Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Author Archive

OPSEC In the Post Snowden World

with one comment

 

WWBD

OPSEC:

Operations security (OPSEC) is a term originating in U.S. military jargon, as a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information

~Wikipedia

I would take this definition further to include the tactics and methods of protecting your information from being compromised by the adversary. Compromise not only by technical means but also social and other means as well. (i.e. giving that information to the wrong people by being too trusting or careless with it) Given the focus I have seen online and in the media about “secure communications” by technologies that may or may not be worth trusting. I just can’t help but feel that the majority of people out there today concerned about their privacy or their security in communications will utterly fail in the end because they lack OPSEC awareness to start. Here are some key concepts for you all to consider as you download your new fresh install of TAILS with a vulnerable i2p instance and begin to wonder about the security of the product.. I will give you a hint… Unless you consider all these things you will fail at your security machinations.

Technology and OPSEC:

Screenshot from 2014-07-25 13:34:36

So you have a Laptop you bought new from your vendor and you have downloaded TAILS so you are good to go right?

No.

Consider these things before you begin your super sekret affair online…

  • Can you trust that that laptop doesn’t have some extra chips or other hardware installed? Have you taken it apart to see?
  • Are you even capable of looking at the mainboard and determining what if anything does or does not belong there?
  • Do you in fact own the pipe, the DNS, the router, or anything from the cable modem on your desk provided to you by the cable company? If not, then how do you know that the network is not already compromised?
  • The same goes for the hardware router provided to you as well as the COTS Linksys router you bought
  • Can you trust the supply chain of the TAILS instance you downloaded to start with?
  • Can you sift through the code of that TAILS instance yourself to check if there is rogue code that allows for compromise and surveillance?
  • Can you truly say you are a master of your GPG/PGP public and private keys and processes to encrypt and send email to one another?
  • Can you say that you securely transmitted your keys to the other party in the first place? Or that your private key is not already compromised from an end point CNE attack?

All of these things are compromise-able and no one is a master of all things. Unless you build your own laptop from the ground up with hardware you checked at every step AND you never let it out of your sight then you cannot say that the supply chain has not been tampered with. Thus your security measures are potentially void.

The same can be said about the operating system on the laptop. Did you code it? Have you vetted it yourself? Sure there is open source but really, unless you do this yourself how can you be sure? You can’t really so you have to have a measure of trust that it’s safe. But hey, now we are talking about nation state efforts to listen in and watch everything you do online so really it’s game over right?

There is no sure thing here. So you have to take this stance from the start that you are likely already compromised. You can now either attempt to game the system and have some modicum of security by using OPSEC and technical means or you can just say fuck it and not care. If you are in the former category then you can move on in this post and perhaps consider some other things you need to protect your secrets. If not, you can stop here and go back to your blue pill existence.

Nation State Surveillance and YOU:

So you have decided to read on.. Gut gut…

OPSEC is more than just technical means. As you can see from the above nothing technical can really truly be trusted. Just as no one really can be trusted in reality. I am willing to bet many of the LulZSec gang trusted Sabu didn’t they? I mean after all they made some stellar OPSEC failures in trusting him that ended up with them in prison now right? They also had technology fails too, I mean Sabu was pinched when he logged into an IRC without a proxy with his own IP so there ya go. It was partly technical failure and partly human failure. Had there been a bulletproof technology to obfuscate himself Sabu would not be in the witness protection plan now and the kidz would not be in the pokey right?

So let’s consider some other things outside of the technical 0day and hackery bullshit.

POSIT: The technology is already owned and there is nothing you can do about it.

CONSEQUENCE: All your communications even encrypted by these means are compromised

RESULT: Nothing you do or say should be trusted to be secure

So what do you do then? Do you just give up? Or do you try other means in a layered approach to protect your security? Let me give you a hint; “it’s the latter” However you have to be diligent and you have to follow some ground rules. Given that the documents from the Snowden trove show that if you just use crypto for your communications, no matter how banal, you are now a target of interest and collection you have to consider using the Moscow Rules as a daily routine.

Now does this mean you are really an enemy of the state and in grave danger? No. However, the precedent has been set that we are all under scrutiny and at the whim of whatever algorithm that flags us for traffic on the wire as well as any analyst who might take an interest in you. What’s worse is that many times one might find themselves under suspicion for who they talk to or what they may say online in today’s world and this is where we all should be very afraid. The Fourth Amendment is in tatters kids and what the state considers as papers or personal items does not consist presently of your phone or your computer files according to many in power.

It’s Moscow Rules:

  • Assume nothing.
  • Murphy is right.
  • Never go against your gut; it is your operational antenna.
  • Don’t look back; you are never completely alone.
  • Everyone is potentially under opposition control.
  • Go with the flow, blend in.
  • Vary your pattern and stay within your cover.
  • Any operation can be aborted. If it feels wrong, it is wrong.
  • Maintain a natural pace.
  • Lull them into a sense of complacency.
  • Build in opportunity, but use it sparingly.
  • Float like a butterfly, sting like a bee. 
  • Don’t harass the opposition.
  • There is no limit to a human being’s ability to rationalize the truth.
  • Pick the time and place for action.
  • Keep your options open.
  • Once is an accident. Twice is coincidence. Three times is an enemy action.
  • Don’t attract attention, even by being too careful

So there you have them. This is most likely a fictional list that was used in some book or other but the CIA and the Spy museum seem to have grabbed these as useful. These come obviously out of the old days of Spying in Moscow. Which coincidentally had so much surveillance on their native populace that I have begun to feel a strange sense of deja vu lately about our own affairs of state. Of course we don’t have the omnipresent fear of being disappeared.. Oh.. Wait.. Never mind…

Ok so we don’t really get disappeared so often but we can be taken into custody, our things searched, and our lives ruined by the government all on alleged information that you cannot see because it’s been marked as “Secret” with a handy NSL attached. I guess maybe that is a kind of disappearing huh? Not exactly to the Gulag Archipelago but close enough to ruin you. I know some of you out there probably just thought I put on my tinfoil hat there but I have personally seen this shit in action and it ain’t pretty.

Anyway, back to the purpose here, OPSEC is what you need to practice and you have to make it second nature if you want to keep your secrets secret. Unfortunately if you are in the sights of the nation state then you are pretty much fucked. However, you CAN make it more difficult as long as you are diligent and smart about it. So here’s the short and sweet of OPSEC for you:

  • Trust cannot be implicit in technology or people
  • Study up on disinformation and other obfuscation techniques and use them as a kind of chaff to protect your real comms
  • Understand the adversary, their motives, their techniques, and their weaknesses
  • If you use a technology be sure that you are it’s master
  • Secrets are secret (First rule of Fight Club) keep them that way
  • COMPARTMENT THE EVERYTHING!
  • Layer your encryption techniques and if possible use a OTP
  • Go read up on TSCM
  • Go read up on Counter-Surveillance techniques
  • If they can’t get at you technically they will send in assets to get close to you
  • If they can’t get assets close to you they will use your friends
  • If they can’t get your friends, assets, technical measures to work they will go after you in other ways (think legal issues)

I bet some of you are thinking I am a real paranoid freak right now. Well, welcome to the new age of the surveillance state kids. Get used to it. YOU wanted to play this game and now you are. Welcome to the big leagues.

K.

 

 

 

 

Written by Krypt3ia

2014/07/25 at 18:25

Posted in .gov, .mil, OPSEC

HOPE X Roundup

with one comment

Screenshot from 2014-07-21 09:55:50

 

HOPE X:

This last weekend was HOPE X held by the 2600 at the usual crumbling and fetid Hotel Pennsylvania. This go around I decided to attend because of the promise of all the talks surrounding the nation state surveillance today and a virtual visit from the Snowman himself. I booked my room at the Penn (I know.. bad idea really) and went in on Friday for the three days. What I got from attendance mostly was a sense of how crappy the Penn is again as well as how rough edged and lackluster the HOPE conferences have been over time. I also got to see my Twitter feed load up on hate for the con alongside the political tweets for and against it as well.

I left the con on Sunday morning with the final feeling being “Meh” Of course this could be said about most con’s for me now anyway. I said it on Twitter and I will repeat it here for you all.

“HOPE X = MORAL FAGS / DEFCON = Drink and then drink some more #hallwaycon”

That about sums up my feelings about conferences of late. Hope though was rather terrible.

