Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘History Repeats Itself’ Category

Three Days of The Condor… With Malware…


Rvy taes eha qgcq tlmbvq tqsix. Px iiuz ytwtqn cvzl dek. Yxi dtf fq wjzbbuk. Yahpv moi riagk lbrzy mop hm xte bdibuk. Mnm o tty aulu gchd fqsrrv rvy, mnm o uhvv iiuz filr, mnm gfflsze hcl dusi, mjmsx lzqn cflla, aulu uvm vyf oo hyx jed. Awr yx dmxl bazel, e nelcdbuk emrzv. Ubx te fwce simvn cgxu xte mcfk vj fhn qrk hrp ootvk as sies phb e xioh.


Turner: Do we have plans to invade the Middle East?
Higgins: Are you crazy?
Turner: Am I?
Higgins: Look, Turner…
Turner: Do we have plans?
Higgins: No. Absolutely not. We have games. That’s all. We play games. What if? How many men? What would it take? Is there a cheaper way to destabilize a regime? That’s what we’re paid to do.
Turner: So Atwood just took the games too seriously. He was really going to do it, wasn’t he?
Higgins: A renegade operation. Atwood knew 54/12 would never authorize it, not with the heat on the company.
Turner: What if there hadn’t been any heat? Suppose I hadn’t stumbled on their plan?
Higgins: Different ballgame. Fact is, there was nothing wrong with the plan. Oh, the plan was all right, the plan would’ve worked.
Turner: Boy, what is it with you people? You think not getting caught in a lie is the same thing as telling the truth?
Higgins: No. It’s simple economics. Today it’s oil, right? In ten or fifteen years, food. Plutonium. And maybe even sooner. Now, what do you think the people are gonna want us to do then?
Turner: Ask them.
Higgins: Not now — then! Ask ’em when they’re running out. Ask ’em when there’s no heat in their homes and they’re cold. Ask ’em when their engines stop. Ask ’em when people who have never known hunger start going hungry. You wanna know something? They won’t want us to ask ’em. They’ll just want us to get it for ’em!
Turner: Boy, have you found a home. There were seven people killed, Higgins.
Higgins: The company didn’t order it.
Turner: Atwood did. Atwood did. And who the hell is Atwood? He’s you. He’s all you guys. Seven people killed, and you play fucking games!
Higgins: Right. And the other side does, too. That’s why we can’t let you stay outside.

The Geopolitics of Fossil Fuels

Since the discovery of fossil fuels (oil and the gas derived from it) we have had a real love affair with them. Though oil was tough to get out of the ground and then refine into a usable product, we decided that it was the best alternative for keeping our lights on and our cars running. Since then, the resources have become the aegis of foreign and domestic policies globally, and likely will continue this way until the last drop of fuel is burned by some car somewhere. It’s these policies that I believe are driving the recent attacks on oil and gas firms within the Middle East. There may be some tit for tat as well, and maybe a warning to certain players, but, overall, it seems to me that a game is being played. Of course, all the games have been played in the region of the Middle East because of the need for fossil fuels; anyone who says otherwise, I think, well, is delusional.

Whether or not you are a “tipping point” believer, in general, we have seen over the years many instances where the Med has affected, and still affects today, the price of gas and thus, through the cascade effect, prices on just about everything, because we are dependent on the gas to move things, to grow things, to… Well, you get the point, right? No gas means no economy really today. So, this is an imperative, and those countries seeking to gain access to said fuel resources would not be above trying to get a competitive edge over others, never mind the possibilities of gaming the owners of the resource from the start, right? Add to this the pressures today of the instability in the region (and really, when has it ever been really steady?) and you have quite the motive to use espionage to get that advantage and deny others the access they too desire.

It’s with this in mind that I have been sitting back and watching the events with Saudi Aramco and RasGas with some interest. I have been reading the news reports as well as the malware assessments and cannot help but see a parallel with the movie “Three Days of the Condor” from 1975. The story line moves along the lines of an analyst finding an unsanctioned plot to overthrow a government in the Middle East over oil. This film stuck with me since seeing it as a kid in the 80s and I have quoted it before in posts on other things. This time around though, I think we are seeing some more direct actions by persons unknown, to manipulate the playing field where oil or fuel resources are concerned.

Albeit with a modern twist for today.

Spygames with Malware

Virus origin in Gulf computer attacks in question

New Virus Hits Oil Giant, LNG Producer

At least two types of malware are alleged to have penetrated Saudi Aramco and RasGas in the last month or two. Not much is known about them, though Shamoon aka W32.Disttrack seems to have been pulled apart a bit by Symantec. Not much has really been made in the press over these attacks and those attacked have been quiet as well. Both RasGas and Saudi Aramco, though, made statements that none of their production or distribution systems were affected by the malware, a claim that they have not really backed up with facts, I might add. However, as far as we can see thus far, those statements are overall true because there are no reports of system breakdowns in getting the product to and from the companies collectively.

As it would seem from the analysis thus far of Shamoon, the malware seems to be the run of the mill data thievery type that is almost COTS in a way. The more interesting bits seem to be around the “wiping” feature that was written into it. Why the malware was made to wipe the MBR is a bit of a mystery to me and seems rather amateurish in a way that leads me to believe either someone is playing it very smart, or, they are just malicious.

I can’t be sure which…

While the method of wiping is not as exotic as the so called “wiper”, Shamoon corrupts the MBR of the system and game over. I have not seen in any of the data so far (via googling) a means of triggering the wipe sequence on Shamoon though. One wonders if it’s just timed out, or is there some trigger if it is detected or tampered with? Also, it is interesting to note that the name “Shamoon or Simon” is from a folder listed in the malware, as well as the fact that this was targeted to the “Arabian Gulf”, as the wiper module alludes to as well. So, this seems to have been a targeted attack, going by these bits of data and the fact that its penetration out in the wild is low from what I have seen online. It is likely that this was initiated by a directed phishing attack at the companies afflicted and worked its way through their networks. Networks, by the way, that may not in fact have been separate from the ICS/SCADA networks, which it seems may not have been directly “affected” because the payload did not include any attacks on said systems. The only fallout would likely come from a PC getting wiped, which could easily be re-imaged or replaced with a working copy.

Still… What was the goal here? What data was taken? In the case of both Saudi Aramco and RasGas, a look with Google (Google Fu) shows that both companies had quite a bit of data hanging out there to exploit and use in an attack. Today though, most of their data has been redacted, but you can still get some cached copies of interesting tidbits. Given that they were loose before, one might imagine that they were a rich target environment for the malware to exfiltrate all kinds of documents to the C&C server. It would take a lengthy investigation as to their market placement and any potential deals ongoing to give some more context I think, but doing so would be an interesting diversion to understand these attacks a bit better as to motive.

