Archive for May 2012
The Biggest Attack Surface is US
“I have met the enemy of information security, and that enemy is us.”
With the new spate of malware attacks (alleged to be by nation state actors) as well as other attacks by the likes of Anonymous on down to the usual cast of criminal characters, I have been taking stock of the “bigger picture.” What I have come to conclude is that we, of all things, the creators of the Internet, the computers, the code, and the universe in general (probabilistic, Newtonian, quantum, etc., if you believe we in fact create our consensual reality) are the one common flaw in security.
Take that statement in a bit… I’ll be back in a moment while you ponder….
Ok, thought that through a bit? For me, the statement is an ultimate truth. We create all these things (for me, universe included, by perception) and, in the case of the security over or within the systems that we make and use, we are its core failing. We, for lack of a better term, are “flawed” and thus our systems will always be so. In the case of security today, we can see this from many angles, not just within the realm of computer security or data security, but also in our efforts in war or protection from terror (à la DHS and the TSA). There are inherent flaws and unpredictable outcomes vis-à-vis human nature that really have to be taken into account before we can even consider something to be more secure than not.
This is an issue that I think many are overlooking as they seek to make the better mousetrap cum Rube Goldberg device that will then sit blinking in your rack at the NOC. Boiling it all down to the sum total of security issues, we have the human being and their “nature” to consider as the driver of the ill as well as the arbiter of demise in any security scenario we can think up. This is why I have decided to write this post: I want you all to stop, take a look around you, and see the problem from the macroverse instead of the microverse of code and hardware.
It’s all in the wetware man.
Human Nature, It’s Anathema To Security
Human nature… What a many splendored thing, huh? It gives us so much latitude as a species to be dominant on this planet and yet we still seem unable to overcome it and protect ourselves from its downside. Of course, it isn’t just that our nature precludes us from attempting to secure things today; it’s also that we are using technologies that we built, us, fallible beings who tend to code in error and without foresight into how it could be abused. On that note, the abuse of the code itself is also human nature: we are always pushing the bounds, trying to outdo others or just test the bounds of our realities, so it’s a natural progression really. Of course, then there is also criminality, and the darker tendencies that we all have… We are just a pile of trouble, aren’t we?
On the other hand, there is also the tendency for laziness today that we all have, whether that be intellectual or other slothful behaviors that can be, and often are, the cause of security failures. It is laziness in coding and a desire to work faster and maximize profits, for example, that leads many people down the path of sloppy code and the massive vulnerabilities therein. Couple this with the need for speed that today’s work environment (time is money calculations aside) demands, and we have the mix for epic failure much of the time. Oh, and lest we forget hubris, like that of Microsoft, coming so late to the security game in their coding and testing of operating systems that are, in effect, the most frequently vulnerable as well as the biggest target from a user base perspective.
Oh, and there are also the basics of human nature, such as being helpful, or other more base desires that often are the unraveling of security measures. You can have all the defenses in the world, but all it takes is one person saying “Gee! Look! A USB stick in the parking lot! IT’S ALL MINE!!! I MUST PLUG IT IN NOW!” How often have you pentesters out there reading this used that very exploit? Over and over and over again, and had success each time. How many of us have had the door held for us even when we don’t have a badge? Yeah, I know, many have, and though they have been warned of the perils of doing so, they still do it out of instinct or perhaps social programming.
It’s human nature that is the undoing of the best laid plans of mice and men…
What I am getting at is a simple truth: we are the problem. If we aren’t creating the poorly coded software, then we are the ones opening the gates to the Hun horde, or worse, we are in fact that Hun horde and are exploiting those weaknesses for our own gains (whether it be as a nation state, as a pentester doing a job, or as a criminal making a buck). It’s all driven by our nature.
HUMINT and The Push Of Social Media
So enters the era of “Social Media” and wow, we are a social animal, aren’t we? We have Facebook, where we seemingly just expose all of our foibles, secrets, and other trivia daily, no, wait, by the second, every day. Who knew we would be so in need of telling everyone (not to mention showing everyone screenshots of our meals) about every little thing we do? Our location at that moment, or perhaps that little Timmy took his first solid dump. *shudder* It’s little wonder that you see how interested the government is in our “social” data, huh? We are so willing to just give it up without a thought.
It’s our nature I guess… Tribes around a digital fire now…
Back to social media and HUMINT though, you see, this is the next wave. Since everyone wants to communicate on the Internet, it is easier to communicate with anyone and everyone in a way that, as we have seen, allows for a lot of data gathering and manipulation. Now that we have the infrastructure populated, we will use it, subvert it, for goals other than just befriending someone. Hell, we now have bots that do it for us, right? How do you know whether the person you are talking to on Twitter is a person or a heuristically adept bot? Give it some pause…
Think about the potential here for every kind of abuse or manipulation. Anything from online advertising using Turing bots to intelligence agencies and others gathering data on you, all for whatever purpose serves their needs, and you, you are the commodity, the “asset.” So, yes, as the technologies advance and the human nature side of things continues to allow for strides in security as well as the inevitable setbacks, you will become the ultimate target, the easy score for data that could lead to compromise. After all, what do you think the real persistent threats rely on? Human nature, our nature and proclivities for social interaction, which, really, is what the Internet is all about, huh?
Now, as you go to post on Facebook about your last meal.. Ponder this…
So, How Do We Remediate All of This?
Is remediation possible? Can we change the vagaries of human nature to the point where we can actually not only secure systems adeptly, but also secure the end users to disallow the lowest of the low hanging fruit? Can we get coding initiatives that work and, for God’s sake, come up with non-Turing-complete machines and code? One wonders if it is ever really a possibility, and frankly, the sense I get of things lately in the security community is no. We will never win the battle; the war will rage on forever and at least we will have jobs, but we must get used to failure in the grander scheme of things.
