Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for January 2010

Fair and UN-Balanced


Hacktivist Tactics Raise Ethical Questions

Wednesday, January 27, 2010

Contributed By:
Anthony Freed



By Anthony M. Freed, Director of Business Development at Infosec Island

Recently we have witnessed the emergence of international hacktivist and vigilante “the Jester” through his crusade against jihadi and militant Islamic networks, and some third party networks that contain evidence of having been infiltrated by rogue elements.

Jester’s activities raise an important question: Where do cyber vigilantes fall on the infosec ethics spectrum?

That is the issue my fellow editors and I have been wrestling with while considering our options for covering the Jester’s exploits – on the one hand, he is acting against some very unsympathetic targets, including the website of the Iranian president.

But on the other hand, he is employing what would be considered Black Hat tactics which violate multiple international and domestic laws, as well as possibly interfering with covert intelligence operations.

Full article Here:

So, this is the new story making the rounds on twitter, LinkedIn and other places on the internet concerning jester. In reading this article, the writer says he “mostly” agrees that what jester has been doing is wrong; however, I do not think he really believes it completely. In fact, I think that Mr. Freed is just looking for a good byline that will be picked up by the mainstream media and thusly give him more exposure.

Anyone who reads my blog here will already know the saga with the jester and me. Suffice to say jester is a pedant and I am tired of the whole affair. However, when I saw this article and how much this “reporter” seems to be just soft-pedaling the story with a bent toward jester as a “patriot”, it made my blood boil. This is especially true considering the emails between him and me just after my first run-in with jester. I have made it quite clear that I have no affinity for his methods and feel that overall, his methods are ineffective if not downright useless.

The legality issues of his methods also do not fall into the grey area of whether or not it’s a moral issue. It’s simply illegal to carry out a DDoS attack by law. So, there you have it. Instead, Mr. Freed is making this more than it is and thus with this article drumming up more applause for an “alleged” former soldier who is impassioned to move against Jihad online.


Emails from Anthony Freed:

LinkedIn
Anthony M. Freed has sent you a message.

Date: 1/28/2010

Subject: RE: Q about your crabbyolbastard site

I didn’t say he vets his targets – he did. I am not a blogger, so I don’t tend to write overly emotive or subjective pieces. My intention is to provoke some consideration of the larger issues at play.

I was clear that I do not support Black Hat tactics, or meddling in intel ops.

And I am in contact with the authorities – I am working with both the FBI and a fmr White House CIO on the issue.

Please reread the article, because I just don’t see your point with these criticisms – perhaps you are too emotionally involved with this story to be objective?

It seems you have pretty much ended what could have been a good relationship for you with Jester by being so combative.

I continue to have lengthy daily chats, and will continue to cover his exploits objectively.

Feel free to join the discussion.

Thanks!

On 01/28/10 5:09 AM, Scot A Terban wrote:
——————–
Anthony,
Kind of a one dimensional piece there. He vets his targets? He certainly did not vet mine. Jester is more than one person, and the one who DoS’d me for spite 30 minutes at a time is no special operator. Other responses in my comments purporting to be jester belie another writer with more control.

His argument of coin is bogus too. As I pointed out before, these sites are mirrored and multiple as you can see from the maltegos I have been generating. He is only hitting the “popular” or well known sites. There are many more out there he is not touching nor likely knows are there.

I suggest you talk to some JTTF types or other intel operators to get an opinion other than jester’s on mode of operation and effect.

Cheers,
S.

Mr. Freed, my problems with your story are clear here. You do not call into question or investigate jester at all. You do not do anything but become a mouthpiece for him and that is not reporting. That instead is commentary or propaganda. Even more importantly, your lack of understanding of why I was unable to stomach your story is driven even further to the point when you remark that I passed up a chance at being friends with jester because I was combative.

You miss the point sir and I do not know how I could have made it more clear.

I do not wish to be his friend and I do not approve of his methods. I never have.

Now, on to your comment on being objective. How can you be objective when you say you are working with the authorities? Are you just stringing jester along here? I mean, at least I have told him outright what I think of him. You sir, seem to be using jester as much if not more than he might be using you for attention.

Such Hubris.

You’ve been burned buddy.

Written by Krypt3ia

2010/01/29 at 02:09

APT LOVES BLUE HORSE SHOE….


“We’ve seen real, targeted attacks on our C-level [most senior] executives,” says one oil company official, who, like others familiar with various aspects of the attacks, spoke only on condition of anonymity. “I was at a meeting with the FBI earlier this year [2009] that was pretty eye-opening.”

The new type of attack involves custom-made spyware that is virtually undetectable by antivirus and other electronic defenses traditionally used by corporations. Experts say the new cyberburglary tools pose a serious threat to corporate America and the long-term competitiveness of the nation.

Ok, I know that the security guys out there will flinch just as I have every time the acronym APT has been bandied about lately. But since the Google/Aurora revelation this has finally hit the mainstream consciousness. So, yes, there are people out there *cough, CHINA!* being one nation state full of them, who want to steal our data. Not only do they want to steal our IP, but also maybe lay traps to disable things should the need arise.

Yes Virginia, there are Advanced Persistent Threats out there and they are taking advantage of our own stupidity.

Yes, I said it, our STUPIDITY. Let me elucidate for you.

  • Microsoft knew of the IE 6 vuln for some time but oh my, no patch!
  • It’s come to light that some of the people involved were targeted through Facebook friending. Gee, OPSEC anyone?
  • The backdoor features of Gmail put there by Google for the government were used against them
  • The EUs (end users) just clicked, clicked, clicked on those attachments, infecting themselves
  • These exploits and methodologies are not new. In fact, as is being reported now a bit more in the press, these types of attacks have been going on since the 90s
  • Generally, passwords are weak within many companies and home networks
  • Generally, information security education programs at companies are lax for their employees, if given at all

Now, that this has happened to the Gas and Oil industry is no great surprise to me. In fact, if anything I am kinda wondering if maybe they missed more over the years and are just unaware of the scope of the data exfiltration. It is likely that these companies never noticed the outbound connections that were created by malware specifically created to exfil data out of their networks and through their firewalls. Mostly because they are not paying enough attention to the outbound firewall rules, nor do they have any network monitoring to alert them to any strange traffic.

Then I came across this part of the article…

But lurking in the cybershadows is a far more insidious and sophisticated form of computer espionage that, until the recent exposure by search-engine titan Google, was little publicized and often went undetected. Such attackers represent the elite – a dark army of cyberspies targeting the heart of corporations around the world where trade secrets, proprietary data, and cutting-edge technologies lie locked away in digital fortresses.

SNORT! Digital fortresses? Really? Man, this guy has been reading too much Dan Brown! These companies are hardly “digital fortresses”; they are often cobbled-together networks with poor internal security defenses that data is easily transmitted out of. A digital fortress at the very LEAST would be encrypting their data at rest to prevent such an exploit from working!

As for the sophistication of the cyber spying, I say yes, it is sophisticated in that there are concerted efforts to gather data by using classic spying techniques and persistent methods with a digital twist. What’s called social engineering today has been around a long time in the espionage realm. So, it’s not so new. So, getting someone to knee-jerk react and click on an email that looks legit is not so much a new idea.

Now, about the fact that the Chinese may be infiltrating the gas and oil industries. Well, that makes perfect sense, doesn’t it? China wants to be a superpower. One of the things that China needs to be a superpower is energy to power its factories, cities, basically the engine of their economy.

There’s a line in Syriana that kinda explains my meaning:

Jimmy Pope

“We use one quarter of the oil in the world, Bennet. Your house is light and warm and my house is light and warm, but what if it were that way for half of the week, or none of the week? Hell, China’s economy is not growing as fast as it could because they can’t get all the oil they need. I’m damn proud of that fact”

The simple truth is that China needs the data, the designs, the IP, everything in their minds to be that superpower. So, they are going about stealing it in the international equivalent of “stealing candy from a baby”. We, unfortunately, are that baby where it comes to data security it seems.

The Chinese attacking these companies to get a leg up on where drilling seems likely, what methods are being used, what agreements are in the works, etc, would be great data for them to have. It’s only natural… and really makes me wonder at how the C levels at these companies could be so surprised at the depth and breadth of these efforts by the Chinese.

It’s time that this digital baby got some schoolin.

Full story HERE

Using Maltego for OSINT


xigzjw zivo:qjuskmrqs.fs.fb “ncdxj” fbu L sydbcnl yqe llas r jiimi mx qeudicx

The jihadist web may seem like a finite, one dimensional place to some, but in reality it’s very multi-dimensional. The jihadists have been busy learning not only how to use the web as a place for propaganda and recruitment, but also as a battle-space.

Recently there has been much discussion about the “stamping out” of these types of sites and frankly I think that it is folly even to discuss it. Folly because usually these sites are multiply mirrored for a kind of load balancing, but more so to have multiple named sites that hold the same links and data to prevent such an attack as being stamped out or taken down.

Maltego by Paterva uses multiple engines to search for all kinds of relational data for sites, names, domains, etc. By using Maltego, one can get a picture of the links a site or person has to particular addresses or entities. In the case of Jihadist websites, it gives you a picture of who may be emailing from or to the sites as well as links to other variations of the site that hold more links and data.

Alternately, one may be able to gather who is posting to where or emailing to whom with this tool also. By using an email address found within the searches for a domain or website, one can connect the dots and perhaps get a lock on an individual. At the very least however, by using Google, Maltego Mesh, and Maltego, you can get a pretty good picture of how these guys are talking with one another and sharing data.

The jihadists are also fond of using PHP bulletin boards not only to chat but also to pass on links to megaupload, rapidshare, and the like. The files that they are passing are everything from videos on how to make RDX to PDFs on how to wire a cell phone to be a remote detonator for an IED. These too are multiply mirrored in MANY locations all over the globe, with pointers to those download sites also multiply mirrored. The essence of it is there is no way we could get it all taken down.

This also raises the question of whether cracking down on sites such as these would do more good than using techniques like these to find out who traffics in these sites, who runs them, and in the end crack into them and find out the real person behind their digital personae. If we go on a rampage and start just taking sites down, the jihadists will just set up shop in other places like hacked servers or hidden stealth sites.

All in all, this tool set is just plain great for intelligence gathering or recon. Check it out at www.paterva.com. You can also check out these natty png files I created to see just what I mean.

CoB

Written by Krypt3ia

2010/01/25 at 02:18

Posted in GWOT, Infosec, jihad, OSINT, Qaeda

Sensing A Pattern


Source


Since my little incident with j35t3r I have been paying more attention again to the IDS. In the last few days alone the system has seen some interesting traffic including another DDoS attempt from Latvia. I am seeing a pattern though for the most part. Our Chinese overlords have a lot of traffic coming my way from worms.

Also interesting to note is the Nmap traffic, guess some folks got interested in my system to see what ports I have open. They went away unhappy though. Kinda makes you wonder what your traffic is like huh? It also might make you wonder just how much your system is protected.. If it is at all.

If you are interested, you can take a scan for yourself with Shields Up. It’s a system in place to run a Nessus scan against your IP address and see what’s what. It does a good job and will tell you what ports are open and perhaps what vulns you might have.

Just remember, if you have a persistent connection and your machine is on.. Well, they are knocking at the door.

CoB

Written by Krypt3ia

2010/01/24 at 01:23

TOR Security Breach.. What A Coincidence


An anonymous reader writes “If you use Tor, you’re cautioned to update now due to a security breach. In a message on the Tor mailing list dated Jan 20, 2010, Tor developer Roger Dingledine outlines the issue and why you should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha now: ‘In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we’d recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers.’ Tor users should visit the download page and update ASAP.”

So, two of the TOR servers were compromised and used as attack boxes for… Something… Interesting…
Time to go download the update…

Written by Krypt3ia

2010/01/22 at 11:56

Posted in Hacking, Infosec

DD0S

1.16.2010 DD0S


1.17.2010 DD0S




Pcaps have been parsed; there is much too much for a full disclosure, besides I don’t want to give out everything. The pcaps and forensics report have been passed to the authorities carrying out the investigation to add to the other data that they have gotten elsewhere.

The basics of the attack as of his last hit on me are these:

  • Using TOR nodes as well as perhaps a proxy, but most likely just tor sessions. If he were sneaky though, he would be proxying to a box that then has poisoned TOR nodes at its disposal
  • Other compromised or complicit machines are also being used (admins will be contacted by authorities). I am sure there are thousands of these botnet machines that the C&C can use. The irony is that trying to stamp out the compromised C&C boxes is kinda like trying to DoS all the Jihadi websites out there. For every one you take down, there are 5 more mirrors out there for content to be broadcast from
  • Much of the traffic was being sent from the EU, focusing in the DE region, but there was also some Korea in there
  • 30 minutes at a time.. Either paying for increments of time to a bot herder, or the TOR nodes throttle out, as this is something they do to try and prevent this type of misuse
  • He’s using a combination of syn/fin TCP callouts to flood the system with junk and hose the webserver.
  • In the last attack he was using what looked like canned scan scripts to flood the server with junk calls for different protocols/ports etc
  • He seems to have been using a C&C system that would call up a JavaScript to check if the DDoS was in fact working. Now, if the script was working with the home IP address of the box initiating, then perhaps the GETs like the FIOS address were actually his box looking for a file. Or maybe it was someone working with him… Or.. Them.
  • The FIOS address made a DIRECT call out to my webserver looking for a WMV file. That file has only been linked to my WordPress blog from some time back. This access coincided with the timing of the attack, to be used as a method of seeing how the server was responding. By looking at the download bar one could tell just how horked the system was. As well, the download initiation would also engage much of the server’s bandwidth, making the attack work even faster. Would he be that foolish to actually make this mistake? He is rather full of himself so, yeah, he seemed to think that I was some IT auditor without skills, so maybe he just got lax. Maybe he is just a stupid kid with impulse issues…
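The attack anatomy in the bullets above, as an added detection example (not code from the original post): it flags minute windows of session-less SYN/FIN traffic, names the hosts driving them, and then looks in the web server access log for requests made during those windows from addresses that are neither known Tor exits nor part of the flood, the kind of direct “is it down yet?” check described for the FIOS address. The flow record format, the access log lines, the Tor exit set and every address are constructed (RFC 5737 documentation ranges) for the example.

```python
"""Correlate a SYN/FIN flood with out-of-band "is it down yet?" requests.

Assumptions (constructed for this example):
  - sensor flow records, one per line: "<epoch> <src_ip> <dst_port> <flags>"
  - web server access log lines in Apache common log format
  - a set of known Tor exit addresses (in practice fetched from the Tor
    project's published exit list; here a placeholder set)
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
import re

FLOOD_FLAGS = {"S", "F", "SF"}   # SYN-only, FIN-only, SYN+FIN: never a real session
BUCKET = 60                       # seconds per counting window
THRESHOLD = 50                    # junk packets per bucket that trips the alarm

# Constructed placeholder data, not real hosts.
TOR_EXITS = {"198.51.100.10", "198.51.100.11", "203.0.113.5"}
T0 = int(datetime(2010, 1, 16, 3, 10, tzinfo=timezone.utc).timestamp())


def make_flows():
    """Three minutes of SYN/FIN junk from two Tor exits and one non-Tor host,
    on top of a trickle of ordinary established (PA) traffic."""
    recs = [f"{T0 + t} 192.0.2.40 80 PA" for t in range(0, 600, 20)]
    for t in range(60, 240):
        for src, flags in (("198.51.100.10", "S"), ("198.51.100.11", "SF"),
                           ("203.0.113.200", "F")):
            recs.append(f"{T0 + t} {src} 80 {flags}")
    return "\n".join(recs)


FLOWS = make_flows()
ACCESS_LOG = """\
192.0.2.40 - - [16/Jan/2010:03:10:20 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.77 - - [16/Jan/2010:03:12:30 +0000] "GET /media/talk.wmv HTTP/1.1" 200 10485760
198.51.100.10 - - [16/Jan/2010:03:12:50 +0000] "GET /index.html HTTP/1.1" 503 0
192.0.2.40 - - [16/Jan/2010:03:16:40 +0000] "GET /index.html HTTP/1.1" 200 5120
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_flows(text):
    """Return (epoch, src_ip, dst_port, flags) tuples from flow text."""
    out = []
    for line in text.splitlines():
        if line.strip():
            epoch, src, port, flags = line.split()
            out.append((int(epoch), src, int(port), flags))
    return out


def flood_windows(flows):
    """Merged [start, end) epoch windows whose per-minute count of
    session-less SYN/FIN packets reaches THRESHOLD, plus the flooding hosts."""
    per_bucket, sources = Counter(), defaultdict(Counter)
    for epoch, src, _port, flags in flows:
        if flags in FLOOD_FLAGS:
            per_bucket[epoch // BUCKET] += 1
            sources[epoch // BUCKET][src] += 1
    hot = sorted(b for b, n in per_bucket.items() if n >= THRESHOLD)
    windows, flood_sources = [], set()
    for b in hot:
        start, end = b * BUCKET, (b + 1) * BUCKET
        if windows and windows[-1][1] == start:
            windows[-1] = (windows[-1][0], end)      # extend a contiguous window
        else:
            windows.append((start, end))
        # A host averaging one junk packet per second is part of the flood.
        flood_sources |= {s for s, n in sources[b].items() if n >= BUCKET}
    return windows, flood_sources


def parse_access_log(text):
    """Return (epoch, ip, method, path, status) from common-log-format lines."""
    reqs = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            epoch = int(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp())
            reqs.append((epoch, ip, method, path, int(status)))
    return reqs


def checkin_candidates(requests, windows, flood_sources):
    """Requests made during a flood window from an address that is neither a
    known Tor exit nor a flooding host: someone watching the effect directly."""
    def in_window(t):
        return any(start <= t < end for start, end in windows)
    return [r for r in requests
            if in_window(r[0]) and r[1] not in TOR_EXITS and r[1] not in flood_sources]


def analyse(flow_text=FLOWS, log_text=ACCESS_LOG):
    """Run the whole pipeline; returns (windows, flood_sources, candidates)."""
    windows, sources = flood_windows(parse_flows(flow_text))
    return windows, sources, checkin_candidates(parse_access_log(log_text), windows, sources)


if __name__ == "__main__":
    windows, sources, cands = analyse()
    for start, end in windows:
        print(f"flood {datetime.fromtimestamp(start, timezone.utc):%H:%M}-"
              f"{datetime.fromtimestamp(end, timezone.utc):%H:%M} UTC from {sorted(sources)}")
    for _epoch, ip, method, path, status in cands:
        print(f"possible check-in: {ip} {method} {path} -> {status}")
```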

Once the investigators do their thing, the nodes that they can reach will be closed. The TOR server admins will be told about the events, and if they are keeping any logging at all, they likely will help out. However, TOR is really meant not to have any logging. Kinda like ANONINE, the proxy he has been using.

Also, while looking about I noticed that mypetjawa seems to have redacted their post about j35t3r taking down Ahmadinejad’s site. Maybe it’s just an internal server error 500 as I see when I search their site directly, but it’s in their archive if you Google it. I am sure that DD0S-ing that site pretty much makes j35t3r no friends on either side of the political situation there.

… And me? My site? Still up.

Well, it’s no biggie if it’s down here and there. But, the opportunity to capture all the packet traffic, as well as get that .ru hotmail account from his direct correspondence, is helping the boys do their thing. Of late though he has laid off, with only the occasional twitter taunt to get me to respond.

Weak attempts at best.. And such bravado talking about how he has bested me. Well, it’s not really me he has to worry about. He will do himself and his pals in quite nicely on his own I think.

It’s mostly out of my hands now… Oh and deleting Twitters won’t be helping either.. Google cache is a wonderful thing.

Hope you look good in orange j35t3r, cuz I think that is the color that they will be giving you.

Cheers,

CoB

Written by Krypt3ia

2010/01/21 at 03:19

Private Sector Keeps Mum on Cyber Attacks


The biggest surprise to computer-security experts isn’t that Google Inc. was targeted by attackers from China. It’s that the Internet giant chose to disclose the incident. Despite repeated efforts by the U.S. government to get the private sector to share information about threats, many companies have long kept such incidents confidential.

“There’s a culture of secrecy around any bad news, and data breaches are always bad news,” said Larry Ponemon, a security and privacy consultant with the Ponemon Institute. “Organizations don’t like to reveal it.”

The reticence can apply both to public disclosure of attacks as well as information-sharing among companies and government agencies—exchanges that can help organizations prevent future break-ins.

Source: WSJ

This is dead on. Though, I think that Google had no choice but to disclose this because so many other entities, including defense group contractors, got popped too. Google actually may have been the vector that the attacks came from in the first place. After Aurora popped Google, it is likely that the Gmail accounts that were hacked were also potentially used to send the emails. Or, perhaps Google’s SMTP/POP3/IMAP systems were captured. I have not heard much though as yet.

I hardly think though, that Google decided to just come clean. Maybe also it was the whole idea that they were going to have to throw down on China and pull out over this and the whole filtering of their search capacity inside the great firewall…

In any case, all too many places do not report because of the FUD factor that will ensue after they fess up. Just how much reputational loss can they have post hack? Ask TJX.. Better yet ask Card Systems.

CoB

Written by Krypt3ia

2010/01/19 at 23:39

Posted in Uncategorized

Yemen: Whittling Away at AQAP


January 15, 2010 5:40:47 PM

On Jan. 15, unnamed officials from Yemen’s Ministry of Defense, citing security forces, announced the death of six high-ranking members of al Qaeda in the Arabian Peninsula (AQAP) after an airstrike in the northern region of Alajasher. Among the dead, according to the report, was AQAP military commander Qasim al-Raymi. If true, al-Raymi’s death would be a major blow to the al Qaeda node in Yemen, though there is little evidence to suggest that the group will not continue to be a significant domestic and regional threat.

The Defense Ministry’s announcement, which appeared on its official Web site, said the missile strike was carried out Jan. 15 by the Yemeni air force on a two-car convoy in the Alajasher region, which is located in the eastern province of Saada. Al-Raymi was said to have been the primary target of the strike. The five others reportedly killed included high-level AQAP operatives Ammar Ubadah Al-Waeli, Ayeth Jaber Al-Shabwani and Saleh Al-Tayes. Two al Qaeda operatives managed to escape and currently are being hunted by Yemeni counterterrorism units.

If al-Raymi (aka Abu Hurayrah al-San’ani) has, in fact, been killed, his death would be a significant victory in the joint U.S.-Yemeni operations that are intensifying against the al Qaeda node. Al-Raymi, who has been involved with al Qaeda in Yemen for some time, formerly worked directly under the node’s current top leader, Nasir al-Wahayshi. Al-Raymi has been linked to attempted attacks on foreign embassies in Sanaa and was part of a 10-man team responsible for a vehicle-borne improvised explosive attack in the eastern province of Marib that killed eight Spanish tourists in July 2007.

He also was one of 23 escapees from a Sanaa prison in February 2006 and, in June 2007, appeared in a video on an Islamist Web site announcing that al-Wahayshi, a fellow escapee, was the newly appointed head of al Qaeda in Yemen. Al-Raymi subsequently appeared in a January 2009 video posted on Islamist Web sites, alongside al-Wahayshi and deputy Said al-Shihri, announcing the formation of the AQAP node.

The Jan. 15 airstrike in Alajasher bears a striking resemblance to a CIA predator drone strike on former al Qaeda in Yemen leader Abu Ali al-Harithi and five confederates in November 2002 in the eastern province of Marib. Though Sanaa is claiming direct responsibility for the strike, there are indications that this may not be true. Yemen’s air force is not exactly known for its ability to carry out precision airstrikes, which require quick intelligence gathering and an instant response. If the United States carried out the strike, Yemen would most likely deny any American involvement to prevent the sort of domestic backlash that resulted from the 2002 strike in Marib.

It looks as though the overflights with predators that I predicted have begun in earnest. Given the INTEL lately from Omar as well as other sources, it seems that AQAP is planning another “similar” attack.. Or are they? Perhaps that HUMINT/SIGINT is just diversionary? A feint to the left and strike from the right perhaps. Who’s to say.

This was their second attempt on Qasim al-Raymi and they finally got a bead on him. It also seems that in the one strike they took out several tangos that they had wanted to eliminate.

In any event, it would seem that the US has been working on the Yemeni government with the carrot and stick to allow for predator strikes. I think though, that this will require boots on the ground. If not by specops sent there, then a regular deployment to augment the Yemeni forces.

The Jihadist sites are all over this event with old vids of Qasim as well as some photos of the aftermath.

Should be interesting to watch what happens next. I predict more Predator and Global Hawk missions.

CoB

Written by Krypt3ia

2010/01/19 at 12:07

Posted in .mil, GWOT, HUMINT, INTEL, jihad, Qaeda, Shahid


Intelligence Guidance for the Week Of Jan 17 2010


January 18, 2010 7:01:33 AM


Editor’s Note: The following is an internal STRATFOR document produced to provide high-level guidance to our analysts. This document is not a forecast, but rather a series of guidelines for understanding and evaluating events, as well as suggestions on areas for focus.

1. U.S.: The P-5+1 talks took place this weekend. China did not even send a senior diplomat. The Russians made the standard noises about Iran needing to comply, but stated that the time for diplomacy was not yet over. It was more of the same. According to the Israelis, they expect progress by February. That is pretty soon and there will not be progress. We need to be looking at what comes next. U.S. President Barack Obama seems to want to postpone dealing with the Iran nuclear program issue, and the Europeans are, of course, happy about that. Obama’s view is that there is the possibility of regime change because of the demonstrations. From our point of view, the only thing the demonstrations showed was how efficient Iran’s security services were, but Obama can use his view to justify delay. So the only significant player in this game is Israel and the threat that they will go it alone. That is not likely, but it is getting close to the time when senior Israeli delegations in the intelligence and security area start arriving in Washington.

The likelihood that POTUS will want to postpone the Iran “come to Jesus” (oops, bad phrase there huh?) is pretty high, with everything else that is going on lately, the Haiti thing etc., serving as diversions. The idea that the president thinks the uprising in Iran will cause anything other than more deaths of protesters, if true, would be a sheer flight of fancy.

The Iranian president is only the front man for the actual power there. That power sits with the ultra-right Ayatollah and his boys. So, no, there will be no change there. The Iranians will continue whacking their detractors, like the recent PhD that they killed for the dual purposes of inciting fear and generating propaganda against the US, aka the “Great Shaitan”.

All the while, the Iranian government will be continuing its stepped-up efforts in refining more uranium and developing a deployment package for use against Israel. This of course gives Israel great reason to deploy any means, from Mossad to air strikes on sites, to stop or at least slow them down.

I am not of a view that the Israelis will sit on their hands given recent data out of an MI6 asset… Guess it’s wait and see really.

2. Ukraine: Ukraine held elections; the Orange Revolution has now officially failed. The leader of the revolution, current President Viktor Yushchenko, placed far down in the pack and the two leaders in the runoff are pro-Russian. The Russian response will be publicly subdued, but Russian Prime Minister Vladimir Putin and President Dmitri Medvedev must be drinking toasts. We need to try to catch public statements by non-senior officials to capture the mood in Moscow. The only question is how quickly and aggressively Moscow moves after the February elections. We also need to capture the apparatus’ mood.

Ahh the Baltic. Well here we go. I have said it before and I will say it again here: Putin is all about consolidation. I kind of liken him to Victor Tretiak in “The Saint”, ya know, that whole number about getting the power back in Russia. Putin is even said to have remarked on a nostalgia for the old Soviet Russia not too long ago.

This time around the KGB didn’t try to poison Yushchenko. They really didn’t have to this time round, because he was stunningly bad as a leader. So, with a little muscle and fear, as well as apathy, the election went the way that Moscow wanted. So, as the report says, I assume Putin is drinking it up.

I expect though, that the Russian state and Putin will “quietly” take control. This seems to be a lesson Putin has learned from his KGB days. At least he has a little panache about it, unlike so many of his forebears from the service. Putin is “politik and kulturni” at the very least.

Keep an eye out on the Baltics. Say maybe Chechnya? See, Putin learned from that one…

4. China: Google’s faceoff with China on censorship brings attention to something we have been talking about. If you want to measure the state of the Chinese economy, look at the aggressiveness of its security posture, not its spreadsheets. The Chinese government is extraordinarily uneasy about its public, which is inconsistent with the rosy picture their economic statistics paint. Google — squeezed harder and harder to be a tool for screening bad news out of China — finally put its brand ahead of the Chinese market, which tells us something about the company’s integrity as well as its read of the market. Since Google has cooperated on security for a long time, the situation must have deteriorated quite a bit. It would be interesting to pick up the RUMINT in the Google cafeteria on what the straw was that broke the camel’s back. Censorship was nothing new.

Umm, I have a bone to pick with this part of the analysis. Not one mention of the whole “Operation Aurora” here. In fact, this reminds me that I think Stratfor needs to add a “cybersec” area to their reporting as a whole. This part of the report just does not cover the goings on with regard to Google and China.

The series of events surrounding this flap is not just about Google not wanting to censor things. This flap is also about China’s use of cyber operations to steal code, gather intelligence, and generally keep the precepts of Sun Tzu alive. This event is about much more than the “Great Firewall”.

Of note is the fact that while this cyber attack was ongoing, Google was also compromised in their Gmail product. The email accounts that were hacked were those of dissidents and reporters. A real boon to the Chinese activities against the likes of Falun Gong and anyone else who does not fit into the master plan.

Of course, Google may have been more receptive to being more like Yahoo, even with the bad press, had the Chinese not hit them and had Google not caught on. In response Google hacked the hackers and, to their surprise, realised just how hacked their systems were and the damage that was done.

Meanwhile, Operation Aurora was more than just an attack on Google. It hit at least 30 entities, including the Chinese favorite: defense contractors. IP and code have been stolen from all of these places in varying degrees. This is what they are really all about when it comes to the economy and their standing in the world. Their approach of “A Thousand Grains of Sand” will in fact win out if the US does not get its shit together with regard to information security and technical information security.

I would also like to add, as a final thought on this one, that these measures are not solely about economic power. They are also honing their skills for that day when they want to shut down the power grid, knock out our economic engine, and halt the military from action… IF they need to. Again I say, we are in deep shit if the US does not get its cyber act together… And yet, we have yet to hear word one from our new “Cyber Tsar”.

I don’t hold out much hope…

5. Venezuela: All sorts of things are happening in Venezuela, including devaluation, the opening of a jungle warfare school and scheduled electrical blackouts. We have always viewed Venezuelan President Hugo Chavez as a skillful politician able to ride the tiger. But no matter how well he can ride the tiger, Venezuela is beginning to look like a low-class Bulgaria from 1970. At some point Chavez is going to run out of velvet and his apparatus will break under him. We are not saying this is the time, but the things that are happening are getting pretty bad. We need to start keeping an eye out for resistance to the regime.

Hugo, oh Hugo… I remember those heady days in the 80’s when the US was messing about in South America almost openly. Now we have a boomerang kind of scenario with the fallout from the 80’s. Now of course Hugo has oil, so perhaps we will be making a play for him and the country yet, huh? Perhaps not with the present admin… but maybe the next. We shall see, huh?

In the meantime, Hugo will cozy up further with Putin and continue to run the show down there. I agree though, it’s looking worse and worse down there as infrastructure and quality of life deteriorate.

Overall, interesting report.

Written by Krypt3ia

2010/01/19 at 01:06

Movie Review: The Book of Eli


Going into this film I was unsure of what to expect. Mainly this is because I saw very little about the film on TV or online in the news, and didn’t take the time to look. I was, in fact, rather nonplussed when seeing the trailers.

Seeing the film last night, I was pretty much still of the same mind. The film portrays the usual dystopian nightmare of the end of the world. The ever-present nuclear war, fallout, nuclear winter, and scrabbling hordes were all there. So were the usual loner hero wandering the wastes in search of “something”, the gangs of thugs who rape and kill, and the cannibals.

Ho hum.

I kept thinking “Gee, haven’t I seen this before?”

Boy and His Dog

Mad Max

The Day After

Quiet Earth

9

I can’t remember more… The point is, this has been done many times over. So what would a screenwriter or director, or for that matter a producer, be thinking in making this film? Well, hopefully, “what can we do to make this film different?”

The answer is a small but very important plot point.

The Bible.

Yep, religion and its book, the King James Bible. Now if you intend to see the film do not read further for there be SPOILERS BELOW!

This space left blank intentionally…

Surf away!

This is your last chance!

Ok, yes, the plot device is that of the Bible and religion. Mostly though, about how a book and knowledge can be used for good or ill. THIS I liked. This had some good meat to it but, in the end it was not really plumbed to the depth it could have been in the screenplay.

Evidently, as the war that brought society to this nuclear winter was alluded to as being caused by “The Bible” or religion, after the holocaust the masses destroyed not only all Bibles, but as many books as they could. So, no knowledge, no art, nothing survives. I’ll admit, it’s a bit radical, but I can see some of the insane reasoning after an apocalypse.

Mostly though, the plot point of the use of knowledge and faith to control the masses resonates with me. So too does the idea that it’s not the book, or the data, but the end user that makes it good or bad. Gee, that sounds like an argument I have been having lately with a certain child online… but I digress.

Unfortunately though, as I said above, this point is really not explored too much, and comes to light only in the last 10 minutes of the film. You can, though, extrapolate earlier that this is what it’s all about if you are paying attention.

The book IS Eli. He has it memorized and he embodies the Christian ethos because he is devout. He becomes hope, he is the mustard seed… Though a mustard seed with a rather easy use of blades, guns, and other forms of destructive apparatus…

He kills well… Onward Christian Soldier.

For the most part, this movie left me meh. I liked it, but it was not great. The idea though did make me think as well about the apocalypse coming and all that it takes to survive and rebuild.

Guess it’s time to hunker down and build that Faraday cage, cached book collections, food, etc…

CoB

Written by Krypt3ia

2010/01/16 at 15:41

Posted in Movie Reviews, Movies