Archive for the ‘FUD’ Category
“At the operational level, you have groups such as Hamas, Hezbollah, al-Qaida. Like teeth in a shark, it is irrelevant if you take one group out,” Gawthrop said during his lecture to the New York Metro Infragard at the World Financial Center in downtown Manhattan. From Wired.com
Who says the crusades are dead? At least that is what seems to be running through my mind while watching this diatribe by William Gawthrop in his video on jihadist terrorism presented to Infragard. I have news for you William,
“You’re doing it wrong”
Simple enough for you? No? Ok lemme splain some more for you and others out there… 99+% of the 2.2 Billion Muslims in the world are not jihadi fundamentalists. If it were true that all adherents of Islam were radicalised because they believe the “word” of their book and prophet as “gospel”, then we would already be a caliphate by now.
Comprende? We savvy?
Now, I know what you are thinking here, it’s all about the religion of hate that rules over the 2 lands with their Sharia law! Well, sure, there is some Sharia out there but is it really so different from the patina of separation of secular and religious we have here in the states? C’mon, really, think about it, how much is this country ruled by the religious right nowadays?
Or, should I say how much would they LOVE to be in charge more?
Yeah, you know what? ALL of the books that are “gospel” to these people to become radicalised over were all written by people who barely understood science and now, in some quarters would like to do away with critical thought (science) because it gets in the way of their dogmatic beliefs. Might I just cite a place in Kentucky that has a diorama with dinosaurs and man TOGETHER?
Fucking Marx was right about one thing: “Religion is the opiate of the masses.” So, when you or anyone else wants to cite any one religion as the bane of existence (in this case Islam) then I suggest you take a long hard look at the other religions out there and just who is running them as well as who created them.. Yep, it was us, humans.
No burning bush
No alien tablets
No God delivering us a giant idol to worship
We as humans wanted to rationalise that which we did not understand (death, life, the universe, everything) and our primitive brains could only come up with the construct of God… I have more news for you. It’s not the book’s fault. They were written long ago and things were more primal. It’s 2011 and you know what? Any of the books taken LITERALLY are taken so by lunatics who lack a perception of reality.
In essence, it’s not the religion or the book or the law.. It’s who is wielding it as a cudgel to further their own agenda.
So, when you have someone like Mr. Gawthrop blaming the book for people’s actions, he is completely discounting the human element here. Perhaps it would have been better if he had decided to qualify things with the words “Radical Sharia believers” or “Radical Muslims”. Ya know, kinda like Radical Christians or even Radical Shinto Buddhists! Though, there have not been too many Buddhists whacking folks out there.. More like immolating themselves to make us all look at our own shit.. But I digress.
For every belief, whether it be religious or philosophical, there will be ardent believers who may even become “radical” in their belief. These are the people using the books or beliefs for their own purposes or interpretations. This is the problem, and those are the people and personalities that need to be assessed and dealt with. Not just making gross characterisations of groups.
There’s a lot more going on socially and psychologically than the simplistic truth you espouse that Islam is bad. Has that little changed since Bush uttered the immortally stupid words “They hate us because of our freedom”?
More on Radicalisation today HERE
First, let me preface with an expletive laced rant that will be stripped for the straights at Infosecisland.. Please forgive the capslock shouting, but I cannot contain myself here!
HOLY WHAT THE FUCK?
McAfee WHAT IS THIS EPIC BULLSHIT YOU ARE PUTTING OUT THERE TO FUD THE CONGRESS INTO WANTING TO SEE IT? ARE YOU THAT FUCKING DESPERATE TO APPEAR AS TO KNOW WHAT THE FUCK IS GOING ON WITH REGARD TO APT THAT YOU PUT OUT THIS “BOOGA, BOOGA, FEAR, FEAR, FEAR, FUD, BUY OUR PRODUCTS CUZ WE SAW SOME SHIT” LIGATT-IAN PRESS RELEASE?
YOU ARE WASTING OUR COLLECTIVE TIME AND IF YOU FUCKING GO TO CONGRESS WITH THIS BS I FULLY EXPECT TO SEE A NO CONFIDENCE VOTE IN THEM AND YOU!
NO.. WAIT…I ALREADY THINK YOUR PRODUCT IS JUST SHIT.
CONGRESS… WELL WE KNOW HOW USELESS THEY ARE TOO.. I GUESS YOU SHOULD BE FAST FRIENDS HUH?
Ok, now that I have that out of my system, I will now attempt to explain a few things in a civil manner on the RAT/APT situation. First off, there is nothing new here, as I have said before on numerous occasions. This type of activity says more about the laxity of the targets’ security as well as the intent of the adversary in gathering state-desired secrets on the part of China. The simple facts are these;
- China wants to have an edge and it finds itself using the Thousand Grains of Sand strategy to its benefit in the digital arena
- We have made it easy for them to compromise our systems due to lack of accountability and the short term gains seen by individuals within companies
- The adversary is smart and will do what it takes up to even intercepting helpdesk tickets and fielding problems to keep their persistent access!
- This has been going on for a long time and now is just getting out to the press.. Ok, I get that, but really, sowing FUD to win business will not help
It is readily apparent from this POS that McAfee has put out that they are just fishing for some press here for their flagging AV sales. This paper gives nothing relevant to the story around APT and as such, it should be just relegated to the dustbin of the internet and forgotten. Yes, the US was a major target but others were as well. This is a nation state working on these APT attacks, come on now! They have more interests than just the US! Just as much as you (McAfee) had access to ONE server out of many! Never mind all the others that were fleeting and pointed to by DYNDNS sites!
Really McAfee, you come off looking like rank amateurs here… Well, I guess you really are for pulling this little stunt altogether.
The adversary has been around for a long time. No one product nor service is going to protect us from them (that means you McAfee) so it is useless to try and sell us the snake oil you would like to. It is our own human natures that we have to overcome to handle the least of the problems that feed into group think and herd mentality in corporations and governments. Face the facts, they are here to stay and we need to learn the game of ‘Go’ in order to play on their field.
Unfortunately, we get dullards like these (McAfee) crying wolf and offering unctions to take our troubles away.. Unfortunately all too often there are too many willing to buy into their crap.
… And we keep losing.
A week before this year’s DEFCON, I got a message that I was being considered to replace Aaron in the “Confronting Aaron Barr” panel discussion. It was kind of a surprise in some ways, but seemed like a natural choice given my tête-à-tête with Anonymous, LulzSec, and even Mr. Barr. After coming to BlackHat and seeing the keynote from Cofer Black, it became apparent that this year, all of these conferences were about to see a change in the politics of the times with reference to the hacking/security community and the world of espionage and terrorism. Two things that I have been writing about for some time and actually seeing take place on the internet for more than a few years with APT attacks on Defense Base contractors and within jihadist propaganda wars.
Going into the planning for the panel discussion, I was informed that it was hoped I would be the stand-in for Aaron in that I too see the world as very grey. Many of my posts on the Lulz and Anonymous as well as the state of affairs online have been from the grey perspective. The fact is, the world is grey. There is no black and white. We all have varying shades of grey within our personalities, and our actions are dictated by the levels to which our moral compasses allow. I would suggest that the best and most used example is that of torture. Torture may or may not actually gain the torturer real intelligence data, and it has been the flavor of the day since 9/11 and the advent of Jack Bauer on “24”. Face it, we all watched the show and we all did a fist pump when Jack tortured the key info out of the bad guy to save the day. The realities of the issue are much more grey (complex) and involve many motivations as well as emotions. The question always comes down to this though;
If you had a terrorist before you who planted a dirty nuke in your city, would you ask him nicely for the data? Give him a cookie and try to bond with him to get the information?
Or, would you start using sharp implements to get him to talk in a more expedient fashion?
We all know in our darkest hearts that had we families and friends in that city we would most likely let things get bloody. Having once decided this, we would have to rationalize for ourselves what we are doing, and the mental calculus would have to be played out in the equation of “The good of the one over the good of the many”. If you are a person who could not perform the acts of torture, then you would have to alternatively resign yourself to the fates, as forever after you will likely be saying “I could have done something”. Just as well, if you do torture the terrorist and you get nothing, you will also likely be saying “What more could I have done? I failed them all” should the bomb go off and mass casualties ensue.
I see both options as viable, but it depends on the person and their willingness to either be black and white or grey.
Within the security community, we now face a paradigm shift that has been coming for some time, but only recently has exploded onto the collective consciousness. We are the new front line on the 5th battlespace. Terrorists, Spies, Nation States, Individuals, Corporations, and now ‘collectives’ are all now waging war online. This Black Hat and Defcon have played out in the shadow of Stuxnet, a worm that showed the potential for cyber warfare to break into the real world and cause kinetic attacks with large repercussions physically and politically. Cofer Black made direct mention of this and there were two specific talks on SCADA (one being on the SYSTEM7s that Iran’s attack was predicated on) so we all ‘know’ that this is a new and important change. It used to be all about the data, now it’s all about the data AND the potential for catastrophic consequences if the grid, or a gas pipeline, is blown up or taken down.
We all will have choices to make and trials to overcome… Cofer was right.
“May you live in interesting times” the Chinese say…
Then we have the likes of Anonymous, Wikileaks, and the infamous ‘LulzSec’. Called a ‘Collective’ by themselves and others, it is alleged to be a loose affiliation of individuals seeking to effect change (or maybe just sow chaos) through online shenanigans. Their ideas, and now those of their love child ‘LulzSec’, on moral codes and ethics really strike me as more in line with what “The Plague” said in “Hackers” than anything else;
“The Plague: You wanted to know who I am, Zero Cool? Well, let me explain the New World Order. Governments and corporations need people like you and me. We are Samurai… the Keyboard Cowboys… and all those other people who have no idea what’s going on are the cattle… Moooo.”
Frankly, the more I hear out of Anonymous’ mouthpieces as well as Lulz’s, I think they all just got together one night after drinking heavily, taking E, and watching “Hackers” over and over and over again, and I feel like Curtis exclaiming the following;
“Curtis: If it isn’t Leopard Boy and the Decepticons.”
So, imagine my surprise to be involved in the panel and playing the grey hat so to speak. The panel went well and the Anons kept mostly quiet until the question and answer after, but once they got their mouths open it was a deluge. For those of you who did not see the panel discussion you can find the reporting below. My take on things though boils down to the following bulletized points:
- Anons and Lulz need to get better game on if they indeed do believe in making change happen. No more BS quick hits on low hanging fruit.
- Targets need recon and intelligence gathered has to be vetted before dumping
- Your structure (no matter how many times you cry you don’t have one) can be broken so take care in carrying out your actions and SECOPS
- Insiders have the best data… Maybe you should be more like Wikileaks or maybe an arm of them.
- Don’t be dicks! Dumping data that can get people killed (i.e. police) serves no purpose. Even Julian finally saw through his own ego enough on that one
- If you keep going the way you have been, you will see more arrests and more knee jerk reactions from the governments making all our lives more difficult
- Grow up
- The governments are going to be using the full weight of the law as well as their intelligence infrastructure to get you. Aaron was just one guy making assertions that he may or may not have been able to follow through on. The ideas are sound, the implementation was flawed. Pay attention.
- If you don’t do your homework and you FUBAR something and it all goes kinetically sideways, you are in some deep shit.
- You can now be blamed as well as used by state run entities for their own ends… Expect it. I believe it has already happened to you and no matter how many times you claim you didn’t do something it won’t matter any more. See, all that alleged security you have in anonymous-ness cuts both ways…
- Failure to pay attention will only result in fail.
There you have it, the short and sweet. I am sure there are a majority of you anonytards out there who might not comprehend what I am saying or care.. But, don’t cry later on when you are being oppressed because I warned you.
The Eternal Game of Whack-A-Mole Goes On:
Al-Shamikh1, the Shamukh Al-Islam AQ site, is down and has allegedly been under attack since this weekend. Its mirrors are down as well, according to the news media (Here and Here) citing Evan Kohlmann of Flashpoint Global. The problem I have with the stories that the media is ravening over now is that either Evan is not painting the full picture or the media, as usual, is not understanding what he is saying. As for my take on it, it’s a little of both really. Evan has been around for a long time working as a consultant on terrorism, but as far as I know, he is not a network security specialist.
Over the weekend I had heard and re-tweeted reports that Shamikh was under an attack of some kind and the site was intermittently unavailable. As I had a whiskey in hand and no motivation, I let it be and figured it was maybe Jester doing his usual thing. Then today I see the barrage of bad media accounts with headlines like;
British Hackers Take Down Al-Qaeda Websites
NBC News: Hacker attack cripples al-Qaida Web communications
None of the articles cite any clear evidence of who did what, never mind what actually happened to the site! Upon investigation this morning after being contacted by someone in the UK press, I found the following salient point:
The domain and the name servers have been suspended by Godaddy. This is why it is offline now. Perhaps it was DDoS’d for a while and the traffic was the final straw for Godaddy on this site. You see, this site has been on Godaddy for some time and many have pointed this fact out before, to no avail.. Well, actually one might assume that the feds just wanted to know where it was and leave it be to monitor.. But, that’s a bit too subtle for the media.
Either way, the site is down now because they cannot route to it via the domain. Backups of the site hosted on non-domain-named boxes are down and the core server may have been compromised. It’s all up in the air at the moment but the media is just trucking along with the story. It may in fact be that the core server was pulled by the jihadis themselves because they have been real twitchy since the 2010 roll-up of al-Faloja.
In the case of Shamikh, I had seen in the past that this site had some security issues to begin with. The implementation of the phpBB was weak and there were ways to get into the board and collect data. In one case, they had even re-set passwords and one could get them from the site itself for those users, as they had passed them in the clear in what they thought was a secure space. Others have been using these vulns for some time to audit what is going on in the boards and have in the past run operations that have kept the admins and the jihadis on edge. This is why today you see so many more discussion groups on computer security, but more so on how to configure and secure phpBB, on sites like As-Ansar.
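The distinction the reporting skipped, as an added example that is not from the original post: a small triage that classifies a “site is down” report as a registrar/DNS-level suspension (the name no longer resolves) versus a host-level outage (the name resolves but the server does not answer). The hostname is a constructed placeholder and the probe helper is an assumption; only the Python standard library is used.

```python
# Added example: "why is this site down?" triage. Separates a domain that
# has been suspended or deleted at the registrar from a host that is merely
# unreachable. The target hostname below is a constructed placeholder.
import socket
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Observation:
    """What one probe saw; produced by probe() or constructed by hand."""
    dns_error: Optional[str] = None          # "NXDOMAIN", "TEMPFAIL" or None
    addresses: List[str] = field(default_factory=list)
    tcp_ok: Optional[bool] = None            # None when there was nothing to connect to


def classify(obs: Observation) -> str:
    """Map an observation to the outage category worth reporting."""
    if obs.dns_error == "NXDOMAIN":
        # The name does not exist: registrar suspension, expiry or deletion,
        # not a compromised server. A whois lookup showing clientHold or
        # serverHold status confirms this before anyone writes "hacked".
        return "domain-suspended-or-gone"
    if obs.dns_error == "TEMPFAIL":
        # Resolvers get no answer: authoritative nameservers pulled or
        # unreachable (a flood against the nameservers also looks like this).
        return "nameservers-unreachable"
    if not obs.addresses:
        # Zone exists but carries no A/AAAA records for this name.
        return "no-address-records"
    if obs.tcp_ok:
        return "host-reachable"
    # Name resolves but the web port does not answer: hosting outage, the
    # operator pulled the box, or a flood against the server itself.
    return "host-unreachable"


def probe(hostname: str, port: int = 80, timeout: float = 5.0) -> Observation:
    """Live probe; needs network access, so it is not exercised offline.
    Note: glibc reports a name with no address records as EAI_NONAME too,
    so "no-address-records" mostly appears when classify() is fed by hand."""
    obs = Observation()
    try:
        info = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            obs.dns_error = "NXDOMAIN"
        else:
            # EAI_AGAIN and the rest: treat as a temporary resolution failure
            obs.dns_error = "TEMPFAIL"
        return obs
    obs.addresses = sorted({entry[4][0] for entry in info})
    for addr in obs.addresses:
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                obs.tcp_ok = True
                return obs
        except OSError:
            continue
    obs.tcp_ok = False
    return obs


if __name__ == "__main__":
    target = "suspended-forum.example.invalid"  # constructed placeholder
    print(target, "->", classify(probe(target)))
```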
“Al-Qaida’s online communications have been temporarily crippled, and it does not have a single trusted distribution channel available on the Internet,” said Evan Kohlmann, of Flashpoint Global Partners, which monitors the group’s communications.
This one line really just grinds my gears here. I am sorry Evan, but this site is not the only one out there that has this type of content, and even though the core is down, the content lives on in other sites. The jihadis have created redundancy in the number of sites, not just put all their terrorist eggs in one digital basket. All of the sites link to one another as fraternal organisations do (i.e. As-Ansar has much the same content as Shamikh1). Remember, this is a group performing insurgency who know the power of cells, and this is no different online. An example of this is the site in question, Shamikh, which has had many sites online at different times. Some get pulled down as they have issues with the hosts removing them. Others still have stealth sites on compromised systems, or in cases like the boxes in Malaysia, hosted secretly with complicity on the part of someone in the network (see paradius net)
In the case of Shamikh1, the following sites are known to have hosted it or, as in the case of shamikh1.info, were scheduled to do so soon.
All of these systems are down, at least content-wise, for Shamikh; the .info though is online and untouched but hosts no content as yet. It seems to me that it was still being staged to host the content or maybe was set to be a backup.
This has been the SOP for the jihadi sites for some time. In case one site is hit, the rest are online to keep the content available. In this case though, it seems that the “sophisticated and coordinated attack” really just means that they hit the core server for Shamikh so the content is not getting to the satellite sites. Of course once again, there is no data to say how this attack was carried out and how massive it may have been. Like I said, the e-jihadis have been twitchy about security for a while now because they have been compromised in the past.
So, all of this reporting that it was a huge state-run hack and a massive takedown is mostly media hype and, I am afraid, as you can see from the reporting, it all seems to be coming from Mr. Kohlmann, whose privately run consultancy is getting quite a bit of attention now.. Isn’t it?
Cupcake Recipes Instead of IEDs Do Not A Hack Make:
Another thing that is sticking in my craw is this whole linking of this outage/hack to the “cupcake” incident with Inspire Magazine. These two things are NOT alike and the media needs to pay attention to the facts. Nor is there any evidence cited or even hinted at in the real world that MI6, or Five for that matter, had anything to do with this. For all they know, it could have been Jester or someone with like technology that DoS’d them and got them yanked offline by their host.
Let me set the record straight here. The MI6 operation on Inspire was a PSYOP. They poisoned the well (i.e. Al-Malahem’s media apparatus) by intercepting the AQ file and replacing it with their own. Just where this happened no one is sure. Was it on some desktop somewhere before being put out? Or, was it replaced with the edited file on the megashare?
No one has said.
This operation though served two purposes. First off, it managed to stop AQ from getting the IED manual out to everyone, but secondly, and more importantly, it made AQ question its communications security. This was even more important and we can see the effects of that today in posts on the boards about security.
They are worried.
Oh dear media, pay attention and get the story straight. While the Cupcake operation had style and was claimed by MI6, this current claimed attack on Shamikh has no attribution by anyone and there is no proof that I have seen to say that anyone did anything… Save that their site is down.
This all leaves me wondering just who may have attacked Shamikh and why. Given that the sites are often taken down only to show up elsewhere, I question why it was done at all. It would be simpler to monitor the site and capture data than to send them all scurrying into the woods, would it not? This was my primary issue with the Jester’s campaign: it did no good. Even if you are driving them off the sites, they will only move toward less visible ones and use more covert means of communication. Why not let them feel fat, dumb, and happy while we watch their every move?
All I can think of, if this was state sanctioned, was that the Shamikh site was about to drop some content that someone did not want out there so they took the network down. If it wasn’t state sanctioned and some hacker or hackers decided to mess with them they did it for their own reasons. Either way, the sites got taken down..
But, they will be back again… Let the great game of whack a mole begin!
“They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.”
Recently, a story has come up in the news concerning certain police departments (Michigan to be precise) that have been taking more or less “forensic” images of people’s cell phones and other PDA devices when they have them stopped for traffic violations. Since the reports went live, the Michigan PD has sent out a rebuttal saying that they are in fact asking the citizen if they can scan their data. I say, whether or not they are actively doing it, they have the ability to do so per the courts since the loosening of the laws on search and seizure in places like California and Michigan where electronic media is concerned. The net effect is that our due process rights are being eroded at an ever more rapid pace.
I. Police Seize Citizens’ Smartphones
In January 2011, California’s Supreme Court ruled 5-2 that police could conduct warrantless inspections of suspects’ cell phones. According to the majority decision, when a person is taken into police custody, they lose privacy rights to anything they’re carrying on them.
The ruling describes, “this loss of privacy allows police not only to seize anything of importance they find on the arrestee’s body … but also to open and examine what they find.”
In a dissenting ruling, Justice Kathryn Mickle Werdegar stated, “[The ruling allows police] to rummage at leisure through the wealth of personal and business information that can be carried on a mobile phone or hand-held computer merely because the device was taken from an arrestee’s person.”
But California was not alone. Michigan State Police officers have been using a device called Cellebrite UFED Physical Pro for the last couple years. The device scrapes off everything stored on the phone — GPS geotag data, media (pictures, videos, music, etc.), text messages, emails, call history, and more.
Michigan State Police have reportedly been regularly scraping the phones of people they pull over.
In neighboring Wisconsin, the state Supreme Court has ruled that while such searches are generally illegal, their evidence can become admissible in court if the police demonstrate an exigency (a pressing need) for the information.
Essentially this ruling offers support for such searches, as it indicates that they can give solid evidence and ostensibly offers no repercussions to law enforcement officials conducting the officially “illegal” procedure.
So far the only state to have a high profile ruling against the practice was Ohio. The Supreme Court of Ohio ruled that warrantless smart phone searching violated suspects’ rights. The state requested that the U.S. Supreme Court review the issue, but the request was denied.
II. What Does the Constitution Say?
The United States Constitution ostensibly is the most important government document in the U.S. It guarantees essential rights to the citizens of the U.S.
Some of those rights are specified in the Fourth Amendment, part of the original Bill of Rights. It states:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
The Constitution explicitly states that effects of a person cannot be unreasonably seized without a warrant.
Of course courts must play the vital role of defining what a “reasonable” search is. But by extending the limits of searches to deem nearly all searches “reasonable”, no matter how tenuous the connection to a suspect’s detainment, this and several other decisions have created an erosion of the protections in the amendment.
Essentially what court rulings in California, Michigan, and Wisconsin indicate is that the courts believe the Constitution is no longer valid, or that certain Constitutional freedoms can be specially selected for elimination.
The law and our losing the path:
The legal battle over the terms here has come down to the nature of papers and effects where they regard digital media as I understand it. I sat in on the EFF talk at Shmoocon where this very topic was brought up. It seems, that the gray areas of just what is a laptop or a phone as opposed to a “cabinet or desk” is a key factor in how some interpret the legalities of searching someone’s hard drive or phone. In my opinion, they are the same thing. A laptop is a case in which my data is stored, just like a desk or a room, which, you MUST get a warrant to search.
But, that’s just me I guess.
Personally, as the title of this post alludes, I believe that all of this started as soon as John Yoo and the Bush administration began to twist the laws concerning not only torture, but moreover, the use of warrant-less wiretaps. Post 9/11 the US went mad for tapping of phones/data at the trunk level in such instances like the one in the MAE West where they put in the NARUS STA6400. This was the biggie for me because that system hoovers ALL of the traffic, there is no selectivity over it at all. Sure the STA6400 can sift the data, but it needs ALL of the data in order to sift and data-mine. Who’s to say what data becomes important other than those who are running the compartmentalised program that has to report nothing to anyone because it is too secret.
What allowed for all of this to happen and then for the over-reaching to continue was 9/11 itself. Having been in NYC at the towers just before the attacks and working there just after in the hole, I know how many felt after it all went down. We here in the US had only had a handful of terrorist attacks within our borders and those were nothing in comparison to what took place on that day.
We all felt vulnerable and wanted the government to take care of us. We wanted vengeance, and we wanted a take charge guy.
Unfortunately that “guy” was GW Bush and his posse of cowboys who then began to run roughshod over the constitution and other documents like the Geneva conventions. It was from this need to be protected that the American people just went along with the things they knew about, as well as a healthy dose of over-classification by the Bush administration that kept us in the dark as to what they really were doing. It was only later, toward the end of the second term, that the full scope of abuses was coming out, and yet, the American populace really did nothing. Sure, we elected Obama who made promises to end the nightmare of abuse… But.. He hasn’t, has he?
So, here we are in 2011. Ten years post 9/11, and we are finding our rights being eroded by legal positions and decisions that strip away the most basic and cherished protection against unreasonable searches.
Who’s to blame?
We the people have failed to keep in check the actions of the government and in some cases the courts, because we have taken our collective hand off the tiller steering this country. Perhaps we really have no hand on that tiller to start with, simply because we have created a beast that is too big to control or have any sway over. By just looking at the state of affairs today within the political arena, one has to admit that it’s becoming more and more akin to what it used to be back in the days of Boss Tweed than anything looking like the era of J.F.K.
Simply put, without the people standing up and calling a foul on these types of erosions to liberty, we have nothing to complain about when the liberties are taken away. On that list are the rights granted to us all by the fourth amendment. The tough thing now though is that where once your personal belongings were either in your house or on your person, now those “papers and effects” live digitally not only on the device that you have on you, but may also exist “in the cloud” as well. A cloud that you “use” and is not “owned” by you.
So sure, a cop could ask you if they can look at your phone data. Do they have to say that they are taking an “alleged” forensic image? Perhaps not, but, the thing about the whole Michigan PD thing is that independent reports have shown that they were not asking, they were just taking images when they felt they wanted to, and this is where they run afoul of due process. As far as I am concerned, a file on a phone that is not on the screen as a cop looks at it while it sits in front of him in plain view, is NOT a document that he should just have the right to fish for without a warrant.
Sorry cops… It’s a country of laws, no matter how you try to spin them so you can cut corners.
On the other hand, I know how hard it must be for the police forces of the world to do their jobs now in a digital world. Especially one that so few really understand and likely fear. These magic boxes called phones and computers now hold data that could easily make a case for crimes, but you just can’t take them and rummage through them, just like anything else where due process is concerned. What’s more, I know for a fact that unless you are a forensic investigator, AND you have a decent tool, YOU WILL MISS DATA. That could well lead to acquittal because you did not follow processes such as chain of custody in E-Discovery.
For some though, I am sure it’s just about cutting a corner to make a collar… And that is not how the law is supposed to work.
Our complicity in our own privacy erosion:
Meanwhile, in the last few days another spate of news articles warned about how the iOS and Android systems were collecting data on our movements and details. This particular story is not new if you have been paying attention; it was just the aggregate amount of data that we saw being collected by iOS in particular that shocked the general populace. For these people I have news;
This data and even more have been collected on you all for every service that you sign up for on the Internet. Every phone call you make, every text you send, every picture you upload. All of it is available to someone else who has access to the data.
It’s not private.
YOU have been giving away your personal data every minute of every day that you upload or pass through the telco/Internet systems.
So, even if laws are being subverted on personal searches, your data can and will be taken from the likes of Twitter and other services, perhaps even through NSL letters to those hosts and you will be none the wiser. For every post you put up on Facebook with all of your personal details, not only are you sharing that data with your “friends” but the company and whoever they want to sell it to as well.
The privacy you think you have.. Doesn’t exist.
In the case of the iOS data, no one knew about it from a customer perspective, but I am sure that there was some small print somewhere in the EULA when you bought the phone that allows Apple to collect the data… Not that they have to tell you they are doing it in big letters or clear language. So, that data too is not completely yours any more once you have agreed to their agreement to use/own the phone.
The short and long of it is that we are giving up our right to privacy for shiny toys and a sense of security that we can never really have.
In the end, the data that iOS collects has yet to be proven to be sent to the Apple mother ship. Apple, to date, has made no statement on the collection of the data nor the reasons for doing so. One can assume, though, that they have some sort of location-based software solution that they want to sell down the road and really, it’s caveat emptor. I am just glad that the security community likes to tinker and found this stuff, bringing it to light.
We are all to blame.
Unless we all take up the battle against the loss of privacy then we have none. Just as well, unless we speak truth to power and stop the erosion of rights to privacy within our body of laws, then we have nothing to complain about. We will have done it to ourselves.
From McAfee Blog
There has been quite a bit of news recently about distributed denial of services (DDoS) attacks against a number of South Korean websites. About 40 sites – including the Presidential, National Intelligence Service, Foreign Ministry, Defense Ministry, and the National Assembly – were targeted over the weekend, beginning around March 4 at 10 a.m. Korean time. These assaults are similar to those launched in 2009 against sites in South Korea and the United States and although there is no direct evidence connecting them so far, they do bear some similarities.
DDoS attacks have occurred with more and more frequency, but one of the things that makes this attack stand out is its use of destructive payloads. Our analysis of the code used in the attack shows that when a specific timezone is noted by the malware it destroys the infected computer’s master boot record. If you want to destroy all the data on a computer and potentially render it unusable, that is how you would do it.
The malware in the Korean attacks employs an unusual command and control (C&C) structure. Instead of receiving commands directly from its C&C servers, the malware contacts two layers of servers. The first layer of C&C servers is encoded in a configuration file that can be updated at will by the botnet owner. These C&C servers simply provide a list of servers in the second layer, which will provide additional instructions. Looking at the disbursement of the first-layer C&Cs gives us valuable insight into the malware’s global footprint. Disbursement across this many countries increases resilience to takedowns.
The rest HERE
At first, the idea of a digital kinetic attack to me would be to somehow affect the end target in such a way as to destroy data or cause more downtime. These current attacks on South Korea’s systems seem to be now more of a kinetic attack than just a straight DDoS. Of course one then wonders why the bot-herders would choose to burn their own assets with this new type of C&C system and malware. That is, unless the end target of the DDoS is just that, one of more than one target?
So the scenario goes like this in my head;
- China/DPRK work together to launch the attacks and infect systems also in areas that they would like to do damage to.
- They choose their initial malware/C&C targets for a secondary digital kinetic attack. These systems have the potential of not only being useless in trying to trace the bot-herders, but also may be key systems to allies or the end target themselves.
- If the systems are determined to be a threat, or just as a part of the standard operation, the attackers can trigger these systems to be rendered (possibly) inert with the wipe feature. This also applies to just going after document files; that would cause damage to the collateral systems/users/groups.
Sure, you burn assets, but at some point in every operation you will likely burn at least one. So doing the mental calculus, they see this as a win/win and I can see that too depending on the systems infected. It is not mentioned where these systems (C&C) were found to be, but, I am assuming that they were in fact in China as well as other places around the globe. This actually steps the DDoS up a level to a real threat for the collateral systems.
Of course the malware here does not physically destroy a drive; it is in fact just rendering it useless (potentially, unless you can rebuild the MBR AND you zero out the data on board) as you can see from this bit of data:
The malware in its current incarnation was deployed with two major payloads:
- DDoS against chosen servers
- Self-destruction of the infected computer
Although the DDoS payload has already been reported elsewhere, the self-destruction we discussed earlier in this post is the more pressing issue.
When being installed on a new computer, the malware records the current time stamp in the file noise03.dat, which contains the number of days this computer is given to live. When this time is exceeded, the malware will:
- Overwrite the first sectors of all physical drives with zeroes
- Enumerate all files on hard disk drives and then overwrite files with specific extensions with zeroes
The service checks for task files that can increase the time this computer is allowed to live, so the botmaster can keep the botnet alive as long as needed. However, the number of days is limited to 10. Thus any infected computer will be rendered unbootable and data will be destroyed at most 10 days after infection! To protect against tampering, the malware will also destroy all data when the system time is set before the infection date.
The malware is aware enough to see if someone has tampered with the date and time. This sets off the destruct sequence as well, but, if you were able to stop the system and forensically evaluate the HD, I am sure you could make an end run and get the data. Truly, we are seeing the next generation of early digital warfare at this scale. I expect that in the near future we will see more nastiness surface, and I think it highly likely in the post-Stuxnet world, that all of the players are now thinking in much more complex terms on attacks and defences.
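As an added illustration of what a responder would check on a disk pulled from a host like this (example code written for this page, not McAfee’s or anyone else’s analysis tooling), the script below parses a first sector to tell an intact MBR from a zero-filled one, and models the two trigger conditions quoted above (days-to-live elapsed, capped at 10, or the clock set before the infection date) so that a responder can reason about clock handling before touching a live system. The sample sector, the dates and the `days_to_live` parameter are constructed assumptions; nothing here reproduces the payload itself.

```python
import struct
from datetime import datetime, timedelta

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
MAX_DAYS_TO_LIVE = 10          # cap quoted in the McAfee excerpt above


def parse_mbr(sector):
    """Parse a 512-byte first sector: boot-signature validity plus the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    result = {"valid_signature": sector[510:512] == BOOT_SIGNATURE, "partitions": []}
    for i in range(4):  # four 16-byte entries start at offset 446
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 and lba_start == 0 and count == 0:
            continue  # unused slot
        result["partitions"].append({"index": i, "bootable": status == 0x80, "type": ptype,
                                     "lba_start": lba_start, "sector_count": count})
    return result


def looks_wiped(data):
    """True when the buffer is nothing but zero bytes, the pattern the excerpt attributes to the payload."""
    return len(data) > 0 and not any(data)


def triage_first_sector(sector):
    """'wiped' (all zeroes), 'intact' (valid signature and at least one partition) or 'damaged'."""
    if looks_wiped(sector):
        return "wiped"
    mbr = parse_mbr(sector)
    if mbr["valid_signature"] and mbr["partitions"]:
        return "intact"
    return "damaged"


def wipe_would_trigger(install_time, clock_now, days_to_live):
    """Model (an assumption built only from the excerpt) of the two trigger conditions it describes:
    the capped days-to-live have elapsed, or the clock reads earlier than the recorded install time.
    Practical consequence: image the disk offline rather than rolling the clock back on a live host.
    """
    ttl = timedelta(days=min(days_to_live, MAX_DAYS_TO_LIVE))
    if clock_now < install_time:
        return True   # anti-tamper branch: clock set before the infection date
    return clock_now - install_time > ttl


def timer_demo():
    """Worked cases for the trigger model; the dates are constructed, not from any incident."""
    infected = datetime(2011, 3, 4, 10, 0)
    return {
        "day6_cap10": wipe_would_trigger(infected, datetime(2011, 3, 10), 30),        # False
        "day11_cap10": wipe_would_trigger(infected, datetime(2011, 3, 15), 30),       # True
        "clock_rolled_back": wipe_would_trigger(infected, datetime(2011, 3, 3), 30),  # True
    }


# Constructed sample data (not from any real image): a minimal MBR with one bootable NTFS-type
# partition starting at LBA 2048, and a sector as the first-sector overwrite would leave it.
SAMPLE_MBR = (
    b"\x33\xc0" + b"\x00" * 444                                    # 446-byte boot-code area (stub)
    + b"\x80\x00\x02\x00\x07\xfe\xff\xff" + struct.pack("<II", 2048, 204800)
    + b"\x00" * 48                                                 # three unused entries
    + BOOT_SIGNATURE
)
WIPED_SECTOR = b"\x00" * SECTOR_SIZE

if __name__ == "__main__":
    print(triage_first_sector(SAMPLE_MBR), parse_mbr(SAMPLE_MBR)["partitions"])
    print(triage_first_sector(WIPED_SECTOR))
    print(timer_demo())
```

Run against a real image by reading the first 512 bytes of the device file (`dd if=/dev/sdX bs=512 count=1`) and feeding them to `triage_first_sector`; a "damaged" verdict with a non-zero sector points at something other than this zero-fill payload.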
So, let me put one more scenario out there…
Say the malware infected key systems in, oh, how about NASDAQ. Those systems are then used to attack NYSE and suddenly given the order to zero out. How much kinetic warfare value would there be to that?
You hit the stock market and people freak
You hit the NASDAQ systems with the compromise and then burn their data
THREE stories in the news recently have me pondering the tit for tat nature of what may be Kim Jong Il’s mostly impotent attacks against the outside world. It would seem that Mr. “ronery” may have been a little miffed of late because South Korea decided to float balloons laden with leaflets over into the Northern side after the Middle East began to protest against repressive regimes.
I laughed ’til I cried when I saw this on the news, poor Kim Jong! What’s even more hilarious is that I have also heard that the South Koreans also put KJI’s image on the pamphlets because it is a crime to destroy or defile any image of the “dear leader”. So, the North Koreans must have fits and starts when these balloons start coming down! Net net though, the information makes it to some in the closed country, and one hopes that they are seeing what is happening outside in the real world… At least a little.
Post the balloon launches (Feb 25 2011), we are now seeing some interesting things happening on the internet that may in fact be KJI and North Korea acting out against everyone, especially the South Koreans. Both attacks, on the face of it, may not be related; however, with a closer look one may see that they could very well be related:
WordPress traces 2nd DDoS assault to China
By John Leyden
Blogging service WordPress suffered a further series of denial of service assaults on Friday, days after recovering from a particularly debilitating attack.
WordPress.com, which serves 18 million sites, traced the vast majority of the attack traffic of the latest assault back to China. Analysis pointed to a Chinese language site as one of the principal targets of the attack.
This as-yet-unnamed site is blocked by Chinese search engine Baidu, prompting speculation that the attack might be politically motivated. However, a closer inspection of events led WordPress to conclude that commercial motives were probably behind the attack, TechCrunch reports.
Separately the French finance ministry has admitted that it came under a sustained and targeted attack in December, targeting files related to the G20 summit that took place in Paris two months later. More than 150 computers at the ministry were affected, the BBC reports.
Paris Match magazine, which broke the story, quotes an anonymous official who told it: “We noted that a certain amount of the information was redirected to Chinese sites. But that [in itself] does not say very much.” ®
South Korea Probes Internet, GPS Disruptions
South Korea is investigating the latest high-technology assault against it. The attack targeted government computers and users of the GPS navigation system. It came as South Korea and the United States hold an annual military exercise that North Korea calls a prelude to an invasion.
Fifteen million South Koreans logging online Monday received an alert from the country’s Internet Security Agency. It instructed them to download a vaccine program to thwart a foreign online attack against Web sites of key government agencies and financial institutions.
Officials Monday said the government is trying to figure out who ordered the attack on the Internet sites last Friday and Saturday. Targets included the presidential Blue House, the Ministry of Foreign Affairs and Trade, the National Intelligence Service, South Korean military headquarters, the U.S. military forces in the country and several other agencies.
They were hit by what is known as a distributed denial of service attack. It was done by overloading targeted sites with Web page requests from about 80,000 personal computers infected with malicious software.
Suspicion as to who masterminded the attack falls on North Korea. But Park Kun-woo, a spokesman at Ahn Lab, a leading South Korean maker of security software, says there is no clear evidence Pyongyang orchestrated this one.
Park says nothing is certain at this point because malicious computer hackers tend to disguise themselves in various ways. It is clear, he says, however the attack did not originate in South Korea and was dispersed via a number of countries.
The National Police Agency says the attacks were routed through computer servers in numerous places, including Brazil, Hong Kong, India, Iran, Israel, Japan, Russia, Taiwan and Thailand.
Internet security companies say, as of Monday, more than 100 of the so-called zombie computers that were used to carry out the online attack have seen the contents of their hard drives erased by the malware that the computer owners unsuspectingly downloaded.
This incident did not last as long as a similar disruption over five days in July 2009, but it targeted more Web sites. Officials have said the 2009 attack was traced to an Internet protocol address in China used by North Korea’s Ministry of Posts and Telecommunications.
Other attacks also have been traced to China.
Experts say North Korea has an Internet warfare unit that targets South Korean and American military networks.
Also Monday, the South Korea Communications Commission confirmed that interference to Global Positioning System signals on Friday came from a location in North Korea that was pinpointed as the source of a similar disruption last August.
The incident reportedly affected GPS receivers in military equipment and mobile phones as far south as Seoul. It also took place, as was the case last August, while a military exercise with the United States was under way here.
The U.S. military command in the country is not confirming whether the GPS jamming disrupted the exercise. A spokesman says as a matter of policy, the command does not comment on intelligence matters.
The Yonhap news agency quotes a South Korean defense official saying the GPS disruption did have a slight effect on military artillery units.
Now, WordPress was attacked around the same time as the South Korea attacks. However, the linking factors for me are twofold:
1) Both have Chinese elements
2) Both are aimed at political targets (WordPress has said that there seemed to be a foreign political nature in the attacks)
While N. Korea does not have an infrastructure in house to set off attacks, they do indeed have connections with China and certain Chinese telco/internet backbone providers that they have worked with in the past on such occasions. While the attacks seem to be a bit more widespread as attacking systems go, both would be timed in such a way that tips me to believe both are the work of North Korea. So far, no one has really made this connection that I have seen in the news as yet, but, it’s not such an outlandish idea.
Now, KJI has nukes, and he has all kinds of other weapons of war, but, he seems to be lacking in one area, “cyber” as the press might put it. Since his regime is SO repressive that they have no infrastructure, it is likely that any such programs would be run out of the south of China. North Korea likely has many programmers/military types working in the south China area at facilities that are Chinese run, working on cyber war capabilities. Were N. Korea actually to get its own infrastructure, I have no doubt they would be ready to go. That they don’t at present is only a small stumbling block.
It is also well known that the Chinese and others will easily rent out bot-nets for the work as well as be paid for information/cyber operations of this nature. So, the attacks are really only cogently linked together here from their connections to pissing off N. Korea. Frankly, I am kinda surprised the attacks didn’t also have some Facebook DDoS as well…
All in all though, the DDoS did not do permanent damage anywhere and for me, just seems to be more a cry for attention on the part of Mr. Ronery…
VIENNA – The control systems of Iran’s Bushehr nuclear plant have been penetrated by a computer worm unleashed last year, according to a foreign intelligence report that warns of a possible Chernobyl-like disaster once the site becomes fully operational.
Russia’s envoy to NATO, Dmitry Rogozin, also has raised the specter of the 1986 reactor explosion in Ukraine, but suggested last week that the danger had passed.
The report, drawn up by a nation closely monitoring Iran’s nuclear program and obtained by The Associated Press, said such conclusions were premature and based on the “casual assessment” of Russian and Iranian scientists at Bushehr.
With control systems disabled by the virus, the reactor would have the force of a “small nuclear bomb,” it said.
“The minimum possible damage would be a meltdown of the reactor,” it says. “However, external damage and massive environmental destruction could also occur … similar to the Chernobyl disaster.”
Full article HERE
Alright, enough already with this talk about Stuxnet causing an Iranian Chernobyl! Look, Stuxnet was programmed in a VERY specific way to work its voodoo on the processing of Uranium, NOT on the management of the rods being excited within a reactor! The program attacked the PLCs for specified Siemens controllers that worked with the centrifuges that spun the Uranium into fissile material.
So, who now is thinking that perhaps this little piece of reporting might be a red herring huh?
Of course the Iranians at this time are so freaked out that they will not patch the systems that have been infected with patches from Siemens because they are too paranoid! God, I love that! Well played USA/UK/Israel for even after Stuxnet has been outed and much research has gone into it, Iran still is totally fucked! Well done! The Iranians have been a paranoid group for a long time, now they are just totally unhinged I suspect with all of the Stuxnet hype and their own brand of internal denial and heads in the sand.
Psssst hey Iran… Jester also infected your LOIC too!
Hey.. Hey now don’t cry…
The Hive Mind
In my last post I talked about the “swarming” tactics that were being employed by Anonymous and elements of 4chan to DDoS sites in their “operations”. This post is going to deal with more of what can be tactically done to respond to not only the tactic of swarming (via electronic DDoS as opposed to in a real battlefield) but also the DDoS as a vector of attack itself. I have been Googling quite a bit and have turned up some interesting papers on the subjects, and this topic has had me thinking quite a bit for a while now.
What has been at the back of my mind all of this time has been the claims that Anonymous is a “collective” of people that perform a hive mind style of Athenian Democracy (that’s the media’s dubbing there, not mine) inside the digital domain of IRC to choose their targets and launch their attacks. However, I would like to correct this statement and state that I believe it to be dissembling on the part of Anonymous to say that it is truly a leaderless aggregation of entities. Instead, I believe that there are a core group of individuals who comprise the C2 structure that then in turn guides others to the hive mind.
Why do I say this? Well, let’s look at it from the perspective of bees. Bees are a hive mind; however, they have a queen, do they not? It is that queen who runs the hive, and not in an Athenian black-marble-in-a-jar-of-white-ones kind of way. The worker bees have no say in the actual targeting of anything, but a chemical signal and dance from another will set them off to attack or to go to a specific place rich in flowers to pollinate. In short, the bees do not have frontal lobes and large brains, so there is a more complex system of decision making that goes into higher brain function individuals on an IRC channel than there is in a chemical signal to a bee to attack something.
So, in the case of the IRC channels and the C2 (command & control) of the Anonymous Operations, I say that there is a more complex system at play and that they, by their very nature, require a command and control structure that requires key players to facilitate them.
Cells and Compartments
There have been reports that there are a core group of hackers who are at the heart of this C2 architecture and I would tend to agree that they may indeed be hackers (the loose term by way of technically savvy individuals) and they in fact have at their disposal systems such as IRC servers and channels that they either fully control themselves, or that they are loaned time on. I believe that there is a more hierarchical structure to the Anonymous group than they would like to admit, and as such, they are in a much more precarious position than they might indeed think tactically. Sure, they have plenty of cannon fodder out there using the LOIC, but, the core cabal still hold the digital strings. In this case, we have many skiddies out there, so who are the brains behind the coding and implementation?
Just as well, take a look at the collective press releases that have been made on piratepad etc. The last one I saw had 16 authors working on the whole… 16 is not legion… 16 is “finite”. So, sure, at present you have LOIC, which is not obfuscating IP addresses of end users, and you have kids out there just doing this for shits and giggles, but elsewhere, you have the likes of those who hacked Gawker. Those weren’t skiddies, but just how many were there, and were they working in completely compartmented cells? If not, then eventually the cells will be broken.
Think about it this way… Everyone that you bring into this venture has the potential of being from the opposition. All it takes is one agent provocateur to bring a network down.
The Technologies of DDoS Swarming
The IRC systems that the hive mind and Anonymous operations have been using so far have started to be targeted by the federal authorities of not only the US but other countries in hopes of gathering logs and decommissioning them for C2 use. The current IRC server (anonops.ru) sits in Russia, and in fact is likely to be a bit safer out there at present, but, note that they moved it to Russia in order to prevent being taken down and seized. This is the fatal flaw in the system that Anonymous has yet to really come to grips with. By announcing their targets and their channels to connect to the C2 network, they give up their tactical advantage for not getting popped. When the authorities know where the systems are that are the actual C2 mechanism, then they will use any and all force to go after those nodes and take them down.
A more fully working and secure system would be the traditional botnet approach, though, for this type of sustained attack. By using botnets of infected machines, Anonymous would have a better chance at not actually getting pinched as easily as they might because they are in the open with their C2 channels and their methodologies (i.e. LOIC). After all, once the warrants go out on all those kids like the ones in Germany, then there will be a bit more of a call for the commanders to create more “secure” technologies than LOIC to perform the DDoS, won’t there? Or are they not planning that far ahead?
You see where I am going with this? You still have a single point of failure in the IRC and the LOIC’s insecure nature. Eventually, no one will want to play unless they can be assured that they are protected by IP obfuscation.
My recommendation? Use the botnets and forget the skiddie stuff. Sooner or later, you all will piss off the wrong folks and your single point of failure in the “hive” system will bring you all down. All it would really take at the present moment would be for the authorities in .ru (cough KGB cough) to backdoor the system and audit all of the traffic on it. Unless you are shelled in with a proxy (funny, how anon doesn’t allow TOR on their IRC) then it’s highly likely someone would be on your doorstep soon enough breaking it down.
For that matter, the KGB just might like to get in there and use you all for their own ends.. Anonymous would make a nice patsy wouldn’t you?
Countermeasures for DDoS
Meanwhile, all of these events have brought the specter of DDoS to the fore again for the greater community at large doing business on the internet. DDoS is such a simple idea, but it seems to be a daunting task to differentiate the traffic and mitigate an attack of this type. Because all of the traffic is ostensibly authentic according to the routers and servers, the problem becomes how to determine whether it is truly authentic traffic or an attack vector. Therein we have the swarming that I spoke of before: the server is swarmed over with connection attempts.
The Military has been working on the DDoS issue for some time now and there are some good papers on the subject:
It looks as though the best means so far discussed have to do with a type of packet filtering approach that could potentially differentiate good from bad traffic, but that would take another stratification of traffic (network layer) and likely would be costly and perhaps not so good for net neutrality. As yet though, no one seems to have a good solution to the problem… So, there will always be the potential for a large-scale attack on any site that will take it offline and perhaps overtax the servers themselves overhead-wise. These, though, are only one form of direct DoS attack on a site… What about DDoS on, say, a router or the main DNS servers out there on the net?
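One way to make the “differentiate good from bad traffic” idea concrete at the application layer, as an added example that is not code from this post or from any of the papers it alludes to: two sliding-window checks over web-server log lines. The first catches a single flooding source, which ordinary per-IP rate limiting handles; the second catches the swarm pattern described above, where many sources each stay under any per-IP threshold but converge on one URL in the same window, which per-source limits miss. The log lines, addresses and thresholds are constructed assumptions; a real deployment would tail the server’s access log and hand the results to a rate limiter or an upstream filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format line, e.g.:  203.0.113.7 - - [15/Jan/2011:12:00:00 +0000] "GET / HTTP/1.1" 200 1234
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return {'ip', 'ts', 'path', 'status'} for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}


def flood_sources(lines, window=timedelta(seconds=10), threshold=20):
    """Single chatty clients: sources whose request count inside any sliding `window` exceeds `threshold`.
    Lines are assumed to be in time order, as a server writes them."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = defaultdict(int)      # ip -> highest in-window count seen
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def swarmed_paths(lines, window=timedelta(seconds=10), min_sources=10):
    """Swarming: one path hit by at least `min_sources` distinct IPs inside a single `window`.
    Per-source rate limiting misses this because each participant stays below the threshold."""
    recent = defaultdict(deque)                    # path -> (ts, ip) still inside the window
    live = defaultdict(lambda: defaultdict(int))   # path -> ip -> in-window request count
    peak = defaultdict(int)                        # path -> highest distinct-source count seen
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        path = rec["path"]
        recent[path].append((rec["ts"], rec["ip"]))
        live[path][rec["ip"]] += 1
        while rec["ts"] - recent[path][0][0] > window:
            _, old_ip = recent[path].popleft()
            live[path][old_ip] -= 1
            if live[path][old_ip] == 0:
                del live[path][old_ip]
        peak[path] = max(peak[path], len(live[path]))
    return {p: n for p, n in peak.items() if n >= min_sources}


def build_sample_log():
    """Constructed traffic (not captured data): three ordinary visitors, a 30-source swarm on
    /index.php and one single-source flood on /."""
    base = datetime(2011, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    records = []
    for i, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        for j in range(4):  # a few page views spread over a minute and a half
            records.append((base + timedelta(seconds=i * 30 + j * 7), ip, f"/page{j}.html"))
    for k in range(30):  # every swarm participant makes three requests within 5 s
        for j in range(3):
            records.append((base + timedelta(seconds=60 + j * 2), f"203.0.113.{k + 1}", "/index.php"))
    for j in range(40):  # one host firing 40 requests in 4 s
        records.append((base + timedelta(seconds=90, milliseconds=100 * j), "192.0.2.99", "/"))
    records.sort()
    return [f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 1234'
            for ts, ip, path in records]


if __name__ == "__main__":
    log = build_sample_log()
    print("flooding sources:", flood_sources(log))   # {'192.0.2.99': 40}
    print("swarmed paths:", swarmed_paths(log))      # {'/index.php': 30}
```

The two checks are deliberately separate because the mitigations differ: a flooding source is something you can drop at the edge by address, whereas a swarmed path is better answered by challenging or throttling requests to that URL, since blocking every participating address would also catch the legitimate visitors mixed in with them.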
The time of Anonymous is upon us. I wonder however, just how long that will be though, because I fear that they have awakened the sleeping giant just as it has become technologically self aware. I am sure that in 2011 there will be arrests and dismembering of Anonymous and groups like them when they poke the badger one too many times.. That is, there will be more of them popped unless they get a bit smarter about their OPSEC.
The technologies out there now are going to be worked on and sometime in the near future, I suspect there will be some more mitigations offered by the likes of Cisco etc. for DDoS. Until that time, the LOIC and its progeny will continue on DoS’ing sites offline as a protest or just for the lulz. I wonder though, if the Anonymous C2 will realize that what I have said above is true, and work on some obfuscation techniques for their networks and end users…
Time will tell…
In truth, 2011 will be the year of the cyber war and we are in for a ride folks.
I watched the BruCON talk Saturday by Chris Nickerson “Top 5 ways to destroy a company” and was surprised at some of the things that were proposed on stage. On the other hand, I can agree with some of what he said too. For years I have lamented much the same thing that Chris did on stage. All too many times you give the client a report after actually finding major vulnerabilities and they either just don’t get it, or, and this is more often the case, don’t seem to care about the findings. You can “root the shit” out of them as Nickerson said, and still, they just look at you and say “So?”
The truth of the matter for me comes down to a few different factors:
- A lack of understanding the results that you present them
- A lack of situational awareness to understand that those same vulnerabilities can lead to dire results when used by a motivated aggressor
- A lack of latitude or perhaps initiative on the part of assessment specialists to flesh out these scenarios within the reports and the meetings to discuss the findings with the client
Nickerson too gets to this and asks:
Well why does that happen?
- What we give them isn’t important. Managers don’t care about shells!
- They don’t care about what we care about!
What do they care about?
- The product line
- The Brand
- The Employees
- The Bottom Line
I would also add “Their own asses” to this list as a fifth because really, what else really motivates an employee (including C levels) is whether or not the decisions that they make will cause great financial loss and in the end, their dismissal. Of course you then face the task of once again getting that horse to the trough to drink, and you know how that usually goes huh? This is where Chris kind of went off the rails for me and I think more than a few people watching the talk. It would seem that the advocating of “destroying” the business would be counter productive to having a job yourself, once you had performed the magic tricks that he suggests.
Top 5 ways to destroy a company
- Tarnish the brand
- Alter the product
- Attack the employees
- Effect financials directly
- ** Your turn! **
The talk really did not elaborate on how to do this with regard to getting a company to sign off on this in the first place, and then as to how to carry them out, proving the concept without actually causing harm to the company that you are assessing. It has been my experience in the past that if you actually explain cause and effect in a report as well as the meeting, you can get across the real meaning to that shell you have gotten. The problem then becomes whether or not your client “gets it”. You can explain it flawlessly but still not yield the changes that your findings require because those people you just presented your findings to “just don’t care” as Nickerson said. So his premise is quite right. You have to actually hit them where it hurts to get action sometimes. But just how do you do that, get it across to the client, and not get your ass thrown out or arrested for those actions?
The talk goes on to highlight something that actually isn’t so new to intelligence agencies, both nation state and other. It’s called “Profiling”. You profile the target, you get to know what makes them tick, and if you are aiming to do them harm, you look for their weak points and then exploit them. This is much the same thing you would do to a computer system, application, or network to attack it. What Chris was saying, but not really saying directly, is that you have to take the precepts of “Information Warfare, Guerrilla Warfare, and Intelligence Analysis/Operations” and use them all to profile the target and formulate a plan of attack. By using these techniques (aka footprinting a network, say) you apply it to the whole business to determine how you “could” destroy them, or perhaps more to the point, damage them into reactionary actions (and for all intents and purposes in this talk, “listening to the security industry”).
The unfortunate thing though that this talk did not cover is that even when you show people you have “access” to something, and you tell them what you “could” do, you still may not get the reaction that you need to get from them to actually fix the problems. This is where the talk breaks down for me because I frankly just don’t see too many assessments happen out there with a “carte blanche” SOW that says you can do anything to them you want. All too often the client wants specific things checked and gives you only small amounts of time for targeted attacks. So sure, you can go change a pdf file of their prospectus, and print one out to show the management, but will presenting that actually change their minds? After all, I still think that human beings are quite bad at determining long term threats like this.
Overall though, Nickerson has it right. Use chained exploits (not in the regular definition you may be used to here) to escalate access and then use the information to show “how” you could affect the supply chain, or the financials of a company. Or, how you could steal certain types of data to sell to competitors, maybe even just how to hold it hostage. The problem is that without actually committing the acts, all too often you come off as a fiction writer in their minds as they look at you thinking:
“But, he’s just some uber geek… this won’t happen in real life, I mean we hired these guys because they can do it.. INCONCEIVABLE!”
It all comes down to how you present the data and scenarios to the client that will get them to react… Or not, as the case may always be… Until they are really compromised, and by then, it’s too late.
So, where does that leave us? In the same position really, but it behooves us to be better communicators with the clients. We need to be able to perform the following actions in every assessment:
- Profile the business overall, where they are in the market, and their history
- Profile their business model and their product or products
- Profile their request for an assessment by you (why are they doing it? SOX? PCI? or are they interested and engaged)
- Profile the employees and C levels (are they engaged? Do they buy in on security?)
- Formulate scenarios that would cause varying levels of damage (targeting them)
- Meld not only the technical side of things but also look at their processes. If they are lacking there, you are likely to see much more potential for high collateral damage exploits or chained exploits
Unless you can put a whole picture together and then prove it if they actually give you a go ahead, then you are just another technical monkey saying “Look Shells!” as Nickerson put it.
I think that is what he was driving at through all of the ranting…
So, consider this the paradigm change… Consider what you do “Information Warfare” and not just hacking assessments. Perhaps then, once the industry takes that next step to herd the cats, we will see change in the clients’ understanding of why we find these things and say “You’re fucked!” This is something that has been written about before. Without changes, the security industry will continue to be effective only as long as those you are working for are already engaged and understand security issues.