Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Duh’ Category

JIHADI’S HOLD LEGION OF DOOM CON CALL!! WOULD YOU LIKE TO KNOW MORE?

with one comment

fednet

AZIJ XXRZ HMCKIDACVA GZ UZZW!

The Legion of DOOM!

Yesterday the camel’s back finally snapped in my head after reading a post on Harper’s Magazine entitled “Anatomy of an Al Qaeda Conference Call”  which the author called into question the whole story that was put out by the Washington Times and their “anonymous sources”  The paper claimed that Ayman Zawahiri and all the heads of the various jihadi splinter groups got onto their polycom phones and their SIP connections to have a “concall” as we say in business today.

You all may remember the heady headlines in the last couple weeks where the mass media picked up on this story and began scribbling away on how the so called jihadi “Legion of Doom” dialed in for a sooper sekret meeting to plan the end of our Western Civilization. Now, I am sure some of you out there have seen my screeds (140 chars at a time more so recently) on just how we get played too often by the media and the government on some things but this, this is just epic stupid here. If you or anyone you know believed any of this claptrap coming from the media please seek psychiatric attention post haste.

Let me tell you here and now and agreeing with the article cited above, that the “LOD” did not have a skype or asterisk call to plan our downfall. At the most they likely had a meeting of the minds in a chat room somewhere within the jihadist boards out there or had a server set up somewhere for them all to log into an encrypted chat. I lean towards the former and not the latter as they usually lack subtlety online. Though, given the revelations from Mssr “Snowman” I can see how the prudent Ayman would want this to be on it’s own server somewhere and for people to authenticate locally and encrypted on a system that does not keep logs… But I digress…

Suffice to say that a group of leaders and minions thereof got together for a chat on <REDACTED> and that they talked about plans and ideas (from hereon I am going to coin the term ideating) for the destruction of the West and the raising of a new global caliphate. Does that sound familiar to you all? Gee, I can’t seem to put my finger on where I have heard that one before. … So yeah, there was a meeting, there were minions, and there were plans but here’s the catch; NOTHING WAS SAID THAT ALLUDED TO A REAL PLAN! No, really, there wasn’t any solid evidence that prompted the closing of the embassies all over. It was a smoke and mirrors game and YOU all were the captive audience!

As you can see from the article cited there seems to be a lot amiss with all of this now that some reality has been injected into the media stream of derp. Why was this all brought to you in the way it was put out there by the media? Was it only the demented scribblings of one reporter seeking to make copy for his dying paper? Or was there more to it? Was there a greater plan at play here that would have the media be the shill to the duping of the public in order to make them see say, the NSA in a different light in these times of trouble for them?

Makes you wonder huh?

DISINFORMATON & OPSEC

So yeah, a story comes out and there are “sources” sooper sekret sources that are telling the reporter (exclusively *shudder with excitement*) that the Great Oz of the NSA has intercepted a LIVE call with the LOD and that it had scary scary portents for us all!

WE. ARE. DOOMED!

That the NSA had help prevent a major catastrophe from happening because they had the technology and the will to listen in on a conversation between some very bad dudes like Ayman and the new AQAP leaders plotting and planning our cumulative demise.

*SHUDDER*

The truth of the matter though is a bit different from the media spin and disinformation passed on by the so called “sources” however. The truth is this;

  • The “con call” never happened. There was no set of polycoms and Ayman is not a CEO of AQ.
  • The fact is that Ayman and many of the other “heads” of the LOD were not actually there typing. It was a series of minions!
  • The contents of the “chat” were not captured live. There was a transcript captured on a courier that the Yemeni got their hands on and passed it on to the Western IC. (So I have heard, there may in fact be a chance they captured the stream using this guys acct) the Yemeni that is, not so sure it was us.
  • As I understand it, there was nothing direct in this series of conversations that gave any solid INTEL/SIGINT that there was a credible threat to ANY embassies.

There you have it. This has been WHOLLY mis-represented to the Amurican people. The question I have is whether not there was an agenda here on the part of one of the three parties or more.

  • Right wing nutbag Eli Lake
  • The “anonymous sources of intel”
  • The “anonymous sources handlers”

These are the key players here that I would really like to get into the box and sweat for a while. After the madness was over and sanity let it’s light creep into the dialog, we began to see that these so called sources were no more or less better than “CURVEBALL” was during the run up to the Iraq war. In fact, I guess you could say they were less effective than old curveball because we did not actually go into another half baked war on bad intelligence this time did we?

Another question that should be asked here is why was this information leaked in this way to the press on an ongoing operation that I would say might be pretty sensitive. I mean, you have a channel into a chat room (or *cough* con call as the case may be har har) that you could exploit further and yet you decide to close all the embassies and leak the fact that you have closed said embassies because you intercepted their sooper sekret lines of communication?

*blink blink*

Holy what the Hell? What are you thinking POTUS and IC community? Oh, wait … Let me ideate on this a bit….

  • The intel community is in the dog house right now because of the SNOWMAN FILES yup yup
  • So a WIN would be very very good for PR wouldn’t it? I mean you don’t have to hire a PR firm to figure this one out right?
  • HOLY WIN WIN BATMAN! We tell them we foiled their plans using sooper sekret means that the public hates for infringing on their “so called” rights and we can win hearts and minds!

Could it be that simple?

All joking aside though, think about it. Why blow an operational means of watching how the bad guys are talking UNLESS it was never something you really had access to in the first place right? You could win all around here (though that seems to be backfiring) IF the Yemeni passed this along and it was after the fact then how better to make the AQ set abandon the channel by saying you had access to it?

