Skip to content

February 10, 2011


HBGary: Security Firm Investigating ‘Anonymous’ Hacked and Exposed

“Do not meddle in the affairs of hackers, for they are subtle and quick to anger.”

Following last week’s hacking of shamed LIGATT CEO Gregory D Evans, this week it was the turn of security firm HBGary to get exposed. HBGary have been aiding the FBI with their investigations into members of Anonymous. Although Anonymous isn’t a centralised ‘group’, their recent DDoS attacks and hacks of oppressive governments and anti-wikileaks organisations (including PayPal, MasterCard and VISA), have made them a target of the US Federal Government.

HBGary were allegedly preparing to hand over information about certain members of Anonymous to the FBI, who have already made several arrests in the US and UK, and obtained over 40 search warrants in an attempt to shut down Anonymous (probably not possible imo). Angered by CEO Aaron Barr and HBGary’s involvement in FBI investigations, members of Anonymous compromised a number of HBGary servers, defacing their website, gaining access to CEO Aaron Barr’s Twitter account, and obtaining a large number of emails. In what seems to be the popular punishment at the moment, over 50,000 corporate emails were released in a torrent. Anonymous also stated, on one of their many Twitter accounts, that the source code of HBGary’s security products was also obtained – although these don’t appear to have been released (yet?).

“You’ve angered the hive, and now you are being stung.”

Anonymous posted a message to HBGary on their defaced website, where they mock the firm for their lack of security and the unsubstantial ‘public’ information that was going to be handed sold to the FBI.

Hit the jump for Anonymous’ full message.

Ars Technica has a good review of how this all went down, and a step-by-step account of how the hack was possible.

[Update] Aaron Barr steps down as CEO of HBGary Federal

Greetings HBGary,

Your recent claims of “infiltrating” Anonymous amuse us, and so do your
attempts at using Anonymous as a means to garner press attention for
yourself. How’s this for attention?

You brought this upon yourself. You’ve tried to bite at the Anonymous hand,
and now the Anonymous hand is bitch-slapping you in the face. You expected
a counter-attack in the form of a verbal braul (as you so eloquently put it
in one of your private emails), but now you’ve received the full fury of
Anonymous. We award you no points.

What you seem to have failed to realize is that, just because you have the
title and general appearence of a “security” company, you’re nothing
compared to Anonymous. You have little to no security knowledge. Your
business thrives off charging ridiclous prices for simple things like
NMAPs, and you don’t deserve praise or even recognition as security
experts. And now you turn to Anonymous for fame and attention? You’re a
pathetic gathering of media-whoring money-grabbing sycophants who want to
reel in business for your equally pathetic company.

Let us teach you a lesson you’ll never forget: you don’t mess with
Anonymous. You especially don’t mess with Anonymous simply because you want
to jump on a trend for public attention, which Aaron Barr admitted to in
the following email:

“But its not about them…its about our audience having the right
impression of our capability and the competency of our research. Anonymous
will do what every they can to discredit that. and they have the mic so to
speak because they are on Al Jazeeera, ABC, CNN, etc. I am going to keep up
the debate because I think it is good business but I will be smart about my
public responses.”

You’ve clearly overlooked something very obvious here: we are everyone and
we are no one. If you swing a sword of malice into Anonymous’ innards, we
will simply engulf it. You cannot break us, you cannot harm us, even though
you have clearly tried…

You think you’ve gathered full names and home addresses of the “higher-ups”
of Anonymous? You haven’t. You think Anonymous has a founder and various
co-founders? False. You believe that you can sell the information you’ve
found to the FBI? False. Now, why is this one false? We’ve seen your
internal documents, all of them, and do you know what we did? We laughed.
Most of the information you’ve “extracted” is publicly available via our
IRC networks. The personal details of Anonymous “members” you think you’ve
acquired are, quite simply, nonsense.

So why can’t you sell this information to the FBI like you intended?
Because we’re going to give it to them for free. Your gloriously fallacious
work can be a wonder for all to scour, as will all of your private emails
(more than 44,000 beauties for the public to enjoy). Now as you’re probably
aware, Anonymous is quite serious when it comes to things like this, and
usually we can elaborate gratuitously on our reasoning behind operations,
but we will give you a simple explanation, because you seem like primitive

You have blindly charged into the Anonymous hive, a hive from which you’ve
tried to steal honey. Did you think the bees would not defend it? Well here
we are. You’ve angered the hive, and now you are being stung.

It would appear that security experts are not expertly secured.

We are Anonymous.
We are legion.
We do not forgive.
We do not forget.
Expect us – always.

2 Comments Post a comment
  1. Alex Andersson
    Feb 13 2011

    This will probably mean the beginning of the end for HBGary simply because they cannot keep the security of confidentiality between clients and management as a given. Would you entrust the future and reputation of your company, or even the security of an entire nation, to a security firm that cannot even keep the front door locked?

    Goodbye HBGary.

  2. Feb 14 2011

    Hi Alex,

    Indeed this will prove very difficult for HBGary, particularly HBGary Federal who rely solely on gov’t contracts. They are likely to lose their security clearance, as they’ve been compromised. Aaron Barr played with fire the way he handled his dealings with Anonymous. Unfortunately everyone got burnt because of it.

Share your thoughts, post a comment.


Note: HTML is allowed. Your email address will never be published.

Subscribe to comments