Black ops: how HBGary wrote backdoors for the government (arstechnica.com)
209 points by jayro on Feb 18, 2011 | hide | past | favorite | 39 comments



This is a _really_ good article after reading through thousands of emails. It also provides good insights into the bigger picture, and what kind of fascinating glimpse this email leak provides into a secretive industry.

I'm glad this whole thing has happened.


It's in a series of really good articles on this story. Thank you Ars.


Please don't think that the information security industry (or penetration testing or malware niche) in general is like this. While many firms have relationships with defence contractors, the local military and intelligence agencies, we're not all writing undetectable rootkits and exploit code for commercial gain. I would say the actions disclosed in the very well written article (in a series of very well written articles) highlight one of a subset of security firms. I'm loath to use the Enron-esque bad apples description, because the truth is I just don't know, but I suspect that such actions are limited to a minority of firms.


Considering the amount of money governments are willing to spend on rootkits as compared to more benevolent activities, I suspect that these companies won't stay a minority for long.


The more I hear about the HBGary story, the more concerned I get with their business partners at Palantir and Berico. This can't be the bottom of the rabbit hole.

Apparently both companies are deep into fighting the war on terror, are they seriously pursuing business against U.S. citizens?


You are probably right.

Always follow the money. The government is concerned about "cyber-security type things" and there will be no end of shady and less-shady firms willing to charge millions of dollars for providing whatever the government thinks it wants (which is probably not what it needs).

And as you pointed out these firms don't operate in a vacuum, they form networks. They compete with each other but also look for a possible strategic partnership if one comes along.

The real key is to recruit someone who retired from the military or from one of the 3-letter-agencies. (At least ask them to serve on the board). Just that right there nets you an enormous amount of projects. You thought big enterprise runs on golf-ware, but big government projects also run on friend-ware and friend-of-a-friend-ware. It is very much an incestuous family.


Case-in-point: "For eight years, government officials turned to Dennis Montgomery, a California computer programmer, for eye-popping technology that he said could catch terrorists. Now, federal officials want nothing to do with him and are going to extraordinary lengths to ensure that his dealings with Washington stay secret." https://www.nytimes.com/2011/02/20/us/politics/20data.html?_...


  "I got this word doc linked off a dangler site for Al Qaeda peeps"
I find his choice of words there to be rather amusing.


> Al Qaeda peeps

Interesting that these people brainwashed themselves and believe there are actually lots of Al Qaeda operatives out there hiding in the bushes, researching methods to kill their victims using fecal matter. These are the kinds of people who get lots of government money for "security" related projects...


No doubt Al Qaeda were researching a biological weapon based on Jenkem ;) - http://en.wikipedia.org/wiki/Jenkem


Clearly we need to be worried and perhaps we should even phone our representatives and ask them to increase anti-terrorism and DoD funding.


Does anyone know whether Anonymous got all of the 0-day exploits discussed? If so, does anyone know what they are planning to do with them?


Having slides claiming ownership of exploits is a very long way away from having the exploits themselves. Such a commodity has substantial financial value - if an intruder came upon them they'd be unlikely to publicly announce their existence but not release them.

It's possible such exploits don't exist, are misrepresented or were never in HBGary's possession. Exploits have a shelf life that degrades as other actors are likely to discover the same bug, maybe 6-18 months in general wisdom. But, it is always possible to claim you have a private cache and then buy them if/when they are needed.


It's possible that it is all a work of fiction, but Greg Hoglund is an accomplished security researcher. It's certainly a realistic scenario that Hoglund discovered them himself, or purchased them from someone else if he didn't have time to do the vulndev. That being said, if it is fiction it wouldn't be the first time a contractor misled the government about competency.


I agree with you, it's not that I'm trying to say the whole thing is a work of fiction, just that things are often (partially) misrepresented. I believe the breadth of the claimed in-house and unused code is unusual, but certainly not impossible. There seem to be a lot of people that attempt to sell/broker other people's code that they aren't in possession of (since IP protections in these cases are non-existent).

Regardless, it seems anon got a SQL dump, root on a web server and a ticket box, and a Google Apps admin account - these aren't the types of places marketable vulnerabilities are usually kept.


Anon got more than that. Anon got passwords that got reused. I would be shocked if they did not poke around the network more to see where those passwords would go, and (given that passwords were reused where they shouldn't have been) I would not be surprised if there were not some more interesting places that they got into.


Is it not morally wrong as a non-black hat to not inform a company about a vulnerability you've found?

I thought only black hats sat on exploits.


Sell them, then use them against some dude who hurts a kitten.


Good point. Those are notable armaments.


So the whole thing about plugging something into your computer port (firewall, etc) to gain complete control like in the movies is true.


Yes, there are two pieces of uber-secret space alien technology Microsoft included in Windows at the behest of the NSA called "autorun" and "plug and play".

Windows installs a Plug and Play device and its driver automatically. http://www.microsoft.com/resources/documentation/windows/xp/...


Well, there's a piece of Apple-championed technology, FireWire, which doesn't care what OS you're running because it has a direct path to the DMA controller, and can read and write physical memory.


Yeah, that applies to PCMCIA and Cardbus too.

A USB attack device could probably also emulate a hardware CD-ROM.

I wonder if they could emulate a crypto accelerator and actually use stock drivers with backdoored hardware?


This is not true. OS X locks down the FireWire ports to protect system memory. I am not sure exactly how this works but I believe it's firmware/driver dependent and Windows usually lacks the drivers to force the firmware into a protected mode. FireWire having direct access to the system RAM is not a requirement of the 1.0 spec, it's a stupid implementation decision by chip designers.


It must have done it pretty recently then, because it's been vulnerable to this for a very long time.


Yes. http://www.irongeek.com/i.php?page=security/programmable-hid...

Plug it in, makes the OS think it's a keyboard while the user thinks it's a USB stick.


I wonder if the "technology to carry payloads through USB drives" was used in Stuxnet?


The highly sophisticated autorun technology? Shrugs.


LNK files can point to DLLs that get loaded by Explorer when it draws the icon for the link target.

I only know this because I watched an excellent video explaining the 0-day vulnerabilities that Stuxnet used by Microsoft leet hax0r Bruce Dang.

http://www.youtube.com/watch?v=rOwMW6agpTI#t=13m49s
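A small defender-side illustration of the mechanism this comment describes, added here as an example; it is not code from the thread, from Ars or from Microsoft. It parses the fixed 76-byte ShellLinkHeader and the LinkTargetIDList of a .lnk file (layout per the public MS-SHLLINK format) and flags shortcuts whose ID list carries a Control Panel shell item followed by a .dll path, the shape that led Explorer to load a DLL while drawing the icon. The heuristic, the function names and the fixture bytes are my own constructions; the fixtures are not working shortcuts, just enough structure for the parser to walk.

```python
import struct
import uuid

# Constants from the MS-SHLLINK shell link format and two well-known shell folder CLSIDs.
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST = 0x01            # LinkFlags bit 0
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")


def parse_lnk(data):
    """Return (LinkFlags, [ItemID data blobs]) for a shell link, or raise ValueError."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        # LinkTargetIDList follows the header: IDListSize, ItemIDs, then a 2-byte TerminalID.
        idlist_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
        pos = HEADER_SIZE + 2
        end = pos + idlist_size
        while pos + 2 <= end:
            item_size = struct.unpack_from("<H", data, pos)[0]   # includes the size field
            if item_size == 0:                                   # TerminalID
                break
            if item_size < 2 or pos + item_size > end:
                raise ValueError("malformed ItemID")
            items.append(data[pos + 2:pos + item_size])
            pos += item_size
    return flags, items


def scan_lnk(data):
    """Heuristic (my own): list (item index, reason) pairs an analyst should look at."""
    _, items = parse_lnk(data)
    findings = []
    for idx, item in enumerate(items):
        if CONTROL_PANEL_CLSID.bytes_le in item:
            findings.append((idx, "control-panel CLSID"))
        lowered = item.lower()                      # bytes.lower() only touches ASCII letters
        if b".dll" in lowered or ".dll".encode("utf-16-le") in lowered:
            findings.append((idx, ".dll path"))
    return findings


def build_lnk(item_blobs, flags=HAS_LINK_TARGET_ID_LIST):
    """Construct a minimal .lnk byte string (test fixture only, not a usable shortcut)."""
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID.bytes_le + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))          # zero the remaining header fields
    idlist = b"".join(struct.pack("<H", len(b) + 2) + b for b in item_blobs) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist


# Constructed fixtures: a plain shortcut, and one shaped like the icon-loading abuse
# described in the comment above (Control Panel item followed by a DLL path).
BENIGN_LNK = build_lnk([MY_COMPUTER_CLSID.bytes_le, b"C:\\", b"notepad.exe"])
SUSPICIOUS_LNK = build_lnk([CONTROL_PANEL_CLSID.bytes_le,
                            "C:\\Users\\Public\\sample.dll".encode("utf-16-le")])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        print(name, scan_lnk(blob))
```

Run it against a directory of .lnk files pulled from removable media or mail attachments and triage whatever scan_lnk reports; a legitimate shortcut that points straight at a DLL will also trip the second check, which is why the output is a review list rather than a verdict.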


Is USB autorun not enabled by default in XP? I tried getting some stuff to autorun from a thumb drive and I never did get it working.


Microsoft recently patched that so it's no longer the default action.


Stuxnet didn't use autorun, it used vulnerabilities in the code Windows executes after the insertion of a new flash drive.


The best part of the article is the obvious sockpuppet in the comments. Same format I saw among many paid stock bashers: Buddy up with the emoticons, claim little, suggest a lot.


Wouldn't researching and discovering 0-day vulnerabilities be treading close to DMCA violations and/or cybercrime laws? I don't see why this information isn't causing Microsoft and/or the Government to go on the offensive legally against the likes of HBGary.


I can't speak to any cybercrime laws (I'm simply not familiar enough with them), but the DMCA 1) only applies to mechanisms which protect copyright, and 2) has very explicit exemptions for the purpose of security research, among other things.


Not to mention, government TLAs do their own "research."


Has anybody tried a "grep stuxnet" on the email messages? Or is the Torrent still up? Then I could try it myself.


All of this reminds me of Daemon.


http://en.wikipedia.org/wiki/Daemon_%28technothriller_series...

Came up as the third result for "daemon" on Google. There's a lot I don't like about Google, but sometimes it just works.
