Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Advanced Persistent Threat’ Category

Spies Using Social Media? No. Way. *Eyeroll*

leave a comment »

Screenshot from 2016-07-31 07-15-27

THIS rather breathlessly hyperbolic report on JTRIG using social media and hacking to spy on, or manipulate people, governments, and movements as well as gather INTEL on them had me eyerolling. Yes, this is new in that social media is new as is the Internet and hacking but really, the techniques of manipulating populaces for political and espionage advantage are nothing new. The spy agencies out in the world perform these PSYOPS and disinformation operations all the time and in the olden days kids they used to manipulate the press, then TV and the press, then INFOTAINMENT. There is nothing new here…

What you all have to realize is that now YOU are more easily hackable, your information more able to be stolen or accessed by writ of law, or YOU give it away by using applications that have been expressly created to give the agencies access to you as in this URL shortener that GCHQ used on the protesters in the Arab Spring. You all have to realize that unless you are code auditing everything you use on the net, then you too could easily fall prey to information leakage or outright compromise if you are a target of the “community” at large.

I would also like you all to take note that those who may support Wikileaks, or be a member of say Anonymous also were targeted and used in this operation by GCHQ as well so if you are an Anon, you too have been targeted rather directly (like the citation of Topiary’s conversations) so you too are not safe even if you are trying to use good OPSEC, which, it turned out, and I have written about in the past, you were not. Oddly enough though, the Snowden leaks on JTRIG also show how the same issues are at play for those operators within NSA/GCHQ as well. Trying to keep sock accounts straight, know the language and the patter, as well as the political issues is problematic when you are doing things on a larger scale (trust me I know) so at least you have that going for you right?

Heh.

Wake up people.

OPSEC… Live it.

Dr. K.

Written by Krypt3ia

2016/07/31 at 14:30

DNC Hack: The Flying Fickle Finger of Fate and Intelligence Analysis

leave a comment »

ikQnbyk

 

I had some Tweet conversations this morning that led me to a need to make yet another post on the DNC hack debacle. @Viss and @mr0x20wednesday both struck up a conversation after I posted a link to the NYT article on the consensus that is growing within the government that Russia carried out the hack. The consensus building is coming from assessment by the CIA while the FBI has initiated an investigation into the hack and the subsequent dump of data to Wikileaks and to the web via the wordpress account for Guccifer2.0. It is important to take note of the previous statement I make here about who is “assessing” and who is “investigating” and that is something people in the general population do not quite grok much of the time. The FBI attempts to prove things in court and the CIA generates analysis and assessment to help leaders make decisions. These are two different things and I want you all in INFOSEC to understand this when you start to have conversations about spooky things like the hack on the DNC and the subsequent possible propaganda, psyops, and disinformation campaigns that may ensue.

I recently wrote a more irreverent post while I was in a more Hunter S. Thompson state of mind concerning American politiks and the mess we are in, but the core idea that Russia carried off this hack and the actions after it still hold true for me. Many of you out there are reacting more like how I reacted when the Sony attack happened and once again I also find myself asking the same questions and having the same concerns over attribution versus solid evidence. There are many issues at play here though that you have to take into account when dealing with an action like the Sony or DNC hacks where information warfare or “cyber war” are concerned. Most of the considerations you have to make surround the classification of much of what you might get in the way of evidence to start with never mind about the circumspect nature of attribution that is being released to the media. At the end of the day my question to the FBI was “Show me proof” which is their job right? FBI is part of the DOJ and should be leading to charges right? Well, none were proffered by the Obama administration, some sanctions were laid on DPRK but no charges, unlike the wanted posters for the Chinese agents that the FBI laid out for hacks and thefts of data. There is a distinct difference here and that is evidence that can be presented in a court versus attribution and analysis by companies like FireEye and Crowdstrike. True, both those firms can prove certain things but primarily, as you all know out there, attribution is hard to prove so it really stops at analysis, more like the intelligence agencies content and mission.

So where does that leave us with regard to the DNC hack? Well, the attribution data presented first off may only be a portion of what Crowdstrike may have. Other portions may in fact have been classified or asked to be held back by the government (I’d say pretty likely here) and may some day be revealed. If the Sony hack is any indication though of this process, not so much. I am still unaware of any real conclusive evidence of Sony’s hack being DPRK but like I said, the US government sanctioned DPRK over it. It is not likely the government and the president would do so without some more solid evidence but one must consider “sources and methods” when dealing with international intrigue like this right? Don’t like that? Well, get used to it because you are going to see more and more of this as we move into the golden age of nation state hacking and covert action. There will be things you John Q. Public, will never know and will be classified for a good long time. Just take a stroll through the Spy Museum in the cyber war section and look at some of those code names. I bet you haven’t heard of some of them and at least one of them, some of us, were VERY surprised to see on that wall already.

But I digress…

At the end of the day though I have to go with previous experience, Occams Razor, and a sense of Cui Bono concerning the DNC hack/dump/manipulation. Some may argue that the GRU and KGB (yes, once again old agencies don’t die, they just change names 😉 ) would not be as sloppy as to leave the breadcrumbs that are being found by Crowdstrike and others. I would remind you to look at at the last big operation that we busted in the US by the KGB as well as the recent posting of selfies by a KGB graduating class as examples of “everyone fucks up” For that matter, shall we mention our own CIA’s debacle with the Pizza Hut? Every agency screws up and every hacker does too. Humans and human nature insure that things will get messed up, there are no perfect operations. In this case the assets involved likely had access to the DNC as well as the RNC but decided to use this data to influence the elections in a manner that they could get away with it easily. This is the nature of spying, politics, and geopolitics, take a look at the history of the CIA and dirty tricks in the politics of South America and then picture it if they were doing the same (hint, they are) today in the cyber age.

That’s right kids, there have been other dumps and hacks. Perhaps some of those too were the US? Think about it.

Russia and Putin have been gerrymandering elsewhere, money and influence operations have always been around. Now consider yourself to be Putin and you have an operation that gave you easily funnelled information to the likes of Julian Assange and Wikileaks! Even more enticing, the fact that you all know that attribution is hard to prove in hacking! What do you have to lose if you are Putin or anyone else? So, if you look at how this plays out, and what more may play out come October, who, what nation, would have the most to benefit if we actually had trump in office?

