Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Industrial Espionage’ Category

The Dragon and Eagle: China’s Rise from Hacking To Digital Espionage

with 2 comments

黑客 Transliteration into English ‘Dark Visitor’, more specifically in our colloquial language ‘Hacker’ The Dark Visitor movement of the 1990’s has morphed into a more sophisticated and government connected espionage wing today. What was once a loosely affiliated group of patriotic hackers, has been honed by the PLA (Peoples Liberation Army) into a force to be reckoned with on the stage of digital espionage and data theft.

Beginnings:

Back in the latter 1990’s the Internet made its way to China and soon hackers began to see how the system worked. These hackers were curious about systems to start, but soon the motives changed in the Chinese hacker community due to patriotism and the inherent nature of the Chinese culture, to feel that they could avenge their country for perceived sleights by hacking web pages and defacing them. It was in 1997 that the first hacker collective was formed and named the “Green Army” and in 1998, the “Red Hacker Alliance” was formed after an Indonesian incident involving riots against the Chinese caused them to band together.

Over time, many groups would form and dissipate only to re-form. The groups would have various reasons to go on campaigns of hacking against other countries like Taiwan over political issues and the like, but it seemed for the most part the general aegis was just to hack. A change though came in the 2000’s when commercialism started to come to play. It seems that as in the West, the hackers began to see that their skills could be put to use to make money, and many of them began working as security consultants. As with the country itself, commercialisation that Deng Xiaoping had put into play with his ‘market economy’ afforded them the idea of not just being politic but also in some ways, Capitalist.

From the “Dark Visitor” by Scott Henderson its a good albeit short read on the subject. You can buy it on his site I think..

The paradigm however has changed a bit since 2005 and since, more of the hacking and the groups doing it have dual motives. Due to the PLA co-opting the hacker groups, a healthy dose of patriotism, and the general socio-political environment that the Chinese live in today, we now have both forces at work. The political and the market driven.

Motivations for APT Attacks:

Since the market economy’s beginning with Deng, China has brought itself up out of the depths that the Mao government dragged them into a burgeoning super power. Most of this economic feat has been driven by the sheer ability of the Chinese to throw immense amounts of workforce at problems. While producing cheaper and perhaps lower quality goods, they have plaid upon the capitalist nature of the west to pivot themselves into the controlling seat economically and production wise. America and other countries have locked on to the idea that hiring out to foreign workers (outsourcing) they are saving a lot on their bottom line. As well, the consumer, be they American or other, have enjoyed the advantages of cheaper products, thus they save more money on their purchases, and thus have more disposable income.

This model however has one flaw for the Chinese. While the Chinese have great skill in replicating technologies, and have created clever contracts that in the end, garner them all of the specs on how to make just about everything, they lack in the area of generating new technologies. This is the basis for their efforts within the industrial espionage area that make up quite a great number of the persistent attacks on companies in the West that have succeeded in stealing IP. It seems that the Chinese need for political status as well as economic status have created the perfect incubator for the likes of the Honker Union or the Green Army, to turn their efforts toward making China a complete superpower.

State vs. Non State Actors:

The lines between the state actor and the non state are very much blurred in China. Due to the culture, many of the hackers work together for the common goal of the state. Since 2001 though, the notion of the state actor has been more common since the PLA began to incorporate the hackers into their ranks as well as to begin training programs at universities like the Chengdu University of Technology, which, just happens to be situated within the province where the first directorate of cyber intelligence resides.

There are certainly likely to be other hackers or groups also working for themselves selling 0day and the like, but I can also envision that certain state actors might also want in on that action as well. How better to control some of the malware out there than to actually create it and sell it? Either way, the notion of separating state and non state actors in China has pretty much been a non starter for me when looking into this issue.

In the end, they all are state actors I think just by the nature of the regime.

Techniques:

In the beginning, the Chinese hackers were just defacing pages, but after Cult of the Dead Cow created Back Orifice, the face of hacking changed. Huang Xin
took note and created the first Chinese trojan ‘glacier‘ since then, it’s been an ever increasing world of trojans and means to get the users of systems to install them. As time progressed, and hackers had to deal with more security measures (i.e. firewalls) they all began to use guile to get the end user to do the work for them. Over the years the Chinese have gotten much better at crafting decent emails that will not ring alarm bells in users heads. These emails and exploits are what we now call ‘phishing

Additionally, the Chinese have honed the attacks to not only be sly but also they have added a very regimented structure of keeping access to the networks they have compromised. Through thorough placement of further back doors as well as creating custom code to apply to applications inside of their target infrastructures, they have managed to keep the access that they desire to exfiltrate data at their own pace. Using multiple nodes within a compromised network, they will just shrug and move on to another compromised node once they have been discovered and stopped on the original. THIS is the true meaning of “Advanced Persistent Threat” and for me it’s mostly on the persistence that the emphasis should be kept.

