Digital Insurgency

Archive for the ‘Digital Insurgency’ Category

Operation: ROLLING THUNDER:

It has come to light that the GCHQ (The UK’s NSA) took action against Anonymous by DDoS as well as the use of HUMINT and malware attacks to attempt to dissuade them from further actions. While this may be a surprise to some it is just a matter of action and reaction in the hive mind of the IC. Of course at one time there may have been more trepidation about carrying out direct action against quote unquote “dissidents” as some may call Anonymous but those days are long gone and one of the primary reasons such actions are easily rationalized now is because of terrorism. Terrorism used to mean blowing things up or taking hostages but now, with the 5th domain of cyber, that equation has changed greatly in the eyes of the worlds governments. Of course in this case it was the British carrying out the covert actions against the anonymous servers and users and as many know the Brits don’t have the most stellar first amendment record (D orders) and have a different perspective on what people have the right to do or say that may be considered civil disobedience. However, I should like to point out that it is highly likely that the UK did not act alone here and that it is probable that the NSA and the UKUSA agreements were in play here as well. I once sat on a panel at Defcon where I warned that these types of tactics as well as others would be used by the governments of the world against the Anon’s if push came to shove and it seems that I was not far off the mark. We have crossed the Rubicon and we are all in a new domain where the rules are fluid.

Civil Disobedience vs. Criminality In Anon Actions:

Some have written that these actions now revealed by Snowden show that we are all in danger of censorship and of direct action if we say or do things online that a government or agency doesn’t like and they are correct. It really is a matter of dystopian nightmare import when one stops to think that these were not state actors nor really terrorists by definition (yet) that GCHQ and the JTRIG were carrying out netwar on. The rationale I am sure is that the C&C of Anon needed to be taken out because they were “attacking” sites with DDoS or other actions (hacking in the case of LulzSec) and thus were a clear and present danger to… Well… Money really. While some consider DDoS a form of civil disobedience others see it as a threat to the lifeblood of commerce as well as portents of larger attacks against the infrastructure of the internet itself or perhaps the power grid as we keep hearing about from sources who really haven’t a clue on how these things work. Sure, there were criminal actions taken by Sabu and others within the collective as well as the splinter cell that was LulzSec/Antisec but most of the activity was not anything that I would consider grounds for covert action. That the JTRIG not only used malware but also HUMINT and SIGINT (all things used in nation state covert collections and actions) shows that they were genuinely afraid of the Anon’s and Lulzers and that their only solution was to reciprocate with nation state tools to deny and disrupt their cabal. I think though that most of the aegis that the IC had though was the fact that they “could” do it all without any sanction against them because it was all secret and they hold the keys to all of the data. Of course now that is not the case and they should be held accountable for the actions they took just as the CIA has been or should have been in the past over say the covert action in Nicaragua. I don’t think this will happen though so what will really only come out of this revelation is more distrust of governments and a warning to Anonymous and others about their operational security.

Cyber Warfare and Law:

What this release shows though most of all is that the government is above the law because in reality there is very little real law on the books covering the 5th domain of cyberspace. As we have seen in the last few years there has been a rapid outpace of any kind of lawfare over actions taken in cyberspace either on the nation state level (think APT tit for tat) and criminal actions such as the target hack and all the carding going on. In the case of the US government the military has far outstripped the government where this is concerned with warfare units actively being formed and skills honed. All the while the government(s) has/have failed to create or edit any of the current law out there concerning cyber warfare in any consistent manner. So this leaves us with warfare capabilities and actions being carried out on a global medium that is not nation state owned but globally owned by the people. Of course this is one of the core arguments over the internet, it’s being free and a place of expression whereas corporations want to commoditize it and governments want to control it and make war with it. This all is muddled as the people really do not truly own the infrastructure corporations do and well, who controls what then without solid laws? Increasingly this is all looking more and more like a plot from Ghost in the Shell SAC with government teams carrying out covert actions against alleged terrorists and plots behind every bit passing over the fiber. The upshot though is that as yet the capacity to carry out actions against anyone the government see’s as a threat far outstrips the laws concerning those actions as being illegal just as much as the illegalities of actors like Anonymous. The current law is weak or damaged and no one has really stepped up in the US yet to fix even the CFAA in a serious way as yet.

Covert Actions, HUMINT, and SIGINT:

When I was on the panel at DEFCON I spoke of the governments and agencies likely using disinformation and other covert actions against the digital insurgency that they perceived was being levied against them. Now with the perspective of the Snowden collection it is plain to me that not only will the easily make the call to carry out actions against those they fear but also those actions are myriad. If you are going against the nation state by attacking it’s power elite or its interests expect the actions to be taken against you to be swift and unstoppable. In the case of the DDoS this was just a tit for tat disruptive attack that seemed to have worked on some. The other more subtle attacks of hacking via insertion of malware through phishing and intelligence gathering my using spiked links and leverage against providers shows how willing they were to effect their goals. Now consider all that we have learned from Snowden and conjure up how easy it is today with NSL letters and obfuscated secret court rulings on the collection of data wholesale from the internet and infrastructure.. You should be scared. Add to this the effect of the over-classification of everything and you have a rich environment for abuses against whomever they choose no matter how many in the IC say that they are to be trusted. The base fact is this; The internet is the new battlefield for war as well as espionage not just criminality and law enforcement actions. If you are considered a threat by today’s crazy standards of terrorism is everywhere, then you too can have your data held in Utah where someday someone could make a case against you. Some of that data may in fact come from direct covert actions against you by your government or law enforcement per the rules today as they stand.

ANALYSIS:

The final analysis of this presentation that was leaked and the actions alleged to have been taken against Anonymous is that there is no real accountability and that secrecy is the blanket for covert action against non combatants in any war. We are in a new dystopian nightmare where cyberwar is concerned and there is a lot of fear on the governments part on attacks that could take down grids (misinformed ones really) as well as a ravening by some to be “in” on the ground level for carrying out such warfare. Without proper laws nationally and internationally as well as proper oversight there never will be an equitable solution to actions in cyberspace as either being criminal, grounds for war, or civil disobedience just as there will always be the high chance of reciprocity that far outstrips a common DoS. The crux here is that without the proper laws you as a participant of a DDoS could be sanctioned for attack and then over prosecuted for your actions as we have seen these last few years. Without a solid legal infrastructure and a Geneva Convention of sorts concerning cyber warfare, no one is safe. As an ancillary factor to this I would also say to all those in Anonymous and any other collectives that may rise you should be very careful and step up your OPSEC and technical security measures if you are going to play this game. As we have seen many of those key players in Anonymous and LulzSec were caught up with and are in legal trouble just as much as the guy who just decided to join a DoS for a minute and was fined a huge amount of money for his trouble. Remember, it’s all fun and games until the governments of the world decide that it’s not and want to squash you like a bug.

Written by Krypt3ia

2014/02/06 at 22:21

Posted in .gov, 1984, Cyber, CyberWar, D0S, DD0S, DIGITAL CIVIL UNREST, Digital Ecosystem, Digital Insurgency, Dystopian Nightmares

JIHADI’S HOLD LEGION OF DOOM CON CALL!! WOULD YOU LIKE TO KNOW MORE?

with one comment

AZIJ XXRZ HMCKIDACVA GZ UZZW!

The Legion of DOOM!

Yesterday the camel’s back finally snapped in my head after reading a post on Harper’s Magazine entitled “Anatomy of an Al Qaeda Conference Call” which the author called into question the whole story that was put out by the Washington Times and their “anonymous sources” The paper claimed that Ayman Zawahiri and all the heads of the various jihadi splinter groups got onto their polycom phones and their SIP connections to have a “concall” as we say in business today.

You all may remember the heady headlines in the last couple weeks where the mass media picked up on this story and began scribbling away on how the so called jihadi “Legion of Doom” dialed in for a sooper sekret meeting to plan the end of our Western Civilization. Now, I am sure some of you out there have seen my screeds (140 chars at a time more so recently) on just how we get played too often by the media and the government on some things but this, this is just epic stupid here. If you or anyone you know believed any of this claptrap coming from the media please seek psychiatric attention post haste.

