Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘crime’ Category

The QNB Hack: Cui Bono?

leave a comment »

Screenshot from 2016-05-02 11:14:51

The Dump

The recent dump of data from the Qatari National Bank was of interest to me and many others because it was purporting to have the accounts and identities of spies within it’s csv and text files. I downloaded the files from Cryptome thanks to someone pointing me in their direction and took a nice long look. As the story has unfolded it has come to light that the bank itself says the data is real and that they are now “completely secure” which is amusing given that this was an ols SQLi attack that netted this Turkish hacker group the jewels of QNB.

The dump consists of the oracle database files, the passwords, and the banking information of all the users therein. I have to say that most of it is really quite pedestrian but then the hackers, or the bank management,  created file folders (as seen above) that marked people as spies, Mukhabarat, Security, Gov, and other tantalizing names. I first had thought that the file folders and their speculative names had been created by the hackers to sex up their dump but it has come to light that if you look within the database dump itself you see the directories and names have headings like intelligence and defence. So it seems that the bank itself may in point of fact created these tags in the belief or inside knowledge that the people in the data were in fact what they claimed, or at least thought they were.

The Spies

I looked at all the interesting folders and the data all the while wondering about the validity of the idea that these names were in fact corresponding to real assets, NOC’s or just functionaries in Qatari space that had just been quite well blown by this hack and subsequent data dump. On the whole I would call into question all of the names being linked directly to espionage organs. I really have to wonder if the bank would in fact be that “in the know” about spooks in their country and really have to be circumspect about their putting that in the users bank records. I mean even the Mukhabarat would at least demand that it be obfuscated one would hope by a code of some sort and not just in the headers/directories themselves.

It really kind of feels like the natural tendencies of the Arab nature had gotten the best of the database admin and the managers of the bank and they believed that these people were spies without there being any real proof. In any case, if these people, especially those who are FORN and in country, now may have some trouble with people thinking that they are really spies and subject to attacks. Imagine if you will any jihadi types who might take this data as gospel and go after these people for da’esh or AQ. This could be bad. I have yet to hear of anyone leaving their positions or the country. If I were one of them I would at least be looking over my shoulder henceforth.

Screenshot from 2016-05-02 13:58:40

Screenshot from 2016-05-02 13:58:58

Screenshot from 2016-05-02 13:59:40

Screenshot from 2016-05-02 15:33:48

Screenshot from 2016-05-02 15:34:40

Screenshot from 2016-05-02 15:35:19

Screenshot from 2016-05-02 15:38:52

 

Screenshot from 2016-05-02 15:43:58

The other data I can see perhaps the military accounts and names being totally on the money because they are their own Ministry of Defence and really, that is not top secret stuff. Likely the bank see’s where these people get their pay from (Qatari funds from the gov) but even these people could now be targets because this hack was motivated by political means it seems after all.

Cui Bono?

Screenshot from 2016-05-02 16:10:09

It seems that the Bozkurtlar (Grey Wolves) a Turkish political group and their hackers were the perpetrators of this hack. There is a long history between Turkey and Qatar and most of it seems kind of benign but when you scratch the surface a bit you can see that there are some issues between them as well as some synergies in their support of certain terrorist groups like da’esh. (click linked image below)

Screenshot from 2016-05-02 16:13:47

Screenshot from 2016-05-02 16:12:09So, “Cui Bono?” Well, certainly the Grey Wolves, to what end I am not completely sure. They did post their video before the hack hit the pastebins out on the net so it was pretty much their gig but I still don’t quite understand why. Perhaps these hackers are quasi wolves and or it is some other entity using the wolves as a cover for their activities. Given that there has been no real perceived fire coming out of Qatar over this nor in other areas of the world that we are aware of, I kind of doubt all these people were in fact assets of foreign powers.

At the end of the day, this just turns out to be yet another derpy easy hack using SQLi on an entity that wasn’t performing any due diligence but it had the sexy sexy for the masses with the idea that some great hack exposing spies had occurred. In my opinion not so much really. So hey Grey Wolves, gimme some more context would you than some poos British shmucks MySpace page in the future would you?

K.

Written by Krypt3ia

2016/05/03 at 00:08

DPR: Not so dread inspiring but surely now full of dread….

leave a comment »

DPRFAIL

zwfviyhpjvezupkhcfz?

No one would surrender to the Dread Pirate Ulbricht.

Well the news cycle exploded this week with the arrest of Ross Ulbricht aka DPR or if you like The Dread Pirate Roberts of Princess Bride and now Silk Road fame. The schadenfreude here had been epic as the criminal empire that was one of the largest in the darknet was taken down because the “pirate” could not comprehend how to carry out OPSEC properly. What lead to this guy’s demise was some good old fashioned internet gumshoe work by an SA who also worked on the Sabu case back last year. Ross it seems decided to use his personal Gmail address for postings pimping Silk Road as well as  other assets that tied it all together digitally back to him. Not the best of OPSEC here Ross.

