Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘.gov’ Category

Prosecuting The Russian Cyber War: Beyond The Hyperbole

leave a comment »

screenshot-from-2016-12-19-13-42-28

This weekend my father actually asked me what I thought Big O was gonna do to respond to the hacking of our elections. He continued in the same breath to ask if we were going to take out Russia’s grid or something like that. My first thought was to say “Noooo” and to then explain to him how that might go all kinetic real quick like on us if we did. My response to him yesterday will be the genesis of this blog post today for you all. Since everyone seems all hot and bothered as to how we will respond and not giving Big O the benefit of the doubt that he actually reads the PDB’s and thinks about them, I will boil it all down to what I would do against Russia and Pooty to thread the needle and not cause an escalation.

First:

I would undertake the review on what exactly happened with the IW/DISINFO/PSYOP/Hack that took place for the election. This is important to not only understand what happened, but to understand just how much damage was done and what actions it took to set that into motion. From this you can assess the response level you need and in this case it has been rather speculative as to what really went down. This I also really point at the whole argument that the election machines in key states may or may not have had some supply chain tampering going on. So far I personally have seen no evidence that there was enough of an investigation to rule this out.

Second:

I would look at the capabilities we have and the intelligence we have collected on Putin. Intel such as a good psych profile and anything on his wealth/business structure. With both of these I would seek to discern what would hurt him personally, not so much the country. I would also use the psych profile to determine in red teaming out what his responses would be to certain scenarios. In essence I would perform a game scenario simulation to get the best results for us and start to build a plan(s) on those.

Third:

I would, knowing that this attack was personal for Pooty, and given his nature (much like Trumps really) I would perform the following actions;

  1. Attack his finances. All of the dirty ones first.
  2. Attack him with whatever kompromat we have (CIA/NSA) in the same leaks style that we saw from the elections (See news today about Tillerson for a cue)
  3. IF we have the assets in place both digital and “other” I would work to counter ongoing efforts in Germany and France as well as other places where we know he wants to do the same thing politically

These are the things I would do in parallel to assessing the damage to our forward capacities regarding the ShadowBrokers recent tease. IF all of those exploits on there are real, then all of them have been compromised and burned. Any operations that may have used those tools are burned and any future use of them has been burned. It is my opinion that the new events with the ersatz “Boceefus” account is just Pooty and the GRU saying “Try anything and you will fail” but that is only one dimensional thinking frankly. It is time to go beyond bits and bytes and also use HUMINT.

Just this guys take…

K.

Written by Krypt3ia

2016/12/19 at 19:05

Re-Counts and Forensics in 2016

leave a comment »

screenshot-from-2016-11-28-08-06-06

Since the election I have taken a break from the insanity as much as I could. I blocked off Trump on Twitter but he keeps leaking through the blocks anyway. I have been reading though on the usual source sites like the New York Times and other news sites and with each day I am seeing the utter unravelling of America. Thinking about it though I have to wonder if the unravelling happened long ago and this is all just an echo of the failure finally reaching us all like a radio wave from a distant dying pulsar…

Anyway, I wanted to write today about the current debacle concerning the vote and the calls for an audit of that vote. Since the Green’s have gotten the ball rolling and the Clinton camp finally agreed to look at the vote it seems to be happening and that is a good thing. In an election where blatant tampering through hacking and information operations (DISINFO and IFO-OPS) by the Russian state one can have some sense that perhaps the same adversaries ‘might’ have tampered with the actual votes as well. Now, had it been just troll propaganda wars I might say; “Ok we have been played, they did it, we lost because we as a people are unable to comprehend real news from fake news” but that is not all that happened here. We saw actual hacking campaigns carried out on our voting infrastructure and one of the parties outright and still no one is clamouring for a re-count AND an audit of the systems that are already known to be security challenged?

It is incomprehensible to me at times how our government works at all. The group think and the lackadaisical attitudes towards information security are staggering but this whole episode takes the cake. You mean to tell me that the DHS and the government, the ones who brought us the OPM hack and other massive data breaches are going to tell us that the vote could not have been hacked and it is silly to even consider a forensic audit? This is what I keep hearing in the media and out of the government as calls for the votes to be re-counted and audited. It is also what I am hearing post Halderman’s paper and blog post that says: “I’m not saying the vote was hacked but there is evidence enough to say maybe we should look into it”  What the fuck? We know things went down so why all the reticence to check?

Well let’s look at it another way shall we? let’s say the government, ya know the one who keeps claiming we have “cyber superiority” in fact is shown to have such a poor state of security (like OPM isn’t enough to cast doubt on that one) that the election systems, the ones that the security community has been warning about as insecure for years now, was in fact manipulated as part of a larger operation to fix the election for Putins puppet regime? What exactly would the outcomes be from that revelation?

  1. The system would not be trusted
  2. The country would be in chaos
  3. The government would be seen as incompetent
  4. Putin wins.

It seems to me that most of these things have already come to pass. Sure, we have not actually proven that the systems in key Electoral College states were tampered with by malware or added code yet. That code could have been put in the supply chain easily by infecting the key systems the polling places use (see Halderman’s paper *think USB and ballot templates*) but all it takes is a real forensic evaluation to determine if something was amiss right? Yet I still don’t hear a clamour to get this done. Why is that really? We have been sold the idea on many occasions that it is too hard to hack the election but really, with a limited target and a goal of manipulating it subtly one would not see it blatantly would they? I mean fuck, look, Clinton has what like 2 million more popular votes and this fuckwit wins the college? It is either fantastic strategy on the part of his campaign (I mean Putin’s campaign) or, given all of the other evidence of tampering and obfuscation that something could be amiss with the known insecure systems we vote with right?

