ThreatPost: HBGary Emails A Sweet Valentine For Social Engineers
February 14, 2011 - The news keeps getting worse for security firm HBGary Federal. Members of the online mischief-making group Anonymous posted another cache of 20,000 company e-mails Sunday, following a similar disclosure last week. But the real damage from the leak may be yet to come, as sophisticated attackers mine the e-mail trove for information on the company's business contacts, including U.S. military, intelligence and law enforcement organizations, that could be used later in targeted attacks.
The contents of the harvested e-mails present a potentially damaging breach: yielding personally identifiable information as well as details of social connections and relationships between members of the U.S.'s top defense, spy, intelligence and law enforcement agencies, as well as staff and members of the House of Representatives and Senate, says Chris Hadnagy of social-engineer.org, a non-profit group.
Among the more sensitive content are e-mail exchanges with active personnel within the CIA, FBI and NSA that include personal and business contact information. These include the names and e-mail addresses of personnel at DISA, the NSA, CIA, FBI, the Air Force and elite government contractors such as IBM.
"You've got the names and e-mail addresses of high ranking government officials," notes Hadnagy. Beyond that raw information, there are detailed exchanges between HBGary and HBGary Federal executives: CEO Aaron Barr, COO Ted Vera and Federal Principal Consultant Phil Wallisch, detailing HBGary Federal's efforts to win the approvals needed to pitch and sell its technology to individuals within the elite law enforcement, defense and intelligence agencies. Together, the e-mail messages provide a road map of the professional and personal networks that are the currency of the Washington D.C. business and intelligence communities. Other e-mail exchanges provide insight into the thinking and needs of U.S. spy agencies. E-mail conversations between HBGary executives discuss the technology interests of the NSA, for example, and how the super-secretive agency may end up applying the company's technology, which allows researchers to observe and dissect the operation of malicious programs in minute detail, with the goal of discovering their author or origin.
"You've got all the communications that are occurring with that person - threads and conversations that tell you 'here's what they were talking about and with whom,' and 'here's what their interest level was,'" Hadnagy said. "For a social engineer, that stuff is a gold mine."
The information that can be gleaned about relationships and topics of conversation, coupled with the contact information - phone, work and even personal e-mails - is priceless and could all be used to build trust with the target in the context of a highly effective social engineering attack, he said.