Archive for the ‘Corporate Intelligence’ Category
Counterintelligence, False Flags, Disinformation, and Network Defense
//B zrxr wwmpxjnp vf ygwyr jh kur gig vvbxv nf o “yinwf zcnt”. Ilmf xp vv lbi vwwpe grxr mhct sxh ubpifmpxt qzgu o izkruyi nar t tcqjhrgrf. Mpgwf xrlf hawwki, CU’f uoom oehhvgvq lbtmqm, ybywzzcqt, ueq vbyzcvfx nngsk ucvlm. Pbh bxmf e qlf.\\
Threat Intelligence, Counterintelligence, and Corporate | Nation State Espionage
“Threat Intelligence”, a term that is just behind the oft used “Cyber” and God forbid, “Cyber” is all too often put in front of it as well to add more oomph for sales people to sell their brand of security snake oil… “But wait there’s more!” We also have other spook terms being kluged into the INFOSEC world now because, well, it’s cool to those cyber warriors out there. I know, I sound jaded and angry, which, yes, yes, I am, but… Well, it’s just gone completely off the rails out there. I hear people talking about these topics as if they know what they are talking about even with the exceedingly limited scope of digital security matters (i.e. hacking/forensics/defense)
I would like to clear the air here a bit on these terms and how they do really apply to the world of INFOSEC that we in this business now find ourselves in, one littered with military and spook terms that you may not be really familiar with. First off, lets look at the terms that have been thrown around here:
Threat Intelligence: In the spook world, this is the gathering of intelligence (HUMINT/MASINT/SIGINT etc) to determine who has it in for you and perhaps how they plan on getting at you.
Counterintelligence: Spies who hunt other spies (Mole Hunts etc)
Espionage (Nation State and Other) The umbrella under which this whole rubric exists. Nation state and other have the component of “Industrial” as well (i.e. IP theft)
Ok, so, where once we used to only have people in three letter agencies worried about “ThreatIntel” we now have the INFOSEC community looking at “threats” to their environments and calling it “Threat Intelligence” now. While it’s a cool name, does it really apply? What was it before the whole APT thing broke as well as the cyberwar-palooza we have today? For the most part, I can see only half of the term applying to any non state entity or three letter agency and that is of what “threats” are out there today. This means what exploits and pieces of malware are out there that your environment would be susceptible to.
Nothing else.
That is unless you suddenly have a company that has decided to launch its own “Intelligence arm” and yes, this has happened, but usually only in larger companies with defense contracts in my experience. Others though, have set them up, like Law firms, who then hire out ex spooks to do the work of counterintelligence as well as intelligence gathering to have an edge over everyone else. Perhaps this is bleeding out into other areas as well in corporate America huh? The point here for me is that unless you have an intelligence arm (not just INFOSEC) you should not be using the term “Threat Intelligence” as an encompassing statement of “there’s malware out there and this is what it is” Point blank here, IF YOU AREN’T DETERMINING WHO YOUR ADVERSARY IS AND WHAT THEIR PLAN IS… IT”S NOT THREAT INTELLIGENCE.
Looking at IP’s on an SIEM and reacting to a triggered event is not threat intelligence. It’s INCIDENT RESPONSE. It’s AFTER THE GOD DAMN FACT OK?
So, stop trying to make it sound cooler than it really is people. To further this idea though, we still have “Counterintelligence” which FOR FUCKS SAKE I have personally seen in a title of a complete MORON at a large company. This fucker sits around all day looking at his stock quotes though, see, it’s just a cool title. It has no meaning. UNLESS you really have an operational INTELLIGENCE UNIT in your company.
*Look around you.. Do you? If not then STFU*
If you do have a real intelligence wing in your org that carries out not only COUNTERINTEL/INTEL/HUMINT/THREATINTEL then more power to you. If not, you’re deluding yourselves with militaristic terms and cyberdouchery… Just sayin.
However, the way things are going with regard to the world, I should think that you might see more of these kinds of intelligence arms springing up in some of the larger corporations of the world. It’s a rough world and the fact that everything is networked and global has primed the pump for these kinds of activities to be a daily operations tool. It’s now the blurring of the lines between what nation states solely had the control and aegis over to now its becoming privatized and incorporated.
William Gibson saw it.. Phramacombinats and all.
False Flags and Disinformation Campaigns
Which brings me to the next level of affairs here. When I was on the DEFCON “Fighting Monsters” panel, I made some statements that seem to have come to pass. I spoke about how Anonymous would have to worry about “False Flags” against their name as well as expand upon the idea that Pandora’s box had been opened. Nothing on the internet would really be the same because we all had moved into the “spook world” by the actions of Anonymous as well as things like Stuxnet. The lines had been blurred and all of us net denizens need to be aware that we are all pawns in a series of greater games being played by corporations and governments.
Since then, we have seen many disinformation campaigns (think sock puppets on social media, fake news stories, rumours, etc) as well as false flag actions where Anonymous may have been blamed or named for actions that the core did not carry out. So many times since then we have seen Anonymous attempt to set the record straight, but, like I said before, who’s gonna believe them because they are “anonymous” and disparate right? Could be anyone… Could be them… And with previous actions, are they to be trusted when they say they did not do it? See, the banner thing (hive mind) has a tremendous proclivity for severe blowback as they have learned.
What’s sauce for the goose though, is also good for the corporate, political, private gander right? How many Acorn operations do you need to see happening in the election cycle to realize that this has been going on for some time and that, now, with the internet, its easier to perform these kinds of operations with a very small group with minimal effort as well? Pandora’s box was not only opened, it was then smashed on the floor and what was once contained inside has been forever unleashed upon us all.
Yay.
Now, going back to you INFOSEC people, can you then foresee how your companies reputation or security could be damaged by false flag operations and disinformation? A recent example may in fact be the attack purported to be on against Josh Corman of Akamai because he said some things that “some” anonymous players did not like. Were they really out to get him? Were they doing this out of outrage or was there another goal here? What you have to ask yourselves is, what is my company and it’s employees susceptible to in this area? Just as well, this also applies to actual attacks (DDoS etc) they could be signal to noise attacks. While the big attack is going on, another team could be using the fog of war to sneak into the back door silently and un-noticed.
See where I am going there?
In the case of Josh, do they want to D0X him or do they want to force Akamai to maybe flinch and let him go because of bad press, and potential attacks on their infrastructure and management?
Ponder that…There are many aspects to this and you have to have a war mentality to grasp it at times. Not all attacks frontally are the real attack today. Nor are all attacks on players what they may seem to be in reality, the adversaries may in fact have a longer game in mind.
Network Defense and Network OFFENSE
Ok, so back to reality today with many orgs and their INFOSEC programs. You are looking to defend your network and frankly you need not have “cool” names for your program or its players. What you need is to be mindful of your environment and pay attention to the latest attacks available that would affect it. Given today’s pace though, this makes just about everything suspect. You can get yourself an IDS/IPS, an SIEM, Malware protection, and all kinds of things, but, unless you know where shit is and what it is, you lose the big game. So, really, threat intelligence is just a cool name for an SIEM jockey today.
Like I said, unless you are doing some real adversary profiling and deep inspection of attacks, players, motivations etc, you are not doing THREATINTEL. You are minding the store and performing network defense… i.e. your job.
Now, on the other end of the spectrum lately, there have been certain douchenozzles out there saying that they can sell you services to protect your org with “OFFENSE”
*blink blink*
Offense you say? Is this some new form of new SPECWAR we aren’t aware of? Firms like the more and more vaporware company “Crowdstrike” seem to be offering these kinds of services, basically mercenaries for hire, to stop those who would do you harm. What means are they going to employ here? Obviously performing what they see as intelligence gathering, but then what? Once you have attribution will there then be “retribution” now like so many Yakuza centric stories in Gibson novels? I’m sorry, but I just don’t see this as viable nor really any kind of a good idea whatsoever… Leave it to the three letter agencies.
