Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for February 2012

AntiSec, Stratfor, Wikileaks, and Much Ado About Nothing

with 4 comments

The Compromise

Back in December Stratfor, a private “Intelligence” group was hacked by AntiSec. The hack to date, has yet to be really discussed as to the means to it’s accomplishment, but, I suspect that as usual, it was an SQLi attack if not some other low hanging fruit attack that allowed access into the Stratfor systems. Once inside, the kids had access to everything (allegedly) that Stratfor had. They proceeded to take what they wanted and then RM’d their servers/data/site. It was, for all intents and purposes to Stratfor, a nuclear detonation.

I say this not from the fact that they likely had no backups, and were scrambling to repair their online presence post the hack, but instead the fact that once the AntiSec kiddies dropped data, it became apparent that Stratfor had done nothing to protect its clients and employees data from being taken or, more to the point, had it been stolen, unable to be used with the use of encryption. Instead, it was clear that they had not encrypted anything that belonged to the clients, but also were keeping PCI (Payment Card Information) as well on their servers against the rules of PCI AND were also not encrypting them as well.

BOOM.

The AntiSec crew then set out to troll all those they felt needed attention (Such as Nick Selby, because he does work for the government) dropping all their data and credit numbers for anyone. They then proceeded to use those same cards to make donations to charities that they thought were a good idea to “stick it to da man”

Heh…

In the end though, they only really stuck it to the charities who had to face charge backs and incur fee’s for their trouble. This was not a win for anyone and even if AntiSec claimed then, as now to more “win” with Wikileaks dumping their email spool. The win here though, (dumping of the spool) for me, is to get a real insight (haha to use a Stratfor term) into how they (Stratfor) operated as a pseudo private intelligence firm. The outcome of all this reading for me? Pretty much what I thought of them before when I got their newsletters..

“Ho Hum”

The Leak

According to Wikileaks there are 5 million emails that they are in possession of. They have torrented them as well as placed them on their site for all to look at. The intonation of course by the ever increasingly paranoid and fanciful group, is that these guys were BAD! They were corporato-governmental-greedhead-evildoers. PROOF positive that they were a “shadow CIA” and that we are all far better off because AntiSec and Wikileaks teamed up to out their misdeeds.

I have perused many of the emails and files that they came with and am left with an even lower opinion of not only Stratfor, but also of Wikileaks and ANYONE who really bought into Stratfor as a company selling “Intelligence” as a service. The emails come off as exceedingly trite, unprofessional, and generally grammatically challenged. Of course you could make the case that many of them were typed out on Blackberries likely while sipping latte’s, so you can perhaps understand the internet speak/poor spelling.

Overall though, I am underwhelmed with the emails. They only show poor choices of language, poor choices of data collection and vetting, and a stunning amount of hubris on the part of the company in it’s dealings with foreign nationals. The one real question though, that it has left me with is this. Is this it? Does AntiSec or Wikileaks actually have finished analysis reports somewhere as well? I ask because the reports that I was privy to when I had access to Stratfor were, well, “meh” as well. I never once really felt like any of their subject reports were that great to be honest. I kept thinking that I could do just as good a job with a browser and Google hacks. So I never went any further to get anything else from them.. Well, that and the exorbitant price scheme they had really made me want to just do it myself.

So, Julian… Sabu? You got any real sugar for me? Do you have actual finished reports for say Dow or DUPONT or a government official that you can throw out there to show me and everyone what Stratfor was really doing (as you claim by these emails of bribes and source manipulation)

Do you have anything? Or are you just offering another half baked claim of conspiracy and then failing to deliver on it again? These emails are just truly unprofessional and to me bespeak just how poorly this org was going about cultivating assets and analyzing raw intelligence *cough* they were alleged to be getting from “sources”

So, let me sum up.. What you have put out there.. Doesn’t scream UBER SECRET PRIVATE CIA… It screams something more like “LOOK AT MEEEEE!”

Smell the desperation.

HUMINT, OSINT, and STRATFOR

Going through the emails I just kept saying to myself; “WTF? What? No real reports, just scuttlebutt from people and no real vetting of the data? Just gut hunches and who knows who and for how long? It was a morass of terrible conclusions, hints, and allegations that weren’t properly looked into by analysts by the way things looked from the emails alone. Like I said above, there may in fact be more as well as some of these may in fact not even have been put there by AntiSec to sweeten the conspiratorial pot. However, generally, it’s just amateur hour here and that is disturbing.

While the masses may be unaccustomed to the intelligence game, some of us out there know a little bit more about how it works. While the likes of Wikileaks rail about how they are all bad, using money and perhaps even sex to sway their sources, the reality is that this game has ALWAYS been played this way. Intelligence is a dirty business and crying about it in this way for me, is just naive on the part of WL and Anonymous. That said though, let me clarify for you all here and now, the data that was being collected via the emails dropped were not state secrets as a whole. In fact, this was much more TMZ than CIA.

This kind of information does have its place in real intelligence work, but, the idea of trying to make out that the things seen in this dump are at all akin to what the CIA really does is just laughable. As is the notion put out there by the emails that Stratfor thought they were “the shit” by paying assets that they could not really trust nor really had a good way of vetting. My question is just how many of those guys/girls took the money and just gave Stratfor a bill of goods? How many of these “sources” were actually just people making a buck and selling snake oil?

For that matter I half expected to see LIGATT listed as a source….

No, much more of what I was seeing in the emails was scuttlebutt or in fact OSINT of the lowest order. They were actually citing other news sources in their emails! Uhhh, yeah that is real INTEL there. Sure, today a lot of intel comes from the news because they are there and are quick to report it. Quicker than actual intelligence officers in the field, because, they are “in the field” and cannot just pick up a phone and call Langley. This stuff though, was just riddled with suppositions and half baked theories which I am now pretty sure, made it into finished reports… And that is sad.

Overall, my impressions from reading the emails and not seeing anything else bespeaks an organization that was hungry for money, willing to do what it took to give their clients “reports” and throw caution to the wind as to the veracity of their data. This is not an intelligence agency in any way and certainly should not be looked upon as any great threat.

Much Ado About Nothing

So, there you have it. It really is much ado about nothing. The emails show a certain callousness as well as a greedy disposition (8k for a background check/dossier on someone? Holy WTF indeed!) Generally, I would be more afraid that their data was faulty and full of half truths than real solid intel from sources that they have cultivated. In fact, I would go as far as to say someone like Jericho might want to check their stuff for plagiarism himself because I think they must have ripped off someone in the news somewhere along the way, but, that is just my theory.

This firm should be afraid now that it’s emails (if all theirs) show a company that is hamfisted in its approach to data collection and analysis as well as one that did not perform ANY due diligence for its customer’s sake. That last bit there is really really important as well. Any intelligence agency kids, would in fact perform the due diligence to protect their sources and their customers data. See, when real spies let stuff like that out or commingle it in email spools, people tend to die.

*Another point I meant to bring up earlier.. None of this stuff would appear all in one spool in a real intelligence operation*

This is all much ado about nothing and once again, the kids with Anonymous and Wikileaks have failed to understand the realities of the world that they now want to play in.

Intelligence.

Where Problems Do Come Up

Finally, I would like to enunciate the areas where I think there are large problems for Stratfor from this dump.

  1. Bad data and poor vetting of sources
  2. Bad OPSEC and Security Hygiene
  3. Lack of controls other than tags in emails for classifying data
  4. Lack of proper analysis of information collected
  5. An utter lack of equanimity in their analysis and collection

Lastly, this email covering the new capitol fund company that they started has me wondering. Would this not be insider trading using espionage? How is this not illegal? Really? You are going to start a new wing of business that is connected to your private intelligence firm that will profit from the collected intel you gather?

*shakes head*

I suspect that the senate may want to look into that..

Oh.. Wait.. Seeing as they too are also in the throws of some insider trading scandal as well, maybe they will just leave that alone eh Fred?

I guess the lessons learned from this whole event are; Never trust a scorpion on your back crossing a river… And don’t take wooden nickles from Julian Assange. though, I guess Fred really says it all in one quote from an email linked below:

Therefore while Stratfor is committed to intelligence collection, it does not intend to be slavishly committed to it.

There you have it.. Pretty much covers the matter huh? Where’s Gordon Gekko when you need him huh?

