As the fallout continues from the compromise of HBGary Federal and the subsequent publishing of tens of thousands of its emails by hacker group Anonymous, some in the security industry are embarrassed over revelations that the security services firm was engaged in shady, potentially illegal, activities.
The saga has brought to light a potentially uncomfortable reality: that legitimate security companies, presumably created to protect innocent users from the dangers of the internet, may be using their firepower to win big contracts and attack others, even their peers.
Of particular concern is the discovery that HBGary Federal and two other security firms were in negotiations with a major law firm, believed to represent Bank of America, to launch an offensive against the whistleblower site WikiLeaks and its supporters.Late last year, WikiLeaks founder Julian Assange hinted that his organization is sitting on a treasure trove of documents that point to corruption at a major U.S. bank (purportedly Bank of America) and a leaked PowerPoint deck seems to suggest that HBGary Federal, Palantir Technologies and Berico Technologies were hired to hack WikiLeaks' central server and spread false documents as a way to discredit the whistleblower site.
The stolen emails also disclosed a proposal on behalf of the U.S. Chamber of Commerce to undermine its left-leaning adversaries. “From a government-policy standpoint, heads should roll on that one, if it's true,” said Jeremiah Grossman, founder and CTO of web application security firm WhiteHat Security. “Our government contracting with people to target citizens? That should not be allowed.”Since this plot has been unearthed, many in the vendor community have attempted to distance themselves from HBGary Federal and its sister company HBGary, said Chenxi Wang, principal analyst at Forrester Research.
“People are worried about what security companies are doing behind closed doors,” Wang said.
Grossman, who founded WhiteHat Security in 2001, said he doesn't think the industry suffers from a systemic problem. “I couldn't name another company that engages in that – a coordinated effort to hack another entity,” he said. “Not to say it's not happening, but we don't know of it.”Wang, however, said she has heard vendors express concern over the threat of attacks from competitors.
“I would tend to think that these kind of offensive tactics are employed more often than we know,” she said.
[An earlier version of this story was corrected to accurately describe HBGary Federal's business.]
Photo by Dan Kaplan