Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for June 2010

Gregory? Gregory D #LIGATT Evans? Is That YOU?

with one comment

joshuapitman82@yahooc.com

72.151.116.19

Interesting saga here.

But has anyone here tried their products? I looked at their website and I must admit, I was interested in the prank call one and the PC locater for laptops.

The author claims Ligatt’s products are “snake oil” but he says nothing about the actual products. Do they work?

Their website looks nice enough.

Dear Gregory.. Oh, I mean “Joshua” *wink wink nudge nudge* No, the tools do not work. Nor does your ham-fisted attempt at making good press for yourself by posting this comment on my blog. Your tools do not work and they have been tested by Exotic Liability as well as myself and others.

I would also like to remind you about the NUMEROUS vulnerabilities on your sites that really, any security professional would not allow to exist on their personal, never mind their corporate sites. So why even bother me with your short bit of drivel that passes as the WEAKEST attempt at DAMAGE CONTROL here?

Face it man, you are NOT a hacker nor have you EVER been anything like one. What you have been is a CON MAN and a FARCE.

Why won’t you just go away? I mean, we all have pretty much proven everything here..

  • You’re a plagiarist
  • You’re a liar
  • You’re a con man who works mostly long cons
  • You’re a lackluster social engineer (see the above-mentioned ham-fisted attempt, a la blog reply)
  • Your stock has not gone anywhere and your aspirations of big bucks on a short penny stock pump and dump are over
  • You can’t even hide your own tracks when trying to post allegedly under assumed names?

EVER HEARD OF A PROXY YOU MORON?

Obviously…Not…

Just go away will ya? It’s over man… Go find another con to run because you are messing with the wrong folks here..

I will leave you with this parting bit of wisdom…

“Do not meddle in the affairs of hackers… For they are subtle and quick to temper”

CoB


Written by Krypt3ia

2010/06/30 at 22:56

Служба Внешней Разведки: Russian Espionage “The Illegals 1990-2010”

with one comment

Служба Внешней Разведки (the SVR, Russia’s Foreign Intelligence Service)

“Christ, I miss the Cold War”

M from Casino Royale

The dramatic events unfolding within the last day or so over the “illegals” program caught by the FBI are really the stuff of le Carré and other writers of espionage fiction. Yet, this is all real….

The reports started coming out yesterday afternoon and, having seen a blurb on CNN, I went out and got hold of the complaint by the Federal government against the 10 conspirators and had a sit down. In the end I found myself alternately laughing at the story that unfolded and waxing historical about yesteryear during the Cold War days. It seems though that one thing has changed a bit since the old days.

Millennial Spies?

It seems the SVR had to remind their operatives that they were in fact here for a reason and being taken care of for that reason, i.e. being spies.

This communiqué pretty much alludes to the fact that perhaps the “illegals” had been here too long and had begun feeling entitled as opposed to being servants of the state. This is a bit of a difference from the old Cold War days. Yes, of course some deep cover operatives might have become “comfortable” in the West, but they pretty much lived under the fear of reprisals to themselves and family in the old country if they misbehaved. This message and some of the handling that can be seen from the surveillance bespeaks a more millennial attitude by these illegals than old school Sov operatives. In one case an officer remarks that he is glad not to be one of the illegals’ handlers, as the illegal is bitching about money… Kinda comical…

It also seems to me that some of these operatives were in fact quite young when they started and, even as things progressed, were not as well trained as they could have been. In one case there is a remark of only about 2 weeks of training at the SVR center, and this is not quite like the old days when the spooks got some serious training before going out in the field. Of course today, after the 1990s breakup of the Soviet Union, I suspect that in some of the minds at “C” we (the FBI) have become lax at detection and operations just because we were very Sov oriented back in the Cold War period.

However, this group of illegals seems to have been in play since the late 90s and over time have become more American than true blood Russian ideologues. With the amounts of money being passed to them over the years, these folks were rather well taken care of. This is something a bit different from the old days and bespeaks a paradigm shift in the SVR’s handling of them and its approaches to getting good INTEL out of them. These folks were monetarily motivated, which is usually how spies get brought in from other nation states, not the ones being sent to foreign posts by the motherland.

Times are a changing though… Guess you have to roll with it or lose assets.

Technology and OPSEC

The times have changed and with them the technologies of spy-craft do too. In the case of the illegals, not only did they set up “AD HOC” wireless networks between laptops in open spaces (ballsy really, given the nature of the WIFI 802.11 standards and their vulnerabilities) but they also added things like the use of “Steganography”.

For some time now I have been randomly hoovering sites looking for stegged images and so far, I have come up with potential hits (Jihadist sites) but as yet, I haven’t been able to decrypt anything that is alleged to be hidden. In the case of the illegals, they had special software installed on laptops given to them by Moscow Centre. It turns out that these laptops and the schemes that they were using didn’t always work for the agents but, in many cases, had it not been for the surveillance by the FBI, this particular method of data passing might not have been seen.

Overall, the technology today is neat but, as in the case of the AD HOC networking over WIFI, I have to wonder about their choice here. I mean it wasn’t all that long ago that the CIA had a fiasco with a “WIFI” enabled faux rock in a park in Moscow. The rock was supposed to be able to transfer data onto a CF-type card from a PDA or phone that the asset would pass by. As the technology failed, the KGB noticed that there were people wandering around looking to connect to this rock. When they did a search they got the rock and later the asset trying to connect to the faulty device. So much for the technological approach.