Let me tell you here and now and agreeing with the article cited above, that the “LOD” did not have a skype or asterisk call to plan our downfall. At the most they likely had a meeting of the minds in a chat room somewhere within the jihadist boards out there or had a server set up somewhere for them all to log into an encrypted chat. I lean towards the former and not the latter as they usually lack subtlety online. Though, given the revelations from Mssr “Snowman” I can see how the prudent Ayman would want this to be on it’s own server somewhere and for people to authenticate locally and encrypted on a system that does not keep logs… But I digress…

Suffice to say that a group of leaders and minions thereof got together for a chat on <REDACTED> and that they talked about plans and ideas (from hereon I am going to coin the term ideating) for the destruction of the West and the raising of a new global caliphate. Does that sound familiar to you all? Gee, I can’t seem to put my finger on where I have heard that one before. … So yeah, there was a meeting, there were minions, and there were plans but here’s the catch; NOTHING WAS SAID THAT ALLUDED TO A REAL PLAN! No, really, there wasn’t any solid evidence that prompted the closing of the embassies all over. It was a smoke and mirrors game and YOU all were the captive audience!

As you can see from the article cited there seems to be a lot amiss with all of this now that some reality has been injected into the media stream of derp. Why was this all brought to you in the way it was put out there by the media? Was it only the demented scribblings of one reporter seeking to make copy for his dying paper? Or was there more to it? Was there a greater plan at play here that would have the media be the shill to the duping of the public in order to make them see say, the NSA in a different light in these times of trouble for them?

Makes you wonder huh?

DISINFORMATON & OPSEC

So yeah, a story comes out and there are “sources” sooper sekret sources that are telling the reporter (exclusively *shudder with excitement*) that the Great Oz of the NSA has intercepted a LIVE call with the LOD and that it had scary scary portents for us all!

WE. ARE. DOOMED!

That the NSA had help prevent a major catastrophe from happening because they had the technology and the will to listen in on a conversation between some very bad dudes like Ayman and the new AQAP leaders plotting and planning our cumulative demise.

*SHUDDER*

The truth of the matter though is a bit different from the media spin and disinformation passed on by the so called “sources” however. The truth is this;

The “con call” never happened. There was no set of polycoms and Ayman is not a CEO of AQ.

The fact is that Ayman and many of the other “heads” of the LOD were not actually there typing. It was a series of minions!

The contents of the “chat” were not captured live. There was a transcript captured on a courier that the Yemeni got their hands on and passed it on to the Western IC. (So I have heard, there may in fact be a chance they captured the stream using this guys acct) the Yemeni that is, not so sure it was us.

As I understand it, there was nothing direct in this series of conversations that gave any solid INTEL/SIGINT that there was a credible threat to ANY embassies.

There you have it. This has been WHOLLY mis-represented to the Amurican people. The question I have is whether not there was an agenda here on the part of one of the three parties or more.

Right wing nutbag Eli Lake
The “anonymous sources of intel”
The “anonymous sources handlers”

These are the key players here that I would really like to get into the box and sweat for a while. After the madness was over and sanity let it’s light creep into the dialog, we began to see that these so called sources were no more or less better than “CURVEBALL” was during the run up to the Iraq war. In fact, I guess you could say they were less effective than old curveball because we did not actually go into another half baked war on bad intelligence this time did we?

Another question that should be asked here is why was this information leaked in this way to the press on an ongoing operation that I would say might be pretty sensitive. I mean, you have a channel into a chat room (or *cough* con call as the case may be har har) that you could exploit further and yet you decide to close all the embassies and leak the fact that you have closed said embassies because you intercepted their sooper sekret lines of communication?

*blink blink*

Holy what the Hell? What are you thinking POTUS and IC community? Oh, wait … Let me ideate on this a bit….

The intel community is in the dog house right now because of the SNOWMAN FILES yup yup
So a WIN would be very very good for PR wouldn’t it? I mean you don’t have to hire a PR firm to figure this one out right?
HOLY WIN WIN BATMAN! We tell them we foiled their plans using sooper sekret means that the public hates for infringing on their “so called” rights and we can win hearts and minds!

Could it be that simple?

All joking aside though, think about it. Why blow an operational means of watching how the bad guys are talking UNLESS it was never something you really had access to in the first place right? You could win all around here (though that seems to be backfiring) IF the Yemeni passed this along and it was after the fact then how better to make the AQ set abandon the channel by saying you had access to it?

Right…

How better also to try and get a PR win by alluding (ok lying lying lying with pantalones on fire!) that you had compromised (you being the NSA and IC here) said channel! I guess overall the government thinks that the old axiom of “A sucker born every minute” still applies to wide scale manipulations of stories in the media to sway thought huh? Oh and by the way, if any of you out there think this is just too Machiavellian I point you to all those cables dropped by Wikileaks. Take a look at the duplicity factor going on in international realpolitik ok?

Political Wag The Dog

It seems after all once all the dust has settled that either one of two things happened here;

Eli Lake did this on his own and played the system for hits on his paper’s page
Eli Lake was either a witting or un-witting dupe in this plan to put out some disinformation in a synergistic attempt to make the IC and the government look good on terrorism in a time where their overreach has been exposed.

It’s “Wag The Dog” to me. Well, less the war in Albania right? I suggest you all out there take a more jaundiced eye to the news and certainly question ANYTHING coming from “ANONYMOUS SOURCES” on NATSEC issues. It is likely either they are leakers and about to be prosecuted, or there is a cabal at work and DISINFORMATION is at play using the mass media as the megaphone.

Sorry to sound so Alex Jones here but hell, even a clock is right twice a day.

Written by Krypt3ia

2013/08/26 at 18:38

Malware Wars!… Cyber-Wars!.. Cyber-Espionage-Wars! OH MY

with 2 comments

Flame, DuQU, STUXNET, and now GAUSS:

Well, it was bound to happen and it finally did, a third variant of malware that is ostensibly connected to the story that Mikko Hypponen posted about after an email he got from a nuclear scientist in Iran has come to pass as true. The email claimed that a new piece of malware was playing AC/DC “Thunderstruck” at late hours on systems it had infected within the labs in Iran. I took this with a grain of salt and had some discussions with Mikko about it offline, he confirmed that the email came ostensibly from a known quantity in the AEOI and we left it at that, its unsubstantiated. Low and behold a week or two later and here we are with Eugene tweeting to the world that “GAUSS” is out there and has been since about 2011.

Gauss it seems had many functions and some of them are still unknown because there is an encryption around the payload that has yet to be cracked by anyone. Eugene has asked for a crowd sourced solution to that and I am sure that eventually someone will come out with the key and we will once again peer into the mind of these coders with a penchant for science and celestial mechanics. It seems from the data provided thus far from the reverse R&D that it is indeed the same folks doing the work with the same framework and foibles, and thus, it is again easily tied back to the US and Israel (allegedly per the mouthiness of Joe F-Bomb Veep) and that it is once again a weapon against the whole of the middle east with a decided targeting of Lebanon this time around. Which is an interesting target all the more since there has been some interesting financial news of late concerning banks and terror funding, but I digress…

I am sure many of you out there are already familiar with the technology of the malware so I am leaving all of that out here for perhaps another day. No, what I want to talk about is the larger paradigm here concerning the sandbox, espionage, warfare, and the infamous if not poorly named “CyberWar” going on as it becomes more and more apparent in scope. All of which seems to be centered on using massive malware schemes to hoover data as well as pull the trigger when necessary on periodic digital attacks on infrastructure. Something that truly has not been seen before Stuxnet and seems to only have geometrically progressed since Langer et al let the cat out of the bag on it.

Malware Wars:

Generally, in the information security sector, when I explain the prevalence of malware today I often go back to the beginning of the Morris worm. I explain the nature of early virus’ and how they were rather playful. I also explain that once the digital crime area became profitable and firewalls became a standard appliance in the network environment, the bad actors had to pivot to generally tunnel their data from the inside out home through such things as a firewall. This always seems to make sense to those I explain it to and today it is the norm. Malware, and the use of zero day as well as SE exploits to get the user to install software is the the way to go. It’s a form of digital judo really, using the opponents strength against them by finding their fulcrum weakness.

And so, it was only natural that the espionage groups of the world would turn to malware as the main means of gaining access to information that usually would take a human asset and a lot of time. By leveraging human nature and software flaws it has been a big win for some time now. I was actually amused that Henry Crumpton in the “Art of Intelligence” talks about how the CIA became a very early adopter of the network centric style of warfare. I imagine that some of the early malware out there used by spooks to steal from unprotected networks was CIA in origin and in fact that today’s Gauss probably has some relatives out there we have yet to see by people who have been doing this for some time now and we, the general public had no idea.

Times change though, and it seems that Eugene’s infrastructure for collecting data is creating a very wide dragnet for his people to find these infections and then reverse them. As we move forward expect to see more of these pop up, and surely soon, these will not just be US/UK/IL based attempts. Soon I think we will see the outsourced and insourced products of the likes of Iran and other nation states.. Perhaps we already have seen them, well, people like Mikko and Eugene may have at least. Who knows, maybe someday I will find something rooting about my network huh? Suffice to say, that this is just the beginning folks so get used to it.. And get used to seeing Eugene’s face and name popping up all over the place as well.. Superior showman that he is.

