Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘FauxSec’ Category

ASSESSMENT: X-Ray Machine Exploits and TIP File Manipulation


Exploiting The X-Ray Machines, TIPs, & TSANet:

A few years ago I worked with a startup whose main goal was to protect the L3/Smith/Rapiscan machines from compromise from physical and network attacks. At the time the claim was made that the systems were not connected to any networks and were in fact islands and that this type of attack was not a real problem. Of course in the process of assessing these machines (one of them in a garage with an explosives expert) it became quite clear that these machines were wholly insecure and likely to be compromised at some point to allow things through the system. The connectivity issues aside, the physical access to the systems could be procured by saboteurs working in TSA and local compromise of the weak OS (Win98 as well as XP based as the article states in Wired) could be carried out locally with a USB drive. So when looking at the threat-scape and reporting back to TSA and the makers of these machines it was clear that this type of attack could be possible but my issue was whether or not there was a probability of it being used as an attack vector. When talk was started about networking these machines as well as others (i.e. bomb sniffers) to the TSANet the startup changed their direction a bit and began to work the idea of a SOC to monitor the machines and the network to ensure no tampering had been carried out. Unfortunately though the TSA and other entities did not really buy off on the idea and in fact the technologies on the systems did not make it easy for any kind of monitoring to be carried out. I went on my way having had a good insight into how TSA/DHS/Detection machines worked and had fun with the explosives expert messing around with the technologies and talking about red team exercises he had carried out in the old days with simulants. Then I saw the article in Wired yesterday and hit up my explosives and machine experts who got a bit unhappy with the article.

Exploit to Terrorism:

The Wired article on the whole of it is correct; it is quite possible to insert those already pre-made images into the system because that is how it is supposed to work. The article though mentions being able to insert socks over a gun for example in an image to cover up the fact that the gun is there. This one point was vehemently refuted by the guys I worked with as too hard to pull off live and that, as I agreed, it would just be easier to pass along a similar imaged bag image itself instead of trying to insert an image into an image to obfuscate things. I think perhaps that the reporter got that idea a bit wrong in translation but perhaps the researchers thought they could pull that off. Either way, this issue brings up a larger issue of the exploit itself being used at all. In hacking and exploits, like terrorism, oftentimes the attackers opt for the path of least resistance approach. In this case I personally don’t see this type of attack as the first go-to for any attacker. I think it would be much more advantageous and easier for the attackers to use insiders to allow things to get past the systems or bypass them altogether to effect their goals. This type of attack has been seen before within the airport security mechanism with regard to thefts and smuggling so it is a higher likelihood that if AQAP were to attempt to board a plane with guns or other explosives, they would use insiders to pass that through the system without being seen by any X-ray or bomb detection at all and not attempt to hire hackers to compromise a networked machine or physically access one to pass a gun or guns through the TSA line. This also is why at the time of 9/11 the 19 went for very low tech solutions of box cutters to overtake planes and use them as missiles against buildings; it’s just the path of least resistance.

Failure Rates on X-ray and MM Wave Results:

Meanwhile the TSA has never been seen as a bastion of security by the public from day one. As time has progressed the people of this nation have realized that much of the function of the TSA seems to be to harass the passengers and provide a simulacrum of security that really isn’t there. How many times have you, dear traveller, passed things through security, primarily the color x-ray Smith/L3/Rapiscan machines, without even trying? I have gone through TSA on many occasions with forgotten knives and other things that are forbidden and TSA completely missed them on the scans. Once again I would point to the systems being insecure or the processes being lax that would lead to compromise of the overall security and not so much a hack on a Smith machine for a terrorist attack’s success. A recent OSINT search in Google turned up an interesting document of an assessment of Hartsfield, Atlanta’s airport, by the OIG that shows just how this airport at least was not following processes and procedures that would make an attack much easier for the prepared aggressor. There are other documents out there and you can go dig them up but the point is that if you are not carrying out the policies and procedures, the technologies will not prevent their being bypassed. Additionally, there are issues around the technologies’ accuracy as well that have been addressed by the makers of the machines and the government so these systems are in no way foolproof and it requires vigilance to make them work well. The net/net here is that the technology can fail, be tampered with, or bypassed altogether without the need for an exotic and technical exploit series to be carried out on them to forward a terrorist attack.