When it works it works great.. When it fails, you end up in Lubyanka…

Tradecraft: Tried and True

Meanwhile, some of the illegals seem to have perfected the tradecraft side of the work by performing brush passes with operatives from the Russian consulate as well as infiltrating and exfiltrating through other countries using bogus passports etc. It seems, though, that the FBI caught on to the group and exploited poor tradecraft practices to uncover the whole of the operation. In one case the handler from the consulate took 3 hours of evasion practices to elude any possible surveillance only to be compromised by the fact that the “illegal” was already under surveillance… OOPS.

The meetings that are mentioned in the complaint show how much tradecraft the group was using to perform their meetings. These included marking, dead drops, and of course the brush passes with pass phrases like “Didn’t I meet you in Bangkok in 1990?” So those of you who think that it’s just cliché, it’s not really… Even in today’s technological world these practices are kept up BECAUSE the technology is so easily watched from remote, à la the NSA. Of course it was that technological FAIL along with the poor practices of basic information security that caught them in the end.

Kinda funny really.. I mean how often do I moan and wail about all of this huh, and here it is that very thing that pops a group of spies for Russia.

Funny…

Meanwhile some of the “old school” techniques still pervade…

Numbers Stations and Rapid Burst Transmissions Making a Comeback

When some of the houses/apartments were black-bagged, the operatives found that the illegals were not only using “rapid burst” radio technology, but also the old, old school technique of “Numbers Stations” to get their orders as well as report their data to Moscow Centre. I imagine that in the case of the rapid burst technology, they were in close proximity to either other operatives that they did not know about, or they were in fact close enough to the consulates that they could burst their data to the arrays on the roof.

This stuff is really old school and I have mentioned before that the number of “numbers” stations has increased over time since the internet age took over because this technology, properly implemented, is sure fire and hard to detect. After all, how many of us have short wave radios in our homes, huh? The burst technology though is a little more conspicuous and can be detected, but since it has not been in vogue for some time, I doubt many agencies are looking for it. Perhaps a HAM radio operator in the area might have picked up on it, but it was the surveillance team that mentioned “noise” that seems to be radio transmissions.

It just goes to show that sometimes the new tech just doesn’t cut it. You need to go old school.

Espionage 2010, Pooty Poot, The Bear Never Left

In the end, I expect to be hearing more about this story in the news. There will likely be expulsions of diplomats from the Russian consulates in the US as well as the ongoing coverage of the trials. What I am wondering about though is that the FBI charged these guys with smaller charges rather than official “espionage”.

This makes me think that there is much more to this tale behind the scenes that we will eventually get in dribs and drabs. I personally think that the illegals that we caught really made a dent in the security of the nation. The complaint does not mention any high-level connections that would be bad enough to consider this operation as a whole to be damaging. However, if the group is in fact bigger or, as we know, there are others out there, just who have they compromised? Remember that in the complaint you can see Moscow Center asking about compromisable assets. What they really wanted was to go old school and get the dirt on someone juicy and turn them… and given Washington’s habit of nasty behavior with pages or toe tapping in airport men’s rooms, I can see they had a rich target environment.

All of this also makes it so ironic that the operation had been ongoing since at least the Clinton administration. When “W” looked into the soul of Pooty Poot, he wasn’t in fact seeing anything there. George, he was PWN-ing you as you gave him the reach around.. and liked it. The Bear never left my friends and anyone who thought we were all friends with rainbows and puppies where Russia was concerned is seriously deluded.

The only thing that has changed is that the American consciousness became… Unconscious to conspicuous wealth and reality TV.

I too pine for the Cold War… Looks like it’s back on.

So in conclusion here are some questions that I have:

  • Why was this operation rolled up now?
  • How did the FBI catch on to these illegals?
  • Who is “FARMER”?
  • Who is “PARROT”?
  • Why the charges of not telling the AG that the illegals were.. well, illegal, and not actually charged with “espionage”?
  • Why did “C” want the operatives to buy ASUS Eee PCs?
  • What steg program did they have?
  • When will we be expelling the 3 consulate “secretaries” in NYC?

You can read the “almost full” complaint here

CoB

#LIGATT A Cautionary Tale of Cyber-Security Snake Oil

with 10 comments

The Charlatan of the Intertubes:

Last week an internet war broke out on Twitter that became all the rage within INFOSEC circles. A self proclaimed #1 hacker, “Gregory D. Evans”, was being taken to task for the blatant plagiarism in his book of the same name. Evidently, Mr. Evans, like the BP and other oil company executives, decided it was quite alright to just cut and paste his way to a complete document and claim it as his own. Mr. Evans, though, is now learning a couple of things:

1) Plagiarism is just wrong.

2) Do not meddle in the affairs of hackers… For they are subtle and quick to temper.

What’s more, this whole event has brought to light the fact that this charlatan has been hoodwinking certain governmental bodies into believing that he is qualified to handle their information security and technical security needs. This is the most frightening thing for me because we are already pretty behind the eight ball where this is concerned with regard to the government and our infrastructure. What we really DON’T need is a wanker like this guy getting contracts for work within the government sphere.

