Soon his platoon moved into an empty police station in the city’s downtown and began its work. Much of the fighting was over: NATO had already been dropping bombs for a year. But the lingering Serbian presence under the command of alleged war criminal Slobodan Miloševic´ continued to attack NATO forces and Albanians continued to retaliate against the Serbs. Barr’s group was dispatched to track down and break up pockets of violence.
The signals-analyst-turned-soldier would be sent into combat with two oversize and armored Tadpole Unix laptops strapped to his body, one as a backup, and a pair of transceivers with antennae designed for intercepting and interpreting radio communications. He hadn’t been certified to carry heavy weapons, so he was given only a nine millimeter pistol. The Marines joked that if they took fire, he would be the first to be shot, because the weapon made him look like an officer.
In the end, the United States and its allies suffered zero combat casualties in Kosovo. But Barr left the peacekeeping mission with a bitter taste in his mouth. “I was struck by the folly of the exercise, how we had no business inserting ourselves into a battle that had been going on for centuries,” he says.
He recalled one Albanian man who was detained by the troops for possessing weapons. “He told the interpreter that the Serbs had killed his wife and kids,” says Barr. “What else was he supposed to do, he asked us. It was hard to argue with that.”
Barr left the military two years later and took a job for the defense contractor TRW in Unix systems administration. But in 2003 he began a master’s degree in cybersecurity at Colorado Technical College in Colorado Springs. With a classmate who would later become a cofounder of HBGary Federal, Ted Vera, he drove around the town with an antenna, combing the streets for security vulnerabilities in local networks. That process was called “war driving,” a modern take on the “war dialing” technique that hackers like Mudge had used decades earlier.
The two applied for a single position as a “cyber warrior” at Northrop Grumman, with the agreement that whichever was hired would try to bring the other on later. Instead, they were both hired together to work as a team.
At the time, the defense industrial base was just beginning to be vivisected by cyberspies, a phenomenon that today has become a full-blown hemorrhaging of data from government and private industry. Just as Barr and Vera were finishing their master’s degrees, The Washington Post reported the attack on Sandia National Laboratories and the defense contractor Lockheed Martin that would become known as Titan Rain. The advanced intrusion had penetrated some of the military’s deepest research secrets, including four hundred pages of proprietary documents and plans for the Mars Reconnaissance Orbiter, a satellite whose technology could be repurposed for military applications.
The culprits were methodical and untraceable, sussing out the target networks, siphoning off sensitive data, and covering their tracks in minutes. The stolen data could be tracked back to servers in the Guangdong province of China. But the thieves themselves hid behind layers of proxies that kept them altogether anonymous.
At Northrop Grumman, Barr taught a class to Department of Defense officials on social media vulnerabilities, scaring them with demonstrations of how LinkedIn and Facebook profiles could be used to case potential target organizations, gleaning information for social engineering attacks. The young defense exec began to wonder if the same attacks couldn’t be used against the Pentagon’s faceless enemies, too, matching characteristics of the malicious software planted by cyberspies with any personal information they leaked to the world. “It hit me: We could apply social media analysis with a different problem set. Instead of working our way into an organization, maybe we could identify individuals who didn’t want to be ID’d,” he says.
The military was desperate for any solution to the attribution problem, and Northrop was eager to sell Barr’s solution. He rose to chief engineer and then technical director of a division, managing twenty million dollars in annual research budget. Aaron Barr, the humble enlisted man, had become Aaron Barr, the defender of American secrets and slayer of anonymity.
In 1998, Richard Clarke, President Clinton’s head of national security, came to Boston on a self-guided educational tour to learn about the growing risk of cyberattacks on American critical infrastructure. A legal counsel to the White House suggested he meet Mudge, whose name had begun to be passed around as a smart, articulate hacker without the taint of a criminal record.
