The first global cyber war has begun


Re: The first global cyber war has begun

Postby Plutonia » Wed Feb 09, 2011 11:23 pm

Haha! No problem!

Does this story have a scriptwriter FFS? Srsly, it's unbelievable.

Check out the email exchange Aaron Barr had with his marketing director and see just what a dope he is - from Crowdleaks:

Anonymous retaliates against HBGary espionage

This article was written by Laurelai, TauxFu and Stephen Lacy


In an article published on February 4th by Financial Times, Aaron Barr, CEO of the security services firm HBGary Federal, claims to have been spying on those frequenting the Anonymous Operations chat network.

In response, hackers under the banner of Anonymous have attacked the HBGary Federal computer system, defacing their website. They also took control of Aaron Barr’s personal twitter account where they posted his home address, telephone number, social security number, and an archive containing 50,000 messages from his HBGary email account.

Aaron Barr expressed to Financial Times that his aim was to expose the identities of Anonymous members, their individual locations, and the caliber of any influence they may have within the community. The information, Barr said, was for his upcoming talk at B-Sides security conference in San Francisco on Feb. 14 regarding information security in social media. He stated that he wanted to drum up some publicity ahead of time to help spur the debate but denied that he planned to release any of the information to Law Enforcement.

He further denied this in a February 7th interview with Forbes blogger Parmy Olson after the Anonymous attack had taken place.

“I did have a meeting with them this morning,” Barr says “They called me.”


A claim which Anonymous sources insist is an outright lie, citing an email conversation between Karen Burke (Director of Marketing & Communications for HBGary Inc,) and Aaron Barr.

On Feb 5, 2011, at 10:17 AM, Karen Burke wrote:
Thanks — I just saw the tweets and thought they were great. Will you say that you’ve been contacted by FBI (or law enforcement) as result of story?

On Sat, Feb 5, 2011 at 7:15 AM, Aaron Barr wrote:
ok Karen. I just tweeted a few posts on research and talk. This is the angle I want to stick with. If anyone asks about using this information for law enforcement I think we should say, well of course if law enforcement wants to discuss with me my research I will, its all open source, thats the thing, its all there. But my intent is not to do this work to put people in jail, my intent is to clearly demonstrate how this can be effectively used to gather significant intelligence and potentially exploit targets of interest (the other customers will read between the lines).

In further email correspondence, Karen Burke appears to believe that Barr is becoming too emotionally involved in his Anonymous research project. On closer inspection of the emails you can clearly see Barr's childish mindset and volatile intentions.

Aaron Barr
“They still don’t get it. They think all I know is their irc names!!!!! I know their real fing names.” he brags to a colleague. “My plan is to post on the HBGary Fed and HBGary website, Daily Kos, tweet, and post on the anonymous FB page.” He goes on to reiterate “No they are not freaked out. They don’t get it…Greg will tell you. They think I have nothing but a heirarchy based on IRC aliases!”

Karen Burke
“Hi Aaron, I don’t see the link — please resend. You are a researcher — I recommend that you write, post and tweet a blogpost about the purpose of your research and why you decided to include Anonymous as part of this research. Take the emotion out of it -> focus on the purpose. I don’t see benefit to you or company to tell them you have their real names — published or not. I think it will only antagonize them. I think we should continue to look for radio interview opportunities for you so you can share your story.”


Reading further, it becomes clear that Barr views his invasion of privacy as a game.
“as 1337 as these guys are suppsed to be they don’t get it. I have pwned them! :)


Penny Leavy, President of HBGary INC (a separate company which invests a small percentage into HBGary Federal) stated in an interview with Crowdleaks that she was unaware of Aaron's plan to sell the information to the FBI and that to her knowledge this was only supposed to be used in theoretical research. She also stated that her company would take a serious look at their current ties with HBGary Federal. She pointed out that she is a firm believer in freedom of speech and supports transparency in the government. However, she feels there would have been a better way to resolve this and wished that the individuals responsible had approached her first. When asked if she supported the ideals of their cause she had this to say:

“Yes, I think any American would. It’s important to support citizens ability to criticize their government, to support their government, to provide feedback in a variety of ways. We would not be the country we are today without it. Look at all the positive things that have happened in the US because of freedom of the press. But any type of violence or in this case, a reputation issue without all the facts isn’t good, it degrades the cause.”


A member of the Anonymous Operations community spoke to Crowdleaks on the record regarding motivations behind the attacks.

“We’ve essentially decided to exact revenge on HBGary, a “security” company who thinks they’ve, in their own words, gathered personal information on 80% of the Anonymous “higher-ups.” “We’ve acquired an email sent to the company from Aaron Barr (the CEO of HBGary Federal) essentially explaining how he simply wants to keep a verbal brawl with Anonymous going to gain publicity for himself; he’s jumping on the Anonymous trend to gain attention. Not only is this propagating a falsehood, but the fact that the FBI was gullible enough to believe it (not to mention burn tax money on it) just pushed this to all different levels of ridiculous. Couldn’t just let that go.”


