Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for July 2012

Psychopathy Tweets: Too Much Statistics, Not Enough Proof of Concept

with 2 comments

On Sunday, Defcon 20 had a talk that I had previously written about, on the idea of using statistical analysis of word use to determine psychopathy in individuals online. As I sat through the talk and steadily watched people get up and leave, I had the urge to walk away as well. However, I had a mission, and that was to confirm whether there was any evidence that would say to me this was a viable means of detection for psychopaths.

What I came out with, after many slides of numbers, was “nope, not really,” which is pretty much what I had thought before. There are just too many variables to this type of venture, and you would, in the end, need to have a trained psychoanalyst talk to the individual to determine whether or not they are a true psychopath.

Sorry Sugg.. It was an interesting idea, and I am wondering just where this will go if the author of the original paper tries to expand upon this process. You see, for this to work online at all, the trained individual would have to chat with the “patient” or “UNSUB,” as the case may be, asking specific questions to elicit responses. See, that would work I think, but it is a manual process, not a big data solution. So, while it was an interesting trip into what psychopathy is and possibly how to spot it in word use, it was a failed experiment in my book.

Now, another twist on this idea might be to take the transcripts of Anonymous and other IRC chats and wash those through your program… There’s a lot going on there mentally and it might show some traits, but are they really suffering from some sort of psychiatric illness, or are they just maladjusted? This has been something I have written about before, and the vernacular used, as well as the mindset that seems to be prevalent, warrants some looking at perhaps.

Maybe next year?

Overall though, I surely hope that the governments and law enforcement bodies out there do not take up this idea and begin to mine people’s chat logs for psychopathy.

*shudder*

Ding Dong! It’s the forensic psychiatrist.. We saw your tweets and thought we’d have a chat? What? These cops? They’re just here to visit too!

K.

Written by Krypt3ia

2012/07/31 at 04:17

Defcon Grows Up and Gets Recruited As An Asset…

with 3 comments

I came to Defcon this year as it turned 20, and after much had changed on the world stage regarding our business (INFOSEC/Pentesting/Dev/SECOPS), much remained the same. What has really changed though, and could be seen at this anniversary year, was just how much our antics and interests were now the new “hotness” to the government and the military. Never before had the NSA had a booth at our conference, but this year they were there with recruiting in mind, and that is a big change.

However, you may be saying to yourself right about now, “Uhh, but this has been going on a while, not just now.” Well, yes, it has, but what I noticed at this last con was that it’s not all about the tech; this year it was also about the recruitment of human assets who would give “intelligence” to players like the NSA. No more are they just looking for programs and programmers, but also seeking to make connections with people who have connections. You see, as Shawn Henry said, as well as General Alexander, “we need you to keep an eye out and tell us if you see something.” What I heard was the equivalent of the “if you see something, say something” that the TSA has plastered at airports.

This is an important paradigm that we all need to be aware of. With the advent of Anonymous and Stuxnet as well as the nascent idea of the internet becoming a “digital nation state” we all have to be mindful that while the technologies out there are a commodity, so too are we in the great game of cold war intelligence and cyber war. We are the commodity that makes the new exploit as well as being the HUMINT asset that intelligence agencies need to “collect” with.

Now, while you are pondering that, consider the fact that the “opposition” is also trying to curry favor and recruit us as well…

Yup, that’s right. That party you might be attending might in fact have operators from other countries’ clandestine services too. In fact, that party could even be funded by said agencies and players to get you to chat and perhaps leak meaningful information. Think about it: how many of you out there reading this post work for Fortune 500 companies as security technicians? What kind of data is in your head that might be of use to a foreign operative?

Ponder that as you sip that free drink late in the day. Say, did you know that the Chinese services’ preferred means of gaining intel from visiting professors and the like is to have them over tired and tipsy? It’s true, it’s low level, but it’s been used on many an occasion. You see, once you start talking, you open the door for more rapport building, and then it’s pretty much over. One wonders how many Los Alamos folks had the same treatment on trips to China. Now think about the average Defcon party and the amount of alcohol and sleep deprivation we have going on there.

Just sayin…

So, look at it from that perspective. Now that the NSA has come to the con, just as the FBI and other agencies and security bodies have, so too will the “other guys.” I don’t know how many of you out there come from military or “other” backgrounds where you would have had DSS or counterintelligence training, but I am assuming that a vast majority of the folks attending the cons today do not have that background, especially the younger ones who have only been in the security arena a short time. Pentesters who know SE should be able to easily detect some of the techniques used to recruit an asset and tease out information.. Others, maybe not so much.

