(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘CyberFAIL’ Category

So here’s my thing….

with 3 comments



Face it.. We are all PWND six ways to Sunday

Every frigging day we hear more and more about how the NSA has been emptying our lives of privacy and subverting the laws of this land and others with their machinations. It’s true, and I have been saying as much since the day Mr. Klein came out of his telco closet and talked about how the NARUS system had been plugged into the MAE West back in the day. We are all well and truly fucked if we want any kind of privacy today kids and we all need to just sit back and think about that.

*ponder ponder ponder*

Ok, I have thought about it and I have tried to think of any way to protect myself from the encroachment of the NSA and all the big and little sisters out there. I am absolutely flummoxed to come up with any cogent means to really and truly protect my communications. Short of having access to the NSA supercloud and some cryptographers I don’t think that we will not truly have any privacy anymore. If you place it on the net, or in the air. We have reached in my opinion the very real possibility of the N-Dystopia I have talked about before in the Great Cyber Game post.

As the pundits like Schneier and others groan on and on about how the NSA is doing all of this to us all I have increasingly felt  the 5 stages of grief. I had the disbelief (ok not completely as you all know but the scope was incredible at each revelation) Then the anger came and washed over me, waves and waves of it as I saw the breadth and scope of the abuse. Soon though that anger went away and I was then feeling the bargaining phase begin. I started to bargain in my head with ideas that I could in fact create my own privacy with crypto and other OPSEC means. I thought I could just deny the government the data. I soon though began to understand that no matter what I did with the tools out there that it was likely they had already been back door’d. This came to be more than the case once the stories came out around how the NSA had been pressuring all kinds of tech companies to weaken standards or even build full back doors into their products under the guise of “National Security”

Over time the revelations have all lead to the inescapable truth that there is nothing really anyone can do to stop the nation state from mining our communications on a technological level. Once that had fully set in my mind the depression kicked in. Of late I have been more quiet online and more depressed about our current state as well as our future state with regard to surveillance and the cyberwarz. I came to the conclusion that no matter the railing and screaming I might do it would mean nothing to the rapidly approaching cyberpocalypse of our own creation arriving. ….In short, we can’t stop it and thus the last of the five stages for me has set in. I accept that there is nothing I can do, nay, nothing “we” can do to stop this short of a bloody coup on the government at large.

I now luxuriate in my apathy and were I to really care any more I would lose my fucking mind.


Speaking of losing one’s mind.. Lately people all have been yelling that OPSEC is the only way! One (the gruqq) has been touting this and all kinds of counterintelligence as the panacea for the masses on these issues. Well, why? Why should we all have to be spies to just have a little privacy in our lives huh? I mean it’s one thing to be a shithead and just share every fucking stupid idea you have on FriendFace and Tweeter but really, if you can’t shut yourself up that is your problem right? No, I speak of the every day email to your mom telling her about your health status or maybe your decision to come out etc. Why should the government have the eminent domain digitally to look at all that shit now or later?

If you take measures to protect these transactions and those measures are already compromised by the government why then should you even attempt to protect them with overburdened measures such as OPSEC huh? I mean, really if you are that worried about that shit then go talk to someone personally huh? I know, quite the defeatist attitude I have there huh? The reality is that even though I claim not to be caring about it (re: apathy above) I actually do but I realize that we no longer have privacy even if we try to create it for ourselves with technical means. If the gov wants to see your shit they will make a way to do so without your knowing about it. I fully expect someday that they will just claim eminent domain over the internet completely.

Fuck OPSEC.. I want my government to do the right thing and not try to hide all their skirting of the law by making it classified and sending me an NSL that threatens to put me in jail for breaking the law.

Fuck this shit.


Then we have the CYBERWARZ!! Oh yeah, the gubment, the military, and the private sector all have the CYBERWARZ fever. I cannot tell you how sick of that bullshit I am really. I am tired of all the hype and misdirection. Let me clear this up for you all right here and right now. THERE IS NO CYBERWAR! There is only snake oil and espionage. UNTIL such time as there is a full out kinetic war going on where systems have been destroyed or compromised just before tanks roll in or nukes hit us there is no cyberwar to speak of. There is only TALK OF cyber war.. Well more like masturbatory fantasies by the likes of Beitlich et al in reality. So back the fuck off of this shit mmkay? We do not live in the world of William Gibson and NO you are not Johnny Mnemonic ok!

Sick. And. Tired.

I really feel like that Shatner skit where he tells the Trekkies to get a life…


All that is left for us all now is the DERPOCALYPSE. This is the end state of INFOSEC to me. We are all going to be co-opted into the cyberwarz and the privacy wars and none of us have a snowball’s chance in hell of doing anything productive with our lives. Some of us are breaking things because we love it. Others are trying to protect “ALL THE THINGS” from the breakers and the people who take their ideas and technologies and begin breaking all those things. It’s a vicious cycle of derp that really has no end. It’s an ouroboros of fail.

RAGE! RAGE! AGAINST THE DYING OF THE PRIVACY! is a nice sentiment but in reality we have no way to completely stop the juggernaut of the NSA and the government kids. We are all just pawns in a larger geopolitical game and we have to accept this. If we choose not to, and many have, then I suggest you gird your loins for the inevitable kick in the balls that you will receive from the government eventually. The same applies for all those companies out there aiding the government in their quest for the panopticon or the cyberwarz. Money talks and there is so much of it in this industry now that there is little to stop it’s abuse as well.

We are well and truly fucked.

So, if you too are feeling burned out by all of this take heart gentle reader. All you need do is just not care anymore. Come, join me in the pool of acceptance. Would you care for a lotus blossom perhaps? It’s all good once you have accepted the truth that there is nothing you can do and that if you do things that might secure you then you are now more of a target. So, do nothing…



Book Review: An Introduction to Cyber-Warfare: A Multidisciplinary Approach

with one comment




CYBER CYBER CYBER! or “CRY HAVOC AND LET SLIP THE DIGITAL DOGS OD CYBER WAR!”” is often what you hear from me in a mocking tone as I scan the internet and the news for the usual cyber-douchery. Well this time kids I am actually going to review a book that for once was not full of douchery! Instead it was filled with mostly good information and aimed at people who are not necessarily versed at all in the cyberz. I personally was surprised to find myself thinking that I would approve this for a syllabus (as it has been placed into one by someone I know and asked me to read this and comment)

The book really is a primer on IW (Information Warfare) and Cyber-Warfare (for lack of a better nomenclature for it) which many of you reading my blog might be way below your desired literacy level on the subjects. However, for the novice I would happily recommend that they read the book and then spend more time using ALL of the footnotes to go and read even more on the subject to get a grasp of the complexities here. In fact, I would go as far as to say to all of you out there that IF you are teaching this subject at all then you SHOULD use this book as a starting point.

I would also like to say that I would LOVE to start a kickstarter and get this book into the hands of each and every moron in Congress and the House. I would sit there and MAKE them read it in front of me *surely watching their lips move as they do so* There are too many people in positions of power making stupid decisions about this stuff when they haven’t a single clue. I guess the same could be said about the military folks as well. We have plenty of generals who have no idea either.. That’s just one man’s opinion though.

As we move further and further down the cyber-war road I think that books like this should be mandatory reading for all military personnel as well as college level courses in not only IW/INFOSEC but also political and affairs of state majors as well. We will only continue down this road it seems and it would be best for us all if the next wave of digital natives had a real grasp of the technologies as well as the political, logical, and tactical aspects of “Cyber”

I have broken down the book into rough chapters and subject areas as it is within the book (mostly) It really does cover more of the overall issues of cyber-warfare and methods used (not overly technical) The modus operandi so to speak of the actual events that have taken place are laid out in the book and give you a picture of the evolving of IW to what we see today as “cyber-warfare” I will comment on those sections on what I thought was good and what I thought was derpy of course, I mean would you all have it any other way?


The authors cover early IW with the Russian saga’s over Georgia and Estonia. There is a lot in there that perhaps even you out there might not know about the specifics of the incidents where Russia is “alleged” to have attacked both countries at different times with different goals and effects. Much of this also touches on the ideas of proxy organizations that may or may not be state run that were a part of the action as well as a good overview of what happened.

In the case of Georgia it went kinetic and this is the first real “cyber-warfare” incident in my mind as cyber-war goes. I say this because in my mind unless there is an actual kinetic portion to the fighting there is no “war” it is instead an “action” or “espionage” so in the case of tanks rolling in on Georgia we have a warfare scenario outright that was in tandem with IW/CW actions.


Ah Chairman Meow… What book on Cyber would be complete without our friends at the MSS 3rd Directorate huh? Well in the case of this primer it gets it right. It gets across not only that China has been hacking the living shit out of us but also WHY they are doing it! The book gives a base of information (lots of footnotes and links) to ancillary documentation that will explain the nature of Chinese thought on warfare and more to the point Cyber-Warfare. The Chinese have been working this angle (The Thousand Grains of Sand etc) for a long time now and there are more than a few treatises on it for you to read after finishing this book.

The big cases are in there as well as mention of the malware used, goals of the attacks and some of the key players. If you are out to start teaching about Chinese electronic/cyber/IW then this is a good place to start. Not too heavy but it gets the point across to those who are not so up to speed on the politics, the tech, or the stratagems involved.


Anonymous, as someone on my Twitter feed was just asking me as I was writing this piece, is also a part of this picture as well. The idea of asymmetric online warfare is really embodied by these groups. The book focuses more on Lulzsec and their 50 days of sailing but it doesn’t go too in depth with the derp. Suffice to say that all of them are indeed important to cyber-warfare as we know it and may in fact be the end model for all cyber-warfare. How so? Well, how better to have plausible denyability than to get a non state group to carry out your dirty war? Hell, for that matter how about just blame them and make it look like one of their ops huh?

Oddly enough just days ago Hammond wrote a piece saying this very thing. He intoned that the FBI via Sabu were manipulating the Anon’s into going after government targets. This is not beyond comprehension especially for places like China as well. So this is something to pay attention to. However, this book really did not take that issue on and I really wished that they had. Perhaps in the next updated edition guys?


OY VEY, the “GRID” this is one of the most derpy subjects usually in the media as well as the books/talks/material on cyber-warfare out there. In this case though I will allow what they wrote stand as a “so so” because they make no real claim to an actual apocalypse. Instead the book talks about the possible scenarios of how one could attack the grid. This book makes no claim that it would work but it is something to think about especially if you have an army of trained squirrels with routers strapped to their backs.

It is my belief that the system is too complex to have a systematic fail of apocalypse proportions and it always has been so. If the book talked about maybe creating a series of EMP devices placed at strategic high volume transformers then I would say they’d be on to something. However, that said, the use of a topological attack model was a good one from a logical perspective. They base most of this off of the Chinese grad students paper back years ago so your mileage may vary. So on this chapter I give it a 40% derp.


All in all I would have liked to have seen more in the political area concerning different countries thought patterns on IW/CW but hey, what can ya do eh? Additionally I think more could have been done on the ideas of offense vs. defense. Today I see a lot of derp around how the US has a GREAT OFFENSIVE CAPABILITY! Which for me and many of you out there I assume, leads me to the logical thought conclusion of “GREAT! We are totally offensive but our defense SUCKS!” So much for CYBER-MAD huh?

I would have also like to have seen more in the way of some game theory involved in the book as well concerning cyber-warfare. Some thought experiments would be helpful to lay out the problems within actually carrying out cyber-war as well as potential outcomes from doing so more along the lines of what I saw in the Global Cyber-Game.


Well, in the end I think it is a good start point for people to use this in their syllabus for teaching IW/CW today. It is a primer though and I would love to see not only this end up on the list but also the Global Cyber Game as well to round out the ideas here. To me it is more about “should we do this?” as opposed to “LETS FUCKING DO THIS!” as the effects of doing so are not necessarily known. Much of this territory is new and all too much of it is hyped up to the point of utter nonsense. This is the biggest problem we have though, this nonsense level with regard to the leaders of the land not knowing anything about it and then voting on things.

We need a more informed populace as well as government and I think this book would be a good start. So to the person who asked me to review this..

Put it in the syllabus!


The Global Cyber Game

with one comment



The Global Cyber Game:

I had been meaning to write about this before when I had originally read the text but things got in the way as usual (work, more work, some more work after that, Defcon/Bsides) Now though I am in a space where I can reflect back on this paper and write about it here for you all to see. The Defence Academy (UK) put this together to describe how we might approach “cyberwar” on the level of game play or game theory. They constructed a board and began to set to the task of creating game play and tactics given certain scenarios in the cyber world. (see image of game board below) You can actually play this game if you create a board from this design and work within the rules of game theory but this is not why I find this treatise so important.


What I find most interesting is the actual scenario’s that play out within the game play as well as the end game status that the paper puts it all down to in the end of N-Utopia and N-Dystopia. As one can gather from the inherent meaning of the words, N-Utopia means that we all work out our problems globally and work on bettering society (which in the Nash equations is the best play) or we end up with N-Dystopia, a Balkanization of the net, and warfare that scales all levels up to kinetic and will be the death of us all. Can you guess where I think we are right now on the N-scale? Yes, you’d be right to lean toward the N-Dystopia area. In fact I would even like to see that idea rendered in a new way with an older iconography, that being the Doomsday Clock analogy. Perhaps someone can take that up online and create one for the cyebrwarz eh?

Power Dimensions:

What must be taken into account in the great cyber game is that all of this is centered around power plays. The use of information as power, the use of information to effect actions vis a vis “power” and the varying types of power that are being wielded by the players. This paper covers this idea pretty well and should be required reading for anyone looking to study cyber-warfare along side Clausewitz and other more well known pieces of doctrine. Some however may already be familiar with the ideas of hard and soft power but let’s take that into the electronic warfare arena which is a bit harder to scope today.

  • Hard power
    • Overt threats and rewards
    • Kinetic action
    • Coercion
  • Soft power
    • Cooperation
    • Co-Option

Both of these types of dynamic play off of one another and work in tandem. There actually is a whole spectrum of power plays that can be derived from these basic premises but I will not go into all that here. To date I have seen an abundance of hard power tactics being employed on the game board and I fear that that seems to be what the governments of the world have locked on to as their aegis. I would love for more to try the soft power tactics and methods but I am too much of a realist to hope that it will ever really happen.

The game play today that we are all seeing unfold before us is the hard power of Stuxnet or the ramping up of every piece of malware and 0day conceivable being purchased by the US government or others in an effort to be superior when the battle comes. That is though when they are not using those said same exploits in the darker games of realpolitik that they are prosecuting now. As I see it now we are hurtling towards a massive cyberfail of our own making and the real cost of the bad play will be economies around the world and other collateral damage that may not be an apocalypse as we currently understand them to be.

The power dimensions portion of this paper is quite enlightening and you should broaden the scope of how those plays are made with information and the internet. One must understand the playing field as well as the weapon you wield. This is the main problem I have of late is that all too many people and governments are not understanding the game play, the field of play, nor the tools they are using (pieces) well enough to play the game well. This makes not only for bad play, but in this game there are real world consequences for us all when some government or actor does something immensely stupid.

Cyber Games Today:

So what are we seeing today that has me worried? Well, we have the cybergames with Stuxnet and other malware to start. I liken the release of Stuxnet as skin to the release of a biotoxin or virus that eventually will be re-worked or manipulated into a more fearsome weapon. These are not one use tools, they are in fact re-usable and re-tune-able. Once these things are out there is no controlling them and with the idea of Stuxnet you have something that was used against one target but could affect hundreds more in friendly countries if they had the same configuration.

Another cybergame being played today is the new surveillance state that we find ourselves in. It seems in the case of the US we have people who are interpreting our Constitution to suit their needs under the rubric of protecting the homeland. This cybergame is all about information and the power dimension of controlling it. I have been watching this Snowden affair unfold and frankly I am frightened of the capabilities that the NSA has but I am much more scared that they claim that they are protecting us while a Snowden subverts the very systems they are saying cannot be misused. This particular cybergame when looked at, show’s all of the hard and soft power dimensions at play with the media and the law. This should also be brought into the cyber game play as well.

Yet another cybergame going on is within the public/private sector and I call the “Patriot Games” What I mean by this is that we have non state actors playing rolls of asymmetric warriors online to effect whatever change they see fit. A certain un-named clown for one is a primary actor in this space and really started the trend in my opinion. The cybergamers here are vigilantes nothing more and nothing less and may or may not have an effect on the grander scheme of things on the net and in public policy. For the most part however, these players are on the hard power end of the spectrum and thus just mostly come off as thugs.

Lastly, the cybergame that seems to be the one with the most chance of playing in the larger space is that of Anonymous. Anonymous has been able to leverage many players into semi cogent action and could in the future have a real effect on policy and other dimensions within the cybergame play. The only reason that I place Anon into this game is because of that mobilizing force that they seem to carry. If motivated and able to be cohesive enough this group could affect the greater games being played and have on a microcosmic scale thus far in recent history.

