Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Cut-Outs’ Category

DNC Hack: The Flying Fickle Finger of Fate and Intelligence Analysis

leave a comment »

ikQnbyk

 

I had some Tweet conversations this morning that led me to a need to make yet another post on the DNC hack debacle. @Viss and @mr0x20wednesday both struck up a conversation after I posted a link to the NYT article on the consensus that is growing within the government that Russia carried out the hack. The consensus building is coming from assessment by the CIA while the FBI has initiated an investigation into the hack and the subsequent dump of data to Wikileaks and to the web via the wordpress account for Guccifer2.0. It is important to take note of the previous statement I make here about who is “assessing” and who is “investigating” and that is something people in the general population do not quite grok much of the time. The FBI attempts to prove things in court and the CIA generates analysis and assessment to help leaders make decisions. These are two different things and I want you all in INFOSEC to understand this when you start to have conversations about spooky things like the hack on the DNC and the subsequent possible propaganda, psyops, and disinformation campaigns that may ensue.

I recently wrote a more irreverent post while I was in a more Hunter S. Thompson state of mind concerning American politiks and the mess we are in, but the core idea that Russia carried off this hack and the actions after it still hold true for me. Many of you out there are reacting more like how I reacted when the Sony attack happened and once again I also find myself asking the same questions and having the same concerns over attribution versus solid evidence. There are many issues at play here though that you have to take into account when dealing with an action like the Sony or DNC hacks where information warfare or “cyber war” are concerned. Most of the considerations you have to make surround the classification of much of what you might get in the way of evidence to start with never mind about the circumspect nature of attribution that is being released to the media. At the end of the day my question to the FBI was “Show me proof” which is their job right? FBI is part of the DOJ and should be leading to charges right? Well, none were proffered by the Obama administration, some sanctions were laid on DPRK but no charges, unlike the wanted posters for the Chinese agents that the FBI laid out for hacks and thefts of data. There is a distinct difference here and that is evidence that can be presented in a court versus attribution and analysis by companies like FireEye and Crowdstrike. True, both those firms can prove certain things but primarily, as you all know out there, attribution is hard to prove so it really stops at analysis, more like the intelligence agencies content and mission.

So where does that leave us with regard to the DNC hack? Well, the attribution data presented first off may only be a portion of what Crowdstrike may have. Other portions may in fact have been classified or asked to be held back by the government (I’d say pretty likely here) and may some day be revealed. If the Sony hack is any indication though of this process, not so much. I am still unaware of any real conclusive evidence of Sony’s hack being DPRK but like I said, the US government sanctioned DPRK over it. It is not likely the government and the president would do so without some more solid evidence but one must consider “sources and methods” when dealing with international intrigue like this right? Don’t like that? Well, get used to it because you are going to see more and more of this as we move into the golden age of nation state hacking and covert action. There will be things you John Q. Public, will never know and will be classified for a good long time. Just take a stroll through the Spy Museum in the cyber war section and look at some of those code names. I bet you haven’t heard of some of them and at least one of them, some of us, were VERY surprised to see on that wall already.

But I digress…

At the end of the day though I have to go with previous experience, Occams Razor, and a sense of Cui Bono concerning the DNC hack/dump/manipulation. Some may argue that the GRU and KGB (yes, once again old agencies don’t die, they just change names 😉 ) would not be as sloppy as to leave the breadcrumbs that are being found by Crowdstrike and others. I would remind you to look at at the last big operation that we busted in the US by the KGB as well as the recent posting of selfies by a KGB graduating class as examples of “everyone fucks up” For that matter, shall we mention our own CIA’s debacle with the Pizza Hut? Every agency screws up and every hacker does too. Humans and human nature insure that things will get messed up, there are no perfect operations. In this case the assets involved likely had access to the DNC as well as the RNC but decided to use this data to influence the elections in a manner that they could get away with it easily. This is the nature of spying, politics, and geopolitics, take a look at the history of the CIA and dirty tricks in the politics of South America and then picture it if they were doing the same (hint, they are) today in the cyber age.

That’s right kids, there have been other dumps and hacks. Perhaps some of those too were the US? Think about it.

Russia and Putin have been gerrymandering elsewhere, money and influence operations have always been around. Now consider yourself to be Putin and you have an operation that gave you easily funnelled information to the likes of Julian Assange and Wikileaks! Even more enticing, the fact that you all know that attribution is hard to prove in hacking! What do you have to lose if you are Putin or anyone else? So, if you look at how this plays out, and what more may play out come October, who, what nation, would have the most to benefit if we actually had trump in office?

Think… The answer is ANYONE who would like to take America down a peg and have more possible influence on world politics.

If you look though at the rhetoric by Trump you can in fact see that the big dog in the room would be Putin though. Just think about it! How much more power and sway would Putin have if Trump were in office and dismembers NATO? Come on now kids, think about it. Ask yourselves “Cui Bono?” here. So stop the quibbling about the attribution and the finger pointing. Take the analysis by the CIA and others as well as the eventual data the FBI comes up with and start looking to how can we fix the problems here? There are so many problems though that I too get disheartened. The political system is broken, the information systems are not properly protected, and we run headlong into creating more weaponized code? It is enough to make a man drink.

