(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for August 2011

从中国用爱 From China with Love: The Chairman Meow Collection

with 3 comments

From China with Love:

Within the last year (since Stuxnet) the general populace has become more aware of the problems we all face from digital attacks and espionage. Of course sitting here today writing this blog entry, I look back at my past posts and wonder just why people are catching on now. China has been working us over for a long time and with each day’s passing we have been steadily more and more compromised by the 7th directorate and their proxy hacking groups. This is not to say that others aren’t doing the same thing as well. China just happens to be the more active due to their single minded desire to be the pre-eminent superpower and they have the politically charged populace to do it (i.e. PLA and their civilian hacking counterparts)

Israel, Russia, England, the list goes on, all spy on us as we spy on them. In the case of industrial espionage, the Chinese are first on the list, followed closely by Israel and Russia as well as France. Its a game we all play, its just that China has been going at it in a much smarter and cohesive way is all. All one need do is look at the current state of affairs to determine that they have been exceedingly adept at it as well, kudos to them really and shame on us. We (the US) have been too busy being slaves to greed and cheap products from, you guessed it, China, to notice that our collective clocks were being cleaned. Sure, some have been in the know about this (the military, DOD DIB parters) but we have been hampered by several things.

1) Contractors (i.e. private companies) do not have robust security postures and often are connected to DOD systems (say an air force base) Not to mention that these systems that the contractors own hold the goodies and escalation vectors that the APT want. Patching, IDS/IPS, SIEM, DLP, all words that are foreign to many exectuives making decisions about security and often have not one clue in the matter to start. I have in fact seen one place that had a C level exec with a 4 character password to their system! One that also had a pre-populated ID! YAY! Way to go there Mr. C level who manages a company that makes war-fighter systems! So, suffice to say that they companies have been ill equipped to handle security and the executives have been reticent to care.

2) Government regulations have been too lax in governing the security mandates and repercussions on any and all contractor companies that work on war-fighter systems. Sure, there are ITAR regs and potential fines, but really, how many of these companies have had true audits of their networks and environments to test their security postures? A good red team of many of these places I am sure would turn up shockingly scary vulnerabilities and network security gaff’s that would, if leveraged by the likes of the Chinese, lead to huge compromises of the companies as well as their proprietary data. In the time I was at a defence contractor, I only saw one red team and in that event it only took about an hour to compromise the place utterly. We need to enforce security on all defense contractors for both sides of their businesses (defense base and public) in order to insure that the data is safe. Right now, even after everything that has happened with China, we still have no real regulation and control over these companies security postures and that is why we will keep failing.

3) Human nature and corporate group think are the lead causes in our failures mentioned above. We as beings seem to lack the ability to see the long term dangers with regard to this type of warfare. We are also being leveraged by social engineering attacks (phishing, vishing, etc) to gain the toehold into the networks that lead to escalation and persistence. We need to be teaching secure computer practices both on a personal and a corporate level in order to be better equipped to try and stop these attacks. It’s not going to be the new piece of hardware or software that the vendors want to sell you (though they do have a place if they work) but instead the human factor that will be able to help here. I just would like to see the C levels at least aware of the security threats and really understand them. So far, I have seen too many in management without a clue and who don’t seem to care.

So, what I think we really need are some rules set up for companies doing government business that mandate secure practices and insure that if those companies are not following through, will be fined and shamed as well as lose their contracts. Its one thing to be compromised even if you are doing the due diligence, its quite another to be compromised and not really care nor understand the problem because there are no negative incentives to being that way. In today’s world, we need to be sharper than this if we want to stay in play on the global scale.

What we really need to be now is a ‘Digital Sparta’

Meanwhile, we are behind the game here. The government is trying to come to grips with all of this (poorly) all the while the Chinese and others now using the APT style of persistent attacks, are making bigger and more audacious hits against us (cough RSA & Lockheed cough!) while the news media spins on telling only half of the story that they comprehend to the masses that have little comprehension of the issues at all. Meanwhile, we in the security community talk about attribution and the problems of not only trying to stop all this from happening, but also deal with the repercussions politically trying to capture those carrying out the attacks.

All of this during the cacophony of vendors (and I mean you McAffee) spewing buzzword bingo out of your collective keisters trying to make sales and use the situation to your advantage.

Its time to pay real attention to the problems allowing these attacks to take place so easily and to the companies that are being targeted by the likes of China. For a little more history, I have collected the “From China With Love” collection on my blog. Dating back to 2008/2009 to today, you can see that this has been going on for a long time, and there is much more that has gone on that you might know about, or ever will unless you are cleared to know.


Is Someone in China Reading Your Emails?

Our Chinese Overlords, Or how China is pwning the US

Economic Warfare: The New World Threat Via Cyberspace


Ghost Net: Aka Subseven or any other trojan backdoor program

Cyber SPIES in our GRID! Let the hand wringing begin!

DoD 2009 PLA Cyber Warfare Capabilities Assessment

MID’s “Seventh Bureau” and You.