So here we are today: APT actors (yes, China being one purveyor of APT attacks) are not only using malware to get into systems but also recruiting sources to help them in their goals. There used to be a time when it really was only the nuclear scientists getting the attention… Today though, everything is fair game; you might make widgets, but that doesn’t mean that someone doesn’t want to know what you know.

Pssst… It’s still espionage kids… And now YOU are part of it because you hold interesting information.

How’s that for some “Threat Intelligence” huh?

Which brings me to the second line of thinking, or topic, that came up this year. The government is asking us to consider more “threat intelligence” and to bring them in the loop. See, right there, they are asking you to be an asset.. Did that occur to you? Of course, I know for the most part you all thought, as I did too, that the idea was a bit silly.

Why?

Because who really has that kind of threat intel program going on today? Hell, we are all pretty much trying to just keep our shit together, right? On average, unless you work for a major company, you may not even have a SIEM or even a Snort instance, right? How are you going to convince your employer that you need that stuff and then, more so, to pass that intel to the government? The only groups I have known to do this are the DIB partners, and they do it because they don’t want to lose contracts with the military.

So now, we would all be assets? All corporations out there, whether they are being attacked by APT or Anonymous, would be reporting their incursions, or attempts at them, to the government? That’s kinda spooky really. This also circles back nicely to the idea that all of us in the INFOSEC community are now collection nodes for SIGINT/HUMINT/MASINT/ELINT, and not many of us have had the training to be analysts.

You see, when you use the words “Threat Intelligence,” this has some context that some may not get right away. It’s not just what IP is hitting us and with what attacks anymore.. It’s about the context around all of that and the attribution that is needed for cyber warfare, or more likely, cyber intelligence operations. I expect to see a lot more of this lobbying going on at all of the cons, as well as more people sidling up to the attendees and asking “so, what’s going on out there?”

For those of you not acquainted with HUMINT and its techniques, I suggest you read “The Art Of Intelligence” by Henry Crumpton and learn… Why? Because that guy you’re talking to at the cool party might just be a PRC case officer…

Interesting times….

K.

Detecting Psychopathy Via Tweets? A Flawed Premise May Present Dire Consequences

with one comment

In contemporary research and clinical practice, Robert D. Hare’s Psychopathy Checklist, Revised (PCL-R) is the psycho-diagnostic tool most commonly used to assess psychopathy.[1] Because an individual’s score may have important consequences for his or her future, and because the potential for harm if the test is used or administered incorrectly is considerable, Hare argues that the test should only be considered valid if administered by a suitably qualified and experienced clinician under controlled and licensed conditions.[2][3] Hare receives royalties on licensed use of the test.[4]

Background Sources:

Wikipedia on PCL-R

Defcon 20 Presentation

Fox News

Forbes

Wired

Science Daily

wmatrix 

Preamble:

A paper and talk being given at Defcon 20 this week has gotten people all worked into a lather within the news arena and has piqued my interest. The talk centers around the premise that one may be able to determine psychopathic traits (psychopathic and sociopathic behaviors) from, of all things, the analysis of tweets. Now, this may be a novel idea to some, and it certainly seems the news has latched onto this, but in the cold hard light of day, this premise has way too many failures to be actually applicable to gaining any insight into anyone’s psyche via Twitter.

In this article I am staking out my contention that this is not a suitable means of diagnostics of this type, and in fact, were it to be followed up on and used, it would lead to bad results and perhaps the labeling of individuals online as “Psychopathic” when they are not the least bit so. As such, this talk may be an inquiry into whether or not this is possible, but had the research been carried out to the extent of reading the materials and their ancillaries, one would quickly come to grips with some salient facts that make this method of detection untenable. As the media hype has already started on this, I think it prudent to speak up on this here and now, as well as write an after piece once I have sat through the talk and had a chance to see exactly what they say they believe possible in the end.