Surveillance State:

So back to the whole politicizing of the con. 2600 has always been more political so you kind of have to expect that. However, this year after the Snowden revelations and the actual visit by Snowden via Skype one was left with a sense of impotence due to the conferences lack of cohesion. It’s true that the nation states of the world are spying on us all. The NSA is drift netting all of the data on the networks it can and saving it for a rainy day. Abuses are happening and governments are lying but even after Snowden’s discussion with Ellseburg I was left with a sense that nothing said was empowering.

Snowden exhorted the hackers to rise up and create better software and crypto which to me is something we all have been saying all along in the security community right? I mean if not saying make better crypto then we have been at least saying “USE IT!” right? Overall though, nothing really new came out of this discussion other than the usual cognitive re-assertions that Snowden did what was right and that we are all now living in a surveillance state. While I agree with this assessment for the most part I also did not feel at all energized by this talk.

Musings:

Overall I was not impressed by much at Hope and would agree with many who say it is a crappy con. Some may say though it is what you make of it. In that vein I will say that the Veal I had in Little Italy was fantastic but the restaurant failed on the seconds of bread. No, really, the Veal was a highlight. The conference did not teach me anything new and interesting and the venue really did not lend itself to any kind of flow for traffic so it was harder to attend anything you wanted to because you just could not get there. In fact my most prevalent thought each day was “FUCK I HOPE THERE ISN’T A FIRE! CUZ WE ARE ALL GONNA DIE!” That hotel needs to be torn down and something else built there… Seriously.

So on goes the politics of hacking… I personally believe things need to be done but generally I did not feel that this con did anything in the way of inspiring anything in me but a low level of “get me the fuck outta here”

K.

 

Written by Krypt3ia

2014/07/21 at 14:30

Posted in CON's

Attribution What’s It Good For?

leave a comment »

Screenshot from 2014-07-16 13:29:48

Presentation HERE

Video of BsidesLV: HERE

It seems not a day goes by without some new Panda or Kitten or other supercilious named actor come from the FireEye’s, Mandiant’s and the Crowdstrikes of the world. This morning a new “campaign” was announced by Symantec and backstopped by FireEye (saffron rose) and Crowdstrike (flying kitten) ..This one though has malware being named “Mysayad” because they “think” the writing and the changes show a tie in back to the flying saffron rose kitten. After reading the alert from Symantec and doing a little digging myself my head nearly exploded once again. Why? Well, because the attribution was weak and contained a lot of supposition.

I have railed about his before and in fact I did a presentation on the whole issue at BsidesLV a while back.. (see above links) My issue is why bother with the attribution anyway? Are these companies actually helping their clients with these details or not? Are they in fact digging into the whole picture of the actor and what they are looking for with the client who may be the target? Not so much that I have seen. You get a report with all the sexy sexy buzzwords and lingo and that’s it. No real help in dealing with the clients issues and it makes me have a headache.

So here ya go.. My presentation and my ideas on how it should all work. Take this and think about what you are getting as a client of these companies. Those of you working at the companies I am railing against should also perhaps think a moment or two on just what is the efficacy of what you are all doing. Are you in fact a new arm of law enforcement? I only ask because the only ones really interested in this data and can make it actionable are LE or the IC so who are you really selling to here?

Just my beef…

K.

 

Written by Krypt3ia

2014/07/16 at 18:42

Posted in Cyber

ASSESSMENT: Stephen Su aka Stephen SuBin aka Su Bin

leave a comment »

Chinese_Department_of_National_Security

 

The Arrest:

Recent news shows that an arrest has been made in a Chinese industrial espionage campaign that started around 2009 and resulted in larger dumps of data being taken from Boeing as well as other defense base aligned companies. Stephen Su aka Stephen Subin aka Su Bin was arrested in Canada after an affidavit was put in by the FBI giving evidence that SuBin and two others had broken into Boeing and other companies stealing data on the C-17 as well as F22 Raptor and JSF projects.

Screenshot from 2014-07-14 09:42:08

Screenshot from 2014-07-14 09:51:38

While the affidavit says a lot in a roundabout way on what the FBI considered evidence for the arrest there is a gap in just how the FBI came upon this guy and his co-conspirators in the first place. There is no mention of what tip may have led the FBI to obtain the email records of SuBin at Gmail and Hotmail as well as it seems the emails of the UC1 and UC2 at Gmail as well. Perhaps the data came from something like Xkeyscore or PRISM? I don’t think that that is likely but one has to ask the question anyway.

Aside from that lack of genesis for the FBI investigation the affidavit is quite detailed as to the back and forth with the UC’s and SuBin. There are file names and screen shots of data that was passed back and forth as well as email addresses and snippets of the emails themselves. Of more note though is a timeline and a operational details that SuBin and his team were using in order to carry off the espionage and this is very interesting. SuBin and the team were taking a more hybrid approach to the industrial espionage that we commonly don’t get to see or hear about in the current throes of APT madness.

Modus Operandi:

This case of espionage is different from the usual APT stories you hear today on the news. The reason for this is that the players here may or may not have ties back to those directorates and groups that APT come from. Or, they may not. The affidavit is unclear (perhaps deliberately so) on the two UC’s connections to any of the APT activities we have all heard about but they do use the same techniques that we have heard being used by APT actors.

What is different though is the use of human assets (i.e. SuBin) as a targeter for the hackers to hone in on specific files and architectures/companies/people. This is where this becomes more of a classic MSS (Ministry of State Security) operation than the ongoing attacks we have been seeing in the news since APT became a household term. Now, whether or not SuBin is actually a trained agent or just an asset is the sixty four thousand dollar question in my book. There are allegations in the affidavit that to me, looks like he could be either. Su talks about making money on the data he has been helping to steal which makes him look like a freelancer. Meanwhile there are other aspects that make it seem more like he is a true asset for MSS. I am still not quite sure myself and perhaps someday we will hear more on this from the FBI.

Screenshot from 2014-07-14 09:06:21

A common thread in much of the MSS’ (中华人民共和国国家安全部) playbook for industrial espionage is the use of human sources that are either naturalized citizens of another country. (i.e. Americans or in this case one who was about to be Canadian) In the case of SuBin, he had his own company in China that worked with wiring in airframes. This is a perfect cutout for the MSS to get an asset with access to Western companies that may be doing business with them. In the case of Lode-Tech (Su’s company) there was evidence from the 2009 documents (emails) that showed that his company was sharing space with Boeing at an expo which likely began this whole espionage exploit.

Now another fact that seems to emerge from the affidavit is that these guys were just using Gmail and other systems that are not the most secure. I do know that in some cases the APT also use these email systems but these guys seem to be pretty open with their exchanges back and forth. This to me means that they were not professional’s for the most part. I can come down on both sides here as well after having seen some of the flagrant OPSEC failures on the part of APT in the past. Generally though my feeling is that these guys were a little too loose with their OPSEC to be professional MSS operators and may in fact all have been contractors.

Screenshot from 2014-07-14 10:02:42

On the other hand though these guys had some tradecraft that they were following and these likely worked pretty well. In the image below you can see how they were hand carrying some data to Macao and Hong Kong in order to bypass certain “diplomatic issues” as they say. Additionally, the surveillance portion (which is the first time this has come up with the APT type of activity) has ever been mentioned. In the case of SuBin, he had access to Boeing itself (an assumption as none is directly mentioned in the affidavit) via his company ostensibly and thus had a presence that a hacker is lacking in remote APT activities.

Screenshot from 2014-07-14 10:25:06

 

So you can see how this is a hybrid operation and something we don’t often get to see. Could this be the new paradigm in industrial espionage? Frankly this is something I would have thought was going on all along given what I know of Chinese espionage as well as having done assessments in the past that included a physical attack portion. By synergizing the APT hacking with MSS old school tradecraft these guys were pretty successful (65 gig of targeted data from Boeing alone) and maximized insider knowledge of what to look for with technical hacking exploits. If you think about it how many companies do business with China? Now ponder how much access those companies may have to networks and people in those companies… Yeah.

These are tried and true practices on the part of the MSS as well as other intelligence agencies the world over so we have to pay attention to this stuff as well as worry about the common phishing emails that come in waves as well. Overall I think that the US needs to be a bit more self aware of all of these types of activities and methods to protect their environments but to do so I imagine will be a tough sell to most corporations.