K.

 Fun reading from WL:

Sourcing Insights: http://wikileaks.org/gifiles/docs/97882_re-alpha-sourcing-insight-.html

EPIC QUOTE http://wikileaks.org/gifiles/docs/898587_draft-of-handbook-chapter-on-organization-.html

Written by Krypt3ia

2012/02/29 at 21:41

Just Don’t Be Naïve: Anonymous, Occupy, Cyber Terrorism, and Jingoistic Rhetoric

with 2 comments

Don’t Be Naïve…Or A Conspiracy Theorist

A post from rjacksix, a.k.a. Robin Jackson caught my attention on Infosec Island today and given my past history with him, and the subject of the post, I feel compelled to respond. The post: Don’t Be Naïve about Anonymous or the Occupy Movement” is full of logical fallacies that assume a lot about the organization as well as it’s followers that indeed beg the idea that there is a darker cabal at its heart. While there may be a few out there who might fit this description within Anonymous and Antisec, I doubt that the contention that there is larger cohesive operational command and control afoot is the case.

Frankly, the post comes off as full of dark conspiracies verging on the loopy-ness of New World Order that tag the main stream media as a part of this vast “conspiracy” against America.

*blink blink*

Really? Hey Jacky, what’cha been smokin? Dude you just moved into Detective Munch territory… And, you ain’t on TV mmmkay?

He starts off the post with the dark territory of conspiracy and then dismisses it as just a minor plot point,only  to go on and argue the malice against America that Anonymous has. Well then why mention the conspiracies at all Jack? You wanted to make a point there but you don’t want to back up the argument? C’mon man, give us more than links back to your own site for reference. How about some other kinds of say, oh.. Evidence? Stay on point dude.

I guess you just kinda want to gloss over that huh?

Anonymous vs. Antisec vs. Other Forces At Work (giving too much credit to Anonymous)

So, the post goes on to claim that Anonymous is a threat just as General Alexander (NSA) intones. Well, uhh Jack, Alexander did not say that Anonymous was a threat “now” in fact, if you read the comments, he said they may be in the future and that they “could” do something like attack portions of the grid.

Ayup.. Well, yeah sure.. They could. But then again, so could I and a couple of other guys I know, so what?

The fact of the matter is that Alexander was projecting a bit there wasn’t he? I too have seen the pastebins and talk about SCADA systems and yeah, I would be concerned that some of these morons might actually go out there looking for a grid or a water system PLC to fuck with. I am pretty sure they already have in fact, but I cannot prove it, can you Jacky? Got some real proof? I mean pr0f_srs did a bit of poking about, but he posted that stuff for the people to see.

Documented… Not hearsay on the IRC man. Show me screen shots or it didn’t happen.

The fact is, Alexander did not say they had already been in systems and that this was a problem NOW. He said in the future they could gather enough cohesion to do something. So, this is all quite speculative really but ok, let’s go with it, say certain factions of Anonymous want to do this for the Lulz, ok, they could do it now I think on the scale that the general was speaking of. What he was saying in the end is that there could be pockets of outages “if” someone like Anonymous monkeyed with systems. This could happen today with a single intruder as well as a group, whether or not they are Anonymous or nation state actors.

The net/net here is that the general is worried about Anonymous because of their actions thus far. Though, he failed to really make the point that thus far, Anonymous nor Antisec have done anything spectacular in hacking nor in damage to the country as a whole. They have managed to embarras a lot of people, cause some financial pain for some, and others have had lulz at their expense.

It’s not that I condone any of it.. But… Really? This begets a a substantial threat to the nation and needs the attention of NSA?

It’s not a problem for NSA on the face of it. It is the problem of the NSA underneath it all, which Jacky does not talk about. It’s the idea that Anonymous could be used for False Flag operations by other governments and or terrorist organizations across the globe. Something he did not mention at all but I wrote about Tuesday. By this I also mean that some Anon’s may actually play a part in the hacks, but, more than likely, it would be others hacking for said countries or terrorist organizations under the name of Anonymous.

There is a specific difference there and once again Jacky blows it all out of proportion. Does he infer that perhaps the core hackers that comprise Antisec/Anonymous are in fact the working at the behest of these other entities? No, I don’t see it in his post.. Do you? Nope, he just once again glosses over the fact that this could be the case, instead he claims that Anonymous and OWS have “malice towards the United States” (while draped in the flag) which to me is quite misleading and disingenuous.

Malice Against America!

Malice toward America.. Hahahaha wow. Doesn’t that just sound like an existential threat to the country huh? I bet general Alexander wishes he had said that! Look, yes, there are some now within the collective who likely hate the US. Yes, there are likely terrorist sympathizers if not outright members of certain terrorist groups in the mix as well. However, I would say that on the whole, Anonymous is comprised of witless stooges in their tender youth who have no clue what they are doing other than being counter culturally cool in their minds eye.

Once again Jacky is giving them too much credit on the whole. The use of vile language and humor that is tasteless as well does not mean that they are a threat to the nation. After all, /b/ has been around for a long time and, while they may be crass and base, they aren’t out raping and setting fire to their neighbors homes like “The Class of 1984” I just see the offensive nature once again being spun to mean that they are a “clear and present danger” which is pointless. One does not mean the other, you have to look at actions not just the words Jack.

Are there people within the collective who may in fact be a danger?

Sure.

Do they have that much control over the ADD masses that are “Anonymous”

No.

Once again Jack, you over dramatically play the rhetoric to make your case, a flawed one at that.

ZOMG THE GRID IS IN DANGER FROM ANONYMOUS!

As I have written and posted (with actual evidence and backup fact checking) Anonymous has in fact (factions of) dropped pastebins of alleged PLC/SCADA systems. When checked though, they turned out to be HVAC systems all over the country. The pastebins all touted that this was EPIC and bad. Well, not so much really from the perspective of any kind of “cyber” warfare or infrastructure protection standpoint. So, once again, any mention of this is aspirational to be sure, but, in practice turns out to really be just FUD generating material for the likes of Jack or the main stream media that he seems to think are in a cabal with Anonymous.

*shakes head*

What the NSA (via Alexander) was a little presumptive really and it sure made the headlines. Anonymous (someone claiming to be speaking for them) said that they had not considered this type of action and that this was all just a smear. Well, yes and no. I can see the concerns that NSA has but as I wrote Tuesday, I think it is from the perspective that anyone can claim the name Anonymous and do bad things now. Not just that the Anonymous core will mandate that the masses should attack the infrastructure. Frankly, I think many of the foot soldiers would probably say no to this in the end for fear of really being branded terrorists.

And that is what would happen. It would be an official mandate from the government should someone claiming to be Anonymous took out a city or a town by hacking its SCADA systems. Hell, I frankly think that with the rhetoric today about cyber warfare AND the insecurity/permeability of the Anonymous model, that someday this very thing will happen. It won’t be the end of the world as we know it, but, it will give the government the excuse to take liberties with laws and go after “Anonymous” with everything they have.

This is where I have the MOST problems with the likes of Jack and his rhetoric in these posts… It’s just verbal diarrhea without any real backing by facts other than “I know secret things”…

But that too will be talked about soon in another post.

Let’s REALLY Think About The Differences Between Nuisance Attacks vs. Warfare

Finally, lets look at the problem of what Anonymous has really done as opposed to real damage. Jack uses the term “kinetic” improperly in the top of his post. A kinetic attack would be in tandem with a digital attack. First off, I have not seen anything like this happen. In fact, OWS has very little to do with Anonymous. Anonymous came to their party after the fact really as a support mechanism. To date though, I cannot reccollect an actual attack in the digital realm where a physical one was carried out in tandem with OWS.

Fact is, OWS has just made lives difficult by “occupying” public spaces with their right to protest… You know, something in the Constitution? Yeah, remember that? It’s our right as citizens to protest and this is what they are doing. Do they have a real cogent agenda and plans to do it? Not so much as I have seen really, but they do give it the hippie college try.

In short.. OWS is not a problem.. If anything they are just another nuisance for law enforcement. They are not an existential threat to the USA Jacky.

So, once again we go back to Anonymous and the existential threat that Jacky would have you think they are. I say to you all, that ANYONE could be that threat. APT are that threat! Lone Wolf hackers out there with the right talents and access ARE that threat! In the current modality of thinking that Jacky and others have and this is the fundamental problem. I have also written and ranted about this in the past as well. I am sorry, but none of this adds up to the Die Hard movies in these people’s heads.

