So you all know me, I had to go and download CSI Cyber just to see. I mean, I couldn’t resist because I am a masochist and I knew that this would be a terrible show so I had to see it! Well I am happy to report that none of you were wrong, this is in fact one of the worst shows on television and it’s not just because it is all about the OMG CYBER! There are a whole host of issues with this show and I just wanted to share with you all my personal review. So strap yourselves in, put on your sturdiest CYBER HELMET, and prepare for a heaping helping of WTF.
The show starts off with the kidnapping of a baby and some nonsense about voices coming from a nanny cam. The case comes across the lead investigator’s email and she immediately goes to her boss and says that any criminal action that includes electronics make it a CYBER CRIME! No, really, she says this and thus a plot line is born! The feebs then take over the case and use shiny bags to take away laptops and phones. They use what they call “Faraday Bags” and have the nifty graphic above to show signals bouncing off the bag PEW PEW PEW! (eat your hearts out Norse!)
It was in this moment that the plots sub sub plot of CYBER PSYCHIATRY comes to play. The main character ( Avery Ryan ) who is loosely based on the “creator/SME” of the show Mary Aiken one of the loopiest people I have looked at online. She claims she is a “Cyber Psychiatrist” whatever the fuck that is. Let me just set you all straight, there is no such thing as a “Cyber Psychiatrist” There are Psychiatrists who maybe deal with technology issues and pscyhology and psychiatry but there is no cognitive DSM V sub speciality that I am aware of. In short, she is making shit up as she goes. I may go into a full rant on this later on, but sweet jeebus she is as much a Cyber Psychiatrist as the Scorpion Crew is an elite red team in reality ok?
Next let’s talk tech because I know you all want to! CYBER CYBER CYBER! Blinky lights and holodecks for everyone! This show does not let us down in this area either. There is so much shiny blinky light material that if you are epileptic you should really consider watching it with shades. The highlights of all this is the above image from the uberl337 hax0r showing that malware always shows up as RED TEXT on ADA and more often than not actually calls itself MALWORM! As I was morning drunk tweeting watching this farce I managed to start a bit of a dialogue with some who complained that they did not get all of our attitudes about the tech being right at all because it’s TV FOR FUCKS SAKE! Well, Ian, yes, yes it is and really we should not really worry ourselves about this in reality. I guess some of us all care too much or live it too closely. In my case I don’t really care beyond the possibility that this shit will bleed into our real lives as dumbasses think that this is all reality from watching entertainment TV. I will once again point to the CSI Effect and just say I hope this kind of shit does not happen in the court room because of shit like this is all.
OMG CYBER ATOMIC SOMETHING SOMETHING!
At the end of the day I just have to report that this show is sucktastic. The acting is wooden, the dialogue is horrendous, and the subject matter is wholly unbelievable. Well, unbelievable for someone who actually works in psychiatry, technology, hacking, acting, cinematography, etc. This is the turdliest of unflushable turds that CBS has grunted out of its collective anus in a while.
For my part I LOVED the original CSI because it was new and it was fun. I used to sit watching it with a REAL SCIENTIST who cringed as much as we all do about the OMG CYBER today so it is not just our group of peers that have issues with the Hollywood-izaton of their careers. Though I knew that the tech was not accurately portrayed made no difference because it was fun and the chemistry/writing worked. As soon though as Grissom left so did I. It has been pathetic to watch CBS continue to flail the dead corpse of CSI through the David (flip sunglasses down the nose) Caruso years to the Cheer’s OMG MY HAIR GREW BACK INTO A POMPADOUR Ted Danson travesty.
No more please.
Please FUCKING STOP!
*hangs head.. CSI CYBER!*
Welcome to CBS TV where we make shitty SHITTIER!
Global Threat Intelligence Report
In the month of February an astonishing array of news came out concerning information security and vulnerabilities. One such piece of news concerned supply chain tampering by Lenovo with “Superfish” an adware that compromised users SSL sessions of every user’s machine purchased from the company. In other areas we discovered that our personal routers were being attacked by phishing emails containing the default passwords for the routers that people commonly forget to change. It would seem that nothing is safe either because people leave the defaults as the way they operate or in fact the companies are weakening security on their products to make more money through tracking users and selling data to advertisers.
This report will cover the news highlights and give you a more nuanced portrait of their importance globally to you personally as well as at a corporate level for information security. Use this report as a primer to understanding the security picture as it is today and to help in confronting the security issues within your organization.
Think your BYOD program is secure? Perhaps you might want to think again about that as you consider this article. Applications for iOS and Android have been cloned and malware inserted into them for download by unsuspecting users. All the attackers need to is trick the end users into installing the new application with malware in it by sending them an email with a link to their fake site.
As more and more corporations move toward the singularity and use BYOD as their primary way of conducting business (phones, tablets, and phablets) these concerns should be more pressing. Given that the BYOD now allows personal devices to access corporate networks and assets, if the user then infects their device with malware that steals data such as keystrokes, then your corporate network is now at risk of compromise.