Advanced Persistent Espionage:

What this all means is the following; “Industrial espionage doesn’t just mean APT phishing emails blindly coming at you. It also means that there may be actual people and companies that you are working with that are actively gathering your data for sale as well” Another recent incident involves Pratt & Whitney with a naturalized American Iranian who stole a lot of physical documents as well as seemingly had emailed data out of their environment to Iran as part of a sale. You have to remember it’s not just all electrons boys and girls.

However, the hybridization of the methods of APT and traditional tradecraft is just beginning. I think that the Chinese have seen the light so to speak and will start to leverage these things more as the US continues to put pressure on them concerning APT attacks. The MSS will get more and more cautious and work smarter as they continue to be persistent in their espionage activities. The Russians are already pretty good at this and they leverage both now. It’s time I guess that the Chinese have decided to look to their Russian friends and steal a bit from their playbook as well.

K.

 

Written by Krypt3ia

2014/07/14 at 18:47

Funding Jihad With Bitcoins REDUX

leave a comment »

Screenshot from 2014-07-10 11:32:33

 

Bitcoins for Jihad Isn’t New

A recent article that is making the rounds is decrying a new paradigm for jihad in that @abualbawi is calling for funding through Bitcoin and Darkwallet. I was sent the article and I took a look at the PDF that *was* located on this guy’s site but overall this is not as interesting or scary as the media would like to make it out to be. Why isn’t it scary you ask? Well, primarily because having been in the world of monitoring these jihobbyists I don’t find on average that they are that tech savvy. In fact, I haven’t seen a really tech savvy one since Irahbi007 back in the day but that is just my opinion.. *by the way he wasn’t a mental genius either*

 

Screenshot from 2014-07-10 11:35:30

This type of fund raising has been going on for some time in the Darknet *to what end I am not really sure* but as you will see below actual funds were transfered in the darknet to that wallet and taken out circa 2012 and recently more has been added. Of course to date, the above Darknet site (pictured at top of page) is the ONLY one of it’s kind that I am aware of but this would not preclude others passing bitcoins in the background to send to certain players in the global jihad. So this pdf and the rationalization for the use of kuffar technologies is in fact new and novel really for Abu and his pals at ISIS I will give them that.

Screenshot from 2014-07-10 11:39:42

It also seems that Abu is trying to horn in on the old and tired “Jihadi Magazine” with his AL-KHALIFA but hey, a jihadi media mogul has to start somewhere right? Interestingly Abu has decided to remove the bitcoin pdf from his galley but I luckily got it before it was gone. The notion though that Abu has in mind is that there is no real way to de-anonymize a Bitcoin transaction and, well, that isn’t completely true. So yeah, it may be tough but you also have to factor in bad OPSEC on the part of the players as well as possible technical attacks against the system that could in fact let the other guy know who you are.

Screenshot from 2014-07-10 09:08:00

… By the way.. Abu, umm it is Abu right? Or is it Bobihnd? You guys seem to have the same UID for Twitter and talk to the same people… Perhaps I am just not caffeinated enough.  Nope nope nope.. I was not caffeinated enough. There is telling tidbits that they are one in the same or close but I cannot prove this out.. Yet.

Anywho… Back to the issue of Bitcoin, Darkwallet’s, and anonymity. I expect that you guys will have some large hurdles here to get the funds flowing for your caliphate. I just can’t imagine Al-Baghdadi being all over this either. He doesn’t strike as a real “techie” ya know? I could however see the likes of the House of Saud maybe tossing some money at some GPU time but really, this is an untenable posit for funding your jihad Abu. I mean how many Western jihobbyists are going to rent bot time to mine or mine these things at home just to give to you and yours?

Get real.

The First Attempt On The Darknet Did Raise Money

Screenshot from 2014-07-10 09:06:15

On the other hand… The site I mentioned in the Darknet? Yeah as you can see above they had about 1200 bucks in there at one point. You have to notice though it wasn’t a lot of bitcoins but instead it was the inflation that was happening at the boom time that gave it the bump. Of course they cashed that shit out toot sweet and I suspect bought a nice Macbook Air, not an AK-47 or a ticket to Syria. So yeah, the idea is not new mainstream media and so far it has not made a huge amount of money so it should not be a booga booga booga news headline mmmkay? Nothing to see here.. Move along…

Next I will cover the hullabaloo over ISIS/AQ using TAILS OMG!

K.

 

 

Written by Krypt3ia

2014/07/10 at 16:46

Robin Sage Has Taught Us Nothing It Seems…

with one comment

Screenshot from 2014-07-08 09:28:52

Cutouts and LinkedIn

Recently I was sent an invite by the profile of “Emanuel Gomez” an alleged recruiter from Alaska asking to be added to my LinkedIn “friends” Some of you may have seen the event happen on LinkedIn as after I did a little due diligence OSINT it became clear that this account was a cutout for someone looking for entree to my list of connections using a rather obvious fake name and details. The first clue though was a quick search of the headshot used on Google image search which came up with the real person’s name and profile elsewhere. Once I got that hit it was all out OSINT time and here is what I found.

linkedinSE2Real user profile of unsuspecting Richard Velazquez

 

linkedinSE3

The culprit behind this fake LI account is one Leon Jaimes, a techie in Alaska via Colorado. Leon had used an email address in his profile that led me right to him as he posted under his real name at various bulletin boards and had a flickr account attached to the same address. Within his data on the image upload site he had many personal details as well as an old registration with pertinent personal data on it that he had photographed and placed on the web… Yeah.. Sigh…

 

 

Screenshot from 2014-07-08 09:58:18

I made short work of Leon and dug up a lot on him including an arrest record for being drunk and trespassing in someone’s house. All I have to say is Leon, buddy, like I said in the email I sent to you, your OPSEC sucks! Leon actually emailed me back asking where he had gone wrong and admitting to the profile which I did not answer… I mean really? I am going to teach you better OPSEC? Two words FUCK. NO.

I had meanwhile begun a thread on LinkedIn about the incident (pic at top started the string) to alert others as to the ongoing ruse. I had seen others within my circle who had fallen for this as well as others he seemed to be aiming at. At the time of my initially getting the email to add him he had 23 people as connections. By 10 am he had 50. People were just click happy and adding him to their connections without really taking a closer look at his profile. Mind you, these were people in INFOSEC as well as MIL and Fed types! I checked the profile as of this writing though and it is now gone from LI so there is at least that and more than a few people have looked at my post and commented. Yet, it still bothers me that so many fell for such a poorly constructed profile.

FAIL.

Social Animals With Cognitive Issues

Screenshot from 2014-07-08 09:41:30

So what have we learned since the big hullabaloo over Robin Sage? It would seem not much really. Why is this? Why have people generally not learned from the event Tommy sparked back a few years ago? Are we just not teaching people about SE and the perils of cutout accounts and espionage being carried out by state actors and others via venues like LinkedIn? I actually believe that there are many concomitant issues at play here and I recently spoke at BsidesCT about the cognitive issues around security.

We are creatures of habit with lazy minds it seems with biological impediments cognitively as well as generally, as a species have adapted to being social animals. It’s this very social aspect that is being leveraged so well today as always in the espionage world. It is just that today you can reach people much easier via the net and social media and harvest much more data extremely quickly. There are of course a host of social mores that I could go into but perhaps that’s for another day. What I would really like to say here though is that if you are on LinkedIn and you are not at least trying to vet those people trying to get you to add them then you are likely adding cutout accounts as well who are spying on you.

OPSEC Lessons Learned

So I guess many people may not care at all who they connect to on LinkedIn. Perhaps some of those people are in INFOSEC or the Defense base as well. Maybe those users really have nothing in their profiles to protect and do not consider their connections to be of worth to some adversary somewhere. Perhaps those same people are idiots and have not been paying attention to the news for the last, oh, let’s say 3 years? Maybe there is just a general lack of education on the whole within companies about social engineering, phishing, and today’s common attacks? Is there actually a study out there showing just how much education is going on at a corporate and nationwide scale?

Here are the salient simple facts for you all to chew on:

  • Everyone is a target and your information and your connections are important to an adversary looking to attack YOUR business.
  • Social Media sites like LinkedIn are a goldmine for this intelligence gathering. Not only of your connections but also your personal information that you may leak there or other places that when mined, can lead to a fuller picture of who you are, your habits, and your weaknesses.
  • Phishing and SPEAR-Phishing attacks start at this level with intelligence gathering on you and others in your circles. Plans are hatched leveraging who you know and who you work with to exploit yourself and others into clicking links or giving up intelligence to the adversary.
  • All of the above happens every day to millions of people and the reality is you are the only one who can try to prevent it by being more aware of these things.

I should think that there would be more moratoriums on the use of LinkedIn and other places tagging where you work to your profile. This is a real harvest festival and has been for some time and yet no one has made a move here. LinkedIn also is a part of the problem too. They seem to be doing pretty much nothing to invent means of vetting people to insure they are who they say they are. Look at the recent case of Newscaster and their use of not only LI but also Facebook and Twitter. They had numerous people from the Aerospace community connected to them on LinkedIn and this was an Iranian operation (note** Amateurish and likely not state sponsored or run**) but still… You get the picture right?

I will leave you with these questions;

  • What’s on your LinkedIn?
  • Who are you connected to?
  • What information is on your profile that could be used to tell what access you have, who you work for, who your friends are, what your preferences are etc…
  • What secrets do you have that I can exploit from your social media accounts?
  • What OPSEC precautions have you taken to protect your information?
  • Are you even aware of these things?

Think before you click ADD USER.

K.

 

Written by Krypt3ia

2014/07/08 at 14:41

JUNE 2014 Global Threat Intelligence Report

leave a comment »

photo

GLOBAL THREAT INTELLIGENCE ASSESSMENT JUNE 2014

 

Executive Summary:

In the month of June 2014 there were 3 top breaches that caused a loss of data within the range of 242,908 personal records. This is just one aspect of loss due to compromises due to criminal activities as well as state actors today within the realm of hacking. This report is being presented to you to give insight into what is happening in the world today and this last month online and in corporations where information security is involved.

This month has seen more activities from not only nation state actors but also defenders within the US working towards stopping them. Crowdstrike, Fireeye, and others have put out reports on actors and methods that are currently attacking infrastructures both private and public. In this report you will see some of the highlights from global events that is germane to your understanding of the threatscape today.

Screenshot from 2014-06-30 10:02:04

Report Highlights:

  • OpenSSL had another vulnerability found that could cause compromise of people’s credentials.
  • Iranian hackers attempted to socially engineer and spearphish numerous defense base users with LinkedIn, Facebook, and Twitter
  • A social engineering campaign was launched against the author of this report via LinkedIn in an attempt at intelligence gathering
  • The Russian state has allegedly launched attacks using the HAVEX RAT which attacks SCADA and ICS systems (Energy Sector)
  • The Syrian Electronic Army attacks Reuters website and defaces it in an propaganda campaign
  • The Dyreza RAT bypasses SSL sessions by stealing credentials and is attacking larger bank users
  • ANONYMOUS is planning an OP on ISIS funding states
  • ISIS/ISIL leveraging Twitter for propaganda and recruitment purposes
  • SEA (Syrian Electronic Army) Compromises and defaces Reuters website

Global Threats

Open SSL:

Summary:

Post the Heartbleed vulnerabilities disclosure, attackers have been working on other vulnerabilities within the code for SSL (Secure Sockets Layer) encryption. This is the encryption that protects internet traffic and has been the standard for many years. As of June 5th a new vulnerability was released and has been since patched in the code by the makers of SSL.

The attack allowed for a “Man in the Middle” attack that could have led to decryption of traffic and loss of credentials and data. This means that an intermediary machine would have to be in the middle of the traffic for this to work. This attack is feasible and it has been recommended that all instances within your environment that are vulnerable to this should be patched as soon as practicable.

From OpenSSL.org

The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution

This attack though and Heartbleed show an inherent security problem with commonly used protocols or software like this due to the prevalence of use and the level of compromise that could come from exploiting this type of bug.

Social Engineering via LinkedIn: NEWSCASTER

Summary:

On May 28th iSight Partners put out a report on an alleged Iranian phishing and social engineering campaign that used some common tactics for APT (Advanced Persistent Threat) actors. This campaign started in or around August 2013 and continued up until the roll up after this report was put on the internet.

The site above posed as an on air radio station as well as a news site catering to topics that defense base individuals would be interested in. In tandem with this or at least in parallel, the adversary also created a group of accounts on Twitter, Facebook, and LinkedIN to socially engineer targets and backstop the fictitious site.

The parallell attack consisted of socially engineering employees and heads of departments up to and including high level brass in the military and C level exectuives from places like Pratt & Whitney and other companies that make defense hardware. Once users had accepted LinkedIN requests or Facebook requests they would be enticed to go to the Newsonair site to read the news and perhaps listen online. The links sent to the targets would then be drive by sites for infection or simple sites that requested users credentials to enter their site for content. These attempts would then perhaps net the adversary the users credentials to Outlook (one particular attack was a page that presented an outlook login) and thus compromising their email as well as perhaps other access such as VPN (depending on implementations)

According to the iSight report the gambit of socially engineering people via Facebook and LinkedIN worked well enough to gather approximately two thousand users “friending” or adding the fictitious (cutout) accounts that the adversary had created to mine for access. Given the numbers accredited to have been within the friends/linkedin connections it is a high probability that the adversary had at least some insight into the workings of their targets habits and perhaps even may have elicited access through the drive by attacks as well as perhaps SE data from unaware targets.

Analysis:

This campaign is not important or of note in its modus operandi generally as APT goes but it is an object lesson that should be heeded. The melding of the SE with the drive by attacks show how easy it is to attempt to get users to compromise their systems as well as their personal/corporate data through social media attacks.

Where this may in fact be an Iranian actor (not nation state but instead a hacker/group in Iran looking to carry out a campaign under the rubric of political fervor) we have also seen actors like the Lampeduza Republic (carders who attacked Target) use the same APT tactics to affect their goal of stealing PCI data.

Given that social media is so prevalent today, it is a given that campaigns are ongoing within the space and that our users as well as our executives could fall prey to these attacks by other adversaries than APT (Nation-state or other) As such we should insure that our education on Phishing as well as Social media attacks and SE should continue if not actually expand. This is the current and future of pivot attacks that will continue to be the means by which attackers break into companies and extract data.

Another factor to take into account is the endpoint where traffic is going on the internet. In the case of newsonair the IP space was located physically in DFW (Texas) but the end point of the data trail leads to Iran and a server within the Islamic Republic. IDS and SIEM can help to determine traffic patterns to such places outside of the country and should be leveraged to determine where data is ex-filtrating to. In the case of this team the SIEM and IDS solutions actually caught the traffic (hits on sites) as well as malware telemetry and remediation tools stopped the malware from compromising machines.

Social Engineering via LinkedIn: Personal Account

linkedinSE

Summary:

I personally received this invite from an alleged recruiter. Upon inspection of the account I found that the user had inconsistencies in their profile and began digging into it. Once I took the headshot and put it into an image search engine I was able to determine that the person in it certainly was not the person they claimed to be in LinkedIn.

By using the email address attached to the account I was able to then look up the metadata on the real person behind the account. This person does live in Alaska and purportedly works for a telco there. Having tracked him further using the email account provided in the LinkedIn profile I was able to track much of his life because he had placed it all online for anyone to see. This included an arrest report in 2013 for being drunk and trespassing in a residence.

linkedinSE3

 

linkedinSE2

Analysis:

The analysis for this incident follows much of what is discussed in the NEWSCASTER report. The takeaway is that your social media profile can lead to corporate or personal compromise. Care should be taken as to what you share and with whom on such sites as LinkedIn, Facebook, Twitter, etc as they can be used to create a dossier on you for further attacks.

In the case of this attempt, the user had poor OPSEC (Operational Security) and thus his legend (cover story) lacked credibility as well as leaving bread crumbs to follow easily to his real name and location. I personally do not list the companies I am employed by because of such attacks and leakage of information that would be counter to security. As such, this attacker was looking for what he had hoped was a target with entre into the government and military spaces that I listed in past jobs that I had had.

** Note at 6am 6/30/14 the user had 109 connections within the federal and MIL space**

HAVEX RAT (Russia)

scan_lanimage from F-Secure blog

Summary:

The HAVEX RAT (Remote Access Tool) has been leveraged by Russian APT to attack specific industries that now include power systems and energy companies. This actor group has modified the RAT and their modus operandi to attack SCADA and ICS systems (Supervisory Control and Data Acquisition) in hopes of perhaps carrying out supply chain attacks on those systems. This is the 43rd iteration of this RAT tool in use by this actor (RU)  This group also has used the “LightsOut Exploit Kit” watering hole attack as well to carry out attacks (http://pastebin.com/qCdMwtZ6) according to MalwareMustDie and Cisco.