ANALYSIS:

My analysis here is that yet again the research is valid but the hype around the revealing of such research at places like the recent Kaspersky Security Analyst Summit is just a way to garner attention. Much like the issues with the power grid and physical attacks which I profiled last on this blog, we are enamoured with the idea of cyber attacks as a vector for terror but the realities are somewhat more mundane. A physical attack or an insider attack is much more probable in this case, as in the power systems attacks, as the main modus operandi, not an elaborate hack to insecure machines that will require access to begin with. At such time as we have networked all of these machines (remember many are islands presently) then we will have to address these issues much more closely and yet still, this attack vector may be sexy to the hacker set, but not so much to the terrorist set today. The machines are insecure though, the researchers are bang on about that and these issues should be addressed but then you have to look at the government procurement process as well as the corporations that do not want to have to re-architect their systems completely. It was a pain to try and get these makers to add APIs to their code in order to allow for remote monitoring by a SOC so think about telling them then that they have to not only harden their systems but also re-architect them completely to run on more advanced systems than WIN98. I would also point you all to the recent revelation that 94% of the ATMs in the world still run on Windows XP… How about an upgrade there?

K.

Written by Krypt3ia

2014/02/12 at 13:38

INFOPOCALYPSE: You Can Lead The World To The Security Trough.. But You Can’t Make Them Think.


“Dark, profound it was, and cloudy, so that though I fixed my sight on the bottom I did not discern anything there”

(Dante Alighieri; The Inferno)

The current state of the Security “Industry”

It seems that once again people who I have acquaintance with in the security industry are wondering just how to interface with corporations and governments in order to build a base of comprehension about the need for information security. The problems though are myriad with these questions and the task to reach people can be a daunting one, never mind when you have groups of them in hierarchies that comprise some of the worst group think in the world (AKA corporations).

Added issues for the “industry” also surround the fact that it is one at all. Once something moves from an avocation to a profession, you have the high chance of it becoming industrialised. By saying something has been made industrialised, implies to many, the cookie cutter Henry Ford model really. In the security world, we have seen this from the perspective of magic boxes that promise to negate security vulnerabilities as well as teams of consultants who will “securitize” the company that is hiring them with magic tools and wizardry. The net effect here is that those paying for and buying into such products and services may as well be buying a handful of magic beans instead.

Now, not every company will be efficacious in their assessments nor live up to the promises they make for their hardware/software solutions. Many practitioners out there and companies really try to do the right thing and do so pretty well. However, just as in any other business, there are charlatans and a wide range of skilled and unskilled plying their arts as well. Frankly, all that can be said on this issue is “Caveat Emptor”. It’s a crap shoot really when it comes to goods and services for security solutions. The key is though, to be able to secure yourselves as a company/entity from the standpoint of BASIC security tenets up.

Often it’s the simple things that allow for complete compromise.. Not just some exotic 0day.

So we have a cacophony of companies out there vying for people’s dollars as well as a news cycle filled with FUD that, in some cases, is directly lifted from the white papers or interviews with key players from those said same companies seeking dollars. It is all this white noise that some now are lamenting and wondering just how do we rein things in and get a stable base to work from in an ethical way to protect companies and individuals from information security meltdowns. More so it seems lately, the question has been how do we reach these people in the first place? How do we actually get a meaningful dialogue with the corporate masters and have them come away with the fundamentals of security as being “important”?

Unfortunately, I think that there are some major psychological and sociological hurdles to overcome to reach that point where we can evince the response we all would like to see out of those C level execs. I have written about them before, but I will touch on them again later in this piece. Suffice to say, we all have a tough row to hoe where this is concerned, so, I expect there to be no easy answer… Nor really, any satisfactory conclusions either.

“It is a tale Told by an idiot, full of sound and fury, Signifying nothing”

(Shakespeare; Macbeth)

Security Joan of Arc’s and their Security Crusade:

Joan of Arc was a woman ahead of her time. She wore men’s clothing and led the French in battle against the English and to victory, all as a teen girl. She later was burned at the stake for heresy and just recently made a saint many years later. I give you this little history lesson (link included) to give you an idea of who you all are in the security industry lamenting over not being listened to. You too may be ahead of your time, but, just as she was, you too will not be listened to because your ideas (to the listeners) are “radical”.

