It is not often that I find a book that I just want to read right away and put everything else in my busy reading schedule down for. In this instance I have to say that this book looked good right out of the gate for me so I put everything else on the back burner. At 150 pages give or take, it was a quick read yet quite informative on topics of espionage and counter-espionage tactics and techniques for the lay person. What really got me thinking though was that this book really could and should be a part of every companies security awareness program and not just for executives.
Of course with the prevalence of today’s electronic spying (by hacking or by outright hoovering of all data by nation states) one tends to think that old school HUMINT (Human Intelligence) is no longer as useful as it once was. This is not really the case though and I want you all to consider that as you think about your security programs or your personal security. Not everything has to be some technical HIDS/NIDS/AV/Firewall end run to get you into the network today and much of the time in today’s world you can see this at play with the simplest of attacks against end users with phishing and spear phishing. Truly the human element is the weakest and the most powerful at the same time when it comes to the success or failure of security machinations. In fact you will hear it often spoken as an aphorism of sorts but it is true that the “insider threat is the biggest threat” and it is literally true. This is where HUMINT is still useful in not only gaining access to a network let’s say, but also much more if you can leverage an asset into doing your bidding.
The book covers all the bases on how differing types of “collectors” aka spies both private and nation state can and will attempt to elicit, recruit, or blackmail the would be asset into working for them. Bencie also covers the issues of personal security around yourself and your technology that you carry (e.g. laptops, phones, tablets, etc) that are leveraged for theft and access as well. If a collector doesn’t need to recruit the target because the target left their laptop in their hotel room, on and logged in, well then no need right? Suffice to say that today we carry as much information and access on us as much as in our heads and this is what the industrial spy or nation state spy craves.
Now, one might at this point be asking one’s self “Well, what would anyone want from me? I mean, I am not that important, just a cog in my company that’s under appreciated, no one would send a spy after me.” … and you would be wrong to think this. Access is access and if a collector can get access to you and your technology (e.g.your network by hacking your laptop or phone) then they will. While there is a sniff test that a collector will make on people as they watch them, much of the math here is how vulnerable is the target and how easily could they be manipulated into what is needed to succeed. Bencie covers many scenarios that may seem like spy thriller pulp but take it from me, these things have happened and still do. In fact he uses real stories to back up the scenarios from the people that they really happened to. These are not just the things of spy thrillers and film and the general populace should be aware of this especially if they are on travel for work, more so if they are in a foreign country while doing so.
Finally though, as much as this book is something I am going to recommend to executives, I would also like to turn my eye inward to the community *cough* that I currently am in. That community is the information security community specifically. We INFOSEC people are probably the ones that I would consider to be some of the juiciest targets in today’s technical world where everything is network oriented. Whether you are a red team person or a blue team person, you all have information inside your heads and on your hard drives that the adversaries would love to have. As we are moving into the con season (Defcon and BlackHat to be specific) we all will descend on Las Vegas for serious convention learning and exchange of info… Oh who am I kidding? It’s a party festival of drunken debauchery and shenanigans right? If you have not considered just how many corporate or nation state collectors (spies) are also there looking at you dear con goer as a possible asset, then you just ain’t thinking straight!
I am hereby recommending that everyone going to these con’s read this book and take it to heart that YOU are a target at these two con’s if no other. Take heed of Bencie’s suggestions on controlling the drinking as well as what information you share with anyone. I also implore you to read and learn about the methods of elicitation that the spies use to get information from you when you may have no idea they are doing it. If you work in this field and you hold what we would consider secret information on the vulnerabilities of companies you have hacked in a red team event, or have been trying to remediate as a blue teamer, this book is important for you. But hey, Defcon is all a good time! Until you wake up in the desert with a note threatening to release the pictures of you to everyone unless you do what they say.
Go buy this book. Read it. Live it.
All business is warfare so don’t be the next dead foot soldier.
Someone on Twitter recently passed along this little email from ZENEDGE to me in hopes that I would have something to say. That someone was right and what I have to say is not going to be nice. The email, a marketing email, purports to be selling cyber services because “Terrorism” for all your cyber security needs. This frankly is one of the more craven and baseless marketing emails that I have seen of late and I agree’d with the sender that it warranted my special attention. So Leon Kuperman, and ZENEDGE, here’s your special attention!
First off, I would like to take the time to extend my sympathies to anyone who has been touched by terrorism and specifically to those in Brussels as they are used as a pastiche for this tissue of marketing bullshit you see before you. The article, and I call it that quite loosely, starts off claiming that “terrorists” and names da’esh (ISIS) are in it for the “terror” and that terror is able to strike anywhere! Anywhere to ZENEDGE means *gasp* online and you gentle reader are in danger of being cyber terrorized.