Since the original calling out by Ben Rothke, and also by the Shitcast as well as Exotic Liability, much has been dug up on Gregory Evans and his merry band of plagiarists that he calls “authors” on his Nationalcybersecurity site. Here are some examples:

  • His author picture for “Seria Mullen” was in fact a picture of a local TV news anchor
  • None of his authors seem to actually write anything; instead they copy AP stories and place them on the site under their names
  • His site nationalcybersecurity.com is riddled with PHP and XSS vulnerabilities (it was in fact hacked and taken down.. It’s back, unfixed, now as you can see from the image above)
  • None of his alleged experts seem to be qualified for the positions he claims they hold in information security and technical security
  • He immediately played the race card in response to the allegations of his plagiarism and fraud
  • In one STUNNING case Evans claims he has a 13-year-old hacker whom he hired at 11.. He has a YouTube commercial with him in it as a testimonial.. Turns out the kid is an actor (see the tweet below)

Here are some more examples via Twitter:

#LIGATT Meet Beth Sommer another “author” who actually writes NONE of her posts http://tinyurl.com/29yvjuo

#LIGATT Mark Wilkerson author. Anyone know this guy? http://tinyurl.com/33zlrwc

#LIGATT Meet Rex Frank (cyber sec expert) http://tinyurl.com/2dghu33 http://tinyurl.com/2a5mh9j and “author” Funny, I see no creds there..

#LGTT Meet Avery Mitchell Ligatt flunky http://tinyurl.com/35hz6bo http://tinyurl.com/35a8fjo http://tinyurl.com/27csy7r He’s their top guy

#LIGATT None of these “authors” actually write anything on nationalcybersecurity.com http://tinyurl.com/258jd5x they just add their names

♺ @wireheadlance: Ligatt fraud exposed: “hacker” is an actor http://tinyurl.com/3xus8ey http://bit.ly/dh0hw5 NICE

Over and over again, Evans has claimed that he was consulted by Kevin Mitnick in jail over his plea agreement, that his company is worth millions, and that he paid the authors of the content that he used. All of these claims seem to have been quite easily refuted and there have been more than a few authors who have said that he never asked them, never paid them, and in fact were quite unhappy with their work being stolen. In short, it’s pretty well known now that Gregory Evans is a liar and a thief… At least a thief of intellectual capital in the form of hacking texts.

What’s worse to me though, as I mentioned above, is that there are people out there and companies.. Perhaps even governmental bodies that have thought about contracting with him for ethical hacks on their networks and likely have been sold snake oil reports on their security postures. It is highly likely that these places are just as insecure as they were the day before Gregory and his lackeys came along, and this is a large disservice to them and to the information security industry.

This is, however, not an uncommon occurrence unfortunately… Just in this case it is so egregious that it’s hard to believe anyone bought it!

The “Industry”

The infosec industry has become like any other industry.. Like the fast food “industry”, there is a lot of crap out there and unfortunately the buyers are unaware of the differences between the garbage and the good stuff. The words “Caveat Emptor” just don’t compute for many people in the corporations that need these kinds of services. They also might go for the cheaper service in hopes that they will just get a piece of paper saying they have been audited and it’s all good. It’s not all good.

Of course, I would like to also add here and now, that security is…. Well.. Not a hard target. It’s rather like philosophy in many ways really. You either get it and you work at getting more of it, or you are just lost and have no idea what it’s all about. It is also rather tricky from a technical perspective because someone could come in and run the tests, tell you you are good in one area, leave, and two minutes after they are gone someone could open up a new hole and BAM, you get compromised. So, in reality one could make the logical extension that many of the companies out there now doing “ethical hacks” and “vulnerability scans” could in fact just be fools with tools who don’t know how to judge between an IIS vulnerability and an Apache Tomcat vuln.

The “Industry” has become the new MCSE, with the CISSP being potentially the new paper tiger equivalent of that old Microsoft cert that really, no one cares about any more. Now with the “cyberwar” boondoggle, we have many more pigs at the trough (like Ligatt) looking to make lots and lots of cash on specious claims of being #1 Hackers. This is even worse when you stop to think about the stakes here…

I mean you either have the skills and the drive to perform this type of work, or you don’t.. Unfortunately now, the CEH courses out there are cranking out “CEH” candidates like sausages and I would hazard that a good 90% of them have no idea how to really be a good security analyst.

Security is a voyage… Not a destination:

This is the mindset one needs to really be working on security and it is work. You have to keep at it or you will eventually find yourself compromised because you didn’t patch something or an end user did not know better than to click on that “VIAGRA FREE” pdf file with the new 0day in it. In short, much of the security puzzle resides in the most basic of principles within security and most places out there do not have a solid footing on how to perform these functions.

I personally would like to see a more holistic approach to information and technical security today as opposed to just selling a vuln scan and/or an ethical hack. You can hack the shit out of a place, have them remediate the holes, and still, if they do not have proper policies, procedures, standards, and awareness programs in place, they will be pwn3d again and again.

It’s really all about the basics…

So, you out there who want to get into this field… Don’t be a Ligatt (Evans): get the books, do the homework, and if you have the drive then you can do a good job. Remember there is that pesky word “Ethical” in there…

CoB

Napolitano: Internet Monitoring Needed to Fight Homegrown Terrorism

with one comment

Fox News

Napolitano: Internet Monitoring Needed to Fight Homegrown Terrorism

Published June 18, 2010

Associated Press

WASHINGTON — Fighting homegrown terrorism by monitoring Internet communications is a civil liberties trade-off the U.S. government must make to beef up national security, the nation’s homeland security chief said Friday.

As terrorists increasingly recruit U.S. citizens, the government needs to constantly balance Americans’ civil rights and privacy with the need to keep people safe, said Homeland Security Secretary Janet Napolitano.

But finding that balance has become more complex as homegrown terrorists have used the Internet to reach out to extremists abroad for inspiration and training. Those contacts have spurred a recent rash of U.S.-based terror plots and incidents.

“The First Amendment protects radical opinions, but we need the legal tools to do things like monitor the recruitment of terrorists via the Internet,” Napolitano told a gathering of the American Constitution Society for Law and Policy.

