Archive for January 2014
ASSESSMENT: JIHADIST FORUMS; IT’S A TRAP!
Preface:
A connection passed me this little missive from a jihadist board this morning and I couldn’t pass this one up to write about. The poster is a fairly new one (Nov 2013 started his acct) and he is writing about how the jihadist boards have pretty much turned into security services traps online to break the brothers’ jihad. While much of the post is pedantic there is a core of truth to what the guy is saying no matter how poorly he writes about it. The fact of the matter is that many of the sites out there have always been poorly secured as well as subject to not only agent provocateur attacks but DDoS as well. Khaled wants to not only warn about the insecurity around much of the boards but also proposes new means to protect the brothers from being captured. While he lacks any real technical specifics here he is alluding to issues that they do have and he half understands. In all, an interesting read and I thought it would be for you all as well. Please forgive some of the crudity of the translation as I am not fluent yet in Arabic (written specifically) but I think I worked it down to the gist of it.
Paste: http://pastebin.com/B7Qa7nsh
Translation:
Khaled Musli writes….
In the name of God the Merciful Peace and blessings be upon His Messengers and his family and followed them until the Day of religion.
Triangle of terror in the forums is :
The forum hosting company where members write and do not know of the security apparatus follows!!
The forums were a blessing and a gift of God Almighty to see religion and belief and the search for news of the Mujahideen in the squares jihadist turned to tyranny under the hammers and the plight of a curse and a means to discredit and handcuff and restrict votes and hands ! It’s the same traps that were previously exercised .. But this time it electronically ! What is the saddest technology while turning into a weapon , however, and the darkness of tyrants and enemies !
But before then :
Jihadist forums , the story of excitement and crying at the same time! Soul-searching on the other, and the journey of self-affirmation with others.
The Islamic index launched all models Brotherhood and mystic , etc. .. Then came the jihadist forums.. The number does not exceed the fingers of one hand , it was a new phenomenon on the Internet audience! Where he became a man feels that he reveal what is inside without supervision or control , was expressing his faith and exactitude of the Lord by denying him the reality and the environment!
This Phenomenon was attractive , especially as it allows you to call yourself names new sail where the character of (different) about the real personality ! (aliases)
A new way started from the point of expression to the point of promoting thought and ideology then came fake masks (users) from other countries and intelligence and security apparatus’ After this massive development witnessed by the jihadist forums during Alsnouattalmadih there had to be a careful and accurate study of this phenomenon which is now affecting the Muslims in our country especially the Islamic and even the media ! !
The jihadist forums evolved so dramatically in recent years where development and there has been a growth in diversity and subtraction and expansion in the Internet audience in them. This development was most exciting and its transformation into a media spreads in alleys of the scientists of truth and quacks, and unknowns both naive and smart good and bad. The intelligence and the bad guys have been the hunted and hunter !
The forums spread the word of jihadist Almzakah , and thereby helped by programs to provide forums and ease of hosting and installation appeared to separate the wheat from the chaff but soon this began deteriorating , back to a lack of creativity and underdevelopment about the reality of the nation in all its details in these forums ! !
There were several people in the doctrines of the label :
Itzmy, his real name or a part of his real name ( and this is very rare ) and some Itzmy loved loved their character or were influenced by him and on behalf of some specific code or loved admire him or battle or incident or event or history or geography ! Some names Itzmy intellectual of the names of groups to the currents of ideas to beliefs ! But behind these names were hiding and a variety of different personalities all share in wearing masks made available to it forums !
When he woke up the other party :
Then evolved phenomenon where the forums became the largest gathering of spying and surveillance helped in that this rush is limited and non-formal and informal sectors of the large numbers of oppressed peoples and thought it a good opportunity to unload their repressed thoughts and feelings from all these years of injustice and tyranny …oppression and tyranny !
The reason for this is that the phenomenon made it a breeding ground for Investigation and Intelligence in the Arab world. I realized that these gatherings can be exploited for certain goals by opposition groups whatever the quality of the opposition the victim went so young and the needy and were duped !
It Was a trap :
After the ( jihadist forums ) were knocked off on top of the world’s attention and communication to the public Internet encouraged in people a kind of technical yearning and longing began which broke the restrictions and isolation and Retention of intellectual thoughts and feelings for many segments of Arab society that had been restricted for decades.
Evolution subtraction qualitative in forums, and take character media purely in the recent period , became the local media global following with interest what poses in these forums, news , articles, analyzes and information materials , and raising it interesting and exciting is the exploitation of various groups of these forums for the dissemination of data and statements and files audio and video , was a chance of life opportunities that will not be repeated ! Especially jihadist groups that are active in many countries .
This increased the ferocity of the conflict groups are active in the media and promotion of the ideology and goals of the State and the security services are trying to reduce this phenomenon which is in fact the reason for media restrictions on these groups !
They did not benefit from all attempts at blocking and destruction and closure to these forums and sites though and it was not necessary to plan more intelligent and more effective means ! The plan then was ( electronic fishing ) which is about security issues growing and multiplying living in the forums and negatively affecting the governments.
The mission of this campaign was to set a trap for the electronic owners who promote a particular ideology or without their media machine to a disseminate their ideas.
Electronic fishing plan :
The plan was as follows (according to visualize the conflict that is happening in the forums, which I am following and still do for a long time ) the idea is to visualize imaginary and not necessary to be literally it all revolves around this department and within this framework.
These are set up within the Department of Internal security services to monitor and participate in these forums are a group of security agents ( or recruit active in the forums ) that have a good cultural understanding and the ability to understand the forums and dialogues and ideas of these jihadi groups .
These groups are divided into small teams , each band has a specific role and a specific play :
For example, ( under cover agents ) as role supporters in these groups to give ideas and establish relationships with these members ! !
( agent provocateurs ), a group of others who do the opposite role of attacking the ideas and these groups in a provocative way to agitate ! ! !
The elements ( under cover agents ) register under the names of forums are closer to the ideology of these groups in order to notify the other party that they are close to them ! ! These start writing topics (posts) that advocate these groups ideas/ideologies to fool (put to sleep or fool) the other party to these topics and fool them all ! ! !
They start side correspondences by mail and messenger until the rhythm of the prey to the network ! ! !
The ( agent provocateurs ) whereupon register the names of the exact opposite or normal , and you subtract topics provoke the other party and try to reply to topics and raising the other end !
I do not mind the exchange of roles between two opinions , and do not mind a game of cat and mouse between two opinions ! ! !
In the sense that both the teams are playing a game direction and the opposite direction ! ! The other party is watching and watching , and perhaps fools trick and tends to the party who supported !
Of course , this plan is a plan that I mentioned several of the plans pursued by the security forces in the forums ! There are ways and methods more dangerous .
Forums owners in the dark :
Do the forums and owners play an important role in this fierce conflict ? !
And why are other jihadist forums not being prosecuted and shut down ? !
Technically you could see the members and where are they? ! (poor opsec)
There is no doubt that the owners of jihadist forums are between rock and the hard place about member security services ! ! Members are trying to hide their identities , and the security services are trying to get information from the owners of these forums for members !
The quality of these forums are (vB/phpBB) which are the largest percentage of Arab forums and are the most insecure because these forums know the number of the entry of the member or the so-called IP address ( a unique number to the Internet in which you can know which country you enter including the member or visitor) These can be seen through additional software that shows the access number (IP) and the specified complete information and not just the state.
IP addresses can be traced but not always as there are numbers entering hidden (proxies and TOR) and are therefore difficult to follow. But with the development of spyware it has become possible to be done to access the phone which has been used to get on the site and therefore know who the owner of the phone is and arrest him .
Of course this site has your mail lists and add them also the nature of the posts and the responses and some of the words that fall from the member inadvertently and they can go through it all to figure out who writes the posts .
Of course , there are many ways to hide the real information browsing , but the majority don’t know how to.
From this point, cooperated some forums that claim to advocate jihad falsely with the security services in order to provide information for those members , and this is what explains the survival of some forums that claim to advocate Mujahideen falsely published scandals and write the spectrum of the opposition , remained these forums is blocked and non- prosecution ! ! !
Malice and cunning develops when :
Prepared by the security and intelligence plan, the most insidious of these, because the jihadi forums sincere did not respond to their requests , and they have established a private forum, new , and have been promoting it to attract members from another forum , has put a smart plan commissioned by some members left threads against them in order to attract other parties .
There are forums known to follow the security services or they collaborating with them! ! There is no need to mention names , but they are known to attendees of the forums.
Hosting companies accused of the biggest security problems :
Where the role of hosting companies in this fray ? !
Hosting companies play a serious role and important role in this conflict , and the hosting company is a company that holds files and data on its website ( servers ) which computers are intended to put the sites .
Attackers can see and open and watch databases , and can know the numbers to access the site , and know of any states walk , and knows all the passwords and data members , and you know the number entering false or not!
All these factors make hosting companies play an important role in this battle, electronic , and therefore are trying to stay away from forums hosting companies Arabic! Being located under the control of the state they are in. !
However this does not mean that the hosting companies the best of America ! ! Now there is a law that allows the Office of the FBI to enter on any server hosting company to search for specific information ! This has happened several times to major sites !
Third-party invisibility :
Jihadi forums are trying to protect their members and are trying to escape from the grip of security intelligence , to put its companies away from corporate America and the Arab , such as the European companies , or Russian or Chinese or Malaysian , etc.
And many sites have succeeded in this, and there are some people disappeared from the world of the net, because he did not find a suitable hosting company has its reservation !
There is continuous monitoring of all the jihadist forums , both of Arab security services or of Jews themselves! (don’t forget me too 😉 )
There are many other sites tasked with monitoring the sites and forums where Arab and positions and what he writes , and this is part of a global scheme to follow up on all matters relating to anti- occupation ,
Crusader Zionist hegemony and arrogance . And speech in this long technically and media .
As about the ability of the security forces in the Arab countries to prosecute tens of thousands of attendees and break forums , it is also thought by some that they have a miraculous power that they can follow each person and follow every word and character! Despite the evolution of technology and the presence of all the requirements for it , but not to this extent , there is a general framework to move and there are filters ( filters technique ) are certain of which focus on groups without the other ! (NSA programs no doubt)
How does one fall prey in the net ? !
After creating the overall atmosphere at the level of the forums and the level of individuals , begins a plan to arrest cyber dissidents , and begins the process of gathering the spoils in the forums that have been the focus on them.
There are many styles of plots within the security plan ( electronic fishing ) for catching prey and these methods are divided into two sections:
First: the technical methods
Secondly, methods of mankind ( by handling )
It is technical methods :
1 – the theft of the e-mail
2 – planting spyware on your machine
3 – access to your screen and real name ; who writes in the forums and stealing and writing through it.
4 – to be a forum in which he writes is originally belonging to the security and intelligence services
5 – to break into his computer via messenger or an email , and get all the files ! aka hacking ( In the absence of protection software on the device )
Methods of human :
1 – Trying to bribe him by writing topics supports the idea and opinion , and thus created a friendly relationship up to Instant , then chatting on Messenger , then communicate the sensory and the meeting , and spoke of the disaster here !
2 – Posting certain topics glorifying and praising thought to bait the brothers
3 – Continuous communication via private messages and e-mail in order to strengthen the relationship and development.
4 – Get the addresses of the other victim , and thus expanding the circle of victims. (making connections)
5 – Providing any assistance to him in order to gain affection and confidence , and providing false information in order to manipulate it .
All of these methods and many others , followed by the adversaries within the security plan for the implementation of a comprehensive plan inside the jihadi forums which are expressing their opposition to the intellectual and practical for any system or state .
Many Colorful masks and face of one :
The most dangerous thing in this matter and this plan is a game of multiple masks ! The sense of how to be a captain in the intelligence and security services and at the same time a member of one of the jihadi groups ! It is the process of distortion of the party in order to achieve the objectives of the hidden benefit of the first party. (aka it’s hard to be an agent provocateur!)
This is what should be what the jihadist forums pay attention to and understand well when going into dialogues on jihadist forums .
Forums conflict and war forums took great dimension while wearing a turban Maguethohmah intelligence captain for the appearance and Mufti Sheikh Naseer jihad and the mujahideen , or vice versa !
It was expected to evolve conflict to this point having stepped up jihadist groups and their presence on the net, the forums in particular are the point of the media work and the address of Sheikh Ayman al-Zawahiri Media jihadist began to communicate strongly among its members attempt to circumvent the limitations of reality and movement.
The security services began a new attempt to penetrate these groups and control them by distorting the work of jihad and started electronic detection cells that spread in the forums !
Electronic mechanism of action plan :
I started to plan the new electronic security and it is:
1 – Cell formation and fake jihadist forums task specific data dissemination promotion and promote ideas distort the image of jihad and the mujahideen , or an image of the other. (DISINFORMATION)
2 – The team must responded to and disseminate data to encourage them to generate a stream of support and advocacy for the emergence of a strong appearance !
3 – Creating the case of adverse reaction to the visitors through a crude way of asking and barbaric ideas and beliefs and statements such as atonement. This is what you want the security of this plan to be .
The plan is very easy and can be applied with ease examples are well known and the data easy to formulate. The method of dialogue and atonement are available, the technical possibilities exist but these ideas must be spread dramatically
The strongest example of this is the multiple data released from several destinations in the bombings in Sharm el Sheikh ! Data for each group claiming to be made from it! ! No one knows anything about the other group ! (DISINFORMATION)
Long talk about this axis , and there is information difficult to talk about and write , but it’s much broader than that , and the danger lies in changing the minds and ways of thinking to the public net, it is the process of laundering organization of the minds and ideas , involving everyone!
There is no end :
Forums war or conflict to exist in jihadist forums will not stop and will not end , because the technical means available to everyone in the complete absence of freedom and unloading shipments of oppression and injustice , will remain gatherings knock on her exercise of this right for the delivery of her voice.
The greatest danger lies not in this right to these gatherings , but lies in the transformation of this arena to ( traps electronic ) to the rhythm of this prey weak and convert the arena to a new prison , prosecutions and follow-up informants and wiretaps and spying and the practice of the worst methods of distortion and deception !
It’s the same traps that were previously exercised .. But this time it electronically ! What is the saddest technology while turning into a weapon , however, and the darkness of tyrants and enemies !
Moved interest
Hur eye , conformist God, claiming well for the owner of this review good .
ANALYSIS:
While Khaled wishes to have real dialogue out there on these forums he is worried that the security services and the NSA have pwn3d them all. He also worries that infighting within the groups has not helped and believes (perhaps rightly) that there are agent provocateurs on the sites sowing dissent as one team, and then another playing the good cop to the bad and gathering intel on users. He implores the brothers to learn more about the security around these sites as well as to take a serious look at who is hosting their sites to start. He references the FBI as being able to seize servers and peek into them while they are active (like they did with SR and SRII) and posits that the brothers need to start managing their domain access better though he does not offer a solution other than locating them in countries outside the US. Khaled is also worried about the revelations from Snowden it seems though he does not reference him directly. He speaks about hacking against the brothers being carried out through (phishing) but also larger plans of social engineering and espionage tactics by the local security services as well as others like the US. He then offers an idea of creating their own DISINFORMATION campaigns by creating fake cells and sites to draw the law off of their other more secret sites that have been secured. Overall though he sees that the internet has given this gift to the jihadis of being able to talk to each other and evangelize online and is upset that it is being perverted by the LEOs in order to break their spirits and their jihad.
While I agree that there is a lot of what Khaled is describing going on out there, I also think that the jihadis do it to themselves quite a bit as well, shooting themselves in the foot so to speak. The infighting and squabbles on these boards are like watching an Arabic 4chan argument sometimes. There are certainly more stringent rules regarding actions on the jihadi boards but all in all they too are seen backbiting each other at times like adolescent school girls on a playground. The issue though as I see it is that primarily these sites have always been insecure and easy to prey upon as Khaled says. Most of these sites are filled just with those who want to spew their thoughts in a place where like minds prevail and to advocate for the proselytizing of others to become shahid. While these sites do harbour solid intelligence it is usually only over actors and their connections, rarely actual data on plans that will be put into action. Until such time as a newly secured and closely watched jihadi board shows up in the darknet or completely inside a private network somewhere I find these sites to be more amusement than anything else of intelligence value. This makes Khaled’s concerns all the more amusing as he is so fervent in his writing here.
K.
ASSESSMENT: Insider Threats, Espionage Recruitment and Psychological Profiling
Insider Threat SNOWDEN:
The insider threat has always been and always will be the bigger of the threats, or so the aphorism goes. In reality it certainly seems to be the case in the Snowden affair and the NSA is still stinging from it as I write this. Snowden leveraged his administrative access where he could and used technical and social means as well to gather the information and access he wanted to exfiltrate out of Ft. Meade. Since Snowden was so successful and the NSA and IC have been blindsided by the ease of the attack and their stunning lack of controls, the government and IC have been rethinking their security around insider threats. Since much of today’s technology allows for ease of access and people tend to be the weakest link in the security chain (on average) the NSA is looking to more proactive controls against this type of exploit. Since they failed logically and technically to stop an insider attack I assume that they are in a real bind trying to assert control over not only the data they house but also the custodians of that data and architecture as well.
The Insider Threat Has Always Been The Largest:
Since the dawn of time the insider threat has always been a go-to, if possible, in waging war against anyone. The Trojan Horse for example is the greatest use of the “insider” by placing outsiders inside and making the opposition the method of their own doom. Insiders though are commonly traitors or spies (sleeper or other) inserted or bought to work for the opposition to gain access inside the confines of the sanctum. In the case of hacking and digital malfeasance this oftentimes takes the shape of an insider who feels they have been wronged in some way and either steals IP or destroys operations within a company or org to cause great damage. What has come to light though over the years and now has been brought to the fore are the psychological and social cues or traits that make a person more likely to be an insider threat.
In the case of espionage the recruitment of spies really is the tale of an insider threat. What makes someone become an asset for a service like the CIA? Within the IC (CIA) a lot of time was spent on the psychology of recruitment and handling of assets. MICE was the standard by which the CIA handled recruitment and handling up until recently when a new paradigm was put forth (RASCLS) which is much more reciprocal instead of just carrot and stick. Where all of this touches on insider threats though in the common vernacular of INFOSEC is where the motivation lies for someone’s actions. In a paper put out recently called “Inside the Mind of An Insider” the focus is on technologists and insider attacks that they have or may carry out and their personal motivations as well as proclivities to do so within the tech sector. I however would assert that this take is only a sub header within the larger umbrella of motivations and actions that an insider, whether or not they are a spy or just an aggravated tech worker, would have or carry out.
In the paper (cited above in picture at top) the writers lay out the “six characteristics” that coincidentally make up much of the same ideals and motivations that you will find in a recruitable asset within the IC sphere. In fact, I would assert as well that if in fact Snowden were at all contacted by an outside security service to do what he did, these motivations would have been leveraged within him as well. What it all comes down to is human nature. We are all subject to wants and desires as well as feelings of being under appreciated or not appreciated at all in our daily lives. This makes anyone potentially an insider whether they self activate or are handled by someone.
Countermeasures And Technologies:
The NSA though has been working on some technical means of detection and deterrence of an insider attack where other logical means have failed. These consist of programs that monitor behaviour patterns of users and access as well as, I can only assume, their outside activities such as internet access, browsing, and comments on sites. Can such programs really detect accurately the mind of a person and their motivations to lock down on them as a potential threat? I am sure that the technology is getting much better at this heuristic behaviour detection, but I don’t think it will be infallible. I also suspect that it will mark people as bad actors when in fact they may never even entertain the thought of actually carrying out some plan against the NSA or whatever company that might employ such tech. I would also assume that the people at the NSA will be undergoing more frequent and rigorous Poly sessions as well as perhaps psychological profiling which does not bode well for many I think who want to feel as though they are part of a team. Generally the job is stressful enough when you cannot talk about anything you do and are always fearing that you might slip at some point and give away information that you shouldn’t. The psychological stress of cleared life is hard and this will all just make it a little harder in the post Snowden world.
ANALYSIS:
Whether you call it an “insider threat” or a spy, saboteur, or insurgent the same psychology applies. People are motivated by things that are personal to them: desires they have for money, power, or fame as well as a myriad of other reasons for their actions. To attempt to detect and deter this activity will be quite the undertaking and hard enough in the classified world. Now imagine that you are not a cleared individual but instead a corporate employee; how are you going to feel about such activities and programs attempting to tell whether or not you might turn on the company and damage their servers? I somehow doubt that many corporations will undertake the threat modelling here for insider threats as seriously as the NSA but I can see where some might want some insight. We already have things like Websense and IDS/IPS/SIEM tech that follows traffic but with the advent of the likes of Facebook, how long will it be until they offer a service that tracks users’ behaviour and sells it to your security department? If companies are sufficiently worried about their insider threats then they will begin profiling and putting in countermeasures.
Welcome to the brave new world…
K.
ASSESSMENT: PARASTOO/DarkPassenger
PARASTOO پرستو :
I got a tweet today about some data sitting on cryptome.org that got me thinking about this “group” again so I did some more digging online on them (him). The name of the “group” is Parastoo (پرستو Farsi) which means Swallow or bird. In the last year this guy (yes I think it’s literally one deranged person) had been active on at least two .ir sites that dealt with security and hacking and then started his own domains to ostensibly carry out cyber war against Israel and attempt to leverage the IAEA and others. So far all of the alleged hacks and data dumps that I have seen have not impressed and the data itself seems to be from systems that they “think” are important but in reality they are not. Specifically of late there are threats concerning CIA plots and diatribes that read like Lulzsec on methamphetamine and Ketamine at the same time. This guy really has quite the beautiful and large tinfoil hat and he wants us all to know about it in no uncertain terms. It is interesting to read between the lines in a stylographic way how the writer here seems to be molding their communiques in the manner of Zodiac, with a third-person approach that intones more than one person and that this is a group. By using “Parastoo is speaking” they come very close to the “This is Zodiac Speaking” which attempted to portray power and induce fear. It is also interesting to note the language used in the emails is of a nature that implies a good grasp of English as well as a flair for the overly dramatic which does not lend credence to the threats that they imply. In fact the reading I take away, and seemingly the press as well, is that of someone either trying too hard to be Anonymous or smacks of outright trolling.
DarkPassenger:
In tracing the domains for parastoo.ir and hacker4hire.ir I came across a defunct site (RCE.ir) which was a PHBB site that is now offline live but is archived in a couple of places as well as Google caches. When searches for “Parastoo” were used a clear link to a user on the RCE.ir site came up and that user was “DarkPassenger” who posted often on the site not only about hacking tutorials, tools, and the like but also dropped many links to government sites in the US and talked about conspiratorial things in nearly every posting. The DarkPassenger’s favorite saying or ahorism in each posting was “de nobis ipsis silemus” which is taken from the Baconian epigraph to the first Critique and translates to “on ourselves we are silent” which is ironic for all the commentary that DarkPassenger is putting out there that speaks to his state of mind. The DarkPassenger is also a fan of TV and movies and can be tracked to other .ir sites but generally from the first searches, does not have a lot out there under this account name to go much further (at present writing) to say who he may be in real life. DarkPassenger though does seem to have quite a bit of time on his hands and some technical capabilities though. Much of the data however that he and Parastoo post though is really just OSINT that anyone capable could carry out. In fact in one post (DP) talks about OSINT while laying out informatics on a military organizations email addresses and contact list so he is in fact versed in the ways of OSINT collection. A key factor to the link I am making between the Parastoo and DP is that he uses the “EXPECT US” cutline in many of his posts as well and seems rather enamoured with the idea that he is in fact an Anon and that bent of conspiracy and overarching plots infuses the majority of his postings online.
Parastoo.ir, hacker4hire.ir & RCE.ir:
The postings claiming hacks, as well as those that rave on, claim that DP had set up a couple of domains for “attacks” on the outside world from the .ir domain. These domains are registered by what I assume is a cutout name of zohre sajadian, which coincidentally was also used for the RCE.ir site. All sites are currently down and in fact I cannot locate any content for the hacker4hire.ir or parastoo.ir sites respectively. The only one that did have active content for a while was the RCE.ir address. This site was up for quite some time but was insecure and much of the content was not that interesting. It is of note though that the domain registrations all line up, and there seems to be some overlap in email hosting between a .ru address and the chmail.ir site (that address is verified as being real). The information for the address as well as the name of the holder seems to be just made up. In fact the address cannot exist because there is no intersection of Felestin Street with Johmoori. A cursory look at the name used, Zohre Sajadian, also comes up with some hits, but they seem to be unrelated at this time to the sites and their registration, so mostly this is a dead end I think.
Alleged Hacks & Anonymous Rhetoric:
So far in my searching I have not found much out there to support any large hacks of data or dumps thereof that show this “group” has done what they claim overall, aside from news stories (few in fact) that claim Parastoo made off with “sensitive” information on nuclear systems and facilities. However, the data that they claim to have taken, and that was admitted to by IHS Inc., is all of a nature that can be purchased from the web or has been published already in the past. The only real sensitive information that may have been breached was credit card information that may have resided on those servers that were compromised. So while Parastoo makes grandiose claims of important hacks and data leaks, thus far, when really investigated, they have yet to make a major hit on anything of real import. Since the sites have gone dormant or offline as well, it has yet to be determined what else they may be working on or have compromised, but if you look at the rhetoric from their pastebin posts as well as the alleged emails on Cryptome one becomes a bit jaundiced and must take everything they say with a large grain of salt. Another factor to remember is that even drawings like the one at the top of this post are often available to anyone on the internet, either through insecure or misconfigured servers or because the data is in fact meant to be open to the public. This is a paradigm I have learned about recently in looking into the OSINT on nuclear facilities and systems. So these dumps of information are not what the attackers think they are, because they are unacquainted with the data and its secrecy or lack thereof.
ANALYSIS:
The final analysis of the “Parastoo” group is that in reality it is at least one person (DarkPassenger) who wants to make a statement on Israel and nukes with a fixation on the IAEA and DOE. While some pastes in the pastebin list seem to have actual data from systems that are externally facing to the internet (DOE for one), the majority of the data seems to be half-understood misinformation being spewed to garner attention. As the Anonymous model has been let out of the bottle, so to speak, post Lulzsec, there are many who would aspire to their level of reputation and attention, and these dumps are an attempt to attract it. Of course the problem with the Anonymous model of operation is that anyone can take on the mantle and claim to be an Anon or a group of them to effect whatever outcome they seek (mostly attention), so it is oftentimes hard to take groups like this seriously until such time as they dump hard data onto the internet for all to see. In the case of Parastoo none of this is evident and as such I categorize (him/them) as a non-threat actor on the larger stage of geopolitics and information warfare at this time.
K
ASSESSMENT: The Lampeduza Republic Organizational Structure
The Lampeduza Republic:
The Lampeduza Republic is a collective of carders which has its base of founders primarily in the Baltic states. You may be familiar with this name and the group through Brian Krebs’s work on the Target breach of 2013. The Lampeduza came into existence circa 2011 (Creation Date: 2011-06-01T16:54:41Z) as a follow-up to other sites that had shut down, but with the creation of this one the creators also covered all the bases with mirrors on other servers and domain names. What makes this site different from the rest of the carder arcology is that this group is exceedingly hierarchical and structured themselves after the constructs of Roman rule. As the main player who seems to be involved per Brian, Rescator (aka Hellkern), has a penchant for games as well as hacking and carding, it seems only fitting that he has a STEAM account and a love for ROME II (All Out War). It is my contention that he and others within his clan perhaps began this whole escapade after playing ROME II together and grew to love the idea of being powerful “Senatus” or, dare I say, even Caesars?
Organizational Structure:
The Lampeduza Republic (Lampeduza rei publicae) took its structure from the old Roman rule as I said above, and within this classicist format they have the following categories of “citizens”:
- Caesar — monarch of the Lampeduza Republic.
- Consul — highest public official, the head of executive & administrative authority, the head of the Senate.
- Senator — highest governmental authority of the Lampeduza Republic Senate.
- Praetores — highest public official, Republic arbitrator.
- Legatus — messenger of the Republic Senate, legion leader. The Senate assigns the title to the most devoted Republic warriors who have shown themselves to good advantage.
- Quaestores — assistant of the Republic Senate. Treasurer, assessor, the one responsible for payments to contractors. Posts all the decisions, resolutions & laws of the Senate and Caesar’s ordinances.
- Primus Pilus — ranked highest in the Centurio legion. Has shown himself to good advantage for a long period of time. Literally the first rank. Has the right to assign himself two assistants (Centurios).
- Centurio — warrior who has recommended himself to good advantage and has a decent reputation amongst colleagues. Has the right to assign himself two assistants (Optios).
- Optio — assistant of the Centurio. Chosen by the Centurio among his warriors. The title can be assigned by the Republic Senate, without the Centurio’s petition, to anyone standing out sharply against the background. Has the right to assign himself one assistant (Tesserarius).
- Tesserarius — assistant of the Optio. Obligated to organize security & password transitions. A Republic of Lampeduza army career starts with the Tesserarius title.
- Censor — title assigned by default to a forum moderator, invited by the Senate for observing compliance with the Republic constitution. A moderator having a title of the Lampeduza Republic is allowed to indicate it in his status.
- Legionarius — citizen of the Lampeduza Republic, lucky passport owner.
Whether or not the actual group functions in a strict regimental way remains to be proven, but the general idea is followed through on from what I can see. Looking at caches of pages, it seems like the inner group of progenitors consists of Consul Octavian (Caesar), Senator Severa, Senator Tiberiy, and Senator Flavius. The Caesar is named as “Octavian”; as it happens, there is a site, Octavian.su, which is now defunct. This may account for who was the progenitorus primus in the Lampeduza universe, and to date no one has really looked at this Octavian as much as at Rescator. My question becomes: who is Octavian? Is Octavian just another user ID for Rescator? Or is this someone else altogether? Additionally, you can see how Rescator has moved up the ranks on the site as time has gone on, from Legatus to Praetor, all from meeting notes, as it were, on the site itself. Additionally, the role of Tiberius Caesar seems to have its laurel wreath squarely upon Tiberiy, a name that to date really hasn’t been mentioned in the stories around the Target heist.
The Senate of Lampeduza:
Senate of the Lampeduza Republic: Consul Octavian, Senator Severa, Senator Tiberiy, Senator Flavius, considering the petition of the Centurio Pompei, Primus Pilus DJ CRACK, Quaestores Trayan, have decided:
I. Magistrate the following:
– Octavian – Caesar pro tempore, the Consul & the head of the Republic Senate
– Rescator – Praetores of the Lampeduza Republic, assign the Legatus title
– Trayan – Guarantor of the Lampeduza Republic, assign the Quaestores title
II. Assign the Primus Pilus title of the Lampeduza Republic
DJ CRACK – Primus Pilus of the Republic, province Censor
Blaster – Primus Pilus of the Republic, province Censor
III. Assign the Centurio title of the Lampeduza Republic
Pompei – Centurio of the Republic
rfcid – Centurio of the Republic
goldminer – Centurio of the Republic
-=SGA=- – Centurio of the Republic, province Censor
St.Patrick – Centurio of the Republic
Mesr – Centurio of the Republic
greystone – Centurio of the Republic
powerseller – Centurio of the Republic
Search – Centurio of the Republic
Шаман – Centurio of the Republic
j.p.morgan – Centurio of the Republic
True Partners – Centurio of the Republic
alphadog – Centurio of the Republic
risk25 – Centurio of the Republic
IV. Assign the Optio title of the Lampeduza Republic
TaoBao – Optio of the Republic
jimy – Optio of the Republic
fff3fff – Optio of the Republic
himik – Optio of the Republic
PapaRed – Optio of the Republic
Septimiy – Optio of the Republic
Avidiy – Optio of the Republic
V. Assign the Tesserarius title of the Lampeduza Republic
bissone – Tesserarius of the Republic
liberral – Tesserarius of the Republic
SENATE DATA:
So the main players here are the following;
Senatus now Tiberius Caesar Tiberiy
Praetor Rescator Legatus of the Lampeduza
ANALYSIS:
While Brian has actual screenshots of Rescator (a lover, it seems, of old French films about pirates) talking about BlackPOS and the shuttling of card data, there is certainly more than one player here in the Lampeduza universe. Given the love of the Roman structure of governance, it actually made for a most interesting game of looking at who was in fact in charge and the overall makeup of the organization. I have not really taken any kind of real look at the other players on an OSINT level, but I am sure that once that is done it will be a bit more enlightening as to who these guys are. It is my theory that they are all gamers who played quite a bit of ROME II (Total War) and aspire to be the new Romanus Civilis of the digital age. It also kind of fits with Russian/Ukrainian tastes on a societal level. The other part of the puzzle is whether these guys were just the procurement specialists and others actually carried out the hack, or whether it was all of them, in their structured and regimented organization, that carried off not only the hack but also the brokering of the card data, reaping all the financial rewards as a new Rome should?
Meanwhile Rescator (aka Hellkern) surely had the technical chops to code some of the software as well. His online profile as Hellkern dates much further back, with hacks and code that seem to include a worm that made the rounds circa 2009. He’s been around, but so too has Ree4, who for all intents and purposes seems to have been the one who modified the memory scraper tech and made it what it is today, at least in a proto form. Did Rescator go the next steps and get it to be the application that bypassed AV and was what was used on Target and the others? Ostensibly the FBI, as well as Brian, has shown that the software was up for sale for six thousand dollars, and obviously that price was paid. Just who made the changes? We still aren’t sure as far as solid evidence goes, but it seems from what Brian has found concerning OPSEC failures on the part of Rescator/Hellkern that he surely had something to do with it. The collective, though, is the thing for me.
Who else is there and who are they in real life?
K.
mlal qh xzvp ttdqdm xof fgrowuqd
ASSESSMENT: DPRK Networks and CNO Capacities
DPRK INTERNET AND INTRANET:
As the DPRK under Kim Jong Un has been poking the global bear lately with threatening faxes, I thought it was time to re-approach the CNE/CNO/CNA capabilities that they have and gut-check them against the hype in the news cycle. As there has been talk of cyber attacks allegedly carried out by the DPRK against at least the South, one has to wonder just what kind of connection the North actually has to the global internet. As it turns out the DPRK has a class B (175.45.176.0 – 175.45.179.255) address space that is ostensibly outwardly facing to the global internet. Inside the country, though, the fiber intranet is closed off from the external internet for the most part, save for those eleets deemed important enough to have it. The gateways for this internet connection are sourced out to the Chinese mainland (China Unicom / Star JV / Loxley Pac) and are most likely located in southern China. This however has not stopped certain people actually downloading from Bittorrent this last year, so we know that a certain number of people do have access that goes to the internet directly from Pyongyang, which was a bit of a surprise for me at first; but then you look at the small area they are coming from and you see it is a very small subset of people accessing the net to pirate movies. The masses who have access to a computer are relegated to the Kwangmyong network, which they can only access through the “Red Star OS” that the DPRK has specially made for them to use. This intranet is, from all reports, more like a BBS than the internet and consists of very little content and certainly not anything revolutionary (both technically and literally). I have downloaded a copy of Red Star and will be putting it in a sandbox to play with and report on at a later date.
Pirating:
- The official North Korean governmental portal Naenara at: http://www.naenara.com.kp
- Committee for Cultural Relations with Foreign Countries at: http://www.friend.com.kp
- Korea Education Fund at: http://www.koredufund.org.kp
- Korean Central News Agency at: http://www.kcna.kp
- Korea Elderly Care Fund at: http://www.korelcfund.org.kp
- Rodong Sinmun newspaper at: http://www.rodong.rep.kp
- Voice of Korea at: http://www.vok.rep.kp
- : http://www.ksf.com.kp
- Air Koryo, a North Korean flying service, at: http://www.airkoryo.com.kp
- Pyongyang Film Festival at: http://www.korfilm.com.kp
- Pyongyang Broadcasting Station at: http://www.gnu.rep.kp
DPRK Internet Accessible sites:
Uriminzokkiri a facebook like service located outside of the DPRK zone
uriminzokkiri.com WHOIS
DPRK CNO, CNA & CNE:
There seems to be some cognitive dissonance concerning the capabilities of the DPRK where network warfare is concerned. As seen below in the two snippets of articles, either they have nothing much in place because they are focusing more on nuclear technologies, or they are creating a master group of hackers to attack the US and South Korea. I for one think that the truth lies somewhere in the middle, in that I know that fiber has been laid and that the eleet and the military both have access to the internet for their own purposes. That the connection is routed through a satellite ostensibly (mostly) shows just how disconnected the regime wants to be to ensure their power consolidation. Though there is a single “internet cafe” in Pyongyang, it must be noted that it only serves network traffic to the intranet that they have created. I have to wonder, though, whether somewhere within that infrastructure lie unknown dark spots where the government may not have as much control as they would like.
On the topic of cyber capabilities, the report said North Korea probably has a military computer network operations capability. North Korea may view computer network operations as an appealing platform from which to collect intelligence, the report added, and the nation has been implicated since 2009 in cyberattacks ranging from computer network exploitation to distributed denial of service attacks.
In assessing North Korea’s security situation, the report said, “North Korea continues to fall behind the rising power of its regional neighbors, creating a widening military disparity and fueling its commitment to improving asymmetric and strategic deterrent capabilities as the primary guarantor of regime survival.”
Tensions on the Korean Peninsula have grown as relations between North and South Korea worsen, the report noted. North Korea has portrayed South Korea and the United States as constant threats to North Korea’s sovereignty in a probable attempt to legitimize the Kim family rule, its draconian internal control mechanisms and existing strategies, the report said.
“The regime’s greatest security concern is opposition from within,” the report added, “and outside forces taking advantage of internal instability to topple the regime and achieve unification of the Korean Peninsula.”
North Korea seeks recognition as an equal and legitimate international player and recognized nuclear power and seeks to normalize its diplomatic relations with the Western world and pursue economic recovery and prosperity, the report said.
“[North Korea’s] rhetoric suggests the regime at this time is unlikely to pursue this second goal at the expense of the primary goal of pursuing its nuclear and missile capabilities,” the report added.
North Korea has the highest percentage of military personnel in relation to population of any nation in the world, with approximately 40 enlisted soldiers per 1000 people, with a considerable impact on the budget of the country. Don’t forget also that North Korea has capabilities that also include chemical and biological weapons. A defector has declared that North Korea has increased its cyber warfare unit to a staff of 3,000 people and it is massively training its young prodigies to become professional hackers.
The large cyber force responds directly to the command of the country’s top intelligence agency, the General Reconnaissance Bureau. Last year satellite photos were published on the internet of the area suspected to host North Korea’s ‘No. 91 Office’, a unit based in the Mangkyungdae district of Pyongyang dedicated to computer hacking; its existence was revealed in a seminar on cyber terror in Seoul.
According to the revelation of Army General James Thurman, the commander of US Forces Korea, the government of Pyongyang is massively investing in cyber warfare capabilities, recruiting and forming highly skilled teams of hackers to be engaged in offensive cyber operations against hostile governments and in cyber espionage activities.
On more than one occasion North Korea has threatened the South, promising waves of attacks, and the cyber offensive option is the most plausible considering the advantages in terms of efficiency, noise and political impact.
North Korea’s electronic warfare capabilities are second only to Russia and the United States…
Increasing concerns on cyber warfare capabilities of the North Korea
So when the question of CNO/CNA/CNE comes up with many here in the rest of the world, it is all pretty much a guess as to what the answer truly is. Of course I would love to know what the NSA knows about that internal infrastructure. I suppose that the NSA, with all of the revelations of late, probably has (or had) entrée into the intranet from hardware that had been spiked with surveillance tech. Overall the picture from using nmap and other technologies shows that the infrastructure, from the outside looking in and without backdoor access to China Netcom systems, is pretty blank from an information warfare perspective. The sites that are sitting out there live are flat, but if one were to r00t one, what would the ACLs be like, one wonders. The DPRK has spent a lot of time hardening and walling themselves off, but nothing is ever 100% secure. With all the talk about their DD0S attacks against S. Korea, though, and the bank hack (2013), there have been some leaks that lead us to believe that they do use that .kp IP space for access to their malware C&Cs. In the case of the bank hack this last year the malware was, surprisingly, beaconing to an IP within their internet-facing space. For the most part, though, the attacks that have been perpetrated by the DPRK have been through proxy addresses (S. China etc.) so as to have some plausible deniability. So, short of some leaking of intelligence on the DPRK and their internal fiber networks, it’s pretty much still a black hole, or maybe, more apropos, a giant darknet of their own, and we cannot see inside.
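As an added example (not code from the post), the check below derives the CIDR block covering the .kp range quoted earlier and runs it over a few constructed firewall log lines to flag flows whose destination falls inside that space, the kind of beaconing the bank-hack sentence describes; the log format and the sample addresses are assumptions.

```python
import ipaddress
import re

# The .kp address range as quoted in the post (start and end addresses).
KP_RANGE_START = ipaddress.ip_address("175.45.176.0")
KP_RANGE_END = ipaddress.ip_address("175.45.179.255")


def kp_networks():
    """Collapse the start/end pair into the minimal list of CIDR blocks.

    summarize_address_range() yields a single /22 for this pair, which is a
    quick sanity check on how large the advertised space actually is."""
    return list(ipaddress.summarize_address_range(KP_RANGE_START, KP_RANGE_END))


# Constructed sample lines in an assumed "timestamp src dst port" firewall
# format; these are not real logs, only shaped like ones a perimeter device
# might emit. 175.45.180.3 sits just outside the /22 and must not be flagged.
SAMPLE_LOG = """\
2013-03-20T09:14:02Z 10.1.4.22 175.45.177.12 443
2013-03-20T09:14:05Z 10.1.4.22 93.184.216.34 80
2013-03-20T09:14:09Z 10.1.7.9 175.45.180.3 443
2013-03-20T09:15:11Z 10.1.4.22 175.45.176.1 8080
garbage line that does not parse
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for lines that do not parse
    or carry something that is not an IP address."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
    except ValueError:
        return None


def find_kp_destinations(log_text, networks=None):
    """Return [(timestamp, src, dst)] for flows whose destination lies inside
    the .kp space; unparsable lines are skipped rather than raising."""
    networks = networks or kp_networks()
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, _port = rec
        if any(dst in net for net in networks):
            hits.append((ts, str(src), str(dst)))
    return hits


if __name__ == "__main__":
    print("DPRK CIDR blocks:", [str(n) for n in kp_networks()])
    for hit in find_kp_destinations(SAMPLE_LOG):
        print("beacon candidate:", hit)
```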
中国黑马:
Speaking of darknets, I just wanted to touch on this idea for a bit. One wonders just what CNA/CNO the DPRK might be carrying on with regard to TOR nodes and the use of the darknet. I should think an interesting study might be tracking IPs from Southern China to see where much of that traffic is being routed through TOR nodes. I think that this could be a real untapped subject for study to date. If the eleets have access not only to the internet through INTELSAT/Chinacom and Mac OS X boxes, then perhaps some of them are actually routing traffic through proxies like TOR to cover their own censorship arcology? Can you imagine that Un doesn’t have a high-speed SAT connection through INTELSAT so he can surf unencumbered? What about certain high-ranking intelligence and military people as well? It surprises me that I am not seeing more in the darknet from the DPRK itself as well. Of course this would be, even on TOR or in a proxied hosted system, a dangerous game for anyone having any kind of truth-telling coming directly out of Pyongyang. Still, I would love to see this happen, as well as perhaps some incursion into the intranet by someone adding a rogue SAT feed and a router. Presently I have seen reports about how former DPRK escapees have been smuggling DVDs, net-top PCs and netbooks over the Chinese border and giving them to people. The thrust of this idea is to bring Western movies and media to the DPRK as a subtle form of mental malware. I would push that further and create a new darknet within their dark fiber network.
ANALYSIS:
In the final analysis, the DPRK has connectivity that is very limited in scope and in actual use. The eleet few have access to the outside world while the rest have a very controlled intranet that is full of propaganda and surveillance. When one starts talking about their capabilities for cyber warfare you have to take what is usually said with a grain of salt, or a whole shaker. The fact of the matter is that much is still not known about their capabilities outside of perhaps the NSA and certain people in the IC. From the attacks seen to date we have seen much activity out of China that could also be dual-purpose attacks for the DPRK as well. Since much of their CNA/CNE capabilities and training has come out of (literally) China, one has to assume that not every China hack is just for China or originating from them. For that matter, it is entirely possible that traffic we have all seen coming from S. Korea could in fact be proxied attacks from the DPRK as well, for plausible deniability. My feeling, though, is that the DPRK is still getting its units together and building capacities, and is not a clear and present danger to the world in any kind of cyber warfare scenario. The DPRK uses the aggrieved and angry squeaky-wheel approach to diplomacy cum bullying on the world stage and is not suited for sneaky cyber war just yet. Also consider the fact that if you poll the likes of Crowdstrike or Mandiant you will not see too many (if any at all) attacks or campaigns being attributed to DPRK actions. Now why would that be?
K.
ASSESSMENT: Threat Intelligence and Credit Card Fraud
TARGET:
With the escape of card data and personal data from Target over the holiday season, we have seen an uptick in stories about the underworld of carding. Of course Target is just one large company that has been hit with such attacks, albeit this time the hit scored over 70 million cards and their attendant PII data. As the fallout from the attack itself continues to get reported on, Brian Krebs has been reporting on those behind the scenes offering up the “dumps” for the criminally inclined to buy cards and data in order to create new lines of credit or spend the ones that have been stolen. As time has worn on, and as Target starts to release details of just how inadequate the security on their systems was that allowed this attack to happen from external access to their intranet, one thing has become clear: credit crime is not abating, and the banks and credit companies are either powerless or don’t care to find ways to stop the hacks and dumps from happening in the first place. Target specifically in this instance has done a terrible job of responding to the incident with clients and the street, and now that details are coming out about their internal security issues, they no doubt will be hiring PR firms by the dozen to spin a tale that this was impossible to have stopped.
CARDERS:
In reality the carders live a fairly open existence on the internet in PHP bulletin boards, much like the jihadis do. Their OPSEC is lacking, as Krebs can attest, and in some cases they really don’t care because they live or work in countries where the laws are not as robust and they don’t really fear prosecution. After having been on their sites and looked at caches as well as live data, I can say that the OSINT that Krebs culls is not that hard to perform and that more people should be doing the same thing in order to interdict possible attacks in the future. I would assume that there are personnel tasked to do this from, say, Treasury or the USSS, but the fact that all of this came as such a surprise, and that Krebs broke the story before anyone else, says a lot about the lack of eyeballs on these forums. These guys are living large and often are not that old to begin with. We aren’t talking about old KGB guys now lurking on the net and stealing credit card data to support their plans of world domination. What we are talking about are kids who play Xbox and have a revenue stream that is oftentimes pretty robust, allowing them to do pretty much whatever they want. Of course I suspect that there are ties to Mafiosi of the Russian variety (in this case) as well as in other quarters because, hey, this is just another piece of action, right? What still amazes, though, are the naked operations that these guys carry out day to day that don’t require much else than an ICQ connection and an email address that can be thrown away.
RESCATOR:
In the case of Rescator, though, we have a kind of “Senatus”, as they like to call him on the sites, who seems to have been at this for some time and has amassed an infrastructure to allow for the sale not only of stolen credit card data but also of flooding services and other offerings. In the case of the latest Target affair, Senatus Rescator is most definitely at the forefront of the whole thing. He and others like Flavius are in charge of about 10 or so sites that are transitory at times and are pretty much all bulletin boards explicitly for the trade of credit card data. Now, whether or not Rescator was the main operator behind this hack on Target and others is a question that I cannot answer at the present time. I will say, though, that the conglomerate including those like Flavius and Rescator may in fact form the cabal that ordered up the hack and exfiltration, or perhaps just benefited from the dumps that came to them from the hackers. I lean, though, towards the idea that Rescator and Flavius and others were likely the ones who put this all together, purchased the malware, and got the hired hands to pull it off, if not doing some of the work themselves. That Krebs and others have actually tracked Rescator to a single name and have his personal details shows the lack of OPSEC there, and one hopes that sometime in the near future he will get a knock at the door from Interpol and the USSS/FBI, but that remains to be seen.
LAMPEDUZA, RESCATOR, OCTAVIAN:
Domain ID:GMOREGISTRY-DO27434
Domain Name:RESCATOR.SO
Created On:2013-10-01T07:27:57.0Z
Last Updated On:2013-10-08T06:45:26.0Z
Expiration Date:2015-10-01T23:59:59.0Z
Status:clientTransferProhibited
Status:clientUpdateProhibited
Status:clientDeleteProhibited
Status:serverTransferProhibited
Registrant ID:WN18968955T
Registrant Name:Private Registration
Registrant Organization:rescator.so
Registrant Street1:Rm.804, Sino Centre, Nathan Road,
Registrant City:Kln Hong Kong
Registrant State/Province:Hong Kong
Registrant Postal Code:582-592
Registrant Country:HK
Registrant Phone:+852.23840332
Registrant FAX:+0.0
Registrant Email:rescator.so@domainsproxy.name
Admin ID:WN18968956T
Admin Name:Private Registration
Admin Organization:rescator.so
Admin Street1:Rm.804, Sino Centre, Nathan Road,
Admin City:Kln Hong Kong
Admin State/Province:Hong Kong
Admin Postal Code:582-592
Admin Country:HK
Admin Phone:+852.23840332
Admin FAX:+0.0
Admin Email:rescator.so@domainsproxy.name
Tech ID:WN18968957T
Tech Name:Private Registration
Tech Organization:rescator.so
Tech Street1:Rm.804, Sino Centre, Nathan Road,
Tech City:Kln Hong Kong
Tech State/Province:Hong Kong
Tech Postal Code:582-592
Tech Country:HK
Tech Phone:+852.23840332
Tech FAX:+0.0
Tech Email:rescator.so@domainsproxy.name
Billing ID:WN18968958T
Billing Name:Private Registration
Billing Organization:rescator.so
Billing Street1:Rm.804, Sino Centre, Nathan Road,
Billing City:Kln Hong Kong
Billing State/Province:Hong Kong
Billing Postal Code:582-592
Billing Country:HK
Billing Phone:+852.23840332
Billing FAX:+0.0
Billing Email:rescator.so@domainsproxy.name
Sponsoring Registrar ID:webnic
The sites that Rescator and friends have set up are an arcology on the internet for underground (almost) carding forums. As at the top of the page (see the Maltego map) you can see that they can all be connected together either by registration data or by links to and from one another's domains. One interesting bit is the fact that a couple of the sites were registered out of the Seychelles by “Jeremiah Heisenberg”, who has a checkered past with sites ranging from online poker for bitcoins to outright scams, including takedown notices from the MPAA. It seems that perhaps the nearest thing to a real financial entity that can be found in the intelligence gathering I did today is this company (likely a shell company), which could be a means to an end in laundering funds and cleaning them. Whether or not Rescator and the others are a part of this or are just the mules (so to speak) is the question I still have, and it will take more looking to see. In the end though, this constellation of sites, and their spidering out to many others both on and off of the darkweb, is the primary means for volume trafficking in stolen credit data and PII as well as bank accounts and access to financial institutions. In other words, a real and credible threat.
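One way to do the registration-data pivoting described above in code, as an added example that is not the author's tooling (he used Maltego): a small parser for the key:value WHOIS layouts seen on this page that links domains by a shared registrant street, a non-proxy mailbox, a DNS provider and a registrar, treating the per-domain privacy-proxy mailboxes as only a weak link. Every domain, address and mailbox in the sample records is constructed.

```python
# Added example (not the blog author's tooling): pivot on WHOIS fields to
# cluster related domains. SAMPLE_WHOIS is constructed and only mimics the
# layouts seen above: per-domain privacy-proxy mailboxes, a reused street
# address, a shared DNS provider and an .su-style "nserver:/person:" record.
import re
from collections import defaultdict

# Registrars label the same field differently; fold the variants together.
ALIASES = {"registrant street1": "registrant street", "email address": "registrant email",
           "e-mail": "registrant email", "person": "registrant name", "nserver": "name server"}
MULTI_VALUE = {"name server", "status"}  # keys that legitimately repeat
PRIVACY_NAMES = {"private registration", "private person"}

SAMPLE_WHOIS = {  # constructed records; synthetic domains and values
    "cards-a.example": """\
Registrant Name:Private Registration
Registrant Street1:Suite 1, Example Centre, Sample Road,
Registrant Email:cards-a.example@privacy-proxy.example
Sponsoring Registrar Organization:Example Registrar Ltd
Name Server:PNS1.DNSHOST.EXAMPLE
""",
    "cards-b.example": """\
Registrant Name:Private Registration
Registrant Street1:Suite 1, Example Centre, Sample Road,
Registrant Email:cards-b.example@privacy-proxy.example
Sponsoring Registrar Organization:Example Registrar Ltd
Name Server:NS1.EDGECDN.EXAMPLE
""",
    "cards-c.example": """\
Registrant Name: Jane Roe
Registrant Street: Harbour Plaza 1st floor
Registrant Email: domains@hosting-shell.example
Name Server: ns1.dnshost.example
""",
    "cards-d.example": """\
nserver: ns1.edgecdn.example.
person: Private Person
e-mail: domains@hosting-shell.example
""",
}

def parse_whois(text):
    """Parse raw 'Key: Value' WHOIS text; multi-value keys become lists."""
    fields = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(">>>") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = ALIASES.get(key.strip().lower(), key.strip().lower())
        value = value.strip().rstrip(".").lower()  # drop the trailing dot on nserver hosts
        if value:
            fields[key].append(value)
    return {k: (v if k in MULTI_VALUE else v[0]) for k, v in fields.items()}

def pivots(domain, rec):
    """Yield (strength, kind, value) triples that can tie this domain to others."""
    name = rec.get("registrant name", "")
    if name and name not in PRIVACY_NAMES:
        yield "strong", "registrant name", name
    email = rec.get("registrant email", "")
    if email:
        local, _, provider = email.partition("@")
        # Privacy proxies mint one mailbox per domain (domain@proxy), so only the
        # proxy provider links such records; a real mailbox is a strong link.
        if local == domain:
            yield "weak", "privacy proxy", provider
        else:
            yield "strong", "registrant email", email
    street = rec.get("registrant street", "")
    if street:
        yield "strong", "registrant street", re.sub(r"[\s,]+", " ", street).strip()
    for host in rec.get("name server", []):  # the DNS provider, not the host, links
        yield "weak", "dns provider", ".".join(host.split(".")[-2:])
    registrar = rec.get("sponsoring registrar organization") or rec.get("registrar")
    if registrar:
        yield "weak", "registrar", registrar

def cluster(records):
    """Union domains that share a strong pivot; also return every shared pivot."""
    by_pivot = defaultdict(set)
    for domain, rec in records.items():
        for pivot in pivots(domain, rec):
            by_pivot[pivot].add(domain)
    parent = {d: d for d in records}
    def find(d):  # union-find root lookup with path halving
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d
    links = sorted((p, sorted(ds)) for p, ds in by_pivot.items() if len(ds) > 1)
    for (strength, _, _), domains in links:
        if strength == "strong":  # weak pivots are reported but never merge clusters
            for d in domains[1:]:
                parent[find(d)] = find(domains[0])
    groups = defaultdict(list)
    for d in sorted(records):
        groups[find(d)].append(d)
    return sorted(groups.values()), links

if __name__ == "__main__":
    clusters, links = cluster({d: parse_whois(t) for d, t in SAMPLE_WHOIS.items()})
    for c in clusters:
        print("cluster:", ", ".join(c))
    for (strength, kind, value), doms in links:
        print(f"  {strength:6} {kind:18} {value!r}: {', '.join(doms)}")
```

Run against real output the weak links are where an analyst starts asking questions (same proxy provider, same DNS host, same registrar) and the strong ones are what a Maltego graph would draw as an edge.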
THREAT INTELLIGENCE AND ANALYSIS:
I have been looking into these sites and the players for a little while now and I have to say that with the lack of OPSEC I would think they would be easy targets for takedown. What has been bothering me since I started this odyssey is that companies like Target, as well as the banks out there, lack any true intelligence gathering apparatus to actually monitor these sites and get insight into what is happening. Ok, I know this may sound a little out there to some, and that I am asking for companies and banks specifically to have a working intelligence apparatus, but really, isn’t that the only real way to have a fighting chance here? Had the banks or some firms out there been doing what Krebs has been doing, perhaps this attack would have been at least prepared for a little bit, if not stopped, due to intelligence gathering from these fairly open sites. My analysis, which stemmed from about a day’s worth of looking, backstops Krebs’ data and even goes further, and really, I did not put all that much time into it. Imagine what could be done with the proper analysis and heads up on such POS malware as was plainly for sale and talked about in these forums.
It will be some time until the dust from the Target kerfuffle has settled, but I would like to advocate more HUMINT and OSINT like Krebs has been doing, by analysts either selling this as a service or perhaps in in-house operations that at the very least can spend some time Googling or using Maltego to determine just what is happening out there in these not nearly opaque bulletin boards. As I write this though I am wondering whether or not the simplest answer here is that the banks just don’t care, because in the end the costs will circle back to the clients in the form of fees. This reasoning serves the cognitive dissonance within the financial sector that says it’s not their fault, it’s not your fault, but hell, there is nothing we can do about it. I should think that more proactive approaches to anti-fraud methodologies might be better, but who knows what they are thinking. Overall this kind of crime will continue, both big and small, because the companies make it easy for the criminals to hack them (bad passwords and processes etc.) and the lackadaisical laissez-faire attitude on the part of the credit corporations and banks persists. The real loser though will be the client, who has to deal with bad credit through identity theft, loss of funds that may or may not be guaranteed, and generally being the product for sale by these miscreants.
K.
ASSESSMENT: Edward Snowden KGB Asset
THE SNOWDEN AFFAIR:
Since the revelations began and the man-without-a-country odyssey started, all of our lives have changed at a fundamental level regarding our digital and private lives. The now million-plus document trove is being parsed out by Glenn Greenwald and others for the public to get a look into the inner workings of the state surveillance apparatus, much to the consternation of the IC as well as the government, and to the dismay of the public. However you look upon Mr. Snowden and his choice, you have to admit that the information does lend an insight into the great potential for abuse of the apparatus that the NSA has put together, no matter what they may tell you they are doing or not doing to protect us. You see, the point is that no matter what alleged safeguards and altruism may lie within the apparatus and its employees, it’s still ripe for abuse that will never see the light of day because it’s all classified and codified by the government. This is the point of the exercise as I see it from Mr. Snowden’s point of view and the aegis behind his doing what he did. Of course from day one darker minds would make assertions that there were darker geopolitical machinations at play and this was all just a dastardly plan to destroy us as a country. Of course as the passion play played out it was first China, the go-to country for all our woes of late (APT etc.), but as time wore on and Snowden found a perch in Russia, it’s now “clear” to some in the government that the plot was in fact Russian all along.
KGB ASSET:
Mike Rogers has been the bell ringer on the idea that Snowden from the get go was in fact a handled and groomed asset of a foreign power. His most recent bellowing, without any real evidence, is that Snowden was in fact an asset for Russia from the start and furthermore that all of this was done to damage the US and seek primacy once again on the international stage. Of course, as I mentioned already, Mike cannot offer any evidence and he alludes to the “secrecy” of the data, but in reality until you have proof that you can emphatically state and present to the people it’s all just wild speculation and a form of conspiracy or propaganda in and of itself. While it is possible that Snowden was from the start an asset of the KGB FSB, the evidence thus far for motive, methods, and follow through is somewhat thin and I cannot go on the record as thinking he was handled from the start by Russia or any other nation state. The fact that Snowden ended up in Russia at Sheremetyevo may in fact be because of the machinations of Assange and Wikileaks brokering the deal to get him there and then to get him allowed into the country, not a plan all along. There is more evidence to say that this is in fact the case than there is of any KGB FSB actions.
OCCAM’S RAZOR:
Using the paradigm of “Occam’s Razor” here let’s run through the possibilities on whether or not the claims being made by Mike Rogers and others out there that this was a carefully planned operation that cultivated Ed Snowden to become the largest leaker in history.
- Ed Snowden is a naive individual who became through a sequence of events, an administrator within the IC networks and began to see things he thought were illegal and immoral
- He used his knowledge of hacking and technologies to accumulate data through his own administrative access and social engineering
- Once he saw the data he decided to leak all that he could and after seeing what happened to Manning made a plan to go to a country that in all the spy novels is easy to infiltrate and ex-filtrate out of
- The NSA itself had poor OPSEC and threats from insiders were poorly covered thus making this possible (proven to be the case)
- The NSA could not even keep track of internal access and exploitation (proven to be the case)
- He contacted the press and was turned down by some until he met Greenwald and Poitras who then planned with him how to release the data and to firewall Snowden off
- While in HK it became clear he could not stay there once the NSA/USA/UKUSA and other apparatus began working in the background to extradite him
- Poitras, Greenwald, and then Wikileaks ex-filtrated Snowden out of HK and to Russia where a brokered interim solution of the airport no mans zone was at least possible
- Snowden is a prize for the KGB FSB after the fact, not only from an intelligence perspective but also a political one that thumbs its nose at the US (a win win for Putin)
- Edward Snowden was a carefully orchestrated long term asset of the KGB FSB, trained by them to infiltrate the NSA and then use his domain admin/root access to steal them blind, exploiting their logical and technical vulnerabilities, and then ex-filtrated by them to HK and to Russia as a smoke screen for their own operational cover
- Snowden was handled by the KGB FSB for years while coming up the ranks as an un-credentialed cleared individual, clearly taking advantage of the US’ lax clearance and oversight process post 9/11
- Snowden was in contact with Russia from the start and is a consummate operator, perhaps even a cleverly created cutout sleeper agent
- Once he had gathered all the data, Snowden then passed it to Russia for them to digest and then leak to the world to cover their own operations and shame the US
- Snowden is now a hero of the state in Russia and will get a hero’s treatment with access to all that Russia can offer in the post-Soviet oligarchy (Anna Chapman visits included)
Hmmm is it just me or does the razor only really cut one way?
ANALYSIS:
My take on the whole affair is that Snowden was not a paid/cultivated/handled asset of the KGB FSB, nor do I think that he was aided in any way by Russia in carrying out this leak/exploit. What I do think is that he is naive, but also that what he was seeing, what we are all now seeing today in the news, made him feel that the accumulation of power in a central secret body was anathema to freedom and the American ethos. As we have seen in the news there have been many things that the government has allowed, even shall we say promulgated, that are clearly violations of the US Constitution, no matter the inveigling that might occur by those in power as to its legality. So I for one can see why someone like Snowden might do what he did, outside of his own propensity for spy novels and a sense of right and wrong.
The realities are that no matter the attestations by those running the programs and their need to use them, there is always a chance of their abuse and subsequent burial of the facts through classification and National Security Letters, as we have seen these last years. Were egregious abuses happening and are they still today? I am sure there are some; after all this is nothing new, and all you need do to confirm that is Google “Quis custodiet ipsos custodes?” or look just to recent history with the Plame Affair to see how abuses can and have happened. So is it really beyond the pale for someone with a conscience and perhaps an overactive imagination to think that great wrongs are being committed in all our names? I think that while there may have been no abuses (“may” being the operative word), the capacity for abuse and the infrastructure to hide it are easily seen within the current architecture of the IC apparatus of the NSA and their programs. After all, if you want to ask about the idea that if you have nothing to hide you have nothing to fear, I ask you to tell me just exactly how you feel every time you go through a TSA checkpoint at the airport today.
Finally, I would also like to touch on the idea that the government’s own hubris and now embarrassment is firing the boilers on this whole blame game that Snowden is in fact a handled asset of the Russians. I think that the NSA/USGOV and IC community feel the sting of their inadequacies as they have been laid bare for all to see. You see, Snowden did not carry out some 3l33t hacking here to gather the data. He used common techniques and vulnerabilities within the NSA and other government IC bodies to steal data, put it all on a USB stick and then walk out with it. It’s a simple trick, and the top of that list is actually just socially engineering people for their passwords within the confines of the most secretive and secret IC shops in the world. Now that has to sting a bit, wouldn’t you agree? So there is shame all around here on the part of the government and it puts them all in a weak position tactically. The reactions of all those at play seem to be more along the lines of dialogue from a playground spat rather than state or spycraft, and it’s sad really. As the immortal words of GW Bush can attest:
“There’s an old saying in Tennessee – I know it’s in Texas, probably in Tennessee – that says, fool me once, shame on – shame on you. Fool me – you can’t get fooled again.”
To me, it seems that Snowden just did what he did because of a myriad of reasons that also include a certain amount of self-aggrandizement. However, I can point to things in our own history and to popular media that may explain why someone might do something like this on the grounds that they think it’s illegal, immoral, and against the tenets of the USA. While POTUS is right about how important these types of programs can be in the war on terror and the everyday intelligence gathering that every country needs to survive, it should also be possible to have some level of oversight to prevent abuses of power from happening, and happening with great frequency, due to over-classification. These are fundamental changes that should occur, but the reality is that the very nature of the work being done and the culture within its halls will stop any real progress being made. In the end nothing will change and the NSA will continue to collect all the data it can like a giant hoover-matic for later sorting and use.
Having grown up in the era of Nixon though, and other revelations like Iran Contra, I for one not only know that these things will continue to happen but that they have in the past and should be in our collective consciousness. Unfortunately many do not remember, and the only entrée into such ideas may in fact be cinema… I leave you with this scene from “Three Days of the Condor”
Not everything in cinema is just fantasy…
“scr hrw lgihr kzpzz cwl nci pjwt”
ASSESSMENT: Virtual World Recruitment and Operations of Jihadi’s In WOW
Virtual Worlds vs. The Internet or Darknet:
A recent post on Wired had a bold claim in the title, “U.S. Intel: Osama Bin Laden Avatar Could Recruit Terrorists Online for Centuries”, that made me snort, then giggle, then facepalm. Once again we see that the government has been watching too many Hollywood movies and listening to too many cyber snake oil salesmen. This current regurgitation stems from a newly declassified report that was requested by the IC on virtual worlds and terrorism (aka jihad) and makes some far-fetched assertions about technologies that just aren’t there yet. Presently though we do have the internet, and it can be seen as a virtual world in and of itself, and that is not even covering the idea of darknets. The report though really covers the idea that virtual worlds, i.e. game universes, are the place where jihad will bloom, as well as many sundry other types of illicit activities. While this idea is a common plot for B movies it has not really been the reality within the virtual reality of games like WOW (World of Warcraft). In fact a recent dump from “Snowman” (Ed Snowden) showed how the NSA had teams of individuals trawling WOW and other games seeking terrorists, to little or no avail. Most took this as yet another invasion into the privacy we all thought we had, but some of us just had to laugh because we were in fact also tasked with looking for the AQ set in the same games as well.
So while the government think tankers and scientists were creating this report, others were in fact looking not only in the game environments for secret comms but also within the internet itself. There are many boards online since 2001 that have sprung up and gone away, as I have reported on over the years. The internet is the virtual world today and will likely be it in the future; we will just interface with it a little more organically with things like Google Glass or some other HUD devices. So yes, POTUS and the IC, the terrorists are in the virtual world of the internet, they are just not so much plotting the end of the West in WOW or Second Life. In fact, to date they have yet to really make inroads into the Darknet as well, so really, they aren’t hiding all that much with super secret sites; after all, they have to advertise to get recruits, and this is why they came up with Al-Malahem in the first place.
Jihad Online:
To date the Jihadis have been on the learning curve as to how to leverage the internet. Much of their message gets lost outside of the insular community-scape of their lives as Muslims in the would-be caliphate. Many sites are out there for the jihadis to talk to each other and they are mostly not very secret about them. Sure, there are sites that are a little more stealthy, but in general the web is being used on one level to radicalize and proselytize. On the other end of the spectrum the C&C for Jihad is as easy as setting up an email and using encryption to send instructions back and forth. In fact, they now have chat rooms and programs for some point-to-point chat as well, so really they are learning, but I would hardly say that they are as cyber aware or capable as, say, an Anonymous cell today. I have written a lot over the past 13 years about this topic and investigated many sites, and while it is a threat as a means of communicating and having a command and control base, I have also seen great gaffes in OPSEC as well that lead right back to these notional jihadis (like the IP address of their own system showing up in their tutorial video on how to hack). Sure, the jihad is online, but it is not as Gibsonian as the paper linked above would make it out to be, nor do I think it will be so in the near future.
Virtual Sociology and Psychology:
The paper linked above however is correct in some of its assessments on the future of the internet and the technology that allows us to interface with it. We are creating more and more ways to interface with the data we love to share, and as time goes on we will be more awash in a sea of it every waking moment of the day. This also leads to social and psychological developments in how we act as societies and people as well. I have written about this in the past as well, and while this stuff is interesting, the contentions in the paper are starting to come to pass. There is a section on criminality that we are seeing actually happen in the darknet with places like Silk Road, and all the criminality that seems to be flourishing in the darknet. This is happening now because TOR and the darknet imply that you can actually transact there in secrecy and keep your privacy; this leads to a disinhibition effect that leaves the user thinking they are invincible… Or more to the point invisible. This of course is now being shown not to be completely true with the arrest of The Dread Pirate Roberts (v1) and the take-down of the Silk Road (v1) site in the darknet. All of this too has to be taken into account when trying to kluge the idea that the internet, or more to the point WOW, is going to be the ground zero for terrorism. As the jihadis have seen with their efforts online it is hard to actually recruit and radicalize people simply through slick magazines and slogans, especially when you are asking a Westerner to strap explosives on and kill themselves in the name of jihad. The psychology of interaction when not in person is a problematic one, so yes, the idea of a virtual you interacting in a metaverse, while entertaining, is likely not going to actuate offline behaviour and actions.
What The Government Sees As Future State:
Once again the government and the politicians are getting spoon-fed notions that there is a great dystopia about to take place where William Gibson novels are the reality. There’s a terrorist in every chat room and a dark cyber plot in each packet passed over the net. While once again this makes a great B movie, I have to once more say poppycock! It always amazes me what the government and military types will swallow from some think tanker’s delusion as reality and a clear and present danger. Since we have had the revelations that the NSA did in fact have people trawling in WOW, and I myself was tasked at one point to look into it as well, we can extrapolate that people in power saw this and other like reports as the gospel. It is just an assumption here as well that as the net convergence continues and we begin using wearable computers with HUD interfaces, the government will be seeing more terrorists on every street corner as they are trying to type with their haptic gloves, and it’s sad really.
ASSESSMENT of Jihadist Recruitment and Operations Online & In Virtual Worlds 2001-2014:
The assessment is this: as you see above, there was no real evidence of these games or virtual worlds being used for terrorism. Sure, there is criminality going on, but hey, that happens everywhere and with every technological solution offered. Will there be terrorism on the net in the future? Sure. Are people plotting and planning things online now? Yes. Is it the Gibsonian novel that they seem to be making it out to be in the report linked above? Not so much. As for this notion that the avatar of Bin Laden will be exhorting and recruiting terrorists for a hundred years online and in the game verse? No. While there have been a couple of games put out by jihadis in the past, this has not proved to be something that worked for the masses and brought more to jihad. This notion of the Bin Laden avatar is just ridiculous and quite the one-dimensional approach to thinking about the online world and the nature of the jihad.
K.
ASSESSMENT: Industrial & Nation State Espionage
Espionage & Industrial Espionage:
This case has been spinning up in the news since it hit the net yesterday, but this post raises the question of nation state espionage versus opportunistic theft of data to sell. Clearly this case has yet to be fleshed out completely by the FBI and others, but it seems at first blush that this guy decided to steal information with a motive of selling or trading it for money or other forms of remuneration. In either case though, this is a form of both industrial and nation state espionage by the mere fact that the end location of the data was going to be Iran, a nation state that currently is on many lists for boycott. The major issue here that has yet to be worked out in this particular case is whether or not Mr. Khazaee in fact had a MISRI handler.
Motivations:
When looking at espionage of any kind one has to look at the motivations of the players involved to understand how to classify it. In this case as I said above we do not have a lot of data on the actions of Khazaee save for that he worked for Pratt for a certain number of years and that he was recently laid off by them in August. Here though are the important questions I am asking in light of this arrest:
- Was Khazaee motivated by a need for money? (he filed for bankruptcy)
- Was Khazaee stealing as revenge for being laid off? As I remember this round of layoffs, I think they knew they were going to be let go on a certain date.
- Was Khazaee acting out of an allegiance to Iran?
- Was Khazaee working for SAVAK at all?
- Was Khazaee working for SAVAK for fear of his family still in Iran?
All of these questions being answered will give a good idea of how long he had in fact been taking the documents from Pratt as well as lend an understanding of why exactly he did it. All of these scenarios are possibly reasons that in fact caused Mr. Khazaee to perpetrate the crime. I will say though, that given the circumstances around his history and the slips in OPSEC here that led to his capture (as serendipitous as they may seem) I am thinking that this was more an opportunistic crime than anything else.
ASSESSMENT of Pratt & Whitney Case:
My overall assessment given the information we have to date is the following:
- Khazaee was more than likely acting alone hoping that he could exfil the data to Iran and gain money/job in Iran
- I don’t think Khazaee had a handler here in the US just from the failure of the plan due to his not really hiding the documents very well
- I think notionally he had contacted people in Iran to say he had documents and that he’d like to deal
- Khazaee had MANY signs of being recruit-able and if he was it was missed completely by US security (Pratt/DOD) with regard to clearances
- IF this data was taken from the NON DOD/ITAR areas of the company then there is an access/classification issue on the data
- Physical security needs to start inspecting all bags, boxes, etc at the facilities
- Why didn’t Khazaee take the data electronically on a stick? (mitigations are in place)
Overall I am interested in seeing where this all leads. It is not like the Chinese haven’t already stolen the JSF lock, stock and barrel from hacks in the past (Lockheed), but I guess if Iran had a hand in Khazaee’s actions at the start then they did not want to pay China for it. My sense of this though is that Khazaee not only fell into poor credit and financial ruin but also may have had negative feelings toward UTC/Pratt over being laid off, and that motivated him to attempt to make some easy money. I seriously doubt, from everything I have seen online so far concerning Mr. Khazaee’s personal life, that he was a patriot to Iran to start. As time goes by I am sure we will have more revelations in the news cycle to chew on.
I will say though, with this being the second incident of late for Pratt regarding escapes of data like this, that they will be in the hot seat a bit with the government….
K.
ASSESSMENT: Anonymous Caucasus, Electronic Army of the Caucasus Emirate
Jihad 3.0
The time it seems may be upon us where Anonymous meets Jihad, something I am calling Jihad 3.0 for the moment. Very recently a site has popped up, along with a video, announcing a new Anonymous cell calling itself “Anonymous Caucasus”. They have made a splash by declaring an OP against the Sochi Olympics and the Russian government for crimes against the Caucasus Emirate. Now this is a big deal in the sense that Russia has already been the site of two “Black Widow” suicide bombings before the games have actually started, and this is the first nexus between Anonymous and Jihad.
Think about this for a moment. Anonymous, an idea online, is now being used as a weapon within the Islamic Jihad, ostensibly as an electronic army to backstop the greater jihad. This will no doubt cause some consternation not only to some Anons perhaps but also to the terrorism analysis and warfare set as well. It seems perhaps that Vilayat Dagestan is taking a page from the Syrian playbook here and following the SEA (Syrian Electronic Army) model. Of course one wonders just how much power this group will have in the area of hacking, but in tandem with kinetic attacks and intelligence gathering, this could be a new generation in the GWOT.
Anonymous Caucasus, Electronic Army of the Caucasus Emirate:
(Translated from the Arabic original.) Our message is to the Russian government and to every company that is part of the Sochi Games and puts a single dollar toward holding these games on our land. The land on which the genocide of the Caucasians took place in 1864, where more than one million people were exterminated. Anonymous Caucasus believes that the Sochi Games will be held over more than a million graves of innocent people who died in the genocide. Shame on Russia and on every Caucasian who supports holding those games on the soil of our homeland. Today Anonymous Caucasus has decided to carry out a new operation, Operation PayPackSotchi, the largest operation against the Russian government, and we will wage electronic war on it. Today Anonymous Caucasus is stronger than ever and our activity will be global. We support all the Caucasian nations that stand against Russia and against the enemies of Islam. We will make the Russian government think 1000 times before it decides to do anything on our land. Get out of our land; get out, or we will put you under our feet. If the world forgets the Muslims and Anonymous Caucasus, we will never forget. Our electronic war against Russia will affect all governments and corporate websites that are part of the Sochi Games and part of the fight against Islam. We are always united and never divided, and our actions will prove who we are. Our last attack on the Russian banks was just a joke. We will kill Russia with our successes and bury it with our smile. Our attack will bring the Russian government down to its lowest point and will make the world know who the Caucasians are and who the defenders of Islam are. That day will come soon, as usual, and evil itself will collapse. We will sacrifice ourselves for every free person, and every human being who had nothing will now be full of strength against evil. We are Anonymous Caucasus … We will never forget …. We will never forgive … Expect us
Statement from the Anonymous Caucasus
The above statement is directed toward the Russian government and the Sochi games but really does not say much about what attacks are to come. They mention attacks against banks but little more than “look out, we’re coming for you”, as is often the case with an Anonymous operation. The Arabi here for the most part translated as if it had already been written in English and translated into Arabic, but it seems perhaps that the author is fluent not only in English but also in Russian and Arabic. As announcements go this site is somewhat green, with many functions not yet up for use, but generally it seems they are somewhat serious about not being taken offline (Cloudflare) as well as having the media savvy for a slick video set and graphic design.
Analysis:
Hacking of Kavkazpress.ru site on Vilayat Dagestan site by Anonymous Caucasus
Looking at all of the site data and behind the scenes a bit has been interesting. It seems from the WHOIS data that the links to and from the site (including shared infrastructure such as email) tie Anonymous Caucasus directly to Vilayat Dagestan. Vilayat Dagestan is aligned with Islamism and has ties to Al Qaeda. In fact all of you out there may remember the ties that Tamerlan and Dzhokhar had to the area and ostensibly to the same group when Tamerlan went to the old country to visit. The question then becomes: is this actually an operation funded by Vilayat and the Caucasus Emirate, or is this a smoke screen for some kind of attention and support? Since the sites tie right back to each other with shared infrastructure, it is my opinion that this is in fact an approved operation by Vilayat.
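The pivot described above, shared registrant email, name servers and hosting between two sites, is the kind of infrastructure-overlap check an analyst would script rather than eyeball. The following is an added example, not code from the original post, and every record in it is constructed sample data on placeholder domains (no real WHOIS output, and none of the sites named in the post). It weights the indicators differently because a shared registrant email is a far stronger link than a shared name server, which for a commodity DNS/CDN provider such as Cloudflare is shared by millions of unrelated domains.

```python
"""Infrastructure-overlap pivot over WHOIS-style records (added example).

All records are constructed sample data on placeholder domains; the field
names and weights are assumptions, not any tool's or registry's schema.
"""
from itertools import combinations

# Constructed sample records (placeholder domains, not real WHOIS data).
RECORDS = {
    "cell-site.example": {
        "registrant_email": "contact@mail.example",
        "nameservers": {"ns1.host.example", "ns2.host.example"},
        "ips": {"203.0.113.10"},
    },
    "parent-site.example": {
        "registrant_email": "contact@mail.example",
        "nameservers": {"ns1.host.example", "ns2.host.example"},
        "ips": {"203.0.113.11"},
    },
    "unrelated.example": {
        "registrant_email": "other@elsewhere.example",
        "nameservers": {"ns1.bigdns.example"},
        "ips": {"198.51.100.7"},
    },
}

# Assumed weights: registrant email is the strongest link, a shared hosting
# IP is moderate, a shared name server is weak (large providers are noisy).
WEIGHTS = {"registrant_email": 3, "ips": 2, "nameservers": 1}


def shared_indicators(a, b):
    """Return the indicators two records have in common, keyed by field."""
    shared = {}
    if a["registrant_email"] == b["registrant_email"]:
        shared["registrant_email"] = {a["registrant_email"]}
    for field in ("nameservers", "ips"):
        common = a[field] & b[field]
        if common:
            shared[field] = common
    return shared


def overlap_score(shared):
    """Weighted score: each field with at least one shared value counts once."""
    return sum(WEIGHTS[field] for field in shared)


def find_links(records, threshold=2):
    """Return (domain_a, domain_b, score, shared) for every pair at or above
    threshold, strongest link first. A lone shared name server (score 1)
    falls below the default threshold and is not reported as a link."""
    links = []
    for (dom_a, rec_a), (dom_b, rec_b) in combinations(records.items(), 2):
        shared = shared_indicators(rec_a, rec_b)
        score = overlap_score(shared)
        if score >= threshold:
            links.append((dom_a, dom_b, score, shared))
    links.sort(key=lambda link: -link[2])
    return links


if __name__ == "__main__":
    for dom_a, dom_b, score, shared in find_links(RECORDS):
        print(f"{dom_a} <-> {dom_b}: score {score}, shared {sorted(shared)}")
```

Run as-is it reports a single link between the two placeholder sites (shared registrant email and name servers, no shared IP), and nothing for the third domain; raising the threshold or adjusting the weights is how you tune it against a registrar or CDN that happens to serve everyone.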
These facts, the connections to the Mujahideen and the actual words spoken on the Anon Caucasus video, show it to be not only an Anonymous-emulating group but also in fact part of the greater jihad. This then makes it a new twist in the GWOT for us all. As stated above it remains to be seen just what capabilities this group will have, but the paradigm itself is what matters more in the grander scheme. For the moment though we can see they have hacked at least one site and show proof of it with a dump on pastebin as well. Of course the reality of most hacking operations with regard to Anon, as well as the jihad thus far, is that they have only been propaganda oriented. We have yet to see real operational intelligence being gathered and used by AQ and others in theatre, so to many this may also seem just an interesting twist. We will have to see what happens when the games begin and move on. Perhaps these guys are all bravado… Perhaps other Anons might not like this group’s using their nom de guerre for terrorism…
Interesting times….
K.