Hacked Documents Show Chamber Engaged HBGary to Spy on Unions

(photo: Timothy Valentine; Edited: Lance Page / t r u t h o u t)

[Ed: Read the documents about the US Chamber’s plan to spy on unions.]

I noted yesterday how mind-numbingly ignorant analysis of Glenn Greenwald’s motivation as a careerist hack that was provided by HBGary. And if the allegations in the excerpts of former WikiLeaks volunteer Daniel Domscheit-Berg’s book are accurate, HBGary’s analysis about WikiLeaks itself is even more ignorant.

Add in the fact that this “security” company got hacked in rather embarrassing fashion.

Which, I’m guessing, is going to cause the Chamber of Commerce to rethink the spying work with HBGary it apparently has been considering.

Let me start with this caveat: what follows is based on emails available by Torrent. The parties in this affair are making claims and counterclaims about the accuracy of what is in there.

But it appears that back in November the same parties involved in the pitch to Bank of America–Palantir, HBGary Federal, and Berico Technologies working through Hunton and Williams–started preparing a pitch to the Chamber of Commerce. At that point, HBGary started researching anti-Chamber groups StoptheChamber.com and USChamberWatch. At one point, HBGary maps the connections between SEIU, Change to Win, and USChamberWatch as if he’s found gold.

By the end of November, Barr starts working on a presentation outlining the difference between StoptheChamber and USChamberWatch, as well as “a link chart of key people in the distribution of information, background information on each individual and ways to counteract their effect on group.”

On January 13, HBGary believed they had signed a contract.

This afternoon an H&W courier is bringing over a CD with the data from H&W from phase 1. We are assuming that this means that phase 1 is a go (We’ll let you know once we confirm this) and I’m wondering how we will integrate that data. Should we bring the CD over to Tyson’s Corner?

On February 3, law firm H&W came back to the three security firms and told them they’d be doing their Phase I work on spec, until the Chamber had bought into the full project. At that point, the firms put together a plan including a proposed February 14 briefing.

In response, Aaron Barr boasted (as is his wont) that his upcoming presentation at BSides security conference on Anonymous should be proof enough.

Let them read about my talk in two weeks on my analysis of the anonymous group.

Should be proof enough. But willing to discuss.

Which gets us just about to the point where Barr blabs his mouth, this security firm is badly hacked, and the Chamber of Commerce’s efforts to use intelligence firms to investigate activists exposing the Chambers own work is revealed.

I’m guessing HBGary just lost that contract, how about you?

Update: TP has a related take on this, describing more about what the proposal is:

According to one document prepared by Team Themis, the campaign included an entrapment project. The proposal called for first creating a “false document, perhaps highlighting periodical financial information,” to give to a progressive group opposing the Chamber, and then to subsequently expose the document as a fake to undermine the credibility of the Chamber’s opponents. In addition, the group proposed creating a “fake insider persona” to “generate communications” with Change to Win.

  1. gesneri says:

    I’m afraid I wouldn’t bet on it. All parties involved are so clueless they may deny all publicly and continue with Phase 2 secretly. They’re buffoons, but they’re dangerous if they can avoid tripping over their own feet.

    • szielinski says:

      Let’s see, should we trust HBGary’s claim that someone “intentionally falsified” data found among the hacked documents? Of course not. The company is in the intelligence business; lying is just one of the things it will do.

      • snagglepuss says:

        Let’s see, should we trust HBGary’s claim that someone “intentionally falsified” data found among the hacked documents? Of course not. The company is in the intelligence business; lying is just one of the things it will do.

        True, but the fact that many of Aaron’s emails (other than the ones composed on his iPad) are digitally-signed, is proof-positive that they were not tampered-with.


  2. BoxTurtle says:

    I’m thinking that they not only lost this contract, but a lot more. Their system has been demonstrated insecure, their information has been shown to be worthless, and they’ve been publically outed as willing to suggest illegal means to an end.

    Any legit company will now part ways with them. Any questionable company will move their business to someplace less exposed.

    Boxturtle (And I’m sure somebody will get a sternly worded letter out of this)

    • snagglepuss says:

      I’m thinking that they not only lost this contract, but a lot more. Their system has been demonstrated insecure, their information has been shown to be worthless, and they’ve been publically outed as willing to suggest illegal means to an end.

      Indeed. It is interesting, in light of HBGary’s protests that Anonymous has falsified or tampered with some of the email, that there has been little or no mention of the fact that a good percentage of Mr. Barr’s emails are digitally-signed. In April of 2010, Mr. Barr purchased a Class 1 VeriSign email certificate, as follows:

      Message Security
      Message is Signed
      This message includes a valid digital signature. The message has not been altered since it was sent.

