B of A Enlists Security Firms to Undermine WikiLeaks

Thursday, February 10, 2011

Anthony M. Freed


UPDATE:  BofA denies connection to proactive tactics to silence WikiLeaks

Bank of America has broken silence about news reports and Internet discussions circulating all week connecting BofA to these presentation slides outlining "proactive tactics" to neutralize WikiLeaks and silence its leader, Julian Assange. We've never seen the presentation, never evaluated it, and have no interest in it," BofA spokesman Scott Silvestri told Technology Live late Thursday.

*   *   *

The fallout from the HBGary Federal breach by hacktivists continues to spread as leaked documents reveal that one of the nation's largest banks was soliciting proposals for strategies to undermine the whistleblower organization WikiLeaks.

The Tech Herald reports that HBGary Federal, Palantir Technologies and Berico Technologies were enlisted by the law firm Hunton and Williams to develop a plan to disrupt WikiLeaks operations on behalf of Bank of America late in 2010.

Bank of America had swung into damage control mode in late November after WikiLeak's Julian Assange revealed in an interview the group's plans to "take down" a large U.S. bank with the release of confidential executive level documents.

Many have speculated that Bank of America was the target of the pending leaks, and the bank enlisted outside specialists to assist with preparations, including Hunton and Williams after they were recommended by the U.S. Department of Justice.

The Tech Herald report was developed after a tip from Crowdleaks.org and was based on emails and documents released by Anonymous after supporters of the loose-knit movement breached the private networks of HBGary Federal.

HBGary Federal's head of information security, Aaron Barr, last week claimed to have infiltrated the Anonymous network seeking to uncover the identities of those in leadership rolls who worked to coordinate a series of distributed denial of service attacks, which in turn prompted the attack and subsequent data release.

One of the items revealed in the breach was a twenty-four page plan developed by HBGary Federal and the other two security firms to counter WikiLeaks activities. The proposed strategies suggested a variety of tactics which ranged from a disinformation campaign to outright cyber attacks.

The following is a list of some of the suggested strategies in the proposal:

  • Feed the fuel between the feuding groups. Disinformation. Create messages around actions of sabotage or discredit the opposing organisations. Submit fake documents and then call out the error.
  • Create concern over the security of the infrastructure. Create exposure stories. If the process is believed not to be secure they are done.
  • Cyber attacks against the infrastructure to get data on document submitters. This would kill the project. Since the servers are now in Sweden and France putting a team together to get access is more straightforward.
  • Media campaign to push the radial and reckless nature of WikiLeaks activities. Sustain pressure. Does nothing for the fanatics, but creates concern and doubt among moderates.
  • Search for leaks. Use social media to profile and identify risky behavior of employees.

Assuming the information cited is correct, had the cyber attacks against WikiLeaks data servers been carried out, they may have violated the laws of the nations where the networks were hosted, which raises some serious ethical issues.

Private corporations should not be entertaining strategies to commit illegal cyber acts, and security companies should definitely not be proposing attacks against the network systems of other private companies regardless of the circumstances.

Information security specialists who engage in unethical operations threaten the credibility of the entire industry, and provide the rationale that groups like Anonymous need to engage in further acts of lawlessness.

The revelations should prompt the information security community to debate the legitimacy of such activities.

Comments welcome.

Possibly Related Articles:
Attacks WikiLeaks Hacktivist Bank of America hackers Information Security breach HBGary Federal
Post Rating I Like this!
Morey Straus Anthony, I think it's a mistake to conflate law and ethics. Regardless, I agree with your general sentiment. I would never knowingly do business with anyone who believes that fraud and deception are legitimate business tactics. I would like to think that view is shared by the majority of our community.
Anthony M. Freed Morey - My point was to generate some discussion regarding legitimate security professionals pitching proposals that include potentially illegal attacks on other company's networks. In my opinion that runs counter to everyone's best interests, and casts security professionals as techno mercenaries.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.