Ooh good idea…

Dr. K.

ASSESSMENT: Stephen Su aka Stephen SuBin aka Su Bin

leave a comment »

Chinese_Department_of_National_Security

 

The Arrest:

Recent news shows that an arrest has been made in a Chinese industrial espionage campaign that started around 2009 and resulted in larger dumps of data being taken from Boeing as well as other defense base aligned companies. Stephen Su aka Stephen Subin aka Su Bin was arrested in Canada after an affidavit was put in by the FBI giving evidence that SuBin and two others had broken into Boeing and other companies stealing data on the C-17 as well as F22 Raptor and JSF projects.

Screenshot from 2014-07-14 09:42:08

Screenshot from 2014-07-14 09:51:38

While the affidavit says a lot in a roundabout way on what the FBI considered evidence for the arrest there is a gap in just how the FBI came upon this guy and his co-conspirators in the first place. There is no mention of what tip may have led the FBI to obtain the email records of SuBin at Gmail and Hotmail as well as it seems the emails of the UC1 and UC2 at Gmail as well. Perhaps the data came from something like Xkeyscore or PRISM? I don’t think that that is likely but one has to ask the question anyway.

Aside from that lack of genesis for the FBI investigation the affidavit is quite detailed as to the back and forth with the UC’s and SuBin. There are file names and screen shots of data that was passed back and forth as well as email addresses and snippets of the emails themselves. Of more note though is a timeline and a operational details that SuBin and his team were using in order to carry off the espionage and this is very interesting. SuBin and the team were taking a more hybrid approach to the industrial espionage that we commonly don’t get to see or hear about in the current throes of APT madness.

Modus Operandi:

This case of espionage is different from the usual APT stories you hear today on the news. The reason for this is that the players here may or may not have ties back to those directorates and groups that APT come from. Or, they may not. The affidavit is unclear (perhaps deliberately so) on the two UC’s connections to any of the APT activities we have all heard about but they do use the same techniques that we have heard being used by APT actors.

What is different though is the use of human assets (i.e. SuBin) as a targeter for the hackers to hone in on specific files and architectures/companies/people. This is where this becomes more of a classic MSS (Ministry of State Security) operation than the ongoing attacks we have been seeing in the news since APT became a household term. Now, whether or not SuBin is actually a trained agent or just an asset is the sixty four thousand dollar question in my book. There are allegations in the affidavit that to me, looks like he could be either. Su talks about making money on the data he has been helping to steal which makes him look like a freelancer. Meanwhile there are other aspects that make it seem more like he is a true asset for MSS. I am still not quite sure myself and perhaps someday we will hear more on this from the FBI.

Screenshot from 2014-07-14 09:06:21

A common thread in much of the MSS’ (中华人民共和国国家安全部) playbook for industrial espionage is the use of human sources that are either naturalized citizens of another country. (i.e. Americans or in this case one who was about to be Canadian) In the case of SuBin, he had his own company in China that worked with wiring in airframes. This is a perfect cutout for the MSS to get an asset with access to Western companies that may be doing business with them. In the case of Lode-Tech (Su’s company) there was evidence from the 2009 documents (emails) that showed that his company was sharing space with Boeing at an expo which likely began this whole espionage exploit.

Now another fact that seems to emerge from the affidavit is that these guys were just using Gmail and other systems that are not the most secure. I do know that in some cases the APT also use these email systems but these guys seem to be pretty open with their exchanges back and forth. This to me means that they were not professional’s for the most part. I can come down on both sides here as well after having seen some of the flagrant OPSEC failures on the part of APT in the past. Generally though my feeling is that these guys were a little too loose with their OPSEC to be professional MSS operators and may in fact all have been contractors.

Screenshot from 2014-07-14 10:02:42

On the other hand though these guys had some tradecraft that they were following and these likely worked pretty well. In the image below you can see how they were hand carrying some data to Macao and Hong Kong in order to bypass certain “diplomatic issues” as they say. Additionally, the surveillance portion (which is the first time this has come up with the APT type of activity) has ever been mentioned. In the case of SuBin, he had access to Boeing itself (an assumption as none is directly mentioned in the affidavit) via his company ostensibly and thus had a presence that a hacker is lacking in remote APT activities.

Screenshot from 2014-07-14 10:25:06

 

So you can see how this is a hybrid operation and something we don’t often get to see. Could this be the new paradigm in industrial espionage? Frankly this is something I would have thought was going on all along given what I know of Chinese espionage as well as having done assessments in the past that included a physical attack portion. By synergizing the APT hacking with MSS old school tradecraft these guys were pretty successful (65 gig of targeted data from Boeing alone) and maximized insider knowledge of what to look for with technical hacking exploits. If you think about it how many companies do business with China? Now ponder how much access those companies may have to networks and people in those companies… Yeah.

