Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘EPIC FAIL’ Category

Newest U.S. Counterterrorism Strategy: “Trolling”… Say, Doesn’t Someone Already Have The Corner On This Market?

leave a comment »

X

Trolling VS. Jihad

Well, once again I hear a story about CT efforts that I just have to facepalm and say WTF? The story was evidently posted while I was on vacation and not looking to enrage myself with the stupid (thus meaning I was reading Hunter and other classics whilst sitting on a beach) So, someone tipped me off the other day that this little gem was out there. The premise of the story/program is that the Dept. Of State has given the go ahead to this 20-something to put together a coalition of people across the globe to subtly (maybe) troll the jihobbyists and jihadi’s out there online to break them up as groups.

*blink blink*

Really? Sooo, you are going to go on to say Shamikh and start to troll the players there in hopes that you will shame them into dropping the notions of radical jihad? Why am I surprised that a hair brained scheme like this would come out of State? My initial reaction was tempered when I read the piece again and the tempering was that this was going to be aborted before it got anywhere in the first place as the article describes scope creep already and a certain sense of other agenda’s on the parts of the players. In the end, I suspect there will be a failure to launch, but, what if they were to pull their act together? Would this in fact have any net effect on the jihadi’s and the forums they frequent?

I certainly think so… But… Not in the way that the creator of the idea has in mind….

The Psychology of Jihad and Trolling Them:

In reading the article the use of the word “Trolling” is somewhat a misnomer really I think. I would use “cajole” more than troll because the goal here is to subtly shame them and make them not only uncomfortable with wit and sarcasm, but also to lead them to drop jihad. Now, will this actually work? I suppose a dialog with certain folks as peers might actually work if you don’t alienate them with your “wit and sarcasm” but really, take a look at the mind set and the social norms of the people being targeted here. You are going to troll people who, though maybe misguided by doctrine or imam, or their personal histories, are rather devout about their beliefs, to the point that some actually take on jihad literally and go fight.

… And you seriously think mocking them will make them say; “oh, wow, I was being silly”

Good luck with that. Its my feeling that given the nature of the people I have seen/dealt with on the boards, that this will just not work. In fact, in certain spaces (and those spaces are now consolidating rapidly online creating a clearer channel) you will get yourselves banned rather quickly from the board. This too will also cause them to close ranks further and to become very selective about who they let in and who gets to talk, not to mention maybe force their hand to go to other places like the darknet to host their content. So, overall, I just don’t think that this line of action will be productive in any way.

Now, if you are going to go after more “moderate” sources of dialog like muslim.net or some of the other sites out there, you may have more luck and might be the right territory to hunt in and dissuade people from acting on jihad. It’s all a matter of how hard core these people are and how new they are to the whole thing. Sure, AQ/AQAP/Global Jihad is seeking new recruits all the time online but, they are also not really gaining a huge amount of traction there either. I do appreciate the idea of trying to debate these nascent jihadi’s with smart dialog, but, in the end, “trolling” will likely only make them angry, ban you, and then make vague and useless threats. Remember, these are giant crazy echo chambers and it’s not that easy to default them to sanity just by saying they are being stupid.

I would also say that using the moniker of “Troll” for this article on Wired was disingenuous if not just wrong for the circumstances. In the article, further down in graph 2 or three, the creator of the program clarifies that it’s not really trolling per se by the netspeak definition of it. Usually today’s troll is someone who is just maladjusted and looking for an outlet for odious behavior while usually enabled by anonymity. If one were to go troll (trollhard… haha..just had an image of another Bruce Willis movie there) hard at the jihadi’s it would be quite counterproductive. Unfortunately, this kind of thing already has been happening a little bit. It seems that some people have been not only inserting themselves into boards, hacking them, ddos’ing them etc. This has served only to cause them to be much more suspicious and clamp down on security.

This is not what we need.

YOU TROLL ME! I KILL YOU!

In the end, I just see this program having the net effect of creating a bunch of Ahmed the Dead Terrorist skits online…

… And that may be hilarious to some… It just won’t help us in the GWOT.

Written by Krypt3ia

2012/08/08 at 15:21

ZOMG, ZOMG, ZOMG, LinkedIN Was HACKED and Our CRAPPY Passwords Were Leaked!

with 2 comments

ZOMG LinkedIN was HACKED!

A tweet conversation yesterday finally snapped my brain into focus on the whole LinkdIN hack password debacle. Someone had tweeted about the non complex nature of the majority of the passwords from the hash dump and my snarky response was basically “Who cares? After all, LinkedIN certainly didn’t, why bother when places don’t carry out due diligence?” After all, it was only LinkedIN right? I mean, who’s not already “in the know” that this is the Mos Eisley of business networking right? Between all the cutout accounts and stupid headhunters, one really has to know that it’s just a business version of Faceyspace right?

Well, I guess there are some out there who are using it like it’s a super secure and wonderful tool to make “spook” contacts for intelligence gathering huh? *SNORT* If anything we have seen that it has just turned into a festival of stupid commentary, casual hooking up, and one of the BEST tools for someone like Tommy Ryan to nab all kinds of .MIL and .GOV folks with their digital pants down more than anything else. So they were hacked, any of us in the business with half a brain “should” have been using throw away passwords or phrases with the apropriate complexity anyway, this includes the government and certainly the military people….

Well, it seems that this is not really the case….

ZOMG LinkedIN WASN’T PROTECTING MY PASSWORD!

So, once again we find that a company, that people do in fact pay for, was NOT performing the due diligence that they should be on behalf of their clients and protecting their passwords with salted hashes at the very least. Nope, no crypto of worth was at work within the rarefied digital confines of LinkedIN and WHO’DA THUNK IT? Even after they found out they were hacked they did not really have a grasp on if they “really” had been and failed to issue an alert until later the same day (much later, like late afternoon) when word of the hack and proof of the dump was out on the Russian hacker board at 6am EST.

Now, given the past history of security gaff’s and certain unsavory people/accounts on LinkedIN over the recent few years, and LinkedIN’s lackadaisical attitude towards security, is it any surprise that this all happened? That LI was not encrypting the password database to BASIC security standards? After all, they just take your money so you can hit up the pretty recruiters right? No security needed there… Nah. Hell, they don’t even have a CIO/CSO/CISO do they? Who needs them huh? C’mon “We no need your stinkin CISO”

Oopsies.

So what has the “INFOSEC Community” have to gripe about here? I mean, gee, we already kinda knew their posture right? You should have collectively had your throw away password anyway, so no biggie. Yet, look at all the hue and cry here!

ZOMG The 6 MILLION Passwords Were On The Whole SIMPLE AND INSECURE!!!