**Crowdstrike designates this group “Energetic Bear” and currently this month showed them to be active and being reported on by the press.**

**Further analysis by Symantec HERE having named it DRAGONFLY**

Analysis:

This group of alleged Russian attackers has been active for some time now (circa 2012) and have been seeking data from systems within the energy sector. Given that Russia is a large player in the energy sector it is easy to assume that their motives are for state/private consumption within the energy space. The attacks have been not only on US assets but also on French and other countries companies that they have interests in.  As a whole, this group is believed to be nation state but it can be seen as perhaps a co-owned endeavour on the part of the state and the oligarchs who run the large petro and other energy concerns within the former USSR.

With the advent of the HAVEX RAT’s SCADA/ICS functionality though it can be an assumption that attacks on those systems could be used in ways that could help the Russian state’s prices on energy consumables as well as further other deeper state desires of the Putin government. An attack by an adversary with a horse in the game and geopolitical with monetary repercussions on the supply chains of certain competitors would place the Russian government in a better position globally if not regionally.

Crimeware

(DYREZA) SSL BYPASS RAT

Summary:

Dyreza is a new RAT that has a special method of gathering intelligence. This malware performs an SSL bypass allowing credentials to then be passed in the clear as a kind of man in the middle attack. It in fact steals the credentials in the targets browser thus nullifying the encrypted session altogether. Currently the primary targets of this malware/RAT have been Bank of America, Natwest, Citibank, RBS, and Ulsterbank. This malware campaign also has been cited to have an adversary set that is planning on turning this into a malware as a service model of business. They have set up money “mules” and are seeking to make this a global campaign that one can buy into as a full pipeline from compromise to money movement and laundering.

Analysis:

While this RAT and group (Assumed to be Russian with the naming of Dyreza) are ambitious they have failed to program encrypted comm’s into their model thus SIEM and IDS traffic will easily capture and stop their activities. While their approach is novel, they are not as yet a true threat to a larger swath of corporations due to their technical limitations. It is also assumed that these new players are attempting to cash in on the void that was left by the GoZeus takedown recently. Until such time as they next iteration includes encrypted C&C this group should not be considered a major threat actor.

APT Activities

China

Summary:

Crowdstrike reported on a new PLA unit active online today attacking corporations and government entities naming the unit (Unit 61486) as well as some of the players involved by name. In what is called OSINT (Open Source Intelligence) the Crowdstrike team reported on the actual names of PLA members who comprise this unit including pictures and personal details. Crowdstrike is calling this group “Putter Panda” and they are primraily attacking the government, defense, and technology research sectors.

PLA Unit 61486 focuses their exploits against popular productivity applications such as Adobe Reader and Microsoft Office to deploy custom malware through targeted email attacks (i.e. SpearPhishing)

**Currently there are 13 groups/cells within the Chinese PLA active today as APT (Advanced Persistent Threats)**

Analysis:

Attribution is a troublesome thing in hacking and cyber warfare but the data presented by Crowdstrike is compelling enough to say that they in fact were right. However, the usefulness of such reports is called into question as relations with China sour and the legalities surrounding all of this preclude any solid action of merit. In the case of the Putter Panda report and their doxing of the PLA players it may be a moot point. Outing these players will not necessarily change their tactics as we have seen from the Mandiant reporting on CN activities in the past. In the case of the Mandiant report those actors changed some of their activities but on the whole they fell back into the same practices.

On the legal front outing such sources of attacks also may in fact lead to some sort of naming and shaming at a political level that the US may leverage but I personally unsure of it’s efficacy. As we have seen to date the US and the globe lack the proper legal means to attack these problems as well as politically there are no common grounds for countries to apply warfare as separate from civil actions taken by individuals perhaps at the governments behest. In the case of the PLA they are military however, many of their proxy actors are private citizens that are motivated by patriotism and perhaps monetary incentives to carry out these attacks.

On the whole this is just another common APT group within the arcology of Chinese APT who’s OPSEC (Operational Security) was lacking and thus they re-used information or aligned information and backstopping for their campaigns with personal data. This allowed OSINT (Open Source Intelligence) analysts to easily follow Wang Dong’s trail back to his own personal accounts with photographs etc. While this is a marketing coup for Crowdstrike the efficacy as mentioned above is still questionable on outing these players.

Iran (See above NEWSCASTER campaign)

Russia(See above HAVEX RAT campaign)

Syria/SEA (Syrian Electronic Army)

Summary:

The SEA attacked and compromised the Reuters website on June 22nd 2014. This attack followed the usual protocol of defacement by the Syrian Electronic Army and its leader Th3Pr0. The SEA is a group that has formed to fight on the web in a propaganda war of web defacements for the Assad regime. It seems that this hack against the Reuters site was carried out via an attack on a third party vendor who had access to key systems. Someone from SEA fooled a company employee, into giving up their password and then used the access to Taboola’s Backstage platform to change the header in the Reuters widget, and thus to deface the page.

Screenshot from 2014-06-30 11:41:46

Analysis:

It is debated whether or not the SEA is considered to really be a nation state actor or not. As yet it is indeterminate if the SEA has backing from the Assad regime (i.e. money and support) but is something that should be watched and thought about. Such instances of anarchy and propaganda online are much more common post the Anonymous and LulzSec incidents from 2010 on and the model is now popular with online movements.

For the most part SEA’s attacks are more propaganda than anything on the level of espionage or acts of warfare. It is debatable whether or not SEA is really capable of much more than defacements but it may also be that the actors within this group may have been holding back on more serious actions. Given their penchant for SE attacks to gather access it is very possible that they could carry out more devastating attacks against their targets internal systems.

It is the recommendation of this assessment that a little of both applies here.

HACTIVISM:

ANONYMOUS: OP: NO2ISIS

Screenshot from 2014-06-30 12:10:29

Summary:

Anonymous has announced that it plans on attacking ISIS/ISIL funding sources and state backers. In an operation they are calling OP: NO2ISIS Anonymous claims they will be attacking the sources of funding for the group that is presently taking over large sections of Iraq. The three primary targets of Op: No2ISIS will be Turkey, Saudi Arabia, and Qatar but may include other targets as they get intelligence implicating other countries or individuals.

Anonymous plans to attack these sources of funding because they claim that ISIS is not something they can attack online as they are fighting a ground war in Iraq and Syria. Another reason that the Anonymous collective has targeted ISIS is because ISIS took over the account @theanonmessage (an Anon account) and feels that this operation would suffice for retribution against the newly minted terrorist organization. It is not possible to know what real damage Anonymous can have against the funding of ISIS nor perhaps against ISIS itself due to the primary modus operandi of distributed denial of service may or may not have any effect on those targeted.

OFFICIAL ANNOUNCEMENT:

Analysis:

It is of note that Anonymous feels moved to target the funding structure of ISIS for a couple of reasons. Firstly, a frontal attack on ISIS, as they say in their media is hard because ISIS is in fact fighting a ground war in Iraq. However, ISIS does use Twitter and other social media very effectively in a propaganda and recruitment war and this could be attacked rather easily by a group such as Anonymous. This cognitive dissonance on the part of the Anon’s makes them look a bit more impotent than they would like on the whole and this operation will likely hardly be a win in any book against ISIS or their funding feeds. This operation will likely have little to no effect on ISIS nor their funding and it is the opinion of this assessment that Anonymous would be better served by attacking the ISIS media wing instead. By degrading the ISIS capabilities for propaganda and recruitment Anonymous might play a better role within the GWOT.

PSYOPS & PROPAGANDA

ISIS/ISIL (Islamic State of Nineveh)

article-2661007-1EC4125D00000578-306_634x453

Summary:

The ISIS (Islamic State of Iraq and Syria) has been in a media jihad for some time now and it has accelerated this campaign with the current takeover of sections of Iraq that it has been carrying out. ISIS has a media arm that has been using social media such as Twitter (as seen above) to leverage the internet in a propaganda war as well as a recruitment drive. The group has not only been using twitter with individual accounts but also has created a twitter application that allowed the terrorist organization to use other accts to geometrically reach a larger audience. The tool would be loaded on to user systems and had an API function that allowed the user to put in their credentials and authorize the app to post ISIS jihadi media posts to all of the followers of that account.

