Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘CodeWars’ Category

So here’s my thing….

with 3 comments

dark_of_night_OURO

VQX HWMVCUSE JQJFASSNTG QV! X HQ JD ISIAVVE!

Face it.. We are all PWND six ways to Sunday

Every frigging day we hear more and more about how the NSA has been emptying our lives of privacy and subverting the laws of this land and others with their machinations. It’s true, and I have been saying as much since the day Mr. Klein came out of his telco closet and talked about how the NARUS system had been plugged into the MAE West back in the day. We are all well and truly fucked if we want any kind of privacy today kids and we all need to just sit back and think about that.

*ponder ponder ponder*

Ok, I have thought about it and I have tried to think of any way to protect myself from the encroachment of the NSA and all the big and little sisters out there. I am absolutely flummoxed to come up with any cogent means to really and truly protect my communications. Short of having access to the NSA supercloud and some cryptographers I don’t think that we will not truly have any privacy anymore. If you place it on the net, or in the air. We have reached in my opinion the very real possibility of the N-Dystopia I have talked about before in the Great Cyber Game post.

As the pundits like Schneier and others groan on and on about how the NSA is doing all of this to us all I have increasingly felt  the 5 stages of grief. I had the disbelief (ok not completely as you all know but the scope was incredible at each revelation) Then the anger came and washed over me, waves and waves of it as I saw the breadth and scope of the abuse. Soon though that anger went away and I was then feeling the bargaining phase begin. I started to bargain in my head with ideas that I could in fact create my own privacy with crypto and other OPSEC means. I thought I could just deny the government the data. I soon though began to understand that no matter what I did with the tools out there that it was likely they had already been back door’d. This came to be more than the case once the stories came out around how the NSA had been pressuring all kinds of tech companies to weaken standards or even build full back doors into their products under the guise of “National Security”

Over time the revelations have all lead to the inescapable truth that there is nothing really anyone can do to stop the nation state from mining our communications on a technological level. Once that had fully set in my mind the depression kicked in. Of late I have been more quiet online and more depressed about our current state as well as our future state with regard to surveillance and the cyberwarz. I came to the conclusion that no matter the railing and screaming I might do it would mean nothing to the rapidly approaching cyberpocalypse of our own creation arriving. ….In short, we can’t stop it and thus the last of the five stages for me has set in. I accept that there is nothing I can do, nay, nothing “we” can do to stop this short of a bloody coup on the government at large.

I now luxuriate in my apathy and were I to really care any more I would lose my fucking mind.

OPSEC! OPSEC! OPSEC!

Speaking of losing one’s mind.. Lately people all have been yelling that OPSEC is the only way! One (the gruqq) has been touting this and all kinds of counterintelligence as the panacea for the masses on these issues. Well, why? Why should we all have to be spies to just have a little privacy in our lives huh? I mean it’s one thing to be a shithead and just share every fucking stupid idea you have on FriendFace and Tweeter but really, if you can’t shut yourself up that is your problem right? No, I speak of the every day email to your mom telling her about your health status or maybe your decision to come out etc. Why should the government have the eminent domain digitally to look at all that shit now or later?

If you take measures to protect these transactions and those measures are already compromised by the government why then should you even attempt to protect them with overburdened measures such as OPSEC huh? I mean, really if you are that worried about that shit then go talk to someone personally huh? I know, quite the defeatist attitude I have there huh? The reality is that even though I claim not to be caring about it (re: apathy above) I actually do but I realize that we no longer have privacy even if we try to create it for ourselves with technical means. If the gov wants to see your shit they will make a way to do so without your knowing about it. I fully expect someday that they will just claim eminent domain over the internet completely.

Fuck OPSEC.. I want my government to do the right thing and not try to hide all their skirting of the law by making it classified and sending me an NSL that threatens to put me in jail for breaking the law.

Fuck this shit.

CYBERWARZ

Then we have the CYBERWARZ!! Oh yeah, the gubment, the military, and the private sector all have the CYBERWARZ fever. I cannot tell you how sick of that bullshit I am really. I am tired of all the hype and misdirection. Let me clear this up for you all right here and right now. THERE IS NO CYBERWAR! There is only snake oil and espionage. UNTIL such time as there is a full out kinetic war going on where systems have been destroyed or compromised just before tanks roll in or nukes hit us there is no cyberwar to speak of. There is only TALK OF cyber war.. Well more like masturbatory fantasies by the likes of Beitlich et al in reality. So back the fuck off of this shit mmkay? We do not live in the world of William Gibson and NO you are not Johnny Mnemonic ok!

Sick. And. Tired.

I really feel like that Shatner skit where he tells the Trekkies to get a life…

Awaiting the DERPOCALYPSE

All that is left for us all now is the DERPOCALYPSE. This is the end state of INFOSEC to me. We are all going to be co-opted into the cyberwarz and the privacy wars and none of us have a snowball’s chance in hell of doing anything productive with our lives. Some of us are breaking things because we love it. Others are trying to protect “ALL THE THINGS” from the breakers and the people who take their ideas and technologies and begin breaking all those things. It’s a vicious cycle of derp that really has no end. It’s an ouroboros of fail.

RAGE! RAGE! AGAINST THE DYING OF THE PRIVACY! is a nice sentiment but in reality we have no way to completely stop the juggernaut of the NSA and the government kids. We are all just pawns in a larger geopolitical game and we have to accept this. If we choose not to, and many have, then I suggest you gird your loins for the inevitable kick in the balls that you will receive from the government eventually. The same applies for all those companies out there aiding the government in their quest for the panopticon or the cyberwarz. Money talks and there is so much of it in this industry now that there is little to stop it’s abuse as well.

We are well and truly fucked.

So, if you too are feeling burned out by all of this take heart gentle reader. All you need do is just not care anymore. Come, join me in the pool of acceptance. Would you care for a lotus blossom perhaps? It’s all good once you have accepted the truth that there is nothing you can do and that if you do things that might secure you then you are now more of a target. So, do nothing…

Derp.

K.

Malware Wars!… Cyber-Wars!.. Cyber-Espionage-Wars! OH MY

with 2 comments

X

Flame, DuQU, STUXNET, and now GAUSS:

Well, it was bound to happen and it finally did, a third variant of malware that is ostensibly connected to the story that Mikko Hypponen posted about after an email he got from a nuclear scientist in Iran has come to pass as true. The email claimed that a new piece of malware was playing AC/DC “Thunderstruck” at late hours on systems it had infected within the labs in Iran. I took this with a grain of salt and had some discussions with Mikko about it offline, he confirmed that the email came ostensibly from a known quantity in the AEOI and we left it at that, its unsubstantiated. Low and behold a week or two later and here we are with Eugene tweeting to the world that “GAUSS” is out there and has been since about 2011.

Gauss it seems had many functions and some of them are still unknown because there is an encryption around the payload that has yet to be cracked by anyone. Eugene has asked for a crowd sourced solution to that and I am sure that eventually someone will come out with the key and we will once again peer into the mind of these coders with a penchant for science and celestial mechanics. It seems from the data provided thus far from the reverse R&D that it is indeed the same folks doing the work with the same framework and foibles, and thus, it is again easily tied back to the US and Israel (allegedly per the mouthiness of Joe F-Bomb Veep) and that it is once again a weapon against the whole of the middle east with a decided targeting of Lebanon this time around. Which is an interesting target all the more since there has been some interesting financial news of late concerning banks and terror funding, but I digress…

I am sure many of you out there are already familiar with the technology of the malware so I am leaving all of that out here for perhaps another day. No, what I want to talk about is the larger paradigm here concerning the sandbox, espionage, warfare, and the infamous if not poorly named “CyberWar” going on as it becomes more and more apparent in scope. All of which seems to be centered on using massive malware schemes to hoover data as well as pull the trigger when necessary on periodic digital attacks on infrastructure. Something that truly has not been seen before Stuxnet and seems to only have geometrically progressed since Langer et al let the cat out of the bag on it.

Malware Wars:

Generally, in the information security sector, when I explain the prevalence of malware today I often go back to the beginning of the Morris worm. I explain the nature of early virus’ and how they were rather playful. I also explain that once the digital crime area became profitable and firewalls became a standard appliance in the network environment, the bad actors had to pivot to generally tunnel their data from the inside out home through such things as a firewall. This always seems to make sense to those I explain it to and today it is the norm. Malware, and the use of zero day as well as SE exploits to get the user to install software is the the way to go. It’s a form of digital judo really, using the opponents strength against them by finding their fulcrum weakness.

And so, it was only natural that the espionage groups of the world would turn to malware as the main means of gaining access to information that usually would take a human asset and a lot of time. By leveraging human nature and software flaws it has been a big win for some time now. I was actually amused that Henry Crumpton in the “Art of Intelligence” talks about how the CIA became a very early adopter of the network centric style of warfare. I imagine that some of the early malware out there used by spooks to steal from unprotected networks was CIA in origin and in fact that today’s Gauss probably has some relatives out there we have yet to see by people who have been doing this for some time now and we, the general public had no idea.

Times change though, and it seems that Eugene’s infrastructure for collecting data is creating a very wide dragnet for his people to find these infections and then reverse them. As we move forward expect to see more of these pop up, and surely soon, these will not just be US/UK/IL based attempts. Soon I think we will see the outsourced and insourced products of the likes of Iran and other nation states.. Perhaps we already have seen them, well, people like Mikko and Eugene may have at least. Who knows, maybe someday I will find something rooting about my network huh? Suffice to say, that this is just the beginning folks so get used to it.. And get used to seeing Eugene’s face and name popping up all over the place as well.. Superior showman that he is.

An Interesting Week of News About Lebanon and Bankers:

Meanwhile, I think it very telling and interesting as we see the scope of these malware attacks opening up, that not only one or two countries were targeted, but pretty much the whole of the Middle East as well. Seems its an equal opportunity thing, of course the malware never can quite be trusted to stay within the network or systems that it was meant for can we? There will always be spillage and potential for leaks that might tip off the opposition that its there. In the case of Gauss, it seems to have been targeted more at Lebanon, but, it may have been just one state out of a few it was really meant for. In the case of Lebanon though, and the fact that this piece of malware was also set to steal banking data from that area, one has to look on in wonder about the recent events surrounding HSBC.

Obviously this module was meant to be used either to just collect intelligence on banking going on as well as possibly a means to leverage those accounts in ways as yet undetermined by the rest of us. Only the makers and operators really know what the intent was there, but, one can extrapolate a bit. As terror finances go, the Middle East is the hotbed, so any intelligence on movement of money could be used in that light just as well as other ways to track the finances of criminal, geopolitical, and economic decisions being made there. Whether it be corporations or governmental bodies, this kind of intelligence would be highly prized and I can see why they would install that feature on Gauss.

All of this though, so close to the revelations of HSBC has me thinking about what else we might see coming down the pike soon on this front as well. Cur off the funding activities, and you make it much harder to conduct terrorism huh? Keep your eyes open.. You may see some interesting things happening soon, especially given that the Gauss is out of the bag now too. Operations will likely have to roll up a bit quicker.

Espionage vs. Sabotage vs. Overt Warfare of Cyber-Warfare:

Recently I have been working on some presentation stuff with someone on the whole cyberwar paradigm and this week just blew the lid off the whole debate again for me. The question as well as the rancor I have over the term “Cyberwar” has been going on some time now and in this instance as well as Stuxnet and Flame and DuQu, can we term it as cyberwar? Is this instead solely espionage? What about the elements of sabotage we saw in Stuxnet that caused actual kinetic reactions? Is that cyberwar? If there is no real war declared what do you term it other than sabotage within the confines of espionage and statecraft?

Then there is the whole issue of the use of “Cold War” to describe the whole effect of these operations. Now we have a possible cold war between those states like Iran who are now coding their own malware to attack our systems and to sabotage things to make our lives harder. Is that a war? A type of war? All of these questions are being bandied about all the while we are obviously prosecuting said war in theater as I write this. I personally am at a loss to say exactly what it is or what to term it really. Neither does the DoD at this point as they are still working on doctrine to put out there for the warriors to follow. Is there a need for prosecuting this war? It would seem that the US and others working with them seem to think so. I for one can understand the desire to and the hubris to actually do it.

Hubris though, has a funny way of coming back on you in spectacular blowback. This is my greatest fear and seemingly others, however, we still have a country and a government that is flailing about *cough the Senate cough* unable to do anything constructive to protect our own infrastructure even at a low level. So, i would think twice about the scenarios of actually leaking statements of “we did it” so quickly even if you perceive that the opposition has no current ability to strike back.. Cuz soon enough they will. It certainly won’t be a grand scale attack on our grid or telco when it does happen, but, we will likely see pockets of trouble and Iran or others will pop up with a smile, waving, and saying “HA HA!” when it does occur.

The Sandbox and The Wars We Are Prosecuting There by Malware Proxy:

Back to the Middle East though… We have been entrenched in there for so so long. Growing up I regularly watched the news reports about Lebanon and Israel, Iran and the hostages, Iraq, Saddam, Russian Proxy wars via terrorism, Ghadaffi and his ambitions as well as terror plots (which also hit close to home with the Lockerbee bombing) You kids today might think this is all new, but let me tell you, this has been going on for a long long time. One might even say thousands of years (Mecca anyone? Crusades?) So, it’s little wonder then that this would all be focused on the Med.

We are conducting proxy wars not only because of 9/11 but also economic and energy reasons as well. You want a good taste of that? Take a look at “Three Days of the Condor” a movie about a fictional “reader” for the CIA who stumbles on to a plan to disrupt governments in the Middle East to affect oil prices and access. For every person that said the Iraq war and Afghanistan wasn’t about oil, I say to them look at the bigger picture. There are echoes there of control and access that you cannot ignore. Frankly, if there wasn’t oil and money in the region, I think we would have quite a different story to look on as regards our implementing our forces there.

So, with that in mind, and with terrorism and nuclear ambitions (Iran) look at the malware targeting going on. Look at all of the nascent “Arab Springs” going on (albeit really, these are not springs, these are uprisings) we have peoples who want not to live under oppressive regimes not just because they aren’t free to buy an iPhone or surf porn, but they are also oppressed tribes or sects that no longer wish to be abused. All of this though, all of the fighting and insurgency upsets the very delicate balance that is the Middle East. Something that we in the US for our part, have been trying to cultivate (stability) even if that stability came from another strongman that we really don’t care for, but, who will work with us in trade and positional relevance to other states.

In goes the malware.. Not only to see what’s going on, but also to stop things from happening. These areas can be notoriously hard to have HUMINT in and its just easier to send in malware and rely on human nature to have a larger boon in intelligence than to try and recruit people to spy. It’s as simple as that. Hear that sucking sound? That’s all their data going to a server in Virginia. In the eyes of the services and the government, this is clearly the rights means to the ends they desire.

We Have Many Tigers by The Tail and I Expect Blowback:

Like I said before though, blowback has a nasty habit of boomeranging and here we have multiple states to deal with. Sure, not all of them has the ability to strike back at us in kind, but, as you have seen in Bulgaria, the Iranians just decided to go with their usual Hezbollah proxy war of terrorism. Others may do the same, or, they may bide their time and start hiring coders on the internet. Maybe they will hire out of Russia, or China perhaps. Hell, it’s all for sale now in the net right? The problem overall is that since we claimed the Iran attack at Natanz, we now are not only the big boy on the block, we are now the go to to be blamed for anything. Even if we say we didn’t do it, who’s gonna really believe us?

The cyber-genie is out of the cyber-bottle.

Then, this week we saw something new occur. A PSYOP, albeit a bad one, was perpetrated by the Assad regime it seems. Reuters was hacked and stories tweeted/placed on the net about how the rebel forces in Aleppo had cut and run. It was an interesting idea, but, it was ineffective for a number of reasons. The crux though is that Reuters saw it and immediately said it was false. So, no one really believed the stories. However, a more subtle approach at PSYOPS or DISINFO campaigns is likely in the offing for the near future I’d think. Surely we have been doing this for a while against them, whether it be in the news cycles or more subtle sock puppets online in social media sites like Twitter or Facebook. The US has been doing this for a long time and is well practiced. Syria though, not so much.

I have mentioned the other events above, but here are some links to stories for you to read up on it…

  • PSYOPS Operations by the nascent Syrian cyber warfare units on Reuters
  • Hezbollah’s attack in Bulgaria (bus bombing) in response to STUXNET and other machinations
  • Ostensible output of INTEL from Gauss that may have gotten HSBC in trouble and others to come (Terrorism funding and money laundering)

All in all though, I’d have to say that once the players become more sophisticated, we may in fact see some attacks against us that might work. Albeit those attacks will not be the “Cyber Pearl Harbor” that Dr. Cyberlove would like you to be afraid of. Politically too, there will be blowback from the Middle East now. I am sure that even after Wikileaks cables dump, the governments of the Med thought at least they could foresee what the US was up to and have a modicum of statecraft occur. Now though, I think we have pissed in the pool a bit too much and only have ourselves to blame with the shit hits the fan and we don’t have that many friends any more to rely on.