Yup, that headline says it all really. You see, people on average don’t really care about their passwords nor do they really have the security awareness to even attempt to create complex ones. I mean, hey, it’s as simple as downloading a password manager/vault that creates them for you with good complexity as well as saves them for you to look upon when you forget right?

*Evidently, THAT is too hard for the majority of end users… Hangs head…*

Nope, all too many people had simple passwords like 1234 for their access to a site where they lay bare much of their business and social data it seems. Oh, and did I also mention that in the same day there was a vuln released on their iOS app that was thieving YOUR calendar data? Oh yeah, nice! I guess it’s all just human nature to be lazy and create passwords that are easy to remember but this is just getting silly people. One wonders just how many of those people replicate those silly passwords on to other sites like their email or maybe their bank huh?

Oh my…. That many? We’re DOOMED.

Look, I have said it before and I will say it again, our own natures provide the largest attack surface. In the case of LinkedIN and the six million passwords there are two:

  1. Laziness on the part of the company not encrypting the passwords to basic standards and laziness on the part of the EU’s not creating stronger passwords
  2. A STUNNING lack of situational and security awareness on the part of both parties
It’s simple really, if you are a pentester or a criminal, all you need do is remember the axiom that human nature will always be the undoing of many security systems.Trust in stupidity son…

 

ZOMG The Security Industry FAILED To Teach Us All About Strong Passwords!!!

Meanwhile, there was a great hue and cry by the twits on my feed and in articles on Island and other places on how the industry (as well as LI) failed once again in the security space. We evidently do not have enough “evangelistas” out there teaching the wretched masses about the wonders of proper password choice. We are just not reaching them and when we see things like this we then go on ad nauseum chiding them or in most cases just pointing our collective fingers and laughing.

Yeah, that’ll teach em. I can feel their collective IQ’s rising now.

I guess my question is can we even really inculcate these things when the basic human nature is to not use our frontal lobes too much? We have too many passwords now and it’s hard! C’mon, just lemme do 1234 it’s gonna be fine because the company is protecting my data! How do I know? Oh, cuz they have this pretty graphic here with a lock on it!!

If you believe that, I have this bridge I’d like to sell you.

Look, all you INFOSEC people out there lamenting, stop. Breathe. The simple truth is that you cannot win this battle unless YOU are in direct control of the systems that would FORCE password complexity on the end users. The sad fact is too many of us aren’t actually in control, its the C levels who are in the end, we just tell them what would be best for the security of the business. It just so happens that much of the time these measures cost money, or, more likely, inconvenience the workers and the perception is that work and PROFIT would suffer from your new fangled security measures.

No, you cannot do that.. The workers will revolt and we will lose productivity Sonny Jim! That would affect the bottom line..

ZOMG You INFOSEC Weenies Are MISSING THE POINT!

Ok, so, it happened. LinkedIN handled it exceedingly poorly, and there is a great cry upon the internets over it all. People were tweeting and blogging, exhorting users to CHANGE THEIR PASSWORDS on LinkedIN but were failing to give a more nuanced warning.

“Uhhh, but, LI wasn’t sure they were hacked, how they were hacked, or IF they were still hacked!”

GO NOW! CHANGE YOUR PASSWORDS!

But, what about the whole password re-use thing? Any mention of that? Or that if you change your password, it may yet again be leaked because they may still be hacked?

*crickets*

Yup, bang up job people.

The real point for me is this salient fact: LinkedIN and other companies like Sony have shown time and again, they DON’T CARE about YOUR data. Always remember this people. So, you want an account on these places, then you best make a throw away pass and limit your data on the sites that host it. Otherwise, there will be a compromise like this one and not only your data there, but elsewhere (if you re-use or iterate) will be up for the taking.

What this also means is that business in general doesn’t get it nor care to and this is the most important point.

Either we demand they all do better or we just let them carry on leaking our data.

Written by Krypt3ia

2012/06/10 at 11:15

Posted in EPIC FAIL, Hacking, Infosec

Internet Jihad vs. Internet Propaganda Jihad: When The Media Gives Me Tourrettes

with 2 comments

From dnaindia.com

I followed a link today off of esecurityintelligence.net and after reading the first graph of the piece I pretty much had a bad case of Tourrettes syndrome. This is some of the WORST reporting I have seen where it concerns the state of internet jihad. Now, I know why these places all do this, they just want a lead story and headline that will draw people in and make them click into the site. I get it… But.. It’s just wrong. The internet jihad is more a propaganda campaign than anything else and as you can see from the piece below from of all places, “The Sun” did a bit of a better job on the facts than dnaindia did!

Now that is surprising.

From thesun.co.uk

So, as I was saying, a ‘bit’ of a better job.. Then they too go off the rails. Look, the cyber jihad or Internet jihad is comprised mostly of jihobbyists, guys who want to get in on the action but are too clueless to actually go to the battlefield in some cases. In others, they are deluded individuals with mental health issues that need to be medicated and taken care of. In either case, the needed skills to really cause greater issues other than setting up php bulletin boards to throw propaganda on are lacking on the part of the general jihobbyist populace. Just how many of the attacks by LulzSec were attributed to the likes of Al Qaeda?

hint: NONE

Yet the media persists in perpetuating this idea the there are some 31337 jihadi’s out there who are going to pwn the grid. Really guys, get your shit straight when reporting on things ok? I have seen some strives in the Jihadi hacking scene these last few years, but NOTHING like what you are talking about. Hell, their real hacker went to jail years ago (Irhabi007) What is worse it seems, is that likes of Home Secretary May, may in fact be spinning half truths about Internet jihad for whatever political expediency she needs. I have reported in the past about the Facebook Jihad (notice 2010) and pretty much sum it up to propaganda and thats it. Sure, there may be some illicit comms channels here, but, its Facebook for God’s sake! They are on top of this shit, TRUST ME! The jihadi’s have been complaining that as soon as they set up a Facebook page it gets taken down by Zucky and company! So really, there is no threat there.

So, lets take another look at it from the post LulzSec perspective.

Lulz have been wreaking digital havoc with some pretty low level hacks. They carried out DD0S, they hacked low hanging fruit and stole data which they then published. LULZ did it, NOT Al Qaeda. Now, don’t you think that if AQ was adroit at hacking and wanted to cause pandemonium they would have beaten LulzSec to it all? Don’t you further think that perhaps when and if they hacked the servers with the low hanging fruit hacks (SQLi) that instead of just publishing the data, they would have say RM’d the whole databases?

Think about it;

  • Economic targets like the stock market
  • Military targets like the recent Anon attacks on Booz Allen
  • Attacks on grid and other key infrastructure targets

ALL of these things likely already harbor vulnerabilities that the likes of Anonymous could already have access to! The difference? The LULZ don’t want to be thrown in a hole forever and know their limits I suspect. Now, if you were AQ though, what’s to lose?

