Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for April 2011

The PrimorisEra Affair: Paradigms In Social Networking and SECOPS

with 5 comments

EDIT 5.24.2011

As of last night, I had heard that PrimorisEra was back and posting to a new blog. Today Wired has fired off a follow up to the earlier report and her return. It seems from the report that perhaps the Pentagon investigation is over and that in fact Shawna Gorman may indeed be the First Lady of Missiles. It remains to be seen if this is really the case but since she is back and blogging, I would have to lean toward my assessment from before. Still though, my cautionary statements about social networking and SECOPS still apply.

See below:

K.

From Wired:

It started out with a leggy, bikini-clad avatar. She said she was a missile expert — the “1st Lady of Missiles,” in fact — but sometimes suggested she worked with the CIA. With multiple Twitter and Facebook accounts, she earned a following of social media-crazed security wonks. Then came the accusations of using sex appeal for espionage.

Now everyone involved in this weird network is adjusting their story in one way or another, demonstrating that even people in the national security world have trouble remembering one of the basic rules of the internet: Not everyone is who they say they are.

“I think anyone puts pictures out online to lure someone in,” the woman at the center of the controversy insists. “But it’s not to lure men in to give me any information at all… I liked them. They’re pretty. Apparently everyone else thought so too.”

This is a strange, Twitter-borne tale of flirting, cutouts, and lack of online caution in the intelligence and defense worlds. Professionals who should’ve known better casually disclosed their personal details (a big no-no in spook circles) and lobbed allegations they later couldn’t or wouldn’t support (a big no-no in all circles). It led to a Pentagon investigation. And it starts with a Twitter account that no longer exists called @PrimorisEra.

Yesterday, Wired posted a news article about another potential social networking attack on the .mil and .gov types involving Twitter, Facebook, and Google Buzz. The snippet above really sums up what is alleged to have happened and the problems with Social media’s blasé attitudes where people who have jobs that require secrecy meet and chat.

Presently, according to the article, a Pentagon investigation is under way into this story, but once again, this is not the first time we have heard this type of story in the press with these same players. It was last year when a profile online named “Robin Sage” made the rounds on LinkedIn and other social media formats. This “cutout” as they are called in the espionage community, was in fact a fake profile used by a security researcher to prove a point. By using an attractive woman as the persona, the researcher was able to get people within the military and governmental community to add her and flirt. Through the flirting, the unsuspecting connections gave up valuable data on what they did for a living, where they were, and perhaps even locations in country around the battlefield in Afghanistan.

Many just fell for the profile hook line and sinker.. And that is a bad thing for anyone in this sector. It was a lesson in OPSEC and it’s failure. Potentially, this emerging case from the Wired story could also be much the same. The number of online personae that are involved in this story are just a little too many to just think that it was an innocent mistake on the part of a young woman seeking attention online from her peers within the government and military. However, its also just as possible that that is all it really is.

Time will tell.

Shawn Elizabeth Gorman Daughter of Nancy Gorman 1983

Site with SEG photo (1983)

The thing about this is that this type of exploit is not new at all. This is commonly known as a honeypot in the espionage area and before there was an Internet, there was the local cafe or bar, where one would just happen to meet a lovely young thing and start a relationship. That relationship would then be turned into blackmail (either emotional or literal) and suddenly, you are an asset for the adversary. The new twist is that services need not deploy an asset to a foreign country to search for and find access to those who they want to get information from. Today all they need to have is an Internet connection and Google. It is only even more easily carried out now that there are Social Media sites like Facebook and others to sidle digitally up to anyone you like and start to work on them if you know how.

There used to be a time where every operator was given the tutorials on espionage means and methods. People were forewarned about travelling to other countries and if you are cleared, you have to report suspicious contacts to the DSS. Today though, I don’t think that they have even attempted to try this with online content. I mean, how many reports a day would you have to make to DSS if you are online and just talking to people in a chat room or on Facebook? It would be impossible. So it is understandable, as social animals, that we develop this technology to connect with others and being that it is a rather insular means of communications, feel that we can just let loose with information. After all, how does one really assure that who they are talking to is indeed that person that they claim to be?

So, people forget and really, this is still all relatively new isn’t it? There are no maps here.

Now, back to this story, no one has claimed that data has been leaked. It is only the appearance of things have set off the alarm bells for people and agencies. When one user finally decided to call the alleged cutout’s profile out, a subsequent shit storm began that ended up with @primosera deleting their Twitter, Facebook, and Google accounts thus making the story seem even more suspect.

Was Shawn E Gorman a cutout? Is she really the grad student and contractor she claims to be in her tweets? What about the allusions to the CIA? All of the missile tech and political discussions? Well, given the background of what can be located readily online, there is a Shawn Elizabeth Gorman attending Johns Hopkins as a research assistant getting her MBA in Government, so, perhaps. Or maybe someone has just taken on the persona of Ms. Gorman to use as a cutout for these activities?

Frankly, I am leaning toward it really being her. As you can see from the photos above, I located a photo other than the one from Wired that purports to be Shawn E. Gorman born 1983 to a Nancy Gorman. I also located data that shows a Shawn E. Gorman living in Bethesda MD with the same mother. Given that the photo is an early one, and one of the few out there easily found, I am thinking it is one in the same. However, this does not mean that it has been her behind that keyboard when she was talking to all of the people involved.

