Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

BofA Gets A Burn Notice

leave a comment »

data-deeper

rode bb iqdnpmbia fpn’k ybi lr qektrf?

PARANOIA 

par·a·noi·a

[par-uh-noi-uh]  

noun

1.

Psychiatry. a mental disorder characterized by systematized delusions and the projection of personal
conflicts, which are ascribed to the supposed hostility of others, sometimes progressing to
disturbances of consciousness and aggressive acts believed to be performed in self-defense or as a mission.
2.

baseless or excessive suspicion of the motives of others.
Also, par·a·noe·a  [par-uh-nee-uh]  Show IPA .
Origin: 
1805–15;  < Neo-Latin  < Greek paránoia  madness. See para-, nous, -ia

Paranoia , the Anonymous intelligence division (self described) published a dump of data ostensibly taken from Bank of America and TEK Systems last week. The information presented seems to show that BofA had contracted with TEK to create an ad hoc “Threat Intelligence” unit around the time of the LulzSec debacle. Of course since the compromise of HB Gary Federal and the revelations that BofA had been pitched by them to do some contract work in the disinformation business it only makes sense that BofA would set up a threat intel unit. The information from the HB Gary dumps seemed to allude to the fact that BofA was actively looking to carry out such plans against those they perceived as threats. Anons out there took great umbrage and thus BofA was concerned.

This blog post is being put together to analyze the data dumped by Anonymous and to give some perspective on what BofA may have been up to and to set some things straight on the meanings of the data presented by Paranoia. First off though I would like to just say that I think that generally BofA was being handed lackluster threat intel by a group of people with intelligence background. (for those names located in the dumps their LinkedIN pages showed former mil intel work) This of course is an opinion formed solely from the content that was available online. There may have been much more context in formal reports that may have been generated by the analysts elsewhere that was not open for the taking where Anon found this dump. The daily and monthly reports found in the database showed some analysis but generally gave rough OSINT reports from online chat logs, news reports, and pastebin postings. There seemed to be a general lack of product here and as such I have to wonder if there ever was or if perhaps those reports never made it to the internet accessible server that anonymous downloaded them from.

B of A’s THREAT INTELLIGENCE TEAM

Since the leak of their threat intelligence BofA has been recruiting for a real team it seems. A Google of the parameters show that they have a bunch of openings all over the place for “Threat Assessment” It makes sense since the TEK Systems team may in fact be mostly defunct but also that they likely would want an in house group and not have to pay overhead on consultants to do the work for them. TEK’s crew as well may have been the problem that caused the leak in the first place by placing the data in an accessible area of a web-server or having passed the data to someone who did not take care of it. Either way it looks as though BofA is seeking to create their own intelligence apparatus much as many other corporate entities are today. The big difference though is what exactly is their directive as a group is to be.

One of the problems I have with the Paranoia analysis is that they take it to the conspiratorial level and make it out to be some pseudo CIA like entity. The reality though is that from what has been shown in the documents provided, that this group really was only tasked with OSINT and threat intelligence by passive listening. This is a key difference from disinformation operations and active participation or recruiting of assets. I will cover this in more detail further on in this post so suffice to say that what BofA was doing here was not only mediocre but also not Machiavellian in nature. The argument can be made though that we don’t know the whole picture and I am sure Paranoia and Anonymous are leaning that way. I cannot with what I have seen so far. What I see is an ad hoc group of contractors trying to create an intelligence wing as a defensive maneuver to try and stay ahead of incidents if not deal with them more effectively should they not be able to stop them.

Nothing more.. Nothing less.

Threat Intelligence vs. Analysis and Product

All of this talk though should be based on a good understanding of what intelligence gathering really is. There are many variations on intelligence tasks and in this case what is clearly seen in the emails and documents is that this group was designated as a “Threat Intelligence” collection group. I have written in the past about “Threat Intelligence” and the misnomer many have on the idea that it is some arcane CIA like pursuit. One of the bigger problems overall is perception and reporting where intelligence gathering is concerned. Basically in today’s parlance much of the threat intelligence out there in INFOSEC is more around malware variants, their C&C’s and perhaps who are running them. With the advent of APT actors as well as criminal activity and entities like Anonymous the paradigm of threat intelligence has come full circle back to the old school idea of what it is from the military sphere of operations.

Today’s threat intelligence is not only technical but also human action driven and this makes it even more important to carry out the collection and analysis properly in order to provide your client with the information to make their decisions with. Unfortunately in the case of the data from BofA we see only sketchy outlines of what is being pasted online, what may be being said in IRC sessions, and what is in the news. Nothing overly direct came from any of the data that I saw and as “product” I would not be able to make much of any decisions from what was presented by TEK Systems people. What is really missing within the dump from Paranoia was any kind of finished analysis product tying together the information in a cogent way for the executives at BofA. Did TEK actually carry this type of activity out? Were there actual reports that the execs were reading that would help in understanding the contents of the raw intelligence that was being passed on in emails daily and monthly? I cannot say for sure. What I did see in the reporting (daily threat reports as well as monthly) were some ancillary comments by a few of the analysts but nothing overly structured or productive. I really would like to know if they had more of an apparatus going on here as well as if they plan on creating one again with all of the advertised positions in that Google search above.

Threat Intelligence vs. HUMINT

This brings me to the whole issue of Threat Intel vs. HUMINT. It would seem that Paranoia thinks that there is much more than meets the eye within the dump that makes them intone that there is a HUMINT (Human Intelligence) portion to the BofA program. While there may well be some of that going on it was not evident from any of the documents I looked at within the dump files. HUMINT would imply that there are active participants of the program out there interacting with the targets trying to recruit them or elicit information from them. With that kind of activity comes all of the things one might conjure up in their heads when they think on NOC (Non Operational Cover) officers in the CIA trying to harvest intelligence from sources (assets) in the field. From everything seen that was posted by Paranoia this is not the case.This operation was completely passive and just collecting data that was in public view aka OSINT. (Open Source Intelligence) Could BofA be seeking to interact more with Anon’s and generate more personal data other than that which the Anon’s posted about each other (DOX’ing) sure but there is no evidence of that. Given the revelations with HB Gary though I can see why the Anon’s might be thinking that they are likely taking more robust non passive actions in the background elsewhere though. Overall I just want everyone to understand that it’s not all cloak and dagger here and seems that Paranoia has a flair for the dramatic as a means to get their point across. Or, perhaps they are just living up to their name.

Assessment

My assessment in a nutshell here of the Paranoia BofA Drop is as follows:

  1. Paranoia found some interesting documentation but no smoking gun
  2. TEK systems did a mediocre job at Threat Intelligence with the caveat that I am only working with the documents in plain view today
  3. BofA like any other company today has the right to carry out this type of activity but they need to make sure that it’s done well and that it isn’t leaked like this
  4. If more documents come out showing a more in depth look at the OSINT being collected then perhaps we can change the above findings
  5. BofA needs to classify their data and protect it better on this front
  6. Paranoia needs to not let its name get the best of itself

All the drama aside this was a ho hum really. It was funny seeing all the analysts taking down their LinkedIN pages (really, how sekret squirrel is it to have a LI page saying who you work for doing this kind of work anyway? SECOPS anyone?) I consider those players quite burned and assume they are no longer working on this contract because of it. All you analysts out there named, you are now targets and you are probably learning SECOPS the hard way huh? I guess in the end this will all just be another short chapter in Encyclopedia Dramatica and an object lesson for BofA and maybe TEK Systems.

For everyone else.. It’s just LULZ.

K.

About these ads

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 135 other followers

%d bloggers like this: