Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for December 7th, 2011

“Zero Sum Game” The Nature of INFOSEC

leave a comment »

//BEGIN RANT

The Zero Sum Game

Lately I have been party to as well as watched debate on Twitter and other venues by my compatriots in Information Security on their woes. The woes consist of laments about certifications like CISSP, how “Company B” is not following its policies, or just how much FUD (Fear, Uncertainty, and Doubt) there is within the business as well as how much of that is being spun by the media and vendors.

In thinking about all of this, I have come to the conclusion that security really is a “Zero Sum Game” meaning that no matter what you do, no matter how many policies you have, or blinking lights on an appliance that is alleged to keep out #APT in the end, you really have not won the day. In fact, if you have not been hacked or abused that day, it was really just a fluke.

You just can’t win.

Human Nature: The Anathema to Security (AKA The Deadly Sins.. No not Seven of Them)

Now, why can’t you win? Well, one of the primary reasons that you can’t is the human element. You can design all the nice nice Visio’s of the network, you can buy all the hardware you want and configure it to work securely, but, eventually someone will screw up that config either by fubar’ing it by accident, or, some C level exec will decide he wants his open access to the latest and greatest www site or game and demands a rule be added that is insecure.

Well, ok, maybe I am being a little rough there.. More than likely it will be some “mission critical” application that will make gazillions of dollars (maybe) and they ABSOLUTELY MUST HAVE IT! Even after we tell you that its not a good idea and make you sign off on the risk (if you are lucky and that actually happens in your org) So, the human element is the most dangerous of them all. Core to that element is the very nature of it… “Human Nature”

Human nature has various components, but I will focus on a few of them for this article.

1) Laziness

2) Fear

3) Greed

4) Stupidity

Many of you might be saying “AH HA! The Seven Deadly Sins!” but, alas, no.. I could not make all 7 fit into this story so, its the 4 deadly sins. All of these behaviours in human beings lead to security flaws to be introduced and exploited because people add them to the system. Step back and take a look at all of the problems that most of us are talking about in the community…

It’s not hardware issues.. It’s wetware! From coding practices to lack of policies, to FUDDERY and Luddites running the show.

Think about it.

The real problems revolve not only about 0day but the fact that people are able to “click shit” as someone on my flist says in hashtag form.

Skynet has it right.

Greed, FUD, Charlatanism

Ahh, one of my pet peeves lately.. The FUD, The Greed, and the Charlatans. What can one say? The INFOSEC sea is filled with trawling sales sharks seeking to use buzzwords to sell their crap to unsuspecting Luddites in positions of power. We, the Infosec community, roll our eyes and try to call them on the floor as they say they can stop all APT from breaching your network!

But… In the end, most of the time its the Luddite with the wallet and the agenda. They all too often reach for the easy solution that comes in a shiny package and think they will be safe… Thus making us, *security* more sickened and thinking;

“shit, why do I do this again?”

Meanwhile, you see trolls like Ligatt or others out there stealing others work and pimping themselves to the unwashed masses while you, the one who has been plagiarised cannot even mount an effective case against them because it costs 10K just to start talking about doing it. Sure, we can send DMCA letters and we can shame them… But.. My experience thus far has been that they do not go away.. They just keep scuttling along like a digital cockroach.

Personally, I have called BS on so much lately in the news and being spewed by alleged “experts” that I am just inured to it now. I give up really, because no matter how much you say;

“This guy’s a moron!”

The media and the masses usually aren’t listening.. And the travesty goes on…

Cults of Digital Personality

Meanwhile, within our little insular community we have the cult of digerati. My tweets today about Tao *Beitlich* being case in point on this. Some people agree but for the most part, he is seen only through the vacuum of the echo chamber that he lives in. The same can be said about others out there but I don’t have time to name them all.

Look, people are people.. We all have opinions but none are Gods. This whole infosec rockstar thing just shows the fact that you would love to be mainstream and loved.. But.. you’re geeks and don’t fit in with the beautiful people. Frankly, many people who I would consider to be some of the best of the best never get to see the light of a camera… and they want it that way.

Look! I Can PWN THIS!

Ugh, now this.. This is a whole issue unto itself that could get a separate post. However, the highlight is this..

Do you really have to pwn shit then show it to the world just to get attention? Can we just talk about responsible disclosure a bit? Even if you tell the company in question do you give them time to fix the issue? Then, think about this, do you even expect that the Pandora’s box you have created and just outed for the masses is going to be fixed by Jose Shmoe and his company who then get compromised from your little baby?

I think more can be done on this issue… I just wanted to toss that out there though.

Certificate BINGO!

Lastly, the certificate BINGO or as I see it, the Certificate Mafia. Being certified means shit. However, as per my twitter reposts yesterday, it is the go to for employment today even though the said certified person may not be capable for the said job. Certs are subjective really as are the notion that if you went to college that you are capable of doing anything well but drinking and throwing toilets out of dorm windows.

Simple as that.

So, all this talk about CISSP for instance.. I agree.. It’s BS.. The board needs a shake-up but we shall see what happens with the new members. However, yet again, we are forced to deal with human nature and peoples proclivities to believe in things because they have a title or a set of initials attached to their names.

Phooey.

K.

END RANT//

Written by Krypt3ia

2011/12/07 at 21:01

Posted in Infosec

Paradigm Shifts: Global Salafi Jihad and “The Group of Guys”

with one comment

Global Salafi Jihad

The idea of Global Salafi Jihad has been something that I have been thinking about since the demise of OBL and now Anwar and his cohorts at Inspire (Malahem) and it seems reasonable to me that this is the natural next step in the jihad movement. The term “Global Salafi Jihad” denotes that the jihad has switched from the loosely based Salafist ideals put forth by AQ and is shifting back to the more rigid beliefs of the Salafist.

The exhortations of AQ online and other, have been curtailed since the deaths of OBL and Alawki with the media wings only putting out the usual rhetoric that it has been unable to substantiate with actions. It would seem that in the case of the Western jihadi’s that they hoped to induce into jihad, the AQ team has failed to really produce the desired effect and have waves of Western jihadi’s who activate and wreak havoc here and abroad. In fact, there have been 176 cases of self radicalized jihadi’s in the US and only 2 of them actually went on to physical attack mode with firearms.

So, it has been a lackluster performance and AQ knows this. It is my thought that the next turn will be more toward radicalizing actual Muslims with the tenets of Salafi belief. Whether or not this will take the shape of online exhortations or the more localized indoctrination at mosques is the real question. Again though, shifting back to this position I feel, is the only way to go about getting their desired goal of creating zealots who are willing to become shahid for their cause. It is finally becoming clear to them that the Western kids are just that, Western, and not really inclined to doing much other than talking about jihad as living out those fantasies online, much as they do with video games.

With the true believers though, the ones who have been trained in madrassa’s by wrote with Salafist beliefs, those are the core that they seek to manipulate and use to their own ends. This means that the pivot I believe, will be more of a focus back to the core Salafi ideology while manipulating the recruits with propaganda on how the kafir have invaded the lands (the usual line)

Net/net this means a kind of indoctrinal brainwashing… One that really will pivot back to the lands of the Ummah as the training grounds. This however will not be the true ideal of “Global Salafi Jihad” but it will be the only way I think that they can see toward keeping their movement relevant and alive.

The Group of Guys Theory and Jihad

The other aspect of this line of thought is that the theories of Dr. Marc Sageman will come to play and there will be “groups of guys” who will coalesce together in places to eventually take up jihad and Salafi beliefs. Dr. Sageman’s premise is that for the most part, the jihadi’s that have come about and actually carried out attacks were not trained in madrassa’s from childhood, but instead tended to be 2nd generation Muslims living in countries that are not predominantly Muslim. In fact, many of these guys were not radical at all until they began to feel a certain discontent with where they were in life and sought to learn about their heritage. There seemed to be something missing and when they started looking, they came across the AQ doctrine and gravitated toward it for a few reasons.

  • Romanticism
  • Fraternity within their group
  • Adventure

Much of the same ideas play out in the online jihad as well, but seem to not get the real life spark that is required for the actors to really activate and play their part in reality as opposed to their idealized and fantasy life that they can easily sublimate their desires with online without having the danger angle. In the cases that Dr. Sageman looked into, these players got together and as a cell, in person, worked out the details and egged each other on to actually doing something in real life.

And this is a key difference today.

Going back to the online jihad, we see this egging on and inspiring speech within the bulletin boards, but the reality is that each and every one of these players is alone in a room somewhere typing on a keyboard. Once disengaged from the internet, they do not have the physical presence and the motivation to actuate.

Post UBL, Anwar Alawki, & Inspire Magazine

Since the death of Anwar Alawki and his cohorts, Inspire magazine has been off of the digital shelf. This magazine was the closest that the AQ set had gotten to being hip and cool enough to garner attention from the Western kids. Now that it is gone, the one conduit to perhaps creating more lone wolves went with it. However, even this magazine had issues with trying to get the masses to heel to and do their bidding. This is something that they also lamented a bit in the propaganda and planning materials and I have written about in the past.

Now that this is gone, and as far as I know there are no players to fill the void, this has dealt a real blow to the online jihad and once again tips it back to the old model of Salafi jihad taking over where the Mtv AQ set has left off. This is problematic for AQ as the Salafi mindset is more than certainly not one that the Western mind and the kids here today really get, so, I am sensing an overall failure to inspire the kids with it sans something like Inspire Magazine. The question then becomes is there anyone to step up here? Perhaps Gadahn, but, he is really not that inspired himself nor inspiring for that matter.

The right word for Adam is pedantic I think.. He and Ayman are much the same in reality… Uninspiring old men yelling at the world to get off their lawn.

The Failures of Social Networking in Jihad

The use of Net 2.0 and Social Media however has been an important feature to the online jihad. Today there are numerous sites out there with Jihadi content and themes. These sites as I mentioned above, have only nominally created any kind of serious jihadi’s though. The problem with these sites though from my perspective is that C&C for those who would self activate or those “groups of guys” out there who create their own cell autonomously, can get direction and support from these sites.

I would say that 95% of the traffic on these sites are just kids playing “Jihad” online but there is a very real aspect of command and control here that should be recognized. Inspiration as well is another key factor to look at too as these sites can attract those seeking excitement and direction. Those that want to get indoctrinated can then easily get the materials and the chat to move further toward their evolution of becoming the next wanna be shahidi making a crude device in their basement or chatting with others about aspirations of shooting up a mall.

Fortunately, the use of these sites has been a boon to the likes of the FBI as they are able to obtain attribution on their users as well as insert players into the game to lead them into traps and roll them and their aspirational plans up with stings. However, as I pointed out earlier, it seems that nothing can replace the actual proximity of individuals to each other in real life to get them to actuate their plans beyond just talk.

This is a key factor and why I now feel that the online jihad is a failure and will continue to be so. You can network all you want, but human nature plays a key role here. It’s easy to just sign off, create a new ID and be anonymous online as people jeer at you. In real life, that social embarrassment and pressures involved in real life social interactions are the main reasons that others have re-enforced each other to acts of jihad.

The Network As Battle Space for Jihad

The paradigm change though I fear has been fomenting with the likes of Anonymous and their online movement. If the jihadi’s actually acquire online skills in the hacking sphere as well as figure out how to inspire and energize the more savvy believers online, then we have more problems. Recent events with regard to ICS and SCADA system vulnerabilities has shown that there is a potential for online mischief that AQ could leverage. These types of attacks would not be world ending and nothing close at all to what happened on 9/11, but instead would further the tenets that OBL laid out with regard to a “Death of a Thousand Cuts” type of warfare against the US.

It is my belief that this is potentially the new battlefield that AQ could leverage where the Western kids who gravitate toward jihad would be willing to take up digital arms. This paradigm would work for both the AQ core and the wannabe’s out there online who are unwilling to blow themselves up for Allah. With the idea that the internet offers anonymous ways to attack the powers that be (ala Anonymous) then I believe that AQ has a greater chance of inspiring followers to action and thus to potential real world acts of digital terrorism.

Acts that would not cause mass casualties on the whole, but would cause the government here to spend much more money and time on the “digital war on terror” and once again put fear into the populace who will now worry that their water will be cut off, or polluted with feces. Only these types of attacks, with real world consequences will be at all effective in furthering the jihad. Defacement of pages etc, is just skiddie stuff that will serve no greater purpose. Just one hack though on a power plant or more likely a water facility in podunk illinois will set the media and the chicken littles into a tizzy though, and that will be a media win for the jihad.

Once this happens and is claimed by the likes of online jiahdi’s then we will have a problem because this will give them the air that they desire and AQ will leverage that.

Running on Empty, AQ’s Message is Losing Steam

Generally though, I am feeling of late that the AQ message has been diluted by the deaths of key players and the squeeze we have placed upon the organization. The marketing of AQ to the masses online has been damaged with the loss of Alawki and his boys (inspire) even though they were still grappling with a working formula for their brand of jihad online. Now that the old man (Ayman) is in charge, I expect that the dictum will fall back to the Salafi system of thought, and that is a tough one for the Western kids to get in line with.

Unless AQ gets hip or learns that the digital space is up for grabs and acts on it, I frankly see the movement as going back to its roots. There will be an amount of time where AQ will have to inculcate more jihadi’s out of the next generation of kids in madrassa’s and this will take time. More and more the movement will have to be relegated to the steps of the tribal lands where it will fester.. Unless Pakistan gets in line and dismantles the ISI support for them and cleans out Waziristan.

Not too likely at present.

So, the core will go on. They will continue to try and get their message out, but it will go to the net 2.0 generation who really aren’t so much into blowing themselves up nor are they that devout.

Looking Forward Into The Jihad

So where does that leave us? I think that overall, we are going to see another shift in AQ and Jihad in general. The online jihad experiment has failed and I think the smarter ones in AQ know this. They will go on to re-tool and re-group while trying to avoid being hit by a hellfire launched from a predator. The only problem that I can foresee is the idea that they will learn something from the Anonymous movement and work more within the digital sphere.

Not so much recruitment… Until they have a success with a digital attack… Then the jihadi skiddies will come out of the woodwork.

Until then, we will have some more “get off my lawn” dispatches from Ayman.. And that’s about it.

K.

Written by Krypt3ia

2011/12/07 at 12:11