(2011-02-13) Bank Of America Targeting Wikileaks Hb Gary

Last week, Aaron Barr, a top executive at computer security firm HBGary Federal, boasted to the Financial Times that his firm had infiltrated and begun to expose Anonymous, the group of pro-WikiLeaks hackers that had launched cyber attacks on companies terminating services to the whistleblowing site (such as PayPal, MasterCard, Visa, Amazon and others). In retaliation, Anonymous hacked into the email accounts of HBGary, published 50,000 of their emails online, and also hacked Barr's Twitter and other online accounts. Among the emails that were published was a report prepared by HBGary -- in conjunction with several other top online security firms, including Palantir Technologies -- on how to destroy WikiLeaks. The emails indicated the report was part of a proposal to be submitted to Bank of America through its outside law firm, Hunton & Williams...

It turns out that the firms involved here are large, legitimate and serious, and do substantial amounts of work for both the U.S. Government and the nation's largest private corporations (as but one example, see this email from a Stanford computer science student about Palantir). Moreover, these kinds of smear campaigns are far from unusual; in other leaked HBGary emails, ThinkProgress discovered that similar proposals were prepared for the Chamber of Commerce to attack progressive groups and other activists (including ThinkProgress). And perhaps most disturbing of all, Hunton & Williams was recommended to Bank of America's General Counsel by the Justice Department -- meaning the U.S. Government is aiding Bank of America in its defense against/attacks on WikiLeaks.

Update: details on the Anonymous hack of HBGary's systems. For a security company to use a CMS that was so flawed is remarkable. Improper handling of passwords (neglecting iterative hashing, salts and slow algorithms) and a lack of protection against SQL injection attacks are basic errors. Their system did not fall prey to some subtle, complex issue: it was broken into with basic, well-known techniques. And though not all the passwords were retrieved through the rainbow tables, two were, because they were so poorly chosen.
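To make the password-handling point concrete, here is an added example (not code from the CMS or from the quoted article) contrasting an unsalted single-pass hash with a salted, iterated one. The page does not name the hash the CMS used, so SHA-256, the word list and all function names are assumptions, and a small dictionary stands in for a rainbow table.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a few weak passwords an attacker would precompute.
COMMON_PASSWORDS = ["password", "letmein", "qwerty123", "summer2010"]
PBKDF2_ITERATIONS = 600_000  # assumption: tune to your own latency budget


def weak_hash(password: str) -> str:
    """Weak pattern: one pass of a fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Hash -> password map, computed once and reusable on any unsalted dump."""
    return {weak_hash(w): w for w in words}


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened pattern: per-user random salt plus a slow, iterated KDF."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def table_hits(stored_values, table) -> int:
    """How many stored values are recovered by a plain table lookup."""
    return sum(1 for value in stored_values if value in table)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    weak_db = [weak_hash("letmein"), weak_hash("Zq8#long-unique-passphrase")]
    strong_db = [strong_hash("letmein"), strong_hash("letmein")]
    print("unsalted entries recovered by lookup:", table_hits(weak_db, table))
    print("salted entries recovered by lookup:", table_hits(strong_db, table))
    print("same password, distinct records:", strong_db[0] != strong_db[1])
```

With the salted form, a precomputed table no longer applies: each guess has to be recomputed per account at the full iteration cost, although a poorly chosen password remains guessable in either scheme.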

