Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘CyberWar’ Category

EquationGroup, ShadowBrokers, and Loving The Cyber Pathogen Bomb

with one comment

6165571_14630612227717_rId5

We all knew that this shit was going on but now it’s reaching epic cyber douchery levels kids…

Monday:

Hey someone posted some shit on the Github and the everywhere! LOOK!

DOWNLOAD

DOWNLOAD

DOWNLOAD

Tuesday:

Shiiiit this stuff looks kinda real!

FUCK THEY TOOK DOWN ALL THE LINKS!

…EXCEPT MEGA OF COURSE…

LOOK! RC5 and RC6 Implementations match EQUATION GROUP!

ERMEGERD!

LOOK ODAYS!

SNOWMAN SAYS LAY OFF RUSSIA BECAUSE YOU WAKE DA BEAR! (Uhh hey, can I have my dacha now? I have been a good comrade)

ASS-ANGE FROM HIS EVITA BALCONY: WE HAVE ALL THE SHIT AND WE WILL BE POSTING IT BECAUSE FUCK YOU ALL!

Wednesday:

SECRET SQUIRRELS FORMERLY AT NSA SAY HOLY SHIT!

SECRET SQUIRRELS AT TAO SAY OOPS!

SECRET SQUIRRELS AT TAO SAY THIS IS RUSSIA BY GOD!

Fuckery. It’s all fuckery kids. The world is at war already and the populace never got a vote on this one. These scripts and exploits are just the tip of the 2013 iceberg and the reality is that knowing what the likes of  J-39 and their ilk were hoping for back in the day we are well and truly fucked if they decide to go all out cyberdouche. Now we have this almost parity with this leak by who? The 2016 cyber equivalent of the Rosenbergs? I haven’t a fucking clue and no one else does as to who did this and why. No really, fuck you if you say you do. And if you attempt to “treat intelligence cyber attribute” this shit you are only trying to get clicks for ads.

But seriously, the biggest issue I have with all of this is that while we are all slobbering over the dump and the potential one to come no one seems to be talking about how fucked up this is. While these guys are making and buying 0days and pwning foreign nations our own infrastructure lays like a burned out whore in the missionary position. We are prosecuting the war but we are not securing the “homeland” for shit and we see it every day. See, the rub of it all is that corporations are the ones that hold the infrastructure and fuck all trying to make them become secure through legislation or any kinds of rules. So here we are with all our shit in the wind to start with, no mass movements to secure the nations everything, and now a dump of just some of our cyber weapons has been spilled online as a big fat fuck you.

Yeah, I feel good about where we are.

Still, the shit is three years old.. Who’s to say that those sploits still work on systems in China let’s say. Anyone checked by the way? Anyone?… Well in any case either someone fucked up and left this shit on a server in 2013 to now OR as some have intoned, this was an insider. Either case still leads to the inevitable fuckery the nations have all been up to and we are not alone, not by a long shot. Some have said that the NSA should be securing things and I just laugh and laugh at that. What the fuck do you think their operational aegis is anyway? It’s to break all the things and own them! So all you who look to Ft. Meade for any solutions are just deluded. Nope, the war is on, it is hot, and it is all under cover. When someone finally decides to go batshit they will unleash all the sploits in tandem with kinetic operations and that will be it. A real hot war will erupt.

It’s still true.. We are the reason we can’t have anything nice.

Oh well, at the end of the day there’s fuck all we can do. The shit is in the wind and now everyone has it. It will be used as a platform of attack until all the things are patched but in between they will be used for whatever ends lone actors or nation states feel like using them for.

Yay.

Move on.

K.

 

Written by Krypt3ia

2016/08/17 at 17:00

DNC Hack: The Flying Fickle Finger of Fate and Intelligence Analysis

leave a comment »

ikQnbyk

 

I had some Tweet conversations this morning that led me to a need to make yet another post on the DNC hack debacle. @Viss and @mr0x20wednesday both struck up a conversation after I posted a link to the NYT article on the consensus that is growing within the government that Russia carried out the hack. The consensus building is coming from assessment by the CIA while the FBI has initiated an investigation into the hack and the subsequent dump of data to Wikileaks and to the web via the wordpress account for Guccifer2.0. It is important to take note of the previous statement I make here about who is “assessing” and who is “investigating” and that is something people in the general population do not quite grok much of the time. The FBI attempts to prove things in court and the CIA generates analysis and assessment to help leaders make decisions. These are two different things and I want you all in INFOSEC to understand this when you start to have conversations about spooky things like the hack on the DNC and the subsequent possible propaganda, psyops, and disinformation campaigns that may ensue.

