Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Errata’ Category

DEFCON PANEL: Whoever Fights Monsters: Confronting Aaron Barr, Anonymous, and Ourselves Round Up


A week before this year’s DEFCON, I got a message that I was being considered to replace Aaron in the “Confronting Aaron Barr” panel discussion. It was kind of a surprise in some ways, but seemed like a natural choice given my tête-à-tête with Anonymous, LulzSec, and even Mr. Barr. After coming to BlackHat and seeing the keynote from Cofer Black, it became apparent that this year, all of these conferences were about to see a change in the politics of the times with reference to the hacking/security community and the world of espionage and terrorism. These are two things that I have been writing about for some time and have actually seen take place on the internet for more than a few years, with APT attacks on Defense Base contractors and within Jihadist propaganda wars.

“This is a very delicate window into our future,” he told the hackers. “Cold war, global war on terrorism and now you have the code war — which is your war.”

Going into the planning for the panel discussion, I was informed that it was hoped I would be the stand-in for Aaron, in that I too see the world as very grey. Many of my posts on the Lulz and Anonymous, as well as on the state of affairs online, have been from the grey perspective. The fact is, the world is grey. There is no black and white. We all have varying shades of grey within our personalities, and our actions are dictated by the levels to which our moral compasses allow. I would suggest that the best and most used example is that of torture. Torture may or may not actually gain the torturer real intelligence data, and it has been the flavor of the day since 9/11 and the advent of Jack Bauer on “24”. Face it, we all watched the show and we all did a fist pump when Jack tortured the key info out of the bad guy to save the day. The realities of the issue are much more grey (complex) and involve many motivations as well as emotions. The question always comes down to this though:

If you had a terrorist before you who planted a dirty nuke in your city, would you ask him nicely for the data? Give him a cookie and try to bond with him to get the information?

Or, would you start using sharp implements to get him to talk in a more expedient fashion?

We all know in our darkest hearts that had we families and friends in that city we would most likely let things get bloody. Having once decided this, we would have to rationalize for ourselves what we are doing, and the mental calculus would have to be played out in the equation of “The good of the one over the good of the many.” If you are a person who could not perform the acts of torture, then you would have to alternatively resign yourself to the fates, as forever on you will likely be saying “I could have done something.” Just as well, if you do torture the terrorist and you get nothing, you will also likely be saying “What more could I have done? I failed them all” should the bomb go off and mass casualties ensue.

I see both options as viable, but it depends on the person and their willingness to either be black and white or grey.

Within the security community, we now face a paradigm shift that has been coming for some time, but only recently has exploded onto the collective consciousness. We are the new front line on the 5th battlespace. Terrorists, spies, nation states, individuals, corporations, and now ‘collectives’ are all now waging war online. This Black Hat and Defcon have played out in the shadow of Stuxnet, a worm that showed the potential for cyber warfare to break into the real world and cause kinetic attacks with large repercussions, physically and politically. Cofer Black made direct mention of this, and there were two specific talks on SCADA (one being on the SYSTEM7’s that Iran’s attack was predicated on), so we all ‘know’ that this is a new and important change. It used to be all about the data; now it’s all about the data AND the potential for catastrophic consequences if the grid or a gas pipeline is blown up or taken down.

We all will have choices to make and trials to overcome… Cofer was right.

“May you live in interesting times” the Chinese say…

Then we have the likes of Anonymous, Wikileaks, and the infamous ‘LulzSec’. Called a ‘collective’ by themselves and others, it is alleged to be a loose affiliation of individuals seeking to effect change (or maybe just sow chaos) through online shenanigans. Their ideas, and now those of their love child ‘LulzSec’, on moral codes and ethics really strike me as more in line with what “The Plague” said in “Hackers” than anything else:

“The Plague: You wanted to know who I am, Zero Cool? Well, let me explain the New World Order. Governments and corporations need people like you and me. We are Samurai… the Keyboard Cowboys… and all those other people who have no idea what’s going on are the cattle… Moooo.”

Frankly, the more I hear out of Anonymous’ mouthpieces as well as Lulz’s, I think they just all got together one night after drinking heavily, taking E, and watching “Hackers” over and over and over again, and I feel like Curtis exclaiming the following:

Curtis: “If it isn’t Leopard Boy and the Decepticons.”