If you have a BYOD program and do not have a robust way to manage what the users can download and install then you are more likely to have a compromise to your domain. If for example though, you have BYOD mandates and policies that require phones with separate profiles you might be on a better footing in that the end users corporate profile should be completely locked down and unable to install anything without approval. This is a hard needle to thread and must be considered today as we see more of these types of attacks being leveraged in the wild against corporate BYOD programs.
Once again we find ourselves facing another SSL attack that may leave our private communications at risk. This one has been an issue for many years and only now is being talked about as something adversaries may be using. As with others, this attack uses the fact that many systems still allow backward compatibility to reduce the encryption levels to one that can be cracked by an attacker.
While this attack is being patched it is important to note that since Shellshock and Poodle adversaries have been working on variations on a theme to attempt to find old or unthought-of of exploits to leverage in attacks today. It is important to keep up on these various vulnerabilities being reported to respond to them as soon as possible once they have been announced.
It is recommended that all SSL systems be set to disallow backward compatibility of there is a newer version that is more secure. If you are forced to use backward compatibility though, you should insure that you have a risk assessment carried out and the risk signed off on at a corporate level to cover your risk should an incident occur from one of these known exploits.
Common technologies abound today and one of the most popular is the COTS (Common Off The Shelf) router for internet access. In the case of D-Link, one of the more common brands being used today, there are multiple vulnerabilities that could lead to compromise of home or even corporate networks. The current vulnerability allows for a remote attack to gain “root” or administrative access to the routers.
So how then could these COTS routers be a threat to your corporate network? Well, consider that the home user who is VPN’d into your network is using one of these routers that is vulnerable? If that is the case and their router is compromised, then so too is all the traffic and systems potentially they own at home. If that home user has their system online and not on the VPN then their system could be scanned and compromised remotely. If the end point has been compromised so too is your network VPN or not so this is a real threat to your corporate environment as well.
Additionally, should by any chance your environment have any of these devices connected to your networks then you too may be vulnerable directly from attacks on those routers. Consider too any company that you may be connected to (via VPN for instance again) that may be a mom and pop with one of these routers being used. This could be leveraged to gain access to your network as well by an enterprising adversary.
It is recommended that all corporations consider these vulnerabilities whether or not they think they have these devices on premises or not. All it takes is one connection from an insecure network elsewhere that has rights on yours to make your life miserable.
NAS (Network Accessible Storage) is common not only in corporate networks but also home networks. As such these devices need to be securely configured and access restricted to internal networks only unless you absolutely know what you are doing. In the case of the Seagate NAS, this vulnerability is like many of the others out there and Seagate has yet to update their firmware months after the fact. This leaves all of these devices unprotected on networks and on the internet in some unfortunate cases.
Think that your corporate network doesn’t have a problem because the NAS is behind the firewall? Well that is not truly the case either as you could have a compromise internally and if these devices are secured yet vulnerable to these types of attacks you could lose in the end. It is recommended that you seek to determine if you have these in your environment and patch as soon as possible.
Alternatively, consider the end user out there who works for you. Do you have a strong policy and practice of not allowing those users to store corporate data anywhere other than your network? Consider the end user who buys one of these and puts it on their home network and shares it accidently with the world. Think that is not probable? Then go to Shodan and look for these devices or better yet use Google to search for them. They are out there and they are open.
Patch Tuesday in February was huge with a total of 56 vulnerabilities being fixed in Microsoft products. A majority of the patches were for Internet Explorer, a core piece of the Windows system and the one most attacked by adversaries seeking to exploit users systems.
This particular patch cycle was of note because the previous cycle had not patched IE and this one seems to have been an aggregate of earlier patches being held back. As the number of patches is so high for one piece of the Microsoft system it can be inferred just how much attention is paid to attacks for the IE Browser.
It is recommended that every enterprise undertake a strong process driven function around patching in your environment. Specifically, enterprises should take care to patch high value target systems at the least and all systems at the most. Given that there are mitigating factors that may leave an organization no choice but to not patch a system because it would break business, those systems should be signed off on for risk and as a compensating measure watched more to insure that they are not compromised.
Earlier this report covered default passwords on routers in the home. It seems that this issue has risen again as malware/malcode disguised in spam has been seen in the wild with the ability to log into routers with insecure default passwords. This type of attack is not new but it is once again being leveraged by particular actors today in the wild.
This in and of itself should be a wakeup call for any users who have not changed their default passwords and logins for COTS routers. As also mentioned before in this report, this is something that all enterprises should be concerned about with regard to users who work from home and have access to your internal networks.
It is recommended that all organizations look at these vulnerabilities as not only affecting home users but also those networks that they may interface every day for work. As such, it is in every companies interest to follow these things and to have education for their users not only about corporate networks and assets but also those BYOD devices and networks that interconnect them.