Now, radical is a term I am using to denote how the corporate types are seeing it. We, the security advocates, do not see these concepts as radical, but instead as common everyday things that should be practiced (complex passwords, patching effectively, etc). They (the client) see these things as impediments to their daily lives, their bottom lines, and their agendas both personal and corporate. There are many players here, and all of them have agendas of their own. This is a truism that you must accept and understand before you rail against the system that is not listening to your advice.

Here’s a bit of a secret for you.. The more ardent you seem, the more likely you will be branded a “Joan”. The perception will be that you are a heretic and should not be listened to. Instead you should be marginalised in favour of the status quo.. After all, they have gone about their business every day for years and they are just fine! The more you rail, or warn with dire tones, the more you will be placed at the back of the mind.

Think Richard Clarke (I heard that chuckle out there)

Though Joan inspired the French forces to battle on and win more than a few battles, she eventually was burned at the stake. Much of this was because of her unique nature and fervour. Much as yours may do the same to you… Without of course literally being burned at the stake and you all must learn this. I think you have to take a page from the hacker’s playbook really and use the axiom of being a “Ninja”.

The subtle knife wins the battle.

 

“If the Apocalypse comes, beep me”

(Joss Whedon; Buffy the Vampire Slayer)

What’s the worst that could happen really?

The quote above really made me chuckle in thinking about this article and the problems surrounding the premise. This I think, is the epitome of some people’s attitudes on security. Most folks just go along their days oblivious to the basic security measures that we would like them to practice as security evangelists. The simple fact is that like other apocalypse scenarios, people just have not lived through them and been affected by them to change their behaviours accordingly. What solidified this for me recently was the snow storm last October here in New England that caught so many people flat footed. They simply had not ever really had to rely on their wits and whatever they had on hand before like this. When the government and the corporations (CL&P) failed to provide their services to the populace, the populace began to freak out.

It’s the same thing for information security. Whether it is the government or the corporations that supply us all, both are comprised of people who all pretty much lack this perspective of being without, or having really bad things happen to them. 9/11 comes the closest, but, that only affected NYC and DC directly (i.e. explosions and nightmarish scenarios with high casualties). In the case of corporations, you have lawyers and layers of people to blame, so really, what are the risk evaluations here when it is easy to deflect blame or responsibility? For that matter, it was inconceivable to many in the government (lookin at you Condi) that terrorists would use planes as missiles… Even though a month before a report was handed out with that very scenario on the cover.

The core of the idea is this. Human nature on average, and a certain kind of psychology (normative) that says “This can’t happen to us”. We all have it, just some of us are forward thinking and see the potentials. Those forward thinkers are likely security conscious and willing to go out of their way to carry out actions to ensure their security. Things like storing extra food and water as well as other things that they might need in case of emergency. These can be life or death deal breakers.. Not so much for information security at your local Acme Widget Corp. In the corporate model, they have the luxury of “It’s somebody else’s problem”. So, these things are usually not too important to them unless that person making the decision is cognisant of the issues AND responsible for them. Unfortunately, as we have learned these last 10 years or so, responsibility is not their strong suit.

So, on they go.. About their business after you, the security curmudgeon has told them that they need to store food for the winter..

But the grasshoppers, they don’t listen… Until they are at your door in the snow begging for food.

 

“More has been screwed up on the battlefield and misunderstood in the Pentagon because of a lack of understanding of the English language than any other single factor.”

(John W. Vessey, Jr.)

How do we communicate and manipulate our elephants?

Back to the issue of how to communicate the things we feel important. This has been a huge issue for the security community for a couple of reasons.

  1. The whole Joan of Arc thing above
  2. The languages we speak are.. Well.. like Tamarian and theirs are corporate speak.

