This is the first in a two-part interview with Aaron Barr, the former CEO of HBGary Federal
Each of us has made mistakes in our lives – woeful errors that we’ve been forced to learn from at great personal cost. Blessedly, those painful experiences are typically private affairs. Tears are spilled. Mea culpas are issued to those we’ve wronged, then we, the folks we hurt and the storm clouds move on.
For an unfortunate few, however, blunders go viral. Their mistakes fuel evening news segments and column inches in the pages of leading newspapers. Millions queue up to watch them on YouTube and they get turned over for laughs by late night comedians. Think about lonely Congressman Weiner or that poor woman who, distracted by her cell phone texting, flopped into the fountain at a Kentucky mall.
Aaron Barr, the former CEO of security firm HBGary Federal, is one of those unlucky few. No fountain-flopper, Barr is a respected authority on computer security whose mistake was to openly speculate on the identities of members of the online hacking group Anonymous, then watch as events spun gruesomely out of his control. Infuriated by what they interpreted as an attempt to out them, Anonymous hacked HBGary’s servers and made off with tens of thousands of messages from the company’s e-mail server, which the group then posted online. Anonymous’s preemptive strike put the inner workings of HBGary up for public view. That begot countless other stories – not all of them accurate – as reporters pored over the contents of HBGary Federal’s correspondence, Wikileaks style. Their digging turned up troubling communications about the company’s plans to assist the U.S. government and various other Beltway interests with online reconnaissance. Before it was all over, no less than Comedy Central titan Stephen Colbert riffed on the controversy. And, not too long after that, Barr tendered his resignation from HBGary Federal.
Since then, Barr has kept his hand in the IT security game, but he’s also kept a low profile. On the other side of the fence, Anonymous and related groups, like LulzSec, have become emboldened by their success in the HBGary Federal attack, launching similar attacks on Sony Corp. and Monsanto, the U.S. Senate, the U.S. Federal Bureau of Investigation, the Public Broadcasting System, the federal police in Spain, the government of Turkey and other targets. There have been some arrests, but the core leadership of both Anonymous and the closely related LulzSec remain free.
But the unfortunate events of this spring haven’t bowed the former CEO. And the events of the last four months have, if anything, made him seem prophetic. More than ever, Barr’s call for the IT community to focus attention on the individuals behind cyber attacks – not just the technical details of the attacks – rings true. In one of the first interviews he’s given since the hack of HBGary Federal in February, Barr talked, by phone, with Threatpost editor Paul Roberts about the hack of HBGary Federal, Anonymous, LulzSec and why most security investments are misplaced.
Threatpost: There’s a certain folk hero aspect to groups like Anonymous and LulzSec – a Robin Hood kind of thing, at least within some segments of the online population. But how should the public, governments and the private sector understand these groups and what they’re doing and keep from getting in their
Aaron Barr: Well, they’re certainly complex. LulzSec is a bit less complex because they’re a smaller organization that has broken off from Anonymous and is very focused. But Anonymous is complex in its totality. But the people that have real capabilities – the people that are the real threats, the Anonops folks and a small core within the Anonops folks – are, I think, misrepresented. They’re misrepresented purposefully by the group, but they’re also misrepresented in the media.
Threatpost: How so?
Aaron Barr: Based on what I’ve watched and conversations I’ve had, I don’t believe that the hacktivist mentality that they’ve attached themselves to – and that a good amount of the larger group believes in – is core to their belief system. I think core to their belief system is that they want to (expletive) (expletive) up. They get a rise out of it. They get a power hit off it, and they’re using the hacktivist ideology to ride on. But, that said, the larger group Anonymous is much more complex. Looking ahead, there might be some people that have real capability that truly believe in the hacktivist ideology and will take a different approach. But I don’t think that – other than being extremely cautious and staying away from what are likely to be important issues – that you can stay out of their crosshairs. How do you predict what’s going to…I mean stay away from Wikileaks – check! Stay away from prosecuting hackers – check! What’s next? I don’t know. Monsanto…they’ve had a grudge against Monsanto for quite some time for genetically modified foods. Anyone dealing with globalization has a problem. The IMF, the
Threatpost: The issues are quite diverse. You’re forgetting about the Church of Scientology, which was their primary target for a long time. So there’s that. But the list of issues is diverse and growing. And, of course, any tentative connection you have to these issues could make you a target.
