BofA Attack on WikiLeaks Backfires?

SUBHEAD: Bank of America said to be using private data intelligence firms against

By Staff on 9 February 2011 for WikiLeaks -  

Image above: WikiLeaks logo.
In a document titled "The WikiLeaks Threat" three data intelligence companies, Plantir Technologies, HBGary Federal and Berico Technologies, outline a plan to attack Wikileaks. They are acting upon request from Hunton and Williams, a law firm working for Bank of America. The Department of Justice recommended the law firm to Bank of America according to an article in The Tech Herald. The proposed attacks on WikiLeaks according to the slides include these actions:

  • Feed the fuel between the feuding groups. Disinformation. Create messages around actions of sabotage or discredit the opposing organizations. Submit fake documents and then call out the error.
  • Create concern over the security of the infrastructure. Create exposure stories. If the process is believed not to be secure they are done.
  • Cyber attacks against the infrastructure to get data on document submitters. This would kill the project. Since the servers are now in Sweden and France putting a team together to get access is more straightforward.
  • Media campaign to push the radial and reckless nature of WikiLeaks activities. Sustain pressure. Does nothing for the fanatics, but creates concern and doubt among moderates.
  • Search for leaks. Use social media to profile and identify risky behavior of employees.

  • Original document converted to PDF (4.5MB):

    HBGary used as Anonymous object lesson

    By Steve Ragan on 7 February 2011 for the Tech Herald - 

    Aaron Barr, the COO of HBGary Federal, told the Financial Times this weekend that he used clues found online to discover the identities of key Anonymous members. Anonymous reacted to the story and Barr’s claims with a massive attack aimed at the security firm, leveraging local root exploits, shared passwords, and social engineering.
    In an interview with the Financial Times, Barr said that by using services such as LinkedIn,, Facebook, as well as IRC itself, he was able to connect the dots and identify several high-level Anonymous members, including “Owen” and “Q”, two people mentioned by their IRC names in the actual news report.
    Having spent several months on IRC with people who associate under the banner of Anonymous, The Tech Herald can confirm that Q and Owen are actual names used by people on the AnonOps network. However, they are not the leaders they are made out to be by the Financial Times’ story. Anonymous has no leaders. Even hinting at such a thing on IRC will invoke a long lecture on the topic.
    Out of all of the people who participate in the various Anonymous operations, only 30 or so are consistently active. Of that group, only ten “are the most senior and co-ordinate and manage most of the decisions,” Barr explained to the Financial Times.
    The Tech Herald has seen Barr’s research. [PDF] While there is plenty of information, several operation names and dates are out of order, and many of the names associated with membership are incorrect. When it comes to the ten “most senior people”, they are actually network administrators.
    They work to keep the IRC servers online. Their proper titles include Services Root Administrator, Network Administrator, and Operator. AnonOps is an IRC network, Anonymous is something entirely different. Those who manage the IRC servers might be part of Anonymous, but they are not co-founders or leaders. They are highly active people, but that is what is needed to maintain an IRC network such as theirs.
    After the Financial Times story broke, including Barr’s claims of infiltration, Anonymous responded. The response was brutal, resulting in full control over and They were also able to compromise HBGary’s network, including full access to all their financials, software products, PBX systems, Malware data, and email, which they released to the public in a 4.71 GB Torrent file.
    In a statement emailed to The Tech Herald, Anonymous called Barr’s actions media-whoring, and noted that his claims had amused them.
    “Let us teach you a lesson you'll never forget: you don't mess with Anonymous. You especially don't mess with Anonymous simply because you want to jump on a trend for public attention,” the statement directed to HBGary and Barr said.

    “You have blindly charged into the Anonymous hive, a hive from which you've tried to steal honey. Did you think the bees would not defend it? Well here we are. You've angered the hive, and now you are being stung. It would appear that security experts are not expertly secured.”

    The attack against HBGary is a classic example of leverage. It started with an SQL Injection attack on From there, Anonymous discovered and cracked the passwords used on the site. As it turns out, many of these passwords were used on GMail. Access to GMail, along with the use of shared passwords, led to the compromise Barr’s Twitter and LinkedIn accounts.

    HBGary fired the company responsible for the flawed code that led to the SQL Injection attack.
    While this was happening, Anonymous gained access to the email password used by Greg Hoglund, the co-founder of HBGary, and part owner of the Federal subsidiary run by Barr. With his account under their control, they sent an email to the admin of asking for the firewall to be opened and Hoglund’s password reset to “changeme123”.

    The reason for access, the fake request stated, was due to Hoglund being in Europe and unable to SSH into the server. The move was a classic case of Social Engineering. After some exchanges, SSH access was granted. Once on the server using Hoglund’s password, Anonymous leveraged the $ORIGIN expansion vulnerability to gain root control.

    After this, they copied data, wiped the backup servers, and released the Torrent with the company email. This email release is the third time Anonymous has exposed internal communications. Previously, they exposed company emails taken from ACSLaw and Acapor.

