Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Hacking’ Category

Vault 7

leave a comment »

See Robert Redford at the top of the page? He’s playing a character who was an intelligence analyst who read books for the CIA. He came back from getting lunch for his co-workers and found them all dead, killed by a rogue CIA operation that hired an outside freelance assassin to kill them all and cover up rogue operations. This is fiction, and YOU are not him. So please everyone just calm the fuck down about the Wikileaks Vault7 dump ok?

RIGHT! Well Wikileaks has done it again and released a dump of CIA exploits this time around. There are quite a few little gems in there and the hue and cry by the genpop has been idiotic as usual. My personal favorite was the epic fuckery around how the New York Times chose to say that some of the exploits “bypassed” the encryption of programs like Signal which sent many an INFOSEC twitter account into a tizzy over “OMG IT ISN’T A BYPASS!” which, by the way, FUCKING CUT THAT SHIT OUT YOU SELF IMPORTANT FUCKWITS! The point of the statement is true, if the software in the Vault7 dump is used on someone’s phone then the CIA is BYPASSING the encryption altogether. For that matter they are bypassing the application altogether! So stop with the self important I AM A GOD DAMNED IMPORTANT PENTESTER AND THE SEMANTICS OF THE HERE ARTICLE ARE WRONG ERMEGERD!

Just stop.

The point of it all is that these tools, if used against you (until they are mitigated by patching and fixes to OS’) will make any precautions you take on those devices moot ok? Arguing over the semantics of it all is just fucking stupid posturing and if you expect the average person to understand what you are saying, then you are delusional ok? Oh, and if you think that the average person is the target of these attacks, yep, you once again are delusional. Specifically, if you are a US person CONUS and you are just the average Joe the plummer, you are NOT the target of the CIA.

Sorry.. I know it hurts your self image but it’s fucking true.

Get over yourselves.

Ok, so that rant is over, now let’s move on to other things about this dump. There’s a lot of techical stuff that will make the wonks masturbate for quite a long time and that’s to be expected. However, I would like to talk about a few other side loaded things happening that you should think about. First off, let’s talk about the dump itself and who dumped it. It seems from what I am seeing Assange saying, is that the dump was given to Wikileaks by an insider who wanted to open up discussion over the pervasive nature of these kinds of exploits against common and deeply penetrated systems in our collective lives. By this I mean cell phones, TV’s and other IOT devices. Now most of the stuff in the dump looks to be from 2012 up to nearly 2016 so it is older in respect to 0day and hacking exploits in many ways. Since they were secret though and they took a lot of time to make sure there were bypasses as well as ways to hide their presence, the CIA’s stuff is still old from a certain standpoint. Within the community one has to offer up the idea that not everything stays secret and those services that cover assets that the CIA might want to bug also have people who spend their time looking for such software right? What I am saying is who knows what has been working well and undetected and what has been detected by a foreign power and counteracted or allowed to use as a means of disinformation. Take that into consideration when you read the dump. Sure the common man here in the world may not know about this stuff and it will blow their minds but in the IC maybe not ok?

Now let’s consider how long this data has been in the hands of Wikileaks and who may have had it before. This stuff may have been in the community at large for a long time. The CIA may have shared this tech with FIVE EYES in some cases but if you look at the headers much of it was NOFORN (No Foreign Persons) so let’s just assume it was inside Langley. If the data was common there, when did it get leaked originally? Who had it in the interim? This goes back to the paragraph above too. If the exploits were working, now we have to wonder if they were being fed bad data by them from an aware adversary (this will play a key fact in the дезинформация part of this post later) given when we think the data was stolen and leaked. The fact of the matter is this, brass tacks I don’t believe a word Assange says from his balcony at Hacienda Ecuador and my money is that this was not leaked by a CIA employee just because they had a change of heart. I personally believe that whoever leaked it is an asset of a foreign power and that power just might be Russia.

Which brings me to the issue of the quick disinformation spin up by what looks to be Russian trolls and bots on Twitter and elsewhere over this last dump. The narratives that are starting to spin up are aiming this data directly at Democrats (including Hillary) and are aimed to cause more friction within the country and our politics. Gee, who lately has been doing that I wonder? The Daily Beast had a good report on this and I agree with Rob that this has spun up way too quickly and too much cohesion to allow for it not to have been in the pipeline before the dump. My meaning is that as we have seen in the recent past with the hack on the DNC and active measures on our electoral system, the Russians have a useful idiot in Assange and the Wikileaks organization. Assange has been another lackey of Putin like Trump and in fact it is quite possible that the leaked data came from Russia by way of an asset inside the CIA. Which then makes the inevitability of a Russian mole hunt at Langley a very large possibility. I bet the polygraphers are all warming up their electrodes as I write this in Virginia.

