Archive for the ‘Anonymous’ Category
THIS rather breathlessly hyperbolic report on JTRIG using social media and hacking to spy on, or manipulate people, governments, and movements as well as gather INTEL on them had me eyerolling. Yes, this is new in that social media is new as is the Internet and hacking but really, the techniques of manipulating populaces for political and espionage advantage are nothing new. The spy agencies out in the world perform these PSYOPS and disinformation operations all the time and in the olden days kids they used to manipulate the press, then TV and the press, then INFOTAINMENT. There is nothing new here…
What you all have to realize is that now YOU are more easily hackable, your information more able to be stolen or accessed by writ of law, or YOU give it away by using applications that have been expressly created to give the agencies access to you as in this URL shortener that GCHQ used on the protesters in the Arab Spring. You all have to realize that unless you are code auditing everything you use on the net, then you too could easily fall prey to information leakage or outright compromise if you are a target of the “community” at large.
I would also like you all to take note that those who may support Wikileaks, or be a member of, say, Anonymous, were also targeted and used in this operation by GCHQ, so if you are an Anon, you too have been targeted rather directly (like the citation of Topiary’s conversations). So you too are not safe even if you are trying to use good OPSEC, which, as it turned out and as I have written about in the past, you were not. Oddly enough though, the Snowden leaks on JTRIG also show how the same issues are at play for those operators within NSA/GCHQ as well. Trying to keep sock accounts straight, and to know the language and the patter as well as the political issues, is problematic when you are doing things on a larger scale (trust me, I know), so at least you have that going for you, right?
Wake up people.
OPSEC… Live it.
JM511 Hacking since at least 2004:
There is a typical history to certain types of hackers, and this genesis usually embodies first defacing sites and gloating about it online. Since the advent of pastebin and Anonymous things have changed a bit, with the dumping of DOX or proof of hacks while gloating. JM511 has been one of these hackers who started around 2004 (by his own account, as seen in the picture below) defacing sites and shouting out gr33tz to those he wanted to share his conquests with. Oftentimes the tenor of JM511 has been “neener neener neener you stupid idiots!” which is pretty common and bespeaks a certain core need to feel superior to anyone and everyone, coupled with poor impulse control. Of course in today’s world there are so many outlets to garner fame and fortune for your exploits, like Twitter, where JM511 has a long-lived Twitter feed on which he posted his thoughts on hacking, politics, and Islam, and generally used it as a platform for self-aggrandizement.
To date JM511 has been pretty prolific and for the most part an afterthought by most for his acts against poorly protected sites. However, he has recently taken on a new aspect with recent posts that dumped credit cards and email addresses as well as other PII that some out there certainly should care about. Law enforcement at the least should be paying attention to large dumps of credit cards and PII, as well as watching these guys who profess their ties (albeit tenuously at first) to AQ. I personally got him on my radar by a tip from a comrade who thought it might be a fun diversion for me to look into Mr. 511. That tipster was right and I tip my hat to you, sir.
JM511 has been a busy busy boy. A recent post by him on pastebin was what triggered all of this from the angle of Islamic hackers who may in fact be carding on the nets. The posting below is the cause for my look-see, and as you can see he is taking pleasure in dumping people’s credit details and names on pastebin with impunity. JM511 has a whole long list of pastes out there showing his knowledge of attacks from XSS to SQLi and others, whilst mocking those he has ripped off or otherwise shamed in some way. Of course now he calls his crew “Islam Hackers” and seems to have the aforementioned aegis towards opposing those who would oppose Islam. In fact he was one of the many voices on Twitter back last April saying that Dzhokhar was not guilty of his crimes (bombing the Boston Marathon) and that Islam is a religion of peace. Odd that he says such things as he then turns around and starts abusing people online…
JM511 aka فيصل البقعاوي aka Faisal Bakaawi aka Faisal Faisal Al Otaibi:
JM511 thought he had it all figured out though. His reign has been long and no one seems to have caught onto him to date. That is, until now. Through a circuitous use of Maltego, Google, and the frontal lobes of my brain I managed to trace JM511 through his SPECTACULAR OPSEC FAIL to his real name and his location. As JM511 aka Faisal Bakaawi or Faisal Al Otaibi claims that he is in and from Saudi Arabia, I am sure he thought he could not be tracked. Well, he would be incorrect there, because he forgot to compartmentalize his real life from his IDs. Faisal failed to avoid re-using IDs for non-hacking things like, say, posting an ad for housing in DeKalb, Illinois recently.
