Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for June 2012

Sabu: The Anonymous Zeitgeist?

with 2 comments


Quinn Norton’s Wired Elegy for Anonymous and Sabu 

I saw the article come up in the RSS feed and thought “here we go again” and surely, we did go again, to that special place where fantasy meets maudlin memories of what once was… Well, for those, that is, who live in the fantasy world and not reality. The ode to Sabu and Anonymous that Quinn put down to digital ink was one of the larger steaming piles on the internet I had seen in some time, and trust me, I have seen some epic steaming piles of shit on the internet kids.

Aside from the obvious issues of some scattered ideas, I was taken aback by the article’s reverence for Anonymous and the feel that the writer, having been “embedded” for so long, has basically been overtaken by “Stockholm Syndrome” and believes the hype that Anon’s would like to have spun about their organization, collective, group… Ehh, whatever it is. Phrases like the following cued me in on her deep need for deprogramming:

In 2011, Anonymous figured out how to infiltrate anything, to mobilize not just machines but bodies.

Really? They are the new APT huh? They are an existential threat to the existence of society? What flavor was the kool aide you had Quinn? Must’a been strong strong stuff, or have you just gone all Patty Hearst on us all? Tell me, do you have a green army jacket and a copy of LOIC in your purse? I am sorry to report to you Wired, but, your reporter has gone over to the other side… Suffice to say that I have issues with this article and the following paragraphs will enlighten you as to why. First off though, let’s cover the first couple of paragraphs of this epic story, the elegy for Sabu and his power…

Sabu, Hector Xavier Monsegur, international man of mystery, master hacker, idol of the Anonymous hackerati, and petty criminal. A force to be reckoned with, as the article makes out, but what the article fails to point out is that in an “anonymous and headless” org, as they like to think of themselves, he was in fact not only a snitch but also a “SINGLE POINT OF FAILURE” as we say in the information security business. This is something that Quinn failed to comprehend, or just negates due to the kool aide drinking (think lotus eaters) that seems to pervade the Anonymous movement as well as the Occupy one that she waxes poetic on further down in the article.

If indeed Sabu was so loved by Anonymous, and approved of, then they completely abdicated their core beliefs in operations and set themselves up for the fall that came with Sabu’s arrest and his subsequent rolling over on everyone in the “movement”, which has spawned all of the arrests we are now seeing come to trial (Cleary et al.). So, neither Sabu, nor the Anon’s of Lulz/Antisec, nor Anonymous as a whole were very bright about the operational details that later would bedevil them.

See kids, everyone makes mistakes and no one is immune to them. Sabu made them, you all made them, and in the end, several of your pals will be going to pound me in the ass prison.. and for what? I’m afraid none of us is as smart as we like to think we are. Just so happens some of you are now finding this out.. The hard way…

Sabu was no hero.

Sabu was no digital hacker god.

Sabu was just a guy with troubles and a need to feel important, loved, idolized, and he wanted ATTENTION.

He had them all, and now has even more, from federal authorities.

His ID ate his Ego and it led him to absolute compromise of his life.

As Quinn would make out, he was the poster child for Anonymous, able to hack anything in a single bound! What Quinn fails to tell you is that a majority of the hacks were low hanging fruit and he was shooting fish in a barrel. You see, the skidz were out selecting targets not because of political importance, but instead they were just looking for the easy score. It’s far easier to claim a win and surround it with political and movement ideals than it is to go after true targets, work assets, and compromise with an end goal in mind.

Wake the fuck up Quinn…

Do-Ocracy or Erratic Primates With Computers?

Quinn goes on to wax poetic on how Anonymous has a “do-ocracy” which, uhh, what? Really, what the fuck does that really mean? You are trying to tell me that it’s a headless org without leaders and yet people come together and do things in a concerted way? Sure, yeah, that works for DDoS but what about all this hacking you are going on about as if it were fantastical and magic?

Tell me, how many disorganized personalities out there do you know of who work as hackers? It takes focus, well, unless it’s the usual low hanging fruit target that Lulz approached, that is. Granted though, the HBGary thing, that was done well, they had a plan, they engineered people and it went off as a well oiled machine would. I applaud that one kids, really I do, not for what you did, but the way you did it. That was worthy, but, still, what is all this claptrap that Quinn is going on about now?

Do-ocracy, yeah, don’t buy that one either. Look, you cannot have an unstructured organization or even a collective. You liken yourselves to a stochastic system in one breath, then say you are a hive mind like bees the next. Lemme give you all a hint, bees and ants, they use signals from leaders to tell them what to do, where to go etc.

See kids, it’s a system: they have ranks, they have functions, and they work towards a concerted goal using messages. Go on, go read about them and then come back once you have a grasp of it all… I’ll wait.

………..

Ok, back? Do you have a better grasp of this now? Now ponder this, you are all primates. SOCIAL primates by the way, you all work together by communicating AND you tend to have leaders. How does that work within the confines of what you think you know about stochastic systems like the one you claim to have?

Ya know, like the one that Sabu and you all created that was not so leaderless and is now pretty much out of commission?

Yeah…

It’s time you all took a look at sociology and psychology in regard to what you do and how you are doing it.

Herds and Flocks Both Have The Same Flaw.. Someone Takes The Lead

I have written about this before so I will not belabor it more here, I will simply point you HERE and have you read. Once you have, come back and finish out this article.

So, You’ve DDoS’d and You’ve DOX’d… I See Nothing’s Changed.. So Much For Zeitgeists 

So, Sabu was the zeitgeist of Anonymous according to Quinn. He and his pals hacked many places and caused quite the ruckus, but, what really came of all that action huh? Do we have anything to really speak to the vast and sweeping changes that their actions created?

Is our data safer now generally?

Have the cops been stopped from abusing power?

Has the government thought better about their power grabs both on the internet and off?

Has a more open and equitable system of governance been created from it all?

No, no, no, and no. Basically, all of Sabu’s and Anonymous’ actions to date have not made us better off at all really. Sure, you can make correlations that Anonymous has something to do with the Arab spring, but, just how much is a really problematic thing to quantify. Hell, even Quinn would not throw it up there definitively in her kool-aide haze (good for you!).

So, what’s this all about I wonder? Is this movement, which was born from /b/ and Lulz, just the rabid collective Id or is it a movement? It would seem according to some, that the organization is maturing and that the majority want to do something about the encroaching government and corporate control over us all. I personally would love to see this happen, that the masses get organized and energized about making a difference in the years to come against the government’s heavy hand.

Do I have real hope of this happening? Not really…

If Anonymous continues with the DDoS and Doxing that we have been seeing against targets of opportunity, we will have no substantive change, well, I should say no “positive” change. You see, if you keep doing what you have been ad nauseam, you will only serve to make the government tighten their grip on us collectively. Now one could argue that this will happen anyway, and frankly, I see in my mind’s eye Bluto making his famous “Germans bombing Pearl Harbor” speech at Delta house here, but couldn’t we do something more constructive?

In the end, just realize that all your machinations to date have not raised the consciousness nor made real change. Here is where your analogy to bees comes back to bite you in the ass.. You have stung, now, lacking stinger, which you leave in the target, you go off and die. Ya know, like the famous Sabu and his rhetoric!

Oops.

So, How Different Are You From The Obama Administration, CIA, NSA, etc Post STUXNET and FLAME and CYBERWAR, Drones, etc?

Finally, I will leave you with these parting thoughts…

Ponder these ideas and questions;

  • How different are you from the governments that you say are being heavy handed when you DoS (no, it’s not a protest) those who you disagree with? Instead of, say, engaging in debate?
  • How different are you now from those you despise when you use the same hacking techniques to attack them? With cyberwar nakedly being used now, are you so different?
  • Remember, also with cyberwar, you are now a cleared target as well and may in fact become so because your actions are considered “warfare”.
  • Remember one more thing, you guys don’t kill people.. The government is and will. Not to say that they will be coming after you with a drone firing a missile, but, generally these guys are much more serious about shit than you are.

I am not saying that you all should just lie down. That anonymous needs to go away. Far from it, I am saying you need to work smarter. If you don’t then I should expect more arrests and more insiders being the linchpins to those mass arrests being carried out.

Stop letting your Ids rule you and let the Ego drive a bit kids.

Oh, and Quinn, I can provide you a name of a good de-programmer if you like…

K.

Written by Krypt3ia

2012/06/27 at 09:36

Posted in .gov, Anonymous, AnonyTards

“Active Defense” The New Digital Wild West Justice

with 3 comments

Bringing A Knife To A Gun Fight

So, companies are starting to consider what is being called “Active Defense” against would-be attackers online. Given what I know about the places I have seen over the years as a consultant, I would have to say that this would be the net effect of bringing a knife to a gunfight. Why, you ask? Well, because as we have seen generally, and are being told all of the time by numerous people, we, generally, do not have very good defenses in many companies, never mind the wherewithal to “strike back at” anyone that might be knocking on your digital door. This my friends, is one of the worst ideas in all of humankind’s existence.

No doubt it will be the norm soon though, with a vendor on every stoop selling the next whizbang “blackice” to get those pesky APT’s.

Wheeee, I can’t wait! Look, why not just fix the stuff you have and work on keeping it secure and not letting the bad men in first shall we? What? That’s not sexy enough? You say it’s not proactive? You need to see blood once you have been hacked?

Oy vey…

Earps, Clantons, And The Duck Of Death

I can see it now, it’s going to be akin to Old West gangs on the internets. The Duck of Death will be out gun-slinging, calling out all those weaker sorts in his clipped British accent.

“Come now sir, you really think that firewall will stop me? Don’t you know who I am? I am the Duke of Death”

This will just get out of hand and incredibly stupid. Sure, you can say that you are just going to maybe tarpit those attackers to prevent them from getting in quickly, but, you have to know that there will be (already are) services where blackhat types will hack back against those who “dun you wrong”.

*spits into spittoon*

“Yup, I can git a cyber posse together and we can capture those there cyber varmints that done you harm lil missy”

This won’t end well…

Seriously? We Can’t Even Secure Our Shit

On a more serious note though, how many companies are really in a position to even think that they are near being secure? What we have developing here is just a reactionary “for hire” model of blackhats, and really, who’s to say that this company you are hiring isn’t going to rat you out in the end anyway? Or, for that matter, that their super blinky light appliance really will do what they claim and.. Well… What? Attack who? God, don’t even get me going on attribution here! I mean, really, c’mon, I have been all over this, who’s to say that Pharmacombinate A actually hacked your secret sauce in the first place? Especially if you have poor defenses already and no real way to tell if you are right.

Oh, and do you have a proactive and knowledgeable security team anyway? Do they have control over the environment (as much as anyone can) to respond not only to an incident, but also the aftermath? Are they in fact going to push the button on countermeasures? Will it be automated and perhaps cut off business operations because someone forgot to enter an IP address into a firewall or “hack back” appliance? What if it’s a client or business partner under that same scenario? Are you going to hack them? Block their traffic and thus go back to the issue of stopping work flow?
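The questions above about automated countermeasures are the concrete risk in this whole idea: a box that blocks on its own will eventually block a client or partner whose address nobody typed into the allowlist. The following is an added example (not code from the post or from any vendor appliance) of what an automated response decision should look like if one is going to exist at all: it rate-limits or blocks only unknown sources, routes anything in a partner range to a human instead of acting, and has no “hack back” action at all. The log lines, partner range and thresholds are constructed for the demo.

```python
"""Added example: an automated-response decision that never hacks back and never
auto-blocks a partner range. Log lines, partner ranges and thresholds are constructed."""
import ipaddress
from collections import Counter

# Constructed firewall-style log lines: "<timestamp> DENY src=<ip> dst_port=<port>".
SAMPLE_LOG = """\
2012-06-19T20:01:02 DENY src=203.0.113.7 dst_port=22
2012-06-19T20:01:03 DENY src=203.0.113.7 dst_port=22
2012-06-19T20:01:04 DENY src=203.0.113.7 dst_port=22
2012-06-19T20:01:05 DENY src=203.0.113.7 dst_port=22
2012-06-19T20:01:06 DENY src=203.0.113.7 dst_port=22
2012-06-19T20:01:07 DENY src=203.0.113.7 dst_port=22
2012-06-19T20:02:00 DENY src=198.51.100.20 dst_port=443
2012-06-19T20:02:01 DENY src=198.51.100.20 dst_port=443
2012-06-19T20:02:02 DENY src=198.51.100.20 dst_port=443
2012-06-19T20:02:03 DENY src=198.51.100.20 dst_port=443
2012-06-19T20:02:04 DENY src=198.51.100.20 dst_port=443
2012-06-19T20:02:05 DENY src=198.51.100.20 dst_port=443
2012-06-19T20:03:00 DENY src=192.0.2.44 dst_port=3389
2012-06-19T20:03:01 DENY src=192.0.2.44 dst_port=3389
2012-06-19T20:03:02 DENY src=192.0.2.44 dst_port=3389
2012-06-19T20:04:00 DENY src=192.0.2.9 dst_port=3389
"""

# Constructed allowlist: the business partner's range someone might forget to enter.
PARTNER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

TARPIT_AT = 3  # denies before we slow the source down
BLOCK_AT = 5   # denies before we drop the source at the edge


def count_denies(log_text):
    """Count DENY events per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        counts[fields["src"]] += 1
    return counts


def is_partner(ip_str, ranges):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ranges)


def decide(log_text, partner_ranges=PARTNER_RANGES):
    """Map each source to one of: ignore, tarpit, block, review.
    Partner sources are never blocked automatically; they go to a human.
    There is deliberately no 'hack_back' value this function can return."""
    actions = {}
    for src, n in count_denies(log_text).items():
        if is_partner(src, partner_ranges):
            actions[src] = "review"      # alert a person; never cut off a partner
        elif n >= BLOCK_AT:
            actions[src] = "block"
        elif n >= TARPIT_AT:
            actions[src] = "tarpit"
        else:
            actions[src] = "ignore"
    return actions


def decide_without_allowlist(log_text):
    """The failure mode the post warns about: same thresholds, but the partner
    range nobody typed into the appliance, so the partner gets blocked."""
    return decide(log_text, partner_ranges=[])


if __name__ == "__main__":
    for src, action in sorted(decide(SAMPLE_LOG).items()):
        print(f"{src:16} -> {action}")
    print("without allowlist, partner becomes:",
          decide_without_allowlist(SAMPLE_LOG)["198.51.100.20"])
```

Running it shows the partner range landing in `review` only because the allowlist exists; `decide_without_allowlist` is the same engine with that one omission, and it blocks the partner outright.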

Nope, this is an idea that will just end in heartburn and lawsuits I suspect….

Bad Ideas, Like Cockroaches, Proliferate Quickly

Oh well, I am sure there are plenty of vendors out there printing up color glossies for the rubes to buy. Others are making appliances with blinky lights and maybe even sound effects.

“PEW PEW PEW! GOT YOU ANONYMOUS!”

Oh there will be douchery, and lots of it I suspect. Say, how long does snake oil take to ferment anyway?

K.


Written by Krypt3ia

2012/06/19 at 20:32

Tweeting Cyberwar and Other Ridiculous Ideas

leave a comment »

The “Benefits” of Cyber War?

Something has been sticking in my craw lately and, like a grain of sand in the gullet of an oyster, it has finally matured into a pearl of… Well, not wisdom as much as bilious hate, but I do hope that it does enlighten some and denounce others for their vulgar stupidity. As you can see from the image above, the grain of sand that started this came from our pal Richard Bejtlich over at Mandiant. I have often found his diatribes to be products of the “echo chamber of secrets” that he lives in, but now it seems that his pathology is beaconing straight out of his nether regions and leaking onto his Twitter feed… and it seems he is fresh out of Depends undergarments.

The quote on the “benefits” of cyber-war is completely out of whack and I would like to point you all in the direction of the fallacy of his train of thought. Richard, it’s not about how many are alive today because we used a stalling tactic cum sabotage against their nuclear program, it’s about us actually doing this and opening Pandora’s box on ALL of us because we did so without really thinking about it. THAT’s the issue you fail to grasp and it is something that you and many more like you in the “establishment” fail to get. So, no, we did not bomb the facility, but neither did we forestall the Iranian efforts to the point of dissuading them from carrying on, nor actually conceive of the idea that they would redouble their efforts post the attack. We poked the badger and now it’s pissed AND has the same weapon we used on them to RE-USE against us.

Nice.

Of course, I am not advocating the idea that this type of activity should just be verboten and that we should eschew such things. No, I agree in the use of the technology and the ends that we had in mind. No, what I disagree with now is that it’s being used as a cudgel in an election cycle and has turned into a FUD parade bigger than any ever seen before. It seems that the movers and shakers out there in Washington got new toys that they just had to play with and then brag about, at least that’s my perception. Of course then they have their rah rah guys like ol’ Tao here saying something to the effect that it’s a clean and precise warfare.

No, it’s not.

Tell That To The Iranian Physicists and Their Families

So Rich, how many lives were saved? How many were lost here should be the question. I can remember at least 3 Iranian scientists who went kaboom during and after the Stuxnet attacks. I also know I have heard of other people, including CIA assets, that are missing and presumed killed who may also have had something to do with the operation in Natanz. So, it’s not really a clean warfare is it? In fact, let’s expand on this and think about the FUD factors being talked about in the Congress and in general where “Cyber-War” is concerned. The fear is that when the shit goes down because someone inserted a worm into say the grid, then people start dying. Sure, they would likely be people in hospitals who are really sick, aka the sick and the aged, but hey, those are just collateral damages right?

No war is clean, no war is precise, and as we are seeing from all accounts even with drones, there will ALWAYS be collateral damage. So don’t blow sunshine up our collective asses on this one Richard. The fact is, this one could be really bad for many people if the situations are right and, by my estimation, will always have some portion of actual deaths attached to them because of blowback. Of course, all of this talk depends on whether or not you buy into the idea of this activity actually being “war” in the traditional sense of the word. Like I said before, we are not even sure what “cyber-war” is nor have we really created rules and doctrine around it. So, let’s not go and minimize the issue by saying “gee, look how many lives we saved by not bombing the shit out of them!” The effects of the sabotage politically, as well as what reprisals Iran might be thinking about or acting upon, are not fully realized yet so it’s a bit early to start the spin there Rich.

Monkeys With Digital Guns

I have said this before and I am saying it again, we are just monkeys with digital guns. Fools with tools really. I am afraid of the level of hubris here and frankly feel that it’s almost time to just become a Luddite. At least Luddites won’t be compromised by their toasters because China made malware to p0wn us all. I really feel like Taylor, standing before the wreckage of the Statue of Liberty, yelling as Nova looks on like “Holy WTF?”

YOU MANIACS! YOU BLEW IT UP! OH, DAMN YOU! GODDAMN YOU ALL TO HELL!

How about we all take a step back and ponder what we have done? Let’s look at the repercussions as well as the current state of our own systems before we move ahead at full steam?

What? The Pentagon is advertising for black hats?

Fuuuuuck…

Well, guess time will tell what the first “great cyberwar” will bring. Could be a lot of nothing.. Could be some indigestion… Could be a collective fart… Much like the fart that I consider the tweet that started this whole diatribe. Start digging your trenches kids, the digital mustard gas is next.

K.

Written by Krypt3ia

2012/06/19 at 15:18

It’s The 90’s All Over Again.. Except This Time Online: Political Correctness and Human Nature

leave a comment »

Remember The 90’s and The PC Movement?

Ahh the 90’s… A time when things were good. The economy was booming, terrorism was, well, starting again having been in a lull since the 70’s, and we all were just zippidy doo da about life! Well most of us were. Others though, well, they were fretting over our collective moral souls because we were an inch from perdition’s flame from vulgar behavior and attitudes! That’s right kids, for those of you who were too young to remember, this is the time when the government started to think that they should control (but in the end label) the lyrics of songs or records because they could be harmful to children, and much more insidious things ensued. Step into the Wayback machine kids…

Political Correctness

The “Culture Wars”

Culture Wars: The Struggle to Define America by James Davison Hunter

Pat “Fuckin” Buchanan *shudder*

It was a scary time kids, but then again, so were the 70’s and 80’s as well if you were around for them and cognizant of what was going on. It is this landscape though, the 90’s, that bears the most on the conversation I want to have with you all. The 90’s were when today’s technology (the internet) began to be prevalent and also a scary scary thing to the powers that be. Just as the times were changing socially, artistically, and most of all to me, musically, the technology also gave people an outlet as well as, to some, a means of control; just remember the clipper chip and you’ll know what I mean.

In other areas though, there seemed to be this movement toward “right behavior” and conforming to norms that, well, rankled me and I am sure many others. At the time we had people like Tipper Gore trying to get things labeled as (R) or (Mature) because they could not outright ban it (re rap music/gangsta rap lyrics). I remember her and certain people throwing a conniption fit over the images and lyrics to Guns-N-Roses Appetite for Destruction as well. I mean, I listened to it and I am just fine… Right? So why all the need to censor things? Was it perhaps that too many people were not, oh, say, watching their kids and dealing with them? Perhaps letting the TV raise them? Heh. Well, many jumped on board and it made the 90’s a hell of a fun time. I had thought we had gotten past all this claptrap, but, it seems it’s all coming back and now, it’s all about “online” content too! Of course, there are those looking to do the old fashioned route again like Middleborough Mass, where they decided to put out an ordinance against swearing in public. You read that right, they will fine your ass $20.00 for swearing! Morons.

Being “Sensitive”

The other day I had to endure a “sensitivity training”. I will not go into the reasons why we were being trained, but I will extrapolate for you all the reason why I think we were there. The real reason we were there was to 1) CYA for the company and 2) because far too many people are not raised to be accepting whatsoever of anyone being different in our collective cultures. It is my contention that if you are unable to be tolerant of others’ differences now at adulthood, then you are the product of a poor upbringing and failed to learn anything in Kindergarten. It’s really as simple as that. However, because of the legal system and because of the overblown nature of what is considered PC corporate behavior today, people have to go through the basics of “Don’t be an asshole” training. Now, for me, this also extends to the laws being drafted today about cyber bullying. Granted, people are bullied (kids and adults) and some do in fact take their lives over it. This is sad and I really wish it upon no one, but, is it not the job of the parents or the person to just realize that these people are assholes and get over it? I mean, it’s the internet for God’s sake! We are ALL ASSHOLES and we had better learn this from a young age.

We all need to develop coping mechanisms and much of this should stem from good parenting. Instead I fear, we have all abdicated the parenting to the beige box and the intertubes as opposed to sitting with your kids and having real discourse and bonding. Regardless, now it seems that the Nanny state needs to get in on the act and create law to help sort it all out. It’s one thing to make something criminal, and another to attempt to force behavioral modifications on us all that may yet infringe on our first amendment speech rights in this country. I think we are at the tipping point here and with all the cyber hubbub over warfare and criminality, the congress critters have taken the reins in their oft ill conceived ways and will likely fuck us all in the end with their swift pens of “justice”.

Laws On Online Behavior, or Making Free Speech Criminal

The re-birth it seems of the PC attitudes of the past now has begun to spill into the internet and its “Wild West” of cussing and bad behavior. Once again, people are starting to stir up rhetoric to speed congress toward action against those horrible people who inhabit the internet. Once again, it’s certainly not the parents’ job to control their children online and certainly not the individual’s right to be as vulgar or maybe say, buy an exceedingly large soda in NYC it seems. No! We need the Nanny State to come along and control what we do for our own good! Meanwhile that same group of people is allowing “Cyberwar” to be pre-emptively acted upon even though we have no fucking clue as to how to defend against such attacks on our own feeble infrastructure.

Lately I have been hearing stories of people being told to remove their blogs because they have offended someone; the case in point today came from some child blogging on how bad her cafeteria was at school! Holy WTF?! What the hell is going on here? Is this not free speech? Are we not in America? Oh, wait, SHE was in Scotland.. Ok, so the daily haggis was not to her liking, but trying to stifle the creativity and the opinion of the child was just ok? NO, it was and IS not! Nor should it be even thought of as acceptable that this happen in the first place. It was even worse that a governmental body tried to pull this crap, and this is what I fear here in the states as well. How long ’til we have “free speech zones” on the internet one wonders?

Meanwhile, back to bad behavior and the internet. Like I have said before, it’s the “internet” and the intonation there is that “who the fuck cares?” No one should take it seriously. If someone says something bad about you to the world, well, say that it isn’t true. If it isn’t true and you get fired or something happens and you have a case, sue their asses. Otherwise, all this claptrap about lil johnny’s feelings being hurt should just stop. There are already laws about harassment on the books and those should be used or amended for use to arrest someone on stalking etc. However, with all of the rush to get legislation on the books, it seems that other areas are being exposed to piteously stupid law making around freedom of speech globally. Now, I realize that it is a global community and many places do not allow free speech, but, I am only here to ring the warning bell.

DING DING DING!

Pay attention to what the Congress Critters are up to or soon enough you will find yourself having to deal with some bogus charge of swearing in public or online.

FUCK! ASS!

K.

Written by Krypt3ia

2012/06/15 at 15:47

ZOMG, ZOMG, ZOMG, LinkedIN Was HACKED and Our CRAPPY Passwords Were Leaked!

with 2 comments

ZOMG LinkedIN was HACKED!

A tweet conversation yesterday finally snapped my brain into focus on the whole LinkedIN hack password debacle. Someone had tweeted about the non-complex nature of the majority of the passwords from the hash dump and my snarky response was basically “Who cares? After all, LinkedIN certainly didn’t, why bother when places don’t carry out due diligence?” After all, it was only LinkedIN right? I mean, who’s not already “in the know” that this is the Mos Eisley of business networking right? Between all the cutout accounts and stupid headhunters, one really has to know that it’s just a business version of Faceyspace right?

Well, I guess there are some out there who are using it like it’s a super secure and wonderful tool to make “spook” contacts for intelligence gathering huh? *SNORT* If anything we have seen that it has just turned into a festival of stupid commentary, casual hooking up, and one of the BEST tools for someone like Tommy Ryan to nab all kinds of .MIL and .GOV folks with their digital pants down more than anything else. So they were hacked; any of us in the business with half a brain “should” have been using throw away passwords or phrases with the appropriate complexity anyway, this includes the government and certainly the military people….

Well, it seems that this is not really the case….

ZOMG LinkedIN WASN’T PROTECTING MY PASSWORD!

So, once again we find that a company, that people do in fact pay for, was NOT performing the due diligence that they should be on behalf of their clients and protecting their passwords with salted hashes at the very least. Nope, no crypto of worth was at work within the rarefied digital confines of LinkedIN and WHO’DA THUNK IT? Even after they found out they were hacked they did not really have a grasp on if they “really” had been and failed to issue an alert until later the same day (much later, like late afternoon) when word of the hack and proof of the dump was out on the Russian hacker board at 6am EST.

Now, given the past history of security gaffes and certain unsavory people/accounts on LinkedIN over the recent few years, and LinkedIN’s lackadaisical attitude towards security, is it any surprise that this all happened? That LI was not encrypting the password database to BASIC security standards? After all, they just take your money so you can hit up the pretty recruiters right? No security needed there… Nah. Hell, they don’t even have a CIO/CSO/CISO do they? Who needs them huh? C’mon “We no need your stinkin CISO”

Oopsies.

So what does the “INFOSEC Community” have to gripe about here? I mean, gee, we already kinda knew their posture right? You should have collectively had your throw away password anyway, so no biggie. Yet, look at all the hue and cry here!

ZOMG The 6 MILLION Passwords Were On The Whole SIMPLE AND INSECURE!!!

Yup, that headline says it all really. You see, people on average don’t really care about their passwords nor do they really have the security awareness to even attempt to create complex ones. I mean, hey, it’s as simple as downloading a password manager/vault that creates them for you with good complexity as well as saves them for you to look upon when you forget right?

*Evidently, THAT is too hard for the majority of end users… Hangs head…*

Nope, all too many people had simple passwords like 1234 for their access to a site where they lay bare much of their business and social data it seems. Oh, and did I also mention that in the same day there was a vuln released on their iOS app that was thieving YOUR calendar data? Oh yeah, nice! I guess it’s all just human nature to be lazy and create passwords that are easy to remember but this is just getting silly people. One wonders just how many of those people replicate those silly passwords on to other sites like their email or maybe their bank huh?

Oh my…. That many? We’re DOOMED.

Look, I have said it before and I will say it again, our own natures provide the largest attack surface. In the case of LinkedIN and the six million passwords there are two:

  1. Laziness on the part of the company not encrypting the passwords to basic standards and laziness on the part of the EU’s not creating stronger passwords
  2. A STUNNING lack of situational and security awareness on the part of both parties

It’s simple really, if you are a pentester or a criminal, all you need do is remember the axiom that human nature will always be the undoing of many security systems. Trust in stupidity son…
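The two laziness points above compound each other, and the “salted hashes at the very least” remark earlier is the crux: an unsalted table lets anyone who holds it check one guess against every account at once, and identical passwords stand out as identical hashes before a single one is recovered. The example below is added here to show that concretely; it is not code from the post or from LinkedIN. The user table and the short “common passwords” list are constructed for the demo, the unsalted scheme is plain SHA-1 (which is what the LinkedIN dump turned out to be), and the salted scheme uses PBKDF2 from the Python standard library as a stand-in for “basic standards”.

```python
"""Added example: what an unsalted password table gives away versus a salted one.
SAMPLE_USERS and COMMON_PASSWORDS are constructed inputs for the demo only."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed accounts. Plaintext appears here only as the demo's input.
SAMPLE_USERS = {
    "alice": "1234",
    "bob": "1234",
    "carol": "password",
    "dave": "linkedin",
    "erin": "9x!Qv#7Lr2@pWz",
}

# Constructed stand-in for a list of the most common passwords.
COMMON_PASSWORDS = ["123456", "1234", "password", "linkedin", "qwerty"]


def unsalted_sha1(password):
    """The weak scheme: one deterministic hash, the same for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def unsalted_table(users):
    return {name: unsalted_sha1(pw) for name, pw in users.items()}


def duplicate_groups(table):
    """Identical passwords produce identical unsalted hashes, so shared passwords
    are visible in the dump without recovering anything."""
    counts = Counter(table.values())
    return sum(1 for c in counts.values() if c > 1)


def audit_unsalted(table, common):
    """Defender's audit of an unsalted table: hash each common word ONCE and look
    it up against the whole table. Cost is len(common) hashes, however many users."""
    lookup = {unsalted_sha1(w): w for w in common}
    return {name: lookup[h] for name, h in table.items() if h in lookup}


def salted_record(password, iterations=100_000):
    """The basic-standards scheme: random per-user salt plus a slow KDF."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def salted_table(users, iterations=100_000):
    return {name: salted_record(pw, iterations) for name, pw in users.items()}


def verify_salted(password, record):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def audit_salted(records, common):
    """Same audit against salted records: every (user, word) pair needs its own
    PBKDF2 run, and a hit on one user says nothing about any other user."""
    return {name: w for name, rec in records.items()
            for w in common if verify_salted(w, rec)}


if __name__ == "__main__":
    table = unsalted_table(SAMPLE_USERS)
    print("unsalted: shared-password groups visible in dump:", duplicate_groups(table))
    print("unsalted: accounts matched with", len(COMMON_PASSWORDS), "hashes:",
          sorted(audit_unsalted(table, COMMON_PASSWORDS)))
    records = salted_table(SAMPLE_USERS)
    print("salted: alice and bob hashes identical?",
          records["alice"]["hash"] == records["bob"]["hash"])
    print("salted: same audit now costs", len(records) * len(COMMON_PASSWORDS),
          "PBKDF2 runs for", sorted(audit_salted(records, COMMON_PASSWORDS)))
```

Both audits find the same four weak accounts, because salting does nothing for “1234” itself; that is the end-user half of the problem. What salting changes is the company half: the work per guess scales with the number of users instead of being paid once for the whole dump, and nobody can see from the table alone which users share a password.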


ZOMG The Security Industry FAILED To Teach Us All About Strong Passwords!!!

Meanwhile, there was a great hue and cry by the twits on my feed and in articles on Island and other places on how the industry (as well as LI) failed once again in the security space. We evidently do not have enough “evangelistas” out there teaching the wretched masses about the wonders of proper password choice. We are just not reaching them and when we see things like this we then go on ad nauseum chiding them or in most cases just pointing our collective fingers and laughing.

Yeah, that’ll teach ’em. I can feel their collective IQ’s rising now.

I guess my question is can we even really inculcate these things when the basic human nature is to not use our frontal lobes too much? We have too many passwords now and it’s hard! C’mon, just lemme do 1234 it’s gonna be fine because the company is protecting my data! How do I know? Oh, cuz they have this pretty graphic here with a lock on it!!

If you believe that, I have this bridge I’d like to sell you.

Look, all you INFOSEC people out there lamenting, stop. Breathe. The simple truth is that you cannot win this battle unless YOU are in direct control of the systems that would FORCE password complexity on the end users. The sad fact is too many of us aren’t actually in control, it’s the C levels who are in the end, we just tell them what would be best for the security of the business. It just so happens that much of the time these measures cost money, or, more likely, inconvenience the workers and the perception is that work and PROFIT would suffer from your newfangled security measures.
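The two failures called out above, the site not hashing passwords to basic standards and users picking 1234, and the point that complexity only sticks when the system enforces it, come together in one added example below. This is illustration code written for this post, not anything from LinkedIn or from the author; the user names, the tiny blocklist and the dump of hashes are all constructed here. The weak form is a single unsalted SHA-1 per password, which is what the 2012 LinkedIn dump turned out to contain; the hardened form is salted, iterated PBKDF2-HMAC-SHA256, and the policy check is the kind of thing the signup page would have to run to refuse 1234 in the first place.

```python
import hashlib
import hmac
import os
import re

# Constructed blocklist for the example; a real deployment would load a
# much larger list of leaked/common passwords.
COMMON_PASSWORDS = {"1234", "123456", "password", "qwerty", "linkedin"}

# Iteration count is a tunable cost; kept modest here so the example runs fast.
PBKDF2_ITERATIONS = 200_000


def check_password_policy(pw: str, min_len: int = 12) -> list:
    """Return the list of policy violations; an empty list means acceptable.

    This is the server-side enforcement the text says infosec rarely controls:
    if the site does not refuse weak choices, users will make them."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    classes = sum(
        bool(re.search(pat, pw))
        for pat in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def weak_hash(pw: str) -> str:
    """The 'not to basic standards' way: one unsalted SHA-1 per password."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()


def strong_hash(pw: str, salt: bytes = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, serialised as algo$iters$salt$dk."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(pw: str, stored: str) -> bool:
    """Recompute from the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", pw.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def reuse_report(dump: dict) -> dict:
    """Given {user: unsalted_hash}, group users who share a hash.

    With unsalted hashes, identical passwords give identical digests, so one
    cracked entry exposes every user in its group; this is why a leaked dump
    of that shape is so much worse than a salted one."""
    groups = {}
    for user, digest in dump.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(u) for d, u in groups.items() if len(u) > 1}


# Constructed sample "dump": three users, two of whom chose 1234.
SAMPLE_DUMP = {
    "alice": weak_hash("1234"),
    "bob": weak_hash("1234"),
    "carol": weak_hash("Correct-Horse-Battery-9"),
}


if __name__ == "__main__":
    print("policy('1234') ->", check_password_policy("1234"))
    print("shared hashes  ->", reuse_report(SAMPLE_DUMP))
    h1, h2 = strong_hash("1234"), strong_hash("1234")
    print("salted hashes differ:", h1 != h2, "| verify ok:", verify("1234", h1))
```

Running it shows the two halves of the argument side by side: the policy check refuses 1234 on length, blocklist and character-class grounds, and the reuse report shows alice and bob collapsing onto one SHA-1 digest while the same password salted twice yields two unrelated strings that still verify.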

No, you cannot do that.. The workers will revolt and we will lose productivity Sonny Jim! That would affect the bottom line..

ZOMG You INFOSEC Weenies Are MISSING THE POINT!

Ok, so, it happened. LinkedIN handled it exceedingly poorly, and there is a great cry upon the internets over it all. People were tweeting and blogging, exhorting users to CHANGE THEIR PASSWORDS on LinkedIN but were failing to give a more nuanced warning.

“Uhhh, but, LI wasn’t sure they were hacked, how they were hacked, or IF they were still hacked!”

GO NOW! CHANGE YOUR PASSWORDS!

But, what about the whole password re-use thing? Any mention of that? Or that if you change your password, it may yet again be leaked because they may still be hacked?

*crickets*

Yup, bang up job people.

The real point for me is this salient fact: LinkedIN and other companies like Sony have shown time and again, they DON’T CARE about YOUR data. Always remember this people. So, you want an account on these places, then you best make a throwaway pass and limit your data on the sites that host it. Otherwise, there will be a compromise like this one and not only your data there, but elsewhere (if you re-use or iterate) will be up for the taking.

What this also means is that business in general doesn’t get it, nor care to, and this is the most important point.

Either we demand they all do better or we just let them carry on leaking our data.

Written by Krypt3ia

2012/06/10 at 11:15

Posted in EPIC FAIL, Hacking, Infosec

FLAME ON!: Cry Havoc! and Let Loose The Dogs of Cyberdouchery.


POTUS Has Dialed Into The W.O.P.P.R.

Scene: POTUS stands silhouetted in the doorway of the SITROOM looking intently at a small tablet screen. Around him his cyber generals sit shifting uncomfortably from time to time in the long pregnant pause.

POTUS: “Clarke, so, you say this is the only way that we can get into and destroy their capability?”

Clarke: “yes” he says lugubriously

POTUS: “Well then, let’s send them the stick.. Someone will be stupid enough to plug it in”

Scene: The generals all rise and leave single file out the door falling into the darkness of the hallway in the bowels of the White House. POTUS looks up at Clarke who is fixing his one black leather glove.

POTUS: “You know, if this goes wrong we’ll just blame it on Israel right?”

Clarke: “That contingency has already been taken care of, I have primed the veep… He’ll F-bomb that shit like a Tourette’s patient off his meds”

POTUS: “God love that crazy mick”

Cut scene: Screen goes dark

Stuxies Midnight Emissions

Well, it’s been a crazy week or so in the news cycle. With the revelations that POTUS personally had a hand in the destruction of Iranian nuclear centrifuges with malware, the floodgates of stupid have opened up and we have a wave as high as the biblical one that wiped the earth clean of people (if you believe that kind of crap). Since this came to light in the NY Times, we have had all sorts of characters pontificating on the subject. Everyone has their opinion and unfortunately, all of them mean nothing to anyone of note because the real decisions of state have already been made haven’t they? Onward we will sally forth though, with vigorous words on how we are the pre-eminent power on earth and how we are blessed by God him/her/itself and looking back be damned. We had the coders and we had the will so we did it.

Now, don’t get me wrong, I agree with the end result of the Stuxnet malware itself. I think though we could have been more subtle and manipulated their product instead of just causing the centrifuges to eat themselves, but, that is another story. No, we did what I think was a nice little piece of work against a regime that is unstable enough to do more with nuclear weapons than just stockpile them. Frankly, one way or another, Iran will eventually get the nuclear bomb, but, we seem to have slowed them down a bit at the very least with this attack. Or, I should say, did slow them down, for a little while. Now though, after this report in the Times and the non-attributable crowing of the administration that was behind it, attributing themselves as the culprits, I think that Iran will just redouble their efforts on this issue as well as the development of Stuxnet II “This Time It’s Personal” as the movie poster will declare.

Nope, for me the issue I have with all of this is that the admin is using this as a cudgel to win an election. This and this alone is the bone of contention I have with POTUS and company. A POTUS that ostensibly is SOOOOOO upset over leakers and prosecutes them to the fullest of the law.. That is, until it serves their personal or political needs that is. I find it comical now that there are calls in the senate to investigate the “leaks and leakers” within the White House who talked to Sanger about their digital derring-do. All you really need to do Mr. Senator is walk up to 1600 Pennsylvania Ave and knock on the Oval Office door. You can find the leaker there I can assure you.

Hubris, thy name is “Politician”

Politics, Pedantry, and Hucksterism

So, there you have it, we created Stuxnet with much secrecy, so much secrecy that it got leaked to the New York Times! Well, not so much leaked as much as planted in the Times by the spinmeisters as a political programme on us all to sway our vote. The Times story is rife with allegory on how the admin was taking care with this operation and that they wanted as little collateral damage as possible. The program was tested on an analogous testbed with equipment that we got from Libya, the results of which were the destroyed remains of the centrifuges, all was in preparation. All we then needed to do was get an asset on the ground to plug in a USB stick and voilà! Instant PWNAGE!

I’m sure there will be a full length feature film soon and it will be fueled by the leaks that this Times article and subsequent book were as well. Do you suppose they will be filming at Ft. Meade? Will Mike Hayden make a guest appearance? We all want to know! Suffice to say, that the media, the pundits and the other nations of the world will be taking note and working out their responses to all of the revelations from POTUS and company. For me though, my response is already quite clear…

“We’re fucked”

This whole escapade was ruined by the need of the admin to tattle on itself. I personally highly doubt that this was leaked by one person and all by themselves outing a whole clandestine operation. No, this was a political move, one that will I think, have some blowback on us all. Some will make the argument that the US wanted the Iranians to know, so we could be the “Babe Ruth” pointing at the backfield as if to say “That’s right muthafuckers… We are the shit and we will fuck you up.” I do not subscribe to that being the case as a tactic, hell, Biden then throws the Israelis under the bus twice in that article! It was the equivalent of verbal chaff and anyone with half a brain can see that.

“Well we did this because we wanted to settle the Israelis down, or they would have gone in hot”

Uhh yeah, nice way to say we did it “only because we had to”

Say, didn’t I see an ad by you offering a sweet price on a bridge somewhere?

Tell the truth, you wanted this out on that particular Friday because the jobs numbers were EPIC SUCK ok? Just please, admit it! C’mon, somewhere in your addled minds you know you want to tell the truth sometime!

FLAME ON YOU CRAZY DIAMOND!

Meanwhile, the FLAME debacle came into focus. An uber malware designed in the future by mad scientists and SKYNET with an 18 meg LUA decoder! This little gem has been perfectly timed to coincide with the STUXNET. Well, maybe, since it was Eugene Kaspersky ringing the bell on this one, perhaps not. However, the FLAME seems to be all about stealing every conceivable piece of data it can get its hands on. It was a well run operation that has been going on since at least 2010 and bears the hallmarks of an intelligence agency running it. The use of cutout accounts with multiple names and locations as well as payment schemes shows that it wasn’t just Joe botnet herder. No, this one also was nation state most likely, but whose?

More importantly, how many of you out there would like to take odds on just when POTUS will leak the details of how we did this one to the Times? Takers? Anyone? C’mon I can bet bitcoins! Aww shucks… Guess you are all too smart and know that soon enough we will be reading about this “super secret black operation” in the papers. Even today more facts have come out of the reverse engineers saying that FLAME has a novel MD5 attack that has been known about since 2008 was it?

“oooh sekret”

Be assured, that the FLAME will burn on as will the stupid around it from all sides.. Media.. Pundits…Politicians.. Malware vendors… I don’t care if FLAME is LAME, I only care that this escalation is getting out of proportion and those running the programs are leaking the details to effect their political efforts.

Let’s CYBER Like It’s 1999

Now on to the word “CYBER” and its unfortunate tagging with “WAR” right after it. I have railed against this word for some time now but even with the best of my efforts, the douchery abounds. In fact, the douchery seems to know NO bounds frankly. I remember a time when CYBER was only followed by SEX and really wish it would just go back to being that. Instead, we now have doctrine being written for “Cyberspace” and plans being made to militarize it all. All the while though not many really understand the space or the technology that they want to “CYBER” in! I can smell the fail now and it smells of cheap political and capitalist cologne.

Aside from the nomenclature issues here, I feel like others I have seen, that this has all been one giant mistake. We have opened “Pandora’s Box” as Mikko put it, and we are not ready for the consequences. I am damn sure that our infrastructure isn’t, never mind the people and companies that run and own it all. Try getting all of these players to secure their shit even on a microcosmic scale and you will see my pain. We in the business have known all too well that too many times within the mental calculus that management makes, security is a lesser understood or cared about concern over the bottom line in the world of black ink in the books.

So, my prognosis for this patient is “you’re fucked” but, with the caveat that we have been for a long long time. Will all the antics with the declaration of “CYBERWAR” by the Obama administration really make a difference in the tempo of battle already ongoing? Will nation states and others speed up their efforts to bring down parts of our grid? To what end? What are we producing that is equivalent to a small vector like Natanz and nuclear fuel? I guess what I am asking is, just what are the odds of the first great CYBERWAR being brought to our digital shores? Can I expect to turn on the light switch soon to find that there is no power?

Or even worse… Will they STUXNET Apple’s facilities so the kiddies can’t get their new shiny MacBooks?

OH THE HUMANITY!

I guess this is all being mapped out, kinda like the PROJECT X that plans on mapping the whole of the internet.. So they can attack it. Time will tell I suppose, but, in the meantime, your douche forecast is for a high probability of douchery at levels never before seen. So wear your rubbers kids.

We’re Doomed

But seriously, I think that we are doomed. Not the kind of doom where the world will end in a zombie apocalypse though. Hell, I would love to have that instead of what we are going to get. Instead we will have more stupidity, more controls being placed on the internet, and a slew of half baked ideas that will only serve to make us all more constrained in our daily affairs online. Oh, and we will also live every day more in fear that some nation state, corporation, or crazy group of terrorists, will attempt to destroy something in our infrastructure…

Because they can and feel the need to.

Welcome to the CYBERWARS! Please keep all hands and feet inside the ride at all times.

Barf bags will be available for fifty cents at the ride’s end.

K.

 

Written by Krypt3ia

2012/06/08 at 17:08