So, while all you INFOSEC nerds wank off to the sploits just remember these salient points.

  • There’s a bigger more subtle game going on here
  • YOU are not that important so just take this stuff and work on how to fix it
  • Take a beat and remember YOU ARE NOT THAT IMPORTANT
  • The CIA is not charter to work within the USA these exploits were targeted at other countries. Just look at FINE DINING for case officers
  • Consider what exploits other countries have and are being used that you don’t know about
  • PENTESTERS ARE NOT FUCKING JAMES BOND. FOR FUCKS SAKE JAMES BOND IS NOT JAMES BOND!

Look at the bigger picture.

K.

Written by Krypt3ia

2017/03/08 at 13:48

The DNC Hack: SVR? KGB? GRU? Lone Hacker?

with 2 comments

191

Attribution Games:

I grow more and more weary of the attribution games being played in INFOSEC and the DNC hack is just another in a cavalcade of epic missing the point parades. Since the “scoop” given to WaPo by Crowdstrike, there has been a flurry of allegations, revelations, and throwing of attribution dice akin to a basement game of Magic The Gathering repleate with summoning!

“I summon the Russian GRU!”

“I summon the LONE ACTOR!”

“I summon the KGB!”

*slaps down cards on table* TAKE THAT!

The reality here is that there are more than a few games going on here. Think about it, Crowdstrike gets a media coup by selling this story to WaPo, who just happens to have been banned by the Orange Julius of our time, presidential candidate Donald Trump! WaPo jumps on this like a child on a fresh tit and runs with the attribution story and sets the world on fire for Donny boy with the release that the DNC not only was hacked but that his dirty laundry may be in the hands of Kommisar Putin!

“Whoa”

So, first let’s set aside the whole issue of marketing, which is akin for me, to choking on a hairball left from that chick in “Ringu” and move on to the veracity of the attribution as well as the real need to name and shame here. I for one can believe that the two nation state actors software and activities were found by Crowdstrike on the DNC systems. The fact that there are two disparate groups from the same nation state is interesting in itself. I guess they are not really talking to each other and given the state of affairs there in Russia I can see this as being a true accounting. However, I can also see my way to there being third, fourth, fith, sixtieth actors also in the network or having had been in the past as well. Face it, these are government systems who usually go to the lowest bidder right? This was likely the Diagon Alley of Democratic networks.

So, to say that it was only these two actors might be a stretch. There is room for doubt and after the dump by “Guccifer2” as they are calling themselves, it is easier to think that perhaps there is more to the story than what we have been given by the media, the DNC, and Crowdstrike. That the documents are legit on the wordpress site by Gucci and that they seem to be pretty well stamped down on metadata, one can’t make too many assumptions.. Oh, yeah, but everyone is! At the end of the day for me, even though I will play the game a little bit below the fold here, the real issues should be how the hackers did it, and fixing the behaviors of the DNC to stop it from happening for a year or two at a time in the future. Not so much pointing at Russia and yelling; “YOU TOOK OUR SHIT! BAD POOTY! BAD!”

Put another way… I eagerly await the FBI warrants and 10 most wanted cyber listings for the Russian actors they have all this attribution on … I suspect I will be waiting the rest of my life for that one kids… Just sayin. This was mostly about marketing as far as I am concerned and I have to give them props for working that one. Sales must be up in the government area now because of this caper right?

Metadata and Cyrillic:

Meanwhile, after the WaPo story hit the wires the “lone hacker” created his wordpress site and dropped dox as we say on the intertubes. Shortly after the drop people were inspecting, detecting, infecting, and making circles and arrows with captions on the back to describe what you were seeing! … And the conspiracy theory machine went into overdrive. Pwnallthethings made some good comments on the metadata in the dropped dox but really, concluding that this is a Russian disinformation operation from metadata stripped documents on the idea that the machine name was cyrillic for Felix Dzerzhinsky (Феликс Эдмундович)  Really? Now that is fucking SOLID work man! Stellar! FUCK LET’S GO BOMB RUSSIA NOW!

Dr._Strangelove

NAILED IT!