Think… The answer is ANYONE who would like to take America down a peg and have more possible influence on world politics.

If you look though at the rhetoric by Trump you can in fact see that the big dog in the room would be Putin though. Just think about it! How much more power and sway would Putin have if Trump were in office and dismembers NATO? Come on now kids, think about it. Ask yourselves “Cui Bono?” here. So stop the quibbling about the attribution and the finger pointing. Take the analysis by the CIA and others as well as the eventual data the FBI comes up with and start looking to how can we fix the problems here? There are so many problems though that I too get disheartened. The political system is broken, the information systems are not properly protected, and we run headlong into creating more weaponized code? It is enough to make a man drink.

Ooh good idea…

Dr. K.

ASSESSMENT: The Target Hack As An APT Style Attack

with 3 comments

140110103529-computer-hacker-620xa

Fazio Heating & Cooling Phished via OSINT:

Screenshot from 2014-02-12 13:42:14

With the release of Brian Krebs’ article on the Fazio Heating phish and use of their credentials in the Target TTCE/POS hack comes the notion that the criminals potentially used OSINT to carry out their crime. In looking at the sites that Brian has posted about you can see that there is a plethora of data available for an attacker to use to footprint Target as well as the eventual partner or supplier that was to be Fazio. By using common tools and techniques it is quite possible that the Lampeduza Republic or proxies thereof carried out the intelligence gathering needed to determine who they should target in order to possibly garner access to the Target networks via portals like the supplier portal mentioned in the article. What may in fact be the case though is that Fazio was just one target of a phishing campaign directed at all of the vendors that could be gleaned from the site leakage online (i.e. doc files, pdf files, and xls files containing metadata as well as direct data on companies and contacts that can be harvested through Google and Maltego) All of this data could well be used to set up phishing campaigns for any and all vendors found in hopes that they (the criminals) would be able to gather access credentials for the Target network to carry out the next phase of the operation.

Side Channel Attacks:

In this case it is being intoned that the access of Fazio on the extpol.target.com site/application may have had AD credentials that could either have had too much access to start or that they were used to escalate privileges on the server/system/application to exploit the core server inside the TTCE. While this is possible, one has to wonder if that is indeed the case or was there some other access that Fazio may have had? It seems though on the surface of it, that the access to this server and the lack of segmentation allowed for the exploit to be carried out and access granted to more of the internal networking within the Target TTCE. The fact though, that at the present time people are saying (off the record and anonymously) that Fazio was the epicentre of the access that caused this data theft shows a certain type of attack that is more common to a more planned and funded style of operation called APT. The side channel attack here is first foot-printing all the companies that doe business and then either choosing a target to phish or hitting them all to see what access could be stolen for escalation. This is a common APT tactic and bespeaks more planning than the usual phish of a company like target (shotgun approach as Brian says) and then exploiting to steal data. This from all evidence thus far, seems to be a very well thought out campaign from the creation of the malware (BlackPOS) to the phish and ex-filtration of data.

APT Activities by Non State Actors:

Up to now the focus of all of the APT talk has been over nation state actors. I would like to point to the Target hack and the Lampeduza as as evidence (so far) that we are now seeing a non nation state actor taking cues from all of the talk about the APT and using those techniques to their own advantages. It is of course not difficult to carry out these types of attacks in an orderly and persistent manner, it just takes an organization that is motivated and able to handle the work. I would say that the Lampeduza shows this kind of regimented behaviour as well as a motivator in the dumps of cards and easy money from their sale. The point being is the APT genie is out of the bottle and anyone with the means and the will can now carry out APT style attacks by using OSINT and other common hacking techniques to commit their crimes so no, it’s not China all the time is it? This case as it unfolds should be watched by everyone in the Infosec community because these types of attacks are only going to be more and more common and not just reside within the sphere of nation states and espionage.

ANALYSIS:

The ongoing fall out from the Target compromise is becoming more and more interesting and prescient on many levels for the security community as well as the populace at large. The attack vectors are leaking out slowly and I am sure that some day soon there will be an explanation from the DFIR folks hired by Target and the USSS as to what really happened. In the meantime information like Brian’s is very elucidating on how things may have happened and with the direction they are taking currently, it would seem that this attack and exploitation cycle was rather well thought out. As you have seen in my previous post, the Lampeduza while flamboyant, also show that they seem to have a sense of hierarchy and military ethos that I can see fits well into a criminal league who use APT techniques to get into systems, exploit them, and then keep the persistence as long as possible as they exfil their desired data. That these guys also seem rather blatant about their sites and their actions only seems to be an exceedingly large case of hubris that may eventually get them in trouble but that is for the future to hold. As well, if it wasn’t the Lampeduza who carried out the attacks, then whoever they are working with or hired has been studying the APT in the news cycle as well. Either way, this was a slick attack and I look forward to seeing where all this leads.

K.

Written by Krypt3ia

2014/02/12 at 19:13

So here’s my thing….

with 3 comments

dark_of_night_OURO

VQX HWMVCUSE JQJFASSNTG QV! X HQ JD ISIAVVE!

Face it.. We are all PWND six ways to Sunday

Every frigging day we hear more and more about how the NSA has been emptying our lives of privacy and subverting the laws of this land and others with their machinations. It’s true, and I have been saying as much since the day Mr. Klein came out of his telco closet and talked about how the NARUS system had been plugged into the MAE West back in the day. We are all well and truly fucked if we want any kind of privacy today kids and we all need to just sit back and think about that.

*ponder ponder ponder*

Ok, I have thought about it and I have tried to think of any way to protect myself from the encroachment of the NSA and all the big and little sisters out there. I am absolutely flummoxed to come up with any cogent means to really and truly protect my communications. Short of having access to the NSA supercloud and some cryptographers I don’t think that we will not truly have any privacy anymore. If you place it on the net, or in the air. We have reached in my opinion the very real possibility of the N-Dystopia I have talked about before in the Great Cyber Game post.