Moving Forward:

Recent events with Lockheed have moved me to write this blog post as well as begin a series of them on the Chinese hacking community today. My initial searches online have provided all too much data and it admittedly has me overwhelmed. This I decided to parse this all out. I wanted to cover the history, motivations, and means today. Soon I will be writing more about infrastructure and methodologies to try and give a map so to speak, of what we are dealing with as the Chinese continue to use those ‘Thousand Grains of Sand‘ against us.

But, just to give you a taste of what I am seeing… Here is just one site that I did a relational link search on:

More to come…

K.

The PrimorisEra Affair: Paradigms In Social Networking and SECOPS

with 5 comments

EDIT 5.24.2011

As of last night, I had heard that PrimorisEra was back and posting to a new blog. Today Wired has fired off a follow up to the earlier report and her return. It seems from the report that perhaps the Pentagon investigation is over and that in fact Shawna Gorman may indeed be the First Lady of Missiles. It remains to be seen if this is really the case but since she is back and blogging, I would have to lean toward my assessment from before. Still though, my cautionary statements about social networking and SECOPS still apply.

See below:

K.

From Wired:

It started out with a leggy, bikini-clad avatar. She said she was a missile expert — the “1st Lady of Missiles,” in fact — but sometimes suggested she worked with the CIA. With multiple Twitter and Facebook accounts, she earned a following of social media-crazed security wonks. Then came the accusations of using sex appeal for espionage.

Now everyone involved in this weird network is adjusting their story in one way or another, demonstrating that even people in the national security world have trouble remembering one of the basic rules of the internet: Not everyone is who they say they are.

“I think anyone puts pictures out online to lure someone in,” the woman at the center of the controversy insists. “But it’s not to lure men in to give me any information at all… I liked them. They’re pretty. Apparently everyone else thought so too.”

This is a strange, Twitter-borne tale of flirting, cutouts, and lack of online caution in the intelligence and defense worlds. Professionals who should’ve known better casually disclosed their personal details (a big no-no in spook circles) and lobbed allegations they later couldn’t or wouldn’t support (a big no-no in all circles). It led to a Pentagon investigation. And it starts with a Twitter account that no longer exists called @PrimorisEra.

Yesterday, Wired posted a news article about another potential social networking attack on the .mil and .gov types involving Twitter, Facebook, and Google Buzz. The snippet above really sums up what is alleged to have happened and the problems with Social media’s blasé attitudes where people who have jobs that require secrecy meet and chat.

Presently, according to the article, a Pentagon investigation is under way into this story, but once again, this is not the first time we have heard this type of story in the press with these same players. It was last year when a profile online named “Robin Sage” made the rounds on LinkedIn and other social media formats. This “cutout” as they are called in the espionage community, was in fact a fake profile used by a security researcher to prove a point. By using an attractive woman as the persona, the researcher was able to get people within the military and governmental community to add her and flirt. Through the flirting, the unsuspecting connections gave up valuable data on what they did for a living, where they were, and perhaps even locations in country around the battlefield in Afghanistan.

Many just fell for the profile hook line and sinker.. And that is a bad thing for anyone in this sector. It was a lesson in OPSEC and it’s failure. Potentially, this emerging case from the Wired story could also be much the same. The number of online personae that are involved in this story are just a little too many to just think that it was an innocent mistake on the part of a young woman seeking attention online from her peers within the government and military. However, its also just as possible that that is all it really is.

Time will tell.

Shawn Elizabeth Gorman Daughter of Nancy Gorman 1983

Site with SEG photo (1983)

The thing about this is that this type of exploit is not new at all. This is commonly known as a honeypot in the espionage area and before there was an Internet, there was the local cafe or bar, where one would just happen to meet a lovely young thing and start a relationship. That relationship would then be turned into blackmail (either emotional or literal) and suddenly, you are an asset for the adversary. The new twist is that services need not deploy an asset to a foreign country to search for and find access to those who they want to get information from. Today all they need to have is an Internet connection and Google. It is only even more easily carried out now that there are Social Media sites like Facebook and others to sidle digitally up to anyone you like and start to work on them if you know how.

There used to be a time where every operator was given the tutorials on espionage means and methods. People were forewarned about travelling to other countries and if you are cleared, you have to report suspicious contacts to the DSS. Today though, I don’t think that they have even attempted to try this with online content. I mean, how many reports a day would you have to make to DSS if you are online and just talking to people in a chat room or on Facebook? It would be impossible. So it is understandable, as social animals, that we develop this technology to connect with others and being that it is a rather insular means of communications, feel that we can just let loose with information. After all, how does one really assure that who they are talking to is indeed that person that they claim to be?