You know at least Crowdstrike has like actual data, ya know, C2’s, malware, and shit like that. Anything else is totally speculative, I mean even more speculative than most attribution that these companies make with real data! Anyway, I took a look at the metadata on the documents and here is what I have found…

  • Much of the data was stamped out in saving from format to format
  • Emails of users though were still embedded in the excel files
  • The word docs have no more metadata than the Iron Felix machine name save, which, gee, kinda leads one to wonder…
  • The image files have no metadata.. none.. niente clean.
  • Grizzli777 is just someone who pirates

Yep, not a lot to see there and people are hanging their collective hats on the deliberate placement of Феликс Эдмундович as the machine name to it’s quite OBVIOUSLY being Mother Russia’s exclusive secret services.

*squint.. takes drag of cigarette*

So here’s my assessment…. Maybe Russia did it… OR Maybe this actor is the real thing and happens to want to take credit. The facts that this person(s) reads, writes, has, cyrillic on their machine and names it after the founder of the KGB is as reliable a means to saying it was Russia as it is to say that aliens built the pyramid because people just were fucking too stupid back then!

All of this hoo ha really means nothing. The fact of the matter is that now Donny’s dirty dirt is open source!

YAAAAY!

Wait.. I read it.. What the shit people? REALLY? THAT’S ALL YOU HAD HILLARY? COME ON!

It doesn’t matter who did it really.. Horse is out of the barn and the barn is on fire kids. So please, stop with all the wankery and move on to the next hack ok?

DATA:

Screenshot from 2016-06-17 13:35:04

Screenshot from 2016-06-17 13:33:43

Screenshot from 2016-06-17 13:31:49

Screenshot from 2016-06-17 12:51:57

Screenshot from 2016-06-17 12:46:55

Screenshot from 2016-06-17 12:46:44

Screenshot from 2016-06-17 12:46:33

Screenshot from 2016-06-17 12:46:14

Screenshot from 2016-06-17 12:46:03

Screenshot from 2016-06-17 12:45:43

Screenshot from 2016-06-17 12:44:48

Screenshot from 2016-06-17 09:51:34

Motivation Analysis and Hypothesis

RIGHT! Well now I want to play the attribution/motivation/game of clue too! So here goes…

Imagine if you will that Russia did do it. Imagine also that Gucci2 is still Russia’s services performing a disinfo campain against Crowdstrike. Now imagine why would they be doing that? Why would they drop Donny’s dox AND all the other fun stuff for the Clinton campaign, which is in trouble already over the cybers! What effects would this have? Let’s list it out for you…

  • Dropped dox of the dirt —-> Blows all Hill had on him unless there is a double secret probation file somewhere
  • Dropped dox yet to be releast on Wikileaks —> Let’s say, as Gucci2 alluded, they were also in Hill’s mail server, ya know, the one that wasn’t supposed to be? Oh yeah…
    • If that server was popped by the Russians and Gucci1 those criminal charges could be much more deleterious right? *waves at FBI*
  • Dropping of dox and general hackery causes DNC and the election process to be even more fractious than it already is
  • Dropping dox makes Hill’s candidacy potentially weaker (hint hint server –> Russians–>PWN wink wink nudge nudge!

So all those effects would do what possibly? Why would they want to do this? WHO WOULD WANT A TRUMP PRESIDENCY?????

Why Pooty of course!

Think about it kids. Given your knowledge of Teeny Tiny Baby Hands Trump, do you think he could stand up to a bearish Putin?  *sorry had to use that one*  Do you think that perhaps Donald is easily.. Shall we say.. Distracted or led? Come on, I know you can all reason this out. A Trump presidency would be sweet sweet love for Putin. He would have a friend, and someone he can sit on his knee to play ventriloquist with! … Well, until he has to polonium enema him that is.

That’s my theory and I am sticking with it… For all the fucks that it is worth.

I will say though.. I am waiting on those documents to show up in Wikileaks. That’s when the shit is really gonna hit the fan.

See you all in INFOSEC attribution Hell.

K.

 

Written by Krypt3ia

2016/06/17 at 18:34

The Rise of The Middle Eastern Patriot Hacker

leave a comment »

Screenshot from 2016-06-02 13:56:48

A news story posted today got my attention if for nothing else than the lulz. The post was about how a team of Saudi hackers had popped and defaced a bunch of Iranian sites and how in return the Iranian authorities had tapped INTERPOL to clap the irons on those cyber terrorists! Now, usually I am not so much interested in these types of defacements being that they are just tit for tat political posturing by derpy kids online but this reminded me of China in the 90’s so here I am.