An Interesting Week of News About Lebanon and Bankers:

Meanwhile, I think it very telling and interesting as we see the scope of these malware attacks opening up, that not only one or two countries were targeted, but pretty much the whole of the Middle East as well. Seems its an equal opportunity thing, of course the malware never can quite be trusted to stay within the network or systems that it was meant for can we? There will always be spillage and potential for leaks that might tip off the opposition that its there. In the case of Gauss, it seems to have been targeted more at Lebanon, but, it may have been just one state out of a few it was really meant for. In the case of Lebanon though, and the fact that this piece of malware was also set to steal banking data from that area, one has to look on in wonder about the recent events surrounding HSBC.

Obviously this module was meant to be used either to just collect intelligence on banking going on as well as possibly a means to leverage those accounts in ways as yet undetermined by the rest of us. Only the makers and operators really know what the intent was there, but, one can extrapolate a bit. As terror finances go, the Middle East is the hotbed, so any intelligence on movement of money could be used in that light just as well as other ways to track the finances of criminal, geopolitical, and economic decisions being made there. Whether it be corporations or governmental bodies, this kind of intelligence would be highly prized and I can see why they would install that feature on Gauss.

All of this though, so close to the revelations of HSBC has me thinking about what else we might see coming down the pike soon on this front as well. Cur off the funding activities, and you make it much harder to conduct terrorism huh? Keep your eyes open.. You may see some interesting things happening soon, especially given that the Gauss is out of the bag now too. Operations will likely have to roll up a bit quicker.

Espionage vs. Sabotage vs. Overt Warfare of Cyber-Warfare:

Recently I have been working on some presentation stuff with someone on the whole cyberwar paradigm and this week just blew the lid off the whole debate again for me. The question as well as the rancor I have over the term “Cyberwar” has been going on some time now and in this instance as well as Stuxnet and Flame and DuQu, can we term it as cyberwar? Is this instead solely espionage? What about the elements of sabotage we saw in Stuxnet that caused actual kinetic reactions? Is that cyberwar? If there is no real war declared what do you term it other than sabotage within the confines of espionage and statecraft?

Then there is the whole issue of the use of “Cold War” to describe the whole effect of these operations. Now we have a possible cold war between those states like Iran who are now coding their own malware to attack our systems and to sabotage things to make our lives harder. Is that a war? A type of war? All of these questions are being bandied about all the while we are obviously prosecuting said war in theater as I write this. I personally am at a loss to say exactly what it is or what to term it really. Neither does the DoD at this point as they are still working on doctrine to put out there for the warriors to follow. Is there a need for prosecuting this war? It would seem that the US and others working with them seem to think so. I for one can understand the desire to and the hubris to actually do it.

Hubris though, has a funny way of coming back on you in spectacular blowback. This is my greatest fear and seemingly others, however, we still have a country and a government that is flailing about *cough the Senate cough* unable to do anything constructive to protect our own infrastructure even at a low level. So, i would think twice about the scenarios of actually leaking statements of “we did it” so quickly even if you perceive that the opposition has no current ability to strike back.. Cuz soon enough they will. It certainly won’t be a grand scale attack on our grid or telco when it does happen, but, we will likely see pockets of trouble and Iran or others will pop up with a smile, waving, and saying “HA HA!” when it does occur.

The Sandbox and The Wars We Are Prosecuting There by Malware Proxy:

Back to the Middle East though… We have been entrenched in there for so so long. Growing up I regularly watched the news reports about Lebanon and Israel, Iran and the hostages, Iraq, Saddam, Russian Proxy wars via terrorism, Ghadaffi and his ambitions as well as terror plots (which also hit close to home with the Lockerbee bombing) You kids today might think this is all new, but let me tell you, this has been going on for a long long time. One might even say thousands of years (Mecca anyone? Crusades?) So, it’s little wonder then that this would all be focused on the Med.

We are conducting proxy wars not only because of 9/11 but also economic and energy reasons as well. You want a good taste of that? Take a look at “Three Days of the Condor” a movie about a fictional “reader” for the CIA who stumbles on to a plan to disrupt governments in the Middle East to affect oil prices and access. For every person that said the Iraq war and Afghanistan wasn’t about oil, I say to them look at the bigger picture. There are echoes there of control and access that you cannot ignore. Frankly, if there wasn’t oil and money in the region, I think we would have quite a different story to look on as regards our implementing our forces there.

So, with that in mind, and with terrorism and nuclear ambitions (Iran) look at the malware targeting going on. Look at all of the nascent “Arab Springs” going on (albeit really, these are not springs, these are uprisings) we have peoples who want not to live under oppressive regimes not just because they aren’t free to buy an iPhone or surf porn, but they are also oppressed tribes or sects that no longer wish to be abused. All of this though, all of the fighting and insurgency upsets the very delicate balance that is the Middle East. Something that we in the US for our part, have been trying to cultivate (stability) even if that stability came from another strongman that we really don’t care for, but, who will work with us in trade and positional relevance to other states.

In goes the malware.. Not only to see what’s going on, but also to stop things from happening. These areas can be notoriously hard to have HUMINT in and its just easier to send in malware and rely on human nature to have a larger boon in intelligence than to try and recruit people to spy. It’s as simple as that. Hear that sucking sound? That’s all their data going to a server in Virginia. In the eyes of the services and the government, this is clearly the rights means to the ends they desire.

We Have Many Tigers by The Tail and I Expect Blowback:

Like I said before though, blowback has a nasty habit of boomeranging and here we have multiple states to deal with. Sure, not all of them has the ability to strike back at us in kind, but, as you have seen in Bulgaria, the Iranians just decided to go with their usual Hezbollah proxy war of terrorism. Others may do the same, or, they may bide their time and start hiring coders on the internet. Maybe they will hire out of Russia, or China perhaps. Hell, it’s all for sale now in the net right? The problem overall is that since we claimed the Iran attack at Natanz, we now are not only the big boy on the block, we are now the go to to be blamed for anything. Even if we say we didn’t do it, who’s gonna really believe us?

The cyber-genie is out of the cyber-bottle.

Then, this week we saw something new occur. A PSYOP, albeit a bad one, was perpetrated by the Assad regime it seems. Reuters was hacked and stories tweeted/placed on the net about how the rebel forces in Aleppo had cut and run. It was an interesting idea, but, it was ineffective for a number of reasons. The crux though is that Reuters saw it and immediately said it was false. So, no one really believed the stories. However, a more subtle approach at PSYOPS or DISINFO campaigns is likely in the offing for the near future I’d think. Surely we have been doing this for a while against them, whether it be in the news cycles or more subtle sock puppets online in social media sites like Twitter or Facebook. The US has been doing this for a long time and is well practiced. Syria though, not so much.

I have mentioned the other events above, but here are some links to stories for you to read up on it…

PSYOPS Operations by the nascent Syrian cyber warfare units on Reuters
Hezbollah’s attack in Bulgaria (bus bombing) in response to STUXNET and other machinations
Ostensible output of INTEL from Gauss that may have gotten HSBC in trouble and others to come (Terrorism funding and money laundering)

All in all though, I’d have to say that once the players become more sophisticated, we may in fact see some attacks against us that might work. Albeit those attacks will not be the “Cyber Pearl Harbor” that Dr. Cyberlove would like you to be afraid of. Politically too, there will be blowback from the Middle East now. I am sure that even after Wikileaks cables dump, the governments of the Med thought at least they could foresee what the US was up to and have a modicum of statecraft occur. Now though, I think we have pissed in the pool a bit too much and only have ourselves to blame with the shit hits the fan and we don’t have that many friends any more to rely on.

It’s a delicate balance.. #shutupeugene

Pandora’s Box Has Been Opened:

In the end, we have opened Pandora’s box and there is no way to get that which has escaped back into it. We have given the weapon framework away due to the nature of the carrier. Even if Gauss is encrypted, it will be broken and then what? Unlike traditional weapons that destroy themselves, the malware we have sent can be easily reverse engineered. It will give ideas to those wishing to create better versions and they will be turned on us in targeted and wide fashions to wreak as much digital havoc as possible. Unfortunately, you and I my friends are the collateral damage here, as we all depend on the systems that these types of malware insert themselves into and manipulate.

It is certainly evident as I stated above, our government here in the US is unable to come up with reasonable means to protect our systems. Systems that they do not own, Hell, the internet itself is not a government run or owned entity either, and yet they want to have an executive ability to shut it down? This alone shows you the problem of their thinking processes. They then decide to open the box and release the malware genie anyway… It’s all kind of scary when you think about it. If this is hard to concieve, lets put it in terms of biological weapons.. Weapons systems that have been banned since Nixon was in office.

