Two thousand accounts and passwords for Tesco.com's site were dumped on Pastebin on 2/12/14 and set the news all atwitter about how Tesco had been hacked. The accounts and passwords have all been deactivated and changed according to Tesco, and if they had it their way I am sure they'd just like to move on. However, the news on the hack has so far been unclear as to how it happened. In looking around the usual dirty corners of the internet I have found a few details about how commonly companies like Tesco seem to have been the target of these kinds of attacks. I found trails of chatter going back to August of last year about how to abuse the Tesco online system to order goods and have them delivered in many places, as well as offers by coders of scripts and programs to carry out the kind of attack that seems to have befallen Tesco.
Tesco_Checker.exe and Freelancers:
One of the first hits that I located was talk of a "Tesco Account Checker" program back in October of last year. I was unable (as yet) to locate a live download of the program, but above you can see a screen shot of one of the common file sharing sites where it was hosted back then. This program allegedly works by inputting user IDs (emails) and passwords, submitting them to the site, checking for an HTTP 200 response (a naive test on its own, since many sites return 200 for a failed-login page too; checkers usually key on a redirect or a string in the response) and outputting a report much like what was uploaded to Pastebin recently. In other words it is a credential-stuffing tool: it tests credential pairs, typically harvested from other breaches, against the Tesco login rather than attacking Tesco's systems directly. In fact there are many offerings out there for these kinds of scripts and programs that will work on many sites, and some of them have a brute force element as well. It has yet to be determined, though, whether the Tesco event was an actual hack on their systems or whether the Pastebin dump was just a shot over the bow from data gathered elsewhere and tested with a new tool. Of course Tesco was also not very strong on their password security or their practices here, with six character non-complex passwords and a tendency to send password resets in clear-text email. These factors may also have been at play in this dump of the two thousand accounts actually occurring, but it still doesn't explain why someone would just dump them there and not use them.
Tied to the scripts and programs being created for checking accounts at Tesco and elsewhere, the carding forums make their appearance, selling the data culled as well as giving short tutorials on how to check balances and the like. As seen above there are at least two different groups of carders involved in this incident (v3ch4j.cc as well as tuxedocrew.biz), so it may be that more than 2k accounts were compromised and that they are being sold on closed markets today. It does seem though that these guys are in it to purchase goods and have them shipped, as Tesco is an online supermarket. There are posts asking how to get food sent and how to scam the site to get that food, so this appears to have been going on for some time. Tesco users may want to check their accounts for small charges that may have gone unnoticed, and Tesco themselves should be running a full scale DFIR effort on their systems to see just what has happened here.
The overall analysis here is that Tesco was using insecure processes to generate passwords and to reset them for people (in the clear in email), and had perhaps been under attack for some time (since last summer really) by these attackers. Probes of their site should have been noticed, and one would hope that Tesco would have some sort of intelligence gathering to tell them when these types of campaigns are being created. My Googling only took about 15 minutes and I had a plethora of data on who was talking about this script as well as methods to cheat Tesco out of goods online. The upshot here is that these guys weren't really hiding very well and this stuff should be monitored. If they had been paying attention they might have noticed Moad Abo Al Sheakh (G+ above), who posted a tutorial on using the Tesco account checking tool on his blog under the title "no secret her" and, aside from his poor typing/spelling skills, lays it out pretty plainly. Overall this isn't an attack on the scale of Target in terms of interest, but it does show just how poorly some places treat security as a primary goal, only to get popped and dumped on Pastebin.
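The probes described above leave a signature in authentication logs that is easy to pick out once someone looks: one source hitting the login endpoint with many distinct usernames in a short window, nearly all of them failing, with a handful of successes that are exactly the "valid" pairs the checker reports. The following Python is an added example, not Tesco's code and not the checker tool itself; it assumes a hypothetical application auth-log format (one line per login attempt), the log lines are constructed for the example, and the thresholds are illustrative.

```python
"""Detecting account-checker (credential-stuffing) runs in auth logs.

Added example; assumes a hypothetical application auth log with one
line per login attempt. Sample data is constructed, not real Tesco logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: <ISO8601 ts> ip=<addr> user=<id> result=OK|FAIL ua="<agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>OK|FAIL) ua="(?P<ua>[^"]*)"$'
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed sample: a legitimate user who mistypes once, then an
    account checker from 203.0.113.5 testing 30 credential pairs in 30 s,
    two of which turn out to be valid."""
    lines = [
        '2014-02-12T03:14:01Z ip=198.51.100.7 user=alice@example.com '
        'result=FAIL ua="Mozilla/5.0 (Windows NT 6.1)"',
        '2014-02-12T03:14:09Z ip=198.51.100.7 user=alice@example.com '
        'result=OK ua="Mozilla/5.0 (Windows NT 6.1)"',
    ]
    start = datetime(2014, 2, 12, 3, 20, 0)
    for i in range(30):
        ts = (start + timedelta(seconds=i)).strftime(TS_FMT)
        result = "OK" if i in (4, 17) else "FAIL"
        lines.append(f'{ts} ip=203.0.113.5 user=u{i:03d}@example.net '
                     f'result={result} ua="Mozilla/4.0"')
    return lines


def parse_log(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
        events.append(ev)
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=10, min_fail_ratio=0.8):
    """Flag any source IP that, within `window`, tries at least `min_users`
    distinct usernames with a failure ratio of at least `min_fail_ratio`.
    A normal user retrying a typo has one username and a low ratio; a
    checker has many usernames and almost all failures. Returns the widest
    qualifying window per IP, including the usernames that succeeded."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        lo = 0
        for hi in range(len(evs)):
            # advance the left edge until the window fits
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            win = evs[lo:hi + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["result"] == "FAIL")
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "ip": ip,
                        "first_seen": win[0]["ts"].strftime(TS_FMT),
                        "last_seen": win[-1]["ts"].strftime(TS_FMT),
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 3),
                        "valid_hits": sorted(e["user"] for e in win
                                             if e["result"] == "OK"),
                    }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(parse_log(build_sample_log())):
        print(f"{f['ip']}: {f['distinct_users']} users / {f['attempts']} attempts, "
              f"fail ratio {f['fail_ratio']}, valid hits {f['valid_hits']}")
```

Run as-is this reports one finding, for 203.0.113.5, with 30 usernames over 30 attempts and two valid hits; the legitimate user's retry is not flagged. The user-agent is parsed but deliberately not scored, since a checker can send whatever string it likes. The failure ratio is required alongside the distinct-user count because shared NAT and corporate proxies legitimately produce many users per IP, but with normal failure ratios; thresholds should be tuned against real traffic before alerting on them.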
Fazio Heating & Cooling Phished via OSINT:
With the release of Brian Krebs' article on the Fazio Heating phish and the use of their credentials in the Target TTCE/POS hack comes the notion that the criminals potentially used OSINT to carry out their crime. In looking at the sites that Brian has posted about you can see that there is a plethora of data available for an attacker to footprint Target as well as the eventual partner or supplier that turned out to be Fazio. By using common tools and techniques it is quite possible that the Lampeduza Republic or proxies thereof carried out the intelligence gathering needed to determine whom they should target in order to garner access to the Target networks via portals like the supplier portal mentioned in the article. What may in fact be the case, though, is that Fazio was just one target of a phishing campaign directed at all of the vendors that could be gleaned from the site leakage online (i.e. doc, pdf and xls files containing metadata such as author names, as well as direct data on companies and contacts, all of which can be harvested through Google and Maltego). All of this data could well have been used to set up phishing campaigns for any and all vendors found, in the hope that the criminals would be able to gather access credentials for the Target network to carry out the next phase of the operation.
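What that footprinting looks like in practice, as an added example (not code from Brian's article or from any group named here): published Office documents carry the author, the last editor and the company name in docProps/core.xml and docProps/app.xml, and PDFs carry the author in their /Info dictionary, so a harvester needs nothing beyond the standard library. The two documents below are constructed in memory with fictional names; the metadata field locations are the standard ones, and the PDF regex is an assumption that only covers uncompressed, literal-string /Info entries.

```python
"""Harvesting contact metadata from published documents for phishing targeting.

Added example; the docx and pdf below are constructed in memory with
fictional names. Metadata locations are the standard ones: Office
docProps/core.xml + docProps/app.xml, and the PDF /Info dictionary.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+")
# Only uncompressed, literal-string /Info entries; /Info stored inside an
# object stream would need a real PDF parser.
PDF_FIELD_RE = re.compile(rb"/(Author|Creator|Producer|Title|Subject) \(([^)]*)\)")


def build_sample_docx():
    """Constructed vendor-facing Word document (fictional names)."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            '<dc:creator>j.smith</dc:creator>'
            '<cp:lastModifiedBy>Jane Smith</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    app = ('<?xml version="1.0" encoding="UTF-8"?>'
           f'<Properties xmlns="{NS["ep"]}">'
           '<Application>Microsoft Office Word</Application>'
           '<Company>Example Retail Corp</Company></Properties>')
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           '<w:body><w:p><w:r><w:t>Vendor questions: vendor.support@example-retail.com'
           '</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


def build_sample_pdf():
    """Constructed minimal PDF carrying an /Info dictionary (fictional names);
    enough for metadata harvesting, not a renderable page."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog >> endobj\n"
            b"2 0 obj << /Author (Bob Jones) /Creator (Microsoft Word) "
            b"/Subject (HVAC maintenance schedule, contact bob.jones@example-hvac.com) >> endobj\n"
            b"trailer << /Root 1 0 R /Info 2 0 R >>\n%%EOF\n")


def harvest_docx(data):
    """Pull creator / last editor / company / embedded emails from a .docx."""
    rec = {"creator": None, "last_modified_by": None, "company": None, "emails": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            rec["creator"] = root.findtext("dc:creator", namespaces=NS)
            rec["last_modified_by"] = root.findtext("cp:lastModifiedBy", namespaces=NS)
        if "docProps/app.xml" in names:
            rec["company"] = ET.fromstring(z.read("docProps/app.xml")).findtext(
                "ep:Company", namespaces=NS)
        # body, headers and footers all live under word/
        for name in names:
            if name.startswith("word/") and name.endswith(".xml"):
                rec["emails"].update(m.decode() for m in EMAIL_RE.findall(z.read(name)))
    return rec


def harvest_pdf(data):
    """Pull /Info string fields and any embedded emails from a PDF."""
    fields = {k.decode().lower(): v.decode("latin-1") for k, v in PDF_FIELD_RE.findall(data)}
    # /Creator in a PDF is the producing application, not a person
    return {"author": fields.get("author"), "application": fields.get("creator"),
            "subject": fields.get("subject"),
            "emails": {m.decode() for m in EMAIL_RE.findall(data)}}


def build_contact_list(records):
    """Fold harvested records into the people / emails / companies a
    vendor-phishing campaign would be built from."""
    people, emails, companies = set(), set(), set()
    for r in records:
        for key in ("creator", "last_modified_by", "author"):
            if r.get(key):
                people.add(r[key])
        if r.get("company"):
            companies.add(r["company"])
        emails |= r.get("emails", set())
    return {"people": sorted(people), "emails": sorted(emails),
            "companies": sorted(companies)}


if __name__ == "__main__":
    print(build_contact_list([harvest_docx(build_sample_docx()),
                              harvest_pdf(build_sample_pdf())]))
```

Against the two constructed files this yields three names, two addresses and one company from documents that say nothing about any of them in their visible text, which is the point: the defensive fix is to strip document properties before publishing and to assume that anything in a public vendor portal is already in an attacker's target list.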
Side Channel Attacks:
In this case it is being suggested that Fazio's access to the extpol.target.com site/application may have come with AD credentials that either had too much access to start with or were used to escalate privileges on the server/system/application to exploit a core server inside the TTCE. While this is possible, one has to wonder if that is indeed the case or whether there was some other access that Fazio may have had. It seems on the surface of it that access to this server and the lack of segmentation allowed the exploit to be carried out and access granted to more of the internal networking within the Target TTCE. The fact that at present people are saying (off the record and anonymously) that Fazio was the epicentre of the access that caused this data theft points to a type of attack more common to a planned and funded style of operation called APT. The side channel attack here (what would more commonly be called a third-party or vendor compromise) is first foot-printing all the companies that do business with the target and then either choosing one to phish or hitting them all to see what access could be stolen for escalation. This is a common APT tactic and bespeaks more planning than the usual phish of a company like Target (the shotgun approach, as Brian says) followed by exploitation to steal data. From all evidence thus far, this seems to be a very well thought out campaign, from the creation of the malware (BlackPOS) to the phish and the exfiltration of data.
APT Activities by Non State Actors:
Up to now the focus of all of the APT talk has been on nation state actors. I would like to point to the Target hack and the Lampeduza as evidence (so far) that we are now seeing a non nation state actor taking cues from all of the talk about the APT and using those techniques to their own advantage. It is of course not difficult to carry out these types of attacks in an orderly and persistent manner; it just takes an organization that is motivated and able to handle the work. I would say that the Lampeduza show this kind of regimented behaviour as well as a motivator in the dumps of cards and easy money from their sale. The point is that the APT genie is out of the bottle and anyone with the means and the will can now carry out APT style attacks by using OSINT and other common hacking techniques to commit their crimes, so no, it's not China all the time, is it? This case as it unfolds should be watched by everyone in the infosec community because these types of attacks are only going to become more common and will not reside solely within the sphere of nation states and espionage.
The ongoing fallout from the Target compromise is becoming more and more interesting and instructive on many levels for the security community as well as the populace at large. The attack vectors are leaking out slowly and I am sure that some day soon there will be an explanation from the DFIR folks hired by Target and the USSS as to what really happened. In the meantime information like Brian's is very illuminating as to how things may have happened, and with the direction things are taking currently it would seem that this attack and exploitation cycle was rather well thought out. As you have seen in my previous post, the Lampeduza, while flamboyant, also show that they seem to have a sense of hierarchy and military ethos that I can see fitting well into a criminal league who use APT techniques to get into systems, exploit them, and then keep the persistence as long as possible as they exfil their desired data. That these guys also seem rather blatant about their sites and their actions only seems to be an exceedingly large case of hubris that may eventually get them in trouble, but that is for the future to hold. As well, if it wasn't the Lampeduza who carried out the attacks, then whoever they are working with or hired has been studying the APT in the news cycle too. Either way, this was a slick attack and I look forward to seeing where all this leads.
Exploiting The X-Ray Machines, TIPs, & TSANet:
A few years ago I worked with a startup whose main goal was to protect the L3/Smith/Rapiscan machines from compromise by physical and network attacks. At the time the claim was made that the systems were not connected to any networks, were in fact islands, and that this type of attack was not a real problem. Of course in the process of assessing these machines (one of them in a garage with an explosives expert) it became quite clear that these machines were wholly insecure and likely to be compromised at some point to allow things through the system. The connectivity issues aside, physical access to the systems could be procured by saboteurs working in TSA, and local compromise of the weak OS (Windows 98 as well as XP based, as the Wired article states) could be carried out locally with a USB drive. So when looking at the threat-scape and reporting back to TSA and the makers of these machines it was clear that this type of attack could be possible, but my issue was whether or not there was a probability of it being used as an attack vector. When talk started about networking these machines as well as others (i.e. bomb sniffers) to the TSANet, the startup changed direction a bit and began to work on the idea of a SOC to monitor the machines and the network to ensure no tampering had been carried out. Unfortunately though the TSA and other entities did not really buy off on the idea, and in fact the technologies on the systems did not make it easy for any kind of monitoring to be carried out. I went on my way having had a good insight into how TSA/DHS detection machines worked, and had fun with the explosives expert messing around with the technologies and talking about red team exercises he had carried out in the old days with simulants. Then I saw the article in Wired yesterday and hit up my explosives and machine experts, who got a bit unhappy with the article.
Exploit to Terrorism:
The Wired article, on the whole of it, is correct: it is quite possible to insert those already pre-made images into the system, because that is how it is supposed to work. The article though mentions being able to insert socks over a gun, for example, in an image to cover up the fact that the gun is there. This one point was vehemently refuted by the guys I worked with as too hard to pull off live, and, as I agreed, it would just be easier to pass along a similar pre-imaged bag image itself instead of trying to insert an image into an image to obfuscate things. I think perhaps the reporter got that idea a bit wrong in translation, but perhaps the researchers thought they could pull that off. Either way, this brings up the larger issue of whether the exploit would be used at all. In hacking, as in terrorism, attackers often opt for the path of least resistance. In this case I personally don't see this type of attack as the first go-to for any attacker. I think it would be much more advantageous and easier for the attackers to use insiders to allow things to get past the systems, or bypass them altogether, to effect their goals. This type of attack has been seen before within airport security mechanisms with regard to thefts and smuggling, so it is more likely that if AQAP were to attempt to board a plane with guns or other explosives they would use insiders to pass them through the system without being seen by any X-ray or bomb detection at all, and not attempt to hire hackers to compromise a networked machine or physically access one to pass a gun or guns through the TSA line. This also is why at the time of 9/11 the 19 hijackers went for the very low-tech solution of box cutters to take over planes and use them as missiles against buildings; it's just the path of least resistance.
Failure Rates on X-ray and MM Wave Results:
Meanwhile the TSA has never been seen as a bastion of security by the public from day one. As time has progressed the people of this nation have realized that much of the function of the TSA seems to be to harass the passengers and provide a simulacrum of security that really isn't there. How many times have you, dear traveller, passed things through security, primarily the colour X-ray Smith/L3/Rapiscan machines, without even trying? I have gone through TSA on many occasions with forgotten knives and other things that are forbidden and TSA completely missed them on the scans. Once again I would point to the systems being insecure or the processes being lax as what would lead to a compromise of the overall security, and not so much a hack on a Smith machine, for a terrorist attack's success. A recent OSINT search in Google turned up an interesting document: an OIG assessment of Hartsfield, Atlanta's airport, that shows how this airport at least was not following the processes and procedures whose absence makes an attack much easier for the prepared aggressor. There are other documents out there and you can go dig them up, but the point is that if you are not carrying out the policies and procedures, the technologies will not prevent their being bypassed. Additionally, there are issues around the technologies' accuracy that have been addressed by the makers of the machines and the government, so these systems are in no way foolproof and it requires vigilance to make them work well. The net/net here is that the technology can fail, be tampered with, or be bypassed altogether without the need for an exotic and technical exploit series to be carried out on them to further a terrorist attack.
My analysis here is that yet again the research is valid, but the hype around the revealing of such research at places like the recent Kaspersky Security Analyst Summit is just a way to garner attention. Much like the issues with the power grid and physical attacks, which I profiled last on this blog, we are enamoured with the idea of cyber attacks as a vector for terror, but the realities are somewhat more mundane. A physical attack or an insider attack is much more probable in this case, as in the power systems attacks, as the main modus operandi, not an elaborate hack of insecure machines that will require access to begin with. At such time as we have networked all of these machines (remember many are islands presently) we will have to address these issues much more closely, and yet still, this attack vector may be sexy to the hacker set but not so much to the terrorist set today. The machines are insecure though; the researchers are bang on about that and these issues should be addressed, but then you have to look at the government procurement process as well as the corporations that do not want to have to re-architect their systems completely. It was a pain to try to get these makers to add APIs to their code in order to allow for remote monitoring by a SOC, so think about telling them that they have to not only harden their systems but also re-architect them completely to run on something more advanced than Windows 98. I would also point you all to the recent revelation that 94% of the ATMs in the world still run on Windows XP... How about an upgrade there?
Physical Attacks on Grid Systems As Terrorism:
The fear of cyber attacks on the grid (or more to the point, on transformers and power stations) has been in the news cycle incessantly since Stuxnet made the news back in 2010. The fixation on the cyber world has really occluded the fact that physical attacks against power systems are the easiest to carry out, and that outages often occur not by attack per se but through acts of nature like squirrels or tree branches. The recent re-hash of a story that happened last April in California is a case in point of hype, as well as a real cause célèbre being propagated by the former head of FERC, Jon Wellinghoff. Speaking on NPR and other news outlets he makes it clear that not only can a branch cause a blackout like the one in 2003 that took out the east coast, so too can an attack like this at strategic points in the country. While Mr. Wellinghoff is absolutely correct here, the news is making this more of a terrorist scenario than the FBI is willing to label it, for the sake of website hits, but perhaps that is what is needed to effect change here. Wellinghoff is in earnest talking about how FERC and the government have done nothing substantive to build in redundancy to protect the grid from such physical attacks, or from accidents such as the aforementioned tree limb in 2003. So really, can you blame someone like Wellinghoff for using the media to point out these issues and perhaps get them really addressed instead of spending millions and millions on alleged cyber vulnerabilities?
After the attack in San Jose, Wellinghoff says, he went to the scene with a team of Defense Department specialists who train special forces personnel. They found evidence of pre-planning — including piles of stones to apparently mark locations from which to shoot. The specialists also told Wellinghoff it’s their opinion that a lookout monitored police radio traffic — and raised an alert as officers came near. Otherwise, Wellinghoff says, shots might have taken out three more transformers and power to Silicon Valley might have been threatened.
What stands out here, though, and what the FBI is not calling terrorism (while allowing that perhaps it was domestic terrorism, or even testing and planning), is that the attackers in California were motivated and rather methodical about their attack, as Wellinghoff noted after visiting the scene with some commandos who assessed it. So we have a set of attackers who planned their operation by casing the power station and seemingly had knowledge of what to hit in order to cause a systems failure for that area. Such information could be gathered from Google Maps as well as by going on site, and the same goes for information on power station plans and manuals, as I have written about before on here. Does this, though, tell us that it was a probative attempt at a larger plot to attack the power grid by some terrorist group? Or does this say that there may in fact be a group of kids who decided to live out their dream of a commando raid black op outside of their Xbox? No one can really say definitively and only speculation thus far has been spun in the news cycle, but nevertheless the truth of the matter is that power stations on average are vulnerable to physical attacks.
Cause and Effect From Physical Attacks to Infrastructure:
Another truth is that there is an obvious cause and effect if one were to attack the right areas of the grid. As we saw from the great blackout in 2003, if you overflow or underflow the system it can have a domino effect depending on the time of day, time of year and weather conditions at the time. If you were going to attack the grid there are about 5-6 places I can think of that you would want to attack simultaneously to cause a cascade that would potentially affect a large swath of the country. These attacks could be like the one in California but most likely would be something along the lines of explosives, or even crashing something into the stations to start the dominoes falling. One would have to have a good working knowledge of how the system works overall and how the interlinks work across the country to do this, and it would have to be a concerted effort with more than a few people. Still though, to what end would this all be done? So the power goes out and perhaps everyone will know it's from an attack of some kind, but really, then what? This attack scenario, to me, would only be of real use to a nation state, and then in tandem with an invasion force on the continental US. So for terrorism's sake would it really be worth it? This is not to say that some actors just might do it to "watch the world burn", as it were, so it is not inconceivable that someone could pull it off on a small scale like in California.
Another not really discussed possible effect from such attacks might be losses in the markets, both in the general markets and directed losses for the power companies. Such attacks would cause prices to fluctuate as well as instil fear that the companies cannot protect their systems. This too would put doubt into the picture concerning the national infrastructure's overall security and any and all regulation thereof. So an attack would not only leave us in the dark but could be used as a financial weapon as well. The cascade failures would also leave the power companies having to re-tool their systems and upgrade the infrastructure as a whole, which would then have financial effects on the end users by way of fee increases. It is a web of more than just physical lines, heat, and power, isn't it? There are many scenarios here that we could cover, but let's just leave it at the idea that a physical attack is quite possible, as well as one that could be carried off to darken a great swath of the nation. However, who would do so, and what else would they be up to after they did so? What is the aim here, and what is the bigger picture?
This story has been burning up the wires for a day or so now and people are all asking, why now? Well, the why is because of Mr. Wellinghoff; he has been pimping this story along with the Wall Street Journal, and rightly so if we are to face facts that these stations are poorly protected. However, I would like to point out some things here that one should consider concerning this story:
- The attack in California was carried out by individuals who had some operational security knowledge, in that they had cut the lines to prevent automated alerts, but anyone with sufficient will could do this, even teens
- The California attackers also planned out where to shoot from with regard to their weapons (AK-47s, it seems), and at 60 yards they are not "snipers", nor are AK-47s considered sniper rifles. Had these attackers had Barretts or some other .50 cal with depleted uranium rounds that'd be a different story altogether
- The FBI is saying this was not terrorism so what was it?
- Could it be possible that someone could be making the point by action, to give someone like Mr. Wellinghoff ammunition to make a case for securing these systems over spending all the money on cyber attacks? He says outright in his NPR interview that he believes the cyber attack scenario is much less a possibility or a threat than an actual physical attack.
- For all we know this caper was pulled off to black out a local jewelry store for an epic heist and not actually as some pre-cursor to an all out attack on the USA.
While I think this core story is much ado about nothing, the point being made by Mr. Wellinghoff is absolutely valid. Will changes be made to protect these systems? Will new walls be put up and more security laid on to prevent such attacks in the future? Well, let me point you back to Mr. Wellinghoff's point on what happened after the 2003 incident in the Northeast: FERC was not mandated by Congress to make any redundancy changes or upgrades by law. So there you have it. Unless something really serious happens nothing will change, so do go to sleep at night in the warm blanket of governmental ineptitude. Maybe, just maybe, the lights will still be on in the morning.
Operation: ROLLING THUNDER:
It has come to light that GCHQ (the UK's NSA) took action against Anonymous by DDoS as well as the use of HUMINT and malware attacks to attempt to dissuade them from further actions. While this may be a surprise to some, it is just a matter of action and reaction in the hive mind of the IC. Of course at one time there may have been more trepidation about carrying out direct action against, quote unquote, "dissidents", as some may call Anonymous, but those days are long gone and one of the primary reasons such actions are easily rationalized now is terrorism. Terrorism used to mean blowing things up or taking hostages, but now, with the 5th domain of cyber, that equation has changed greatly in the eyes of the world's governments. Of course in this case it was the British carrying out the covert actions against the Anonymous servers and users, and as many know the Brits don't have the most stellar free-speech record (D-Notices) and have a different perspective on what people have the right to do or say that may be considered civil disobedience. However, I should like to point out that it is highly likely that the UK did not act alone here and that it is probable that the NSA and the UKUSA agreements were in play as well. I once sat on a panel at Defcon where I warned that these types of tactics, as well as others, would be used by the governments of the world against the Anons if push came to shove, and it seems that I was not far off the mark. We have crossed the Rubicon and we are all in a new domain where the rules are fluid.
Civil Disobedience vs. Criminality In Anon Actions:
Some have written that these actions now revealed by Snowden show that we are all in danger of censorship and of direct action if we say or do things online that a government or agency doesn't like, and they are correct. It really is a matter of dystopian nightmare import when one stops to think that those GCHQ and JTRIG were carrying out netwar on were not state actors, nor really terrorists by definition (yet). The rationale, I am sure, is that the C&C of Anon needed to be taken out because they were "attacking" sites with DDoS or other actions (hacking in the case of LulzSec) and thus were a clear and present danger to... well... money, really. While some consider DDoS a form of civil disobedience, others see it as a threat to the lifeblood of commerce as well as a portent of larger attacks against the infrastructure of the internet itself, or perhaps the power grid, as we keep hearing from sources who really haven't a clue how these things work. Sure, there were criminal actions taken by Sabu and others within the collective as well as the splinter cell that was LulzSec/Antisec, but most of the activity was not anything that I would consider grounds for covert action. That JTRIG not only used malware but also HUMINT and SIGINT (all things used in nation state covert collection and action) shows that they were genuinely afraid of the Anons and Lulzers and that their only solution was to reciprocate with nation state tools to deny and disrupt their cabal. I think though that most of the justification the IC had was the fact that they "could" do it all without any sanction against them, because it was all secret and they hold the keys to all of the data. Of course now that is not the case, and they should be held accountable for the actions they took, just as the CIA has been, or should have been, in the past over, say, the covert action in Nicaragua.
I don’t think this will happen though so what will really only come out of this revelation is more distrust of governments and a warning to Anonymous and others about their operational security.
Cyber Warfare and Law:
What this release shows most of all, though, is that the government is above the law, because in reality there is very little real law on the books covering the 5th domain of cyberspace. As we have seen in the last few years, actions taken in cyberspace, both on the nation state level (think APT tit for tat) and criminal actions such as the Target hack and all the carding going on, have rapidly outpaced any kind of law. In the case of the US government, the military has far outstripped the rest of government where this is concerned, with warfare units actively being formed and skills honed. All the while the government(s) has/have failed to create or amend any of the current law concerning cyber warfare in any consistent manner. So this leaves us with warfare capabilities and actions being carried out on a global medium that is not nation state owned but globally owned by the people. Of course this is one of the core arguments over the internet: its being free and a place of expression, whereas corporations want to commoditize it and governments want to control it and make war with it. This is all muddled, as the people do not truly own the infrastructure, corporations do, and well, who controls what then without solid laws? Increasingly this is all looking more and more like a plot from Ghost in the Shell SAC, with government teams carrying out covert actions against alleged terrorists and plots behind every bit passing over the fiber. The upshot though is that as yet the capacity to carry out actions against anyone the government sees as a threat far outstrips the laws concerning whether those actions are illegal, just as much as the illegalities of actors like Anonymous. The current law is weak or damaged and no one has really stepped up in the US yet to fix even the CFAA in a serious way.
Covert Actions, HUMINT, and SIGINT:
When I was on the panel at DEFCON I spoke of the governments and agencies likely using disinformation and other covert actions against the digital insurgency that they perceived was being levied against them. Now, with the perspective of the Snowden collection, it is plain to me that not only will they easily make the call to carry out actions against those they fear, but also that those actions are myriad. If you are going against the nation state by attacking its power elite or its interests, expect the actions taken against you to be swift and unstoppable. In the case of the DDoS this was just a tit-for-tat disruptive attack that seemed to have worked on some. The other, more subtle attacks of hacking via insertion of malware through phishing, and intelligence gathering by using spiked links and leverage against providers, show how willing they were to effect their goals. Now consider all that we have learned from Snowden and conjure up how easy it is today, with NSLs and obfuscated secret court rulings, to collect data wholesale from the internet and its infrastructure. You should be scared. Add to this the effect of the over-classification of everything and you have a rich environment for abuses against whomever they choose, no matter how many in the IC say that they are to be trusted. The base fact is this: the internet is the new battlefield for war as well as espionage, not just criminality and law enforcement actions. If you are considered a threat by today's crazy standards, where terrorism is everywhere, then you too can have your data held in Utah where someday someone could make a case against you. Some of that data may in fact come from direct covert actions against you by your government or law enforcement, per the rules today as they stand.
The final analysis of this leaked presentation and the actions alleged to have been taken against Anonymous is that there is no real accountability, and that secrecy is the blanket for covert action against non-combatants in any war. We are in a new dystopian nightmare where cyberwar is concerned, and there is a lot of fear on the government's part about attacks that could take down grids (misinformed fears, really), as well as a ravening by some to be "in" on the ground level of carrying out such warfare. Without proper laws, nationally and internationally, as well as proper oversight, there never will be an equitable way to classify actions in cyberspace as criminal, grounds for war, or civil disobedience, just as there will always be a high chance of reciprocity that far outstrips a common DoS. The crux here is that without the proper laws you, as a participant in a DDoS, could be sanctioned for attack and then over-prosecuted for your actions, as we have seen these last few years. Without a solid legal infrastructure and a Geneva Convention of sorts concerning cyber warfare, no one is safe. As an ancillary point I would also say to all those in Anonymous, and in any other collectives that may rise, that you should be very careful and step up your OPSEC and technical security measures if you are going to play this game. As we have seen, many of the key players in Anonymous and LulzSec were caught up with and are in legal trouble, just as much as the guy who decided to join a DoS for a minute and was fined a huge amount of money for his trouble. Remember, it's all fun and games until the governments of the world decide that it's not and want to squash you like a bug.
A connection passed me this little missive from a jihadist board this morning and I couldn't pass up writing about it. The poster is a fairly new one (his account dates from Nov 2013) and he is writing about how the jihadist boards have pretty much turned into traps run by the security services to break the brothers' jihad. While much of the post is pedantic, there is a core of truth to what the guy is saying, no matter how poorly he writes about it. The fact of the matter is that many of the sites out there have always been poorly secured and subject not only to agent provocateur attacks but to DDoS as well. Khaled wants not only to warn about the insecurity of much of the boards but also to propose new means to protect the brothers from being captured. While he lacks any real technical specifics, he is alluding to issues that they do have and that he half understands. In all, an interesting read, and I thought it would be for you all as well. Please forgive some of the crudity of the translation, as I am not yet fluent in written Arabic, but I think I worked it down to the gist of it.
Khaled Musli writes….
In the name of God the Merciful Peace and blessings be upon His Messengers and his family and followed them until the Day of religion.
Triangle of terror in the forums is :
The forum hosting company where members write and do not know of the security apparatus follows!!
The forums were a blessing and a gift of God Almighty to see religion and belief and the search for news of the Mujahideen in the squares jihadist turned to tyranny under the hammers and the plight of a curse and a means to discredit and handcuff and restrict votes and hands ! It’s the same traps that were previously exercised .. But this time it electronically ! What is the saddest technology while turning into a weapon , however, and the darkness of tyrants and enemies !
But before then :
Jihadist forums , the story of excitement and crying at the same time! Soul-searching on the other, and the journey of self-affirmation with others.
The Islamic index launched all models Brotherhood and mystic , etc. .. Then came the jihadist forums.. The number does not exceed the fingers of one hand , it was a new phenomenon on the Internet audience! Where he became a man feels that he reveal what is inside without supervision or control , was expressing his faith and exactitude of the Lord by denying him the reality and the environment!
This Phenomenon was attractive , especially as it allows you to call yourself names new sail where the character of (different) about the real personality ! (aliases)
A new way started from the point of expression to the point of promoting thought and ideology then came fake masks (users) from other countries and intelligence and security apparatus’ After this massive development witnessed by the jihadist forums during Alsnouattalmadih there had to be a careful and accurate study of this phenomenon which is now affecting the Muslims in our country especially the Islamic and even the media ! !
The jihadist forums evolved so dramatically in recent years where development and there has been a growth in diversity and subtraction and expansion in the Internet audience in them. This development was most exciting and its transformation into a media spreads in alleys of the scientists of truth and quacks, and unknowns both naive and smart good and bad. The intelligence and the bad guys have been the hunted and hunter !
The forums spread the word of jihadist Almzakah , and thereby helped by programs to provide forums and ease of hosting and installation appeared to separate the wheat from the chaff but soon this began deteriorating , back to a lack of creativity and underdevelopment about the reality of the nation in all its details in these forums ! !
There were several people in the doctrines of the label :
Itzmy, his real name or a part of his real name ( and this is very rare ) and some Itzmy loved loved their character or were influenced by him and on behalf of some specific code or loved admire him or battle or incident or event or history or geography ! Some names Itzmy intellectual of the names of groups to the currents of ideas to beliefs ! But behind these names were hiding and a variety of different personalities all share in wearing masks made available to it forums !
When he woke up the other party :
Then evolved phenomenon where the forums became the largest gathering of spying and surveillance helped in that this rush is limited and non-formal and informal sectors of the large numbers of oppressed peoples and thought it a good opportunity to unload their repressed thoughts and feelings from all these years of injustice and tyranny …oppression and tyranny !
The reason for this is that the phenomenon made it a breeding ground for Investigation and Intelligence in the Arab world. I realized that these gatherings can be exploited for certain goals by opposition groups whatever the quality of the opposition the victim went so young and the needy and were duped !
It Was a trap :
After the ( jihadist forums ) were knocked off on top of the world’s attention and communication to the public Internet encouraged in people a kind of technical yearning and longing began which broke the restrictions and isolation and Retention of intellectual thoughts and feelings for many segments of Arab society that had been restricted for decades.
Evolution subtraction qualitative in forums, and take character media purely in the recent period , became the local media global following with interest what poses in these forums, news , articles, analyzes and information materials , and raising it interesting and exciting is the exploitation of various groups of these forums for the dissemination of data and statements and files audio and video , was a chance of life opportunities that will not be repeated ! Especially jihadist groups that are active in many countries .
This increased the ferocity of the conflict groups are active in the media and promotion of the ideology and goals of the State and the security services are trying to reduce this phenomenon which is in fact the reason for media restrictions on these groups !
They did not benefit from all attempts at blocking and destruction and closure to these forums and sites though and it was not necessary to plan more intelligent and more effective means ! The plan then was ( electronic fishing ) which is about security issues growing and multiplying living in the forums and negatively affecting the governments.
The mission of this campaign was to set a trap for the electronic owners who promote a particular ideology or without their media machine to a disseminate their ideas.
Electronic fishing plan :
The plan was as follows (according to visualize the conflict that is happening in the forums, which I am following and still do for a long time ) the idea is to visualize imaginary and not necessary to be literally it all revolves around this department and within this framework.
These are set up within the Department of Internal security services to monitor and participate in these forums are a group of security agents ( or recruit active in the forums ) that have a good cultural understanding and the ability to understand the forums and dialogues and ideas of these jihadi groups .
These groups are divided into small teams , each band has a specific role and a specific play :
For example, ( under cover agents ) as role supporters in these groups to give ideas and establish relationships with these members ! !
( agent provocateurs ), a group of others who do the opposite role of attacking the ideas and these groups in a provocative way to agitate ! ! !
The elements ( under cover agents ) register under the names of forums are closer to the ideology of these groups in order to notify the other party that they are close to them ! ! These start writing topics (posts) that advocate these groups ideas/ideologies to fool (put to sleep or fool) the other party to these topics and fool them all ! ! !
They start side correspondences by mail and messenger until the rhythm of the prey to the network ! ! !
The ( agent provocateurs ) whereupon register the names of the exact opposite or normal , and you subtract topics provoke the other party and try to reply to topics and raising the other end !
I do not mind the exchange of roles between two opinions , and do not mind a game of cat and mouse between two opinions ! ! !
In the sense that both the teams are playing a game direction and the opposite direction ! ! The other party is watching and watching , and perhaps fools trick and tends to the party who supported !
Of course , this plan is a plan that I mentioned several of the plans pursued by the security forces in the forums ! There are ways and methods more dangerous .
Forums owners in the dark :
Do the forums and owners play an important role in this fierce conflict ? !
And why are other jihadist forums not being prosecuted and shut down ? !
Technically you could see the members and where are they? ! (poor opsec)
There is no doubt that the owners of jihadist forums are between rock and the hard place about member security services ! ! Members are trying to hide their identities , and the security services are trying to get information from the owners of these forums for members !
The type of these forums is (vB/phpBB), which make up the largest percentage of Arab forums and are the most insecure, because these forums know the number of the entry of the member, or the so-called IP address (a unique number on the Internet from which you can know which country the member or visitor enters from). These can be seen through additional software that shows the access number (IP) and the specified complete information, and not just the state.
IP addresses can be traced, but not always, as there are numbers entering hidden (proxies and TOR) and these are therefore difficult to follow. But with the development of spyware it has become possible to access the phone which has been used to get on the site, and therefore know who the owner of the phone is and arrest him.
Of course this site has your mail lists and add them also the nature of the posts and the responses and some of the words that fall from the member inadvertently and they can go through it all to figure out who writes the posts .
Of course , there are many ways to hide the real information browsing , but the majority don’t know how to.
From this point, cooperated some forums that claim to advocate jihad falsely with the security services in order to provide information for those members , and this is what explains the survival of some forums that claim to advocate Mujahideen falsely published scandals and write the spectrum of the opposition , remained these forums is blocked and non- prosecution ! ! !
Malice and cunning develops when :
Prepared by the security and intelligence plan, the most insidious of these, because the jihadi forums sincere did not respond to their requests , and they have established a private forum, new , and have been promoting it to attract members from another forum , has put a smart plan commissioned by some members left threads against them in order to attract other parties .
There are forums known to follow the security services or they collaborating with them! ! There is no need to mention names , but they are known to attendees of the forums.
Hosting companies accused of the biggest security problems :
Where the role of hosting companies in this fray ? !
Hosting companies play a serious role and important role in this conflict , and the hosting company is a company that holds files and data on its website ( servers ) which computers are intended to put the sites .
Attackers can see and open and watch databases , and can know the numbers to access the site , and know of any states walk , and knows all the passwords and data members , and you know the number entering false or not!
All these factors make hosting companies play an important role in this battle, electronic , and therefore are trying to stay away from forums hosting companies Arabic! Being located under the control of the state they are in. !
However this does not mean that the hosting companies the best of America ! ! Now there is a law that allows the Office of the FBI to enter on any server hosting company to search for specific information ! This has happened several times to major sites !
Third-party invisibility :
Jihadi forums are trying to protect their members and are trying to escape from the grip of security intelligence , to put its companies away from corporate America and the Arab , such as the European companies , or Russian or Chinese or Malaysian , etc.
And many sites have succeeded in this, and there are some people disappeared from the world of the net, because he did not find a suitable hosting company has its reservation !
There is continuous monitoring of all the jihadist forums, both by Arab security services and by the Jews themselves! (don't forget me too)
There are many other sites tasked with monitoring the sites and forums where Arab and positions and what he writes , and this is part of a global scheme to follow up on all matters relating to anti- occupation ,
Crusader Zionist hegemony and arrogance . And speech in this long technically and media .
As about the ability of the security forces in the Arab countries to prosecute tens of thousands of attendees and break forums , it is also thought by some that they have a miraculous power that they can follow each person and follow every word and character! Despite the evolution of technology and the presence of all the requirements for it , but not to this extent , there is a general framework to move and there are filters ( filters technique ) are certain of which focus on groups without the other ! (NSA programs no doubt)
How does one fall prey in the net ? !
After creating the overall atmosphere at the level of the forums and the level of individuals , begins a plan to arrest cyber dissidents , and begins the process of gathering the spoils in the forums that have been the focus on them.
There are many styles of plots within the security plan ( electronic fishing ) for catching prey and these methods are divided into two sections:
First: the technical methods
Secondly, methods of mankind ( by handling )
It is technical methods :
1 – the theft of the e-mail
2 – planting spyware on your machine
3 – access to your screen and real name ; who writes in the forums and stealing and writing through it.
4 – to be a forum in which he writes is originally belonging to the security and intelligence services
5 – to break into his computer via messenger or an email , and get all the files ! aka hacking ( In the absence of protection software on the device )
Methods of human :
1 – Trying to bribe him by writing topics supports the idea and opinion , and thus created a friendly relationship up to Instant , then chatting on Messenger , then communicate the sensory and the meeting , and spoke of the disaster here !
2 – Posting certain topics glorifying and praising thought to bait the brothers
3 – Continuous communication via private messages and e-mail in order to strengthen the relationship and development.
4 – Get the addresses of the other victim , and thus expanding the circle of victims. (making connections)
5 – Providing any assistance to him in order to gain affection and confidence , and providing false information in order to manipulate it .
All of these methods and many others , followed by the adversaries within the security plan for the implementation of a comprehensive plan inside the jihadi forums which are expressing their opposition to the intellectual and practical for any system or state .
Many Colorful masks and face of one :
The most dangerous thing in this matter and this plan is a game of multiple masks ! The sense of how to be a captain in the intelligence and security services and at the same time a member of one of the jihadi groups ! It is the process of distortion of the party in order to achieve the objectives of the hidden benefit of the first party. (aka it’s hard to be an agent provocateur!)
This is what should be what the jihadist forums pay attention to and understand well when going into dialogues on jihadist forums .
Forums conflict and war forums took great dimension while wearing a turban Maguethohmah intelligence captain for the appearance and Mufti Sheikh Naseer jihad and the mujahideen , or vice versa !
It was expected to evolve conflict to this point having stepped up jihadist groups and their presence on the net, the forums in particular are the point of the media work and the address of Sheikh Ayman al-Zawahiri Media jihadist began to communicate strongly among its members attempt to circumvent the limitations of reality and movement.
The security services began a new attempt to penetrate these groups and control them by distorting the work of jihad and started electronic detection cells that spread in the forums !
Electronic mechanism of action plan :
I started to plan the new electronic security and it is:
1 – Cell formation and fake jihadist forums task specific data dissemination promotion and promote ideas distort the image of jihad and the mujahideen , or an image of the other. (DISINFORMATION)
2 – The team must responded to and disseminate data to encourage them to generate a stream of support and advocacy for the emergence of a strong appearance !
3 – Creating the case of adverse reaction to the visitors through a crude way of asking and barbaric ideas and beliefs and statements such as atonement. This is what you want the security of this plan to be .
The plan is very easy and can be applied with ease examples are well known and the data easy to formulate. The method of dialogue and atonement are available, the technical possibilities exist but these ideas must be spread dramatically
The strongest example of this is the multiple data released from several destinations in the bombings in Sharm el Sheikh ! Data for each group claiming to be made from it! ! No one knows anything about the other group ! (DISINFORMATION)
Long talk about this axis , and there is information difficult to talk about and write , but it’s much broader than that , and the danger lies in changing the minds and ways of thinking to the public net, it is the process of laundering organization of the minds and ideas , involving everyone!
There is no end :
Forums war or conflict to exist in jihadist forums will not stop and will not end , because the technical means available to everyone in the complete absence of freedom and unloading shipments of oppression and injustice , will remain gatherings knock on her exercise of this right for the delivery of her voice.
The greatest danger lies not in this right to these gatherings , but lies in the transformation of this arena to ( traps electronic ) to the rhythm of this prey weak and convert the arena to a new prison , prosecutions and follow-up informants and wiretaps and spying and the practice of the worst methods of distortion and deception !
It’s the same traps that were previously exercised .. But this time it electronically ! What is the saddest technology while turning into a weapon , however, and the darkness of tyrants and enemies !
Hur eye , conformist God, claiming well for the owner of this review good .
While Khaled wishes to have real dialogue out there on these forums, he is worried that the security services and the NSA have pwn3d them all. He also worries that infighting within the groups has not helped, and believes (perhaps rightly) that there are agent provocateurs on the sites sowing dissent as one team while another plays the good cop to the bad and gathers intel on users. He implores the brothers to learn more about the security around these sites, and to start by taking a serious look at who is hosting them. He references the FBI as being able to seize servers and peek into them while they are active (like they did with SR and SRII), and posits that the brothers need to start managing their domain access better, though he does not offer a solution other than locating them in countries outside the US. Khaled also seems worried about the revelations from Snowden, though he does not reference him directly. He speaks about hacking against the brothers being carried out through phishing, but also about larger plans of social engineering and espionage tactics by the local security services as well as others like the US. He then offers an idea of creating their own DISINFORMATION campaigns by setting up fake cells and sites to draw the law away from their other, more secret sites that have been secured. Overall, though, he sees that the internet has given the jihadis the gift of being able to talk to each other and evangelize online, and is upset that it is being perverted by the LEOs in order to break their spirits and their jihad.
While I agree that a lot of what Khaled is describing is going on out there, I also think that the jihadis do it to themselves quite a bit as well, shooting themselves in the foot so to speak. The infighting and squabbles on these boards are like watching an Arabic 4chan argument sometimes. There are certainly more stringent rules regarding actions on the jihadi boards, but all in all they too are seen backbiting each other at times like adolescent school girls on a playground. The issue, as I see it, is primarily that these sites have always been insecure and easy to prey upon, as Khaled says. Most of these sites are filled with those who just want to spew their thoughts in a place where like minds prevail and to advocate for proselytizing others to become shahid. While these sites do harbour solid intelligence, it is usually only about actors and their connections, rarely actual data on plans that will be put into action. Until such time as a newly secured and closely watched jihadi board shows up in the darknet, or completely inside a private network somewhere, I find these sites to be more amusement than anything else of intelligence value. This makes Khaled's concerns all the more amusing, as he is so fervent in his writing here.
Insider Threat SNOWDEN:
The insider threat has always been and always will be the biggest of the threats, or so the aphorism goes. In reality it certainly seems to be the case in the Snowden affair, and the NSA is still stinging from it as I write this. Snowden leveraged his administrative access where he could, and used technical and social means as well, to gather the information and access he wanted to exfiltrate out of Ft. Meade. Since Snowden was so successful, and the NSA and IC have been blindsided by the ease of the attack and their stunning lack of controls, the government and IC have been re-thinking their security around insider threats. Since much of today's technology allows for ease of access, and people tend to be the weakest link in the security chain (on average), the NSA is looking to more proactive controls against this type of exploit. Since they failed both logically and technically to stop an insider attack, I assume that they are in a real bind trying to assert control not only over the data they house but also over the custodians of that data and architecture.
The Insider Threat Has Always Been The Largest:
Since the dawn of time the insider has been a go-to, where possible, in waging war against anyone. The Trojan Horse, for example, is the greatest use of the "insider": placing outsiders inside and making the opposition the instrument of their own doom. Insiders, though, are commonly traitors or spies (sleeper or other) inserted or bought to work for the opposition to gain access inside the confines of the sanctum. In the case of hacking and digital malfeasance this often takes the shape of an insider who feels they have been wronged in some way and either steals IP or destroys operations within a company or org to cause great damage. What has come to light over the years, and has now been brought to the fore, are the psychological and social cues or traits that make a person more likely to become an insider threat.
In the case of espionage, the recruitment of spies really is the tale of an insider threat. What makes someone become an asset for a service like the CIA? Within the IC (CIA) a lot of time was spent on the psychology of recruitment and handling of assets. MICE was the standard by which the CIA handled recruitment and handling until recently, when a new paradigm was put forth (RASCLS) which is much more reciprocal instead of just carrot and stick. Where all of this touches on insider threats in the common vernacular of INFOSEC is in the motivation behind someone's actions. A paper put out recently, called "Inside the Mind of An Insider", focuses on technologists, the insider attacks that they have carried out or may carry out, and their personal motivations and proclivities to do so within the tech sector. I however would assert that this take is only a sub-header within the larger umbrella of motivations and actions that an insider, whether a spy or just an aggravated tech worker, would have or carry out.
In the paper (cited above in the picture at top) the writers lay out the "six characteristics" that, coincidentally, make up much of the same ideals and motivations that you will find in a recruitable asset within the IC sphere. In fact, I would assert as well that if Snowden were at all contacted by an outside security service to do what he did, these motivations would have been leveraged within him too. What it all comes down to is human nature. We are all subject to wants and desires, as well as feelings of being under-appreciated or not appreciated at all in our daily lives. This makes anyone potentially an insider, whether they self-activate or are handled by someone.
Countermeasures And Technologies:
The NSA, though, has been working on technical means of detecting and deterring an insider attack where other logical means have failed. These consist of programs that monitor behaviour patterns of users and access, as well as, I can only assume, their outside activities such as internet access, browsing, and comments on sites. Can such programs really detect accurately the mind of a person and their motivations, and lock down on them as a potential threat? I am sure that the technology for this kind of heuristic behaviour detection is getting much better, but I don't think it will be infallible. I also suspect that it will mark people as bad actors when in fact they may never even entertain the thought of carrying out some plan against the NSA, or against whatever company might employ such tech. I would also assume that the people at the NSA will be undergoing more frequent and rigorous polygraph sessions, as well as perhaps psychological profiling, which does not bode well for the many who, I think, want to feel as though they are part of a team. Generally the job is stressful enough when you cannot talk about anything you do and are always fearing that you might slip at some point and give away information that you shouldn't. The psychological stress of cleared life is hard, and this will all just make it a little harder in the post-Snowden world.
Whether you call it an "insider threat" or a spy, saboteur, or insurgent, the same psychology applies. People are motivated by things that are personal to them: desires for money, power, or fame, as well as a myriad of other reasons for their actions. Attempting to detect and deter this activity will be quite the undertaking, and hard enough in the classified world. Now imagine that you are not a cleared individual but a corporate employee; how are you going to feel about such activities and programs attempting to tell whether or not you might turn on the company and damage its servers? I somehow doubt that many corporations will undertake threat modelling for insider threats as seriously as the NSA, but I can see where some might want some insight. We already have things like Websense and IDS/IPS/SIEM tech that follow traffic, but with the advent of the likes of Facebook, how long will it be until they offer a service that tracks user behaviour and sells it to your security department? If companies are sufficiently worried about their insider threats, then they will begin profiling and putting in countermeasures.
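The behaviour-pattern monitoring described above boils down to a per-user baseline and a set of deviation rules. The following Python is an added example written for this post, not anything from the NSA or any vendor mentioned: it learns each user's usual working hours, resources and daily data volume from a constructed access log, then flags a review window where one user pulls a large volume from a share they never touched, at two in the morning. All log lines, user names, paths and thresholds are constructed for illustration.

```python
"""Toy user-behaviour baseline for insider-threat detection (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed baseline log: "ISO-timestamp user action resource bytes".
BASELINE_LOG = """\
2014-02-03T09:12:04 alice READ /share/finance/q4.xlsx 20480
2014-02-03T10:40:11 alice READ /share/finance/budget.docx 15360
2014-02-04T09:05:43 alice READ /share/finance/q4.xlsx 20480
2014-02-04T14:22:09 alice READ /share/finance/notes.txt 2048
2014-02-05T11:01:30 alice READ /share/finance/budget.docx 15360
2014-02-03T08:55:00 bob   READ /share/eng/design.pdf 102400
2014-02-04T09:10:00 bob   READ /share/eng/design.pdf 102400
2014-02-05T17:30:00 bob   READ /share/eng/specs.docx 51200
"""

# Constructed window under review: alice bulk-reads an HR share she has never
# used, at 02:00; bob behaves exactly as he did during the baseline period.
REVIEW_LOG = """\
2014-02-10T02:03:15 alice READ /share/hr/salaries.xlsx 4194304
2014-02-10T02:07:48 alice READ /share/hr/reviews.zip 8388608
2014-02-10T02:15:02 alice COPY /share/hr/reviews.zip 8388608
2014-02-10T09:30:00 bob   READ /share/eng/design.pdf 102400
"""


def parse(log):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource,
                       "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per user: hours of day seen, resources seen, mean bytes per active day."""
    seen = defaultdict(lambda: {"hours": set(), "resources": set(),
                                "daily": defaultdict(int)})
    for e in events:
        s = seen[e["user"]]
        s["hours"].add(e["ts"].hour)
        s["resources"].add(e["resource"])
        s["daily"][e["ts"].date()] += e["bytes"]
    return {u: {"hours": s["hours"], "resources": s["resources"],
                "mean_daily_bytes": mean(s["daily"].values())}
            for u, s in seen.items()}


def score_window(baseline, events, volume_factor=5.0):
    """Return {user: sorted list of reasons} for users who deviate from baseline."""
    findings = defaultdict(set)
    daily = defaultdict(int)
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            findings[e["user"]].add("no baseline for user")
            continue
        if e["ts"].hour not in b["hours"]:
            findings[e["user"]].add("access outside usual hours")
        if e["resource"] not in b["resources"]:
            findings[e["user"]].add("first access to resource")
        daily[(e["user"], e["ts"].date())] += e["bytes"]
    # Volume is judged per user per day, against the user's own baseline mean.
    for (user, _day), total in daily.items():
        b = baseline.get(user)
        if b and total > volume_factor * b["mean_daily_bytes"]:
            findings[user].add("daily volume far above baseline")
    return {u: sorted(r) for u, r in findings.items()}


def run_demo():
    """Baseline on the constructed history, then score the review window."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return score_window(baseline, parse(REVIEW_LOG))


if __name__ == "__main__":
    for user, reasons in run_demo().items():
        print(user, "->", "; ".join(reasons))
```

Each rule on its own is noisy, which is exactly the false-positive worry raised above: "first access to resource" fires every time someone changes projects, and "outside usual hours" fires on a single late night. The example only becomes useful when several signals coincide for one user on one day, and any real deployment would tune the thresholds and baseline window against the organization's own access patterns rather than the constants used here.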
Welcome to the brave new world…
PARASTOO پرستو :
I got a tweet today about some data sitting on cryptome.org that got me thinking about this "group" again, so I did some more digging online on them (him). The name of the "group" is Parastoo (پرستو in Farsi), which means swallow, the bird. In the last year this guy (yes, I think it's literally one deranged person) had been active on at least two .ir sites that dealt with security and hacking, and then started his own domains to ostensibly carry out cyber war against Israel and attempt to leverage the IAEA and others. So far none of the alleged hacks and data dumps that I have seen have impressed, and the data itself seems to be from systems that they "think" are important but in reality are not. Specifically, of late there are threats concerning CIA plots and diatribes that read like LulzSec on methamphetamine and ketamine at the same time. This guy really has quite the beautiful and large tinfoil hat, and he wants us all to know about it in no uncertain terms. It is interesting to read between the lines, stylistically, how the writer seems to be molding their communiques in the manner of Zodiac, with a third-person approach that implies more than one person and that this is a group. By using "Parastoo is speaking" they come very close to the "This is Zodiac speaking" which attempted to portray power and induce fear. It is also interesting to note that the language used in the emails implies a good grasp of English as well as a flair for the overly dramatic, which does not lend credence to the threats they imply. In fact the reading I take away, and seemingly the press as well, is that of someone either trying too hard to be Anonymous or engaged in outright trolling.
In tracing the domains for parastoo.ir and hacker4hire.ir I came across a defunct site (RCE.ir) which was a phpBB site that is now offline but is archived in a couple of places as well as in Google caches. When searches for “Parastoo” were run, a clear link to a user on the RCE.ir site came up, and that user was “DarkPassenger”, who posted often on the site not only about hacking tutorials, tools, and the like but also dropped many links to government sites in the US and talked about conspiratorial things in nearly every posting. DarkPassenger’s favorite saying or aphorism in each posting was “de nobis ipsis silemus”, which is taken from the Baconian epigraph to the first Critique and translates to “on ourselves we are silent”, which is ironic given all the commentary that DarkPassenger is putting out there that speaks to his state of mind. DarkPassenger is also a fan of TV and movies and can be tracked to other .ir sites, but generally, from the first searches, does not have a lot out there under this account name to go much further (at present writing) in saying who he may be in real life. DarkPassenger does seem to have quite a bit of time on his hands and some technical capabilities, though. Much of the data that he and Parastoo post, however, is really just OSINT that anyone capable could carry out. In fact in one post DP talks about OSINT while laying out informatics on a military organization’s email addresses and contact list, so he is in fact versed in the ways of OSINT collection. A key factor in the link I am making between Parastoo and DP is that he uses the “EXPECT US” cutline in many of his posts as well and seems rather enamoured with the idea that he is in fact an Anon, and that bent of conspiracy and overarching plots infuses the majority of his postings online.
Parastoo.ir, hacker4hire.ir & RCE.ir:
The postings claiming hacks, as well as those that rave on, claim that DP had set up a couple of domains for “attacks” on the outside world from the .ir domain. These domains are registered under what I assume is a cutout name, Zohre Sajadian, which coincidentally was also used for the RCE.ir site. All sites are currently down, and in fact I cannot locate any content for the hacker4hire.ir or the parastoo.ir sites. The only one that did have active content for a while was the RCE.ir address. This site was up for quite some time but was insecure, and much of the content was not that interesting. It is of note though that the domain registrations all line up, and there seems to be some overlap in email hosting between a .ru address and the chmail.ir site (that address is verified as being real). The street address as well as the name of the holder seems to be just made up. In fact the address cannot exist because there is no intersection of Felestin Street with Johmoori. A cursory look at the name Zohre Sajadian also comes up with some hits, but they seem to be unrelated at this time to the sites and their registration, so mostly this is a dead end, I think.
Alleged Hacks & Anonymous Rhetoric:
So far in my searching I have not found much out there to support any large hacks of data or dumps thereof that show this “group” has done what they claim overall, aside from news stories (few, in fact) that claim Parastoo made off with “sensitive” information on nuclear systems and facilities. However, the data that they claim to have taken, and which was admitted to by IHS Inc., is all of a nature that can be purchased on the web or has been published already in the past. The only really sensitive information that may have been breached was credit card information that may have resided on the servers that were compromised. So while Parastoo makes grandiose claims of important hacks and data leaks, thus far, when really investigated, they have yet to make a major hit on anything of real import. Since the sites have gone dormant or offline, it has yet to be determined what else they may be working on or have compromised, but if you look at the rhetoric in their pastebin posts as well as the alleged emails on Cryptome, one becomes a bit jaundiced and must take everything they say with a large grain of salt. Another factor to remember is that even drawings like the one at the top of this post are often available to anyone on the internet, either through insecure or misconfigured servers or because the data is in fact meant to be open to the public. This is a paradigm I have learned about recently in looking into the OSINT on nuclear facilities and systems. So these dumps of information are not what the attackers think they are, because they are unacquainted with the data and its secrecy or lack thereof.
The final analysis of the “Parastoo” group is that in reality it is at least one person (DarkPassenger) who wants to make a statement on Israel and nukes, with a fixation on the IAEA and DOE. While some pastes in the pastebin list seem to have actual data from systems that are externally facing to the internet (DOE for one), the majority of the data seems to be half-understood misinformation being spewed to garner attention. As the Anonymous model has been let out of the bottle, so to speak, post-Lulzsec, there are many who aspire to that level of reputation and attention, and these dumps are an attempt to attract it. Of course the problem with the Anonymous model of operation is that anyone can take on the mantle and claim to be an Anon or a group of them to effect whatever outcome they seek (mostly attention), so it is oftentimes hard to take groups like this seriously until such time as they dump hard data onto the internet for all to see. In the case of Parastoo none of this is evident, and as such I categorize (him/them) as a non-threat actor on the larger stage of geopolitics and information warfare at this time.
The Lampeduza Republic:
The Lampeduza Republic is a collective of carders which has its base of founders primarily in the Baltic states. You may be familiar with this name and the group through Brian Krebs’ work on the Target breach of 2013. Lampeduza came into existence circa 2011 (Creation Date: 2011-06-01T16:54:41Z) as a follow-up to other sites that had shut down, but with the creation of this one the creators also covered all the bases with mirrors on other servers and domain names. What makes this site different from the rest of the carder arcology is that this group is exceedingly hierarchical and structured itself after the constructs of Roman rule. As the main player who seems to be involved per Brian, Rescator (aka Hellkern), has a penchant for games as well as hacking and carding, it seems only fitting that he has a STEAM account and a love for ROME II (All Out War). It is my contention that he and others within his clan perhaps began this whole escapade after playing ROME II together and grew to love the idea of being powerful “Senatus”, or dare I say even Caesars?
The Lampeduza Republic (Lampeduza rei publicae) took its structure from the old Roman rule, as I said above, and within this classicist format they have the following categories of “citizens”:
- Сaesar — monarch of the Lampeduza Republic.
- Consul — highest public official, the head of executive & administrative authority, the head of the Senate.
- Senator — highest governmental authority of Lampeduza Republic Senate.
- Praetores — highest public official, Republic arbitrator.
- Legatus — messenger of the Republic Senate, legion leader. Senate assigns the title to the most devoted Republic warriors, shown himself to good advantage.
- Quaestores — assistant of the Republic Senate. Treasurer, assessor, the one responsible for payments to contractors. Posts all the decisions, resolutions & laws of the Senate and Caesar ordinances.
- Primus Pilus — ranked highest in Centurio legion. Shown himself to good advantage for a long period of time. Literally the first rank. Having the right to assign himself two assistants (Centurios).
- Centurio — warrior, recommended himself to good advantage and decent reputation amongst colleagues. Having the right to assign himself two assistants (Optios).
- Optio — assistant of the Centurio. Chosen by Centurio among his warriors. The title can be assigned by Republic Senate, without Centurio’s petition to anyone standing out sharply against background. Having the right to assign himself one assistant (Tesserarius).
- Tesserarius — assistant of the Optio. Obligated to organize security & password transitions. Republic of Lampeduza army career is starting with Tesserarius title.
- Censor — title assigned by default to forum moderator, invited by Senate for observing compliance with Republic constitution. Moderator having title of the Lampeduza Republic allowed to indicate it in his status.
- Legionarius — citizen of the Lampeduza Republic, lucky passport owner.
Whether or not the actual group functions in a strict regimental way remains to be proven, but the general idea is followed through on from what I can see. Looking at caches of pages, it seems like the inner group of progenitors consists of Consul Octavian (Caesar), Senator Severa, Senator Tiberiy, and Senator Flavius. The Caesar is named as “Octavian”, and as it happens there is a site, Octavian.su, which is now defunct. This may account for who was the progenitorus primus in the Lampeduza universe, and to date no one has really looked at this Octavian as much as at Rescator. My question becomes: who is Octavian? Is Octavian just another user ID for Rescator? Or is this someone else altogether? Additionally, you can see how Rescator has moved up the ranks in the site as time has moved on, from Legatus to Praetor, all from meeting notes, as it were, on the site itself. Additionally, the role of Tiberius Caesar seems to have its laurel wreath squarely upon Tiberiy, a name that to date really hasn’t been mentioned in the stories around the Target heist.
The Senate of Lampeduza:
Senate of the Lampeduza Republic: Consul Octavian, Senator Severa, Senator Tiberiy, Senator Flavius, considering petition of the Сenturio Pompei, Primus Pilus DJ CRACK, Quaestores Trayan have decided:
I. Magistrate the following:
- Octavian – Ceasor pro tempore, the Consul & the head of the Republic Senate
- Rescator – Praetores of the Lampeduza Republic, assign the Legatus title
- Trayan – Guarantor of the Lampeduza Republic, assign the Quaestores title
II. Assign the Primus Pilus title of the Lampeduza Republic
DJ CRACK – Primus Pilus of the Republic, province Censor
Blaster – Primus Pilus of the Republic, province Censor
III. Assign the Сenturio title of the Lampeduza Republic
Pompei – Сenturio of the Republic
rfcid – Сenturio of the Republic
goldminer – Сenturio of the Republic
-=SGA=- – Сenturio of the Republic, province Censor
St.Patrick – Сenturio of the Republic
Mesr – Сenturio of the Republic
greystone – Сenturio of the Republic
powerseller – Сenturio of the Republic
Search – Сenturio of the Republic
Шаман – Сenturio of the Republic
j.p.morgan – Сenturio of the Republic
True Partners – Сenturio of the Republic
alphadog – Сenturio of the Republic
risk25 – Сenturio of the Republic
IV. Assign the Optio title of the Lampeduza Republic
TaoBao – Optio of the Republic
jimy – Optio of the Republic
fff3fff – Optio of the Republic
himik – Optio of the Republic
PapaRed – Optio of the Republic
Septimiy – Optio of the Republic
Avidiy – Optio of the Republic
V. Assign the Tesserarius title of the Lampeduza Republic
bissone – Tesserarius of the Republic
liberral – Tesserarius of the Republic
So the main players here are the following:
While Brian has actual screen shots of Rescator (a lover of old French films it seems about pirates) talking about the BlackPOS and the shuttling of card data there is certainly more than one player here in the Lampeduza universe. Given the love of the Roman structure of governance it actually played out a most interesting game of looking at who was in fact in charge and the overall makeup of the organization. I have not really taken any kind of real look at the other players on an OSINT level but I am sure that once that is done it will be a bit more enlightening as to who these guys are. It is my theory that they all are gamers and all played quite a bit of ROME II (Total War) and aspire to be the new Romanus Civilis of the digital age. It kind of also fits with the Russian/Ukrainian tastes as well on a societal level. The other part of the puzzle is whether or not these guys were just the procurement specialists and others actually carried out the hack or was it all of them, in their structured and regimented organization that carried off not only the hack but also the brokering of the card data, reaping all the financial rewards as a new Rome should?
Meanwhile Rescator (aka Hellkern) surely had the technical chops to code some of the software as well. His online profile as Hellkern dates much further back, with hacks and code that seem to include a worm that made the rounds circa 2009. He’s been around, but so too has Ree4, who it seems for all intents and purposes was the one who modified the memory scraper tech and made it what it is today, at least in a proto form. Did Rescator go the next steps and get it to be the application that bypassed AV and was used on Target and the others? Ostensibly the FBI has shown, as well as Brian, that the software was up for sale for six thousand dollars, and obviously that price was paid. Just who made the changes? We still aren’t sure as far as solid evidence goes, but it seems from what Brian has found concerning OPSEC failures on the part of Rescator/Hellkern that he surely had something to do with it. The collective though, for me, is the thing.
Who else is there and who are they in real life?
mlal qh xzvp ttdqdm xof fgrowuqd
DPRK INTERNET AND INTRANET:
As the DPRK under Kim Jong Un has been poking the global bear lately with threatening faxes, I thought it was time to re-approach the CNE/CNO/CNA capabilities that they have and gut-check them against the hype in the news cycle. As there has been talk of cyber attacks allegedly carried out by the DPRK against at least the South, one has to wonder just what kind of connection the North actually has to the global internet. As it turns out the DPRK has a class B (22.214.171.124 – 126.96.36.199) address space that is ostensibly outwardly facing to the global internet. Inside the country though, the fiber intranet is closed off from the external internet for the most part, save for those elites deemed important enough to have it. The gateways for this internet connection are sourced out to the Chinese mainland (China Unicom / Star JV / Loxley Pac) and are most likely located in southern China. This however has not stopped certain people actually downloading from BitTorrent this last year, so we know that a certain number of people do have access that goes to the internet directly from Pyongyang, which was a bit of a surprise for me at first; but then you look at the small area from which they are coming and you see it is a very small subset of people accessing the net to pirate movies. The masses who have access to a computer are relegated to the Kwangmyong network, which they can only access through the “Red Star OS” that the DPRK has specially made for them to use. This intranet is, from all reports, more like a BBS than the internet and consists of very little content and certainly not anything revolutionary (both technically and literally). I have downloaded a copy of Red Star and will be putting it in a sandbox to play with and report on at a later date.
DPRK Internet Accessible sites:
- The official North Korean governmental portal Naenara at: http://www.naenara.com.kp
- Committee for Cultural Relations with Foreign Countries at: http://www.friend.com.kp
- Korea Education Fund at: http://www.koredufund.org.kp
- Korean Central News Agency at: http://www.kcna.kp
- Korea Elderly Care Fund at: http://www.korelcfund.org.kp
- Rodong Sinmun newspaper at: http://www.rodong.rep.kp
- Voice of Korea at: http://www.vok.rep.kp
- : http://www.ksf.com.kp
- Air Koryo, a North Korean flying service, at: http://www.airkoryo.com.kp
- Pyongyang Film Festival at: http://www.korfilm.com.kp
- Pyongyang Broadcasting Station at: http://www.gnu.rep.kp
DPRK CNO, CNA & CNE:
There seems to be some cognitive dissonance concerning the capabilities of the DPRK where network warfare is concerned. As seen below in the two snippets of articles, either they have nothing much in place because they are focusing more on nuclear technologies, or they are creating a master group of hackers to attack the US and South Korea. I for one think that the truth lies somewhere in the middle, in that I know that fiber has been laid and that the elite and the military both have access to the internet for their own purposes. That the connection is routed through a satellite ostensibly (mostly) shows just how disconnected the regime wants to be to ensure its power consolidation. Though there is a single “internet cafe” in Pyongyang, it must be noted that it only serves network traffic to the intranet that they have created. I have to wonder though if perhaps somewhere within that infrastructure lie unknown dark spots where the government may not have as much control as it would like.
On the topic of cyber capabilities, the report said North Korea probably has a military computer network operations capability. North Korea may view computer network operations as an appealing platform from which to collect intelligence, the report added, and the nation has been implicated since 2009 in cyberattacks ranging from computer network exploitation to distributed denial of service attacks.
In assessing North Korea’s security situation, the report said, “North Korea continues to fall behind the rising power of its regional neighbors, creating a widening military disparity and fueling its commitment to improving asymmetric and strategic deterrent capabilities as the primary guarantor of regime survival.”
Tensions on the Korean Peninsula have grown as relations between North and South Korea worsen, the report noted. North Korea has portrayed South Korea and the United States as constant threats to North Korea’s sovereignty in a probable attempt to legitimize the Kim family rule, its draconian internal control mechanisms and existing strategies, the report said.
“The regime’s greatest security concern is opposition from within,” the report added, “and outside forces taking advantage of internal instability to topple the regime and achieve unification of the Korean Peninsula.”
North Korea seeks recognition as an equal and legitimate international player and recognized nuclear power and seeks to normalize its diplomatic relations with the Western world and pursue economic recovery and prosperity, the report said.
“[North Korea’s] rhetoric suggests the regime at this time is unlikely to pursue this second goal at the expense of the primary goal of pursuing its nuclear and missile capabilities,” the report added.
North Korea has the highest percentage of military personnel in relation to population of any other nation in the world, with approximately 40 enlisted soldiers per 1000 people, with a considerable impact on the budget of the country. Don’t forget also that North Korea has capabilities that also include chemical and biological weapons. A defector has declared that North Korea has increased its cyber warfare unit to a staff of 3,000 people and is massively training its young prodigies to become professional hackers.
The large cyber force responds directly to the command of the country’s top intelligence agency, the General Reconnaissance Bureau. Last year satellite photos were published on the internet of the area that is suspected to host North Korea’s ‘No. 91 Office’, a unit based in the Mangkyungdae district of Pyongyang dedicated to computer hacking; its existence was revealed in a seminar on cyber terror in Seoul.
According to the revelation of Army General James Thurman, the commander of US Forces Korea, the government of Pyongyang is massively investing in cyber warfare capabilities, recruiting and forming highly skilled teams of hackers to be engaged in offensive cyber operations against hostile governments and in cyber espionage activities.
On more than one occasion North Korea has threatened the South, promising waves of attacks, and the cyber offensive option is the most plausible considering the advantage in terms of efficiency, noise and political impact.
North Korea’s electronic warfare capabilities are second only to Russia and the United States…
So when the question of CNO/CNA/CNE comes up with many here in the rest of the world, it is all pretty much a guess as to what the answer truly is. Of course I would love to know what the NSA knows about that internal infrastructure. I suppose that the NSA, with all of the revelations of late, probably has (or had) entrée into the intranet from hardware that had been spiked with surveillance tech. Overall the picture from using nmap and other technologies shows that the infrastructure, from the outside looking in and without backdoor access to China Netcom systems, is pretty blank from an information warfare perspective. The sites that are sitting out there live are flat, but if one were to r00t one, what would the ACLs be like, one wonders. The DPRK has spent a lot of time hardening and walling themselves off, but nothing is ever 100% secure. With all the talk about their DDoS attacks against S. Korea and the bank hack (2013), though, there have been some leaks that lead us to believe that they do use that .kp IP space for access to their malware C&Cs. In the case of the bank hack this last year the malware was, surprisingly, beaconing to an IP within their internet-facing space. For the most part though, the attacks that have been perpetrated by the DPRK have been through proxy addresses (S. China etc.) so as to have some plausible deniability. So short of some leaking of intelligence on the DPRK and their internal fiber networks it’s pretty much still a black hole, or maybe more apropos a giant darknet of their own, and we cannot see inside.
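The one concrete defensive lead in the paragraph above is the beaconing observation: malware calling home at regular intervals to an address inside a known, small, internet-facing block. The script below is an added example (not from the original post) of how a blue team would turn that into a check over firewall logs: parse each line, test the destination against a watch-listed CIDR block, then look for flows whose inter-arrival times are nearly constant, which is the signature of a timed beacon. Everything in it is constructed: the watchlist uses the 192.0.2.0/24 documentation range as a stand-in for whatever block an analyst actually has on file, and the host addresses, ports and log lines are made up for the demonstration.

```python
"""Flag outbound hits to a watch-listed address block and test whether
the flow looks like a periodic C2 beacon.

Added example, not code from the original post. The watchlist, hosts and
log lines are all constructed; 192.0.2.0/24 is a documentation range used
here as a placeholder for a real watch-listed block.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed watchlist: CIDR blocks an analyst wants alerts on.
WATCHLIST = ["192.0.2.0/24"]
WATCH_NETS = [ipaddress.ip_network(cidr) for cidr in WATCHLIST]

# Constructed firewall log: one connection per line (timestamp, src, dst, dport).
# Host 10.1.5.23 talks to 192.0.2.77:443 every ~5 minutes; the rest is noise.
SAMPLE_LOG = """\
2014-02-12T10:00:00 src=10.1.5.23 dst=192.0.2.77 dport=443 action=allow
2014-02-12T10:00:04 src=10.1.5.23 dst=93.184.216.34 dport=80 action=allow
2014-02-12T10:05:00 src=10.1.5.23 dst=192.0.2.77 dport=443 action=allow
2014-02-12T10:10:01 src=10.1.5.23 dst=192.0.2.77 dport=443 action=allow
2014-02-12T10:15:00 src=10.1.5.23 dst=192.0.2.77 dport=443 action=allow
2014-02-12T10:20:00 src=10.1.5.23 dst=192.0.2.77 dport=443 action=allow
2014-02-12T10:03:17 src=10.1.9.40 dst=192.0.2.10 dport=8080 action=allow
2014-02-12T11:00:00 src=10.1.7.8 dst=198.51.100.5 dport=22 action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def in_watchlist(addr):
    """True if addr (string or ip_address object) falls in any watched block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in WATCH_NETS)


def find_watchlist_hits(log_text):
    """All parsed records whose destination is inside a watched block."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and in_watchlist(rec["dst"]):
            hits.append(rec)
    return hits


def beacon_candidates(hits, min_events=4, max_jitter=0.1):
    """Group hits by (src, dst, dport) and report flows with near-constant
    spacing. Jitter is the coefficient of variation of the gaps between
    events; a value at or below max_jitter is treated as a timed beacon.
    Returns {flow_key: mean_interval_seconds}."""
    flows = defaultdict(list)
    for rec in hits:
        flows[(rec["src"], str(rec["dst"]), rec["dport"])].append(rec["ts"])
    result = {}
    for key, stamps in flows.items():
        if len(stamps) < min_events:
            continue  # too few events to say anything about periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            result[key] = round(avg)
    return result


if __name__ == "__main__":
    hits = find_watchlist_hits(SAMPLE_LOG)
    print(f"{len(hits)} connections to watch-listed space")
    for (src, dst, port), interval in beacon_candidates(hits).items():
        print(f"beacon candidate: {src} -> {dst}:{port} every ~{interval}s")
```

On the sample above only the 10.1.5.23 to 192.0.2.77:443 flow survives the periodicity test (five events, roughly 300 seconds apart); the single hit from 10.1.9.40 is reported as a watchlist match but not as a beacon, which is the distinction an analyst wants before escalating.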
Speaking of darknets, I just wanted to touch on this idea for a bit. One wonders just what CNA/CNO the DPRK might be carrying on with regard to TOR nodes and the use of the darknet. I should think an interesting study might be tracking IPs from southern China to see how much of that traffic is being routed through TOR nodes. I think that this could be a real untapped subject for study to date. If the elites have access not only to the internet through INTELSAT/Chinacom and MAC OSX boxes, then perhaps some of them are actually routing traffic through proxies like TOR to cover their own censorship arcology? Can you imagine that Un doesn’t have a high-speed SAT connection through INTELSAT so he can surf unencumbered? What about certain high-ranking intelligence and military people as well? It surprises me that I am not seeing more in the darknet from the DPRK itself. Of course this would be, even with it being on TOR or in a proxied hosted system, a dangerous game, to have any kind of truth-telling coming directly out of Pyongyang. Still though, I would love to see this happen, as well as perhaps some incursion into the intranet by someone adding a rogue SAT feed and a router. Presently I have seen reports about how former DPRK escapees have been smuggling DVDs, net-top PCs and netbooks over the Chinese border and giving them to people. The thrust of this idea is to bring Western movies and media to the DPRK as a subtle form of mental malware. I would push that further and create a new darknet within their dark fiber network.
In the final analysis, the DPRK has connectivity that is very limited in scope and in actual use. The elite few have access to the outside world while the rest have a very controlled intranet that is full of propaganda and surveillance. When one starts talking about their capabilities for cyber warfare you have to take what is usually said with a grain of salt, or a whole shaker. The fact of the matter is that much is still not known about their capabilities outside of perhaps the NSA and certain people in the IC. From the attacks seen to date we have seen much activity out of China that could also be dual-purpose attacks for the DPRK as well. Since much of their CNA/CNE capabilities and training has come out of (literally) China, one has to assume that not every China hack is just for China or originating from them. For that matter, it is entirely possible that traffic we have all seen coming from S. Korea could in fact be proxied attacks from the DPRK for plausible deniability. My feeling though is that the DPRK is still getting its units together and building capacities and is not a clear and present danger to the world in any kind of cyber warfare scenario. The DPRK uses the aggrieved and angry squeaky-wheel approach to diplomacy-cum-bullying on the world stage and is not suited for sneaky cyber war just yet. Also cite the fact that if you poll the likes of CrowdStrike or Mandiant you will not see too many (if any at all) attacks or campaigns being designated as DPRK actions. Now why would that be?