Before Christmas last year, Julian Assange, the founder of WikiLeaks, said that his firm’s next target was a major U.S. bank. WikiLeaks has been in the news a lot since it began releasing secret U.S. State Department documents in 2010. It has shed light on embarrassing language used by some U.S. diplomats, and thus the firm has been under fire from the U.S. government.
The next target was widely believed to be Bank of America, headquartered in Charlotte, NC. Understandably, this made Bank of America quite uneasy. According to The Charlotte Observer, the bank “cut off payments intended for WikiLeaks, spurring the group to tell customers to stop doing business with the bank.” But in a company so large (“too big to fail”), how would you ever find a leak anyways?
“At Bank of America (BofA), widely thought to be the bank in question, an internal investigation began. Had any laptop gone missing? What could be on its hard drive? And how should BofA react if, say, compromising e-mails were leaked?”
Indeed, the bank’s high level executives were squirming. I’m sure they’re much more used to being targeted in such scandals as the average person, but they were certainly feeling the pressure. Fortunately for the bank,
“Recent reports say that Mr Assange has acknowledged in private that the material may be less revealing than he had suggested. Financial experts would be needed to determine whether any of it was at all newsworthy.”
But in the rush to cover themselves, and possibly the government’s role in the Merrill Lynch deal, did they cross the line and enter into the murky waters of private internet security firms? In February of this year,
“Aaron Barr, a top executive at computer security firm HB Gary Federal, boasted to the Financial Times that his firm had infiltrated and begun to expose Anonymous, the group of pro-WikiLeaks hackers that had launched cyber attacks on companies terminating services to the whistleblowing site (such as Paypal, MasterCard, Visa, Amazon and others). In retaliation, Anonymous hacked into the email accounts of HB Gary, published 50,000 of their emails online, and also hacked Barr’s Twitter and other online accounts.”
The most interesting thing that was found in the leaked emails was a PowerPoint presentation that seemed to have been created for Bank of America, and it was to be given to them by way of their law firm, Hunton & Williams.
The presentation was created in conjunction with other security firms, like Palantir Technologies, and included details of an “anti-WikiLeaks campaign.”
“The leaked report suggested numerous ways to destroy WikiLeaks, some of them likely illegal — including planting fake documents with the group and then attacking them when published; “creat[ing] concern over the security” of the site; “cyber attacks against the infrastructure to get data on document submitters”; and a “media campaign to push the radical and reckless nature of wikileaks activities.” Many of those proposals were also featured prongs of a secret 2008 Pentagon plan to destroy WikiLeaks.”
Perhaps most disturbing of the details was the section that detailed attacking so called “WikiLeaks supporters,” such as the journalist Glenn Greenwald, who has written extensively about WikiLeaks recently.
“The report claimed I [Glenn] was ‘critical’ to WikiLeaks’ public support after its website was removed by Amazon and that ‘it is this level of support that needs to be disrupted’; absurdly speculated that ‘without the support of people like Glenn, WikiLeaks would fold’; and darkly suggested that ‘these are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause.’ As The Tech Herald noted, ‘earlier drafts of the proposal and an email from Aaron Barr used the word ‘attacked’ over ‘disrupted’ when discussing the level of support.'”
When Mr. Greenwald originally found out about the leaked report, he said he didn’t take it all that seriously. But after looking into it some more, he changed his tune.
“…it turns out that the firms involved here are large, legitimate and serious, and do substantial amounts of work for both the U.S. Government and the nation’s largest private corporations (as but one example, see this email from a Stanford computer science student about Palantir). Moreover, these kinds of smear campaigns are far from unusual; in other leaked HB Gary emails, ThinkProgress discovered that similar proposals were prepared for the Chamber of Commerce to attack progressive groups and other activists (including ThinkProgress). And perhaps most disturbing of all, Hunton & Williams was recommended to Bank of America’s General Counsel by the Justice Department — meaning the U.S. Government is aiding Bank of America in its defense against/attacks on WikiLeaks.”
Since all of this has happened, Mr. Barr from HB Gary has been let go and the firms involved have all released statements. The security firms involved have said they do not condone the actions of those who put together the proposal and have apologized to the journalists targeted in the report. Hunton & Williams, Bank of America’s law firm, has said they were unaware of the proposal. And Bank of America said they knew nothing of the proposal and they did not solicit it in any way.
No one has as of yet found a direct tie to Bank of America and the security firms. But maybe that’s not the real point of this story.
What I think we should take away from this is that cyber-security and cyber-law must be taken extremely seriously. I don’t think enough of us understand that what you do on the Internet is not disposable. When I post a story on my blog it is hosted on a server owned by WordPress somewhere. When you save an email in your gmail account, it’s being saved onto a server owned by Google. Even your Facebook pictures are there to stay. When you are tagged in a photo, that will stay attached to your name. Even if you delete your personal account.
Companies like Bank of America should be afraid of groups like Anonymous and WikiLeaks. But more importantly, you and I should understand just how easy it can be for someone to access our online lives. To finish explaining why we should all pay attention to this, I’ll leave you with this bit of information. Referring to another project, Aaron Barr from HB Gary, said the following in an email:
“If I want to gain access to the Exelon plant up in Pottsdown PA I only have to go as far as LinkedIn to identify Nuclear engineers being employed by Exelon in that location. Jump over to Facebook to start doing link analysis and profiling. Add data from twitter and other social media services. I have enough information to develop a highly targeted exploitation effort.
I can and have gained access to various government and government contractor groups in the social media space using this technique (more detailed but you get the point). Given that people work from home, access home services from work — getting access to the target is just a matter of time and nominal effort.”
Watch this video of Glenn Greenwald on MSNBC detailing some of the story mentioned above.