Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Digital Insurgency’ Category

PLC Controlers, Stuxnet, and Kinetic Attacks: Blackhat 2011

with one comment

Since the advent of Stuxnet, the problem of SCADA (PLC) systems and their control vulnerabilities has become the focus of the world. In that this seems to be the new flavor of the day because someone (A nation state actor) decided to use those known vulnerabilities (at least 10 years worth of them) to exploit the Siemens systems at Natanz and Bushehr nuclear facilities in Iran we now have a new form of terrorist attack as Cofer Black pointed out in the keynote to Blackhat.

Dillon Beresford presented a talk on the Siemens 7 system vulnerabilities at Blackhat yesterday and did a great engineering job on the Siemens PLC system 7 attacks. However, in being so close to the subject, at least in the presentation, he seemed ill equipped to understand some of the ramifications of the exploit that was used against Iran and the amount of work that had to go into it to pull it off.

I say this because of the offhand comment that a single actor (hacker in a basement) could in fact have come up with the exploit code and he is technically right. He has singly come up with more exploit code and plugins to Metasploit to prove it, but, the attack on Iran was more complex than just exploit code for a Siemens 7 PLC. This too seemed to elude him in the statement that he did no understand the reasoning for the pivot point of the Windows machines that were infected with the worm that injected the code into the system 7.

The reasons for the attack vector pivot point is simply this;

The actors who created this exploit(s) wanted to be able to infect non connected systems at key hardened facilities that they did not have access to. Facilities that may have had regular network connections that might allow access to the worm and thus infect not only one site but many and not just the PLC systems themselves. This attack was multi purpose and needed to be persistent for a long time in order to carry out its mission goal.

And the goals seem pretty evident now:

Have the centrifuges eat themselves

Have the product from the centrifuges be compromised and thus put Iran’s nuclear program even further back.

The fact is, that the exploit code for the PLC’s was small in comparison to the amount of work and 0day that went into the worm itself. This is a key feature of the attack and something that Beresford seemed to miss. The worm was indeed the delivery system and it was likely carried into the Bushehr facility by a contractor (my thought is Russian as they were working on the Iranian program and had access) on a USB stick. Once inside, the malware had the ability to detect, spread, and inject the exploit code specific to the Siemens PLC systems at those facilities.

This brings me to a second point on all of this. The intelligence needed to know exactly what systems the Iranians had was something only a nation state actor could really have the resources to gather. This was in fact a nation state attack from all the signs of it. That it used exploits for SCADA systems that were known to be vulnerable for some time is the only twist. However, that twist had been used in the past and as long ago as the Reagan era.

An attack on a Russian pipeline was eventually disclosed by the CIA as a worm that attacked the systems of the pipeline (i.e. the PLC’s controlling the pressure of the gas) and caused a 3 kiloton explosion. This worm was likely created by the CIA and used to help dismantle the USSR.. Well at least cause some heavy damage to a pipeline that was in contention at the very least. So, this type of attack is NOT NEW. It was a quietly known vector of attack as far back (publically) as 2004 when it was revealed to the public at large, but much longer known about in intelligence circles.

The short and long, the exploits may be new in some cases, but, the type of attack is not at all.

The real difference today though is that we have the hacker community out there able to get their hands on code easily and even perhaps the PLC systems themselves to create even more exploits. Add to this that many SCADA systems have been connected to the Internet (as they should NEVER BE) ripe for attack and we have a big problem. However, the proof of concept now is out there, the exploit code is available and all it will take is an aggressor tenacious enough to write the malware to have another Stuxnet type attack on less hardened systems. An attack that could bring down the grid, cause the poop factory to explode and leak into our drinking water, or, like in Russia, have our pipelines explode in 3 kiloton explosions.

This Dillon is the key point and I know you get that. So, lets extrapolate further, how about in future conferences we have more of what Dillon did. He went to Siemens and gave them the exploit code and showed them the problems. They, unlike many companies, are taking up the challenge and not trying to hide the problems but instead are actively working on them to re-mediate. The next step is to go to EVERY PLC maker (wink wink Big O and the Administration.. Oh DHS maybe?) and bitch slap them into doing something about the problems? As Dillon pointed out, these systems are pretty open and inter-operable, so the code is likely to be just as bad everywhere.

If we don’t.. We are likley to wake up one day to a big explosion and it may just be an accident.. Or, it could be another targeted attack like Stuxnet.

K.

PS.. One small thing Dillon.. Please, attend Toastmasters. I think it would help you greatly. You speak too softly and did not enunciate.

ウェブ忍者が失敗する : Dox-ing, Disinformation, and The Fifth Battlespace

leave a comment »

Digital Ninja Fail: ウェブ忍者が失敗する

The recent arrests of alleged key members of LulzSec and Anonymous have been called into question by the ‘Web Ninja’s‘, a group of would be hackers who have been ‘DOX-ing” the anonymous hierarchy for some time now. Yesterday, they posted the following on their page concerning the arrest of a man from the Shetland Islands who is purported to be ‘Topiary‘ by the Met and SOCA.

Now, this is a bold statement for anyone who really knows what they are doing in the intelligence analysis field. So, it is my supposition that these guys have no clue about what they are doing by making bold assertions like this. The data they have is tenuous at best and by making such bold statements, I have to wonder if indeed the so called ‘Ninja’s” themselves might not be a tool of anonymous to in fact sow that disinformation.

Here are the facts as I see them;

  • To date, the federal authorities have not questioned anyone who was DOX’d by the Ninja’s that I am aware of
  • The individuals who were DOX’d that were investigated by the authorities were in fact outed by LulzSec/Anonymous themselves
  • Adrian Chen has spoken to the person that the Ninja’s have fingered and claims that he (said person) went to the authorities himself. So far he is still not a suspect.

So, taking into account these facts, I would have to say that the Ninja’s have failed in their stated mission so far and I would suffice to say that if they are indeed a part of a disinformation campaign, then that too has failed. After all, the police seem to be ignoring the data put on the interent by the likes of the Ninja’s in favour of other tried and true tactics. The primary tactic as I see it, is grab one individual and then get them to roll over on their compatriots in the face of massive jail time.

This pretty much works all the time as we, as human beings, are most willing to sacrifice others for the self. In the case of the likes of LulzSec skiddies, I would have to say that the ages of the players, and their generational tendencies will allow them to cut deals pretty quickly. It’s my assessment that they are in it for the self gratification and lulz, not for the altruism that the LulzSec and Anonymous press releases have been trying to have one believe. My assumption is that if indeed the 19 year old guy they popped in Scotland is involved with LulzSec, and is in fact Topiary, he will roll over soon enough.

I also believe that these are all untrained operatives and they have made and will make more mistakes. I am pretty sure that the alleged “leaderless” group has leaders AND that unlike a true guerrilla warfare cell, will know the other players personal details. Essentially, they have had no compartmentalisation and they will all fall eventually though interrogation and deal making. As I said before, the insider threat to the organisation is key here, and it was this idea I think the Ninja’s had.. Well, at least that was the original idea of the Ninja Warrior. They were spies who infiltrated the ranks and destroyed from within.

So far with these guys.. Not so much.

Welcome To Spook World: Disinformation Campaigns and Intelligence Analysis

Now, on the whole disinformation thing, I know that the Lulz and Anonymous have said that they are using disinformation as well to try and create a smoke screen. Frankly, all of the intelligence out there that is open source is suspect. Maltego map’s of end user names as I have shown in the past can be useful in gathering intelligence… Sometimes. For the most part, if a user keeps using a screen name in many places and ties that name to real data, then they can be tracked, but, it takes a lot of analysis and data gathering to do it. Though, many of the foot soldiers within the Anon movement are young and foolish enough to just keep using the same screen names for everything so there is a higher likelihood that the data being pulled up on Maltego and with Google searches is solid enough to make some justified conclusions.

With the more experienced people though, there has been some forethought and they have protected their identities as best they could. What became their real downfall was that they could not rise above petty infighting and dox-ing each other. Thus you have the start of the potential domino effect on the core group as well as anyone who has any peripheral affiliation with the Lulz. Be assured, those who have been pinched are giving up as many names as possible as well as whatever is on their hard drives, Anon hacker manuals or not. All of these scenarios lead to the conclusion of more arrests by the authorities and even more skiddies getting into legal trouble around the globe. Meanwhile though, if the core group has been smart, then perhaps the leaders will skate for a time, using the masses as canon fodder.