That’s right, you read me right there, China, remember the Green Army? Remember all those posts I did back in the day about the patriot hackers there? Well, now we have the same kind of thing happening in the Kingdom of Saud and since I am a bit of an Arabist, I thought it interesting enough to pontificate on here. Hell, I might even thought lead here! Well, ugh, no, I will not thought lead, there is jut no coming back from that. Anyway, back to the matter at hand.

Screenshot from 2016-06-02 14:02:13

The “team” in question is the new-ish group calling themselves “Team Bad Dream” and ermegerd they are as derpy as they come. When you start to pull at the threads of their digital tangled skein you quickly come to some real profiles and real names. I will not post them here because I don’t want the Iranians whacking anyone and I certainly don’t want INTERPOL on them just yet. Suffice to say, guys, ummm, you may want to pay attention to your old nicks and re-use. Oh, and don’t forget to not use your SKYPE addresses and shit like that that you have not created good backstops and cutouts for!

Screenshot from 2016-06-02 13:50:05 Screenshot from 2016-06-02 13:49:39 Screenshot from 2016-06-02 11:39:49 Screenshot from 2016-06-02 11:35:26

*Oh, maybe that was a little OPSEC/INTEL slip I just pulled there huh? Oops*

Anywho… Aside from the derpy defacements that really mean nothing in the scheme of things as hot “cyber” wars go, there is this notion of a shift in politics/warfare/statecraft that I just have to mention. It is claimed that the KSA government has been supporting these guys in their defacement spree and if this is the case, then it’s a bit of a different kettle of fish no? It is one thing to have a bunch of guys who just do this shit for giggles but these guys are now hitting Iran, the mortal enemy of Saudi with *gasp* DEFACEMENTS!

Ok, ok, ok, you all probably have the same opinion that I do about defacements:

Screenshot from 2016-06-02 14:22:16

That XKCD pretty much sums it up for me. However, you are now dealing with the governments of two rather shall we say touchy countries. Just look at the rhetoric between the two to see. In fact, hell, just look at the rhetoric and crazy that comes out of Iran on a regular basis and you might see where I am going here. I can imagine here an all out, full scale, cyber defacement war soon enough. However, what if that also turns into a full on “cyber” war between the two now too? What if they really start hacking the shit out of each other’s infrastructure?

What if they start stuxnet-ing all the things! My god man.. it will be 9/11 x 1000

index

Ok on a more serious note though. This may in fact be the start of something bigger and we could be seeing more hacking and net-centric warfare between these players in the near future. I eagerly await the next salvo with popcorn in hand and a nice big scotch. Everyone get comfortable because soon there will be attribution marketing and cutesy pseudo Arabic code names for all the actors!

K.

 

Written by Krypt3ia

2016/06/02 at 18:35

Did China Just Bill Clinton Us on OPM?

leave a comment »

Clintond

 

In an article posted today from the Chinese State News service Xinhua the official ruling on the OPM hack has been determined to have been carried out by a group of “criminal hackers” not at the behest of the Chinese government. As such they say, the hack was not an official act of cyber war but instead a criminal act according to current laws on cyber warfare.

Dude, we just got Bill Clinton’d on one of the largest hacks to date on governmental databases! Let’s parse this out a bit and then move on to another story that was also posted today. That story; “Congress wants to know how OPM hack could hurt U.S. spies” asks one of the most idiotic questions I for one can think of as someone who’s data was stolen by a foreign power who is now saying in effect; “We have your data, but hey, it was a criminal act. We didn’t ask them to do it but thanks for the files!” 

Thanks China! Don’t mind you holding that data for me since I think that the OPM and the DHS aren’t really capable even with their neato NCATS cyber hygiene service! Say… Did I mention I found all your FOUO documents on your super neato hacker hygiene program being leaked by your own servers? YAY!

Asshats.

But I digress… Ok so back to the first story. I believe that in the past I have written about the coming cyber wars in context of how incredibly hard it will be to prosecute not only the war, but also the defense as well as the, well, prosecution, of anyone we think carried out actions against us. Here we have a classic example of how this will all work with the, well lets call it from hereon the “Clinton Defense” for lack of a better moniker.

China was pretty smart to play it this way because not only does it sort of absolve them but it also gives them a chance to now leak that data to the darknet let’s say and lend credence to the idea that criminal gangs stole the data and are now trying to profit from it. Once the cat is out of the bag the cat pretty much is useless right? Well no, in fact they have their copy of the data and I am sure the MSS and more so the PLA have farmed all that data out to their intelligence customers for further exploitation.

China wins.