In all, the games that are being played, and they are games, all serve as a means to an end for those paying attention to understand and perhaps help those in the seat of power how not to play the game at all. Our petty squabbling on the internet is just that. The reality is that the net is important and much of our lives today require it to run smoothly but if the net were to go down permanently our society would not utterly collapse. We would survive and we would re-build. The question then becomes would we have learned from it and do things better the next time around?

Cyber-Utopia and Cyber-Dystopia:

The idea of Cyber-Utopia is a far fetched one in my mind and probably many others out there. This would be a great thing if we could make it happen but given the petty nature of our.. well nature.. We will only see this ideal wash up on the rocks and sink into the ocean rather quickly. In the Cyber-Utopia we all work together, we cooperate, and we work towards a better day. … And I just don’t see this happening barring some kind of alien intervention frankly.

Cyber-Dystopia though I am afraid is already the case in many respects. We are seeing an almost Balkanization of the internet today as it is never mind the games being played in reality with Stuxnet and cyberwar. If the N-Dystopia comes to pass we will find ourselves at war with each other constantly in a “cyberworld” much like the episode of STOS “A Taste of Armageddon”  where all warfare is carried out via computer simulations and only the casualties report to be disintegrated as a means to balance it all out. Today though we will see attacks on economies as well as infrastructures to effect “war” (economic, political, or other) on our enemies and the real world costs will have to be measured in profit loss or perhaps even actual loss of human life.

The cyber-dystopia though is more than just an outcome of war. It is the outcome from our own inabilities to work with each other and our ability to rationalize warfare through a non apocalyptic destruction of life. It will be a tit for tat war of attrition that will not lead to any clear victories and certainly not elevate our societies in any way and that is the sad truth of it. Ladies and gents we are already in the dystopia. We just may not understand that yet.

Understand the game:

So, I leave you with the paper: The Global Cyber Game pull it down and read it. Learn from it, play the game if you like, and spend some time thinking about it all. We are on the cusp of another evolution in our society that we have seen repeated in every other evolution we have had. We create something, then we weaponize it. Perhaps if more of us understand it and the pitfalls we can prevent the N-Dystopia from becoming any worse.


Cyberwar, Cyberdouchery, and Where The Rubber Meets The CyberRoad

leave a comment »


Uso Xqx gukk: Xyc cpu sw zol kz sw tkrbp zpditaeeag rp xyh Gncai.

Zr kq b qrwhyt vj cghc bru gsuvo, e imcb fmkksl vv wrdgrz si wc lwpr. Ycpaf mk lg u ubfacer pj zqeokyc nfkai grq ch pv etaqsox sh byisitrgb.


CYBER CYBER CYBER CYBER WAR! (A new song by Culture Club soon!)

I have been more quiet lately due to being a little burned out on the whole INFOSEC scene. The usual groups of factions are bellowing their usual bloviations and rutting like wild animals online, locking horns with others for dominance. It all frankly makes me just want to step back into my blind and clean my weapon, but, it also gives me pause to think and reflect on it all. It has been in this mode that I have sat and watched the “cyberwars” continue to amp up with the Kaspersky’s of the world finding more and more malware to write neat little papers on how they work and how “nation-statey” they are (oddly though never Russian in origin.. Gee I wonder why?) 

Others out there are writing treatises on how “Cyberwar” will work all the while there has been no real definition put down and agreed upon by the masses as to what “cyberwar/Cyber-War/Cyber-Warfare” really is. It has not been codified really, even with the recent UN Tallinn document:

“A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”
Tallinn Manual on The International Law Applicable to Cyber Warfare – Michael N. Shmitt

Without a common definition we are all left with a great amount of confusion and gray area to move forward and commit actions that may or may not be “war” because there is no set ground rules, law, or definitions. So, here we are, we have all these people making a great hue and cry, plans and deeds, all without really understanding perhaps the potentials for their actions, all eager to get in on the ground floor of the “new war” and yes, you gentle INFOSEC reader are also part and parcel, willing participants to it all as well. The “cyberdouchery” it seems cannot be washed from your hands as well, and this includes me I think.

Mea culpa.. Mea culpa…

While reflecting in my recently infected state (pre-con flu) I sat down with the laptop and watched “Cyberwar: Not what we were expecting” a BruCon presentation that I had a hand in with Josh and Brian. The presentation went well, and as I had seen and thought about the material before, having had discussions with both in the process of creation, I began to have a bit of a paradigm change in thought on this after the final presentation. I looked back at my own mind set and writings on the douchery and realized my own shortsightedness, I too had fallen prey to the “cyberwars” and the only conclusion I could have now is that they are upon us, no matter the definition and I had better think on that.

Let’s face facts here… No matter how many times we call douchery, it’s here…

For all of the high handed railing that I have done in the past, I perhaps had missed the salient fact that people are people, and that we as a society will always latch on to the new “thing” that is super cool, but may in fact be the worst thing for us (think of the iPhone madness) We as a species, tend to go, like many other creatures, say parrots or cockatiels, for the “shiny things” It’s just our nature. So how much more shiny than anything else is the notion of a clean “cyberwar” where we take out the enemy with a click of the button, no, not with kinetic explosions but instead with the lights just going out or a centrifuge breaking.

Yeah, sound familiar?

This neat idea though could in fact cause some dystopian scenarios to happen and yes, in the idea of “war” as we commonly know it, kinetic actions (i.e. tanks and planes and bombs) would likely be employed as well, but, this in fact may not be the end goal of “cyberwar” in the minds eye of those dreaming and plotting it. After all, I would say that we are in the era of the “cyberwars” now in fact, and the only use of kinetic force seems to be only taking place in the non declared wars in Afghanistan and now the Horn of Africa right?

The “cyberwars” though, have been playing out mostly quietly, bits and bytes doing their non kinetic (mostly) damage, stealing data for financial gain or other espionage goals. Both nation state as well as personal, group, non nation state, whatever you decide to name the actors as, they are doing it, right now.. You can almost hear the clicks of the hard drives now right?

It’s really just a war of packet attrition… But then again I hear you thinking,

“But, you said war.. and well, that’s not war.. That’s espionage and maybe sabotage”

Well, yes, but, then there’s this notion of “Cold War” to deal with.

“Christ, I miss the Cold War.” (Cold War vs. Hot War)

The above quote was one of my favorites from “Casino Royale”, the recent re-boot of the James Bond story line. I find it apropos to this discussion as even with Josh and Brian, the idea of the nomenclature of war has been somewhat nebulous really. The idea of a “cold war” seemed elusive to them and perhaps even to me in some way, though I lived through the cold war and was actually in East Germany briefly just before the wall fell. Seeing the “cold war” first hand kind of gives you a new perspective I guess, so I was a little more pliable to the idea that a cold war was in fact a war, just not one where we have outright battles being fought in the “open” and that’s the key here.

Cold War Noun:
A state of political hostility existing between countries, characterized by threats, violent propaganda, subversive activities, and…
The state of political hostility that existed between the Soviet bloc countries and the US-led Western powers from 1945 to 1990.

Cyberwar, is the new “black” of Cold War.

See what I am getting at here? Sure, there can be an all out war that employs a “digital aspect” to it, (i.e. disrupting comms and supply chains) but also, the mainstay thus far of digital warfare is “information war” and this is much closer to “cold warfare” as it has ever been as you can see from the standard definition. Case in point, we are trying to contain Iran from having its own nuclear weapons. What have we been doing? Well, sanctions, propaganda, espionage, and now, post Stuxnet, digital sabotage of their programs as well as great swaths of digital thievery of their data to see just how far along they are.

Now, look up at that definition again and think about it… See what I’m saying here? Of course this is one element though and there are others like the kinetic typical warfare also described. Actions in tandem (digital and physical/kinetic) like that of Estonia but you get the point. It’s mostly, at this point, about cold war tactics to manipulate an enemy without committing to all out warfare and that’s the rub. Of course there are many war planners out there looking at plans to do more than just manipulate an enemy politically, that’s more the bailiwick of the likes of the CIA and other three letter agencies.

Diplomacy it seems, has a new tool in it’s little black bag…. As does the military sector.. Truly “Dual use” technology here.

State vs. Non State, War vs. Non War (What’s in a name?)

In the rubric though of “cyberwar” lately, we have seen arguments made (some unqualified, some quite qualified) about just what it constitutes and one of those factors has been whether or not the actors are “state or non state” actors. I would put it to you right up front, who’s to say who is or is not state actors to start with? Have none of you ever heard about proxy wars? I mean come on people, we lived through the 80’s and the wars being fought by proxy and still you guys don’t get it?

