Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Inspire 17 Train Derail Operations

leave a comment »

 

Inspire is back trying to “inspire” the jihadi’s after taking a forced hiatus after many of the AQAP magazine’s creators got whacked by some raptor hellfire missiles. The latest installment is a call for those would be “lone wolves” in the USA to take up arms against our trains it seems. As usual from Inspire we have the normal calls to jihad using their interpretations of the Koran to push the agenda of radical terrorism. The long winded screeds on the rationalization of killing civilians is just that, long winded, and overall does not conform to anything but their own desires to kill and maim anyone who does not believe as they do. Honestly, I think if Saladin came back from the dead and saw this shit he would be bitch slapping them all the way back to Medina but here we are today again dealing with AQAP and AQ as Da’esh’s alleged caliphate crumbles and the movement dies a slow death.

To be honest the actions of those who claimed to be with Da’esh here in the States were to me just mentally unstable persons who needed an outlet to feel important and not impotent, so they went on rampages. Da’esh has never had the reach in the states that they seem to have had for a brief time in Europe but now they are marginalized enough to say that they are not a serious mass casualty threat in the way that AQ and AQAP still is. As terrorist groups go AQ and it’s subs has a far better grasp of OPSEC and operations as well as money and capabilities that we should still be worrying about. With this issue of Inspire not only do we see that they have re-constituted their graphics department but also that they also see the power vacuum that is taking place as Da’esh declines and becomes more marginalized.

Not only are they seeing their opportunity, they are also kind of calling out Da’esh as well in this issue for stealing their ideas down to the fact that Da’esh whole cloth plagiarized their magazine format and ideas for their own with the Dabiq knockoff’s they pimped over the years. It is amusing to watch as AQAP calls out Da’esh with the graphic above and chides them over failed operations as well as calling into doubt the operators choices like that of Sideeq (Orlando) for going after only “one” group. Basically they spent some time on the graphic to slap Zarqawi’s monsters for their lack of righteousness and operational planning. All in all it is just a slap fight between the overly pedantic AQ org with Ayman as their leader and Da’esh, with their Schrodinger’s Imam Baghdadi. The problem is that the precepts of both of their movements are advocating this open source jihad that AQAP invented, something that is now even being used by the white supremacists in actions like those in Charlottesville VA this last weekend.

This the new old problem that we always have been facing but never seem to be able to grapple with on how to stop. These magazines are passed out online and end up in many places including archive.org for anyone to grab. I got this one from <REDACTED> when it came out over the weekend but seriously, the genie is out of the bottle with this stuff. With this latest iteration though, the AQAP has given a lot of thought to honing their exhortations to open source jihad with a simple yet effective attack and vector; trains. The choice of trains is kind of a change for the AQ set in that for the most part they have advocated going directly for people and places where they congregate in the past. Now, with train attacks they can maximize damage and buzz with events that could not only cause deaths but mass deaths as well as huge news coverage.

Train attacks to me always remind me of T.E. Lawrence and the attacks he and the Arabs carried out on Turkish trains in WWI. These actions really did help stop Turkey from retaining power in the region during the war using asymmetric destruction of trains and tracks to damage or halt the supply chain for the Turks. In this modern scheme put forth by AQAP, they have moved the bar lower in many ways by not calling on their lone wolves to create and use explosives as much as use a tool to derail the trains in hopes of a 1970’s car flip explosion kind of thing. I have to say though, were they able to carry off the attack that they direct their followers to perform it could be rather messy depending on the train and it’s load.

The device the OSJ is proposing is a tool that the railroads have themselves but may be harder to acquire so these guys have plans to make your own in your mom’s kitchen (old joke) Anyway, the device is called a derailer, a simple piece of metal that attaches to the tracks. It’s function is simple enough, it raises and diverts the wheels off the track and boom, derailment. This has been used as a stopgap for runaway trains I hear and other functions that I do not care to go Google up right now. In this case though the Inspire folks want their minions to use it to derail trains off of high cliffs or into buildings from what they allude to in the magazine. Of course their solution to making one seems a bit too low tek DIY and might just smash into bits as the train hits it from what I am looking at.