I recently wrote a more irreverent post while I was in a more Hunter S. Thompson state of mind concerning American politiks and the mess we are in, but the core idea that Russia carried off this hack and the actions after it still hold true for me. Many of you out there are reacting more like how I reacted when the Sony attack happened and once again I also find myself asking the same questions and having the same concerns over attribution versus solid evidence. There are many issues at play here though that you have to take into account when dealing with an action like the Sony or DNC hacks where information warfare or “cyber war” are concerned. Most of the considerations you have to make surround the classification of much of what you might get in the way of evidence to start with never mind about the circumspect nature of attribution that is being released to the media. At the end of the day my question to the FBI was “Show me proof” which is their job right? FBI is part of the DOJ and should be leading to charges right? Well, none were proffered by the Obama administration, some sanctions were laid on DPRK but no charges, unlike the wanted posters for the Chinese agents that the FBI laid out for hacks and thefts of data. There is a distinct difference here and that is evidence that can be presented in a court versus attribution and analysis by companies like FireEye and Crowdstrike. True, both those firms can prove certain things but primarily, as you all know out there, attribution is hard to prove so it really stops at analysis, more like the intelligence agencies content and mission.

So where does that leave us with regard to the DNC hack? Well, the attribution data presented first off may only be a portion of what Crowdstrike may have. Other portions may in fact have been classified or asked to be held back by the government (I’d say pretty likely here) and may some day be revealed. If the Sony hack is any indication though of this process, not so much. I am still unaware of any real conclusive evidence of Sony’s hack being DPRK but like I said, the US government sanctioned DPRK over it. It is not likely the government and the president would do so without some more solid evidence but one must consider “sources and methods” when dealing with international intrigue like this right? Don’t like that? Well, get used to it because you are going to see more and more of this as we move into the golden age of nation state hacking and covert action. There will be things you John Q. Public, will never know and will be classified for a good long time. Just take a stroll through the Spy Museum in the cyber war section and look at some of those code names. I bet you haven’t heard of some of them and at least one of them, some of us, were VERY surprised to see on that wall already.

But I digress…

At the end of the day though I have to go with previous experience, Occams Razor, and a sense of Cui Bono concerning the DNC hack/dump/manipulation. Some may argue that the GRU and KGB (yes, once again old agencies don’t die, they just change names😉 ) would not be as sloppy as to leave the breadcrumbs that are being found by Crowdstrike and others. I would remind you to look at at the last big operation that we busted in the US by the KGB as well as the recent posting of selfies by a KGB graduating class as examples of “everyone fucks up” For that matter, shall we mention our own CIA’s debacle with the Pizza Hut? Every agency screws up and every hacker does too. Humans and human nature insure that things will get messed up, there are no perfect operations. In this case the assets involved likely had access to the DNC as well as the RNC but decided to use this data to influence the elections in a manner that they could get away with it easily. This is the nature of spying, politics, and geopolitics, take a look at the history of the CIA and dirty tricks in the politics of South America and then picture it if they were doing the same (hint, they are) today in the cyber age.

That’s right kids, there have been other dumps and hacks. Perhaps some of those too were the US? Think about it.

Russia and Putin have been gerrymandering elsewhere, money and influence operations have always been around. Now consider yourself to be Putin and you have an operation that gave you easily funnelled information to the likes of Julian Assange and Wikileaks! Even more enticing, the fact that you all know that attribution is hard to prove in hacking! What do you have to lose if you are Putin or anyone else? So, if you look at how this plays out, and what more may play out come October, who, what nation, would have the most to benefit if we actually had trump in office?

Think… The answer is ANYONE who would like to take America down a peg and have more possible influence on world politics.

If you look though at the rhetoric by Trump you can in fact see that the big dog in the room would be Putin though. Just think about it! How much more power and sway would Putin have if Trump were in office and dismembers NATO? Come on now kids, think about it. Ask yourselves “Cui Bono?” here. So stop the quibbling about the attribution and the finger pointing. Take the analysis by the CIA and others as well as the eventual data the FBI comes up with and start looking to how can we fix the problems here? There are so many problems though that I too get disheartened. The political system is broken, the information systems are not properly protected, and we run headlong into creating more weaponized code? It is enough to make a man drink.