Once again, human nature is the arbiter here and, well, we are human, aren’t we? I guess the answer is no, we will never be able to remediate it all. As we move forward with an uncertain digital world, one where we have put all our eggs in one digital basket (yes, power, light, water, control), we all must look at the nature of it all and ponder what we have done to ourselves here. Has our nature and a propensity for laxity in thought and deed placed us in greater jeopardy? Will we ever learn from the things we have seen already and try to remedy the situations? Or will we just go on blithely until such time as there is an epic failure that causes us pain?
This is not to say it will happen, nor that I believe it will be as epic as some on Capitol Hill would have you think, nor those in the shadows selling them the digital snake oil in the first place. What I see, though, is that unless we get smarter and try to manage our natures here, some will end up exploiting them to our collective detriment. Whether it be the laws around our privacy, or the lack thereof, or the connecting of systems upon systems where, should one fail, the cascade could give us a real problem, we all have to take a step back and look in the mirror.
We are the problem.
Patriot Hackers, Cyber Vigilantes, and Shot Placement http://post.ly/7PDdE
Ok, so Ali had a sit down on the podcast station and clarified some things for the skiddies and others interested in the great feud of 2012 between those who believe Jester is doing anything and those who think it’s a pointless exercise in self aggrandizement. I suggest you all listen to this podcast before moving down to the next paragraphs, to understand what I am saying and why.
Go on… Now… Go… Listen…
Ok, so, I am gonna assume you listened to the podcasty thing. Here’s my deal. First off, I have never advocated the arrest of the fools. After all, what have they done but taken down sites that are useful for INTEL operations? For that, yeah, they could get into some trouble because they are getting in the way of things. However, one might also make the argument, and rightly so, that this is a tempest in a teapot in the grander scheme of things. Why? Because these sites are not the real operational areas of AQ and AQAP.
No.. Really.. They aren’t.
If you look at the letters and the operational efforts of UBL while he was in Abbottabad, he was using couriers and maybe USB sticks. Otherwise, there were actual handwritten letters and communications that were outside of the electronic world. Why? Because they KNOW we are watching and have a real corner on that market. So, one can extrapolate that the real use of the sites being looked at and DoS’d by the likes of Raptor and Jester is moderately important, if that, in the effort of trying to engage WESTERN jihobbyists, and that’s about it. I mean, why do you think they are making such an effort with Inspire, huh?
… And I will tell you a secret that isn’t so much one.. Inspire ain’t working.
So, once again, these sites are of some use to the likes of certain intelligence and LE agencies to monitor and perhaps have assets within. Taking them down for any amount of time does nothing but get in the way and give the DoS-er the ability to crow… and loudly… But I shall cover that in the rant section. Back to operational matters. So, yeah, where was I? Yeah, these sites are not the main way that the Jihad is being carried out in a physical way. It’s the propaganda machine, and no matter what you do, they will be back like one of those clown punching bags, so really, why waste all the energy, huh?
Overall, I just want you all to understand that unless you work with the system, any action you carry out is pointless to the larger war at hand. Just look at how JSOC got set up with the CIA and other orgs to work TOGETHER to wax UBL, huh?
Think on that.
Ok, so rant begins… Look, once again, the calls of “What does Scot do! He does NOTHING! SHOW US WHAT YOU DO!” are utter self-serving crap. See, you guys saying this are just trying to JUSTIFY your actions. I don’t have to justify anything I may or may not do. In fact, as Ali pointed out, people who work within the system with the powers that be cannot say “what they do.” It’s part of the way things are done, and to be asking this question so much and so vociferously shows me that you all have not worked within the system. **note oblique reference to J and this question specifically; a real operator would not be acting this way nor begging the question**
It is my contention that you all may have good intent, but you are driven more by deep-seated needs for attention, because you are advertising your actions and not working within the system.
Just one man’s opinion..
So, go ahead and rail all you like. It will not make one bit of difference to me. I am not going to be goaded into saying anything about it; Ali said what he did and that should be enough. I am just going to continue to believe that until you all cut your shit out and work with the system quietly, you are just looking for a cheap fix of adrenaline and adoration by legions of wannabes.
Digital Skirmishes and Silliness
I agree with Ali that the governments need to get a handle on this. If they want patriot hacker units, then they will have them and they will be controlled, as opposed to the Batman vigilante model that we now have here. Frankly, that’s what militias were originally for, to have citizen soldiers; now we have the National Guard, and perhaps they need to create and maintain this new warrior class to keep the sanity. I am sure that if they did this, there would be plenty of volunteers and it might be a good thing. However, as usual, when government gets its hands on anything, it usually fucks it up somehow.
Live and learn… Then adapt.
All I know right now is shit is way out of hand and the stupid has reached epic proportions and it will not go well unless some ground rules are instituted. Thank you Ali for your kind words and you know I am right behind you when the shit goes down.
Hard power is a term used in international relations. Hard power is a theory that describes using military and economic means to influence the behavior or interests of other political bodies. It is used in contrast to soft power, which refers to power that comes from diplomacy, culture and history. While the existence of hard power has a long history, the term arose when Joseph Nye coined ‘soft power’ as a new, and different form of power in a sovereign state’s foreign policy. Hard power lies at the command Hegemon end of the spectrum of behaviors and describes a nation’s ability to coerce or induce another nation to perform a course of action. This can be done through military power which consists of coercive diplomacy, war, and alliance using threats and force with the aim of coercion, deterrence, and protection. Alternatively economic power which relies on aid, bribes and economic sanctions can be used in order to induce and coerce.
While the term ‘hard power’ generally refers to diplomacy, it can also be used to describe forms of negotiation which involve pressure or threats as leverage.
Over the weekend I had a Twitter conversation (140 characters at a time, rough) about the meaning of “Soft Power” in the current parlance propounded by Joseph Nye. I have a different opinion of the nomenclature concerning the terms “Soft Power” and “Hard Power” in today’s political and economic environment, while the other party I was speaking to had a stricter view per Mr. Nye’s definition (he coined the term soft power). I myself feel that today things are a little more complex for the terms to be so tight, given that economic “hard power” now seems to have morphed into a vast array of economic digital espionage that softly, along with other soft power style moves, creates a hard power outcome of directing or tricking other countries into actions that the others desire.