Really what I am saying here is this; “We have been played. We have been played and now we have this kleptocrat in office who’s been placed there, whether or not you want to hear this, by the Russian governments intelligence apparatus. The least you can do now is do the due diligence to see if something more happened than the hacks and disinformation operations we already know about.” I suspect though that the government does not want to do this because it would call everything into question. It would openly call out the fact that a nation state fucked with us in such a fundamental way that the only real response would have to be, well, war? I mean what is the response to something of this scale anyway right?

Weigh the evidence.

Occams Razor this shit.

DO THE FUCKING FORENSICS.

K.

Written by Krypt3ia

2016/11/28 at 13:39

Posted in .gov, 2016

Scenarios on Outcomes from Russian Information Operations on the US 2016 Election

with 2 comments

1016374513

Assessment Goals:

With all that has been happening with the disinformation and influence operations during this election cycle I thought it prudent to thought experiment out some scenarios if Russia or any other adversary with the means, decided to attack the election cycle in other ways. One might ask right now what benefit would other countries like Russia gain from such operations and you would be right to ask. That is a question for another post but suffice to say that if Russia is indeed tampering with our electoral process like they have in others, then the reasons are geopolitical and very much Putin’s aegis in ordering the SVR and KGB to carry them out.

The goal here is to just lay out the attacks that could happen simply and then give you the likely outcomes. All of these are not as comprehensive as you might find in some think tanks like Wikistrat but you get the idea. All of these attacks are possible, and they do not have to all work completely to have secondary and tertiary effects on the US population and political system. Please read through them and ponder yourselves how would you react if these happened? How would the general populace? Would government be able to carry on? If the election cycle is broken and the systems not trusted, how would one re-set the vote and how long would it take?

Interesting times….

SCENARIO 1: VOTE TAMPERING

The voting machine have been tampered with electronically or code has been inserted. The potential for votes being tabulated incorrectly or data tampered with is possible but not probable in the grander scheme in the US according to sources. However, this does not preclude a way found to insert such code or physical devices in key states. It is also not impossible to have assets in play such as sympathizers or outright KGB assets on the ground helping to tamper with the results. I will not go into the details because this is a scenario to start but it is also not the point. Let’s just assume ways have been found to tamper enough to call the electoral data into question via tampering directly with the systems.

POTENTIAL OUTCOME:

  • Trust in the election system is diminished
  • Recalls are called for by both candidates and the public
  • The electronic systems will lose public trust and a re-assessment of the process will be mandated

SCENARIO 2: VOTER ROLLS TAMPERING

Scenario 2 is based on recent events. The hacking of the rolls databases in key states could be an attempt to manipulate the data and cause secondary issues with that data on the day of the election. The posit is that the adversary has tampered with people’s voting preferences data. If you are a republican they can change that roll to the opposite party and vice versa. Additionally what if a users region or address were changed surreptitiously? To date there are no systems that I am aware of that will email you when a change is made to your voting status and how many people check before they go to the polls? This is a common tactic that has been used in gerrymandering an election area by disallowing voters from voting on the day of the election. To date, the FBI has not been able to determine what the hacking on the voter databases was about and this could be one of the goals.

POTENTIAL OUTCOME:

  • Voters are unable to vote once they get to the polling place.
  • Voters are not allowed to correct these records and are thusly negated from the process
  • Attack key states once again, going for the electoral college and you can change the outcome of an election
  • All of the above once again have the amplification of causing distrust of the system and damage to the election
  • The candidates and the people are left with a recall and with the system being manipulated already how can they trust it?

SCENARIO 3: DISRUPTION OF THE PROCESS ELECTRONICALLY

Russia has attacked the Ukraine elections by inserting malware/code into the election machines in 2014 that effectively bricked them. If such an attack code were placed and propagated within the American voting systems the disruption would cause the election to be halted and emergency measures taken. Perhaps the election might try to carry on with paper ballots but I am unsure the process can be that effectively nimble. If the election systems are down, since they are of varying makes and models of machines, the time to return of service would be long, causing more FUD to the elections process itself.

POTENTIAL OUTCOME:

  • Voters are unable to vote or the process takes so long that they walk away with a more analog process
  • Trust in the electronic system would be degraded or destroyed
  • The election cycle would be likely broken and emergency measures would have to be employed (contingencies)
  • Continuity of government is challenged

CONCLUSIONS:

These three scenarios to date, have not been covered I believe. This post comes to you as the fruit of a discussion I had with @SteveD3 and I believe that in our current atmosphere of information warfare and influence operations carried out by Russia, one has to take these thought experiments out for a drive. All of these scenarios are possible and will have the effects of denial, disruption, and degradation to our election systems and the stability of the nation. It need not render the election completely in the favor of one or the other candidate conclusively to cause faith in the system and its outcome to be questioned. Imagine if you will, as Trump has already been saying repeatedly, that these tactics are used and the general populace believes that the election has been rigged? With or without the hand of the Russians, others could be easily blamed by a candidate like Trump and his followers. The outcomes from this could lead to civil unrest and other worse things if they came to pass with the help of information operations attacks by another nation state.