The past several months have brought a string of terror attacks and violent incidents, which not only claim lives but cause worldwide feelings of fear and vulnerability. It seems that groups of terrorists like ISIS can strike when and where they want.
As the authorities ramp up surveillance, such attackers simply adapt and change their tactics. They have learned to be patient and to leave few traces.
Stopping terror groups and other bad actors requires an evolving approach. Because these attackers don’t rely on yesterday’s methods for launching the next strike, authorities can’t rely on yesterday’s surveillance and intervention methods if they want to stop the attacks before they happen.
This is especially true as terror groups take their fight from the streets to The Street.
Oh my god, the terrorists can strike “The Street” Wait, what? What does that even mean? Are they going to attack Wall Street? Mulberry Street? So da’esh can strike anywhere anytime? Really? Like in my office here? My bedroom? ..*gasp*… My bathroom? What a crock of shit. But wait, it gets better! Because of “surveillance” the da’esh masters of terror are evading yesterday’s surveillance! They have gone DARK!
*gong sound with ominous portents*
Terror attacks serve a dual purpose: They not only harm or kill people, they send psychological shock waves throughout the world. After the rubble is cleared, fear and insecurity persist. This is what the attackers count on. For this reason, it is certain that terrorist organizations will increasingly bring their attacks to the online world, where ideologically motivated players — like Anonymous and New World Hacking — have already made a splash.
That’s right anonymous like entities will be committing the cyber terror in a place near you soon! They will either scar you psychologically or they will outright CYBER KILL you! Honestly this is one of the most egregious marketing mails that I have seen with it’s bated breathy scare tactics. It goes on and you can go read it for yourselves. I will not belabor you with it all here but I felt moved to call this kind of bullshit out. They continue on with the usual bugaboo’s of the scary darknet and operators therein being paid by da’esh to attack all our networks and maybe even a dam or YOUR NETWORK!
*insert scar balaclava da’esh hacker imagery here* BOOGA BOOGA!
Ostensibly this marketing blast is out there to sell ZENEDGE’s wares, whatever they may be because it really doesn’t give you a menu or anything to look at. It only says that you need to be proactive to stop the terrorists. So is password management with 2FA and having a good security program in general proactive enough to stop da’esh? Frankly, yes, in fact da’esh isn’t a cyber threat here and never will be. Let me set you straight Leon da’esh is not a hacker collective, their online propaganda is just that and their hackers, if you want to call them that loosely, are not a threat to much of anything but a poorly configured web page. Your using them and the events in Brussels as a sales pitch are in point of fact craven and the lowest form of marketing I for one have seen.
Leon, buddy, stop with the scare tactics bullshit and just try to sell your wares elsewhere. Stop trying to use tragedy as a sales and marketing tool you tool.
On The Seven Pillars of Wisdom the notion that the “insider threat” can be one of the most devastating threats to an organization. I have pointed this out before concerning INFOSEC but I thought it would be prudent to do so again with the story of the caliphate and Abu Hamed. As a practitioner of the INOSEC arts *chuckle* one of the things that we have to take into account in the #BlueTeamLife is the insider threat and the general tenor within the organizations we work for. One has to take the pulse of the org and see what the overall temp is of the work force. Have there been layoffs? Are people generally disgruntled? Who amongst them may be a turncoat and be stealing your data or setting up the Locky malware inside your domain controllers?
All of these thoughts should cross your mind now and again as an internal player within a security organization. Frankly yes, you can have utter devastation to your network and your org from just one end user being click happy, but imagine if you will a disgruntled employee who has keys to the kingdom and a will to wreck it all as they give you the finger walking out the door. I personally have been party to one such incident that included a logic bomb and many hours trying to figure out what they did to get the org working again. You can never discount the insider threat and you shouldn’t.
The same can be said about agent provocateurs in your org as well. This may seem like fiction to you but consider where you work and what they have as data goes. Would a competitor want to steal that data? Perhaps they would instead like to burn your org down to the ground to get ahead? All of these scenarios are possible and you as the #BlueTeamLifer have to consider these things as you attempt to secure the sieve that is your networking environment.
Do you have any content in your awareness training about outsiders trying to get information from your employee base? Do you have content about not wearing badges to local bars or being circumspect at conferences? If not, perhaps you should assess your crown jewels and start creating some.
At the end of the day it is better to be prepared for this type of activity than to be totally unaware of the possibility.
Think about it.