The primary mover and shaker of this for me is of course China, and one only has to look at the news cycle to see both these types of “power” being wielded by the PRC. I think it is time to take a look at the means and the philosophies that China has been using to effect the changes that they need to become not only the predominant military force in the world, but more so an economic juggernaut that will outweigh and perhaps stealthily creep up behind and slit the throats of other countries in subtle and not so subtle ways.
Hard vs. Soft Powers and Nomenclature
As seen above in the quoted text, hard power is seen as economic sanctions as well as military actions. This is all in contrast to the soft power of politics and the method of the carrot versus the hard power stick. All of these allude to direct actions that are perceived as means to manipulate nation states and other actors into actions desired by the power that is employing them. I would put to you all that there is another form of “soft power” that the Chinese have really created over the last decade, one that employs a more stealthily nimble approach from the espionage arena (hard power by strict definition?) and economic strategies that, with nationalistic goals of grand scale, have wrought a new type of “power.”
Perhaps this power should be called “Covert Soft Power,” as it is being employed covertly both in the hacking of companies to steal their economic secrets (IP) and by the addition of espionage and common business tactics to buy into and/or subvert companies to facilitate access to economic secrets, as well as to outmaneuver companies and close them out on deals, etc. All of this seems logical to me (adding this meaning to the term), but perhaps I am outside the norms on this one. The way I see it, though, there is a new vector here that the Chinese are leveraging, and I think we could use a little thought on the matter and perhaps on how to counteract it all.
China, The Hard and Soft Power via Economic Espionage and Investment
China in particular has been working at a multi-pronged and diligent attack on systems and corporations as well as governments to effect the long game strategies that they want. Instead of attacking things head on, the Chinese prefer the method of “The Thousand Grains of Sand,” where many operations and operators work to effect the larger outcomes from small pieces. The Chinese are patient and, because of the Eastern mind, seem to come at things in a more subtle way than most of us in the West tend to think about. In all, the subversion and outright theft of IP has the multipurpose goal of broadening their technical abilities, their economic abilities, and overall, their dominance in the world as a power.
What the Chinese have realized mostly, though, is that the subtle knife is the best way to control the enemy, slowly and subtly slitting the throat of the opponent without a struggle. Frankly, I admire the approach. In terms of the argument of “soft power,” I place these efforts squarely into it because, in tandem with certain “political” maneuvers, they can have huge net effects. By combining the military, the economic, and the political aspects of soft and hard power, and the grays in between, China has become a force to be reckoned with. So, I put it to you all here that there is room for a change within the nomenclature of Mr. Nye’s coinage, and that, in order to better understand the mosaic that is happening, we need to re-tool some of the ideas we have preconceived for ourselves.
A New Battlespace, A New Set of Battles
Finally, I would also put it to you all that the battle space is much different today than it has been in the past. Not only do we have the digital landscape, but that same digital landscape, which makes it easier to steal, also makes everything more interconnected. By interconnected, I mean that it is far easier to effect large changes to companies through the automation that we all have in place today to speed up our transactions. Today it is far easier to quickly make instant trades and affect the bottom line of a company for the better or worse, as well as to steal data in minutes that in the past would have taken days, weeks, or months to exfiltrate from a company via conventional HUMINT means.
In the scenarios run on trades on the markets, you can see how one alleged “fat finger” incident can have a large scale and rippling effect on the whole economies of states, never mind businesses individually. So, once again, the battle space has changed greatly because of the interconnectedness of things. It seems that the matters of state, now more than before, can be changed through the soft power of the digital attack or manipulation. This is what I mean by “soft power,” or perhaps the term I mentioned above, “Covert Soft Power”: attacks that we are seeing now, and that we are having trouble truly attributing to nation-state, corporate, or individual actors, are having larger and larger effects on our economy, our policies, and our long term viability as nations, companies, or groups.
At the end of the day though, I suggest that we are being manipulated by masters at the game of “Go” and we need to pay attention to every subtlety and not be so rigidly minded. It is the water that flows around and over the rock, eventually wearing it down to nothing.
In the present day, where the word “Cyberwar” is all the rage, and governments as well as private sector entities are seeking to cash in on the power grab that is mostly information warfare, as the Chinese actually call it (信息战), too many are forgetting a core problem in the picture. This problem is “attribution,” as it has been termed in the community. Attributing an attack to an individual, government body, or group is something that, to date, has not been discussed as much as I would like to see with regard to all of the cyberwarfare talk, as well as any other inferences with regard to forensics and geopolitical ascription to acts of “war,” as this has been labeled by this terrible terminology that we have latched onto.
Nomenclature aside, there are issues around trying to determine definitively where an attack has really come from, because of the nature of computer systems, the varying countries that they reside in, and the potential for the actor to be anyone from a nation state to individuals of a private collective or a single determined individual. It is my contention that “attribution” can be very hard to prove in a court of law, never mind that a country may in fact be ready to wage war against another on the grounds of what is taken to be the truth of where an attack originated and who the actors really were. In my view there are too many variables that may never be one hundred percent certain to base any of these decisions on, unless one has hacked back into the core final system that originated everything, and that is rarely the case today.
So, where does this leave us? How do we even attempt to attribute an attack to any one person, government, or group? Can we ever be certain of any of this information? Can we base an aggressive action against a nation based on any of it?
Fingerprints and Ballistics
Some would approach the problem of attribution of digital attacks with the methodology that began the criminal forensics process we have today. Fingerprints were the first forensic model for determining who really may have committed a crime if the evidence did not consist of an eyewitness attesting to the fact that “they did it.” Ballistics soon followed once guns began to have lands and grooves bored into the barrels to allow for more accuracy. Both of these examples leave telltale marks on the bullets or objects to determine which person or which gun was the arbiter of whatever crime was committed. Today, though, we do not have the same narrow confines of data to examine as both of these examples allow for.