I suggest you red team these ideas yourselves and see what else you can come up with…

Written by Krypt3ia

2016/10/11 at 14:20

Influence Operations: We All Carry Them Out

leave a comment »

Screenshot from 2016-09-06 08-29-26

 

All of the hand wringing and whinge-ing over the possibility that Russia has hacked our completely insecure election systems has my bile up… Well that and it seems I am lactose intolerant and ate whole ice cream last night. Anyway, back to INFLUENCE OPS and their use globally. The article above from the Boston Globe really set me off this weekend. All of these guys in the corridors of power all hand wringing over the possible fact that Russia has been messing with our political process makes me want to fly to Washington and bitch slap people. This type of activity has been going on forever and it is not just Russia pulling these strings even today. If you take a look at the actual history of the world you will see many players playing the same games with or without the benefit of Wikileaks and computers both then and now. This is not new people and for fucks sake wake up and realize that the US playing the “hurt” card in this game is really quite absurd in the grand scheme of things.

Now once you have taken a little trip down history lane with those links I just provided, then I want to ruminate on the whole problem today of the hacks on our democratic systems. See, as a former pentester and now a blue team guy I often ran into places that just did not have a clue about security. Still today there are many places that are very clue free and that also includes our government and those bodies that comprise our election systems. Seriously? Seriously those election systems were not even being monitored? You are shitting me right that the alleged Russian hackers used Acunetix to scan and then just SQLi dumped shit right? …

And no one saw a god damned thing…

It’s hardly INFLUENCE OPS when all you need to do is run a shitty tool and just take what you want with a script kids. So really, stop with the hurt and surprised bullshit Congressman and Senators alike! Put on your big boy and big girl pants and get the fuck over the fact that someone would have the audacity to fuck with our already fucked up election cycle anyway! As to Putin’s comment on the subject recently ‘‘It doesn’t really matter who hacked this data from Mrs. Clinton’s campaign headquarters,’’ I agree, it doesn’t really matter because the fact of the matter here is that her actions alone concerning the BleachBit of her server days after it’s public disclosure should be enough to show us all just what fuckery is afoot without Russian intervention to begin with. What the paradigm change here is is that we now don’t have to send plumbers to Watergate’s to break into file cabinets to get the data. All one needs to do now is fucking Acunetix an IP and then run SQLi map to fuck with a national election and that is just fucking sad.

Screenshot from 2016-09-06 09-17-01Shut up Grandma Nixon!

At the end of the day I for one don’t care who hacked the shit, what I care about is that there is enough evidence to show that even with out information/influence operations that there’s some crooked shit going on. The problem is that this is the default state of our governance and election system so one tends to just become complacent about it. The hack on the election here and now, with the fate of the world in the balance so to speak, with Führer Trump or Grandma Nixon only makes it all the more piquant for the hungry news media but in the end means a choice between two terrible shit sandwiches to those paying attention here.

We are all fucked either way.

Move on.

Dr. K.

Written by Krypt3ia

2016/09/06 at 13:26

No, Juny Was Not Whacked Because He Was A Hacker

leave a comment »

1488

With the alleged death of Juny “AbuHussain Al Britani” Hussain at the local Gas-N-Sip in Raqqa has come the steady stream of self serving headlines and leading questions from the media and the hacking community. I am here to stop you right now and tell you to cut the shit out and read more about what is going on with Da’esh and just who Juny was. The fact of the matter is that Juny was a recruiter as well as an instigator who was directly tied to the Garland shootings because he was on Twitter exhorting those fucktards into action.

Juny as a hacker is a separate story and one that at some times shows he had some talents but overall once he left for Syria he was fuck all as a hacker or part of the alleged “cyber caliphate” In fact if you really look at the alleged hacks by the Caliphate there is not much to look at really. The DOD/Pentagon emails and the open sourced intelligence that was often wrong on military members was all low level fuckery and not a clear and present danger to the West. No, it was not the hacking that made him a HVT on the US and British lists, it was that he was someone these shitheads look up to and was an avowed Da’eshbag who was ‘in country’ and fighting with Da’esh.

That is why they killed him with a hellfire fired from a drone. It was not because he was a hacker and for fucks sake stop it with the “Ermegerd hackers are now targets of drones!” self important bullshit.

So please stop it with all the bullshit that he was a HVT that we really really wanted because he hacked. The reality is he was a HVT but he was also a target of opportunity as well. Another thing to note is that the stories also all cite “anonymous intelligence sources” and the like. That is a euphamism for the government wanting to claim a win and have it all look good. I am still going by the axiom of ‘DNA or it didn’t happen” So far Umm Britani has said he is not dead and there has not been a host of shahidi bullshit videos and poems on the boards or anywhere else online. Perhaps we all are waiting to see some proof here but for fucks sake hackers, hacker media, and news media in general.

Cut it the fuck out. He was an unlawful combatant in country, in the alleged Caliphate and a mouthpiece for Da’esh. It’s as simple as that.

K.

Written by Krypt3ia

2015/08/28 at 10:37

Posted in .gov, .mil, Da'esh

Cryptofuckery: Comey, OPM, YOU.

leave a comment »

tumblr_static_tumblr_lm05wykzkl1qdqgg6o1_500

I watched in ever increasing fits of rage as the hearings proceeded. First it was the five hearings on the OPM data loss and failures therein, then it was the two hearings on “going dark” featuring James Comey. By the end I was a seething mass of hate gnashing my teeth and using the last nearly shredded synapse I had left to parse the fuckery I had seen.

