by Parmy Olson
Kayla herself went into overdrive on her hacking sprees for q, one source said, mostly looking for vulnerabilities. “She’s always been blatant, out-in-your-face, I’m-going-to-hack-and-don’t-give-a-shit,” the source said. But Kayla did not always give everything to q. Around the same time that she started hacking for him, she got root access to a major web-hosting company—all of its VPSs (virtual private servers) and every normal server—and she started handing out the root exploits “like candy” to her friends, including people on the AnonOps chat network.
“She would just hack the biggest shit she could and give it away,” said the source, dropping a cache of stolen credit card numbers or root logins then disappearing for a day. “She was like the Santa Claus of hackers.”
“I don’t really hack for the sake of hacking to be honest,” Kayla later said in an interview. “If someone’s moaning about some site I just have a quick look and if I find a bug on it I’ll tell everyone in the channel. What happens from there is nothing to do with me. :P.” Kayla said she didn’t like being the one who defaced a site and preferred hiding silently in the background, “like a ninja.”
“Being able to come and go without leaving a trace is key,” she said. The longer she was in a network like Gawker’s, the more she could get in and take things like administrative or executive passwords. Kayla liked Anonymous and the people in it, but she ultimately saw herself as a free spirit, one who didn’t care to align herself with any particular group. Even when she was working with AnonOps or the people in #InternetFeds, Kayla didn’t see herself as having a role or area of expertise.
“I’ll go away and hack it, come back with access and let people go mad,” she said. Kayla couldn’t help herself most of the time anyway. If she was reading something online she would habitually start playing around with their parameters and login scripts. More often than not, she would find something wrong with them.
Still, working for q gave Kayla a bigger excuse to go after the .gov and .mil targets, particularly those of third-world countries in Africa or South America, which were easier to get access to than those in more developed countries. Every day was a search for new targets and a new hack. Kayla never found anything as big as, say, the HBGary e-mail hoard for q, but she did, for instance, find vulnerabilities in the main website for the United Nations. In April 2011, Kayla started putting together a list of United Nations “vulns.” This, for example:
http://www.un.org.al/subindex.php?faqe=details&id=57
was a United Nations server that was vulnerable to SQL injection, specifically subindex.php. And this page at the time:
http://www.un.org.al/subindex.php?faqe=details&id=57%27
would throw an SQL error, meaning Kayla or anyone else could inject SQL statements and suck out the database. The original URL didn’t have %27 at the end, but Kayla’s simply adding that after testing the parameters of php/asp scripts helped her find the error messages.
Kayla eventually got access to hundreds of passwords for government contractors and lots of military e-mail addresses. The latter were worthless, since the military uses a token system for e-mail that is built into a computer chip on an individual’s ID card, and it requires a PIN and a certificate on the card before anyone is able to access anything.
It was boring and repetitive work, trawling through lists of e-mail addresses, looking for dumps from other hackers, and hunting for anything government or military related. But Kayla was said to be happy doing it. Every week or so, she would meet on IRC with q and pass over the collected info via encrypted e-mail, then await further instructions. If she asked what Julian Assange thought of what she was doing, q would say he approved of what was going on.
It turned out that q was good at lying.
Almost a year after Kayla started volunteering for WikiLeaks, other hackers who had been working with q found out he was a rogue operator who had recruited them without Assange’s knowledge. In late 2011, Assange asked q to leave the organization. Kayla was not the only volunteer looking for information for what she thought was WikiLeaks. The rogue operator had also gotten other hackers to work with him on false pretenses. And in addition, one source claims, q stole $60,000 from the WikiLeaks t-shirt shop and transferred the money into his personal account. WikiLeaks never found out what q was doing with the vulnerabilities that Kayla and other hackers found, though it is possible he sold them to others in the criminal underworld. It seemed, either way, like q did not really care about unearthing government corruption, and Kayla, a master at hiding her true identity from even her closest online friends, had been duped.