Major General Dai Qingmin’s Cyberwar

The Cyber Cold War

How The Hackers Took Google A Theory: Manipulation, Geopolitics, and Cyber Espionage

PLA officer urges challenging U.S. dominance

Operation: NIGHT DRAGON Nothing New, but It Bears Some Repeating

The Thousand Grains of Sand In The Electronic Age: China’s Cyber Espionage Capabilities Outstripping Ours

The Dragon and Eagle: China’s Rise from Hacking To Digital Espionage

Talk on Chinese Cyber Army Pulled From Black Hat: Nothing To See Here… Move Along…

America Faced With Wave of Chinese Espionage: Hello? Where Have You Been?


Oh and as a post script; This post was also brought to you by @diocyde because he/she was such a pendantic wanker about me not caring about what China was up to as I was too busy chasing “pimple faced jihadists” online..



Virtual Arkham: Explaining Anonymous, Lulzsec, and Antisec Animus in Our Digital Gotham City

with 12 comments

Personae Dramatis: The Rogues Gallery

In this post I would like to show you what I have been seeing with regard to Anonymous the other groups that have spawned from it. Increasingly over the last year or two I have been seeing analogies both literally, and figuratively between the forces at play and I feel that all of it is directly affected by the comic book world of Batman. The analogies that I am making come from observing not only the actions of the parties but also the methods that they use (down to the imagery in word and graphical) to get that message out to the masses.

In the case of Anonymous and their spin off groups, I have observed a shift in personalities that could be termed an evolution in motivations and thought. Generally though, the game plan seems to be just a general way for the groups to sow anarchy while feeding their narcissistic needs through media attention. This is the crux of the issue I think as the core groups don’t seem to be solely motivated by ethical or political change. Instead, it all seems to be focused on a few drivers;

  1. Lulz Just for the hell of it, or a desire for amorphous anarchy
  2. A feeling of power over other forces (government/law) that subsumes their feelings of powerlessness
  3. A need to fulfil the narcissistic tendencies by sowing havoc and seeing it in the media (like some narcissistic serial killers Denny Rader for example)

Equating this with the world of the Batman has been in the back of my mind for some time, especially since my dealings with Jester. His logo and his persona of the “joker” from the last Dark Knight film set the stage for me to start to think in this vein. A more recent video by the History Channel solidified all of this for me. The video, “Batman Unmasked: The Psychology of the Dark Knight” struck me as not only as being the zeitgeist of this article, but, also seemed to show a generation of comic book and movie goers that are internet denizens that want to emulate this last iteration of “The Joker” specifically.

The Heath Ledger portrayal of Joker seems to have been the catalyst to me, of many an internet anarchist. The media surrounding this being his last role as well as the way the character was re-written in this story arc, hit a common nerve with the masses. So much so, that seemingly, the Joker became the more emulated and lauded character in the story over its real hero, Batman. It is from this realisation that I derive the rest of the analogies made here. Of course these are gross generalities, but, I tend to think that given the recent activities (riots in the UK and flash mob thievery in the US as well as all the lulz) there is a strong correlation to be made.

First though, lets look at the Rogues Gallery that end up in Arkham Asylum…

Ra’s Al Ghul and The Shadow Assassins

Ra’s is a control freak. His agenda is to have order but his means to get that order mean subjugation of the masses and removal of anyone that does not conform to his sense of right and wrong. This order that he wishes to impose comes from his shadow assassins and their lethality without question.

The Riddler

The Riddler is a pure narcissistic criminal genius. His narcissism though, is usually his undoing as he cannot perpetrate any crime without leaving overt clues in an attention seeking pathology. It is this pathology, the need for the attention that drives him altogether and is his undoing.

The Penguin & The Joker or PenguiJoker

The Penguin (Societal and Governmental corruption) and The Joker (pure anarchy) are two rogues that have become one in this scenario. Within the world of Batman though, each attacks the order seeking to destroy it for their own ends. In the Penguin we have someone looking to corrupt the system. Meanwhile, the Joker, is pure anarchy diametrically opposed to the order (aka Batman) Joker’s need is fuelled by a nihilistic world view twisted with a good deal of insanity.

All of the Batman wannabes in hockey suits

Lastly, we have the Bat-men, the would be vigilante’s who want to be the Bat, but, don’t have the tools to really be of use. This character set was added from the last film (The Dark Knight) and I generally attribute to one player in the real world (if you call it that) version of Gotham Knights being played out on the internet. That individual(the afore mentioned jester) oddly enough aligns himself visually much of the time with “The Joker” but, he is more like the hockey suit wearing would be Batman.

Now that I have laid down the Batman’s Rogues Gallery, I will move on to the real world players and their motives aligned with my premise.

Anima & Animus:

The shadow, in being instinctive and irrational, is prone to projection: turning a personal inferiority into a perceived moral deficiency in someone else. Jung writes that if these projections are unrecognized “The projection-making factor (the Shadow archetype) then has a free hand and can realize its object–if it has one–or bring about some other situation characteristic of its power.” [3] These projections insulate and cripple individuals by forming an ever thicker fog of illusion between the ego and the real world.