These are tried and true practices on the part of the MSS as well as other intelligence agencies the world over so we have to pay attention to this stuff as well as worry about the common phishing emails that come in waves as well. Overall I think that the US needs to be a bit more self aware of all of these types of activities and methods to protect their environments but to do so I imagine will be a tough sell to most corporations.

Advanced Persistent Espionage:

What this all means is the following; “Industrial espionage doesn’t just mean APT phishing emails blindly coming at you. It also means that there may be actual people and companies that you are working with that are actively gathering your data for sale as well” Another recent incident involves Pratt & Whitney with a naturalized American Iranian who stole a lot of physical documents as well as seemingly had emailed data out of their environment to Iran as part of a sale. You have to remember it’s not just all electrons boys and girls.

However, the hybridization of the methods of APT and traditional tradecraft is just beginning. I think that the Chinese have seen the light so to speak and will start to leverage these things more as the US continues to put pressure on them concerning APT attacks. The MSS will get more and more cautious and work smarter as they continue to be persistent in their espionage activities. The Russians are already pretty good at this and they leverage both now. It’s time I guess that the Chinese have decided to look to their Russian friends and steal a bit from their playbook as well.

K.

 

Written by Krypt3ia

2014/07/14 at 18:47

Robin Sage Has Taught Us Nothing It Seems…

with one comment

Screenshot from 2014-07-08 09:28:52

Cutouts and LinkedIn

Recently I was sent an invite by the profile of “Emanuel Gomez” an alleged recruiter from Alaska asking to be added to my LinkedIn “friends” Some of you may have seen the event happen on LinkedIn as after I did a little due diligence OSINT it became clear that this account was a cutout for someone looking for entree to my list of connections using a rather obvious fake name and details. The first clue though was a quick search of the headshot used on Google image search which came up with the real person’s name and profile elsewhere. Once I got that hit it was all out OSINT time and here is what I found.

linkedinSE2Real user profile of unsuspecting Richard Velazquez

 

linkedinSE3

The culprit behind this fake LI account is one Leon Jaimes, a techie in Alaska via Colorado. Leon had used an email address in his profile that led me right to him as he posted under his real name at various bulletin boards and had a flickr account attached to the same address. Within his data on the image upload site he had many personal details as well as an old registration with pertinent personal data on it that he had photographed and placed on the web… Yeah.. Sigh…

 

 

Screenshot from 2014-07-08 09:58:18

I made short work of Leon and dug up a lot on him including an arrest record for being drunk and trespassing in someone’s house. All I have to say is Leon, buddy, like I said in the email I sent to you, your OPSEC sucks! Leon actually emailed me back asking where he had gone wrong and admitting to the profile which I did not answer… I mean really? I am going to teach you better OPSEC? Two words FUCK. NO.

I had meanwhile begun a thread on LinkedIn about the incident (pic at top started the string) to alert others as to the ongoing ruse. I had seen others within my circle who had fallen for this as well as others he seemed to be aiming at. At the time of my initially getting the email to add him he had 23 people as connections. By 10 am he had 50. People were just click happy and adding him to their connections without really taking a closer look at his profile. Mind you, these were people in INFOSEC as well as MIL and Fed types! I checked the profile as of this writing though and it is now gone from LI so there is at least that and more than a few people have looked at my post and commented. Yet, it still bothers me that so many fell for such a poorly constructed profile.

FAIL.

Social Animals With Cognitive Issues

Screenshot from 2014-07-08 09:41:30

So what have we learned since the big hullabaloo over Robin Sage? It would seem not much really. Why is this? Why have people generally not learned from the event Tommy sparked back a few years ago? Are we just not teaching people about SE and the perils of cutout accounts and espionage being carried out by state actors and others via venues like LinkedIn? I actually believe that there are many concomitant issues at play here and I recently spoke at BsidesCT about the cognitive issues around security.

We are creatures of habit with lazy minds it seems with biological impediments cognitively as well as generally, as a species have adapted to being social animals. It’s this very social aspect that is being leveraged so well today as always in the espionage world. It is just that today you can reach people much easier via the net and social media and harvest much more data extremely quickly. There are of course a host of social mores that I could go into but perhaps that’s for another day. What I would really like to say here though is that if you are on LinkedIn and you are not at least trying to vet those people trying to get you to add them then you are likely adding cutout accounts as well who are spying on you.

OPSEC Lessons Learned

So I guess many people may not care at all who they connect to on LinkedIn. Perhaps some of those people are in INFOSEC or the Defense base as well. Maybe those users really have nothing in their profiles to protect and do not consider their connections to be of worth to some adversary somewhere. Perhaps those same people are idiots and have not been paying attention to the news for the last, oh, let’s say 3 years? Maybe there is just a general lack of education on the whole within companies about social engineering, phishing, and today’s common attacks? Is there actually a study out there showing just how much education is going on at a corporate and nationwide scale?

