Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Business Intelligence’ Category

Counterintelligence, False Flags, Disinformation, and Network Defense

with one comment

//B zrxr wwmpxjnp vf ygwyr jh kur gig vvbxv nf o “yinwf zcnt”. Ilmf xp vv lbi vwwpe grxr mhct sxh ubpifmpxt qzgu o izkruyi nar t tcqjhrgrf. Mpgwf xrlf hawwki, CU’f uoom oehhvgvq lbtmqm, ybywzzcqt, ueq vbyzcvfx nngsk ucvlm. Pbh bxmf e qlf.\\

Threat Intelligence, Counterintelligence, and Corporate | Nation State Espionage

“Threat Intelligence”, a term that is just behind the oft used “Cyber” and God forbid, “Cyber” is all too often put in front of it as well to add more oomph for sales people to sell their brand of security snake oil… “But wait there’s more!” We also have other spook terms being kluged into the INFOSEC world now because, well, it’s cool to those cyber warriors out there. I know, I sound jaded and angry, which, yes, yes, I am, but… Well, it’s just gone completely off the rails out there. I hear people talking about these topics as if they know what they are talking about even with the exceedingly limited scope of digital security matters (i.e. hacking/forensics/defense)

I would like to clear the air here a bit on these terms and how they do really apply to the world of INFOSEC that we in this business now find ourselves in, one littered with military and spook terms that you may not be really familiar with. First off, lets look at the terms that have been thrown around here:

Threat Intelligence: In the spook world, this is the gathering of intelligence (HUMINT/MASINT/SIGINT etc) to determine who has it in for you and perhaps how they plan on getting at you.

Counterintelligence: Spies who hunt other spies (Mole Hunts etc)

Espionage (Nation State and Other) The umbrella under which this whole rubric exists. Nation state and other have the component of “Industrial” as well (i.e. IP theft)

Ok, so, where once we used to only have people in three letter agencies worried about “ThreatIntel” we now have the INFOSEC community looking at “threats” to their environments and calling it “Threat Intelligence” now. While it’s a cool name, does it really apply? What was it before the whole APT thing broke as well as the cyberwar-palooza we have today? For the most part, I can see only half of the term applying to any non state entity or three letter agency and that is of what “threats” are out there today. This means what exploits and pieces of malware are out there that your environment would be susceptible to.

Nothing else.

That is unless you suddenly have a company that has decided to launch its own “Intelligence arm” and yes, this has happened, but usually only in larger companies with defense contracts in my experience. Others though, have set them up, like Law firms, who then hire out ex spooks to do the work of counterintelligence as well as intelligence gathering to have an edge over everyone else. Perhaps this is bleeding out into other areas as well in corporate America huh? The point here for me is that unless you have an intelligence arm (not just INFOSEC) you should not be using the term “Threat Intelligence” as an encompassing statement of “there’s malware out there and this is what it is” Point blank here, IF YOU AREN’T DETERMINING WHO YOUR ADVERSARY IS AND WHAT THEIR PLAN IS… IT”S NOT THREAT INTELLIGENCE.

Looking at IP’s on an SIEM and reacting to a triggered event is not threat intelligence. It’s INCIDENT RESPONSE. It’s AFTER THE GOD DAMN FACT OK?

So, stop trying to make it sound cooler than it really is people. To further this idea though, we still have “Counterintelligence” which FOR FUCKS SAKE I have personally seen in a title of a complete MORON at a large company. This fucker sits around all day looking at his stock quotes though, see, it’s just a cool title. It has no meaning. UNLESS you really have an operational INTELLIGENCE UNIT in your company.

*Look around you.. Do you? If not then STFU*

If you do have a real intelligence wing in your org that carries out not only COUNTERINTEL/INTEL/HUMINT/THREATINTEL then more power to you. If not, you’re deluding yourselves with militaristic terms and cyberdouchery… Just sayin.

However, the way things are going with regard to the world, I should think that you might see more of these kinds of intelligence arms springing up in some of the larger corporations of the world. It’s a rough world and the fact that everything is networked and global has primed the pump for these kinds of activities to be a daily operations tool. It’s now the blurring of the lines between what nation states solely had the control and aegis over to now its becoming privatized and incorporated.

William Gibson saw it.. Phramacombinats and all.

False Flags and Disinformation Campaigns

Which brings me to the next level of affairs here. When I was on the DEFCON “Fighting Monsters” panel, I made some statements that seem to have come to pass. I spoke about how Anonymous would have to worry about “False Flags” against their name as well as expand upon the idea that Pandora’s box had been opened. Nothing on the internet would really be the same because we all had moved into the “spook world” by the actions of Anonymous as well as things like Stuxnet. The lines had been blurred and all of us net denizens need to be aware that we are all pawns in a series of greater games being played by corporations and governments.

Since then, we have seen many disinformation campaigns (think sock puppets on social media, fake news stories, rumours, etc) as well as false flag actions where Anonymous may have been blamed or named for actions that the core did not carry out. So many times since then we have seen Anonymous attempt to set the record straight, but, like I said before, who’s gonna believe them because they are “anonymous” and disparate right? Could be anyone… Could be them… And with previous actions, are they to be trusted when they say they did not do it? See, the banner thing (hive mind) has a tremendous proclivity for severe blowback as they have learned.

