Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for July 22nd, 2010

5 Reasons to Doubt Al-Qaeda Magazine’s Authenticity: Gives One Ideas, False Flag Anyone?

leave a comment »

The 5 reasons:

(1) Bin Laden and Zawahiri are extremely secretive and issue statements rarely and directly to the media. It would be unusual for them to write for a third-party publication, especially one put out by the Yemen-based AQAP, with which they have little or no direct ties. However, it is possible that the magazine’s producers simply copied old statements they had made.

(2) The language of the magazine, such as “Make a bomb in the kitchen of your mom,” reflects either a poor command of English or a light-hearted sense of self-parody. AQAP is not known for either. Awlaki, whose location in Yemen makes his participation very plausible, is a native, fluent, and very articulate English speaker. His fiery English-language sermons are not funny.

(3) The magazine includes an essay by Abu Mu’sab al-Suri. But Suri, whose connection to al-Qaeda is uncertain, has been locked up in Guantanamo–and possibly a CIA black site–since 2005. However, as with bin Laden, it is possible the magazine simply copied old statements.

(4) Analysts tell me that the magazine PDF file either does not load properly or carries a trojan virus. This is unusual because al-Qaeda and AQAP have produced and disseminated such PDF publications many times without such problems. If the report was produced by U.S. counterintelligence, or if the U.S. operatives attached the virus to the original file, would the trojan really be so easily detectable by simple, consumer-grade virus scanners? Surely U.S. counterintelligence has less detectable viruses at their disposal.

(5) The web-based “jihadi” community itself seems suspicious. The report has received little attention on web forums, especially given its apparent importance. A publication including such high-profile figures would normally receive far more attention than it has so far.

Full article HERE Inspire AQAP Glossy HERE (CLEAN)

Exploit or Ineptitude?

When this file came out I too had some issues with it not downloading fully from the myriad of uploader sites that the Jihadi’s had “ostensibly” uploaded it to. I attributed it to a lack of understanding on their part that the original had been corrupt somewhere along the line between sharing partners and propagated that way. However, given all of the data post release and some looking into, I think there are a couple of scenarios that might fit the bill;

1) The original was sent out to the trusted before going wide. Once sent wide, it was quickly infected with malware per persons unknown and propagated further on the internet.

2) The reason for the placement of the malware could be to sow distrust on the part of the jihadi’s trafficking in the data by persons unknown. This makes it an untrusted channel and more likely people will not download it too quickly in the future. I say this because the malware was easily detectable by current AV products. Had this been a program of the intelligence agencies, they would have indeed used 0day that was not detectable. The same could be said for certain factions of the hacking community who may have an interest in helping the other “community”

3) This was indeed some sort of poorly conceived exploit by some organization as the malware was easily detectable.. They screwed up.

I cannot say either way and I as yet, have not seen a copy of the “infected” file to prove out that it did indeed have malware embedded in it. The current version that I have on my server (linked above) is clean, but I believe that I have another dirty copy on another *nix box. I will check that later and amend this post once I have. All of this though does not lead me to believe that the magazine was part and parcel created by anyone else but a jihadist movement faction that offered it to AQAP.

You can go on the cues from above about the language and the other telltale clues that this is not a straight out work of GIMF or As Sahab. The writer of the article is right on this account in that the language would have been much better constructed by bi-lingual speakers of Arabic and English as you have seen in the past. The Al-Awlaki connection too may be there, but he likely did not have oversight directly of this magazine. In fact, when I pulled the metadata on the PDF file that I got hold of today, there was NONE in it. So it is hard to say who made the file at present. I will check again once I find that dirty copy I downloaded when it came out for metadata in situ.

As for Giving One Ideas..

All of this has given me ideas on perhaps how the information war should be waged against AQ and other online Jihadist movements if it already isn’t being done by the likes of the NSA. What if such PDF files were commonly compromised with 0day? The jihadists usually traffic pretty much only in PDF files nowadays. If you go to their sites you can’t even get a lock on the files there because they have uploaded them all to share sites all over the globe. So, who’s to say that there isn’t some governmental bodies out there with access to those .com .net sites and are infecting the files soon after the uploads happen?

I’d be doing that…

Hell, I’d be loading the files with malware for all the major OS’ out there not just Windows variants… Which, we know a good percentage of these online jihadi’s are using Windows as you may have seen in the posts I have made. The only problem then would be that if you are doing this to the downloaders, it leaves the creators still potentially unaffected.. How to get the creators boxes I wonder….

