Nuclear Bomb of the Mujahideen:
AS IF the jihadis were listening to some people in the media, they responded to a dearth of their particular brand of crazy in the darknets by adding a new site Monday. The Nuclear Bomb of the Mujahideen is a single page on the onions with six download links for documents on how nuclear weapons work, how to make one, and how to calculate the effectiveness of materials and fallout. Yes indeed, the darknet is now scary because the AQ-centric author of this single page has uploaded old data from 2006 that was circulating on the clearnet jihadi boards back then.
So below I have some screenshots of the documents, including the Excel files that they left for calcs to be made by some hapless jihobbyist who might try to make this happen. Frankly, since there is nothing new here this is kind of a non-story, BUT I wanted to get this on the blog before the MASS MEDIA SCARE engine sparked up and suddenly FOX is talking about the end of the world because DARKNET! This is not the end, kids, and in fact I think it much more likely that a dirty bomb would be used before some nuke was created by some group of jihadis or Da’eshbags.
Here are the details of the site:
- Created Monday 6/22/15
- Single page
- 6 downloads
- Email address of the creator is: firstname.lastname@example.org
- Old data
- Excel and PDFs uploaded are malware free (at this time)
- Excel files do have macros though, so there is that.. VT came up clean but MALWR.com failed me today (500 error)
- Data is taken from government and science files on the clearnet
- Files created on a system with a Latin-script base language, not Arabic
- Yes.. the feds now know about the site.
So take a gander at the images below then meet me at the metadata section!
Implosion calculator for the package (Nuclear material fission)
What is more interesting from a DFIR kind of perspective is all the metadata that was left by the guy who put this site up and loaded those files. It could all be old data and I will have to go through my files to locate these PDFs from 2006 to compare, but let’s take a look, shall we?
Dude’s a Winderz user
You can see where the 2006 files came from there…
Using MS office and PDF machine!
MOAR PDF details
So what do we have here? Well, the creator is not creating anything new. In fact the documents all come from the 2006 range (PDFs) or 2014 in the case of the Excel files. So someone just downloaded these and then uploaded them to this site on Monday. Now, what I will say though is that they have enough comprehension of nuclear tech to include the Excel files on the radiation fallout and calcs for implosion, but really, not much more than that. For all intents and purposes this could be a troll from someone who just Googled a bit and came up with a zip file to add to this site.
On the other hand, could this be a phish of sorts? Why the email address? Feds? Or is this a real believer who wants to have the tech in the darknet and wants to have a discussion via Mail2Tor? I have to wonder about this and I may in fact email them to see what I get back. Since the files seem to be malware free (at this moment) I am going to say this is 50/50 a troll or a true believer. Though, the coincidence that a report comes out on how there is a lack of (jihadi) terrorism in the darknet and suddenly this site appears, well, trollhard my friends.
Ok, back to the media.. DON’T FREAK OUT!!! This is nothing. You have more to fear from your IP-enabled toaster exploding like on CSI Cyber than you do of some numbnut finding fissile material on a darknet market and using these guides to make a bomb. Believe me.
OPM is the exemplar of how our government deals with information security, or should I say doesn’t deal with it. Some will say that there are many mitigating circumstances, like old systems that cannot be updated, that caused much of the failures that led to OPM being compromised for over a year. However, the subsequent pivoting by the adversaries into many other networks we have not even begun to discuss as a nation yet, because we are now media- and governmentally fixated on the fact that the adversary had access to SF86 forms. Forms, mind you, that should be one of the better protected things out of all the possible things the government holds in its systems. So far the discourse in the media has been more sensationally oriented on the magic secret code names that the likes of CrowdStrike and Mandiant have respectively come up with for actors. Actors that they claim, with varying vociferousness, are in fact China, whether it be the PLA (People’s Liberation Army) or the MSS (Ministry of State Security), though neither is accepting the pure hubris of all their press releases and anonymous or semi-anonymous back-channel chats with the media in hopes of more attention.
Whether or not these attacks were from China and their varying and vying espionage organs is rather irrelevant now, and everyone needs to understand this. The cat is proverbially out of the bag here and, by the cat slipping the bag, we now notice that the emperor who was holding that burlap sack of cat is in fact naked. Or at least that should be the story here, but as you can see from the stories filed above by the New York Times alone, the real attention seems to be on the fact that China is in fact hacking us. Well, I am sorry, but I have news for you all: they have been hacking us for a long time now and doing very well at it. The primary reason for their being so able to steal us blind, though, is not what the media and the government and the Mandiants or CrowdStrikes of the world would like you to think. The APT (Advanced Persistent Threat), it seems, does not have to be advanced. They just need to be persistent and, might I add, patient.
So when you read the headlines and the stories like those in the Times about the advanced malware called “Sakula” and how the tricksy Chinese have gotten administrator on OPM systems, I cannot blame the uninitiated for thinking that this is hard and that the Chinese actors are the equivalent of supervillains hacking from beneath islands with skull-faced volcanoes on them. After all, the media is teaching the people not in the know, by these ledes, that computer security is unfathomable and hard. You know, like the comment by Archuleta in the Congressional hearing that “Security takes decades.” No ma’am, it doesn’t, and as the congressman who yelled at you that day said, we don’t have decades. In fact, I would say that this game of Go is almost done and we aren’t winning. We have lost, and the reasons we have lost are manifold, but I would say that the root of it all is that we, America, have abdicated the notion of securing the things that we should have long ago. The excuses are many: because it would be costly, or hard, or perhaps more so due to government stagnation, self-interest, and indolence.
I know that the majority of the readers of my blog are in the security community but I wanted this post to reach across the void to the everyman on this matter. I exhort you to read the stories in the news and to take a step back. Consider the following statements and really understand where we are today.
- The OIG has been reporting not only on OPM’s security issues but on those across the whole government. Go read the reports online for other orgs. You just have to Google for them and you will see, over the years, the same issues surfacing.
- OPM was told many times, and with every report only minor changes were made. Money was not spent, people were not brought in, and all of this on networks that hold sensitive data.
- OPM was not practising security at a level commensurate with policies and procedures that were standard 20 years ago.
- OPM is part of a larger intergovernmental network of systems. DOI (Dept of Interior) is one that I have had personal experience with. Insecurities abound.
- Since the hearings the President has commented that he believes in Archuleta and she is keeping her job, though she has failed to make changes per the OIG that have been pending for years.
- The argument that an adversary is advanced falls apart when the target is not following even the base security protocols that stop a user from using “password” as a password; lord knows what else they weren’t doing.
Brass tacks, we deserved to be hacked.
Sad but true.
So gentle reader, consider what I have told you here. The government is not protecting OUR data commensurate with the security requirements we would demand of a company that holds it, like, say, Target. It’s time to hold the government to the standards that they would like to enforce on companies. Let’s not listen to the marketing leaks by Mandiant and CrowdStrike about the actors and who they may be. What matters is that the data was taken, and the reason it was taken was poor security and bad management on the part of the federal government. You know, those guys rattling the cyber war sabre lately.
Physician heal thyself.
OPM: Voted Most Likely To Be Hacked
Have any of you ever read an OIG report out there in cyber land? Well, you should if you are interested in the security of your data and that data is held by any government entity. In the case of the OPM (Office of Personnel Management) it seems that numerous times the OPM was told by the OIG (Office of the Inspector General) that their security measures (FISMA) were lacking, to be nice about it. Others might use harsher words and frankly, after reading sections of the 2012 report on their security, I want to have a full-out Tourette’s attack. Suffice to say that the OPM was not doing what they should have been. Have a read through this document from 2012 and look at the big FOUO statement at the bottom of the pages from the FISMA assessment. This was easily downloaded from the OPM’s site through Google. If this was meant to still be FOUO, well, there’s another fail for you.
Screen-shots courtesy of @SynAckPwn
You could also just take a gander at the recent hearing in the Senate on this debacle on C-SPAN, where the IG basically drubs the OPM for not following recommendations made on security for quite some time. You also get to see the management of the OPM flounder as they try to look like they are at all intelligent about security; it’s actually painful to watch. Clearly though, watching these turkeys flap on about how security is hard and takes ‘decades’ (Archuleta) gives you a sense of how new the idea of security measures that are common today is to them. This hack was just a matter of time, and I had to laugh when they also said that they had detected the attack and that the New York Times and others were wrong about it actually being a vendor on site doing a presentation that sparked this IR for OPM. Oh well, the IG was right, and now an indeterminate number of personnel have their data somewhere, ostensibly in China, in the hands of what we are being told is the PLA.
So today I decided to take a looksee at OPM online and this is where I got that Google-dorked file I linked to from the IG. Anyway, their systems give up quite a bit of info when you query them with FOCA:
Now if you really want to make a concerted effort you could use all that intel to Google dork more and likely come up with plenty of data to target them further, but it’s my guess that the adversary already did this. Or, they just sent them a phish campaign based on some of the data they got from Anthem and got their toehold.. No.. Wait.. Sorry, I forgot that OPM had been compromised for over a year!! Oh well, there goes that little theory.. Nope nope.. It’s just because they suck at security. There was much more out of FOCA but ya know, I don’t want to add too much more fuel to the conflagration now do I?
*wink wink nudge nudge SAY NO MORE!*
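What that metadata pull looks like in practice, for both the nuke-site files above (the Excel macro check, the Office authoring fields, the PDF producer and creation date) and the FOCA-style harvest from OPM’s published documents: the following is an added example of my own, not code from the original post, from FOCA, or from any of the sites named. Both input files are constructed in memory, and every name, date, and version string in them is invented.

```python
# Added example (not from the original post): pull authorship metadata out of
# an Office Open XML workbook and a PDF and flag embedded VBA macros, the same
# fields FOCA or a hex editor would show. Sample inputs are constructed below.
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = (("creator", "dc:creator"), ("last_modified_by", "cp:lastModifiedBy"),
               ("language", "dc:language"), ("created", "dcterms:created"),
               ("modified", "dcterms:modified"))
APP_FIELDS = (("application", "ep:Application"), ("app_version", "ep:AppVersion"),
              ("company", "ep:Company"))


def office_metadata(blob: bytes) -> dict:
    """Read docProps/core.xml and docProps/app.xml from an OOXML container."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = set(z.namelist())
        # A vbaProject.bin part means the file carries macros, whatever the
        # extension says; .xlsx versus .xlsm is just a name the uploader chose.
        out["has_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for part, fields in (("docProps/core.xml", CORE_FIELDS),
                             ("docProps/app.xml", APP_FIELDS)):
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for key, path in fields:
                el = root.find(path, NS)
                if el is not None and el.text:
                    out[key] = el.text.strip()
    return out


def parse_pdf_date(s: str) -> str:
    """PDF dates look like D:20060314091500+01'00'; return the local-time ISO part."""
    m = re.match(r"D:(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?", s)
    if not m:
        return s
    y, mo, d, h, mi, se = (int(g) if g else 0 for g in m.groups())
    return datetime(y, mo, d, h, mi, se).isoformat()


def pdf_metadata(blob: bytes) -> dict:
    """Scrape the classic Info dictionary. Only literal strings in parentheses
    are handled; hex strings and XMP packets are out of scope for this example."""
    out = {}
    for key in ("Producer", "Creator", "Author", "CreationDate", "ModDate"):
        m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", blob)
        if m:
            out[key.lower()] = m.group(1).decode("latin-1")
    for key in ("creationdate", "moddate"):
        if key in out:
            out[key] = parse_pdf_date(out[key])
    return out


def triage(blob: bytes) -> dict:
    """Dispatch on magic bytes, not on the file name the uploader chose."""
    if blob.startswith(b"%PDF"):
        return {"kind": "pdf", **pdf_metadata(blob)}
    if blob.startswith(b"PK\x03\x04"):
        return {"kind": "ooxml", **office_metadata(blob)}
    return {"kind": "unknown"}


def build_sample_xlsx() -> bytes:
    """Constructed stand-in for a macro-enabled workbook (all values invented)."""
    core = ('<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<dc:creator>user</dc:creator><cp:lastModifiedBy>user</cp:lastModifiedBy>'
            '<dc:language>en-US</dc:language>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2014-05-02T10:11:12Z</dcterms:created>'
            '<dcterms:modified xsi:type="dcterms:W3CDTF">2014-05-02T10:30:00Z</dcterms:modified>'
            '</cp:coreProperties>').format(**NS)
    app = ('<Properties xmlns="{ep}"><Application>Microsoft Excel</Application>'
           '<AppVersion>14.0300</AppVersion></Properties>').format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)  # OLE header stub
    return buf.getvalue()


# Constructed PDF fragment; producer, creator, and date strings are invented.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"2 0 obj\n<< /Producer (pdfMachine) /Creator (Microsoft Word) "
              b"/Author (user) /CreationDate (D:20060314091500+01'00') >>\nendobj\n"
              b"trailer\n<< /Info 2 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, blob in (("workbook", build_sample_xlsx()), ("pdf", SAMPLE_PDF)):
        print(label, triage(blob))
```

Run it and the workbook reports has_macros True along with a creator, a dc:language, and an Excel version; the PDF gives up its producer and a 2006 creation date. The caveat that goes with every one of these fields: dc:language and the AppVersion describe the Office install that last saved the file, not necessarily the person who uploaded it, and all of it is trivially editable, so treat it as a lead to pivot on, not as attribution.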
NO REALLY, CHINA
I know what you are thinking; you are saying to yourself, “They always blame China!” and yeah, we kinda do, but that is not wholly unwarranted really. China has its hack on and there are many reasons why. Most of it has to do with their perceptions of war, which have been guided by Sun Tzu since he wrote his treatise on warfare. Others out in the security community might scoff at the overuse of Sun Tzu (I know, Brian) but when you are talking about the adversary actually being China, well, you kinda have to take this into account. I mean, they aren’t as much for Von Clausewitz as they are for Sun Tzu in their doctrinal leanings. I have written about this before so I will not overburden you here with it all. I do want you to understand the reasons for these things though, and to that end I want to refer you to the video at the top of the page. Please go watch that now and then come back here… I’ll wait.
Ok, after watching that video let’s talk about why OPM and what use the data is to the Chinese. It is more complex than just using possible SF86 form responses for targeting people to become spies. It does seem at this point that the SF86s also were taken, but let’s just go with the notion for now that they only got the databases of employee records such as names, addresses, social security numbers, and the like. What would the PLA want with this? Well, for that let’s step back and look at the Anthem hack for instance. Anthem held a lot of records for those federal employees as well, and if I were a Chinese spook org looking to target people for more exploitation this would be a good dump to have, right? For that matter any spy worth their salt would want that data to help them target names, addresses, emails, etc. to use in further phishing attacks, right? Think about it this way: in INFOSEC and pentesting what is the first thing you do? You do a footprint and you gather OSINT. Well, in this case they got more than OSINT; they just took the whole catalog internally by hacking specific targets that were data rich.
Of course not only China would like this stuff, but from what we are being told (as well as data being passed to others in the world of secret IOC and TTP squirrels) this was China. I am of a couple of camps here on the China thing. I have seen the Chinese actors and I have seen them used as a scare tactic by political movers. Whether or not it was in fact China really matters to the larger geopolitical sphere of things, and given that this was a hack of a government system with data that is rather important, I have to say that understanding who did it as well as we can is kind of important. Other hacks, meh, I don’t care. You have to either decide that China has done everything or that they have been a convenient excuse for hacks that have happened. I am in the middle and will reside there until I have some data to prove things either way.
That the data has not turned up for sale so far is kind of a clue, though, that this is not going to be your average Ukrainian hacker team looking to abuse credit. Just as the data in the Anthem hack has not turned up either, this shows you that this data is being used for other, more geopolitical purposes. Who is stealing the data really and who has it on their hot little server somewhere is the question that has yet to be answered, though. Sadly, until such time as some LE or spook agency lets loose that they found it in the hands of some foreign national we will never know the truth of it. Gee, maybe we can just get a PLA hacker to defect, huh?
What you can expect more of, though, is that we will be seeing a rise in hacks on the military, the defense base, the government, and anyone and everyone in private companies that got a clearance for their outsourced government work. This is what the data will be used for and the fruit of this won’t be seen for some time, I suspect. This is today’s espionage made easy because people and organizations fail to understand or care about the security measures that they should be implementing. This is a constant cry among the INFOSEC community but hey, we never seem to really learn, and I would blame that more on our physiological makeup than anything else really. We just aren’t wired for this stuff as a whole. So when we get together as societies or organizations we spectacularly fail because, as they say, “None of us is as bad as all of us.”
Right, so back to the China thing. If you take the time to understand their doctrine for information war (战争, “warfare”) you get a good idea of how this kind of espionage is exactly what they would be doing to further their goals. Goals, mind you, that may not be all about kinetic warfare but instead winning the battle without firing a shot. I would suggest, if you have the time and the inclination, reading the book I linked by Hagestadt and then getting your hands on everything you can about this subject. You see, we won’t be seeing this go away any time soon, and as Sun Tzu said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
Don’t just read the words.
“There is great disorder under heaven, and the situation is excellent”
The Darknet, or Dark Web: just saying it seems to evoke some strange land filled with dark corners to the great media unwashed. The reality is a little simpler: a place where sites can in fact be found through clearnet addresses on pastebin or even searched within the darknet on spider engines. Recently the news has been filled with attacks by China on Tor users in their country to track them, as well as efforts to stop Tor altogether from working in their country via the “Great Firewall.” Sometimes, though, we can get a glimpse behind the veil when lurking the darknets of how some Chinese can get through the Great Firewall, as well as insight into perhaps a non-APT criminal element of the digital age in China.
Monday I came across two sites on the darknet that are Chinese in origin, and this is something new, at least to me thus far. What made them even more interesting was that they were both oriented toward hacking and freedom, as we see with the posts above on site 1, as well as hacking and criminal activities, as you will see in the images below. Unfortunately for me and perhaps all of you, the site above disappeared Tuesday and I did not have a chance to fully archive it for perusal. What I did see though can be encapsulated in the following bullet points:
- The admin is in Beijing
- The site was a platform for freedom of speech and Tor use as far as I read but there may have been more
- It was PHP-based
- It was trying to show people the how to’s in setting up other sites as well as all of the things above
What I saw of the site intrigued me and I had hoped it would be stable and grow but alas it seems that the Chinese caught on, the admin’s access got cut off, or, maybe they got scared off. I will keep looking for this site to come back though and I hope to get a fuller read on it.
Chinese Darknets and Crime:
The other site that I located Monday is the more unseemly side of the darknet you all hear about every day in the news. The second site that I found is a darker one offering services such as carding and accounts in China for sale. So when you think of China, well, most people lately, all they hear is APT! But the reality is that the Chinese are the same as everyone else, and you will find both sides of the coin in the darknet as well: those who want to express themselves by using Tor as a means to that end against an oppressive government, and those looking to make a buck by hacking and crime.
Now I could not locate names for these sites at all, and they are not very slick or wacky like many of the other sites on the darknet. These are functional and straightforward sites which I hope to mine some more as time goes on. Who knows, perhaps others will pop up. Actually, I would not be surprised to see people in Hong Kong setting these up, or other places in the world trying to get real information to the people of China if they can access it secretly. It seems though that the Chinese government has been quite active in trying to put a stop to this. I hear that in I2P there are more Chinese sites and use. I will have to take a look. For now though, I will keep an eye on these sites.
I recently gave a presentation at Mass Hackers on “Online Jihad” which went very well. While I was covering online jihad, the topic of darknet jihad came up as well; it usually does when anyone talks to me about the subject. Well, since giving that presentation I have seen various and sundry gubment types claiming that the “Jihadis are using the darknet! OMG! It’s why we need to have crypto front doors and de-anonymize the darknets!!!!”
I am writing this post to set the record straight and to make a point… A cryptic point that someone reading this will get, and you know who you are. The darknet is on the whole NOT being used by jihadis to hide their comms in the sense of going to darknet sites. Please, for the love of everything sane, all you gubment types and wannabe spies, get that the fuck into your heads right the fuck now.
Yes, the jihadis are using Tor and VPNs in attempts to hide their traffic on the “clearnet,” but no, they are not gathering in large groups in hidden service sites on the actual “darknet.” This is an important difference that many in the media and in the government either don’t get or don’t want to get, in favor of having a scary scary thing to say to get the other ossified gubment workers (aka the Senate and House) to capitulate out of fear to their crypto-breaking desires.
So lemme mansplain for you all about just what is going on in the darknet and what is not ok?
Darknet Jihad Funding
What you see above this text are two sites that have appeared in the darknet, and these have been the most tangible and visible of anything out there to date. The top picture is from a site that had a real bitcoin address and appeared in 2013, I believe. I wrote about it back then at least, so maybe it was around in 2012. In the end though it amassed about 1200 bucks and then it was cashed out. Personally I think it was a scam site, but who’s to know really.
The second, more recent site is directly supposed to be a Da’esh site and it appeared last month on the darknet. Its bitcoin address is real as well but to date has had no money put into it. This site too smells more like a fake or a dangle by an agency than anything else. Why? Because the fact of the matter is that to date, neither I nor anyone I know in the know have found ANY other sites out there on the darknet, in the hidden services, at all that are jihadi in origin or aegis. None. Niente. Nada.
Of course there may be super secret sites that only a select few know the address of, or maybe they are just using other sites like marketplaces as dead drops, but even this sounds a little too esoteric for the nitwits we see today in jihad and jihobbyism online. There is just no there there, man, nothing to hang your “crypto is bad” hat on, Mr. gubment guy! Ok ok ok, there was one upload to a file server in the darknet for one manual, but the link was given on the clearnet jihadi board, so how the fuck super secret is that?
Meanwhile Back In The Clearnet….
Ok, so now that I have made myself, I think, crystal clear, let’s talk about what the jihadis are doing that I and others like me have seen. For the most part they have taken to Tor and TAILS like a mother since the Snowman dumps. This is to be expected, right? I mean, look at all of us in the security community talking about this shit too, right? If we say that it is better to Tor up or use TAILS to protect our basic security and privacy, it stands to reason that these jihadi mo-mos will too, huh?
This is not rocket science kids…
Oh and yeah, since Tor has become ever so user friendly, it is a natch that these guys will install it and use it on anything and everything that can run it. If you look below here you can see how they are using various tools on various platforms like Android just to reach their Da’eshbag Twitter accounts so they can spew their derpy propaganda!
So yeah, they are using Tor, TAILS, and anything else they think will give them an extra layer of protection. I have seen tutorials in Arabic all over the place for them to use, and the mandate from the Da’eshbag poobahs on how to be secure online. This however does not stop them from getting a JDAM shoved up their asses when they take selfies, am I right?
Right, anyway, the skinny is that until these guys are all digital natives they aren’t going to be living and lurking in the darknets. Sure, they will have TOR, and sure they will have encrypted chats but hey, WHEN THE FUCK DID WE NOT HAVE THOSE OPTIONS TO START HUH? Really, for fucks sake stop it with the scare tactics USGOV and every god damned three letter agency! How about this, you say fuck all to the tech fixation and the shortcuts and you all get your HUMINT game back on?
That is how you will win this war. Make friends, find out where they are, and then JDAM the fuckers.
CORRECTION: According to a tip I got from @Apate1114 there was a site back in 2012/2013 that was alleged to be a standard jihadi type site. In looking for any kind of backstop on this, all I could locate were links that described the onion site in question (http://p2uekn2yfvlvpzbu.onion). In February 2013 it is listed as “http://p2uekn2yfvlvpzbu.onion/ – Armas entrenamiento militar etc” (Spanish: “weapons, military training, etc.”).
Another site lists a file on the site for that time showing a PDF for a .50 cal rifle: “construção rifle” (Portuguese: “rifle construction”): p2uekn2yfvlvpzbu.onion/arm/50calRifleConstructionManual.pdf. Neither of these says jihadi site etc., and unfortunately I have not seen an archive of the site.
I had a chat with @Apate1114 and they gave me a correction to the above. They provided a bad link there. The link is in fact instead: aub35xzuj7wslusm.onion and is no longer up. The site that was linking it in 2013 is seen below:
This site, aljyyosh, calls the onion site موقع عربي غريب, which translates as “strange Arabic website.” Since then, nothing has been seen of this site in the onion, but as you can see on aljyyosh there are plenty of tutorials on how to Tor.
THE DEFENDER’S DILEMMA: CISO’s and Execs to the right of me… APT’s and Hackers to the left… Here I am stuck in the middle with you.
The Defender’s Dilemma:
This week I came across a tweet from @violetblue about an article she wrote for ZDNet on a RAND study that had recently been published. The report: “The Defender’s Dilemma: Charting a Course Toward Cybersecurity.” The report ostensibly showed that the end game for information security was as predicted by 99.9999 percent of the information security workers in the world today. Simply put, there is no winning the game and you should really just listen to the WOPR and not play at all. How about a nice game of chess?
All kidding aside though, many in the game know that there is no winning the cyber war. All you can do is perhaps win battles. Endless battles. The war will never end unless by some miracle someone uses the Nash Equilibrium Theorem to bring all the game players to the table and stop the game with wins all around. I somehow doubt that this will happen, just as much as I doubt that the same model can be used against Da’esh, but that is a story for another day.
What this report is telling us, though, is pretty much common knowledge within the community, and I have to wonder just how many execs, who come out of this report not too well as to their cognizance of the issues, will actually, you know, read the report in the first place. It would seem that this report’s 169 pages are another echo within the INFOSEC echo chamber that once again the executives will not see, hear, or understand because there are too many words to read. Honestly RAND, after you say all these things do you really expect them to read the executive summary and understand it all?
Sampling Problems and Conclusions:
Eh.. Still, even if someone like me were to try to synthesize this report into a comestible for the exec set, I would still have to deal with the fact that I dislike your sampling data and some of your conclusions up to and including your heuristic model ten years into the cyber future. Honestly, what the ever living fuck RAND? Let me start with your sampling of CISO’s out there in the wide wide cyber world.
As a result of interviewing 18 CISOs, we drew three sets of conclusions: those we expected, those that confirmed our suppositions, and those that came as surprises.
Eighteen CISOs? EIGHTEEN? Holy what the bad statistics, Batman! How do you even think you can conclude much of anything from such a small sample of the pool out there, RAND? I read that and I literally felt like I had just re-heard one of those old ads where “Nine out of ten dentists approve!” What bullshit is this? Ok, let’s forget the whole thing about sampling and statistics, ya know, math, and just go with the logic here of talking to only 18 guys. How do you know that these guys aren’t idiots? How engaged are these people? How efficacious is their leadership? I mean, all of these things matter when you are asking people for their considered opinions for some kind of study! This number reminded me of a quote from “Back To School” with the late Rodney Dangerfield.
Thornton Melon: [in college bookstore] Hey, you guys get everything you need?
Jason Melon: Oh, yeah, we got it.
Thornton Melon: Good… Hey! What’s with the used books?
Jason Melon: Well, what’s wrong with used books?
Thornton Melon: They’ve already been read!
Jason Melon: Yeah, and they already been UNDER-LINED, too. Get it?
Thornton Melon: That’s the problem. The last guy who under-lined them, he could have been a maniac! Hey, get these guys some new books. Huh? Get some new books, will ya?
The sample is important kids and RAND just screwed the pooch on that one. Which brings me to another interlude they had in the report that shows you just how important this is.
Oh.. Wait… What am I thinking? I mean, how many CISOs are or were actual practitioners with real-world technical experience out there, huh? Now that would be a statistic that is rather important to the comprehension of the issue in the first place, right? Evidently RAND doesn’t think that this is an important data point in this study though. So yeah, we have “CISOs GONE WILD” here as well as some seemingly tuned-in responses from the whopping sample of 18 respondents that finished an average of 15 out of 20 questions on their questionnaire. With these stats these guys may as well be Ponemon, for fuck’s sake!
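To put a number on the sample-size complaint, here is an added worked example (mine, not RAND’s and not from the original post): the Wilson score interval for the report’s “split” on whether spending is sufficient, taken as nine of eighteen, and the sample a ±10 or ±5 point margin would have needed. The 95 percent level (z = 1.96) and the nine-of-eighteen reading of “split” are my assumptions.

```python
# Added example, not from the original post or the RAND report: what a
# proportion measured on 18 respondents can and cannot support.
import math


def wilson_interval(k: int, n: int, z: float = 1.96) -> tuple:
    """Wilson score interval for k successes in n trials (z = 1.96 is the
    assumed 95% level)."""
    if n <= 0 or not 0 <= k <= n:
        raise ValueError("need n > 0 and 0 <= k <= n")
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half


def sample_needed(margin: float, p: float = 0.5, z: float = 1.96) -> int:
    """Respondents needed for a +/- margin, at the worst case p = 0.5."""
    return math.ceil(z * z * p * (1 - p) / (margin * margin))


if __name__ == "__main__":
    lo, hi = wilson_interval(9, 18)      # "split" between sufficient and more needed
    print(f"9/18  -> {lo:.0%} to {hi:.0%} of CISOs")
    lo, hi = wilson_interval(18, 18)     # even unanimity is a weak claim at n=18
    print(f"18/18 -> {lo:.0%} to {hi:.0%}")
    print("for +/-10 points:", sample_needed(0.10), "respondents; for +/-5:", sample_needed(0.05))
```

Nine of eighteen is consistent with anywhere from about 29 to 71 percent of CISOs, and even eighteen of eighteen only pins the true share above roughly 82 percent; a ±10 point answer needs about a hundred respondents and ±5 needs closer to four hundred.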
In the executive summary they lay out their conclusions from this study and surprisingly I agree with many of them but from long experience in the field not from 18 CISO’s answering nearly twenty questions. Most of these are just common sense really and logical conclusions and there was no need for a survey however poorly constructed to get to the answers. However there are some gems in there.
The conclusions we expected were as follows:
•Security postures are highly specific to company type, size, etc.,
and there often are not good solutions for smaller businesses.
•The importance of intellectual property varies with the individual
•Cybersecurity is a hard sell, especially to chief executives. ….Yes, yes it is.
•Although CISOs generally lack a way to know whether they are
spending enough on cybersecurity, they split between those who
think spending is sufficient and those who feel more is needed.
….. So 50/50? Uhhh Clue please?
•Air-gapping, wherein networks are electronically isolated from
the Internet, can be a useful option. (In a softer form, it is com-
patible with tunneling through the Internet but otherwise not
interacting with it).
……. NO. WAY. How long have we been saying this?
•Responding to the desire of employees to bring their own devices
(BYOD) and connect them to the network creates growing
…… WORST fucking idea EVER.
•CISOs feel that attackers have the upper hand, and will continue
to have it.
…… Well duh, they do. It’s asymmetric warfare you idiots!
The conclusions that confirmed our suspicions were these:
•Customers look to extant tools for solutions even though they do
not necessarily know what they need and are certain no magic
……..But Mandiant and others are more than willing to sell you a “wand”
•When given more money for cybersecurity, a majority of CISOs choose human-centric solutions.
……..What? Where? WHO?!?! FO FUCK SAKES SHOW ME! Oh yeah.. 18 CISO’s DERP.
•CISOs want information on the motives and methods of specific attackers, but there is no consensus on how such information could be used.
.…What have I been saying? They want it but really it’s USELESS hear that TI firms?
•Current cyberinsurance offerings are often seen as more hassle than benefit, useful in only specific scenarios, and providing little
…..But they are all the rage in making sure your ass is covered.
•The concept of active defense has multiple meanings, no standard definition, and evokes little enthusiasm.
….Yes, well they have not met Dave Aitel or any of the other boys who cry CYBER PEARL HARBOR!
•CISOs lack a clear vision on incentives
… Um not being fired?
•Information-sharing tends to live within a web of trust.
….And next to the land of the unicorns with gumdrop kids
•CISOs tend to be optimistic about the cloud, but, apart from those who sell cloud services, most are willing to be only cautious
…CLOUD IS THE NEW CYBER VIAGRA! But it isn’t the CISO’s choice remember that CEO guy?
•CISOs are likely to assign lower priority to security-as-a-service
…Well, yeah, I mean you wanna outsource everything and have nothing to control?
•CISOs, in general, are not ready to concentrate their purchases from a single vendor (but also are not sure that heterogeneity is the best solution, either).
…Meh, I have seen a lot of eggs in one place lately.
The conclusions that came as surprises were the following:
•A cyberattack’s effect on reputation (rather than more-direct costs) is the biggest cause of concern for CISOs. The actual intellectual property or data that might be affected matters less than the fact that any intellectual property or data are at risk.
…Ummm yeah, if you have no CUSTOMERS then you don’t have REVENUE right? WTF.
•In general, loss estimation processes are not particularly compre-
… Loss estimation of future events.. Say heard of the Cat in box paradox?
•The ability to understand and articulate an organization’s risk arising from network penetrations in a standard and consistent manner does not exist and will not exist for a long time.
…Uhh what? WTF? If you are pwn3d and your shit stolen you are fucked. Simple.
God.. What a wankery waste of time having to read all that drivel. It gets worse though, as they philosophize on future events with heuristics. WOOOOOO! Now that’s a read! I had to extra coffee up for that nonsense. Look, if you want to study this shit, great, but unless you have a solution to the problem why waste my time? Oh, and yeah, I will be the only one reading it all because I have taken a poll of my own that shows EXECS DON’T FUCKING READ THIS SHIT NOR MUCH ELSE THAT SECURITY PUTS OUT!
I have linked the document above so go ahead if you like pain and read the whole 169 pages. I did and look how well adjusted I am!
GLOBAL Threat Intelligence Report – May 2015
In the month of May 2015 we saw the advent of “stunt hacking”, with one researcher claiming to be able to hack a plane’s engines while in flight. While this event was the talk of all the media, the real point is that nothing is secure: not planes, not trains, not automobiles, and certainly not your networks.
The common factor is that security is an ongoing process that never stops. It is not a static thing; it must be worked on perpetually, in the hope of preventing a breach or, more likely, of detecting one that is happening or has already happened and reacting to it properly. The following document covers some of the events in the security sphere that took place in May, with commentary on their importance in the scheme of things.
Please use this document to inform yourselves on the current threat landscape and as a guide to a process with which you can grow your own practice to the point where this information cycle becomes your own.
Tiversa accused of hacking clients to extort them:
When you hire a firm to take care of your cybersecurity, you’re hiring a team of experts whom you assume you can trust. But one such firm allegedly used the trust of its clients to straight-up extort them with made-up “data breaches.”
CNN Money gives us a rundown on Tiversa, a still-operating cybersecurity company that offers up digital security services to other companies. According to a whistleblower who worked there and is now testifying in federal court, Tiversa was running a very simple and clever scam.
The importance of this story cannot be overstated in a world where security is often checked by hiring an outside firm to test it. In the case of Tiversa the allegation is extreme: that the firm was extorting companies with fabricated findings or, worse, by hacking firms and then extorting them into buying its services.
It is important not only to vet the companies you do business with but also to have security functions within the org that can vet the data being presented. If there are any questions about the findings, they should be called out and researched to ensure their validity; a firm selling these services may not be doing its own due diligence. At a minimum, ask for the evidence behind each finding (the request that triggered the vulnerability, the file or record that was reached) and reproduce a sample of it yourselves.
It is also important for executive management to understand the findings presented in these types of assessments, as well as the difference between a vulnerability scan and a penetration test. All too often this key difference is not apparent to the C-suite.
What’s the difference between a vulnerability scan, penetration test and a risk analysis?:
You’ve just deployed an ecommerce site for your small business or developed the next hot iPhone MMORPG. Now what?
Don’t get hacked!
An often overlooked, but very important process in the development of any Internet-facing service is testing it for vulnerabilities, knowing if those vulnerabilities are actually exploitable in your particular environment and, lastly, knowing what the risks of those vulnerabilities are to your firm or product launch. These three different processes are known as a vulnerability assessment, penetration test and a risk analysis. Knowing the difference is critical when hiring an outside firm to test the security of your infrastructure or a particular component of your network.
The difference between a vulnerability scan and a penetration test is a key point for any organization that wants to secure itself effectively. The article above does a fair job of describing the differences and is a must read for any C-suite or middle manager who owns a security function. In turn, this information should be passed up to those in charge so they understand the differences and why both are needed to secure a company.
Even today, after years of these assessments being available, you will often find companies selling what they call ‘penetration tests’ that never actually exploit anything; they are vulnerability scans with a different name on the cover. On the flip side of this coin, many companies shopping for these services are more comfortable with just a vulnerability scan, without anything on their networks actually being exploited, because of the FUD (fear, uncertainty, and doubt) that surrounds such activities.
If your org is only having vulnerability scans run and not having penetration tests carried out as a real-world test of its security, you are only setting yourselves up for an eventual compromise and the fallout that comes with it. Both of these functions are integral to the hygiene of any security program. A simple check when reading a report: a penetration test shows what the tester actually reached (a shell, a database, a mailbox, a sample of records), while a scan only lists what a tool believes might be reachable.
Criminals stealing money via Starbucks App:
Starbucks (SBUX) on Wednesday acknowledged that criminals have been breaking into individual customer rewards accounts.
The Starbucks app lets you pay at checkout with your phone. It can also reload Starbucks gift cards by automatically drawing funds from your bank account, credit card or PayPal.
That’s how criminals are siphoning money away from victims. They break into a victim’s Starbucks account online, add a new gift card, transfer funds over — and repeat the process every time the original card reloads.
Starbucks, like many other companies today, lets customers connect bank accounts and payment cards to stored-value cards that can be used to pay for services and that earn the user perks when they are used. As smartphones replace the physical cards we create a new attack vector against the user.
In this case the users’ passwords for the Starbucks application may have been weak, or reused from another site that had been breached, but that does not rule out other kinds of attacks against the phones or against the Starbucks app itself. Either way, the attack lets an adversary siphon off connected cards and bank accounts rapidly, because the auto-reload feature keeps refilling the balance the attacker is draining.
It is important to understand that this story can apply to you personally as well as organizationally if you issue or deal with stored-value cards. Cards attached to bank accounts can be hijacked, and both personal data and banking data can be stolen.
Additionally, companies should be aware of these situations when applications may have been compromised on phones that also hold corporate data. If an application is compromised, just how much access does it have to the phone’s operating system and thus to the user’s data?
1.1 Million customer records lost to hack on Carefirst:
For CareFirst BlueCross BlueShield, the road to hell was paved with good intentions. Recently, while making security upgrades, the company discovered that it had actually already been breached—in June 2014.
1.1 million current and former customers were affected by the hack, and CareFirst has 3.4 million current customers. The company, which offers coverage in Washington D.C., Virginia, and Maryland, says that hackers compromised one of its databases and may have had access to user names, member IDs, legal names, birthdays, and email addresses. Medical records, credit card numbers, and social security numbers weren’t affected.
While this attack has the hallmarks of a nation-state operation, the important point is that even with a security program in place a skilled adversary can go unnoticed. Mandiant’s 2015 M-Trends report put the median time from compromise to discovery at 205 days, and found that most victims were told about the breach by an outside party rather than finding it themselves. That is a statistic to keep in mind.
It is not clear from the story how well the CareFirst security program runs, nor can every security team catch everything, but it does show that without indicators of compromise it can be difficult to spot when a company has been hacked and when data is leaving the network. Thus it is important to consistently strive for a firm grasp on your network, its traffic, and any anomalies that may in fact be indications that you have been compromised and data is being stolen.
Organizations should have mitigations in place such as IDS/IPS as well as robust logging and correlation in a SIEM, watching the traffic coming in and, specifically, going out of the domain, so that an incursion can be detected and potentially stopped in progress. Outbound proxy and DNS logs are the cheapest place to start: a host that suddenly sends far more data than its own history, or talks to a destination nobody in the org has ever used, deserves a look.
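As an added example, not part of the original report and not based on anything CareFirst runs, here is the simplest version of the “watch what leaves” check over a constructed egress log. It assumes a flat `date source destination bytes_out` line format, a stand-in for whatever your proxy or flow collector actually produces, and compares each host’s daily outbound volume and destination set against that host’s own recent history rather than against a global threshold.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed egress log (not real data), one line per connection:
# <date> <source IP> <destination host> <bytes sent out>
# Three baseline days of ordinary traffic for two internal hosts.
BASELINE_LOG = """\
2015-06-01 10.0.1.15 mail.example.com 12000
2015-06-01 10.0.1.15 cdn.example.net 3000
2015-06-01 10.0.1.22 mail.example.com 9000
2015-06-02 10.0.1.15 mail.example.com 11000
2015-06-02 10.0.1.15 cdn.example.net 2500
2015-06-02 10.0.1.22 mail.example.com 9800
2015-06-03 10.0.1.15 mail.example.com 13000
2015-06-03 10.0.1.15 cdn.example.net 3400
2015-06-03 10.0.1.22 mail.example.com 8700
"""

# The day under review: 10.0.1.22 pushes ~400 MB to a host nobody used before.
TODAY_LOG = """\
2015-06-04 10.0.1.15 mail.example.com 12500
2015-06-04 10.0.1.15 cdn.example.net 3100
2015-06-04 10.0.1.22 mail.example.com 9100
2015-06-04 10.0.1.22 share.example.org 410000000
"""


def parse_log(text):
    """Return a list of (day, src, dst, bytes_out) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, src, dst, nbytes = line.split()
        rows.append((day, src, dst, int(nbytes)))
    return rows


def daily_bytes_by_source(rows):
    """{src: {day: total bytes out}}"""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, nbytes in rows:
        totals[src][day] += nbytes
    return totals


def destinations_by_source(rows):
    """{src: set of destination hosts the source has talked to}"""
    seen = defaultdict(set)
    for _day, src, dst, _nbytes in rows:
        seen[src].add(dst)
    return seen


def find_egress_anomalies(baseline_text, today_text, sigma=3.0, min_bytes=1_000_000):
    """Compare one day of egress against each host's own baseline.

    Flags a host whose daily outbound volume exceeds mean + sigma*stdev of its
    baseline days (the deviation is floored at 10% of the mean so a very flat
    baseline does not alarm on normal jitter), and any (host, destination)
    pair the host has never used before.  min_bytes keeps tiny hosts from
    firing on increases that are large in ratio but small in absolute terms.
    """
    baseline = parse_log(baseline_text)
    today = parse_log(today_text)
    base_totals = daily_bytes_by_source(baseline)
    base_dsts = destinations_by_source(baseline)
    findings = []

    for src, per_day in daily_bytes_by_source(today).items():
        history = list(base_totals.get(src, {}).values())
        for day, total in per_day.items():
            if not history:
                findings.append({"kind": "no-baseline", "src": src, "day": day, "bytes": total})
                continue
            mu = mean(history)
            spread = max(pstdev(history), 0.1 * mu)
            if total >= min_bytes and total > mu + sigma * spread:
                findings.append({"kind": "volume", "src": src, "day": day,
                                 "bytes": total, "baseline_mean": mu})

    reported = set()
    for day, src, dst, nbytes in today:
        if dst not in base_dsts.get(src, set()) and (src, dst) not in reported:
            reported.add((src, dst))
            findings.append({"kind": "new-destination", "src": src, "day": day,
                             "dst": dst, "bytes": nbytes})
    return findings


if __name__ == "__main__":
    for finding in find_egress_anomalies(BASELINE_LOG, TODAY_LOG):
        print(finding)
```

On the constructed data this reports two things about 10.0.1.22 (a volume spike and a never-before-seen destination) and nothing about 10.0.1.15, whose traffic stays within its own history. Per-host baselines are what make this workable in practice: a mail relay sending 400 MB a day is normal, a workstation doing it is not, and a single org-wide threshold cannot tell them apart.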
Stop using painfully obvious security answers:
We all love pizza, but that doesn’t mean you should be using it as a way to keep your data safe online.
In a new research paper, Google staffers found that those pesky security questions which are often used to help users recover passwords are one of the worst ways to protect online accounts. The company studied hundreds of millions of actual question-and-answer combos used by real Google users, and discovered people often choose obvious answers that are easy to remember — but also easy for hackers to guess.
For example, an attacker would have a 20% chance of guessing an English speaker’s answer to the question, “What is your favorite food?” by guessing “pizza” on the first try.
This article may be aimed at end users, but it should also be aimed squarely at companies that use these questions as a means of authentication for their paying clients. These questions and their easy answers are not a feasible security layer today and could lead to compromise not only of end-user accounts but also of corporate networks, if more robust authentication is not in use.
The article concludes that this should be taken further and the questions should not be asked at all, as they are too easy to guess from the start. That is a correct assessment. If you or anyone else is using a household pet’s name or a child’s birth date as a password or a recovery answer, you are already behind the 8-ball, because these bits of information are easily found on the internet today by an adversary.
Two-factor authentication is the better way to secure remote access to your network today: something the user knows (a password or PIN) combined with something the user has (a hardware token or an authenticator app on a phone). A user ID, a PIN and a password are all “something you know” and do not add up to a second factor. Because these systems cost more, many organizations try to avoid them, but they are the best way we have today of securing a network that is accessed remotely by end users.
Hackers sneak malware into job applications:
Hackers are slipping malware into resumes submitted through the job posting website CareerBuilder.com to infect businesses, security researchers have found.
Attackers are browsing open positions and attaching malicious documents disguised with the name “resume.doc” or “cv.doc” to applications, according to the Sunnyvale, Calif.-based security company Proofpoint. The attack sends malware directly to hiring managers and interviewers because CareerBuilder automatically emails job-poster notifications and attachments with resumes when candidates submit applications.
With the rise in phishing and the attendant rise in awareness on the part of corporations and their employees, the tactics had to evolve to keep working. Phishing still works pretty well on average, but this pivot, sending resumes pre-loaded with malware to specific targets through a channel the target is expecting mail from, was only a matter of time.
The upshot of this article and this analysis is that even with AV, malware often makes it through the defenses and is activated by internal users. When that happens you may have started the dominoes falling on a larger compromise of the whole network through one infected doc file or PDF.
Companies should take the extra step of having sandbox technology on top of AV/spam systems, so that documents can be detonated and tested for malware before being introduced into the common network environment. As seen with the attack on Target, criminal elements (e.g. Russian carders) are now using tactics similar to advanced persistent threats, and anyone who handles PII, PCI, HIPAA or any other kind of data that can be sold is a target.
Mumblehard turns WordPress sites into spambots:
The Mumblehard malware is turning Linux and BSD servers into spam-spewing zombies.
Security researchers at ESET have logged over 8,500 unique IP addresses during a seven-month research period looking into the junk-mail-linked malware menace.
Mumblehard is made up of two different components. The first component is a generic backdoor that requests commands from its command and control server. The second component is a “full-featured spammer daemon” process, which is launched via a command received via the backdoor.
Not all hacking attempts are used to compromise networks and not all malware is used to steal data. In the case of Mumblehard, the malware was created to turn your server into a bot used to make money by sending spam. This type of attack may seem more of a nuisance, but it is a real problem: the same backdoor that takes spam commands can take any other command, so the compromise can lead to further compromise of your network down the line, and your mail reputation suffers in the meantime.
As WordPress has a track record of vulnerabilities, it is important that if you have WordPress in your environment you keep up with patches and alerts concerning the application security of your sites. Anyone who has WordPress as a working part of their infrastructure, especially internet facing, should be on the WordPress security announcement list and make the sites, their plugins and their themes a regular part of the patch cycle. Note that the core’s automatic background updates (on by default since WordPress 3.7) cover minor and security releases of core only; plugins and themes still have to be updated by you.
The return of macro malware:
Macro malware, that tried-and-true document-borne attack vector, is back. Over the past few months, Microsoft has seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.
The majority of the macro-malware attacks have taken place in the United States and United Kingdom.
Macro malware gets into your PC as a spam email attachment. The user opens the document, enables the macro, thinking that the document needs it to function properly—unknowingly enabling the macro malware to run.
Success of course requires the email recipient to fall for a social engineering technique and open the attachment.
Within the realm of malware and phishing attacks, this old malware technique has come back to the fore with a vengeance recently. It relies heavily on social engineering to get the user first to open the attachment and then to enable macros, and that has been successful in many instances.
Once enabled, the macro contacts a download site and installs other tools on the compromised system, finishing the attack cycle. In many cases the phishing mails and attached files are not being detected by AV and are passed through to end users to open; the macro itself is often just a small downloader, and the real payload is fetched afterwards.
It is important that your organization have a good grasp on awareness of phishing and social engineering attacks and of the different ways an attacker will try to get an end user to compromise their own system and let the adversary in. If you are not carrying out awareness training on an ongoing and repeated basis, it is highly likely that an end user will be the arbiter of a compromise at your org. On the technical side, block or quarantine macro-enabled documents at the mail gateway where the business allows it, and do not trust the extension or file name: a “resume.doc” can just as easily be a macro-enabled OOXML package.
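The same pre-screen applies to the resume-attachment campaign above and to the macro-downloader wave. Below is an added example of the kind of static triage a mail gateway or SOC script can run on an attachment before a hiring manager opens it; it is not Proofpoint’s, Microsoft’s or CareerBuilder’s code. It assumes a simple interface (a filename and the raw bytes) and uses constructed samples: the OLE blob is only a header plus directory-entry names, not a real compound file, and the vbaProject.bin is a placeholder. Looking at the actual VBA source of a real file still calls for a proper parser such as olevba, which this snippet deliberately does not replace.

```python
import io
import re
import zipfile

# Magic bytes for the three container formats that matter for mailed documents.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.docm/.xlsx/.xlsm (zip package)
PDF_MAGIC = b"%PDF"

EXPECTED_CONTAINER = {
    "doc": "ole", "xls": "ole", "ppt": "ole",
    "docx": "zip", "docm": "zip", "xlsx": "zip", "xlsm": "zip", "pptx": "zip",
    "pdf": "pdf",
}

# OLE directory entries store storage/stream names as UTF-16LE, so a VBA project
# in a legacy document is findable as a byte pattern without parsing the file:
# Word keeps it under "Macros", Excel under "_VBA_PROJECT_CUR", and both hold a
# "_VBA_PROJECT" stream.
OLE_VBA_MARKERS = [name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros")]

# PDF dictionary keys that make a document act on open or run script.
PDF_ACTIVE_KEYS = [b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA"]


def container_type(data):
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def _pdf_unescape_names(data):
    """PDF names may hex-escape characters (/J#61vaScript == /JavaScript);
    undo that so a trivially obfuscated key still matches."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def triage_attachment(filename, data):
    """Return a list of human-readable findings for one attachment (empty = nothing seen)."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    kind = container_type(data)

    # Office picks its parser from the content, not the extension, so a
    # "resume.doc" that is really an OOXML macro package still opens normally.
    expected = EXPECTED_CONTAINER.get(ext)
    if expected and expected != kind:
        findings.append(f"extension .{ext} does not match container type {kind}")

    if kind == "ole":
        if any(marker in data for marker in OLE_VBA_MARKERS):
            findings.append("legacy Office file carries a VBA project")
    elif kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as pkg:
                names = pkg.namelist()
                ctypes = pkg.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
        except zipfile.BadZipFile:
            findings.append("zip container is truncated or corrupt")
            names, ctypes = [], b""
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("OOXML package contains a VBA project (vbaProject.bin)")
        if b"macroEnabled" in ctypes and ext in ("docx", "xlsx", "pptx"):
            findings.append("macro-enabled content type behind a non-macro extension")
    elif kind == "pdf":
        hits = [k.decode() for k in PDF_ACTIVE_KEYS if k in _pdf_unescape_names(data)]
        if hits:
            findings.append("PDF contains active content keys: " + ", ".join(hits))
    return findings


# ---- constructed samples (not real malware) ---------------------------------

def build_docm_sample():
    """Minimal OOXML package declaring a macro-enabled part and shipping a
    vbaProject.bin placeholder (a real one is an OLE file with MS-OVBA-compressed source)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types><Override PartName="/word/document.xml" '
                     'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>')
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/vbaProject.bin", b"placeholder, not a real VBA project")
    return buf.getvalue()


# Correct OLE magic plus directory-entry names as they would appear; not a
# parseable compound file, just enough to exercise the marker check.
OLE_SAMPLE = (OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le")
              + b"\x00" * 52 + "_VBA_PROJECT".encode("utf-16-le"))

PDF_SAMPLE = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n")

if __name__ == "__main__":
    for name, blob in (("resume.doc", build_docm_sample()), ("cv.doc", OLE_SAMPLE),
                       ("resume.pdf", PDF_SAMPLE), ("notes.txt", b"hello")):
        print(name, triage_attachment(name, blob) or ["clean"])
```

Run against the samples, “resume.doc” is flagged twice (its container is a zip package, not a legacy binary document, and it carries a vbaProject.bin), the OLE blob is flagged for its VBA project, and the PDF for its /OpenAction and hex-escaped /JavaScript. None of this says the file is malicious; it says it deserves the sandbox the previous paragraph recommends instead of going straight to the interviewer.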
New ‘Rombertik’ malware destroys master boot record if analysis function detected:
While detection scanning malware is nothing new, Cisco researchers have identified a new malware sample that takes its detection evasion features one step further than the average malware.
Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device’s master boot record (MBR), researchers wrote in a blog post.
This malware spreads through spam and phishing messages sent to possible victims.
While Rombertik made a splash in the news this month, it is not novel in having an MBR (Master Boot Record) wiper built in. This type of attack has been around for nearly eighteen years; what is interesting is the trigger, in that the wiper fires when the malware believes it is being analyzed.
As counter-detection methods go this is an extreme case, and as such it may not end up being all that common in the long run. However, the fact that this malware had it, and that it was a purchased piece of malware used by an individual and not a nation state, is important to note.
(please see attribution article below for context of last statement)
Clearly the bar is being lowered on malware and phishing attacks, and organizations should be cognizant of this fact. It does not take a nation state with resources and human assets to carry out an attack on a company that could shut it down, if malware like this lands on the wrong computers.
Malware hidden in technet:
In an ironic twist, Microsoft’s TechNet Web site has been used by Chinese hackers to hide malware commands. TechNet is a digital security and support site for IT professionals. Security firm FireEye Threat Intelligence discovered the activity working in collaboration with the Microsoft Threat Intelligence Center.
According to a report by FireEye titled “Hiding in Plain Sight: FireEye and Microsoft Discover New Obfuscation Tactic,” the activity was the handiwork of Chinese hacker group APT17. The group, also known as Deputy Dog, has been actively attacking organizations including U.S. government entities, defense industry companies, law and IT firms, NGOs, and mining companies, since at least 2013.
While this article shows nation-state hackers using Microsoft’s own TechNet site as part of their command and control (encoded C2 addresses were posted in profile pages and forum comments, and the malware fetched and decoded them), it is important to understand that this can happen with any site that accepts user content. A small, innocuous-looking string posted to a legitimate site can carry instructions or a rendezvous address to malware that knows where to look, and the same sites can host drive-by attacks on users’ systems.
Given that the bar to entry is being lowered, as code can be bought and more adversaries (both nation state and criminal) get in on the game, organizations should pay more attention to telemetry. As mentioned earlier in this document, monitoring traffic and its destinations should be a key part of any security program today; traffic to a legitimate site is not automatically benign, so look at who is talking to it, how often and how regularly.
[SECURITY] [DSA 3250-1] wordpress security update:
Multiple security issues have been discovered in WordPress, a weblog manager, that could allow remote attackers to upload files with invalid or unsafe names, mount social engineering attacks or compromise a site via cross-site scripting, and inject SQL commands.
These attacks are key to many of the kinds of attacks mentioned throughout this report. It is important to keep up with patching for any WordPress site in your DMZ, and these sites should be monitored for activity that may be an indicator of compromise.
In the case of this advisory, the attacks could be the first step in a compromise of the internal back end as well, and as such could lead to a major breach.
Apple Safari Multiple WebKit Bugs Let Remote Users Execute Arbitrary Code, Access Files, and Spoof Interface Elements :
Multiple vulnerabilities were reported in Apple Safari. A remote user can cause arbitrary code to be executed on the target user’s system. A remote user can obtain potentially sensitive information on the target system. A remote user can spoof user interface elements.
A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a memory corruption error in WebKit and execute arbitrary code on the target system [CVE-2015-1152, CVE-2015-1153, CVE-2015-1154]. The code will run with the privileges of the target user.
While Macs and OS X have a history of seeming to be less prone to vulnerabilities, the reality is that OS X, like any popular system, will be attacked to gain access to people’s machines. In the case of these vulnerabilities the main browser (Safari) is the weak point, and they may lead to drive-by attacks on users’ systems.
It is important that any org with a complement of Macs also be up to date on the patches and vulnerabilities for this platform, and not consider it more secure because of the perception Apple would like people to have of its products.
Microsoft Silverlight Permission Error Lets Local and Remote Users Gain Elevated Privileges:
A local or remote user can obtain elevated privileges on the target system.
Silverlight does not properly allow applications intended to run at a low integrity level (e.g., very limited permissions) to be executed at a medium integrity level (e.g., permissions of the current user) or a higher integrity level.
A remote user can create a specially crafted Silverlight application that, when executed by the target user, will execute arbitrary code on the target system with the privileges of the target user instead of with limited privileges.
While Silverlight is a deprecated browser plugin framework today, it is still used by many organizations. The impact of this vulnerability is bounded by the privileges of the user running the application: the low-integrity sandbox is escaped, but only up to the user’s own rights. There are still plenty of places where people have administrative privileges on their systems, however, and there this type of attack can mean full administrative compromise of the machine.
It is important to know where Silverlight is used in your organization and to understand where a compromise of it might lead within the org.
Apache Cordova vulnerability leaves Android apps wide open to hackers:
Security Researchers at Trend Micro have discovered a “major” vulnerability in the Apache Cordova app framework that leaves one in 20 Android apps open to hackers.
While a 5.6 percent figure may seem small, this is an important vulnerability, as are many others, if Android systems are part of your BYOD program. Without the right mitigations (sandboxing, separate identities or separate devices) on a phone, you could potentially compromise a network as well as a smartphone.
Application hacks could lead to compromise of the OS itself, as well as of any applications on the phone (Touchdown and others) that facilitate access to your internal network or mail systems.
Logjam Vulnerability: 5 Key Issues:
While the “Logjam” vulnerability raises serious concerns, there’s no need to rush related patches into place, according to several information security experts.
These pros have been helping organizations understand how best to react to the announcement this week that a team of computer scientists have discovered a 20-year-old flaw in Transport Layer Security (see Massive ‘Logjam’ Flaw Discovered). And given the age of the flaw and absence – so far – of publicly documented exploits, experts say organizations do not need to rush related fixes into place.
With the advent of vulnerabilities that seem to come with their own marketing campaigns, it is as important as ever to understand the vulnerability as well as its risk. In the case of Logjam there was a lot of media attention, but the reality is that it is not the end of the world.
The weakness is twenty years old, has been exploitable for all that time without a documented case in the wild, and requires an active man-in-the-middle position, so it belongs in the normal patch cycle rather than an emergency one. That said, the fix is cheap and should be done regardless: disable export-grade (EXPORT/EXP) cipher suites on servers, generate and deploy Diffie-Hellman parameters of at least 2048 bits or prefer ECDHE suites, and update clients so they reject weak DH groups. Managing encryption configuration this way should be standard practice with or without a named vulnerability.
Word doc for you to download and edit for your own use is here