C.G. Jung

According to Jung and even Freud, the darker side of the psyche can drive our actions solely by the shadow self. One can see hints of their theories in the actions of each of the groups we are talking about here. Even the subtle connections made from overt symbolism can be made through the icon of Antisec itself. As seen at the top of the page, the connections are there to be made between the characters of Penguin, Joker, and Riddler, even if the original core image came from another source altogether (V for Vendetta) I believe that the collective unconscious here latched on to the images of Riddler/Joker/Penguin and co-opten them, if they didn’t actually do so overtly and with forethought.

So, with all of this said, I will make the claim now that I believe the movements and the players have been created out of vainglorious motives and have not changed at all since taking on the mantle of ethical and political change through civil disobedience. To that end, here are the players aligned to their characters from the world of Gotham as well as their psychological underpinnings.

Anonymous: Ra’s Al Ghul and The Shadow Assassins

Anonymous started out as a group of people who inhabited the 4chan group but wanted to do something different for ‘entertainment’ This loose idea was co-opted when they began to commit civil disobedience for their own purposes either political or for the aforementioned entertainment value. Either way, their animus is wholly about the control which they can wield over others. This should never be forgotten, that the core of the group ethos has nothing to do with change or moral/ethical betterment. It is in fact all for their own enjoyment.

Lulzsec: The Riddler

Lulzsec came into being because they felt that the ethos and moral constructs of Anonymous were too weak and they wanted to escalate the ‘lulz’ for their own enjoyment. The take away here is that just being pranksters was not enough, instead they wanted to show everyone they were smarter than everyone else AND that they could do so and get away with it. All the while, they performed these acts in an exceedingly narcissistic way. A key player in this that has been caught would be Topiary. It seems that even in the face of prosecution he thumbs his nose at authorities as well as seems to be enjoying the limelight (philosophical book in hand for the cameras)

Antisec: The Penguin & The Joker or PenguiJoker

The love child of Anonymous and LulzSec are #Antisec. This agenda or perhaps subgroup (I tend to think there are cells of Antisec) has chosen a logo that decidedly shows the melding of at least two of the Batman Rogues Gallery (Joker and Penguin as you can see at the top of this article) This too follows into their attitudes about what they are doing and why they are doing it. They really have no rhyme or reason for what they do other than their own entertainment and attention. This is a classical narcissist behaviour  and by all communiqués laid out by LulzSec, they fully enjoyed their ‘voyage’ in the lulz sea.

Antisec also has a Penguin side to them too. By using the system against itself (i.e. using the governments lack of network and system security) they poke them in the eye by subverting their own data to shame them. This is a lesser characteristic as I see it, but it is still important to note as well as point out the imagery (homage) to the Penguin in their logo whether it was overtly done or by proxy of some unconscious connection made by the designer.

th3j35t3r: All of the Batman wannabes in hockey suits

Finally, we have the jester. A character who wants to be the Batman, but fails to actually affect any kind of real change in the battle. For all of the attempts made, the efforts fall flat and to date, nothing has been attributed to him that substantially made a difference against the Anonymous/Lulzsec movement. I believe he does this as well as his other DDOS actions out of a self described sense of helplessness. Jester makes the claim that he had to do something as he saw his comrades dying at the hands of Jihadists. He made similar remarks about why he was attacking Anonymous, as they were outing data that could harm those in the field of battle.

Either way, his motivations seem to be tainted with a bit of narcissism as well, seeking the attention of the media as he has in the past makes him part and parcel to the overall problem.


And so it goes on… The Anon movement has begat others who have agenda’s of their own (or perhaps pathos is a better word) As the movements lose interest in the day to day grind of operations, they will increasingly seek to up the ante. As the media winds down on them, they will need to seek even bigger targets and outcomes to end up back on the top of the news, all the while feeding their collective need to be the centre of attention. The flip side of this will be that the authorities, unable to cope easily with the problem at hand, will create new and more stringent laws that will harm us all. Though this will not matter to the groups.. Because this is unimportant to their end goal of satisfying their needs. It will keep going round and round and the outcomes are likely not to be good. There will be a lot of collateral damage and in the end, no one will have profited at all from it all.

End Game:

So what is the end game here? Will there be any good outcome from this?

Not if it keeps going the way it has been. More indiscriminate hits against targets without showing anything for it along the lines of showing corruption or malfeasance will only lead to more knee jerk reactions by authorities. I imagine some will be caught and tried for their actions, others will escape and perhaps go on to other things… Overall though, it will not make a better world. It will only have fulfilled the dsires temporarily of the ones perpetrating the acts against.. Well anyone and everyone.. Until they get put into Arkham.


Hedge Fund Manager Predicts Cyber Attack Will Shut Down NYSE in 2011: Oh? Do Tell…

with 4 comments

EDIT: 8/18/2011

Recently the ideas of HFT trading (High Frequency Trading) being a vector for attacks on the stock market in tandem with an actual DDOS/Hack attempt on the Hong Kong stock market got me thinking about all of this again. The original post was back in November of 2010, but it seems even more prescient today after we have been in a recession for so long and may in fact be up for a double dip. Added to this we now also have the debt crisis and an onslaught of cyber espionage that could easily turn to offensive cyber warfare (i.e. an attack on the financial system as the coup de gras of our economy) as the Chinese even are trying to divest themselves of our debt. This would mean that the Chinese would have much less to lose now if they were less monetarily invested in us and thus, they would become the larger economy and super power by taking us out of the running.