As the pundits like Schneier and others groan on and on about how the NSA is doing all of this to us all I have increasingly felt  the 5 stages of grief. I had the disbelief (ok not completely as you all know but the scope was incredible at each revelation) Then the anger came and washed over me, waves and waves of it as I saw the breadth and scope of the abuse. Soon though that anger went away and I was then feeling the bargaining phase begin. I started to bargain in my head with ideas that I could in fact create my own privacy with crypto and other OPSEC means. I thought I could just deny the government the data. I soon though began to understand that no matter what I did with the tools out there that it was likely they had already been back door’d. This came to be more than the case once the stories came out around how the NSA had been pressuring all kinds of tech companies to weaken standards or even build full back doors into their products under the guise of “National Security”

Over time the revelations have all lead to the inescapable truth that there is nothing really anyone can do to stop the nation state from mining our communications on a technological level. Once that had fully set in my mind the depression kicked in. Of late I have been more quiet online and more depressed about our current state as well as our future state with regard to surveillance and the cyberwarz. I came to the conclusion that no matter the railing and screaming I might do it would mean nothing to the rapidly approaching cyberpocalypse of our own creation arriving. ….In short, we can’t stop it and thus the last of the five stages for me has set in. I accept that there is nothing I can do, nay, nothing “we” can do to stop this short of a bloody coup on the government at large.

I now luxuriate in my apathy and were I to really care any more I would lose my fucking mind.

OPSEC! OPSEC! OPSEC!

Speaking of losing one’s mind.. Lately people all have been yelling that OPSEC is the only way! One (the gruqq) has been touting this and all kinds of counterintelligence as the panacea for the masses on these issues. Well, why? Why should we all have to be spies to just have a little privacy in our lives huh? I mean it’s one thing to be a shithead and just share every fucking stupid idea you have on FriendFace and Tweeter but really, if you can’t shut yourself up that is your problem right? No, I speak of the every day email to your mom telling her about your health status or maybe your decision to come out etc. Why should the government have the eminent domain digitally to look at all that shit now or later?

If you take measures to protect these transactions and those measures are already compromised by the government why then should you even attempt to protect them with overburdened measures such as OPSEC huh? I mean, really if you are that worried about that shit then go talk to someone personally huh? I know, quite the defeatist attitude I have there huh? The reality is that even though I claim not to be caring about it (re: apathy above) I actually do but I realize that we no longer have privacy even if we try to create it for ourselves with technical means. If the gov wants to see your shit they will make a way to do so without your knowing about it. I fully expect someday that they will just claim eminent domain over the internet completely.

Fuck OPSEC.. I want my government to do the right thing and not try to hide all their skirting of the law by making it classified and sending me an NSL that threatens to put me in jail for breaking the law.

Fuck this shit.

CYBERWARZ

Then we have the CYBERWARZ!! Oh yeah, the gubment, the military, and the private sector all have the CYBERWARZ fever. I cannot tell you how sick of that bullshit I am really. I am tired of all the hype and misdirection. Let me clear this up for you all right here and right now. THERE IS NO CYBERWAR! There is only snake oil and espionage. UNTIL such time as there is a full out kinetic war going on where systems have been destroyed or compromised just before tanks roll in or nukes hit us there is no cyberwar to speak of. There is only TALK OF cyber war.. Well more like masturbatory fantasies by the likes of Beitlich et al in reality. So back the fuck off of this shit mmkay? We do not live in the world of William Gibson and NO you are not Johnny Mnemonic ok!

Sick. And. Tired.

I really feel like that Shatner skit where he tells the Trekkies to get a life…

Awaiting the DERPOCALYPSE

All that is left for us all now is the DERPOCALYPSE. This is the end state of INFOSEC to me. We are all going to be co-opted into the cyberwarz and the privacy wars and none of us have a snowball’s chance in hell of doing anything productive with our lives. Some of us are breaking things because we love it. Others are trying to protect “ALL THE THINGS” from the breakers and the people who take their ideas and technologies and begin breaking all those things. It’s a vicious cycle of derp that really has no end. It’s an ouroboros of fail.

RAGE! RAGE! AGAINST THE DYING OF THE PRIVACY! is a nice sentiment but in reality we have no way to completely stop the juggernaut of the NSA and the government kids. We are all just pawns in a larger geopolitical game and we have to accept this. If we choose not to, and many have, then I suggest you gird your loins for the inevitable kick in the balls that you will receive from the government eventually. The same applies for all those companies out there aiding the government in their quest for the panopticon or the cyberwarz. Money talks and there is so much of it in this industry now that there is little to stop it’s abuse as well.

We are well and truly fucked.

So, if you too are feeling burned out by all of this take heart gentle reader. All you need do is just not care anymore. Come, join me in the pool of acceptance. Would you care for a lotus blossom perhaps? It’s all good once you have accepted the truth that there is nothing you can do and that if you do things that might secure you then you are now more of a target. So, do nothing…

Derp.

K.

Neuromancing The Cyberwars

leave a comment »

The Great Cyberwar to Come

Every day lately I open up the newsfeed and see more and more dire predictions of cyber doom and cyber war. Each time I read this stuff I just have to hang my head and curse under my breath all of the morons out there both reporting on it as well as those purveyors spinning the cyberwar to come. In fact, I really loathe the term “Cyberwar” as do I think, many of my compatriots in the infosec industrial complex (ooh coined a new one there huh?) Every time these people open their mouths I have to just borrow a line from Seinfeld and bellow;

“SERENITY NOW!”

Enough already of this Cyberwar lunacy! Let me tell you something, we have been in an information war for a long long time and a component of that is EW (Electronic Warfare) For years we have been manipulating warfare through information whether it be planting fake stories in the press (newspapers, tv, radio etc) to manipulating data within systems as part of disinformation campaigns. The only real difference today, and I think is the crux of the cyberwar craze are two factors:

  1. Everything seems to be connected by computers today
  2. We can now manipulate not only data, but the machines that process actual physical processes (ICS/SCADA)

So yes, there is more that potentially can be done to an enemy target electronically, but, the hoopla and hype around cyberwarfare has gotten WAY out of hand today and someone needs to bust that bubble before the morons in charge get their trigger fingers on the button. Perhaps though, its too late for that as I am looking around today and see that the military is saying they have the potential right to launch attacks after cyber attacks…

Good God… It makes one root for Skynet thinking about the great cyberwar to come.

Trust Us… We’re the Government!

What is most frightening to me is that the government and the military seem to be under many misapprehensions over “cyberwar” In the case of the government, more to the point, Congress and the House, we have two august bodies that are filled with some of the most misinformed and Luddite oriented groups of people I have ever seen… And these are the people we are going to entrust to make policy on such topics? The said same people who would have the likes of Gregory Evans speak to them about digital security?