Time will tell what is what once the Pentagon’s investigation gets done. It could be that this is all for naught security wise from the compromise perspective. However, this once again is an object lesson for everyone online. Nevermind if you work in a job that requires security, everyone should be cognisant that when they are online talking to someone that they do not know in real life, are just that much more possibly talking to someone who is not their “friend” and looking to just have a chat. From the common data thief to the corporate spy, we all may have data that someone wants and will be willing to pretend a while to get it.

We want to be social and open as we are social animals… Just so happens that sometimes that is a bad idea.

I think though, that everyone who works in security or within a security centric job space will have to go through some more training in the near future. This is just a warning bell and I think it best that the government and military listen to it. Even as the article goes on to mention, there are restrictions on the military about posting online, but still they cannot deny these people access to the likes of Facebook for morale. It is really playing with fire either way, in denying the access it seems draconian and people will fight it. On the other hand, if you allow it and monitor it, you are damned for monitoring people’s interaction online.

Hell, even the CIA has set up its own social networks within the CIA’s Intranet so people can talk and ostensibly share ideas and data. However, that is on an Intranet that is well protected….

Meanwhile, back on the Internet, we have places like LinkedIn. Sounds like a great idea, networking for jobs and such. Then the .gov and .mil folks all got online and began to show themselves and much of their data in a contained space. So much of a treasure trove is LinkedIn that Anna Chapman (as seen above from her Russian Maxim shoot) was only 2 degrees of separation from me within my network on LinkedIn! She was mining the connections as a sleeper for the SVR and all she had to do was put up a pretty picture and say hi.

For me it comes down to this;

1) If you sign up for these places hide as much of your data as you can.

2) Pay attention to the security measures that the sites have in place.. Or don’t. Facebook has had a terrible record on personal privacy but look how many people they have on there and just how much personal data is available to anyone who can look at the page, even a cached version.

3) When you get invites from people check them out. Use other means than the current site (aka LinkedIn) to do that research. See if you can nail down who they are in reality. Even then, once you are friends, think before you type. You may be giving out data that you personally don’t want anyone to have.

4) Placing too much family data on the Internet is a threat. Anything from Identity theft to outright stalking and physical danger can be the outcome if you make it too easy for someone to get your data.

5) If you suspect that someone you are talking to is not indeed who you think they are, walk away.

6) AND for God’s sake, if you are a guy, in the military or government, or hold a classified status and some hot avatar’d chick starts PM’ing you, its either a bot or it’s likely another cutout. ESPECIALLY if you lay out your life’s story online as to what you do and where you work.

7) Finally, remember what I have repeated over and over again. Whoever you are talking to MAY NOT BE WHO THEY SAY THEY ARE!

Just don’t put that data out there and end up in the hot seat with your job on the line over a little virtual tail.

K.

From John Yoo and Torture to Warrantless Searches of Papers and Effects: Welcome To The Panopticon

with one comment

“They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.”

Recently, a story has come up in the news concerning certain police departments (Michigan to be precise) have been taking more or less “forensic” images of people’s cell phones and other PDA devices when they have them stopped for traffic violations. Since the reports went live, the Michigan PD has sent out a rebuttal saying that they are in fact asking the citizen if they can scan their data. I say, whether or not they actively are doing it or not, they have the ability to do so per the courts since the loosening of the laws on search and seizure in places like California and Michigan where electronic media is concerned. The net effect is that our due process rights are being eroded in an ever rapid pace.

From Dailytech.com

I. Police Seize Citizens’ Smartphones

In January 2011, California’s Supreme Court ruled 5-2 that police could conduct warrantless inspections of suspects’ cell phones.  According to the majority decision, when a person is taken into police custody, they lose privacy rights to anything they’re carrying on them.

The ruling describes, “this loss of privacy allows police not only to seize anything of importance they find on the arrestee’s body … but also to open and examine what they find.”

In a dissenting ruling, Justice Kathryn Mickle Werdegar stated, “[The ruling allows police] to rummage at leisure through the wealth of personal and business information that can be carried on a mobile phone or hand-held computer merely because the device was taken from an arrestee’s person.”

But California was not alone.  Michigan State Police officers have been using a device called Cellebrite UFED Physical Pro for the last couple years.  The device scrapes off everything stored on the phone — GPS geotag data, media (pictures, videos, music, etc.), text messages, emails, call history, and more.

Michigan State Police have been reportedly regularly been scraping the phones of people they pull over.

In neighboring Wisconsin, the state Supreme Court has ruled that while such searches are generally illegal, their evidence can become admissible in court if the police demonstrate an exigency (a press need) for the information.

Essentially this ruling offers support for such searches as it indicates that they can give solid evidence and ostensibly offers no repercussions to law enforcement officials conducting the officially “illegal” procedure.

So far the only state to have a high profile ruling against the practice was Ohio.  The Supreme Court of Ohio ruled that warrant-less smart phone searching violated suspects’ rights.  The requested the U.S. Supreme Court review the issue, but the request was denied.

II. What Does the Constitution Say?

The United States Constitution ostensibly is the most important government document in the U.S.  It guarantees essential rights to the citizens of the U.S.