What’s sauce for the goose though, is also good for the corporate, political, private gander right? How many Acorn operations do you need to see happening in the election cycle to realize that this has been going on for some time and that, now, with the internet, its easier to perform these kinds of operations with a very small group with minimal effort as well? Pandora’s box was not only opened, it was then smashed on the floor and what was once contained inside has been forever unleashed upon us all.

Yay.

Now, going back to you INFOSEC people, can you then foresee how your companies reputation or security could be damaged by false flag operations and disinformation? A recent example may in fact be the attack purported to be on against Josh Corman of Akamai because he said some things that “some” anonymous players did not like. Were they really out to get him? Were they doing this out of outrage or was there another goal here? What you have to ask yourselves is, what is my company and it’s employees susceptible to in this area? Just as well, this also applies to actual attacks (DDoS etc) they could be signal to noise attacks. While the big attack is going on, another team could be using the fog of war to sneak into the back door silently and un-noticed.

See where I am going there?

In the case of Josh, do they want to D0X him or do they want to force Akamai to maybe flinch and let him go because of bad press, and potential attacks on their infrastructure and management?

Ponder that…There are many aspects to this and you have to have a war mentality to grasp it at times. Not all attacks frontally are the real attack today. Nor are all attacks on players what they may seem to be in reality, the adversaries may in fact have a longer game in mind.

Network Defense and Network OFFENSE

Ok, so back to reality today with many orgs and their INFOSEC programs. You are looking to defend your network and frankly you need not have “cool” names for your program or its players. What you need is to be mindful of your environment and pay attention to the latest attacks available that would affect it. Given today’s pace though, this makes just about everything suspect. You can get yourself an IDS/IPS, an SIEM, Malware protection, and all kinds of things, but, unless you know where shit is and what it is, you lose the big game. So, really, threat intelligence is just a cool name for an SIEM jockey today.

Like I said, unless you are doing some real adversary profiling and deep inspection of attacks, players, motivations etc, you are not doing THREATINTEL. You are minding the store and performing network defense… i.e. your job.

Now, on the other end of the spectrum lately, there have been certain douchenozzles out there saying that they can sell you services to protect your org with “OFFENSE”

*blink blink*

Offense you say? Is this some new form of new SPECWAR we aren’t aware of? Firms like the more and more vaporware company “Crowdstrike” seem to be offering these kinds of services, basically mercenaries for hire, to stop those who would do you harm. What means are they going to employ here? Obviously performing what they see as intelligence gathering, but then what? Once you have attribution will there then be “retribution” now like so many Yakuza centric stories in Gibson novels? I’m sorry, but I just don’t see this as viable nor really any kind of a good idea whatsoever… Leave it to the three letter agencies.

Alas though, I fear that these companies and actions are already at work. You can see some of that in the link above to the book I reviewed on private intelligence and corporate espionage. Will your data be a part of a greater corporate or government conspiracy? Some black ops mumbo jumbo over your personal information perhaps? Part of some retribution for some attack perceived to have happened to company A by company B?

Welcome to the shadows and fog of espionage kids.

Going “Off The Reservation”

Overall, I guess I just wanted to lay some things out there and get people’s heads around the amount of douchery going on today. We collectively have gone off the reservation post 9/11 with PII, Privacy (lack thereof) and hacking. That entities like Anonymous came to be and now see the governments and corporations of the world as dark entities isn’t so hard to see when you look at the crap going on out there. What we saw in Team Themis was just one small spec in a larger “Cyber Beltway Banditry” going on today. Look to the other side where you have Fusion centers with private INTEL gathering capacities tossing out absolute crap yet spending BILLIONS of dollars and, well, there you have it.

Monkeys with digital guns.

We are off the reservation already and it’s every man  (or woman) for him or herself.

In the end though… If you have a title that says something like “CHIEF INTELLIGENCE OFFICER” on it, you’d best be at a three letter agency.. If not, then you are deluding yourself with EPIC DOUCHERY.

K.

INFOPOCALYPSE: You Can Lead The World To The Security Trough.. But You Can’t Make Them Think.

leave a comment »

“Dark, profound it was, and cloudy, so that though I fixed my sight on the bottom I did not discern anything there”

(Dante Alighieri; The Inferno)

The current state of the Security “Industry”

It seems that once again people who I have acquaintance with in the security industry are wondering just how to interface with corporations and governments in order to build a base of comprehension about the need for information security. The problems though are myriad with these questions and the task to reach people can be a daunting one, never mind when you have groups of them in hierarchies that comprise some of the worst group think in the world (AKA corporations)

Added issues for the “industry” also surround the fact that it is one at all. Once something moves from an avocation to a profession, you have the high chance of it becoming industrialised. By saying something has been made industrialised, implies to many, the cookie cutter Henry Ford model really. In the security world, we have seen this from the perspective of magic boxes that promise to negate security vulnerabilities as well as teams of consultants who will “securitize” the company that is hiring them with magic tools and wizardry. The net effect here is that those paying for and buying into such products and services may as well be buying a handful of magic beans instead.

Now, not every company will be efficacious in their assessments nor live up to the promises they make for their hardware/software solutions. Many practitioners out there and companies really try to do the right thing and do so pretty well. However, just as in any other business, there are charlatans and a wide range of skilled and unskilled plying their arts as well. Frankly, all that can be said on this issue is “Caveat Emptor”  It’s a crap shoot really when it comes to goods and services for security solutions. The key is though, to be able to secure yourselves as a company/entity from the standpoint of BASIC security tenets up.