We are doomed.

So, what do we have here? We have the people making laws led by the blind and the chicken little’s of the world. All of this over the overhyped and overblown idea that the great cyber war is a commin and no one is safe! Our power will go out because hackers will shut it all down! The gas pipelines will explode because John McClane won’t be able to get the Apple kid to the right terminal during the fire sale! The financial system will collapse because Thomas Gabriel will have jacked into the feeds and slurped ALL of our digital records on to his terabyte drives!

OH NO!

Yeah, you might be asking yourself right about now;

“Do they really believe that shit?”

Well, take a look at some of their laws lately concerning digital matters and privacy.. Then tell me they really know anything about the internet nor digital security. So, yes, I firmly believe they believe it. In fact, there is an old trope in the movies about hackers. You know the one, where the hacker just sits down and 5 seconds later they are root on the Gibson… Yeah, I really think that is how they percieve hacking and how easy it would be to hack the planet.. So to speak.

So, are you comfortable with these people deciding whether or not we actually physically (or digitally) attack another country after we get a little pwn3d?

I am not.

Attribution… We Don’t Need No Stinkin Attribution!

Back to the DoD and their recent proclamation about physical and other attacks against those who attack us with a cyber attack. I just have one word for them to chew on and contemplate;

ATTRIBUTION

You know, that pesky word meaning we actually KNOW who attacked us? Yeah, well as far as I have seen today, it’s pretty damned hard to determine most of the time who did what and where on the net. Digital forensics only get you so far, compromised machines can be tampered with in so many ways to make it look like someone did something and these guys want to launch cruise missiles against nation states over a DDoS?

Mmmm yeah… This will not end well.

Ok, so the next great cyberwar will take place pretty much like the whole premise of the Terminator films then? Will Skynet become sentient or will we just have a military and government that says “THEY DID IT” and fire off some missiles? Frankly, what I see here is a lot of posturing and hope that the reality is that people will realise that they cannot attribute anything and not fire one missile due to the lack of concrete proof.

But.. That assumes that cooler heads prevail and there are not too many hawks in the room….

Dark Prognostications of DOOM… Trust Me, I Write Blogs!

Meanwhile, we have the blogosphere and the pundits out there with slit eyed prognostications about how many more times 9/11 it would be, this cyberwar to come that McClane is not there to save us from.

“THERE ARE NO AIR GAPS TO SCADA! WE ARE DOOMED!”

“THE COLLATERAL DAMAGE WILL BE HUGE!”

“OUR WAY OF LIFE WILL BE DESTROYED!”

Blech. Look, sure, a cyber attack on key infrastructure would be bad. It could cause a real ruckus and we could have pockets of the country/world where power may be down a while, gas lines could blow, and there would be collateral damage. However, this would not be an all out war. In fact, I think it would be far worse if someone took out the core routers to the internet… I mean, at least that is doable if you do it right with kinetic attacks at key points (MAE’s etc) However, I just don’t see it as a likely scenario.

Frankly, you know what keeps me worried?

  1. Biological warfare or accidents with the materials
  2. A dirty bomb or a nuclear bomb cobbled together from illicit materials from the likes of Russia or Pakistan
  3. Mass coronal ejections causing a large EMP

Cyberwar.. Not so much.

The problem is that there are too many pundits and too many crazy opinions out there that are getting ear time with the Luddites in charge. Hell, for that matter, I am a blogger too, so I could be part of the problem as well huh? Maybe I am all wet and tomorrow China will attack at dawn… It’ll be just like Red Dawn.. Except they will hit us first with cyber attacks and then drop thousands of troops on us (Wait a minute! What a movie idea!)

CRAP! Someone beat me to it!

Oh I know! instead the Chinese will just release all our prisoners from cell blocks by using Metasploit against their ICS systems that lock the doors!!!

Heh.

Remember you heard it here first!

Reality? Nah, Just Pass Me The SymStim and Goggles!

I guess in the end, I just have to resign myself to the fact that sanity will not prevail. We will have a military with putative attribution and a Congress unqualified to rule on such things to pass the vote to attack those who attacked us with their packets and malware.

We’re screwed…

Oh well, I will just have to put in the REM and listen to the end of the world and we know it…

*Sits back…puts on shades…Hacks the Gibson*

YEEEHA!

K.

INFOPOCALYPSE: You Can Lead The World To The Security Trough.. But You Can’t Make Them Think.

leave a comment »

“Dark, profound it was, and cloudy, so that though I fixed my sight on the bottom I did not discern anything there”

(Dante Alighieri; The Inferno)

The current state of the Security “Industry”

It seems that once again people who I have acquaintance with in the security industry are wondering just how to interface with corporations and governments in order to build a base of comprehension about the need for information security. The problems though are myriad with these questions and the task to reach people can be a daunting one, never mind when you have groups of them in hierarchies that comprise some of the worst group think in the world (AKA corporations)

Added issues for the “industry” also surround the fact that it is one at all. Once something moves from an avocation to a profession, you have the high chance of it becoming industrialised. By saying something has been made industrialised, implies to many, the cookie cutter Henry Ford model really. In the security world, we have seen this from the perspective of magic boxes that promise to negate security vulnerabilities as well as teams of consultants who will “securitize” the company that is hiring them with magic tools and wizardry. The net effect here is that those paying for and buying into such products and services may as well be buying a handful of magic beans instead.

Now, not every company will be efficacious in their assessments nor live up to the promises they make for their hardware/software solutions. Many practitioners out there and companies really try to do the right thing and do so pretty well. However, just as in any other business, there are charlatans and a wide range of skilled and unskilled plying their arts as well. Frankly, all that can be said on this issue is “Caveat Emptor”  It’s a crap shoot really when it comes to goods and services for security solutions. The key is though, to be able to secure yourselves as a company/entity from the standpoint of BASIC security tenets up.

Often its the simple things that allow for complete compromise.. Not just some exotic 0day.