This is probably a scenario that certain analysts already thought might come to play since we kind of already pointed the finger at China anyway. It also may have been a foregone conclusion given the futile naming of names and placing them on wanted lists that the DOJ put out this year. If you think we will ever get hold of those Chinese PLA assets you are just deluding yourself. From now on I can see how China and now other nations will just blame non state actors for the hacks against any assets just like some mother scolding a bad child for thievery out of the cookie jar. All the while the players will not be charged with anything and perhaps never even be known because the government will cover their identities.

Do you see where this is all going? What a slippery slope this is? All the while we keep focusing on attack and not on defense. Yeah, that will win the day for us for sure. I am so tired of all the bullshit. Even if you can DFIR and OSINT the shit out of things all one has to do is “officially” blame another actor and the game is over. There won’t be any trials and the data is still in the hands of the adversary, once again, because WE FAILED TO HAVE THAT CYBER HYGIENE!!

Fuckery.

Meanwhile the congress seems to be overtaxing their small minds trying to understand how the data that was stolen (SF86’s and the kitchen sink at OPM) could affect those in the clandestine service. Seriously? Are you fucking kidding me? You don’t understand how China having not only access to where someone worked and works, but also all their personal histories, clearance levels, friends information, psych status, fucking everything to create a super dossier on them could affect a clandestine agent? Tell me something congressman… Are you an idiot?

I would like the congress to understand even more deeply about the hack on OPM. It is more than just the data that they stole. It is also about how long they had access to the internals at OPM and then the networks that the OPM network touch. For instance, did you know that the server the data was being held in partially sat in the DOI?

NO I AM NOT KIDDING

The Department of the Interior is a place I know rather well because I worked for the DOJ on a case against them back in the day. I had to look at their networks and boy oh boy, what a fucking mess. Would it also surprise you to know congressman that the DOI network has classified network connections as well? Did you know for example that when I was poking about I saw NRO shit as well? Think about that and let it rattle around your empty heads a bit. Ask yourself and then ask OPM and DHS what other networks the Chinese may have had access to for about a year?

HEAD. SPLODE.

I dunno, it seems like every day I just want to crawl into the woods and build my 6×6 shack and wait for the apocalypse to come far away from the asshattery that will undoubtedly occur. Fuck the whole iot bullshit with fridges and toasters exploding from grid hacks by Ted Koppel. I just want out because we as a species are just incapable of handling this shit appropriately. I eagerly await the end where the AI finally takes over and decides to liquefy us all to feed to one another to be used as batteries for the Matrix.

Let’s get this over with already.

K.

Written by Krypt3ia

2015/12/02 at 18:19

Posted in China, CyberWar, Hacking

ASSESSMENT: TEAM JM511

leave a comment »

Screenshot from 2014-03-14 10:04:48

JM511 Hacking since at least 2004:

There is a typical history to certain types of hackers and this genesis usually embodies first defacing sites and gloating about it online. Since the advent of pastebin and Anonymous things have changed a bit by dumping DOX or proof of hacks while gloating. JM511 has been one of these hackers who started around 2004 (by his own account as seen in the picture below) defacing sites and shouting out gr33tz to those he wanted to share his conquests with. Often times the tenor of JM511 has been “neener neener neener you stupid idiots!” which is pretty common and bespeaks a certain core need to feel superior to anyone and everyone coupled with poor impulse control. Of course in today’s world there are so many outlets to garner fame and fortune for your exploits like Twitter where JM511 has a long lived twitter feed where he posted his thoughts on hacking, politics, Islam, and generally used it as a platform for self aggrandizement.

Screenshot from 2014-03-14 10:31:54

To date JM511 has been pretty prolific and for the most part an afterthought by most for his acts against poorly protected sites. However, he has recently taken on a new aspect with recent posts that dumped credit cards and email addresses as well as other PII that some out there certainly should care about. Law enforcement at the least should be paying attention to large dumps of credit cards and PII as well as watching these guys who profess their ties (albeit tenuously at first) to AQ. I personally got him on my radar by a tip from a comrade who thought it might be a fun diversion for me to look into Mr. 511.. That tipster was right and I tip my hat to you sir.