Often its the simple things that allow for complete compromise.. Not just some exotic 0day.

So we have a cacophony of companies out there vying for people’s dollars as well as a news cycle filled with FUD that, in some cases are directly lifted from the white papers or interviews with key players from those said same companies seeking dollars. It is all this white noise that some now, are lamenting and wondering just how do we reign things in and get a stable base to work from in an ethical way to protect companies and individuals from information security meltdowns. More so it seems lately, the question has been how do we reach these people in the first place? How do we actually get a meaningful dialogue with the corporate masters and have them come away with the fundamentals of security as being “important”

Unfortunately, I think that there are some major psychological and sociological hurdles to overcome to reach that point where we can evince the response we all would like to see out of those C level execs. I have written about them before, but I will touch on them again later in this piece. Suffice to say, we all have a tough row to hoe where this is concerned, so, I expect there to be no easy answer… Nor really, any satisfactory conclusions either.

“It is a tale Told by an idiot, full of sound and fury, Signifying nothing”

(Shakespeare; MacBeth)

Security Joan of Arc’s and their Security Crusade:

Joan De Arc was a woman ahead of her time. She wore men’s clothing and lead the French in battle against the English and to victory, all as a teen girl. She later was burned at the steak for heresy and just recently made a saint many years later. I give you this little history lesson (link included) to give you an idea of who you all are in the security industry lamenting over not being listened to. You too may be ahead of your time, but, just as she was, you too will not be listened to because your ideas (to the listeners) are “radical”

Now, radical is a term I am using to denote how the corporate types are seeing it. We, the security advocates, do not see these concepts as radical, but instead as common everyday things that should be practices (complex passwords, patching effectively, etc) They (the client) see these things as impediments to their daily lives, their bottom lines, and their agenda’s both personal and corporate. There are many players here, and all of them have agenda’s of their own. This is a truism that you must accept and understand before you rail against the system that is not listening to your advice.

Here’s a bit of a secret for you.. The more ardent you seem, the more likely you will be branded a “Joan” The perception will be that you are a heretic and should not be listened to. Instead you should be marginalised in favour of the status quo.. After all, they have gone about their business every day for years and they are just fine! The more you rail, or warn with dire tones, the more you will be placed at the back of the mind.

Think Richard Clarke (I heard that chuckle out there)

Though Joan inspired the French forces to battle on and win more than a few battles, she eventually was burned at the steak. Much of this was because of her unique nature and fervour. Much as yours may do the same to you… Without of course literally being burned at the steak and you all must learn this. I think you have to take a page from the hackers playbook really and use the axiom of being a “Ninja”

The subtle knife wins the battle.

 

“If the Apocalypse comes, beep me”

(Joss Whedon;Buffy the Vampire Slayer)

What’s the worst that could happen really?

The quote above really made me chuckle in thinking about this article and the problems surrounding the premise. This I think, is the epitome of some people’s attitudes on security. Most folks just go along their days oblivious to the basic security measures that we would like them to practice as security evangelists. The simple fact is that like other apocalypse scenarios, people just have not lived through them and been affected by them to change their behaviours accordingly. What solidified this for me recently was the snow storm last October here in New England that caught so many people flat footed. They simply had not ever really had to rely on their wits and whatever they had on hand before like this. When the government and the corporations (CL&P) failed to provide their services to the populace, the populace began to freak out.

Its the same thing for information security. Whether it is the government or the corporations that supply us all, both are comprised of people who all pretty much lack this perspective of being without, or having really bad things happen to them. 9/11 comes the closest, but, that only affected NYC and DC directly (i.e. explosions and nightmarish scenarios with high casualties) In the case of corporations, you have lawyers and layers of people to blame, so really, what are the risk evaluations here when it is easy to deflect blame or responsibility? For that matter, it was inconceivable to many in the government (lookin at you Condi) that terrorists would use planes as missiles… Even though a month before a report was handed out with that very scenario on the cover.

The core of the idea is this. Human nature on average, and a certain kind of psychology (normative) that says “This can’t happen to us” We all have it, just some of us are forward thinking and see the potentials. Those forward thinkers are likely security conscious and willing to go out of their way to carry out actions to insure their security. Things like storing extra food and water as well as other things that they might need in case of emergency. These can be life of death deal breakers.. Not so much for information security at your local Acme Widget Corp. In the corporate model, they have the luxury of “It’s somebody else’s problem” So, these things are usually not too important to them unless that person making the decision is cognisant of the issues AND responsible for them. Unfortunately, as we have learned these last 10 years or so, responsibility is not their strong suit.

So, on they go.. About their business after you, the security curmudgeon has told them that they need to store food for the winter..

But the grasshoppers, they don’t listen… Until they are at your door in the snow begging for food.

 

“More has been screwed up on the battlefield and misunderstood in the Pentagon because of a lack of understanding of the English language than any other single factor.

(John W. Vessey, Jr.)

How do we communicate and manipulate our elephants?

Back to the issue of how to communicate the things we feel important. This has been a huge issue for the security community for a couple of reasons.

  1. The whole Joan of Arc thing above
  2. The languages we speak are.. Well.. like Tamarian and theirs are corporate speak.