So we have a cacophony of companies out there vying for people’s dollars as well as a news cycle filled with FUD that, in some cases are directly lifted from the white papers or interviews with key players from those said same companies seeking dollars. It is all this white noise that some now, are lamenting and wondering just how do we reign things in and get a stable base to work from in an ethical way to protect companies and individuals from information security meltdowns. More so it seems lately, the question has been how do we reach these people in the first place? How do we actually get a meaningful dialogue with the corporate masters and have them come away with the fundamentals of security as being “important”

Unfortunately, I think that there are some major psychological and sociological hurdles to overcome to reach that point where we can evince the response we all would like to see out of those C level execs. I have written about them before, but I will touch on them again later in this piece. Suffice to say, we all have a tough row to hoe where this is concerned, so, I expect there to be no easy answer… Nor really, any satisfactory conclusions either.

“It is a tale Told by an idiot, full of sound and fury, Signifying nothing”

(Shakespeare; MacBeth)

Security Joan of Arc’s and their Security Crusade:

Joan De Arc was a woman ahead of her time. She wore men’s clothing and lead the French in battle against the English and to victory, all as a teen girl. She later was burned at the steak for heresy and just recently made a saint many years later. I give you this little history lesson (link included) to give you an idea of who you all are in the security industry lamenting over not being listened to. You too may be ahead of your time, but, just as she was, you too will not be listened to because your ideas (to the listeners) are “radical”

Now, radical is a term I am using to denote how the corporate types are seeing it. We, the security advocates, do not see these concepts as radical, but instead as common everyday things that should be practices (complex passwords, patching effectively, etc) They (the client) see these things as impediments to their daily lives, their bottom lines, and their agenda’s both personal and corporate. There are many players here, and all of them have agenda’s of their own. This is a truism that you must accept and understand before you rail against the system that is not listening to your advice.

Here’s a bit of a secret for you.. The more ardent you seem, the more likely you will be branded a “Joan” The perception will be that you are a heretic and should not be listened to. Instead you should be marginalised in favour of the status quo.. After all, they have gone about their business every day for years and they are just fine! The more you rail, or warn with dire tones, the more you will be placed at the back of the mind.

Think Richard Clarke (I heard that chuckle out there)

Though Joan inspired the French forces to battle on and win more than a few battles, she eventually was burned at the steak. Much of this was because of her unique nature and fervour. Much as yours may do the same to you… Without of course literally being burned at the steak and you all must learn this. I think you have to take a page from the hackers playbook really and use the axiom of being a “Ninja”

The subtle knife wins the battle.

 

“If the Apocalypse comes, beep me”

(Joss Whedon;Buffy the Vampire Slayer)

What’s the worst that could happen really?

The quote above really made me chuckle in thinking about this article and the problems surrounding the premise. This I think, is the epitome of some people’s attitudes on security. Most folks just go along their days oblivious to the basic security measures that we would like them to practice as security evangelists. The simple fact is that like other apocalypse scenarios, people just have not lived through them and been affected by them to change their behaviours accordingly. What solidified this for me recently was the snow storm last October here in New England that caught so many people flat footed. They simply had not ever really had to rely on their wits and whatever they had on hand before like this. When the government and the corporations (CL&P) failed to provide their services to the populace, the populace began to freak out.

Its the same thing for information security. Whether it is the government or the corporations that supply us all, both are comprised of people who all pretty much lack this perspective of being without, or having really bad things happen to them. 9/11 comes the closest, but, that only affected NYC and DC directly (i.e. explosions and nightmarish scenarios with high casualties) In the case of corporations, you have lawyers and layers of people to blame, so really, what are the risk evaluations here when it is easy to deflect blame or responsibility? For that matter, it was inconceivable to many in the government (lookin at you Condi) that terrorists would use planes as missiles… Even though a month before a report was handed out with that very scenario on the cover.

The core of the idea is this. Human nature on average, and a certain kind of psychology (normative) that says “This can’t happen to us” We all have it, just some of us are forward thinking and see the potentials. Those forward thinkers are likely security conscious and willing to go out of their way to carry out actions to insure their security. Things like storing extra food and water as well as other things that they might need in case of emergency. These can be life of death deal breakers.. Not so much for information security at your local Acme Widget Corp. In the corporate model, they have the luxury of “It’s somebody else’s problem” So, these things are usually not too important to them unless that person making the decision is cognisant of the issues AND responsible for them. Unfortunately, as we have learned these last 10 years or so, responsibility is not their strong suit.

So, on they go.. About their business after you, the security curmudgeon has told them that they need to store food for the winter..

But the grasshoppers, they don’t listen… Until they are at your door in the snow begging for food.

 

“More has been screwed up on the battlefield and misunderstood in the Pentagon because of a lack of understanding of the English language than any other single factor.

(John W. Vessey, Jr.)

How do we communicate and manipulate our elephants?

Back to the issue of how to communicate the things we feel important. This has been a huge issue for the security community for a couple of reasons.

  1. The whole Joan of Arc thing above
  2. The languages we speak are.. Well.. like Tamarian and theirs are corporate speak.

We, the security practitioners, often speak in metaphor and exotic language to the average corporate manager. You have all seen it before, when their eyes glaze over and they are elsewhere. We can go on and on about technical issues but we never really seem to get them to that trough in the title. Sometimes you can get them to the trough easily enough by hacking them (pentesting) but then they think;

“Well this guy is a hacker… No one else could do this! What are the chances this is going to really happen? Naaahhh forget it, it’s not likely”

So there is a bias already against doing the things that we recommend. Then comes the money, the time, and the pain points of having to practice due diligence. This is where they turn off completely and the rubric of it is that unless they are FORCED to carry out due diligence by law or mandate, they won’t. We all have seen it.. Admit it.. It’s human nature to be lazy about things and it is also human nature to not conceive that the bad things could happen to them, so it would be best to prepare and fight against them.

So, how do we communicate with these people and get them on the same page?

I have no answers save this;

“Some get it.. Some don’t”

That’s the crux.. You have to accept that you as the security practitioner will NEVER reach everyone. Some will just say thank you and good day… And you have to accept that and walk away. As long as you have performed the due diligence and told them of their problems.. You have done all you can. You can try and persuade or cajole them… But, in the end, only those who get it or have been burned before will actually listen and act on the recommendations you make.

“The greater our knowledge increases the more our ignorance unfolds”

(John F. Kennedy)

The Eternal Struggle

There you have it. This will always be the case and it will always be the one thing that others seeking to compromise corporations and governments will rely on. The foolishness of those who do not plan ahead will be their undoing..