    On IRC Sunday, as the Torrent with HBGary emails started to spread, HBGary President Penny Leavy, as well as Greg Hoglund and Aaron Barr, spoke to Anonymous.

    Early on in the conversation with Anonymous, Leavy remarked that she was aware of Barr’s research on social media and the problems associated with it, including “…the ease of pretending to be one of you…” she told them.
    However, Barr was never planning on giving his research to the government, she added. “He was never going to release names, just talk about handles.”

    The data and information collected by Barr was to show people at RSA next week how easy it is to say they are someone online without actually being the person. However, the reaction from the Anons in the room was that the research and logic for conducting it at all was extremely flawed.

    Most of the anger was directed at Barr’s list of names and their alleged connections to Anonymous operations. Several Anons commented that the list includes fake names, reporters, and others who are in no way connected to any role in Anonymous. Its existence means that it “…could have and might still get innocent people in trouble for no reason at all.”

    When asked if she had seen Barr’s research, including the infamous list, Leavy said, “…we have not seen the list and we are kind of pissed at him right now.” She didn’t expand on that comment.
    There was a distinction made that HBGary only owns 15-percent of HBGary Federal, and that attacking both was wrong, as one had nothing to do with the other. The networks shared many common elements, that they are only moderately related was irrelevant to Anonymous.

    Later, there was talk about making things right. Not really demands, but more of a list of gestures that HBGary could make, such as donations to various causes, like the EFF or Bradley Manning’s defense fund.

    In addition, there were several calls for Barr to be burned by HBGary, but given that he is a partner, that is unlikely. At this stage, HBGary’s response is unknown. At the time this article was written, aside from the conversations on IRC, there has been no official comment.

    When asked by the Anons in the room about his alleged plans to sell the data collected, Barr denied it with a flat refusal that he was never going to sell it, and that they had it all wrong.

    “Ok I am going to say this one more time,” he told the room. “I did this for research. The FBI called me because of my research. The email you are referring to about selling data was about a model built on this type of research. It was not to sell specifically this data.”

    “I was going to use it to describe the process of how social media exploitation works... The most data I was going to show was an org chart of IRCs with icons representing those nicks I thought I knew. Social media provides huge vulnerabilities for everyone...nuclear power plants, military installations, and anonymous... this was about research.”

    When questioned about the data in his research document, Barr said that the document circulating online was an old copy, adding that there was a new version. When asked to present it, he refused.
    Just before he exited the room, after facing the same set of questions for several minutes, Barr made one final comment. “…guys you hacked our servers, took our data, and posted it to the’s criminal now... it’s out of my hands...”

    For his part, Greg Hoglund remained neutral, even complementing Anonymous on the hack. His main concern was the release of emails that are not part of the Torrent circulating online. For now, Anonymous says they have no plans to release them.

    As this story develops we will report additional updates.

    Data intel firms proposed an attack on WikiLeaks

    By Steve Ragan on 9 February 2011 for the Tech Herald - 

    After a tip from, The Tech Herald has learned that HBGary Federal, as well as two other data intelligence firms, worked to develop a strategic plan of attack against WikiLeaks. The plan included pressing a journalist in order to disrupt his support of the organization, cyber attacks, disinformation, and other potential proactive tactics.

    The tip from is directly related to the highly public attack on HBGary, after Anonymous responded to research performed by HBGary Federal COO, Aaron Barr. Part of Anonymous’ response included releasing more than 50,000 internal emails to the public. For more information, the initial coverage is here.

    What was pointed out by Crowdleaks is a proposal titled “The WikiLeaks Threat” and an email chain between three data intelligence firms. The proposal was quickly developed by Palantir Technologies, HBGary Federal, and Berico Technologies, after a request from Hunton and Williams, a law firm that currently counts Bank of America as a client.

    The law firm had a meeting with Bank of America on December 3. To prepare, the firm emailed Palantir and the others asking for “…five to six slides on Wikileaks - who they are, how they operate and how this group may help this bank.”

    Hunton and Williams were recommended to Bank of America’s general council by the Department of Justice, according to the email chain viewed by The Tech Herald. The law firm was using the meeting to pitch Bank of America on retaining them for an internal investigation surrounding WikiLeaks.

    “They basically want to sue them to put an injunction on releasing any data,” an email between the three data intelligence firms said. “They want to present to the bank a team capable of doing a comprehensive investigation into the data leak.”

    Hunton and Williams would act as outside counsel on retainer, while Palantir would take care of network and insider threat investigations. For their part, Berico Technologies and HBGary Federal would analyze WikiLeaks.

    “Apparently if they can show that WikiLeaks is hosting data in certain countries it will make prosecution easier,” the email added.

    In less than 24-hours, the three analytical companies created a presentation filled with publically available information and ideas on how the firms could be “deployed” against WikiLeaks “as a unified and cohesive investigative analysis cell.”