Increasingly carders and other adversaries are attacking corporations by targeting the end users for malware by phishing campaigns. Much of these exploits are directly targeted at gaining access to credit card data, bank account data, and PII data that would allow them to create new identities and start credit lines.
The adversaries are however getting cleverer and targeted today and with knowledge, they are attacking from the top down. Phishing campaigns aimed at executives gain access to their accounts and machines which then are used to trick employees into making funds transfers from the company accounts.
It is recommended that organizations keep awareness at a high level not only for regular employees but also specifically, the executives. Executives are the prime targets for much of the malware and phishing campaigns in these types of attacks and all too often, the executives and their minions are less aware than they should be about phishing and how to spot it.
Additionally, it is also a good policy to have some means of empowering employees to question the process of such transactions if they feel that there is something amiss. Often times the adversaries are counting on the social and psychological norms of corporate pecking order to just get an employee to react and carry out transactions like these.
As the tempo of attacks speeds up and more groups of adversaries start working together, the likelihood of follow on attacks using news items like the Anthem breach is high. In the case of Anthem, phishing emails started immediately after the incident made it into the news. Emails began to be sent from newly created domains created by a whole other sector of adversaries.
The Anthem breach for all intents and purposes, seems to have been Nation State actors and as such the data that they stole will not, and has not yet been seen to be for sale on the darknet or other places where this data is sold. This means that the criminals who do carry out this type of attack for money are seeking to capitalize on the backs of the APT by phishing already worried clients of Anthem.
It is recommended that organizations keep up with this type of activity as well as the breach itself. Targeted phishing emails are not just going to end users home addresses. These phishing emails and new waves of malware have been seen in corporate email systems as well. Awareness is key and as such talking directly to employees about these types of attacks will not only benefit them but hopefully stop incursions into your network as well.
The Anthem breach, while unfortunate, should be an object lesson for all corporations today. The scope of the breach and the attacks that were carried out to steal the information and keep access to the networks at Anthem should be studied by anyone who has a network and data they want to protect. In the case of Anthem though, it is becoming clearer that not only was it nation state actors but also that they had access to Anthem’s networks for a considerable amount of time before discovery.
As information becomes more available the likelihood will be that the initial incursion came from a phishing campaign using crafted domains (we11point.com etc) to get users to click on links and install malware on their machines. This is a common tactic and something that every organization has problems with as users are being manipulated by actors who understand human nature.
Watch the Anthem story and consider how your networks could or could not use telemetry to determine undue traffic to known bad actor sites as well as anomalous traffic. In the case of Anthem, it was a sysadmin who first noticed that their account was being used on a system that they had never logged into that started the incident there. Every org is vulnerable to these tactics and it is in the interest of every company to learn from others mistakes as well as the modus operandi of the actors involved.
Superfish, a simple piece of adware that was installed on every system that Lenovo sold in the last couple of years had upended the trust of the public about their products. This particular malware was to perform a man in the middle attack against SSL traffic and route the user to specific ads which then would pay Lenovo on the back end. This however backfired on them once the malware was discovered.
While Lenovo claimed that the adware was harmless it was shown that in fact this piece of software could be easily subverted to break into machines by setting up man in the middle exploits and getting users to log into things with their credentials as well as downloading malware. This is unacceptable and an object lesson in supply chain trust.
If one cannot trust the supply chain (e.g. laptops from Lenovo without malware pre-loaded) how can one trust that the systems they are buying for their companies are secure? This issue should be something that all companies consider when not only purchasing new equipment but also those systems or appliances they may buy grey market online. Can you trust the systems have not been tampered with?
Today the selling of “Threat Intelligence” is all the rage, but really how useful is much of what is being sold today? So far the focus of many seems to be on “who” carried out the attacks but not so much on the how. While the who can be important in many ways, it is the least of your worries when dealing with an incident and this needs to be a key focus for companies.
By engaging companies that sell threat intelligence a company can in fact gain a better foothold on protecting their networks and data. However, all too many companies are not prepared to really use the data that these threat intelligence firms provide because they do not have enough insight into their own networks to start. As such it is key to know your own capabilities and work with threat intelligence firms to set up feeds and methods that will help your company detect and deter as well as proactively mitigate ongoing campaigns.
It is recommended that when you look into threat intelligence feeds that you first undertake a serious introspective look at your environment, it’s maturity, and capabilities to truly leverage the data that you are buying and not to just have a feed as a check box in an auditors notebook.
Document for download and dissemination HERE
A Cosmic War
A recent article in The Atlantic has staked the claim that daesh is a millenarian cult bent on bringing the apocalypse upon the world. The article uses recent materials from Dabiq (the daesh propaganda magazine) and cites interviews with the likes of Anjem Choudary to back it’s case that not only is the group Muslim (well that is a given right?) but also that they are battling to re-create the Caliphate to bring the end times upon us all. A great battle with Shaytan (شيطان,) and even Jesus will ensue and in the end the Caliphate will win and all kufr will be destroyed.