We, the security practitioners, often speak in metaphor and exotic language to the average corporate manager. You have all seen it before, when their eyes glaze over and they are elsewhere. We can go on and on about technical issues but we never really seem to get them to that trough in the title. Sometimes you can get them to the trough easily enough by hacking them (pentesting) but then they think;

“Well this guy is a hacker… No one else could do this! What are the chances this is going to really happen? Naaahhh forget it, it’s not likely”

So there is a bias already against doing the things that we recommend. Then comes the money, the time, and the pain points of having to practice due diligence. This is where they turn off completely and the rubric of it is that unless they are FORCED to carry out due diligence by law or mandate, they won’t. We all have seen it.. Admit it.. It’s human nature to be lazy about things and it is also human nature to not conceive that the bad things could happen to them, so it would be best to prepare and fight against them.

So, how do we communicate with these people and get them on the same page?

I have no answers save this;

“Some get it.. Some don’t”

That’s the crux.. You have to accept that you as the security practitioner will NEVER reach everyone. Some will just say thank you and good day… And you have to accept that and walk away. As long as you have performed the due diligence and told them of their problems.. You have done all you can. You can try and persuade or cajole them… But, in the end, only those who get it or have been burned before will actually listen and act on the recommendations you make.

“The greater our knowledge increases the more our ignorance unfolds”

(John F. Kennedy)

The Eternal Struggle

There you have it. This will always be the case and it will always be the one thing that others seeking to compromise corporations and governments will rely on. The foolishness of those who do not plan ahead will be their undoing..

Eventually.

All you can do sage security wonk, is calmly and professionally explain to them the issues and leave it to them to drink.

K.

SPOOK COUNTRY 2011: HBGary, Palantir, and the CIRC

with 5 comments

 

The establishment of a Corporate Information

Reconnaissance Cell (CIRC) will provide Hunton &

Williams LLP with a full spectrum capability set to

collect, analyze, and affect adversarial entities and

networks of interest.

From: Team Themis pdf


CIRC: The New Private Intelligence Wing of (insert company name here)

The HBGary debacle is widening and the players are beginning to jump ship each day. The HBGary mother company is disavowing Aaron Barr and HBGary Federal today via twitter and press releases. However, if you look at the email spool that was leaked, you can see that they could have put a stop to Aaron’s game but failed to put the hammer down. I personally think that they all saw the risk, but they also saw the dollar signs, which in the end won the day.

What Aaron and HBGary/Palantir/Berico were offering was a new kind of intelligence gathering unit or “cell” as they called it in the pdf they shopped to Hunton & Williams LLP. Now, the idea and practice of private intelligence gathering has been around for a very long time, however, the stakes are changing today in the digital world. In the case of Hunton, they were looking for help at the behest of the likes of Bank of America to fight off Wikileaks… And when I say fight them off, it would seem more in the sense of an anything goes just short of “wet works” operations by what I see in the spool which is quite telling.

You see, Wikileaks has made claims that they have a certain 5 gig of data that belonged to a CEO of a bank. Suddenly BofA is all set to have Hunton work with the likes of Aaron Barr on a black project to combat Wikileaks. I guess the cat is out of the bag then isn’t it on just who’s data that is on that alleged hard drive huh? It would seem that someone lost an unencrypted drive or, someone inside the company had had enough and leaked the data to Wikileaks. Will we ever really know I wonder?

Either way, Barr et al, were ready to offer a new offering to Hunton and BofA, an intelligence red cell that could use the best of new technologies against Anonymous and Wikileaks. Now, the document says nothing about Anonymous nor Wikileaks, but the email spool does. This was the intent of the pitch and it was the desire of Hunton and BofA to make both Anonymous and Wikileaks go away, for surely if Wikileaks were attacked Anonymous would be the de facto response would they not?

A long time ago William Gibson predicted this kind of war of attrition online. His dystopian world included private intelligence firms as well as lone hackers out there “DataCowboy’s” running the gamut of corporate intelligence operations to outright theft of Pharma-Kombinat data. It seems that his prescient writings are coming into shape today as a reality in a way. With the advent of what Barr and company wanted to offer, they would be that new “cowboy” or digital Yakuza that would rid clients of pesky digital and real world problems through online investigation and manipulation.

In short, Hunton would have their very own C4I cell within their corporate walls to set against any problem they saw fit. Not only this, but had this sale been a go, then perhaps this would be a standard offering to every other company who could afford it. Can you imagine the bulk of corporations out tehre having their own internal intelligence and dirty tricks wings? Nixon, EH Hunt, and Liddy would all be proud. Though, Nixon and the plumbers would have LOVED to have the technology that Aaron has today, had they had it, they may in fact have been able to pull off that little black bag job on Democratic HQ without ever having to have stepped inside the Watergate

The Technology:

I previously wrote about the technology and methods that Aaron wanted to use/develop and what he was attempting to use on Anonymous as a group as the test case. The technology is based on frequency analysis, link connections, social networking, and a bit of manual investigation. However, it seemed to Aaron, that the bulk of the work would be on the technology side linking people together without really doing the grunt work. The grunt work would be actually conducting analysis of connections and the people who have made them. Their reasons for connections being really left out of the picture as well as the chance that many people within the mass lemming hoards of Anonymous are just click happy clueless folks.