It’s a delicate balance.. #shutupeugene

Pandora’s Box Has Been Opened:

In the end, we have opened Pandora’s box and there is no way to get that which has escaped back into it. We have given the weapon framework away due to the nature of the carrier. Even if Gauss is encrypted, it will be broken and then what? Unlike traditional weapons that destroy themselves, the malware we have sent can be easily reverse engineered. It will give ideas to those wishing to create better versions and they will be turned on us in targeted and wide fashions to wreak as much digital havoc as possible. Unfortunately, you and I my friends are the collateral damage here, as we all depend on the systems that these types of malware insert themselves into and manipulate.

It is certainly evident as I stated above, our government here in the US is unable to come up with reasonable means to protect our systems. Systems that they do not own, Hell, the internet itself is not a government run or owned entity either, and yet they want to have an executive ability to shut it down? This alone shows you the problem of their thinking processes. They then decide to open the box and release the malware genie anyway… It’s all kind of scary when you think about it. If this is hard to concieve, lets put it in terms of biological weapons.. Weapons systems that have been banned since Nixon was in office.

The allusion should be quite easy to understand. Especially since malware was originally termed “Virus” There is a direct analogy there. Anyway, here’s the crux of it all. Just like bioweapons, digital “bioware” for lack of a better term, also cannot be controlled once let into the environment. Things mutate, whether at the hand of people or systems, things will not be contained within the intended victims. They will escape (as did all the malware we have seen) and will tend to have unforeseen consequences. God forbid we start really working on polymorphics again huh? If the circumstances are right, then, we could have a problem.

Will we eventually have to have another treaty ban on malware of this kind?

Time will tell.. Until then, we all will just be along for the cyberwar ride I guess. We seem to be steadily marching toward the “cyberwar” everyone is talking about… determined really to prosecute it… But will it get us anywhere?

K.

Defcon Grows Up and Gets Recruited As An Asset…

with 3 comments

I came to Defcon this year as it turned 20 and after much had changed on the world stage regarding our business (INFOSEC/Pentesting/Dev/SECOPS) much remained the same. What has really changed though, and could be seen at this anniversary year was just how much our antics and interests were now the new “hotness” to the government and the military. Never before had the NSA had a booth at our conference but this year, they were there with recruiting in mind and that is a big change.

However, you may be saying to yourself right about now “Uhh, but, this has been going on a while, not just now” Well, yes, it has, but, what I have noticed this last con was that it’s not all about the tech, this year, it was also recruitment of human assets who would give “intelligence” to the players like NSA. No more are they just looking for programs and programmers, but also seeking out to make connections with people who have connections. You see, as Shawn Henry said as well as General Alexnder, “we need you to keep an eye out and tell us if you see something” What I heard was the equivalent of “if you see something say something” that the TSA has plastered at airports.

This is an important paradigm that we all need to be aware of. With the advent of Anonymous and Stuxnet as well as the nascent idea of the internet becoming a “digital nation state” we all have to be mindful that while the technologies out there are a commodity, so too are we in the great game of cold war intelligence and cyber war. We are the commodity that makes the new exploit as well as being the HUMINT asset that intelligence agencies need to “collect” with.

Now, while you are pondering that, consider the fact that the “opposition” is also trying to curry favor and recruit us as well…

Yup, that’s right. That party you might be attending might in fact have operators from other countries clandestine services too. In fact, that party could even be funded by said agencies and players to get you to chat and perhaps leak meaningful information. Think about it, how many of you out there reading this post work for fortune 500 companies as security technicians? What kind of data is in your head that might be of use to a foreign operative?

Ponder that as you sip that free drink late in the day. Say, did you know that the Chinese most preferable means to gaining intel with visiting professors and the like, is to have them over tired and tipsy? It’s true, it’s low level but its been used on many an occasion. You see, once you start talking, then you open the door for more rapport building, and then it’s pretty much over. One wonders how many Los Alamos folks had the same treatment on trips to China. Now think about the average Defcon party and the amount of alcohol and sleep deprivation we have going on there.

Just sayin…

So, look at it from that perspective. Now the NSA has come to the con just as the FBI and other agencies and security bodies so too will the “other guys” I don’t know how many of you out there come from military or “other” backgrounds where you will have a DSS or counterintelligence training,but, I am assuming that a vast majority of the folks attending the cons today do not have that background, especially the younger ones who’s only been in the security arena a short time. Pentesters who know SE should be able to easily detect some of the techniques used to recruit an asset, and tease out information.. Others, maybe not so much.

So here we are today, APT (Yes China being one purveyor of APT attacks) are not only using malware to get into systems but also recruiting sources to help them in their goals. Used to be a time that it really only was the nuclear scientists getting the attention… Today though, everything is game, you might make widgets, but that doesn’t mean that someone doesn’t want to know what you know.

Pssst… It’s still espionage kids… And now YOU are part of it because you hold interesting information.

How’s that for some “Threat Intelligence” huh?

Which brings me to the second line of thinking or topic that came up this year. The government is asking us to consider more “threat intelligence” and to bring them in on the loop. See, right there, they are asking you to be an asset.. Did that occur to you? Of course I know for the most part you all thought, as I did too, that the idea was a bit silly.

Why?

Because who really has that kind of threat intel program going on today? Hell, we are all pretty much trying to just keep our shit together right? On average, unless you work for a major company,you may not even have an SIEM or even snort instance right? How are you going to convince your employer that you need that stuff and then more so, to pass that intel to the government? The only groups I have known to do this are the DIB partners, and they do it because they don’t want to lose contracts for the military.

So now, we would all be assets? All corporations out there, whether they are being attacked by APT or Anonymous, would be reporting their incursions or attempts at them to the government? That’s kinda spooky really. This also circles back nicely to the idea that we all now, all of us in the INFOSEC community are now collection nodes for SIGINT/HUMINT/MASINT/ELINT and not many of us have had the training to be analysts.

You see, when you use the words “Threat Intelligence” this has some context that some may not get right away. It’s not just what IP is hitting us and with what attacks anymore.. It’s about the context around all of that and the attribution that is needed for cyber warfare, or more likely, cyber intelligence operations. I expect to see a lot more of this lobbying going on at all of the cons as well as more people sidling up to the attendee’s and asking “so, what’s going on out there?”

For those of you not acquainted with HUMINT and it’s techniques, I suggest you read “The Art Of Intelligence” By Henry Crump and learn… Why? Because that guy you’re talking to at the cool party might just be a PRC case officer…

Interesting times….

K.

Tweeting Cyberwar and Other Ridiculous Ideas

leave a comment »

The “Benefits” of Cyber War?

Something has been sticking in my craw lately and, like a grain of sand in the gullet of an oyster, it has finally matured into a pearl of… Well, not wisdom as much as bilious hate, but I do hope that it does enlighten some and denounce others for their vulgar stupidity. As you can see from the image above, the grain of sand that started this came from our pal Richard Bejtlich over at Mandiant. I have often found his diatribes to be products of the “echo chamber of secrets” that he lives in, but now it seems that his pathology is beacon-ing straight out of his nether regions and leaking onto his Twitter feed…and it seems he is fresh out of depends undergarments.

The quote on the “benefits” of cyber-war is completely out of whack and I would like to point you all in the direction of the fallacy of his train of thought. Richard, it’s not about how many are alive today because we used a stalling tactic cum sabotage against their nuclear program, it’s about us actually doing this and opening Pandora’s box on ALL of us because we did so without really thinking about it. THAT’s the issue you fail to grasp and it is something that you and many more like you in the “establishment” fail to get. So, no, we did not bomb the facility, but neither did we forestall the Iranian efforts to the point of dissuading them from carrying on, nor actually conceive of the idea that they would redouble their efforts post the attack. We poked the badger and now it’s pissed AND has the same weapon we used on them to RE-USE against us.

Nice.

Of course, I am not advocating the idea that this type of activity should just be verboten and that we should eschew such things. No, I agree in the use of the technology and the ends that we had in mind. No, what I disagree with now is that it’s being used as a cudgel in an election cycle and has turned into a FUD parade bigger than any ever seen before. It seems that the movers and shakers out there in Washington got new toys that they just had to play with and then brag about, at least that’s my perception. Of course then they have their rah rah guys like ol’ Tao here saying something to the effect that it’s a clean and precise warfare.

No, it’s not.

Tell That To The Iranian Physicists and Their Families

So Rich, how many lives were saved? How many were lost here should be the question. I can remember at least 3 Iranian scientists who went kaboom during and after the Stuxnet attacks. I also know I have heard of other people, including CIA assets that are missing and presumed killed who may also have had something to do with the operation in Natanz. So, it’s not really a clean warfare is it? In fact, lets expand on this and think about the FUD factors being talked about in the Congress and in general where “Cyber-War” is concerned. The fear is that when the shit goes down because someone inserted a worm into say the grid, then people start dying. Sure, they would likely be people in hospitals who are really sick, aka the sick and the aged, but hey, those are just collateral damages right?