None of this mattered come February of 2011 when Kayla began talking with Tflow, Topiary, and Sabu in the exclusive new chat room that would bring them together for a landmark heist on Super Bowl Sunday: the attack on HBGary Federal. The bigger secret, which Kayla didn’t know then, was that Sabu would not only get her deeper into a world of hacking that would become front-page news, but watch as her details got passed on directly to the FBI.
Chapter 11
The Aftermath
It was February 8, 2011, two days after Super Bowl Sunday. Aaron Barr was grabbing shirts out of his closet, quickly folding them, and placing them into the medium-size suitcase that rested on the bed in front of him. This was no mad rush, but Barr had to move. He had spent fifteen years in the military, and he and his family were now expert travelers. They made their preparations quickly and with quiet efficiency. His wife was packing a separate bag, the silence interrupted only by the occasional question about traveling arrangements. Just two hours before, Barr had been back in his study catching up on the flood of news stories about the HBGary attack and the new, disastrous view the media was taking of Barr’s proposals to Hunton & Williams against WikiLeaks and Glenn Greenwald.
Learning about the Anonymous hack had been stressful for him. But the media’s feast on his controversial e-mails was having a definite effect on his blood pressure. Barr longed to correct each story, but lawyers had told him to stay quiet for now. All he could do was read and grit his teeth. Occasionally, curiosity would overcome his better judgment and he would dip into the AnonOps IRC rooms under a pseudonym to see what the Anons were saying. He was still a laughingstock for the hundreds of participants hungry to see Barr humiliated in new ways. There were calls for anyone who lived in Washington, D.C., to drive past Barr’s house and take pictures or to send him things in the mail—he received a blind person’s walking cane and a truckful of empty boxes. He also got one pizza. A couple of people had randomly shown up at his front door, and one had tried to take pictures of the inside of his house. Barr had been disturbed but had just sent them away, figuring this was mostly harmless. Then, a couple of hours earlier, he had visited Reddit, a snarky forum site that had become increasingly popular with people who liked 4chan but wanted more intelligent discussion. A user had posted the Forbes interview with Barr from the preceding Monday, and amid the analysis and machismo in the 228 resulting comments, there were a few nasty suggestions about Barr’s kids. It was most likely just talk, but Barr didn’t want to take any more chances. It took only one nutjob to pull a trigger, after all. Minutes later, he had talked to his wife, and the two started packing.
That afternoon the family loaded everything into their car, the twins thinking they were about to embark on some exciting road trip. Barr’s wife and kids drove south to stay with a friend for two weeks while Barr hopped on a plane to Sacramento. This was where HBGary Inc. was headquartered and where Barr would get into the cleanup job and start to help the police with their investigation.
Meanwhile, HBGary Inc.’s Greg Hoglund was working on damage control. He contacted Mark Zwillinger of Internet law firm Zwillinger & Genetski. Mark would later be assisted on the case by Jennifer Granick, a well-known Internet lawyer who had previously represented hackers like Kevin Poulsen and worked for freedom-of-information advocates the Electronic Freedom Foundation. After talking to Zwillinger, Hoglund penned an open letter to HBGary customers. When he was done, he published it on the now restored HBGary website, referring specifically to HBGary Inc. and not the sister company Barr had run.
“On the weekend of Super Bowl Sunday, HBGary, Inc., experienced a cyber incident. Hackers unlawfully accessed the e-mail accounts of two HBGary Inc. employees, held by our cloud-based service provider, using a stolen password, and uploaded the stolen e-mails to the Internet.”
Hoglund’s letter wasn’t clear about where it was pointing the finger—though that would change in time. It seemed to suggest that HBGary’s attackers had gone to great lengths to access the company’s e-mails, when actually the process had not been difficult at all. It was an SQL injection, the simplest of attacks. Ted Vera’s password, satcom31, had been easy to crack. Only Hoglund had used a random string of numbers and letters that had no relation to any of his other web accounts. The attack could have been worse too. The hackers had gotten all kinds of personal data on HBGary employees, from social security numbers to home addresses, and photos of Vera’s kids after getting access to his Flickr account. “This was when my moralfag mode kicked in,” Topiary later remembered. The others agreed that no kids should be involved, and they all decided not to leak the social security numbers. “I’m thankful that we didn’t.”
