Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for January 2011

Emerson Begolly AKA Asad’ullah Alshishani Arrested After Biting Feds



A couple of weeks ago I had a tip on Emerson's online persona and did a little digging. What I found was that this kid seemed not only to be well on his way to radicalization, but also likely to have been mentally unstable to start with. It seems now, post-arrest and from the reporting the media is doing, that indeed Emerson needs some serious psychiatric help. One has to wonder just how much upbringing was at play here, as well as perhaps some chemical imbalance, that brought him to this place. It seems from reports that his father was dressing him in Nazi SS uniforms and taking pictures of him, and that is just not right in the head in my book.

At any rate, Emerson is now in lockup but may go free, as the FBI and the Justice Department have to make a real case against him. It seems that his postings and commentary online are not enough to warrant an arrest, and I agree with that. There must be more concrete data on him to warrant charging him with anything other than perhaps the weapons charge (no mention as yet of whether he had a CCW for the 9mm), biting a Federal officer, and impeding a Federal investigation. However, I can see a play to be made here that he presents a danger to the community and should at least be observed in a psychiatric facility for 72 hours.

Inevitably though, you can see from his online posts that he was looking not only to sing the nasheeds but also, in his mind, to become a martyr. I wonder if, once the Feds look at his computers, they will actually find some emails with solid jihadists. He was after all posting to the big boards for some time; in fact, he was vocal enough (very chatty) to show up on the DarkNet project's social networking graphs as a large talker. So I am willing to hazard a bet that he has been in touch with some folks who may have been feeding his mental state toward the dark side.

Time will tell, but I am glad that at present he is at least being seriously looked at, and perhaps being removed from a situation where he could take his AK-47 and do some damage somewhere, say at Penn State.

CoB

Written by Krypt3ia

2011/01/07 at 14:19

Anonymous Fallacies: To LOIC or Not To LOIC, That is the Question


BY ANONYMOUS ON THE 9TH OF DEC 2010 08:01:14 PM

Educate: Operation Payback
1)      http://twitter.com/op_payback
2)      http://anonnet.org/
3)      http://www.youtube.com/watch?v=kZNDV4hGUGw
4)      http://www.mediaite.com/online/anonymous-posts-video-message-describing-their-mission-in-defense-of-wikileaks/

Jester(Robin Jackson) Information
1)      http://svc.mt.gov/gsd/onestop/upload/UEFRFI.doc (Government Document)
2)      http://helenair.com/news/article_8e648ac0-fddd-11df-9d90-001cc4c03286.html (press article with a photo of him)
3)      http://twitter.com/th3j35t3r (Jesters twitter)
4)      http://dc406.com/ (Registered by robin jackson and has the jester poker on the left)

Participate: LOIC || IRC [See Caught: Warning and Escape for further information]
1)      http://pastehtml.com/view/1c8i33u.html [download LOIC/discuss IRC]
2)      NO TARGET [target LOIC]

Participate: Wikileaks Insurance
1)      http://utorrent.com [download Bittorrent]
2)      http://torrentfreak.com/how-to-encrypt-bittorrent-traffic/ [encrypt traffic]
3)      http://peerblock.com [block dangerous IPs]
4)      http://thepiratebay.org/torrent/5723136/WikiLeaks_insurance  [download the file]

Participate: Expose the Fiction
1)      http://img23.imageshack.us/img23/4958/1291867745327.jpg
2)      http://img143.imageshack.us/img143/4684/1291862911917.jpg

Participate: Expose the Truth
1)      http://www.wikihow.com/Google-Bomb [Keyword: Operation Payback]
2)      http://www.time.com/time/specials/packages/article/0,28804,2028734_2028733_2028727,00.html [vote @ 98, revote with InPrivate Browsing]
3)      http://i54.tinypic.com/30jij2q.png [Facebook Avatar]

Participate: Other Tools
1)      http://www.techpavan.com/2009/08/17/what-black-fax-black-fax-attack-why-how-to-do-black-fax/ [Target: Unknown]
2)      http://atdhe.net/watch-bbc-news.php [Enjoy the lulz]

Clean Up: Protect Yourself
1)      http://www.piriform.com/ccleaner/download [download CCleaner]
2)      Tools > Driver Wiper > Select Drive > Wipe Free Space > Gutman (35) > Wipe
3)      http://www.truecrypt.org/ [download TrueCrypt]
4)      Select Drive > Encrypt
5)      http://www.aboutcookies.org/Default.aspx?page=2 [delete browsing cookies]
6)      http://lifehacker.com/5530828/start-any-browser-in-private-browsing-mode [launch as InPrivate Browsing]
7)      http://techpp.com/2009/07/09/top-5-free-vpn-clients/ [download VPN service]
8)      Set wireless network to unsecured or WAP to claim you were hacked if v&

Caught: Warning and Escape
1)      DO NOT PROXY. It will affect the proxy, not the target. That’s why you use VPN.
2)      DO NOT attack on a school, work, or company owned network; your traffic is heavily monitored. You will get caught.
3)      DO NOT attack by yourself or in small numbers, you will get caught. While in larger numbers, it's minimal if non-existent, and if server goes down it's impossible to recover corrupt data on who attacked.
4)      DO NOT “bot net” it is illegal. DDoS with LOIC is legal, however.
5)      CHANGE your MAC IP after destroying the internets, or risk having your e-mail MAC IP traced back.
6)      If you are v& (vanned) declare you had no participation in this event. Note you are using a dynamic IP address and that many different people use it, because it’s dynamic. If they prove that it was yours, then tell them you are a victim of a “botnet virus” that you had no control or knowledge of. Additionally if you set your wireless to unsecured or WAP prior to LOIC you can claim someone hacked your wireless. Case closed.

I found this on pastebin today and after reading through it, I have to reconsider the idea that there is a core group of competent hacker types running the show at Anonymous. What really caught my eye is the "Caught: Warning and Escape" section above, the admonition about "if you get caught." This is the most egregious set of instructions that I have ever seen and will only serve to land those of the "hive mind" in courts across the globe with a fair chance of getting truly buggered.

Let me take it point by point here:

1)      DO NOT PROXY. It will affect the proxy, not the target. That’s why you use VPN.

VPN? VPN? WTF? What VPN are you talking about there, skippy? If you use a VPN, then you are concentrating the traffic onto a single exit IP, which makes it just as easy to track. Which brings me back to "what VPN?" Do you have a service somewhere? Usually you only see VPNs used in companies, or personally, for secure access to systems behind firewalls.

Now, on the other side of this, umm yeah, proxying the traffic for the LOIC makes sense and should have been used. As far as I have seen, the LOIC is just a glorified F5 key script. If you proxy, then you will just be polling a site via the proxy (hopefully one without logging) on port 80 (HTTP). So there may be more traffic on the nodes of whatever proxy you use, but the traffic should get there if the proxy is robust enough.

2)      DO NOT attack on a school, work, or company owned network; your traffic is heavily monitored. You will get caught.

Ehhhhh, depends on the company or school, doesn't it? I mean, many colleges are still lacking in controls over their Internet traffic. However, I would say that they are right, unless the traffic were VPN'd to a proxy outside. Then you would have something.

3)      DO NOT attack by yourself or in small numbers, you will get caught. While in larger numbers, it's minimal if non-existent, and if server goes down it's impossible to recover corrupt data on who attacked.

Say what? No matter the volume of users, if the systems at the receiving end are configured properly and able to log the traffic, then ALL of your IPs will be logged! As I suspect you will all soon find out after the Feds have audited those seized servers and the logs from those who got DDoS'd.

4)      DO NOT “bot net” it is illegal. DDoS with LOIC is legal, however.

BAAAHAHAHAHAHAHAHAHAHAHAHAHAHAHHAHAHAHAHAHAHAHAHAHAHAHAHHA! Ok kids, Law 101 here. If you PARTICIPATE in a DDoS, no matter whether you use LOIC or a botnet, you ARE in fact COMPLICIT in an act that is against the law. You don't get any extra points for the motive or the method of attack. This is especially true when you use a tool that does NOT obfuscate your IP address as you perform it. Whoever collaboratively wrote these do's and don'ts is culpable in your crimes too... as well as for the crime of stupidity.

5)      CHANGE your MAC IP after destroying the internets, or risk having your e-mail MAC IP traced back.

WTF? Your "MAC IP"? Would you perhaps mean your MAC address, as well as your IP address? Ya know, the IP address that you are not masking at all when you use LOIC to "destroy the internets"? OMFG, here's the "internets" manual, RTFM please! This is even below skiddie level.

6)      If you are v& (vanned) declare you had no participation in this event. Note you are using a dynamic IP address and that many different people use it, because it’s dynamic. If they prove that it was yours, then tell them you are a victim of a “botnet virus” that you had no control or knowledge of. Additionally if you set your wireless to unsecured or WAP prior to LOIC you can claim someone hacked your wireless. Case closed.

Once again, you have no real grasp of how the Internet works do you? Let me break it down for you…

A) Dynamic IP addresses do change, but they tend to remain the same for a user for a long time. Depending on the lease time set by the ISP, you could have the same one for days. So saying that you are on a dynamic IP is pointless.

B) Any dynamic IP is going to be logged, along with which account held that IP address during that session!

C) Yeah, claiming there was a botnet malware package installed on your PC will do no good unless you actually do that yourself before you do all of this... and even THEN it is forensically easy to tell that you installed it along with LOIC. Any way you slice it, unless you physically smash your machine, or fully encrypt it with something like TrueCrypt AND shut it off before the Feds knock your door down... you are fucked.

D) The unsecured wifi argument can work, but I will go back to the forensics argument again... we can see you. You lose.

In the end, this whole thing has been run like a train wreck. Anonymous has failed to think this all through and certainly has no idea about the legalities here, to be telling any of these kids out there using LOIC that they are going to be OK. It may be all about the lulz, but soon it's going to be all about CYA and lots of lawyers' fees, kids.
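The two points in the list above that can actually be checked rather than argued, that a server's own access log records every source IP no matter how many people join in, and that a "dynamic" IP still maps to exactly one subscriber account once the ISP's lease records are pulled, can be shown with a few dozen lines of Python. This is an added example for this post and is not code from Anonymous, from LOIC, or from the original article: the access-log lines and the lease table are constructed sample data (RFC 5737 documentation addresses, made-up account IDs), and the ten-second window and the threshold of 50 requests are arbitrary choices for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Apache/nginx "combined" log format: ip ident user [ts] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return (ip, timestamp, request) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def _constructed_access_log():
    """Constructed sample log (not a real capture): two ordinary visitors plus one LOIC-style HTTP flooder."""
    base = datetime(2011, 1, 5, 19, 0, 0, tzinfo=UTC)
    fmt = '{ip} - - [{ts}] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
    lines = []
    for i in range(5):  # a page load every ~10 s is normal browsing
        lines.append(fmt.format(ip="203.0.113.10", ts=(base + timedelta(seconds=12 * i)).strftime(TS_FMT)))
        lines.append(fmt.format(ip="203.0.113.11", ts=(base + timedelta(seconds=9 * i + 3)).strftime(TS_FMT)))
    for i in range(200):  # ten requests per second for twenty seconds from one source
        lines.append(fmt.format(ip="198.51.100.7", ts=(base + timedelta(milliseconds=100 * i)).strftime(TS_FMT)))
    return "\n".join(lines) + "\nthis line is garbage and is skipped\n"


ACCESS_LOG = _constructed_access_log()

# Constructed ISP lease records: (ip, lease_start, lease_end, subscriber). A "dynamic"
# address is still tied to exactly one account for the lifetime of each lease.
LEASES = [
    ("198.51.100.7", datetime(2010, 12, 28, 8, 0, tzinfo=UTC), datetime(2011, 1, 3, 8, 0, tzinfo=UTC), "acct-11907"),
    ("198.51.100.7", datetime(2011, 1, 3, 8, 0, tzinfo=UTC), datetime(2011, 1, 7, 8, 0, tzinfo=UTC), "acct-48213"),
]


def source_ips(log_text):
    """Every client that sent a request is in the log, flood participant or not."""
    return {p[0] for p in map(parse_line, log_text.splitlines()) if p is not None}


def flag_flooders(log_text, window=10, threshold=50):
    """Count requests per (ip, window-second bucket); return {ip: peak count} for sources at or over threshold."""
    buckets = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        buckets[(ip, int(ts.timestamp()) // window)] += 1
    peak = defaultdict(int)
    for (ip, _), n in buckets.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n >= threshold}


def resolve_subscriber(leases, ip, when):
    """Map an address plus the time it was seen back to the account that held the lease, or None."""
    for lease_ip, start, end, subscriber in leases:
        if lease_ip == ip and start <= when < end:
            return subscriber
    return None


def attribute_flooders(log_text, leases):
    """For each flagged source, use the time of its first logged request to look up the account."""
    first_seen = {}
    for parsed in map(parse_line, log_text.splitlines()):
        if parsed is not None and parsed[0] not in first_seen:
            first_seen[parsed[0]] = parsed[1]
    return {ip: resolve_subscriber(leases, ip, first_seen[ip]) for ip in flag_flooders(log_text)}


if __name__ == "__main__":
    print("sources seen:", sorted(source_ips(ACCESS_LOG)))
    print("flooders:", flag_flooders(ACCESS_LOG))
    print("attributed:", attribute_flooders(ACCESS_LOG, LEASES))
```

The point the script makes is the one the list gets wrong: the flooder is not hidden in the crowd, it is the single most obvious line in the log, and "dynamic" only means the lease table has more than one row for that address, each row still naming one account.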

CoB

Written by Krypt3ia

2011/01/05 at 19:13

Posted in DD0S

The Curious Case of Kellep Charles: A Ligatt Propaganda Story


On January 1st another "press release" came out over the Internet claiming that Kellep Charles, by all accounts a certified and serious individual in the information security world, had been appointed to the board of directors at Ligatt Security. The Ligatt page, seen above in cached form (the live page is now a 404), names Kellep as a new member of the board. Now, this is nothing new with regard to people being touted as being added to the board. However, in this case, Kellep himself, like others before him, did not know that he was on the board, as you can see from his surprise in the tweet below:

It seems that Kellep may indeed have offered to work with Ligatt to "clean up his image," but no sooner had he done this than the Ligatt PR machine went into action and posted on the site and the newswire that they had a new board member. What is most insidious here is that Kellep, as I said above, is a multiply certified and seemingly above-board member of the security community whose reputation could be sullied by working with Evans and Ligatt because of their past misdeeds. What's more, it is VERY telling that Kellep states that he was willing to "advise" Ligatt to help "clean up their image."

*blink blink*

Ok, Kellep.. Over here, camera 3... Yeah, umm, I appreciate your wanting to help Greggy, but now do you see the real trouble with Greg and his little company? I suspect you do now, but here it is again... He is a charlatan and a con man, as well as a bully. He will use anyone and anything to get himself to the center of attention and to become a wealthy player.

You have been duped and he has tried to play upon your good name to better his ignominious one in the community at large.

Sorry man.

So, now the clean up goes on. Ligatt has seemingly redacted the press release from the Internet (I can't seem to locate a PR Newswire release, his usual propaganda tool), but what Ligatt fails to learn is the same thing that every teenage girl on the Internet learns after getting blitzed and naked for the camera: "There is no redacting everything from the Internet." It's out there, buddy, and there is no pulling this one back. This, however, brings up a key point in the Ligatt playbook, and it is exceedingly relevant to today's "wikileaked" world. You see, Ligatt is trying to pull his own version of 1984, not only using classical propaganda routines but also those of redaction and modern spin. The funniest thing, though, is that Gregory and Ligatt are so spectacularly BAD at it! With every "release" on PR Newswire and elsewhere, Greg thinks that he can re-spin his Ligatt Security presence into what he perceives it to be in his own delusional world view:

That of a global juggernaut of computer security and that he is a player, a mover and shaker.

Oh Greggy… Polishing a turd will only get you a shiny turd.

As for Kellep, I am sorry that you got dragged into this whole mess. You do not deserve to be lambasted because of your kindness, but here is the warning that might nudge you to keep your wits about you in this business: there are a lot of snake oil salesmen out there, and this guy is a prime example. So in future, if you decide that you want to give any counsel to Gregory, then I should think that counsel should be to come clean and really work toward being an "expert" instead of just playing one on TV.

If I see you at Shmoocon I will buy you a beer… Cuz dude, I think you’re gonna need one after this debacle is over.

*note* Stay tuned folks... A new board member, John W. Jones (Martian Manhunter!), has been added to the esteemed list! I wonder if he knows? More to come....

EDIT! Hat tip to iAlbert who located a copy of the Press Release! See Greggy, you can’t redact the Intertubes!

CoB

Written by Krypt3ia

2011/01/05 at 15:03

Emergent Digital Warfare: Swarming; A Further Look at C2


The Hive Mind

In my last post I talked about the "swarming" tactics being employed by Anonymous and elements of 4chan to DDoS sites in their "operations." This post is going to deal more with what can tactically be done to respond, not only to the tactic of swarming (via electronic DDoS as opposed to on a real battlefield) but also to DDoS as an attack vector in itself. I have been Googling quite a bit and have turned up some interesting papers on the subject, and this topic has had me thinking for a while now.

What has been at the back of my mind all this time has been the claim that Anonymous is a "collective" of people that performs a hive-mind style of Athenian democracy (that's the media's dubbing, not mine) inside the digital domain of IRC to choose their targets and launch their attacks. However, I would like to correct this statement: I believe it to be dissembling on the part of Anonymous to say that it is truly a leaderless aggregation of entities. Instead, I believe that there is a core group of individuals who comprise the C2 structure, which then in turn guides the rest of the hive mind.

Why do I say this? Well, let's look at it from the perspective of bees. Bees are a hive mind; however, they have a queen, do they not? It is that queen who runs the hive, and not in an Athenian black-marble-in-a-jar-of-white-ones kind of way. The worker bees have no say in the actual targeting of anything; a chemical signal and a dance from another bee will set them off to attack or to go to a specific place rich in flowers to pollinate. In short, bees do not have frontal lobes and large brains, so there is a more complex system of decision making among higher-brain-function individuals on an IRC channel than there is in a chemical signal telling a bee to attack something.

So, in the case of the IRC channels and the C2 (command and control) of the Anonymous operations, I say that there is a more complex system at play, and that they, by their very nature, require a command and control structure with key players to facilitate it.

Cells and Compartments

There have been reports that there is a core group of hackers at the heart of this C2 architecture, and I would tend to agree that they may indeed be hackers (in the loose sense of technically savvy individuals) who have at their disposal systems such as IRC servers and channels that they either fully control themselves or are loaned time on. I believe that there is a more hierarchical structure to the Anonymous group than they would like to admit, and as such they are in a much more precarious position tactically than they might think. Sure, they have plenty of cannon fodder out there using the LOIC, but the core cabal still holds the digital strings. In this case, we have many skiddies out there, so who are the brains behind the coding and implementation?

Just as well, take a look at the collective press releases that have been made on Piratepad etc. The last one I saw had 16 authors working on the whole... 16 is not legion; 16 is "finite." So, sure, at present you have LOIC, which does not obfuscate the IP addresses of end users, and you have kids out there just doing this for shits and giggles, but elsewhere you have the likes of those who hacked Gawker. Those weren't skiddies; just how many were there, and were they working in completely compartmented cells? If not, then eventually the cells will be broken.

Think about it this way... everyone that you bring into this venture has the potential of being from the opposition. All it takes is one agent provocateur to bring a network down.

The Technologies of DDoS Swarming

The IRC systems that the hive mind and Anonymous operations have been using so far have started to be targeted by the federal authorities, not only of the US but of other countries, in hopes of gathering logs and decommissioning them for C2 use. The current IRC server (anonops.ru) sits in Russia, and in fact is likely to be a bit safer out there at present; note, though, that they moved it to Russia in order to prevent it from being taken down and seized. This is the fatal flaw in the system that Anonymous has yet to really come to grips with. By announcing their targets and the channels to connect to on the C2 network, they give up their tactical advantage for not getting popped. When the authorities know where the systems are that form the actual C2 mechanism, they will use any and all force to go after those nodes and take them down.

A more fully working and secure system for this type of sustained attack would be the traditional botnet approach. By using botnets of infected machines, Anonymous would have a better chance of not getting pinched as easily as they might now, because at present they are in the open with their C2 channels and their methodologies (i.e. LOIC). After all, once the warrants go out on all those kids, like the ones in Germany, there will be a bit more of a call for the commanders to create more "secure" technologies than LOIC to perform the DDoS, won't there? Or are they not planning that far ahead?

You see where I am going with this? You still have a single point of failure in the IRC and in the LOIC's insecure nature. Eventually, no one will want to play unless they can be assured that they are protected by IP obfuscation.

My recommendation? Use the botnets and forget the skiddie stuff. Sooner or later you will all piss off the wrong folks, and the single point of failure in the "hive" system will bring you all down. All it would really take at the present moment would be for the authorities in .ru (cough KGB cough) to backdoor the system and audit all of the traffic on it. Unless you are shelled in with a proxy (funny how anon doesn't allow Tor on their IRC), it's highly likely someone would be on your doorstep soon enough, breaking it down.

For that matter, the KGB just might like to get in there and use you all for their own ends... Anonymous would make a nice patsy, wouldn't you?

Countermeasures for DDoS

Meanwhile, all of these events have brought the specter of DDoS to the fore again for the greater community doing business on the Internet. DDoS is such a simple idea, but it seems to be a daunting task to differentiate the traffic and mitigate an attack of this type. Because all of the traffic is ostensibly authentic as far as the routers and servers are concerned, the problem becomes how to determine whether it is truly authentic traffic or an attack vector. Therein we have the swarming that I spoke of before: the server is swarmed over with connection attempts.

The military has been working on the DDoS issue for some time now, and there are some good papers on the subject:

1) Mitigating Distributed Denial of Service Attacks in an Anonymous Routing Environment: Client Puzzles and Tor

2) Mitigating DDoS with DFS

3) Distributed Denial of Service-Defense Attack Tradeoff Analysis (DDOS-DATA)

It looks as though the best means discussed so far have to do with a type of packet-filtering approach that could potentially differentiate good from bad traffic, but that would take another stratification of traffic (at the network layer) and would likely be costly, and perhaps not so good for net neutrality. As yet, though, no one seems to have a good solution to the problem... So there will always be the potential for a large-scale attack on any site that will take it offline and perhaps overtax the servers themselves. These, though, are only one form of direct DoS attack on a site... What about a DDoS on, say, a router or the main DNS servers out there on the net?
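The first of the three papers listed above is about client puzzles, which attack the problem from the other side: rather than trying to tell good packets from bad at the network layer, the server makes every client pay a small amount of CPU before it spends any of its own resources on the request. That cost is unnoticeable for one browser loading a page and ruinous for a sender that wants thousands of requests a second. What follows is an added illustration of that idea and is not code from the paper, from Tor, or from the original post. The construction (an HMAC-tagged challenge so the server keeps no per-client state, SHA-256 as the puzzle function, a solution defined as a counter giving a digest with N leading zero bits) and the difficulty of 12 bits are my assumptions, chosen so it runs in well under a second.

```python
import hashlib
import hmac
import os
import struct
import time


def leading_zero_bits(digest):
    """Number of leading zero bits in a byte string."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n


class PuzzleServer:
    """Issues and verifies hash-reversal puzzles without keeping per-client state.

    The challenge carries an HMAC over (client, timestamp, difficulty, nonce) so the
    server can later confirm it issued this exact puzzle, at this difficulty, and that
    it has not expired, without a lookup table an attacker could fill up.
    """

    def __init__(self, difficulty_bits=12, secret=None, max_age=60):
        self.secret = secret if secret is not None else os.urandom(32)  # per-process key, assumption
        self.difficulty = difficulty_bits
        self.max_age = max_age

    def _tag(self, client_id, ts, bits, nonce):
        msg = client_id.encode() + struct.pack(">QB", ts, bits) + nonce
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def issue(self, client_id, now=None):
        """Hand the client a challenge; cost to the server is one HMAC."""
        ts = int(time.time() if now is None else now)
        nonce = os.urandom(8)
        return {"client": client_id, "ts": ts, "bits": self.difficulty, "nonce": nonce,
                "tag": self._tag(client_id, ts, self.difficulty, nonce)}

    def verify(self, puzzle, solution, now=None):
        """One HMAC plus one SHA-256: constant cost for the server, whatever the difficulty."""
        now = int(time.time() if now is None else now)
        expected = self._tag(puzzle["client"], puzzle["ts"], puzzle["bits"], puzzle["nonce"])
        if not hmac.compare_digest(expected, puzzle["tag"]):
            return False  # forged, altered (e.g. difficulty lowered) or issued by another server
        if not 0 <= now - puzzle["ts"] <= self.max_age:
            return False  # expired, or timestamp from the future
        digest = hashlib.sha256(puzzle["tag"] + solution).digest()
        return leading_zero_bits(digest) >= puzzle["bits"]


def solve(puzzle):
    """Client side: try counters until SHA-256(tag || counter) has enough leading zero bits.

    Expected work is about 2**bits hashes per request; the server's check is one hash.
    """
    counter = 0
    while True:
        candidate = struct.pack(">Q", counter)
        if leading_zero_bits(hashlib.sha256(puzzle["tag"] + candidate).digest()) >= puzzle["bits"]:
            return candidate, counter
        counter += 1


if __name__ == "__main__":
    server = PuzzleServer(difficulty_bits=16)
    puzzle = server.issue("198.51.100.7")  # client id is a documentation address here
    started = time.perf_counter()
    solution, tries = solve(puzzle)
    print(f"client: {tries} hashes in {time.perf_counter() - started:.3f}s")
    print("server accepts:", server.verify(puzzle, solution))
```

Two caveats a deployment has to settle. Because the tag is stateless, a solved puzzle can be replayed until it expires, so either the server remembers (tag, solution) pairs for max_age seconds or binds the puzzle to a connection that is torn down after one use. And the difficulty is only a multiplier on the attacker's cost; a botnet with idle CPUs on every node still gets through, which is why the difficulty is normally raised with the current connection rate rather than fixed.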

Moving Forward

The time of Anonymous is upon us. I wonder, however, just how long that will last, because I fear that they have awakened the sleeping giant just as it has become technologically self-aware. I am sure that in 2011 there will be arrests and a dismembering of Anonymous and groups like them when they poke the badger one too many times... that is, there will be more of them popped unless they get a bit smarter about their OPSEC.

The technologies out there now are going to be worked on, and sometime in the near future I suspect there will be more mitigations offered by the likes of Cisco etc. for DDoS. Until that time, the LOIC and its progeny will continue DoS'ing sites offline as a protest or just for the lulz. I wonder, though, whether the Anonymous C2 will realize that what I have said above is true, and work on some obfuscation techniques for their networks and end users...

Time will tell…

In truth, 2011 will be the year of the cyber war and we are in for a ride folks.

CoB


Written by Krypt3ia

2011/01/03 at 23:34