NADA

AQ, if they had the capabilities would already have used it! They haven’t, which means to me they lack the critical skills in their jihobbyist base to be a threat in this arena. It is as simple as that. So please Media, fucking buy a clue and stop just trying to use the “If it bleeds it leads” mentality to get clicks. Do your JOB’s and get subject matter experts with credentials to talk about this stuff instead of just trying to scare the straights with false reports.

I have often written on this topic in the past and from what I have seen here is the overall picture of the state of Jihadi hacking tech.

  • They are using OLD malware packages to infect machines to steal data/money (mostly money)
  • They are using OLD hacking exploits for the most part just as they are with the malware packages
  • SOME jihadi hackers (TNT_ON) are clued in and know what they are doing technically, but yet are inept enough to leave their real IP addresses in their tutorial videos (I see you!)
  • They are learning.. Slowly.. but their sites still keep getting popped and their super sekret rooms online have been penetrated
  • Their crypto program (Mujahid Secrets) has been cracked/Reverse Engineered

Finally, let me leave you with this little bit of wisdom post the demise of OBL:

  • They got him because his lackeys were tracked by their electronic comms
  • Even though they were using sneakernet  and email Dead Drops we managed to catch on (these techniques are not hacking)

Were OBL and his crew using high tech hacking techniques or crypto (aka steg) as their main means of communications, judiciously, it would have been even harder to get a line on what they were up to, where they were, and moving forward, determine future plans from OBL’s hard drives etc. Instead, they were using old spy tactics with minor digital twists to evade the US and other countries. This says a lot about their abilities and ours to detect them. They decided it was better to go old school because we cornered the digital market.

This follows today to the hacking scene, where we have some muslim hacker groups out there defacing pages, but not doing much else in the way of Islamic Electronic Jihad. So, media, let me put it plainly again;

They don’t have the skills to be super scary like you want them to be in your exaggerated reports!

CUT IT OUT!

I will let you know when they have their shit together.. Trust me.

K.

Past posts on this subject:

Cyber Jihad: Malaysia

Great Likelihood of Cyber Attacks By Terrorists: You Don’t Say!

Inspire Magazine Analysis: Going Green for College Age Recruits

Abo Yahya and Metadata Cleaning

TNT_ON@hotmail.com —> zmm@hotmail.com = Sword Azzam?

Inspire vol II: Rationalization, Operational Directions, Open-Source Jihad, and Pivoting the Battle-Space

Jihadi Malware 2010, Al Mojahden’s User Acct Boo Boo, & The Jihadi Technical Forums

Jihadi Hacking Tutorials: Irhabi 007′s Text and More

Jihadi Penetration Tutorials: Metoovet

The Jihadist Repertoire Expands

MJAHDEN: Jihadi Crypto Progam

Al-Qaida Goes “Old School” With Tradecraft and Steganography

 

 

The Lulzboat Sailed The Internets and All I Got Was This Stupid Garbage File!

leave a comment »

That’s it? All we get is this stinkin garbage file?

Well, it seems that the Lulz are over for now as last night saw the Lulzboat sail into the sunset. In a post on twitter and a rapidly seeded file dump on Pirate Bay, the LulzSec collective decided to hang up their tophat claiming that they were basically going to pull a Costanza at the top of their game.

Within the torrent file the following parting words were sent:

Friends around the globe,

We are Lulz Security, and this is our final release, as today marks something meaningful to us. 50 days ago, we set sail with our humble ship on an uneasy and brutal ocean: the Internet. The hate machine, the love machine, the machine powered by many machines. We are all part of it, helping it grow, and helping it grow on us.

For the past 50 days we’ve been disrupting and exposing corporations, governments, often the general population itself, and quite possibly everything in between, just because we could. All to selflessly entertain others – vanity, fame, recognition, all of these things are shadowed by our desire for that which we all love. The raw, uninterrupted, chaotic thrill of entertainment and anarchy. It’s what we all crave, even the seemingly lifeless politicians and emotionless, middle-aged self-titled failures. You are not failures. You have not blown away. You can get what you want and you are worth having it, believe in yourself.

While we are responsible for everything that The Lulz Boat is, we are not tied to this identity permanently. Behind this jolly visage of rainbows and top hats, we are people. People with a preference for music, a preference for food; we have varying taste in clothes and television, we are just like you. Even Hitler and Osama Bin Laden had these unique variations and style, and isn’t that interesting to know? The mediocre painter turned supervillain liked cats more than we did.

Again, behind the mask, behind the insanity and mayhem, we truly believe in the AntiSec movement. We believe in it so strongly that we brought it back, much to the dismay of those looking for more anarchic lulz. We hope, wish, even beg, that the movement manifests itself into a revolution that can continue on without us. The support we’ve gathered for it in such a short space of time is truly overwhelming, and not to mention humbling. Please don’t stop. Together, united, we can stomp down our common oppressors and imbue ourselves with the power and freedom we deserve.

So with those last thoughts, it’s time to say bon voyage. Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind – we hope – inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere.

Thank you for sailing with us. The breeze is fresh and the sun is setting, so now we head for the horizon.

Let it flow…

Hrmmm.. 50 days? Is there any real significance to this other than perhaps the party van was pulling up outside your doors and you had to dump the garbage file quick like? Honestly, the files that you dumped, while in sheer numbers of passwords and logon’s to a few sites is well, kinda weak. In short, there is nothing revelatory here. I mean, jeez at LEAST the garbage file in the movie had some interesting malware shit in it right?

The Files:

So, we have some AT&T data from inside that cover some frequency ranges, and some manuals, minutes from meetings etc that are kind of interesting. There is a scan of the FBI.gov site that shows a vuln, and they managed to add Pablo Escobar to the Navy jobs database.

Whoopee.

All in all I have to give the Lulzsec crew a big “MEH” on this as well as their other dumps really. Sure, they have pointed out that low hanging fruit is abundant on the internet, but, really, who in the security or hacking world did not know this? Further more, what does the average everyday end user care? I mean, if their passwords are stolen, they will reset them. If their money is stolen they are insured by the Fed… Is there a great hue and cry from the masses because Lulz were had by the general populace to have the Lulzboat crew hoisted on the yard arm?

Not that I have seen.

In short kidz, you have only served to amuse yourselves and others out there but if you had anything else in mind about bringing change to the scene, I don’t think you have succeeded. People are creatures of habit and sloth. Short of taking the whole system down for the count, nothing will be so epic as to make corporations secure their networks and perform due diligence. Those who have done so out of worry because of your antics will go back to their peaceful Luddite slumber.

Leaving So Soon?

So, on to your sudden departure from the scene. I have the feeling that as I had written about before, you were coming to realize that perhaps you could never be as clever or wily to evade detection and prosecution given your penchant for the dramatic you all seem to have. Your propaganda machine and communication channels were leaking, this you could see from the A-Team dumps.