Screenshot from 2014-06-30 13:07:59

Analysis:

ISIS has been rather novel in their use of Twitter online. Their creation of an application to bypass Twitter’s own systems is interesting to see as well as it’s inherent means of doubling or quadrupling their messages getting out through proxy accounts. (i.e. users allowing themselves to be the conduit of the media jihad) As a means of propagandizing their war in Iraq as well as a tool for recruitment (which has been rising since their campaigns both digitally and on the ground have taken off) ISIS has harnessed the internet and social media in a way that the old guard of Al Qaida never did. This is clearly an advance and should be noted not only from the position of the GWOT but also any other movement that might learn from ISIS and begin their own propaganda wars using social media as the primary medium.

MILITARY FACEBOOK PSYOPS TESTING

Summary:

Facebook has recently published a 2012 study in the March issue of the Proceedings of the National Academy of Sciences. The study was to determine whether it could alter the emotional state of its users and prompt them to post either more positive or negative content, the site’s data scientists enabled an algorithm, for one week, to automatically omit content that contained words associated with either positive or negative emotions from the central news feeds of 689,003 users. This study found that it could manipulate those users emotions to a certain degree by said manipulation.

According to an abstract of the study, “for people who had positive content reduced in their News Feed, a larger percentage of words in people’s status updates were negative and a smaller percentage were positive. When negativity was reduced, the opposite pattern occurred.” The study was partially funded by the Army Research Office — an agency within the U.S. Army that funds basic research in the military’s interest  according to a press release from Cornell University.

Analysis:

While this type of testing is a normative thing within the psychology sphere, the problem that many have latched onto is that the US military funded this one. The assessment of this story and the study itself does lead one to believe that on the whole the military as well as Facebook have some ethical questions to face about this. Facebook surely is looking to manipulate their users for purposes of sales and the synergy of that in tandem with the military’s desire for PSYOPS tools is rather assured. By using social media like Twitter or Facebook, the millitary as well as other actors could manipulate populaces en mas with these techniques and this is a dangerous precedent to set.

GLOBAL INTELLIGENCE ANALYSIS:

Summary:

Overall this report has been put together to show a high level approach to global trends in threats online. The actors are varied from criminal syndicates, to nation state actors and spies, to global jihadist movements abroad. Truly the internet and computers have brought a new and very extensible means of espionage, terror, and manipulation of peoples through social media, hacking, and other means within the digital realm.

As we have been seeing the technologies are becoming easier to master for many to use guerrilla tactics and unconventional warfare online to further their goals. Whether that be a nation state like Russia using malware to  effect the supply chains of other nation states energy companies or Ukrainian syndicates seeking to steal masses of personal data along with credit card numbers and pins we are seeing a change in paradigms digitally. All of the attacks written about in this report are fodder for the reader to consider the technological landscape today and the types of attack methods as well as goals that predicate them.

The takeaways from this June report are the following bullet points:

  • Social engineering has always been a staple but now that social media is in the mix it’s use is much more devastating to organizations
  • Malware tools are constantly being upgraded or created anew with various attack vectors that leverage phishing/spearphising/ and social media attacks
  • Globally, intelligence gathering techniques are no longer solely the purview of nation state actors and their spy agencies alone.
  • Propaganda and misdirection are becoming more popular not only with nation state actors but also terrorists and criminal gangs

 

PDF VERSION OF THIS DOCUMENT HERE

APPENDIX A: LINKS

http://www.stockhouse.com/news/press-releases/2014/06/10/akamai-warns-fortune-500-of-high-risk-threat-from-zeus-crimeware

http://www.nytimes.com/2014/06/10/technology/private-report-further-details-chinese-cyberattacks.html?_r=0

http://www.openssl.org/news/secadv_20140605.txt

http://www.crowdstrike.com/…/CrowdStrike_Global_Threat_Report_2013.pdf

http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/

http://www.darkreading.com/vulnerabilities—threats/advanced-threats/a-dyre-new-banking-trojan/d/d-id/1278620

http://www.zdnet.com/chinese-army-group-hacks-us-satellite-partners-crowdstrike-7000030353/

http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CB0QFjAA&url=http%3A%2F%2Fcdn0.vox-cdn.com%2Fassets%2F4589853%2Fcrowdstrike-intelligence-report-putter-panda.original.pdf&ei=ooOxU97iNYWqyATRqoKQDg&usg=AFQjCNHzq5qbTVgD8V-gwGKo_-naV9GG5Q&sig2=6TYhWyIHI4ZfRjO0NbyUxg&bvm=bv.69837884,d.aWw

http://www.eweek.com/security/third-party-service-providers-scrutinized-after-seas-reuters-hack.html

http://www.forbes.com/sites/jasperhamill/2014/06/27/anonymous-hacktivists-prepare-for-strike-against-isis-supporters/

http://www.kshb.com/news/us-government-helped-fund-facebook-experiment-that-manipulated-users-emotions

 

 

Written by Krypt3ia

2014/06/30 at 18:00

Posted in Threat Intel

Dropping DOX on APT: aka Free Lessons on OPSEC!

with 3 comments

The_enemy_is_listening

 

“And gentlemen in England now-a-bed
Shall think themselves accurs’d they were not here,
And hold their manhoods cheap whiles any speaks
That fought with us upon Saint Crispin’s day.”

“Prince Hal” Henry V Act 4 Scene 3 ~William Shakespeare

Stuck in The Middle with APT and YOU:

If you are like me then you too have to look at the feeds from FireEye, Crowdstrike, Mandiant, and others on a daily basis for my job. The job that I speak of includes fighting APT at times and having to keep executives aware of what is going on as well. Lately though, since the drop by Mandiant on the “China problem” (aka CN actors 1-13) there has been a huge uptick in reports that try to do the same thing, i.e. name and shame those attackers as a means to an end. That means to an end I feel 99.999% of the time is to garner attention by the media and to increase market share.

Others may have reasons that are more closely aligned with “America FUCK YEAH!” and may be well intentioned but misguided to my mind. I have seen the gamut of this and I too have played my roll in this as well. I have dox’d players in the Jihad as well as nation state actors (mostly wannabe’s) on this very blog and have watched as a pile of nothing really happened most of the time. These big companies though that sell “Threat Intelligence” seem to really mostly be driven by attention and marketing appeal for their services than nation state concerns in my opinion when they drop dox on B or C level players in the “great game” and sadly I think this is rather useless, well, in the great game that is, not in the bottom line of lining their pockets right? …But I digress…

Let’s face it folks, we are all subject to the great game and we have little to no power in it on the whole. The APT and the nation state will continue their games of thievery and espionage. The companies selling services will ubiquitously use their “insider” knowledge gathered from all of their clients DNS traffic to generate these reports and market them to garner more clients and we, the people at the end of and the beginning of this process will just have to sit by and get played. Sure, if you are running your program right in your environment and you are getting good threat intelligence telemetry at the least, then you can attempt to staunch the exfil flow but really, in the end that flow is after the fact right? The PWN has happened and you are just being reactive. From this though you feel a certain amount of angst right? So when some company drops dox on some third stringer in China you pump your fist in the air and say “FUCK YEAH! GOT YOU!” and feel good right?

Yeah… I have news for you. It doesn’t mean anything. It will not stop it from happening. In fact, the services you just paid for that just shamed Wang Dong just taught him a valuable lesson….

FREE OPSEC LESSONS!:

What Wang and the PLA just learned is that Crowdstrike offers FREE OPSEC TRAINING! If any of you out there believe that this will curb the insatiable Chinese Honey-badger they have another thing coming. While it may feel like a slam dunk it is really just a Pyrrhic victory in a larger war while it is really in fact a marketing coup. The Chinese don’t care and in fact all they will do is re-tool their exploits/ttp’s/C&C’s and learn from their mistakes to become more stealthy. Really, we are training the 3rd string to be better at their job when we drop all this stuff on the net. This is a direct forced reaction to their being outed instead of attempting to just share the data in a more covert manner within the IC community or other more secretive channels where it could be used effectively in my opinion.