After reading the article in it’s entirety I just had to sit back and wonder at the over simplification that just had been perpetrated on us all by this reporter. I think he frankly went to the George Bush school of Islamic Comprehension but I had to go back and read through all the issues of Dabiq to confirm or deny what the author was saying. Five issues of Dabiq later, I am still of the opinion that the article is off the mark where this is all concerned. I also believe that once again it is another classic case of a reporter writing about things without deep knowledge of them but yet speaking on them as if he were. Here are some salient facts that the Atlantic failed to talk about in this article;
- Hadiths Versus Qu’ran: Much of what daesh uses as exhortations and rationalizations for their actions come from the Hadiths (prophetic traditions) which basically are a grouping of sayings written long after the prophet was gone. So much of what is there is subject to doubt because this is based on memory or just made up whole cloth to be companion pieces and re-enforce certain ideals. This of course is also coming from religion and all religions have their books which were written a long time after the people involved had passed on. So the use of these even further separated texts from their original oral traditions that finally got written down is reason enough to doubt their validity.
- The Caliphate and Millenarian Prophecy: daesh seems to be only recently really interested in the millenarian slant on their battle with the kufr of the world and apostasy in general. In looking at their propaganda over the arc of their arrival and dominance it can be seen that this is a new feature. Specifically you can see this arc over the 5 issues of Dabiq magazine. This rhetoric over a cosmic war and the use of the eschatology concerning Rome, the Crusades, and the great battle with Shaytan (إبليس) frankly is only being leveraged now to give their base a boost as well as is a well thought out propaganda tool. The daesh want to recruit and they, unlike AQ/AQAP and Inspire found the right mix that has seemed to, in tandem with their actual taking of lands and creating a so called “caliphate” made all the difference in getting recruits to come to the new Afghanistan. This melange of things, rhetoric, tales of epic battles, use of ultra violent means, and the propganda generated from it is what daesh is about and using it, not necessarily I think do the core believe all that they are putting out there. I have yet to see Al Baghdadi speak on these things at all.
- The Language of Crusades and Rome: Another bone to pick here that I have is that the claptrap of using Rome and the Crusades is that they post date the prophet by quite a long time. You can see that daesh is carefully cultivating a look and feel using key words and ideals that resonate with people concerning the wound that is the Crusades. Honestly, this is just a hot button use of terminology and imagery that Bush only exacerbated when he said “This crusade, this war on terrorism is going to take a while. ” I remember face-palming when he said this on live air. Now the daesh and their acolytes use this all the time as a rallying call evincing images of Salahuddin but removing any of his more temperate decisions or commands concerning the greater war on the lands of the ummah.
- Propaganda Wars and Recruitment: The article fails to take into account that nothing daesh says should be taken at face value. The reporter goes on to talk to a few true believers (aka the deluded) in Britain and elsewhere but, as you can see, they are not in Syria are they? They are propaganda mouth pieces only and the fact of the matter is that all of what we have seen has been carefully created propaganda by the media wing Al Hayat. When reporters talk about daesh and all of what has been going on of late they always remark on the professional quality of the videos and other media being put out. Well, there you have it, it is propaganda and if you just believe that this is all that daesh is about, well, you have been fooled. This is all a means to an end to intimidate as well as recruit.
- Politics, Power, and Money: No matter how much the daesh clothe their movement in the millenarian trappings that you see in Dabiq, this is not just about a cosmic war. This is about power and politics as well as money. The daesh are now trying to mint coins as well as raking in huge amounts from the oil fields that they have taken in Iraq. No doubt if the caliphate ever really normalizes you will see Baghdadi and his core living well somewhere, not in fact frugally with the people.
- The Apostasy of daesh and Islamism: Finally, the daesh are the most apocryphal and apostatic group out there today. The use of the hadiths to rationalize their brutality is just a means to an end for control over the people. Fear of violence clothed in snippets of hadiths is apostasy in itself. They have carried out atrocities that Salahuddin would be shamed by never mind the prophet and if they TRULY believed in the teachings of the various books, then they would not be doing these things. So when the arguments start over Islamism/Jihadism and their book being the source of all the ills of the world much of it can be blamed on this one dimensional reporting in the Atlantic.
Once You Name A Thing You Have Power Over It
I guess in the end this Atlantic article serves the purpose of the US and others who don’t have the wherewithal to take the time to understand Islam, the region, and its history to give them an understandable bogey man. After all, in looking at the US governments answers to daesh thus far I for one can see this simplification to be of use to them. It has been hard to troll the daesh as we have seen with the “Think again turn away” program by (@CEP) and a nuanced approach is, well, nuanced. Don’t get me wrong, this whole thing is as complex as it gets but if daesh wants to simplify it all to gather recruits with their cosmic war propaganda well then turn about is fair play right? So go ahead CEP, use this and troll the living daylights out of it.
Sadly though, I fear they won’t do this..