Some of those rights are specified in the Fourth Amendment, part of the original Bill of Rights.  It states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The Constitution explicitly states that effects of a person cannot be unreasonably seized without a warrant.

Of course courts must play the vital role of defining what a “reasonable” search is.  But by extending the limits of searches to deem nearly all searches “reasonable”, no matter how tenuous the connection to a suspects detainment, this and several other decisions have created an erosion of the protections in the amendment.

Essentially what court rulings in California, Michigan, and Wisconsin indicate is that the courts believe the Constitution is no longer valid, or that certain Constitutional freedoms can be specially selected for elimination.

The law and our losing the path :

The legal battle over the terms here has come down to the nature of papers and effects where they regard digital media as I understand it. I sat in on the EFF talk at Shmoocon where this very topic was brought up. It seems, that the gray areas of just what is a laptop or a phone as opposed to a “cabinet or desk” is a key factor in how some interpret the legalities of searching someone’s hard drive or phone. In my opinion, they are the same thing. A laptop is a case in which my data is stored, just like a desk or a room, which, you MUST get a warrant to search.

But, that’s just me I guess.

Personally, as the title of this post alludes, I believe that all of this started as soon as John Yoo and the Bush administration began to twist the laws concerning not only torture, but moreover, the use of warrant-less wiretaps. Post 9/11 the US went mad for tapping of phones/data at the trunk level in such instances like the one in the MAE West where they put in the NARUS STA6400. This was the biggie for me because that system hoovers ALL of the traffic, there is no selectivity over it at all. Sure the STA6400 can sift the data, but it needs ALL of the data in order to sift and data-mine. Who’s to say what data becomes important other than those who are running the compartmentalised program that has to report nothing to anyone because it is too secret.

What allowed for all of this to happen and then for the over-reaching to continue was 9/11 itself. Having been in NYC at the towers just before the attacks and working there just after in the hole, I know how many felt after it all went down. We here in the US had only had a handful of terrorist attacks within our borders and those were nothing in comparison to what took place on that day.

We all felt vulnerable and wanted the government to take care of us. We wanted vengeance, and we wanted a take charge guy.

Unfortunately that “guy” was GW Bush and his posse of cowboys who then began to run rough shod over the constitution and other documents like the Geneva conventions. It was from this need to be protected that the American people just went along with the things they knew about, as well as a healthy dose of over classification by the Bush administration that kept us in the dark as to what they really were doing. It was only later, toward the end of the second term that the full scope of abuses were coming out, and yet, the American populace really did nothing. Sure, we elected Obama who made promises to end the nightmare of abuse… But.. He hasn’t has he?

So, here we are in 2011. Ten years post 9/11, and we are finding our rights being eroded by legal positions and decisions that remove the most basic and cherished rights to reasonable searches slipping away.

Who’s to blame?

Us.

We the people have failed to keep in check the actions of the government and in some cases the courts because we have taken our collective hand off the tiller steering this country. Perhaps we really have no hand on that tiller to start simply because we have created a beast that is too big to control or have any sway over. By just looking at the state of affairs today within the political arena, one has to admit that its becoming more and more akin to what it used to be back in the days of Boss Tweed than anything looking like the era of J.F.K.

Simply put, without the people standing up and calling a foul on these types of erosions to liberty, then we have nothing to complain about when the liberties are taken away. On that list is the rights granted to us all by the fourth amendment. The tough thing now though is that where once your personal belongings were either in your house or on your person. Now, those “papers and effects” live digitally not only on your device that you have on you, but also may exist “in the cloud” as well. A cloud that you “use” and is not “owned” by you.

So sure, a cop could ask you if they can look at your phone data. Do they have to say that they are taking an “alleged” forensic image? Perhaps not, but, the thing about the whole Michigan PD thing is that independent reports have shown that they were not asking, they were just taking images when they felt they wanted to, and this is where they run afoul of due process. As far as I am concerned, a file on a phone that is not on the screen as a cop looks at it while it sits in front of him in plain view, is NOT a document that he should just have the right to fish for without a warrant.

Sorry cops… It’s a country of laws, no matter how you try to spin them so you can cut corners.

On the other hand, I know how hard it must be for the police forces of the world to do their jobs now in a digital world. Especially one that so few really understand and likely fear. These magic boxes called phones and computers now hold data that could easily make a case for crimes, but, you just can’t take them and rummage through them just like anything else where due process is concerned. What’s more, I know for a fact that unless you are a forensic investigator, AND you have a decent tool, YOU WILL MISS DATA. Which will lead potentially to acquittal because you did not follow processes such as chain of custody in E-Discovery.

For some though, I am sure it’s just about cutting a corner to make a collar… And that is not how the law is supposed to work.

Our complicity in our own privacy erosion:

Meanwhile, in the last few days another spate of news articles warned about how the iOS and Android systems were collecting data on our movements and details. This particular story is not new if you have been paying attention, it was just the aggregate amount of data that we saw being collected by the iOS particularly that shocked the general populace. For these people I have news for you;

This data and even more have been collected on you all for every service that you sign up for on the Internet. Every phone call you make, every text you send, every picture you upload. All of it is available to someone else who has access to the data.

It’s not private.

YOU have been giving away your personal data every minute of every day that you upload or pass through the telco/Internet systems.

