Archive for the ‘Google Hacking’ Category
The Emperor Is NAKED
gedh gedh gedh gedh gedh gedh
OMG THE DAM DATA!
Last week a report came out on Wired about how the ACE (Army Corps of Engineers) database was hacked by China and “sensitive” dam data was taken.. By China, let that sink in for a bit as there was no real attribution data in the story. Anyway, aside from the BOOGA BOOGA BOOGA headlines I had to wonder just how hard it was for these “Chinese” hackers to get in and steal the all important super secret DAM data. Given the nature of this type of site and the groups involved in generating, managing, and *cough* protecting it, I had a feeling that it would be rather easy to get the information without having to be uberleet. Sure enough a quick Google Fu session showed me how easy it was to just bypass the login and password scheme as a proof of concept. You can see from the picture at the top of the page that you can just download what you like there (16 meg on dams alone) just by clicking a link on Google and then the link on the page that is not supposed to be served out without authentication.
*I feel so secure now*
So yeah, there you have it, and I still cannot understand how the media types paid no attention to my attempts to make them aware of this little factoid. See, here’s the thing kids, I didn’t go any further. Nor did I download the 16 meg file because, well, no one else wants to be Aaron Swartz right? I am sure they could even try to squash my nuts over this post alone but hey, I am sick of the bullshit stories of China hacking our shit when in reality all one need do is GOOGLE the information. This is not to say that this information here is the SAME information that was allegedly stolen by China, but it is a PROOF OF CONCEPT that the site, EVEN TODAY, is still insecure and leaking information without authentication!! (yes, the above pic was taken today via a Tor node) So, I stopped there, but one has to wonder: if you looked further and enumerated more of the site by directory walk, could you in fact get even more access?
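To make concrete what “bypassing the login” means in a case like this, below is an added example (not code from the original post, and not anything from the ACE site) of the access-control mistake the post describes: the login guards the listing page, but the document URL that page links to is handed to a static file handler that never asks who you are, so the direct link a search engine indexes needs no authentication at all. The routes, session model and file names are constructed for illustration; the check at the end is the kind of test a site owner can run against their own application, and it is what separates the weak layout from the hardened one.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed document store standing in for files on the web server's disk.
# Only /data/ is meant to sit behind the login; /public/ is meant to be open.
DOCUMENTS = {
    "/data/dam_inventory.zip": b"PK\x03\x04 constructed archive bytes",
    "/public/readme.txt": b"public readme",
}
PROTECTED_PREFIXES = ("/data/",)

Response = Tuple[int, bytes]
App = Callable[[str, Optional[Dict]], Response]


def _logged_in(session: Optional[Dict]) -> bool:
    return bool(session and session.get("user"))


def _static(path: str) -> Response:
    """Serve a file from the store; this handler has no access policy of its own."""
    body = DOCUMENTS.get(path)
    return (200, body) if body is not None else (404, b"not found")


def weak_app(path: str, session: Optional[Dict]) -> Response:
    """The pattern the post describes: only the listing page asks for a login.

    /reports/ redirects anonymous users to /login and, once logged in, links to
    /data/<file>. The file URL itself falls through to the static handler, so the
    direct link (the one a search engine indexes) needs no authentication at all.
    """
    if path == "/reports/":
        if not _logged_in(session):
            return (302, b"/login")
        return (200, "\n".join(DOCUMENTS).encode())
    return _static(path)


def hardened_app(path: str, session: Optional[Dict]) -> Response:
    """Same routes; the authorisation decision now sits on the file URL as well."""
    if path == "/reports/" or path.startswith(PROTECTED_PREFIXES):
        if not _logged_in(session):
            return (401, b"authentication required")
    if path == "/reports/":
        return (200, "\n".join(DOCUMENTS).encode())
    return _static(path)


def find_unauthenticated_downloads(app: App) -> List[str]:
    """Defender's check: every URL under a protected prefix must refuse an
    anonymous request. Returns the URLs that hand over content with no session."""
    leaks = []
    for url in DOCUMENTS:
        if url.startswith(PROTECTED_PREFIXES) and app(url, None)[0] == 200:
            leaks.append(url)
    return leaks


if __name__ == "__main__":
    print("weak app leaks:    ", find_unauthenticated_downloads(weak_app))
    print("hardened app leaks:", find_unauthenticated_downloads(hardened_app))
```

The point of `find_unauthenticated_downloads` is that it never looks at the login page at all: it requests each protected document directly with no session, which is exactly what a crawler or a visitor arriving from a search result does.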
Feel the derp burn…
OMG CHINA!
Meanwhile back in the hallowed halls of Congress and the Pentagon we have reports coming out in pdf that China is hacking our shit to gain a better “war footing” by taking such data as what this story is all about. DAMS COULD BE BLOWN! WATER COULD LEAK! LIVES LOST! yadda yadda yadda. If you were to take it seriously then one would think that SECOPS demands that this data would be classified and protected per classification. Obviously it wasn’t given the access that you see above as well as the alleged password issue that the hack was allegedly predicated on in the Wired article. But I digress.. I am meaning to talk about China… Yes, so the DOD puts out a report that is subtly saying that no longer are the Chinese only looking to steal IP but now they are looking for ways to stalemate us in war.
*blink*
NO WAY! Like we aren’t doing the same thing everywhere else as well? Derp! Look, it’s only natural that they would be doing so and their doctrine says as much. Just go take a read of their doctrine on all things cybery and you will see that the domination of the infoscape is really important to them. We have only been paying attention for a little while now and we have catching up to do! Alas though, not all roads lead to China so really, I would love to see some attribution on this alleged hack on the dam data when one, once again, could just GOOGLE that shit up. As they say on the internets.. “Pictures or it didn’t happen!”
OMG FAIL!
So here we are again. Our cybers are FAIL and the news media perpetuates more FAIL with their no-depth articles on the problem. Maybe China stole some dam data. BIG WHOOP. The real story is that the site that it came from and the people watching it are not paying attention to the cyberz. Their clue phone is broken! They do not know how to “Internet” and it is just another derpy hype cycle in the media that allows China to be blamed for our own stupidity. I swear somewhere there is a Chinese guy laughing like Chumley, rolling on the ground over this.
Smell our own fail kids… And weep.
K.
BofA Gets A Burn Notice
rode bb iqdnpmbia fpn’k ybi lr qektrf?
PARANOIA
par·a·noi·a [par-uh-noi-uh], noun
1. Psychiatry. a mental disorder characterized by systematized delusions and the projection of personal conflicts, which are ascribed to the supposed hostility of others, sometimes progressing to disturbances of consciousness and aggressive acts believed to be performed in self-defense or as a mission.
2. baseless or excessive suspicion of the motives of others.
Also, par·a·noe·a [par-uh-nee-uh].
Origin: 1805–15; < Neo-Latin < Greek paránoia madness. See para-, nous, -ia
Paranoia, the Anonymous intelligence division (self described), published a dump of data ostensibly taken from Bank of America and TEK Systems last week. The information presented seems to show that BofA had contracted with TEK to create an ad hoc “Threat Intelligence” unit around the time of the LulzSec debacle. Of course, since the compromise of HB Gary Federal and the revelations that BofA had been pitched by them to do some contract work in the disinformation business, it only makes sense that BofA would set up a threat intel unit. The information from the HB Gary dumps seemed to allude to the fact that BofA was actively looking to carry out such plans against those they perceived as threats. Anons out there took great umbrage and thus BofA was concerned.
This blog post is being put together to analyze the data dumped by Anonymous, to give some perspective on what BofA may have been up to, and to set some things straight on the meanings of the data presented by Paranoia. First off though, I would like to just say that I think that generally BofA was being handed lackluster threat intel by a group of people with intelligence backgrounds. (for those names located in the dumps, their LinkedIn pages showed former mil intel work) This of course is an opinion formed solely from the content that was available online. There may have been much more context in formal reports that may have been generated by the analysts elsewhere that was not open for the taking where Anon found this dump. The daily and monthly reports found in the database showed some analysis but generally gave rough OSINT reports from online chat logs, news reports, and pastebin postings. There seemed to be a general lack of product here, and as such I have to wonder if there ever was any, or if perhaps those reports never made it to the internet-accessible server that Anonymous downloaded them from.
B of A’s THREAT INTELLIGENCE TEAM
Since the leak of their threat intelligence, BofA has been recruiting for a real team it seems. A Google of the parameters shows that they have a bunch of openings all over the place for “Threat Assessment”. It makes sense, since the TEK Systems team may in fact be mostly defunct, but also that they likely would want an in-house group and not have to pay overhead on consultants to do the work for them. TEK’s crew as well may have been the problem that caused the leak in the first place, by placing the data in an accessible area of a web server or having passed the data to someone who did not take care of it. Either way, it looks as though BofA is seeking to create their own intelligence apparatus, much as many other corporate entities are today. The big difference, though, is what exactly their directive as a group is to be.
One of the problems I have with the Paranoia analysis is that they take it to the conspiratorial level and make it out to be some pseudo CIA-like entity. The reality, though, from what has been shown in the documents provided, is that this group really was only tasked with OSINT and threat intelligence by passive listening. This is a key difference from disinformation operations and active participation or recruiting of assets. I will cover this in more detail further on in this post, so suffice it to say that what BofA was doing here was not only mediocre but also not Machiavellian in nature. The argument can be made though that we don’t know the whole picture, and I am sure Paranoia and Anonymous are leaning that way. I cannot with what I have seen so far. What I see is an ad hoc group of contractors trying to create an intelligence wing as a defensive maneuver to try and stay ahead of incidents, if not deal with them more effectively should they not be able to stop them.
Nothing more.. Nothing less.
Threat Intelligence vs. Analysis and Product
All of this talk though should be based on a good understanding of what intelligence gathering really is. There are many variations on intelligence tasks and in this case what is clearly seen in the emails and documents is that this group was designated as a “Threat Intelligence” collection group. I have written in the past about “Threat Intelligence” and the misnomer many have on the idea that it is some arcane CIA like pursuit. One of the bigger problems overall is perception and reporting where intelligence gathering is concerned. Basically in today’s parlance much of the threat intelligence out there in INFOSEC is more around malware variants, their C&C’s and perhaps who are running them. With the advent of APT actors as well as criminal activity and entities like Anonymous the paradigm of threat intelligence has come full circle back to the old school idea of what it is from the military sphere of operations.
Today’s threat intelligence is not only technical but also human action driven and this makes it even more important to carry out the collection and analysis properly in order to provide your client with the information to make their decisions with. Unfortunately in the case of the data from BofA we see only sketchy outlines of what is being pasted online, what may be being said in IRC sessions, and what is in the news. Nothing overly direct came from any of the data that I saw and as “product” I would not be able to make much of any decisions from what was presented by TEK Systems people. What is really missing within the dump from Paranoia was any kind of finished analysis product tying together the information in a cogent way for the executives at BofA. Did TEK actually carry this type of activity out? Were there actual reports that the execs were reading that would help in understanding the contents of the raw intelligence that was being passed on in emails daily and monthly? I cannot say for sure. What I did see in the reporting (daily threat reports as well as monthly) were some ancillary comments by a few of the analysts but nothing overly structured or productive. I really would like to know if they had more of an apparatus going on here as well as if they plan on creating one again with all of the advertised positions in that Google search above.
Threat Intelligence vs. HUMINT
This brings me to the whole issue of Threat Intel vs. HUMINT. It would seem that Paranoia thinks that there is much more than meets the eye within the dump, which makes them intone that there is a HUMINT (Human Intelligence) portion to the BofA program. While there may well be some of that going on, it was not evident from any of the documents I looked at within the dump files. HUMINT would imply that there are active participants of the program out there interacting with the targets, trying to recruit them or elicit information from them. With that kind of activity comes all of the things one might conjure up in their heads when they think on NOC (Non Operational Cover) officers in the CIA trying to harvest intelligence from sources (assets) in the field. From everything seen that was posted by Paranoia, this is not the case. This operation was completely passive and just collecting data that was in public view, aka OSINT (Open Source Intelligence). Could BofA be seeking to interact more with Anons and generate more personal data other than that which the Anons posted about each other (DOX’ing)? Sure, but there is no evidence of that. Given the revelations with HB Gary though, I can see why the Anons might be thinking that they are likely taking more robust, non-passive actions in the background elsewhere. Overall I just want everyone to understand that it’s not all cloak and dagger here, and it seems that Paranoia has a flair for the dramatic as a means to get their point across. Or, perhaps they are just living up to their name.
Assessment
My assessment in a nutshell here of the Paranoia BofA Drop is as follows:
- Paranoia found some interesting documentation but no smoking gun
- TEK Systems did a mediocre job at Threat Intelligence, with the caveat that I am only working with the documents in plain view today
- BofA like any other company today has the right to carry out this type of activity but they need to make sure that it’s done well and that it isn’t leaked like this
- If more documents come out showing a more in depth look at the OSINT being collected then perhaps we can change the above findings
- BofA needs to classify their data and protect it better on this front
- Paranoia needs to not let its name get the best of itself
All the drama aside, this was a ho hum really. It was funny seeing all the analysts taking down their LinkedIn pages (really, how sekret squirrel is it to have a LI page saying who you work for doing this kind of work anyway? SECOPS anyone?) I consider those players quite burned and assume they are no longer working on this contract because of it. All you analysts out there named, you are now targets and you are probably learning SECOPS the hard way huh? I guess in the end this will all just be another short chapter in Encyclopedia Dramatica and an object lesson for BofA and maybe TEK Systems.
For everyone else.. It’s just LULZ.
K.
Jihadi Hacking Tutorials: Irhabi 007’s Text and More….
I recently posted some preliminary findings on files found on Jihadist websites for hacking: actual full tutorials on how to hack that ended up with actually useful data and tools for the jihadis to hack in the name of Allah. In looking at those files I also ran across a section of .pdf files that included a text that, if I read correctly, is from Younis Tsouli aka “Irhabi 007” (Terrorist 007). Like the autorun/distro-like tutorials from earlier, these PDFs run the gamut of current hacking attacks that are the hack-du-jour: PHP hacking, SQL, Linux/*NIX hacking, database hacking of various kinds, etc. Much of this data has been taken from other sites like MILW0RM and others, translated into Arabic with notations, and put into the PDF format for dissemination on jihadi sites and/or certain Arabic hacking group sites like XP10.
With each tutorial though, the hackers had to add their own personal emails on there, so I have about 10 or so addresses to put into Maltego and Google. So far, “metoovet”, who created the tutorial on hacking that I posted about last, seems to be rather open in using his Hotmail address on other sites, including a business site for programming. The site is ostensibly his, and via a whois I was able to get another address of his. The sum of the data points toward his being not only a hacker programmer, but he also claims to be a medical student.
Heh.
I will continue the poking about on this, but I thought these files would be interesting for you all to see. They were uploaded to the megashare a while back and I am sure have proliferated all over.
On the 007 text though, I need a good way to translate the pdf file. His stuff was pretty comprehensive too…
More soon.
CoB
FOCA: A New Recon Tool
I recently got a text from a former co-worker saying that I should take a look at FOCA, a tool that I had not heard of before. The text said that this tool had a good deal of forensics potential in that it would search a group of documents and extract the metadata from them. My friend got it half right from what I have experienced so far.
The tool does indeed cull metadata, but, it is from directed web searches with engines like Google and Bing that it does so. This however is a fantastic thing! Even if you cannot just point it at a directory on a hard drive locally, this tool is a great resource for OSINT/RECON online. I decided to give it a try first on some Jihadist sites *post to follow* but then decided to use it against a “known domain” NYSE.com
The tool gives you a simple front end that allows you to search a domain/website and saves the whole process in a proprietary project-based format. So, you can go looking for a specific domain and create a whole project to save all the collected data. The only flaw I have seen so far is that this tool does not output your search/project into any kind of usable report format.
The tool goes out to Google and begins searching for numerous filetypes such as .doc or .pdf. Once located, the URLs show up in the tool’s window to show you if you do indeed have good hits. After the initial search, you can then download all of the documents for the next step of pulling the metadata. This is where it gets interesting…
Once the docs are downloaded, you can analyze the metadata and then FOCA gives you a series of pull downs that show you all of the user data that the docs offer up… And boy can it provide a plethora of data! From the NYSE searches I was able to not only see the user names, email addresses, software being used to create the documents, but also folders that they were stored in!
Then you can move on to more obscure searches using the metadata. FOCA has a feature to search those same engines that it just pulled the files from to go further and look into the domain structures, server names, users, printers; suffice it to say it pretty much will map out a whole infrastructure for you using Google/Bing and the metadata you already have.
Now, depending on the security levels that the systems being searched against have, it is possible to cull quite a bit of intel on your target. So much data that in fact one could make a real network map as well as a full plan of attack on users, networks, file systems, etc.
It’s kinda scary really as you may be able to see from the pictures here….
All in all, this tool is quite the find. I would only like to ask the creator to allow for a local feature to just access metadata for files that have been downloaded already… But that’s for another post to follow on those wacky jihadist sites…
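Since the post asks for exactly that local mode, here is an added example (not FOCA’s code and not from the original post) that does the metadata pull on files already on disk, in the same three buckets FOCA reports: user names, authoring software, and folder paths. It parses the two formats from first principles, the PDF /Info dictionary and the docProps/core.xml and app.xml parts inside an OOXML .docx. The sample PDF and .docx are constructed in memory with made-up names and paths so the script runs offline; the only real identifiers in it are the fixed OOXML namespace URIs.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespaces used by the OOXML property parts (these are the real, fixed URIs).
CORE_NS = {"dc": "http://purl.org/dc/elements/1.1/",
           "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"}
APP_NS = {"ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}


def pdf_metadata(data: bytes) -> Dict[str, str]:
    """String entries of an uncompressed PDF /Info dictionary. Compressed
    object streams would need a real PDF library; this covers the plain form."""
    found = re.findall(rb"/(Author|Creator|Producer|Title)\s*\((.*?)\)", data)
    return {k.decode(): v.decode("latin-1") for k, v in found}


def docx_metadata(data: bytes) -> Dict[str, str]:
    """creator / lastModifiedBy / Application / Template / Company from a .docx."""
    meta: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag, xp in (("creator", "dc:creator"), ("lastModifiedBy", "cp:lastModifiedBy")):
                el = root.find(xp, CORE_NS)
                if el is not None and el.text:
                    meta[tag] = el.text
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for tag in ("Application", "Template", "Company"):
                el = root.find(f"ep:{tag}", APP_NS)
                if el is not None and el.text:
                    meta[tag] = el.text
    return meta


def extract(data: bytes) -> Dict[str, str]:
    """Dispatch on magic bytes rather than on the file extension."""
    if data.startswith(b"%PDF"):
        return pdf_metadata(data)
    if data.startswith(b"PK"):
        return docx_metadata(data)
    return {}


def summarise(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Roll per-file metadata into the buckets FOCA reports: users, software, paths."""
    users, software, paths = set(), set(), set()
    for data in files.values():
        meta = extract(data)
        users.update(meta[k] for k in ("Author", "creator", "lastModifiedBy") if k in meta)
        software.update(meta[k] for k in ("Creator", "Producer", "Application") if k in meta)
        # Windows drive paths, POSIX absolute paths or UNC shares leak folder layout
        paths.update(v for v in meta.values() if re.search(r"^[A-Za-z]:\\|^/|^\\\\", v))
    return {"users": sorted(users), "software": sorted(software), "paths": sorted(paths)}


# --- constructed sample inputs (made-up names and paths) --------------------
def sample_pdf() -> bytes:
    return (b"%PDF-1.4\n1 0 obj\n<< /Title (Q3 failover plan) /Author (jsmith) "
            b"/Creator (Microsoft Word) /Producer (Acrobat Distiller 9.0) >>\nendobj\n"
            b"trailer\n<< /Info 1 0 R >>\n%%EOF\n")


def sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml",
                   '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
                   '<dc:creator>mjones</dc:creator>'
                   '<cp:lastModifiedBy>CORP\\asmith</cp:lastModifiedBy>'
                   '</cp:coreProperties>' % (CORE_NS["cp"], CORE_NS["dc"]))
        z.writestr("docProps/app.xml",
                   '<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
                   '<Template>C:\\Users\\mjones\\Templates\\ops.dotx</Template>'
                   '</Properties>' % APP_NS["ep"])
    return buf.getvalue()


SAMPLE_FILES = {"plan.pdf": sample_pdf(), "runbook.docx": sample_docx()}

if __name__ == "__main__":
    for bucket, values in summarise(SAMPLE_FILES).items():
        print(bucket, values)
```

Run against a directory of your own published documents (read each file and pass the bytes to `summarise`), the output is the same list of user names, software versions and internal folder paths that FOCA would assemble from a search engine, which is a quick way to see what you are handing out before anyone else goes looking.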
CoB
The SKYNET of Wall Street… How About CyberWar by Russia or Joe the Hacker?
Given the recent events with the stock markets sudden and sharp dip, many people have been pondering whether or not there was some computer trickery involved. One might even dare to say “hack” or, unfortunately, the moniker of “CyberWar” has been thrown out there about the incident.
From what I have heard on the news, the systems just seemed to go off on their own; the words used were “took off”, and there were even references in the news to “Skynet”. Oh my… Now that is scary, these people are looking at this as the next SkyNet out to whack us with giant Schwarzeneggers! I think though, that the reality lies more along the lines of perhaps a test. Perhaps a pre-test to something more akin to the cyberwar scenarios.
What’s bothering me though is the eerie silence on the part of the government, the police/feds, and Wall Street itself on this. Of course I am sure they would all love to minimize any fears that the public may have here because surely, if the word went out that this was an attack or a hack, then the market would crash further and for longer than it did last week. People would just not have any faith in the system and there would be the equivalent of a bank run on Wall Street.
So the news media and the talking heads tried to pawn this off to a “fat finger” trade, but then, as time went on, it came to light that it couldn’t be that. So, what was it then? Are they investigating? Are there Secret Service folks on site performing forensics on digital assets?
Like I said.. “eerie silence”
This all got me thinking about the potential for a hack on the NYSE and the stock markets in general. My first task, as any good security specialist, was to footprint the target. So, I went to “The Google” and did some footprinting at www.nyse.com, and what I found rather flabbergasted me. If you look in the right way, you can gather a LOT of intel on the network makeup, protocols, processes, clients, and vendors for the stock market. All of this just coming from one domain mind you…
I was able to not only obtain documents marked “CONFIDENTIAL” but those same documents described networks, processes for DR, Backup, and daily operations. I was also able to get manuals on their systems that interface to make trades from both inside and from outside of the exchange. Some of these documents actually described actions that the network operations folks are yet to actually carry out for 2010.
Oh yes, our theoretical money on Wall Street is safe… Not.
In one case, I actually was able to gather IP addresses for failover in NJ and Chicago as well as when they were planning on running a failover test. So, yeah, these documents are all, as a whole, a hell of a start to begin planning for an attack on the monetary engine of our country. Many of these documents I assume have just been put in the wrong directories on the web facing servers even with the markings on them, but, really, c’mon guys where’s your OPSEC?
Even better, the uber document with much data on how the systems work, which includes network diagrams, goes further to show you cabinet details in colocation areas and even has actual blueprints to the trading floor in NYC.
DOH!
So, perhaps there is a reason for the quiet huh? Imagine the panic that would ensue if indeed the market was attacked by someone with a computer and a set of pdf’s on how to operate trading software? Imagine the fear right now to those of you in the security field who are about to learn that in one case, a system used to trade carries out its actions on a TELNET session over the internet…
No… Really… I saw it. Perhaps they have a VPN or maybe I misread it but….
Check whether you can telnet://XXX.XXX.XXX.224:1723. If not, try to telnet://XXX.XXX.XXX.224:1838. If you can reach 1838 but not 1723, you must create a new line in the [TALIPC] section of the TAL.INI. The line reads: UseNewPort=
Oh yeah.. there you have it… Needless to say, I stopped there. Google had given me enough to really mount a plan…
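The defensive counterpart to what this post turned up, as an added example that is not from the original post: a publish gate that walks the directory standing in for the public web root, looks for handling markings (“CONFIDENTIAL” and the like) in text-like files and inside the XML parts of Office packages, and emits both the list of files to pull and a stop-gap nginx `location` block that returns 404 for them until they are moved. The markings list, the directory layout and the sample files are all constructed for the demo; the sample content is made up and does not come from any of the documents the post describes.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import List

# Handling markings to refuse on a public server; extend to match your own scheme.
MARKINGS = re.compile(
    rb"\b(CONFIDENTIAL|INTERNAL USE ONLY|RESTRICTED|DO NOT DISTRIBUTE)\b", re.I)
# Types we can read as bytes without a renderer; Office files are zips of XML.
TEXT_LIKE = {".txt", ".html", ".htm", ".csv", ".xml", ".pdf"}
OOXML = {".docx", ".xlsx", ".pptx"}
SCANNABLE = TEXT_LIKE | OOXML


def _content(path: str) -> bytes:
    """Raw bytes for text-like files; concatenated XML parts for OOXML packages."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    if ext in OOXML and data.startswith(b"PK"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return b"".join(z.read(n) for n in z.namelist() if n.endswith(".xml"))
    return data


def find_marked_files(webroot: str) -> List[str]:
    """Web paths (relative to the root, '/'-separated) whose content carries a
    handling marking. Only uncompressed PDFs expose their text to this scan;
    PDFs with compressed streams need a PDF library to be checked properly."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in SCANNABLE:
                continue
            full = os.path.join(dirpath, fn)
            if MARKINGS.search(_content(full)):
                rel = os.path.relpath(full, webroot).replace(os.sep, "/")
                hits.append("/" + rel)
    return sorted(hits)


def nginx_deny_block(paths: List[str]) -> str:
    """Exact-match location rules so the files stop being served while they are moved."""
    return "\n".join(f"location = {p} {{ return 404; }}" for p in paths)


# --- constructed web root for the demo (made-up content) --------------------
def build_sample_webroot() -> str:
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "docs", "ops"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>Public site</h1>")
    with open(os.path.join(root, "docs", "press_release.txt"), "w") as fh:
        fh.write("Quarterly results announced.\n")
    with open(os.path.join(root, "docs", "ops", "failover_plan.txt"), "w") as fh:
        fh.write("CONFIDENTIAL - DR failover test schedule and node addresses\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml",
                   "<w:document><w:t>Internal Use Only: gateway port list</w:t></w:document>")
    with open(os.path.join(root, "docs", "ops", "runbook.docx"), "wb") as fh:
        fh.write(buf.getvalue())
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    marked = find_marked_files(root)
    print("pull these before publishing:", marked)
    print(nginx_deny_block(marked))
```

Wire `find_marked_files` into whatever step copies content to the web server (a deploy script, a CI job) and fail the step when it returns anything; the nginx block is only for the case where the files are already live and need to disappear before the next deploy.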
It’s time to start hiding your money in mattresses folks… Or maybe just buy all the gold jewelry you can and head to “Good ol’ Tom” when the shit hits the fan. So Wall Street, what’s the story here?
K
Whois: Ansar007
It seems that since the takedown of the Saudi intel gathering site, the jihadis took a little time to think about what to do next and then began their site posting in earnest. On the Ansar boards, the traffic has been up and someone calling themselves “Ansar007” has been quite busy posting up propaganda video and audio files. The latest was a little ditty that he claims to have sung himself as an ode/anthem to a shahid who bought it.
Now, looking into this Irhabi007 wannabe, I found some interesting tidbits that might be of use. First off, a Maltego map of the user name shows some interesting connections. This included a couple of specific items that led me to the data I am about to present. The first bit of data was an email address:
Ansar007@hotmail.co.uk
This email, when put into Google, turned up about 5 hits altogether, but it was one that had the exact address on the site that drew me to a page for LN Travel, a taxi company in West Yorkshire, England. This little blurb is an alleged advertisement for a taxi service at a specific address. You are to contact them at the email address to use them… Odd I thought, just an email address to get a taxi service huh? I began to think that perhaps this was a red herring.. Or, maybe some kind of dead drop or coded post. I decided to look up the place on Google and came up with the following maps:
LN TRAVEL
106 Harlow Road
bradford
West Yorkshire
bd72hu
01274521867
Funny, I don’t see a taxi.. Do you? Curiouser and curiouser…
Widening the search of the Hotmail address led me to another email address from Yahoo. This address led me to a website for Arabic music and video files. Interestingly enough, this fits the profile of a wannabe musician who is posting songs that he has sung huh? The site, listenarabic.com, had a post on the user’s account that the email keyed off of from Ansar007. Ansar, believe it or not, had an account on the same site and after a little manipulation I had access to his user profile. It presented me with the following data:
Is this you Ansar007? Hmmm? Do you in fact now live in, or have you always lived in, Pakistan or the UK? Either way, there is a phone number.. Anyone wish to make a long distance call? Fort Meade anyone? Better still, Ansar007 on this site has some pictures of himself for everyone to see. So, I took the picture from the Ansar Jihad site on his recent post and one from the Arabic music site and voilà:
Could they be one and the same person? Could be, but I do feel a bit like Jack Ryan in “Patriot Games”. I can’t be sure, but the coincidences of the music site and all connected with the email address.. Well, I think I may be in the right neighborhood data-wise. So, what do you all think?
Johnny Utah?
Anyone?
Oh well, I will pass this on and keep looking into Ansar007. He is rather mouthy on those boards so eventually, someone will be coming along to collect him I am sure..
CoB
Al-Ansar Jihadist Site: Mapping Jihad
Seeing the traffic lately on Twitter between @allthingsct and Jokey, I thought it prudent to once again put some perspective on jokey’s little venture and how futile it really is. So, I bring to you this report I have generated on “Ansar-AlJihad”, a consortium of sites that are run by the same “persons” of interest and serve up jihadi content and links.
The picture above is a stealth mirror site of Ansar. The site is located in the US on a server that I assume the owners do not know has been compromised. This is just one of twelve sites that Ansar has stood up on varying servers and domains. Several of these sites reside on IP addresses in the US but are registered domains whose owner claims to be in Brussels.
The stealth site is physically located in Provo UT:
While the other sites primarily reside in Washington State:
The last site is physically located in Malaysia, which interestingly enough is a very active area for jihadi activity these last few years. All of these sites though, mirror the data that is updated consistently over all sites. Thus, should any site be taken down or denied service, one can just go to the next in line located on the main page, and get your jihadi content.
The addition of the stealth site proves the point that even IF all of the sites were to be taken down, they would indeed fall back to the stealth site strategy and just keep popping up sites to upload to. So, jokey’s little idea that if you just annoy them offline forever they will go away is a fallacy at best and half-baked logic at worst.
Meanwhile, let’s consider the other way to deal with these sites. By tracking them, their users, and their data.
By looking at the domains, the home IP addresses, and the links as well as the data on these sites you can get a pretty good picture of who may be setting up these sites and who may be using them. In the case of Al Ansar, I was able to use Maltego to get a line on one site of interest that gave up a solid name and email address.
Maltego made the connection between the Ansar site and three Blogspot accounts. The one that was of most interest was pathtomartyrdom.blogspot.com:
The owner of this site actually used a hotmail address and a name to set up the blog.
hassankhalid025@hotmail.com
This address was used in a few posts on Yahoo and not much else. However, I am sure that the authorities would be able to talk to M$ about opening that one up and seeing who said what to whom. Of course, given the recent flap with Cryptome and the M$ guide for LEOs, I am quite sure they have all the logged traffic and can provide it when asked.
So, as you can see, with a little footprinting, a little digging, and some patience, you can do a lot more than just DDoS a site offline. You can in fact provide the authorities with the data needed to maybe catch these guys instead of drive them under the digital carpet.
My hope is that these sites are already in the hands of the authorities here in the states and their traffic being logged. It would be great to see that the server had been set up to have all the captures taken so even if the jihadists were using proxies they could at least track those too. It’s all links in a chain that can be followed to the source.
It may also be a key practice that these sites are not only watched, but also being actively added to by the authorities here. One would hope that they would be members on these sites also, adding content to “disinform” the jihadis and catch them in the act.
Ahh well.. One can hope huh?
Needless to say, I have posted the findings report to the feds and will wait to see what they do…
CoB
Maltegoing Our New Tsar
So I decided, after the article I found this morning about Howie’s defunct site, to do some searches with Maltego. By using this I came up with all kinds of fun information..
In the end I have located his email addresses, correspondences that have been encrypted with PGP, and a couple of his phone numbers. I also used Google to locate some of his presentations on INFOSEC that he gave via ISC. Amazingly there are no notes with that particular Powerpoint.
Anyway, I am still digging on all of this but let me just make my mind known about this choice for Tsar….
1) He worked for two companies that have not been known for stellar security
a) Microsoft
b) Ebay
2) He comes from a military/governmental background also. So he knows the DC Two step and is likely to play by those rules. Meaning he is just another insider who will not get anywhere nor be able to think outside the box
3) The Tsar position has been neutered as far as I have read and thus is just another “captain dunsel” in Star Trek parlance.
In the end, I have little hope that anything will change for the better with regard to our information security posture as a nation both governmentally and privately. In other words, get the rations stored, the water tanked, and the ammo stockpiled.
CoB