The Possible Players in Shamoon/Wiper/UNSUB Malware Attacks

With all that said, then who would be the likely players here? Is this nation state? Is it corporate espionage and acts of attrition in an ongoing oil war? It’s hard to say really. One source indicated to me that perhaps it was a move by Russia to give the hint to Iran on some internecine plot over power plays in the region. I personally think that the whole “cutting sword of justice” claim that they took down Saudi Aramco is bunk but hey, maybe a cabal of hackers did this to… Well do what? Perhaps there is more yet to be dumped online in a pastebin to give us the proper scope here. Overall though, it’s been really low key and not much has come out like I said on what was taken, what was done, and the damages to the systems/companies involved.

So where does that leave us regarding who did this? Well, pretty much where we started, with supposition and guesswork. Was this nation state? This is an interesting question. If it was nation state, could it have been a fledgling group, like say, the IRGC and its recently formed cyber hacking group? Would Iran benefit from such attacks? All good questions and something we should all ponder. However, the most interesting point there might in fact be that since the Stuxnet genie was let out of the bottle, it was only a matter of time before actors like Iran would make their own variants and loose them upon others. In the case of Iran though, they too seem to have been hit with the same if not similar malware in recent days as well, but this does not presuppose that they didn’t have a hand in it.

All in all, there just isn’t enough information to nail down a culprit or culprits. But it does show us a precedent that we should all worry about just as much as we should over certain instances of attacks against pockets of ICS/SCADA implementations. What I am talking about is blowback from attacks.

Blowback

Blowback usually refers to consequences coming back on those who took the action in the first place. Here though, I am not only referring to those who carried out the malware attacks, but also to the rest of the world in certain scenarios like this. By attacking systems such as these, one could in fact cause market fluctuations depending on the markets and their jittery-ness. In the case of the oil business, we have seen great changes in prices due to not only the control over the oil and its price by the cartels (Saudi) but also how the countries are feeling about their markets and the state of affairs in the world. If you start tinkering with companies of this kind by destroying infrastructure (or creating the perception of such) you will be affecting the prices at least for those companies directly. What if though, you were to hit more of them at the same time and cause not only damage but the “perception” of insecurity within the system of oil/gas production and distribution?

This time nothing much seems to have happened, but one can only say this because there isn’t much information out there as to what really took place on those systems and networks. What if this played out another way, with much more press and obvious damages? This would be worse and might occur the next time whether or not it was intended by the programming of the malware. This all of course depends on the scope of the attacks and with that you have to wonder about nation state vs. non state actors here. The difference being, that a nation state may attack a wider variety of systems and companies as a precursor to war while the non state actors may just be looking for information or to hobble a competitor. Both however, could have unforeseen blowback from their actions.

What all of this says though, is that Pandora’s box has been opened. All the players are now taking the field, and many of them may not be ready to play a proper game… Shamoon did its thing, but it seems to be more a brute force tool than an elegant piece of code and a slick plan. The blowback though is yet to be determined.

K.

INFOPOCALYPSE: You Can Lead The World To The Security Trough.. But You Can’t Make Them Think.


“Dark, profound it was, and cloudy, so that though I fixed my sight on the bottom I did not discern anything there”

(Dante Alighieri; The Inferno)

The current state of the Security “Industry”

It seems that once again people who I have acquaintance with in the security industry are wondering just how to interface with corporations and governments in order to build a base of comprehension about the need for information security. The problems though are myriad with these questions and the task to reach people can be a daunting one, never mind when you have groups of them in hierarchies that comprise some of the worst group think in the world (AKA corporations).

Added issues for the “industry” also surround the fact that it is one at all. Once something moves from an avocation to a profession, you have the high chance of it becoming industrialised. Saying something has been industrialised implies, to many, the cookie cutter Henry Ford model really. In the security world, we have seen this from the perspective of magic boxes that promise to negate security vulnerabilities as well as teams of consultants who will “securitize” the company that is hiring them with magic tools and wizardry. The net effect here is that those paying for and buying into such products and services may as well be buying a handful of magic beans instead.

Now, not every company will be efficacious in their assessments nor live up to the promises they make for their hardware/software solutions. Many practitioners out there and companies really try to do the right thing and do so pretty well. However, just as in any other business, there are charlatans and a wide range of skilled and unskilled plying their arts as well. Frankly, all that can be said on this issue is “Caveat Emptor”. It’s a crap shoot really when it comes to goods and services for security solutions. The key though is to be able to secure yourselves as a company/entity from the standpoint of BASIC security tenets up.

Often it’s the simple things that allow for complete compromise… Not just some exotic 0day.

So we have a cacophony of companies out there vying for people’s dollars as well as a news cycle filled with FUD that, in some cases, is directly lifted from the white papers or interviews with key players from those same companies seeking dollars. It is all this white noise that some are now lamenting, wondering just how we rein things in and get a stable base to work from in an ethical way to protect companies and individuals from information security meltdowns. More so, it seems lately, the question has been how do we reach these people in the first place? How do we actually get a meaningful dialogue with the corporate masters and have them come away with the fundamentals of security as being “important”?

Unfortunately, I think that there are some major psychological and sociological hurdles to overcome to reach that point where we can elicit the response we all would like to see out of those C level execs. I have written about them before, but I will touch on them again later in this piece. Suffice to say, we all have a tough row to hoe where this is concerned, so I expect there to be no easy answer… Nor really, any satisfactory conclusions either.

“It is a tale Told by an idiot, full of sound and fury, Signifying nothing”

(Shakespeare; MacBeth)

Security Joan of Arc’s and their Security Crusade:

Joan of Arc was a woman ahead of her time. She wore men’s clothing and led the French in battle against the English and to victory, all as a teen girl. She later was burned at the stake for heresy and just recently made a saint many years later. I give you this little history lesson (link included) to give you an idea of who you all are in the security industry lamenting over not being listened to. You too may be ahead of your time, but, just as she was, you too will not be listened to because your ideas (to the listeners) are “radical”.

Now, radical is a term I am using to denote how the corporate types are seeing it. We, the security advocates, do not see these concepts as radical, but instead as common everyday things that should be practiced (complex passwords, patching effectively, etc). They (the client) see these things as impediments to their daily lives, their bottom lines, and their agendas both personal and corporate. There are many players here, and all of them have agendas of their own. This is a truism that you must accept and understand before you rail against the system that is not listening to your advice.

Here’s a bit of a secret for you… The more ardent you seem, the more likely you will be branded a “Joan”. The perception will be that you are a heretic and should not be listened to. Instead you should be marginalised in favour of the status quo… After all, they have gone about their business every day for years and they are just fine! The more you rail, or warn with dire tones, the more you will be placed at the back of the mind.

