(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Forensics’ Category

U.S. Fails Test In Simulated Cyberattack


U.S. Fails Test In Simulated Cyberattack

Organizers, observers of “Cyber Shockwave” conclude that nation is not ready for the real thing

Feb 17, 2010 | 06:48 PM

By Tim Wilson

A large-scale simulated cyberattack on the U.S. yesterday proved one thing, according to organizers: the country isn’t prepared for a real attack.

In a press release issued today, the Bipartisan Policy Center — which organized “Cyber Shockwave” using a group of former government officials and computer simulations — concluded that the U.S. is “unprepared for cyber threats.”

Former Secretary of Homeland Security Michael Chertoff, who chaired the simulated National Security Council, said cyber-terrorism “ought to be treated as a threat of sufficient seriousness that we give it the priority attention we’ve given weapons of mass destruction.” Cyber-terrorism is “more complicated by the fact that it involves every individual,” Chertoff said. “Anybody who has a smart phone, who downloads an app or gets on their PC is engaged in this process.”

Reports from those who witnessed the simulation indicate that the U.S. defenders had difficulty identifying the source of the simulated attack, which in turn made it difficult to take action.

“During the exercise, a server hosting the attack appeared to be based in Russia,” said one report. “However, the developer of the malware program was actually in the Sudan. Ultimately, the source of the attack remained unclear during the event.”

The simulation envisioned an attack that unfolds over a single day in July 2011. When the Cabinet convenes to face this crisis, 20 million of the nation’s smart phones have already stopped working. The attack, the result of a malware program that had been planted in phones months earlier through a popular “March Madness” basketball bracket application, disrupts mobile service for millions. The attack escalates, shutting down an electronic energy trading platform and crippling the power grid on the Eastern seaboard.

“A useful aspect of something like this simulation is it helps people visualize what is realistic and possible in some circumstances,” said John McLaughlin, who played the role of Director of National Intelligence. “The smart thing is to prepare now, to do the legislation now, to do the bipartisan work now, to do the intelligence work now, the foreign policy work. These are all very complicated things and we need to get started on them.”

Stephen Friedman, who played the role of Secretary of the Treasury, said of a potential cyber attack on the U.S.: “There is no question in my mind that this is a predictable surprise and we need to get our act together.”

The panel of government officials agreed that cyber-terrorism is a national security issue that needs to be addressed quickly in a bipartisan manner. “It raises an issue of the system’s responsibility to be able to come together in a nonpartisan way and figure out the answer to questions as opposed to kicking the can down the road until we’re in an emergency,” said Chertoff.

During the exercise, legal questions were raised regarding personal privacy versus national security. “We have to come to grips with the implications for our personal privacy and the relationship between the federal government and the private sector,” said Jamie Gorelick, who played the role of Attorney General.

“Cyber ShockWave demonstrated the tremendous challenges the government has in dealing with potential cyber attacks,” said Jason Grumet, founder and president of the BPC. “Our goal for Cyber Shockwave was to identify real policy and preparedness issues that need to be addressed in order to combat an attack of this magnitude that escalates rapidly and is of unknown origin.”

So, I have been lamenting this outcome for years now and the one thing that really is running through my mind right now is

“Umm where was Tsar Schmidt?”

Was he involved? Was he watching? Has he a clue? So far I have heard dick out of him in the way of saying anything of meaning about his job. Perhaps he is not sure what his job is as yet anyway… Meh. In any case, this should be an interesting report to read.

Now on the “predictable surprise” comment.. Uhh What? What the hell does that mean? How is anything predictable a surprise? Is this the calibre of the people working on this problem? Ugh.

Lastly, the whole issue of the legal right to privacy seeming to be at risk to “solve” these issues really is a load of crap. FIND ways to take care of the problems without having to invade all our privacy please!

Time to start my plans for a big Faraday cage…

Sensing A Pattern


Source SC- DIAL TELECOM Romania Slammer DTG Wireless Latvia DdoS Grid Hosting Turkey DOS/SYN Northern Telephone OSHKOSH BAD IP Interserver Inc NJ DOS/SYN China Telecom DOS/SYN Chinanet DOS/SYN UNICOM JL China DOS/SYN NINGHAI-XINYANG-LTD China Slammer Chinanet AH China DOS/SYN CNC Group CHINA169 Zhejiang Province Network TCP Nmap Scan MAINT-CHINANET-LN DOS/SYN MAINT-CHINANET-SD Slammer CHINANET jiangsu province network China DOS/SYN Kunde Htech Ltd Co China DOS/SYN CHINANET-HN Changsha node network DOS/SYN CHINANET Chongqing province network Slammer CHINANET SHANDONG PROVINCE NETWORK DOS/SYN China Unicom Shandong province network DOS/SYN China Unicom Beijing province network DOS/SYN TIANJIN-CHANGCHENGZHIBAO-LTD DOS/SYN China Unicom Hebei Province Network Korea DOS/SYN KORNET-10321992250 DOS/SYN ZHEJIANG-PEOPLE-GOV TCP Nmap Scan LY-GUANGDIAN-ISP China Slammer JINHUA-TELECOM-LTD Slammer China Unicom Liaoning province network DOS/SYN CHINANET Anhui province network Slammer China Mobile Communications Corporation – jiangxi Slammer Ratel Company Russia DOS/SYN SuperOnline Inc. Turkey Slammer CHINACOMM DOS/SYN CMNET-jilin DOS/SYN BEIJING ZHENG-BO TECHNOLOGY CO.LTD Slammer Shanghai University DOS/SYN App Anomaly RPC CHINANET Sichuan province network DOS/SYN SC-MY-SJDF-LTD China DOS/SYN CHINANET-ZJ-HZ DOS/SYN CNC Group CHINA169 Zhejiang Province Network TCP Nmap Scan CUCBUUDIENTW-NET DOS/SYN JIAXING-TELECOM-LTD DOS/SYN SJZ-FriendshipHotelNorthStateStreetstore China DOS/SYN Maxis Communications Bhd Malaysia DOS/SYN shantoushitianyingxinxijishuyou China DOS/SYN NTT Communications Corporation Japan BAD IP CHINANET Shanghai province network DOS/SYN

Since my little incident with j35t3r I have been paying more attention again to the IDS. In the last few days alone the system has seen some interesting traffic including another DDoS attempt from Latvia. I am seeing a pattern though for the most part. Our Chinese overlords have a lot of traffic coming my way from worms.

Also interesting to note is the Nmap traffic, guess some folks got interested in my system to see what ports I have open. They went away unhappy though. Kinda makes you wonder what your traffic is like huh? It also might make you wonder just how much your system is protected.. If it is at all.

If you are interested, you can take a scan for yourself with Shields Up. It’s a system in place to run a Nessus scan against your IP address and see what’s what. It does a good job and will tell you what ports are open and perhaps what vulns you might have.

Just remember, if you have a persistent connection and your machine is on.. Well, they are knocking at the door.


Written by Krypt3ia

2010/01/24 at 01:23


1.16.2010 DD0S ABTS (Karnataka), CMSU-NET AMAZON-EC2-5 Research in motion Microsoft Centauri Comms Layer42.Net, Inc ViaWest ViaWest FR-METALLERIE-VILLEMIN PSINet, Inc. Silicon Valley Colocation, Inc. Road Runner HoldCo LLC Road Runner HoldCo LLC COMCAST Layer42.Net, Inc. Cricket Communications Inc Edgios Inc. Road Runner HoldCo LLC CABLE ONE Inc. Wave Broadband TELINEA BOSNIA SIL-UBIT SK-Gaming via Gameserver Asuk Creative Limited OVH SAS
1.17.2010 DD0S KORNET TOR node SHAWCABLE.NETE.NET BLUTMAGIE Olaf Selke Exploit Prevention Labs SCSNET-CATV-SEOKYUNG BORANET-1 Seoul Neucom Inc.

Pcaps have been parsed, there is much too much for a full disclosure, besides I don’t want to give out everything. Pcaps and forensics report have been passed to the authorities carrying out the investigation to add to the other data that they have gotten elsewhere.

The basics of the attack as of his last hit on me are these:

  • Using TOR nodes as well as perhaps a proxy, but most likely just tor sessions. If he were sneaky like though, he would be proxying to a box that then has poisoned TOR nodes at their disposal
  • Other compromised or complicit machines are also being used (admins will be contacted by authorities). I am sure there are thousands of these botnet machines that the C&C can use. The irony is that trying to stamp out the compromised C&C boxes is kinda like trying to DoS all the Jihadi websites out there. For every one you take down, there are 5 more mirrors out there for content to be broadcast from
  • Much of the traffic was being sent from the EU focusing in the DE region, but there was also some Korea in there
  • 30 minutes at a time.. Either paying for increments of time to a botherd, or, the TOR nodes throttle out as this is something they do to try and prevent this type of misuse
  • He’s using a combination of syn/fin TCP callouts to flood the system with junk and hose the webserver.
  • In the last attack he was using what looked like canned scan scripts to flood the server with junk calls for different protocols/ports etc
  • He seems to have been using a C&C system that would call up a JavaScript to check if the DDoS was in fact working. Now, if the script was working with the home IP address of the box initiating, then perhaps the GETs like the FIOS address were actually his box looking for a file. Or maybe it was someone working with him… Or.. Them.
  • The FIOS address made a DIRECT call out to my webserver looking for a WMV file. That file has only been linked to my WordPress blog from some time back. This access coincided with the timing of the attack to be used as a method of seeing how the server was responding. By looking at the download bar one could tell just how horked the system was. As well, the download initiation would also engage much of the server’s bandwidth making the attack work even faster. Would he be that foolish to actually make this mistake? He is rather full of himself so, yeah, he seemed to think that I was some IT auditor without skills so maybe he just got lax. Maybe he is just a stupid kid with impulse issues…
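The burst-plus-check pattern the bullets above describe (roughly 30-minute SYN/FIN floods, with a direct GET for the WMV file used to see whether the server was hurting) lends itself to a simple correlation on the defender's side. The script below is an added example and not part of the original post or the author's tooling: it builds a constructed minute-by-minute packet summary and a constructed Common Log Format access log (documentation-range placeholder addresses, a hypothetical path /media/talk.wmv), finds the flood windows from bare-SYN/FIN counts, and lists which clients fetched the file while a window was active. The threshold and function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"

def build_packets():
    """Constructed packet summaries as (timestamp, src_ip, tcp_flags).
    Baseline: three ordinary handshakes per minute from one client. Minutes
    10-39 add a flood of bare SYN/FIN packets from a pool of placeholder
    (documentation-range) addresses, mimicking the post's 30-minute bursts."""
    base = datetime(2010, 1, 17, 2, 0, 0)
    pkts = []
    for minute in range(120):
        t = base + timedelta(minutes=minute)
        for k in range(3):  # normal traffic: SYN, then the handshake ACK
            pkts.append((t + timedelta(seconds=k), "192.0.2.10", "S"))
            pkts.append((t + timedelta(seconds=k), "192.0.2.10", "A"))
        if 10 <= minute < 40:
            for k in range(300):
                pkts.append((t + timedelta(seconds=k % 60),
                             f"203.0.113.{k % 20}", "S" if k % 2 else "F"))
    return pkts

# Constructed Common Log Format lines. 198.51.100.7 is a placeholder for the
# "direct caller"; one WMV fetch lands inside the flood, one well after it.
ACCESS_LOG = """\
192.0.2.10 - - [17/Jan/2010:02:05:12 -0500] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [17/Jan/2010:02:18:41 -0500] "GET /media/talk.wmv HTTP/1.1" 200 83886080
203.0.113.4 - - [17/Jan/2010:02:22:03 -0500] "GET /cgi-bin/test.cgi HTTP/1.1" 404 512
198.51.100.7 - - [17/Jan/2010:03:30:00 -0500] "GET /media/talk.wmv HTTP/1.1" 200 83886080
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

def per_minute_syn_fin(packets):
    """Count packets per minute that carry only SYN or only FIN (no ACK)."""
    counts = Counter()
    for ts, _src, flags in packets:
        if flags in ("S", "F"):
            counts[ts.replace(second=0, microsecond=0)] += 1
    return counts

def flood_windows(counts, threshold=50, step=timedelta(minutes=1)):
    """Merge consecutive minutes at or above the threshold into half-open
    (start, end) windows. The threshold is a constructed value that sits far
    above the baseline of three bare SYNs per minute."""
    hot = sorted(m for m, c in counts.items() if c >= threshold)
    windows = []
    for m in hot:
        if windows and m - windows[-1][1] <= step:
            windows[-1][1] = m          # extend the current window
        else:
            windows.append([m, m])      # open a new one
    return [(s, e + step) for s, e in windows]

def parse_access_log(text):
    """Yield (timestamp, client_ip, method, path, status) per CLF line. Assumes
    the log and the capture share one local clock, so the offset is dropped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path, status, _size = m.groups()
            when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
            yield when, ip, method, path, int(status)

def requests_during_flood(packets, log_text, path_suffix=".wmv"):
    """Return the flood windows and each fetch of a matching file inside them."""
    windows = flood_windows(per_minute_syn_fin(packets))
    hits = [(ip, when.strftime(FMT), path)
            for when, ip, _method, path, _status in parse_access_log(log_text)
            if path.endswith(path_suffix)
            and any(start <= when < end for start, end in windows)]
    return windows, hits

if __name__ == "__main__":
    wins, hits = requests_during_flood(build_packets(), ACCESS_LOG)
    for start, end in wins:
        print("flood window:", start.strftime(FMT), "->", end.strftime(FMT))
    for ip, when, path in hits:
        print("direct fetch during flood:", ip, when, path)
```

On real data the packet tuples would come from a pcap parser and the threshold from the server's own quiet-hour baseline; a fetch outside every window (the 03:30 line here) is deliberately not reported.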

Once the investigators do their thing, the nodes that they can reach will be closed. The TOR server admins will be told about the events, and if they are keeping any logging at all, they likely will help out. However, the TOR is really meant to not have any logging. Kinda like ANONINE the proxy he has been using.

Also while looking about I noticed that mypetjawa seems to have redacted their post about j35t3r taking down Ahmadinejad’s site. Maybe it’s just an internal server error 500 as I see when I search their site directly, but it’s in their archive if you Google it. I am sure that DD0S-ing that site pretty much makes j35t3r no friends on either side of the political situation there.

… And me? My site? Still up.

Well, it’s no biggie if it’s down here and there. But, the opportunity to capture all the packet traffic, as well as get that .ru hotmail account from his direct correspondence is helping the boys do their thing. Of late though he has laid off with only the occasional twitter taunt to get me to respond.

Weak attempts at best.. And such bravado talking about how he has bested me. Well, it’s not really me he has to worry about. He will do himself and his pals in quite nicely on his own I think.

It’s mostly out of my hands now… Oh and deleting Twitters won’t be helping either.. Google cache is a wonderful thing.

Hope you look good in orange j35t3r, cuz I think that is the color that they will be giving you.



Written by Krypt3ia

2010/01/21 at 03:19

Framed for Child Porn: The State of Digital Forensics and the Law


Of all the sinister things that Internet viruses do, this might be the worst: They can make you an unsuspecting collector of child pornography.

Heinous pictures and videos can be deposited on computers by viruses — the malicious programs better known for swiping your credit card numbers. In this twist, it’s your reputation that’s stolen.

Pedophiles can exploit virus-infected PCs to remotely store and view their stash without fear they’ll get caught. Pranksters or someone trying to frame you can tap viruses to make it appear that you surf illegal Web sites.

Full Article

Aside from the US pronunciation of Paedophile, I can’t fault the premise here nor the overarching idea that the American justice system is ill prepared to handle these cases properly.

Having been on the periphery of the Amero case, I saw first hand how the prosecution, the police, and the legal system in general were really quite incapable of understanding the evidence, never mind the principles behind the processes going into gathering that evidence “per legal requirements”.

So, that brings us up to this article and the case it cites. This poor bastard has had his life ruined because of a piece of malware and a lack of comprehension on the part of the justice system. His life is ruined and he has no redress because the state cannot be sued for any amount of money worth suing for! That is utter bullshit and it has to stop.

Now, on the side of the equation, it can be difficult if not darn near impossible at times to say unequivocally that someone actually “did” the crime in question. It is all dependent on many factors when you take a “no write” image of the subject machine. Had the machine been tampered with before seizure? Is there malware on there that is home brew and subtle enough to miss? Have the user’s ID and password been compromised and the system physically accessed by someone else to perform these acts?

Many questions and as an expert witness you may not be able to decisively say yes to anything. It’s a slippery slope. Now add to this that there are many prosecutors out there looking to make a mark on the world by making a case even with weak or no real concrete evidence to prove it. All of this could find you in jail with no real way to prove your innocence because the system still does not “get” the whole “Digital Forensics” thing.

All I know is I am going to take that CHFI test and hope that the system changes…

Written by Krypt3ia

2009/11/11 at 00:29

Does Your Company Classify, Protect, and Track Its Data?


Ex-Ford employee held in data theft

Engineer charged with copying proprietary documents and trying to sell them in China

Bryce G. Hoffman / The Detroit News

The Justice Department charged a former Ford Motor Co. engineer with stealing company secrets and trying to peddle them to Chinese competitors.

Chinese-born Xiang Dong Yu — also known as Mike Yu — was arrested Wednesday at Chicago’s O’Hare International Airport when he tried to re-enter the country from China. The 47-year-old is charged with five counts of theft of trade secrets, attempted theft of trade secrets and unauthorized access to a protected computer.

According to a federal indictment unsealed Wednesday, Yu was a product engineer for Ford from 1997 to 2007 and had access to Ford trade secrets. Law enforcement officials say that, just prior to leaving the Dearborn automaker, Yu copied thousands of confidential documents, including what they described as “sensitive Ford design documents” and “system design specification documents.”

Full Story Here:

Ya know, is it me, or are we seeing more cases of industrial espionage from China lately? Hmmm, guess it’s just my imagination… NOT. So, this begs a question:

“Just how many more cases have there been that just never got caught on to?”

Now, I assume that Ford caught on to his espionage by one of two scenarios:

  • Yu was sloppy and someone in his group of workmates saw or felt that he was taking large amounts of data or acting strangely
  • Yu was caught with auditing from the file servers that he was accessing the data from

Now, I would love to think that they had auditing measures in place and caught on to his taking of mass quantities of data by copying them to an external drive… But… Well, given what I have seen in many companies, this just isn’t as likely a scenario as one might suspect.

So, ask yourself this question.. Just how many companies out there that make important machines, or hold important data, actually are performing the “due diligence” to protect their own IP from being stolen and placed in the hands of the likes of China?

My last post has insight into the collective mindset at many corporations. Security has always been the first budget to be cut in bad times and even today, with all the threats in the environment, the corps still cut off their nose to spite their face.

Now take this idea and apply it to the government. A place where turf wars are preventing proper securing of the space and laws are weak…

Good god we are screwed…

No wonder all of the “Cyber Tsars” keep quitting eh?

Just sayin…

Anyway, one has to wonder just how much of our data is in Chinese hands by the likes of Mr. Yu and others like him… Perhaps we will never know because companies are just not able to, or willing to, implement the right proactive remediations to stop them, if not just track their data leaving their domains…

** EDIT ** Well in looking through some Google searches it seems that they caught Yu getting OFF the plane from Mainland China.. So.. OOPSIES, I guess Ford was not too proactive were they… Damage done.

Dear Rod Beckstrom: To quote Inigo Montoya “I no think he knows the meaning of what he says”


Rod Beckstrom, who resigned in March as director of the National Cyber Security Center at the Homeland Security Department, said in an interview that he feared that the N.S.A.’s push for a greater role in guarding the government’s computer systems could give it the power to collect and analyze every e-mail message, text message and Google search conducted by every employee in every federal agency.

Mr. Beckstrom said he believed that an intelligence service that is supposed to focus on foreign targets should not be given so much control over the flow of information within the United States government. To detect threats against the computer infrastructure — including hackers, viruses and intrusions by foreign agents and terrorists — cybersecurity guardians must have virtually unlimited access to networks. Mr. Beckstrom argues that those responsibilities should be divided among agencies.

The rest is HERE

I’m sorry Mr. Beckstrom, you seem to be confused. Had you not been paying attention to the news these last few years? Your fears are a little off the mark. You see, you might have to go read about the NARUS STA 6400 that was put into the MAE West in San Francisco as well as all the others at the MAE facilities.

What’s that? You don’t know what that means?

It means that the internet as we know it has already been BACKDOORED my friend. SO, giving the NSA any more powers as you conceive it is a MOOT POINT. Now, add this to the warrantless wiretapping litigation and the sovereignty cover case that the Obama Administration just made, and you have no argument to make really.

It isn’t that I agree with it all.. I don’t.. BUT you need to pay attention before you open your mouth and quit.


Written by Krypt3ia

2009/04/17 at 14:23

Ghost Net: Aka Subseven or any other trojan backdoor program


LONDON, England (CNN) — Nearly 1,300 computers in more than 100 countries have been attacked and have become part of a computer espionage network apparently based in China, security experts alleged in two reports Sunday.

The network was discovered after computers at the Dalai Lama's office were hacked, researchers say.

Computers — including machines at NATO, governments and embassies — are infected with software that lets attackers gain complete control of them, according to the reports. One was issued by the University of Toronto’s Munk Centre for International Studies in conjunction with the Ottawa, Canada-based think tank The SecDev Group; the second came from the University of Cambridge Computer Laboratory.

Researchers have dubbed the network GhostNet. The network can not only search a computer but see and hear the people using it, according to the Canadian report.

“GhostNet is capable of taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras,” the report says.

The discovery of GhostNet grew out of suspicions that the office of the Dalai Lama had been hacked.


The Rest

Ok, well, there is nothing really new here except that this is a nation state (Our Chinese Overlords) using a back door to perform a massive and orchestrated intel harvesting operation… And perhaps got caught. Of course, put this in tandem with the efforts of the likes that wrote “Conficker” and we have something interesting to talk about.

I would like to get a copy of this “Ghost Net” to pick apart…

Until then, Tracking GhostNet is the paper the article mentions.

Written by Krypt3ia

2009/03/30 at 01:28

Digital DNA


“Today the majority of malware cannot be detected by signature-based security solutions and other traditional security methods. While these solutions play a role in a company’s defense-in-depth security strategy, malware now is more sophisticated and can easily go around these solutions,” said Greg Hoglund, CEO and founder of HBGary. “Our Digital DNA technology detects malware that is polymorphic, using advanced techniques or currently unknown that these solutions can’t find.”

HBGary Digital DNA: How it Works

Digital DNA is a patent-pending technology to detect advanced computer security threats within computer memory without relying on information provided by the computer’s operating system. All software modules residing in memory are identified and ranked by level of severity. The Digital DNA sequence appears as a series of trait codes which, when concatenated together, describe the behaviors of each software module. For an example of a Digital DNA sequence, please use this link. Observed behavioral traits are then matched against HBGary’s new Global Threat Genome database to classify digital objects as good, bad or neutral. The database currently contains more than 2500 codified behavior traits.

Full Article HERE

I recently had a discussion about the DNA traits that could be programmed digitally into malware/viruses. I am interested to see an RNA version too that would mutate with connection to other malware/viruses so they could trade and create new variants on their own.

With the advent of Conficker, I think this is getting closer to a reality. It is conceivable to create code that could mesh in a random mutation and thus generate new and interesting modus operandi.

On the other end of this I am sure that the presented methodology by HBGary will be all the rage in future attempts to detect and thwart all those pesky nasties.

Written by Krypt3ia

2009/03/26 at 01:16

Conficker C Variant: SRI Analysis



We present an analysis of Conficker Variant C, which emerged on the Internet at roughly 6 p.m. (PST) on 4 March 2009. This variant incorporates significant new functionality, including a new domain generation algorithm and a new peer-to-peer file sharing service. Absent from our discussion has been any reference to the well-known attack propagation vectors (RPC buffer overflow, USB, and NetBios Scans) that have allowed C’s predecessors to saturate so much of the Internet. Although not present in C, these attack propagation services are but one peer upload away from any C infected host, and may appear at any time. C is, in fact, a robust and secure distribution utility for distributing malicious content and binaries to millions of computers across the Internet. This utility incorporates a potent arsenal of methods to defend itself from security products, updates, and diagnosis tools. It further demonstrates the rapid development pace at which Conficker’s authors are maintaining their current foothold on a large number of Internet-connected hosts. Further, if organized into a coordinated offensive weapon, this multimillion-node botnet poses a serious and dire threat to the Internet.

Full report HERE

So, what does it all mean? What is the master plan for Conficker? The Cabal has not yet been able to find out who wrote it (but my guess is that they are Ukrainian) to track them down. Everything just looms over us as April 1 approaches and its activation day comes.

What’s missing here is the actual commands that the code is supposed to enact on April 1 though. I am sure they have decoded the bug and know, so why not let us all know? Perhaps the game is afoot and they plan on stopping a mass attack. Who knows…

What I find really interesting about the Conficker updates is that they seem to have thought this out very well. With the random DNS calls, the random sleep times, and other methods to obfuscate its presence, this bug would seem to have the ability to propagate itself, attack the internet, and possibly pass data to the herders at an incredible rate. All the while it would be unable to be stopped by common IDS/Firewalls etc.

April 1 will be interesting to say the least…

Written by Krypt3ia

2009/03/24 at 11:24

CSC to help combat cyber warfare


Published 18 March 2009

Cyberattacks pose a major threat to the welfare and security of developing countries; developing protection against that threat offers business opportunities

Cyber attacks are emerging as a major threat to the welfare and security of developing countries (see, for example, “FBI: U.S. Facing ‘Cybergeddon’,” 7 January 2009 HS Daily Wire). This means, among other things, that there are business opportunities in providing protection against this threat. Falls Church, Virginia-based Computer Sciences Corp. (NYSE: SC) has established a new virtual cybersecurity center in a move to help counter cyber warfare threats for clients. CSC said the center — which will include the company’s Innovation Laboratory, Infrastructure Laboratory and Service Oriented Architecture Center of Excellence — will simulate cyber threats and potential security solutions.

Company officials said the security center would support security infrastructure, information assurance and identity management through understanding of information technology vulnerabilities. “Cyber warfare is one of the biggest threats to America, and CSC is applying our proven expertise and global capabilities to help government and commercial customers protect their networks,” James Sheaffer, CSC North American public-sector line of business president, said in a statement. “This new virtual facility will allow our customers to witness threats and see how effectively our programs engage to block potentially devastating intrusions.”


I work with these clowns as a company for support… I seriously doubt they are capable.

Written by Krypt3ia

2009/03/19 at 21:24