Gee kids.. Did you know that you were all expendable?

On another tac, I would like to speak about the potential of the disinformation campaigns being perpetrated by the authorities as well. Consider that the trained professionals out there who are hunting these characters (Topiary, Sabu, et al.) are also adept at using not only the technologies of the fifth battlespace, but also the training afforded them in ‘spook world’ This means disinformation campaigns, mole hunts, and insurgencies of their own, getting to the inner core of Anonymous and Lulz. Now, that there were six (alleged) lulzer’s it would be more difficult to do, especially if those LulzSec folks really do know one another (as they claim they do not, which, I just don’t buy.. Remember the compartmentalisation issue) The agent provocateur’s are out there I am sure and with each rung of the ladder, they get closer to the core group.

That is unless the core group falls apart on their own and DOX’s each other out. In the end, I am going to suggest that the authorities will use all of the tricks of the trade on the Anon/Lulz folks to bag them… And with concerted effort by government resources, they will get their men/women.

Untrained, Unruly, and Unprofessional Operators:

“Discretion is the better part of valour” as they say, and in the case of the Lulz and Anon crews, they seem to not have a clue. Perhaps the Lulz think that by being unruly and unpredictable to a certain amount, will be just the cover they need, but, I think that their lack of discretion will be their undoing as well as their hubris. Had many of these folks had some real training, they might have just stood down for a while (not just a week or so) after setting sail into the sunset.

As I have said before, it was a bad idea to recruit and have comm’s out in the open on IRC servers even if they had ‘invite only’ channels. As is being seen now, someone (jester perhaps) has taken down their servers again after other outages due to Ryan Cleary’s attack and pressure from the government on those connection sources that the Anon’s were using. I am sure the idea was to have a movement that could also serve as diversion for the core users as well as to LOIC, but this all failed in the end didn’t it? The LOIC is what has given the FBI the 1,000 IP addresses as a hit list, so to speak, that they are now using to collect people and charge them for the DD0S attacks.

Had these people been trained or not been so compulsive, they might have had more of a chance to keep this up for a much much longer time. As I write, the Lulz do continue, but they have slowed quite a bit since the arrests started again. This I think is because the cages are starting to get rattled and people are finally coming to the conclusion that some discretion is needed to not end up Bubba’s play pal in prison. It’s a learning curve, and likely going to be a painful one for the kiddies.

Unprofessional actions within this area of battle will end up with your being put in jail kids.

To end this section I would also like to add this thought. My assessment of the Lulz core group is this;

  • They were drunk on the power of their escapades
  • The more followers they had and more attention, the less risk averse they became
  • They seem to have compulsion disorders (don’t say it.. Aspergers!) that seem to not allow them to lay low (until now it seems)
  • The ego has eaten their id altogether
  • Base ages are within the teens with a couple over 20

Technical Issues Within The Fifth Battlespace:

Another BIG issue within this battlespace is the technology. The Anon’s and Lulz have been ascribing to the idea of “Proxies, we haz them! So we’re secure!” and to a certain extent they are right. There are always ways around that though and certainly leaks in data (such as the TOR leaks that have happened) that could lead someone to locate the end user behind the proxy, so they are not fool proof. Certainly not if the fool in question is some skiddie 12 year old using LOIC un-proxied and not obfuscated while they D0S Paypal.

The problem is that the technology could fail you as well as the untrained operative could make small and large mistakes that could lead authorities right back to their IP and home accts. On the other side of that equation is that when properly done, it is damn hard to prove a lot in hacking cases because of obfuscation, as well as mis-configured end systems that have been hit. I cannot tell you how many times I have seen incidents play out where the target systems had no logging on as well as being completely un-secured, thus leaving practically nothing for a forensics team to find and use.