You guys have tried variations of your names, you have attempted obfuscate as much as you could, but, in the end, your re-use of favored screen names was your undoing. You see, the jester has been scouring the internet (I am sure with help from others) looking for any connections to those screen names or iterations thereof. I myself have done this and came up with analogous data to what jester and others have posted. With each successive day, your true identities are being uncovered if they have not fully been as of now.

However, this re-use of nick names and ties to email addresses aside, you guys just were immature enough to do yourselves in with petty disputes and the use of non trustworthy assets. This whole outing of each other thing was one of the most stupid things I have seen. Sure, some of it could be digital chaff, with you trying to set out disinformation, but I think that is not the case. Your own hubris shall be the thing that ends up placing the party vans on your collective front steps.

Lets face it, you played the game of spooks and I think in the end, you will lose. In fact, I think that you should probably have been better off had you just gone off seeking some sharks with frikkin lazers on their heads in your volcano lair instead of playing with the fire that you have been. Once they do pop you, you all are going to see some very interesting things inside jail as the governments kluge together terrorism charges on you.

Your Legacy:

Well, I guess we will have to see if anyone decides to take up the Lulzsec mantle. For now, we all await the party van posse to pick you all up sooner or later. You have spawned some more fools though like Team Poison who want to up the ante with releases of data like old Tony Blair stuff… That was kinda lame too frankly and made so sense when they claimed to still have access.. Why dump what you have and then claim to still have access? If it was current, I am pretty sure they have yanked the plug on that mail server and ‘five’ has it.

Oh, did you take that into account? I mean, he is Tony Blair after all… They are MI5… ‘Expect them’

So where was I?… Oh yeah..

In all of your dumps you delivered nothing worth your or our time. You proved a point that SQLi is prevalent but who didn’t know this? You have proved that you were pretty immature and likely suffer from Asperger’s yourselves… Well that will be the claim that your lawyers make to the judge won’t it huh? I mean that is the mental illness du jour as excuses go for immature hacking antics today isn’t it? I don’t think that will work though, the government just doesn’t care, they will medicate you and then put you on trial. You see Asperger’s is not a form of insanity, and the insanity plea, as some of us know, is NOTORIOUSLY hard to use as a defense in court. Nope, you guys really actually suffer from inflated ego’s and too much jolt cola.. That’s my diagnosis, for what its worth.

So, yeah, legacy… Well, you certainly have tried to do your best imitation of SPECTRE, but instead you came off as Bighead. I am sure there will be others following in your footsteps, but, in the end I don’t think you have launched a new SPECTRE.

Nope, I expect your real legacy will be the creation of more draconian laws by the government as a backlash to your antics. Laws that will make all our lives a bit more less private and a lot more prone to being misused. I also expect that the lulz will continue, though at your expense once you are all caught and put into the pokey.

… And those lulz will also be epic fail.

K.

From Lulz to Global Espionage: The Age of the Cracker

leave a comment »

It seems that 2011 is turning into the year of the cracker. Between Anonymous, Lulzsec, and the ongoing wave of espionage being carried out by nation states, we have begun to see just how serious a threat cacking really is. Of course both of these groups of attacks  have greatly differing motives as well as means. Lulzsec, well, is doing it for the Lulz and the others such as nation states or criminal gangs, are doing it for political, financial, or personal gains. In this post I will cover all three groups and their motives as well as means.

Lulzsec:

Lulzsec is a splinter group of Anonymous who for all intents and purposes, have decided to carry out raids on any and all sites that they feel need their attention. This could be simply a process of finding the lowest hanging fruit and exploiting it or, there may be some further agenda that they have yet to explain fully. So far though, we have the simple explanation of “They are doing it for the Lulz”

Lulzsec really began their efforts with focusing their full attention on Sony Corp. Sony pissed them off by attempting to prosecute a coder/hacker/reverse engineer named GeoHotz. Geohotz managed to tinker with some Sony code and they went out of their way to try and destroy him. It’d be one thing if he was being malicious, but Geohotz was not.. Instead Sony was. This caused a great backlash in the hacker community against Sony, and though they came to an agreement with Geohotz, Lulzsec decided they needed some attention.

After numerous attacks on Sony that netted Lulzsec much data and showed just how poor Sony was at protecting their client data, Lulzsec decided to take their show on the road so to speak. They began their new campaign with “The Lulz Boat” which set sail for #fail as they say. Soon the Lulz were epic and the target scope began to open up. Lulzsec attacks began to show up on Pirate Bay as well as on pastebin where they would dump the data from their attacks and laugh at the targets poor security.

What once seemed to be revenge has now morphed into a free for all of potential piratical actions for unknown reasons by Lulzsec. Of late, they also seem to be profiting from their actions by donations of bitcoins as well as perhaps other help from the masses who enjoy their antics. It is hard to tell exactly what the agenda seems to be for Lulzsec as it is still evolving…

Meanwhile, their actions have risen the ire of not only the likes of Sony, but now the governments of the world as well as their law enforcement communities. Who knows how long it will be before they are collared or if they will be at all.

Nation State Actors:

The ‘Nation State Actors’ may well be the most sophisticated group here. Many of you likely have heard the term APT, and this group would be the core of the APT. Those nations that have the means to use assets at their disposal to make long term and concerted attacks against their targets. This is the real meaning of APT (Advanced Persistent Threats)

What we have seen in these last few months is either an escalation on their part, or, we are just now catching on to their attacks by actually paying attention to information security. I am not sure which it is really, but, I lean toward there being more attacks as the programs developed by certain countries have solidified and spun up. As you have seen here, I have made much mention of China as being the culprit in many of the attacks recently. I stand by that assessment, but one must not forget other countries like Russia or Israel for APT attacks.

This all of course is just a natural progression from the old school espionage with physical assets in the field to a digital remote attack vector. As we have gotten wired, so has the espionage game. In the case of the wired world, unfortunately, much of the security that would usually surround assets in the old days, are not put into place in the digital. Why is this? It could be a lack of understanding, or, it could also be that the technology has outpaced the security values that they require to protect the data within.

Either way, hacking/cracking has now become a tool of war as well as intelligence gathering. It’s just a fact of life today and unfortunately the vendors and users have not caught up on means to protect the assets properly.

Industrial Espionage:

This is where the APT, Lone crackers, Companies, and Nation States meet. All of these groups use hacking/cracking as a means to an end. In the case of nation states, they are often looking to steal IP from companies. Often times that IP happens to be from defense contractors. This is a dual use type of technology both for war as well as any technology taken could further their own in many other ways.

In today’s world, you have all of these players using attacks to steal data for themselves, or their masters. The recent attacks on Lockheed are just this, APT attacks, likely by China engaged to steal IP on military hardware and technologies to augment their own and compete not only on the battlefield but also economically.

