Who hacked Ashley Madison?
Who the fuck should really care other than the police?
The answer is that no one really should, but just as with the whole thing there is a salacious fascination over the nature of the site and who’s who in the database. Now though we have cyber sleuths posting “maybe” evidence that a certain account “might” have ties to “maybe those” who hacked the site and dumped its contents online.
Look, the cat is out of the bag and the data is dumped so move on and learn from what happened at least if you can get past all the schadenfreude. This whole incident though only highlights something I have been saying for a while now. Primarily that OSINT and Threat Intelligence is only as good as the analyst and that in the game of Intelligence, it is easy to be led astray by the adversary as well as by your own cognitive biases. In this case with Brian Krebs and the Dezu account I can only say as a bystander watching the spectacle; “Enjoy the clicks man… Enjoy those clicks.”
I will say it again as I have said it many times in the past…
“It’s not about the who… It’s about the how. Learn from the how and attempt to prevent it in the future”
I had this discussion on Twitter the other day and yes, there are some reasons to do the attribution for companies that understand the threat space that is their domain. On average though it is pointless because companies do not have that basic comprehension on the part of their execs and their boards. So trying to give them a nuanced analysis of who the adversary is, is just fucking pointless. Learn from how they hacked you and care less about who they are. Perhaps understand who they are, but really grokking what they wanted to steal is more important.
Meanwhile all the companies out there are yelling about attribution and how they can even do it “live” as I recently heard uttered on a sales call.
Fuck you… Fuck. You.
With the alleged death of Juny “AbuHussain Al Britani” Hussain at the local Gas-N-Sip in Raqqa has come the steady stream of self-serving headlines and leading questions from the media and the hacking community. I am here to stop you right now and tell you to cut the shit out and read more about what is going on with Da’esh and just who Juny was. The fact of the matter is that Juny was a recruiter as well as an instigator who was directly tied to the Garland shootings because he was on Twitter exhorting those fucktards into action.
Juny as a hacker is a separate story and one that at some times shows he had some talents, but overall once he left for Syria he was fuck all as a hacker or as part of the alleged “cyber caliphate”. In fact if you really look at the alleged hacks by the Caliphate there is not much to look at really. The DOD/Pentagon emails and the open sourced intelligence that was often wrong on military members was all low level fuckery and not a clear and present danger to the West. No, it was not the hacking that made him a HVT on the US and British lists, it was that he was someone these shitheads look up to and was an avowed Da’eshbag who was ‘in country’ and fighting with Da’esh.
That is why they killed him with a Hellfire fired from a drone. It was not because he was a hacker and for fuck’s sake stop it with the “Ermegerd hackers are now targets of drones!” self important bullshit.
So please stop it with all the bullshit that he was a HVT that we really really wanted because he hacked. The reality is he was a HVT but he was also a target of opportunity as well. Another thing to note is that the stories also all cite “anonymous intelligence sources” and the like. That is a euphemism for the government wanting to claim a win and have it all look good. I am still going by the axiom of ‘DNA or it didn’t happen’. So far Umm Britani has said he is not dead and there has not been a host of shahidi bullshit videos and poems on the boards or anywhere else online. Perhaps we all are waiting to see some proof here but for fuck’s sake hackers, hacker media, and news media in general.
Cut it the fuck out. He was an unlawful combatant in country, in the alleged Caliphate and a mouthpiece for Da’esh. It’s as simple as that.
Now that I have that out of the way let me take this article and turn some things on their head a bit. I would ask, if I were writing an article on this subject, just how talented on average are these CISOs that are being made scapegoats and not allowed at the C-Level table? Are these CISOs capable of making those security decisions to start? How technical are these CISOs on average and have they worked the bulk of their career in information security?
See this is what burns me much of the time. We have CISOs who are titular C-Level execs that more often than not NEVER carried out a pentest and have little to no real experience carrying out a security program to start with. This is a problem and one that everyone seems to not quite grok in the corporate world, but if you are in INFOSEC and you are capable, usually you are not considered to be C-Level material at the average corp. This is just my experience from being in the business so long but hey, this article seems to be backing this up a bit as well.
On top of all this it seems that the people asked in this survey of sorts showed that the CISO, like most everything else in INFOSEC, is considered the red-headed stepchild that is better neither seen nor heard. That is until they have had a breach and then they can blame the CISO that they have not empowered and perhaps never trusted because they weren’t competent to start with.
But hey.. That’s just me right?
The role of the CISO is evolving more now because the breaches today are at a high and the compromises with data dumps have been making the news cycle burn brightly. That’s the extent of it really, these companies aren’t looking at the news, turning to their boards or other C-Levels and saying
“SHIT! WE REALLY NEED SOME TALENT AND EMPOWERMENT TO THE CISO NOW NOW NOW!”
Mmmmmyeah, not happening that I have seen. Evolution, kids, is a long-ass process and in nature it takes millions of years. I am afraid though that in INFOSEC we don’t have that much time. So here are my bullet point thoughts to leave you with;
- We’re fucked
- If your CISO has no experience and shows that in meetings with other execs… You’re fucked
- If your CISO has no empowerment… You’re fucked
- If your CISO has no empowerment and no real experience he will be gone soon and… You’re fucked anyway
- Corporations are like living entities made of large amounts of cells (people) that are in essence psychopaths. They are self involved, manipulative, and only want what they want and will do anything to get it.
I watched in ever increasing fits of rage as the hearings proceeded. First it was the five hearings on the OPM data loss and failures therein, then it was the two hearings on “going dark” featuring James Comey. By the end I was a seething mass of hate gnashing my teeth and using the last nearly shredded synapse I had left to parse the fuckery I had seen.
What was all this? How did we get here? How the holy hell did our government completely abdicate its responsibilities around secret information that was used to grant people secret and top secret clearances? I sat mouth agape in rage as I watched Archuleta mumble and stumble her way toward insufficient if not blatantly obfuscated answers to the senators on what and how things had happened. It was clear by the midpoint that we had been fucked collectively by the US government who consistently says “trust us” then turns us over and fucks us in the ass.
Now we hear that there actually were approximately 22 million people whose personal data was stolen by god knows who, though really can we trust that figure? I mean how many times did Archuleta say she did not know how many to the senators? How many though is a relative thing when you are not logging, which now we also know per the CIRT team that testified in one of the hearings. When you aren’t logging it is like every day is a day in Vegas baby.
Meanwhile everyone is atwitter about the “who” that did it and the OPM and their minions are crying APT and CHINA! Well, what evidence has been presented that it was in fact China?
Oh, yeah, “trust us”
So, an org that wasn’t properly logging, wasn’t following recommendations from the IG, and had a terrible security record that included not hiring people who knew what they were doing but double and triple tasked current employees to be security is going to tell me definitively that China did it. Sure, I will just believe the fuck out of that. The reality though is that I can believe it was China since I have not seen any data for sale in the darknets and this is their modus operandi but that is cold comfort here. It could have been Russia, it could have been DPRK for all we really know and this can be said because once again, they weren’t logging and they weren’t practicing security due diligence so the bar to entry there was low.
For fuck’s sake, with what we know now it could have been little Billy in his bedroom with the sticky tube socks who hacked OPM right?
By the end of the hearings I had a massive headache and needed a bottle of whiskey to kill the memories and the pain. Do not get me wrong here people, this is no news to me. You see I once did some work in the gov space and in fact worked in the DOI where that server was housed by OPM (yeah, not even in their own space) and I know how that government sausage was made. I especially loved how I was lied to by employees, to my face, only to show them the actual scans and pentests that proved they were lying. Obviously nothing has changed since I was there many years ago.
The moral of this story though is not only about the lack of due diligence; I wanted to focus on the cryptofuckery that was on every senator’s lips.
“Why weren’t those files encrypted Mrs. Archuleta?”
Every time this question was asked I just wanted to yell at the tiny screen.
“NO YOU FUCKERS THE CRYPTO WOULD NOT MATTER! YOU DON’T FUCKING GET IT!”
I shook my impotent fist in the air and grumbled over and over but, as you would expect, to no one, since no one listens anyway. The fact of the matter though is that many in the world misapprehend what crypto is and does. A database that is encrypted and is live is, for practical purposes, not encrypted. The data is encrypted at rest, not while users have active access to it!! So it is useless to hang your hat on the crypto argument in the debate over the OPM failure but the Senate and the genpop just don’t get that.
Here it is for you all in plain lingo;
If the system is live and the user who has access to it is pwn3d then FUCK ALL matters crypto ok? Own the endpoint and you own the whole thing. I sense a Game of Thrones quote here somewhere but I just can’t put it together.
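As an added illustration, not part of the original post, here is a toy model of the point above: rows are ciphertext on disk, but the application tier decrypts for any authenticated session, so a hijacked session sees plaintext, and the only thing that makes the bulk read visible afterwards is an access log, which ties back to the “not logging” point earlier. The cipher stand-in, record layout, session names and the threshold are all constructed assumptions.

```python
"""Added example (not from the original post): a toy model of a database
that is encrypted at rest but served live through an application tier,
showing that a hijacked user session gets plaintext regardless of the
crypto, and that only an access log makes the bulk read visible.
The cipher stand-in, record layout, session names and the threshold are
constructed for the illustration; nothing here is real OPM data."""
import hashlib
import json
from collections import defaultdict


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for a real cipher (SHA-256 counter keystream XOR). NOT secure;
    it only models 'ciphertext on disk, plaintext once the key is applied'."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class LiveEncryptedStore:
    """Rows are ciphertext at rest. The application holds the key and decrypts
    for ANY authenticated session, which is what 'live' means in practice."""

    def __init__(self, key: bytes, logging_enabled: bool = True):
        self._key = key
        self._rows = {}                      # record_id -> ciphertext
        self.logging_enabled = logging_enabled
        self.access_log = []                 # (session, record_id) pairs

    def put(self, record_id: str, record: dict) -> None:
        self._rows[record_id] = keystream_xor(
            self._key, record_id.encode(), json.dumps(record).encode())

    def ciphertext(self, record_id: str) -> bytes:
        """What someone who only steals the disk image or a backup sees."""
        return self._rows[record_id]

    def get(self, session: str, record_id: str) -> dict:
        """What someone who owns an authenticated session sees: plaintext."""
        if self.logging_enabled:
            self.access_log.append((session, record_id))
        return json.loads(keystream_xor(self._key, record_id.encode(), self._rows[record_id]))


def bulk_readers(access_log, threshold: int) -> dict:
    """Sessions that read more than `threshold` distinct records.
    With an empty log (nobody was logging) it can only ever return {}."""
    seen = defaultdict(set)
    for session, record_id in access_log:
        seen[session].add(record_id)
    return {s: len(ids) for s, ids in seen.items() if len(ids) > threshold}


def demo(logging_enabled: bool = True):
    store = LiveEncryptedStore(b"constructed-demo-key", logging_enabled)
    for i in range(50):                       # constructed records, not real data
        store.put(f"rec-{i:03d}", {"id": i, "ssn": f"000-00-{i:04d}"})

    # A disk-only thief sees ciphertext; the crypto at rest does its job here.
    at_rest_opaque = b"000-00-" not in store.ciphertext("rec-000")

    # Legitimate use: one lookup. Then the same session token, now stolen,
    # is used to pull every row; the crypto cannot tell the two apart.
    store.get("alice-session", "rec-007")
    pulled = [store.get("alice-session", f"rec-{i:03d}") for i in range(50)]
    plaintext_exposed = pulled[7]["ssn"] == "000-00-0007"

    # Only the access log can surface the bulk pull after the fact.
    flagged = bulk_readers(store.access_log, threshold=10)
    return at_rest_opaque, plaintext_exposed, flagged
```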
Comey The Backdoor King:
Then the hearings for “Going Dark” came and the derp parade was in full derp regalia. James “back door” Comey came to the Senate to beg the question:
“What’s so bad about backdoors on crypto? I mean, trust us, we are the government!”
I sat agog once again as this guy took every opportunity to say “Well, I am not an expert but I see no problem with doing this” repeatedly to the senators. Senators, mind you, that did not really take him to task. Instead they listened and nodded and agreed that ISIS is scary and that terrorism was as well. The odd thing though was that if you listened closely enough, Comey was not predicating all of this on Islamic terror but instead on “regular crime”. He chose to use the old pedophile routine and the obvious child kidnapping scenario to make his case.
It was Jack Bauer all over again except this time Jack was tearing the fingernails off of someone to get their crypto keys because the gubment did not have an easy access backdoor to just decrypt the everything. This is the same argument that we almost saw behind the scenes post 9/11 that got us to where we are today with global pervasive surveillance in the post Snowden era. The only difference this go around is that Comey is asking and the Senate and us are watching. This time we at least get to watch and say “WHAT THE FUCK?”
Well, the hearing went on and on while Comey said the same thing again and again: “We need this and I don’t think it’s a bad thing, I mean, there has to be a way right?” This was contrary to what the experts did say, that a back door, front door, side door, whatever, degrades the efficacy of the crypto and it should not be done at all. Never mind the whole issue of thinking that we live in an Orwellian dystopia now with pervasive surveillance; add to that that the government would have access, warrant or not, to a universal back door to cryptographic systems. This would be the shit sammich on top of the shit sundae we have today, not to put too fine a point on it.
No Comey. Just. No.
Alas though we will see what the Senate has to say and the rest of our “august” body we call our government. Kids, we are well and truly more fucked than we were before and I am afraid it is only going to get worse. Back door access to crypto will not help, people will come up with ways to use crypto that is not back door accessible and I am fucking sure that the terrorists and other bad actors will carry on as they have. No Comey, it’s time you did your fucking jobs and got more people into the HUMINT space, not just back door all the things.
If I were you all… I would start coding new crypto programs or start printing one time pads.
Nuclear Bomb of the Mujahideen:
AS IF the jihadis were listening to some people in the media, they responded to a dearth of their particular brand of crazy in the darknets by adding a new site Monday. The Nuclear Bomb of the Mujahideen is a single page on the onions with six download links for documents on how nuclear weapons work, how to make one, and how to calculate the effectiveness of materials and fallout. Yes indeed, the darknet is now indeed scary because the AQ centric author of this single page has uploaded old data from 2006 that was circulating the clearnet on the jihadi boards back then.
So below I have some screen shots of the documents including the Excel files that they left for calcs to be made by some hapless jihobbyist who might try to make this happen. Frankly since there is nothing new here this is kind of a non story story BUT I wanted to get this on the blog before the MASS MEDIA SCARE engine sparked up and suddenly FOX is talking about the end of the world because DARKNET! This is not the end kids and in fact I think it much more likely that a dirty bomb would be used before some nuke was created by some group of jihadis or Da’eshbags.
Here are the details of the site:
- Created Monday 6/22/15
- Single page
- 6 downloads
- Email address of the creator is: firstname.lastname@example.org
- Old data
- Excel and PDFs uploaded are malware free (at this time)
- Excel files do have macros though so there is that.. VT came up clean but MALWR.com failed me today (500 error)
- Data is taken from government and science files on clearnet
- Files created on a system with Latin as the base language, not Arabic
- Yes.. the feds now know about the site.
So take a gander at the images below then meet me at the metadata section!
Implosion calculator for the package (Nuclear material fission)
What is more interesting from a DFIR kind of perspective is all the metadata that was left by the guy who put this site up and loaded those files. It could be all old data and I will have to go through my files to locate these PDFs from 2006 to compare, but let’s take a look shall we?
Dude’s a Winderz user
You can see where the 2006 files came from there…
Using MS office and PDF machine!
MOAR PDF details
So what do we have here? Well, the creator is not creating anything new. In fact the documents all come from the 2006 range (PDFs) or 2014 in the case of the Excel files. So someone just downloaded these and then uploaded them to this site on Monday. Now, what I will say though is that they have enough comprehension of nuclear tech to include the Excel files on the radiation fallout and calcs for implosion but really, not much more than that. For all intents and purposes this could be a troll from someone who just Googled a bit and came up with a zip file to add to this site.
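As an added example (not from the original post, and not the code of FOCA or any other tool), here is a small dependency-free parser for the PDF Info dictionary that this kind of DFIR triage leans on, pulling Producer, Creator, CreationDate and ModDate out of a constructed sample PDF. The application names and dates in the sample are made up for the illustration, not values taken from the site’s files.

```python
"""Added example: extract the Info dictionary (Producer, Creator, dates)
from a PDF so the 'when and with what was this made' question can be
answered from the file itself. The sample PDF and its values are
constructed for this illustration; real PDFs may also carry XMP
metadata, which this parser does not read."""
import re
from datetime import datetime, timedelta, timezone

# Constructed minimal PDF: no pages, but a valid trailer pointing at an Info object.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Producer (PDF Machine v1.0) /Creator (Microsoft Office Word)\n"
    b"   /Author (constructed-sample) /Title (\xfe\xff\x00F\x00i\x00s\x00s\x00i\x00o\x00n)\n"
    b"   /CreationDate (D:20060315101500-05'00') /ModDate (D:20150622180000Z) >>\nendobj\n"
    b"trailer\n<< /Info 3 0 R >>\n%%EOF\n"
)

_DATE_RE = re.compile(
    r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"   # YYYYMMDDHHmmSS
    r"(?:([Zz+-])(\d{2})?'?(\d{2})?'?)?"                   # Z or +HH'mm'
)
# /Key (string) entries; tolerates escaped parens and backslashes inside the string.
_STRING_ENTRY = re.compile(rb"/([A-Za-z0-9]+)\s*\(((?:\\.|[^\\)])*)\)", re.S)


def parse_pdf_date(raw: str):
    """PDF date string (D:YYYYMMDDHHmmSSOHH'mm') -> timezone-aware datetime, or None."""
    m = _DATE_RE.match(raw.strip())
    if not m:
        return None
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    tz = timezone.utc
    if sign in ("+", "-"):
        off = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        tz = timezone(off if sign == "+" else -off)
    return datetime(int(y), int(mo or 1), int(d or 1),
                    int(h or 0), int(mi or 0), int(s or 0), tzinfo=tz)


def _decode_pdf_string(raw: bytes) -> str:
    raw = re.sub(rb"\\([()\\])", rb"\1", raw)       # undo \( \) \\ escapes
    if raw.startswith(b"\xfe\xff"):                  # UTF-16BE with BOM
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")                     # close enough to PDFDocEncoding


def _find_object(data: bytes, num: int) -> bytes:
    m = re.search(rb"(?<![0-9])%d\s+0\s+obj\b(.*?)endobj" % num, data, re.S)
    return m.group(1) if m else b""


def pdf_info(data: bytes) -> dict:
    """Info dictionary of the LAST /Info reference (incremental updates append trailers)."""
    refs = re.findall(rb"/Info\s+(\d+)\s+0\s+R", data)
    if not refs:
        return {}
    body = _find_object(data, int(refs[-1]))
    info = {}
    for key, val in _STRING_ENTRY.findall(body):
        name = key.decode("ascii")
        text = _decode_pdf_string(val)
        if name in ("CreationDate", "ModDate"):
            info[name] = parse_pdf_date(text) or text   # keep raw text if unparseable
        else:
            info[name] = text
    return info


if __name__ == "__main__":
    for k, v in pdf_info(SAMPLE_PDF).items():
        print(f"{k:>12}: {v}")
```

Run against a real file by reading it in binary and passing the bytes to `pdf_info`; a creation date years older than the upload date is exactly the “old data, just re-uploaded” signal discussed above.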
On the other hand, could this be a phish of sorts? Why the email address? Feds? Or is this a real believer who wants to have the tech in the darknet and wants to have a discussion via mail2tor? I have to wonder about this and I may in fact email them to see what I get back. Since the files seem to be malware free (at this moment) I am going to say this is 50/50 a troll or a true believer. Though, the coincidence that a report on how there is a lack of terrorism (jihadi) in the darknet and suddenly this site appears, well, trollhard my friends.
Ok back to the media.. DON’T FREAK OUT!!! This is nothing. You have more to fear from your IP enabled toaster exploding like on CSI Cyber than you do of some numbnut finding fissile material on a darknet market and using these guides to make a bomb. Believe me.
OPM is the exemplar of how our government deals with information security, or should I say doesn’t deal with it. Some will say that there are many mitigating circumstances like old systems that cannot be updated that caused much of the failures that led to the OPM being compromised for over a year. However, the subsequent pivoting by the adversaries into many other networks we have not begun to even discuss as a nation yet because we are now media and governmentally fixated on the fact that the adversary had access to SF86 forms. Forms, mind you, that should be one of the better protected things out of all the possible things the government holds in its systems. So far the discourse in the media has been more sensationally oriented on the magic secret code names that the likes of Crowdstrike and Mandiant have come up with respectively for actors. Actors that they claim with varying vociferousness are in fact China, whether it be the PLA (People’s Liberation Army) or the MSS (Ministry of State Security), though neither is accepting the pure hubris of all their press releases and anonymous or semi anonymous back-channel chats with the media in hopes of more attention.
Whether or not these attacks were from China and their varying and vying espionage organs is rather irrelevant now and everyone needs to understand this. The cat is proverbially out of the bag here and by the cat slipping the bag, we now notice that the emperor who was holding that burlap sack of cat is in fact naked. Or at least that should be the story here but as you can see from the stories filed above by the New York Times alone, the real attention seems to be on the fact that China is in fact hacking us. Well, I am sorry but I have news for you all, they have been hacking us for a long time now and doing very well at it. The primary reason for their being so able to steal us blind though is not as the media and the government and the Mandiants and Crowdstrikes of the world would like you to think. The APT (Advanced Persistent Threat) it seems, does not have to be advanced. They just need to be persistent and might I add patient.
So when you read the headlines and the stories like those in the Times about the advanced malware called “Sakula” and how the tricksy Chinese have gotten administrator on OPM systems, I cannot blame the uninitiated for thinking that this is hard and that the Chinese actors are the equivalent of super villains hacking from beneath islands with skull faced volcanoes on them. After all, the media is teaching the people not in the know by these ledes that computer security is unfathomable and hard. You know, like the comment by Archuleta in the Congressional hearing that “Security takes decades”. No ma’am it doesn’t and as the congressman who yelled at you that day said, we don’t have decades. In fact, I would say that this game of Go is almost done and we aren’t winning. We have lost and the reasons we have lost are manifold but I would say that the root of it all is that we, America, have abdicated the notion of securing the things that we should have long ago. The excuses are many; because it would be costly, or hard, or perhaps more so due to government stagnation, self interest, and indolence.
I know that the majority of the readers of my blog are in the security community but I wanted this post to reach across the void to the everyman on this matter. I exhort you to read the stories in the news and to take a step back. Consider the following statements and really understand where we are today.
- The OIG not only has been reporting on the OPM’s security issues but on all of the government’s. Go read the reports online for other orgs. You just have to Google for them and you will see over the years the same issues surfacing.
- OPM was told many times and with every report only minor changes were made. Money was not spent, people were not brought in, and all over networks that hold sensitive data.
- OPM was not practising security at a level commensurate with policies and procedures that were standard 20 years ago.
- OPM is part of a larger network of systems intergovernmentally. DOI (Dept of Interior) is one that I have had personal experience with. Insecurities abound.
- Since the hearings the President has made comment that he believes in Archuleta and she is keeping her job, though she has failed to make changes per OIG that have been pending for years.
- The argument that an adversary is advanced falls apart when the target is not following even the base security protocols that stop a user from using “password” as a password; lord knows what else they weren’t doing.
Brass tacks, we deserved to be hacked.
Sad but true.
So gentle reader, consider what I have told you here. The government is not protecting OUR data commensurate with the security requirements we would demand of a company that holds it like say Target. It’s time to hold the government to the standards that they would like to enforce on companies. Let’s not listen to the marketing leaks by Mandiant and Crowdstrike about the actors and who they may be. What matters is that the data was taken and the reason it was taken was because of poor security and bad management on the part of the federal government. You know, those guys rattling the cyber war sabre lately.
Physician heal thyself.
OPM: Voted Most Likely To Be Hacked
Have any of you ever read an OIG report out there in cyber land? Well you should if you are interested in the security of your data and that data is held by any government entity. In the case of the OPM (Office of Personnel Management) it seems that numerous times the OPM was told by the OIG (Office of the Inspector General) that their security measures (FISMA) were lacking, to be nice about it. Others might use harsher words and frankly, after reading sections of the 2012 report on their security I want to have a full out Tourette’s attack. Suffice to say that the OPM was not doing what they should have been. Have a read through of this document from 2012 and look at the big FOUO statement at the bottom of the pages from the FISMA assessment. This was easily downloaded from the OPM’s site through Google.. If this was meant to still be FOUO, well, there’s another fail for you.
Screen-shots courtesy of @SynAckPwn
You could also just take a gander at the recent hearing in the Senate on this debacle at C-SPAN where the IG basically drubs the OPM for not following recommendations made on security for quite some time. You also get to see the management of the OPM flounder as they try to look like they are at all intelligent about security; it’s actually painful to watch. Clearly though, watching these turkeys flap on how security is hard and takes ‘decades’ (Archuleta) gives you a sense of how new the idea of security measures that are common today are to them. This hack was just a matter of time and I had to laugh when they also said that they had detected the attack and that the New York Times and others were wrong about it actually being a vendor on site doing a presentation that sparked this IR for OPM. Oh well, the IG was right and now an indeterminate amount of personnel have their data somewhere ostensibly in China in the hands of what we are being told is the PLA.
So today I decided to take a looksee at OPM online and this is where I got that Google dorked file I linked to from the IG. Anyway, their systems give up quite a bit of info when you query them with FOCA:
Now if you really want to make a concerted effort you could use all that intel to Google dork more and likely come up with plenty of data to target them further but it’s my guess that the adversary already did this. Or, they just sent them a phish campaign based on some of the data they got from Anthem and got their toehold.. No.. Wait.. Sorry, I forgot that OPM had been compromised over a year!! Oh well there goes that little theory.. Nope nope.. It’s just because they suck at security. There was much more out of FOCA but ya know, I don’t want to add too much more fuel to the conflagration now do I?
*wink wink nudge nudge SAY NO MORE!*
NO REALLY, CHINA
I know what you are thinking, you are saying to yourself; “They always blame China!” and yeah, we kinda do but that is not wholly unwarranted really. China has its hack on and there are many reasons why they do. Most of it has to do with their perceptions of war that have been guided by Sun Tzu since he wrote his treatise on warfare. Others out in the security community might scoff at the overuse of Sun Tzu (I know Brian) but when you are talking about the adversary actually being China, well you kinda have to take this into account. I mean, they aren’t as much for Von Clausewitz as they are for Sun Tzu in their doctrinal leanings. I have written about this before so I will not overburden you here with it all. I do want you to understand the reasons for these things though, and to that end I want to refer you to the video at the top of the page. Please go watch that now and then come back here… I’ll wait.
Ok after watching that video let’s talk about why OPM and what use the data is to the Chinese. It is more complex than just using possible SF86 form responses for targeting people to become spies. It does seem at this point that the SF86’s also were taken but let’s just go with the notion for now that they only got the databases of employee records such as names, addresses, social security numbers, and the like. What would the PLA want with this? Well, for that let’s step back and look at the Anthem hack for instance. Anthem held a lot of records for those federal employees as well and if I were a Chinese spook org looking to target people for more exploitation this would be a good dump to have right? For that matter any spy worth their salt would want that data to help them target names, addresses, emails, etc to use in further phishing attacks right? Think about it this way, in INFOSEC and pentesting what is the first thing you do? You do a footprint and you gather OSINT. Well in this case they got more than OSINT, they just took the whole catalog internally by hacking specific targets that were data rich.
Of course not only China would like this stuff but from what we are being told (as well as data being passed to others in the world of secret ioc and ttp squirrels) this was China. I am of a couple of camps here on the China thing. I have seen the Chinese actors and I have seen them used as a scare tactic by political movers. Whether or not it was in fact China really matters to the larger geopolitical sphere of things and that this was a hack of a government system with data that is rather important, I have to say that understanding who did it as well as we can is kind of important. Other hacks, meh, I don’t care. You have to either decide that China has done everything or they have been a convenient excuse for hacks that have happened. I am in the middle and will reside there until I have some data to prove things either way.
That the data has not turned up for sale so far is kind of a clue though that this is not going to be your average Ukrainian hacker team looking to abuse credit. Just as the data in the Anthem hack has not turned up either, which shows you that this data is being used for other, more geopolitical purposes. Who is stealing the data really and who has it in their hot little server somewhere is the question that has yet to be answered though. Sadly, until such time as some LE or spook agency lets loose that they found it in the hands of some foreign national we will never know the truth of it. Gee, maybe we can just get a PLA hacker to defect huh?
What you can expect more of though is that we will be seeing a rise in hacks on the military, the defense base, the government and anyone and everyone in private companies that got a clearance for their outsourced government work. This is what the data will be used for and the fruit of this won’t be seen for some time I suspect. This is today’s espionage made easy because people and organizations fail to understand or care about the security measures that they should be implementing. This is a constant cry among the INFOSEC community but hey we never seem to really learn and I would blame that more on our physiological makeup than anything else really. We just aren’t wired for this stuff as a whole. So when we get together as societies or organizations we spectacularly fail because as they say; “None of us is as bad as all of us”
Right, so back to the China thing. If you take the time to understand their doctrine for information war (战争) you get a good idea of how this kind of espionage is exactly what they would be doing to further their goals. Goals mind you, that may not be all about kinetic warfare but instead winning the battle without firing a shot. I would suggest if you have the time and the inclination read the book I linked by Hagestadt and then get your hands on everything you can about this subject. You see, we won’t be seeing this go away any time soon and as Sun Tzu said “If you know the enemy and know yourself, you need not fear the result of a hundred battles”
Don’t just read the words.
“There is great disorder under heaven, and the situation is excellent”