I challenge you to a battle of wits.

Anyway Ross had an idea and that idea was pretty interesting in that he wanted to use the darknet to have a Libertarian nirvana of commerce for just about anything. He set up his site, maintained it himself for a time, and then began to realize that he could not do it alone and this is where things start to go wrong. You see, when you run something yourself you only have yourself to deal with. When you start bringing in people to work for you and they know things about you (and you will always slip up here and give things away unless you are a trained spook) and that makes them a liability to your Operational Security. Ross learned this the hard way I suppose in that he started to feel that people needed to be whacked because they knew too much.

Meanwhile the OPSEC failures that Ross had made were steadily creeping up on him. So too were the UC’s on Silk Road who worked their way into the boards making deals and gaining his trust. In the end Ross decided that one of the UC’s was actually a cool Huggy Bear kind of guy and asked him to whack one of his administrators who he felt was a threat… OOOPS! If it’s one thing a Dread Pirate should know is to “Trust No One” but Ross I guess did not read that lesson in his Econ Theory classes. I guess it’s just another pointer I would make to all of you would be Pirates or Ninja’s out there … You can’t trust anyone. Oh, and yeah unless you are trained for this at say Langley or maybe Академия федеральной службы безопасности Российской Федерации you are more than likely to fuck up majorly and end up in the clink with Ross and many others. I have to say though that the idea of using the darknet and all the means that Ross had put together was a pretty good plan. The only real hitch was that he never took into account that he was going to be going up against a nation state(s) and they always win.

Hey, at least he didn’t fall for that land war in Asia thing right? …..

Look, are you just fiddling around with me or what?

So Ross went on to become the ersatz Walter White of the darknet until one day at his apartment in San Fran his doorbell rang. At the door was ICE/DHS and they had an interesting package for him in their hands. The package was full of ID’s with his face on them but not his name and when asked about them according to the complaint/affidavit his answer was “Anyone could get documents like these online at places like Silk Road” which let me tell you Ross, isn’t the thing you want to be saying here. After some questions and answers it seems the ICE/DHS folks went away which is confusing to me. First off, I surmize that the ICE Q&A was just a front for the FBI’s ongoing investigation into Ross but really, why tip their hand like that? If I were Ross I would have closed the door, waved at the feds through the window, watched them leave and RAN to my system to have a fire sale at Silk Road. I would have chosen a new DPR and been on my way to a non extradition country but ol’ Ross?

…..Nope.

Ross instead of cutting and running doubled down! He went on to do an interview with Forbes and continued on his way doing the business of being the “Dread Pirate” which let me tell you son, was one of the most ballsy and stupid things I have seen since Barrett Brown on camera threatened federal officers lives. Ross what were you thinking? I mean damn dude, did you really think you were Walter White? Oh well I guess time will tell as interviews are carried out or data dumps come from the feds as we go along slouching toward a plea bargain. Perhaps though your cognitive dissonance between personae online and offline just sort of short circuited you out and you couldn’t do anything other than carry on thinking you were covered.

Time will tell… But let this be a lesson to all you would be Pirates out there. You may call yourself a pirate or a ninja or even a Ninja Pirate but you really are just some shmuck with a grandiose sense of the self instilled in you by your helicopter parents who always told you just how fucking special and magnificent you were. So as you sit in federal pound you in the ass prison Ross take heart, for I am sure there will be another DPR someday in the darknets ….Sailing the dark digital waters with the shrieking eels that will some day end up in the cell next to yours where you can commiserate.

K.

Written by Krypt3ia

2013/10/06 at 20:25

Из России с любовью

leave a comment »

DFPKSUCPTSWXMPF

Exposed.su

exposed.su_links_inout

A site popped up with the domain name exposed.su and within the pages (other than malware lurking for an IE exploit) sits all kinds of personal financial data for famous people. Among the people hit on this site were the likes of Hillary Clinton, Al Gore, FBI Director Mueller and others. The data on the site seems to be somewhat legit and soon after the page made a splash in the news the DOJ (FBI) Secret Service (USSS) and others had the governmental people’s links pulled off of cloudflair’s servers. After looking at some of the data myself before it was pulled I thought I would just have a look-see at this domain and what I could gather as to who was doing it. After some Maltego (RADIUM) work I began to realize that this all seemed to be emanating out of Russia. The domain was registered using an email address for “allperson.ru” which upon further searches turned up a den of sketchy sites.

Domain Data:

domain: EXPOSED.SU
nserver: dave.ns.cloudflare.com.
nserver: fay.ns.cloudflare.com.
state: REGISTERED, DELEGATED
person: Private Person
e-mail: exposed.su@allperson.ru
registrar: REGTIME-REG-FID
created: 2013.03.06
paid-till: 2014.03.06
free-date: 2014.04.08
source: TCI

Last updated on 2013.03.14 17:21:38 MSK

I then followed up with searches for allperson.ru email addresses and attendant domains attached to them. What I found was a pattern of behavior showing that most of these email addresses were for scam sites, free MP3 or video sites, and one forum for all kinds of coding and what looks to be scam techniques. Basically, I think that whoever set up this exposed.su site is affiliated with allperson.ru and or Legato LLC (scammers) and the information and connections you will see below. Of note though is that in the case of the exposed.su site there is nothing that directly ties it to anyone in particular. However, once you start digging around you can make connections between individuals and groups including addresses/persons involved in the ZEUS botnet.