Nor did Aaron take into account the use of the same technologies out there to obfuscate identities and connections by those people who are capable, to completely elude his system altogether. These core people that he was looking to connect together as Anonymous, if indeed he is right, are tech savvy and certainly would take precautions. So, how is it that he thinks he will be able to use macroverse data to define a micro-verse problem? I am steadily coming to the conclusion that perhaps he was not looking to use that data to winnow it down to a few. Instead, through the emails, I believe he was just going to aggregate data from the clueless LOIC users and leverage that by giving the Feds easy pickings to investigate, arrest, and hopefully put the pressure on the core of Anonymous.

There was talk in the emails of using pressure points on people like the financial supporters of Wikileaks. This backs up the statement above because if people are using digital means to support Wikileaks or Anonymous they leave an easy enough trail to follow and aggregate. Those who are friending Facebook support pages for either entity and use real or pseudo real information consistently, you can easily track them. Eventually, you will get their real identities by sifting the data over time using a tool like Palantir, or for that matter Maltego.

The ANONYMOUS names file

This however, does not work on those who are net and security savvy.. AKA hackers. Aaron was too quick to make assumptions that the core of Anonymous weren’t indeed smart enough to cover their tracks and he paid the price as we have seen.

The upshot here and extending what I have said before.. A fool with a tool.. Is still a fool.

What is coming out though more each day, is that not only was Aaron and HBGary Fed offering Palantir, but they were also offering the potential for 0day technologies as a means to gather intelligence from those targets as well as use against them in various ways. This is one of the scarier things to come out of the emails. Here we have a company that is creating 0day for use by intelligence and government that is now potentially offering it to private corporations.

Truly, it’s black Ice… Hell, I wouldn’t be surprised if one of their 0day offerings wasn’t already called that.

The INFOSEC Community, HBGary, and Spook Country:

Since my last post was put on Infosecisland, I had some heated comments from folks who, like those commenting on the Ligattleaks events, have begun moralizing about right and wrong. Their perception is that this whole HBGary is an Infosec community issue, and in reality it isn’t. The Infosec community is just what the shortened name means, (information security) You all in the community are there to protect the data of the client. When you cross the line into intelligence gathering you go from a farily clear black and white, to a world of grays.

HBGary crossed into the gray areas long ago when they started the Fed practice and began working with the likes of the NSA/DOD/CIA etc. What the infosec community has to learn is that now the true nature of cyberwar is not just shutting down the grid and trying to destroy a country, but it also is the “Thousand Grains of Sand” approach to not only spying, but warfare in general. Information is the currency today as it ever was, it just so happens now that it is easier to get that information digitally by hacking into something as opposed to hiring a spy.

So, all of you CISSP’s out there fighting the good fight to make your company actually have policies and procedures, well, you also have to contend with the idea that you are now at war. It’s no longer just about the kiddies taking credit cards. It’s now about the Yakuza, the Russian Mob, and governments looking to steal your data or your access. Welcome to the new world of “spook country”

There is no black and white. There is only gray now.

The Morals:

And so it was, that I was getting lambasted on infosecisland for commenting that I could not really blame Anonymous for their actions completely against HBGary/Aaron. Know what? I still can’t really blame them. As an entity, Anonymous has fought the good fight on many occasions and increasingly they have been a part of the mix where the domino’s are finally falling all over the Middle East presently. Certain factions of the hacker community as well have been assisting when the comms in these countries have been stifled by the local repressive governments and dictators in an effort to control what the outside world see’s as well as its own people inside.

It is my belief that Anonymous does have its bad elements, but, given what I know and what I have seen, so does every group or government. Take a look at our own countries past with regard to the Middle East and the CIA’s machinations there. Instead of fighting for a truly democratic ideal, they have instead sided with the strong man in hopes of someday making that transition to a free society, but in the meantime, we have a malleable player in the region, like Mubarak.

So far, I don’t see Anonymous doing this. So, in my world of gray, until such time as Anonymous does something so unconscionable that it requires their destruction, I say let it ride. For those of your out there saying they are doing it for the power and their own ends, I point you in the direction of our government and say this; “Pot —> Kettle —> Black” Everyone does everything whether it be a single person or a government body out of a desired outcome for themselves. Its a simple fact.

Conlcusion:

We truly live in interesting times as the Chinese would curse us with. Today the technology and the creative ways to use it are outstripping the governments in ability to keep things secret. In the case of Anonymous and HBGary, we have seen just how far the company was willing to go to subvert the laws to effect the ends of their clients. The same can be said about the machinations of the government and the military in their ends. However, one has to look at those ends and the means to get them and judge just was it out of bounds. In the case of the Barr incident, we are seeing that true intelligence techniques of disinformation, psyops, and dirty tricks were on the table for a private company to use against private citizens throughout the globe.

The truth is that this has always been an offering… Just this time the technologies are different and more prevalent.

If you are online, and you do not take precautions to insure your privacy, then you lose. This is even more true today in the US as we see more and more bills and laws allowing the government and police to audit everything you do without the benefit of warrants and or by use of National Security Letters.

The only privacy you truly have, is that which you make for yourself. Keep your wits about you.

K.

Top 5 ways to destroy a company.. But Will They Sign Off On That?

leave a comment »

I watched the BruCON talk Saturday by Chris Nickerson “Top 5 ways to destroy a company” and was surprised at some of the things that were proposed on stage. On the other hand, I can agree with some of what he said too. For years I have lamented much the same thing that Chris did on stage. All too many times you give the client a report after actually finding major vulnerabilities and they either just don’t get it, or, and this is more often the case, don’t seem to care about the findings. You can “root the shit” out of them as Nickerson said, and still, they just look at you and say “So?”

