Anonymous security firm hack used every trick in book

An attack by Anonymous on security firm HBGary used a combination of software vulnerabilities and social engineering to pull off a highly sophisticated hack, it has emerged. A SQL injection weakness in a third-party content management product used to post content on HBGary's website allowed a cadre of hackers from Anonymous to …


  1. Anonymous Coward


    ''HBGary said the leaked documents might have been altered prior to publication.''

    Is that the best defence they got?

  2. Destroy All Monsters

    Anonymous delivers!

    This is what I will tell our sysop to prepare for and be able to weather during the next coffee & croissants meeting.

  3. Mike Flugennock

    HBGary sez they EDITED those emails...?!

    Uh huh, yeah... they edited and falsified over 70,000 emails in under a week. Nice try, HBGary.

    1. Scorchio!!

      Re: HBGary sez they EDITED those emails...?!

      "Uh huh, yeah... they edited and falsified over 70,000 emails in under a week. Nice try, HBGary."

      Did HBGary claim that all 70,000 emails were edited, or only a few? I haven't seen the source material so I can't say.

  4. Richard 120

    I read about this elsewhere

    It's quite amusing, they got Penny (CEO) to go and speak to the Anonymous IRC and there's a log of the whole conversation -

    I think more than anything this proves that corporations and organisations are just a bunch of people, and each and every one of them has their own opinions, they lie, they slander, but they're also truthful, witty & endearing. Every now and then there's a fuckwit who seems to value themselves over others though.

    I pity Penny of HBGary, but the anonymous people have made fair points (albeit in a flippant and sometimes surreal manner)

    Aaron Barr seems in this case to be the fuckwit, claiming to have infiltrated anonymous, seems a bit like someone saying I've invaded Midgaard (all you mudders out there know what I'm talking about)

    1. Scorchio!!

      Re: I read about this elsewhere

      "Aaron Barr seems in this case to be the fuckwit, claiming to have infiltrated anonymous, seems a bit like someone saying I've invaded Midgaard (all you mudders out there know what I'm talking about)"

      That is a tad extreme, don't you think? After all, 'anonymous' is comprised of genuine corporeal beings. There's no question of Cartesian fairies at the bottom of the garden here; bodies can always be traced, unless of course we're talking 2600 style hacking, in which case the Feebs will have to stretch that extra mile to trace them.

      1. Richard 120

        It's a simile

        It's an IRC channel.

        The point of a loose collective is that it expands and contracts, leadership is transient and generally irrelevant. That's what anonymous is.

        Trace a bunch of people logged on, a bunch of others log in, take them down another channel opens.

        There will always be more to rage against the machine.

        Can you understand the simile now?

        1. Scorchio!!

          Re: It's a simile

          "It's an IRC channel.

          The point of a loose collective is that it expands and contracts, leadership is transient and generally irrelevant. That's what anonymous is."

          Contacts between real people can always be traced back, like following skeins of mixed up material. Similes are irrelevant. The physical world holds in principle no possibility of anonymity, and the LoIC sacrificial sheep are just the first round in gathering them all in, self deception notwithstanding. Everyone leaves a trace, unless they use 2600 methods but, even then, there are ways of tracking people down. Do you understand my points now?

          1. Richard 120

            Your point

            Your point, Scorchio, would seem to be that people on the internet can be tracked. I do not dispute that.

            My point is that Aaron Barr and yourself seem to have the (in my opinion misguided) impression that the Anonymous collective is a hierarchy and that in determining who the leaders of this hierarchy are is to have infiltrated Anonymous.

            I don't think Anonymous works that way and that if ultimately you removed what you consider to be "the head" that the body would not die, it would just grow another head.

            1. Scorchio!!

              Re: Your point

              "My point is that Aaron Barr and yourself seem to have the (in my opinion misguided) impression that the Anonymous collective is a hierarchy and that in determining who the leaders of this hierarchy are is to have infiltrated Anonymous."

              Never assume anything about someone like me, not least because when you assume you make an ass out of you.

              Passive intelligence techniques have a lot of mileage in them. It is possible to leave a movement riddled with pain and angst by using them, and appropriately punishing those who act in the way that we have seen. Believe me it is coming. If you are so naive as to believe otherwise, well have a good one. Don't read something into my words that is not there. Your preconceptions are wasted, worthless, deceive you.

              As to heads and bodies, do grow up. I could not GAD what sort of cell structure they are using. Sufficient pain, repeatedly applied for a sufficient duration has a marked effect on the CNS. Just watch, and make sure that you have ordered a LOT of popcorn. Pain's a coming, believe me.

      2. Anonymous Coward


        In old DIKU muds and most of their derivatives, Midgard was the city you started in, and re-popped in when you died. It has little to do with Fairies. The allusion being made is that "Infiltrating" anonymous is hardly a complex task. (In the same way as getting back inside Midgard could be done a number of ways, all trivial)

        Sadly I spent far too much time in my youth playing MUDs. Especially when I should have been doing college work; I even ported Merc 2.2 to my Amiga. (I had to re-write the sockets layer to use Amiga PORTS, as I couldn't afford a TCP/IP library)

        1. Scorchio!!

          Re: no..

          "It has little to do with Fairies."

          My point exactly, although the irony seems to have zinged over you.

          The point is that, whereas corporeal bodies do not interact with some immaterial soul, leaving no energy trace (see Helmholtz' principle of the conservation of energy for more on that story), *always* leaving evidence of their activities, the same applies to people online. There is always an entry point to trace back to, and of course there is always chat. (If the fool from HBGary had kept his mouth shut and had good security we'd probably be responding to a completely different story.) It is impossible for a corporeal *not* to leave some form of trace of their activities behind them. Only fairies at the bottom of the garden can do such a thing. They leave so little trace that, when prompted to produce replicable hard evidence, the proponents fail every time. It's a bit like the homeopathy debate. You do not get something for nothing in the world of physics unless you are not a corporeal entity but, once again, no evidence has been adduced to support such claims.

          1. Daniel 4

            If the fool had kept his mouth shut...

            We wouldn't be hearing about any story at all, because either a) the FBI would have had their real professionals look over his research and shown him the door, or b) he would have wowed some suits well enough to apply buy it and waste millions of dollars and thousands of man hours figuring out it was a waste of time.

            I'm not arguing with the basic notion that real people leave traces coming and going online, but a) if done intelligently, they are faint, and b) even done stupidly, it doesn't matter re: Barr's "research." Just from what is available publicly at this point any qualified statistician can tell you - it was flawed from the ground up. You can't run such a project on gut feelings and guess work, and Barr's own internal staff were telling him that that was all he had. The only things he did get right are so basic that there are already hundreds, if not thousands, of people researching based off of those starting points.

            Perhaps if Barr had kept his mouth shut, kept his head down and NOT tried to rush off to the FBI or BoA, and gotten in someone with real CS and statistics background, he would have gotten somewhere. Of course, that's a lot like saying that if someone would just give me billions of dollars, I could start up my own search engine to rival google - just hire all the talent I need. Not particularly relevant, is it?


            P.S. - On the other hand, the FBI may have welcomed a tool that they could use to justify getting warrants based on nothing more than the very vaguest of guilt by association (the very core of Barr's "technique"). You get a lot of flotsam in the net, but do they care how many innocents they trample? Does anyone in our government care these days?

            1. Scorchio!!

              Re: If the fool had kept his mouth shut...

              "I'm not arguing with the basic notion that real people leave traces coming and going online"

              Good, one of the first signs of sense I've read yet. It is impossible to NOT leave a trace unless you are not corporeal but incorporeal actors are an impossibility as modern physics shows. This is not a theological forum, but one founded on technology that came from western physics and philosophy (e.g., Wittgenstein). There are ALWAYS traces. Faint or not they are there. People who deceive themselves into believing otherwise (how can someone deceive themselves I ask rhetorically) are no better than the LoIC sheep, and dream about a spirit world segregated from the reality of physics. Both the US and UK governments have insisted that ISPs and other organisations preserve logs for a long time, and the police don't have to work hard to access the data. These things - plus the extra special measures that will have been worked up in response to recent 'developments' - are likely to ensure a series of very fucking hard punishments, and no end in sight for the process. A special effort will be made to squash this, do not kid yourself otherwise; for each new serious crime an equivalent unit is normally formed, and the laws tend to reflect determination to quash the act. This will happen. People will watch with horror as their friends go down for a long stretch, with restrictions on their release, and they will decide to give the whole thing a body swerve.

              Give me braggadocio, ignore or laugh at my words, but this will happen. Anyone who thinks that any government is going to sit there and let this happen without giving those who do these things a good smack on the muzzle has to be numbing their minds with something I don't want to find in my coffee beans tomorrow.

              So just wake up is all.

              The sad thing is that this abuse will curtail all of our freedoms:


              These people have made our lives harder with their stupidity. I would like to see them in the stocks. That is a gag worthy experience that might make the silly twats think.

            2. Scorchio!!

              Re: If the fool had kept his mouth shut...

              I'm just about to go away for a week and packing. As I did so a passage from your response continually resurfaced in my mind:

              "I'm not arguing with the basic notion that real people leave traces coming and going online, but a) if done intelligently, they are faint"

              Existence is like pregnancy; you cannot be a "little bit pregnant" or "faintly pregnant", and you cannot faintly exist, either on or off line. In the world of bits and bytes, of zeros and ones, you are either a number or you are not present. There's no such thing as being slightly existent, or a little bit pregnant, and it is this that will cause a lot of agony for any sloppy thinker who nurtures such fond silliness.

              They'll use a number of attacks to find offenders, starting with offline profiling, matching online behaviour with the profile, basic police work (listening carefully in meat space for dissent that matches the target behaviour) and so on. This will probably roll on for years, like Carlos, the Unabomber, and plenty of others, but, and be sure of this, revenge will be unstoppable, harsh and unrelenting. It's coming.

              As to caring, don't make the mistake of believing that the things you think matter are the things that really do matter. What we have here, as Bill Thompson correctly identified, is democracy's 'Napster moment' ( ). Freedom of information, the culture of FOIA which engendered the MP3 and digital book rip off culture, following the collapse of the Soviet Union and a mistaken belief that everything can be peace and love if only we let everything go, these are mistaken and resemble a headlong plunge off the cliff. People working in this way face bloody noses, if only because irresponsible governments do not pay attention to core state functions - security and defence being particularly important - and wake up to find the new international bodies at their heels. You can include billionaire drug dealers with large arsenals, and other individuals with private armies, including bin Laden clones. It also goes without saying that, as each international body succumbs to attacks on it, other regional powers will fill the vacuum left by them. So, Iran is now free to pursue the paths we have seen, and, having spread its commercial and military tentacles throughout the world (Military? Remember Sri Lanka) China will happily fill any space left by other, weakened states.

              Arriving at the conclusion that secrecy must be overturned because it's not conducive to peace of mind is a non sequitur. It's taken the violent creature, homo sapiens, far longer than history to arrive here, fully tooled up and aggressive. No amount of wishy washy thinking is going to change that, because it is hard wired. In fact the act of destructive, digital pissing about with other organisations/countries is aggressive, and it will reap pain. I see a failure to apprehend this, and it is at best naive. It will leave a lot of people behind bars for a long time.

      3. neb

        @2600 style hacking

        peeeeeeeeeeeeeeeeeeeeeeeeeep! :)

        1. Scorchio!!

          Re: @2600 style hacking

          "peeeeeeeeeeeeeeeeeeeeeeeeeep! :)"

          It's not so much the frequency as the anonymity it appears to afford. It can be done from a public phone box in the middle of nowhere, or in a relatively busy area. Pop up, do a brief job, disappear, reappear somewhere else. The problems come when people start to work out the time period online from a specified phone and look for other correlated clues, and modern technology is alarmingly sophisticated when it comes to this. In addition identification of techniques that are peculiar to one individual, as happened in WWII with signalling. Just one identifying clue is all that is needed to begin the process of unravelling the skeins, of making a pattern, and then the whole house of cards falls. Positions of phone boxes/phones would be a start. There are geo location tricks for finding most offenders.

          Anyhow, old fashioned hacking techniques or modern, governments have spent vast amounts on precisely this sort of elint. People can kid themselves that they are undetectable, and the odds are that one or two will hold out for a year or two, but they will slowly and inevitably be reeled in.

          Suddenly it is not so funny, especially when the door caves in.

          1. asdf

            funny that

            Remember how people used to assume how big and bad the CIA was and how it could do anything? Funny how they can't even kill or locate a 6'5" Saudi goat farmer looking dude who only threatens the entire west. Yes US signal intel is second to none but when a Jordanian doctor can blow up our top 5 experts on the baddies with one bomb you know our people based intel sucks. Moral of the story: to stay anon avoid creating any electronic signals and live in a cave (or cabin in Montana and get your damn brother to shut up) I guess.

            1. Scorchio!!

              Re: funny that

              "Remember how people used to assume how big and bad the CIA was and how it could do anything? Funny how they can't even kill or locate a 6'5" Saudi goat farmer looking dude who only threatens the entire west."

              AIUI the American special forces followed bin Laden's mobile phone signal, but he'd given it to an assistant and that was all they got. You see bin Laden didn't hang around.

              Elint is good, but imagination is priceless. Isn't it? Look at the Russian example; they homed in on Dudayev's (it'll be on Wikipedia if you're too young to remember) sat phone signal and dropped two laser guided bombs on him. A contrast in methodology; the Russians did not for one second assume that he could be apprehended, nor did they assume that he had yuman rights. They just killed him, and that is what Clinton could have done in his time, but refused to authorise a Cruise missile attack on bin Laden.


              However, the lessons do appear to have been learned. Old counter insurgency and Elint methodologies are being wheeled out, because people have woken up to the fact that truths are not fashionable, relative, they just are, and good practise is unavoidable.

              The irony of the situation? Dudayev, a former Russian general, was the Russians' best hope at the time, someone with whom the likes of General Lebed could have done business, whereas bin Laden is another kettle of philosophical fish altogether. He is unreasonable.

    2. Anonymous Coward

      While this Penny character may be endearing

      It would seem that a total lack of technical knowledge is not the best standpoint from which to run any kind of IT company.

      Maybe she was good at all of the other "boss" type things, who knows (who cares at this point), but if any of the more 'technical' employees and suppliers could simply bullshit her into believing that they're doing a good job... then something like this was going to happen sooner or later.

      As it turns out her staff were riding the special bus in every day and she didn't even know it. Reminds me a lot of... every other company I've worked for actually.

  5. The Alpha Klutz

    They call themselves security professionals?

    You know I was going to try and write something insightful here but really there is nothing insightful that can be said about this group of useless slackers. The only white hats they own must taper to a sharp point at the end and sport the capital letter 'D'.

  6. Destroy All Monsters

    And additionally...

    "It could be that the destiny of your company is only to serve as a warning to others."

  7. Sonny Jim

    I wouldn't say they used every trick in the book

    What about Rubber hose cryptography?

    Anyway, it seems a straightforward (but multi-vectored) hack. Now, if you want a sophisticated attack, have a look at the Stuxnet analysis:

    Now *that* really did use every trick in the book, and then some.

  8. oolon

    Read arstechnica again

    Did you read the ars story? Highly sophisticated attack? We are not talking stuxnet here with multiple 0-day exploits...

    They got in through SQL injection - the haxors best friend. But hardly difficult given the level of knowledge here. HBGary really should not have been vulnerable especially since they supposedly provide services to test for these vulns!

    Rainbow tables to hack MD5 hashed passwords is not hard when they were not encrypted properly. No salting or iterative hashing used to make it difficult.

    They used a flaw in linux to get root - should have been patched. Again not that hard if you know how - it was well documented.

    They used social engineering... Well they had control of an email account so would look to almost anyone like the actual owner of said email account. Not quite at the level of the best cold-calling social engineering exploits.

    So really... Hard for me or anyone not in the hacking fraternity but I doubt it would get max points at any hackfest. The main point of the story is how come HBGary were so easy to get into when they are a bleedin security firm!!
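As an added illustration of the storage weakness oolon describes (not code from the thread, from HBGary's CMS or from any real table), the following compares unsalted MD5 with salted, iterated PBKDF2 on a constructed three-user table, using a constructed precomputed digest-to-password map as a stand-in for a rainbow table; the user names, passwords and word list are all made up here.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, Optional

# Constructed sample accounts (not data from the incident): two users chose the same password.
USERS: Dict[str, str] = {"alice": "Winter2011", "bob": "Winter2011", "carol": "correct horse"}

# Constructed miniature word list. A precomputed map from unsalted digest to candidate password
# is the simplest relative of a rainbow table; real tables are vastly larger, the principle is the same.
WORDLIST = ["password", "Winter2011", "letmein"]


def md5_store(password: str) -> str:
    """Unsalted, single-round MD5: the weak scheme the thread describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Per-user random salt plus iterated PBKDF2-HMAC-SHA256, kept as one self-describing string
    so the verifier can recover the salt and work factor later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # legacy rows (e.g. bare MD5) never verify under the new scheme
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def distinct_stored_values(store_fn: Callable[[str], str], users: Dict[str, str]) -> int:
    """Number of different stored values in the table. Unsalted MD5 collapses every user who
    shares a password onto one value, so one precomputed digest exposes all of them."""
    return len({store_fn(pw) for pw in users.values()})


def build_md5_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> password once; with no salt it applies to every user and every site."""
    return {md5_store(w): w for w in wordlist}


def table_hits(table: Dict[str, str], stored_values: Dict[str, str]) -> Dict[str, str]:
    """Users whose stored value appears verbatim in the precomputed table (empty when salted)."""
    return {user: table[value] for user, value in stored_values.items() if value in table}


def needs_rehash(stored: str, min_iterations: int = 100_000) -> bool:
    """Migration check: legacy MD5 rows and under-iterated PBKDF2 rows should be upgraded
    at the user's next successful login, when the plaintext is briefly available."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    return int(parts[1]) < min_iterations


if __name__ == "__main__":
    table = build_md5_table(WORDLIST)
    md5_rows = {u: md5_store(p) for u, p in USERS.items()}
    pbkdf2_rows = {u: pbkdf2_store(p) for u, p in USERS.items()}
    print("hits against unsalted MD5 rows:", table_hits(table, md5_rows))
    print("hits against PBKDF2 rows:      ", table_hits(table, pbkdf2_rows))
    print("distinct values, MD5 vs PBKDF2:", distinct_stored_values(md5_store, USERS),
          distinct_stored_values(pbkdf2_store, USERS))
```

Salting defeats table reuse across users and sites; the iteration count is what makes per-user guessing expensive, and `needs_rehash` is the hook for raising it over time.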

    1. Sir Runcible Spoon


      "I doubt it would get max points at any hackfest."

      I don't think the Anon's are claiming that it was sophisticated, however results do count, and this was a clean hit.


      I recall a colleague who boasted to me and the resident security bod who said he had set up his home system on the end of a VPN and that it was impregnable and actually challenged us to break into it when we laughed at him.

      When we got him to log in after his lunch break to look at the little text file we'd put in with root privileges telling him he owed us a pint he went fucking ballistic. Especially when we didn't tell him how we did it for three days; he was already losing his hair but by the end of it he hardly had any left and had bags under his eyes.

      When we finally took pity on him and told him how we'd done it he claimed that we had 'cheated' and not really hacked into his system at all. He didn't like us any more for laughing again though :)

      (The silly sod went and left his laptop unlocked when he went to lunch. I installed a keylogger which emailed me all the details. Whilst we were telling him we had broken in, he logged in to verify what we had done. I was IM'ing my mate all the login details and whilst I was talking to him he logged in and left the text file. Simple and fun, but no way to make friends.*


      *parenthesis missing to cause mild stress levels in coders.

      1. Scorchio!!

        Re: Sir

        Ah, the evil maid trick. Autoruns should be disabled, a good HIPS should prevent an unauthorised package from running, a registry protector should prevent alterations to the registry and BIOS password/boot settings should prevent a USB stick from booting, though a BIOS transplant is always a possibility. There are other precautions.

        Whoa? He *left the machine unguarded*? The fucking idiot.

      2. Anonymous Coward

        @Sir Runcible Spoon

        Similar story.

        I was asked by a colleague to test the security of his application by trying to break into it.

        Only I was logged in (as a privileged user) even before he had finished his smug explanation of how there was no chance of me getting in.

        Dude *always* used the same user name and password for his login credentials, so it only took me one guess. He called that 'cheating', I called it 'social engineering'.

        1. Scorchio!!

          Re: @Sir Runcible Spoon

          I am amazed even now at the number of people who think that a Windows password is sufficient to protect a system (though a BIOS password only lives for as long as the BIOS itself). Booting up with a CD-ROM that has password cracking tools on it is simple. No skills needed. As I say, amazed, and sometimes gratified when I pull someone's arse out of the fire.

      3. oolon


        @Runcible - I like your VPN hack story...

        But you did not get the point of my post - Anon did not claim the hack was hard; they made the same point as me: how did they get in so easily to a security company's system? I'm criticizing the article (not Anonymous) as the author obviously did not even bother to read the arstechnica article he ripped off and pick up that salient point.

        1. Sir Runcible Spoon


          "I'm criticizing the article (Not anonymous)"

          Good point. I wasn't having a digg-1 at your position, just trying to clarify that the people who were claiming they used every trick in the book, or tried to make out it was a sophisticated attack, weren't the people who performed the attack.

          My point was that whether it was sophisticated or not is irrelevant as long as the result was a hit.

          So, we are agreeing, I think :)

  9. ttuk


    very james bond.. especially the spoofing an email to get someone to reveal details... I await the (TV) movie

  10. Anonymous Coward

    What losers

    On the positive side, HBGary will probably have lost a great deal of future business; not even competent to manage their own web site (combined with easily identified personal boo boos by senior members of staff). Title says it all......

    1. Scorchio!!

      Re: What losers

      "On the positive side, HBGary will probably have lost a great deal of future business; not even competent to manage their own web site (combined with easily identified personal boo boos by senior members of staff). Title says it all......"

      The passwords, goddamit, the frigging passwords. Even a kid could do better. It doesn't take much to use a password package, and then perhaps lock it up in an encrypted container and/or drive. If their clients have any sense they will find someone else.

  11. Anonymous Coward

    documents altered?

    Well they would say that, wouldn't they?

  12. Anonymous Coward

    Big Big BIG FAIL

    HBGary said the leaked documents might have been altered prior to publication. "Given that Anonymous has had these emails for days I would be highly suspect [sic] of them," the president of HBGary Penny Leavy told the BBC.

    He has the emails, either HE KNOWS they changed them or HE KNOWS they didn't.

    He practically admits they didn't.

    1. Dave Bell

      Who to believe?

      Even if HBGary have originals which are safe to publish, they've "had these emails for days": which is the fake?

  13. Quxy

    "Highly sophisticated"?

    As ars technica points out, Anonymous used nothing but standard, well known techniques. HBGary left the door wide open by making all the stupid security errors in the book:

    A Web application with SQL injection flaws and insecure passwords. Passwords that were badly chosen. Passwords that were reused. Servers that allowed password-based authentication. Systems that weren't patched. And an astonishing willingness to hand out credentials over e-mail, even when the person being asked for them should have realized something was up.

    Don't give the clowns at HBGary the satisfaction of thinking that the enemy that brought them down was the least bit sophisticated in their attack.

  14. Clive Galway

    Email transcript @ arstechnica


    "Jussi" should be for the high jump IMHO - revealing usernames and passwords like that via email. If it absolutely had to be done ASAP, he should have called him. Even if it was really Greg, having that info sitting in his mailbox is a bad idea.

    I am also quite surprised that some of the grammar did not raise eyebrows; "no i dont have the public ip with me at the moment" sounds very suspect. Unless of course Greg normally says things in such odd ways.

    Anyway, you reap what you sow fellas !

    1. Anonymous Coward

      Unless of course Greg normally says things in such odd ways.

      he reused that password on his Twitter account and yeah, let's say he was not exactly el maestro when it comes to TEH GRAMMARZ.

      Took about a quarter of an hour to make something that looked like his style. Not difficult.

  15. maclovinz


    The best implementation plan is one that involves common sense.

  16. Anonymous Coward

    Every trick? hardly

    Seriously, HBGary have only got themselves to blame. Re-using the same passwords for Facebook, twitter and corporate emails?? The CEO of a "security" company?

    They deserve to be a smoking hole in the ground (in corporate terms) after this. They have proved themselves incompetent at doing exactly what they declared themselves to be the experts at.

  17. Anonymous Coward

    Barr proceeded from a set of false assumptions

    and got his ass handed to him as a consequence. Ars' coverage of the whole affair has been superb, and should be required reading for anyone who thinks they know anything about Anonymous. Far from the "hackers on steroids" mythology, but nonetheless decentralized and quite happy to sit around taking not just individuals but a whole company to pieces just because they've been prodded with a stick.

  18. NoneSuch

    Good analysis

    Just goes to show that no one is 100% safe, 100% of the time.

    Reminds me of Monty Python's "How Not To Be Seen".

  19. Paul Shirley

    Hardly 'every trick in the book', hardly any challenge at all

    Strange to say most people seem to think this was an easy hack, mainly because HBGary were so damn lax about security best practice. A simple sequence of basic methods, I'd bet anonymous wasted more time wondering when they were going to hit the real security measures than on the actual job.

  20. Anonymous Coward

    3rd party? That's not what Ars techwhatever reported

    "a third-party content management product "

    What Ars ..... reported is that it was written specifically for them by a 3rd party because they didn't like the ?security? of the original? I don't know, I've been laughing all day.

  21. tom 24

    A firm handshake... Maintain eye contact... Confident...

    "Given that Anonymous has had these emails for days I would be highly suspect [sic] of them"

    Admit nothing. Deny everything. Make counter-accusations.


    1. amanfromMars 1

      Cloaked Crooks r Us percolate through everything and offer Nothing of Value.

      "Admit nothing. Deny everything. Make counter-accusations." .... tom 24 Posted Friday 18th February 2011 00:17 GMT ....... Now that is a great meal ticket methodology for dodgy law firms/ambulance chasers/failed businesses/laundering banks.

      And in a complicated, open and shut case such as this one .... ...... it appears that the defendant does not control anything, and it is now to be turned into a media circus with lawyers starring, and billing, of course, although where the money is coming from, other than out of thin air, and someone else's pocket, is disappointingly familiar and not at all dissimilar to a Ponzi, which is that which one team in the case above is defending as legit, with another team prosecuting as criminal, with Justice the stoolie sat in the middle, dispensing rules and regulations.

      "Last month, a US federal judge ruled that Mr Stanford was unfit to stand trial.

      District Judge David Hittner ruled that he did not have the mental capacity to assist his lawyers." .... An odd declaration about someone who once ran a very lucrative business and private bank, but whenever you know too much for your own good and not enough for your own good is it best to be the dumb, mad fool and useless tool.

  22. This post has been deleted by its author

  23. json

    threat of physical harm?

    more like threat from dying of embarrassment.

  24. amanfromMars 1

    There's Pork and there's Easy Meat and then Government Pork with ITs Special Strings Attached

    "HBGary had intended to reveal its research into the senior members of Anonymous at the BSides San Francisco conference..."

    Presumably, considering their little difficulty, is that research completely discredited and just part of a federal funding scam if it were to be presented as kosher.

  25. JaitcH

    HBGary: Loss of all credibility = loss of clients: Is the U.S. government included?

    Given that HBGary was a start-up with only a few years under its belt, will it survive this exposure of its business tactics and its 'expertise'? I love this quote (from their web site): "Security is not an IT problem, it's an intelligence problem" - it exactly describes the failings of HBGary.

    Given it's relatively short life and the number of e-mails it appears all they do is thump away at keyboards.

    Aaron Barr is a sweetheart, apart from being dumb, as he posted about going after children < >. Only dummies write about their criminal activities.

    Demonstrating how blind the U.S. government can be, almost a year ago HBGary received an extension to their contract with the US Department of Homeland Security to “conduct a series of hands-on memory forensics and malware analysis training events with local, state, and federal law enforcement officials around the country.” (See: < >)

    HBGary competitor Sophos managed to get the knife in when their Graham Cluley said: "The fallout from the affair will be difficult to overcome." "The damage to HBGary's reputation from this incident is, quite frankly, enormous," he added.

    "... it's particularly damaging when the victim is a specialist in the field of computer security," he theorised.

    No kidding!

    This demonstrates that when governments are running scared and all sorts of money are being tossed around, the usual crowd of corporate freeloaders are out there busy getting a share of the spoils. Undoubtedly this is happening in many countries.

  26. Sam Therapy
    Thumb Down

    That'll be right, then

    "Given that Anonymous has had these emails for days I would be highly suspect [sic] of them,"

    Liar liar pants on fire.

  27. Hooch181

    Another Beltway Bandit...

    "Consultancy" outfit bites the dust...

    "And nothing of value was lost!"

    Washington is full of these kinds of firms whose only job is to suck up taxpayer monies!

    I do feel bad for the ordinary 9 to 5 guys and girls who worked there and had nothing to do with this, but they only have their bosses to blame!

    Lol at attempted damage control!

    (While it is still going I do not reckon it will survive this!)

  28. JP19

    "Given that Anonymous has had these emails for days I would be highly suspect [sic] of them," the president of HBGary Penny Leavy told the BBC.

    St00pid HBGary "security company" CEO. Most of the emails are digitally signed using S/MIME, which can't be forged.

    According to such an email (at, Penny's husband, Greg Hoglund, composed this hilarious press release:

    Original file: 1297012933.M175384P25652Q2379.cybercom

    click here to show this e-mail with HTML markup

    From: Greg Hoglund <>

    To: Aaron Barr <>

    Date: Fri, 4 Feb 2011 22:19:31 -0800

    Subject: Re: slightly revised copy

    click here to show full headers

    Full headers



    received: Array

    return-path: <>

    received-spf: neutral ( is neither permitted nor denied by best guess record for domain of client-ip=;

    authentication-results:; spf=neutral ( is neither permitted nor denied by best guess record for domain of

    mime-version: 1.0

    in-reply-to: <>

    references: <><>

    date: Fri, 4 Feb 2011 22:19:31 -0800

    message-id: <>

    subject: Re: slightly revised copy

    from: Greg Hoglund <>

    to: Aaron Barr <>

    content-type: text/plain; charset=windows-1252

    content-transfer-encoding: quoted-printable

    Attachments: This e-mail does not have any attachments.

    and here is a blog post that I want to post

    HBGary Federal Pwns Anonymous

    This is a proud day. HBGary Federal, lead by Aaron Barr, has made
    public their long term penetration of the Anonymous group, the DDOS
    group associated with Wikileaks. They were able to penetrate the
    group to the highest level, gaining the trust of the inner circle.
    The HBGary Federal team was able to learn the real identities of all
    the key players – approximately 10 people. Now these individuals are
    being arrested by the FBI. Aaron and his team were also able to learn
    the identities of approx. 30 additional high level lieutenants. The
    Feds are finally taking down Anonymous, but it should be noted that
    HBGary Federal performed this entire operation without law enforcement
    or government involvement.

    On 2/4/11, Aaron Barr <> wrote:

    > Hold off don't post this yet please.
    > I'll talk to you about it tomorrow...need sleep. :)

    > On Feb 5, 2011, at 1:07 AM, Greg Hoglund wrote:

    >> HBGary Federal Flexes Private Intelligence Muscle.
    >> ---
    >> HBGary Federal, the specialized and classified services arm of HBGary,
    >> flexes its muscle today by revealing the identities of all the top
    >> management within the group Anonymous, the group behind the DDOS
    >> attacks associated with Wikileaks. HBGary Federal constructed and
    >> maintained multiple digital identities and penetrated the upper
    >> management of Anonymous, and was subsequently able to learn actual
    >> identities of the primary management team – BUILDING A COMPLETE ORG
    >> CHART. This information was critical for law enforcement, yet all the
    >> intelligence work was done without law enforcement or government
    >> involvement. Only after achieving the mission did Aaron Barr, the CEO
    >> of HBGary Federal, reveal this information to the Feds. This
    >> underscores the need for new blood in the intelligence community and
    >> the abilities of small agile teams that are unhindered by the
    >> bureaucratic machine.

    >> what do you think? too negative on intel community?

  29. The Fuzzy Wotnot

    What about dear old Aaron Barr?

    Not sticking up for Anonymous, they are just a bunch of troublemakers, but some "credit" must be given to Aaron Barr working at HBGary, who first stirred up the Anonymous hornet's nest by supposedly threatening to expose them!

  30. Anonymous Coward
    Anonymous Coward


    El Reg! It's famous.....

    [03:25] <MGMX> im torrenting it. none of them have enough data to open
    [03:25] <+c0s> i also sent it to nyt, aolnews, cnn, cbs and about 50 others
    [03:25] <url> ahh yeah, the register too

    AC cos I'm scared of em!

  31. Anonymous Coward
    Anonymous Coward

    Did you read the Ars article?

    The email account used in the social engineering phase of the attack was from Greg Hoglund, not Aaron Barr. Also, if they had used a brute force attack, they would still be at it. They used a rainbow table which takes advantage of somebody else's prior brute force effort. All of this was in the original Ars article. Did you read it?

    And it was HBGary Federal, not HBGary, which had intended to reveal to the world its fantastical research about Anonymous. HBGary Federal originated the BofA stuff, not HBGary. The two firms are marginally related financially and operationally, but unfortunately for HBGary shared a similar name and infrastructure.

    But the overall moral of the story is 1. Follow your own advice. 2. Especially do #1 if you're going to take on a skilled group of hackers. 3. If you have documents outlining actions that you can't morally defend in public, then maybe you shouldn't be engaging in those actions. (Kind of a twist on Eric Schmidt's famous Google quote "If you have something you don't want anyone to know, maybe you shouldn't be doing it." His bachelor party must have been the most BORING affair in history. Actually, that's a good idea for a parody video. Onion, are you there?)
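The distinction the commenter draws between brute force and a precomputed table comes down to one property of the stored hash: whether it was salted. The following is an added illustration, not code from the original post or from anything in the leaked material; the wordlist and password are constructed, and the lookup dictionary is a plain precomputed hash-to-word map standing in for a real rainbow table (which compresses the same mapping with hash/reduce chains but exploits the identical weakness). It shows that an unsalted MD5 hash is recovered by a single dictionary lookup, while a per-user random salt with PBKDF2 defeats that precomputation.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; stands in for the large dictionaries that
# precomputed tables are built from.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "correcthorse"]

ITERATIONS = 100_000  # PBKDF2 work factor; raise in production


def build_lookup_table(words):
    """Precompute md5(word) -> word once. The work is done up front and can
    then be reused against any unsalted MD5 hash leaked later: this is the
    'somebody else's prior brute force effort' the comment refers to."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def unsalted_md5(password):
    """The weak scheme: no salt, fast hash, identical output for every
    user who picked the same password."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup(table, hash_hex):
    """Recover a password from a precomputed table, or None if absent."""
    return table.get(hash_hex)


def salted_hash(password, salt=None):
    """The corrected scheme: 16 random salt bytes per user plus a slow KDF.
    Returns (salt_hex, hash_hex); the salt is stored alongside the hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex(), digest.hex()


def verify_salted(password, salt_hex, hash_hex):
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), hash_hex)


def demo(password="letmein"):
    """Run both schemes against the same constructed password."""
    table = build_lookup_table(WORDLIST)

    # Unsalted: one table, built once, breaks every matching hash instantly.
    recovered = lookup(table, unsalted_md5(password))

    # Salted: the same password hashes differently per user, and neither
    # value appears in the precomputed table.
    salt_a, hash_a = salted_hash(password)
    salt_b, hash_b = salted_hash(password)

    return {
        "unsalted_recovered": recovered,          # "letmein"
        "salted_in_table": lookup(table, hash_a),  # None
        "same_password_same_hash": hash_a == hash_b,  # False
        "verify_ok": verify_salted(password, salt_a, hash_a),
        "verify_wrong": verify_salted("wrong", salt_a, hash_a),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The lookup table here is built from five words, but the point scales: the cost of the table is paid once by whoever builds it, and every system that stores unsalted fast hashes then pays for it. A per-user salt forces that cost to be paid again for each individual hash, and the slow KDF makes each attempt expensive.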

  32. Will Godfrey Silver badge

    Minimum necessary effort

    That is what I call real class, doing just enough to get the desired effect and no more.

  33. Anonymous Coward
    Anonymous Coward

    @"Jussi" should be for the high jump IMHO

    fire jussi and the next guy in the job will just make the same mistake!

    the point of mistakes is that you learn from them, don't get rid of the people that have learned from them and replace them with people that haven't

    and IMO that sign at the sec conference should have said,

    "we are not worthy"

    Also, I'm a bit surprised it's taken the reg so long to 'break' this story, considering that it's been all over everywhere else already, and the amount of detail that appears to be wrong in the article.

  34. Tempest

    Watch out for the Bittorrent there really are ...

    problems with the files in PDF format by way of viruses.

    I think Anonymous jumped too soon; they should have done it during the presentation, with someone in the audience to ask a question!