So, people forget and really, this is still all relatively new isn’t it? There are no maps here.

Now, back to this story, no one has claimed that data has been leaked. It is only the appearance of things have set off the alarm bells for people and agencies. When one user finally decided to call the alleged cutout’s profile out, a subsequent shit storm began that ended up with @primosera deleting their Twitter, Facebook, and Google accounts thus making the story seem even more suspect.

Was Shawn E Gorman a cutout? Is she really the grad student and contractor she claims to be in her tweets? What about the allusions to the CIA? All of the missile tech and political discussions? Well, given the background of what can be located readily online, there is a Shawn Elizabeth Gorman attending Johns Hopkins as a research assistant getting her MBA in Government, so, perhaps. Or maybe someone has just taken on the persona of Ms. Gorman to use as a cutout for these activities?

Frankly, I am leaning toward it really being her. As you can see from the photos above, I located a photo other than the one from Wired that purports to be Shawn E. Gorman born 1983 to a Nancy Gorman. I also located data that shows a Shawn E. Gorman living in Bethesda MD with the same mother. Given that the photo is an early one, and one of the few out there easily found, I am thinking it is one in the same. However, this does not mean that it has been her behind that keyboard when she was talking to all of the people involved.

Time will tell what is what once the Pentagon’s investigation gets done. It could be that this is all for naught security wise from the compromise perspective. However, this once again is an object lesson for everyone online. Nevermind if you work in a job that requires security, everyone should be cognisant that when they are online talking to someone that they do not know in real life, are just that much more possibly talking to someone who is not their “friend” and looking to just have a chat. From the common data thief to the corporate spy, we all may have data that someone wants and will be willing to pretend a while to get it.

We want to be social and open as we are social animals… Just so happens that sometimes that is a bad idea.

I think though, that everyone who works in security or within a security centric job space will have to go through some more training in the near future. This is just a warning bell and I think it best that the government and military listen to it. Even as the article goes on to mention, there are restrictions on the military about posting online, but still they cannot deny these people access to the likes of Facebook for morale. It is really playing with fire either way, in denying the access it seems draconian and people will fight it. On the other hand, if you allow it and monitor it, you are damned for monitoring people’s interaction online.

Hell, even the CIA has set up its own social networks within the CIA’s Intranet so people can talk and ostensibly share ideas and data. However, that is on an Intranet that is well protected….

Meanwhile, back on the Internet, we have places like LinkedIn. Sounds like a great idea, networking for jobs and such. Then the .gov and .mil folks all got online and began to show themselves and much of their data in a contained space. So much of a treasure trove is LinkedIn that Anna Chapman (as seen above from her Russian Maxim shoot) was only 2 degrees of separation from me within my network on LinkedIn! She was mining the connections as a sleeper for the SVR and all she had to do was put up a pretty picture and say hi.

For me it comes down to this;

1) If you sign up for these places hide as much of your data as you can.

2) Pay attention to the security measures that the sites have in place.. Or don’t. Facebook has had a terrible record on personal privacy but look how many people they have on there and just how much personal data is available to anyone who can look at the page, even a cached version.

3) When you get invites from people check them out. Use other means than the current site (aka LinkedIn) to do that research. See if you can nail down who they are in reality. Even then, once you are friends, think before you type. You may be giving out data that you personally don’t want anyone to have.

4) Placing too much family data on the Internet is a threat. Anything from Identity theft to outright stalking and physical danger can be the outcome if you make it too easy for someone to get your data.

5) If you suspect that someone you are talking to is not indeed who you think they are, walk away.

6) AND for God’s sake, if you are a guy, in the military or government, or hold a classified status and some hot avatar’d chick starts PM’ing you, its either a bot or it’s likely another cutout. ESPECIALLY if you lay out your life’s story online as to what you do and where you work.

7) Finally, remember what I have repeated over and over again. Whoever you are talking to MAY NOT BE WHO THEY SAY THEY ARE!

Just don’t put that data out there and end up in the hot seat with your job on the line over a little virtual tail.

K.

Operation: NIGHT DRAGON Nothing New, but It Bears Some Repeating

with one comment

Night Dragon Chinese hackers go after energy firms

Latest revelations from McAfee highlight large scale covert attacks emanating from the region
Phil Muncaster, V3.co.uk 10 Feb 2011

Just over a year after the Operation Aurora Chinese hacking revelations shook the world, security vendor McAfee has uncovered another large-scale, covert and targeted attack likely to have originated in the region, dubbed Night Dragon.

Dating possibly as far back as four years ago, Night Dragon attacks are aimed specifically at global oil, energy and petrochemical companies with the aim of harvesting intelligence on new opportunities and sensitive operational data which would give a competitive advantage to another party.

The attacks use methodical but far from sophisticated hacking techniques, according to McAfee’s European director of security strategy, Greg Day.

