Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘EPIC FAIL’ Category

Newest U.S. Counterterrorism Strategy: “Trolling”… Say, Doesn’t Someone Already Have The Corner On This Market?

leave a comment »


Trolling VS. Jihad

Well, once again I hear a story about CT efforts that I just have to facepalm and say WTF? The story was evidently posted while I was on vacation and not looking to enrage myself with the stupid (thus meaning I was reading Hunter and other classics whilst sitting on a beach). So, someone tipped me off the other day that this little gem was out there. The premise of the story/program is that the Dept. of State has given the go ahead to this 20-something to put together a coalition of people across the globe to subtly (maybe) troll the jihobbyists and jihadis out there online to break them up as groups.

*blink blink*

Really? Sooo, you are going to go on to, say, Shamikh and start to troll the players there in hopes that you will shame them into dropping the notions of radical jihad? Why am I surprised that a hare-brained scheme like this would come out of State? My initial reaction was tempered when I read the piece again, and the tempering was that this was going to be aborted before it got anywhere in the first place, as the article describes scope creep already and a certain sense of other agendas on the parts of the players. In the end, I suspect there will be a failure to launch, but, what if they were to pull their act together? Would this in fact have any net effect on the jihadis and the forums they frequent?

I certainly think so… But… Not in the way that the creator of the idea has in mind….

The Psychology of Jihad and Trolling Them:

In reading the article the use of the word “Trolling” is somewhat a misnomer really I think. I would use “cajole” more than troll because the goal here is to subtly shame them and make them not only uncomfortable with wit and sarcasm, but also to lead them to drop jihad. Now, will this actually work? I suppose a dialog with certain folks as peers might actually work if you don’t alienate them with your “wit and sarcasm” but really, take a look at the mind set and the social norms of the people being targeted here. You are going to troll people who, though maybe misguided by doctrine or imam, or their personal histories, are rather devout about their beliefs, to the point that some actually take on jihad literally and go fight.

… And you seriously think mocking them will make them say; “oh, wow, I was being silly”

Good luck with that. It's my feeling that, given the nature of the people I have seen/dealt with on the boards, this will just not work. In fact, in certain spaces (and those spaces are now consolidating rapidly online, creating a clearer channel) you will get yourselves banned rather quickly from the board. This too will cause them to close ranks further and to become very selective about who they let in and who gets to talk, not to mention maybe force their hand to go to other places like the darknet to host their content. So, overall, I just don’t think that this line of action will be productive in any way.

Now, if you are going to go after more “moderate” sources of dialog like muslim.net or some of the other sites out there, you may have more luck, and that might be the right territory to hunt in and dissuade people from acting on jihad. It’s all a matter of how hard core these people are and how new they are to the whole thing. Sure, AQ/AQAP/Global Jihad are seeking new recruits all the time online but, they are also not really gaining a huge amount of traction there either. I do appreciate the idea of trying to debate these nascent jihadis with smart dialog, but, in the end, “trolling” will likely only make them angry, ban you, and then make vague and useless threats. Remember, these are giant crazy echo chambers and it’s not that easy to default them to sanity just by saying they are being stupid.

I would also say that using the moniker of “Troll” for this article on Wired was disingenuous if not just wrong for the circumstances. In the article, further down in graph two or three, the creator of the program clarifies that it’s not really trolling per se by the netspeak definition of it. Usually today’s troll is someone who is just maladjusted and looking for an outlet for odious behavior while usually enabled by anonymity. If one were to troll (trollhard… haha.. just had an image of another Bruce Willis movie there) hard at the jihadis it would be quite counterproductive. Unfortunately, this kind of thing already has been happening a little bit. It seems that some people have been not only inserting themselves into boards, but hacking them, DDoS’ing them, etc. This has served only to cause them to be much more suspicious and clamp down on security.

This is not what we need.

YOU TROLL ME! I KILL YOU!

In the end, I just see this program having the net effect of creating a bunch of Achmed the Dead Terrorist skits online…

… And that may be hilarious to some… It just won’t help us in the GWOT.

Written by Krypt3ia

2012/08/08 at 15:21

ZOMG, ZOMG, ZOMG, LinkedIN Was HACKED and Our CRAPPY Passwords Were Leaked!

with 2 comments

ZOMG LinkedIN was HACKED!

A tweet conversation yesterday finally snapped my brain into focus on the whole LinkedIN hack password debacle. Someone had tweeted about the non-complex nature of the majority of the passwords from the hash dump and my snarky response was basically “Who cares? After all, LinkedIN certainly didn’t, why bother when places don’t carry out due diligence?” After all, it was only LinkedIN right? I mean, who’s not already “in the know” that this is the Mos Eisley of business networking right? Between all the cutout accounts and stupid headhunters, one really has to know that it’s just a business version of Faceyspace right?

Well, I guess there are some out there who are using it like it’s a super secure and wonderful tool to make “spook” contacts for intelligence gathering huh? *SNORT* If anything we have seen that it has just turned into a festival of stupid commentary, casual hooking up, and one of the BEST tools for someone like Tommy Ryan to nab all kinds of .MIL and .GOV folks with their digital pants down more than anything else. So they were hacked; any of us in the business with half a brain “should” have been using throw away passwords or phrases with the appropriate complexity anyway, and this includes the government and certainly the military people….

Well, it seems that this is not really the case….

ZOMG LinkedIN WASN’T PROTECTING MY PASSWORD!

So, once again we find that a company, that people do in fact pay for, was NOT performing the due diligence that they should be on behalf of their clients and protecting their passwords with salted hashes at the very least. Nope, no crypto of worth was at work within the rarefied digital confines of LinkedIN and WHO’DA THUNK IT? Even after they found out they were hacked they did not really have a grasp on if they “really” had been and failed to issue an alert until later the same day (much later, like late afternoon) when word of the hack and proof of the dump was out on the Russian hacker board at 6am EST.
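To make the "salted hashes at the very least" point concrete, here is an added example that is not part of the original post or of anything LinkedIN published. It assumes an unsalted fast hash (SHA-1, chosen here as an assumption) for the weak case and PBKDF2-HMAC-SHA256 with a random per-user salt for the corrected case; the user list and wordlist are constructed for the demo. It shows why an unsalted dump is cracked with one lookup table for every user at once, and why per-user salts plus a slow KDF force the attacker back to one expensive guess per user per word:

```python
import hashlib
import hmac
import os

# Constructed sample "leak": a handful of users; two of them share a password.
USERS = {
    "alice": "linkedin",
    "bob": "password1",
    "carol": "linkedin",
    "dave": "Tr0ub4dor&3",
}

# Constructed wordlist of the kind an attacker runs against a dump.
WORDLIST = ["123456", "password", "linkedin", "password1", "qwerty"]

# Work factor for the slow KDF (assumption; tune upward for production).
ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one fast, deterministic hash with no per-user input."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_unsalted_dump(users: dict) -> dict:
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def crack_unsalted(dump: dict, wordlist: list) -> dict:
    """Hash each word ONCE, then look up every user; identical passwords
    collapse to identical hashes, so the whole dump falls in one pass."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def salted_kdf(password: str, salt: bytes) -> bytes:
    """The corrected scheme: random salt + deliberately slow derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_salted_records(users: dict) -> dict:
    """Each user gets a fresh 16-byte salt; stored as (salt, digest)."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        records[user] = (salt, salted_kdf(pw, salt))
    return records


def verify(password: str, record: tuple) -> bool:
    salt, digest = record
    return hmac.compare_digest(salted_kdf(password, salt), digest)


def crack_salted(records: dict, wordlist: list) -> tuple:
    """No shared table is possible: every (user, word) pair costs a full KDF.
    Returns (cracked, number_of_kdf_runs) so the cost difference is visible."""
    attempts = 0
    cracked = {}
    for user, (salt, digest) in records.items():
        for w in wordlist:
            attempts += 1
            if hmac.compare_digest(salted_kdf(w, salt), digest):
                cracked[user] = w
                break
    return cracked, attempts


if __name__ == "__main__":
    dump = build_unsalted_dump(USERS)
    print("unsalted: alice and carol hash identically ->", dump["alice"] == dump["carol"])
    print("unsalted cracked:", crack_unsalted(dump, WORDLIST))

    records = build_salted_records(USERS)
    print("salted: alice and carol hash identically ->",
          records["alice"][1] == records["carol"][1])
    cracked, runs = crack_salted(records, WORDLIST)
    print("salted cracked:", cracked, "after", runs, "KDF runs")
```

Weak passwords still fall either way; the salt and work factor buy time per account and stop the attacker from amortising one table across six million users, which is the whole point of the "at the very least" above.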

Now, given the past history of security gaffes and certain unsavory people/accounts on LinkedIN over the recent few years, and LinkedIN’s lackadaisical attitude towards security, is it any surprise that this all happened? That LI was not protecting the password database to BASIC security standards? After all, they just take your money so you can hit up the pretty recruiters right? No security needed there… Nah. Hell, they don’t even have a CIO/CSO/CISO do they? Who needs them huh? C’mon “We no need your stinkin CISO”

Oopsies.

So what does the “INFOSEC Community” have to gripe about here? I mean, gee, we already kinda knew their posture right? You should have collectively had your throw away password anyway, so no biggie. Yet, look at all the hue and cry here!

ZOMG The 6 MILLION Passwords Were On The Whole SIMPLE AND INSECURE!!!

Yup, that headline says it all really. You see, people on average don’t really care about their passwords nor do they really have the security awareness to even attempt to create complex ones. I mean, hey, it’s as simple as downloading a password manager/vault that creates them for you with good complexity as well as saves them for you to look upon when you forget right?

*Evidently, THAT is too hard for the majority of end users… Hangs head…*

Nope, all too many people had simple passwords like 1234 for their access to a site where they lay bare much of their business and social data it seems. Oh, and did I also mention that in the same day there was a vuln released on their iOS app that was thieving YOUR calendar data? Oh yeah, nice! I guess it’s all just human nature to be lazy and create passwords that are easy to remember but this is just getting silly people. One wonders just how many of those people replicate those silly passwords on to other sites like their email or maybe their bank huh?

Oh my…. That many? We’re DOOMED.

Look, I have said it before and I will say it again, our own natures provide the largest attack surface. In the case of LinkedIN and the six million passwords there are two:

  1. Laziness on the part of the company not protecting the passwords to basic standards, and laziness on the part of the EUs not creating stronger passwords
  2. A STUNNING lack of situational and security awareness on the part of both parties

It’s simple really, if you are a pentester or a criminal, all you need do is remember the axiom that human nature will always be the undoing of many security systems. Trust in stupidity son…


ZOMG The Security Industry FAILED To Teach Us All About Strong Passwords!!!

Meanwhile, there was a great hue and cry by the twits on my feed and in articles on Island and other places on how the industry (as well as LI) failed once again in the security space. We evidently do not have enough “evangelistas” out there teaching the wretched masses about the wonders of proper password choice. We are just not reaching them, and when we see things like this we then go on ad nauseam chiding them or in most cases just pointing our collective fingers and laughing.

Yeah, that’ll teach em. I can feel their collective IQs rising now.

I guess my question is can we even really inculcate these things when the basic human nature is to not use our frontal lobes too much? We have too many passwords now and it’s hard! C’mon, just lemme do 1234 it’s gonna be fine because the company is protecting my data! How do I know? Oh, cuz they have this pretty graphic here with a lock on it!!

If you believe that, I have this bridge I’d like to sell you.

Look, all you INFOSEC people out there lamenting, stop. Breathe. The simple truth is that you cannot win this battle unless YOU are in direct control of the systems that would FORCE password complexity on the end users. The sad fact is too many of us aren’t actually in control; it’s the C-levels who are in the end, we just tell them what would be best for the security of the business. It just so happens that much of the time these measures cost money, or, more likely, inconvenience the workers, and the perception is that work and PROFIT would suffer from your newfangled security measures.

No, you cannot do that.. The workers will revolt and we will lose productivity Sonny Jim! That would affect the bottom line..

ZOMG You INFOSEC Weenies Are MISSING THE POINT!

Ok, so, it happened. LinkedIN handled it exceedingly poorly, and there is a great cry upon the internets over it all. People were tweeting and blogging, exhorting users to CHANGE THEIR PASSWORDS on LinkedIN but were failing to give a more nuanced warning.

“Uhhh, but, LI wasn’t sure they were hacked, how they were hacked, or IF they were still hacked!”

GO NOW! CHANGE YOUR PASSWORDS!

But, what about the whole password re-use thing? Any mention of that? Or that if you change your password, it may yet again be leaked because they may still be hacked?

*crickets*

Yup, bang up job people.

The real point for me is this salient fact: LinkedIN and other companies like Sony have shown time and again, they DON’T CARE about YOUR data. Always remember this people. So, you want an account on these places, then you best make a throw away pass and limit your data on the sites that host it. Otherwise, there will be a compromise like this one and not only your data there, but elsewhere (if you re-use or iterate) will be up for the taking.

What this also means is that business in general doesn’t get it nor care to and this is the most important point.

Either we demand they all do better or we just let them carry on leaking our data.

Written by Krypt3ia

2012/06/10 at 11:15

Posted in EPIC FAIL, Hacking, Infosec

Internet Jihad vs. Internet Propaganda Jihad: When The Media Gives Me Tourette’s

with 2 comments

From dnaindia.com

I followed a link today off of esecurityintelligence.net and after reading the first graph of the piece I pretty much had a bad case of Tourette’s syndrome. This is some of the WORST reporting I have seen where it concerns the state of internet jihad. Now, I know why these places all do this, they just want a lead story and headline that will draw people in and make them click into the site. I get it… But.. It’s just wrong. The internet jihad is more a propaganda campaign than anything else and, as you can see from the piece below from, of all places, “The Sun”, they did a bit of a better job on the facts than dnaindia did!

Now that is surprising.

From thesun.co.uk

So, as I was saying, a ‘bit’ of a better job.. Then they too go off the rails. Look, the cyber jihad or Internet jihad is comprised mostly of jihobbyists, guys who want to get in on the action but are too clueless to actually go to the battlefield in some cases. In others, they are deluded individuals with mental health issues that need to be medicated and taken care of. In either case, the needed skills to really cause greater issues other than setting up php bulletin boards to throw propaganda on are lacking on the part of the general jihobbyist populace. Just how many of the attacks by LulzSec were attributed to the likes of Al Qaeda?

hint: NONE

Yet the media persists in perpetuating this idea that there are some 31337 jihadis out there who are going to pwn the grid. Really guys, get your shit straight when reporting on things ok? I have seen some strides in the Jihadi hacking scene these last few years, but NOTHING like what you are talking about. Hell, their real hacker went to jail years ago (Irhabi007). What is worse, it seems, is that the likes of Home Secretary May may in fact be spinning half truths about Internet jihad for whatever political expediency she needs. I have reported in the past about the Facebook Jihad (notice 2010) and pretty much sum it up to propaganda and that’s it. Sure, there may be some illicit comms channels here, but, it’s Facebook for God’s sake! They are on top of this shit, TRUST ME! The jihadis have been complaining that as soon as they set up a Facebook page it gets taken down by Zucky and company! So really, there is no threat there.

So, lets take another look at it from the post LulzSec perspective.

Lulz have been wreaking digital havoc with some pretty low level hacks. They carried out DDoS, they hacked low hanging fruit and stole data which they then published. LULZ did it, NOT Al Qaeda. Now, don’t you think that if AQ was adroit at hacking and wanted to cause pandemonium they would have beaten LulzSec to it all? Don’t you further think that perhaps when and if they hacked the servers with the low hanging fruit hacks (SQLi) that instead of just publishing the data, they would have, say, RM’d the whole databases?

Think about it;

  • Economic targets like the stock market
  • Military targets like the recent Anon attacks on Booz Allen
  • Attacks on grid and other key infrastructure targets

ALL of these things likely already harbor vulnerabilities that the likes of Anonymous could already have access to! The difference? The LULZ don’t want to be thrown in a hole forever and know their limits I suspect. Now, if you were AQ though, what’s to lose?

NADA

AQ, if they had the capabilities, would already have used them! They haven’t, which means to me they lack the critical skills in their jihobbyist base to be a threat in this arena. It is as simple as that. So please Media, fucking buy a clue and stop just trying to use the “If it bleeds it leads” mentality to get clicks. Do your JOBs and get subject matter experts with credentials to talk about this stuff instead of just trying to scare the straights with false reports.

I have often written on this topic in the past and from what I have seen here is the overall picture of the state of Jihadi hacking tech.

  • They are using OLD malware packages to infect machines to steal data/money (mostly money)
  • They are using OLD hacking exploits for the most part just as they are with the malware packages
  • SOME jihadi hackers (TNT_ON) are clued in and know what they are doing technically, but yet are inept enough to leave their real IP addresses in their tutorial videos (I see you!)
  • They are learning.. Slowly.. but their sites still keep getting popped and their super sekret rooms online have been penetrated
  • Their crypto program (Mujahid Secrets) has been cracked/Reverse Engineered

Finally, let me leave you with this little bit of wisdom post the demise of OBL:

  • They got him because his lackeys were tracked by their electronic comms
  • Even though they were using sneakernet and email Dead Drops we managed to catch on (these techniques are not hacking)

Were OBL and his crew using high tech hacking techniques or crypto (aka steg) as their main means of communications, judiciously, it would have been even harder to get a line on what they were up to, where they were, and moving forward, determine future plans from OBL’s hard drives etc. Instead, they were using old spy tactics with minor digital twists to evade the US and other countries. This says a lot about their abilities and ours to detect them. They decided it was better to go old school because we cornered the digital market.

This follows today to the hacking scene, where we have some muslim hacker groups out there defacing pages, but not doing much else in the way of Islamic Electronic Jihad. So, media, let me put it plainly again;

They don’t have the skills to be super scary like you want them to be in your exaggerated reports!

CUT IT OUT!

I will let you know when they have their shit together.. Trust me.

K.

Past posts on this subject:

Cyber Jihad: Malaysia

Great Likelihood of Cyber Attacks By Terrorists: You Don’t Say!

Inspire Magazine Analysis: Going Green for College Age Recruits

Abo Yahya and Metadata Cleaning

TNT_ON@hotmail.com —> zmm@hotmail.com = Sword Azzam?

Inspire vol II: Rationalization, Operational Directions, Open-Source Jihad, and Pivoting the Battle-Space

Jihadi Malware 2010, Al Mojahden’s User Acct Boo Boo, & The Jihadi Technical Forums

Jihadi Hacking Tutorials: Irhabi 007′s Text and More

Jihadi Penetration Tutorials: Metoovet

The Jihadist Repertoire Expands

MJAHDEN: Jihadi Crypto Program

Al-Qaida Goes “Old School” With Tradecraft and Steganography


The Lulzboat Sailed The Internets and All I Got Was This Stupid Garbage File!

leave a comment »

That’s it? All we get is this stinkin garbage file?

Well, it seems that the Lulz are over for now, as last night saw the Lulzboat sail into the sunset. In a post on twitter and a rapidly seeded file dump on Pirate Bay, the LulzSec collective decided to hang up their top hat, claiming that they were basically going to pull a Costanza at the top of their game.

Within the torrent file the following parting words were sent:

Friends around the globe,

We are Lulz Security, and this is our final release, as today marks something meaningful to us. 50 days ago, we set sail with our humble ship on an uneasy and brutal ocean: the Internet. The hate machine, the love machine, the machine powered by many machines. We are all part of it, helping it grow, and helping it grow on us.

For the past 50 days we’ve been disrupting and exposing corporations, governments, often the general population itself, and quite possibly everything in between, just because we could. All to selflessly entertain others – vanity, fame, recognition, all of these things are shadowed by our desire for that which we all love. The raw, uninterrupted, chaotic thrill of entertainment and anarchy. It’s what we all crave, even the seemingly lifeless politicians and emotionless, middle-aged self-titled failures. You are not failures. You have not blown away. You can get what you want and you are worth having it, believe in yourself.

While we are responsible for everything that The Lulz Boat is, we are not tied to this identity permanently. Behind this jolly visage of rainbows and top hats, we are people. People with a preference for music, a preference for food; we have varying taste in clothes and television, we are just like you. Even Hitler and Osama Bin Laden had these unique variations and style, and isn’t that interesting to know? The mediocre painter turned supervillain liked cats more than we did.

Again, behind the mask, behind the insanity and mayhem, we truly believe in the AntiSec movement. We believe in it so strongly that we brought it back, much to the dismay of those looking for more anarchic lulz. We hope, wish, even beg, that the movement manifests itself into a revolution that can continue on without us. The support we’ve gathered for it in such a short space of time is truly overwhelming, and not to mention humbling. Please don’t stop. Together, united, we can stomp down our common oppressors and imbue ourselves with the power and freedom we deserve.

So with those last thoughts, it’s time to say bon voyage. Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind – we hope – inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere.

Thank you for sailing with us. The breeze is fresh and the sun is setting, so now we head for the horizon.

Let it flow…

Hrmmm.. 50 days? Is there any real significance to this other than perhaps the party van was pulling up outside your doors and you had to dump the garbage file quick like? Honestly, the files that you dumped, while large in sheer numbers of passwords and logons to a few sites, are, well, kinda weak. In short, there is nothing revelatory here. I mean, jeez, at LEAST the garbage file in the movie had some interesting malware shit in it right?

The Files:

So, we have some AT&T data from inside that cover some frequency ranges, and some manuals, minutes from meetings etc that are kind of interesting. There is a scan of the FBI.gov site that shows a vuln, and they managed to add Pablo Escobar to the Navy jobs database.

Whoopee.

All in all I have to give the Lulzsec crew a big “MEH” on this as well as their other dumps really. Sure, they have pointed out that low hanging fruit is abundant on the internet, but, really, who in the security or hacking world did not know this? Furthermore, what does the average everyday end user care? I mean, if their passwords are stolen, they will reset them. If their money is stolen they are insured by the Fed… Is there a great hue and cry from the masses, because Lulz were had at the general populace’s expense, to have the Lulzboat crew hoisted on the yard arm?

Not that I have seen.

In short kidz, you have only served to amuse yourselves and others out there but if you had anything else in mind about bringing change to the scene, I don’t think you have succeeded. People are creatures of habit and sloth. Short of taking the whole system down for the count, nothing will be so epic as to make corporations secure their networks and perform due diligence. Those who have done so out of worry because of your antics will go back to their peaceful Luddite slumber.

Leaving So Soon?

So, on to your sudden departure from the scene. I have the feeling that as I had written about before, you were coming to realize that perhaps you could never be as clever or wily to evade detection and prosecution given your penchant for the dramatic you all seem to have. Your propaganda machine and communication channels were leaking, this you could see from the A-Team dumps.

You guys have tried variations of your names, you have attempted to obfuscate as much as you could, but, in the end, your re-use of favored screen names was your undoing. You see, the jester has been scouring the internet (I am sure with help from others) looking for any connections to those screen names or iterations thereof. I myself have done this and came up with analogous data to what jester and others have posted. With each successive day, your true identities are being uncovered, if they have not fully been as of now.

However, this re-use of nick names and ties to email addresses aside, you guys just were immature enough to do yourselves in with petty disputes and the use of non trustworthy assets. This whole outing of each other thing was one of the most stupid things I have seen. Sure, some of it could be digital chaff, with you trying to set out disinformation, but I think that is not the case. Your own hubris shall be the thing that ends up placing the party vans on your collective front steps.

Lets face it, you played the game of spooks and I think in the end, you will lose. In fact, I think that you should probably have been better off had you just gone off seeking some sharks with frikkin lazers on their heads in your volcano lair instead of playing with the fire that you have been. Once they do pop you, you all are going to see some very interesting things inside jail as the governments kluge together terrorism charges on you.

Your Legacy:

Well, I guess we will have to see if anyone decides to take up the Lulzsec mantle. For now, we all await the party van posse to pick you all up sooner or later. You have spawned some more fools though, like Team Poison, who want to up the ante with releases of data like old Tony Blair stuff… That was kinda lame too frankly and made no sense when they claimed to still have access.. Why dump what you have and then claim to still have access? If it was current, I am pretty sure they have yanked the plug on that mail server and ‘five’ has it.

Oh, did you take that into account? I mean, he is Tony Blair after all… They are MI5… ‘Expect them’

So where was I?… Oh yeah..

In all of your dumps you delivered nothing worth your or our time. You proved a point that SQLi is prevalent, but who didn’t know this? You have proved that you were pretty immature and likely suffer from Asperger’s yourselves… Well, that will be the claim that your lawyers make to the judge won’t it huh? I mean that is the mental illness du jour as excuses go for immature hacking antics today isn’t it? I don’t think that will work though, the government just doesn’t care, they will medicate you and then put you on trial. You see, Asperger’s is not a form of insanity, and the insanity plea, as some of us know, is NOTORIOUSLY hard to use as a defense in court. Nope, you guys really actually suffer from inflated egos and too much Jolt Cola.. That’s my diagnosis, for what it’s worth.

So, yeah, legacy… Well, you certainly have tried to do your best imitation of SPECTRE, but instead you came off as Bighead. I am sure there will be others following in your footsteps, but, in the end I don’t think you have launched a new SPECTRE.

Nope, I expect your real legacy will be the creation of more draconian laws by the government as a backlash to your antics. Laws that will make all our lives a bit less private and a lot more prone to being misused. I also expect that the lulz will continue, though at your expense once you are all caught and put into the pokey.

… And those lulz will also be epic fail.

K.

From Lulz to Global Espionage: The Age of the Cracker

leave a comment »

It seems that 2011 is turning into the year of the cracker. Between Anonymous, Lulzsec, and the ongoing wave of espionage being carried out by nation states, we have begun to see just how serious a threat cracking really is. Of course these groups of attacks have greatly differing motives as well as means. Lulzsec, well, is doing it for the Lulz, and the others, such as nation states or criminal gangs, are doing it for political, financial, or personal gains. In this post I will cover these groups and their motives as well as means.

Lulzsec:

Lulzsec is a splinter group of Anonymous who for all intents and purposes, have decided to carry out raids on any and all sites that they feel need their attention. This could be simply a process of finding the lowest hanging fruit and exploiting it or, there may be some further agenda that they have yet to explain fully. So far though, we have the simple explanation of “They are doing it for the Lulz”

Lulzsec really began their efforts by focusing their full attention on Sony Corp. Sony pissed them off by attempting to prosecute a coder/hacker/reverse engineer named GeoHot. GeoHot managed to tinker with some Sony code and they went out of their way to try and destroy him. It’d be one thing if he was being malicious, but GeoHot was not.. Instead Sony was. This caused a great backlash in the hacker community against Sony, and though they came to an agreement with GeoHot, Lulzsec decided they needed some attention.

After numerous attacks on Sony that netted Lulzsec much data and showed just how poor Sony was at protecting their client data, Lulzsec decided to take their show on the road so to speak. They began their new campaign with “The Lulz Boat” which set sail for #fail as they say. Soon the Lulz were epic and the target scope began to open up. Lulzsec attacks began to show up on Pirate Bay as well as on pastebin where they would dump the data from their attacks and laugh at the targets poor security.

What once seemed to be revenge has now morphed into a free for all of potential piratical actions for unknown reasons by Lulzsec. Of late, they also seem to be profiting from their actions by donations of bitcoins as well as perhaps other help from the masses who enjoy their antics. It is hard to tell exactly what the agenda seems to be for Lulzsec as it is still evolving…

Meanwhile, their actions have raised the ire of not only the likes of Sony, but now the governments of the world as well as their law enforcement communities. Who knows how long it will be before they are collared, or if they will be at all.

Nation State Actors:

The ‘Nation State Actors’ may well be the most sophisticated group here. Many of you likely have heard the term APT, and this group would be the core of the APT. Those nations that have the means to use assets at their disposal to make long term and concerted attacks against their targets. This is the real meaning of APT (Advanced Persistent Threats)

What we have seen in these last few months is either an escalation on their part, or, we are just now catching on to their attacks by actually paying attention to information security. I am not sure which it is really, but, I lean toward there being more attacks as the programs developed by certain countries have solidified and spun up. As you have seen here, I have made much mention of China as being the culprit in many of the attacks recently. I stand by that assessment, but one must not forget other countries like Russia or Israel for APT attacks.

This all of course is just a natural progression from the old school espionage with physical assets in the field to a digital remote attack vector. As we have gotten wired, so has the espionage game. In the case of the wired world, unfortunately, much of the security that would usually surround assets in the old days is not put into place in the digital. Why is this? It could be a lack of understanding, or, it could also be that the technology has outpaced the security values that they require to protect the data within.

Either way, hacking/cracking has now become a tool of war as well as of intelligence gathering. It’s just a fact of life today, and unfortunately the vendors and users have not caught up with the means to protect the assets properly.

Industrial Espionage:

This is where the APT, lone crackers, companies, and nation states meet. All of these groups use hacking/cracking as a means to an end. In the case of nation states, they are often looking to steal IP from companies, and oftentimes that IP happens to belong to defense contractors. This is dual-use technology: it serves war, and any technology taken could further their own programs in many other ways.

In today’s world, you have all of these players using attacks to steal data for themselves or for their masters. The recent attacks on Lockheed are just this: APT attacks, likely by China, engaged to steal IP on military hardware and technologies to augment their own and to compete not only on the battlefield but also economically.

Other attacks likely go unnoticed and are carried out by single aggressors or small teams that hire themselves out for this purpose. These are the civilian equivalent of the nation state spies, and they can often be contracted by nation states or other companies to carry out the work. In fact, this has become a boutique niche for certain individuals and companies in the ‘private intelligence’ arena. For this type of actor, I suggest reading ‘Broker, Trader, Lawyer, Spy’.

Criminal Gangs:

This brings me to the criminal gangs. These are most commonly from the Eastern Bloc (the former Soviet Union), and they too often work tacitly for the government. In the case of Russia, there is a large amount of governmental complicity with the gangs. This is because much of the Russian government is made up of Russian mob types, or is paid handsomely by them for complicity.

Many of the crimeware trojans out there are Russian (or Ukrainian) made, and the money they steal from their quick hits goes to the East. Just by looking at the news, you can see how many ATM skimming attacks use money mules hired by the Russians and how often the money makes its way there. An interesting convergence here is also the connection, in some cases, between the Chinese and the Russians working together. There was a spate of Russian-run botnets that had Chinese involvement, as well as Russian servers/sites showing up in China recently.

With the synergy of the Russian and Chinese malware makers working together, we will have a level of attacks that will only escalate as they learn from each other and perfect their methods. Meanwhile, they are robbing places blind by stealing PII to create identities with, as well as simply transferring large sums of money digitally from banks that lately seem to be getting off for not performing security due diligence on behalf of their clients.

When The Players All Meet:

It seems that in the end all of the players meet at the nexus of digital crime. Whether it’s stealing data for profit or as an act of patriotism for a nation state, all of the players work within the same digital playground. As the technologies meet, so do the players, and it is likely there will be a bleeding together of means and opportunity.

In the case of Lulzsec, it has yet to be determined what they are really all about other than the laughs. As they were once a part of Anonymous, one might think they have a political agenda, but they have said otherwise. However, some of their actions speak to a more political bent than anything else. The recent attack on the Senate websites seems to betray at least some politics at play, as they stated they didn’t like them very much.

More importantly, though, it is the response by the nation states and their law enforcement groups that will be interesting. Groups like Lulzsec are now passing from the nuisance category into perceived enemies of the state. Once they start attacking government and military targets with their lulz, they are likely to see a more hardened response from intelligence agencies as well as the likes of the FBI.

Once the laws and the enforcement agencies catch up with the technology, then we are going to see some interesting times…

K.

Yippee Ki Yay Mutha *%$#%^#


Casper: That was creepy.
Trey: I tried to find more Nixon

Quote from Die Hard 4

A friend of mine, a more-or-less retired CIA paramilitary operative, sees the solution in characteristically simple terms. “We should go get him,” he said, speaking of Assange.

When my friend says “get him,” he isn’t thinking of lawsuits, but of suppressed pistols, car bombs and such. But as heart-warming as it is to envision Assange surveying his breakfast cereal with a Geiger counter, we shouldn’t deal with him and WikiLeaks that way.

At the risk of abusing the Bard, let’s “Cry havoc, and let slip the geeks of cyberwar.” We need to have a WikiLeaks fire sale.

A “fire sale” (as those who saw Die Hard 4 will remember) is a cyber attack aimed at disabling — even destroying — an adversary’s ability to function. Russia did this to Estonia in 2007 and Israel apparently did this to Syrian radar systems when it attacked the Syrian nuclear site later that year. The elegance of this is that if we can pull off a decisive cyber operation against WikiLeaks, it can and should be done entirely in secret.

Plausible deniability, anyone?

Full article HERE

So, with the revelations over the weekend of rape charges that mysteriously just vanished, one has to wonder if indeed there are forces at work trying to discredit Assange as step one in a much more ornate plan. After all, if one were to discredit him, then he could more easily be shipped out of his hidey hole to a more US-friendly place with regard to legal standing, right? Though one wonders at the rape charge… I mean, we couldn’t get Polanski back here for child molestation, so what do you think is gonna happen with a regular rape charge?

Also, this last week there was an article claiming to have a story being told by Lamo that there is a “velvet spy ring.” Umm, yeah, those days are not so over, as this was the big deal with the Cambridge Five, no? I haven’t yet chased that story down due to laziness as well as… well, I can see that as just a poorly constructed propaganda attempt by someone.

Adrian, care to comment?

Anyway, this whole Fire Sale thing… Uhh, guys… It ain’t gonna work. Sorry, but as the article alludes to, the Wikileaks pages are all over the place. They have some online ready to go, and others are in their silos waiting to be prepped for launch. So, there is no real way to stop the data coming out if they want it out. I mean, I didn’t even mention the torrents… But this is who we are dealing with… A mindset that sometimes cannot grasp the intricacies of the intertubes. The damage has been done, and short of taking down the whole of the Internet, the data will be set free by Wikileaks.

So what now?

Well, how about we make sure that the data does not get out of the compartmented systems in the first place, huh? Manning evidently showed signs to others that he was a security risk, and nothing was done. He had access to systems where, had anyone been paying attention to infiltration and exfiltration methods, the data would have been prevented from being burned to disc and taken out. It really reminds me of “The Falcon and the Snowman”: they were not paying attention to many of the rules in the secret areas and at the guard stations, thus the data was just taken out in quantity. I am sure that if the precautions had been in place effectively and watched, Manning would have been caught sooner, and perhaps this would not be as much of a debacle.
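The kind of “paying attention to exfiltration” the paragraph above calls for can be made concrete. What follows is an added example, not code from the original post and not any agency’s actual tooling: a small detector that reads endpoint audit events and raises one alert per user per burst when that user writes an unusual number of files, or an unusual volume of bytes, to removable media (USB, optical disc) inside a sliding time window. The event schema (`ts`, `user`, `action`, `device_class`, `path`, `bytes`) is an assumption standing in for whatever an OS audit log or endpoint agent really emits; the sample events and the thresholds are constructed for illustration and would be tuned per site.

```python
"""Detect bulk writes to removable media from endpoint audit events.

Added example; not code from the original post. The event schema
(ts, user, action, device_class, path, bytes) is an assumption standing
in for whatever an OS audit log or endpoint agent actually emits, and
the thresholds are illustrative defaults a defender would tune per site.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(ts, user, action, device_class, path, nbytes):
    return {"ts": ts, "user": user, "action": action,
            "device_class": device_class, "path": path, "bytes": nbytes}


# Constructed sample events (not real log data).
SAMPLE_EVENTS = (
    # analyst1: a few small writes to a USB stick spread over an hour - normal use.
    [_ev(f"2010-01-05T09:{m:02d}:00", "analyst1", "write", "removable",
         f"/media/usb0/notes{m}.txt", 4_096) for m in (0, 20, 40)]
    # analyst2: 30 files in half a minute to a burnable disc - file-count burst.
    + [_ev(f"2010-01-05T10:01:{s:02d}", "analyst2", "write", "removable",
           f"/media/cd0/report{s}.pdf", 2_000_000) for s in range(30)]
    # analyst2: the same volume written to the local disk is ignored (not removable).
    + [_ev(f"2010-01-05T10:05:{s:02d}", "analyst2", "write", "fixed",
           f"/home/analyst2/build{s}.o", 2_000_000) for s in range(30)]
    # analyst3: only two files, but 80 MB in total - byte-volume burst.
    + [_ev("2010-01-05T11:00:00", "analyst3", "write", "removable",
           "/media/usb1/archive1.zip", 40_000_000),
       _ev("2010-01-05T11:00:30", "analyst3", "write", "removable",
           "/media/usb1/archive2.zip", 40_000_000)]
)


def detect_bulk_removable_writes(events, window=timedelta(minutes=10),
                                 max_files=20, max_bytes=50_000_000):
    """Return one alert per user per burst when, inside a sliding time window,
    that user writes more than max_files files or more than max_bytes bytes
    to removable media. Non-write events and fixed-disk writes are ignored."""
    recent = defaultdict(deque)   # user -> deque of (ts, bytes) still inside the window
    muted_until = {}              # user -> timestamp before which repeat alerts are suppressed
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "write" or ev["device_class"] != "removable":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["user"]]
        q.append((ts, ev["bytes"]))
        while ts - q[0][0] > window:          # drop events that fell out of the window
            q.popleft()
        n_files = len(q)
        n_bytes = sum(b for _, b in q)
        over = n_files > max_files or n_bytes > max_bytes
        if over and ts >= muted_until.get(ev["user"], datetime.min):
            alerts.append({"user": ev["user"], "window_start": q[0][0].isoformat(),
                           "files": n_files, "bytes": n_bytes, "last_path": ev["path"]})
            muted_until[ev["user"]] = ts + window   # one alert per burst, not per file
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_removable_writes(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, it flags analyst2 on the 21st file of the disc burn and analyst3 on the second 40 MB archive, while analyst1’s occasional small writes and analyst2’s identical volume to the local disk produce nothing. The two separate thresholds matter: a count-only rule misses a handful of very large archives, and a bytes-only rule misses thousands of small documents.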

Now, on the other side of the coin here… I am not against Wikileaks altogether. I agree with what Daniel Ellsberg did with the Pentagon Papers. The government was clearly lying about the war. In this case today, I am also sure that there were lies being told and likely still are… But the data I have seen thus far is no smoking gun and in no way shows any real malfeasance by the government. In fact, all the data thus far is about Afghanistan. Where I feel the big lies… well, lie… is in Iraq. Of course, Assange is saying that data is coming soon.

We shall see.

So, to sum up..

1) You military and gov types… Get over it and tighten up your security!

2) Anything done to Assange will only make him a martyr.

3) There is no stopping this data because it is already out of your control (Pentagon, White House), so just buckle up ’cuz it’s likely to be a bumpy ride.

CoB

Top Secret America: The Fifth Column, Uncontrolled and Unaccounted For


The top-secret world the government created in response to the terrorist attacks of Sept. 11, 2001, has become so large, so unwieldy and so secretive that no one knows how much money it costs, how many people it employs, how many programs exist within it or exactly how many agencies do the same work.

These are some of the findings of a two-year investigation by The Washington Post that discovered what amounts to an alternative geography of the United States, a Top Secret America hidden from public view and lacking in thorough oversight. After nine years of unprecedented spending and growth, the result is that the system put in place to keep the United States safe is so massive that its effectiveness is impossible to determine.

The investigation’s other findings include:

* Some 1,271 government organizations and 1,931 private companies work on programs related to counterterrorism, homeland security and intelligence in about 10,000 locations across the United States.

* An estimated 854,000 people, nearly 1.5 times as many people as live in Washington, D.C., hold top-secret security clearances.

* In Washington and the surrounding area, 33 building complexes for top-secret intelligence work are under construction or have been built since September 2001. Together they occupy the equivalent of almost three Pentagons or 22 U.S. Capitol buildings – about 17 million square feet of space.

From Secret America in the Washington Post

PBS Frontline report coming this fall

When this article came out there seemed to be just a collective murmur as a response by the masses. I figured that either people just didn’t care, didn’t get it, or were just too stunned to comment about it. Upon reading up some more and seeing the Frontline piece, I have decided that most people just can’t grasp the sheer import of this report. What this all says to me is that the government has no idea of just who is doing what and how much money is being spent. What’s more, the people (the people as in the voting public) certainly have no idea what’s really going on either.

Another factor here, I think, is that many people just have too much faith in the government and in the corporations. When you really look at it, though, once you have worked in the sausage factory and have seen how it’s made, you really never want to eat sausage again. It’s like that with working for the government and/or corporations, really. Having spent all these years in the information security business working for Fortune 500 companies as well as the government, I can say I do not want to “eat the sausage.” Of course, perhaps the better thing to say is that I do not trust the government nor corporations because they are both comprised of inept people and red tape.

By far, though, the concerns that I have are something a bit more ominous in nature. I fear that these machinations will only lead to greater abuses of power, not only by the government but also by the corporate entities it has tasked with performing all this secret work. It used to be that there was government oversight of the intelligence community, but you knew that there were some off-the-books things happening. Now we have, post-Iraq and still ongoing in Afghanistan, a contractor proxy war that now includes a civilian intelligence element. An element that now seems to be even more “civilian” because it is being operated by corporations and not by wings of the government. It gives a new meaning to “black ops.”

Another interesting turn in this “secretification,” to steal a Bush-ism, is the whole issue of just how far the pendulum has swung: from the nation not caring so much about HUMINT and intelligence to suddenly being even more fervent about it, it seems, than during the Cold War years. I might also hazard a statement to say that since 9/11 it has generally felt more and more like the 50’s again where paranoia is concerned about the “enemy threat to the homeland.”

Are we in danger? Yes. Do we need to go back to the 50’s mentality of us and them, with a McCarthy-esque twist? No.

Of course, all or most of this is aimed at Jihadi terrorists and not at a governmental body like the Soviet bloc, and this is where the disconnect seems largest to me. It’s rather ironic, actually, that all this effort is being predicated on fighting a group of people who are not generally known for being easily infiltrated, nor as easy to get a grasp on as the Sov’s were. People just knee-jerked after 9/11 and really, they have only created even more bureaucracy in which the real INTEL will get lost, and another attack will likely happen because of it.

Welcome to Washington’s dementia…