Alas though, I fear that these companies and actions are already at work. You can see some of that in the link above to the book I reviewed on private intelligence and corporate espionage. Will your data be a part of a greater corporate or government conspiracy? Some black ops mumbo jumbo over your personal information perhaps? Part of some retribution for some attack perceived to have happened to company A by company B?
Welcome to the shadows and fog of espionage kids.
Going “Off The Reservation”
Overall, I guess I just wanted to lay some things out there and get people’s heads around the amount of douchery going on today. We collectively have gone off the reservation post 9/11 with PII, Privacy (lack thereof) and hacking. That entities like Anonymous came to be and now see the governments and corporations of the world as dark entities isn’t so hard to see when you look at the crap going on out there. What we saw in Team Themis was just one small spec in a larger “Cyber Beltway Banditry” going on today. Look to the other side where you have Fusion centers with private INTEL gathering capacities tossing out absolute crap yet spending BILLIONS of dollars and, well, there you have it.
Monkeys with digital guns.
We are off the reservation already and it’s every man (or woman) for him or herself.
In the end though… If you have a title that says something like “CHIEF INTELLIGENCE OFFICER” on it, you’d best be at a three letter agency.. If not, then you are deluding yourself with EPIC DOUCHERY.
K.
DEFCON PANEL: Whoever Fights Monsters: Confronting Aaron Barr, Anonymous, and Ourselves Round Up
A week before this year’s DEFCON, I got a message that I was being considered to replace Aaron in the the “Confronting Aaron Barr” panel discussion. It was kind of a surprise in some ways, but seemed like a natural choice given my tet-e-tet with Anonymous, LulzSec, and even Mr. Barr. After coming to BlackHat and seeing the keynote from Cofer Black, it became apparent that this year, all of these conferences were about to see a change in the politics of the times with reference to the hacking/security community and the world of espionage and terrorism. Two things that I have been writing about for some time and actually seeing take place on the internet for more than a few years with APT attacks on Defense Base contractors and within Jihadist propaganda wars.
Going into the planning for the panel discussion, I was informed that I was hoped to be the stand in for Aaron in that I too see the world as very grey. Many of my posts on the Lulz and Anonymous as well as the state of affairs online have been from the grey perspective. The fact is, the world is grey. There is no black and white. We all have varying shades of grey within our personalities and our actions are dictated by the levels to which our moral compasses allow. I would suggest that the example best and most used is that of torture. Torture, may or may not actually gain the torturer real intelligence data and it has been the flavor of the day since 9/11 and the advent of Jack Bauer on “24” face it, we all watched the show and we all did a fist pump when Jack tortured the key info out of the bad guy to save the day. The realities of the issue are much more grey (complex) and involve many motivations as well as emotions. The question always comes down to this though;
If you had a terrorist before you who planted a dirty nuke in your city, would you ask him nicely for the data? Give him a cookie and try to bond with him to get the information?
Or, would you start using sharp implements to get him to talk in a more expedient fashion?
We all know in our darkest hearts that had we families and friends in that city we would most likely let things get bloody. Having once decided this, we would have to rationalize for ourselves what we are doing and the mental calculus would have to be played out in the equation of “The good of the one over the good of the many” If you are a person who could not perform the acts of torture, then you would have to alternatively resolve yourself to the fates as you forever on will likely be saying “I could have done something” Just as well, if you do torture the terrorist and you get nothing, you will also likely be saying “What more could I have done? I failed them all” should the bomb go off and mass casualties ensue.
I see both options as viable, but it depends on the person and their willingness to either be black and white or grey.
Within the security community, we now face a paradigm shift that has been coming for some time, but only recently has exploded onto the collective conscious. We are the new front line on the 5th battlespace. Terrorists, Spies, Nation States, Individuals, Corporations, and now ‘collectives’ are all now waging war online. This Black Hat and Defcon have played out in the shadow of Stuxnet, a worm that showed the potential for cyber warfare to break into the real world and cause kinetic attacks with large repurcussions physically and politically. Cofer Black made direct mention of this and there were two specific talks on SCADA (one being on the SYSTEM7’s that Iran’s attack was predicated on) so we all ‘know’ that this is a new and important change. It used to be all about the data, now its all about the data AND the potential for catastrophic consequences if the grid, or a gas pipeline are blown up or taken down.
We all will have choices to make and trials to overcome… Cofer was right.
“May you live in interesting times” the Chinese say…
Then we have the likes of Anonymous, Wikileaks, and the infamous ‘LulzSec’ Called a ‘Collective’ by themselves and others, it is alleged to be a loose afiliation of individuals seeking to effect change (or maybe just sew chaos) through online shenannigans. Theirs and now their love child ‘LulzSec’ ideas on moral codes and ethics really strike me more in line with what “The Plague” said in “Hackers” than anything else;
“The Plague: You wanted to know who I am, Zero Cool? Well, let me explain the New World Order. Governments and corporations need people like you and me. We are Samurai… the Keyboard Cowboys… and all those other people who have no idea what’s going on are the cattle… Moooo.”
Frankly, the more I hear out of Anonymous’ mouthpieces as well as Lulzs’ I think they just all got together one night after drinking heavily, taking E, and watching “Hackers” over and over and over again and I feel like Curtis exclaiming the following;
“Curtis: If it isn’t Leopard Boy and the Decepticons.”
So, imagine my surprise to be involved in the panel and playing the grey hat so to speak. The panel went well and the Anon’s kept mostly quiet until the question and answer after, but once they got their mouths open it was a deluge. For those of you who did not see the panel discussion you can find the reporting below. My take on things though boils down to the following bulletized points:
- Anons and Lulz need to get better game on if they indeed do believe in making change happen. No more BS quick hits on low hanging fruit.
- Targets need recon and intelligence gathered has to be vetted before dumping
- Your structure (no matter how many times you cry you don’t have one) can be broken so take care in carrying out your actions and SECOPS
- Insiders have the best data… Maybe you should be more like Wikileaks or maybe an arm of them.
- Don’t be dicks! Dumping data that can get people killed (i.e. police) serves no purpose. Even Julian finally saw through is own ego enough on that one
- If you keep going the way you have been, you will see more arrests and more knee jerk reactions from the governments making all our lives more difficult
- Grow up
- The governments are going to be using the full weight of the law as well as their intelligence infrastructure to get you. Aaron was just one guy making assertions that he may or may not have been able to follow through on. The ideas are sound, the implementation was flawed. Pay attention.
- If you don’t do your homework and you FUBAR something and it all goes kinetically sideways, you are in some deep shit.
- You can now be blamed as well as used by state run entities for their own ends… Expect it. I believe it has already happened to you and no matter how many times you claim you didn’t do something it won’t matter any more. See, all that alleged security you have in anonymous-ness cuts both ways…
- Failure to pay attention will only result in fail.
There you have it, the short and sweet. I am sure there are a majority of you anonytards out there who might not comprehend what I am saying or care.. But, don’t cry later on when you are being oppressed because I warned you.