Allperson.ru

allpersonRU_

domain:        ALLPERSON.RU
nserver:       ns1.tuthost.com.
nserver:       ns2.tuthost.com.
state:         REGISTERED, DELEGATED, UNVERIFIED
person:        Andrej V Punegov
phone:         **********
e-mail:        an@kazancity.net
registrar:     REGTIME-REG-RIPN
created:       2007.09.25
paid-till:     2008.09.25

Allperson.ru was a service/site that had about 5 email servers and was originally registered back in 2008. As you can see from the above domain data it was registered by a “Andrej V Punegov” Searches for Andrej give up a laundry list of sites and data that he has been affiliated with in the past. Not much more comes up in the “Googles” so I will leave it at that for the moment. The list of sites though that he has registered is long so it is likely that this is another player who has moved on to bigger and better scams… If that is a real name at all. The email address provided also gives up some interesting hits including an IRC site which I will leave for another day.

Another interesting email address in the allperson.ru set was demand.su@allperson.ru This address was directly tied to the ZEUS botnet that was taken down by M$ and is listed in the plaintiff filing  So here we have a direct tie of this allperson domain to Zeus and only a handful of email addresses. Could it be that this is all tied together? In fact, look at the email name “demand.su” the same format as exposed.su … Coincidence?

dema ndsu_ZEUS

wml.su_forum

Проверка домена
e-mail: wml.su@allperson.ru
e-mail: evgenij.w@gmail.com
e-mail: wml.su@mail.ru
nserver: ns1.wml.su. 62.149.12.117
nserver: ns2.wml.su. 62.149.13.81
created: 2006.06.29

wml.su

wml.su_fraudster

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Registration date: 2007-11-02
Last updated: 2012-02-11
Expiration date: 2013-11-02
Owner, Administrative, Technical Contacts:
Email: evgenij.w@gmail.com [4 domains use this email]
Name: Evgenij Ermolenko [4 domains use this name]
Phone: +3.80976061100 [4 domains use this phone]
Address: Katyuzhanka
Katyuzhanka
Kiev Oblast,07313
UA
WML2.COM IP: 62.149.13.81
The IP belongs to ISP COLOCALL LTD
ISP domain: COLOCALL.NET

Then there is wml.su@allperson.ru which has an interesting history and present. It ties to a domain/site forum.wml.su which happens to be a little forum for what looks to be warez and other illicit things as well as possibly a hub for site design and programming. The owner of this site also listed evgenij.w@gmail.com as an alternate email address. Following up on this address we get information that shows this email was used on 4 domains and within that you get a new name: Evgenij Ermolenko who has quite the digital breadcrumb trail to follow. Now Evgenij’s site wml.su has also been shown to be a site for infecting phones with trojans (see above) and seems to be quite the player here in the world of malware and scams.

Evgenij… Time to worry a little I think. Probably not much as you are located in Oblast, or Moscow, or.. Who the hell knows. The fact of the matter is you are one of those Russian bandito boys that pretty much never gets caught by the long arm of the law right?

Legato LLC

legato_llc

.

geo

Then there is Legato LLC. This is an interesting little corporation out of Oblast (coincidences coincidences) that has had it’s share of run in’s with illegality. Under private ownership it is alleged to have been created in 1970? It’s *cough* businesses cover anything from advertising to email and information technology. Hmmmm one wonders if they had a hand in the creation of allperson.ru and maybe still have some email servers that are being pointed at? Either way, it seems that Legato may have also been involved in the ZEUS botnet as well because the players here all seem to be connected by their digital trails as well as penchants for naming conventions. One of the scam sites was geo electronics and it seems that they were in the business of straight out fraud as well as money laundering and mule recruitment. Oh yeah, it’s getting deep now eh? It would seem that this rabbit hole goes on further but I am getting claustrophobic in it so I will leave off here with the detective work.

Conclusions:

Ok so what do we have? Well, we have a constellation of sites tied to an old defunct email system that seems to have ties to Legato LLC and to Zeus as well as money laundering and such. Why then does this site pop up and start dumping data on famous people’s credit histories? Histories and information that may not in fact be correct to begin with? Even though the USSS and FBI are looking into this I have to wonder if the data was correct. I am hearing that some of the phone numbers were not right at all and that this all really ties back to some hack on credit services this week. What is the motive here? Well, the Twitter feed and one of the links seem to point to someone with a grudge against the LAPD (re the Dorner affair) and the police in Russia. Since the twitter feed is down I missed the tweet that mentioned that but meh, I am not the caring at present.