And all of this could be done by the simple (well not really in practice) act of taking down the markets here. The cascade effect of mistrust by the investors and other countries in our systems of trade could be devastating to us. This is why I am re-hashing this post and thought it important today to re-iterate.


The Internet becomes the tactical nuke of the digital age. I believe that cybercrime is going explode exponentially next year as the Web is invaded by hackers. And My surprise is that we will see a specific attack on the New York Stock Exchange which has a profound impact, causes a week long hiatus in trading which will cause abrupt slowdown in travel and domestic business.Hedge Fund Manager Douglas Kass

Some time ago I posted a story about how by using tools like FOCA, Maltego, and Google, one could gain enough intel on NYSE (New York Stock Exchange) to mount an attack. Well, it would seem that others might have the same idea, but the above gent may have more in mind than just an attack on America’s financial machine. This guy is already positioning his funds for a “short sell” on the system.

So, a smart bet or perhaps some inside knowledge? Maybe he’s just a realist? Why is he betting that it will come during 2011? What’s more, and is questioned in the article, perhaps he is injecting fear into the market to drive it….

Interesting no?

The article goes on…

What could happen if Mr. Kass’ prediction is correct and a cyber attack effectively takes the New York Stock Exchange “offline” for a week? As far as historical events to compare to, after the terrorist attacks on September 11th, the New York Stock Exchange, the American Stock Exchange and NASDAQ didn’t open on September 11th and remained shut down until September 17, the longest shut down since the Great Depression in 1933. After the markets opened on September 17th, the Dow Jones Industrial Average fell 684 points, or a 7.1% loss.

The NYSE’s Web site ( has been targeted in the past with denial of service’ attacks but without success, according to NYSE reports. Importantly, the NYSE.Com Web site is not connected to any of the trading operations and even if such attack took offline it wouldn’t affect trading operations, of which most of the infrastructure is over private networks and not the public Internet.

So, the market has been offline before and then there was that “fat finger” event, but, what is really troubling is the lack of understanding on the part of the writers to comprehend that the site’s being “online” has nothing to do with a real and substantive attack on NYSE itself on that level. What is really important is that the site as well as are leaky as all Hell and giving out the crown jewels by simple Google searches of their domains. So sure, take their site down all you want with a DoS, but, if you use the data they are handing out, you can get into their systems potentially and manipulate the actual trading.


Well, lets see.. Before I showed how they were serving our docs with intel on the protocols they are using, the programs used for trading, the collocation facilities location and pertinent data on their infrastructure etc etc. This time around, the searches turned up much more, including a document that shows their entire internal IP structure. Passwords and logons to their “FTP’s” (yes that is FTP, not SFTP) to access programs and data. I also located documents on their API’s prgramming standards, and everything one would need to reverse R&D their software to do some damage.

So, the possibilities of an attack on the system as Mr. Kass has bloviated on are somewhat more possible than the articles writer would make of it.

Lets look at the next level of this too. By doing the searches with Google and Maltego, there were enough email addresses out there to show that it would be easy to attempt a phishing attack. I found at least 150+ addresses out there on the internet already, just by extending that logic that is 150 chances to root internal machines and pivot into their internal network, which, you already have a pretty good map of by the Google searches previously carried out. Then, you move on to your FOCA searches.

Oh yeah.

FOCA turned up a SHITLOAD of data on NYSE and NYXDATA, So much so that it crashed several times just trying to analyze the data! I had to do it in parcels of documents. NYSE and NYXDATA have a lot of documents out there to parse through and all of it had a TON of metadata in them.

  • Usernames
  • Machine names
  • Folders saved to (directory structures)
  • Machine OS levels
  • Server Names

What struck me most was the number of machines polling as NT4.0 machines *shiver* as well as Win2K

Ok, on that account the docs may be older and these machines may have been decomm’d… but.. If you look at the usual trading systems out there, they are often based off of a DOS prompt environment, so….Yeah, I can see these systems being still in play at NYSE.

So, back to Mr. Kass… I am with him on the side of being prepared for a short sell on the market as a whole. I think it’s just a matter of time before something happens either by design, or perhaps by accident. Say you had a stuxnet variant that got out of control and infected the old and creaky systems at NYSE, what would happen with the market if they were taken down for a time because of this? What’s more, what would happen to the market if the “perception” was that these events happened because the NYSE was not doing the “due diligence” to take care of the security issues that would allow for such things to happen?