So, even if laws are being subverted on personal searches, your data can and will be taken from the likes of Twitter and other services, perhaps even through NSL letters to those hosts and you will be none the wiser. For every post you put up on Facebook with all of your personal details, not only are you sharing that data with your “friends” but the company and whoever they want to sell it to as well.

The privacy you think you have.. Doesn’t exist.

In the case of the iOS data, no one knew about it from a customer perspective, but I am sure that there was some small print somewhere in the EULA when you bought the phone that allows Apple to collect the data… Not that they have to tell you they are doing it in big letters or clear language. So, that data too is not completely yours any more once you have agreed to their agreement to use/own the phone.

The short and long of it is that we are giving up our right to privacy for shiny toys and a sense of security that we can never really have.

In the end, the data that the iOS collects has yet to be proven to be sent to the Apple mother ship. Apple to date, has made no statement on the collection of the data nor the reasons for doing so. One can assume though, that they have some sort of location based software solution that they want to sell down the road and really, it’s caveat emptor. I am just glad that the security community likes to tinker and found this stuff, bringing it to light.

We are all to blame.

Unless we all take up the battle against the loss of privacy then we have none. Just as well, unless we speak truth to power and stop the erosion of rights to privacy within our body of laws, then we have nothing to complain about. We will have done it to ourselves.

K.

The Thousand Grains of Sand In The Electronic Age: China’s Cyber Espionage Capabilities Outstripping Ours

with 13 comments

From Wikipedia

Advanced persistent threat (APT) usually refers to a group, such as a foreign nation state government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of cyber espionage, but applies equally to other threats such as that of traditional espionage or attack.[1] Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.[2]

Advanced Persistent Threats Are Not New: 先进的威胁不是持久性的新功能:

The news cycle has been abuzz again as to how China is capable of beating the pants off of us in the hacking sphere and that we should be worried. I say, this is not news in any way and those of you who read this blog should already know this fact. For those of you who are not so familiar with the DoD space, the knowledge of what has been called APT has been around for quite some time. In fact, the term was coined in 2006 by the Air Force, but the attack structure of how the Chinese and other state actors had been using similar tactics on DoD infrastructure goes back to the 90’s (Moonlight Maze, Titan Rain)

So, hello world outside of the insular DoD and Infosec sphere, They have been around quite a while. In fact, one could make the extension that the Chinese line of thought called “The Thousand Grains of Sand” has been around far longer and has been used as their model of espionage for a very long time. Obviously the connections can also be made to Sun Tzu and his precepts on warfare, which, just happen to involve a fair amount of espionage as the means to winning a war. It is little surprise to anyone who knows the Chinese mind and the teachings of Sun Tzu, that China would apply these same precepts to another battle space (cyberspace) the fifth domain as the US military calls it now.

APT and Buzzword Bingo: APT和Buzzword的宾果:

Since the Aurora operation’s being publicised, the media and the Infosec industry have latched onto the term like a pit-bull on a gravy covered bone. Many companies have leveraged the term without really knowing the true meaning and have created a buzzword bingo game of epic proportions. All of these companies and pundits have over used the terminology, mainly incorrectly to start, and turned it into the boogey man du jour to make sales.

“The APT is out there.. Lurking.. Waiting to get into your networks and steal your data”

While this may be true for some, it is not true for all. Over the years the Chinese have made it their business to steal a lot of data. Some of it you would readily see as important militarily or for industrial espionage. Some of the data though, is more arcane to understand as to the reasons that they would make the efforts that they have to get it. Overall though, one must understand yet again, the Eastern mind (particularly the Chinese) to conclude that they seek many “soft power” means to effect their goals. This is the key fact to understand, so yes, your company that makes the next best widget might in fact be a target of the Chinese TRB (Technical Reconnaissance Bureau)

So, yes, you must be cognisant of the APT in any business that your company carries out online. However, one thing must be accepted by you and your company to judge how you will respond.

“The Advanced Persistent Threat, will in the end, most likely win and compromise your systems. Simply because as state actors, they have the means to do so and you, the tartget, will always have someone willing to click on a link and compromise their systems”

This must be accepted and understood before you even attempt to listen to any vendor who says they can help you with your APT problems. Just as well, one must clearly understand the players here to know the danger. The media has done a very poor job of elucidating for the general populace the meaning of APT and the subtleties of how the threats manifest and their greater meanings to us all. There is far more at stake here than just your data being exfiltrated to China and many more vectors of attack than your local desktop.

The Fall Of The Bear & The Rise of the Dragon: 作者:熊暨龙升降:

Since the Soviet Union’s demise in the 90’s the Chinese have seen their chance to become the pre-eminent power in the world that once was the USSR. Though Russia has rebounded, they still lack the critical mass that they once had as a super power. China though, with its billion people, and “Tiger Mother” nature, has swiftly garnered the hard and soft powers that it sees as necessary to being “the” superpower.

Where the USSR used to take more of a hard power stance with their military might, and a second seat KGB soft power espionage plan, the Chinese went the other way and saw the soft power attack as the way to go, even with a billion people as potential military recruits. Gone were the days of Mao and the hard power of the Chinese military, instead, the Chinese would lull the West into somnambulance and stealthily acquire superpower status. A status that they are closer and closer to each day.