The truth of the matter for me comes down to a few different factors:

  1. A lack of understanding the results that you present them
  2. A lack of situational awareness to understand that those same vulnerabilities can lead to dire results when used by a motivated aggressor
  3. A lack of latitude or perhaps initiative on the part of assessment specialists to flesh out these scenarios within the reports and the meetings to discuss the findings with the client

Nickerson too gets to this and asks;

Well why does that happen?

  • What we give them isn’t important. Managers don’t care about shells!
  • They don’t care about what we care about!

What do they care about?

  • The product line
  • The Brand
  • The Employees
  • The Bottom Line

I would also add “Their own asses” to this list as a fifth because really, what else really motivates an employee (including C levels) is whether or not the decisions that they make will cause great financial loss and in the end, their dismissal. Of course you then face the task of once again getting that horse to the trough to drink, and you know how that usually goes huh? This is where Chris kind of went off the rails for me and I think more than a few people watching the talk. It would seem that the advocating of “destroying” the business would be counter productive to having a job yourself, once you had performed the magic tricks that he suggests.

Top 5 ways to destroy a company

  • Tarnish the brand
  • Alter the product
  • Attack the employees
  • Effect financials directly
  • ** Your turn! **

The talk really did not elaborate on the how to do this with regard to getting a company to sign off on this in the first place and then as to how to carry them out, proving the concept without actually causing harm to the company that you are assessing. It has been my experience in the past that if you actually explain cause and effect in a report as well as the meeting, you can get across the real meaning to that shell you have gotten. The problem then becomes whether or not your client “gets it” You can explain it flawlessly but still not yield the changes that your findings require because those people you just presented your findings to “just don’t care” as Nickerson said. So his premise is quite right. You have to actually hit them where it hurts to get action sometimes. But just how do you do that, get it across to the client, and not get your ass thrown out or arrested for those actions?

The talk goes on to highlight something that actually isn’t so new to intelligence agencies both nation state and other. It’s called “Profiling” You profile the target, you get to know what makes them tick, and if you are aiming to do them harm, you look for their weak points and then exploit them. This is much the same thing you would do to a computer system, application, or network to attack it. What Chris was saying but not really saying directly, is that you have to take the precepts of “Information Warfare, Guerrilla Warfare, and Intelligence Analysis/Operations” and use them all to profile the target and formulate a plan of attack. By using these techniques (aka footprinting a network say) you apply it to the whole business to determine how you “could” destroy them, or perhaps more to the point, damage them into reactionary actions (and for all intents and purposes in this talk “listening to the security industry”)

The unfortunate thing though that this talk did not cover is that even when you show people you have “access” to something, and you tell them what you “could” do, you still may not get the reaction that you need to get from them to actually fix the problems. This is where the talk breaks down for me because I frankly just don’t see too many assessments happen out there with a “carte blanche” SOW that says you can do anything to them you want. All too often the client wants specific things checked and gives you only small amounts of time for targeted attacks. So sure, you can go change a pdf file of their prospectus, and print one out to show the management, but will presenting that actually change their minds? After all, I still think that human beings are quite bad at determining long term threats like this.

Overall though, Nickerson has it right. Use chained exploits (not in the regular definition you may be used to here) to escalate access and then use the information to show “how” you could affect the supply chain, or the financials of a company. Or, how you could steal certain types of data to sell to competitors, maybe even just how to hold it hostage. The problem is that without actually committing the acts, all too often you come off as a fiction writer in their minds as well as they look at you thinking;

“But, he’s just some uber geek… this won’t happen in real life, I mean we hired these guys because they can do it.. INCONCEIVABLE!”

It all comes down to how you present the data and scenarios to the client that will get them to react… Or not, as the case may always be… Until they are really compromised and by then, its too late.

So, where does that leave us? In the same position really, but it behooves us to be better communicators with the clients. We need to be able to perform the following actions in every assessment:

  1. Profile the business overall, where they are in the market, and their history
  2. Profile their business model and their product or products
  3. Profile their request for an assessment by you (why are they doing it? SOX? PCI? or are they interested and engaged)
  4. Profile the employees and C levels (are they engaged? Do they buy in on security?)
  5. Formulate scenarios that would cause varying levels of damage (targeting them)
  6. Meld not only the technical side of things but also look at their processes. If they are lacking there, you are likely to see much more potential for high collateral damage exploits or chained exploits

Unless you can put a whole picture together and then prove it if they actually give you a go ahead, then you are just another technical monkey saying “Look Shells!” as Nickerson put it.

I think that is what he was driving at through all of the ranting…

So, consider this the paradigm change… Consider what you do “Information Warfare” and not just hacking assessments. Perhaps then, once the industry takes that next step to herd the cats, we will see change in the clients understanding of why we find these things and say “You’re fucked!” This is something that has been written about before. Without changes, the security industry will continue to only be as effective as long as those you are working for are already engaged and understand security issues.

CoB

Top Secret America: The Fifth Column, Uncontrolled and Unaccounted For

with 2 comments

The top-secret world the government created in response to the terrorist attacks of Sept. 11, 2001, has become so large, so unwieldy and so secretive that no one knows how much money it costs, how many people it employs, how many programs exist within it or exactly how many agencies do the same work.