Could this be an Anon motivated kind of thing? Well, the imgur picture of the girl on the page does come from an anonymous tied/named site but that is really tenuous to start but it could be. Overall though this site and the data seems to have rankled the feds a bit so maybe it was just for the lulz. Could this person just have access to the site data and used it to make this site and make it look like it came from Russia? Maybe.. But overall the feel of it and the acillary data seems to show that it was someone involved in the Russian sites including Zeus. PERHAPS they are just pissed off that their money making scheme vis a vis ZEUS got shut down?

That’s a lot of maybes huh? But hey, them’s the internetz kids. Your mileage may vary but keep an eye on this one because I am sure there are more than a few subpoena’s going out to Cloudflair where this is all hosted. One of the funniest things about this site though was that one of the links was to a credit dispute site. Now that’s cheeky!

K.

Written by Krypt3ia

2013/03/14 at 18:02

Posted in Blackhat, Cracking, crime

The Lulzboat Sailed The Internets and All I Got Was This Stupid Garbage File!

leave a comment »

That’s it? All we get is this stinkin garbage file?

Well, it seems that the Lulz are over for now as last night saw the Lulzboat sail into the sunset. In a post on twitter and a rapidly seeded file dump on Pirate Bay, the LulzSec collective decided to hang up their tophat claiming that they were basically going to pull a Costanza at the top of their game.

Within the torrent file the following parting words were sent:

Friends around the globe,

We are Lulz Security, and this is our final release, as today marks something meaningful to us. 50 days ago, we set sail with our humble ship on an uneasy and brutal ocean: the Internet. The hate machine, the love machine, the machine powered by many machines. We are all part of it, helping it grow, and helping it grow on us.

For the past 50 days we’ve been disrupting and exposing corporations, governments, often the general population itself, and quite possibly everything in between, just because we could. All to selflessly entertain others – vanity, fame, recognition, all of these things are shadowed by our desire for that which we all love. The raw, uninterrupted, chaotic thrill of entertainment and anarchy. It’s what we all crave, even the seemingly lifeless politicians and emotionless, middle-aged self-titled failures. You are not failures. You have not blown away. You can get what you want and you are worth having it, believe in yourself.

While we are responsible for everything that The Lulz Boat is, we are not tied to this identity permanently. Behind this jolly visage of rainbows and top hats, we are people. People with a preference for music, a preference for food; we have varying taste in clothes and television, we are just like you. Even Hitler and Osama Bin Laden had these unique variations and style, and isn’t that interesting to know? The mediocre painter turned supervillain liked cats more than we did.

Again, behind the mask, behind the insanity and mayhem, we truly believe in the AntiSec movement. We believe in it so strongly that we brought it back, much to the dismay of those looking for more anarchic lulz. We hope, wish, even beg, that the movement manifests itself into a revolution that can continue on without us. The support we’ve gathered for it in such a short space of time is truly overwhelming, and not to mention humbling. Please don’t stop. Together, united, we can stomp down our common oppressors and imbue ourselves with the power and freedom we deserve.

So with those last thoughts, it’s time to say bon voyage. Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind – we hope – inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere.

Thank you for sailing with us. The breeze is fresh and the sun is setting, so now we head for the horizon.

Let it flow…

Hrmmm.. 50 days? Is there any real significance to this other than perhaps the party van was pulling up outside your doors and you had to dump the garbage file quick like? Honestly, the files that you dumped, while in sheer numbers of passwords and logon’s to a few sites is well, kinda weak. In short, there is nothing revelatory here. I mean, jeez at LEAST the garbage file in the movie had some interesting malware shit in it right?

The Files:

So, we have some AT&T data from inside that cover some frequency ranges, and some manuals, minutes from meetings etc that are kind of interesting. There is a scan of the FBI.gov site that shows a vuln, and they managed to add Pablo Escobar to the Navy jobs database.

Whoopee.

All in all I have to give the Lulzsec crew a big “MEH” on this as well as their other dumps really. Sure, they have pointed out that low hanging fruit is abundant on the internet, but, really, who in the security or hacking world did not know this? Further more, what does the average everyday end user care? I mean, if their passwords are stolen, they will reset them. If their money is stolen they are insured by the Fed… Is there a great hue and cry from the masses because Lulz were had by the general populace to have the Lulzboat crew hoisted on the yard arm?

Not that I have seen.

In short kidz, you have only served to amuse yourselves and others out there but if you had anything else in mind about bringing change to the scene, I don’t think you have succeeded. People are creatures of habit and sloth. Short of taking the whole system down for the count, nothing will be so epic as to make corporations secure their networks and perform due diligence. Those who have done so out of worry because of your antics will go back to their peaceful Luddite slumber.

Leaving So Soon?

So, on to your sudden departure from the scene. I have the feeling that as I had written about before, you were coming to realize that perhaps you could never be as clever or wily to evade detection and prosecution given your penchant for the dramatic you all seem to have. Your propaganda machine and communication channels were leaking, this you could see from the A-Team dumps.