Richard (Dr. Cyberlove) Clarke

Gen Alexander (NSA)

Senator (Droopy Dawg) Lieberman

Senator Jay (Moneybags) Rockefeller

All of them think that the world is going to end because the grid will be attacked by the likes of Anonymous or China. Zombies will rise from the grave and flesh will  be eaten as the sun implodes!

Sorry, no, it won’t.

To really have an attack that merits all this hand wringing you would have to have considerable money, time, and effort. Never mind the access that one would need to innumerable systems that would have to be taken out in such a way that they would not come back because they ate themselves (think fire and explosions) and this is not Anonymous even if they made boasts that they could or would do it.

Nope, there might be nuisance blackouts and FUD would abound, but, it would not be the end of the world as we know it. Frankly, this has been around so long and we have had systems like these connected to the internet so long it begs the question “Why hasn’t this happened already?” Well Jacky? Why hasn’t it? Is it that the false flag operators just needed an excuse like Anonymous? Or was it that perhaps the contention that the effort to pull this off is so huge that no one wanted to invest the time?

I vote on the latter.. AND if someone wanted to do this, then they have been planning and working on it for a LONG LONG time now. They have just been waiting for the day when all of their troops are ready to swoop in and take over like “Red Dawn”

Yeah, I went there…

In the end Jacky, I put it to you that you are confabulating a lot here. I think you might be better served by getting a sandwich board with “The End Is Nigh!” on it and raving at the passers by.

K.

Written by Krypt3ia

2012/02/23 at 21:35

Anonymous, NSA, Grids and False Flags

with 4 comments

So… Anonymous Is Going To Attack The Grid Huh?

Ok so Anonymous, or those claiming to be “Anonymous” have put out the word that they plan on attacking the internet’s root DNS servers. This unqualified threat left on Pastebin somehow has translated in the minds at NSA (Gen. Kieth Alexander) that Anonymous will eventually attack the power grid (America’s in this instance) and drop the power for “limited” areas of the country…

Maybe…

Someday…

BOOGA BOOGA BOOGA!

*peers with slit eyes while making magic hands*

You scared yet?… Cuz this works great at the kids birthday parties.

Seriously, Anonymous has never officially made a statement (as if they really could given their model of operation) about attacking the power infrastructure at all. Sure, there were some drops of IP addresses in the recent past that they claimed were SCADA systems (they were, but they were really only HVAC systems in various places across the country) So where is the NSA getting this all from? Surely they are projecting a little bit here huh? Such an imagination on these guys!

Wait.. What’s that? There was a movie about something like this? Oh yeah… “Live Free Or Die Hard” THAT’s where they saw this! They think Anonymous is gonna have a big FIRE SALE! Well, it’s a logical conclusion I guess.. That is until you let logic actually cloud your thinking and decide that it would not be in their best interest to do such things as a group.

Damn, there goes the screenplay I was thinking of!

FUD MUCH?

Down to brass tacks here.. Dear NSA… Really? How about this, how about instead of worrying about it, you maybe force the PLC makers and their interface third party contractors into actually securing their shit? Maybe re-design and re-tool everything a bit and re-mediate the issues in the first place so there won’t be this great ability to attack such systems as they sit on the internet? This whole line of dialog that the Anon’s are gonna attack the grid is a bit premature and really does a disservice to us all. This is especially the case when you talk to journalists hungry for a cutline that will make the wires buzz and get their byline in big print.

This is plainly just FUD of the worst kind Kieth and you should be ashamed of yourself.

First off, you are gonna tell me that Anonymous or for that matter Antisec is going to be stupid enough to attempt such a thing. This would be a death blow to the group. I mean, if they did this kind of action, then they would be the most hunted of all the problem children online. Secondly, you are giving them WAAAAAAAAY to much credit in the technical skill department here. Look at the attacks these guys have been pulling off! They have all been quick hits at low hanging SQLi fruit and you seem to think this implies great skill?

Kieth, do you even know how to run a computer? Do you have a working knowledge of hacking? Cuz, I am telling you right here and now, I don’t think you know what you think you know.. If you know what I mean.

To date, the hacks that the skiddies have pulled off have been embarrassing and surely a pain in the ass, but they have not been 3l337 as they say in the biz, nor have they really shown any cohesive ability to plan larger and more complex operations at all. In short, and I know you have heard the term I am about to use.. Anonymous is not synonymous with APT. Please do listen to what Bejtlich said in the WSJ piece (finally he and I agree on something.. Shouldn’t the forces of gravity and magnetism stop now and implode?) This is not an issue now and I really doubt that it will be an issue later.

Unless you take into account that Anonymous may in fact not be the ones that do it… They just use the convenience of the name and their poor operational model…

Say, Is That A FALSE FLAG In Your Pocket Or Are You Just Glad To See Me?

So, this brings be to a conversation I had earlier about all of this on Twitter. I spoke of this very thing at DEFCON last summer and I would hasten you all to consider what I am saying again. IF Anonymous does in fact attack the grid, I would put to you that it is not in fact “Anonymous” whatever that may be, but instead those nation states using the nome de plume of the collective as a cover for their actions against a sovereign nation. This is called a “False Flag” operation and it would be used to attack while having the perfect cover (thanks anonymous!) for the operation to be pinned on others.

Say China (the usual suspect) wants to test our ability to deflect such an attack and decides maybe to hit a small power grid in podunk Iowa. They could just as easily post a pastebin saying AH HA! ANONYMOUS IS GONNA HIT THIS FACILITY! and then just do it. Alternatively, they could claim it after the fact as Anonymous and no matter how much the Anon core would say “WE DIDN’T DO IT” no one would really believe them would they? Especially now that Kieth is out of the NSA closet here huh? This is a win/win for the nation states and a lose/lose for the Anon’s really.

I warned you….

So, now the stage is set and we anxiously await the curtain to drop…

*pops popcorn*

Satire Aside…WTF?!?

Anyway, I just wanted to re-iterate that once again we have the media running with a story that seems to have legs, and even if you read into it “This won’t happen now, but soon” it still does the trick for the government. After all, I am sure many out there are now worried that Anonymous is after their power systems. That one day their lights will go off and a large shadow of a Guy Fawkes mask will hang in the air like some plot device from a James Bond film..

Or.. wait.. Like the capitol blowing up in that last Die Hard film…

So, which one of you Anon’s is Thomas Jane?

Sabu?

Meh.

Look, see through this WSJ story as either one of two things depending on your bent and jaded nature.

1) NSA is really worried about this and not so much Anonymous but nation states using their name… (this I can get behind)

2) NSA/Kieth et al. Are using this as a means to an end to get what they want… They want complicity on the part of the people to enact more laws and oversight on their part of the internet… And by proxy control over all our privacy.

Up to you guys what you think…

Either way though, I would say that Anonymous has let the genie out and they did not account for this.. You all could be in some deep shit here..

Let the games begin!

K.

Written by Krypt3ia

2012/02/21 at 23:02

Posted in .gov, Anonymous, AntiSec

Monitoring Social Media: Open Comm’s vs. Secret Operations and Big Brother

with 2 comments

Social Media Monitoring: A Rubric for Control

It seems that things are coming to a head in the strange world of government surveillance for “our” protection. Of course I see the expeditious rise in this kind of activity due to the likes of Anonymous and Lulzsec/Antisec coming to the scene and forcing the hands of those in charge. This is not to say that the legislation and skulduggery would not have happened without the Anon’s but it may have been more of a frog in a pot of water scenario as opposed to getting zapped in a flash. So, in a way, you can thank Anonymous for speeding up the process as well as perhaps creating the environment for really poor ideas to be floated in a hurry to “protect” us all from the bad people.

Dealers choice there I suppose…

All this aside though, we now are faced with DHS wanting to be in charge (or at least pay GD to do the work) of monitoring “Social Media” on the internet. First off, let me assure you all that DHS monitoring Social Media is akin to a severely autistic individual being assigned as a babysitter for an infant. This is one of the worst ideas I could ever conceive of as these types of things go. Even with GD doing all of the grunt work, the actual evaluation of any product would be carried out by analysts from DHS, and boy, they are so ill equipped to handle this. Remember, these are the same bunch of folks that brought you that classic fiasco of “Russia is hacking our water system in Illinois!”