They continued, saying:
“It would be nice to get it out there that Ted Vera was sending out emails of skepticism towards Aaron’s actions, and that other members of the company were beginning to doubt Aaron’s findings as well. He planned to meet with the FBI tomorrow morning to negotiate prices for the document that we’ve now made public, he wanted to further his own career by trying to jump on the attention Anonymous has been getting recently. Well, he got what he wanted in the end. Yes, admittedly it was a bit harsh posting his address and social security number on Twitter, but his initial plan was to find information like that on Anonymous.”


What a git! :doh:



(BTW, Crowdleaks needs more writers and translators. )
[the British] government always kept a kind of standing army of news writers who without any regard to truth, or to what should be like truth, invented & put into the papers whatever might serve the minister

T Jefferson,

Re: The first global cyber war has begun

Postby Plutonia » Thu Feb 10, 2011 1:59 am

OMFG!!!

...
[03:28] <blackjak__> department of defense (fail)
[03:28] <&Sabu> hbgary does dod and have clearance

[03:28] <+heyguise> forbesies
[03:28] <~tflow> http://www.icerocket.com/search?tab=twi ... &x=37&y=17
[03:28] <url> emailing the inquirer
[03:28] <&Sabu> BUT after this im sure they will lose their clearance
[03:28] <RealNick> add this
[03:28] <RealNick> We must resist, not as a last act of desperation, but as a first act of creation. We will raise public awareness with DDoS attacks like we have successfully done in the past. Comparable to a sit-in, DDoS protesters disrupt business or government actions by obstructing the flow of normal traffic, in order to make a political point. Anonymous will fight against censorship and oppression. The truth is too important. To Quote Bradley Manning: “I
[03:28] <spoonzy> DoD darknet passcodes? Lol
[03:28] <RealNick> I reckon

...


http://pastebin.com/x69Akp5L
First Wikileaks, then Egypt, now this! The US is having a really bad decade - 5 weeks in!!! :lol2:

Re: The first global cyber war has begun

Postby Plutonia » Fri Feb 11, 2011 3:13 am

Fresh news at the end:


(Virtually) face to face: how Aaron Barr revealed himself to Anonymous
By Nate Anderson | Last updated about 7 hours ago

Aaron Barr, CEO of security company HBGary Federal, spent the month of January trying to uncover the real identities of the hacker collective Anonymous—only to end with his company website knocked offline, his e-mails stolen, 1TB of backups deleted, and his personal iPad wiped when Anonymous found out.

Our lengthy investigation of that story generated such interest that we wanted to flesh out one compelling facet of the story in even more detail. In a sea of technical jargon, social media analysis, and digital detective work, it stands out as a truly human moment, when Barr revealed himself to Anonymous and dialogued directly with senior leaders and "members" of the group.

The encounter began on February 5. Barr had managed to get his work written up in a Financial Times story the day before, and now strange traffic was pouring in to HBGary Federal. With his research done and his story in print, Barr needed only to work up some conference slides and prepare for a meeting with the FBI, which had been tracking Anonymous for some time. So Barr ditched the covert identities he had been using to watch the group, and on February 5 he approached a person on Facebook whom he believed was the powerful CommanderX.

Barr's apparent motives were multiple: to mitigate any revenge upon his company, but also to meet as equals with his hacker subjects. No harm, no foul, right? Anonymous didn't agree. (Quotes in this article are provided verbatim, typos and all.)

Barr: CommanderX. This is my research… I am not going to release names I am merely doing security research to prove the vulnerability of social media so please tell [redacted] and [redacted] or whoever else is hitting our site to stop.

CommanderX: Uhhh…. not my doing! Just as a thought… wouldn't that be valuable data to your research?

Barr: I am done with my research…doing my slides…I am not out to gut u guys. My focus is on social media vulnerabilities only. So please tell the folks there that I am not out to get you guys… I knew you guys were a risky target but nothing risked nothing gained. People can show their bravado thats fine I can deal with that. Just want the 'leadership' to know what my intent is…that will filter as it needs to I am sure.

CommanderX: 'Leadership' lmao [laughing my ass off] it has grown beyond my control, just as I intended.

Barr: … I will talk about aliases. I won't talk about names. But please don't play me a chump any more than you have to to protect anons cred. I know more than IRC aliases…. u have a lot of firepower and know how in some dark corners…hell some of them may even know Greg Hoglund the CEO of our other company. So if it is some of your guys just want to make sure they don't get too aggressive.