OPM:

What was all this? How did we get here? How the holy hell did our government completely abdicate its responsibilities around secret information that was used to grant people secret and top secret clearances? I sat mouth agape in rage as I watched Archuleta mumble and stumble her way toward insufficient if not blatantly obfuscated answers to the senators on what and how things had happened. It was clear by the mid point that we had been fucked collectively by the US government who consistently says “trust us” then turns us over and fucks us in the ass.

Now we hear that there actually were approximately 22 million people who’s personal data was stolen by god knows who, though really can we trust that figure? I mean how many times did Archuleta say she did not know how many to the senators? How many though is a relative thing when you are not logging, which now we also know per the CIRT team that testified in one of the hearings. When you aren’t logging it is like every day is a day in Vegas baby.

Fucking hell.

Meanwhile everyone is a twitter about the “who” that did it and the OPM and their minions are crying APT and CHINA! Well, what evidence has been presented that it was in fact China?

Oh, yeah, “trust us”

So, an org that wasn’t properly logging, wasn’t following recommendations from the IG, and had a terrible security record that included not hiring people who knew what they were doing but double and triple tasked current employees to be security is going to tell me definitively that China did it. Sure, I will just believe the fuck out of that. The reality though is that I can believe it was China since I have not seen any data for sale in the darknets and this is their modus operandi but that is cold comfort here. It could have been Russia, it could have been DPRK for all we really know and this can be said because once again, they weren’t logging and they weren’t practicing security due diligence so the bar to entry there was low.

For fucks sake, with what we know now it could have been little Billy in his bedroom with the sticky tube socks who hacked OPM right?

By the end of the hearings I had a massive headache and needed a bottle of whiskey to kill the memories and the pain. Do not get me wrong here people, this is no news to me. You see I once did some work in the gov space and in fact worked in the DOI where that server was housed by OPM (yeah, not even in their own space) and I know how that government sausage was made. I especially loved how I was lied to by employees, to my face, only to show them the actual scans and pentests that proved they were lying. Obviously nothing has changed since I was there many years ago.

The moral of this story though is not only about the lack of due diligence but I wanted to focus on the cryptofuckery that was on every senators lips.

“Why weren’t those files encrypted Mrs. Archuleta?”

Every time this question was asked I just wanted to yell at the tiny screen.

“NO YOU FUCKERS THE CRYPTO WOULD NOT MATTER! YOU DON’T FUCKING GET IT!”

I shook my impotent fist in the air and grumbled over and over but as you would expect it is to no one, since no one listens anyway. The fact of the matter though is that many in the world misapprehend what crypto is and does. A database that is encrypted and is live is not encrypted. The data is encrypted at rest, not while users have active access to it!! So it is useless to hang your hat on the crypto argument in the debate over OPM failure but the senate and the genpop just don’t get that.

Here it is for you all in plain lingo;

If the system is live and the user who has access to it is pwn3d then FUCK ALL matters crypto ok? Own the endpoint and you own the whole thing. I sense a Game of Thrones quote here somewhere but I just can’t put it together.

JESUS FUCK.

Comey The Backdoor King:

Then the hearings for “Going Dark” came and the derp parade was in full derp regalia. James “back door” Comey came to the senate to beg the question;

“What’s so bad about backdoor’s on crypto? I mean, trust us, we are the government!”

I sat agog once again as this guy took every opportunity to say “Well, I am not an expert but I see no problem with doing this” repeatedly to the senators. Senators mind you, that did not really take him to task. Instead they listened and nodded and agreed that ISIS is scary and that terrorism was as well. The odd thing though was that if you listened closely enough, Comey was not predicating all of this on Islamic terror but instead “regular crime” He chose to use the old pedophile routine and the obvious child kidnapping scenario to make his case.

It was Jack Bauer all over again except this time Jack was tearing the finger nails off of someone to get their crypto keys because the gubment did not have an easy access backdoor to just decrypt the everything. This is the same argument that we almost saw behind the scenes post 9/11 that got us to where we are today with global pervasive surveillance in the post Snowden era. The only difference this go around is that Comey is asking and the senate and us are watching. This time we at least get to watch and say “WHAT THE FUCK?”

Well, the hearing went on and on while Comey said the same thing again and again “We need this and I don’t think it’s a bad thing, I mean, there has to be a way right?” Contrary to what the experts did say though, that a back door, front door, side door, whatever, degrades the efficacy of the crypto and it should not be done at all. Never mind the whole issue of thinking that we live in an Orwellian dystopia now with pervasive surveillance, add to that that the government would have access, warrant or not, to a universal back door to cryptographic systems. This would be the shit sammich on top of the shit sunday we have today not to put too fine a point on it.

No Comey. Just. No.

Alas though we will see what the senate has to say and the rest of our “august” body we call our government. Kids, we are well and truly more fucked than we were before and I am afraid it is only going to get worse. Back door access to crypto will not help, people will come up with ways to use crypto that is not back door accessible and I am fucking sure that the terrorists and other bad actors will carry on as they have. No Comey, it’s time you did your fucking jobs and got more people into the HUMINT space not just back door all the things.

If I were you all… I would start coding new crypto programs or start printing one time pads.

K.