So yeah, some PLA kids got a spanking and now they are known entities but really, this will not stop them from doing their job and it certainly will have an effect of changing their operational paradigms to be more subtle and inscrutable. While the marketing goal has been fulfilled I see really little other value in doing this ….unless there is a greater unseen game going on here. Some might imply that there is another dimension here and that may include disinformation or other back channel pressures by the government. In fact it was alluded to by the Crowdstrike folks that the government is fully aware and part of the whole “process” on these. So, is this also a synergistic tool for marketing AND nation state agendas for the US?

Eh… Given my opinion of late of the current Admin and the IC, not so much. Nope, I think in the end I will stick to the opinion that this is nothing more than marketing smoke and magic…

I hope the third stringers appreciate the free OPSEC lessons. I mean gee, the going rate for classes is pretty high.

K.

 

Written by Krypt3ia

2014/06/17 at 13:11

Posted in APT, OPSEC, OSINT

The Psych of Sec

with 4 comments

I recently gave this presentation at BsidesCT and have found that slideshare does not like my sense of graphic design as well as a slide deck at times alone just doesn’t tell the full story of the presentation. So, I am going to add commentary here that I gave in person and let you all see a better picture of what was talked about.

K.

Screenshot from 2014-06-15 05_53_30

 

Screenshot from 2014-06-15 05_53_51

 

Screenshot from 2014-06-15 05_54_22

 

Screenshot from 2014-06-15 05_54_42

 

Screenshot from 2014-06-15 05_54_59

 

Screenshot from 2014-06-15 05_55_19

Computer security starts and ends with people. People are the ones creating the hardware, software, processes, and operating the internet of things. We are the reason we have these problems around security and we are the reason as well that things don’t get done right or are abused. Our species, the tool user, has created a series of tools that outstrip our capacities to comprehend them en mas as well as operate them securely as a whole. I want you to remember one thing from this talk and that is that we are the reason we can’t have nice things as they say today. We are the beginning and the end of the problem and we must address this smartly to overcome the problem.

 

Screenshot from 2014-06-15 05_55_34

First though we will start out with the biological makeup of the brain that causes the dissonance that we are seeing today within the security community at large. The organic brain is the key to much of our problems around security. We have a lump of brain matter that has varying sections that operate in different ways and much of the time are the cause of our not being so able to handle security tasks very well as well as predisposes us to certain types of failures. These predispositions can be overcome but we have to work at improving out abilities of cognition as well as deal with the host of emotional and social issues that stem from our brains and our societal makeup.

 

Screenshot from 2014-06-15 05_55_53

Our brains are a wonder and yet they are the product of evolution that did not include computers from the start. The brain has some limitations in scope where cognition is concerned and you can see this in the form of such things as inability to remember hard passwords and long term memory and learning processes. We have simply created a tool (computers) that outstrip our capacities to retain and manipulate information and as such we have created a shortcut for ourselves to ease our brains burden. Unfortunately at the same time we have opened ourselves up to more insecurities now because of the tools that we have created to ease that brain workload.

 

Screenshot from 2014-06-15 05_56_18

Keeping all of the above in mind let’s take a look at the two primary actors in my presentation on security within the brain that come to bear on the issue. The first part of the brain that I will cover is the Amygdala. The Amygdala (shown above) is the part of the brain that deals with emotion as well as fight or flight responses. This part of the brain is the more reactionary and plays a key role in our abilities to react to stimuli such as needing to say “That’s a tiger and it’s about to eat me RUN!” The amygdala also functions as the short term memory agent to translate memories and data into long term memory in another part of the brain. Overall the Amygdala is that section of the brain that is reactive and knee jerk while the next part of our brain I will cover is the more reasoned one. A part of the brain that is almost diametrically opposed to the Amygdala, the Prefrontal Cortex.

 

Screenshot from 2014-06-15 05_56_35

While the Amygdala was great for our ancestors on the great savannah and still functions well for immediate threat responses it is a rather poor organ for information security today. Since the Amygdala deals with imminent threats to our lives the Prefrontal Cortex (henceforth PFC) deals with the more abstract things such as long term threats and other kinds of reasoning. While the Amygdala is freaking out at every little sound the PFC says “wait, we’ve heard that before.. It’s a cat so calm down”

Herein lies one of the primary reasons that infosec today has so many issues. The brain, while being really good at certain things that served us well in the past is not so well suited on average to long term threats due to this dichotomy of the PFC and the Amygdala. One of the primary functions of the Amygdala is to take really bad things and insure that the rest of the brain cognates that they were bad and to remember them long term. An example of this would be say 9/11. We all pretty much remember where we were and what we were doing when it happened. This is the amygdala processing something horrible into long term memory because it was scary.

Now ponder your everyday computer security problems. Are they life or death? On average they are not and thus without the huge scare factor, the memory engram isn’t created quickly if at all because the PFC rationalizes that this is nothing to really fear and is not as important as other tasks it is being hit with through all of the stimuli it gets daily. So you see that our physical makeup within the brain creates a certain cognitive dissonance to the problems of long term and abstract security concepts such as we face every day in INFOSEC.

 

Screenshot from 2014-06-15 05_56_54

 

Screenshot from 2014-06-15 05_57_14

Cognitive bias is a factor that comes from the aforementioned brain fight that we have between the Amygdala and the PFC. The bias issue is a large part of why we fail so much in security from the people side of the equation and it is rather systemic to the entirety of the problem. From the structural issues I just spoke about above we have bias issues where things like “It won’t happen to me” come to the fore. Unless the user has been really hit hard with real effects from a security incident, life or death kinds of incidents, the brain just does not really process that on average as a high priority to store in long term memory and this is a problem where we are concerned.

So unless the problems are fight or flight and life or death, then we tend to get these bias issues of it can’t happen or it won’t happen because it hasn’t already happened. We are poor at looking at statistics and relating them to probabilities that we will be victims of the same attack. This too is also part of the brains way of coping with day to day life really. If we all feared going out for a walk because we thought we’d get attacked by a bear then no one would go anywhere. It’s the brains ability to rationalize and normalize all of this that allows us to live our lives. So it’s a thin line really but it is one that we have to address in security to maximize our abilities to protect our data and perhaps our way of life, if you believe the hype.

 

Screenshot from 2014-06-15 05_57_42

How often have you heard users complain that passwords are too complex to remember? How many times have you heard those same users complain that just as they have gotten to the point where they can remember a password they now are being forced to change them? These aren’t just users being lazy. These are people who like all of us, have the same brain makeup that inherently causes us to tend to not remember these things so well.

As I spoke to earlier the brain does not do a great job with fight or flight vs. long term threats and so goes it as well for memory leaks let’s call them. Unless you train your brain or you are a savant the average person is not going to remember a long non standard multi variable password. It’s just a function of the brain. So we will have people who make the shortcut of writing it down and as tool users we really should just use a password safe on our smartphone right? Well then you have ANOTHER password to remember!

The brain loves to make shortcuts and use heuristics and well, changing passwords so much and making them difficult is anathema to the way the brain operates. The same goes for HCI’s (Human Computer Interfaces) in general too. Take a serious look at Windows and you will see just how poorly it is designed to really do things with the operating system effectively. There are too many flaming hoops for common users and their brains to bear so they just go with what works until it breaks. They don’t get under the hood because once you do that is having to become a specialist.

HCI’s should be designed more simplistically to allow for users to follow a process and really be able to handle their systems. MAC (APPLE) does this pretty well on the OS side but one has to remember that even they have this issue because the technology is too complex really to simplify everything into useable bytes for the average end user to truly own their system. It’s not that they are lazy (these users) per se, but really, do you have to be an engineer to set up a firewall?

 

Screenshot from 2014-06-15 05_58_03

 

Screenshot from 2014-06-15 05_58_20

Now that we have talked about brain makeup and the cognition issues let’s start talking about the emotional and psychological issues that come to play here. The brain works the way it works physically but all of that comprises a whole that has a life of it’s own and that is within the psychological realm. Why we react at a base level is one thing, but organically we will all respond differently depending on our psychological makeups as well.

First off though let’s put this on the table… Security is a “feeling” Think about this from the actual word and definition to the implications of that. Outside the abstract idea of this our relationship with this notion is emotional and deals with the brain. From soup to nuts here, from creation of systems to abuse of them we are all going along dealing with the feeling of security being the core of how we react, or don’t to situations.