Suffice to say, that I do not think this will go well and that the idea in and of itself, to monitor Facebook and Twitter will only lead to more of the same old false reports of doom and attacks that the Bush administration brought out every few weeks with the terror color coded chart. In short, FEAR FEAR FEAR! All the while, they will only target people who happen to say things in a tweet that will be overblown and have them tossed out of the country (i.e. blowing up america by the Brit recently)

FUD.

Just Who Will Be Monitored Really?

Aside from the lowest of low level jiahdi’s or Anonymous, just who will be really monitored by this program do you suppose? Why, you and I of course! I mean, it’s really just open source isn’t it? The real targets are the stupid and the public here really and one must face this fact and accept it. This is no program that will actually end up with real terrorists being caught and cells disrupted you know. See it for what it is, a means to an end to have a simulacrum of control over the internet and the people using it.

.. But Krypt3ia.. They are doing this to catch the bad men” you say.

Sure, you can believe that if you want to, and there may be factions within the community that think this is the case, but, overall, you have to look at the pool being harvested from here. Since the advent of the Patriot Act, we have seen the FBI and others over-use and subvert the law to effect warrantless searches for domestic cases much more than terrorism, the thing that the Patriot was created for. What this really is, is a drift net approach to law enforcement because technically, the government and the LEO’s are not capable of keeping up with the crime, never mind the terrorism really. So, they fall back to the idea of we can monitor everything and after the fact go back and look at data for “anyone” to make a case.

Easy as pie…

I am not inclined to believe that these measures are to be proactive either. Predictive maybe to an extent, but in prediction, we get another whiff of control do we not? After all, the predictive nature of this type of monitoring is what the CIA and other countries do to assess when there may be an outbreak of civil disobedience or perhaps insurrection might be a word for it? Either way, this is a means of control as well as a means to detect and perhaps deter depending the use of the owner.

It’s a tool, and it is up to the user what they will do with it. In the case of other states such as Syria, well, you can see how the technology is being used. Here in the US, I am not saying that this will be 1984 all over again, but, do you really believe that you, the citizen, in the current environment will be able to know what is going on? Will you be able to FOIA the results of the testing and the monitoring to tell if its being misused? If you think that this will be in fact the case, I think you will be sorely surprised when you find that it’s all been classified and out of reach when you have questions. Frankly, I just see this as the next iteration of “Total Information Awareness“.. You know, John Poindexter’s baby? Yeah, fun fact, it never really went away, it just went into the black budgets and or changed names.

In the end, if you have a twitter account, facebook, myspace, blog, etc, you will be monitored.. Especially if you speak your mind or use key words that trigger an analysts attention.

Kinda like the NARUS STA’s in the MAE’s out there siphoning data too.

Oh, Don’t You Worry, No Matter What They Say, YOU Will Be Monitored

In the interim though, the congress has had a meeting over the privacy concerns over this little project by DHS. The congress-critters got all up in DHS’s shit about the issue and said they are not comfortable with the program/laws around this. Now, that the congress acted on this, one might think that it would stop the program.. I am not so sure it will in fact do so. I think that the case will be made and assurances given that only those who are evil doer’s will be audited and that no privacy will be breached by such measures.

“We’re here to protect you”

It’s an old argument really, but in today’s digital world, the issue is that instead of say, a black chamber opening mail in a secret building by hand, you instead have machines collecting everyone’s data and sifting through it all for key words, phrases, meme’s and other data. This then spits out the alerts and an analyst then looks at it to see if it warrants being passed along to others in the food chain. What also may occur here is that even if it’s not terrorism, they may in fact pass data on to others who may start investigations on those hits, even out of context, as you might be an agitator or show a tendency that they feel uncomfortable about.

Hell, today, if you buy a coffee at a starbucks with cash AND you use WIFI AND you use encryption, YOU might be marked as suspect due to the fliers recently put out by the DOJ and the FBI on how to tell if one is a terrorist. God forbid you have a missing finger(s) as well.. Then SURELY you are a jihadi or a militant.

*snicker*

Oh well, fear not gentle reader.. Because all of what I have said above about this one program, means nothing really. Why? Because this one program is only “one” of many out there being used by the government(s) to trawl the internet for data. I have mentioned a few others above and you can go look up the terms and see for yourselves. Post 9/11, we have truly become a watched commodity via the internet and all other means of communication we can buy. All of these programs have been put together with the veneer of being in place to protect us from another 9/11 and perhaps some of them were made with the best of intentions, but this idea of monitoring social media, well, it’s a little half baked really I think.

In the end, only the stupid will be caught. I mean really, look at what lengths OBL went to with cell phones and runners with messages, do you really think that much of the global jihad is being carried out over open communications lines like Twitter and Facebook? Sure, maybe people congregate there and THAT is useful information, but, to monitor the traffic of everyone to get targeted data on “some” users is just useless if your goal is only to go after the terrorists.

Remember.. Above all it’s just a driftnet to make it easy…

Making Your Own Privacy Because You Soon Will Have NONE

I guess what this whole rant is boiling down to is this, and its something I have said before on many occasions: “You alone can make the privacy that you need to prevent such monitoring” Encryption is the key to all of this. Whether that crypto be something along the lines of PGP or Vigenere is up to you but what counts is that you are taking the pains to protect the communication that will pass over the wire. You can’t trust the owner of the wire and you certainly cannot trust that the government or, hackers for that matter, aren’t watching or monitoring you either. So, it’s up to you to make the privacy happen.

With the onset of all of this, this week we also saw the first (I assume of many) solutions for encrypted tweets come along. I for one, would love to see this solution work and be used by many on Twitter to protect their privacy, but, then again, this is kind of an oxymoron huh? As I said earlier in the post here, who would use open lines to commit crime? So, once again, we are back to the level of what privacy can one expect as well as if one wants to be private, use a means to protect that communication.

*shakes head*

After that little turn, it really becomes clear that the monitoring of twitter and the like really comes down to a privacy violation by the government to feel as though they are in control. The smart people will not be talking on twitter about blowing things up and everyone else who may say such things are doing it in jest, but will end up being investigated for their poor choice of words (140 characters at a time)

It’s a sad world we live in.

I hope that congress denies the DHS their wish, but, I am also certain that if they do, DHS will only hire out again to the likes of GD to do it anyway off the books so to speak…

In the interim, I will continue to encrypt love notes to DHS and others in hopes of making their day..

OOH LOOK ENCRYPTED MESSAGES! TERRORIST! WATCH EM!

K.

http://www.pcmag.com/article2/0,2817,2400429,00.asp

http://www.huffingtonpost.com/2012/02/16/dhs-monitoring-of-social-media_n_1282494.html

Written by Krypt3ia

2012/02/21 at 19:04

Posted in .gov, 1984

Dr. Cyberlove… Or, how I learned to stop worrying and love CYBERWAR!

with 4 comments

“Based on the findings of the report, my conclusion was that this idea was not a practical deterrent for reasons which at this moment must be all too obvious”

The Cyberwars and Your Government

Today I opened an email/link that started me on a long strange trip into the wonderful world of cyberdouchery once again. I suppose that since I work in this business I should not be surprised to be brought to the heights of Tourettes ticking and swearing by what I read, but, yet again my brain just dumps like a BSOD and the stupidity laid before me. The quote that got me is the following from a Senate hearing yesterday afternoon:

“I fear that when it comes to protecting America from cyberattack it is Sept. 10, 2001, and the question is whether we will confront this existential threat before it happens,”

Senator Joseph Lieberman, an independent from Connecticut and a co-sponsor of the bill, told his colleagues, according to a prepared text sent by his office.

Joe… Joe you are a moron.

*facial tick*

Comparing the FUD of a cyber attack on our infrastructure to 9/11 is the WORST kind of fear mongering and pandering that I can even consider and YOU Mr. Lieberman have no idea what you are talking about. It is unconscionable that you go around spouting this crap in front of your colleagues as a means to an end to getting a bill signed with your name on it! I was yet again astonished by the hubris of this guy until I read the next graph of the story where he is backed by Jay Rockefeller;

“We are on the brink of what could be a calamity,” he said. “A widespread cyberattack could potentially be as devastating to this country as the terror attacks that tore apart this country 10 years ago.”