Think Richard Clarke (I heard that chuckle out there)

Though Joan inspired the French forces to battle on and win more than a few battles, she eventually was burned at the stake. Much of this was because of her unique nature and fervour. Much as yours may do the same to you… Without of course literally being burned at the stake, and you all must learn this. I think you have to take a page from the hacker’s playbook really and use the axiom of being a “Ninja”.

The subtle knife wins the battle.

 

“If the Apocalypse comes, beep me”

(Joss Whedon; Buffy the Vampire Slayer)

What’s the worst that could happen really?

The quote above really made me chuckle in thinking about this article and the problems surrounding the premise. This I think, is the epitome of some people’s attitudes on security. Most folks just go along their days oblivious to the basic security measures that we would like them to practice as security evangelists. The simple fact is that like other apocalypse scenarios, people just have not lived through them and been affected by them to change their behaviours accordingly. What solidified this for me recently was the snow storm last October here in New England that caught so many people flat footed. They simply had not ever really had to rely on their wits and whatever they had on hand before like this. When the government and the corporations (CL&P) failed to provide their services to the populace, the populace began to freak out.

It’s the same thing for information security. Whether it is the government or the corporations that supply us all, both are comprised of people who all pretty much lack this perspective of being without, or having really bad things happen to them. 9/11 comes the closest, but that only affected NYC and DC directly (i.e. explosions and nightmarish scenarios with high casualties). In the case of corporations, you have lawyers and layers of people to blame, so really, what are the risk evaluations here when it is easy to deflect blame or responsibility? For that matter, it was inconceivable to many in the government (lookin at you Condi) that terrorists would use planes as missiles… Even though a month before a report was handed out with that very scenario on the cover.

The core of the idea is this: human nature on average, and a certain kind of psychology (normative) that says “This can’t happen to us”. We all have it, just some of us are forward thinking and see the potentials. Those forward thinkers are likely security conscious and willing to go out of their way to carry out actions to ensure their security. Things like storing extra food and water as well as other things that they might need in case of emergency. These can be life or death deal breakers… Not so much for information security at your local Acme Widget Corp. In the corporate model, they have the luxury of “It’s somebody else’s problem”. So, these things are usually not too important to them unless that person making the decision is cognisant of the issues AND responsible for them. Unfortunately, as we have learned these last 10 years or so, responsibility is not their strong suit.

So, on they go… About their business after you, the security curmudgeon, have told them that they need to store food for the winter…

But the grasshoppers, they don’t listen… Until they are at your door in the snow begging for food.

 

“More has been screwed up on the battlefield and misunderstood in the Pentagon because of a lack of understanding of the English language than any other single factor.”

(John W. Vessey, Jr.)

How do we communicate and manipulate our elephants?

Back to the issue of how to communicate the things we feel important. This has been a huge issue for the security community for a couple of reasons.

  1. The whole Joan of Arc thing above
  2. The languages we speak are… well… like Tamarian, and theirs is corporate speak.

We, the security practitioners, often speak in metaphor and exotic language to the average corporate manager. You have all seen it before, when their eyes glaze over and they are elsewhere. We can go on and on about technical issues but we never really seem to get them to that trough in the title. Sometimes you can get them to the trough easily enough by hacking them (pentesting) but then they think:

“Well this guy is a hacker… No one else could do this! What are the chances this is going to really happen? Naaahhh forget it, it’s not likely”

So there is a bias already against doing the things that we recommend. Then comes the money, the time, and the pain points of having to practice due diligence. This is where they turn off completely and the rubric of it is that unless they are FORCED to carry out due diligence by law or mandate, they won’t. We all have seen it… Admit it… It’s human nature to be lazy about things and it is also human nature to not conceive that the bad things could happen to them, and that it would be best to prepare and fight against them.

So, how do we communicate with these people and get them on the same page?

I have no answers save this:

“Some get it… Some don’t”

That’s the crux… You have to accept that you as the security practitioner will NEVER reach everyone. Some will just say thank you and good day… And you have to accept that and walk away. As long as you have performed the due diligence and told them of their problems… You have done all you can. You can try and persuade or cajole them… But, in the end, only those who get it or have been burned before will actually listen and act on the recommendations you make.

“The greater our knowledge increases the more our ignorance unfolds”

(John F. Kennedy)

The Eternal Struggle

There you have it. This will always be the case and it will always be the one thing that others seeking to compromise corporations and governments will rely on. The foolishness of those who do not plan ahead will be their undoing…

Eventually.

All you can do, sage security wonk, is calmly and professionally explain to them the issues and leave it to them to drink.

K.

Enemy of the State


Fort Meade has acres of mainframe computers underground. You're talking on the phone and you use the word, "bomb," "president," "Allah," any of a hundred key words, the computer recognizes it, automatically records it, red flags it for analysis; that was twenty years ago.

From The New Yorker; The Secret Sharer

The government argues that Drake recklessly endangered the lives of American servicemen. “This is not an issue of benign documents,” William M. Welch II, the senior litigation counsel who is prosecuting the case, argued at a hearing in March, 2010. The N.S.A., he went on, collects “intelligence for the soldier in the field. So when individuals go out and they harm that ability, our intelligence goes dark and our soldier in the field gets harmed.”

Top officials at the Justice Department describe such leak prosecutions as almost obligatory. Lanny Breuer, the Assistant Attorney General who supervises the department’s criminal division, told me, “You don’t get to break the law and disclose classified information just because you want to.” He added, “Politics should play no role in it whatsoever.”

Politics should play no role whatsoever? Really? This man is delusional to think that the statement, albeit correct, is actually factual. Of course politics play a part in such prosecutions, and case in point, this article cites examples of people getting slaps on the hand for breaking the Espionage Act and others where TS/S documents are concerned. The reason that these others were not prosecuted to the full extent of the law was exactly because of politics and their entanglements. No Mr. Breuer, politics do play a role all too often.

That said, I encourage you all to read the full article and judge for yourselves just what happened with the case against Mr. Drake. It is my understanding from other sources as well as the New Yorker piece, that Drake was seeking to show waste on a grand scale while others were motivated by the idea that the sweeping changes to US law and oversight within the espionage area had taken a deep turn for the unconstitutional. This is an assessment that I agree with and have seen even more such dark turns lately where the digital realm is concerned. Frankly, at times I am a bit scared of the access and perhaps excess that the changes in the law have allowed for the NSA as well as anyone with enough juice within the newly minted security infrastructure post 9/11.

