Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

SEC BURNOUT and The Psychology of Security


Recent Days of Whine and Wiping of Noses:

Recently I have had my sensibilities assaulted by the whining on my Twitter feed coming from soundbites from Source Boston as well as others talking about INFOSEC Burnout and community communication issues. What really grinds my gears is the sense that we are all just helpless mental geniuses that need to learn how to communicate better to do our jobs more effectively as well as the whole “Woe is me no one listens to me” bullshit I keep seeing reverberate across the community. Well I am here to tell you right now to stop blubbering and put on your big girl/boy/transgendered pants and cut it out.

Last week I had a long back and forth with someone who is “studying” INFOSEC burnout and throughout the conversation (yes hard really in 140 chars per yes yes yes I know Beau) I could not get them to nail down exactly how they were “studying” it as well as what would be the efficacy of doing so. What are the ends that justify the means of this study? Was there to be a self help book? Or are you just having a kumbaya “I’m in INFOSEC and no one listens to me!” bitch session at each conference?

At the end of the day people got hissy and I began to think more and more about just how entitled this community thinks they are as well as how smart they “think” they are. So smart that they can’t get past a problem that properly studied would likely give you all some perspective and solace perhaps and this chaps my ass. While some of you out there are being vocally the new INFOSEC Dr. Phils, others just go about their day in the war and do their jobs without whining about it.

Not all of us have INFOSEC Jesus complexes.

The Problem Statement:

So here’s the general feeling I get from what I have seen (yes I went to an infosec burnout presentation) from the community on this whole burnout thing.

  • We can’t win the war and it’s hard to even win battles
  • The job is hard because the adversaries have no rules while we do
  • We are constrained by our managements
  • Our end users are morons
  • We’re the God damned smartest people in the room and no one listens to us!
  • We are just perceived as an obstacle to be bypassed or ignored

I am sure there are other complaints that weigh heavily upon the INFOSEC brow but these are the biggies I trust. Perhaps a real study with a real psychological questionnaire is required to get some analytical data to use for a proper problem statement but to date I have seen none. While I agree we work in a tough field from the perspective of “winning” the day and yes we are looked upon by the masses as an impediment and a cost centre this is not the problem set we need to work on. I propose that this problem set is the most self centered and useless one making the rounds today and smacks of every bad pop psychologist’s wet dream of making it big.

In other words; You are all problem solvers. Solve the god damned problem by studying the root causes and then implement what fixes you can come up with. What you are dealing with is human nature, the mechanics of the human brain, and the psychology that goes along with all of this. Apply that laser like focus you all claim you have out there on the problem set and you will in fact come to some conclusions and perhaps even answers that will make you see the problem in a pragmatic way. Once you do this you can then rationalize all of these problems at the end of day and hopefully get past all this self centered bullshit.

Then again this is a community full of attention seekers and drama llamas so your mileage may vary.

The Psychology of Security:

Once, a long time ago, I found Bruce Schneier relevant. Today I don’t so much think of his mumblings as at all useful however he did write an essay on Psychology and Security that was pretty damn prescient. I suggest you all click on that link and read his one piece on this and then sit back and ponder for a while your careers. What Bruce rightly pointed out is that our brains are wired for “Fight or Flight” on a core level when we lived on the great savannah and that Amygdala (lizard brain) is often at odds with the neocortex, (the logical brain with heuristics) that often times helps us make shortcuts in decision making out of pattern recognition and jumping to conclusions to save the brain cycles on complex data that is always coming at it.

What Bruce and others out there have pointed out is that all of our experiences in security, good and bad, are predicated on the fact that primates at the keyboards are the problem set at the core of the issues. We create the hardware and software that is vulnerable. We are the ones finding and creating vulnerabilities that are exploited by bad people. We are the ones who at a core level cannot comprehend the security values and problems because we are not wired to comprehend them on average due to the way the brain formed and works even today. There are certain problems psychologically and brain wiring wise on the one hand and then there are the social and anthropological issues as well that also play a part in the problem statement. All of these things can and do hinder “security” being something that generally is comprehended and acted upon properly as a society and a species that play into our day to day troubles as INFOSEC workers and we need to understand this.

So, when I hear people decrying that security is hard and that they are burned out because you can’t win or that the client/bosses/those in charge do not listen to you please step back and think about Schneier’s essay. The cognitive issues of comprehending these things is not necessarily the easiest thing to do for the masses. Perhaps YOU are just the Aspergers sufferer who’s wired differently to get it, had you ever considered that?

Security is a complex issue and you INFOSEC worker, hacker, Aspergers sufferer, should look upon all of this as a tantalizing problem to solve. Not to whine about and then turn it on its ear that you need to be more soft, and listen to your clients/bosses to hear their woes. We all have problems kids. It’s just a matter of looking at the root of the issues and coming up with solution statements that work. In the case of the brain and cognition we have our work cut out for us. Perhaps someday someone will come up with a nice framework to help us all manipulate the brain to understand the issues and cognate it all efficiently… Perhaps not. Until then, just take a step back and think about the issues at hand.

A Pragmatic Approach To Your Woes:

So with the problem statement made above what does one have to do to deal with the cognitive problems we face as well as our own feelings of inadequacy in the face of them? The pragmatist would give you the following advice:

  • It is your job to inform your client/bosses of the vulnerabilities and the risks
  • It is your job ONLY to inform them of these things and to recommend solutions
  • Once you have done this it is up to them to make the decisions on what to do or not do and to sign off on the risks
  • Your job is done (except if you are actually making changes to the environment to fix issues)

That’s really all it’s about kids. YOU are a professional who has been hired to be the canary in the coal mine. You can tweet and twitter all you like that the invisible gas is headed your way to kill you all but if the miner doesn’t listen …Well you die. If you want to change this problem statement then you need to understand the problems cognitively, socially, and societally (corporately as well) to manipulate them in your favour at the most. At the least you need to understand them to deal with them and not feel that burnout that everyone seems to be weeping about lately.

Look at it this way, the security issues aren’t going to go away. The fact of the matter is they will only increase as we connect every god damned thing to the “internet of things” so our troubles around protecting ourselves from the digital savannah and that “cyber tiger” *copyright and trademark to me…derp** are not going to diminish. Until such time as the brain re-wires or we as a society come to grips with the complex issues of the technologies we wield today we as security workers will need to just deal with it. Either we learn to manipulate our elephants or we need to get out of the business of INFOSEC and just go hack shit.

Catharsis:

Finally one comes to a cathartic state when you realize that only YOU can fix your problems coping with your work. Sure, people can feel better if they sit around and bitch about their problems but that won’t stop their problems from being problems will it? Look at the issues as a problem statement Mr. or Miss/Mrs security practitioner as a problem to hack. Stop being a whiny bunch of bitches and work it out.

HACK THE GOD DAMNED SYSTEM!

Failing that, come to accept the problems and put yourself in the place where you are just the Oracle at Delphi. You impart your wisdom and say “Your mileage may vary” and be done with it. Until such time as you manipulate the means that you get this across to the company’s management and they make a logical decision based on real risk you just have to accept it. If your place of work has no real risk acceptance process then I suggest you get one put in place or perhaps find a new job. You are not Digital Jesus. You can’t fix everything and you cannot fix those who are broken like Jesus did in healing the blind and making a hell of a lot of fish sandwiches from one tuna can.

Either understand and come up with a way to fix the problem or accept it for what it is and move on.

Stop the whining.

K.

 

Written by Krypt3ia

2014/04/13 at 12:22

New Age INFOSEC


Yesterday’s Source Boston keynote started bubbling up in Twitter like swamp gas releasing soundbites that were reminiscent of new age babble on how we as a community are bad communicators. While I agree that many in the community at large are bad at communicating anything other than self interest (i.e. con deadheads) I would have to say that there are many many more of us with day jobs who can communicate and do.

Often.

The fact of the matter is that if you are a con deadhead then perhaps Justine Aitel is talking to you, which she did coincidentally at a conference! Gross generalities make my eye twitch and so do new age koans about such a complex issue as information security. So I would like to address the snippets that came out yesterday in my usual style of bilious and yet hopefully thought provoking responses.

 


The first slide in the roster actually struck me as something I have been saying for quite a while but in this re-telling it’s much softer. I have been calling bullshit on the con deadheads for a while now but I guess it’s finally getting traction. The truth of the matter is that if you are just speaking at conferences all the time what the fuck are you really doing? You speak to the same crowds and often times of late you present the same god damned things. What is the fucking point?

So yes I agree with you Justine on this but I think you could be more blunt. If all you do is go from con to con partying and giving the same talks then you sir or madam are committing cyber douchery. It’s just that simple.

 


We develop secret knowledge and power? Holy what the fuck does that even mean? If this is the case then we are all collectively Dr. Evil at worst or Blofeld at the best? We also suck at listening because we are evil geniuses? What the fuck does this even mean? Look we are technical people and we speak in technical language which often times seems like magic to the people who do not comprehend the rudiments of technology never mind some of its most complex theory and implementation.

We also suck at listening? Really? All of us? Gross generality much? Look there are two sides to the equation here and sure some of us in the community may not listen well. For that matter we may not listen at all except to our own bass drum of LOOK AT ME! LOOK AT ME! but please, we aren’t the only problem here when it comes to the security problems of today. You are oversimplifying things just a bit in a time when we need more complex and nuanced thought on the matter. The corker here is that all of this is being transmitted by soundbite by Twitter of all things.

#FAIL

 


Uh what? Are you going to tell me that Hitler wasn’t a great communicator? Have you seen those old movies of his speeches? I am in no way saying he was a huggybear but HOLY WTF are you on a roll with generalities and useless new age speech. So once again you see us as great technical masters of the universe and yet we are all portrayed as somewhere on the far end of the spectrum on the DSM-V for Aspergers? Look, we may have great technical abilities in some cases. In others we may be just useless twats. Let’s not put this into axis of evil territory or paint us all with the same inept brush of bad communicators or sufferers of Aspergers here.

 


Oh here we go.. We need to be vulnerable to grow. Thanks Dr. Phil. How about instead we just be more self aware and able to comprehend the social surroundings we are in. Understand the system to work the system. Better yet how about you understand the system and the players to come to the place where you accept that nothing you do really matters unless the people WHO PAY YOU are willing to make changes or LISTEN to you. It has nothing to do with being soft or vulnerable and this kind of shit is just as bad as the polar opposite of “Real men don’t eat quiche”

Twattle.

 


No no no NO. The word CYBER is a mystical amulet that the masses use to infer some vague notion of all things magic and incomprehensible! This is not something we should promote whatsoever. Its perpetuation should stop and you just crossed the Rubicon on this. This really burns me and that this idea was even floated makes my blood boil. You say you want to communicate but you are willing to compromise with the word CYBER instead of using real language to convey the complexities we deal with? Good God this is one of the most idiotic statements I have seen of late!

 


I agree.. Much of society at large has no idea what we do. Do you really want to know why this is true? Have you ever tried to explain to them why it’s important and how it works? Even in small words? You get the glazed eyes and they begin musing on what Kim Kardashian is doing. THEY DON’T CARE TO UNDERSTAND! Still you want to call it CYBER and use general terms in an attempt to dumb it down so they get it? I am saying to you right here and right now that they won’t care and they won’t get it. It’s all fucking CYBER APT CLOUD MAGIC to them all.

 


So as an industry we are too self involved and unable to listen to the people we are tasked with protecting… Hmmm… Ok sure. We are a calamity of derp as an industry that has been riddled with FUD and sales buzzwords. We also have a populace of attention seekers with a real penchant for TNT Dramallama flogging. We wallow in our soup of “Ain’t I cool” and look at me look at me! It’s true. However, that is not the whole community and this is yet another generality that borders on the new age derpy.

I also would say just what is it we need to listen to? Listen to the companies and players who have agendas that make bad choices in the face of being told that they are vulnerable? Listen to the people who say that the work is too hard and that out of hand deny anything you say is relevant or important? Some actually put on a show and say they will fix things or change their ways but really, how many times have we seen that and then seen nothing change? Listening is just fine but the crux of the matter today is that you tell the client what is wrong and then say “You can fix this or you can accept the risk on this”

That’s it.

You don’t need to be a great communicator here or all new age fuzzy because the fact of the matter is that people will make decisions based on their own needs and desires and not the truth. What this community (and the one I speak of are the con deadheads) needs to do is grow up. Spend less time lauding their own ingenuity and grok a bit more on other things in the world. Perhaps there are a mass of Aspergers sufferers at these cons but that is no reason to paint the whole community of security with the same brush. I communicate just fine and I have come to accept the fact that all I can really do is present the information, the risks, and recommendations. It is up to the client to decide whether or not it is in their own interests to do anything about them. I just get them to sign off on the risks of not doing so and my job is done.

Enough of the new age fuckery…

K.

 

Written by Krypt3ia

2014/04/09 at 10:40


ASSESSMENT: The ZunZuneo “Hummingbird” Social Network and The Cuban Spring


Cuban Intranet and Internet Access:

Cuban internet access is minimal and very controlled by the government. There were as of 2011 about 124K addresses listed to the .cu domain on the internet belonging to Cuba and the average ownership of a computer was low. The same was true over cell phone ownership and use compared to other Caribbean countries. The regime’s control over all of the infrastructure pervades to the intranet being primarily a tool for propaganda and a means of control via surveillance on those who could access it.


Internet access though became a feature to the rich in the country or the political (both are the same in reality) and one could buy access to the internet for a hefty price underground. In fact some blogs have shown up over the years on the proper internet after dissidents paid for or obtained access either themselves or by exfiltrating data to outside sympathizers for publication on blogs like WordPress or LiveJournal. Generally, if you wanted a source of outside news you had to either buy access to the internet in the black market, get it on the streets from people with SW radios, or by some other means. This control over the media and technology has perpetuated the control of the Castro regime and allowed his dictatorship to continue.


Cuban Telco:

Cubacel also is a single proprietorship of all cell phone communication (state run) on the island and in fact the ownership of cell phones is one of the lowest as well in the world for penetration of cell phone owners and use. This too means that the Castro government has greater control over what the people can access as well as a single point of surveillance that can be used as a means of control as well. Of course today this is all being said in the age of the NSA tapping just about everything so please take this with a grain of salt and the knowledge of how that makes you feel about surveillance by any government.


I am unsure of the prevalence of cell phones today in Cuba but I am guessing that these statistics are only a little different today due to the controls that the Castro government has in place over its populace as well as the poverty rate of the island itself disallowing general ownership and use. While the numbers may have grown so too might the attitude of the government due to a shift in power from Fidel to Raúl Castro. While the former was a bit more hard line the latter seems to be a little more open to allowing the country to loosen its grip on the people and allow communications with the US. This may also play a part in easing the minds of the people into thinking they could in fact use cell phones and platforms like ZunZuneo to air grievances.

ZunZuneo:

The ZunZuneo platform went live in 2010 and was a “Cuban Twitter” which was text based on the cellular network on the island. It was in fact a program put in place by USAID (likely a covert program run by CIA in reality) and ran until about 2012 and at its end it had about 40 thousand users on the island. The broad idea of the project was to have the Cubans generate their own “buzz” around dissident ideas and allow them a means to text one another outside the controls (ostensibly) of the Castro government’s eyes and ears. This though likely was not a complete success nor was the program a success from the standpoint of mass demonstrations happening either as far as can be seen by any news sources reporting on this.

ZunZuneo was inserted and run by contractors and purported to be a Cuban creation with cleverly hidden funds and controls from USAID/CIA. The program’s aegis was to insert itself, gain a user base, and then to start to send texts to the users to spur political unrest against Raúl and Fidel Castro’s government. In the end the program came to a sudden halt due to finance issues (alleged) but the reality is it never actually got the directive to insert itself as an influence operation. It operated unbeknownst to the users and in reality was a failure because I think USAID and CIA had hoped they would see dissent traffic on its own. It did not and thus perhaps the idea was seen as not feasible and the finances were withdrawn.


Influence Operations:

 


Influence Operations are nothing new and over the years many have been carried out on places like Cuba. With the advent of new technologies like the internet this has become even easier to carry out on average when the populace has easy and free access to the net. In the case of Cuba this is not so much the case like the DPRK. I would say though that Cuba has a much more permeable information border than the DPRK due to its geographical location as well as the current regime’s leanings towards opening up a bit more. Though it is still the case that the current government still holds all the keys to information flow as well as a secret police force that controls the populace who get out of line. So it is no paradise of freedom and beauty.

That the US decided to use USAID to carry out this operation is an interesting choice but in their charter is the mandate to “spread democracy” so while some might question the aegis here and say that this was a rogue operation I don’t necessarily agree with that. One must understand that at least USAID has access to many places under its mission in general of providing humanitarian aid so there is purview there. The question though becomes do we want to taint such an org in the future and deny access to critical areas where people really do need help? This will be the fallout from this in general globally and likely will hurt people in the end. As influence operations go though this was a bit of a flop in the short term however. In the long term though perhaps this may lead an internal company or group to create a new ZunZuneo because the 40 thousand people using it really enjoyed it. If someone were to create a new one and if the populace felt that they could in fact speak their minds freely, then maybe they would rise up.

ANALYSIS:

My analysis of the ZunZuneo operation is that it was a novel idea but lacked oversight. An influence operation that inserted itself as a platform for communication in a place where cell phones and internet access is tightly controlled was a gambit that was bound to fail in my opinion. This was in fact the digital equivalent of releasing balloons with propaganda over the DPRK (which is ongoing today) and does not have a penetration level at which a real traction could occur. It is my belief that the CIA/USAID thought that what they had seen with popular uprisings like the Arab Spring could be effected in Cuba internally by its populace. What they failed to comprehend was the amount of outside help the Arab Spring had from the likes of Anonymous and the general internet to assist them in carrying it out. In the case of the Arab Spring and other incidents the governments attempted to clamp down on communications that they controlled only to be denied absolute control by key players outside allowing access through POTS and other means.

In the ZunZuneo scenario two things did not happen to cause its failure at the end. One was that the populace who had access perhaps did not feel they could speak their minds because everything was on Cubacel to start with. The second was the fact that this program was not a populist movement from the start. You will note that the other “spring” incidents had access to the internet proper not only on twitter but also by other means. These countries already had a populace who had access to external information and were consuming it regularly. The same cannot be said about Cuba in general as I have described it above. The traction just wasn’t there because the people know already that the vehicle that the information operation was to use was already monitored by the government that is oppressing them.

At the end of the day though I have been seeing an easing in the Castro regime since Raúl took over from Fidel and this would I hope, continue as the two of them age into retirement (aka their graves) and the people might have a chance at that point to make a change. Time will tell just how much more Raúl opens things up post this little debacle. However flights in and out of Cuba are more plentiful and there is a flow of monies etc that could be much more beneficial in the long run than any influence operation ever could. My fear though is that the old guard Cubanos in Florida may have had a hand in this as well and there may be more out there in the wings. It could upend the growth that has happened and that would be a shame.

K.

Written by Krypt3ia

2014/04/06 at 12:22

So you want to go to the Darknets huh?


DARKNETS!

I recently asked people on Twitter what they would like to see me write about here for a new post and the majority of people came back with something around the Darknets. So I am bowing to all those calls and I now present to you a post on THE DARKNETS! How to get there, what to see, and how not to get yourself into a shitload of trouble…

Well, I can’t vouch on that last one though…

I suppose though I should back up a bit and explain to some of you out there just what the darknet is. The darknet is actually just a sub-basement of the Internet that is comprised of systems on the regular internet that have a separate gateway to get to them and an infrastructure that is separate from the internet proper. Simply put, the basement analogy is really apropos due to two things. First, the connection to it is rather like taking a creaky and rickety old staircase into a dark basement in an abandoned building. Second is what you find once you are in that dark and creepy basement often times are things you want to never see again yet you cannot un-see.

So take care gentle reader for if you decide to follow me into the dank world of the DARKNETS you may encounter things that you might never recover from. Alternatively you could just laugh and laugh and laugh as you see some of these sites out there offering snake oil and drugs. Hey, maybe you can buy snake oil as a drug! Oh and yeah one more thing. If you decide to go anywhere near the child porn I will personally hunt you down and make you disappear into federal custody.

Just sayin….

Do you know the way to the Darknets?

Do you know the way to the DARKNET? Well obviously if you are looking at this blog post you don’t. That is unless you want a good giggle. Anyway, the darknet can be reached pretty dang easily today and you have a few choices on how to get there as well as varying versions of networks to choose from. The best way though for the casual observer would be to go to the Googles and just type in TOR BROWSER DOWNLOAD


You download the file for your system (one hopes it’s a Linux or UNIX system.. Or maybe even that MAC crap) and then install it. Once installed you RUN it. It’s really that simple. Of course if you are in Linux you unzip, save it to a directory, then run it (run as program not as a txt file thank you very much!) which will start the version of Firefox for you that is already pre-configured to proxy to TOR.

Guess what.. If you have done this then you are able to get to the DARKNETS! Now you just need to find some links like to The Hidden Wiki (the first layer of 7 levels of DARKNET HELL! *waves at Dante*) This site was recently taken control of by the inimitable DOXBIN because of the amount of paedo links that it was allowing to fester. This is just one place where you can get links to the DARKNET sites out there though. You can in fact use the TOR SEARCH or something like that but the best way I have found of late is just to hit up Pastebin.

There you have it.. By doing some simple points and clicks and then using your frontal cortex a bit you too can be on the DARKNETS with the rest of us. Come on in! The water is… Well.. Scummy but it’s at least warm from all the kids peeing in the pool!

TOR vs. i2p:

Now some old timers may tell you that the TOR is full of Feds and that you need to just go straight for i2p for your DARKNET binges. I for one would tell you that this is a falsehood because i2p is FUCKING SLOW AS ALL SHIT. However, it is an option if you aren’t in a hurry to see anything and you want to see different content than what you may map out on the TOR DARKNET.

Another word of warning on the i2p front is that you have to be a bit more savvy than the usual user to make this one work for you and to correctly manage and configure your system because YOU are also a router within the arcology when you get on i2p. You can of course change that and secure the system more so that you aren’t going to be pwned but you have to keep this in mind before you just go download and run it.

Be.

Forewarned.

On the other end of the spectrum you can also go download the full TOR node setup and make yourself a page or you can just use it to access the net in a configuration of your choice (secure one would hope) instead of the pre-configured browser bundle. If you choose to do this just make sure you understand what you are doing and do keep an eye on the versions out there. TOR seems to be a target for security flaw hunting by the likes of the NSA so ya know, you kinda have to be careful if you are out there doing things you perhaps shouldn’t be on an un-secured version.

Personally I use all of the above but as you might have guessed from above, I find the idea of all the caching on i2p to be rather tedious so I don’t go there often. You can in fact find gateways to both DARKNETS if you GOOGLE for them. These are gateways that allow you to enter by using the CLEARNET (i.e. internet) as the gateway with a node handling all the routing for you. I don’t know about their security but let’s put it this way; people can see your traffic in the clearnet so… Yeah…

Abandon hope all ye who enter here…

Ok so now you know how to get the software, what to click and where to get links. Now comes the abandonment of hope. See once you get inside the darknet and you start looking around you realize just how much of it is lame, how much of it is illegal, and how much more of it seems to be rather puerile. I have spent hours, aw hell, let’s say days in there looking around. I have laughed, I have cried, and it changed my life like “Cats” the musical. The gist here is prepare yourself for an experience that may just leave you slumped in your seat saying “Is that it?”

Alternatively you might be able to find new and interesting sites that no one really knows about (if you do please tell me!) such as a nice site on furry on furry cosplay sheise movies. Who really knows what you will find. Take a stroll around and see what you see. Mostly though I think you will find that unless you start messing about with the technology deeply, you will just see the same things everyone else does.

  • Porn
  • More porn
  • Drugs markets
  • chans
  • dropboxes
  • etc.

I for one have begun looking at the intricacies of things like transient sites and covert URL exchanges but that’s just me. You might want to do other things. All of these things though usually are shall we say more exotic in nature to begin with and mostly considered illegal and this is why they are in the DARKNET to start. They think that it’s all anonymous and that you can then not only access the DARKNET but the internet without leaving a digital trail. This of course has been shown to be wrong.

The Arcology:

This brings me to the arcology of the DARKNET and security. There are ways that you can in fact be tracked by wily people who can poison the network with their own nodes or be sniffing their exit data. In one case it has been posited that the whole of the onion router system could be cracked by the use of nodes under the control of a determined adversary.

This is an interesting idea as are all of the others out there on how to de-obfuscate users on the DARKNET. Be aware that the NSA is more than likely working on this if not already there and monitoring traffic. Why aren’t more people being arrested then you ask? Well, then how would they get the really bad guys if they tipped their hand huh? Cracking the DARKNET would be a HUGE thing and a real tipping of the scales were it to get out in the open. Is it happening now? I am not sure but what I am sure of is that they are trying very very hard to make it happen at the very least.

So gentle reader go forth, get the software, secure it as best you can and then wade into the DARKNET! Remember, the water is warm because of all the pee.. And remember too that; “We are the reason we can’t have nice things”

K.

 

Written by Krypt3ia

2014/04/03 at 17:55

Posted in DARKNET

ASSESSMENT: Target Media and Lawsuit Failures


The Target Hack Media Failures:

From the moment that Brian Krebs first put out his story on the Target hack it’s been mostly a feeding frenzy of reporters trying to out-scoop not only Brian but everyone else they could leverage to get a headline. Throughout the whole affair though there has been a lot of speculation on how the hack happened, the timelines and just what if anything Target knew about what was happening to them as it was going on. Since the first report we have come a long way to understanding through confidential sources just how the hack happened but the reality is that there are many things still unsaid about the hack itself with any certainty.

The biggest hole in the whole story to date has been how did the hackers infiltrate into Target in the first place? After looking at data that Brian had shown me and doing my own research on Rescator and the Lampeduza he and I came to some conclusions on how they most likely got into their systems. Primarily the phish on Fazio allowed the attackers to gain access to Target’s booking/payment systems for doing business with their vendors online. It was a supposition on my part that they used an infected Excel sheet, doc file or pdf to gain access to the peripheral system connected to the internet by passing it with the stolen credentials to Target’s online system. Once a user had the file inside they likely opened the document and infected themselves and thus allowed access to the general network. Of course then it becomes simply an issue of locating a machine that sits on the LAN where the servers and the POS can be accessed.

The media generally though has been harping on the idea that since Fazio is an HVAC company that they had access to ICS or PLC units within the Target network as this is all the rage in the news. There never has been any proof of this happening and in fact Fazio has made a statement saying they never had access to the Target HVAC systems remotely as they don’t do that kind of work for them. This however escaped the media in general as well as some Infosec bloggers that I know as well. Now however we have a new twist on this media festival of failure with the advent of the Target lawsuits recently brought out by banks involved with this mess.

The Target Lawsuit Failures:

The Target lawsuit now not only goes after Target Corp itself but also Trustwave, a security company that allegedly carried out the Target PCI-DSS (Payment Card Industry) assessment at or around the same time as the compromise to Target was happening. It was at this time that Trustwave certified that Target was in fact “PCI Compliant” and thus, in the industry’s eyes, secure. Of course this is a misnomer that many in the security field have been venting about for years and the popular euphemism for it is “Check box Security” because in reality it is just a check mark on a form and not a real means of protecting data.


The lawsuit is filled with ill-informed views on what happened to Target as well as how security works and has been roundly regarded in the security community as well as the legal community as a joke. Using dubious sources on cyber security and primarily believing all that the media has written on the subject of the Target breach this lawsuit makes assumptions about the PCI that are common and untenable. One of the more egregious failures in comprehension is that any system of checks and/or regulations would make any system or database secure just by the very fact that you have checked off all the boxes in a list of things to do. This is especially the case with PCI due in large part to the way it is audited and by whom.

PCI-DSS Failures:

One of the real issues that seems to be coming out of the lawsuit and the reporting on it centers on encryption of data. The encryption of data at rest (in a database) or in flight (on the network between systems) is the crux of the issue it seems to the legal team for the litigants in the Target affair but I would like to state here and now that it is a moot one. The idea is that if everything is encrypted end to end then it’s all good. This is not the case though as in the case of this particular attack on Target the BlackPOS malware that was used scraped the RAM of the systems which was not encrypted and usually isn’t. This is a key factor in the case and unfortunately I know that the legal teams here as well as the legal system itself are pretty much clueless on how things work in technology today so this will just sail right over their heads.

Here are the facts in as plain a way as I can get across to you all:

  • BlackPOS infects the system and scrapes the RAM for the card data
  • BlackPOS then copies the data and exfiltrates it to an intermediary server to be sent eventually to the RU
  • The data is not encrypted at this time and thus all talk of encryption of data or databases is moot unless said data came from database servers and not copied from POS terminals
  • Encryption therefore in database or on the fly is a MOOT POINT in this case
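
An added example (not from the original post): because the scraped track data leaves the network unencrypted, as the points above describe, outbound content inspection is one place a defender can still catch it. This sketch scans an egress payload for Track 1/Track 2 structures and confirms candidates with a Luhn check and an expiry sanity check; the sample payload, the host name and all function names are constructed for illustration.

```python
import re

# Track 2 (ISO/IEC 7813): [;] PAN = YYMM service-code discretionary [?]
TRACK2 = re.compile(rb"(?<!\d)(\d{13,19})=(\d{2})(\d{2})(\d{3})")
# Track 1, format B: [%] B PAN ^ NAME ^ YYMM service-code discretionary [?]
TRACK1 = re.compile(rb"B(\d{13,19})\^[^^\r\n]{2,26}\^(\d{2})(\d{2})(\d{3})")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so alerts never store a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_payload(data: bytes) -> list:
    """Find plaintext magnetic-stripe track data in an outbound payload.

    A candidate is reported only if it has track structure, a plausible
    expiry month and a Luhn-valid PAN, which removes most false positives
    from order numbers and other long digit runs.
    """
    findings = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(data):
            pan = m.group(1).decode("ascii")
            month = int(m.group(3))
            if not 1 <= month <= 12:
                continue
            if not luhn_ok(pan):
                continue
            findings.append(
                {"kind": kind, "offset": m.start(), "pan": mask_pan(pan)}
            )
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample: an outbound upload containing plaintext track data
# (industry test PAN 4111111111111111), plus two look-alikes that must be
# rejected: one fails Luhn, one has an impossible expiry month.
SAMPLE_EGRESS = (
    b"POST /upload HTTP/1.1\r\nHost: intermediary.example\r\n\r\n"
    b"%B4111111111111111^DOE/JANE^25121010000000000?\n"
    b";4111111111111111=25121010000000000000?\n"
    b"ref 4111111111111112=2512101\n"
    b"id 4111111111111111=2513101\n"
)

if __name__ == "__main__":
    for finding in scan_payload(SAMPLE_EGRESS):
        print(finding)
```
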

There you have it. It’s a pile of fail all the way round and the media and the law are perpetuating half-truths and misconceptions on how things really work in the digital world. There are many issues with PCI-DSS, and the encryption issue that is cited in the lawsuit and the Wired piece linked above is just silly because the writers and the lawyers haven’t a clue. While PCI needs to die a quick death in favor of something better, it is not the only reason nor the primary one that the attack on Target worked. There are of course many other reasons due to inaction that have been brought forth recently that do paint quite another picture of ineptitude that are the real culprits here.

Analysis:

Overall the analysis here is that there are many to be blamed for this hack and not all of them are the adversaries that carried it off. The fallout now with the lawsuits and the press coverage of the debacle has only amplified the failures and is making things worse for some and better for others. We have seen an uptick already in finger pointing as well as sales calls laden with snake oil on how their products could have stopped Rescator cold. The fact of the matter is FireEye and Symantec both tried but the end users failed to allow it to act as well as heed their warnings. Of course one also should look at this and see that even if the tools had been heeded it may not have stopped the attack anyway without a full IR into what was going on.

The people who are any good in this business of security live every day with the assumption that their network is already compromised. This is a truism that we all should take to heart as well as the knowledge that we cannot stop every attack that is carried out against us. We can’t win every battle and we may never win the war but we have to try. Target’s failures will hurt for some time within the company as well as to those who were working there at the time. I have no doubts that heads rolled and perhaps that was necessary. It is also entirely possible that people did try to stop this event but were told not to do something because it might affect their production environment. Of course this is all speculative but you people out there reading this from this business know what I am talking about. It’s a universal thing to be shackled in your battle to secure the network because it affects the bottom line.

What I would like you all to take away here though is that PCI is not the only reason for this hack and certainly it isn’t because Target was not encrypting their traffic or their databases. This is just a ridiculous argument to be having. Just as ridiculous as it is to have the cognitive dissonance to believe that checking a box in an audit makes anything more secure.

K.

Written by Krypt3ia

2014/03/28 at 20:50

Posted in FAIL, Target

Ninja, Samurai, Shogun, and Ronin


Preface:

I cannot count the number of times that someone has called this or that person a “Ninja” in the INFOSEC/Red Team community that we all inhabit. One cannot go to a hacker conference without seeing Ninja imagery in the artwork surrounding the business of digital security today and this allusion to the Ninja has been problematic for me for some time. I think my feelings on this are akin to the feelings of some who grind their teeth on hearing about another presentation on security that contains Sun Tzu quotes from the Art of War. Recently though I have had some insights due to some reading as well as a series of incidents involving the Target story that got me thinking. My conclusion is this; “If we are going to use the imagery and call ourselves Ninja then we had better also look at the Samurai who defend their domains and their Shogun as well as the odd Ronin out there we run into”

To this end I am writing this post on the parallels today for those who wish to consider themselves Ninja as well as perhaps reach those defenders or “blue team” folks to understand the landscape here from a historical perspective as well as a tactical one. Given the nature of the threats today and the increasing use of unconventional warfare tactics in everyday compromises it is my opinion that we all must be much more versed with warfare as well as espionage in order to deal with the everyday job of compromising a network as well as defending it. This too also follows through to the idea that you must be able to deal with your particular “Shogun” and take their orders as well as advise them on the battles that you are waging.

So, if you want to consider yourself a Ninja Mr. pen-test red team-er then so shall I consider myself a Samurai. However, I will understand their meanings in the context of history, not Hollywood, and apply their traditions and capabilities to today’s battle on my Shogun’s network.

Ninja History:

The history of the Ninja is shrouded in mystery for many but the truth of the matter is that they were primarily two clans from Iga and Koga during the 14th century that are the wellspring of the story of Ninja. These were mountain ascetics at first and then commoner families or clans who passed down their teachings within the family for security’s sake. These Ninja were not bound by the Bushido as completely as the Samurai were but did have their core ideals emanate from the same code. The Ninja were specialists in unconventional warfare using common tools as weapons but their primary aegis was to not have to fight in the first place. A Ninja you see was in fact a spy more than anything else and their first tool in their arsenal was stealth. The use of disguises and psychological warfare were the first tenets outside of a command of their bodies as weapons and this made them a force to be dealt with that the Samurai often failed to do well.

The reason that the Samurai often failed to win against a Ninja was that the Samurai’s main goals were to die in battle honourably and to use no artifice in battle. The Ninja on the other hand used trickery and deception as their primary tools and this extended to individual fighting between the two which often times was not on a field of battle but instead at a gate to the castle or elsewhere where they were not prepared to fight. This is of course if the Ninja was forced into a battle in the first place. As one master put it; “The best ninja has no smell, leaves no name, and makes everybody wonder whether he existed.” so the first priority was never to be seen at all.

For more on Ninja go HERE

INFOSEC Ninja:

Given the quick primer above we then have to look at the dialectic today when these people are calling themselves Ninjas in our community. If we are to consider a Ninja then to be a warrior or adversary who uses unconventional warfare tactics and espionage techniques in the digital sphere many within the Red Teaming and Pen-Testing field “might” qualify. One has to ask though just how many of these red teams are using unconventional tactics like 0day to carry out their attacks as well as recruiting spies or physically infiltrating targets. This all depends on whether or not you are in fact allowed to take the gloves off and actually do things that an actual adversary would do. All too often I have seen penetration tests that would be called red teaming that had very limited scopes and ground rules that no self respecting Ninja would allow or abide by. So is this really a Ninja? One who follows the rules of engagement set forth by the target? Are they in fact then more of a Ronin or Samurai posing as a Ninja performing their task?

What I am trying to get at here is this;

  • Does following the rules of engagement on an assessment allow you to be called a Ninja?
  • Did you get in and get out without being seen or heard?
  • Did you use unconventional means or did you just use Metasploit?

Many guys out there I know personally are doing great work and I would call them Ninjas if it weren’t for my dislike of the whole hype and silliness around this imagery personified by Hollywood and now the INFOSEC community without the benefit of real historical context or understanding. As I mentioned above though increasingly this field of information security both aggressive and defensive is becoming more and more a pawn in a greater geopolitical game as well as field of battle and we need to catch up. The points I made just a bit ago about just how you carried out your penetration tests come to bear here with adversaries like China and others who have no rules of engagement. They use whatever they can to get in and take the data they want and no amount of compliance like PCI will stop them or the common carder like Rescator and his crew. Unless we as a community can get it across to our Shoguns (aka corporate America) that there are no rules we will then always see more Target breaches because they only followed the rules of PCI compliance and did no more.

EDIT:

I have been thinking about this post after watching an episode of TMNT (yes I watch Nick) and how the story line is including April O’Neil as a Kunoichi. A Kunoichi is a female ninja and they were also commonplace before the comic book world got their hands on the idea. Of course today you think Kunoichi and you may see something like “Shi” in your head. This was not necessarily the case but indeed there were female Ninja and they were often times inserted into situations like Anna Chapman was as an illegal and a honeytrap but they were exceedingly skilled in the same techniques as the men and equals if not more efficient.

Today there are many women Ninja in our business and it was an oversight on my part not to mention this designation. I am correcting this now though. I would like to however make the distinction that today’s Kunoichi is not just a pretty girl but there are many highly technical women in this business that can hack and to not acknowledge this is a disservice. This designation is not to separate the sexes and skills but to be inclusive where I had been remiss before in not thinking about including the term.

INFOSEC Samurai:

The opposite side of the coin for this argument is that the Blue Team side is in fact the hapless Samurai. Why are they the Samurai? Well, take a look at your average defender and you will see the similarities. The primary thing though is that the Blue Team is bound by the rules of the system in place or the Shogun they report to. In the case of corporate America your Shogun is your CSO/CISO/CIO and your Emperor is of course the CEO. The blue team cannot go outside the confines of the rules set forth by the Shogun and the Emperor no matter how much you try and all too often it seems that the C level execs are hard to reach and consider the blue team more of a check box than anything else in today’s culture. Thus I add the title of “Hapless” to the Samurai because no matter how good the Samurai is he is always defined by the Bushido of the lord he or she works for.

In a battle against the Ninja (i.e. APT/Criminals/Mal-Actors) who use the tactics of unconventional warfare there is little that can be done by the Hapless Samurai who wears the shackles of corporate Bushido rules. How many of you out there have been hamstrung by policy or lack thereof in trying to address the unconventional war that is being waged today on all our networks by various actors? Again what I am trying to say is this;

  • How many times have you been told you cannot get a tool for prevention/detection because it costs too much and there is no budget?
  • How many times have you attempted to get the word out on security and awareness let’s say only to get a half-hearted response or no response at all?
  • How many times have you laid out the risks to your Shogun and been told that they would not fix the issues due to time/money/business continuity issues?

There are a host of questions I could ask but you get the gist here right? YOU are at the feet of your Shogun and your corporate emperor and you have little to no say in the direction of things. All you can do though is serve and serve with honor no matter the cost. Oh, and yeah, usually when the compromise happens who gets the blame and then is shuffled off to the unemployment line? Hey, at least it’s just that instead of being told to commit Seppuku right? Remember that you are the Infosec Samurai and learn to live with this because if you cannot, you will be very unhappy and your every day will be filled with angst and misery. If you take a real look at the Bushido code though or the Hagakure perhaps you can find meaning.

INFOSEC Shogun:

The Infosec Shogun is in fact the CSO or CISO in today’s corporate structure. These are the lords who, like the Shogun generals, should be marshaling the troops and fighting the overall tactical battles. My experience to date has been that far too few of these Shoguns had actual viable experience to be the Shogun and more often than not got their jobs by the fickle flying finger of fate. Of course this is changing now in more places but I would hasten to point you at the Target affair to show you otherwise. Given the information that has come out of Target so far there was no CISO or CSO Shogun but instead a CIO who had no real IT background to begin with. Unfortunately all too often this is the case with the CSO as well. What good is a general (Shogun/CSO/CISO) who has no experience in battle? How can one expect to win any battle with someone at the army’s head who has no idea what the conventions are, never mind the tactics to fight it?

Alternatively you may have a Shogun who does have experience and can give you direction as well as take counsel to fight the war but they too may be hamstrung by their emperor who holds them back. The idea here is that like it or not, whether you are literally in ancient Japan or the corporate boardroom today you are always reporting to someone and taking their orders. This is the key here, that while the Ninja may have basic orders they also were given greater purview on tactics and mission parameters and we, the hapless Samurai are not. We are governed by our corporate masters and to go outside the rules is to be let go. Remember this Blue Team Samurai as you prosecute your daily battles against the adversary who laughs at rules.

INFOSEC Ronin:

The last designation I would have you consider is the Infosec Ronin. The Ronin are master-less Samurai who often became more Ninja than anything else historically. Some of these Ronin were in reality still Samurai but using the tactics of the Ninja to win the day for their Shogun but this was not the norm. In today’s world I would consider the consultant to be a Ronin. A consultant goes from job to job and does the bidding of the master of the day and in fact may have the latitude to tell the master that they are wrong. A Ronin may in fact operate as a Ninja primarily because they have no set master and this is rather liberating.

For the sake of this argument I am going to just say that the Ronin, one who is established can walk away from any contract if they are unhappy with the responses from their “master Shogun” and move on. This is the key to perhaps actually being an effective Samurai in some cases. It really does depend though on the master who has hired you to perform a job. I personally have walked away from clients because after the first pass of a final report they had decided that certain things were not worth remediating. If I feel that the client is only going to perform “check box” security then I am no longer willing to help them if I am in fact a Ronin. I know that some will say that this is just stupid and you will not make your pay day but I personally would rather be benefiting the security of a place than just giving it lip service wouldn’t you? Of course not many of us out there are in the position to do this and I will admit that my consulting is a side business to my main income so for me it is a bit of a luxury having this code of ethics. The Ronin though has a place at the information security table specifically next to the Ninja because they are not bound solidly by the rules of the emperor at that particular shogunate.

Unconventional Warfare & INFOSEC:

Finally I would like to cover the idea of Unconventional Warfare and the state of INFOSEC today. As I have made statements about above, we are now in a place where information is power and all warfare with it is allowed. The advent of APT (Advanced Persistent Threats) and nation state actors has changed the paradigm of Information Security forever as much as networking has. We have seen the advent of many kinds of laws and rules being put in place to stop bad actors as well as force corporations to at least adhere to a modicum of security practices to protect their clients. Many of these, such as HIPAA or PCI-DSS have come out of Washington as toothless cudgels that corporations can just speak to as talking points and skate on actual practices. Alternatively many of these rules have little to no comprehension of actual technological issues nor address unconventional warfare tactics that are being used to attack systems and companies to steal data. On the whole nothing to date out there really will make a difference against a determined adversary and that knowledge needs to be common. Instead though it seems to be arcane and mysterious to many in power.

Until such time as ideas like Defense in Depth are more common and we have Shoguns and emperors who understand not only how their business runs but their threatscape we will be doomed to failure. Of course one might also hasten to add that even with the best of the best we will always lose a battle or two and this is quite correct. The key though is to attempt to win the war itself and leave the battles to the day to day. Accept those we lose and learn from them to hopefully win the overall war later on. Unfortunately too many of the people that we the Samurai deal with are not at all aware and in many cases do not seem to care to understand the issues until they have been burned and burned badly (like Target)…

We, the Samurai face the battle today that no one has faced before. The threatscape is ever changing at the speed of light and the adversaries are many. Prepare for your daily battles knowing who you are and where you sit in the hierarchy. If you decide you want to be a Ninja understand that you too may be bound by the rules of the Shogun as your retainer. I want you all to think about the names we give ourselves and the perceptions we want others to have of us but most of all I want us all to be enlightened about our fight and who we are. Today it’s just a given that you must consider your networks are already compromised and that Ninja is in there stealthily stealing data and it more than likely isn’t one that you may be paying to test your security.

K.

Written by Krypt3ia

2014/03/26 at 17:41

Posted in Ninja

ASSESSMENT: INSPIRE 12 “Shattered”


Inspire 12 Shattered:

Inspire issue 12 was dropped on Alplatform Friday night and this issue is somewhat different from past issues due to changes in staff and a change in thought probably brought on by the attrition that has occurred. It is also of note that this issue is ostensibly just put out by AQAP and makes no mention of Al Malahem which may show some of the fractions in the AQ umbrella as well as security issues that may have happened online in the recent past. Of course AQAP was the progenitor of the magazine but it was also a group effort for some time and that seems to have changed with the isolation of groups in part due to the death of OBL and the pedantic leadership of Ayman. This issue seeks to reach the “lone wolf” audience and broach the field of operations in the West as opposed to the Ummah in the lands which has been the standard of this magazine nearly from the beginning.

It has been some time since the last issue was released and I am assuming this was because of the attrition I spoke about before. Indeed there seems to be little input from Abu Al Amrici in this issue and there are new guest writers as well as a scope creep into other areas of concern such as North Africa which was a bit of a surprise but as you look at the bigger picture of the magazine that makes sense as the publishers are trying to change the scope to cover more areas of jihad outside the lands of the Ummah such as the EU and now Africa. Covering such things as an article on the bombings in Kenya by Al Shabaab and even having a Harakat (Shabab Youth Brigade) guest writer. Overall, there are some subtle changes within this issue that analysts should take note of that bespeak a change in thought to a more global approach.

Contents Overview:


Changes From Previous Issues:

The biggest change in Inspire other than a change in staff and writers was the subtle tone from a more Koran centric and pedantic messaging to a more political and Western thought driven methodology. Through the course of the magazine the writers have been coming to grips with trying to motivate the Westerner to action while doing so with the call of jihad through the Koran and their particular spin on it. Over time I believe they have come to realize that to reach the Western audience that may be enamoured but unwilling to act solely on the Koranic call to jihad they have to reason with them in a more Western manner. In this issue there is a much more political and economic spin that attempts to spark a response in a Westerner against the actions of America in particular. The authors have seized upon the times (i.e. Snowden releases, war weariness, and economic climate issues) to try and sway the reader into action.

The layout of the magazine is just as slick as before (because the authors have used the 2011 PDF frame used in the past from the metadata in the file) and the progression of the magazine’s dialectic is as follows:

  1. The state of the jihad (Koranic)
  2. The deen of jihad (Koranic)
  3. Interview/Questions on the reasoning of actions within Jihad with Anwar Al-Awlaki (Koranic)
  4. Samir Khan on the politics of Palestine and the Jihad (Political)
  5. City Wolves “call to action” (Political)
  6. Tawheed/Choosing AQ (Doctrine/Koranic)
  7. Experience of Jihad (Koranic and Romanticism thereof)
  8. Q&A with President Obama: Q&A carried out by snippets of press conferences (Political)
  9. The Sister’s corner: Mujahidah wives’ exhortations by Umm Yahya (Koranic)
  10. Shattered: the political and economic bankruptcy of America and the West (Political)
  11. Open Source Jihad (IEDs)


This shows more of a creep away from the hard edged issues in the past that focused on the “duty” of the Ummah via the Koran to a more balanced logical/rhetorical argument basis for Jihad with softened approaches more palatable to the Westerner. The issues of the day make their appearances covering not only drone strikes and the pullout from Afghanistan (2014 maybe?) but also the surveillance state that has been revealed by the Snowden releases. This magazine talks about the Snowden files indirectly but also shows that they have taken heed by removing the Q&A section via email “due to security reasons” which obviously is due to the Snowden revelations.


For the most part this issue shows a direction change that is more subtle but perceptible if you look at the entirety of the issues from 1 to 12. The changes to the organization through attrition slowed them down but it also perhaps gave them new blood and pause to determine just how they could attract the Westerner better. Mentions of Faisal Shahzad as well as Dzhokhar and Tamerlan make it into the issue as well as add targeting ideas that will be explored below in the next sections. This of course is the more troubling thing about this issue with more of a focus on targeting and timing for attacks. Generally though this issue once again follows the basic formula to engage the would-be “Lone Wolf” and exhort them to action. The main difference being that the tenor is less strident and more engaging and this is the primary difference.

Open Source Jihad: Car IEDs

One of the more troubling points of this issue however is an expansion on a theme. I had heard pundits in the past ask why AQ and others had not used the idea of car bombs here in the US more often. Well, now they are advocating this with a type of bomb that actually failed in Times Square by Faisal Shazad. The Open Source Jihad section this go around focused solely on car bombs. In this case it was focused solely on the use of gas canisters and oxidization. I am not showing the how to’s but suffice to say that they have a basic design that Shazad used but with some changes to make it more effective. The authors also revised their operations manual to offer the lone wolf the choice of martyrdom or remote/timed detonation systems. With these plans a would be wolf could do some serious damage were they to carry out their plan with a working IED in a car or, more to the point as they show in their final image of the magazine, a panel van.


TARGETING:

The most problematic part of the open source jihad section was a new feature called “Targeting” which needs no preamble. In this case the targeting is very directed and shows some thought post the bombings of the Boston Marathon. The authors are laying the groundwork for the wolves to be methodical about their target choices. In this case they have a focus on NY as always and Washington but also mandate that the UK has specific targets and times that are propitious for attacks to create the maximum kill ratios and fear factors. This is a significant change and what has me more worried is the whole package here. You have your device which is fairly easy to create with materials on hand (especially as summer approaches BBQ) and then you have directed targeting and times with which to carry out your action. The targeting also gives the wolf things to look for such as the usual congregating events but hints at specific events upcoming this spring and summer as well.


ANALYSIS:

The final analysis on this issue of Inspire is that the changes in staff have also garnered a change in tone and approach to radicalizing the lone wolves into action. These changes are showing how they are learning to approach the Westerner to incite action and given the climate today there may be more people who are moved toward this line of thinking. Though I would hasten to add that the mental status of the individuals who wish to be lone wolves plays a key role in their movement from just ideating on such actions to actually putting them into practice. In the case of the Boston bombers they both came from a region that was fraught with issues and both had issues stemming from broken home lives and a desire to feel they belonged somewhere. This and other factors make it possible that some other deranged and motivated individual of the Western persuasion will act out upon these orders by AQAP.

If anything, though, this publication is sure to get a reaction from the government, and security around events throughout the world will be tightened even more than it might have been after the marathon bombing. In this instance the IEDs are specifically designed for carnage to bystanders and not for demolition of buildings. This is, I assume, to generate the maximum amount of fear from an attack, but also because larger and more powerful bombs are more complex and failure is more likely from the lone wolf set. I can imagine, though, that the AQAP set may in the future attempt to engage the wolves to come to the lands of the Ummah and train for those more complex missions in places like Syria or perhaps in Afghanistan after the US pullout. Time will tell, though, and I am sure we will be seeing another issue of Inspire for summer soon enough.

K

Written by Krypt3ia

2014/03/16 at 11:39