 HOLY WTF?

Really?

So, you and Lieberman are saying that you are both experts on hacking, infrastructure design and implementation, AND just KNOW that its indeed possible to just destroy the system? That that system will cause a cataclysm that will end life as we know it? Sure sounds like you think you are on top of that. Oh, and you two are going to bring the specter of 9/11 in there as well huh? Is this the only number you guys know? I mean even Hope & Crosby had other dance numbers they could throw out there to entertain in those road movies!

Hey, I have news for you two.. 9/11 did not destroy us. Nor will any attacks, “if at all really possible” on our infrastructure. You are just using jingoism and FUD to sway the other morons on the senate. I know you two are not hackers nor are you even able to understand IP implementation never mind anything on the OSI layers..

So.. Where are you getting all this crap?

Enter Dr. CYBERLOVE

Enter Richard “Dr. Cyberlove” Clarke III, a man of mystery brought here from Germany in Operation: PAPER-CLIP. The man with the plan, the only one who KNOWS that the cyber villains out there can easily subvert all of our systems and turn out the lights on the US within a matter of 15 minutes.

He’s in the know and he’s got a plan.

Quietly in the background he is whispering into the earwhigs of Rockefeller and Lieberman, telling them what to say. With gravitas, he whispers in his not quite so German accent about how absolute pandemonium will break out if the Chinese and Anonymous break into a water facility in podunk Iowa and tamper with a bilge pump. A cascade effect will build from that single small failure until minutes later we are all out of power and unable to respond to… to… Something.

Yes, it’s the likes of Richard Clarke and others out there in the world with desires on the security space and having “powers” as well as sacks of money, are the ones selling this crap to the senate and the house. Spinning tales of absolute destruction to those who can’t even plug in their own DSL routers at home. Selling them all with tales of 9/11 and how devastating it will be once the hackers gain control of the pipelines and the power grid and the planes, trains, AUTOMOBILES!

FOR GOD’S SAKE FLEA! SAVE YOURSELVES!

Or… You could maybe make some new laws granting more powers with less oversight and understanding *he says sheepishly* Let us handle it all for you… It’ll be ok. I can help, I am in the private sector now and I happen to know these guys.. Well, it’s a company.. Well, uhh yeah I kinda am CEO.. But.. WE CAN HELP YOU!

For a fee…

CHA CHING! FUD, Legislation, and Sales

The one thing that I can kind of agree with that AntiSec has put out there (the old one not the new) is that generally, there is too much FUD being sold to the straights to make sales. The snake oil is thick out there and the use of terms like DLP, DPI, and APT are buzzwords that make sales through fear and whizzbang. I the case of APT it is one of the most misused terms today that unfortunately gets put on the side of appliances and in brochures that offer the cure all to your ills.

There are too many companies out there with marketing schemes selling to the latest FUD nomenclature and it is really quite sad. The saddest thing though to me, is seeing such snake oil and chicanery being used on our government and the congress critters to manipulate them. In the case of the congress it is not only the interests of those companies monetarily at work, but also, as I alluded to, other forces, perhaps somewhat darker in nature.

Power.

Digital land grabs are being made by corporations (MPAA/RIAA) as well as the military and other services seeking to have dominance in a new world of opportunity, the digital space where, just like the days of old, you can do pretty much what you want to, until it is legislated on. So much of this lately though, seems to be corporately driven (MPAA) with ACTA, SOPA, PIPPA and so on where corporations want to control the space in order to not lose profit. Sometimes I understand this, in the case of IP (Intellectual Property) it’s warranted in many ways. However, the lengths that the MPAA and others want to go to to get what they feel is theirs is completely out of scope with the realities of the world.

It really just comes down to profit margins in the end.. And they are willing to spend big bucks to lobby the government to get their way. Sadly, the lobbyists cater to the senators desires for money to keep their jobs as well as perhaps line their pockets

(poor babies soon won’t be able to carry on their insider trading in the senate! OH NO!)

Awww.

Hi, I’m Your CYBER-WARFARE Lobbyist Chip…

On the other end of the spectrum we have the military and their desires for dominance of the battlespace. They make dire predictions (ala Dr. Cyberlove) that the infrastructure is gonna get taken down, and that we will see our civilization crumble before us.

Poppycock!

Sure, there are potential issues with regard to infrastructure and hacking/warfare, but, it is not such that we need to frame it and clothe it in the ripped flag of 9/11 do we? Obviously these guys all think so. I would beg to differ, and I find it shameful that it has come again to this jingoism. It is fair that the military and others might want to get ahead of the curve here in the protection of what we have. However, it is necessary that a clear and non slanted approach be taken to the problems at hand. The studies out there are few and far between (those available to non TS folks) on the actual risk assessments of the current infrastructure. I for one would like to see a practical assessment of the current technologies in place and just what it would take to bring them down..

Hard.

Instead we get theories and suppositions as well as the old “trust me”

Well, I work in the business and I know more than a few people and as yet no one I have talked to is often hiding in their basement waiting for the end to come from this vector of attack.

… And there is a singular reason..

REALITY

The Realities of Information Security and Digital Warfare

Somehow reality seems to be a foreign concept to many of those out there in the FUD sector. Whether they be corporate, government, or military, they all seem to be living only in the last Die Hard movie existence than in any consensual reality the rest of us have. I recently read a paper by Sean Lawson  that pretty much summed it up for me. The take away is that the realities are different from the perceptions of “cyberwar” on all levels.

  • Technical levels,
  • Sociological levels
  • Perception levels

It’s a good read and covers the truth that even with substantial incidents, society tends to band together and survive. So, when you hear the dire predictions from the likes of Dr. Cyberlove, you should stop and think a bit about this paper. Surely there are areas where I disagree with Mr. Lawson, but the basic premise stands. Nothing, not 9/11, not Chernobyl, not Bhopal, utterly destroyed civilization and a cyber war certainly won’t as well.

Additionally, from the perspective of systems (be they natural or man made infrastructure) tend to have resiliency built into them to some greater or lesser degree. This means that the very nature of the “internet” is to be labile enough to handle an attack. The same could be said about the electrical grid. There is no way presently that everything could go dark in the US short of there being a large EMP accident stemming from a mass coronal ejection. It would not happen from a “cyber attack in 15 minutes” as Dr. Cyberlove would have you believe in his book.

Even with all of the SCADA out there connected to the internet I still cannot see my way to equating ANY of it to 9/11 levels of scary nor do I think it at all appropriate. We are presently at a state where espionage and LULZ are king. These things are not going to destroy our way of life. Only the stupid that is being propagated by the misinformation and outright obfuscation going on in the senate and other places is.

What We Don’t Understand We Fear… Like a VCR clock that blinks 12:00 All Day Long

Fear is the key. Fear is being used as a cudgel against us all by it being trotted out for the government to see and feel. All of these players making the laws can’t even program their DVR clocks never mind making laws about such technical subjects as hacking and information warfare. Yet, here we are, reading in the NY Times about how two senators are making bold claims about how horrible the day will be when someone finally hacks the matrix and turns off our lights or messes with our traffic lights.

Fear on a general level is the great motivator and I am afraid that they are afraid because they lack the understanding to know any better. I also fear that they keep getting bad information from the likes of Dr. Cyberlove and his pals who are just as misinformed but have a platform to speak because they are snuggy bears to the senate. On a mass scale, the general populace fears it all because they too don’t get it all, it’s a magic two thousand dollar facey-space machine to them… It just works, as the Mac heads say. They need not know how it works or how to protect it.

They are wrong.

Though, I don’t expect them all to be experts, but I do expect that real experts would be put in front of the people who make the laws and forge the countries direction on such things. Instead we get Pinky and the Brain.

*hangs head*

Our collective fears could allow these governments to control more and more of our online lives as well as place us in the position of the always monitored and suspect populace. It’s already happening and I fear that with the help of the Dr. Cyberlove’s it will only get worse.