We, the security practitioners, often speak in metaphor and exotic language to the average corporate manager. You have all seen it before, when their eyes glaze over and they are elsewhere. We can go on and on about technical issues but we never really seem to get them to that trough in the title. Sometimes you can get them to the trough easily enough by hacking them (pentesting) but then they think;

“Well this guy is a hacker… No one else could do this! What are the chances this is going to really happen? Naaahhh forget it, it’s not likely”

So there is a bias already against doing the things that we recommend. Then comes the money, the time, and the pain points of having to practice due diligence. This is where they turn off completely and the rubric of it is that unless they are FORCED to carry out due diligence by law or mandate, they won’t. We all have seen it.. Admit it.. It’s human nature to be lazy about things and it is also human nature to not conceive that the bad things could happen to them, so it would be best to prepare and fight against them.

So, how do we communicate with these people and get them on the same page?

I have no answers save this;

“Some get it.. Some don’t”

That’s the crux.. You have to accept that you as the security practitioner will NEVER reach everyone. Some will just say thank you and good day… And you have to accept that and walk away. As long as you have performed the due diligence and told them of their problems.. You have done all you can. You can try and persuade or cajole them… But, in the end, only those who get it or have been burned before will actually listen and act on the recommendations you make.

“The greater our knowledge increases the more our ignorance unfolds”

(John F. Kennedy)

The Eternal Struggle

There you have it. This will always be the case and it will always be the one thing that others seeking to compromise corporations and governments will rely on. The foolishness of those who do not plan ahead will be their undoing..

Eventually.

All you can do, sage security wonk, is calmly and professionally explain to them the issues and leave it to them to drink.

K.

Virtual Arkham: Explaining Anonymous, Lulzsec, and Antisec Animus in Our Digital Gotham City


Personae Dramatis: The Rogues Gallery

In this post I would like to show you what I have been seeing with regard to Anonymous and the other groups that have spawned from it. Increasingly over the last year or two I have been seeing analogies, both literal and figurative, between the forces at play and I feel that all of it is directly affected by the comic book world of Batman. The analogies that I am making come from observing not only the actions of the parties but also the methods that they use (down to the imagery in word and graphical) to get that message out to the masses.

In the case of Anonymous and their spin off groups, I have observed a shift in personalities that could be termed an evolution in motivations and thought. Generally though, the game plan seems to be just a general way for the groups to sow anarchy while feeding their narcissistic needs through media attention. This is the crux of the issue I think as the core groups don’t seem to be solely motivated by ethical or political change. Instead, it all seems to be focused on a few drivers;

  1. Lulz: just for the hell of it, or a desire for amorphous anarchy
  2. A feeling of power over other forces (government/law) that subsumes their feelings of powerlessness
  3. A need to fulfil the narcissistic tendencies by sowing havoc and seeing it in the media (like some narcissistic serial killers Denny Rader for example)

Equating this with the world of the Batman has been in the back of my mind for some time, especially since my dealings with Jester. His logo and his persona of the “joker” from the last Dark Knight film set the stage for me to start to think in this vein. A more recent video by the History Channel solidified all of this for me. The video, “Batman Unmasked: The Psychology of the Dark Knight”, struck me not only as being the zeitgeist of this article, but also seemed to show a generation of comic book and movie goers that are internet denizens that want to emulate this last iteration of “The Joker” specifically.

The Heath Ledger portrayal of Joker seems to have been the catalyst to me, of many an internet anarchist. The media surrounding this being his last role as well as the way the character was re-written in this story arc, hit a common nerve with the masses. So much so, that seemingly, the Joker became the more emulated and lauded character in the story over its real hero, Batman. It is from this realisation that I derive the rest of the analogies made here. Of course these are gross generalities, but, I tend to think that given the recent activities (riots in the UK and flash mob thievery in the US as well as all the lulz) there is a strong correlation to be made.

First though, let’s look at the Rogues Gallery that end up in Arkham Asylum…

Ra’s Al Ghul and The Shadow Assassins

Ra’s is a control freak. His agenda is to have order but his means to get that order mean subjugation of the masses and removal of anyone that does not conform to his sense of right and wrong. This order that he wishes to impose comes from his shadow assassins and their lethality without question.

The Riddler

The Riddler is a pure narcissistic criminal genius. His narcissism though, is usually his undoing as he cannot perpetrate any crime without leaving overt clues in an attention seeking pathology. It is this pathology, the need for the attention that drives him altogether and is his undoing.