Constitutional Law vs. Technological Ease of Access vs. Political Agendas:

When the Constitution was created none of the technologies at play today were even a dream for the makers. Today though, the ideas of privacy, unreasonable search and seizure, and the fundamental freedoms we claim to cherish so much have been blurred. The blame for this rests partly on the technology, but mostly on the people who should be monitoring their system of laws. After 9/11 the people became all too trusting of the government to take care of them and all too willing to accept the over-reaches that they knew of while they were kept in the dark about others.

Case in point would be the FISA and warrantless wiretap situation that the Bush administration put into play after the terrorist attacks. It was the belief of the administration and the law enforcement community (certain factions) that too much time was lost to entering FISA warrants and getting approvals. So, instead they began to draft opinions that said the process was too ponderous, all the while they were putting together a secret process to just bypass FISA altogether with or without the legal status to do so. This then begat the further access programs that essentially placed a tap on ALL communications going in and out of the backbone of the internet with the NARUS systems in the MAEs around the country.

Since the technology was there, and it could be placed into a position to audit everything, they just said let’s do it. Thus, all traffic that you or I create over the Internet has the potential of being captured, flagged, and audited by someone at Ft. Meade without a warrant to do so. This also includes the cell phones as well because that traffic too passes through the same backbone system. As the image of Brill above states:

Fort Meade has acres of mainframe computers underground. You’re talking on the phone and you use the word, “bomb,” “president,” “Allah,” any of a hundred key words, the computer recognizes it, automatically records it, red flags it for analysis; that was twenty years ago.

Brill, a character from Enemy of the State, was going on about this in a film out before the attacks on the US. It would seem that if the technology had not already been in place then, the administration took a cue from the film and made it a reality after the twin towers came down. After all, the enemy could be anyone and the US populace wanted an action hero to take on the bad men and win. The same people though, did not seem to understand that to do so, the administration would take the shortcut of bypassing decades of laws set in place to protect our freedoms from excessive powers that the Bush administration wanted to have to ‘protect’ us.

It was this over-stepping of the laws that others within the story at The New Yorker had begun to tell to the Sun reporter and who now are being pursued by an alleged non political NSA and government for calling them on their breaking of the law. Just as much as Mr. Drake was seeking to show that the waste created by Trailblazer could also tie into the misuse of ThinThread’s code to eavesdrop on anyone.

Both of these concerns are shared by me as well. After all, with the technology in place and without the oversight, how do we know that abuses aren’t happening? The NSA is famously known to tell the Senate oversight committee to go pound sand… So, who is really watching the watchers?

Right Versus Wrong and Speaking Truth To Power; Do We Have A Say Anymore?:

So, if you have access to classified materials and programs and you see that things have gone off the rails, how can you expect to report on it to the authorities and not be prosecuted? It used to be that there were protections, but it seems that now, post 9/11, with changes to the paradigms of classification and the re-interpretation of the law to suit the state, it has become increasingly impossible to whistle blow and not be prosecuted. What’s more, if you decide to report, the data that you are reporting on may be classified to the extent that it cannot even be used in open court or with your non cleared lawyer because it may be deemed too sensitive.

The net effect is that if there is malfeasance going on it may be impossible to report it and not get yourself into dire legal trouble with the current whistle blowing legislation on the books. This makes it even easier for the state and or entities and parties within its infrastructure to not abide by the law and have little to fear of oversight or speaking truth to power.

Sheeple vs. The Informed and Worried:

Meanwhile, the populace may live their lives unaware of the capacities for the state to listen to them and or present evidence gathered on them in an extra-legal way. At the very least, due to the wider interpretation of the law, it is easier for the state to gather and use evidence in ways that were not possible before because of the latitudes given post the Bush administration.

From a privacy perspective and the expectation thereof, the idea that all traffic is being hoovered up by the state is kind of scary. From a constitutional law perspective, you have the right to privacy in your papers and your domicile. Does this actually apply to digital papers, computers, hard drives, and anything you pass over telco lines to the cloud? Or is it considered public domain like your trash being placed at the end of your driveway?

This is an important precedent and should be considered with every email, IM, and call you make today. Just as well, if you are intent on retaining your privacy, what are the ways to do so now that all of these lines of communication are monitored by the state? One also has to determine just how worried they should be about intrusion into their privacy. After all, today we as a people give up a lot of information on ourselves at sites like Facebook and if we do that, just how much privacy can we expect?

Following that thought process, if we give up our privacy so easily, how can we make an argument against the changes to the FISA rules as well as other laws where eavesdropping on our daily digital lives is concerned?

I for one do not want all of my conversations recorded for someone else to audit whether or not I may have said or done something that could be construed as illegal or perhaps pique the interests of the fed. Of course today one could easily be stopped in some states for alleged traffic violations and be asked if they could clone your phone data… Just because.

Whistle Blowing… Not So Much:

I guess in the end that the state of affairs today leans heavily toward the government being able to pretty much do what it wants to. From the warrantless wiretaps to the detention of non combatants, we have quite an inheritance from 9/11 and the Bush years. Unfortunately much of what President Obama had pledged he would roll back from those years has instead been re-approved if not enhanced. Add the whole Wikileaks debacle and now you have an even more reflexive and paranoid government trying to over classify everything and getting really bent when things get out.

So, the idea of whistle blowing I think is pretty much a dead one from here on. If anyone sees wrongdoing going on then they probably will let it go for fear that they will be prosecuted into oblivion.

And then the state wins… There have to be checks and balances.

K.

The PrimorisEra Affair: Paradigms In Social Networking and SECOPS


EDIT 5.24.2011

As of last night, I had heard that PrimorisEra was back and posting to a new blog. Today Wired has fired off a follow up to the earlier report and her return. It seems from the report that perhaps the Pentagon investigation is over and that in fact Shawna Gorman may indeed be the First Lady of Missiles. It remains to be seen if this is really the case but since she is back and blogging, I would have to lean toward my assessment from before. Still though, my cautionary statements about social networking and SECOPS still apply.

See below:

K.

From Wired:

It started out with a leggy, bikini-clad avatar. She said she was a missile expert — the “1st Lady of Missiles,” in fact — but sometimes suggested she worked with the CIA. With multiple Twitter and Facebook accounts, she earned a following of social media-crazed security wonks. Then came the accusations of using sex appeal for espionage.

Now everyone involved in this weird network is adjusting their story in one way or another, demonstrating that even people in the national security world have trouble remembering one of the basic rules of the internet: Not everyone is who they say they are.

“I think anyone puts pictures out online to lure someone in,” the woman at the center of the controversy insists. “But it’s not to lure men in to give me any information at all… I liked them. They’re pretty. Apparently everyone else thought so too.”