So once again, harkening back to earlier slides take into account how we are wired in our daily dealings with INFOSEC.

 

Screenshot from 2014-06-15 05_58_34

 

Screenshot from 2014-06-15 05_59_29

Building on the psychology of human beings we next have to move further out to how collectives of humans work together where security is concerned. We have individual behaviors but then when we get in groups there are all kinds of dynamics that come up through the social aspect of society. There are many unwritten rules within our societies that differ and on average we are all beholden to them. If you go outside the norms there usually are punitive actions that are taken against you and this is a factor on how we react to things.

A key here though for me is to look at how this structure plays out on behaviour that can be and is abused all of the time as well as how it may be leveraged or changed to better serve security. In the case listed on this slide of authority figures, this is a common chink in the armor that social engineers use to trick people into phishing exploits or other attacks where data is handed over to them by a user afraid to rock the boat. Our social natures are the very same thing that are so helpful to the smart adversary because we on average are going to react much the same way.

 

Screenshot from 2014-06-15 05_59_45

Now look at the social behaviours in the petri dish that is the corporation today. A collective amalgam of how we are wired interacting with our social mores in tandem with the corporate needs put on us all. Many times businesses, which funnily enough now are considered by law (tenuously) as people or entities make some stunningly counter-intuitive decisions. many times this counter-intuitive behaviour directly affects the security of a company. A primary driver of this may be the perception of “productivity” where people are feeling pressed to be productive and will bypass security altogether to appear as productive.

Another factor that I have found is that often times a company will have a large body of security policies but no enforcement of them at all. This means in the collective unconscious that they are not important and there is no real negative effect for not following them. This is a cognitive dissonance that adds to our problems of trying to secure things. If there are no bad things happening when people do not follow the play book, then how do you get it to them that it is important to really do these things? One has to look at the social structures in the companies today as well as the social animals that run them. If you do not look at this aspect of security then you will be doomed to just repeat the failures we see every day.

 

Screenshot from 2014-06-15 06_00_05

 

Screenshot from 2014-06-15 06_00_19

The adversaries out there also have their own psyche’s, social structures, and all the same issues we have.. In their personal spheres but not where it concerns how they attack us. The smart adversary is going to use the psychology and the social norms against us to get what they want. What’s more they are not bound by the mores and the rules we have in our own societal and corporate structures and this is a key fact. We need to take this into account when we talk about how we secure our networks and our data because those are all rules based and when rules don’t matter to the adversary, well, they are pretty useless aren’t they?

I think we in security need to take a good look at how our societies run, our psychologies, and our biases to get a better handle on how we might effect better security with them in mind. A converse to this is to use the adversary’s rule-less model against them as well. Now by this I don’t necessarily mean hacking back. What I do mean is to study the adversary and their habits, their social dynamics, and use that intelligence against them. How? Well, build better security here with that data as well as perhaps deeper knowledge of how they operate to just stop them cold to start …but that is another presentation down the line I suppose.

 

Screenshot from 2014-06-15 06_00_37

On the other side of this fence is the defender class. The defenders have to work within the rules of the companies they work for, the social structures they live in, and overall must act within the bounds of rules laid upon them. This is a real issue for many defenders as they watch attacks happen that may have been stopped had there been a real pentest in the past that allowed a no holds barred approach. Alternately perhaps the defender feels frustrated by the rules themselves because those that make the rules do not comprehend the security issues to start with, no matter how they may try to enlighten them.

All too often today I hear people talk about users as just dull witted and not willing to do what is right. I say that sure there is some of that but you have to understand why they are that way innately as well as understand the pressures upon them to make them disregard things as they do. This is not a binary and as much as many people in this field would love it to be, it is a much more complex and abstract issue than that. So when you get frustrated next time around by obstructive behavior from the user level up to corporate with regard to security take a step back and ponder this. How can you make a change here by looking at behavior and understanding the rudiments of behavior?

 

 

Screenshot from 2014-06-15 06_01_33

 

Screenshot from 2014-06-15 06_01_48

To sum up here we have a lot of talk about the ROI of security measures like awareness training. Some say it is useless but I say it is not. In fact I would say that the current model of security awareness (i.e. once a year by powerpoint) is not enough. The reality is that people learn only by repetitive means. This is why we teach children times tables in school as well as innately children want to be read the same story over and over and over again. Our brain makes long term memory and learning by repetitive means. So yes, I would say our current model of awareness is useless because we are not really teaching anything to anyone by not doing it repeatedly and more than once a year.

I think we also need to take a long hard look at our rather simplistic ideal that the technology solution is the panacea to all our ills. The FireEye technology did not fail in the target hack. What failed was the people and the organizations mores about reporting and reacting that were at fault. Often times the implementation of security products is also the problem in that they weren’t done at all and weren’t monitored. This is an organic issue not a technological issue and we need to hold ourselves accountable to that fact. From design to implementation and management we are 99% of the time the organic failure that causes a breach and loss of data.

Face that fact and do something about it. Don’t just buy another blinky light product. Do the hard work and work with the users.

 

Screenshot from 2014-06-15 06_02_05

 

Screenshot from 2014-06-15 06_02_43

TEXT

Screenshot from 2014-06-15 06_02_58

Written by Krypt3ia

2014/06/16 at 15:51

Posted in Presentations

ASSESSMENT: Mujahideen Secrets and the Snowden Affair

leave a comment »

Screenshot from 2014-05-15 05:58:04

 

 

Mujahideen Secrets:

mujahideen_secrets_screen

The Mujahideen Secrets program for crypto has been around for a long time for those who wanted to connect in the jihad online. I looked at it a long time ago and didn’t think much of it to begin with but it has been around a while and in use by some. Recently there has been some tongue wagging that the Snowden Effect has deeply scarred the GWOT because actors (aka the jihadi’s) are not changing their patterns of behaviour and creating new crypto and comms. While this program was out there for use to say communicate with AQAP on their Inspire gmail account it wasn’t as far as I have seen over the years the go to for securing communications for the jihobbyists. In fact, I would preface that people are people and crypto is hard so not many really adopted the technology in the first place.

Since the program had been kicking around the internet so long my assumption was that it was broken already or tampered with more likely to allow for easier reading by security services. So with that said and I think some others within the jihad actually thinking the same it became just another not often used tool in the arsenal for communication between the jiahdi’s on the internet boards. Of course one must also take into account just how many of these people on the boards are “active” in the jihad and not just “jihobbyists” who want to blow smoke online but would never actuate themselves into real terroristic actions.

Pre and Post Snowden:

Screenshot from 2014-05-15 06:14:01

So the articles out there from Recorded Future   which is pretty much a theft of a MEMRI document by the way, purport that since Snowden dropped all his data online people are changing their operational patterns. I say that they perhaps are just seeing the crust of the data and not the innards of the problem statement. There may be a lot of chatter about not using Mujahideen Secrets anymore or of using other technologies but one has to look at the problem from the social/networking standpoint of a fractured AQ/Global jihad now as well. This is where I think they are failing.

GIMF is back and the groups are scrabbling for purchase in the jihad because of things like ISIS causing a stir, Boko Haram as well, and other players out there looking to be the big boss of jihad. Online the boards have been rife with hack attacks, paranoia, and a general malaise of people not actually doing anything but the usual spewing of dogma and posturing. So really, when one starts talking about the online jihad and the use of crypto the reality is on the whole that the online jihad is just a side show to the real deal that happens off the net. Communications are being handled offline now altogether with couriers and paper or USB drives and phones. It has been that way for a long time actually and the general public just doesn’t get this from the press.

ANALYSIS:

The final analysis of this story is pretty simple and it is this; Mujahideen secrets and the other new technologies being offered by GIMF are just fluff. The changing of tactics is only natural post any kind of leak that the nation states are watching and frankly since Snowden this should be a global reality and thus no surprise really. All of the people bemoaning it are just doing so in my mind to tow the party line and aren’t really facing the reality that the game is up. Secondarily, in the case of the jihad the game was pretty much a kids game to boot so please don’t moan about it in the press to make the general populace feel the fear again so you can go on about your business of “surveilling all the things”

This is much more a political power play than it is anything else and reading this tripe in the news makes me gag.

K.

Written by Krypt3ia

2014/05/15 at 10:53

Posted in .gov, .mil, FUD

Follow

Get every new post delivered to your Inbox.

Join 123 other followers