Recently there was a spate of defacements by Team System DZ that has been making the rounds in the mainstream media. These defacements by Poti-SaDZ or Poti Sad Darky and his derpy bandito boyz, using daesh symbols and poorly written rhetoric, are nothing to write home about, yet the media spins their skiddie exploits into media gold. Well I am here to set the record straight with you all. Poti, or Ahmed Saoudi, is just a derpy kid in Algeria with nothing better to do than deface sites with others’ tools. He, and they, are just looking for the lowest of low hanging fruit to garner some attention for themselves. In fact, Poti here has some poor OPSEC, as do many of his derpy little pals, as you can see below.
In the first picture there you see his folders as he is running a tutorial on uber lee7 h4x0ring in winderz. The second picture is one of more than a few where he fails to engage his proxy and the handy little task bar there on the browser gives his home IP address(es), 184.108.40.206 and 220.127.116.11 respectively over time. Poti in fact logs in to the Team System DZ Facebook account without a proxy a couple of times and is likely unable to easily get on there because of issues with proxies, since ya know Zucky don’t play privacy.
Anyway, the IP space is for the following in Algeria:
IP address: 18.104.22.168
inetnum: 22.214.171.124 – 126.96.36.199
descr: region chlef
status: ASSIGNED PA
source: AFRINIC # Filtered
parent: 188.8.131.52 – 184.108.40.206
person: Security Departement
source: AFRINIC # Filtered
Poti-Sadz aka PoTi SaD DaRkY
youtube.com/user/ahmedsaoudik/playlists … ahmedsaoudik
There are a lot of Ahmed Saoudis in the Skype phone book as well, but only a couple list Algeria as the location and one of them has 1992 attached to the name. So, 2015 – 1992 = 23, which would be a prime age range for this kind of stupid kid activity, no?
Give ’em a shout and see! Look, what I am saying here is that in looking at these guys I would have to say that they are not the daesh A-Team of hacking. I would also say that perhaps they could be behind the last derpy Googling of some military names and posting a hitlist online thing. That there was also something that the media went nova on, and in reality “no va” is really more appropriate.
HOLY WTF PEOPLE! CUT THIS SHIT OUT!
Anywho, I just thought I would dump this little OSINT OPSEC FAILTACULAR on you all.
Enjoy the lulz…
So you all know me, I had to go and download CSI Cyber just to see. I mean, I couldn’t resist because I am a masochist and I knew that this would be a terrible show so I had to see it! Well I am happy to report that none of you were wrong, this is in fact one of the worst shows on television and it’s not just because it is all about the OMG CYBER! There are a whole host of issues with this show and I just wanted to share with you all my personal review. So strap yourselves in, put on your sturdiest CYBER HELMET, and prepare for a heaping helping of WTF.
The show starts off with the kidnapping of a baby and some nonsense about voices coming from a nanny cam. The case comes across the lead investigator’s email and she immediately goes to her boss and says that any criminal action that includes electronics makes it a CYBER CRIME! No, really, she says this and thus a plot line is born! The feebs then take over the case and use shiny bags to take away laptops and phones. They use what they call “Faraday Bags” and have the nifty graphic above to show signals bouncing off the bag PEW PEW PEW! (eat your hearts out Norse!)
It was in this moment that the plot’s sub-sub-plot of CYBER PSYCHIATRY comes into play. The main character (Avery Ryan) is loosely based on the “creator/SME” of the show, Mary Aiken, one of the loopiest people I have looked at online. She claims she is a “Cyber Psychiatrist”, whatever the fuck that is. Let me just set you all straight, there is no such thing as a “Cyber Psychiatrist”. There are psychiatrists who maybe deal with technology issues and psychology and psychiatry, but there is no cognitive DSM-V sub-speciality that I am aware of. In short, she is making shit up as she goes. I may go into a full rant on this later on, but sweet jeebus she is as much a Cyber Psychiatrist as the Scorpion Crew is an elite red team in reality ok?
Next let’s talk tech because I know you all want to! CYBER CYBER CYBER! Blinky lights and holodecks for everyone! This show does not let us down in this area either. There is so much shiny blinky light material that if you are epileptic you should really consider watching it with shades. The highlight of all this is the above image from the uberl337 hax0r showing that malware always shows up as RED TEXT on ADA and more often than not actually calls itself MALWORM! As I was morning-drunk tweeting while watching this farce I managed to start a bit of a dialogue with some who complained that they did not get all of our attitudes about the tech being right at all because it’s TV FOR FUCKS SAKE! Well, Ian, yes, yes it is and really we should not worry ourselves about this in reality. I guess some of us care too much or live it too closely. In my case I don’t really care beyond the possibility that this shit will bleed into our real lives as dumbasses think that this is all reality from watching entertainment TV. I will once again point to the CSI Effect and just say I hope this kind of shit does not happen in the court room because of shows like this, is all.
OMG CYBER ATOMIC SOMETHING SOMETHING!
At the end of the day I just have to report that this show is sucktastic. The acting is wooden, the dialogue is horrendous, and the subject matter is wholly unbelievable. Well, unbelievable for someone who actually works in psychiatry, technology, hacking, acting, cinematography, etc. This is the turdliest of unflushable turds that CBS has grunted out of its collective anus in a while.
For my part I LOVED the original CSI because it was new and it was fun. I used to sit watching it with a REAL SCIENTIST who cringed as much as we all do about the OMG CYBER today, so it is not just our group of peers that have issues with the Hollywood-ization of their careers. That I knew the tech was not accurately portrayed made no difference because it was fun and the chemistry/writing worked. As soon as Grissom left though, so did I. It has been pathetic to watch CBS continue to flail the dead corpse of CSI through the David (flip sunglasses down the nose) Caruso years to the Cheers OMG MY HAIR GREW BACK INTO A POMPADOUR Ted Danson travesty.
No more please.
Please FUCKING STOP!
*hangs head.. CSI CYBER!*
Welcome to CBS TV where we make shitty SHITTIER!
Global Threat Intelligence Report
In the month of February an astonishing array of news came out concerning information security and vulnerabilities. One such piece of news concerned supply chain tampering by Lenovo with “Superfish”, adware that compromised the SSL sessions of every user’s machine purchased from the company. In other areas we discovered that our personal routers were being attacked by phishing emails containing the default passwords for the routers that people commonly forget to change. It would seem that nothing is safe, either because people leave the defaults as the way they operate or because the companies are in fact weakening security on their products to make more money through tracking users and selling data to advertisers.
This report will cover the news highlights and give you a more nuanced portrait of their importance globally to you personally as well as at a corporate level for information security. Use this report as a primer to understanding the security picture as it is today and to help in confronting the security issues within your organization.
Think your BYOD program is secure? Perhaps you might want to think again about that as you consider this article. Applications for iOS and Android have been cloned and malware inserted into them for download by unsuspecting users. All the attackers need to do is trick the end users into installing the new application with malware in it by sending them an email with a link to their fake site.
As more and more corporations move toward the singularity and use BYOD as their primary way of conducting business (phones, tablets, and phablets) these concerns should be more pressing. Given that the BYOD now allows personal devices to access corporate networks and assets, if the user then infects their device with malware that steals data such as keystrokes, then your corporate network is now at risk of compromise.
If you have a BYOD program and do not have a robust way to manage what the users can download and install then you are more likely to have a compromise of your domain. If, for example, you have BYOD mandates and policies that require phones with separate profiles, you might be on a better footing in that the end user’s corporate profile should be completely locked down and unable to install anything without approval. This is a hard needle to thread and must be considered today as we see more of these types of attacks being leveraged in the wild against corporate BYOD programs.
Once again we find ourselves facing another SSL attack that may leave our private communications at risk. This one has been an issue for many years and only now is being talked about as something adversaries may be using. As with others, this attack uses the fact that many systems still allow backward compatibility to reduce the encryption levels to one that can be cracked by an attacker.
While this attack is being patched it is important to note that since Shellshock and Poodle adversaries have been working on variations on a theme to attempt to find old or unthought-of exploits to leverage in attacks today. It is important to keep up on these various vulnerabilities being reported so as to respond to them as soon as possible once they have been announced.
It is recommended that all SSL systems be set to disallow backward compatibility if there is a newer version that is more secure. If you are forced to use backward compatibility though, you should ensure that you have a risk assessment carried out and the risk signed off on at a corporate level to cover your risk should an incident occur from one of these known exploits.
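As an added illustration of the recommendation above (this is example code, not something from the report), here is how the “backward compatible” setting and the hardened setting look side by side in Python’s standard ssl module, together with a small policy check that flags any context which still permits a downgrade or skips certificate verification. The TLS 1.2 floor, the cipher string and the list of weak-cipher markers are assumptions chosen for this example, not values the report gives.

```python
import ssl

# Policy assumed for this example: nothing below TLS 1.2, and no suite built on
# primitives that an attacker can break (RC4, DES/3DES, NULL, export grade, MD5).
MIN_VERSION = ssl.TLSVersion.TLSv1_2
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


def legacy_context():
    """The backward-compatible setting the report warns about: the client will
    accept whatever the peer negotiates down to, as far back as the local
    OpenSSL build still supports, and does not verify the server certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # a downgrade succeeds
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # a man in the middle is never noticed
    return ctx


def hardened_context():
    """Backward compatibility disabled: TLS 1.2 is the floor, only forward-secret
    AEAD suites are offered, and the server certificate must chain to a trusted CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def check_tls_policy(ctx):
    """Return a list of human-readable findings for a context; an empty list
    means it meets the policy above. Run this over every context your code
    builds so an old compatibility shim cannot quietly survive a refactor."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(
            f"minimum version {ctx.minimum_version.name} is below {MIN_VERSION.name}: "
            "a downgrade to a crackable protocol is possible")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        findings.append("peer certificate is not verified: man-in-the-middle goes unnoticed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        findings = check_tls_policy(ctx)
        print(f"{name}: {'meets policy' if not findings else 'FAILS policy'}")
        for finding in findings:
            print("  -", finding)
```

The check reads the effective settings back from the context rather than trusting what the code intended to set, which is the same thing a risk assessment should do: measure what is actually negotiable, not what the configuration comment says.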
Common technologies abound today and one of the most popular is the COTS (Common Off The Shelf) router for internet access. In the case of D-Link, one of the more common brands being used today, there are multiple vulnerabilities that could lead to compromise of home or even corporate networks. The current vulnerability allows for a remote attack to gain “root” or administrative access to the routers.
So how then could these COTS routers be a threat to your corporate network? Well, consider a home user who is VPN’d into your network while using one of these vulnerable routers. If their router is compromised, then so too, potentially, is all the traffic and every system they own at home. If that home user has their system online and not on the VPN then their system could be scanned and compromised remotely. Once the end point has been compromised, so too is your network, VPN or not, so this is a real threat to your corporate environment as well.
Additionally, should by any chance your environment have any of these devices connected to your networks then you too may be vulnerable directly from attacks on those routers. Consider too any company that you may be connected to (via VPN for instance again) that may be a mom and pop with one of these routers being used. This could be leveraged to gain access to your network as well by an enterprising adversary.
It is recommended that all corporations consider these vulnerabilities whether or not they think they have these devices on premises. All it takes is one connection from an insecure network elsewhere that has rights on yours to make your life miserable.
NAS (Network Accessible Storage) is common not only in corporate networks but also home networks. As such these devices need to be securely configured and access restricted to internal networks only unless you absolutely know what you are doing. In the case of the Seagate NAS, this vulnerability is like many of the others out there and Seagate has yet to update their firmware months after the fact. This leaves all of these devices unprotected on networks and on the internet in some unfortunate cases.
Think that your corporate network doesn’t have a problem because the NAS is behind the firewall? Well that is not truly the case either, as you could have a compromise internally, and if these devices are inside your perimeter yet still vulnerable to these types of attacks you could lose in the end. It is recommended that you seek to determine if you have these in your environment and patch as soon as possible.
Alternatively, consider the end user out there who works for you. Do you have a strong policy and practice of not allowing those users to store corporate data anywhere other than your network? Consider the end user who buys one of these and puts it on their home network and shares it accidentally with the world. Think that is not probable? Then go to Shodan and look for these devices or better yet use Google to search for them. They are out there and they are open.
Patch Tuesday in February was huge with a total of 56 vulnerabilities being fixed in Microsoft products. A majority of the patches were for Internet Explorer, a core piece of the Windows system and the one most attacked by adversaries seeking to exploit users’ systems.
This particular patch cycle was of note because the previous cycle had not patched IE and this one seems to have been an aggregate of earlier patches being held back. As the number of patches is so high for one piece of the Microsoft system it can be inferred just how much attention is paid to attacks for the IE Browser.
It is recommended that every enterprise undertake a strong process-driven function around patching in your environment. Specifically, enterprises should take care to patch high value target systems at the least and all systems at the most. Given that there are mitigating factors that may leave an organization no choice but to not patch a system because it would break business, those systems should be signed off on for risk and, as a compensating measure, watched more closely to ensure that they are not compromised.
Earlier this report covered default passwords on routers in the home. It seems that this issue has risen again as malware/malcode disguised in spam has been seen in the wild with the ability to log into routers with insecure default passwords. This type of attack is not new but it is once again being leveraged by particular actors today in the wild.
This in and of itself should be a wakeup call for any users who have not changed their default passwords and logins for COTS routers. As also mentioned before in this report, this is something that all enterprises should be concerned about with regard to users who work from home and have access to your internal networks.
It is recommended that all organizations look at these vulnerabilities as not only affecting home users but also those networks that they may interface with every day for work. As such, it is in every company’s interest to follow these things and to have education for their users not only about corporate networks and assets but also those BYOD devices and networks that interconnect them.
Increasingly carders and other adversaries are attacking corporations by targeting the end users for malware by phishing campaigns. Many of these exploits are directly targeted at gaining access to credit card data, bank account data, and PII data that would allow them to create new identities and start credit lines.
The adversaries, however, are getting cleverer and more targeted today, and, armed with knowledge of the organization, they are attacking from the top down. Phishing campaigns aimed at executives gain access to their accounts and machines, which then are used to trick employees into making funds transfers from the company accounts.
It is recommended that organizations keep awareness at a high level not only for regular employees but also specifically, the executives. Executives are the prime targets for much of the malware and phishing campaigns in these types of attacks and all too often, the executives and their minions are less aware than they should be about phishing and how to spot it.
Additionally, it is a good policy to have some means of empowering employees to question the process of such transactions if they feel that there is something amiss. Oftentimes the adversaries are counting on the social and psychological norms of the corporate pecking order to get an employee to just react and carry out transactions like these.
As the tempo of attacks speeds up and more groups of adversaries start working together, the likelihood of follow-on attacks using news items like the Anthem breach is high. In the case of Anthem, phishing emails started immediately after the incident made it into the news. Emails began to be sent from newly registered domains created by a whole other sector of adversaries.
The Anthem breach for all intents and purposes, seems to have been Nation State actors and as such the data that they stole will not, and has not yet been seen to be for sale on the darknet or other places where this data is sold. This means that the criminals who do carry out this type of attack for money are seeking to capitalize on the backs of the APT by phishing already worried clients of Anthem.
It is recommended that organizations keep up with this type of activity as well as the breach itself. Targeted phishing emails are not just going to end users home addresses. These phishing emails and new waves of malware have been seen in corporate email systems as well. Awareness is key and as such talking directly to employees about these types of attacks will not only benefit them but hopefully stop incursions into your network as well.
The Anthem breach, while unfortunate, should be an object lesson for all corporations today. The scope of the breach and the attacks that were carried out to steal the information and keep access to the networks at Anthem should be studied by anyone who has a network and data they want to protect. In the case of Anthem though, it is becoming clearer that not only was it nation state actors but also that they had access to Anthem’s networks for a considerable amount of time before discovery.
As information becomes more available the likelihood will be that the initial incursion came from a phishing campaign using crafted domains (we11point.com etc) to get users to click on links and install malware on their machines. This is a common tactic and something that every organization has problems with as users are being manipulated by actors who understand human nature.
Watch the Anthem story and consider how your networks could or could not use telemetry to detect undue traffic to known bad actor sites as well as anomalous traffic. In the case of Anthem, the incident was first noticed by a sysadmin who saw their own account being used on a system they had never logged into. Every org is vulnerable to these tactics and it is in the interest of every company to learn from others’ mistakes as well as the modus operandi of the actors involved.
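The crafted-domain tactic described above (we11point.com standing in for the real brand) and the executive-targeted phishing discussed earlier are both things a mail gateway can triage before a user ever clicks. The following is an added example, not code from the report or from Anthem, of a lookalike-domain check over sender addresses: it collapses digit-for-letter substitutions, catches one-character typos, and flags new names with the protected brand embedded in them. The protected domain list, the confusables table and the sample sender addresses are all constructed for this example.

```python
import re

# Constructed list of the domains whose brand the phishers imitate.
PROTECTED_DOMAINS = ("wellpoint.com", "anthem.com")

# Digit-for-letter swaps commonly used to build a lookalike (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})

# Constructed sender addresses, as they might appear in a gateway's From: headers.
SAMPLE_SENDERS = [
    "benefits@wellpoint.com",      # genuine
    "alerts@mail.anthem.com",      # genuine subdomain
    "security@we11point.com",      # digits for letters (the report's example)
    "support@wellpoint.co",        # one character dropped
    "claims@anthem-claims.com",    # brand embedded in a freshly registered name
    "newsletter@example.org",      # unrelated third party
]


def skeleton(domain):
    """Normalize a domain so visually similar spellings collapse together."""
    return domain.lower().translate(CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance; one edit is enough to catch a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, protected=PROTECTED_DOMAINS):
    """Return (verdict, protected domain it resembles or None)."""
    d = domain.lower().rstrip(".")
    for p in protected:                      # exact match or a real subdomain
        if d == p or d.endswith("." + p):
            return "legitimate", p
    sk = skeleton(d)
    for p in protected:
        if sk == p:
            return "lookalike (confusable characters)", p
        if edit_distance(sk, p) <= 1:
            return "lookalike (one-character typo)", p
        brand = p.split(".")[0]
        # brand as a whole label token: "anthem-claims.com" yes, "chrysanthemum.com" no
        if re.search(rf"(^|[-.]){re.escape(brand)}([-.]|$)", sk):
            return "lookalike (brand embedded)", p
    return "unrelated", None


def triage_senders(addresses):
    """Return (address, verdict, imitated domain) for every suspicious sender;
    addresses on legitimate or unrelated domains are left out of the report."""
    report = []
    for addr in addresses:
        verdict, target = classify_domain(addr.rsplit("@", 1)[-1])
        if target is not None and verdict != "legitimate":
            report.append((addr, verdict, target))
    return report


if __name__ == "__main__":
    for addr, verdict, target in triage_senders(SAMPLE_SENDERS):
        print(f"{addr:28} {verdict:36} imitates {target}")
```

Running the check on registration time (newly seen sender domains) rather than only on delivered mail is what turns it from a filter into the kind of telemetry the paragraph asks for; the confusables table and the one-edit threshold are the knobs to tune against your own false-positive rate.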
Superfish, a simple piece of adware that was installed on every system that Lenovo sold in the last couple of years, has upended the trust of the public in their products. This particular malware was designed to perform a man in the middle attack against SSL traffic and route the user to specific ads which then would pay Lenovo on the back end. This however backfired on them once the malware was discovered.
While Lenovo claimed that the adware was harmless it was shown that in fact this piece of software could be easily subverted to break into machines by setting up man in the middle exploits and getting users to log into things with their credentials as well as downloading malware. This is unacceptable and an object lesson in supply chain trust.
If one cannot trust the supply chain (e.g. laptops from Lenovo without malware pre-loaded) how can one trust that the systems they are buying for their companies are secure? This issue should be something that all companies consider when not only purchasing new equipment but also those systems or appliances they may buy grey market online. Can you trust the systems have not been tampered with?
Today the selling of “Threat Intelligence” is all the rage, but really how useful is much of what is being sold today? So far the focus of many seems to be on “who” carried out the attacks but not so much on the how. While the who can be important in many ways, it is the least of your worries when dealing with an incident and this needs to be a key focus for companies.
By engaging companies that sell threat intelligence a company can in fact gain a better foothold on protecting their networks and data. However, all too many companies are not prepared to really use the data that these threat intelligence firms provide because they do not have enough insight into their own networks to start. As such it is key to know your own capabilities and work with threat intelligence firms to set up feeds and methods that will help your company detect and deter as well as proactively mitigate ongoing campaigns.
It is recommended that when you look into threat intelligence feeds you first undertake a serious introspective look at your environment, its maturity, and your capabilities to truly leverage the data that you are buying, and not just have a feed as a check box in an auditor’s notebook.
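The two paragraphs above, and the earlier point about using telemetry to spot traffic to known bad actor sites, come down to one mechanical question: can you actually join a purchased indicator feed against your own logs, and does the result carry enough context to act on? The following is an added example, not the report’s code or any vendor’s, that matches a small indicator feed (domains, single addresses and CIDR ranges) against proxy log lines and counts the hits that your own telemetry cannot fully attribute. The feed entries, the log format (time, client IP, user, destination host, resolved IP) and the log lines are all constructed; the only page-derived value is the we11point.com domain.

```python
import ipaddress

# Constructed indicator feed: (indicator type, value, context supplied with it).
FEED = [
    ("domain", "we11point.com", "Anthem-themed phishing domain"),
    ("ipv4", "203.0.113.45", "malware download host"),
    ("cidr", "198.51.100.0/24", "hosting range used for command and control"),
]

# Constructed proxy log lines. A "-" means the proxy did not record that field,
# which is exactly the telemetry gap that leaves a feed unusable.
PROXY_LOG = """\
2015-02-12T09:14:03Z 10.0.5.23 jdoe secure.we11point.com 203.0.113.10
2015-02-12T09:15:11Z 10.0.5.41 asmith updates.example.net 203.0.113.45
2015-02-12T09:16:40Z 10.0.5.41 asmith cdn.example.org 198.51.100.77
2015-02-12T09:17:02Z 10.0.5.9 - we11point.com -
2015-02-12T09:18:30Z 10.0.5.23 jdoe www.example.com 192.0.2.8
"""


def compile_feed(feed):
    """Index the feed once so matching each log line is cheap."""
    domains, addresses, networks = {}, {}, []
    for kind, value, note in feed:
        if kind == "domain":
            domains[value.lower()] = note
        elif kind == "ipv4":
            addresses[ipaddress.ip_address(value)] = note
        elif kind == "cidr":
            networks.append((ipaddress.ip_network(value), note))
        else:
            raise ValueError(f"unknown indicator type {kind!r}")
    return domains, addresses, networks


def match_domain(host, domains):
    """Match the host itself and then each parent, so a subdomain of a listed
    domain is still a hit."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate, domains[candidate]
    return None


def match_address(ip_text, addresses, networks):
    if ip_text == "-":
        return None
    ip = ipaddress.ip_address(ip_text)
    if ip in addresses:
        return str(ip), addresses[ip]
    for net, note in networks:
        if ip in net:
            return str(net), note
    return None


def match_feed(log_text, feed):
    """Return (hits, gaps). Each hit carries who, when and why; gaps counts the
    hits where the log lacks the user or destination IP needed to act on it."""
    domains, addresses, networks = compile_feed(feed)
    hits, gaps = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, user, host, dest_ip = line.split()
        found = match_domain(host, domains) or match_address(dest_ip, addresses, networks)
        if not found:
            continue
        hit = {"time": ts, "client": client, "user": user, "host": host,
               "indicator": found[0], "why": found[1]}
        if user == "-" or dest_ip == "-":
            gaps += 1
            hit["note"] = "telemetry gap: cannot fully attribute this hit"
        hits.append(hit)
    return hits, gaps


if __name__ == "__main__":
    hits, gaps = match_feed(PROXY_LOG, FEED)
    for h in hits:
        print(f"{h['time']} {h['user']:7} {h['client']:10} -> {h['host']:24} [{h['indicator']}] {h['why']}"
              + (f"  ({h['note']})" if "note" in h else ""))
    print(f"{len(hits)} hits, {gaps} not fully attributable")
```

The gap counter is the maturity measure the report is talking about: if a large share of your hits come back with no user or no resolved address, the feed is a check box, and the money is better spent on the proxy and DNS logging that would make the next feed actionable.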
Document for download and dissemination HERE
A Cosmic War
A recent article in The Atlantic has staked the claim that daesh is a millenarian cult bent on bringing the apocalypse upon the world. The article uses recent materials from Dabiq (the daesh propaganda magazine) and cites interviews with the likes of Anjem Choudary to back its case that not only is the group Muslim (well that is a given right?) but also that they are battling to re-create the Caliphate to bring the end times upon us all. A great battle with Shaytan (شيطان) and even Jesus will ensue and in the end the Caliphate will win and all kufr will be destroyed.
After reading the article in its entirety I just had to sit back and wonder at the oversimplification that had just been perpetrated on us all by this reporter. I think he frankly went to the George Bush school of Islamic Comprehension, but I had to go back and read through all the issues of Dabiq to confirm or deny what the author was saying. Five issues of Dabiq later, I am still of the opinion that the article is off the mark where this is all concerned. I also believe that once again it is another classic case of a reporter writing about things without deep knowledge of them yet speaking on them as if he had it. Here are some salient facts that the Atlantic failed to talk about in this article:
- Hadiths Versus Qur’an: Much of what daesh uses as exhortations and rationalizations for their actions comes from the Hadiths (prophetic traditions), which basically are a grouping of sayings written long after the prophet was gone. So much of what is there is subject to doubt because this is based on memory or just made up whole cloth to be companion pieces and re-enforce certain ideals. This of course is also coming from religion, and all religions have their books which were written a long time after the people involved had passed on. So the use of these even further separated texts, from original oral traditions that finally got written down, is reason enough to doubt their validity.
- The Caliphate and Millenarian Prophecy: daesh seems to be only recently really interested in the millenarian slant on their battle with the kufr of the world and apostasy in general. In looking at their propaganda over the arc of their arrival and dominance it can be seen that this is a new feature. Specifically you can see this arc over the 5 issues of Dabiq magazine. This rhetoric over a cosmic war and the use of the eschatology concerning Rome, the Crusades, and the great battle with Shaytan (إبليس) frankly is only being leveraged now to give their base a boost, and it is a well thought out propaganda tool. The daesh want to recruit and they, unlike AQ/AQAP and Inspire, found the right mix which, in tandem with their actual taking of lands and creating a so called “caliphate”, seems to have made all the difference in getting recruits to come to the new Afghanistan. This melange of things, rhetoric, tales of epic battles, use of ultra violent means, and the propaganda generated from it, is what daesh is about and is using, and I do not necessarily think the core believe all that they are putting out there. I have yet to see Al Baghdadi speak on these things at all.
- The Language of Crusades and Rome: Another bone to pick here that I have is that the claptrap of using Rome and the Crusades is that they post date the prophet by quite a long time. You can see that daesh is carefully cultivating a look and feel using key words and ideals that resonate with people concerning the wound that is the Crusades. Honestly, this is just a hot button use of terminology and imagery that Bush only exacerbated when he said “This crusade, this war on terrorism is going to take a while. ” I remember face-palming when he said this on live air. Now the daesh and their acolytes use this all the time as a rallying call evincing images of Salahuddin but removing any of his more temperate decisions or commands concerning the greater war on the lands of the ummah.
- Propaganda Wars and Recruitment: The article fails to take into account that nothing daesh says should be taken at face value. The reporter goes on to talk to a few true believers (aka the deluded) in Britain and elsewhere but, as you can see, they are not in Syria are they? They are propaganda mouthpieces only, and the fact of the matter is that all of what we have seen has been carefully created propaganda by the media wing Al Hayat. When reporters talk about daesh and all of what has been going on of late they always remark on the professional quality of the videos and other media being put out. Well, there you have it, it is propaganda, and if you just believe that this is all that daesh is about, well, you have been fooled. This is all a means to an end to intimidate as well as recruit.
- Politics, Power, and Money: No matter how much the daesh clothe their movement in the millenarian trappings that you see in Dabiq, this is not just about a cosmic war. This is about power and politics as well as money. The daesh are now trying to mint coins as well as raking in huge amounts from the oil fields that they have taken in Iraq. No doubt if the caliphate ever really normalizes you will see Baghdadi and his core living well somewhere, not in fact frugally with the people.
- The Apostasy of daesh and Islamism: Finally, the daesh are the most apocryphal and apostate group out there today. The use of the hadiths to rationalize their brutality is just a means to an end for control over the people. Fear of violence clothed in snippets of hadiths is apostasy in itself. They have carried out atrocities that Salahuddin would be shamed by, never mind the prophet, and if they TRULY believed in the teachings of the various books, then they would not be doing these things. So when the arguments start over Islamism/Jihadism and their book being the source of all the ills of the world, much of it can be blamed on this one dimensional reporting in the Atlantic.
Once You Name A Thing You Have Power Over It
I guess in the end this Atlantic article serves the purpose of the US and others who don’t have the wherewithal to take the time to understand Islam, the region, and its history, by giving them an understandable bogey man. After all, in looking at the US government’s answers to daesh thus far I for one can see this simplification to be of use to them. It has been hard to troll the daesh as we have seen with the “Think again turn away” program by (@CEP), and a nuanced approach is, well, nuanced. Don’t get me wrong, this whole thing is as complex as it gets, but if daesh wants to simplify it all to gather recruits with their cosmic war propaganda, well then turnabout is fair play right? So go ahead CEP, use this and troll the living daylights out of it.
Sadly though, I fear they won’t do this..
However, everyone should know that this is not just some epic battle of good and evil, Satan and Jesus. This is not a millenarian cult in the least bit at its core, and to think so is just stupid. I hope at least that this article does not cause even more troubles with Islamophobia amongst the uninitiated and stir more hate. Frankly, as I have said on Twitter recently: “If you want to paint daesh as an apocalyptic cult you may as well also paint Christianity as well. I mean, they are the ones who wrote Revelation right?” It’s not the book but those who use the book for their own agenda. In the case of daesh, they aren’t even using the book, they are just winging it.
The Cyber Caliphate Hacks Newsweek and DCITA:
Since the hack on the Pentagon’s CENTCOM Twitter feed and the dropping of dox from someone’s email/phone/machine, the so-called “CyberCaliphate” had been looking for another target, and it seems that they did find a couple in the Newsweek Twitter feed and someone at the DCITA (DC3) Defense Base group. On February 10th the Newsweek twitter feed began posting data from another hacked account within the military, albeit the Defense Base side of the house, that showed the Caliphate had culled FOUO data from the DCITA. The documents dumped in screen shot form show internal rosters of phone numbers, some org charts, and other mostly uninteresting documents that are not super secret though sensitive enough to be problematic.
PS.. Dear feds, please don’t give me 10 years and a RICO conviction for just posting shit that is already in the open and is FOUO to start ok? *derp*
By problematic I mean that there are some tidbits in there like phone numbers and the types of jobs that these guys hold as well as who they work for, like the guy from the NSA who is signed up for classes. More at issue for me though is that if you look at the email addresses used you see that some of these guys are using YAHOO and GMAIL as their point of contacts! Why is this a problem? Well, because this is supposed to be a group tasked with the security of defense base companies like Pratt & Whitney, Lockheed, and others. Using GMAIL or YAHOO as their primary contact, hell, even a secondary places the information they hold potentially at risk from hacking… Like their shit being stolen and posted on a newly created website and a twitter feed right? This is TERRIBLE OPSEC and COMSEC kids!
The Attribution Games Begin:
Overall the data is mostly uninteresting as these things go. What is interesting though to me is the kerfuffle that Caliphate is causing and now the crazy attribution game that is going on out there trying to pin these hacks on someone. Originally when the first hack and dump happened the first person that everyone started pointing their collective fingers at was Junaid Hussain ( @AbuHussainIS ), but he actually denied being involved while laughing about the whole thing. Could Juny have something to do with it? Maybe, but he is in Syria and seems to have his own problems lately just trying to keep a twitter feed up. With this second hack and dump though another ersatz attribution wonk claimed that the hacker in question was in fact an Algerian hacker going by the moniker PoTi-SaDz. This reporter *cough* made some bold claims but provides no other proof than that there is a commonality between the words on defacements made by the Team System DZ crew.
This guy’s contention is that because the imagery is similar in some of their defacements, and the use of “i Love ISIS” as a slogan clinches it, PoTi SaDz is the infamous Caliphate hacker. Well Matt, I have some other thoughts on that and you should pay attention. First off, please present a little more proof before you play the attribution game. Do you have a source? A snitch? Something other than some poor assumptions to make these claims? Let me give you some for instances here to consider after looking at these guys.
- You claim that they stopped defacing in 2014 and that is incorrect (see screen shot below)
- Have you seen the English used by these guys? It is broken and bespeaks someone who does not really speak it. Now go look at cyb3rc.com and tell me that isn’t a fluent speaker.
- PoTi-SaDz’s M.O. so far has only been defacements and shows no other skill sets to speak of in hacking the kinds of systems that might dump these kinds of files
- Hahahaha, funny thing.. PoTi alternately calls ISIS Da3sh, hahaha. Hey Matt, go read up on the word daesh and how ISIS hates that shit
- Nothing in the Caliphate’s posts shows any of these confusions; this person (or persons) knows about ISIS and is, at least on the face of it, making a good show of being a supporter without the cluelessness of PoTi
So once again, let’s not worry about who did the hacking! Instead let’s focus on how the hack happened in the first place! How did DCITA get powned in the first place? The hack so far looks to be low level, maybe someone’s email or a box that was insecure at the end user level who likely had stuff where they shouldn’t. The whole problem here is that everyone is all up in arms about CENTCOM’s and now DCITA’s stuff being hacked (ERMEGERD) by the daeshbags!
Trust me people, it would be a better use of time trying to figure out how this shit happened to people who should know better than trying to chase down derpy low level hackers like Caliphate. Wake me when Caliphate hacks something important ok? Until then let me go back to important things like Twitter and watching others fiddle while their digital Rome burns to the ground. Meanwhile, PSSSSST DC3, WTF dudes? Stop this shit! You have important data to watch leave Lockheed’s network! Yeah, I remember fondly the JSF data exfil! Those were the days…
Cyber WAR indeed… <Shakes head>
Since the Charlie Hebdo attacks it seems that Anonymous has finally become self-aware about the online jihad that has been going on for years now. While I can laud their determination and willingness to… Help… I cannot agree with their blunderbuss approach to taking down ISIS online. You see kids, there is more to all of this than just knocking off some poorly secured sites that the jihobbyists run to end the threat of daesh. Oh, and yeah, by the way, call them daesh at least, huh? If you do a little reading about them you will learn that daesh, loosely translated from their Arabic acronym, means “to crush under a boot”; they don’t like it.
Anyway, back to what I was saying here. Look, I know you want to help (some of you, that is). Others are looking for a quick fix and media attention, which hey, if Mandiant and Crowdstrike can do it so can you, right? The main thing though is that if you are going to prosecute a war on terror then you should at least try to be helpful to the IC while you are at it, okay? The second thing is that you are all fighting a battle you cannot win here, and no matter how you try you are only getting in the way of things in reality. What do I mean? Well, let’s look at it this way:
If you take all the sites down for however long, you will only force them to make other sites that are more under the radar. You will also be teaching them about security, and you don’t want to be doing that, do you? Say, did you see the article from Glenn Greenwald about how Iran learned from our Stuxnet attacks on them and are now a real threat? Yeah, see, it’s a double-edged sword kids.
I have looked at all your plans and really only one site in the lists there was important to the jihobbyists as a platform for getting the word out. On the other front though, your Twitter war has been interesting to watch as well. Take it from one guy who has been doing this a while *cough jihaditwits cough*, it is not really all about taking down the accounts. It’s about learning who the talkers are, who they talk to, and what the pipeline for propaganda is, and taking that down, not just scatter-shot take-downs of accounts. Moreover, let’s talk about doxing these guys and providing that to LE, huh? I know, I sound like a broken record, right? Look, we could use all the help we can get out there.
Back to the Twitter war though, let’s talk about this a bit. You see that graphic above? Yeah, those are just a small sample of accounts that I have collected recently. There are ZILLIONS of these guys out there on twitter re-tweeting links to content from Syria and other places. Have you stopped them? What? You haven’t gotten them yet? Let me tell you, you won’t either. The sad fact is this is the biggest game of whack-a-mole there ever was. I recently stopped altogether because I had to take stock of what I was doing. Was it having any effect at all? Even with my targeting of players who were really plugged in, was I having a positive effect? Well, I guess I was from the point that I got the fatwas and the warnings about the account, but in the end I was kind of meh about it so I took a break. I am back though and I wanted to share with you my thoughts on your “digilante” war.
So here are my parting thoughts…
- MMD, you gotta stop bein so derpy.
- Anonymous, work smart and not just carpet bomb here
- Share your dox with LE
- If you are going to go after Twitter accounts make them count. QUALITY OVER QUANTITY PLEASE
- Do your research and understand the propaganda war going on here kids. You knock out one channel they will open another
- Understand that you are teaching these idiots! You will eventually make them smarter
- It may feel like you are doing something but you really aren’t from the perspective of the GWOT
- While you may feel like the propaganda war is being won by you, the reality is that they love to be martyrs so you are only going to make them work harder and gather more followers
With all that said, I am sure you will continue doing what you are doing. Even more so once the news cycles start stroking the collective egos involved. Just know that you are not stopping them. Stopping them is up to the governments of the world and the military forces that will eventually have to kill or capture them all.
In the wake of the release that Anthem has been hacked I have been taking stock of where we are today where information security is concerned. It seems that if you just look at the industry through the lens of the news media, we are all under constant assault by so-called advanced actors out to steal us blind, spy on us, or take our personal data by exotic means that are inscrutable. The realities, though, are far from what the media, and the marketing blitzkriegs that companies like Crowdstrike or Mandiant/FireEye are hawking, would have you believe about the advanced nature of these attacks.
The realities are that today we have businesses selling intelligence wholesale to corporations that are not mature enough to use the data they are being sold. On average, the data being sold by these companies is nothing you cannot get from open source arenas for free, and on the whole it is overly focused on attribution of groups and actors. While a mature organization might have use for these feeds and reports on various groups, the average company out there today just cannot use the data because they lack the practices and people to truly understand the information, let alone apply it to their orgs.
Clearly the business model today is intelligence-centric and completely lacking not only in showing companies how to use their intelligence feeds to help in detection but also in how to fortify their environments against the attacks to start with. Richard Bejtlich was recently on a panel in front of the Senate when he made the comment that many times, after his company, Mandiant, had been on an engagement with a client, they were once again compromised shortly after they left. This comment alone shows just how little effect companies like Mandiant are having on teaching these companies how to at least detect, if not halt, attacks. Attacks, mind you, that are not necessarily advanced as the APT moniker implies.
Let’s face the fact that most attacks today do not come from exotic 0day and sneaky DMZ hacks. No, instead these hacks happen through social engineering and phishing attacks. Sure, some hackers may be using 0day within their phish attacks, but it has been my experience, along with that of many others, that it does not require a 0day to hack a corporate network today. The problems with many corporations stem from a lack of security awareness, as well as a lack of presence within the org to instil secure practices like patch management and employee awareness of what a phish looks like and how to detect one. Neither of these is something that Mandiant or Crowdstrike offers as a primary service. After all, if they did and it really caught on, where would they make their money?
Still, however, it is not Mandiant’s or Crowdstrike’s problem, is it? They are in the business of incident response and threat intelligence, right? No, the real issue here is that both of these companies perpetuate the idea that attribution is the key to stopping all your hacking woes, and not so much having the proper security infrastructure to mitigate these attacks. And by infrastructure I do not mean just hardware and software; I also mean people with skill sets and an organization that understands security from the CEO down. This is the primary issue that I have seen throughout my career in penetration testing and information security. Frankly, it is one of the biggest reasons that pentesters love doing what they do: the corporations make it easy for them because they don’t have a security mindset.
I cannot tell you how many times over the years I have seen orgs that had grossly misconfigured systems as well as a lack of processes or policies that would mandate that things be run securely. Add this to the notion that these companies also lack real telemetry to track incursions and you have an org without any insight into how it operates as well as what traffic is going in and out of their domain. This is endemic in corporate America and anyone who tells you any different has an agenda to cover their own ass. Collectively corporate America should be totally afraid of what POTUS has proposed in the way of intelligence sharing and not because they should be worried about PII. The real fact of the matter is that they are all going to be worried that they will have to actually perform due diligence, spend money, and have actively operational security programs to feed that information to the sharing program to start.
I would like to change the rhetorical argument then, from caring so much about the who to caring more about the how a hack happens. How did the adversary get in? How did they leverage the vulnerabilities within the company to steal the data without being seen? How did the company miss all of this exfiltration of data in the first place? These are the questions I would be asking first about, say, Sony, rather than who did it. Was it North Korea? Instead, let’s talk about the organization’s failures in security and how they can better shore them up to stop the next attack, instead of banging the attribution gong so loudly.
With the announcement today of approximately 80 million records being stolen from Anthem, and the usual buzzwords of advanced attack ringing in the air, I for one had to say something about the realities we face in security. Simply put, it is too often the case that organizations place security in the category of red-headed stepchild and relegate it to the sub-basement as a necessary annoyance. Security is a cost centre and is troublesome, all of which is anathema to business as usual. Security causes things to perhaps move slower, makes people take a little more time to think, and generally feels like a drag on the hyper-kinetic business model so many corporations feel they need to be today. As such it is always a battle to ensure that basic security practices like patching and hardening of systems are carried out. It’s a sad truth and you all must have run into this if you are a blue team player.
How do we fix it all? I have no idea. All I do know is that we are losing the battle, and it is not because China is hacking us all with advanced malware on par with Stuxnet. We all need to understand that what we see out of the media is hype and what we see out of the vendors is marketing, and not necessarily what we really need. Until such time as all organizations out there understand security and its nuances, we, the workers within the security field as blue team members, will be Sisyphus.