The Penguin & The Joker or PenguiJoker

The Penguin (Societal and Governmental corruption) and The Joker (pure anarchy) are two rogues that have become one in this scenario. Within the world of Batman though, each attacks the order seeking to destroy it for their own ends. In the Penguin we have someone looking to corrupt the system. Meanwhile, the Joker is pure anarchy diametrically opposed to the order (aka Batman). Joker’s need is fuelled by a nihilistic world view twisted with a good deal of insanity.

All of the Batman wannabes in hockey suits

Lastly, we have the Bat-men, the would-be vigilantes who want to be the Bat, but don’t have the tools to really be of use. This character set was added from the last film (The Dark Knight) and I generally attribute it to one player in the real world (if you call it that) version of Gotham Knights being played out on the internet. That individual (the aforementioned jester) oddly enough aligns himself visually much of the time with “The Joker” but he is more like the hockey suit wearing would-be Batman.

Now that I have laid down the Batman’s Rogues Gallery, I will move on to the real world players and their motives aligned with my premise.

Anima & Animus:

The shadow, in being instinctive and irrational, is prone to projection: turning a personal inferiority into a perceived moral deficiency in someone else. Jung writes that if these projections are unrecognized “The projection-making factor (the Shadow archetype) then has a free hand and can realize its object–if it has one–or bring about some other situation characteristic of its power.” [3] These projections insulate and cripple individuals by forming an ever thicker fog of illusion between the ego and the real world.

C.G. Jung

According to Jung and even Freud, the darker side of the psyche can drive our actions solely by the shadow self. One can see hints of their theories in the actions of each of the groups we are talking about here. Even the subtle connections made from overt symbolism can be made through the icon of Antisec itself. As seen at the top of the page, the connections are there to be made between the characters of Penguin, Joker, and Riddler, even if the original core image came from another source altogether (V for Vendetta). I believe that the collective unconscious here latched on to the images of Riddler/Joker/Penguin and co-opted them, if they didn’t actually do so overtly and with forethought.

So, with all of this said, I will make the claim now that I believe the movements and the players have been created out of vainglorious motives and have not changed at all since taking on the mantle of ethical and political change through civil disobedience. To that end, here are the players aligned to their characters from the world of Gotham as well as their psychological underpinnings.

Anonymous: Ra’s Al Ghul and The Shadow Assassins

Anonymous started out as a group of people who inhabited the 4chan group but wanted to do something different for ‘entertainment’. This loose idea was co-opted when they began to commit civil disobedience for their own purposes either political or for the aforementioned entertainment value. Either way, their animus is wholly about the control which they can wield over others. This should never be forgotten, that the core of the group ethos has nothing to do with change or moral/ethical betterment. It is in fact all for their own enjoyment.

Lulzsec: The Riddler

Lulzsec came into being because they felt that the ethos and moral constructs of Anonymous were too weak and they wanted to escalate the ‘lulz’ for their own enjoyment. The takeaway here is that just being pranksters was not enough; instead they wanted to show everyone they were smarter than everyone else AND that they could do so and get away with it. All the while, they performed these acts in an exceedingly narcissistic way. A key player in this that has been caught would be Topiary. It seems that even in the face of prosecution he thumbs his nose at authorities as well as seems to be enjoying the limelight (philosophical book in hand for the cameras).

Antisec: The Penguin & The Joker or PenguiJoker

The love child of Anonymous and LulzSec is #Antisec. This agenda or perhaps subgroup (I tend to think there are cells of Antisec) has chosen a logo that decidedly shows the melding of at least two of the Batman Rogues Gallery (Joker and Penguin as you can see at the top of this article). This too follows into their attitudes about what they are doing and why they are doing it. They really have no rhyme or reason for what they do other than their own entertainment and attention. This is a classical narcissist behaviour and by all communiqués laid out by LulzSec, they fully enjoyed their ‘voyage’ in the lulz sea.