You guys have tried variations of your names, you have attempted obfuscate as much as you could, but, in the end, your re-use of favored screen names was your undoing. You see, the jester has been scouring the internet (I am sure with help from others) looking for any connections to those screen names or iterations thereof. I myself have done this and came up with analogous data to what jester and others have posted. With each successive day, your true identities are being uncovered if they have not fully been as of now.

However, this re-use of nick names and ties to email addresses aside, you guys just were immature enough to do yourselves in with petty disputes and the use of non trustworthy assets. This whole outing of each other thing was one of the most stupid things I have seen. Sure, some of it could be digital chaff, with you trying to set out disinformation, but I think that is not the case. Your own hubris shall be the thing that ends up placing the party vans on your collective front steps.

Lets face it, you played the game of spooks and I think in the end, you will lose. In fact, I think that you should probably have been better off had you just gone off seeking some sharks with frikkin lazers on their heads in your volcano lair instead of playing with the fire that you have been. Once they do pop you, you all are going to see some very interesting things inside jail as the governments kluge together terrorism charges on you.

Your Legacy:

Well, I guess we will have to see if anyone decides to take up the Lulzsec mantle. For now, we all await the party van posse to pick you all up sooner or later. You have spawned some more fools though like Team Poison who want to up the ante with releases of data like old Tony Blair stuff… That was kinda lame too frankly and made so sense when they claimed to still have access.. Why dump what you have and then claim to still have access? If it was current, I am pretty sure they have yanked the plug on that mail server and ‘five’ has it.

Oh, did you take that into account? I mean, he is Tony Blair after all… They are MI5… ‘Expect them’

So where was I?… Oh yeah..

In all of your dumps you delivered nothing worth your or our time. You proved a point that SQLi is prevalent but who didn’t know this? You have proved that you were pretty immature and likely suffer from Asperger’s yourselves… Well that will be the claim that your lawyers make to the judge won’t it huh? I mean that is the mental illness du jour as excuses go for immature hacking antics today isn’t it? I don’t think that will work though, the government just doesn’t care, they will medicate you and then put you on trial. You see Asperger’s is not a form of insanity, and the insanity plea, as some of us know, is NOTORIOUSLY hard to use as a defense in court. Nope, you guys really actually suffer from inflated ego’s and too much jolt cola.. That’s my diagnosis, for what its worth.

So, yeah, legacy… Well, you certainly have tried to do your best imitation of SPECTRE, but instead you came off as Bighead. I am sure there will be others following in your footsteps, but, in the end I don’t think you have launched a new SPECTRE.

Nope, I expect your real legacy will be the creation of more draconian laws by the government as a backlash to your antics. Laws that will make all our lives a bit more less private and a lot more prone to being misused. I also expect that the lulz will continue, though at your expense once you are all caught and put into the pokey.

… And those lulz will also be epic fail.

K.

From Lulz to Global Espionage: The Age of the Cracker

leave a comment »

It seems that 2011 is turning into the year of the cracker. Between Anonymous, Lulzsec, and the ongoing wave of espionage being carried out by nation states, we have begun to see just how serious a threat cacking really is. Of course both of these groups of attacks  have greatly differing motives as well as means. Lulzsec, well, is doing it for the Lulz and the others such as nation states or criminal gangs, are doing it for political, financial, or personal gains. In this post I will cover all three groups and their motives as well as means.

Lulzsec:

Lulzsec is a splinter group of Anonymous who for all intents and purposes, have decided to carry out raids on any and all sites that they feel need their attention. This could be simply a process of finding the lowest hanging fruit and exploiting it or, there may be some further agenda that they have yet to explain fully. So far though, we have the simple explanation of “They are doing it for the Lulz”

Lulzsec really began their efforts with focusing their full attention on Sony Corp. Sony pissed them off by attempting to prosecute a coder/hacker/reverse engineer named GeoHotz. Geohotz managed to tinker with some Sony code and they went out of their way to try and destroy him. It’d be one thing if he was being malicious, but Geohotz was not.. Instead Sony was. This caused a great backlash in the hacker community against Sony, and though they came to an agreement with Geohotz, Lulzsec decided they needed some attention.

After numerous attacks on Sony that netted Lulzsec much data and showed just how poor Sony was at protecting their client data, Lulzsec decided to take their show on the road so to speak. They began their new campaign with “The Lulz Boat” which set sail for #fail as they say. Soon the Lulz were epic and the target scope began to open up. Lulzsec attacks began to show up on Pirate Bay as well as on pastebin where they would dump the data from their attacks and laugh at the targets poor security.

What once seemed to be revenge has now morphed into a free for all of potential piratical actions for unknown reasons by Lulzsec. Of late, they also seem to be profiting from their actions by donations of bitcoins as well as perhaps other help from the masses who enjoy their antics. It is hard to tell exactly what the agenda seems to be for Lulzsec as it is still evolving…

Meanwhile, their actions have risen the ire of not only the likes of Sony, but now the governments of the world as well as their law enforcement communities. Who knows how long it will be before they are collared or if they will be at all.