It seems that Faisal is attending ESL (language school) in DeKalb and used his Yahoo account (firstname.lastname@example.org), which he tied to his Skype account FoFox511x, which he also kindly attached to his cell phone (443-820-8939, a Baltimore number btw), and he wanted a move-in date of 11/5/2013, so I am going to assume that he has found lodgings by now there in DeKalb. Some might say to me “why did you post his details on the net! Shame on you!” Well, I subscribe to the idea that turnabout is indeed fair play, and all of this data is open source and public, so it has an added giggle factor for schadenfreude.
UPDATE: While researching this it became clear that the name Faisal Otaibi also comes to bear in posts and videos by JM511. Further study showed direct links to Faisal Otaibi also being a DeKalb resident attending school (see pic below). I believe that Faisal either has a pal there with him also named Faisal or, more likely, they are one and the same and Faisal has just been trying to obfuscate his name. Either way, it is my conviction that Faisal Otaibi/Bakaawi is indeed JM511. It is also key to note that a Faisal Otaibi is also listed as an ethical hacker who attended last year’s hacker conference in Germany…. Oh and one more thing, ELS, the school, is located on NIU’s campus.
So, Faisal, thanks for playing but you lose. Please collect your silver bracelets at the door because LE has been informed of these details coming to light and you should be visited hopefully soon. I do love the irony of the selfies you took showing how you used those people’s credit cards to purchase domains on your Twitter feed though. I mean usually it’s some unsuspecting idiot showing off their new credit card and not understanding OPSEC. Of course in this case it’s you and someone else’s money that will get you some jail time I suspect.
My analysis of this interesting side trip to my day is this: OPSEC, USE IT or FAIL miserably. Faisal, you failed and I eagerly await the news of your being popped for your crimes. Let it be an object lesson for others out there who may look up to such fools. You may hack for a while, you may have your fun at the expense of others, but eventually you will make a mistake and get caught. It’s just your human nature and the law of averages that will get you in the end. Run! Scurry! Someone’s coming to see you.
PARASTOO پرستو :
I got a tweet today about some data sitting on cryptome.org that got me thinking about this “group” again, so I did some more digging online on them (him). The name of the “group” is Parastoo (پرستو in Farsi), which means swallow, the bird. In the last year this guy (yes, I think it’s literally one deranged person) had been active on at least two .ir sites that dealt with security and hacking and then started his own domains to ostensibly carry out cyber war against Israel and attempt to leverage the IAEA and others. So far all of the alleged hacks and data dumps that I have seen have not impressed, and the data itself seems to be from systems that they “think” are important but in reality are not. Specifically of late there are threats concerning CIA plots and diatribes that read like Lulzsec on methamphetamine and Ketamine at the same time. This guy really has quite the beautiful and large tinfoil hat and he wants us all to know about it in no uncertain terms. It is interesting to read between the lines in a stylographic way how the writer here seems to be molding their communiques in the manner of Zodiac, with a third person approach that intones more than one person and that this is a group. By using “Parastoo is speaking” they come very close to the “This is Zodiac Speaking” which attempted to portray power and induce fear. It is also interesting to note the language used in the emails is of a nature that implies a good grasp of English as well as a flair for the overly dramatic, which does not lend credence to the threats that they imply. In fact the reading I take away, and seemingly the press as well, is that of someone either trying too hard to be Anonymous, or it smacks of outright trolling.
In tracing the domains for parastoo.ir and hacker4hire.ir I came across a defunct site (RCE.ir) which was a phpBB site that is now offline but is archived in a couple of places as well as in Google caches. When searches for “Parastoo” were used, a clear link to a user on the RCE.ir site came up, and that user was “DarkPassenger”, who posted often on the site not only about hacking tutorials, tools, and the like but also dropped many links to government sites in the US and talked about conspiratorial things in nearly every posting. DarkPassenger’s favorite saying or aphorism in each posting was “de nobis ipsis silemus”, which is taken from the Baconian epigraph to the first Critique and translates to “on ourselves we are silent”, which is ironic given all the commentary that DarkPassenger is putting out there that speaks to his state of mind. DarkPassenger is also a fan of TV and movies and can be tracked to other .ir sites, but generally, from the first searches, does not have a lot out there under this account name to go much further (at present writing) to say who he may be in real life. DarkPassenger does seem to have quite a bit of time on his hands and some technical capabilities though. Much of the data that he and Parastoo post, however, is really just OSINT that anyone capable could carry out. In fact in one post (DP) talks about OSINT while laying out informatics on a military organization’s email addresses and contact list, so he is in fact versed in the ways of OSINT collection. A key factor in the link I am making between Parastoo and DP is that he uses the “EXPECT US” cutline in many of his posts as well and seems rather enamoured with the idea that he is in fact an Anon, and that bent of conspiracy and overarching plots infuses the majority of his postings online.