Iran Contra

Afghanistan and the Mujahideen

The War on Drugs

The Current War on Drugs with boots on the ground in Mexico (CIA/MIL)

So, you are going to quibble over nation state and non nation state actors in cyber warfare? What’s more, you are going to do so when attribution is so damned hard? Wow, the hubris of it is just stunning on some people’s parts within this community. Talk about douchery, just take a look around people. Sure, there is a lot of douchery going around, but I just have to say look in the mirror here and take a good long look. I think we all could be blamed just as equally here.

Actions taken by entities, in this arena (cyber-warfare) no matter the attribution, which may be wholly wrong mind you, can always have a sliver of doubt attached to them as to whether they are a proxy of a nation. It’s as simple as that. So, in the case of say the Georgia DDoS that happened, who can be sure, unless they have a really solid HUMINT report in hand, that this attack was not in some way or shape condoned or sponsored by the Russian government or factions thereof?

*silence.. baleful stare*

All I’m really saying is that the world is grey and to make great pronouncements of “I know shit” isn’t going to cut it in reality, and that even goes for me. Like they say on the internets, photo’s or it never happened. What can be said though, is that it would seem, from all evidence within the media machine and the rhetoric of the governments of the world, that the Dr. Cyberlove’s of the world are beating the drums for “cyberwar” pretty damn hard… And that the governments are scurrying to get a piece of the action.

“A fool with a tool.. Is still a fool” (Or: Simians flinging digital poo)

Which brings me to my next diatribe. As the title above says, a fool with a tool.. Is still a fool. Folks, we have all kinds of work going on developing 0day’s and plans of action by various warfighting units new and old. It seems that whenever we, as a race, come up with a new way to get over on the other guy, we mass produce and refine it without really thinking about the ramifications of our actions. It’s just human nature it seems, but in cases like this we just rush headlong into it, like we did for so long with biological warfare.

“Surely digital warfare and code is nothing as bad as biological warfare” is what some of you are thinking out there now as you read these lines, and yes, you are right I think on the whole, but, there is always wiggle room for disaster right? The potentials for malware and unforeseen consequences are there and unlike Jericho’s take on the dangers of “cyberwar” now, I can give it a little more room for possible bad outcomes from what’s being created now. What will happen as we all reach the singularity that some are postulating as we network everything? Currently the grid is a big topic as we make the “smart grid”, a model that is already being attacked by hackers as well as perhaps nation states trying to gather intelligence on how it works/will work and how to manipulate it. This type of attack alone could be dual use, like the Stuxnet attack, it could be a way to manipulate a country and its policies, or the prelude to a further physical attack. Who’s to know until it happens right?

All in all, I just have to look on in wonder at the hubris of the whole affair. We truly are monkeys with digital guns. Unfortunately today we have political systems that are short sighted and, in the case of our own here in the US, groups of diametrically opposed morons in a political election cycle that looks much more like a high school election campaign for prom queen. These are the people in the political office that direct the policies and war plans for us, which now include the idealistic ideas of “clean cyber warfare, targeted and with little blowback or collateral damage”

Monkeys with digital guns…

Cyberwar and YOU

Well, so here we are, we are in the age of the “Cyberwars” as much as the term might stick in the craw of many in the community. I would put it to you that as a person with anything online, you are a target. Whether it be the cyberwarfare of the state, or the cyber machinations of the criminal gang seeking to steal your money or your data, we all are under the same threats. Infrastructure as well as your personal PC are targets within a larger game of digital Stratego. Face the fact, live with it a while, and then think about what you can do to insulate yourselves a bit better.

It seems that even if you do not have a computer (some don’t.. no, really!) you still have a digital presence online because the companies that you do business with have one. The governments have their records online and those records are your records! There is no escaping it really, you are a part of the picture and you should get used to the idea. The power that you suck up every day with your digital toys is somewhat vulnerable and a target, and even if the adversary cannot take out the whole country, let me tell you from experience, just take out one state and see the shit fly because people don’t have power. Where I live we had that big storm a year ago and when people could not get their gas to power their generators it started getting hairy, and that was with the power only being out a week or so. Imagine if it were in fact long term? It’s the people’s reactions (base and territorial) that worries me more than the power being off.

So, whether it’s your data, your power, or your money, you too are a cog in the vast cyberwar machine that is all the rage. Will bad things happen? Maybe. Will epic and tragically bad things happen? Maybe. I am not short sighted enough to say it won’t ever happen, nor can I say that these attacks will not be employed by some foreign power or Bondian villain. I’m just saying it is possible, not overly likely, but look at all the work going on at DARPA and other places looking into how to make it a reality.

The cyberwar is upon us and we had best start taking it seriously because people in power are making plans, and like biological warfare, it seems perhaps there could be unforeseen cirucmstances that could trigger bigger and worse things.

Plan accordingly and think a bit more cogently.


Written by Krypt3ia

2012/09/29 at 13:16

Peter the Great Versus Sun Tzu: DEATH MATCH!

with one comment


“Douchery, it seems, like life, always finds a way”

Even in the shallowest of pools, the most vile of biological sludge can dwell.. And so it seems that the friendly folks at Trend Micro have decided to put out a little pdf on how the different kinds of APT act, rating them against greater entities from history. In other words, they put out a pile of crap and think that they have done the world a great service in laying said pile of crap where you can trod in it.

The paper, “Peter the Great Versus Sun Tzu” alleges that a comparison can be made between the varying actors in malware creation and use today. They have broken this down into a battle royal between the “Asians” (i.e. China) and the “Eastern Europeans” (i.,e. The Russians) which, is just patently stupid, but, lets choke down the bile for a bit to really look at their “research” shall we? Let’s look first at the players in this game, well the ones other than an AV firm looking to get their horse into the APT game that is…

First off, the paper is co-mingling and APT vs Crimeware activities while trying to compare the two which is somewhat dubious in my opinion. Why? Because as there are different goals here and widely different time tables as well as assets available. Crimeware may have come a long way, but, it is not at all at the level of the espionage game being played not only by China, but also Russia as well as a host of other countries in the game today. So, just to focus on these two is rather short sighted to start, but wait, it gets worse! They go on to look at the structure of the orgs as well comparing each to a thought leader in their country, thus we have Sun Tzu and Peter The Great.. Which, uhh, well, Peter The Great? Really? I’da gone with Rasputin or something like that but ok…

Secondly, the paper then goes on to talk about infrastructures and timetables of each group’s modus operandi claiming that there was extensive research into it. Of course the only research that they link to was a paper on the Chinese syndicates on their blog. They do link to a couple other studies on past malware packages but really, where’s the love for the Russians here? What’s more, the author then goes on to talk about how the players are like mercenaries (Russia) and Foot Soldiers (China) which in a stretch can be almost made, but, there is much more complexity to this issue of operations than an eight page document allows for. Sorry, but you are glossing over so many salient facts that must be talked about here that it all just makes the point of the exercise laughable.

What’s more here, uhh how is this going to help anyone looking for help with APT with your product Trend? Do you have some magical “Sun Tzu Difference Engine” that we don’t know about yet? Look, it’s all good that you want to investigate the players and you think that you can look to be better equipped as an AV company to deal with these threats, but nothing in this document has anything to do with real world countermeasures or, for that matter, solid information or understanding of the mindset’s of the players here.

Not to mention, like I alluded to above, they are not the only players here. So… What was your point again? I mean, even your “tactical comparisons” were weak and only part of a larger and more complex picture that you just don’t seem to have a handle on. Otherwise I think you would have thought better than to release this on the internet.

“Sun Tzu is Angry…”

Ahh, well, here we have another aspect of this paper that I have a bone to pick with. I have had this discussion with Jericho on more than one occasion and to whit, anyone trying to kulge Sun Tzu into any cyberwar or cyber cyber cyber argument had better be well versed in two things.

1) Being able to think like a tactician

2) READ and have UNDERSTOOD all of Sun Tzu and The Art of War

All too often people wing out a single maxim and BANG! They are experts on this subject! No, no, you’re not there cowboy, now sit down and shut up mmmkay? In this instance, Sun Tzu’s name is used but not really related to at all within the document as a whole. No explanations on how the author conceived how Sun Tzu’s teachings about warfare at all affected or shaped the Chinese APT/Hackers/Malware Writers at all. Not. One. Word. So, exactly how does Sun Tzu fit in here other than a catchy title one wonders… I am going to hazard a guess that the author has not read and understood Sun Tzu… And I am further going to make a statement that that is just really douchey.