The allusion should be quite easy to understand. Especially since malware was originally termed “Virus” There is a direct analogy there. Anyway, here’s the crux of it all. Just like bioweapons, digital “bioware” for lack of a better term, also cannot be controlled once let into the environment. Things mutate, whether at the hand of people or systems, things will not be contained within the intended victims. They will escape (as did all the malware we have seen) and will tend to have unforeseen consequences. God forbid we start really working on polymorphics again huh? If the circumstances are right, then, we could have a problem.

Will we eventually have to have another treaty ban on malware of this kind?

Time will tell.. Until then, we all will just be along for the cyberwar ride I guess. We seem to be steadily marching toward the “cyberwar” everyone is talking about… determined really to prosecute it… But will it get us anywhere?

Written by Krypt3ia

2012/08/10 at 20:03

Hard Power, Soft Power, Economic Power, and The Power of Economic Digital Espionage

with 3 comments

Hard power is a term used in international relations. Hard power is a theory that describes using military and economic means to influence the behavior or interests of other political bodies. It is used in contrast to soft power, which refers to power that comes from diplomacy, culture and history. While the existence of hard power has a long history, the term arose when Joseph Nye coined ‘soft power’ as a new, and different form of power in asovereign state’s foreign policy.^[3] Hard power lies at the command Hegemon end of the spectrum of behaviors and describes a nation’s ability to coerce or induce another nation to perform a course of action. This can be done through military power which consists of coercive diplomacy, war, and alliance using threats and force with the aim of coercion, deterrence, and protection. Alternatively economic power which relies on aid, bribes and economic sanctions can be used in order to induce and coerce.

While the term ‘hard power’ generally refers to diplomacy, it can also be used to describe forms of negotiation which involve pressure or threats as leverage.

A Conversation

Over the weekend I had a twitter conversation (140 char’s at a time, rough) about the meaning of “Soft Power” in the current parlance propounded by Joseph Nye. I have a different opinion of the nomenclature concerning the terms “Soft Power” and “Hard Power” in today’s political and economic environment. While the other party I was speaking to had a more strict version of thinking per Mr. Nye’s (he coined the term soft power) definition. I myself feel that today things are a little more complex for the terms to be so tight given that now economic “hard power” seems to have morphed into a vast array of economic digital espionage that softly, along with other soft power style moves, create a hard power outcome of directing or tricking other countries into actions that the others desire.

The primary mover and shaker of this for me is of course China and one only has to look at the news cycle to see both these types of “power” being wielded by the RPC. I think it is time to take a look at the means and the philosophies that China has been using to effect the changes that they need to become not only the predominant military force in the world, but more so an economic juggernaut that will outweigh and perhaps stealthily creep behind and slit the throats of other countries in subtle and not so subtle ways.

Hard vs. Soft Powers and Nomenclature

As seen above in the quoted text, hard power is seen as economic sanctions as well as military actions. This is all in response to the soft power of politics and the methods of carrot to the hard power stick. All of these allude to direct actions that are perceived as means to manipulate nations states and other actors into actions desired by the power that is employing them. I would put to you all that there is another form of “soft power” that the Chinese have really created over the last decade that employs a more stealthily nimble approach from the espionage arena (hard power by strict definition?) and economic strategies that, with nationalistic goals of grand scale, have wrought a new type of “power”

Perhaps this power should be called “Covert Soft Power” as it is being employed covertly both in the hacking of companies to steal their economic secrets (IP) as well as by the addition of espionage and common business tactics to buy into, and or subvert companies to facilitate access to economic secrets as well as out maneuver companies and close them out on deals etc. All of this seems logical to me (adding this meaning to the term) but perhaps I am outside the norms on this one. The way I see it though, there is a new vector here that the Chinese are leveraging and I think we could use a little thought on the matter and perhaps how to counteract it all.

China, The Hard and Soft Power via Economic Espionage and Investment

China in particular has been working at a multiply pronged and diligent attack on systems and corporations as well as governments to effect the long game strategies that they want. Instead of attacking things head on, the Chinese prefer the methods of “The Thousand Grains of Sand” where many operations and operators work to effect the larger outcomes from small pieces. The Chinese are patient, and because of the Eastern mind, seem to come at things in a more subtle way than most of us in the West tend to think about. In all, the subversion and outright theft of IP has a multipurpose goal of broadening their technical abilities, their economic abilities, and overall, their dominance in the world as a power.

What the Chinese have realized mostly though, is that the subtle knife is the best way to control the enemy, slowly, and subtly slitting the throat of the opponent without a struggle. Frankly, I admire the approach really. In terms of the argument of “soft power” I place these efforts squarely into it because in tandem with certain “political” maneuvers, they can have huge net effects. By combining the military, the economic, and the political aspects of soft and hard power, and the gray’s in between, China has become a force to be reckoned with. So, I put it to you all here, that there is room for a change within the nomenclature of Mr. Nye’s coinage and that I think, in order to better understand the mosaic that is happening, we need to re-tool some of the ideas we have pre-conceived for ourselves.

A New Battlespace, A New Set of Battles

Finally, I would also put it to you all that the battle space is much different today than it has been in the past. Not only do we have the digital landscape, but said same digital landscape, that makes it easier to steal, also makes everything more interconnected. By interconnected, I mean that it is far easier to effect large changes to companies by the automation that we all have in place today to speed up our transactions. Today it is far easier to quickly make instant trades, and effect the bottom line of a company for the better or worse as well as steal data in minutes that in the past, would have taken days, weeks, or months to ex-filtrate from a company via conventional HUMINT means.

In the scenarios run on trades on the markets, you can see how one alleged “fat finger” incident can have a large scale and rippling effect on the whole economies of states, never mind businesses individually. So, once again, the battle space has changed greatly because of the interconnected-ness of things. It seems that the matters of state now more than before, can be changed through the soft power of the digital attack or manipulation. This is what I mean by “soft power” or perhaps the term I mentioned above “Covert Soft Power”, attacks that we are seeing now, and are having trouble truly attributing to nation-state, corporate, or individual actors are having larger and larger effects on our economy, our policies, and our long term viability as nations, companies, or groups.

At the end of the day though, I suggest that we are being manipulated by masters at the game of “Go” and we need to pay attention to every subtlety and not be so rigidly minded. It is the water that flows around and over the rock, eventually wearing it down to nothing.

Written by Krypt3ia

2012/05/21 at 17:40

Posted in .gov, .mil, Chairman Meow!, China, Chinese Overlords, DarkVisitor, Digital Ecosystem, Digital Insurgency

Attribution: Fingerprints vs. Ballistics and Inductive vs. Deductive Reasoning

with 4 comments

The Problem

In the present day where the word “Cyberwar” is all the rage, and governments as well as private sector entities are seeking to cash in on the power grab that is mostly information warfare as the Chinese actually call it (信息战) too many are forgetting a core problem to the picture. This problem, is “attribution” as it has been termed in the community. To attribute an attack to an individual, government body, or group, is something that to date, has not been discussed as much as I would like to see with regards to all of the cyberwarfare talk as well as any other inferences with regard to forensics and geopolitical ascription to acts of “war” as this is has been labeled by this terrible terminology that we have latched onto.

Nomenclature aside, there are issues around trying to determine definitively where an attack has really come from because of the nature of computer systems, varying countries that they reside in, and the potential for the actor to be anyone from nation state to individuals of a collective privately, or a single determined individual. It is my contention that “attribution” can be very hard to prove in a court of law, never mind that a country may in fact be ready to wage war against another on the grounds of what is taken to be the truth of where an attack originated from and who the actors really were. There are too many variables that may never be one hundred percent certain to be basing any of these decisions on in my view, unless one has hacked back into the core final system that originated everything and that is rarely the case today.

So, where does this leave us? How do we even attempt to attribute an attack to any one person, government, or group? Can we ever be certain of any of this information? Can we base an aggressive action against a nation based on any of it?

Fingerprints and Ballistics

Some would approach the problem of attribution of digital attacks on the methodology that began the criminal forensics process we have today. Fingerprints were the first forensic model for determining who really may have created a crime if the evidence did not consist of an eye witness attesting to the fact that “they did it” Ballistics soon followed once guns began to have lans and grooves bored into the barrels to allow for more accuracy. Both of these examples leave telltale marks on the bullets or objects to determine which person or what gun were the arbiter of whatever crime was committed. Today though, we do not have the same narrow confines of data to examine as both of these examples allow for.