CommanderX: Which website?

Barr: hbgaryfederal.com

CommanderX … I warn you that your vulnerabilities are far more material. One look at your website locates all of your facilities. You might want to do something about that. Just being friendly. I hope you are being paid well.


"Come at us, bro"

Barr then entered an Anonymous IRC chat room, where his "CogAnon" profile had already been exposed. When he showed up, this is what greeted him. (Anonymous handles have been altered in this non-public section of chat.)

[23:47] <CogAnon> guys I'll tell you...it was only research...it has now become a criminal matter...

[23:48] <CogAnon> our website was hacked...twitter account... email.... ok...guys if thats the way u want to play it.

[23:48] <ANON2> CogAnon: come at us bro

[23:48] <CogAnon> I won't...

[23:48] <ANON1> CogAnon: Hello.

[23:48] <ANON2> CogAnon: nice screencap earlier by the way, did Ted and [HBGary CEO] Penny enjoy it, faggot?

[23:49] <CogAnon> not sure why u had to make it personal...I had 2 other usecases...

[23:49] <CogAnon> but ok... I figured this might happen...I am not upset... it just takes a differnt path...

[23:51] <CogAnon> ok see you guys later...not even close to end of career... :) need to finish my talk.

[23:52] <ANON2> maybe CogAnon will enjoy what's uploading right now

[00:18] * CogAnon is now known as AaronBarr


The material "uploading right now" was apparently Barr's private e-mails; Anonymous had infiltrated his company e-mail server, where Barr was the admin, and had taken more than 40,000 messages from three top execs. They were then uploaded to The Pirate Bay.

"What's coming next is the delicious cake"

The next day, February 6, the attacks turned serious, and Barr realized the extent of what Anonymous had done to him and to his company, which was currently in negotiations to sell itself to a pair of interested buyers. This was no longer a game; it looked more like war. The sheer freewheeling raucousness of what follows illustrates as well as anything the nature of Anonymous, and it's worth quoting at length. (A few unimportant bits have been stripped for clarity, denoted by an ellipsis.)

Note that several members of the channel have already seen Barr's e-mails. (Read the full public log.)

[23:53:49] <q> Ohai CogAnon

[23:53:56] <tflow> Hello, Mr. Barr.

[23:54:12] <Topiary> Mr. Barr and his infiltration of Anonymous; "Now they're threatening us directly", amirite?

[23:54:16] <tflow> I apologize for what's about to happen to you and your company.

[23:54:20] <q> Enjoying the Superbowl, I hope?

[23:54:25] <CogAnon> high one sec. please

[23:54:25] <tflow> I really do, Mr. Barr.

[23:54:36] <tflow> You have no idea what's coming next.

[23:54:36] <Topiary> tflow: How are things going with that, anyway?

[23:55:24] <Topiary> CogAnon is clearly super 1337 with his PM psyops skills in the Washington area

[23:55:29] <CogAnon> ok...sure I figured something like this might happen.

[23:55:42] <Topiary> CogAnon: nah, you won't like what's coming next

[23:55:51] <tflow> CogAnon: Can you guess what's coming next?

[23:56:00] <Topiary> Ooh, a fun game - guess!

[23:56:02] <CogAnon> dude...you just don't get it. it was research on social media vulnerabilities...I was never going to release the names...

[23:56:11] <Sabu> LIAR

[23:56:14] <CogAnon> as I told CommanderX last night.

[23:56:16] <BarrettBrown> CogAnon: You went to press

[23:56:22] <Topiary> CogAnon: yeah we read the facebook conversation, and every other conversation

[23:56:23] <BarrettBrown> With info that was largely false

[23:56:24] <q> CogAnon: only that your research like totally failed and all your info was bullshit

[23:56:25] <c0s> CogAnon: that article was a hit peice.

[23:56:27] <CogAnon> ok whatever...whoever has done this has tied my hands now though.

[23:56:37] <BarrettBrown> I suggest you go to Bloomberg and explain

[23:56:38] <Sabu> CogAnon: Don't you have a meeting with the FBI Monday morning?

[23:56:39] <CogAnon> ok

[23:56:42] <Topiary> Sabu: he totally does

[23:56:44] <tflow> CogAnon: I feel sorry for what's about to happen. I really do.

[23:56:45] <Sabu> Tomorrow @ 11am?

[23:56:46] <q> CogAnon: we'll send that to your FBI friends, so they have that before your talk tomorrow

[23:56:49] <CogAnon> yep...they called me.

[23:56:51] <n0pants> Moral of the Story: Don't drum up business by banging on a hornet's nest.

[23:57:01] <CogAnon> I have a lot of people calling me.