While the paper does have some inkling of the idea that there are different classes of hackers within China, they really have yet to emote any other understanding than that. It’s akin to saying there are many cats in the world.. “So many that there are all kinds!” Yeah, thank you, please sit down and learn with the class there Clyde… Look, there are many reasons for hackers and malware writers to be active. Many psychological reasons that are innumerable, but, there are some broader stroke ideas that can be made, and yes, some of them are political. See, we are all a product of our upbringing and in China, they are rather nationalist as a country, so sure, there would be a great swath of players out there doing it for their country or their pride. But, that’s not the whole picture nor are any others really written about in this paper.

Additionally, I nearly choked when the paper cited the “Thousand Grains of Sand” without any real preface or explanation thereof afterwards. All I’m saying here is that you need a better understanding of China, the MSS, and the players as a whole (Green Army to today’s patriotic outfits) as well as the Nation State players before you just release such drivel upon the world Trend.

Go read… Maybe talk to some hackers… Eight pages to explain the Chinese! HA! Do you know that they have 26k characters in their language right? Eight pages…

Sun Tzu is pissed and he will send the clay army after you soon.

“Peter The Great is pissed too!”

This brings me to the illusory statement about the Russian hackers being “Mercenaries” and on equal footing like the days of Peter when he removed the egalitarian nature of the army to allow for officers of any class to be made…


It’s twattle and you should be beaten around the head and neck with a rubber fish for that one. How the hell do you get from there to the criminal gangs today? Hell, how do you even try to equate that to FSB/KGB/GRU activities being perpetrated by these groups? I mean, ok, sure, highest bidder for services and small groups of thugs sure, maybe the moniker of mercenary is apro pos but they are more like thugs and gangs than anything else.

Sure, they want to keep their trade secrets to sell to the highest bidder as well. So they take more time and patients with their infrastructure and coding. It only makes sense, but once again, what has this to do with your AV product? Do you have some sort of “Semiotics Engine” you are selling here? It’s all just backfill and not really fully fleshed out with, oh, facts and such. You know, citations maybe?

Yes the Russians have quite the syndicate of malware writer gangs and yes, they make lots of money… But if I wanted to know more about that, I’d talk to Brian Krebbs because, oh, he has experience and cites facts in his articles…

Just sayin…


In the end, I read this paper with increasing amounts of bile rising out of my duodenum with each word. It’s great that you want to take up this “research” and all, but, really, what’s it got to do with Sun Tzu, tactics, Peter the Great, or for that matter, your AV product? Will all this unsolicited and unsupported conjecture really give me an edge with your product line? Will the “Semiotics Engine” stop the next wave of crimeware phishing emails coming at me that try to connect to Turkish servers? Will that in fact tell me that it is really the Russians or the Baltic players? Or maybe this is all some sort of “Attribution Engine” you are developing for us all to understand the adversary better as you shrug your shoulders, palms up, and say “Sorry, our product didn’t stop that malware”

Do us all a favor and go make an engine that really works. Come up with a means to really protect our end users from phishing emails and their own stupidity (CLICK CLICK CLICK! HEY WHY WON’T THIS SCREENSAVER WORK?) because this paper, as you call it, is useless to me and everyone else out here in the real world looking for some kind of solution.

… And don’t come out of your lab til you have a real workable solution…

Why? Cuz Sun Tzu said so THAT’s WHY!


Written by Krypt3ia

2012/09/21 at 19:38

“THREAT INTELLIGENCE” Sure, there’s plenty out there but, are you an analyst?

with 2 comments

Sfy fdh uua ldy lbrld nswgbbm obrkdvq C phmkmye, utn obnm mify ptm mwy vl sbw mgkznwal htn gz jahwz pvvsijs vl dpgfixc.
Lwuq fnlw ug


From Dell’s CTU page

Threat Intelligence

Time is of the essence when protecting your organization’s critical information assets against cyberthreats. However, finding the security intelligence that matters most to your organization consumes precious time and adds strains to in-house resources already stretched too thin. At times, days or even months can pass before vulnerabilities in your environment are patched, increasing business risk and expanding the window of exposure.

Leveraging Dell SecureWorks’ global threat visibility across thousands of customer networks, proprietary toolsets and unmatched expertise, the Dell SecureWorks Counter Threat Unit (CTU) security research team performs in-depth analysis of emerging threats and zero-day vulnerabilities.

Powered by CTU research, the Dell SecureWorks Threat Intelligence service delivers early warnings and actionable security intelligence tailored specifically to your environment, enabling you to quickly protect against threats and vulnerabilities before they impact your organization. The Threat Intelligence service enables you to reduce considerable risk by closing the window of exposure more quickly, and also enables you to spend more time devoted to quickly remediating the risks most pertinent to your organization.

Threat Intelligence services provide:

  • Proactive, actionable intelligence tailored to your environment
  • Clear, concise threat & vulnerability analyses
  • Detailed remediation information & recommendations
  • Consultation with our threat experts
  • On-demand access to extensive threat & vulnerability databases
  • Malware analysis upon request
  • XML intelligence feeds
  • Integration with other Dell SecureWorks services for correlation and unified reporting


Threat Intelligence: THREATINTEL another acronym or name of something we in the INFOSEC world are now hearing as a mantra of what we need. Vendors are pimping this idea as they “cloud-ify” their solutions (SOPHOS etc) to give you the proper “Threat Intelligence” for your org. Plug in threat intelligence into Google and you will get zillions of hits that are sales pitches right off the bat. However, recently on the LiquidMatrix podcast the question was posed of “just what is the meaning of threat intelligence?”

I think that is a very important question and perhaps there are more of you out there who may not know. Certainly there are C levels out there I am sure who haven’t a clue what it means as well. A basic understanding of English will tell you that this activity involves threats and their detection, but as a company what are the threats that they would be looking for? A person with a military background may have another idea altogether of “Threat Intelligence” as they may not be so much focused on network or computer issues. Instead they may focus on physical security and the threat of individuals. Still others with a mind toward the world of intelligence, may see a more nuanced picture of the same term with bigger pictures and more subtle ideas.

The upshot here is that for each person or group that takes up the idea of monitoring threat intelligence, they first have to know what they are particularly interested in keeping an eye on, and how their organizations need that intelligence to work for them.

Threat Intelligence Takes Many Forms

In today’s world and from where I am seeing (or actually hearing it used most) is in the world of information security. In this instance, and for the thrust of this article I would like to define the types of threat intelligence that we should be paying attention to in no specific order as all are an equal part of the larger picture:

  • Malware types and propagation
  • Phishing exploits in the wild and their modus operandi
  • Vulnerabilities out in the open (new and old)
  • Your AV and IDS/HIDS/NIDS capabilities (stratified? Not? Multiple types?)
  • SIEM and Network Monitoring of health/traffic
  • Network centric asset management (a good network diagram that is updated frequently)
  • Hardware asset management (knowing what you have and where it is)
  • Software asset management (knowing what you use and what should and should not be there)
  • Network landscapes (yours and others connected to you)
  • Potential Aggressors or bad actors and their types
  • News Cycles on hackers and hacks
  • Political and social “net” movements
  • Your social media posture (PR etc) in the world at large (i.e. social media monitoring of your org being talked about)
  • The state of morale at your organization
  • Industrial espionage potentials for your org (what you hold and why it might be of interest to a nation state or other)
  • Patching and your network landscape
  • The security posture of the orgs that work with you and have connection to you
  • The threat to any orgs that you are affiliated with and connected to (i.e. higher threat and poorer security posture make for a higher threat overall to you)
  • Actionable intelligence from IDS/IPS as well as trending data from a SOC (Security Operations Center)

As you can see from the above, it’s not just getting your hands on an IDS/IPS or a SOC service and looking at the attacks currently being aimed at you. You have to know the environment, know the players both inside and outside of your organization and be able to extrapolate a big picture view that you can then drill down into and have a deep understanding of.

Is this always possible in every org? Certainly not…

However, all of these factors above could lead to a technical compromise as well as perhaps an insider leak of information that could cause you great damage. You see, this has to be a more holistic picture and not just a network centric approach in order to have a better chance at protecting yourself. The focus for many of us in the information security sphere all too often just takes the form of technical means of security when the picture is much more complex. Unfortunately though, this is where many of the companies out there looking to sell appliances and cloud services lead companies and C levels astray.

Threat Intelligence Snake Oil

Sure, a SOC and an IDS/IPS is always a good thing. I am not saying that going without one is a super fantastic idea. What I am saying is first, you have to know your appliance. Know how it works as well as what the alerts mean yourselves, not just let the service dictate to you what an alert means. Now this means that you should have technically capable people who can read an alert, know the environment well, and determine “if” an alert is indeed valid.