Right…

How better also to try and get a PR win by alluding (ok lying lying lying with pantalones on fire!) that you had compromised (you being the NSA and IC here) said channel! I guess overall the government thinks that the old axiom of “A sucker born every minute” still applies to wide scale manipulations of stories in the media to sway thought huh? Oh and by the way, if any of you out there think this is just too Machiavellian I point you to all those cables dropped by Wikileaks. Take a look at the duplicity factor going on in international realpolitik ok?

Political Wag The Dog

It seems after all once all the dust has settled that either one of two things happened here;

  1. Eli Lake did this on his own and played the system for hits on his paper’s page
  2. Eli Lake was either a witting or un-witting dupe in this plan to put out some disinformation in a synergistic attempt to make the IC and the government look good on terrorism in a time where their overreach has been exposed.

It’s “Wag The Dog” to me. Well, less the war in Albania right? I suggest you all out there take a more jaundiced eye to the news and certainly question ANYTHING coming from “ANONYMOUS SOURCES” on NATSEC issues. It is likely either they are leakers and about to be prosecuted, or there is a cabal at work and DISINFORMATION is at play using the mass media as the megaphone.

Sorry to sound so Alex Jones here but hell, even a clock is right twice a day.

K.

 

THE IRANIANS ARE KNOCKING! THE IRANIANS ARE KNOCKING!

with 4 comments

Iran-cyber-attackZOMG

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

There are known knowns; there are things we know we know.
We also know there are known unknowns; that is to say, we know there are some things we do not know.
But there are also unknown unknowns – the ones we don’t know we don’t know.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

“Mankdrake, come over here, the Redcoats are coming!”

THE IRANIANS ARE DDOS’ing OUR BANKS! UNCLE FRED CAN’T SEE HIS BANK ACCOUNTS OH THE HUMANITY!

The hue and cry over the DDoS that has been taking place since the summer on certain banks has been increasing over the last week and of course the secret squirrels and the hangers on who want to sell their wares and stories have been rife on the mainstream media. Of course the likes of Droopy Dawg (former Senator Lieberman) have also been making the rounds at podiums near you droning their dire warnings that Iran is double secretly “out to get us with cyber attacks”

Several of my contemporaries have posted articles this week pointing out that emperors all, have have no clothes on and yet, only within this small verse known as the INFOSEC community am I seeing this fact being leveled at all. It’s sad really that we the community in the know should be so marginalized by the media because we do not take the party line. Thusly the truth of the matter never reaches the unwashed masses and they live on in mortal fear and loathing over the great Muslim Shaitan that is Iran.

For us in the know though, we can only continue to say “No, that’s not what’s happening” to those who will listen or yell it out as I am here once again on my screed… Uhh.. I mean blog. Sad but true as well as for me at least cathartic to at least yell in ALL CAPS for a while. I feel better usually after a good screed here…

But I digress…

“What difference does it make if it’s true? If it’s a story and it breaks, they’re gonna run with it.”

Truth is something that media outlets and the government tell you they are giving you but really are they? In the case of the DDoS attacks on the banks there is no solid evidence as to any kind of attribution of who is doing it. This however has not stopped “government sources” and certain secret squirrels within the INFOSEC community *cough VENDORS cough* who are more than willing to tell you that it’s GOTTA be Iran. Why? well… Because.. IRAN DAMMIT! That’s about the sum of it right there. It is so because they say it is, we don’t need no stinkin proof or anything do we?

Now, had any of these people made the caveat that there is no real proof of this but my gut say’s it’s Iran that’d be ok but then again really? Really? That’s going to be an answer? If there is no proof then you say that there isn’t any and that you CANNOT say who did it. It’s simple really but instead we get the Iran angle because that is the party line for the saber rattling du jour right? Who am I kidding though right? After all according to Karl “Turdblossom” Rove back in the Bush administration “we make the reality” right? So the reality is, since it’s on the news and the secret squirrels have told us on background, that Iran is HACKING OUR BANKS!

*chuckle*

Hacking.. Ugh, that’s another issue altogether. The nomenclature is completely ignored by the media and the masses just eat it up because it has the word “hack” in it and that is god damned scary! Never mind that the DDoS really isn’t that harmful to anyone. Honestly, DDoS of the banks does not mean that they are down for the count. Sure they will lose some revenues while the sites are down but this is no nuclear strike or massive hack on the banking system that siphons trillions of dollars to Swiss accounts ala Dr. No. It’s all really much ado about nothing yet it is being flogged for the masses in one assumes is a preparatory campaign against Iran and nothing more.

“Can’t have a war without an enemy…You could have one, but it would be a very dull war…”

So yeah Iran is a repressive authoritarian theocratic government that treats its people poorly and seeks to engender itself as powerful to the global scene. They do have some technological know how and they are fixin on getting them some revenge but is a DDoS really going to be their raison d’etre? Think about it isn’t it laughable as a serious attack? Sure Anonymous does it but that isn’t all they have been doing right? THEY have actually been HACKING!

Good lord! I mean c’mon people! If you are gonna frame up Iran for some cyber shit at least do it with some serious hacks against corporations or infrastructure!! Oh, wait, I know, if they were to really do that then there’d be some real reasons for action right? Then perhaps the people might ask if what they are being sold is the truth or not right? Ahh that must be it right there huh? Just some DDoS, pay no attention, it’s not the end of the world.. Oh and IRAN IRAN IRAN CYBER CYBER CYBER!