Eventually.

All you can do sage security wonk, is calmly and professionally explain to them the issues and leave it to them to drink.

K.

The Son of Stuxnet… Methinks The Cart Be Before Ye Horse

with 2 comments

My dear dear lord,
The purest treasure mortal times afford
Is spotless reputation—that away,
Men are but gilded loam, or painted clay.
A jewel in a ten-times barr’d-up chest
Is a bold spirit in a loyal breast.

Mowbray, Richard II Act 1 Scene 1

 

 

As fate would have it, today I saw a tweet that said Symantec had a paper coming out on “Stuxnet II” I surfed on over and read the document and what I was left with was this;

“We rushed to judgement here and wanted to get this out to get attention before anyone else did.. Here’s STUXNET REDUX!”

Now, sure, the code base appears to be Stuxnet’s and yes, there are similarities because of this, however, calling this Stuxnet Redux or “Son of Stuxnet” is just a way of patently seeking attention through tabloid style assumptions put on the Internet. Let me pick this apart a bit and you decide…

Code Bases and Re-Tasking

So ok, the coders seemed to have access to the FULL source of Stuxnet. It has been out there a while and surely some people in the world of “APT” have had access to this. It’s not like it was some modified version of Ebola kept at Sverdlosk at Biopreparate. Had you even considered that it was released on purpose as chaff to get others to tinker with it and thus middy the waters?

I’m guessing not from the report that I read, hurried as it was and full of conclusions being jumped to. In fact, Symantec even said that they had not fully audited the code! C’mon…

Alrighty then, we have a newly released and re-tasked version of Stuxnet that turns out to be just a recon tool to steal data. I find it interesting that they make so much of this and intone that the coders of the original are up to shenanigans again but fail to even beg the question that it could be anyone with the requisite skills to cut into the original code (after it had been laid out for everyone to look at) and re-task it with a new time frame. Please note that there are not the original 0day attacks and multiplicity factors of infection vectors as well as exfiltration schemes.

So, not really so complicated as I see it.. You?

The original code/malware was very targeted and this, well this is really just like any other APT attack that I have seen out there.. In fact, in some ways its less clever than the APT attacks out there from the past.

So, really Symantec, take a step back and mull this all over again before you release.. Say.. Just who else had the code and you were worried about that would steal your thunder here?

Pathetic.

RATS, RECON, & Targets

Speaking of the infiltration/ex-filtration picture, I see from the report that they are linking the RAT to the original worm but have not real proof that it came from DUQU! It was found in situ on the box that they analyzed and make the assumed statement that it was “likely” downloaded by the malware via its comms to the C&C.

Once again I say “Evidence Much?”

You have no basis other than assumption but you make no real clarification on this. Though there is mention of a DQ.tmp file which I assume means that it came from the RAT.. But.. Proof again please? It’s the little things that count here and I see a great failure in your haste Symantec.

Another thing that is bugging me now is that the news cycle is making connections to DUQU with attacks on power grids.

HOLY WTF?

Symantec, DO YOU HAVE EVIDENCE of what companies were “Targeted” by this malware re-hash? If so, you should come out of the closet here a bit because this is BS unless you have proof. I of course understand that you cannot name the companies, but CONFIRM OR DENY that they were all Power companies before making claims and allusions that the media will just shriek at the top of their lungs placing more FUD on the headlines.

Or… Wait.. Now that might be an advantage to you guys huh?

Ponder.. Ponder…Ponder…

Well played….

What it all boils down to for me is this:

Someone re-tasked the malware and stuck a common RAT in it. Until you (Symantec) come up with more solid evidence of more interesting and technical attacks, then I call bullshit on you.

What? No Mention Of APT Here?

Meanwhile, I see that people are assiduously avoiding the APT word… Hmmmm What does this attack really remind one of… APT!

There, I said it.

APT attacks:

  • Infiltrate
  • Seek data
  • Exfiltrate data
  • Keep access

And therein lies the rub. DUQU has a 36 day shelf life. Now, this is good from a foot-printing level AND could be excellent for setting up the next attack vector that could include the component of sustained access. So, the reality here for me is that this was a foot print attempt on whatever companies it was set upon. It was a recon mission and that was all.

NOT STUXNET..NOT SON OF STUXNET!

Had you called it a Stuxnet like attack re-purposing code then I would have had less problems with your document Symantec. Instead we got FUD in a hurry.

Baseless Claims: Pictures Or It Never Happened!

Finally, I would like to see Symantec spend some more time here as well as see others pull this all apart. I want to see more proof before you all go off half cocked and get the straights all upset over an attack that may have nothing to do with the original.

Frankly, I find your faith in rationality disturbing… Symantec…

K.

Anonymous, SCADA, LULZ, DHS, and Motivations

with 2 comments

Anonymous Is Interested In PLC’s & SCADA?

A recent .pdf bulletin put out by Homeland Security (i.e. DHS) claims that certain actors within Anonymous (and by that they mean “anonymous”, I added the distinction) have shown interest in at least Siemens SIMATIC PLC’s and how to locate them online for exploitation. It seems that DHS though warning about this threat, is not too concerned about its actually being exploited by the group because they lack the expertise to attack them. So, why the BOLO on this at all? If the collective cannot do the damage to the infrastructure that you are entrusted in keeping safe, then why report on it at all as credible intelligence? It would seem to some, myself included, that Anonymous is not the problem that they are really worried about on the macro scale, but instead, those who may claim to be Anonymous hitting small scale facilities or pockets of targets for their own purposes.

And therein lies the difference.

If indeed Anonymous the collective is looking at attacking SCADA, one has to wonder at their reasons to target such systems. After all, if Anonymous takes out the power or poisons the water, it will not look good for them PR wise. In fact, were such things to happen in the name of Anonymous, I can pretty much guarantee you all that they would be enemy #1 pretty darned quick post an attack. However, if they were to target a company such as a car maker that pollutes, then, you have a real agenda (per their social agenda of late) So, the targeting is really key here and I will cover that later on.

DHS Jumping The Shark?

The motivations of the release by DHS have also  been called into question by some as to why they chose to talk about this at all. This is especially prescient since they take pains to say that the Anonymous movement “most likely” does not have the technical means and motive to really pull of these types of attacks on the infrastructure. So why even bother? Perhaps they are just covering their bases (or asses) just in case the Anon’s actually attack? Or perhaps, they too are clued in on the fact that even if claimed to be anonymous, it could be others working against the US (Nation State Actors) who have chosen to attack and use Anonymous as a cover so as to throw off attribution.

