Some Lessons of the HBGary Hack

Posted on 1 March 2011 by



This blogpost has been adapted from an article I wrote which ran originally in The Salted Hash blog on 8 February 2011 in CSO Online Magazine.

Since that time, there have been revelations about the nature of the work HBGary was doing which do not change my original conclusions but require amplification with respect to the conduct of HBGary: In the original article, I stated that HBGary was working or cooperating with authorities.

From what I have subsequently read in media accounts of the emails pilfered from HBGary executives, the company (including HBGary and its subsidiary, HBGary Federal) was doing work apparently at the behest of some agencies which was, shall we say, of questionable legality.

Make no mistake, we do not advocate doing anything illegal or unethical by any party. If HBGary’s actions prove to have been in contravention of the law, its principals and employees should be prosecuted. However the point I originally made, that commenting on active investigations is foolish, remains valid.


“My father was in the secret service, Mr Manfredjin St. John, and I know that you don’t ‘keep the public informed’ when you are debriefing KGB defectors in a safe house.”

– Wendy, A Fish Called Wanda

I’ve been speaking quite a bit lately about how information security professionals can work with law enforcement – in fact, I spoke about it at BSides San Francisco.

The attacks by Anonymous against HBGary, and the accompanying defecation-hitting-the-ventilation, raise some important rules of the road for this. Private-public sector cooperation is at the heart of nearly all successful initiatives.

The public sector relies on private-sector innovation and expertise – indeed, organizations like In-Q-Tel and the Chesapeake Innovation Center count on it to make crucial advances in security.

There’s great satisfaction in working for the greater good – which can come in a warm, fuzzy feeling of accomplishment, or even in the warmth of some “non-recurring engineering funds” from some grinning, creepy guys in “Maryland”. Trying to get the specifics of your good deeds into the limelight, though, for personal or company public-relations gain is just bad business.

When speaking with journalists and analysts, executives at information security companies – especially venture-funded, non-profitable, non-cash-flow-positive ones – have long used implication, hints, wink-wink gestures and other sometimes adorable intimations that they ‘work with’ ‘three-letter agencies’* or law enforcement in darkly secret and very important ways.

They do this because they are trying to build their brand credibility. They often end up sounding like a tool. Now, oftentimes, they actually are using their technologies and their skills to support the work of law enforcement, but they’re not supposed to talk about it. Nor should they want to, necessarily.

If I sound snarky, let me be clear that public service is not to be mocked, it is absolutely to be lauded, and anyone helping a law enforcement agency fight crime, whether for money or service, is to be encouraged. But don’t forget that, as you help out, it is just that: public service.

You can’t publicize the specifics of your assistance without jeopardizing its very value. This is the line, apparently, that HBGary employees inadvertently crossed, and the results were terrible.

In the Financial Times last Saturday, in an article entitled, “Cyberactivists warned of arrest,” Joseph Menn quoted HBGary researcher Aaron Barr as saying that, “he had collected information on the core leaders, including many of their real names, and that they could be arrested if law enforcement had the same data.”

They could be arrested if? What hubris!

Now, I don’t know much about law enforcement, but I do think that, if you’re planning, say, to serve a felony warrant, it’s a bad idea to phone ahead and let the guy know you’ll be by in 15 minutes.

If?

A good rule of thumb is that you don’t tip your hand about the specifics of your work on any case for any reason. And drumming up business through publicizing your specific public service is as bad a reason as any. Reasons for this fall into two categories.

The first is that fighting crime is, you know, dangerous. Criminals generally engage in criminal enterprises for the money (few people have a driving passion to establish, say, an industry-leading counterfeiting ring for the societal benefit), and those who stand between criminals and their goal risk the ire of the criminals. This is not fair or just, but it is so.

Now, stating in a newspaper that you possess the secret identity of a criminal? This falls squarely into the category of “standing between a criminal and his goal.” That’s a tip, kids. Write it down.

To paraphrase Wendy in A Fish Called Wanda, one only briefs the public on an upcoming law enforcement action if one is congenitally insane or irretrievably stupid.

Second, law enforcement officers, agents and agencies fight crime for a living. It’s dangerous and often thankless; it’s a calling, and these folks work hard under difficult conditions that require dedication, passion and purpose. Implying that they’re somehow not up to the task by stating that you have the X-factor that can be the secret of their success alienates those you seek to help.

Generally speaking, information security firms, security researchers, offensive computer folks, white-hat hackers and security professionals who want to help law enforcement should recognize a few things:

  1. Helping law enforcement is rarely a straightforward task. Sure, in movies, “we need your help” is followed by specific tasks that lead to the capture of the bad guys, the breaking up of the crime syndicate and windsurfing at Disneyland.
  2. Relationships in law enforcement must be carefully cultivated. Sworn officers and agents need to learn that you are trustworthy. You must learn the extents of their capabilities and authority. This takes time.
  3. Your help can’t be more trouble than it’s worth. In the movies, the brilliant but eccentric mathematician/hacker/systems expert can be un-bathed, wild-eyed and unpredictable. When you’re working with the fuzz, one press release costs you any and all good-will you’ve developed to date.
  4. The time to talk about arrests is a year later. The people to talk about arrests are cops. You’re helping law enforcement as part of your civic duty. While the cops will often be happy to mention your help in a press release at some point down the road, your primary driver for helping is public service, not self-promotion. If you’re in it for the publicity, get a cooking show.
  5. Criminals are dangerous. Criminals seek profit, and seek through illegal means to thwart those who would prevent these profits from being realized. Fighting criminals can absolutely be a cooperative exercise between public and private sector, but private sector people should keep the details of their cooperation as secret as the “sauce” they love to say makes their product work.

In short, companies wishing to help out might consider following the advice of Chris Rock, as he described some of the best ways Not to Get your Ass Kicked by the Police:

  • Obey the law;
  • Use common sense;
  • Be polite; and
  • Shut the #!@k up.

__________________________

*a phrase which itself provides proof that they do not