Antisec also has a Penguin side to them too. By using the system against itself (i.e. using the government’s lack of network and system security) they poke them in the eye by subverting their own data to shame them. This is a lesser characteristic as I see it, but it is still important to note as well as point out the imagery (homage) to the Penguin in their logo whether it was overtly done or by proxy of some unconscious connection made by the designer.

th3j35t3r: All of the Batman wannabes in hockey suits

Finally, we have the jester. A character who wants to be the Batman, but fails to actually effect any kind of real change in the battle. For all of the attempts made, the efforts fall flat and to date, nothing has been attributed to him that substantially made a difference against the Anonymous/Lulzsec movement. I believe he does this as well as his other DDOS actions out of a self-described sense of helplessness. Jester makes the claim that he had to do something as he saw his comrades dying at the hands of Jihadists. He made similar remarks about why he was attacking Anonymous, as they were outing data that could harm those in the field of battle.

Either way, his motivations seem to be tainted with a bit of narcissism as well, seeking the attention of the media as he has in the past makes him part and parcel to the overall problem.

Escalation:

And so it goes on… The Anon movement has begat others who have agendas of their own (or perhaps pathos is a better word). As the movements lose interest in the day to day grind of operations, they will increasingly seek to up the ante. As the media winds down on them, they will need to seek even bigger targets and outcomes to end up back on the top of the news, all the while feeding their collective need to be the centre of attention. The flip side of this will be that the authorities, unable to cope easily with the problem at hand, will create new and more stringent laws that will harm us all. Though this will not matter to the groups.. Because this is unimportant to their end goal of satisfying their needs. It will keep going round and round and the outcomes are likely not to be good. There will be a lot of collateral damage and in the end, no one will have profited at all from it all.

End Game:

So what is the end game here? Will there be any good outcome from this?

Not if it keeps going the way it has been. More indiscriminate hits against targets without showing anything for it along the lines of showing corruption or malfeasance will only lead to more knee jerk reactions by authorities. I imagine some will be caught and tried for their actions, others will escape and perhaps go on to other things… Overall though, it will not make a better world. It will only have fulfilled the desires temporarily of the ones perpetrating the acts against.. Well anyone and everyone.. Until they get put into Arkham.

K.

Not So 3R337 Kidz


Once again we find ourselves following the story of a new uber dump of data on a Friday (Fuck FBI Friday’s) as they have been dubbed by the skiddies. It seems that 4cid 8urn, C3r3al Kill3r, and Zer0C00l once again have failed to deliver the goods in their #antisec campaign with their ManTech dump. ManTech, for those who don’t know, is a company that handles defense and government security contracts for such things as secure networks etc. The skiddies decided to try and haxx0r the Gibson and get the goods on the bad bad men at ManTech.

Once again, they failed.

The files are mostly UNCLASS (kids, that means UN-CLASSIFIED mmkay?) with a few SBU (Sensitive but UNCLASSIFIED) as well. Many of the files are just documents of finances, bills, resumes and email addresses that frankly you could get with a good Googling session. Again, we are not impressed by this crap Lulz skiddies. I have told you once, and now I will tell you again, you are failing to deliver anything of interest really.

Now, if you were real APT, then you would have used the data in the excel sheets to create some nice phishing exploits and then gone on to root some good shit. But no, you aren’t that advanced are you? You just want to do the quick hit and dump your ‘booty’ to collect the love from your adoring, albeit stupid, fans. I am sure some of them are at home now wanking off to the idea that you have really stuck it to ManTech and by proxy ‘the man’.

Well, you haven’t.. Not so 3r337 as Raz0r and Bl4d3 say.

What you keep failing to understand are several key things here:

  1. The good shit is in more protected systems, ya know, like the ones Manning had access to
  2. You have no idea what you are taking or what you are dumping! Bitch please, understand the classification markings!
  3. It’s only important to your ‘movement’ if the data actually uncovers bad behavior on the part of the government!

And it’s that last point I want to harp on a little more. You guys say you are exposing fraud and devious behavior (other than your own subversive tendencies?) and yet, you keep missing the mark. There have been no cohesive plots outed by you other than Aaron and HB Gary’s little foray into creating 0day and programs for propaganda tools online.

Yay you!… ehhh… not so much.

You certainly did spank Aaron though, and for that my top hat and monocle are off to you. He rather deserved what he got for being so God damned stupid. However, you must all understand that these are the standard operating procedures in warfare (PSYOPS, INFOWAR, PROPAGANDA); every nation plays the game and it’s just the way of life. So, unless you get some real data of a plan to use this type of tech by the US on the US, (other than Rupert & Co.) Once again, I am not really so impressed.