      Signed by: Aaron Barr
      Email address: [email protected]
      Certificate issued by: VeriSign Class 1 Individual Subscriber CA – G2
      [View Signature Certificate] (button)

      Message Not Encrypted
      This message was not encrypted before it was sent, information sent over the Internet without encryption can be seen by other people while in transit.

      If you click on the [View Signature Certificate] button you can see the following:

      This certificate has been verified for the following uses:
      Email Signer Certificate
      Email Recipient Certificate

      Issued To
      Common Name (CN): Aaron Barr
      Organization (O): VeriSign, Inc.
      Organizational Unit (OU): VeriSign Trust Network

      Issued By
      Common Name (CN): VeriSign Class 1 Individual Subscriber CA – G2
      Organization (O): VeriSign, Inc.
      Organizational Unit (OU): VeriSign Trust Network

      Issued On: 4/28/2010
      Expires On: 4/28/2011

      SHA1 Fingerprint 32:54:31:25:F6:4D:8C:E4:9E:90:2E:A7:E4:51:CF:A5:F2:7E:C3:11
      MD5 Fingerprint E3:63:31:3B:AE:20:61:59:C5:0F:A8:54:F1:5D:66:38

      The interesting point about these signatures are twofold:

      1) They confirm that the emails are authentic, and not tampered with; and

      2) They are non-repudiable. Neither Mr. Barr nor HBGary can credibly claim that the signed messages are either forged or tampered-with.

      If I am not mistaken, these signatures will even stand up in a court of law. If I recall correctly, President Clinton was the first to use a digital signature to sign a bill into law.


  3. Knut says:

    The Chamber has just opened the door to being seriously hacked itself. Lie down with dogs, come up with fleas and all that.

  4. Synoia says:

    I’m amused that a “Security” firm could be hacked in this manner.

    It would be interesting to map the connections between these and other firms…

    • BoxTurtle says:

      Don’t hold that too much against them. Anybody running a Micro$loth product with a live internet connection or an open usb port is at risk.

      The only totally secure network is totally isolated.

      Boxturtle (Still, it IS amusing)

      • Synoia says:

        I wonder how the Iranians feel about Microsoft (especially when spinning centrifuges), and isolated networks.

        Isolated networks with open USB ports are not secure.

        • BoxTurtle says:

          If I were Iran, I’d be converting to Linux. Quickly. Actually, if I were ANYBODY running Windows, I’d be running to Linux.

          Boxturtle (And on my network, if you ain’t an admin, your USB port is full of superglue)

          • WilliamOckham says:

            Good luck converting all your centrifuge spinning code to Linux. Siemens support for programming PLCs with Linux is fairly limited. In fact, I would guess that the U.S. and Israel would be quite happy if that were Iran’s response.

            Not defending Iran or Microsoft here, just pointing out that it’s a lot easier to say that than to do it in an on-going concern.

            • BoxTurtle says:

              Oh, I don’t underestimate the size of the task. And I admit that my experience with PLC is limited.

              But I have seen chunks of that virus, and a reconstituted design. It might be easier to convert to linux then to clean those machines. And once the code gets into the PLC’s, linux/windows doesn’t matter. I think they’ll have to replace those PLC’s as well.

              HBgary might want to take note of what a truly evil virus can do and stop provoking people capable of building one. At least until they clean up their network a bit.

              Boxturtle (And Iran has an even bigger problem: Preventing reinfection even if they get things clean)

              • snagglepuss says:

                But I have seen chunks of that virus, and a reconstituted design. It might be easier to convert to linux then to clean those machines. And once the code gets into the PLC’s, linux/windows doesn’t matter. I think they’ll have to replace those PLC’s as well.

                If reports are to be believed, Anonymous is said to possess a valid copy of Stuxnet, as part of the 27,000 email haul from rootkit.com. According to the Forbes.com blog, Anonymous plans to release these emails as well. If so, you may get a chance to look at the Real McCoy.

                What raised my eyebrows was the alleged email query pertaining to renting a botnet?! One has to wonder… what use would a security firm have for renting a botnet? If true, I have to wonder if this was to use against Wikileaks.


            • jdmckay0 says:


              I’m not familiar w/what Iran is doing w/PLCs & centrifuges, seems to be common knowledge in this thread they are running M$. Is it also known they are running Sieman’s products? And what are they… are these hardware or software barriers to running Linux?

              Could u give me brief catchup, or links?

              I would think most PLC hardware could connect to Linux just fine, I don’t understand these barriers.

              Thanks in advance.