Once again, this brings us back to the insider threat, whether they be the insider who decides to go turncoat, or, the agent provocateur (i.e. Jester and the Ninja’s as well as others from the authorities) who infiltrate the Lulz and then gut them from the inside. What it really boils all down to is that in the end, it will be the foibles of the Lulz core and the actions of spooks that will bring them down.. And I think they are learning that very fact now.

JIN; One Must Know The Enemies Mind To Be Victorious:

As a last note, I would like to say to the Ninja’s, you need to learn and practice your Kuji-in. It is obvious to me that you have failed on the ‘Jin’ (knowing the opponents mind) with your dox attempts. Until such time as I see people being hauled in that directly relate to your documents posted, then I am going to consider the following to be the case:

  1. DOX-ing is mostly useless and takes quite a bit of analysis before just releasing names
  2. The Feds are not taking your data as gospel, nor should the general public or media
  3. You yourselves may in fact be a tool of Anonymous/Lulz and as such, spewing disinformation
  4. You could be right, but by releasing it to the public at large, you are letting the Lulz know to destroy evidence and create obfuscation that will hinder arrests later.

Ninja’s got results.. Not so much for ‘Web’ Ninjas. At least Jester, if his claims are true, is breaking their C&C channels lately.. Which has its own problematic issues.. Just like his meddling in the Jihadi area, but, that’s a story for another time.

K.

Internet Jihad vs. Internet Propaganda Jihad: When The Media Gives Me Tourrettes

with 2 comments

From dnaindia.com

I followed a link today off of esecurityintelligence.net and after reading the first graph of the piece I pretty much had a bad case of Tourrettes syndrome. This is some of the WORST reporting I have seen where it concerns the state of internet jihad. Now, I know why these places all do this, they just want a lead story and headline that will draw people in and make them click into the site. I get it… But.. It’s just wrong. The internet jihad is more a propaganda campaign than anything else and as you can see from the piece below from of all places, “The Sun” did a bit of a better job on the facts than dnaindia did!

Now that is surprising.

From thesun.co.uk

So, as I was saying, a ‘bit’ of a better job.. Then they too go off the rails. Look, the cyber jihad or Internet jihad is comprised mostly of jihobbyists, guys who want to get in on the action but are too clueless to actually go to the battlefield in some cases. In others, they are deluded individuals with mental health issues that need to be medicated and taken care of. In either case, the needed skills to really cause greater issues other than setting up php bulletin boards to throw propaganda on are lacking on the part of the general jihobbyist populace. Just how many of the attacks by LulzSec were attributed to the likes of Al Qaeda?

hint: NONE

Yet the media persists in perpetuating this idea the there are some 31337 jihadi’s out there who are going to pwn the grid. Really guys, get your shit straight when reporting on things ok? I have seen some strives in the Jihadi hacking scene these last few years, but NOTHING like what you are talking about. Hell, their real hacker went to jail years ago (Irhabi007) What is worse it seems, is that likes of Home Secretary May, may in fact be spinning half truths about Internet jihad for whatever political expediency she needs. I have reported in the past about the Facebook Jihad (notice 2010) and pretty much sum it up to propaganda and thats it. Sure, there may be some illicit comms channels here, but, its Facebook for God’s sake! They are on top of this shit, TRUST ME! The jihadi’s have been complaining that as soon as they set up a Facebook page it gets taken down by Zucky and company! So really, there is no threat there.

So, lets take another look at it from the post LulzSec perspective.

Lulz have been wreaking digital havoc with some pretty low level hacks. They carried out DD0S, they hacked low hanging fruit and stole data which they then published. LULZ did it, NOT Al Qaeda. Now, don’t you think that if AQ was adroit at hacking and wanted to cause pandemonium they would have beaten LulzSec to it all? Don’t you further think that perhaps when and if they hacked the servers with the low hanging fruit hacks (SQLi) that instead of just publishing the data, they would have say RM’d the whole databases?

Think about it;

  • Economic targets like the stock market
  • Military targets like the recent Anon attacks on Booz Allen
  • Attacks on grid and other key infrastructure targets

ALL of these things likely already harbor vulnerabilities that the likes of Anonymous could already have access to! The difference? The LULZ don’t want to be thrown in a hole forever and know their limits I suspect. Now, if you were AQ though, what’s to lose?