*subliminal fear images flash across the screen as Anderson Cooper looks sternly into the camera*

Derp derp derp… So yeah, the government needs an enemy and attribution is soooo hard! It’s Iran.. No doubt about it. No, really, it’s a really complex attack! I mean no ordinary group of hackers or security folks could do this kind of thing! Well, except for those guys who have bitcoins and go to the darknet and rent some botnets.. Wait.. SHHHH… It’s IRAN! It HAS TO BE IRAN! IT’S A NATION STATE DDoS!

*takes drag on cig and looks through wayfarers*

You people make my ass twitch…

No no no no no, fuck freedom.

So once again we are left with the media not taking the full measure of things and that even includes NPR which had a report this week that nearly gave me an aneurysm. Brian Krebs told me yesterday in fact that he declined an interview/comment on this because they were not really willing to hear the truth about this. By the way Brian KUDOS to you man. YOU are my new hero! I presume that others who lack a certain moral ethical compass will be blathering every chance they get and those people should be publicly taken to task for their perpetuation of this farce.

Of course others like Jeff Carr have been a voice of sanity on NPR and elsewhere in the past but you know what? Jeff’s logic and truth doesn’t make for bleeding headlines that will draw clicks for ad revenue will it? Marginalize those who tell the truth that is too dull to sell ad space is the way of it today. So on it goes, the media drumbeat will continue saying that Iran is at the heart of every little cyber hiccup that we have from now on. Iran is in good company with China now. Hey, at least China isn’t alone! Now China can just glibly point at Iran and Mahmoud saying “It was them!” and surely many in the government and the media will say AH HA!

My friends we are doomed. The truth no longer matters and I suppose it hasn’t for some time. I am a dinosaur I suppose to believe that there are truths out there that should be told. Could Iran be behind the attacks by using proxy orgs? Sure. Do we have definitive proof? No. That’s all that needs to be said. That is of course not what we are getting from the government and media today though.

Hmm how long til Glenn Beck or O’Rielly are “Cyber Experts” I wonder….

K.

Written by Krypt3ia

2013/01/11 at 20:32

INFOPOCALYPSE: You Can Lead The World To The Security Trough.. But You Can’t Make Them Think.

leave a comment »

“Dark, profound it was, and cloudy, so that though I fixed my sight on the bottom I did not discern anything there”

(Dante Alighieri; The Inferno)

The current state of the Security “Industry”

It seems that once again people who I have acquaintance with in the security industry are wondering just how to interface with corporations and governments in order to build a base of comprehension about the need for information security. The problems though are myriad with these questions and the task to reach people can be a daunting one, never mind when you have groups of them in hierarchies that comprise some of the worst group think in the world (AKA corporations)

Added issues for the “industry” also surround the fact that it is one at all. Once something moves from an avocation to a profession, you have the high chance of it becoming industrialised. By saying something has been made industrialised, implies to many, the cookie cutter Henry Ford model really. In the security world, we have seen this from the perspective of magic boxes that promise to negate security vulnerabilities as well as teams of consultants who will “securitize” the company that is hiring them with magic tools and wizardry. The net effect here is that those paying for and buying into such products and services may as well be buying a handful of magic beans instead.

Now, not every company will be efficacious in their assessments nor live up to the promises they make for their hardware/software solutions. Many practitioners out there and companies really try to do the right thing and do so pretty well. However, just as in any other business, there are charlatans and a wide range of skilled and unskilled plying their arts as well. Frankly, all that can be said on this issue is “Caveat Emptor”  It’s a crap shoot really when it comes to goods and services for security solutions. The key is though, to be able to secure yourselves as a company/entity from the standpoint of BASIC security tenets up.

Often its the simple things that allow for complete compromise.. Not just some exotic 0day.

So we have a cacophony of companies out there vying for people’s dollars as well as a news cycle filled with FUD that, in some cases are directly lifted from the white papers or interviews with key players from those said same companies seeking dollars. It is all this white noise that some now, are lamenting and wondering just how do we reign things in and get a stable base to work from in an ethical way to protect companies and individuals from information security meltdowns. More so it seems lately, the question has been how do we reach these people in the first place? How do we actually get a meaningful dialogue with the corporate masters and have them come away with the fundamentals of security as being “important”

Unfortunately, I think that there are some major psychological and sociological hurdles to overcome to reach that point where we can evince the response we all would like to see out of those C level execs. I have written about them before, but I will touch on them again later in this piece. Suffice to say, we all have a tough row to hoe where this is concerned, so, I expect there to be no easy answer… Nor really, any satisfactory conclusions either.

“It is a tale Told by an idiot, full of sound and fury, Signifying nothing”

(Shakespeare; MacBeth)

Security Joan of Arc’s and their Security Crusade:

Joan De Arc was a woman ahead of her time. She wore men’s clothing and lead the French in battle against the English and to victory, all as a teen girl. She later was burned at the steak for heresy and just recently made a saint many years later. I give you this little history lesson (link included) to give you an idea of who you all are in the security industry lamenting over not being listened to. You too may be ahead of your time, but, just as she was, you too will not be listened to because your ideas (to the listeners) are “radical”

Now, radical is a term I am using to denote how the corporate types are seeing it. We, the security advocates, do not see these concepts as radical, but instead as common everyday things that should be practices (complex passwords, patching effectively, etc) They (the client) see these things as impediments to their daily lives, their bottom lines, and their agenda’s both personal and corporate. There are many players here, and all of them have agenda’s of their own. This is a truism that you must accept and understand before you rail against the system that is not listening to your advice.

Here’s a bit of a secret for you.. The more ardent you seem, the more likely you will be branded a “Joan” The perception will be that you are a heretic and should not be listened to. Instead you should be marginalised in favour of the status quo.. After all, they have gone about their business every day for years and they are just fine! The more you rail, or warn with dire tones, the more you will be placed at the back of the mind.

Think Richard Clarke (I heard that chuckle out there)

Though Joan inspired the French forces to battle on and win more than a few battles, she eventually was burned at the steak. Much of this was because of her unique nature and fervour. Much as yours may do the same to you… Without of course literally being burned at the steak and you all must learn this. I think you have to take a page from the hackers playbook really and use the axiom of being a “Ninja”

The subtle knife wins the battle.

 

“If the Apocalypse comes, beep me”

(Joss Whedon;Buffy the Vampire Slayer)

What’s the worst that could happen really?

The quote above really made me chuckle in thinking about this article and the problems surrounding the premise. This I think, is the epitome of some people’s attitudes on security. Most folks just go along their days oblivious to the basic security measures that we would like them to practice as security evangelists. The simple fact is that like other apocalypse scenarios, people just have not lived through them and been affected by them to change their behaviours accordingly. What solidified this for me recently was the snow storm last October here in New England that caught so many people flat footed. They simply had not ever really had to rely on their wits and whatever they had on hand before like this. When the government and the corporations (CL&P) failed to provide their services to the populace, the populace began to freak out.

Its the same thing for information security. Whether it is the government or the corporations that supply us all, both are comprised of people who all pretty much lack this perspective of being without, or having really bad things happen to them. 9/11 comes the closest, but, that only affected NYC and DC directly (i.e. explosions and nightmarish scenarios with high casualties) In the case of corporations, you have lawyers and layers of people to blame, so really, what are the risk evaluations here when it is easy to deflect blame or responsibility? For that matter, it was inconceivable to many in the government (lookin at you Condi) that terrorists would use planes as missiles… Even though a month before a report was handed out with that very scenario on the cover.

The core of the idea is this. Human nature on average, and a certain kind of psychology (normative) that says “This can’t happen to us” We all have it, just some of us are forward thinking and see the potentials. Those forward thinkers are likely security conscious and willing to go out of their way to carry out actions to insure their security. Things like storing extra food and water as well as other things that they might need in case of emergency. These can be life of death deal breakers.. Not so much for information security at your local Acme Widget Corp. In the corporate model, they have the luxury of “It’s somebody else’s problem” So, these things are usually not too important to them unless that person making the decision is cognisant of the issues AND responsible for them. Unfortunately, as we have learned these last 10 years or so, responsibility is not their strong suit.

So, on they go.. About their business after you, the security curmudgeon has told them that they need to store food for the winter..

But the grasshoppers, they don’t listen… Until they are at your door in the snow begging for food.

 

“More has been screwed up on the battlefield and misunderstood in the Pentagon because of a lack of understanding of the English language than any other single factor.

(John W. Vessey, Jr.)

How do we communicate and manipulate our elephants?

Back to the issue of how to communicate the things we feel important. This has been a huge issue for the security community for a couple of reasons.

  1. The whole Joan of Arc thing above
  2. The languages we speak are.. Well.. like Tamarian and theirs are corporate speak.

We, the security practitioners, often speak in metaphor and exotic language to the average corporate manager. You have all seen it before, when their eyes glaze over and they are elsewhere. We can go on and on about technical issues but we never really seem to get them to that trough in the title. Sometimes you can get them to the trough easily enough by hacking them (pentesting) but then they think;

“Well this guy is a hacker… No one else could do this! What are the chances this is going to really happen? Naaahhh forget it, it’s not likely”

So there is a bias already against doing the things that we recommend. Then comes the money, the time, and the pain points of having to practice due diligence. This is where they turn off completely and the rubric of it is that unless they are FORCED to carry out due diligence by law or mandate, they won’t. We all have seen it.. Admit it.. It’s human nature to be lazy about things and it is also human nature to not conceive that the bad things could happen to them, so it would be best to prepare and fight against them.

So, how do we communicate with these people and get them on the same page?

I have no answers save this;

“Some get it.. Some don’t”

That’s the crux.. You have to accept that you as the security practitioner will NEVER reach everyone. Some will just say thank you and good day… And you have to accept that and walk away. As long as you have performed the due diligence and told them of their problems.. You have done all you can. You can try and persuade or cajole them… But, in the end, only those who get it or have been burned before will actually listen and act on the recommendations you make.

“The greater our knowledge increases the more our ignorance unfolds”

(John F. Kennedy)

The Eternal Struggle

There you have it. This will always be the case and it will always be the one thing that others seeking to compromise corporations and governments will rely on. The foolishness of those who do not plan ahead will be their undoing..

Eventually.

All you can do sage security wonk, is calmly and professionally explain to them the issues and leave it to them to drink.

K.

China’s cyber-warfare capabilities are ‘fairly rudimentary’… What is it with these crazy Australians?

with 5 comments


Conclusions
Chinese strategists are quite aware of their own deficiencies and
vulnerabilities with respect to cyber-warfare. In June 2000, “a series of high-
technology combat exercises” being conducted by the PLA “had to be
92 suspended” when they were attacked by “a computer hacker”.

China‟s telecommunications technicians were impotent against the intermittent
hijacking of the Sinosat-1 national communications satellite by Falun Gong
„practitioners‟ in the early 2000s. China‟s demonstrated offensive cyber-
warfare capabilities are fairly rudimentary. Chinese hackers have been able
to easily orchestrate sufficient simultaneous „pings‟ to crash selected Web
servers (i.e., Denial-of-Service attacks). They have been able to penetrate
Web-sites and deface them, erase data from them, and post different
information on them (such as propaganda slogans). And they have
developed various fairly simple viruses for spreading by e-mails to disable
targeted computer systems, as well as Trojan Horse programs insertible by
e-mails to steal information from them. However, they have evinced little
proficiency with more sophisticated hacking techniques.