However, everyone should know that this is not just some epic battle of good and evil. Satan and Jesus. This is not a millenarian cult in the least bit at its core and to think so is just stupid. I hope at least that this article does not cause even more troubles with Islamophobia amongst the uninitiated and stir more hate. Frankly, as I have said on Twitter recently; “If you want to paint daesh as an apocalyptic cult you may as well also paint Christianity as well. I mean, they are the ones who wrote revelation right?” It’s not the book but those who use the book for their own agenda. In the case of daesh, they aren’t even using the book, they are just winging it.
The Cyber Caliphate Hacks Newsweek and DCITA:
Since the hack on the Pentagon’s CENTCOM Twitter feed and the dropping of dox from someone’s email/phone/machine the so called “CyberCaliphate” had been looking for another target and it seems that they did find a couple in the Newsweek Twitter feed and someone at DCITA (DC3) Defense Base group. On February 10th the Newsweek twitter feed began posting data from another hacked account within the military, albeit the Defense Base side of the house, that showed the Caliphate had culled FOUO data from the DCITA. The documents dumped in screen shot form show internal rosters of phone numbers, some org charts, and other mostly uninteresting documents that are not super secret though sensitive enough to be problematic.
PS.. Dear feds, please don’t give me 10 years and a RICO conviction for just posting shit that is already in the open and is FOUO to start ok? *derp*
By problematic I mean that there are some tidbits in there like phone numbers and the types of jobs that these guys hold as well as who they work for, like the guy from the NSA who is signed up for classes. More at issue for me though is that if you look at the email addresses used you see that some of these guys are using YAHOO and GMAIL as their point of contacts! Why is this a problem? Well, because this is supposed to be a group tasked with the security of defense base companies like Pratt & Whitney, Lockheed, and others. Using GMAIL or YAHOO as their primary contact, hell, even a secondary places the information they hold potentially at risk from hacking… Like their shit being stolen and posted on a newly created website and a twitter feed right? This is TERRIBLE OPSEC and COMSEC kids!
The Attribution Games Begin:
Overall the data is mostly uninteresting as these things go. What is interesting though to me is the kerfuffle that Caliphate is causing and now the crazy attribution game that is going on out there trying to pin these hacks on someone. Originally when the first hack and dump happened the first person that everyone started pointing their collective fingers at was Junaid Hussain ( @AbuHussainIS ) but he actually denied being involved while laughing about the whole thing. Could Juny have something to do with it? Maybe, but he is in Syria and seems to have his own problems lately just trying to keep a twitter feed up. With this second hack and dump though another ersatz attribution wonk claimed that in fact the hacker in question was in fact an Algerian hacker going by the moniker PoTi-SaDz This reporter *cough* made some bold claims but provides no other proof than there is a commonality between the words on defacements made by the Team System DZ crew.
This guys contention is that because the imagery is similar in some of their defacements and the use of :”i Love ISIS” as a slogan clinches it that PoTi SaDz is the infamous Caliphate hacker. Well Matt, I have some other thoughts on that and you should pay attention. First off, please present a little more proof before you play the attribution game. Do you have a source? A snitch? Something other than some poor assumptions to make these claims? Let me give you some for instances here to consider after looking at these guys.
- You claim that they stopped defacing in 2014 and that is incorrect (see screen shot below)
- Have you seen the English used by these guys? It is broken and bespeaks someone who does not really speak it. Now go look at cyb3rc.com and tell me that isn’t a fluent speaker
- PoTi-SaDz M.O. so far has only been defacements and shows no other skill sets to speak of in hacking other systems that might dump these kinds of files
- Hahahaha funny thing.. PoTi calls ISIS alternately Da3sh hahaha Hey Matt, go read up on the word daesh and how ISIS hates that shit
- Nothing on the Caliphate’s posts shows any of these confusions, this person(s) knows about ISIS and is at least on the face of it making a good show of being a supporter without the cluelessness of PoTi
So once again, let’s not worry about who did the hacking! Instead let’s focus on how the hack happened in the first place! How did DCITA get powned in the first place? The hack so far looks to be low level, maybe someone’s email or a box that was insecure at the end user level who likely had stuff where they shouldn’t. The whole problem here is that everyone is all up in arms about CENTCOM’s and now DCITA’s stuff being hacked (ERMEGERD) by the daeshbags!
Trust me people, it would be a better use of time trying to figure out how this shit happened to people who should know better than trying to chase down derpy low level hackers like Caliphate. Wake me when Caliphate hacks something important ok? Until then let me go back to important things like Twitter and watching others fiddle while their digital Rome burns to the ground. Meanwhile, PSSSSST DC3, WTF dudes? Stop this shit! You have important data to watch leave Lockheed’s network! Yeah, I remember fondly the JSF data exfil! Those were the days…
Cyber WAR indeed… <Shakes head>
Since the Charlie Hebdo attacks it seems that Anonymous has finally become self aware about the online jihad that has been going on for years now. While I can laud their determination and willingness to… Help… I cannot agree with what they are doing with their blunderbuss approach to the taking down of ISIS online. You see kids there is more to all of this than just knocking off some poorly secured sites that the jihobbyists run to end the threat of daesh. Oh, and yeah, by the way call them daesh at least huh? If you do a little reading about them you will learn that daesh loosely translated from their Arabic acronym means “to crush under a boot” they don’t like it.