Ooh good idea…

Dr. K.

Wait Till October…

with 2 comments

Snip20160724_2

There is so much talk about the leak by Wikileaks of the DNC emails (20k) which is only a partial dump I think in the end. Much of the Tweet stream is going on about how this is likely the KGB (No, I will not call them FSB) and how this is bad in so many ways. The DNC dump Friday has been fun to go through from the perspective of laughing at their hubris and gawking at the people involved, the money, and the fuckery. However, once you get past all the schadenfreude you start to realize just how fucked we all are.

First you begin to realize just how dirty and full of fuckery politics is to start, that is if you aren’t already jaded about this shit. Then you realize the proportions of the fuckery when you see proof of some of the things that go on via the leaks from the DNC’s and Hill’s toilet server and you think

“What the SHIT?”

You take a shot of whiskey and crawl back into your lizard brain for a while to get away from it all.

Once you have ruminated on all of this then you start to ponder on the motives and the actions taken by the actors here. They hack Hill’s server in the disused crapper and then DNC’s systems? Or was it the opposite?  What is the motive here? Is this a hack by some kids to upset the political apple cart? Or is this something more? Is this a nation state? The attribution firms are in high gear promoting their theories but this time I will go with what Crowdstrike is selling.

th62e

Pooty and his funtime band are doing a number on us is my vote too and fuck are they pulling a whammy using our own political fuckery to destabilize all the things. This has been the hack that I would consider to be an outright CIA styled destabilization operation, the kind that you would find material online on (think South American fruit and sugar) with a cyber cyber twist. Even Nixon, who pulled this kind of shit with the plumbers and Watergate would be envious right? The only difference here is that Nixon got caught. Pooty is not gonna get caught because of the nature of hacking, attribution, and cyber cyber cyber.

Once you start to look at it as a destabilization operation against the US then you have to look at the possible goals here. The US is on a five front war? How many fuck fronts is it now anyway? We are precariously teetering on the edge of failing empire, and we have these nitwits (both party candidates) running for office, both of them now tainted beyond redemption. Hillary with  bathroom servers, no malware protections, and not even the forethought or ability to hire people to help them secure her shit properly? Then she goes on to consider their machinations safe for fucking un-encrypted classified email?

JESUS FUCK!

*deep breath*

Then we have Trump, with his.. Well.. His everything. He is the worst candidate I could ever think of and yet here we are, he is the RNC candidate. We are well and truly fucked. I can only imagine the security posture of his systems but gee, no one has hacked him.. Have they? If they have no one has leaked anything… Yet. I am sure his servers are full of dirty shit too.

Ok, so yeah, here we are in July and November rapidly approaches. We have Trump as the official RNC candidate for ORANGE CAESAR which scares the living fuck out of me, and we have Hillary, the lady who flouts all security measures for ease of use…Wait… Shit, that really is everyone ain’t it? HELL that is most of corporate MURICA! God dammit we are so fucked!

Anyway, Hill goes on to mishandle CLASSIFIED information and skates on it while frankly others have been pilloried for less. Truly people, with the leaks so far and just the epic fuckery of the race, I am just crawling into that lizard brain more and more with the help of a good grain alcohol. The problem is I keep coming back to lucidity and then hear/see/read the news and end up chugging the shit again to make it go away!

The sad thing is that what we have seen is just the tip of the shitberg. Trust me, wait till October when the real revelatory emails show up. It’s called and “October Surprise” and fuck it’s gonna make Hunter’s worst drug and loathing fueled nightmares seem tame in comparison. Think about it people, Pooty and the KGB are easily, handily, fucking us all over with the cudgel of our own hubris and lack of due care.

All the while these fuckheads are crafting all our dooms with malware and cyber cyber cyber WAR that would make Dr. Strangelove weep in ecstasy. While they argue over surveillance as good and crypto as bad they really don’t comprehending any of it. If it weren’t true it would make one hell of a farcical film. Unfortunately for us it is true, and it is happening today. We the people are the ones being fucked over by their collective business as usual in so many ways.

This isn’t over kids…

Put your helmets on and wait for October for the last of the dumps. I am fairly certain some shit will come out and in the end MURICA will begin it’s 2nd empire with an orange, small handed, orangutan at the helm of this country. Hunter was smart to have left because if he were alive now he would be reaching for the shotgun all over again in much more despair.