Code is the medium of today and while there are certain ways to tell if code was written in the style of a person or written on a particular computer, for the most part, these do not allow for absolute certitude as to who the actor was that created the code, nor for that matter, who used said code to effect an outcome (i.e. attacks on systems) conclusively. All one really has in most cases, are pieces of code, that, with the right coder, may in fact look like anothers, or, all attributions have been stripped from, or, lastly, copied directly from open sources and then tweaked. All of these scenarios allow for a great lassitude on determination conclusively on source or origin.

Digital Fingerprints

With all that said, the digital fingerprints are there, and with luck someone can determine if the coder was sloppy and forgot something. Interestingly, much of this was out in the open and talked about with regard to the Stuxnet infections in Iran. Once the code was audited, there were many subtle clues as to who “may” have written, and in fact there were potential red herrings left in the code such as “mytrus” and other tidbits that may in fact just been placed there to mess with those seeking to perform forensics in hopes of finding out who did it. To date, many think that the US and the UK did the work, planned the operation, created the code, and implemented it, but, there is no conclusive proof of any of that is there?

Suffice to say, that everyone does make mistakes, but, with the right amount of diligence, it an adversary can make it incredibly hard code wise, to determine who did the writing. On the other side of the coin, the digital forensics arena also looks at the network and hardware side of the equation as well. Many attacks today are not directly coming from the home systems of the adversary, but instead they are coming from proxy machines that have either been rented or, more likely, hacked previously. This too can be heavily obfuscated and be something of a problem to gather information from if those systems reside in countries unfriendly to the attacked parties. One would likely have to hack into those already compromised systems and then attempt to gather intelligence as to where they were being controlled from and by. This is of course if the system wasn’t already burned or, as in many cases, the logging had all been removed and thus there were no logs to see.

From this perspective, yet again, there is a great amount of doubt that can be injected into the picture of just who attacked because of the nature of the technologies. Unless the systems are live, and in fact the adversary is either still using them or was exceedingly sloppy, it could be very hard to in fact prove conclusively any one actor or actors carried out and attack even from the digital forensics side of the house. This leaves us with a problem that we have to solve I think in order to truly be able to “attribute” an attack even tentatively to anyone. One cannot only rely on the technologies that are the medium of the attack, one must also use reasoning, psychology, and logic as well as whatever the forensics can allude to as to the attacker. This is very much akin to the process used by CIA analysts today and should be the SOP for anyone in this field, because the field is now truly global as well as has been brought into the nation state arena of espionage and terrorism, never mind actual warfare.

Inductive vs. Deductive Reasoning

First off, I would like to address Inductive and Deductive reasoning in this effort as one of the precepts core to these attribution attempts. By using both of these in a rigorous manner, we can attempt to shake out the truths to situations that may in fact seem clear on the face of them, but, once looked into further may be discounted, or at the very least questioned. Much of this lately has been the hue and cry that APT (Advanced Persistent Threat’s) are all pretty much originating from China. While many attacks have in fact been attributed to China, the evidence has not always been plainly clear nor, in many cases, has the evidence been anywhere in the open due to classification by the government and military.

There are many “secret squirrels” out there and they all pretty much squeek “CHINA” all the time. Unhappily, or perhaps unfortunately, these same squirrels end up being the ones talking to the news media, and thus a juggernaut is born in the news cycle. It just so happens that there are many other nation states as well as other actors (private/corporate/individual) that may well be the culprits in many of the attacks we have seen over the years as well. Unfortunately, all too many times though, a flawed inductive or deductive process of determination has been employed by those seeking to lay the blame for attacks like ghostnet or ghost rat etc. Such flawed thought processes can be shown by examples like the following;

All of the swans we have seen are white, thus, All swans are white.

This has pretty much been the mindset in the public and other areas where attacks in the recent past have been concerned. The attacks on Google for instance were alleged to have come from China, no proof was ever really given publicly to back this up, but, since the media and Google said so, well, they came from China then.. Right? While the attack may have in fact come from China, there has been no solid evidence provided, but people are willing to make inductive leaps that this is indeed the truth of it and are willing to do so on other occasions where China may have had something to gain but proof is still lacking. The same can be said with the use of deductive reasoning as well. We can deduce from circumstances that something has happened and where it may have originated (re: hacking) but, without using both the inductive method as well as the deductive with evidence to back this up, you end up just putting yourselves in the cave with the elephant trunk.

Psychology and Victimology

Another part of the picture that I believe should be added to the investigative process on attacks such as these, is the use of psychology. By using the precepts of psychological profiling as well as victimology, one can take a peek into the motivations of the attacker as well as the stance of the victim that they attacked into account on the overall picture. It is important to know the victim, their habits, their nature, and background. These factors can often lead to insights into who the adversary may in fact be. While the victimology paints the picture of the victim, it also helps flesh out the motives and possible psychology of the aggressor as well.

Of course one need not be a board certified psychiatrist or psychologist to perform a vicimtology in the way that we need to within the confines of determining who may have hacked a client. Many pentester’s do this very thing (though perhaps not enough today it seems) by profiling their targets when they are preparing for a test scenario. The good ones also not only look at what the target does, but also how they do it. They also look at how things work logically, as well as every other aspect of the business to determine how best to attack and what would have the most effect to replicate what an attacker “could” do to them. This is a key also to determining who may have actually attacked as well as why they did and this leads to another part of the puzzle, that of motives.

In trying to determine who attacked one must look at the motives for the attack. These motives can also show you the lengths that the attacker was willing to take (i.e. creating custom code and other APT style attack vectors/methods) to effect their end state goal. If there seems to be no real reason for their attack, and they have not stated it in other ways (like Anonymous and their declarations of attacks) then we are left to come to grips with seeking the reasons as well as what they took/destroyed/manipulated in the end. It is important to look at the whole picture instead of focusing on the minutiae that we in the INFOSEC field often find ourselves looking at daily in these IR events.

Hannibal Lecter: First principles, Clarice. Simplicity. Read Marcus Aurelius. Of each particular thing ask: what is it in itself? What is its nature? What does he do, this man you seek?

The Pitfalls of Attribution Theory

Another part of the picture that must also be assessed is that of the mindset of the assessor themselves. Today we seem to have quite the echo chamber going on with the likes of Beitlich and others concerning China and APT activities as I alluded to earlier. The media of course has amplified this problem threefold, but, the core problem is that we as investigators are sometimes easily tainted by the echo chamber. Thus I put it to you that the precept of “Attribution Theory” also play a key role in your assessments and that it can be a pitfall for you. In Attribution theory, one must also take into account such things as the motivations of the person doing the attributing. This means that even if you are a consultant in an IR, you too can allow your own leanings to sway your findings in such an endeavor as trying to determine who hacked whom with leading evidence but no definitive proof thereof.

Motives are key, motives of the assessor, motives of the victim, and motives of the adversary. One must take these all into account and be as impartial as possible and mindful of these things. It is my contention today, that all too often people are all too available to the idea that “China did it” is the go to assessment of a so called “APT” attack, especially so when APT is one of the most misused acronyms today in the information security field. It is just behind the term “Cyberwar” in my opinion in fact as one of the most misused and poorly constructed acronyms or terms for what is happening today.

In the end, one must take a step back and see the bigger picture as well as the minutiae that comprises its total while not being too easily swayed by our own bias or conditioning. I suggest you acquaint yourselves with these ideas and use them when involved in such cases where APT and Cyberwar are concerned.

There will Always Be “Reasonable Doubt”

In conclusion, I would like to assert that there will always be reasonable doubt in these cases. Given now that we are considering actions of war and legislation over attacks and counter attacks within the digital sphere, I would hope that those in government be made aware of the issues around attribution. I cannot conceive of going to war or launching missiles over a digital attack on some system somewhere. The only way I can see this actually becoming kinetic is if the attack is in tandem with boots on the ground or missiles fired from a distinct area of a foreign power. Unfortunately though, it seems of late, that governments are considering such actions as hacking the grid, as an acceptable trigger to kinetic response by the military. This for me is all the more scary given what I know about attribution and how hard it is in the digital world to determine who did what and when, never mind from where.

Presently I am working on a framework of this whole process model and will in the near future be presenting it as well as other aspects of determining the attribution of attacks on companies and systems at a conference in Ireland. It is my belief, with my partners in this presentation, that given more subtle cues of psychology, as well as sociological and historical inference, one can get a greater picture of the attacker as well as the motives for an attack if they are not openly stated by the aggressor. Of course none of this will eliminate “reasonable doubt” but, as CIA and other intelligence analysts have proven with such methodologies, one can make a more solid case by looking at all aspects surrounding a person, case, or incident to determine the truth.