So, imagine my surprise to be involved in the panel and playing the grey hat, so to speak. The panel went well and the Anons kept mostly quiet until the question and answer after, but once they got their mouths open it was a deluge. For those of you who did not see the panel discussion, you can find the reporting below. My take on things though boils down to the following bulletized points:

  1. Anons and Lulz need to get better game on if they indeed do believe in making change happen. No more BS quick hits on low hanging fruit.
  2. Targets need recon, and intelligence gathered has to be vetted before dumping.
  3. Your structure (no matter how many times you cry you don’t have one) can be broken, so take care in carrying out your actions and SECOPS.
  4. Insiders have the best data… Maybe you should be more like Wikileaks, or maybe an arm of them.
  5. Don’t be dicks! Dumping data that can get people killed (i.e. police) serves no purpose. Even Julian finally saw through his own ego enough on that one.
  6. If you keep going the way you have been, you will see more arrests and more knee jerk reactions from the governments, making all our lives more difficult.
  7. Grow up.
  8. The governments are going to be using the full weight of the law as well as their intelligence infrastructure to get you. Aaron was just one guy making assertions that he may or may not have been able to follow through on. The ideas are sound; the implementation was flawed. Pay attention.
  9. If you don’t do your homework and you FUBAR something and it all goes kinetically sideways, you are in some deep shit.
  10. You can now be blamed as well as used by state run entities for their own ends… Expect it. I believe it has already happened to you, and no matter how many times you claim you didn’t do something it won’t matter any more. See, all that alleged security you have in anonymous-ness cuts both ways…
  11. Failure to pay attention will only result in fail.

There you have it, the short and sweet. I am sure there is a majority of you anonytards out there who might not comprehend what I am saying or care. But don’t cry later on when you are being oppressed, because I warned you.

K.

http://www.darkreading.com/security/attacks-breaches/231300360/building-a-better-anonymous.html

http://www.pcworld.idg.com.au/article/396320/three_tips_better_anonymous

http://www.wired.com/threatlevel/2011/08/defcon-anonymous-panel/

http://venturebeat.com/2011/08/06/defcon-panel-anonymous-is-here-lulzsec-is-here-theyre-everywhere/

#LIGATT A Cautionary Tale of Cyber-Security Snake Oil


The Charlatan of the Intertubes:

Last week an internet war broke out on Twitter that became all the rage within INFOSEC circles. A self proclaimed #1 hacker, “Gregory D. Evans”, was being taken to task for the blatant plagiarism in his book of the same name. Evidently, Mr. Evans, like the BP and other oil company executives, decided it was quite alright to just cut and paste his way to a complete document and claim it as his own. Mr. Evans now, though, is learning a couple of things:

1) Plagiarism is just wrong.

2) Do not meddle in the affairs of hackers.. For they are subtle and quick to temper.

What’s more, this whole event has brought to light the fact that this charlatan has been hoodwinking certain governmental bodies into believing that he is qualified to handle their information security and technical security needs. This is the most frightening thing for me, because we are already pretty behind the eight ball where this is concerned with regard to the government and our infrastructure. What we really DON’T need is a wanker like this guy getting contracts for work within the government sphere.

Since the original calling out by Ben Rothke, and also by the Shitcast as well as Exotic Liability, much has been dug up on Gregory Evans and his merry band of plagiarists that he calls “authors” on his Nationalcybersecurity site. Here are some examples:

  • His author picture for “Seria Mullen” was in fact a picture of a local TV news anchor
  • None of his authors seem to actually write anything; instead they copy AP stories and place them on the site under their name
  • His site nationalcybersecurity.com is riddled with PHP and XSS vulnerabilities (it was in fact hacked and taken down. It’s back, unfixed, now, as you can see from the image above)
  • None of his alleged experts seem to be qualified for the positions he claims they have in information security and technical security
  • He immediately played the race card in response to the allegations of his plagiarism and fraud
  • In one STUNNING case Evans claims he has a 13 year old hacker whom he hired at 11. He has a YouTube commercial with him in it as a testimonial. Turns out the kid is an actor (see twitter below)

Here are some more examples via Twitter:

#LIGATT Meet Beth Sommer another “author” who actually writes NONE of her posts http://tinyurl.com/29yvjuo

#LIGATT Mark Wilkerson author. Anyone know this guy? http://tinyurl.com/33zlrwc

#LIGATT Meet Rex Frank (cyber sec expert) http://tinyurl.com/2dghu33 http://tinyurl.com/2a5mh9j and “author” Funny, I see no creds there..

#LGTT Meet Avery Mitchell Ligatt flunky http://tinyurl.com/35hz6bo http://tinyurl.com/35a8fjo http://tinyurl.com/27csy7r He’s their top guy

#LIGATT None of these “authors” actually write anything on nationalcybersecurity.com http://tinyurl.com/258jd5x they just add their names

♺ @wireheadlance: Ligatt fraud exposed: “hacker” is an actor http://tinyurl.com/3xus8ey http://bit.ly/dh0hw5 NICE

Over and over again, Evans has claimed that he was consulted by Kevin Mitnick in jail over his plea agreement, that his company is worth millions, and that he paid the authors of the content that he used. All of these claims seem to have been quite easily refuted, and there have been more than a few authors who have said that he never asked them, never paid them, and in fact were quite unhappy with their work being stolen. In short, it’s pretty well known now that Gregory Evans is a liar and a thief… At least a thief of intellectual capital in the form of hacking texts.

What’s worse to me though, as I mentioned above, is that there are people out there and companies, perhaps even governmental bodies, that have thought about contracting with him for ethical hacks on their networks and likely have been sold snake oil reports on their security postures. It is highly likely that these places are just as insecure as they were the day before Gregory and his lackeys came along, and this is a large disservice to them and to the information security industry.

This is, however, not an uncommon occurrence unfortunately… Just in this case it is so egregious that it’s hard to believe anyone bought it!

The “Industry”

The infosec industry has become like any other industry. Like the fast food “industry”, there is a lot of crap out there, and unfortunately the buyers are unaware of the differences between the garbage and the good stuff. The words “Caveat Emptor” just don’t compute for many people in the corporations that need these kinds of services. They also might go for the cheaper service in hopes that they will just get a piece of paper saying they have been audited and it’s all good. It’s not all good.

Of course, I would like to also add here and now that security is…. Well.. Not a hard target. It’s rather like philosophy in many ways really. You either get it and you work at getting more of it, or you are just lost and have no idea what it’s all about. It is also rather tricky from a technical perspective, because someone could come in and run the tests, tell you that you are good in one area, leave, and two minutes after they are gone someone could open up a new hole and BAM, you get compromised. So, in reality one could make the logical extension that many of the companies out there now doing “ethical hacks” and “vulnerability scans” could in fact just be fools with tools who don’t know how to judge between an IIS vulnerability and an Apache Tomcat vuln.

The “Industry” has become the new MCSE, with the CISSP being potentially the new paper tiger equivalent of that old Microsoft cert that really, no one cares about any more. Now with the “cyberwar” boondoggle, we have many more pigs at the trough (like Ligatt) looking to make lots and lots of cash on specious claims of being #1 Hackers. This is even worse when you stop to think about the stakes here…

I mean, you either have the skills and the drive to perform this type of work, or you don’t. Unfortunately now, the CEH courses out there are cranking out “CEH” candidates like sausages, and I would hazard that a good 90% of them have no idea how to really be a good security analyst.

Security is a voyage… Not a destination:

This is the mindset one needs to really be working on security, and it is work. You have to keep at it or you will eventually find yourself compromised because you didn’t patch something, or an end user did not know better than to click on that “VIAGRA FREE” pdf file with the new 0day in it. In short, much of the security puzzle resides in the most basic of principles within security, and most places out there do not have a solid footing on how to perform these functions.

I personally, would like to see a more holistic approach to information and technical security today as opposed to just selling a vuln scan and or an ethical hack. You can hack the shit out of a place, have them remediate the holes, and still, if they do not have proper policies, procedures, standards, and awareness programs in place, they will be pwn3d again and again.

It’s really all about the basics…

So, you out there who want to get into this field… Don’t be a Ligatt (Evans): get the books, do the homework, and if you have the drive then you can do a good job. Remember there is that pesky word “Ethical” in there…

CoB

Hikikomori: Mental Illness or Lifestyle Choice?


Hikikomori (ひきこもり or 引き籠もり Hikikomori, lit. “pulling away, being confined”, i.e., “acute social withdrawal”)

Definition

Although there are occasions where the hikikomori may venture outdoors,[1] usually at night to buy food, the Japanese Ministry of Health, Labour and Welfare defines hikikomori as individuals who refuse to leave their parents’ house, and isolate themselves from society in their homes for a period exceeding six months.[2] While the degree of the phenomenon varies depending on the individual, some youths remain in isolation for years, or in rare cases, decades. Often hikikomori start out as school refusals, or tōkōkyohi (登校拒否) in Japanese.

Symptoms

While many people feel the pressures of the outside world, hikikomori react by complete social withdrawal. In some cases, they lock themselves in a room for prolonged periods, sometimes measured in years. They usually have few, if any friends.

Hikikomori often set their own sleep schedules, typically waking in the afternoon and going to bed early in the morning. Their days are characterized by long spells of sleeping, while nighttime hours are spent watching TV, drawing, playing computer games, surfing the Internet, reading, listening to music, and other non-social activities. While hikikomori favor indoor activities, most venture outdoors on occasion, though they prefer to do so at night.