Dr. K.

PS.. I have written about possible motives recently… You might wanna take a look.

Written by Krypt3ia

2016/07/24 at 13:41

Did China Just Bill Clinton Us on OPM?

leave a comment »

Clintond

 

In an article posted today from the Chinese State News service Xinhua the official ruling on the OPM hack has been determined to have been carried out by a group of “criminal hackers” not at the behest of the Chinese government. As such they say, the hack was not an official act of cyber war but instead a criminal act according to current laws on cyber warfare.

Dude, we just got Bill Clinton’d on one of the largest hacks to date on governmental databases! Let’s parse this out a bit and then move on to another story that was also posted today. That story; “Congress wants to know how OPM hack could hurt U.S. spies” asks one of the most idiotic questions I for one can think of as someone who’s data was stolen by a foreign power who is now saying in effect; “We have your data, but hey, it was a criminal act. We didn’t ask them to do it but thanks for the files!” 

Thanks China! Don’t mind you holding that data for me since I think that the OPM and the DHS aren’t really capable even with their neato NCATS cyber hygiene service! Say… Did I mention I found all your FOUO documents on your super neato hacker hygiene program being leaked by your own servers? YAY!

Asshats.

But I digress… Ok so back to the first story. I believe that in the past I have written about the coming cyber wars in context of how incredibly hard it will be to prosecute not only the war, but also the defense as well as the, well, prosecution, of anyone we think carried out actions against us. Here we have a classic example of how this will all work with the, well lets call it from hereon the “Clinton Defense” for lack of a better moniker.

China was pretty smart to play it this way because not only does it sort of absolve them but it also gives them a chance to now leak that data to the darknet let’s say and lend credence to the idea that criminal gangs stole the data and are now trying to profit from it. Once the cat is out of the bag the cat pretty much is useless right? Well no, in fact they have their copy of the data and I am sure the MSS and more so the PLA have farmed all that data out to their intelligence customers for further exploitation.

China wins.

This is probably a scenario that certain analysts already thought might come to play since we kind of already pointed the finger at China anyway. It also may have been a foregone conclusion given the futile naming of names and placing them on wanted lists that the DOJ put out this year. If you think we will ever get hold of those Chinese PLA assets you are just deluding yourself. From now on I can see how China and now other nations will just blame non state actors for the hacks against any assets just like some mother scolding a bad child for thievery out of the cookie jar. All the while the players will not be charged with anything and perhaps never even be known because the government will cover their identities.

Do you see where this is all going? What a slippery slope this is? All the while we keep focusing on attack and not on defense. Yeah, that will win the day for us for sure. I am so tired of all the bullshit. Even if you can DFIR and OSINT the shit out of things all one has to do is “officially” blame another actor and the game is over. There won’t be any trials and the data is still in the hands of the adversary, once again, because WE FAILED TO HAVE THAT CYBER HYGIENE!!

Fuckery.

Meanwhile the congress seems to be overtaxing their small minds trying to understand how the data that was stolen (SF86’s and the kitchen sink at OPM) could affect those in the clandestine service. Seriously? Are you fucking kidding me? You don’t understand how China having not only access to where someone worked and works, but also all their personal histories, clearance levels, friends information, psych status, fucking everything to create a super dossier on them could affect a clandestine agent? Tell me something congressman… Are you an idiot?

I would like the congress to understand even more deeply about the hack on OPM. It is more than just the data that they stole. It is also about how long they had access to the internals at OPM and then the networks that the OPM network touch. For instance, did you know that the server the data was being held in partially sat in the DOI?

NO I AM NOT KIDDING

The Department of the Interior is a place I know rather well because I worked for the DOJ on a case against them back in the day. I had to look at their networks and boy oh boy, what a fucking mess. Would it also surprise you to know congressman that the DOI network has classified network connections as well? Did you know for example that when I was poking about I saw NRO shit as well? Think about that and let it rattle around your empty heads a bit. Ask yourself and then ask OPM and DHS what other networks the Chinese may have had access to for about a year?

HEAD. SPLODE.

I dunno, it seems like every day I just want to crawl into the woods and build my 6×6 shack and wait for the apocalypse to come far away from the asshattery that will undoubtedly occur. Fuck the whole iot bullshit with fridges and toasters exploding from grid hacks by Ted Koppel. I just want out because we as a species are just incapable of handling this shit appropriately. I eagerly await the end where the AI finally takes over and decides to liquefy us all to feed to one another to be used as batteries for the Matrix.