Code is the medium of today, and while there are certain ways to tell if code was written in the style of a person or written on a particular computer, for the most part these do not allow for absolute certitude as to who the actor was that created the code, nor, for that matter, who used said code to effect an outcome (i.e. attacks on systems) conclusively. All one really has in most cases are pieces of code that, with the right coder, may in fact look like another’s, or have had all attributions stripped from them, or, lastly, were copied directly from open sources and then tweaked. All of these scenarios allow for a great latitude in conclusively determining source or origin.
With all that said, the digital fingerprints are there, and with luck someone can determine if the coder was sloppy and forgot something. Interestingly, much of this was out in the open and talked about with regard to the Stuxnet infections in Iran. Once the code was audited, there were many subtle clues as to who “may” have written it, and in fact there were potential red herrings left in the code, such as “myrtus” and other tidbits, that may in fact just have been placed there to mess with those seeking to perform forensics in hopes of finding out who did it. To date, many think that the US and the UK did the work, planned the operation, created the code, and implemented it, but there is no conclusive proof of any of that, is there?
Suffice it to say that everyone does make mistakes, but with the right amount of diligence an adversary can make it incredibly hard, code-wise, to determine who did the writing. On the other side of the coin, the digital forensics arena also looks at the network and hardware side of the equation. Many attacks today are not coming directly from the home systems of the adversary, but instead from proxy machines that have either been rented or, more likely, hacked previously. This too can be heavily obfuscated and can be something of a problem to gather information from if those systems reside in countries unfriendly to the attacked parties. One would likely have to hack into those already compromised systems and then attempt to gather intelligence as to where they were being controlled from and by whom. This is of course if the system wasn’t already burned or, as in many cases, the logging had all been removed and thus there were no logs to see.
From this perspective, yet again, a great amount of doubt can be injected into the picture of just who attacked, because of the nature of the technologies. Unless the systems are live, and in fact the adversary is either still using them or was exceedingly sloppy, it could be very hard to prove conclusively that any one actor or set of actors carried out an attack, even from the digital forensics side of the house. This leaves us with a problem that we have to solve, I think, in order to truly be able to “attribute” an attack even tentatively to anyone. One cannot rely only on the technologies that are the medium of the attack; one must also use reasoning, psychology, and logic, as well as whatever the forensics can allude to about the attacker. This is very much akin to the process used by CIA analysts today and should be the SOP for anyone in this field, because the field is now truly global and has been brought into the nation state arena of espionage and terrorism, never mind actual warfare.
Inductive vs. Deductive Reasoning
First off, I would like to address inductive and deductive reasoning in this effort as one of the precepts core to these attribution attempts. By using both of these in a rigorous manner, we can attempt to shake out the truths of situations that may in fact seem clear on the face of them but, once looked into further, may be discounted or at the very least questioned. Much of this lately has been the hue and cry that APTs (Advanced Persistent Threats) are all pretty much originating from China. While many attacks have in fact been attributed to China, the evidence has not always been plainly clear, nor, in many cases, has the evidence been anywhere in the open, due to classification by the government and military.
There are many “secret squirrels” out there and they all pretty much squeak “CHINA” all the time. Unhappily, or perhaps unfortunately, these same squirrels end up being the ones talking to the news media, and thus a juggernaut is born in the news cycle. It just so happens that there are many other nation states as well as other actors (private/corporate/individual) that may well be the culprits in many of the attacks we have seen over the years. Unfortunately, all too many times, a flawed inductive or deductive process of determination has been employed by those seeking to lay the blame for attacks like GhostNet or Gh0st RAT, etc. Such flawed thought processes can be shown by examples like the following:
All of the swans we have seen are white; thus, all swans are white.
This has pretty much been the mindset in the public and other areas where attacks in the recent past have been concerned. The attacks on Google, for instance, were alleged to have come from China; no proof was ever really given publicly to back this up, but since the media and Google said so, well, they came from China then.. Right? While the attack may have in fact come from China, no solid evidence has been provided, yet people are willing to make inductive leaps that this is indeed the truth of it, and are willing to do so on other occasions where China may have had something to gain but proof is still lacking. The same can be said of the use of deductive reasoning. We can deduce from circumstances that something has happened and where it may have originated (re: hacking), but without using both the inductive method and the deductive, with evidence to back this up, you end up just putting yourselves in the cave with the elephant trunk.
Psychology and Victimology
Another part of the picture that I believe should be added to the investigative process on attacks such as these is the use of psychology. By using the precepts of psychological profiling as well as victimology, one can take into account both the motivations of the attacker and the stance of the victim they attacked when forming the overall picture. It is important to know the victim: their habits, their nature, and their background. These factors can often lead to insights into who the adversary may in fact be. While the victimology paints the picture of the victim, it also helps flesh out the motives and possible psychology of the aggressor.
Of course, one need not be a board certified psychiatrist or psychologist to perform a victimology in the way that we need to within the confines of determining who may have hacked a client. Many pentesters do this very thing (though perhaps not enough today, it seems) by profiling their targets when they are preparing for a test scenario. The good ones not only look at what the target does, but also at how they do it. They also look at how things work logically, as well as every other aspect of the business, to determine how best to attack and what would have the most effect, to replicate what an attacker “could” do to them. This is also key to determining who may have actually attacked, as well as why they did, and this leads to another part of the puzzle: that of motives.
In trying to determine who attacked, one must look at the motives for the attack. These motives can also show you the lengths that the attacker was willing to go to (i.e. creating custom code and other APT style attack vectors/methods) to effect their end state goal. If there seems to be no real reason for their attack, and they have not stated it in other ways (like Anonymous and their declarations of attacks), then we are left to come to grips with seeking the reasons, as well as what they took/destroyed/manipulated in the end. It is important to look at the whole picture instead of focusing on the minutiae that we in the INFOSEC field often find ourselves looking at daily in these IR events.