K.
http://www.darkreading.com/security/attacks-breaches/231300360/building-a-better-anonymous.html
http://www.pcworld.idg.com.au/article/396320/three_tips_better_anonymous
http://www.wired.com/threatlevel/2011/08/defcon-anonymous-panel/
http://venturebeat.com/2011/08/06/defcon-panel-anonymous-is-here-lulzsec-is-here-theyre-everywhere/
BlackkatSec: The New Kids on the Block Who Allege They Took Down Al-Qaeda
From GamerCrypt
Last week, the AQ site shamikh1.net was taken down by unknown persons and their domain suspended by Godaddy for abuse. Evan Kohlmann of Flashpoint Global was making the rounds on the media circuit pimping that it was in fact MI6 or the like that took the site down. However, Evan had little to no evidence to back this claim, and frankly, the media just ate it up evidence be damned. I came to the party after hearing online the previous weekend that the site was under attack and going down from an unknown type of attack. However, I knew from past experience that the site was likely being attacked through some SQLi or a DD0S of some kind. The reasoning I have had is that the site was vulnerable to attack in the past and as far as I knew, the admin’s at Shamikh1 had not fixed the problems.. Not that anyone was goint to tell them that their site was vulnerable.
As time passed and more stories circulated, Evan’s tale changed slightly to include the fact that he thought there was a domain hijack that had happened. There is once again no evidence of a domain hijack at all, but, there still lingers the idea that the site was taken down by someone other than skiddies out for a good time. Once again, there was no evidence to back up any claims, but the media is.. well the media.. They will buy anything if it gets them attention. So on it went, and on Saturday the back up site that AQ had registered in May (as I surmised that it was the backup in my earlier post) was back up serving the main page. To date the page is not fully functional and once again Evan has made a claim on the news that they are back up for registration, another false claim as they are not taking submissions.
Either way, the site is online (mostly) and seems to be getting back into the swing while a new dark horse has entered the race as to who did it and perhaps why. @blackkatsec or BlackKatSec, is a new splinter group of LulzSec/AntiSec/Anonymous that has turned up quietly making claim to the hack on shamikh1. They so far, have not said much on why never mind how, but, it would be interesting to hear from them on the pastebin site as to what data they may want to release on their hack. If indeed they used SQLi attacks and in the end rm –rf * ‘d the site, then I would LOVE to see what they got out of it before they did so. If on the other hand, they just attacked the site and the admins as well as Godaddy took it down, then I would like to know.
Speculation is.. Well it’s mental masturbation really. Good for the media, bad for those who really want to know something.
So, dear BlackKatSec, if you feel so moved, please do drop me some data.. I will make sure its used to cause the boys from Shamikh1 more heartburn. Otherwise, please do keep us up on your attacks as I do not look forward to hearing all the damned speculation that comes out of the spinning media heads like a certain someone who I mentioned above. Of course you could just be trying to claim the hack for whatever reasons and not done it… But, the lack of trumpeting it to the world says to me that maybe you were involved…
Say.. You guy’s aren’t MI6 are ya?
HA!
More when I have it.
K.
From Lulz to Global Espionage: The Age of the Cracker
It seems that 2011 is turning into the year of the cracker. Between Anonymous, Lulzsec, and the ongoing wave of espionage being carried out by nation states, we have begun to see just how serious a threat cacking really is. Of course both of these groups of attacks have greatly differing motives as well as means. Lulzsec, well, is doing it for the Lulz and the others such as nation states or criminal gangs, are doing it for political, financial, or personal gains. In this post I will cover all three groups and their motives as well as means.
Lulzsec:
Lulzsec is a splinter group of Anonymous who for all intents and purposes, have decided to carry out raids on any and all sites that they feel need their attention. This could be simply a process of finding the lowest hanging fruit and exploiting it or, there may be some further agenda that they have yet to explain fully. So far though, we have the simple explanation of “They are doing it for the Lulz”
Lulzsec really began their efforts with focusing their full attention on Sony Corp. Sony pissed them off by attempting to prosecute a coder/hacker/reverse engineer named GeoHotz. Geohotz managed to tinker with some Sony code and they went out of their way to try and destroy him. It’d be one thing if he was being malicious, but Geohotz was not.. Instead Sony was. This caused a great backlash in the hacker community against Sony, and though they came to an agreement with Geohotz, Lulzsec decided they needed some attention.
After numerous attacks on Sony that netted Lulzsec much data and showed just how poor Sony was at protecting their client data, Lulzsec decided to take their show on the road so to speak. They began their new campaign with “The Lulz Boat” which set sail for #fail as they say. Soon the Lulz were epic and the target scope began to open up. Lulzsec attacks began to show up on Pirate Bay as well as on pastebin where they would dump the data from their attacks and laugh at the targets poor security.
What once seemed to be revenge has now morphed into a free for all of potential piratical actions for unknown reasons by Lulzsec. Of late, they also seem to be profiting from their actions by donations of bitcoins as well as perhaps other help from the masses who enjoy their antics. It is hard to tell exactly what the agenda seems to be for Lulzsec as it is still evolving…
Meanwhile, their actions have risen the ire of not only the likes of Sony, but now the governments of the world as well as their law enforcement communities. Who knows how long it will be before they are collared or if they will be at all.
Nation State Actors:
The ‘Nation State Actors’ may well be the most sophisticated group here. Many of you likely have heard the term APT, and this group would be the core of the APT. Those nations that have the means to use assets at their disposal to make long term and concerted attacks against their targets. This is the real meaning of APT (Advanced Persistent Threats)
What we have seen in these last few months is either an escalation on their part, or, we are just now catching on to their attacks by actually paying attention to information security. I am not sure which it is really, but, I lean toward there being more attacks as the programs developed by certain countries have solidified and spun up. As you have seen here, I have made much mention of China as being the culprit in many of the attacks recently. I stand by that assessment, but one must not forget other countries like Russia or Israel for APT attacks.
This all of course is just a natural progression from the old school espionage with physical assets in the field to a digital remote attack vector. As we have gotten wired, so has the espionage game. In the case of the wired world, unfortunately, much of the security that would usually surround assets in the old days, are not put into place in the digital. Why is this? It could be a lack of understanding, or, it could also be that the technology has outpaced the security values that they require to protect the data within.
Either way, hacking/cracking has now become a tool of war as well as intelligence gathering. It’s just a fact of life today and unfortunately the vendors and users have not caught up on means to protect the assets properly.
Industrial Espionage:
This is where the APT, Lone crackers, Companies, and Nation States meet. All of these groups use hacking/cracking as a means to an end. In the case of nation states, they are often looking to steal IP from companies. Often times that IP happens to be from defense contractors. This is a dual use type of technology both for war as well as any technology taken could further their own in many other ways.
In today’s world, you have all of these players using attacks to steal data for themselves, or their masters. The recent attacks on Lockheed are just this, APT attacks, likely by China engaged to steal IP on military hardware and technologies to augment their own and compete not only on the battlefield but also economically.
Other attacks are likely un-noticed and carried out by single aggressors or small teams that hire themselves out for this purpose. These are the civilian equivalent of the nation state spies and often can be contracted by nation states or other companies to carry out the work. In fact, this has become a boutique niche for certain individuals and companies in the ‘private intelligence’ arena. For this type of actor, I suggest reading ‘Broker, Trader, Lawyer, Spy’
Criminal Gangs:
This brings me to the criminal gangs. These are most commonly from the Eastern Block (The former Soviet Union) and they too often work tacitly for the government. In the case of Russia, there is a large amount of governmental complicity with the gangs. This is because much of the Russian government is made up of Russian mob types or, are paid handsomely by them for complicity.
Much of the crimeware trojans out there are Russian (Ukraine) made and the money that they steal from their quick hits goes to the East. Just by looking at the news, you can see how many ATM skimming attacks have money mules hired by the Russians and how often the money makes its way there. An interesting convergence here is also the connection between the Chinese in some cases and the Russians working together. There was a spate of Russian run botnets that had Chinese involvement as well as Russian servers/sites showing up in China recently.
