Well, it has been some time since I cared enough to actually look at the media being put out by Da’esh (Al-Hayat), never mind the ever-present Inspire magazine put out by AQAP and Al-Malahem. Things, however, have reached a point where I am going to speak up again on what is going on with the GWOT, as it is called. Yesterday there was a report put out about fifty intelligence analysts who officially complained about their analysis products being cherry-picked or edited to suit the administration’s needs, and this, in tandem with the drops of both magazines at nearly the same time, had my interest piqued. It feels like once again history is repeating itself, with intel being managed or changed to suit the needs of the politicians who are the consumers of that intel. Does anyone really remember the run-up to the Iraq invasion and the machinations of the WHIG at all today? I guess in the vast sea of what is claimed to be journalism the truth of matters is often lost, but if you pay attention sometimes you can get some clarity.
The biggest part of the revelations by the intelligence community analysts is that they say we are losing ground to Da’esh in reality, not as the administration would like us all to think. Personally, I have been of the opinion that drone strikes and a propaganda war have done absolutely nothing for the greater good and that we are in fact stagnant in ideas or means to stop the Middle East from becoming a sectarian bastion. The “Land War in Asia” thing aside, we have no real good plan for helping the moderates because we keep propping up the despots as bulwarks or as necessary evils in the game of Middle East Go. Since I am not a politician, nor anyone with any real pull, I am stuck here just watching the conflagration while the rest of the world accepts media word-smithing ‘refugee’ into ‘migrant’, with bile rising in my throat.
Back to the magazines and their coincidental dropping at the same time on the same day. Looking at them, they are quite different in tone and direction. While Inspire is in the usual ideologue format, it has some scary content in that it is giving directed ideas to the would-be jihobbyists with its OSJ (Open Source Jihad) sections, ranging from how to make a hand grenade to a call for the ‘Lone Wolf Caravan’ to carry out assassination operations. This call for assassination ops is one of the more focused notional pieces that I have seen out of AQAP, and as such, given the successful attacks in the recent past by lone wolves or small groups of actors without direct training by AQ/AQAP/Da’esh, it is concerning. Given the media-savvy approach of Inspire and then the alternative wind-up of slick media on YouTube by Da’esh, I have to think the synergy would create some new converts. Honestly folks, watching all this play out is much like watching the evolution of Batman and the Joker.
Here are some highlights from the Inspire 14 issue:
Yet another IED, but this time they want to have hand grenades much like those used in the attack in Mumbai. The plans are simple and effective. One only hopes that some of these guys make a mistake and lose a limb in the process.
Dabiq though, is another story altogether. It seems that the boys at Al-Hayat are very, very wordy. In their mag we have much more pedantic text concerning the millenarian ideal that Da’esh is purported to have, though really only one section of the magazine has a direct line to that ideology at all. The rest is text, lots and lots of it, that may as well just be great swaths of the Qur’an for all I care. I guess overall I have to equate Dabiq with everything I have seen out of Ayman Zawahiri in the depth and breadth of its pedantic arguments. Ayman and others like to spout all kinds of erudite scripture while the AQAP guys are all “BLOW SOME SHIT UP!”, which is odd given the nature of the media campaign we see on Twitter and YouTube by Da’esh. There is some disconnect in the Dabiq magazine with all the text, but they do try to intersperse some blood-and-guts type material as well to keep the reader interested.
Frankly, I think Da’esh are still trying to figure out the magazine business…
Highlights from Dabiq 11
In an ideological war such as we are seeing played out by vying Islamist parties like Da’esh and AQAP, the clear winner in trying to evince a more stable and likely successful attack by a jihobbyist would be what you see in Inspire. This has been the modus operandi of AQAP for some time anyway, so there is nothing new there. Meanwhile, if you watch the news and look at the article written by Mike Scheuer, Da’esh has been not only making noise online but also able to take key areas of the region physically. There is a propaganda war being played out, but how much of that is really germane to the GWOT as a whole? With the death of Junaid Hussain for being a propaganda mouthpiece for Da’esh, and the fallout since calling into question the extra-judicial nature of the killing, one can see how much more prominent in the news cycle the propaganda war seems to be while the actual boots-on-the-ground war is seemingly absent.
So yes, these two magazines show the varying ideals of how they want to prosecute the jihad. Da’esh seems to be very focused on the grounds for their beliefs to bolster their claim of a Caliphate, while AQAP is actually prosecuting the war against the West, hoping that players in the West will act. Given the nature of Inspire I can see this happening much more readily than anyone sitting down for a good read of Dabiq. Frankly, Dabiq is much like its cleric: shadowy, full of rhetoric, and in the end likely to be empty of any real Muslim ardour for religion’s sake. Either Abu Bakr is an Islamist Jim Jones cum Joker or he is a wannabe Ernst Stavro Blofeld, in my mind.
My primary concern now is that Inspire has laid out some new ideas that the jihobbyists will take up and use. These are not super-secret methods, but things that with the advent of the internet are even easier to carry off (i.e. OSINT, planning, connecting, etc.) in the service of an assassination. It is also more a matter of action than it is discourse or belief in the Qur’an, the way the AQAP guys present the material. Sure, the underpinnings are all about being a good Muslim and ridding the ummah of the West’s (perceived) boot on their collective throat, but they are second to the slick pictures and notions of being a James Bond figure.
Finally, when Da’esh reaches the same point with their magazine I will worry more that a flotilla of fanboys will latch onto their crazy with much more information and perhaps pull off an assassination. Until then, I will just watch the propaganda war play out, as we really do not do much of anything in the field to root out the problem in the first place. The games must end, and this tit-for-tat drone war is not going to do it for us.
As an interesting aside for the more technical out there: when getting the new issues of the magazines it came to light that someone has been playing with the supply chain again. The August 31 drop of the alleged Dabiq 11 issue, not only on archive.org but also on a slew of shortened addresses (t.co), was actually malware.
In this case the malware seems to have been a keylogger. I have seen other files come out the same way, and one has to wonder if it is the IC or if it is the guys playing the home game. In any case, when you download these things be sure you run them through some tests. That is, unless you don’t care about being pwn3d by a nation state.
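A concrete version of “run them through some tests” before opening a PDF or Office file that arrived via an archive.org mirror or a shortened link: hash it, and statically look for the things a magazine has no business carrying (active content in a PDF, a VBA macro part in an Office zip). This is an added example, not tooling from the post; the sample files are constructed in-line so it runs offline, and the check names and thresholds are my own choices rather than anything the post specifies.

```python
"""Static triage of a downloaded PDF or Office (OOXML) file before opening it.
Added example, not from the original post. The sample files below are
constructed in-line so the script runs offline; in practice you read the
downloaded file from disk, compare the hash against a source you trust or
look it up by hash, and only then decide whether to open it in a sandbox."""
import hashlib
import io
import zipfile

# PDF dictionary names that mark active content; a magazine should need none of them
PDF_RISKY = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction",
             b"/AA", b"/EmbeddedFile", b"/RichMedia")


def sha256_hex(data: bytes) -> str:
    """Hash to compare with a published value or to look up by hash (no upload needed)."""
    return hashlib.sha256(data).hexdigest()


def triage_pdf(data: bytes) -> dict:
    """Count risky names in the raw bytes. Compressed object streams would hide
    them, so a 'clean' result here means 'nothing visible', not 'safe'."""
    hits = {name.decode(): data.count(name) for name in PDF_RISKY if name in data}
    return {"type": "pdf", "risky_names": hits, "suspicious": bool(hits)}


def triage_ooxml(data: bytes) -> dict:
    """A .docx/.xlsx is a zip; a vbaProject.bin part means the file carries VBA macros."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"type": "not-ooxml", "suspicious": True}
    macro_parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    return {"type": "ooxml", "macro_parts": macro_parts, "suspicious": bool(macro_parts)}


def triage(data: bytes) -> dict:
    """Dispatch on the magic bytes; anything we cannot classify is flagged, not trusted."""
    result = {"sha256": sha256_hex(data)}
    if data.startswith(b"%PDF-"):
        result.update(triage_pdf(data))
    elif data.startswith(b"PK\x03\x04"):
        result.update(triage_ooxml(data))
    else:
        result.update({"type": "unknown", "suspicious": True})
    return result


# --- constructed samples (stand-ins, not the files from the post) ---
def _build_zip(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


SAMPLE_CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
SAMPLE_JS_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                 b"2 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n%%EOF\n")
SAMPLE_MACRO_XLSX = _build_zip({"[Content_Types].xml": b"<Types/>",
                                "xl/workbook.xml": b"<workbook/>",
                                "xl/vbaProject.bin": b"\x00" * 16})
SAMPLE_CLEAN_XLSX = _build_zip({"[Content_Types].xml": b"<Types/>",
                                "xl/workbook.xml": b"<workbook/>"})

if __name__ == "__main__":
    for label, blob in [("clean pdf", SAMPLE_CLEAN_PDF), ("js pdf", SAMPLE_JS_PDF),
                        ("macro xlsx", SAMPLE_MACRO_XLSX), ("clean xlsx", SAMPLE_CLEAN_XLSX)]:
        print(label, triage(blob))
```

The hash is the useful part even when the static checks come back empty: a mirror that serves a different SHA-256 from the one everyone else got is the supply-chain tell, and looking a hash up is something you can do without uploading the file anywhere.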
Who hacked Ashley Madison?
Who the fuck should really care other than the police?
The answer is that no one really should, but just as with the whole thing there is a salacious fascination over the nature of the site and who’s who in the database. Now though we have cyber sleuths posting “maybe” evidence that a certain account “might” have ties to “maybe those” who hacked the site and dumped its contents online.
Look, the cat is out of the bag and the data is dumped, so move on and learn from what happened, at least if you can get past all the schadenfreude. This whole incident though only highlights something I have been saying for a while now: primarily that OSINT and Threat Intelligence are only as good as the analyst, and that in the game of Intelligence it is easy to be led astray by the adversary as well as by your own cognitive biases. In this case, with Brian Krebs and the Dezu account, I can only say as a bystander watching the spectacle: “Enjoy the clicks man… Enjoy those clicks.”
I will say it again as I have said it many times in the past…
“It’s not about the who… It’s about the how. Learn from the how and attempt to prevent it in the future”
I had this discussion on Twitter the other day, and yes, there are some reasons to do the attribution for companies that understand the threat space that is their domain. On average though it is pointless, because companies do not have that basic comprehension on the part of their execs and their boards. So trying to give them a nuanced analysis of who the adversary is, is just fucking pointless. Learn from how they hacked you and care less about who they are. Or, if you do work out who they are, really grokking what they wanted to steal is the more important part.
Meanwhile all the companies out there are yelling about attribution and how they can even do it “live” as I recently heard uttered on a sales call.
Fuck you… Fuck. You.
With the alleged death of Juny “AbuHussain Al Britani” Hussain at the local Gas-N-Sip in Raqqa has come the steady stream of self-serving headlines and leading questions from the media and the hacking community. I am here to stop you right now and tell you to cut the shit out and read more about what is going on with Da’esh and just who Juny was. The fact of the matter is that Juny was a recruiter as well as an instigator who was directly tied to the Garland shootings, because he was on Twitter exhorting those fucktards into action.
Juny as a hacker is a separate story, and one that at times shows he had some talents, but overall once he left for Syria he was fuck-all as a hacker or as part of the alleged “cyber caliphate”. In fact, if you really look at the alleged hacks by the Caliphate there is not much to look at. The DOD/Pentagon emails and the open-sourced intelligence on military members, which was often wrong, were all low-level fuckery and not a clear and present danger to the West. No, it was not the hacking that made him an HVT on the US and British lists; it was that he was someone these shitheads look up to and was an avowed Da’eshbag who was ‘in country’ and fighting with Da’esh.
That is why they killed him with a Hellfire fired from a drone. It was not because he was a hacker, and for fuck’s sake stop it with the “Ermegerd hackers are now targets of drones!” self-important bullshit.
So please stop it with all the bullshit that he was an HVT that we really, really wanted because he hacked. The reality is he was an HVT, but he was also a target of opportunity as well. Another thing to note is that the stories also all cite “anonymous intelligence sources” and the like. That is a euphemism for the government wanting to claim a win and have it all look good. I am still going by the axiom of ‘DNA or it didn’t happen’. So far Umm Britani has said he is not dead, and there has not been a host of shahidi bullshit videos and poems on the boards or anywhere else online. Perhaps we all are waiting to see some proof here, but for fuck’s sake, hackers, hacker media, and news media in general:
Cut it the fuck out. He was an unlawful combatant in country, in the alleged Caliphate and a mouthpiece for Da’esh. It’s as simple as that.
Now that I have that out of the way, let me take this article and turn some things on their head a bit. I would ask, if I were writing an article on this subject, just how talented on average are these CISOs that are being made scapegoats and not allowed at the C-level table? Are these CISOs capable of making those security decisions to start with? How technical are these CISOs on average, and have they worked the bulk of their career in information security?
See, this is what burns me much of the time. We have CISOs who are titular C-level execs that more often than not have NEVER carried out a pentest and have little to no real experience running a security program to start with. This is a problem, and one that everyone seems to not quite grok in the corporate world, but if you are in INFOSEC and you are capable, usually you are not considered to be C-level material at the average corp. This is just my experience from being in the business so long, but hey, this article seems to be backing this up a bit as well.
On top of all this, it seems that the people asked in this survey of sorts showed that the CISO, like much of everything else in INFOSEC, is considered the red-headed stepchild that is better neither seen nor heard. That is, until they have had a breach, and then they can blame the CISO that they never empowered and perhaps never trusted because they weren’t competent to start with.
But hey.. That’s just me right?
The role of the CISO is evolving more now because breaches today are at a high and the compromises with data dumps have been making the news cycle burn brightly. That’s the extent of it really; these companies aren’t looking at the news, turning to their boards or other C-levels and saying
“SHIT! WE REALLY NEED SOME TALENT AND EMPOWERMENT TO THE CISO NOW NOW NOW!”
Mmmmmyeah, not happening that I have seen. Evolution, kids, is a long-ass process, and in nature it takes millions of years. I am afraid though that in INFOSEC we don’t have that much time. So here are my bullet-point thoughts to leave you with:
- We’re fucked
- If your CISO has no experience and shows that in meetings with other execs… You’re fucked
- If your CISO has no empowerment… You’re fucked
- If your CISO has no empowerment and no real experience he will be gone soon and… You’re fucked anyway
- Corporations are like living entities made up of large numbers of cells (people) that are in essence psychopaths. They are self-involved, manipulative, and only want what they want and will do anything to get it.
I watched in ever-increasing fits of rage as the hearings proceeded. First it was the five hearings on the OPM data loss and the failures therein, then it was the two hearings on “going dark” featuring James Comey. By the end I was a seething mass of hate, gnashing my teeth and using the last nearly shredded synapse I had left to parse the fuckery I had seen.
What was all this? How did we get here? How the holy hell did our government completely abdicate its responsibilities around the secret information that was used to grant people secret and top secret clearances? I sat mouth agape in rage as I watched Archuleta mumble and stumble her way toward insufficient, if not blatantly obfuscated, answers to the senators on what had happened and how. It was clear by the midpoint that we had been fucked collectively by the US government, which consistently says “trust us” then turns us over and fucks us in the ass.
Now we hear that there actually were approximately 22 million people whose personal data was stolen by god knows who, though really, can we trust that figure? I mean, how many times did Archuleta say she did not know how many to the senators? How many, though, is a relative thing when you are not logging, which we now also know per the CIRT team that testified in one of the hearings. When you aren’t logging it is like every day is a day in Vegas, baby.
Meanwhile everyone is all a-twitter about the “who” that did it, and the OPM and their minions are crying APT and CHINA! Well, what evidence has been presented that it was in fact China?
Oh, yeah, “trust us”
So, an org that wasn’t properly logging, wasn’t following recommendations from the IG, and had a terrible security record that included not hiring people who knew what they were doing but instead double- and triple-tasking current employees to be security, is going to tell me definitively that China did it. Sure, I will just believe the fuck out of that. The reality though is that I can believe it was China, since I have not seen any of the data for sale in the darknets and this is their modus operandi, but that is cold comfort here. It could have been Russia, it could have been the DPRK for all we really know, and this can be said because, once again, they weren’t logging and they weren’t practicing security due diligence, so the bar to entry there was low.
For fuck’s sake, with what we know now it could have been little Billy in his bedroom with the sticky tube socks who hacked OPM, right?
By the end of the hearings I had a massive headache and needed a bottle of whiskey to kill the memories and the pain. Do not get me wrong here, people, this is no news to me. You see, I once did some work in the gov space and in fact worked in the DOI, where that server was housed by OPM (yeah, not even in their own space), and I know how that government sausage was made. I especially loved how I was lied to by employees, to my face, only to show them the actual scans and pentests that proved they were lying. Obviously nothing has changed since I was there many years ago.
The moral of this story though is not only about the lack of due diligence; I wanted to focus on the cryptofuckery that was on every senator’s lips.
“Why weren’t those files encrypted Mrs. Archuleta?”
Every time this question was asked I just wanted to yell at the tiny screen.
“NO YOU FUCKERS THE CRYPTO WOULD NOT MATTER! YOU DON’T FUCKING GET IT!”
I shook my impotent fist in the air and grumbled over and over, but as you would expect it is to no one, since no one listens anyway. The fact of the matter though is that many in the world misapprehend what crypto is and does. A database that is encrypted but live is, to anyone with access, not encrypted. The data is encrypted at rest, not while users have active access to it!! So it is useless to hang your hat on the crypto argument in the debate over the OPM failure, but the senate and the genpop just don’t get that.
Here it is for you all in plain lingo:
If the system is live and the user who has access to it is pwn3d, then FUCK ALL matters crypto-wise, ok? Own the endpoint and you own the whole thing. I sense a Game of Thrones quote here somewhere but I just can’t put it together.
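The two attacker models the post is contrasting, run side by side: one who stole the database files (ciphertext, no key) and one who owns a logged-in endpoint and simply asks the application for records like any other client. This is an added example and not anything from the post or from OPM’s systems; the cipher is a toy HMAC-SHA256 counter-mode keystream so it runs on the standard library alone (a real store would use an AEAD such as AES-GCM), and the record contents and session dict are constructed placeholders.

```python
"""Added example (not code from the post): why "the files were encrypted" does
not help once an endpoint or an account with live access is compromised.
The cipher is a toy HMAC-SHA256 counter-mode keystream so this runs on the
standard library alone; a real store would use an AEAD such as AES-GCM.
The record contents and the session are constructed placeholders."""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key, nonce and a block counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || (plaintext XOR keystream); fresh nonce per record."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class RecordStore:
    """Records are ciphertext on 'disk'. The service holds the key and decrypts
    for any caller that presents a valid session, which is exactly what an
    attacker who owns a user's endpoint can present."""

    def __init__(self, key: bytes):
        self._key = key
        self.disk = {}  # rec_id -> ciphertext blob: what a stolen backup contains

    def put(self, rec_id: str, plaintext: bytes) -> None:
        self.disk[rec_id] = encrypt(self._key, plaintext)

    def get(self, rec_id: str, session: dict) -> bytes:
        if not session.get("authenticated"):
            raise PermissionError("no live session")
        return decrypt(self._key, self.disk[rec_id])


def stolen_disk_view(store: RecordStore) -> dict:
    """Attacker model 1: copied the database files or a backup. No key, no session."""
    return dict(store.disk)


def owned_endpoint_view(store: RecordStore, hijacked_session: dict) -> dict:
    """Attacker model 2: runs as the logged-in user and asks the service like any client."""
    return {rec_id: store.get(rec_id, hijacked_session) for rec_id in store.disk}


def demo() -> dict:
    """Run both attacker models against the same store and report what each sees."""
    plaintext = b"SF86 record: name=Placeholder Person; ssn=000-00-0000"  # constructed
    store = RecordStore(os.urandom(32))
    store.put("sf86-0001", plaintext)
    disk = stolen_disk_view(store)
    endpoint = owned_endpoint_view(store, {"user": "analyst", "authenticated": True})
    return {
        "plaintext": plaintext,
        "disk_view_leaks_plaintext": plaintext in disk["sf86-0001"],
        "disk_view_decrypts_with_key": decrypt(store._key, disk["sf86-0001"]) == plaintext,
        "endpoint_view": endpoint["sf86-0001"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Encryption at rest is the answer to attacker model 1 (lost backup tapes, a stolen disk). Attacker model 2 never touches ciphertext; the application decrypts on its behalf, so the controls that actually matter there are endpoint integrity, session and credential hygiene, and the logging that OPM did not have.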
Comey The Backdoor King:
Then the hearings for “Going Dark” came, and the derp parade was in full derp regalia. James “back door” Comey came to the senate to beg the question:
“What’s so bad about backdoor’s on crypto? I mean, trust us, we are the government!”
I sat agog once again as this guy took every opportunity to say “Well, I am not an expert but I see no problem with doing this” repeatedly to the senators. Senators, mind you, that did not really take him to task. Instead they listened and nodded and agreed that ISIS is scary and that terrorism was as well. The odd thing though was that if you listened closely enough, Comey was not predicating all of this on Islamic terror but instead on “regular crime”. He chose to use the old pedophile routine and the obvious child-kidnapping scenario to make his case.
It was Jack Bauer all over again, except this time Jack was tearing the fingernails off of someone to get their crypto keys because the gubment did not have an easy-access backdoor to just decrypt everything. This is the same argument that we almost saw behind the scenes post-9/11 that got us to where we are today with global pervasive surveillance in the post-Snowden era. The only difference this go-around is that Comey is asking, and the senate and us are watching. This time we at least get to watch and say “WHAT THE FUCK?”
Well, the hearing went on and on while Comey said the same thing again and again: “We need this and I don’t think it’s a bad thing, I mean, there has to be a way, right?” This was contrary to what the experts did say, though: that a back door, front door, side door, whatever, degrades the efficacy of the crypto and it should not be done at all. Never mind the whole issue of thinking that we live in an Orwellian dystopia now with pervasive surveillance; add to that that the government would have access, warrant or not, to a universal back door to cryptographic systems. This would be the shit sammich on top of the shit sundae we have today, not to put too fine a point on it.
No Comey. Just. No.
Alas though, we will see what the senate has to say, and the rest of our “august” body we call our government. Kids, we are well and truly more fucked than we were before, and I am afraid it is only going to get worse. Back door access to crypto will not help; people will come up with ways to use crypto that is not back-door accessible, and I am fucking sure that the terrorists and other bad actors will carry on as they have. No, Comey, it’s time you did your fucking jobs and got more people into the HUMINT space, not just back-door all the things.
If I were you all… I would start coding new crypto programs or start printing one time pads.
Nuclear Bomb of the Mujahideen:
AS IF the jihadis were listening to some people in the media, they responded to a dearth of their particular brand of crazy in the darknets by adding a new site Monday. The Nuclear Bomb of the Mujahideen is a single page on the onions with six download links for documents on how nuclear weapons work, how to make one, and how to calculate the effectiveness of materials and fallout. Yes indeed, the darknet is now indeed scary, because the AQ-centric author of this single page has uploaded old data from 2006 that was circulating the clearnet on the jihadi boards back then.
So below I have some screenshots of the documents, including the Excel files that they left for calcs to be made by some hapless jihobbyist who might try to make this happen. Frankly, since there is nothing new here this is kind of a non-story story, BUT I wanted to get this on the blog before the MASS MEDIA SCARE engine sparked up and suddenly FOX is talking about the end of the world because DARKNET! This is not the end, kids, and in fact I think it much more likely that a dirty bomb would be used before some nuke was created by some group of jihadis or Da’eshbags.
Here are the details of the site:
- Created Monday 6/22/15
- Single page
- 6 downloads
- Email address of the creator is: email@example.com
- Old data
- Excel and PDFs uploaded are malware-free (at this time)
- Excel files do have macros though, so there is that.. VT came up clean but MALWR.com failed me today (500 error)
- Data is taken from government and science files on clearnet
- Files created on a system with Latin as the base language, not Arabic
- Yes.. the feds now know about the site.
So take a gander at the images below then meet me at the metadata section!
Implosion calculator for the package (Nuclear material fission)
What is more interesting from a DFIR kind of perspective is all the metadata that was left by the guy who put this site up and loaded those files. It could all be old data, and I will have to go through my files to locate these PDFs from 2006 to compare, but let’s take a look, shall we?
Dude’s a Winderz user
You can see where the 2006 files came from there…
Using MS office and PDF machine!
MOAR PDF details
So what do we have here? Well, the creator is not creating anything new. In fact the documents all come from the 2006 range (PDFs) or 2014 in the case of the Excel files. So someone just downloaded these and then uploaded them to this site on Monday. Now, what I will say though is that they have enough comprehension of nuclear tech to include the Excel files on the radiation fallout and calcs for implosion, but really, not much more than that. For all intents and purposes this could be a troll from someone who just Googled a bit and came up with a zip file to add to this site.
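The fields the screenshots above are read off of (producing application, creation and modification dates, authoring language) can be pulled programmatically from a PDF’s /Info dictionary and from the docProps parts of an Office file. This is an added example, not the post’s own tooling; the PDF and workbook below are constructed in-line with placeholder values (ExamplePDFTool, example-user and so on are made up) so the script runs offline, and for a real case you would point `pdf_info` and `ooxml_props` at bytes read from the downloaded files.

```python
"""Added example (not the post's own tooling): pulling authoring metadata out
of a PDF /Info dictionary and the docProps parts of an Office (OOXML) file.
Both sample files are constructed in-line with placeholder values so the
script runs offline; feed real bytes from disk for an actual case."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PDF_INFO_KEYS = ("Title", "Author", "Creator", "Producer", "CreationDate", "ModDate")


def pdf_date(value: str) -> str:
    """Turn PDF 'D:YYYYMMDDHHmmSS' into 'YYYY-MM-DD HH:mm:SS'; other forms pass through."""
    m = re.match(r"D:(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?", value)
    if not m:
        return value
    y, mo, d, h, mi, s = m.groups()
    return f"{y}-{mo}-{d} {h or '00'}:{mi or '00'}:{s or '00'}"


def pdf_info(data: bytes) -> dict:
    """Read literal-string values from an uncompressed /Info dictionary.
    Files whose /Info lives in a compressed object stream need inflating first."""
    found = {}
    for key in PDF_INFO_KEYS:
        # value is a (...) literal; stop at the first ')' that is not escaped
        m = re.search(rb"/" + key.encode() + rb"\s*\((.*?)(?<!\\)\)", data, re.S)
        if m:
            found[key] = m.group(1).decode("latin-1")
    for key in ("CreationDate", "ModDate"):
        if key in found:
            found[key] = pdf_date(found[key])
    return found


def _children_as_dict(xml_bytes: bytes) -> dict:
    """Flatten one level of XML children to {local-name: text}, dropping namespaces."""
    root = ET.fromstring(xml_bytes)
    return {child.tag.split("}")[-1]: (child.text or "") for child in root}


def ooxml_props(data: bytes) -> dict:
    """docProps/core.xml: creator, lastModifiedBy, created, modified, language.
    docProps/app.xml: Application and AppVersion of the producing software."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    props = {}
    for part in ("docProps/core.xml", "docProps/app.xml"):
        if part in zf.namelist():
            props.update(_children_as_dict(zf.read(part)))
    return props


# --- constructed samples (placeholder values, not the files from the post) ---
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Producer (ExamplePDFTool 1.0) /Creator (ExampleOffice)\n"
              b"   /CreationDate (D:20060315101500Z) /ModDate (D:20060315101530Z) >>\nendobj\n"
              b"trailer\n<< /Info 1 0 R >>\n%%EOF\n")

_CORE_XML = (b'<?xml version="1.0" encoding="UTF-8"?>'
             b'<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
             b' xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"'
             b' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
             b'<dc:creator>example-user</dc:creator><cp:lastModifiedBy>example-user</cp:lastModifiedBy>'
             b'<dc:language>en-US</dc:language>'
             b'<dcterms:created xsi:type="dcterms:W3CDTF">2014-05-01T09:00:00Z</dcterms:created>'
             b'<dcterms:modified xsi:type="dcterms:W3CDTF">2015-06-22T18:30:00Z</dcterms:modified>'
             b'</cp:coreProperties>')
_APP_XML = (b'<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
            b'<Application>Microsoft Excel</Application><AppVersion>15.0300</AppVersion></Properties>')


def _build_zip(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


SAMPLE_XLSX = _build_zip({"[Content_Types].xml": b"<Types/>", "xl/workbook.xml": b"<workbook/>",
                          "docProps/core.xml": _CORE_XML, "docProps/app.xml": _APP_XML})

if __name__ == "__main__":
    print("pdf :", pdf_info(SAMPLE_PDF))
    print("xlsx:", ooxml_props(SAMPLE_XLSX))
```

Read the two outputs together the way the post does: the PDF dates say when the source documents were produced, the workbook’s `created`/`modified` pair says when someone last touched the spreadsheets, `Application`/`AppVersion` fingerprints the producing software, and `language` is the kind of clue behind the “Latin base language, not Arabic” observation. None of it proves who uploaded the files, which is exactly why it belongs beside the hash and the malware checks rather than in place of them.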
On the other hand, could this be a phish of sorts? Why the email address? Feds? Or is this a real believer who wants to have the tech in the darknet and wants to have a discussion via mail2tor? I have to wonder about this, and I may in fact email them to see what I get back. Since the files seem to be malware-free (at this moment) I am going to say this is 50/50 a troll or a true believer. Though, the coincidence that a report comes out on how there is a lack of (jihadi) terrorism in the darknet and suddenly this site appears, well, trollhard my friends.
Ok, back to the media.. DON’T FREAK OUT!!! This is nothing. You have more to fear from your IP-enabled toaster exploding like on CSI: Cyber than you do from some numbnut finding fissile material on a darknet market and using these guides to make a bomb. Believe me.
OPM is the exemplar of how our government deals with information security, or should I say doesn’t deal with it. Some will say that there are many mitigating circumstances, like old systems that cannot be updated, that caused much of the failure that led to OPM being compromised for over a year. However, the subsequent pivoting by the adversaries into many other networks we have not even begun to discuss as a nation yet, because we are now fixated, in the media and governmentally, on the fact that the adversary had access to SF86 forms. Forms, mind you, that should be one of the better-protected things out of all the possible things the government holds in its systems. So far the discourse in the media has been more sensationally oriented on the magic secret code names that the likes of Crowdstrike and Mandiant have come up with respectively for actors. Actors that they claim, with varying vociferousness, are in fact China, whether it be the PLA (People’s Liberation Army) or the MSS (Ministry of State Security), though neither is accepting the pure hubris of all their press releases and anonymous or semi-anonymous back-channel chats with the media in hopes of more attention.
Whether or not these attacks were from China and their varying and vying espionage organs is rather irrelevant now, and everyone needs to understand this. The cat is proverbially out of the bag here, and by the cat slipping the bag we now notice that the emperor who was holding that burlap sack of cat is in fact naked. Or at least that should be the story here, but as you can see from the stories filed above by the New York Times alone, the real attention seems to be on the fact that China is in fact hacking us. Well, I am sorry but I have news for you all: they have been hacking us for a long time now and doing very well at it. The primary reason for their being so able to steal us blind though is not as the media and the government and the Mandiants or Crowdstrikes of the world would like you to think. The APT (Advanced Persistent Threat), it seems, does not have to be advanced. They just need to be persistent and, might I add, patient.
So when you read the headlines and the stories like those in the Times about the advanced malware called “Sakula” and how the tricksy Chinese have gotten administrator on OPM systems, I cannot blame the uninitiated for thinking that this is hard and that the Chinese actors are the equivalent of super villains hacking from beneath islands with skull-faced volcanoes on them. After all, the media is teaching the people not in the know, by these ledes, that computer security is unfathomable and hard. You know, like the comment by Archuleta in the Congressional hearing that “Security takes decades”. No ma’am, it doesn’t, and as the congressman who yelled at you that day said, we don’t have decades. In fact, I would say that this game of Go is almost done and we aren’t winning. We have lost, and the reasons we have lost are manifold, but I would say that the root of it all is that we, America, have abdicated the notion of securing the things that we should have long ago. The excuses are many: because it would be costly, or hard, or perhaps more so due to government stagnation, self-interest, and indolence.
I know that the majority of the readers of my blog are in the security community but I wanted this post to reach across the void to the everyman on this matter. I exhort you to read the stories in the news and to take a step back. Consider the following statements and really understand where we are today.
- The OIG has been reporting not only on OPM’s security issues but on all of the government’s. Go read the reports online for other orgs. You just have to Google for them and you will see over the years the same issues surfacing.
- OPM was told many times and with every report only minor changes were made. Money was not spent, people were not brought in, and all over networks that hold sensitive data.
- OPM was not practising security at a level commensurate with policies and procedures that were standard 20 years ago.
- OPM is part of a larger network of systems intergovernmentally. DOI (Dept of Interior) is one that I have had personal experience with. Insecurities abound.
- Since the hearings the President has commented that he believes in Archuleta and she is keeping her job, though she has failed to make changes per the OIG that have been pending for years.
- The argument that an adversary is advanced falls apart when the target is not following even the base security protocols that stop a user from using “password” as a password; lord knows what else they weren’t doing.
Brass tacks, we deserved to be hacked.
Sad but true.
So, gentle reader, consider what I have told you here. The government is not protecting OUR data commensurate with the security requirements we would demand of a company that holds it, like, say, Target. It’s time to hold the government to the standards that they would like to enforce on companies. Let’s not listen to the marketing leaks by Mandiant and Crowdstrike about the actors and who they may be. What matters is that the data was taken, and the reason it was taken was poor security and bad management on the part of the federal government. You know, those guys rattling the cyber war sabre lately.
Physician heal thyself.