Unmasked - Ars Technica [15]
This seems an absurd claim on a number of levels, but it also upped the “creep factor” dramatically. Barr was now suggesting that a major US corporation find ways to lean on a civil liberties lawyer who held a particular view of WikiLeaks, pressuring him into silence on the topic. Barr, the former Navy SIGINT officer who had traveled around the world to defend the US right to freedom of speech, had no apparent qualms about his idea.
“Discontinued all ties with HBGary Federal”
The fallout rained down quickly enough. In January, with H&W still not signing off on any big-dollar deals, Barr decided to work on a talk for the BSides security conference in San Francisco. He hoped to build on all of the social media work he was doing to identify the main participants in the Anonymous hacker collective—and by doing so to drum up business.
The decision seems to have stemmed from Barr’s work on WikiLeaks. Anonymous defended WikiLeaks on several occasions in 2010, even attacking the websites of Visa and MasterCard when the companies refused to process WikiLeaks donations. But Barr also liked the thrill of chasing a dangerous quarry.
For instance, to make his point about the vulnerabilities of social media, Barr spent some time in 2010 digging into the power company Exelon and its US nuclear plants. “I am going to target the largest nuclear operator in the United States, Exelon, and I am going to do a social media targeted collection, reconnaissance against them,” he wrote.
Once Barr had his social media map of connections, he could attack. As he wrote elsewhere:
Example. If I want to gain access to the Exelon plant up in Pottsdown PA I only have to go as far as LinkedIn to identify Nuclear engineers being employed by Exelon in that location. Jump over to Facebook to start doing link analysis and profiling. Add data from twitter and other social media services. I have enough information to develop a highly targeted exploitation effort.
I can and have gained access to various government and government contractor groups in the social media space using this technique (more detailed but you get the point). Given that people work from home, access home services from work—getting access to the target is just a matter of time and nominal effort.
Knowing about a target’s spouse and college and business and friends makes it relatively easy to engage in a “spear phishing” attack against that person—say, a fake e-mail from an old friend, in which the target eventually reveals useful information.
Ironically, when Anonymous later commandeered Greg Hoglund’s separate security site rootkit.com, it did so through a spear phishing e-mail attack on Hoglund’s site administrator—who promptly turned off the site’s defenses and issued a new password (“Changeme123”) for a user he believed was Hoglund. Minutes later, the site was compromised.
After the Anonymous attacks and the release of Barr’s e-mails, his partners furiously distanced themselves from Barr’s work. Palantir CEO Dr. Alex Karp wrote, “We do not provide—nor do we have any plans to develop—offensive cyber capabilities... The right to free speech and the right to privacy are critical to a flourishing democracy. From its inception, Palantir Technologies has supported these ideals and demonstrated a commitment to building software that protects privacy and civil liberties. Furthermore, personally and on behalf of the entire company, I want to publicly apologize to progressive organizations in general, and Mr. Greenwald in particular, for any involvement that we may have had in these matters.”
Berico said (PDF) that it “does not condone or support