Trading would go down, money would be lost, and generally the market would be pretty shaky wouldn’t it? Let me go back to my favorite movie quote to illustrate:

Cosmo: Posit: People think a bank might be financially shaky.
Martin Bishop: Consequence: People start to withdraw their money.
Cosmo: Result: Pretty soon it is financially shaky.
Martin Bishop: Conclusion: You can make banks fail.
Cosmo: Bzzt. I’ve already done that. Maybe you’ve heard about a few? Think bigger.
Martin Bishop: Stock market?
Cosmo: Yes.
Martin Bishop: Currency market?
Cosmo: Yes.
Martin Bishop: Commodities market?
Cosmo: Yes.
Martin Bishop: Small countries?

There you have it. The basis for the markets is perception. How often do you see stocks fall because the perception is that company (A) is on shaky ground and about to stumble. Hell, just look at what was happening back in 08 with AIG and Lehman with the monies that they owed and were trying to borrow daily to keep the system afloat. Banks and insurance companies mind you, that were declared “To Big To Fail” as the perception if they did just fail would be financial cataclysm right?

Just as well, how many brokers and company’s have been investigated or charged in manipulation through insider trading or perception jiggering? That’s what the market is really all about. It’s all about betting on a company and if you make that company or for that matter, “country” look “shaky” then you can manipulate the outcome to your desired effect. I would have to say that Al Qaeda has already done that to some extent already with America. So, it is not an inconceivable notion. Lets go back to that precipitous market “bubble” as Kass called it with the “fat finger” event. Did you see how much effort there was to calm everyone? Spin the situation and downplay it when it happened?  Pay no attention to the man behind the curtain.

Look, if the system were that easily manipulated by a single set of lightning trades, then what does it say about the system’s security and integrity?

That’s the key question. So, where are the reports to congress about the security of the systems at NYSE? Does the SEC have some reports that we can all look at and see that they are doing their due diligence? I guess I will have to trawl the SEC domains to see. This is what I found through a quick search:

Information Technology Security

Finally, GAO’s audit confirmed weaknesses in the SEC’s information technology security that have been reported in prior years through our FMFIA program. These weaknesses include insufficient access controls, network security, and monitoring of security-related events. However, I should also note that the GAO found we had taken the right set of initial steps to address the weaknesses, including hiring a new Chief Information Security Officer and establishing a centralized security management program. In response, the SEC has developed a detailed inventory and timeline for correcting each of the specific weaknesses identified, such as through a certification and accreditation project and revisions to the agency’s policies and procedures in this area. We have continued to build out our information security program and address specific issues over the several months since the conclusion of the audit, and while our timeline is ambitious, we plan to complete the remediation efforts by June 2006.

This is all I could find at present.. 2006… Hmmm…

In the end, all I am saying as a security professional is that I know human nature. Human nature usually consists of the path of least resistance especially where business is concerned. I am willing to bet that not much has changed within the security environment at the NYSE even post 9/11 and their being targeted as a primary target of Al Qaeda never-mind the usual criminal elements looking to manipulate the system. This means that yes, the system is potentially vulnerable to attacks that would have great consequences to the financial system within the US as well as potentially the world. Perhaps Mr. Kass is just looking to leverage the fear, perhaps he is trying to fire off the “Bat Signal” that something is wrong or inevitable..

Either way, we need to assure that these things aren’t so easily done.. Don’t we?


Written by Krypt3ia

2011/08/18 at 14:27


with 7 comments



Douchery, it’s seemingly everywhere and now it comes back to me again in the finest of LIGATT-ian style with the theft of a logo I designed and use for others purposes. Sure, fine, I saw the logo and told the user to please remove it as it was copyrighted to me. What I get back is an equivocating email that the colors are certainly different and bugger off. THEN I log into Twitter and see the above tweets using yet again, MY logo and threats of legal action for defamation.


THEN I get these emails:


All of this sound eerily familiar? It smells of LIGATT style to me. Sure, threaten me with defamation legal action because I got pissed and told you to not use my logo as your own even without asking and then you equivocate over the color of the logo? REALLY?

What has the world come to?

Legal counsel shall be synced up with later today. It’s really likely not worth the time or money trying to fight with this assclown, but at the very least the community now knows about him/them and their ways by their OWN ACTIONS.


Written by Krypt3ia

2011/08/16 at 10:02

Posted in Infringement

OPERATION SHADY RAT: Or As I like To Call It; Operation Shady Crap

with 3 comments

First, let me preface with an expletive laced rant that will be stripped for the straights at Infosecisland.. Please forgive the capslock shouting, but I cannot contain myself here!








Ok, now that I have that out of my system, I will now attempt to explain a few things in a civil manner on the RAT/APT situation. First off, there is nothing new here as I have said before on numerous occasions. This type of activity says more about the laxity of the targets security as well as the intent of the adversary in gathering state desired secrets on the part of China. The simple facts are these;

  1. China wants to have an edge and it finds itself using the Thousand Grains of Sand strategy to its benefit in the digital arena
  2. We have made it easy for them to compromise our systems due to lack of accountability and the short term gains seen by individuals within companies
  3. The adversary is smart and will do what it takes up to even intercepting helpdesk tickets and fielding problems to keep their persistent access!
  4. This has been going on for a long time and now is just getting out to the press.. Ok, I get that, but really, sowing FUD to win business will not help

It is readily apparent from this POS that McAffee has put out that they are just fishing for some press here for their flagging AV sales. This paper gives nothing relevant to the story around APT and as such, it should be just relegated to the dustbin of the internet and forgotten. Yes, the US was a major target but others were as well. This is a nation state working on these APT attacks, come on now! They have more interests than just the US! Just as much as you (McAffee) had access to ONE server out of many! Never mind all the others that were fleeting and pointed to by DYNDNS sites!