The viruses and Trojan Horses they have used have been fairly easy to detect and remove
before any damage has been done or data stolen. There is no evidence that
China‟s cyber-warriors can penetrate highly secure networks or covertly
steal or falsify critical data. They would be unable to systematically cripple
selected command and control, air defence and intelligence networks and
databases of advanced adversaries, or to conduct deception operations by
secretly manipulating the data in these networks. The gap between the
sophistication of the anti-virus and network security programs available to
China‟s cyber-warriors as compared to those of their counterparts in the
more open, advanced IT societies, is immense. China‟s cyber-warfare
authorities must despair at the breadth and depth of modern digital
information and communications systems and technical expertise available
to their adversaries.

China is condemned to inferiority in IW capabilities for probably several
decades. At best, it can employ asymmetric strategies designed to exploit
the (perhaps relatively greater) dependence on IT by their potential
adversaries—both the C ISREW elements of adversary military forces and
the vital telecommunications and computer systems in the adversary’s
homelands. In particular, attacks on US information systems relating to
military command and control, transportation and logistics could “possibly
degrade or delay U.S. force mobilisation in a time-dependent scenario”, such
as US intervention in a military conflict in the Taiwan Straits.

China‟s cyber-warfare capabilities are very destructive, but could not compete in
extended scenarios of sophisticated IW operations. In other words, they
function best when used pre-emptively, as the PLA now practices in its exercises.

In sum, the extensive Chinese IW capabilities, and the
possibilities for asymmetric strategies, are only potent if employed first.

Desmond Ball: China’s Cyber Warfare Capabilities


Oh Desmond…

Desmond, Desmond, Desmond… You spend so much time pointing out all of the Honker Union activities, the malware created by China, and all their overall IW/Espionage activities and then you say;

“Well, because there’s no real proof of their actually having done anything, they are unable to do so”

*blink blink*

Crikey! Have you been sipping what Dr. Wright has been drinking or what? Tell me Desmond, what is your classification rating? Because I think you are lacking some pertinent information that might change your hypothesis quite a bit. Either way, your contention is lacking understanding of the playing field I think, so let me enlighten you a bit ok?

Rudimentary? Really?

I personally have heard of “on the fly” coding of malware to affect pertinent systems within a defense contractor network to not only keep access within said network, but, also to exfiltrate even more interesting data. Now, that sounds rather advanced to me..

How about you?

Sure, the coders could have been just about anyone, but, the data was being exfiltrated to areas that were in the Asia Pacific and more than likely were Chinese in origin so, yeah, it likely was them and not say, Germany. However, once again, we have no real proof of it being “solely” China. Oddly enough though, when data was caught in the hands of the Chinese we pretty much had to admit it was them doing it. So, no Desmond, they are not wholly unskilled and certainly as unsophisticated as you would paint them. This is just one instance of access and hacking that allowed for the APT (Advanced Persistent Threat) activity that, well Desmond, was coined for their activities against the defense industrial base here in the US.

Simply Desmond, you can cite all the articles from the internet you want.. You still won’t have the whole picture.

PSSST… Guess What?

So, to move this further along the philosophical and technical path for you let me explain it another way for you. The Chinese, as with most of the Asiatic countries, have a different perspective on things than we in the West. Something core to the Chinese mindset on warfare are the following:

The Chinese do not have a goal of outright cyber warfare with us. In fact, they would use the subterfuge angle you speak of by leaving trap doors in software and hardware, which they have done in the past (and have been caught) However, more than likely, they would use the supply chain that we have allowed them to become the lions share of via outsourcing of cheap parts/labor to infiltrate our systems with bad chips or said same back doors. Why do you think we spend so much time (the military) checking everything that we get for the government/mil from China?
Soft power Desmond would dictate that they use the thousand grains of sand to not only steal our IP but also use the technology and our dependence on their cheap rates to insert bad data/systems/hardware into our own infrastructure for them to call up when needed to fail. This is not to say that they do not also have operators who have inserted code into other systems remotely to late be used when needed as well.
Simply Desmond, you don’t see the whole picture and its rather sad that you go on to make such defined claims. The simple truth is that the Chinese don’t need to attack us pre-emptively. They have been undermining us (US) for a very long time as we sell out to them for cheap goods. and services. THIS is soft power. They now sit in the catbird seat in many ways financially (though yes, they could lose much by us defaulting) however, from the soft power perspective, they hold the upper hand. A coup de grace would be to take down military systems were we to get uppity about Taiwan.. but really, are we in a position to do so after being wholly owned by them and their capital?
Desmond.. It’s not so much Red Dawn as it is “They Live” if you are into movie references.

網絡戰 !!!

Alrighty, now that I have gotten that off my chest, Cyberwar is to me, too hard to carry out for ANY of the countries out there now. China being only one country that might want to. The systems are too disparate and to control a single node would take great effort. So, yes, I can agree with you that they are not in a position to do us major damage from a CYBERWAR booga booga booga perspective. Frankly, no one could in my opinion. However, your contention that they could not insert bad data during a time of war is a load of crap.

ANYONE could IF they had the access and the desire. It would not need to be nation state, it could be a private citizen for that matter. What is more interesting Desmond is that you fail to understand the espionage angle here. The Chinese use their expat’s to do their bidding under threat, or, mostly under the “poor poor China” argument. Imagine an insider adding code to systems that could be triggered…

Yeah.. Soft power once again.. It could turn hard though with the right circumstances.