Parastoo.ir, hacker4hire.ir & RCE.ir:
The postings claiming hacks, as well as those that rave on, claim that DP had set up a couple of domains for “attacks” on the outside world from the .ir domain. These domains are registered by what I assume is a cutout name of zohre sajadian, which coincidentally was also used for the RCE.ir site. All sites are currently down, and in fact I cannot locate any content for the hacker4hire.ir or the parastoo.ir sites respectively. The only one that did have active content for a while was the RCE.ir address. This site was up for quite some time but was insecure, and much of the content was not that interesting. It is of note though that the domain registrations all line up, and there seems to be some overlap in email hosting between a .ru address and the chmail.ir site (that address is verified as being real). The information for the address as well as the name of the holder seems to be just made up. In fact the address cannot exist because there is no intersection of Felestin Street with Johmoori. A cursory look at the name used, Zohre Sajadian, also comes up with some hits, but they seem to be unrelated at this time to the sites and their registration, so mostly this is a dead end I think.
Alleged Hacks & Anonymous Rhetoric:
So far in my searching I have not found too much out there to support any large hacks of data or dumps thereof that show this “group” has done what they claim they have overall, aside from news stories (few in fact) that claim Parastoo made off with “sensitive” information on nuclear systems and facilities. However, the data that they claim to have taken and that was admitted to by IHS Inc. is all of a nature that can be purchased from the web or has been published already in the past. The only real sensitive information that has possibly been breached was credit card information that may have resided on those servers that were compromised. So while Parastoo makes grandiose claims of important hacks and data leaks, thus far, when really investigated, they have yet to make a major hit on anything of real import. Since the sites have gone dormant or offline as well, it has yet to be determined what else they may be working on or have compromised, but if you look at the rhetoric from their pastebin posts as well as the alleged emails on Cryptome one becomes a bit jaundiced and must take everything they say with a large grain of salt. Another factor to remember is that even drawings like the one at the top of this post are often available to anyone on the internet, either through insecure or misconfigured servers, or because the data is in fact meant to be open to the public. This is a paradigm I have learned about recently in looking into the OSINT on nuclear facilities and systems. So these dumps of information are not what the attackers think they are, because they are unacquainted with the data and its secrecy or lack thereof.
The final analysis of the “Parastoo” group is that in reality it is at least one person (DarkPassenger) who wants to make a statement on Israel and nukes with a fixation on the IAEA and DOE. While some pastes in the pastebin list seem to have actual data from systems that are externally facing to the internet (DOE for one), the majority of the data seems to be half-understood misinformation being spewed to garner attention. As the Anonymous model has been let out of the bottle, so to speak, post Lulzsec, there are many who would aspire to their level of reputation and attention, and these dumps are an attempt to attract it. Of course the problem with the Anonymous model of operation is that anyone can take on the mantle and claim to be an Anon or a group of them to effect whatever outcome they seek (mostly attention), so it is oftentimes hard to take groups like this seriously until such time as they dump hard data onto the internet for all to see. In the case of Parastoo none of this is evident, and as such I categorize (him/them) as a non-threat actor on the larger stage of geopolitics and information warfare at this time.
The time it seems may be upon us where Anonymous meets Jihad, something I am calling Jihad 3.0 for the moment. Very recently a site has popped up, as well as a video therein, claiming that a new Anonymous cell calling itself “Anonymous Caucasus” has formed. They have made a splash by declaring an OP against the Sochi Olympics and the Russian government for crimes against the Caucasus Emirates. Now this is a big deal in the sense that Russia has already been the site of two “Black Widow” suicide bombings prior to the games actually starting, and this is the first nexus between Anonymous and Jihad.