Hannibal Lecter: First principles, Clarice. Simplicity. Read Marcus Aurelius. Of each particular thing ask: what is it in itself? What is its nature? What does he do, this man you seek?
The Pitfalls of Attribution Theory
Another part of the picture that must also be assessed is the mindset of the assessors themselves. Today we seem to have quite the echo chamber going on with the likes of Bejtlich and others concerning China and APT activities, as I alluded to earlier. The media of course has amplified this problem threefold, but the core problem is that we as investigators are sometimes easily tainted by the echo chamber. Thus I put it to you that the precept of “Attribution Theory” also plays a key role in your assessments, and that it can be a pitfall for you. In attribution theory, one must also take into account such things as the motivations of the person doing the attributing. This means that even if you are a consultant in an IR, you too can allow your own leanings to sway your findings in such an endeavor as trying to determine who hacked whom with leading evidence but no definitive proof thereof.
Motives are key: motives of the assessor, motives of the victim, and motives of the adversary. One must take these all into account and be as impartial as possible and mindful of these things. It is my contention today that all too often people are all too receptive to the idea that “China did it” is the go-to assessment of a so-called “APT” attack, especially so when APT is one of the most misused acronyms today in the information security field. In my opinion it is in fact just behind the term “Cyberwar” as one of the most misused and poorly constructed acronyms or terms for what is happening today.
In the end, one must take a step back and see the bigger picture as well as the minutiae that comprises its total while not being too easily swayed by our own bias or conditioning. I suggest you acquaint yourselves with these ideas and use them when involved in such cases where APT and Cyberwar are concerned.
There will Always Be “Reasonable Doubt”
In conclusion, I would like to assert that there will always be reasonable doubt in these cases. Given now that we are considering actions of war and legislation over attacks and counter attacks within the digital sphere, I would hope that those in government be made aware of the issues around attribution. I cannot conceive of going to war or launching missiles over a digital attack on some system somewhere. The only way I can see this actually becoming kinetic is if the attack is in tandem with boots on the ground or missiles fired from a distinct area of a foreign power. Unfortunately though, it seems of late, that governments are considering such actions as hacking the grid, as an acceptable trigger to kinetic response by the military. This for me is all the more scary given what I know about attribution and how hard it is in the digital world to determine who did what and when, never mind from where.
Presently I am working on a framework of this whole process model and will in the near future be presenting it as well as other aspects of determining the attribution of attacks on companies and systems at a conference in Ireland. It is my belief, with my partners in this presentation, that given more subtle cues of psychology, as well as sociological and historical inference, one can get a greater picture of the attacker as well as the motives for an attack if they are not openly stated by the aggressor. Of course none of this will eliminate “reasonable doubt” but, as CIA and other intelligence analysts have proven with such methodologies, one can make a more solid case by looking at all aspects surrounding a person, case, or incident to determine the truth.
Has AQAP Been Watching “The Dark Knight” Or What?
It seems lately that the officials out there “in the know” have decided to allow a leak about a certain 15 page report alleging that Al-Asiri, the mad bomber/designer and much described “genius” of terror, has been attempting to perfect a design for an internal “body bomb”. Now, no one really knows if this is indeed “the truth” or just how far Asiri may have come in his plans to create these surgically implanted bombs. However, what one can extrapolate from the press on this thing and the sources on “background” willing to talk, is that this seems to be more of a propaganda ploy than anything else on the face of it.
While I have no doubt that this vector of attack has been on the minds of AQ for a long time, so too has the use of CBRN, but to date, they have not been able to do anything in those areas and in fact the BIO warfare program they tried to start was a miserable failure. So, do we really see them getting to the point where a convincing as well as operational “body cavity bomb” is actually put to the test? I suspect that it may be some time until such a plan is put together and operational but as the media would have it now, as well as those leaking the “details” here, they seem to be saying FEAR NOW!
The Case for Surgically Implanted Munitions: Possible, Crazy, Exceedingly Hard to Pull Off
Now that we are all abuzz about the “surgically implanted bombs” let’s take a look at the actual nitty gritty of how this would have to be conceived and acted on to work.
- You have to have a willing shahidi… Well, there are some out there so there you go. One that is willing to have surgery as well as recuperation time, well, ok… Harder but possible
- You have to have a sealed, self contained system that will not bleed (inside the device) and make it malfunction
- You have to have explosives that are high power and yet only require small amounts to be of use
- You have to have no metal parts to pass through the magnetometer
- You have to have a surgeon or surgeons willing to do the cutting and sewing (Well Ayman is a Dr. after all too so…)
- The device will have to be hidden enough inside the body so as to not alert others and preclude mobility issues (i.e. small, though the BVD bombs seem to be so as well)
- Your detonator has to be either chemical or electric/remote (timed or say an RF device) I lean toward chemical for these but who knows
The Case for FUDDERY as A Means to an End For BOTH Sides
So, what we have here though seems to be a lot of clucking about bombs inside of people and the fear mongering that goes on with some quarters of the intelligence community feeding this all to the media. SOFREP, a site concerned with SOF (SPECOPS) had this story out there last week and now it seems to be making the rounds with backup data (background from anonymous sources) that the mad bomber is in fact working on this with a cadre of doctors. Of course one can only assume that this “data” is perhaps coming from the recent mole that got into AQAP posing as a suicide bomber and stole their new prototype BVD bomb.
If true, then yes, sure, they had plans and were trying to make a bomb system that would be hard to detect, I mean, how many MRIs are at the airports now huh? If this data did not come from the mole though (and there is data that this has been floating around now since at least last fall, way before mole man) then why now is this being thrust upon the media? Or, now that I think about it, there was that arrest of the guy with the pr0n that had the stegged “future work” file in there.
