Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Author Archive

This Ain’t Cowboy BeBop Ya Know…



BITCOIN JESUS

Last week I read a story in Wired about the Bitcoin Jesus Roger Ver’s tribulations and his response to hacking and bitcoin theft. It seems that Roger’s old email account at Hotmail got pwn3d and the attacker then stole some of his bitcoins. Roger corresponded with the miscreant online and tried to get his bitcoins back, but to no avail. It seems that this ersatz hacker is quite the sociopath at heart.

Anyway, Roger got mad, as all Jesuses will do in front of the money lenders or the golden calf, and decided to go find and punish these hackers on his own. He invented his own bounty program! Yes, you heard that right kids. Roger is offering about 20K in bitcoins for information that leads to the arrest and prosecution of the hacker that took his bitcoins. He has had just about enough! So to the nets he went and began posting his wanted posters online for a few cases. In his own case though he has a particular foe, and he is offering some information about him to start all you cowboys off with.


Savaged is one of the alleged identities that Roger has had contact with and believes to be involved in his coin-napping case, as well as perhaps the Satoshi Nakamoto email hack. Savaged was the one talking to Roger, as you can see in the pastebin conversation on Skype linked above, so I went with this one to look into a bit more closely. I know what you are thinking after that last statement.. You’re thinking I am fancying myself a cowboy, right? Well, hey, 20k is nothing to sneeze at, but no, I am not in the end, and I will explain why further down in this post.

BOUNTY HEADS


So Roger had a conversation with someone calling themselves “Savaged”. It turns out that once you start the Google and Maltego Fu on this cat you start to see a pattern, and it is one I have seen before. See, Savaged is one of those Xbox gamer derpheads who started life teabagging his enemies in gameplay and then decided to move on to petty acts of pseudo hacking. What I mean by pseudo hacking is that they start by jacking someone’s game IDs through social engineering or password guessing. Once they have had their fill of that they move on to breaking into email accts like Hotmail.

If you ever get the chance to review all of these gameheads’ chats online, don’t. Save yourselves, because insanity will ensue after reading the completely grammatically incorrect and incoherent drivel out of these teens. It really causes brain damage and I had to stop myself after about half an hour of looking. The upshot though is that in these conversations you get to peek into the semi-private lives of teens on the internets. Part bravado, part ineptitude, and all Lord of the Flies. I just have to ask myself, where are these kids’ parents?

Anyway, you can see lots and lots of their messing about in the following links:

Conversations and Histories:

http://www.wiztracker.net/en/videos/view/X8sDCcOXVVk

http://webcache.googleusercontent.com/search?q=cache:nKfvNVZGzXUJ:www.xboxgamertag.com/search/Savaged/+&cd=1&hl=en&ct=clnk&gl=us&client=firefox-a

http://wilsons.com/dox.txt <—- NOTE: Derpy here is messing around and knows FAMEDGOD ya know, of the SONY DOS and Lizard crew fame? Yeah.. Derpy.

Alleged DOX:

http://pastebin.de/125559

http://pastebin.ru/201cAY9S

http://www.leakedin.com/tag/us-ssn/page/10/

http://pastebin.com/azbgWvBU

GAMERZ, JACKERZ, AND DERPHEADS

Finished hitting your head against the desk yet?…

So here’s my thing with these skidz.. They are an annoyance and not much more. Sure, someone jacked Roger’s accts and then stole his bitcoins, but it’s also kinda Roger’s fault for not securing those accts, right? I mean 2FA now is easier to get, but then again if it was a vuln in the validation process for lost passwords etc, well, that’s Hotmail’s fault no matter what Apple says about the iCloud hack, right? *poke poke*

The upshot is that all these kids are just unmanageable fucktards who get away with all kinds of shit because they are “youthful offenders” and the cops are usually 5 steps behind the times in how the internets work. After dealing with them in the past and looking at this crew here I can give you a basic rundown of how they operate:

They do anything they want because they can, mostly because they exhibit sociopathic behavior due to Disinhibition Syndrome.

These kids are just pathological most of the time, and it seems, as Joseph Campbell pointed out many years ago, that we lack rites of passage that have meaning anymore, and today’s parents seem to be disengaged as well. Of course I am no Cyber Psychiatrist *snerk* The reality though is that you can approach these kids reasonably and still get bitten, kinda like Roger does in that conversation linked above.

Until such time as the cops and the law catch up with the crimes being committed by these kids (SWAT-ing, jacking, petty online thefts) and put a stop to it they will just continue on and eventually move on to other more onerous crimes down the line as they get older and more tech savvy. This is my sad assessment of it all and for this and other reasons I will outline below I have decided to not be a Cowboy and try to collect a bounty on these bounty heads.

SEE YOU SPACE COWBOY

Roger, buddy, pal, give up on this pipe dream of bounties and maybe go for a letter of marque instead. You are relying on cops who may not care, and unless these crimes are federal you aren’t going to get much play from the law. Even if I or others were able to cobble together enough information to warrant a warrant for the FBI, I seriously doubt they would move on anything, and here’s why.

  • Attribution is hard
  • Proof is hard to get unless you seize their systems and PROVE hands on terminals
  • DOX just won’t cut it and that is about all you will have with cowboys out there… Well, unless they hack these guys, and then you have a whole taint issue…

No Roger, I think if you really want action you are much better off going to the darknets and hiring yourself a leg breaker. Well, in this case really just a hand breaker. If you were to get the dox and feel assured that your target was in fact your target then just have their hands broken. No hands to type, no hacky hacky your shit right? I know some of you out there are like

“ERMEGERD! WHAT IS HE ADVOCATING!”

Well, it’s the truth right? I mean these little shits won’t learn unless they are either incarcerated in jail, in a mental facility, or maybe, just maybe, sitting in front of a keyboard with broken hands and wrists because they done fucked up. Now am I really saying that you, Roger, should hire some mechanic to whack these kids? Well, no, that would be bad of me. However, I think my point comes across pretty well in the farcical scenario, right?

YOU AND YOUR BOUNTY PROGRAM WILL NOT WORK ROGER SO PLEASE LICK YOUR WOUNDS, SECURE YOUR SHIT, AND MOVE ON.

Simple enough?

K.

Written by Krypt3ia

2014/09/20 at 15:05

Digital Jihad: The Great Irhabi Cyber War That Won’t Be.


Islamic State militants are planning the creation of a ‘cyber caliphate’ protected by their own encryption software – from behind which they will launch massive hacking attacks on the U.S. and the West.

Both Islamic State and Al Qaeda claim to be actively recruiting skilled hackers in a bid to create a team of jihadist computer experts capable of causing devastating cyber disruptions to Western institutions.

They are now boasting it is only a matter of time before their plan becomes a reality.

~Daily Mail UK

The Great Cyber Jihad

Since Junaid Hussain escaped over the border to the new lands of jihad (aka Syria) he has been vocal on Twitter, showing off his great cyber manhood in classic irhabi bloviating online. That Junaid made some inroads by hacking into the prime minister’s email address at Gmail only lends him dubious credit for his hacking skills in the eyes of anyone involved in the security field. This however is not how the great unwashed within the media and certain quarters of the government and the military seem to perceive the threat posed by Junaid today, now that he is an ISIL irhabi.


The text quoted above came from just one of the spate of recent reports on the great “Cyber Jihad” that is being touted to come from the likes of Junaid and ISIS/L as they attempt to expand their reach from the Middle East globally. This particular commentary makes the bile rise within my gut on so many levels. But that kind of pales in comparison to the one right below…

“We’re in a pre-9/11 moment with cyber,” John Carlin, assistant attorney in charge of the Justice Department’s National Security Division, warned at a July conference in Aspen. “It’s clear that the terrorists want to use cyber-enabled means to cause the maximum amount of destruction as they can to our infrastructure.” 

~Fox

PRE-9/11 OMG!!! Look you fuckwit if that were the case then China would have already put us out of our misery really. For that matter some half assed pot sodden kid who happened to hack into our grid would have taken us down years ago. There is just no need for this posturing and certainly above all coming from someone without a clue in their head about how things really work in the world of computer security. This kind of scare tactic aimed at getting people to respond in fear to allow for the government to do anything in the name of protecting us is vile.

Meanwhile you have other players such as the one below making statements of “ALL OUT CYBER WAR” while commenting on Anonymous’ operation against ISIS. I laughed and I laughed and I laughed until I just wanted to cry at the sheer stupidity of it all. Look, Anonymous can’t get their shit together enough to be both leaderless and effective, so really, how much of an “ALL OUT CYBER WAR” can there be, huh? Do you even know what a cyber war really means? Cyber warfare is both digital and kinetic in its purest form, and what kinetics did Anonymous really carry out in this operation to DoS ISIS offline?

Lemme give you a clue… None.

“Anonymous announced late last week a full scale cyber war against the Islamic State (Operation Ice ISIS), intended to attack ISIS supporters using social media for propaganda purposes”

~Fortuna’s Corner

So aside from the bloviating and the scare tactics coming out of ISIS itself we also have our responses from the government and the media with all their so called experts on cyber war and jihad. There is a lot of wankery going on here but finally this guy makes a little sense in the middle of his post on this mess…

ISIS’s main effort to date in cyberspace has focused on psychological warfare by generating fear through flooding the internet with video clips portraying the brutal acts of beheading and mass executions, as well as victory parades, as part of developing deterrence and creating an illusion of force in excess of the organization’s actual strength. The essence of its online activity, however, is broader. It enables its supporters to obtain operational information, including training in preparing explosives and car bombs, and religious rulings legitimizing massacres in regions under ISIS control. In tandem, it distributes indoctrination materials, such as a magazine called Dabiq: The Return of Khilafah, which focuses mainly on topics relating to formation of the new Islamic state headed by ISIS leader Abu Bakr al-Baghdadi. However, ISIS’s technological expertise is not the only factor. Perhaps the public, which is revolted by the organization’s deeds but closely follows these clips and photos as a kind of reality show, is contributing a great deal to the organization’s popularity.

~Fortuna’s Corner

Yes, there it is.. ISIS has been carrying out a PROPAGANDA war primarily, and with that comes PSYOPS as well. This is the first true set of statements I have seen to date over this whole debacle. Ok, they are waging a propaganda war and a recruitment drive for sure, but really, a cyber caliphate? I mean to date I have not seen this show up verbatim anywhere on the boards or on Twitter, so who’s leaping logic here? Seems to me that there’s a sucker born every minute and about 99% of them want to go into journalism nowadays.

A propaganda war using Twitter does not a cyber war make.

Cyber Warfare and Jihad

So let’s chat about the realities here about the capabilities of the Irhabi (ISIS/L or AQ or SEA) in a context of what we have seen so far. What have we seen you ask? Well, DoS, some data thievery, some malware use and phishing, but generally nothing spectacularly scary. Certainly nothing on the level of a nation state actor like China has been seen out of any of the loose groups that claim some jihadi notions online to date. So where do we get all this BOOGA BOOGA over the likes of Junaid Hussain and ISIS taking down our grids and things?

*squint*

Yeah, there’s no there there. I am sorry, but even if ISIS/L used the monies it has stolen over the last months to set up a “cyber team” they still would be LIGHT YEARS behind the likes of China.. Hell, they would even be way behind Iran for that matter, so really, there is nothing to fear here. Never mind that many of these guys like Junaid are working in countries that are actively being bombed and shot at, so really, how much longer does Juny have anyway before he gets a Hellfire missile up his ass?

Truly the cyber jihad is a non-starter for me and it should be for you too. On the other end of that equation though is the fact that they are actively recruiting and getting their message out using social media, and this is a problem. Now don’t get me wrong, it is not a clear and present danger kind of thing because really, 100 Americans, out of however many people have seen their online drivel, having actually left the country to go to jihad pretty much gives a sense of the threat. You have to be pretty unbalanced to want to do this shit to start with, so if you get up and leave the country to join up you are a truly unbalanced person to start. One so easily swayed by the propaganda wing of ISIS needs help, and what they will certainly get instead is a bullet while fighting. Even ISIS/L really doesn’t care about the Takfiri, you see kids, they are just bodies to be used… Nothing more. They may call you brother, but under their breath they call you fodder.

Much Ado About Nothing

The reality is that ISIS is more a conventional force than anything else. They are not as well planned as AQ and they tend to be one-dimensional thinkers. I will admit that their propaganda war has been interesting to watch, but I don’t see that it is an existential threat. In fact, I concur with the assessment that AQ is still the real player here who can strike at the US and has the better track record thus far. Surely if ISIS continues to carry out the propaganda war they may garner more recruits, but I just don’t see them being that inspirational to get lone wolves to activate/radicalize. I certainly don’t see them being able to put teams together to hack our infrastructure and take us down either. In fact I am not a proponent of that line of thinking as a great threat anyway. Our systems are too complex and fragmented to allow for such a spectacular attack.

So please news media… STFU.

K.

Written by Krypt3ia

2014/09/12 at 15:31

GLOBAL Threat Intelligence Report AUGUST 2014


GLOBAL Threat Intelligence Report – AUGUST 2014

Executive Summary

Globally, August 2014 was much the same as we have seen in the previous months. The norm today is to see large corporations admit that they have been hacked and lost data, malware is consistently being released in the wild, and personal data has been stolen and is for sale in the darknet. This report covers the following stories, which can be seen as indicative of what is happening in the world today and could affect your organization. These incidents should be looked at as potentially happening in your environment, and as such any mitigations that would have prevented them should be implemented in your network.

This month’s global threat indicators are:

  • JP Morgan hacked and data manipulated
  • Traffic lights are easily hacked and manipulated
  • SONY was DDoS’d again
  • Hacking victims become targets of the federal government
  • CHS Medical loses patient data to an alleged APT attack
  • The Nuclear Regulatory Committee was hacked and data stolen by nation state actors
  • A study of Black POS and Backoff POS malware
  • Carbon Grabber hits EU auto makers
  • Poisoned Hurricane APT malware uses Hurricane Electric
  • Taiwan claims to be the testing ground for Chinese APT attacks

Global Threats

JP Morgan Hacked Allegedly by Russia

JP Morgan lost gigabytes of sensitive data during a mid-August cyberattack that also targeted other top U.S. banks, according to sources familiar with the investigation of the hacking. ~Gantdaily.com

http://online.wsj.com/articles/fbi-probes-possible-computer-hacking-incident-at-j-p-morgan-1409168480

http://gantdaily.com/2014/08/28/jp-morgan-loses-data-fbi-suspects-russians-behind-hacking/

http://arstechnica.com/security/2014/08/the-long-game-how-hackers-spent-months-pulling-bank-data-from-jpmorgan/

Analysis:

The attack was carried out by actors alleged to be from Russia and there is talk of state sponsorship. As the investigation goes on, nothing much has been released about the malware (if any) used nor the names of the possible players involved. However, if this attack was carried out by a nation state backed actor it is a paradigm shift for the US and for corporations in general.
The purpose of this attack seems to have been to manipulate funds within the bank for certain accounts, and not the criminal purposes common to hacking of this type. The attack was quiet and thorough, which speaks to the nation state backing, and it may in fact be a message from Russia over sanctions by the US. This type of attack would be a new chapter in the hacking going on to date, in that it would be a nation state able to manipulate the US markets through attacks on banking infrastructure.

Hacking Traffic Lights and Infrastructure

“Our attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage,” writes the research team led by computer scientist J. Alex Halderman.
“With the appropriate hardware and a little effort, [a hacker] can execute a denial of service attack to cripple the flow of traffic in a city, cause congestion at intersections by modifying light timings, or even take control of the lights and give herself clear passage through intersections,” according to the researchers’ findings.

http://time.com/3146147/hacking-traffic-lights-is-apparently-really-easy/

Analysis:

While this type of attack has been portrayed in movies for quite some time, it is now a reality and a potential security nightmare for the country. Attacking infrastructure like the traffic systems could be a prelude to larger kinetic attacks on the country, or could be localized to a specific target area. One has to consider that this is just one step in a larger direction toward attacks on infrastructure that could be used by terrorists or criminals for other purposes. Given that this hack was carried off by a small team with a nominal amount of capital, this should be a concern for the country.

Sony PSN DDoS and Lizard Squad

Sony was attacked with a DDoS (Distributed Denial of Service) that took their systems offline for hours. The attackers call themselves the “Lizard Squad” and to date they are still at large. The group was also able to obtain information about a Sony exec flying on a commercial airline, which they then used to phone in a bomb threat concerning that executive and flight.

http://www.forbes.com/sites/insertcoin/2014/08/27/fbi-hunted-hacking-group-continues-attacks-targets-twitch/

Analysis:

Lizard Squad generally seems to be a bunch of kids, and the real author of the DDoS on Sony was another actor altogether. FamedGod is another entity online who claims that he was the one who attacked Sony, and that he did so because they are still not secure even after they were hacked in 2013. FamedGod posted some information that seems to lend credence to his being the author of this attack on Sony, and he does have a valid point about the continued insecurity of the Sony networks after their 2013 hack, which leaked user details including credit cards that had been improperly stored by Sony on their network.
In the final analysis however, it is a truism that DDoS is not going away and can be aimed at any system at the whim of any kid with the money to pay for a botnet. This should be the real takeaway, and all corporations should have some mitigation in place to protect their presence online from DDoS.

Hacking Victims Become Federal Targets

What do you do if you’re a company that gets hacked, and the Federal Trade Commission treats you like a criminal? That was the quandary facing Wyndham Hotels after the FTC claimed a data security breach gave it the right to supervise the company’s IT department. Thus began the latest episode of the Obama Administration’s habit of using vague laws to justify regulatory schemes that Congress never intended. More than 40 companies have already acquiesced to the FTC’s data security overreach—often small companies without the means to fight—but Wyndham to its credit is pushing back.

http://online.wsj.com/articles/wsj-hacking-victims-become-federal-targets-1408318038

Analysis:

As hacking incidents increase within large corporations and get reported, it is likely that the government will look to sanction companies that are not in compliance with security best practices. In the Wyndham case, it seems that the FTC feels obliged to regulate the activities of the network and security teams at the hacked company in order to ensure best practices are followed. This of course is a new and troubling occurrence, but not an unforeseen one as the government tries to regulate the security space.
This is a heads up for all companies that handle PII, PCI, or HIPAA data: should a compromise occur and lawsuits ensue, the government may want in as well on the remediation and oversight of the security and operations of the company.

CHS Hospital Systems Hacked and Leaked Patient Data

Community Health Systems, which operates 206 hospitals across the United States, announced on Monday that hackers recently broke into its computers and stole data on 4.5 million patients.

Hackers have gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers. Anyone who received treatment from a physician’s office tied to a network-owned hospital in the last five years or was merely referred there by an outside doctor is affected.

http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/

Malware sigs for what was used in CHS

Analysis:

While not much has been put out through the media there are certain areas where data has been released on the malware involved in this hack. The following links below are for samples sent to malwr.com before they shut down. Both of these show the same type of malware used and the hashes match for the family APT-18 was using.

https://malwr.com/analysis/Zjg2MDhkZjIyNDg4NDNhYTk0MTYzMWRhYjc2MTM3OTE/

https://malwr.com/analysis/Y2VlNDY0NmI3NjE0NDRiYjk1YmMxYTVkNjIyZjZlZGU/

Analysis:

The CHS hack has allegedly been pinned on a Chinese APT (Advanced Persistent Threat) known to the community as APT-18. However, the modus operandi of APT-18 does not fit well with what was stolen from CHS. Additionally, there is evidence that the CHS networks had many issues that allowed numerous other types of infections to be ongoing within their confines, which allowed easy access for hackers. Instances of “Code Red” and other malware from many years ago have been seen beaconing from their IP space.
Whether or not the APT were involved though, the networks there were in a poor state, specifically with regard to patching. As is common with medical networks, they are often not patched well because of the antiquated programs that run on them and disallow proper patching. Overall the assessment here is that the network and its security practices were below best practice and thus allowed easy access to patient records even with HIPAA regulations.

Nuclear Regulatory Commission Hacked

Nuclear Regulatory Commission computers within the past three years were successfully hacked by foreigners twice and also by an unidentifiable individual, according to an internal investigation. One incident involved emails sent to about 215 NRC employees in “a logon-credential harvesting attempt,” according to an inspector general report Nextgov obtained through an open-records request. The phishing emails baited personnel by asking them to verify their user accounts by clicking a link and logging in. The link really took victims to “a cloud-based Google spreadsheet.”

http://www.defenseone.com/technology/2014/08/foreign-government-agents-suspected-hacking-us-nuclear-regulator/91856/

Analysis:

The NRC hack is typical of the APT activities we have seen in the news over the last few years. In this case the NRC was phished with emails containing links to a Google Drive spreadsheet that infected their systems with malware. This is a common attack today and should be covered in any respectable security awareness program, but it is often still the key to hackers getting into systems. Had the users checked the links to start with, or thought better of logging into a site to verify an account, then the compromise may not have happened at all.
All users should be aware of what phishing looks like and the tactics that phishers use to trick people into compromise. In this case this is a nation state actor (likely China) and is par for the course today.
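To make the "check the links" advice concrete, here is an added example written for this page (it is not NRC tooling and not the report’s own code): it parses an HTML mail body, pulls out every anchor, and flags links whose visible text names one host while the href points at another, plus any "verify your account" style lure whose link leaves the sender’s own domain. The sample messages, the assumed sender domain nrc.gov and the hosted-spreadsheet URL are all constructed placeholders.

```python
"""Triage an HTML e-mail for the 'verify your account' lure described above.
Added example for this page, not NRC or report tooling; sample data constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A lure phrase: an instruction to verify/confirm/validate something account-related.
LURE_RE = re.compile(
    r"\b(verify|confirm|validate|re-?activate)\b.{0,80}?\b(account|credentials|login|password)\b",
    re.I | re.S,
)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a>, and all plain text in the body."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, anchor text)
        self.text = []       # all character data, for the lure check
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'host/path' text is treated as http://host/path."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_org(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage_email(html_body, sender_domain):
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    parser = LinkCollector()
    parser.feed(html_body)
    is_lure = bool(LURE_RE.search("".join(parser.text)))
    findings = []
    for href, shown_text in parser.links:
        if not href:
            continue
        target = host_of(href)
        # Only treat the anchor text as a URL if it looks like one (has a dot, no spaces).
        shown = host_of(shown_text) if "." in shown_text and " " not in shown_text else ""
        if shown and not same_org(target, shown):
            findings.append(f"link text shows {shown} but points to {target}")
        if is_lure and not same_org(target, sender_domain):
            findings.append(f"credential lure links off-domain to {target}")
    return findings


# Constructed sample: a 'verify your account' mail whose link text claims the
# sender's portal while the href goes to a hosted spreadsheet (placeholder URL).
PHISH_SAMPLE = (
    "<p>Please verify your user account by clicking the link below and logging in.</p>"
    '<a href="https://docs.google.com/spreadsheets/d/PLACEHOLDER">'
    "https://portal.nrc.gov/verify</a>"
)
BENIGN_SAMPLE = '<p>Agenda for Thursday attached.</p><a href="https://www.nrc.gov/meetings">Meetings</a>'

if __name__ == "__main__":
    for finding in triage_email(PHISH_SAMPLE, "nrc.gov"):
        print("SUSPECT:", finding)
    print("benign findings:", triage_email(BENIGN_SAMPLE, "nrc.gov"))
```

The two checks are deliberately independent: a text/href host mismatch is suspicious on its own, and a verification lure pointing off-domain is suspicious even when the anchor text is just "click here". Feed it the HTML part of a captured message and the domain the mail claims to come from.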

Crimeware

Backoff POS and BlackPOS

The “Backoff” POS (Point Of Sale) malware is a new version of skimming software that was used in a recent attack on the SuperValu grocery chain. This malware gets its name from the word “backoff” in the code. BlackPOS is another malware that was created by the Rescator/Lampeduza network for their attacks on Target and now Home Depot. This one also gets its name from code snippets and from the actual name being used on the Russian hacking/carding boards that sell it and the data that has been stolen.

http://threatpost.com/secret-service-warns-1000-businesses-hit-by-backoff-pos-malware

https://www.us-cert.gov/ncas/alerts/TA14-212A

Analysis:

These types of malware are common to this type of crime today because in the US we do not have the “chip and pin” technology that would prevent this attack from succeeding. Both of these pieces of malware were built bespoke for the crews that are using them and attack the actual interfaces for the POS device. When a card is swiped at the POS this malware scrapes the memory of the machine and captures the card numbers and the PIN during the transaction. It then sends that data to an aggregator (compromised machines in the network) for exfiltration to servers usually in the Baltics.
Given that this type of attack now has leaked millions of cards (including a new Home Depot leak ongoing today) we can expect that retailers and banks in the US will soon be looking to upgrade the infrastructure here to a chip and pin system to stop this from happening. Banks in the US are already feeling the pinch from these attacks and are pushing behind the scenes for these changes.
Addendum: It has been reported by the FBI that as many as 1000 companies may in fact be compromised with these types of malware and actively being used to steal credit and debit cards.

Carbon Grabber Hits Automotive Industry

Europe’s automotive supply chain is being targeted by a malware campaign connected to the increasingly popular Carbon Grabber crimeware kit, researchers at Symantec have warned. At first glance, what Symantec uncovered earlier this month when investigating a spam campaign spreading malicious attachments looks relatively innocuous, one of dozens of such incidents security firms pick up on in any given month.
The giveaway that there is more to this one is the unusual level of targeting, which aims more than half of all spam at the car rental, insurance, commercial transport, and second-hand commercial and agricultural vehicle sales sectors in Germany, The Netherlands, Italy and, to a lesser extent, the UK.

http://news.techworld.com/security/3539706/carbon-grabber-campaign-hunts-for-automotive-industry-logins/

Analysis:

Carbon Grabber is a part of a larger supply chain attack and may be the work of a nation state actor. The initial attack gets the user to install software that in turn starts to mine data within their corporate network. Black Carbon then steals credentials and sends them to a C&C server. This attack is ongoing and more may come from this in the near future. However, this is a common two-stage attack against companies in order to steal their secrets, with the primary attack coming from a phishing campaign. The novelty here is that it is using spam campaigns and directed targeting (cars and rentals) to obtain its objectives.

APT Activities

Poisoned Hurricane

“We found that anyone could register for a free account with Hurricane Electric’s hosted DNS service. Via this service, anyone with an account was able to register a zone and create A records for the registered zone and point those A records to any IP address they so desired. The dangerous aspect of this service is that anyone was able to hijack legitimate domains such as adobe.com. Although these nameservers are not recursors and were not designed to be queried directly by end users, they were returning results if queried directly for domains that were configured via Hurricane Electric’s public DNS service.

Furthermore, Hurricane Electric did not check if zones created by their users were already registered or otherwise legitimately owned by other parties.” ~FireEye

http://www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html

Analysis:

The use of Hurricane Electric’s loose network has long been a staple for malware and APT activities. The fact that you could use their permissive DNS services only added to the ability of malware campaigns to obfuscate their attacks effectively and to exfiltrate data more easily. It is important as a company or security group to monitor your DNS traffic to ensure that you are not compromised and beaconing traffic to bad actors and thus losing your data.
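The monitoring the analysis calls for has a cheap first pass: implants check in on a timer, people and browsers do not. The added example below (written for this page, not the report’s or FireEye’s tooling) reads BIND-style query-log lines, collapses each query name to its registered domain so rotating subdomains cannot hide the pattern, and flags any client whose gaps between queries to one domain are nearly constant, measured as a low coefficient of variation. The log lines, client addresses and domains are constructed.

```python
"""Find DNS beaconing: a client querying one registered domain at near-constant
intervals. Added example for this page (not report tooling); constructed BIND-style log."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# BIND query-log shape: "<timestamp> client <ip>#<port>[ (qname)]: query: <qname> IN <type> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<ip>[\d.]+)#\d+"
    r".*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, client ip, registered domain) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    # Collapse to the last two labels so rotating subdomains do not hide the beacon.
    labels = m["qname"].rstrip(".").lower().split(".")
    return ts, m["ip"], ".".join(labels[-2:])


def find_beacons(lines, min_queries=5, max_cv=0.1):
    """Return (client, domain) pairs whose query gaps have coefficient of variation <= max_cv."""
    stamps_by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, ip, domain = rec
            stamps_by_pair[(ip, domain)].append(ts)
    beacons = []
    for (ip, domain), stamps in stamps_by_pair.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # ~0 means metronomic, which humans and browsers are not
        if cv <= max_cv:
            beacons.append({"client": ip, "domain": domain, "count": len(stamps),
                            "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return beacons


# Constructed sample log: 10.0.0.5 hits rotating hosts under badcdn.example roughly
# every 60 s; 10.0.0.7 browses example.com at irregular times; 10.0.0.9 is too sparse.
SAMPLE_LOG = """\
12-Aug-2014 10:00:00.000 client 10.0.0.5#40123: query: a1.badcdn.example IN A + (10.0.0.53)
12-Aug-2014 10:00:05.120 client 10.0.0.7#51001: query: www.example.com IN A + (10.0.0.53)
12-Aug-2014 10:00:07.400 client 10.0.0.7#51002: query: www.example.com IN AAAA + (10.0.0.53)
12-Aug-2014 10:01:00.200 client 10.0.0.5#40124: query: a2.badcdn.example IN A + (10.0.0.53)
12-Aug-2014 10:01:59.900 client 10.0.0.5#40125: query: a3.badcdn.example IN A + (10.0.0.53)
12-Aug-2014 10:02:30.000 client 10.0.0.7#51003: query: www.example.com IN A + (10.0.0.53)
12-Aug-2014 10:02:31.000 client 10.0.0.7#51004: query: www.example.com IN A + (10.0.0.53)
12-Aug-2014 10:03:00.100 client 10.0.0.5#40126: query: a4.badcdn.example IN A + (10.0.0.53)
12-Aug-2014 10:03:10.000 client 10.0.0.9#52000: query: mail.example.com IN MX + (10.0.0.53)
12-Aug-2014 10:04:00.000 client 10.0.0.5#40127: query: a5.badcdn.example IN A + (10.0.0.53)
12-Aug-2014 10:04:00.000 client 10.0.0.7#51005: query: www.example.com IN A + (10.0.0.53)
12-Aug-2014 10:05:00.300 client 10.0.0.5#40128: query: a6.badcdn.example IN A + (10.0.0.53)
this line is not a query log entry
""".splitlines()

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"BEACON {b['client']} -> {b['domain']} x{b['count']} every ~{b['interval_s']}s (cv {b['cv']})")
```

Tune `min_queries` and `max_cv` to your environment: legitimate software updaters and monitoring agents also beacon, so the output is a triage list to cross-check against known-good domains, not a verdict. The two-label collapse is a simplification; for ccTLDs like co.uk you would substitute a public-suffix lookup.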

Taiwan: Testing Ground for China’s APT

http://thediplomat.com/2014/08/taiwan-complains-of-severe-cyber-attacks-from-china/

Analysis:

Taiwan has made a claim that they are the testing ground for China’s APT activities. This would make sense from the standpoint that Taiwan is now under Chinese control (for the most part, but is still called Free Taiwan by many). If this is indeed the case, then the malware and hacking techniques could possibly be seen being tested in Taiwan, and thus be an intelligence boon for the US and other countries were we able to see that traffic as it happens.

Editable DOC file for DOWNLOAD to use for your organization

Written by Krypt3ia

2014/09/11 at 21:25

Posted in Threat Intel

Post Hoc Ergo Propter Hoc Poop: Recorded Future and the Jihadi FUD-O-Sphere

with 4 comments

encryption-indicators-table

Jihadi Crypto

Recently Recorded Future caused a stir in the media over what they gathered through OSINT on jihadi crypto since the Snowden revelations. This report nearly made me have an aneurysm from its simplistic approach to the problem and its deep lack of knowledge on the subjects of crypto and jihadism. This report, though, made the rounds and ended up on places like NPR (which RF cited in their report, LA DE DA), adding cachet to it all.

The realities though are that RF has in fact only seen one small slice of a larger issue concerning crypto, propaganda, jihad, and the GWOT in general and it makes me mental when I see shit like this. So this post is to set some things straight and I will be furthering this out with a guest appearance on The Loopcast to discuss all of this in a longer forum. For now though, let me splain some things.

Jihadi Crypto AFTER Snowden

Before Snowden the crypto choices for the jihadis online pretty much broke down to a couple of choices: Mujahideen Secrets, a couple of other crappy ones, and PGP. I will tell you now that Mujahideen Secrets was the “gold” standard for these guys and it was the suck to start. So really, pre-Snowden there were more limited options, sure, but the reality is that Mujahideen Secrets was only really used for low level talk between guys on jihobbyist boards and for emailing the brothers at Inspire their derpy ass questions about jihad.

The cryptography was standard in Mujahideen Secrets and the programming of the application itself was so-so. I have looked at this before and didn’t think much of it back then. Today I think even less of the whole prospect of the great cryptojihad being an actual “thing” at all. Now, though, since Snowden, sure, there are more options out there and some may actually be well programmed and using cryptography that is solid. However, that does not mean that the real players are using them post-Snowden. Nor does it mean that the players who ARE using the crypto are a serious threat at all to begin with.

Crypto is a Red Herring

Cryptography is only as good as its user in many cases. In the case of the jihadis out there on the net, they are mostly luddites when it comes to tech. Tell me RF, who do you have on your list of great jihadi hackers today? No, really, who do you have on that list? Don’t throw TH3PR0 at me either because he is not a Muslim extremist as far as I have seen in his traffic. So who do you see as the great threat technically today? If a lot of these guys were adept at tech then most certainly their shitty sites wouldn’t be getting PWN3D all the time, right?

So there is that. Now look at the user base of the jihad. If you are not in country then you are elsewhere and on the Shamikh site spouting shit and throwing as much puffery as possible out there to look good for all the girls right? On the whole, after watching these guys I have to say that the majority aren’t the swiftest boats in the river nor the sharpest blades in the drawer if you catch my drift. So how many of these guys you figure are gonna be able to handle a two key system effectively and not fuck up the key exchange right off the bat?

*Let me give you a hint.. I have seen these idiots place their PRIVATE keys on the Shamikh site*

These guys are like any other users in the base of common people who have trouble comprehending how crypto works never mind how to send a PUBLIC key to the person they want to talk to! So I say to you all here and now, the issue of crypto with these guys on the net is a complete red herring and just a means to an end for RF to get clicks and revenue.

SIGINT/HUMINT/TRADECRAFT

So let’s get past all the crap about “ZOMG SNOWDEN GAVE THE JIHADIS INTEL!!” and speak about the realities. Sure, the jihadis saw what was being dropped and they learned from it. They immediately went out to create a new means to have encrypted traffic, sure. However, ask yourselves how many of these guys using this stuff are really hard core AQ/ISIS/ISIL/AQAP etc guys? The truth of the matter is that the core AQ types are not even using the net because of fears that anything they do will be compromised.

For instance: post-9/11, UBL started using a sneakernet approach with REAL TRADECRAFT to carry his messages to his commanders. They carried messages by hand and if they used the net they did so sparingly for key comms. They did this because they knew the net was PWN3D (or assumed it was) and they already knew communications like SATPHONE were already tagged. After all, UBL’s SATPHONE had already been compromised and he found out after an attack.

My point here is that OPSEC and TRADECRAFT are important. If you have good crypto but you fail at OPSEC and TRADECRAFT then you lose. An example of this is that the Inspire accounts that they published in their so-called magazine were Gmail and Hotmail accounts. That’s right kids, the jihadis were emailing their super secret questions and other things right to the NSA!

…But you think.. THEY USED CRYPTO! HA HA!

No, you see they have the account.. Then when YOU email them they have YOUR account too. See where I am going? Relational databases and bad OPSEC puts the jihadi on the list for flights to GITMO. On average these guys were not carrying out proficient OPSEC tactics and thus were likely to give up their private information along with the accounts and thus you have a black van or a drone showing up in the current GWOT. Crypto is not the answer nor is it the rubric to hang your hat on as to how a leak has compromised operations for the US.

Recorded Future has just taken a slice of the problem and blown it out of proportion for attention and that is a disservice. So please mass media ask some more questions on this. Don’t run with the Snowman OMG story because that is bogus. I know you won’t listen to me but hey a man’s gotta try right? The rest of you out there who read this blog likely already understand this and I am preaching to the choir.

I will look at the varying crypto programs soon and critique them, as well as use the data to track some of these idiots just to show the MSM how easy it can be to track them. I have done it before and man, sometimes these guys just make it too easy. Like that jihadi who thought he was l337 by putting up YouTube videos of himself hacking… With his own IP…

SUPER DERP.. But now he has CRYPTO post SNOWDEN OMG!

K.


PS.. Look for the Loopcast podcast on all this coming soon.

Written by Krypt3ia

2014/08/09 at 13:38

Posted in FUD, jihad

JULY 2014 UNIFIED THREAT INTELLIGENCE REPORT

leave a comment »

Unified Threat Intelligence Report

July 2014

Executive Summary

Overall the month of July 2014 has been fraught with new malware campaigns against various entities, and this has been the trend since approximately 2010. Malware today is the pivot point for attacks and these campaigns are initiated with emails (phishing) as well as other attacks. The Facebook cross site scripting attack that engages the user to go out of their way to compromise themselves is indicative of where the trend is going and shows how important user education is to malware prevention. As the adversaries grow in number and become more sophisticated in their practices (i.e. crimeware taking on more APT-like characteristics) and domains are re-used between actors, it is increasingly apparent that the front line is not only technologies like SIEM and AntiVirus, but also the end users themselves.

Additionally, as the activities of nation state actors continue, so too do the operations by hacktivists like SEA (Syrian Electronic Army) and countless other individuals and collectives that will use the same tactics and tools as well. Suffice it to say that this is not going away soon and in fact will instead increase geometrically as various countries become more wired across the globe and allow easy access to the net for these activities. This report is a generalist approach to data that has been in the news cycle within the month of July 2014, but deliberately selected to give a melange of stories that should be considered by any CSO, CISO, or others within domains trying to protect their assets. This is not directed data, however, and this is an important part of the intelligence cycle that must be taken into account when reporting to executives. Thus I have placed this report in .odt form on this page for you to download and to add data for your own environment, to use in enlightening your staff as to your own metrics on attacks and other activities that affect you directly.

Report Highlights:

  • One in five businesses have been hit by Advanced Persistent Threats
  • Anonymous’ OP ISRAEL attacks Israel over Gaza
  • Russian malware infiltrated the Nasdaq servers in 2010
  • Microsoft seizes 22 NO-IP domains, disrupts cybercriminal and nation state APT malware operations
  • A critical Android vulnerability lets malware compromise most devices and apps
  • Facebook suffers a “self” XSS Attack that tricks users into exploiting themselves
  • A look at the Android FBI Lock Malware (Ransomware)
  • ‘Operation Emmental’ A malware campaign targeting banks across Europe
  • Goodwill is Investigating a Possible theft of credit card data
  • Nigerian 419 email scammers shift to malware and hacking
  • Malware hidden in Chinese inventory scanners targeted logistics, shipping firms in the US and other places
  • Manic malware Mayhem spreads through Linux and FreeBSD webservers on the internet
  • China: The Pirpi phishing attacks on 7/21/2014
  • China: Hacking attacks on NRC National Research Council (Canada)
  • Syria/SEA (Syrian Electronic Army) spreads false Rumors of Israel nuclear Leak on Twitter

Global Threats:

One in five businesses has been hit by Advanced Persistent Threats:

Summary:

A recent study of polled participants showed that one in five businesses has been hit with APT attacks. This means that nation state actors such as China have attempted, and potentially successfully, compromised their systems and exfiltrated data. What follows are some stats from the polling:

  • Approximately 92 per cent of respondents believe that the use of a social networking site increases the likelihood of a successful APT attack, which could prove a threat to a large proportion of businesses.
  • 88 per cent think that ‘bring your own device’ combined with rooting or jailbreaking by the owner makes a successful APT attack more likely.
  • Over two thirds of people think that it is only a matter of time before their enterprise is targeted.
  • However, despite this, the majority of respondents believe that they are prepared to detect, respond to and stop an APT attack.
  • The most common technical controls used to protect against these are antivirus and anti-malware, which over 90 per cent reported using. This was followed by network technologies such as firewalls, then network segregation.
  • Under 30 per cent reported using anti-malware controls on mobile devices.
  • Around 96 per cent of the respondents are somewhat familiar with what an APT is, which is more than was reported last year.
  • They define an APT as an adversary that “possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objective by using multiple attack vectors”. This could come in a variety of formats, and some suggest that it is geared towards the aim of political espionage.
  • “They often use the same attack vectors that traditional threats leverage, but they also leverage different attack methodologies and have different characteristics than traditional threats,” the report said.

Analysis:

  • APT attacks are not arcane, nor do they solely target Defense Industrial Base corporations.
  • The general consensus is that everyone will eventually be targeted in some way.
  • Generally people do not think that they are properly prepared for these attacks.
  • Social media access is seen as a key avenue to compromise.
  • AV products are the main defense against APT campaigns, yet under 30% have AV on mobile assets.

While APT activities have been in the news it is still important to note that not everyone knows what an APT is never mind how they operate. Many still do not consider APT a threat because they have the perception that their environments are not of importance to the Chinese and others. This is a misapprehension that must be corrected. There is always the possibility that your environment may be a target for data that you hold or access that you have leading to another target more sought after. It is important that more within the field of security understand how APT works and separate the hype from the reality.

Anonymous’ Offensive against Israel: OP ISRAEL

Summary:

Anonymous announced last month that they would be attacking Israeli systems to protest Israel’s attacks in Gaza and the troubles ongoing in the area. This stemmed from the abduction and beating of youths in the area, which has now blown up into all-out missile warfare between Hamas/Palestine and Israel. The hackers managed to deface many government pages as well as leak user names and passwords to systems.

Analysis:

Overall this type of activity is questionable as to its merit for or against war. In the grander scope of things these attacks do not stop the hostilities between parties or ameliorate much else other than the sense of accomplishment on the part of the Anon’s out there taking part in it all.

The flip side of this is that any successful action against a corporation or government will lead to financial loss as well as perceptions of vulnerability for said company or government systems. This is the essence of asymmetric warfare.

Russian malware infiltrated the NASDAQ servers

Summary:

In 2010 the NSA, CIA, FBI, and other agencies learned that the NASDAQ Stock Exchange had been hacked by a Russian individual and malware was placed within their core servers. The malware was a form of logic bomb that could potentially stop trading on Wall Street and thus cause a cascade effect in the global economy.

Analysis:

This incursion into the NASDAQ network shows how one actor could potentially have a mass effect on the local (US) and global economy had his attacks been carried out. The malware was designed to erase data and lock users out of systems. This would have had a detrimental effect not only in downtime but also in confidence in the stock exchange as well as the economy in general. These types of “supply chain” and financial attacks will be on the uptick in the future as adversaries work toward global implications of their actions, as will nation state actors like China who see these types of attacks as a necessary tool within the 5th domain.

Microsoft seizes 22 NO-IP domains, disrupts cybercriminal and nation state APT malware operations

Summary:

Microsoft moved to take down the NO-IP dynamic DNS service in an effort to short circuit cybercriminal and APT activities. The service allowed for quick and anonymous creation of dynamic domains that these actors would use as command and control servers for malware. This particular takedown affected a great number of malware systems.

From report:

In addition to these, the takedown disrupted many other APT operations, which used NO-IP for their C&C infrastructure. These include:

  • Flame/Miniflame
  • Turla/Snake/Uroburos, including Epic
  • Cycldek
  • Shiqiang
  • HackingTeam RCS customers
  • Banechant
  • Ladyoffice

Analysis:

This takedown shows the ecology of many of the malware campaigns out there today. They tend to use the same C&C infrastructures that Crimeware inhabits and thus at times it can be hard to determine who the actors truly are. In the case of the Flame and MiniFlame servers this action will be taking out a significant amount of APT activity which may in fact be Israeli in origin. As the actors become more adept at their prosecution of warfare in cyberspace so too will the disinformation and psychological warfare capabilities and actions increase. As a means of knocking out large swaths of C&C Microsoft is taking more solid action by taking the systems down as opposed to watching them as others might do. This is an ongoing discussion within the community as to whether it is better to just remove their access rather than watch them and use that information later within intelligence circles.

Crimeware

Facebook “self” XSS Attacks


xssself

Summary:

This attack leverages users’ interest in hacking into “anyone’s” Facebook account. The gist of the attack is fooling the user into pasting code into their own browser, which then exploits the end user’s account and allows the attacker access to it.

Analysis:

This exploit works on a premise based in social engineering and psychology. Humans have a penchant for wanting to know unknown things or to be slightly “bad” and thus this attack works. By fooling users into exploiting their own accounts this attack falls more within the social engineering area than anything else.

Critical Android vulnerability lets malware compromise most devices and apps

Summary:

The majority of Android devices currently in use contain a vulnerability that allows malware to completely hijack installed apps and their data or even the entire device.

The core problem is that Android fails to validate public key infrastructure certificate chains for app digital signatures. According to Google’s documentation, Android applications must be signed in order to be installed on the OS, but the digital certificate used to sign them does not need to be issued by a digital certificate authority.

Analysis:

The analysis of this vulnerability is that no system or hardware should be considered to be absolutely “secure”. The reason for this is not only that there may be inherent flaws in the system’s creation and upkeep, but also end user abuses or misconfiguration.

Secondarily, if you run a BYOD program then Android may be more vulnerable to attack than you may have thought previously. Even with software means to protect your data the system itself could be compromised due to the way it was created.

Android FBI Lock Malware: FIBLOCK-A


fbilock

Summary:

A new ransomware scam has been found in the wild by Sophos. This malware masquerades as a Flash Player update/application which then encrypts your phone and ransoms you with the picture shown above. Once you click proceed, the system then presents you with a way to pay a “fine” (see below).

Analysis:

This malware is tricky in that it ostensibly offers something that Android does not have now (i.e. access to Flash) so this tricks many people into installing it in the first place. The malware then takes over the phone and is hard to get rid of.

The final analysis though is that these types of malware and extortion schemes are becoming more commonplace and thus end users should be more aware of these tactics and how to deal with them. In the case of this malware the payment scheme does not mean that they will be able to rid themselves of the malware.

‘Operation Emmental’ Malware Campaign Targeting Banks Across Europe


emmental

Summary:

Operation Emmental attacks are spread using phishing emails which masquerade as being sent from reputable online retailers. These emails contain malware-infested links which users are prompted to click. If victims click on the link, the malware gets downloaded to the users’ computers/mobile devices.


The Emmental malware manipulates the configuration of host systems, and automatically vanishes from the system, which makes it undetectable. The DNS settings of the host computer are manipulated to synchronise with an external server (operated by the cyber-criminals).

Emmental malware then loads rogue SSL root certificates within host systems. These certificates are designed to trust the external server controlled by hackers and thereby eliminate security prompts.

Analysis:

This malware creates, in effect, a “Man in the Middle” attack and then tricks users into thinking they have a secure session with their site of choice. This attack is even more dangerous because it cleans up after itself and is hard to detect until it’s too late.

The upshot here is that end users should be aware of how to check links in emails before clicking on them and be aware of phishing attacks through regular security education.
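The two certificate problems in this report, Android accepting app signatures without validating the certificate chain (above, under the Android vulnerability) and Emmental planting a rogue root certificate so the browser raises no prompt for the attacker’s server, come down to the same check. The Go program below is an added example written for this page, not code from the report or from any vendor cited; it builds throwaway in-memory CAs (constructed test material) and shows that a check on the issuer name alone accepts a certificate from an attacker-run CA that copies the trusted root’s name, that real chain verification against a pinned root set rejects it, and that once the rogue root is added to the trust store, as Emmental does, the same forged certificate verifies cleanly. The host name bank.example and the CA names are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustCert parses the output of x509.CreateCertificate; panics are acceptable here.
func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mkCA builds a self-signed CA certificate in memory with the given name.
func mkCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// mkLeaf issues a server certificate for host, signed by the given CA.
func mkLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
}

// IssuerNameMatches is the weak check: it trusts a leaf because its Issuer
// name equals a trusted root's Subject, and never verifies any signature.
func IssuerNameMatches(leaf, root *x509.Certificate) bool {
	return leaf.Issuer.String() == root.Subject.String()
}

// VerifyChain is the proper check: the leaf must chain, signature by
// signature, to a root in the given pool and be valid for host.
func VerifyChain(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Scenario builds a trusted root, an attacker root that copies its name, a
// genuine leaf and a forged leaf, then runs both checks against a pinned
// trust store and against one the attacker has poisoned with its own root.
func Scenario() map[string]bool {
	legit, legitKey := mkCA("Trusted Root CA", 1)
	rogue, rogueKey := mkCA("Trusted Root CA", 2) // same name, attacker's key
	host := "bank.example"
	genuine := mkLeaf(host, legit, legitKey)
	forged := mkLeaf(host, rogue, rogueKey)
	pinned, poisoned := x509.NewCertPool(), x509.NewCertPool()
	pinned.AddCert(legit)
	poisoned.AddCert(legit)
	poisoned.AddCert(rogue) // the effect of an Emmental-style rogue root install
	return map[string]bool{
		"name check accepts forged":  IssuerNameMatches(forged, legit),
		"pinned accepts genuine":     VerifyChain(genuine, pinned, host) == nil,
		"pinned rejects forged":      VerifyChain(forged, pinned, host) != nil,
		"poisoned accepts forged":    VerifyChain(forged, poisoned, host) == nil,
	}
}

func main() { fmt.Printf("%v\n", Scenario()) }
```

The last line of the map is the Emmental lesson: once an attacker can add a root to the trust store, chain verification is working exactly as designed and will not save you, so the control has to be on what gets into the store (and on noticing when it changes), not on the TLS prompt.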

Nigerian 419 Email Scammers Shift to Malware and Hacking

Summary:

It seems that the Nigerians have learned that their tactics are losing ground and they have to move on to bigger and better things. It stands to reason that as things become more point and click, and the media gives attention to the big losses by malware at large corporations, the 419’ers will get in the game as well. I expect that the phishing emails will have the same telltale flaws but people will still click on them and infect their machines with malware. All in all this is just another player in a saturated vector that we all need to pay attention to.

Analysis:

Be on the lookout for the usual types of emails but instead of asking for someone to wire something those will instead be links to malware. As these guys get more savvy we all will need to keep an eye out for their phishing emails. On a threat scale these guys aren’t high just yet.

Malware

Historically the Nigerian scammers have been using emails and phone calls to steal money from unsuspecting people. Recently though they have moved into the world of phishing and hacking using phish emails to send people malware. Once the malware has been installed the 419 scammers are acting just like other criminal actors and stealing personal data and passwords. These they then use to steal money or create fake identities for their own purposes.

Analysis:

The 419 scammers are finally getting into the modern world of malware because people have been catching on to their usual routines and spam filters are stopping their emails. The scammers then had to change their tactics in order to continue their work and their revenue streams.

This is a natural evolution really but it shows just how effective these tactics are and how easily they can be picked up by people like these.

Malware hidden in Chinese inventory scanners targeted logistics, shipping firms

Summary:

Financial and business information was stolen from several shipping and logistics firms by sophisticated malware hiding in inventory scanners manufactured by a Chinese company. The supply chain attack, dubbed “Zombie Zero,” was identified by security researchers from TrapX, a cybersecurity firm in San Mateo, California, who wrote about it in a report released Thursday.

TrapX hasn’t named the Chinese manufacturer, but said that the malware was implanted in physical scanners shipped to customers, as well as in the Windows XP Embedded firmware available for download on the manufacturer’s website.

Analysis:

This is what is known as a “supply chain attack” and it means that an attacker has managed to attack your supply chain either by stopping it or changing its capacity in some way. These attacks can be devastating to a company where time and flow of product is essential to the business operations. This also can be seen in the light of supply chains such as military and other chains that could be broken to affect warfare in the favor of an attacker.

Manic malware Mayhem spreads through Linux, FreeBSD web servers

Summary:

Malware dubbed Mayhem is spreading through Linux and FreeBSD web servers, researchers say. The software nasty uses a grab bag of plugins to cause mischief, and infects systems that are not up to date with security patches.

Andrej Kovalev, Konstantin Ostrashkevich and Evgeny Sidorov, who work at Russian internet portal Yandex, discovered the malware targeting *nix servers. They traced transmissions from compromised computers to two command and control (C&C) servers. So far they have found 1,400 machines that have fallen to the code, with potentially thousands more to come.

Analysis:

This malware is novel in a couple of important ways. First off it is on UNIX using a common vulnerability and secondly it is a botnet that is also leveraging those systems infected to compromise other systems. UNIX and Linux are the underpinnings of the internet so if this malware infects systems as rapidly as predicted this could be a real juggernaut.

It is recommended that all UNIX systems facing the internet should be looked at and assessed for the vulnerability that allows for this malware to load and add the systems to the botnet.

APT Activities

China: Pirpi/Gothic Panda Phishing Attack 7/21/2014

Summary:

A phishing attack was launched on 7/21/2014 that leveraged a new 0day and had a very short window of opportunity. The attack has been dubbed Pirpi or Gothic Panda (by Crowdstrike) and is now over. Detection of the attack was quick and the duration of the emails and the hacking was approximately three days.

Data and Sample Email:

From: XXXXXXXXXXXXXXX
Subject: Outstanding Invoice

Part of the email body:

Our records show that you have an outstanding balance dating back to January. Your January invoice was for $445.00 and we have yet to receive this payment. Please find a copy of the invoice enclosed.


If this amount has already been paid, please disregard this notice,and let us know that
in this link.  Otherwise, please forward us the amount owed in full by Aguest 1st. As our contract indicates, we begin charging 5% interest for any outstanding balances after 30 days.

Analysis:

Malware C&C Details:

The links led to resources at hazarhaliyikama[.]com. All emails linked to this domain with pseudo-random URL paths, just like the earlier spam runs from late April. Each recipient was given a unique URI. Examples below:

hxxp://web.hazarhaliyikama[.]com/doc/idear.htm?a=XXddddddd
hxxp://web.hazarhaliyikama[.]com/doc/uid.php?num=XXddddddd
hxxp://web.hazarhaliyikama[.]com/doc/solo.cfm?cg=XXddddddd
hxxp://web.hazarhaliyikama[.]com/doc/list.jsp?x=XXddddddd
hxxp://web.hazarhaliyikama[.]com/doc/reference.cfm?i=XXddddddd
hxxp://web.hazarhaliyikama[.]com/doc/pag.html?vv=Xdddddddd
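As an added example (not from the report or any vendor), the Go program below turns the indicator list above into a proxy-log check: it refangs the defanged URLs, matches any request to the campaign domain or a host under it, notes whether the path has the /doc/<name>.<ext>?<param>=<token> shape shown, and pulls out the per-recipient token, which is what lets you tie a hit back to the mailbox that received the lure. The log format and the log lines are constructed and kept defanged (Refang is a no-op on a live URL, so the same code runs on a real log); the file-extension list in the path pattern is taken from the six examples and is an assumption beyond them.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// CampaignDomain is the domain named in the report, kept defanged.
const CampaignDomain = "hazarhaliyikama[.]com"

// Refang turns hxxp:// and [.] back into a parseable URL; on a normal URL it
// changes nothing, so it is safe to apply to every log line.
func Refang(s string) string {
	s = strings.Replace(s, "hxxps://", "https://", 1)
	s = strings.Replace(s, "hxxp://", "http://", 1)
	return strings.ReplaceAll(s, "[.]", ".")
}

// Hit is one proxy request that touched the campaign infrastructure.
type Hit struct {
	Client        string
	URL           string
	CampaignShape bool   // path looks like /doc/<name>.<ext> and carries a query
	Token         string // per-recipient value: ties the hit to the lured mailbox
}

// Constructed proxy-log format: "<time> <client> <method> <url> <status>".
var lineRe = regexp.MustCompile(`^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$`)

// shapeRe is the path pattern seen in the report's six examples (assumed list of extensions).
var shapeRe = regexp.MustCompile(`^/doc/[A-Za-z]+\.(?:htm|html|php|cfm|jsp)$`)

// ScanProxyLog returns every request whose host is domain or a host under
// it, tagging the ones that also match the lure path shape.
func ScanProxyLog(raw, domain string) ([]Hit, error) {
	domain = strings.ToLower(Refang(domain))
	var hits []Hit
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		m := lineRe.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		u, err := url.Parse(Refang(m[4]))
		if err != nil {
			return nil, err
		}
		host := strings.ToLower(u.Hostname())
		if host != domain && !strings.HasSuffix(host, "."+domain) {
			continue
		}
		h := Hit{Client: m[2], URL: m[4], CampaignShape: shapeRe.MatchString(u.Path) && u.RawQuery != ""}
		if kv := strings.SplitN(u.RawQuery, "=", 2); len(kv) == 2 {
			h.Token = kv[1] // the examples carry exactly one parameter
		}
		hits = append(hits, h)
	}
	return hits, nil
}

// sampleLog is constructed and kept defanged; a real proxy log is not.
const sampleLog = `
2014-07-21T10:02:11Z 10.1.4.23 GET hxxp://web.hazarhaliyikama[.]com/doc/idear.htm?a=XX1234567 200
2014-07-21T10:02:12Z 10.1.4.23 GET http://www.example.com/news 200
2014-07-21T10:05:40Z 10.1.7.8 GET hxxp://web.hazarhaliyikama[.]com/doc/list.jsp?x=AB7654321 200
2014-07-21T10:09:03Z 10.1.9.2 GET hxxp://hazarhaliyikama[.]com/favicon.ico 404
`

// Run scans the sample against the report's domain.
func Run() ([]Hit, error) { return ScanProxyLog(sampleLog, CampaignDomain) }

func main() {
	hits, err := Run()
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("%-10s lure=%-5v token=%-12q %s\n", h.Client, h.CampaignShape, h.Token, h.URL)
	}
}
```

Two of the three hits carry the lure shape and a token; the favicon request is still reported because the domain itself is the indicator, it just is not a click on a lure. Tokens are worth keeping: the report says every recipient got a unique URI, so a token seen in the proxy log identifies which user opened the email, which is the first question incident response asks.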

China: Attacks on NRC (Canada)

Summary:

A “highly sophisticated Chinese state-sponsored actor” recently managed to hack into the computer systems at Canada’s National Research Council, according to Canada’s chief information officer, Corinne Charette. The attack was discovered by Communications Security Establishment Canada.

In a statement released Tuesday, Charette confirmed that while the NRC’s computers operate outside those of the government of Canada as a whole, the council’s IT system has been “isolated” to ensure no other departments are compromised.

Analysis:

Chinese APT (2PLA, People’s Liberation Army) has been active for some time now attacking Defense Industrial Base and other companies. However, of late they have changed tactics and added think tanks and other governmental bodies that suit their intelligence needs. In the case of the Canadian NRC (National Research Council), China seems to be looking for intelligence concerning matters of state with regard to Canada. This is an important pivot and shows that no group is beyond the interest of the Chinese state.

Syria/SEA (Syrian Electronic Army) Spreads False Rumors of Israel Nuclear Leak

Summary:

Hacker outfit the Syrian Electronic Army (SEA) cracked the Israel Defense Forces’ (IDF) Twitter account, where it posted a fake warning of a possible nuclear leak due to rocket strikes.

The group posted under the IDF (@IDFSpokesperson) account of a “possible nuclear leak in the region after two rockets hit [the] Dimona nuclear facility” which triggered a brief panic among some of the account’s 215,000 followers.

The SEA published a screenshot showing it gained access to the IDF’s Hootsuite dashboard, a Twitter client that manages public tweets and private direct messages. Israel’s defense force later apologized for the erroneous and alarmist tweet, advising users it was compromised and would “combat terror on all fronts including the cyber dimension”.

Analysis:

The importance of attacks like these is the use of disinformation and the open forum of Twitter. In this case there was a panic after such news (disinfo) was placed on the account’s timeline. However, in another case last year the same actors placed information that the White House had been attacked and that President Obama had been hurt. Once that news had been placed on the Twitter stream the stock market went down and panic ensued. These types of attacks can be powerful against companies as well and could cause financial and reputational loss. It is thus important to consider social media accounts as needing extra security attention, as they can be breached and misused in these ways.

DOWNLOAD-ABLE ODT FILE HERE

APPENDIX A: LINKS

http://business-technology.co.uk/2014/07/one-in-five-have-experienced-an-advanced-persistent-threat/

http://www.theguardian.com/technology/2014/jul/29/chinese-hackers-steal-israel-iron-dome-missile-data

http://www.nextgov.com/cybersecurity/2014/07/syrian-electronic-army-spreads-false-rumors-israel-nuclear-leak/87964/

https://news.vice.com/article/anonymouss-offensive-against-israel-reveals-the-splintered-state-of-hacktivism

http://www.ctvnews.ca/canada/sophisticated-chinese-cyberattack-targets-canadian-government-computers-1.1936800

http://www.tomsguide.com/us/facebook-self-xss,news-19224.html

http://bits.blogs.nytimes.com/2014/07/21/goodwill-investigating-possible-theft-of-credit-card-data/?_php=true&_type=blogs&_r=0

http://www.pcworld.com/article/2459240/android-vulnerability-allows-malware-to-compromise-most-devices-and-apps.html

http://www.ibtimes.co.uk/new-operation-emmental-malware-campaign-targeting-banks-various-european-countries-1458575

http://www.nbcnews.com/tech/security/nigerian-419-email-scammers-shift-malware-hacking-n163491

http://www.theregister.co.uk/2014/07/23/ruskie_vxers_change_dns_nuke_malware_in_swiss_bank_raids/

http://www.pcworld.com/article/2453100/malware-hidden-in-chinese-inventory-scanners-targeted-logistics-shipping-firms.html

http://www.theverge.com/2014/7/17/5912159/russian-malware-infiltrated-the-nasdaq-stock-exchange-says-businessweek

http://www.pcworld.com/article/2454840/ssl-blacklist-project-exposes-certificates-used-by-malware.html

http://nakedsecurity.sophos.com/2014/07/25/android-fbi-lock-malware-how-to-avoid-paying-the-ransom/

http://www.theregister.co.uk/2014/07/18/malware_linux_freebsd_web_servers/

https://www.securelist.com/en/blog/208214339/Microsoft_seizes_22_NO_IP_domains_disrupts_cybercriminal_and_nation_state_APT_malware_operations

Written by Krypt3ia

2014/07/31 at 21:03

Posted in OSINT

OPSEC In the Post Snowden World

with one comment


WWBD

OPSEC:

Operations security (OPSEC) is a term originating in U.S. military jargon, as a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.

~Wikipedia

I would take this definition further to include the tactics and methods of protecting your information from being compromised by the adversary. Compromise not only by technical means but also by social and other means as well (i.e. giving that information to the wrong people by being too trusting or careless with it). Given the focus I have seen online and in the media on “secure communications” by technologies that may or may not be worth trusting, I just can’t help but feel that the majority of people out there today concerned about their privacy or their security in communications will utterly fail in the end because they lack OPSEC awareness to start. Here are some key concepts for you all to consider as you download your fresh new install of TAILS with a vulnerable i2p instance and begin to wonder about the security of the product.. I will give you a hint… Unless you consider all these things you will fail at your security machinations.

Technology and OPSEC:

Screenshot from 2014-07-25 13:34:36

So you have a Laptop you bought new from your vendor and you have downloaded TAILS so you are good to go right?

No.

Consider these things before you begin your super sekret affair online…

  • Can you trust that that laptop doesn’t have some extra chips or other hardware installed? Have you taken it apart to see?
  • Are you even capable of looking at the mainboard and determining what if anything does or does not belong there?
  • Do you in fact own the pipe, the DNS, the router, or anything from the cable modem on your desk provided to you by the cable company? If not, then how do you know that the network is not already compromised?
  • The same goes for the hardware router provided to you as well as the COTS Linksys router you bought.
  • Can you trust the supply chain of the TAILS instance you downloaded to start with?
  • Can you sift through the code of that TAILS instance yourself to check if there is rogue code that allows for compromise and surveillance?
  • Can you truly say you are a master of your GPG/PGP public and private keys and processes to encrypt and send email to one another?
  • Can you say that you securely transmitted your keys to the other party in the first place? Or that your private key is not already compromised from an end point CNE attack?
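As an added illustration of the supply-chain question in the list above (this is example code, not something from the original post), here is the one check a user can actually perform on a downloaded image: stream it through SHA-256 and compare the result against the publisher's checksum manifest in constant time. The file name, contents and digests below are constructed for the demo. Real projects such as TAILS publish an OpenPGP signature as the authoritative check; a checksum hosted beside the download only catches corruption or a tampered mirror, not a compromised publisher, which is exactly the point being made here.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample data (not a real TAILS image or manifest): a stand-in for a
# downloaded image and the SHA256SUMS-style manifest a project publishes beside it.
SAMPLE_IMAGE = b"pretend this is the downloaded live-system image\n"


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream a file through SHA-256 so multi-gigabyte images never land in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(manifest_text):
    """Parse sha256sum output: '<hex>  <name>' or '<hex> *<name>' (binary-mode marker)."""
    expected = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the second separator space or the '*' marker
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed digest on line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_download(path, manifest_text):
    """Return (ok, reason). The comparison is constant-time; a mismatch means do not boot it."""
    expected = parse_sums(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return False, f"{name} is not listed in the manifest"
    actual = sha256_file(path)
    if hmac.compare_digest(actual, expected[name]):
        return True, "checksum matches"
    return False, f"checksum mismatch: expected {expected[name][:12]}..., got {actual[:12]}..."


def demo():
    """Write the constructed image, check it intact, then after one flipped byte."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "live-image.img")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_IMAGE)
        # The "published" manifest, built here from the clean file for the demo.
        manifest = f"{hashlib.sha256(SAMPLE_IMAGE).hexdigest()} *live-image.img\n"
        intact, _ = verify_download(path, manifest)
        # Simulate a tampered mirror: a single byte of the download changed.
        tampered = bytearray(SAMPLE_IMAGE)
        tampered[0] ^= 0x01
        with open(path, "wb") as fh:
            fh.write(bytes(tampered))
        after_tamper, _ = verify_download(path, manifest)
        # A file the manifest never listed is rejected before it is even opened.
        unlisted, _ = verify_download(os.path.join(tmp, "other.img"), manifest)
    return {"intact": intact, "tampered": after_tamper, "unlisted": unlisted}


if __name__ == "__main__":
    print(demo())
```

Running the block prints `{'intact': True, 'tampered': False, 'unlisted': False}`. The useful habit is the order of operations: fetch the manifest (and its signature) from a channel other than the mirror you downloaded from, verify, and only then write the image to media.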

All of these things are compromise-able and no one is a master of all things. Unless you build your own laptop from the ground up with hardware you checked at every step AND you never let it out of your sight then you cannot say that the supply chain has not been tampered with. Thus your security measures are potentially void.

The same can be said about the operating system on the laptop. Did you code it? Have you vetted it yourself? Sure, there is open source, but really, unless you do this yourself, how can you be sure? You can’t, really, so you have to have a measure of trust that it’s safe. But hey, now we are talking about nation state efforts to listen in and watch everything you do online, so really it’s game over, right?

There is no sure thing here. So you have to take this stance from the start that you are likely already compromised. You can now either attempt to game the system and have some modicum of security by using OPSEC and technical means or you can just say fuck it and not care. If you are in the former category then you can move on in this post and perhaps consider some other things you need to protect your secrets. If not, you can stop here and go back to your blue pill existence.

Nation State Surveillance and YOU:

So you have decided to read on.. Gut gut…

OPSEC is more than just technical means. As you can see from the above, nothing technical can really, truly be trusted, just as no one can really be trusted in reality. I am willing to bet many of the LulzSec gang trusted Sabu, didn’t they? I mean, after all, they made some stellar OPSEC failures in trusting him that ended up with them in prison, right? They also had technology fails too; I mean, Sabu was pinched when he logged into an IRC without a proxy with his own IP, so there ya go. It was partly technical failure and partly human failure. Had there been a bulletproof technology to obfuscate himself, Sabu would not be in the witness protection plan now and the kidz would not be in the pokey, right?

So let’s consider some other things outside of the technical 0day and hackery bullshit.

POSIT: The technology is already owned and there is nothing you can do about it.

CONSEQUENCE: All your communications even encrypted by these means are compromised

RESULT: Nothing you do or say should be trusted to be secure

So what do you do then? Do you just give up? Or do you try other means in a layered approach to protect your security? Let me give you a hint: “it’s the latter.” However, you have to be diligent and you have to follow some ground rules. Given that the documents from the Snowden trove show that if you just use crypto for your communications, no matter how banal, you are now a target of interest and collection, you have to consider using the Moscow Rules as a daily routine.

Now does this mean you are really an enemy of the state and in grave danger? No. However, the precedent has been set that we are all under scrutiny and at the whim of whatever algorithm flags us for traffic on the wire, as well as any analyst who might take an interest in you. What’s worse is that many times one might find themselves under suspicion for who they talk to or what they may say online in today’s world, and this is where we all should be very afraid. The Fourth Amendment is in tatters, kids, and what the state considers as papers or personal items does not presently include your phone or your computer files, according to many in power.

It’s Moscow Rules:

  • Assume nothing.
  • Murphy is right.
  • Never go against your gut; it is your operational antenna.
  • Don’t look back; you are never completely alone.
  • Everyone is potentially under opposition control.
  • Go with the flow, blend in.
  • Vary your pattern and stay within your cover.
  • Any operation can be aborted. If it feels wrong, it is wrong.
  • Maintain a natural pace.
  • Lull them into a sense of complacency.
  • Build in opportunity, but use it sparingly.
  • Float like a butterfly, sting like a bee.
  • Don’t harass the opposition.
  • There is no limit to a human being’s ability to rationalize the truth.
  • Pick the time and place for action.
  • Keep your options open.
  • Once is an accident. Twice is coincidence. Three times is an enemy action.
  • Don’t attract attention, even by being too careful.

So there you have them. This is most likely a fictional list that was used in some book or other, but the CIA and the Spy Museum seem to have grabbed these as useful. These come obviously out of the old days of spying in Moscow, which coincidentally had so much surveillance on its native populace that I have begun to feel a strange sense of deja vu lately about our own affairs of state. Of course we don’t have the omnipresent fear of being disappeared.. Oh.. Wait.. Never mind…

Ok so we don’t really get disappeared so often but we can be taken into custody, our things searched, and our lives ruined by the government all on alleged information that you cannot see because it’s been marked as “Secret” with a handy NSL attached. I guess maybe that is a kind of disappearing huh? Not exactly to the Gulag Archipelago but close enough to ruin you. I know some of you out there probably just thought I put on my tinfoil hat there but I have personally seen this shit in action and it ain’t pretty.

Anyway, back to the purpose here, OPSEC is what you need to practice and you have to make it second nature if you want to keep your secrets secret. Unfortunately if you are in the sights of the nation state then you are pretty much fucked. However, you CAN make it more difficult as long as you are diligent and smart about it. So here’s the short and sweet of OPSEC for you:

  • Trust cannot be implicit in technology or people
  • Study up on disinformation and other obfuscation techniques and use them as a kind of chaff to protect your real comms
  • Understand the adversary, their motives, their techniques, and their weaknesses
  • If you use a technology be sure that you are its master
  • Secrets are secret (first rule of Fight Club); keep them that way
  • COMPARTMENT THE EVERYTHING!
  • Layer your encryption techniques and if possible use an OTP
  • Go read up on TSCM
  • Go read up on Counter-Surveillance techniques
  • If they can’t get at you technically they will send in assets to get close to you
  • If they can’t get assets close to you they will use your friends
  • If they can’t get your friends, assets, technical measures to work they will go after you in other ways (think legal issues)

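As an added example of the “use an OTP” item in the list above (my code, not the author’s), here is a one-time pad in Python together with the failure mode that turns it into a “two-time pad”: reuse the pad once and an eavesdropper holding both ciphertexts gets the XOR of the two plaintexts, and knowing one message hands over the other. The messages and the pad are constructed inside the block. A pad has to be truly random, at least as long as the message, used exactly once and delivered over a channel you already trust, which is the same key-transmission problem raised by the GPG question earlier in the post.

```python
import secrets


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """XOR the message with a pad at least as long as it; the pad must be used once."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message: stretching or reusing a pad is not a one-time pad")
    return bytes(m ^ k for m, k in zip(plaintext, pad))


# XOR is its own inverse, so decryption is the identical operation.
otp_decrypt = otp_encrypt


def new_pad(length: int) -> bytes:
    """Pad bytes must come from a CSPRNG; secrets.token_bytes is Python's OS-backed source."""
    return secrets.token_bytes(length)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper gets for free when one pad protects two messages:
    c1 XOR c2 == m1 XOR m2. The pad cancels out and the plaintexts' relationship is exposed."""
    n = min(len(c1), len(c2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))


def recover_other(leak: bytes, known_plaintext: bytes) -> bytes:
    """Given m1 XOR m2 and m1, the second message falls out directly."""
    n = min(len(leak), len(known_plaintext))
    return bytes(a ^ b for a, b in zip(leak[:n], known_plaintext[:n]))


def demo() -> dict:
    """Constructed messages: a correct single use, then the reuse mistake."""
    m1 = b"meet at the usual place at 9"
    m2 = b"abort, the place is watched"
    pad = new_pad(len(m1))
    c1 = otp_encrypt(m1, pad)
    roundtrip = otp_decrypt(c1, pad) == m1
    # The mistake: the same pad is used for a second message.
    c2 = otp_encrypt(m2, pad)
    leak = two_time_pad_leak(c1, c2)
    expected_leak = bytes(a ^ b for a, b in zip(m1, m2))
    # Anyone who knows (or guesses) m1 now reads m2 without ever seeing the pad.
    recovered = recover_other(leak, m1)
    return {
        "roundtrip": roundtrip,
        "leak_equals_m1_xor_m2": leak == expected_leak,
        "m2_recovered_from_m1": recovered == m2[:len(recovered)],
    }


if __name__ == "__main__":
    print(demo())
```

The block prints `{'roundtrip': True, 'leak_equals_m1_xor_m2': True, 'm2_recovered_from_m1': True}`. The first value is the whole appeal of the pad (information-theoretic secrecy when used correctly); the other two are why “layering” it over another cipher does not save you if the pad itself is ever reused.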
I bet some of you are thinking I am a real paranoid freak right now. Well, welcome to the new age of the surveillance state kids. Get used to it. YOU wanted to play this game and now you are. Welcome to the big leagues.

K.
Written by Krypt3ia

2014/07/25 at 18:25

Posted in .gov, .mil, OPSEC

HOPE X Roundup

with one comment

Screenshot from 2014-07-21 09:55:50

HOPE X:

This last weekend was HOPE X held by the 2600 at the usual crumbling and fetid Hotel Pennsylvania. This go around I decided to attend because of the promise of all the talks surrounding the nation state surveillance today and a virtual visit from the Snowman himself. I booked my room at the Penn (I know.. bad idea really) and went in on Friday for the three days. What I got from attendance mostly was a sense of how crappy the Penn is again as well as how rough edged and lackluster the HOPE conferences have been over time. I also got to see my Twitter feed load up on hate for the con alongside the political tweets for and against it as well.

I left the con on Sunday morning with the final feeling being “Meh.” Of course this could be said about most cons for me now anyway. I said it on Twitter and I will repeat it here for you all.

“HOPE X = MORAL FAGS / DEFCON = Drink and then drink some more #hallwaycon”

That about sums up my feelings about conferences of late. Hope though was rather terrible.

Surveillance State:

So back to the whole politicizing of the con. 2600 has always been more political, so you kind of have to expect that. However, this year, after the Snowden revelations and the actual visit by Snowden via Skype, one was left with a sense of impotence due to the conference’s lack of cohesion. It’s true that the nation states of the world are spying on us all. The NSA is drift-netting all of the data on the networks it can and saving it for a rainy day. Abuses are happening and governments are lying, but even after Snowden’s discussion with Ellsberg I was left with a sense that nothing said was empowering.

Snowden exhorted the hackers to rise up and create better software and crypto which to me is something we all have been saying all along in the security community right? I mean if not saying make better crypto then we have been at least saying “USE IT!” right? Overall though, nothing really new came out of this discussion other than the usual cognitive re-assertions that Snowden did what was right and that we are all now living in a surveillance state. While I agree with this assessment for the most part I also did not feel at all energized by this talk.

Musings:

Overall I was not impressed by much at HOPE and would agree with many who say it is a crappy con. Some may say though it is what you make of it. In that vein I will say that the veal I had in Little Italy was fantastic, but the restaurant failed on the seconds of bread. No, really, the veal was a highlight. The conference did not teach me anything new and interesting, and the venue really did not lend itself to any kind of flow for traffic, so it was harder to attend anything you wanted to because you just could not get there. In fact my most prevalent thought each day was “FUCK I HOPE THERE ISN’T A FIRE! CUZ WE ARE ALL GONNA DIE!” That hotel needs to be torn down and something else built there… Seriously.

So on goes the politics of hacking… I personally believe things need to be done, but generally I did not feel that this con did anything in the way of inspiring anything in me but a low level of “get me the fuck outta here.”

K.

Written by Krypt3ia

2014/07/21 at 14:30

Posted in CON's