Aaron Barr: Right and, you know, I get it. I get it. I grew up a liberal Democrat. I remember being an angry 20-something full of ideology and a sense of what’s right and wrong in the world. I was very adamant in my beliefs. So I get it. What I don’t get is the destructive nature of the organization. I fundamentally believe in civil disobedience as a functioning part of our society. I believe in the right to protest as a necessary element of our society. But they’ve taken – and I’ll lump Wikileaks in the same boat – have taken what is a healthy element in our society and made it destructive. I’ll jump off the cyber wagon for a moment and talk Wikileaks. You can’t release 250,000 sensitive documents into the wild and think you’re doing good for society. I don’t think you can, because there’s no way you can vet all 250,000 documents for whether there’s a need to release a specific document and what the blowback to that doc might be. When you go back to other exposure events, whether Watergate or the Pentagon papers, there was an awful lot of research and an investigation that went into the release of that
Threatpost: You mean that information was vetted prior to its release and a reason existed for releasing it?
Aaron Barr: Yes. The information was vetted for its purpose and the potential detriment. Because there’s no need. Plenty of people who work for the State Department and federal government and commercial organizations just work there. If you have an axe to grind about a specific issue, it’s destructive to hurt the employees, in my opinion. It’s destructive to hurt all the liaisons working in embassies across the world on policy and foreign affairs issues if it’s not to serve a particular purpose. And transparency is not a good enough reason. There are reasons for some information to be classified. There are reasons for businesses to hold some info as sensitive. If you feel like a particular government organization or a business has committed an illegal act and you feel compelled to expose that illegal act, that’s your prerogative. Go to it. In the meantime, if you get access to other information, I believe that it’s irresponsible and destructive to release it. Freedom requires a significant level of responsibility. So, coming back to Anonymous. Their LOIC (denial of service) tool is reaching a scary point of automation of capabilities, where you can have armchair protests and convince a bunch of kids in 4chan to come over and help protest against Sony by downloading a tool and, you know, connecting into the hive mind so someone can remotely control a very large botnet. A kid just needs to download it, set it up and go back to playing Quake. But you’ve just participated in a pseudo protest capability. I think that’s dangerous. Protest used to require some amount of dedication and effort and responsibility. You had to put yourself out there by standing in a picket line and signing a petition. Now you’re hiding behind a cloak and giving support to someone who might not have the same altruistic motives as you do.
Threatpost: Why are these attacks getting headlines now as opposed to before? How do you think the government should sort out the differences between state sponsored espionage and attacks that are pranks, financially motivated attacks, and so on?
Aaron Barr: One of the reasons I think we are where we are is a few recent events in which LulzSec and Anonymous just pushed things over the edge. It started with the very public discussion of state-sponsored attacks. The reason the public now knows the term APT (advanced persistent threat) is because of the Aurora attack. Then you had Wikileaks, which isn’t necessarily a traditional cyber threat. But it does have insider threat components that are a huge concern and which we don’t have a lot of protections against. Then we had Stuxnet. And, while maybe the general public didn’t understand the significance of Stuxnet, those of us in the community did, and it was discussed very publicly. There was an analysis of a state-sponsored threat. That started to get the ball rolling and you saw increasing discussion even among mainstream news outlets. And then Anonymous and LulzSec just blew it out of all proportion. It’s like watching cyber reality TV – we can’t not watch it. There was the extreme damage done to myself and my company, and then Sony. I mean, my God, you had people wondering ‘what part of Sony will get hit today?’ And it grabbed attention. People started to talk about significant cyber threats to the economy and corporations and nation states. The Chinese came out and publicly admitted they have a cyber army, which is the first time they’ve done that.
Threatpost: How similar do you think state sponsored attacks are to LulzSec or Anonymous-linked attacks against a company or government? How different should the response be? More similar than dissimilar?
Aaron Barr: We’re so far away from that now it’s really frightening. We still look at the problem as an incident response problem, for the most part. There are pockets of the government and intelligence community that have the capacity and authority to look at it slightly differently. Overall, by and large, we look at threats when someone gets compromised. When there’s an attack or attempted attack, we try to trace it back to its source. We’re not looking at the problem in terms of where the real threat is.