Anyway, back to what I was saying here. Look, I know you want to help (some of you that is) Others are looking for a quick fix and media attention, which hey, if Mandiant and Crowdstrike can do it so can you right? The main thing though is that if you are going to prosecute a war on terror then you should at least try to be helpful to the IC while you are at it okay? The second thing is that you are all fighting a battle you cannot win here and no matter how you try you are only getting in the way of things in reality. What do I mean? Well, let’s look at it this way;
If you take all the sites down for however long you will only force them to make other sites that are more under the radar. You will be also teaching them about security and you don’t want to be doing that do you? Say, did you see the article from Glenn Greenwald about how Iran learned from our Stuxnet attacks on them and are now a real threat? Yeah, see, it’s a double edged sword kids.
I have looked at all your plans and really only one site in the lists there was important to the jihobbyists as a platform of getting the word out. On the other front though, your Twitter war has been interesting to watch as well. Take it from one guy who has been doing this a while *cough jihaditwits cough* it is not really all about taking down the accounts. It’s about learning who the talkers are, who they talk to, and what the pipeline is for propaganda to take down, not just scatter-shot take-downs of accounts. Moreover let’s talk about doxing these guys and providing that to LE huh? I know, I sound like a broken record right? Look, we could use all the help we can get out there.
Back to the Twitter war though, let’s talk about this a bit. You see that graphic above? Yeah, those are just a small sample of accounts that I have collected recently. There are ZILLIONS of these guys out there on twitter re-tweeting links to content from Syria and other places. Have you stopped them? What? You haven’t gotten them yet? Let me tell you, you won’t either. The sad fact is this is the biggest game of whack-a-mole there ever was. I recently stopped altogether because I had to take stock of what I was doing. Was it having any effect at all? Even with my targeting of players who were really plugged in was I having a positive effect? Well, I guess I was from the point that I got the fatwa’s and the warnings about the account but in the end I was kind of meh about it so I took a break. I am back though and I wanted to share with you my thoughts on your “digilante” war.
So here are my parting thoughts…
- MMD, you gotta stop bein so derpy.
- Anonymous, work smart and not just carpet bomb here
- Share your dox with LE
- If you are going to go after Twitter accounts make them count. QUALITY OVER QUANTITY PLEASE
- Do your research and understand the propaganda war going on here kids. You knock out one channel they will open another
- Understand that you are teaching these idiots! You will eventually make them smarter
- It may feel like you are doing something but you really aren’t from the perspective of the GWOT
- While you may feel like the propaganda war is being won by you, the reality is that they love to be martyrs so you are only going to make them work harder and gather more followers
With all that said, I am sure you will continue doing what you are doing. Even more so once the news cycles start stroking the collective ego’s involved. Just know that you are not stopping them. Stopping them is up to the governments of the world and the military forces that will eventually have to kill or capture them all.
In the wake of the release that Anthem has been hacked I have been taking stock of where we are today where information security is concerned. It seems that if you just look at the industry through the lens of the news media, we are all under constant assault by so called advanced actors out to steal us blind, spy on us, or take our personal data by exotic means that are inscrutable. The realities though are far from the truth where it concerns the advanced nature of the attacks that play into the media and marketing blitzkriegs by companies like Crowdstrike or Mandiant/FireEye are hawking.
The realities are that today we have businesses selling intelligence wholesale to corporations that are not mature enough to use the data they are being sold. On average, the data being sold by these companies is nothing you cannot get from open source arena’s for free and on the whole are overly focused on attribution of groups and actors. While a mature organization might have use of these feeds and reports on various groups the average company out there today just cannot use the data because they lack the practices and people to truly understand the information as well as apply it to their orgs.
Clearly the business model today is intelligence centric and completely lacking in the areas of not only showing companies how to use their intelligence feeds to help in detection but also how to fortify their environments against the attacks to start. Richard Bejtlich was recently on a panel in front of the Senate when he made the comment that many times after his company Mandiant, had been on an engagement with a client they were once again compromised shortly after they left. This comment alone shows just how little these companies like Mandiant are having any effect on teaching these companies how to at least detect if not halt attacks. Attacks mind you, that are not necessarily advanced as the APT moniker implies.
Let’s face the fact that most attacks today do not come from exotic 0day and sneaky DMZ hacks. No, instead these hacks happen through social engineering and phishing attacks. Sure some hackers may be using 0day within their phish attacks but it has been my experience along with many others, that it does not require a 0day to hack a corporate network today. The problems with many corporations stem from a lack of security awareness as well as presence within the org to instil secure practices like patch management and employee awareness on what a phish looks like and how to detect them. Neither of these skills are things that Mandiant or Crowdstrike offers as a primary service. After all, if they did and it really caught on, where would they make their money?