Clarke was told to come alone to John Harvard’s Brew House, just a block away from the same Au Bon Pain that hosted the city’s hacker underground. He sat, drank a vodka on the rocks, and waited. No one showed up. Thirty minutes later, his drink long finished, Clarke began to pay the bill and leave when Mudge, who had been sitting at the bar sizing up Clarke since he arrived, announced himself. “You were only going to wait half an hour?” Mudge asked.
Mudge had been watching for Clarke to reveal what other agent he had brought with him. He was surprised to see that such a high-level cabinet official traveled alone to clandestine meetings with digital miscreants. Over the rest of the evening, they drank and talked about how to break the Internet and put it back together.
A few weeks later, Mudge invited Clarke back to the L0pht. It was a strange scene: one of the country’s top “feds,” with four members of the National Security Council at his side, in the digital lion’s den. But Clarke’s endless curiosity charmed and flattered the young hackers. He pulled out his Palm Pilot and asked what sorts of security flaws it might have. Kingpin plugged it into a device he’d created that could quickly crack the device’s password and siphon off its files in seconds.
Clarke quizzed them about vulnerabilities in the country’s critical infrastructure. Soon they were deep in a discussion about BGP hijacking, a then-theoretical trick: BGP, or Border Gateway Protocol, is the language used by the routers that connect major carriers like AT&T and Qwest. Taking advantage of a bug in those routers could detour large chunks of the Internet or send it into a black hole. (The same exploit is still possible today, and some researchers believe it was used to mysteriously reroute a significant fraction of the Internet through China for eighteen minutes in April 2010.)
For a moment, Clarke huddled with his NSC colleagues in private conversation. But Mudge interrupted, chiding the feds for excluding him and his hacker friends on their own turf. So Clarke repeated what they had just been discussing: Until his visit, he had believed that only state-sponsored hackers were capable of what the L0pht’s members were showing him. “Have any governments asked you to do technical work for them?” he asked.
“No,” Mudge said with a smile. “But if you’re willing to be the first, we’re willing to entertain offers.”
Clarke wanted lawmakers to see what he had seen. So in April 1998, he helped arrange for Mudge to be invited to speak at a congressional hearing. Mudge insisted that if the legislators wanted his presence, the entire L0pht would need to testify together. So the eight hackers piled into a rented van with tinted windows they’d outfitted with war-driving antennas and drove to Washington. On the way they stopped at the NSA’s Cryptologic Museum and accidentally drove past the guards into the agency’s secure facility, before timidly backing out. They visited the museum, played with its Nazi-built Enigma encryption machine, and took turns posing for photos in front of a computer in the museum’s exhibition on the rising threat of cyberattacks. It was, in other words, a giddy hacker field trip.
Later, at the hearing before senators that included John Glenn, Fred Thompson, and Joe Lieberman, the group rattled off a terrifying list of flaws in America’s digital backbone. Mudge, his mane of hair spilling over the lapels of a gray suit and tie, stole the show and the next day’s headlines by explaining BGP hijacking, a trick that he warned the legislators could take down the entire Internet in half an hour.
Before the hackers left the chamber, Senator Thompson told the group that they wer
e “performing a valuable service” to their country. Lieberman compared them to Rachel Carson and Paul Revere. Then the L0pht went off for a tour of the White House situation room and ended their trip hanging out with Secret Service agents at Archibald’s, a nearby strip club.
After the Senate hearing, the L0pht felt like it had overgrown its after-work hacker clubhouse. So Mudge engineered a deal with a young company called @stake (pronounced “at stake”), a venture-capitalist-backed consultancy based in Cambridge that would make the L0pht its research lab. As Hunter S. Thompson would say, the weird were turning pro.
But soon after the L0pht moved into its swanky new building, complete with Aeron chairs and a hundred-gallon aquarium where a new tropical fish was added for each new employee, Mudge began to disappear for long stretches. “Where’s Mudge?” became a mantra, eventually a bitter slogan, among the rest of the group.