                • kgb999 says:

                  Hey, if you are analyzing this thing … have you gotten your hands on the breakdown matrix of all nine variants? Apparently, I’m not “formal security professional” enough to be granted access. I’ve only seen four discussed and I’m quite curious what the differences in the others are.

              • kgb999 says:

                Of course you are correct, the PLCs should attach to anything that throws their language at ’em. But in this case, Iran has purchased integrated Siemens control solutions – and they like windows apparently.

                This is left over from the Stuxnet discussion (the munitions-grade virus seemingly targeted at Iran). If you missed it, the thing reprograms (carefully selected) Seimen’s PLCs attached to any PC running the control software. Two of the payload vectors were targeted to changing motor frequencies so the assumption everyone has drawn is that Iran’s centrifuges were the target.

                Boxturtle is convinced that all security issues lead back to Microsoft and has been on a big “anyone smart will convert everything to Linux” kick.

                However, the reason this particular virus targeted Windows seemingly had nothing to do with the security of the OS. Seimens control software suite is Windows based, hence the munitions were designed to target Windows. Linux also suffers from zero-day exploits and various compromises which require a lot of work to ensure are always patched up to date and secure (just ask HBGary!). So I personally suspect if Seimens had invested in Linux-based control software – we’d have just seen one hell of a Linux virus instead of a Windows one.

                In the final analysis … quasi-fanboy war.

                  • Aerows says:

                    And because that Aaron Barr was both arrogant and incompetent. Those two in combination rarely end well. He deserves everything that comes to him out of creating this mess. He’s going to end up taking a bunch of other people down with him, because their whole operation was corrupt.

                • jdmckay0 says:


                  Until +/- 5yrs ago I was top of my game security guy: code, hardware, vulnerability assessment etc etc. I worked on initial HIPAA II stuff, power plants in Singapore, and automatic tennis racket stringing machines. :) I’ve seen/used/wrote/designed for a number of different controller applications, never from shrink-wrapped all in one systems.

                  I’m 3+ yrs removed from the trade, and reading William’s (and now other links) seems I don’t know so much anymore.

                  I read NYT (AFAIK) initial article on this thing, was aware of Israeli/US (alleged) collaboration on this thing. I was not aware Siemens (apparently) delivered packaged “stuff” to Mullahs for this project, something that really astounds me. Given Israel’s destroyed their projects in the past, driven US policy to do what we did in Iraq, listened to Neocons rattling their swords early in Iraq endeavor clamoring to extend “Operation Iraqi Freedom” to Iran… not to mention very common knowledge of massive Windows vulnerabilities in more ways than I can count along w/MS’ well know cooperation w/US clandestine services.

                  Just amazed Iran would go w/such a product. I wonder what N. Korea/Pakistan/China used?… or is Siemens the “Spin Doctor” supplier world wide?

                  I had assumed projects like this would run on any one of many custom designed, lean & mean embedded, custom OS(s), as was most common for highly specialized automation that I encountered. NASA did this for most of their deep space projects, CISCO does it for all kinds of their hardware, we did it on Singapore project and research that went into that was definitive that’s how these things were done.

                  So anyway, I’m really really amazed Iran would go this route.

                  (Fascinating thread & articles BTW Marcy, thanks so much).

                  I haven’t seen yet (is it out there?) just how Stuxnet was introduced into Iranian system… maybe downloading a mandatory Windows auto-install update (sarcasm)? :)

                  Also can’t help wondering if, in response to this, the entire Muslim tech world isn’t incubating similar projects to disable everything that makes Israel tick.

  5. WilliamOckham says:

    From the link I posted above:

    “What amazes me is, for a security company – you had such a basic SQL vulnerability on your website,” wrote one Anonymous member later.

    I’m willing to bet that means Anon got in through a SQL injection attack which is just poor programming practice rather than a vulnerability in a particular product, Microsoft or otherwise.

    • BoxTurtle says:

      Yeah, I just read that. I retract my “Don’t hold that too much against them” @ 9. That is a standard thing to check for in any realistic code review. Which means they’re not reviewing their code, not even the stuff that goes outside.

      Which means that Anonymous likely DOES have them by the short hairs. They had at least 30 hours of undetected access and I doubt they spent that time playing Warcraft on the corporate servers.

      Boxturtle (My sympathy to the sysadmins at hbgary, but, well…Dog. Fleas.)

  6. Auduboner says:

    Aaron Barr is an incompetent blowhard – maybe he can be next RNC chief? He surely will have to find another line of work – no company large enough to have a Risk Management program would ever entrust him with semi-confidential data or tasks.

    I hope his credit rating is ruined, now that his Social Security number is out there for all to see… :)

    • szielinski says:

      S of a B, why is it so many creepy things happen in Sacramento. HBGary headquarters is several miles from my house. So was Lamo’s family home.