A Flawed Premise:

Having read the original paper by Hancock, Woodworth, and Porter (Hungry like the wolf: A word-pattern analysis of the language of psychopaths), the experiment clearly states that they had chosen a sampling of criminals convicted of murder (various degrees of which) and verbally interviewed them on their crimes. The method of interview was strictly adhered to and was a known and well used process, including blind interpretation (where the interviewer did not collate the data on psychopathy, just transcribed dialog and logged emotional states). Once the transcription was done (including disfluencies *uh and um*), this text was taken and run through wmatrix and other tools to determine the language’s affinities for psychopathy and other mental states. This “text” is actual “dialog” and, as such, is not the same as the “written word” that the speakers at Defcon are going to be assessing in their presentation, and this is a key difference that I am unsure they have taken into account. Writing is affected and not natural to many (i.e. fluid dialog does not come naturally in writing). Add to this that you are talking about the emoting of data/emotion via Twitter at 140 characters at a time AND using quite a bit of word shortening and slang, and the premise of using “language” to determine psyche really falls apart.

A second key point is that the dialogs being used in the original paper are specifically stories of the subjects’ crimes. This was a calculated effort on the part of the psychologists to elicit the emotional states of the subjects in relation to their crimes and their victims. This is a key factor in the determination of the language that the researchers were looking at, and as far as I know, this is not a part of the paper being presented at Defcon, and thus it misses a key data point… making the premise suspect to start.

It is my opinion, just from the differences between the experimental inputs, that unless you have a larger dialectic to work from and a trained set of people to determine not only language, but also emotion (we all know how easy it is to misinterpret an email right?) of the poster, you cannot in any way, shape or form come up with a psychiatric profile, never mind an actual diagnosis, of psychopathy via online content, especially that which is culled from Twitter.

Background Data On PCL-R:

Another factor that I would like to address briefly is the use of the PCL-R test. This test, though it has been around for some time and is used, is still not part of the DSM-V as a preferred diagnostic tool. There are many papers and articles online that do not promote the use of this test as a lock on psychopathy, nor is there really a consensus from DSM to DSM on exactly what psychopathy is. Psychology and psychiatry are more plastic sciences due to the nature of the human brain. So, all of this supposition on trying to quantify an individual from their language written online at 140 characters at a time is being terribly kluged into an ideal. It is important to know the landscape here to understand that nothing is certain, and even a diagnosis of an ailment such as this can be countered by a second opinion from another doctor.

.. And doctors should be involved in any of these experiments online as well. However, the bulk of what I have seen online and read elsewhere, as well as common sense, points me to the fact that even with a lot of online chatter, one must interview the subject in person to determine their illness.

Not All Problems Can be Solved With Big Data and Technical Solutions:

In the end though, I guess my biggest concern is that certain people out there (or government groups) might take this idea of sifting through big data online for such linguistic cues as something to run with. In fact, contextual searches already exist and are often used by agencies to determine where someone might live or have lived, gone to school, etc. by the nature of their writing. In fact, recently on Studio 360 I heard a report of a computer program being created for just such a thing. It, however, was also an AI project to try to get the “Turing” effect to be so acute that a person online would not know the difference between computer and human communication.

Which, brings me to another idea.. When will we see the first “psychopathic” AI out there? But I digress…

It seems to me that more and more we are being collectively mined not only for our habits, but now our emotions as well as our psychological makeups. All of this could potentially be collated from numerous sources (not just out of the context of language but also click behavior, etc.). Remember those days in college when you took Psych 101 and thought the professor was just messing with you and taking notes? Well, I have the same feeling now with the internet in general and the companies and governments using it for contextual purposes.

I doubt though that we will ever be able to contextualize the human psyche just from internet data… And that is where I think this talk is headed… And thus, I had to speak my piece. I will have another post on my thoughts after the talk.. Maybe they can change my mind a bit.

Maybe not.

K.

Written by Krypt3ia

2012/07/25 at 20:14

Throwing Out The Baby With The Bath Water: Dave Aitel’s Approach To INFOSEC

with 6 comments

So yeah, a week or so ago I wrote a piece that, in the end, kinda said I was retiring from the INFOSEC bitch slapping biz for a while. I went away, I began looking at other interests of mine and relaxing, and things were good. Then I saw this article by Dave Aitel, “former computer scientist at NSA,” on the idea that teaching security awareness is useless.

*blink*

Holy WTF? You have gotta be kidding me, I thought and exclaimed out loud! Sure enough though, when I read it, I found myself agog at the idea of tossing awareness out with the bath water like the baby that Dave seems to be making it into, per the old aphorism.

Article here: Why you shouldn’t train employees for security awareness

Dave, how could you be so smart about some things and yet so spectacularly stupid on others, I wonder? I mean, all your other points about protections that should be in place in an environment are right on, though you must realize that many places would need a HUGE re-architecture to follow many of your ideas to fruition, right? So, right there you have a non-starter for many places that indeed would be better suited to having an awareness program.