Napolitano’s comments suggest an effort by the Obama administration to reach out to its more liberal, Democratic constituencies to assuage fears that terrorist worries will lead to the erosion of civil rights.

The administration has faced a number of civil liberties and privacy challenges in recent months as it has tried to increase airport security by adding full-body scanners, or track suspected terrorists traveling into the United States from other countries.

“Her speech is a sign of the maturing of the administration on this issue,” said Stewart Baker, former undersecretary for policy with the Department of Homeland Security. “They now appreciate the risks and the trade-offs much more clearly than when they first arrived, and to their credit, they’ve adjusted their preconceptions.”

Underscoring her comments are a number of recent terror attacks over the past year where legal U.S. residents such as Times Square bombing suspect Faisal Shahzad and accused Fort Hood, Texas, shooter Maj. Nidal Hasan, are believed to have been inspired by the Internet postings of violent Islamic extremists.

And the fact that these are U.S. citizens or legal residents raises many legal and constitutional questions.

Napolitano said it is wrong to believe that if security is embraced, liberty is sacrificed.

She added, “We can significantly advance security without having a deleterious impact on individual rights in most instances. At the same time, there are situations where trade-offs are inevitable.”

As an example, she noted the struggle to use full-body scanners at airports caused worries that they would invade people’s privacy.

The scanners are useful in identifying explosives or other nonmetal weapons that ordinary metal-detectors might miss — such as the explosives that authorities said were successfully brought on board the Detroit-bound airliner on Christmas Day by Nigerian Umar Farouk Abdulmutallab. He is accused of trying to detonate a bomb hidden in his underwear, but the explosives failed, and only burned Abdulmutallab.

U.S. officials, said Napolitano, have worked to institute a number of restrictions on the scanners’ use in order to minimize that. The scans cannot be saved or stored on the machines by the operator, and Transportation Security Agency workers can’t have phones or cameras that could capture the scan when near the machine.

Umm Janet? Yeah, uh, do you have a clue? I didn’t think so.. Would you like to buy one? Look, we all know in the infosec field that you are basically trying to dress up a massive surveillance vacuum program to look all friendly like and harmless. Just how do you propose to “monitor” all these comms without just setting up a huge digital driftnet like the NARUS systems in the MAEs?

We already monitor many of the jihadist websites and chat rooms etc. now, so what else would you suggest we do to catch these guys? The only thing I can think of would be to have a searchable (on the fly) database of emails, chats, and all other communications online captured by something like the NARUS STA6400 or its progeny. Something that would just be doing a DPI type of inspection process of ALL traffic to flag for an analyst to look at and pass on.. Gee.. Where have I heard that before.. Hmm, ECHELON perhaps? C’mon! This has been done by the NSA for YEARS!

I have an idea.. Why don’t you call Fort Meade huh?

Here.. I have the phone number for you: 410-674-7170 Ask for DIRNSA.. Phonetically DUR-N-SA

Maybe they can lead you to understanding of the problem and the solution.. A solution they already have and I am sure are NOT willing to share with you.. But, you can at least try.

Frankly, I fear that you, Janet, and the DHS are clearly incompetent in the field of INFOSEC/HACKING/CYBERSEC and do not have a mandate, funding, nor staff to really deal with this issue properly. So, uhh yeah, why not just forget about it? Perhaps you should just leave it up to the NSA, hmm?

Oh, and yeah, I am not “for” all of this hoovering of the internet’s traffic as a means to an end on “home grown” jihad. I am instead a realist and know that this is how it is. Of course there is an immense amount of data passing through the internet every second of every day, so not all of the bad guys can be caught. I also know that much of that data is in the clear and is in fact our every day email that could be spied upon, and we have a real privacy issue here… But, what can I do about it huh?

Well, I can at least say let’s leave it to the professionals at the NSA and not in your completely incompetent hands at DHS.

Yours,

CoB

Written by Krypt3ia

2010/06/20 at 10:44

Jihadi Hacking Tutorials: Irhabi 007’s Text and More….

with 2 comments

I recently posted some preliminary findings on files found on Jihadist websites for hacking: actual full tutorials on how to hack that ended up with actually useful data and tools for the jihadis to hack in the name of Allah. In looking at those files I also ran across a section of .pdf files that included a text that, if I read correctly, is from Younis Tsouli aka “Irhabi 007” (Terrorist 007). Like the autorun/distro-like tutorials from earlier, these PDFs run the gamut of current hacking attacks that are the hack-du-jour: PHP hacking, SQL, Linux/*NIX hacking, database hacking of various kinds etc. Much of this data has been taken from other sites like MILW0RM and others, translated into Arabic with notations and put into the PDF format for dissemination on jihadi sites and/or certain Arabic hacking group sites like XP10.

With each tutorial though, the hackers had to add their own personal emails on there, so I have about 10 or so addresses to put into Maltego and Google. So far, “metoovet”, who created the tutorial on hacking that I posted about last, seems to be rather open in using his Hotmail address on other sites, including a business site for programming. The site is ostensibly his and via a whois I was able to get another address of his. The sum of the data points toward his being not only a hacker programmer, but he also claims to be a medical student.

Heh.

I will continue the poking about on this, but I thought these files would be interesting for you all to see. They were uploaded to the megashare a while back and I am sure have proliferated all over.

The Files

On the 007 text though, I need a good way to translate the pdf file. His stuff was pretty comprehensive too…

More soon.

CoB

STRATFOR: “Watching for Watchers” aka Tradecraft in Surveillance and Counter Surveillance

with one comment

Situational awareness is a term that I posted about last week and it seems that Stratfor, the site that I yanked the post’s genesis from, has continued on in that vein to teach us all more about it. In this next article though, they went deeper into the operational aspect of “SA” and wrote a nice little piece on surveillance and counter-surveillance.