Written by Krypt3ia

2015/07/11 at 12:52

Posted in .gov, FUCKERY

Commentary: OPM Is Just Another Link In The CyberFail Chain

with 2 comments

Screenshot from 2015-06-22 09:31:49

 

OPM is the exemplar of how our government deals with information security, or should I say doesn’t deal with it. Some will say that there are many mitigating circumstances like old systems that cannot be updated that caused much of the failures that lead to the OPM being compromised for over a year. However, the subsequent pivoting by the adversaries into many other networks we have not begun to even discuss as a nation yet because we are now media and governmentally fixated on the fact that the adversary had access to SF86 forms. Forms mind you that should be one of the better protected things out of all the possible things the government holds in it’s systems. So far the discourse in the media has been more sensationally oriented on the magic secret code names that the likes of Crowdstrike and Mandiant have come up with respectively for actors. Actors that they claim with varying vociferousness are in fact China whether it be the PLA (People’s Liberation Army) or the MSS (Ministry of State Security) though neither is accepting the pure hubris of all their press releases and anonymous or semi anonymous back-channel chats with the media in hopes of more attention.

Screenshot from 2015-06-22 09:31:04

Whether or not these attacks were from China and their varying and vying espionage organs is rather irrelevant now and everyone needs to understand this. The cat is proverbially out of the bag here and by the cat slipping the bag, we now notice that the emperor who was holding that burlap sack of cat is in fact naked. Or at least that should be the story here but as you can see from the stories filed above by the New York Times alone, the real attention seems to be on the fact that China is in fact hacking us. Well, I am sorry but I have news for you all, they have been hacking us for a long time now and doing very well at it. The primary reason for their being so able to steal us blind though is not as the media and the government and the Mandiant or Crowdstrike’s of the world would like you think. The APT (Advanced Persistent Threat) it seems, does not have to be advanced. They just need to be persistent and might I add patient.

So when you read the headlines and the stories like those in the Times about the advanced malware called “Sakula” and how the tricksy Chinese have gotten administrator on OPM systems I cannot blame the uninitiated thinking that this is hard and that the Chinese actors are the equivalent of super villains hacking from beneath islands with skull faced volcano’s on them. After all, the media is teaching the people not in the know by these lede’s that computer security is unfathomable and hard. You know, like the comment by Archuleta in the Congressional hearing that “Security takes decades” No ma’am it doesn’t and as the congressman who yelled at you that day said, we don’t have decades. In fact, I would say that this game of Go is almost done and we aren’t winning. We have lost and the reasons we have lost are manifold but I would say that the root of it all is that we, America, have abdicated the notion of securing the things that we should have long ago. The excuses are many; because it would be costly, or hard, or perhaps more so due to government stagnation, self interest, and indolence.

I know that the majority of the readers of my blog are in the security community but I wanted this post to reach across the void to the everyman on this matter. I exhort you to read the stories in the news and to take a step back. Consider the following statements and really understand where we are today.

  • The OIG not only has been reporting on the OPM’s security issues but all of the governments. Go read the reports online for other orgs. You just have to Google for them and you will see over the years the same issues surfacing.
  • OPM was told many times and with every report only minor changes were made. Money was not spent, people were not brought in, and all over networks that hold sensitive data.
  • OPM was not practising security at a level commensurate with policies and procedures that were standard 20 years ago.
  • OPM is part of a larger network of systems intergovernmentally. DOI (Dept of Interior) is one that I have had personal experince with. Insecurities abound.
  • Since the hearings the President has made comment that he believes in Archuleta and she is keeping her job, though she has failed to make changers per OIG that have been pending for years.
  • The argument that an adversary is advanced falls apart when the target is not following even the base security protocols that stop a user from using “password” as a password lord knows what else they weren’t doing.

Brass tacks, we deserved to be hacked.

Sad but true.

So gentle reader, consider what I have told you here. The government is not protecting OUR data commensurate with the security requirements we would demand of a company that holds it like say Target. It’s time to hold the government to the standards that they would like to enforce on companies. Let’s not listen to the marketing leaks by Mandiant and Crowdstrike about the actors and who they may be. What matters is that the data was taken and the reason it was taken was because of poor security and bad management on the part of the federal government. You know, those guys rattling the cyber war sabre lately.

Physician heal thyself.

K.

 

Written by Krypt3ia

2015/06/22 at 14:09

SAND APT WORM 28 Screedle

leave a comment »

THISISMARKETING

 

SANDWORMS AND APT’S

Recently there has been a hubbub over iSight’s dox drop on what they called Sandworm. This was a group of Russian actors (alleged) that were spying digitally on Ukraine and NATO with malware and phishing. The program had been ongoing for a long time and iSight needed that market share so they dropped their report on us all, ya know, to let us all know that Russia spies on shit like Ukraine when they are in a heated battle with that runaway state.

WHO’DA THUNK IT??

Anywho, now FireEye wants to get in on the action and has dropped their report on APT-28… AKA Sandworm. They pretty much say the same things. There’s a group of Russians out there spying digitally on Ukraine and NATO with malware and phishing.

WOO

At least the FireEye report is less derpy than the iSight report so there is that. Sure the APT-28 report gives more IOC’s and such for the technowonks out there to follow up on and maybe put in C&C’s on their collective SIEM’s but really, what use is all this to the rest of us? Nada. Nada and this burns my ass. I really hate all this posturing bullshit marketing that passes for intelligence. To my amazement even the FireEye report states that this is nothing new and that these guys have been in the news in security circles for some time. Now it’s just time to make them a new BUZZWORD for the marketing and this is what makes me apoplectic about all of these services out there.

What have we learned here in this report?