I guess the question Is… is this already being done? If not.. Why not? Seems to me that we could get a pretty nice haul if you compromised all those down loaders boxes and set up a nice back channel server somewhere to aggregate all the data as well as do some escalation….

Maybe the government just needs a good copy of Core Impact huh?

CoB

Worm Win32/Stuxnet Targets Supervisory Systems in the U.S. and Iran

with one comment

According to ESET Virus Lab, the worm has been active for several days, lately in the U.S. and Iran withalmost 58 percent of all infections being reported in the United States, 30 percent in Iran and slightly over four percent in Russia. The cyber attacks in the U.S. and heightened activity of the worm in Iran come in the wake of persisting tensions between the two nations over nuclear ambitions of this Middle Eastern country.

“This worm is an exemplary case of targeted attack exploiting a zero-day vulnerability, or, in other words, a vulnerability which is unknown to the public. This particular attack targets the industrial supervisory software SCADA. In short – this is an example of malware-aided industrial espionage. The question is why the chart of affected nations looks as it does,” said Juraj Malcho, head of the Virus Lab at ESET’s global headquarters in Bratislava, Slovakia.

An interesting angle to this story is how the worm spreads. “For a truly targeted attack it would have been coded to make specific checks to see that it only ran where it was supposed to and did not spread. Spreading increases the odds of detection. If the attack was aimed at only US systems, then the attacker would not want the code appearing all over the world. This fact might indicate a number of potential attackers,” said Randy Abrams, director of technical education at ESET in the U.S. “The ability to attack power grids throughout the world would be very appealing to terrorist groups,” concludes Abrams.

Full article HERE

Interesting choice of countries to attack… What would be the motivation for just those two countries in a targeted attack? Could there be some cross polinization due to the actions of one country on another? Lets say for instance, the Iran got infected by something they procured or had access to within the US? Or vice versa? My bet though, is that this is a targeted attack on the systems themselves and not country centric. Any country using like technology, likely has the new worm in their midst and may not know it.

Of course, just how many SCADA systems are prevalent today? As well, just how many have been connected to systems that face the internet in some way? That is the operative question I guess…

As for the contention that this is industrial espionage.. Well, I might think it is more groundwork for something else… Here it comes…

Cyber Warfare Oh my, I said it didn’t I huh.. The talk lately has been so back and forth between detractors and believers that no one really is getting “it” No matter what you call it, no matter who you want to attribute it to as attackers go, here is the proof of concept that even if it is not “happening successfully” yet, they are trying. That is the important thing to keep in mind. What people fail to understand is that the whole US grid need not be knocked out to make a cyber war or to be successful. All you really need is for the target of your choosing that will fulfill your desired outcome, to be taken down or subverted in whatever way you want it to be.

I am sure the bickering will continue and the government will look at this and think they have to create another agency or sub group to think about it more.. In the meantime though, we still have the problem of these systems perhaps being connected to networks that are not secure, whats worse, those networks may in fact be internet facing and thus able to be C&C’d from remote locations like mainland China.

Meanwhile….

More has come out about this 0day and the supervisory systems attack (I wonder if that is the only vuln attack here or is it just one of many coded into this effort?) It seems that the Siemens software and an old and well known SCADA password for it on the internet, has been coded into this and has been seen in the systems spoken of above.

IDG reported that Siemens issued a warning on Friday saying the virus targets clients using Simatic WinCC, one of the company’s industrial control system software offerings that runs on Windows. The virus strikes at a recently discovered Windows bug that affects every Microsoft operating system, including the recently released Windows 7.

The virus transmits itself through infected USBs. When the USB is plugged in to a computer, the virus copies itself into any other connected USBs and, if it recognizes Siemens’ software, it tries to log in to the computer using a default password.

Read more: http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/07/19/BUBC1EDTIS.DTL#ixzz0uPyQ8AGn

Now this article has language from Siemens that alleges industrial espionage and not so much prelude to attacks on a networked system such as the grid. One wonders just what the straight story is here. In either case, the incursion of the worm and the accessing of a known pass/log to a SCADA system is not a good thing for those of us trying to protect said systems. Would not one looking at this on the face of it think that it was an attempt to gain a foothold as well as intel on SCADA systems for future use?

Better keep your eyes peeled…

Just sayin…