Written by Krypt3ia

2012/05/18 at 19:15

Posted in .gov, .mil, A New Paradigm, APT, Digital Epidemiology, Digital Forensics, Digital Insurgency

Paradigm Shifts: Global Salafi Jihad and “The Group of Guys”

with one comment

Global Salafi Jihad

The idea of Global Salafi Jihad has been something that I have been thinking about since the demise of OBL and now Anwar and his cohorts at Inspire (Malahem) and it seems reasonable to me that this is the natural next step in the jihad movement. The term “Global Salafi Jihad” denotes that the jihad has switched from the loosely based Salafist ideals put forth by AQ and is shifting back to the more rigid beliefs of the Salafist.

The exhortations of AQ online and other, have been curtailed since the deaths of OBL and Alawki with the media wings only putting out the usual rhetoric that it has been unable to substantiate with actions. It would seem that in the case of the Western jihadi’s that they hoped to induce into jihad, the AQ team has failed to really produce the desired effect and have waves of Western jihadi’s who activate and wreak havoc here and abroad. In fact, there have been 176 cases of self radicalized jihadi’s in the US and only 2 of them actually went on to physical attack mode with firearms.

So, it has been a lackluster performance and AQ knows this. It is my thought that the next turn will be more toward radicalizing actual Muslims with the tenets of Salafi belief. Whether or not this will take the shape of online exhortations or the more localized indoctrination at mosques is the real question. Again though, shifting back to this position I feel, is the only way to go about getting their desired goal of creating zealots who are willing to become shahid for their cause. It is finally becoming clear to them that the Western kids are just that, Western, and not really inclined to doing much other than talking about jihad as living out those fantasies online, much as they do with video games.

With the true believers though, the ones who have been trained in madrassa’s by wrote with Salafist beliefs, those are the core that they seek to manipulate and use to their own ends. This means that the pivot I believe, will be more of a focus back to the core Salafi ideology while manipulating the recruits with propaganda on how the kafir have invaded the lands (the usual line)

Net/net this means a kind of indoctrinal brainwashing… One that really will pivot back to the lands of the Ummah as the training grounds. This however will not be the true ideal of “Global Salafi Jihad” but it will be the only way I think that they can see toward keeping their movement relevant and alive.

The Group of Guys Theory and Jihad

The other aspect of this line of thought is that the theories of Dr. Marc Sageman will come to play and there will be “groups of guys” who will coalesce together in places to eventually take up jihad and Salafi beliefs. Dr. Sageman’s premise is that for the most part, the jihadi’s that have come about and actually carried out attacks were not trained in madrassa’s from childhood, but instead tended to be 2nd generation Muslims living in countries that are not predominantly Muslim. In fact, many of these guys were not radical at all until they began to feel a certain discontent with where they were in life and sought to learn about their heritage. There seemed to be something missing and when they started looking, they came across the AQ doctrine and gravitated toward it for a few reasons.

Romanticism
Fraternity within their group
Adventure

Much of the same ideas play out in the online jihad as well, but seem to not get the real life spark that is required for the actors to really activate and play their part in reality as opposed to their idealized and fantasy life that they can easily sublimate their desires with online without having the danger angle. In the cases that Dr. Sageman looked into, these players got together and as a cell, in person, worked out the details and egged each other on to actually doing something in real life.

And this is a key difference today.

Going back to the online jihad, we see this egging on and inspiring speech within the bulletin boards, but the reality is that each and every one of these players is alone in a room somewhere typing on a keyboard. Once disengaged from the internet, they do not have the physical presence and the motivation to actuate.

Post UBL, Anwar Alawki, & Inspire Magazine

Since the death of Anwar Alawki and his cohorts, Inspire magazine has been off of the digital shelf. This magazine was the closest that the AQ set had gotten to being hip and cool enough to garner attention from the Western kids. Now that it is gone, the one conduit to perhaps creating more lone wolves went with it. However, even this magazine had issues with trying to get the masses to heel to and do their bidding. This is something that they also lamented a bit in the propaganda and planning materials and I have written about in the past.

Now that this is gone, and as far as I know there are no players to fill the void, this has dealt a real blow to the online jihad and once again tips it back to the old model of Salafi jihad taking over where the Mtv AQ set has left off. This is problematic for AQ as the Salafi mindset is more than certainly not one that the Western mind and the kids here today really get, so, I am sensing an overall failure to inspire the kids with it sans something like Inspire Magazine. The question then becomes is there anyone to step up here? Perhaps Gadahn, but, he is really not that inspired himself nor inspiring for that matter.

The right word for Adam is pedantic I think.. He and Ayman are much the same in reality… Uninspiring old men yelling at the world to get off their lawn.

The Failures of Social Networking in Jihad

The use of Net 2.0 and Social Media however has been an important feature to the online jihad. Today there are numerous sites out there with Jihadi content and themes. These sites as I mentioned above, have only nominally created any kind of serious jihadi’s though. The problem with these sites though from my perspective is that C&C for those who would self activate or those “groups of guys” out there who create their own cell autonomously, can get direction and support from these sites.

I would say that 95% of the traffic on these sites are just kids playing “Jihad” online but there is a very real aspect of command and control here that should be recognized. Inspiration as well is another key factor to look at too as these sites can attract those seeking excitement and direction. Those that want to get indoctrinated can then easily get the materials and the chat to move further toward their evolution of becoming the next wanna be shahidi making a crude device in their basement or chatting with others about aspirations of shooting up a mall.

Fortunately, the use of these sites has been a boon to the likes of the FBI as they are able to obtain attribution on their users as well as insert players into the game to lead them into traps and roll them and their aspirational plans up with stings. However, as I pointed out earlier, it seems that nothing can replace the actual proximity of individuals to each other in real life to get them to actuate their plans beyond just talk.

This is a key factor and why I now feel that the online jihad is a failure and will continue to be so. You can network all you want, but human nature plays a key role here. It’s easy to just sign off, create a new ID and be anonymous online as people jeer at you. In real life, that social embarrassment and pressures involved in real life social interactions are the main reasons that others have re-enforced each other to acts of jihad.

The Network As Battle Space for Jihad

The paradigm change though I fear has been fomenting with the likes of Anonymous and their online movement. If the jihadi’s actually acquire online skills in the hacking sphere as well as figure out how to inspire and energize the more savvy believers online, then we have more problems. Recent events with regard to ICS and SCADA system vulnerabilities has shown that there is a potential for online mischief that AQ could leverage. These types of attacks would not be world ending and nothing close at all to what happened on 9/11, but instead would further the tenets that OBL laid out with regard to a “Death of a Thousand Cuts” type of warfare against the US.

It is my belief that this is potentially the new battlefield that AQ could leverage where the Western kids who gravitate toward jihad would be willing to take up digital arms. This paradigm would work for both the AQ core and the wannabe’s out there online who are unwilling to blow themselves up for Allah. With the idea that the internet offers anonymous ways to attack the powers that be (ala Anonymous) then I believe that AQ has a greater chance of inspiring followers to action and thus to potential real world acts of digital terrorism.

Acts that would not cause mass casualties on the whole, but would cause the government here to spend much more money and time on the “digital war on terror” and once again put fear into the populace who will now worry that their water will be cut off, or polluted with feces. Only these types of attacks, with real world consequences will be at all effective in furthering the jihad. Defacement of pages etc, is just skiddie stuff that will serve no greater purpose. Just one hack though on a power plant or more likely a water facility in podunk illinois will set the media and the chicken littles into a tizzy though, and that will be a media win for the jihad.

Once this happens and is claimed by the likes of online jiahdi’s then we will have a problem because this will give them the air that they desire and AQ will leverage that.

Running on Empty, AQ’s Message is Losing Steam

Generally though, I am feeling of late that the AQ message has been diluted by the deaths of key players and the squeeze we have placed upon the organization. The marketing of AQ to the masses online has been damaged with the loss of Alawki and his boys (inspire) even though they were still grappling with a working formula for their brand of jihad online. Now that the old man (Ayman) is in charge, I expect that the dictum will fall back to the Salafi system of thought, and that is a tough one for the Western kids to get in line with.

Unless AQ gets hip or learns that the digital space is up for grabs and acts on it, I frankly see the movement as going back to its roots. There will be an amount of time where AQ will have to inculcate more jihadi’s out of the next generation of kids in madrassa’s and this will take time. More and more the movement will have to be relegated to the steps of the tribal lands where it will fester.. Unless Pakistan gets in line and dismantles the ISI support for them and cleans out Waziristan.

Not too likely at present.

So, the core will go on. They will continue to try and get their message out, but it will go to the net 2.0 generation who really aren’t so much into blowing themselves up nor are they that devout.