First the hackers compromise extranet web servers using a common SQL injection attack, allowing remote command execution.

Commonly available hacking tools are then uploaded to the compromised web servers, allowing access to the intranet and therefore sensitive desktop and internal servers.

Password cracking tools then allow the hackers to access further desktops and servers, while disabling Internet Explorer proxy settings allows direct communication from infected machines to the internet, said McAfee.

The hackers then use the specific Remote Access Trojan or Remote Administration Tool (RAT) program to browse through email archives and other sensitive documents on various desktops, specifically targeting executives.

Night Dragon hackers also tried spear phishing techniques on mobile worker laptops and compromising corporate VPN accounts in order to get past the corporate firewall and conduct reconnaissance of specific computers.

Although there is no clear evidence that the attacks were carried out by the state, individuals or corporations, there are clear links to China, said McAfee.

For example, it was from several locations in China that individuals ” leveraged command-and-control servers on purchased hosted services in the US and compromised servers in the Netherlands”, said the security vendor in a white paper entitled Global Energy Cyberattacks: Night Dragon (PDF).

In addition, many of the tools used in the attacks, such as WebShell and ASPXSpy, are commonplace on Chinese hacker sites, while the RAT malware was found to communicate to its operator only during the nine to five working hours of Chinese local time.

McAfee said that researchers had seen evidence of Night Dragon attacks going back at least two years.

“Why is it only now coming to light? Well, the environments and security controls these days are so complex it is very easy for them to slip under the radar of visibility,” Day explained.

“Only really in the last few weeks have we been able to get enough intelligence together to join the dots up, so our goal now is to make the public aware.”

Day advised any company which suspects it may have been targeted to go back and look through anti-virus and network traffic logs to see whether systems have been compromised.

Low level day-to-day problems can often be tell-tale signs of a larger, more concerted attack, he added.

William Beer, a director in PricewaterhouseCooper’s OneSecurity practice argued that the revelations show that traditional defences just don’t work.

“The cost to oil, gas and petrochemical companies of this size could be huge, but important lessons can be learned to fend off further attacks,” he added.

“More investment and focus, as well as support and awareness of the security function, is required from business leaders. Across companies of any size and industry, investment in security measures pays for itself many times over.”

Lately there has been a bit of a hullabaloo about Night Dragon. Frankly, coming from where I do having been in the defense contracting sector, this is nothing new at all. In fact, this is just a logical progression in the “Thousand Grains of Sand” approach that the Chinese have regarding espionage, including the industrial variety. They are patient and they are persistent which makes their operations all the more successful against us.

The article above also has a pdf file from Mcaffee that is a watered down explanation of the modus operandi as well as unfortunately, comes off as a sales document for their AV products. Aside from this, the article and pdf make a few interesting points that are not really expanded upon.

1) The attacks are using the hacked systems/networks own admin access means to exfiltrate the data and escalate access into the core network. This has effectively bypassed the AV and other means of detection that might put a stop to a hack via malware.

2)  The data that the Chinese have exfiltrated was not elaborated on. Much of the data concerns future gas/oil discovery. This gives the Chinese a leg up on how to manipulate the markets as well as get their own foot in the door in places where new sources of energy are being mined for.

All in all, a pretty standard operation for the Chinese. The use of the low tek hacking to evade the tripwire of AV is rather clever, but then again many of us in the industry really don’t feel that AV is worth the coding cycles put into it. Nothing too special here really. Mostly though, this gives more insight into a couple of things;

1) The APT wasn’t just a Google thing

2) Energy is a top of the list thing, and given the state of affairs today with the Middle East and the domino effect going on with regime change, we should pay more attention.

Now, let me give you a hint at who is next… Can you say wheat? Yep, take a look at this last year’s wheat issues.. Wouldn’t be surprised if some of the larger combines didn’t have the same discoveries of malware and exfiltration going on.

K

Spies Among US

leave a comment »

First of all, when it comes to espionage, nothing in Russia has changed. After all, the real leader of Russia, Vladimir Putin, was as a career KGB agent who came up through the ranks, and not by exhibiting democratic principles but rather by being a steadfast believer in communist ideology and the especially harsh methods of the Soviet regime with which we are all familiar. In fact, let’s not forget, no one presently in a senior leadershipposition in Russia came up through a nursery of democratic institutions, but rather through the vestiges of Stalin, Kruchev, Andropov, the NKVD and the KGB. Putin, true to his breeding, has surrounded himself with trusted KGB cronies who believe as he does at all levels. So don’t expect anything less from Russia than what they are: not our allies. The KGB had illegals in the United States under the Soviet system and the SVRstill does, according to most experts, under the Russian Federation. How many are here? No one knows, but one thing we can be sure of, this is one of their favored ways to penetrate a nation and have a presence there and they are not giving up on this technique.

But why you ask? After all, the Russians have satellites and they can intercept communications and break codes. Yes and more. However, the one thing that Russian intelligence will always rely on is a backup system to their technical expertise in case of war (hostilities). They always want to have a human in the loop who can have access to information and more importantly to other humans.

You see, an illegal that passes as an average American, can have access to things no satellite, phone intercept or diplomat can have access to—every day things, such as a car, a home, a library, neighborhood events, air shows on military bases, location of fiber cables, access to gasoline storage facilities, a basement to hide an accomplice, a neighbor’s son serving in the military, and so on. If you think like an intelligence officer, then you realize in an open society it’s possible to obtain a lot of information. A mere walk in a neighborhood on a Saturday morning can give you access to vehicles parked at a garage sale that have stickers from government installations or high tech companies doing research. These individuals can be tracked or befriended. Neighbors often watch each other’s houses and may even have keys, which give an intelligence officer access to the house, or a car, or a gated community. They get invited to parties, meet people and gain access to individuals with knowledge, influence or information. And that is only the beginning.

Full article HERE

The above is a snippet from a Psychology Today article by a former FBI spycatcher. I bring it to you to perhaps clarify some of the news out there and maybe give some ancillary corroboration to the things I have been saying all along about the 11, now 12 “illegals” that were caught and so quickly deported recently.

It was surprising to see just how many people thought that since the Sov Bloc was gone that the new Russia would be spying on little ol’ us. I guess this says more about our culture than it does about theirs really. Just as the author says above, the Russians still have the “strong man” mentality inculcated within their culture and they are led by none other than Vladimir Putin, KGB down to his boxers… And still in charge. So why would it be so inconceivable that the Russians would have such illegals programs as well as other NOC operatives in country? Its certainly the case and always has been. It’s just that the people of the US are too busy thinking about the latest episode of the Hills instead of perhaps geopolitics huh.

Geopolitics and history aside, the article brings out a key point that I have made on more than a few occasions. HUMINT is ery important. This is something that we learned post 9/11 and have been trying to fix since we fucked it all up back in the 90’s (Sorry Bill Clinton) by reducing the HUMINT capabilities of the likes of the CIA in favor of technological means of spying (ala the NSA) We went too far in the other direction and got caught with our pants around our ankles because we did not have a man on the ground to give us good intel on the 19.

Then we have the 12 illegals pop up… and everyone is surprised that the Russians are spying on us as well as amazed at the old school tradecraft that they are using.

How antiquated…

Antiquated and still quite functional boys and girls.

Expanding it further out though, you can see in the passage that I like the most that;

If you think like an intelligence officer, then you realize in an open society it’s possible to obtain a lot of information. A mere walk in a neighborhood on a Saturday morning can give you access to vehicles parked at a garage sale that have stickers from government installations or high tech companies doing research. These individuals can be tracked or befriended. Neighbors often watch each other’s houses and may even have keys, which give an intelligence officer access to the house, or a car, or a gated community. They get invited to parties, meet people and gain access to individuals with knowledge, influence or information. And that is only the beginning.

THIS is a key thing to pay attention to. Once you are in, you have so much access that you really don’t need all of the arcane spy vs spy stuff to get what you really want here. The illegals were a foothold group sent to burrow in and make lives so they could gather data and make friends. They would be, in states of serious distress between the countries, “inside men” the fifth column to attack the enemy from the inside… Say, does this remind you of anything going on recently? Say, oh Jihadi’s recruiting US citizens for Jihad?

Yep.

Situational Awareness is key.

The Consultant Was a Spy

leave a comment »

Heathfield was also pitching a software program he claimed to have developed, called FutureMap. He described it to sources and in writing as a program that would reside on a company’s internal computer network. Users could plug in variables such as election results and technological breakthroughs to see how events might affect their businesses and future strategies. A screen capture of FutureMap shows a timeline tracking events over the course of many years in a variety of categories, including “Energy and Environment” and “Medicine & Biogenetics.”

Sources who met with Heathfield about FutureMap now believe the software could have been used to steal corporate information and send it back to Russian intelligence officials without the companies’ knowledge. . . . . . Sources were unnerved by how sophisticated and polished Heathfield’s pitch was. If not for the FBI’s intervention, one source speculated, Heathfield could have made a successful sale, installed the software, and started sending information home. “If he had a few more customers and better marketing, he could have really pulled off something tremendous.” . . . .

Full article here:

Back when I was a road warrior for IBM, many people who knew me (friends and family) actually half thought that I was not an IBM employee, but some kind of spook. I have to admit that due to the nature of what I was doing I couldn’t really talk about exactly what I was doing, but I could tell them I was here or there etc.. Unlike real spooks. In the case of Heathfield, well, he turned out to be a real spook and gee, look at that, he was a self branded “consultant” whod’a thunk it huh?

The fact is that the CIA often uses NOC agents in the role of consultants or reps for “front companies” or even legit companies as a cover for their NOC (Non Operational Cover) identities or “legends” They go into places under the guise of business like an Oil company that may in fact be the target of their collection activities. It’s an old trick and it always will be the case, there is nothing new here save that this guy was in fact perhaps peddling software that was pre-pwn3d and could tunnel the “clients” data out to mother Russia. A rather nifty idea really but again, nothing new.

So, won’t you now look on the new consultant as not only perhaps a Bob (oblique Office Space reference) but also maybe the next corporate spy?

THIS is what should happen but I am sure will not. You see, the vetting process for employing people oftentimes is too weak if at all in place at companies. All too many times people do not check references nor do they do the criminal background checks on new hires or prospectives. Never mind the fact that most of the time its easy enough to get onto a corporate facility with faked credentials or none at all and gain access to data, terminals, hardware etc. Hell, just how many places have a separate vlan or drop for internet access for visiting consultants or perspective clients?

Put it this way.. Can anyone just plug in and get a DHCP address on your network? If they can, well game over man.. Even more so if you have a weak AP system for wireless (can you saw WEP?) So that “consultant” whether or not they are meant to be there or have just socially engineered their way into the building may already be on your network and tunneling out gigs of data as you read this…

So one of them turned out to be a real bona fide Russian illegal WOOO HOOO! Worry about all the others out there from ever other land as well as corporate entity looking to steal your shit.

Pay attention! So can the DHL Guy, the I.T. Guy, The Mail Man, The Temp, The Plumber, Janitor, etc etc etc…

CoB

Talk on Chinese Cyber Army Pulled From Black Hat: Nothing To See Here… Move Along…

with one comment

“Operation Aurora, GhostNet, Titan Rain. Reactions were totally different in the US and in Asia. While the US media gave huge attention, Asia find it unbelievable and interesting, that cyber warfare and government-backed commercial espionage efforts that have been well established and conduced since 2002, and have almost become a part of people’s lives in Asia, caused so much “surprise” in the US.

Here we’ll call this organization as how they’ve been properly known for the past eight years as the “Cyber Army,” or “Wang Jun” in Mandarin. This is a study of Cyber Army based on incidences, forensics, and investigation data since 2001. Using facts, we will reconstruct the face of Cyber Army (CA), including who they are, where they are, who they target, what they want, what they do, their funding, objectives, organization, processes, active hours, tools, and techniques.”

Full article Here:

“We’ve been hacked! Oh wait, you’re in Paris… You can’t help us.. CLICK”

Color me not surprised to see that this talk was yanked off of the BlackHat schedule. This is specifically in light of the fact that the presenter is from Taiwan, a protectorate of China and likely if the talk went ahead, then the speaker and his company would have been sanctioned by the Chinese government. Though, it could be that there are other players here that may not want some bits of information out in the open but who’s to say at this juncture? Suffice to say that something in this iteration (and there have been others of this same talk given) got them spooked.

The other comment that struck me was the red text above that mirrors what I have been saying all along since the whole Google APT thing erupted onto the media stage here in the states.

This is nothing new.

The Chinese have been at this for some time just as other countries had been doing the same thing. It is just perhaps the scale and the persistence that has been the key to the difference here. The Chinese have the 1000 grains of sand approach that is culturally specific to them. They took that notion, the game of “Go” and and what they learned from Sun Tzu then applied it to their cyber warfare/inforwar stratagem. Its only a natural progression really given their culture and history. What really takes me aback is just how little the West (ala the US) seems to be so ignorant of this that it has me wondering just what navel they have been gazing at all of this time while the Chinese ate our collective lunches.

So here we are, months later after the Google revelations and years after the successful attacks that no one dare name for fear of national security or perhaps national egg on the collective national face with regard to incursions in the past on sensitive networks. You see, yes Virginia, there have been other incursions and much more has been stolen via networking infrastructure as well as HUMINT by the likes of China in the past. Its just that its either classified, hush hush, or, more likely, the targets have no idea that they had been compromised and their data stolen. It’s all just a matter of the security awareness that we have had.. Well, where that has been nationally has been in the toilet really, so extrapolate from that the amount of data that has been stolen ok? Lets use the JSF as an example of this as its been in the news.

Trending Lately.. APT+JSF = Chinese Love

Now, given that this type of talk has been the “du jour” lately on the security and government circuit, lets move the target further out and to the left a bit ok? I have been noticing something in the news that has direct connection to my last employer, so I will be judicious with my speech here.. How shall I start….

Ok… Lets name the players…

Lockheed Martin: Hacked and about 2TB of data taken out of the systems… Inclusive on the JSF project

(Undisclosed company that makes hot object integral to flight) : Nothing in the news…. wink wink nudge nudge..