[23:57:02] <Sabu> You intended of battling anonymous in the media for media gain and attention

[23:57:04] <Sabu> well let me ask you

[23:57:08] <Sabu> you got the media attention now

[23:57:10] <Sabu> how does it feel

[23:57:11] <Sabu> ?

[23:57:14] <CogAnon> yep



[23:57:34] <Topiary> Oh guys, what's coming next is the delicious cake.



[23:58:53] <nigg> so who wants all of

[23:58:55] <nigg> his emails?

[23:59:06] <Sabu> uhm you have his emails????

[23:59:10] <Sabu> DAMN!

[23:59:14] <nigg> 2.3gb's of gold

[23:59:15] <Topiary> sure, I'd enjoy some 68,000 emails

[23:59:19] <Topiary> can we please have 68,000 of their emails?

[23:59:21] <blergh> lol

[23:59:21] <`k> nigg not ehre

[23:59:22] <tflow> I already have them

[23:59:23] <blergh> what is this?

[23:59:25] <c0s> those emails are going to be pretty

[23:59:25] <Topiary> oh wait we totally already have them

[23:59:26] <`k> here

[23:59:27] <nigg> 68,000?

[23:59:27] <Topiary> trolololol



[23:59:50] <tflow> I have Barr's, Ted's and Phil's emails

[23:59:50] <nigg> im talking

[23:59:50] <CogAnon> lol..ok guys well u got me right. :)


On February 7, Barr's compromised Twitter account contained the following posts, which appear to be from Barr himself—though it's hard to say. (Those from his Anonymous persecutors have a very different tone, and contain more links and profanity.)
Ok. Well this has been fun. Anon has certainly done a number on me for the last, wow has it only been 24hrs? Seems longer...

site defaced, twitter hacked, email taken...priceless.

Does this mean I have become an internet celebrity...not quite how I imagined it?

ok. So Anon has done a number on me. Probably going to take a bit to piece things together, probably more to come.


But there has been no more to come. Twitter has now locked the account, according to Anonymous.

The persecution was brutal. People began defacing images of Barr, hosting them all in a central repository for easy viewing—they even dredged up a personal picture of the man dressed as The Hulk for a round of trick-or-treating with his kid. HBGary, a part owner of HBGary Federal, sent its own President Penny Leavy into the Anonymous chat rooms to ask them to stop—or at least to keep the e-mails private. Anonymous did not, demanding instead Barr's resignation.

Members of the group have spent today apparently prepping to release a new e-mail archive from Leavy's husband, the respected security pro Greg Hoglund, whose own site rootkit.com was compromised by (allegedly) a 16-year-old through a bit of social engineering. The persecution continues.

Persecution? Retribution more like. Heh.

Re: The first global cyber war has begun

Postby JackRiddler » Fri Feb 11, 2011 8:53 pm

.

What a treasure trove. I didn't realize this HB Gary story has been going for several days, and so well-documented here, before I started the other thread on it.

Thanks all, especially plutonia!
We meet at the borders of our being, we dream something of each others reality. - Harvey of R.I.

To Justice my maker from on high did incline:
I am by virtue of its might divine,
The highest Wisdom and the first Love.

TopSecret WallSt. Iraq & more

Re: The first global cyber war has begun

Postby Plutonia » Fri Feb 11, 2011 9:31 pm

Yeah, it's like Egypt all over again Lol (Edit: keeps getting better, I meant to say)

So, of course there is more.

Get this

After her foray into the chans to beg for mercy, Penny & crew made a public statement accusing Anons of doctoring/faking the leaked emails. Which, predictably, pissed Anons off.
AnonymousIRC Anonymous
@PalantirTech welcome to the Jedis. @HBGaryPR Burn in hell. @BericoTech we are waiting for a statement. #Anonymous.

They were going to hold back Greg Hoglund's emails as a courtesy (prolly to him 'cause he is quite a reputable hacker), but not any more.

They have begun leaking his emails rather covertly, posting them into comments sections and here and there with notifications via Twitter (#anonleaks.) I've been keeping an eye out for developments but those I've seen have been comparatively uninteresting and presumably only meant to embarrass Greg (like here http://pastebin.com/4rM26cwT.)

Until now....


Duh duh daaaa




Houston, we have a problem. Or should I say, “Iran, we have your problem?” Last night, a member of hacker group Anonymous – a devious 4chan-spawned Internet coalition known for increasingly serious web-based attacks – announced on Twitter that the group was in possession of the Stuxnet virus.

Stuxnet is one of the more powerful viruses to ever spread across the internet. As Bruce Schneier detailed for Forbes, the worm crippled Iran’s nuclear facility by infiltrating a Siemens control system for industrial centrifuges. As I wrote late last year, the Stuxnet virus is a stark example of how cyber attacks can affect brick and mortar institutions.