Looking Forward Into The Jihad

So where does that leave us? I think that overall, we are going to see another shift in AQ and Jihad in general. The online jihad experiment has failed and I think the smarter ones in AQ know this. They will go on to re-tool and re-group while trying to avoid being hit by a hellfire launched from a predator. The only problem that I can foresee is the idea that they will learn something from the Anonymous movement and work more within the digital sphere.

Not so much recruitment… Until they have a success with a digital attack… Then the jihadi skiddies will come out of the woodwork.

Until then, we will have some more “get off my lawn” dispatches from Ayman.. And that’s about it.

Written by Krypt3ia

2011/12/07 at 12:11

Posted in Al-Malahem, AlMalahem, AQ, AQAP, As Ansar, Digital Insurgency, INTEL, INTELOPS, jihad, Jihad Recruitment

The Hezbullah Cyber Army: War In HYPERSPACE!

with one comment

WAR! in HYPERSPACE: The Cyber Jihad!

A day or so ago, a story came out and made the rounds on the INFOSEC-O-Sphere about the Hezbullah Cyber Army The story, which was cub titled “Iranian Terror” was titled “Iranian Cyber-Jihadi Cells in America plot Destruction on the Net and in Reality” Which, would get all our collective attentions right? The story goes on to tell about the newly formed Cyber Army that will be waging all out war on the US and others in “Hyperspace”

Yes, that’s right, you read that correctly.. This guy Abbasi is either trying to be clever, or, this is some bad translation. Sooo… Hyperspace it is! Well, I have a new tag line for him…

“In hyperspace.. No one can hear you giggle”

At any rate, the whole idea of a Cyber Jihad or a Cyber Hizbullah is a notion that should not just be sloughed off as rhetoric. I do think that if the VEVAK are involved (and they would want a hand in this I am sure) they could in fact get some real talent and reign in the ranks to do some real damage down the road a piece I think. So, while I may be a little tongue in cheek here at the start of this post, I want you all to consider our current threatscape (*cough* SCADA etc) and consider the amount of nuisance they could be if they made a concerted effort with the likes of the HCARMY.

So, yeah, this could be an interesting development and it is surely one to keep our eyes on collectively… But.. Don’t exactly fear for your lives here ok? After all, my opinion still applies that the bugaboo of scada does not easily fit into the so called cyberwar unless it is effectively carried out with kinetic attacks and a lot of effort. Nope, if the HCA is going to do anything at all, it will be on the playing field of the following special warfare fronts;

PSYOPS
DISINFORMATION (PSYOPS)
Support of terrorism (Hezbullah and others)
INTEL OPS

These are the primary things I can see their being good at or being pawns of the VEVAK for.

So.. Sleep well for now because really all you have to truly worry about is that they are going to deface your page it seems (see picture at the top of the post)

Interview by IRNA with HCA

More than anything else though at the moment, the whole revealing of the HCA is more a publicity stunt than much else I think. For all of the talk in the US and other countries about mounting their own “Cyber Militia’s” it seems that Iran and Hezbullah wanted to get in on the ground floor..

Oh… Wait..

They forgot about the PLA and the Water Army!

DOH!

Oh well, sorry guys… Guess you will have to keep playing on that whole “HYPERSPACE WAR” angle to get your headlines huh? Besides, really, how much street cred is an organization like this anyway? So far I have been poking around all of their sites and find nothing (links or files) that would he helpful in teaching their “army” how to hack.

My guess.. This is kinda like putting out the inflatable tanks and planes for the Germans to bomb in place of the real ones.

The "About" Statement on HCA

Now.. Before You All Go Off Half Cocked (That means you Mass Media)

Meanwhile, I have seen the story that I linked up top scrawled all over the digital wall that is Twitter these last couple days. I am sure with everything that has been going on in Iran of late (i.e. the tendency for their bases to explode lately as well as their pulling another takeover of a consulate as well as spy roll ups) the media is salivating on this story because its juicy. It has it all really…

Cyberwar (hate that term)

HYPERSPACE!

Espionage

BOOGA BOOGA BOOGA We’re gonna activate our hackers inside your borders and attack your SCADA’s!

What’s the media not to love there?

HCA's YouTube Page Started in September

Well, let me set you all straight. This is piffle. This is Iran posturing and the proof thus far has been they have defaced a couple of sites with their logo.

THE HORROR!

This group has not even reached Anonymous standards yet! So relax.. Sit back… Watch the show. I am sure it will quickly devolve into an episode of the keystone cops really. They will make more propaganda videos for their YouTube, create a new Twitter account, and post more of their escapades on their two Facebook pages to let us all know when they have defaced another page!

… Because no one will notice unless they let us know…

Just The Persian Facts Ma’am

The real aegis here seems to be shown within the “about” statement for the group. Their primary goals seem to be to attack everyone who does not believe in their moral and religious doctrine. A translation of the statement rattles on about how the West are all foul non believers and that we are “pompous” Which really, kinda makes me think that the Iranian people, or at least this particular group, has a real inferiority complex going. More so though, it seems from the statement that they intend more of a propaganda and moral war against the west and anyone else they see fit than any kind of real threatening militant movement.

You know.. Like AQAP or AQ proper.. Or Jamaa Islamiya.

This is an ideological war and a weak rallying cry by a group funded by a government in its waning years trying to hold on to the digital snake that they cannot control forever. Frankly, I think that they are just going to run around defacing sites, claiming small victories, and trying to win over the real hackers within their country to their side of the issue.

Which… Well, I don’t think will play well. You see, for the most part, the younger set who know how to hack, already bypass the governments machinations and are a fair bit more cosmopolitan. Sorry Mamhoud, but the digital cat is already out of the bag and your recognition of this is too late. How long til the Arab Spring reaches into the heart of Tehran and all those would be hackers decide to work against you and your moral jihad?

Be afraid Mamhoud… khomeini…

All you really have is control temporarily.. You just have yet to realize it.

Tensions In The Region: Spooks & The Holiday Known as KABOOM

Now, back to the region and its current travails. I can see why this group was formed and rolled out in IRNA etc. Seems to me even with the roll up of the CIA operations there in Iran you guys still are being besot with problems that tend to explode.

Wayward Trojan drones filled with plastique
Nuclear scientists who are either being blown up or shot in the streets
Nuclear facilities becoming riddled with malware that eats your centrifuges.

You guys have it tough right now.

Let me clue you guys in on something… If you weren’t such a repressive and malignant regime, we might work with you on your nuclear programs to power your country. But, unfortunately, you guys are FUCKING NUTS! So, we keep having to blow your plans to shit (we as in the rest of the world other than say North Korea that is) because we are all concerned you just want a bomb. Why do you want that bomb? So you can lord it over the rest of us and use it as a cudgel to dismantle Israel say.. Or maybe to just out and out lob it over the border.

You are untrustworthy.

Oh well.. Yes we all have played games there and I agree some shit was bad. The whole Shah thing.. Our bad… Get over it.

I suspect that the reason why all of these bad things are happening to you now though sits in the PDB on the presidents desk or maybe in a secret IAEA report that says you guys are close to having a nuclear device. You keep claiming that you are just looking to use nuclear power peacefully… But then you let Mamhoud open his mouth again and shit just comes right out.

Until you guys at least try to work with others and not repress your people as much.. Expect more KABOOM.

What You Should Really Worry About From All of This

My real fear though in all of this hoo ha out of the HCA is that VEVAK and Hezbullah will see fit to work with the other terrorist groups out there to make a reality of this whole “Cyber Jihad” thing. One of these factors might in fact be the embracing of AQ a bit more and egging them on in their own cyber jihad. So far the AQ kids have been behind on this but if you give them ideas AND support, then we have a problem I think. The ideal of hit and run terror attacks on infrastructure that the government and those in the INFOSEC community who have been wringing their hands over might come to pass.

HCA Propaganda Fixating on OWS

If the propaganda war heats up and gains traction, this could embolden others and with the support of Hezbullah (Iran) they could “try” to make another Anonymous style movement. Albeit I don’t think that they will be motivated as much by the moral and religious aspects that HCA puts out there as dictum. Maybe though, they will have the gravitational force enough to spin all of this off into the other jihadist movements.

“The enemy of my enemy is my friend”

If the HCA does pull off any real hacks though (say on infrastructure) then indeed they will get the attention they seek and more than likely give the idea to other movements out there to do the same.

AND that is what worries me.