JM511 Today:

JM511 has been a busy busy boy. A recent post by him on pastebin was what triggered all of this from the angle of Islamic hackers who may be in fact carding on the nets. The posting below is the cause for my looksee and as you can see he is taking pleasure in dumping people’s credit details and names on pastebin with impunity. JM511 has a whole long list of pastes out there showing his knowledge of XSS to SQLi and other attacks whilst mocking those he has ripped off or otherwise shamed in some way. Of course now he called his crew “Islam Hackers” and seems to have the aforementioned aegis towards opposing those who would oppose Islam. In fact he was one of the many voices on twitter back last April saying tha Dzokhar was not guilty of his crimes (bombing the Boston Marathon) and that Islam is a religion of peace. Odd that he says such things as he then turns around and starts abusing people online…

Screenshot from 2014-03-14 11:47:34

Screenshot from 2014-03-14 11:31:31 Screenshot from 2014-03-14 11:31:16

JM511 aka   فيصل البقعاوي aka Faisal Bakaawi aka Faisal Faisal Al Otaibi:

JM511 thought he had it all figured out though. His reign has been long and no one seems to have caught onto him to date.. That is until now. Through a circuitous use of Maltego, Google, and the frontal lobes of my brain I managed to trace JM511 through his SPECTACULAR OPSEC FAIL to his real name and his location. As JM511 aka Faisal Bakaawi or Faisal Al Otaibi claims that he is in and from Saudi Arabia I am sure he thought he could not be tracked. Well, he would be incorrect there because he forgot to compartmentalize his real life with his ID’s. Faisal failed to not re-use ID’s for non hacking things like say posting an ad for housing in Dekalb Illinois recently.

Screenshot from 2014-03-14 10:58:40It seems that Faisal is attending ESL (language school) in Dekalb and used his Yahoo account (jxffh@yahoo.com) which he tied to his Skype account FoFox511x which he also kindly attached to his cell phone (443-820-8939 Baltimore number btw) and he wanted a move in date of 11/5/2013 so I am going to assume that he has found lodgings by now there in Dekalb. Some might say to me “why did you post his details on the net! Shame on you!” well, I subscribe to the idea t hat turnabout is indeed fair play and all of this data is open source and public so it has an added giggle factor for schadenfreude.

UPDATE: While researching this it became clear that the name Faisal Otaibi also comes to bear in posts and videos by JM511. Further study showed direct links to Faisal Otaibi also being a Dekalb resident attending school (see pic below) I believe that Faisal either has a pal there with him also named Faisal or, more likely, they are one in the same and Faisal has just been trying to obfuscate his name. Either way, it is my conviction that Faisal Otaibi/Bakawai is indeed JM511. It is also key to note that a Faisal Otaibi is also listed as an ethical hacker who also attended last years hacker conference in Germany…. Oh and one more thing, ELS, the school is located on NIU’s campus.

Screenshot from 2014-03-14 17:12:44

Screenshot from 2014-03-14 11:36:25

Screenshot from 2014-03-14 10:30:07

Screenshot from 2014-03-14 10:48:32Screenshot from 2014-03-14 12:32:12

So, Faisal, thanks for playing but you lose. Please collect your silver bracelets at the door because LE has been informed of these details coming to light and you should be visited hopefully soon. I do love the irony of the selfies you took showing how you used those people’s credit cards to purchase domains on your Twitter feed though. I mean usually it’s some unsuspecting idiot showing off their new credit card and not understanding OPSEC. Of course in this case it’s  you and someone else’s money that will get you some jail time I suspect.

ASSESSMENT:

My analysis of this interesting side trip to my day is this; OPSEC, USE IT or FAIL miserably. Faisal, you failed and I eagerly await the news of your being popped for your crimes. Let it be an object lesson for others out there who may look up to such fools. You may hack for a while, you may have your fun at the expense of others but eventually you will make a mistake and get caught. It’s just your human nature and the law of averages that will get you in the end. Run! Scurry! Someone’s coming to see you.

K.

Written by Krypt3ia

2014/03/14 at 16:32

ASSESSMENT: Tesco.com Hack and Account Drop

with one comment

Screenshot from 2014-02-17 08:56:17

TESCO Dump:

Screenshot from 2014-02-17 09:04:27

Two thousand accounts and passwords to Tesco.com’s site were dumped on Pastebin 2/12/14 and it set the news all a twitter about how Tesco had been hacked. The accounts and passwords have all been deactivated and changed according to Tesco and if they had it their way I am sure they’d just like to move on. However, the news on the hack has as yet been unclear as to how it happened. In looking around the usual dirty corners of the internet I have found a few details about how common it seems companies like Tesco have been the target of these kinds of attacks. I found trails of chatter going back to August of last year talking about how to go about abusing the Tesco online system to order goods and have them delivered in many places as well as offers by coders for scripts and programs to carry out the attack that seems to have befallen Tesco.