I am willing to bet that is the provenance of the file in question. Ok, so, there you have it. We have the plans and.. What.. Why release this to the public? I mean, what real purpose does it serve other than to scare the populace into submission? In the SOFREP report there is mention of something along the lines of “So how do you feel about your L3 machine now?” Uhhh, just fine really, I mean, it won’t help me if there is a surgically implanted bomb, but it gets much of the rest of the stuff when used properly. I am guessing that the impetus here was to make the TSA look good, by saying “you think you are hassled now, but look at what the jihadis are planning!”
Honestly, sure, it could happen, but the odds are slimmer than one might think I think and this seems to be a play here to manipulate the public mindset. Others have called the same foul on the play here but I just wanted to put it down here and sort through all the issues to ascertain where the truth might lie. In this case, for me, it seems like this story serves the purposes of both sides. For one, the security services here and the politicians both get a win by leaking data to sow fear, a fear that was ever so well used in the past (like G’Dub’s admin) and others to sway thought and perhaps lessen resistance to certain things. On the other side, this also works for AQAP because even if they are planning it, they are causing us to create even more elaborate Rube Goldberg devices to stop them, costing us more money and time.
It’s a win win for all of them.. FUD it seems is a booming business.
So, IF They Make These Bombs Happen Then What?
In the end, it comes down to this; “What are we going to do?” Do we really expect that we will now install MRIs and X-Ray machines in the TSA lines to scan our internal organs as well as the sniffer/blower/wand/m-wave that we already have? This is a means of bombing that would be hard to detect if done well and certainly would not easily be seen under clothes or even with an M-Wave scan if it is not protruding/bulging the person’s body in some way. Hell, for that matter, AQAP should just be looking for morbidly obese shahidi candidates huh?
Certainly, leaking this data to the news serves little purpose other than to perhaps get people (including those on the hill) to buy into new measures and monies to appropriate them? It would not make one whit of difference in the current protection scheme now would it? Frankly, if AQAP and Al-Asiri have been working on this, and it were a major threat, I personally would not have been dropping this to the media. Keep the intel secret (as the report is alleged to be) and keep it out of the public eye…
Unless you all think that by leaking this data you are retarding the chances that AQAP will try this method? I really don’t think that will be the outcome here.
In the end.. I call shenanigans.
OK, ENOUGH of the BULLSHIT, Lets not make a RELIGION out of this
Lately I have been inundated with tweets (not at me, just in my feed) of people using the “E” word. Blog posts about “Being an Evangelist” or “Are you one too?” I have to say that this post has been building in my lower intestine like a backup of putrescent bile resulting from a clogged sphincter, and that sphincter has been blocked by the word “Evangelist”. My issue primarily is that you all (and you know who you are) are perpetuating a heaping pile of steaming bullshit by using this ecclesiastical term improperly to suit your needs of being center stage and telling everyone from the fucking mount what “they” should be doing.
Wake up people, you are falling into the same old theistic behavior that we all as evolved sentient beings should eschew, nay, …loathe. INFOSEC is not a religion and YOU are not the FUCKING POPE ok? There are no cardinals, there are no Bishops, there are only a bunch of people who want their opinion to be heard and listened to AD NAUSEAM. It’s as simple as that, and if you start clothing it in the robes of ecclesiastical rhetoric you FAIL. “But this isn’t the meaning of the word evangelist now! It really means in modern times to profess a point of view!” They will all cry out as they read this diatribe.
My answer shall be a swift and sure “No, look at the dictionary and the latin root of the word you morons”
You all are clothing this in terms of religion and it’s inappropriate. It’s only leading to the predilections that some of these people have toward messiah complexes and we certainly don’t need that in this arena that has been fraught with enough ego and hubris to choke a horse.
Posers, Priests, Acolytes, and Charlatans
So, you wanna be the guy with the biggest hat? (yeah, going there with so many hats gray/black/white/dirty) Well what better way than to elevate yourselves above all others than to use the lingo of the ages to make yourselves the divine conduit to INFOSEC GOD’s right hand status eh? What’s next? Are you all gonna start your own revivalist conferences? Oh, wait.. That’s already going on. Cons are popping up everywhere and the acolytes are flocking aren’t they? Holy Geebus, even as I ruminate on this I see more parallels! The vendor rooms are the tents where you see geeks and freaks, clowns and circuses! Best part of all, you get to see the “blow off” by the booth babes!
Look, I’m not saying everyone is like this but it’s begun to feel like a carny to me that has taken itself too seriously. This use of the religious terms and the awe with which some are held is just silly. What’s worse, you are allowing all of this to be used by the likes of LIGATT and others to have their own “evangelism sideshows” hawking their particular brands of security snake oil. There are of course people like Jericho and Attrition out there to call people on this, but as a whole, the industry, once again I find myself saying this, is an “Industry” and to make yourselves out to be the clergy of some great and grand security church, even by just using the nomenclature, is wrong whether you buy into it or not.
Frankly, the bandying about of the term by people on my feed makes me dry heave. See, as far as I am concerned, this job is an “Avocation” and should not be elevated to religiosity as it seems to be lately by those within as well as those selling it. You do it because you love it, otherwise, you are just in it for the money. If you love it, sure you can be passionate about it, but you are not by any stretch of the imagination an “evangelist” unless you have a book you are professing and selling with bone fragments in the back of the tent for only a sawbuck a piece! *wink wink*
There is so much more fail in this arena that we do not need to go muddying the water with all this claptrap.
So, Mr. Evangelist, Am I Going to Heaven or INFOSEC Hell?
As I started tweeting about this people started coming back with “Then that makes you the INFOSEC HERETIC” and, yep, I guess I am. Or perhaps I am the INFOSEC Redheaded Stepchild. I am sure both apply equally as well as “That BASTARD” I sit back and watch all of you and sometimes I just feel like what’s the point? I look at our current situation with APT and the EPIC-ness of every other EPIC tweet about EPIC-ness at the latest EPIC con and I want to EPIC-ALLY shoot myself. Are we all just teenagers here looking for that much attention as a group? As a business? Perhaps the people who are quietly doing the work in the background should speak up now and then (as I am told they exist by Ali) I do know they are out there, and perhaps they quietly watch and shake their heads now and again.