For example, we got very good at identifying and taking down drug cartels. We started looking at how they finance themselves, how they move goods, how they operate. What means of communications do they have? We’re not looking at cyber threats from that perspective. We’re looking at them from a technical perspective. Until we start looking at the human actors and start to categorize them, we’re not going to know. How do we know with Anon(ymous) and LulzSec that there’s not a state-sponsored element hiding under the covers? There’s been a lot of discussion about APT. What is state sponsored? What is not? That is a discussion had by people that never really worked in government and the Department of Defense before. From my perspective, APT will look, smell and feel how it needs to in order to achieve an objective. In some cases, that may be using tactics that are crude, so it looks like some college kid out of Ukraine. In other cases, they will use techniques that are very sophisticated, like Stuxnet. Clearly, there are immense capabilities that are remotely deployed by state agencies that have never been found and might never be found. I mean, if you have millions of dollars and pools of resources to point at a problem, what might you come up with?
Threatpost: Are there lessons from the hack of your company, HBGary Federal, that the U.S. government or firms like Sony need to learn? If so, what are they?
Aaron Barr: Operationally, businesses and even security companies fall to the weakness of getting overly focused on business operations and then letting security lapse. You need to send out an email and, oh, the guy sending it doesn’t have PGP so slowly, insidiously, it creeps and creeps and creeps. Security needs to be a significant focus and significant budget item, especially by security companies. But when you’re trying to get proposals out the door or there’s M&A (mergers and acquisitions)…One of the biggest weaknesses of large companies is that they hardly ever get fully integrated, especially when you have one company buying another big company. So there are weaknesses in the infrastructure and the bigger you get, there are more of them. But we have to focus on security. We have to assume now that no matter how many security precautions we take, they’re going to get in or already are in.
So what mitigating steps do we take? We’re already seeing a lot of focus on identity management and encryption and authentication. Those have to be areas we put big resources in. Perimeter and host defenses aren’t good enough, and never will be good enough. We don’t have good enough threat intelligence. Companies like HBGary, Fidelis, Sourcefire all do good work and have good products, but we don’t know what to tell them about preventing attacks. We can tell them what worked yesterday, but not what they’ll face tomorrow. Government and industry have poured resources into perimeter security, but we also have organizations that are more and more mobile. And we’ve put so much emphasis on perimeter security because host security is so problematic. You need agents on every system. So our adversaries have a lot of ceiling – a lot of room to grow. We haven’t even talked about insider threat or supply chain threats, which we have very little ability to detect. If we focus on the vehicle of the attack, we’re always gonna lose. And if we don’t get better at offense, we’re never going to win. So we have to get better at figuring out who threats are – categorize them and develop strategies to combat them.
Threatpost: If you believe the claims of groups like LulzSec, these attacks aren’t difficult to carry out. Or, at the very least, the doorways into these organizations – Sony, etc. – are out there and in the open. They’re unpatched SQL injection or cross-site scripting holes on public-facing Web applications that are easily identified and exploited.
Aaron Barr: Companies are never going to close all doors, that’s why organizations have to use authentication and encryption to make sure the critical data they have – user names and passwords and client information and PII – is secured and encrypted, so that if it is stolen, there’s not much to gain from it. There’s always going to be a risk, whether you’re HBGary, which had very little external presence, or Sony, which had a massive external presence. I mean, the SQL injection (attack) that we succumbed to was because I asked a Web developer to make a change to our Web site just prior to the attack that added some features and functionality. That opened the SQL injection hole. So it’s a matter of your development processes and business processes and your security processes. How can you integrate those so that you protect yourself continually? The answer is you can’t.
Now, I’m easy to poke at because I’m a small company and a security company. And Sony was, maybe, because they had some data that should have been better protected. So those steps need to be taken, no doubt. You need to protect your critical data. That’s the number one takeaway. You need to focus on what sensitive data you have and how to protect it. You need to worry about protecting your perimeter as well, but you’re never going to close all the doors. There will always be a zero day (vulnerability). There will always be an insider threat, potentially. There’s always the potential for someone to get in.