But I digress…

Look boyo, using APT as your “examples” of why it’s a fool’s errand to teach security awareness to the masses is just a self-serving and exceedingly short-sighted means to your end of selling your services, methinks. APT attacks like the ones you mention are always possible and do happen to many places; however, they are not the only thing coming in waves at the employees of the world. There are plenty of other attacks, including the SE attacks you speak of. All of these could be lessened in effectiveness, and the attackers denied the day, “if” the employees are trained (a key word here: trained, not for 4 hours, not one day, but repeatedly on these issues). You don’t send a kid to school to get a diploma in a day, do you? No, you send them to 8 friggin years of school to get that diploma and maybe 4 – 8 more for a real education. See the analogy there Dave?

You train employees not only to avoid clicking on links or suspect emails, Dave, but you also teach them good ethics, as well as security hygiene that will make your environment just that much better over time. The cumulative effect will help you secure the environment and, in tandem with your technical means, make it all the better. This idea of just chucking awareness in the trash heap is useless and, more than that, a dangerous idea you are selling to CSOs and CIOs who may not be as security savvy as they should be, man, and in my book, you are now really treading closely to the “charlatan” status page on Attrition.org.

What’s your next idea man? Outsource security to say India?

Look Dave, I know it’s a dog eat dog world out there today, but really, cutting this cost as a sales pitch in CSO magazine? And such an epically bad idea too? Geez, I mean I thought BYOD was a bad idea, but it seems you would advocate not only that, but also that you don’t demand that the end user devices be scanned for malware too, huh? Security awareness is a process, and human nature, as I have written about here before, is a hard thing to control, but without at least trying, you are opening up just another avenue of attack even with mitigations like the ones you pose in your article. What’s even more egregious is that you seem to think that awareness costs a lot of money? What? In DIB partners I have been in, you just have the security team teach the recurring sessions as well as intakes. Then you have recurring online training that is done in house; it’s really not a bank breaker, man. So, who the hell is spending gobs of money on it anyway if they are smart about it, and if they are doing it at all?

See, that’s the other thing Dave, many places AREN’T doing it to start with. This is why people are so click happy as well as liable to just hand over a password! So here you are advocating that we dispense with it all because it is a foregone conclusion that the APT is gonna get us all in the end.

Dave, it’s time to smell the coffee and wake up.

Awareness training should be a staple of every environment, and the awareness of the end user is important to stop attacks. I have personally seen it work in environments under my control. Will it stop every attack? No, but neither will all of the technical controls you are offering to sell to those who might be reading this quack article of yours.

Go back to your corner and put on the pointy hat Dave… You’re not “aware” enough to make these kinds of great prognostications and claims.

K.


Written by Krypt3ia

2012/07/20 at 12:31

Posted in Infosec


Roosters and Owls

with 4 comments

It is prophesied that when the end comes, it will come in darkness: a catastrophe all foresaw but few believed. Most of us will battle too late against the chaos, but not the few, the radical few, who obey no discipline. Unencumbered by conscience, they prepare ruthlessly pursuing their own preservation. If they survive, the rest of us perish.

Frank Black; MilleniuM

rbqvck li lai emhyb gn zk, rwkufgprf xp kpw trlk, efv C sf wgydb pwzr oe xzw gawhyi xzbz gba.

Roosters and Owls

Lately I have been quiet. My reasons for being mostly quiet stem from the fact that I just feel there is little to be said that would be heard or be of use. We have rushed headlong into the silliness of cyber war, and the media, as well as the government and military, have capitalized on it all incessantly. Pundits write about how we need to take control of the situation and that there are many players *cough Iran cough* that need attending to, and since big O decided to let the digital cat out of the bag, well, we best get moving. Others take a more reasoned approach on the issues and warn that it’s not as bad as you might think, but it could easily go very sideways if we don’t pay attention to what we are up to. Frankly though, the cacophony in the news media and blogosphere just tends to be amplification modules within the great and grand echo chamber, and it makes me just want to step away.