Then the dot-com crash hit. Budgets were eviscerated, clients evaporated, even @stake’s tropical fish began to die. The L0pht’s members began to be laid off one by one, starting with Space Rogue and Brian Oblivion.
And where was Mudge? Much of the time, he was in Washington. After the Senate hearing, the rest of the L0pht left the political limelight. But Mudge went in deeper. He was invited to an off-site meeting of legislators in West Virginia, and convinced the politicos to offer him a ride on the congressional bus instead of the one reserved for guests. For the entire drive, he held court with some of the country’s most powerful politicians, sharing Internet war stories and fielding questions. In 2000, as cyberattacks began to pound major websites like Amazon and Yahoo!, Mudge was asked to attend a National Security Council meeting on cybersecurity at the White House, where he sat two seats away from the president.
In 2002, Mudge’s frequent absence became official—he announced that he was taking a year’s sabbatical. Some say he left @stake for personal reasons, others because he was doing sensitive work for the government. Regardless, he never returned. Eventually, after most of the L0pht’s hackers left @stake, the start-up was sold to the security giant Symantec at a price low enough that it didn’t affect the antivirus giant’s accounting enough to be disclosed. “We had had a clubhouse, and it was communal and close-knit and awesome. And then we threw it all away,” recalls Kingpin. “It was a typical sellout.”
Mudge wouldn’t reappear on the cybersecurity scene for another two years. When he did, it was with a research paper focused on a little-discussed problem: the “insider threat.”
Mudge’s scenario started with a counterintuitive assumption: that the evildoer was already inside the company’s network. Then it suggested ways that malicious insider might get data out, whether it be moving large amounts of information, accessing unusual elements of the company’s network, or using obfuscation techniques like “reverse HTTP tunnels,” a technique of disguising outgoing data as Web traffic.
“Like a mole in a government agency, the greatest value is achieved through unnoticed longevity in the target environment,” Mudge wrote in another late 2003 article for the journal of the Unix-focused group USENIX. “The expected movement and characteristics of information and its handling related to business functions must change in these cases, providing us with the ability to identify such covert activities.” In other words, with a constant eye toward mole-ish behavior in your employees and their computers, those moles can be whacked.
The idea grabbed the attention of two brothers, Jonathan and Justin Bingham, who raised nineteen million dollars from venture capital firms and made Mudge chief scientist of a start-up called Intrusic. Intrusic never got off the ground and folded three years later. Mudge blames its failure on infighting and bad business decisions caused by friction between the Binghams. He would spend the next three years before his government appointment at the contractor BBN Technologies.
Why did Intrusic fail? Some say its problems went beyond family tensions. Like the L0pht, it was populated largely by twentysomething researchers. One analyst who worked with the start-up, Jon Oltsik, describes it as lacking “adult supervision,” and producing tools that worked for hackers but never had the polish and the disciplined development cycle of business software. “Mudge makes a great evangelist and champion,” says Oltsik. “I would never give him execution responsibility.”
But the fundamental flaw in Intrusic’s business may have had less to do with management than the nature of the eternal problem the company hoped to solve. The company’s technology could never provide the easy litmus test for insider misbehavior that customers wanted. Its tools were hardly an automatic mole-whacking machine: Like its competitors’, the company’s products required humans to monitor and analyze the data they produced.
And just as important, there was a cultural barrier to pushing insider threat software. Mudge himself, in his USENIX journal article, had already guessed at that hard sell: “Perhaps, whether accurate or not, it is too painful for organizations to entertain the notion that they might already be compromised. Being overrun by reverse HTTP tunnels might be an easier pill to swallow than accepting that these reverse tunnels are symptoms of actions initiated from internal machines that are already compromised.”
Politically and culturally, companies simply didn’t want to accept that they were teeming with leaks.