So do you?
It’s sad really that it has devolved in so many ways to the same ol same ol that we are seeing now in our election cycle. “I’m cooler!” “No no, I AM COOLEST” It’s really what I touched upon in the last “Fear and Loathing” series post on DC. Some people wrote back and asked if I thought it was that dystopian.
I have to say, kinda, yeah… Though I embellished as the “GONZO” journalist playbook implies.. (it’s written in crayon by the way) So am I going to INFOSEC Hell? Am I a heretic? I will leave that to all of you out there in INFOSEC-land who deign read this rant. Either way, once again, we use the language of the ecclesiastical to elevate or denigrate someone’s views eh? Perhaps this is all we know, we people who still follow a book so closely that now has the masses up in arms about the issue of people of the same gender wanting equality.
Holy fucking shit.
A book mind you, written by people barely able to understand nature around them so they made stories up to fill in the gaps. Really? 21st century? Yeah.. Right.
Monkeys with digital guns.
Pride goes before destruction, a haughty spirit before a fall.
As I wind down from this verging on Tourette’s induced screed, I have to just say that I really do mean to take aim at this culture we have here. I think it’s too full of shit and it is no wonder we are unable to cogently deal with the problems en masse that we have with digital security. It’s because the culture sets itself up to be not listened to by the old guard. Wasn’t it back in the 90’s that L0pht told Congress that they could shut the net down? So, what happened to all the mitigations? What happened to the “Oh my God! This security shit is important!” It all just left their heads as we went on in our pedantry, that’s what happened.
We’ve been too busy being cool and showing that we can do cool shit while not actually focusing on the issue at hand, that of protecting the things that should be protected.
Sure there are many solid people out there taken seriously by those in power, but if you look at the general term “hacker” and the odiousness it has now, why would anyone take us seriously? Thus we have the new terminology of cracker and others? Trying to buy legitimacy even as we go from con to con being “evangelists” ???
I don’t know folks.. Seems like we all have enough trouble getting through to the straights here, we don’t need to make it worse by our own self defeating antics right?
We are not evangelists, barely most of us are professionals… Stop and take a long look in the collective mirror….
It’s been busy lately in AQAP HQ
Well, as the news cycle of late has been showing, it has been the busy season for AQAP. In between rocket attacks from drones, they have evidently been busy devising a new type of underwear bomb that is “super sophisticated” according to the press accounts.
I would say that they have in fact worked out a better way to get a bomb of reasonable size onto a plane with the right shahid, but as for it being so “sophisticated” I cannot say that I think it is all that and a cup of coffee. Currently the FBI (Quantico) lab boys have the briefs in hand and are looking into the design and, so much as we know at present, it has no metal parts. So, this means it’s all plastics and liquid/soft (semtex/c-4 plastique) explosives. So, where’s the innovation? I would have to say detonator and just design to be slim, as powerful as possible (you only need to blow a hole in the fuselage) and not easily detected in pat downs or body (mm-wave) scans. The detonator though has been the failure point for the last couple of shoe/underwear bombs that were tried, so I would say that if they innovated, it would have been in this area.
Oh well.. But that hasn’t been the BIG story has it concerning AQAP huh? Nope, everyone is abuzz that the CIA had an asset in AQAP for a “few weeks”
Whoa! *sarcasm implied*
Moles and Assets in AQAP: Paradigm Change
As wins go, this “shahidi asset” in AQAP who turned over the bomb and also helped with intel on the location of Fahd Mohammad Ahmed Al-Quso for a drone strike that killed him, was a pretty good one, though, now with all of the leaking that this was an inside asset working for <REDACTED> intelligence agencies, I have to think that maybe it wasn’t so much a planned thing as an “opportunity” that presented itself. Since the asset saw no other way than to just turn over the device (because they joined up to be a suicide bomber from the start) they were pretty much burned from the get go here. Once their operation was set in motion and sent to the airport, well, it’s not like they could turn up the next day and say “oops, it didn’t work”. So, this was a VERY perishable operation and so far, I am not hearing that from the press nor the administration’s leaks on this.
Context is a key thing kids.
So, if you turn on the news you hear the crowing going on that we got a “spy” in AQAP… Yes, sure… No… Not really. I suspect that this person was in a position of contact with AQAP, wanted as a “shahidi suicide bomber” and either was available to being turned, or went directly to the intelligence service for their country and said “Hi, AQAP called and they want me to go BOOM” I could be wrong, but I suspect that this is the case, either way, the asset was cultivated for this one off and it worked. Now, as for having long term assets in AQ or AQAP, well that is another kettle of fish altogether. Something that is seeming to be misconstrued a bit in the media reports. So far as I know it, we have not had very much HUMINT of this nature within AQ/AQAP/The Salafist Jihad movement because they are so paranoid and tribal.. As well as we had a total FAIL on grooming assets from the region to begin with.
So, post this little operation, where will we stand? Well, let’s see…
Pro: We got the bomb, and we whacked a major player as well as gathered other intel from the asset who was embedded for a while
Con: Now they are gonna even be more paranoid…
Pro: Now they are gonna be even more paranoid!
Con: Likely we will not have any more assets on the ground for a while because they are paranoid
Well, there you have it. It was a win, but not as much as it’s being made out to be I think personally from an intelligence gathering standpoint. Who knows maybe we will get lucky again with another shahidi huh? Won’t hold my breath though.
Post UBL, Samir, Anwar, etc etc.
So, once again back to the changing times. Lets see, we had the recent anniversary of UBL’s death and the trucking out of the stories again. I personally have been reading Peter Bergen’s book on it all called “Manhunt” and found some interesting details in there. However, with that and the letters from Abbottabad, one gets an interesting picture of not only UBL’s last 6 years, but also the state of affairs between rival groups and personalities. If the documents are to be believed (yes some are saying there are reasons for these documents being released without the context of the whole trove and what “can” be declassified) then we see a picture of UBL as trying to thread the needle a bit on how to handle the monster that had gotten away from him.