Anonymous Claims Possession Of Insidious Stuxnet Virus

Feb. 11 2011 - 6:19 pm

“Anonymous is now in possession of Stuxnet – problem, officer?” tweeted a user by the name of Topiary. Topiary’s profile describes the user as an online activist and a “Supporter of Anonymous Operations, WikiLeaks, and maintaining freedom on the Internet.”

To me, two huge questions arise from Anonymous’ claim:

1. Are they actually in possession of Stuxnet?
2. Can they do anything with it?

The answer to both questions, of course, is maybe. But let’s dive a little deeper.

Recently, Anonymous has been in the news for its high profile attacks on software security firm HBGary, after Aaron Barr, the CEO of HBGary’s sister firm HBGary Federal, claimed to have acquired the names of senior Anonymous members and threatened to release them to the public. Forbes’ Parmy Olson has done a fantastic job covering that affair.

This is where the possibility for Anonymous getting its hands on Stuxnet increases. In a post this morning, Olson quotes a source from Anonymous who briefly rattles off the contents of a slew of emails uncovered during the HBGary takedown. “Three different malware archives, two bots, an offer to sell a botnet, a genuine stuxnet copy, and various malware lists,” are supposedly among the contents.

Could this be pure posturing? Sure. But it doesn’t seem out of the question that a security firm would have high level information on one of the most threatening viruses out there.

So let’s pretend that Anonymous does, in fact, have a copy of the Stuxnet worm in their possession. Can they do anything with it? We’ve already seen Stuxnet’s efficacy in attacking Siemens Supervisory Control And Data Acquisition (SCADA) systems attached to very specific industrial machinery. The complexity of the worm allowed it to infiltrate deep into Iran’s nuclear facilities before unleashing its payload. A report by Symantec today updated their September dossier on the virus and revealed that the attacks started in June of 2009 and ended in May 2010, around a month before the attacks were even noticed.

The worm’s complexity, however, could also render it mostly useless in Anonymous’ hands. I’ll let Schneier get into the weeds on some of the details, since he does a great job of explaining:

Here’s what we do know: Stuxnet is an Internet worm that infects Windows computers. It primarily spreads via USB sticks, which allows it to get into computers and networks not normally connected to the Internet. Once inside a network, it uses a variety of mechanisms to propagate to other machines within that network and gain privilege once it has infected those machines. These mechanisms include both known and patched vulnerabilities, and four “zero-day exploits”: vulnerabilities that were unknown and unpatched when the worm was released. (All the infection vulnerabilities have since been patched.)

Stuxnet doesn’t actually do anything on those infected Windows computers, because they’re not the real target. What Stuxnet looks for is a particular model of Programmable Logic Controller (PLC) made by Siemens (the press often refers to these as SCADA systems, which is technically incorrect). These are small embedded industrial control systems that run all sorts of automated processes: on factory floors, in chemical plants, in oil refineries, at pipelines–and, yes, in nuclear power plants. These PLCs are often controlled by computers, and Stuxnet looks for Siemens SIMATIC WinCC/Step 7 controller software.

If it doesn’t find one, it does nothing.


So, unless the Anonymous hackers want to control industrial centrifuges, we should be alright? Not so fast. Theoretically, it would be possible to dismantle the virus and implant a separate payload, effectively piggy-backing another virus on the Windows-based attack code. This is no walk in the park coding exercise, to be sure, but Anonymous has proven their impressive abilities in the past. If such a deconstruction and reconstruction were to be pulled off, it could have wide-reaching consequences. In August 2010, the Stuxnet virus was reportedly infecting over 60,000 computers in Iran, not causing any harm but eager to spread until it found a place to release its payload.

For now, we’re largely dealing in hypotheticals. Since Stuxnet has been discovered, efforts are being put against it at high levels to prevent such attacks in the future. But if Anonymous does, in fact, have possession of the worm, it could have massive repercussions for both online and offline security. As Mort Zuckerman said late last year, though, “Malicious programmers are always able to find weaknesses and challenge security measures. The defender is always lagging behind the attacker.”

http://blogs.forbes.com/chrisbarth/2011 ... net-virus/


Holy shit eh? :twisted:
Last edited by Plutonia on Fri Feb 11, 2011 9:40 pm, edited 1 time in total.

Re: The first global cyber war has begun

Postby seemslikeadream » Fri Feb 11, 2011 9:40 pm

It's been a really fun day

Mazars and Deutsche Bank could have ended this nightmare before it started.
They could still get him out of office.
But instead, they want mass death.
Don’t forget that.