The article starts out talking about the basic premise behind their writing and posting it. The terrorist threat today is the one that they concern themselves with right off the bat. Terrorists, like any other group or entity, perform surveillance of their target before they attack. This is an operational standard that the terrorists learned from the intelligence agencies of the past and today. Using some of these techniques (poorly, evidently, by Stratfor’s account) they did indeed perform surveillance against not only the Twin Towers, but also, as has been seen, nuclear facilities, bridges, and other important buildings, with video cameras, pretending to be tourists. Thus you had that spate of photographer harassment in NYC and other places post 9/11.

In the article though, they start with the common criminal and work their way toward the Jihadist terrorist in this way:

On the other extreme are the criminals who behave more like stalking predators. Such a criminal is like a lion on the savannah that carefully looks over the herd and selects a vulnerable animal believed to be the easiest to take down. A criminal who operates like a stalking predator, such as a kidnapper or terrorist, may select a suitable target and then take days or even weeks to follow the target, assess its vulnerabilities and determine if the potential take is worth the risk. Normally, stalking criminals will prey only on targets they feel are vulnerable and can be successfully hit, although they will occasionally take bigger risks on high-value targets.

Of course, there are many other criminals who fall somewhere in the middle, and they may take anywhere from a few minutes to several hours to watch a potential target. Regardless of the time spent observing the target, all criminals will conduct this surveillance and they are vulnerable to detection during this time.

Given that surveillance is so widely practiced, it is quite amazing to consider that, in general, criminals and terrorists are terrible at conducting surveillance.

There are some exceptions, such as the relatively sophisticated surveillance performed by Greenpeace and some of the other groups trained by the Ruckus Society, or the low-key and highly detailed surveillance performed by some high-end art and jewelry thieves, but such surveillance is the exception rather than the rule.

Now in the above snippet they make the generalization that most criminals are just bad at this and are not properly trained. Of course there are differences in the likes of the “art thief” or the “Greenpeace” activist. These though, are the exception now, but, given time and the desire of the parties involved, I am sure this could be an operational standard in the future for the smart criminal and the well funded and operations savvy terrorist.

The 19 who attacked on 9/11 were such a case.

The article moves on to the more defined and practiced skills of surveillance and counter-surveillance/evasion, to include TEDD (time, environment, distance and demeanor), which is an operational term for a practice that one must carry out if one is in the business and bound to be surveilled. This is not something the everyday person really will use but it is an interesting point of fact for consideration if you, as Joe Q Public, are going to be “Situationally Aware” for such things as a terrorist surveilling your local subway stop, never mind the criminal looking to score by robbing you in an alleyway or dark corner on the street you usually travel.

The U.S. government often uses the acronym “TEDD” to illustrate the principles that can be used to identify surveillance conducted by counterintelligence agencies, but these same principles also can be used to identify criminal and terrorist surveillance. TEDD stands for time, environment, distance and demeanor. In other words, if a person sees someone repeatedly over time, in different environments and over distance, or someone who displays poor surveillance demeanor, then that person can assume he or she is under surveillance. If a person is being specifically targeted for a planned attack, he or she might be exposed to the time, environment and distance elements of TEDD, but if the subway car the person is riding in or the building where the person works is the target, he or she might only have the demeanor of the attacker to key on because the attacker will not be seen by the observer over time and distance or in different environments. Time, environment and distance are also not applicable in cases involving criminals who behave like ambush predators. Therefore, when we are talking about criminal surveillance, demeanor is the most critical of the four elements. Demeanor will also often work in tandem with the other elements, and poor demeanor will often help the target spot the surveillant at different times and places.

The long and short of it is that you need to be aware of your surroundings, the terrain, the choke points, and the usual faces that are there, in order to notice when things are amiss and to know a way to escape should it be necessary. This all takes some knowledge of the “tradecraft” of spying and surveillance. I have written before about this subject and think it is important. Stratfor had this to say on the subject where surveillance is concerned:

The term “tradecraft” is an espionage term that refers to techniques and procedures used in the field, but the term also implies quite a bit of finesse in the practice of these techniques. Tradecraft, then, is really more of an art rather than a science, and surveillance tradecraft is no exception. Like playing the violin or fencing with a foil, it takes time and practice to become a skilled surveillance practitioner. Most individuals involved in criminal and terrorist activity simply do not devote the time necessary to master this skill. Because of this, they have terrible technique, use sloppy procedures and lack finesse when they are watching people.

Surveillance is an unnatural activity, and a person doing it must deal with strong feelings of self-consciousness and of being out of place. People conducting surveillance frequently suffer from what is called “burn syndrome,” the erroneous belief that the people they are watching have spotted them. Feeling “burned” will cause surveillants to do unnatural things, such as suddenly ducking back into a doorway or turning around abruptly when they unexpectedly come face to face with the target. People inexperienced in the art of surveillance find it difficult to control this natural reaction. Even experienced surveillance operatives occasionally have the feeling of being burned; the difference is they have received a lot of training and they are better able to control their reaction and work through it. They are able to maintain a normal looking demeanor while their insides are screaming that the person they are surveilling has seen them.

In the end, I think that some people may find this information helpful. Some may see it as a fun game they can play to become more situationally aware. Some may actually take these gleanings and use them to perhaps someday save others from being the victim of a terrorist act. Who knows… I think, though, that these are important skills that can be applied in many ways. Whether you live in the city or are just visiting, if you are aware enough, you can at the very least protect yourself from crime.