Let’s get this over with already.

K.

Written by Krypt3ia

2015/12/02 at 18:19

Posted in China, CyberWar, Hacking

THE CYBER WAR THREAT!

leave a comment »

NOVA

 

Nova had a program on this week about the impending cyber war threat that the media loves so much to go on about and scare the populace. I had hoped that it being Nova they would do a better job at covering such a topic but in the end this show was no better than a 20/20 episode and this is very disappointing. The show was remedial at best and I understand the need for that given the audience base concerned but really did you have to just talk to the beltway bandits like Richard Clarke and Former General Hayden? This is a disservice to the viewing public and frankly consists of scare programming out of PBS in the hopes of ratings?

I and others have railed about the cyber war rhetoric in the government and the media but this is PBS! Come on and do a better job of journalism would you? Look, here are the problems with your broadcast that I want you to pay attention to;

  • Is cyber war possible? Sure, but on limited scales and really it would have to be truly backed up by kinetic warfare (i.e. boots on the ground) otherwise this is all just tit for tat espionage. You –rm a bunch of computers at Sony and we maybe shut down whatever is working in Pyongyang. This is not an existential threat and Nova failed to really get that across amongst the scary music and voice overs.
  • The focus on the grid is one that we have seen many times before and yes, if a nation state made a concerted effort on 9 (count them NINE) choke points in the US they could in fact cause an outage on a national scale. How long would we be down? I am not sure but it would not be the end of the world and if you do such a thing you had better have C-130’s in our air space dropping troops at the same time to make it a war.
  • The complexity of the systems and their semi interconnected nature makes an all out cyber attack on a national scale less likely and you did not cover that at all. There are many disparate systems in the grid and the pipeline systems. You could not likely without a great effort and a lot of luck have everything go down from a cyber attack alone. Simply put, you would have to have a kinetic aspect to the attacks to work. Something along the lines of the attacks on the transformers in the Silicon Valley area a year ago when they were shot with AK-47 fire.
  • Lastly you did not cover at all the fact that there are many people out there securing this stuff where they can. I personally have been on assignments assessing the security of the grid and other systems that have SCADA/PLC’s and yes I can tell you there have been times where I was just flabbergasted by the idiocy. Why connect these things to the internet I will never understand. Why connect them via WIFI in the field makes my head explode.

Anyway, at the end of the day this show only made my head explode again at the poor quality of journalism, this time by a favorite of mine, Nova. It was one sided and just a scare piece. Has the government owned you so much that you need to be the cyber war mouthpiece for them? Did you guys lose a bet? What the holy hell were you thinking? Just stop, for the love of God stop.

Post Script Screed:

After watching this episode of Nova I went online looking for the “Aurora Test” documentation that they mentioned in the piece. The fact that they showed pages of the report redacted on air got me thinking about whether or not it was all still on the net. Well, yes yes it is and it’s all here. 840 pages of unredacted love from DHS who in their infinite wisdom through a FOIA request, released the WRONG documents. These were CLASSIFIED and they show the choke points to attack were you wanting to attack the US grid or pipeline as well as a full description of all kinds of data you would want to do so.

*hangs head*

Yes, DHS, the people who brought you the TSA and other fun security theater programs have managed to single handedly pass out the keys to the kingdom because some asshat could not think their way out of a government provided thin wet paper bag. So there you have it kids, if you want to attack the grid have at it because in the scare-o-rama that was the Cyber War Threat they say nothing has been done to secure those choke points! Yes! Complete with shadowed anonymous speakers afraid to go on the record for fear of reprisals because they are telling the truth about our security fail!

Sweeeeet.

If you are a reader here you have seen my stuff in the past on this as well as my digging around with Google to find all kinds of shit on the net that could lead to compromise of the grid. Truly, if the terrorists or anarchists or anonymous or even the fucking 13 year old down the street wanted to, they could do some damage with this stuff. How long until such a thing happens because some idiot can use Google and a COTS hacking program?

Talk about your black swans…

Yours in everlasting head-desk

K.

