Most (in)famous for proposing a wide-ranging plan to discredit the defenders of WikiLeaks, the security company HBGary Federal recently pitched the Pentagon’s premier research branch on a “Paranoia Meter” to hunt down the next Bradley Manning.
The proposal was valuable enough to the company that its author was CEO Aaron Barr, who resigned in the wake of the firm’s WikiLeaks scandal.
Last August, as Danger Room reported, blue-sky research firm Darpa asked software engineers to design a system to sift through Defense Department email, web and network usage for “anomalous missions” indicating that a user might intend to siphon sensitive information to unauthorized entities. The program is called CINDER, for Cyber Insider Threat. It’s managed by legendary hacker Peiter “Mudge” Zatko.
Months before HBGary became synonymous with an attack against WikiLeaks and its posse, Barr offered Darpa a way to make CINDER a reality — and potentially to take down the next big U.S. government secret-leaker.
Barr’s proposal to Darpa — dated September 17 and reported by our sister site Ars Technica in February — envisioned CINDER as an online lie detector, searching for peaks and troughs in virtual “adrenaline” during a user’s network activity. “[W]e will have a rootkit on the host that monitors keystrokes, mouse movements, and visual cues through the system camera,” Barr pitched. “We believe that during particularly risky activities we will see more erratic mouse movements and keystrokes as well as physical observations such as surveying surroundings, shifting more frequently, etc.” He called his proposed creation a “‘Paranoia Meter’ — a human factor and activity correlation engine.”
That requires collecting a lot of data, HBGary’s proposal acknowledges: the only way to judge anomalous user behavior is to create a model for normal behavior; that in turn requires mapping normal behavior for the median user — which in the Defense Department’s case is millions of people.
“[Y]ou can create way too many false positives,” Barr’s proposal concedes. “That said, the approach is fundamental to detecting insider threat activity.”
HBGary’s CINDER would use the methods of a malicious user in order to catch one. Using a rootkit, a program that gives an outsider the same privileges as a network administrator, HBGary would “collect select file access, process execution with parameters, email communications, keyboard activity with a time/date stamp, network/TDI activity (and the actual network data if appropriate), and IM traffic.” The rootkit could be configured to provide security officers with “screenshots and… a video stream” of suspicious behavior. And it would exfiltrate data to a controlling server by a process that “emulate[s] outbound HTTP browsing.”
Once collected, the data would be assigned a numeric value for each specific user, in order to gauge who’s suspicious and who isn’t. For example: “Do they encrypt files (+10), do they regularly explore the data stores (+5). Are they part of a corporate effort to bring horizontal visibility across their business verticals (-5). Is the person a prolific author and not just a consumer of data on a particular topic or program (-10).”
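As an added illustration of the additive scoring and the per-user “model for normal behavior” the proposal describes (this is example code, not HBGary’s or Darpa’s; the attribute names, the constructed population, the file-access counts and the +10 anomaly bonus are assumptions), a toy scorer run over a population with no insiders, showing how routine habits such as encrypting files produce the false positives Barr concedes:

```python
from statistics import mean, pstdev

# The four weights the article quotes from the proposal. The attribute
# names are this example's own shorthand, not the proposal's.
WEIGHTS = {
    "encrypts_files": 10,
    "explores_data_stores": 5,
    "horizontal_visibility_effort": -5,
    "prolific_author": -10,
}

def static_score(attrs):
    """Sum the proposal's fixed weights for the attributes a user has."""
    return sum(w for name, w in WEIGHTS.items() if attrs.get(name))

def baseline_anomaly(history, today, k=2.0):
    """True if today's activity count sits more than k standard deviations
    above this user's own history (the per-user baseline the proposal
    needs). A flat history only trips when today exceeds every past value."""
    if len(history) < 2:
        return False
    sd = pstdev(history)
    if sd == 0:
        return today > max(history)
    return (today - mean(history)) / sd > k

def paranoia_score(attrs, history, today, anomaly_weight=10):
    """Fixed attribute weights plus an assumed bonus when today's activity
    is anomalous for this user."""
    bonus = anomaly_weight if baseline_anomaly(history, today) else 0
    return static_score(attrs) + bonus

# Constructed population of ordinary users: (attributes, daily file-access
# history, today's count). None of them is an insider.
USERS = {
    "alice": ({"encrypts_files": True}, [20, 22, 21, 19, 20], 21),
    "bob": ({"explores_data_stores": True, "prolific_author": True},
            [5, 6, 5, 7, 5], 30),
    "carol": ({"horizontal_visibility_effort": True}, [10, 12, 11, 10, 13], 40),
    "dave": ({"encrypts_files": True, "explores_data_stores": True},
             [3, 3, 3, 3, 3], 3),
}

def flagged(users, threshold=10):
    """Users whose score reaches the threshold; with no insiders in the
    population, every name returned is a false positive."""
    return sorted(u for u, (a, h, t) in users.items()
                  if paranoia_score(a, h, t) >= threshold)
```

Note that bob and carol, whose daily access counts jump far above their own baselines, score lower than alice and dave, whose only “suspicious” trait is encrypting files: the fixed weights dominate the per-user anomaly signal.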
Nor did HBGary expect to keep its “Paranoia Meter” limited to Defense Department use. “HBGary plans to transition technology into commercial products,” it specified on its proposal.
Darpa hasn’t issued a contract for CINDER yet. So far, it’s collected just over 50 interested vendors, ranging from mega-intel contractors like California’s SAIC to Virginia’s Blackbird Technologies, an internet security firm that recently branched out into warzone personnel recovery tech. HBGary isn’t on the newest vendor list.
As our sister blog Threat Level has extensively reported, HBGary came in for a world of hurt after Barr boasted of how easy it was to discover the identities of WikiLeaks’ defenders. The hacktivist and prankster group Anonymous retaliated, big time, by posting torrents of internal HBGary emails. In some messages, the firm claims to work with the FBI to unmask Anonymous members through their online habits. In others, Barr suggests targeting the financial supporters of WikiLeaks (“…get people to understand that if they support the organization we will come after them…”) and threatening the livelihoods of pro-WikiLeaks writers like Salon’s Glenn Greenwald.
In response, a House subcommittee demanded last month that the Defense Department disclose any contracts it holds with HBGary. (The firm also wrote a proposal for Darpa’s “Cyber Genome” project.) And after Anonymous hacked his Twitter account and disclosed 60,000 of the firm’s emails — making a mockery of his claims to provide his clients with online security — Barr resigned as CEO in late February.
Whether that makes HBGary too radioactive for Darpa’s CINDER contract remains to be seen. If not, soldiers at the Morale Welfare and Recreation computer labs might find themselves secretly monitored under the suspicion that they’re the next Bradley Manning.