This is a strange, Twitter-borne tale of flirting, cutouts, and lack of online caution in the intelligence and defense worlds. Professionals who should’ve known better casually disclosed their personal details (a big no-no in spook circles) and lobbed allegations they later couldn’t or wouldn’t support (a big no-no in all circles). It led to a Pentagon investigation. And it starts with a Twitter account that no longer exists called @PrimorisEra.

Yesterday, Wired posted a news article about another potential social networking attack on the .mil and .gov types involving Twitter, Facebook, and Google Buzz. The snippet above really sums up what is alleged to have happened and the problems with Social media’s blasé attitudes where people who have jobs that require secrecy meet and chat.

Presently, according to the article, a Pentagon investigation is under way into this story, but once again, this is not the first time we have heard this type of story in the press with these same players. It was last year when a profile online named “Robin Sage” made the rounds on LinkedIn and other social media formats. This “cutout” as they are called in the espionage community, was in fact a fake profile used by a security researcher to prove a point. By using an attractive woman as the persona, the researcher was able to get people within the military and governmental community to add her and flirt. Through the flirting, the unsuspecting connections gave up valuable data on what they did for a living, where they were, and perhaps even locations in country around the battlefield in Afghanistan.

Many just fell for the profile hook, line, and sinker. And that is a bad thing for anyone in this sector. It was a lesson in OPSEC and its failure. Potentially, this emerging case from the Wired story could also be much the same. The number of online personae involved in this story is just a little too high to think that it was an innocent mistake on the part of a young woman seeking attention online from her peers within the government and military. However, it’s also just as possible that that is all it really is.

Time will tell.

Shawn Elizabeth Gorman Daughter of Nancy Gorman 1983

Site with SEG photo (1983)

The thing about this is that this type of exploit is not new at all. This is commonly known as a honeypot in the espionage area and before there was an Internet, there was the local cafe or bar, where one would just happen to meet a lovely young thing and start a relationship. That relationship would then be turned into blackmail (either emotional or literal) and suddenly, you are an asset for the adversary. The new twist is that services need not deploy an asset to a foreign country to search for and find access to those who they want to get information from. Today all they need to have is an Internet connection and Google. It is only even more easily carried out now that there are Social Media sites like Facebook and others to sidle digitally up to anyone you like and start to work on them if you know how.

There used to be a time where every operator was given the tutorials on espionage means and methods. People were forewarned about travelling to other countries and if you are cleared, you have to report suspicious contacts to the DSS. Today though, I don’t think that they have even attempted to try this with online content. I mean, how many reports a day would you have to make to DSS if you are online and just talking to people in a chat room or on Facebook? It would be impossible. So it is understandable, as social animals, that we develop this technology to connect with others and being that it is a rather insular means of communications, feel that we can just let loose with information. After all, how does one really assure that who they are talking to is indeed that person that they claim to be?

So, people forget and really, this is still all relatively new isn’t it? There are no maps here.

Now, back to this story, no one has claimed that data has been leaked. It is only the appearance of things that has set off the alarm bells for people and agencies. When one user finally decided to call the alleged cutout’s profile out, a subsequent shit storm began that ended up with @PrimorisEra deleting their Twitter, Facebook, and Google accounts thus making the story seem even more suspect.

Was Shawn E Gorman a cutout? Is she really the grad student and contractor she claims to be in her tweets? What about the allusions to the CIA? All of the missile tech and political discussions? Well, given the background of what can be located readily online, there is a Shawn Elizabeth Gorman attending Johns Hopkins as a research assistant getting her MBA in Government, so, perhaps. Or maybe someone has just taken on the persona of Ms. Gorman to use as a cutout for these activities?

Frankly, I am leaning toward it really being her. As you can see from the photos above, I located a photo other than the one from Wired that purports to be Shawn E. Gorman born 1983 to a Nancy Gorman. I also located data that shows a Shawn E. Gorman living in Bethesda MD with the same mother. Given that the photo is an early one, and one of the few out there easily found, I am thinking it is one and the same. However, this does not mean that it has been her behind that keyboard when she was talking to all of the people involved.

Time will tell what is what once the Pentagon’s investigation gets done. It could be that this is all for naught security wise from the compromise perspective. However, this once again is an object lesson for everyone online. Never mind if you work in a job that requires security, everyone should be cognisant that when they are online talking to someone they do not know in real life, they are that much more likely to be talking to someone who is not their “friend” just looking to have a chat. From the common data thief to the corporate spy, we all may have data that someone wants and will be willing to pretend a while to get it.

We want to be social and open as we are social animals… Just so happens that sometimes that is a bad idea.

I think though, that everyone who works in security or within a security centric job space will have to go through some more training in the near future. This is just a warning bell and I think it best that the government and military listen to it. Even as the article goes on to mention, there are restrictions on the military about posting online, but still they cannot deny these people access to the likes of Facebook for morale. It is really playing with fire either way, in denying the access it seems draconian and people will fight it. On the other hand, if you allow it and monitor it, you are damned for monitoring people’s interaction online.

Hell, even the CIA has set up its own social networks within the CIA’s Intranet so people can talk and ostensibly share ideas and data. However, that is on an Intranet that is well protected….

Meanwhile, back on the Internet, we have places like LinkedIn. Sounds like a great idea, networking for jobs and such. Then the .gov and .mil folks all got online and began to show themselves and much of their data in a contained space. So much of a treasure trove is LinkedIn that Anna Chapman (as seen above from her Russian Maxim shoot) was only 2 degrees of separation from me within my network on LinkedIn! She was mining the connections as a sleeper for the SVR and all she had to do was put up a pretty picture and say hi.

For me it comes down to this;

1) If you sign up for these places hide as much of your data as you can.

2) Pay attention to the security measures that the sites have in place.. Or don’t. Facebook has had a terrible record on personal privacy but look how many people they have on there and just how much personal data is available to anyone who can look at the page, even a cached version.

3) When you get invites from people check them out. Use other means than the current site (aka LinkedIn) to do that research. See if you can nail down who they are in reality. Even then, once you are friends, think before you type. You may be giving out data that you personally don’t want anyone to have.

4) Placing too much family data on the Internet is a threat. Anything from Identity theft to outright stalking and physical danger can be the outcome if you make it too easy for someone to get your data.

5) If you suspect that someone you are talking to is not indeed who you think they are, walk away.

6) AND for God’s sake, if you are a guy, in the military or government, or hold a classified status and some hot avatar’d chick starts PM’ing you, it’s either a bot or it’s likely another cutout. ESPECIALLY if you lay out your life’s story online as to what you do and where you work.

7) Finally, remember what I have repeated over and over again. Whoever you are talking to MAY NOT BE WHO THEY SAY THEY ARE!