Other attacks are likely un-noticed and carried out by single aggressors or small teams that hire themselves out for this purpose. These are the civilian equivalent of the nation state spies and often can be contracted by nation states or other companies to carry out the work. In fact, this has become a boutique niche for certain individuals and companies in the ‘private intelligence’ arena. For this type of actor, I suggest reading ‘Broker, Trader, Lawyer, Spy’

Criminal Gangs:

This brings me to the criminal gangs. These are most commonly from the Eastern Block (The former Soviet Union) and they too often work tacitly for the government. In the case of Russia, there is a large amount of governmental complicity with the gangs. This is because much of the Russian government is made up of Russian mob types or, are paid handsomely by them for complicity.

Much of the crimeware trojans out there are Russian (Ukraine) made and the money that they steal from their quick hits goes to the East. Just by looking at the news, you can see how many ATM skimming attacks have money mules hired by the Russians and how often the money makes its way there. An interesting convergence here is also the connection between the Chinese in some cases and the Russians working together. There was a spate of Russian run botnets that had Chinese involvement as well as Russian servers/sites showing up in China recently.

With the synergy of the Russian and the Chinese malware makers working together, we will have a level of attacks that will only escalate as they learn from each other and perfect their methods. Meanwhile, they are robbing places blind by stealing PII data to create identities with as well as just transferring large sums of money digitally from banks that lately seem to be getting off for not performing the due diligence of security on behalf of their clients.

When The Players All Meet:

It seems that in the end all of the players meet at the nexus of digital crime. Whether its stealing data for profit, or as an act of patriotism for a nation state, all of the players work within the same digital playground. As the technologies meet, so do the players and it is likely there will be bleeding together of means and opportunity.

In the case of Lulzsec, it has yet to be determined what they really are all about other than the laughs. As they were once a part of Anonymous, one might think they might have a political agenda, but they have said otherwise. However, some of their actions speak to a more political bent than anything else. The recent attack on the senate websites seems to belie at least some politics at play as they stated they didn’t like them very much.

More importantly though, it is the response by the nation states and their law enforcement groups that will be interesting. For groups like Lulzsec, they are now passing from the nuisance category into perceived enemies of the state. Once they start attacking government and military targets with their lulz, then they are likely to see a more hardened response from intelligence agencies as well as the likes of the FBI.

Once the laws and the enforcement agencies catch up with the technology, then we are going to see some interesting times…

K.

Yippee Ki Yay Mutha *%$#%^#

with 5 comments

Casper: That was creepy.
Trey: I tried to find more Nixon

Quote from Die Hard 4

A friend of mine, a more-or-less retired CIA paramilitary operative, sees the solution in characteristically simple terms. “We should go get him,” he said, speaking of Assange.

When my friend says “get him,” he isn’t thinking of lawsuits, but of suppressed pistols, car bombs and such. But as heart-warming as it is to envision Assange surveying his breakfast cereal with a Geiger counter, we shouldn’t deal with him and WikiLeaks that way.

At the risk of abusing the Bard, let’s “Cry havoc, and let slip the geeks of cyberwar.” We need to have a WikiLeaks fire sale.

A “fire sale” (as those who saw Die Hard 4 will remember) is a cyber attack aimed at disabling — even destroying — an adversary’s ability to function. Russia did this to Estonia in 2007 and Israel apparently did this to Syrian radar systems when it attacked the Syrian nuclear site later that year. The elegance of this is that if we can pull off a decisive cyber operation against WikiLeaks, it can and should be done entirely in secret.

Plausible deniability, anyone?

Full article HERE

So, with the revelations over the weekend of rape charges that mysteriously just vanished, one has to wonder if indeed there are forces at work trying to discredit Assange as step one in a much more ornate plan. After all, if one were to discredit him, then he could more easily be shipped out of his hidey hole to a more US friendly place with regard to legal standings right? Though, one wonders at the rape charge.. I mean we couldn’t get Polanski back here for child molestation, so what do you think is gonna happen with a regular rape charge?

Also this last week there was an article claiming to have a story being told by Lamo that there is a “velvet spy ring” Umm yeah, those days are not so over as this was the big deal with the Cambridge five no? I haven’t yet chased that story down due to laziness as well as.. Well, I can see that just as a poorly constructed propaganda attempt by someone.

Adrian, care to comment?

Anyway, this whole Fire Sale thing.. Uhh guys.. It ain’t gonna work. Sorry, but as the article alludes to, the Wikileaks pages are all over the place. They have some online ready to go and others are in their silos waiting to be prepped for launch. So, there is no real way to stop the data coming out if they want it out. I mean, I didn’t even mention the torrents… But this is who we are dealing with… A mindset that cannot grasp the intricacies of the intertubes sometimes. The damage has been done and short of taking down the whole of the Internet, the data will be set free by Wikileaks.

So what now?

Well, how about we make sure that the data does not get out of the compartmented systems in the first place huh? Manning evidently showed signs to others that he was a security risk and nothing was done. He had access to systems that if they were paying attention to infiltration and exfiltration methods, would have prevented the data from being burned to disc and taken out. It really reminds me of “The Falcon and the Snow Man” they were not paying attention to many of the rules in the secret areas and at the guard stations, thus the data was just taken out in quantity. I am sure that if the precautions were in place effectively and watched, Manning would have been caught sooner and perhaps this would not be as much a debacle.

Now, on the other side of the coin here… I am not against Wikileaks altogether. I agree with what Daniel Ellsberg did with the Pentagon Papers. The government was clearly lying about the war. In this case today, I am also sure that there were lies being told and likely still are… But the data I have seen thus far is no smoking gun and in no way shows any real malfeasance by the government. In fact, all the data thus far is about Afghanistan. Where I feel the big lies… well lie.. is in Iraq. Of course Assange is saying that data is coming soon.

We shall see.

So, to sum up..

1) You military and gov types… Get over it and tighten up your security!

2) Anything done to Assange will only make him a martyr

3) There is no stopping this data because it is already out of your control (pentagon, White House) So just buckle up cuz its likely to be a bumpy ride.

CoB

Top Secret America: The Fifth Column, Uncontrolled and Unaccounted For

with 2 comments

The top-secret world the government created in response to the terrorist attacks of Sept. 11, 2001, has become so large, so unwieldy and so secretive that no one knows how much money it costs, how many people it employs, how many programs exist within it or exactly how many agencies do the same work.

These are some of the findings of a two-year investigation by The Washington Post that discovered what amounts to an alternative geography of the United States, a Top Secret America hidden from public view and lacking in thorough oversight. After nine years of unprecedented spending and growth, the result is that the system put in place to keep the United States safe is so massive that its effectiveness is impossible to determine.