I will not go into detail on the fabrication of the device they present to the lone wolves but suffice to say that I believe the percentage of success from this thing are low in my opinion. Perhaps if they had access to a serious 3D printer and some strong plastic maybe but not what they have laid out in this issue. However, I could be wrong and others out there may do their own mods to the fabrication process to make something more sturdy. If the thing works then it could be problematic and we could see some derailments come to pass. So yeah, the tech may work and the magazine spends some more time after the fabrication phase into the planning and carrying out of the attack phase with targeting advice that includes quite a bit of open sourced information on the railroads in the USA.

Recently at BlackHat myself and Kodor talked about OSINT being used to attack infrastructure by targeting leaked documentation and information. Well, it seems that the Inspire folks have the same idea here. In laying out the attack scenarios they give up some key points on the railroads, their weak spots, and the collateral damage from various scenarios of attack using the derailer. They also allude (as you can see from the picture above) that the attack is easier to hide and harder to detect if done properly. Honestly I think that last bit will be easy to see, I mean are they expected to run into the derailment and grab their tool back? One would assume too that unless you do a real job of it, one would leave forensically viable evidence in the device too so it could be tracked back to the culprit(s).

Frankly I should think that the DHS and other groups have a copy of this open on their desktops too right about now and working up some TLP’s for the railroads and authorities. I hope that is the case because this one is easy enough for the usual lone wolf jihobbyist to try at home and not blow themselves up without much effort. The question for me now is where will these guys try this? The exhortations are to do so with the most flare to cause the most fear. Honestly if they wanted to just be a pain in the ass and mess with the supply chain they could go out anywhere in the wilds where tracks are and pull this off. I guess time will tell but a recent link sent to me at least has this idea in the forefront of the minds of the security wonks for railroads.

Let’s hope they take this Inspire’s scenarios as seriously.

K.

Written by Krypt3ia

2017/08/15 at 16:52

Posted in AQ, AQAP, Inspire

Flash Drives for Freedom

leave a comment »

At Defcon the one highlight of the con for me was seeing Flashdrives for Freedom having a booth in the vendor area. If you have not heard of them before, they are a group that is infiltrating news, movies, and messages into the hermit kingdom by passing USB’s from China over the river. The information reaching the general populace in DPRK is a fundamental means of attempting to bring some freedom, at least of information and thought, to the North Korean populace who only have the propaganda machine of Un constantly pressuring them into utter compliance.

Some of you may be asking yourselves; “Wait, they have computers that can use USB?” The answer to that is yes, some do, but many more have phones that can take USB (many asian phones have USB ports as well as micro USB) in addition to media players that can handle USB and play videos of varying types. So yes, if you send a drive these people can then turn that into a means of getting real news and information from the free world to North Korea. If we can get more USB’s to Flashdrives for Freedom, that means more data can be infiltrated which in turn means that more people in the North can get the truth.

In turn, if more people have a feed of information then perhaps more of them can in turn pass that along to others there …And if more people pass that on …Well, maybe some change can happen there right? At the very least given everything that is happening RIGHT NOW would it not make more sense to get as much information to the North Koreans as we can? So please, go through your junk drawers and pull out all those old USB sticks and micro drives and send them to Flashdrivesforfreedom.org by going to their page and following the instructions there.

I know you wanna.

If for no other reason than to poke ol’ Un in the eye right?

Go on… Empty that drawer of USB’s

Dr. K.

Written by Krypt3ia

2017/08/09 at 12:57

Posted in PSA

I Am Danny Glover: I Am Too Old For This Shit

with 2 comments

Welp, I am gonna say what others I interacted with this year at Defcon imparted in person. Just gonna rip the Band-aid right off, no Bactene, nada….

Defcon has become too big for it’s own good.

There, I said it…

*waits for inevitable whining and recriminations from those who love it and run it*

Really though, the congestion even in Caesar’s was too much to deal with and certainly the fact of getting into lines and then not seeing the talk because you were too far down said line is… Well.. Disappointing to say the least. Add to this that you can see the media later online, why the fuck am I going to attempt to brave the hoards and pay $260 to attend? Everyone says “HallwayCon” now but even that was stupifyingly impossible because the traffic analysis had been fubar’d for this one.