The title of “Roosters and Owls” comes from a favorite TV show of mine from the late 90’s called “MilleniuM.” In it, the protagonist, Frank Black, is a part of a shadowy group called the Millennium Group. Later episodes came to a head when there were two factions within the group at war with each other. The “Roosters” believed that the apocalypse was coming, and soon, while the “Owls” believed, as the quote under the ouroboros says, that it is “Still dark of night,” meaning that it is not yet the apocalypse, and stood for a reasoned approach. I feel that much the same kind of thinking is going on today with regard to cyber warfare. We have people like Dick Clarke making many sound bites about how we are just totally fucked, while others like Jeff Carr have a more moderate voice. In the end though, I see Clarke more than I see Carr on the television or on the radio, and thus I think that the roosters are winning the day, and this worries me.

Added to this is the echo chamber that is the internet. Not only is the internet the source of all the trouble (i.e. the hacking and cyber warfare being carried out), but it is also the biggest and best source of not only good information but bad. It is up to the viewer to choose the veracity levels that they feel appropriate to so much of the content online, but unfortunately all too many people just believe that if it’s on Wikipedia, then it’s true. So we have lobbying going on between factions, and all too often the roosters are the ones being heard crowing in the early morning, with their cry that the apocalypse is upon us, our water supply has been hacked, our power grid is a spider’s thread away from utter collapse, and you, you my friend, are about to be plunged back into a lifestyle that is more akin to a zombie apocalypse than 21st century living.

All of this, all of the hopelessness of it, as I see it, just makes me want to shake my head and walk away. Let the roosters and owls fight it out as I just sit back in my lair waiting for the end. For surely, they will be the arbiters of the apocalypse that they all are so fervently talking about. It’s a feedback loop and they are busily fueling the engines, like the coal shovelers on the Titanic. It’s full steam ahead, and it’s progress.

Bollocks.

“We are racing toward an apocalypse of our own creation”

Drones, Malware, Hackbacks, Counter-Strikes. Sock Puppets, and Wholesale Invasion of Privacy

So here we are… The technology has allowed the governments of the world to exploit it. Those being exploited: us. Drones have been approved for domestic surveillance use, and talk of hacking back against aggressors has started being advocated for private companies, never mind the US government and military. We have citizens, and amorphous (alleged) groups like Anonymous, hacking anything and anyone because they feel that they can and should, and we have the government watching us all increasingly more and more with technologies that can slurp down all of our packets and inspect them for, well, whatever they like under the current mandates of the law, with impunity.

We have created and are rapidly creating even more of a digital and privacy apocalypse of our own creation…

When will it end? Will it ever really end? Often lately I have looked on and wondered about the cyclical nature of the whole thing and thought “why bother?” Why bother creating malware or seeking zero days? Human nature of course is to be inquisitive so there is that, but, it seems rather rapacious now and not driven solely by the inquisitive nature that we all have. No, there seems to be more avarice involved and a darker side. We are doing this all to ourselves and we are allowing it all to be carried over and codified by the governments of the world as a means of control and power. We have no one else but ourselves to blame really. Until such time as we can collectively grow up, we will be saddled with this sad state of affairs from the legal to the corporate to the governmental aspects of our digital nightmares.

I guess the real question is how long we have before this just goes beyond control altogether. Will it be when the first true AI is born in the digital soup and decides that it needs to free itself of us to truly be free and sentient? (I know, many a movie has been based on this trope.) Will it be when we finally destroy the system with our own machinations? Or better yet, when we actually go to kinetic world war over poorly attributed attacks on infrastructure, like in the dreams of Mr. Clarke (assumed) that he sees pass nightly in front of his lidded eyes? I don’t know; I don’t have a time machine, nor am I in the plot of “Inception.” However, I suspect that all of this will come to no greater good. It will not feed the hungry or stop the decay of our global systems of weather and life itself.

We are monkeys with a new iPad and we are just completely focused on pressing the big red button in hopes a banana will pop out somewhere…

Ingressus Tenebris

In the end, I am finding it all very tedious and worrying. I think that our collective time could be better spent reading a classic work of literature or helping the sick and homeless.. Instead I look at the usual traffic of the Twitberger-afflicted on my feed and see the same thing hour upon hour, day upon day. Misinformation, frivolous arguments, and the endless sales pitches for the new whizz bang appliance that will save us all from the Red Chinese…

So, I am going away for a while.. I will pass in and out, mind you, as I can take it, but overall, this is all counterproductive. It’s time to just focus on things that really matter and what I can really have an effect on…

Ciao.

K.

Written by Krypt3ia

2012/07/11 at 17:22

Posted in .gov, .mil