No war is clean, no war is precise, and as we are seeing from all accounts even with drones, there will ALWAYS be collateral damage. So don’t blow sunshine up our collective asses on this one Richard. The fact is, this one could be really bad for many people if the situations are right and, by my estimation, will always have some portion of actual deaths attached to them because of blowback. Of course, all of this talk depends on whether or not you buy into the idea of this activity actually being “war’ in the traditional sense of the word. Like I said before, we are not even sure what “cyber-war” is nor have we really created rules and doctrine around it. So, let’s not go and minimize the issue by saying “gee, look how many lives we saved by not bombing the shit out of them!” The effects of the sabotage politically as well as what reprisals Iran might be thinking about or acting upon are not fully realized yet so it’s a bit early to start the spin there Rich.

Monkeys With Digital Guns

I have said this before and I am saying it again, we are just monkeys with digital guns. Fools with tools really. I am afraid of the level of hubris here and frankly feel that it’s almost time to just become a Luddite. At least Luddites won’t be compromised by their toasters because China made malware to p0wn us all. I really feel like Taylor, standing before the wreckage of the Statue of Liberty, yelling as Nova looks on like “Holy WTF?”

YOU MANIACS! YOU BLEW IT UP! OH, DAMN YOU! GODDAMN YOU ALL TO HELL!

How about we all take a step back and ponder what we have done? Lets look at the repercussions as well as the current state of our own systems before we move ahead at full steam?

What? The Pentagon is advertising for black hats?

Fuuuuuck…

Well, guess time will tell what the first “great cyberwar” will bring. Could be a lot of nothing.. Could be some indigestion… Could be a collective fart… Much like the fart that I consider the tweet that started this whole diatribe. Start digging your trenches kids, the digital mustard gas is next.

K.

Written by Krypt3ia

2012/06/19 at 15:18

Paper Tigers… Aren’t We All?

leave a comment »

Paper Tigers.. Paper Cuts…

A recent post that echo’s others that I have seen in the not so distant past makes a claim that China is about 13th on the preparedness scale for cyber warfare. Now, you may be thinking;

“But Krypt3ia, the news and you have said they are cleaning our clocks and stealin our data!”

Well, yes.. yes they are. However, they may not in fact be number one in “defense” in this sphere as well. Now, I am not saying they are 13th and the article does call into question the methods of gathering data and the questions asked to make this statement (China being 13th most prepared) but, still, they are at 13 here. I personally don’t ascribe to this litmus test that the survey purports to show on the state of affairs in China or anywhere else where cyber strategy is concerned.

After all.. If they asked China or anywhere else, do you REALLY think they are going to give you the God’s honest truth about their programs and readiness?

Duh.

Offense vs. Defense

Lets flip that bit too and think about offense vs. defense here. After all, it is sexier to be offense and easier right? So, how do you really correlate this “study” in any way between the extreme success that China has had with regard to cleaning our digital clock in relation to China’s own defensive posture? One does not really require that the other be commensurate really, and this is a flaw in the logic of the whole story for me. In fact, it is because we here in the US and other countries were so ill prepared for defense on this playing field really, that the Chinese have been so effective at APT types of attacks against us. It has been said in the past, and I would agree, that not all of the attacks from China have been sophisticated…

Because they did not need to be. That’s just how piss poor security has been here.

So, a concerted effort by a cabal of patriotic hackers (assets such as the Green Army) and other spook run operations (corporate/mil/gov) have been successful at ex-filtrating data from our servers here in the West. They used various methods both exotic and not, but the key to this is that they made a “concerted effort” They had operational plans, assets, and patience. All of these things are much more directed and focused than being on the defensive end of the equation. Add to this the fact that defense has been so poorly thought acted upon until now, it becomes clear why the greater story heard here is that of the offense winning the day.

On average, the common corporation has only seen security (up til now in the age of Lulz) as a cost center and because humans lack the ability to sense long term threats well (my contention) we have had a dearth of concern over the security posture of things other than saying “We have a firewall.. it’s all good” In short, because of our lack of forward thinking collectively, we have allowed this scenario to play out until such time as forces outside of the norm have forced us to pay attention…

Something akin to the panther leaping from the tree that we heard growling but decided that it was up to far to jump on us….

We have made our own beds and now, with this study, we see that a majority of the countries out there are not ready for prime time.. And those who are, are likely lying quite a bit about their readiness.

Studies With Subjective Questions and Results

Meanwhile, the “researchers” out there are making faulty suppositions using data that should not be trusted because it cannot be empirically validated. It makes me crazy to see this kind of claptrap being touted on the interent and in the news as fact, though this report did call this into question (yay them!) However, this does not stop others from doing just as shoddy work and then making great claims about how China may in fact be less of a threat because they are not as prepared on defense.

Bollocks.

China, Russia, Israel etc etc are all key players in the espionage world which now includes the 5th battlespace of information warfare carried out on the internet and within computer networks. To think anything else because someone asked them just how prepared “they” were for “cyberwar” is just appallingly stupid. From now on people, if you see these types of reports or studies, do try to think critically about the datum that is being presented.

A Brave New World

It’s a brave new world out there. We are in the age of Lulz and “cyberwar” *booga booga booga* all things that we really do not collectively have a firm grasp on as import and repercussions. There is so much going on between the Anonymous/Antisec/Anarchy as well as the manipulation of them by the likes of China and other world powers that you really need a primer to understand just what is really going on. Even then, its all so internecine and confused at times that you never really will likely have a clue of the real truth.. Ever.

We are at the cusp of so much that could go so horribly wrong and we unfortunately have people in charge who are ill equipped to understand and deal with it in our government(s) You all have seen my screeds a thousand times about all of this so you all know too. All I can really say is try and protect your little piece of digital landscape..

That’s all you can do really.

If the archology of the internet is going to be beset by crackers, spies and villains, well, there isn’t much you can do about it. Certainly not trust the government or the corporations to do the right thing.. Or even really know what to do.

You Know Who You Should Fear? Coders…

Nope, all in all, I would have to say in the end is that you need to fear the coders. The coders and the companies that they work for that are creating vulnerable software. Of course all software I think is potentially vulnerable, but, it seems that the standards out there are not being adhered to. We could be coding more securely and more keenly in the sense of not having Turing machine programs out there available to subversion but, we just aren’t there yet collectively to understand this and stop it.

The genie is out of the bottle.. No way to get it back in… We will die in the end from a thousand paper cuts…

Get your lemons out and enjoy the burn…

K.

 

Written by Krypt3ia

2012/02/09 at 21:49

The Hezbullah Cyber Army: War In HYPERSPACE!

with one comment

WAR! in HYPERSPACE: The Cyber Jihad!

A day or so ago, a story came out and made the rounds on the INFOSEC-O-Sphere about the Hezbullah Cyber Army The story, which was cub titled “Iranian Terror” was titled  “Iranian Cyber-Jihadi Cells in America plot Destruction on the Net and in Reality” Which, would get all our collective attentions right? The story goes on to tell about the newly formed Cyber Army that will be waging all out war on the US and others in “Hyperspace”

Yes, that’s right, you read that correctly.. This guy Abbasi is either trying to be clever, or, this is some bad translation. Sooo… Hyperspace it is! Well, I have a new tag line for him…

“In hyperspace.. No one can hear you giggle”

At any rate, the whole idea of a Cyber Jihad or a Cyber Hizbullah is a notion that should not just be sloughed off as rhetoric. I do think that if the VEVAK are involved (and they would want a hand in this I am sure) they could in fact get some real talent and reign in the ranks to do some real damage down the road a piece I think. So, while I may be a little tongue in cheek here at the start of this post, I want you all to consider our current threatscape (*cough* SCADA etc) and consider the amount of nuisance they could be if they made a concerted effort with the likes of the HCARMY.

So, yeah, this could be an interesting development and it is surely one to keep our eyes on collectively… But.. Don’t exactly fear for your lives here ok? After all, my opinion still applies that the bugaboo of scada does not easily fit into the so called  cyberwar unless it is effectively carried out with kinetic attacks and a lot of effort. Nope, if the HCA is going to do anything at all, it will be on the playing field of the following special warfare fronts;

  1. PSYOPS
  2. DISINFORMATION (PSYOPS)
  3. Support of terrorism (Hezbullah and others)
  4. INTEL OPS
These are the primary things I can see their being good at or being pawns of the VEVAK for.
So.. Sleep well for now because really all you have to truly worry about is that they are going to deface your page it seems (see picture at the top of the post)

Interview by IRNA with HCA

More than anything else though at the moment, the whole revealing of the HCA is more a publicity stunt than much else I think. For all of the talk in the US and other countries about mounting their own “Cyber Militia’s” it seems that Iran and Hezbullah wanted to get in on the ground floor..