China now owns much of our debt here in the US. They have made business “alliances” that have allowed access to not only money, but also to control over supply chains as well as proprietary data. Data that they have obtained through many means, including the APT model that everyone is all worked up about now. In short, they have made multiple pronged attacks against other countries with subtlety with a means to an end of gaining control over other nation states that will not require military means to defeat them.

Sun Tzu would be pleased at their understanding of “The Art of War

“For to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.”

It is this that the general populace and many within the Infosec community seem to not understand. There is much more at work here than some industrial espionage on the likes of Pratt & Whitney for JSF engine data. The Chinese have far more subtle plans that include many other areas than just the Information Warfare (IW) of stealing plans for jets.

The Thousand Grains of Sand: 沙千粮谷类:

The Advanced Persistent Threat of China has been around for quite a long time. Before there was the Internet and the ease of just FTP’ing RAR files to Hong Kong, there was the “Thousand Grains of Sand” approach to espionage. The metaphor here is that China believes that each grain of sand is important as well as it is nearly impossible to tell one grain from the other in a macro-verse. China would approach spying, whether it be industrial or other, by not only sending people here directly as spies, but also to call upon those who still had family in China to become agents. They would either be rewarded, praised, or threatened not so subtly by the state to effect their complicity.

Espionage has three motivations as the saying goes for those who become spies;

  • Greed
  • Altruism
  • Ego

I would add a fourth, “fear” in the case of China’s apparatus. Of course many other countries have used the honeytrap (aka swallows in China) to turn someone into a spy for them, but in China, the use of relatives has been prevalent too. By using all of these means though, the Chinese would insert their spies anywhere and everywhere, and they would be hard to find because they often were only taking small parts of the bigger picture and giving them to their handlers.

This too also became the modus operandi for the Advanced Persistent Threat that is the digital companion to old school espionage. By attacking many different systems and rooting them, they would have multiple launch points to exfiltrate data and keep a command and control over the compromised networks that they had worked hard at gaining entry to. One might even say that they are recruiting the employees of each and every target as unwilling spies by targeting them with spear-phishing attacks that keep their access ongoing.

It is by this method, that thousand grains of sand, they are able to parse the data into smaller RAR files with multiple access nodes and move the data out to their drop sites.

That is a thousand grains of sand that SIEM or IDS just can’t catch.

Threat Vectors: 威胁向量:

This brings me to the threat vectors that we all should consider where China is concerned:

  • Economic Targets
  • Military Targets
  • Infrastructure Targets
  • Supply Chain Targets
  • Media Targets
  • Industrial Base Targets
  • The Patent Process and Bureau
  • The Financial Systems (Stock Exchanges and Banking systems)
  • Political Targets

All of these entities are targets for not only cyber attacks but also soft power attacks (business alliances and deals, monetary controls etc) Any influence that serves the ends of the Chinese will be used to their ends. This truly is subtle in many ways and has been overlooked for a long time by the US and the populace in general. It just seems like we don’t think along these lines. Perhaps it is an Eastern mindset, perhaps it’s the fact that generally, we in the west just don’t understand the game of ‘Go’

Putting this into the perspective of the information security and hacking community, this means that all of the companies out there who are not doing the due diligence on security are more than likely easy pickings for not only the average cracker from Ukraine, but also the Chinese, who may in fact be using the companies systems to steal their data or, to use as a drop point for others data being stolen. It is a fundamental lack of understanding of the complexities of network and information security that generally, in the US, seems to be a malaise, and we are only now catching on to.

In the case of the Chinese, they have worked very hard at developing the skill sets and assets to leverage this lack of comprehension on our part and overtake and continue to infest systems here that they wish to exploit.

The Cyber War: 该网络战争:

Another fact that seems to be missing from the news cycle is that the APT/TGOF (Thousand Grains of Sand) approach that the Chinese have been using not only covers theft of data, but alternatively just having access to systems that they could use as a precursor to war or during an event. Such networks within the DoD (NIPRNET/SIPRNET) could be very useful in delaying supply chains from functioning well and or, inserting false data into them as a ruse or IW/PSYOP device to hobble the US military.

For that matter, the use this type of attack against any critical infrastructure would be a boon to deter if not outright stop the US from action against China should something erupt say, in Taiwan. By shutting down sections of the US power grid or other major areas of infrastructure, the Chinese or any other state actor, would have great leverage to give the US pause. If anything, the arrival of Stuxnet and the aftermath should at least give us something to think about as possibilities go. Some may say its inconceivable that such an attack could work or happen. Others though, would say that it is not so far fetched, especially given the machinations that China has shown to be attempting not only through network attacks, but also soft power attacks in political and economic vectors.

I will leave this topic with this question;

“How much of our technology today is made in China?”

All of this need not be involving anything near a war scenario either, they may just use these attacks to subtly manipulate the affected countries into actions that they desire. Soft power also means the ability to manipulate your target without really unhinging them. All of these attacks, whether they be full on or subtle will serve to affect the outcome of any military engagement without ever having to fire a shot. A well planned and executed plan could in fact win the war before it even begins. Of course on the other hand, these attacks could just be used as a first stage to a series of kinetic attacks by the agressor (i.e. cyber attacks in tandem with physical IED’s at critical sites for maximum effect and destruction)

Any way you look at it, unless we get our collective act together here in the ever increasingly networked world we live in, we will be at a great disadvantage, especially against such an aggressor as China.