Remember the old axiom “A fool with a tool… Is still a fool”

SOC services today often also say they offer you threat intelligence reports. These often are regurgitation’s of news stories on current hacks that have happened as well as patches being put out for various systems. No doubt these are good, but, they don’t always have everything you need to understand the threats. This is if you even get this feature, some places may in fact only offer the IDS/IPS and it will alert you alone without real context other than a CVE and some technical details. It is important when you decide to get a threat intelligence piece in addition to an IDS/IPS service, that you look at their alerts and get a good working picture of just how much information they are collecting, it’s relevance to your org, and its timeliness. After all, if you get an important piece of data the day after an attack, its already too late right?

This is all predicated though on the idea that you have someone or group of people who understand threat intelligence principles and how to apply them to your particular environment. This is where you need “Analysts” Even with a good SOC service that has good threat intelligence for you, it’s useless unless YOU have an analyst who can interpret the data.

Threat Intelligence Requires Analysis

A common issue in the intelligence game is having analysts who understand not only the data, the complexities of environments, and the big picture view of things, but also the ability to “analyze” data and extrapolate from it in a cogent way. Recently Jeffery Carr posted a blog on Infosec Island that was particularly prescient about the need to have the right psychology when performing analysis. He is absolutely right and in his article it was specifically around the intelligence collected by agencies like the CIA. You however are likely not the CIA but, you still need to have an approach to your threat intelligence in the same vein.

The technical side of the threat intelligence needs to be married with the social and psychological as well to have the big picture view of your threats. As I mentioned above, you need to know who might have it in for you, who might target you, why would they target you, and other motivations to have a better grasp of your threat matrix. For this, you need an analyst, or analysts, not just a report from the SOC. The same can be said just for the technical side of the house as well. If you have technical alerts but no real insight into how they work as well as what you presently have in your environment, then it’s game over really. The same can be said if you don’t have an analyst who can then extrapolate all of this into a cogent means of getting it across to the C levels that there is an issue(s) and the urgency or not of remediating them.

Analyses and analysts then, are the linchpin to the whole process. Without good analysis, then the service is useless really.

Graphic from:

It is paramount to have a working program of threat intelligence as opposed to just getting a service and thinking you are all set. This to me, would be the next level of “Candy Security” in that you are laying all your eggs in the basket of some service like so many still today think that they have a firewall and their all good. As we have seen in the last few years alone, the threatscape of the online world has grown from just malware that steals bank data to malware and attacks that have much broader scope and end goals as well as aggressors that are thinking much more laterally in their approaches.

So once again, analysis is key.

Final Analysis

As the complexity of attacks grow at a rate outstripping the pace of “Moores Law” the defenders have to take up a more nuanced approach to protecting their environments and their data. Reliance on technical solutions alone is not tenable, and as I have said in the past, you have to look at the creature behind the keyboard to get a better picture of the attack much of the time. A better understanding of all of the areas mentioned above will give you a higher chance of at least keeping some pace with the attacks out there against you.

Without analysis and insight, you are in an oubliet.. And you will want to “forget” because if you really think about the threats just from not knowing what goes on in your environment, you won’t be sleeping much. Consider your threat intelligence program if you have one, and if you don’t consider starting one.


Written by Krypt3ia

2012/08/26 at 12:41

Project Viglio: There Will Be CyberDouchery!

with 9 comments


Once Upon A Time….

Once upon a time, not too long ago, at Defcon, a guy no one really heard of stepped up and claimed he was starting a new group and needed volunteers and money. This was Chet Uber, and after some time, and some posts, we all thought this little group with the misspelled logo (viglio is not vigilant wink wink nudge nudge) but it seems that they just fell off the radar instead of imploding. I had previously written about the whole debacle in the making a bit ago and gave it no more thought, that is until today when someone passed me the article linked above. It seems that they have been slinking around doing.. “something” and gaining alleged members like Vint Cerf? Really Vint? You’re gonna hang your hat with Uber?

*blink blink*

*Que Swordfish Soundtrack*

Wow, stellar… Ok, so, back to the show here. This article out today seems like a bit of a play for money to me. After all, there’s the “We’re secret and we do secret attribution things but, we are running in the red” *pulls pockets out and shows the lint* So, why allow an article to be written by a second rate blog cum news source online? Allowing super secret access to all their super secret bits to do a tell nothing piece?

*sniff sniff* Smell that? It’s “CyberDouchery”

Oh, There WILL be Douchery

So, who do we have listed in the super secret organization according to what “could be told” by Chet and his crack team?

The group’s membership involves people from a wide range of disciplines and backgrounds. The current leaders who are willing to be publicly identified (other than Uber) include Mark Rasch, (General Counsel, Director of Cybersecurity for CSC), A.J. Fardella, (Director of Intelligence and Analysis, Director of Black Diamond Data and a planning commissioner for the city of Pittsburg, California), and Michael Tomasiewicz (Deputy Director and second in command to Uber, Network Specialist with ConAgra Foods). Others include Adrian Lamo who is the Assistant Director for Adversary Characterization, Doug Jacobsen (Director of Science & Technology, Professor of Electronics at Iowa State University), and Jeff Bardin (Assistant Director, Intelligence and Analysis – Middle East Desk, Chief Intelligence Officer for Treadstone 71).

Hmmm some names are familiar, and some have the patina of being legit.. Perhaps they are just idealists. All in all though, the same problems around this “organization” still apply. What are they really doing? Who are they reporting to if anyone? What support are they to LEO’s and why, if they have such luminaries in the biz like “Treadstone” *snort* are they not in fact funded by the government in some way? Also, if they are all doing this kind of work, what is the clearance level like here? Is the government in fact sharing data with these folks to bird dog things?

I somehow find this unlikely.

Also, the bulk of the people listed are not really overly technical so where are all the real technicians here? There are just a plethora of questions that come to mind with this feeble article on and frankly, they open a real can of worms I think for anyone really paying attention to what’s going on with regard to attribution and general buggery that’s been going on since Stuxnet appeared. PSYOPS, Jester, Anon bullshit, it’s just been a festival of stupid out there and this just adds a fouler odor to the whole thing.  The worst part about it though is that the government may in fact be paying attention to these people and taking data from them as gospel.

*baleful stare*

Really USGOV?

So yeah, the government is not saying much here but we have Uber saying that they are doing all this work and passing all this data.. I really don’t see the government responding here or talking about “Project Vigilant” do you?

*Cough.. Anyone?*

So, once again, I ask you, if Viglio is not getting INTEL from the government and the military, then who might their targets be? Ya know, who’d be out in the open and available to the spooky eyeball in their cheesy logo?


Hmmm say Anonymous? Or maybe anyone on the internet who might not share their opinion? See, this would be the optimum target for a group like this. A group of non condoned individuals not cleared for national security cases but wanting to help… Or am I just a paranoid old man?

Oh shut up! I know I am!

Anyway, I certainly hope the US Government takes all this with a grain of salt, that is, if they are taking this at all. Since Viglio is not telling exactly what they do, it is highly likely that they are just trawling the IRC channels looking for unsuspecting n00bs to capture with their wiles and then write nifty reports on them and pass them to their local field office… Which in fact might just throw them in the circular file… If they were smart. Unfortunately though, I suspect that there are customers for their data and in that, the fear of what they could be up to wells inside me, as it should all of you.

Given The Known Known’s… Shit, Should We Even Worry?

Ok, now that we know they are out there and we pretty much can surmise that they are not working super secret cases for the NSA, just what are they up to? As I alluded to above, I personally think they are just trolling the internet looking for hacker n00bs to turn in as would be APT.

But, that’s just me huh?

What? Others think so too?

Yep, they do.. On background I have talked to a couple of people in the know and they have the same opinions generally. Basically everyone feels that this is some sort of charlatan-esque effort on the part of a few who may in fact think they are doing the right thing. Others may be more motivated by ego and perhaps money (if there is any to be had) but generally, the feeling is that this is a pile of bad mojo. One source that I talked to said this (paraphrasing here)

“Ok, so we have a small community here and no one we know has been tapped for this duty or been asked about it? No one we know actually works with them? The odds of that within the INFOEC community are pretty that we would know several somebody’s who were actively working on it. The fact that we don’t bespeaks a problem with this organization”

There seem to be a lot more questions about this group than there are answers and no matter how many names with brand recognition you throw out there (mind you many of them thrown out there now are once again, non technical people or charlatans) you are kinda left with a sense of feeling dirty for having thought about them.

