Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for March 2014

ASSESSMENT: Target Media and Lawsuit Failures


The Target Hack Media Failures:

From the moment Brian Krebs first put out his story on the Target hack it has been mostly a feeding frenzy of reporters trying to out-scoop not only Brian but everyone else they could leverage to get a headline. Throughout the whole affair there has been a lot of speculation on how the hack happened, the timelines, and just what, if anything, Target knew about what was happening to them as it was going on. Since the first report we have come a long way toward understanding, through confidential sources, just how it happened, but the reality is that there are many things about the hack itself that still cannot be said with any certainty.

The biggest hole in the whole story to date has been how the hackers infiltrated Target in the first place. After looking at data that Brian had shown me and doing my own research on Rescator and the Lampeduza, he and I came to some conclusions on how they most likely got into Target’s systems. Primarily, the phish on Fazio allowed the attackers to gain access to Target’s booking/payment systems for doing business with its vendors online. It was a supposition on my part that they used an infected Excel sheet, Word document or PDF, passed into Target’s online system with the stolen credentials, to gain access to a peripheral system connected to the internet. Once a user inside had the file they likely opened the document and infected themselves, and thus allowed access to the general network. From there it became simply a matter of locating a machine that sits on the LAN where the servers and the POS can be accessed.

The media generally, though, has been harping on the idea that since Fazio is an HVAC company it had access to ICS or PLC units within the Target network, as this is all the rage in the news. There has never been any proof of this happening, and in fact Fazio has made a statement saying it never had remote access to the Target HVAC systems because it does not do that kind of work for them. This escaped the media in general as well as some infosec bloggers that I know. Now, however, we have a new twist on this media festival of failure with the advent of the Target lawsuits recently brought by banks involved in this mess.

The Target Lawsuit Failures:

The Target lawsuit now goes after not only Target Corp itself but also Trustwave, a security company that allegedly carried out the Target PCI-DSS (Payment Card Industry Data Security Standard) assessment at or around the same time as the compromise of Target was happening. It was at this time that Trustwave certified that Target was in fact “PCI compliant” and therefore, in the industry’s eyes, secure. Of course this is a misconception that many in the security field have been venting about for years, and the popular derisive term for it is “check box security”, because in reality it is just a check mark on a form and not a real means of protecting data.


The lawsuit is filled with ill-informed views on what happened to Target, as well as on how security works, and has been roundly regarded in the security community as well as the legal community as a joke. Using dubious sources on cyber security and primarily believing all that the media has written on the subject of the Target breach, this lawsuit makes assumptions about PCI that are common and untenable. One of the more egregious failures in comprehension is the idea that any system of checks or regulations would make a system or database secure by the very fact that you have checked off all the boxes on a list of things to do. This is especially the case with PCI, due in large part to the way it is audited and by whom.

PCI-DSS Failures:

One of the real issues that seems to be coming out of the lawsuit and the reporting on it centers on encryption of data. The encryption of data at rest (in a database) or in flight (on the network between systems) seems to be the crux of the issue for the litigants’ legal team in the Target affair, but I would like to state here and now that it is a moot one. The idea is that if everything is encrypted end to end then it’s all good. This is not the case, though: in this particular attack on Target the BlackPOS malware that was used scraped the RAM of the POS systems, where the card data sits unencrypted, as it usually does. This is a key factor in the case, and unfortunately I know that the legal teams here, as well as the legal system itself, are pretty much clueless on how things work in technology today, so this will just sail right over their heads.

Here are the facts in as plain a way as I can get across to you all:

  • BlackPOS infects the system and scrapes the RAM for the card data
  • BlackPOS then copies the data and exfiltrates it to an intermediary server, to be sent eventually to Russia (RU)
  • The data is not encrypted at this point, and thus all talk of encryption of data or databases is moot unless said data came from database servers rather than being copied from POS terminals
  • Encryption, therefore, whether in the database or on the fly, is a MOOT POINT in this case
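As an added illustration (my example, not part of the original post and not code from any BlackPOS sample), here is the detection side of the list above: a scanner that walks a memory dump looking for Track 2 data and keeps only hits that pass the expiry-month and Luhn checks. The dump bytes, session strings and PANs are constructed test data; the PANs are the standard 4111... and 5500... test numbers, not real cards.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM<service code><discretionary data>?
# The expiry-month check in the regex and the Luhn test below are the two
# cheap filters that separate real track data from digit runs that merely
# look like it (timestamps, serial numbers, addresses in binary data).
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(0[1-9]|1[0-2])(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check digit test over a PAN given as a digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_memory(buf: bytes):
    """Return [(masked_pan, 'YYMM', service_code)] for every Luhn-valid
    Track 2 record found in buf. PANs are masked to first 6 / last 4 so
    the scanner's own output is not another copy of the cleartext cards."""
    hits = []
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        expiry = (m.group(2) + m.group(3)).decode()
        hits.append((masked, expiry, m.group(4).decode()))
    return hits


# Constructed stand-in for a POS process memory dump (not real data): two
# plaintext swipes as a card-reader driver leaves them, one digit run with a
# bad check digit, and an opaque blob standing in for the same card after the
# application encrypted it for the database (no track structure survives).
FAKE_DUMP = (
    b"\x00" * 32
    + b"POS session 0421 lane 3\x00"
    + b";4111111111111111=15061010000000000?\x00"   # Luhn-valid test PAN
    + b"\x7f\x45\x4c\x46" + b"\x90" * 16
    + b";4111111111111112=15061010000000000?"       # fails Luhn: ignored
    + b";5500000000000004=16120110000000000?"       # second valid swipe
    + b"\x8b\x1e\xa4\x55\xc0\x19\x7d\x3a\x02\xee\x41\xf9\x6c\x88\x5b\x27"
)


if __name__ == "__main__":
    for masked, expiry, svc in scan_memory(FAKE_DUMP):
        print(f"{masked} exp={expiry} svc={svc}")
```

Run it over a dump of the payment application’s process (procdump, a hypervisor snapshot, or a full memory image) and any Luhn-valid hit is card data that existed in plaintext on that host. That is the window a RAM scraper lives in, and it is one that database encryption and TLS never touch; encrypting in the reader head (point-to-point encryption) is the control that narrows it. The digit-run regex on its own fires constantly on binary data, which is why the month and check-digit filters matter for a hunt.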

There you have it. It’s a pile of fail all the way round, and the media and the law are perpetuating half-truths and misconceptions about how things really work in the digital world. There are many issues with PCI-DSS, and the encryption issue cited in the lawsuit and the Wired piece linked above is just silly because the writers and the lawyers haven’t a clue. While PCI needs to either die a quick death or be replaced by something better, it is not the only reason, nor the primary one, that the attack on Target worked. There are, of course, many other reasons, stemming from inaction, that have been brought forth recently and that paint quite another picture of ineptitude; those are the real culprits here.

Analysis:

Overall the analysis here is that there are many to be blamed for this hack, and not all of them are the adversaries that carried it off. The fallout now, with the lawsuits and the press coverage of the debacle, has only amplified the failures and is making things worse for some and better for others. We have already seen an uptick in finger pointing as well as sales calls laden with snake oil about how their products could have stopped Rescator cold. The fact of the matter is that FireEye and Symantec both tried, but the end users failed to allow the tools to act, and failed to heed their warnings. Of course one should also look at this and see that even if the tools had been heeded it may not have stopped the attack anyway without a full incident response (IR) investigation into what was going on.

The people who are any good in this business of security live every day with the assumption that their network is already compromised. This is a truism that we all should take to heart, along with the knowledge that we cannot stop every attack that is carried out against us. We can’t win every battle and we may never win the war, but we have to try. Target’s failures will hurt for some time, within the company as well as for those who were working there at the time. I have no doubt that heads rolled, and perhaps that was necessary. It is also entirely possible that people did try to stop this event but were told not to do something because it might affect the production environment. Of course this is all speculative, but those of you reading this from inside this business know what I am talking about. It’s a universal thing to be shackled in your battle to secure the network because it affects the bottom line.

What I would like you all to take away here, though, is that PCI is not the only reason for this hack, and it certainly isn’t because Target was not encrypting its traffic or its databases. This is just a ridiculous argument to be having. Just as ridiculous as it is to have the cognitive dissonance to believe that checking a box in an audit makes anything more secure.

K.

Written by Krypt3ia

2014/03/28 at 20:50

Posted in FAIL, Target

Ninja, Samurai, Shogun, and Ronin


Preface:

I cannot count the number of times that someone has called this or that person a “Ninja” in the INFOSEC/Red Team community that we all inhabit. One cannot go to a hacker conference without seeing Ninja imagery in the artwork surrounding the business of digital security today, and this allusion to the Ninja has been problematic for me for some time. I think my feelings on this are akin to the feelings of those who grind their teeth on hearing another presentation on security that contains Sun Tzu quotes from the Art of War. Recently, though, I have had some insights, due to some reading as well as a series of incidents involving the Target story, that got me thinking. My conclusion is this: “If we are going to use the imagery and call ourselves Ninja then we had better also look at the Samurai who defend their domains and their Shogun, as well as the odd Ronin out there we run into.”

To this end I am writing this post on the parallels today, for those who wish to consider themselves Ninja, and perhaps to reach those defenders or “blue team” folks so that they understand the landscape here from a historical perspective as well as a tactical one. Given the nature of the threats today and the increasing use of unconventional warfare tactics in everyday compromises, it is my opinion that we all must be much better versed in warfare as well as espionage in order to deal with the everyday job of compromising a network as well as defending it. This also extends to the idea that you must be able to deal with your particular “Shogun”: take their orders as well as advise them on the battles that you are waging.

So, if you want to consider yourself a Ninja, Mr. Pen-Test Red-Teamer, then so shall I consider myself a Samurai. However, I will understand these terms in the context of history, not Hollywood, and apply their traditions and capabilities to today’s battle on my Shogun’s network.

Ninja History:

The history of the Ninja is shrouded in mystery for many, but the truth of the matter is that the wellspring of the Ninja story was primarily two clans, from Iga and Koga, during the 14th century. These were mountain ascetics at first, and then commoner families or clans who passed down their teachings within the family for security’s sake. These Ninja were not bound by Bushido as completely as the Samurai were, but their core ideals did emanate from the same code. The Ninja were specialists in unconventional warfare, using common tools as weapons, but their primary aim was to not have to fight in the first place. A Ninja, you see, was in fact a spy more than anything else, and the first tool in their arsenal was stealth. The use of disguises and psychological warfare were the first tenets, beyond a command of their bodies as weapons, and this made them a force that the Samurai often failed to deal with well.

The reason the Samurai often failed to win against a Ninja was that the Samurai’s main goals were to die in battle honourably and to use no artifice in battle. The Ninja, on the other hand, used trickery and deception as their primary tools, and this extended to individual fights between the two, which oftentimes took place not on a field of battle but instead at a castle gate or elsewhere the Samurai were not prepared to fight. This is, of course, only if the Ninja was forced into a battle in the first place. As one master put it, “The best ninja has no smell, leaves no name, and makes everybody wonder whether he existed,” so the first priority was never to be seen at all.


INFOSEC Ninja:

Given the quick primer above, we then have to look at the dialectic today when people in our community call themselves Ninjas. If we are to consider a Ninja to be a warrior or adversary who uses unconventional warfare tactics and espionage techniques in the digital sphere, many within the Red Teaming and Pen-Testing field “might” qualify. One has to ask, though, just how many of these red teams are using unconventional tactics like 0day to carry out their attacks, as well as recruiting spies or physically infiltrating targets. This all depends on whether or not you are in fact allowed to take the gloves off and actually do the things that an actual adversary would do. All too often I have seen penetration tests that were called red teaming but had very limited scopes and ground rules that no self-respecting Ninja would allow or abide by. So is this really a Ninja? One who follows the rules of engagement set forth by the target? Are they in fact more of a Ronin or Samurai posing as a Ninja while performing their task?

What I am trying to get at here is this:

  • Does following the rules of engagement on an assessment allow you to be called a Ninja?
  • Did you get in and get out without being seen or heard?
  • Did you use unconventional means or did you just use Metasploit?

Many guys out there I know personally are doing great work, and I would call them Ninjas if it weren’t for my dislike of the whole hype and silliness around this imagery as personified by Hollywood, and now by the INFOSEC community, without the benefit of real historical context or understanding. As I mentioned above, though, this field of information security, both offensive and defensive, is increasingly becoming a pawn in a greater geopolitical game as well as a field of battle, and we need to catch up. The points I made just a bit ago about how you carried out your penetration tests come to bear here with adversaries like China and others who have no rules of engagement. They use whatever they can to get in and take the data they want, and no amount of compliance like PCI will stop them, or the common carder like Rescator and his crew. Unless we as a community can get it across to our Shoguns (aka corporate America) that there are no rules, we will always see more Target breaches, because they only followed the rules of PCI compliance and did no more.

EDIT:

I have been thinking about this post after watching an episode of TMNT (yes, I watch Nick) and how the storyline now includes April O’Neil as a Kunoichi. A Kunoichi is a female ninja, and they were commonplace before the comic book world got hold of the idea. Of course today you think Kunoichi and you may see something like “Shi” in your head. This was not necessarily the case; there were indeed female Ninja, and they were oftentimes inserted into situations as Anna Chapman was, as an illegal and a honeytrap, but they were exceedingly skilled in the same techniques as the men and their equals, if not more efficient.

Today there are many women Ninja in our business, and it was an oversight on my part not to mention this designation. I am correcting this now. I would, however, like to make the distinction that today’s Kunoichi is not just a pretty girl; there are many highly technical women in this business who can hack, and not to acknowledge this is a disservice. This designation is not meant to separate the sexes and skills but to be inclusive where I had been remiss before in not thinking to include the term.

INFOSEC Samurai:

The opposite side of the coin in this argument is that the Blue Team side is in fact the hapless Samurai. Why are they the Samurai? Well, take a look at your average defender and you will see the similarities. The primary thing, though, is that the Blue Team is bound by the rules of the system in place, or of the Shogun they report to. In the case of corporate America your Shogun is your CSO/CISO/CIO and your Emperor is of course the CEO. The blue team cannot go outside the confines of the rules set forth by the Shogun and the Emperor no matter how much you try, and all too often it seems that the C-level execs are hard to reach and consider the blue team more of a check box than anything else in today’s culture. Thus I add the title of “Hapless” to the Samurai, because no matter how good the Samurai is, he or she is always defined by the Bushido of the lord they work for.

In a battle against the Ninja (i.e. APT/criminals/mal-actors), who use the tactics of unconventional warfare, there is little that can be done by the Hapless Samurai who wears the shackles of corporate Bushido rules. How many of you out there have been hamstrung by policy, or the lack thereof, in trying to address the unconventional war that is being waged today on all our networks by various actors? Again, what I am trying to say is this:

  • How many times have you been told you cannot get a tool for prevention/detection because it costs too much and there is no budget?
  • How many times have you attempted to get the word out on security and awareness, only to get a half-hearted response, or none at all?
  • How many times have you laid out the risks to your Shogun and been told that they would not fix the issues due to time/money/business continuity issues?

There are a host of questions I could ask, but you get the gist here, right? YOU are at the feet of your Shogun and your corporate emperor and you have little to no say in the direction of things. All you can do is serve, and serve with honor no matter the cost. Oh, and yeah, usually when the compromise happens, who gets the blame and is then shuffled off to the unemployment line? Hey, at least it’s just that instead of being told to commit seppuku, right? Remember that you are the Infosec Samurai and learn to live with this, because if you cannot, you will be very unhappy and your every day will be filled with angst and misery. If you take a real look at the Bushido code, though, or the Hagakure, perhaps you can find meaning.

INFOSEC Shogun:

The Infosec Shogun is in fact the CSO or CISO in today’s corporate structure. These are the lords who, like the Shogun generals, should be marshaling the troops and fighting the overall tactical battles. My experience to date has been that far too few of these Shoguns had actual viable experience to be the Shogun, and more often than not got their jobs by the fickle flying finger of fate. Of course this is changing now in more places, but I would hasten to point you at the Target affair to show you otherwise. Given the information that has come out of Target so far, there was no CISO or CSO Shogun but instead a CIO who had no real IT background to begin with. Unfortunately, all too often this is the case with the CSO as well. What good is a general (Shogun/CSO/CISO) who has no experience in battle? How can one expect to win any battle with someone at the army’s head who has no idea what the conventions are, never mind the tactics to fight it?

Alternatively, you may have a Shogun who does have experience and can give you direction as well as take counsel to fight the war, but they too may be hamstrung by their emperor, who holds them back. The idea here is that, like it or not, whether you are literally in feudal Japan or in the corporate boardroom today, you are always reporting to someone and taking their orders. This is the key here: while the Ninja may have had basic orders, they were also given greater purview on tactics and mission parameters, and we, the hapless Samurai, are not. We are governed by our corporate masters, and to go outside the rules is to be let go. Remember this, Blue Team Samurai, as you prosecute your daily battles against the adversary who laughs at rules.

INFOSEC Ronin:

The last designation I would have you consider is the Infosec Ronin. The Ronin were masterless Samurai who historically often became more Ninja than anything else. Some of these Ronin were in reality still Samurai, using the tactics of the Ninja to win the day for their Shogun, but this was not the norm. In today’s world I would consider the consultant to be a Ronin. A consultant goes from job to job and does the bidding of the master of the day, and in fact may have the latitude to tell the master that they are wrong. A Ronin may in fact operate as a Ninja, primarily because they have no set master, and this is rather liberating.

For the sake of this argument I am going to just say that the Ronin, one who is established, can walk away from any contract if they are unhappy with the responses from their “master Shogun” and move on. This is perhaps the key to actually being an effective Samurai in some cases. It really does depend, though, on the master who has hired you to perform a job. I personally have walked away from clients because, after the first pass of a final report, they had decided that certain things were not worth remediating. If I feel that the client is only going to perform “check box” security then I am no longer willing to help them, if I am in fact a Ronin. I know that some will say that this is just stupid and you will not make your payday, but I personally would rather be benefiting the security of a place than just giving it lip service, wouldn’t you? Of course not many of us out there are in the position to do this, and I will admit that my consulting is a side business to my main income, so for me it is a bit of a luxury having this code of ethics. The Ronin, though, has a place at the information security table, specifically next to the Ninja, because they are not bound solidly by the rules of the emperor at that particular shogunate.

Unconventional Warfare & INFOSEC:

Finally I would like to cover the idea of unconventional warfare and the state of INFOSEC today. As I have stated above, we are now in a place where information is power and all warfare over it is allowed. The advent of APT (Advanced Persistent Threats) and nation state actors has changed the paradigm of information security forever, as much as networking has. We have seen the advent of many kinds of laws and rules being put in place to stop bad actors as well as to force corporations to at least adhere to a modicum of security practices to protect their clients. Many of these, whether from Washington, such as HIPAA, or from the card brands’ own industry council, such as PCI-DSS, are toothless cudgels that corporations can just use as talking points while skating on actual practices. Alternatively, many of these rules have little to no comprehension of actual technological issues, nor do they address the unconventional warfare tactics that are being used to attack systems and companies to steal data. On the whole, nothing out there to date really will make a difference against a determined adversary, and that knowledge needs to be common. Instead, though, it seems to be arcane and mysterious to many in power.

Until such time as ideas like Defense in Depth are more common and we have Shoguns and emperors who understand not only how their business runs but also their threatscape, we will be doomed to failure. Of course one might also hasten to add that even with the best of the best we will always lose a battle or two, and this is quite correct. The key, though, is to attempt to win the war itself and leave the battles to the day to day. Accept those we lose and learn from them, to hopefully win the overall war later on. Unfortunately, too many of the people that we the Samurai deal with are not at all aware, and in many cases do not seem to care to understand the issues until they have been burned, and burned badly (like Target)…

We, the Samurai, face a battle today that no one has faced before. The threatscape is ever changing at the speed of light and the adversaries are many. Prepare for your daily battles knowing who you are and where you sit in the hierarchy. If you decide you want to be a Ninja, understand that you too may be bound by the rules of the Shogun as your retainer. I want you all to think about the names we give ourselves and the perceptions we want others to have of us, but most of all I want us all to be enlightened about our fight and who we are. Today it’s just a given that you must consider your networks already compromised, and that the Ninja in there stealthily stealing data more than likely isn’t one that you are paying to test your security.

K.

Written by Krypt3ia

2014/03/26 at 17:41

Posted in Ninja

ASSESSMENT: INSPIRE 12 “Shattered”


Inspire 12 Shattered:

Inspire issue 12 was dropped on Alplatform Friday night, and this issue is somewhat different from past issues due to changes in staff and a change in thought, probably brought on by the attrition that has occurred. It is also of note that this issue is ostensibly put out by AQAP alone and makes no mention of Al Malahem, which may show some of the fractures in the AQ umbrella as well as security issues that may have happened online in the recent past. Of course AQAP was the progenitor of the magazine, but it was also a group effort for some time, and that seems to have changed with the isolation of groups, in part due to the death of OBL and the pedantic leadership of Ayman. This issue seeks to reach the “lone wolf” audience and broach the field of operations in the West, as opposed to the Ummah in the lands, which has been the standard of this magazine nearly from the beginning.

It has been some time since the last issue was released, and I am assuming this was because of the attrition I spoke about before. Indeed there seems to be little input from Abu Al Amrici in this issue, and there are new guest writers as well as a scope creep into other areas of concern such as North Africa, which was a bit of a surprise, but as you look at the bigger picture of the magazine it makes sense: the publishers are trying to change the scope to cover more areas of jihad outside the lands of the Ummah, such as the EU and now Africa, covering such things as the bombings in Kenya by Al Shabaab and even having a Harakat (Shabab Youth Brigade) guest writer. Overall, there are some subtle changes within this issue that analysts should take note of, which bespeak a change in thought to a more global approach.

Contents Overview:


Changes From Previous Issues:

The biggest change in Inspire, other than the change in staff and writers, is the subtle shift in tone from a more Koran-centric and pedantic messaging to a more political, Western-thought-driven methodology. Over the course of the magazine’s run the writers have been coming to grips with trying to motivate the Westerner to action while doing so with the call of jihad through the Koran and their particular spin on it. Over time I believe they have come to realize that to reach the Western audience that may be enamoured but unwilling to act solely on the Koranic call to jihad, they have to reason with them in a more Western manner. In this issue there is a much more political and economic spin that attempts to spark a response in a Westerner against the actions of America in particular. The authors have seized upon the times (i.e. the Snowden releases, war weariness, and economic climate issues) to try and sway the reader into action.

The layout of the magazine is just as slick as before (judging by the file’s metadata, the authors reused the 2011 PDF template from past issues), and the progression of the magazine’s dialectic is as follows:

  1. The state of the jihad (Koranic)
  2. The deen of jihad (Koranic)
  3. Interview/questions on the reasoning of actions within jihad with Anwar Al-Awlaki (Koranic)
  4. Samir Khan on the politics of Palestine and the jihad (political)
  5. City Wolves “call to action” (political)
  6. Tawheed/choosing AQ (doctrine/Koranic)
  7. Experience of jihad (Koranic, and the romanticism thereof)
  8. Q&A with President Obama (the Q&A is assembled from snippets of press conferences) (political)
  9. The Sisters’ Corner (exhortations to mujahidah wives by Umm Yahya) (Koranic)
  10. Shattered (the political and economic bankruptcy of America and the West) (political)
  11. Open Source Jihad (IEDs)
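The metadata check behind the template remark above, as an added example that is my code and not part of the original post: a small standard-library parser that pulls the /Info dictionary out of a classic-trailer PDF and compares CreationDate against ModDate, since a layout file carried forward from an older issue keeps its original creation date while the modification date moves. The PDF bytes, the producer string and both dates are constructed for the example; the real Inspire file was not used.

```python
import re
from datetime import datetime

# Constructed minimal PDF for the example (not the Inspire file). Its /Info
# dictionary shows the pattern described in the post: a CreationDate years
# older than the ModDate, which is what a reused layout template looks like.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Producer (HypotheticalLayoutApp 7.0)
           /Creator (HypotheticalLayoutApp 7.0)
           /CreationDate (D:20110701120000Z)
           /ModDate (D:20140314223000+03'00') >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# PDF date strings look like D:YYYYMMDDHHmmSS followed by an optional
# timezone (Z, or +HH'mm'); everything after the year is optional.
PDF_DATE = re.compile(rb"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?")


def parse_pdf_date(raw: bytes):
    """Turn a PDF date string into a datetime (timezone offset ignored;
    for template attribution the year and month are what matter)."""
    m = PDF_DATE.match(raw)
    if not m:
        return None
    year, month, day, hour, minute, second = m.groups()
    return datetime(int(year), int(month or 1), int(day or 1),
                    int(hour or 0), int(minute or 0), int(second or 0))


def info_dict(pdf: bytes) -> dict:
    """Return the literal-string entries of the /Info dictionary as {key: bytes}.
    Classic trailer form only: xref-stream PDFs, hex strings and encrypted
    files need a real parser such as pypdf or pdfminer."""
    trailer = re.search(rb"trailer\s*<<(.*?)>>", pdf, re.S)
    if not trailer:
        return {}
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", trailer.group(1))
    if not ref:
        return {}
    # Locate "<num> <gen> obj << ... >> endobj" for the referenced object.
    obj_pat = (rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2)
               + rb"\s+obj\s*<<(.*?)>>\s*endobj")
    obj = re.search(obj_pat, pdf, re.S)
    if not obj:
        return {}
    return {k.decode(): v
            for k, v in re.findall(rb"/(\w+)\s*\(([^)]*)\)", obj.group(1))}


def template_reuse_signal(pdf: bytes):
    """Return (creation_year, mod_year, gap_in_years), or None if either date
    is missing. A multi-year gap is the 'old frame, new content' signal."""
    info = info_dict(pdf)
    created = parse_pdf_date(info.get("CreationDate", b""))
    modified = parse_pdf_date(info.get("ModDate", b""))
    if created is None or modified is None:
        return None
    return created.year, modified.year, modified.year - created.year


if __name__ == "__main__":
    for key, value in info_dict(SAMPLE_PDF).items():
        print(f"{key}: {value.decode(errors='replace')}")
    print("creation/mod/gap:", template_reuse_signal(SAMPLE_PDF))
```

Producer and Creator strings from the same dictionary are the other half of the fingerprint: the same layout application and version across issues is consistent with one shop and one template. Metadata is trivially editable, so treat a match as a lead to corroborate against fonts, embedded images and XMP data, not as proof on its own.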


This shows more of a drift away from the hard-edged issues of the past, which focused on the “duty” of the Ummah via the Koran, toward a more balanced logical/rhetorical basis for jihad, with softened approaches more palatable to the Westerner. The issues of the day make their appearances, covering not only drone strikes and the pull out from Afghanistan (2014 maybe?) but also the surveillance state that has been revealed by the Snowden releases. The magazine talks about the Snowden files indirectly, but also shows that the authors have taken heed by removing the Q&A-via-email section “due to security reasons”, which obviously is due to the Snowden revelations.


For the most part this issue shows a direction change that is subtle but perceptible if you look at the entirety of issues 1 to 12. The changes to the organization through attrition slowed them down, but it also perhaps gave them new blood and pause to determine just how they could better attract the Westerner. Mentions of Faisal Shahzad as well as Dzhokhar and Tamerlan make it into the issue, and they add targeting ideas that will be explored in the next sections below. This, of course, is the more troubling thing about this issue: more of a focus on targeting and timing for attacks. Generally, though, this issue once again follows the basic formula to engage the would-be “Lone Wolf” and exhort them to action, the main difference being that the tenor is less strident and more engaging.

Open Source Jihad: Car IEDs


One of the more troubling points of this issue, however, is an expansion on a theme. I had heard pundits in the past ask why AQ and others had not used the idea of car bombs here in the US more often. Well, now they are advocating this, with a type of bomb that actually failed in Times Square in the hands of Faisal Shahzad. The Open Source Jihad section this time around focused solely on car bombs, and specifically on the use of gas canisters and oxidization. I am not showing the how-tos, but suffice it to say that they have a basic design like the one Shahzad used, with some changes to make it more effective. The authors also revised their operations manual to offer the lone wolf the choice of martyrdom or remote/timed detonation systems. With these plans a would-be wolf could do some serious damage were they to carry out their plan with a working IED in a car or, more to the point, as they show in the final image of the magazine, a panel van.


TARGETING:

The most problematic part of the Open Source Jihad section was a new feature called “Targeting”, which needs no preamble. In this case the targeting is very directed and shows some thought in the wake of the Boston Marathon bombings. The authors are laying the groundwork for the wolves to be methodical about their target choices. They have a focus on NY, as always, and Washington, but also mandate that the UK has specific targets and times that are propitious for attacks to create the maximum kill ratios and fear factors. This is a significant change, and what has me more worried is the whole package here: you have your device, which is fairly easy to create with materials on hand (especially as summer and BBQ season approach), and then you have directed targeting and times with which to carry out your action. The targeting also gives the wolf things to look for, such as the usual congregating events, but hints at specific events upcoming this spring and summer as well.


ANALYSIS:

The final analysis on this issue of Inspire is that the changes in staff have also brought a change in tone and approach to radicalizing the lone wolves into action. These changes show how they are learning to approach the Westerner to incite action, and given the climate today there may be more people who are moved toward this line of thinking. I would hasten to add, though, that the mental status of the individuals who wish to be lone wolves plays a key role in their movement from merely ideating on such actions to actually putting them into practice. In the case of the Boston bombers, they both came from a region that was fraught with issues, and both had issues stemming from broken home lives and a desire to feel they belonged somewhere. This and other factors make it possible that some other deranged and motivated individual of the Western persuasion will act out upon these orders by AQAP.

If anything, though, this publication is sure to get a reaction from the government, and security around events throughout the world will be tightened even more than it might have been after the marathon bombing. In this instance the IEDs are specifically designed for carnage among bystanders and not for demolition of buildings. This is, I assume, to generate the maximum amount of fear from an attack, but also because the complexity of larger and more powerful bombs is higher and failure is more probable for the lone wolf set. I can imagine, though, that the AQAP set may in the future attempt to engage the wolves to come to the lands of the Ummah and train for those more complex missions in places like Syria, or perhaps Afghanistan after the US pull-out. Time will tell, though, and I am sure we will be seeing another issue of Inspire for summer soon enough.

K

Written by Krypt3ia

2014/03/16 at 11:39

ASSESSMENT: TEAM JM511



JM511 Hacking since at least 2004:

There is a typical history to certain types of hackers, and this genesis usually begins with defacing sites and gloating about it online. Since the advent of pastebin and Anonymous things have changed a bit: now the gloating comes with dumping DOX or proof of hacks. JM511 has been one of these hackers who started around 2004 (by his own account, as seen in the picture below) defacing sites and shouting out gr33tz to those he wanted to share his conquests with. Oftentimes the tenor of JM511 has been “neener neener neener you stupid idiots!”, which is pretty common and bespeaks a certain core need to feel superior to anyone and everyone, coupled with poor impulse control. Of course, in today's world there are so many outlets to garner fame and fortune for your exploits, like Twitter, where JM511 has a long-lived feed on which he posted his thoughts on hacking, politics, and Islam, and generally used it as a platform for self-aggrandizement.


To date JM511 has been pretty prolific and, for the most part, an afterthought to most for his acts against poorly protected sites. However, he has recently taken on a new aspect with posts that dumped credit cards and email addresses as well as other PII that some out there certainly should care about. Law enforcement at the least should be paying attention to large dumps of credit cards and PII, as well as watching these guys who profess their ties (albeit tenuous at first) to AQ. I personally got him on my radar via a tip from a comrade who thought it might be a fun diversion for me to look into Mr. 511. That tipster was right, and I tip my hat to you, sir.

JM511 Today:

JM511 has been a busy, busy boy. A recent post by him on pastebin was what triggered all of this, from the angle of Islamic hackers who may in fact be carding on the nets. The posting below is the cause for my look-see, and as you can see he is taking pleasure in dumping people's credit details and names on pastebin with impunity. JM511 has a whole long list of pastes out there showing his knowledge of everything from XSS to SQLi and other attacks, whilst mocking those he has ripped off or otherwise shamed in some way. Of course, now he calls his crew “Islam Hackers” and seems to have the aforementioned aegis towards opposing those who would oppose Islam. In fact he was one of the many voices on Twitter back last April saying that Dzhokhar was not guilty of his crimes (bombing the Boston Marathon) and that Islam is a religion of peace. Odd that he says such things as he then turns around and starts abusing people online…


JM511 aka فيصل البقعاوي aka Faisal Bakaawi aka Faisal Faisal Al Otaibi:

JM511 thought he had it all figured out, though. His reign has been long and no one seems to have caught on to him to date. That is, until now. Through a circuitous use of Maltego, Google, and the frontal lobes of my brain, I managed to trace JM511 through his SPECTACULAR OPSEC FAIL to his real name and his location. As JM511 aka Faisal Bakaawi or Faisal Al Otaibi claims that he is in and from Saudi Arabia, I am sure he thought he could not be tracked. Well, he would be incorrect there, because he forgot to compartmentalize his real life from his IDs. Faisal failed to avoid re-using IDs for non-hacking things like, say, posting an ad for housing in DeKalb, Illinois recently.

It seems that Faisal is attending ESL (language school) in DeKalb and used his Yahoo account (jxffh@yahoo.com), which he tied to his Skype account FoFox511x, which he also kindly attached to his cell phone (443-820-8939, a Baltimore number btw), and he wanted a move-in date of 11/5/2013, so I am going to assume that he has found lodgings by now there in DeKalb. Some might say to me “why did you post his details on the net! Shame on you!” Well, I subscribe to the idea that turnabout is indeed fair play, and all of this data is open source and public, so it has an added giggle factor for schadenfreude.

UPDATE: While researching this it became clear that the name Faisal Otaibi also comes up in posts and videos by JM511. Further study showed direct links to a Faisal Otaibi also being a DeKalb resident attending school (see pic below). I believe that Faisal either has a pal there with him also named Faisal or, more likely, they are one and the same and Faisal has just been trying to obfuscate his name. Either way, it is my conviction that Faisal Otaibi/Bakawai is indeed JM511. It is also key to note that a Faisal Otaibi is also listed as an ethical hacker who attended last year's hacker conference in Germany… Oh, and one more thing: ELS, the school, is located on NIU's campus.


So, Faisal, thanks for playing, but you lose. Please collect your silver bracelets at the door, because LE has been informed of these details coming to light and you should be visited, hopefully, soon. I do love the irony of the selfies on your Twitter feed showing how you used those people's credit cards to purchase domains, though. I mean, usually it's some unsuspecting idiot showing off their new credit card and not understanding OPSEC. Of course, in this case it's you and someone else's money that will get you some jail time, I suspect.

ASSESSMENT:

My analysis of this interesting side trip to my day is this: OPSEC, USE IT or FAIL miserably. Faisal, you failed, and I eagerly await the news of your being popped for your crimes. Let it be an object lesson for others out there who may look up to such fools. You may hack for a while, you may have your fun at the expense of others, but eventually you will make a mistake and get caught. It's just your human nature and the law of averages that will get you in the end. Run! Scurry! Someone's coming to see you.

K.

Written by Krypt3ia

2014/03/14 at 16:32

ASSESSMENT: Target Lessons Learned


The Hack:

While there is a lot of information out there on how the Target hack allegedly happened, there are a few points that have been clarified. BlackPOS was installed on systems within Target after the hackers had been in for some time carrying out recon and getting a handle on how to carry out the exfiltration of data. Given the information already out there, it is a reasonable supposition that the hackers got hold of the Fazio credentials to the Target portal and then leveraged that system to carry out the compromise internally. The system traffics in Excel, Word, and PDF files, and to my mind, as the hackers had the Fazio creds to get onto that system, they just uploaded a malware-laden file for someone internally to open and compromise their system. The question then becomes just how long it took from that moment to the moment that the hackers gained access to the Target POS systems and servers on which to install their malware.

According to the CEO of the company (Gregg Steinhafel), Target was in PCI compliance, and under PCI rules that means that the network should have been segmented to disallow easy compromise from end-user systems and the like. Of course, we are relying on the testimony of the CEO and others at this point in time, because we have no other reports from FireEye or anyone else to attest to that fact. In any case the hackers got to the data and exfiltrated it while triggering alerts that should have started an Incident Response (IR) internally at Target. This did not happen, it seems, and thus the hackers made off with all the data that they wanted. The moral of the story here can be summed up in an old aphorism I love to cite: “A fool with a tool is still a fool.”

The After Action Report:

According to sources close to the investigation of the incident (FireEye/Mandiant), alerts were raised on key systems that were infected by BlackPOS; it was detected as malware of indeterminate kind because there were no current signatures for it in the AV and IDS/SIEM systems. If the information given by the anonymous sources is accurate, then the fact of the matter is that the technologies Target bought to protect their data were at best ignored and at worst turned off by the SOC managers internally at Target, perhaps because they gave too many alerts. This is a common problem with IDS/SIEM/AV systems: they need constant tuning, and in larger companies the amount of traffic that passes through the sensors is huge and complex. It is not uncommon in some organizations to have no real FTEs watching those systems either, with a reliance on employees who may be under-trained or not trained at all to watch over the hen house. Security, it seems, has always been an afterthought for many companies, until, that is, they get hacked and outed in the press.

In the case of Target there have been moves since the incident happened to shuffle the internal deck, so to speak, and make it seem that changes are happening to policy regarding security. The CEO is making the rounds with legalese responses couched in flowery language that really boil down to “no comment”, and the CIO has resigned, perhaps under considerable pressure. After the incident occurred I began checking the Target job postings for security and began to see a lot of activity out there for workers to take over their security operations. I am assuming that there has been a bit of attrition other than the CIO, and this should really be the case given the information that has come out to date on how this attack succeeded and the failures afterwards to cope with it. Suffice it to say that the aphorism above about fools and tools certainly applies to Target in this instance, but one wonders who else it might cover out there today.

ANALYSIS:

The final analysis of the Target hack cannot be fully determined because the evidence is not yet public. However, the data that has come out (re: the Bloomberg piece linked above) shows a very salient fact that should be heeded by us all in INFOSEC. That fact is this: “Technology is great, but one has to use it properly to stop these things from happening.” If the Target SOC had not turned off functionality, they would have caught this attack happening. If the Target SOC had in fact been paying attention to the FireEye system as well as the Symantec system, they could have reacted quickly to at least attempt to catch the data being exfiltrated out of their company via FTP. The sad truth is that they did not catch it, nor did they see it, because the human propensity for ease of use caused a systemic failure to occur in security.
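As an added illustration of the point made in the after-action paragraph and here (example code written for this edit, not code from the original post and not Target's actual tooling), the script below runs three alert-handling policies over a handful of constructed alert lines: muting the noisy "unknown malware" category entirely, tuning it by network segment, and leaving it raw. The alert format, the pos-/srv-/wks- host naming scheme and every timestamp are assumptions; the correlation rule (unknown malware on POS hosts followed by outbound FTP from an internal host) is a simplified stand-in for the chain the post describes.

```python
# Added example (not from the original post, not Target's tooling). The alert
# format, the pos-/srv-/wks- host naming and all timestamps are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

SAMPLE_ALERTS = """\
2013-11-30T02:10:00|fireeye|malware.unknown|pos-reg-0117|unsigned binary dropped in system directory
2013-11-30T02:11:30|symantec|malware.unknown|pos-reg-0117|heuristic: process reads card-track memory
2013-11-30T02:15:00|fireeye|malware.unknown|pos-reg-0342|unsigned binary dropped in system directory
2013-11-30T08:00:00|symantec|malware.unknown|wks-fin-09|adware bundler in browser cache
2013-11-30T09:00:00|ids|policy.noise|wks-hr-21|SMB share enumeration
2013-12-02T01:05:00|ids|egress.ftp|srv-share-07|outbound FTP session to external address
2013-12-02T01:30:00|ids|egress.ftp|srv-share-07|outbound FTP session to external address
2013-12-02T09:00:00|ids|policy.noise|wks-mkt-03|SMB share enumeration
"""

@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str
    category: str
    host: str
    detail: str

def parse_alerts(text: str) -> List[Alert]:
    """Parse constructed lines of the form timestamp|source|category|host|detail."""
    alerts = []
    for line in text.strip().splitlines():
        ts, source, category, host, detail = line.split("|", 4)
        alerts.append(Alert(datetime.fromisoformat(ts), source, category, host, detail))
    return alerts

def segment(host: str) -> str:
    """Map a host to its network segment via the assumed naming scheme."""
    return {"pos": "pos", "srv": "server", "wks": "user"}.get(host.split("-", 1)[0], "unknown")

def suppress(alerts: List[Alert], categories: Set[str]) -> List[Alert]:
    """The 'turn it off' policy: drop every alert in the noisy categories."""
    return [a for a in alerts if a.category not in categories]

def tune(alerts: List[Alert]) -> List[Alert]:
    """Tuning policy: drop policy noise everywhere, but keep unknown-malware
    alerts from the card-handling and server segments no matter how noisy."""
    kept = []
    for a in alerts:
        if a.category == "policy.noise":
            continue
        if a.category == "malware.unknown" and segment(a.host) == "user":
            continue  # would go to a lower-priority queue, not be discarded
        kept.append(a)
    return kept

def correlate_exfil(alerts: List[Alert], window: timedelta = timedelta(days=3)) -> Dict[str, Set[str]]:
    """Escalate outbound FTP from an internal host when unknown malware was seen on
    POS hosts within the preceding window. Returns {egress host: {POS hosts}}."""
    malware = [a for a in alerts if a.category == "malware.unknown" and segment(a.host) == "pos"]
    findings: Dict[str, Set[str]] = {}
    for e in alerts:
        if e.category != "egress.ftp" or segment(e.host) == "unknown":
            continue
        related = {m.host for m in malware if timedelta(0) <= e.ts - m.ts <= window}
        if related:
            findings.setdefault(e.host, set()).update(related)
    return findings

def triage(text: str, policy: str) -> Tuple[int, Dict[str, Set[str]]]:
    """Apply one policy; return (alerts left for the analyst, escalated chains)."""
    alerts = parse_alerts(text)
    if policy == "suppress":
        alerts = suppress(alerts, {"malware.unknown", "policy.noise"})
    elif policy == "tune":
        alerts = tune(alerts)
    return len(alerts), correlate_exfil(alerts)

if __name__ == "__main__":
    for policy in ("raw", "suppress", "tune"):
        left, chains = triage(SAMPLE_ALERTS, policy)
        print(f"{policy:8s} alerts={left} escalated={chains or 'nothing'}")
```

Muting the category cuts the queue to two alerts but leaves nothing to correlate, while tuning by segment keeps the queue small and still escalates the POS-to-FTP chain.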

I am sure more data will come out someday, as much as Target will allow. One has to wonder how much transparency a publicly traded company should provide and what you will actually get, though. The information coming out so far, if indeed true, is pretty damning to Target and their practices. I will say that I believe what has been told to reporters in confidence, given my experience over the years with corporate entities and their lackadaisical attitudes toward security thus far. All too often companies are pretty cavalier about security, and in the case of Target all you have to do is look to the reports coming out now about how they plan on hiring a CSO for the company. It seems the CIO had no real experience, and the company did not see fit to have a CSO or CISO until now. To boot, if you look at the wording, it was implied that they were seeking an internal candidate up until recently. Think about that for a minute: they wanted an internal candidate for a job function where they lacked the skill sets to begin with and had such a spectacular failure? The word hubris comes to mind.

The ultimate takeaway I would like to leave you with here is that Target is just one corporation of many that have the same problems. In fact I would hasten to add that we as a species are our own worst enemy when it comes to security, and if you add to this the dynamic of corporate mores you have a recipe for epic failure. You can have all the high-tech gadgets in the world, but you can still be defeated by the human animal, either through shrewdness on their part or laziness and stupidity on yours. There is a trend today toward reliance on technology as the panacea for all of security's ills, and this must be tempered with the human nature of those who operate it before we will ever be at all secure.

K.

Written by Krypt3ia

2014/03/13 at 19:30

Posted in Target

ASSESSMENT: Corporate Threat Intelligence Versus Actual Intelligence Products


Threat Intelligence:

Threat intelligence is the new hotness in the field of information security, and there are many players who want your money to give you their interpretation of it. Crowdstrike, Mandiant, and a host of others all offer what they call threat intelligence, but what is it really, in the end, that the customer gets when they receive a report? Too often what I am seeing is reports based on suppositions and little critical thinking rather than the traditional raison d'être of a threat intelligence report: actors that may have an interest in your environment. A case in point is the report from HP that was conveniently released right in time for this year's RSA conference in San Francisco.

This report on the Iranian cyber threat was hard to read due to the lack of real product, or knowledge thereof, that would have made it useful to anyone seeking true threat intelligence on an actor that may have interests in them. With a long-winded assortment of Googling presented as Open Source Intelligence, this report makes assumptions about state actors' motivations as well as about non-state actors who may, or may not, be acting on behalf of the Basij or the Iranian government altogether. While the use of Google and OSINT is indeed a valid way of gathering such intelligence, intelligence is not “intelligence” until proper analysis is carried out on it. This was one of the primary problems with the HP report: the analysis was lacking, as was the use of an intelligence analyst who knew what they were doing.

Clients and Products:

When carrying out any kind of intelligence gathering and analysis you must first have a client for the product. In the intelligence game you have “products” that “clients” consume, and in the case of the HP report on Iranian actors it is unclear who the client is meant to be. There are no direct ties to any one sector or actor for the intelligence to have any true “threat matrix” meaning, and thus this report is of no real use. These are fairly important factors when generating an analysis of a threat actor and the threat vectors that may affect a client, since the report should be tailored to the client paying for it. Of course, threat actors and vectors of attack can be general at times, and I assume that the HP analyst was trying to use this rather wide-open interpretation to sell a report as a means to an end: selling HP services in the near future. I am also willing to bet that this report was a deliberate drop for RSAC and that they had a kiosk somewhere where they were hawking their new “Threat Intelligence” services to anyone who might want to pay for them.

In the case of this threat intelligence report, ask yourself just who the client is here. Who is really under threat from the alleged Iranian hackers that are listed? What sectors of industry are we talking about, and who are their primary targets of choice thus far? In the case of Iran there has also been a great deal of supposition as to these actors and their motives. The report makes allusions to state actor intentions but only lists known Iranian hacker groups that may or may not have affiliations with the government. The same can be said for their TTPs and other alleged data within the report. The important bit about threat intelligence in the world of information security is that you need hard data to model the threats and the actors for your specific company, and this report generates none of this. This fact makes the report not really threat intelligence at all, neither in the sense of true intelligence nor of corporate intelligence.

Intelligence Collection:

The collection of intelligence is an arduous process that should be carried out by trained individuals. There are so many pitfalls that can befall an untrained analyst and make the product of the report biased or useless in the end, and these things should be avoided. In the case of corporate intelligence reporting and threat intelligence the same is true. Just carrying out some OSINT on some individuals and outputting what you find by stringing together assumptions is not a valid way of carrying out intelligence reporting, nor is it the correct way to gather intelligence. The collection of intelligence in the information security spectrum should also include direct data on telemetry and known instances of attack against the organization in question, to determine if they are in fact subject to the interests of a threat actor such as Iran or the SEA. The HP report lacks this context and thus is not much more than some suppositions about how you might be under threat from an amorphous threat actor, which makes it little more than FUD.

If you are going to collect intelligence, I suggest that you get trained individuals to start, or, if you are interested in the subject yourself, you can easily locate materials online on how to do so properly and avoid the common pitfalls like bias and groupthink. Intelligence collection is comprised of many facets. You need to be collecting information from a vast array of sources and methods before you attempt to analyze it and create any kind of cogent reporting for a client. In the case of the HP report you only have histrionic data from news reports and light analysis of websites owned by alleged hackers or state actors. True collection for a client, though, would also include detailed data or knowledge of their business, their technical measures, and their history, to create a cogent picture of their business and the threats that they may face from the actors out there who may have an interest in them. The HP report lacks this, and that is unfortunate.

Intelligence Analysis:

The analysis of intelligence is, as I said above, a learned skill that must be honed in order to perform it correctly. Analysis in and of itself takes all of the data out there and generates a report on the entirety of the data, for and against, positive and negative. Anything short of this kind of holistic analysis of information in a report of this kind only serves to mislead the client and is usually quite incorrect. An example of this would be the White House Iraq Group's (WHIG) assessment of Iraq's WMDs and intentions before Gulf War II. In that case, however, it was even worse, because the intelligence was fitted to the political desire of the administration and thus was not really analysis nor intelligence product. In the case of the HP report there is a narrow swath of data that was allegedly collected (presented in footnotes or screenshots), in addition to snippets of news media offered as intelligence.

To analyze intelligence one must first have proficiency in the disciplines of intelligence gathering and analysis, and in the particular subject matter. In the case of the HP report, there is a lack of comprehension of the politics of Iran, which might be drivers for the alleged hackers or state actors. There is also a lack of rigorous interrogation of the data presented as intelligence to test whether or not there may be a disinformation campaign or deception operations at play as well. Put simply, the analyst for HP did not take into account that this is in fact a nation state, and that it may in fact be leading such analysts down the primrose path to obfuscate the real actors. This was not even considered in the report, which just paints the alleged hacker groups as more than likely linked to nation state activities. This is poor analysis even if there may be some truth to it; without rigorous investigation and questioning there can be no solid conclusions. The net net here is that analysis of intelligence is not just looking at websites and making assumptions.

Intelligence Reports:

Reporting intelligence is a key part of the overall process within all types of intelligence activities. A report, as stated above, must have a client, and in the case of the HP report I would once again ask: who is the client here? What type of business should be worried that it may fall into the targeting of the nation state of Iran or these Iranian hackers? What sectors of business should be more worried than others? In the case of the HP report I suspect there was no real client, but it should never be forgotten why one is carrying out the intelligence cycle and just who your client is, in order to tailor the report so they can use the information in a productive way. Forms and formats change, but the aegis of the report is to apprise your client of the five W's (Who, What, Why, Where, and When), and that should be paramount in your efforts at collection and reporting of any kind of intelligence.

ANALYSIS:

My analysis here is this: “Buyer beware.” Threat intelligence may be all the rage out there as services go, but really think about what you are getting as product. Ask yourselves just what you are looking for when you consider buying into threat intelligence services and how you may be getting it. If you are looking to see what your current threats are, your analyst should be asking you to provide intelligence on you first, in order to see who might be attacking you. The technical means of log analysis and telemetry are an integral part of the process here for threat intel for corporate bodies and should always be a part of the process. Any other reporting on threat actors, without defined and direct matrices to your org, is nothing more than news reports on possible terrorists who may or may not be attacking in the near future somewhere near you. This is not threat intelligence, nor is it giving you a true picture of the threats you may face.

K.

Written by Krypt3ia

2014/03/09 at 11:01