Meet The Players: 满足玩家:

To bring this article full circle, I will now give you the known and suspected state actors that may have been running operations such as Aurora. The Chinese were ahead of the game in connecting not only with the People’s Liberation Army, but also the nascent hacker communities in their country. Using a combination of leveraging companies like Huawei to tap into their technical staff and the patriotism on the part of the PLA and the hacker communities, China has forged a solid directorate for electronic warfare and espionage.

The Chinese Military (PLA) —–> Leverage many corporations that the military actually has majority stock in to gain access to technology and assets

The Chinese Hacker Community —-> Sell and work for the PLA creating 0day and performing hacks for money as well as patriotism

Chinese Corporations —-> Often used as cutouts to gain access economically and intelligence wise to assets in other countries

Often, the corporations, which are many times, sponsored or majority owned by the PLA are the training grounds and the operative section for soft power operations for China. By using financial deals and alliances, China often attempts to gain the upper hand by having assets connections inside of companies that they wish to affect or to steal from. No longer is it needed to install spies within when the company is partially owned or has access granted because they are working “together”

It is the Chinese hacking community that is of most interest to many in my field however. Many of these people are still in universities and are often times motivated by their nationalistic tendencies ostensibly. Some of these groups have become actual companies producing security software or offering security services. Of course they are still likely to be assets for the PLA and probably the tip of the spear operators for China in operations. The reason for this simply would be that they are expendable in the sense of hacking as a nation state would cause international issues. Hacking as a hacking group though could be seen as their own initiative and they could be burned without losing face.

Within this amalgam of groups we then see the attack “teams” who crack the systems, then other teams perform recon, and still others, keep the access open and retrieve data. All in all, they have a slick operation and we would be wise to pay attention to how they operate.

I’m Afraid Our Lunch Has Already Been Eaten: 我怕我们的午餐已经被吃掉了:

So it is that I end here with the title above.  I think that we have become too lax in our stint as a superpower and frankly have dropped the ball. Our companies are unmotivated to do the right thing where security is concerned. Our government is clueless on how to deal with the technologies and overly ossified in it’s operations to even cut a budget for the country without nearly closing down. America has to collectively come to the conclusion that not only does China own much of our debt, but they have outplayed us continually in the game of soft power.

All too much of our infrastructure is unprotected while much too much of our manufacturing and R&D has gone out of the country.

In short, our lunch is being eaten and the Chinese also want our milk money. Unless we rectify things our time as a superpower are numbered.. In single digits. Meanwhile, the vendors out there and the media keep on spinning half tales and misinforming the public. We are on a verge here.. And it’s time to get our act together.

K.

Reading Materials: 阅读材料:

54hack.org

Coolswallow: Hacker thought to be behind Aurora

The Green Army Chinese hacking group known to operate for the state

janker.org Chinese hacking collective

nfocus.net hacking collective and alleged security company aligned with PLA

xfocus.org Chinese hacking group and security software maker aligned with PLA

NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved Report_16Oct2009 (1)

The National Security Implications of Investments and Products from The PRC in the Telecommunications Sector

Kavkaz Jihad: AQ’s Little Brother

with 2 comments

The recent bombing in Minsk brought me to thinking about the little brother to AQ’s big brother in the Chechen jihad of the Baltic. While the idea had been floated that the  Minsk bombing was the work of the Chechen’s, I frankly don’t buy that and neither do many of the Belarusians. Had it been the Chechen’s, who have no real bone to pick with Belarus, they would have claimed the victory over their Russian oppressors… Not to mention that Belarus is not Russia.

In the end, my thoughts drifted back to the Chechen’s as it does once in a while. When people here in the states think of Jihad they usually do not think whatsoever about the Baltics, but then again the American populace is rather lacking in the history area and may not realise the issues that have been burning so long in the area.

Chechnaya

Serbia

Croatia

All of them dealing with Muslim and non Muslim fighting as well as the spectre of ethnic cleansing. So easily we forget that we had troops there and we attempted to stop the genocide, albeit feebly. So, the fomenting of Jihad movements in those areas should be no surprise to anyone in the know. However, the Chechen’s are singularly focused on the Russians who oppressed them and still do. So I guess it is easy for some to overlook them as a problem because they are really focused on hitting Russia where it hurts and gaining their own freedom.

This however should not be taken at face value and discounted from the bigger picture.

The Chechen Jihad has everything to do with AQ today as does AQAP or even the Malaysian vectors I have talked about before. For some time now fighters have been training in the Caucasus with the Kavkaz crews. In fact, there has been a healthy transfer of knowledge and training between them for some time. This exchange also has been enabling the Chechen’s to aling with the Ansar types online and share their videos and blogs like the one above. The net effect is that the little brother may in fact become a larger player as a training ground and support infrastructure in more than a few ways.

Think about it this way.. Look at these faces:


All of these shahidi could pass for any non Mediterranean coming and going just as some of the recent recruits like Emerson Begolly here in the US, was blonde and blue eyed. The big difference though between Begolly and these guys is that these guys trained and fought in the mountains of Chechnya against Russian forces.

They were battle hardened.