      Once Glenn Beck hears of this connection….

  7. WilliamOckham says:

    One last thing before I have to attend to some familial duties. The ThemisPlan document (Themis, really?) produced by Berico is labeled:


    That’s “For Official Use Only/ Proprietary Information” if you aren’t used to USG markings.

    • emptywheel says:

      I presume you saw that that Chinese hack on some oil companies got industrial control systems?

      The focus of the intrusions was on oil and gas field production systems as well as financial documents related to field exploration and bidding for new oil and gas leases, according to the report. The attackers also stole information related to industrial control systems, the researchers noted, but no efforts to tamper with these systems were observed.

  8. Frank33 says:

    I am so jealous of those ANONYMOUS boys and girls. They are definitely making the neo-con spies angry. But it is Bill Gates fault. He let the NSA write his operating systems. So 16 year olds could be hacking NSA.

    Look out! Configuration Drift!.

    Today’s categorical denial by Microsoft was accompanied by further explanation of exactly how the NSA participated in the making of Windows 7. “The work being discussed here is purely in conjunction with our Security Compliance Management Toolkit,” said the spokeswoman…

    The compliance management toolkit provides a set of security configurations that address additional levels of risks beyond those addressed out of the box, as well as tools to deploy these configurations and monitor what Microsoft calls “configuration drift.” The toolkit is aimed at enterprises, government agencies and other large-scale organizations.

  9. spocko says:

    I do hope that the Chamber of Commerce starts bitching about anonymous.
    Better yet, Karl Rove’s group that was set up after Citizens United.

    The people at the top of these organizations are some of the most clueless when it comes to security. I worked with a guy who did both physical security and IT security. He said that some of the easiest way into a network don’t involve any computer skills but involve understanding how humans think, work and interact. He said he’d rather spend some money on training everyone from Secretaries to CEOs on how they make the network vulnerable than on some zippie new firewall.

    His biggest security weakness wasn’t the company’s network it was the company’s employees.

      • bmaz says:

        And I bitch like a hurricane backstage every time I see something on SCRIBD; I hate that thing, it is totally bogus.

        Michael Whitney @48 is a smart man

    • Michael Whitney says:

      Thanks, MadDog. We’ve had DocumentCloud access for a while, but this is the first time we’ve been able to really get to its power. It’s a lot of fun, and we’ll be using it extensively for this and other documents from here on out. Thank you again.

  10. kgb999 says:

    Curious. Poulsen was dropped from the byline on that Daniel Domscheit-Berg article from Wired.

    Anyone know if he has a “Lamo problem” with Domscheit-Berg? It was definitely filed as written by both Poulsen and Zetter earlier this morning.

  11. kgb999 says:

    One other question. This article refers to “HBGary”, not “HBGary Federal”.

    Was this chamber proposal out of HBG or HBGF? Or has studying the information revealed that there isn’t really any separation between the two companies’ operations?

  12. cronewit says:

    Is it schadenfreude to get a charge out of seeing hubris get its just reward?

    Hubris, in this case, is calling this disinformation/spyinghacking scheme ‘Project Themis’. From Wikipedia:

    Themis (Greek: Θέμις) is an ancient Greek Titan. She is described as “of good counsel”, and is the embodiment of divine order, law, and custom. Themis means “divine law” rather than human ordinance . . .. To the ancient Greeks she was originally the organizer of the “communal affairs of humans, particularly assemblies” . . .

    When Themis is disregarded, Nemesis brings just and wrathful retribution . . ..

    Maybe we should call Anon ‘AnonNemesis’; not only is DOJ (at least marginally) involved in this plan to distort reality (falsify the social/political narrative), but the corporate players appear to have connections to “DOD, Intelligence community,” “CIA, DHS and FBI,” along with NSA, according to an article at wlcentral.org (http://wlcentral.org/node/1250 ). The wlcentral article’s author comments —

    Either Palantir Technologies found the time to stop serving government and work with Hunton and Williams to help Bank of America stop WikiLeaks from releasing documents that might impact Bank of America operations, or, possibly the US government had given tacit approval to Palantir to participate in this operation.

    So — If WikiLeaks is this generation’s Pentagon Papers, did Anonymous just uncover the Watergate Plumbers?

  13. Aerows says:

    This whole story is delicious. This Aaron Barr is a complete a$$hole, and that’s exactly where he got it – repeatedly. He’s just exposed the Chamber as being in collusion with the government, and implicated several other organizations right along with them.

    I’ll bet he’s having trouble sitting down. Couldn’t happen to a more arrogant, deserving idiot.