Nation State Actors:

The ‘Nation State Actors’ may well be the most sophisticated group here. Many of you likely have heard the term APT, and this group would be the core of the APT. Those nations that have the means to use assets at their disposal to make long term and concerted attacks against their targets. This is the real meaning of APT (Advanced Persistent Threats)

What we have seen in these last few months is either an escalation on their part, or, we are just now catching on to their attacks by actually paying attention to information security. I am not sure which it is really, but, I lean toward there being more attacks as the programs developed by certain countries have solidified and spun up. As you have seen here, I have made much mention of China as being the culprit in many of the attacks recently. I stand by that assessment, but one must not forget other countries like Russia or Israel for APT attacks.

This all of course is just a natural progression from the old school espionage with physical assets in the field to a digital remote attack vector. As we have gotten wired, so has the espionage game. In the case of the wired world, unfortunately, much of the security that would usually surround assets in the old days, are not put into place in the digital. Why is this? It could be a lack of understanding, or, it could also be that the technology has outpaced the security values that they require to protect the data within.

Either way, hacking/cracking has now become a tool of war as well as intelligence gathering. It’s just a fact of life today and unfortunately the vendors and users have not caught up on means to protect the assets properly.

Industrial Espionage:

This is where the APT, Lone crackers, Companies, and Nation States meet. All of these groups use hacking/cracking as a means to an end. In the case of nation states, they are often looking to steal IP from companies. Often times that IP happens to be from defense contractors. This is a dual use type of technology both for war as well as any technology taken could further their own in many other ways.

In today’s world, you have all of these players using attacks to steal data for themselves, or their masters. The recent attacks on Lockheed are just this, APT attacks, likely by China engaged to steal IP on military hardware and technologies to augment their own and compete not only on the battlefield but also economically.

Other attacks are likely un-noticed and carried out by single aggressors or small teams that hire themselves out for this purpose. These are the civilian equivalent of the nation state spies and often can be contracted by nation states or other companies to carry out the work. In fact, this has become a boutique niche for certain individuals and companies in the ‘private intelligence’ arena. For this type of actor, I suggest reading ‘Broker, Trader, Lawyer, Spy’

Criminal Gangs:

This brings me to the criminal gangs. These are most commonly from the Eastern Block (The former Soviet Union) and they too often work tacitly for the government. In the case of Russia, there is a large amount of governmental complicity with the gangs. This is because much of the Russian government is made up of Russian mob types or, are paid handsomely by them for complicity.

Much of the crimeware trojans out there are Russian (Ukraine) made and the money that they steal from their quick hits goes to the East. Just by looking at the news, you can see how many ATM skimming attacks have money mules hired by the Russians and how often the money makes its way there. An interesting convergence here is also the connection between the Chinese in some cases and the Russians working together. There was a spate of Russian run botnets that had Chinese involvement as well as Russian servers/sites showing up in China recently.

With the synergy of the Russian and the Chinese malware makers working together, we will have a level of attacks that will only escalate as they learn from each other and perfect their methods. Meanwhile, they are robbing places blind by stealing PII data to create identities with as well as just transferring large sums of money digitally from banks that lately seem to be getting off for not performing the due diligence of security on behalf of their clients.

When The Players All Meet:

It seems that in the end all of the players meet at the nexus of digital crime. Whether its stealing data for profit, or as an act of patriotism for a nation state, all of the players work within the same digital playground. As the technologies meet, so do the players and it is likely there will be bleeding together of means and opportunity.

In the case of Lulzsec, it has yet to be determined what they really are all about other than the laughs. As they were once a part of Anonymous, one might think they might have a political agenda, but they have said otherwise. However, some of their actions speak to a more political bent than anything else. The recent attack on the senate websites seems to belie at least some politics at play as they stated they didn’t like them very much.

More importantly though, it is the response by the nation states and their law enforcement groups that will be interesting. For groups like Lulzsec, they are now passing from the nuisance category into perceived enemies of the state. Once they start attacking government and military targets with their lulz, then they are likely to see a more hardened response from intelligence agencies as well as the likes of the FBI.

Once the laws and the enforcement agencies catch up with the technology, then we are going to see some interesting times…

K.

#LIGATT A Cautionary Tale of Cyber-Security Snake Oil

with 10 comments

The Charlatan of the Intertubes:

Last week an internet war broke out on Twitter that became all the rage within INFOSEC circles. A self proclaimed #1 hacker “Gregory D. Evans” was being taken to task for the blatant plagiarism in his book of the same name. Evidently, Mr. Evans, like the BP and other oil company executives, decided it was quite alright to just cut and paste their way to a complete document and claim it as their own. Mr. Evans now though, is learning a couple of things;

1) Plagiarism is just wrong.