Really McAffee, you come off looking like rank amateurs here… Well, I guess you are really for pulling this little stunt altogether.

The adversary has been around for a long time. No one product nor service is going to protect us from them (that means you McAffee) so it is useless to try and sell us the snake oil you would like to. It is our own human natures that we have to overcome to handle the least of the problems that feed into group think and herd mentality in corporations and governments. Face the facts, they are here to stay and we need to learn the game of ‘Go’ in order to play on their field.

Unfortunately, we get dullards like these (McAffee) crying wolf and offering unctions to take our troubles away.. Unfortunately all too often there are too many willing to buy into their crap.

… And we keep losing.


Written by Krypt3ia

2011/08/15 at 18:25

OPERATION SATIAGHARA: Anonymous Conspiracies That Don’t Materialize

with 3 comments

Recently, Anonymous dumped another data package on the torrents touting that it was the real dirt on Brazil’s government AND the CIA/Kroll. After a few days, Anonops IRC twitter account lamented that no one was paying attention to the data (sic the press) Of course Anon really wasn’t taking into account the number of documents as well as the need for many to translate them and THEN have some context analysis carried out.

So, once I heard the whining, I decided to download the dump myself and then go through it all. Mind you, I do not speak Portuguese, I speak Spanish, but, I could translate some myself and then pop the rest into the Google translate. In going through the dox, I also found that some were also in Italian, which I could read as well (passingly) So, it was time consuming but in the end my judgement is that once again, Anonymous has missed the mark on having the real dirt. There is nothing within the documents that directly state any CIA or government involvement on the part of the US. Sure, there were companies from the US involved, but, this was all about buying into a telco and other resources/financing deals in Brazil that happened to be set up and run by corrupt Brazilian officials.

Kids.. There is no smoking gun. This is a case that is fairly well known so it was already in the public eye… In 2008 that is.

Operation Satiaghara

Quite the contrary as I saw from the dox. In one document it is flatly stated that there is a theory of involvement but no proof of Kroll in anything other than writing a report that was used by the officials involved. (see pg 25 of 682.doc) So where do you Anon’s get this idea that there is this huge conspiracy? Frankly, I am surprised that the press has any interest at all in your documents (other than perhaps the Brazilians) because sure, there were some people not captured and prosecuted within the Brazilian government that should have been. The story here is more about the corruption rife within the Brazilian as opposed to any great international conspiracy. This would have been apparent to you had you done analysis and contextual assessment of the drop.

Data dumps without context have no real intelligence worth. While this stuff is interesting, it’s certainly not earth shattering. What’s worse is that it makes you all look more and more like the boy who cried wolf than the Deep Throat. This is why I keep harping on analysis Anonymous. If you go around just hitting sites and downloading data from external facing sources and you do not vet the data, then what you do put out there means nothing. Just as well as I can see from your tweets from the AnonymousIRC account, that you are just now translating the dox. It would have been much more useful had you translated them before hand and rar’d them all up for everyone to start with. You want attention from the mass media? Then the mass media has to be able to read the documents as well as hopefully have a primer as to what they all mean in context.

What these docs do show though is an insiders view into surveillance carried out at the level of actual reports from the specialists. This is rather nifty and for this I give you the +1 Otherwise, I give it all a ho hum and feel that you are seeing shadows where there are none.

So please, once again I’m giving you the hints;

  1. Vet the documents
  2. Analyse the documents and put some context around them to show their importance
  3. Translate them if need be so the media can read them readily
  4. Stop just dumping reams of useless data on the public because if you keep doing that they will ignore you

Ancillary Data Found:

  • There are numerous .wav files that I have yet to listen to. I assume they are wiretaps and will need translation as well as transcription.
  • There are many mpg and avi files from differing cameras (surveillance video) but is mostly meaningless unless one is read in on who these people are
  • There are numerous jpg files as well that are not very useful

Forensics Data on Files:

I ran some foca scans on the dox and have some interesting background on them. They do in fact come from the sources alleged so at least that backstops to a point that they are in fact real dox from the Brazilian police services.

  • They were using iphones to perform covert photo surveillance
  • They use primarily windows machines
  • You can see their internal/external networks via the metadata found within the pdf files


Written by Krypt3ia

2011/08/12 at 18:56

DEFCON PANEL: Whoever Fights Monsters: Confronting Aaron Barr, Anonymous, and Ourselves Round Up

with 2 comments

A week before this year’s DEFCON, I got a message that I was being considered to replace Aaron in the the “Confronting Aaron Barr” panel discussion. It was kind of a surprise in some ways, but seemed like a natural choice given my tet-e-tet with Anonymous, LulzSec, and even Mr. Barr. After coming to BlackHat and seeing the keynote from Cofer Black, it became apparent that this year, all of these conferences were about to see a change in the politics of the times with reference to the hacking/security community and the world of espionage and terrorism. Two things that I have been writing about for some time and actually seeing take place on the internet for more than a few years with APT attacks on Defense Base contractors and within Jihadist propaganda wars.