Nope, I am just too old for this shit now. The paradigm of BlackHat is the new RSA, Defcon is the new BlackHat, and Bsides is the new Defcon is really true I think. I had a better time at Bsides and actually got to have substantive educational interludes as well as conversations at Bsides. I attended BlackHat this year and had classes and I also have to say that the Classes were excellent but the presentations were a bag of fail, but hey at least I got to see them. A special note goes out to Matt Suiche on spectacular fail on slides with large blocks of text and his inability to speak English clearly for the ShadowBrokers presentation. In fact, let me also add that he did not add anything to the discourse on the subject by just regurgitating, in large blocks of text on screen, things we all could just Google.

But I digress…

It seems to me now in hindsight that the only way one will get good content and a hassle free way to consume it is to pay exorbinate fee’s to see it so all the other kids aren’t there rubber necking in front of you gawping at all the shiny shiny. Even if you have to listen to the likes of the CISO of FaceCult drone on about how they are going to save the world in between laser light shows (YAY HOOLICON!)

Jesus fuck I am too old for this shit…

Next year maybe I will just do SANS…

Dr. K.

Written by Krypt3ia

2017/08/07 at 21:01

Posted in Infosec

The Psychopath: A Darkweb Manifesto

with 7 comments

The darkweb spider kicked out an interesting albeit kind of freaky site this morning for me. The site “The Psychopath” has a long rambling diatribe on how the world has become too domesticated and that this group, the psychopaths, are starting a war against “the man” so to speak. I honestly had a hard time reading this darkweb manifesto because it is poorly written in a long winded sort of way as well as reminded me greatly of Ted Kaczynski‘s rant that he sent to the New York Times and other papers back in 1996. The rambling text with the pseudo educated diatribe on this site reminds me of Ted’s particular bent as well about society and it’s ills. In this case though it seems that the creators have a grudge against societies conformity.

The site names names of targets they have in mind and claims there will be actions against them while seeking to entice you yet scare you to their position and call to action. I will keep an eye on this one to see what else comes of it and perhaps do a little more digging on the clearnet for hints as to the person(s) involved. Until then, I leave you with the full in screen shot and uploaded here for you to read through. It seems that they set up the robots.txt well so I could not wget it.

 

Written by Krypt3ia

2017/08/07 at 20:11

Posted in DARKNET

2017 Krypt3ia Kryptos Crypto Challenge!

leave a comment »

 

Solve the cipher.

Follow the instructions.

Collect your prize.

You have until 7.30.17 to complete.

CIPHER:

RGILGNCMDENEDJRNMANNJFNLNILJDICLKLOFCNONARMJCTDIORIMCHDIKLHANIJNIEEEGICJO

FEBMLEHFLIFINRLIAREKEOLIPRKKMOEDBORIPRECRMNNDDDLGHNNLJINGKHJHRPARNMIIJNGH

AHOTCLHJSAHDNJOEPESMREDIDINCOEIPLJDICLKLOFINHDNMMBJCRBTODKBLRILSITLDLSIIINIIE

HHMFEMBRGILGNRHMCMHGFHIDJNDDLRLICHMLMMINCIIKRILEEGFGTMCNI

 

DECRYPTS OF THE KRYPT3IA KRYPTOS CRYPTEX CHALLENGE:

No one managed to crack the cipher it seems so here is the solution for it and how it was made. As you can see the image that I used as a logo for this contest was not the cipher itself. However, it did hold a clue, in fact one of the two keys to the initial cipher was embedded within the image.

The image itself is a rendering of the last part of the KRYPTOS art piece at CIA HQ. In the text in white within the image above had you Googled, you would have come up with “BERLIN” This was key one to the initial cipher. The rest is below.