2) Do not meddle in the affairs of hackers.. For they are subtle and quick to temper.

Whats more, this whole event has brought to light the fact that this charlatan has been hoodwinking certain governmental bodies into believing that he is qualified to handle their information security and technical security needs. This is the most frightening thing for me because we are already pretty behind the eight ball where this is concerned with regard to the government and our infrastructure. What we really DON’T need is a wanker like this guy to get contracts for work within the government sphere.

Since the original calling out by Ben Rothke and also by the Shitcast as well as Exotic Liability much has been dug up on Gregory Evans and his merry band of plagiarists that he calls “authors” on his Nationalcybersecurity site. Here are some examples;

  • His author picture for “Seria Mullen” was in fact a picture of a local tv news anchor
  • None of his authors seem to actually write anything, instead they copy AP stories and place them on the site under their name
  • His site nationalcybersecurity.com is riddled wth PHP and XSS vulnerabilities (it was in fact hacked and taken down.. Its back unfixed now as you can see from the image above)
  • None of his alleged experts seems to be qualified for the positions he claims they have in information security and technical security
  • He immediately played the race card in response to the allegations of his plagiarism and fraud
  • In one STUNNING case Evans claims he has a 13 yo hacker who he hired at 11.. He has a youtube commercial with him in it as a testimonial.. Turns out the kid is an actor (see twitter below)

Here are some more examples via Twitter:

#LIGATT Meet Beth Sommer another “author” who actually writes NONE of her posts http://tinyurl.com/29yvjuo

#LIGATT Mark Wilkerson author. Anyone know this guy?http://tinyurl.com/33zlrwc http://tinyurl.com/33zlrwc

#LIGATT Meet Rex Frank (cyber sec expert)http://tinyurl.com/2dghu33 http://tinyurl.com/2a5mh9j and “author” Funny, I see no creds there..

#LGTT Meet Avery Mitchell Ligatt flunky http://tinyurl.com/35hz6bohttp://tinyurl.com/35a8fjo http://tinyurl.com/27csy7r He’s their top guy

#LIGATT None of these “authors” actually write anything on nationalcybersecurity.com http://tinyurl.com/258jd5x they just add their names

♺ @wireheadlance: Ligatt fraud exposed: “hacker” is an actorhttp://tinyurl.com/3xus8ey http://bit.ly/dh0hw5 NICE

Over and over again, Evans has claimed that he was consulted by Kevin Mitnick in jail over his plea agreement, that his company is worth millions, and that he paid the authors of the content that he used. All of these claims seem to have been quite easily refuted and there have been more than a few authors who have said that he never asked them, never paid them, and in fact were quite unhappy with their work being stolen. In short, its pretty well known now that Gregory Evans is a liar and a thief… At least a thief of intellectual capital in the form of hacking texts.

Whats worse to me though, as I mentioned above, is that there are people out there and companies.. Perhaps even governmental bodies that have thought about contracting with him for ethical hacks on their networks and likely have been sold snake oil reports on their security postures. It is highly likely, that these places are just as insecure as they were the day before Gregory and his lackeys came along and this is a large disservice to them and to the information security industry.

This is however, not an uncommon occurrence unfortunately… Just in this case it is so egregious that its hard to believe anyone bought it!

The “Industry”

The infosec industry has become like any other industry.. Like the fast food “industry” there is a lot of crap out there and unfortunately the buyers are unaware of the differences between the garbage and the good stuff. The words “Caveat Emptor” just don’t compute for many people in the corporations that need these kinds of services. They also might go for the cheaper service in hopes that they will just get a piece of paper saying they have been audited and its all good. It’s not all good.

Of course, I would like to also add here and now, that security is…. Well.. Not a hard target. It’s rather like philosophy in many ways really. You either get it and you work at getting more of it, or, you just are lost and have no idea what its all about. It is also rather tricky from a technical perspective because someone could come in and run the tests, tell you you are good in one area, leave, and two minutes after they are gone someone could open up a new hole and BAM you get compromised. So, in reality one could make the logical extension that many of the companies out there now doing “ethical hacks” and “vulnerability scans” could in fact just be fools with tools who don’t know how to judge between an IIS vulnerability or an Apache Tomcat vuln.

The “Industry” has become a the new MCSE with the CISSP being potentially the new paper tiger equivalent of that old Microsoft cert that really, no one cares about any more. Now with the “cyberwar” boondoggle, we have many more pigs at the troth (like Ligatt) looking to make lots and lots of cash on specious claims of being #1 Hackers. This is even worse when you stop to think about the stakes here…

I mean you either have the skills and the drive to perform this type of work, or you don’t.. Unfortunately now, the CEH courses out there are cranking out “CEH” candidates like sausages and I would hazard that a good 90% of them have no idea how to really be a good security analyst.

