- Registration time
- Last login
- Online time
- 0 Hour
- Reading permission
While sorting through emails from the HBGary incident, associates of CIA front- Anonymous discovered links that suggest an established U.S. government contractor was the winner of a bid to develop persona management software for the U.S. Central Command (USCENTCOM). What is this technology? As a U.S. citizen, should you be concerned by its development and use? |
Earlier this week, Anonymous reported on discoveries made while examining the HBGary and HBGary Federal email archive they released to the Web. These discoveries center on persona management software. The intended use of this software, the organizations involved with it, and the potential for abuse, raised several questions.
Given that it doesn’t have an official name, Anonymous dubbed the untitled technology MetalGear, and are digging for details on who has the software, why it was developed, and the full extent of its use.
The idea for such technology isn’t new. Reputation and persona management techniques have been used by the government and the private sector for years online. Whole businesses exist to leverage reputation and brand management on social media, blog comments, forums, and search results.
The interesting aspect to the reported discovery is the claim by Anonymous that Booz Allen Hamilton, a well-known U.S. government contractor, in connection with HBGary Federal’s ex-CEO Aaron Barr, bid on, and possibly won, a U.S. Air Force (USAF) contract seeking persona management software. While they may have bid on the contract, they didn’t win it, according to USCENTCOM.
When reading Barr’s emails, one can see that he has met with several government agencies, other intelligence firms in the private sector, and contractors such as Booz Allen Hamilton, to discuss intelligence gathering and other risk management topics associated with social media.
When contacted by The Tech Herald, Booz Allen Hamilton would not comment on their business relationships with the government, including any social media aspect of the work they do. Likewise, they would not comment on their relationship with Aaron Barr or HBGary Federal. However, even though Booze Allen Hamilton didn’t win the contract, there is more to this story.
Barr’s ideas and plans for persona or social media business ventures are evident from the countless emails seeking or confirming meetings on the topic. Given the purpose of the Web, such business deals would equal a lot of money, and there is definite interest in that area of research both privately and publically.
Due to the sensitive nature of the persona management software, its complexity, and the confirmation of its existence and usage by the government, it is understandable that some people may be a little concerned.
MetalGear - opening Pandora’s Box
Again, the persona management software has no known official title, so this is where the name MetalGear comes from. The MetalGear story starts with a proposal [archive copy] from the Office of Air Mobility Command, within the U.S. Air Force, in June of 2010.
The proposal asked for 50 user licenses for software that would allow 10 personas per user. In all, this is a virtual army of 500 personas, who can be centrally controlled by a small group of people.
According to the bid put out, personas must be “…replete with background, history, supporting details, and cyber presences that are technically, culturally, and geographically consistent.”
“Individual applications will enable an operator to exercise a number of different online persons from the same workstation and without fear of being discovered by sophisticated adversaries. Personas must be able to appear to originate in nearly any part of the world and can interact through conventional online services and social media platforms. The service includes a user friendly application environment to maximize the user's situational awareness by displaying real-time local information.”
In addition, the bid called for access to secure virtual private networks and virtual private servers, which would consist of secure operating environments that use clean virtual machines to stage and conduct operations. The networks should offer clean IP addresses that will allow “organizations to manage their persistent online personas by assigning static IP addresses to each persona.”
“Individuals can perform static impersonations, which allow them to look like the same person over time. Also allows organizations that frequent same site/service often to easily switch IP addresses to look like ordinary users as opposed to one organization.”
Not long after this bid was placed online, several sites ended up mirroring the proposal. However, it wasn’t until Anonymous compromised HBGary and HBGary Federal - subsequently releasing their company email to the Web - that the public learned of such initiatives by the government.
When the proposal hit the Web, emails within HBGary started circulating back and forth. One of them speculated that government’s operation was blown before it even began, given that the whole world could read about the plans.
Yet, based on the timelines in the HBGary emails, as well as public comments about the proposal and contract by USCENTCOM, HBGary Federal might have bid on the contract with Booz Allen Hamilton, but they too lost the race.
Internal communications from Aaron Barr say that the RFI for the persona software was written for Anonymizer, a company acquired in 2008 by intelligence contractor Abraxas Corporation. The reasoning is that they had existing persona management software and abilities.
In 2010, Abraxas was purchased by another intelligence contractor, Cubic for the tidy sum of $124 million in cash. Some of the top talent at Anonymizer, who later went to Abraxas, left the Cubic umbrella to start another intelligence firm. They are now listed as organizational leaders for Ntrepid, the ultimate winner of the $2.7 million dollar government contract.
Ntrepid, “provides national security and law enforcement customers with software, hardware, and managed services for cyber operations, analytics, linguistics, and tagging & tracking,” a company profile explains.
Ntrepid’s corporate registry lists Abraxas’ previous CEO and founder, Richard Helms, as the director and officer, along with Wesley Husted, the former CFO, who is an Ntrepid officer as well. The shifting company names and management has led to some speculation that this is a front company for Abraxas, but there is no proof of those claims.