Think about this for a moment. Anonymous, an idea online, is now being used as a weapon within the Islamic Jihad, ostensibly as an electronic army to backstop the greater jihad. This will no doubt cause some consternation not only to some Anons perhaps but also to the terrorism analysis and warfare set as well. It seems perhaps that Vilayat Dagestan is taking a page from the Syrian playbook here and following the SEA (Syrian Electronic Army) model. Of course one wonders just how much power this group will have in the area of hacking, but in tandem with kinetic attacks and intelligence gathering, this could be a new generation in the GWOT.
Anonymous Caucasus, Electronic Army of the Caucasus Emirate:
Our message is to the Russian government and to all the companies that are part of the Sochi Games and put every dollar into holding these games on our land. The land on which the genocide of the Caucasians took place in 1864, when more than 1 million people were exterminated. Anonymous Caucasus believes that the Sochi Games will be held over more than a million graves of innocent people who perished in the genocide. Shame on Russia and on every Caucasian who supports holding those games on the soil of our homeland. Today Anonymous Caucasus has decided to carry out a new operation, Operation PayPackSotchi, the largest operation against the Russian government, and we will wage electronic war upon it. Today Anonymous Caucasus is stronger than ever and our activity will be global. We support all the Caucasian nations that are against Russia and against the enemies of Islam. We will make the Russian government think 1000 times before it decides to do anything on our land. Get out of our land; get out, or we will put you under our feet. If the world forgets the Muslims and Anonymous Caucasus, we will never forget. Our electronic war against Russia will affect all the government and company websites that are part of the Sochi Games and part of the war on Islam. We are always united and never divided, and our actions will prove who we are. Our last attack on the Russian banks was merely a joke. We will kill Russia with our successes and bury it with our smile. Our attack will bring the Russian government down to the lowest point and make the world know who the Caucasians are and who the defenders of Islam are. This day will come soon, as usual, and evil itself will collapse. We will sacrifice ourselves for every free person, and every human being who owned nothing will now be filled with strength against evil. We are Anonymous Caucasus … We never forget …. We never forgive … Expect us
Statement from the Anonymous Caucasus
The above statement is directed toward the Russian government and the Sochi games but really does not say much about what attacks are to come. They mention attacks against banks but little more than “look out, we’re coming for you”, as is often the case with an Anonymous operation. The Arabic here for the most part translated as if it was already written in English and translated into Arabic, but it seems perhaps that the author is fluent in not only English but also Russian and Arabic. As announcements go this site is somewhat green, with many functions not yet up for use, but generally it seems they are somewhat serious about not being taken offline (Cloudflare) as well as having the media savvy for a slick video set and graphic design.
Looking at all of the site data and behind the scenes a bit has been interesting. The WHOIS data and the links to and from the site (including shared infrastructure such as email) link Anonymous Caucasus directly with Vilayat Dagestan. Vilayat Dagestan is aligned with Islamism and has ties to Al Qaeda. In fact all of you out there may in fact be remembering the ties that Tamerlan and Dzhokhar had to the area and ostensibly to the same group when Tamerlan went to the old country to visit. The question then becomes: is this actually a funded operation by Vilayat and the Caucasus Emirate, or is this a smoke screen for some kind of attention and support? Since the sites tie right back to each other with shared infrastructure, it is my opinion that this is in fact an approved operation by Vilayat.
These facts, the connections to the Mujahideen and the actual words spoken on the Anon Caucasus video, show it to be not only an Anonymous-emulating group but also in fact part of the greater jihad. This then makes it a new twist in the GWOT for us all. As stated above, it remains to be seen just what capabilities this group will have, but the paradigm itself is what is more important in the grander scheme. For the moment though we can see they have hacked at least one site and show proof of it with a dump on pastebin as well. Of course the reality of most hacking operations with regard to Anon as well as the jihad thus far has been propaganda oriented only. We have yet to see real operational intelligence being gathered and used by AQ and others in theatre, so to many this may also seem just an interesting twist. We will have to see what happens when the games begin and move on. Perhaps these guys are all bravado… Perhaps other Anons might not like this group’s using their nom de guerre for terrorism…
gaiuaim ioi dui pln!