The investigation’s other findings include:

* Some 1,271 government organizations and 1,931 private companies work on programs related to counterterrorism, homeland security and intelligence in about 10,000 locations across the United States.

* An estimated 854,000 people, nearly 1.5 times as many people as live in Washington, D.C., hold top-secret security clearances.

* In Washington and the surrounding area, 33 building complexes for top-secret intelligence work are under construction or have been built since September 2001. Together they occupy the equivalent of almost three Pentagons or 22 U.S. Capitol buildings – about 17 million square feet of space.

From Secret America in the Washington Post

PBS Frontline report coming this fall

When this article came out there seemed to be just a collective murmur as a response by the masses. I figured that either people just didn’t care, didn’t get it, or were just too stunned to comment about it. Upon reading up some more and seeing the Frontline piece, I have decided that most people just can’t grasp the sheer import of this report. What this all says to me is that the government has no idea of just who is doing what and how much money is being spent. What’s more, the people certainly have no idea (the people as in the voting public) whats really going on either.

Another factor here I think is that many people just have too much faith in the government and in the corporations. When you really look at it though, once you have worked in the sausage factory and have seen how its made, you really never want to eat sausage again. Its like that with working for the government and or corporations really. Having spent all these years in the information security business working for fortune 500 companies as well as the government, I can say I do not want to “Eat the sausage” Of course perhaps the better thing to say is that I do not trust the government nor corporations because they both are comprised of inept people and red tape.

By far though, the concerns that I have are something a bit more ominous in nature. I fear that these machinations will only lead to greater abuses of power by not only the government but also the corporate entities that they have tasked with performing all this secret work. It used to be that there was government oversight on the intelligence community, but you knew that there was some off books things happening. Now, we have post Iraq and still ongoing in Afghanistan, a contractor proxy war that now includes a civilian intelligence element. An element that now seems to be even more “civilian” because it is being operated by corporations and not wings of the government. It gives a new meaning to “black ops”

Another interesting turn in this “secretification” to steal a Bush-ism is the whole issue of just how far the pendulum has swung from the nations not caring so much about HUMINT and intelligence to suddenly being even more fervent about it it seems than they were during the cold war years. I might also hazard a statement to say that since 9/11 it has generally felt more and more like the 50’s again where paranoia is concerned about the “enemy threat to the homeland”

Are we in danger? Yes. Do we need to have to go back to the 50’s mentality of us and them with a McCarthy-esque twist? No.

Of course all or most of this is aimed at Jihadi terrorists and not a governmental body like the Soviet bloc and this is where the disconnect seems to be the largest for me. It’s rather ironic actually that all this effort is being predicated on fighting a group of people who are not generally known for being easily infiltrated nor as easy to get a grasp on as the Sov’s were. People just knee jerked after 9/11 and really, they have only created even more bureaucracy in which the real INTEL will get lost and another attack likely happen because of it.

Welcome to Washington’s dementia…

Of Online Jihadist Flunkies and Mapping Online Jihad

leave a comment »

Excerpts from

Student, Online Terrorist Flunkie Arrested in Virginia

In something of a warning to all wannabe online mujahedeen, a 20-year-old student from northern Virginia was arrested today on charges of providing material support to al-Shabaab, the al-Qaida-aligned Somali extremist group.

Zachary Adam Chesser is the guy’s given name. But he went by several others: Abu Talhah, Abu Talhah Al-Amrikee. But Chesser’s highest profile appears to be online, where his sobriquets included TeachLearnFightDie and AlQuranWaAlaHadith. He posted on an apparently defunct blog called Themujahidblog.com and Revolutionmuslim.com, according to the affidavit of FBI Special Agent Mary Brandt Kinder, and he threatened the lives of the South Park creators for their portrayal of the prophet Mohammed. Searches for his uploaded videos led to the discovery of him getting pwned by one of the Jawa Report guys.

Apparently Chesser intended to put his internet skills to use for the extremist militia. According to the affidavit, Chesser told Menges that al-Shebaab members told him to bring laptops to Somalia, so he could join their media unit, the apparent posting of choice for foreign fighters — much like the rapping Alabaman Omar Hammammi. He wrote a post in June on an unspecified online forum, according to the affidavit, expressing his intent to leave for Somalia and announcing he was “actually leaving for jihad.”

The guy wrote a fair amount online. A different post from January encouraged fellow takfiris to stay fit: “We have to go for jogs, do push-ups, learn firearms, and all kinds of things…. And, perhaps above all, we have to actually go and fight against the disbelievers.” This kind of stuff is increasingly prevalent in the English-language internet. Just last week, a Pennsylvania-based internet hosting service shut down its blogetery.com platform after federal law enforcement officials showed that more than 70,000 bloggers used it to push al-Qaeda propaganda into the cyber-ether.

But he might be part of a recent trend in low-wattage/high-bandwidth self-radicalization. “This case exposes the disturbing reality that extreme radicalization can happen anywhere, including Northern Virginia,” U.S. Attorney Neil MacBride said in a statement. Especially with the aid of Wi-Fi.

From Wired.com by By Spencer Ackerman

Ok, so there is so much wrong with this article that I just have to call it into question as to if the reporter actually did any kind of “reporting” here. I mean, sources and actual leg work looking into the terminology and technology perhaps? This just seems to me to be more of a poorly worded and thought out scareware piece than anything else there Spencer.


Lets pull it apart a bit…

First,


“Tafkiris” the root of which is kufir or kafir, which means “impure” or those who are excommunicated from the Muslim faith. Uhh yeah, it would be helpful to show that this kid had even LESS of a clue what he was talking about here by pointing that one out Spencer.. IF that is, you had any clue what it meant. I am sure you thought perhaps it was another term for a jihadi or mujahideen.

No.. its not.


This kid had less of a clue than Spencer.. But that ain’t saying much. Lets show a little more of the subtlety here huh?

Second,

Just last week, a Pennsylvania-based internet hosting service shut down its blogetery.com platform after federal law enforcement officials showed that more than 70,000 bloggers used it to push al-Qaeda propaganda into the cyber-ether.

As I wrote about yesterday, the whole affair over the blogetery site was not so much the feds saying that there were 70K worth of users pushing jihadist data on there, but instead asked about a couple of their servers that had data on them. You see, as I had reported, the site was a file trading site primarily and it is likely that the jihadi’s just found it easy to put up the files there and leave links elsewhere as they do in many other cases.

I checked Google and only came up with one potential site that had connections to Iranian Muslim propaganda against the west so, I don’t think that this was another “mos eisley” on the internet here. Spencer, do a little research huh? Had this been so riddled with data and grave things indeed, then the Feds would have swooped down either with a warrant to seize the servers or, they would have quietly assumed control with the help of the burst folks to watch and collect data. It was in fact Burst that took the system down for fear of being nailed for copyright infringement as they had already been sniffed around on before.