Still however, it is not Mandiant or Crowdstrikes problem is it? They are in the business of incident response and threat intelligence right? No, the real issue here is that both of these companies perpetuate the idea that attribution is the key to stopping all your hacking woes and not so much about having the proper security infrastructure to mitigate these attacks. And by infrastructure I do not mean just hardware and software, I also mean people with skill sets and an organization that understands security from the CEO down. This is the primary issue that I have seen throughout my career in penetration testing and information security. Frankly, it is one of the biggest reasons that pentesters love doing what they do, the corporations make it easy for them because they don’t have a security mindset.
I cannot tell you how many times over the years I have seen orgs that had grossly misconfigured systems as well as a lack of processes or policies that would mandate that things be run securely. Add this to the notion that these companies also lack real telemetry to track incursions and you have an org without any insight into how it operates as well as what traffic is going in and out of their domain. This is endemic in corporate America and anyone who tells you any different has an agenda to cover their own ass. Collectively corporate America should be totally afraid of what POTUS has proposed in the way of intelligence sharing and not because they should be worried about PII. The real fact of the matter is that they are all going to be worried that they will have to actually perform due diligence, spend money, and have actively operational security programs to feed that information to the sharing program to start.
I would like to change the rhetorical argument then from caring about the who so much and more about the how a hack happens. How did the adversary get in? How did they leverage the vulnerabilities within the company to steal the data without being seen? How did the company miss all of this ex-filtration of data in the first place? These are questions I would be asking first say about Sony than who did it? Was it North Korea? Instead, let’s talk about the organizations failures in security and how they can better shore them up to stop the next attack instead of banging the attribution gong so loudly.
With the announcement today of approximately 80 million records being stolen from Anthem and the usual buzz words of advanced attack ringing in the air, I for one had to say something about the realities we face in security. Simply put, it is too often the case that organizations place security in the category of red headed step child and relegate them to the sub basement as a necessary annoyance. Security is a cost centre and is troublesome all of which is anathema to business as usual. Security causes things to perhaps move slower, make people take a little more time to think, and generally feel like a drag on the hyper-kinetic business model so many corporations feel they need to be today. As such it is always a battle to insure that basic security practices are carried out like patching and hardening of systems. It’s a sad truth and you all must have run into this if you are a blue team player.
How do we fix it all? I have no idea. All I do know is that we are losing the battle and it is not because China is hacking us all with advanced malware on par with Stuxnet. We all need to understand that what we see out of the media is hype and what we see out of the vendors is marketing and not necessarily what we really need. Until such time as all organizations out there understand security and it’s nuances we, the workers within the security field as blue team members will be Sisyphus.
Threat Intelligence Report – December/January 2014/2015
In the months of December 2014 and January 2015 many paradigms on how the security of the Internet was perceived began to change. With the advent of the Sony hack and all of the fallout since, there has been quite a bit of angst on the part of governments across the globe in response to the attack.
This concern is warranted because the Sony hack set a precedent in destructive actions on the part of a nation state (ostensibly) to attack a private corporation and completely destroy it’s capability to function as a company for many months. To date, Sony is still off line internally with all of it’s various systems being reconstructed to enable workers to resume regular business.
Alternatively, other attacks like the Christmas day attacks on Sony and Microsoft’s PSN and Xbox networks took their functions off line at a key time for gamers with new consoles to play the games they got for Christmas. These DoS (Denial of Service) attacks were carried out by a group of “script kiddies” (hackers without real skills) called “The Lizard Squad” and their arrests are now happening in January by the FBI and others across the globe.
The final assessment though is that the game has changed and the rules are yet to be determined on a legal level as well as on an attackers decision process on how far is too far to go. In the case of the Sony attack, whether or not it was a nation state doing so, the game changer is that they completely destroyed the capabilities for Sony to operate their business. This situation ups the stakes for other adversaries, both nation state and other, to a level at which nothing is taboo and everything is possible.
In short, we are living is “Interesting Times” as the Chinese say, and we had all be ready to handle the outcomes of potential attacks like the Sony attack because it is likely that it will not be the last one of it’s kind.
The Sony attack was not new in the sense that the malware had been around for some time on the Internet. A version of it had been used in 2013 on banks in South Korea and it managed to destroy quite a bit of data. However, the attacks in 2013 had been stopped before the complete destruction of the banks systems was complete. However, the notion of using such malware attacks by an adversary in such a way had not been carried out before on private entities and this was the game changer.
In the case of Sony, an iteration of the malware from 2013 (DarkSeoul) was upgraded with about forty percent more changes to the base code that refined the process a bit. The malware, after editing was leaner and able to destroy drives in a very quick fashion. The crux of the attack lay in the malware choosing a certain section of the drive (middle) and quickly taking that section out with destructive wiper tools. In essence, that one stripe made the drive useless.