Cinch Up That Seatbelt… It’s Gonna Be A Bumpy Ride

Finally, I think that things are just getting started in Iran and its about to get interesting. With all of the operations that seem to be going on in spook world (please don’t use PIZZA as a code word again mmkay?) and the Israeli’s feeling pressured by Tehran’s nuclear ambitions and rhetoric, I suspect something is about to give way. Add to this the chicken-hawks who want to be president (Herman I wanna touch your monkey) Caine and the others who have so recently been posturing like prima donna models on a runway over Iran and we have a disaster to come.

Oh.. and Bachmann.. *Shudder* Please remove her from the Intelligence committe!! That whole Pakistani nuclear AQ attacks thing was sooo not right!

PSSSSST BACHMANN they’re called SECRETS! (or, for your impaired and illiterate self SEKRETS) STFU ok?

OH.. Too late, now NATO is attacking into Pakistan…

It looks to me like the whole middle east is about to erupt like a pregnant festering boil and we are the nurse with the needs who has to pop it and duck.

So.. Uh yeah, sorry, got carried away there… I guess the take away is this; When you look at all the other stuff going on there, this alleged cyber army is laughable.

Yuk yuk yuk… You’re killin me Ahmed!

Written by Krypt3ia

2011/11/29 at 21:12

Posted in .gov, .mil, A New Paradigm, APT, CIA, CodeWars, COMINT, Con Games, Covert Ops, CyberWar, DD0S, Digital Insurgency, Disinformation, Espionage, Hacking, Infowar, Insurgency, INTELOPS, Internet Jihad, Iran, jihad, Mahmoud The Whack

Anonymous, SCADA, LULZ, DHS, and Motivations

with 2 comments

Anonymous Is Interested In PLC’s & SCADA?

A recent .pdf bulletin put out by Homeland Security (i.e. DHS) claims that certain actors within Anonymous (and by that they mean “anonymous”, I added the distinction) have shown interest in at least Siemens SIMATIC PLC’s and how to locate them online for exploitation. It seems that DHS though warning about this threat, is not too concerned about its actually being exploited by the group because they lack the expertise to attack them. So, why the BOLO on this at all? If the collective cannot do the damage to the infrastructure that you are entrusted in keeping safe, then why report on it at all as credible intelligence? It would seem to some, myself included, that Anonymous is not the problem that they are really worried about on the macro scale, but instead, those who may claim to be Anonymous hitting small scale facilities or pockets of targets for their own purposes.

And therein lies the difference.

If indeed Anonymous the collective is looking at attacking SCADA, one has to wonder at their reasons to target such systems. After all, if Anonymous takes out the power or poisons the water, it will not look good for them PR wise. In fact, were such things to happen in the name of Anonymous, I can pretty much guarantee you all that they would be enemy #1 pretty darned quick post an attack. However, if they were to target a company such as a car maker that pollutes, then, you have a real agenda (per their social agenda of late) So, the targeting is really key here and I will cover that later on.

DHS Jumping The Shark?

The motivations of the release by DHS have also been called into question by some as to why they chose to talk about this at all. This is especially prescient since they take pains to say that the Anonymous movement “most likely” does not have the technical means and motive to really pull of these types of attacks on the infrastructure. So why even bother? Perhaps they are just covering their bases (or asses) just in case the Anon’s actually attack? Or perhaps, they too are clued in on the fact that even if claimed to be anonymous, it could be others working against the US (Nation State Actors) who have chosen to attack and use Anonymous as a cover so as to throw off attribution.

Either way, as some look at it, it is almost like they are daring Anonymous to do it out of spite because they are calling Anonymous’ factions and actors “inept” or “unskilled” which, might get their dander up a bit. All of these scenarios pretty much do not preclude someone hitting SCADA systems in the future and it being blamed on Anonymous, which will bring on a new wave of efforts by the government to stamp them out. Reciprocity being what it is, this too will mean that Anonymous might in fact gain strength and sympathy from such actions and fallout as well.

For me though, I just see DHS covering the bases so as to not be blamed later on should something happen. Not so much am I of the opinion that they are in some kind of propaganda war here with this little missive.

Motives, Means, Technical Abilities

So lets go with the theory that certain elements of the Anonymous collective want to mess with the infrastructure. Who would they target and why? More to the point, what companies would they target that fits their agenda?

Telco?
Power?
Manufacturing?

Those are the three areas that I could see as potential attack vectors. Though, once again I have to say that the only two that I see as real possible would be the telco and manufacturing and even the telco would be dangerous for them to try as well. I mean, if you start messing with Ebay or Paypal that’s one thing, its quite another to mess with national infrastructure, as these two would be considered. If indeed Anonymous hit them and took them down for whatever reason, they would then be directly considered terrorists… And that would be seriously bad for their movement and its legitimacy.

Now, we do know that the Anon’s hit the BART system but as I remember it, it was BART that took out the communications infrastructure themselves so as to prevent communication between anon’s. So, this just doesn’t seem to fit for me either. Manufacturing though, as I made the case above, could be something they would try. It’s not national infrastructure and it will not take the country down if they stop something like cars being made.

Is it just me? Or does anyone else just see this as a non starter for Anonymous central? What I do see is the threat of other actors using the nomme de guerre of Anonymous as cover for their actions to mess with the national infrastructure. Perhaps some of these people might in fact be motivated by anonymous, but, my guess that if there were to happen, it would be nation state driven… And something I have been warning about for some time.

Anonymous, as an idea, as a movement, will be subverted by those looking to fulfil their own ends and justify their means. All the while, they will let the Anon’s take the fall for it.

Governments

Nations

Nation States

… AND.. Corporations.

You know, those with the money and the people who could pull off the technical hacks required to carry these capers off.. Not a bunch of rag tag hacktivists and hangers on.

Blowback

In the end, what I fear is that there will be a great deal of blowback on Anonymous even talking about hacking and messing with infrastructure. The same can be said for their attempts on taking down Wall Street or the NYSE with their DD0S. If they had succeeded, they would have been an annoyance really, but that would not have caused any great fluctuation in the markets I think. No, unless they hacked into NYSE itself and exposed the fact that they had root in there, I think that it would have a very minimal effect on Wall Street and the economy at large.

Not to say that everything is going ever so well now…

DHS seems to have jumped the shark a bit for me on their BOLO and the coverage of this just tends to add to the FUD concerning SCADA and PLC code. Hell, for that matter we have the new Symantec report on DUQU that yells out about it being the “Son of Stuxnet” but in reality, it is more like a clone of Stuxnet used for APT style attacks by persons uknown..

Get yer FUD here!

Same goes for this DHS warning.

Your results may vary…

Written by Krypt3ia

2011/10/18 at 19:39

	Krypt3ia on Active Measures
	abdymok on Active Measures
	john hendrix on A Psychological Thumbnail of D…
	Bobby Wellsville on A Psychological Thumbnail of D…
	Krypt3ia on A Psychological Thumbnail of D…

Archive for the ‘Digital Insurgency’ Category

Rate this:

Rate this:

Operation: ROLLING THUNDER:

Civil Disobedience vs. Criminality In Anon Actions:

Cyber Warfare and Law:

Covert Actions, HUMINT, and SIGINT:

ANALYSIS:

Rate this:

The Legion of DOOM!

DISINFORMATON & OPSEC

Political Wag The Dog

Rate this:

Flame, DuQU, STUXNET, and now GAUSS:

Malware Wars:

Espionage vs. Sabotage vs. Overt Warfare of Cyber-Warfare:

The Sandbox and The Wars We Are Prosecuting There by Malware Proxy:

We Have Many Tigers by The Tail and I Expect Blowback:

Pandora’s Box Has Been Opened:

Rate this:

A Conversation

Hard vs. Soft Powers and Nomenclature

China, The Hard and Soft Power via Economic Espionage and Investment

A New Battlespace, A New Set of Battles

Rate this:

The Problem

Fingerprints and Ballistics

Digital Fingerprints

Inductive vs. Deductive Reasoning

Rate this:

Global Salafi Jihad

The Group of Guys Theory and Jihad

Post UBL, Anwar Alawki, & Inspire Magazine

The Failures of Social Networking in Jihad

The Network As Battle Space for Jihad

Running on Empty, AQ’s Message is Losing Steam

Looking Forward Into The Jihad

Rate this:

WAR! in HYPERSPACE: The Cyber Jihad!

Now.. Before You All Go Off Half Cocked (That means you Mass Media)

Just The Persian Facts Ma’am

What You Should Really Worry About From All of This

Cinch Up That Seatbelt… It’s Gonna Be A Bumpy Ride

Rate this:

Anonymous Is Interested In PLC’s & SCADA?

DHS Jumping The Shark?

Motives, Means, Technical Abilities

Blowback

Rate this:

Blog Stats

Categories

Blogroll

Recent Comments