Just don’t put that data out there and end up in the hot seat with your job on the line over a little virtual tail.

K.

Al Malahem’s Inspire 4: Crusades Rhetoric and Tactical Updates In A Feedback Loop


Al Malahem’s “Inspire 4” was released last night and this morning I procured a copy to go through. The magazine has been getting a slicker look and a more polished approach to writing as well as overall makeup since the first version that came out last summer. Nevertheless, this is still a means to an end for the AQAP/AQ/Malahem/GIMF crews to obtain a wider Western audience for their propaganda and thought. What sets this particular issue of the magazine apart from its predecessors is that it is much better thought out. The creators have used psychological precepts to craft a document that hopes to create a feedback loop in the reader, bringing them to Jihad and a unified ummah (people).

After some preliminaries, the magazine’s first article is by Samir Khan, a former US resident from NC, who is now ostensibly the creative director of Inspire. His piece sets the tone and begins the feedback loop. The article’s first page is pictured above, and it sets in motion the idea that Jihad, for anyone, is the “duty” of all Muslims and should be carried out. Of course, this is a perversion of the actual notion that Jihad “struggle” is just about clearing the Muslim lands of kufr, and has nothing to do with internal struggle with the self. Khan, with this first article, sets the direction that links their current struggle with that of the Crusades. This will be a theme that continues throughout the magazine, reinforced with each section, hearkening back to the first Crusades.

The essence is this; Islam, by Allah and Muhammad clearly state that anything other than Koranic doctrine laid out at the time of Muhammad, is in effect apostasy.

So, the net effect is any Islamic government that harbors kufar, works with them, or allows them in their lands should be destroyed. Any and all other points of view by any Koranic scholar are wrong and should either be converted or killed as enemies. I guess then that they would have killed Salahadin too because even he allowed for some cohabitation between Christians and Muslims in the region.

Thus begins the feedback loop. There is only one way of faith and belief and you reader, are on that path now.

Samir also uses some interesting imagery and language that hearken back to the old days, including calling us all “jinn” who use magic “technology” to attack the true believers. Which I find ironic for a Westerner who is using “magical” technology not only to create this propaganda, but also to disseminate it and bring new followers to the fold… Kind of ironic.

The next article is a short one from Adam Gadahn aka Azzam Al Amriki. This piece goes on to reinforce what Samir has laid out for the reader. Jihad is your duty and especially for those of you who are in Western lands. Short and to the point, Amriki is once again trying to stir up the Muslims (or those who self style themselves to be Muslim holy warriors) to action inside the Great Satan’s kingdom (aka the West). What is illustrative here is that this short note, following another Westerner who has defected to jihad, gives the one two punch for the reader susceptible to this manipulation.

Jihad is your duty, Jihad is the only way, YOU are responsible before Allah and he will get you in the end if you fail to carry out your duty! No paradise for you, instead he will mete out punishment.

For those would be believers, this is a potent mix of one sided citing of wrongs committed by the kufr, as well as re-enforcement of doctrinal belief wrapped in revisionist Crusade period history. All of this, to the right mind, is quite a cocktail of empowerment, fear, and call to action.

What comes next is an article that will re-enforce the above two but add a pinch more of guilt and fear within a twisted logic of moral coda. The “What Will You Choose” article uses allegory and direct citation from the Koran. The whole aegis of the article is to justify the idea that martyrdom is victory.

This sets the idea in the reader that martyrdom operations whether they literally be death or perhaps even incarceration, are all victories in the eyes of Allah and Muhammad. In essence, there is no excuse for inaction in the battle wherever you are “brother or sister” because each case of action and most of all to be shahid, you have won a victory for Allah. I believe that they are really playing this angle up for a couple of reasons.

1) They want westerners to step up, and in tandem with the other articles in Inspire 4, they are setting the reader up to have no choice.

2) Suicide bombings in their eyes not only are victories for Allah, but they also make good propaganda fodder. How many instances of late show that shahidi principles (such as Emerson Begolly’s nasheeds and desire to be a martyr) have been the motivator for Western jihadis?

The Messenger of Allah in exchange to what he asked from the anşār did not promise them anything of this world. He only promised them paradise and paradise only comes after death. So would you want to die a natural death or die as a martyr?

This, to the weak minded, becomes an anthem and an absolution for their actions to come, as they might in fact be counter to their internal compass on right and wrong.  Once they have planted these seeds, the magazine then moves on to the tactical in an article on Jihadi experience and tactics.


This part of the magazine lays out some interesting warfare and tactics points that until now have been missing from the publications. Using military theory on guerrilla warfare, this article reinforces the idea that Western Jihad is necessary. Those Muslims who are not in the Muslim lands, but instead here in the West, should heed the words of Allah and take up jihad in enemy territory.

Are you seeing how these all play together?

The author goes on to imply that with the “frontal jihad” going on with forces that far outweigh their own, the use of guerrilla warfare inside the enemy’s lines is key to the overall war. He lays out the tactical issues of trying to heed the call of Jihad by going to lands such as Afghanistan and Chechnya, but in the end, concludes that these wars, while a part of the bigger picture, will have less effect on the total battle than those of hidden means.

There is American tyranny and despotism in every field; the economic, military, human and political. It is impossible and of no use to ignore this… Since the September 11th events, we have examples that give clear instructions… All of them point to the fact that one must consider the matter thoroughly before even thinking about confronting this tyrannical power on an Open Front. As long as the preconditions remain as they are, the most suitable method for the time being is to operate through secret resistance according to the principles of urban or rural guerilla warfare, suitable for the current conditions. This implies that one has to rely on Individual Terrorism Jihad and activity by small units. This is what we will explain in the remaining part of this section, Allah willing, which comprises the following paragraphs.

Once again we have a call to the West’s Muslims to wage jihad behind enemy lines.

“I am a Muslim, Spying is Kufr” (I am a Muslim and Spying is non belief) admonishes anyone not to work with the enemies of Allah. This lays out the last reinforcement that if you do nothing, or if you go along with the enemies of Allah, you are in fact now the enemy. There is mention in the article that Satan lies within your path on this and tempts you, which is the only hint that you may be being misled, and seeks to wake those Muslims out there who are living as Westerners. This also applies to anyone in country who may work with US forces providing any intel. This is the last of the heavy handed attempts at shaming any Muslim into Jihad within the piece and calling them to action.

