Archive for the ‘ELINT’ Category
Phone Hacks Or Intercepts: Bezos’, Pecker, Sanchez, MBS, A Pragmatic Approach
This whole thing about the Bezos’ dickpics is running amok in the media with panel after breathless panel dribbling on ad nauseam. Wanking on over whether or not a nation state secret service intercepted those texts and photos or if AMI (The National Enquirer) hacked them with the help of sleazy private investigators and/or the brother of the mistress has me apoplectic every time it’s thrust in my face on the news. I finally decided to put this post together with some sense making to counter all the stupid out there. Of course the funniest thing about all of this though is that I have yet to see any of the hacking talking heads that usually show up, like Dave Kennedy, being dragged out to assess how easy or hard it would be to just hack a phone or an account. Who knew they would not be clamoring to get more news cycle attention to pimp their services huh? Anyway, let’s do a little dive into what Bezos likely has as a phone, how easy they are to hack, and how likely it is that a bad actor like MBS and his secret services, a paid group, or just the brother of the mistress with a grudge were the culprits, shall we?
What phone does Bezos likely have and how hack-able is it?
According to the babbling of the news media, claims have been made that Bezos has security and as such his phone is likely harder to hack. Well, let’s put that to the test and see. I did some looking and as of 2017 he was still using a Fire Phone, his own product, and that runs on Android. A little more Googling and you can see that it had seven vulns that included DoS and overflow attacks in 2018.
FireOS is based on Android 4.2 JellyBean and that had a host of vulnerabilities as well. So unless Bezos was using some super secret hardened version of JellyBean or FireOS then it is likely that even with iterations today he might have, it is still quite hack-able in all reality. So with that information one has to wonder at all this reporting that it HAD TO BE a nation state or that this was some exotic attack on a hard target.
Sorry, no.
Meanwhile, if indeed Bezos had another phone, he was spotted before with ANOTHER model of phone (Samsung) which also uses Android as its base operating system. If you are in the hacking or security community, then you know that Android is a hot mess security wise because Google could really give a fuck, so there you have it. Unless Bezos decided to get a Blackphone (which still had issues) I am gonna say it would not be hard to hack him with a phish with a bad .apk file and own him.
Sorry media, go home, you’re drunk again.
The facts are that unless Bezos got his hands on an NSA encrypted and hardened phone like the one that Obama had (which was Blackberry) then it is likely trivial to attack his phone and own him. That’s the fact and everyone should take that into account when listening or watching these talking heads on TV. Of course, this is not to say that it wasn’t MBS or minions he hired or AMI that did this because these are TRIVIAL hacks and one could pay easily for someone to do it. It would not take the NSA or that level of nation state access intercepts to get the data Pecker has.
What are the odds that a bad password(s) and an automatic backup to the cloud are responsible here?
Right, so what about bad passwords? I mean hell, Manny’s password to all his secret bad dealings was “bond007” right? So is Bezos using a good password vault with 16 character passwords and rotating them often? Well, I cannot say, but what I can say is this: “security is hard and OPSEC is even harder for regular people.” This means that it is entirely possible that Bezos’ passwords could have been weak and he may not have changed them as regularly as might be needed for someone who is a higher risk target, right? I am sure he has minions and possibly a security detail, but, think about this, would you want your security detail to have the password to your dickpic mistress phone?
This also brings up another question…. Did he have a mistress phone? Something separate from his regular phone and hidden so the wife would not see? You have to ask yourselves this question as well when thinking about this whole “affair” right? Let’s say Bezos bought a burner phone and used that instead of his primary phone to send his dickpics and stupid stupid texts mooning to his side piece. It’s not something you would really want to have lying about for the wife to find and nothing that could be directly tied to you in some ways. I mean sure, he sent photos of himself, not just his junk, so yeah, not the greatest OPSEC there either. But would such a phone have less security because it was not hardened by the security detail?
Hmmmm….
Either way, passwords and access to Google (since I think he is still using Android) are problematic, and unless he had all the 2FA turned on and alerting, he could have easily been pwned due to his own stupidity with passwords and access security.
What are the chances that physical access to the mistress’s phone is to blame?
Ahh this mistress… Well all of the things above could apply to her as well. It could have also been physical access to the phone by others. Let’s face it, Sanchez could have been using her dog’s name as a password to all her accounts for all we know. She is the weakest of weak points as far as I am concerned in the security picture in this story. A running theme in the story seems to be that the mistress’s brother is tied into the Trump camp and its acolytes, so there is a chance that he accessed her phone either physically or perhaps he had a password to gather the details and leaked them to AMI.
Think about that though….
You would have to be one cold bastard as a family member to hack into the sister’s phone and dump pics that seem to include some nudity on her part as well to AMI right? I mean that is some serious pathology there. Keep that in mind further down this post ok? *turns over standing presentation board with pics and yarn connections* So yeah, it could be the brother, or it could be anyone who had proximity to the phone and a desire to carry out this attack on her and Bezos.
I am unaware of what phone the mistress is using but I am willing to bet that she is not as security conscious as Bezos might be. It could even be that Bezos and she both had burner phones that were insecure, who knows right? Suffice to say that the mistress and her electronics hygiene may have in fact been the vector of the leak and everyone has to take that into account even if you are thinking that this was carried out by nation state actors like MBS or Russia. It would be a soft target campaign with phishing, physical access, and stupidity that would win the day and would not take that much effort really.
Was it a nation state intercepting Bezos and just handed this over to Pecker and AMI?
Speaking of nation state actors here’s the deal…
It’s quite possible. It would likely be trivial to attack the weak link (mistress) and gather all the intel. In fact, let’s suppose the nation state actors did do this, it would not only be dick pics that AMI might have. It is possible that they also have audio and video captures of phone calls and the like as well. How do we know that Bezos and the mistress didn’t make any videos together as well? Or perhaps little videos for one another?
Ponder that one too.
The fact of the matter is that a nation state, hired hackers, or sleazy PIs could all have done this and all could have passed on even more dirt to use against Bezos and his mistress, and it all sits somewhere in a safe on an external hard drive right? All I am saying is that there may be more to come in the future if at some other time AMI and/or others decide to go nuclear on Bezos. I will sit back and watch the fires burn and sip my whiskey when it all comes down. At the end of the day it cannot be said that it wasn’t a nation state that did this and there are hints and allegations that AMI might have that avenue of interest with MBS and Saudi to have made this happen.
My biggest problem though with that is that it was so fucking hamfisted in its being carried out that it makes me wonder if it wasn’t just AMI doing what they have been doing since they started their yellow journalism agitprop fuckery. I would hope that a nation state would be smoother than “It would be a shame if something happened to that marriage you have there” but hey, we are in the Trump era of thuggery and clown cars full of Russians right? So yeah, entirely possible it was MBS in the conservatory with AMI and a phone hack. Time will tell though, but let’s not make this into a James Bond epic huh?
What are the chances that this was a honey-trap?
Ok, breaking out the murder conspiracy board here for the fun of it…
What if, just what if, this was a honeytrap? What if the mistress is like the brother and a Trump supporter? What if this was all a trap by AMI and others to get Bezos to back off, using this woman wittingly or unwittingly? I mean, it is possible isn’t it? I am not saying it is likely but I am just gonna put that out there for you all. If I were looking to damage a (perceived) adversary like Bezos I might just hire hookers and get the goods on him in a hotel that’s been wired. Of course it would have to be a situation where Bezos doesn’t have a TSCM team sweeping rooms before he stays in them and such, but yeah, that would be one way. Another might be to leverage someone in the orbit or put someone in the orbit who he can be enticed by and get the goods on him that way…
Ya know… like what we are seeing play out here right? This is exactly the sleazy way that espionage is carried out on the nation state level (blackmail) as it is on the AMI level of play. So this is not an impossibility. Is it likely in this case? Well, what do we know about Sanchez anyway? I guess a deeper look into her and her brother might be in order and is likely being done by the likes of the FBI right about now.
Giggity.
But yeah, with all the hyperventilation going on in the media, this is a possibility and I cannot just wipe this away as a not a thing.
Time will tell.
Forensics or GTFO!
Finally, I would like to once again yell at the media FORENSICS OR GET THE FUCK OUT! I would like to see some evidence that points to nation state hacking or intercepts of Bezos’ and the mistress’s accounts or phones. Will we ever see this data? Well, who the hell knows really, but it won’t stop me from yelling this out every time the media breathlessly makes claims that exotic espionage has been carried out on alleged hard targets who use Android phones!
STAAAAAAHHHHP
I eagerly await some evidence in this case but I don’t really expect any. I will keep an eye on it all but at the end of the day I just wanted to put this out there. It is not super secret nation state shit level stuff going on here. It may in fact be leveraged by MBS and his people but it is not something along the lines of them using SS7 on Bezos and his mistress right?
Right?
Oh right, need forensics for that…
Derp.
K.
So here’s my thing….
VQX HWMVCUSE JQJFASSNTG QV! X HQ JD ISIAVVE!
Face it.. We are all PWND six ways to Sunday
Every frigging day we hear more and more about how the NSA has been emptying our lives of privacy and subverting the laws of this land and others with their machinations. It’s true, and I have been saying as much since the day Mr. Klein came out of his telco closet and talked about how the NARUS system had been plugged into the MAE West back in the day. We are all well and truly fucked if we want any kind of privacy today kids and we all need to just sit back and think about that.
*ponder ponder ponder*
Ok, I have thought about it and I have tried to think of any way to protect myself from the encroachment of the NSA and all the big and little sisters out there. I am absolutely flummoxed to come up with any cogent means to really and truly protect my communications. Short of having access to the NSA supercloud and some cryptographers, I don’t think that we will truly have any privacy anymore once we place anything on the net, or in the air. We have reached, in my opinion, the very real possibility of the N-Dystopia I have talked about before in the Great Cyber Game post.
As the pundits like Schneier and others groan on and on about how the NSA is doing all of this to us all, I have increasingly felt the 5 stages of grief. I had the disbelief (ok, not completely, as you all know, but the scope was incredible at each revelation). Then the anger came and washed over me, waves and waves of it as I saw the breadth and scope of the abuse. Soon though that anger went away and I was then feeling the bargaining phase begin. I started to bargain in my head with ideas that I could in fact create my own privacy with crypto and other OPSEC means. I thought I could just deny the government the data. I soon began to understand though that no matter what I did with the tools out there, it was likely they had already been backdoored. This came to be more than the case once the stories came out around how the NSA had been pressuring all kinds of tech companies to weaken standards or even build full back doors into their products under the guise of “National Security.”
Over time the revelations have all led to the inescapable truth that there is nothing really anyone can do to stop the nation state from mining our communications on a technological level. Once that had fully set in my mind the depression kicked in. Of late I have been more quiet online and more depressed about our current state as well as our future state with regard to surveillance and the cyberwarz. I came to the conclusion that no matter the railing and screaming I might do, it would mean nothing to the rapidly approaching cyberpocalypse of our own creation. ….In short, we can’t stop it and thus the last of the five stages for me has set in. I accept that there is nothing I can do, nay, nothing “we” can do to stop this short of a bloody coup on the government at large.
I now luxuriate in my apathy and were I to really care any more I would lose my fucking mind.
OPSEC! OPSEC! OPSEC!
Speaking of losing one’s mind.. Lately people all have been yelling that OPSEC is the only way! One (the grugq) has been touting this and all kinds of counterintelligence as the panacea for the masses on these issues. Well, why? Why should we all have to be spies to just have a little privacy in our lives huh? I mean it’s one thing to be a shithead and just share every fucking stupid idea you have on FriendFace and Tweeter but really, if you can’t shut yourself up that is your problem right? No, I speak of the everyday email to your mom telling her about your health status or maybe your decision to come out etc. Why should the government have eminent domain digitally to look at all that shit now or later?
If you take measures to protect these transactions and those measures are already compromised by the government why then should you even attempt to protect them with overburdened measures such as OPSEC huh? I mean, really if you are that worried about that shit then go talk to someone personally huh? I know, quite the defeatist attitude I have there huh? The reality is that even though I claim not to be caring about it (re: apathy above) I actually do but I realize that we no longer have privacy even if we try to create it for ourselves with technical means. If the gov wants to see your shit they will make a way to do so without your knowing about it. I fully expect someday that they will just claim eminent domain over the internet completely.
Fuck OPSEC.. I want my government to do the right thing and not try to hide all their skirting of the law by making it classified and sending me an NSL that threatens to put me in jail for breaking the law.
Fuck this shit.
CYBERWARZ
Then we have the CYBERWARZ!! Oh yeah, the gubment, the military, and the private sector all have the CYBERWARZ fever. I cannot tell you how sick of that bullshit I am really. I am tired of all the hype and misdirection. Let me clear this up for you all right here and right now. THERE IS NO CYBERWAR! There is only snake oil and espionage. UNTIL such time as there is a full out kinetic war going on where systems have been destroyed or compromised just before tanks roll in or nukes hit us, there is no cyberwar to speak of. There is only TALK OF cyber war.. Well, more like masturbatory fantasies by the likes of Bejtlich et al in reality. So back the fuck off of this shit mmkay? We do not live in the world of William Gibson and NO you are not Johnny Mnemonic ok!
Sick. And. Tired.
I really feel like that Shatner skit where he tells the Trekkies to get a life…
Awaiting the DERPOCALYPSE
All that is left for us all now is the DERPOCALYPSE. This is the end state of INFOSEC to me. We are all going to be co-opted into the cyberwarz and the privacy wars and none of us have a snowball’s chance in hell of doing anything productive with our lives. Some of us are breaking things because we love it. Others are trying to protect “ALL THE THINGS” from the breakers and the people who take their ideas and technologies and begin breaking all those things. It’s a vicious cycle of derp that really has no end. It’s an ouroboros of fail.
RAGE! RAGE! AGAINST THE DYING OF THE PRIVACY! is a nice sentiment but in reality we have no way to completely stop the juggernaut of the NSA and the government, kids. We are all just pawns in a larger geopolitical game and we have to accept this. If we choose not to, and many have, then I suggest you gird your loins for the inevitable kick in the balls that you will receive from the government eventually. The same applies for all those companies out there aiding the government in their quest for the panopticon or the cyberwarz. Money talks and there is so much of it in this industry now that there is little to stop its abuse as well.
We are well and truly fucked.
So, if you too are feeling burned out by all of this take heart gentle reader. All you need do is just not care anymore. Come, join me in the pool of acceptance. Would you care for a lotus blossom perhaps? It’s all good once you have accepted the truth that there is nothing you can do and that if you do things that might secure you then you are now more of a target. So, do nothing…
Derp.
K.
Malware Wars!… Cyber-Wars!.. Cyber-Espionage-Wars! OH MY
Flame, DuQU, STUXNET, and now GAUSS:
Well, it was bound to happen and it finally did: a third variant of malware that is ostensibly connected to the story that Mikko Hypponen posted about, after an email he got from a nuclear scientist in Iran, has come to pass as true. The email claimed that a new piece of malware was playing AC/DC “Thunderstruck” at late hours on systems it had infected within the labs in Iran. I took this with a grain of salt and had some discussions with Mikko about it offline; he confirmed that the email came ostensibly from a known quantity in the AEOI and we left it at that, it’s unsubstantiated. Lo and behold, a week or two later and here we are with Eugene tweeting to the world that “GAUSS” is out there and has been since about 2011.
Gauss it seems has many functions and some of them are still unknown because there is encryption around the payload that has yet to be cracked by anyone. Eugene has asked for a crowd sourced solution to that and I am sure that eventually someone will come out with the key and we will once again peer into the mind of these coders with a penchant for science and celestial mechanics. It seems from the data provided thus far from the reverse engineering R&D that it is indeed the same folks doing the work with the same framework and foibles, and thus, it is again easily tied back to the US and Israel (allegedly, per the mouthiness of Joe F-Bomb Veep) and that it is once again a weapon against the whole of the Middle East with a decided targeting of Lebanon this time around. Which is an interesting target all the more since there has been some interesting financial news of late concerning banks and terror funding, but I digress…
I am sure many of you out there are already familiar with the technology of the malware so I am leaving all of that out here for perhaps another day. No, what I want to talk about is the larger paradigm here concerning the sandbox, espionage, warfare, and the infamous if not poorly named “CyberWar” going on as it becomes more and more apparent in scope. All of which seems to be centered on using massive malware schemes to hoover data as well as pull the trigger when necessary on periodic digital attacks on infrastructure. Something that truly had not been seen before Stuxnet and seems to only have geometrically progressed since Langner et al let the cat out of the bag on it.
Malware Wars:
Generally, in the information security sector, when I explain the prevalence of malware today I often go back to the beginning with the Morris worm. I explain the nature of early viruses and how they were rather playful. I also explain that once the digital crime area became profitable and firewalls became a standard appliance in the network environment, the bad actors had to pivot to tunneling their data from the inside out, home through such things as a firewall. This always seems to make sense to those I explain it to and today it is the norm. Malware, and the use of zero days as well as SE exploits to get the user to install software, is the way to go. It’s a form of digital judo really, using the opponent’s strength against them by finding their fulcrum weakness.
And so, it was only natural that the espionage groups of the world would turn to malware as the main means of gaining access to information that usually would take a human asset and a lot of time. By leveraging human nature and software flaws it has been a big win for some time now. I was actually amused that Henry Crumpton in the “Art of Intelligence” talks about how the CIA became a very early adopter of the network centric style of warfare. I imagine that some of the early malware out there used by spooks to steal from unprotected networks was CIA in origin and in fact that today’s Gauss probably has some relatives out there we have yet to see by people who have been doing this for some time now and we, the general public had no idea.
Times change though, and it seems that Eugene’s infrastructure for collecting data is creating a very wide dragnet for his people to find these infections and then reverse them. As we move forward expect to see more of these pop up, and surely soon these will not just be US/UK/IL based attempts. Soon I think we will see the outsourced and insourced products of the likes of Iran and other nation states.. Perhaps we already have seen them; well, people like Mikko and Eugene may have at least. Who knows, maybe someday I will find something rooting about my network huh? Suffice to say, this is just the beginning folks so get used to it.. And get used to seeing Eugene’s face and name popping up all over the place as well.. Superior showman that he is.
An Interesting Week of News About Lebanon and Bankers:
Meanwhile, I think it very telling and interesting, as we see the scope of these malware attacks opening up, that not only one or two countries were targeted, but pretty much the whole of the Middle East as well. Seems it’s an equal opportunity thing; of course the malware never can quite be trusted to stay within the network or systems that it was meant for, can it? There will always be spillage and potential for leaks that might tip off the opposition that it’s there. In the case of Gauss, it seems to have been targeted more at Lebanon, but it may have been just one state out of a few it was really meant for. In the case of Lebanon though, and the fact that this piece of malware was also set to steal banking data from that area, one has to look on in wonder about the recent events surrounding HSBC.
Obviously this module was meant to be used either to just collect intelligence on banking going on or possibly as a means to leverage those accounts in ways as yet undetermined by the rest of us. Only the makers and operators really know what the intent was there, but one can extrapolate a bit. As terror finances go, the Middle East is the hotbed, so any intelligence on movement of money could be used in that light just as well as in other ways to track the finances of criminal, geopolitical, and economic decisions being made there. Whether it be corporations or governmental bodies, this kind of intelligence would be highly prized and I can see why they would install that feature in Gauss.
All of this though, so close to the revelations of HSBC, has me thinking about what else we might see coming down the pike soon on this front as well. Cut off the funding activities, and you make it much harder to conduct terrorism huh? Keep your eyes open.. You may see some interesting things happening soon, especially given that Gauss is out of the bag now too. Operations will likely have to roll up a bit quicker.
Espionage vs. Sabotage vs. Overt Warfare of Cyber-Warfare:
Recently I have been working on some presentation stuff with someone on the whole cyberwar paradigm and this week just blew the lid off the whole debate again for me. The question as well as the rancor I have over the term “Cyberwar” has been going on some time now and in this instance as well as Stuxnet and Flame and DuQu, can we term it as cyberwar? Is this instead solely espionage? What about the elements of sabotage we saw in Stuxnet that caused actual kinetic reactions? Is that cyberwar? If there is no real war declared what do you term it other than sabotage within the confines of espionage and statecraft?
Then there is the whole issue of the use of “Cold War” to describe the whole effect of these operations. Now we have a possible cold war between those states like Iran who are now coding their own malware to attack our systems and to sabotage things to make our lives harder. Is that a war? A type of war? All of these questions are being bandied about all the while we are obviously prosecuting said war in theater as I write this. I personally am at a loss to say exactly what it is or what to term it really. Neither does the DoD at this point as they are still working on doctrine to put out there for the warriors to follow. Is there a need for prosecuting this war? It would seem that the US and others working with them seem to think so. I for one can understand the desire to and the hubris to actually do it.
Hubris though, has a funny way of coming back on you in spectacular blowback. This is my greatest fear and seemingly others’; however, we still have a country and a government that is flailing about *cough the Senate cough* unable to do anything constructive to protect our own infrastructure even at a low level. So, I would think twice about the scenarios of actually leaking statements of “we did it” so quickly, even if you perceive that the opposition has no current ability to strike back.. Cuz soon enough they will. It certainly won’t be a grand scale attack on our grid or telco when it does happen, but we will likely see pockets of trouble and Iran or others will pop up with a smile, waving, and saying “HA HA!” when it does occur.
The Sandbox and The Wars We Are Prosecuting There by Malware Proxy:
Back to the Middle East though… We have been entrenched in there for so so long. Growing up I regularly watched the news reports about Lebanon and Israel, Iran and the hostages, Iraq, Saddam, Russian proxy wars via terrorism, Ghadaffi and his ambitions as well as terror plots (which also hit close to home with the Lockerbie bombing). You kids today might think this is all new, but let me tell you, this has been going on for a long long time. One might even say thousands of years (Mecca anyone? Crusades?). So, it’s little wonder then that this would all be focused on the Med.
We are conducting proxy wars not only because of 9/11 but also economic and energy reasons as well. You want a good taste of that? Take a look at “Three Days of the Condor” a movie about a fictional “reader” for the CIA who stumbles on to a plan to disrupt governments in the Middle East to affect oil prices and access. For every person that said the Iraq war and Afghanistan wasn’t about oil, I say to them look at the bigger picture. There are echoes there of control and access that you cannot ignore. Frankly, if there wasn’t oil and money in the region, I think we would have quite a different story to look on as regards our implementing our forces there.
So, with that in mind, and with terrorism and nuclear ambitions (Iran) look at the malware targeting going on. Look at all of the nascent “Arab Springs” going on (albeit really, these are not springs, these are uprisings) we have peoples who want not to live under oppressive regimes not just because they aren’t free to buy an iPhone or surf porn, but they are also oppressed tribes or sects that no longer wish to be abused. All of this though, all of the fighting and insurgency upsets the very delicate balance that is the Middle East. Something that we in the US for our part, have been trying to cultivate (stability) even if that stability came from another strongman that we really don’t care for, but, who will work with us in trade and positional relevance to other states.
In goes the malware.. Not only to see what’s going on, but also to stop things from happening. These areas can be notoriously hard to have HUMINT in and it’s just easier to send in malware and rely on human nature to get a larger boon in intelligence than to try and recruit people to spy. It’s as simple as that. Hear that sucking sound? That’s all their data going to a server in Virginia. In the eyes of the services and the government, this is clearly the right means to the ends they desire.
We Have Many Tigers by The Tail and I Expect Blowback:
Like I said before though, blowback has a nasty habit of boomeranging and here we have multiple states to deal with. Sure, not all of them have the ability to strike back at us in kind, but, as you have seen in Bulgaria, the Iranians just decided to go with their usual Hezbollah proxy war of terrorism. Others may do the same, or they may bide their time and start hiring coders on the internet. Maybe they will hire out of Russia, or China perhaps. Hell, it’s all for sale now on the net right? The problem overall is that since we claimed the Iran attack at Natanz, we are now not only the big boy on the block, we are now the go-to to be blamed for anything. Even if we say we didn’t do it, who’s gonna really believe us?
The cyber-genie is out of the cyber-bottle.
Then, this week we saw something new occur. A PSYOP, albeit a bad one, was perpetrated by the Assad regime it seems. Reuters was hacked and stories tweeted/placed on the net about how the rebel forces in Aleppo had cut and run. It was an interesting idea, but, it was ineffective for a number of reasons. The crux though is that Reuters saw it and immediately said it was false. So, no one really believed the stories. However, a more subtle approach at PSYOPS or DISINFO campaigns is likely in the offing for the near future I’d think. Surely we have been doing this for a while against them, whether it be in the news cycles or more subtle sock puppets online in social media sites like Twitter or Facebook. The US has been doing this for a long time and is well practiced. Syria though, not so much.
I have mentioned the other events above, but here are some links to stories for you to read up on it…
- PSYOPS Operations by the nascent Syrian cyber warfare units on Reuters
- Hezbollah’s attack in Bulgaria (bus bombing) in response to STUXNET and other machinations
- Ostensible output of INTEL from Gauss that may have gotten HSBC in trouble and others to come (Terrorism funding and money laundering)
All in all though, I’d have to say that once the players become more sophisticated, we may in fact see some attacks against us that work. Albeit those attacks will not be the “Cyber Pearl Harbor” that Dr. Cyberlove would like you to be afraid of. Politically too, there will be blowback from the Middle East now. I am sure that even after the Wikileaks cable dump, the governments of the Med thought at least they could foresee what the US was up to and have a modicum of statecraft occur. Now though, I think we have pissed in the pool a bit too much, and we will only have ourselves to blame when the shit hits the fan and we don’t have that many friends left to rely on.
It’s a delicate balance.. #shutupeugene
Pandora’s Box Has Been Opened:
In the end, we have opened Pandora’s box and there is no way to get that which has escaped back into it. We have given the weapon framework away due to the nature of the carrier. Even if Gauss is encrypted, it will be broken, and then what? Unlike traditional weapons that destroy themselves, the malware we have sent can be easily reverse engineered. It will give ideas to those wishing to create better versions, and they will be turned on us in targeted and broad fashion to wreak as much digital havoc as possible. Unfortunately, you and I, my friends, are the collateral damage here, as we all depend on the systems that these types of malware insert themselves into and manipulate.
It is certainly evident, as I stated above, that our government here in the US is unable to come up with reasonable means to protect our systems. Systems that they do not own; Hell, the internet itself is not a government run or owned entity either, and yet they want to have an executive ability to shut it down? This alone shows you the problem with their thinking. They then decide to open the box and release the malware genie anyway… It’s all kind of scary when you think about it. If this is hard to conceive, let’s put it in terms of biological weapons, weapon systems that have been banned since Nixon was in office.
The allusion should be quite easy to understand, especially since malware was originally termed “virus”; there is a direct analogy there. Anyway, here’s the crux of it all. Just like bioweapons, digital “bioware,” for lack of a better term, also cannot be controlled once let into the environment. Things mutate, whether at the hand of people or systems, and things will not be contained within the intended victims. They will escape (as did all the malware we have seen) and will tend to have unforeseen consequences. God forbid we start really working on polymorphics again, huh? If the circumstances are right, then we could have a problem.
Will we eventually have to have another treaty ban on malware of this kind?
Time will tell.. Until then, we all will just be along for the cyberwar ride I guess. We seem to be steadily marching toward the “cyberwar” everyone is talking about… determined really to prosecute it… But will it get us anywhere?
K.
The Subtle Art of OSINT
Recently, I have been barraged with requests about how OSINT works and how to actually carry out the work after talking about it on Cloak & Swagger. This post is a response on the tenets of the discipline as well as a basic how to. You all can download the documents I link to here as well as go out and locate tools such as Maltego (by Paterva) and attempt to use the precepts/tools to do your own OSINT gathering and analysis.
Many of you out there who read me may in fact do this every day. For you guys, well, hang in there… Maybe check out the dox I linked, because you may not have seen them before.
Otherwise, enjoy…
OSINT: Open Source Intelligence
OSINT is the acronym for Open Source Intelligence, and it has been gaining steady prominence in the internet age due to the ease of access to all kinds of information via the net.
Open-source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. In the intelligence community (IC), the term “open” refers to overt, publicly available sources (as opposed to covert or classified sources); it is not related to open-source software or public intelligence.
From Wikipedia
The use of OSINT has grown within the private sector, and it has been a mainstay of the military and the intelligence services for years. Earlier on, these sources of information were culled and combed through by the likes of Langley; now the same can easily be done by the likes of you and me with a few tools on the web or applications installed on your machines at home. The key though to the whole process of OSINT is that it is a subtle art that needs its other half to be of real value to anyone. That other half of the picture is “analysis,” which is key to making assessments of the data you get from the open sources you are looking at.
Today it is common to see corporations using OSINT but perhaps calling it “competitive intelligence.” Still, the processes are OSINT much of the time. By researching various sources online and in the media, one can gain quite a bit of intelligence on a subject and be able to extrapolate a lot about what a company, individual, group, or country is up to and maybe where they are headed. Much of this type of data gathering (harvesting) is now also tied to predictive analysis engines online (such as Silo.com or basistech etc.) that ostensibly can “predict future actions,” as they claim. However, the base idea of OSINT is to gather open source information and then analyse it to generate reports on subjects…
Such analysis can also lead to predictive behaviour analysis and forecasts. It all depends on your goals as the analyst really.
Intelligence Analysis and Bias
Before delving into tools and methods, it is important to cover the “analysis” part of the picture. Much of the time the data that you are gathering as an OSINT analyst can be confusing or perhaps even disinformation. One must be able to weed through facts, comments, data, and others’ analysis (the news cycle), then take all of what you have gathered and sift it for the core data you seek. Raw data has to be parsed, and you, as the analyst, must judge what is true and what is not, as well as decide on the weights of the sources.
A key to this is not to be biased in your thinking when performing an OSINT analysis. An example of this may be something like looking at a Fox News report and taking it at face value. As we all pretty much know, Fox is not known for stellar reporting nor for an unbiased approach to “news.” However, there may in fact be core kernels of data within their reporting that are true. At the very least, the compare and contrast model has to be used, and sources weighed, as you collect data to create a whole picture of a subject. It was the “group think” issue that got the US into trouble within intelligence circles during the Bush presidency with regard to the WHIG (White House Iraq Group). It was a small cabal of like-minded analysts, under the direction of Dick Cheney, that led us quite astray on the topic of Saddam and CBRN materials.
It is important to conduct OSINT, and the analysis of the information you get from the collection, in a broad-minded way and not get too stove-piped in your thinking. If you do, the intel that you generate will likely be incorrect.
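Here is what “weighing the sources” looks like once you write it down. This is an added example of mine, not code from the original post: the reliability numbers per source are hand-assigned assumptions, the reports are constructed, and the combination rule is a deliberately simple estimate rather than any IC standard. The point it makes is the one the post makes about RSS copies and cut-and-pastes: a claim repeated by four outlets that all trace back to one wire story has one origin, not four, and if you count the copies you inflate your confidence.

```python
"""Weighing sources and counting corroboration (added example, not from the original post).

Reliability weights are hand-assigned by the analyst (assumption: a number in [0, 1]),
and the reports below are constructed. The combination rule, 1 - prod(1 - w), is a
deliberately simple "at least one origin got it right" estimate, not an IC standard.
"""

# Hypothetical reliability per source, set by the analyst. Adjust to taste.
SOURCE_RELIABILITY = {
    "wire_service": 0.8,
    "cable_news": 0.4,
    "syndicated_blog": 0.3,
    "anon_forum": 0.2,
}

# Constructed reports. derived_from names the report this one copied or re-posted
# (an RSS re-feed, a cut-and-paste, a TV segment reading a wire story).
REPORTS = [
    {"id": "r1", "source": "wire_service",    "claim": "handle_belongs_to_subject", "derived_from": None},
    {"id": "r2", "source": "cable_news",      "claim": "handle_belongs_to_subject", "derived_from": "r1"},
    {"id": "r3", "source": "syndicated_blog", "claim": "handle_belongs_to_subject", "derived_from": "r2"},
    {"id": "r4", "source": "anon_forum",      "claim": "handle_belongs_to_subject", "derived_from": None},
    {"id": "r5", "source": "anon_forum",      "claim": "subject_located_in_city",   "derived_from": None},
]


def root_report(by_id, report_id):
    """Follow derived_from links back to the original reporting."""
    seen = set()
    current = report_id
    while by_id[current]["derived_from"] is not None:
        if current in seen:
            raise ValueError(f"derived_from cycle at {current}")
        seen.add(current)
        current = by_id[current]["derived_from"]
    return current


def independent_origins(reports, claim):
    """Report ids that are genuine origins for the claim, with copies collapsed."""
    by_id = {r["id"]: r for r in reports}
    return {root_report(by_id, r["id"]) for r in reports if r["claim"] == claim}


def combine(weights):
    """Chance that at least one source is right, treating sources as independent."""
    p_all_wrong = 1.0
    for w in weights:
        p_all_wrong *= 1.0 - w
    return 1.0 - p_all_wrong


def corroboration_score(reports, claim, reliability=SOURCE_RELIABILITY, dedupe=True):
    """Score a claim; dedupe=False shows how counting copies inflates confidence."""
    by_id = {r["id"]: r for r in reports}
    if dedupe:
        ids = independent_origins(reports, claim)
    else:
        ids = {r["id"] for r in reports if r["claim"] == claim}
    return combine(reliability[by_id[i]["source"]] for i in ids)


def single_source_claims(reports):
    """Claims resting on a single origin: the ones to go back and verify first."""
    claims = {r["claim"] for r in reports}
    return sorted(c for c in claims if len(independent_origins(reports, c)) == 1)


if __name__ == "__main__":
    for claim in sorted({r["claim"] for r in REPORTS}):
        print(f"{claim}: origins={sorted(independent_origins(REPORTS, claim))} "
              f"score={corroboration_score(REPORTS, claim):.2f} "
              f"naive={corroboration_score(REPORTS, claim, dedupe=False):.2f}")
    print("single-source:", single_source_claims(REPORTS))
```

On the constructed data the deduplicated score for the first claim is 0.84 against a naive 0.93, and the second claim is flagged as single-source. The independence assumption in combine() is itself a bias to watch: two “independent” origins that both got their story from the same unnamed official are still one origin.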
Unravelling The Strands and Yanking
Much of the OSINT that I personally have been carrying out has been around persons of interest and not so much about governments. However, the “persons of interest” may in fact be part of a larger movement or group that could be equivalent to a government or a company in reality, so the macro and the micro are interconnected when doing this kind of work. Primarily, one has to be able to take a lot of data, sort it, mill it down, and then extrapolate the connections between people as well as motives, etc.
Sometimes it is even necessary for the analyst to interact with the subjects in certain ways to confirm data. This means that the process is not a passive one; the analyst must also be aware of and able to interact with subjects. Think of the process overall as akin to being a reporter or a detective. You have to follow the clues, ask questions, and generally keep a log of everything to extrapolate from later on. It is also key that, like any good detective or reporter, you verify your sources and data.
It’s also easy to get lost in the data. So be aware when you are getting into the mindset of not seeing the forest for the trees, so to speak…
Tools of The Trade
Google:
Much OSINT today can be gathered with something as simple as a Google search. However, to leverage everything you can out of Google, one has to become adept at “Google hacking” (i.e. search operators and strings that get you much more granular results). There are books on the subject out there you can buy, but here are some basic strings that may be of help. Note that the site: operator takes a bare domain suffix and each alternative needs its own site:, and that Google ignores most punctuation, so inurl:/FOUO/ is just inurl:FOUO and a classification marking like //SIGINT is just SIGINT.
- site:gov | site:mil inurl:FOUO filetype:pdf
- site:mil | site:gov “FOUO” filetype:pdf
- site:mil | site:gov FOUO filetype:pdf
- site:mil | site:gov SIGINT filetype:pdf
- Filetypes can be just about anything: filetype:xls, filetype:pdf, filetype:txt, etc.
Etc., etc… You get the picture. You use the search operators and go right after what you want. Of course, for most pentesters this is also what you would use on any given domain you are attacking to see what flaws there are or what documents are available to give you the in to their systems. In the case of something like user IDs or screen names it becomes a matter of doing concentric Google searches for the value you want.
- Googling just a user name to start: “TNT_ON” for example
- site:alfajr.com “TNT_ON” (no space after site:, or the operator is ignored)
- “TNT_ON@hotmail.com” if you have the address
Alternatively, you can also use Google Alerts. This will perform keyword searches and email you the results when the crawler locates them. This is handy when it comes right to you and you need not go searching for subjects (I have one set up for LIGATT), and thus I keep on top of things this way. All of this is probably within your repertoire already if you use Google regularly. The same types of strings apply not only to keywords; you can put whole sentences in (as if you were looking into some plagiarism), and Google will often spit out results where cut-and-pastes of articles have been put out there by others, or in fact just RSS copied into feeds on other pages. By refining your searches, you can narrow down quite a bit and winnow out the real data you want using Google.
The Wayback Machine:
Sometimes you run into searches that turn up sites that are archived online at Google (cache), but often sites that are no longer online are in fact archived by the likes of the Wayback Machine. This site has been really helpful lately for sites that were around circa 2001 but have since been taken down by people who did not want their data out there any more. I recommend using this site to attempt to find the content if it is not online presently. You may in fact hit paydirt.
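Clicking around the Wayback Machine works for one site; for a list of dead domains you want its CDX index, which lists every capture of a URL. The following is an added example of mine, not from the original post: it builds the CDX query, parses the JSON rows the index returns, and picks out the first and last capture plus the snapshot URL to pull. The CDX response embedded below is constructed, not a real capture; only fetch_snapshots() touches the network.

```python
"""Query and parse the Wayback Machine CDX index (added example, not from the original post).

The CDX endpoint, field names and the id_ snapshot flag are the public Wayback API;
SAMPLE_CDX is a constructed response so the example runs offline.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"


def cdx_query_url(target, from_year=None, to_year=None, limit=500):
    """Build a CDX query: JSON output, 200s only, one row per distinct content digest."""
    params = {
        "url": target,
        "output": "json",
        "fl": "timestamp,original,statuscode,mimetype,digest",
        "filter": "statuscode:200",
        "collapse": "digest",
        "limit": str(limit),
    }
    if from_year:
        params["from"] = str(from_year)
    if to_year:
        params["to"] = str(to_year)
    return CDX_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_cdx_json(text):
    """CDX JSON is a header row followed by data rows; turn each row into a dict."""
    rows = json.loads(text)
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]


def snapshot_url(timestamp, original, raw=True):
    """URL of one capture; the id_ flag returns the archived bytes without the Wayback toolbar."""
    flag = "id_" if raw else ""
    return f"https://web.archive.org/web/{timestamp}{flag}/{original}"


def capture_date(timestamp):
    """CDX timestamps are YYYYMMDDhhmmss."""
    return datetime.strptime(timestamp, "%Y%m%d%H%M%S")


def earliest_and_latest(snapshots):
    """Oldest and newest capture: the first shows what the site started as, the last what it ended as."""
    if not snapshots:
        return None
    ordered = sorted(snapshots, key=lambda s: s["timestamp"])
    return ordered[0], ordered[-1]


def fetch_snapshots(target, **kwargs):
    """Live lookup (network). Everything else in this file runs on the sample below."""
    with urllib.request.urlopen(cdx_query_url(target, **kwargs), timeout=30) as resp:
        return parse_cdx_json(resp.read().decode("utf-8"))


# Constructed CDX response for illustration; not a real archive listing.
SAMPLE_CDX = json.dumps([
    ["timestamp", "original", "statuscode", "mimetype", "digest"],
    ["20010412083011", "http://example.com/", "200", "text/html", "DIGEST1"],
    ["20030905121500", "http://example.com/about.html", "200", "text/html", "DIGEST2"],
    ["20010218000000", "http://example.com/", "200", "text/html", "DIGEST3"],
])


if __name__ == "__main__":
    print(cdx_query_url("example.com", from_year=2001, to_year=2005))
    first, last = earliest_and_latest(parse_cdx_json(SAMPLE_CDX))
    print("first capture:", capture_date(first["timestamp"]).date(), snapshot_url(first["timestamp"], first["original"]))
    print("last capture: ", capture_date(last["timestamp"]).date(), snapshot_url(last["timestamp"], last["original"]))
```

Use the wildcard form of the url parameter (example.com/*) to list every page the archive holds under a domain rather than just the front page, and keep the digest column: two captures with the same digest are the same content, so collapsing on it is what keeps a long-lived site from producing thousands of identical rows.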
Social Media Search Tools:
Twitter, Facebook, Tumblr, etc. are all great sources of information, as people put a lot of stuff out there that they likely shouldn’t. This includes governments and companies as well. News sources also fall into this category, so the sites listed below grab all those from search engines like Google, perform keyword searches, and then aggregate the data for you, often in graphical formats.
- Silobreaker.com
- recordedfuture.com
- PasteLert.com
- Socialmention.com
- addictomatic.com
- whostalking.com
- kurrently.com
- SamePoint.com
- newsnow.co.uk
WHOIS and other Tools … ROBTEX
Today it is easy to try to obfuscate who you are if you own a domain and don’t want people to know who really owns it. This privacy shield though is sometimes an afterthought, if used at all, so one can gain a great deal of information about a target, or a piece of the puzzle, by looking at the domain data. Many engines and sites exist out there, and I would just Google around for the ones you like. Some of them are meta engines and will give you a lot of relational data to boot. One such site is Robtex.
Robtex is nice because it gives you a lot of info about the domain, the IP it sits on, the domain owner data, as well as things like what other domains reside on the same server space.
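The two pivots Robtex gives you can be done by hand as well, and it is worth seeing what they actually are. This is an added example of mine, not from the original post or from Robtex: it parses a WHOIS-style record into fields, flags a privacy-proxy registrant, and groups resolved domains by IP address to find what else sits on the same host. The WHOIS text and the DNS answers are constructed (documentation address ranges), so it runs offline; resolve_live() is the only part that touches the network.

```python
"""Pivoting on registration and hosting data (added example, not from the original post).

SAMPLE_WHOIS and SAMPLE_DNS are constructed; the privacy markers are a starter list,
not an exhaustive one.
"""
import re
import socket
from collections import defaultdict

# Strings that commonly appear in a proxied/redacted registrant block (assumption: extend as you meet more).
PRIVACY_MARKERS = ("privacy", "proxy", "whoisguard", "redacted", "domains by proxy")

# Constructed WHOIS output in the usual "Key: value" style.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.COM
Registrar: Example Registrar, LLC
Creation Date: 2009-03-14T12:00:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Protect Service
Registrant Email: abuse@privacy-protect.example
Name Server: NS1.HOSTCO.EXAMPLE
Name Server: NS2.HOSTCO.EXAMPLE
>>> Last update of WHOIS database: 2012-08-01T00:00:00Z <<<
"""

# Constructed A-record answers: domain -> IPs. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_DNS = {
    "example-target.com": ["203.0.113.10"],
    "other-site.example": ["203.0.113.10"],
    "unrelated.example": ["198.51.100.7"],
    "cdn-front.example": ["203.0.113.10", "203.0.113.11"],
}

KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; repeated keys (Name Server) become lists."""
    fields = {}
    for line in text.splitlines():
        match = KEY_VALUE.match(line)
        if not match:
            continue  # banners, '>>>' notices and blank lines
        key, value = match.group(1).strip().lower(), match.group(2)
        if key in fields:
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            fields[key].append(value)
        else:
            fields[key] = value
    return fields


def is_privacy_shielded(fields):
    """True if any registrant field looks like a proxy service rather than a person."""
    values = [v for k, v in fields.items() if k.startswith("registrant")]
    blob = " ".join(v if isinstance(v, str) else " ".join(v) for v in values).lower()
    return any(marker in blob for marker in PRIVACY_MARKERS)


def nameservers(fields):
    """Name servers, normalised; a second pivot (who else uses this DNS provider?)."""
    ns = fields.get("name server", [])
    return sorted(n.lower() for n in ([ns] if isinstance(ns, str) else ns))


def index_by_ip(dns_answers):
    """Reverse the domain -> IPs map into IP -> domains."""
    by_ip = defaultdict(set)
    for domain, ips in dns_answers.items():
        for ip in ips:
            by_ip[ip].add(domain)
    return by_ip


def cohosted(dns_answers, domain):
    """Domains sharing at least one IP with `domain` (the Robtex-style neighbour pivot)."""
    by_ip = index_by_ip(dns_answers)
    neighbours = set()
    for ip in dns_answers.get(domain, []):
        neighbours |= by_ip[ip]
    neighbours.discard(domain)
    return sorted(neighbours)


def resolve_live(domains):
    """Network lookup producing the same shape as SAMPLE_DNS; unresolvable names get an empty list."""
    answers = {}
    for d in domains:
        try:
            answers[d] = socket.gethostbyname_ex(d)[2]
        except socket.gaierror:
            answers[d] = []
    return answers


if __name__ == "__main__":
    fields = parse_whois(SAMPLE_WHOIS)
    print("registrar:", fields["registrar"], "| shielded:", is_privacy_shielded(fields), "| ns:", nameservers(fields))
    print("co-hosted with example-target.com:", cohosted(SAMPLE_DNS, "example-target.com"))
```

The caveat a practitioner wants here: a shared IP is a lead, not an attribution. Cheap shared hosting and CDNs put thousands of unrelated sites on one address, so a co-hosted neighbour only becomes interesting when something else (the same name servers, the same registrant email, the same creation date) lines up with it. Treat a privacy-shielded registrant the same way: the shield tells you the owner cared, and historical WHOIS snapshots from before it was applied are often where the real name turns up.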
InfoSniper
Infosniper is a “geolocational” search engine for IP addresses and domains. This will give you a graphical picture of where a server supposedly resides physically. It ties into Google Maps and comes in handy if you are seeking to pin down the location of a server in case, say, someone wants to serve a warrant on it. This becomes key in such things as terrorist investigations where jurisdiction is a matter of concern (US vs EU etc.). Bear in mind that IP geolocation is only as good as the registration and routing data behind it; it frequently places an address at the network operator’s office or a hosting provider’s data centre rather than at the actual box, so treat the pin on the map as a lead to confirm against WHOIS and a traceroute, not as a fact.
Maltego:
This is the big boy of the tool kits as far as I am concerned. Maltego, by Paterva, is a meta search engine and graphical/relational database tool that I use on a daily basis. Of course, in some ways I am using Maltego kind of unconventionally, but this, like I said, is the Swiss army knife of data collection and OSINT. With transforms being created every day, you get a plethora of data that can be sifted and winnowed down to a usable product.
I suggest anyone who wants to do OSINT get a copy of the CE (Community Edition) client and work with it. Read the tutorials and be creative in your searches. *HINT* just by using the “phrase” search capability, you get a lot of hits that you can then focus in on. By removing extraneous data from the map, you can keep the data tight and avoid a messy map. It is a process of using your brain, though, to delineate good from bad data, and that takes some investigation and some guesswork at times.
Maltego and “Relational Mapping”: One of the nice things about Maltego is that it does a “weight-based” mapping of data points. This allows you to look at the map (like the one at the top of this page) and see the connections between data points (or in the case above, users) so you can easily see who talks to whom, and what data is related to other data. This is something to get used to and to leverage heavily in OSINT. Often you are looking for “connections” between disparate data, and this is a key thing in, say, looking at terrorists and who they talk to.
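To make “weight-based mapping” concrete, here is the bare mechanism underneath a who-talks-to-whom map, as an added example of mine rather than anything from Paterva or the original post. It takes a constructed set of messages with @mentions (the handles are invented), builds an undirected graph whose edge weight is the number of messages between a pair, ranks handles by total weight, finds the chain of intermediaries between two handles, and prunes weak edges the way you would thin out a cluttered Maltego map. Standard library only.

```python
"""Weighted relational map of who talks to whom (added example, not from the original post).

Messages and handles are constructed. Weight = number of messages linking a pair.
"""
import re
from collections import Counter, defaultdict, deque

MENTION = re.compile(r"@([A-Za-z0-9_]{1,15})")

# Constructed messages: (author, text). Not real posts.
MESSAGES = [
    ("alpha_7", "@bravo_k did you see the new post? @bravo_k"),
    ("bravo_k", "@alpha_7 yes, forwarding to @courier99"),
    ("courier99", "@bravo_k received"),
    ("alpha_7", "@bravo_k call me"),
    ("rando", "@newsbot lol"),
    ("courier99", "@moneyman invoice attached"),
]


def build_graph(messages):
    """Undirected weighted edges keyed by frozenset({a, b}); one increment per message per pair."""
    weights = Counter()
    for author, text in messages:
        author = author.lower()
        for handle in set(MENTION.findall(text)):  # set(): two mentions in one message count once
            handle = handle.lower()
            if handle != author:  # ignore people quoting themselves
                weights[frozenset((author, handle))] += 1
    return weights


def adjacency(weights):
    """Edge list -> node -> {neighbour: weight} for traversal."""
    adj = defaultdict(dict)
    for pair, w in weights.items():
        a, b = tuple(pair)
        adj[a][b] = w
        adj[b][a] = w
    return adj


def strength(weights):
    """Sum of edge weights per node: the hubs in the conversation."""
    totals = Counter()
    for pair, w in weights.items():
        for node in pair:
            totals[node] += w
    return totals


def shortest_path(adj, src, dst):
    """BFS over the link graph: the chain of intermediaries between two handles, or None."""
    if src == dst:
        return [src]
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, {}):
            if nxt in prev:
                continue
            prev[nxt] = node
            if nxt == dst:
                path = [dst]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def prune(weights, min_weight):
    """Drop edges below a threshold to keep the map readable."""
    return Counter({pair: w for pair, w in weights.items() if w >= min_weight})


if __name__ == "__main__":
    graph = build_graph(MESSAGES)
    for pair, w in sorted(graph.items(), key=lambda kv: -kv[1]):
        print(f"{' <-> '.join(sorted(pair)):28s} weight={w}")
    print("hubs:", strength(graph).most_common(3))
    print("alpha_7 -> moneyman:", shortest_path(adjacency(graph), "alpha_7", "moneyman"))
    print("edges after prune(2):", len(prune(graph, 2)))
```

Two things the graph does not tell you, and which the analysis side has to supply: an @mention is not a relationship (everybody mentions the news account, which is why the rando–newsbot edge gets pruned first), and the undirected edge throws away who initiated. If direction matters for your question, keep a (from, to) tuple as the key instead of a frozenset and the rest of the code is unchanged.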
Paterva “Casefile”
Casefile is a new product by Paterva and is a kind of “Maltego Light” in a way; however, it has one real advantage. It is really a kind of digital whiteboard or “murder board,” as you might call it (à la the police dramas on TV). You can attach names and pictures to create “case files” on entities, and I like this quite a bit. I wish though that they would port it to *nix for those of us not wanting to use Micro$oft. I have yet to really play with this tool, but I plan on implementing it soon to make some nifty case files that can be used in posts or sent on to clients.
Translate.google.com and other Online Translation Services
Today much of the content out there is in languages other than the one you might speak fluently. This is a problem for some, even with the tools out there to translate the media for you. Google does an OK job at most languages, but when you get semantic challenges like Arabic, it gets a little tricky. One has to take what the returned text says loosely and try to interpret the meaning if the translation fails for you. The best thing is to speak the languages in question (unless you are a polyglot, that ain’t easy); otherwise you can rely on these tools to a certain extent.
Remember though, these tools rely on algorithms that do not usually account for slang and the nuances of linguistics, so your mileage will vary greatly.
Paid Services for Public Information
Sometimes you have to pay for data. Yep, it’s true. Search out different sources online and you may be able to get public information for free from some states. However, the one-stop shopper will go to a place like Intelius for data. It can be a bit pricey, but in the end it can also give you data you did not have before to use in further searches and to home in on your target.
There Are Very Few “Schools” for This
Most of all, I wanted to let you all know that this is not something that is taught frequently. Most of the time you will only see this type of analysis, and tutorials about it, in the military sector under IO (Information Operations). This is where I culled many documents and learned the ropes, so to speak.
Much of the subtle art here is taught within the intelligence gathering units of the military or civilian services like the CIA. It is key that you pay attention to the “analysis” portion of this post as well. Analysis is the key factor here; without really paying attention and taking good notes (or making case files and maps) you will only end up with a blob of information that you may in fact misinterpret.
It is also very important that any analyst already have a good grasp of the targets that they are looking into (i.e. if you are looking at Islamic Jihad, then you need to understand the territory, the lingo, the ideals, etc.). Unless you have a basis of knowledge to work from, you will be useless in gathering intelligence, never mind actually developing analysis of what you locate.
All in all, play with the tools and footprint your targets… Then extrapolate what you find into actionable intelligence.
K.