NADA

AQ, if they had the capabilities would already have used it! They haven’t, which means to me they lack the critical skills in their jihobbyist base to be a threat in this arena. It is as simple as that. So please Media, fucking buy a clue and stop just trying to use the “If it bleeds it leads” mentality to get clicks. Do your JOB’s and get subject matter experts with credentials to talk about this stuff instead of just trying to scare the straights with false reports.

I have often written on this topic in the past and from what I have seen here is the overall picture of the state of Jihadi hacking tech.

  • They are using OLD malware packages to infect machines to steal data/money (mostly money)
  • They are using OLD hacking exploits for the most part just as they are with the malware packages
  • SOME jihadi hackers (TNT_ON) are clued in and know what they are doing technically, but yet are inept enough to leave their real IP addresses in their tutorial videos (I see you!)
  • They are learning.. Slowly.. but their sites still keep getting popped and their super sekret rooms online have been penetrated
  • Their crypto program (Mujahid Secrets) has been cracked/Reverse Engineered

Finally, let me leave you with this little bit of wisdom post the demise of OBL:

  • They got him because his lackeys were tracked by their electronic comms
  • Even though they were using sneakernet  and email Dead Drops we managed to catch on (these techniques are not hacking)

Were OBL and his crew using high tech hacking techniques or crypto (aka steg) as their main means of communications, judiciously, it would have been even harder to get a line on what they were up to, where they were, and moving forward, determine future plans from OBL’s hard drives etc. Instead, they were using old spy tactics with minor digital twists to evade the US and other countries. This says a lot about their abilities and ours to detect them. They decided it was better to go old school because we cornered the digital market.

This follows today to the hacking scene, where we have some muslim hacker groups out there defacing pages, but not doing much else in the way of Islamic Electronic Jihad. So, media, let me put it plainly again;

They don’t have the skills to be super scary like you want them to be in your exaggerated reports!

CUT IT OUT!

I will let you know when they have their shit together.. Trust me.

K.

Past posts on this subject:

Cyber Jihad: Malaysia

Great Likelihood of Cyber Attacks By Terrorists: You Don’t Say!

Inspire Magazine Analysis: Going Green for College Age Recruits

Abo Yahya and Metadata Cleaning

TNT_ON@hotmail.com —> zmm@hotmail.com = Sword Azzam?

Inspire vol II: Rationalization, Operational Directions, Open-Source Jihad, and Pivoting the Battle-Space

Jihadi Malware 2010, Al Mojahden’s User Acct Boo Boo, & The Jihadi Technical Forums

Jihadi Hacking Tutorials: Irhabi 007′s Text and More

Jihadi Penetration Tutorials: Metoovet

The Jihadist Repertoire Expands

MJAHDEN: Jihadi Crypto Progam

Al-Qaida Goes “Old School” With Tradecraft and Steganography

 

 

Team Inject0r: The Multinational Connection

with 6 comments

The recent compromise of a NATO server by “Team Inj3ct0r” has recently made the news, but, as the media usually do, they did not look any deeper than the website for Inj3ct0r and perhaps a little data as to what the team said in a text doc on the compromised server. A further examination of the group shows that Inj3ctor has been around since 2008, and has ties to Chinese hackers as well as Russia, Turkey and other countries.

This could change the paradigm on the “hacktivism” moniker that Team Inj3ctor has branded themselves with recently (post the goings on with Anonymous and LulzSec/Antisec movements) Before these movements, this site and the teams all were loosely linked and purveyors of 0day, and not so much in it for any political means. What has changed? Who might benefit here to use the hacktivism movement as a cover for hacking activities that could cause a stir?

… Maybe the PLA? Maybe the FSB?…Some other political orgs from Gaza? or Turkey?

Or, perhaps they are just a bunch of hackers who like the cause celebre of hacktivism? It’s hard to say really, but, when you get China into the mix, the lines blur very very fast.