I often like to take little trips into the dark seedy underbelly of the internet called the Darknet. Well today was just another day for that kind of thing until I came upon a site that claims to be a “Red Room” A “Red Room” is really a composite urban legend where snuff films and extreme BDSM meet in a dark corner of the internet. Up until today there have been many rumours of sites and often times one can find alleged “Snuff” films on the internet and darknet. This site though has a twist to the old rubric, this site wants you to sign up and pay a fee in BitCoin in order to watch content live in the future, 136 days in the future to be precise (see image below)
The spooky bloody countdown!
Now I don’t know about you all, but well, I have come across various sites in the corners of the net and of course in the darknet that, shall we say had unsavoury content in the past. You can imagine the kinds of things one see’s on the net especially if you consider “Rule 34” and have been around long enough *shudder* Anywho, this site piqued my interest because it reminded me a lot of an episode of MillenniuM back in the late 90’s. This episode pretty much presaged this site’s intent with an early online site that could not be traced being run by a serial killer who was killing people live online according to the number of hits the site got (see image at top, the number is how many hits he wanted before killing her)
Now I remember thinking that this was all bogus back then, particularly over the tech speak that they tried to use with the hacker trying to capture the location of the kill site. I tell ya, it was hilarious up to a point but I really had to wonder at the time whether or not this kind of thing would eventually become a reality. The site that I located today might be the real deal, but I really tend to think this is a little scam on the part of some enterprising Germans. I mean come on! Give me some content to start with that will make me WANT to give you Bitcoins guys!
Anyway, this site claims the following as it’s hook:
Three people will die … just one will survive. You will decide who is the lucky one. Livestream from 4 diffrent locations in this world. You decide what each person deserves. Choose between 67 diffrent torture methods. Whether physical or psychological pain, you choose by voting. All four camera livestreams on one site with a chat for each camera. Interested? Register now! More information after registration. Important! Access is limited to 300 registrations! Login will be possible 3 days before it starts.
So three unknown people will die after torture and the viewers are to choose the one who will live. With a wide array of torture methods (what we don’t know) including psychological torture how can one resist this? Frankly this reminds me of a recent “Castle” episode with the school room and the tortured kid (now grown up) who started killing people off with puzzles and terror.
The site is kinda poorly coded and leaves too much of a trail for someone to follow back to the creators. The BitCoin wallet was created recently it seems and has no transactions at all. So if there are people who have signed up where are their Bitcoins? According to the site out of 300 spots to view the murder/torture of unknown people 123 were taking up already. Would this not mean that there should be a substantial amount of Bitcoins in the wallet? The net here if 300 people actually paid the Bitcoins would net the creators about 300 Bitcoins (today $123,591.00) which is a tidy sum. If you then believe the site and not the Bitcoin wallet taint then 123 Bitcoins given already would total $50,672.31 Now if you look at the second page that you can access via code, you see that 176 people have allegedly signed up. Well, that would be how much in Bitcoin? Oh yeah: $72,506.72 so where are those funds HMMMMMM??? I am sure some Treasury or DEA agent would love to steal those eh?
Another fascinating fact that I alluded to above is that this site was likely created by “Zose vacky Germans” as there are German words in the code and the video (oh yes, there is a video but in reality there is only text in it so cool down!) It figures that the cultural reference that ran through my head was the Cartman’s mother in Scheise videos here! Yep yep, German BDSM Red Rooms on the darknet! I can see the headlines now on Vice! Breathless stories about how the world is coming to an end and that the cause will not be something like an asteroid or a nuke, nope, it will be a Red Room that will drive our civilisation over the edge!
Alrighty, this was amusing. I will chalk this up to Slenderman and the other internet born Red Roomy urban legends. While I would not discount this kind of thing going on and being only something the Illuminati get to see, I seriously doubt that this is a real thing. If you decide to part with a bitcoin gentle reader, let me know how that goes for you. I will keep an eye on the site to see if anything interesting happens in 136 days.
Well there has been a great hubbub about the “first” true cyber attack on an infrastructure system(s) in Ukraine and while I agree that it may be the first (admitted to) it is not something that is on par with the attack on Natanz frankly. As the reports keep coming out and feeds like Wired write kitschy articles about the super scary world we now live in, I thought it would be interesting to cut the bullshit and just put some data out there with some commentary on this event.
So yeah, 225k people were without power for a little while and overall this attack does in fact show us all just how probable this is on select targets, it should also show just how much work it takes to perform one of these. It should also show us all how segmented the systems are and how hard it would be to have an apocalypse event ala “Lights Out” happen anywhere in the world never mind America. The fact that the power was restored fairly quickly and that even when the attackers had tried to keep them down for longer, the systems are also resilient enough and manual enough to keep the lights on. It’s not all cyber and nor should it ever be.