Once again Desmond, you think too one dimension-ally.

The Sad Truth…

Now, with all of that said, lets turn it around a bit. The saddest truth is this;

“Given all of what has happened recently with Lulzsec, it has become clear that it does not take an uber hacker to take down pretty much anyone”

The systems out there have not been protected well enough. Patching, and secure coding have not been at the fore here and thus it is trivial for the most part to hack into systems throughout the internet. So, the Chinese need not be uber haxx0rs to do the damage needed because we collectively have done a bad job at securing our own networks.

*sadface*

Once again, you fail to look at the problem from a more multidimensional angle.

Please go back to the drawing board Desmond because you lack the proper information and perspective to really make the claims you are making.

K.

“What We Have Here… Is A Failure To Communicate” Stuxpocalypse and FUDDERY

with 3 comments

FUD FUD FUD PUFFERY!

Once again I find myself having to respond to chicken little dullards spewing FUD across the internets to make themselves muy importante. Once more I have to say that the current FUD du jour on STUXNET and the fact of just how many SCADA systems are online is getting tedious. So, Mr. Wright, yet again I have to school you on the facts and disabuse you of the idea that you are correct in your thinking.

So you say that SCADA is online… I never said they were’nt frankly. If you look closely at the sentence I actually say *crosses fingers* I KNOW that there are systems online and available to the internet TODAY, a simple Shodan search for Siemens Simatic PLC systems turns up 25 hits in the US alone. So, yes Mr. Wright, they are online and I knew this. I also was saying tongue in cheek that I had hoped that more of them would not be so readily available and that the people involved in management were taking care to remove the systems from non air gap networks.

Yes Craig, there is a problem, but, it is not of the EPIC proportions that you seem to be ascribing to as a member of the Langer echo chamber.

Shodan Search


http://www.shodanhq.com/?q=PLC
http://www.shodanhq.com/?q=allen+bradley
http://www.shodanhq.com/?q=fanuc
http://www.shodanhq.com/?q=Rockwell
http://www.shodanhq.com/?q=Cimplicity
http://www.shodanhq.com/?q=Omron
http://www.shodanhq.com/?q=Novatech
http://www.shodanhq.com/?q=Citect
http://www.shodanhq.com/?q=RTU
http://www.shodanhq.com/?q=Modbus+Bridge
http://www.shodanhq.com/?q=modicon
http://www.shodanhq.com/?q=bacnet
http://www.shodanhq.com/?q=telemetry+gateway
http://www.shodanhq.com/?q=SIMATIC
http://www.shodanhq.com/?q=hmi
http://www.shodanhq.com/?q=siemens+-…er+-Subscriber
http://www.shodanhq.com/?q=scada+RTS
http://www.shodanhq.com/?q=SCHNEIDER

Above links from backtracklinux.com by way of infracritical.com

So Craig, your experiences, while not the outside the norm of mine and others in the business (inclusive of pentesting systems within airframe and engine facilities inclusive of SCADA used to control engines) has little bearing on the contention at the root of Mr. Langers diatribe about a “stuxpocalypse”  In short, in order to have the “mass casualties” scenario he is crying about, the Stuxnet variants would have to be as varied as the number of makers of PLC systems out there. Just as the actual payload file to make a fire sale scenario happen would geometrically increase to have to become its own form of bloatware.

No Craig, I just don’t see it all happening. I see perhaps pockets of localized attacks on systems, but I do not see a large power failure as much as I see someone making the poop factory spill waste into the water systems. Quite simply, as I was trying to point out Langer is spreading a large amount of FUD in an attempt to garner attention.. Much like I think you have been with your posts on Island that have been.. Well, lackluster at best. It would seem by my reading, that you only comprehend half of what is said and then regurgitate the FUD interspersed with your own experiences.

Let me enlighten you some more..

I have also been told that it’s too expensive, or it’s not important, or it’s not on our agenda as well when it comes to remediation’s that I have recommended to companies, agencies, or governments. We all have, I know this. However, the point I was making was that post Stuxnet, I had hoped that all of these people were taking a new look and remediating the problems that we all know are there. I am not foolish enough to think that everything has an air gap and that all those systems connected to the SCADA themselves are fully patched. This does not mean though, that I think we have to be chicken little here and run around being the “Langer who cried wolf”

Which, you seem to be falling into that category Craig. Which once again makes me think that you are less of a source I would listen to, and perhaps this is why these people you speak of have not taken your advice.

Just an opinion Craig.

So, back to the problem at hand other than your puffery…

SCADA systems are all too often connected to non air gap networks. We all know this. Let me tell you a secret *this one’s for you Craig* Some of them even have WIRELESS connectivity! *yes, its true!*

INCONCEIVABLE!

So, do I think it is a problem? Yes. Do I think that there are so many of these systems online and readily available that we will have a fire sale as Mr. Langer would imply?

No.

Could someone (either state or hacktivist or miscreant) do something to select systems fairly easily if there are not remediations?

Yep.

Would the world end and there would be mass casualites?

No.

All of the systems at play have some redundancy built into them. Am I worried about a meltdown at a nuclear facility *Chernobyl style* if someone messes with some Simatic PLC’s?

No.

Why? Because the systems are redundant and deliberately so. Stuxnet did not cause a meltdown, it was not that kind of network. Stuxnet took out some centrifuges. Could someone infect a network/facility to the point of making all redundant systems fail and cause a meltdown in a nuke plant?