With the synergy of the Russian and the Chinese malware makers working together, we will have a level of attacks that will only escalate as they learn from each other and perfect their methods. Meanwhile, they are robbing places blind by stealing PII data to create identities with as well as just transferring large sums of money digitally from banks that lately seem to be getting off for not performing the due diligence of security on behalf of their clients.
When The Players All Meet:
It seems that in the end all of the players meet at the nexus of digital crime. Whether its stealing data for profit, or as an act of patriotism for a nation state, all of the players work within the same digital playground. As the technologies meet, so do the players and it is likely there will be bleeding together of means and opportunity.
In the case of Lulzsec, it has yet to be determined what they really are all about other than the laughs. As they were once a part of Anonymous, one might think they might have a political agenda, but they have said otherwise. However, some of their actions speak to a more political bent than anything else. The recent attack on the senate websites seems to belie at least some politics at play as they stated they didn’t like them very much.
More importantly though, it is the response by the nation states and their law enforcement groups that will be interesting. For groups like Lulzsec, they are now passing from the nuisance category into perceived enemies of the state. Once they start attacking government and military targets with their lulz, then they are likely to see a more hardened response from intelligence agencies as well as the likes of the FBI.
Once the laws and the enforcement agencies catch up with the technology, then we are going to see some interesting times…
K.
The Dragon and Eagle: China’s Rise from Hacking To Digital Espionage
黑客 Transliteration into English ‘Dark Visitor’, more specifically in our colloquial language ‘Hacker’ The Dark Visitor movement of the 1990’s has morphed into a more sophisticated and government connected espionage wing today. What was once a loosely affiliated group of patriotic hackers, has been honed by the PLA (Peoples Liberation Army) into a force to be reckoned with on the stage of digital espionage and data theft.
Beginnings:
Back in the latter 1990’s the Internet made its way to China and soon hackers began to see how the system worked. These hackers were curious about systems to start, but soon the motives changed in the Chinese hacker community due to patriotism and the inherent nature of the Chinese culture, to feel that they could avenge their country for perceived sleights by hacking web pages and defacing them. It was in 1997 that the first hacker collective was formed and named the “Green Army” and in 1998, the “Red Hacker Alliance” was formed after an Indonesian incident involving riots against the Chinese caused them to band together.
Over time, many groups would form and dissipate only to re-form. The groups would have various reasons to go on campaigns of hacking against other countries like Taiwan over political issues and the like, but it seemed for the most part the general aegis was just to hack. A change though came in the 2000’s when commercialism started to come to play. It seems that as in the West, the hackers began to see that their skills could be put to use to make money, and many of them began working as security consultants. As with the country itself, commercialisation that Deng Xiaoping had put into play with his ‘market economy’ afforded them the idea of not just being politic but also in some ways, Capitalist.
From the “Dark Visitor” by Scott Henderson its a good albeit short read on the subject. You can buy it on his site I think..
The paradigm however has changed a bit since 2005 and since, more of the hacking and the groups doing it have dual motives. Due to the PLA co-opting the hacker groups, a healthy dose of patriotism, and the general socio-political environment that the Chinese live in today, we now have both forces at work. The political and the market driven.
Motivations for APT Attacks:
Since the market economy’s beginning with Deng, China has brought itself up out of the depths that the Mao government dragged them into a burgeoning super power. Most of this economic feat has been driven by the sheer ability of the Chinese to throw immense amounts of workforce at problems. While producing cheaper and perhaps lower quality goods, they have plaid upon the capitalist nature of the west to pivot themselves into the controlling seat economically and production wise. America and other countries have locked on to the idea that hiring out to foreign workers (outsourcing) they are saving a lot on their bottom line. As well, the consumer, be they American or other, have enjoyed the advantages of cheaper products, thus they save more money on their purchases, and thus have more disposable income.
This model however has one flaw for the Chinese. While the Chinese have great skill in replicating technologies, and have created clever contracts that in the end, garner them all of the specs on how to make just about everything, they lack in the area of generating new technologies. This is the basis for their efforts within the industrial espionage area that make up quite a great number of the persistent attacks on companies in the West that have succeeded in stealing IP. It seems that the Chinese need for political status as well as economic status have created the perfect incubator for the likes of the Honker Union or the Green Army, to turn their efforts toward making China a complete superpower.
State vs. Non State Actors:
The lines between the state actor and the non state are very much blurred in China. Due to the culture, many of the hackers work together for the common goal of the state. Since 2001 though, the notion of the state actor has been more common since the PLA began to incorporate the hackers into their ranks as well as to begin training programs at universities like the Chengdu University of Technology, which, just happens to be situated within the province where the first directorate of cyber intelligence resides.
There are certainly likely to be other hackers or groups also working for themselves selling 0day and the like, but I can also envision that certain state actors might also want in on that action as well. How better to control some of the malware out there than to actually create it and sell it? Either way, the notion of separating state and non state actors in China has pretty much been a non starter for me when looking into this issue.
In the end, they all are state actors I think just by the nature of the regime.
Techniques:
In the beginning, the Chinese hackers were just defacing pages, but after Cult of the Dead Cow created Back Orifice, the face of hacking changed. Huang Xin
took note and created the first Chinese trojan ‘glacier‘ since then, it’s been an ever increasing world of trojans and means to get the users of systems to install them. As time progressed, and hackers had to deal with more security measures (i.e. firewalls) they all began to use guile to get the end user to do the work for them. Over the years the Chinese have gotten much better at crafting decent emails that will not ring alarm bells in users heads. These emails and exploits are what we now call ‘phishing‘
Additionally, the Chinese have honed the attacks to not only be sly but also they have added a very regimented structure of keeping access to the networks they have compromised. Through thorough placement of further back doors as well as creating custom code to apply to applications inside of their target infrastructures, they have managed to keep the access that they desire to exfiltrate data at their own pace. Using multiple nodes within a compromised network, they will just shrug and move on to another compromised node once they have been discovered and stopped on the original. THIS is the true meaning of “Advanced Persistent Threat” and for me it’s mostly on the persistence that the emphasis should be kept.
Moving Forward:
Recent events with Lockheed have moved me to write this blog post as well as begin a series of them on the Chinese hacking community today. My initial searches online have provided all too much data and it admittedly has me overwhelmed. This I decided to parse this all out. I wanted to cover the history, motivations, and means today. Soon I will be writing more about infrastructure and methodologies to try and give a map so to speak, of what we are dealing with as the Chinese continue to use those ‘Thousand Grains of Sand‘ against us.
But, just to give you a taste of what I am seeing… Here is just one site that I did a relational link search on:
More to come…
K.
Anonymous #HQ: Inside The Anonymous Secret War Room
John Cook and Adrian Chen — Dissident members of the internet hacktivist group Anonymous, tired of what they call the mob’s “unpatriotic” ways, have provided law enforcement with chat logs of the group’s leadership planning crimes, as well as what they say are key members’ identities. They also gave them to us.
The chat logs, which cover several days in February immediately after the group hacked into internet security firm HBGary’s e-mail accounts, offer a fascinating look inside the hivemind’s organization and culture.
- Sabu
- Kayla
- Laurelai,
- Avunit,
- Entropy,
- Topiary,
- Tflow
- Marduk
- Metric
- A5h3r4
So, Hubris/A5h3r4/Metric have broken into the inner circle of at least one cell of Anonymous. I say cell because I do not think that these users are the actual full scale leaders of Anonymous, instead, as I have said before, there are cell’s of Anon’s that perform operations sporadically. These folks, if the chat transcripts are true, are the ones just behind the HBGary hack and at least one of them, with the Gawker hack.