Here are the salient simple facts for you all to chew on:

  • Everyone is a target and your information and your connections are important to an adversary looking to attack YOUR business.
  • Social Media sites like LinkedIn are a goldmine for this intelligence gathering. Not only of your connections but also your personal information that you may leak there or other places that when mined, can lead to a fuller picture of who you are, your habits, and your weaknesses.
  • Phishing and SPEAR-Phishing attacks start at this level with intelligence gathering on you and others in your circles. Plans are hatched leveraging who you know and who you work with to exploit yourself and others into clicking links or giving up intelligence to the adversary.
  • All of the above happens every day to millions of people and the reality is you are the only one who can try to prevent it by being more aware of these things.

I should think that there would be more moratoriums on the use of LinkedIn and other places tagging where you work to your profile. This is a real harvest festival and has been for some time and yet no one has made a move here. LinkedIn also is a part of the problem too. They seem to be doing pretty much nothing to invent means of vetting people to insure they are who they say they are. Look at the recent case of Newscaster and their use of not only LI but also Facebook and Twitter. They had numerous people from the Aerospace community connected to them on LinkedIn and this was an Iranian operation (note** Amateurish and likely not state sponsored or run**) but still… You get the picture right?

I will leave you with these questions;

  • What’s on your LinkedIn?
  • Who are you connected to?
  • What information is on your profile that could be used to tell what access you have, who you work for, who your friends are, what your preferences are etc…
  • What secrets do you have that I can exploit from your social media accounts?
  • What OPSEC precautions have you taken to protect your information?
  • Are you even aware of these things?

Think before you click ADD USER.

K.

 

Written by Krypt3ia

2014/07/08 at 14:41

So here’s my thing….

with 3 comments

dark_of_night_OURO

VQX HWMVCUSE JQJFASSNTG QV! X HQ JD ISIAVVE!

Face it.. We are all PWND six ways to Sunday

Every frigging day we hear more and more about how the NSA has been emptying our lives of privacy and subverting the laws of this land and others with their machinations. It’s true, and I have been saying as much since the day Mr. Klein came out of his telco closet and talked about how the NARUS system had been plugged into the MAE West back in the day. We are all well and truly fucked if we want any kind of privacy today kids and we all need to just sit back and think about that.

*ponder ponder ponder*

Ok, I have thought about it and I have tried to think of any way to protect myself from the encroachment of the NSA and all the big and little sisters out there. I am absolutely flummoxed to come up with any cogent means to really and truly protect my communications. Short of having access to the NSA supercloud and some cryptographers I don’t think that we will not truly have any privacy anymore. If you place it on the net, or in the air. We have reached in my opinion the very real possibility of the N-Dystopia I have talked about before in the Great Cyber Game post.

As the pundits like Schneier and others groan on and on about how the NSA is doing all of this to us all I have increasingly felt  the 5 stages of grief. I had the disbelief (ok not completely as you all know but the scope was incredible at each revelation) Then the anger came and washed over me, waves and waves of it as I saw the breadth and scope of the abuse. Soon though that anger went away and I was then feeling the bargaining phase begin. I started to bargain in my head with ideas that I could in fact create my own privacy with crypto and other OPSEC means. I thought I could just deny the government the data. I soon though began to understand that no matter what I did with the tools out there that it was likely they had already been back door’d. This came to be more than the case once the stories came out around how the NSA had been pressuring all kinds of tech companies to weaken standards or even build full back doors into their products under the guise of “National Security”

Over time the revelations have all lead to the inescapable truth that there is nothing really anyone can do to stop the nation state from mining our communications on a technological level. Once that had fully set in my mind the depression kicked in. Of late I have been more quiet online and more depressed about our current state as well as our future state with regard to surveillance and the cyberwarz. I came to the conclusion that no matter the railing and screaming I might do it would mean nothing to the rapidly approaching cyberpocalypse of our own creation arriving. ….In short, we can’t stop it and thus the last of the five stages for me has set in. I accept that there is nothing I can do, nay, nothing “we” can do to stop this short of a bloody coup on the government at large.

I now luxuriate in my apathy and were I to really care any more I would lose my fucking mind.

OPSEC! OPSEC! OPSEC!

Speaking of losing one’s mind.. Lately people all have been yelling that OPSEC is the only way! One (the gruqq) has been touting this and all kinds of counterintelligence as the panacea for the masses on these issues. Well, why? Why should we all have to be spies to just have a little privacy in our lives huh? I mean it’s one thing to be a shithead and just share every fucking stupid idea you have on FriendFace and Tweeter but really, if you can’t shut yourself up that is your problem right? No, I speak of the every day email to your mom telling her about your health status or maybe your decision to come out etc. Why should the government have the eminent domain digitally to look at all that shit now or later?