In another context, though, if you are in the business of information security or physical security, or in any job where you handle information that may be considered important enough to classify, then these skills can be adapted to your particular “situations” for security purposes. In essence, your place of business may in fact be a target of criminal and/or state-sponsored actors, and YOU might be able to detect this and stop it.

How?

Well, let me elucidate.

You see, just yesterday I posted an article on the fact that there seems to have been a rash of physical intrusions and thefts at government buildings recently. Had the people at these offices been situationally aware, then perhaps they would have stopped these people and asked some questions. Perhaps they might even have stopped them from coming through the door in the first place, huh? Instead, they paid no attention and the thieves went on their way with hardware and, potentially, data that could be damaging to the country.

I myself have taken advantage of this lack of situational awareness many times while auditing facilities. I have created bogus badges, I have used no badges, I have used the old “I’m new here” routine, and never have I been stopped by anyone. In fact, it’s been quite the opposite. People have helped me get onto their networks and into denied areas of buildings, and have given me tidbits of data that have been key to opening doors to data and physical access later on.

People are just not situationally aware generally.

So what do we do now? How do we fix this? Well, I suggest for a start that more companies actually have security awareness programs that cover these issues. They need not go into the detail of a TEDD exercise, but they should at least cover the fact that in everyday life at work, someone may want to gain access to their desk and their terminal, if not get through the front door unchecked.

You see that guy with the cigarette out back, just smoking and hanging out by the locked door? You know him? If not, then you make him badge in. If he can’t, then it’s time to go to the security desk out front and NOT let him through that door.

Situational Awareness…

CoB

Full article HERE

Written by Krypt3ia

2010/06/17 at 15:50

Theft Ring Targets Government Offices: Or, How Lax Security IS at Said Offices

with one comment

Theft Ring Targets Government Offices

On 16 June 2010, in Uncategorized, by admin
The Atlantic, 14 June 2010: As anyone who works at an office building with badge or fob access controls knows, most people tend to let anyone follow them in who wears an identification tag and looks respectable — even if they don’t know the person. A psychologist could do experiments as to why people do this, even in the face of persistent and often posted warnings to the contrary.

A sophisticated cadre of criminals is using the badge-swiping culture of Northern Virginia to steal from office buildings there, including some that house sensitive government facilities. A series of thefts attributed to the group has triggered a joint investigation by the U.S. Secret Service, the Diplomatic Security Service and the Arlington County Police Department.

One of the buildings broken into included a State Department office that contained classified materials, although it is not clear whether the classified documents were the target.

According to a Defense Department memo, the thieves outfit themselves with laminated badges hung off lanyards. They loiter near building entrances that require card key or fob access and follow other employees in. “The thieves then enter unoccupied offices and steal property, especially cash and credit cards,” the memo says.

There are at least 100 buildings in Northern Virginia that include sensitive government facilities. A Pentagon official called it a “major counterintelligence problem.”

This little story says a lot more about the insecurity of those offices than it does about the “burglars” using social engineering to get into the buildings while open. Piggybacking and social engineering are old school and often work because people generally don’t want to cause a fuss and like to be helpful. In this case, these offices should already have robust security awareness programs that would get the workers to take a second look at a badge on someone they did not readily recognize. We are, however, dealing with the government, and often these folks are, well, clueless.

This story also shows you that the proper countermeasures are not in place at these facilities, because they should be using proximity cards in areas that contain “classified” materials. Not to mention that these materials, by the sound of the memo and article, were not secured within locked cabinets to prevent their easy access to start with. So, it all sounds rather bad really, in my mind…

Ponder this.. If the thieves are doing this, what about the adversary?

CoB

Written by Krypt3ia

2010/06/16 at 19:22

Adrian Lamo: From Homeless Hacker to Lamer?

with 6 comments



From the Sacramento Bee

On Thursday afternoon, Adrian Lamo sat quietly in the corner of a Starbucks inside the Carmichael Safeway, tapping on a laptop that requires his thumbprint to turn on and answering his cell phone.

The first call, he said, came from an FBI agent asking about a death threat Lamo had received.

The second was from a Domino’s pizza outlet. One of his many new enemies had left his name and number on a phony order.

The third was from Army counterintelligence, he said.

In other circumstances, it might be easy to dismiss his claims.

He is an unassuming 29-year-old who lives with his parents on a dead-end street in Carmichael and was recently released from a mental ward, where he was held briefly until doctors discovered his odd behavior stemmed from Asperger’s syndrome.

On Thursday, he was dressed in black. A rumpled sport coat covered his bone-thin frame, and a Phillips-head screw pierced his left earlobe – a real screw, not an ear stud made to look like one.

He spoke slowly and methodically, sounding almost drunk, a side effect of medication he takes to treat Asperger’s, anxiety and his rapid heartbeat.

But Lamo is the most famous computer hacker in the world at the moment, the subject of national security debates and international controversy – and a target of scorn in the hacker community that once celebrated him.

He first gained notoriety in 2003, when he was charged with hacking into the New York Times computer system, essentially just to prove he could.

“I just wanted to see what their network was like,” he said. “It was going to be the Washington Post, but I got distracted by a banner ad.”

He has re-emerged in the spotlight following his decision last month to tell federal agents he had reason to believe an Army private in Iraq was leaking classified information. He said the information was going to WikiLeaks.org, a website based in Sweden that publishes information about governments and corporations submitted by anonymous individuals.

The soldier, Pfc. Bradley Manning, a 22-year-old intelligence analyst who was stationed near Baghdad, is reportedly being held by the Army in Kuwait while the case is investigated.