Security is a voyage… Not a destination:

This is the mindset one needs to really be working on security and it is work. You have to keep at it or you will eventually find yourself compromised because you didn’t patch something or an end user did not know better than to click on that “VIAGRA FREE” pdf file with the new 0day in it. In short, much of the security puzzle resides in the most basic of principles within security and most places out there do not have a solid footing on how to perform these functions.

I personally, would like to see a more holistic approach to information and technical security today as opposed to just selling a vuln scan and or an ethical hack. You can hack the shit out of a place, have them remediate the holes, and still, if they do not have proper policies, procedures, standards, and awareness programs in place, they will be pwn3d again and again.

It’s really all about the basics…

So, you out there who want to get into this field… Don’t be a Ligatt (Evans) get the books, do the homework, and if you have the drive then you can do a good job. Remember there is that pesky word “Ethical” in there…

CoB

Fair and UN-Balanced

with 2 comments

Hacktivist Tactics Raise Ethical Questions

Wednesday, January 27, 2010

Contributed By:
Anthony Freed

D7abe7b28ded56be631510c3a6caa996


By Anthony M. Freed, Director of Business Development at Infosec Island

Recently we have witnessed the emergence of international hactivist and vigilante “the Jester” through his crusade against jihadi and militant Islamic networks, and some third party networks that contain evidence of having been infiltrated by rogue elements.

Jester’s activities raise an important question: Where do cyber vigilantes fall on the infosec ethics spectrum?

That is the issue my fellow editors and I have been wrestling with while considering our options for covering the Jester’s exploits – on the one hand, he is acting against some very unsympathetic targets, including the website of the Iranian president.

But on the other hand, he is employing what would be considered Black Hat tactics which violate multiple international and domestic laws, as well as possibly interfering with covert intelligence operations.

Full article Here:

So, this is the new story making the rounds on twitter, LinkedIn and other places on the internet concerning jester. In reading this article, the writer says he “mostly” agrees that what jester has been doing is wrong, however, he does not I think really believe it completely. In fact, I think that Mr. Freed is just looking for a good byline that will be picked up by the mainstream media and thusly give him more exposure.

Anyone who reads my blog here will already know the saga with the jester and I. Suffice to say jester is a pedant and I am tired of the whole affair. However, when I saw this article and how much this “reporter” seems to be just soft peddling the story with a bent toward jester as a “patriot” it made my blood boil. This is especially true considering the emails between he and I just post my first run in with jester. I have made it quite clear that I have no afinity for his methods and feel that overall, his methods are ineffective if not downright useless.

The legality issues of his methods also do not fall into the grey area of whether or not its a moral issue. It’s simply illegal to carry out a DDoS attack by law. So, there you have it. Instead, Mr. Freed is making this more than it is and thus with this article drumming up more applause for an “alleged” former soldier who is empassioned to move against Jihad online.


Emails from Anthony Freed:

LinkedIn
Anthony M. Freed has sent you a message.

Date: 1/28/2010

Subject: RE: Q about your crabbyolbastard site

I didn’t say he vets his targets – he did. I am not a blogger, so I don;t tend to write overly emotive or subjective pieces. My intention is to provoke some consideration of the larger issues at play.

I was clear that I do not support Black Hat tactics, or meddling in intel ops.

And I am in contact with the authorities – I am working with both the FBI and a fmr White House CIO on the issue.

Please reread the article, because I just don’t see your point with these criticisms – perhaps you are too emotionally involved with this story to be objective?

It seems you have pretty much ended what could have been a good relationship for you with Jester by being so combative.

I continue to have lengthy daily chats, and will continue to cover his exploits objectively.

Fell free to join the discussion.

Thanks!

On 01/28/10 5:09 AM, Scot A Terban wrote:
——————–
Anthony,
Kind of a one dimensional piece there. He vettes his targets? He certainly did not vette mine. Jester is more than one person, and the one who dos’d me for spite 30 minutes at a time is no special operator. Other responses in my comments purporting to be jester belie another writer with more control.

His argument of coin is bogus too. As I pointed out before, these sites are mirrored and multiple as you can see from the maltegos I have been generating. He so os only hitting the “popular” or well known sites. There are many more out there he is not touching nor likely knows are there.

I suggest you talk to some JTTF types or other intel operators to get an opinion other than jesters on mode of operation and affect.

Cheers,
S.

Mr. Freed, my problems with your story are clear here. You do not call into question or investigate jester at all. You do not do anything but become a mouthpiece for him and that is not reporting. That instead is commentary or propaganda. Even more importantly, your lack of understanding of why I was unable to stomach your story is driven even further to the point when you remark that I passed up a chance at being friends with jester because I was combative.

You miss the point sir and I do not know how I could have made it more clear.

I do not wish to be his friend and I do not approve of his methods. I never have.

Now, on to your comment on being objective. How can you be objective when you say you are working with the authorities? Are you just stringing jester along here? I mean, at least I have told him outright what I think of him. You sir, seem to be using jester as much if not more than he might be using you for attention.

Such Hubris.

You’ve been burned buddy.

Written by Krypt3ia

2010/01/29 at 02:09