Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘A new niche’ Category

Defcon Grows Up and Gets Recruited As An Asset…


I came to Defcon this year as it turned 20, and after much had changed on the world stage regarding our business (INFOSEC/Pentesting/Dev/SECOPS), much remained the same. What has really changed though, and could be seen at this anniversary year, was just how much our antics and interests were now the new “hotness” to the government and the military. Never before had the NSA had a booth at our conference but this year, they were there with recruiting in mind and that is a big change.

However, you may be saying to yourself right about now, “Uhh, but, this has been going on a while, not just now.” Well, yes, it has, but what I noticed at this last con was that it’s not all about the tech; this year, it was also recruitment of human assets who would give “intelligence” to the players like NSA. No more are they just looking for programs and programmers, but also seeking to make connections with people who have connections. You see, as Shawn Henry said as well as General Alexander, “we need you to keep an eye out and tell us if you see something.” What I heard was the equivalent of the “if you see something say something” that the TSA has plastered at airports.

This is an important paradigm that we all need to be aware of. With the advent of Anonymous and Stuxnet as well as the nascent idea of the internet becoming a “digital nation state” we all have to be mindful that while the technologies out there are a commodity, so too are we in the great game of cold war intelligence and cyber war. We are the commodity that makes the new exploit as well as being the HUMINT asset that intelligence agencies need to “collect” with.

Now, while you are pondering that, consider the fact that the “opposition” is also trying to curry favor and recruit us as well…

Yup, that’s right. That party you might be attending might in fact have operators from other countries’ clandestine services too. In fact, that party could even be funded by said agencies and players to get you to chat and perhaps leak meaningful information. Think about it, how many of you out there reading this post work for Fortune 500 companies as security technicians? What kind of data is in your head that might be of use to a foreign operative?

Ponder that as you sip that free drink late in the day. Say, did you know that the Chinese most preferable means of gaining intel with visiting professors and the like is to have them overtired and tipsy? It’s true, it’s low level but it’s been used on many an occasion. You see, once you start talking, then you open the door for more rapport building, and then it’s pretty much over. One wonders how many Los Alamos folks had the same treatment on trips to China. Now think about the average Defcon party and the amount of alcohol and sleep deprivation we have going on there.

Just sayin…

So, look at it from that perspective. Now that the NSA has come to the con, just as the FBI and other agencies and security bodies have, so too will the “other guys.” I don’t know how many of you out there come from military or “other” backgrounds where you will have had DSS or counterintelligence training, but I am assuming that a vast majority of the folks attending the cons today do not have that background, especially the younger ones who’ve only been in the security arena a short time. Pentesters who know SE should be able to easily detect some of the techniques used to recruit an asset and tease out information. Others, maybe not so much.

So here we are today, APT (Yes China being one purveyor of APT attacks) are not only using malware to get into systems but also recruiting sources to help them in their goals. Used to be a time that it really only was the nuclear scientists getting the attention… Today though, everything is game, you might make widgets, but that doesn’t mean that someone doesn’t want to know what you know.

Pssst… It’s still espionage kids… And now YOU are part of it because you hold interesting information.

How’s that for some “Threat Intelligence” huh?

Which brings me to the second line of thinking or topic that came up this year. The government is asking us to consider more “threat intelligence” and to bring them in on the loop. See, right there, they are asking you to be an asset.. Did that occur to you? Of course I know for the most part you all thought, as I did too, that the idea was a bit silly.

Why?

Because who really has that kind of threat intel program going on today? Hell, we are all pretty much trying to just keep our shit together right? On average, unless you work for a major company, you may not even have a SIEM or even a Snort instance right? How are you going to convince your employer that you need that stuff and then more so, to pass that intel to the government? The only groups I have known to do this are the DIB partners, and they do it because they don’t want to lose contracts for the military.

So now, we would all be assets? All corporations out there, whether they are being attacked by APT or Anonymous, would be reporting their incursions or attempts at them to the government? That’s kinda spooky really. This also circles back nicely to the idea that we all now, all of us in the INFOSEC community are now collection nodes for SIGINT/HUMINT/MASINT/ELINT and not many of us have had the training to be analysts.

You see, when you use the words “Threat Intelligence” this has some context that some may not get right away. It’s not just what IP is hitting us and with what attacks anymore. It’s about the context around all of that and the attribution that is needed for cyber warfare, or more likely, cyber intelligence operations. I expect to see a lot more of this lobbying going on at all of the cons as well as more people sidling up to the attendees and asking “so, what’s going on out there?”

For those of you not acquainted with HUMINT and its techniques, I suggest you read “The Art Of Intelligence” by Henry Crumpton and learn… Why? Because that guy you’re talking to at the cool party might just be a PRC case officer…

Interesting times….

K.

Art Theft *Not* Funded or In Demand Because of “Rich Collectors”


Karl Heinz Kind, who heads Interpol’s Stolen Works of Art unit, scoffed at the romantic, cinematic notions nurtured by “The Thomas Crown Affair,” which featured a stolen Monet, that rich collectors are behind art thefts.