Once again, I will reiterate here that I think Anonymous is more like a splinter cell operation than anything else. There is an aegis from the whole as an idea, but, they break off into packs for their personal attacks, or whatever turns them on. They coalesce into a unit when they feel moved to, but, they do not overall, just get together and act without direction on the part or parts of leaders.
The example below of the transcripts for #HQ show that these characters though, are a little high on themselves after the hack on HBG… And you know what happens when you don’t pay attention to the hubris factor. You get cocky and you get burned. As you can see below, some of them are at least nervous about being popped or infiltrated.. Those would be the smart ones…
04:44 <&Sabu> who the fuck wrote that doc
04:45 <&Sabu> remove that shit from existence
04:45 <&Sabu> first off there is no hierachy or leadership, and thus an operations manual is not needed[snip]
04:46 <&Sabu> shit like this is where the feds will get american anons on rico act abuse and other organized crime laws
04:47 <@Laurelai> yeah well you could have done 100 times more effective shit with HBgary
04:47 <@Laurelai> gratted what we got was good
04:47 <&Sabu> if you’re so fucking talented why didn’t you root them yourselves?
04:47 <@Laurelai> but it could have been done alot better
04:47 <&Sabu> also we had a time restraint
04:48 <&Sabu> and as far as I know, considering I’m the one that did the op, I rooted their boxes, cracked their hashes, owned their emails and social engineered their admins in hours
04:48 <&Sabu> your manual is irrelevent.[snip]
04:51 <&Sabu> ok who authored this ridiculous “OPERATIONS” doc?
04:51 <@Laurelai> look the guideline isnt for you
04:51 <&Sabu> because I’m about to start owning nigg3rs
04:51 <&marduk> authorized???
04:52 <@Laurelai> its just an idea to kick around
04:52 <@Laurelai> start talking
04:52 <&Sabu> for who? the feds?
04:52 <&marduk> its not any official doc, it is something that Laurelai wrote up.. and it is for.. others
04:52 <&marduk> on anonops
04:52 <&Sabu> rofl
04:52 <@Laurelai> just idea
04:52 <@Laurelai> ideas
04:52 <&Sabu> man
04:52 <&marduk> at least that is how i understand it
04:52 <@Laurelai> to talk over
04:53 <&Sabu> le sigh
04:53 <&marduk> mmmm why are we so in a bad mood?
04:53 <&Sabu> my nigga look at that doc
04:53 <&Sabu> and how ridiculous it is[snip]
04:54 <&marduk> look, i think it was made with good intentions. and it is nothing you need to follow, if you dont like it, it is your good right
04:55 <&Sabu> no fuck that. its docs like this that WHEN LEAKED makes us look like an ORGANIZED CRIME ORGANIZATION
My observations though have always been that the groups would be infiltrated by someone and then outed. It seems that this may indeed be the case here if the data is indeed real. It seems to me that a certain j35t3r said much the same before, that he could and did indeed infiltrate the ranks, and had their data. Perhaps J has something to do with this? Perhaps not… Still, the principle is sound.
- Infiltrate
- Gather INTEL
- Create maps of connections
- Report
It would seem also that these guys are liminally aware of the fact that their actions can be seen as a conspiracy and that the government will not only get them on hacks potentially, but also use the conspiracy angle to effectively hogtie them in court. Let me tell you kids, there is no perfect hack… Well unless the target is so inept as to have absolutely no logging and does not even know for a very long time that they had been compromised.. Then the likelihood of being found out is slimmer, but, you guys popped and then outed HBG pretty darn quick.
I am willing to bet there are breadcrumbs.. And, those said breadcrumbs are being looked at by folks at some three letter agencies as I write this. You see kids, you pissed in the wrong pool when it comes to vindictiveness. I agree that HBG was up to bad shit and needed to be stopped, but, look at the types of things they were planning. Do you really think that they are above retaliation in other ways than just legal? After all, they were setting up their own digital plumbers division here huh?
Anyway… Just sayin…
Back on topic here with the Backtrace folks and the logs. I have looked at the screen names given and have come to the conclusion that they are all generic enough that I could not get a real lock on anything with Maltego. I had some interesting things pop up when you link them all together, but, overall not enough to do anything meaningful. The other issue is that Maltego, like any tool using search engines and data points, became clogged with new relational data from the articles going wide. I hate it when the data is muddied because of this.
So, yeah, these names are not unique enough to give solid hits. Others though who have been re-using nicks online as well as within the confines of Anonops, well that is another story. I just have this feeling that there are larger drift nets out there now hoovering all you say and do on those anon sites, even if they are in the .eu space. I still have to wonder if any of those IRC servers have been compromised yet by certain intelligence agencies.
One wonders too if China might also be playing in this area… How better to sow discontent and destabilize than to use a proxy like Anonymous for operations?
For that matter.. How about the CIA?
NSA?
Think on it… Wouldn’t Anonymous make a perfect false flag cover operation?
For now, I am going to sit and watch. I would like to see the full chat transcripts though. Now that would be interesting.
“May you live in interesting times”
Indeed.
K.
Operation: NIGHT DRAGON Nothing New, but It Bears Some Repeating
Night Dragon Chinese hackers go after energy firms
Latest revelations from McAfee highlight large scale covert attacks emanating from the region
Phil Muncaster, V3.co.uk 10 Feb 2011Just over a year after the Operation Aurora Chinese hacking revelations shook the world, security vendor McAfee has uncovered another large-scale, covert and targeted attack likely to have originated in the region, dubbed Night Dragon.
Dating possibly as far back as four years ago, Night Dragon attacks are aimed specifically at global oil, energy and petrochemical companies with the aim of harvesting intelligence on new opportunities and sensitive operational data which would give a competitive advantage to another party.
The attacks use methodical but far from sophisticated hacking techniques, according to McAfee’s European director of security strategy, Greg Day.
First the hackers compromise extranet web servers using a common SQL injection attack, allowing remote command execution.
Commonly available hacking tools are then uploaded to the compromised web servers, allowing access to the intranet and therefore sensitive desktop and internal servers.
Password cracking tools then allow the hackers to access further desktops and servers, while disabling Internet Explorer proxy settings allows direct communication from infected machines to the internet, said McAfee.
The hackers then use the specific Remote Access Trojan or Remote Administration Tool (RAT) program to browse through email archives and other sensitive documents on various desktops, specifically targeting executives.
Night Dragon hackers also tried spear phishing techniques on mobile worker laptops and compromising corporate VPN accounts in order to get past the corporate firewall and conduct reconnaissance of specific computers.
Although there is no clear evidence that the attacks were carried out by the state, individuals or corporations, there are clear links to China, said McAfee.
For example, it was from several locations in China that individuals ” leveraged command-and-control servers on purchased hosted services in the US and compromised servers in the Netherlands”, said the security vendor in a white paper entitled Global Energy Cyberattacks: Night Dragon (PDF).
In addition, many of the tools used in the attacks, such as WebShell and ASPXSpy, are commonplace on Chinese hacker sites, while the RAT malware was found to communicate to its operator only during the nine to five working hours of Chinese local time.
McAfee said that researchers had seen evidence of Night Dragon attacks going back at least two years.
“Why is it only now coming to light? Well, the environments and security controls these days are so complex it is very easy for them to slip under the radar of visibility,” Day explained.
“Only really in the last few weeks have we been able to get enough intelligence together to join the dots up, so our goal now is to make the public aware.”
Day advised any company which suspects it may have been targeted to go back and look through anti-virus and network traffic logs to see whether systems have been compromised.