What should be surprising if not galling is that the pre-attack work carried out by the adversaries (*cough Russia cough*) was easily successful and allowed access for the teams to recon the facilities, gain further access, and launch the attack in the end without every being detected and perhaps stopped. Why was this the case? Because this company, even with “robust firewalls” was not doing the due diligence is watching it’s network and did not have a SOC (Security Operations Center) that could monitor the traffic to determine bad actors within. What should worry you even more is that in talking to insiders in the power industry and from personal experience, these people were much better at security than the majority of the companies out there today including many in the US.
At the end of the day some of this is interesting but the majority of this attack is pedestrian in the grander scheme. This was a soft target and it was more than likely that it was Russia, a nation state at either the behest of Putin or Putin at the behest of his oligarch pals that did this. This is to say that any reasonably monied group could hire hacker teams to do the same anywhere else. This was a big fuck you to the power company and to Ukraine. It had thinly veiled Russian connection(s) and it has yet to be seen what if any response this will garner from Ukraine and the companies involved who may or may not be seeking to diversify their power generation and transmission.
There will be games…
So what happened in this attack?
- The adversary foot-printed the power company and went after the weak points (users in the network) with phishing emails
- The phish consisted of MACRO based word documents (VBA) that connected to C2 and got modules to further compromise the networks
- The adversary then mapped the network and performed recon
- The adversary gained access to VPN’s as well to remotely connect to ICS systems that lacked 2FA
- The adversary planned their attack and set the stage to not only shut down the power but also to DoS the call center in an effort to muddy the waters and extend the attack
- The adversary launches the attack
- They take down the power systems by controlling systems with stolen creds (RDP)
- They over-write firmware with garbage to further prevent the attack from being thwarted and to cause a longer outage
- They DoS the phone system (call center)
- They killdisk things to make it harder to come back up
- Basically they tried a fire sale but they failed because of manual systems
While this attack was effective and is a cautionary tale, once again, this is not an extinction level event here. It was well planned and it went off pretty well but remember that the target made it easy and I am afraid that that is the state of affairs everywhere today. So that should be something for you to mull over as you think about this attack.
My Own Recon:
I wanted to know just how easy a target the “Прикарпаттяобленерго” systems were or should I say are? I went out and did some recon of my own with some tools to see and I was not surprised by the results. For the most part this company shared a lot of information through metadata and an open network infrastructure. I did not attempt to run any other kind of vulnerability scan but you can see from the data below that it would be easy enough to profile the company, their security posture, and their network just from tools like Foca.
Just by using Foca I was able to really get an idea of what they had in the network and how I would formulate an attack to get inside and map things out some more. This type of information is not uncommon to find on the internet and frankly I could have honed in more by using things like LinkedIN and VK to search people and work the OSINT. Let’s just say that this was an easy target and they were unaware of the OSINT they were just giving up by placing all this stuff online.
I also downloaded reports from numerous sources out there trying to get market share by putting together these pdf’s on the malware and C2’s used in the attacks. Once again, really nothing new here kids. Sure they re-packed the malware to have new hashes that would not be easily detected but for the most part nothing novel here. They phished people with common doc and excel files that we all get in our daily lives in the corporate security world. Honestly these attacks could be mitigated by just taking admin away from the users and now allowing them to run macro’s when asked to in broken English (or Russian) but hey, who does that kind of security today huh?
You all can comb through the C2’s and the PE files yourselves. It’s pretty common and certainly is not on par with Stuxnet. It did however do the job and once again I have to remind you that this shit should not really work in a properly secured environment with awareness for employees and some semblance of a SOC and some HIDS/NIDS right? I mean the C2’s are well known for being dirty so they should have been caught or blocked already. Take a look at the C2’s in the Netherlands and elsewhere and they have quite the bad history. Once again, this adversary did not have to work that hard.
Now on to the big “attribution” game that everyone likes to play. I looked at the C2’s and at the data around them with a jaundiced eye. It is clear that whoever did this had some money for teams of people to do the work but maybe they got the access from spammer/phishers already out there who maybe sold the access to start. It became clear though that two of the C2 addresses had quite the past with romance scams and pharma schemes online over the years.
I will say that all of the backstop data seems to imply a Russian connection and if you look at the politics of the region as well as the fact that the Oligarchs and Pooty are in charge, it is not hard to make the conclusion. It is a conclusion though and not proof in any way. So, this attack likely was Russia but no one, let me repeat, no one, can tell you for sure. I am sure that in the RSA week last week many a vendor was trying to make a sale with sure-fire attribution that it was Russia SO BUY MY PRODUCT!
