(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for July 2010

The Consultant Was a Spy


Heathfield was also pitching a software program he claimed to have developed, called FutureMap. He described it to sources and in writing as a program that would reside on a company’s internal computer network. Users could plug in variables such as election results and technological breakthroughs to see how events might affect their businesses and future strategies. A screen capture of FutureMap shows a timeline tracking events over the course of many years in a variety of categories, including “Energy and Environment” and “Medicine & Biogenetics.”

Sources who met with Heathfield about FutureMap now believe the software could have been used to steal corporate information and send it back to Russian intelligence officials without the companies’ knowledge. . . . . . Sources were unnerved by how sophisticated and polished Heathfield’s pitch was. If not for the FBI’s intervention, one source speculated, Heathfield could have made a successful sale, installed the software, and started sending information home. “If he had a few more customers and better marketing, he could have really pulled off something tremendous.” . . . .

Full article here:

Back when I was a road warrior for IBM, many people who knew me (friends and family) actually half thought that I was not an IBM employee, but some kind of spook. I have to admit that due to the nature of what I was doing I couldn’t really talk about exactly what I was doing, but I could tell them I was here or there etc. Unlike real spooks. In the case of Heathfield, well, he turned out to be a real spook and gee, look at that, he was a self-branded “consultant.” Who’d’a thunk it, huh?

The fact is that the CIA often uses NOC agents in the role of consultants or reps for “front companies” or even legit companies as a cover for their NOC (Non Operational Cover) identities or “legends.” They go into places under the guise of business, like an oil company that may in fact be the target of their collection activities. It’s an old trick and it always will be the case; there is nothing new here save that this guy was in fact perhaps peddling software that was pre-pwn3d and could tunnel the “clients’” data out to mother Russia. A rather nifty idea really, but again, nothing new.

So, won’t you now look on the new consultant as not only perhaps a Bob (oblique Office Space reference) but also maybe the next corporate spy?

THIS is what should happen, but I am sure it will not. You see, the vetting process for employing people is oftentimes too weak, if it is in place at all, at companies. All too many times people do not check references, nor do they do the criminal background checks on new hires or prospectives. Never mind the fact that most of the time it’s easy enough to get onto a corporate facility with faked credentials or none at all and gain access to data, terminals, hardware etc. Hell, just how many places have a separate VLAN or drop for internet access for visiting consultants or prospective clients?

Put it this way: can anyone just plug in and get a DHCP address on your network? If they can, well, game over man. Even more so if you have a weak AP system for wireless (can you say WEP?). So that “consultant,” whether or not they are meant to be there or have just socially engineered their way into the building, may already be on your network and tunneling out gigs of data as you read this…
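To turn the “can anyone just plug in and get an address?” question into something you can actually check, here is an added example (my own code, not from this post) that reads DHCP server log lines and flags every lease handed to a MAC address that is neither in the asset inventory nor on the segregated guest interface. It assumes the ISC dhcpd style DHCPACK syslog line; the sample lines, the inventory and the interface names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in ISC dhcpd syslog style (assumption: adjust LEASE_RE
# if your DHCP server logs a different shape).
SAMPLE_LOG = """\
Jul 18 09:12:01 dhcp1 dhcpd: DHCPACK on 10.20.4.31 to 00:1a:2b:3c:4d:01 (fin-ws-031) via eth0
Jul 18 09:12:44 dhcp1 dhcpd: DHCPACK on 10.20.4.32 to 00:1a:2b:3c:4d:02 (fin-ws-032) via eth0
Jul 18 09:15:09 dhcp1 dhcpd: DHCPACK on 10.20.4.77 to 08:00:27:aa:bb:cc (consultant-laptop) via eth0
Jul 18 09:16:30 dhcp1 dhcpd: DHCPACK on 10.30.1.5 to 08:00:27:dd:ee:ff via eth1
"""

# Constructed asset inventory: MAC -> owner. Anything not listed got an address
# without ever having been provisioned.
KNOWN_MACS = {
    "00:1a:2b:3c:4d:01": "finance workstation 031",
    "00:1a:2b:3c:4d:02": "finance workstation 032",
}

# Constructed: interfaces that serve the separate visitor VLAN. Unknown devices
# there are expected; unknown devices on any other interface are the finding.
GUEST_INTERFACES = {"eth1"}

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass
class Lease:
    ip: str
    mac: str
    host: Optional[str]
    iface: str


def parse_leases(log_text):
    """Extract (ip, mac, hostname, interface) from every DHCPACK line."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"], m["iface"]))
    return leases


def unknown_devices(leases, known_macs=KNOWN_MACS, guest_ifaces=GUEST_INTERFACES):
    """Leases given to MACs that are not inventoried and not on a guest segment."""
    return [l for l in leases if l.mac not in known_macs and l.iface not in guest_ifaces]


if __name__ == "__main__":
    for lease in unknown_devices(parse_leases(SAMPLE_LOG)):
        print(f"UNINVENTORIED DEVICE: {lease.mac} ({lease.host or 'no hostname'}) "
              f"got {lease.ip} on {lease.iface}")
```

Run against your real dhcpd log, the only output you want to see is nothing; every line it prints is a device that plugged in and got served without anyone having put it on the books, which is exactly the scenario the post describes.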

So one of them turned out to be a real bona fide Russian illegal. WOOO HOOO! Worry about all the others out there from every other land, as well as every corporate entity, looking to steal your shit.

Pay attention! So can the DHL Guy, the I.T. Guy, The Mail Man, The Temp, The Plumber, Janitor, etc etc etc…


In Iran, a Defector Disappears Again: Would This Be An Iranian “CURVEBALL”?


Iranian nuclear researcher Shahram Amiri arrived home Thursday, despite efforts by the Central Intelligence Agency to convince him to stay in the U.S., beginning another stage in a saga in which both countries suggest they came out on top.


Shahram Amiri, holding his son after landing in Tehran Thursday, said he was tortured in the U.S., and revealed nothing. The U.S. denied the claims.

U.S. officials say Mr. Amiri defected to the U.S. about a year ago and provided valuable information on the country’s nuclear program. In return, he was offered the opportunity to resettle and given a $5 million resettlement package to establish his new life in the United States, officials say. CIA officials warned Mr. Amiri that he could face execution if he returned to Iran.

Tehran has cast Mr. Amiri as a victim of U.S. thirst for information about the Iranian nuclear program, which the U.S. says is for weapons development and Tehran says is for peaceful uses. After his disappearance in Saudi Arabia in June 2009, Iran said he had been kidnapped by American agents, a charge the U.S. denied.

Full article Here:

Interesting story here, albeit one that we have seen before back in the Cold War days. There have been a few defectors from the old Sov bloc that actually went back to the Union either because they did not fit in here, feared for their loved ones, or… were intending on doing so all along. The latter were known as agents of “disinformation.” Just what the story is on Mr. Amiri remains to be seen really, I think. Though, according to the CIA and this whole 5 million dollar story, he went back out of fear for his loved ones.

I on the other hand tend to think that that is a weak story.

I would hazard a guess that there is much more going on here behind the scenes that we may never know about. However, if Mr. Amiri does not end up disappeared or suddenly have a massive heart attack, then he was a plant and the CIA may have indeed been led down a path of the SAVAK’s choosing with regard to where Iran is on the whole nuke thing. Since Iran has been so tight to get operatives into, as well as cooperative assets inside and out, we (the CIA) have been mostly blind for some time in this regard.

So, this guy evades his handlers and runs to the embassy, where they welcome him with open arms.. An alleged traitor to their country… Hmmm, this does not sound like the usual sentimentality out of the likes of Mahmoud and his merry band. Something smells… Meh, I guess time will tell. However, just who is going to be asking to see that Mr. Amiri is okie dokie come a year on in? CARE or the UN going to look in on him?


So it’s likely that he will just have a massive coronary.. Or maybe a nice little accident in the car perhaps? My vote is on coronary or some other hard-to-detect manner of homicide involving small pin pricks with needles in odd places..

Well played Iran.. Boys, take that 5 million of the taxpayers’ money and put it back in the budget, ok? Oh, and all that data you got from Amiri, well, I would be putting that in the circular bin…


Written by Krypt3ia

2010/07/18 at 21:12

Talk on Chinese Cyber Army Pulled From Black Hat: Nothing To See Here… Move Along…


“Operation Aurora, GhostNet, Titan Rain. Reactions were totally different in the US and in Asia. While the US media gave huge attention, Asia finds it unbelievable and interesting that cyber warfare and government-backed commercial espionage efforts that have been well established and conducted since 2002, and have almost become a part of people’s lives in Asia, caused so much “surprise” in the US.

Here we’ll call this organization what they’ve been properly known as for the past eight years: the “Cyber Army,” or “Wang Jun” in Mandarin. This is a study of the Cyber Army based on incidents, forensics, and investigation data since 2001. Using facts, we will reconstruct the face of the Cyber Army (CA), including who they are, where they are, who they target, what they want, what they do, their funding, objectives, organization, processes, active hours, tools, and techniques.”

Full article Here:

“We’ve been hacked! Oh wait, you’re in Paris… You can’t help us.. CLICK”

Color me not surprised to see that this talk was yanked off of the BlackHat schedule. This is specifically in light of the fact that the presenter is from Taiwan, a protectorate of China, and likely if the talk went ahead, then the speaker and his company would have been sanctioned by the Chinese government. Though, it could be that there are other players here that may not want some bits of information out in the open, but who’s to say at this juncture? Suffice to say that something in this iteration (and there have been others of this same talk given) got them spooked.

The other comment that struck me was the red text above, which mirrors what I have been saying all along since the whole Google APT thing erupted onto the media stage here in the States.

This is nothing new.

The Chinese have been at this for some time, just as other countries have been doing the same thing. It is just perhaps the scale and the persistence that have been the key to the difference here. The Chinese have the 1000 grains of sand approach that is culturally specific to them. They took that notion, the game of “Go,” and what they learned from Sun Tzu, then applied it to their cyber warfare/infowar stratagem. It’s only a natural progression really given their culture and history. What really takes me aback is just how ignorant the West (a la the US) seems to be of this; it has me wondering just what navel they have been gazing at all of this time while the Chinese ate our collective lunches.

So here we are, months after the Google revelations and years after the successful attacks that no one dares name for fear of national security, or perhaps national egg on the collective national face, with regard to past incursions on sensitive networks. You see, yes Virginia, there have been other incursions and much more has been stolen via networking infrastructure as well as HUMINT by the likes of China in the past. It’s just that it’s either classified, hush hush, or, more likely, the targets have no idea that they had been compromised and their data stolen. It’s all just a matter of the security awareness that we have had.. Well, where that has been nationally has been in the toilet really, so extrapolate from that the amount of data that has been stolen, ok? Let’s use the JSF as an example of this as it’s been in the news.

Trending Lately.. APT+JSF = Chinese Love

Now, given that this type of talk has been the “du jour” lately on the security and government circuit, let’s move the target further out and to the left a bit, ok? I have been noticing something in the news that has a direct connection to my last employer, so I will be judicious with my speech here.. How shall I start….

Ok… Let’s name the players…

Lockheed Martin: Hacked and about 2TB of data taken out of the systems… Inclusive on the JSF project

(Undisclosed company that makes hot object integral to flight) : Nothing in the news…. wink wink nudge nudge..

The FAA: Hacked and back channeled through trusted networks into Lockheed and ostensibly other companies

The JSF itself.. Well, Congress wants to keep the program afloat while the main military brass want to kill it. You see, it’s been compromised already, and I suspect well enough that the technical advantages it was supposed to have are pretty much gone now. You see, all those hacked systems and terabytes of data exfiltrated were enough to compromise the security of the ship herself and give the enemy all they needed to defeat her “stealth” systems.

Somewhere in China there’s a hangar, a runway, and a Chinese version of the JSF sitting on the tarmac doing pre-flight I think.

So the latest scuttlebutt out there with regard to the cost overruns and the problems with the JSF is just one part of the picture, I think. Sure, there is political intrigue and backstabbing going on too, but, were I the military and my new uber plane was no longer uber, nor cost efficient, I would be killing it too and looking for something else to use in theater.

So how did this happen?

Causality: Trusted Networks, Poor Planning, Poor Technical and Procedural Security, and The Human Equation

The method of attack that compromised the networks in question involved a multi-layer strategy of social hacks as well as technical ones. The Chinese used the best of social engineering attacks with technical precision not only to compromise the more secured networks, but also to use the trust relationships between companies working on the JSF to get the data they wanted. You see, all of these companies have to talk to each other to make this plane. This means that they will have networked connections, either via VPN or directly within their infrastructures, to pass data. By hitting the lesser secured network/company/individuals they can eventually escalate privilege or just hop right onto the networks that they want, in a back door manner.

Hit the weakest point and leverage it.

In the case of the JSF, the terabytes of data were never really elaborated on, but I can guess that not only was it flight traffic data but, integrally, the flight recording data concerning all of the systems on board as the plane was tested. In addition to this, if the APT got further into Lockheed and the other companies that make the plane, they might have data on the level of actual CAD drawings of parts, chemical analysis and composition details, as well as the actual code written to operate the systems on board the plane for it to function.

In short, all of the pieces of the puzzle on how to make one.

Sure, there must be gaps; I am sure that they did not gain access to some ITAR/EAR data but, given the nature of the beast, they can infer some things and in other areas perhaps get analogous or dual use technologies to fill in the gaps. The two terabytes are the only terabytes that we “know of,” or shall I say are allowed to be known of. It is highly likely that that data is not the only stuff to be taken. It’s just a matter of finding out if it has.. And in some cases, they can’t even tell because of the poor security postures of the companies involved.

The reason for these companies’ (with the exception of Lockheed’s) lack of insight into their security is simply that they have not been corporately aware enough to care about it… Yet. Perhaps now they are getting better post the hacks on Lockheed and others, but it has been my experience that even after a big hack is exposed in the news, many corporate entities take an “it can’t happen to me” attitude and go on about BAU until they get popped and put on the news. What’s more, the Chinese know this and use it to their advantage utterly.

You see, it’s not just all about super technical networking. It’s also because they don’t even have solid policies, procedures, response plans, and other BASIC security measures in place or being tested and vetted regularly. This negates the super cool technical measures that they might have bought from the likes of IBM and CISCO, because Johnny Bonehead C-level exec says he MUST have a 4 character password and ADMIN access to his machine.

All against policy… If they do indeed have one on that…

Failure is imminent unless the sum of the parts is in working order. This means the dogma of policy, security education, incident response, RBAC, etc., the CIA triad, are in place and have acceptance from the upper echelon of the company. All too often this is not the case, and thus easy compromise occurs.

Circling Back To The BlackHat Talk:

Ok, circling back now after my diatribe… My bet is that both parties (China and US) did not want this talk to go on, depending on the data that was within. Some red faces would likely have ensued, and/or it would have given people ideas on where to attack in future also. It’s a win-win for all concerned if the talk was made to go away and, well, it did, didn’t it? Unless this guy says he quits his job, moves away from Taiwan and then gives the talk anyway. I doubt that is going to happen though.

In the end, the cyber “war” has been going on for years… Well, more like cyber “espionage,” but in today’s long view I see them as the same thing. After all, a good cyber warfare stratagem includes compromise of key systems and data in order to make them useless at the right time.

The Cyber War has been raging since the 90’s. It’s just that the American people and media have only recently heard of the “internents” being vulnerable.

Wakey wakey…


VIVOS: Good Morning Frank, There Are 887 Days 12 Hours, 18 Seconds Remaining


So I was watching The Colbert Report the other day and saw a bit he did on Vivos. The bit was funny, but the reality is… well, funny and scary. Now, I was a real fan of MillenniuM, well, I still am really, but back in the day before 2000 you could just get into the whole “the end is nigh” thing. Now, post the millennial abyss of 2K, I guess people just had to latch on to 2012.

So here you have the Vivos crew. They made this super luxury bunker system for the super rich tinfoil hat wearer and their family. You can apply to become a member and get in before the timeline comes to an end in 2012 (ya know, when Palin wins the White House) … Or was it the nuclear disaster? Or the infamous Planet X? There are so many to choose from on their site! Here I was thinking I was “Johnny Ray of Sunshine”; these guys make me look like an amateur.

All of this made me ponder the whole “50’s are back again” theme that pervaded during the Reagan era and seems to have come full circle again post 9/11, W, and now Obama and the tinfoil hat patrol’s “he’s a socialist” mantra. I lived through the 80’s and I remember those days of fearing the bomb, like the 50’s when daddy built a fallout shelter in the back yard. Of course all those fallout shelters were constantly brought back to us in the 80’s with the onset of “The Day After” and other melodramas like “Threads.” Of course back then it was all the Russkies and the odd terrorist event from the likes of Black November.

Today we have the melange of all of the above apocalyptic triggers that may, like a Rube Goldberg device, kick off our mass extinction.. Well except for those lucky fools in the Vivos shelter eating sloppy Joes if you believe the Colbert Report hehe. Ahh to survive a year as a moleman only to come out into the blasted land… Only to die by being eaten by the likes of a hungry Mel Gibson either infected with blood zombie rage or, well just being himself lately.

What does all of this say? Well, I think that this all says that we are a freaked out, stressed populace who really thinks the end is nigh. Well, some of us do, that is. Those like the Vivos sales team and creator, as well as the other tinfoil hatters. Me? Well, I figure I have supplies, ammo, a house on top of a small mountain, and a fighting spirit that will get me through a little while at least. Eventually though, if you get the killer EMP/ZOMBIES/PLAGUE/solar flare that roasts the earth.. Well, you’re just gonna die sooner or later. So live it up now!

In the meantime check out their site and laugh.. Or perhaps weep…


Written by Krypt3ia

2010/07/17 at 16:58

Pastebin Coughs Up The Smoking Gun On LIGATT


The pastebin posting below is from an SQL database dump of the site’s user table, which shows the site’s creation and ownership. You can see from the highlighted (RED) text that the site was created and ostensibly hosted by: aka Teresa Clarke from Atlanta GA

See her data below the pastebin posting.

According to #LIGATT the site was not affiliated with him (even though you have that picture as logo where the “evans like” character is digitally punching the “rothke” character). However, as you can see from the data below, the “referee” acct is indeed the PR account for #LIGATT itself! Now that’s some ham-handed PR tactics there, Greg!

So, how fair a fight would it be for one of the two boxers (to use his trite analogy) to be the referee too huh? Once again, LIGATT is caught in a lie…

Meanwhile, LIGATT goes on with creating cutout accounts on yahoo, gmail, hotmail, and other sites to pump his stock and fight all the bad press on the web. Some of these can be seen in this pastebin dump (I see you Your account was created 6.28.10 on yahoo and your data matches no one in the MD area. I did the searches for a “Blake Cummings” from Baltimore and there are none listed.

Of course you could be under the radar, but none? This is a cutout account for Greg and his minions to attempt damage control on the stock sites. I am also looking to procure a shareholders list for LGTT and plan on seeing what the SEC can do on that account. It would be interesting to match names to real people. I am willing to bet that there are many ghost shareholders…

Keep it up Greg… It’s not working, but it is at least amusing…

Additionally, there is an SEC filing at the inception of this publicly traded company LGTT, with its name change from a sports company to Ligattsecurity. This document shows Charles Randolph Anderson on the board of directors at the time of inception. Was this indeed the case? I seem to remember something on attrition saying that he was never on the board officially? I will have to do more digging on that account. If so, then this would be a false filing, would it not?

I will dig some more there…

In other news, as of this morning the announcement on the lawsuit against the “Does” has been yanked from the press site. Gee Greg, why would that be? Did your lawyer finally catch on to how bad a lawsuit this was on premise alone? Or did he discover that it was just a SLAPP lawsuit to get us all to shut up out here on the “googles” and “internets”?

Give it up Greg, you are trying to outwit the wrong people…

Data from pastebin:

CREATE TABLE `wp_users` (
`ID` bigint(20) unsigned NOT NULL auto_increment,
`user_login` varchar(60) NOT NULL default '',
`user_pass` varchar(64) NOT NULL default '',
`user_nicename` varchar(50) NOT NULL default '',
`user_email` varchar(100) NOT NULL default '',
`user_url` varchar(100) NOT NULL default '',
`user_registered` datetime NOT NULL default '0000-00-00 00:00:00',
`user_activation_key` varchar(60) NOT NULL default '',
`user_status` int(11) NOT NULL default '0',
`display_name` varchar(250) NOT NULL default '',
KEY `user_login_key` (`user_login`),
KEY `user_nicename` (`user_nicename`)
);

INSERT INTO `wp_users` VALUES (1, 'cyberwars', '$P$BGTFSjjJou5/JFXTKb8JtxXRxccSb11', 'admin', '', '', '2010-06-30 19:05:08', '', 0, 'cyberwars');
INSERT INTO `wp_users` VALUES (2, 'no1hacker', '$P$Bm88KqDmeEDtIYfqt4IZBVhUdFVLiA0', 'no1hacker', '', '', '2010-06-30 20:35:06', '', 0, 'TheReferee');

INSERT INTO `wp_users` VALUES (3, 'The Referee', '$P$BEasf7FP77UnO1MtkBhoJLdVShU3UR/', 'the-referee', '', '', '2010-06-30 20:39:15', '', 0, 'The Referee');

INSERT INTO `wp_users` VALUES (4, 'Commenter', '$P$B/I5DTZgY1/QjXDOL2Af3iI8FGHieX1', 'commenter', '', '', '2010-06-30 20:41:19', '', 0, 'Commenter');
INSERT INTO `wp_users` VALUES (5, 'Testing', '$P$BM3g2fwdWmKEAw9CXS5ZS1VUzMsDUF0', 'testing', '', '', '2010-06-30 22:23:08', '', 0, 'Testing');
INSERT INTO `wp_users` VALUES (6, 'cybergeek', '$P$BlT2DJBIzgUzLCJMMOgdpBh87H2iFZ0', 'cybergeek', '', '', '2010-07-01 00:14:03', '', 0, 'cybergeek');
INSERT INTO `wp_users` VALUES (7, 'vlna', '$P$B2Z5T8XY8jsX1QeczYqM3/mga5ouwI1', 'vlna', '', '', '2010-07-01 08:42:56', '', 0, 'vlna');
INSERT INTO `wp_users` VALUES (8, 'Tcooper', '$P$BTR5fbCzPKvRPcpiTVGCvIpsGb0EYv.', 'tcooper', '', '', '2010-07-02 15:17:18', '', 0, 'Tcooper');
INSERT INTO `wp_users` VALUES (9, '2u4uallan', '$P$BhBxDrqmjNw1u9tjzVAbfql3jbroet0', '2u4uallan', '', '', '2010-07-02 15:54:35', '', 0, '2u4uallan');
INSERT INTO `wp_users` VALUES (10, 'independent', '$P$BpVkkRGcgx1atijAbTHHt0lnmAyw8z1', 'independent', '', '', '2010-07-05 16:57:43', '', 0, 'independent');
INSERT INTO `wp_users` VALUES (11, 'Frost Robert', '$P$Bn5DYDqmJoe9UA9SJ7DUGz2uBJswgx0', 'frost-robert', '', '', '2010-07-07 17:17:34', '08YoAN8EjZYYiOScz8Cf', 0, 'Frost Robert');
INSERT INTO `wp_users` VALUES (12, 'Xander Crews', '$P$B5v9aAn5wvIEJXpMRgkJ4lpdGhSV2O.', 'xander-crews', '', '', '2010-07-12 14:05:25', 'SXbzVCilj7Hi2p9QHRxy', 0, 'Xander Crews');
INSERT INTO `wp_users` VALUES (13, 'Johnny', '$P$BP/tMurspBPfdggX7DAczOxEj4oGtb.', 'johnny', '', '', '2010-07-12 15:01:15', '', 0, 'Johnny');
INSERT INTO `wp_users` VALUES (14, 'Johnny S.', '$P$Bx3xGdvAYlKiLaO8Q6.Mei7mXXokwQ/', 'johnny-s', '', '', '2010-07-12 15:04:33', '', 0, 'Johnny S.');
INSERT INTO `wp_users` VALUES (15, 'Starwind', '$P$Bym0JcXOTj4bKS7Zl5qX3Y0qSSJ4ZO0', 'starwind', '', '', '2010-07-12 15:28:46', '', 0, 'Starwind');
INSERT INTO `wp_users` VALUES (16, 'blake7855', '$P$BwRzSzNFBtDvY.uCnyeMw9D.PhO1X31', 'blake7855', '', '', '2010-07-12 20:22:43', '', 0, 'blake7855');
INSERT INTO `wp_users` VALUES (17, 'thewave', '$P$BQzlLUnapo4khBJoML0SPQdzVYncvK0', 'thewave', '', '', '2010-07-13 19:38:40', '', 0, 'thewave');
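A dump like the one above is worth reading programmatically rather than by eye: the `user_registered` column gives a creation timeline (accounts spun up minutes apart are the sock-puppet tell the post is pointing at), and the `user_pass` column tells you how the site protected its passwords. Here is an added example (my own code, not part of the pastebin or this post) that parses wp_users INSERT lines, decodes the phpass “$P$” hash layout to recover the MD5 iteration count, and groups logins by how close together they were registered. The sample rows, logins, salts and timestamps are constructed; only the column layout and the phpass format are real.

```python
import re
from datetime import datetime, timedelta

# Constructed rows in the shape of a WordPress wp_users dump (straight quotes,
# phpass "$P$" hashes). Logins, hashes and timestamps are invented.
SAMPLE_DUMP = """\
INSERT INTO `wp_users` VALUES (1, 'siteowner', '$P$Bsaltone1hashhashhashhashhashha', 'siteowner', '', '', '2010-06-30 19:05:08', '', 0, 'siteowner');
INSERT INTO `wp_users` VALUES (2, 'pr-account', '$P$Bsalttwo2hashhashhashhashhashha', 'pr-account', '', '', '2010-06-30 20:35:06', '', 0, 'TheReferee');
INSERT INTO `wp_users` VALUES (3, 'sock1', '$P$Bsaltthr3hashhashhashhashhashha', 'sock1', '', '', '2010-06-30 20:39:15', '', 0, 'sock1');
INSERT INTO `wp_users` VALUES (4, 'latecomer', '$P$Bsaltfou4hashhashhashhashhashha', 'latecomer', '', '', '2010-07-12 14:05:25', 'abcdefghij0123456789', 0, 'latecomer');
"""

# Column order of the CREATE TABLE `wp_users` statement.
COLUMNS = ["ID", "user_login", "user_pass", "user_nicename", "user_email", "user_url",
           "user_registered", "user_activation_key", "user_status", "display_name"]

ROW_RE = re.compile(r"INSERT INTO `wp_users` VALUES \((.*)\);\s*$")
VALUE_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|(-?\d+)")   # a quoted string or a bare integer
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # phpass alphabet


def parse_rows(dump):
    """Turn each INSERT line into a dict keyed by the wp_users column names."""
    rows = []
    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        values = [int(num) if num else text for text, num in VALUE_RE.findall(m.group(1))]
        if len(values) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns, got {len(values)}: {line}")
        row = dict(zip(COLUMNS, values))
        row["user_registered"] = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def describe_phpass(hashed):
    """Split a phpass portable hash ($P$ or $H$) into cost, salt and digest.

    Fixed layout: 3-char prefix, 1 cost char, 8-char salt, 22-char encoded MD5
    digest (34 chars total). The cost char's index in ITOA64 is log2 of the
    number of MD5 rounds applied.
    """
    if len(hashed) != 34 or hashed[:3] not in ("$P$", "$H$") or hashed[3] not in ITOA64:
        return None
    log2_rounds = ITOA64.index(hashed[3])
    return {"log2_rounds": log2_rounds, "rounds": 1 << log2_rounds,
            "salt": hashed[4:12], "digest": hashed[12:]}


def creation_clusters(rows, window=timedelta(minutes=30)):
    """Group logins whose registration times sit within `window` of the previous one."""
    ordered = sorted(rows, key=lambda r: r["user_registered"])
    clusters, current = [], []
    for row in ordered:
        if current and row["user_registered"] - current[-1]["user_registered"] > window:
            clusters.append(current)
            current = []
        current.append(row)
    if current:
        clusters.append(current)
    return [[r["user_login"] for r in c] for c in clusters]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_DUMP)
    for r in rows:
        print(r["user_login"], r["user_registered"], describe_phpass(r["user_pass"]))
    print(creation_clusters(rows))
```

Two things fall out of running it. Every hash in the real dump starts with `$P$B`, and `B` sits at index 13 of the phpass alphabet, so those passwords were protected by 2^13 = 8192 rounds of salted MD5; a very small amount of work per guess by the standards of even 2010, which is the practical reason a leaked WordPress table is treated as a credential compromise and not just a user list. And clustering on `user_registered` makes the timeline argument in the post mechanical: accounts registered a few minutes apart from one another land in the same group without anyone having to squint at the dates.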

Teresa Clarke:

Facebook Address: 8725 Roswell Rd  Atlanta, GA 30350
Phone: 678-710-9909
There are two listings for a "Teresa Clarke" in Atlanta that match:

Teresa Clarke

33 Nimmons St

Newnan, GA 30263

(770) 502-1411


Teresa Clarke

37 Breedlove Ln

Covington, GA 30014

(678) 342-3445


Written by Krypt3ia

2010/07/15 at 12:48

John Doe #21? Hahahaha Greg YOU SO FUNNY!


So, John Doe #21 aka moi, has been informed through a twitter eruption that I am “named” as a party to a lawsuit by ol’ #LIGATT. Let me first preface my response by saying this:


Ahem, that said, let me say what’s on my mind…

Greg, you are a useless individual and even more useless as a “supposed” security professional. I will not go into the litany of charges against you again, you know them, well, Hell, we all know them now don’t we? Just give it up, the jig is up man!

So, you start posting this “press release” on the internets and you make a YouTube talking about how you are gonna sue us all, but we all know that even “if” you did indeed get some fleabag, ambulance-chasing lawyer to file such a suit, you have to know that you will lose.

Hell, you won’t even “lose” you will be “dismissed” out of hand with a glare from the judge as he sizes you up for some prison oranges. So WTF man? Are you really that deluded?

I guess that question remains to be answered… IF we see any real paperwork come along.. Oh, that’s after you figure out who I am…

Let me give you a hint.. It ain’t hard… You are just so much of a pathetic loser and poser that you can’t even find out what our real names are from the “internets.” Guess that’s way too technical for the n01hacker, huh…

Well, at the very least you have given me a chuckle today…

Now, brass tacks.. You actually file paperwork and you figure out who we all are, welcome to the fun of being at the other end of a counter suit from the EFF and the likes of Ron Kuby.

You will lose, you will lose everything, and in the end.. You will not have that marble bathroom to sit your loser ass in and ponder your next con game.



Written by Krypt3ia

2010/07/12 at 21:35

Posted in LIGATT, What the???

Awww You Guys! You Didn’t Have To Translate Me Into Arabic! Shucks…


So yeah, I get up this morning and check my blog stats and lookit who was in there? I guess the jihadis have decided that they should pay attention to some things being written about them. I wonder if they did the vanity Google or something.

They even took the time to translate the post into Arabic AND French… Oh my.

Hi guys! I SEE YOU!

Keep it up clowns… I just love the traffic to audit.


Written by Krypt3ia

2010/07/12 at 11:36

Getting Into Bed With Robin Sage: The Fallout & The Proof of Concept


So why the pictures of Anna Chapman you ask? Well, because it may well have been Anna on the profile.. The principle is the same.

The Robin Sage Affair:

Recently, the INFOSEC community found itself with its virtual pants around its digital ankles through the machinations of “Robin Sage,” a faux profile created on a number of social networking sites including LinkedIn. The profile sported a goth girl, and the attending personal data claimed that she worked for N8 Naval Warfare Center and was basically the inspiration for Abby Sciuto, a character from NCIS (Naval Criminal Investigative Service) on CBS.

The man behind the profile and the experiment is Thomas Ryan, the co-founder and Managing Partner of Cyber Operations and Threat Intelligence for Provide Security. His idea was to test the social networking process to see if he, by proxy of this profile, could get people to just add Robin without any real vetting. A secondary part of the experiment was to see just how much information could be gathered by the cutout and just how damaging such actions could be to end users who “just click yes” to anyone who wishes to be added.

In the end, within a 28 day period the account harvested not only compromising data (much of the worst from LinkedIn) but also invitations to speak at conferences, job offers, and, I am sure, the odd lascivious offer to “meet.” The byproduct of this experiment in the short term (after her outing, so to speak) is that the Infosec community members who were duped are feeling, well, a bit sheepish right now. After all, these are the people who are supposed to be teaching others how not to get compromised like this. Especially so with a social engineering exploit that worked so knee-jerk well.

Twitter has been abuzz with condemnation, and who knows what’s being said in the halls of power and in the military, since many of the folks who got duped were military operators. All of this though glosses over a pertinent fact for me. One that may in fact be brought out in the talk at Black Hat, but I thought it interesting to write about here: the problem of how humans are wired neurologically and our need to be “social.” We come pre-loaded and are then taught social norms that are, much of the time, counter to secure actions.


It is my contention that human beings are social animals that are wired and trained to be trusting, as well as gullible when a pretty woman says “please add me.” Sure, we can train ourselves to be skeptical and to seek out more information, but, in our society of late it seems that we have lost even more of this capability because we do not teach critical thinking in school as much as rote learning. Of course this is just one aspect of a bigger picture, and I really want to focus on the brain wiring and social training.

As social animals, we “want” to be social (most of us, that is) and long to communicate. After all, that is what the internet is all about lately, huh? Not being actually in the room with people but able to talk/chat with them online in “social networks.” In other cases we are forced to be social in the sense that our lives depend on our social natures. We cooperate with others, we live with others and we depend on others for our safety in numbers, infrastructure continuance, etc. Thus we evolved into tribes, clans, societies, and now it’s going global. All of this is predicated on some modicum of trust in relationships.

Trust relationships though are just one thing. We trust as we walk down the street that the people walking toward us will not whip out a gun and just start shooting at us. We trust that the driver on the other side of the road will not just veer out in front of us for no apparent reason, because that would be counterproductive and not the “norm.” However, these things can and do happen from time to time, yet we do not find ourselves on permanent alert as we walk the streets, because if we were then we would be a wreck. Turning that around, we would then be seen as paranoid and not “normal.”

See where I am going with that?

So, in the sense of online social networks and security, these things are just diametrically opposed. If you want to be social, don’t enter into areas of discourse where your “security” is supposed to be protected. It is akin to walking up to a stranger and telling them your doors at home are unlocked most of the time. Believe me, it happens now and then, but don’t you then start thinking that that person just has something fundamentally wrong with them? It’s the same for any online relationship. Nickerson said it best.. Unless you really know them or have.. “spit roasted” someone with them, then don’t add them or tell them secret things… But.. Then there is that whole trust issue.

We are trusting and want to follow social norms. THIS is why social engineering works so well! We are just wired for it and to change these behaviors really requires training.

Additionally, let’s take into account the hotness factor with this particular experiment. The pictures of “Robin” were obvious to some as being of someone who would NOT have a job at N8 or any facility/group with classified access and responsibilities. I took one look and thought:

“Look at that nip slip and belly shot there on the Facebook.. No way this is a real profile because her clearance would be yanked ASAP”

Others, though, may have looked at those pics and thought “damn, I want to meet her, I will add her and chat her up.” This begs the question of just what the ratio was of men to women who asked to be added or just clicked add on the Robin Sage profile. Were the numbers proportionally higher men to women, I wonder? I actually believe that to be the case. In fact, this is an important thing to take note of, as we are dealing with a very familiar tactic in espionage realms.

“The Swallow” or “Honeytrap”

How many have fallen for the “Russian Secretary” over the years and then been turned into an agent for Russia? The same principle is being used here. The bait is a cute goth chick who happens to work in the very same field you do! A field mind you that is still primarily loaded with guys. So this is just moth to the flame here. It is so common that perhaps we cannot get past our own hard wired brain and sexual drives huh? It will be interesting to see the talk at Black Hat to get the stats.

The Community:

So, once again, those who got spanked by this and are griping now, I say take a long look at the problem. You fell victim to your own programming. You could potentially have not fallen prey to it, and perhaps in the future you won’t, but, take this as a learning experience and move on.

Use this experience to teach others.

Object lesson learned.

Full CSO article HERE


Russian Kulturny: Espionage Old School Meets the New Tech Comrade


But many things shown even in bad movies are unfortunately true: Yes, the Russians like to wear fur hats, drink vodka, eat caviar, take pretty girls to the sauna. And, apart from some modern innovations like ad hoc networks, burst transmissions and steganography, the old proven tradecraft is pretty much the same. It is good and it normally works well (except in cases, when somebody is already being shadowed – then nothing works).

Boris Volodarsky: Former GRU Officer

Los Illegals.. Comrade…

With all of the hubbub over the capture of the illegals, and of course all the rattling on about the “swallow” known as Anna Chapman, one has to cut through the dross to get to the real importance of the story. The fact is, that though the wall has fallen (long ago) and W looked into the “soul” of ol’ Pooty Poot and saw teddy bears and rainbows, the reality of it is that the “Bear” never went away or to sleep.

We are still a target, a rather rich one still, for collection of intelligence as well as corporate IP, as Putin has pointed out in statements he has made over the years. It was Putin who actually said that Russia needed to step up its game in industrial espionage (I am paraphrasing) and created the means to do so within the new FSB *cough* KGB. This type of infiltration in hopes of collection never went away, and I suspect that even with our own dismantling of the HUMINT departments of CIA, we still had a reasonable amount of assets and agents within Russia as they transitioned from the Sov bloc to today’s powerhouse of malware and Russian-Mafia-run state apparatus.

So, while reading all the news sites, it became clear to me that people really do not have a grasp of the realities surrounding the nature of espionage today. Everyone thinks that it’s all shiny technologies and protocols within the hacker scene that the next gen of spies are using, and that old school techniques called “tradecraft” are outdated and useless.

Nope… It’s not just that. This is said rather well here by Boris again:

The public and writers alike do not really realise that this is NOT a film — a very large group of very experienced FBI agents and watchers spent a very considerable sum of taxpayers’ money and plenty of time to uncover a REAL group of the Russian undercover operators who brazenly operated in the United States, as they had been absolutely sure that no one would ever catch them because their education, training, intelligence tradition, and the belief that the wealth of the country behind them is much superior to the FBI. They forgot that the FBI of 2010 is much different from the Bureau of the 1950s.

It is highly likely that these agents were outed by a defector back in the 90’s. The defector was a Directorate S operative who worked within the UN in the NYC area, and it is possible that he gave up the program. The FBI then was tasked with either finding them all blindly, or they had at least one couple in their sights and steadily built their case by watching the illegals to get at their handlers. You see, the same logic applies to the FBI as does the perception of the KGB. The FBI is seen as slow-witted, usually portrayed in the media as the blue sedan with guys in suits and sunglasses inside, watching you ever so unsubtly.

This is not necessarily the case, as has been seen in some areas of the FBI’s counterintelligence unit. They really can do a good job at surveillance and counterintel collection.. They are not the bumpkins they used to be in the 50’s… Nor the 80’s for that matter. Unfortunately though, it really took the Hanssens of the world to force them to be better.. But I digress..

Why Were They Here?

I think that there has been a basic misunderstanding in the press and the populace from reading poor press reports on the nature of the “illegals” program. Yes, they were tasked at times with getting data that could be readily available through open source (OSINT) channels such as the news or Google. However, their main task was to insert themselves into our culture, economy, and social strata in order to get “at” people of interest. Basically they were talent spotters.

These people got on to LinkedIn and other social networks for the exact reason of making friends and gaining access to those who might be “of use” later on for their handlers and masters. They were facilitators really. You see, like the whole Robin Sage affair that is ongoing now, these folks already knew about the vulnerabilities within social networking and the social nature of human beings from the start. They were trained on this by the SVR, and it’s not something that common people tend to think about. This is where the hacker world and the spy world meet (well, they meet in many other places too, but go with it for now). The hackers take advantage of the same flaws in our “systems” (cognitive as well as technical) to get what they want.

In this case, these illegals actually did gain some traction, and some had access to potential sources that, I think, had yet to be plumbed. Perhaps they were getting close to someone and this is what tripped the arrest cycle. Perhaps there are other more arcane reasons for that… As you may be seeing now that there is a prisoner swap with Russia in the works. Once again I direct you to Boris’ comments on their role:

What Russian intelligence is striving to get is secret information (political, economic, industrial, military, etc) and to have a chance to influence decision-making and public opinion in favor of Russia. This is why agents are recruited or penetrated into sensitive or politically important targets.

The role of illegals is threefold:

  1. to act as cut-outs between important sources and the Centre (directly or via the SVR station);
  2. to serve as talent-spotters finding potential candidates for further intelligence cultivation and possible recruitment (a rather long and complex process, where the illegals only act at its early stage); and
  3. to establish the right contacts that would allow other intelligence operators (members of the SVR station) or the Centre (visiting intelligence officers under different covers, journalists, diplomats or scientists tasked by the SVR) to get intelligence information and/or receive favors that the Centre is interested in.

These illegals are really, like I said, facilitators for the real spies that are sent to our shores. They were practiced in the old school tradecraft of spying, and were they not already under surveillance, they may not have been noticed at all by our counterintelligence services. Which brings me to another issue with all the reporting on this espionage round up.

Tradecraft VS High Tech Espionage:

As mentioned by Boris, the tradecraft angle is not only history for the SVR, KGB, or the GRU. In fact, I believe that it is still in play for ALL of the intelligence services throughout the world. These practices are tried and true. They have been used to great effect by all spies and are really only heard about in books, film, or news stories like the ones today when the spies were busted.

Since the days of 007 on the screen, we have seen the Q branch and all their toys as a high profile part of “spying,” when in reality there is some of that (see H. Keith Melton’s books) but mostly, it has been the old school that has won the day for spies. Things like a shortwave radio and a “One Time Pad” are still used today because they cannot easily be broken. The use of rapid burst radio transmissions too was a bit of a shock to me in the current case, but once I thought about it, the use of a rapid burst to a local “rezidentura” makes a lot of sense given the amount of RF we have placed into our landscape today. It would easily be lost in the noise and thus, a good way to go about secret communications.
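The one-time pad point above, as an added Python example that is not part of the original post: the pad is random, as long as the message and used once; XOR is both encrypt and decrypt; for a captured ciphertext every same-length message is an equally valid decryption (so the ciphertext alone tells the watcher nothing); and reusing the pad is exactly what destroys that property. The messages and the fixed demo pad are constructed for the run.

```python
import secrets


def generate_pad(length: int) -> bytes:
    """A fresh pad: truly random bytes, at least as long as the message, never reused."""
    return secrets.token_bytes(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). Refuses a pad shorter than the data."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, pad))


def pad_that_yields(ciphertext: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy made concrete: for ANY candidate plaintext of the same
    length there is a pad that decrypts the ciphertext to it, so the ciphertext
    alone cannot distinguish the real message from any other."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must match the ciphertext length")
    return otp_xor(ciphertext, candidate)


def reuse_residue(c1: bytes, c2: bytes) -> bytes:
    """What a pad reused for two messages leaks: c1 XOR c2 == p1 XOR p2, because
    the pad cancels out. Knowing one plaintext then reveals the other outright,
    which is why the 'one time' rule is the whole security of the scheme."""
    if len(c1) != len(c2):
        raise ValueError("compare equal-length ciphertexts")
    return bytes(a ^ b for a, b in zip(c1, c2))


def demo() -> dict:
    """Constructed messages and a constructed (fixed) pad so the run is repeatable."""
    pad = bytes(range(0x10, 0x10 + 14))  # constructed demo pad; real pads come from generate_pad()
    msg = b"MEET AT 0900 X"
    ct = otp_xor(msg, pad)
    decoy = b"MEET AT 2100 Y"             # same length, equally plausible to an observer
    alt_pad = pad_that_yields(ct, decoy)
    # Failure mode: a second message sent under the same pad.
    msg2 = b"ABORT TONIGHT!"
    ct2 = otp_xor(msg2, pad)
    recovered = otp_xor(reuse_residue(ct, ct2), msg)  # msg known -> msg2 falls out
    return {
        "roundtrip_ok": otp_xor(ct, pad) == msg,
        "decoy_ok": otp_xor(ct, alt_pad) == decoy,
        "reuse_recovers_second": recovered == msg2,
    }


if __name__ == "__main__":
    print(demo())
```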

Meanwhile, the use of “Brush Passes,” “Chalking,” “Pass Phrases” and other old school techniques for communicating and passing intelligence have never lost their usefulness. Just because one can create an email dead drop on Gmail today pretty easily does not imply that it is at all safer than meeting someone on the park bench, or leaving a postal stamp on a kiosk as a marker that “something’s up.” These things hide within the static of everyday life and often, because of “situational awareness” levels, go totally unnoticed. The other means, via the “technology” of today’s internet, is more exposed to scrutiny because of so many factors, one of the primary ones being the hacking and cyberwar issues that are ongoing.

Even today, the news is full of “Perfect Citizen,” an uber protection plan and technology that the NSA wants to use to protect the national infrastructure. How will it do this? By monitoring ALL of the traffic that it can and looking for anomalous behavior. As the technology becomes more prevalent, so too do the chances of your secret communications being discovered. It made sense that, given the NSA’s power, the illegals and the SVR decided that old school was still the best bet. It was, however, the more technical approaches (i.e. netbooks, crypto, and ad hoc networks) that failed them, only proving my hypothesis above.

As an aside to LizzieB, the old bury the money under or near the bottle thing.. It still does work *heh*

The Final Analysis:

Much has yet to be told about these illegals as well as the reasons why this group was busted 10 years later. Why now? Why this sudden trade for spies? What tipped the FBI off to these spies in the first place? Was it indeed the defector I spoke of? We may never know. What we can deduce though, is this:

  • Spies never went away
  • Spies aren’t just stealing IP from corporations
  • Hey you, you with the access to the important people… You are a target
  • Technology does not always win the day, sometimes it is the weakest link
  • We have not seen the last of the SVR, KGB, Mossad, MI5 etc etc…
  • Russian spies do like their vodka and saunas, but they aren’t all Boris and Natasha caricatures

A full text of the cited Boris interview can be found HERE


#LIGATT Listen, Greg, Give Up Already Huh?



Comment sent today 7.7.2010

I don’t know a whole lot about all of this cyber stuff, but I read about Gregory Evans and all I see here is a bunch of people trying to keep this man behind bars. For what reason, I just can’t figure out. Society and its systems are designed to keep offenders of the law down for the rest of their lives. It’s a wonder why the crime rate is so high. Judgmental people push them back into the world of crime because they just won’t let it go. The man paid for his crime, don’t you all think that he is smart enough not to just outright do things that will get him right back where he started. It seems that this man is too smart to do some of the things he is accused of. And if he did all these things, why is he still free? Why don’t all of you who are digging this man’s grave examine yourselves? Who are you? Are you the law? If he’s actually offended you or done you wrong, take it to court.

Greg, may I call you Greg? Look, have a nice hot cup of “shut the fuck up” and listen for once ok?

YOU are not making one whit of difference for anyone out here to sell your case to us.

“It’s over Johnny”

Now, on to your ersatz email here, let’s take it statement by statement, shall we?

I don’t know a whole lot about all of this cyber stuff, but I read about Gregory Evans and all I see here is a bunch of people trying to keep this man behind bars.

Quite true Greg, you don’t know anything really about this “cyber stuff.” You are, by all accounts, a poser and a con man. As for the keeping him (err, I mean YOU) behind bars, if that were true, then you would be in Lompoc now. More to the point though, we are watching you, and given your continued con games, you will be your own undoing. We will just be there to point the law in your direction.

For what reason, I just can’t figure out. Society and its systems are designed to keep offenders of the law down for the rest of their lives. It’s a wonder why the crime rate is so high. Judgmental people push them back into the world of crime because they just won’t let it go. The man paid for his crime, don’t you all think that he is smart enough not to just outright do things that will get him right back where he started

Hmm, trying to take the philosophical/social route here, huh? Well, let’s just put the vagaries of “society” aside and look at the real problem here Greg, and that’s you. You are pretty much saying it all right here. You just made the equivalent of the O.J. confessional book that got yanked from the stands.

“IF I did it, its because all of you all don’t give me a chance!”


As for the being smart enough to not get into trouble again after YOUR first time in prison, the answer is no. You have been shown quite clearly as a charlatan and a con man in all your endeavors with regard to cyber security and your *cough* businesses.

It seems that this man is too smart to do some of the things he is accused of. And if he did all these things, why is he still free?

Greg, really, you are so full of yourself aren’t you? no1hacker heh. Your tools didn’t work, your story is outdated, and your sites have been taken down easily by the kiddies out on the intertubes. What you really have to worry about is the stuff that you haven’t seen Greg, the silent hackers who have pwn3d you with “blackhat shit” as EL said in a podcast recently.

Be afraid.

As to the question of why are you still free? Well, let’s sum up with this.. Your shit was so bad that no one wanted to invest in it to start with, really. Sure, FOX interviewed you and the Air Force “allegedly” had you speak, but really, in the grander scheme of things “security,” you are a non-starter. You really wanted all those contracts with the government and the military, but they saw through you, didn’t they? Or, as it seems now, they are FULLY AWARE of your charlatan-hood now! So, no, there will be no IPO for you.

In shorter, more understandable words for your lacking reading level, let me say it this way…

You are a low end con.. This is why the cops haven’t taken you away… Yet. You are not a priority.

Why don’t all of you who are digging this man’s grave examine yourselves? Who are you? Are you the law? If he’s actually offended you or done you wrong, take it to court.

Well Greg, we do examine ourselves and others’ work. It’s called “peer review.” I know, it’s a hard term for you to grapple with, but I am sure you must have seen it in all of those plagiarized documents that you shoved together and called a “book.” It means that we review each other’s work and we put it to the test. So, in this case, we need not review ourselves.. You are the offender here… On so many levels.

Oh, and as for the taking him to court.. I believe that is already in the works.. As they say… “The subpoena is in the mail!”

Finally, in closing, you think you are so smart, but, you keep doing insanely stupid things… Really, the same IP address? That is unless you want us to believe that your stinky proxy actually works and that people actually not affiliated with you, banging you, being paid by you, or that you have dirt on, are stepping up and siding with your side of this heaping pile of shit?

Just go away Greg…

Written by Krypt3ia

2010/07/07 at 17:43