Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for March 2011

Inspire 5: The Tsunami of Change Assessment


The latest issue of Inspire, the AQAP jihadi magazine, is out, and having read through the whole thing I have come to the following conclusion:

AQAP has begun transforming into a political party much like Hamas has.

The bulk of this magazine deals with the re-asserting of AQAP jihadi doctrine, but this time with a softer spin and a more politic language set. Much of this is attributable to the fact that the Middle East is on fire with protests seeking to depose the dictators who run those countries. Accordingly, Inspire has set a softer tone overall, but tries to reinforce that there is no “middle road” in Muslim doctrine from the prophet. What this means is that once again, they are seeking to use Koranic passages to assert their dogged belief that it’s their way or.. Well, you are kuffar.

All of this of course couched in much softer language.

Now, as an outsider to the Muslim faith, and to faith in general, I often find myself reading this drivel and thinking “religion is the opiate of the masses”; in this case it is more than an opiate, it is a complete brainwash and blow dry. Ultimately, I think that the movement away from harder language toward more politic speech patterns begins to show just how much of a political organisation this is becoming, as opposed to a religious movement seeking a Caliphate. Simply put, these guys want to be in power and they will use any means, including political ones, to gain the seat of said power.

Even the look of the magazine has taken on the visage of a counter-culture hip mag. The target audience, of course, is in fact the teen to twenty-something in the Western hemisphere seeking something to believe in after all. I suspect that the contents of the likes of Emerson Begolly’s hard drives likely have copies of Inspire on them, as do those of other kids who are seeking the same kind of movement to be a part of.

And that is where it is insidious.

From a psychological standpoint, this change in tack is very PSYOP in nature. Lull, cajole, and wheedle, all the while promising an end to life that will have greater meaning and an afterlife full of wine, women and song. All the while they are also laying out the seeds for “lone wolf” operations in the opening paragraphs by outlining the stats on arrests by the West of jihadist “cells” that were not secure. One passage even says the following:

We have noticed that the year 2010 alone saw the most arrests in the West for homegrown jihadi operations. Most of those arrested were arrested in groups, one connected to another. Sometimes the enemy would even set up the brother in a sting operation, fooling him into believing that he was working with the mujahidin. Keeping that in mind, we have witnessed that operations done by lone individuals has proven to be much more successful. So what can we learn from this? Group operations have a greater tendency of failing than lone operations due to the idea (of the operation) escaping the mind and tongue to other individuals.

Even if those individuals are trustworthy in your eyes, there is still that 1% chance that someone from the intelligence agencies are listening in and paying attention to your groups’ actions or that the person you are talking to might be working for the enemy or that he might be pressured at a later period to give information to them. With lone operations however, as long as you keep it to yourself, nobody in the world would know what you’re thinking and planning. That’s why individuals like Taimour, Roshonara, Nidal and others have been successful, even if they were ultimately arrested. The fact that they were able to pull off their operations without being halted by authorities is a great success.

It’s an interesting mix in this issue but the message is much the same. Even with the new polish to the layout and the soft question and answer section, it is still a propaganda piece for a group of people who only really want to be in power. A group that will do whatever it takes, including becoming more and more “western” in style to get it.

So much for militant Muslim faith huh?

K.

Written by Krypt3ia

2011/03/31 at 14:27

Backstopping Backtrace: Maltego Mapping of Data-Points


Laurelai Storm

I have been following the Backtrace Security vs. Anonymous battle since BT decided to “dox” the Anons who were running the HBGary event. After the Feds had BT pull the dox (I got copies though, I mean, it is the Internet.. Nothing goes away) I decided it was time to see just what was in them. I then read the entire transcript file and teased out some pertinent data. Once that was done, I booted up Maltego and began looking around.

Now, the Anons claim that the data was bogus to start with, but I am seeing some hits here from the very thing I have written about here before. The re-use of nicks on other venues WILL lead to compromise of anonymity IF they actually tag real attributive data to their use. The transcript of the IRC #HQ channel, though, does show that the Anons were seeking to create disinformation campaigns of their own as well as salt the Internet with false profiles after the HBG attack. It is important to note, though, that this seems only to have been the case this last February, meaning that they were not all creating those false personae online as red herrings before this.

This is a key factor, as much of the data Maltego was locating pre-dates the Anonymous OPs that are germane. As this is the case, the data I am finding is, I believe, actually solid and could lead to personae compromise of these Anons.

Nessuno834 aka Kieron Parr

As you can see from the maps, once key data points are added together and mapped, you can see the intersections where the users’ identities touch, and those can lead to even more data. Having not only the nick but also a real name adds to this greatly and, as you can see, you can make inferences as to patterns of behaviour, posting, and the actual validity of the claim by BT. It is only a matter of time and sorting through the hits to weed out the false ones before you can get a pretty good picture of who the person is, their previous postings using the same nick, and whether or not they seem to be a likely candidate. In the cases of the three nicks searched here, I was able to say pretty safely that they are all technical individuals with connections to 4chan/Anonymous and, as such, the authorities are likely paying attention to them already through their own investigations.

So, I guess in the final assessment, one could say that these people had created these personae as backstops and that these are just another red herring. On the other hand, I believe that this is pretty much not the case. The data points go back to 2008 or earlier and as such, human nature has bitten them in the end with regard to habits and lack of OPSEC.

I guess time will tell as to who may or may not get pinched… Whoever Hubris is, they chose their name well.

K.

Written by Krypt3ia

2011/03/29 at 14:26

Posted in Maltego

Leggo My Steggo


Written by Krypt3ia

2011/03/29 at 13:11

Posted in LeggoMySteggo!

Anonymous #HQ: Inside The Anonymous Secret War Room


John Cook and Adrian Chen — Dissident members of the internet hacktivist group Anonymous, tired of what they call the mob’s “unpatriotic” ways, have provided law enforcement with chat logs of the group’s leadership planning crimes, as well as what they say are key members’ identities. They also gave them to us.

The chat logs, which cover several days in February immediately after the group hacked into internet security firm HBGary’s e-mail accounts, offer a fascinating look inside the hivemind’s organization and culture.

  • Sabu
  • Kayla
  • Laurelai
  • Avunit
  • Entropy
  • Topiary
  • Tflow
  • Marduk
  • Metric
  • A5h3r4

So, Hubris/A5h3r4/Metric have broken into the inner circle of at least one cell of Anonymous. I say cell because I do not think that these users are the actual full-scale leaders of Anonymous; instead, as I have said before, there are cells of Anons that perform operations sporadically. These folks, if the chat transcripts are true, are the ones just behind the HBGary hack and at least one of them was behind the Gawker hack.

Once again, I will reiterate here that I think Anonymous is more like a splinter cell operation than anything else. There is an aegis from the whole as an idea, but they break off into packs for their personal attacks, or whatever turns them on. They coalesce into a unit when they feel moved to, but overall they do not just get together and act without direction on the part of a leader or leaders.

The excerpt below from the #HQ transcripts shows that these characters are a little high on themselves after the hack on HBG… And you know what happens when you don’t pay attention to the hubris factor. You get cocky and you get burned. As you can see below, some of them are at least nervous about being popped or infiltrated.. Those would be the smart ones…

04:44 <&Sabu> who the fuck wrote that doc
04:45 <&Sabu> remove that shit from existence
04:45 <&Sabu> first off there is no hierachy or leadership, and thus an operations manual is not needed

[snip]

04:46 <&Sabu> shit like this is where the feds will get american anons on rico act abuse and other organized crime laws
04:47 <@Laurelai> yeah well you could have done 100 times more effective shit with HBgary
04:47 <@Laurelai> gratted what we got was good
04:47 <&Sabu> if you’re so fucking talented why didn’t you root them yourselves?
04:47 <@Laurelai> but it could have been done alot better
04:47 <&Sabu> also we had a time restraint
04:48 <&Sabu> and as far as I know, considering I’m the one that did the op, I rooted their boxes, cracked their hashes, owned their emails and social engineered their admins in hours
04:48 <&Sabu> your manual is irrelevent.

[snip]

04:51 <&Sabu> ok who authored this ridiculous “OPERATIONS” doc?
04:51 <@Laurelai> look the guideline isnt for you
04:51 <&Sabu> because I’m about to start owning nigg3rs
04:51 <&marduk> authorized???
04:52 <@Laurelai> its just an idea to kick around
04:52 <@Laurelai> start talking
04:52 <&Sabu> for who? the feds?
04:52 <&marduk> its not any official doc, it is something that Laurelai wrote up.. and it is for.. others
04:52 <&marduk> on anonops
04:52 <&Sabu> rofl
04:52 <@Laurelai> just idea
04:52 <@Laurelai> ideas
04:52 <&Sabu> man
04:52 <&marduk> at least that is how i understand it
04:52 <@Laurelai> to talk over
04:53 <&Sabu> le sigh
04:53 <&marduk> mmmm why are we so in a bad mood?
04:53 <&Sabu> my nigga look at that doc
04:53 <&Sabu> and how ridiculous it is

[snip]

04:54 <&marduk> look, i think it was made with good intentions. and it is nothing you need to follow, if you dont like it, it is your good right
04:55 <&Sabu> no fuck that. its docs like this that WHEN LEAKED makes us look like an ORGANIZED CRIME ORGANIZATION

My observations though have always been that the groups would be infiltrated by someone and then outed. It seems that this may indeed be the case here if the data is indeed real. It seems to me that a certain j35t3r said much the same before, that he could and did indeed infiltrate the ranks, and had their data. Perhaps J has something to do with this? Perhaps not… Still, the principle is sound.

  1. Infiltrate
  2. Gather INTEL
  3. Create maps of connections
  4. Report

It would seem also that these guys are liminally aware of the fact that their actions can be seen as a conspiracy and that the government will not only get them on hacks potentially, but also use the conspiracy angle to effectively hogtie them in court. Let me tell you kids, there is no perfect hack… Well unless the target is so inept as to have absolutely no logging and does not even know for a very long time that they had been compromised.. Then the likelihood of being found out is slimmer, but, you guys popped and then outed HBG pretty darn quick.

I am willing to bet there are breadcrumbs.. And, those said breadcrumbs are being looked at by folks at some three letter agencies as I write this. You see kids, you pissed in the wrong pool when it comes to vindictiveness. I agree that HBG was up to bad shit and needed to be stopped, but, look at the types of things they were planning. Do you really think that they are above retaliation in other ways than just legal? After all, they were setting up their own digital plumbers division here huh?

Anyway… Just sayin…

Back on topic here with the Backtrace folks and the logs. I have looked at the screen names given and have come to the conclusion that they are all generic enough that I could not get a real lock on anything with Maltego. I had some interesting things pop up when you link them all together, but, overall not enough to do anything meaningful. The other issue is that Maltego, like any tool using search engines and data points, became clogged with new relational data from the articles going wide. I hate it when the data is muddied because of this.

So, yeah, these names are not unique enough to give solid hits. Others though who have been re-using nicks online as well as within the confines of Anonops, well that is another story. I just have this feeling that there are larger drift nets out there now hoovering all you say and do on those anon sites, even if they are in the .eu space. I still have to wonder if any of those IRC servers have been compromised yet by certain intelligence agencies.

One wonders too if China might also be playing in this area… How better to sow discontent and destabilize than to use a proxy like Anonymous for operations?

For that matter.. How about the CIA?

NSA?

Think on it… Wouldn’t Anonymous make a perfect false flag cover operation?

For now, I am going to sit and watch. I would like to see the full chat transcripts though. Now that would be interesting.

“May you live in interesting times”

Indeed.

K.

Anonymous vs. Anonymous: Enough Hubris To Go Around


The nameless revolution that calls itself Anonymous may be about to have its own, online civil war.

A hacker startup calling itself Backtrace Security – made up of individuals who formerly counted themselves as part of Anonymous’ loose digital collective – announced plans Friday to publish identifying information on a handful of active members of Anonymous. According to one source within the Backtrace group, it will release the names and instant messaging logs of dozens of Anonymous hackers who took part in attacks on PayPal, Mastercard, the security firm HBGary, Westboro Baptist Church, and the Marine officials responsible for the detainment of WikiLeaks source Bradley Manning.

That spokesman, who goes by the name Hubris and calls himself BackTrace’s “director of psychological operations,” tells me that the group (Backtrace calls itself a company, but Hubris says it’s still in the process of incorporating) aims to put an end to Anonymous “in its current form.” That form, Hubris argues, is a betrayal of its roots: Fun-loving, often destructive nihilism, not the political hacktivism Anonymous has focused on for much of the past year. “[Anonymous] has truly become moralfags,” says Hubris, using the term for hackers who focus on political and moral causes instead of amoral pranks. “Anonymous has never been about revolutions. It’s not about the betterment of mankind. It’s the Internet hate machine, or that’s what it’s supposed to be.”

The rest is HERE

“Cyberdouchery” is a term coined within the last year, as far as I know, for snake oil or hype mongers within the Infosec community. I have to say that this alleged group of ex-anons kinda fits the term for me. Whether the reason is, as they state, being tired of Anonymous being moral fags, or the idea that they just want to get back to their troll roots, I pretty much just think it’s a publicity stunt. Of course, the darker side of me could see the way to believing that this is just some sort of psyop by person/persons unknown to get a reaction out of Anonymous.

I have written in the past about the herd mentality as well as convergence theory where it regards Anonymous. In each of those scenarios, though, there is the idea that there are leaders. No matter the number of times Anonymous may say they are leaderless, I say that this is just impossible from the point both of these theories take. Even if someone is a leader for a day or a minute, there is a leader, and there are followers, either anointed by the pack or by themselves. There are also the minions that do the work, such as the mods and the managers of the servers and systems. Those too could be seen as leaders within the infrastructure. Now it seems, though, that this new group is going to attempt to name leaders by use of social engineering and data collection.

… And that is what Aaron Barr wanted to do.. Well sorta… Then he shot himself in the foot with his own machine gun of hubris.

All in all, though, this looks to be, on the face of it, just an attempt at #LULZ by these folks at Backtrace. The use of the crystal palace image alone screams nearly the same shrill tune as using too many numbers in one’s nickname in leet terms. If you look closely, though, you will see that they also claim to offer services such as “Cyber Espionage” *blink* Not counter intelligence nor counter cyber espionage, but cyber espionage. Just as they also offer cyber warfare and a host of other hot terms with cyber in them. That just reeks of the cyberdouchery I spoke of at the top of the post. So, in reality, I don’t take this all too seriously.

I guess we will just have to wait and see what develops with this insurance file and the alleged outing that will happen…

There will be #lulz

K.

SMS Terror: Not so new but, this is a new twist


One of the Taliban’s most effective tools to persuade Afghans not to work with the U.S. or its allies is the night letter — a note warning people they’ll be targeted for death unless they change their infidel-loving ways. But that’s too analog. These days, the Taliban is mass texting gruesome videos to Afghans’ cellphones to spread the same message.

The insurgency’s media committee produces videos like this one — which we won’t embed — glorifying suicide bombers and posts them on Taliban websites like Shahamat.info and Alemarah-iea.net. Befitting the growing importance of social media to insurgents, Facebook pages purporting to be adjuncts of Taliban propaganda networks pop up to display the imagery, hoping to slip past Facebook’s usage police.

But to maximize the videos’ reach, insurgents send them out through SMS chains, until they eventually reach unsuspecting Afghans. It’s a quick way to take night-letter videos viral — and disguise the usage chain from its origin, preventing authorities from shutting down the distribution system.

The rest is at Wired

Since the communications infrastructure in Afghanistan has been built up some more with the help of the likes of private contractors, it is only natural that mass SMS barrages would be used by the Taliban. This is not a new thing to the jihadis, though; they have been passing along shahid videos for some time on mobile phones via SMS. The twist here is that now, instead of passing along just propaganda, they are also sending threats. It would seem the Talibs have been taking cues from the rest of the world on social media and its uses.

Of course, the original method of scaring people into submission, the “night letter”, seems to me much more visceral. This is where people tack a letter to your door and bang on it, scaring the occupants, something akin to a jack-booted Nazi door kick. Except in this case these guys run away instead of coming in and terrorizing everyone. It’s the Taliban version of leaving a dead rat tacked to the door.

On the other side of this, though, I have to wonder: with all of the new infrastructure, there must be some potential to track these SMS originators through their ESNs, right? Not all phones can be “burner” phones there in Afghanistan, right? Even if they are, surely the cell towers can’t be so plentiful as to make DF-ing them ponderous? If I were the anti-terror forces, I would be heavily monitoring the comms anyway… So, keep on SMS-ing everyone, Taliban! Soon the night letter will be coming to your flap.

CoB

Rising Enterprise Reports Hacking On Chinese Assets Up In 2010


Download the “Rising 2010 China Enterprise Security Report”

On March 10, Rising, Asia’s largest information security vendor, released the “2010 China Enterprise Security Report”, an in-depth analysis and interpretation of the security risks facing domestic enterprises and institutions. The report points out that government, military, education and scientific research institutions have become major targets of hacker attacks; in 2010, as many as 90% of traditional enterprise intranets (counting only enterprise networks connected to the Internet) were successfully intruded upon; almost 100% of Internet companies encountered security incidents such as penetration testing, vulnerability scanning and intranet structure analysis, and in more than 85% of cases hackers successfully obtained some level of privilege.

Rising security experts stated that in 2010, a year marked by the domain hijacking attack on Baidu, all of China’s large companies and websites faced serious security threats. DDoS attacks, virus implantation, domain hijacking, loss of confidential information and leakage of administrative privileges became the hacker attacks to which enterprises were most susceptible.

As for attack targets, software systems are no longer the only choice; mobile phones, USB drives, portable hard disks and infrastructure have all become hacker targets or springboards, and enterprises urgently need tailored, comprehensive and systematic overall security solutions.

Government, military, education and scientific research institutions have become major targets of hacker attacks

Well, turn about is fair play is it not? Apparently, if you are to believe the data from this report, then it seems that China has been the target of some hacking. Of course who might it be that this report is claiming is at the top of the aggressor list?

Why the USA of course!

Now, that is convenient, huh? Well, I can be sure that the USA has been trying to hack these entities in China, but would the US be as silly as to just do it blatantly like the Chinese do? Maybe they would, maybe they wouldn’t. What it does say, however, is that now the game is on with the Chinese, it would seem. I think, though, that this has been the case all along. The three letter agencies have been doing this since the start, I think, and as the world has become more networked, so has the spying. I mean, China does not have the only corner on the cyber-espionage game.

Now, on the other hand, this report would amp up the rhetoric on the cyber-espionage topic wouldn’t it? After all, so far we have had so much attention on the likes of Night Dragon, Moonlight Maze, and Aurora as being pinned to the Chinese star. I am sure that the Chinese would love to be able to rationalize their efforts as reciprocity for the attacks by America on them. This is the game that is played and it is much like the games that the USSR used to play with America on the espionage playing field.

I guess the next question for me would be this;

Just how many servers do the alphabet agencies lease time on in other countries such as China to run recon or hack from? Obviously some of those cycles could be on behalf of some agency or other and the operators would be none the wiser. A botherder is just a botherder; all that matters to them is that they get their money on the digital black market. I am sure too that there are plenty of nodes within the Asiatic sector, as well as all over the rest of the world, that are acting as launch points for the US, not just servers within the confines of the country.

Well, at the very least this is an interesting albeit feeble attempt at attribution of attacks on China.

Attribution is a bitch and China must know that pretty well.

K.

Written by Krypt3ia

2011/03/16 at 20:17

Barrett Brown: Anonymous and Their Alleged Propagandist


DALLAS — A leader of the computer hackers group known as Anonymous is threatening new attacks on major U.S. corporations and government officials as part of an escalating “cyberwar” against the citadels of American power.

“It’s a guerrilla cyberwar — that’s what I call it,” said Barrett Brown, 29, who calls himself a senior strategist and “propagandist” for Anonymous. He added: “It’s sort of an unconventional, asymmetrical act of warfare that we’ve involved in. And we didn’t necessarily start it. I mean, this fire has been burning.”

A defiant and cocky 29-year-old college dropout, Brown was cavalier about accusations that the group is violating federal laws. He insisted that Anonymous members are only policing corporate and governmental wrongdoing — as its members define it.

Breaking laws, but ‘ethically’
“Our people break laws, just like all people break laws,” he added. “When we break laws, we do it in the service of civil disobedience. We do so ethically. We do it against targets that have asked for it.”

And those targets are apparently only growing in number. Angered over the treatment of Bradley Manning, the Army private who is accused of leaking classified U.S. government documents to WikiLeaks and who is currently being held in solitary confinement at a military brig in Quantico, Va., Brown says the group is planning new computer attacks targeting government officials involved in his case.

The rest HERE

Barrett, really? You are really going to be the next person to take the penis out and put it in the hornets’ nest, as Colbert put it? Boy, you must be one big dumbass. Here is what I think you are about to do.. Wait, no, what you already DID to yourself here.

  1. You just popped your head up for all federal agencies around the world to say Hi! I am ANONYMOUS! To which they will begin to take aim at said head.
  2. Anonymous will in fact just use you to their ends. You are now chaff to the heat seeker that is the US Government.
  3. Guarantee that if you do anything with anonymous as a hive minder, you are about to be the poster boy for what not to do with a computer. Expect a warrant to be issued soon to be executed wherever you live.
  4. Breaking laws ethically… Hmmm.. I have yet to see anywhere where hacking was considered civil disobedience by the legal system…
  5. PSSST you have a phone call from Joe Goebbels on the white courtesy phone and he is PISSED!

What made you say this? I mean, other than being a giant attention seeker, that is? You will go down in the annals of hacker/computer security history alongside the likes of Project Vigilo.

Duh.

Meanwhile, taking a peek at the anonnews.org site we can see just how many folks there think highly of you… Well.. none really, with -46 comments. Though, this whole thing does bring up some interesting issues that I have been writing about lately. Here is one comment that stuck with me.

moot- CEO, canv.as – 2011-03-09 00:55:54 repost-

It is time to instate a form of puppet government, and also wear more than just the Fawkes mask.

It will soon become very risky to carry out Ops under the guise of Anon. We need to take it one step further, by decentralizing and assuming the identities of others. Remember the blame ebaumsworld standard of the past? That shit worked, it caused confusion amongst those not in the know and kept the heat level minimal.

We need to create leaders within that do not really exist outside of word of mouth. Reference their handles often, integrate them into our culture and Op plans. Place them at the top of our imaginary “ranks”. Give the vans targets to aim for, that will simply vanish when the sheet is pulled off from over them.

Instead of Anon carrying out the B. Manning OPs, make it known that it is in fact a rogue group of protesters originating from knowyourmeme.com that are coordinating the raid. The BMI DDoS is being carried out through mass chain PM’s amongst tumblr users, fed up with big brother.

We operate very publicly and therefore are left wide open to LE infiltration, the least we can do is keep them on their toes and tie them up with false leads, while also keeping mainstream media in the dark.

Interesting… So, is this one too;

Sage – 2011-03-09 02:12:12

If the ops were viewed as discrete groups that many anonymous people joined, but that was a split group from Anonymous, and that was emphasised to the media like Chanology, being a scifag breaking group but that being all they do, and that it was re-emphasised that anonymous is no single website, place or action, it would probably be more effective than blinding the majority of people from our actions, which would only increase the perceived level of illegality with our actions, as well as the public’s paranoia, instead of being seen as the end of the world, and a bunch of sociopathic “hackers”, we should be seen as our century’s incarnation of we the people [from an american perspective] as this is probably closer.

Yes we should aim to be more covert within the individual operations, people doing things that are counted illegal need to be untraceable or want to be caught, same with the people organising these groups, but to bring this level of paranoia to the rest of our actions that are in general legal, would probably be counter productive.

Instead of closing the trench coat and heading back to the shadows, we are better off at this point leaving it open and getting some puppetry action going on to keep the crowd laughing with us.

tl;dr being a puppeteer of the penis is better than being called a flasher and taken to jail.

Interesting indeed. The ideas are beginning to swirl, and it would seem, by implication here, that some may be worried about operations and cells being caught. This would be only natural, as I have been trying to point out: any time you have a group of entities together, there will be de facto leaders, there will be troops, and there will always be the possibility of making mistakes that will lead to capture. It’s just the nature of the beast.

I think that all involved really have to take that into account. There is always the chance they will be caught.

Looking at the responses, however, begs a question and perhaps suggests a little thought project. What is the median age of the anonymous crowd?

Ponder ponder….

Things are about to get interesting.

K.


Written by Krypt3ia

2011/03/09 at 16:24

Digital Kinetic Attacks: South Korean DD0S Botnets Have “Self Destruct” Sequence

leave a comment »



From McAfee Blog

There has been quite a bit of news recently about distributed denial of services (DDoS) attacks against a number of South Korean websites. About 40 sites– including the Presidential, National Intelligence Service, Foreign Ministry, Defense Ministry, and the National Assembly–were targeted over the weekend, beginning around March 4 at 10 a.m. Korean time. These assaults are similar to those launched in 2009 against sites in South Korea and the United States and although there is no direct evidence connecting them so far, they do bear some similarities.

DDoS attacks have occurred with more and more frequency, but one of the things that makes this attack stand out is its use of destructive payloads. Our analysis of the code used in the attack shows that when a specific timezone is noted by the malware it destroys the infected computer’s master boot record. If you want to destroy all the data on a computer and potentially render it unusable, that is how you would do it.

The malware in the Korean attacks employs an unusual command and control (C&C) structure. Instead of receiving commands directly from its C&C servers, the malware contacts two layers of servers. The first layer of C&C servers is encoded in a configuration file that can be updated at will by the botnet owner. These C&C servers simply provide a list of servers in the second layer, which will provide additional instructions. Looking at the disbursement of the first-layer C&Cs gives us valuable insight into the malware’s global footprint. Disbursement across this many countries increases resilience to takedowns.

The rest HERE

At first, my idea of a digital kinetic attack was one that somehow affects the end target so as to destroy data or cause more downtime. The current attacks on South Korea’s systems now seem to be more of a kinetic attack than just a straight DD0S. Of course one then wonders why the bot-herders would choose to burn their own assets with this new type of C&C system and malware. That is, unless the DD0S target is just that: only one of several targets.

So the scenario goes like this in my head;

  • China/DPRK work together to launch the attacks and also infect systems in areas they would like to do damage to.
  • They choose their initial malware/C&C targets for a secondary digital kinetic attack. These systems have the potential not only of being useless for tracing the bot-herders, but also of being key systems belonging to allies or to the end target themselves.
  • If the systems are determined to be a threat, or just as part of the standard operation, the attackers can trigger these systems to be rendered (possibly) inert with the wipe feature. The same applies to going after only document files; this would cause damage to the collateral systems/users/groups.

Sure, you burn assets, but at some point in every operation you will likely burn at least one. So, doing the mental calculus, they see this as a win/win, and I can see that too depending on the systems infected. It is not mentioned where these (C&C) systems were found to be, but I am assuming that they were in fact in China as well as other places around the globe. This actually steps the DD0S up a level to a real threat for the collateral systems.

Of course the malware here does not physically destroy a drive; it just renders it useless, and only potentially so (the drive is truly lost only if the MBR cannot be rebuilt AND the data on board has been zeroed), as you can see from this bit of data:

The malware in its current incarnation was deployed with two major payloads:

  • DDoS against chosen servers
  • Self-destruction of the infected computer

Although the DDoS payload has already been reported elsewhere, the self-destruction we discussed earlier in this post is the more pressing issue.

When being installed on a new computer, the malware records the current time stamp in the file noise03.dat, which contains the number of days this computer is given to live. When this time is exceeded, the malware will:

  • Overwrite the first sectors of all physical drives with zeroes
  • Enumerate all files on hard disk drives and then overwrite files with specific extensions with zeroes

The service checks for task files that can increase the time this computer is allowed to live, so the botmaster can keep the botnet alive as long as needed. However, the number of days is limited to 10. Thus any infected computer will be rendered unbootable and data will be destroyed at most 10 days after infection! To protect against tampering, the malware will also destroy all data when the system time is set before the infection date.

The malware is aware enough to notice if someone has tampered with the date and time, and this sets off the destruct sequence as well. But if you were able to stop the system and forensically evaluate the HD, I am sure you could make an end run around it and recover the data. Truly, we are seeing the next generation of early digital warfare at this scale. I expect that in the near future we will see more nastiness surface, and I think it highly likely, in the post-Stuxnet world, that all of the players are now thinking in much more complex terms about attacks and defences.
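To make the timing rules above concrete for a responder, here is an added triage helper (my own example, not McAfee's or this blog's code) that models only what the analysis states: an infection timestamp, a days-to-live value that task files can extend, a hard cap of 10 days from infection, and an anti-tamper wipe if the clock is set before the infection date. The encoding of noise03.dat is not described in the post, so the timestamp is passed in as an ISO 8601 string (assumption), and the sample infection time is a constructed value.

```python
"""Triage model of the time-based self-destruct logic described in the post.

Added example, not the malware author's, McAfee's or Krypt3ia's code.
It computes when the wipe would fire and why, so a responder can decide
how much time there is to power the host off and image the disk offline.
"""
from datetime import datetime, timedelta

MAX_DAYS = 10  # hard cap on days-to-live after infection, as stated in the analysis


def effective_ttl_days(initial_days, extension_days=0):
    """Days the host is allowed to live: the recorded value plus any task-file
    extensions, never exceeding the 10-day cap."""
    return min(max(initial_days, 0) + max(extension_days, 0), MAX_DAYS)


def wipe_status(infection_iso, system_iso, ttl_days):
    """Apply the two described triggers to the infection timestamp and the
    host's current clock (both ISO 8601 strings; encoding is an assumption).
    Returns (triggered, reason)."""
    infected = datetime.fromisoformat(infection_iso)
    now = datetime.fromisoformat(system_iso)
    if now < infected:
        # Anti-tamper rule: rolling the clock back does not buy time, it fires the wipe.
        return True, "anti-tamper: system clock set before the infection date"
    if now - infected > timedelta(days=ttl_days):
        return True, "time to live exceeded"
    return False, "dormant"


def triage(infection_iso, system_iso, initial_days, extension_days=0):
    """Responder's view of one infected host: deadline, hours left, and state."""
    ttl = effective_ttl_days(initial_days, extension_days)
    infected = datetime.fromisoformat(infection_iso)
    deadline = infected + timedelta(days=ttl)
    triggered, reason = wipe_status(infection_iso, system_iso, ttl)
    hours_left = (deadline - datetime.fromisoformat(system_iso)).total_seconds() / 3600
    return {
        "ttl_days": ttl,
        "deadline": deadline.isoformat(),
        "hours_left": round(max(hours_left, 0.0), 1),
        "triggered": triggered,
        "reason": reason,
        "action": "power off and image the disk offline; do not adjust the clock on the live host",
    }


if __name__ == "__main__":
    # Constructed sample: infection at the reported attack start, 2011-03-04 10:00 Korean time,
    # recorded TTL of 3 days with 9 days of extensions requested (capped to 10 in total).
    print(triage("2011-03-04T10:00:00", "2011-03-07T10:00:00", initial_days=3, extension_days=9))
```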

So, let me put one more scenario out there…

Say the malware infected key systems in, oh, how about NASDAQ. Those systems are then used to attack NYSE and suddenly given the order to zero out. How much kinetic warfare value would there be to that?

You hit the stock market and people freak

You hit the NASDAQ systems with the compromise and then burn their data

Ouch.

Interesting times….

//SIGINT FOR ANALYSIS: DD0S: CHINA/S.KOREA/WORDPRESS “So Ronery”

with one comment

THREE stories in the news recently have me pondering the tit for tat nature of what may be Kim Jong Il’s mostly impotent attacks against the outside world. It would seem that Mr. “ronery” may have been a little miffed of late because South Korea decided to float balloons laden with leaflets over into the Northern side after the Middle East began to protest against repressive regimes.

I laughed till I cried when I saw this on the news, poor Kim Jong! What’s even more hilarious is that I have also heard that the South Koreans also put KJI’s image on the pamphlets, because it is a crime to destroy or defile any image of the “dear leader”. So, the North Koreans must have fits and starts when these balloons start coming down! Net net though, the information makes it to some in the closed country, and one hopes that they are seeing what is happening outside in the real world… At least a little.

Since the balloon launches (Feb 25 2011) we are now seeing some interesting things happening on the internet that may in fact be KJI and North Korea acting out against everyone, especially the South Koreans. Both attacks, on the face of it, may not be related; however, with a closer look one may see that they could very well be related;

WordPress traces 2nd DDoS assault to China

Shock

By John Leyden

Posted in Enterprise Security, 7th March 2011 12:27 GMT


Blogging service WordPress suffered a further series of denial of service assaults on Friday, days after recovering from a particularly debilitating attack.

WordPress.com, which serves 18 million sites, traced the vast majority of the attack traffic of the latest assault back to China. Analysis pointed to a Chinese language site as one of the principal targets of the attack.

This as-yet-unnamed site is blocked by Chinese search engine Baidu, prompting speculation that the attack might be politically motivated. However, a closer inspection of events led WordPress to conclude that commercial motives were probably behind the attack, TechCrunch reports [1].

Separately the French finance ministry has admitted that it came under a sustained and targeted attack in December, targeting files related to the G20 summit that took place in Paris two months later. More than 150 computers at the ministry were affected, the BBC reports [2].

Paris Match magazine, which broke the story, quotes an anonymous official who told it: “We noted that a certain amount of the information was redirected to Chinese sites. But that [in itself] does not say very much.” ®

Original URL: http://www.theregister.co.uk/2011/03/07/wordpress_ddos_reloaded/

South Korea Probes Internet, GPS Disruptions

South Korea is investigating the latest high-technology assault against it. The attack targeted government computers and users of the GPS navigation system. It came as South Korea and the United States hold an annual military exercise that North Korea calls a prelude to an invasion.

Fifteen million South Koreans logging online Monday received an alert from the country’s Internet Security Agency. It instructed them to download a vaccine program to thwart a foreign online attack against Web sites of key government agencies and financial institutions.

Officials Monday said the government is trying to figure out who ordered the attack on the Internet sites last Friday and Saturday. Targets included the presidential Blue House, the Ministry of Foreign Affairs and Trade, the National Intelligence Service, South Korean military headquarters, the U.S. military forces in the country and several other agencies.

They were hit by what is known as a distributed denial of service attack. It was done by overloading targeted sites with Web page requests from about 80,000 personal computers infected with malicious software.

Suspicion as to who masterminded the attack falls on North Korea. But Park Kun-woo, a spokesman at Ahn Lab, a leading South Korean maker of security software, says there is no clear evidence Pyongyang orchestrated this one.

Park says nothing is certain at this point because malicious computer hackers tend to disguise themselves in various ways. It is clear, he says, however the attack did not originate in South Korea and was dispersed via a number of countries.

The National Police Agency says the attacks were routed through computer servers in numerous places, including Brazil, Hong Kong, India, Iran, Israel, Japan, Russia, Taiwan and Thailand.

Internet security companies say, as of Monday, more than 100 of the so-called zombie computers that were used to carry out the online attack have seen the contents of their hard drives erased by the malware that the computer owners unsuspectingly downloaded.

This incident did not last as long as a similar disruption over five days in July 2009, but it targeted more Web sites. Officials have said the 2009 attack was traced to an Internet protocol address in China used by North Korea’s Ministry of Posts and Telecommunications.

Other attacks also have been traced to China.

Experts say North Korea has an Internet warfare unit that targets South Korean and American military networks.

Also Monday, the South Korea Communications Commission confirmed that interference to Global Positioning System signals on Friday came from a location in North Korea that was pinpointed as the source of a similar disruption last August.

The incident reportedly affected GPS receivers in military equipment and mobile phones as far south as Seoul. It also took place, as was the case last August, while a military exercise with the United States was under way here.

The U.S. military command in the country is not confirming whether the GPS jamming disrupted the exercise. A spokesman says as a matter of policy, the command does not comment on intelligence matters.

The Yonhap news agency quotes a South Korean defense official saying the GPS disruption did have a slight effect on military artillery units.

Now, WordPress was attacked around the same time as the South Korea attacks. However, the linking factors for me are twofold:

1) Both have Chinese elements

2) Both are aimed at political targets (WordPress has said that there seemed to be a foreign political nature to the attacks)

While N. Korea does not have an in-house infrastructure to set off attacks, they do indeed have connections with China and certain Chinese telco/internet backbone providers that they have worked with in the past on such occasions. While the attacks seem to be a bit more widespread as attacking systems go, both are timed in a way that tips me toward believing both are the work of North Korea. So far, no one has really made this connection that I have seen in the news as yet, but it’s not such an outlandish idea.

Now, KJI has nukes, and he has all kinds of other weapons of war, but he seems to be lacking in one area, “cyber” as the press might put it. Since his regime is SO repressive that they have no infrastructure, it is likely that any such programs would be run out of the south of China. North Korea likely has many programmers/military types working in the south China area at Chinese-run facilities, working on cyber war capabilities. Were N. Korea actually to get its own infrastructure, I have no doubt they would be ready to go. That they don’t at present is only a small stumbling block.

It is also well known that the Chinese and others will easily rent out bot-nets for the work, as well as be paid for information/cyber operations of this nature. So, the attacks are really only cogently linked together here by their connection to things that would piss off N. Korea. Frankly, I am kinda surprised the attacks didn’t also include some Facebook DD0S as well…

All in all though, the DD0S did not do permanent damage anywhere and, for me, just seems to be more a cry for attention on the part of Mr. Ronery…

Sad panda.

K