If you take measures to protect these transactions and those measures are already compromised by the government why then should you even attempt to protect them with overburdened measures such as OPSEC huh? I mean, really if you are that worried about that shit then go talk to someone personally huh? I know, quite the defeatist attitude I have there huh? The reality is that even though I claim not to be caring about it (re: apathy above) I actually do but I realize that we no longer have privacy even if we try to create it for ourselves with technical means. If the gov wants to see your shit they will make a way to do so without your knowing about it. I fully expect someday that they will just claim eminent domain over the internet completely.

Fuck OPSEC.. I want my government to do the right thing and not try to hide all their skirting of the law by making it classified and sending me an NSL that threatens to put me in jail for breaking the law.

Fuck this shit.

CYBERWARZ

Then we have the CYBERWARZ!! Oh yeah, the gubment, the military, and the private sector all have the CYBERWARZ fever. I cannot tell you how sick of that bullshit I am really. I am tired of all the hype and misdirection. Let me clear this up for you all right here and right now. THERE IS NO CYBERWAR! There is only snake oil and espionage. UNTIL such time as there is a full out kinetic war going on where systems have been destroyed or compromised just before tanks roll in or nukes hit us there is no cyberwar to speak of. There is only TALK OF cyber war.. Well more like masturbatory fantasies by the likes of Beitlich et al in reality. So back the fuck off of this shit mmkay? We do not live in the world of William Gibson and NO you are not Johnny Mnemonic ok!

Sick. And. Tired.

I really feel like that Shatner skit where he tells the Trekkies to get a life…

Awaiting the DERPOCALYPSE

All that is left for us all now is the DERPOCALYPSE. This is the end state of INFOSEC to me. We are all going to be co-opted into the cyberwarz and the privacy wars and none of us have a snowball’s chance in hell of doing anything productive with our lives. Some of us are breaking things because we love it. Others are trying to protect “ALL THE THINGS” from the breakers and the people who take their ideas and technologies and begin breaking all those things. It’s a vicious cycle of derp that really has no end. It’s an ouroboros of fail.

RAGE! RAGE! AGAINST THE DYING OF THE PRIVACY! is a nice sentiment but in reality we have no way to completely stop the juggernaut of the NSA and the government kids. We are all just pawns in a larger geopolitical game and we have to accept this. If we choose not to, and many have, then I suggest you gird your loins for the inevitable kick in the balls that you will receive from the government eventually. The same applies for all those companies out there aiding the government in their quest for the panopticon or the cyberwarz. Money talks and there is so much of it in this industry now that there is little to stop it’s abuse as well.

We are well and truly fucked.

So, if you too are feeling burned out by all of this take heart gentle reader. All you need do is just not care anymore. Come, join me in the pool of acceptance. Would you care for a lotus blossom perhaps? It’s all good once you have accepted the truth that there is nothing you can do and that if you do things that might secure you then you are now more of a target. So, do nothing…

Derp.

K.

ウェブ忍者が失敗する : Dox-ing, Disinformation, and The Fifth Battlespace

leave a comment »

Digital Ninja Fail: ウェブ忍者が失敗する

The recent arrests of alleged key members of LulzSec and Anonymous have been called into question by the ‘Web Ninja’s‘, a group of would be hackers who have been ‘DOX-ing” the anonymous hierarchy for some time now. Yesterday, they posted the following on their page concerning the arrest of a man from the Shetland Islands who is purported to be ‘Topiary‘ by the Met and SOCA.

Now, this is a bold statement for anyone who really knows what they are doing in the intelligence analysis field. So, it is my supposition that these guys have no clue about what they are doing by making bold assertions like this. The data they have is tenuous at best and by making such bold statements, I have to wonder if indeed the so called ‘Ninja’s” themselves might not be a tool of anonymous to in fact sow that disinformation.

Here are the facts as I see them;

  • To date, the federal authorities have not questioned anyone who was DOX’d by the Ninja’s that I am aware of
  • The individuals who were DOX’d that were investigated by the authorities were in fact outed by LulzSec/Anonymous themselves
  • Adrian Chen has spoken to the person that the Ninja’s have fingered and claims that he (said person) went to the authorities himself. So far he is still not a suspect.

So, taking into account these facts, I would have to say that the Ninja’s have failed in their stated mission so far and I would suffice to say that if they are indeed a part of a disinformation campaign, then that too has failed. After all, the police seem to be ignoring the data put on the interent by the likes of the Ninja’s in favour of other tried and true tactics. The primary tactic as I see it, is grab one individual and then get them to roll over on their compatriots in the face of massive jail time.

This pretty much works all the time as we, as human beings, are most willing to sacrifice others for the self. In the case of the likes of LulzSec skiddies, I would have to say that the ages of the players, and their generational tendencies will allow them to cut deals pretty quickly. It’s my assessment that they are in it for the self gratification and lulz, not for the altruism that the LulzSec and Anonymous press releases have been trying to have one believe. My assumption is that if indeed the 19 year old guy they popped in Scotland is involved with LulzSec, and is in fact Topiary, he will roll over soon enough.