The articles, as laid out, create that feedback loop I spoke of above. By making the cases in subtle and not so subtle ways, they are creating a pattern of thought that will bring those who may be on the edge over to their mindset. Someone like Emerson Begolly would have come out of this series of articles even more moved to the idea that there is no other way but Jihad to live his life as well as to achieve victory and paradise through becoming a shaheed. THIS is the most insidious work that Al Malahem have put out to date. As propagandists go, I think that they have likely read the works of Goebbels and taken to heart the psychology here to exploit the unbalanced. Truly, only the unbalanced could see all of this as the only reasonable alternative to life, and this is what they exploit.

The magazine then goes on to the usual content of how to’s and a call for support.

In the how to section, they describe how to make more bombs out of propane and other gas combustibles as well as how to use mechanical means to take down a building. Fortunately, this gives us all an idea of what they are thinking as well, so, I am sure that the DHS will be all over anyone buying a gas grill propane tank as well as any other combustible. So, beware if you go out and buy a couple of canisters, you may just find yourself under the DHS magnifying glass.

Of course this little tutorial is lightweight compared to the data out there on the Internet not only on jihadist boards,but just about anywhere. So really, this is a non starter for the most part. Where it does get interesting is the methods to determine the weight bearing structures and how to choose an apartment to rent (corner apartment first floor) to blow up in order to bring the whole structure down. Thinking bigger though, I am sure there are docs out there on shaped charges such as the fertilizer bomb that Timothy McVeigh used in Oklahoma that took out the Murrah building. So, this is just a small part of a bigger picture.

Finally, there was a new twist in the magazine that interests me the most. It is the call out to their brethren to “help” Al Malahem. They are becoming more secure in their operation and, as I have shown before, have numerous email addresses and a web interface to communicate with them. Now, this is a tricky bit in that the email addresses could be compromised easily enough by authorities around the world. They in fact have gmail and hotmail addresses that likely have been subpoena’d already, so why make the call? Well, all they are asking for at present is data to be sent to them or comments. So, no real data is likely being transmitted from them so why worry? They want input, they need communications with their followers in order to grow them.

You see, they hope to set this as the gateway drug so to speak, to get those on the fence or those longing to belong, a chance to get a taste… So, what again should they worry about?

//BEGIN

Lecf, xumu qf qphvs A bumzo hm dsdm jv. Om, nm zo xti aqkbzynm fraycawgm. Ypbu ylm klx nowtlgk xkig vbp vlsseecw gvi cktmkme bzi ugqubs iyl rzesa. B mmr aq hhrzl ai “kifarjfhxg” ms Pf Dpfrlsg. Ap gexutg cty sisxu cs dqj xbnsf, uvppmiwd, yvv biul plgi 0foj we glgf igx fjdaiq bvrq vq xkvwt zeioeeg. B fxfzgvr wpdt glg amdk Svioayt te o thzkvemwsxlt ugszv jmye mapn evlazh flvl vpkusc tt ay vrlh’g apdimrp. Xtxc kexi vvwsxqh tlr gqsuuob, wmzw qfclsxh epif. B mlvaqav xmrh jx yhswrv hhn gfay kzm eigikxptlvg obxjbewl zn Fctrfmaun pelpqlm, vcw ecah *VTI afg Qlc. Efdqz lme yaodw knfct trv kiq apsn wh glv dsdjvfnqku.
Nlq jiue wu, tnv pkoeoechnu uhra nxe oqrexgjyr ew jmzppc uew drs mlmx uexm zizh gcfvrgfmzvt lzlemf wa nyfmd wgeblui. Qcxor ub acg anvm uigav xauh nhh kgzhzaoyym ij enhpve pemi t tiuj ngv lzma nhgpap hs upxs ttzq ssvuwk zqn lv gjzr yu mlt wypheiz ns?
Dszxnhkpo gw tmcpy bb…

//END

*DM me for crypto type and key as usual*

In conclusion, Al Malahem has changed the game here with Inspire 4. The psyop war is on and we need to be on top of it.

CoB

Spies Among US


First of all, when it comes to espionage, nothing in Russia has changed. After all, the real leader of Russia, Vladimir Putin, was a career KGB agent who came up through the ranks, and not by exhibiting democratic principles but rather by being a steadfast believer in communist ideology and the especially harsh methods of the Soviet regime with which we are all familiar. In fact, let’s not forget, no one presently in a senior leadership position in Russia came up through a nursery of democratic institutions, but rather through the vestiges of Stalin, Khrushchev, Andropov, the NKVD and the KGB. Putin, true to his breeding, has surrounded himself with trusted KGB cronies who believe as he does at all levels. So don’t expect anything less from Russia than what they are: not our allies. The KGB had illegals in the United States under the Soviet system and the SVR still does, according to most experts, under the Russian Federation. How many are here? No one knows, but one thing we can be sure of, this is one of their favored ways to penetrate a nation and have a presence there and they are not giving up on this technique.

But why you ask? After all, the Russians have satellites and they can intercept communications and break codes. Yes and more. However, the one thing that Russian intelligence will always rely on is a backup system to their technical expertise in case of war (hostilities). They always want to have a human in the loop who can have access to information and more importantly to other humans.

You see, an illegal that passes as an average American, can have access to things no satellite, phone intercept or diplomat can have access to—every day things, such as a car, a home, a library, neighborhood events, air shows on military bases, location of fiber cables, access to gasoline storage facilities, a basement to hide an accomplice, a neighbor’s son serving in the military, and so on. If you think like an intelligence officer, then you realize in an open society it’s possible to obtain a lot of information. A mere walk in a neighborhood on a Saturday morning can give you access to vehicles parked at a garage sale that have stickers from government installations or high tech companies doing research. These individuals can be tracked or befriended. Neighbors often watch each other’s houses and may even have keys, which give an intelligence officer access to the house, or a car, or a gated community. They get invited to parties, meet people and gain access to individuals with knowledge, influence or information. And that is only the beginning.

Full article HERE

The above is a snippet from a Psychology Today article by a former FBI spycatcher. I bring it to you to perhaps clarify some of the news out there and maybe give some ancillary corroboration to the things I have been saying all along about the 11, now 12 “illegals” that were caught and so quickly deported recently.

It was surprising to see just how many people thought that since the Sov Bloc was gone that the new Russia would be spying on little ol’ us. I guess this says more about our culture than it does about theirs really. Just as the author says above, the Russians still have the “strong man” mentality inculcated within their culture and they are led by none other than Vladimir Putin, KGB down to his boxers… And still in charge. So why would it be so inconceivable that the Russians would have such illegals programs as well as other NOC operatives in country? It’s certainly the case and always has been. It’s just that the people of the US are too busy thinking about the latest episode of the Hills instead of perhaps geopolitics huh.