THE SOLUTION:

Four Square Cipher
Key1 CONDOR
Key2 BERLIN

Cipher Text Decrypt:

Condor is an amateur Hes lost unpredictable perhaps even sentimental He could fool a professional Not deliberately but precisely because he is lost doesnt know what to do Unlike Wicks who has always been entirely predictable

go to <REDACTED DARKNET ADDRESS> slash condor dot html locate hidden instructions and follow them

CIPHER 2:

Homophonic Cipher

MUL: 47

ROT 62

CIPHER TEXT:

59 10 56 10 90 55 89 80 02 92 74 65 45 16 28 44 31 24 62 17 61 80 17 65 63 33 95 34 79 89 64 16 57 55 31 78 51 77 74 74 07 78 56 16 61 05 24 51 23 90 02 81 64 23 44 24 98 55 45 20 53 88 27 97 10 39 29 90 02 11 74 10 84 35 01 03 20 90 61 51 48 16 18 70 63 83 44 91 33 69 36 33 37 16 28 50 14 90 09 17 86 20 57 09 41 02 16 28 03 26 41 97 09 77 98 09 63 37 63 28 65 35 92 99 33 71 84 13 82 57 44 63 18 57 08 37 17 08 06 83

CIPHER TEXT DECRYPT:

GOTOC AESAR SFRON TDESK ASKFO RENVE LOPAD DRESS EDTOA MERIC ANLIT ERARY HISTO RICAL SOCIE TYCAR EOFJO ETURN ERCON TACTK RYPTI AONTW ITTER TOCON FIRMR ECEIP TOFPA CKAGE

Written by Krypt3ia

2017/07/21 at 00:00

Eugene and the DoD

leave a comment »

Da! Let me share you this blog on Eugene! Look, this whole kerfuffle over Eugene and the DoD has reached epic douchery in the news and now with the Putin administration threating “actions” against the US if they somehow embargo Eugene’s business. Well, let me first start with this little ditty below.. Go ahead, read it…

Ok done? Yeah, Eugene was in the KGB school and he worked for the GRU too according to the Wiki page here. What this means is that Eugene is a “former” made man of the KGB and Military Intelligence apparatus in Russia. He lived in the times when it was the Soviet Union and at the height of the times where the cold war was in a deep freeze. Fuck, just go watch The Amerikans and then come back… I will be waiting…

Ok watched them all have we? So now you know how it was to live in the 80’s huh? Well there you have it. Anyway, Eugene was a member of the organizations that have recently hacked us. What? You are saying it’s the FSB now and it isn’t the KGB?

Fuck you.

FSB is KGB with different letters at the front now ok? If you actually read up a bit you will see that Putin actually gave back the powers that the KGB had back in the day recently so once again they are functioning much like the old bad days as the KGB. Putin as well is an old school KGB man who has used all kinds of KGB fuckery to get where he is and stay there so once again, you say FSB, I say; Fuck. You.

Right, so now back to the present unpleasantness, it seems that Eugene is now offering a code evaluation by anyone who wants to (specifically the DoD) so pretty pretty please buy our shit? Look, it’s not about the code, we don’t necessarily think there are backdoor’s in the product now. No, what the worry is consists of that close snookums relationship Eugene had with the TWO entities that just hacked our election in 2016. Come on people, no one leaves the KGB and certainly NO ONE says NO to Putin right?

Imagine that Eugene’s software is clean as a whistle.

Now imagine that it is sitting on many USGOV and MIL systems.

Now imagine that all that telemetry from those systems is going to RUSSIA.

Then alternatively consider that with all those systems running Eugene’s product, how easy it would be to say, inject a malware or a protocol into all of it to do… “Things”

Think about that hacker kids.

Think about that you spies too.

You all see where I am going with this right? Now of course you could maybe do that with another vendor too but how much more work would it be to do that with Symantec? What I am saying is that Eugene lives in Russia, his assets are there, his LIFE is there and if Putin were to sidle up and say “do this thing” what choice would he have? JESUS FUCK PEOPLE! You know who the next randomly dead Russian would be right Eugene?

So, all this fuckery around the code and exploits etc… Stop. It’s really about access and what could happen in a place where we have seen pretty nakedly what Putin wants and does. So no, the DoD should not have Kaspersky products on their shit. I would be really surprised if they did given where it is made and managed… But then again, I think about all those SF86’s and China and… Fuck….

So there you have it. We are in another hot cold war with a Putichurian candidate in office. Do you really think we need the trifecta of Eugene’s access potential to be expanded to the military?

Yeah neither do I.

K.