I Hope Our National Security Doesn’t Depend On These Quacks…

*hangs head*

Once again I come to you with a rant and a peek under the incestuous blanket of INFOSEC and CYBERDOUCHERY. I am sorry for those of you with delicate dispositions, but the tales must be told for all our own good. A group such as this, extra legal as they seem to be and rather deliberately evasive using the rubric of “secrecy” as their cloak should set all of your spidey senses off. At best they are a group of people seeking to do good but in fact may be doing ill by carrying out poor OSINT. At worst, they are a group  of people trying to boost their ego’s by thinking that they are secret squirrels and in the know.

Either way, I would hazard a bet that nothing good is coming of their machinations and anyone out there on IRC may find their names in files that they can FOIA request that came from tips by “Project Viglio”

This shit is just out of hand…

I suggest people look into their background and decide for themselves…


Written by Krypt3ia

2012/08/21 at 19:03

“Active Defense” The New Digital Wild West Justice

with 3 comments

Bringing A Knife To A Gun Fight

So, companies are starting to consider what is being called “Active Defense” against would be attackers online. Given what I know about the places I have seen over the years as a consultant, I would have to say that this would be the net effect of bringing a knife to a gunfight. Why you ask? Well, because as we have seen generally, and are being told all of the time by numerous people, we, generally, do not have very good defenses in many companies never mind the wherewithal to “strike back at” anyone that might be knocking on your digital door. This my friends, is one of the worst ideas in all of human kinds existence.

No doubt it will be the norm soon though, with a vendor on every stoop selling the next whizbang “blackice” to get those pesky APT’s

Wheeee, I can’t wait! Look, why not just fix the stuff you have and work on keeping it secure and not letting the bad men in first shall we? What? That’s not sexy enough? You say it’s not proactive? You need to see blood once you have been hacked?

Oy vey…

Earps, Clantons, And The Duck Of Death

I can see it now, it’s going to be akin to Old West gangs on the internets. The Duck of Death will be out gun-slinging, calling out all those weaker sorts in his clipped British accent.

“Come now sir, you really think that firewall will stop me? Don’t you know who I am? I am the Duke of Death”

This will just get out of hand and incredibly stupid. Sure, you can say that you are just going to maybe tarpit those attackers to prevent them from getting in quickly, but, you have to know that there will be (already are) services where blackhat types will hack back against those who “dun you wrong”

*spits into spitoon*

“Yup, I can git a cyber posse together and we can capture those there cyber varmints that done you harm lil missy”

This won’t end well…

Seriously? We Can’t Even Secure Our Shit

On a more serious note though, how many companies are really in a position to even think that they are near being secure? What we have developing here is just a reactionary “for hire” model of blackhats, and really, who’s to say that this company you are hiring isn’t going to rat you out in the end anyway? Or, for that matter, that their super blinky light appliance really will do what they claim and.. Well… What? Attack who? God, don’t even get me going on attribution here! I mean, really, c’mon, I have been all over this, who’s to say that Pharmacombinate A actually hacked your secret sauce in the first place? Especially if you have poor defensed already and no real way to tell if you are right.

Oh, and do you have a proactive and knowledgeable security team anyway? Do they have control over the environment (as much as anyone can) to respond not only to an incident, but also the aftermath? Are they in fact going to push the button on countermeasures? Will it be automated and perhaps cut off business operations because someone forgot to enter an IP address into a firewall or “hack back” appliance? What if it’s a client or business partner under that same scenario? Are you going to hack them? Block their traffic and thus go back to the issue of stopping work flow?

Nope, this is an idea that will just end in heartburn and law suits I suspect….

Bad Ideas, Like Cockroaches, Proliferate Quickly

Oh well, I am sure there are plenty of vendors out there printing up color glossies for the rubes to  buy. Others are making appliances with blinky lights and maybe even sound effects


Oh there will be douchery, and lots of it I suspect. Say, how long does snake oil take to ferment anyway?



Written by Krypt3ia

2012/06/19 at 20:32

Dr. Cyberlove… Or, how I learned to stop worrying and love CYBERWAR!

with 4 comments

“Based on the findings of the report, my conclusion was that this idea was not a practical deterrent for reasons which at this moment must be all too obvious”

The Cyberwars and Your Government

Today I opened an email/link that started me on a long strange trip into the wonderful world of cyberdouchery once again. I suppose that since I work in this business I should not be surprised to be brought to the heights of Tourettes ticking and swearing by what I read, but, yet again my brain just dumps like a BSOD and the stupidity laid before me. The quote that got me is the following from a Senate hearing yesterday afternoon:

“I fear that when it comes to protecting America from cyberattack it is Sept. 10, 2001, and the question is whether we will confront this existential threat before it happens,”

Senator Joseph Lieberman, an independent from Connecticut and a co-sponsor of the bill, told his colleagues, according to a prepared text sent by his office.

Joe… Joe you are a moron.

*facial tick*

Comparing the FUD of a cyber attack on our infrastructure to 9/11 is the WORST kind of fear mongering and pandering that I can even consider and YOU Mr. Lieberman have no idea what you are talking about. It is unconscionable that you go around spouting this crap in front of your colleagues as a means to an end to getting a bill signed with your name on it! I was yet again astonished by the hubris of this guy until I read the next graph of the story where he is backed by Jay Rockefeller;

“We are on the brink of what could be a calamity,” he said. “A widespread cyberattack could potentially be as devastating to this country as the terror attacks that tore apart this country 10 years ago.”



So, you and Lieberman are saying that you are both experts on hacking, infrastructure design and implementation, AND just KNOW that its indeed possible to just destroy the system? That that system will cause a cataclysm that will end life as we know it? Sure sounds like you think you are on top of that. Oh, and you two are going to bring the specter of 9/11 in there as well huh? Is this the only number you guys know? I mean even Hope & Crosby had other dance numbers they could throw out there to entertain in those road movies!

Hey, I have news for you two.. 9/11 did not destroy us. Nor will any attacks, “if at all really possible” on our infrastructure. You are just using jingoism and FUD to sway the other morons on the senate. I know you two are not hackers nor are you even able to understand IP implementation never mind anything on the OSI layers..

So.. Where are you getting all this crap?


Enter Richard “Dr. Cyberlove” Clarke III, a man of mystery brought here from Germany in Operation: PAPER-CLIP. The man with the plan, the only one who KNOWS that the cyber villains out there can easily subvert all of our systems and turn out the lights on the US within a matter of 15 minutes.

He’s in the know and he’s got a plan.

Quietly in the background he is whispering into the earwhigs of Rockefeller and Lieberman, telling them what to say. With gravitas, he whispers in his not quite so German accent about how absolute pandemonium will break out if the Chinese and Anonymous break into a water facility in podunk Iowa and tamper with a bilge pump. A cascade effect will build from that single small failure until minutes later we are all out of power and unable to respond to… to… Something.

Yes, it’s the likes of Richard Clarke and others out there in the world with desires on the security space and having “powers” as well as sacks of money, are the ones selling this crap to the senate and the house. Spinning tales of absolute destruction to those who can’t even plug in their own DSL routers at home. Selling them all with tales of 9/11 and how devastating it will be once the hackers gain control of the pipelines and the power grid and the planes, trains, AUTOMOBILES!


Or… You could maybe make some new laws granting more powers with less oversight and understanding *he says sheepishly* Let us handle it all for you… It’ll be ok. I can help, I am in the private sector now and I happen to know these guys.. Well, it’s a company.. Well, uhh yeah I kinda am CEO.. But.. WE CAN HELP YOU!

For a fee…

CHA CHING! FUD, Legislation, and Sales

The one thing that I can kind of agree with that AntiSec has put out there (the old one not the new) is that generally, there is too much FUD being sold to the straights to make sales. The snake oil is thick out there and the use of terms like DLP, DPI, and APT are buzzwords that make sales through fear and whizzbang. I the case of APT it is one of the most misused terms today that unfortunately gets put on the side of appliances and in brochures that offer the cure all to your ills.

There are too many companies out there with marketing schemes selling to the latest FUD nomenclature and it is really quite sad. The saddest thing though to me, is seeing such snake oil and chicanery being used on our government and the congress critters to manipulate them. In the case of the congress it is not only the interests of those companies monetarily at work, but also, as I alluded to, other forces, perhaps somewhat darker in nature.


Digital land grabs are being made by corporations (MPAA/RIAA) as well as the military and other services seeking to have dominance in a new world of opportunity, the digital space where, just like the days of old, you can do pretty much what you want to, until it is legislated on. So much of this lately though, seems to be corporately driven (MPAA) with ACTA, SOPA, PIPPA and so on where corporations want to control the space in order to not lose profit. Sometimes I understand this, in the case of IP (Intellectual Property) it’s warranted in many ways. However, the lengths that the MPAA and others want to go to to get what they feel is theirs is completely out of scope with the realities of the world.