The “Darknets”. You’ve all heard of them. Some of you out there may have traversed their labyrinthine back alleys. However, have you ever thought that someday the darknet would be just as legitimate as the “clearnet” is today? With the recent bust of DPR and the Silk Road there has once again been great interest in the “Deep Web”, and this interest was sparked once again for me too. It seems that the darknet is the new black once again and people are flocking to it just like onlookers at a traffic accident. Others though seem to be aiming to use the darknet technology (TOR and hidden services) to support free speech and to pass information as legitimate whistleblowers.
Still Mos Eisley but….
I loaded up TOR & Tails and took a trip once again into the digital Mos Eisley. It is still dark and full of crazy things and if you go there you too will see black market items, services like Assassinations for Bitcoins, and run of the mill blogs. You can (allegedly) buy just about any kind of drug in quantity just as easily as buying/mining bitcoins and paying for your drugs with them. All anonymously (once again allegedly as you can see from the DPR fiasco) via the Onion hidden services and backed by other services from anonymous email on TOR to bitcoin exchanges. However one can now see other sites out there that aren’t so black market oriented as well.
One such site is pictured above. The New Yorker decided post Ed Snowden’s revelations, that it was a good idea to put their new “secure dropbox” on the hidden services. This is a legit site that has been talked about on the clearnet as well as in the media a couple months ago. This is one of the first more legit sites I have seen out there that is offering a secure means to talk to reporters using the security that others on the darknets are using to carry out illegal activities. I have yet to really look at the site’s security but overall I see this one site being the key to showing others out there how the darknet can be used for something other than crime. Of course then again, if you ask the Obama Administration even this site could be considered illegal or an accessory to illegal leaking I guess. It’s really a matter of perspective.
So what about other sites? What would you out there use the darknet for that is not “illicit” but requires some security and anonymity? I can foresee other sites popping up perhaps in the arena of free speech or even political movements that might like this model to pass their ideals on. I honestly think this is a turning point for the darknet. Of course this is all predicated on the darknet being “secure” after the revelations from the Snowden Archive of late. It seems the NSA is really trying pretty hard to de-anonymize anyone they want to and would love to have it just not anonymous at all. Well, let me re-phrase that.. Have them THINK it’s anonymous while it is not so much to the NSA.
Other sites out there include an online Koran as well as all kinds of other non criminal sites that are.. Well.. Kinda goofy or fringe. I think that perhaps now things might shift as the technology becomes easier to manage making it easier with global connectivity for us all to hang up a shingle in the darknet.
Time will tell though I guess…
So Schneier, the paragon (most of the time lately) of being behind the curve, has linked a paper put together by Gabriella Coleman (ersatz sociologist and Anonymous cipher). Before clicking on the link and downloading I braced myself for a read that likely would make me want to perform the head—>desk ritual. Sure enough, after reading the 27 pages of mostly histrionics regarding Anonymous I was ready to apply said head to desk with the usual force. Why do I do this to myself? I suppose that I am that person who Einstein referred to as the epitome of insanity, performing a task over and over again expecting a different outcome. Either way, I thought it appropriate to call this into question for the larger audience to look upon and judge post my bile spewing.
HOW MANY YEARS OF STUDY DID IT TAKE TO PUT 27 PAGES OF DRIVEL TOGETHER?
Well Gabby, how long were you following the Anons around again? I think you would have been better served by reading Parmy’s book and then spewing out some facts and insights after a little digestion than by what you have put out there as a scholarly text on the Anonymous movement. Sure, your generalities concerning modus operandi citing the Rand report from 1997 are all super cool and all, but really, what audience are you reaching out to here? You neither get into the issue deeply enough for the non-novice concerning the net and Anonymous, nor do you really put together a usable picture for the uninitiated to follow along as to what is really happening and has been since Anon percolated up out of the pool that is 4chan.
All in all the paper, if it be called such, just lays out in florid language the long and winding road of histrionics around Anonymous, without really touching on the issues of how it/they have been affected by, as well as are affecting, the net/global politics/cyberwar today. There are hints and allegations in it but really, you are a sociologist, are you not? Should you not be taking up this kind of inquiry as well? What you do do, though, is state that they are a not-so-anonymous and not-so-leaderless group, which sounds awfully familiar to me. *I wonder why? Maybe you should look at my blog posts all these years, eh?* While you point out that they have been a force, you do not really maintain what kind of force they are, nor do you summarize whether or not you think that they will be a real force in change, nor why they would not be. Well, nominally I think you allude to the lack of cohesion, but then you go on to counter that with all of the amazing things they can do with PR and hive mind. Frankly you just seem muddled there. Perhaps overall it is because they are so amorphous that you cannot really conclude anything at all? Which you again allude to. It’s like that saying from the Supreme Court on porn, “I know it when I see it”. It’s mighty useless when it comes to actually explaining something.