I also believe that these are all untrained operatives and they have made and will make more mistakes. I am pretty sure that the alleged “leaderless” group has leaders AND that unlike a true guerrilla warfare cell, will know the other players personal details. Essentially, they have had no compartmentalisation and they will all fall eventually though interrogation and deal making. As I said before, the insider threat to the organisation is key here, and it was this idea I think the Ninja’s had.. Well, at least that was the original idea of the Ninja Warrior. They were spies who infiltrated the ranks and destroyed from within.

So far with these guys.. Not so much.

Welcome To Spook World: Disinformation Campaigns and Intelligence Analysis

Now, on the whole disinformation thing, I know that the Lulz and Anonymous have said that they are using disinformation as well to try and create a smoke screen. Frankly, all of the intelligence out there that is open source is suspect. Maltego map’s of end user names as I have shown in the past can be useful in gathering intelligence… Sometimes. For the most part, if a user keeps using a screen name in many places and ties that name to real data, then they can be tracked, but, it takes a lot of analysis and data gathering to do it. Though, many of the foot soldiers within the Anon movement are young and foolish enough to just keep using the same screen names for everything so there is a higher likelihood that the data being pulled up on Maltego and with Google searches is solid enough to make some justified conclusions.

With the more experienced people though, there has been some forethought and they have protected their identities as best they could. What became their real downfall was that they could not rise above petty infighting and dox-ing each other. Thus you have the start of the potential domino effect on the core group as well as anyone who has any peripheral affiliation with the Lulz. Be assured, those who have been pinched are giving up as many names as possible as well as whatever is on their hard drives, Anon hacker manuals or not. All of these scenarios lead to the conclusion of more arrests by the authorities and even more skiddies getting into legal trouble around the globe. Meanwhile though, if the core group has been smart, then perhaps the leaders will skate for a time, using the masses as canon fodder.

Gee kids.. Did you know that you were all expendable?

On another tac, I would like to speak about the potential of the disinformation campaigns being perpetrated by the authorities as well. Consider that the trained professionals out there who are hunting these characters (Topiary, Sabu, et al.) are also adept at using not only the technologies of the fifth battlespace, but also the training afforded them in ‘spook world’ This means disinformation campaigns, mole hunts, and insurgencies of their own, getting to the inner core of Anonymous and Lulz. Now, that there were six (alleged) lulzer’s it would be more difficult to do, especially if those LulzSec folks really do know one another (as they claim they do not, which, I just don’t buy.. Remember the compartmentalisation issue) The agent provocateur’s are out there I am sure and with each rung of the ladder, they get closer to the core group.

That is unless the core group falls apart on their own and DOX’s each other out. In the end, I am going to suggest that the authorities will use all of the tricks of the trade on the Anon/Lulz folks to bag them… And with concerted effort by government resources, they will get their men/women.

Untrained, Unruly, and Unprofessional Operators:

“Discretion is the better part of valour” as they say, and in the case of the Lulz and Anon crews, they seem to not have a clue. Perhaps the Lulz think that by being unruly and unpredictable to a certain amount, will be just the cover they need, but, I think that their lack of discretion will be their undoing as well as their hubris. Had many of these folks had some real training, they might have just stood down for a while (not just a week or so) after setting sail into the sunset.

As I have said before, it was a bad idea to recruit and have comm’s out in the open on IRC servers even if they had ‘invite only’ channels. As is being seen now, someone (jester perhaps) has taken down their servers again after other outages due to Ryan Cleary’s attack and pressure from the government on those connection sources that the Anon’s were using. I am sure the idea was to have a movement that could also serve as diversion for the core users as well as to LOIC, but this all failed in the end didn’t it? The LOIC is what has given the FBI the 1,000 IP addresses as a hit list, so to speak, that they are now using to collect people and charge them for the DD0S attacks.

Had these people been trained or not been so compulsive, they might have had more of a chance to keep this up for a much much longer time. As I write, the Lulz do continue, but they have slowed quite a bit since the arrests started again. This I think is because the cages are starting to get rattled and people are finally coming to the conclusion that some discretion is needed to not end up Bubba’s play pal in prison. It’s a learning curve, and likely going to be a painful one for the kiddies.

Unprofessional actions within this area of battle will end up with your being put in jail kids.

To end this section I would also like to add this thought. My assessment of the Lulz core group is this;

  • They were drunk on the power of their escapades
  • The more followers they had and more attention, the less risk averse they became
  • They seem to have compulsion disorders (don’t say it.. Aspergers!) that seem to not allow them to lay low (until now it seems)
  • The ego has eaten their id altogether
  • Base ages are within the teens with a couple over 20

Technical Issues Within The Fifth Battlespace:

Another BIG issue within this battlespace is the technology. The Anon’s and Lulz have been ascribing to the idea of “Proxies, we haz them! So we’re secure!” and to a certain extent they are right. There are always ways around that though and certainly leaks in data (such as the TOR leaks that have happened) that could lead someone to locate the end user behind the proxy, so they are not fool proof. Certainly not if the fool in question is some skiddie 12 year old using LOIC un-proxied and not obfuscated while they D0S Paypal.