Threatpost: One of the problems that seems to be cropping up is that organizations don’t know enough about who their enemies are. PBS is an example. Their Frontline crew does a story on Wikileaks and they get attacked by LulzSec. In retrospect, maybe there should have been a conversation internally with IT that said ‘hey, we’re going to put out a story that could raise the ire of this hacking group. We could become a target of that group. So what methods might they use to go after us? Where would they come in? Will it be Frontline or could it be other shows or parts of our infrastructure?’ Clearly that conversation never took place, but it seems like other organizations that aren’t media organizations have the same problem. So, Sony, in going after (PlayStation 3 hacker) George Hotz couldn’t have anticipated that he’d become a cause célèbre of this anarchic hacking group.
Aaron Barr: That’s the core of the problem. They don’t understand, because nobody understands the threat. It’s not like LulzSec and Anonymous have good opsec (operational security). They talk a lot. If you’re in their IRC channels or watch what they tweet, they give a lot of warnings. I mean, the (FBI) Infraguard attack, LulzSec was talking about doing something to the FBI for two weeks before that took place.
Threatpost: You and I have talked about this. But prior to your decision to do a presentation on Anonymous, did you consider that your company could be the target of retribution?
Aaron Barr: When I was planning to do the talk, I knew that I could potentially become a target, but I didn’t know how significantly. I underestimated the threat. We had discussions internally about (denial of service attacks), and things like that. But I underestimated the threat at the time. I won’t do that again. (Laughs) But prior to the talk, my company was very little known. We were very, very small. Just starting out and trying to build business with the government. We weren’t public enough to be that much of a threat or a target.
Threatpost: Yes. You’d assume someone in FBI was looking around internally.
Aaron Barr: Internally, yes. But maybe not Infraguard. But I know they were looking very hard internally at FBI.gov and their external presence. But also with Sony and PBS. You can assume that a discussion was happening somewhere online about these attacks, about the coordination of the attacks. So how do you become knowledgeable of the different groups that are out there and what their motives and actions are? To me, that’s what’s needed to get ahead of these threats and get some indication and warning about what’s coming. As it stands, there’s no way, outside of PBS just speculating, for them to know. But I’d say now, with these very public attacks – Sony, PBS, Unveilance – that it’s a conversation that needs to happen in board rooms when you are doing something that might be controversial. But what do they do about it after that? I don’t know. That goes back to our previous conversation about locking all the doors.
Threatpost: One of the things that has come up in the wake of the Sony hack is that there’s a split between Japan and the rest of the world. Sony wants to bring PlayStation Network back up and the government in Japan is saying ‘we’re not satisfied that you’ve done enough to secure this network and system to bring it back up.’ Whereas in the EU and US, more or less, the authorities are taking Sony’s word that it’s ready to resume business operations on this gaming network. Is there a role for government, as with, say, an E. coli outbreak, in the wake of an incident for governments to come in and say ‘you’ve had a huge public health event and spilled a lot of sensitive data, we’re now the arbiters of when you’re ready to relaunch these services and get back in biz. The decision is not up to your internal IT team because you’ve already proven that you don’t know what the hell is going on.’
Aaron Barr: Right. And this gets to the heart of the problem of .GOV protecting .COM. We’ve created a lot of rules and policies to separate that because we want to foster innovation and creativity. I mean the majority of great Web technologies and services have happened in the U.S. We want to continue to foster that kind of development so that it happens here. But government getting involved is the antithesis of sponsoring innovation and creativity. It will likely stifle it. But you do need to pay attention to significant security theaters. Government doesn’t want to get involved with the business of .COM and telling them what they need to do in relation to security. Government is still trying to wrap its head around that problem. But if you look at government initiatives like the consolidation of external entry points through TIC (the U.S. Department of Homeland Security’s Trusted Internet Connections program) or its effort to stand up Cyber Command and consolidate army and military networks, they’re still trying to grapple with their own internal security issues. I am sure that .GOV and .MIL need to provide better information related to threats. But that will take a while.
So when you ask about (the government) jumping in and telling Sony they’re not secure enough, we’re not there. I’m not sure the Japanese government is there, either, but I understand their desire to do so because of the exposure to the Japanese citizenry. I do like the answer ‘you’re not ready to come back up again,’ but think that could be a regulatory or governing body making those calls after a significant compromise occurred.