Archive for September 2010
www.aeoi.org.ir Follow The Emails
With all of the stuxnet he said, she said, I thought I would approach the problem on what is really happening there in Iran by taking the bull by the Maltego. So, I located the aeoi site in Iran and started my digging. Interesting how you can get so much information to start with when you use this tool to footprint people with email addresses there huh?
More later.. Just a taste for now….
CoB
Top 5 ways to destroy a company.. But Will They Sign Off On That?
I watched the BruCON talk Saturday by Chris Nickerson “Top 5 ways to destroy a company” and was surprised at some of the things that were proposed on stage. On the other hand, I can agree with some of what he said too. For years I have lamented much the same thing that Chris did on stage. All too many times you give the client a report after actually finding major vulnerabilities and they either just don’t get it, or, and this is more often the case, don’t seem to care about the findings. You can “root the shit” out of them as Nickerson said, and still, they just look at you and say “So?”
The truth of the matter for me comes down to a few different factors:
- A lack of understanding the results that you present them
- A lack of situational awareness to understand that those same vulnerabilities can lead to dire results when used by a motivated aggressor
- A lack of latitude or perhaps initiative on the part of assessment specialists to flesh out these scenarios within the reports and the meetings to discuss the findings with the client
Nickerson too gets to this and asks:
Well why does that happen?
- What we give them isn’t important. Managers don’t care about shells!
- They don’t care about what we care about!
What do they care about?
- The product line
- The Brand
- The Employees
- The Bottom Line
I would also add “Their own asses” to this list as a fifth because really, what else really motivates an employee (including C levels) is whether or not the decisions that they make will cause great financial loss and in the end, their dismissal. Of course you then face the task of once again getting that horse to the trough to drink, and you know how that usually goes huh? This is where Chris kind of went off the rails for me and I think more than a few people watching the talk. It would seem that the advocating of “destroying” the business would be counterproductive to having a job yourself, once you had performed the magic tricks that he suggests.
Top 5 ways to destroy a company
- Tarnish the brand
- Alter the product
- Attack the employees
- Affect financials directly
- ** Your turn! **
The talk really did not elaborate on the how to do this with regard to getting a company to sign off on this in the first place and then as to how to carry them out, proving the concept without actually causing harm to the company that you are assessing. It has been my experience in the past that if you actually explain cause and effect in a report as well as the meeting, you can get across the real meaning to that shell you have gotten. The problem then becomes whether or not your client “gets it.” You can explain it flawlessly but still not yield the changes that your findings require because those people you just presented your findings to “just don’t care” as Nickerson said. So his premise is quite right. You have to actually hit them where it hurts to get action sometimes. But just how do you do that, get it across to the client, and not get your ass thrown out or arrested for those actions?
The talk goes on to highlight something that actually isn’t so new to intelligence agencies both nation state and other. It’s called “Profiling.” You profile the target, you get to know what makes them tick, and if you are aiming to do them harm, you look for their weak points and then exploit them. This is much the same thing you would do to a computer system, application, or network to attack it. What Chris was saying but not really saying directly, is that you have to take the precepts of “Information Warfare, Guerrilla Warfare, and Intelligence Analysis/Operations” and use them all to profile the target and formulate a plan of attack. By using these techniques (aka footprinting a network say) you apply it to the whole business to determine how you “could” destroy them, or perhaps more to the point, damage them into reactionary actions (and for all intents and purposes in this talk “listening to the security industry”).
The unfortunate thing though that this talk did not cover is that even when you show people you have “access” to something, and you tell them what you “could” do, you still may not get the reaction that you need to get from them to actually fix the problems. This is where the talk breaks down for me because I frankly just don’t see too many assessments happen out there with a “carte blanche” SOW that says you can do anything to them you want. All too often the client wants specific things checked and gives you only small amounts of time for targeted attacks. So sure, you can go change a pdf file of their prospectus, and print one out to show the management, but will presenting that actually change their minds? After all, I still think that human beings are quite bad at determining long term threats like this.
Overall though, Nickerson has it right. Use chained exploits (not in the regular definition you may be used to here) to escalate access and then use the information to show “how” you could affect the supply chain, or the financials of a company. Or, how you could steal certain types of data to sell to competitors, maybe even just how to hold it hostage. The problem is that without actually committing the acts, all too often you come off as a fiction writer in their minds as well as they look at you thinking;
“But, he’s just some uber geek… this won’t happen in real life, I mean we hired these guys because they can do it.. INCONCEIVABLE!”
It all comes down to how you present the data and scenarios to the client that will get them to react… Or not, as the case may always be… Until they are really compromised and by then, it’s too late.
So, where does that leave us? In the same position really, but it behooves us to be better communicators with the clients. We need to be able to perform the following actions in every assessment:
- Profile the business overall, where they are in the market, and their history
- Profile their business model and their product or products
- Profile their request for an assessment by you (why are they doing it? SOX? PCI? or are they interested and engaged)
- Profile the employees and C levels (are they engaged? Do they buy in on security?)
- Formulate scenarios that would cause varying levels of damage (targeting them)
- Meld not only the technical side of things but also look at their processes. If they are lacking there, you are likely to see much more potential for high collateral damage exploits or chained exploits
Unless you can put a whole picture together and then prove it if they actually give you a go ahead, then you are just another technical monkey saying “Look Shells!” as Nickerson put it.
I think that is what he was driving at through all of the ranting…
So, consider this the paradigm change… Consider what you do “Information Warfare” and not just hacking assessments. Perhaps then, once the industry takes that next step to herd the cats, we will see change in the clients understanding of why we find these things and say “You’re fucked!” This is something that has been written about before. Without changes, the security industry will continue to only be as effective as long as those you are working for are already engaged and understand security issues.
CoB
STUXNET: Weaponized Code, Russians, Iranians, Indians, OH MY!
Since July of this year a story has been brewing about “Stuxnet”, the ubiquitous malware that at first seemed to have been targeted at surveillance of SCADA networks and the computers that control them. In the case of these two particular versions of the malware, the twist has been that since August, the decompiles have begun to show that not only were these two variants attempting to gather data, but they also hosted code that led us to believe that sabotage was also a function programmed into them.
The INFOSEC community of late has been abuzz with the usual shouts and murmurs from all sides. Those who don’t care, those who think it’s all just hype, and those who are more likely quietly marveling at the audacity of this malware’s coders’ chutzpah. I personally think that if these sources who have decompiled the code are valid, then the real aegis of this weaponized code had a specific set of purposes.
- Limited propagation
- Surveillance capacities
- Code changes on the fly
- Stealth
- Directed sabotage at internal targets of choice once a bit was flipped
Now, was this a directed attack at say Iran? Well, the data seems to point in the direction of not only that but also of other countries like Indonesia and India as well… This is all predicated though on whose data you are looking at where infection rates are involved. The consensus though data wise seems to point at higher infection rates in those aforementioned countries. What do they all have in common?
They all have signed deals with Russia for assistance with their Nuclear programs (non aggressive of course) so they have this common denominator. One wonders what other commonalities they might have? The interesting thing is for me though, that if indeed this was weaponized code for a specific purpose (and the timing of the release and infections coincide with Iran’s Natanz facilities attempt at refining… which failed mysteriously) it did by all accounts seem to have done what it was supposed to do.. Until it became a target for AV.
Test/Proof of Concept?:
Now, since I do not have the code in front of me and I am relying on the scant data out there, I am going to have to speculate a bit here so bear with me. First off, could this have been a proof of concept? Well, I suppose it could have been, but, one would likely have tested this in a secure environment to see, but, how many of us out there have our own SCADA systems to work with? I would have to lean then toward an actual project that was planned out, and coded to be released into the wild for specific purposes. The thing about it though, as with any code that you put out there, there may be unintended side effects that negate the primary functions and protections created within the malware that allow for its detection and downfall. In this case, perhaps the window of time that was needed was in fact satisfied and the code hit its mark before the AV clients could stop it.. Thus I go back to Iran and the Natanz facility… You see, at that very point in time the pressure was on up to and perhaps beyond a very real air strike by Israel on the facility to prevent Iran from having the ability to enrich Uranium at all. It would seem though, that this attack (if indeed it was one) only set them back some time.
Actual “Cyber” Attack?:
Which brings me to the political motivations here. At the time of the release/detection of this malware there was a lot of worry about Iran and its nuclear capabilities as I mentioned above. A release of weaponized code that, if not detected right away, was coded so as to NOT be easily traced back to any one author (nation state or other) would do the job that needed to be done without the use of heavy bombs that likely, would not have done much damage to the Natanz facility. This type of attack would also not have the blowback that an air strike would have for the whole region, never mind the U.S. Imagine the tensions that would have arisen had Israel gone in and bombed the facility? Yeah, not so good, so this was a much cleaner way to perhaps take out their SCADA and put them back a bit.. Perhaps even give the U.S. more time to use more carrot and stick (mostly stick please) against the Iranian regime?
Sanctions anyone?
Frankly, Stuxnet, even with its failure on the level of detection and all the fallout now, is still a “win/win” in my book.. And I am sure it is too to the boys in Fort Meade.
State Actors or SPECTRE?:
Ok, so you really kind of know where my head is on all this. The naysayers out there will get on me as a “conspiracy theorist” and for the record, yes… I am. But, conspiracies exist and have been shown to be even more outlandish than you could possibly imagine at times. So, I can buy into a nation state making a series of weaponized code to perform specific action sanctioned at the highest levels to stop something that would offset the balance of power within a very unstable region. A region I might remind one and all, filled with theocratic regimes that seem quite happy with the idea of going to their Gods and taking everyone else with them.
Yes… I can see this as a tip of the spear action.
What else would it be? Can you see yourself actually thinking that it was in fact the Russian mob that put this together? How about those crazy jihadists out there trying to start their “cyberjihad” movements?
Me neither… Nope, this screams nation state… Just whose, one has to wonder. I find it really interesting though that the C&C servers were in Malaysia and points “Mos Eisley” What better place to have C&C’s huh?
The Mechanics:
Stuxnet was primarily transmitted by USB, but also reached out via NetBIOS shares. This is an interesting method of infection for a few reasons to attack SCADA networks. You see, SCADA is supposed to be “air gapped” but, as you all know, all too often this is not the case. Often one will find an internet facing device that has network connectivity to SCADA networks and voilà, you have an Internet facing SCADA system potentially. By using the dual approach of USB infection and propagation as well as active network share detection/infection, the coders got the leverage they needed to propagate within a supposed air gapped network AND to get their C&C to work in the most effective P2P means of update and exfiltration of data.
It is the surmise of more than a few, that an infected USB drive was the initial infection vector.. I would put it forth further that if my theory is correct, a USB stick was the vector, but, that stick was more than one. I believe that perhaps this malware was hidden within a distro that perhaps a Russian company has on their internal servers somewhere that is common to all systems that they design and implement for the customers..
Customers like Iran, Indonesia, and India…
It would be interesting to see if any of those Russian companies that are in fact working on those projects have had a lot of the malware issues surrounding Stuxnet infections. From the data I saw, Russia too was hit rather hard by this infection. Interesting no?
Of course, I hear you all out there.. “But it hit the US too! and Russia is not helping us with our nuclear facilities!” Ok, yes, I would agree with that. However, because the propagation of the malware included ANY USB stick put into an infected system, it is highly likely that it could have crossed onto networks via stick to share, and share to share from VPN access and the like. An alternate view could be put out there too, that a mass release would also lend a certain “cloudiness” to the whole picture as to who did it. Some plausible deniability if you like. I rather like that idea as the solution too because the malware seems to have been very specifically targeted to a Siemens system.
As well, I have yet to hear of any major damage to any systems out there in the US and other areas that would talk about it… The one hold out is Iran… Go figure.
Digital DNA:
Lastly, I will leave you all with the fact that in the end, once the malware has been parsed, poked, and prodded, the digital DNA might in fact shed some light on a coder.. Or “coders” However, I think that this is rather likely to be a dead end as this thing would seem to have had much thought put into it as well as the effort.
Time will tell.
But here’s my two cents… Iran ain’t makin any enriched U235 right now is it?
EDIT: You can download the unpacked code HERE; email me for the password.
CoB
Sherlock: The Reboot by Steve Moffat
I recently happened upon BBC’s “Sherlock” and I have to say I am very happy to have gotten access to it before BBC America deigns to air it at the end of October. The premise is that Sherlock Holmes is plying his trade today, BAM, just that: no background history, no mention of deerstalker caps and pipes. Watson, Lestrade, and of course Mrs. Hudson all are there and their roles are completely updated to today’s time.
John Watson, a doctor recently returned from Afghanistan, has psychological trauma. It seems that he has been shot, has a limp and a cane, and the night sweats about his time in country. He happens upon an old friend who says that he has another “friend” looking for a flat mate. He brings Watson to the crime lab and within minutes is being deductively sussed out by Holmes.. and he is intrigued.. and hooked.
The plot lines move fast as does the dialog in this well written and novel approach to rebooting the mythos of Sherlock Holmes. The first episode plays out the characters well and gives a new old twist to the Holmes character by bringing out all of the things that were there but never spoken of in the original Holmes stories..
- Holmes is allegedly gay and there is a running chuckle as everyone assumes that Watson is Holmes’ new boyfriend
- Holmes is said to be a psychotic or sociopath who gets off on the murders. However Holmes says it best “I am a highly functioning sociopath”
- Holmes’ addictions take root in more than just drugs (he has 3 nicotine patches on at one point “to think better” with)
All in all this series so far (only seen ep 1 so far but have all three) feels a lot like Jekyll. It has a great pace and a new gritty feel about it that makes me love it all the more. If you get the chance catch it on BBC America Oct 24th!
CoB
Cyber Jihad: Malaysia and Indonesia
Just a couple weeks ago, a paper was put out by the Bipartisan Policy Center that looked back at where we were on 9/11 and how far we have come with regard to dealing with terrorism. The paper did not really have a wholly heartening tenor and in fact pointed to some new areas of concern. One of the areas of concern was Asia and Jihad. As coincidence would have it, I just stumbled onto a new site that has been set up by an Indonesian group and has connections to the Ansar boys via our old pal Ansar007, or is it now al-ansar007? Or how about irhabi007 redux, a new player with an old name who is trying to emulate Younis Tsouli?
The site in question is cyberjihad.org and it was started in July:
Domain ID:D159760330-LROR
Domain Name:CYBERJIHAD.ORG
Created On:28-Jul-2010 04:19:08 UTC
Last Updated On:18-Sep-2010 07:57:42 UTC
Expiration Date:28-Jul-2013 04:19:08 UTC
Sponsoring Registrar:Melbourne IT, Ltd (R52-LROR)
Status:TRANSFER PROHIBITED
Registrant ID:D128027988480526
Registrant Name:cyberjihad
Registrant Organization:cyberjihad
Registrant Street1:2804 S. Lincoln Ave
Registrant Street2:
Registrant Street3:
Registrant City:Sioux Falls
Registrant State/Province:SD
Registrant Postal Code:57105
Registrant Country:US
Registrant Phone:+1.6059884611
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:alexisricci@yahoo.com
Admin ID:D128027988480523
Admin Name:Alexis Ricci
Admin Organization:cyberjihad
Admin Street1:2804 S. Lincoln Ave
Admin Street2:
Admin Street3:
Admin City:Sioux Falls
Admin State/Province:SD
Admin Postal Code:57105
Admin Country:US
Admin Phone:+1.6059884611
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:alexisricci@yahoo.com
Tech ID:D128027988480525
Tech Name:YahooDomains TechContact
Tech Organization:Yahoo! Inc
Tech Street1:701 First Ave.
Tech Street2:
Tech Street3:
Tech City:Sunnyvale
Tech State/Province:CA
Tech Postal Code:94089
Tech Country:US
Tech Phone:+1.4089162124
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:domain.tech@yahoo-inc.com
Name Server:NS2469.HOSTGATOR.COM
Name Server:NS2470.HOSTGATOR.COM
The site sits on a server in Houston:
NetRange: 174.120.0.0 - 174.123.255.255
CIDR: 174.120.0.0/14
OriginAS: AS36420, AS30315, AS13749, AS21844
NetName: NETBLK-THEPLANET-BLK-16
NetHandle: NET-174-120-0-0-1
Parent: NET-174-0-0-0-0
NetType: Direct Allocation
NameServer: NS2.THEPLANET.COM
NameServer: NS1.THEPLANET.COM
RegDate: 2009-03-23
Updated: 2009-03-23
Ref: http://whois.arin.net/rest/net/NET-174-120-0-0-1
OrgName: ThePlanet.com Internet Services, Inc.
OrgId: TPCM
Address: 315 Capitol
Address: Suite 205
City: Houston
StateProv: TX
PostalCode: 77002
Country: US
RegDate: 1999-08-31
Updated: 2008-05-20
Ref: http://whois.arin.net/rest/org/TPCM
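Records like the registrar and ARIN output above are just “Key:Value” lines, and the useful first pass on them (which contacts share a phone or email, which name servers are in play, whether the hosting IP really sits inside the block the ARIN entry claims) is easy to script rather than eyeball. The following is an added example, not code from the original post; it parses constructed records laid out the same way as those above (contact details, domain, IPs and AS numbers here are placeholders, not the values from the post) and works for the same contact-data style as the Majahden admin records further down.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records in the "Key:Value" layout of the registrar and
# ARIN output quoted above. Every value here is a placeholder.
REGISTRAR_RECORD = """\
Domain ID:D000000000-LROR
Domain Name:EXAMPLE.ORG
Created On:28-Jul-2010 04:19:08 UTC
Sponsoring Registrar:Example Registrar, Ltd (R00-LROR)
Status:TRANSFER PROHIBITED
Registrant Name:Example Registrant
Registrant Street1:1 Example Street
Registrant Street2:
Registrant State/Province:XX
Registrant Country:US
Registrant Phone:+1.5550100
Registrant Email:registrant@example.org
Admin Name:Example Admin
Admin Phone:+1.5550100
Admin Email:admin@example.org
Tech Name:Example Tech
Tech Email:tech@example.net
Name Server:NS1.EXAMPLE-HOST.COM
Name Server:NS2.EXAMPLE-HOST.COM
"""

ARIN_RECORD = """\
NetRange: 198.51.100.0 - 198.51.100.255
CIDR: 198.51.100.0/24
OriginAS: AS64496, AS64497
NetName: EXAMPLE-NET
NetType: Direct Allocation
OrgName: Example Hosting, Inc.
Country: US
"""

ROLES = ("Registrant", "Admin", "Tech")


def parse_kv_record(text):
    """Parse 'Key:Value' / 'Key: Value' lines into {key: [values]}.

    Repeated keys (several 'Name Server' lines) are kept in order; empty
    values such as 'Registrant Street2:' are dropped. Only the first colon
    splits, so timestamps and URLs in the value survive intact.
    """
    fields = defaultdict(list)
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            fields[key].append(value)
    return dict(fields)


def contacts(fields):
    """Group 'Registrant X' / 'Admin X' / 'Tech X' keys by role."""
    out = {role: {} for role in ROLES}
    for key, values in fields.items():
        role, _, attr = key.partition(" ")
        if role in ROLES and attr:
            out[role][attr] = values[0]
    return out


def shared_values(cont):
    """Attribute values reused across contact roles, e.g. one phone number
    entered for every contact, which is what a boilerplate or borrowed
    identity tends to look like."""
    seen = defaultdict(set)
    for role, attrs in cont.items():
        for attr, value in attrs.items():
            seen[(attr, value)].add(role)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def ip_in_netrange(ip, arin_fields):
    """True if ip falls inside the CIDR the ARIN record advertises."""
    net = ipaddress.ip_network(arin_fields["CIDR"][0], strict=False)
    return ipaddress.ip_address(ip) in net


def origin_asns(arin_fields):
    """Split the comma-separated OriginAS line into a list of AS numbers."""
    raw = arin_fields.get("OriginAS", [""])[0]
    return [a.strip() for a in raw.split(",") if a.strip()]


if __name__ == "__main__":
    reg = parse_kv_record(REGISTRAR_RECORD)
    print("name servers:", reg["Name Server"])
    print("shared across roles:", shared_values(contacts(reg)))
    arin = parse_kv_record(ARIN_RECORD)
    print("ASNs:", origin_asns(arin), "in range:", ip_in_netrange("198.51.100.42", arin))
```

The role grouping relies on the registrar’s habit of prefixing each contact field with Registrant, Admin or Tech; records from other registrars use different prefixes and would need the `ROLES` tuple adjusted.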
The data from the whois turns up a name, email address and phone for one Alexis Ricci, which when put into Maltego gets the following hits:
Which in turn gives a hit on an SBCglobal address that puts this person in Texas, not in South Dakota… The phone number that is listed in the WHOIS comes up in databases as a cell phone, but that is about all I am getting at the present time without actually spending money on a backtrace of the number. I suppose I could call it… In the end, I am pretty sure that this is just some hacked data that they used to enter the whois data and set up the site. It would be interesting though to see who and how this domain was paid for. A Google map of the address does put it in a residential neighborhood and in fact there is a house there… More can be done on this but I think it’s just a red herring.
Anyway,
The site as I said is new, and now has 157 members… All of which I have enumerated because the site is poorly constructed security wise. One can just poll the php tree by ticking a number into the php=? area of the url. Here are some examples of the kiddies!
I have them all now, and many of them were kind enough to give not only email addresses, but also their websites as well as one poor bastard actually used his REAL photo in his! Yeah, hi there, the Indonesian security forces will be coming to see you soon! There is a lot there to wade through with Maltego, but eventually I will have it all collated and post the results on each and every member.
THANKS PHP!
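The weakness described above, a member profile reachable by stepping a numeric parameter in the URL, is exactly the kind of thing a site owner can spot in the access log: one client walking an id parameter one value at a time in a short window looks nothing like a normal visitor. The following detector is an added example, not code from the post or from the site in question; it runs over constructed Apache combined-log lines (IPs, paths and the `id` parameter name are assumptions) and flags clients that request many distinct, consecutive ids within a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from the post). 203.0.113.5 walks the
# id parameter value by value; 198.51.100.7 behaves like an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Sep/2010:10:00:01 +0000] "GET /member.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Sep/2010:10:00:02 +0000] "GET /member.php?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Sep/2010:10:00:03 +0000] "GET /member.php?id=3 HTTP/1.1" 200 530 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Sep/2010:10:00:03 +0000] "GET /member.php?id=57 HTTP/1.1" 200 530 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Sep/2010:10:00:04 +0000] "GET /member.php?id=3 HTTP/1.1" 200 530 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Sep/2010:10:00:05 +0000] "GET /member.php?id=4 HTTP/1.1" 200 501 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Sep/2010:10:00:06 +0000] "GET /member.php?id=5 HTTP/1.1" 200 515 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Sep/2010:10:00:07 +0000] "GET /member.php?id=6 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Sep/2010:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Sep/2010:10:05:30 +0000] "GET /member.php?id=58 HTTP/1.1" 200 522 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return {ip, ts, url, status} for a combined-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "url": m["url"],
        "status": int(m["status"]),
    }


def id_from_query(url, param="id"):
    """Integer value of the given query parameter, or None if absent/non-numeric."""
    value = parse_qs(urlsplit(url).query).get(param, [None])[0]
    return int(value) if value and value.isdigit() else None


def detect_enumeration(log_text, param="id", window_s=60, min_distinct=5, min_run=3):
    """Flag client IPs that requested >= min_distinct distinct ids inside any
    window_s-second window AND had a run of >= min_run ids stepping by one."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ident = id_from_query(rec["url"], param)
        if ident is not None:
            per_ip[rec["ip"]].append((rec["ts"], ident, rec["status"]))

    findings = {}
    for ip, events in per_ip.items():
        events.sort()
        # peak number of distinct ids seen in any window_s-second window
        peak = 0
        for i, (t0, _, _) in enumerate(events):
            ids = {e[1] for e in events[i:] if (e[0] - t0).total_seconds() <= window_s}
            peak = max(peak, len(ids))
        # longest run of ids increasing by exactly one in request order
        run = best = 1
        for (_, a, _), (_, b, _) in zip(events, events[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if peak >= min_distinct and best >= min_run:
            findings[ip] = {"distinct_in_window": peak, "longest_run": best,
                            "requests": len(events)}
    return findings


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info}")
```

The window and run thresholds are deliberately conservative defaults; the real fix for the site is an authorisation check on the profile handler, and this only tells you how often someone has already walked the ids.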
Now, on to the whole connections thing and import here. This site, while crude, is just a hint of the movement that has been happening in the Asia area for some time now. As you may recall, some of the 19 hijackers had meetings in Malaysia and Indonesia before they actually started the operation. Malaysia in fact, is the host country to many of the Jihadi sites on the net now and I suspect that is not only because of the sympathetic groups there, but also the lax computer law in the countries that they reside in. Piradius net has been one of the bigger sites and in this case the site is actually not there, which is a surprise of sorts.
The members of this site also have been active in hacking and defacing sites. Some, like Karkoon above, also have Facebook pages and connections to their other hacking sites. It would seem that at best, these guys are just capable of page defacements and not much else. However, the ranks have grown quickly and in fact, with the connections to Ansar (at least one of the members here I have seen before and is in Palestine) could be another arm of the Jihad online. If they got direction and support from the others on similar jihadi sites, then they could be another fly in our collective ointment… That is, once they learn more than just page defacing.
Another thing to note here is that Asian connection again. So far the general populace and the news really haven’t gotten it into their heads yet that the Malay and Indonesian (Asiatics) are also a group to be on the look out for with regard to up and coming jihad movements. What if cells of new Asian Muslim Jihadists start to make inroads at the behest of AQ?
Something to think about…
What also, if these guys are reaching out to the likes of the Baltic jihadis too? Yep.. I have seen traffic… It’s a nightmare of data….
I will continue the sifting and point out the interesting bits…
CoB
Al-Faloja SNA Mapping
SNA Map from 1.1.2020 to 9.8.2010 of posters on Al-Faloja
Larger version HERE
So, I recently was granted access to a project at a major university that is tracking dark web activity. This SNA (Social Network Association) map, while messy at this level, gives up a lot of data on who the big talkers are. With this data, I am able to fine tune my efforts on locating each and every one of them down to email addresses and connections outside of the dark web. I am just beginning to play….
More soon.
CoB
The ersatz tarek_bin_ziad_army: Alleged Creator of “Here You Have” Virus
Since this virus/malware “here you have” has made the mainstream news feeds, I thought it an interesting experiment to see what I could see with Maltego and Google on this character. The malware evidently had a sig in it that had the email Iraq_resistance@yahoo.com in it, so plugging that into Maltego I came up with some related email addresses. Extrapolating further the searches also came up with an interesting website hit that our boy had posted to. Google however came up with more data that led in a different direction and a new email address that eventually gave up the tarek_bin_ziad_army name/account that I think this guy was planning on using to create a Yahoo group. So far though, he has no group out there that I could find.
He did post this little missive though on another islamist site laying down the goals for his organization…
By plugging in the tarek_bin_ziad_army name as a “phrase” into Maltego I was able to come up with the email address I believe he is going to be using to start the yahoo group: tarek_bin_ziad_army@yahoo.com. This yielded some ancillary email addresses that he has chatted with on certain sites that include the thabet3000@gmail.com —> r_5@live.com which relates to a hacker who has been defacing pages from the Arab hackers network.
In all, the guy who is alleged to have had a hand in creating the “now you have” bug has been around the Islamic jihad and Arab hacking scene since around 2006-2006. At first he was asking around for coders to make malware for jihad.. Now, he has been posting less under these accounts.. In fact he really hasn’t posted all that much under it or Iraq_Resistance (his usual handle). Most of what I have found is he signs up for boards and then posts nothing. No real user data either so he is being mostly smart about it. He certainly doesn’t have the panache of Dr.Kasber…
All in all, this guy is more an annoyance than anything else from what I am able to see. However, given time and perhaps fame from this particular bug and the news cycle’s “Electronic JIHAD!!!” he may get more traction. Let’s see though if he sets up the site and if he gets some takers on that. I will continue looking into him… Let’s see what he does next.
CoB
Majahden Site Admin Naif Almutairi AKA Dr.KaSBeR
The Majahden forums that include all of its various online incarnations have admin contact data of:
Dr.KAsBeR Naif Almutairi ()
Fax:
P.O. Box 111
Gaza, GAZZ 222/222
SA
Administrative Contact:
Dr.KAsBeR Naif Almutairi (Dr.KAsBeR@gmail.com)
+966.599060184
Fax: .599060184
P.O. Box 111
Gaza, GAZZ 222/222
SA
Technical Contact:
Dr.KAsBeR Naif Almutairi (Dr.KAsBeR@gmail.com)
+966.599060184
Fax: .599060184
P.O. Box 111
Gaza, GAZZ 222/222
SA
The IP address of the site sits in Pennsylvania 173.212.206.171 at HOSTNOC. By using Maltego, I was able to put together a better picture of Dr. Kasber/Naif Almutairi above and with the help of Google searches have come up with more data:
Naif S ALmutairi
166a jnb albet
Riyadh
11911
SA
Phone: +966.559855166
Email Address:
dr.kasber@gmail.com
e2o@hotmail.com
naifa@hotmail.com
almutairin@gmail.com
naifalmutairi@hotmail.com
almutairi.naif@gmail.com
Naif/Kasber has been an active little hacker and coder too. Googling has produced quite a bit of hits on pages that he and a group of his merry defacers have hacked on Zone-H as well as some interesting hits on coder sites like MSN where he has worked on some programs for messenger and such.
He also has a Facebook page with 62 interesting friends!
It remains to be seen whether or not this Naif persona is just that, but, here is what I know about our boy Naif/Kasber
- He speaks and writes in English very well
- He’s a coder
- He’s a hacker/defacer working with several different “groups” of Middle Eastern hackers
- He has made some software that he has pimped in different places
- Lastly, he is I believe, known as “Admin” at the Majahden forums.
I will keep working on aggregating more data on Naif, but this is what I have from a night’s searches… How is it then that no one has pinched him yet if any of this data is at all real?
One wonders…
CoB