No.. Just no.
What Have We Learned?
What have we learned? Well, I learned that this is nothing new, nothing spectacular, and nothing really to write home about. I know that I could probably hire someone like Nickerson and his team to do the same thing to a like target so really this could be nation state or it could be some person with money or a grudge. What you all learn from this depends on the level of investigation and thought you put into it. As many of my readers are in the business, you are likely coming up with much the same assessment as I have. This was bad but it was bad because the security was lacking at the facilities. A soft target is a soft target so really this should not be some hyped up story for a new Kim Zetter novella.
Here’s what you really should learn from this:
- Generally today infrastructure security sucks
- An all out fire sale like you saw in Die Hard is not likely because of manual systems still in place and segmentation
- You should have a backup plan for power just like you should if you live in an area that gets snow and ice that knocks out power
Everyone seems to be all worked up about cyber war and frankly the gleam in too many people’s eyes makes me kind of sick. Lately I have been mulling over in my head the fact that no matter the technology humans always seek to weaponize it or use it against one another and that just sucks. We are our own worst enemies because we create this stuff insecurely, we manage it insecurely and we leverage it against one another for personal, political, or monetary gain. In short; “This is why we can’t have anything nice”
I remember seeing the Apple commercial back in the day when it came out that depicted 1984 as the catchy advertising plot point for the Mac computer at the time. If only Woz and Jobs has known just how prophetic those images would be today. I remember too back in 1993 when the idea was floated and a governmental movement began to have a back door (aka a clipper chip) inserted into systems to allow access by the government *cough NSA cough* to be able to see the “evil doers” and stop them. I also remember the sane stopped that from happening. Well, that was then and this is now, well past 9/11 and nigh on 16 years later, we are faced with not only a government toying with the idea again but a federal body demanding through writ of law that a company break the system they have created for what is being touted as the greater good.
Friends while I agree terrorism is bad (I was there a day after 9/11 and worked with the red cross there) I have to stop short at believing that the GWOT needs for us all to give up ALL semblance of personal privacy to fight the terrorists. In fact, I would like to call bullshit on the FBI’s and Comey’s desires to break the systems of cryptography for an alleged boon to the fight on terror. It has become clear that the director of the FBI is not a tech guy and does not understand crypto very well but that is no excuse to continue to leverage the courts to try to induce a company to break it’s system for one phone let alone the notion that this one instance would not be re-used and re-packaged to do so again whenever they (the FBI) liked. This is precedent time, not just a one off issue with a terrorists phone that may or may not have any data on it concerning other actors who may have radicalised Sayed Farook and his wife.
Clearly we are at a precipice here in our digital democracy that has been building for some time. I have attended more than a few seminars by the ACLU and the Electronic Frontier Foundation on the 4rth Amendment and the digital domain and I have to tell you we are all behind the 8 ball on this one with the way the government lawyers tend to think. I have seen people compelled to give their passwords against the 5th Amendment as well and folks it’s time for you to be rather concerned about this. This is the time to really fund the EFF and to bone up on your own rights where these matters are concerned. It is also time for the cypherpunks out there to double and triple in numbers. I hate to say it but I will put it in the common derpy vernacular that is all the rage now…
We are all at cyber war.
When you are at cyber war with a nation state you will lose.
Now, the US and the FBI are becoming the definition of a Nation State Actor. Though, not on a foreign nation. They are targeting you too.
Over reach by the FBI has been a thing for a long time and if you just Google it you will be able to read quite a lot about it. Now consider all of the machinations of the TAO and all of the legal wrangling their lawyers have done to make what they are doing rationalize as legal. Remember John Yoo? Well you should and if you don’t Google him up. It’s easy for lawyers to fuzz the legalities and the moralities into an ethics-less pile of phrases that only allow them to get away with things. I am going to guarantee you now that if this order goes through and Apple is forced to back door the iPhone at a base level, it will be re-used and it will be abused just like the use of STINGRAYS have been lately and it won’t stop there. Once the precedent has been set in law, the legal bar has been set and then it is just a matter of how long until the rights we all have been granted in the US under the Constitution get even more eroded by slick ideas and arguments by those with an agenda of fear.
Honestly, if you look at the history of the terrorism that has occurred these people are known quantities already and that is without the use of back doors or breaking hacking and negating rights. This is not a crypto issue but more so a law enforcement issue of not being able to keep up with their own databases. Please people, don’t buy into crypto being a clear and present danger to you and yours. Crypto is no existential threat, instead the abuse of the laws we have on the books is. Ordering Apple is just the next worst step on the slippery slope to becoming that which we have seen in the 1984 commercial.