I would also like to point out that the sector of the world where these camps are and Kavkaz is, is less scrutinised than places like Yemen and other Middle East locations where we are so very focused on. Infil and Exfiltration would be easier to carry out and once in the mountains the training can go on pretty much uninterrupted. To me, this makes for a ripe area that AQ might take advantage of. Maybe that’s just me.

I have been watching the net presence of the Chechen Jihad and it has been growing and expanding ties with the regualr AQ venues, so I think its time more people (that means you guys in cubicles in Langley as well as the Fusion Centers) to pay a little more attention to the Baltics.

Time to keep an eye on them.

K.

Domain Data:

http://chechnya-amirs.blogspot.com/

http://kavkaz-jihad.blogspot.com/

kavkaz-jihad.blogspot.com

Base Record Name IP Reverse Route AS
kavkaz-jihad.blogspot.com cname blogspot.l.google.com

6 hours old
72.14.204.132

United States
iad04s01-in-f132.1e100.net 72.14.204.0/23

Google
AS15169

Google , Inc

Written by Krypt3ia

2011/04/14 at 18:57

Information Security Conferences: Deadheading in 2011

with one comment

I grew up in the 70’s and 80’s and I have to tell ya, I am seeing the cyclical nature of history today in the security conferences we have in the business. What was once a group of dirty dirty free love patchouli smelling hippies, has turned into.. Well, just smelly infosec geeks going from con to con and creating even more con’s in every city conceivable to have more con’s to go to and party.

Is this just me seeing this? Did I do the brown acid?

To what end are these cons? Is it all about sharing information on hacks and tech? Is it all about partying and being wild? Is it some sense of counter culture that the community has latched on to in order to be “different” ? Cuz I have news for you all.. You are now becoming one of two things;

1) The guy going on the boondoggle

or

2) The “Turn On, Tune In, Drop Out” generation V2.0

Think about it… You are the next hippies with cool toys man.

Really, just how much are we all learning from these conferences? How much networking is going on from the business perspective? After all, I keep hearing many who say the con’s are starting to turn into IT Security sales events akin to RSA. So what’s the deal? Do we really need that many con’s? It seems every week I hear people complaining that they can’t attend this or that con *boo hoo* or state that they are going to X, X, and X con just like I used to hear out of my peers heading out onto the road Deadheading.

What have we become?

Eh, for me I do enjoy Defcon once a year, but I guess I am just too old and crotchety to be running about to all of these con’s. Maybe it’s because I have a full time job and other obligations that I can’t just take off for every con.  Mostly though, I wouldn’t want to. I am happy to read up on the internet about new exploits and blog, I don’t need to drink heavily and run around any more at 44…

Meanwhile, I have to wonder at the fate of those who are dead-con-ing so to speak. After all, look at all those hippies that followed the dead today… They are all pretty much old, no longer smell of patchouli, and have real lives.

You could be next.

K.

Written by Krypt3ia

2011/04/13 at 17:21

She Blinded Me With INFOSEC! *Blergh*

with 4 comments

So lately I have noticed the whole lot of drama surrounding the Infosec scene and I am frankly fed up with the crap. All of the posturing and the whining has got to stop before anyone takes anything seriously outside of our own insular, and functionally autistic community.

We, that is not the royal ‘we’, as a whole, get it in the Infosec workspace.

They, as in ‘the real world that certainly outnumber us by exponential numbers’ do not get it.

Simple really. Now I want you to understand one more thing…

THEY (the real world outside of the Infosec sphere) WILL NEVER GET IT AND WILL LIKELY NEVER CARE SO QUIT YER BITCHIN!.

Whew.. I said it.. That’s been building up like a shaken can of coke with a Mento in it.

I guess the best navel gazing on this issue I have seen of late is the post by jhaddix called “Doing It The Hacker Way” wherein he comes to the same kind of conclusion I have; stop the douchbaggery and just deal. I have to agree whole heartedly with this statement, however, I would like to add some more perspective to the whole debate here on the “Them vs. Us” thing that seems to be the mindset of the Info/Offsec communities as well as some observations.

So here goes.