  • Russian APT uses phishing
  • Russian APT uses obfuscation in code
  • Russian APT use Cyrillic keyboards
  • Russian APT knows more than one language
  • Russian APT are sneaky

No.. Really? As the report remarks, there is nothing new here.. So why post it?

MARKETING

All of this from FireEye as well as iSight is just tit for tat marketing to garner media attention for their “services” and nothing more. There is nothing in this report that really applies to the average blue team player unless you are in Ukraine or in NATO and ya know what? Those guys already know because they have been briefed by the intelligence agencies. So really, there is very little value to these reports to the common security player. It’s all just marketing HOODOO and we should all just see it as that ok?

“But it’s cool and now we have TTP’s on the Russki’s” you say… Well fuck that. The intelligence agencies are the players in that space not you. How many of you out there not in Defense base companies have EVER run into a known C&C for APT on your networks actively being used?

…. Anyone?

Yeah, thought so. Look, FireEye reports are the new EBOLA of ISIS! It’s utter wankery.

POLITICS

Meanwhile, some on my time-line asked a very pertinent question.. “Just how long has FireEye been the US governments lapdog anyway?” To which my answer was “since APT-1” This report feels more like a mix of marketing as well as political pokery on the part of FE for the US government who happens to be having a pissing match over Ukraine and general Pooty Poot fuckery. So really, is this a report that we can all use or is this just a grab for political fuckery and money through self aggrandizing and self serving marketing to preserve market share that maybe iSight was perceived to have taken from them?

Your mileage may vary…

K.

Written by Krypt3ia

2014/10/28 at 17:13

Posted in .gov, .mil, APT

Digital Jihad: The Great Irhabi Cyber War That Won’t Be.

leave a comment »

 

Screenshot from 2014-09-12 10:03:12

 

Islamic State militants are planning the creation of a ‘cyber caliphate’ protected by their own encryption software – from behind which they will launch massive hacking attacks on the U.S. and the West.

Both Islamic State and Al Qaeda claim to be actively recruiting skilled hackers in a bid to create a team of jihadist computer experts capable of causing devastating cyber disruptions to Western institutions.

They are now boasting it is only a matter of time before their plan becomes a reality.

~Daily Mail UK

 

The Great Cyber Jihad

Since Junaid Hussain escaped over the border to the new lands of jihad (aka Syria) he has been vocal on Twitter showing off his great cyber manhood in classic irhabi bloviating online. That Junaid made some inroads by hacking into the prime minister’s email address at Gmail only lends him dubious credit to his hacking skills  to a person involved in the security field. This however is not how the great unwashed within the media and certain quarters of the government and the military seem to perceive the threat posed by Junaid today now that he is an ISIL irhabi.

Islamic State militants are planning the creation of a ‘cyber caliphate’ protected by their own encryption software – from behind which they will launch massive hacking attacks on the U.S. and the West.

Both Islamic State and Al Qaeda claim to be actively recruiting skilled hackers in a bid to create a team of jihadist computer experts capable of causing devastating cyber disruptions to Western institutions.

They are now boasting it is only a matter of time before their plan becomes a reality.

~Daily Mail UK

The above text came from just one of the spate of recent reports on the great “Cyber Jihad” that is being touted to come from the likes of Junaid and ISIS/L as they attempt to expand their reach from the Middle East globally. This ls.particular commentary makes the bile rise within my gut on so many levels though. But that kind of pales in comparison to the one right below…

“We’re in a pre-9/11 moment with cyber,” John Carlin, assistant attorney in charge of the Justice Department’s National Security Division, warned at a July conference in Aspen. “It’s clear that the terrorists want to use cyber-enabled means to cause the maximum amount of destruction as they can to our infrastructure.” 

~Fox

PRE-9/11 OMG!!! Look you fuckwit if that were the case then China would have already put us out of our misery really. For that matter some half assed pot sodden kid who happened to hack into our grid would have taken us down years ago. There is just no need for this posturing and certainly above all coming from someone without a clue in their head about how things really work in the world of computer security. This kind of scare tactic aimed at getting people to respond in fear to allow for the government to do anything in the name of protecting us is vile.

Meanwhile you have other players such as the one below making statements of “ALL OUT CYBER WAR” while commenting on Anonymous’ operation against ISIS. I laughed and I laughed and I laughed until I just wanted to cry at the sheer stupidity of it all. Look, Anonymous can’t get their shit together enough to be both leaderless and effective so really, how much of an “ALL OUT CYBER WAR” can there be there huh? Do you even know what a cyber war really means? Cyber warfare is both digital and kinetic in it’s purest form and what kinetics did Anonymous really carry out in this operation to DoS ISIS offline?

Lemme give you a clue… None.

“Anonymous announced late last week a full scale cyber war against the Islamic State (Operation Ice ISIS), intended to attack ISIS supporters using social media for propaganda purposes”

~Fortuna’s Corner

So aside from the bloviating and the scare tactics coming out of ISIS itself we also have our responses from the government and the media with all their so called experts on cyber war and jihad. There is a lot of wankery going on here but finally this guy makes a little sense in the middle of his post on this mess…

ISIS’s main effort to date in cyberspace has focused on psychological warfare by generating fear through flooding the internet with video clips portraying the brutal acts of beheading and mass executions, as well as victory parades, as part of developing deterrence and creating an illusion of force in excess of the organization’s actual strength. The essence of its online activity, however, is broader. It enables its supporters to obtain operational information, including training in preparing explosives and car bombs, and religious rulings legitimizing massacres in regions under ISIS control. In tandem, it distributes indoctrination materials, such as a maagzine called Dabiq: The Return of Khilafah, which focuses mainly on topics relating to formation of the new Islamic state headed by ISIS leader Abu Bakr al-Baghdadi. However, ISIS’s technological expertise is not the only factor. Perhaps the public, which is revolted by the organization’s deeds but closely follows these clips and photos as a kind of reality show, is contributing a great deal to the organization’s popularity.