Third,

But he might be part of a recent trend in low-wattage/high-bandwidth self-radicalization. “This case exposes the disturbing reality that extreme radicalization can happen anywhere, including Northern Virginia,” U.S. Attorney Neil MacBride said in a statement. Especially with the aid of Wi-Fi.

WTF? WI-FI is the cause of rapid and widespread jihadi conversion? Spencer what the fuck is this crap being quoted without the benefit of calling the reasoning into question here?

Look, self radicalization can happen with or without WIFI there buddy, and the internet sure does have something to do with that, but, it is not a big deal to say that it EVEN HAPPENED IN VIRGINIA! What the hell man? Any kid or nutbag out there ANYWHERE could turn to Jihad as well as perhaps any other whackjob religious sect and become a terrorist! … And it has nothing to do with WIFI!

Wired.com has been steadily slipping here…

So yeah, this kid is a shmuck. He was being used by Al-Shebab and likely “if” he did have contact with Al-Awlaki then he was being groomed to be the next BVD bomber and not so much a new whizkid at their media arm. I mean fuck, he had no idea what Tafkiri meant!

Here kid.. take this plastic bottle of boom juice, place it in your rectum and pull the chord in flight for us!

Ok! Will I get my 72 raisins?

Tards… (Spencer included)

CoB

#LIGATT A Cautionary Tale of Cyber-Security Snake Oil

with 10 comments

The Charlatan of the Intertubes:

Last week an internet war broke out on Twitter that became all the rage within INFOSEC circles. A self proclaimed #1 hacker “Gregory D. Evans” was being taken to task for the blatant plagiarism in his book of the same name. Evidently, Mr. Evans, like the BP and other oil company executives, decided it was quite alright to just cut and paste their way to a complete document and claim it as their own. Mr. Evans now though, is learning a couple of things;

1) Plagiarism is just wrong.

2) Do not meddle in the affairs of hackers.. For they are subtle and quick to temper.

Whats more, this whole event has brought to light the fact that this charlatan has been hoodwinking certain governmental bodies into believing that he is qualified to handle their information security and technical security needs. This is the most frightening thing for me because we are already pretty behind the eight ball where this is concerned with regard to the government and our infrastructure. What we really DON’T need is a wanker like this guy to get contracts for work within the government sphere.

Since the original calling out by Ben Rothke and also by the Shitcast as well as Exotic Liability much has been dug up on Gregory Evans and his merry band of plagiarists that he calls “authors” on his Nationalcybersecurity site. Here are some examples;

  • His author picture for “Seria Mullen” was in fact a picture of a local tv news anchor
  • None of his authors seem to actually write anything, instead they copy AP stories and place them on the site under their name
  • His site nationalcybersecurity.com is riddled wth PHP and XSS vulnerabilities (it was in fact hacked and taken down.. Its back unfixed now as you can see from the image above)
  • None of his alleged experts seems to be qualified for the positions he claims they have in information security and technical security
  • He immediately played the race card in response to the allegations of his plagiarism and fraud
  • In one STUNNING case Evans claims he has a 13 yo hacker who he hired at 11.. He has a youtube commercial with him in it as a testimonial.. Turns out the kid is an actor (see twitter below)

Here are some more examples via Twitter:

#LIGATT Meet Beth Sommer another “author” who actually writes NONE of her posts http://tinyurl.com/29yvjuo

#LIGATT Mark Wilkerson author. Anyone know this guy?http://tinyurl.com/33zlrwc http://tinyurl.com/33zlrwc

#LIGATT Meet Rex Frank (cyber sec expert)http://tinyurl.com/2dghu33 http://tinyurl.com/2a5mh9j and “author” Funny, I see no creds there..

#LGTT Meet Avery Mitchell Ligatt flunky http://tinyurl.com/35hz6bohttp://tinyurl.com/35a8fjo http://tinyurl.com/27csy7r He’s their top guy

#LIGATT None of these “authors” actually write anything on nationalcybersecurity.com http://tinyurl.com/258jd5x they just add their names

♺ @wireheadlance: Ligatt fraud exposed: “hacker” is an actorhttp://tinyurl.com/3xus8ey http://bit.ly/dh0hw5 NICE

Over and over again, Evans has claimed that he was consulted by Kevin Mitnick in jail over his plea agreement, that his company is worth millions, and that he paid the authors of the content that he used. All of these claims seem to have been quite easily refuted and there have been more than a few authors who have said that he never asked them, never paid them, and in fact were quite unhappy with their work being stolen. In short, its pretty well known now that Gregory Evans is a liar and a thief… At least a thief of intellectual capital in the form of hacking texts.

Whats worse to me though, as I mentioned above, is that there are people out there and companies.. Perhaps even governmental bodies that have thought about contracting with him for ethical hacks on their networks and likely have been sold snake oil reports on their security postures. It is highly likely, that these places are just as insecure as they were the day before Gregory and his lackeys came along and this is a large disservice to them and to the information security industry.

This is however, not an uncommon occurrence unfortunately… Just in this case it is so egregious that its hard to believe anyone bought it!

The “Industry”

The infosec industry has become like any other industry.. Like the fast food “industry” there is a lot of crap out there and unfortunately the buyers are unaware of the differences between the garbage and the good stuff. The words “Caveat Emptor” just don’t compute for many people in the corporations that need these kinds of services. They also might go for the cheaper service in hopes that they will just get a piece of paper saying they have been audited and its all good. It’s not all good.

Of course, I would like to also add here and now, that security is…. Well.. Not a hard target. It’s rather like philosophy in many ways really. You either get it and you work at getting more of it, or, you just are lost and have no idea what its all about. It is also rather tricky from a technical perspective because someone could come in and run the tests, tell you you are good in one area, leave, and two minutes after they are gone someone could open up a new hole and BAM you get compromised. So, in reality one could make the logical extension that many of the companies out there now doing “ethical hacks” and “vulnerability scans” could in fact just be fools with tools who don’t know how to judge between an IIS vulnerability or an Apache Tomcat vuln.

The “Industry” has become a the new MCSE with the CISSP being potentially the new paper tiger equivalent of that old Microsoft cert that really, no one cares about any more. Now with the “cyberwar” boondoggle, we have many more pigs at the troth (like Ligatt) looking to make lots and lots of cash on specious claims of being #1 Hackers. This is even worse when you stop to think about the stakes here…

I mean you either have the skills and the drive to perform this type of work, or you don’t.. Unfortunately now, the CEH courses out there are cranking out “CEH” candidates like sausages and I would hazard that a good 90% of them have no idea how to really be a good security analyst.

