
ARS Technica: HBGary's open letter: full of denials that don't hold water

By FZ - Posted on 22 April 2011

April 19, 2011 - HBGary, the security firm that saw its servers hacked and its e-mails released after its HBGary Federal offshoot angered the Anonymous hive, published a rather peculiar open letter this past Friday in an effort to address the "large amount of misinformation reported in the press." But the letter makes some questionable claims of its own.

The unsigned letter outlines the basics of the attack and asserts that HBGary's internal systems remained safe and uncompromised. To ward off future attacks, the letter also claimed that HBGary's website, which was hacked using a basic security flaw, and its e-mail system, which fell victim to weak, re-used passwords, were now back in operation with "even stronger cyber defense mechanisms."

HBGary says that the company's concern in the immediate aftermath was to determine if customers had been affected by the intrusion. On receipt of legal advice, the company's policy was to refrain from commenting on the e-mails, though it acknowledges that this may have led to the amount of "misinformation" floating around.

Deny everything

The main thrust of the letter is an effort to distance HBGary from the entire hack and its subsequent aftermath. Five specific claims are made: that HBGary and HBGary Federal are distinct, with separate "management, employees, and missions"; that HBGary was not involved in the research performed by then-HBGary Federal CEO Aaron Barr and was merely caught in the crossfire; that HBGary did not develop Stuxnet; that HBGary does indeed sell software to the US government and is proud of that fact; and finally, that HBGary's rootkit research is solely to help improve its own security products.

While the claims about Stuxnet and software sales to the US government are uncontentious, the others are more than a little surprising. For a start, some of the claims appear to be contradicted by the extensive e-mail dumps. Though HBGary representatives have implied that some of the e-mails may have been tampered with, the prodigious quantity of mail precludes any substantial effort to create fraudulent mail (and the company never responded to our request to identify any instances of such fraud).

While HBGary Federal was legally a distinct company (albeit one with some overlap in ownership), both the hacking methodology and e-mails subsequently published make clear that this distinction was far less clear in practice.

The hack itself revealed that HBGary and HBGary Federal used a single Google Apps account for their e-mail. Former HBGary Federal CEO Aaron Barr, whose actions provoked the hack in the first place and whose password was cracked, had administrative access to both HBGary and HBGary Federal mail. The e-mail accounts of HBGary Federal employees used HBGary's domain, not their own. HBGary Federal COO Ted Vera had access to a Linux server used by HBGary for providing support to its customers. And the e-mails themselves show that Aaron Barr was in regular correspondence with HBGary CEO Greg Hoglund. The two also worked together to decide how best to word press releases to promote HBGary Federal's work to uncover Anonymous.