Still, the combination of social media, blogs, and twenty-four-hour online and TV news meant the names Aaron Barr and HBGary were all over the Internet the day after Super Bowl Sunday. Topiary’s fake Aaron Barr tweets had been retweeted by Anonymous IRC, a feed with tens of thousands of followers, and there were now thousands of news stories about Barr.
Barr soon found out the attack had been conducted largely by five people. “I’m surprised it’s a small number,” he said in a phone interview early Monday morning in Washington, D.C. “There is a core set of people who manage the direction of the organization. And those people are, in my impression, very good.”
Barr sounded tired. “Right now I just feel a bit exhausted by the whole thing. Shock, anger, frustration, regret, all those types of things,” he said. “You know if I…maybe I should have known these guys were going to come after me this way.”
No one knew at the time that the content of Barr’s e-mails would prove so controversial and would gain him as much press attention as the attack itself had, but Barr was already concerned. “The thing I’m worried about the most is I’d rather my e-mails not be all out there, but I can’t stop that now,” he said, adding he would be contacting all the people he had exchanged e-mails with to tell them what was going on. “It does not cause any significant long-term damage to our company so I’m not worried.” About this, Barr was wrong.
As the hack on HBGary Federal was taking place, Kayla had sent a message to Laurelai, the transgender woman who a couple of years before had been a soldier named Wesley Bailey and who was now becoming a familiar face in the world of hacking. Kayla told Laurelai that she was in the middle of “owning” a federal contractor called HBGary and asked if she wanted to come into AnonOps and see.
Laurelai hopped onto the AnonOps network to find hundreds of people talking over one another about what had happened, and the wife of Greg Hoglund, Penny Leavy, appealing to the attackers in the AnonOps #reporter channel.
“It was chaos,” Laurelai remembered. Laurelai was now volunteering with a website and blog called Crowdleaks, an evolved version of Operation Leakspin. This was the project that had spun off Operation Payback and gotten Anons sifting through WikiLeaks cables. Laurelai had disliked Operation Payback because, like Kayla, she believed DDoSing things was pointless. She liked sifting through data and considered herself an information broker. She came aboard Crowdleaks when a mutual friend suggested she’d make a great server admin for the site’s manager, an Anonymous sympathizer nicknamed Lexi.
“There’s a huge story brewing from this HBGary hack,” Laurelai told Lexi, who replied that Laurelai should cover it for the blog herself. Laurelai downloaded Barr’s and Greg’s e-mails and started searching for terms like FBI, CIA, NSA, and eventually, WikiLeaks. A list of Barr’s e-mails to Hunton & Williams showed up on her screen. As Laurelai looked through these e-mails, she stumbled on the PowerPoint presentation Barr had made for the law firm in which he suggested ways of sabotaging the credibility of WikiLeaks. Laurelai did a bit more digging on Hunton & Williams and realized that the firm represented the Bank of America. By now it was widely rumored that WikiLeaks had a treasure trove of confidential data that had been leaked to it from Bank of America and that it was getting ready to publish. That’s when the penny dropped.
“Oh shit,” Laurelai said she thought then. “Bank of America is trying to destroy WikiLeaks.” Her next realization was scarier: Barr hadn’t even tried to encrypt the e-mails about the proposal, and he hadn’t seemed that secretive about it. It suggested that this sort of proposal, however unethical, was not that far from standard industry practices. HBGary Federal was not a rogue operator; it counted stalwarts in the industry like Palantir and Berico Technologies as partners. Laurelai wrote a blog post for Crowdleaks and collaborated with a journalist from the Tech Herald to report that HBGary had been working with a storied law firm and, indirectly, Bank of America to hurt WikiLeaks.
