http://digital-intifada.blogspot.com/2012/04/digital-intifada-exclusive-interview.html

Monday, 16 January 2012

hbgary and qinetiq government defense network expose


  1. [ Profile for investigators cyberveillance.com and cyveillance.com ]
  2.  
  3. After a logged, robots.txt-non-compliant spidering originating from IP 38.105.71.34, xor.cx was accessed on Jan 5 and Jan 10.
  4. The same IP then made a password-reset hack attempt against co-admin bwall's account on xor.cx.
  5.  
  6. [ Info ]
  7. Cyveillance is part of QinetiQ's Mission Solution's Group, headed by Stephen Cambone, a former US Under-Secretary of Defense
  8. for Intelligence who served President George W. Bush. Many of QinetiQ's clients are in the defense and other government arenas.
  9. Possibly a CIA- (or similarly) contracted firm, investigating either potential web threats or conducting a background check on bwall for his security
  10. clearance.
  11.  
  12. Known affiliations: Microsoft (partner); US DoD-contracted firms, i.e. QinetiQ (shareholders); British Ministry of Defence (former/current golden share holder); HBGary (affiliation unknown)
  13.  
  14. -From wikipedia:
  15.     Cyveillance, founded in 1997, is a private Internet-monitoring company based in Arlington, Virginia and provides an intelligence-led approach to security.
  16. [!] Cyveillance was bought in May 2009 by the UK firm QinetiQ, for an initial cash consideration of $40 million.[1]
  17.     Cyveillance is part of QinetiQ's Mission Solution's Group, headed by Stephen Cambone, a former US Under-Secretary of Defense for Intelligence who served President George W. Bush. Many of QinetiQ's clients are in the defense and other government arenas.[2]
  18.     Cyveillance's corporate officers include:
  19.     Dave Papas, Chief Operating Officer.[3]
  20. **  Manoj Srivastava, Chief Technical Officer, and a former VeriSign executive.[4]
  21.     Richard D. Rose, Chief Financial Officer.[5]
  22.  
  23.  
  24. --QinetiQ
  25. Early expansion
  26. In September 2004 Qinetiq acquired the U.S. defence companies Westar Corporation[4] and Foster-Miller (maker of the Talon robot).[5] Also in 2004, it acquired HVR Consulting Services Ltd. a leading UK based engineering consultancy.[6] In early August 2005, the company announced it would acquire Apogen Technologies, Inc., pending regulatory approval.[7] The Qinetiq website lists this merger as costing $288.0m (£162.7m). In September 2005, it acquired a 90% share of Verhaert Design and Development NV (VDD), the Belgian space systems integrator.[8] In October that year, it acquired Broadreach Networks Limited, a supplier of Wi-Fi internet to the European rail industry,[9] and in February 2006, it bought Graphics Research Corporation Ltd, developer of the Paramarine software suite of ship and submarine design tools.[10]
  27. ** Qinetiq has a 25-year agreement with the UK Ministry of Defence (MoD) to provide test and evaluation services and manage military ranges. This agreement is the Long Term Partnering Agreement (LTPA). It is a major stakeholder in the UK Defence Technology Centre which places military research contracts on behalf of the MoD.
  28. ** In January 2007, the Company bought Analex, a U.S. corporation providing high technology professional services and solutions, principally to the United States Government and its agencies.[17] Analex originally incorporated in 1964 under the name Biorad which then evolved into Hadron, Inc.,[18] a U.S. government systems consulting firm chaired by Earl Brian, a controversial, often shady, businessman who eventually became the centre of focus in a Ronald Reagan-era, software piracy case: Inslaw Inc. v. United States Government.
  29.  
  30.  
  31. Criticisms
  32. Numerous websites have complained about Cyveillance's traffic for the following reasons:
  33.     Their robots access many pages, and thus use a comparatively large amount of bandwidth.
  34.     Their robots send many fake HTTP attacks which are a cover channel for deadly (accept, read, write) timeout attacks which easily disrupt Apache and IIS servers.
  35.     They ignore the robots.txt exclusion standard, which specifies pages that should not be accessed by robots.
  36.     They use a falsified user-agent string, usually pretending to be some version of Microsoft Internet Explorer on some version of Windows, which is deceptive and can throw off log analysis. (Interestingly, this is one way to identify the crawler, as it often lists 'Windows XP' in the user-agent. A real Windows XP system actually identifies itself as 'Windows NT 5.1'. This method should not be depended on for positive identification, however, as Cyveillance has been known to change its user-agent strings from time to time. It actually has changed it to "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2" and "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" has also been seen.)[citation needed] (Ironically, while Cyveillance is in the business of protecting the intellectual property of its clients, its falsified user-agent string could be violating one or more trademarks.)
  37.     The company does not always respond to cease and desist letters.
  38.  
  39. --John Chisholm (executive)
  40. In 1991, Chisholm was asked by the UK Ministry of Defence to organize a number of their research organisations into a single entity, which eventually became the Defence Evaluation and Research Agency (DERA) - the largest science and technology organisation in the UK. In July 2001, three quarters of DERA was spun off to form a new private company called QinetiQ.
  41. -From Linkedin
  42. --Manoj Srivastava  | LinkedIn
  43. Passionate about product innovation (named as inventor or co-inventor on four patents), my inventions include the:
  44. • Social Engineering Protection Appliance in 2010, the first device of its kind, which prevents cyber-attacks that exploit social media networks and penetrate target companies.
  45. • First Global Threat Intelligence product (five years ahead of its time) that detects cyber threats and feeds data to security devices via the Internet “cloud.”
  46. • Shared Registration System, which led to creation and explosive growth of a new industry – domain-name registrars that sell domain names.
  47. ..
  48. Currently leading technology, strategy, R&D, product development, SaaS infrastructure, offshore operations, marketing support, and strategic partnerships. Contribute expertise during analyst and media briefings; collaborate on product and pricing strategy; and brief Board of Directors on technology, products, performance, and plans. Performed M&A integration and due-diligence during QinetiQ’s acquisition of Cyveillance (2009).
  49. ..
  50. Launched highly profitable OEM threat intelligence feeds, which update gateway-security devices for protection against zero-day threats.
  51. Launched successful products, including: Knowledge Discovery Appliance (KDA), which scans and analyzes content in near real-time; and SEPA, which counters “social engineering” attacks.
  52. ..
  53. Vice President
  54. VeriSign, Inc
  55. May 2000 – June 2005 (5 years 2 months) Dulles, Virginia
  56. http://webcache.googleusercontent.com/search?q=cache:eMYDqoYgxaYJ:www.linkedin.com/in/manojkumarsrivastava+Manoj+Srivastava+cyveillance&cd=9&hl=en&ct=clnk&gl=us
  57.  
  58. -From uspto.gov patent office
  59.  
  60. 1       7,299,299       Full-Text       Shared registration system for registering domain names
  61. 2       6,533,320       Full-Text       Automotive seat belt restraint assembly
  62. 3       6,523,237       Full-Text       Automotive seat assembly having an integral tear seam
  63. 4       6,485,096       Full-Text       Continuous self-adjusting head restraint system
  64. 5       6,250,703       Full-Text       Automotive removable power seat
  65. 6       6,074,006       Full-Text       Automotive seat with pneumatic pelvic stabilization
  66.  
  67. --Paul Hart Sr Network Engineer - Cyveillance
  68.  
  69. -From linkedin !
  70. HTTP Status 401 -
  71. type Status report
  72. message
  73. [!] description This request requires HTTP authentication ().
  74. http://www.linkedin.com/pub/paul-hart/26/7b2/ba7
  75.  
  76. [ xor.cx Access.log ]
  77. 38.105.71.34 - - [05/Jan/2012:02:04:32 -0700] "GET / HTTP/1.1" 302 - "-" "Java/1.5.0_15"
  78. 38.105.71.34 - - [05/Jan/2012:02:04:33 -0700] "GET /drupal7 HTTP/1.1" 301 230 "-" "Java/1.5.0_15"
  79. 38.105.71.34 - - [05/Jan/2012:02:04:33 -0700] "GET /drupal7/ HTTP/1.1" 200 15679 "-" "Java/1.5.0_15"
  80. 38.105.71.34 - - [05/Jan/2012:02:04:34 -0700] "GET /drupal7/?q=node/52 HTTP/1.1" 200 27212 "-" "Java/1.5.0_15"
  81. 38.105.71.34 - - [05/Jan/2012:02:04:35 -0700] "GET /drupal7/?q=tracker HTTP/1.1" 200 27958 "-" "Java/1.5.0_15"
  82. 38.105.71.34 - - [05/Jan/2012:02:04:35 -0700] "GET /drupal7/?q=tracker&page=1 HTTP/1.1" 200 28064 "-" "Java/1.5.0_15"
  83. 38.105.71.34 - - [05/Jan/2012:02:04:36 -0700] "GET /drupal7/?q=user/password HTTP/1.1" 200 10477 "-" "Java/1.5.0_15"
  84. 38.105.71.34 - - [05/Jan/2012:02:04:36 -0700] "GET /drupal7/?q=login HTTP/1.1" 302 - "-" "Java/1.5.0_15"
  85. 38.105.71.34 - - [05/Jan/2012:02:04:36 -0700] "GET /drupal7/?q=user/login HTTP/1.1" 200 12850 "-" "Java/1.5.0_15"
  86. 38.105.71.34 - - [05/Jan/2012:02:04:37 -0700] "GET /drupal7/?q=user/login HTTP/1.1" 200 12850 "-" "Java/1.5.0_15"
  87. 38.105.71.34 - - [05/Jan/2012:02:04:38 -0700] "GET /drupal7/?q=user/login HTTP/1.1" 200 12850 "-" "Java/1.5.0_15"
  88. 38.105.71.34 - - [05/Jan/2012:02:04:38 -0700] "GET /drupal7/?q=Links HTTP/1.1" 200 21033 "-" "Java/1.5.0_15"
  89. 38.105.71.34 - - [05/Jan/2012:02:04:39 -0700] "GET /drupal7/?q=Links HTTP/1.1" 200 21033 "-" "Java/1.5.0_15"
  90. 38.105.71.34 - - [05/Jan/2012:02:04:39 -0700] "GET /drupal7/ HTTP/1.1" 200 15679 "-" "Java/1.5.0_15"
  91. 38.105.71.34 - - [05/Jan/2012:02:04:40 -0700] "GET /drupal7/?q=node/1 HTTP/1.1" 200 14128 "-" "Java/1.5.0_15"
  92. 38.105.71.34 - - [05/Jan/2012:02:04:40 -0700] "GET /drupal7/?q=node/1 HTTP/1.1" 200 14128 "-" "Java/1.5.0_15"
  93. 38.105.71.34 - - [05/Jan/2012:02:04:41 -0700] "GET /drupal7/?q=Affiliates HTTP/1.1" 200 14035 "-" "Java/1.5.0_15"
  94. 38.105.71.34 - - [05/Jan/2012:02:04:41 -0700] "GET /drupal7/?q=user/register HTTP/1.1" 200 12679 "-" "Java/1.5.0_15"
  95. 38.105.71.34 - - [05/Jan/2012:02:04:42 -0700] "GET /drupal7/?q=user/register HTTP/1.1" 200 12679 "-" "Java/1.5.0_15"
  96. 38.105.71.34 - - [05/Jan/2012:02:04:43 -0700] "GET /drupal7/?q=forum HTTP/1.1" 200 16166 "-" "Java/1.5.0_15"
  97. 38.105.71.34 - - [05/Jan/2012:02:04:43 -0700] "GET /drupal7/?q=forum/3 HTTP/1.1" 200 14049 "-" "Java/1.5.0_15"
  98. 38.105.71.34 - - [05/Jan/2012:02:04:44 -0700] "GET //?q=forum/1 HTTP/1.1" 302 - "-" "Java/1.5.0_15"
  99. 38.105.71.34 - - [05/Jan/2012:02:04:44 -0700] "GET /drupal7 HTTP/1.1" 301 230 "-" "Java/1.5.0_15"
  100. 38.105.71.34 - - [05/Jan/2012:02:04:44 -0700] "GET /drupal7/ HTTP/1.1" 200 15679 "-" "Java/1.5.0_15"
  101. 38.105.71.34 - - [05/Jan/2012:02:04:45 -0700] "GET /drupal7/?q=node/64 HTTP/1.1" 200 20576 "-" "Java/1.5.0_15"
  102. (Jan 10th logs are identical)
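Added example (not from the original post, and not code from xor.cx or any firm named here): a small log analyser that applies the indicators the post relies on to Apache "combined" access-log lines. It flags, per client IP, bursts of automated requests, crawling without ever fetching /robots.txt, requests to the Drupal password-reset endpoint, library default user-agents such as "Java/1.5.0_15", and, from the Criticisms section above, user-agents that literally say "Windows XP" when a real XP browser reports "Windows NT 5.1". The log lines, the TEST-NET addresses, the burst threshold and the list of library user-agent prefixes are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# User-agent prefixes of HTTP libraries that were left at their default (assumption:
# Java/ and HTMLParser/ appear on this page, the others are well-known defaults).
LIBRARY_UA_PREFIXES = ("Java/", "HTMLParser/", "python-requests/", "curl/")

# Constructed sample in the same format as the xor.cx log above. All addresses are
# RFC 5737 documentation ranges; 203.0.113.34 stands in for the non-compliant crawler.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jan/2012:01:50:00 -0700] "GET /robots.txt HTTP/1.1" 200 61 "-" "ExampleBot/1.0 (+http://example.org/bot)"
198.51.100.7 - - [05/Jan/2012:01:50:01 -0700] "GET /drupal7/ HTTP/1.1" 200 15679 "-" "ExampleBot/1.0 (+http://example.org/bot)"
198.51.100.7 - - [05/Jan/2012:01:50:07 -0700] "GET /drupal7/?q=node/1 HTTP/1.1" 200 14128 "-" "ExampleBot/1.0 (+http://example.org/bot)"
203.0.113.34 - - [05/Jan/2012:02:04:32 -0700] "GET / HTTP/1.1" 302 - "-" "Java/1.5.0_15"
203.0.113.34 - - [05/Jan/2012:02:04:33 -0700] "GET /drupal7/ HTTP/1.1" 200 15679 "-" "Java/1.5.0_15"
203.0.113.34 - - [05/Jan/2012:02:04:34 -0700] "GET /drupal7/?q=node/52 HTTP/1.1" 200 27212 "-" "Java/1.5.0_15"
203.0.113.34 - - [05/Jan/2012:02:04:35 -0700] "GET /drupal7/?q=tracker HTTP/1.1" 200 27958 "-" "Java/1.5.0_15"
203.0.113.34 - - [05/Jan/2012:02:04:36 -0700] "GET /drupal7/?q=user/password HTTP/1.1" 200 10477 "-" "Java/1.5.0_15"
203.0.113.34 - - [05/Jan/2012:02:04:36 -0700] "GET /drupal7/?q=user/login HTTP/1.1" 200 12850 "-" "Java/1.5.0_15"
192.0.2.9 - - [05/Jan/2012:03:10:12 -0700] "GET /drupal7/?q=node/1 HTTP/1.1" 200 14128 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows XP)"
192.0.2.9 - - [05/Jan/2012:03:12:40 -0700] "GET /drupal7/?q=forum HTTP/1.1" 200 16166 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows XP)"
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped rather than fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
        yield rec


def _has_burst(recs, window_s, threshold):
    """True if at least `threshold` requests fall inside any `window_s`-second window."""
    for i in range(len(recs)):
        j = i
        while j < len(recs) and (recs[j]["time"] - recs[i]["time"]).total_seconds() <= window_s:
            j += 1
        if j - i >= threshold:
            return True
    return False


def analyse(text, burst_window_s=10, burst_threshold=5):
    """Group records by client IP and return {ip: sorted list of finding tags}."""
    by_ip = defaultdict(list)
    for rec in parse_log(text):
        by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        tags = set()
        if _has_burst(recs, burst_window_s, burst_threshold):
            tags.add("burst")
            # A crawler that bursts without ever reading robots.txt is not honouring it.
            if not any(r["path"].startswith("/robots.txt") for r in recs):
                tags.add("robots_txt_ignored")
        if any("user/password" in r["path"] for r in recs):
            tags.add("password_reset_request")  # Drupal reset form, as in the log above
        for r in recs:
            ua = r["ua"]
            if ua.startswith(LIBRARY_UA_PREFIXES):
                tags.add("library_default_ua")
            # Real Windows XP browsers send "Windows NT 5.1"; a literal "Windows XP"
            # token is a weak hint of a forged user-agent, not positive identification.
            if "windows xp" in ua.lower() and "windows nt 5.1" not in ua.lower():
                tags.add("inconsistent_windows_token")
        findings[ip] = sorted(tags)
    return findings


if __name__ == "__main__":
    for ip, tags in analyse(SAMPLE_LOG).items():
        print(f"{ip:15} {', '.join(tags) or 'no findings'}")
```

Run stand-alone, the script reports the documentation crawler with four findings, the Windows XP client with only the weak user-agent hint, and the robots.txt-compliant bot with none. The thresholds are deliberately conservative; on a real server tune them against normal traffic, and treat the user-agent rule as a prompt for a closer look rather than a block rule, since user-agent strings change.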
  103.  
  104.    Administrative Contact, Technical Contact:
  105.       Hart, PAUL                it_ops@cyveillance.com
  106.       CYVEILLANCE
  107. [!]   2677 Prosperity Ave
  108.       Suite 400
  109. [!]   FairFax, VA 22031
  110.       US
  111.       (703) 351-2432 fax: (703) 312-0536
  112.  
  113. [ 2677 Prosperity Ave ]
  114. At this address:
  115.     Analex Corporation‎ -
  116.     Beta Analytics International Inc‎ -
  117. [!] Lockheed Martin Corporation‎ -
  118.     Sunspot Cafe‎ -
  119. http://maps.google.com/maps?q=+2677+Prosperity+Ave+fairfax&hl=en&ll=38.880744,-77.233372&spn=0.011609,0.032809&sll=38.967617,-77.156725&sspn=0.047047,0.132093&vpsrc=0&hnear=2677+Prosperity+Ave,+Fairfax,+Virginia+22031&t=m&z=16
  120.  
  121. [ cyberveillance.com ]
  122. whois:
  123. private
  124.  
  125. [ cyveillance.com ]
  126. QinetiQ North America
  127. 7918 Jones Branch Drive
  128. McLean, VA 22102
  129.  
  130.  
  131. whois:
  132. Registrant:
  133. Cyveillance
  134.    2677 Prosperity Ave
  135.    Suite 400
  136.    Fairfax, VA 22031
  137.    US
  138.  
  139.    Domain Name: CYVEILLANCE.COM
  140.  
  141.    ------------------------------------------------------------------------
  142.    Promote your business to millions of viewers for only $1 a month
  143.    Learn how you can get an Enhanced Business Listing here for your domain name.
  144.    Learn more at http://www.NetworkSolutions.com/
  145.    ------------------------------------------------------------------------
  146.  
  147.    Administrative Contact, Technical Contact:
  148.       Hart, PAUL                it_ops@cyveillance.com
  149.       CYVEILLANCE
  150.       2677 Prosperity Ave
  151.       Suite 400
  152.       FairFax, VA 22031
  153.       US
  154.       (703) 351-2432 fax: (703) 312-0536
  155.  
  156.  
  157.    Record expires on 16-Aug-2021.
  158.    Record created on 17-Aug-1998.
  159.    Database last updated on 15-Jan-2012 18:27:28 EST.
  160.  
  161.    Domain servers in listed order:
  162.  
  163.    AUTH100.NS.UU.NET            198.6.1.202
  164.    AUTH00.NS.UU.NET             198.6.1.65
  165.    AUTH1.DNS.COGENTCO.COM       66.28.0.14
  166.    AUTH2.DNS.COGENTCO.COM       66.28.0.30
  167.  
  168.  
  169. [ 38.105.71.34 ]
  170. Whois:
  171. network:ID:NET4-2669470019
  172. network:Network-Name:NET4-2669470019
  173. network:IP-Network:38.105.71.0/25
  174. network:Postal-Code:22209
  175. network:Country:US
  176. network:State:VA
  177. network:City:Arlington
  178. network:Street-Address:1555 Wilson Blvd, Suite 406
  179. network:Org-Name:Cyveillance Inc.
  180. network:Tech-Contact:ZC108-ARIN
  181. network:Updated:2010-07-09 18:51:19
  182. network:Updated-by:Michael Callender
  183.  
  184.  
  185.  
  186. 38.105.71.34 Information
  187.  
  188. Public/natted address? 10.20.1.200 - 38.100.41.112
  189.  
  190. Honeynet project:
  191. This IP address has been seen by at least one Honey Pot. However, none of its visits have resulted in any bad events yet. It's possible that this IP is just a harmless web spider or Internet user. If you know something about this IP, please leave a comment.
  192. User-Agents     seen with 2 user-agent(s)
  193. ! 38.105.71.34's User Agent Strings
  194. ! HTMLParser/1.6
  195. ! Java/1.5.0_15
  196.  
  197.  
  198. [hbgary.com]
  199. Matt Anglin
  200. Information Security Principal
  201. Office of the CSO
  202. QinetiQ North America
  203. 7918 Jones Branch Drive
  204. McLean, VA 22102
  205. 703-967-2862 cell
  206.  
  207. Rich Cummings
  208. CTO, HBGary
  209. 703-999-5012
  210.  
  211. Michael G. Spohn | Director – Security Services | HBGary, Inc.
  212. Office 916-459-4727 x124 | Mobile 949-370-7769 | Fax 916-481-1460
  213. mike@hbgary.com | www.hbgary.com
  214. work ip: 68.5.159.254
  215.  
  216.  
  217. --Confidential defense server staff communication (IPs and e-mails included!)
  218. from: http://webcache.googleusercontent.com/search?q=cache:furUG9cJJ_4J:mirror.anapnea.net/hbgary/phil_hbgary_com/3001.html+paul+hart+cyveillance&cd=4&hl=nl&ct=clnk&gl=nl&client=firefox-a
  219. Original file:  1296985733.M431662P20123Q1579.cybercom
  221. From:   "Chris Glenn" <cglenn@Cyveillance.com>
  222. To:     "Rich Cummings" <rich@hbgary.com>,"Mike Spohn" <mike@hbgary.com>,"Matthew Anglin" <matthew.anglin@qinetiq-na.com>,"Penny Leavy" <penny@hbgary.com>,"Phil Wallisch" <phil@hbgary.com>
  223. Date:   Fri, 20 Aug 2010 18:34:39 -0400
  224. Subject:        RE: Access to HBGary Active Defense server
  225. Full headers
  226. -----
  227. delivered-to: phil@hbgary.com
  228. received: Array
  229. return-path: <cglenn@cyveillance.com>
  230. received-spf: neutral (google.com: 38.100.21.105 is neither permitted nor denied by domain of cglenn@cyveillance.com) client-ip=38.100.21.105;
  231. authentication-results: mx.google.com; spf=neutral (google.com: 38.100.21.105 is neither permitted nor denied by domain of cglenn@cyveillance.com) smtp.mail=cglenn@cyveillance.com
  232. message-id: <2638c5c1-8e5c-457a-ba51-04e3c2afdadd@blur>
  233. from: "Chris Glenn" <cglenn@Cyveillance.com>
  234. to: "Rich Cummings" <rich@hbgary.com>,"Mike Spohn" <mike@hbgary.com>,"Matthew Anglin" <matthew.anglin@qinetiq-na.com>,"Penny Leavy" <penny@hbgary.com>,"Phil Wallisch" <phil@hbgary.com>
  235. date: Fri, 20 Aug 2010 18:34:39 -0400
  236. x-mailer: Motorola android mail 1.0
  237. thread-topic: Access to HBGary Active Defense server
  238. thread-index: ActAt5EkVWfzKEo6Sm2Uad0jmxANlg==
  239. mime-version: 1.0
  240. subject: RE: Access to HBGary Active Defense server
  241. x-priority: 3
  242. references: <4C6E9CAE.5020503@hbgary.com> <D01A10FBDBD34B4EAA478FD02A6B2A1601EB6184@cwmail.corp.cyveillance.com> <f22b1dee71a6961e5dd6b737cf63711e@mail.gmail.com>
  243. in-reply-to: <f22b1dee71a6961e5dd6b737cf63711e@mail.gmail.com>
  244. content-type: multipart/alternative;boundary="Motorola-A-Mail-ZtgL3w1xlrTP6nSz";charset="utf-8"
  245. Attachments:    This e-mail does not have any attachments.
  246. Please send your IP.
  247.  
  248. Sent via DROID on Verizon Wireless
  249.  
  250. -----Original message-----
  251. From: Rich Cummings <rich@hbgary.com>
  252. To: Chris Glenn <cglenn@cyveillance.com>, Mike Spohn <mike@hbgary.com>, Matthew Anglin <matthew.anglin@qinetiq-na.com>, Penny Leavy <penny@hbgary.com>, Phil Wallisch <phil@hbgary.com>
  253. Sent: Fri, Aug 20, 2010 22:08:14 GMT+00:00
  254. Subject: RE: Access to HBGary Active Defense server
  255.  
  256. Hi Chris,
  257.  
  258.  
  259.  
  260. Sorry to chime in so late but could you please add my IP address to the
  261. approved list too. I need to help the team access some of the files on the
  262. Active Defense server.
  263.  
  264.  
  265.  
  266. Thank you very much,
  267.  
  268.  
  269. Rich Cummings
  270.  
  271. CTO, HBGary
  272.  
  273. 703-999-5012
  274.  
  275.  
  276.  
  277. *From:* Chris Glenn [mailto:cglenn@Cyveillance.com]
  278. *Sent:* Friday, August 20, 2010 11:26 AM
  279. *To:* Michael G. Spohn; Matthew Anglin; Penny Leavy-Hoglund; Phil Wallisch;
  280. Rich Cummings
  281. *Subject:* RE: Access to HBGary Active Defense server
  282.  
  283.  
  284.  
  285. Forwarding up to management for approval.
  286.  
  287.  
  288.  
  289. *From:* Michael G. Spohn [mailto:mike@hbgary.com]
  290. *Sent:* Friday, August 20, 2010 11:18 AM
  291. *To:* Chris Glenn; Matthew Anglin; Penny Leavy-Hoglund; Phil Wallisch; Rich
  292. Cummings
  293. *Subject:* Fwd: Access to HBGary Active Defense server
  294.  
  295.  
  296.  
  297. Chris,
  298.  
  299. See below - Paul is out of the office.
  300. Can you hook us back up to our A/D server via the Internet?
  301.  
  302. IP Addresses:
  303. 68.5.159.254 - Mike Spohn
  304. 96.255.48.178 - Phil Wallisch
  305.  
  306. Thanks,
  307.  
  308. MGS
  309.  
  310. -------- Original Message --------
  311.  
  312. *Subject: *
  313.  
  314. Access to HBGary Active Defense server
  315.  
  316. *Date: *
  317.  
  318. Fri, 20 Aug 2010 08:10:06 -0700
  319.  
  320. *From: *
  321.  
  322. Michael G. Spohn <mike@hbgary.com> <mike@hbgary.com>
  323.  
  324. *To: *
  325.  
  326. Paul Hart <phart@cyveillance.com> <phart@cyveillance.com>, Matthew Anglin
  327. <matthew.anglin@qinetiq-na.com> <matthew.anglin@qinetiq-na.com>, Penny
  328. Leavy-Hoglund <penny@hbgary.com> <penny@hbgary.com>, Phil Wallisch
  329. <phil@hbgary.com> <phil@hbgary.com>, Rich Cummings
  330. <rich@hbgary.com><rich@hbgary.com>
  331.  
  332. Paul,
  333.  
  334. We have been asked to do more analysis on the Active Defense server by Matt
  335. Anglin.
  336. Can you please provide access to the following IP addresses?
  337.  
  338. 68.5.159.254 - Mike Spohn
  339. 96.255.48.178 - Phil Wallisch
  340.  
  341. Matt, as soon as we get access, we will start the additional tasks.
  342.  
  343. MGS
  344.  
  345. --
  346. Michael G. Spohn | Director – Security Services | HBGary, Inc.
  347. Office 916-459-4727 x124 | Mobile 949-370-7769 | Fax 916-481-1460
  348. mike@hbgary.com | www.hbgary.com
