Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘crime’ Category

Destabilize An Economy Much?

Japan Probes Report Two Seized With Undeclared Bonds

By Shunichi Ozasa and Makiko Kitamura

June 12 (Bloomberg) — Japan is investigating reports two of its citizens were detained in Italy after allegedly attempting to take $134 billion worth of U.S. bonds over the border into Switzerland.

“Italian authorities are in the midst of the investigation, and haven’t yet confirmed the details, including whether they are Japanese citizens or not,” Takeshi Akamatsu, a spokesman for the Ministry of Foreign Affairs, said by telephone today in Tokyo. “Our consulate in Milan is continuing efforts to confirm the reports.”

An official at the Consulate General of Japan in Milan, who only gave his name as Ikeda, said it still hasn’t been confirmed that the individuals are Japanese. “We are in contact with the Italian Financial Police and the Italian Public Prosecutor’s Office,” Ikeda said by phone today.

The Asahi newspaper reported today Italian police found bond certificates concealed in the bottom of luggage the two individuals were carrying on a train that stopped in Chiasso, near the Swiss border, on June 3.

The undeclared bonds included 249 certificates worth $500 million each, the Asahi said, citing Italian authorities. The case was reported earlier in Italian newspapers Il Giornale and La Repubblica and by the Ansa news agency.

If the securities are found to be genuine, the individuals could be fined 40 percent of the total value for attempting to take them out of the country without declaring them, the Asahi said.

The Italian embassy in Tokyo was unable to confirm the Asahi report

Real bonds or forged I wonder….

Written by Krypt3ia

2009/06/14 at 01:33

What was it I was saying about the insider threat being the company or management itself?

The ex-employee, Dong Chul Shin, was fired from the company March 3 for performance reasons, and escorted off the premises, according to court records. But the company failed to immediately shut off his VPN access. That afternoon, someone using Shin’s account began logging onto the corporate network, e-mailing out proprietary data to a personal Yahoo account linked to Shin, and modifying and deleting files, according to a search warrant affidavit by Dallas FBI agent Robert Smith.

The Comanche Peak nuclear power plant in Texas.

Company logs showed that the VPN connection originated at Shin’s home IP address, Smith writes.

Oh yeah, that they were “the” inside threat. Well, case in point. These jokers walked him off premises but did not kill all his access. Gee, go figure that a disgruntled employee with intimate knowledge of the network would actually use their access to do something bad! Even more of a surprise that a company would not kill all their access right away.

Yeah.. Sorry to say that this is more prevalent than one might think. Good thing this guy didn’t do more damage.

Written by Krypt3ia

2009/05/31 at 01:25
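
The gap in the story above, where an employee is walked out but the VPN account stays live, shows up when the HR termination feed is joined against VPN authentication logs. The sketch below is an added example, not part of the original post or the affidavit; the log format, usernames, gateway name and addresses are all constructed.

```python
"""Flag VPN authentications that occur after an account's termination time.

Everything below (log format, users, IPs) is constructed for illustration;
adapt LINE_RE to the real format of your VPN gateway.
"""
import re
from datetime import datetime, timezone

# Constructed HR feed: username -> termination time (UTC).
TERMINATIONS = {
    "jdoe": datetime(2009, 3, 3, 12, 0, tzinfo=timezone.utc),
    "asmith": datetime(2009, 3, 1, 17, 30, tzinfo=timezone.utc),
}

# Constructed VPN gateway log (hypothetical format, documentation IP ranges).
VPN_LOG = """\
2009-03-03T09:02:11Z vpn-gw1 auth user=jdoe src=198.51.100.7 result=success
2009-03-03T14:12:07Z vpn-gw1 auth user=jdoe src=203.0.113.25 result=success
2009-03-03T14:40:55Z vpn-gw1 auth user=JDoe src=203.0.113.25 result=success
2009-03-03T15:01:00Z vpn-gw1 auth user=asmith src=192.0.2.44 result=failure
2009-03-03T15:05:19Z vpn-gw1 auth user=bwong src=198.51.100.90 result=success
this line is malformed and must be skipped, not crash the job
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<gw>\S+)\s+auth\s+user=(?P<user>\S+)\s+"
    r"src=(?P<src>\S+)\s+result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Return a normalized event dict, or None for lines we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {
        "ts": ts.replace(tzinfo=timezone.utc),
        "user": m["user"].lower(),  # usernames are compared case-insensitively
        "src": m["src"],
        "result": m["result"],
    }


def post_termination_activity(log_text, terminations):
    """List every auth attempt made after the user's termination time.

    A success means access was never revoked (critical); a failure means
    someone is still trying the revoked credential (warning).
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        terminated_at = terminations.get(ev["user"])
        if terminated_at is None or ev["ts"] <= terminated_at:
            continue
        findings.append({
            "user": ev["user"],
            "src": ev["src"],
            "when": ev["ts"],
            "delay": ev["ts"] - terminated_at,
            "severity": "critical" if ev["result"] == "success" else "warning",
        })
    return findings


def accounts_to_revoke(findings):
    """Accounts that authenticated successfully after termination."""
    return sorted({f["user"] for f in findings if f["severity"] == "critical"})


if __name__ == "__main__":
    results = post_termination_activity(VPN_LOG, TERMINATIONS)
    for f in results:
        print(f'{f["severity"]:8} {f["user"]:8} {f["src"]:15} +{f["delay"]}')
    print("revoke now:", accounts_to_revoke(results))
```

Run on a schedule against the live HR feed, the same join also measures how long deprovisioning actually takes after each termination.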

The “Insider Threat” aka Your Company’s Management

Two stories on the internet today piqued my interest in the actual facts of this issue of the “insider threat” as opposed to hack attacks from external sources. I would say that perhaps aside from “security theatre” that the real insider threat is the inaction and incompetence in some cases on the part of the companies out there who are insecure from basic lack of secure practices. This I would think is the larger issue that allows both insider attacks as well as outsider to be so successful.

Basic things like default settings on systems, printers, network appliances, applications, etc really make the work of the insider or outsider very easy. Once those low hanging fruit attacks are performed, the foothold actually can be in fact root on many systems because of these issues not being remediated at the time of install on many systems.

The first story I saw today had the headline of: Security Experts Raise Alarm Over Insider Threat and it espoused the common thread of late that all the layoffs today are making turncoats out of many and thus, those with the insider access are the biggest threat. On the one hand I agree with that assessment. However, if the company in question is actually following procedure, they should be able to mitigate the issue by closing accounts and changing passwords etc on key systems. This is of course to say that you actually lay this person off, and walk them out at that moment.

If instead your insider thinks that they are about to be laid off, well, they may use their access to steal data or perhaps even damage it before they get the ax. So sure, they may actually be a threat in this way, but, I think there is a larger threat by their ethics being lax and someone coming along with some quick cash or a threat of blackmail. You see, I think that the insider threat must be approached from a HUMINT (aka spying) angle instead in this day and age.

The average disgruntled employee is the one that I would approach with quick cash after some time getting to know them and egg them on. Once you have them in the bag you just ask them to do the deed with the promise of money. Access can be bought these days if not easily tricked out of a worker with some low end social engineering. On the other hand, were I looking for some more long term and higher access I would go for the longer approach of coercion of an asset.

All this aside, either way you do it you, the company, make it easier for a non technical person or a technical APT to root your networks when you don’t follow the most basic of security principles of CIA. Which brings me back to the larger of the inside threats… Management.

In all my years of assessment, I have seen all too many places where the management just does not get security, does not care about security, and does not want to spend the time and money doing the due diligence for secure operations. Without a proper buy in from the top, then security becomes a non issue with the masses and thus nothing is carried out securely at company X. Default passwords, no passwords, poor passwords, sharing passwords etc all are very common in places without any security insight. Often too, these companies have no insight into what is happening on their networks to tell if indeed someone is attacking or exfiltrating data out of their networks through their own firewall… Never mind the guy with the 4 gig USB stick who just downloaded the “secret sauce” recipe and is walking out the front door as he smiles at the guard.

So, my take, the insider threat is a big one indeed and so easy to exploit.

And that brings me to the second article today: Simple information security mistakes can cause data loss, says expert wherein an eminent forensics investigator from Verizon has found through his assessments that the outsider attacks have been far greater. He does however in a backhanded way, have my opinion as to who that insider threat really is: Management.

However, as the article does not really cover this overtly nor the real insight I think about “who” these attackers are I will add to this a bit. I think that those spear phishing attacks that rely on very specific individuals being targeted also have an insider portion to them. After all, just where does all that data come from to target these individuals? The inside of course.

Intranet/internet websites are a rich data mining arena for the APT or the industrial spy. All too often the companies themselves give up all the details an attacker could ever need or want. Most of the time too no hacking need be done to get the information and often much more data than should be available is due to misconfiguration as any good Google hacker can attest. Add this to the whole lack of security posture and you have a deadly mix.

So, to bring it all together, I think that as a general rule “we” are our own worst enemy and the de facto “insider” threat when security is not applied.

Speaking of DHS and Bad Cyber Security…

OK: Personal Data Of 1M On Stolen DHS Laptop

April 23, 2009 by admin
Filed under: Government Sector, Theft, U.S.

Well, here’s a laptop theft that will probably cost more than $50,000….. KOCO reports that a laptop stolen from an employee’s vehicle on April 3 contained personal information of up to 1 million people. According to the Oklahoma Department of Human Services, the computer had names, Social Security numbers and birthdates of people who receive state assistance. NewsOK has a bit more on the incident.

Update 1: OKDHS has a notice on its web site about the incident that says “The personal information included names, Social Security numbers, dates of birth and home addresses of clients who receive Medicaid; Child Care assistance; Temporary Assistance to Needy Families (TANF); Aid to the Aged, Blind and Disabled; and Supplemental Nutrition Assistance (SNAP or Food Stamps). The data did not contain driver’s license numbers, credit card or banking information. The potential breach did not affect Child Welfare services.”

So, here’s my thing…

1) Why in the holy hell did DHS have 1 Million users’ data for MEDICAID on a DHS asset?

2) What you say? No ENCRYPTION? WTF!

3) Just when will we learn?

Written by Krypt3ia

2009/04/24 at 18:05

BOOGA BOOGA BOOGA! BEWARE THOSE WHO USE COMMAND LINE FUNCTIONS!

April 14th, 2009

Boston College Campus Police: “Using Prompt Commands” May Be a Sign of Criminal Activity

Deeplink by Matt Zimmerman

On Friday, EFF and the law firm of Fish and Richardson filed an emergency motion to quash [pdf] and for the return of seized property on behalf of a Boston College computer science student whose computers, cell phone, and other property were seized as part of an investigation into who sent an e-mail to a school mailing list identifying another student as gay. The problem? Not only is there no indication that any crime was committed, the investigating officer argued that the computer expertise of the student itself supported a finding of probable cause to seize the student’s property.

The rest is HERE

I am agog at the silliness of this incident. I mean, haven’t we moved past the whole idea that someone like Kevin Mitnick can “Whistle” into a phone and launch nuclear weapons? People are sheep and those who are in the position to swear out warrants evidently are incapable of understanding a command prompt from the “nuclear football.”

From personal experience (see posts back a year ago on my run in with technology inept police) most of the “crime fighters” out there don’t know a mouse from a keyboard. That these buffoons think they have the power to seize equipment from end users (and I will include our fearless DHS/TSA employees in this too per the rules lately at the border) is just ludicrous. They don’t have the chops to understand the technology never mind its misuse!

I hope this guy sues them…However, what I really hope is that the insanity stops. Someone has to get a hold of this situation and stop this crap.

Art Imitating Movies?

Leonardo Notarbartolo strolls into the prison visiting room trailing a guard as if the guy were his personal assistant. The other convicts in this eastern Belgian prison turn to look. Notarbartolo nods and smiles faintly, the laugh lines crinkling around his blue eyes. Though he’s an inmate and wears the requisite white prisoner jacket, Notarbartolo radiates a sunny Italian charm. A silver Rolex peeks out from under his cuff, and a vertical strip of white soul patch drops down from his lower lip like an exclamation mark.

In February 2003, Notarbartolo was arrested for heading a ring of Italian thieves. They were accused of breaking into a vault two floors beneath the Antwerp Diamond Center and making off with at least $100 million worth of loose diamonds, gold, jewelry, and other spoils. The vault was thought to be impenetrable. It was protected by 10 layers of security, including infrared heat detectors, Doppler radar, a magnetic field, a seismic sensor, and a lock with 100 million possible combinations. The robbery was called the heist of the century, and even now the police can’t explain exactly how it was done.

The loot was never found, but based on circumstantial evidence, Notarbartolo was sentenced to 10 years. He has always denied having anything to do with the crime and has refused to discuss his case with journalists, preferring to remain silent for the past six years.

Until now.

The rest HERE

Wired has just published a story on the web that it plans on publishing in their next paper edition on the “Antwerp Diamond Heist” of 2003. I write the title of “Art Imitating Movies” because this story reads much like the script for a “heist” film on par with The “Oceans” series of movies or “The Italian Job” *side note, I am listening to both scores as I read and write about this article*


This heist story brings in all the big plot lines that these films usually have. A group of con artists, technicians, and thugs, an impenetrable vault, and an elusive and as yet un-named mastermind with the funds and the connections to make it happen. Hell, they even had a scale model of the vault just like the movies!


The question is though; “Do we believe this story at all, in part or just a little?”


I for one believe the technical details as they can be seen in the crime scene photos as well as the police reports. Such things as how they defeated the light/heat sensor in the vault with a can of hair spray is a classic hack that has been done. Or perhaps the use of the polystyrene shield to prevent the heat sensor on the exterior from going off by “The Genius.”


The working out of the code by watching a video taken by secreted cameras is a bit harder to conceive working, but, it could be done. Even the bypass of the internal electrical pulse and the electromagnetic plates was sheer simple genius that obviously the designers never thought low tech enough to discover their weakness.


Classic.. and well done gentlemen.


Now, how the story played out by the tale told by Leonardo Notarbartolo has some interesting twists. The real truth of what happened to the “merch” may never be known. Diamonds are all too easy to traffic, cut, sell, disperse, that they are likely already in your friend “Tom’s” diamond engagement ring he got over at the mall for all we know.


The idea that these guys were played and played so handily really is the thing that trips alarms for me. The article’s contention that the face man (Notarbartolo), a known Mafia connected guy, who had been a thief since 8 years old, could be so easily duped just doesn’t play. Leonardo’s been around the block, he is no fool, but you are supposed to believe that he would go into a gig like this so trusting of his benefactor/facilitator?


I agree though, what a short con this would make! Imagine carrying off a con where you pocket 100 million in diamonds all the while you have used a talented crew of thieves to do your dirty work. Staggering really, yet so so elegant in play. This too also implies a very large conspiracy by the merchants at that facility. All of them would have to be on board for this to work. Keeping all their diamonds in their personal vaults, somehow shifting them to secure locations instead of being in the vault. Of course they have dirty dealings on a daily basis there no? Not inconceivable.


Overall, this story I think has yet to really play out. How it will I cannot say…What can I say though… I admire their escapade.. Well sans the pound me in the ass prison part.

Written by Krypt3ia

2009/03/13 at 22:06

Darth Cheney heads up Covert Assassination Operation

Well, isn’t this an interesting twist in the history of “Bush Years”? Now, is it inconceivable? Not at all, in fact I believe that no one has actually taken assassination off the table since the EO that Ford put in. We have had a long history of being draped in the flag and wearing the “white hat” whilst outright whacking other countries’ problem children.

Let’s see.. Chile, Argentina, Iran.. Shall I go on?

So yes, this is more blatant in some ways, as Darth Cheney has been, but in other ways they are only the ones since Nixon to actually be “caught” with their hand in the poison cookie jar so to speak. So back to the plausibility factor here…

Let’s see.. Did Cheney do anything else akin to this that might lead us to believe he is capable?

“Gee.. Hmmm.. How about the WHIG, the YellowCake incident, and the outing of Valerie Plame?”

Oh.. Yeah… I guess that could qualify… But it seems that ol Darth had really expanded the program. I wonder if there was a master hit list somewhere? I am looking forward to Sy outing this one! I have to wonder though, will anything come of this revelation?

I don’t think so.

Written by Krypt3ia

2009/03/13 at 16:25

Just How Important Is IT Security?

Cited from article HERE

Well, interesting little graph huh? Can you see the trending here? It seems that the corporate world STILL does not really “get” the whole idea of “Information Security” and its importance in this day and age. I still cannot fathom these numbers! How in the hell with all the hacking, industrial espionage, and outright theft going on out there today do they NOT get it and see INFOSEC as a real important commodity?

Sure, having information security can be costly especially if you have done NOTHING to secure your data, your clients’ data, your IP, whatever you hold dear and MAKES YOUR MONEY FOR YOU! But, uhh, if you LOSE that data, you lose your REVENUE STREAM you morons! Why? Why do you NOT get it out there corporate America?

What’s that?… You say it’s too hard? You’re too fat and lazy?

Oh… Yeah… I forgot for a second there.

I have said it before but I will say it again. Human beings are incapable of really sensing and avoiding long term tangential ideas of danger. It would seem a concept clear enough that there are people and state actors out there who want to steal your data for their benefit. Why then is this such an arcane concept when any of us in contracting as infosec warriors try to get this across to the “C” levels on down in any random corporate entity?

Is it because they just can’t get the concepts of computing? Sure, there are some luddites (ok, many really) so sure, they get that glassy eyed look and tune out. However, if you boil it down to;

“I just stole 20 million dollars from your bank! This is how and why.. I can help you fix it this way.. Please do these things”

and they don’t want to fix the issues or claim they are too “costly” to implement, well then, you have a recipe for another economic melt down on the macro scale. I have personally seen this in action many times, but the quote above actually happened. To the credit of the CEO though, he told the nay sayers in the board room to pay attention because he truly saw the implications of what I had done.

Now not all of these security issues just stem from “ninjas” hacking the “Gibson” and this is where I really pop a blood vessel with corporate America. MUCH of the issues that need to be addressed for security’s sake are low level and should be SOP for any company. It’s called “Best Practices” and you can get them in the ISO 7799 documentation. These involve the basics of “classifying data” and having “Policies and Procedures” in place and enforced. This is not rocket science! Why do they so often fail at even implementing these?

Laziness.

That’s how I see it. Not only are humans poor at determining long term threats, but they are often mentally lazy today. As a whole the picture portrayed by the movie “Office Space” is a true one. How many of you out there have “Ass Clowns” running the show at your office? Many I am sure. Of all my years of consulting, rarely did I see a place with their shit together. All too often also I got called a “Bob” because I came around asking questions about what they do and how they do it. You could smell the fear.. Hell, I made an HR lady cry once! The Irony of it? I wasn’t even trying to be SCARY!

So, here we are… The economy is melting like a thermite grenade has been placed on the engine block. The state actors are getting more and more adept at hacking our systems and insinuating “industrial spies” in record numbers at our firms, and the government can’t even keep a “Cyber Czar” for more than a month as they keep quitting!

(As an aside, please read Why The Hell Was Secret White House Helicopter Data Found On A Computer In Iran? too. This is an excellent article on the MARINE ONE escape that ties back to my screed on security basics that government as well as government contractors who should be spanked for not following basic security processes.. Leading to an escape of epic proportions)

I give up.. I can only cry out in the howling storm so long before I just get too hoarse and clam up.

Ladies and gents.. Start digging bunkers and loading up the ammo, MREs, and other necessities. Cuz, I expect “Thunderdome” any day now.

CoB

Hey Rube: Fear And Loathing In America 9/12/2001

By Hunter S. Thompson
Page 2 columnist

It was just after dawn in Woody Creek, Colo., when the first plane hit the World Trade Center in New York City on Tuesday morning, and as usual I was writing about sports. But not for long. Football suddenly seemed irrelevant, compared to the scenes of destruction and utter devastation coming out of New York on TV.

Even ESPN was broadcasting war news. It was the worst disaster in the history of the United States, including Pearl Harbor, the San Francisco earthquake and probably the Battle of Antietam in 1862, when 23,000 were slaughtered in one day. The Battle of the World Trade Center lasted about 99 minutes and cost 20,000 lives in two hours (according to unofficial estimates as of midnight Tuesday). The final numbers, including those from the supposedly impregnable Pentagon, across the Potomac River from Washington, likely will be higher. Anything that kills 300 trained firefighters in two hours is a world-class disaster. And it was not even Bombs that caused this massive damage. No nuclear missiles were launched from any foreign soil, no enemy bombers flew over New York and Washington to rain death on innocent Americans. No. It was four commercial jetliners.

They were the first flights of the day from American and United Airlines, piloted by skilled and loyal U.S. citizens, and there was nothing suspicious about them when they took off from Newark, N.J., and Dulles in D.C. and Logan in Boston on routine cross-country flights to the West Coast with fully-loaded fuel tanks — which would soon explode on impact and utterly destroy the world-famous Twin Towers of downtown Manhattan’s World Trade Center. Boom! Boom! Just like that.

The towers are gone now, reduced to bloody rubble, along with all hopes for Peace in Our Time, in the United States or any other country. Make no mistake about it: We are At War now — with somebody — and we will stay At War with that mysterious Enemy for the rest of our lives.

It will be a Religious War, a sort of Christian Jihad, fueled by religious hatred and led by merciless fanatics on both sides. It will be guerilla warfare on a global scale, with no front lines and no identifiable enemy. Osama bin Laden may be a primitive “figurehead” — or even dead, for all we know — but whoever put those All-American jet planes loaded with All-American fuel into the Twin Towers and the Pentagon did it with chilling precision and accuracy. The second one was a dead-on bullseye. Straight into the middle of the skyscraper.

Nothing — even George Bush’s $350 billion “Star Wars” missile defense system — could have prevented Tuesday’s attack, and it cost next to nothing to pull off. Fewer than 20 unarmed Suicide soldiers from some apparently primitive country somewhere on the other side of the world took out the World Trade Center and half the Pentagon with three quick and costless strikes on one day. The efficiency of it was terrifying.

We are going to punish somebody for this attack, but just who or what will be blown to smithereens for it is hard to say. Maybe Afghanistan, maybe Pakistan or Iraq, or possibly all three at once. Who knows? Not even the Generals in what remains of the Pentagon or the New York papers calling for WAR seem to know who did it or where to look for them.

This is going to be a very expensive war, and Victory is not guaranteed — for anyone, and certainly not for anyone as baffled as George W. Bush. All he knows is that his father started the war a long time ago, and that he, the goofy child-President, has been chosen by Fate and the global Oil industry to finish it Now. He will declare a National Security Emergency and clamp down Hard on Everybody, no matter where they live or why. If the guilty won’t hold up their hands and confess, he and the Generals will ferret them out by force.

Good luck. He is in for a profoundly difficult job — armed as he is with no credible Military Intelligence, no witnesses and only the ghost of Bin Laden to blame for the tragedy.

OK. It is 24 hours later now, and we are not getting much information about the Five Ws of this thing. The numbers out of the Pentagon are baffling, as if Military Censorship has already been imposed on the media. It is ominous. The only news on TV comes from weeping victims and ignorant speculators.

The lid is on. Loose Lips Sink Ships. Don’t say anything that might give aid to The Enemy.

Absorb what Hunter had to say 9.12.01 with the perspective of time… My commentary later today.

Exigent Circumstances and The 5th Amendment

A federal judge has ordered a criminal defendant to decrypt his hard drive by typing in his PGP passphrase so prosecutors can view the unencrypted files, a ruling that raises serious concerns about self-incrimination in an electronic age.

In an abrupt reversal, U.S. District Judge William Sessions in Vermont ruled that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, does not have a Fifth Amendment right to keep the files encrypted.

“Boucher is directed to provide an unencrypted version of the Z drive viewed by the ICE agent,” Sessions wrote in an opinion last week, referring to Homeland Security’s Immigration and Customs Enforcement bureau. Police claim to have viewed illegal images on the laptop at the border, but say they couldn’t access the Z: drive when they tried again nine days after Boucher was arrested.

Boucher’s attorney, Jim Budreau, already has filed an appeal to the Second Circuit. That makes it likely to turn into a precedent-setting case that creates new ground rules for electronic privacy, especially since Homeland Security claims the right to seize laptops at the border for an indefinite period. Budreau was out of the office on Thursday and could not immediately be reached for comment.

The Rest

First it was the allowance for DHS/TSA/ICE to just seize your computer at a border crossing or at the airport. Now it’s you “Must” provide your passphrase to decrypt your data because the 5th Amendment does not apply. Now, I have some problems with the whole notion from the start that these minimum wage “pseudo” night guards, can claim “exigent circumstances” and take your laptop. Add to this the precedent set with this case, it’s downright scary out there.

Now, I have no love for the child molester or the guy out there making, partaking in, and passing around kiddie porn, but, I had thought that our time of trashing the constitution was over with the new administration. Perhaps I am wrong? Or is this a hold over from our last eight years of Bush love?

In any case, this sets a very bad precedent for anyone travelling with a laptop and anything they might hold private because Johnny, I make 10 bucks an hour TSA wants a look at your porn and now the courts say you have to void your fifth amendment rights.

Written by Krypt3ia

2009/03/05 at 01:45