~Fortuna’s Corner

Yes, there it is.. ISIS has been carrying out a PROPAGANDA war primarily and with that comes from PSYOPS as well. This is the first true set of statements I have seen to date over this whole debacle. Ok, they are waging a propaganda war and a recruitment drive for sure but really, a cyber caliphate? I mean to date I have not seen this show up verbatim anywhere on the boards or on twitter so who’s leaping logic here? Seems to me that there’s a sucker born every minute and about 99% of them want to go into journalism nowadays.

A propaganda war using Twitter does not a cyber war make.

Cyber Warfare and Jihad

So let’s chat about the realities here about the capabilities of the Irhabi (ISIS/L or AQ or SEA) in a context of what we have seen so far. What have we seen you ask? Well, DoS, some data thievery, some malware use and phishing, but generally nothing spectacularly scary. Certainly nothing on the level of a nation state actor like China has been seen out of any of the loose groups that claim some jihadi notions online to date. So where do we get all this BOOGA BOOGA over the likes of Junaid Hussain and ISIS taking down our grids and things?

*squint*

Yeah, there’s no there there. I am sorry but even if ISIS/L used it’s monies that it has stolen over the last months to set up a “cyber team” they still would be LIGHT YEARS behind the likes of China.. Hell they would even be way behind Iran for that matter so really, there is nothing to fear here. Never mind that many of these guys like Junaid are working in countries that are actively being bombed and shooting is happening so really, how much longer does Juny have anyway before he gets a Hellfile missile up his ass?

Truly the cyber jihad is a non starter for me and it should be for you too. On the other end of that equation though is the fact that they are actively recruiting and getting their message out using social media and this is a problem. Now don’t get me wrong, it is not a clear and present danger kind of thing because really, 100 Americans out of how many people seeing their online drivel have actually left the country to go to jihad pretty much gives a sense of the threat. You have to be pretty unbalanced to want to do this shit to start with so if you get up and leave the country to join up you are a truly unbalanced person to start. One so easily swayed by the propaganda wing of ISIS needs help and what they will certainly get is a bullet instead while fighting. Even ISISL really doesn’t care about the Takfiri, you see kids, they are just bodies to be used… Nothing more. They may call you brother but under their breath they call you fodder.

Much Ado About Nothing

The reality is that ISIS is more a conventional force than anything else. They are not as well planned as AQ and they tend to be one dimensional thinkers. I will admit that their propaganda war has been interesting to watch but I don’t see that it is an existential threat. In fact, I concur with the assessment that AQ is still the real player here who can strike at the US and had a better track record thus far. Surely if ISIS continues to carry out the propaganda war they may garner more recruits but I just don’t see them being that inspirational to get lone wolves to activate/radicalize. I certainly don’t see them being able to put teams together to hack our infrastructure and take us down either. In fact I am not a proponent of that line of thinking anyway as a great threat. Our systems are too complex and fragmented to allow for such a spectacular attack.

So please news media… STFU.

K.

Written by Krypt3ia

2014/09/12 at 15:31

OPSEC In the Post Snowden World

with one comment

 

WWBD

OPSEC:

Operations security (OPSEC) is a term originating in U.S. military jargon, as a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information

~Wikipedia

I would take this definition further to include the tactics and methods of protecting your information from being compromised by the adversary. Compromise not only by technical means but also social and other means as well. (i.e. giving that information to the wrong people by being too trusting or careless with it) Given the focus I have seen online and in the media about “secure communications” by technologies that may or may not be worth trusting. I just can’t help but feel that the majority of people out there today concerned about their privacy or their security in communications will utterly fail in the end because they lack OPSEC awareness to start. Here are some key concepts for you all to consider as you download your new fresh install of TAILS with a vulnerable i2p instance and begin to wonder about the security of the product.. I will give you a hint… Unless you consider all these things you will fail at your security machinations.

Technology and OPSEC:

Screenshot from 2014-07-25 13:34:36

So you have a Laptop you bought new from your vendor and you have downloaded TAILS so you are good to go right?

No.

Consider these things before you begin your super sekret affair online…

  • Can you trust that that laptop doesn’t have some extra chips or other hardware installed? Have you taken it apart to see?
  • Are you even capable of looking at the mainboard and determining what if anything does or does not belong there?
  • Do you in fact own the pipe, the DNS, the router, or anything from the cable modem on your desk provided to you by the cable company? If not, then how do you know that the network is not already compromised?
  • The same goes for the hardware router provided to you as well as the COTS Linksys router you bought
  • Can you trust the supply chain of the TAILS instance you downloaded to start with?
  • Can you sift through the code of that TAILS instance yourself to check if there is rogue code that allows for compromise and surveillance?
  • Can you truly say you are a master of your GPG/PGP public and private keys and processes to encrypt and send email to one another?
  • Can you say that you securely transmitted your keys to the other party in the first place? Or that your private key is not already compromised from an end point CNE attack?

