Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘DD0S’ Category

Digital Kinetic Attacks: South Korean DD0S Botnets Have “Self Destruct” Sequence




From McAfee Blog

There has been quite a bit of news recently about distributed denial of services (DDoS) attacks against a number of South Korean websites. About 40 sites, including the Presidential, National Intelligence Service, Foreign Ministry, Defense Ministry, and the National Assembly, were targeted over the weekend, beginning around March 4 at 10 a.m. Korean time. These assaults are similar to those launched in 2009 against sites in South Korea and the United States and although there is no direct evidence connecting them so far, they do bear some similarities.

DDoS attacks have occurred with more and more frequency, but one of the things that makes this attack stand out is its use of destructive payloads. Our analysis of the code used in the attack shows that when a specific timezone is noted by the malware it destroys the infected computer’s master boot record. If you want to destroy all the data on a computer and potentially render it unusable, that is how you would do it.

The malware in the Korean attacks employs an unusual command and control (C&C) structure. Instead of receiving commands directly from its C&C servers, the malware contacts two layers of servers. The first layer of C&C servers is encoded in a configuration file that can be updated at will by the botnet owner. These C&C servers simply provide a list of servers in the second layer, which will provide additional instructions. Looking at the disbursement of the first-layer C&Cs gives us valuable insight into the malware’s global footprint. Disbursement across this many countries increases resilience to takedowns.

The rest HERE

At first, the idea of a digital kinetic attack to me would be to somehow affect the end target in such a way as to destroy data or cause more down time. These current attacks on South Korea’s systems now seem to be more of a kinetic attack than just a straight DD0S. Of course one then wonders why the bot-herders would choose to burn their own assets with this new type of C&C system and malware. That is, unless the end target of the DD0S is just that: one of more than one target?

So the scenario goes like this in my head:

  • China/DPRK work together to launch the attacks and infect systems also in areas that they would like to do damage to.
  • They choose their initial malware/C&C targets for a secondary digital kinetic attack. These systems have the potential of not only being useless in trying to trace the bot-herders, but also may be key systems to allies or the end target themselves.
  • If the systems are determined to be a threat, or just as a part of the standard operation, the attackers can trigger these systems to be rendered (possibly) inert with the wipe feature. This also applies to just going after document files, which would cause damage to the collateral systems/users/groups.

Sure, you burn assets, but at some point in every operation you will likely burn at least one. So doing the mental calculus, they see this as a win/win and I can see that too depending on the systems infected. It is not mentioned where these systems (C&C) were found to be, but, I am assuming that they were in fact in China as well as other places around the globe. This actually steps the DD0S up a level to a real threat for the collateral systems.

Of course the malware here does not physically destroy a drive; it is in fact just rendering it useless (potentially, unless you can rebuild the MBR AND you zero out the data on board), as you can see from this bit of data:

The malware in its current incarnation was deployed with two major payloads:

  • DDoS against chosen servers
  • Self-destruction of the infected computer

Although the DDoS payload has already been reported elsewhere, the self-destruction we discussed earlier in this post is the more pressing issue.

When being installed on a new computer, the malware records the current time stamp in the file noise03.dat, which contains the amount of days this computer is given to live. When this time is exceeded, the malware will:

  • Overwrite the first sectors of all physical drives with zeroes
  • Enumerate all files on hard disk drives and then overwrite files with specific extensions with zeroes

The service checks for task files that can increase the time this computer is allowed to live, so the botmaster can keep the botnet alive as long as needed. However, the number of days is limited to 10. Thus any infected computer will be rendered unbootable and data will be destroyed at most 10 days after infection! To protect against tampering, the malware will also destroy all data when the system time is set before the infection date.

The malware is aware enough to see if someone has tampered with the date and time. This sets off the destruct sequence as well, but if you were able to stop the system and forensically evaluate the HD, I am sure you could make an end run and get the data. Truly, we are seeing the next generation of early digital warfare at this scale. I expect that in the near future we will see more nastiness surface, and I think it highly likely, in the post-Stuxnet world, that all of the players are now thinking in much more complex terms about attacks and defences.
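To make the countdown described in the McAfee excerpt concrete from the responder's side, here is an added example (my own, not McAfee's and not the malware's code) that models the timer check: days granted at install, task-file extensions capped at ten days, and the clock-rollback trigger. The on-disk format of noise03.dat is not published above, so the install timestamp and granted days are plain constructed values, and the host names and epoch are hypothetical. The point of the model is to rank infected hosts by how much time is left to image them, and to make explicit that turning the clock back is itself a trigger.

```python
"""Countdown model for the wiper timer described in the write-up above.

Added example, not McAfee's or the malware's code. The noise03.dat format is
not published here, so install timestamps and granted days are constructed
inputs. Nothing here touches a disk or a clock; it only evaluates the logic.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_DAYS = 10  # cap on extensions quoted in the analysis


def effective_lifetime(requested_days: int) -> int:
    """Lifetime the bot actually honours: task-file extensions cannot push past MAX_DAYS."""
    return max(0, min(requested_days, MAX_DAYS))


def evaluate(install_ts: datetime, now: datetime, granted_days: int):
    """Decide what the timer check would do if it ran at `now`.

    Returns (state, whole_days_remaining). States:
      'wipe:clock_rollback' - system time is earlier than the recorded install time
      'wipe:expired'        - the granted days have elapsed
      'alive'               - still inside the window
    """
    if now < install_ts:
        return "wipe:clock_rollback", 0
    deadline = install_ts + timedelta(days=effective_lifetime(granted_days))
    if now >= deadline:
        return "wipe:expired", 0
    return "alive", (deadline - now).days


@dataclass
class InfectedHost:
    name: str
    install_ts: datetime
    granted_days: int


def triage(hosts, now: datetime):
    """Order hosts so the ones closest to their deadline are imaged first.

    Returns a list of (days_left, host_name, state) sorted by urgency.
    """
    rows = []
    for h in hosts:
        state, left = evaluate(h.install_ts, now, h.granted_days)
        rows.append((left, h.name, state))
    rows.sort()
    return rows


# Constructed sample fleet (hypothetical hosts), using the attack start quoted above as the epoch.
EPOCH = datetime(2011, 3, 4, 10, 0)
SAMPLE_HOSTS = [
    InfectedHost("ws-01", EPOCH, 7),                       # infected at the start, 7 days granted
    InfectedHost("ws-02", EPOCH + timedelta(days=1), 10),  # extended to the cap
    InfectedHost("ws-03", EPOCH + timedelta(days=2), 25),  # extension request silently capped to 10
]

if __name__ == "__main__":
    for row in triage(SAMPLE_HOSTS, EPOCH + timedelta(days=3)):
        print(row)
```

The practical consequence for a responder is in the first branch of `evaluate`: a host whose clock is set back past the recorded install time is wiped immediately, so the right move is to isolate the machine, pull the drive and image it offline rather than "fix" the date on a live system.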

So, let me put one more scenario out there…

Say the malware infected key systems in, oh, how about NASDAQ. Those systems are then used to attack NYSE and suddenly given the order to zero out. How much kinetic warfare value would there be to that?

You hit the stock market and people freak

You hit the NASDAQ systems with the compromise and then burn their data

Ouch.

Interesting times….

//SIGINT FOR ANALYSIS: DD0S: CHINA/S.KOREA/WORDPRESS “So Ronery”


THREE stories in the news recently have me pondering the tit-for-tat nature of what may be Kim Jong Il’s mostly impotent attacks against the outside world. It would seem that Mr. “ronery” may have been a little miffed of late because South Korea decided to float balloons laden with leaflets over into the Northern side after the Middle East began to protest against repressive regimes.

I laughed ’til I cried when I saw this on the news, poor Kim Jong! What’s even more hilarious is that I have also heard that the South Koreans also put KJI’s image on the pamphlets, because it is a crime to destroy or defile any image of the “dear leader”. So, the North Koreans must have fits and starts when these balloons start coming down! Net net though, the information makes it to some in the closed country, and one hopes that they are seeing what is happening outside in the real world… At least a little.

Post the balloon launches (Feb 25 2011) we are now seeing some interesting things happening on the internet that may in fact be KJI and North Korea acting out against everyone, especially the South Koreans. Both attacks, on the face of it, may not be related; however, with a closer look one may see that they could very well be related:

WordPress traces 2nd DDoS assault to China

Shock

By John Leyden

Posted in Enterprise Security, 7th March 2011 12:27 GMT


Blogging service WordPress suffered a further series of denial of service assaults on Friday, days after recovering from a particularly debilitating attack.

WordPress.com, which serves 18 million sites, traced the vast majority of the attack traffic of the latest assault back to China. Analysis pointed to a Chinese language site as one of the principal targets of the attack.

This as-yet-unnamed site is blocked by Chinese search engine Baidu, prompting speculation that the attack might be politically motivated. However, a closer inspection of events led WordPress to conclude that commercial motives were probably behind the attack, TechCrunch reports [1].

Separately the French finance ministry has admitted that it came under a sustained and targeted attack in December, targeting files related to the G20 summit that took place in Paris two months later. More than 150 computers at the ministry were affected, the BBC reports [2].

Paris Match magazine, which broke the story, quotes an anonymous official who told it: “We noted that a certain amount of the information was redirected to Chinese sites. But that [in itself] does not say very much.”

Original URL: http://www.theregister.co.uk/2011/03/07/wordpress_ddos_reloaded/

South Korea Probes Internet, GPS Disruptions

South Korea is investigating the latest high-technology assault against it. The attack targeted government computers and users of the GPS navigation system. It came as South Korea and the United States hold an annual military exercise that North Korea calls a prelude to an invasion.

Fifteen million South Koreans logging online Monday received an alert from the country’s Internet Security Agency. It instructed them to download a vaccine program to thwart a foreign online attack against Web sites of key government agencies and financial institutions.

Officials Monday said the government is trying to figure out who ordered the attack on the Internet sites last Friday and Saturday. Targets included the presidential Blue House, the Ministry of Foreign Affairs and Trade, the National Intelligence Service, South Korean military headquarters, the U.S. military forces in the country and several other agencies.

They were hit by what is known as a distributed denial of service attack. It was done by overloading targeted sites with Web page requests from about 80,000 personal computers infected with malicious software.

Suspicion as to who masterminded the attack falls on North Korea. But Park Kun-woo, a spokesman at Ahn Lab, a leading South Korean maker of security software, says there is no clear evidence Pyongyang orchestrated this one.

Park says nothing is certain at this point because malicious computer hackers tend to disguise themselves in various ways. It is clear, he says, however the attack did not originate in South Korea and was dispersed via a number of countries.

The National Police Agency says the attacks were routed through computer servers in numerous places, including Brazil, Hong Kong, India, Iran, Israel, Japan, Russia, Taiwan and Thailand.

Internet security companies say, as of Monday, more than 100 of the so-called zombie computers that were used to carry out the online attack have seen the contents of their hard drives erased by the malware that the computer owners unsuspectingly downloaded.

This incident did not last as long as a similar disruption over five days in July 2009, but it targeted more Web sites. Officials have said the 2009 attack was traced to an Internet protocol address in China used by North Korea’s Ministry of Posts and Telecommunications.

Other attacks also have been traced to China.

Experts say North Korea has an Internet warfare unit that targets South Korean and American military networks.

Also Monday, the South Korea Communications Commission confirmed that interference to Global Positioning System signals on Friday came from a location in North Korea that was pinpointed as the source of a similar disruption last August.

The incident reportedly affected GPS receivers in military equipment and mobile phones as far south as Seoul. It also took place, as was the case last August, while a military exercise with the United States was under way here.

The U.S. military command in the country is not confirming whether the GPS jamming disrupted the exercise. A spokesman says as a matter of policy, the command does not comment on intelligence matters.

The Yonhap news agency quotes a South Korean defense official saying the GPS disruption did have a slight effect on military artillery units.

Now, WordPress was attacked around the same time as the South Korea attacks. However, the linking factors for me are twofold:

1) Both have Chinese elements

2) Both are aimed at political targets (WordPress has said that there seemed to be a foreign political nature to the attacks)

While N. Korea does not have an infrastructure in house to set off attacks, they do indeed have connections with China and certain Chinese telco/internet backbone providers that they have worked with in the past on such occasions. While the attacks seem to be a bit more widespread as attacking systems go, both would be timed in such a way that tips me toward believing both are the work of North Korea. So far, no one has really made this connection that I have seen in the news as yet, but it’s not such an outlandish idea.

Now, KJI has nukes, and he has all kinds of other weapons of war, but he seems to be lacking in one area, “cyber” as the press might put it. Since his regime is SO repressive that they have no infrastructure, it is likely that any such programs would be run out of the south of China. North Korea likely has many programmers/military types working in the south China area at facilities that are Chinese run, working on cyber war capabilities. Were N. Korea actually to get its own infrastructure I have no doubt they would be ready to go. That they don’t at present is only a small stumbling block.

It is also well known that the Chinese and others will easily rent out bot-nets for the work as well as be paid for information/cyber operations of this nature. So, the attacks are really only cogently linked together here from their connections to pissing off N. Korea. Frankly, I am kinda surprised the attacks didn’t also have some Facebook DD0S as well…

All in all though, the DD0S did not do permanent damage anywhere and for me, just seem to be more a cry for attention on the part of Mr. Ronery…

Sad panda.

K

Anonymous: Headless, Herd Mentality, or Convergence Theory Driven Entity?


In my last couple of posts I took a look at what has been going on with Anonymous and HBGary Federal. Within those posts, I began musing on just how decentralised Anonymous really is. By looking at the overall picture of how Anonymous seems to work on the face of it, you might think that they are just a fluctuating group of online personae who sign up for certain operations that they desire to devote time to. However, no matter how many times I look at the big picture, I still see an underlying structure (or structures) with more static features that can be analysed, and which thus allow for the possibility of only pseudo-anonymity.

Now, this may rankle some within the Anonymous camp and likely will cause some comments here, but this is something that interests me, and it is really an academic thought experiment as opposed to Aaron’s little projects. So, you anons out there, take this post and my musings as food for thought as you go on about your anonymous lulz. I am not searching you all out to “out” you, just looking at an interesting problem.

With that said, let’s move on to my theories.

Motivations, Drivers, Flocking, Herding, and Convergence Theory:

Before I go into the infrastructure of Anonymous as I see it, let me first go into the psychology behind the human side of Anonymous. This bears directly on the infrastructure due to the fact that humans online comprise the entity known as Anonymous. It is the psychology behind that human element that gives rise to the means by which their actions are carried out in a social media format (i.e. the internet/IRC/social media).

Human motivations can be and are myriad; however, there are some basic desires that are fulfilled by action as a cohesive group. These desires or goals take shape in differing ways. In the case of Anonymous, they have aligned themselves with a “swarm” mentality, and I subscribed to that at first, but after thinking about it quite a bit, I have come to the conclusion that a swarm does not really fit the patterns of behaviour exhibited by Anonymous. A swarm implies lack of thought and instead just reaction. The examples used before of bees or ants are good ones to show that in fact Anonymous does not resemble them. Instead, the anons all have motivations as a whole and on their own individually that motivate them to act as they are. In this simple fact, the aspect of having self awareness and motives shows that the allusion to swarming is a fallacy.

Instead, I propose that since humans are behind the actions of anonymous, and comprise its ranks, that other theories apply to them that come from a more humanistic approach, much of it being from psychology. The following theories apply as I see it.

From Wikipedia

Herd behavior in human societies
The philosophers Søren Kierkegaard and Friedrich Nietzsche were among the first to critique what they referred to as “the crowd” (Kierkegaard) and “herd morality” and the “herd instinct” (Nietzsche) in human society. Modern psychological and economic research has identified herd behavior in humans to explain the phenomena of large numbers of people acting in the same way at the same time. The British surgeon Wilfred Trotter popularized the “herd behavior” phrase in his book, Instincts of the Herd in Peace and War (1914). In The Theory of the Leisure Class, Thorstein Veblen explained economic behavior in terms of social influences such as “emulation,” where some members of a group mimic other members of higher status. In “The Metropolis and Mental Life” (1903), early sociologist Georg Simmel referred to the “impulse to sociability in man”, and sought to describe “the forms of association by which a mere sum of separate individuals are made into a ‘society’ “. Other social scientists explored behaviors related to herding, such as Freud (crowd psychology), Carl Jung (collective unconscious), and Gustave Le Bon (the popular mind). Swarm theory observed in non-human societies is a related concept and is being explored as it occurs in human society.

Information Cascade:

An information (or informational) cascade occurs when people observe the actions of others and then make the same choice that the others have made, independently of their own private information signals. Because it is usually sensible to do what other people are doing, the phenomenon is assumed to be the result of rational choice. Nevertheless, information cascades can sometimes lead to arbitrary or even erroneous decisions. The concept of information cascades is based on observational learning theory and was formally introduced in a 1992 article by Sushil Bikhchandani, David Hirshleifer, and Ivo Welch.[1] A less technical article was released by the authors in 1998.[2][3]


There are two key conditions in an information cascade model:
1. Sequential decisions with subsequent actors observing decisions (not information) of previous actors.
2. A limited action space (e.g. an adopt/reject decision).[6]

Classical theories
The main idea of Sigmund Freud’s crowd behavior theory is that people who are in a crowd act differently towards people from those who are thinking individually. The minds of the group would merge to form a way of thinking. Each member’s enthusiasm would be increased as a result, and one becomes less aware of the true nature of one’s actions.
Le Bon’s idea that crowds foster anonymity and sometimes generate emotion has become something of a cliché. Yet it has been contested by some critics, such as Clark McPhail who points out that some studies show that “the madding crowd” does not take on a life of its own, apart from the thoughts and intentions of members. Norris Johnson, after investigating a panic at a 1979 Who concert concluded that the crowd was composed of many small groups of people mostly trying to help each other. However, ultimately, leaders themselves identify themselves to an idea.

Theodor Adorno criticized the belief in a spontaneity of the masses: according to him, the masses were an artificial product of “administrated” modern life. The Ego of the bourgeois subject dissolved itself, giving way to the Id and the “de-psychologized” subject. Furthermore, the bond linking the masses to the leader through the spectacle, as fascism displayed in its public representations, is feigned:

“When the leaders become conscious of mass psychology and take it into their own hands, it ceases to exist in a certain sense. […] Just as little as people believe in the depth of their hearts that the Jews are the devil, do they completely believe in their leader. They do not really identify themselves with him but act this identification, perform their own enthusiasm, and thus participate in their leader’s performance. […] It is probably the suspicion of this fictitiousness of their own ‘group psychology’ which makes fascist crowds so merciless and unapproachable. If they would stop to reason for a second, the whole performance would go to pieces, and they would be left to panic.”[1]

Edward Bernays (1891–1995), nephew of psychoanalyst Sigmund Freud, was considered the father of the field of public relations. Bernays was one of the first to attempt to manipulate public opinion using the psychology of the subconscious. He felt this manipulation was necessary in society, which he felt was irrational and dangerous.

Convergence theory

Convergence theory holds that crowd behavior is not a product of the crowd itself, but is carried into the crowd by particular individuals. Thus, crowds amount to a convergence of like-minded individuals. In other words, while contagion theory states that crowds cause people to act in a certain way, convergence theory says the opposite: that people who wish to act in a certain way come together to form crowds. An example of convergence theory states that there is no homogeneous activity within a repetitive practice, sometimes observed when an immigrant population becomes common in a previously homogeneous area, and members of the existing community (apparently spontaneously) band together to threaten those trying to move into their neighborhoods. In such cases, convergence theorists contend, the crowd itself does not generate racial hatred or violence; rather, the hostility has been simmering for some time among many local people. A crowd then arises from convergence of people who oppose the presence of these neighbors. Convergence theory claims that crowd behavior as such is not irrational; rather, people in crowds express existing beliefs and values so that the mob reaction is the rational product of widespread popular feeling.

My money though is on Convergence Theory. While herd mentality works in many respects, the herd seems less actively motivating the outcome as it is reacting to external stimuli or a certain single entity moving them to “herd” in a specific direction. In Convergence Theory however, we have a more nuanced approach to understanding that like minded individuals congregate together socially and then as a crowd, act out on their collective consciousness. I believe that all of these behaviours and observations play a role in the macro-verse of Anonymous.

I also believe that at times, there are leaders who take up the issue that they feel needs redress and then start that herd moving toward a goal by beating the drum. Thus you have the chats and the boards where people take their digital soap boxes out and speak on the target, the reasons, and the method of attack. If the idea gets enough traction vis a vis the oration of the de facto leader at that time, then, a movement begins. Which brings me to the next topic.

Cells vs Spontaneous Headless Entities:

Anonymous has said many times and rather vociferously, that they are a headless organisation. I have always been of the opinion that no matter how many times they make that claim, it is functionally impossible. There will always be a core group of individuals that will be leading an operation. It is also the case that Anonymous is predicated on infrastructure that must be maintained. The IRC rooms, the servers, the web servers etc, all have people who operate them and manage them. In this respect, those persons would be the holders of the keys to the kingdom would they not? If a person in charge of such functions were to turn (or be turned) on the organisation, they could do massive damage to the org by being in charge of key assets.

I would further like to posit that each “raiding party”, as they may be called, would also have de facto leaders. An instance of this can be seen in the WBC debacle, in the response to WBC that claims 20 people had worked on the document. Those twenty people would nominally be leaders of that cell or operation by my accounts. So, to extend this further, for every operation there must be a division of roles and responsibilities doled out in order to function; it is just our nature to do this. If Anonymous were truly a chaotic system, nothing would get done effectively.

Cells, however, also fit as a modus operandi for Anonymous. When I say cells I mean this from the perspective of cells in terrorism. Al Qaeda, as a functional operation, has been winnowed down to the point of only being a titular entity in the jihadi movement. Due to the war on terror, AQ has shifted their operations from being rather linear to a cell mentality. All of the cells out there are pretty much self formed at present. The cells consist of like minded people who get subtle and not so subtle information/mandates from the AQ HQ via things like “Inspire Magazine” or the jihadist boards. The same can be applied to the structure of Anonymous. There are still those people who are making suggestions and/or are outright perceived leaders, who can be singled out as targets of interest. This may not be the case every time, but by using the information above on motivations and crowds, you can infer that it is the case more times than not.

Nick Re-Use as De-Anonymization:

Now, once you consider the motivations and the structures that are created or used, one must then consider how would someone go about trying to determine targets of interest. In the case of Anonymous this allusion had been made (poorly) by Aaron Barr. He went after certain parties that he claimed were in fact the core leaders of Anonymous. I can’t say that any of those names were in fact core leaders, however, I will say that the nicknames themselves could have been used to gain intelligence on said users and indeed prove their affiliation.

My premise is this:

1) The more unique a nick is the easier it is to track

2) Nickname re-use on other sites in tandem with uniqueness makes tracking and expanding on social connections easier

3) With the right foot-printing, one can potentially get enough information not only to see affiliations and actions, but also real names of individuals

So, if you are on the Anon boards and you re-use your nick, AND it is unique enough, I know that you can be tracked. Add to this the notion that you use your nick as an email address, then you are adding even more context for someone to search on and cogently put together patterns for recognition. So, the more data points, the more coherence to the picture if you see what I mean. By using tools like Maltego or even Palantir correctly, one can make those connections. In the hands of a trained analyst, the data can really show a person’s online personae and lead to enough data being revealed to have law enforcement breathing down your neck with warrants.

In looking at the Anon sites, one can see regular names turning up. Using Maltego on some of those names has also given returns that would be a good start on locating those people, because they used the same nickname for other uses that are inherently insecure. Which is ironic, as Anonymous is supposed to be just that. In fact, one can log onto their IRC session just as “anonymous18457” etc. I would do this every time I wanted to go onto their servers so as not to have too much residual data for someone to mine.
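The three-point premise above (uniqueness, re-use across sites, and a nick doubling as an email address) can be turned into a self-audit. The following is an added example of my own, not something from the post or from Maltego or Palantir: it scores a set of handles purely from constructed observations embedded in the script, queries no site, and is meant for checking your own footprint. The handles, sites and email addresses are all hypothetical.

```python
"""Handle-linkability self-audit (added example, not from the post).

Scores how trackable a nickname is from the factors the post names: how
unique the handle is, on how many sites it recurs, and whether an email
address repeats it. All input is constructed and embedded; nothing is queried.
"""
import math
import re
from collections import Counter, defaultdict

# Throwaway patterns like "anonymous18457" carry no identity to correlate.
THROWAWAY = re.compile(r"^(?:anon|anonymous|guest|user)\d*$")
# Names so common that a match across sites proves nothing (small illustrative set).
COMMON = {"john", "mike", "dave", "anna", "admin", "bob", "alex"}


def uniqueness(handle: str) -> float:
    """0.0 for throwaway or common handles, up to 1.0 for long, high-entropy ones."""
    h = handle.lower()
    if THROWAWAY.match(h) or h in COMMON:
        return 0.0
    n = len(h)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(h).values())
    length_term = min(n, 12) / 12            # saturates at 12 characters
    entropy_term = min(entropy, 4.0) / 4.0   # 4 bits/char is the practical ceiling
    return round(0.5 * length_term + 0.5 * entropy_term, 3)


def reuse_map(observations):
    """Group constructed (site, handle, email) rows: handle -> sites, handle -> emails."""
    sites = defaultdict(set)
    emails = defaultdict(set)
    for site, handle, email in observations:
        sites[handle].add(site)
        if email:
            emails[handle].add(email)
    return sites, emails


def linkability(observations):
    """Rank handles by exposure = uniqueness * (sites seen on + 1 if an email repeats it).

    A common or throwaway handle scores 0 however often it recurs; a distinctive
    one grows with every extra data point, which is the post's "more data points,
    more coherence" argument in one number.
    """
    sites, emails = reuse_map(observations)
    ranked = []
    for handle, seen in sites.items():
        email_tie = any(e.split("@")[0].lower() == handle.lower() for e in emails[handle])
        score = uniqueness(handle) * (len(seen) + (1 if email_tie else 0))
        ranked.append((round(score, 3), handle, sorted(seen), email_tie))
    ranked.sort(reverse=True)
    return ranked


# Constructed observations (hypothetical handles, sites and addresses).
OBSERVED = [
    ("irc",    "quartzfalcon77", None),
    ("forum",  "quartzfalcon77", "quartzfalcon77@example.invalid"),
    ("github", "quartzfalcon77", None),
    ("irc",    "anonymous18457", None),
    ("forum",  "john", None),
    ("shop",   "john", "john@example.invalid"),
]

if __name__ == "__main__":
    for score, handle, seen, tie in linkability(OBSERVED):
        print(f"{score:5.2f}  {handle:16}  sites={seen}  email_repeats_handle={tie}")
```

The ranking puts the distinctive, thrice-reused handle with a matching mailbox at the top and leaves both the per-session “anonymous18457” style nick and the plain “john” at zero, which is the whole point of the post's advice about rotating generic nicks.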

Aaron was right in that people are inherently lazy at times. We as a species are also ill equipped to delineate long term threats as opposed to near term. In most cases though, many of the Anon’s are in fact young and likely inured to the idea that the Internet is in fact an anonymous space.

It isn’t, unless you take pains to make it so.

Conclusion:

So there you have it. I have been pondering this for a little while now. I am sure there will be more as I think about it a bit. Aaron was a fool, but let me tell you, there are others out there in spook country who aren’t. These techniques are no secret nor are the theories of behaviour. These are common ideas that are used within the psyops realm and you, “anonymous” legions must take that into account. If the authorities cannot get the core members, they will eventually get round to going after the low hanging fruit.

However, with these techniques, even someone diligent about their anonymity can be defeated. Everyone makes mistakes…

Keep your wits about you.

K.

Anonymous Fallacies: To LOIC or Not To LOIC, That is the Question


BY ANONYMOUS ON THE 9TH OF DEC 2010 08:01:14 PM

Educate: Operation Payback
1)      http://twitter.com/op_payback
2)      http://anonnet.org/
3)      http://www.youtube.com/watch?v=kZNDV4hGUGw
4)      http://www.mediaite.com/online/anonymous-posts-video-message-describing-their-mission-in-defense-of-wikileaks/

Jester(Robin Jackson) Information
1)      http://svc.mt.gov/gsd/onestop/upload/UEFRFI.doc (Government Document)
2)      http://helenair.com/news/article_8e648ac0-fddd-11df-9d90-001cc4c03286.html (press article with a photo of him)
3)      http://twitter.com/th3j35t3r (Jesters twitter)
4)      http://dc406.com/ (Registered by robin jackson and has the jester poker on the left)

Participate: LOIC || IRC [See Caught: Warning and Escape for further information]
1)      http://pastehtml.com/view/1c8i33u.html [download LOIC/discuss IRC]
2)      NO TARGET [target LOIC]

Participate: Wikileaks Insurance
1)      http://utorrent.com [download Bittorrent]
2)      http://torrentfreak.com/how-to-encrypt-bittorrent-traffic/ [encrypt traffic]
3)      http://peerblock.com [block dangerous IPs]
4)      http://thepiratebay.org/torrent/5723136/WikiLeaks_insurance  [download the file]

Participate: Expose the Fiction
1)      http://img23.imageshack.us/img23/4958/1291867745327.jpg
2)      http://img143.imageshack.us/img143/4684/1291862911917.jpg

Participate: Expose the Truth
1)      http://www.wikihow.com/Google-Bomb [Keyword: Operation Payback]
2)      http://www.time.com/time/specials/packages/article/0,28804,2028734_2028733_2028727,00.html [vote @ 98, revote with InPrivate Browsing]
3)      http://i54.tinypic.com/30jij2q.png [Facebook Avatar]

Participate: Other Tools
1)      http://www.techpavan.com/2009/08/17/what-black-fax-black-fax-attack-why-how-to-do-black-fax/ [Target: Unknown]
2)      http://atdhe.net/watch-bbc-news.php [Enjoy the lulz]

Clean Up: Protect Yourself
1)      http://www.piriform.com/ccleaner/download [download CCleaner]
2)      Tools > Driver Wiper > Select Drive > Wipe Free Space > Gutman (35) > Wipe
3)      http://www.truecrypt.org/ [download TrueCrypt]
4)      Select Drive > Encrypt
5)      http://www.aboutcookies.org/Default.aspx?page=2 [delete browsing cookies]
6)      http://lifehacker.com/5530828/start-any-browser-in-private-browsing-mode [launch as InPrivate Browsing]
7)      http://techpp.com/2009/07/09/top-5-free-vpn-clients/ [download VPN service]
8)      Set wireless network to unsecured or WAP to claim you were hacked if v&

Caught: Warning and Escape
1)      DO NOT PROXY. It will affect the proxy, not the target. That’s why you use VPN.
2)      DO NOT attack on a school, work, or company owned network; your traffic is heavily monitored. You will get caught.
3)      DO NOT attack by yourself or in small numbers, you will get caught. While in larger numbers, it’s minimal if non-existent, and if server goes down it’s impossible to recover corrupt data on who attacked.
4)      DO NOT “bot net” it is illegal. DDoS with LOIC is legal, however.
5)      CHANGE your MAC IP after destroying the internets, or risk having your e-mail MAC IP traced back.
6)      If you are v& (vanned) declare you had no participation in this event. Note you are using a dynamic IP address and that many different people use it, because it’s dynamic. If they prove that it was yours, then tell them you are a victim of a “botnet virus” that you had no control or knowledge of. Additionally if you set your wireless to unsecured or WAP prior to LOIC you can claim someone hacked your wireless. Case closed.

I found this on pastebin today and after reading through it, I have to reconsider the idea that there is a core group of competent hacker types running the show at Anonymous. What really caught my eye is the section in red above, the admonition about “if you get caught”. This is the most egregious set of instructions that I have ever seen and will only serve to land those of the “hive mind” in courts across the globe with a fair chance at getting truly buggered.

Let me take it point by point here:

1)      DO NOT PROXY. It will affect the proxy, not the target. That’s why you use VPN.

VPN? VPN? WTF? What VPN are you talking about there skippy? If you use a VPN, then you are concentrating the traffic to a single IP exit node as well as making it just as easy to track. Which brings me back to “what VPN?” You have a service somewhere? Usually you only see VPNs used in companies, or for personal use, for secure access to systems behind firewalls.

Now, on the other side of this, umm yeah, proxying the traffic for the LOIC makes sense and should have been used. As far as I have seen, the LOIC is just a glorified F5 key script. If you proxy then you will just be polling a site via proxy (hopefully without logging) to port 80 http. So, there may be more traffic on nodes of whatever proxy you use, but, the traffic should get there if the proxy is robust enough.

2)      DO NOT attack on a school, work, or company owned network; your traffic is heavily monitored. You will get caught.

Ehhhhh depends on the company or school doesn’t it? I mean many colleges are still lacking in controls over their Internet traffic. However, I would say that they would be right.. Unless the traffic were VPN’d to a proxy outside. Then you would have something.

3)      DO NOT attack by yourself or in small numbers, you will get caught. While in larger numbers, it’s minimal if non-existant, and if server goes down it’s impossible to recover corrupt data on who attacked.

Say what? No matter the volume of users, if the systems at the receiving end are configured properly and able to log the traffic, then ALL of your IPs will be logged! As I suspect you will all soon find out after the Feds have audited those seized servers and logs from those who got DDoS’d.

4)      DO NOT “bot net” it is illegal. DDoS with LOIC is legal, however.

BAAAHAHAHAHAHAHAHAHAHAHAHAHAHAHHAHAHAHAHAHAHAHAHAHAHAHAHHA! Ok kids, Law 101 here. If you PARTICIPATE in a DDoS, no matter if you use LOIC or a botnet, you ARE in fact COMPLICIT in an act that is against the law. You don’t get any extra points for the motives behind said attack, nor for the method of attack. This is especially true when you use a tool that does NOT obfuscate your IP address as you perform it. Whoever collaboratively wrote these do’s and don’ts is culpable in your crimes too… As well as for the crime of stupidity.

5)      CHANGE your MAC IP after destroying the internets, or risk having your e-mail MAC IP traced back.

WTF? Your MAC IP? Would you perhaps be meaning your MAC address as well as your IP address? Ya know, the IP address that you are not masking at all when you use LOIC to “destroy the internets”? OMFG, here’s the “internets” manual, RTFM please! This is even below skiddie level.

6)      If you are v& (vanned) declare you had no participation in this event. Note you are using a dynamic IP address and that many different people use it, because it’s dynamic. If they prove that it was yours, then tell them you are a victim of a “botnet virus” that you had no control or knowledge of. Additionally if you set your wireless to unsecured or WAP prior to LOIC you can claim someone hacked your wireless. Case closed.

Once again, you have no real grasp of how the Internet works do you? Let me break it down for you…

A) Dynamic IP addresses do change, but they tend to remain the same for users for a long time. Depending on the lease time set by the ISP you could have it for days. So trying to say that you are on a dynamic IP is pointless.

B) Any dynamic IP is going to be logged as to what account holds the IP address during that session in the logs!

C) Yeah, claiming there was a botnet malware package installed on your PC will do no good, unless you actually do that yourself before you do all of this.. and even THEN forensically it is easy to tell that you installed it and LOIC. Any way you slice it, unless you physically smash your machine or fully encrypt it with something like TrueCrypt AND shut it off before the feds knock your door down… You are fucked.

D) The un-secured wifi argument can work, but, I will go back to the forensics argument again.. We can see you. You lose.
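Points 3) and B) above in working form, as an added example that is not part of the post: given constructed Apache combined-format access log lines and a constructed ISP lease export (both made up here for illustration, the log format itself is real), the code picks out sources whose request rate looks like a page being re-fetched as fast as a script can manage, and looks up which subscriber account held each address at the time. The 30-requests-per-10-seconds threshold, the lease-export layout and every address, account name and timestamp are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format (a real format; every line fed to it below is constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path")


def requests_by_ip(lines):
    """Sorted request timestamps per source address."""
    stamps = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            stamps[parsed[0]].append(parsed[1])
    return {ip: sorted(ts) for ip, ts in stamps.items()}


def peak_rate_per_ip(lines, window=timedelta(seconds=10)):
    """Most requests any one address made inside any interval of length `window`.

    A client re-fetching a page as fast as it can stands out here; a person
    reading three pages a minute does not."""
    peaks = {}
    for ip, stamps in requests_by_ip(lines).items():
        best = start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:   # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def flood_sources(lines, threshold=30, window=timedelta(seconds=10)):
    """Addresses whose peak rate exceeds `threshold` requests per `window`."""
    return {ip: n for ip, n in peak_rate_per_ip(lines, window).items() if n > threshold}


def account_for(leases, ip, when):
    """Subscriber that held `ip` at `when`, from a lease export of (account, ip, start, end).

    This is the record point B refers to: a dynamic address is still tied to one
    account for the life of its lease, and the ISP keeps that mapping."""
    for account, lease_ip, start, end in leases:
        if lease_ip == ip and start <= when < end:
            return account
    return None


def attribute_flood(lines, leases, threshold=30):
    """For each flooding address: (peak requests in window, account holding its lease
    at the time of its first request, or None if the lease export has no match)."""
    first_seen = {ip: ts[0] for ip, ts in requests_by_ip(lines).items()}
    return {ip: (peak, account_for(leases, ip, first_seen[ip]))
            for ip, peak in flood_sources(lines, threshold).items()}


# ---- constructed sample input (not real traffic) -----------------------------
T0 = datetime(2010, 12, 8, 14, 0, 0, tzinfo=timezone.utc)


def _line(ip, ts, path="/"):
    """Format one constructed combined-format line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'


SAMPLE_LOG = (
    # constructed: one source re-requesting "/" sixty times inside ten seconds
    [_line("203.0.113.7", T0 + timedelta(milliseconds=160 * i)) for i in range(60)]
    # constructed: an ordinary visitor reading three pages over a minute
    + [_line("198.51.100.4", T0 + timedelta(seconds=20 * i), p)
       for i, p in enumerate(["/", "/news", "/about"])]
)

SAMPLE_LEASES = [
    # constructed lease export: (account, ip, lease start, lease end)
    ("subscriber-0419", "203.0.113.7", T0 - timedelta(days=3), T0 + timedelta(days=4)),
    ("subscriber-0020", "198.51.100.4", T0 - timedelta(hours=1), T0 + timedelta(days=7)),
]

if __name__ == "__main__":
    for ip, (peak, account) in attribute_flood(SAMPLE_LOG, SAMPLE_LEASES).items():
        print(f"{ip}: {peak} requests in 10 s, lease held by {account}")
```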

In the end, this whole thing has been run like a train wreck. Anonymous has failed to think this all through and certainly has no idea about the legalities here to be telling any of these kids out there using LOIC that they are going to be ok. It may be all about the lulz, but soon it’s going to be all about CYA and lots of lawyers’ fees kids.

CoB

Written by Krypt3ia

2011/01/05 at 19:13

Posted in DD0S

Emergent Digital Warfare: Swarming; A Further Look at C2

leave a comment »

The Hive Mind

In my last post I talked about the “swarming” tactics that were being employed by Anonymous and elements of 4chan to DDoS sites in their “operations”. This post is going to deal with more of what can be tactically done to respond to not only the tactic of swarming (via electronic DDoS as opposed to in a real battlefield) but also the DDoS as a vector of attack itself. I have been Googling quite a bit and have turned up some interesting papers on the subjects, and this topic has had me thinking quite a bit for a while now.

What has been at the back of my mind all of this time has been the claims that Anonymous is a “collective” of people that perform a hive mind style of Athenian Democracy (that’s the media’s dubbing there, not mine) inside the digital domain of IRC to choose their targets and launch their attacks. However, I would like to correct this statement and state that I believe it to be dissembling on the part of Anonymous to say that it is truly a leaderless aggregation of entities. Instead, I believe that there are a core group of individuals who comprise the C2 structure that then in turn guides others to the hive mind.

Why do I say this? Well, let’s look at it from the perspective of bees. Bees are a hive mind, however, they have a queen do they not? It is that queen who runs the hive, and not in an Athenian black marble in a jar of white ones kind of way. The worker bees have no say in the actual targeting of anything, but a chemical signal and dance from another will set them off to attack or to go to a specific place rich in flowers to pollinate. In short, the bees do not have frontal lobes and large brains, so there is a more complex system of decision making that goes into higher brain function individuals on an IRC channel than there is in a chemical signal to a bee to attack something.

So, in the case of the IRC channels and the C2 (command & control) of the Anonymous Operations, I say that there is a more complex system at play and that they, by their very nature, require a command and control structure that requires key players to facilitate them.

Cells and Compartments

There have been reports that there are a core group of hackers who are at the heart of this C2 architecture and I would tend to agree that they may indeed be hackers (the loose term by way of technically savvy individuals) and they in fact have at their disposal systems such as IRC servers and channels that they either fully control themselves, or that they are loaned time on. I believe that there is a more hierarchical structure to the Anonymous group than they would like to admit, and as such, they are in a much more precarious position than they might indeed think tactically. Sure, they have plenty of cannon fodder out there using the LOIC, but, the core cabal still hold the digital strings. In this case, we have many skiddies out there, so who are the brains behind the coding and implementation?

Just as well, take a look at the collective press releases that have been made on piratepad etc. Last one I saw had 16 authors working on the whole… 16 is not legion… 16 is “finite”. So, sure, at present you have LOIC which is not obfuscating IP addresses of end users, and you have kids out there just doing this for shits and giggles, but elsewhere, you have the likes of those who hacked Gawker. Those weren’t skiddies, just how many were there and were they working in completely compartmented cells? If not, then eventually the cells will be broken.

Think about it this way… Everyone that you bring into this venture has the potential of being from the opposition. All it takes is one agent provocateur to bring a network down.

The Technologies of DDoS Swarming

The IRC systems that the hive mind and Anonymous operations have been using so far have started to be targeted by the federal authorities of not only the US but other countries in hopes of gathering logs and decommissioning them for C2 use. The current IRC server (anonops.ru) sits in Russia, and in fact is likely to be a bit safer out there at present, but, note that they moved it to Russia in order to prevent being taken down and seized. This is the fatal flaw in the system that Anonymous has yet to really come to grips with. By announcing their targets and their channels to connect to the C2 network, they give up their tactical advantage for not getting popped. When the authorities know where the systems are that are the actual C2 mechanism, then they will use any and all force to go after those nodes and take them down.

A more fully working and secure system would be the traditional botnet approach though for this type of sustained attack. By using botnets of infected machines, Anonymous would have a better chance at not actually getting pinched as easily as they might, because they are in the open with their C2 channels and their methodologies (i.e. LOIC). After all, once the warrants go out on all those kids like the ones in Germany, then there will be a bit more of a call for the commanders to create more “secure” technologies than LOIC to perform the DDoS won’t there? Or are they not planning that far ahead?

You see where I am going with this? You still have a single point of failure in the IRC and the LOIC’s insecure nature. Eventually, no one will want to play unless they can be assured that they are protected by IP obfuscation.

My recommendation? Use the botnets and forget the skiddie stuff. Sooner or later, you all will piss off the wrong folks and your single point of failure in the “hive” system will bring you all down. All it would really take at the present moment would be for the authorities in .ru (cough KGB cough) to backdoor the system and audit all of the traffic on it. Unless you are shelled in with a proxy (funny, how anon doesn’t allow Tor on their IRC) then it’s highly likely someone would be on your doorstep soon enough breaking it down.

For that matter, the KGB just might like to get in there and use you all for their own ends.. Anonymous would make a nice patsy wouldn’t you?

Countermeasures for DDoS

Meanwhile, all of these events have brought the specter of DD0S to the fore again for the greater community at large doing business on the internet. DD0S is such a simple idea but it seems to be a daunting task to differentiate the traffic and mitigate an attack of this type. Because all of the traffic is ostensibly authentic according to the routers and servers, the problem becomes how to determine whether it is truly authentic traffic or an attack vector. Therein we have the swarming that I spoke of before: the server is swarmed over with connection attempts.

The Military has been working on the DDoS issue for some time now and there are some good papers on the subject:

1) Mitigating Distributed Denial of Service Attacks in an Anonymous Routing Environment: Client Puzzles and Tor

2) Mitigating DDoS with DFS

3) Distributed Denial of Service-Defense Attack Tradeoff Analysis (DDOS-DATA)

It looks as though the best means so far discussed have to do with a type of packet filtering approach that could potentially differentiate good from bad traffic, but that would take another stratification of traffic (network layer) and likely would be costly and perhaps not so good for net neutrality. As yet though, no one seems to have a good solution to the problem… So, there will always be the potential for a large scale attack on any site that will take it offline and perhaps overtax the servers themselves overhead wise. These though, are only one form of direct DoS attack on a site… What about DDoS on, say, a router or the main DNS servers out there on the net?
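One concrete shape the “differentiate good from bad traffic” problem can take, as an added example that is not from the post nor from the papers listed above: a stateless hash-based client puzzle, the general idea the first paper’s title refers to. The server hands out an HMAC-bound nonce and admits a request only once the client presents a counter whose SHA-256 hash has the required number of leading zero bits, so solving costs the client about 2**bits hashes while verifying costs the server one HMAC and one hash. `SERVER_SECRET`, `PUZZLE_TTL`, the puzzle string layout and the load-to-difficulty rule in `difficulty_for_load` are assumptions of this sketch, not anything the papers specify.

```python
import hashlib
import hmac
import os
import time

SERVER_SECRET = os.urandom(32)   # assumption: per-process secret, rotated on restart
PUZZLE_TTL = 30                  # assumption: seconds a puzzle stays redeemable
_redeemed = {}                   # puzzle -> issue time, to refuse replays inside the TTL


def difficulty_for_load(req_per_sec, normal=50, max_bits=20):
    """Hardness in leading-zero bits: none at or below the normal rate, one more
    bit for every doubling above it. Under a flood the puzzle gets harder for
    everyone, but the cost lands on whoever is sending the most requests."""
    bits = 0
    while req_per_sec > normal and bits < max_bits:
        req_per_sec /= 2
        bits += 1
    return bits


def _leading_zero_bits(digest):
    """Count leading zero bits of a byte string."""
    n = 0
    for b in digest:
        if b:
            return n + 8 - b.bit_length()
        n += 8
    return n


def issue_puzzle(client_ip, bits, now=None):
    """Server side: returns "issued:bits:rand:tag". The tag is an HMAC over the
    other fields plus the client address, so the server can verify later
    without storing anything per client."""
    issued = int(now if now is not None else time.time())
    rand = os.urandom(8).hex()
    tag = hmac.new(SERVER_SECRET, f"{client_ip}|{issued}|{bits}|{rand}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{issued}:{bits}:{rand}:{tag}"


def solve_puzzle(puzzle, max_tries=1 << 26):
    """Client side: find a counter such that SHA-256(puzzle:counter) has `bits`
    leading zero bits. Expected work ~2**bits hashes; the server never does this."""
    bits = int(puzzle.split(":")[1])
    for counter in range(max_tries):
        h = hashlib.sha256(f"{puzzle}:{counter}".encode()).digest()
        if _leading_zero_bits(h) >= bits:
            return counter
    return None


def verify_solution(client_ip, puzzle, counter, now=None):
    """Server side: constant work regardless of puzzle hardness. Rejects
    malformed, expired, foreign (wrong secret or wrong IP), replayed and
    wrong answers."""
    now = now if now is not None else time.time()
    try:
        issued_s, bits_s, rand, tag = puzzle.split(":")
        issued, bits = int(issued_s), int(bits_s)
    except ValueError:
        return False
    if not 0 <= now - issued <= PUZZLE_TTL:
        return False
    expected = hmac.new(SERVER_SECRET, f"{client_ip}|{issued}|{bits}|{rand}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    # drop redeemed puzzles that are past the TTL anyway, then refuse replays
    for old in [p for p, t in _redeemed.items() if now - t > PUZZLE_TTL]:
        del _redeemed[old]
    if puzzle in _redeemed:
        return False
    h = hashlib.sha256(f"{puzzle}:{counter}".encode()).digest()
    if _leading_zero_bits(h) < bits:
        return False
    _redeemed[puzzle] = issued
    return True


if __name__ == "__main__":
    bits = difficulty_for_load(400)            # constructed 400 req/s reading -> 3 bits
    puzzle = issue_puzzle("203.0.113.7", 12)   # force 12 bits so the client cost is visible
    t = time.perf_counter()
    answer = solve_puzzle(puzzle)
    dt = time.perf_counter() - t
    print(f"load -> {bits} bits; 12-bit puzzle solved with counter {answer} in {dt:.3f}s;",
          "server accepts:", verify_solution("203.0.113.7", puzzle, answer))
```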

Moving Forward

The time of Anonymous is upon us. I wonder however, just how long that will be though, because I fear that they have awakened the sleeping giant just as it has become technologically self aware. I am sure that in 2011 there will be arrests and dismembering of Anonymous and groups like them when they poke the badger one too many times.. That is, there will be more of them popped unless they get a bit smarter about their OPSEC.

The technologies out there now are going to be worked on and sometime in the near future, I suspect there will be some more mitigations offered by the likes of Cisco etc. for DDoS. Until that time, the LOIC and its progeny will continue on DoS’ing sites offline as a protest or just for the lulz. I wonder though, if the Anonymous C2 will realize that what I have said above is true, and work on some obfuscation techniques for their networks and end users…

Time will tell…

In truth, 2011 will be the year of the cyber war and we are in for a ride folks.

CoB

Written by Krypt3ia

2011/01/03 at 23:34

Emergent Warfighting in the Physical and Digital Realms: “Swarming”

with 3 comments

I recently mused on the preponderance of articles on the Ansar boards concerning insects. The postings all centred on bees, ants, and other insects that, as it was pointed out to me later, “swarm”. It was after this epiphany that the person who reminded me of this fact sent me a link to a pdf file written by the military back in 2000 and updated in 2005. This document produced by the RAND Corporation has hit the mark today especially for me post the Wikileaks DDoS and I should think that others have picked up on this, namely, the Jihadists.

“Al Qaeda,” or “the Base,” as Osama bin Laden’s terror network is known, may be trying to engage in “strategic swarming”—an effort to strike simultaneously, or with close sequencing, at widely separated targets (e.g., the embassy bombings in Kenya and Tanzania). But, so far, his ability to mount operations of strategic significance seems limited. Also, to the extent to which the Base’s operations depend upon bin Laden’s direct leadership, this is a case that differs from the “leaderless” quality of classic swarm theory.

The Jihadists have learned from this swarming pattern to actually create an infrastructure of communications (their websites and boards) that are not solely housed on any one server, but instead, many servers that can be used as a backup when one fails. This has made it harder for sites to be taken down, just as much as the nature of the Internet itself has made it difficult to put a halt to these sites being stood up quickly and easily missed by authorities. By extension though, the jihadis have also begun, I think, to make the connection between swarming tactics, guerrilla warfare, and the position they find themselves in today being shunted into certain areas of the Asiatic.

What has come of this is that AQ, GIMF, AQAP, AL Shabab, and others are branding their propaganda wings, creating a virtual infrastructure for recruitment, and attempting to create “hives” of malcontents that will swarm when the signal is given. What’s worse is that I fear the Jihadists will learn from our pals at Anonymous and perhaps use the technologies at hand (LOIC and an IRC server) to attempt a combined attack of digital and kinetic that could be problematic for us all. Which brings me to the digital realm…

What the DDoS is at its heart is in fact a “swarming” maneuver for the digital age. With the prevalence of internetworked technologies that we have become inextricably connected to, a swarm attack could potentially kill a non-resilient network infrastructure and render the country inert in many ways. This has been proved out with the cyber attacks on Georgia by Russia in tandem with the kinetic attacks of bombing and other internal guerrilla warfare that was carried out there. The Rand report does a great job at not only describing the physical swarm used in warfare to date, but also goes on to cover the nascent internet (its writing was in 2000 but citing 1994 documentation).

Swarming has two fundamental requirements.

First, to be able to strike at an adversary from multiple directions, there must be large numbers of small units of maneuver that are tightly internetted—i.e., that can communicate and coordinate with each other at will, and are expected to do so.

The second requirement is that the “swarm force” must not only engage in strike operations, but also form part of a “sensory organization,” providing the surveillance and synoptic-level observations necessary to the creation and maintenance of “topsight.”

Thus, swarming relies upon what Libicki (1994) calls “the many and the small,” as well as upon Gelernter’s (1991) notion of a command element that “knows” a great deal but intervenes only sparingly, when necessary. These two fundamental requirements may necessitate creating new systems for command, control, communications, computers, and intelligence (C4I).

Clearly, digital communications enable the rise of swarm networks. They provide for smooth cascades of information and for the level of information security that will be needed in an increasingly dispersed, nonlinear battlespace of the future. The consequence of poor information security will be high for a swarm force if it becomes compromised—but then the cost of intercepted and decoded communications has always been high. In 207 B.C., during the later years of the Second Punic War, a Carthaginian messenger was caught by the Romans, leading to the deadly ambush of Hasdrubal’s army at the Metaurus—and to the overall defeat of Carthage (Creasy, 1851, pp. 84–110). Two millennia later, at the Battle of Tannenberg in the opening month of World War I, German radio intercepts of Russian field movements allowed an outnumbered force under Hindenburg to win a signal victory that tipped the scales much in Germany’s favor.

Robust communications that help with both the structuring and processing of information will enable most pods and clusters to engage the enemy most of the time—a key aspect of swarming. If this can be done consistently, it holds out the possibility of creating a new kind of force-multiplying effect, whereby a skillful blending of the technological and organizational aspects of information operations can enable a relatively small force to outperform an ostensibly larger one.

There you have it, they called this back in 2000. Of course there had been DoS attacks already, in fact one of them was actually named operation SWARM. So the precedent and the idea had already been in use and thought about. My question is why then, with all of the knowledge about how this works, NOTHING really has been substantively done about creating meshed networks that could withstand and respond to a SWARM/DDoS attack? Even if the heart of the problems today may lie at the application layer, what else could be done aside from load balancing that would remediate this attack?

In the last few days all I have been seeing on the blogs and RSS feeds are predictions for the 2011 threatscape. Of course DDoS is right at the top of that list now because of Anonymous and others who have been using this attack schema for their own purposes. Anonymous though, at the level of theory and practice, truly has been a “swarm” attacker. They have used innumerable personal machines through a C&C infrastructure that can in fact be anywhere. All you need to do is put out the word (IP address/channel) and anyone who wants to can just give cycles to the cause. Of course this is proving to be a little problematic as the FBI is seizing servers already from the DDoS campaigns against Mastercard and other vendors.

Done right though, with no skiddie technology, but instead with proxies, and protections for the end users (John Q. Public) then it would be much harder to catch anyone after the fact as well as if you handled it deftly, you could in fact create a mesh network that could hand off the traffic should there be a counter attack against the aggressors. Similarly, if those being attacked had a resilient network (dare I say cloud computing.. alas.. I did..) then it is possible to absorb the traffic, or deflect it so as to not have a situation where the systems are down because of a single node of failure, so to speak.

In conclusion, I think that this paper is very important to not only the military, but also the security and networking industry itself. Think not only about the potential for DDoS attacks, but also picture the next gen of “Stuxnet” with not only the features of PLC injection, but also botnet/p2p capabilities (it had p2p of a sort built in already) that could infect machines with multiple 0day, and lie in wait until the “swarm” order is given. This could be the largest swarm attack yet.

Interesting times….

CoB

Wikileaks to the Left of Me, Jokers to the Right, Here I Am Stuck in the Middle With You.

Well, it’s been an interesting week hasn’t it folks? We have Wikileaks leaking interesting, if not earth-shattering, cables from US embassies around the globe. We have the US’ knee jerk reactions that are akin to a young girl’s naked photos being leaked on her Facebook page, crying foul and shaking their impotent fist at the “internets”. And we have a court jester who, it seems, may have bitten off more than he could chew this time around and has gone into semi hiding post claiming a DoS that many in the security field feel was “weak” as one put it.

So, let’s cover my thoughts on the week’s events by the numbers…

1) Wikileaks and CableGate

Ahh, the infamous “CableGate” as the Wikileakers have named it for maximum effect. Cables that give the inside skinny on what people see as ambassadors and analysts in the foreign service of this country. After the dumps, I am still nonplussed by the contents of the cables. Perhaps this is because I read quite a bit and know people who have been in the service. Maybe it’s because the reality of the documents’ data is already common knowledge to those who pay attention to world affairs and read the news. Some of them though really do hold a few interesting gems on actions that we have taken with other countries that may seem to the layman as being shifty or dirty.. But if you leave this country and actually work in others, you will see that sometimes you have to do things as it was once said before; “si fueris Rōmae, Rōmānō vīvitō mōre; si fueris alibī, vīvitō sicut ibi”

Is it so hard to believe that bribery is rampant in other countries such as Pakistan? Do you really think that Russians don’t hit the bottle really hard and then have gunplay as they make deals at weddings for territory and power? If any of you reading this blog are shocked and amazed by all this and that we as the United States have to placate these people with backdoor deals, then, well, either I just don’t know my audience, or you, the reader, are exceedingly naive and should wake up to the realities of how the world works.

I’ll give you a hint right here, right now. There are no white knights, and Superman is a comic. “Truth, Justice, and the American Way” is just a saying that placates us to believe that we do things above board all of the time and as Dr. Gregory House says; “Everyone Lies”. It’s just the reality kids. So, when the Wikileaks folks get their shorts in a bind over cables like these I tend to think that they are all Pollyannas that don’t know what real criminality is because once again, these documents are not equivalent to the Pentagon Papers. Had Wikileaks dropped a bundle of docs that showed in clear and no uncertain terms that the WHIG, Cheney, and their ilk clearly fabricated every bit of data that they used to prod the US to invade Iraq, well, that would be another story.

But again.. We don’t have that do we? What we do have is some dirty laundry and that has tickled the fancies of us all because we abhor “secrets”. Not so much that we hate them for their sake, but, that we want to know them! We are inquisitive and always love to be one up on the other guy. So after this big dump, where is the outrage? The protesting? The shoe banging by the UN and other nations that were promised?

*tumbleweeds*

Yep, no one really cares enough to say that these are all shocking and storm the government looking for redress. So, on that account I side with Jester and give it all a #FAIL. Which brings me to the organization itself and its newfound pariah status. I will also go one step further and give a #FAIL to the United States of America’s efforts regarding Julian Assange, INTERPOL’s new #1 bad guy.

2) Julian Assange: “No Glove, No Love Gate”

Julian Assange has issues, I think. His issues stem from a great heaping load of hubris as well as ego, but then there is the side of him that I think is just plain adolescent idealism. The idealism was what drove him to this model of Wikileaks, but soon enough, it was the ego and hubris that took over the driver’s seat. What Wikileaks has become is more a terribly petulant child shrieking about not getting a lollipop than an organization attempting to change the world by “freeing the data.”

The troubles that Wikileaks has had with attrition of staff recently show that Assange has become drunk on the status of being able to poke at nations and get their ire. It’s somewhat akin to a little brother taunting a big brother just for the attention that he craves... Which reminds me of another party in this little passion play that I will speak of below. For now though, my focus is Julian and the United States of America’s play to have him become the next Osama Bin Laden.

The reaction to these dumps on the part of the US Government has been poorly thought out, at least on the face of it recently. By (I assume) leveraging the Swedish and other governments to put Assange on the “RED” list for INTERPOL, for alleged consensual sex sans condom (or perhaps rape; it’s fuzzy with all the reports out there as to what really happened), the US has only shown its weakest face. The charges are weak, and the placement of someone being charged only with the crime cited shows just how much the US would like to get their hands on Assange, but they know they don’t really have a case.

What’s more, these senators out there now calling for Assange and Wikileaks to be deemed a “Terrorist Organization” are just out of their minds to even attempt to propose such a thing. THIS shows, though, just what Assange and others are alluding to when they say this government is corrupt and/or over-reaching in secrecy, surveillance, and general use of chicanery.

And on that account, I am agreeing with Assange and Wikileaks. The US has in fact reacted like that big brother being taunted by the little one and is attempting to haul off and slug him without mom or dad seeing it. What’s worse is that I am sure the US is working on a plan to have Assange kept somewhere if it is not able to find a legal leg to stand on to bring him here to the States and put him on trial.

Of course there is the off chance that any country now might just be afraid enough of Assange as the titular head of the organization to not only allow the US to take him, but also for some, to just do away with him by having a “convenient accident” occur.

Some secrets, as countries and people do the mental calculus for them, are worth the price of a life or lives. No matter the laws or executive orders…

Of course Wikileaks’ current data does not in the least constitute anything close to one of those secrets worth whacking him over. So, the show will go on trying to get him into custody. He will be the martyr to his followers, and I am sure that Wikileaks will become an even more powerful organization because of the poor handling of this case. In the end, the US will only ham-fistedly attempt to cover up the fact that the SIPRNET system was not being monitored as per the policy and procedures mandated by the military and government. This allowed a low-level PFC analyst to steal nearly half a million documents from an alleged “secure system.” This is the very same government that created the likes of the DHS and TSA to keep us all “safe” from terrorists. I guess they just took a cue from the Bush administration and thought that a banner saying “mission accomplished” was just as effective at ending a war as a banner that says “This system is protected and may be monitored” was at protecting secrets.

Hubris and the emperor has yet again been shown to have no clothes.

So, my suggestion to the US government and the military would be to actually clean up their act and perform the due diligence that they need to carry out to protect their “secrets” from being stolen so easily, and forget about trying to “get” Mr. Assange for this. The damage has been done, and unless you do a better job at protecting the assets you hold, then sure as shit, it’s going to happen again, and the next time it may be even worse.

3) The Wikileaks Zeitgeist and The Hacker Manifesto

Meanwhile, an interesting factional fracture has taken shape within the internet and specifically the information security community. This has been something to watch on Twitter specifically, as people on my #flist have been polarizing between saying much the same as me and others who are diametrically opposed to the government, secrecy, and the call for free access to information. Why this is so interesting to me is that many of these people who are on the feed are in fact workers within the information security industry. In short, those who are tasked with securing people’s information on a corporate and sometimes government scale.

“This is our world now. The world of the electron and the switch; the beauty of the baud. We exist without nationality, skin color, or religious bias. You wage wars, murder, cheat, lie to us and try to make us believe it’s for our own good, yet we’re the criminals. Yes, I am a criminal. My crime is that of curiosity. I am a hacker, and this is my manifesto.” Huh? Right? Manifesto? “You may stop me, but you can’t stop us all.”

The Hacker Manifesto, by The Mentor

The above quote seems to be the zeitgeist for many of the Wikileaks proponents. The information must be free and flowing. I am afraid that the reality is much different from this credo. Even more astonishing is that anyone who does actually work in the security industry would not have some pause about what Wikileaks is doing and perhaps take time to ensure that it is indeed being taken to task for its aegis. It seems to me at this time, post the machinations on the part of the US to deny Wikileaks access to DNS and site hosting, that the screeds are somewhat warranted, but still, they seem naive to me.

Then there is the thought that anyone who is working to secure people’s data (which are secrets or confidential) might be more scrutinized by anyone employing them “if” they are overly vocal in support of Wikileaks; a smart person might take the middle road on these things. Instead I see more wailing and moaning out there than I do calls for re-organization and rigor in what Wikileaks is doing. After all, it is pretty much singularly run by Mr. Assange, and you know my POV on his psyche.

I think that the security community needs to take up this issue and really hash it out. There are some big issues that need working out.

4) Staying Frosty? Really? Doesn’t seem so…

Lastly, let’s take a look at the events surrounding Jester. You all know that I had my run-in with him back last January. He DoS’d me a few times (not hard to do on a single IP running a low-rent file server, really) and made calls out to everyone that I was a terrorist sympathizer. It became clear to him that he had screwed up on that account because he did not do his homework and find out who I was and what I do.

We had words.

In the end, I am still here and still doing what I do. I have my reasons for my posts and for the work I do here, as does Jester for what he does. However, I still feel that his methods are trivial in the fight against terror, and his psyche is more that of a person with poor impulse control than any ex-special forces operator that he would like you to believe he is. I think his motivation is more driven by a need for attention than it is for actual disruption and dismantling of terrorist networks online. You see, were he a real operator, then I think it would be much easier to make your hits even more ominous (were they not only for 30 minutes at a time) by saying nothing. This would leave it open for much speculation that the governments of the world are indeed carrying out the cyberwar. Instead, we have the legend of a lone patriot hacker saving us all from internet terror... But his services are not that unlike Domino’s Pizza: you can get it in 30 minutes or less and only with a couple of toppings.

Now though, the stakes are higher, as he has decided to up the ante and attack Wikileaks, which, I think he has begun to understand now, may have been a tactical error in a number of ways. You see, at first he was just hitting undesirables, jihadist sites outside the country. Sure, he was pissing off some in the intelligence community, but for the most part people ignored him because he was not performing any kind of substantive attacks that effected change. The jihadis kept on talking on the same sites that they mirrored. In fact, they moved on to other areas like YouTube and Facebook unabated and often completely in the open. The jihadists didn’t care, and thus his fame died down... Until he targeted Wikileaks.

Since his claimed attacks on WL, he has been in the news more and more. Of course the big question became: was he the sole source of the attacks that ended up with a 10 gig a second hose being aimed at the WL Cablegate site? Was there government involvement there? Was he actually capable, without help, of doing this kind of attack with his Xerxes product? Those were all the questions that were going through my mind, and I am sure others’ within the security community. Well, here is one answer that I have dug up.

Jester and others had recently been talking about “server time” in the #jester IRC; it is possible that the server time could be a source of the 10 gig per second data flow. I can foresee the installation of Xerxes on more than one box and using the big pipe to do the hit. This is supposition on my part, but he did indeed talk to Mach and rjacksix about a request in a chat transcript.

As stated by the media and certain security analysts when asked about the Jester attacks, the consensus was that Jester had not done a stellar job at bringing down Wikileaks and in fact, as I said before here, that the attack was “weak.” So, was the 10 gig a combined effort on the part of the likes of “anonymous” or 4chan? We may never know.

Since the initial DD0S and claim by Jester there have been some interesting, if not really odd, events in the last week. The biggest of these being the tweet ostensibly by Jester that his house had been raided by the local PD and his equipment confiscated. Yet, he was still able to re-access the internet and create a brand new domain name “th3j35t3r.net” and Twitter account @th3j3st3r from whatever resources he could get to get online. The new site at the new domain was a clone of his WordPress site, and both it and the new Twitter account began to post data BAU. Shortly thereafter though, the site and the Twitter account began to speak of a “legal fund” that Jester had begun, and in fact, that if he reached 10K of funds, he would port and release Xerxes to the public.

After two donations though (see picture at the top of page), one of them being from Tom Brennan ($100.00) from OWASP? and another for $50.00, the site was pulled down. The donations site was run through PayPal and gofundme.com. Shortly after the takedown, the domain began to forward to Jester’s original WordPress site. As this was happening, the original Jester Twitter account made a statement that in fact the new site and Twitter feed were an “imposter” and that he now had control of the situation. This begs some questions though, as the domain suddenly and swiftly began to forward its DNS to Jester’s site. Just how did he gain control so quickly?

Or, was it under his control the whole time?

It’s my belief that Jester was in control the whole time, but as to his motivations in doing this? I have no real clue, other than perhaps this was a false flag to get people off of the trail. I think that perhaps at this time, he began to realize that when Wikileaks moved their domain to Amazon, he was crossing a line he hadn’t before and committing a potential crime that the US law enforcement community would follow up on. Maybe he just lost his nerve a bit...

Perhaps, as I said before, his habits were actually starting to become his undoing… You see, his acolytes now might be his Achilles heel.

Jester has for some time now hosted IRC channels in various places, but he had been frequenting #2600 #jester. In this channel he had conversations with people who drifted in and out. However, often he had a few key people he talked with.

One of them is @rjacksix

http://twitter.com/rjacksix

http://www.internetevolution.com/profile.asp?piddl_userid=10389

http://wolfcreekbaptist.com/

http://www.dc406.com/

http://dc406.org

Robin Jackson  (406) 422-4685 or 406-465-0354 Helena Montana

blackcat[@]dc406[.]org

I know Robin from a rather bilious response on my blog, as Jester was attacking me, that said that I was a traitor, blah blah blah. Rjacksix has been a chatty fellow and, from his own accounts on the IRC and in other places, has claimed to know Jester well, has worked with him, and defends him when people dis his pal. The question I have is this... Robin, are you in fact Jester? If not, then I am sure some people will be calling on you, if they haven’t already, asking just who he is. Several reporters and los federales have this data now too... Perhaps you have gotten some calls recently? Like, say, Monday or Tuesday? Yeah...

Coincidentally, rjacksix and Jester have been missing from the IRC chat since Monday/Tuesday...

Why?

The attacks on Wikileaks were a critical mistake; the attention is going to be trouble for you both, and now doubly so that one thing has happened. Someone made the claim that they would port Xerxes and release it to the kiddies. You see guys, that right there is of MAJOR interest to the feds. They do not want this tool out in the open for anyone to use if they can avoid it... That is, until they can come up with a means to combat the attack, which is already being worked on in certain quarters I am sure (pcaps in hand). So, the jig may be up, by your own hands Jester/Robin, through this little stunt with the donation scheme. Even more so now that actual money was “donated” to the cause.

Oh well, Jester, you have the attention you have been seeking in spades. Your goal has been achieved for that. However, your techniques and your tool seem to have fizzled in really having great effect against either of your targets.

TANGOS NOT DOWN #FAIL

CoB

Written by Krypt3ia

2010/12/04 at 15:33

Yippee Ki Yay Mutha *%$#%^#


Casper: That was creepy.
Trey: I tried to find more Nixon

Quote from Die Hard 4

A friend of mine, a more-or-less retired CIA paramilitary operative, sees the solution in characteristically simple terms. “We should go get him,” he said, speaking of Assange.

When my friend says “get him,” he isn’t thinking of lawsuits, but of suppressed pistols, car bombs and such. But as heart-warming as it is to envision Assange surveying his breakfast cereal with a Geiger counter, we shouldn’t deal with him and WikiLeaks that way.

At the risk of abusing the Bard, let’s “Cry havoc, and let slip the geeks of cyberwar.” We need to have a WikiLeaks fire sale.

A “fire sale” (as those who saw Die Hard 4 will remember) is a cyber attack aimed at disabling — even destroying — an adversary’s ability to function. Russia did this to Estonia in 2007 and Israel apparently did this to Syrian radar systems when it attacked the Syrian nuclear site later that year. The elegance of this is that if we can pull off a decisive cyber operation against WikiLeaks, it can and should be done entirely in secret.

Plausible deniability, anyone?

Full article HERE

So, with the revelations over the weekend of rape charges that mysteriously just vanished, one has to wonder if indeed there are forces at work trying to discredit Assange as step one in a much more ornate plan. After all, if one were to discredit him, then he could more easily be shipped out of his hidey-hole to a more US-friendly place with regard to legal standing, right? Though, one wonders at the rape charge... I mean, we couldn’t get Polanski back here for child molestation, so what do you think is gonna happen with a regular rape charge?

Also this last week there was an article claiming to have a story being told by Lamo that there is a “velvet spy ring.” Umm, yeah, those days are not so over, as this was the big deal with the Cambridge Five, no? I haven’t yet chased that story down due to laziness as well as... Well, I can see that as just a poorly constructed propaganda attempt by someone.

Adrian, care to comment?

Anyway, this whole Fire Sale thing... Uhh guys... It ain’t gonna work. Sorry, but as the article alludes to, the Wikileaks pages are all over the place. They have some online ready to go and others are in their silos waiting to be prepped for launch. So, there is no real way to stop the data coming out if they want it out. I mean, I didn’t even mention the torrents... But this is who we are dealing with... A mindset that cannot grasp the intricacies of the intertubes sometimes. The damage has been done, and short of taking down the whole of the Internet, the data will be set free by Wikileaks.

So what now?

Well, how about we make sure that the data does not get out of the compartmented systems in the first place, huh? Manning evidently showed signs to others that he was a security risk and nothing was done. He had access to systems that, if they were paying attention to infiltration and exfiltration methods, would have prevented the data from being burned to disc and taken out. It really reminds me of “The Falcon and the Snowman”: they were not paying attention to many of the rules in the secret areas and at the guard stations, thus the data was just taken out in quantity. I am sure that if the precautions were in place effectively and watched, Manning would have been caught sooner and perhaps this would not be as much of a debacle.

Now, on the other side of the coin here... I am not against Wikileaks altogether. I agree with what Daniel Ellsberg did with the Pentagon Papers. The government was clearly lying about the war. In this case today, I am also sure that there were lies being told and likely still are... But the data I have seen thus far is no smoking gun and in no way shows any real malfeasance by the government. In fact, all the data thus far is about Afghanistan. Where I feel the big lies... well, lie... is in Iraq. Of course Assange is saying that data is coming soon.

We shall see.

So, to sum up...

1) You military and gov types… Get over it and tighten up your security!

2) Anything done to Assange will only make him a martyr.

3) There is no stopping this data because it is already out of your control (Pentagon, White House). So just buckle up, ’cuz it’s likely to be a bumpy ride.

CoB

Taliban Webmaster: We’ve Been Hacked!


From Wired.com

Online fans of the Taliban, beware: a website of the Islamic Emirate may have been hacked.

Abu al-Aina’a al-Khorasani, an administrator of an elite jihadi forum endorsed by the Taliban, warns in an online post that “group’s main site and the site of its online journal Al-Sumud, have been the subject of an ‘infiltration operation.’”

Khorasani’s post on Fallujah forum warns online jihadis “to not enter any of the links that concern these websites, and not even to surf [the content] until you receive the confirmed news by your brothers, Allah-willing.”

As browsers of the Taliban’s websites know, outages are fairly regular. But a confirmed infiltration may be something new, says Flashpoint Partners’ Evan Kohlmann, who’s been tracking Internet extremists for years.

“The official Afghan Taliban website has, of course, routinely been knocked offline and disabled by cybervigilantes and other culprits, but this would be the first instance that I’m aware of it being actually ‘infiltrated.’ It’s an unsettling prospect for security-minded online jihadists, because such sites can be manipulated by a variety of hostile parties in order to harvest a breathtaking amount of personal data on regular visitors.”

Indeed, in early April, Danger Room snagged a picture used to vandalize the Taliban’s main website, which featured scenes of some of the more notorious acts of brutality perpetrated by the Afghan militant group (pictured above).

While authorship of the apparent attack is as yet undetermined, it’s worth noting that the Defense Department stated its intention in the Spring of 2009 to begin shutting down extremist media outlets in Afghanistan and Pakistan.

HACKED!?!? OH NO! Heh, yeah, well this should not be any kind of news to anyone there, but I guess these guys aren’t the sharpest marbles in the bag huh? I mean, what have I been up to all this time? Shucks, and I am not the only one ya know…

Of course you have the odd “jokey” attacks, but generally, these guys have been compromised for some time I would expect, and they may just now be catching on to it. Of course if you look at my posts on their “tech” section lately, you might see just how savvy they are on the whole of it. They do have some guys who know what they are doing, but no one is as good as Younis Tsouli was back before he got popped in the UK.

At least not that I have seen…

I am sure nothing will change here. If they do take down the sites themselves or with a little governmental help, the jihadis will just pop another site up elsewhere and begin to propagandize again all over. It will be a never-ending battle really... Unless they get smarter and get some real encryption, VPN tunnels, and a dark-net type of system that is invite-only and rock solid...

I don’t see that happening from their caves…

You never know though… Perhaps they can cobble together something…

Anyway, more developments as I have them from the sites tonight…

CoB

Weapons Of Mass Disruption: Cyberpocalypse-a-palooza


To avoid a digital doomsday, Clarke and co-author Robert Knake argue that America needs to treat cyberattack capabilities as nothing less than weapons of mass destruction that can “skip over the battlefield” to target civilian life. That sort of threat, like nuclear weapons, calls for a multi-tiered response: treaties, transparency, beefed-up defenses and a focused concern on rogue states.

Cyberwar treaties face a problem that traditional ones don’t. An enemy could easily hide the source of attacks by routing them through hijacked computers in another country or attributing them to independent criminals.

But Clarke contends that a government could be held accountable for helping to track down any cyberattack originating within its borders, just as the Taliban was held responsible for harboring Osama bin Laden. Although attribution on the Internet isn’t as simple as in traditional warfare, cyberattacks can be traced. Clarke says forensic hackers can follow the trail of bits when they’re given time and leave to breach enemy computers.

“The NSA can do that. And the NSA tells me that attribution isn’t actually a problem,” he says bluntly.

Full article HERE

Dick, Dick, Dick, I am with you in so many ways.. BUT, when you start talking about DPI of the WHOLE INTERNET, then you lose me pal.

Sorry *shrug*

I personally don’t want the whole of the internet being siphoned even MORE than it already is by DPI at every provider’s NOC with a NARUS STA6400 system installed.

Nope, no thank you.

Now, on the other things like accountability for nations with servers on their soil, I am with you. If a server is public/private and is on your soil, there should be “some” responsibility there. At least there should be enough to enforce that security practices be carried out to prevent it from becoming a botnet slave in the first place, no? Of course Obama wussed out on that one here, didn’t he? No rules will be created to enforce that type of accountability here in the private sector... No sir! It would put an undue strain on the private sector!

*tap tap* Uhh sir, most of the infrastructure is in “private” hands… Umm without making them do some due diligence we are fucked mmmkay?

Yeah…

Meanwhile, let’s talk to the italicized and BOLD text. Back in the days of yore, when pirates roamed the seas, there was a thing called a “Letter of Marque”: basically, the government would give a pirate hunter the letter and say “go git em.” This is what we need today, I think. Of course this is touchy, but this is pretty much what Dick is alluding to. He says that he “knows” that were the NSA given a letter of marque, they could not only penetrate the systems involved, but also run the forensics to attribute where the perp really is.

“Whoa” to quote Neo…

Yes, it’s quite true. Not only the NSA could do this, though. Go to BlackHat or Defcon and you would have a plethora of people to choose from, really. So this is no mysterious mojo here. It’s just that this type of action could cause much more ire than the original attack, maybe, and lead us into that physical war with the nukes. Who knows.

I guess though, that what has been seen as the model for the future “internet” with cyber-geographic demarcations might just be the real future state we need. At least that is what Dick’s advocating here and I can sorta see that as a way to handle certain problems. If we break up cyberspace so to speak, into regions (like the whole .XXX debacle) then we can have set rules of governance. At present the internet is just a giant wild west stage complete with digital tumbleweeds and an old whore house.

*pictures the dual swinging doors and spurs jangling*

The one thing that rings true though, is that there needs to be some accountability... Just what form that will take is anyone’s guess. For now though, we will continue on with the lame government jabbering and frothing, with the lapdog that is the so-called “press” lapping it all up and parroting it back to the masses.

Smoke em if ya got em…

CoB