Re: The first global cyber war has begun

Postby KeenInsight » Sat Feb 12, 2011 1:44 am

Lol, this is great stuff. Really sticking it to 'em. Anon! :yay

Re: The first global cyber war has begun

Postby Plutonia » Sat Feb 12, 2011 2:25 am

Topiary=Anon Twitter
atopiary Topiary
@HBGaryPR - Tell the press about your involvement with Stuxnet or we will do it for you. http://pastebin.com/raw.php?i=KSuiCriG #AnonLeaks
From: Greg Hoglund <greg@hbgary.com>
To: all@hbgary.com
Date: Sun, 26 Sep 2010 20:26:02 -0700
Subject: stuxnet

All,

HBGary has no official position on Stuxnet. Please do not comment to the
press on Stuxnet. We know nothing about Stuxnet.

-Greg Hoglund
CEO, HBGary, Inc.
atopiary Topiary
Anonymous' response on future #Stuxnet use is "lol idk". We kind of don't care - it's nothing special. All we need are steroids and magnets.


"lol idk"? :rofl:



Two narratives re: stuxnet out there - Super-duper-dyn-o-mite-astic!! and Not-so-much:

From another "elite" infosec company:
Dec 26 2010
We at Langner help our clients plan, procure, install, operate and maintain secure and robust control system networks. Our global leadership was demonstrated by our quick success in technically, tactically and strategically analyzing the first cyber warfare weapon in history – the Stuxnet malware.

...

The short path from cyber missiles to dirty digital bombs

More and more details of the Stuxnet malware and its purpose become clear. Stuxnet appears to be the first real cyber warfare attack in history, with “real” meaning that the virus caused physical destruction of heavily fortified military targets, some of them buried 75 feet underground. Plans had been made to destroy these targets by air strikes when it became clear that sanctions alone would not stop Tehran on its way to nuclear weapon capability. Both Israel and the United States had not only planned for military action, but, in the case of Israel, even done rehearsals.

etc



And this bit at the bottom of the wiki page:


"The attack is still ongoing and new versions of this virus are spreading." He reports that his company had begun the cleanup process at Iran's "sensitive centres and organizations."[86] "We had anticipated that we could root out the virus within one to two months, but the virus is not stable, and since we started the cleanup process three new versions of it have been spreading," he told the Islamic Republic News Agency on 27 September 2010.[88]

On 29 November 2010, Iranian president Mahmoud Ahmadinejad admitted for the first time that a computer virus had caused problems with the controller handling the centrifuges at its Natanz facilities. According to Reuters he told reporters at a news conference in Tehran, "They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts."[89][90]

On the same day two Iranian nuclear scientists were targeted in separate, but nearly simultaneous car bomb attacks near Shahid Beheshti University in Tehran. Majid Shahriari, head of the Iranian nuclear program was killed. Fereydoon Abbasi, a high-ranking official at the Ministry of Defense was seriously wounded. Wired speculated that the assassinations could indicate that whoever was behind Stuxnet felt that it was not sufficient to stop the nuclear program.[91] In January 2010, another Iranian nuclear scientist, a physics professor at Tehran University, had been assassinated in a similar attack.[91]


:evil:

Re: The first global cyber war has begun

Postby JackRiddler » Sun Feb 13, 2011 11:47 am

.

For reference, prior Stuxnet discussion:
viewtopic.php?f=8&t=29540

.

Re: The first global cyber war has begun

Postby Plutonia » Sun Feb 13, 2011 4:08 pm

JackRiddler wrote:.

For reference, prior Stuxnet discussion:
viewtopic.php?f=8&t=29540

.
Thanks JR. tldr: Stuxnet more of a psyop than a real threat.


Now here's the latest development - corp-spook ops revealed once again to be equal parts creepy and retarded.

We let these guys fuck with us, why?

Highlights:
*TSA rife with Stuxnet?!
*Greg and Aaron are hot for "Hunter/Killer" malware!?
*Aaron Barr can't get a date without Penny's help?!


HBGary wanted to suppress Stuxnet research

This article was written by laurelai

It is no secret that in recent days, Anonymous Operatives have released a cache of HBGary Federal internal emails to the public. Crowdleaks has discovered that within these communications, Aaron Barr received a copy of Stuxnet (a computer worm that targets the types of industrial control systems (ICS) that are commonly used in infrastructure supporting facilities) from McAfee on July 28, 2010.

In an effort to confirm this was in fact Stuxnet, Crowdleaks has decompiled some of the source code, which can be found here. Throughout the following emails it is revealed that HBGary Federal may have been planning to use Stuxnet for their own purposes.

In a message sent to all email account holders at HBGary.com, Charles Copeland (Lead Support Engineer at HBGary, Inc.) writes:

from: Charles Copeland
to: all@hbgary.com
date: Sat, Sep 25, 2010 at 9:54 PM
subject: Stuxnet Worm Mailing List
mailed-by: hbgary.com
Computerworld – Officials in Iran have confirmed that the Stuxnet worm infected at least
30,000 Windows PCs in the country, multiple Iranian news services reported on Saturday.

http://www.computerworld.com/s/article/ ... al_systems

I’ve already got an email asking about stuxnet, this came out late Friday. Does anyone have a dropper? I have been unable to find it.