Lamo said Manning contacted him online after reading a profile of him on wired.com, which first reported Manning’s arrest and Lamo’s involvement last Sunday. Manning, he said, bragged about leaking classified military information to WikiLeaks, including the so-called “Collateral Murder” video of a U.S. helicopter attack in Baghdad that killed several civilians in 2007. That video appeared on WikiLeaks in April.

Lamo said Manning also claimed to have leaked other materials to the website, including 260,000 U.S. classified diplomatic cables.

“I couldn’t just not do anything, knowing lives were in danger,” Lamo said. “It’s classified information, and when you play Russian roulette, how do you know there’s not a bullet in the next chamber?”

Full article HERE

Adrian Lamo is a name that, in the hacker community for a while, was a zeitgeist for the altruism of hacking in the original sense. He popped into systems and networks with only a web browser and told the companies he had compromised, in an effort to secure them. Frankly, the recent diagnosis of Asperger’s makes a lot of sense to me, and likely to others who have met him or know of him from watching him. He has an interesting personality that borders on the strange, and Asperger’s may well explain the focus on minutiae he has shown in his hacks.

With the events of late regarding his turning in the alleged source for Wikileaks, there has been a fair bit of loathing on the part of the hacker community against Lamo, and I for one think that he did the right thing. Look, this guy Manning has yet to be shown to be a Daniel Ellsberg here. Daniel released data that unequivocally showed that our government was lying to us about Vietnam. Perhaps some of what Manning was seeing was on par with that, but he went to Wikileaks instead of, say, the New York Times with his allegations. In fact, I have not heard anything substantive out of Manning that would lead me to believe that he is anything more than a hacker wannabe or… just someone craving attention. The mere fact that he went to Lamo on this shows more about his motives than anything else.

If you look at the chat transcripts, there is no real sense that this guy was looking to put an end to conspiracy as much as to get Lamo to like him… Simple as that, I think. So, what Lamo did was, in my mind, right. He reported the potential for large leaks of cables that could potentially blow NOC agents all over the world, as well as place our diplomatic aspirations globally at risk. Who knows what else might have been given to Wikileaks and/or may be out of pocket elsewhere thanks to Manning. The damage could be long in coming and severe, really, and Lamo could see that. Not to mention that he knew enough that he was now a party to treasonous acts and could, just by knowing of it, be a co-conspirator had he not reported. If he thought he knew the dark side of the judicial system before with the Grey Lady incident, he certainly could fathom what would happen to him on treason charges.

So, all the hacker kiddiez out there… Leave him alone. He actually did the right thing here. Cut out the death threats and all the BS that certainly is going to go on… Especially at DC18, I am sure he will get some negative attention, because many of the hacker types are childish narcissists to start. It’s time to grow up.

Now, with all that said, should there have been some epic malfeasance on the part of the government along the lines of the Pentagon Papers, then I would understand passing such data to the Times or perhaps even to Wikileaks. However, without there being confirmed actions on the part of our government, I cannot agree with what has happened. Yes, the footage that came out and the subsequent recognition that civilians in a war zone were killed by US forces’ fire is bad, and perhaps there was some attempt at covering up, but it does not merit the continued and further exploitation of all data at the hands of this guy.

For an analyst, he sure wasn’t analyzing the data. I guess that some of this will all come out eventually if there is a trial that can be reported on by the press. Though likely it will not, as everything is classified.

What may be more telling is that what Manning did was so easily done on SIPRNET systems with allegedly compartmented data. Once again, the measures that the military had taken, even under the assumption of “trust but verify,” were clearly not being carried out here. I have heard the stories before and seen the fallout from processes not being followed where security is involved, not only in the military arena but in everyday corporate life. If you fail to carry out your basics of OPSEC and INFOSEC, then you FAIL epically to retain your data security.

Bad on the military here.

In any case, Lamo did the right thing, either for his own skin’s safety or out of a real sense of just how far-reaching the damage could be to this country. As well, this incident may actually get him closer to being a truly functional member of the security community.

Well done.

CoB

Written by Krypt3ia

2010/06/14 at 17:46

Jihadi Penetration Tutorials: Metoovet

with 2 comments

Recently I have been writing some about the tools and methods that the “hackers” on the jihadi boards have been using and promoting. Until now these tools and techniques have been mainly Windows-centric and a bit behind the times. This, however, changed today when I found a new section that I had not looked into before.

Evidently, Sword Azzam is now offering a new tutorial series, “metoovet,” put together by an Islamist hacking group, “xp10,” whose site resolves to:

Registrant:
abdulaah alzhrani
ksa
jeddah,  123456
Saudi Arabia
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: XP10.COM
Created on: 20-Apr-03
Expires on: 20-Apr-11
Last Updated on: 03-Jun-10
Administrative Contact:
alzhrani, abdulaah  x25x@x25x.net
ksa
jeddah,  123456
Saudi Arabia
+966.555555555      Fax —
Technical Contact:
alzhrani, abdulaah  x25x@x25x.net
ksa
jeddah,  123456
Saudi Arabia
+966.555555555      Fax —
Domain servers in listed order:
NS57.1AND1.COM
NS58.1AND1.COM


The tutorial set not only has teaching materials and how-tos but also full tar files of more exotic hacking programs of the sort you would find in the hands of a more technical hacker. This is the first time I am seeing this, and after having gone through the files, I am somewhat impressed with the package. These guys are the real deal.

The package is fully integrated with a nice little front end and even a music track. The range of hacking goes through *NIX, PHP, IIS, and on, with how-tos and even a test case to try for yourselves.

