq, Barr was on board. But when WikiLeaks released its huge cache of US diplomatic cables, Barr came to believe "they are a menace," and that when Anonymous sprang to the defense of WikiLeaks, it wasn't merely out of principle. It was about power.
"When they took down MasterCard do u think they thought alright win one for the small guy!" he asked. "The first thought through most of their malcontented minds was a rush of power. That's not ideals."
He continued in this philosophical vein: But dude whos evil?
US Gov? Wikileaks? Anonymous?
Its all about power. The Wikileaks and Anonymous guys think they are doing the people justice by without much investigation or education exposing information or targeting organizations? BS. Its about trying to take power from others and give it to themeselves.
I follow one law.
Mine.
His coder asked Barr how he slept at night, "you military industrial machine capitalist."
"I sleep great," Barr responded. "Of course I do indoor [enjoy?] the money and some sense of purpose. But I canget purpose a lot of places, few of which pay this salary."
The comments are over the top, of course. Elsewhere, Barr gets more serious. "I really dislike corporations," he says. "They suck the lifeblood out of humanity. But they are also necessary and keep us moving, in what direction I don't know.
"Governments and corporations should have a right to protect secrets, senstive information that could be damage to their operations. I think these groups are also saying this should be free game as well and I disagree. Hence the 250,000 cables. WHich was bullshit... Society needs some people in the know and some people not. These folks, these sheep believe that all information should be accessible. BS. And if they truly believe it then they should have no problem with me gathering information for public distribution."
But Anonymous had a bit of a problem with that.
The hunter and the hunted
As Barr wrapped up his research and wrote his conference presentation, he believed he had unmasked 80-90 percent of the Anonymous leadership-and he had done it all using publicly available information.
"They are relying on IP for anonymity," he wrote in a draft of his presentation. "That is irrelevant with social media users. U use IRC and FB and Twitter and Forums and Blogs regularly... hiding UR IP doesn't matter."
Barr would do things like correlate timestamps; a user in IRC would post something, and then a Twitter post on the same topic might appear a second later. Find a few of these links and you might conclude that the IRC user and the Twitter user were the same person.
Even if the content differed, what if you could correlate the times that someone was on IRC with the times a Facebook user was posting to his wall? "If you friend enough people you might be able to correlate people logging into chat with people logging into Facebook," Barr wrote.
The document contained a list of key IRC chatrooms and Twitter accounts. Facebook groups were included, as were websites. But then Barr started naming names. His notes are full of comments on Anonymous members. "Switch" is a "real asshole but knows what he's talking about," while "unbeliever" might be "alexander [last name redacted]."
In the end, Barr determined that three people were most important. A figure called Q was the "founder and runs the IRC. He is indead in California, as are many of the senior leadership of the group." Another person called Owen is "almost a co-founder, lives in NY with family that are also active in the group, including slenaid and rabbit (nicks)." Finally, CommanderX can "manage some significant firepower." Barr believed he had matched real names to each of these three individuals.
He wasn't doing it to actually expose the names, though. "My intent is not to do this work to put people in jail," Barr wrote to others in the company. "My intent is to clearly demonstrate how this can be effectively used to gather significant intelligence and potentially exploit targets of interest (the other customers will read between the lines)."
He then revealed himself on Facebook to the person he believed was CommanderX. "I am not going to release names," Barr said on February 5, using the alias Julian Goodspeak. "I am merely doing security research to prove the vulnerability of social media." He asked for Anonymous to call off its DDoS attack on HBGary Federal, an attack that had begun earlier that day.
Some of the responses from CommanderX were a bit chilling. Late in the conversation, CommanderX warned Barr "that your vulnerabilities are far more material. One look at your website locates all of your facilities. You might want to do something about that. Just being friendly. I hope you are being paid well."
Then came an IRC log that Barr sent around, in which a user named Topiary tried to recruit him (under the name CogAnon) for "a new operation in the Washington area" where HBGary Federal has its headquarters. The target is "a security company."
By late afternoon on the 5th, Barr was angry and perhaps a little scared, and he asked his PR person to "help moderate me because I am getting angry. I am planning on releasing a few names of folks that were already arrested." It's not clear that Barr ever did this, however; he admitted in another e-mail that he could get a bit "hot" in private, though he would generally cool down before going public.
Hours later, the attack escalated from some odd DDoS traffic to a full-scale break-in of HBGary Federal systems, one that showed tremendous skill. "What amazes me is, for a security company - you had such a basic SQL vulnerability on your website," wrote one Anonymous member later.
Days afterward, the company has still not managed to restore its complete website.
"Danger, Will Robinson!"
Throughout Barr's research, though, the coder he worked with worried about the relevance of what was being revealed. Barr talked up the superiority of his "analysis" work, but doubts remained. An e-mail exchange between the two on January 19 is instructive:
Barr: [I want to] check a persons friends list against the people that have liked or joined a particular group.
Coder: No it won't. It will tell you how mindless their friends are at clicking stupid shit that comes up on a friends page. especially when they first join facebook.
Barr: What? Yes it will. I am running throug analysis on the anonymous group right now and it definately would.
Coder: You keep assuming you're right, and basing that assumption off of guilt by association.
Barr: Noooo....its about probabilty based on frequency...c'mon ur way smarter at math than me.
Coder: Right, which is why i know your numbers are too small to draw the conclusion but you don't want to accept it. Your probability based on frequency right now is a gut feeling. Gut feelings are usually wrong.
Barr: [redacted]
Coder: [some information redacted] Yeah, your gut feelings are awesome! Plus, scientifically proven that gut feelings are wrong by real scientist types.
Barr: [some information redacted] On the gut feeling thing...dude I don't just go by gut feeling...I spend hours doing analysis and come to conclusions that I know can be automated...so put the taco down and get to work!
Coder: I'm not doubting that you're doing analysis. I'm doubting that statistically that analysis has any mathematical weight to back it. I put it at less than .1% chance that it's right. You're still working off of the idea that the data is accurate. mmmm.....taco!
Later, when Barr talks about some "advanced analytical techniques" he's been pondering for use on the Anonymous data, the coder replies with apparent frustration, "You keep saying things about statistics and analytics but you haven't given me one algorithm or SQL query statement."
Privately, the coder then went to another company official with a warning. "He's on a bad path. He's talking about his analytics and that he can prove things statistically but he hasn't proven anything mathematically nor has he had any of his data vetted for accuracy, yet he keeps briefing people and giving interviews. It's irresponsible to make claims/accusations based off of a guess from his best gut feeling when he has even told me that he believes his gut, but more often than not it's been proven wrong. I feel his arrogance is catching up to him again and that has never ended well...for any of us."
Others made similar dark warnings. "I don't really want to get DDOS'd, so assuming we do get DDOS'd then what? How do we make lemonade from that?" one executive asked Barr. The public relations exec warned Barr not to start dropping real names: "Take the emotion out of it -> focus on the purpose. I don't see benefit to you or company to tell them you have their real names -- published or not."
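The coder's complaint was that Barr never wrote down the rule or checked it against vetted data. Below is an added example (not code from the article, from HBGary or from its coder) that does both for the "hometown" heuristic Barr described in his Auburn, NY e-mail: it applies the friend-overlap rule to a small constructed friend graph with known ground truth, then asks how often a rule with no real signal would score at least as well by luck (a binomial tail at the base rate). The user names, the graph and the scaled-down threshold of 2 (Barr used "over 5 of those 24") are all made up for illustration.

```python
from math import comb

def build_graph(edges):
    """Undirected friend graph from (a, b) pairs: every user maps to a set of friends."""
    friends = {}
    for a, b in edges:
        friends.setdefault(a, set()).add(b)
        friends.setdefault(b, set()).add(a)
    return friends

def tag_by_overlap(friends, seeds, min_overlap):
    """Barr's rule as quoted in the article: a user who lists MORE THAN `min_overlap`
    of the known-hometown users (`seeds`) as friends is tagged with that hometown.
    Returns {user: number_of_seed_friends}."""
    tagged = {}
    for user, friend_list in friends.items():
        if user in seeds:
            continue
        overlap = len(friend_list & seeds)
        if overlap > min_overlap:
            tagged[user] = overlap
    return tagged

def binom_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p): the chance of k or more correct tags out of n
    if tagging were no better than guessing at the base rate p."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))

def evaluate(friends, seeds, truth, min_overlap):
    """Score the rule on a sample with vetted ground truth (`truth` = everyone who
    really has the hometown, seeds included). Precision is what fraction of the
    tags are right; p_value is how often pure chance would do at least that well."""
    tagged = tag_by_overlap(friends, seeds, min_overlap)
    candidates = set(friends) - seeds          # users the rule could tag
    hits = sum(1 for u in tagged if u in truth)
    base_rate = len(candidates & truth) / len(candidates)
    n = len(tagged)
    return {
        "tagged": sorted(tagged),
        "precision": hits / n if n else 0.0,
        "base_rate": base_rate,
        "p_value": binom_tail(hits, n, base_rate) if n else 1.0,
    }

# Constructed sample (not real data). s1..s4 are the "24 people that list Auburn";
# u1, u2 really live there but don't say so; n1 adds everyone who asks (the coder's
# "mindless clicking" case); n2 and n3 are unrelated.
EDGES = [
    ("u1", "s1"), ("u1", "s2"), ("u1", "s3"), ("u1", "s4"),
    ("u2", "s1"), ("u2", "s2"), ("u2", "s3"), ("u2", "s4"),
    ("n1", "s1"), ("n1", "s2"), ("n1", "s3"),
    ("n2", "s1"), ("n3", "n2"),
]
FRIENDS = build_graph(EDGES)
SEEDS = {"s1", "s2", "s3", "s4"}
TRUTH = SEEDS | {"u1", "u2"}
MIN_OVERLAP = 2

def run_demo():
    """Small sample: 3 tagged (u1, u2 and the false positive n1), precision 2/3 against
    a 0.4 base rate, but a 35% chance of doing that well by luck with only 3 tags.
    The scaled case shows the same precision over 60 tags (Barr's count), at a
    hypothetical 0.4 base rate, would be very unlikely by chance: sample size, not
    the rule, is what the coder was objecting to."""
    small = evaluate(FRIENDS, SEEDS, TRUTH, MIN_OVERLAP)
    scaled_p = binom_tail(40, 60, 0.4)
    return small, scaled_p

if __name__ == "__main__":
    result, scaled = run_demo()
    print(result)
    print("p-value for the same precision over 60 tags:", scaled)
```

On the constructed sample the rule is right twice out of three, which sounds good until you see that a coin weighted at the base rate gets there about one time in three; the rule only earns "mathematical weight" once it has been scored on enough vetted cases.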