The problem is that the technology could fail you as well as the untrained operative could make small and large mistakes that could lead authorities right back to their IP and home accts. On the other side of that equation is that when properly done, it is damn hard to prove a lot in hacking cases because of obfuscation, as well as mis-configured end systems that have been hit. I cannot tell you how many times I have seen incidents play out where the target systems had no logging on as well as being completely un-secured, thus leaving practically nothing for a forensics team to find and use.

Once again, this brings us back to the insider threat, whether they be the insider who decides to go turncoat, or, the agent provocateur (i.e. Jester and the Ninja’s as well as others from the authorities) who infiltrate the Lulz and then gut them from the inside. What it really boils all down to is that in the end, it will be the foibles of the Lulz core and the actions of spooks that will bring them down.. And I think they are learning that very fact now.

JIN; One Must Know The Enemies Mind To Be Victorious:

As a last note, I would like to say to the Ninja’s, you need to learn and practice your Kuji-in. It is obvious to me that you have failed on the ‘Jin’ (knowing the opponents mind) with your dox attempts. Until such time as I see people being hauled in that directly relate to your documents posted, then I am going to consider the following to be the case:

  1. DOX-ing is mostly useless and takes quite a bit of analysis before just releasing names
  2. The Feds are not taking your data as gospel, nor should the general public or media
  3. You yourselves may in fact be a tool of Anonymous/Lulz and as such, spewing disinformation
  4. You could be right, but by releasing it to the public at large, you are letting the Lulz know to destroy evidence and create obfuscation that will hinder arrests later.

Ninja’s got results.. Not so much for ‘Web’ Ninjas. At least Jester, if his claims are true, is breaking their C&C channels lately.. Which has its own problematic issues.. Just like his meddling in the Jihadi area, but, that’s a story for another time.

K.

IMPORTANT SECURITY TIPS: Security Tips for Jihobbyists At Majahden

with 5 comments

Security Tips for Majahden2 Users and Jihobbyists

Important Security Tips from Majahden:

The boys at Majahden have been learning lately about how psyops, hacking, disinformation, and being pwn3d works. I suppose since Osama went to live in a pineapple under the sea, they have been taking stock of just how much information they are leaking on the boards out there on the internets. There have been a spate of timely deaths in the AQ camp of late as well as a few arrests, but really, the intelligence coup of finding OBL and whacking him has all the jihobbyists worried that they will be next.

Of course they should be worried, but not only because OBL was popped. You see, we have been inside their shit for some time now and they just did not know it I guess. I have written in the past about sites that I have been poking at and digging through and I know in the case of Al-faloja (may it rest un-peacefully) I was able to get quite a bit of data from them. Since Al-Faloja fell down and went boom, there have been many site re-vamps by many a phpBB admin but they still seem to be on the whole, lacking the skills to really secure their shit.

Oopsies!

So, from their sooper sekret squirrel lair we have the following text from the above screen shot on majahden entitled “Important Security Tips” From this post I can say that they have been learning though. The tips are good and if followed it will make it just a teensy bit harder to track them and eventually have them picked up. Here are some good ones:

  • Trust no one: See a new member asking all kinds of questions about going to jihad? Be wary of them they may be spies
  • Use internet cafe’s to log in and post to the boards because they can track your IP address
  • DO NOT use just one internet cafe! Move around and make sure that you go outside your usual area (where you live)
  • Use a PROXY at the cafe!
  • Be careful though at the cafe because they are on the lookout for swarthy types like us!
  • NEVER give out your real information to ANY forum! (i.e. Bday, phone, etc)
  • Beware of files published to the forums! They could be malware!
  • Beware of popup installs like Java on the boards, they are not proper and likely a means to compromise you!
  • Beware people asking you to email them from the forum (use the message program on the board)
  • DO NOT RE-USE PASSWORDS!
  • Be careful what information (personal) you put on the site
  • Be careful about posting anecdotes about seeing this or that imam speak (places you in a place and a time)

AND Finally, in the FUNNIEST note of the list;

  • This is not a dating site! You want to make friends do that separately from the jihadi forums.

*snort*

In all, these warnings are good solid rules of the road for anyone going anywhere on the internet never mind on a jihadi board being audited by the likes of moi. Just from a privacy standpoint these types of suggestions are valid as well and should be the standard for anyone not wanting their identity stolen or their stuff hacked easily. This however, is pretty new to all of these guys and are the rudiments of SECOPS for them. Up til now, they have been not following any of these precepts, and to have to say this is not a dating site? Well, that kinda says it all to me hehe.

Meanwhile another tasty tidbit came up from the same site and this one is a little more interesting. The above screen cap is for a posting called “Deceptive methods to extract information” and it covers primarily the idea of snitches being placed in cells at camps to elicit information from jihadi’s. Now, this is nothing new to anyone who has had a diet of movies or TV here in the US, but perhaps it is a new one for these guys. Informants in the form of turncoat prisoners or actual agents from the likes of the CIA etc, have been standard operations to get information without the enemy knowing it.