This in tandem with the hard coded domain names, addresses, and passwords of high level accounts, made the attack all the more destructive and pervasive. The sole intent of the upgrades and deployment of this malware package (4 variations of malware in total) was to take Sony off line hard at a maximum cost.
The assessment that goes along with this attack on Sony is alluded to in the executive summary. The crux of the meaning being that this malware was not advanced. It has been around since 1998 as a concept, and the attacks used to place it in the network were not new as well. What is different is that the actor was willing to carry out such an attack on their target in the first place.
The changes to laws you are seeing proposed by the Obama Administration show just how in earnest they are to respond to this change in tempo of cyber warfare. There are few international laws that handle this type of attack and we have yet to have any real substantive ground rules that all countries would abide by in this battle space.
Additionally, the attack on Sony also sets the tone for non state and chaotic actors who may want to just wreak havoc wherever they can with the same tools. Remember that the code is already out there and the access can be granted through phishing attacks or insider access at any company. This attack and the narrative on how it happened should be paid heed by every company today because they too could be the next Sony with the right adversary set to destroy them.
As stated above, the US Government has been actively seeking to update and create new policy on hacking and cyber warfare since the Sony attacks occurred. The Obama White House has in fact put forth changes to the CFAA (Computer Fraud and Abuse Act) as well as new legislation covering all manner of information sharing as well as repercussions for hacking.
The primary concern for business though should be the changes to reporting on incidents as well as the proposals for an information sharing between companies and the government on security threats being seen in the wild. These information sharing programs already exist in the private defense contractor space but as yet do not exist outside of that realm. The matter of the reporting of incidents however is a new and prickly topic and as such should be watched closely by corporations to be sure of what they may have to report on and in what time frames. Additionally, they should be concerned with fines for non reporting as well as issues over releasing data on vulnerabilities they may have.
The primary concern that companies will be looking at will be the reporting and repercussions from doing so. At present this is all notional and with the president being a “lame duck” it may not be something that companies will have to concern themselves with at all. That is unless the Senate and House decide to act on these proposals.
The Lizard Squad, is a loosely knit group of script kiddies that created a now defunct DoS (Denial of Service) software package that was used to take Sony PSN and MS Xbox networks down on 12/25/14.
These attacks were chaotic in that the Lizard Squad just did it because they wanted to. There was no political agenda, there was no real stated reason, they just took things off-line to make people unhappy and to gather fame for themselves.
At present, the Lizard Squad’s tool is off-line, the code of which has been dumped online, and the services users passwords (which were not encrypted) are in the open. The FBI is investigating the incident and has in fact captured three of the hackers from the group already with more to come.
The Lizard Squad is just one group of many that come into existence and go out of existence on-line regularly. Loosely modeled on Anonymous, the Lizard Squad acted out of a need to chaotically cause mischief on-line without much more reason than they wanted to.
This type of actor is becoming more prominent with actions like this and with each big story, and the attention they are given, more will rise up like them to sow havoc on companies on-line. These actors for the most part usually carry out attacks though that are not as complex or devastating as the Sony attack but they could also evolve and carry out like attacks.
It is thus important that companies pay more attention to groups like these and monitor OSINT and other threat intelligence feeds to be aware of groups that might target them. Being armed with information may make all the difference in the world to your OPSEC against such attacks by these actors.
Dell SecureWorks Counter Threat Unit(TM) (CTU) researchers discovered malware that bypasses authentication on Active Directory (AD) systems that implement single-factor (password only) authentication. Threat actors can use a password of their choosing to authenticate as any user. This malware was given the name “Skeleton Key.”
CTU researchers discovered Skeleton Key on a client network that used single-factor authentication for access to webmail and VPN, giving the threat actor unfettered access to remote access services. Skeleton Key is deployed as an in-memory patch on a victim’s AD domain controllers to allow the threat actor to authenticate as any user, while legitimate users can continue to authenticate as normal. Skeleton Key’s authentication bypass also allows threat actors with physical access to login and unlock systems that authenticate users against the compromised AD domain controllers.
This malware is novel in that it uses a flaw in the Active Directory in tandem with single factor authentication. This novel approach, if not mitigated by Microsoft, could be enhanced and used more widely by attackers. There is however one flaw in the malware that mitigates the attack;
The only known Skeleton Key samples as of this publication lack persistence and must be redeployed when a domain controller is restarted. CTU researchers suspect that threat actors can only identify a restart based on their inability to successfully authenticate using the bypass, as no other malware was detected on the domain controllers. Between eight hours and eight days of a restart, threat actors used other remote access malware already deployed on the victim’s network to redeploy Skeleton Key on the domain controllers.
However, if you have a level of compromise that would grant the access needed to install malware on the domain controller, then this attack is secondary because the adversary has already compromised you at a deep level.
Full report for download HERE: Report