Security is a voyage… Not a destination:

This is the mindset one needs to really be working on security and it is work. You have to keep at it or you will eventually find yourself compromised because you didn’t patch something or an end user did not know better than to click on that “VIAGRA FREE” pdf file with the new 0day in it. In short, much of the security puzzle resides in the most basic of principles within security and most places out there do not have a solid footing on how to perform these functions.

I personally, would like to see a more holistic approach to information and technical security today as opposed to just selling a vuln scan and or an ethical hack. You can hack the shit out of a place, have them remediate the holes, and still, if they do not have proper policies, procedures, standards, and awareness programs in place, they will be pwn3d again and again.

It’s really all about the basics…

So, you out there who want to get into this field… Don’t be a Ligatt (Evans) get the books, do the homework, and if you have the drive then you can do a good job. Remember there is that pesky word “Ethical” in there…

CoB

Adrian Lamo: From Homeless Hacker to Lamer?

with 6 comments



From the Sacramento Bee

On Thursday afternoon, Adrian Lamo sat quietly in the corner of a Starbucks inside the Carmichael Safeway, tapping on a laptop that requires his thumbprint to turn on and answering his cell phone.

The first call, he said, came from an FBI agent asking about a death threat Lamo had received.

The second was from a Domino’s pizza outlet. One of his many new enemies had left his name and number on a phony order.

The third was from Army counterintelligence, he said.

In other circumstances, it might be easy to dismiss his claims.

He is an unassuming 29-year-old who lives with his parents on a dead-end street in Carmichael and was recently released from a mental ward, where he was held briefly until doctors discovered his odd behavior stemmed from Asperger’s syndrome.

On Thursday, he was dressed in black. A rumpled sport coat covered his bone-thin frame, and a Phillips-head screw pierced his left earlobe – a real screw, not an ear stud made to look like one.

He spoke slowly and methodically, sounding almost drunk, a side effect of medication he takes to treat Asperger’s, anxiety and his rapid heartbeat.

But Lamo is the most famous computer hacker in the world at the moment, the subject of national security debates and international controversy – and a target of scorn in the hacker community that once celebrated him.

He first gained notoriety in 2003, when he was charged with hacking into the New York Times computer system, essentially just to prove he could.

“I just wanted to see what their network was like,” he said. “It was going to be the Washington Post, but I got distracted by a banner ad.”

He has re-emerged in the spotlight following his decision last month to tell federal agents he had reason to believe an Army private in Iraq was leaking classified information. He said the information was going to WikiLeaks.org, a website based in Sweden that publishes information about governments and corporations submitted by anonymous individuals.

The soldier, Pfc. Bradley Manning, a 22-year-old intelligence analyst who was stationed near Baghdad, is reportedly being held by the Army in Kuwait while the case is investigated.

Lamo said Manning contacted him online after reading a profile of him on wired.com, which first reported Manning’s arrest and Lamo’s involvement last Sunday. Manning, he said, bragged about leaking classified military information to WikiLeaks, including the so-called “Collateral Murder” video of a U.S. helicopter attack in Baghdad that killed several civilians in 2007. That video appeared on WikiLeaks in April.

Lamo said Manning also claimed to have leaked other materials to the website, including 260,000 U.S. classified diplomatic cables.

“I couldn’t just not do anything, knowing lives were in danger,” Lamo said. “It’s classified information, and when you play Russian roulette, how do you know there’s not a bullet in the next chamber?”

Full article HERE

Adrian Lamo, a name that in the hacker community for a while, was a zeitgeist for the altruism of hacking in the original sense. He popped into systems and networks with only a web browser and told the companies he had compromised in an effort to secure them. Frankly, the recent diagnosis of Aspergers makes a lot of sense to me and likely to others who have met him or know of him by watching him. He has an interesting personality that borders on the strange and Aspergers may well explain his focus on such minutiae as he has shown up with in his hacks.

With the events of late regarding his turning in the alleged source for Wikileaks, there has been a fair bit of loathing on the part of the hacker community against Lamo and I for one think that he did the right thing. Look, this guy Manning has yet to be shown to be a Daniel Ellsberg here. Daniel released data that unequivocally showed that our government was lying to us about Viet Nam. Perhaps some of what Manning was seeing was on par with that, but, he went to Wikileaks instead of say the New York Times with his allegations. In fact, I have not heard anything substantive out of Manning that would lead me to believe that he is anything more than a hacker wannabe or.. Just someone craving attention. The mere fact he went to Lamo on this show’s more about his motives than anything else.

If you look at the chat transcripts there is no real sense that this guy was looking to put an end to conspiracy as much as get Lamo to like him… Simple as that I think. So, what Lamo did was in my mind right. He reported the potential for large leaks of cables that could blow NOC agents all over the world potentially as well as place our diplomatic aspirations globally at risk. Who knows what else might have been given to Wikileaks and or may be out of pocket elsewhere thanks to Manning. The damage could be long in coming and severe really and Lamo could see that. Not to mention that he knew enough that now he was a party to treasonous acts and could by just knowing of it, be a co-conspirator had he not reported. If he thought he knew the dark side of the judicial system before with the Grey Lady incident, he certainly could fathom what would happen to him on treason charges.

So, all the hacker kiddiez out there.. Leave him alone. He actually did the right thing here. Cut out the death threats and all the BS that certainly is going to go on… Especially at DC18 I am sure he will get some negative attention because many of the hacker types are childish narcissists to start. Its time to grow up.

Now, with all that said, should there have been some epic malfeasance on the part of the government along the lines of the Pentagon Papers, then I would understand in passing such data to the Times or perhaps even to Wikileaks. However, without there being confirmed actions on the part of our government, I cannot agree with what has happened. Yes, the footage that came out and the subsequent recognition that civilians in a war zone were killed by US forces fire is bad and perhaps there was some attempt at covering up, it does not merit the continued and further exploitation of all data at the hands of this guy.

For an analyst he sure wasn’t analyzing the data. I guess that some of this all will come out eventually if there is a trial that can be reported on by the press. Though, likely it will not as everything is classified.

What may be more telling is that what Manning did was so easily done with SIPRNET systems and alleged compartmented data. Once again, the measures that the military had taken, even with the assumption of “trust but verify” were clearly not being carried out here. I have heard the stories before and seen the fall out from processes not being followed where security is involved not only in the military area, but in every day corporate life. If you fail to carry out your basics of OPSEC and INFOSEC, then you FAIL epically to retain your data security.

Bad on the military here.

In any case, Lamo did the right thing either for his own skin’s safety or a real sense of just how far reaching the damage could be to this country. As well, this incident may actually get him closer to being a truly functional member of the security community.

Well done.

CoB

Written by Krypt3ia

2010/06/14 at 17:46

Follow

Get every new post delivered to your Inbox.

Join 131 other followers