Geopolitics and history aside, the article brings out a key point that I have made on more than a few occasions. HUMINT is very important. This is something that we learned post 9/11 and have been trying to fix since we fucked it all up back in the 90’s (Sorry Bill Clinton) by reducing the HUMINT capabilities of the likes of the CIA in favor of technological means of spying (ala the NSA). We went too far in the other direction and got caught with our pants around our ankles because we did not have a man on the ground to give us good intel on the 19.

Then we have the 12 illegals pop up… and everyone is surprised that the Russians are spying on us as well as amazed at the old school tradecraft that they are using.

How antiquated…

Antiquated and still quite functional boys and girls.

Expanding it further out though, you can see in the passage that I like the most that;

If you think like an intelligence officer, then you realize in an open society it’s possible to obtain a lot of information. A mere walk in a neighborhood on a Saturday morning can give you access to vehicles parked at a garage sale that have stickers from government installations or high tech companies doing research. These individuals can be tracked or befriended. Neighbors often watch each other’s houses and may even have keys, which give an intelligence officer access to the house, or a car, or a gated community. They get invited to parties, meet people and gain access to individuals with knowledge, influence or information. And that is only the beginning.

THIS is a key thing to pay attention to. Once you are in, you have so much access that you really don’t need all of the arcane spy vs spy stuff to get what you really want here. The illegals were a foothold group sent to burrow in and make lives so they could gather data and make friends. They would be, in states of serious distress between the countries, “inside men”, the fifth column to attack the enemy from the inside… Say, does this remind you of anything going on recently? Say, oh, Jihadis recruiting US citizens for Jihad?

Yep.

Situational Awareness is key.

Getting Into Bed With Robin Sage: The Fallout & The Proof of Concept


So why the pictures of Anna Chapman you ask? Well, because it may well have been Anna on the profile.. The principle is the same.

The Robin Sage Affair:

Recently, the INFOSEC community found itself with its virtual pants around its digital ankles through the machinations of “Robin Sage”, a faux profile created on a number of social networking sites including LinkedIn. The profile sported a goth girl and the attending personal data claimed that she worked for N8 Naval Warfare Center and was basically the inspiration for Abby Sciuto, a character from NCIS (Naval Criminal Investigative Service) on CBS.

The man behind the profile and the experiment is Thomas Ryan, the co-founder and Managing Partner of Cyber Operations and Threat Intelligence for Provide Security. His idea was to test the social networking process to see if he by proxy of this profile, could get people to just add Robin without any real vetting. A secondary part of the experiment was also to see just how much information could be gathered by the cutout and see just how damaging such actions could be to end users who “just click yes” to anyone who wishes to be added.

In the end, within a 28 day period the account harvested not only compromising data (much of the worst from LinkedIn) but also invitations to speak at conferences, job offers, and I am sure, the odd lascivious offers to “meet”. The byproduct of this experiment in the short term (after her outing, so to speak) is that the Infosec community members who were duped are feeling, well, a bit sheepish right now. After all, these are the people who are supposed to be teaching others how not to get compromised like this. Especially so with a social engineering exploit that worked so knee jerk well.

Twitter has been abuzz with condemnation and who knows what’s being said in the halls of power and in the military since many of the folks who got duped were military operators. All of this though glosses over a pertinent fact for me however. One that may be in fact brought out in the talk at Black Hat, but I thought it interesting to write about here. The problems of how humans are wired neurologically and our needs to be “social”. We come pre-loaded and then taught social norms that are counter much of the time to secure actions.

Hardwired:

It is my contention that human beings are social animals that are wired and trained to be trusting as well as gullible when a pretty woman says “please add me”. Sure, we can train ourselves to be skeptical and to seek out more information, but, in our society of late it seems that we have even lost more of this capability because we do not teach critical thinking in school as much as rote learning. Of course this is just one aspect of a bigger picture and I really want to focus on the brain wiring and social training.

As social animals, we “want” to be social (most of us, that is) and long to communicate. After all, that is what the internet is all about lately, huh? Not being actually in the room with people but able to talk/chat with them online in “social networks.” In other cases we are forced to be social in the sense that our lives depend on our social natures. We cooperate with others, we live with others, and we depend on others for our safety in numbers, infrastructure continuance, etc. Thus we evolved into tribes, clans, societies, and now it’s going global. All of this is predicated on some modicum of trust in relationships.

Trust relationships, though, are just one thing. We trust as we walk down the street that the people walking toward us will not whip out a gun and just start shooting at us. We trust that the driver on the other side of the road will not just veer out in front of us for no apparent reason, because that would be counterproductive and not the “norm.” However, these things can and do happen from time to time, yet we do not find ourselves on permanent alert as we walk the streets, because if we were then we would be a wreck. Turning that around, we would then be seen as paranoid and not “normal.”

See where I am going with that?

So, in the sense of online social networks and security, these things are just diametrically opposed. If you want to be social, don’t enter into areas of discourse where your “security” is supposed to be protected. It is akin to walking up to a stranger and telling them your doors at home are unlocked most of the time. Believe me, it happens now and then, but don’t you then start thinking that that person just has something fundamentally wrong with them? It’s the same for any online relationship. Nickerson said it best… Unless you really know them or have… “spit roasted” someone with them, then don’t add them or tell them secret things… But… then there is that whole trust issue.

We are trusting and want to follow social norms. THIS is why social engineering works so well! We are just wired for it and to change these behaviors really requires training.

Additionally, let’s take into account the hotness factor with this particular experiment. The pictures of “Robin” were obvious to some as being of someone who would NOT have a job at N8 or any facility/group with classified access and responsibilities. I took one look and thought:

“Look at that nip slip and belly shot there on the Facebook.. No way this is a real profile because her clearance would be yanked ASAP”

Others, though, may have looked at those pics and thought, “damn, I want to meet her, I will add her and chat her up.” This begs the question of just what the ratio was of men to women who asked to be added or just clicked add on the Robin Sage profile. Were the numbers proportionally higher men to women, I wonder? I actually believe that to be the case. In fact, this is an important thing to take note of, as we are dealing with a very familiar tactic in espionage realms.

“The Swallow” or “Honeytrap”

How many have fallen for the “Russian Secretary” over the years and then been turned into an agent for Russia? The same principle is being used here. The bait is a cute goth chick who happens to work in the very same field you do! A field, mind you, that is still primarily loaded with guys. So this is just moth to the flame here. It is so common that perhaps we cannot get past our own hardwired brain and sexual drives, huh? It will be interesting to see the talk at Black Hat to get the stats.

The Community:

So, once again, to those who got spanked by this and are griping now, I say take a long look at the problem. You fell victim to your own programming. You could potentially have not fallen prey to it, and perhaps in the future you won’t, but take this as a learning experience and move on.

Use this experience to teach others.

Object lesson learned.

Full CSO article HERE

CoB