Oh… Wait..

They forgot about the PLA and the Water Army!

DOH!

Oh well, sorry guys… Guess you will have to keep playing on that whole “HYPERSPACE WAR” angle to get your headlines huh? Besides, really, how much street cred is an organization like this anyway? So far I have been poking around all of their sites and find nothing (links or files) that would he helpful in teaching their “army” how to hack.

My guess.. This is kinda like putting out the inflatable tanks and planes for the Germans to bomb in place of the real ones.

The "About" Statement on HCA

Now.. Before You All Go Off Half Cocked (That means you Mass Media)

Meanwhile, I have seen the story that I linked up top scrawled all over the digital wall that is Twitter these last couple days. I am sure with everything that has been going on in Iran of late (i.e. the tendency for their bases to explode lately as well as their pulling another takeover of a consulate as well as spy roll ups) the media is salivating on this story because its juicy. It has it all really…

Cyberwar (hate that term)

HYPERSPACE!

Espionage

BOOGA BOOGA BOOGA We’re gonna activate our hackers inside your borders and attack your SCADA’s!

What’s the media not to love there?

HCA's YouTube Page Started in September

Well, let me set you all straight. This is piffle. This is Iran posturing and the proof thus far has been they have defaced a couple of sites with their logo.

THE HORROR!

This group has not even reached Anonymous standards yet! So relax.. Sit back… Watch the show. I am sure it will quickly devolve into an episode of the keystone cops really. They will make more propaganda videos for their YouTube, create a new Twitter account, and post more of their escapades on their two Facebook pages to let us all know when they have defaced another page!

… Because no one will notice unless they let us know…

Just The Persian Facts Ma’am

The real aegis here seems to be shown within the “about” statement for the group. Their primary goals seem to be to attack everyone who does not believe in their moral and religious doctrine. A translation of the statement rattles on about how the West are all foul non believers and that we are “pompous” Which really, kinda makes me think that the Iranian people, or at least this particular group, has a real inferiority complex going. More so though, it seems from the statement that they intend more of a propaganda and moral war against the west and anyone else they see fit than any kind of real threatening militant movement.

You know.. Like AQAP or AQ proper.. Or Jamaa Islamiya.

This is an ideological war and a weak rallying cry by a group funded by a government in its waning years trying to hold on to the digital snake that they cannot control forever. Frankly, I think that they are just going to run around defacing sites, claiming small victories, and trying to win over the real hackers within their country to their side of the issue.

Which… Well, I don’t think will play well. You see, for the most part, the younger set who know how to hack, already bypass the governments machinations and are a fair bit more cosmopolitan. Sorry Mamhoud, but the digital cat is already out of the bag and your recognition of this is too late. How long til the Arab Spring reaches into the heart of Tehran and all those would be hackers decide to work against you and your moral jihad?

Be afraid Mamhoud… khomeini…

All you really have is control temporarily.. You just have yet to realize it.

Tensions In The Region: Spooks & The Holiday Known as KABOOM

Now, back to the region and its current travails. I can see why this group was formed and rolled out in IRNA etc. Seems to me even with the roll up of the CIA operations there in Iran you guys still are being besot with problems that tend to explode.

  • Wayward Trojan drones filled with plastique
  • Nuclear scientists who are either being blown up or shot in the streets
  • Nuclear facilities becoming riddled with malware that eats your centrifuges.
You guys have it tough right now.
Let me clue you guys in on something… If you weren’t such a repressive and malignant regime, we might work with you on your nuclear programs to power your country. But, unfortunately, you guys are FUCKING NUTS! So, we keep having to blow your plans to shit (we as in the rest of the world other than say North Korea that is) because we are all concerned you just want a bomb. Why do you want that bomb? So you can lord it over the rest of us and use it as a cudgel to dismantle Israel say.. Or maybe to just out and out lob it over the border.
You are untrustworthy.
Oh well.. Yes we all have played games there and I agree some shit was bad. The whole Shah thing.. Our bad… Get over it.
I suspect that the reason why all of these bad things are happening to you now though sits in the PDB on the presidents desk or maybe in a secret IAEA report that says you guys are close to having a nuclear device. You keep claiming that you are just looking to use nuclear power peacefully… But then you let Mamhoud open his mouth again and shit just comes right out.
Until you guys at least try to work with others and not repress your people as much.. Expect more KABOOM.

What You Should Really Worry About From All of This

My real fear though in all of this hoo ha out of the HCA is that VEVAK and Hezbullah will see fit to work with the other terrorist groups out there to make a reality of this whole “Cyber Jihad” thing. One of these factors might in fact be the embracing of AQ a bit more and egging them on in their own cyber jihad. So far the AQ kids have been behind on this but if you give them ideas AND support, then we have a problem I think. The ideal of hit and run terror attacks on infrastructure that the government and those in the INFOSEC community who have been wringing their hands over might come to pass.

HCA Propaganda Fixating on OWS

If the propaganda war heats up and gains traction, this could embolden others and with the support of Hezbullah (Iran) they could “try” to make another Anonymous style movement. Albeit I don’t think that they will be motivated as much by the moral and religious aspects that HCA puts out there as dictum. Maybe though, they will have the gravitational force enough to spin all of this off into the other jihadist movements.

“The enemy of my enemy is my friend”

If the HCA does pull off any real hacks though (say on infrastructure) then indeed they will get the attention they seek and more than likely give the idea to other movements out there to do the same.

AND that is what worries me.

Cinch Up That Seatbelt… It’s Gonna Be A Bumpy Ride

Finally, I think that things are just getting started in Iran and its about to  get interesting. With all of the operations that seem to be going on in spook world (please don’t use PIZZA as a code word again mmkay?) and the Israeli’s feeling pressured by Tehran’s nuclear ambitions and rhetoric, I suspect something is about to give way. Add to this the chicken-hawks who want to be president (Herman I wanna touch your monkey) Caine and the others who have so recently been posturing like prima donna models on a runway over Iran and we have a disaster to come.

Oh.. and Bachmann.. *Shudder* Please remove her from the Intelligence committe!! That whole Pakistani nuclear AQ attacks thing was sooo not right!

PSSSSST BACHMANN they’re called SECRETS! (or, for your impaired and illiterate self SEKRETS) STFU ok?

OH.. Too late, now NATO is attacking into Pakistan…

It looks to me like the whole middle east is about to erupt like a pregnant festering boil and we are the nurse with the needs who has to pop it and duck.

So.. Uh yeah, sorry, got carried away there… I guess the take away is this; When you look at all the other stuff going on there, this alleged cyber army is laughable.

Yuk yuk yuk… You’re killin me Ahmed!

K.

China’s cyber-warfare capabilities are ‘fairly rudimentary’… What is it with these crazy Australians?

with 5 comments


Conclusions
Chinese strategists are quite aware of their own deficiencies and
vulnerabilities with respect to cyber-warfare. In June 2000, “a series of high-
technology combat exercises” being conducted by the PLA “had to be
92 suspended” when they were attacked by “a computer hacker”.

China‟s telecommunications technicians were impotent against the intermittent
hijacking of the Sinosat-1 national communications satellite by Falun Gong
„practitioners‟ in the early 2000s. China‟s demonstrated offensive cyber-
warfare capabilities are fairly rudimentary. Chinese hackers have been able
to easily orchestrate sufficient simultaneous „pings‟ to crash selected Web
servers (i.e., Denial-of-Service attacks). They have been able to penetrate
Web-sites and deface them, erase data from them, and post different
information on them (such as propaganda slogans). And they have
developed various fairly simple viruses for spreading by e-mails to disable
targeted computer systems, as well as Trojan Horse programs insertible by
e-mails to steal information from them. However, they have evinced little
proficiency with more sophisticated hacking techniques.

The viruses and Trojan Horses they have used have been fairly easy to detect and remove
before any damage has been done or data stolen. There is no evidence that
China‟s cyber-warriors can penetrate highly secure networks or covertly
steal or falsify critical data. They would be unable to systematically cripple
selected command and control, air defence and intelligence networks and
databases of advanced adversaries, or to conduct deception operations by
secretly manipulating the data in these networks. The gap between the
sophistication of the anti-virus and network security programs available to
China‟s cyber-warriors as compared to those of their counterparts in the
more open, advanced IT societies, is immense. China‟s cyber-warfare
authorities must despair at the breadth and depth of modern digital
information and communications systems and technical expertise available
to their adversaries.

China is condemned to inferiority in IW capabilities for probably several
decades. At best, it can employ asymmetric strategies designed to exploit
the (perhaps relatively greater) dependence on IT by their potential
adversaries—both the C ISREW elements of adversary military forces and
the vital telecommunications and computer systems in the adversary’s
homelands. In particular, attacks on US information systems relating to
military command and control, transportation and logistics could “possibly
degrade or delay U.S. force mobilisation in a time-dependent scenario”, such
as US intervention in a military conflict in the Taiwan Straits.