These are some of the findings of a two-year investigation by The Washington Post that discovered what amounts to an alternative geography of the United States, a Top Secret America hidden from public view and lacking in thorough oversight. After nine years of unprecedented spending and growth, the result is that the system put in place to keep the United States safe is so massive that its effectiveness is impossible to determine.

The investigation’s other findings include:

* Some 1,271 government organizations and 1,931 private companies work on programs related to counterterrorism, homeland security and intelligence in about 10,000 locations across the United States.

* An estimated 854,000 people, nearly 1.5 times as many people as live in Washington, D.C., hold top-secret security clearances.

* In Washington and the surrounding area, 33 building complexes for top-secret intelligence work are under construction or have been built since September 2001. Together they occupy the equivalent of almost three Pentagons or 22 U.S. Capitol buildings – about 17 million square feet of space.

From Secret America in the Washington Post

PBS Frontline report coming this fall

When this article came out there seemed to be just a collective murmur as a response by the masses. I figured that either people just didn’t care, didn’t get it, or were just too stunned to comment about it. Upon reading up some more and seeing the Frontline piece, I have decided that most people just can’t grasp the sheer import of this report. What this all says to me is that the government has no idea of just who is doing what and how much money is being spent. What’s more, the people certainly have no idea (the people as in the voting public) whats really going on either.

Another factor here I think is that many people just have too much faith in the government and in the corporations. When you really look at it though, once you have worked in the sausage factory and have seen how its made, you really never want to eat sausage again. Its like that with working for the government and or corporations really. Having spent all these years in the information security business working for fortune 500 companies as well as the government, I can say I do not want to “Eat the sausage” Of course perhaps the better thing to say is that I do not trust the government nor corporations because they both are comprised of inept people and red tape.

By far though, the concerns that I have are something a bit more ominous in nature. I fear that these machinations will only lead to greater abuses of power by not only the government but also the corporate entities that they have tasked with performing all this secret work. It used to be that there was government oversight on the intelligence community, but you knew that there was some off books things happening. Now, we have post Iraq and still ongoing in Afghanistan, a contractor proxy war that now includes a civilian intelligence element. An element that now seems to be even more “civilian” because it is being operated by corporations and not wings of the government. It gives a new meaning to “black ops”

Another interesting turn in this “secretification” to steal a Bush-ism is the whole issue of just how far the pendulum has swung from the nations not caring so much about HUMINT and intelligence to suddenly being even more fervent about it it seems than they were during the cold war years. I might also hazard a statement to say that since 9/11 it has generally felt more and more like the 50’s again where paranoia is concerned about the “enemy threat to the homeland”

Are we in danger? Yes. Do we need to have to go back to the 50’s mentality of us and them with a McCarthy-esque twist? No.

Of course all or most of this is aimed at Jihadi terrorists and not a governmental body like the Soviet bloc and this is where the disconnect seems to be the largest for me. It’s rather ironic actually that all this effort is being predicated on fighting a group of people who are not generally known for being easily infiltrated nor as easy to get a grasp on as the Sov’s were. People just knee jerked after 9/11 and really, they have only created even more bureaucracy in which the real INTEL will get lost and another attack likely happen because of it.

Welcome to Washington’s dementia…

Spies Among US

leave a comment »

First of all, when it comes to espionage, nothing in Russia has changed. After all, the real leader of Russia, Vladimir Putin, was as a career KGB agent who came up through the ranks, and not by exhibiting democratic principles but rather by being a steadfast believer in communist ideology and the especially harsh methods of the Soviet regime with which we are all familiar. In fact, let’s not forget, no one presently in a senior leadershipposition in Russia came up through a nursery of democratic institutions, but rather through the vestiges of Stalin, Kruchev, Andropov, the NKVD and the KGB. Putin, true to his breeding, has surrounded himself with trusted KGB cronies who believe as he does at all levels. So don’t expect anything less from Russia than what they are: not our allies. The KGB had illegals in the United States under the Soviet system and the SVRstill does, according to most experts, under the Russian Federation. How many are here? No one knows, but one thing we can be sure of, this is one of their favored ways to penetrate a nation and have a presence there and they are not giving up on this technique.

But why you ask? After all, the Russians have satellites and they can intercept communications and break codes. Yes and more. However, the one thing that Russian intelligence will always rely on is a backup system to their technical expertise in case of war (hostilities). They always want to have a human in the loop who can have access to information and more importantly to other humans.

You see, an illegal that passes as an average American, can have access to things no satellite, phone intercept or diplomat can have access to—every day things, such as a car, a home, a library, neighborhood events, air shows on military bases, location of fiber cables, access to gasoline storage facilities, a basement to hide an accomplice, a neighbor’s son serving in the military, and so on. If you think like an intelligence officer, then you realize in an open society it’s possible to obtain a lot of information. A mere walk in a neighborhood on a Saturday morning can give you access to vehicles parked at a garage sale that have stickers from government installations or high tech companies doing research. These individuals can be tracked or befriended. Neighbors often watch each other’s houses and may even have keys, which give an intelligence officer access to the house, or a car, or a gated community. They get invited to parties, meet people and gain access to individuals with knowledge, influence or information. And that is only the beginning.