ANONYMOUS IN THE AGE OF THE PANOPTICON
The one thing.. ONE thing that I would have loved to have seen anything solid about is how events like the Silk Road bust and the other fallout from the Snowman revelations have affected the Anons today. You kinda sorta mention it at the end but then drop it. Perhaps it is too early to tell on that account. Perhaps you are just still milking this whole thing to further your drivel writing. I dunno. I just think that there is a far richer picture here that needs to be looked at, and you are failing to do so with all your years of allegedly “studying” the Anon diaspora. This paper was useless, and I sure hope that policy makers aren’t reading it to understand anything other than the history of how Anon was born, because otherwise they will be left more clueless and tired-eyed than they started.
Oh and yeah so when do you appear on the next Dr. Phil?
rode bb iqdnpmbia fpn’k ybi lr qektrf?
par·a·noi·a, noun
1. Psychiatry. A mental disorder characterized by systematized delusions and the projection of personal conflicts, which are ascribed to the supposed hostility of others, sometimes progressing to disturbances of consciousness and aggressive acts believed to be performed in self-defense or as a mission.
2. Baseless or excessive suspicion of the motives of others.
Also, par·a·noe·a [par-uh-nee-uh].
Origin: 1805–15; < Neo-Latin < Greek paránoia madness. See para-, nous, -ia
Paranoia, the Anonymous intelligence division (self-described), published a dump of data ostensibly taken from Bank of America and TEK Systems last week. The information presented seems to show that BofA had contracted with TEK to create an ad hoc “Threat Intelligence” unit around the time of the LulzSec debacle. Of course since the compromise of HB Gary Federal and the revelations that BofA had been pitched by them to do some contract work in the disinformation business, it only makes sense that BofA would set up a threat intel unit. The information from the HB Gary dumps seemed to allude to the fact that BofA was actively looking to carry out such plans against those they perceived as threats. Anons out there took great umbrage and thus BofA was concerned.
This blog post is being put together to analyze the data dumped by Anonymous, to give some perspective on what BofA may have been up to, and to set some things straight on the meanings of the data presented by Paranoia. First off though I would like to just say that I think that generally BofA was being handed lackluster threat intel by a group of people with intelligence backgrounds (for those names located in the dumps, their LinkedIn pages showed former mil intel work). This of course is an opinion formed solely from the content that was available online. There may have been much more context in formal reports that may have been generated by the analysts elsewhere that was not open for the taking where Anon found this dump. The daily and monthly reports found in the database showed some analysis but generally gave rough OSINT reports from online chat logs, news reports, and pastebin postings. There seemed to be a general lack of product here, and as such I have to wonder if there ever was any, or if perhaps those reports never made it to the internet-accessible server that Anonymous downloaded them from.
B of A’s THREAT INTELLIGENCE TEAM
Since the leak of their threat intelligence, BofA has been recruiting for a real team it seems. A Google of the parameters shows that they have a bunch of openings all over the place for “Threat Assessment”. It makes sense, since the TEK Systems team may in fact be mostly defunct, but also that they likely would want an in house group and not have to pay overhead on consultants to do the work for them. TEK’s crew as well may have been the problem that caused the leak in the first place, by placing the data in an accessible area of a web-server or having passed the data to someone who did not take care of it. Either way it looks as though BofA is seeking to create their own intelligence apparatus, much as many other corporate entities are today. The big difference though is what exactly their directive as a group is to be.
One of the problems I have with the Paranoia analysis is that they take it to the conspiratorial level and make it out to be some pseudo CIA like entity. The reality though, from what has been shown in the documents provided, is that this group really was only tasked with OSINT and threat intelligence by passive listening. This is a key difference from disinformation operations and active participation or recruiting of assets. I will cover this in more detail further on in this post, so suffice to say that what BofA was doing here was not only mediocre but also not Machiavellian in nature. The argument can be made though that we don’t know the whole picture, and I am sure Paranoia and Anonymous are leaning that way. I cannot say that with what I have seen so far. What I see is an ad hoc group of contractors trying to create an intelligence wing as a defensive maneuver, to try and stay ahead of incidents if not deal with them more effectively should they not be able to stop them.