When the Financial Times story about Aaron Barr’s research hit the Web, Anonymous quietly moved into action. Strange traffic began hitting the HBGary Federal website. It appeared to be a distributed denial of service attack, Anonymous’ usual tactic of clogging a site with phony data requests. “DDOS, fuckers!” Barr wrote to his colleagues. Privately, he was relieved. A mere DDOS attack he could handle.
But Barr had hit at Anonymous’ deepest nerve—its anonymity. And the id of the Internet wasn’t content merely causing his website some downtime.
HBGary Federal used custom software for managing its website, and the Anonymous hackers quickly combed the site and found a critical flaw in the code. When the software stored data in a database, it didn’t always differentiate that information from executable commands—with a trick called SQL injection, a user could pretend to be entering something as innocuous as a username and password, but in fact include characters that triggered actions on the website’s back end—even actions like coughing up sensitive data.
HBGary’s attackers sussed out the flaw immediately and used it to access the company’s password database. But the security firm hadn’t been altogether careless: Instead of storing the passwords unprotected, it had scrambled them with a type of encryption called cryptographic hashes.
Hashes are mathematical functions designed to be irreversible. When a user entered a password, HBGary’s server would perform a hash that converted it to a unique number and checked whether that number matched the one in the database. But the function couldn’t be used in the other direction, to start with the number and reverse the hash to find the password. So storing the numbers instead of the passwords helped protect them against hackers.
In theory, at least. In practice, with a bit of crypto savvy, an attacker can feed every possible password into a hashing function, simply trying them all until one matches. By precomputing hashes of entire dictionaries of passwords, code breakers can use so-called “rainbow tables” to vastly speed up the process. The attack could be prevented by salting the hashes, injecting random numbers to make the operations far more difficult. But like Microsoft in 1998, HBGary didn’t use salting.
As Mudge would say, “kindergarten crypto.”
The process was made easier still by the fact that Barr’s password was short and simple: “kibafo33.” The attackers had it in minutes. Barr, being a systems administrator himself as well as HBGary Federal’s chief executive, had administrative privileges on HBGary’s network. He could reset the password of any other user. So once the attackers owned his account, they owned all of them. Barr had used the same password again and
again. So Anonymous soon had access to his Twitter feed and HBGary’s home page. And, most crucially, the more than seventy thousand e-mails archived on the company’s servers.
For one last laugh, the Anons also decided to hack the personal website of HBGary’s Greg Hoglund, rootkit.com. So, like Assange in his Shakespearean phone hack twenty-five years earlier, they set about using a bit of social engineering. The hackers found the name of a systems administrator for the site who worked for Nokia in Finland. Pretending to be Hoglund, they e-mailed the administrator.
“I’m in Europe and need to SSH into the server. Can you drop open up firewall and allow SSH through port 59022 or something vague?” Then they tried two passwords they had found in his mail archive. “Is our root password still 88j4bb3rw0cky88 or did we change to 88Scr3am3r88?”
“It is w0cky—though no remote root access allowed,” the Finn answered.
“Just reset my password to changeme123 and give me public IP, and I’ll SSH in and reset my pw.”
“Your password is changeme123. I am online so just shoot me if you need something.”
Anonymous’ hackers had utterly disemboweled HBGary and HBGary Federal. They set about defacing the companies’ websites and Barr’s Twitter account while deleting a terabyte of backup data and research materials. The hackers used Barr’s own Twitter account to publish his home address, social security number, and other personal information. Then they posted a long message on HBGary’s home page.
You think you’ve gathered full names and home addresses of the “higher-ups” of Anonymous? You haven’t. You think Anonymous has a founder and various co-founders? False. You believe that you can sell the information you’ve found to the FBI? False. Now, why is this one false? We’ve seen your internal documents, all of them, and do you know what we did? We laughed. Most of the information you’ve “extracted” is publicly available via our IRC networks. The personal details of Anonymous “members” you think you’ve acquired are, quite simply, nonsense.
This Machine Kills Secrets Page 24