Written by Krypt3ia

2015/10/15 at 21:43

Fear and Loathing On The Internet: A Savage Journey to the Heart of the Cyber Trenches

with 3 comments

mRXVtx2P.jpg_large

Image courtesy of GonzoPhD

O’Five Hundred

It was 5am and the coffee had just started to brew when I saw the tweets that the DPRK was back online. Immediately my bloodshot eyes closed in salutation because the game was on. I booted up the laptop and got the old terminal up and typed the old familiar line $ nmap -Pn 175.45.176.0/24. I hit enter and began the worship of caffeine as is my custom at this ungodly hour that I find myself in my old age waking up to more often.

Once the coffee had been poured I came back to my comfortable seat to find that one IP address in the subnet (/24) had come up with all kinds of ports open! “Ooooh, this will be interesting” I thought as I began to play with the ports in my browser and other tools. Little did I know then what I would know now about life in the 21st century cyber war!

No sooner had I begun to poke at the ports I began to sense dark forces moving against me. I decided to forge ahead though and hit the second sub that DPRK has. The Nmap began unleashing it’s port scanning hell upon the enemy and I went back to the SMTP server that I had located. It began to offer up it’s dirty flower to me as I poked and prodded. It seemed that because the DPRK had been down since the night or so before they were still recovering, their firewall still trying to come back from the oblivion that had been wrought upon it by… Whoever.

O’Five Thirty

As I started to get bored with the one address that was available I decided to turn on the old iPad and listen to a flick while playing. I had not been watching long when all of a sudden WHAM! I could feel the palpable blow from my.. Nay, OUR enemy! The DPRK had hit back! My iPad stopped mid sentence and began to just become completely verklempt. I checked the wireless sig and it was fine… What in holy hell was happening! A creeping feeling of dread began to creep up my coccyx with a cyber chill! “Could it be that the infernal Kim Jong Un has hit me?” I thought to myself. “Nah, just a wireless issue” I mused but I decided to check. I brought up my browser and hit the router address… Nada.

“Uh oh”

I flew to my office and booted up another wired box and frantically hit the router again… 500 error…

“Shit!”

I sat and pondered it all.. I had just become a casualty of the great cyber war of 2014! My router was offline, my shit was smoking and I knew that that creeping feeling of cold dread from my coccyx was in fact the cruel reality… I had been DDoS’d!!

O’Five Thirty Five and Three Seconds

I rebooted the everything and began to work the systems. I had my cyber helmet on now and I was prepared to fire a new salvo at the dreadnaught that was DPRK! The router cycled, the IPS… The Wireless… I frantically typed in the address for the IPS and began looking at logs. I scanned as the caffeine began to really sing in my veins to see the following addresses had hit me like a metric shit ton of SYN!

222.220.35.5
222.66.55.245
183.61.244.73
125.227.197.158
222.186.15.161

It was all there in black and white. The wiley Kim Jong Un and his frightening UNIT 121 had hit me with the dreaded SYN FLOOD! But wait, what? Those addresses aren’t DPRK! They are all in CHINA!

*cold sweat begins to trickle down my back with the realization that I had begun a new international incident!*

“CHINA! CHINA!” I yelled at the screen. I tried to calm myself and remember my cyber attribution training! “The IP’s are in China! I am being attacked by China! It’s incontrovertible! It’s China attacking me as a proxy for DPRK! MY GOD!” This is when the klaxons began going off.

INBOUND PACKETS!

WHAM!

I was hit again wave after wave from China. There was no way around it. I had to declare cyber war on DPRK because China attacked me after I used a network tool on DPRK addresses!

DAMN THE CYBER TORPEDOS!

The packets flew and the Chinese hit me with everything they could. I could hear KJU screeching in the background yelling orders of more salvo’s against the capitalist cyber swine that was me!

WHAM!

BOOM!

My cyber helmet developed a crack and there was only one thing left to do…  I blocked them on my firewall. The war ended then… At approximately 0540 hours the great “Cyber War” of 2014 ended. I looked around to see posters torn from walls.

The. Horror!

Now I am a veteran of the cyber wars… I still have not gotten my purple heart. Listen well you young men and women. Heed the tale of this cyber warrior and his time in the cyber trenches. Cyber war is cyber hell.

K.

Written by Krypt3ia

2014/12/23 at 22:19

SONY: The Laughing Man Effect

with one comment

Laughing_Man_by_thooley

Preface:

In the past I have written about “The Ghost In The Shell” referring to current incidents online and the future of network warfare. I mostly wrote about the anime show’s prescience with regard to the fact that many of us in the business of computer security it seems gravitated to it because of those very scenarios in the first place and a certain cool factor to them. Of course all of that was science fiction and it could not happen in the real world could it?