Tesco_Checker.exe and Freelancers:

Screenshot from 2014-02-17 09:45:45

Screenshot from 2014-02-17 09:03:45

One of the first hits that I located was talk of a “Tesco Account Checker” program back in October of last year. I was unable (as yet) to locate the live download of the program but above you can see a screen shot of one of the common file sharing sites where it was hosted back then. This program allegedly checks the site by imputing user ID’s (emails) and passwords which it will check for a (200) on the site and output a report much like what was uploaded to Pastebin recently. In fact there are many offerings out there for these kinds of scripts and programs that will work on many sites and some of them have a brute force element as well. It has yet to be determined though if the Tesco event was an actual hack on their systems with something like these programs or if the Pastebin dump was just a shot over the bow from data gathered and tested with a new tool. Of course Tesco was also not very strong on their security for their passwords or their practices here with six character non complex passwords and a tendency to send pass resets in email clear text. These factors may also have been at play in this dump of the two thousand accounts actually occurring but it still doesn’t elucidate on why someone would just dump them there and not just use them.

Carding Forums:

 

Screenshot from 2014-02-17 09:07:05

Screenshot from 2014-02-17 09:07:23

Tied to the scripts and programs being created for the purpose of checking accounts at Tesco and other places, the carding forums make their appearance selling the data culled as well as giving short tutorials on how to check balances and such. As seen above there are at least two different groups of carders involved in this incident (v3ch4j.cc as well as tuxedocrew.biz) so it seems that perhaps it may have been more than 2k accounts compromised and may in fact be being sold on their closed markets today. It does seem though that these guys are in it for the purchase of goods then having them shipped as Tesco is an online super market. There are posts asking how to get food sent and how to scam the site to get that food so it seems that this has been going on for some time now. Tesco users may want to check into their accounts for small charges that may have gone unnoticed as well as Tesco themselves should be looking at a full scale DFIR on their systems to see just what has happened here.

ANALYSIS:

Screenshot from 2014-02-17 09:07:41

The overall analysis here is that Tesco was using insecure processes to generate passwords as well as reset them for people (in the clear in email) as well as perhaps had been under attack for some time (since last summer really) by these attackers. Probes of their site should have been noticed and one would hope that Tesco would have some sort of intelligence gathering to tell them when these types of campaigns are being created. My Googling only took about 15 minutes and I had a plethora of data on who was talking about this script as well as methods to cheat Tesco out of goods online. The upshot here is these guys weren’t really hiding very well and this stuff should be monitored. If they had been paying attention though they might have noticed Moad Abo Al Sheakh (G+ above) who posted a tutorial on using the Tesco account checking tool on his blog under the title “no secret her” and aside from his poor typing/spelling skills, lays it out pretty plainly. Overall this isn’t a Target attack on the scale of interesting but it does show just how poorly some places treat security as a primary goal only to get popped and dumped on Pastebin.

K.

Written by Krypt3ia

2014/02/17 at 15:26

Posted in ASSESSMENT, Hacking

So here’s my thing….

with 3 comments

dark_of_night_OURO

VQX HWMVCUSE JQJFASSNTG QV! X HQ JD ISIAVVE!

Face it.. We are all PWND six ways to Sunday

Every frigging day we hear more and more about how the NSA has been emptying our lives of privacy and subverting the laws of this land and others with their machinations. It’s true, and I have been saying as much since the day Mr. Klein came out of his telco closet and talked about how the NARUS system had been plugged into the MAE West back in the day. We are all well and truly fucked if we want any kind of privacy today kids and we all need to just sit back and think about that.

*ponder ponder ponder*

Ok, I have thought about it and I have tried to think of any way to protect myself from the encroachment of the NSA and all the big and little sisters out there. I am absolutely flummoxed to come up with any cogent means to really and truly protect my communications. Short of having access to the NSA supercloud and some cryptographers I don’t think that we will not truly have any privacy anymore. If you place it on the net, or in the air. We have reached in my opinion the very real possibility of the N-Dystopia I have talked about before in the Great Cyber Game post.

