Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Heists’ Category

The DNC Hack: SVR? KGB? GRU? Lone Hacker?


Attribution Games:

I grow more and more weary of the attribution games being played in INFOSEC, and the DNC hack is just another in a cavalcade of epic missing-the-point parades. Since the “scoop” given to WaPo by Crowdstrike, there has been a flurry of allegations, revelations, and throwing of attribution dice akin to a basement game of Magic The Gathering replete with summoning!

“I summon the Russian GRU!”

“I summon the LONE ACTOR!”

“I summon the KGB!”

*slaps down cards on table* TAKE THAT!

The reality here is that there are more than a few games going on here. Think about it, Crowdstrike gets a media coup by selling this story to WaPo, who just happens to have been banned by the Orange Julius of our time, presidential candidate Donald Trump! WaPo jumps on this like a child on a fresh tit and runs with the attribution story and sets the world on fire for Donny boy with the release that the DNC not only was hacked but that his dirty laundry may be in the hands of Kommisar Putin!

“Whoa”

So, first let’s set aside the whole issue of marketing, which is akin for me to choking on a hairball left from that chick in “Ringu”, and move on to the veracity of the attribution as well as the real need to name and shame here. I for one can believe that the two nation-state actors’ software and activities were found by Crowdstrike on the DNC systems. The fact that there are two disparate groups from the same nation state is interesting in itself. I guess they are not really talking to each other, and given the state of affairs there in Russia I can see this as being a true accounting. However, I can also see my way to there being third, fourth, fifth, sixtieth actors also in the network or having been in the past as well. Face it, these are government systems that usually go to the lowest bidder right? This was likely the Diagon Alley of Democratic networks.

So, to say that it was only these two actors might be a stretch. There is room for doubt, and after the dump by “Guccifer2” as they are calling themselves, it is easier to think that perhaps there is more to the story than what we have been given by the media, the DNC, and Crowdstrike. Given that the documents on Gucci’s wordpress site are legit and that they seem to be pretty well stamped down on metadata, one can’t make too many assumptions. Oh, yeah, but everyone is! At the end of the day for me, even though I will play the game a little bit below the fold here, the real issues should be how the hackers did it, and fixing the behaviors of the DNC to stop it from happening for a year or two at a time in the future. Not so much pointing at Russia and yelling; “YOU TOOK OUR SHIT! BAD POOTY! BAD!”

Put another way… I eagerly await the FBI warrants and 10 most wanted cyber listings for the Russian actors they have all this attribution on … I suspect I will be waiting the rest of my life for that one kids… Just sayin. This was mostly about marketing as far as I am concerned and I have to give them props for working that one. Sales must be up in the government area now because of this caper right?

Metadata and Cyrillic:

Meanwhile, after the WaPo story hit the wires the “lone hacker” created his wordpress site and dropped dox, as we say on the intertubes. Shortly after the drop people were inspecting, detecting, infecting, and making circles and arrows with captions on the back to describe what you were seeing! … And the conspiracy theory machine went into overdrive. Pwnallthethings made some good comments on the metadata in the dropped dox but really, concluding that this is a Russian disinformation operation from metadata-stripped documents on the idea that the machine name was Cyrillic for Felix Dzerzhinsky (Феликс Эдмундович)? Really? Now that is fucking SOLID work man! Stellar! FUCK LET’S GO BOMB RUSSIA NOW!

[image: Dr. Strangelove]

NAILED IT!

You know at least Crowdstrike has like actual data, ya know, C2’s, malware, and shit like that. Anything else is totally speculative, I mean even more speculative than most attribution that these companies make with real data! Anyway, I took a look at the metadata on the documents and here is what I have found…

  • Much of the data was stamped out in saving from format to format
  • Emails of users, though, were still embedded in the Excel files
  • The Word docs have no more metadata than the Iron Felix machine name, which, gee, kinda leads one to wonder…
  • The image files have no metadata: none, niente, clean.
  • Grizzli777 is just someone who pirates

Yep, not a lot to see there, and people are hanging their collective hats on the deliberate placement of Феликс Эдмундович as the machine name as proof that it’s quite OBVIOUSLY Mother Russia’s exclusive secret services at work.
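The findings above come from looking at what survived in the document properties of the dropped files. As an added example (not code from this post, and not the tool the author used), here is how that inspection is done on OOXML packages (.docx/.xlsx/.pptx): the properties live in `docProps/core.xml` and `docProps/app.xml` inside the zip, so the check is just unzip, parse, and list what is still populated. The sample document below is constructed in memory so the script runs offline; the creator name, timestamps and the Cyrillic `lastModifiedBy` value are all made-up placeholders, not values from the actual leak. The `non_ascii` flag only says that a field contains non-ASCII text; it does not, by itself, say anything about who wrote the file.

```python
"""Inspect identity-bearing metadata left in OOXML documents (.docx/.xlsx/.pptx).

Added example, not the post's own code. build_sample_docx() constructs a
minimal package in memory; for a real file, pass its path to
extract_ooxml_metadata() instead.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml and docProps/app.xml in OOXML packages
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Fields an analyst usually wants to see first: who, when, and on what software
CORE_FIELDS = ["dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified", "dc:title"]
APP_FIELDS = ["ep:Application", "ep:Company", "ep:Template", "ep:TotalTime"]


def _text(root, tag):
    """Text of a child element given as 'prefix:local', or None if absent/blank."""
    prefix, local = tag.split(":")
    el = root.find("{%s}%s" % (NS[prefix], local))
    return el.text if el is not None and el.text else None


def extract_ooxml_metadata(doc):
    """Return {field: value-or-None} for the properties parts of the package.
    `doc` is a filesystem path or a file-like object."""
    out = {}
    with zipfile.ZipFile(doc) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for field in CORE_FIELDS:
                out[field] = _text(root, field)
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for field in APP_FIELDS:
                out[field] = _text(root, field)
    return out


def has_non_ascii(value):
    return value is not None and any(ord(c) > 127 for c in value)


def summarize(meta):
    """Which fields survived stripping, and which carry non-ASCII (e.g. Cyrillic) text."""
    return {
        "present": sorted(k for k, v in meta.items() if v),
        "non_ascii": sorted(k for k, v in meta.items() if has_non_ascii(v)),
    }


def build_sample_docx():
    """Constructed sample package; only the docProps parts matter for this check."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
        "<dc:title></dc:title>"                              # blank: stripped on save
        "<dc:creator>analyst-sample</dc:creator>"            # placeholder value
        "<cp:lastModifiedBy>Пример Пользователь</cp:lastModifiedBy>"  # placeholder Cyrillic value
        "<dcterms:created>2016-06-15T10:00:00Z</dcterms:created>"
        "<dcterms:modified>2016-06-16T12:30:00Z</dcterms:modified>"
        "</cp:coreProperties>"
    ).format(**NS)
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="{ep}">'
        "<Application>Microsoft Office Word</Application>"
        "<Company></Company>"                                # blank: stripped on save
        "</Properties>"
    ).format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<w:document/>")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    meta = extract_ooxml_metadata(build_sample_docx())
    for field, value in meta.items():
        print("%-20s %s" % (field, value))
    print(summarize(meta))
```

The same loop over a directory of leaked files gives the per-file picture the bullet list above describes: which files kept a creator or company string, which kept only a timestamp, and which are clean.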

*squint.. takes drag of cigarette*

So here’s my assessment…. Maybe Russia did it… OR maybe this actor is the real thing and happens to want to take credit. The fact that this person(s) reads, writes, and has Cyrillic on their machine and names it after the founder of the KGB is as reliable a means of saying it was Russia as it is to say that aliens built the pyramids because people were just fucking too stupid back then!

All of this hoo ha really means nothing. The fact of the matter is that now Donny’s dirty dirt is open source!

YAAAAY!

Wait.. I read it.. What the shit people? REALLY? THAT’S ALL YOU HAD HILLARY? COME ON!

It doesn’t matter who did it really.. Horse is out of the barn and the barn is on fire kids. So please, stop with all the wankery and move on to the next hack ok?

DATA:

[Twelve metadata screenshots taken 2016-06-17 (09:51 to 13:35); images not reproduced here.]

Motivation Analysis and Hypothesis

RIGHT! Well now I want to play the attribution/motivation/game of clue too! So here goes…

Imagine if you will that Russia did do it. Imagine also that Gucci2 is still Russia’s services performing a disinfo campaign against Crowdstrike. Now imagine why they would be doing that. Why would they drop Donny’s dox AND all the other fun stuff for the Clinton campaign, which is in trouble already over the cybers! What effects would this have? Let’s list it out for you…

  • Dropped dox of the dirt —> Blows all Hill had on him unless there is a double secret probation file somewhere
  • Dropped dox yet to be released on Wikileaks —> Let’s say, as Gucci2 alluded, they were also in Hill’s mail server, ya know, the one that wasn’t supposed to be? Oh yeah…
    • If that server was popped by the Russians and Gucci1, those criminal charges could be much more deleterious right? *waves at FBI*
  • Dropping of dox and general hackery causes the DNC and the election process to be even more fractious than it already is
  • Dropping dox makes Hill’s candidacy potentially weaker (hint hint server —> Russians —> PWN wink wink nudge nudge!)

So all those effects would do what possibly? Why would they want to do this? WHO WOULD WANT A TRUMP PRESIDENCY?????

Why Pooty of course!

Think about it kids. Given your knowledge of Teeny Tiny Baby Hands Trump, do you think he could stand up to a bearish Putin? *sorry had to use that one* Do you think that perhaps Donald is easily.. Shall we say.. Distracted or led? Come on, I know you can all reason this out. A Trump presidency would be sweet sweet love for Putin. He would have a friend, and someone he can sit on his knee to play ventriloquist with! … Well, until he has to polonium enema him that is.

That’s my theory and I am sticking with it… For all the fucks that it is worth.

I will say though.. I am waiting on those documents to show up in Wikileaks. That’s when the shit is really gonna hit the fan.

See you all in INFOSEC attribution Hell.

K.


Written by Krypt3ia

2016/06/17 at 18:34

$1.1M Degas artwork stolen from museum


MARSEILLE, France (AP) – A drawing by Impressionist Edgar Degas worth €800,000 ($1.15 million) has been stolen from an exhibit in southeast France, officials said Thursday.

The work, “Les Choristes,” (or “The Chorus Singers”), was stolen overnight from the Cantini Museum in the city of Marseille without setting off an alarm, police and judicial officials said.

A security guard discovered it was missing when opening the museum Thursday morning. The museum was closed Thursday while the theft is being investigated.

“This picture was unscrewed. It wasn’t ripped down,” Marseille state prosecutor Jacques Dallest told reporters. “That suggests at least a little bit of organization… It’s not necessarily the work of a great professional either.”

The small pastel, dominated by hues of pink, orange, red and yellow, features a group of singers on stage in varying expressions. Some have their hands extended, or over their chests. The drawing dates back to 1876-77 and is worth €800,000, France’s national museums authority said.

The famed Musee d’Orsay in Paris, known for its Impressionist works, had lent the picture to the Marseille museum for an exhibition, the officials said.

No other details were immediately available.

I recently started reading about the Gardner Heist; in fact I am almost done with the book, as it is a slimmer volume. Anyway, this little heist really interests me. As you can see from this report, the pastel was unscrewed from the wall and made off with. This is interesting.

This implies a few things:

1) Someone had some time to unscrew it even “if” they had a power driver

2) It’s a small work and was the only one taken (that we know of at this time) and thus really portable

3) That there is no evidence of a break-in implies that this theft was well planned out and likely had an inside source

Now, I don’t know what, if any, alarm systems they may have had on the pastel’s frame. Usually, a system would be in place to alarm if the painting is taken from the wall, but I have found out recently that many institutions are skimping on the alarms due to today’s financial problems globally. Many museums simply cannot afford the best of the best in alarms and protection for their works.

So, someone either saw this as an easy target for some fast money or they really wanted “this” work. I am willing though, to bet that someone wanted this work in particular unless this was one of those heists where the place is closing, the guard has passed, and someone just ZIP ZIP ZIP takes it down and walks out with it.

Either way, I will keep an eye on this story. I wonder what the reward for return will be….

CoB

Written by Krypt3ia

2010/01/01 at 13:36

Posted in Art, Heists

A Blow Against The Proletariat?


The computer hack, said a senior member of the Inter-governmental Panel on Climate Change, was not an amateur job, but a highly sophisticated, politically motivated operation. And others went further. The guiding hand behind the leaks, the allegation went, was that of the Russian secret services.

Full Article

Well well well.. I was just saying to someone the other day that I had thought that this hack was a paid and planned gig. The real tip off for me was that the hackers had been culling data for some time before the release to the intertubes. As it turns out, there is even more evidence to perhaps link this hack to Russia.

The files were placed on a server in Tomsk, which could be a coincidence.. But…

At any rate, this smacked of a directed attack against the whole idea of climate change and likely was a paid exploit.

Who would have the most to gain here?

Would a nation state seek to quash the argument?

Interesting timing with this whole Copenhagen climate summit going on no?

I have to wonder if we will ever really know…

Written by Krypt3ia

2009/12/11 at 01:56

FEDWIRE


What didn’t make it on the air was part of an interview with Jim Lewis, one of the nation’s leading authorities on cybersecurity, in which he discussed efforts by the Federal Reserve Board to secure Fed Wire, its funds transfer network through which trillions of dollars a day flow.

Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, the group that sponsors the Commission on Cybersecurity for the 44th Presidency, said the Fed has put so much effort into Fed Wire that he doubts it can be hacked by criminals to steal money. In an outtake posted on the 60 Minutes website, Lewis characterized Fed Wire as a criminal hacker’s Holy Grail:

“If you can hack into it for even a minute, you’d be rich beyond your wildest dreams. But the Fed has done a really good job, so the backbone of the banking system is safe. At the edges, though, we’re beginning to see significant losses.” To make his point, Lewis referenced a recent, hushed-up virtual bank robbery that netted real money:

“It’s great to be a cyber bank robber; you have zero chance of getting caught, and you make a lot of money. There is a bank that recently lost $60 million in an online hacking incident; it didn’t make the front pages, but $60 million is a pretty good haul for some guy.”

Ahh FEDWIRE, I remember you well. It’s so fun to know that one can transfer at least 20 million dollars easily without being caught. Especially when the systems used to connect to FEDWIRE are not properly secured.

Of course you could just Google the docs one might need to start an exploit.. But whoever would do that? Good to see nothing’s changed…

Written by Krypt3ia

2009/11/18 at 02:54

Posted in Hacking, Heists

The “Insider Threat” aka Your Company’s Management

Two stories on the internet today piqued my interest in the actual facts of this issue of the “insider threat” as opposed to hack attacks from external sources. I would say that, perhaps aside from “security theatre”, the real insider threat is the inaction and in some cases incompetence on the part of the companies out there who are insecure from a basic lack of secure practices. This I would think is the larger issue that allows both insider attacks as well as outsider ones to be so successful.

Basic things like default settings on systems, printers, network appliances, applications, etc. really make the work of the insider or outsider very easy. Once those low-hanging-fruit attacks are performed, the foothold can in fact be root on many systems because these issues were not remediated at install time.

The first story I saw today had the headline of: Security Experts Raise Alarm Over Insider Threat and it espoused the common thread of late that all the layoffs today are making turncoats out of many and thus, those with the insider access are the biggest threat. On the one hand I agree with that assessment. However, if the company in question is actually following procedure, they should be able to mitigate the issue by closing accounts and changing passwords etc on key systems. This is of course to say that you actually lay this person off, and walk them out at that moment.

If instead your insider thinks that they are about to be laid off, well, they may use their access to steal data or perhaps even damage it before they get the ax. So sure, they may actually be a threat in this way, but I think there is a larger threat in their ethics being lax and someone coming along with some quick cash or a threat of blackmail. You see, I think that the insider threat must be approached from a HUMINT (aka spying) angle instead in this day and age.

The average disgruntled employee is the one that I would approach with quick cash after some time getting to know them and egging them on. Once you have them in the bag you just ask them to do the deed with the promise of money. Access can be bought these days if not easily tricked out of a worker with some low-end social engineering. On the other hand, were I looking for more long-term and higher access I would go for the longer approach of coercion of an asset.

All this aside, either way you do it, you, the company, make it easier for a non-technical person or a technical APT to root your networks when you don’t follow the most basic security principles of CIA. Which brings me back to the larger of the inside threats… Management.

In all my years of assessment, I have seen all too many places where the management just does not get security, does not care about security, and does not want to spend the time and money doing the due diligence for secure operations. Without a proper buy in from the top, then security becomes a non issue with the masses and thus nothing is carried out securely at company X. Default passwords, no passwords, poor passwords, sharing passwords etc all are very common in places without any security insight. Often too, these companies have no insight into what is happening on their networks to tell if indeed someone is attacking or exfiltrating data out of their networks through their own firewall… Never mind the guy with the 4 gig USB stick who just downloaded the “secret sauce” recipe and is walking out the front door as he smiles at the guard.

So, my take, the insider threat is a big one indeed and so easy to exploit.

And that brings me to the second article today: Simple information security mistakes can cause data loss, says expert wherein an eminent forensics investigator from Verizon has found through his assessments that the outsider attacks have been far greater. He does however in a backhanded way, have my opinion as to who that insider threat really is: Management.

However, as the article does not really cover this overtly, nor the real insight I think about “who” these attackers are, I will add to this a bit. I think that those spear phishing attacks that rely on very specific individuals being targeted also have an insider portion to them. After all, just where does all that data come from to target these individuals? The inside of course.

Intranet/internet websites are a rich data mining arena for the APT or the industrial spy. All too often the companies themselves give up all the details an attacker could ever need or want. Most of the time too no hacking need be done to get the information and often much more data than should be available is due to misconfiguration as any good Google hacker can attest. Add this to the whole lack of security posture and you have a deadly mix.

So, to bring it all together, I think that as a general rule “we” are our own worst enemy and the de facto “insider” threat when security is not applied.
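The procedural point made above, that a company following its own offboarding procedure closes accounts and rotates passwords the moment someone is walked out, is something you can actually audit rather than assume. The following is an added example, not code from this post: it cross-references an HR termination list against a directory export and a stream of authentication events, and flags anyone whose last working day has passed but whose account is still enabled or who has successfully logged in since. The HR feed, account export, log lines and dates are all constructed sample data; the log line format (`<ISO timestamp> <user> <result> <source>`) is an assumption chosen for the example.

```python
"""Offboarding audit: terminated staff whose accounts are still enabled or
still logging in. Added example, not the post's own code; every record
below is constructed sample data."""
from datetime import date, datetime

# Constructed HR feed: user -> last working day
TERMINATIONS = {
    "jdoe": date(2009, 3, 27),
    "asmith": date(2009, 4, 3),
    "rlee": date(2009, 4, 10),
}

# Constructed directory export: user -> account enabled?
ACCOUNTS = {
    "jdoe": True,      # still enabled nearly two weeks after leaving
    "asmith": False,   # properly disabled on the way out
    "rlee": True,      # enabled, but last day has not passed yet
    "mchen": True,     # current employee, not in the HR feed
}

# Constructed auth log, assumed format: "<ISO timestamp> <user> <result> <source>"
AUTH_LOG = """\
2009-03-30T08:12:44 jdoe success vpn
2009-04-01T23:41:09 jdoe success fileshare
2009-04-02T09:00:01 asmith failure vpn
2009-04-06T10:15:30 mchen success vpn
"""


def parse_auth_log(text):
    """Return a list of (timestamp, user, result, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, source = line.split()
        events.append((datetime.fromisoformat(ts), user, result, source))
    return events


def audit(terminations, accounts, events, today):
    """Return {user: issues} for leavers whose last day is before `today`.

    issues may contain:
      enabled_after_termination: True if the directory still shows the account enabled
      login_after_termination:   ISO timestamps of successful logins after the last day
    """
    findings = {}
    for user, last_day in terminations.items():
        if last_day >= today:
            continue  # still employed (or leaving today): nothing to flag yet
        issues = {}
        if accounts.get(user, False):
            issues["enabled_after_termination"] = True
        late_logins = [
            ts.isoformat()
            for ts, u, result, _source in events
            if u == user and result == "success" and ts.date() > last_day
        ]
        if late_logins:
            issues["login_after_termination"] = late_logins
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    report = audit(TERMINATIONS, ACCOUNTS, parse_auth_log(AUTH_LOG), date(2009, 4, 8))
    for user, issues in report.items():
        print(user, issues)
```

Run against the sample data with an audit date of 2009-04-08, only `jdoe` is flagged: the account is still enabled and there are two successful logins after the last working day. `asmith` is clean (disabled, only a failed attempt), and `rlee` is skipped because the last day has not arrived. In practice the three inputs come from the HR system, the directory (AD, LDAP) and the authentication logs, and the audit runs daily; the point is that a leaver with working credentials is a control failure you can detect, not just a risk you accept.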

Speaking Of “Fire Sale”


A Cyber-Attack on an American City

Bruce Perens

Just after midnight on Thursday, April 9, unidentified attackers climbed down four manholes serving the Northern California city of Morgan Hill and cut eight fiber cables in what appears to have been an organized attack on the electronic infrastructure of an American city. Its implications, though startling, have gone almost un-reported.

That attack demonstrated a severe fault in American infrastructure: its centralization. The city of Morgan Hill and parts of three counties lost 911 service, cellular mobile telephone communications, land-line telephone, DSL internet and private networks, central station fire and burglar alarms, ATMs, credit card terminals, and monitoring of critical utilities. In addition, resources that should not have failed, like the local hospital’s internal computer network, proved to be dependent on external resources, leaving the hospital with a “paper system” for the day.

In technical terms, the area was partitioned from the surrounding internet. What was the attackers’ goal? Nothing has been revealed. Robbery? With wires cut, silent alarms were useless. Manipulation of the stock market? Companies, brokerages, and investors in the very wealthy community were cut off. Mayhem, murder, terrorism? But nothing like that seems to have happened. Some theorize unhappy communications workers, given the apparent knowledge of the community’s infrastructure necessary for this attack. Or did the attackers simply want to teach us a lesson?

The rest HERE

Just last night I was thinking about this as I sat watching Die Hard. Anyway, yeah, this is not getting much press and certainly may in fact be kept quiet a bit by design… Maybe we (when I say we, I mean the media really) just don’t care? Don’t understand? I mean, think about it.. With China hacking JSF, Air Force, etc. and this incident, doesn’t it kinda say “Gee, we really aren’t that secure are we?”

Personally I think that this particular incident was a decoy for a bigger criminal undertaking. I doubt it was a test run on a thought experiment. So, we will see what shakes out when the details (if ever) come to light on this little cable cutting foray.

Keep your wits about you…

Art Imitating Movies?


Leonardo Notarbartolo strolls into the prison visiting room trailing a guard as if the guy were his personal assistant. The other convicts in this eastern Belgian prison turn to look. Notarbartolo nods and smiles faintly, the laugh lines crinkling around his blue eyes. Though he’s an inmate and wears the requisite white prisoner jacket, Notarbartolo radiates a sunny Italian charm. A silver Rolex peeks out from under his cuff, and a vertical strip of white soul patch drops down from his lower lip like an exclamation mark.

In February 2003, Notarbartolo was arrested for heading a ring of Italian thieves. They were accused of breaking into a vault two floors beneath the Antwerp Diamond Center and making off with at least $100 million worth of loose diamonds, gold, jewelry, and other spoils. The vault was thought to be impenetrable. It was protected by 10 layers of security, including infrared heat detectors, Doppler radar, a magnetic field, a seismic sensor, and a lock with 100 million possible combinations. The robbery was called the heist of the century, and even now the police can’t explain exactly how it was done.

The loot was never found, but based on circumstantial evidence, Notarbartolo was sentenced to 10 years. He has always denied having anything to do with the crime and has refused to discuss his case with journalists, preferring to remain silent for the past six years.

Until now.

The rest HERE

Wired has just published a story on the web that it plans on publishing in their next paper edition on the “Antwerp Diamond Heist” of 2003. I write the title of “Art Imitating Movies” because this story reads much like the script for a “heist” film on par with the “Oceans” series of movies or “The Italian Job”. *side note: I am listening to both scores as I read and write about this article*


This heist story brings in all the big plot lines that these films usually have: a group of con artists, technicians, and thugs, an impenetrable vault, and an elusive and as yet un-named mastermind with the funds and the connections to make it happen. Hell, they even had a scale model of the vault just like the movies!


The question is though; “Do we believe this story at all, in part or just a little?”


I for one believe the technical details, as they can be seen in the crime scene photos as well as the police reports. Such things as how they defeated the light/heat sensor in the vault with a can of hair spray is a classic hack that has been done. Or perhaps the use of the polystyrene shield by “The Genius” to prevent the heat sensor on the exterior from going off.


The working out of the code by watching a video taken by secreted cameras is a bit harder to conceive of working, but it could be done. Even the bypass of the internal electrical pulse and the electromagnetic plates was sheer simple genius that the designers obviously never thought low-tech enough to discover as their weakness.


Classic.. and well done gentlemen.


Now, how the story played out in the tale told by Leonardo Notarbartolo has some interesting twists. The real truth of what happened to the “merch” may never be known. Diamonds are all too easy to traffic, cut, sell, and disperse, so they are likely already in your friend “Tom’s” diamond engagement ring he got over at the mall for all we know.


The idea that these guys were played, and played so handily, really is the thing that trips alarms for me. The article contends that the face man (Notarbartolo), a known Mafia-connected guy who had been a thief since 8 years old, could be so easily duped; that just doesn’t play. Leonardo’s been around the block, he is no fool, but you are supposed to believe that he would go into a gig like this so trusting of his benefactor/facilitator?


I agree though, what a short con this would make! Imagine carrying off a con where you pocket 100 million in diamonds all the while you have used a talented crew of thieves to do your dirty work. Staggering really, yet so so elegant in play. This too also implies a very large conspiracy by the merchants at that facility. All of them would have to be on board for this to work: keeping all their diamonds in their personal vaults, somehow shifting them to secure locations instead of being in the vault. Of course they have dirty dealings on a daily basis there no? Not inconceivable.


Overall, this story I think has yet to really play out. How it will I cannot say… What can I say though… I admire their escapade.. Well, sans the pound-me-in-the-ass prison part.

Written by Krypt3ia

2009/03/13 at 22:06