The FAA: Hacked and back channeled through trusted networks into Lockheed and ostensibly other companies

The JSF itself.. Well the congress wants to keep the program afloat while the main military brass want to kill it. You see, its been compromised already and I suspect well enough, that the technical advantages that it was supposed to have, are pretty much gone now. You see, all those hacked systems and terabytes of data exfiltrated out were enough to compromise the security of the ship herself and give the enemy all they needed to defeat her “stealth” systems.

Somewhere in China there’s a hangar, a runway, and a Chinese version of the JSF sitting on the tarmac doing pre-flight I think.

So the latest scuttlebut out there with regard to the cost overruns and the problems with the JSF are just one part of the picture I think. Sure, there is political intrigue and backstabbing going on too, but, were I the military and my new uber plane was no longer uber, nor cost efficient, I would be killing it too and looking for something else to use in theater.

So how did this happen?

Causality: Trusted Networks, Poor Planning, Poor Technical and Procedural Security, and The Human Equation

The method of attack that compromised the networks in question involved a multi-layer strategy of social hacks as well as technical ones. The Chinese used the best of social engineering attacks with technical precision to compromise not only the more secured networks, but also to use trust relationships between companies working on the JSF to get the data they wanted. You see, all of these companies have to talk to each other to make this plane. This means that they will have networked connections either via VPN or directly within their infrastructures to pass data. By hitting the lesser secured network/company/individuals they can eventually escalate privilege or just hop right onto the networks that they want in a back door manner.

Hit the weakest point and leverage it.

In the case of the JSF, the terabytes of data were never really elaborated on but I can guess that not only was it flight traffic data, but integrally, the flight recording data concerning all of the systems on board as the plane was tested. Inclusive to this, if the APT got further into Lockheed and other companies that make the plane, they might have data on the level of actual CAD drawings of parts, chemical analysis and composition details, as well as the actual code written to operate the systems on board the plane for it to function.

In short, all of the pieces of the puzzle on how to make one.

Sure, there must be gaps, I am sure that they did not gain access to some ITAR/EAR data but, given the nature of the beast, they can infer on some things and in other areas perhaps get analogous or dual use technologies to fill in the gaps. The two terabytes are the only terabytes that we “know of” or shall I say allowed to be known of. It is highly likely that that data is not the only stuff to be taken. Its just a matter of finding out if it has.. And in some cases, they can’t even tell because of the poor security postures of those companies involved.

The reasons for these companies (with the exception of Lockheeds) lack of insight into their security is simply because they have not been corporately aware enough to care about it… Yet. Perhaps now they are getting better post the hacks on Lockheed and others, but it has been my experience that even after a big hack is exposed in the news, many corporate entities take a “it can’t happen to me” attitude and go on about BAU until they get popped and put on the news. What’s more, the Chinese know this and use it to their advantage utterly.

You see, its not just all about super technical networking. It’s also because they don’t even have solid policies, procedures, response plans, and other BASIC security measures in place or being tested and vetted regularly. This negates the super cool technical measures that they might have bought from the likes of IBM and CISCO because Johnny Bonehead C level exec says he MUST have a 4 character password and ADMIN access to his machine.

All against policy… If they do indeed have one on that…

Failure is imminent unless the sum of the parts are in working order. This means the dogma of policy, security education, incident response, RBAC, etc, the CIA triad are in place and have acceptance from the upper echelon of the company. All too often this is not the case and thus easy compromise occurs.

Circling Back To The BlackHat Talk:

Ok, circling back now after my diatribe… My bet is that both parties (China and US) did not want this talk to go on depending on the data that was within. Some red faces would likely have ensued and or would have given people ideas on where to attack in future also. It’s a win win for all concerned if the talk was made to go away and well, it did didn’t it? Unless this guy says he quits his job, moves away from Taiwan and then gives the talk anyway. I doubt that is going to happen though.

In the end, the cyber “war” has been going on for years… Well more like cyber “espionage” but in todays long view I see them as the same thing. After all, a good cyber warfare strategem includes compromise of key systems and data in order to make them useless at the right time.

The Cyber War has been raging since the 90’s. It’s just that the American people and media have only recently heard of the “internents” being vulnerable.

Wakey wakey…

CoB

Getting Into Bed With Robin Sage: The Fallout & The Proof of Concept

with 2 comments

So why the pictures of Anna Chapman you ask? Well, because it may well have been Anna on the profile.. The principle is the same.

The Robin Sage Affair:

Recently, the INFOSEC community found itself with its virtual pants around its digital ankles through the machinations of “Robin Sage” a faux profile created on a number of social networking sites including InkedIn. The profile sported a goth girl and the attending personal data claimed that she worked for N8 Naval Warfare Center and was basically the inspiration for Abby Sciuto, a character from NCIS (Naval Criminal Investigative Service) on CBS.