Low level day-to-day problems can often be tell-tale signs of a larger, more concerted attack, he added.
William Beer, a director in PricewaterhouseCooper’s OneSecurity practice argued that the revelations show that traditional defences just don’t work.
“The cost to oil, gas and petrochemical companies of this size could be huge, but important lessons can be learned to fend off further attacks,” he added.
“More investment and focus, as well as support and awareness of the security function, is required from business leaders. Across companies of any size and industry, investment in security measures pays for itself many times over.”
Lately there has been a bit of a hullabaloo about Night Dragon. Frankly, coming from where I do having been in the defense contracting sector, this is nothing new at all. In fact, this is just a logical progression in the “Thousand Grains of Sand” approach that the Chinese have regarding espionage, including the industrial variety. They are patient and they are persistent which makes their operations all the more successful against us.
The article above also has a pdf file from Mcaffee that is a watered down explanation of the modus operandi as well as unfortunately, comes off as a sales document for their AV products. Aside from this, the article and pdf make a few interesting points that are not really expanded upon.
1) The attacks are using the hacked systems/networks own admin access means to exfiltrate the data and escalate access into the core network. This has effectively bypassed the AV and other means of detection that might put a stop to a hack via malware.
2) The data that the Chinese have exfiltrated was not elaborated on. Much of the data concerns future gas/oil discovery. This gives the Chinese a leg up on how to manipulate the markets as well as get their own foot in the door in places where new sources of energy are being mined for.
All in all, a pretty standard operation for the Chinese. The use of the low tek hacking to evade the tripwire of AV is rather clever, but then again many of us in the industry really don’t feel that AV is worth the coding cycles put into it. Nothing too special here really. Mostly though, this gives more insight into a couple of things;
1) The APT wasn’t just a Google thing
2) Energy is a top of the list thing, and given the state of affairs today with the Middle East and the domino effect going on with regime change, we should pay more attention.
Now, let me give you a hint at who is next… Can you say wheat? Yep, take a look at this last year’s wheat issues.. Wouldn’t be surprised if some of the larger combines didn’t have the same discoveries of malware and exfiltration going on.
K
HB Gary: Hubris, Bad Science, Poor Operational Methodology, and The HIVE MIND
Algorithms, Social Networks, and COMINT:
When I had heard that HB Gary had been popped and their spool file was on PB I thought that it was unfortunate for them as a fairly well known company. Once the stories started coming out though with the emails being published online, I began to re-think it all. It seems that Aaron Barr really fucked the pooch on this whole thing. He primarily did so due to his own hubris, and for this I cannot fault Anonymous for their actions (within reason) in breaking HB Gary and Barr’s digital spine.
It seems that Barr was labouring not only a flawed theory on tracking social networks, but also in that he planned on selling such a theory and application to the government. One notion was bad, and the other was worse. First off though, lets cover the science shall we? Barr wanted to track users on social networks and show connections that would lead to further data on the users. The extension that he was trying to make was obtaining actual real names, locations and affiliations from disparate sources (i.e. Facebook, Twitter, Myspace, IRC, etc) While this type of data gathering has been done in the past, it has not usually been culled from multiple sources automatically electronically and then strung together to form a coherent pattern. In short, Barr was wanting to create software/scripts to just scrape content, and then try to connect the dots based on statistics to tie people to an entity like Anonymous. The problem, and what Barr seemed to not comprehend, is that the Internet is a stochastic system, and as such it is impossible to do what he wanted with any kind of accuracy. At least in the way he wanted to do it, you see, it takes some investigation skills to make the connections that a scripted process cannot.
This can be seen directly from the article snippet below where the programmer calls Barr on his flawed logic in what he was doing and wanted to do.
From “How one man tracked down Anonymous and paid a heavy price”
“Danger, Will Robinson!”
Throughout Barr’s research, though, the coder he worked with worried about the relevance of what was being revealed. Barr talked up the superiority of his “analysis” work, but doubts remained. An email exchange between the two on January 19 is instructive:
Barr: [I want to] check a persons friends list against the people that have liked or joined a particular group.
Coder: No it won’t. It will tell you how mindless their friends are at clicking stupid shit that comes up on a friends page. especially when they first join facebook.
Barr: What? Yes it will. I am running throug analysis on the anonymous group right now and it definately would.
Coder: You keep assuming you’re right, and basing that assumption off of guilt by association.
Barr: Noooo….its about probabilty based on frequency…c’mon ur way smarter at math than me.
Coder: Right, which is why i know your numbers are too small to draw the conclusion but you don’t want to accept it. Your probability based on frequency right now is a gut feeling. Gut feelings are usually wrong.
Barr: [redacted]
Coder: [some information redacted] Yeah, your gut feelings are awesome! Plus, scientifically proven that gut feelings are wrong by real scientist types.
Barr: [some information redacted] On the gut feeling thing…dude I don’t just go by gut feeling…I spend hours doing analysis and come to conclusions that I know can be automated…so put the taco down and get to work!
Coder: I’m not doubting that you’re doing analysis. I’m doubting that statistically that analysis has any mathematical weight to back it. I put it at less than .1% chance that it’s right. You’re still working off of the idea that the data is accurate. mmmm…..taco!
Aaron, I have news for you, the coder was right! Let the man eat his taco in peace! For God’s sake you were hanging your hat completely on scrape data from disparate social networks to tie people together within a deliberately anonymous body of individuals! Of course one could say that this is not an impossible feat, but, one would also say that it would take much more than just gathering statistical data of logins and postings, it would take some contextual investigation too. This was something Barr was not carrying out.
I actually know something about this type of activity as you all may know. I do perform scraping, but, without real context to understand the data (i.e. understanding the users, their goals, their MO, etc) then you really have no basis to predict what they are going to do or really their true affiliations. In the case of jihadi’s they often are congregating on php boards, so you can easily gather their patterns of friendship or communications just by the postings alone. Now, trying to tie these together with posts on other boards, unless the users use the same nick or email address, is nearly impossible.
Just how Aaron Barr was proposing to do this and get real usable data is beyond comprehension. It was thus that the data he did produce, and then leak to the press enraged Anonymous, who then hacked HB Gary and leaked the data in full claiming that none of the data was correct. Either way, Aaron got his clock cleaned not only from the hack (which now claims to have been partially a social engineering attack on the company) but also from the perspective of his faulty methodologies to harvest this data being published to the world by Anonymous.
OSINT, Counter-Intelligence, and Social Engineering:
The real ways to gather the intelligence on people like Anonymous’ core group is to infiltrate them. Aaron tried this at first, but failed to actually be convincing at it. The Anon’s caught on quickly to him and outed him with relish, they in fact used this as an advantage, spurring on their own efforts to engineer the hack on HB Gary. Without the right kind of mindset or training, one cannot easily insert themselves in a group like this and successfully pull of the role of mole or double agent.
In the case of Anonymous though, it is not impossible to pull this off. It would take time and patience. Patience it seems that Aaron Barr lacked as much as he did on scientific and mathematical method where this whole expedition was concerned. Where his method could have been successful would have only come from the insertion of an agent provocateur into the core group to gather intel and report back those connections. Without that, the process which Aaron was trying would have yielded some data, but to sift through it all with interviews by the FBI and other agencies would have become ponderous and useless in the end.
It is my belief that there is a core group of Anon’s as I have said before. Simply from a C&C structure, there has to be an operational core in order for there to be cohesion. This can be seen in any hive structure like bees, there are drones, and there is a queen. A simple infrastructure that works efficiently, and in the case of anon, I believe it is much the same. So, were one looking to infiltrate this core, they would have a bit of a time doing so, but, it could be done. Take out the core, and you take out the operational ability of the unit as a whole to be completely effective. To do this though, one should be able to understand and apply the precepts of counter intelligence warfare, something Barr failed to grasp.