Below I am outlining the data I collected on the main inj3ct0r site, its owner, and two of the players who are on both teams of hackers that span China and Russian hacking. This makes for a new wrinkle in the Anonymous/Lulz movement in that the NATO hack was claimed by someone using the name “Team Inj3ct0r” and this site seems to fit the bill as the source of the attack since it has been quoted by the hackers that they used 0day on the NATO server to crack it and keep access. If indeed there are connections to state sponsored hacking (as the China connection really does lead me to believe) then we have a new problem, or perhaps this has been the case all along that the state sponsored hackers have been within Anonymous, using them as cover.

Another interesting fact is the decision to attack NATO. Was it a hack of opportunity? Or was there a political motive here? As I have seen that these groups are multi-national, perhaps this attack had a overall political agenda in that NATO is supposed to be the worlds policeman. I am still unsure.

Teams and Members:

In looking at the sites and the members, it came to light that two members belong to each of the teams (inj3ct0r and DIS9) The two are “knockout” and “Kalashinkov3” The teams are tied together in the way they present their pages and the data they mirror so it is assumed that they have a greater connection underneath. In fact, more of them may be working together without being named in the teams listed below. Each of these people have particular skills and finding 0day and posting them to this site and others for others to use.

Team Inj3ct0r: http://77.120.120.218/team

Team Inj3ct0r’s site is located in Ukraine and is registered to a Matt Farrell (mr.r0073r@gmail.com) My assumption is that the name given as well as the address and phone numbers are just bogus as you can see they like to use the netspeak word “1337” quite a bit. A secondary tip on this is that the name “Matt Farrel” is the character name for the hacker in “Live Free or Die Hard” Someone’s a fan…

Team Inj3ct0r

r0073r – r0073r is the founder of inj3ct0r and I believe is Russian. The site r0073r.com owned by Mr. Czeslaw Borski according to whois. However, a whois of inj3ctor.com comes up with a Anatoly Burdenko of 43 Moskow Moskovskaya Oblast RU. Email: e-c-h-0@mail.ru

  • The domain r0073r.com owned by a Mr. Czeslaw Borski out of Gdansk Poland (another red herring name) domain hosted in Germany with a .ru name server
  • The domain inj3ct0r.com created in 2008 belongs to Anatoly Burdenko and has been suspended
  • The domain inject0r.com was hosted in China  61.191.0.0 – 61.191.255.255 on China net
  • Another site confirms that r0073r is the founder of team inj3ct0r aka l33tday
  • Another alias seems to be the screen name str0ke
  • Also owned www.0xr00t.com

http://www.inj3ct0r.com domain details:

Registrant:
Inj3ct0r LTD
r0073r        (e-c-h-0@mail.ru)
Burdenko, 43
Moskow
Moskovskaya oblast,119501
RU
Tel. +7.4959494151
Creation Date: 13-Dec-2008
Expiration Date: 13-Dec-2013
Domain servers in listed order:
ns1.suspended-domain.com
ns2.suspended-domain.com
Administrative Contact:
Inj3ct0r LTD
r0073r        (e-c-h-0@mail.ru)
Burdenko, 43
Moskow
Moskovskaya oblast,119501
RU
Tel. +7.4959494151                     
Sid3^effectsr
4dc0reSeeMe
XroGuE
gunslinger_

indoushka
KnocKout

  • knockout@e-mail.com.tr
  • knockoutr@msn.com
  • Alleged to be Turkish and located in Istanbul
  • Member of the Turkish cyber warrior site cyber-warrior.org last access July 4rth 2011

ZoRLu
anT!-Tr0J4n
eXeSoul
KedAns-Dz
^Xecuti0n3r
Kalashinkov3


DIS9.com:

DIS9.com is a hacker group that is linked to and shares two members with Team Inj3ct0r (Kalashinkov3 and KnocKout) Both sites are very similar in design and content. DIS9.com resolves to an address in China and is registered to a YeAilin ostensibly out of Hunan Province in China. The owner/registrar of the site has a familiar email address of yeailin225@126.com also a domain registered and physically in China.

A Maltego of this data presents the following interesting bits: A connection to the site http://www.vi-xi.com a now defunct bbs which lists the yeailin225 account and other data like his QQ account. This site also lists another name attached to him: Daobanan ( 版主 )  vi-xi.com had hacking discussions that involved 0day as well. The domain of vi-xi.com was registered to jiang wen shuai with an email address of jwlslm@126.com and listed it out of Hunan Province.