The man behind the profile and the experiment is Thomas Ryan, the co-founder and Managing Partner of Cyber Operations and Threat Intelligence for Provide Security. His idea was to test the social networking process to see if he by proxy of this profile, could get people to just add Robin without any real vetting. A secondary part of the experiment was also to see just how much information could be gathered by the cutout and see just how damaging such actions could be to end users who “just click yes” to anyone who wishes to be added.

In the end, within a 28 day period the account harvested not only compromising data (much of the worst from LinkedIn) but also invitations to speak at conferences, job offers, and I am sure, the odd lascivious offers to “meet” The byproduct of this experiment in the short term (after her outing, so to speak) is that the Infosec community members who were duped are feeling, well, a bit sheepish right now. After all, these are the people who are supposed to be teaching others on how not to get compromised like this. Especially so with a social engineering exploit that worked so knee jerk well.

Twitter has been abuzz with condemnation and who knows what’s being said in the halls of power and in the military since many of the folks who got duped were military operators. All of this though glosses over a pertinent fact for me however. One that may be in fact brought out in the talk at Black Hat, but I thought it interesting to write about here. The problems of how humans are wired neurologically and our needs to be “social” We come pre-loaded and then taught social norms that are counter much of the time to secure actions.

Hardwired:

It is my contention that human beings are a social animal that are wired and trained to be trusting as well as gullible when a pretty woman says “please add me” Sure, we can train ourselves to be skeptical and to seek out more information, but, in our society of late it seems that we have even lost more of this capability because we do not teach critical thinking in school as much as wrote learning. Of course this is just one aspect of a bigger picture and I really want to focus on the brain wiring and social training.

As social animals, we ‘want” to be social (most of us that is) and long to communicate. After all, that is what the internet is all about lately huh? Not being actually in the room with people but able to talk/chat with them online in “social networks” In other cases we are forced to be social in the sense that our lives depend on our social natures. We cooperate with others, we live with others and we depend on others for our safety in numbers, infrastructure continuance, etc. Thus we evolved into tribes, clans, societies, and now its going global. All of this is predicated on some modicum of trust in relationships.

Trust relationships though are just one thing. We trust as we walk down the street that the people walking toward us will not whip out a gun and just start shooting at you. We trust that the driver on the other side of the road will not just veer out in front of us for no apparent reason because that would be counter productive and not the “norm” However, these things can and do happen from time to time, yet, we do not find ourselves on permanent alert as we walk the streets because if we were then we would be a wreck. Turning that around, we would then be seen as paranoid and not “normal”

See where I am going with that?

So, in the sense of online social networks and security, these things are just diametrically opposed. If you want to be social, don’t enter into areas of discourse where your “security” is supposed to be protected. It is akin to walking up to a stranger and telling them your doors at home are unlocked most of the time. Believe me it happens now and then, but don’t you then start thinking that that person just has something fundamentally wrong with them? Its the same for any online relationship. Nickerson said it best.. Unless you really know them or have.. “spit roasted” someone with them, then don’t add them or tell them secret things… But.. Then there is that whole trust issue.

We are trusting and want to follow social norms. THIS is why social engineering works so well! We are just wired for it and to change these behaviors really requires training.

Additionally, lets take into account the hotness factor with this particular experiment. The pictures of “Robin” were obvious to some as being of someone who would NOT have a job at N8 or any facility/group with classified access and responsibilities. I took one look and thought;

“Look at that nip slip and belly shot there on the Facebook.. No way this is a real profile because her clearance would be yanked ASAP”

Others though, may have looked at those pics and thought “damn, I want to meet her, I will add her and chat her up” This begs the question of just what the ratio was of men to women who asked to be added or just clicked add on the Robin Sage profile. Were the numbers proportionally higher men to women I wonder? I actually believe that to be the case. In fact, this is an important thing to take note of as we are dealing with a very familiar tactic in espionage realms.

“The Swallow” or “Honeytrap”

How many have fallen for the “Russian Secretary” over the years and then been turned into an agent for Russia? The same principle is being used here. The bait is a cute goth chick who happens to work in the very same field you do! A field mind you that is still primarily loaded with guys. So this is just moth to the flame here. It is so common that perhaps we cannot get past our own hard wired brain and sexual drives huh? It will be interesting to see the talk at Black Hat to get the stats.

The Community:

So, once again, those who got spanked by this and are griping now, I say take a long look at the problem. You fell victim to your own programming. You could potentially have not fallen prey to it, and perhaps in the future you won’t, but, take this as a learning experience and move on.

Use this experience to teach others.

Object lesson learned.

Full CSO article HERE

CoB