In the end.. It bit him pretty hard in the ass because he was in a hurry to go to press and to sell the ideas to the military industrial complex. Funny though, the real boys and girls of the spook world would have likely told him the same thing I am saying here… No sale.
Oh well… Arron Icarus Barr flew too close to the anonymous sun on wings made from faulty mathematical designs and burned up on re-entry.
K.
Top 5 ways to destroy a company.. But Will They Sign Off On That?
I watched the BruCON talk Saturday by Chris Nickerson “Top 5 ways to destroy a company” and was surprised at some of the things that were proposed on stage. On the other hand, I can agree with some of what he said too. For years I have lamented much the same thing that Chris did on stage. All too many times you give the client a report after actually finding major vulnerabilities and they either just don’t get it, or, and this is more often the case, don’t seem to care about the findings. You can “root the shit” out of them as Nickerson said, and still, they just look at you and say “So?”
The truth of the matter for me comes down to a few different factors:
- A lack of understanding the results that you present them
- A lack of situational awareness to understand that those same vulnerabilities can lead to dire results when used by a motivated aggressor
- A lack of latitude or perhaps initiative on the part of assessment specialists to flesh out these scenarios within the reports and the meetings to discuss the findings with the client
Nickerson too gets to this and asks;
Well why does that happen?
- What we give them isn’t important. Managers don’t care about shells!
- They don’t care about what we care about!
What do they care about?
- The product line
- The Brand
- The Employees
- The Bottom Line
I would also add “Their own asses” to this list as a fifth because really, what else really motivates an employee (including C levels) is whether or not the decisions that they make will cause great financial loss and in the end, their dismissal. Of course you then face the task of once again getting that horse to the trough to drink, and you know how that usually goes huh? This is where Chris kind of went off the rails for me and I think more than a few people watching the talk. It would seem that the advocating of “destroying” the business would be counter productive to having a job yourself, once you had performed the magic tricks that he suggests.
Top 5 ways to destroy a company
- Tarnish the brand
- Alter the product
- Attack the employees
- Effect financials directly
- ** Your turn! **
The talk really did not elaborate on the how to do this with regard to getting a company to sign off on this in the first place and then as to how to carry them out, proving the concept without actually causing harm to the company that you are assessing. It has been my experience in the past that if you actually explain cause and effect in a report as well as the meeting, you can get across the real meaning to that shell you have gotten. The problem then becomes whether or not your client “gets it” You can explain it flawlessly but still not yield the changes that your findings require because those people you just presented your findings to “just don’t care” as Nickerson said. So his premise is quite right. You have to actually hit them where it hurts to get action sometimes. But just how do you do that, get it across to the client, and not get your ass thrown out or arrested for those actions?
The talk goes on to highlight something that actually isn’t so new to intelligence agencies both nation state and other. It’s called “Profiling” You profile the target, you get to know what makes them tick, and if you are aiming to do them harm, you look for their weak points and then exploit them. This is much the same thing you would do to a computer system, application, or network to attack it. What Chris was saying but not really saying directly, is that you have to take the precepts of “Information Warfare, Guerrilla Warfare, and Intelligence Analysis/Operations” and use them all to profile the target and formulate a plan of attack. By using these techniques (aka footprinting a network say) you apply it to the whole business to determine how you “could” destroy them, or perhaps more to the point, damage them into reactionary actions (and for all intents and purposes in this talk “listening to the security industry”)
The unfortunate thing though that this talk did not cover is that even when you show people you have “access” to something, and you tell them what you “could” do, you still may not get the reaction that you need to get from them to actually fix the problems. This is where the talk breaks down for me because I frankly just don’t see too many assessments happen out there with a “carte blanche” SOW that says you can do anything to them you want. All too often the client wants specific things checked and gives you only small amounts of time for targeted attacks. So sure, you can go change a pdf file of their prospectus, and print one out to show the management, but will presenting that actually change their minds? After all, I still think that human beings are quite bad at determining long term threats like this.
Overall though, Nickerson has it right. Use chained exploits (not in the regular definition you may be used to here) to escalate access and then use the information to show “how” you could affect the supply chain, or the financials of a company. Or, how you could steal certain types of data to sell to competitors, maybe even just how to hold it hostage. The problem is that without actually committing the acts, all too often you come off as a fiction writer in their minds as well as they look at you thinking;
“But, he’s just some uber geek… this won’t happen in real life, I mean we hired these guys because they can do it.. INCONCEIVABLE!”
It all comes down to how you present the data and scenarios to the client that will get them to react… Or not, as the case may always be… Until they are really compromised and by then, its too late.
So, where does that leave us? In the same position really, but it behooves us to be better communicators with the clients. We need to be able to perform the following actions in every assessment:
- Profile the business overall, where they are in the market, and their history
- Profile their business model and their product or products
- Profile their request for an assessment by you (why are they doing it? SOX? PCI? or are they interested and engaged)
- Profile the employees and C levels (are they engaged? Do they buy in on security?)
- Formulate scenarios that would cause varying levels of damage (targeting them)
- Meld not only the technical side of things but also look at their processes. If they are lacking there, you are likely to see much more potential for high collateral damage exploits or chained exploits
Unless you can put a whole picture together and then prove it if they actually give you a go ahead, then you are just another technical monkey saying “Look Shells!” as Nickerson put it.
I think that is what he was driving at through all of the ranting…
So, consider this the paradigm change… Consider what you do “Information Warfare” and not just hacking assessments. Perhaps then, once the industry takes that next step to herd the cats, we will see change in the clients understanding of why we find these things and say “You’re fucked!” This is something that has been written about before. Without changes, the security industry will continue to only be as effective as long as those you are working for are already engaged and understand security issues.
CoB
Krypt3ia 
SPOOK COUNTRY 2011: HBGary, Palantir, and the CIRC
with 5 comments
CIRC: The New Private Intelligence Wing of (insert company name here)
The HBGary debacle is widening and the players are beginning to jump ship each day. The HBGary mother company is disavowing Aaron Barr and HBGary Federal today via twitter and press releases. However, if you look at the email spool that was leaked, you can see that they could have put a stop to Aaron’s game but failed to put the hammer down. I personally think that they all saw the risk, but they also saw the dollar signs, which in the end won the day.
What Aaron and HBGary/Palantir/Berico were offering was a new kind of intelligence gathering unit or “cell” as they called it in the pdf they shopped to Hunton & Williams LLP. Now, the idea and practice of private intelligence gathering has been around for a very long time, however, the stakes are changing today in the digital world. In the case of Hunton, they were looking for help at the behest of the likes of Bank of America to fight off Wikileaks… And when I say fight them off, it would seem more in the sense of an anything goes just short of “wet works” operations by what I see in the spool which is quite telling.
You see, Wikileaks has made claims that they have a certain 5 gig of data that belonged to a CEO of a bank. Suddenly BofA is all set to have Hunton work with the likes of Aaron Barr on a black project to combat Wikileaks. I guess the cat is out of the bag then isn’t it on just who’s data that is on that alleged hard drive huh? It would seem that someone lost an unencrypted drive or, someone inside the company had had enough and leaked the data to Wikileaks. Will we ever really know I wonder?
Either way, Barr et al, were ready to offer a new offering to Hunton and BofA, an intelligence red cell that could use the best of new technologies against Anonymous and Wikileaks. Now, the document says nothing about Anonymous nor Wikileaks, but the email spool does. This was the intent of the pitch and it was the desire of Hunton and BofA to make both Anonymous and Wikileaks go away, for surely if Wikileaks were attacked Anonymous would be the de facto response would they not?