Although rare, some hikikomori have become extremely wealthy. For example, starting with 1.6 million yen (approx. US$14,000) in 2000, Takashi Kotegawa (Japanese: 小手川 隆) grew his account in the JASDAQ Securities Exchange 10,000 fold over 7 years to 17 billion yen (approx. US$152 million).[6] He first gained fame in Japan after he managed to profit 2 billion yen (approx. US$20 million) in 10 minutes from a Mizuho Securities order blunder.[7]

Refusal to participate in society makes hikikomori an extreme subset of a much larger group of younger Japanese that includes parasite singles and freeters. All three groups seem to reject the current social norms in unique ways, with lifestyles considered deviant by society at large.

The withdrawal from society usually starts gradually. Affected individuals may appear unhappy, lose their friends, become insecure, shy, and talk less. Those in their teens may be bullied at school, which, atop the already high pressures of school and family, may be the final trigger for withdrawal.

I heard this term and some explanation of it this morning on Studio 360 and became somewhat intrigued by the idea of it. After some light (heh) reading in Wikipedia, I have more questions than answers about this “disorder” than I had before the reading. Is this really a product of Japanese society? A byproduct of their tense, competitive schooling and terrible economy? Or is it just a lifestyle choice that some have made due to the nature of technology today and its pervasive ability to limit our social interaction needs in real life?

On the face of it, I feel that some of this angst like behavior that starts in the teens is just being accepted by mothers and fathers and allowed to flourish. I see today in our society that it is too easy to just live at home because mom and dad will take care of you and allow you to wallow. The net effect is that parents are too pliant and coddling their kids too much. I say kick their ass out the door and tell them to go to school!

In some cases I can also see that these folks might indeed be agoraphobic on a certain level, as well as perhaps have Asperger’s traits. A fixation on a specific thing, like the Otaku nature that has grown in Japan, really seems to mark these people as exceedingly focused, to almost an autistic level, to start with. Add that to their strict social order and focus on polite behavior and wham, you have a real mix for an introverted individual.

On the one hand I think it’s whack.. On the other I am kinda fascinated by the whole thing. I feel a string of posts coming on this and the whole suicide movement in Japan in the near future…

Written by Krypt3ia

2009/02/08 at 02:07

Posted in Errata, Japan, Mental Floss

New Hampshire, a playground for those with fur on their nuts…


Well, we headed up to NH finally to see the siblings (hers) and give them presents from Christmas. We decided to drive up yesterday morning even though we saw that it was going to snow today. We figured that if we stayed at the hotel, got up at 5am, and hit the road we “might” miss the bulk of the snow. We were of course wrong…

Yesterday started off well enough, but then we could not get a hold of the siblings. They did not answer the phones and there was a potential we would not get hold of them, so, we were almost just going to drop stuff off at their door and leave. Luckily though, half way up the 2 hour drive, we got hold of the kids and told them when we would arrive. It was from there that things went to shit.

We got to NH and I had had the Mio map set for the hotel in Concord. At exit 14 the lil fucker blipped and suddenly had us driving out to some bumblefuck area of NH where it “claimed” our hotel was. Soon after we realized we were digitally fucked by the GPS, Semiotic got cranky, which in turn made me rather cranky. We were lost for about 30-40 minutes and just decided to head to the new apartment that Semiotic’s mother got after selling the house.

After getting about 3/4 of the way there, we realized that if indeed it was an apartment, we did not know the number. Nor could we call the kids to see what that was, because the bumblefuck town they live in had no ATT signal at all. So, we turned around in a fit of crankiness until we got a solid signal to call and get the exact number.

Things got better after that. We saw at least one of the kids, brought the boy out for dinner and then to the book store where we bought him a large bag of books (the classics) and then went to the hotel, which, was located NOWHERE near where the GPS had us looking! Remind me to smash the GPS this week…

Next thing you know, it’s 5am and our wakeup call came. I immediately looked out the window and BAM, it was snowing heavily, dark, and did not look promising for a 2+ hour drive home. We packed up though, and headed out. The roads were mostly unplowed but there was no traffic to speak of so we took our time. The Hyundai handled exceedingly well in the snow (Hyundai Santa Fe) with the all wheel drive letting us cruise at about 50 mph.

Nearly 4 hours later we made it home. All in all, not a bad ride. There were some idiots out there though; we also passed about 6 accidents on 93/90/290…

Like I said though.. NH, is a playground if you have fur on your nuts…

Written by Krypt3ia

2009/01/18 at 23:27

Posted in Errata