Of course, you have to know that you are now the target of all of those tools right? Not only by the US, but other nations as I have mentioned before. Do you really think that you have not opened the door for other nation states to attack using your name? No one mentioned yet that you are now considered domestic terrorists and could even be considered non domestic after you get caught? You have opened Pandora’s box and all the bad shit is coming.. And much of it is going to be aimed straight at you.

The ironic thing is this.. You have delivered shit. It’s the idea and the cover you have given other nation states or individuals that is key here. You say you can’t arrest an idea… I say certainly not! BUT They can arrest YOU and then make that IDEA not so appealing to the other skiddies once your prosecutions begin on national TV.

So keep it up.. That hornet’s nest won’t spew hundreds of angry wasps…

K.

Faux Security: @JosephKBlack, @ElyssaD, BlackBerg Security, and Shades of Project Viglio


Blackberg & ElyssaD:

A while back, I ran across ElyssaD and her whack ass site which was scraping my content from Infosecisland. I later read Jaded Security’s post filling in the gaps that I had given up on in my searches on her digital rat’s warren of sites and chalked it up to fucktards at play. However, since then, she has failed to remove my content from her sites, her ersatz ’employer’ Joe Black has called me out as a supporter of Anonymous and LulzSec, and still, my content is on her frantically moronic sites.

So, the gloves come off.

I began to look around at her sites again to see what was being taken and scraped when I began to see not only more of her erratic behaviour, but a pattern of baiting for attention not only on her part, but that of Joe Black. So much so in fact, that I have to really wonder if Elyssa is not just an identity scrape of a real person as opposed to actually being online herself and posting all this claptrap. After all, what was it that Ligatt and Aaron Barr were trying to do but create many sock puppet identities to control and use to sway opinion in PSYOPS fashion? So the questions for me now are these:

  • Is Joe Black just an insanely inept buffoon with some alleged connections to the defence base?
  • Is ElyssaD just a cutout for Joe to weave his insane batshit online for.. Well whatever purposes he has in mind?
  • Is all of this just the personal lulz machine for whoever Joe may really be and is having a laugh?
  • Are they both just batshit insane and useless wankers?

After picking through their digital trails, I still cannot say for sure what their goal is or just how real they both are. I am told that Joe is a real person and that some in my circles know of him. Personally, I had never heard of him until he started tweeting craziness on Twitter and came up with his craptastic site. Over time though, he just progressively got crazier and crazier with comments and challenges to the likes of LulzSec, who then allegedly hacked him and showed just how poor his site security was.

Of course now there are allegations that Lulz did nothing and that he (Joe) had hacked/defaced his page himself to garner attention (as seen below).

After his site went down this last weekend, we all thought perhaps he had been hit by another Anon attack of some sort, but then he popped up again yesterday, claiming fantastically, that he is the new Nietzsche of information security! Which is ironic, because Nietzsche went insane at the end of his life due to Tertiary Syphilis, which I think Joe has a head start on now. Then again, if you really know who Nietzsche was, and did, perhaps this is another nod to irony and a play on the ideas of putting crazy out to the world to see what happens.

Frankly though, from his tweets and writings, I think it is the former and not the latter. Joe is just an attention seeking whore and Elyssa, well, if Elyssa is truly the one posting on the Internet, hon, you need some mental health dollars spent on you STAT!

So, on to the Ligatt worthy asshattery shall we? I will present it in short montages, somewhat like the montage scene in Team America. Mostly because I am listening to the soundtrack now and YOU are, well, you are a farce just like the film.

Joe.. Joe Black… CIA…:

Seriously Joe.. If YOU are a NOC, then I am the king of Prussia. What the Hell are you saying? I mean, this right here just screams that you are either out of your head or just a clown. If you are at all serious about this alleged business of yours and its ties to the military and government, then they, if they are indeed connected with you at all, should quickly pull out.

Then there’s this little ditty:

Holy WTF? Really? C’mon man! Who is going to buy this shit other than Elyssa? (to the tune of Freedom Ain’t Free.. It costs a BUCK OH FIVE!)