“Pure fiction,” he said.

Full article here at the NY Times

Dear Karl,

You are full of shit as are all your friends who say the same thing. Sure, on average you cannot say that there have been a plethora of rich tycoons setting up heists. However, what you can extrapolate, and you fail to do so for this article, is that it takes a wealthy individual with a desire to acquire such art to PAY for it. Thus, the thieves always know that there will be at least three ways to fence the object:

1) They will make a ransom demand or a play for the reward for return of the art

2) They fence it and the fence hopes to find a fat cat buyer who “wants” it or knows someone else who does

3) They will try and turn it in for a reward

Really Karl, think outside the box a bit huh?

Regards,

CoB

Now that I have that rant out of the way… Let me talk a little bit about this article’s contention as well as a nice business that I think should be started up. As I mentioned in my rant, there has to be a “MARKET” in order to perform the crime and expect to be remunerated! Do you really think that Joe Blow on the street is going to have the money to buy these illicit art pieces from the fence? I mean, am I just not seeing the big picture here or something? The illegal economy has its wealthy clients no matter what Karl has to say. Sometimes I will admit though, the client may not know the provenance of the piece. As well, some may not “want” to know that provenance either, right?

On the flip side, this article has some interesting things to say that are kind of contradictory again to the whole picture of the gentleman thieves and “derring-do” of the classic cat burglar in film and story. Life IS imitating art here no matter how much the cops want to deny it. You see, the thieves are becoming more sophisticated in their intelligence gathering, their skill sets, and their heists in some cases. The recent heists involving stolen art works have been mostly interesting crimes where there is very little evidence to follow on just who did the deed because they have been doing their homework, much like what you have seen in the movies (Ocean’s 12, Heist, Thomas Crown, etc.).

In real life the heists like that of the Antwerp Diamond heist have very strong elements of planning that mirror the best of the heist movies out there. What’s more, as the article mentions, it has become a game or a puzzle that the thieves are proud of pulling off, it’s something to be proud of in their minds. Think about it though, why are all those heist movies so popular huh? We all want to be that smart and that daring right? It’s a part of our genetic makeup…

Simple fact is this.. If you could get away with it… You’d try... And that is the appeal of daydreaming about it.

Meanwhile, the museums today have been hit hard by recession and the lack of arts spending, so is it any wonder (as the article alludes to) that the systems that protect the art are subpar or broken? They don’t have the money to really protect it properly so they rely on security through obscurity. The other side of this is that most of the art is accessible to the public in close quarters. The Mona Lisa is behind bulletproof glass and vaulted, but it was only after the attacks on the Uffizi that this really happened. All too often today, you can go up to a famous piece of art and see that there aren’t any real security systems around them or, as in the case of the Paris museum, the system had been in need of repair and known to at least 100 people.

You see, unlike all those films that we have seen with lasers protecting the art, the real stuff sometimes has absolutely NO SECURITY. In the case of the Picassos, they were in the home of family and not wired. These guys had the audacity to go in while she was there and cut them from their frames! I personally saw a large collection of known works in a corporate building that I was there to do a security assessment of. None of the artwork was wired and in fact one of the pieces I liked best was right next to a fire exit door that was not alarmed either! I could have made off with a nice little Monet.

*poof*

I put that in my report and the response wasn’t favorable. They in fact said it had nothing to do with their computer security. I came back with:

“Well, if you aren’t going to protect your art masterpieces with alarms, how secure do you think you have protected your server room and your AS400?”

They shut up after that…

What it all comes down to is you have to take the due care to protect your valuables just like your data. If you can’t be bothered to do so, then you will lose it eventually.

The mindset change that has taken place in the criminal set is also quite important. The article mentions that there are no groups that have specialized skills that work together. Well, wrong again. The “School of Turin” was an interesting group of men who had specific skill sets that worked together and honed their skills to pull off the Antwerp diamond heist. So that particular statement came right out of that Interpol officer’s ass… Which really makes me wonder what the fuck they are thinking…

Anyway, the criminals have been evolving with the hackers. That’s it right there. The hackers have adopted the methods not only of technical hacking but also elements of espionage tradecraft and surveillance. All of these techniques, when used together, can coalesce into a heist planned out and implemented with precision. It is only natural then that teams of thieves going after targets would get individual players with specific skill sets to carry out their plans huh? The net net here is that if you want to steal that object of desire today, usually you have to have some technical know-how and a plan.

Now, about that business idea… I have always liked the idea of being the art theft investigator. They play a role in most of the heist films, and they are usually the folks who are the recovery specialists for the insurance companies. I think though, that I would like to put a twist on that and be the penetration tester for museums to test their security. Now that would be a fun gig. A red team for the art world that is hired to break into museums and steal.. Well steal as much as you can huh?

This would be a great challenge I think… Of course given the state of things lately, perhaps not huh?

It would be an interesting job to have being technically inclined as well as having the interest and practice in physical security… I will have to ponder this some more…

Take a read through the article.. Then take your copy of “The Italian Job” and have a sit down….

CoB

Written by Krypt3ia

2010/08/27 at 18:24