All in all, this and other packages have suddenly appeared, and I am seeing a real change in the tenor of the site’s technical area. It would seem that the XP10 folks and some new entries from Palestine have brought some new blood. If these guys are indeed learning and able, they may be a bit more of a threat to the internet.

Also included within the discussion group and files, I found a whole series that was written by Younis Tsouli, aka Irhabi 007. I have mentioned him before, and it seems by the looks of the comments that the jihadis have not forgotten him either. My fear is that these guys, R3P and Azzam, with the help of the guys at xp10, might just fill the shoes of the former Irhabi. If that is the case, and they get a real base of “hackers” behind them, then we could be seeing more problematic hacks and data exfiltration.

We shall see…

I will be pulling all of this apart and performing some forensics on the files, of which there were many more than this particular tutorial series. Additionally, there is a plethora of sites within these documents that I will be spidering out to and rooting around in. I think I will be pretty busy in the near future.

CoB

A Primer on Situational Awareness

leave a comment »

STRATFOR/Scott Stewart, 20 June 2010: The world is a wonderful place, but it can also be a dangerous one. In almost every corner of the globe militants of some political persuasion are plotting terror attacks — and these attacks can happen in London or New York, not just in Peshawar or Baghdad. Meanwhile, criminals operate wherever there are people, seeking to steal, rape, kidnap or kill.

Regardless of the threat, it is very important to recognize that criminal and terrorist attacks do not materialize out of thin air. In fact, quite the opposite is true. Criminals and terrorists follow a process when planning their actions, and this process has several distinct steps. This process has traditionally been referred to as the “terrorist attack cycle,” but if one looks at the issue thoughtfully, it becomes apparent that the same steps apply to nearly all crimes. Of course, there will be more time between steps in a complex crime like a kidnapping or car bombing than there will be between steps in a simple crime such as purse-snatching or shoplifting, where the steps can be completed quite rapidly. Nevertheless, the same steps are usually followed.

People who practice situational awareness can often spot this planning process as it unfolds and then take appropriate steps to avoid the dangerous situation or prevent it from happening altogether. Because of this, situational awareness is one of the key building blocks of effective personal security — and when exercised by large numbers of people, it can also be an important facet of national security. Since situational awareness is so important, and because we discuss situational awareness so frequently in our analyses, we thought it would be helpful to discuss the subject in detail and provide a primer that can be used by people in all sorts of situations. . . . .

OPSEC: It’s analogous to the topic above from Stratfor. I have lamented many times over the issues concerning OPSEC and general IT security within companies such as that which shall not be named *but you know who you are… and your logo should not be an eagle; instead, perhaps an ostrich might be more appropriate*… but I digress… Where was I? Oh yes, OPSEC and YOU.

Situational awareness is a part of OPSEC; in fact, I would dare to say that it is the basic core of OPSEC. If you don’t know the variables of danger in your environment and you are not paying attention, then, well, you get hacked in IT, and in real-life situations you potentially get dead. It’s all about seeing the dangers, even the ones that are not so obvious, such as a tiger sitting next to you looking real hungry-like and growling. It is my basic contention, though, that since we left the ancient savanna and urbanized everything, we have lost the ability to see danger very well. Especially long-term danger.

On the face of it you have several levels of awareness to understand and cogitate.

1) Immediate dangers like the tiger

2) Middle term dangers that are likely given the situation

3) Exotic dangers that seem too inconceivable for many to act on

In our daily lives we have all of these in our environment. The situational awareness that Stratfor is talking about is the immediate danger. It is unfortunately becoming more common now that there is a possibility that any one of us could be bombed by a jihadist. Just going to work, if you live in a city, statistically gives you more potential to be a target, but we still go on about our business and sometimes do not pay attention to what is going on around us. That is something we need to do even if we aren’t the target of a terrorist. Often, though, we are in our own little digital iPhone/iPod worlds and oblivious.

Now, I am not saying to be a quivering mass of senses and nerves always looking for terrorists or dangers at each corner, but I am saying “Pay Attention.” If you really look, you might see something that could help you or others.

It was such awareness that stopped Shahzad’s little exploit from actually catching real fire, as opposed to exploding. The vendor near the car saw the smoke and called the cops. He did not, however, really take note of the driver, nor the fact that he had parked the car illegally, etc… Or if he did, it was nothing “unusual.”

Long-term dangers and those exotic ones, well, these are something different. However, in the IT world, they are rooted in very BASIC tenets of security that, if paid attention to, could be DENIED to would-be attackers. Things such as:

  • Don’t give out too much information on social networking sites
  • Don’t write your passwords on Post-its and leave them lying about
  • The same goes for passwords and other data on a PC/Mac/PDA/phone: encrypt them!
  • Don’t tweet or post on Facebook that you are going on vacation or leaving the house for X amount of time… Hello burglars! I am GONE! COME ON IN!

I could go on, but I think you get the point. Unfortunately, in the corporate world, these things still just don’t get thought through or acted on.

  • It’s too hard to encrypt our data!
  • It’s too hard to teach users to be secure!
  • It’s too costly to implement security!
  • Passwords with too many characters are HARD to remember! (9 chars? Really? How do you remember your fucking names?)

All of these things are basic tenets of OPSEC and you have to be SITUATIONALLY AWARE to understand and to be PROACTIVE about fixing issues.

WHY OH WHY DID WE GET HACKED?

“Your government failed you.. They did not connect the dots”

We are awash in a sea of data… One need only be aware of it to act accordingly.

CoB

Written by Krypt3ia

2010/06/11 at 15:54

Posted in OPSEC