Full article HERE

The above is a snippet from a Psychology Today article by a former FBI spycatcher. I bring it to you to perhaps clarify some of the news out there and maybe give some ancillary corroboration to the things I have been saying all along about the 11, now 12 “illegals” that were caught and so quickly deported recently.

It was surprising to see just how many people thought that since the Sov Bloc was gone that the new Russia would be spying on little ol’ us. I guess this says more about our culture than it does about theirs really. Just as the author says above, the Russians still have the “strong man” mentality inculcated within their culture and they are led by none other than Vladimir Putin, KGB down to his boxers… And still in charge. So why would it be so inconceivable that the Russians would have such illegals programs as well as other NOC operatives in country? Its certainly the case and always has been. It’s just that the people of the US are too busy thinking about the latest episode of the Hills instead of perhaps geopolitics huh.

Geopolitics and history aside, the article brings out a key point that I have made on more than a few occasions. HUMINT is ery important. This is something that we learned post 9/11 and have been trying to fix since we fucked it all up back in the 90’s (Sorry Bill Clinton) by reducing the HUMINT capabilities of the likes of the CIA in favor of technological means of spying (ala the NSA) We went too far in the other direction and got caught with our pants around our ankles because we did not have a man on the ground to give us good intel on the 19.

Then we have the 12 illegals pop up… and everyone is surprised that the Russians are spying on us as well as amazed at the old school tradecraft that they are using.

How antiquated…

Antiquated and still quite functional boys and girls.

Expanding it further out though, you can see in the passage that I like the most that;

If you think like an intelligence officer, then you realize in an open society it’s possible to obtain a lot of information. A mere walk in a neighborhood on a Saturday morning can give you access to vehicles parked at a garage sale that have stickers from government installations or high tech companies doing research. These individuals can be tracked or befriended. Neighbors often watch each other’s houses and may even have keys, which give an intelligence officer access to the house, or a car, or a gated community. They get invited to parties, meet people and gain access to individuals with knowledge, influence or information. And that is only the beginning.

THIS is a key thing to pay attention to. Once you are in, you have so much access that you really don’t need all of the arcane spy vs spy stuff to get what you really want here. The illegals were a foothold group sent to burrow in and make lives so they could gather data and make friends. They would be, in states of serious distress between the countries, “inside men” the fifth column to attack the enemy from the inside… Say, does this remind you of anything going on recently? Say, oh Jihadi’s recruiting US citizens for Jihad?

Yep.

Situational Awareness is key.

Auditing Career: Dealing with Mentally Unstable Managers

with 3 comments

My Psychologist friend jokingly suggested that auditors receive training  on how to interact with people suffering with  Attention Deficit Disorders, bipolar disorders and in group dynamics in the corporate environment.    A company’s culture is a very complex organism.   Even the smallest places have complicated political and social layers (silos) that have nothing to do with the official roles and functions performed by individuals and shown in organizational charts.    Decisions in organizations, anyone who is observant will confirm, are not always made based on logic, business reasoning, policies, controls, and/or the need to comply with external regulations.  They are often made based on fear, anger, sexual attraction, insecurity, jealousy, greed, hate, prejudices and confusion. Because of these things, it is easy for mentally unstable people to “hide” in the open.   In many organizations these behaviors are sheltered because those at the top benefit from that sort of culture.

I love this line that I have highlighted, because really, its the basis of 99% of the decisions made in corporations. Much of that decision making process on the lower levels (operations) are made for the more base desires founded within the daily sloth of individuals that comprise the management set.

Really.

The thrust of this article is predicated on the idea that many people in positions of management are in fact potentially mentally ill, or show signs of such behavior. I can see some of that, but that is not the case all of the time. This article does not take into account the sloth and greed factors as much as they should be I think on a gross product level within American corporations. Sure there is a lot of greed, but, the closer assessment I have made has been that no one wants to be responsible and would rather just have a “good day” and go home after a solid 7.5 hours of internet surfing.

Other areas of concern would be ineptitude, negligence, lack of capacity for comprehension, and general lacksadazical attitudes on the parts of many where these matters (security/audit) are concerned. These are also backed by the near absolute lack of real follow through by entities to fine and or censure companies that do not comply with regulations and really audit companies well to assure they are doing their part.

So, lacking any real negative re-enforcements, the masses fall into a complacency that allows for such behaviors and feelings of entitlement on the part of managers etc. Also, because of the varying morays of corporations, it is also possible to maximize the behavior because the “manager” is God in the org and can do nothing wrong. If they want that open pipe to the internet to surf YouTube and have a sub standard (and against written corporate policy) password as well as no hard drive encryption to boot, then BY GOD they should have it because they are “management”

In a word, I would say that much of corporate America is “dysfunctional” and needs a good spanking as well as be sent to bed without supper! Or maybe, just maybe some more and REAL oversight in how they do their business should be carried out. Much like we are now seeing with the whole issues with Goldman Sachs and their cavalier attitudes on selling “pure intellectual masturbation” to the masses, thus crashing the economy.

Meh….

On the other hand, were you to take these features into account when you are auditing a company (more to the point penetrating one) then you could use all of these features in your attack. So, remember, always look at not only the threatscape, but also the psy-scape for your openings. Open your ears and take mental notes, because that sub standard password and other breaking of the rules could get you in much further much faster than by having to gain a toehold elsewhere kids.

CoB