In another email sent directly to Aaron Barr, David D. Merritt writes:

from: David D. Merritt
to: Aaron Barr
date: Sun, Oct 3, 2010 at 9:35 PM
subject: Re: Hunter Killer Insanity 285
mailed-by: gmail.com
contacts over at TSA say that everybody has a copy…combine that with US CERTs vulnerability status and their own systems not meeting the spec….
i’m seeing TSA becoming a malware testbed…


Aaron Barr responds:

On Oct 3, 2010, at 10:13 PM, Aaron Barr wrote:
> Dave,
>
> We haven’t but I would be interested to talk to you some about the tie. I do have a decent amount of information on Stuxnet and would be interested to hear about the tie. Some of what I know about Stuxnet might be of interest. I think it would be best to discuss in a more closed space though.
>
> In doing a little research:
> http://diocyde.wordpress.com/2010/03/12 ... eir-pwned/


A bit of tasty whatsit from that link:
For those that don’t know or havent been reading the press Einstein is DHS’s hope/vision for a big old digital condom from all that nasti hackiness thats been eroding our countries competitive edge for o say like 10 years. Better hurry up guys, we probably on have about 5 years of Research and Development left to lose before we are facing adversaries that are technologically advanced as us. And o ya 4 times the population. There wont be much need for us in the future.


cont...

> While this guy can be a bit of a crackpot at times his post has more validity than fiction. Greg and I have brainstormed a bit in the past on how to conduct such an attack that would be very difficult to detect. Autonomous, single purpose malware with no C&C. As we have said the battle is on the edges either source or destination, everything else is or will become somewhat irrelevant or diminished in value.
>
> Aaron Barr
> CEO
> HBGary Federal, LLC
> 719.510.8478


In another message sent to all email account holders at HBGary.com by Greg Hoglund, it’s made clear that HBGary wanted to hide their work on Stuxnet.


from: Greg Hoglund
to: all@hbgary.com
date: Sun, Sep 26, 2010 at 10:26 PM
subject: stuxnet mailing list
mailed-by: hbgary.com

All,

HBGary has no official position on Stuxnet. Please do not comment to the press on Stuxnet. We know nothing about Stuxnet.

-Greg Hoglund

CEO, HBGary, Inc.


In the most chilling strand of emails, we find that whatever HBGary was working on, it was in conjunction with the NSA.


I found a Cheryl D Peace as Director of Cyber Space Security DHS (2004)... same?

Aaron Barr writes:

Hi Cheryl,
719.510.8478
Aaron
Sent from my iPad


Aaron Barr writes:
> From: Aaron Barr
> To: Peace, Cheryl D
> Sent: Mon Aug 09 13:54:23 2010
> Subject: Re: Number
>
> Hi Cheryl,
>
> It does. I haven’t met him personally. Our sister company does work
> in a few different pockets on the bldg. And i am on the extended NANA
> team. I recently joined to stand up HBGary federal, a related but
> separate company. We manage all the work that requires clearances.
> We exchange some technologies, but we have some separate developments
> as well. Mostly around threat intelligence and CNO/social media.

>
> I think there are some enabling tech to your mission but really need
> that qualified.
>
> Interested to run some of the stuxnet stuff by u as well.
>
> Aaron
>
>
> Sent from my iPhone


Cheryl Peace writes:

On Aug 9, 2010, at 9:27 AM, “Peace, Cheryl D” wrote:
>
>> Aaron
>> Did a little checking and we already do busy with you guys. Does the name
>> Tony Seager ring a bell?


Aaron Barr writes:

>> -----Original Message-----
>> From: Aaron Barr [mailto:aaron@hbgary.com]
>> Sent: Friday, August 06, 2010 10:56 AM
>> To: Peace, Cheryl D
>> Subject: Re: Number
>>
>> OK. If interested do you have some time to get together when you get back?
>> either next Friday or early the following week?
>> Aaron


Cheryl Peace writes:
>> On Aug 6, 2010, at 10:44 AM, Peace, Cheryl D wrote:
>>
>>> I am in Europe till mid next week


Aaron Barr writes:

>>> -----Original Message-----
>>> From: Aaron Barr [mailto:aaron@hbgary.com]
>>> Sent: Thursday, August 05, 2010 10:57 PM
>>> To: Peace, Cheryl D
>>> Subject: Re: Number
>>>
>>> Hi Cheryl,
>>>
>>> Can I schedule an appointment with you to come by and chat for a few
>>> minutes?
>>>
>>> Aaron