China‟s cyber-warfare capabilities are very destructive, but could not compete in
extended scenarios of sophisticated IW operations. In other words, they
function best when used pre-emptively, as the PLA now practices in its exercises.

In sum, the extensive Chinese IW capabilities, and the
possibilities for asymmetric strategies, are only potent if employed first.

Desmond Ball: China’s Cyber Warfare Capabilities


Oh Desmond…

Desmond, Desmond, Desmond… You spend so much time pointing out all of the Honker Union activities, the malware created by China, and all their overall IW/Espionage activities and then you say;

“Well, because there’s no real proof of their actually having done anything, they are unable to do so”

*blink blink*

Crikey! Have you been sipping what Dr. Wright has been drinking or what? Tell me Desmond, what is your classification rating? Because I think you are lacking some pertinent information that might change your hypothesis quite a bit. Either way, your contention is lacking understanding of the playing field I think, so let me enlighten you a bit ok?

Rudimentary? Really?

I personally have heard of “on the fly” coding of malware to affect pertinent systems within a defense contractor network to not only keep access within said network, but, also to exfiltrate even more interesting data. Now, that sounds rather advanced to me..

How about you?

Sure, the coders could have been just about anyone, but, the data was being exfiltrated to areas that were in the Asia Pacific and more than likely were Chinese in origin so, yeah, it likely was them and not say, Germany. However, once again, we have no real proof of it being “solely” China. Oddly enough though, when data was caught in the hands of the Chinese we pretty much had to admit it was them doing it. So, no Desmond, they are not wholly unskilled and certainly as unsophisticated as you would paint them. This is just one instance of access and hacking that allowed for the APT (Advanced Persistent Threat) activity that, well Desmond, was coined for their activities against the defense industrial base here in the US.

Simply Desmond, you can cite all the articles from the internet you want.. You still won’t have the whole picture.

PSSST… Guess What?

So, to move this further along the philosophical and technical path for you let me explain it another way for you. The Chinese, as with most of the Asiatic countries, have a different perspective on things than we in the West. Something core to the Chinese mindset on warfare are the following:

The Chinese do not have a goal of outright cyber warfare with us. In fact, they would use the subterfuge angle you speak of by leaving trap doors in software and hardware, which they have done in the past (and have been caught) However, more than likely, they would use the supply chain that we have allowed them to become the lions share of via outsourcing of cheap parts/labor to infiltrate our systems with bad chips or said same back doors. Why do you think we spend so much time (the military) checking everything that we get for the government/mil from China?
Soft power Desmond would dictate that they use the thousand grains of sand to not only steal our IP but also use the technology and our dependence on their cheap rates to insert bad data/systems/hardware into our own infrastructure for them to call up when needed to fail. This is not to say that they do not also have operators who have inserted code into other systems remotely to late be used when needed as well.
Simply Desmond, you don’t see the whole picture and its rather sad that you go on to make such defined claims. The simple truth is that the Chinese don’t need to attack us pre-emptively. They have been undermining us (US) for a very long time as we sell out to them for cheap goods. and services. THIS is soft power. They now sit in the catbird seat in many ways financially (though yes, they could lose much by us defaulting) however, from the soft power perspective, they hold the upper hand. A coup de grace would be to take down military systems were we to get uppity about Taiwan.. but really, are we in a position to do so after being wholly owned by them and their capital?
Desmond.. It’s not so much Red Dawn as it is “They Live” if you are into movie references.

網絡戰 !!!

Alrighty, now that I have gotten that off my chest, Cyberwar is to me, too hard to carry out for ANY of the countries out there now. China being only one country that might want to. The systems are too disparate and to control a single node would take great effort. So, yes, I can agree with you that they are not in a position to do us major damage from a CYBERWAR booga booga booga perspective. Frankly, no one could in my opinion. However, your contention that they could not insert bad data during a time of war is a load of crap.

ANYONE could IF they had the access and the desire. It would not need to be nation state, it could be a private citizen for that matter. What is more interesting Desmond is that you fail to understand the espionage angle here. The Chinese use their expat’s to do their bidding under threat, or, mostly under the “poor poor China” argument. Imagine an insider adding code to systems that could be triggered…

Yeah.. Soft power once again.. It could turn hard though with the right circumstances.

Once again Desmond, you think too one dimension-ally.

The Sad Truth…

Now, with all of that said, lets turn it around a bit. The saddest truth is this;

“Given all of what has happened recently with Lulzsec, it has become clear that it does not take an uber hacker to take down pretty much anyone”

The systems out there have not been protected well enough. Patching, and secure coding have not been at the fore here and thus it is trivial for the most part to hack into systems throughout the internet. So, the Chinese need not be uber haxx0rs to do the damage needed because we collectively have done a bad job at securing our own networks.

*sadface*

Once again, you fail to look at the problem from a more multidimensional angle.

Please go back to the drawing board Desmond because you lack the proper information and perspective to really make the claims you are making.

K.

The Son of Stuxnet… Methinks The Cart Be Before Ye Horse

with 2 comments

My dear dear lord,
The purest treasure mortal times afford
Is spotless reputation—that away,
Men are but gilded loam, or painted clay.
A jewel in a ten-times barr’d-up chest
Is a bold spirit in a loyal breast.

Mowbray, Richard II Act 1 Scene 1

 

 

As fate would have it, today I saw a tweet that said Symantec had a paper coming out on “Stuxnet II” I surfed on over and read the document and what I was left with was this;

“We rushed to judgement here and wanted to get this out to get attention before anyone else did.. Here’s STUXNET REDUX!”

Now, sure, the code base appears to be Stuxnet’s and yes, there are similarities because of this, however, calling this Stuxnet Redux or “Son of Stuxnet” is just a way of patently seeking attention through tabloid style assumptions put on the Internet. Let me pick this apart a bit and you decide…

Code Bases and Re-Tasking

So ok, the coders seemed to have access to the FULL source of Stuxnet. It has been out there a while and surely some people in the world of “APT” have had access to this. It’s not like it was some modified version of Ebola kept at Sverdlosk at Biopreparate. Had you even considered that it was released on purpose as chaff to get others to tinker with it and thus middy the waters?

I’m guessing not from the report that I read, hurried as it was and full of conclusions being jumped to. In fact, Symantec even said that they had not fully audited the code! C’mon…

Alrighty then, we have a newly released and re-tasked version of Stuxnet that turns out to be just a recon tool to steal data. I find it interesting that they make so much of this and intone that the coders of the original are up to shenanigans again but fail to even beg the question that it could be anyone with the requisite skills to cut into the original code (after it had been laid out for everyone to look at) and re-task it with a new time frame. Please note that there are not the original 0day attacks and multiplicity factors of infection vectors as well as exfiltration schemes.

So, not really so complicated as I see it.. You?

The original code/malware was very targeted and this, well this is really just like any other APT attack that I have seen out there.. In fact, in some ways its less clever than the APT attacks out there from the past.

So, really Symantec, take a step back and mull this all over again before you release.. Say.. Just who else had the code and you were worried about that would steal your thunder here?

Pathetic.

RATS, RECON, & Targets

Speaking of the infiltration/ex-filtration picture, I see from the report that they are linking the RAT to the original worm but have not real proof that it came from DUQU! It was found in situ on the box that they analyzed and make the assumed statement that it was “likely” downloaded by the malware via its comms to the C&C.

Once again I say “Evidence Much?”

You have no basis other than assumption but you make no real clarification on this. Though there is mention of a DQ.tmp file which I assume means that it came from the RAT.. But.. Proof again please? It’s the little things that count here and I see a great failure in your haste Symantec.

Another thing that is bugging me now is that the news cycle is making connections to DUQU with attacks on power grids.

HOLY WTF?

Symantec, DO YOU HAVE EVIDENCE of what companies were “Targeted” by this malware re-hash? If so, you should come out of the closet here a bit because this is BS unless you have proof. I of course understand that you cannot name the companies, but CONFIRM OR DENY that they were all Power companies before making claims and allusions that the media will just shriek at the top of their lungs placing more FUD on the headlines.

Or… Wait.. Now that might be an advantage to you guys huh?

Ponder.. Ponder…Ponder…

Well played….

What it all boils down to for me is this:

Someone re-tasked the malware and stuck a common RAT in it. Until you (Symantec) come up with more solid evidence of more interesting and technical attacks, then I call bullshit on you.

What? No Mention Of APT Here?

Meanwhile, I see that people are assiduously avoiding the APT word… Hmmmm What does this attack really remind one of… APT!

There, I said it.