“This is a very delicate window into our future,” he told the hackers. “Cold war, global war on terrorism and now you have the code war — which is your war.”

Going into the planning for the panel discussion, I was informed that I was hoped to be the stand in for Aaron in that I too see the world as very grey. Many of my posts on the Lulz and Anonymous as well as the state of affairs online have been from the grey perspective. The fact is, the world is grey. There is no black and white. We all have varying shades of grey within our personalities and our actions are dictated by the levels to which our moral compasses allow. I would suggest that the example best and most used is that of torture. Torture, may or may not actually gain the torturer real intelligence data and it has been the flavor of the day since 9/11 and the advent of Jack Bauer on “24” face it, we all watched the show and we all did a fist pump when Jack tortured the key info out of the bad guy to save the day. The realities of the issue are much more grey (complex) and involve many motivations as well as emotions. The question always comes down to this though;

If you had a terrorist before you who planted a dirty nuke in your city, would you ask him nicely for the data? Give him a cookie and try to bond with him to get the information?

Or, would you start using sharp implements to get him to talk in a more expedient fashion?

We all know in our darkest hearts that had we families and friends in that city we would most likely let things get bloody. Having once decided this, we would have to rationalize for ourselves what we are doing and the mental calculus would have to be played out in the equation of “The good of the one over the good of the many” If you are a person who could not perform the acts of torture, then you would have to alternatively resolve yourself to the fates as you forever on will likely be saying “I could have done something” Just as well, if you do torture the terrorist and you get nothing, you will also likely be saying “What more could I have done? I failed them all” should the bomb go off and mass casualties ensue.

I see both options as viable, but it depends on the person and their willingness to either be black and white or grey.

Within the security community, we now face a paradigm shift that has been coming for some time, but only recently has exploded onto the collective conscious. We are the new front line on the 5th battlespace. Terrorists, Spies, Nation States, Individuals, Corporations, and now ‘collectives’ are all now waging war online. This Black Hat and Defcon have played out in the shadow of Stuxnet, a worm that showed the potential for cyber warfare to break into the real world and cause kinetic attacks with large repurcussions physically and politically. Cofer Black made direct mention of this and there were two specific talks on SCADA (one being on the SYSTEM7’s that Iran’s attack was predicated on) so we all ‘know’ that this is a new and important change. It used to be all about the data, now its all about the data AND the potential for catastrophic consequences if the grid, or a gas pipeline are blown up or taken down.

We all will have choices to make and trials to overcome… Cofer was right.

“May you live in interesting times” the Chinese say…

Then we have the likes of Anonymous, Wikileaks, and the infamous ‘LulzSec’ Called a ‘Collective’ by themselves and others, it is alleged to be a loose afiliation of individuals seeking to effect change (or maybe just sew chaos) through online shenannigans. Theirs and now their love child ‘LulzSec’ ideas on moral codes and ethics really strike me more in line with what “The Plague” said in “Hackers” than anything else;

“The Plague: You wanted to know who I am, Zero Cool? Well, let me explain the New World Order. Governments and corporations need people like you and me. We are Samurai… the Keyboard Cowboys… and all those other people who have no idea what’s going on are the cattle… Moooo.”

Frankly, the more I hear out of Anonymous’ mouthpieces as well as Lulzs’ I think they just all got together one night after drinking heavily, taking E, and watching “Hackers” over and over and over again and I feel like Curtis exclaiming the following;

Curtis: If it isn’t Leopard Boy and the Decepticons.”

So, imagine my surprise to be involved in the panel and playing the grey hat so to speak. The panel went well and the Anon’s kept mostly quiet until the question and answer after, but once they got their mouths open it was a deluge. For those of you who did not see the panel discussion you can find the reporting below. My take on things though boils down to the following bulletized points:

  1. Anons and Lulz need to get better game on if they indeed do believe in making change happen. No more BS quick hits on low hanging fruit.
  2. Targets need recon and intelligence gathered has to be vetted before dumping
  3. Your structure (no matter how many times you cry you don’t have one) can be broken so take care in carrying out your actions and SECOPS
  4. Insiders have the best data… Maybe you should be more like Wikileaks or maybe an arm of them.
  5. Don’t be dicks! Dumping data that can get people killed (i.e. police) serves no purpose. Even Julian finally saw through is own ego enough on that one
  6. If you keep going the way you have been, you will see more arrests and more knee jerk reactions from the governments making all our lives more difficult
  7. Grow up
  8. The governments are going to be using the full weight of the law as well as their intelligence infrastructure to get you. Aaron was just one guy making assertions that he may or may not have been able to follow through on. The ideas are sound, the implementation was flawed. Pay attention.
  9. If you don’t do your homework and you FUBAR something and it all goes kinetically sideways, you are in some deep shit.
  10. You can now be blamed as well as used by state run entities for their own ends… Expect it. I believe it has already happened to you and no matter how many times you claim you didn’t do something it won’t matter any more. See, all that alleged security you have in anonymous-ness cuts both ways…
  11. Failure to pay attention will only result in fail.