Written by Krypt3ia

2017/07/03 at 16:38

Nyetya, Being Downrange, and Active Measure Campaigns in Ukraine

with 2 comments

 

While all the AV/TI/INFOSEC firms have been masturbating to the latest outbreak of systems degrading malware, I have been sitting back after insuring that my environment has not been hit nor anyone connected to it. Since the reversal’s and the inevitable attribution fuckery cycle has spun up I have been pondering things outside the usual whodunnit. Lesley Carhart had a good post on why one should worry about such attacks and this kind of malware that people should read, I want to go a different route. What I want to talk about is motivation and with that motivation, yes, who is more likely to have carried out the attack. In this case we have yet another piece of malware that was either well coded or poorly coded depending on who you talk to. It was targeted or not targeted depending on who wants to sell you a service too. Well, I have nothing to sell you all, I just want to point out some interesting things regarding the whole mess.

The one simple fact that the malware used a Ukrainian tax software (MEDoc) as the means of initial attack is telling. The time-line on this also pretty much shows (and I experienced this from messages to me the day of the incident) that Ukraine was patient zero. By looking at the image below from the linked page you can see that a great swath of Ukrainian infrastructure was hit on the 27th. Coinciding with this malware attack later in the day several military and government individuals were assassinated in Ukraine as well. Are you starting to see a pattern here?

Recently Wired had a big article on how some in the security community had been feeling that Ukraine was the testbed for Russian active measures in the cyber warfare battle space and this is something I agree with. They have been using active measures of this nature for some time. In fact I actually located some malware in dumps of the Russian media company created by Putin to be a propaganda and intelligence wing for Russia in the region last year. The attacks on the Ukrainian elections as well as the electrical grid now twice by “unknown actors” (Russia) (insert stupid code name from TI firm HERE) have shown just how willing the Russians are to use such technologies in the region. Understanding what they are doing though needs more than the myopia of reverse engineers and sales people in the security space to impart that to you so I will put it plainly here for you;

  • Russia is carrying out an all out war against Ukraine and they are now using the means to an end of malware to deny, degrade, and deter the Ukrainian people and their government from being their own.
  • Russia’s use of these malware attacks have a secondary but important function psychologically to bolster the idea that the Ukrainian government cannot protect itself nor its people
  • Russia’s use of these kinds of measures is just another part of the playbook to add to the battle-space

The Russians get the advantage of using these techniques on Ukraine and no one is stopping them. They get  the advantage of a smaller state infrastructure to attack which means more amplification of the effects on the populace as well. In larger states it is harder to carry these out and obviously would take much more effort. In fact, in the case of the Russian meddling in the US elections last year, one can see how much effort it took on the Russians part to carry out the attacks but as well, how a larger and diffused infrastructure gives varying levels of returns. Alas, for poor Ukraine you can see just how effective at degrading and perhaps disenfranchising the general populace can be with such attacks on their infrastructure. I heard one comment from a Ukrainian that just bespoke their resignation to the interruptions as they happen so much. All of this though, demoralizes the population and in the case of Ukraine, since the Maidan event, they have fought hard to stay free and that is why Russia is ramping up their attacks.

So yeah, my money is on Russia and I will stick with Occam’s razor on that one. Now, on other thoughts about this malware and Wannacry I just have to once again muse about how we have now reached a place where malware is reaching parity with bio weapons. I say this in the sense that malware like Nyetya and Wannacry both had unintended consequences once released either willfully for by accident. They broke out of their cages, their battle-spaces, and began to infect the populace globally. Instead of having some poor shmuck getting on a plane and infecting the world, we now have malware that is either scanning the net for clients to attack or being sent out and then forwarded by accident (or on purpose) by actors. Could some of the infection vectors and trajectories be chaff to obscure the real targets? Sure, but I think in these last two cases the attackers perhaps did not take into account the interconnectedness of the world today.

….Or that’s exactly what the counted on…

Anyway, those are my thoughts on the subject. We are at a crossroads where malware like this can cause headaches but in the end, the world did not end did it?

Did I miss it?

Damn.

EDIT: I also failed to mention that this attack took place one day before their Consitution Day, ya know that thing where they proclaim they are not a part of Russia. Mmmmmyeah…

Wednesday June 28 Constitution Day Marks the signing of the Constitution of Ukraine in 1996

K.

Written by Krypt3ia

2017/06/30 at 14:13