And then there is this other missive:

Huh? Wha? Elyssa, take your God DAMNED MEDS! With employees like this, Joe is gonna have to have one HELL of an insurance plan! Elyssa, I am sure the Feds took you up on your offer and will give you FULL immunity *snort* (to the tune of North Korean Melody.. So Ronery)

AND then there is my favorite!

SO! That’s how it works within the intelligence and hacking communities! I had NO IDEA! Really, Elyssa, if indeed you are real and this tweet wasn’t just some elaborate insane joke. YOU are not a hacker and it does not happen by “association” you morons. No more so than any of your degrees (if real) make you an INTEL analyst or a Black OP specialist. (to the tune of Team America March.. just because it came on.. Can you smell the gravitas?)

Speaking of gravitas, if indeed Joe and Co. are real, that is what they are trying, and failing to convey to the would be clients that the site alleges to want. Therein, you have Ligatt-ed quite well Joey.

Board of Advisors:

Now, in another more interesting vein, Joe has added a board of directors to his site. Of course I had to look once Praetorian had pointed it out asking: “Who the hell are these people?” So, I put on the waders and got the gloves on to go looking. What I found kinda makes me wonder what the hell is going on yet again. So, let’s have a look at these people shall we?

Fernando Patzan:

Alright, so Fernando was pretty easy to find. I mean how many Fernandos are there in infosec who have government ties? Yeah, so Fernando, my first question is this: “Do you really represent in any way Joe Black and his particular brand of crazy?” Because if you don’t then this guy is dragging your reputation down with his easy use of your name as an advisor. Honestly, if half the shit that Joe has done and said was on your advice, well, I should think that your current employers might want to re-think your job status.

Of course I have yet to speak with anyone who really knows you.. So you too could be another cutout. However, I have found ancillary data through Google that you do really exist and you did work at GD. So, tell me my man, are you huffing the same glue from the same paper bag under that local underpass with Joe?

Oh, and if you don’t know him.. Well dude, you better get on the horn with your lawyer…

Patricia Ellington:

Oh Patty, Patty, Patty, your creds are kinda.. Well ‘meh’ aren’t they? You also have connections to me like Fernando now that the LinkedIn is working right. So, why have I never heard of you? Well, I suppose that that is a bad question. So I will go back to the credibility issue and your connection to Joey here. Do you know Joe? Is Joe taking YOUR advice too in posting his whack ass diatribes about being in the CIA and allegedly outing Team Poison?

You too might want to call your lawyer…

John Berry:

John… Well.. John is a blank slate to me. Of course his name is pretty common and bland, but I could locate no one with that name within the infosec community nor by using the sooper special word “CYBER” that all of the morons are using as a catch phrase today.

So he is a ghost.. OOOOH maybe he is a super spy like Jason Bourne! I bet Joe knows you through his adventures in Thailand chasing heroin smugglers!

Not.

Justin Johnson:

Justin.. Well Justin was a bit of a puzzle. The only one who came up with network cred was this one. Are you an advisor to Joey? Once again, I say you should get a lawyer if you don’t already have one because this guy may be trading on your good name and credibility (VERY Ligattworthy!). Justin, if you do in fact know Joey and you are working with him let me know.. I have more questions like: HUH? Why?

Kevin G. Coleman:

Lastly, and most interestingly, we have Kevin. Oh Kevin, I liminally have heard of you before and I cannot believe that you would have anything to do with Joey, but, then again, maybe you like the glue huff now and again? Do you really advise Joe to do the crazy shit he has been up to? Do you really approve of, or even know about this Elyssa character?

Dude, you are the most credible of the group and now you have this stink upon you!

If you know him and are working with him, best sever those ties now sir… EVEN if you are SEMI retired! This Joey character is only going to lead you down the path to smelling like a dog after a skunk attack while standing in the poop factory while it exploded due to a SCADA hack.

Please.. Someone tell these people their names are on this fool’s site!

Ugh…

Ok, so in the end, as “I’m So Ronery” plays on the headphones I end this psychic barf of a post. Joe, Elyssa, …. Time for your meds! And as always “Remember to fade away in a montage”

K.

Written by Krypt3ia

2011/07/13 at 16:12