Well, once upon a time the idea of a plane flying in the air or a submarine for that matter were pure SCIFI and now we take them for granted. So it is too with some of the ideas put forth by G.I.T.S. where online culture and warfare are concerned. If you are not familiar with the G.I.T.S. franchise I suggest you go to Amazon or Hulu and watch them all. If you are familiar with them, then you might have the same “Ah ha!” reaction that I did watching the evolving story of the Sony hack.

SONY HACK

So to catch you all up, Sony it seems got hacked. Not just hacked, but utterly hacked, penetrated, compromised, whatever adjective you would rather use all of them applies here. Suffice to say that Sony was taken down in such a way that absolutely nothing electronic should be trusted within its environment whether it be a router, switch, desktop, laptop, server down to USB sticks. The hackers had complete control over what seems to be all of their infrastructure and for an indeterminate amount of time.

The adversary, once gaining access began to plunder all of Sony’s secrets, ex-filtrating them out of their networks to the tune of one hundred and eleven terabytes of data. This is an astounding amount of data to take and one has to wonder just how they got it out of there. I mean, did they move it on TB drives? Did they FTP that out? What? You also have to wonder just how long that would take if they were being sneaky about it. It also begs the question of whether or not the attackers had to be sneaky at all because perhaps Sony had not learned it’s lessons from previous attacks and just was not watching traffic at all to see the immense amounts of data leaving their domain.

It gets worse though for Sony… If that were even conceivable to many. The adversary then inserted a special feature to the malware they were using to compromise systems with to destroy the MBR section of hard drives on systems that were infected. This poison pill was then activated when the attackers were done to perform the coup de grâce that would take Sony down hard. As it was described the malware changed the login screen for all the users and then the game was on. Sony knew something was up and then systems went BOOM. Or did they? I am not too sure on this fact because I have not seen much out of Sony as to what happened next.

The net effect here is that Sony cannot trust anything and anyone potentially within their walls and had to shut down their whole network. They handed people pens and pencils and continued working as best they could as they called in Mandiant to perform the incident response for them. Meanwhile, the adversary had made contact with Sony either with the screen change (see below) or other means to say that they had that 111tb of data and laid out terms of what they wanted to not let it out on the net. That was around Nov 24 and it’s now December 6th. Since then there has been two data drops by a group calling themselves the GOP (Guardians of Peace) One drop was small, around a gig and the next was 27 gig. Within those files were found great swaths of Sony data that included numerous SSN’s and personal data for people who worked with or for Sony. In short, it’s a nightmare for all involved really.

Then things got… Weird.

Suddenly Variety (the Hollywood trade rag) was reporting that Sony thought that their adversary was in fact the DPRK and Kim Jong Un. Why? Because Sony was going to release a film that KJU did not appreciate. That film is called “The Interview” and it’s a comedy whose premise is that two Hollywood types are invited to DPRK to interview KJU and are asked “humorously” to whack KJU by the CIA.

Eh.. It could be funny. I really don’t think it would have nor will be but that’s just me. I am not a big fan of the two major stars of the film and of late Hollywood has mostly been the suck anyway, but yeah I digress…

So yeah, Variety is reporting that DPRK hacked Sony and with Mandiant being signed on HOLY CHINA! We all in INFOSEC began popping the popcorn and waiting on Tao to start talking about where DPRK touched him. It was and is still, rather unreal. The modus operandi for some of the hacking does match what DPRK has done before with wiper malware, or shall I say “has been attributed to have done before” and attribution as you all know is hard. However, the data kinda looked like maybe it was possible but with the lens of time it seems less likely that it was a nation state actor especially if the reason for the attack was in fact over this movie.

Since the advent of the DPRK theory, this whole story has just become a media frenzy about “CYBER CYBER CYBER WAR PEARL HARBOR BE AFRAID!!” The reality though seems to be a bit different from the popular media fallderall in that the GOP has all along said that this attack was in response to Sony’s bad practices and they needed to be taken down for them.

The Laughing Man Effect

This is the juncture where the Ghost In The Shell comes in and a certain arc in the story line from the Standalone Complex. If you are a fan you might remember the series of episodes concerning “The Laughing Man” In these episodes we are introduced to a hacker who appears from nowhere and begins a campaign of attacks against corporations for their misdeeds. In particular one company that was colluding in surveillance and stock manipulation but I will leave all that to you to watch.