A long time ago William Gibson predicted this kind of war of attrition online. His dystopian world included private intelligence firms as well as lone hackers out there “DataCowboy’s” running the gamut of corporate intelligence operations to outright theft of Pharma-Kombinat data. It seems that his prescient writings are coming into shape today as a reality in a way. With the advent of what Barr and company wanted to offer, they would be that new “cowboy” or digital Yakuza that would rid clients of pesky digital and real world problems through online investigation and manipulation.
In short, Hunton would have their very own C4I cell within their corporate walls to set against any problem they saw fit. Not only this, but had this sale been a go, then perhaps this would be a standard offering to every other company who could afford it. Can you imagine the bulk of corporations out tehre having their own internal intelligence and dirty tricks wings? Nixon, EH Hunt, and Liddy would all be proud. Though, Nixon and the plumbers would have LOVED to have the technology that Aaron has today, had they had it, they may in fact have been able to pull off that little black bag job on Democratic HQ without ever having to have stepped inside the Watergate
The Technology:
I previously wrote about the technology and methods that Aaron wanted to use/develop and what he was attempting to use on Anonymous as a group as the test case. The technology is based on frequency analysis, link connections, social networking, and a bit of manual investigation. However, it seemed to Aaron, that the bulk of the work would be on the technology side linking people together without really doing the grunt work. The grunt work would be actually conducting analysis of connections and the people who have made them. Their reasons for connections being really left out of the picture as well as the chance that many people within the mass lemming hoards of Anonymous are just click happy clueless folks.
Nor did Aaron take into account the use of the same technologies out there to obfuscate identities and connections by those people who are capable, to completely elude his system altogether. These core people that he was looking to connect together as Anonymous, if indeed he is right, are tech savvy and certainly would take precautions. So, how is it that he thinks he will be able to use macroverse data to define a micro-verse problem? I am steadily coming to the conclusion that perhaps he was not looking to use that data to winnow it down to a few. Instead, through the emails, I believe he was just going to aggregate data from the clueless LOIC users and leverage that by giving the Feds easy pickings to investigate, arrest, and hopefully put the pressure on the core of Anonymous.
There was talk in the emails of using pressure points on people like the financial supporters of Wikileaks. This backs up the statement above because if people are using digital means to support Wikileaks or Anonymous they leave an easy enough trail to follow and aggregate. Those who are friending Facebook support pages for either entity and use real or pseudo real information consistently, you can easily track them. Eventually, you will get their real identities by sifting the data over time using a tool like Palantir, or for that matter Maltego.
The ANONYMOUS names file
This however, does not work on those who are net and security savvy.. AKA hackers. Aaron was too quick to make assumptions that the core of Anonymous weren’t indeed smart enough to cover their tracks and he paid the price as we have seen.
The upshot here and extending what I have said before.. A fool with a tool.. Is still a fool.
What is coming out though more each day, is that not only was Aaron and HBGary Fed offering Palantir, but they were also offering the potential for 0day technologies as a means to gather intelligence from those targets as well as use against them in various ways. This is one of the scarier things to come out of the emails. Here we have a company that is creating 0day for use by intelligence and government that is now potentially offering it to private corporations.
Truly, it’s black Ice… Hell, I wouldn’t be surprised if one of their 0day offerings wasn’t already called that.
The INFOSEC Community, HBGary, and Spook Country:
Since my last post was put on Infosecisland, I had some heated comments from folks who, like those commenting on the Ligattleaks events, have begun moralizing about right and wrong. Their perception is that this whole HBGary is an Infosec community issue, and in reality it isn’t. The Infosec community is just what the shortened name means, (information security) You all in the community are there to protect the data of the client. When you cross the line into intelligence gathering you go from a farily clear black and white, to a world of grays.
HBGary crossed into the gray areas long ago when they started the Fed practice and began working with the likes of the NSA/DOD/CIA etc. What the infosec community has to learn is that now the true nature of cyberwar is not just shutting down the grid and trying to destroy a country, but it also is the “Thousand Grains of Sand” approach to not only spying, but warfare in general. Information is the currency today as it ever was, it just so happens now that it is easier to get that information digitally by hacking into something as opposed to hiring a spy.
So, all of you CISSP’s out there fighting the good fight to make your company actually have policies and procedures, well, you also have to contend with the idea that you are now at war. It’s no longer just about the kiddies taking credit cards. It’s now about the Yakuza, the Russian Mob, and governments looking to steal your data or your access. Welcome to the new world of “spook country”
There is no black and white. There is only gray now.
The Morals:
And so it was, that I was getting lambasted on infosecisland for commenting that I could not really blame Anonymous for their actions completely against HBGary/Aaron. Know what? I still can’t really blame them. As an entity, Anonymous has fought the good fight on many occasions and increasingly they have been a part of the mix where the domino’s are finally falling all over the Middle East presently. Certain factions of the hacker community as well have been assisting when the comms in these countries have been stifled by the local repressive governments and dictators in an effort to control what the outside world see’s as well as its own people inside.
It is my belief that Anonymous does have its bad elements, but, given what I know and what I have seen, so does every group or government. Take a look at our own countries past with regard to the Middle East and the CIA’s machinations there. Instead of fighting for a truly democratic ideal, they have instead sided with the strong man in hopes of someday making that transition to a free society, but in the meantime, we have a malleable player in the region, like Mubarak.
So far, I don’t see Anonymous doing this. So, in my world of gray, until such time as Anonymous does something so unconscionable that it requires their destruction, I say let it ride. For those of your out there saying they are doing it for the power and their own ends, I point you in the direction of our government and say this; “Pot —> Kettle —> Black” Everyone does everything whether it be a single person or a government body out of a desired outcome for themselves. Its a simple fact.
Conlcusion:
We truly live in interesting times as the Chinese would curse us with. Today the technology and the creative ways to use it are outstripping the governments in ability to keep things secret. In the case of Anonymous and HBGary, we have seen just how far the company was willing to go to subvert the laws to effect the ends of their clients. The same can be said about the machinations of the government and the military in their ends. However, one has to look at those ends and the means to get them and judge just was it out of bounds. In the case of the Barr incident, we are seeing that true intelligence techniques of disinformation, psyops, and dirty tricks were on the table for a private company to use against private citizens throughout the globe.
The truth is that this has always been an offering… Just this time the technologies are different and more prevalent.
If you are online, and you do not take precautions to insure your privacy, then you lose. This is even more true today in the US as we see more and more bills and laws allowing the government and police to audit everything you do without the benefit of warrants and or by use of National Security Letters.
The only privacy you truly have, is that which you make for yourself. Keep your wits about you.
K.
Rate this:
Written by Krypt3ia
2011/02/19 at 20:45
Posted in 1st Amendment, A New Paradigm, Advanced Persistent Threat, Anonymous, APT, Business Intelligence, Business is war, CAUI, Chiba City Blues, CIA, Codes, COMINT, Commentary, Corporate Intelligence, CounterIntelligence, Covert Ops, CyberSec, CyberWar, Digital Ecosystem, Dystopian Nightmares, Espionage, Hacking, HUMINT, Infosec, Infowar, INTEL, Maltego, Malware, Narus STA 6400, Neurobiology, OPSEC, OSINT, Panopticon, PsyOPS, Recon, Security, Security Theater, SIGINT, Social Engineering, Subversive Behavior, Surveillance State, Tactics, The Five Rings, Tradecraft, Weaponized Code, Wikileaks