Either way, as some look at it, it is almost like they are daring Anonymous to do it out of spite because they are calling Anonymous’  factions and actors “inept” or “unskilled” which, might get their dander up a bit. All of these scenarios pretty much do not preclude someone hitting SCADA systems in the future and it being blamed on Anonymous, which will bring on a new wave of efforts by the government to stamp them out. Reciprocity being what it is, this too will mean that Anonymous might in fact gain strength and sympathy from such actions and fallout as well.

For me though, I just see DHS covering the bases so as to not be blamed later on should something happen. Not so much am I of the opinion that they are in some kind of propaganda war here with this little missive.

Motives, Means, Technical Abilities

So lets go with the theory that certain elements of the Anonymous collective want to mess with the infrastructure. Who would they target and why? More to the point, what companies would they target that fits their agenda?

  • Telco?
  • Power?
  • Manufacturing?

Those are the three areas that I could see as potential attack vectors. Though, once again I have to say that the only two that I see as real possible would be the telco and manufacturing and even the telco would be dangerous for them to try as well. I mean, if you start messing with Ebay or Paypal that’s one thing, its quite another to mess with national infrastructure, as these two would be considered. If indeed Anonymous hit them and took them down for whatever reason, they would then be directly considered terrorists… And that would be seriously bad for their movement and its legitimacy.

Now, we do know that the  Anon’s hit the BART system but as I remember it, it was BART that took out the communications infrastructure themselves so as to prevent communication between anon’s. So, this just doesn’t seem to fit for me either. Manufacturing though, as I made the case above, could be something they would try. It’s not national infrastructure and it will not take the country down if they stop something like cars  being made.

Is it just me? Or does anyone else just see this as a non starter for Anonymous central? What I do see is the threat of other actors using the nomme de guerre of Anonymous as cover for their actions to mess with the national infrastructure. Perhaps some of these people might in fact be motivated by anonymous, but, my guess that if there were to happen, it would be nation state driven… And something I have been warning about for some time.

Anonymous, as an idea, as a movement, will be subverted by those looking to fulfil their own ends and justify their means. All the while, they will let the Anon’s take the fall for it.

Governments

Nations

Nation States

… AND.. Corporations.

You know, those with the money and the people who could pull off the technical hacks required to carry these capers off.. Not a bunch of rag tag hacktivists and hangers on.

Blowback

In the end, what I fear is that there will be a great deal of blowback on Anonymous even talking about hacking and messing with infrastructure. The same can be said for their attempts on taking down Wall Street or the NYSE with their DD0S. If they had succeeded, they would have been an annoyance really, but that would not have caused any great fluctuation in the markets I think. No, unless they hacked into NYSE itself and exposed the fact that they had root in there, I think that it would have a very minimal effect on Wall Street and the economy at large.

Not to say that everything is going ever so well now…

DHS seems to have jumped the shark a bit for me on their BOLO and the coverage of this just tends to add to the FUD concerning SCADA and PLC code. Hell, for that matter we have the new Symantec report on DUQU that yells out about it being the “Son of Stuxnet” but in reality, it is more like a clone of Stuxnet used for APT style attacks by persons uknown..

Get yer FUD here!

Same goes for this DHS warning.

Your results may vary…

K.

从中国用爱 From China with Love: The Chairman Meow Collection

with 3 comments

From China with Love:

Within the last year (since Stuxnet) the general populace has become more aware of the problems we all face from digital attacks and espionage. Of course sitting here today writing this blog entry, I look back at my past posts and wonder just why people are catching on now. China has been working us over for a long time and with each day’s passing we have been steadily more and more compromised by the 7th directorate and their proxy hacking groups. This is not to say that others aren’t doing the same thing as well. China just happens to be the more active due to their single minded desire to be the pre-eminent superpower and they have the politically charged populace to do it (i.e. PLA and their civilian hacking counterparts)

Israel, Russia, England, the list goes on, all spy on us as we spy on them. In the case of industrial espionage, the Chinese are first on the list, followed closely by Israel and Russia as well as France. Its a game we all play, its just that China has been going at it in a much smarter and cohesive way is all. All one need do is look at the current state of affairs to determine that they have been exceedingly adept at it as well, kudos to them really and shame on us. We (the US) have been too busy being slaves to greed and cheap products from, you guessed it, China, to notice that our collective clocks were being cleaned. Sure, some have been in the know about this (the military, DOD DIB parters) but we have been hampered by several things.

1) Contractors (i.e. private companies) do not have robust security postures and often are connected to DOD systems (say an air force base) Not to mention that these systems that the contractors own hold the goodies and escalation vectors that the APT want. Patching, IDS/IPS, SIEM, DLP, all words that are foreign to many exectuives making decisions about security and often have not one clue in the matter to start. I have in fact seen one place that had a C level exec with a 4 character password to their system! One that also had a pre-populated ID! YAY! Way to go there Mr. C level who manages a company that makes war-fighter systems! So, suffice to say that they companies have been ill equipped to handle security and the executives have been reticent to care.

2) Government regulations have been too lax in governing the security mandates and repercussions on any and all contractor companies that work on war-fighter systems. Sure, there are ITAR regs and potential fines, but really, how many of these companies have had true audits of their networks and environments to test their security postures? A good red team of many of these places I am sure would turn up shockingly scary vulnerabilities and network security gaff’s that would, if leveraged by the likes of the Chinese, lead to huge compromises of the companies as well as their proprietary data. In the time I was at a defence contractor, I only saw one red team and in that event it only took about an hour to compromise the place utterly. We need to enforce security on all defense contractors for both sides of their businesses (defense base and public) in order to insure that the data is safe. Right now, even after everything that has happened with China, we still have no real regulation and control over these companies security postures and that is why we will keep failing.