Cyber DOOM

So, where is our cyber doom? Our real cyber doom is allowing this to go on. To not get involved and correct the silliness that is being propagated by the likes of Mr. Clarke. We will continue on this path and eventually something will happen. The Dr. Cyberlove’s of the world will say AH HA! WE TOLD YOU! but the reality will be we will move on. There will be no apocalypse. There will be no Cyber Katrina, the systems are just not that connected and it would take a HUGE effort to make that happen with kinetic attacks (picture Red Dawn, Chinese dropping into our country in parachutes) to cause the real “war” they seem to be predicting.

I just don’t see it happening.

Instead, how about we just talk about doing the right thing and protecting our networks from attacks big and small? Perhaps a little “due diligence” so that we are protecting things and are being accountable?

Is this too much to ask?

K.

Written by Krypt3ia

2012/02/15 at 21:22

Jihadi Information Warfare: The Next Wave

leave a comment »

Jihad Post Anonymous

In the recent past I have written how I had been seeing movement toward more E-Jihad actions by the jihobbyists online at sites like Shamikh. Well, another look has provided me with more fodder for this idea including actual direction from online sources like TNT_ON on how to support hacking attacks ongoing between the likes of 0x0mar and others in the alleged “Middle East Cyber Wars” More and more of the postings on the boards out there have transitioned from bomb making and sabre rattling over sleights to how to’s on infowar involving hacking. It seems to me, that Anonymous has let the genie out of the bottle on this one and now the Jihadi’s are following suit after watching all of the hand wringing and distress from the likes of Anonymous and AntiSec’s antics.

Not only have the jihadi’s taken to this idea more and more because of what is going on with AntiSec, but also it is finally fulfilling their desires to hit the infidels without having to strap on a bomb vest themselves. This is something I have written about in the past with regard to what Samir Khan and Al-Alawki were trying to foment with Inspire magazine and failing to reach the next gen of jihobbyists who are more self centered and unwilling to act for fear of the repercussions. Now, with the hacking model of AntiSec, they have seen that they can do damage AND not necessarily be caught (right away at least) as well as not have to blow themselves up in the process.

It’s a win win for the jihobbyists and AQAP (the new AQ) and add to this the recent video by the old man Zawahiri (get off my lawn!) to the jihadi masses to start working on Syria as the next field of battle. A correlation of this is a post on Shamikh that shows TNT going on about helping with comm’s in the area for AQ and the revolution there. The battle to destabilize the regime and perhaps have an AQ?Salafist win when the power vacuum occurs is high on their minds, and by facilitating things they see themselves helping the fight that will win the day for the global caliphate.

Backtrack 5 and Jihadi’s … Now There’s A Mix.

As an effort to get the global cyber jihad going, tutorials are popping up all over the net along with certain Islamic hacking sites offering not only how to’s but also software and targets. One of the more interesting developments is how the jihadi’s are now going mainstream hacking with the use of things like Maltego, and Backtrack 5 as well as using sandboxed USB drive operating systems. This is not your old jihobbyists online, its changing before your eyes. Now, this is not to say that all of these folks are becoming sophisticated hackers, but, one need not necessarily be one in order to sow chaos or hack a site nowadays right?

There have been tutorials on SQLi as well as how to use Metasploit online for a long time, but only recently have I seen them being translated into Arabi and placed on the technical forums. This means to me, that even the low end of the technically capable can now boot up their tools (courtesy of the security community) and viola, hack a site… Of course, what they plan on doing after that is not clear. So far these guys have not figured out the full Anonymous model’s relevance to the global jihad.. Yet… I think though, that as Anonymous/Antisec moves along further, and the words of OBL reach their cognitive centers, they will understand that even this realm of warfare can be used to hit the infidels in the pocketbook, sow fear, and serve as the digital side of the kinetic attacks that the core of AQ would love to perpetrate for large effects..

Short answer.. Digital Warfare in support of actual kinetic attacks on infrastructure.

 

Maltego and Jihad.. Hmmm..

TNT_ON and AQ Comm’s Support for Syria

SQLi, The Anon’s Love It, Why Not Jihadi’s!

The Take Away

I have been pointing this out for a while now and the jihadi’s have been evolving. While the Arab Spring goes on and the changes are sweeping those countries in the Middle East, the jihad has begun to take notice of this area and asked its acolytes to learn. The E-jihad is budding in tandem with their thirst for power vacuums in places like Syria and Yemmen where they hope to take over by winning the popular sentiment. What they fail to see though is that they are not as loved as they think they are.

Meanwhile, in looking at Islamic/Muslim/Jihadi hacker sites, I am seeing the rise of a new player in the Anonymous space… Perhaps even they have become a part of that space and are working within. After all, Sabu keeps playing the Palestine Liberation card in his imagery and speech…

How long til the zeitgeist catches on with the kiddies…. The defacements ongoing and the dumps of credit cards are only the beginning  I think…

Now we can add Jihadi’s to the list of players in the great game of “Cyberwar” *cough* hate that term still…

K.

Written by Krypt3ia

2012/02/14 at 16:35

Posted in AQ, AQAP, CyberPocalypse, Infowar

Trolls, Cutouts, and Disinformation Operations

leave a comment »

B0bby Mann International Man of Misery

Kevin McAleavey posted a piece recently about how he thought perhaps that the Symantec code released to the world by YamaTougher may have in fact also led or could lead to some compromise of EMC and or RSA. While his post makes certain assumptions (self acknowledged) it was something to think about a bit as a potential collateral damage situation for RSA and EMC.

Fair enough.

Soon after posting though, a user named Bobby Mann immediately called the author on his premise and made assertions in a rather rough fashion that he was in fact out of his head. While I personally have been known to make such assertions myself, I usually back my statements with facts and call out those who blatantly sow FUD among the community. In this case though, Bobby only got himself banned from the Island over further comments and actions that really just say he was a common “internet troll”

Soon after though, connections between Bobby and Symantec surfaced (his company is a re-seller of Symantec) and this piqued my interest in him as well as his commentary. You see, anyone connected to Symantec in such a way might in fact have something to gain by being the naysayer in this area right? Well, sorta at least, I mean the damage is done right? Symantec was pwnd and the code (though it be from 2006) is out and about. It just leaves more questions around the security of Symantec and its code further down the line from 2006 doesn’t it?

It also begs the question of what else may have been compromised there.. Or still may be?

In fact, I posted a piece on this very thing and have been fielding comments trying to minimize damage in a way to Symantec from someone, all the while though, I feel it still a valid question..

“Is Symantec still compromised?” “How is it that the people today at Symantec did not know about the 06 event?”

I only ask because in the news cycle they say they did not know they were compromised… Or was I hallucinating that?

Anyway, Bobby the troll got booted and seems to be done with the trolling for now. If you go back through many of his comments though, he does have quite the history of this.

Meh… Trolls…

Discernment Between Cutouts and Cutout Trolls

This event though made me think about trolling as a means to another end, an end that is just not all about being a penis. In the case of Bobby and Island, it seems that perhaps he may have something to gain in protecting the reputation of something his company re-sells. Others, like the comments on my blog post about the elephant in the room (Symantec’s failures and possible insecurity) may also have the same goal as well. I am unsure as to their real intents. In the case of Bobby, well, he seems to be rather “Trollington Bear” altogether so I lean toward that. The blog comments though to me, sounded a lot like someone who maybe invested in Symantec and did not want me driving their stock prices down.

Trust me.. I didn’t.

I guess what I am getting at is that trolls, while always available in the wild, also may in fact be cutouts for manipulation of story lines and perceptions under the right circumstances. One can even make the same case for YamaTougher him/themselves. Ask yourselves why YT would go about the things that he/they have done with the Indian angle as well as releasing old code and attempting to play the extortion game with Symantec.

What do they gain in attacking Symantec directly?

Are there others who would benefit from such an exploit as this? A company or persons unknown who could have some financial gain perhaps?

A competitor?

One wonders… In looking into Bobby he has a pretty consistent internet presence including a Linkedin profile as well as G+ etc etc. Though, the data within those sites is sparse and can lead one to believe that perhaps they are just a cutout series of accounts to lend credibility to his online persona. I guess in the end I just lean toward him being a real person…

Albeit a mostly useless one.

Disinformation Op’s And The Interets

Oh well, back to the Trolling on a micro scale. Bobby is a troll for all intents and purposes. So too you could say, is YammaTougher. The difference being between then is just what are their end goals here? This is something you the viewer have to take with a grain of salt with some of these comments on blogs as well as the bloggers themselves posting content to the web. Since the internet allows anyone to post anywhere, one has to separate the wheat from the chaff on what is being put out there.