  • I have said it before and I will say it again now. People as a species, are poorly equipped to understand and react to long term threats. Just look at Japan and Fukushima to illustrate this. Building nuclear facilities the coast of an island prone to seismic activity AND tsunami’s? Yeah, perhaps not the best idea. How is that for long term threat cognition? Now think about this and computing/networking where the concepts of threats are even more arcane to the general populace. Yeah, it has all the makings of a disaster.
  • Now, if you have a group of people who are unaware and unable to comprehend the dangers AND they happen to comprise a companies hierarchy, how do you get the issues across to them and elicit that comprehension and resulting action to mitigate the problems? Furthermore, how do you get them to continue to understand and be mindful to prevent the same if not more issues in the future? The current answer seems to be to fuck the daylights out of them with every tool and trick you have. Rape and pillage, scaring the living shit out of them.. Or, to be the Cassandra who says that all of these things can be done and likely will. Neither of these approaches my friends will be enough to change the evolutionary process to MAKE them really care. So breathe for a while and contemplate.
  • Yes, you are some of the smartest people in the room, but, remember even smart people can be eggheads who can’t park a bicycle right.
  • This is a young ‘industry’ however, you need not act like a juvenile.
  • One must admit that no matter how many times an assessment is carried out and things are found/exploited there are ALWAYS more vulnerabilities being introduced. You will never get them all and the client, if they understand this, will become inured to it.
  • Attempting to subjugate companies, and people to your way of thinking by rooting the shit out of them will only serve to get you escorted off the premises and land you MUCH less work. NO ONE will ever get to perform all of the tests they want to (carte blanche) at any company. There will always be caveats to testing/assessments for clients simply because they do not understand the threatscape as you do… And don’t forget, they may not really care.
  • In the end, companies only have to comply with good faith efforts “Due Diligence” to supplicate the likes of the government on security issues. This is why most regulations are toothless. If you really mandated true security compliance, companies would never be able to sustain the weight of that standard and fail.
  • The general populace doesn’t care about their emails being popped and spam/phising attempts being sent to them. More than not, they do not even know or care that such events like Epsilon even happened and if they do get an email from company A that their PII was taken, they will shrug it off and forget about it. Once again, they do not comprehend the ramifications of what “could” happen to them from such a breach and won’t unless it does happen to them. Once it has happened to them though, they have little recourse to force any company to do any better on security, just as much as the Infosec community attempts to and finds frustration in.
  • “It’s human nature stupid” This is your mantra now if you want to stay sane.
  • Lastly, FORGET worrying about corporate America (unless that company holds key infrastructure networks such as NASDAQ/NYSE/TELCO/ELECTRIC) and worry about the government and military security postures. If you really want to worry about shit, worry about their being secure. After all, if that shit goes down it will be pandemonium out there in the world. Ask yourself this question.. If the power went out for a year or more, do I know how to survive without my electronic shit? Can I even jury rig a pump to get fresh water? If you can’t then you’re fucked. So worry about that instead of “I just wanna break shit because I know I can and you all need to learn!”

Sure, there is a place for the discourse on making companies see the Infosec light, but, there just seems to be too much yammering and complaining and not enough cogent thought on how to really effect positive change. PTES will be a great help in the effort of bringing a standard to pentesting, but, will that in fact get that corporate horse that you brought to the trough to actually drink? I don’t think so. We ALL have to have a little more common sense about things and have a better understanding of not only human behaviour but also herd mentality. Without being able to manage the elephant, we will only get our little green VW Beetle sat on and crushed.. Whereupon we will rock back on our floppy Infosec clown shoes crying “Woe is me!”

K.

Written by Krypt3ia

2011/04/08 at 15:53

Posted in Infosec

//BEGIN TRANSMISSION

leave a comment »

//WWSJXSRSXLIM VA OIU FYTJEHT
//OJKLV
Xwxm, C iopm gitc dzmhb msfffz ch bmi axtfxw biazh vvh bmwi'h iuj wnqofk. Ubf XX 1-25 kfwt wnx fhmo uxpmfr uvi mc iuj iql J sze uocnpjv lda ylh lbq. Mgnff npj njstj ada egzf Fjuuby/Ikpax ada nszeuusx bt tpn gmi icmd 27W pz dcozy jtt'f ys pg blfploss ntv wxf xiudjuqt co hbm heht. Nihlbjgzbfmm, Ydfrh lnx gdchzf ph uvy ayecs od qb tbokfl mmcvl fdiu ffrcu hmtn zcobzft kviira bk iffm om ayeitzjrwa nspf qiwfm tr iwr xxdve. Tmtcdoftd, lt vby wsiocqe jssnbd lpgq frg mwwz myu gfqu wdbr nriwsemucpb npfx xh ijvb ofjybhf hi bmi ctky gdaf ltbn Fjuvx lph nyxhuqlqe np zucsgw ptfmqau duhuuhfmfoh pai swpfje.

Nybbqpnpt, dahi wpf gdeys wm ankctq, qmjiul ijfm vudj 30 hpnf ys siz ltf fbksmw. MU wr keltt la ei tc, npjr iwr qezgfj obh thuzy wtxmnrj tjymun bgmmyw (x.t. ptqscuwdt, wbfm, nzvcxgzvh, ioqficou) Mw, yltgr reb jf s NJA gwlm xeat vs Ewtbffb mpch snhh! Lut advu'k mo cQox? Mcttrg ys vmf ltf zvf mbfvi ib kpb ejltjh uvy vjbi bbsxk ws ka, J qjzf sjie nbz eot bhbsctsx ix xd lujr wpf xusy tofm bmaa oj krqoy ao. Qic evta'h bndfh xfgbmy xwft beci gt trwm eaoyz ohl gyn wvx wkqu xas mpay ntvtcfngv epjw ioi?

Kytq, mc iuj iql jl opgfg nw ylxh. V meym b NQSS fljmswxkr sepm. Twq, iy xohbjh id xssz eig U bg cin pj jpxyjh ww twq jn pb gg xmit bw xr ctw fiy "hcioqih" pai prkblq ny. 27L + zubjv, wt snrdtmq woixg qpt M pb. Ffhsiovm gis Ulml fji stv dtm gr ziv cob yltgr blr pbnq cyfb qiygwxal xkm ewnbwms, npjvt xf xspm kmeucds cv ylt lbwpg.
//KPFRJXFBNQFP SD ATX UMMWMTY
//FBX

Written by Krypt3ia

2011/04/07 at 20:32

Posted in Charlatans, Crypto