Maybe, but that is really pushing it.

So, sure, there are problems. I know this, you know this, we all know this. However, there is no need to go around whining about how no one will listen to you because you are whining pathetically about no one listening to you. All of this being done on the media who embellishes and uses the FUD to sell air time as well as makes it even worse! It would be better to just shut up and say I told you so than to add to the cacophony of FUD which will inure the masses into apathy.

So, where do we go from here?

As I mentioned before, the picture is bigger than whether or not SCADA systems (whether they be Xp, Windows 98, or NT 3.5.1) *shudder* Old, unpatched, or otherwise vulnerable systems still pose a large threat whether or not they are internet accessible (directly) The fact that physical access had to be had in order to load Stuxnet and then had a feature (p2p) built in as well as a re-infection vector for USB in general, shows that it was a rather complex effort. If someone were able to modify the payload to work on other systems and use it in a phishing exploit, sure, we would have many more potentially infected systems. However, unless they create the uber package I mentioned at the top of this piece, it would take a fair amount of footprinting to find the exact models and firmware being used. Not impossible, but not easy either.

See, its more about defense in depth (or should be) than it is “THE SKY IS FALLING!!”

Do changes need to happen?

YES!

One hopes that they are, but all of this debate and going off half cocked is pointless… And that was my main point.. Which you utterly failed to comprehend Craig. It just goes to show, no matter how many acronyms and letters you have after your name, or how big your bio at the bottom of articles online, do not really mean you have a grasp of the situation.

K.

Written by Krypt3ia

2011/09/25 at 22:49

Posted in Duh, FUD, SCADA, STUXNET

DEFCON PANEL: Whoever Fights Monsters: Confronting Aaron Barr, Anonymous, and Ourselves Round Up

with 2 comments

A week before this year’s DEFCON, I got a message that I was being considered to replace Aaron in the the “Confronting Aaron Barr” panel discussion. It was kind of a surprise in some ways, but seemed like a natural choice given my tet-e-tet with Anonymous, LulzSec, and even Mr. Barr. After coming to BlackHat and seeing the keynote from Cofer Black, it became apparent that this year, all of these conferences were about to see a change in the politics of the times with reference to the hacking/security community and the world of espionage and terrorism. Two things that I have been writing about for some time and actually seeing take place on the internet for more than a few years with APT attacks on Defense Base contractors and within Jihadist propaganda wars.

“This is a very delicate window into our future,” he told the hackers. “Cold war, global war on terrorism and now you have the code war — which is your war.”

Going into the planning for the panel discussion, I was informed that I was hoped to be the stand in for Aaron in that I too see the world as very grey. Many of my posts on the Lulz and Anonymous as well as the state of affairs online have been from the grey perspective. The fact is, the world is grey. There is no black and white. We all have varying shades of grey within our personalities and our actions are dictated by the levels to which our moral compasses allow. I would suggest that the example best and most used is that of torture. Torture, may or may not actually gain the torturer real intelligence data and it has been the flavor of the day since 9/11 and the advent of Jack Bauer on “24” face it, we all watched the show and we all did a fist pump when Jack tortured the key info out of the bad guy to save the day. The realities of the issue are much more grey (complex) and involve many motivations as well as emotions. The question always comes down to this though;

If you had a terrorist before you who planted a dirty nuke in your city, would you ask him nicely for the data? Give him a cookie and try to bond with him to get the information?

Or, would you start using sharp implements to get him to talk in a more expedient fashion?

We all know in our darkest hearts that had we families and friends in that city we would most likely let things get bloody. Having once decided this, we would have to rationalize for ourselves what we are doing and the mental calculus would have to be played out in the equation of “The good of the one over the good of the many” If you are a person who could not perform the acts of torture, then you would have to alternatively resolve yourself to the fates as you forever on will likely be saying “I could have done something” Just as well, if you do torture the terrorist and you get nothing, you will also likely be saying “What more could I have done? I failed them all” should the bomb go off and mass casualties ensue.

I see both options as viable, but it depends on the person and their willingness to either be black and white or grey.

Within the security community, we now face a paradigm shift that has been coming for some time, but only recently has exploded onto the collective conscious. We are the new front line on the 5th battlespace. Terrorists, Spies, Nation States, Individuals, Corporations, and now ‘collectives’ are all now waging war online. This Black Hat and Defcon have played out in the shadow of Stuxnet, a worm that showed the potential for cyber warfare to break into the real world and cause kinetic attacks with large repurcussions physically and politically. Cofer Black made direct mention of this and there were two specific talks on SCADA (one being on the SYSTEM7’s that Iran’s attack was predicated on) so we all ‘know’ that this is a new and important change. It used to be all about the data, now its all about the data AND the potential for catastrophic consequences if the grid, or a gas pipeline are blown up or taken down.

We all will have choices to make and trials to overcome… Cofer was right.

“May you live in interesting times” the Chinese say…

Then we have the likes of Anonymous, Wikileaks, and the infamous ‘LulzSec’ Called a ‘Collective’ by themselves and others, it is alleged to be a loose afiliation of individuals seeking to effect change (or maybe just sew chaos) through online shenannigans. Theirs and now their love child ‘LulzSec’ ideas on moral codes and ethics really strike me more in line with what “The Plague” said in “Hackers” than anything else;

“The Plague: You wanted to know who I am, Zero Cool? Well, let me explain the New World Order. Governments and corporations need people like you and me. We are Samurai… the Keyboard Cowboys… and all those other people who have no idea what’s going on are the cattle… Moooo.”

