As the coin was tossed to kick off Super Bowl XLV, Anonymous unleashed their anger at a security firm that had been investigating their membership.
HBGary Federal had been working on unmasking their identities in cooperation with an FBI investigation into the attacks against companies that were cutting off WikiLeaks' access and financing.
Unlike the DDoS attacks for which Anonymous has made headlines in recent months, this incident involved true hacking skills. Anonymous compromised the HBGary website and replaced it with an image explaining their motivation. In addition to the defacement, they downloaded over 60,000 emails from the company and posted them on The Pirate Bay.
The Twitter account of HBGary’s CEO, Aaron Barr, was also compromised and used to tweet multiple offensive messages, as well as his home address, social security number and cell phone number. According to Forbes, the LinkedIn accounts of other HBGary executives were compromised “in minutes.”
The research, which HBGary was preparing to sell to the FBI and which allegedly contains names, addresses and other information on Anonymous, was also posted as part of the attack. Anonymous maintains the information is largely bogus and says they are providing it publicly to prove it.
A writer for the DailyKos claims that, in addition to the other damages, Anonymous also deleted the firm’s backups.
From a legal perspective, Anonymous had better hope they remain anonymous. The criminal activities outlined by their own bragging could get them some serious prison time in the US, UK and other countries with strict cybersecurity laws.
While we do not know the methods employed (perhaps Anonymous will tell us that as well), it is a good time to review the basics of security. Audit your own sites, never use the same password on more than one site, and try to maintain separation of privileges so that the compromise of one account does not affect all of your services.
As of the time of this post hbgary.com is still offline.
Update: According to information from krebsonsecurity.com, it appears HBGary was victimized by a combination of social engineering and a password shared between systems. Training employees to properly verify identity before exposing secure systems is an essential part of a corporate security program. Staff who feel they must act whenever someone important, such as a company executive, appears to be asking for help can cause disastrous results. The CEO and founders must be subject to the same rules as everyone else. Employees who challenge their superiors should be praised rather than chastised when they follow the policy.