The connections from DIS9 to other known hackers who are state actors was found within the Maltego maps and analogous Google searches. As yet, I am still collecting the data out there because there is so much of it. I have been inundated with links and user names, so once I have more detailed findings I will post them. Suffice to say though, that there is enough data here to infer that at the very least, hackers who work for the state in China are working with others on these two sites at the very least, sharing 0day and perhaps hacking together as newly branded “hactivists”

DIS9 Team:
Rizky Ariestiyansyah
Blackrootkit – 
Kedans-Dz

: Team Exploit :

Nick
Kalashinkov3
KnocKout
K4pt3N
Liquid
Backdoor Draft

h4x0er.org aka DIS9 Team

Another interesting fact is that a link to the site h4x0er.org itself shows that the DIS9 team is the umbrella org for Inj3ct0r and other teams. This is a common practice I have found with the Chinese hacking groups to have interconnected sites and teams working together. This looks to be the case here too, and I say this because of the Chinese connections that keep turning up in the domains, sites, and team members.

Other Teams within the DIS9 umbrella:

In the end, it seems that there is more to the inj3ct0r team than just some random hackers and all of this data bears this out. I guess we will just have to wait and see what else they hit and determine what their agenda is.

More when I have it…

K.

The Lulzboat Sailed The Internets and All I Got Was This Stupid Garbage File!

leave a comment »

That’s it? All we get is this stinkin garbage file?

Well, it seems that the Lulz are over for now as last night saw the Lulzboat sail into the sunset. In a post on twitter and a rapidly seeded file dump on Pirate Bay, the LulzSec collective decided to hang up their tophat claiming that they were basically going to pull a Costanza at the top of their game.

Within the torrent file the following parting words were sent:

Friends around the globe,

We are Lulz Security, and this is our final release, as today marks something meaningful to us. 50 days ago, we set sail with our humble ship on an uneasy and brutal ocean: the Internet. The hate machine, the love machine, the machine powered by many machines. We are all part of it, helping it grow, and helping it grow on us.

For the past 50 days we’ve been disrupting and exposing corporations, governments, often the general population itself, and quite possibly everything in between, just because we could. All to selflessly entertain others – vanity, fame, recognition, all of these things are shadowed by our desire for that which we all love. The raw, uninterrupted, chaotic thrill of entertainment and anarchy. It’s what we all crave, even the seemingly lifeless politicians and emotionless, middle-aged self-titled failures. You are not failures. You have not blown away. You can get what you want and you are worth having it, believe in yourself.

While we are responsible for everything that The Lulz Boat is, we are not tied to this identity permanently. Behind this jolly visage of rainbows and top hats, we are people. People with a preference for music, a preference for food; we have varying taste in clothes and television, we are just like you. Even Hitler and Osama Bin Laden had these unique variations and style, and isn’t that interesting to know? The mediocre painter turned supervillain liked cats more than we did.

Again, behind the mask, behind the insanity and mayhem, we truly believe in the AntiSec movement. We believe in it so strongly that we brought it back, much to the dismay of those looking for more anarchic lulz. We hope, wish, even beg, that the movement manifests itself into a revolution that can continue on without us. The support we’ve gathered for it in such a short space of time is truly overwhelming, and not to mention humbling. Please don’t stop. Together, united, we can stomp down our common oppressors and imbue ourselves with the power and freedom we deserve.

So with those last thoughts, it’s time to say bon voyage. Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind – we hope – inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere.

Thank you for sailing with us. The breeze is fresh and the sun is setting, so now we head for the horizon.

Let it flow…

Hrmmm.. 50 days? Is there any real significance to this other than perhaps the party van was pulling up outside your doors and you had to dump the garbage file quick like? Honestly, the files that you dumped, while in sheer numbers of passwords and logon’s to a few sites is well, kinda weak. In short, there is nothing revelatory here. I mean, jeez at LEAST the garbage file in the movie had some interesting malware shit in it right?