There you have it, the short and sweet. I am sure there are a majority of you anonytards out there who might not comprehend what I am saying or care.. But, don’t cry later on when you are being oppressed because I warned you.


PLC Controlers, Stuxnet, and Kinetic Attacks: Blackhat 2011

with one comment

Since the advent of Stuxnet, the problem of SCADA (PLC) systems and their control vulnerabilities has become the focus of the world. In that this seems to be the new flavor of the day because someone (A nation state actor) decided to use those known vulnerabilities (at least 10 years worth of them) to exploit the Siemens systems at Natanz and Bushehr nuclear facilities in Iran we now have a new form of terrorist attack as Cofer Black pointed out in the keynote to Blackhat.

Dillon Beresford presented a talk on the Siemens 7 system vulnerabilities at Blackhat yesterday and did a great engineering job on the Siemens PLC system 7 attacks. However, in being so close to the subject, at least in the presentation, he seemed ill equipped to understand some of the ramifications of the exploit that was used against Iran and the amount of work that had to go into it to pull it off.

I say this because of the offhand comment that a single actor (hacker in a basement) could in fact have come up with the exploit code and he is technically right. He has singly come up with more exploit code and plugins to Metasploit to prove it, but, the attack on Iran was more complex than just exploit code for a Siemens 7 PLC. This too seemed to elude him in the statement that he did no understand the reasoning for the pivot point of the Windows machines that were infected with the worm that injected the code into the system 7.

The reasons for the attack vector pivot point is simply this;

The actors who created this exploit(s) wanted to be able to infect non connected systems at key hardened facilities that they did not have access to. Facilities that may have had regular network connections that might allow access to the worm and thus infect not only one site but many and not just the PLC systems themselves. This attack was multi purpose and needed to be persistent for a long time in order to carry out its mission goal.

And the goals seem pretty evident now:

Have the centrifuges eat themselves

Have the product from the centrifuges be compromised and thus put Iran’s nuclear program even further back.

The fact is, that the exploit code for the PLC’s was small in comparison to the amount of work and 0day that went into the worm itself. This is a key feature of the attack and something that Beresford seemed to miss. The worm was indeed the delivery system and it was likely carried into the Bushehr facility by a contractor (my thought is Russian as they were working on the Iranian program and had access) on a USB stick. Once inside, the malware had the ability to detect, spread, and inject the exploit code specific to the Siemens PLC systems at those facilities.

This brings me to a second point on all of this. The intelligence needed to know exactly what systems the Iranians had was something only a nation state actor could really have the resources to gather. This was in fact a nation state attack from all the signs of it. That it used exploits for SCADA systems that were known to be vulnerable for some time is the only twist. However, that twist had been used in the past and as long ago as the Reagan era.

An attack on a Russian pipeline was eventually disclosed by the CIA as a worm that attacked the systems of the pipeline (i.e. the PLC’s controlling the pressure of the gas) and caused a 3 kiloton explosion. This worm was likely created by the CIA and used to help dismantle the USSR.. Well at least cause some heavy damage to a pipeline that was in contention at the very least. So, this type of attack is NOT NEW. It was a quietly known vector of attack as far back (publically) as 2004 when it was revealed to the public at large, but much longer known about in intelligence circles.

The short and long, the exploits may be new in some cases, but, the type of attack is not at all.

The real difference today though is that we have the hacker community out there able to get their hands on code easily and even perhaps the PLC systems themselves to create even more exploits. Add to this that many SCADA systems have been connected to the Internet (as they should NEVER BE) ripe for attack and we have a big problem. However, the proof of concept now is out there, the exploit code is available and all it will take is an aggressor tenacious enough to write the malware to have another Stuxnet type attack on less hardened systems. An attack that could bring down the grid, cause the poop factory to explode and leak into our drinking water, or, like in Russia, have our pipelines explode in 3 kiloton explosions.

This Dillon is the key point and I know you get that. So, lets extrapolate further, how about in future conferences we have more of what Dillon did. He went to Siemens and gave them the exploit code and showed them the problems. They, unlike many companies, are taking up the challenge and not trying to hide the problems but instead are actively working on them to re-mediate. The next step is to go to EVERY PLC maker (wink wink Big O and the Administration.. Oh DHS maybe?) and bitch slap them into doing something about the problems? As Dillon pointed out, these systems are pretty open and inter-operable, so the code is likely to be just as bad everywhere.

If we don’t.. We are likley to wake up one day to a big explosion and it may just be an accident.. Or, it could be another targeted attack like Stuxnet.


PS.. One small thing Dillon.. Please, attend Toastmasters. I think it would help you greatly. You speak too softly and did not enunciate.