Still only a couple of days after the HBGary attack, Sabu, Topiary, and Kayla did not know about Barr’s strange proposals on WikiLeaks. Topiary was still trawling through the e-mails looking for juicy information, and the team was planning to publish them on an easy-to-navigate website that they wanted to call AnonLeaks. If this sort of thing caught on, they figured, AnonLeaks could become a more aggressive, proactive counterpart to WikiLeaks. Lexi offered the server space being used by Crowdleaks, which was using the same hosting company as WikiLeaks.
Just as an Anon named Joepie91 had finished programming the e-mail viewer, the group started seeing press reports on the actual content of the HBGary e-mails from journalists who had already downloaded the entire package via torrent sites.
The group decided that the searchable HBGary e-mails would be the first addition to their new site, AnonLeaks.ru. But they had no plans for where this new site would go or how, or even if, it would be organized.
“I think the media will get confused and think AnonLeaks is separate to AnonOps or PayBack,” said Kayla. “I dunno. The media ALWAYS seem to get anything Anon wrong.” Still, the team spent a few days in early February waiting for HBGary Federal’s tens of thousands of e-mails to compile, and Topiary suggested looking for a few choice pieces to put on the new AnonLeaks website as teasers. That way, the blank website wouldn’t give the impression that the team was playing for time. It was a classic PR strategy—getting the word out initially, then developing the story with a drip feed of exclusive information. Among the teasers was an embarrassing e-mail from Barr to company employees in which he gave them his password, “kibafo33,” so that they could all take part in a conference call.
Finally, on Monday, February 14, after a few news sites reported that a WikiLeaks-style site called AnonLeaks was coming, the team launched the new web viewer with all 71,800 e-mails from HBGary. They included 16,906 e-mails from Aaron Barr, more than 25,000 e-mails from two other HBGary execs, and 27,606 e-mails from HBGary Inc. CEO Greg Hoglund, including a lovesick e-mail from his wife, Penny, that said, “I love when you wear your fuzzy socks with your jammies.”
Now more journalists started covering the story, and the coverage went on for more than a month. The attack had been unscrupulous, but the ends were an exposé on spying, misinformation, and cyber attacks by a security researcher. Hardly anyone pointed out that people with Anonymous were using exactly the same tactics.
In late February 2011, Barr resigned as CEO of HBGary Federal. A week later, Democratic congressman Hank Johnson called for an investigation into government, military, and NSA contracts with HBGary Federal and its partners Palantir and Berico Technologies. Johnson had read reports of the scandal and asked his staff to look into it.
“I felt duty bound to move for further investigation,” Johnson said in an interview at the time. He did not like the idea of government contractors like HBGary Federal developing software tools that were meant to be used in counterterrorism for “domestic surveillance and marketing to business organizations.” Spying on your own citizens, he added, was bad enough.
“If you have anything else like this come up,” Laurelai asked Kayla after getting a peek at the chaos from the HBGary attack, “can you let me know so we can write about it?”
“Sure,” Kayla replied. She kept her word. A couple of days later Kayla asked Laurelai if she wanted to see where some action was happening and then invited her into a new exclusive IRC channel, again off AnonOps, called #HQ. By now #InternetFeds had been shut down after rumors that one of the thirty or so participants was leaking its chat logs. This room, #HQ, was smaller and had about six people in it, at most, at any one time. It included everyone who had helped in the HBGary Federal attack.
“Hang out here and you’ll see when stuff is about to pop up,” Kayla said. Laurelai was excited about being in #HQ and wondered if she might be able to help expose other white hat security firms that were operating under their own laws and getting away with the kind of stuff that Anons were getting arrested for. Already in January, the FBI had executed forty search warrants on people suspected of taking part in the DDoS attacks on PayPal, working off the list of a thousand IP addresses the company had detected.
Though no one else knew it, Laurelai was secretly logging everything that was being said in the #HQ room, even when she wasn’t in it. Having spent the last two years learning how to hack and social-engineer people, she deemed it important to document what people around her were saying—at a later date, the logs could be used to corroborate things or refute them if necessary. Logging the chat was just standard procedure for Laurelai. In the meantime, she gradually became disappointed with the standard of discussion in the room. “They were acting like a bunch of damn kids,” she later remembered.