In today’s world the internet has become the de-facto go to source for information. Wikipedia is a big example of this and as such there have been instances of people and corporations redacting content on their pages to make themselves look better. So, to quote the scifi types out there, it’s easy to “retcon” the truth just by posting it online and promoting it.

So, to Bobby I say “whatever” you can bluster on about how we are all morons for even bringing up the postulate of there being potential for compromise over leaked code. I still say that there is an elephant in the room and it has its trunk in Symantec’s trousers. YamaTougher meanwhile will go on propagandizing his/their alleged hacks and rants against India and other governments.

Big deal.

The problem is that too many people aren’t being discerning enough to separate the truth from the blather…

*I’m looking at you mainstream media*

Keep your wits about you kids… and always keep a UV lamp around to turn those trolls to stone (something I learned from Troll Hunter)

K.

Written by Krypt3ia

2012/02/13 at 19:37

Posted in Disinformation

APT: What It Is and What It’s Not

leave a comment »

What APT is as defined by DoD

  • Advanced – Operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques such as telephone-interception technologies and satellite imaging and HUMINT capabilities. While individual components of the attack may not be classed as particularly “advanced” (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Operators may also demonstrate a deliberate focus on operational security that differentiates them from “less advanced” threats.
  • Nation State or Exceedingly Coherent and Supported Actors: APT usually means that they are Nation State actors (i.e. spies/proxies for nations seeking to infiltrate and steal data or to manipulate data/supply chains etc) This can also be non nation state actors hired by corporations or even in some cases, movements or groups who have hired out for specific operational goals.
  • Persistent – Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful. If the operator loses access to their target they usually will reattempt access, and most often, successfully. One of the operator’s goals is to maintain long-term access to the target, in contrast to threats who only need access to execute a specific task.
  • Threat APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The operators have a specific objective and are skilled, motivated, organized and well funded.

Above from Wikipedia with changes by me.

I had a conversation on Twitter today that surprised me. The talk was about APT and what it really “meant” as well as how one determines if it is indeed APT that you are dealing with. First off, I was taken aback somewhat at the confusion by some in the security field, but then I thought about it and many have not come from the DoD space or perhaps corporate areas that have had direct exposure to APT activities. Secondly, I was amazed and the varying focal points people focused on as the “meaning” of APT.

So, I decided to put this little post together and put it out there.

Yeah.. I know.. It’s been said a zillion times huh? So, why are people still confused? Well, there are some operational details that are not really in the public space so there is that, and the DoD tend to like to make all kinds of silly acronyms… But it basically boils down to what you see above here. The definition came from Wikipedia (I know some are rolling their eyes now! Tough!) I have edited the entry with other information that was not there before and highlighted the important bits with italics and color.

Once you have read the above again… Move on to what APT is not below…

Go on… Re read the above please…

What APT Has Become In The Media and Marketing Maelstrom of Stupid

APT, the bugaboo sales buzzword that has been a wet dream for marketers of all kinds of software and appliances in security these past few years. The short and sweet of here is that APT is not the following;

  1. Phishing attacks
  2. Anonymous
  3. Common hackers looking for credit cards
  4. Your average pimple faced hacker (going with the media perception) in their mom’s basement with a commodore 64
  5. The Chinese
  6. A technical ghost in the machine that cannot be caught unless you buy my product!
  7. Able to be caught with just a SIEM solution that I am offering to you for (insert number here)

APT was in fact the acronym for state actors like China (who happen to be really really active lo these last 5 years or more) and Russia or Israel or France, who were hacking and using a full range of intelligence techniques to not only steal data but to interfere with supply chains or otherwise manipulate corporations and other nation states to their own ends.

THAT is APT.

Of course the acronym has jumped the shark as it is now a buzzword, but, the DoD types still use it as a moniker for the actors that they and others within the space see every day attempting to ex-filtrate data, mess with command and control, and otherwise (mostly silently) mess with us all. They use numerous tactics that interlock and have many teams working toward multiple goals and multiple levels of attack and operational security.

They can use the most elegant of solutions and nimbly change their tactics, they can, on the fly create/edit code to defeat the defenders tactics, and they also use the most simplistic of attacks all in the effort to gain the access they require and to not only further it but to KEEP it as long as possible to succeed in their own ends.

There you have it. It’s not a binary.. It’s a layered approach to espionage and information warfare (IW)

… And your not going to stop them with something like Symantec’s SEP solution..

Thus endeth the lecture.
K.

Written by Krypt3ia

2012/02/10 at 21:21

Posted in APT

BYOD Bring Your Own Device: One of the most STUPID Gartner/Forrester/Executive Ideas EVER!

with 15 comments

God Damned Executives On A Plane

Last night a lively debate broke out on Twitter between Rafal Los, myself and Hrbrmstr about the wonders of BYOD (Bring Your Own Device) A movement brought to you undoubtedly by some moron of a CIO/CTO/CEO and your pal’s at Gartner. Now, if you haven’t run into the concept of BYOD yourself, just go and Google it to understand. Suffice to say that my theory on how this all came to pass is the following scenario…

  • C level executive A was on a plane one day and reached into the pocket in front of him. He pulled out the “In Flight” magazine and starts perusing it when low and behold he see’s an article about how YOU TOO CAN SAVE LOTS AND LOTS OF MONEY if you let your employees BUY THEIR OWN PHONES AND LAPTOPS to use at work!
  • C level exec then gets an EXTREME hard on for the idea envisioning his bonus growing exponentially as he foists the cost of phones to the employee as well as most of the cost of the service plan! GENIUS!
  • Contentedly the rest of the flight C level exec sits pondering just what fancy addition to his yacht he will be able to buy with the savings from this master plan.
  • C level exec immediately upon return drafts an email to the other C level execs with the master plan.. They all see bonuses and shiny things they can buy once their bottom line has been altered by pushing the costs to the employees by making them pay to work (remember the days of company stores and housing? Yeah, its kinda like that again)
The C level conclave concludes and they all decide this is a capital idea! Lets do it!.. Of course, they have not talked to the CSO or CISO and if the CSO is capable, they will raise the question over security and legal/privacy concerns. If they have a CSO/CISO at all.

Alas… They still will forge ahead… Dollar signs in their eyes like cartoon characters.

But.. It Will Make Our Workers SO HAPPY and SAVE US MONEY!

And on it goes, the steamroller of BYOD begins its descent, picking up velocity where it finally makes it to the security folks (if the company has any) and someone will undoubtedly say;

“WHOA, what about the security issues here?

What about the PRIVACY issues?

Legal issues?

To which they will be told it’s all good and not to worry.. Just do it. This even after being told by a smart security person that there are many moving parts here that present major problems that could in fact cost more money in the long run to do right AND that if they don’t do it right, they could be more easily compromised or have big legal issues.

“Do not worry about that.. It will save us money and it will make the employees happy” says the C level… Just do it.

The poor security person is left with the pile of shit idea in the paper bag from then on.. Just waiting for it to be lit on fire for them to stamp out with their new Nike shoes.

The Magic Fucking Quadrant of STUPID (Now With Added Unicorn Spit!)

Soon the security team and the exectives/managers are on the phone with Gartner or Forrester having meetings about how BYOD is the SHIZ and how magic it is in the quadrant and just what companies are offering the newest WHIZ BANG products that will help you “secure” the personal devices for you!

For just 50 thousand dollars YOU can have this solution!!!

*eye rolls all around*

But the executives… They are eating this shit up! They are fully drinking the kool aide and have the purple lips to show it! I mean, its Gartner! How could they EVER be wrong!!

The unicorns have won the day and you, you poor security sod, are stuck with the new task of ultimately making your life more miserable and creating new and silly problems to make your environment and job more complex. Welcome to BYOD.. Bring Your Own Doom. Be sure to buy more Maalox and other products to sooth your nerves and G.I. tract. Your life as you know it is about to change for the worse and when the shit goes down, undoubtedly, you will be asked why you didn’t tell them that this was a bad idea! YOU FAILED TO TELL US!

Remember to be the squeaky wheel… and to save all your emails warning that this… is indeed a bad idea.. Unicorn spit or no.

