Anonymous, an amorphous group of cyberactivists, has set its sights on HBGary Federal, a company claiming to provide security expertise to the United States’ federal government.
Anonymous’ attack followed statements by Aaron Barr, HBGary Federal’s CEO, that the company had collected information on the group’s main leaders.
Anonymous has previously attacked the websites of governments and firms that opposed or took action against WikiLeaks for publishing more than 250,000 U.S. government cables on the Internet.
HBGary Federal did not respond to requests for comment by press time.
In an interview the Financial Times published last week, Barr claimed to have compiled information about high-ranking members of Anonymous by various means, including Facebook profiles.
Barr did this to demonstrate the security risks to organizations from social media and networking, he claimed.
In the interview, he also identified the nicknames and locations of a few individuals he believed to be top members of Anonymous.
Giving an interview to the Financial Times was probably a mistake, Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.
“One thing you quickly learn as a security company is that you don’t go out and bait people,” Enderle said. “You don’t go out and seek news coverage or it will backfire on you,” he added.
“That’s the risk you take any time you challenge hackers,” Mandeep Khera, chief marketing officer at Cenzic, told TechNewsWorld. “They’ll always find a way to get in.”
In addition to hijacking HBGary Federal’s domain, Anonymous posted a message on the company’s website.
The message also included an excerpt from what Anonymous claims is one of Barr’s emails, in which he essentially said his actions were about publicizing HBGary Federal’s expertise.
Anonymous’ message states the information Barr discovered is publicly available on its IRC networks, and it implies that Barr meant to sell his research to the FBI. The message claims Anonymous has in fact already sent the information to the FBI itself.
The cyberactivist group also posted 66,000 of HBGary Federal’s corporate emails onto the Web.
Members of the group are being targeted by various governments. The British authorities have reportedly arrested five people they claim are members of Anonymous, and U.S. authorities are said to have carried out 40 court-authorized searches in connection with their investigation into Anonymous.
What Is HBGary Federal?
HBGary Federal was the U.S. government cybersecurity services arm of HBGary. It was spun off in December of 2009.
HBGary CEO and Founder Greg Hoglund hired cybersecurity experts Aaron Barr and Ted Vera as the spin-off’s CEO and COO, respectively. Both are former employees of Northrop Grumman.
Barr, whose interview triggered the retaliation from Anonymous, reportedly served as the director of technology for the cybersecurity and signal intelligence business unit in Northrop Grumman’s Intelligence Systems Division.
HBGary Federal’s targeted customers included the U.S. Department of Defense, the U.S. intelligence community and other government agencies.
Breaking Into HBGary Federal
Anonymous apparently hacked into HBGary Federal by first hacking a tech support server, then compromising an insecure Web server to get at the company’s emails, Hoglund told the Financial Times.
Finding and getting into a relatively insecure server in order to penetrate the enterprise network is a pretty standard hacking technique. Shouldn’t a company that specializes in security perhaps have all its servers secured?
“If you’re in the security business you probably need to make sure your own stuff is secure,” Enderle said. “But often it’s a case of the cobbler’s children not having new shoes — a company puts out new technology but that technology isn’t necessarily applied to its own operations.”
That’s because the workings of many security companies’ operations and in-house IT are kept separate, Enderle elaborated.
“The general security posture across the industry is very low right now,” Cenzic’s Khera said. “Most companies, for example, are testing only a fraction of their Web applications for security.”
However, it might not be feasible to harden all of a company’s systems, even if that company specializes in security, suggested Randy Abrams, director of technical education at ESET.
“Even security companies have budgets and resource limitations,” Abrams told TechNewsWorld. “Security is all about managing risk and, in weighing how secure the least important servers need to be, public relations should be part of the risk assessment for a security company.”