AQAP it seems was a group that he did not officially sanction (franchise) and the name is their own doing. In fact, the letters show that UBL was not a fan of Al-Awlaki and thought that AQAP was doing a little too much indiscriminate killing of Muslims in the lands. Something I can see being the case as in the end UBL was ethnic Yemeni and his last wife (#4) was as well. So perhaps there is some truth to the idea that not only was UBL not a fan of the group’s actions but was so because of ties to the area. I also suspect that there may also have been some reservation on the part of UBL on Anwar because of the places that they found themselves; UBL in confinement, marginalized, and Anwar out and about, preaching and gathering a real following amongst the younger jihadi set.
Of course that is all supposition on my part and from reading the letters that were released. Anyway, we whacked Anwar and his boys including Samir, the head of “Inspire” magazine, which led the unthinking masses to believe that AQAP and AQ (from all deaths above) were pretty hurt to the point of being almost inert. Well, they were wrong of course and as we have seen were busy making new plans to attack the US.. Which was what UBL was re-iterating to AQAP and others before he got his-self whacked. All of this goes to show that it’s not just the leaders that you have to kill, it’s the premise of their war. Sure, taking out leaders helps a lot, but, it seems with jihad, that there is an ideological element that is tough to put down.
So they continue on… And so will the GWOT.
What I can say about Inspire
Well, speaking of AQAP and Samir etc, we had the dump of Inspire 8 & 9 last week and it was only a matter of time really. It seems that Samir had 8 in the can mostly before he got his personal bomb blast, but 9 is whole cloth the creation of those he left behind, including I suspect the guy who wrote the eulogy for Samir. Inspire 8 is oddly formatted and contains more kluge-y language but 9 seems to be back to the more slick jihadi hipster that it was before.
Not much has changed on content though, or thought for that matter. They did have some more detail on things.. But.. I cannot talk about it…. Wouldn’t wanna be one of those “leakers” ya know… Let’s see what they come up with for 10 and see where they are headed. The one thing they did learn from all of the DoS and hacks: at the top of the mag they tell the brothers to post it everywhere, not just on the boards. Seems they have the whole internet to work with and not just their php pages huh? Now who’da thought that?
Election Season and Leaks of INTEL
Speaking of leaks and leakers! Can you tell it’s election season? I certainly can with all this hoo-ha over UBL’s demise and campaign ads! Now though, we have this leak about the underwear plot and how the <REDACTED AGENCY> got their guy in there.
Really? I don’t know about you all, but I am feeling rather jaded at the “inside sources in CT” being cited on this whole intelligence coup. Evidently now too the CIA and other entities are claiming that they are “looking into” the leak.
Hmm lemme see, who woulda leaked that? Maybe the intelligence agencies themselves? Perhaps even it was a “condoned” leak maybe?
Look, like I said before this guy had a one way mission and he was burned as soon as he left the compound to go on that flight (a highly perishable asset) so who’s losing out here that this information is leaked? (once again see above) I dunno, I may be being a bastard here, but this is how I see it. It was convenient on many levels to leak this to the press. Just as it was for Gdub to leak Valerie Plame’s name right?
Say Scooter, how’s life now that you have been thrown to the wolves on that… Feelin the love still?
Meanwhile, the war rages on for the black hearts and mushy minds of those jihobbyists out there who wanna join AQ/AQAP or any of the other franchises. The latest releases of Inspire pretty much say it all. They are following what UBL laid out as a broad base ideal, get the locals to attack the US. The jihadi boards online as well are a great part of this picture as well, giving the ability of propaganda and spin to those out there who would be a “lone wolf” as well as a repository for Inspire.
The boards of late have been under fire though by the patriot hackers as well as intelligence agencies. Recent times have seen them taken offline not only via DoS but also being hacked and deleted offline. Of course they come back fairly quickly as the owners/operators have backups of them in other places and they are mirrored. So, once they get that master database back up, they all pop up and away they go. Interestingly though, recent events have shown just how the boards play one role while technology is being used in another way to keep communications secret.
With the release of the Abbottabad letters we have seen how UBL and the networks have been using little technology to communicate via courier. Of course they are still using technology but only minimally and it seems in the case of UBL (that we know of) without actually using encryption on their hard drives or USB drives, that is until recently. An AQ operative was recently caught with a USB drive full of porn amongst other things. Within that porn there was, steganographically hidden, files for the jihad. These documents were future plans and other materials that will be ever so helpful in the war on terror. However, the point being is that this is the first acknowledged case of Steg being used by AQ and that is interesting. What I find most interesting about this though is the hindsight issue here. A case could be made that AQ learned from the fact that (as we know it by accounts) UBL did not crypt any of his stuff and the SEAL’s took it all. This would have put a severe crimp in AQ’s plans and as we have seen since UBL’s demise, we have been in a drone war that we have been winning much of the time. So, all that intel (pocket litter) we obtained from Abbottabad really came in handy and must have been an object lesson for those left in command of AQ.
Moving forward though, I expect that, from my reading of Inspire, AQAP has a plan to leverage the internet even more than they already are. I believe that they will continue to put the magazine out and perhaps inspire others to make clones. The ubiquitous nature of the internet will only serve to allow their propaganda to be loosed upon us all. The key though, is that their propaganda only appeals to a very small, and mentally damaged group that in reality will lose in the end. Why? Because there are far more sane people out there than there are those bent on AQ’s particular brand of “jihad”
Expect More as We Move Towards November
Well, I guess as a final conclusion to this screed, I just want to say that you all should expect more of all of this. The political season is upon us and the powers that be will be attempting to leverage all of this as well as the AQ’s of the world. Remember Azzam Al Amriki is still out there at present, and if he had his way, we’d be seeing Ayman on ABC news doing interviews.
No one needs that kind of pedantry… No… Really…