All of these things are compromise-able and no one is a master of all things. Unless you build your own laptop from the ground up with hardware you checked at every step AND you never let it out of your sight then you cannot say that the supply chain has not been tampered with. Thus your security measures are potentially void.

The same can be said about the operating system on the laptop. Did you code it? Have you vetted it yourself? Sure there is open source but really, unless you do this yourself how can you be sure? You can’t really so you have to have a measure of trust that it’s safe. But hey, now we are talking about nation state efforts to listen in and watch everything you do online so really it’s game over right?

There is no sure thing here. So you have to take this stance from the start that you are likely already compromised. You can now either attempt to game the system and have some modicum of security by using OPSEC and technical means or you can just say fuck it and not care. If you are in the former category then you can move on in this post and perhaps consider some other things you need to protect your secrets. If not, you can stop here and go back to your blue pill existence.

Nation State Surveillance and YOU:

So you have decided to read on.. Gut gut…

OPSEC is more than just technical means. As you can see from the above nothing technical can really truly be trusted. Just as no one really can be trusted in reality. I am willing to bet many of the LulZSec gang trusted Sabu didn’t they? I mean after all they made some stellar OPSEC failures in trusting him that ended up with them in prison now right? They also had technology fails too, I mean Sabu was pinched when he logged into an IRC without a proxy with his own IP so there ya go. It was partly technical failure and partly human failure. Had there been a bulletproof technology to obfuscate himself Sabu would not be in the witness protection plan now and the kidz would not be in the pokey right?

So let’s consider some other things outside of the technical 0day and hackery bullshit.

POSIT: The technology is already owned and there is nothing you can do about it.

CONSEQUENCE: All your communications even encrypted by these means are compromised

RESULT: Nothing you do or say should be trusted to be secure

So what do you do then? Do you just give up? Or do you try other means in a layered approach to protect your security? Let me give you a hint; “it’s the latter” However you have to be diligent and you have to follow some ground rules. Given that the documents from the Snowden trove show that if you just use crypto for your communications, no matter how banal, you are now a target of interest and collection you have to consider using the Moscow Rules as a daily routine.

Now does this mean you are really an enemy of the state and in grave danger? No. However, the precedent has been set that we are all under scrutiny and at the whim of whatever algorithm that flags us for traffic on the wire as well as any analyst who might take an interest in you. What’s worse is that many times one might find themselves under suspicion for who they talk to or what they may say online in today’s world and this is where we all should be very afraid. The Fourth Amendment is in tatters kids and what the state considers as papers or personal items does not consist presently of your phone or your computer files according to many in power.

It’s Moscow Rules:

  • Assume nothing.
  • Murphy is right.
  • Never go against your gut; it is your operational antenna.
  • Don’t look back; you are never completely alone.
  • Everyone is potentially under opposition control.
  • Go with the flow, blend in.
  • Vary your pattern and stay within your cover.
  • Any operation can be aborted. If it feels wrong, it is wrong.
  • Maintain a natural pace.
  • Lull them into a sense of complacency.
  • Build in opportunity, but use it sparingly.
  • Float like a butterfly, sting like a bee. 
  • Don’t harass the opposition.
  • There is no limit to a human being’s ability to rationalize the truth.
  • Pick the time and place for action.
  • Keep your options open.
  • Once is an accident. Twice is coincidence. Three times is an enemy action.
  • Don’t attract attention, even by being too careful

So there you have them. This is most likely a fictional list that was used in some book or other but the CIA and the Spy museum seem to have grabbed these as useful. These come obviously out of the old days of Spying in Moscow. Which coincidentally had so much surveillance on their native populace that I have begun to feel a strange sense of deja vu lately about our own affairs of state. Of course we don’t have the omnipresent fear of being disappeared.. Oh.. Wait.. Never mind…

Ok so we don’t really get disappeared so often but we can be taken into custody, our things searched, and our lives ruined by the government all on alleged information that you cannot see because it’s been marked as “Secret” with a handy NSL attached. I guess maybe that is a kind of disappearing huh? Not exactly to the Gulag Archipelago but close enough to ruin you. I know some of you out there probably just thought I put on my tinfoil hat there but I have personally seen this shit in action and it ain’t pretty.

Anyway, back to the purpose here, OPSEC is what you need to practice and you have to make it second nature if you want to keep your secrets secret. Unfortunately if you are in the sights of the nation state then you are pretty much fucked. However, you CAN make it more difficult as long as you are diligent and smart about it. So here’s the short and sweet of OPSEC for you:

  • Trust cannot be implicit in technology or people
  • Study up on disinformation and other obfuscation techniques and use them as a kind of chaff to protect your real comms
  • Understand the adversary, their motives, their techniques, and their weaknesses
  • If you use a technology be sure that you are it’s master
  • Secrets are secret (First rule of Fight Club) keep them that way
  • COMPARTMENT THE EVERYTHING!
  • Layer your encryption techniques and if possible use a OTP
  • Go read up on TSCM
  • Go read up on Counter-Surveillance techniques
  • If they can’t get at you technically they will send in assets to get close to you
  • If they can’t get assets close to you they will use your friends
  • If they can’t get your friends, assets, technical measures to work they will go after you in other ways (think legal issues)

I bet some of you are thinking I am a real paranoid freak right now. Well, welcome to the new age of the surveillance state kids. Get used to it. YOU wanted to play this game and now you are. Welcome to the big leagues.

K.

 

 

 

 

Written by Krypt3ia

2014/07/25 at 18:25

Posted in .gov, .mil, OPSEC