Nothing more.. Nothing less.
Threat Intelligence vs. Analysis and Product
All of this talk though should be based on a good understanding of what intelligence gathering really is. There are many variations on intelligence tasks, and in this case what is clearly seen in the emails and documents is that this group was designated as a “Threat Intelligence” collection group. I have written in the past about “Threat Intelligence” and the misnomer many have that it is some arcane CIA like pursuit. One of the bigger problems overall is perception and reporting where intelligence gathering is concerned. Basically, in today’s parlance much of the threat intelligence out there in INFOSEC is more around malware variants, their C&C’s and perhaps who is running them. With the advent of APT actors as well as criminal activity and entities like Anonymous, the paradigm of threat intelligence has come full circle back to the old school idea of what it is from the military sphere of operations.
Today’s threat intelligence is not only technical but also human action driven, and this makes it even more important to carry out the collection and analysis properly in order to provide your client with the information to make their decisions with. Unfortunately, in the case of the data from BofA we see only sketchy outlines of what is being pasted online, what may be being said in IRC sessions, and what is in the news. Nothing overly direct came from any of the data that I saw, and as “product” I would not be able to make much of any decisions from what was presented by TEK Systems people. What is really missing within the dump from Paranoia is any kind of finished analysis product tying together the information in a cogent way for the executives at BofA. Did TEK actually carry this type of activity out? Were there actual reports that the execs were reading that would help in understanding the contents of the raw intelligence that was being passed on in emails daily and monthly? I cannot say for sure. What I did see in the reporting (daily threat reports as well as monthly) were some ancillary comments by a few of the analysts, but nothing overly structured or productive. I really would like to know if they had more of an apparatus going on here, as well as if they plan on creating one again with all of the advertised positions in that Google search above.
Threat Intelligence vs. HUMINT
This brings me to the whole issue of Threat Intel vs. HUMINT. It would seem that Paranoia thinks that there is much more than meets the eye within the dump, which makes them intone that there is a HUMINT (Human Intelligence) portion to the BofA program. While there may well be some of that going on, it was not evident from any of the documents I looked at within the dump files. HUMINT would imply that there are active participants of the program out there interacting with the targets, trying to recruit them or elicit information from them. With that kind of activity comes all of the things one might conjure up in their heads when they think on NOC (Non Operational Cover) officers in the CIA trying to harvest intelligence from sources (assets) in the field. From everything seen that was posted by Paranoia, this is not the case. This operation was completely passive and just collecting data that was in public view, aka OSINT (Open Source Intelligence). Could BofA be seeking to interact more with Anons and generate more personal data other than that which the Anons posted about each other (DOX’ing)? Sure, but there is no evidence of that. Given the revelations with HB Gary though, I can see why the Anons might be thinking that they are likely taking more robust non passive actions in the background elsewhere. Overall I just want everyone to understand that it’s not all cloak and dagger here, and it seems that Paranoia has a flair for the dramatic as a means to get their point across. Or, perhaps they are just living up to their name.
My assessment in a nutshell here of the Paranoia BofA Drop is as follows:
- Paranoia found some interesting documentation but no smoking gun
- TEK Systems did a mediocre job at Threat Intelligence, with the caveat that I am only working with the documents in plain view today
- BofA like any other company today has the right to carry out this type of activity but they need to make sure that it’s done well and that it isn’t leaked like this
- If more documents come out showing a more in depth look at the OSINT being collected then perhaps we can change the above findings
- BofA needs to classify their data and protect it better on this front
- Paranoia needs to not let its name get the best of itself
All the drama aside, this was a ho hum really. It was funny seeing all the analysts taking down their LinkedIN pages (really, how sekret squirrel is it to have a LI page saying who you work for doing this kind of work anyway? SECOPS anyone?) I consider those players quite burned and assume they are no longer working on this contract because of it. All you analysts out there named, you are now targets and you are probably learning SECOPS the hard way, huh? I guess in the end this will all just be another short chapter in Encyclopedia Dramatica and an object lesson for BofA and maybe TEK Systems.
For everyone else.. It’s just LULZ.