As the pundits like Schneier and others groan on and on about how the NSA is doing all of this to us all I have increasingly felt  the 5 stages of grief. I had the disbelief (ok not completely as you all know but the scope was incredible at each revelation) Then the anger came and washed over me, waves and waves of it as I saw the breadth and scope of the abuse. Soon though that anger went away and I was then feeling the bargaining phase begin. I started to bargain in my head with ideas that I could in fact create my own privacy with crypto and other OPSEC means. I thought I could just deny the government the data. I soon though began to understand that no matter what I did with the tools out there that it was likely they had already been back door’d. This came to be more than the case once the stories came out around how the NSA had been pressuring all kinds of tech companies to weaken standards or even build full back doors into their products under the guise of “National Security”

Over time the revelations have all lead to the inescapable truth that there is nothing really anyone can do to stop the nation state from mining our communications on a technological level. Once that had fully set in my mind the depression kicked in. Of late I have been more quiet online and more depressed about our current state as well as our future state with regard to surveillance and the cyberwarz. I came to the conclusion that no matter the railing and screaming I might do it would mean nothing to the rapidly approaching cyberpocalypse of our own creation arriving. ….In short, we can’t stop it and thus the last of the five stages for me has set in. I accept that there is nothing I can do, nay, nothing “we” can do to stop this short of a bloody coup on the government at large.

I now luxuriate in my apathy and were I to really care any more I would lose my fucking mind.

OPSEC! OPSEC! OPSEC!

Speaking of losing one’s mind.. Lately people all have been yelling that OPSEC is the only way! One (the gruqq) has been touting this and all kinds of counterintelligence as the panacea for the masses on these issues. Well, why? Why should we all have to be spies to just have a little privacy in our lives huh? I mean it’s one thing to be a shithead and just share every fucking stupid idea you have on FriendFace and Tweeter but really, if you can’t shut yourself up that is your problem right? No, I speak of the every day email to your mom telling her about your health status or maybe your decision to come out etc. Why should the government have the eminent domain digitally to look at all that shit now or later?

If you take measures to protect these transactions and those measures are already compromised by the government why then should you even attempt to protect them with overburdened measures such as OPSEC huh? I mean, really if you are that worried about that shit then go talk to someone personally huh? I know, quite the defeatist attitude I have there huh? The reality is that even though I claim not to be caring about it (re: apathy above) I actually do but I realize that we no longer have privacy even if we try to create it for ourselves with technical means. If the gov wants to see your shit they will make a way to do so without your knowing about it. I fully expect someday that they will just claim eminent domain over the internet completely.

Fuck OPSEC.. I want my government to do the right thing and not try to hide all their skirting of the law by making it classified and sending me an NSL that threatens to put me in jail for breaking the law.

Fuck this shit.

CYBERWARZ

Then we have the CYBERWARZ!! Oh yeah, the gubment, the military, and the private sector all have the CYBERWARZ fever. I cannot tell you how sick of that bullshit I am really. I am tired of all the hype and misdirection. Let me clear this up for you all right here and right now. THERE IS NO CYBERWAR! There is only snake oil and espionage. UNTIL such time as there is a full out kinetic war going on where systems have been destroyed or compromised just before tanks roll in or nukes hit us there is no cyberwar to speak of. There is only TALK OF cyber war.. Well more like masturbatory fantasies by the likes of Beitlich et al in reality. So back the fuck off of this shit mmkay? We do not live in the world of William Gibson and NO you are not Johnny Mnemonic ok!

Sick. And. Tired.

I really feel like that Shatner skit where he tells the Trekkies to get a life…

Awaiting the DERPOCALYPSE

All that is left for us all now is the DERPOCALYPSE. This is the end state of INFOSEC to me. We are all going to be co-opted into the cyberwarz and the privacy wars and none of us have a snowball’s chance in hell of doing anything productive with our lives. Some of us are breaking things because we love it. Others are trying to protect “ALL THE THINGS” from the breakers and the people who take their ideas and technologies and begin breaking all those things. It’s a vicious cycle of derp that really has no end. It’s an ouroboros of fail.

RAGE! RAGE! AGAINST THE DYING OF THE PRIVACY! is a nice sentiment but in reality we have no way to completely stop the juggernaut of the NSA and the government kids. We are all just pawns in a larger geopolitical game and we have to accept this. If we choose not to, and many have, then I suggest you gird your loins for the inevitable kick in the balls that you will receive from the government eventually. The same applies for all those companies out there aiding the government in their quest for the panopticon or the cyberwarz. Money talks and there is so much of it in this industry now that there is little to stop it’s abuse as well.

We are well and truly fucked.

So, if you too are feeling burned out by all of this take heart gentle reader. All you need do is just not care anymore. Come, join me in the pool of acceptance. Would you care for a lotus blossom perhaps? It’s all good once you have accepted the truth that there is nothing you can do and that if you do things that might secure you then you are now more of a target. So, do nothing…

Derp.

K.