Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘DERP’ Category

The Great OSINT and Threat Intelligence Debacle



Who hacked Ashley Madison?

Who the fuck should really care other than the police?

The answer is no one really should, but just as with the whole thing there is a salacious fascination over the nature of the site and who’s who in the database. Now though we have cyber sleuths posting “maybe” evidence that a certain account “might” have ties to “maybe those” who hacked the site and dumped its contents online.

Just stop.

Look, the cat is out of the bag and the data is dumped, so move on and learn from what happened, at least if you can get past all the schadenfreude. This whole incident though only highlights something I have been saying for a while now. Primarily that OSINT and Threat Intelligence is only as good as the analyst, and that in the game of Intelligence it is easy to be led astray by the adversary as well as by your own cognitive biases. In this case with Brian Krebs and the Dezu account I can only say as a bystander watching the spectacle: “Enjoy the clicks man… Enjoy those clicks.”

I will say it again as I have said it many times in the past…

“It’s not about the who… It’s about the how. Learn from the how and attempt to prevent it in the future”

I had this discussion on Twitter the other day and yes, there are some reasons to do the attribution for companies that understand the threat space that is their domain. On average though it is pointless because companies do not have that basic comprehension on the part of their execs and their boards. So trying to give them a nuanced analysis of who the adversary is, is just fucking pointless. Learn from how they hacked you and care less about who they are. Perhaps instead: understand who they are, but really grokking what they wanted to steal is more important.

Meanwhile all the companies out there are yelling about attribution and how they can even do it “live” as I recently heard uttered on a sales call.

Fuck you… Fuck. You.

K.


Written by Krypt3ia

2015/08/28 at 10:59

Posted in DERP

Digital Jihad: The Great Irhabi Cyber War That Won’t Be.


The Great Cyber Jihad

Since Junaid Hussain escaped over the border to the new lands of jihad (aka Syria) he has been vocal on Twitter, showing off his great cyber manhood in classic irhabi bloviating online. That Junaid made some inroads by hacking into the prime minister’s email address at Gmail lends only dubious credit to his hacking skills in the eyes of a person involved in the security field. This however is not how the great unwashed within the media and certain quarters of the government and the military seem to perceive the threat posed by Junaid today now that he is an ISIL irhabi.

Islamic State militants are planning the creation of a ‘cyber caliphate’ protected by their own encryption software – from behind which they will launch massive hacking attacks on the U.S. and the West.

Both Islamic State and Al Qaeda claim to be actively recruiting skilled hackers in a bid to create a team of jihadist computer experts capable of causing devastating cyber disruptions to Western institutions.

They are now boasting it is only a matter of time before their plan becomes a reality.

~Daily Mail UK

The above text came from just one of the spate of recent reports on the great “Cyber Jihad” that is being touted to come from the likes of Junaid and ISIS/L as they attempt to expand their reach from the Middle East globally. This particular commentary makes the bile rise within my gut on so many levels. But that kind of pales in comparison to the one right below…

“We’re in a pre-9/11 moment with cyber,” John Carlin, assistant attorney in charge of the Justice Department’s National Security Division, warned at a July conference in Aspen. “It’s clear that the terrorists want to use cyber-enabled means to cause the maximum amount of destruction as they can to our infrastructure.” 

~Fox

PRE-9/11 OMG!!! Look you fuckwit if that were the case then China would have already put us out of our misery really. For that matter some half assed pot sodden kid who happened to hack into our grid would have taken us down years ago. There is just no need for this posturing and certainly above all coming from someone without a clue in their head about how things really work in the world of computer security. This kind of scare tactic aimed at getting people to respond in fear to allow for the government to do anything in the name of protecting us is vile.

Meanwhile you have other players such as the one below making statements of “ALL OUT CYBER WAR” while commenting on Anonymous’ operation against ISIS. I laughed and I laughed and I laughed until I just wanted to cry at the sheer stupidity of it all. Look, Anonymous can’t get their shit together enough to be both leaderless and effective, so really, how much of an “ALL OUT CYBER WAR” can there be there huh? Do you even know what a cyber war really means? Cyber warfare is both digital and kinetic in its purest form, and what kinetics did Anonymous really carry out in this operation to DoS ISIS offline?

Lemme give you a clue… None.

“Anonymous announced late last week a full scale cyber war against the Islamic State (Operation Ice ISIS), intended to attack ISIS supporters using social media for propaganda purposes”

~Fortuna’s Corner

So aside from the bloviating and the scare tactics coming out of ISIS itself we also have our responses from the government and the media with all their so called experts on cyber war and jihad. There is a lot of wankery going on here but finally this guy makes a little sense in the middle of his post on this mess…

ISIS’s main effort to date in cyberspace has focused on psychological warfare by generating fear through flooding the internet with video clips portraying the brutal acts of beheading and mass executions, as well as victory parades, as part of developing deterrence and creating an illusion of force in excess of the organization’s actual strength. The essence of its online activity, however, is broader. It enables its supporters to obtain operational information, including training in preparing explosives and car bombs, and religious rulings legitimizing massacres in regions under ISIS control. In tandem, it distributes indoctrination materials, such as a magazine called Dabiq: The Return of Khilafah, which focuses mainly on topics relating to formation of the new Islamic state headed by ISIS leader Abu Bakr al-Baghdadi. However, ISIS’s technological expertise is not the only factor. Perhaps the public, which is revolted by the organization’s deeds but closely follows these clips and photos as a kind of reality show, is contributing a great deal to the organization’s popularity.

~Fortuna’s Corner

Yes, there it is.. ISIS has been carrying out a PROPAGANDA war primarily, and with that come PSYOPS as well. This is the first true set of statements I have seen to date over this whole debacle. Ok, they are waging a propaganda war and a recruitment drive for sure but really, a cyber caliphate? I mean to date I have not seen this show up verbatim anywhere on the boards or on Twitter, so who’s making the leap in logic here? Seems to me that there’s a sucker born every minute and about 99% of them want to go into journalism nowadays.

A propaganda war using Twitter does not a cyber war make.

Cyber Warfare and Jihad

So let’s chat about the realities here about the capabilities of the Irhabi (ISIS/L or AQ or SEA) in a context of what we have seen so far. What have we seen you ask? Well, DoS, some data thievery, some malware use and phishing, but generally nothing spectacularly scary. Certainly nothing on the level of a nation state actor like China has been seen out of any of the loose groups that claim some jihadi notions online to date. So where do we get all this BOOGA BOOGA over the likes of Junaid Hussain and ISIS taking down our grids and things?

*squint*

Yeah, there’s no there there. I am sorry but even if ISIS/L used the money it has stolen over the last months to set up a “cyber team” they still would be LIGHT YEARS behind the likes of China.. Hell, they would even be way behind Iran for that matter, so really, there is nothing to fear here. Never mind that many of these guys like Junaid are working in countries that are actively being bombed and shooting is happening, so really, how much longer does Juny have anyway before he gets a Hellfire missile up his ass?

Truly the cyber jihad is a non starter for me and it should be for you too. On the other end of that equation though is the fact that they are actively recruiting and getting their message out using social media, and this is a problem. Now don’t get me wrong, it is not a clear and present danger kind of thing because really, 100 Americans, out of how many people seeing their online drivel, have actually left the country to go to jihad, which pretty much gives a sense of the threat. You have to be pretty unbalanced to want to do this shit to start with, so if you get up and leave the country to join up you are a truly unbalanced person to start. One so easily swayed by the propaganda wing of ISIS needs help, and what they will certainly get is a bullet instead while fighting. Even ISIS/L really doesn’t care about the Takfiri, you see kids, they are just bodies to be used… Nothing more. They may call you brother but under their breath they call you fodder.

Much Ado About Nothing

The reality is that ISIS is more a conventional force than anything else. They are not as well planned as AQ and they tend to be one dimensional thinkers. I will admit that their propaganda war has been interesting to watch but I don’t see that it is an existential threat. In fact, I concur with the assessment that AQ is still the real player here who can strike at the US and has the better track record thus far. Surely if ISIS continues to carry out the propaganda war they may garner more recruits, but I just don’t see them being that inspirational to get lone wolves to activate/radicalize. I certainly don’t see them being able to put teams together to hack our infrastructure and take us down either. In fact I am not a proponent of that line of thinking anyway as a great threat. Our systems are too complex and fragmented to allow for such a spectacular attack.

So please news media… STFU.

K.

Written by Krypt3ia

2014/09/12 at 15:31

Vendor Hell



Vendor conferences and webinars:

Yesterday many of you who might read my ravings saw my Twitter feed explode with rage over a vendor sponsored conference I attended on the “Target Hack”. The invitation to this meeting local to me (well, an hour away that is) promised new and interesting information on the Target case, and I decided to attend in hopes that there would be some inside info. What I got instead was a chance to listen to the meanderings on the 2nd amendment by Asa Hutchinson and the community college version of X-Force’s state of the hack.

The finale though was the talk on the Target hack, which was prefaced with “Everything I am going to talk about today is open source and from the news” …really now, this is your inside information that you said would be given? What followed was a description of information you could get by reading the news reports and in particular Brian Krebs’ blog on the subject. This was nothing like that which I had been led to believe was on offer, and it made my bile rise as you may have seen. It was a giant time suck and really should only have been on offer for those who hadn’t a clue about the hack. In fact, this may well have been useful were you an executive without a clue. Which I am not.

A proposal for a ratings system:

I left the conference after IBM had done their dog and pony show on Target with a headache and a real distaste for all things vendor. I know, this is the norm for the bulk of the people in this business but it made me start thinking on the hour drive home. Perhaps in a perfect world we could have a ratings system for these meetings. If we were to be completely efficacious we could craft a way to denote the level of information being given and those best suited to attend. I know this is likely a pipe dream but I just have to toss this out there.

While I was completely bored and enraged by the conference yesterday, it did have its merits for someone who had no clue about the Target hack. Chris Poulin did a fair job at describing the events that were in the news and in the blogs, and I believe a lay person (exec) would have learned at least something from it. So could we perhaps work with vendors to get a ratings system, as well as maybe work with them to inform our managements in an efficacious way? I know, I may be dreaming a bit here and sound like a Cavalry Unicorn, but hey, maybe an aneurysm from yesterday made me more open to the idea.

All I am really saying is that if we want to be better at getting our execs to understand some things perhaps we need to control our vendors a bit more and get them to actually be useful to us instead of just hawking bad data and wares. Perhaps the reality is we as security professionals need to look at all of these vendor offerings and choose which ones can be trusted to be at least somewhat informative and worth going to for our management. A simple rating system would be very helpful, let’s say a 1 for n00bs, 2 for intermediate people and a 3 for technical and competent people?

Please? Pretty please?

The community wants better communication? Start reining these guys in:

I guess what I am saying is that with all of the hubbub over Cavalry and “doing better” I would suggest we first start working with vendors offerings. Let’s cut the bullshit right out and start getting our managements to offerings that will actually help them comprehend the job they are supposed to be doing. Perhaps that only really means not letting them attend anything from a vendor at all huh? Perhaps these are all just in reality boondoggles …which incidentally I feel security conferences are today anyway, that need to be avoided like the plague.

Maybe there is no winning here.. I feel the rage returning which is the prelude to the apathy again, turn, turn, turn. Look, we all complain every day about management’s lack of comprehension, so if we are going to fix that perhaps strictly monitoring their vendor conference attendance is a good start. As for us, well, we need to continue to be jaded about these calls, webinars and meetings accordingly. If yesterday was any indication for X-Force then I need to start pulling away from anything they put out there. I cited it in a tweet but I have no idea how they put a <1% attack traffic on Aerospace and Defense in their slide. Perhaps that datum might speak more to their lack of penetration and usefulness in the space though.. hmmm….

I guess in the end the words to live by are “Caveat Emptor Stupid!”

K.


Written by Krypt3ia

2014/04/25 at 12:36

Posted in DERP, Infosec

DPR: Not so dread inspiring but surely now full of dread….



zwfviyhpjvezupkhcfz?

No one would surrender to the Dread Pirate Ulbricht.

Well the news cycle exploded this week with the arrest of Ross Ulbricht aka DPR or, if you like, The Dread Pirate Roberts of Princess Bride and now Silk Road fame. The schadenfreude here has been epic as the criminal empire that was one of the largest in the darknet was taken down because the “pirate” could not comprehend how to carry out OPSEC properly. What led to this guy’s demise was some good old fashioned internet gumshoe work by an SA who also worked on the Sabu case back last year. Ross it seems decided to use his personal Gmail address for postings pimping Silk Road, as well as other assets that tied it all together digitally back to him. Not the best of OPSEC here Ross.

I challenge you to a battle of wits.

Anyway Ross had an idea, and that idea was pretty interesting in that he wanted to use the darknet to have a Libertarian nirvana of commerce for just about anything. He set up his site, maintained it himself for a time, and then began to realize that he could not do it alone, and this is where things start to go wrong. You see, when you run something yourself you only have yourself to deal with. When you start bringing in people to work for you, they know things about you (and you will always slip up here and give things away unless you are a trained spook), and that makes them a liability to your Operational Security. Ross learned this the hard way I suppose, in that he started to feel that people needed to be whacked because they knew too much.

Meanwhile the OPSEC failures that Ross had made were steadily creeping up on him. So too were the UCs on Silk Road who worked their way into the boards making deals and gaining his trust. In the end Ross decided that one of the UCs was actually a cool Huggy Bear kind of guy and asked him to whack one of his administrators who he felt was a threat… OOOPS! If there’s one thing a Dread Pirate should know, it is to “Trust No One”, but Ross I guess did not read that lesson in his Econ Theory classes. I guess it’s just another pointer I would make to all of you would be Pirates or Ninjas out there … You can’t trust anyone. Oh, and yeah, unless you are trained for this at say Langley or maybe Академия федеральной службы безопасности Российской Федерации you are more than likely to fuck up majorly and end up in the clink with Ross and many others. I have to say though that the idea of using the darknet and all the means that Ross had put together was a pretty good plan. The only real hitch was that he never took into account that he was going to be going up against a nation state(s) and they always win.

Hey, at least he didn’t fall for that land war in Asia thing right? …..

Look, are you just fiddling around with me or what?

So Ross went on to become the ersatz Walter White of the darknet until one day at his apartment in San Fran his doorbell rang. At the door was ICE/DHS and they had an interesting package for him in their hands. The package was full of IDs with his face on them but not his name, and when asked about them, according to the complaint/affidavit, his answer was “Anyone could get documents like these online at places like Silk Road”, which let me tell you Ross, isn’t the thing you want to be saying here. After some questions and answers it seems the ICE/DHS folks went away, which is confusing to me. First off, I surmise that the ICE Q&A was just a front for the FBI’s ongoing investigation into Ross, but really, why tip their hand like that? If I were Ross I would have closed the door, waved at the feds through the window, watched them leave and RUN to my system to have a fire sale at Silk Road. I would have chosen a new DPR and been on my way to a non extradition country, but ol’ Ross?

…..Nope.

Ross instead of cutting and running doubled down! He went on to do an interview with Forbes and continued on his way doing the business of being the “Dread Pirate” which let me tell you son, was one of the most ballsy and stupid things I have seen since Barrett Brown on camera threatened federal officers lives. Ross what were you thinking? I mean damn dude, did you really think you were Walter White? Oh well I guess time will tell as interviews are carried out or data dumps come from the feds as we go along slouching toward a plea bargain. Perhaps though your cognitive dissonance between personae online and offline just sort of short circuited you out and you couldn’t do anything other than carry on thinking you were covered.

Time will tell… But let this be a lesson to all you would be Pirates out there. You may call yourself a pirate or a ninja or even a Ninja Pirate but you really are just some shmuck with a grandiose sense of the self instilled in you by your helicopter parents who always told you just how fucking special and magnificent you were. So as you sit in federal pound you in the ass prison Ross take heart, for I am sure there will be another DPR someday in the darknets ….Sailing the dark digital waters with the shrieking eels that will some day end up in the cell next to yours where you can commiserate.

K.

Written by Krypt3ia

2013/10/06 at 20:25

JIHADI’S HOLD LEGION OF DOOM CON CALL!! WOULD YOU LIKE TO KNOW MORE?



AZIJ XXRZ HMCKIDACVA GZ UZZW!

The Legion of DOOM!

Yesterday the camel’s back finally snapped in my head after reading a post on Harper’s Magazine entitled “Anatomy of an Al Qaeda Conference Call”, in which the author called into question the whole story that was put out by the Washington Times and their “anonymous sources”. The paper claimed that Ayman Zawahiri and all the heads of the various jihadi splinter groups got onto their polycom phones and their SIP connections to have a “concall” as we say in business today.

You all may remember the heady headlines in the last couple weeks where the mass media picked up on this story and began scribbling away on how the so called jihadi “Legion of Doom” dialed in for a sooper sekret meeting to plan the end of our Western Civilization. Now, I am sure some of you out there have seen my screeds (140 chars at a time more so recently) on just how we get played too often by the media and the government on some things but this, this is just epic stupid here. If you or anyone you know believed any of this claptrap coming from the media please seek psychiatric attention post haste.

Let me tell you here and now, and agreeing with the article cited above, that the “LOD” did not have a Skype or Asterisk call to plan our downfall. At the most they likely had a meeting of the minds in a chat room somewhere within the jihadist boards out there, or had a server set up somewhere for them all to log into an encrypted chat. I lean towards the former and not the latter as they usually lack subtlety online. Though, given the revelations from Mssr “Snowman” I can see how the prudent Ayman would want this to be on its own server somewhere, and for people to authenticate locally and encrypted on a system that does not keep logs… But I digress…

Suffice to say that a group of leaders and minions thereof got together for a chat on <REDACTED> and that they talked about plans and ideas (from hereon I am going to coin the term ideating) for the destruction of the West and the raising of a new global caliphate. Does that sound familiar to you all? Gee, I can’t seem to put my finger on where I have heard that one before. … So yeah, there was a meeting, there were minions, and there were plans but here’s the catch; NOTHING WAS SAID THAT ALLUDED TO A REAL PLAN! No, really, there wasn’t any solid evidence that prompted the closing of the embassies all over. It was a smoke and mirrors game and YOU all were the captive audience!

As you can see from the article cited there seems to be a lot amiss with all of this now that some reality has been injected into the media stream of derp. Why was this all brought to you in the way it was put out there by the media? Was it only the demented scribblings of one reporter seeking to make copy for his dying paper? Or was there more to it? Was there a greater plan at play here that would have the media be the shill to the duping of the public in order to make them see say, the NSA in a different light in these times of trouble for them?

Makes you wonder huh?

DISINFORMATION & OPSEC

So yeah, a story comes out and there are “sources” sooper sekret sources that are telling the reporter (exclusively *shudder with excitement*) that the Great Oz of the NSA has intercepted a LIVE call with the LOD and that it had scary scary portents for us all!

WE. ARE. DOOMED!

That the NSA had helped prevent a major catastrophe from happening because they had the technology and the will to listen in on a conversation between some very bad dudes like Ayman and the new AQAP leaders plotting and planning our cumulative demise.

*SHUDDER*

The truth of the matter though is a bit different from the media spin and disinformation passed on by the so called “sources” however. The truth is this;

  • The “con call” never happened. There was no set of polycoms and Ayman is not a CEO of AQ.
  • The fact is that Ayman and many of the other “heads” of the LOD were not actually there typing. It was a series of minions!
  • The contents of the “chat” were not captured live. There was a transcript captured on a courier that the Yemeni got their hands on and passed on to the Western IC. (So I have heard; there may in fact be a chance they captured the stream using this guy’s account, the Yemeni that is, not so sure it was us.)
  • As I understand it, there was nothing direct in this series of conversations that gave any solid INTEL/SIGINT that there was a credible threat to ANY embassies.

There you have it. This has been WHOLLY mis-represented to the Amurican people. The question I have is whether or not there was an agenda here on the part of one of the three parties or more.

  • Right wing nutbag Eli Lake
  • The “anonymous sources of intel”
  • The “anonymous sources handlers”

These are the key players here that I would really like to get into the box and sweat for a while. After the madness was over and sanity let its light creep into the dialog, we began to see that these so called sources were no better than “CURVEBALL” was during the run up to the Iraq war. In fact, I guess you could say they were less effective than old Curveball because we did not actually go into another half baked war on bad intelligence this time, did we?

Another question that should be asked here is why was this information leaked in this way to the press on an ongoing operation that I would say might be pretty sensitive. I mean, you have a channel into a chat room (or *cough* con call as the case may be har har) that you could exploit further and yet you decide to close all the embassies and leak the fact that you have closed said embassies because you intercepted their sooper sekret lines of communication?

*blink blink*

Holy what the Hell? What are you thinking POTUS and IC community? Oh, wait … Let me ideate on this a bit….

  • The intel community is in the dog house right now because of the SNOWMAN FILES yup yup
  • So a WIN would be very very good for PR wouldn’t it? I mean you don’t have to hire a PR firm to figure this one out right?
  • HOLY WIN WIN BATMAN! We tell them we foiled their plans using sooper sekret means that the public hates for infringing on their “so called” rights and we can win hearts and minds!

Could it be that simple?

All joking aside though, think about it. Why blow an operational means of watching how the bad guys are talking UNLESS it was never something you really had access to in the first place right? You could win all around here (though that seems to be backfiring) IF the Yemeni passed this along and it was after the fact then how better to make the AQ set abandon the channel by saying you had access to it?

Right…

How better also to try and get a PR win by alluding (ok lying lying lying with pantalones on fire!) that you had compromised (you being the NSA and IC here) said channel! I guess overall the government thinks that the old axiom of “A sucker born every minute” still applies to wide scale manipulations of stories in the media to sway thought huh? Oh and by the way, if any of you out there think this is just too Machiavellian I point you to all those cables dropped by Wikileaks. Take a look at the duplicity factor going on in international realpolitik ok?

Political Wag The Dog

It seems after all once all the dust has settled that either one of two things happened here;

  1. Eli Lake did this on his own and played the system for hits on his paper’s page
  2. Eli Lake was either a witting or un-witting dupe in this plan to put out some disinformation in a synergistic attempt to make the IC and the government look good on terrorism in a time where their overreach has been exposed.

It’s “Wag The Dog” to me. Well, less the war in Albania right? I suggest you all out there take a more jaundiced eye to the news and certainly question ANYTHING coming from “ANONYMOUS SOURCES” on NATSEC issues. It is likely either they are leakers and about to be prosecuted, or there is a cabal at work and DISINFORMATION is at play using the mass media as the megaphone.

Sorry to sound so Alex Jones here but hell, even a clock is right twice a day.

K.


So APT Is China *snicker* Now What?



zl’s egt amsk sbfmt kze kwcyfocggp ktlhiu!

Advanced? Persistent? Threat?

As RSA comes to a close and the corridors of the hall stop ringing with the acronym APT bleated out by a megaphone from the Mandiant booth, I find myself once again looking at the problem as opposed to the hype. Let me simplify this for you all a little bit here to start though. APT is not necessarily “advanced”, as Mandiant finally lets those of you not in the secret squirrel club know. In fact the APTs are often just outsmarting the average end user on a daily basis, and you and I both know it does not take a mental genius to do that, right? Seriously, there is nothing overly advanced nowadays in sending phishing emails and doing recon to assess your targets. Sure, there is some coding going on once inside that is novel, but really, any good hacker will tell you that they can code some shit up to keep persistence or maybe just buy it on the black market if needed. This is not rocket science here.

On the persistence thing yes, yes they are. They are persistent not only in trying to keep their toehold but also in that they bombard companies with emails in order to have a signal to noise attack. This is nifty but really it’s not a new technique. So ok, persistence means they keep trying, but it is often our own failings that ALLOW their persistence. Everything from the #click_sheep who keep clicking on every god damned email they get asking if they want a bigger penis, to companies’ lack of controls over patching and other standard procedures that they should be carrying out on their infrastructure. So when really looking for someone to blame, look in the mirror folks. Hey, maybe you will look in the mirror and see that you are Chinese huh?

Finally the “threat” part well I think I just covered that huh? YOU are the real threat in this vector. The adversary is just leveraging that fact to obtain their goals. The threat is not Chinese, Russian, Israeli, or French. It’s us. We are the threat and this was the case even before computers and espionage came together. How do you think a lot of the information was stolen back in the day from governments and companies? That’s right kids! It was by people being paid off or being leveraged in some way by spies and spy agencies. Now though, we really don’t have to leverage people as much with compensation or threats. Instead we just leverage their human natures and boy oh boy does it work ever so well!

Our sloth, greed, and general cluelessness are our own undoing.

Is WHO Hacked You That Important?

So Mandiant puts out a report on our Chinese hackers and everyone is all atwitter over the “revelations”. As someone who has personally dealt with this type of activity in my work life I was pretty apathetic about the report and its being published outside of the “sekret squirrel” world. Sure, they probably set us all back some and certainly have set the stage for a great amount of douchery to come, but really, what good comes from this report and the data it dropped? Hurriedly I have seen many glom onto the hashes and the techniques that the Comment Crew was using in order to fortify their environments since the drop. Of course this may be to no avail as soon, I am sure, the CC will be changing their ways, but hey, it gives us all something to do huh?

Meanwhile people are nodding their heads and saying "BAD CHINA" while the government pops out 140 page draft resolutions on how to deal with China and their hacking of our IP. I for one see this as just a lot of smoke and mirrors that may in the end have no greater effect than political gain, but hey, who am I right? Let's let it roll as everyone gets their panties in a bind over China. Others though have piped in and said that maybe it's not only China, but all too often these voices are not enough to cut through the cacophony of stupid to make it to the reasoned ear. Guess what kids, it's not just China and it never has been, and this is the problem with fixating on one target. You tend to lose the other and then they come up behind you and shoot you in the back of the head.

The upshot here? Who hacked you is NOT as important as WHY you got hacked and HOW you got hacked. The old WHO, WHAT, WHY, WHEN & HOW are equally important and we unfortunately have collectively latched onto the WHO, and this will be our downfall. At least Mandiant is looking at the how, but I am not hearing much about how to remediate the weaknesses that allowed the compromise to start with. Instead, as we see with the government response, they are going to the WHO and saying "cut it out", and anyone who thinks that that is going to make them stop is really biting too tightly on the crack pipe. So back to the point, which should be plainly clear. We are the target and we are the problem. It is important to understand the who but you cannot leave out the WHAT, WHERE, WHEN, WHY, and HOW. If you do then you will never win the battle.

Know Thy Enemy.. Know Thyself…

It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.

Sun Tzu: Art of War

It's a trite thing to some out there *looking at you Jericho* to quote Sun Tzu in any cyber context, but in my case here it is absolutely correct to quote. The problem I am finding in much of the approaches to trying to defeat or lessen the APT problem is that they focus less on knowing the self (aka your network and your people) and more on blinky light solutions that will stop them dead in their tracks, as the vendor propaganda states. Some even go as far as to proclaim that security awareness is pointless, which I have called bullshit on before rather vociferously. I found that to be one of the more reprehensible statements made until yesterday's revelation that a panel at RSA said "We are soon going to live in a post crypto world" and that crypto is pointless because the APT keeps avoiding it. This is one of the most idiotic statements I have heard in a while and it just makes me think people misunderstand APT even more than before. Everyone thinks they are unstoppable and that is not right. These attacks can be mitigated, but it will take real work to do, not some blinky vendor solutions.

The point here is this: We need to carry out due diligence and we need to be vigilant in our security apparatus. We need to engage the end users and teach them about malware and phishing and keep teaching them over and over and over again. Rote learning is the ONLY way that this will get into their collective heads. Sure, we can also use technologies to attempt to arrest the spear phishing attacks, but if you have a 3 star general who is a #click_sheep, well, you are pretty much fucked if you are not really paying attention to the network SIEM and the other mitigations in place, and even then, with creativity those too can be outwitted. These APT types use common traffic to hide within and that is the problem. The pivot is the key here; they are using your network to their advantage just like a Judo expert uses your own momentum. Will you be able to stop them all? No. Will you be able to considerably cut the attack success down with holistic methods? I believe you can and I have seen it in action. Others have said much the same thing and I hope more people start paying attention.

I agree that knowing who is attacking is important, but it is only important so long as you take the time to be introspective about what they are seeking from you and how they are getting it out of you. What flaws in your infrastructure and culture are they exploiting that allow them to rob you blind, and how can you remedy them to stop them? These are the key questions that seem to be missing from so many vendor offerings like Crowdstrike and others out there today selling offensive defense or active defense. Sure, if your org is working properly and you have security enlightened end users, go for the disinformation honeypot things and other means of defense. However, if your people are a bunch of #click_sheeple then what is the point? You will be PWND and it will all be moaning and wailing "woe is me" in the end ...Trust me.

Oh, and a last word here on the #click_sheep thing. Why am I harping on it? Look at the reports again. The overwhelming majority of the intrusions described in them STILL start with phishing and spear phishing! We have known about this type of attack for how long? Come on people! There's a reason it is done this way. It's because people are not being trained properly and their systems are not being patched! I know what you are thinking: "but there's 0day!" Yes, yes there is, but at present that is only a small percentage of how the initial foothold is gained.

CLICK CLICK PWN.

Behavior Modification Is Needed

Now that I have ranted a while let me just re-iterate the facts. We are to blame for the APT successes. The term was coined back in 2006 and though it's been in the secret squirrel world it was a known quantity. In fact I would say that it was not only the APT but crackers in general who were using these techniques for the most part, and the APT just went along with it and refined it. This is not new, and now that it is all out in the open we need to really pay attention here and look at the problem from the macroverse level and not just the myopic microverse that we in the industry tend to have. This isn't just a technical problem, it's a sociological and psychological problem that we have to work on. Many say that there is no defense against a social engineering attack but I do not subscribe to that. With the proper security education and awareness training anyone can defeat SE attacks. It just takes training like that which Dave Aitel thinks is pointless.

9/11 showed the intelligence community that an over-reliance on technology failed to detect and stop the 19 hijackers from AQ. This failure was remedied by adding record numbers of assets post 9/11 to carry out HUMINT (Human Intelligence), and what we learned most of all is that technology in itself is useless against human nature and a healthy dose of avoiding tech. It was tradecraft that allowed the plot to succeed even when their phone conversations were being tapped. I make this analogy because once again we are facing the same problem within the INFOSEC community as well as the government and military. The adversary is relying on human nature and we are relying on technologies created by humans. It's a bad mix really and it needs to be re-evaluated to include more introspection on the people creating, maintaining, and using the technologies today. So far I am not seeing too much of this ethos being bandied about in the community and I think it is at our own peril.

I feel like it should be a catch phrase akin to the 1992 campaign's "It's the economy, stupid". In my case though it's more along the lines of "It's not just the technology, stupid". We have been myopic and we need to cut that out. The next shiny whizbang appliance is not going to stop that 3 star #click_sheep from opening the email addressed to him, misspellings and all, about how he has a package from UPS and needs to install this .EXE file to get it.
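That UPS lure is mundane enough that a mail gateway should catch the obvious tells before the general ever sees it, which is the "technology" half of the holistic approach above. The script below is an added example written for this post, not code from the original, and the sample messages, brand-to-domain mapping and extension list are constructed for illustration (your own mail logs will give you better ones). It flags three things the lure depends on: an attachment Windows will execute, a double extension or right-to-left override meant to fool the eye, and a display name that claims a brand from a domain that brand does not send from.

```python
"""Triage inbound mail for the spear-phishing pattern discussed in the post:
a lookalike "UPS" sender asking the recipient to run an attached executable.
Added example; sample messages and lookup tables are constructed, not real."""
import re
from email.utils import parseaddr

# Extensions Windows will run directly. Constructed, non-exhaustive list.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk", "cpl"}

# Document-looking extensions that get stacked in front of an executable one.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

# Brands commonly impersonated, mapped to domains that legitimately send for
# them. Constructed mapping for the example; build yours from observed mail.
BRAND_DOMAINS = {"ups": {"ups.com"}, "fedex": {"fedex.com"}, "dhl": {"dhl.com"}}

RTLO = "\u202e"  # Unicode right-to-left override, used to disguise extensions


def attachment_findings(name):
    """Return the reasons an attachment filename looks like a lure."""
    findings = []
    if RTLO in name:
        findings.append(f"right-to-left override in filename: {name!r}")
    parts = name.lower().split(".")
    if len(parts) < 2:
        return findings
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable attachment: {name}")
        # invoice.pdf.exe: the mail client or Explorer hides the last part.
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            findings.append(f"double extension: {name}")
    return findings


def sender_findings(from_header):
    """Flag a display name or domain that claims a brand it cannot send for."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, good_domains in BRAND_DOMAINS.items():
        in_display = re.search(rf"\b{brand}\b", display.lower()) is not None
        # Match the brand as a whole label or hyphenated piece of the domain,
        # so "ups-parcel-track.com" counts but "upstate.com" does not.
        in_domain = re.search(rf"(^|[.-]){brand}([.-]|$)", domain) is not None
        if (in_display or in_domain) and not any(
                domain == d or domain.endswith("." + d) for d in good_domains):
            findings.append(f"sender claims {brand} but domain is {domain}")
    return findings


def body_findings(body):
    """Flag lure language asking the reader to run what is attached."""
    text = body.lower()
    if re.search(r"\b(install|run|open|execute)\b", text) and \
            re.search(r"\battach(ed|ment)?\b", text):
        return ["body asks recipient to run the attachment"]
    return []


def triage_message(msg):
    """Collect all findings for one parsed message (dict, see SAMPLES)."""
    findings = sender_findings(msg["from"]) + body_findings(msg["body"])
    for name in msg.get("attachments", []):
        findings += attachment_findings(name)
    return findings


def verdict(msg):
    findings = triage_message(msg)
    return ("quarantine" if findings else "deliver", findings)


# Constructed sample messages (not real captures).
SAMPLES = [
    {"from": "UPS Delivery <notice@ups-parcel-track.com>",
     "subject": "Your pakage could not be delivered",
     "body": "Dear customer, please open the attached label to recieve your pakage.",
     "attachments": ["UPS_Label_49271.pdf.exe"]},
    {"from": "UPS My Choice <mcinfo@ups.com>",
     "subject": "Your package has shipped",
     "body": "Track your package at our site.",
     "attachments": []},
    {"from": "Jane Doe <jane@example.org>",
     "subject": "Q3 numbers",
     "body": "Attached is the spreadsheet.",
     "attachments": ["q3.xlsx"]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["subject"], "->", verdict(m))
```

Running it quarantines only the first sample (four findings: lookalike domain, lure wording, executable attachment, double extension) and delivers the genuine UPS notice and the spreadsheet untouched. None of this is clever, which is the point: the lure in the post survives because the gateway, the patch level and the reader all fail together, and each of the three is cheap to fix on its own.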

Derp.

K.

Written by Krypt3ia

2013/02/28 at 15:31

I AM A NUCLEAR WEAPON MAN….



I AM A NUCLEAR WEAPON… A WEAPON OF AWESOME DERP

Welp, here I am again about to write about yet another moron in the gubmnet speaking about computers and national security when they should just shut the fuck up. This time around it's John Kerry, the incoming SECSTATE, who opened his big stupid mouth in his confirmation hearing and uttered the following allusion to hackers today;

‘Foreign Hackers Are ’21st Century Nuclear Weapons’

*blink… twitch…rage*

John, buddy, I thought you were a bit of a bint when I knew you back in the Beacon Hill days, but now you have really gone and done it. What the FUCK were you thinking? Were you thinking? Sometimes I just wish you people would take a step back and think about shit before you say it. You are wholly unqualified to make such a statement in the first place, and here you are feeding that line of bullshit to the Senate committee that is confirming you? Tell me, did you also manage to completely control your gag reflex later on for the glory hole after the proceedings?

I heard this little bit of news on Twitter and thought; "Nah, they got that wrong.. No one would be THAT stupid as to say something like this". Sure enough I was wrong in thinking that. My bad I guess. You sir have taken the DERP award for the new year! It's a nice award too, because we have combined it with the "Jumping the Shark" award! It's got this nice figure of Ira Winkler jumping a shark in a Fonzie pompadour while masturbating on the onlooking audience. I am sure it will go nicely in your new digs at State.

QUICK! CALL N.E.S.T.

So, now it's out there, this phrase likening all "hacking and hackers" to an arsenal of weapons of mass destruction, and all we can do is look on in abject horror as these morons believe this shit. Really, you are going to compare someone DDoS'ing a site, stealing corporate data, or defacing a page to an all out fucking nuclear bomb? WHAT THE FUCK ARE YOU SMOKING? ....And can I have some? It's gotta be some damn strong shit for you to be believing the words coming out of your mouth.

Seriously though, this is just par for the course given the "Cyber 9/11" talk going around the government today I guess. The problem is that the body politic has completely abandoned any real grasp of the realities here and instead has decided to just run with the scary words and ideas in an attempt to scare the masses into submission. This is a shameful state of being and it bodes ill for us all more and more every day. Grandpa, it seems, has gotten his first computer and is afraid to click delete because the world might fucking end, and it's time to take away grandpa's license to "internet" I think.

Look, hacking and hackers, even if they hack into the power grid, are nothing in comparison to an ICBM aimed at a nation state where MILLIONS can die in the blink of an eye, John, and somewhere in that thick Heinz riddled skull you know this, so cut it the fuck out. I know you won't, but I just had to say it before my head exploded from your stupidity. You have committed one of the larger deliberate misapprehensions about technology and hacking, not to mention espionage, that there ever has been.

.. And this derp’s for you.

DERPCON 1

So we have officially gone to DERPCON 1 now.. Nice... I give up. However, at the very least you have given me an idea for a T-shirt design. You will see me wearing the T-shirt above (sans pecs) at Shmoocon this year. So thanks John, at least I got this crappy T-shirt out of the deal I guess. Others seem to have latched on as well, so maybe more will be seen around.

*hangs head… sigh*

I need a drink… MEDIC! BOURBON STAT!

K.

Written by Krypt3ia

2013/01/28 at 21:27

Posted in .gov, CyberDouchery, DERP