What happens though is that The Laughing Man takes on the corporation and through hacking exposes them for what they had done as well as effects their bottom line greatly financially as well as damaging their reputation. It was the spectacular nature of the hack though, on live TV in this future Japan that got others completely obsessed with the Laughing Man and what he had done. If you have not seen the series there is a box set of just the episodes that concern the Laughing Man you can watch.

The story line though sparked with me because it showed the great asymmetric power of this kind of warfare that could be carried out by one person. One person with the skill sets to do it, could affect the bottom line of a company at a distance as well as anonymously. This is a powerful thought and one that in today’s society is much more of a reality than ever before and it is precisely because of technology. This idea I personally now call “The Laughing Man Effect” and in tandem with meme’s could spell real trouble for the world today. We have seen this already taking place with Anonymous and their various wars against injustice or just for the lulz as we saw in LulzSec. In fact, I would claim that HB Gary would have been the first instance of the Laughing Man Effect and it just took the Sony incident for it to solidify in my head.

Memetics

Now consider the meme. Meme’s are ideas or images that catch fire with people and are passed on rather like cognitive malware. Anonymous was a meme as well as means of creating and delivering meme’s on the internet. Born of the 4chan boards where meme’s are born every second, some dying on the vine while others catching fire, Anonymous caught on once they went after Scientology. The reality is that Anonymous lit this fire and now GOP has taken up the notion ostensibly and acted upon their personal desires of retribution much like Anon’s did on Scientology.

If the GOP is in fact a real group or person with an agenda to destroy Sony then I believe that their idea has come from Anonymous(s) successes. I also think that if they do really exist as a group then they have learned from Anonymous successes and failures. So far GOP has been pretty cagey with their use of dead drop email accounts and the use of various servers around the globe to send email to reporters. Which, if they are not caught right away, will give them more power of the meme as the David who slew Goliath.

In the end, I believe this to be just the meme taking root in the collective unconscious spurred on by the likes of Anonymous, Snowden, Wikileaks, and the Occupy movements. We live in a time where the small can in fact easily take down the big with technologies that we all use and often times do not secure properly. In the case of Sony it seems that they neglected a lot and got burned badly by doing so. If that is the case then who’s to say when the next big corporation is taken down by another person or persons with an axe to grind or a valid grievance?

The meme is catching and the Laughing Man Effect may be a real concern for the governments and corporations of the world. The more flashy and catchy or perhaps just downright motivational the more chance that others will follow. This is the nature of the meme and it’s ability to propagate so quickly and effectively in our hyper connected world. If you just look at all the media coverage of the Sony incident and then look at all the armchair detection going on around it you can see how this one too has sparked the collective imagination and curiosity.

Future State Electronic Warfare

So here it is. What some have been fearing and perhaps not getting across well enough is coming to pass. In our connected world it is easy to take things down and burn them. I the case of Sony they will come back sure. If you look at their stock the last few days as revelations surfaced, their prices took a dive but then went back up. Perhaps the real world just doesn’t understand the ramifications of what has happened here. However, the fact remains that Sony was completely decimated on a technical level to start. This is an important point that should be thought about.

That Sony was likely hit by an insider is highly probable. Was that insider sent in or actively recruited? Are they someone who just did this because they felt abused? I guess time will tell on these questions but insider attacks have always been a problem and they won’t go away. How do you really protect against that without making life harder for end users? Much more, how do you protect against insider attacks without alienating workers as they are watched every second of the day as they work to insure they aren’t setting off an attack? It’s a vicious cycle really.

Alternatively, how can any company expect to defeat a determined attacker anyway? The dreaded APT’s have had it easy and still do to a large extent but even after we all have learned our lessons, it will still always be a surety that a determined attacker will get you in the end. With that knowledge then what do you do? Do you just accept that fact like something akin to the AA credo of “Grant me the serenity to accept the things I cannot change” or do you fight harder? It is a never ending battle.

What Sony can teach us though now is that the idea of this kind of warfare is out there. Ordinary people are feeling empowered to take on corporations and governments with the aid of the very technologies they use to carry on daily business. Technologies that are now commonplace and we cannot do without. This is a scary thing to many in power and it’s been made all the scarier when things like the Sony hack happens so utterly and completely well.

Welcome to the future of online/electronic asymmetric warfare kids.

K.

 

Written by Krypt3ia

2014/12/06 at 22:49