by Parmy Olson
Topiary was the least skilled of the group when it came to hacking, but he had another talent to make up for it: his wit. Cocksure and often brimming with ideas, Topiary used his silver tongue and an unusual knack for public promotion to slowly make his way up the ladder of secret planning rooms in the Anonymous chat networks. While others strained to listen at the door, Topiary got invited right in. He had become so trusted that the network operators asked him to write the official Anonymous statements for each attack on PayPal and MasterCard. He had picked his nickname on a whim. The low-budget time travel film Primer had been a favorite, and when he found out its director was working on a new film called A Topiary, he decided he liked the word, oblivious to its definition of clipped ornamental shrubs.
Tflow, the guy who’d brought everyone here, was a skilled programmer and mostly quiet, a person who strictly followed the Anonymous custom of never talking about himself. He had been with Anonymous for at least four months, a good amount of time to understand its culture and key figures within it. He knew the communications channels and supporting cast of hackers better than most. Fittingly, he got down to business. Someone had to do something about this Aaron Barr and his “research.” Barr had claimed there were leaders in Anonymous, which wasn’t true. That meant his research was probably wrong. Then there was that quote from the Financial Times story saying Barr had “collected information on the core leaders, including many of their real names, and that they could be arrested if law enforcement had the same data.”
This now posed another problem: if Barr’s data was actually right, Anons could be in trouble. The group started making plans. First, they had to scan the server that ran the HBGary Federal website for any source code vulnerabilities. If they got lucky, they might find a hole they could enter, then take control and replace Barr’s home page with a giant logo of Anonymous and a written warning not to mess with their collective.
That afternoon, someone looked up “Aaron Barr” on Google and came up with his official company portrait: swept-back hair, suit, and a keen stare at the camera. The group laughed when they saw the photo. He looked so…earnest, and increasingly like fresh meat. Then Sabu started scanning HBGaryFederal.com for a hole. It turned out Barr’s site ran on a publishing system created by a third-party developer, which had a major bug. Jackpot.
Though its job was to help other companies protect themselves from cyber attacks, HBGary Federal itself was vulnerable to a simple attack method called SQL injection, which targeted databases. Databases were one of the many key technologies powering the Internet. They stored passwords, corporate e-mails, and a wide variety of other types of data. The use of Structured Query Language (SQL, commonly mispronounced “sequel”) was a popular way to retrieve and manipulate the information in databases. SQL injection worked by “injecting” SQL commands into the server that hosted the site to retrieve information that should be hidden, essentially using the language against itself. As a result, the server would not recognize the typed characters as text, but as commands that should be executed. Sometimes this could be carried out by simply typing out commands in the search bar of a home page. The key was to find the search bar or text box that represented a weak entry point.
This could be devastating to a company. If DDoSing meant a sucker punch, SQL injection was secretly removing someone’s vital organs while they slept. The language it required, a series of symbols and key words like “SELECT,” “NULL,” and “UNION,” was gibberish to people like Topiary, but for Sabu and Kayla it rolled off the tongue.
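The search-box weakness described above comes down to whether the visitor's text is spliced into the SQL statement or passed to the database as a bound value. The following is an added example, not taken from the book or from the HBGary site's code; the table, column and function names and the sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for a site's content database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER, title TEXT, published INTEGER)")
    db.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [(1, "Press release", 1), (2, "Services", 1), (3, "Internal draft", 0)],
    )
    return db

def search_concatenated(db, term):
    # Vulnerable: the visitor's text becomes part of the SQL statement itself,
    # so a quote character ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT title FROM pages WHERE published = 1 "
           "AND title LIKE '%" + term + "%'")
    return sorted(row[0] for row in db.execute(sql))

def search_parameterized(db, term):
    # Hardened: the statement text is fixed; the term is sent separately as a
    # bound value and can only ever be compared against titles as text.
    sql = "SELECT title FROM pages WHERE published = 1 AND title LIKE ?"
    return sorted(row[0] for row in db.execute(sql, ("%" + term + "%",)))

if __name__ == "__main__":
    db = make_db()
    hostile = "' OR published = 0 --"   # constructed input containing SQL syntax
    for term in ("Serv", hostile):
        print(repr(term))
        print("  concatenated :", search_concatenated(db, term))
        print("  parameterized:", search_parameterized(db, term))
```

With the constructed hostile term, the concatenated query returns the unpublished row as well, while the parameterized query returns nothing because no title contains that literal text.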
Now that they were in, the hackers had to root around for the names and passwords of people like Barr and Hoglund, who had control of the site’s servers. Jackpot again. They found a list of usernames and passwords for HBGary employees. But here was a stumbling block. The passwords were encrypted, or “hashed,” using a standard technique called MD5. If all the administrative passwords were lengthy and complicated, it might be impossible to crack them, and the hackers’ fun would have come to an end.
Sabu picked out three hashes, long strings of random numbers corresponding to the passwords of Aaron Barr, Ted Vera, and another executive named Phil Wallisch. He expected them to be exceptionally tough to unlock, and when he passed them to the others on the team, he wasn’t surprised to find that no one could crack them. In a last-ditch attempt, he uploaded them to a Web forum for password cracking that was popular among hackers—Hashkiller.com. Within a couple of hours all three hashes had been cracked by random anonymous volunteers. The result for one of them looked exactly like this:
4036d5fe575fb46f48ffcd5d7aeeb5af:kibafo33
Right there at the end of the string of letters and numbers was Aaron Barr’s password. When they tried using kibafo33 to access his HBGary Federal e-mails hosted by Google Apps, they got in. The group couldn’t believe their luck. By Friday night they were watching an oblivious Barr exchange happy e-mails with his colleagues about the Financial Times article.
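Why unsalted MD5 password hashes fall to shared lookups, and what a salted, deliberately slow scheme changes, can be shown from the defender's side. This is an added example, not code from the book or from HBGary's systems; the accounts, the guess list and the function names are constructed, and PBKDF2-HMAC-SHA256 is chosen here as one standard-library option.

```python
import hashlib
import hmac
import os

# Constructed guess list; "changeme123" is the reset password quoted later in the text.
GUESSES = ["password", "letmein", "changeme123", "qwerty12"]

def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()

def audit_unsalted_md5(store, guesses=GUESSES):
    """Return {user: password} for every stored MD5 that a guess list inverts."""
    table = {md5_hex(g): g for g in guesses}   # computed once, reused for every user
    return {user: table[h] for user, h in store.items() if h in table}

def hash_password(password, iterations=600_000):
    # Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))   # constant-time compare

if __name__ == "__main__":
    # Constructed accounts: two users share a password, one uses a long random one.
    md5_store = {"alice": md5_hex("changeme123"), "bob": md5_hex("changeme123"),
                 "carol": md5_hex("T7#rv!q2Lm9x")}
    print("recovered from MD5 store:", audit_unsalted_md5(md5_store))
    a, b = hash_password("changeme123"), hash_password("changeme123")
    print("salted records differ:", a != b)
    print("verify ok:", verify_password("changeme123", a))
```

Salting removes the shared lookup table and the identical-hash giveaway, and the iteration count raises the cost of every guess; a short or reused password is still guessable, only more slowly.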
On a whim, one of them decided to check to see if kibafo33 worked anywhere else besides Barr’s e-mail account. It was worth a try. Unbelievably for a cyber security specialist investigating the highly volatile Anonymous, Barr had used the same easy-to-crack password on almost all his Web accounts, including Twitter, Yahoo!, Flickr, Facebook, even World of Warcraft. This meant there was now the opportunity for pure, unadulterated “lulz.”
Lulz was a variation of the term lol—“laugh out loud”—which had for years been tagged onto the end of lighthearted statements such as “The pun on bar is intended lol.” A more recent addition to Web parlance, lulz took that sentiment further and essentially meant entertainment at someone else’s expense. Prank-calling the FBI was lol. Prank-calling the FBI and successfully sending a SWAT team to Aaron Barr’s house was lulz.
The group decided that they would not swoop on Barr that day or even the next. They would take the weekend to spy on him and download every e-mail he’d ever sent or received during his time with HBGary Federal. But there was a sense of urgency. As they started browsing, the team realized Barr was planning to meet with the FBI the following Monday. Once they had taken what they could, it was decided all hell would break loose at kickoff on Super Bowl Sunday. There were sixty hours to go.
Saturday started off as any other for Barr. Relaxing and spending time with his family, sending and receiving a few e-mails from his iPhone over breakfast, he had no idea that an Anonymous team of seven was busy delving into his e-mails, or how excited they were with what they had stumbled upon. Their latest find: Barr’s own research on Anonymous. It was a PDF document that started with a decent, short explanation of what Anonymous was. It listed websites, a timeline of recent cyber attacks, and lots of nicknames next to real-life names and addresses. The names Sabu, Topiary, and Kayla were nowhere to be seen. At the end were hasty notes like “Mmxanon—states…ghetto.” It looked unfinished. As they gradually realized how Barr had been using Facebook to try to identify real people, it looked like he had no idea what he was doing. It looked like Barr might actually point the finger at some innocent people.
In the meantime, Tflow had downloaded Barr’s e-mails onto his server, then waited about fifteen hours for them to compile into a torrent, a tiny file that linked to a larger file on a host computer somewhere else, in this case HBGary’s. It was a process that millions of people across the world used every day to download pirated software, music, or movies, and Tflow planned to put his torrent file on the most popular torrenting site around: The Pirate Bay. This meant that soon, anyone could download and read more than forty thousand of Aaron Barr’s e-mails.
That morning, with about thirty hours until kickoff, Barr ran some checks on HBGaryFederal.com and, just as he had expected, saw it was getting more traffic than usual. That didn’t mean more legitimate visitors, but the beginnings of a DDoS attack from Anonymous. It wasn’t the end of the world, but he logged into Facebook under the fake profile Julian Goodspeak to talk to one of his Anon contacts, an apparently senior figure who went by the nickname CommanderX. Barr’s research and discussions with CommanderX had led him to believe his real name was “Benjamin Spock de Vries,” though this was not accurate. CommanderX, who had no idea that a small group of hackers was already in Barr’s e-mails, responded to Barr’s instant message. Barr was asking politely if CommanderX could do something about the extra traffic he was getting.
“I am done with my research. I am not out to get you guys,” Barr explained. “My focus is on social media vulnerabilities.” Barr meant that his research was merely trying to show how organizations could be infiltrated by snooping on the Facebook, Twitter, and LinkedIn profiles of their members.
“Not my doing,” CommanderX said honestly. He had taken a look at the HBGary Federal website and pointed out to Barr that, in any case, it looked vulnerable. “I hope you are being paid well.”
Sunday morning, with eleven hours till kickoff, Tflow was done collating all of Barr’s e-mails and those of the two other executives, Vera and Wallisch. The torrent file was ready to publish. Now came the pleasure of telling Barr what they had just done. Of course, to play this right, the hackers wouldn’t tell him everything immediately. Better lulz would come from toying with him first. By now they had figured out that Barr was using the nickname CogAnon to talk to people in Anonymous chat rooms, and that he lived in Washington, D.C.
“We have everything from his Social Security number, to his career in the military, to his clearances,” Sabu told the others, “to how many shits a day he takes.”
At around 8:00 a.m. eastern standard time on Sunday morning, they decided to make him a little paranoid before the strike. When Barr entered the AnonOps chat network as CogAnon, Topiary sent him a private message.
“Hello,” said Topiary.
“Hi,” CogAnon replied.
In another chat window Topiary was giving a running commentary to other Anons who were laughing at his exploits. “Tell him you’re recruiting for a new mission,” Sabu said.
“Be careful,” said another. “He may get suspicious quickly.”
Topiary went back into his conversation with the security specialist, still pretending to believe CogAnon was a real Anonymous supporter. “We’re recruiting for a new operation in the Washington area. Interested?”
Barr paused for twenty seconds. “Potentially. Depends on what it is,” he said.
Topiary pasted the response in the other chat room.
“Hahahahhaa,” said Sabu.
“Look at that faggot trying to psyops me out of info,” Topiary said, referring to the tactics of psychological warfare. The word faggot was a word so liberally used in Anonymous that it wasn’t even considered a real insult.
“I take it from your host that you’re near where our target is,” Topiary told Barr.
Back in Washington, D.C., Barr held his breath. “Is it physical or virtual?” he typed back, knowing full well it was virtual but at a loss for what else to say. “Ah yeah…I am close…” How exactly could they have figured out he lived in D.C.?
“Virtual,” Topiary replied. “Everything is in place.”
Topiary relayed this again to the Anons. “I’d laugh so hard if he sends an e-mail about this,” he told them.
They couldn’t believe what they were reading. “THIS GUY IS A FUCKING DICK,” Sabu exclaimed.
“I want to rape his anus,” Topiary replied. “Raping” servers was typically a way to describe a hack into its network. Tflow made a new chat room in the Anonymous chat network called #ophbgary and invited Topiary to join it.
“Guys,” a hacker named Avunit piped up. “Is this really happening? Because this shit is awesome.”
Back in the conversation, Barr tried to sound helpful. “I can be in the city within a few hours…depending on traffic lol.”
Topiary decided to give him another fright: “Our target is a security company,” he said. Barr’s stomach turned. Okay, so this meant Anonymous was definitely targeting HBGary Federal. He opened up his e-mail client and quickly typed out an e-mail to other HBGary managers, including Hoglund and Penny Leavy.
“Now we are being directly threatened,” he wrote. “I will bring this up with the FBI when I meet them tomorrow.” Sabu and the others quietly watched him send it.
He clicked back into the chat with Topiary. “Ok well just let me know,” he wrote. “Not sure how I can still help though?”
“That depends,” Topiary said. “What skills do you have? We need help gathering info on Ligatt.com security company.”
Barr let out a long breath of relief. Ligatt was in the same line of work as HBGary Federal, so it looked (for now at least) like his company was not the target after all.
“Ahhhh ok let me check them out,” Barr replied almost gratefully. “It’s been a while since I have looked at them. Anything specific?” At this point he seemed happy to do anything that would keep HBGary from being a target, even if he was just playing along.
There was no reply.
He typed, “I didn’t realize they were local to D.C.”
A minute later he added, “Man I am racking my brain and I can’t remember why they were so popular a while back. I remember their [sic] being a lot of aggression towards them.”
Nothing.
“You still there?” Barr asked.
Topiary had gone back to planning with the others. There wasn’t much time left and he had to write the official Anonymous message that would replace the home page of HBGaryFederal.com.
About forty-five minutes later, Topiary finally replied. “Sorry about that—stay tuned.”
“Ok,” Barr wrote.
A few hours later and it was lunchtime, about six hours until the Super Bowl kickoff, with Barr sitting in his living room and staring in dreadful fascination at his phone after realizing he’d just been locked out of his e-mails. When he ran upstairs to try talking to CommanderX again on Facebook, he’d been locked out of that, too. When he saw that his Twitter account was under someone else’s control, it hit him how serious this was, and how potentially very embarrassing.
He picked up the phone and called Greg Hoglund and Penny Leavy to let them know what was going on. Then he called his IT administrators, who said they would contact Google to try to regain control of HBGaryFederal.com. But there was nothing they could do about the stolen e-mails.
At 2.45 p.m., Barr got another message from Topiary: “Right, something will be happening tonight. How available are you throughout the evening?” There were just a few more hours to go, and he wanted Barr to have a front-row seat to the end of his career.
As Sunday evening drew near on the eastern seaboard, the Anons, in their own homes and time zones around the world, got ready to pounce. Cowboys Stadium in Arlington, Texas, started filling up. There were a few songs from the Black Eyed Peas, and Christina Aguilera muddling the words to the national anthem. Finally, the coin toss. A player from the Green Bay Packers drew back his foot and kicked the pigskin across the field.
On the other side of the Atlantic, Topiary watched on his laptop as the football flew through the sky. Sitting in his black leather gaming chair, a giant pair of headphones resting on his hair, he swiftly opened up another window and logged into Barr’s Twitter account. He had locked Barr out six hours ago with the kibafo33 password and with the Super Bowl finally underway he started posting from it. He felt no inhibition, no sense of holding back from this man. He would let Barr have it: “Okay my fellow Anonymous faggots,” he wrote from Barr’s Twitter account, “we’re working on bringing you the finest lulz as we speak. Stay tuned!”
Then: “Sup motherfuckers, I’m CEO of a shitty company and I’m a giant media-whoring cunt. LOL check out my nigga Greg’s site: rootkit.com.” These were statements that Topiary would never have said out loud, or face-to-face with Barr. In real life he was quiet, polite, and rarely swore.
Rootkit.com was Hoglund’s website specializing in the latest research on programming tools that gave root access to a computer network. Ironically, Sabu and Kayla now had system administrator access, or “root” on rootkit.com, too. This was because Barr had been an administrator of the company’s e-mail system, meaning “kibafo33” let them reset the passwords of other in-boxes, including Hoglund’s.
Once he got into Hoglund’s in-box, Sabu had sent out an e-mail as Hoglund to one of HBGary’s IT administrators, a Finnish security specialist named Jussi Jaakonaho. Sabu was looking for root access to rootkit.com.
“im in europe and need to ssh into the server,” Sabu wrote in the e-mail to Jaakonaho, using lowercase letters to suggest he was in a rush. SSH stood for “secure shell” and referred to a way of logging into a server from a remote location. When Jaakonaho asked if Hoglund (Sabu) was on a public computer, Hoglund (Sabu) said, “no I dont have the public ip with me at the moment because im ready for a small meeting and im in a rush. if anything just reset my password to changeme123 and give me public IP and ill ssh in and reset my pw [password].”
“Ok,” Jaakonaho replied. “Your password is changeme123.” He added, with a smiley face, “In Europe but not in Finland?”
Sabu played along. “if I can squeeze out the time maybe we can catch up…ill be in germany for a little bit. thanks.” The password didn’t even work right away, and Sabu had to e-mail Jaakonaho a few more times with questions, including whether his own username was “greg or?” before Jaakonaho explained it was “hoglund.” Sabu got in. This was a prime example of social engineering, the art of manipulating someone into divulging secret information or doing something they normally wouldn’t.