This post is written by someone though who has had first hand experience with being detained. They go on to describe very specific scenarios and methods to evade giving up information to the “birds” as they are calling them.  (I think they mean stool pigeons) The writer gives suggestions on how to detect the turncoats and or to deal with the interrogators methods in trying to cajole information from them. All in all, this is an interesting read that comes across as someone who has had direct experience and understands PSYOPS.

The Take Away:

These posts and others within the site have me thinking that they are starting to become a bit more sophisticated in their efforts online. There are numerous tutorials now on chaining Tor and proxy-ing as well as the use of crypto and other security oriented programs. TNT_ON has been busy posting more tutorials as well as lauding Younis Tsouli (aka irhabi007, now in jail) as the progenitor of the jihadi hacking scene. All I can really say is that it is maturing and we need to step up our efforts with regard to them.

With the new invigoration within the cyber-jihadi community since OBL’s great pineapple adventure, they have taken up the gauntlet not only to hack but to wage a cyber-propaganda campaign like never before. Presently, the jihadi’s on Majahden and other sites have been spinning up and creating numerous Facebook sites that conform to standards that will fly under the FB radar (FB has been pulling sites down just about as fast as they could put them up) this has become the new “stealth jihad” They are making the effort now to have innocent front pages that lead to many other more hidden pages containing hardcore jihadi content. This is something that was being espoused last year on the boards and is now coming into acceptance as the main modus operandi. This way they can have their content and not get it 0wned or taken down by the likes of Facebook or Blogspot.

Since the advent of the LulzSec crew, it just seems that we all have been focused elsewhere.. Time to wake up and go back to working these fools. I say it is time to start a program of 0day infected dox that will be downloaded from all those sharing sites that these guys love. Remember the whole cupcake thing with Inspire? I say we do it en masse for as many sites as we can. Added to this, we should also be using many more approaches such as PSYOPS, Disinformation, and all out penetration of their servers… No matter where they sit.

But that’s just me… I also think that perhaps the NSA might have that already covered… One wonders…

At the very least, we should keep an eye on these sites.. If not for the lulz, then for taking them down once and for all.

K.

The Curious Case of The Deputy Attache at FBI, Sofia, Bulgaria on LinkedIn

with 5 comments

A friend messaged me this morning asking if I had ever heard of Pauline Roberts, who had been added to their LinkedIn. Having some resources at my disposal, I agreed to take a look and see just who this person may in fact be if not really the person she purports to be. In looking into Pauline’s past, I was unable to confirm ANY of her past references including the FBI. Now, this may in fact mean that this is a cut out account for someone looking to garner access to others with information they desire. This is the same type of action that the likes of Anna Chapman was undertaking with some of her compatriots as an “illegal” for the SVR while living in the United States.

In short, gathering intelligence and making connections via LinkedIn as well as other online and offline ways.

Back to Ms or Mrs, Roberts though. Her profile presents some interesting paradoxes that piqued my interest as well as set off the alarms for my friend.

  1. She is retired but using LinkedIn to make connections?
  2. She is incredibly open on her past with the FBI inclusive of her time as a ‘Deputy Attaché’ in Sofia at the end of her career.
  3. Her job history though (not seen in image above) includes being in TV news and Journalism at WKBN in Ohio but lists it as ‘law enforcement’
  4. Her photo on the LinkedIn has been shopped (background) and poorly.. Why?
  5. A general search of her name (married name) turned up nothing even in the government domains

On the face of it, it seems as though this profile may be a fake. Upon doing some good old detective work though, I managed to confirm that Pauline did in fact work at WKBN and was the News Director from an email exchange with someone who was there at the time. Furthermore, I asked the key question of whether or not she had left WKBN to go to Quantico for training and the answer was yes.

So.. It would seem that this is indeed Pauline Roberts formerly of the FBI and most recently an attaché in Sofia Bulgaria… But.. I still have questions about the profile and why so much information would be put out there. Especially for someone who did all of the things that this one claims. Imagine being a spook and then just putting up a LinkedIn page naming every station you worked at over the years.

That is not in my mind a good SECOP posture.

This all begs the question though about LinkedIn and social media in general. Just how much information do you really want out there? Is this somewhere you want to lay out such details of this kind of career (even a past one now..though recent) out there for everyone? On the flip side, all of us out there too may be the targets of campaigns to gather data about us and where we work in order for someone to gather intelligence (corporate or otherwise) So, it is important that you take into account just what you do and how much information you give out on sites like this.

As for my friend, well, on the face of it, she is real… Adding her is up to you… If she is the real deal though, could be a real asset having her in the list.. Or, maybe not given the SECOPS picture here..

K.

Written by Krypt3ia

2011/06/22 at 19:34

Posted in Cut-Outs, HUMINT, INTEL, SECOPS