Frankly, the more I hear out of Anonymous’ mouthpieces as well as Lulzs’ I think they just all got together one night after drinking heavily, taking E, and watching “Hackers” over and over and over again and I feel like Curtis exclaiming the following;

Curtis: If it isn’t Leopard Boy and the Decepticons.”

So, imagine my surprise to be involved in the panel and playing the grey hat so to speak. The panel went well and the Anon’s kept mostly quiet until the question and answer after, but once they got their mouths open it was a deluge. For those of you who did not see the panel discussion you can find the reporting below. My take on things though boils down to the following bulletized points:

  1. Anons and Lulz need to get better game on if they indeed do believe in making change happen. No more BS quick hits on low hanging fruit.
  2. Targets need recon and intelligence gathered has to be vetted before dumping
  3. Your structure (no matter how many times you cry you don’t have one) can be broken so take care in carrying out your actions and SECOPS
  4. Insiders have the best data… Maybe you should be more like Wikileaks or maybe an arm of them.
  5. Don’t be dicks! Dumping data that can get people killed (i.e. police) serves no purpose. Even Julian finally saw through is own ego enough on that one
  6. If you keep going the way you have been, you will see more arrests and more knee jerk reactions from the governments making all our lives more difficult
  7. Grow up
  8. The governments are going to be using the full weight of the law as well as their intelligence infrastructure to get you. Aaron was just one guy making assertions that he may or may not have been able to follow through on. The ideas are sound, the implementation was flawed. Pay attention.
  9. If you don’t do your homework and you FUBAR something and it all goes kinetically sideways, you are in some deep shit.
  10. You can now be blamed as well as used by state run entities for their own ends… Expect it. I believe it has already happened to you and no matter how many times you claim you didn’t do something it won’t matter any more. See, all that alleged security you have in anonymous-ness cuts both ways…
  11. Failure to pay attention will only result in fail.

There you have it, the short and sweet. I am sure there are a majority of you anonytards out there who might not comprehend what I am saying or care.. But, don’t cry later on when you are being oppressed because I warned you.

K.

http://www.darkreading.com/security/attacks-breaches/231300360/building-a-better-anonymous.html

http://www.pcworld.idg.com.au/article/396320/three_tips_better_anonymous

http://www.wired.com/threatlevel/2011/08/defcon-anonymous-panel/

http://venturebeat.com/2011/08/06/defcon-panel-anonymous-is-here-lulzsec-is-here-theyre-everywhere/

Not So 3R337 Kidz

with 5 comments

Once again we find ourselves following the story of a new uber dump of data on a Friday (Fuck FBI Friday’s) as they have been dubbed by the skiddies. It seems that 4cid 8urn, C3r3al Kill3r, and Zer0C00l once again have failed to deliver the goods in their #antisec campaign with their ManTech dump. ManTech, for those who don’t know, is a company that handles defense and government security contracts for such things as secure networks etc. The skiddies decided to try and haxx0r the Gibson and get the goods on the bad bad men at ManTech.

Once again, they failed.

The files are mostly UNCLASS (kids, that means UN-CLASSIFIED mmkay?) with a few SBU (Sensitive but UNCLASSIFIED) as well. Many of the files are just documents of finances, bills, resume’s and email addresses that frankly you could get with a good Googling session. Again, we are not impressed by this crap Lulz skiddies. I have told you once, and now I till tell you again, you are failing to deliver anything of interest really.

Now, if you were real APT, then you would have used the data in the excel sheets to create some nice phishing exploits and then gone on to root some good shit. But no, you aren’t that advanced are you? You just want to do the quick hit and dump your ‘booty’ to collect the love from your adoring, albeit stupid, fans. I am sure some of them are at home now wanking off to the idea that you have really stuck it to ManTech and by proxy ‘the man’

Well, you haven’t.. Not so 3r337 as Raz0r and Bl4d3 say.

What you keep failing to understand are sever key things here:

  1. The good shit is in more protected systems, ya know, like the ones Manning had access to
  2. You have no idea what you are taking or what you are dumping! Bitch please, understand the classification markings!
  3. It’s only important to your ‘movement’ if the data actually uncovers bad behavior on the part of the government!

And it’s on that last point I want to harp a little more on. You guys say you are exposing fraud and devious behavior (other than your own subversive tendencies?) and yet, you keep missing the mark. There have been no cohesive plots outed by you other than Aaron and HB Gary’s little foray into creating 0day and programs for propaganda tools online.

Yay you!… ehhh… not so much.

You certainly did spank Aaron though, and for that my top hat and monocle are off to you. He rather deserved what he got for being so God damned stupid. However, you must all understand that these are the standard operating procedures in warfare (PSYOPS, INFOWAR, PROPAGANDA) every nation plays the game and its just the way of life. So, unless you get some real data of a plan to use this type of tech by the US on the US, (other than Rupert & Co.) Once again, I am not really so impressed.

Of course, you have to know that you are now the target of all of those tools right? Not only by the US, but other nations as I have mentioned before. Do you really think that you have not opened the door for other nation states to attack using your name? No one mentioned yet that you are now considered domestic terrorists and could even be considered non domestic after you get caught? You have opened Pandora’s box and all the bad shit is coming.. And much of it is going to be aimed straight at you.

The ironic thing is this.. You have delivered shit. It’s the idea and the cover you have given other nation states or individuals that is key here. You say you can’t arrest an idea… I say certainly not! BUT They can arrest YOU and then make that IDEA not so appealing to the other skiddies once your prosecutions begin on national TV.

So keep it up.. That hornets nest won’t spew hundreds of angry wasps…

K.