Archive for the ‘FUD’ Category
Recently Recorded Future caused a stir in the media over what they gathered through OSINT on jihadi crypto since the Snowden revelations. This report nearly gave me an aneurysm from its simplistic approach to the problem and its deep lack of knowledge on the subjects of crypto and jihadism. This report nonetheless made the rounds and ended up on places like NPR (which RF cited in their report, LA DE DA), adding cachet to it all.
The reality though is that RF has in fact only seen one small slice of a larger issue concerning crypto, propaganda, jihad, and the GWOT in general, and it makes me mental when I see shit like this. So this post is to set some things straight, and I will be expanding on this with a guest appearance on The Loopcast to discuss all of it in a longer forum. For now though, let me splain some things.
Jihadi Crypto AFTER Snowden
Before Snowden the crypto choices for the jihadis online pretty much broke down to a couple of options: Mujahideen Secrets, a couple of other crappy ones, and PGP. I will tell you now that Mujahideen Secrets was the “gold” standard for these guys, and it was the suck to start with. So really, pre Snowden there were more limited options, sure, but the reality is that Mujahideen Secrets was only really used for low level talk between guys on jihobbyist boards and for emailing the brothers at Inspire their derpy ass questions about jihad.
The cryptography in Mujahideen Secrets was standard and the programming of the application itself was so-so. I looked at this before and didn’t think much of it back then. Today I think even less of the whole prospect of the great cryptojihad being an actual “thing” at all. Now, since Snowden, sure, there are more options out there and some may actually be well programmed and use cryptography that is solid. However, that does not mean that the real players are using them post Snowden. Nor does it mean that the players who ARE using the crypto are a serious threat to begin with.
Crypto is a Red Herring
Cryptography is only as good as its user in many cases. In the case of the jihadis out there on the net, they are mostly luddites when it comes to tech. Tell me RF, who do you have on your list of great jihadi hackers today? No, really, who do you have on that list? Don’t throw TH3PR0 at me either, because he is not a Muslim extremist as far as I have seen in his traffic. So who do you see as the great threat technically today? If a lot of these guys were adept at tech then most certainly their shitty sites wouldn’t be getting PWN3D all the time, right?
So there is that. Now look at the user base of the jihad. If you are not in country then you are elsewhere, on the Shamikh site spouting shit and throwing as much puffery as possible out there to look good for all the girls, right? On the whole, after watching these guys I have to say that the majority aren’t the swiftest boats in the river nor the sharpest blades in the drawer, if you catch my drift. So how many of these guys do you figure are gonna be able to handle a two key system effectively and not fuck up the key exchange right off the bat?
*Let me give you a hint... I have seen these idiots place their PRIVATE keys on the Shamikh site*
These guys are like any other users in the base of common people who have trouble comprehending how crypto works, never mind how to send a PUBLIC key to the person they want to talk to! So I say to you all here and now, the issue of crypto with these guys on the net is a complete red herring and just a means to an end for RF to get clicks and revenue.
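The failure mode above (a user who means to publish a public key and pastes the private key block instead, or half a block) is trivially detectable by anyone scraping the board. The following is an added example, not code from the original post or from any tool it mentions: it classifies OpenPGP ASCII armor blocks in a set of constructed forum posts and flags leaked private keys and unterminated pastes. The post bodies and IDs are made up for illustration.

```python
import re

# OpenPGP ASCII armor headers (RFC 4880, section 6.2). The block type in the
# BEGIN line must match the END line; the regex captures it so we can tell a
# harmless public key paste from a leaked private key.
ARMOR_BLOCK_RE = re.compile(
    r"-----BEGIN PGP (PUBLIC KEY BLOCK|PRIVATE KEY BLOCK|MESSAGE|SIGNATURE)-----"
    r"(.*?)"
    r"-----END PGP \1-----",
    re.DOTALL,
)
BEGIN_LINE_RE = re.compile(r"-----BEGIN PGP ([A-Z ]+)-----")

# Constructed forum posts, not real traffic. Post p2 is the failure mode the
# text describes: a user who thinks he is publishing his public key but pastes
# the private key block instead. Post p3 is a truncated paste with no END line.
SAMPLE_POSTS = [
    ("p1", "brothers, my key:\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nmQENBF...\n-----END PGP PUBLIC KEY BLOCK-----\n"),
    ("p2", "my public key, write to me:\n-----BEGIN PGP PRIVATE KEY BLOCK-----\nlQOYBF...\n-----END PGP PRIVATE KEY BLOCK-----\n"),
    ("p3", "-----BEGIN PGP MESSAGE-----\nhQEMA...\n(rest cut off)"),
    ("p4", "no keys here, just posturing"),
]


def classify_armor_blocks(body):
    """Return the types of complete armor blocks found in a post body, in order."""
    return [m.group(1) for m in ARMOR_BLOCK_RE.finditer(body)]


def find_unterminated_blocks(body):
    """Return BEGIN block types that have no matching END line (a partial paste)."""
    complete = classify_armor_blocks(body)
    unterminated = BEGIN_LINE_RE.findall(body)
    for kind in complete:
        unterminated.remove(kind)
    return unterminated


def audit_posts(posts):
    """Flag posts that leak a private key or contain a half-pasted armor block.

    Returns {post_id: [finding, ...]} for posts with at least one finding.
    """
    findings = {}
    for post_id, body in posts:
        issues = []
        if "PRIVATE KEY BLOCK" in classify_armor_blocks(body):
            issues.append("private key leaked")
        for kind in find_unterminated_blocks(body):
            issues.append("unterminated %s" % kind)
        if issues:
            findings[post_id] = issues
    return findings


if __name__ == "__main__":
    for post_id, issues in audit_posts(SAMPLE_POSTS).items():
        print(post_id, issues)
```

The same check, run against your own mail archives or ticketing system, catches the identical mistake made by non-jihadi users; the armor headers are the same everywhere.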
So let’s get past all the crap about “ZOMG SNOWDEN GAVE THE JIHADIS INTEL!!” and speak about the realities. Sure, the jihadis saw what was being dropped and they learned from it. They immediately went out to create new means of having encrypted traffic, sure. However, ask yourselves how many of these guys using this stuff are really hard core AQ/ISIS/ISIL/AQAP etc. guys? The truth of the matter is that the core AQ types are not even using the net, because of fears that anything they do will be compromised.
For instance: post 9/11 UBL started using a sneakernet approach with REAL TRADECRAFT to carry his messages to his commanders. They carried messages by hand, and if they used the net they did so sparingly for key comms. They did this because they knew (or more accurately, assumed) that the net was PWN3D, and they already knew communications like SATPHONE were tagged. After all, UBL’s SATPHONE had already been compromised and he found out after an attack.
My point here is that OPSEC and TRADECRAFT are important. If you have good crypto but you fail at OPSEC and TRADECRAFT then you lose. An example of this is that the Inspire accounts that they published in their so called magazine were Gmail and Hotmail accounts. That’s right kids, the jihadis were emailing their super secret questions and other things right to the NSA!
…But you think.. THEY USED CRYPTO! HA HA!
No, you see, they have the account... Then when YOU email them they have YOUR account too. See where I am going? Relational databases and bad OPSEC put the jihadi on the list for flights to GITMO. On average these guys were not practicing proficient OPSEC and thus were likely to give up their private information along with the accounts, and thus you have a black van or a drone showing up in the current GWOT. Crypto is not the answer, nor is it the rubric to hang your hat on as to how a leak has compromised operations for the US.
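To make the “relational database” point concrete: encrypted bodies don’t matter once you hold the mailbox, because the metadata alone gives you every correspondent and, one hop further, their correspondents. This is an added example, not code from the original post, running a breadth-first expansion over constructed (sender, recipient) records; the addresses and the seed mailbox are invented for illustration.

```python
from collections import defaultdict, deque

# Constructed message metadata (sender, recipient); no real accounts. The
# "inspire-mag" address stands in for a published contact mailbox; anyone who
# writes to it lands one hop away, and their own correspondents two hops away.
SAMPLE_METADATA = [
    ("reader1@example.net", "inspire-mag@example.com"),
    ("reader2@example.org", "inspire-mag@example.com"),
    ("inspire-mag@example.com", "reader1@example.net"),
    ("reader1@example.net", "cousin@example.net"),
    ("unrelated@example.net", "other@example.org"),
]


def build_contact_graph(records):
    """Undirected who-talked-to-whom graph from (sender, recipient) pairs."""
    graph = defaultdict(set)
    for sender, recipient in records:
        graph[sender].add(recipient)
        graph[recipient].add(sender)
    return graph


def expand_watchlist(graph, seeds, max_hops):
    """Breadth-first expansion from known accounts.

    Returns {account: hops_from_nearest_seed} for every account within
    max_hops. Message content never enters into it; only the metadata edges do.
    """
    distance = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        account = queue.popleft()
        if distance[account] >= max_hops:
            continue
        for peer in sorted(graph.get(account, ())):
            if peer not in distance:
                distance[peer] = distance[account] + 1
                queue.append(peer)
    return distance


if __name__ == "__main__":
    graph = build_contact_graph(SAMPLE_METADATA)
    watchlist = expand_watchlist(graph, ["inspire-mag@example.com"], 2)
    for account, hops in sorted(watchlist.items(), key=lambda kv: (kv[1], kv[0])):
        print(hops, account)
```

Note that the hop limit is the only thing keeping the list small; with real traffic volumes a two-hop expansion from one seed mailbox covers a great many people who never wrote to it at all.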
Recorded Future has just taken a slice of the problem and blown it out of proportion for attention and that is a disservice. So please mass media ask some more questions on this. Don’t run with the Snowman OMG story because that is bogus. I know you won’t listen to me but hey a man’s gotta try right? The rest of you out there who read this blog likely already understand this and I am preaching to the choir.
I will look at the various crypto programs soon and critique them, as well as use the data to track some of these idiots just to show the MSM how easy it can be to track them. I have done it before and man, sometimes these guys just make it too easy. Like that jihadi who thought he was l337 by putting up YouTube videos of himself hacking... With his own IP...
SUPER DERP.. But now he has CRYPTO post SNOWDEN OMG!
PS.. Look for the Loopcast podcast on all this coming soon.
The Mujahideen Secrets program for crypto has been around for a long time for those who wanted to connect in the jihad online. I looked at it a long time ago and didn’t think much of it to begin with, but it has been around a while and in use by some. Recently there has been some tongue wagging that the Snowden Effect has deeply scarred the GWOT because actors (aka the jihadis) are now changing their patterns of behaviour and creating new crypto and comms. While this program was out there for use to, say, communicate with AQAP on their Inspire Gmail account, it wasn’t, as far as I have seen over the years, the go-to for securing communications for the jihobbyists. In fact, I would posit that people are people and crypto is hard, so not many really adopted the technology in the first place.
Since the program had been kicking around the internet so long, my assumption was that it was broken already, or more likely tampered with to allow for easier reading by security services. So with that said, and I think some others within the jihad actually thinking the same, it became just another not often used tool in the arsenal for communication between the jihadis on the internet boards. Of course one must also take into account just how many of these people on the boards are “active” in the jihad and not just “jihobbyists” who want to blow smoke online but would never turn it into real terroristic action.
Pre and Post Snowden:
So the articles out there from Recorded Future, which are pretty much a theft of a MEMRI document by the way, purport that since Snowden dropped all his data online people are changing their operational patterns. I say that they are perhaps just seeing the crust of the data and not the innards of the problem statement. There may be a lot of chatter about not using Mujahideen Secrets anymore or about using other technologies, but one has to look at the problem from the social/networking standpoint of a fractured AQ/global jihad now as well. This is where I think they are failing.
GIMF is back and the groups are scrabbling for purchase in the jihad because of things like ISIS causing a stir, Boko Haram as well, and other players out there looking to be the big boss of jihad. Online the boards have been rife with hack attacks, paranoia, and a general malaise of people not actually doing anything but the usual spewing of dogma and posturing. So really, when one starts talking about the online jihad and the use of crypto the reality is on the whole that the online jihad is just a side show to the real deal that happens off the net. Communications are being handled offline now altogether with couriers and paper or USB drives and phones. It has been that way for a long time actually and the general public just doesn’t get this from the press.
The final analysis of this story is pretty simple and it is this: Mujahideen Secrets and the other new technologies being offered by GIMF are just fluff. The changing of tactics is only natural after any kind of leak that the nation states are watching, and frankly since Snowden this should be a global reality and thus no surprise really. All of the people bemoaning it are, in my mind, just doing so to toe the party line and aren’t really facing the reality that the game is up. Secondarily, in the case of the jihad the game was pretty much a kids’ game to boot, so please don’t moan about it in the press to make the general populace feel the fear again so you can go on about your business of “surveilling all the things”.
This is much more a political power play than it is anything else and reading this tripe in the news makes me gag.
Threat intelligence is the new hotness in the field of information security and there are many players who want your money to give you their interpretation of it. CrowdStrike, Mandiant, and a host of others all offer what they call threat intelligence, but what is it really in the end that the customer gets when they receive a report? Too often what I am seeing is reports based on suppositions and little critical thinking rather than the traditional raison d’être of a threat intelligence report: actors that may have an interest in your environment. A case in point is the report from HP that was conveniently released right in time for this year’s RSA conference in San Francisco.
This report on the Iranian cyber threat was hard to read due to the lack of real product, or knowledge thereof, that would have made it useful to anyone seeking true threat intelligence on an actor that may have interests in them. With a long winded assortment of Googling presented as Open Source Intelligence, this report makes assumptions about state actors’ motivations as well as about non state actors who may, or may not, be acting on behalf of the Basij or the Iranian government altogether. While the use of Google and OSINT is indeed a valid way of gathering said intelligence, intelligence is not “intelligence” until proper analysis is carried out on it. This was one of the primary problems with the HP report: the analysis was lacking, as was the use of an intelligence analyst who knew what they were doing.
Clients and Products:
When carrying out any kind of intelligence gathering and analysis you must first have a client for the product. In the intelligence game you have “products” that “clients” consume, and in the case of the HP report on Iranian actors it is unclear who the client is supposed to be. There are no direct ties to any one sector or actor for the intelligence to have any true “threat matrix” meaning, and thus this report is of no real use. These are fairly important factors when generating an analysis of a threat actor and the threat vectors that may affect a client, when creating a report that should be tailored to the client paying for it. Of course the factors of threat actors and vectors of attack can be general at times, and I assume that the HP analyst was trying to use this rather wide open interpretation as a means to sell HP services in the near future. I am also willing to bet that this report was a deliberate drop for RSAC and they had a kiosk somewhere where they were hawking their new “Threat Intelligence” services to anyone who might want to pay for them.
In the case of this threat intelligence report, ask yourself just who the client is here. Who is really under threat by the alleged Iranian hackers that are listed? What sectors of industry are we talking about, and who are their primary targets of choice thus far? In the case of Iran there has also been a great deal of supposition as to these actors and their motives. The report makes allusions to state actor intentions but only lists known Iranian hacker groups that may or may not have affiliations with the government. The same can be said for their TTPs and other alleged data within the report. The important bit about threat intelligence in the world of information security is that you need hard data to model the threats and the actors for your specific company, and this report generates none of this. This fact makes the report not really threat intelligence at all, not in the sense of either true intelligence or corporate intelligence.
The collection of intelligence is an arduous process that should be carried out by trained individuals. There are so many pitfalls that can befall an untrained analyst that could make the product of the report biased or useless in the end, and these things should be avoided. In the case of corporate intelligence reporting and threat intelligence the same is true. Just carrying out some OSINT on some individuals and outputting what you find by stringing together assumptions is not a valid way of carrying out intelligence reporting, nor is it the correct way to gather intelligence. The collection of intelligence in the information security spectrum should also include direct data on telemetry and known instances of attack against the organization in question to determine if they are in fact subject to the interests of the threat actor, such as Iran or SEA. The HP report lacks this context and thus is not much more than some suppositions about how you might be under threat from an amorphous threat actor, and thus is little more than FUD.
If you are going to collect intelligence I suggest that you get trained individuals to start or if you are interested in the subject yourself you can easily locate materials online to read on how to do so properly and avoid the common pitfalls like bias and group think. Intelligence collection is comprised of many facets. You need to be collecting information from a vast array of sources and methods before you attempt to analyze it and create any kind of cogent reporting for a client. In the case of the HP report you only have histrionic data from news reports and light analysis of websites owned by alleged hackers or state actors. True collection though for a client would also include detailed data or knowledge of their business, their technical measures, and their history to create a cogent picture of their business and the threats that they may face from the actors out there who may have interest in them. The HP report lacks this and that is unfortunate.
The analysis of intelligence is, as I said above, a learned skill that must be honed in order to perform it correctly. Analysis in and of itself takes all of the data out there and generates a report on the entirety of the data, for and against, positive and negative. Anything short of this kind of holistic analysis of information in a report of this kind only serves to mislead the client and is usually quite incorrect. An example of this would be the White House Iraq Group’s (WHIG) assessment of Iraq’s WMDs and intentions pre Gulf War II. In that case however it was even worse, because the intelligence was fit to the political desire of the administration and thus was not really analysis nor intelligence product. In the case of the HP report there is a narrow swath of data that was alleged to be collected (presented in footnotes or screenshots), in addition to snippets of news media presented as intelligence.
To analyze intelligence one must first have proficiency in the disciplines of intelligence gathering, analysis, and the particular subject matter. In the case of the HP report, there is a lack of comprehension of the politics of Iran, which might be drivers for the alleged hackers or state actors. There is also a lack of rigorous interrogation of the data presented as intelligence to test whether or not there may be a disinformation campaign or deception operations at play as well. Put simply, the analyst for HP did not take into account that this is in fact a nation state and that they may in fact be leading such analysts down the primrose path to obfuscate the real actors. This was not even considered in the report, which just paints the alleged hacker groups as more than likely linked to nation state activities. This is poor analysis even if there may be some truth to it; without rigorous investigation and questioning there can be no solid conclusions. The net net here is that analysis of intelligence is not just looking at websites and making assumptions.
Reporting intelligence is a key part of the overall process within all types of intelligence activities. A report, as stated above, must have a client, and in the case of the HP report I would once again ask who the client is here. What type of business should be worried that they may fall into the targeting of the nation state of Iran or these Iranian hackers? What sectors of business should be more worried than others? In the case of the HP report I suspect there was no real client, but it should never be forgotten why one is carrying out the intelligence cycle and just who your client is, in order to tailor the report so they can use the information in a productive way. Form and formats change, but the aim of the report is to apprise your client of the five W’s (Who, What, Why, Where, and When), and that should be paramount in your efforts at collection and reporting of any kind of intelligence.
My analysis here is this: “Buyer beware”. Threat intelligence may be all the rage as services go, but really think about what you are getting as product. Ask yourselves just what you are looking for when you consider buying into threat intelligence services and how you may be getting it. If you are looking to see what your current threats are, your analyst should be asking you to provide intelligence on you first, in order to see who might be attacking you. The technical means of log analysis and telemetry are an integral part of the process here for threat intel for corporate bodies and should always be a part of the process. Any other reporting on threat actors without a defined and direct mapping to your org is nothing more than news reports on possible terrorists who may or may not be attacking in the near future somewhere near you. This is not threat intelligence, nor is it giving you a true picture of the threats you may face.
VQX HWMVCUSE JQJFASSNTG QV! X HQ JD ISIAVVE!
Face it.. We are all PWND six ways to Sunday
Every frigging day we hear more and more about how the NSA has been emptying our lives of privacy and subverting the laws of this land and others with their machinations. It’s true, and I have been saying as much since the day Mr. Klein came out of his telco closet and talked about how the NARUS system had been plugged into the MAE West back in the day. We are all well and truly fucked if we want any kind of privacy today kids and we all need to just sit back and think about that.
*ponder ponder ponder*
Ok, I have thought about it and I have tried to think of any way to protect myself from the encroachment of the NSA and all the big and little sisters out there. I am absolutely flummoxed to come up with any cogent means to really and truly protect my communications. Short of having access to the NSA supercloud and some cryptographers, I don’t think that we will truly have any privacy anymore if we place anything on the net, or in the air. We have reached, in my opinion, the very real possibility of the N-Dystopia I have talked about before in the Great Cyber Game post.
As the pundits like Schneier and others groan on and on about how the NSA is doing all of this to us all, I have increasingly felt the 5 stages of grief. I had the disbelief (ok, not completely, as you all know, but the scope was incredible at each revelation). Then the anger came and washed over me, waves and waves of it, as I saw the breadth and scope of the abuse. Soon though that anger went away and I felt the bargaining phase begin. I started to bargain in my head with ideas that I could in fact create my own privacy with crypto and other OPSEC means. I thought I could just deny the government the data. I soon began to understand though that no matter what I did with the tools out there, it was likely they had already been backdoored. This became all the more the case once the stories came out about how the NSA had been pressuring all kinds of tech companies to weaken standards or even build full back doors into their products under the guise of “National Security”.
Over time the revelations have all led to the inescapable truth that there is nothing really anyone can do to stop the nation state from mining our communications on a technological level. Once that had fully set in my mind, the depression kicked in. Of late I have been more quiet online and more depressed about our current state as well as our future state with regard to surveillance and the cyberwarz. I came to the conclusion that no matter the railing and screaming I might do, it would mean nothing to the rapidly approaching cyberpocalypse of our own creation. ...In short, we can’t stop it, and thus the last of the five stages has set in for me. I accept that there is nothing I can do, nay, nothing “we” can do to stop this short of a bloody coup on the government at large.
I now luxuriate in my apathy and were I to really care any more I would lose my fucking mind.
OPSEC! OPSEC! OPSEC!
Speaking of losing one’s mind... Lately people have all been yelling that OPSEC is the only way! One (the grugq) has been touting this and all kinds of counterintelligence as the panacea for the masses on these issues. Well, why? Why should we all have to be spies just to have a little privacy in our lives, huh? I mean it’s one thing to be a shithead and just share every fucking stupid idea you have on FriendFace and Tweeter, but really, if you can’t shut yourself up that is your problem, right? No, I speak of the everyday email to your mom telling her about your health status or maybe your decision to come out, etc. Why should the government have eminent domain digitally to look at all that shit now or later?
If you take measures to protect these transactions and those measures are already compromised by the government why then should you even attempt to protect them with overburdened measures such as OPSEC huh? I mean, really if you are that worried about that shit then go talk to someone personally huh? I know, quite the defeatist attitude I have there huh? The reality is that even though I claim not to be caring about it (re: apathy above) I actually do but I realize that we no longer have privacy even if we try to create it for ourselves with technical means. If the gov wants to see your shit they will make a way to do so without your knowing about it. I fully expect someday that they will just claim eminent domain over the internet completely.
Fuck OPSEC.. I want my government to do the right thing and not try to hide all their skirting of the law by making it classified and sending me an NSL that threatens to put me in jail for breaking the law.
Fuck this shit.
Then we have the CYBERWARZ!! Oh yeah, the gubment, the military, and the private sector all have the CYBERWARZ fever. I cannot tell you how sick of that bullshit I am, really. I am tired of all the hype and misdirection. Let me clear this up for you all right here and right now. THERE IS NO CYBERWAR! There is only snake oil and espionage. UNTIL such time as there is a full out kinetic war going on where systems have been destroyed or compromised just before tanks roll in or nukes hit us, there is no cyberwar to speak of. There is only TALK OF cyber war... Well, more like masturbatory fantasies by the likes of Bejtlich et al. in reality. So back the fuck off of this shit, mmkay? We do not live in the world of William Gibson and NO, you are not Johnny Mnemonic, ok!
Sick. And. Tired.
I really feel like that Shatner skit where he tells the Trekkies to get a life…
Awaiting the DERPOCALYPSE
All that is left for us all now is the DERPOCALYPSE. This is the end state of INFOSEC to me. We are all going to be co-opted into the cyberwarz and the privacy wars and none of us have a snowball’s chance in hell of doing anything productive with our lives. Some of us are breaking things because we love it. Others are trying to protect “ALL THE THINGS” from the breakers and the people who take their ideas and technologies and begin breaking all those things. It’s a vicious cycle of derp that really has no end. It’s an ouroboros of fail.
RAGE! RAGE! AGAINST THE DYING OF THE PRIVACY! is a nice sentiment, but in reality we have no way to completely stop the juggernaut of the NSA and the government, kids. We are all just pawns in a larger geopolitical game and we have to accept this. If we choose not to, and many have, then I suggest you gird your loins for the inevitable kick in the balls that you will receive from the government eventually. The same applies for all those companies out there aiding the government in their quest for the panopticon or the cyberwarz. Money talks, and there is so much of it in this industry now that there is little to stop its abuse as well.
We are well and truly fucked.
So, if you too are feeling burned out by all of this take heart gentle reader. All you need do is just not care anymore. Come, join me in the pool of acceptance. Would you care for a lotus blossom perhaps? It’s all good once you have accepted the truth that there is nothing you can do and that if you do things that might secure you then you are now more of a target. So, do nothing…
There are known knowns; there are things we know we know.
We also know there are known unknowns; that is to say, we know there are some things we do not know.
But there are also unknown unknowns – the ones we don’t know we don’t know.
“Mandrake, come over here, the Redcoats are coming!”
THE IRANIANS ARE DDOS’ing OUR BANKS! UNCLE FRED CAN’T SEE HIS BANK ACCOUNTS OH THE HUMANITY!
The hue and cry over the DDoS that has been taking place since the summer on certain banks has been increasing over the last week, and of course the secret squirrels and the hangers on who want to sell their wares and stories have been rife in the mainstream media. Of course the likes of Droopy Dawg (former Senator Lieberman) have also been making the rounds at podiums near you, droning their dire warnings that Iran is double secretly “out to get us with cyber attacks”.
Several of my contemporaries have posted articles this week pointing out that the emperors, all of them, have no clothes on, and yet only within this small ’verse known as the INFOSEC community am I seeing this fact being pointed out at all. It’s sad really that we, the community in the know, should be so marginalized by the media because we do not take the party line. Thus the truth of the matter never reaches the unwashed masses and they live on in mortal fear and loathing of the great Muslim Shaitan that is Iran.
For us in the know though, we can only continue to say “No, that’s not what’s happening” to those who will listen or yell it out as I am here once again on my screed… Uhh.. I mean blog. Sad but true as well as for me at least cathartic to at least yell in ALL CAPS for a while. I feel better usually after a good screed here…
But I digress…
“What difference does it make if it’s true? If it’s a story and it breaks, they’re gonna run with it.”
Truth is something that media outlets and the government tell you they are giving you but really are they? In the case of the DDoS attacks on the banks there is no solid evidence as to any kind of attribution of who is doing it. This however has not stopped “government sources” and certain secret squirrels within the INFOSEC community *cough VENDORS cough* who are more than willing to tell you that it’s GOTTA be Iran. Why? well… Because.. IRAN DAMMIT! That’s about the sum of it right there. It is so because they say it is, we don’t need no stinkin proof or anything do we?
Now, had any of these people made the caveat that there is no real proof of this but my gut says it’s Iran, that’d be ok, but then again really? Really? That’s going to be an answer? If there is no proof then you say that there isn’t any and that you CANNOT say who did it. It’s simple really, but instead we get the Iran angle because that is the party line for the saber rattling du jour, right? Who am I kidding though, right? After all, according to Karl “Turdblossom” Rove back in the Bush administration, “we make the reality”, right? So the reality is, since it’s on the news and the secret squirrels have told us on background, that Iran is HACKING OUR BANKS!
Hacking... Ugh, that’s another issue altogether. The nomenclature is completely ignored by the media and the masses just eat it up because it has the word “hack” in it and that is god damned scary! Never mind that the DDoS really isn’t that harmful to anyone. Honestly, DDoS of the banks does not mean that they are down for the count. Sure, they will lose some revenue while the sites are down, but this is no nuclear strike or massive hack on the banking system that siphons trillions of dollars to Swiss accounts à la Dr. No. It’s all really much ado about nothing, yet it is being flogged for the masses in what one assumes is a preparatory campaign against Iran and nothing more.
“Can’t have a war without an enemy…You could have one, but it would be a very dull war…”
So yeah, Iran is a repressive authoritarian theocratic government that treats its people poorly and seeks to present itself as powerful on the global scene. They do have some technological know how and they are fixin’ on getting them some revenge, but is a DDoS really going to be their raison d’être? Think about it: isn’t it laughable as a serious attack? Sure, Anonymous does it, but that isn’t all they have been doing, right? THEY have actually been HACKING!
Good lord! I mean c’mon people! If you are gonna frame up Iran for some cyber shit at least do it with some serious hacks against corporations or infrastructure!! Oh, wait, I know, if they were to really do that then there’d be some real reasons for action right? Then perhaps the people might ask if what they are being sold is the truth or not right? Ahh that must be it right there huh? Just some DDoS, pay no attention, it’s not the end of the world.. Oh and IRAN IRAN IRAN CYBER CYBER CYBER!
*subliminal fear images flash across the screen as Anderson Cooper looks sternly into the camera*
Derp derp derp… So yeah, the government needs an enemy and attribution is soooo hard! It’s Iran.. No doubt about it. No, really, it’s a really complex attack! I mean no ordinary group of hackers or security folks could do this kind of thing! Well, except for those guys who have bitcoins and go to the darknet and rent some botnets.. Wait.. SHHHH… It’s IRAN! It HAS TO BE IRAN! IT’S A NATION STATE DDoS!
*takes drag on cig and looks through wayfarers*
You people make my ass twitch…
No no no no no, fuck freedom.
So once again we are left with the media not taking the full measure of things and that even includes NPR which had a report this week that nearly gave me an aneurysm. Brian Krebs told me yesterday in fact that he declined an interview/comment on this because they were not really willing to hear the truth about this. By the way Brian KUDOS to you man. YOU are my new hero! I presume that others who lack a certain moral ethical compass will be blathering every chance they get and those people should be publicly taken to task for their perpetuation of this farce.
Of course others like Jeff Carr have been a voice of sanity on NPR and elsewhere in the past but you know what? Jeff’s logic and truth don’t make for bleeding headlines that will draw clicks for ad revenue will it? Marginalizing those who tell the truth that is too dull to sell ad space is the way of it today. So on it goes, the media drumbeat will continue saying that Iran is at the heart of every little cyber hiccup that we have from now on. Iran is in good company with China now. Hey, at least China isn’t alone! Now China can just glibly point at Iran and Mahmoud saying “It was them!” and surely many in the government and the media will say AH HA!
My friends, we are doomed. The truth no longer matters and I suppose it hasn’t for some time. I am a dinosaur, I suppose, to believe that there are truths out there that should be told. Could Iran be behind the attacks by using proxy orgs? Sure. Do we have definitive proof? No. That’s all that needs to be said. That is of course not what we are getting from the government and media today though.
Hmm, how long ’til Glenn Beck or O’Reilly are “Cyber Experts” I wonder….
Has AQAP Been Watching “The Dark Knight” Or What?
It seems lately that the officials out there “in the know” have decided to allow a leak about a certain 15 page report alleging that Al-Asiri, the mad bomber/designer and much-described “genius” of terror, has been attempting to perfect a design for an internal “body bomb”. Now, no one really knows if this is indeed “the truth” or just how far Asiri may have come in his plans to create these surgically implanted bombs. However, what one can extrapolate from the press on this thing and the sources on “background” willing to talk, is that this seems to be more of a propaganda ploy than anything else on the face of it.
While I have no doubt that this vector of attack has been on the minds of AQ for a long time, so too has the use of CBRN, but to date, they have not been able to do anything in those areas and in fact the BIO warfare program they tried to start was a miserable failure. So, do we really see them getting to the point where a convincing as well as operational “body cavity bomb” is actually put to the test? I suspect that it may be some time until such a plan is put together and operational but as the media would have it now, as well as those leaking the “details” here, they seem to be saying FEAR NOW!
The Case for Surgically Implanted Munitions: Possible, Crazy, Exceedingly Hard to Pull Off
Now that we are all abuzz about the “surgically implanted bombs” let’s take a look at the actual nitty-gritty of how this would have to be conceived and acted on to work.
- You have to have a willing shahidi… Well, there are some out there so there you go. One that is willing to have surgery as well as recuperation time, well, ok… Harder but possible
- You have to have a sealed, self contained system that will not bleed (inside the device) and make it malfunction
- You have to have explosives that are high power and yet only require small amounts to be of use
- You have to have no metal parts to pass through the magnetometer
- You have to have a surgeon or surgeons willing to do the cutting and sewing (Well Ayman is a Dr. after all too so…)
- The device will have to be hidden enough inside the body so as to not alert others and preclude mobility issues (i.e. small, though the BVD bombs seem to be so as well)
- Your detonator has to be either chemical or electric/remote (timed or say an RF device) I lean toward chemical for these but who knows
The Case for FUDDERY as A Means to an End For BOTH Sides
So, what we have here though seems to be a lot of clucking about bombs inside of people and the fear mongering that goes on with some quarters of the intelligence community feeding this all to the media. SOFREP, a site concerned with SOF (SPECOPS), had this story out there last week and now it seems to be making the rounds with backup data (background from anonymous sources) that the mad bomber is in fact working on this with a cadre of doctors. Of course one can only assume that this “data” is perhaps coming from the recent mole that got into AQAP posing as a suicide bomber and stole their new prototype BVD bomb.
If true, then yes, sure, they had plans and were trying to make a bomb system that would be hard to detect, I mean, how many MRIs are at the airports now huh? If this data did not come from the mole though (and there is data that this has been floating around now since at least last fall, way before mole man) then why now is this being thrust upon the media? Or, now that I think about it, there was that arrest of the guy with the pr0n that had the stegged “future work” file in there.
I am willing to bet that is the provenance of the file in question. Ok, so, there you have it. We have the plans and.. What.. Why release this to the public? I mean, what real purpose does it serve other than to scare the populace into submission? In the SOFREP report there is mention of something along the lines of “So how do you feel about your L3 machine now?” Uhhh, just fine really, I mean, it won’t help me if there is a surgically implanted bomb, but it gets much of the rest of the stuff when used properly. I am guessing that the impetus here was to make the TSA look good, by saying “you think you are hassled now, but look at what the jihadis are planning!”
Honestly, sure, it could happen, but the odds are slimmer than one might think, I think, and this seems to be a play here to manipulate the public mindset. Others have called the same foul on the play here but I just wanted to put it down here and sort through all the issues to ascertain where the truth might lie. In this case, for me, it seems like this story serves the purposes of both sides. For one, the security services here and the politicians both get a win by leaking data to sow fear, a fear that was ever so well used in the past (like G’Dub’s admin) and others to sway thought and perhaps lessen resistance to certain things. On the other side, this also works for AQAP because even if they are planning it, they are causing us to create even more elaborate Rube Goldberg devices to stop them, costing us more money and time.
It’s a win win for all of them.. FUD it seems is a booming business.
So, IF They Make These Bombs Happen Then What?
In the end, it comes down to this; “What are we going to do?” Do we really expect that we will now install MRIs and X-ray machines in the TSA lines to scan our internal organs as well as the sniffer/blower/wand/m-wave that we already have? This is a means of bombing that would be hard to detect if done well and certainly would not easily be seen under clothes or even with an M-Wave scan if it is not protruding/bulging the person’s body in some way. Hell, for that matter, AQAP should just be looking for morbidly obese shahidi candidates huh?
Certainly, leaking this data to the news serves little purpose other than to perhaps get people (including those on the hill) to buy into new measures and monies to appropriate them? It would not make one whit of difference in the current protection scheme now would it? Frankly, if AQAP and Al-Asiri have been working on this, and it were a major threat, I personally would not have been dropping this to the media. Keep the intel secret (as the report is alleged to be) and keep it out of the public eye…
Unless you all think that by leaking this data you are retarding the chances that AQAP will try this method? I really don’t think that will be the outcome here.
In the end.. I call shenanigans.
OMG! The Russians Are Attacking Illinois Water!
This last week we heard that a pump in a water system in Illinois ate itself and fried up. The reason for the pump doing so was soon discovered to be that someone from a Russian IP address had been messing with it remotely. Something that should not be readily possible, but it was available online remotely. Yes, that’s right, the vulnerable system was online for anyone with an IP address to hit up AND it was in such an un-secured state that pretty much anyone with a pulse could have messed with it. However, this isn’t the story that you get from the press and the talking heads in infosec. Instead you get…
The SCADA boogey man was out and had attacked our vital infrastructure!
Terrorism? Really? Messing about with a podunk water system is now terrorism? Seems to me that this system was already having problems since it was put in by the Curran-Gardner people (Problems with the Curran-Gardner SCADA systems can be found here) from their own accounts of what they had to fix since 2008 or so, including the wiring being set up wrong to start with on the system in one case as noted.
It turns out that the supervisory passwords were alleged to have come from a password database from the maker of the supervisory system that the Curran people decided to use. Now, given the poor system setup and all of the issues here so far seen in their own documents, I am hopeful that this was not a main supplier of systems to major corporations and governments.
Once again, this all seems rather opportunity-based than targeted to me. Someone popped a dbase at a maker who likely had their systems hanging in the lowest of the low hanging fruit state and the skiddies went on to locate another low hanging fruit target.. You guessed it… Curran-Gardner. The fact that they used a Russian IP address is as telling as a Don Rumsfeld news conference on “known unknowns” as well. So all this hand wringing by DHS and others over this little flap needs to just calm down and speak to the country soothingly…
Instead we get OMFG RUSSIA IS ATTACKING THE ILLINOIS WATER SYSTEMS! and the papers run with it.
THIS WAS NOT TERRORISM! THIS WAS SOMEONE MESSING AROUND!
How did the pump finally eat itself? Someone basically was flipping the digital light switch on and off.. That’s how. It could not take being turned on and off.
Wow, what resiliency!
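The two things that went wrong in the story above, a control system reachable from any IP address on the planet and someone cycling a pump on and off until it cooked, both leave a trail in the HMI command log, and both are easy to flag. The script below is an added illustration written for this post, not code from the original article or from any SCADA vendor. It assumes a constructed log format (timestamp, source IP, user, tag, command), an allow-listed operator network of 10.20.0.0/24, and a threshold of more than four start/stop transitions in two minutes; the sample log lines are made up and the external address is a documentation-range placeholder.

```python
"""Flag remote control commands from outside the operator network and rapid
start/stop cycling of a pump, using a constructed HMI command log.

Added example for illustration only (not from the original post). The log
format, field names, allow-listed network and thresholds are all assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Assumption: operator workstations live on this internal range. A control
# command from anywhere else means the HMI is reachable from outside.
OPERATOR_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Assumption: more than this many START/STOP transitions on one tag inside
# WINDOW is far faster than any operator would legitimately cycle a motor.
MAX_TOGGLES = 4
WINDOW = timedelta(minutes=2)

# Constructed sample log (not real data). Assumed line format:
# <ISO timestamp> src=<ip> user=<name> tag=<point> cmd=<START|STOP>
SAMPLE_LOG = """\
2011-11-08T14:00:05 src=10.20.0.15 user=oper1 tag=PUMP1 cmd=STOP
2011-11-08T14:31:10 src=10.20.0.15 user=oper1 tag=PUMP1 cmd=START
2011-11-08T15:02:01 src=198.51.100.77 user=admin tag=PUMP1 cmd=STOP
2011-11-08T15:02:09 src=198.51.100.77 user=admin tag=PUMP1 cmd=START
2011-11-08T15:02:18 src=198.51.100.77 user=admin tag=PUMP1 cmd=STOP
2011-11-08T15:02:27 src=198.51.100.77 user=admin tag=PUMP1 cmd=START
2011-11-08T15:02:36 src=198.51.100.77 user=admin tag=PUMP1 cmd=STOP
2011-11-08T15:02:45 src=198.51.100.77 user=admin tag=PUMP1 cmd=START
"""


def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
    except ValueError:
        return None
    if not {"src", "user", "tag", "cmd"} <= fields.keys():
        return None
    return {"ts": ts, **fields}


def is_operator_source(ip_str):
    """True when the command came from an allow-listed operator network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in OPERATOR_NETS)


def analyse(log_text):
    """Return a list of (kind, detail) alerts found in the log text.

    Check 1: any command from a non-operator address ("external_source").
    Check 2: per tag, count real START<->STOP transitions in a sliding
    WINDOW and alert once when the count first exceeds MAX_TOGGLES
    ("rapid_toggle"), regardless of which source sent them.
    """
    alerts = []
    recent = defaultdict(deque)  # tag -> timestamps of transitions in WINDOW
    last_cmd = {}                # tag -> last command seen, to detect transitions
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if not is_operator_source(ev["src"]):
            alerts.append(("external_source",
                           f"{ev['src']} issued {ev['cmd']} on {ev['tag']}"))
        tag = ev["tag"]
        if last_cmd.get(tag) != ev["cmd"]:  # only count actual state changes
            q = recent[tag]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) == MAX_TOGGLES + 1:  # alert once on crossing the threshold
                alerts.append(("rapid_toggle",
                               f"{tag}: {len(q)} transitions within {WINDOW}"))
        last_cmd[tag] = ev["cmd"]
    return alerts


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

Run it as-is and the first alert fires on the third line, before a single toggle has happened: the outside address alone is the finding, which is the whole point about not having these things on the internet. The toggle check is the backstop for the case where the operator network itself is compromised; the threshold is deliberately coarse, since pump cycling limits are plant-specific and belong in the HMI's own interlocks, not a log parser.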
OMG! Some Kid Learned How To Use Shodan!
I have news for you… This is no big secret. In fact, I was talking about these systems a while back after my fracas with Ol’ Craig “The END IS NIGH” Wright. A simple Shodan search turned up many a water system online and open to being poked at. In fact, as I remember it, the other system that has been talked about lately in Nevada, yeah, that one too was online and found on Shodan. Their systems were so horrid in fact that you could easily make a reservation to show up at Hoover dam as a VIP/Government visitor!
So, what’s the takeaway here? Well, that someone was messing around with SCADA because of two factors:
- It’s been in the news hyped ad nauseam as the panacea of the modern world and its final inescapable doom
- It’s been shown to be easy and the fools running these systems have made them even more insecure by putting the ICS online!
What have you all been thinking? Yes, you guys putting this shit online AND all of you out there SHOCKED that someone started messing with these systems that are so easily found and exploited online in bugsville Idaho!
Come on people, wake up! This is just the start here.. Expect more… AND NO, THEY WILL NOT BE ATTACKS COMING FROM AL-QAEDA. There’s just no real interest there on their part, these types of attacks on small water systems will not sow the mayhem and fear that they desire.
Get over it.. Deal with the real problems please.
OMFG! SOME SCADA SYSTEMS ARE ONLINE!
Next, let me step into the wayback machine and once again talk about the SCADA systems being online. I had an.. “argument” with Dr. Wright about the dire circumstances of SCADA systems being online. I had said that not all of them were online and Wright pretty much said:
“WE’RE DOOMED! HIDE YOUR WOMEN AND CHILDREN!”
To which I had a small aneurysm and went off on him.. Let’s just say that the whole thing got out of hand and Dr. Wright was shown by his own hand to be a chicken little with a tendency to spill secrets about previous engagements he had had. The net net here is this:
“Yes Mr. Wright, there are SCADA/ICS systems online, I have seen them.. BUT not ALL systems are and the important ones that I dealt with, were at least nominally protected behind firewalls and v-lans”
Hey, at least they tried huh? Unlike our water works friends in the news of late right? What’s more, I actually saw one system that was air gapped from the network proper. You would have to actually be on site to get at it.
So, yes, we are learning through Shodan searches as well as, unfortunately, in the news, that there are many stupid people running those systems. However, in all the searches of ICS/SCADA systems I did on Shodan, I really only found a couple places that made me say “crap”. The others were places like the podunk water supply..
And I am not worried that these will cause mass casualty events.. What it said to me is if stuff went down, some people would be buying bottled water for a while.
If They Attack Our Pumps They Will Then Escalate To Our Nuclear Missiles!
Moving on, one of the things that really peeved me off here about this little story on Illinois was that some were alluding that this could be the clarion bell that the end is nigh. The thought process goes something like this:
“If they can hack this place, then they can escalate through their network to uber important systems!”
Ok, yes, the Curran-Gardner systems were located within a company that covered both water and power, so yes, they could have jumped to the local grid for the area. They could have hopped over (mostly because these guys have already proven themselves to be clueless about security) and messed maybe with some power regulation to home customers in the area.
No big explosions.. No watershed event.. Other than once again pointing out that the emperor has no clothes and is functionally retarded really. This is an object lesson and one hopes that the local nuclear plant is not online for the Joey Pardells of the world to access via the internet. However, such systems that could cause mass casualties may also be in the same state, and this is worrisome.
So far though, I haven’t seen them.
Make No Mistakes.. There Will Be Deaths…
Once again, there is always the possibility that there could be a mass casualty event with regard to SCADA systems controlling pipelines etc. However, I do not see this as a prelude to war nor really an effective means of terrorism just yet. IF someone does exploit a system to cause a pipeline explosion it would be just to sow fear, and that is pretty much it. Sure, you take out a big enough system such as the ones in the Gulf, you “could” have a cascade effect on the supply chain as well as roll over to the financial base of the country.
C’mon, you have all seen this in the movies right? You know what I am talking about.
However, we have not seen this yet and if these systems are so piss-poor, then why haven’t we? I mean SCADA issues have been around for a long time now. Why haven’t our enemies used this yet to their advantage? No, I say that the likelihood is that someone will be messing around and accidentally cause an explosion or cascade failure.
The FUD response from this by the government and the media will be the real disaster that will cause the most damage.
Nope, I place the probability of the dark nightmares that the Dick Clarkes of the world are predicting up there with the probability that Bigfoot will walk up to my door, ring the bell, and offer to sell me “Bigfoot Cookies”
So, whatever happened to sanity? I surely think our collective sanity has been eroded by the likes of the media and our overly risk averse government. Since 9/11 they have been hyping (press) and pussyfooting (gov) around the problems we have. In the case of the digital landscape of hacking and security, neither has a solid grip on reality. This is really disappointing as they are the ones feeding the fear to the masses. Never mind those in the security industry who seek to make money as well as those who have no qualifications to speak on subjects but feel they must to get the headlines.
It’s a Möbius loop of stupidity and fear mongering.
We need to get our collective heads out of our collective asses here…
- Yes, there are SCADA systems online and yes, they can be made to eat themselves
- Yes, this is a problem, but it is NOT the end of the world
- No, the terrorists are not using this as a vector of attack.. trust me.
- NO, the Russians and the Chinese are not attacking here.. Those guys have been in and out of our systems without us knowing (ni hao!)
- NO, no one will be launching nukes from SCADA/ICS attacks
- NO, no one will be causing a China Syndrome from SCADA
- Yes, you may see more pumps eating themselves and you may have to buy some potable water
- Yes, once the smart *giggle* grid is online you might find yourself without power or unexpected large bills (bad hackers!)
- Yes, this is all a problem… But more a nuisance than the apocalypse
So, lets all sit back and breathe a bit ok? Yes, there are problems here, but, in the scheme of things, this is not worth all of the attention it is getting from everyone. Never mind the worries that many seem to have.. and are using to their advantage perhaps to sell you services?
Yeah, I went there…. Better watch out, LIGATT soon will have offerings in SCADA security I am sure.
The Teachable Moment
This is all what they call a “Teachable Moment” as someone on my Twitter F-list said the other day. The lessons to be learned are simple ones and you have to step back, take a breath, and think a bit here.
- Don’t place inherently insecure systems (as we know SCADA to be) online for access to the internet and anyone on the globe
- Don’t believe everything you read in the news.. Often times the reporters have no clue
- Don’t listen to every doomsayer or alleged “expert” online or in the media as to the dire straits we are in due to this
- Research the problems… compare and contrast.. Use your brains people!
- Ok, so we found this one out there and it failed because it was messed with… Now take it and every other one offline (connectivity to the net)
- Force the SCADA manufacturers to securely code their systems
- Force the government to perform DUE DILIGENCE on critical infrastructure (i.e. audit them all for this and other security problems)
- THEN FORCE THEM TO FIX THEM!
- DO NOT PROCLAIM THIS THE END OF THE WORLD
- DO NOT INTONE IT IS TERRORISM WITHOUT EVIDENCE
- DON’T LISTEN TO THE CHICKEN LITTLES OF THE WORLD (Craiggy)
This is my take away from this little incident. Like I said, there are problems, but we know they are out there now..
GO FIX THEM AND CUT THE FUD!