Technical Problems

But seriously folks.. There are some major issues technically with this idea. Of course the same issues crop up with any smart phone or device that you need to secure but, you are adding complexity to the mix because you need to secure the device AND keep it real loose because its a PERSONAL DEVICE, it isn’t the companies asset! This means that the guy who paid for it wants to USE it the way THEY want. So if you secure it properly, well, then they CAN’T USE IT the way THEY WANT TO!

And this leads to unhappy end users.

So here are just some of the technical problems..

  • Differing OS’ require different solutions for security in some cases
  • Android… OMFG Android rooted by the EU is bad. How many botnets are there out there now for Android? Google also has a real lack of quality control here (nightmare)
  • Adding layers of protection to “sandbox” applications
  • Adding a layer of auditing and tracking to protect the asset (not the companies once again) to protect your IP and infrastructure if said “asset” attaches to your network at all
  • Insuring that CRYPTO is working and or used to protect that IP again
  • Insuring that the system has AV on there and it is up to date
  • Insuring that the user just can’t install anything they want on their asset to prevent compromise of CORP data (due diligence)
And the list goes on.. So here you have it, you are adding layers of complexity to a device that naturally the end user, who PAYS FOR IT does not really want because its THEIR TOY! Its a PERSONAL DEVICE! They bought it! They want to play with it and use it for their amusement. This is a key point here that most of these guys advocating this fail to understand.. Or is it they really don’t care? Suffice to say though that in the end you are forced to add software and hardware solutions to secure the personal assets in your BYOD program that will cost you money. Money to buy, and money to keep updated and licensed.
So, where is the cost benefit analysis here on this? Are you really saving all that much money in the end?
Never mind the legal aspects that you also must engage counsel for….

LEGAL Problems

Legal problems.. Oh yeah, there are many legal issues here with the whole BYOD thing. It seems to easily escape the faculties of the C levels who are all hot for these programs though.  When you bring up these issues, even in the clearest of ways, they still seem to be all for the BYOD which confuses me personally. Oh well, they have lawyers on retainer right? They will just dump it on them and they will work out the details. Details like the following;

  • E-Discovery issues with personal assets and corporate information (the company does not own the device and unless the owner signs a document saying they will give up the phone/laptop/hardware for discovery, you’re F’d)
  • PRIVACY, if you are auditing all that goes on on the device (say a phone) then you can see everything they are doing with their personal/corporate-tized/asset In short, no privacy really
  • The vagaries of corporate IP on personal assets and the legalities of who owns what when and where
These three bullets cover a HUGE amount of the problem with BYOD and people need to realize this as they go ahead thinking about this as a solution to their bottom lines.. AND this is all it really is, its not really about making end users happy. Never let yourselves be deluded into this belief that by doing all of this you will be making a more happy and productive work force. Eventually, those users will come to their senses and realize that they are being used in so many ways and that there are many grey areas.
… And if you have not gotten them to sign iron clad agreements.. You Mr. C level are gonna be in trouble eventually.

Bad BYOD Rising

Nope, this is a bad idea from all angles as I have seen. Yet, people are going for this model more and more as a way to save money and “make workers happy with new toys like iPhones” I only see the technical and legal issues as well as the potential for paranoia and bad blood on the part of the users/owners of their now corporate assets… that are theirs.. sorta… It’s just a nightmare really, but Gartner says its GREAT!

*facepalm*

Please, for the love of sanity think this stuff through before you even think about this model for your orgs!

Savings to the business my ass.. You’re only adding a slow poison to your company and your carcass will be rotting soon enough.

K.

Written by Krypt3ia

2012/02/10 at 12:01

Paper Tigers… Aren’t We All?

leave a comment »

Paper Tigers.. Paper Cuts…

A recent post that echo’s others that I have seen in the not so distant past makes a claim that China is about 13th on the preparedness scale for cyber warfare. Now, you may be thinking;

“But Krypt3ia, the news and you have said they are cleaning our clocks and stealin our data!”

Well, yes.. yes they are. However, they may not in fact be number one in “defense” in this sphere as well. Now, I am not saying they are 13th and the article does call into question the methods of gathering data and the questions asked to make this statement (China being 13th most prepared) but, still, they are at 13 here. I personally don’t ascribe to this litmus test that the survey purports to show on the state of affairs in China or anywhere else where cyber strategy is concerned.

After all.. If they asked China or anywhere else, do you REALLY think they are going to give you the God’s honest truth about their programs and readiness?

Duh.

Offense vs. Defense

Lets flip that bit too and think about offense vs. defense here. After all, it is sexier to be offense and easier right? So, how do you really correlate this “study” in any way between the extreme success that China has had with regard to cleaning our digital clock in relation to China’s own defensive posture? One does not really require that the other be commensurate really, and this is a flaw in the logic of the whole story for me. In fact, it is because we here in the US and other countries were so ill prepared for defense on this playing field really, that the Chinese have been so effective at APT types of attacks against us. It has been said in the past, and I would agree, that not all of the attacks from China have been sophisticated…

Because they did not need to be. That’s just how piss poor security has been here.

So, a concerted effort by a cabal of patriotic hackers (assets such as the Green Army) and other spook run operations (corporate/mil/gov) have been successful at ex-filtrating data from our servers here in the West. They used various methods both exotic and not, but the key to this is that they made a “concerted effort” They had operational plans, assets, and patience. All of these things are much more directed and focused than being on the defensive end of the equation. Add to this the fact that defense has been so poorly thought acted upon until now, it becomes clear why the greater story heard here is that of the offense winning the day.

On average, the common corporation has only seen security (up til now in the age of Lulz) as a cost center and because humans lack the ability to sense long term threats well (my contention) we have had a dearth of concern over the security posture of things other than saying “We have a firewall.. it’s all good” In short, because of our lack of forward thinking collectively, we have allowed this scenario to play out until such time as forces outside of the norm have forced us to pay attention…

Something akin to the panther leaping from the tree that we heard growling but decided that it was up to far to jump on us….

We have made our own beds and now, with this study, we see that a majority of the countries out there are not ready for prime time.. And those who are, are likely lying quite a bit about their readiness.

Studies With Subjective Questions and Results

Meanwhile, the “researchers” out there are making faulty suppositions using data that should not be trusted because it cannot be empirically validated. It makes me crazy to see this kind of claptrap being touted on the interent and in the news as fact, though this report did call this into question (yay them!) However, this does not stop others from doing just as shoddy work and then making great claims about how China may in fact be less of a threat because they are not as prepared on defense.

Bollocks.

China, Russia, Israel etc etc are all key players in the espionage world which now includes the 5th battlespace of information warfare carried out on the internet and within computer networks. To think anything else because someone asked them just how prepared “they” were for “cyberwar” is just appallingly stupid. From now on people, if you see these types of reports or studies, do try to think critically about the datum that is being presented.

A Brave New World

It’s a brave new world out there. We are in the age of Lulz and “cyberwar” *booga booga booga* all things that we really do not collectively have a firm grasp on as import and repercussions. There is so much going on between the Anonymous/Antisec/Anarchy as well as the manipulation of them by the likes of China and other world powers that you really need a primer to understand just what is really going on. Even then, its all so internecine and confused at times that you never really will likely have a clue of the real truth.. Ever.

We are at the cusp of so much that could go so horribly wrong and we unfortunately have people in charge who are ill equipped to understand and deal with it in our government(s) You all have seen my screeds a thousand times about all of this so you all know too. All I can really say is try and protect your little piece of digital landscape..

That’s all you can do really.

If the archology of the internet is going to be beset by crackers, spies and villains, well, there isn’t much you can do about it. Certainly not trust the government or the corporations to do the right thing.. Or even really know what to do.

You Know Who You Should Fear? Coders…

Nope, all in all, I would have to say in the end is that you need to fear the coders. The coders and the companies that they work for that are creating vulnerable software. Of course all software I think is potentially vulnerable, but, it seems that the standards out there are not being adhered to. We could be coding more securely and more keenly in the sense of not having Turing machine programs out there available to subversion but, we just aren’t there yet collectively to understand this and stop it.

The genie is out of the bottle.. No way to get it back in… We will die in the end from a thousand paper cuts…

Get your lemons out and enjoy the burn…

K.

 

Written by Krypt3ia

2012/02/09 at 21:49