It really just comes down to profit margins in the end.. And they are willing to spend big bucks to lobby the government to get their way. Sadly, the lobbyists cater to the senators desires for money to keep their jobs as well as perhaps line their pockets

(poor babies soon won’t be able to carry on their insider trading in the senate! OH NO!)


Hi, I’m Your CYBER-WARFARE Lobbyist Chip…

On the other end of the spectrum we have the military and their desires for dominance of the battlespace. They make dire predictions (ala Dr. Cyberlove) that the infrastructure is gonna get taken down, and that we will see our civilization crumble before us.


Sure, there are potential issues with regard to infrastructure and hacking/warfare, but, it is not such that we need to frame it and clothe it in the ripped flag of 9/11 do we? Obviously these guys all think so. I would beg to differ, and I find it shameful that it has come again to this jingoism. It is fair that the military and others might want to get ahead of the curve here in the protection of what we have. However, it is necessary that a clear and non slanted approach be taken to the problems at hand. The studies out there are few and far between (those available to non TS folks) on the actual risk assessments of the current infrastructure. I for one would like to see a practical assessment of the current technologies in place and just what it would take to bring them down..


Instead we get theories and suppositions as well as the old “trust me”

Well, I work in the business and I know more than a few people and as yet no one I have talked to is often hiding in their basement waiting for the end to come from this vector of attack.

… And there is a singular reason..


The Realities of Information Security and Digital Warfare

Somehow reality seems to be a foreign concept to many of those out there in the FUD sector. Whether they be corporate, government, or military, they all seem to be living only in the last Die Hard movie existence than in any consensual reality the rest of us have. I recently read a paper by Sean Lawson  that pretty much summed it up for me. The take away is that the realities are different from the perceptions of “cyberwar” on all levels.

  • Technical levels,
  • Sociological levels
  • Perception levels

It’s a good read and covers the truth that even with substantial incidents, society tends to band together and survive. So, when you hear the dire predictions from the likes of Dr. Cyberlove, you should stop and think a bit about this paper. Surely there are areas where I disagree with Mr. Lawson, but the basic premise stands. Nothing, not 9/11, not Chernobyl, not Bhopal, utterly destroyed civilization and a cyber war certainly won’t as well.

Additionally, from the perspective of systems (be they natural or man made infrastructure) tend to have resiliency built into them to some greater or lesser degree. This means that the very nature of the “internet” is to be labile enough to handle an attack. The same could be said about the electrical grid. There is no way presently that everything could go dark in the US short of there being a large EMP accident stemming from a mass coronal ejection. It would not happen from a “cyber attack in 15 minutes” as Dr. Cyberlove would have you believe in his book.

Even with all of the SCADA out there connected to the internet I still cannot see my way to equating ANY of it to 9/11 levels of scary nor do I think it at all appropriate. We are presently at a state where espionage and LULZ are king. These things are not going to destroy our way of life. Only the stupid that is being propagated by the misinformation and outright obfuscation going on in the senate and other places is.

What We Don’t Understand We Fear… Like a VCR clock that blinks 12:00 All Day Long

Fear is the key. Fear is being used as a cudgel against us all by it being trotted out for the government to see and feel. All of these players making the laws can’t even program their DVR clocks never mind making laws about such technical subjects as hacking and information warfare. Yet, here we are, reading in the NY Times about how two senators are making bold claims about how horrible the day will be when someone finally hacks the matrix and turns off our lights or messes with our traffic lights.

Fear on a general level is the great motivator and I am afraid that they are afraid because they lack the understanding to know any better. I also fear that they keep getting bad information from the likes of Dr. Cyberlove and his pals who are just as misinformed but have a platform to speak because they are snuggy bears to the senate. On a mass scale, the general populace fears it all because they too don’t get it all, it’s a magic two thousand dollar facey-space machine to them… It just works, as the Mac heads say. They need not know how it works or how to protect it.

They are wrong.

Though, I don’t expect them all to be experts, but I do expect that real experts would be put in front of the people who make the laws and forge the countries direction on such things. Instead we get Pinky and the Brain.

*hangs head*

Our collective fears could allow these governments to control more and more of our online lives as well as place us in the position of the always monitored and suspect populace. It’s already happening and I fear that with the help of the Dr. Cyberlove’s it will only get worse.

Cyber DOOM

So, where is our cyber doom? Our real cyber doom is allowing this to go on. To not get involved and correct the silliness that is being propagated by the likes of Mr. Clarke. We will continue on this path and eventually something will happen. The Dr. Cyberlove’s of the world will say AH HA! WE TOLD YOU! but the reality will be we will move on. There will be no apocalypse. There will be no Cyber Katrina, the systems are just not that connected and it would take a HUGE effort to make that happen with kinetic attacks (picture Red Dawn, Chinese dropping into our country in parachutes) to cause the real “war” they seem to be predicting.

I just don’t see it happening.

Instead, how about we just talk about doing the right thing and protecting our networks from attacks big and small? Perhaps a little “due diligence” so that we are protecting things and are being accountable?

Is this too much to ask?


Written by Krypt3ia

2012/02/15 at 21:22

The Israeli SCADA’s That Weren’t and The Media Who Do NOT Fact Check

with 8 comments


The ongoing war of who can be more annoying has been raging between the “Muslim Hackers” and the “Israeli Hackers” since about January 2nd. 0xOmar and his crew dumped thousands of credit cards (Isreali) and the Isreali’s threatened him/her/them with being whacked or detained. After the threat by Israel, Omar and company (Nightmare and others) decided to DDoS the El-Al website and the Stock Exchange.

Which really went nowhere…

Just as the tensions were getting to a heated level suddenly a pastebin was dumped by a “guest” that claimed to have Israeli SCADA systems on them. Now the war was REALLY ON!


THEN on January 17th another Pastebin was put out and signed “Anonymous” which purported to be more SCADA systems and invoked the kiddies to go play. This time the dump had some emails and passwords (hashes as well)


The media ate it up.. The CYBERWAR between Israel and the Muslims was ON! And Israel is DOOMED!

What’s That? You Say Anonymous and Saudi Hackers Have.. “PWNT” SCADA’s In Israel! OMG OMG OMG CYBERWARRR!

Fearlessly the media clamped onto the pastebin’s and the hue and cry went out. The cyberwar was heating up and credit cards and SCADA systems hung in the balance! What would happen next? What would be the escalation? Would there be war in the streets as Palestinians and Israelis hurled useless credit cards at each other like small, mostly harmless shuriken?

How could these SCADA systems be online like this anyway?

What are the dangers here?


Enter The Captain BUZZKILL (REALITY)

This is where reason and sanity enter the picture… I was asked by someone in the media to look at this. No not someone in mainstream media, but more a researcher investigating something to do with all of this. So I got hold of the IP addresses/pastebins and began looking through each of their WHOIS records, googling the pages and eventually just hitting them up directly to see just what was what.

Out of the 22 systems listed as SCADA by the skids, only 3 were really SCADA and 4 may have been.. Maybe.. Though not likely.


Those that were SCADA were not in default state for passwords and in general, did not seem to be important systems such as government or large power company hardware… Hell, for that matter none were water facilities, which I should think in a desert would be kinda important no? Anyway, the sites all were a bust really and itreally kind of bothers me that none of the reporters out there actually took the time to ask someone like me, or anyone with a limbic system, to look them up and check if they were in fact SCADA AND EXTREMELY VULNERABLE



Not a one.

Never mind if they were important systems that could cause damage to Israel.. But then again, the perception of some is that dumping credit cards numbers is really really gonna do some major damage to “the man”


I’m sorry all you reporters out there are unable to dial phones or actually know any security folks out in the real world.. Oh.. Wait, Maybe you called on Greg Evans to confirm this?




I know, he is your “go to guy”….

*Le Sigh*

Dear Mainstream Media.. The INFOSEC COMMUNITY (apart from Greg Evans and those on the Attrition charlatans page) Are Here To Help!

Dear media.. There are many among you in the world who know who to use WHOIS and other tools as well as “The Googles” to understand the things that you might not. Those people are easy enough to find really. All you need to do is contact groups like ISC2 (shh all of you I know you are grumbling about that one) and other organizations that can easily provide you with some reputable people.

Call them, email them, TALK TO THEM!

Stop just rapid fire reporting on stuff you don’t understand and are certainly not taking the time to, oh, research on, in order to fulfil your jobs as “Reporters”

I know.. It’s a lot to ask..

But please.. For my sanity and others…

Do it.


Written by Krypt3ia

2012/01/20 at 19:17