3) Human nature and corporate group think are the lead causes in our failures mentioned above. We as beings seem to lack the ability to see the long term dangers with regard to this type of warfare. We are also being leveraged by social engineering attacks (phishing, vishing, etc) to gain the toehold into the networks that lead to escalation and persistence. We need to be teaching secure computer practices both on a personal and a corporate level in order to be better equipped to try and stop these attacks. It’s not going to be the new piece of hardware or software that the vendors want to sell you (though they do have a place if they work) but instead the human factor that will be able to help here. I just would like to see the C levels at least aware of the security threats and really understand them. So far, I have seen too many in management without a clue and who don’t seem to care.

So, what I think we really need are some rules set up for companies doing government business that mandate secure practices and insure that if those companies are not following through, will be fined and shamed as well as lose their contracts. Its one thing to be compromised even if you are doing the due diligence, its quite another to be compromised and not really care nor understand the problem because there are no negative incentives to being that way. In today’s world, we need to be sharper than this if we want to stay in play on the global scale.

What we really need to be now is a ‘Digital Sparta’

Meanwhile, we are behind the game here. The government is trying to come to grips with all of this (poorly) all the while the Chinese and others now using the APT style of persistent attacks, are making bigger and more audacious hits against us (cough RSA & Lockheed cough!) while the news media spins on telling only half of the story that they comprehend to the masses that have little comprehension of the issues at all. Meanwhile, we in the security community talk about attribution and the problems of not only trying to stop all this from happening, but also deal with the repercussions politically trying to capture those carrying out the attacks.

All of this during the cacophony of vendors (and I mean you McAffee) spewing buzzword bingo out of your collective keisters trying to make sales and use the situation to your advantage.

Its time to pay real attention to the problems allowing these attacks to take place so easily and to the companies that are being targeted by the likes of China. For a little more history, I have collected the “From China With Love” collection on my blog. Dating back to 2008/2009 to today, you can see that this has been going on for a long time, and there is much more that has gone on that you might know about, or ever will unless you are cleared to know.

Enjoy.

Is Someone in China Reading Your Emails?

Our Chinese Overlords, Or how China is pwning the US

Economic Warfare: The New World Threat Via Cyberspace

Ni HAO!

Ghost Net: Aka Subseven or any other trojan backdoor program

Cyber SPIES in our GRID! Let the hand wringing begin!

DoD 2009 PLA Cyber Warfare Capabilities Assessment

MID’s “Seventh Bureau” and You.

Major General Dai Qingmin’s Cyberwar

The Cyber Cold War

How The Hackers Took Google A Theory: Manipulation, Geopolitics, and Cyber Espionage

PLA officer urges challenging U.S. dominance

Operation: NIGHT DRAGON Nothing New, but It Bears Some Repeating

The Thousand Grains of Sand In The Electronic Age: China’s Cyber Espionage Capabilities Outstripping Ours

The Dragon and Eagle: China’s Rise from Hacking To Digital Espionage

Talk on Chinese Cyber Army Pulled From Black Hat: Nothing To See Here… Move Along…

America Faced With Wave of Chinese Espionage: Hello? Where Have You Been?

3322

Oh and as a post script; This post was also brought to you by @diocyde because he/she was such a pendantic wanker about me not caring about what China was up to as I was too busy chasing “pimple faced jihadists” online..

Moron.

K.

OPERATION SHADY RAT: Or As I like To Call It; Operation Shady Crap

with 3 comments

First, let me preface with an expletive laced rant that will be stripped for the straights at Infosecisland.. Please forgive the capslock shouting, but I cannot contain myself here!

//CUT HERE

HOLY WHAT THE FUCK?

McAffee WHAT IS THIS EPIC BULLSHIT YOU ARE PUTTING OUT THERE TO FUD THE CONGRESS INTO WANTING TO SEE IT? ARE YOU THAT FUCKING DESPERATE TO APPEAR AS TO KNOW WHAT THE FUCK IS GOING ON WITH REGARD TO APT THAT YOU PUT THIS “BOOGA, BOOGA, FEAR, FEAR, FEAR, FUD, BUY OUR PRODUCTS CUZ WE SAW SOME SHIT” LIGATT-IAN PRESS RELEASE?

YOU ARE WASTING OUR COLLECTIVE TIME AND IF YOU FUCKING GO TO CONGRESS WITH THIS BS I FULLY EXPECT TO SEE A NO CONFIDENCE VOTE IN THEM AND YOU!

NO.. WAIT…I ALREADY THINK YOUR PRODUCT IS JUST SHIT.

CONGRESS… WELL WE KNOW HOW USELESS THEY ARE TOO.. I GUESS YOU SHOULD BE FAST FRIENDS HUH?

END CUT//

Ok, now that I have that out of my system, I will now attempt to explain a few things in a civil manner on the RAT/APT situation. First off, there is nothing new here as I have said before on numerous occasions. This type of activity says more about the laxity of the targets security as well as the intent of the adversary in gathering state desired secrets on the part of China. The simple facts are these;

  1. China wants to have an edge and it finds itself using the Thousand Grains of Sand strategy to its benefit in the digital arena
  2. We have made it easy for them to compromise our systems due to lack of accountability and the short term gains seen by individuals within companies
  3. The adversary is smart and will do what it takes up to even intercepting helpdesk tickets and fielding problems to keep their persistent access!
  4. This has been going on for a long time and now is just getting out to the press.. Ok, I get that, but really, sowing FUD to win business will not help

It is readily apparent from this POS that McAffee has put out that they are just fishing for some press here for their flagging AV sales. This paper gives nothing relevant to the story around APT and as such, it should be just relegated to the dustbin of the internet and forgotten. Yes, the US was a major target but others were as well. This is a nation state working on these APT attacks, come on now! They have more interests than just the US! Just as much as you (McAffee) had access to ONE server out of many! Never mind all the others that were fleeting and pointed to by DYNDNS sites!

Really McAffee, you come off looking like rank amateurs here… Well, I guess you are really for pulling this little stunt altogether.

The adversary has been around for a long time. No one product nor service is going to protect us from them (that means you McAffee) so it is useless to try and sell us the snake oil you would like to. It is our own human natures that we have to overcome to handle the least of the problems that feed into group think and herd mentality in corporations and governments. Face the facts, they are here to stay and we need to learn the game of ‘Go’ in order to play on their field.

Unfortunately, we get dullards like these (McAffee) crying wolf and offering unctions to take our troubles away.. Unfortunately all too often there are too many willing to buy into their crap.

… And we keep losing.

K.

Written by Krypt3ia

2011/08/15 at 18:25