APT attacks:

  • Infiltrate
  • Seek data
  • Exfiltrate data
  • Keep access

And therein lies the rub. DUQU has a 36 day shelf life. Now, this is good from a foot-printing level AND could be excellent for setting up the next attack vector that could include the component of sustained access. So, the reality here for me is that this was a foot print attempt on whatever companies it was set upon. It was a recon mission and that was all.

NOT STUXNET..NOT SON OF STUXNET!

Had you called it a Stuxnet like attack re-purposing code then I would have had less problems with your document Symantec. Instead we got FUD in a hurry.

Baseless Claims: Pictures Or It Never Happened!

Finally, I would like to see Symantec spend some more time here as well as see others pull this all apart. I want to see more proof before you all go off half cocked and get the straights all upset over an attack that may have nothing to do with the original.

Frankly, I find your faith in rationality disturbing… Symantec…

K.

The Eternal Game of Whack-A-Mole Goes On: Was Al-Shamukh Hacked?

with 2 comments

The Eternal Game of Whack-A-Mole Goes On:

Al-Shamikh1, the Shamukh Al-Islam AQ site is down, and has been allegedly under attack since this weekend. It’s mirrors are down as well and according to the news media Here and Here citing Evan Kohlmann of Flashpoint Global. The problem I have with the stories that the media is ravening over now is either that Evan is not painting the full picture or the media, as usually, is not understanding what he is saying. As for my take on it, it’s a little of both really. Evan has been around for a long time working as a consultant on terrorism, but as far as I know, he is not a network security specialist.

Over the weekend I had heard and re-tweeted reports that Shamikh was under an attack of some kind and the site was intermittently unavailable. as I had a whiskey in hand and no motivation, I let it be and figured it was maybe Jester doing his usual thing. Then today I see the barrage of bad media accounts with headlines like;

British Hackers Take Down Al-Qaeda Websites

and

NBC News: Hacker attack cripples al-Qaida Web communications

*Facepalm*

None of the articles cites any clear evidence of who did what never mind what actually happened to the site! Upon investigation this morning after being contacted by someone in the UK press, I found the following salient point:

From: robtex.com The domain and NS pointers have been suspended by GoDaddy

The domain and the name servers have been suspended by Godaddy. This is why it is offline now. Perhaps it was DD0S’d for a while and the traffic was the final straw for Godaddy on this site. You see, this site has been on the Godaddy for some time and many have pointed this fact out before, to no avail.. Well, actually one might assume that the feds just wanted to know where it was and leave it be to monitor.. But, that’s a bit too subtle for the media.

Whois data for shamikh1.net

Either way, the site is down now because they cannot route to it via the domain. Backups of the site hosted on non domain named boxes are down and the core server may have been compromised. It’s all up in the air at the moment but the media is just trucking along with the story. It may in fact be that the server was core was pulled by the jihadi’s themselves because they have been real twitchy since the 2010 roll up of al-faloja.

In the case of Shamikh, I had seen in the past that this site had some security issues to begin with. The implementation of the phpbb was weak and there were ways to get into the board and collect data. In one case, they had even re-set passwords and one could get them from the site itself for those users as they had passed them in the clear in what they thought was a secure space. Others have been using these vulns for some time to audit what is going on in the boards and have in the past run operations that have kept the admin’s and the jihadi’s on edge. This is why today you see so many more discussion groups on computer security, but more so how to configure and secure phpbb today on sites like As-Ansar.

Distributed Sites:

“Al-Qaida’s online communications have been temporarily crippled, and it does not have a single trusted distribution channel available on the Internet,” said Evan Kohlmann, of Flashpoint Global Partners, which monitors the group’s communications.

This one line really just grinds my gears here. I am sorry Evan, but this site is not the only one out there that has this type of content and even though the core is down, the content lives on in other sites. The Jihadi’s have created redundancy in the number of sites, not just put all their terrorist eggs in one digital basket. All of the sites link to one another as fraternal organisations do (i.e. As-Ansar has much the same content as Shamikh1). Remember, this is an group performing insurgency who know the power of cells and this is no different online. An example of this is the site in question of Shamikh, which has had many sites online at different times. Some get pulled down as they have issues with the hosts removing them. Others still have stealth sites on compromised systems, or in cases like the boxes in Malaysia, hosted secretly with complicity on the part of someone in the network (see paradius net)

In the case of Shamikh1 the following sites are known to have hosted or, as in the case of shamikh1.info, was scheduled to be soon.

http://shamikh1.net

http://shamikh1.info

http://202.149.72.130/~shamikh/vb/

http://202.149.72.131/~shamikh/vb/

http://202.75.56.237/~shamikh/vb/

All of these systems are down at least content wise for Shamikh, the .info though is online and untouched but hosts no content as yet. It seems to me that it was still being staged to host the content or maybe was set to be a backup.

shamikh1.info whois data

This has been the SOP for the jihadi sites for some time. In case one site is hit, the rest are online to keep the content online. In this case though, it seems that the “sophisticated and coordinated attack” really just means that they hit the core server for Shamikh so the content is not getting to the satellite sites. Of course once again, there is no data to say how this attack was carried out and how massive it may have been. Like I said, lately the e-jihadi’s have been twitchy about security for a while now because they have been compromised in the past.

So, all of this reporting that it was a huge state run hack and was massive takedown is mostly media hype and, I am afraid, as you can see from the reporting, it all seems to be coming from Mr. Kohlmann. Who’s privately run consultancy is getting quite a bit of attention now.. Isn’t it?

Cupcake Recipies Instead of IED’s Do Not A Hack Make:

Another thing that is sticking in my craw is this whole linking this outage/hack to the “cupcake” incident with Inspire Magazine. These two things are NOT alike and the media needs to pay attention to the facts. Nor is there any evidence cited or even hinted at in the real world that MI6 or Five for that matter had anything to do with this. For all they know, it could have been Jester or someone with like technology that dos’d them and got them yanked offline by their host.

Let me set the record straight here. The MI6 operation on Inspire was a PSYOP. They poisoned the well (i.e. Al-Malahem’s media apparatus) by intercepting the AQ file and replacing it with their own. Just where this happened no one is sure. Was it on some desktop somewhere before being put out? Or, was it replaced with the edited file on the megashare?

No one has said.

This operation though served two purposes. First off, it managed to stop AQ from getting the IED manual out to everyone, but secondly, and more importantly, it make AQ question its communications security. This was even more important and we can see the effects of that today in posts on the boards about security.

They are worried.

Oh dear media, pay attention and get the story straight. While the Cupcake operation had style and was claimed by MI6, this current claimed attack on Shamikh has no attribution by anyone and there is no proof that I have seen to say that anyone did anything… Save that their site is down.

Whodunnit:

This all leaves me wondering just who may have attacked Shamikh and why. Given that the sites are often taken down only to show up elsewhere makes me question why it was done at all. It would be simpler to monitor the site and capture data than to send them all scurrying into the woods would it not? This was my primary issue with the Jester’s campaign, it did no good. Even if you are driving them off the sites, they will only move toward less visible ones and use more covert means of communication. Why not let them feel fat, dumb, and happy while we watch their every move?

All I can think of, if this was state sanctioned, was that the Shamikh site was about to drop some content that someone did not want out there so they took the network down. If it wasn’t state sanctioned and some hacker or hackers decided to mess with them they did it for their own reasons. Either way, the sites got taken down..

But, they will be back again… Let the great game of whack a mole begin!

K.

Lulz, Jester, and Counterintelligence On The Internet

with 8 comments

Escalation:

I once wrote a blog post about ‘escalation’ and it seems that my fears are coming true as the Lulz Boat keeps making waves across the Internet. Between Lulzsec, Jester, Anonymous, and now God knows who else, we are seeing a re-birth of the 90’s anarchy hacking. However, since so much has changed network wise since the 90’s its been amplified a thousand fold. What has spun out of all the hacking (hactivism, vigilantism, whatever you want to call it) is that we are seeing just how a counter-intelligence operation is carried out. Th3j35t3r and his friends at Web-Ninjas’s are carrying out this counter-intelligence program and posting their findings on Lulzsecexposed as well as on th3j35t3rs own site on word-press.

To date, their efforts have not seemed to have either slowed Lulzsec’s antics, nor generated any federal arrests of anyone involved. However, I think it important to note the methods being used here to attempt to put faces to names in the lulz crew.

The LulzSec Problem:

The problem with trying to track lulzsec members is primarily the technologies that they are using prevent getting a real idea of where and who they are. By using VPN technologies, proxies, and compromised systems in the wild, they have been able to keep their true identities from being exposed in a more meaningful way other than screen names. Due to the problems of digital attribution, the governments of the world cannot quite get their hands around who these people are nor, would they be able to prove such in a court of law at the present time without solid digital forensics on the end users machines.