Cheryl Peace writes:
>>> On Jul 30, 2010, at 10:41 PM, Peace, Cheryl D wrote:
>>>
>>>> I am at Rao at the bar if you want to come by for a few. Meeting friends
>>> for a cocktail in a few
>>>> ————————–
>>>> Sent using BlackBerry


Aaron Barr writes:

>>>> ----- Original Message -----
>>>> From: Aaron Barr
>>>> To: Peace, Cheryl D
>>>> Sent: Fri Jul 30 20:02:44 2010
>>>> Subject: Number
>>>>
>>>> Cheryl,
>>>>
>>>> Sorry to bother you but do you have a minute to talk. I don’t have
>>>> your number handy. It will only take moment, but I have some
>>>> information for you.
>>>>
>>>> Aaron Barr
>>>> CEO
>>>> HBGary Federal
>>>> 7195108478


In a related internal email sent to Rich Cummings (CTO of HBGary, Inc.) Greg Hoglund writes:

from: Greg Hoglund
to: Rich Cummings
date: Mon, Nov 16, 2009 at 9:30 PM
subject: Govt dropper in this word DOC, zipped up for you
mailed-by: hbgary.com

Phil, Rich,

I got this word doc linked off a dangler site for Al Qaeda peeps. I think it has a US govvy payload buried inside. Would be neat to REcon it and see what it’s about. DONT open it unless in a VM obviously. password is meatflower. Remove the .txt extension too. DONT let it FONE HOME unless you want black suits landing on your front acre. :-)


-Greg



Crowdleaks.org had a software engineer (whose name has been withheld) look at the Stuxnet binaries inside of a debugger and offer some insight on the worm. She informed us that most of the worm’s sources were using code similar to what is already publicly available. She noted that the only remarkable thing about it was the 4 Windows 0-days and the stolen certificates.

She says:
“A hacker did not write this, it appears to be something that would be produced by a team using a process, all of the components were created using code similar to what is already publicly available. That is to say it’s ‘unremarkable’. This was created by a software development team and while the coders were professional level I am really not impressed with the end product, it looks like a picture a child painted with finger paints.”


When asked what type of organization likely wrote it, she stated:
“Probably a corporation by request of a government, it was clearly tested and put together by pros. It really looks like outsourced work.”

Plutonia
Posts: 1267
Joined: Sat Nov 15, 2008 2:07 pm

Re: The first global cyber war has begun

Postby Plutonia » Sun Feb 13, 2011 5:51 pm

Moar

@kaepora Nadim Kobeissi
Hey everyone, here's all the conversations between HBGary and their Canadian Private Intelligence friends @SecDev http://uiu.me/secdev.zip

Plutonia
Posts: 1267
Joined: Sat Nov 15, 2008 2:07 pm

Re: The first global cyber war has begun

Postby Plutonia » Sun Feb 13, 2011 6:17 pm

Searchable database of HBGary emails is up!!

http://hbgary.operationfreedom.ru/

"Protip: search for WikiLeaks, Anonymous, FBI, NASA, Stuxnet, etc."

:)

Plutonia
Posts: 1267
Joined: Sat Nov 15, 2008 2:07 pm

Re: The first global cyber war has begun

Postby wintler2 » Sun Feb 13, 2011 7:23 pm

It's interesting that Anon are now serious leakers in their own right. The HBGary & related material is pretty devastating for the status of the national security state, and contains detail that wikileaks would have redacted. Could a public prosecutor step up and give the privatised spooks the haircut they deserve, using the hacked emails?
"Wintler2, you are a disgusting example of a human being, the worst kind in existence on God's Earth. This is not just my personal judgement.." BenD

Research question: are all god botherers authoritarians?
wintler2
Posts: 2884
Joined: Sun Nov 12, 2006 3:43 am
Location: Inland SE Aus.

Re: The first global cyber war has begun

Postby Joe Hillshoist » Sun Feb 13, 2011 9:59 pm

That search function at the email leaks page doesn't work at the moment (at least from Australia.)
Joe Hillshoist
 
Posts: 10594
Joined: Mon Jun 12, 2006 10:45 pm

Re: The first global cyber war has begun

Postby Joe Hillshoist » Mon Feb 14, 2011 12:53 am

wintler2 wrote:
Guardian wrote:..In a separate development, an attack which exposed the email addresses and passwords of 1.3 million Gawker users was also today linked with the thousand-strong Anonymous group.


Interesting, interesting. How long before social media becomes a front too, and not just for snark&lulz.



Not very long it turns out (you wrote that 2 months ago tomorrow.)
Joe Hillshoist
 
Posts: 10594
Joined: Mon Jun 12, 2006 10:45 pm