    On January 2, The New York Times wrote about a late night conference call held by Bank of America executives on November 30. The reason for the call was to deal with a statement given by WikiLeaks’ Julian Assange on November 29, where he said that he intended to “take down” a major American bank. The country’s third largest financial institution needed to get the jump on WikiLeaks, so they started scouring thousands of documents, and auditing physical assets.

    Shortly after the late night conference call, the email from Hunton and Williams was sent. Booz Allen Hamilton, according to the Times, was the firm brought in to help manage the bank’s internal review.

    A month after the proposal for the initial December meeting on WikiLeaks was created, email messages from HBGary Federal show plans for a meeting with Booz Allen Hamilton. The meeting was set after Barr emailed Hunton and Williams about information he was gathering on WikiLeaks and Anonymous. Later, this information would be the direct cause of Anonymous’ attack on HBGary.

    Note: There were several drafts of the proposal created before the sixth and final version was delivered. The emails released by Anonymous contain each of them. Most of the changes are formatting related and minor corrections.

    The proposal starts with an overview of WikiLeaks, including some history and employee statistics. From there it moves into a profile of Julian Assange and an organizational chart. The chart lists several people, including volunteers and actual staff.

    One of those listed as a volunteer, columnist, Glenn Greenwald, was singled out by the proposal. Greenwald, previously a constitutional law and civil rights litigator in New York, has been a vocal supporter of Bradley Manning, who is alleged to have given diplomatic cables and other government information to WikiLeaks. He has yet to be charged in the matter.

    Greenwald became a household name in December when he reported on the “inhumane conditions” of Bradley Manning’s confinement at the Marine brig in Quantico, Virginia. Since that report, Greenwald has reported on WikiLeaks and Manning several times.

    “Glenn was critical in the Amazon to OVH transition,” the proposal says, referencing the hosting switch WikiLeaks was forced to make after political pressure caused Amazon to drop their domain.

    [Earlier drafts of the proposal and an email from Aaron Barr used the word "attacked" over "disrupted" when discussing the level of support.]

    The proposal continues by listing the strengths and weaknesses of WikiLeaks. For the strong points, there is the global WikiLeaks following and volunteers. Outlining the weaknesses, the proposal lists financial pressure - due to the companies refusing to process WikiLeaks’ donations at the time - and discord among some of the WikiLeaks members.

    “Despite the publicity, WikiLeaks is NOT in a healthy position right now,” an early draft of the proposal noted. “Their weakness [sic] are causing great stress in the organization which can be capitalized on.”

    Some of the things mentioned as potential proactive tactics include feeding the fuel between the feuding groups, disinformation, creating messages around actions to sabotage or discredit the opposing organization, and submitting fake documents to WikiLeaks and then calling out the error.
    “Create concern over the security of the infrastructure. Create exposure stories. If the process is believed to not be secure they are done. Cyber attacks against the infrastructure to get data on document submitters. This would kill the project. Since the servers are now in Sweden and France putting a team together to get access is more straightforward.”

    After the tactics are discussed, the proposal outlines the highlights for each of the three data intelligence firms. From there, it concludes that in the new age of mass social media, the insider threat represents an ongoing and persistent threat “even if WikiLeaks is shut down.”

    “Traditional responses will fail; we must employ the best investigative team, currently employed by the most sensitive of national security agencies.”

    The emails released by Anonymous make no mention of the proposal’s success or failure. Aside from a single meeting confirmation with Booz Allen Hamilton, and an email that expressed hope that HBGary was going to “close the BOA deal”, there is no other data available.

    Since the attack on their company, HBGary has issued a single statement via their website, and declined to comment when questioned by several news organizations.

    “HBGary, Inc and HBGary Federal, a separate but related company, have been the victims of an intentional criminal cyberattack. We are taking this crime seriously and are working with federal, state, and local law enforcement authorities and redirecting internal resources to investigate and respond appropriately,” the statement reads.

    “To the extent that any client information may have been affected by this event, we will provide the affected clients with complete and accurate information as soon as it becomes available. Meanwhile, please be aware that any information currently in the public domain is not reliable because the perpetrators of this offense, or people working closely with them, have intentionally falsified certain data.”

    While some of the information in the public domain may be false, the emails and documents seen by The Tech Herald certainly look legitimate. It is unlikely that Anonymous would bother to forge 50,000 emails, in addition to the screen shots of internal software, PDF files, Word Documents, or PowerPoint slides released to the public.

    However, on Tuesday evening, HBGary’s accusal that Anonymous was falsifying information started another round of rage on IRC, where some who associate under the banner of Anonymous gather.
    As a result, there are rumors that more emails will be released in the coming days, including those belonging to Greg Hoglund, the co-founder of HBGary.

    [IB Editor's note - These are profound developments. For a breakdown of HBGary docs, available now publicly on the Internet, see We would expect the 'BankLogs' to be released soon on the Internet.]

    No comments :

    Post a Comment