The Files:

So, we have some AT&T data from inside that cover some frequency ranges, and some manuals, minutes from meetings etc that are kind of interesting. There is a scan of the FBI.gov site that shows a vuln, and they managed to add Pablo Escobar to the Navy jobs database.

Whoopee.

All in all I have to give the Lulzsec crew a big “MEH” on this as well as their other dumps really. Sure, they have pointed out that low hanging fruit is abundant on the internet, but, really, who in the security or hacking world did not know this? Further more, what does the average everyday end user care? I mean, if their passwords are stolen, they will reset them. If their money is stolen they are insured by the Fed… Is there a great hue and cry from the masses because Lulz were had by the general populace to have the Lulzboat crew hoisted on the yard arm?

Not that I have seen.

In short kidz, you have only served to amuse yourselves and others out there but if you had anything else in mind about bringing change to the scene, I don’t think you have succeeded. People are creatures of habit and sloth. Short of taking the whole system down for the count, nothing will be so epic as to make corporations secure their networks and perform due diligence. Those who have done so out of worry because of your antics will go back to their peaceful Luddite slumber.

Leaving So Soon?

So, on to your sudden departure from the scene. I have the feeling that as I had written about before, you were coming to realize that perhaps you could never be as clever or wily to evade detection and prosecution given your penchant for the dramatic you all seem to have. Your propaganda machine and communication channels were leaking, this you could see from the A-Team dumps.

You guys have tried variations of your names, you have attempted obfuscate as much as you could, but, in the end, your re-use of favored screen names was your undoing. You see, the jester has been scouring the internet (I am sure with help from others) looking for any connections to those screen names or iterations thereof. I myself have done this and came up with analogous data to what jester and others have posted. With each successive day, your true identities are being uncovered if they have not fully been as of now.

However, this re-use of nick names and ties to email addresses aside, you guys just were immature enough to do yourselves in with petty disputes and the use of non trustworthy assets. This whole outing of each other thing was one of the most stupid things I have seen. Sure, some of it could be digital chaff, with you trying to set out disinformation, but I think that is not the case. Your own hubris shall be the thing that ends up placing the party vans on your collective front steps.

Lets face it, you played the game of spooks and I think in the end, you will lose. In fact, I think that you should probably have been better off had you just gone off seeking some sharks with frikkin lazers on their heads in your volcano lair instead of playing with the fire that you have been. Once they do pop you, you all are going to see some very interesting things inside jail as the governments kluge together terrorism charges on you.

Your Legacy:

Well, I guess we will have to see if anyone decides to take up the Lulzsec mantle. For now, we all await the party van posse to pick you all up sooner or later. You have spawned some more fools though like Team Poison who want to up the ante with releases of data like old Tony Blair stuff… That was kinda lame too frankly and made so sense when they claimed to still have access.. Why dump what you have and then claim to still have access? If it was current, I am pretty sure they have yanked the plug on that mail server and ‘five’ has it.

Oh, did you take that into account? I mean, he is Tony Blair after all… They are MI5… ‘Expect them’

So where was I?… Oh yeah..

In all of your dumps you delivered nothing worth your or our time. You proved a point that SQLi is prevalent but who didn’t know this? You have proved that you were pretty immature and likely suffer from Asperger’s yourselves… Well that will be the claim that your lawyers make to the judge won’t it huh? I mean that is the mental illness du jour as excuses go for immature hacking antics today isn’t it? I don’t think that will work though, the government just doesn’t care, they will medicate you and then put you on trial. You see Asperger’s is not a form of insanity, and the insanity plea, as some of us know, is NOTORIOUSLY hard to use as a defense in court. Nope, you guys really actually suffer from inflated ego’s and too much jolt cola.. That’s my diagnosis, for what its worth.

So, yeah, legacy… Well, you certainly have tried to do your best imitation of SPECTRE, but instead you came off as Bighead. I am sure there will be others following in your footsteps, but, in the end I don’t think you have launched a new SPECTRE.

Nope, I expect your real legacy will be the creation of more draconian laws by the government as a backlash to your antics. Laws that will make all our lives a bit more less private and a lot more prone to being misused. I also expect that the lulz will continue, though at your expense once you are all caught and put into the pokey.

… And those lulz will also be epic fail.

K.