In the case of Lulzsec and Anonymous, they are not using just one system but many types of systems to protect their anonymity. Thus, with the right tools and obfuscation, they feel impervious to attack from anyone, be they government, law enforcement, or the likes of Th3j35t3r. Tactically, they have the advantage in many ways and it would take one of two types of attacks, if not both simultaneously, to take the Lulzsec and Anonymous core group down. The attacks I mention are these:

1) A direct attack on their IRC servers that host the secret C&C channels

2) Insertion of ‘agent provocateurs’ into the C&C of Lulzsec and Anonymous (as recently alluded to with the FBI stat that one in 4 hackers are CI’s recently)

I actually would suggest that both avenues of attack would have the best effect along with a healthy program of disinformation and PSYOPS to keep the adversary unbalanced and malleable. Which leads me to my next section.. The methods of attack.

Counter-Intelligence:

An overall category, Counter-Intelligence ranges all of the afore-mentioned types of attacks. In the case of Lulzsec, anyone could be a member within the community that encompasses info-sec or anonymous. Hell, Jester could actually know some of these people in real life just as well as you the reader might and never know it if the member never talks about it. I imagine it’s kind of like Fight Club;

The first rule of Fight Club is, you do not talk about Fight Club. #2 – The second rule of Fight Club is, you DO NOT talk about Fight Club. 

If anyone talks, they could end up in some serious shit and in this case, disappeared pretty quickly if the governments in question get their hands on them. This is especially true now that they have hit the FBI and CIA with their attacks and derision… But I digress. The key here is that because no one knows who is who or is talking about it, it is very analogous to the idea of a mole hunt or counter intelligence operations that seek to locate spies within the community (such as within the CIA) There are whole divisions in the CIA and FBI as well as other places that are solely devoted to this type of war of attrition.

I believe that it is a counter-intelligence operation that will win the day though in the battle against Lulzsec or any other like minded adversary. Winning that battle will take the following types of sub operations as well.

PSYOPS & Disinformation:

PSYOPS and Disinformation work together to unbalance the adversary as well as spin the masses toward compliance or action. In the case of LulzSec, this type of activity is already ongoing with their own ‘Manifesto‘ and other publicity that they have put out. They want to spin opinion and generate adoration as well as fear, both of these are in evidence within the media cycle and the public’s perception of who and what they are. Where I am seeing both types of activity on Lulzsec’s part, I can also see within the actions of jester and the Web Ninja’s as well.

On the part of LulzSec, the following psychological operations and disinformation campaigns can be seen:

  • For each alleged ‘outing’ of a member, they make claims that these are not core members of their group (note, they do not make claim to the anonymous model of headless operations) such outed persons who can be connected to them are merely underlings in open IRC channels
  • Affecting accents and 4chan speak to attempt to hide their real patterns of writing and mannerisms
  • A claim to having battles with 4chan and /b/ as well as Anonymous while they seem much more aligned to them (distancing)
  • The use of agent provocateurs against Jester within his own coterie of followers and open IRC channel
  • The use of flash mobs (abuse) within Jester’s open IRC channel
  • Leveraging the fact that they are anonymous (in concept) and due to the technology today, virtually untouchable

On the part of Jester we have the following operational tactics used so far:

  • The outing of individuals believed to be core members of the group (no matter if correct, will prompt a reaction from Lulzsec that may be telling)
  • The use of agent provocateurs to place disinformation as well as gather intel on the adversary (Lulzsec) which can be seen in leaked IRC chat transcripts
  • The creation of analogous groups such as the Web Ninja’s to work against LulzSec
  • Leveraging the fact that he is just as anonymous (in concept) as they are and due to the technology today, virtually untouchable

It seems from both sides of the battle, that these types of actions are being used to mislead and gain the edge over the other. In the case of Jester, I am pretty sure that this is an overt thing. While, on the other hand, with Lulzsec, I see it as a reactionary set of measures to attempt to keep themselves from being exposed as to who and where they are. As this continues, I am willing to hazard that even more players are playing a part in this war, quietly, and those would be the government operatives looking for an in to take the Lulz down. Of course, the government has been pretty quiet about Lulzsec haven’t they? One wonders just what they are up to.. If anything at all.

Of course, the NSA may just be the dark horse here… And the Lulz won’t know what hit them.

Then it will be over.

Development of Sources:

One of the more tradecraft oriented things that must be going on is the use of sources or getting assets into positions to be inside the Lulz Boat. I am sure that there are players out there sidling up to the right users on the IRC boards in an attempt to get into the inner circle of LulzSec as well as Anonymous. These assets are likely to be working for the government but I can also see someone like Jester using the same tactic, if not posing himself as the asset. Due to the nature of the problems of tracking these people, this is the best way to get close to the Lulz and to gather raw intelligence on them. After all, even if not fully trusted, an asset can gather important data on the actions of the Lulz and be there when they make a crucial mistake.

The other side of that coin may be people who have been outed and were in fact affiliated with the Lulz. This is where the FBI has a forte in turning hackers into informants by allowing them to work for them instead of just being put in a hole somewhere. It has happened in the past (carders for example) and likely is the case in the Lulz affair. After all, some have been ‘vanned’ already in Anonymous circles and I have yet to hear about any real solid court cases being filed.. So.. One tends to think that there is a bit of cooperation going on with those who have been popped already for being suspected ‘anons’

In the case of the Lulz, we have yet to see or hear of anyone being taken into custody for being afiliated with the Lulz.. But, the day is young especially of late.

Habits Will Be Their Downfall:

Overall, I would say from what I have seen in IRC and in other data located out there on key user names, that human nature and habits will be the downfall of the Lulz. People have habits and these can be leveraged to attack them. No one is perfect and none of these people to my knowledge have been trained to avoid the pitfalls of habit that a trained operative would. Insofar as the Jester seems to have hit the mark in a few cases is telling that people are leaking data. Either the Lulz themselves have been careless (as they harp on password re-use, I harp on user name re-use) or they have indeed  been infiltrated by assets of the enemy, or, have decided to go down another less dangerous path in hopes of not being prosecuted.

Habitual behaviour too is not only action, but mannerisms, thought processes, and enunciation of motives. Just as coders tend to code in specific ways that can be used as ‘digital DNA’ so too can writing patterns, speech, etc even when attempted to be clothed in 4chan speak. As well, the habits of human nature to be trusting will too be their downfall. After all, unless this is a one person operation, there are many links in the chain that could and will be exploited. As people seem to be dropping off of the Lulz Boat (per Jester’s data) they will need new blood to keep the Lulz going, and that means that they will have to recruit, vet, and eventually trust someone…

And that is where the counter-intelligence operation will seal the deal… The phrase “Trust No One” just cannot be a reality in any operation. This is why they sometimes fail, because you trust the wrong person.

Over Reliance On Technology:

In the meantime, the Lulz seem to be relying quite a bit on technologies that are rapidly becoming susceptible to attacks by those who want to capture or stop them. The use of Anonymous proxies like Tor, while effective now, are also compromise-able from a few different perspectives. The technology may be solid, but the pressures legally on those who run them may in fact lead to compromise. Just as any of these avenues of anonymization that are out there could in fact be just honey-pots to capture data. A case in point would be Tor, which was a Navy project to begin with and anyone who has set up an exit node, can in fact sniff the traffic for data that may be helpful in getting a lock on a user.

Additionally, any other means of technology like cloud services that are hosting their data or facilitating anything the Lulz do, could potentially be compromised if the right people are involved *cough NSA cough* that have the latitude to do what they like. Given today’s surprising numbers of laws being passed that erode all of our rights to privacy, I should think that the days are numbered for the Lulz on the technical playground as the boys at Ft. Meade start getting their orders to lock and load.

Never trust so much in technologies that YOU do not run solely yourself.. Remember the government can make any company that MITM attacker and YOU the attacked.

The End:

In the end, I think that the Lulz have pointed out that ‘Elephant with its trunk in out collective coffee” but at what price? Will this change the paradigm and make the government care about security in a more cogent way? No. Instead they will come up with tougher laws and more ways to invade privacy by shortcutting the process. Sure, shit is out there and it is vulnerable, but you know what? It always will be. If it isn’t some very low hanging fruit like SQLi then it will be 0day. There will always be a way in. That is just the nature of things and the Lulz will have shifted paradigm.. Because truly, the Lulz will be on LulzSec, emotionally charged and sorry for their actions… While sitting in jail.

K.

*EDIT* Oh and one more thing to add here as an afterthought. I may remind you all that as the laws are changing and the Patriot Act has been re-signed. The Lulz, having upped the ante, can easily be considered ‘Domestic Terrorists” This would place them in even a more precarious place because then, the legal gloves come off….

One man’s Domestic Terrorist is another man’s “Enemy Combatant”